So you have this “NetScaler” thing to front-end your XenApp or XenDesktop environment… But maybe you are like me and NetScaler security isn’t what you spend most of your day dealing with. So, in light of recent security threats, how can you make sure it is running properly? In a post in 2016 I discussed how to get an A+ rating at SSL Labs for your NetScaler Gateway in under 5 minutes. I figured it was time for an update for 2017, taking some new things into consideration but approaching this from the point of view of someone like me who isn’t “A NetScaler Person.”
[*updated 1/4/2019 with new link for Citrix article]
Steven Wright of Citrix Consulting released new guidance for getting an A+ NetScaler rating at SSL Labs (SSLLabs.com) on June 9th, 2016. The good news is that I’ve validated that it works; read on to see the proof!
Why You Want an A+ NetScaler Rating at SSLLabs.com
Security is very much front-of-mind these days, and fortunately SSLLabs.com has a tool that scans your site, including NetScaler Gateway, for known problems against current threats.
In case you missed it, you have a whole new reason to re-visit your NetScaler SSL configuration, even if it is a VPX, which previously didn’t support nifty security like TLS 1.2. This changed after the last round of updates, so you are no longer forced into an MPX to get good security (though admittedly the CPU usage is a bit higher without the offload chip offered in the MPX and SDX platforms).
If you are running a NetScaler VPX, your out-of-the-box configuration will most likely give you a NetScaler rating of either an F or a C. Around here, we go for the big grade, so here’s how to get an A+ NetScaler rating, even with a VPX.
Words of Warning
A few caveats that I know of. First off, I don’t really consider myself an authority on NetScaler, so take all of this with a grain of salt and ALWAYS TEST BEFORE YOU GO LIVE IN PRODUCTION. Messing with SSL ciphers can cause outages, especially for NetScaler Gateway.
Second, if you need to support older clients, especially Windows XP clients, be VERY CAREFUL deploying all of these settings. In some cases you may be stuck with a “C” score because SSL v3 needs to stay turned on. Even a C rating can still be very secure; this is just how SSLLabs.com rates things when even one attack vector is left (unfortunately, SSL v3 is a big one).
But… if not, you can get a score that looks more like this:
What an A+ Rating looks like from a NetScaler Gateway VPX
Before we go further, I want to reiterate that I’m just validating what someone else created. Don’t credit me with this; Steven Wright and Citrix Consulting Services (CCS) did all the work making this possible! Even though I still do occasional work for CCS, I want to make sure no one gets confused!
The nice thing here is that the blog article has all the steps you need, so break out that PuTTY connection and get started!
First things first: note your current rating at SSLLabs.com. I typically do NOT share my results, but feel free to if you like to brag.
My configuration included a more modern GoDaddy SSL cert with SHA256 and RSA 2048 strength on a NetScaler VPX 200 with the Enterprise license.
I tested this with firmware 11.0 65.72.nc using the NetScaler Gateway wizard. In my case, it works, so don’t hate me for taking a shortcut 🙂
As I mentioned above, this gave me a NetScaler rating of “C”. You can test yours by going back to SSLLabs.com and hitting ‘Clear cache’ to re-test.
SSLLabs C Rating on NetScaler VPX
Going from C to B
Disabled SSL v3
Disabled TLS 1.0 and 1.1
First tried enabling the ECDHE cipher group that is included by default
Not too bad: a solid B with this change! I thought it would be an A-, but I think there may be a few things in the ECDHE group that will rob you of the rating. You’ll need to define your ciphers manually.
SSLLabs B Rating on NetScaler VPX
Getting a NetScaler Rating of A+
Removed all the bound ciphers
Implemented STS (HTTP Strict Transport Security)
Added the cipher list that Steven came up with, below
Bound the new cipher group and made sure to use the ECC curve configuration
Here are the commands to use in the CLI. Note that custom-ssllabs-cipher is the cipher group name you choose yourself, not a NetScaler keyword, so substitute your own.
add ssl cipher custom-ssllabs-cipher
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName SSL3-DES-CBC3-SHA
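As an added example (not from the post, Steven Wright or Citrix), here is a small Python helper that takes the cipher names above, flags the entries that give up forward secrecy or rely on 3DES so you can decide whether you really want them bound, and emits the add/bind commands for whatever group name you choose. It assumes only the naming convention visible in the list (minimum protocol, then key exchange, then bulk cipher and MAC).

```python
# Added example (not from the post or from Citrix): review a NetScaler cipher
# list before binding it, then emit the add/bind commands for a chosen group.
POST_CIPHERS = [  # the cipher names from the post, in the order listed
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384", "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256",
    "TLS1.2-ECDHE-RSA-AES-256-SHA384", "TLS1.2-ECDHE-RSA-AES-128-SHA256",
    "TLS1-ECDHE-RSA-AES256-SHA", "TLS1-ECDHE-RSA-AES128-SHA",
    "TLS1.2-DHE-RSA-AES256-GCM-SHA384", "TLS1.2-DHE-RSA-AES128-GCM-SHA256",
    "TLS1-DHE-RSA-AES-256-CBC-SHA", "TLS1-DHE-RSA-AES-128-CBC-SHA",
    "TLS1-AES-256-CBC-SHA", "TLS1-AES-128-CBC-SHA",
    "SSL3-DES-CBC3-SHA",
]


def classify(name):
    """Split a NetScaler-style name: <min protocol>-<key exchange>-<cipher>-<MAC>.
    No ECDHE/DHE token means static RSA key exchange (convention assumed here)."""
    min_proto, _, rest = name.partition("-")
    kx = "ECDHE" if rest.startswith("ECDHE-") else "DHE" if rest.startswith("DHE-") else "RSA"
    return {
        "name": name,
        "min_protocol": min_proto,         # SSL3 / TLS1 / TLS1.2 prefix as NetScaler names it
        "forward_secrecy": kx != "RSA",    # static RSA key exchange has no forward secrecy
        "aead": "-GCM-" in name,           # GCM suites are AEAD; CBC suites are not
        "triple_des": "DES-CBC3" in name,  # 64-bit block cipher
    }


def review(ciphers):
    """Return (name, reasons) for each cipher a reviewer should look at twice."""
    flagged = []
    for c in map(classify, ciphers):
        reasons = []
        if not c["forward_secrecy"]:
            reasons.append("no forward secrecy")
        if c["triple_des"]:
            reasons.append("3DES")
        if reasons:
            flagged.append((c["name"], reasons))
    return flagged


def bind_commands(group, ciphers):
    """NetScaler CLI lines that create the cipher group and bind each cipher in order."""
    return [f"add ssl cipher {group}"] + [
        f"bind ssl cipher {group} -cipherName {c}" for c in ciphers]
```

Running review(POST_CIPHERS) flags the last three names in the post's list (the two static-RSA AES-CBC suites and the SSL3 3DES suite); bind_commands("custom-ssllabs-cipher", POST_CIPHERS) reproduces the command block above.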