So you have this “NetScaler” thing to front-end your XenApp or XenDesktop environment… But maybe you are like me and NetScaler security isn’t what you spend most of your day dealing with. So, in light of recent security threats, how can you make sure it is configured properly? In a post in 2016 I discussed how to get an A+ Rating at SSL Labs for your NetScaler Gateway in under 5 minutes. I figured it was time for a 2017 update that takes some new things into consideration, approached from the point of view of someone like me who isn’t “A NetScaler Person.”
Given that my point of reference in 2012 was this wonderful Citrix blog article called “NetScaler for the XenApp Dummy,” I thought I would pay homage with my own guide! And for the record, I’m not calling anyone a ‘dummy’. I’m just trying to take the approach of not making any assumptions so everyone can understand. I’ve learned a lot just in writing this article! So don’t be a dummy like I was: take NetScaler security seriously even if you’re only using it for NetScaler Gateway!
In this series you’ll learn simple ways to increase your NetScaler security (especially for NetScaler Gateway) using our recommended 4-phase Methodology: Assess, Design, Change, Maintain.
Our first step will be to Assess the current state of your NetScalers and figure out what areas of risk you have.
Steven Wright of Citrix Consulting released updated guidance for getting an A+ NetScaler Rating at SSL Labs (SSLLabs.com) on June 9th, 2016. The good news is that I’ve validated it works: read on to see the proof!
Why You Want an A+ NetScaler Rating at SSLLabs.com
Security is very much front-of-mind these days, and fortunately SSLlabs.com has a tool to scan your site, including NetScaler Gateway, to detect known problems against current threats.
In case you missed it, you have a whole new reason to re-visit your NetScaler SSL configuration, even if it is a VPX which previously didn’t support nifty security like TLS 1.2. This changed after the last round of updates, so you no longer are forced into an MPX to get good security (though admittedly the CPU usage is a bit higher without the offload chip offered in the MPX and SDX platforms).
If you are running a NetScaler VPX, your out-of-the-box configuration will likely give you a NetScaler Rating of either an F or a C in most cases. Around here, we go for the big grade- so here’s how to get an A+ NetScaler Rating, even with a VPX.
Words of Warning
A few caveats that I know of. First off: I don’t really consider myself an authority on NetScaler, so take all of this with a grain of salt and ALWAYS TEST BEFORE YOU GO LIVE IN PRODUCTION. Messing with SSL ciphers can cause outages, especially for NetScaler Gateway.
Second, if you need to support older clients, especially Windows XP clients, be VERY CAREFUL deploying all of these settings. You may be stuck with a “C” score if you need to leave SSL v3 turned on in some cases. Even a C rating can still be very secure; this is just how SSLLabs.com rates things when even one attack vector is left (unfortunately, SSL v3 is a big one).
But… if not, you can get a score that looks more like this:
What an A+ Rating looks like from a NetScaler Gateway VPX
Before we go further, I want to reiterate that I’m just validating what someone else created. Don’t credit me with this; Steven Wright and Citrix Consulting Services (CCS) did all the work making this possible! Even though I still do occasional work for CCS, I want to make sure no one gets confused!
Previously, you may have looked here: https://www.citrix.com/blogs/2015/05/22/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-the-sequel/ This was a good guide, but consider this article a replacement: https://www.citrix.com/blogs/2016/06/09/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-2016-update/
The nice thing here is that the blog article has all the steps you need, so break out that PuTTY connection and get started!
First things first: note your current rating at SSLlabs.com. I typically do NOT share my results, but feel free if you like to brag.
My configuration included a more modern GoDaddy SSL cert with SHA256 and RSA 2048 strength on a NetScaler VPX 200 with the Enterprise license.
I tested this with firmware 11.0 65.72.nc using the NetScaler Gateway wizard. In my case, it works, so don’t hate me for taking a shortcut 🙂
As I mentioned above, this gave me a NetScaler Rating of “C”. You can test yours by going back to SSLLabs.com and hitting ‘clear cache’ to re-test.
SSLLabs C Rating on NetScaler VPX
Going from C to B
- Disabled SSL v3
- Disabled TLS 1.0 and 1.1
- Tried first enabling the ECDHE cipher group that is included by default
Not too bad: a solid B with this change! I thought it would be an A, but I think there are a few things in the default ECDHE group that will rob you of the rating. You’ll need to define your ciphers manually.
SSLLabs B Rating on NetScaler VPX
Getting a NetScaler Rating of A+
- Removed Ciphers (all)
- Implemented STS (Strict Transport Security)
- Added the cipher lists that Steven came up with, below
- Bound the new cipher sets and made sure to use the ECC Curve configuration
Here are the commands to use in the CLI. Note that the cipher group name (custom-ssllabs-cipher) and the virtual server name (DJ_NSG) are names from my environment that you will need to substitute with your own; they are not part of the command syntax.
```
add ssl cipher custom-ssllabs-cipher
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName SSL3-DES-CBC3-SHA
unbind ssl vserver DJ_NSG -cipherName DEFAULT
bind ssl vserver DJ_NSG -cipherName custom-ssllabs-cipher
bind ssl vserver DJ_NSG -eccCurveName ALL
```
- Next, I needed to allow secure renegotiation and enable STS on my NetScaler Gateway (again, replace DJ_NSG with your own virtual server name):
```
set ssl parameter -denySSLReneg FRONTEND_CLIENT
add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy enforce_STS true insert_STS_header
bind vpn vserver DJ_NSG -policy enforce_STS -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
```
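Before going back to SSLLabs.com, it helps to check the result yourself from the outside: confirm that TLS 1.0 and 1.1 really are refused, see which cipher the gateway actually negotiates, and confirm the Strict-Transport-Security header is being inserted with a long max-age. The following Python script is an added example of mine, not code from this article, from Steven Wright or from Citrix. It assumes the NetScaler-to-OpenSSL cipher name translation shown (the NetScaler names differ only in their protocol prefix and the spelling of "AES-256"/"-CBC"), treats six months (15768000 seconds) as the bar for a "long" HSTS max-age, and uses `gateway.example.com` as a placeholder host. The offline audit also flags the non-forward-secrecy and 3DES entries from the article's list, because SSL Labs has tightened its grading since 2016 and those are the ciphers you would revisit first.

```python
import http.client
import re
import socket
import ssl

# The cipher group from the article's NetScaler CLI recipe (bind ssl cipher ... -cipherName).
NETSCALER_CIPHER_GROUP = [
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256",
    "TLS1.2-ECDHE-RSA-AES-256-SHA384",
    "TLS1.2-ECDHE-RSA-AES-128-SHA256",
    "TLS1-ECDHE-RSA-AES256-SHA",
    "TLS1-ECDHE-RSA-AES128-SHA",
    "TLS1.2-DHE-RSA-AES256-GCM-SHA384",
    "TLS1.2-DHE-RSA-AES128-GCM-SHA256",
    "TLS1-DHE-RSA-AES-256-CBC-SHA",
    "TLS1-DHE-RSA-AES-128-CBC-SHA",
    "TLS1-AES-256-CBC-SHA",
    "TLS1-AES-128-CBC-SHA",
    "SSL3-DES-CBC3-SHA",
]

# Assumption for this example: six months is the minimum "long" HSTS max-age.
# The article's rewrite action uses max-age=157680000, i.e. five years.
MIN_HSTS_MAX_AGE = 15768000


def to_openssl_name(ns_name):
    """Translate a NetScaler cipher name into the OpenSSL name Python's ssl module uses.
    Assumption: only the protocol prefix and the 'AES-256'/'-CBC' spelling differ,
    which holds for every name in the article's list."""
    name = re.sub(r"^(TLS1\.2|TLS1|SSL3)-", "", ns_name)
    name = name.replace("AES-256", "AES256").replace("AES-128", "AES128")
    return name.replace("AES256-CBC", "AES256").replace("AES128-CBC", "AES128")


def audit_cipher_group(ns_names):
    """Offline classification of a cipher list: forward secrecy (ECDHE/DHE key exchange),
    AEAD (GCM), and the legacy entries a grader penalizes (no forward secrecy, 3DES)."""
    report = {"forward_secrecy": [], "no_forward_secrecy": [], "aead": [], "legacy_3des": []}
    for name in ns_names:
        key_exchange = name.split("-")[1]  # token after the protocol prefix
        bucket = "forward_secrecy" if key_exchange in ("ECDHE", "DHE") else "no_forward_secrecy"
        report[bucket].append(name)
        if "GCM" in name:
            report["aead"].append(name)
        if "DES-CBC3" in name:
            report["legacy_3des"].append(name)
    return report


def parse_hsts_max_age(header_value):
    """Return the max-age of a Strict-Transport-Security value, or None if absent/malformed."""
    if header_value is None:
        return None
    for directive in header_value.split(";"):
        key, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if key.strip().lower() == "max-age" and value.isdigit():
            return int(value)
    return None


def hsts_is_long_enough(header_value, minimum=MIN_HSTS_MAX_AGE):
    max_age = parse_hsts_max_age(header_value)
    return max_age is not None and max_age >= minimum


def probe_protocols(host, port=443):
    """One handshake per protocol version. After the article's changes only TLSv1.2 should
    succeed. A None result can also mean the local OpenSSL build refuses that version
    itself, so check a known-permissive host first if TLSv1/TLSv1.1 show None everywhere.
    SSL v3 is not offered by Python's ssl module, so it cannot be probed this way."""
    versions = (("TLSv1", ssl.TLSVersion.TLSv1),
                ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2))
    results = {}
    for label, version in versions:
        ctx = ssl.create_default_context()
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            with socket.create_connection((host, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[label] = tls.cipher()[0]  # negotiated cipher (OpenSSL name)
        except (ssl.SSLError, OSError):
            results[label] = None
    return results


def fetch_hsts_header(host, port=443):
    """GET / over TLS and return the Strict-Transport-Security header value (None if absent).
    The Gateway normally redirects / to its logon page; the rewrite policy applies to that
    response too, so the header should already be present."""
    conn = http.client.HTTPSConnection(host, port, timeout=5, context=ssl.create_default_context())
    try:
        conn.request("GET", "/", headers={"Host": host})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "gateway.example.com"  # placeholder host
    print("cipher group audit:", audit_cipher_group(NETSCALER_CIPHER_GROUP))
    print("OpenSSL names:", [to_openssl_name(n) for n in NETSCALER_CIPHER_GROUP])
    print("protocol probe:", probe_protocols(host))
    hsts = fetch_hsts_header(host)
    print("HSTS header:", hsts, "| long enough:", hsts_is_long_enough(hsts))
```

Run it as `python3 check_gateway.py gateway.example.com` against your own Gateway FQDN. The audit and name translation run offline; the two probes need network access and use the system trust store, so a certificate that does not chain to a public CA will show up as a handshake failure rather than a cipher name.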
That’s it! In under 5 minutes, my NetScaler Rating at SSLLabs.com went from a C to an A+!
I anticipate this should work on an MPX just as well, if not better, but I haven’t yet tested it. If you have, comment below with the firmware version you used and your score!
Feel free to share this with your friends, and I welcome any feedback below. But if you have anything that definitely needs Steven’s attention, leave a comment at https://www.citrix.com/blogs/2016/06/09/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-2016-update/