SSL revocation issues for devices without internet access

Posted on 2013-10-25
Medium Priority
Last Modified: 2016-10-25
Hi all,

We are using a Citrix NetScaler to provide users with access to a Citrix Web Interface.  We have setup a publicly verifiable SSL from GoDaddy to encrypt traffic on the NetScaler.  From an internet location, this works great.

We also have users that access this same NetScaler location on our LAN.  We do not provide direct internet access to the LAN.  Many of our devices our WYSE terminals (mostly model T50).  These device will not load our Citrix web page as they cannot complete the SSL revocation process.

I am wondering what the best way to resovle this problem would be?  I have considered setting up a different Citrix site, but I was wondering if there was a way to resolve this issue.

Any thoughts?
Question by:Tat4Tat
LVL 25

Expert Comment

by:Dirk Kotte
ID: 39604264
CRL's are an essential component when using certificates.
if the client can't reach a CRL distribution point, so he should not use this certificate.

i think there are some options:
allow internet-access to the CRL or create a second virtual server at the netscaler and use an internal CA.

(possible you can disable the CRL-checking at the thin-client)
LVL 33

Accepted Solution

shalomc earned 1500 total points
ID: 39607277
You can setup a web server on a VM or internal server, download the CRL to it, and spoof the specific CRL FQDN with your internal DNS. Most if not all CRL are http only so it is easy to get away with it.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
Ransomware - Defeated! Client opened the wrong email and was attacked by Ransomware. I was able to use file recovery utilities to find shadow copies of the encrypted files and make a complete recovery.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

586 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question