Securing your NetScaler (as best as you can) in Microsoft Azure

Securing your NetScaler (as best as you can) in Microsoft Azure

Securing your NetScaler (as best as you can) in Microsoft Azure

This post has already been read 7981 times!

Earlier this year I wrote 2 articles on deploying XenDesktop 7.7 in the Microsoft Azure Public cloud and securing those deployments with a Citrix NetScaler.  This article will focus on securing those NetScaler appliances as best as you currently can with the supported version of firmware running in Microsoft Azure.

Lets get to it.

Initial Pen Test using SSL Labs

01 - initial test

As you can see – out of the box Citrix NetScaler in Azure is graded an overall rating of C.  Lets see if we can improve this.

Certificate Chaining

If you have a certificate from a public provider that uses intermediaries then you should install and link those to your server certificate you have on your NetScaler.  NOTE: You will not need to install and link the Root CA.

Log into your NetScaler

02 - loginto netscaler

Expand Traffic Management – SSL – Certificates

03 - ssl - certs - install

Click Install

04 - install]

Upload your intermediate certificate

05 - int cert details

Click Install and you should see the certificate installed

08 - certs installed

Right click your server certificate and select Link

09 - link server cert

Select your intermediary certificate from the list

10 - select int

Click OK to link

Disabling SSL3

You should disable SSL3 on your NetScaler Gateway as this is considered insecure

Expand System – Profiles

15 - ssl profile

Click Add

16 - add ssl profile

Configure the settings as below – ensuring your disabling SSL3

17 - ssl profile settings

Disable SSL3

18 - protocol settings

Click ok to save the profile

19 - ssl profile created

Expand NetScaler Gateway – Virtual Servers

20 - navigate gateway

Open your NetScaler Gateway and add SSL Profile

21 - click ssl profile

Select your new profile from the list

22 - select ssl profile

Click ok to apply the new SSL Profile Settings.

Create a Secure Cipher Group List

You need to remove the insecure ciphers from the available supported options on the gateway.

Select Traffic Management – SSL – Cipher Groups

23 - cipher groups

Click Add

24 - add cipher group

Add the following Ciphers into your group

25 - add ciphers

Click Create then navigate to your NetScaler Gateway again

20 - navigate gateway

Open your NetScaler Gateway and click to Add SSL Ciphers

26 - add sll cipher button

Remove all the listed Ciphers

27 - remove all ciphers

Click Add

25 - add ciphers

Select your new Cipher group and click to add it

29 - select new group

Click ok to commit the changes

Create a Diffie Helman Key

Navigate to Traffic Management – SSL

30 - create dh key

Click on Create Diffie Helman Key and fill out the details ensuring you save the .key file to the NetScaler

31 - add dh key detail

Navigate to System – Profiles

15 - ssl profile

Open your SSL Profile you created earlier

32 - ssl parameters

Enable Diffie Helman Param

33 - enable dh

Set the refresh count to 1000 and select the key you created earlier

34 - dh settings

Click ok to apply the settings.

Validate the Settings

35 - resolved issues

If you look at the list of issues out the box we have addressed SSL3, RC4 Ciphers, Forward Secrecy and the Certificate Chain but NOT the TLS 1.2.

So, here we come to the big issue with Securing your NetScaler Gateway in Microsoft Azure.  Currently the firmware version of NetScaler Gateway in Azure is 10.5.51.  This version of the VPX does not support TLS 1.2 and therefore you cannot enable it and lift your security score above C.  This does not mean that you should not implement the other techniques described here to secure your device but unfortunatly until Citrix and Microsoft lift the version of NetScaler in Azure to at lease 10.5.57 then we will not be able to enable TLS 1.2 and therefore get an A with SSL Labs.

Hope this helps you out somewhat.

Laters,

b@m

Leave a Reply

Your email address will not be published. Required fields are marked *