Well over a month ago Citrix released the XenMobile Device Manager SSL Offload Server Patch for NetScaler. And although this has been something weโve been waiting for, although โweโ is probably still a relatively small group, for some reason I haven’t read or heard a thing about it. Perhaps XenMobile isnโt as popular as I thought or people just donโt mind putting their MDM machines in their DMZโs, I know I would. Whichever the case may be, from now on you can securely place your MDM machine on your internal network without having to worry about potential unsecure connections, SSL only! Although I do highlight the XenMobile MDM server patch, the below is applicable to other sorts of (web) services as well.
The NetScaler and me
During the past few months I covered a large part of the Citrix portfolio, I discussed XenApp, XenDesktop, XenMobile, StoreFront, Provisioning Services and a few more, including several Microsoft related technologies as well. A subject left out of scope is Citrixโs NetScaler, hereโs why. Iโve never really been a networking kind of guy, donโt know why to be honest. Sure, I know my VLANs, subnets, tagging etcโฆ but I never really dealt with any (advanced) network device configurations apart from some simple switches and wireless routers. Now it’s not that Iโm completely unfamiliar with the NetScaler portfolio, I mean, I know what itโs capable of technically, most of it anyway, I can also highlight some of the differences between physical vs virtual, licensing structures, scale up and out models and I can probably think of at least a dozen use cases on when and why to implement as well, but thatโs where it ends. Although that may sound like a lot to some, it isnโt, not really.
SSL Offloading you say?
I decided Itโs time for change and since Iโm also working on XenMobile at the moment I thought the two would make a good combination. Letโs start by looking at the SSL Offloading feature in general, how does it work and what are some of the benefits. Simply put, SSL (Secure Socket Layer) provides an encryption / authentication (Handshake) mechanism between a client and server system. SSL encryption is based on SSL certificates which can be bought from a trusted Certificate Authority, or CA in short, and without Offloading applied need to be installed on the web server hosting the service. Have a look at this Wikipedia page with regards to CAโs if youโre not familiar with the concept. Note that although their (SSL certificates) primary use is to secure web servers, they can also be used to secure email servers, file transfers, and other data connections.
Delegating tasks
By default, the web server, there can be multiple of course, hosting the certificate handles all decryption and encryption of SSL traffic, potentially burdening the server with extra load. This could, when traffic is heavy, impact performance since decrypting and encrypting network traffic can be a CPU-intensive task, particularly during session initiation a.k.a. the Handshake which also includes the server to client authentication, and vice versa, see the โLetโs shake handsโ section below. By implementing SSL Offloading you basically delegate these tasks, of handshaking, decrypting and or encrypting traffic to a third party device, automatically freeing the web server from (extra) load. Note that SSL certificates can also be self generated, on the Citrix NetScaler appliance for example, however, Citrix recommends to buy one from a trusted CA of choice. Use self signed / generated certificates for testing purposes only.
The Offload server patch and its advantages
When the XenMobile Device Manager SSL Offload Server Patch for NetScaler is installed and configured accordingly (certificate needs to be known by the NetScaler as well) NetScaler will handle all decryption, encryption and authentication from then on, freeing your MDM server(s) from certain tasks (the Handshake in particular) enhancing performance. Another advantage, and probably the main one, is that the device responsible for Offloading all SSL traffic, the Citrix NetScaler in our case, can live within our DMZ, the way we like it, and the web server(s) for which SSL traffic is being offloaded can be safely placed on your (more secure) internal network without having to worry about unsafe connections since theyโre all being checked, inspected, decrypted and possible encrypted by the NetScaler before finally ending up on the web server.
No more DMZ
This, as off version 8.6.1, is now also true for Citrix XenMobile MDM as well, before Citrix XenMobile version 8.6.1 the MDM server needed to be placed in the DMZ since it had to authenticate, decrypt and encrypt all SSL traffic itself. So next to potential more intensive resource use, this also meant insecure placement. This was basically the only way you could implement it because placing it on your internal network would mean that uninspected and unauthenticated traffic would be able to enter, leaving you with no other options. Below, the way it was before 8.6.1 Due note that I don’t mention any Cluster / HA or +1 scenario’s throughout the article since this is a whole other subject on itself.
