How to Score an A Grade on Your Citrix NetScaler SSL Virtual Servers


Posted by Johnny Ma, February 14, 2017

Have you had your external SSL based Virtual Servers on a Citrix NetScaler scanned? Scanning with free utilities such as ssllabs.com can ensure that you have the proper certificate chain on the NetScaler to avoid any certificate errors on browsers. In addition, this can flag any security issues with your SSL based virtual servers.

[Image: SSL scan result for a NetScaler SSL virtual server, grade A]

But what if you don’t get an “A”? Let’s look at what causes a lower letter grade, and what you can do to improve your score.

[Before we dive in, you may be wondering why the NetScaler doesn’t provide a score on its own, without a third-party test. Out of the box it is configured to accept every permutation of browser, and tightening that configuration is only required if you are security focused about what is being delivered to the external internet.]

Factors affecting your score:

  • If you are running any firmware below 10.5 build 58.8.nc and your NetScaler is a VPX (virtual appliance), the highest score that can be obtained is a C.
  • If you are running any firmware below 10.5 build 58.8.nc on a physical appliance (MPX or SDX), your score can vary: the Cavium chipset that processes the SSL transactions can provide a higher score because it supports SSL ciphers that a virtual appliance does not.
  • If you are running the out-of-box configuration and have not adjusted any of the SSL ciphers, you are susceptible to the SSLv3 POODLE vulnerability and will accept RC4 ciphers.
  • Hardening SSL by removing ciphers and adjusting protocols will mean legacy OSs such as Windows XP can no longer reach your website. (A good reason to upgrade.)
  • Adjusting the SSL ciphers and protocols forces browsers to renegotiate their connections, so this can interrupt services on the virtual server.
  • This configuration only applies to SSL-based load balancing, NetScaler Gateway and content switching virtual servers; it does not apply to SSLBRIDGE virtual servers, because the SSL transaction is not terminated at the NetScaler.

So how do you get from an “F” to an “A”?

[Image: SSL scan result for a NetScaler SSL virtual server, grade F]

It’s not as hard as you think:

  1. The first step is to plan your downtime accordingly. Making changes in the middle of the day may cause an influx of tickets, because users will keep being kicked out of services running on the virtual server.
  2. Edit each of your SSL virtual servers:
    1. Under SSL Parameters, uncheck SSLv3 to disable it and enable TLSv1, TLSv1.1 and TLSv1.2.
    2. If these settings are greyed out or missing, you don’t have a NetScaler version that supports them and you should consider upgrading the firmware on the NetScaler.

[Image: NetScaler SSL virtual server SSL Parameters dialog]

  3. Create a Diffie-Hellman key with a key size of 2048. This key will be bound to each virtual server. In this example, I have not-so-creatively named the DH key “2048DH.key.” I recommend you pick a name that makes sense for your deployment to keep everything organized.

[Image: NetScaler Configure SSL DH Param dialog]

  4. Create a custom SSL cipher group. Of the Default cipher group, which consists of 28 SSL ciphers, only eight are needed to support modern browsers. They also need to be in this specific order.

[Image: NetScaler Create Cipher Group dialog]

Here are the ciphers in text format:

TLS1.2-ECDHE-RSA-AES-128-SHA256
TLS1-ECDHE-RSA-AES256-SHA
TLS1-ECDHE-RSA-AES128-SHA
TLS1-DHE-RSA-AES-256-CBC-SHA
TLS1-DHE-RSA-AES-128-CBC-SHA
TLS1-AES-256-CBC-SHA
TLS1-AES-128-CBC-SHA
SSL3-DES-CBC3-SHA

Note: Can’t bind the TLS1.2-ECDHE-RSA-AES-128-SHA256 SSL cipher to your custom cipher group? This is solved by upgrading past 11.0 build 64.34.nc.

  5. Unbind the Default SSL ciphers by adding the SSL Ciphers section to your virtual server, then bind the custom group to your SSL-based virtual servers.

[Image: NetScaler SSL virtual server using the custom cipher group]

  6. If you upgraded your NetScaler from any firmware below 10.5, you will need to bind the ECC curve policies onto each VIP that was on the system previously.

[Image: NetScaler SSL virtual server ECC curve binding]

  7. Test, confirm functionality and scan again using ssllabs.com.
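The steps above are shown as GUI screenshots. As an added example, not code from the post or from Citrix, here is the NetScaler CLI equivalent of steps 2 to 6 as a Python script that emits the command sequence for one change window, together with a small audit that reads `show ssl vserver` output and reports what still fails the checklist (step 7). The vserver name lb_vs_web, the cipher group name SECURE-CIPHERS and the two `show ssl vserver` samples are assumptions; the samples are constructed in the general shape of that command's output, whose exact layout varies by firmware, so the parser matches on the field labels rather than on positions. The commands (set ssl vserver, create ssl dhparam, add/bind ssl cipher, bind ssl vserver -eccCurveName) are the CLI counterparts of the GUI actions; check them against your own firmware's command reference before pasting.

```python
"""Added example, not from the original post: the NetScaler CLI equivalent of
steps 2 to 6, plus an audit of `show ssl vserver` output for step 7.
Assumed (not in the post): the vserver name lb_vs_web, the cipher group name
SECURE-CIPHERS, and the constructed `show ssl vserver` samples below."""
import re

# The eight ciphers from the post, in the order they must be bound (priority 1..8).
CIPHERS = [
    "TLS1.2-ECDHE-RSA-AES-128-SHA256",
    "TLS1-ECDHE-RSA-AES256-SHA",
    "TLS1-ECDHE-RSA-AES128-SHA",
    "TLS1-DHE-RSA-AES-256-CBC-SHA",
    "TLS1-DHE-RSA-AES-128-CBC-SHA",
    "TLS1-AES-256-CBC-SHA",
    "TLS1-AES-128-CBC-SHA",
    "SSL3-DES-CBC3-SHA",
]


def cipher_group_commands(group):
    """Step 4: create the custom cipher group and bind the ciphers in order."""
    cmds = [f"add ssl cipher {group}"]
    for prio, name in enumerate(CIPHERS, start=1):
        cmds.append(f"bind ssl cipher {group} -cipherName {name} -cipherPriority {prio}")
    return cmds


def vserver_commands(vserver, group, dh_file, bind_ecc):
    """Steps 2, 3, 5 and 6 for one SSL vserver: protocols, DH key, swap the
    DEFAULT group for the custom one, and (pre-10.5 upgrades only) ECC curves."""
    cmds = [
        f"set ssl vserver {vserver} -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED",
        f"set ssl vserver {vserver} -dh ENABLED -dhFile {dh_file}",
        f"unbind ssl vserver {vserver} -cipherName DEFAULT",
        f"bind ssl vserver {vserver} -cipherName {group}",
    ]
    if bind_ecc:
        cmds.append(f"bind ssl vserver {vserver} -eccCurveName ALL")
    return cmds


def full_plan(vservers, group="SECURE-CIPHERS", dh_file="2048DH.key", upgraded_from_pre_10_5=True):
    """Whole change window: DH key once, cipher group once, then every vserver."""
    cmds = [f"create ssl dhparam {dh_file} 2048 -gen 2"]
    cmds += cipher_group_commands(group)
    for vserver in vservers:
        cmds += vserver_commands(vserver, group, dh_file, upgraded_from_pre_10_5)
    cmds.append("save ns config")
    return cmds


def audit(show_output):
    """Step 7: list what in `show ssl vserver` output still fails the checklist."""
    findings = []
    protos = dict(re.findall(r"(SSLv3|TLSv1\.0|TLSv1\.1|TLSv1\.2):\s*(ENABLED|DISABLED)", show_output))
    if protos.get("SSLv3") != "DISABLED":
        findings.append("SSLv3 enabled (POODLE)")
    for proto in ("TLSv1.0", "TLSv1.1", "TLSv1.2"):
        if protos.get(proto) != "ENABLED":
            findings.append(f"{proto} not enabled")
    dh = re.search(r"^\s*DH:\s*(ENABLED|DISABLED)", show_output, re.M)
    if not dh or dh.group(1) != "ENABLED":
        findings.append("DH not enabled")
    bound = re.findall(r"Cipher Name:\s*(\S+)", show_output)
    if "DEFAULT" in bound:
        findings.append("DEFAULT cipher group still bound (RC4 accepted)")
    if not [c for c in bound if c != "DEFAULT"]:
        findings.append("no custom cipher group bound")
    if not re.search(r"ECC Curve:\s*(\S.*)$", show_output, re.M):
        findings.append("no ECC curves bound")
    return findings


# Constructed samples in the shape of `show ssl vserver` output (layout varies by firmware).
BEFORE = """\
\tAdvanced SSL configuration for VServer lb_vs_web:
\tDH: DISABLED
\tDH Private-Key Exponent Size Limit: DISABLED\tEphemeral RSA: ENABLED\t\tRefresh Count: 0
\tSSLv2: DISABLED  SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
\tECC Curve: P_256, P_384, P_224, P_521

1)\tCipher Name: DEFAULT
\tDescription: Default cipher list with encryption strength >= 128bit
"""

AFTER = """\
\tAdvanced SSL configuration for VServer lb_vs_web:
\tDH: ENABLED
\tSSLv2: DISABLED  SSLv3: DISABLED  TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED
\tECC Curve: P_256, P_384, P_224, P_521

1)\tCipher Name: SECURE-CIPHERS
\tDescription: User created cipher group
"""

if __name__ == "__main__":
    print("\n".join(full_plan(["lb_vs_web"])))
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

The plan unbinds DEFAULT before binding the custom group, so the vserver is never left with both; the DH key and the cipher group are created once and reused across every vserver in the list. The post refers to the DH file by its bare name, 2048DH.key, and the script does the same; adjust the `-dhFile` value if your key is stored under a different path.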

While it’s theoretically possible to score 100% on the scan, I find that doing so brings potential issues of its own. One I have seen is an inability to launch applications from Citrix XenApp/XenDesktop. The configuration outlined above therefore won’t score you a perfect 100%, but it does remove the critical security flaws while leaving services unaffected.


For more information, don't hesitate to Contact Us. We can manage this for you with our Managed Citrix Virtual Environments services.

Lewan Technology is a Citrix Gold Solutions Advisor and has the largest resident Citrix consulting bench in Denver, CO and the Rocky Mountain region, comprised of certified architects, engineers and administrators. We also hold the Citrix Specialist in Virtualization distinction.

Topics: Virtualization, Citrix, Citrix XenApp, Citrix XenDesktop, NetScaler

Written by Johnny Ma

Johnny is a Senior Consulting Engineer/Architect at Lewan, specializing in the deployment of desktop virtualization, application delivery and mobile device management solutions.
