Citrix NetScaler – SSL Offloading

KB ID 0001192 

Problem

What is SSL Offloading?

If you run https services (Note: I say services, this does not have to be a website), the actual security is handled by SSL/TLS, one of the things this does is encrypt the traffic between the client and server. (This is why your online banking and shopping is done over https and not http.)

Thats great, but encrypting and decrypting all that traffic takes a lot of processing cycles, if you have http servers doing that work it will divert a lot of CPU/vCPU time away from its normal job of providing web services. If you have a very busy site, you may start to scale those servers out, and load balance them, but the http servers themselves will still need the extra grunt to do the decryption/encryption work.

You can install SSL accelerators, (often refereed to as Crypto Offload Cards,) into your servers to hand-off that workload, but in a modern virtual datacenter, that does not scale well at all.

So what if you get your ‘load-balancer’ to decrypt the traffic coming in, and re-encrypt it on its way out? The https servers no longer have to do the ‘heavy lifting’. Whats more, if you put an SSL accelerator in your load balancer, that makes it run more efficiently. Thats exactly what Citrix have done, their hardware NetScalers have a Cavium CN1620-NFBE3- 2.0-G or Cavium CN1120-NFB accelerator card in them, to take this job on. (Note: This does not apply to the virtual appliance, (obviously) but that can still perform SSL offloading).

Put Simply: Your forward facing services are HTTPS, your ‘back-end’ services are HTTP.

Solution

Before you start, I’m assuming you already have your back end servers setup in NetScaler, and have those servers presented as either a ‘service group’ or as individual ‘services’. If you are unsure how to do this, follow the article below, (all the way to setting up the Virtual Server.)

Citrix NetScaler – Simple HTTP Site Load Balancing

I’m also assuming you have uploaded into the NetScaler, the certificate you are going to present publicly, and the CA-Root certificate, (and any intermediate CA certificates if required).  If you are using ‘self-signed’ certificates you might want to see the following article;

Citrix NetScaler – ‘Certificate is not a server certificate’

Citrix NetScaler Deploying SSL Offload

Log into the NetScaler > Configuration > Traffic Management > Virtual Servers > Add.

Give the Virtual Server a name > Protocol will be SSL > Set the IP (VIP) > The port will be 443 > OK.

Now add in your service group (or service(s)). I have two http servers setup in a service group, (see the article above). Click ‘No Load Balancing Virtual Server Service Group (or Service) Binding.

Search arrow.

Locate and tick your back end service group > Select.

Bind

Continue.

At this point you can upload the certificate and CA certificate.

Done.

It can take a little while to ‘go-green’ if there is a problem, click the drop down error on the left for more information. If this is a new deployment you may encounter the following problem;

NetScaler – SSL Virtual Server State: Down Effective State: Down

So now if you hit the VIP the NetScaler is presenting on https, it converts it to http and load balances across the back end servers for you.

Related Articles, References, Credits, or External Links

NA