How to Set Up SSL Relay Feature and Use NetScaler Appliance to Load Balance SSL Relay Service

Article ID: CTX200034

Description

This article explains how to set up the SSL Relay feature and how to use a NetScaler appliance to load balance the SSL Relay service.

Background

The Citrix SSL Relay provides end-to-end encryption of communication. SSL Relay can secure communication between clients and servers running Web Interface, and computers running XenApp using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

SSL Relay is used to secure communication between Web Interface, the XML broker, and the client and server to a published resource. To access the SSLRelay node on your XenApp server, go to Administrative Tools > Citrix > Administration Tools > Citrix SSL Relay - Configuration Tool.

Instructions

XenApp Server Requirements

  1. Server certificate installed on the XenApp servers that will run the SSLRelay service.

  2. XML, ICA, and Session Reliability ports configured.

  3. XML Service DNS address resolution enabled.

  4. Trust XML service.

  5. Verify that the Citrix SSLRelay Service is running.

  6. XenApp servers running the SSLRelay service must be rebooted for the changes to take effect.

Web Interface Requirements

  1. Root certificate.

  2. AddressResolutionType option set to AddressResolutionType=DNS in the webinterface.conf file.

  3. When setting the XML Transport type for the farm settings in Web Interface, set the type to SSLRelay.

  4. Set the XenApp server name to use the Fully Qualified Domain Name (FQDN). Verify that Web Interface can resolve the FQDN of the XenApp servers.

Note: SSL Relay will work if Web Interface is on NetScaler. Ensure that the root certificate is installed in the Java Keystore and that a host record is set on NetScaler to resolve the XenApp servers running the XML/SSLRelay Service.
Refer to Citrix eDocs for additional information on SSLRelay.

Configuration on NetScaler to Load Balance XenApp Server  

  1. Create SSLBridge service for the XenApp servers.

  2. Create an SSLBridge vserver, then bind the SSLBridge services to it.

XenApp Server Requirements

  1. A wildcard certificate to be used on the XenApp servers. In this case, *.reklawpw.com is the wildcard certificate, as shown in the following screenshot. The same name is to be added for SSLRelay communication on all XenApp servers.

    User-added image

  2. The SSL Relay name, in this case relay.reklawpw.com, is used by all the XenApp servers.

  3. Add a host record on each XenApp server that maps the SSLRelay name set previously to the IP address of that running XenApp server.

Web Interface Server Requirements

  1. Add the FQDN of the name that is shared between all the XenApp servers. This name must also be resolvable to the NetScaler SSL Bridge virtual server IP.

  2. Set the Transport type to SSL Relay.

  3. Set the SSL Relay port. In this case, port 444 is used because the XenApp server is running IIS, which is already using port 443.

    Note: You must use either a wildcard or a named certificate, but not a SAN certificate.
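
The following preflight check for the load-balanced layout above is an added example, not Citrix tooling. It confirms that the shared relay name resolves to the SSL Bridge virtual server on Web Interface and to the local IP on each XenApp server, that each server certificate covers the name, and that the relay port does not collide with IIS. The plan dictionary, its field names, and the 192.0.2.x addresses are constructed; matching on the certificate subject CN only is an assumption based on the note that SAN certificates are not to be used.

```python
# Added example: offline preflight check for the SSL Relay / SSL Bridge layout.
# All addresses and field names in PLAN are constructed samples.

def cn_covers(cn: str, host: str) -> bool:
    """True if a certificate subject CN (named or wildcard) covers host."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        label, _, rest = host.partition(".")
        return bool(label) and rest == cn[2:]
    return cn == host

def check_plan(plan: dict) -> list:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    relay, port = plan["relay_name"], plan["relay_port"]
    # Web Interface must resolve the shared name to the SSL Bridge virtual server.
    if plan["web_interface_hosts"].get(relay) != plan["bridge_vip"]:
        findings.append("web interface: relay name does not resolve to bridge VIP")
    for srv in plan["xenapp_servers"]:
        # Each XenApp server maps the shared name to its own IP (host record).
        if srv["hosts"].get(relay) != srv["ip"]:
            findings.append(f"{srv['ip']}: host record for relay name missing or wrong")
        # SSL Bridge passes TLS through, so the server's own certificate must match.
        if not cn_covers(srv["cert_cn"], relay):
            findings.append(f"{srv['ip']}: certificate CN does not cover relay name")
        # A server whose IIS already holds 443 needs a separate relay port.
        if srv["iis_on_443"] and port == 443:
            findings.append(f"{srv['ip']}: relay port collides with IIS on 443")
    return findings

PLAN = {
    "relay_name": "relay.reklawpw.com", "relay_port": 444,
    "bridge_vip": "192.0.2.10",
    "web_interface_hosts": {"relay.reklawpw.com": "192.0.2.10"},
    "xenapp_servers": [
        {"ip": "192.0.2.21", "cert_cn": "*.reklawpw.com", "iis_on_443": True,
         "hosts": {"relay.reklawpw.com": "192.0.2.21"}},
        # Deliberately wrong: per-host certificate, host record points at the VIP.
        {"ip": "192.0.2.22", "cert_cn": "xa2.reklawpw.com", "iis_on_443": True,
         "hosts": {"relay.reklawpw.com": "192.0.2.10"}},
    ],
}

if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["plan is consistent"]:
        print(finding)
```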