Of course you know the problem. You need to access your Citrix ADC, but you are not in the company.
Of course you don’t want to open ports 443 and 22 on the firewall, that would be insane. What can you do?
I solved the riddle for http and ssh.
The http access
It’s more or less easy to connect to a Citrix ADC from outside: you just have to open port 443 to the NSIP, that’s it. I’d suggest using strong passwords. Still, that is single-factor authentication, and that’s not sufficient.
Instead I decided to create a load-balancing vServer. It’s easy.
# 'snip' is a server object for a management-enabled SNIP (add server snip <SNIP> first)
add service svc_snip_http snip SSL 443
# -Authentication ON with -authnVsName sends every unauthenticated request to the AAA vServer first
add lb vserver lb_vsrv_management SSL 192.168.10.13 443 -AuthenticationHost preauth.mydomain.com -Authentication ON -authnVsName AAA_Preauth
bind lb vserver lb_vsrv_management svc_snip_http
set ssl vserver lb_vsrv_management -sslProfile ssl_profile_frontend_A-Plus
bind ssl vserver lb_vsrv_management -cipherName APlus_Ciphers
You see, I use a Citrix ADC AAA authentication vServer and an SSL profile (ssl_profile_frontend_A-Plus) as well as a bunch of ciphers (APlus_Ciphers).
add authentication vserver AAA_Preauth SSL 192.168.10.14 443
set ssl vserver AAA_Preauth -sslProfile ssl_profile_frontend_A-Plus
bind ssl vserver AAA_Preauth -cipherName APlus_Ciphers
bind authentication vserver AAA_Preauth -portaltheme Greenbubble
# the RADIUS policy talks to the token server, which provides the second factor
bind authentication vserver AAA_Preauth -policy auth_RADIUS_auth -priority 100
I use an SSL profile (ssl_profile_frontend_A-Plus), a simple portal theme and a RADIUS policy (auth_RADIUS_domain). It is based on token authentication.
I publish this to the internet. So a user first has to authenticate to the AAA vServer, using token-based authentication, and may then connect to the Citrix ADC management interface.
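To check that a configuration really follows the pattern above, here is an added example (my own code, not part of the original post or of Citrix's tooling) that audits ns.conf lines of the kind shown above. It parses `add lb vserver`, `add authentication vserver`, `set ssl vserver` and `bind authentication vserver` lines and reports vServers published without AAA pre-authentication, referencing an authentication vServer that is never defined, authenticating over plaintext HTTP, or lacking an SSL profile or an authentication policy. The embedded sample configuration is constructed: it mirrors the post's names and adds two deliberately weak vServers (lb_vsrv_legacy, lb_vsrv_open) so the audit has something to flag.

```python
"""Audit ns.conf lines for the AAA pre-authenticated management vServer pattern."""
import shlex
from collections import defaultdict

# Constructed sample modelled on the post's configuration, plus two deliberately weak vServers.
SAMPLE_NSCONF = """\
add server snip 192.168.10.20
add service svc_snip_http snip SSL 443
add authentication vserver AAA_Preauth SSL 192.168.10.14 443
set ssl vserver AAA_Preauth -sslProfile ssl_profile_frontend_A-Plus
bind authentication vserver AAA_Preauth -portaltheme Greenbubble
bind authentication vserver AAA_Preauth -policy auth_RADIUS_auth -priority 100
add lb vserver lb_vsrv_management SSL 192.168.10.13 443 -AuthenticationHost preauth.mydomain.com -Authentication ON -authnVsName AAA_Preauth
bind lb vserver lb_vsrv_management svc_snip_http
set ssl vserver lb_vsrv_management -sslProfile ssl_profile_frontend_A-Plus
# weak: pre-auth over plaintext HTTP, pointing at an AAA vServer that is never defined
add lb vserver lb_vsrv_legacy HTTP 192.168.10.15 80 -Authentication ON -authnVsName AAA_Missing
# weak: management published with no pre-authentication and default SSL settings
add lb vserver lb_vsrv_open SSL 192.168.10.16 443
"""


def _parse_opts(tokens):
    """Map '-Key value' pairs to a dict with lower-cased keys; bare flags map to True."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tokens[i].lower()] = tokens[i + 1]
                i += 2
                continue
            opts[tokens[i].lower()] = True
        i += 1
    return opts


def parse_nsconf(text):
    """Collect lb vServers, authentication vServers and the vServers that have an SSL profile set."""
    lb, aaa, with_ssl_profile = {}, {}, set()
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw, comments=True)   # '#' starts a comment, as in ns.conf
        except ValueError:
            continue                                # unbalanced quotes: skip the line
        if len(tok) < 4:
            continue
        head = tuple(t.lower() for t in tok[:3])
        # layout for both kinds: add <kind> vserver NAME PROTOCOL IP PORT [-option value ...]
        if head == ("add", "lb", "vserver") and len(tok) >= 7:
            lb[tok[3]] = {"proto": tok[4].upper(), "opts": _parse_opts(tok[7:])}
        elif head == ("add", "authentication", "vserver") and len(tok) >= 5:
            aaa[tok[3]] = {"proto": tok[4].upper(), "policies": []}
        elif head == ("bind", "authentication", "vserver") and tok[3] in aaa:
            policy = _parse_opts(tok[4:]).get("-policy")
            if policy:
                aaa[tok[3]]["policies"].append(policy)
        elif head == ("set", "ssl", "vserver") and "-sslprofile" in _parse_opts(tok[4:]):
            with_ssl_profile.add(tok[3])
    return lb, aaa, with_ssl_profile


def audit(text):
    """Return {vserver_name: [finding, ...]} for every vServer that deviates from the pattern."""
    lb, aaa, with_ssl_profile = parse_nsconf(text)
    findings = defaultdict(list)
    no_profile = "SSL vServer without an explicit -sslProfile (default SSL settings apply)"
    for name, v in lb.items():
        opts = v["opts"]
        if str(opts.get("-authentication", "")).upper() != "ON":
            findings[name].append("no AAA pre-authentication (-Authentication ON is missing)")
        else:
            if v["proto"] == "HTTP":
                findings[name].append("pre-authentication over plaintext HTTP exposes credentials and the AAA session cookie")
            target = opts.get("-authnvsname")
            if not target or target not in aaa:
                findings[name].append(f"-authnVsName {target!r} does not name a defined authentication vServer")
        if v["proto"] == "SSL" and name not in with_ssl_profile:
            findings[name].append(no_profile)
    for name, v in aaa.items():
        if not v["policies"]:
            findings[name].append("authentication vServer has no authentication policy bound")
        if v["proto"] == "SSL" and name not in with_ssl_profile:
            findings[name].append(no_profile)
    return dict(findings)


if __name__ == "__main__":
    for vserver, issues in sorted(audit(SAMPLE_NSCONF).items()):
        for issue in issues:
            print(f"{vserver}: {issue}")
```

Run it against a saved ns.conf (`audit(open("ns.conf").read())`) after each change to the management publishing: the two vServers from the post come back clean, while the two constructed weak ones are reported with one line per problem. The checks are deliberately syntactic; they tell you that the hand-off to the AAA vServer is wired up, not that the RADIUS backend behind it actually enforces a token.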
The ssh access
Of course, I would like to have 2-factor authentication with ssh as well; however, it seems to be impossible. Is it? No, it isn’t. I have written a blog about pre-authentication to TCP (or UDP) based services using a Citrix ADC AAA vServer. I will use this method. Problem solved?
Unfortunately, it seems to be impossible to point a service other than http(s) at Citrix ADC’s management IPs.
I tried several tricks, but failed: there was no way to get a TCP port 22 service up. I disabled health checking, but the service still didn’t work. I spent some days thinking. My solution is not a brilliant one, but it works:
I created a service of type ANY, pointing to a (manageable) SNIP. I had to disable the health check, as my monitor failed. I created a vServer of type ANY and bound the service to it. I then followed my blog about pre-authentication.