Secure Web Error :: 403 Forbidden Access - while accessing secure websites on SecureBrowse Mode through NetScaler Gateway

Article ID: CTX231815

Description

Unable to access two specific websites when traversing the NetScaler (previously NS10.5: Build 66.9.nc, then updated to 11.1 56.15.nc). The customer uses the Secure Web browser, but access only fails when traffic is redirected through the NetScaler; when it is not, the web pages load fine. Adding a Server and an associated Service on the NetScaler was attempted as a workaround, but this did not help. There is no reason these URLs should be blocked at the NetScaler, as thousands of sites are accessed through it daily. One of the sites not working: sni_required_site.com

Resolution

This is a limitation of NS 11.x; there are two possible solutions:

First Solution: A workaround. Create a load balancing virtual server with an SNI-enabled Service, and route traffic for the website to it using an ADNS record. https://docs.citrix.com/ko-kr/netscaler/11-1/ssl/config-ssloffloading/support_for_sni_on_backend_service.html
1. Create a Server object for the website that requires SNI support.
2. Create a backend SSL profile with SNI enabled and the common name set to the website that requires SNI.
3. Create an SSL Service and bind the SSL profile from step 2 to it.
4. Create an SSL load balancing VIP with the Service from step 3 and bind any wildcard certificate to it. Use any dummy IP address.
5. Create an ADNS record that maps the website FQDN to the dummy IP from step 4.

Second Solution: Upgrade to 12.0. Citrix has included built-in support for SNI through the Gateway VPN in SecureBrowse mode. See Configuring Server Name Indication (SNI) Extension:
https://docs.citrix.com/en-us/netscaler-gateway/12/configuring-server-name-indication-extension.html

Problem Cause

SNI is not enabled on the backend connection, and the backend websites require SNI. This can be confirmed with the OpenSSL s_client tool: without the -servername option the server rejects the handshake.

C:\OpenSSL\bin\openssl.exe s_client -connect sni_required_site.com:443
CONNECTED(000001C0)
13328:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1515703521
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

When SNI is included in the SSL handshake (the -servername option), the connection succeeds.

C:\OpenSSL\bin\openssl.exe s_client -connect sni_required_site.com:443 -servername sni_required_site.com
CONNECTED(000001D4)
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=*.sni_required_site.com
   i:/C=US/O=xxxxx/OU=Server CA 1B/CN=xxxxx
 1 s:/C=US/O=xxxxx/OU=Server CA 1B/CN=xxxxx
   i:/C=US/O=xxxxx/CN=xxxxxRoot CA 1
 2 s:/C=US/O=xxxxx/CN=xxxxxRoot CA 1
   i:/C=US/ST=zzzzz/L=Scottsdale/O=yyyyy Technologies, Inc./CN=yyyyy Services Root Certificate Authority - G2
 3 s:/C=US/ST=zzzzzz/L=Scottsdale/O=yyyyy Technologies, Inc./CN=yyyyy Services Root Certificate Authority - G2
   i:/C=US/O=yyyyy Technologies, Inc./OU=yyyyy Class 2 Certification Authority
---