[NetScaler Trace Study] - Using Client Certificate Authentication at Frontend and Backend (without passthrough)

Article ID: CTX233039

Description

This trace study looks at client certificate authentication taking place at both the frontend and backend.

This example trace was carried out in a practice lab environment with the following IP addresses:

  • Client IP - 10.90.33.156
  • VIP - 10.90.46.28
  • SNIP - 10.90.46.26
  • Backend - 10.90.46.13

Instructions

The load balanced vserver is configured with Client Cert authentication set to Mandatory:

[Screenshot: SSL vserver parameters with Client Authentication set to Mandatory]

The NetScaler client certificate is bound to the Service:

[Screenshot: the NetScaler client certificate bound to the backend Service]

At the backend, the web server also requires a client certificate:

[Screenshot: backend web server configured to require a client certificate]

First, we can see the client certificate request being sent when the vServer sends its own certificate to the client:

[Trace screenshot: Certificate Request sent along with the vServer certificate]

When client certificate authentication is complete on the frontend, the NetScaler connects to the backend and completes the SSL handshake:

[Trace screenshot: frontend client cert authentication completes, then the NetScaler-to-backend SSL handshake]

After the SSL handshake, the NetScaler requests the resource that requires a client certificate. This begins the SSL renegotiation:

[Trace screenshot: request for the protected resource followed by the start of SSL renegotiation]

The NetScaler then sends its own client certificate:

[Trace screenshot: the NetScaler sends its client certificate to the backend]

Notice that if SSL Renegotiation is set to DENY ALL, the connection fails after the server's Hello Request, because the NetScaler will not renegotiate:

[Trace screenshot: with renegotiation denied, the connection fails after the server's Hello Request]

Also note that when the trace is not decrypted, it only shows a run of PSH, ACK segments; the renegotiation messages inside them are not decoded:

[Trace screenshot: encrypted trace showing only PSH, ACK segments]
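The configuration the screenshots above describe, written out as NetScaler CLI. This is an added example, not from the article: the object names (lb_vs_ssl, svc_backend, server_cert, ca_cert, ns_client_cert) and the SNIP netmask are assumed, the IP addresses are the article's lab values, and it assumes the certificates are already installed and the backend supports RFC 5746 secure renegotiation.

```text
# Added example (not from the article). Object names and netmask are assumed;
# IP addresses are the lab values from the trace study.
add ns ip 10.90.46.26 255.255.255.0 -type SNIP
add service svc_backend 10.90.46.13 SSL 443
add lb vserver lb_vs_ssl SSL 10.90.46.28 443
bind lb vserver lb_vs_ssl svc_backend

# Frontend: server cert for the VIP, CA cert used to validate client certs,
# and client certificate authentication set to Mandatory
bind ssl vserver lb_vs_ssl -certkeyName server_cert
bind ssl vserver lb_vs_ssl -certkeyName ca_cert -CA
set ssl vserver lb_vs_ssl -clientAuth ENABLED -clientCert Mandatory

# Backend: the NetScaler's own client certificate, presented to 10.90.46.13
# when the web server triggers renegotiation for the protected resource
bind ssl service svc_backend -certkeyName ns_client_cert

# Renegotiation control. ALL also refuses the backend's Hello Request, so the
# connection fails exactly as the trace shows. NONSECURE keeps the backend
# client-cert flow working while still refusing non-RFC 5746 renegotiation.
# set ssl parameter -denySSLReneg ALL      <- breaks the backend client-cert request
set ssl parameter -denySSLReneg NONSECURE
show ssl parameter
```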

Additional Information

CTX205823 - How Do I Enable SSL Client Certificate Authentication on NetScaler