Citrix NetScaler: how to score A+ on SSLlabs.com the easy way!

Citrix netscaler

There has been a lot of talk recently, and rightly so, about the importance of securing your Citrix NetScaler. A popular site for testing how secure your NetScaler is is Qualys SSL Labs, which, once you enter your FQDN, gives you a graded report against various known vulnerabilities.

There are plenty of resources on the net explaining which features you need to enable and which you need to disable to secure your NetScaler against the common exploits, but if only there was an easy way to jump from that initial C rating straight to A+…

I have tested this across several Citrix NetScaler 10.5 and 11 firmware releases, so you should not have any problems running the script against yours. As usual, make sure you have saved and backed up your config before applying anything new to a NetScaler, including this script (and, as usual, test it before deploying to production equipment).

UPDATE: Please see this post HERE for the A+ script for NetScaler 11.1 firmware.

All you need to do is change a couple of variables and run the script through PuTTY or the NetScaler console.

Variables
%vServer%: change this to match the VIP name of your Access Gateway virtual server. There are six instances of it within the script, so do a find and replace and save yourself even more time!

bind ssl vserver %vServer% -cipherName "VPX_Group %OR% MPX_Group": within this line, choose the cipher group you wish to bind, depending on whether you have a VPX (virtual) or MPX (physical) device.

Once you have run the script, go to Qualys SSL Labs and run the test again. You should find that you now score A+. That wasn't so hard, was it?

Script

set ssl vserver %vServer% -ssl3 disabled -tls11 enabled -tls12 enabled

create ssl dhparam DH-Key 2048 -gen 2
set ssl vserver %vServer% -dh ENABLED -dhFile "/nsconfig/ssl/DH-Key" -dhCount 1000 -eRSA DISABLED

add ssl cipher "MPX_Group"
add ssl cipher "VPX_Group"
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES-256-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES-128-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName SSL3-DES-CBC3-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher "VPX_Group" -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName SSL3-DES-CBC3-SHA

unbind ssl vserver %vServer% -cipherName ALL
bind ssl vserver %vServer% -cipherName "VPX_Group %OR% MPX_Group"
bind ssl vserver %vServer% -eccCurveName ALL

add rewrite action act_sts_header insert_http_header Strict-Transport-Security q/"\"max-age=157680000\""/
add rewrite policy pol_sts_force true act_sts_header
bind vpn vserver %vServer% -policy pol_sts_force -priority 100 -gotoPriorityExpression END -type RESPONSE
End Of Script
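Added example, not part of the original post or any Citrix tooling: a small Python review script that parses the bind ssl cipher lines of a script like the one above and flags, per cipher group, the suites without forward secrecy, the 3DES suites, and whether the group has no AEAD (GCM) suite at all. It embeds the post's VPX_Group lines as constructed sample input and assumes the group names are quoted with straight or curly quotes.

```python
"""Review the cipher groups a NetScaler 'bind ssl cipher' script builds."""
import re
from collections import defaultdict

# Constructed sample: the VPX_Group lines from the post's script, straight quotes.
SCRIPT = """
add ssl cipher "VPX_Group"
bind ssl cipher "VPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher "VPX_Group" -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName SSL3-DES-CBC3-SHA
"""
# Group name may carry straight or curly quotes when copied from a blog post.
BIND_RE = re.compile(r'^bind ssl cipher\s+["“”]?([\w-]+)["“”]?\s+-cipherName\s+(\S+)', re.M)

def parse_cipher_groups(script):
    """Map each cipher group name to the cipher names bound to it, in order."""
    groups = defaultdict(list)
    for group, cipher in BIND_RE.findall(script):
        groups[group].append(cipher)
    return dict(groups)

def classify(cipher):
    """Tag a NetScaler cipher name by its security-relevant properties."""
    tags = set()
    # (EC)DHE key exchange gives forward secrecy; static RSA key exchange does not.
    tags.add("pfs" if "DHE" in cipher else "no-pfs")
    # Only the GCM suites are AEAD; every other suite named here is CBC mode.
    tags.add("aead" if "GCM" in cipher else "cbc")
    if "-DSS-" in cipher:
        tags.add("dss")          # needs a DSA certificate, never negotiated with an RSA cert
    if "DES-CBC3" in cipher:
        tags.add("3des")         # triple-DES, a 64-bit block cipher
    return tags

def review_group(ciphers):
    """Summarise the weaker entries in one cipher group for a config review."""
    return {
        "total": len(ciphers),
        "no_pfs": [c for c in ciphers if "no-pfs" in classify(c)],
        "three_des": [c for c in ciphers if "3des" in classify(c)],
        "cbc_only": all("cbc" in classify(c) for c in ciphers),
    }

if __name__ == "__main__":
    for name, ciphers in parse_cipher_groups(SCRIPT).items():
        print(name, review_group(ciphers))
```

Paste the MPX_Group lines into SCRIPT (or read the whole script from a file) to compare both groups side by side before deciding which one to bind.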
Author: Dale Scriven