After getting a gentle nudge from Claudio about a suggested post (see below), I have finally got round to putting this together. The purpose of this post is to show you the steps you need to take to get a NetScaler Gateway you have built using the inbuilt wizard secure and conforming to your company standards.
Here is a gateway I built using the wizard. I built a new LDAP policy as part of this gateway and did not use the existing one I already had on my NetScaler.
First, let's run an SSL Labs test against the server.
So, that's out of the box with the wizard. Let's deal with the security first.
Disable SSL 3 and Create Diffie-Hellman Key
First, create a Diffie-Hellman key by going to Traffic Management and then SSL. On the right you will see the option to create a Diffie-Hellman Key. Click that, give the key a new file name on the NetScaler and set the DH Parameter Size to 2048.
Next, open up your new NetScaler Gateway and edit the SSL Parameters for the gateway.
Tick the box to enable DH Param, select your new key, set the refresh count to 1000 and disable SSLv3.
Certificates
I normally bind my internal Root CAs to the gateway so that the Gateway itself trusts the SSL certs issued to the internal resources. To do this, open up your gateway again and, under Certificates, make sure to bind all your internal CAs in the CA Certificate section.
Another thing to ensure is that the public certificate assigned to the gateway has the full chain presented by the NetScaler WITHOUT the Root CA. Head over to Traffic Management – SSL – Certificates – Server Certificates.
Right click on your public certificate and click on Link.
If you have uploaded your intermediate certificates to the NetScaler you can link them here. Do this for all intermediate certificates, but don't link right back to the root.
SSL Renegotiation
Open the Advanced SSL Settings from Traffic Management – SSL.
Change Deny SSL Renegotiation to NONSECURE.
Cipher Suite
Assign the following ciphers to the NetScaler Gateway and remove the DEFAULT group:
- TLS1-ECDHE-RSA-AES256-SHA
- TLS1-ECDHE-RSA-AES128-SHA
- TLS1-DHE-RSA-AES-256-CBC-SHA
- TLS1-DHE-RSA-AES-128-CBC-SHA
- TLS1-AES-256-CBC-SHA
- TLS1-AES-128-CBC-SHA
- SSL3-DES-CBC3-SHA
Strict Transport Security (STS) Header
Create a Rewrite Policy and Action for the STS header. For detailed instructions on creating this policy, please see the following post:
Once you have created it, bind it to your NetScaler Gateway.
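To confirm the steps above actually landed on the box, here is an added example (mine, not part of the original post or any Citrix tool) that audits NetScaler running-config lines for SSLv3 disabled, DH enabled with the 1000 refresh count, non-secure renegotiation denied, only the ciphers listed above bound, and the STS rewrite policy bound as a response policy on the gateway. The config lines, the vserver name gw.example.com, the cipher group GW_CIPHERS and the rewrite object names are constructed, and the CLI syntax is assumed rather than captured from a device.

```python
# Added example (not from the original post): audit NetScaler running-config lines
# for the hardening steps above. SAMPLE_CONFIG is hand-constructed to approximate
# `show ns runningConfig` output; the command syntax is assumed, not captured.
import shlex

APPROVED = {"TLS1-ECDHE-RSA-AES256-SHA", "TLS1-ECDHE-RSA-AES128-SHA",
            "TLS1-DHE-RSA-AES-256-CBC-SHA", "TLS1-DHE-RSA-AES-128-CBC-SHA",
            "TLS1-AES-256-CBC-SHA", "TLS1-AES-128-CBC-SHA", "SSL3-DES-CBC3-SHA"}

SAMPLE_CONFIG = r"""set ssl parameter -denySSLReneg NONSECURE
bind ssl cipher GW_CIPHERS -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher GW_CIPHERS -cipherName TLS1-AES-128-CBC-SHA
add rewrite action rw_act_sts insert_http_header Strict-Transport-Security "\"max-age=31536000\""
add rewrite policy rw_pol_sts true rw_act_sts
set ssl vserver gw.example.com -dh ENABLED -dhFile "/nsconfig/ssl/dh2048.key" -dhCount 1000 -ssl3 DISABLED
bind ssl vserver gw.example.com -cipherName GW_CIPHERS
bind vpn vserver gw.example.com -policy rw_pol_sts -priority 100 -type RESPONSE
"""

def opts(args):
    """Collect '-flag value' pairs from a command's trailing arguments."""
    return {t: args[i + 1] for i, t in enumerate(args[:-1])
            if t.startswith("-") and not args[i + 1].startswith("-")}

def audit(config, vserver):
    """Return {check_name: bool} for the gateway vserver called `vserver`."""
    res = dict.fromkeys(["reneg_nonsecure", "ssl3_disabled", "dh_refresh_1000", "sts_bound"], False)
    groups, bound, sts_actions, sts_policies = {}, [], set(), set()
    for tok in filter(lambda t: len(t) > 3, map(shlex.split, config.splitlines())):
        cmd, name, args, o = " ".join(tok[:3]), tok[3], tok[3:], opts(tok[3:])
        if cmd == "set ssl parameter":
            res["reneg_nonsecure"] = o.get("-denySSLReneg") == "NONSECURE"
        elif cmd == "bind ssl cipher":
            groups.setdefault(name, set()).add(o.get("-cipherName"))
        elif cmd == "set ssl vserver" and name == vserver:
            res["ssl3_disabled"] = o.get("-ssl3") == "DISABLED"
            res["dh_refresh_1000"] = o.get("-dh") == "ENABLED" and "-dhFile" in o and o.get("-dhCount") == "1000"
        elif cmd == "bind ssl vserver" and name == vserver and "-cipherName" in o:
            bound.append(o["-cipherName"])
        elif cmd == "add rewrite action" and args[1:3] == ["insert_http_header", "Strict-Transport-Security"]:
            sts_actions.add(name)
        elif cmd == "add rewrite policy" and len(args) > 2 and args[2] in sts_actions:
            sts_policies.add(name)
        elif cmd == "bind vpn vserver" and name == vserver:
            res["sts_bound"] |= o.get("-policy") in sts_policies and o.get("-type") == "RESPONSE"
    # A group with no bind lines (e.g. the implicit DEFAULT group) stands for itself and fails.
    ciphers = set().union(*(groups.get(g, {g}) for g in bound))
    res["ciphers_approved"] = bool(ciphers) and ciphers <= APPROVED
    return res
```

Run `audit(SAMPLE_CONFIG, "gw.example.com")` against your own `show ns runningConfig` output to see which of the five checks still fail; a wizard-built gateway with DEFAULT ciphers and SSLv3 on fails two of them.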
So, let's test the NetScaler Gateway again.
Once you have a secure NetScaler Gateway you could leave it there. However, if, like me, you like to have all your NetScaler items named correctly, then the wizard will leave you feeling pretty bad about the state of your config.
To clean up, do the following:
Rename The NetScaler Gateway
Out of the box your NetScaler Gateway will be named _XD_IPADDRESSOFGATEWAY_443.
Find this under NetScaler Gateway – Virtual Servers. Right click and rename it to your external FQDN.
Session Policies
By default the wizard will create 2 policies for you: 1 for Receiver for Web and 1 for native Receiver. These can be found under NetScaler Gateway – Policies – Session.
NetScaler does not support renaming session policies, so to get this done you will have to create 2 new session profiles and 2 new session policies, bind them to the NetScaler Gateway and then delete the old ones.
TIP – To pre-fill the options in a session policy, or any other NetScaler object, put a tick in the policy you want to replicate and click Add. It will pre-fill all the options for you so you can just change the name!
Start with Session Profiles and create 2 new ones (one for Receiver for Web and one for native Receiver).
NOTE: The Receiver for Web profile and policy created by the wizard will start with PL_WB and AC_WB, and the native Receiver ones will start with PL_OS and AC_OS.
Next, do the same for the policies, picking the new profile that matches the policy you are working on.
Finally, open up your gateway, bind the new policies with a priority of 100, then remove the old ones from the NetScaler.
LDAP Authentication
If you use the wizard to create your LDAP policy it will be named IPADDRESS_LDAP, which again is not great for my OCD. NetScaler also does not allow you to rename LDAP policies, so we have to take the same approach as with the session policies.
Add a new LDAP server by going to System – Authentication – LDAP and selecting Servers.
Put a tick in your existing server, then click Add and give it the name you want.
NOTE: You will need to re-enter the bind password for the LDAP connection here.
Next, add the LDAP policy and pick your new server.
Finally bind that to your NetScaler Gateway and remove the old policy and profile from the NetScaler
That's it: how to take your wizard-built NetScaler Gateway up to a secure SSL Labs standard, as well as making the naming fit your needs.
One thing worth mentioning here is that when you rename the gateway it will no longer appear in the XenApp and XenDesktop section of the NetScaler, but who needs that when you have NetScaler MAS to hand to monitor everything :o)
Laters,
b@m