How to take your NetScaler Gateway (Wizard Built) to the Next Level


After a gentle nudge from Claudio about a suggested post (see below) I have finally got round to putting this together. The purpose is to show the steps you need to take to get a NetScaler Gateway built with the built-in wizard both secure and conforming to your company naming standards.

nudge

Here is a gateway I built using the wizard. As part of it I created a new LDAP policy rather than reusing the one already on my NetScaler.

01-gateway-standard

First, let's run an SSL Labs test against the gateway.

02-ssl-test

So, that's what you get out of the box with the wizard. Let's deal with security first.

Disable SSL 3 and Create Diffie-Hellman Key

First create a Diffie-Hellman key (the NetScaler's name for a DH parameter file) by going to Traffic Management - SSL. On the right you will see the option to create a Diffie-Hellman Key. Click that, give the key a new file name on the NetScaler and set the DH Parameter Size to 2048. Do not go smaller: SSL Labs marks 1024-bit DH parameters as weak (Logjam), and the key takes a while to generate on a VPX.

03-dh-key

Next open up your new NetScaler Gateway and edit the SSL Parameters for the gateway.

Tick Enable DH Param, select your new key, set the Refresh Count to 1000 (the number of handshakes after which the NetScaler regenerates the DH key pair) and untick SSLv3.

04-ssl-params

Certificates

I normally bind my internal root CAs to the gateway so that the gateway itself trusts the SSL certificates issued to the internal resources. To do this, again open up your gateway and, under Certificates, make sure to bind all your internal CAs in the CA Certificate section.

05-certs

Another thing is to ensure that the public certificate assigned to the gateway presents the full chain WITHOUT the root CA. Clients already hold the root in their own trust store, so sending it is wasted bytes and SSL Labs reports it as a chain issue (contains anchor). Head over to Traffic Management - SSL - Certificates - Server Certificates.

Right click on your public certificate and click Link.

If you have uploaded your intermediate certificates to the NetScaler you can link them here. Link the public certificate to its intermediate, and each intermediate to the next one up, but don't link the last intermediate back to the root.

06-cert-linking

SSL Renegotiation

Open the Advanced SSL Settings from Traffic Management - SSL.

Change Deny SSL Renegotiation to NONSECURE. This refuses renegotiation from clients that do not support RFC 5746 secure renegotiation, which is what SSL Labs is checking for under "Secure Renegotiation".

07-ssl-reneg

Cipher Suite

Create a cipher group containing the following ciphers in this order of preference, bind it to the NetScaler Gateway and remove the DEFAULT group:

  • TLS1-ECDHE-RSA-AES256-SHA
  • TLS1-ECDHE-RSA-AES128-SHA
  • TLS1-DHE-RSA-AES-256-CBC-SHA
  • TLS1-DHE-RSA-AES-128-CBC-SHA
  • TLS1-AES-256-CBC-SHA
  • TLS1-AES-128-CBC-SHA
  • SSL3-DES-CBC3-SHA

One caveat if you are reading this later: SSL Labs now rates SSL3-DES-CBC3-SHA (3DES) as weak because of SWEET32, and this list has no AES-GCM suites, so even TLS 1.2 clients end up on CBC ciphers. Drop the 3DES suite unless you still have clients that need it, and on firmware that lists them in show ssl cipher put the ECDHE AES-GCM suites (TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 and its 128-bit sibling) at the top of the group.

08-ssl-ciphers

Strict Transport Security (STS) Header

Create a Rewrite Action and Policy that inserts the Strict-Transport-Security header into responses. For detailed instructions on creating this policy please see the following post:

STS Header – NetScaler

Once you have created it, bind it to your NetScaler Gateway as a response-side rewrite policy.

09-sts
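Everything above is done through the GUI. As an added example (not from the original post), here is the same hardening done from the NetScaler CLI, which is easier to review and to repeat on a second appliance. The vserver and certificate names, the DH file name and the STS max-age are assumptions for illustration; substitute your own.

```nscli
# Added example, not from the original post: CLI equivalent of the GUI steps,
# typed at the NetScaler CLI (ssh to the NSIP as nsroot).
# Assumed names - change them to match your build:
#   _XD_192.0.2.10_443   wizard-built gateway vserver (renamed later)
#   gw-public            public server certificate key already installed
#   gw-intermediate      intermediate CA certificate key already uploaded
#   InternalRootCA       certificate key for your internal root CA

# 1. 2048-bit DH parameters, then enable DH on the gateway, regenerate the
#    DH key pair every 1000 handshakes and turn SSLv3 off
create ssl dhparam /nsconfig/ssl/dhkey2048.pem 2048 -gen 2
set ssl vserver _XD_192.0.2.10_443 -dh ENABLED -dhFile /nsconfig/ssl/dhkey2048.pem -dhCount 1000 -ssl3 DISABLED

# 2. Internal root CA bound as a CA certificate (not a server certificate),
#    and the public certificate linked to its intermediate only - the chain
#    stops at the last intermediate, the root is never linked
add ssl certKey InternalRootCA -cert internal-root.cer
bind ssl vserver _XD_192.0.2.10_443 -certkeyName InternalRootCA -CA
link ssl certKey gw-public gw-intermediate
# with two intermediates, also link the first to the second:
# link ssl certKey gw-intermediate gw-intermediate2

# 3. Refuse renegotiation from clients without RFC 5746 secure renegotiation
set ssl parameter -denySSLReneg NONSECURE

# 4. Own cipher group bound in place of DEFAULT; bind order is preference order
add ssl cipher GW-Ciphers
bind ssl cipher GW-Ciphers -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher GW-Ciphers -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher GW-Ciphers -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher GW-Ciphers -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher GW-Ciphers -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher GW-Ciphers -cipherName TLS1-AES-128-CBC-SHA
# 3DES only if legacy clients still need it - SSL Labs rates it weak (SWEET32)
bind ssl cipher GW-Ciphers -cipherName SSL3-DES-CBC3-SHA
unbind ssl vserver _XD_192.0.2.10_443 -cipherName DEFAULT
bind ssl vserver _XD_192.0.2.10_443 -cipherName GW-Ciphers

# 5. STS header through a rewrite action/policy bound on the RESPONSE side
#    of the gateway (one year max-age assumed here; pick your own value)
add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=31536000\""
add rewrite policy enforce_STS true insert_STS_header
bind vpn vserver _XD_192.0.2.10_443 -policy enforce_STS -priority 100 -gotoPriorityExpression END -type RESPONSE

save ns config
```

Before re-running SSL Labs, `show ssl vserver _XD_192.0.2.10_443` should list SSLv3 as DISABLED, DH as ENABLED with your file, and GW-Ciphers as the only cipher binding; `show ssl cipher GW-Ciphers` shows the suites in the order they will be offered.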

So, let's test the NetScaler Gateway again.

10-ssl-test-2

Once you have a secure NetScaler Gateway you could leave it there. However, if like me you like to have all your NetScaler items named correctly, the wizard will leave you feeling pretty bad about the state of your config.

To clean up, do the following:

Rename The NetScaler Gateway

Out of the box your NetScaler Gateway will be named _XD_IPADDRESSOFGATEWAY_443.

Find it in NetScaler Gateway - Virtual Servers, right click and rename it to your external FQDN.

Session Policies

By default the wizard creates 2 session policies for you: one for Receiver for Web and one for native Receiver. These can be found under NetScaler Gateway - Policies - Session.

NetScaler does not support renaming session policies, so to get this done you will have to create 2 new session profiles and 2 new session policies, bind them to the NetScaler Gateway and delete the old ones.

TIP – To pre-fill the options in a session policy or any NetScaler function – put a tick in the policy you want to replicate and click Add.  It will pre-fill out all the options for you so you can just change the name!

Start with Session Profiles and create 2 new ones (one for Web and one for native receiver)

NOTE: The Web Policies created by the wizard will start with PL_WB and AC_WB and the native receiver will be PL_OS and AC_OS

11-profiles

Next do the same for the policies, picking the new profile that matches the policy you are working on.

12-policies

Finally open up your gateway, bind the new policies with a priority of 100, then unbind and delete the old policies and profiles from the NetScaler.

13-binding

LDAP Authentication

If you use the wizard to create your LDAP policy it will be named IPADDRESS_LDAP, again not great for my OCD. NetScaler does not allow you to rename LDAP policies either, so we take the same approach as with the session policies.

Add a new LDAP Server by going to System – Authentication – LDAP then select Servers.

Put a tick in your server then click Add and give it a name you want.

NOTE: You will need to re-enter the bind password for the LDAP Connection here.

14-ldap-server

Next add the LDAP Policy and pick your new server

15-ldap-policy

Finally bind that to your NetScaler Gateway and remove the old policy and profile from the NetScaler

16-ldap-binding
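As with the security section, the clean-up is easier to repeat from the CLI. This is an added example and not from the original post; the wizard object names, the FQDN, the StoreFront URL, the domain controller and the LDAP attributes are all assumptions, so copy the real values from the wizard-built objects on your own NetScaler.

```nscli
# Added example, not from the original post: clean-up from the NetScaler CLI.
# Assumed names - change them to match your build:
#   _XD_192.0.2.10_443 -> gw.example.com    wizard name -> external FQDN
#   PL_WB_192.0.2.10 / AC_WB_192.0.2.10     wizard web policy / profile
#   PL_OS_192.0.2.10 / AC_OS_192.0.2.10     wizard native Receiver policy / profile
#   192.0.2.10_LDAP                         wizard LDAP policy and server
#   192.0.2.5                               domain controller, LDAPS on 636 assumed

# 1. The gateway itself can simply be renamed
rename vpn vserver _XD_192.0.2.10_443 gw.example.com

# 2. Session profiles and policies cannot be renamed: dump the wizard's so
#    every parameter can be copied, then re-create them under your own names
show vpn sessionAction AC_WB_192.0.2.10
show vpn sessionAction AC_OS_192.0.2.10
# the parameters below are a subset; paste the full set from the show output
add vpn sessionAction AC_WEB_gw.example.com -transparentInterception OFF -SSO ON -icaProxy ON -wihome "https://storefront.corp.example.com/Citrix/StoreWeb" -ClientChoices OFF -clientlessVpnMode OFF
add vpn sessionAction AC_NATIVE_gw.example.com -transparentInterception OFF -SSO ON -icaProxy ON -wihome "https://storefront.corp.example.com/Citrix/StoreWeb" -ClientChoices OFF -clientlessVpnMode OFF
# same User-Agent split the wizard uses: Receiver for Web vs native Receiver
add vpn sessionPolicy PL_WEB_gw.example.com "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" AC_WEB_gw.example.com
add vpn sessionPolicy PL_NATIVE_gw.example.com "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" AC_NATIVE_gw.example.com
bind vpn vserver gw.example.com -policy PL_WEB_gw.example.com -priority 100
bind vpn vserver gw.example.com -policy PL_NATIVE_gw.example.com -priority 110
unbind vpn vserver gw.example.com -policy PL_WB_192.0.2.10
unbind vpn vserver gw.example.com -policy PL_OS_192.0.2.10
rm vpn sessionPolicy PL_WB_192.0.2.10
rm vpn sessionPolicy PL_OS_192.0.2.10
rm vpn sessionAction AC_WB_192.0.2.10
rm vpn sessionAction AC_OS_192.0.2.10

# 3. Same for LDAP: new server (the bind password has to be entered again and
#    will sit in the CLI history), new policy, bind, then remove the wizard's
add authentication ldapAction LDAP_corp.example.com -serverIP 192.0.2.5 -serverPort 636 -secType SSL -ldapBase "DC=corp,DC=example,DC=com" -ldapBindDn "svc_netscaler@corp.example.com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userPrincipalName
add authentication ldapPolicy LDAP_corp.example.com ns_true LDAP_corp.example.com
bind vpn vserver gw.example.com -policy LDAP_corp.example.com -priority 100
unbind vpn vserver gw.example.com -policy 192.0.2.10_LDAP
rm authentication ldapPolicy 192.0.2.10_LDAP
rm authentication ldapAction 192.0.2.10_LDAP

save ns config
```

Do the bind of the new policy before the unbind of the old one in each case, so the gateway never sits without a session or authentication policy while you work. `show vpn vserver gw.example.com` afterwards lists exactly what is bound.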

That's it: how to take your wizard-built NetScaler Gateway, get it to a good SSL Labs grade and make the naming fit your needs.

One thing worth mentioning is that once you rename the gateway it will no longer appear in the XenApp and XenDesktop section of the NetScaler. But who needs that when you have NetScaler MAS to hand to monitor everything :o)

Laters,

b@m
