Get an A+ rating score on NetScaler 11.1-12.1

Whilst this guide specifically uses NetScaler v11.1 many of the tweaks that secure the NetScaler configuration can be applied to prior versions or later versions. This has also been tested on NetScaler 12.0.57.24. This guide shows how to obtain an A+ rating score from SSL Labs for your NetScaler Gateway vServer.

When we build a NetScaler Gateway Virtual Server with default settings and run it through SSL Labs you get a C score.1-min

Some of the reasons you get a grade of C are due to SSLv3 being enabled which is prone to various vulnerabilities. Another reason is due to Secure Renegotiation not being available. Certificates issued to the NetScaler Gateway vServer should be SHA2 issued certificates (same applies for the intermediate certificate). Cerificates are not covered here however they do affect the score and if you are getting a grade worse than C that may be why.2-min

Firstly on NetScaler you want to replace the default ciphers offered by the NetScaler Gateway vServer with more secure cipher suites. On NetScaler browse to Traffic Management -> SSL -> Cipher Groups -> Add. 3-min

Specify a name for the Cipher Group. Click Add. 4-min

Move all secure ciphers to the right. I’m selecting all TLS 1.2 suites. You can search on the internet for a list of the latest secure cipher suites available today. Save the new Cipher Group.5-min

Navigate to your NetScaler Gateway vServer and click edit beside SSL Ciphers. 6-min

Click the minus symbol beside DEFAULT. 7-min

Now click on Cipher Groups. 8-min

Use the dropdown to select the newly created Cipher Group and click OK. 9-min

Secure_Cipher_Group is the only group you should now see in the list. If Default is still showing in the list remove it. 10-min

Next click edit on SSL Parameters. 11-min

You want to disable SSL protocols such as SSLv3 so uncheck unsecure protocols.12-min

I’m leaving TLSv1.2 as the only available protocol. NetScaler Gateway will use this protocol only when negotiating a secure connection with an end-users browser. Click OK. 13-min

Click Done. 14-min

Now SSL Labs is reporting as A-. Still some work to do. 15-min

Notice that the NetScaler Gateway is no longer subject to possible attacks such as POODLE. Secure Renegotiation is still is an issue though so we will tackle that next.16-min

Navigate back to the NetScaler Gateway. Under SSL Profile nothing will be selected by default. Click + and add the default SSL Profile. Now click the edit button. 17-min

Change Deny SSL Renegotiation to NONSECURE. It should be ALL by default. Also uncheck protocols such as SSL3 from the SSL Profile. I am only allowing TLS 1.2. Save your configuration.

A- now but the Secure Renegotiation warning is gone. Let’s tackle Forward Secrecy next. 19-min

Navigate back to the Cipher Group you created earlier. You want to move all ECDHE Ciphers to the top so that the NetScaler Gateway will offer these to connecting clients first. The ECDHE (Elliptic Curve Ephemeral diffie-Hellman) ciphers include Forward Secrecy. Click OK. 20-min

Now SSL Labs reports A. Getting there. 21-min

To get that A+ rating all that is left to do is to implement a rewrite action to insert a Strict Transport Security header in to the response headers.

Note: If using NetScaler 12.0 build 41.16+ you can enable HSTS directly at the vServer level under SSL Parameters or within an SSL Profile.

 

If you are using versions previous to 12.41.16, Navigate to AppExpert -> Rewrite -> Actions -> Add. 22-min

 

Supply a name, choose INSERT_HTTP_HEADER under Type and under Header Name type Strict-Transport-Security. Under Expression enter “max-age=157680000”. Click Create. 23-min

Now navigate to Policies -> Add. Supply a name, specify the action we just created and enter true under Expression. Click Create. 24-min

Next navigate to the NetScaler Gateway vServer, under Policies click +. 25-min

Choose Rewrite and Reponse. Click Continue. 26-min

Select the Insert-STS-Header Policy. Click Bind. 27-min

And there you have it. A+ on the NetScaler Gateway. 28-min


9 Comments

  • Boris Groenhout

    April 25, 2017

    For security reasons I will advice to set the Deny SSL Renegotiation value to FONTEND_CLIENT instead of NONSECURE.

    In CTX 123680 Citrix advice us to change Deny SSL Renegotiation to ALL. At least you need to change to NONSECURE, better FRONTEND_CLIENT, but ALL would be best.

    Reply
    • George Spiers

      April 25, 2017

      You are right. ALL is the default setting and most secure.

      Reply
  • Pingback: Keeping your NetScaler A+ Rating on SSL Labs – Citrix and Stuff

  • Anonymous

    June 6, 2018

    Hi George,
    I have two problems with ns 11.1. 56.10 nc version.

    I get only A-.
    – All ECDHE Cipher Suits are on to the top in the CipherGroup
    – when I created STS-Header-Policy with exactly expression “max-age=157680000”, the popup Expresion syntax error appears.

    Reply
  • Juan L

    June 6, 2018

    Hi George,
    I have two problems with ns 11.1. 56.10 nc version.

    I get only A-.
    – All ECDHE Cipher Suits are on to the top in the CipherGroup
    – when I created STS-Header-Policy with exactly expression “max-age=157680000”, the popup Expresion syntax error appears.

    Reply
    • George Spiers

      June 7, 2018

      Don’t copy my expression, type it in manually and it will work.

      Reply
      • Anonymous

        June 19, 2018

        Thanks, It’s work.

        Reply
  • Eric

    March 4, 2019

    Is there any drawbacks/cons to using the built-in HSTS checkbox rather than the rewrite? Does it work exactly the same way?

    Reply
    • George Spiers

      March 4, 2019

      It works the same way, and easier to implement of course. I did find one bug before when using the checkbox and Native OTP together. Not sure if that was fixed as I never revisited the problem and just used Rewrite as a workaround.

      Reply

Leave a Reply to George Spiers Cancel reply