Get an A+ rating score on NetScaler 11.1

Whilst this guide specifically uses NetScaler v11.1 many of the tweaks that secure the NetScaler configuration can be applied to prior versions. This guide shows how to obtain an A+ rating score from SSL Labs for your NetScaler Gateway vServer.

When we build a NetScaler Gateway vServer by default and run it through SSL Labs you get a “C” score.1-minSome of the reasons you get a grade of C are due to SSLv3 being enabled which is prone to various vulnerabilities. Another is due to Secure Renegotiation not being available. Certificates issued to the NetScaler Gateway vServer should be SHA2 issued certificates including the intermediate certificate. That is not covered here however does affect the score and if you are getting a grade worse than C that may be why.2-minFirstly on the NetScaler you want to replace the default ciphers offered by the NetScaler Gateway vServer with more secure cipher suites. Navigate to the NetScaler and browse to Traffic Management -> SSL -> Cipher Groups -> Add. 3-minSpecify a name for the Cipher Group. Click Add. 4-minMove all secure cipher suites to the right. I’m selecting all TLS 1.2 suites. You can look on the internet for a list of secure cipher suites available today. Save the new Ciphher Group.5-minNavigate to your NetScaler Gateway vServer and click edit on SSL Ciphers. 6-minClick the minus symbol beside DEFAULT. 7-minNow click on Cipher Groups. 8-minUse the dropdown to select the newly created Cipher Group and click OK. 9-minSecure_Cipher_Group is the only group you should now see in the list. If Default is still showing in the list go in and remove it again. 10-minNext click edit on SSL Parameters. 11-minYou want to disable SSL protocols such as SSLv3 so uncheck unsecure protocols. 12-minI’m leaving TLSv1.2 as the only available protocol NetScaler Gateway will use this protocol only when negotiating a secure connection with an end-users browser. Click OK. 13-minClick Done. 14-minNow SSL Labs is reporting as A-. Still some work to do. 15-minNotice that the NetScaler Gateway is no longer subject to possible attacks such as POODLE. Secure Renegotiation still is an issue though so we will tackle that next.16-minNavigate back to the NetScaler Gateway. Under SSL Profile nothing will be selected by default. Click + and add the default SSL Profile. Now click the edit button. 17-minChange Deny SSL Renegotiation to ALL. It should be ALL by default. Save your configuration. Still A- but the Secure Renegotiation warning is gone. Let’s tackle Forward Secrecy next. 19-minNavigate back to the Cipher Group you created earlier. You want to move all ECDHE Cipher Suits to the top so that the NetScaler Gateway will offer these to servers first. The ECDHE (Elliptic Curve Ephemeral diffie-Hellman) ciphers include Forward Secrecy. Click OK. 20-minNow SSL Labs reports A. Getting there. 21-minTo get that A+ rating all that is left to do is to implement a rewrite action to insert a Strict Transport Security header in to the response headers.

If using NetScaler 12.0 build 41.16+ you can enable HSTS directly at the vServer level under SSL Parameters or within an SSL Profile.

If you are using versions previous to 12.41.16, Navigate to AppExpert -> Rewrite -> Actions -> Add. 22-minSupply a name, choose INSERT_HTTP_HEADER under Type and under Header Name type Strict-Transport-Security. Under Expression enter “max-age=157680000”. Click Create. 23-minNow navigate to Policies -> Add. Supply a name, specify the action we just created and enter true under Expression.Click Create. 24-minNext navigate to the NetScaler Gateway vServer, under Policies click +. 25-minChoose Rewrite and Reponse. Click Continue. 26-minSelect the Insert-HTS-Header Policy. Click Bind. 27-minAnd there you have it. A+ on the NetScaler Gateway. 28-min


  • Boris Groenhout

    April 25, 2017

    For security reasons I will advice to set the Deny SSL Renegotiation value to FONTEND_CLIENT instead of NONSECURE.

    In CTX 123680 Citrix advice us to change Deny SSL Renegotiation to ALL. At least you need to change to NONSECURE, better FRONTEND_CLIENT, but ALL would be best.

    • George Spiers

      April 25, 2017

      You are right. ALL is the default setting and most secure.


Leave a Reply