NetScaler WAF step-by-step guide

This blog focuses on WAF implementation on the standalone WAF edition of NetScaler.

The NetScaler WAF feature is available with the following licensing models:

  • Citrix NetScaler MPX and VPX, Platinum Edition
  • NetScaler MPX appliances running Enterprise Edition with Optional Module
  • Standalone WAF edition based on NetScaler MPX appliances

There is plenty of documentation covering WAF implementation with Platinum Edition and with the optional module on Enterprise Edition. This blog, however, focuses entirely on the standalone NetScaler WAF edition on NetScaler MPX appliances, which is widely used nowadays.

The tricky part with these three licensing models is that Platinum Edition and Enterprise Edition with the WAF optional module include many features we use on a daily basis, such as load balancing. The surprising part is that the standalone WAF edition licenses content switching but not load balancing. We can still use a virtual server bound to a content switching vServer in the standalone WAF edition, which is what this blog covers.

WAF implementation is easy and straightforward with NetScaler. With other WAF devices we may need to spend a couple of days on a minimum configuration, whereas with NetScaler a WAF implementation takes just a couple of minutes.

Questions to ask before doing a NetScaler WAF implementation:

  • Backend web server OS: Windows, Linux, Unix, others
  • Web server type: IIS, Apache
  • Application type: ASP.NET, PHP, ActiveX, Apache Tomcat, Domino, and WebLogic
  • Number of web servers: load balancing and content switching required.
  • SSL: Do you require SSL? If so, what key size (512, 1024, 2048, 4096) is used for signing certificates?
  • Application Traffic Volume: Average traffic of applications and high utilization timeframes.
  • Backend database and connectivity: MS-SQL, MySQL, Oracle, Sybase or PostgreSQL

Available licensed features with the NetScaler standalone WAF edition.

Step By Step Configuration of WAF

These steps apply to all editions; however, the standalone WAF edition has only the minimal features required for WAF.

  1. Infrastructure and virtual server Details
  2. Create WAF policies
  3. Create load balancing server
  4. Create load balancing server group
  5. Create load balancing virtual server
  6. Create content switch virtual server and Assign WAF policy
  7. Test the URL

Infrastructure and virtual server Details

  • Webserver IP : 192.168.1.100
  • WebServer : IIS based Web server
  • Content Switch virtual server IP : 192.168.1.110

Note: In my case both the web server and the virtual server VIP are in the same subnet; however, they can be in different subnets.

Create WAF policies

Before creating a WAF policy, check which of these categories your backend server falls under. By default, all web servers fall under the Web Application category.

  1. Web Application (HTML)
  2. XML Application (XML,SOAP)
  3. Web 2.0 Application (HTML,XML,REST)

Go to Configuration – Security – Application Firewall – Application Firewall Wizard (select)

  • Name: WEB-WAF-STD
  • Type: Web
  • Next to continue

Specify Rule section – Leave default true – Next to continue

Select Signature Section

  • Create New Signature
  • Simple for standard WAF / Advanced for High security

Specify Signature Protection Section

The defaults work very well, so leave them as they are – Next to continue

Specify Deep Protection Section

The defaults work very well, so leave them as they are – Finish to complete

To verify and review the WAF policies

Go to Configuration – Security – Application Firewall – Profiles

The WAF policy we created will show here along with some default ones.

With this, WAF policy creation is done; now we move on to the other steps.

Create load balancing server

Traffic Management – Virtual servers – Servers – Add (select)

  • Name: A-WEB-Server
  • IP: 192.168.1.100
  • Ok to Continue

Create load balancing server group

Traffic Management – Virtual servers – service groups – Add (select)

  • Name: A-Web-Server-Group
  • Protocol: SSL
  • Cache Type: Default (Server)
  • Ok to Continue

Select anywhere on the members section to add members.

Select Server Based – click on Select Server

Select the web server created in the previous step – Select

Review that the right server is selected – Port 443 – Create (the port depends on the application; in my case it is 443, but it can be different depending on your backend server)

Select Monitor on the right side – it will be added to your service group.

Select the Monitor section

Select Monitor – Click to select

Select TCP – select to continue

Verify TCP from monitors – Bind

The service group will be created – Refresh so that the effective state comes up.

Create load balancing virtual server

Traffic Management – Virtual Servers & Services – Virtual Servers – Add (select)

  • Name: A-WEB-vServer
  • Protocol: SSL
  • IP: Non addressable (it can be with an IP also; in that case you need two IPs, one for the vServer and another for the content switch vServer)

Select the load balancing service group section

Click to select

Select group created before – Select

Review the group name – Bind

Warning: Feature(s) not licensed [LB]. Ignore this, as we will use a content switch vServer on top of this.

  • This warning appears because load balancing is not a licensed feature in the WAF edition.

Click on server certificate

Click to Select the certificate

Select your certificate – I am using the default; in your case it will be a valid certificate.

Review the certificate Name – Bind

Continue – Click Done to finish virtual server creation

The created virtual server will show as below.

Create content switch virtual server and Assign WAF policy

Traffic Management – Content Switching – Virtual Server – Add (select)

  • Name: A-Webserver-CSvServer
  • Protocol: SSL
  • Target Type: None
  • IP: 192.168.1.110 (this is my VIP that users will connect to)
  • Port: 443
  • OK to continue

Select the Default Virtual Server Bound section – with this we bind the previously created virtual server to the content switch vServer.

Binding virtual server

  • Choose virtual server: Load balancing virtual server
  • Default load balancing virtual server: A-WEB-vServer (the server we created before)

Click OK to continue

Click on Policies at the top right – this will add a Policies section to our content switch vServer

Select ( + ) sign to add a policy for WAF.

Policies

  • Choose Policy: App firewall
  • Choose Type: Request
  • Continue

Click on Select Policy section.

Select the WAF policy that we created earlier, WEB-WAF-STD, and click Select

Review and click Bind. If you have multiple WAF policies, adjust the Priority section for each and add them all.

Click on Done to complete the Content Switch Virtual server configuration.

Now our content switch virtual server with the WAF policy is created. Refresh using the circle icon on the right so that the server status comes up.
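The GUI steps above correspond to the NetScaler CLI commands below, which are easier to review, keep under version control and replay on a second appliance. This is an added example, not part of the original walkthrough: it assumes the profile and policy are both named WEB-WAF-STD, uses `<certkey-name>` as a placeholder for your certificate, picks priority 100 arbitrarily, and does not create the signature object that the wizard builds.

```netscaler
# Added example: CLI equivalent of the GUI walkthrough (names and IPs taken from the post).
# Assumptions: profile and policy share the name WEB-WAF-STD, "-defaults basic" stands in
# for the wizard defaults, <certkey-name> is a placeholder, priority 100 is arbitrary.

enable ns feature AppFW CS

# WAF profile and policy; the rule "true" matches every request (the wizard default rule)
add appfw profile WEB-WAF-STD -defaults basic
add appfw policy WEB-WAF-STD true WEB-WAF-STD

# Backend server and service group, with the built-in TCP monitor
add server A-WEB-Server 192.168.1.100
add serviceGroup A-Web-Server-Group SSL
bind serviceGroup A-Web-Server-Group A-WEB-Server 443
bind serviceGroup A-Web-Server-Group -monitorName tcp

# Non-addressable load balancing vServer (expect the "not licensed [LB]" warning here)
add lb vserver A-WEB-vServer SSL 0.0.0.0 0
bind lb vserver A-WEB-vServer A-Web-Server-Group
bind ssl vserver A-WEB-vServer -certkeyName <certkey-name>

# Content switch vServer on the VIP, default LB vServer and WAF policy bound to it.
# The certificate bind on the CS vServer is an assumption: the post only shows it
# on the LB vServer, but an SSL vServer needs a certificate to come up.
add cs vserver A-Webserver-CSvServer SSL 192.168.1.110 443
bind ssl vserver A-Webserver-CSvServer -certkeyName <certkey-name>
bind cs vserver A-Webserver-CSvServer -lbvserver A-WEB-vServer
bind cs vserver A-Webserver-CSvServer -policyName WEB-WAF-STD -priority 100 -type REQUEST

# Verify state and confirm the WAF is seeing traffic, then persist the configuration
show appfw profile WEB-WAF-STD
show cs vserver A-Webserver-CSvServer
stat appfw
save ns config
```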

Test the URL

If this is for external users, NAT a public IP to our VIP 192.168.1.110 and create a public DNS record. If it is for internal users, just create a DNS record pointing to the VIP 192.168.1.110, and your website should be accessible.

NetScaler will check the traffic against all the settings in our WAF profile for this virtual server.

We hope this post is useful. Leave your comments and feedback below.

 

Siva Sankar

Siva Sankar works as Solution Architect in Abu Dhabi with primary focus on SDDC, Mobility, Virtualization, VDI, HCI and Network Virtualization products from VMWare, Citrix and Microsoft.
