ADC: HSTS not working on NetScaler Gateway when using a Standard License.

Article ID: CTX692924

Description

After enabling HSTS at the Gateway Virtual Server (using SSL Profile or SSL Parameters), some responses still do not contain the HSTS header.

Resolution

If you need HSTS enabled for AAA responses, you will require a NetScaler license edition that allows the AAA feature to be enabled. If you have such a license, ensure that the AAA feature is enabled.


Problem Cause

This is caused by a limitation of the Standard license, which does not allow the AAA feature to be enabled. As a result, the HSTS header is inserted only in responses generated by the Gateway itself (e.g. index.html), but not in responses generated by the AAA virtual server that backs the Authentication Profile configured at the Gateway (e.g. tmindex.html).

To clarify further, in this deployment type, we are dealing with two entities.

  1. Gateway virtual server
  2. AAA virtual server

The AAA virtual server is used for the nFactor authentication when an Authentication Profile is bound at the Gateway VS. With the Standard license, the AAA feature cannot be enabled, therefore its usage is very limited and only certain parts of it can be customized through the Gateway configuration.

The HSTS parameter is applied at the virtual server level. With the Standard License, we are able to modify the parameter (via SSL Parameters or using an SSL Profile) on the Gateway virtual server, but not on the AAA virtual server. Since the AAA feature is not enabled, the NetScaler does not allow customization of the parameters of the virtual server created through the Authentication Profile bound to the Gateway.

Since we can enable HSTS at the Gateway virtual server, any responses generated by the Gateway virtual server entity itself will have the HSTS header inserted. However, responses generated by the AAA virtual server used by the Gateway to authenticate the users will not have the HSTS header inserted, since the HSTS option customization will not take effect in the AAA virtual server if the AAA feature is disabled.
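As an added example (not part of this article), the following Python audits captured HTTP response headers for the two entities described above and reports which responses lack the Strict-Transport-Security header. The two sample responses are constructed to mirror the behaviour described here, and the request paths are assumed.

```python
import re
from typing import Dict, List, Optional

HSTS_HEADER = "strict-transport-security"

# Constructed samples mirroring the article: the Gateway-generated page carries HSTS,
# the page served by the AAA virtual server does not. Both paths are assumed.
SAMPLES = {
    "/vpn/index.html": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "\r\n"
    ),
    "/logon/LogonPoint/tmindex.html": (
        "HTTP/1.1 200 OK\r\n"
        "\r\n"
    ),
}

def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP/1.1 header block into a dict keyed by lowercase header name."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value: str) -> Dict[str, object]:
    """Split an HSTS value into its max-age / includeSubDomains / preload directives."""
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        match = re.fullmatch(r"max-age=(\d+)", directive, re.IGNORECASE)
        if match:
            policy["max_age"] = int(match.group(1))
        elif directive.lower() == "includesubdomains":
            policy["include_subdomains"] = True
        elif directive.lower() == "preload":
            policy["preload"] = True
    return policy

def hsts_for_response(raw: str) -> Optional[Dict[str, object]]:
    """Return the parsed HSTS policy of a response, or None when the header is absent."""
    headers = parse_headers(raw)
    return parse_hsts(headers[HSTS_HEADER]) if HSTS_HEADER in headers else None

def missing_hsts(responses: Dict[str, str]) -> List[str]:
    """List the paths whose responses carry no HSTS header (here, the AAA-served page)."""
    return sorted(p for p, raw in responses.items() if hsts_for_response(raw) is None)
```

On a live deployment, replace the constructed samples with header blocks captured from your own Gateway host (for example with `curl -sI`) for both the Gateway-served and the AAA-served pages; any path listed by `missing_hsts` is one where the license limitation above still applies.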

Additional Information

The AAA feature is available in NetScaler Advanced and Premium edition licenses. For reference, see the documentation below:

Licensing overview | NetScaler 14.1

nFactor for gateway authentication | Authentication and Authorization (netscaler.com)