Your guide on Citrix NetScaler Security Hardening

Security hardening should always be a top priority when it comes to vital components of an infrastructure. Citrix NetScaler safeguard is the main topic in this post.

In this post; we are going to see how to significantly enhance security on a Citrix NetScaler appliance.

We will go through all steps required to get an A+ rating from the always trustworthy Qualys SSL Labs website.

Citrix NetScaler is a powerful appliance with an amazing number of options for various kinds of configurations.

December 2019 events, led organizations to an increased tendency to further secure their appliances and this is going to be our focus in this post.

Αs of November 2020 the latest release is 3.0 67.39. This release includes support for TLS 1.3 while it contains fixes to recently disclosed vulnerabilities.

Despite our focus on this particular release in the post, the below configuration is applied to the majority of NetScaler releases, even those that don’t support TLS 1.3.

The SSL profile which is built-in the 3.0 67.39 release comes with the following setup:

  1. SSLv3 enabled
  2. TLS 1.0 enabled
  3. TLS 1.1 enabled
  4. TLS 1.2 enabled
  5. TLS 1.3 disabled
  6. Default Cipher Group contains some vulnerable to attacks ciphers
  7. Secure Renegotiation is not supported out of the box
  8. Perfect Forward Secrecy (PFS) is not supported out of the box
  9. Strict Transport Security (HSTS) is not supported out of the box

As a result of the default configuration, our server rating drops significantly, most of the times between C and B grades.

Next, we are going to see in detail how to immediately convert this rating to A+ which means our setup would be much stronger after the implemented configuration.
We will apply all the changes on the Virtual Server settings; assuming we would have created one previously.

Disable Insecure SSL and TLS Protocols

Let’s start off with disabling these protocols that are nowadays considered obsolete:

We can find encryption protocols in SSL Parameters in our Virtual Server settings. 

Since we want to offer only secure protocols, deselect everything except for TLS 1.2 and TLS 1.3.

Then click OK and save the changes.

Choose custom SSL Ciphers

In this step we are going to choose only the strongest Ciphers and remove those considered vulnerable and obsolete:

SSL Parameters menu is where Default Cipher Group resides as well. Remove the Default option and add the following ciphers:

Citrix NetScaler Custom Cipher

It is important to keep in mind that Citrix NetScaler will use the ciphers in a particular order; thus, ensure to keep your preferred ones at the top of the list.

In this configuration, we have topped TLS 1.3 ciphers as the preferred ones with TLS 1.2 following right after. TLS 1.2 Elliptic-curve Diffie–Hellman (ECDH) and Diffie–Hellman exchange (DHE) considered the strongest for this version protocol while they offer support for Perfect Forward Secrecy (PFS) feature as well. More on PFS are following below.

Enable Secure Negotiation

Secure Negotiation is another best practice we follow in our efforts to enhance the security of our Citrix NetScaler system. Since we have TLS 1.2 protocol enabled, this feature must be enabled. We only want to allow clients that support RFC 5746 to renegotiate; hence we select the NONSECURE option in Traffic Management -> SSL -> Change advanced SSL settings menu.

Enable Perfect Forward Secrecy (PFS)

Citrix’ definition for PFS stands for “Perfect Forward Secrecy ensures protection of current SSL communications even if the session key of the webserver is compromised at a later point in time.” Sounds good, doesn’t it? So let’s go ahead and see how to enable it:

We must create a Diffie-Hellman (DH) key which we will later bind it in our virtual server. For that, we go again to Traffic Management -> SSL menu but this time we select the Create Diffie-Hellman (DH) key option.

Choose your desired name for the key, insert DH Parameter Size value in Bits (preferably 2048 since 4096 is not yet supported and 1024 is not that secure) and click on Create.

Citrix NetScaler Diffie-Hellman key

Next, go to your virtual server SSL Parameters menu and check the Enable DH Param option. In the File Path, choose the key file you have just created. You can leave all the rest options as is and save your changes.

Citrix NetScaler SSL Parameters

By creating the custom cipher group in one of the steps above, we have ensured to provide support for PFS; thus, at that point, we must consider the PFS feature enabled!

Enable Strict Transport Security (HSTS)

The main objective of HSTS is to protect the users so that their browsers always connect to a website over HTTPS. It ensures that the contacted domain will send all communications over HTTPS.

NetScaler has HSTS as a built-in option from release 12.0 and onwards. Let’s see how to enable it in our virtual server:

AppExpert -> Rewrite menu is what we should go to create a rewrite action so then can be assigned to a policy we will also create.

Click on add and provide any name you like. Our name would be STS_Header. Input the “insert_http_header” value in the Type field. For the Target Expression; we are going to use, what else? Strict-Transport-Security. Then fill in the Expression value with “max-age=157680000”, including the quotes. The value is in seconds. We will leave empty the Refine Search field.

Citrix NetScaler Rewrite Action

After, we will create a Rewrite policy. In the same menu, on Rewrite Policy, click on Add. Again, give a name of your choice, insert TRUE as the Expression value and select the previously created action. Leave the Undefined Result Action setting as is.

Citrix NetScaler Rewrite Policy

Head to your virtual server and find the Policies option. Create a Rewrite(Response) policy and bind your previously created policy. Save the configuration.

That’s it! You have just provided your server one of the most hardened configurations!

Now go back to Qualys SSL site and re-run your test. You should see a result (very) similar to the below!

One thing that despite it won’t count to your overall rating from Qualys you should pay attention to is to ensure you configure Secure LDAP (port 636) over LDAP (389) while configuring user authentication in your virtual server. For this, your Domain Controllers should support Secure LDAP binding which means they should have a valid SSL certificate installed on their stores.

I hope you found this post informative and I would like to thank you for reading!

Leave a Reply