NetScaler SSL VPN Errors Test

The SSL VPN provides remote users with access to authorized resources on a private intranet over a secure connection. The SSL VPN feature relies on security policies that are enforced by the policy engine on the ADC appliance. If many resource accesses (HTTP or non-HTTP) through the SSL VPN are denied by the packet engine because they violate these security policies, it indicates that the ADC appliance is receiving a high volume of policy-violating access attempts, which leaves it exposed and eventually degrades its performance. To closely monitor the ADC appliance, administrators should keep a constant watch on the errors that occur when resources are accessed through the SSL VPN. The NetScaler SSL VPN Errors test helps administrators in this regard. Using this test, administrators can be proactively alerted to the number of HTTP and non-HTTP resource accesses denied by the policy engine and the number of times the Client Computer Security Check plug-in for an SSL VPN failed to enforce a security policy.

For this test to run and report metrics, the ADC appliance should be configured to write a Syslog file on a remote Syslog server, where the details of all interactions with the ADC appliance are logged. To know how to configure a remote Syslog server for use by the ADC appliance, refer to the Creating a Syslog file in a remote Syslog server topic.

This test is disabled by default. To enable the test, follow the Agents -> Tests -> Enable/Disable menu sequence in the eG administrative interface, pick Citrix ADC VPX/MPX as the Component type, select Performance as the Test type, choose this test from the list of disabled tests, and click on the < button.

Target of the test : An ADC VPX/MPX

Agent deploying the test : A remote agent

Outputs of the test : One set of results for the ADC appliance being monitored.

Configurable parameters for the test

Each parameter name below is followed by its description.

Test Period

How often should the test be executed

Host

The IP address of the host for which the test is being configured.

Port

The port at which the host listens. By default, this is NULL.

Log File Path

This test reports metrics by parsing a Syslog file. Specify the full path to the Syslog file here.

Search String

By default, the Syslog file may contain information relating to a number of servers that are interlinked with the target ADC appliance. To obtain metrics for the target ADC appliance alone, specify in the Search String text box the hostname or IP address of the target ADC appliance whose log entries are to be read from the syslog file. Using this search string, the eG agent filters the Syslog file and collects metrics only from the matching entries.

Search String Index

Here, specify the cursor position after which the eG agent should search for the specified Search String in the syslog file (in other words, the position up to which the eG agent should ignore while searching for the Search String). For example, if the specified Search String appears in the syslog file at the 17th position, specify the Search String Index as 16.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD Frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, choose the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements made by the test

Each measurement name below is followed by its description, its measurement unit, and its interpretation.

Non HTTP resource access denied

Indicates the number of non-HTTP resource accesses that were denied by the policy engine.

Measurement unit: Number

The Policy Engine (PE) provides a common framework for creating policy expressions that can be used by any of the features of the Citrix ADC Application Switch. The term Policy Engine refers to this architecture in the Citrix ADC Application Switch for versions up to 8.x.

The features that use policies are:

  • Load Balancing
  • Content Switching
  • Content Filtering
  • AppCompress
  • Cache Redirection
  • SSL VPN
  • Priority Queuing
  • DoS Protection
  • Sure Connect

A policy consists of an expression and an action. Expressions are “shared” among features on the switch, whereas actions are “feature-specific”. For example, you can create an expression that identifies certain file types being processed by the ADC, and as an action you can compress or optimize those files.

The packet engine performs TCP/IP processing, optimization tasks and packet acceleration, and it also enforces security policies. This is a continuous process of receiving packets, handling them according to the configured policies, and forwarding them onward. The packet engine is designed so that an entire instance of the ADC’s packet engine runs on each processor core (nCore technology), and it runs as a kernel component on the ADC. The Packet Processing Engine is responsible for all load balancing, acceleration, server offload and security tasks.

The detailed diagnosis of this measure, if enabled, lists the User, NAT IP, vServer, Source, Destination, the data sent, the data received, and the policy that denied access to the non-HTTP resource.

HTTP resource access denied

Indicates the number of HTTP resource accesses that were denied by the policy engine.

Measurement unit: Number

The detailed diagnosis of this measure, if enabled, lists the User, vServer, the data sent, the name of the remote host, the denied URL, and the policy that denied access to the HTTP resource.

Client security check for a SSL VPN fails

Indicates the number of times the client computer security check for an SSL VPN failed.

Measurement unit: Number

The SSL VPN administrator can configure the Client Computer Security Check plug-in to enforce a security policy on the client computer. A security policy is typically meant to ensure that security applications are installed and running. Security applications typically include personal firewalls, anti-virus packages, and customized applications or services. The plug-in performs a security check to ensure that the security policy is adhered to. These security checks can be performed once on login to the SSL VPN and also at periodic intervals during an active SSL VPN session, as specified by the administrator. If a security check fails at any of these points, the client will not be able to access the SSL VPN, even if the user authenticated successfully. If a security check fails while the user is logged in, the user is disconnected from the SSL VPN. Frequent failures are a cause for concern, and administrators should rectify such errors as soon as possible.

Client security expression evaluates to false

Indicates the number of times the client security check for a SSL VPN evaluated to false.

Measurement unit: Number

Ideally, the value of this measure should be zero.
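The following added example shows how the log parsing described under the Search String and Search String Index parameters and the four measurements above fits together: it reads syslog text, keeps only the entries for the target appliance, counts the four measures, and collects the detailed-diagnosis fields for the denied accesses. This is illustrative code written for this page, not eG Enterprise or Citrix code. The audit-message names and the "Key value - Key value" field layout in the sample lines are constructed in the style of NetScaler audit logging and must be checked against lines from your own appliance; the interpretation of the Search String Index as a character offset within each line is also an assumption.

```python
"""Parse ADC syslog text and count the four SSL VPN Errors measures.

Added example, not eG Enterprise or Citrix code. Labelled assumptions:
- The audit-message names (NONHTTP_RESOURCEACCESS_DENIED, ...) and the
  "Key value - Key value" field layout in SAMPLE_SYSLOG are constructed in
  the style of NetScaler audit log lines; compare them with real lines.
- search_index is read as a 0-based character offset into each line; the
  Search String must be found at or after that offset (the page's example:
  a string at the 17th position is found with an index of 16).
"""
import re
from collections import Counter

# Constructed sample syslog lines (not captured from a real appliance).
# Host 10.0.0.5 is the target appliance; 10.0.0.6 is another appliance whose
# entries share the same syslog file and must be filtered out.
SAMPLE_SYSLOG = """\
Jan 10 12:00:01 10.0.0.5 ns 0-PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 101 0 : User alice - Nat_ip 10.0.0.9 - Vserver 10.0.0.5:443 - Source 192.0.2.10:51000 - Destination 198.51.100.7:22 - Total_bytes_send 512 - Total_bytes_recv 0 - Denied_by_policy "deny_ssh"
Jan 10 12:00:02 10.0.0.5 ns 0-PPE-0 : default SSLVPN HTTP_RESOURCEACCESS_DENIED 102 0 : User bob - Vserver 10.0.0.5:443 - Total_bytes_send 300 - Remote_host intranet.example - Denied_url /admin/ - Denied_by_policy "deny_admin"
Jan 10 12:00:03 10.0.0.6 ns 0-PPE-0 : default SSLVPN HTTP_RESOURCEACCESS_DENIED 103 0 : User carol - Vserver 10.0.0.6:443 - Total_bytes_send 10 - Remote_host other.example - Denied_url /x - Denied_by_policy "deny_all"
Jan 10 12:00:04 10.0.0.5 ns 0-PPE-0 : default SSLVPN CLISEC_CHECK_FAILED 104 0 : User alice - Client_ip 192.0.2.10 - Check antivirus_running
Jan 10 12:00:05 10.0.0.5 ns 0-PPE-0 : default SSLVPN CLISEC_EXP_FALSE 105 0 : User alice - Client_ip 192.0.2.10 - Expression client_av_check
Jan 10 12:00:06 10.0.0.5 ns 0-PPE-0 : default SSLVPN LOGIN 106 0 : User alice - Client_ip 192.0.2.10
"""

# Constructed message name -> measure reported by the test.
MEASURES = {
    "NONHTTP_RESOURCEACCESS_DENIED": "non_http_access_denied",
    "HTTP_RESOURCEACCESS_DENIED": "http_access_denied",
    "CLISEC_CHECK_FAILED": "client_security_check_failed",
    "CLISEC_EXP_FALSE": "client_security_expr_false",
}

# "SSLVPN <MESSAGE> <id> <seq> : <fields>" -- layout assumed, see above.
MSG_RE = re.compile(r"\bSSLVPN (?P<msg>[A-Z_]+) \d+ \d+ : (?P<fields>.*)$")


def parse_fields(text):
    """Turn 'User alice - Nat_ip 10.0.0.9 - ...' into a dict of fields."""
    fields = {}
    for part in text.split(" - "):
        key, _, value = part.strip().partition(" ")
        fields[key] = value.strip('"')
    return fields


def line_matches(line, search_string, search_index=0):
    """Apply the Search String / Search String Index filter to one line."""
    return line.find(search_string, search_index) != -1


def count_sslvpn_errors(syslog_text, search_string, search_index=0):
    """Return (counts, details): counts per measure and the detailed
    diagnosis fields collected for each measure."""
    counts = Counter({m: 0 for m in MEASURES.values()})
    details = {m: [] for m in MEASURES.values()}
    for line in syslog_text.splitlines():
        if not line_matches(line, search_string, search_index):
            continue  # entry belongs to another host
        match = MSG_RE.search(line)
        if not match or match.group("msg") not in MEASURES:
            continue  # not one of the four error messages (e.g. LOGIN)
        measure = MEASURES[match.group("msg")]
        counts[measure] += 1
        details[measure].append(parse_fields(match.group("fields")))
    return counts, details


if __name__ == "__main__":
    # Host field starts at the 17th character, so the index is 16.
    counts, details = count_sslvpn_errors(SAMPLE_SYSLOG, "10.0.0.5", 16)
    for measure, value in counts.items():
        print(f"{measure}: {value}")
    for entry in details["http_access_denied"]:
        print("denied URL", entry["Denied_url"], "by", entry["Denied_by_policy"])
```

The detailed-diagnosis dictionaries carry exactly the fields the page lists for each measure (User, NAT IP, vServer, Source, Destination, bytes sent and received, and the denying policy for non-HTTP denials; User, vServer, bytes sent, remote host, denied URL, and policy for HTTP denials), so the same parse serves both the counters and the drill-down.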