Measures reported by NSsslVpnTest
The SSL VPN provides remote users with access to authorized resources on a private intranet over a secure connection. Which resources a user may reach is governed by security policies that the policy engine on the NetScaler appliance enforces. A large number of resource accesses (HTTP or non-HTTP) denied through the SSL VPN does not by itself mean the appliance is vulnerable; each denial is a policy doing its job. It does mean one of two things, both of which deserve attention: either the authorization policies are misconfigured, so that legitimate users are being blocked and experience the SSL VPN as slow or broken, or users (or sessions running under their credentials) are repeatedly trying to reach resources they are not entitled to, which may indicate probing or a compromised account. Either way, administrators should keep a close watch on the errors that occur when resources are accessed through the SSL VPN. The NSsslVpnTest test helps administrators in this regard.
Using this test, administrators can be proactively alerted to the number of HTTP and non-HTTP resource accesses denied by the policy engine, and to the number of times the client security check performed by the Client Computer Security Check plug-in for an SSL VPN failed.
For this test to run and report metrics, the NetScaler appliance must be configured to send its audit log to a remote Syslog server, where the details of all interactions with the appliance (including SSL VPN access denials and client security check results) are written to a Syslog file that the test reads. For instructions on configuring the Syslog server on which this file is created, refer to the Syslog configuration topic for the NetScaler appliance.
Outputs of the test: One set of results for the NetScaler appliance being monitored
The measures made by this test are as follows:
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| non_http_denied | Indicates the number of non-HTTP resource accesses (connections to intranet applications over protocols other than HTTP) that were denied by the policy engine. | Number | A denial means the policy engine evaluated the SSL VPN authorization policies for the session and the matching policy's action was to refuse the access; the background on the policy engine and packet engine below explains where these denials originate. The detailed diagnosis of this measure, if enabled, lists the User, NAT IP, vServer, Source, Destination, the data sent, the data received and the policy that denied access to the non-HTTP resource. Use it to distinguish a misconfigured policy (many users blocked from the same destination) from a user or session probing resources it is not entitled to (one user blocked from many destinations). |
| http_access_denied | Indicates the number of HTTP resource accesses that were denied by the policy engine. | Number | The detailed diagnosis of this measure, if enabled, lists the User, vServer, the data sent, the name of the remote host, the denied URL, and the policy that denied access to the HTTP resource. The denied URL and the policy name together show whether the policy is broader than intended or whether a user is repeatedly requesting URLs outside their entitlement. |
| cs_check_sslvpn_fails | Indicates the number of times the client computer security check for an SSL VPN failed. | Number | The SSL VPN administrator can configure the Client Computer Security Check plug-in to enforce a security policy on the client computer. Such a policy is typically meant to ensure that required security applications (personal firewalls, anti-virus packages, or customized applications and services) are installed and running. The plug-in performs a security check to verify that the policy is met, once at login to the SSL VPN and, if the administrator has so configured it, at periodic intervals during an active session. If the check fails at login, the client is denied access to the SSL VPN even though it authenticated successfully; if the check fails during an active session, the user is disconnected. Frequent failures are a cause for concern, whether because endpoints are out of compliance or because the check no longer matches the software actually deployed, and administrators should investigate and rectify them as soon as possible. |
| cs_expr_eval_fails | Indicates the number of times the client security expression for an SSL VPN evaluated to false. | Number | Ideally, the value of this measure should be zero. A non-zero value means client computers are not meeting the configured client security expression; check whether the affected endpoints are out of compliance or whether the expression itself needs updating. |

Background: the policy engine and the packet engine

The Policy Engine (PE) provides a common framework for creating policy expressions that can be used by any feature of the Citrix NetScaler Application Switch; the term refers to the architecture of NetScaler releases up to 8.x. The features that use policies are Load Balancing, Content Switching, Content Filtering, AppCompress, Cache Redirection, SSL VPN, Priority Queuing, DoS Protection and Sure Connect.

A policy consists of an expression and an action. Expressions are shared among the features on the switch; actions are feature-specific. For example, an expression can identify certain file types being processed by the NetScaler, and the feature-specific action can compress or optimize those files. For the SSL VPN, the action decides whether a resource access is allowed or denied, and each denial is counted by the measures above.

The packet engine performs TCP/IP processing, optimization and acceleration of packets, and it also enforces the security policies. It runs continuously, taking packets in, handling them according to the applicable policies and putting them back on the wire. With nCore technology an entire instance of the NetScaler packet engine runs on each processor core, as a kernel component of the NetScaler. The packet processing engine is responsible for all load balancing, acceleration, server offload and security tasks.
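The following is an added example, not eG Enterprise's NSsslVpnTest code, showing how the four measures above and the detailed-diagnosis records for the two denial measures can be derived from the NetScaler Syslog file. The sample log lines are constructed and their layout only approximates the NetScaler audit log format; the field names (Nat_ip, Vserver, Source, Destination, Total_bytes_send, Total_bytes_recv, Remote_host, Denied_url, Denied_by_policy) and the threshold helper are assumptions made for the example.

```python
"""Count SSL VPN policy denials and client security check failures from
NetScaler-style syslog lines.

Added example, not eG Enterprise's NSsslVpnTest code. The sample lines are
constructed and only approximate the NetScaler audit log layout; the field
names below are assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# SSLVPN audit message types mapped to the four measures reported by the test.
MEASURE_FOR_MSGTYPE = {
    "NONHTTP_RESOURCEACCESS_DENIED": "non_http_denied",
    "HTTP_RESOURCEACCESS_DENIED": "http_access_denied",
    "CLISEC_CHECK": "cs_check_sslvpn_fails",
    "CLISEC_EXP_EVAL": "cs_expr_eval_fails",
}

# Detailed-diagnosis columns listed for each denial measure, mapped to the
# assumed log field names.
DIAGNOSIS_COLUMNS = {
    "non_http_denied": [
        ("User", "User"), ("NAT IP", "Nat_ip"), ("vServer", "Vserver"),
        ("Source", "Source"), ("Destination", "Destination"),
        ("Data sent", "Total_bytes_send"), ("Data received", "Total_bytes_recv"),
        ("Policy", "Denied_by_policy"),
    ],
    "http_access_denied": [
        ("User", "User"), ("vServer", "Vserver"), ("Data sent", "Total_bytes_send"),
        ("Remote host", "Remote_host"), ("Denied URL", "Denied_url"),
        ("Policy", "Denied_by_policy"),
    ],
}

# Constructed sample (assumed layout):
# "<timestamp> <appliance ip> PPE-<core> : default SSLVPN <TYPE> <id> 0 : <field> <value> - <field> <value> ..."
SAMPLE_LOG = """\
03/14/2024:10:01:07 GMT 10.0.0.5 PPE-0 : default SSLVPN LOGIN 101 0 : Context alice@203.0.113.10 - SessionId 7 - User alice - Client_ip 203.0.113.10 - Nat_ip 10.0.0.50 - Vserver 10.0.0.5:443 - Group(s) "Staff"
03/14/2024:10:01:09 GMT 10.0.0.5 PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 102 0 : Context alice@203.0.113.10 - SessionId 7 - User alice - Nat_ip 10.0.0.50 - Vserver 10.0.0.5:443 - Source 203.0.113.10:51012 - Destination 10.10.1.20:3389 - Total_bytes_send 512 - Total_bytes_recv 0 - Denied_by_policy "deny_rdp"
03/14/2024:10:01:12 GMT 10.0.0.5 PPE-0 : default SSLVPN HTTP_RESOURCEACCESS_DENIED 103 0 : Context alice@203.0.113.10 - SessionId 7 - User alice - Vserver 10.0.0.5:443 - Total_bytes_send 940 - Remote_host intranet.example.internal - Denied_url /admin/users - Denied_by_policy "deny_admin_urls"
03/14/2024:10:02:30 GMT 10.0.0.5 PPE-0 : default SSLVPN CLISEC_CHECK 104 0 : Context bob@198.51.100.7 - SessionId 8 - User bob - Client_ip 198.51.100.7 - Vserver 10.0.0.5:443 - Client security check failed
03/14/2024:10:02:31 GMT 10.0.0.5 PPE-0 : default SSLVPN CLISEC_EXP_EVAL 105 0 : Context bob@198.51.100.7 - SessionId 8 - User bob - Client security expression evaluated to FALSE
03/14/2024:10:03:00 GMT 10.0.0.5 PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 106 0 : Context alice@203.0.113.10 - SessionId 7 - User alice - Nat_ip 10.0.0.50 - Vserver 10.0.0.5:443 - Source 203.0.113.10:51020 - Destination 10.10.1.21:22 - Total_bytes_send 128 - Total_bytes_recv 0 - Denied_by_policy "deny_ssh"
03/14/2024:10:03:05 GMT 10.0.0.5 PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 107 0 : not an SSL VPN event, must be ignored
"""

SSLVPN_RE = re.compile(r"SSLVPN (?P<type>[A-Z_]+) \d+ \d+ : (?P<body>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Return {"type": <message type>, "fields": {...}} for an SSLVPN audit line,
    or None for anything else (other features, blank or malformed lines)."""
    m = SSLVPN_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for part in m.group("body").split(" - "):
        key, _, value = part.strip().partition(" ")
        if key:
            fields[key] = value.strip().strip('"')
    return {"type": m.group("type"), "fields": fields}


def count_measures(log_text: str) -> Dict[str, int]:
    """The four measure values for one collection interval; every measure is
    present even when it is zero, as the test reports it."""
    counts = {measure: 0 for measure in MEASURE_FOR_MSGTYPE.values()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["type"] in MEASURE_FOR_MSGTYPE:
            counts[MEASURE_FOR_MSGTYPE[rec["type"]]] += 1
    return counts


def detailed_diagnosis(log_text: str, measure: str) -> List[Dict[str, str]]:
    """Detailed-diagnosis rows for a denial measure, one per denied access,
    with the columns the test lists for that measure."""
    columns = DIAGNOSIS_COLUMNS[measure]
    wanted = {t for t, m in MEASURE_FOR_MSGTYPE.items() if m == measure}
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["type"] in wanted:
            rows.append({col: rec["fields"].get(field, "") for col, field in columns})
    return rows


def denials_per_user(log_text: str) -> Counter:
    """Resource-access denials (HTTP and non-HTTP) per user. Client security
    check events are session-level, not per resource, so they are not counted."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["type"] in ("HTTP_RESOURCEACCESS_DENIED", "NONHTTP_RESOURCEACCESS_DENIED"):
            counts[rec["fields"].get("User", "<unknown>")] += 1
    return counts


def users_over_threshold(log_text: str, threshold: int) -> List[str]:
    """Users whose denial count reaches the (assumed) alert threshold: the
    accounts to look at first when deciding whether the policy or the user is the problem."""
    return sorted(u for u, n in denials_per_user(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for measure, value in count_measures(SAMPLE_LOG).items():
        print(f"{measure}: {value}")
    for row in detailed_diagnosis(SAMPLE_LOG, "non_http_denied"):
        print(row)
    print("users at or over 3 denials:", users_over_threshold(SAMPLE_LOG, 3))
```

Lines that do not carry an SSLVPN message type are skipped rather than counted, so a Syslog file that mixes in events from other NetScaler features does not inflate the measures; the per-user breakdown is the quickest way to separate a policy that blocks everyone from one account that is blocked everywhere.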