microsoft / CSS-Exchange

Exchange Server support tools and scripts
MIT License

Exchange Extended Protection & Netscaler Content Switching #1463

Closed Deas-h closed 1 year ago

Deas-h commented 1 year ago

Can someone please clarify the known issue "SSL offloading or SSL termination via Layer 7 load balancing" in combination with Netscaler Content Switching?

https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/

I read a lot about this and wording is always a little bit different which makes understanding the impact not easy. We use Citrix Netscaler Content Switching without SSL Offloading. We use the same certificate on Netscaler and Exchange. I also talked to our network guy and he is also not sure if Content Switching blocks us from using Extended Protection.

Would it be possible for someone to be a little bit more specific about content switching?

If I enable it and it is not working with our setup - can I go back without any problem with the script?

Thanks a lot for your help!

bill-long commented 1 year ago

I'll take a stab at this. I read the Content Switching doc I found here: https://docs.citrix.com/en-us/citrix-adc/current-release/content-switching.html

Note the doc states the following: "Content switching can be used with HTTP, HTTPS, TCP, and UDP connections. For HTTPS, you must enable SSL Offload." So, I'm a bit confused about the statement that it is being used without SSL Offload.

Since Content Switching involves looking at the HTTP request, that means TLS must be terminating at the Netscaler, because it must open up the TLS stream and read the HTTP method and such. That means that the Channel Binding Token is invalid when the request is sent on to the Exchange server, even if a new TLS connection is established from the Netscaler to Exchange using the same cert. This is exactly the type of man-in-the-middle scenario that Extended Protection is intended to protect against. Thus, I would expect that Extended Protection cannot be used in this scenario.

If there is indeed a way to use Content Switching without terminating the TLS session in the middle - for example, if Content Switching can act purely based on source IP or something else exposed at the TCP layer and leave the TLS session untouched - then it's possible Extended Protection could work in that type of configuration. However, the docs imply it's not possible to do that.

@tweekerz @lusassl-msft Can I get a sanity check on the above? Does this sound right?

Deas-h commented 1 year ago

Thanks for your reply! You exactly hit what I am thinking about...

My understanding for SSL Offloading is, that the connection is terminated on Netscaler and the backend connection from Netscaler to Exchange is HTTP. This is not the case in our setup! And also the official site has this understanding I think:

https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/

[screenshot]

[screenshot]

Here is a guide on how to set up Content Switching with Netscaler. We didn't follow this specific guide, but it shows how the configuration works.

https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/

My understanding of what I wrote so far would be, that it should work. But when I start the script, I get this warning:

Known Issues: Following scenarios will not work when Extended Protection is enabled. SSL offloading or SSL termination via Layer 7 load balancing

Our Network guy said Content Switching is kind of Layer 7 as we check the URL and redirect the request to the correct backend as you can see in the setup guide I linked above. And we also terminate the SSL connection on Netscaler, but the backend connection is again SSL.

After reading and thinking about all this information, I am really not sure if this would work or not. Unfortunately I have no test environment, and just because the documentation states going back is easy, it need not be the case in this scenario.

Thanks a lot for your help!

lusassl-msft commented 1 year ago

@bill-long I read the same as you regarding SSL offloading. It will be performed on the device in the middle and not on the Exchange server. My understanding of this is that it can be considered as SSL bridging, which should work if the same certificate is used on the device in the middle (Netscaler for example) and Exchange Server. The channel binding token (CBT) is a hash of the certificate which is used and therefore it must be the same on all devices, otherwise Exchange would reject the connection. But let me double-check internally.
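The certificate-hash argument in the comment above, as an added illustration that is not part of the thread and not Microsoft's or Citrix's code: RFC 5929 defines the tls-server-end-point channel binding as a hash of the server certificate's DER encoding, which is the binding Windows Extended Protection for Authentication uses for its CBT. The script below computes that binding and models the setups discussed here (Layer 4 passthrough, SSL bridging with the same or a different certificate, and SSL offload to a plain-HTTP backend). The certificate bytes are constructed placeholders rather than real DER, and `exchange_accepts` is a simplified model of the check, not Exchange's implementation.

```python
from __future__ import annotations

import hashlib
import hmac

# RFC 5929 section 4.1: the tls-server-end-point binding hashes the server
# certificate's DER encoding with the certificate's signature hash, except
# that MD5 and SHA-1 are replaced by SHA-256.
_RFC5929_HASH_OVERRIDE = {"md5": "sha256", "sha1": "sha256"}


def tls_server_end_point_cb(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """Return the tls-server-end-point channel binding for a server certificate."""
    name = _RFC5929_HASH_OVERRIDE.get(sig_hash.lower(), sig_hash.lower())
    return hashlib.new(name, cert_der).digest()


def exchange_accepts(client_seen_cert: bytes, backend_cert: bytes | None) -> bool:
    """Simplified model of the Extended Protection CBT check (an assumption made
    for this example, not Exchange's code): the client derives its CBT from the
    certificate it was shown and sends it inside the authentication exchange;
    the server derives its own CBT from the certificate on the TLS connection it
    terminated and requires the two to match. A plain-HTTP backend hop has no
    certificate, so there is nothing to compare against."""
    if backend_cert is None:
        return False
    client_cbt = tls_server_end_point_cb(client_seen_cert)
    server_cbt = tls_server_end_point_cb(backend_cert)
    return hmac.compare_digest(client_cbt, server_cbt)


# Constructed placeholder certificate bytes (not real DER); only distinctness matters.
EXCHANGE_CERT = b"constructed-cert-for-mail.example.com-shared-by-LB-and-Exchange"
LB_ONLY_CERT = b"constructed-cert-for-mail.example.com-issued-only-to-the-LB"


def run_scenarios() -> dict[str, bool]:
    """Evaluate the load balancer setups discussed in the thread."""
    return {
        # Layer 4 passthrough: the client sees Exchange's own certificate.
        "l4_passthrough": exchange_accepts(EXCHANGE_CERT, EXCHANGE_CERT),
        # SSL bridging with the same certificate on the device and Exchange:
        # the client is shown the same certificate, so both CBTs agree.
        "ssl_bridging_same_cert": exchange_accepts(EXCHANGE_CERT, EXCHANGE_CERT),
        # SSL bridging with a different certificate on the device: the CBT the
        # client computed no longer matches the one Exchange computes.
        "ssl_bridging_different_cert": exchange_accepts(LB_ONLY_CERT, EXCHANGE_CERT),
        # SSL offload: the backend hop is plain HTTP, so there is no certificate to bind to.
        "ssl_offload_http_backend": exchange_accepts(EXCHANGE_CERT, None),
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario:30s} {'accepted' if ok else 'rejected'}")
```

Note that the model cannot tell Layer 4 passthrough from bridging with a shared certificate: in both cases the client was shown the certificate Exchange terminates with, which is exactly why the shared-certificate requirement is the deciding factor rather than whether a device sits in the middle.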

bill-long commented 1 year ago

@lusassl-msft @Deas-h Based on a discussion in an email thread, the consensus seems to be that Extended Protection should actually work as long as the Exchange server and the device have the same certificate.

Deas-h commented 1 year ago

@bill-long Thanks for clarifying this! I will do the change next week in a maintenance window and update this thread about the result.

@All - thanks a lot for your help!!!

Deas-h commented 1 year ago

I can confirm now that Citrix Netscaler LB with Exchange Content Switching configuration is working with Extended Protection. In the meantime I was also in contact with Frank Carius from MSXFAQ and he said that he implemented Extended Protection successfully with KEMP. He also confirmed what @lusassl-msft said - the important part is that the certificate used MUST be the same on the load balancer and Exchange. With this prerequisite it should work on all load balancers.

I think it would be helpful for others if you could use this information to update the documentation about SSL bridging and "SSL termination via Layer 7 load balancing".

Thanks again for your help!!!

lusassl-msft commented 1 year ago

Assigned to @tweekerz to update the documentation

lusassl-msft commented 1 year ago

@Deas-h we have the following wording in the EP documentation. Please let us know if this is sufficient:

SSL Bridging supported scenarios section:

Extended Protection is supported in environments that use SSL Bridging under certain conditions. To enable Extended Protection in your Exchange environment using SSL Bridging, you must use the same SSL certificate on Exchange and your Load Balancers. If not, this will cause Extended Protection to fail.

Q&A section:

Q: While we understand that preventing MitM attacks is important, can we have our own devices in the middle with our own certificates?
A: If the device uses the same certificate as the Exchange Server, they can be used.

Deas-h commented 1 year ago

Thanks for the wording - I think this explains everything and makes clear what the important part is!

Thanks again for your help!!!

lusassl-msft commented 1 year ago

Okay, great. Thanks for your feedback and feel free to reach out to us if you have any further feedback.

TimoGT commented 7 months ago

@Deas-h - I am looking at implementing this, and wanted to confirm your results: If the CSVS and LBVS's all have their protocol set to 'SSL', and the same certificate is loaded in the NetScaler and Exchange servers, then you were able to enable Extended Protection successfully?

Deas-h commented 7 months ago

My LBVS is SSL, my CSVS is SSL and they all use the same certificate. YES, Extended Protection has been working without a problem in this setup for more than one year.

I already confirmed this in a post above: https://github.com/microsoft/CSS-Exchange/issues/1463#issuecomment-1409911092

SivaMulpuru commented 7 months ago

@Deas-h, just for clarity: the CS vs bound cert needs to match with Exchange, right? Nothing to do with the SSL profile/cert on service groups?

Deas-h commented 7 months ago

LBVS, CSVS and Exchange all have the same certificate bound to them. Service Groups don't have a cert bound to them.

SivaMulpuru commented 7 months ago

Thanks @Deas-h

TimoGT commented 7 months ago

Thanks @Deas-h - appreciate your response.