Microsoft Direct Access does not natively support SSL offloading of IP-HTTPS, but Microsoft may not have much against using SSL bridging instead. Netscaler now lets us configure a back-end SSL profile, which makes it much easier to achieve our goal: SSL offloading of IP-HTTPS. Personally I’m on the latest Netscaler firmware, 12.0 53.13 nc, and here follows the configuration needed to make this work:

#Start by defining your Microsoft Direct Access servers
add server da-server-01
add server da-server-02


#Create a new back-end SSL profile and assign “SSL3-NULL-SHA” cipher to it
add ssl profile ns_da_ssl_profile_backend -sslProfileType BackEnd -eRSA DISABLED -sessReuse ENABLED -sessTimeout 300
bind ssl profile ns_da_ssl_profile_backend -cipherName SSL3-NULL-SHA -cipherPriority 1


#Create a new front-end SSL profile and assign “TLS1-ECDHE-RSA-AES128-SHA” & “SSL3-NULL-SHA” ciphers to it
add ssl profile ns_da_ssl_profile_frontend -sessReuse ENABLED -sessTimeout 120
bind ssl profile ns_da_ssl_profile_frontend -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 1
bind ssl profile ns_da_ssl_profile_frontend -cipherName SSL3-NULL-SHA -cipherPriority 2


#Create a new load balancing service group, bind Direct Access servers and the newly created backend profile to it. You do not need to bind any certificate on this level
add serviceGroup lbsg-ip-https-443 SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind serviceGroup lbsg-ip-https-443 da-server-01 443
bind serviceGroup lbsg-ip-https-443 da-server-02 443
set ssl serviceGroup lbsg-ip-https-443 -sslProfile ns_da_ssl_profile_backend


#Create a new load balancing virtual server, bind both Direct Access service group and the newly created front-end profile to it (you may need to assign an IP of course)
add lb vserver lbvs-ip-https-443 SSL 443 -persistenceType SSLSESSION -timeout 10 -cltTimeout 180
bind lb vserver lbvs-ip-https-443 lbsg-ip-https-443
set ssl vserver lbvs-ip-https-443 -sslProfile ns_da_ssl_profile_frontend
bind ssl vserver lbvs-ip-https-443 -certkeyName SSL-Certificate
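
Both profiles above bind SSL3-NULL-SHA, a cipher suite that does not encrypt at the TLS layer, so it is worth confirming that these profiles are attached only to the Direct Access entities. The following is an added example, not part of the original configuration: a small Python check over configuration lines, where the sample input is constructed and the vserver name lbvs-intranet-443 is hypothetical.

```python
import shlex

# Constructed sample: the bindings from this post plus one hypothetical
# vserver (lbvs-intranet-443) that reuses the Direct Access front-end profile.
SAMPLE_CONFIG = """\
bind ssl profile ns_da_ssl_profile_backend -cipherName SSL3-NULL-SHA -cipherPriority 1
bind ssl profile ns_da_ssl_profile_frontend -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 1
bind ssl profile ns_da_ssl_profile_frontend -cipherName SSL3-NULL-SHA -cipherPriority 2
set ssl serviceGroup lbsg-ip-https-443 -sslProfile ns_da_ssl_profile_backend
set ssl vserver lbvs-ip-https-443 -sslProfile ns_da_ssl_profile_frontend
set ssl vserver lbvs-intranet-443 -sslProfile ns_da_ssl_profile_frontend
"""

# Entities expected to carry IP-HTTPS traffic (names taken from this post).
DIRECTACCESS_ENTITIES = {"lbvs-ip-https-443", "lbsg-ip-https-443"}


def option(tokens, name):
    """Return the value following a -option, matched case-insensitively."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == name.lower():
            return tokens[i + 1]
    return None


def null_cipher_exposure(config, allowed=DIRECTACCESS_ENTITIES):
    """Map each entity outside `allowed` to the NULL-cipher profile it uses."""
    null_profiles, attachments = set(), {}
    for line in config.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) < 4 or tokens[1].lower() != "ssl":
            continue
        verb, kind, name = tokens[0].lower(), tokens[2].lower(), tokens[3]
        if verb == "bind" and kind == "profile":
            cipher = option(tokens, "-cipherName") or ""
            if "NULL" in cipher.upper():
                null_profiles.add(name)
        elif verb == "set" and kind in ("vserver", "servicegroup", "service"):
            profile = option(tokens, "-sslProfile")
            if profile:
                attachments[name] = profile
    return {entity: profile for entity, profile in attachments.items()
            if profile in null_profiles and entity not in allowed}


if __name__ == "__main__":
    for entity, profile in null_cipher_exposure(SAMPLE_CONFIG).items():
        print(f"{entity}: uses NULL-cipher profile {profile}")
```

Run against the constructed sample, it reports only the hypothetical lbvs-intranet-443 vserver; the two Direct Access entities are on the allow-list.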

Optional Steps

If you wish to perform pre-authentication on Netscaler level you may need to add some configuration on both front-end SSL profile and load balancing virtual server.
Start by opening the front-end SSL profile you just created (located at System – Profiles – SSL Profile), enable “Client Authentication” and set the client certificate to “Mandatory”.




Now we need to extract some information regarding the root and intermediate certificates used by the Direct Access servers, by running the following PowerShell command on one of the Direct Access servers:

(Get-RemoteAccess).IPsecRootCertificate | Format-Table Thumbprint

and you’ll get something like this:


Now check exactly which root certificate has a matching thumbprint ID and export it together with its associated intermediate certificate so you can import them as CA certificates to your Netscaler. Do not forget to link the intermediate certificate to the root one.





Before we proceed with binding the imported certificates to the load balancing virtual server, it is recommended to configure the CRL (Certificate Revocation List) on the Netscaler to prevent users with revoked certificates from accessing the environment. The easiest way to do that is from the CLI, or if you prefer the web GUI, you can navigate to Traffic Management – SSL – CRL.

In Traffic Management – SSL – CRL, start by uploading the CRL file. You may need to ask your PKI administrator for the CRL file, or check the root certificate itself: the CRL Distribution Points field contains the full URL to the CRL file. Paste the URL into a browser, save the file locally and upload it to the Netscaler. The default location will be: /var/netscaler/ssl/

In my case my CRL file name is: SHRootCA.crl and my full URL is http://crl.smali.local/CertEnroll/SHRootCA.crl
So my CLI command (CRL configuration) will look like this:

add ssl crl Smali-CRL "/var/netscaler/ssl/SHRootCA.crl" -inform DER -refresh ENABLED -CAcert DA-Root -method HTTP -url "http://crl.smali.local/CertEnroll/SHRootCA.crl" -port 80 -interval DAILY -time 04:30

Once that is done you should be able to see the following:




Well, the final step will be binding the device root and intermediate certificates as CA certificates on the load balancing VIP:
In my case I’ll be choosing CRL check as mandatory (if you choose not to configure any CRL you may need to link both certificates as optional).





That should be it 🙂