Building a NetScaler Gateway from Scratch (SSL Labs A Grade)


I was recently asked about building a NetScaler Gateway from scratch for ICA-only connections.  I know this can be done using a wizard, but if you want to know a little more about how it all hangs together, or to name things the way you want instead of accepting the names given by the wizard, then a manual build is the way to go.  The following article walks you through building your NetScaler Gateway from the ground up, ending with a secure, working remote access solution.

This article assumes that you have your LDAP bind credentials and all of your SSL certificates to hand, and that the appropriate firewall / NAT rules are already in place to reach your gateway from the outside world.

The way I like to build a NetScaler Gateway is similar to how I like to cook: get everything ready first, then put it all together at the end.  It may seem a little odd at first that we do not create the gateway straight away and build it out from there, but trust me, it will all work in the end!

To have a working NetScaler Gateway that is also secure you will need the following:

  • LDAP authentication (I know you should use 2FA, but in this case I am only binding LDAP)
  • A Diffie-Hellman key
  • Certificates
  • A custom cipher group
  • Session policies and profiles for Web and Receiver access
  • A Secure Transport Session (i.e. Strict-Transport-Security, STS) header rewrite policy
  • Custom SSL settings (Diffie-Hellman enabled, SSLv3 disabled)
  • The TCP profile for XenDesktop
  • SSL renegotiation restricted to secure renegotiation only
  • A Secure Ticket Authority (STA) in place

So, let's get going.

LDAP

First log into your NetScaler and navigate to the LDAP policies shown below.

01-authentication

Create a new server definition and fill out the server and bind details.  Click on Test Connection to ensure that the connection is working correctly.

02-initial-ldap-connection

Once connected, fill out the Other Settings.  This is where you define what the user will log into the NetScaler Gateway with.  I have used sAMAccountName below, but you could just as easily use UPN by defining it here.

03-other-ldap-settings

Click OK and you will see the LDAP server policy created.

04-ldap-server-profile-created

Next create an Authentication Policy with the expression ns_true and bind it to the LDAP server you have just defined.

05-ldap-server-policy

That's it for LDAP; you “should” have a working LDAP server now.  To test this, head over to the Authentication Dashboard.

06-auth-dashboard

You should see your server listed there with a status of Up.

07-ldap-working

Diffie Hellman

Navigate to the SSL section of the NetScaler shown below.

08-create-dh-key

On the right, under Tools, click on Create Diffie-Hellman Key.

09-start-create

Give the DH key a file name (the file is stored on the NetScaler) and set the parameter size to 2048 bits.

10-dh-param

Click on Create to generate the key.

Certificates

Navigate to Server Certificates shown below.

11-install-certs

Click to install a new certificate.  Provide your certificate and key file and import them into the NetScaler.

12-install-cert

You should see your external certificate listed and valid.

13-server-certs-installed

Next install the root and intermediate certificates for your external certificate, and those of your internal CA if applicable.

14-trusted-certs

In my case I have imported the StartSSL intermediate and root as well as my internal root CA.

15-trusted-installed

If you look at my external certificate you can see that there is an intermediate certificate between the public cert and the root.

16-cert-path

Navigate to the public certificate and right-click to link it to the intermediate.

NOTE: Do not link the intermediate to the root.  If you do, the root is sent along with the chain and SSL Labs will report that the certificate chain contains the anchor.

17-link-certs

18-link-certs

Custom Cipher Group

Next you will need to create a custom cipher group to apply to your gateway.  This ensures that no insecure ciphers are offered externally by your gateway.

These ciphers were taken from Anton's blog post about securing your SSL VIPs on NetScaler.  This can be found here.

Navigate to the Cipher Groups.

19-cipher-group

Click to add a cipher group and assign the following ciphers for a VPX:

  • TLS1-ECDHE-RSA-AES256-SHA
  • TLS1-ECDHE-RSA-AES128-SHA
  • TLS1-DHE-RSA-AES-256-CBC-SHA
  • TLS1-DHE-RSA-AES-128-CBC-SHA
  • TLS1-AES-256-CBC-SHA
  • TLS1-AES-128-CBC-SHA
  • SSL3-DES-CBC3-SHA

20-create-cipher-group
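If you would rather script the preparation steps than click through them, the following is an added example (not part of the original post) showing NetScaler CLI equivalents of the LDAP, Diffie-Hellman, certificate and cipher-group steps covered so far. All object names, the LDAP server IP, the base and bind DNs, the certificate file names and the example.local domain are assumptions; replace them with your own. Parameter names are those of the NetScaler 10.x/11.x CLI.

```netscaler
# Added example (not from the original post): CLI equivalents of the LDAP,
# Diffie-Hellman, certificate and cipher-group steps. Names, IPs, DNs, file
# names and the example.local domain are assumptions.

# LDAP server: bind over LDAPS (636) and let users log in with sAMAccountName.
# The bind password is a placeholder; the appliance stores it encrypted in ns.conf.
add authentication ldapAction LDAP_AD_SRV -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=local" -ldapBindDn "CN=svc_netscaler,OU=Service,DC=example,DC=local" -ldapBindDnPassword "REPLACE_WITH_BIND_PASSWORD" -ldapLoginName sAMAccountName

# LDAP policy: the classic expression ns_true sends every login to that server.
add authentication ldapPolicy LDAP_AD_POL ns_true LDAP_AD_SRV

# Diffie-Hellman: 2048-bit parameters written to the appliance's SSL directory.
create ssl dhparam /nsconfig/ssl/dhparam2048.pem 2048 -gen 2

# Certificates: the public cert plus key, then the chain certificates (cert only).
# The files are assumed to have been uploaded to /nsconfig/ssl already.
add ssl certKey GW_PUBLIC_CERT -cert gw_example_com.crt -key gw_example_com.key
add ssl certKey STARTSSL_INT -cert startssl_int.crt
add ssl certKey STARTSSL_ROOT -cert startssl_root.crt
add ssl certKey INTERNAL_ROOT -cert internal_root_ca.crt

# Link the leaf to the intermediate so the server sends both. Deliberately do
# NOT link the intermediate to the root: the root is the client's trust anchor,
# and sending it makes SSL Labs report "Chain issues: Contains anchor".
link ssl certKey GW_PUBLIC_CERT STARTSSL_INT

# Cipher group: only the ciphers listed above, in preference order.
add ssl cipher SECURE_VPX_CIPHERS
bind ssl cipher SECURE_VPX_CIPHERS -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 1
bind ssl cipher SECURE_VPX_CIPHERS -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 2
bind ssl cipher SECURE_VPX_CIPHERS -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 3
bind ssl cipher SECURE_VPX_CIPHERS -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 4
bind ssl cipher SECURE_VPX_CIPHERS -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 5
bind ssl cipher SECURE_VPX_CIPHERS -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 6
bind ssl cipher SECURE_VPX_CIPHERS -cipherName SSL3-DES-CBC3-SHA -cipherPriority 7

# Quick checks: the leaf should be linked to the intermediate only, and the
# group should list exactly the seven ciphers above.
show ssl certLink
show ssl cipher SECURE_VPX_CIPHERS
```

Paste these into the NetScaler shell over SSH (or run them one at a time) and finish with save ns config once everything checks out. Keeping the chain link at leaf-to-intermediate only is the CLI counterpart of the NOTE above about the anchor.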

Session Policies

Next you have to create the Session Policies that you will assign to the NetScaler Gateway.  A session policy defines the settings that are applied to the client, based on how the client is connecting to the gateway.  In this case I am going to provide settings for the native Citrix Receiver and the web client.

Navigate to Session Policies.

21-create-session-policies

First I will create two profiles: one for Native and one for Web.

22-create-profiles-first

Click to create a Native Client Session Profile and follow the settings shown below.

23-native-client-1

24-native-client-2

25-native-client-3

26-native-client-4

NOTE: In this section, change the StoreFront service to match the StoreFront service you are providing internally.

27-native-client-5

28-native-client-6

Click on Create, then add another Session Profile for the Web Client following the settings below.

29-web-client-1

30-web-client-2

31-web-client-3

32-web-client-4

NOTE: In this section, change the StoreFront service to match the StoreFront service you are providing internally.  Also note that you do not need the Account Services Address for the web client.

33-web-client-5

34-web-client-6

Click Create and you will see the two new session profiles.

35-profiles-created

Next you need to define the Session Policies and bind them to the profiles.  The session policy is where you check the HTTP headers to determine which client the user is using and apply the relevant session profile.

Create a policy for Native using the following as the expression:

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

and bind this to your native profile.

36-session-policy-native

Next create a policy for Web using the following as the expression:

REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS

and bind this to your web profile.

37-session-policy-web

Secure Transport Session Header

You will now create the Secure Transport Session header (the Strict-Transport-Security, or STS, response header) that will be inserted into your NetScaler Gateway sessions to abide by SSL Labs best practice.

Navigate to Rewrite Actions and create a new action.

38-rewrite-action

Fill out the details as shown below.

39-create-rewrite-action-sts

Then create a Rewrite Policy.

40-rewrite-policy

and fill it out as shown below, binding it to your new Rewrite Action.

41-create-rewrite-policy-sts
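As an added example (not part of the original post), here are NetScaler CLI equivalents of the two session profiles, the two session policies and the STS rewrite action and policy described in the last two sections. The object names, the StoreFront hostname and the example.local domain are assumptions. The profile flags other than the StoreFront URLs (ICA proxy, single sign-on, NT domain and so on) are also assumptions describing a typical ICA-only gateway, since the post shows those settings only in screenshots; the policy expressions are the ones given above verbatim.

```netscaler
# Added example (not from the original post): CLI equivalents of the session
# profiles, session policies and STS rewrite objects. Names, the StoreFront URL,
# the example.local domain and the profile flags beyond the StoreFront URLs
# are assumptions.

# Native Receiver profile: ICA proxy on, SSO on, StoreFront given both as the
# web home (wihome) and as the Account Services address (storefronturl).
add vpn sessionAction NATIVE_RECEIVER_PROF -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.example.local/Citrix/StoreWeb" -clientChoices OFF -ntDomain example.local -clientlessVpnMode OFF -storefronturl "https://storefront.example.local"

# Web (browser) profile: the same, but without storefronturl, which the web
# client does not need (see the NOTE in the web profile section).
add vpn sessionAction WEB_RECEIVER_PROF -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.example.local/Citrix/StoreWeb" -clientChoices OFF -ntDomain example.local -clientlessVpnMode OFF

# Session policies: the classic header expressions from above select the profile.
# Native Receiver identifies itself in User-Agent; a browser does not, but sends Referer.
add vpn sessionPolicy NATIVE_RECEIVER_POL "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" NATIVE_RECEIVER_PROF
add vpn sessionPolicy WEB_RECEIVER_POL "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" WEB_RECEIVER_PROF

# STS header: a rewrite action that inserts Strict-Transport-Security into
# responses, and a response-side policy that always fires. The one-year
# max-age is an assumed value; SSL Labs only credits HSTS for a long max-age.
add rewrite action STS_HEADER_ACT insert_http_header Strict-Transport-Security "\"max-age=31536000\""
add rewrite policy STS_HEADER_POL true STS_HEADER_ACT

# Both session policies should appear with their bound profiles.
show vpn sessionPolicy
show rewrite policy STS_HEADER_POL
```

Note that the two session expressions are mutually exclusive (one requires CitrixReceiver in the User-Agent, the other requires its absence), so exactly one profile can apply to a given request.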

That's the basic elements done for your NetScaler Gateway; let's put it all together.

NetScaler Gateway

First navigate to NetScaler Gateway and add a new Virtual Server.

42-create-gateway

Give it a name, an IP address in your DMZ and the port you want to run the NetScaler Gateway on, then click to expand More Settings.

43-initial-settings

Select ICA Only from the settings displayed and click OK.

44-ica-proxy

Next you need to bind the certificates you imported earlier.

45-bind-certs

Click on Server Certificate and bind your public SSL cert, then on CA Certificates and bind the intermediate and root CA certificates for both the public and the internal CA.

46-bound-certs

Next comes Authentication.  Click to add an authentication method to the NetScaler Gateway.

47-auth-policy

Select LDAP and Primary.

48-ldap

Bind the LDAP policy you created earlier and click OK.

49-select-ldap

Done

50-bound-ldap

Nothing is needed in this case for advanced authentication.

51-no-advanced

Next click to edit the SSL Parameters, as we need to enable Diffie-Hellman and disable SSLv3.

52-edit-ssl

Enable Diffie-Hellman, select the key file you created earlier on the NetScaler and set the refresh value; also disable SSLv3.

53-secure-ssl

Next click to edit the Ciphers and remove the Default group.

54-edit-ciphers

Bind your new custom cipher group and click OK.

NOTE: You can ignore this error from the GUI if you receive it.

55-cipher-error

56-ciphers-bound

Next you will specify the TCP profile to use on the gateway.  Click to edit the profiles.

57-apply-tcp-profile

Select the XA_XD profile from the list provided.

58-select-xad

Now you will bind the two session policies to the NetScaler Gateway.

Click to add a policy.

59-add-session-policies

Select Session.

60-select-session

Bind one of your session policies with a priority of 100.

61-native

Then click to bind the other session policy, also at priority 100.  Once done you should see both policies on the gateway.

62-bind-both

Next you will add the STS rewrite policy to the gateway.  Click to add another policy, but select Rewrite from the drop-down list.

63-bind-rewrite

Select the STS header rewrite policy you created earlier.

64-rewrite-bound

Click Bind.

Next you need to specify a Secure Ticket Authority (STA) for the gateway.

Click the + next to Published Applications on the right.

65-published-apps

Click on No STA Server to add your STA server.

66-sta

Specify the HTTP or HTTPS URL of the Secure Ticket Authority.

67-sta-binding

Click Bind.

68-check-sta

To check that the STA is working, click on the 1 STA Server link and it should show the STA as green.

69-sta-valid


Finally, navigate to Traffic Management > SSL and click on Advanced SSL Settings on the right.

Change Deny SSL Renegotiation to NONSECURE.

70-1-secure-neg

Done!  Your NetScaler Gateway should show as UP and be ready to test.

70-gateway-built
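To close the loop on the CLI side, here is an added example (not part of the original post) that assembles the gateway virtual server from the objects created in the earlier steps and applies the global renegotiation setting. The vserver name, the DMZ address, the STA URL, the DH refresh count and the object names are assumptions. The walkthrough binds both session policies at priority 100; the example uses distinct priorities, which makes no difference because the two expressions cannot both match the same request.

```netscaler
# Added example (not from the original post): CLI assembly of the gateway from
# the objects created earlier. The vserver name, DMZ IP, STA URL, DH refresh
# count and object names are assumptions.

# The virtual server itself: SSL on a DMZ address, ICA-only mode.
add vpn vserver GW_VS SSL 192.0.2.10 443 -icaOnly ON

# Certificates: the public cert as the server cert; chain and internal root as CA certs.
bind ssl vserver GW_VS -certkeyName GW_PUBLIC_CERT
bind ssl vserver GW_VS -certkeyName STARTSSL_INT -CA
bind ssl vserver GW_VS -certkeyName STARTSSL_ROOT -CA
bind ssl vserver GW_VS -certkeyName INTERNAL_ROOT -CA

# Primary authentication: the LDAP policy from earlier.
bind vpn vserver GW_VS -policy LDAP_AD_POL -priority 100

# SSL parameters: DH enabled with the 2048-bit file, re-keyed after an assumed
# 1000 handshakes, and SSLv3 disabled.
set ssl vserver GW_VS -dh ENABLED -dhFile /nsconfig/ssl/dhparam2048.pem -dhCount 1000 -ssl3 DISABLED

# Ciphers: drop the DEFAULT group, then bind the custom group.
unbind ssl vserver GW_VS -cipherName DEFAULT
bind ssl vserver GW_VS -cipherName SECURE_VPX_CIPHERS

# TCP profile: the built-in XenApp/XenDesktop profile.
set vpn vserver GW_VS -tcpProfileName nstcp_default_XA_XD_profile

# Session policies (distinct priorities; the expressions are mutually exclusive).
bind vpn vserver GW_VS -policy NATIVE_RECEIVER_POL -priority 100
bind vpn vserver GW_VS -policy WEB_RECEIVER_POL -priority 110

# STS rewrite policy, bound on the response side so the header is added to replies.
bind vpn vserver GW_VS -policy STS_HEADER_POL -priority 100 -gotoPriorityExpression END -type RESPONSE

# Secure Ticket Authority (typically a Delivery Controller).
bind vpn vserver GW_VS -staServer https://ddc01.example.local

# Global SSL setting: refuse renegotiation requests that do not use secure
# (RFC 5746) renegotiation; this is the GUI's "Deny SSL Renegotiation: NONSECURE".
set ssl parameter -denySSLReneg NONSECURE

# Verify (State should be UP, the custom cipher group and DH file should be
# listed), then persist the configuration.
show vpn vserver GW_VS
show ssl vserver GW_VS
save ns config
```

After saving, run the same SSL Labs test described below against the public name; the cipher group, the DH parameters, the missing root in the chain and the STS header are the items it scores.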

Let's access the NetScaler Gateway!

71-gateway-accessable

Run an SSL Labs test against the URL.

72-grade-a

Log into the gateway.  NOTE: I am using sAMAccountName, as this is what I specified in my LDAP policy.

73-login

Display the StoreFront apps.

74-logged-in

Launch a desktop via the NetScaler Gateway.

75-logged-in-and-run-up

That's it: all the details on how to build a basic NetScaler Gateway for ICA connections.  Hope this helps some of you out, especially the guy who asked me to write this article; you know who you are.

Have Fun Building!

b@m #NetScalerRocks


8 thoughts on “Building a NetScaler Gateway from Scratch (SSL Labs A Grade)”

  1. frano

    Very cool article, perfect.

    Is it possible to have a second article with an auth factor using client user certificates?

    regards

    frank