A bit more specific
SSL Offloading, as a term, is still a bit generic, lets talk about some of the options we have at our disposal. There are basically two ways (and to all network proโs out there, correct me if Iโm wrong) when it comes to Offloading SSL traffic: SSL Termination and SSL Bridging, at least these are the two most common ones. When terminating SSL traffic all relevant data gets decrypted, inspected and send to the web server. Note that with termination the data send from the NetScaler (DMZ) to the web server (internal network) is unencrypted. Although your internal network might be seen as secure and trusted by most, using SSL Termination can be flagged, as a security risk. I guess this will differ per company. The big advantage is that the data is already decrypted and inspected in the DMZ before reaching the web server, again, freeing up resources and more secure.
When using NetScaler
The above applies to โgeneralโ networking and as such is applicable to different kinds of ย appliances and web servers. When SSL Termination gets applied on a NetScaler you have two options, one, like above: traffic gets decrypted and send to the web server unencrypted and two: traffic gets decrypted, inspected and re-encrypted before itโs sent to the web server. This is also referred to as end-to-end Termination and is recommended by Citrix. (see the comments section below, thanks Anton!).
Bridging
SSL Bridging is similar to Termination, as described above, with one additional step added. The SSL encrypted data enters the offload appliance, next the sessions getโs authenticated and the data decrypted, inspected etcโฆ till finally it gets encrypted again and send through to the web server on your internal network. Although this is the more secure way of handling things it could potentially slow down operations when traffic is heavy since the web server still needs to decrypt / encrypt the data. Never the less, itโs the recommended way of implementing SSL Offloading if at all possible. With NetScaler, and thus MDM, things work a bit different.
When using NetScaler
Just like before, the above applies to ‘general’ networking and therefore applies to all other appliances, services and web servers. NetScalers works with so called virtual servers, which also applies when setting up, but is not limited to, SSL Bridging. When configuring a NetScaler SSL Bridge (virtual server) data remains encrypted, isnโt inspected and is directly send through to the web server without any pre-authentication or whatsoever, no certificates needed. Try to avoid this setup whenever possible. Also see:
http://blogs.citrix.com/2013/03/12/fronting-xenmobile-mdm-with-netscaler/
Other considerations
As mentioned with MDM, till now, Offloading wasnโt an option at all and all data needed to be decrypted and encrypted on the web server anyway, and although with implementing SSL end-to-end Termination on a NetScaler, this hasnโt changed, at least now the MDM server can reside on your internal network instead of your DMZ. When traffic increases you could always consider to implement โnormalโ Termination, add more web servers or offload your web server in another way, perhaps SSL acceleration might do the trick, will be discussed shortly. The amount of data that needs to be processed influences the type of offloading you implement. Of course your internal network needs to be seen as secure and treated as such with regards to NetScaler SSL Termination. With either termination or bridging in place the architecture will look something like this:
SSL Acceleration
As mentioned, SSL cryptography can be a very CPU intensive task. Because of this, over the years, engineers have been developing several techniques trying to relieve the web server from this task improving overall performance, with Terminating and Bridging probably being the best known. Asymmetric cryptography in particular (public key), which is used during the SSL Handshake to initiate the secure connection, as opposed to symmetric encryption, is the most resource intensive of the two. SSL (hardware) Acceleration was one of the first methods used to address this issue.
It consists of a physical PCI / SCSI card that you plug into your system. Itโs equipped with a co-processor that handles part of the SSL (Asymmetric cryptography) processing freeing up resources on the web server. Data processing still takes place on the web server so it’s not the same as the SSL Offloading options mentioned earlier but it does increase performance. One of the main differences between SSL Acceleration and complete Offloading is that Acceleration is applied to just one server at a time and Termination and or Bridging can be applied to multiple web servers simultaneously. At least you have options, take your pick.
Letโs shake hands!
SSL primarily uses symmetric encryption, which consists of single shared key used for both encryption and decryption, when exchanging data between client and server systems. I say โprimarilyโ because during the SSL Handshake (initiating the connection and authenticating the server) asymmetric public key (consists of a key pair) encryption is used during the first phase. Symmetric encryption is considered less secure than asymmetric encryption, however, itโs much faster and thus far less resource intensive when it comes to encrypting and decrypting data, a trade off between the two you could say.
