Whilst this guide specifically uses NetScaler v11.1, many of the tweaks that secure the NetScaler configuration can be applied to prior versions. This guide shows how to obtain an A+ rating from SSL Labs for your NetScaler Gateway vServer.
When you build a NetScaler Gateway vServer with the default settings and run it through SSL Labs, you get a “C” score. Some of the reasons for the C grade are that SSLv3 is enabled, which is prone to various vulnerabilities, and that Secure Renegotiation is not available. Certificates issued to the NetScaler Gateway vServer should be SHA2 certificates, including the intermediate certificate. That is not covered here, but it does affect the score, and if you are getting a grade worse than C that may be why.

Firstly, on the NetScaler you want to replace the default ciphers offered by the NetScaler Gateway vServer with more secure cipher suites. Navigate to the NetScaler and browse to Traffic Management -> SSL -> Cipher Groups -> Add. Specify a name for the Cipher Group (Secure_Cipher_Group in this guide). Click Add. Move all secure cipher suites to the right. I’m selecting all TLS 1.2 suites. You can look on the internet for a list of secure cipher suites available today. Save the new Cipher Group.

Navigate to your NetScaler Gateway vServer and click edit on SSL Ciphers. Click the minus symbol beside DEFAULT. Now click on Cipher Groups. Use the dropdown to select the newly created Cipher Group and click OK. Secure_Cipher_Group is the only group you should now see in the list. If DEFAULT is still showing in the list, go in and remove it again. Next click edit on SSL Parameters. You want to disable insecure SSL protocols such as SSLv3, so uncheck them. I’m leaving TLSv1.2 as the only available protocol; NetScaler Gateway will then use only this protocol when negotiating a secure connection with an end user’s browser. Click OK. Click Done. Now SSL Labs is reporting A-. Still some work to do. Notice that the NetScaler Gateway is no longer subject to attacks such as POODLE. Secure Renegotiation is still an issue though, so we will tackle that next.

Navigate back to the NetScaler Gateway. Under SSL Profile nothing will be selected by default. Click + and add the default SSL Profile. Now click the edit button. Change Deny SSL Renegotiation to ALL. It should be ALL by default. Save your configuration. Still A-, but the Secure Renegotiation warning is gone.

Let’s tackle Forward Secrecy next. Navigate back to the Cipher Group you created earlier. You want to move all ECDHE cipher suites to the top so that the NetScaler Gateway prefers these when negotiating. The ECDHE (Elliptic Curve Ephemeral Diffie-Hellman) suites provide Forward Secrecy. Click OK. Now SSL Labs reports A. Getting there. To get that A+ rating, all that is left to do is to implement a rewrite action to insert a Strict-Transport-Security header into the response headers.
If you are using NetScaler 12.0 build 41.16 or later, you can enable HSTS directly at the vServer level under SSL Parameters or within an SSL Profile.
If you are using a version earlier than 12.0 build 41.16, navigate to AppExpert -> Rewrite -> Actions -> Add. Supply a name, choose INSERT_HTTP_HEADER under Type and under Header Name type Strict-Transport-Security. Under Expression enter “max-age=157680000”. Click Create. Now navigate to Policies -> Add. Supply a name, specify the action we just created and enter true under Expression. Click Create. Next navigate to the NetScaler Gateway vServer and, under Policies, click +. Choose Rewrite and Response. Click Continue. Select the Insert-HTS-Header Policy. Click Bind. And there you have it: A+ on the NetScaler Gateway.
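As an added check that is not part of the original guide, the Python below models the four gaps the steps above close (SSLv3, renegotiation, ECDHE-first ordering for Forward Secrecy, and an HSTS max-age of at least 180 days, which is the SSL Labs threshold for A+) and approximates the C -> A- -> A -> A+ progression the guide reports. The GatewayTls fields, the sample cipher names and the grade mapping are assumptions that mirror the guide's narrative, not SSL Labs' actual rating algorithm.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

HSTS_MIN_AGE = 180 * 24 * 3600  # SSL Labs needs HSTS max-age >= 180 days for A+

@dataclass
class GatewayTls:
    protocols: Set[str]         # protocols ticked under SSL Parameters
    ciphers: List[str]          # suites bound to the vServer, in offer order
    deny_ssl_reneg: str         # SSL profile "Deny SSL Renegotiation" value
    hsts_header: Optional[str]  # Strict-Transport-Security value sent, if any

def hsts_max_age(value: Optional[str]) -> Optional[int]:
    """Return the max-age directive of an HSTS header value, or None."""
    if not value:
        return None
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def findings(cfg: GatewayTls) -> List[str]:
    """List the gaps the guide closes, in the order it closes them."""
    gaps = []
    if "SSLv3" in cfg.protocols:
        gaps.append("SSLv3 enabled (POODLE)")
    if cfg.deny_ssl_reneg.upper() != "ALL":
        gaps.append("insecure renegotiation not denied")
    if not cfg.ciphers or "ECDHE" not in cfg.ciphers[0].upper():
        gaps.append("no forward secrecy: first offered suite is not ECDHE")
    age = hsts_max_age(cfg.hsts_header)
    if age is None or age < HSTS_MIN_AGE:
        gaps.append("HSTS missing or max-age below 180 days")
    return gaps

def grade(cfg: GatewayTls) -> str:
    """Approximate the C -> A- -> A -> A+ progression the guide reports."""
    gaps = findings(cfg)
    if any("SSLv3" in g for g in gaps):
        return "C"
    if any("renegotiation" in g or "forward secrecy" in g for g in gaps):
        return "A-"
    return "A" if gaps else "A+"

# Constructed sample (assumed values): the vServer after every step in the guide.
HARDENED = GatewayTls(
    protocols={"TLSv1.2"},
    ciphers=["TLS1.2-ECDHE-RSA-AES256-GCM-SHA384", "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256"],
    deny_ssl_reneg="ALL",
    hsts_header="max-age=157680000",  # the value the guide's rewrite action inserts
)
print(grade(HARDENED), findings(HARDENED))  # prints "A+ []"
```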