NetScaler Unified Gateway / SSO with Citrix StoreFront 3.9 and Client Access Mode

I have been working on deploying the NetScaler Unified Gateway for the last few weeks. Our goal is simply to create a unified page for accessing internal resources such as Outlook Web Access, the intranet, ShareFile, and XenApp/XenDesktop resources running on the new version of Citrix StoreFront, 3.9. As a side note, I will be posting my customization code for StoreFront 3.9 in the coming weeks.

First, let me discuss (again) an issue I noticed with NetScaler NS11.0 build 63.16.nc when working with Content Switches and zero-IP NetScaler Gateways.

I ran into a bug that crashed at a content switch bind (cs_state_bind), which our friends at Citrix confirmed they had seen in earlier builds while binding a CS action to a VPN vServer (zero IP). Meaning that I was binding a profile policy/action to a NetScaler Gateway with a zero IP, which is exactly what a content-switched NetScaler Gateway actually is.

This bug has been fixed from 11.0 build 64.x onwards, and in 11.1. In my case I upgraded to the now-latest version, 11.0 build 70.12.nc.

Let's get started:

On your StoreFront server, make sure that the Enable Remote Access setting for the store is set to No VPN tunnel or Full VPN tunnel.

sf_remote_enable.png

In the web.config file, located in drive:\inetpub\wwwroot\Citrix\StoreWeb, set X-Frame-Options to allow and Content-Security-Policy to frame-ancestors 'self'. You will see 3 entries for this; make sure you change them all. This will allow the page to come up in all browsers, including IE. Once the changes are made, simply reset IIS or reboot your StoreFront server(s).

Be aware of what you are trading here: StoreFront ships with these headers set to deny framing as clickjacking protection. allow is not a defined X-Frame-Options directive (DENY, SAMEORIGIN and ALLOW-FROM are), so browsers discard the header, and the only remaining framing restriction is the CSP frame-ancestors directive, which IE does not enforce. Keep the StoreFront site unreachable from the internet except through the Gateway, and re-check the headers after any StoreFront upgrade.

01-sf_webconf.png
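An added example, not part of the original post and not Citrix code, to make the trade-off visible and to catch a forgotten entry: the Python below parses a constructed StoreFront-style web.config (SAMPLE_WEBCONFIG; the real file's layout differs, only the three header entries are mimicked), reports every X-Frame-Options / Content-Security-Policy entry that would either block the Gateway frame or leave the page with no framing protection, and rewrites all entries at once. Running it with the post's values shows allow being reported as a non-directive; SAMEORIGIN together with frame-ancestors 'self' is the combination that is a valid directive in every browser, which you would still need to test against your own Gateway.

```python
"""Lint and rewrite the anti-framing headers in a StoreFront-style web.config.

Added example, not part of the original post. SAMPLE_WEBCONFIG is a constructed stand-in
with three header pairs, mirroring the "3 entries" the post says to change; the real
StoreFront web.config has a different layout, which is not reproduced here.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

SAMPLE_WEBCONFIG = """<configuration>
  <location path="Resources">
    <system.webServer><httpProtocol><customHeaders>
      <add name="X-Frame-Options" value="deny" />
      <add name="Content-Security-Policy" value="frame-ancestors 'none'" />
    </customHeaders></httpProtocol></system.webServer>
  </location>
  <location path="Authentication">
    <system.webServer><httpProtocol><customHeaders>
      <add name="X-Frame-Options" value="deny" />
      <add name="Content-Security-Policy" value="frame-ancestors 'none'" />
    </customHeaders></httpProtocol></system.webServer>
  </location>
  <system.webServer><httpProtocol><customHeaders>
    <add name="X-Frame-Options" value="deny" />
    <add name="Content-Security-Policy" value="frame-ancestors 'none'" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""


def xfo_is_valid(value: str) -> bool:
    """Only the RFC 7034 directives count. Anything else ("allow" included) is not a
    directive: browsers log it as invalid and ignore the header entirely."""
    v = value.strip().upper()
    return v in ("DENY", "SAMEORIGIN") or (v.startswith("ALLOW-FROM ") and len(v.split()) == 2)


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, or None if the policy has none."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def header_entries(root: ET.Element, name: str) -> List[ET.Element]:
    return [e for e in root.iter("add") if e.get("name", "").lower() == name.lower()]


def lint(xml_text: str) -> List[str]:
    """One finding per entry, so a forgotten third entry shows up on its own line."""
    root = ET.fromstring(xml_text)
    findings = []
    for e in header_entries(root, "X-Frame-Options"):
        v = e.get("value", "")
        if not xfo_is_valid(v):
            findings.append(f"X-Frame-Options={v!r}: not a directive, browsers ignore the header; "
                            "framing is then limited only by CSP, which IE does not enforce")
        elif v.upper() == "DENY":
            findings.append("X-Frame-Options=DENY: blocks the Gateway frame in every browser")
    for e in header_entries(root, "Content-Security-Policy"):
        fa = frame_ancestors(e.get("value", ""))
        if fa is None:
            findings.append("Content-Security-Policy: no frame-ancestors directive")
        elif "'none'" in fa:
            findings.append("Content-Security-Policy: frame-ancestors 'none' blocks the Gateway frame")
    return findings


def set_framing(xml_text: str, xfo: str, csp: str) -> Tuple[str, int]:
    """Rewrite every X-Frame-Options and Content-Security-Policy entry; returns (xml, changed)."""
    root = ET.fromstring(xml_text)
    wanted = {"x-frame-options": xfo, "content-security-policy": csp}
    changed = 0
    for e in root.iter("add"):
        new = wanted.get(e.get("name", "").lower())
        if new is not None and e.get("value") != new:
            e.set("value", new)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("shipped:", *lint(SAMPLE_WEBCONFIG), sep="\n  ")
    as_posted, n = set_framing(SAMPLE_WEBCONFIG, "allow", "frame-ancestors 'self'")
    print(f"\nrewrote {n} entries; with the post's values:", *lint(as_posted), sep="\n  ")
    same_origin, _ = set_framing(SAMPLE_WEBCONFIG, "SAMEORIGIN", "frame-ancestors 'self'")
    print("\nwith SAMEORIGIN:", lint(same_origin) or "no findings")
```

Point the script at the real web.config and the count it prints tells you whether all entries were reached; the lint after the rewrite tells you what protection, if any, the browsers that cannot evaluate frame-ancestors are left with.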

On the NetScaler Session Profile the following settings are required:

ns_session_profile.png

  • On the Client Experience tab:
    Clientless Access = ON
    Single Sign-on to Web Applications = Checked
    Credentials Index = Primary

  • On the Security tab:
    Default Authorization Action = Allow

  • On the Published Applications tab:
    ICA Proxy = OFF
    Web Interface Address = https://serverFQDN/Citrix/StoreWeb (StoreWeb is the actual store name)
    Single Sign-on Domain = Configured

ns_session_profile_sso.png

Make sure you use the FQDN of your StoreFront server in the link. If you configure an IP address instead, you can run into an issue in Clientless Access mode where the StoreFront page does not display.

ns_frame_issue.png

Once changed to the FQDN, the page displayed successfully (e.g. https://server.domain.com/Citrix/meWeb/).

ns_frame_working.png

This is a sample of the session profile I manually created and bound to the session policy the UG wizard created.

add vpn sessionAction UG_VPN_SAct_dmz -defaultAuthorizationAction ALLOW -SSO ON -windowsAutoLogon ON -wihome "https://server.domain.com/Citrix/meWeb/" -wiPortalMode COMPACT -ClientChoices ON -ntDomain name_of_domain -clientlessVpnMode ON -emailHome "https://mail.domain.com/owa/"

Optionally, you can bypass the Client Choices page on NetScaler Unified Gateway with a Responder policy. This way users won't have to click the Clientless Access option; they are redirected to it right after logging on.

02_user_choices.png

To do this:

Create a Responder action based on the URL your users will be connecting to

add responder action ug_redirect_ac redirect "\"https://name.domain.com/cgi/setclient?cvpn\"" -responseStatusCode 302

Create a Responder policy; notice it matches the choices.html page

add responder policy ug_redirect_pol "HTTP.REQ.HOSTNAME.EQ(\"name.domain.com\") && HTTP.REQ.URL.CONTAINS(\"vpns/choices.html\")" ug_redirect_ac

Bind the Responder policy to the NetScaler Gateway vServer the UG config creates. In my case it is called UG_VPN_ug_gtw_dmz

bind vpn vserver UG_VPN_ug_gtw_dmz -policy ug_redirect_pol -priority 100 -gotoPriorityExpression END -type REQUEST

Once the policy is bound, users are simply redirected to the Clientless Access portion of the site without being prompted to choose between VPN, Clientless Access, or good old StoreFront/Web Interface.

That is it! Hope this helps!  Cheers :)

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.


Bypass Client Choices on NetScaler Unified Gateway

It's been a while since I posted something new. Lately I've been primarily working with Cisco and Nutanix related tech, but now I'm getting back to my good old Citrix roots (forgot how fun it actually is).

I've been working on a new deployment of the Citrix NetScaler Unified Gateway, which, c'mon, is just a marketing name; technically it is nothing more than some pretty good Content Switching policies and actions, but let's not get into that 🙂

By the way, I am actually in the middle of creating a post on how to deploy Unified Gateway and integrate it with OWA, StoreFront 3.8 (including customization code), ShareFile with on-prem storage, and good old intranet/internal sites, so we can see how SSO works as part of the deployment. So look for that in the coming weeks.

Now, before we get started: watch out for the NetScaler build you are running! I ran into a bug which actually made the primary NetScaler crash (not a fun event to have to explain to management).

This darn bug, in technical terms, crashed at a content switch bind (cs_state_bind), which our friends at Citrix confirmed they had seen in earlier builds while binding a CS action to a VPN vServer (zero IP). Meaning that I was binding a Responder policy/action to a NetScaler Gateway with a zero IP, which is exactly what a content-switched NetScaler Gateway actually is. Thought it was pretty amusing.

04_ug_ns_gateway_zero_ip

This bug has been fixed from 11.0 build 64.x onwards, and in 11.1. In my case I was running NS11.0 63.16.nc.

Ok. Let's get started.

  • Create your Unified Gateway config (blog post coming soon)
  • Once you verify things are working, go ahead and connect to the new portal
    01_auth_screen
  • By default, after you authenticate you are prompted with the Client Choices page, which will confuse the hell out of your users. So let's get rid of it!
    02_user_choices.png
  • My goal was to have all client traffic automatically routed to the "Clientless Access" option without anyone clicking on it.
    03_ug_portal.png
  • To accomplish this you simply need to create the following Responder action and policy, then bind them to the NetScaler Gateway (VPN vServer) the Unified Gateway config creates.
  • Here it goes:
    • Create a Responder action based on the URL your users will be connecting to:
      add responder action ug_redirect_ac redirect "\"https://name.domain.com/cgi/setclient?cvpn\"" -responseStatusCode 302

    • Create a Responder policy; notice it matches the choices.html page:
      add responder policy ug_redirect_pol "HTTP.REQ.HOSTNAME.EQ(\"name.domain.com\") && HTTP.REQ.URL.CONTAINS(\"vpns/choices.html\")" ug_redirect_ac

    • Bind the Responder policy to the NetScaler Gateway the UG config creates. In my case it is called UG_VPN_ug_gtw_dmz:
      bind vpn vserver UG_VPN_ug_gtw_dmz -policy ug_redirect_pol -priority 100 -gotoPriorityExpression END -type REQUEST

Once the policy is bound, users are simply redirected to the Clientless Access portion of the site without being prompted to choose between VPN, Clientless Access, or good old StoreFront/Web Interface.

That is it! Hope this helps!  Cheers :)

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

Duo two-factor authentication with NetScaler Gateway

I've been seeking an alternative for second-factor authentication with Citrix NetScaler for a while, just sick of RSA and all its complexity, upgrades, tokens, etc. During my search for another method I was directed to Duo and was immediately excited about it. Duo combines modern two-factor authentication with advanced endpoint security solutions to protect users from account takeovers and data breaches.

Duo integrates with Citrix NetScaler Gateway to add two-factor authentication over RADIUS, with your existing LDAP directory as the back-end (primary) authentication service.

03_ns_gtw_duo

Screenshots below are from my Apple Watch and iPhone using the “Push” option

IMG_4118  IMG_4119  IMG_4121

Environment:

  • Citrix NetScaler 11.0 Build 63.16.nc
  • StoreFront 3.5

To integrate Duo with your NetScaler Gateway, you will need to install a local proxy service on a server within your network. Before proceeding, you should locate (or set up) a system on which you will install the Duo Authentication Proxy. The proxy supports Windows and Linux systems (in particular, we recommend Windows Server 2008 R2 or later, Red Hat Enterprise Linux 6 or later, CentOS 6 or later, or Debian 6 or later).

Then you’ll need to:

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate Citrix NetScaler in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname.

Install the Duo Authentication Proxy

The Duo Authentication Proxy can be installed on a physical or virtual host. We recommend a system with at least 1 CPU, 200 MB disk space, and 4 GB RAM (although 1 GB RAM is usually sufficient).

  1. Download the Duo Authentication Proxy for Windows.
  2. On the Windows system you have chosen to host the Duo Authentication Proxy, launch the proxy installer and follow the on-screen prompts.
Configure the Proxy
After the installation completes, you will need to configure the proxy.

The Duo Authentication Proxy configuration file is named authproxy.cfg, and is located in the conf subdirectory of the proxy installation. With default installation paths, the proxy configuration file will be located at:

Platform           Default configuration path
Windows (64-bit)   C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
Windows (32-bit)   C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg
Linux              /opt/duoauthproxy/conf/authproxy.cfg

Your Auth Proxy config will look something like this.

[ad_client]
; IP address of your LDAP server (I use an LDAP VIP on the NetScaler)
host=LDAP_SERVER_IP
; a read-only LDAP service account
service_account_username=LDAP_SERVICE_ACCOUNT
service_account_password=LDAP_PASSWORD
; you can specify an OU etc., but pointing at your root is easier and you can then select a user group
search_dn=dc=domain,dc=com

[radius_server_iframe]
type=citrix_netscaler
ikey=YOUR_DUO_INTEGRATION_KEY
skey=YOUR_DUO_SECRET_KEY
api_host=YOUR_DUO_API_HOSTNAME
; safe = accept the first factor alone if the Duo service is unreachable (fail-open); secure = deny
failmode=safe
client=ad_client
; NetScaler NSIP, or the SNIP if you have a pair
radius_ip_1=NETSCALER_IP
; RADIUS shared key between your NetScaler and the Auth Proxy server
radius_secret_1=RADIUS_SHARED_KEY
port=1812

[radius_server_auto]
ikey=YOUR_DUO_INTEGRATION_KEY
skey=YOUR_DUO_SECRET_KEY
api_host=YOUR_DUO_API_HOSTNAME
failmode=safe
client=ad_client
radius_ip_1=NETSCALER_IP
radius_secret_1=RADIUS_SHARED_KEY
port=18120

; this section allows directory sync from the Duo Admin Panel to your LDAP environment
[cloud]
; these are the keys of the Authentication Proxy application in the Duo Admin Panel, not the NetScaler one
ikey=AUTHPROXY_INTEGRATION_KEY
skey=AUTHPROXY_SECRET_KEY
api_host=AUTHPROXY_API_HOSTNAME

01_ns_gtw_duo

02_ns_gtw_duo
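An added check, not part of the original post and not a Duo tool: the Python below parses an authproxy.cfg laid out like the one above (SAMPLE_CFG is a constructed copy with placeholder addresses and keys) and flags the settings that matter for security: failmode=safe, which is the default and means the proxy accepts the first factor alone whenever the Duo service is unreachable (fail-open); an [ad_client] with the default transport=clear, which sends the service account bind and every user's password to the LDAP server unencrypted; and a single radius_ip_1, which does not cover an HA pair where each node sources RADIUS from its own NSIP. HARDENED_CFG is the same file with those three corrected. The option names are real authproxy.cfg options; the hostnames, paths and addresses are assumptions.

```python
"""Lint a Duo Authentication Proxy authproxy.cfg for fail-open and cleartext settings.

Added example, not part of the original post and not a Duo tool. SAMPLE_CFG mirrors
the layout in the post with constructed placeholder values; failmode, transport,
ssl_ca_certs_file, radius_ip_N/radius_secret_N and port are real authproxy.cfg
options, the verdicts on them are this script's.
"""
import configparser
from typing import List

SAMPLE_CFG = """
[ad_client]
host=10.0.0.10
service_account_username=svc_duo_ro
service_account_password=placeholder
search_dn=dc=domain,dc=com

[radius_server_iframe]
type=citrix_netscaler
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder
api_host=api-xxxxxxxx.duosecurity.com
failmode=safe
client=ad_client
radius_ip_1=10.0.0.5
radius_secret_1=placeholder
port=1812

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder
api_host=api-xxxxxxxx.duosecurity.com
failmode=safe
client=ad_client
radius_ip_1=10.0.0.5
radius_secret_1=placeholder
port=18120
"""

# The same file with the weak settings corrected: LDAPS to a name the server certificate
# covers (assumed ldap.domain.com), fail-closed when Duo is unreachable, and both HA
# nodes' NSIPs (assumed 10.0.0.5 and 10.0.0.6) listed as RADIUS clients.
HARDENED_CFG = (SAMPLE_CFG
    .replace("host=10.0.0.10", "host=ldap.domain.com\ntransport=ldaps\n"
             "ssl_ca_certs_file=/opt/duoauthproxy/conf/ca-bundle.crt")
    .replace("failmode=safe", "failmode=secure")
    .replace("radius_secret_1=placeholder",
             "radius_secret_1=placeholder\nradius_ip_2=10.0.0.6\nradius_secret_2=placeholder"))


def lint(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: List[str] = []
    ports = {}
    for section in cp.sections():
        s = cp[section]
        if section.startswith("ad_client"):
            if s.get("transport", "clear") == "clear":
                findings.append(f"[{section}] transport=clear (the default): the service account "
                                "bind and every user's password cross the network unencrypted; "
                                "use transport=ldaps or starttls with ssl_ca_certs_file")
            elif "ssl_ca_certs_file" not in s:
                findings.append(f"[{section}] TLS without ssl_ca_certs_file: nothing to verify "
                                "the LDAP server certificate against")
        elif section.startswith("radius_server"):
            if s.get("failmode", "safe") == "safe":
                findings.append(f"[{section}] failmode=safe (the default): if the Duo service is "
                                "unreachable the first factor alone is accepted (fail-open); "
                                "set failmode=secure")
            clients = [k for k in s if k.startswith("radius_ip_")]
            for k in clients:
                if "radius_secret_" + k[len("radius_ip_"):] not in s:
                    findings.append(f"[{section}] {k} has no matching shared secret")
            if len(clients) < 2:
                findings.append(f"[{section}] one RADIUS client only: a NetScaler HA pair sources "
                                "RADIUS from each node's own NSIP, so list both (or front the proxy "
                                "with an LB vserver so requests come from the shared SNIP)")
            port = s.get("port", "1812")
            if port in ports:
                findings.append(f"[{section}] port {port} already used by [{ports[port]}]")
            ports[port] = section
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CFG), ("hardened", HARDENED_CFG)):
        print(f"== {label}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print(" -", f)
```

failmode=secure means that a Duo outage locks everyone out of the Gateway, which is exactly the point of a second factor; decide that consciously rather than by leaving the default in place.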

Done; now let's do some NetScaler work. The steps below create a new NetScaler Gateway that scored an A+ on SSLLABS.COM.

1. Create your Duo RADIUS server and policy. In the sample below I am using ns_true, which matches all traffic. You can certainly get creative and match on headers with Citrix Receiver information, such as "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver".

add authentication radiusAction duo_ctx_web_srv -serverIP YOUR_AUTH_PROXY_SERVER -serverPort 1812 -authTimeout 60 -radKey "Radius Shared Key between your NetScaler and Auth Proxy server" -encrypted -encryptmethod ENCMTHD_3 -accounting ON
add authentication radiusPolicy duo_ctx_web_pol ns_true duo_ctx_web_srv

The -encrypted -encryptmethod ENCMTHD_3 flags are how ns.conf stores an already encrypted key after a save; when you type the command yourself, pass the plaintext shared secret to -radKey and leave those two flags out. The 60-second -authTimeout matters: it has to outlive the time a user takes to approve the Push.

2. Create your custom cipher group, then bind the ciphers to it. A note on the list as posted: the SSL3-/SSL2- and DES-CBC3 suites are 3DES (or SSLv2-era) suites that SSL Labs has rated weak since SWEET32 in 2016, and the DHE-DSS suites need a DSA certificate, so they are never negotiated with the RSA certificate bound below. Keep them only if a legacy client actually needs them.

add ssl cipher custom_ciphers

bind ssl cipher custom_ciphers -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher custom_ciphers -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl cipher custom_ciphers -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom_ciphers -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom_ciphers -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher custom_ciphers -cipherName TLS1.2-AES-256-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-AES-128-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher custom_ciphers -cipherName SSL3-DES-CBC3-SHA
bind ssl cipher custom_ciphers -cipherName SSL2-DES-CBC3-MD5
bind ssl cipher custom_ciphers -cipherName SSL3-EDH-DSS-DES-CBC3-SHA
bind ssl cipher custom_ciphers -cipherName SSL3-EDH-RSA-DES-CBC3-SHA

3. Create your Strict Transport Security Rewrite policy

add rewrite action rw_action_sts_header insert_http_header Strict-Transport-Security “\”max-age=157680000\””
add rewrite policy rw_pol_sts_config TRUE rw_action_sts_header

4. Create your SSL redirect from HTTP

add responder action http_to_https redirect “\”https://\” + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE” -responseStatusCode 302
add responder policy http_to_https_pol HTTP.REQ.IS_VALID http_to_https RESET

add service ns_redirect_dummy 127.0.0.1 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED cip-header -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

5. Create your HTTP NetScaler Gateway VIP and bind the HTTP to HTTPS redirect responder

add lb vserver remote_ns_gtw_redirect HTTP YOUR_IP_ADDRESS 80 -persistenceType NONE -cltTimeout 180
bind lb vserver remote_ns_gtw_redirect ns_redirect_dummy
bind lb vserver remote_ns_gtw_redirect -policyName http_to_https_pol -priority 100 -gotoPriorityExpression END -type REQUEST

6. Create your NetScaler Gateway

add vpn vserver remote_ns_gtw SSL YOUR_IP_ADDRESS 443 -maxAAAUsers 9045 -downStateFlush DISABLED -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -appflowLog ENABLED
set ssl vserver remote_ns_gtw -dh ENABLED -dhFile “/nsconfig/ssl/dhkey2048.key” -ssl3 DISABLED
bind vpn vserver remote_ns_gtw -staServer “http://YOUR_STA_SERVER:180”
bind vpn vserver remote_ns_gtw -staServer “http://YOUR_OTHER_STA_SERVER:180”
bind vpn vserver remote_ns_gtw -portaltheme X1

7. Bind your Duo RADIUS policy and the session policy (the sample below binds an already existing StoreFront 3.5 session policy). NOTICE THE PRIORITY 120 on the rewrite policy (rw_pol_sts_config): I later bind 2 additional rewrite policies at 100 and 110 to automatically tick the "I accept the Terms & Conditions" checkbox and enable the "Log On" button.

bind vpn vserver remote_ns_gtw -policy duo_ctx_web_pol -priority 100
bind vpn vserver remote_ns_gtw -policy web_sf35_policy -priority 100
bind vpn vserver remote_ns_gtw -policy rw_pol_sts_config -priority 120 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver remote_ns_gtw -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver remote_ns_gtw -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver remote_ns_gtw -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver remote_ns_gtw -policy _noCacheRest -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver remote_ns_gtw -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE

8. Bind your SSL certificate and custom ciphers to your NetScaler Gateway. Binding custom_ciphers adds to the DEFAULT cipher group the vServer got at creation rather than replacing it, so unbind DEFAULT first (unbind ssl vserver remote_ns_gtw -cipherName DEFAULT) and confirm with show ssl vserver remote_ns_gtw that only the custom group remains.

bind ssl vserver remote_ns_gtw -cipherName custom_ciphers
bind ssl vserver remote_ns_gtw -certkeyName wildcard

9. Bind the ECC curves, they are required for PFS w/ ECDHE ciphers

bind ssl vserver remote_ns_gtw -eccCurveName P_256
bind ssl vserver remote_ns_gtw -eccCurveName P_384
bind ssl vserver remote_ns_gtw -eccCurveName P_224
bind ssl vserver remote_ns_gtw -eccCurveName P_521

10. Set up Rewrite policies to automatically select the “I accept the Terms & Conditions” checkbox and enable the “Log On” button.  In the end you will have 3 Rewrite policies enabled.  One for selecting the checkbox automatically, the other for enabling the “Log On” button, and finally one to enable HSTS/STS which you will need to achieve the A+ score.

bind vpn vserver remote_ns_gtw -policy ns_gtw_eula_checked_pol -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
bind vpn vserver remote_ns_gtw -policy ns_gtw_LogonAutoEnable_rw_pol -priority 110 -gotoPriorityExpression END -type RESPONSE

04_ns_gtw_duo

05_ns_gtw_duo

11. Set up the firewall NAT and ACL; for this example I am using a Cisco ASA. The Gateway VIP should live in the DMZ. The ACL only takes effect once it is applied to the outside interface (access-group EXT-INBOUND in interface outside).

object network obj-YOUR_IP
 host YOUR_IP
 nat (dmz,outside) static YOUR_EXTERNAL_IP

access-list EXT-INBOUND extended permit tcp any4 host YOUR_IP eq www
access-list EXT-INBOUND extended permit tcp any4 host YOUR_IP eq https

That is it! Hope this helps:)

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

Set up a maintenance page on Netscaler Gateway

From time to time there may be a need to bring your remote access down due to scheduled maintenance.  Sure all sorts of communication will be sent out, but the cold fact is that users don’t read or remember 😛

Below are the steps on how to manually display a maintenance page on your NetScaler Gateway  to inform that the site is down.

  1. Create a maintenance html page (code included below)
  2. Create a Responder action which will redirect the traffic to the maintenance page.
  3. Create a Responder policy that only fires when the traffic is for a specific FQDN (e.g. remote.company.com) and for the index.html file.
  4. Bind your Responder policy to your NetScaler Gateway vServer

Environment:

  • Citrix NetScaler 11.0 Build 63.16.nc
  • StoreFront 3.5

Let's get started:

  1. Create your maintenance.html page and upload it to the NetScaler. In my case I am using a heavily customized theme and uploaded it to /var/netscaler/logon/themes/nameoftheme/custom_media

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Site Maintenance</title>
<style>
body { text-align: center; padding: 150px; font: 20px Helvetica, sans-serif; color: #333; }
h1 { font-size: 50px; }
article { display: block; text-align: left; width: 650px; margin: 0 auto; }
a { color: #dc8100; text-decoration: none; }
a:hover { color: #333; text-decoration: none; }
</style>
</head>
<body>
<article>
<h1>We&rsquo;ll be back soon!</h1>
<p>Sorry for the inconvenience, but we&rsquo;re performing maintenance between the hours of midnight and 4 am. If you need to, you can always contact us; otherwise we&rsquo;ll be back online shortly!</p>
<p>&mdash; Information Technology Support Center</p>
</article>
</body>
</html>

01-maint

2. Create a Responder action to redirect to your new maintenance.html file. The theme directory in the URL (Default below) must be the one you uploaded the file to.

add responder action ns_gateway_maint_action redirect "\"https://remote.company.com/logon/themes/Default/custom_media/maintenance.html\"" -responseStatusCode 302

3. Create a Responder policy and assign it the action from step 2. In my case I am hosting several sites on a single Gateway, so I match on both the Host header and the index.html page of my NetScaler Gateway site 😛

add responder policy ns_gateway_maint_policy "HTTP.REQ.HOSTNAME.EQ(\"remote.company.com\") && HTTP.REQ.URL.CONTAINS(\"index.html\")" ns_gateway_maint_action

4. Bind your new responder policy to your NetScaler Gateway site

bind vpn vserver external_portal -policy ns_gateway_maint_policy -priority 100 -gotoPriorityExpression END -type REQUEST

Next time your users go to your Gateway (in my case https://remote.company.com) they will all be redirected to the maintenance page. The Gateway sends a browser hitting the bare hostname to its logon page, /vpn/index.html, which is what the policy catches; because it only matches URLs containing index.html, the request for maintenance.html itself never matches and there is no redirect loop. Once the work is done, unbind the policy and users will again land on your Gateway logon page.

unbind vpn vserver external_portal -policy ns_gateway_maint_policy

ns11_rw_final
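The maintenance policy above and the choices.html bypass policy in the Unified Gateway posts are the same pattern: a responder redirect gated on HOSTNAME.EQ && URL.CONTAINS, bound to the VPN vServer with gotoPriorityExpression END. The Python below is an added example, not part of the original posts and not NetScaler code: it models just those two operators and first-match evaluation, runs both policies against constructed requests, and checks the thing most often got wrong with a maintenance redirect, namely that the redirect target itself must not match the policy (a loop). It assumes hostnames compare case-insensitively and URL fragments case-sensitively, and it relies on the Gateway sending browsers from / to /vpn/index.html.

```python
"""Simulate NetScaler responder-policy matching for the redirect policies on this page.

Added example, not part of the original posts and not NetScaler code: it models only
HTTP.REQ.HOSTNAME.EQ() and HTTP.REQ.URL.CONTAINS() joined with &&, evaluated in priority
order with gotoPriorityExpression END (first hit wins). Hostnames are compared
case-insensitively here (DNS names are), URL fragments case-sensitively; both are this
simulator's assumptions. The request lines below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RedirectPolicy:
    name: str
    host: str           # HTTP.REQ.HOSTNAME.EQ("host")
    url_contains: str   # HTTP.REQ.URL.CONTAINS("fragment")
    target: str         # responder action: redirect "target", 302
    priority: int

    def matches(self, host: str, url: str) -> bool:
        return host.lower() == self.host.lower() and self.url_contains in url


def evaluate(bound: List[RedirectPolicy], host: str, url: str) -> Optional[str]:
    """Redirect target of the first matching policy, or None when the request passes through."""
    for p in sorted(bound, key=lambda p: p.priority):
        if p.matches(host, url):
            return p.target
    return None


def redirect_loops(bound: List[RedirectPolicy]) -> List[str]:
    """Names of policies whose own redirect target would be redirected again."""
    loops = []
    for p in bound:
        t = urlsplit(p.target)
        path = t.path + ("?" + t.query if t.query else "")
        if evaluate(bound, t.hostname or "", path) is not None:
            loops.append(p.name)
    return loops


# The two policies from the posts (choices.html bypass and the maintenance page).
CHOICES_BYPASS = RedirectPolicy("ug_redirect_pol", "name.domain.com", "vpns/choices.html",
                                "https://name.domain.com/cgi/setclient?cvpn", 100)
MAINTENANCE = RedirectPolicy("ns_gateway_maint_policy", "remote.company.com", "index.html",
                             "https://remote.company.com/logon/themes/Default/custom_media/maintenance.html", 100)

# A sloppy variant: matching on "/" would also catch the maintenance page itself.
MAINTENANCE_LOOP = RedirectPolicy("maint_catch_all", "remote.company.com", "/",
                                  MAINTENANCE.target, 100)

if __name__ == "__main__":
    bound = [CHOICES_BYPASS, MAINTENANCE]
    for host, url in [("name.domain.com", "/vpns/choices.html"),
                      ("remote.company.com", "/vpn/index.html"),
                      ("remote.company.com", "/logon/themes/Default/custom_media/maintenance.html"),
                      ("other.company.com", "/vpn/index.html")]:
        print(f"{host}{url} -> {evaluate(bound, host, url)}")
    print("loops:", redirect_loops([MAINTENANCE]), redirect_loops([MAINTENANCE_LOOP]))
```

The other.company.com case is the reason for the HOSTNAME.EQ clause on a shared Gateway: without it, every site behind that vServer goes into maintenance.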

Hope this helps 🙂

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

NetScaler SSL A+ Secured VIPs

Below are the steps I followed to score an A+ with Qualys while working on a new XenMobile 🙂 and NetScaler Unified Gateway deployment.

There are some caveats, however, since Citrix now ships TLS 1.2 with TLS_FALLBACK_SCSV downgrade protection across all NetScaler products. Good, right? Well, if you are running a version below 10.5 build 57.7.nc you will need to update your NetScaler appliances.

10.5 build 57.7.nc is available to all NetScaler and NetScaler Gateway customers. With this release and above you can achieve an A+ regardless of the hardware platform, including VPX running on your own hypervisor, MPX or SDX.

Environment:

  • Citrix NetScaler 11.0 Build 63.16.nc
  • XenMobile 10.3
  • StoreFront 3.0

Let's get started:

Bind specific ciphers to your SSL vServer, then disable RC4 by creating your own cipher group.

Please note that TLS1-AES-256-CBC-SHA is needed to support older SOCKS clients such as Receivers prior to 4.2.100 on Windows, and several others. This includes the XenMobile WorxMail client in STA mode.

In the future this might change as Citrix moves forward with TLS1.2 support across their products.

set ssl vserver portal_netscaler -tls1 ENABLED
set ssl vserver portal_netscaler -tls11 DISABLED
set ssl vserver portal_netscaler -tls12 ENABLED
set ssl vserver portal_netscaler -ssl2 DISABLED
set ssl vserver portal_netscaler -ssl3 DISABLED
unbind ssl vserver portal_netscaler -cipherName ALL
bind ssl vserver portal_netscaler -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl vserver portal_netscaler -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl vserver portal_netscaler -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl vserver portal_netscaler -cipherName TLS1-AES-256-CBC-SHA

Create a new cipher group from the default cipher group and leave out the RC4 suites, as otherwise you will be capped at a B. RC4's keystream has statistical biases that let an attacker recover plaintext that is repeated across many connections (such as cookies). You can read more on how an attack against TLS/RC4 is possible in these slides (http://cr.yp.to/talks/2013.03.12/slides.pdf).

add ssl cipher DEFAULT_no_RC4
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-AES-256-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-AES-128-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName SSL3-EDH-RSA-DES-CBC3-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName SSL3-EDH-DSS-DES-CBC3-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName SSL3-DES-CBC3-SHA

Bind the new SSL Cipher Group to your vServer

bind ssl vserver portal_netscaler -cipherName DEFAULT_no_RC4

The above will get you to an A- Score:

ssl_a_minus
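The cipher groups on this page (custom_ciphers in the Duo post above, and DEFAULT_no_RC4 here) mix modern ECDHE-GCM suites with 3DES, DSS and SSLv2-era entries. The following Python is an added example, not part of the original posts and not a Citrix tool: it classifies NetScaler cipher names purely from their naming convention, drops the suites that today cost you the grade or can never be negotiated with an RSA certificate (3DES since SWEET32, RC4, DSS, SSLv2, MD5), keeps the non-PFS suites the post says older Receivers need but pushes them to the end of the preference order, and prints the bind lines in that order. The grading remarks in the comments reflect SSL Labs practice since 2016 and are this script's judgement, not something the posts state.

```python
"""Classify NetScaler cipher-suite names and propose a cleaned, PFS-first cipher group.

Added example, not part of the original posts: the classification is driven purely by
the naming convention of NetScaler cipher names (protocol prefix, key exchange, auth,
bulk cipher, MAC), and the grading remarks reflect SSL Labs practice since 2016.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The custom_ciphers group from the Duo post, verbatim.
PAGE_GROUP = """
TLS1-DHE-DSS-AES-256-CBC-SHA TLS1-DHE-DSS-AES-128-CBC-SHA TLS1-DHE-RSA-AES-256-CBC-SHA
TLS1-DHE-RSA-AES-128-CBC-SHA TLS1-ECDHE-RSA-DES-CBC3-SHA TLS1-ECDHE-RSA-AES128-SHA
TLS1-ECDHE-RSA-AES256-SHA TLS1.2-AES128-GCM-SHA256 TLS1.2-AES256-GCM-SHA384
TLS1.2-DHE-RSA-AES128-GCM-SHA256 TLS1.2-DHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES-128-SHA256 TLS1.2-ECDHE-RSA-AES-256-SHA384 TLS1.2-AES-256-SHA256
TLS1.2-AES-128-SHA256 TLS1.2-DHE-RSA-AES-128-SHA256 TLS1.2-DHE-RSA-AES-256-SHA256
TLS1-AES-256-CBC-SHA TLS1-AES-128-CBC-SHA SSL3-DES-CBC3-SHA SSL2-DES-CBC3-MD5
SSL3-EDH-DSS-DES-CBC3-SHA SSL3-EDH-RSA-DES-CBC3-SHA
""".split()


@dataclass(frozen=True)
class Suite:
    name: str
    protocol: str            # SSL2, SSL3, TLS1 or TLS1.2 (the prefix NetScaler uses)
    kx: str                  # ECDHE, DHE or RSA (static RSA key exchange)
    auth: str                # RSA or DSS
    cipher: str              # AES-128, AES-256, 3DES, RC4 or other
    aead: bool               # GCM suites
    issues: Tuple[str, ...]


def classify(name: str) -> Suite:
    proto, _, rest = name.partition("-")
    kx = "ECDHE" if "ECDHE" in rest else "DHE" if ("DHE" in rest or "EDH" in rest) else "RSA"
    auth = "DSS" if "DSS" in rest else "RSA"
    if "DES-CBC3" in rest:
        cipher = "3DES"
    elif "RC4" in rest:
        cipher = "RC4"
    else:
        m = re.search(r"AES-?(128|256)", rest)
        cipher = f"AES-{m.group(1)}" if m else "other"
    issues: List[str] = []
    if proto == "SSL2":
        issues.append("SSLv2-only suite, never negotiated once SSLv2 is disabled")
    if cipher == "3DES":
        issues.append("64-bit block cipher (SWEET32); SSL Labs rates it weak")
    if cipher == "RC4":
        issues.append("RC4 keystream biases; SSL Labs caps the grade at B")
    if auth == "DSS":
        issues.append("requires a DSA certificate; dead weight with the RSA certkey bound here")
    if rest.endswith("MD5"):
        issues.append("MD5 MAC")
    if kx == "RSA":
        issues.append("static RSA key exchange: no forward secrecy")
    return Suite(name, proto, kx, auth, cipher, "GCM" in rest, tuple(issues))


FATAL = ("SSLv2", "SWEET32", "RC4", "DSA", "MD5")   # issue substrings that mean "drop"


def recommend(names: List[str]) -> Tuple[List[str], Dict[str, Tuple[str, ...]]]:
    """Split a cipher list into (kept names in preferred order, dropped name -> reasons).

    Non-PFS suites are kept but sorted last, so a legacy client that truly needs
    TLS1-AES-256-CBC-SHA can still connect while modern clients never choose it.
    """
    kept, dropped = [], {}
    for s in map(classify, names):
        if any(f in i for i in s.issues for f in FATAL):
            dropped[s.name] = s.issues
        else:
            kept.append(s)
    rank = {"ECDHE": 0, "DHE": 1, "RSA": 2}
    kept.sort(key=lambda s: (not s.aead, rank[s.kx], s.cipher != "AES-256", s.protocol != "TLS1.2"))
    return [s.name for s in kept], dropped


def bind_commands(group: str, names: List[str]) -> List[str]:
    """NetScaler CLI lines; the binding order is the server's preference order."""
    return [f"bind ssl cipher {group} -cipherName {n}" for n in names]


if __name__ == "__main__":
    keep, drop = recommend(PAGE_GROUP)
    for name, why in drop.items():
        print(f"drop {name}: {'; '.join(why)}")
    print("\n".join(bind_commands("custom_ciphers", keep)))
```

Feed it the DEFAULT_no_RC4 list above instead of PAGE_GROUP and the same four 3DES entries plus the two DHE-DSS suites come out as drops; the RSA-key-exchange suites survive at the tail, which is where the A- to A+ gap the next paragraph talks about lives.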

You can also enable Forward Secrecy; with the new firmware it's now possible to enable PFS for all modern clients/browsers and receive an A+.

Follow the instructions below and score A+

https://blog.cjharms.info/2014/05/enable-forward-secrecy-and-secure.html

ssl_a_plus

Hope this helps 🙂

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.