NetScaler – SSLVPN with DTLS 1.2 UDP


Overview

There is a great post from Ferroque Systems about enabling DTLS 1.2 on NetScaler for EDT with HDX. I tried that configuration for DTLS 1.2 within SSLVPN, so that the tunnel built by Citrix Secure Access runs over UDP and automatically falls back to TCP when UDP does not work. While doing so I noticed a difference in the ciphers that are accepted, which is what this quick post is about.

Configuration

Connection Tests with Wireshark

During the first tests I noticed that the connection was not using UDP. I had used the two DTLS 1.2 ciphers recommended in the article above, but the Wireshark capture taken during authentication and session initialization shows a Handshake Failure alert instead of a completed DTLS handshake:

So I ran a series of tests, adding and removing DTLS ciphers in my cipher group one at a time and checking the result again with Wireshark after each change.

My result: the two ciphers marked in red are the only ones that work with CSA (23.8.1.11) for DTLS 1.2. The first two in the list are the ones recommended for DTLS with HDX EDT and Citrix Workspace App, and they do not work for Secure Access.

Even with the latest CSA build 24.6.1.18, only these two ciphers are supported for building a successful DTLS 1.2 connection:

Wireshark again, now with these two ECDHE-RSA ciphers in the cipher group: the DTLS handshake completes and the tunnel comes up over UDP:
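The checks above come down to reading three things off the Wireshark capture: the DTLS version in the record header (0xFEFD is DTLS 1.2), the cipher suites the client offers in its ClientHello, and whether the gateway answers with a ServerHello or with a fatal alert of type handshake_failure (code 40). The following decoder is an added example written for this post; it is not NetScaler, Citrix or Wireshark code. The two captures at the bottom are constructed byte strings that mirror the two outcomes described above (a cipher mismatch answered by handshake_failure, and a successful ECDHE-RSA negotiation); the suite code points in those samples are placeholders and are not the ciphers marked in the screenshots.

```python
"""Decode plaintext DTLS 1.2 records (version, offered and selected cipher
suites, alerts) from a UDP payload, as you would read them in Wireshark.
Added example, not vendor code; the captures at the bottom are constructed."""
import struct

DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 3: "hello_verify_request",
                   11: "certificate", 12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 47: "illegal_parameter",
                      70: "protocol_version"}
# IANA code points for a few suites a NetScaler cipher group commonly carries (subset).
CIPHER_SUITES = {
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xC027: "ECDHE-RSA-AES128-SHA256",
    0xC028: "ECDHE-RSA-AES256-SHA384",
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
}

def suite_name(code):
    return CIPHER_SUITES.get(code, "0x%04X" % code)

def parse_client_hello(body):
    """Return the cipher suites offered in a DTLS ClientHello body."""
    pos = 2 + 32                      # client_version + random
    pos += 1 + body[pos]              # session_id
    pos += 1 + body[pos]              # DTLS-only cookie (from HelloVerifyRequest)
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    return [suite_name(c) for (c,) in struct.iter_unpack("!H", body[pos:pos + cs_len])]

def parse_server_hello(body):
    """Return the cipher suite the server selected."""
    pos = 2 + 32                      # server_version + random
    pos += 1 + body[pos]              # session_id
    return suite_name(struct.unpack_from("!H", body, pos)[0])

def parse_records(data):
    """Split a UDP payload into DTLS records and decode the unencrypted (epoch 0) ones."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 13:
            raise ValueError("truncated DTLS record header")
        ctype, version, epoch = struct.unpack_from("!BHH", data, off)
        seq = int.from_bytes(data[off + 5:off + 11], "big")          # 48-bit sequence number
        length = struct.unpack_from("!H", data, off + 11)[0]
        frag = data[off + 13:off + 13 + length]
        if len(frag) != length:
            raise ValueError("truncated DTLS record body")
        off += 13 + length
        rec = {"type": CONTENT_TYPES.get(ctype, ctype),
               "version": DTLS_VERSIONS.get(version, hex(version)), "epoch": epoch, "seq": seq}
        if ctype == 21 and epoch == 0:                                # alert: level, description
            rec["alert"] = (ALERT_LEVELS.get(frag[0], frag[0]), ALERT_DESCRIPTIONS.get(frag[1], frag[1]))
        elif ctype == 22 and epoch == 0:                              # 12-byte DTLS handshake header
            msg_type = frag[0]
            frag_len = int.from_bytes(frag[9:12], "big")
            body = frag[12:12 + frag_len]
            rec["handshake"] = HANDSHAKE_TYPES.get(msg_type, msg_type)
            if msg_type == 1:
                rec["offered"] = parse_client_hello(body)
            elif msg_type == 2:
                rec["selected"] = parse_server_hello(body)
        records.append(rec)
    return records

def handshake_outcome(records):
    """Summarise a capture: the negotiated suite, or the fatal alert that ended the handshake."""
    for rec in records:
        if rec.get("alert", (None,))[0] == "fatal":
            return "fatal " + str(rec["alert"][1])
        if "selected" in rec:
            return "negotiated " + rec["selected"]
    return "incomplete"

# --- builders used only to construct the sample captures below ---
def record(ctype, frag, epoch=0, seq=0):
    return struct.pack("!BHH", ctype, 0xFEFD, epoch) + seq.to_bytes(6, "big") + struct.pack("!H", len(frag)) + frag

def handshake(msg_type, body, msg_seq=0):
    hdr = bytes([msg_type]) + len(body).to_bytes(3, "big") + struct.pack("!H", msg_seq)
    hdr += (0).to_bytes(3, "big") + len(body).to_bytes(3, "big")     # fragment_offset, fragment_length
    return record(22, hdr + body)

def client_hello(suites):
    body = b"\xfe\xfd" + b"\x11" * 32 + b"\x00" + b"\x00"            # version, random, no session id, no cookie
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    return handshake(1, body + b"\x01\x00")                            # one compression method: null

def server_hello(suite):
    return handshake(2, b"\xfe\xfd" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00")

# Constructed captures (placeholder suites): a cipher mismatch answered by a fatal
# handshake_failure alert, and a successful ECDHE-RSA negotiation.
MISMATCH_CAPTURE = client_hello([0xC02B, 0xC02C]) + record(21, bytes([2, 40]), seq=1)
SUCCESS_CAPTURE = client_hello([0xC02F, 0xC030]) + server_hello(0xC030)

if __name__ == "__main__":
    for name, cap in (("mismatch", MISMATCH_CAPTURE), ("success", SUCCESS_CAPTURE)):
        recs = parse_records(cap)
        print(name, recs[0]["version"], recs[0].get("offered"), "->", handshake_outcome(recs))
```

To use it on a real trace, export the UDP payload of each DTLS packet from Wireshark (or read it with a pcap library) and feed the bytes to parse_records; only epoch-0 records are decoded, since everything after ChangeCipherSpec is encrypted. A "fatal handshake_failure" right after the ClientHello is the signature of a cipher-group mismatch, and Secure Access will then fall back to TCP without telling the user why.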

Summary

Just a quick post to validate: in the case of DTLS there is no feature parity between Workspace App and Secure Access Client, unfortunately. Practically, if one cipher group serves both HDX EDT and SSLVPN on the same NetScaler, make sure it also contains the ECDHE-RSA ciphers that Secure Access accepts, and verify with Wireshark that the tunnel really comes up over UDP; otherwise the client silently falls back to TCP and you lose the benefit without any visible error.
