Earlier this year I wrote two articles on deploying XenDesktop 7.7 in the Microsoft Azure public cloud and securing those deployments with a Citrix NetScaler. This article focuses on securing those NetScaler appliances as well as you currently can with the supported firmware version running in Microsoft Azure.
Let's get to it.
Initial Pen Test using SSL Labs
As you can see, out of the box the Citrix NetScaler in Azure receives an overall SSL Labs rating of C. Let's see if we can improve this.
If your certificate comes from a public CA that issues through intermediate CAs, install those intermediate certificates on your NetScaler and link them to your server certificate. NOTE: You do not need to install or link the Root CA.
Log into your NetScaler
Expand Traffic Management – SSL – Certificates
Upload your intermediate certificate
Click Install and you should see the certificate installed
Right click your server certificate and select Link
Select your intermediate certificate from the list
Click OK to link
Disable SSL3 on your NetScaler Gateway, as this protocol is considered insecure.
Expand System – Profiles
Configure the settings as below, ensuring you disable SSL3
Click OK to save the profile
Expand NetScaler Gateway – Virtual Servers
Open your NetScaler Gateway and add SSL Profile
Select your new profile from the list
Click OK to apply the new SSL Profile settings.
Create a Secure Cipher Group List
You need to remove the insecure ciphers from the available supported options on the gateway.
Select Traffic Management – SSL – Cipher Groups
Add the following ciphers to your group
Click Create, then navigate to your NetScaler Gateway again
Open your NetScaler Gateway and click to Add SSL Ciphers
Remove all the listed ciphers
Select your new cipher group and click to add it
Click OK to commit the changes
Create a Diffie-Hellman Key
Navigate to Traffic Management – SSL
Click Create Diffie-Hellman Key and fill out the details, ensuring you save the .key file to the NetScaler
Navigate to System – Profiles
Open your SSL Profile you created earlier
Enable Diffie-Hellman Param
Set the refresh count to 1000 and select the key you created earlier
Click OK to apply the settings.
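The same hardening expressed as NetScaler CLI commands, which is easier to script, review and repeat than the GUI steps above. This is an added example, not from the original post; the object names (server_cert, intermediate_cert, secure_fe, secure_ciphers, gw_vs) and file paths are assumptions, and the DHE cipher list is an illustrative choice because the post's own cipher list is shown only in a screenshot.

```nscli
# Added example (not from the post): NetScaler CLI equivalent of the GUI steps.
# Object names, file paths and the cipher list below are assumptions for illustration.

# 1. Install the intermediate certificate and link it to the server certificate
#    (no private key is needed for an intermediate; the Root CA is NOT installed).
add ssl certKey intermediate_cert -cert /nsconfig/ssl/intermediate.cer
link ssl certKey server_cert intermediate_cert

# 2. Generate a 2048-bit Diffie-Hellman parameter file on the appliance
create ssl dhparam /nsconfig/ssl/dhparam2048.key 2048 -gen 2

# 3. Front-end SSL profile: SSL3 disabled, DH params enabled and refreshed every 1000 handshakes.
#    Weak default for comparison: the built-in settings leave SSL3 ENABLED and DH DISABLED.
add ssl profile secure_fe -sslProfileType FrontEnd -ssl3 DISABLED -tls1 ENABLED -dh ENABLED -dhFile /nsconfig/ssl/dhparam2048.key -dhCount 1000
# TLS 1.2 cannot be enabled on the 10.5.51 VPX build in Azure, as the post explains;
# on a build that supports it, add: -tls11 ENABLED -tls12 ENABLED

# 4. Cipher group with no RC4 suites; DHE suites listed first so forward secrecy is preferred
add ssl cipher secure_ciphers
bind ssl cipher secure_ciphers -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher secure_ciphers -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher secure_ciphers -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher secure_ciphers -cipherName TLS1-AES-128-CBC-SHA

# 5. Apply the profile and cipher group to the Gateway virtual server,
#    replacing the built-in DEFAULT group that the initial scan flagged for RC4
set ssl vserver gw_vs -sslProfile secure_fe
unbind ssl vserver gw_vs -cipherName DEFAULT
bind ssl vserver gw_vs -cipherName secure_ciphers

# 6. Persist the configuration and verify the bindings and certificate chain
save ns config
show ssl vserver gw_vs
show ssl certKey server_cert
```

Re-run the SSL Labs scan afterwards to confirm SSL3, RC4 and the chain issues are gone; the TLS 1.2 finding will remain on this firmware build.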
Validate the Settings
Looking at the list of issues from the initial scan, we have now addressed SSL3, the RC4 ciphers, Forward Secrecy and the certificate chain, but NOT TLS 1.2.
So here we come to the big issue with securing your NetScaler Gateway in Microsoft Azure. Currently the firmware version of NetScaler Gateway in Azure is 10.5.51. This version of the VPX does not support TLS 1.2, so you cannot enable it and lift your security score above C. This does not mean you should skip the other techniques described here to secure your device, but unfortunately, until Citrix and Microsoft raise the NetScaler version in Azure to at least 10.5.57, we will not be able to enable TLS 1.2 and therefore get an A with SSL Labs.
Hope this helps you out somewhat.