Asymmetric
Although, once the connection is established, SSL traffic is symmetrically encrypted, SSL connections are still prone to performance degradation and overall slowness because of the Handshake process involved. As mentioned, during this phase asymmetric public key encryption is used (much more resource intensive), the server needs to be authenticated, as well as the client when two-way authentication is applied, impacting overall performance significantly. This is where SSL Offloading and Acceleration come into play and do their magic. Just to clarify, hereโs a general overview on the SSL Handshake process, got this from http://publib.boulder.ibm.com
Conclusion
Depending on your internal network, is it seen and treated as secure, security demands in general and the amount of data (or number of requests) that needs to be processed, all or a combination of the above methods might offer a solution. Implementing SSL Offloading is always going to be a trade off between speed and security. If we look at Citrix XenMobile in particular SSL Offloading wasnโt possible before december 2013, so even with end-to-end Termination configured, still burdening the web server with the extra load of SSL decryption and encryption, itโs a step forward from DMZ implementations.
To round things up, have a look at this Blog from Citrix:
http://blogs.citrix.com/2013/12/09/xenmobile-how-does-it-scale/
It will give you some great insights with regards to XenMobile sizing and Cluster / HA set ups. It will also provide you with a hyperlink to the XenMobile reference architecture. As youโll notice, your environment will need to be pretty substantial before MDM will cave in when it comes to the number of mobile devices connection up to your MDM server and exchanging information.
Bas van Kaam ยฉ
Reference materials used: Citrix.com, Microsoft.com, IBM.com, Windowssecurity.com and the Citrix E-Docs website.
Join [displaycount list=”Bas van Kaam”] other subscribers !
[optinform]
7 responses to “NetScaler SSL Offloading for XenMobile MDM… Finally!”
Great article, ill have to try it on my next xenmobile implementation
Thanks Kirk,
Have you done multiple already?
Regards,
Bas.
Hi Bas,
Some feedback on the NetScaler SSL Bridging functionality: When using a SSL Bridge Virtual Server on NetScaler SSL based traffic remains encrypted and is passed to the next hop.
NetScaler don’t offload SSL in this situation, in fact, NetScaler is not able to inspect the encrypted traffic! You also don’t need any SSL certificate on the NetScaler box itself!
In your case this will add a other situation:
– SSL Bridge, not inspected encrypted traffic flows to the web server.
– SSL Offload, NetScaler decrypt the SSL traffic and traffic flows as clear text to the web server.
– SSL Offload (end-to-end encryption), NetScaler decrypt the SSL traffic then the traffic gets re-encrypted and flows encrypted to the web server.
Try to avoid SSL Bridging unless there is no other option, like before the XenMobile 8.6.1 release!
Cheers!
Anton
Thanks Anton, great info, the box for ‘learned something new today’ is checked :-)
Recap: So basically Termination is called Offloading (in Citrix terms) and has two options. Bridging however, as far as Citrix goes anyway, works a bit different from what we’re used to in the ‘normal’ networking world in that the traffic doesn’t get decrypted, inspected, encrypted and send along.
Thatโs also why they criticised this setup : http://blogs.citrix.com/2013/03/12/fronting-xenmobile-mdm-with-netscaler/
Regards,
Bas.
[…] of version 8.6.1 the Mobile Device Management (MDM) server supports SSL Offloading through Citrix NetScaler. Because of this It can now be placed on your secure, internal network. No more, unsecure, DMZ […]
How does this work for the initial device enrollment process where device is new, and does not have SSL cert yet if XDM is on Trusted LAN? Do you need to let connection from ‘as yet unknown’ device through to XDM to enroll?
Hi Toni, very good question! I’m writing an article on that as we speak :-) Let’s just say that not everybody agrees with this set up. Some say, yes, it’s unmanaged, unauthenticated and doesn’t have a certificate, but it’s just aimed at the MDM server, which isn’t domain joined by the way. Others say, no way, DMZ, period! I think both have a good point. No matter where it’s placed, traffic (inbound) can always be ‘inspected’ by NetScaler, but more on this next week, hopefully :-)
Regards,
Bas.