So I’ve written previously a script (HERE) that allows you to easily tighten security on your Citrix NetScaler and score that all important A+ rating on Qualsys’s SSLlabs.com. This script has worked fine for a new revisions of the Citrix NetScaler that was up until firmware the new 11.1 release.

Running the old script on SSLlabs.com on Citrix NetScaler 11.1 now gets you a year A- rating and while thats still pretty good we know we can do better.

This script has been updated to utilise the SSL profile feature a little more within the NetScaler Gateway component.

As before there are a number of variables to change within the script to match your environment.

%NSG_NAME% you will need to find and replace all instances of this with the name of your NetScaler Gateway VIP.

%PUBLIC_IP% you’ll need to substitute this for your external public IP such as 208.67.222.231 or similar

%GROUP% this one will have to be changed to either show VPX_GROUP or MPX_GROUP depending on which NetScaler appliance you are running this against.

 

Once you have changed the variables fire up a putty session and copy and paste the script into the ssh session. Now obviously being a script and publicly available you need to test it within your environment to ensure compatibility and I cannot take responsibility etc for any failures of the script but it has worked perfectly in my numerous tests so you shouldn’t have any issues either.

 

set ssl vserver %NSG_NAME% -ssl3 disabled -tls11 enabled -tls12 enabled

create ssl dhparam DH-Key 2048 -gen 2

add ssl cipher “MPX_Group”
add ssl cipher “VPX_Group”
bind ssl cipher “MPX_Group” -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl cipher “MPX_Group” -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
bind ssl cipher “MPX_Group” -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher “MPX_Group” -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher “MPX_Group” -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA
bind ssl cipher “MPX_Group” -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher “MPX_Group” -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher “MPX_Group” -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl cipher “MPX_Group” -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl cipher “MPX_Group” -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher “MPX_Group” -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher “MPX_Group” -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher “MPX_Group” -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher “MPX_Group” -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher “MPX_Group” -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher “MPX_Group” -cipherName TLS1.2-AES-256-SHA256
bind ssl cipher “MPX_Group” -cipherName TLS1.2-AES-128-SHA256
bind ssl cipher “MPX_Group” -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher “MPX_Group” -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl cipher “MPX_Group” -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher “MPX_Group” -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher “MPX_Group” -cipherName SSL3-DES-CBC3-SHA
bind ssl cipher “VPX_Group” -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher “VPX_Group” -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher “VPX_Group” -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher “VPX_Group” -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher “VPX_Group” -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher “VPX_Group” -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher “VPX_Group” -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher “VPX_Group” -cipherName SSL3-DES-CBC3-SHA

unbind ssl vserver %NSG_NAME% -cipherName ALL
bind ssl vserver %NSG_NAME% -cipherName VPX_Group
bind ssl vserver %NSG_NAME% -eccCurveName ALL

add rewrite action act_sts_header insert_http_header Strict-Transport-Security “\”max-age=157680000\””
add rewrite policy pol_sts_force true act_sts_header
bind vpn vserver %NSG_NAME% -policy pol_sts_force -priority 100 -gotoPriorityExpression END -type RESPONSE

set ssl parameter defaultProfile e
add ssl profile ssl-reneg -dh ENABLED -dhFile “/nsconfig/ssl/DH-Key” -eRSA DISABLED -sessReuse ENABLED -sessTimeout 120 -denySSLReneg NONSECURE
set ssl vserver %NSG_NAME% -sslProfile ssl-reneg
add certAction ca1 -twoFactor ON
add certPolicy cp1 ns_true ca1
add authorization policy certauthorize “REQ.SSL.CLIENT.CERT EXISTS && REQ.IP.DESTIP == %PUBLIC_IP%” ALLOW
unbind ssl profile ssl-reneg -cipherName All
bind ssl profile ssl-reneg -eccCurveName P_256
bind ssl profile ssl-reneg -eccCurveName P_384
bind ssl profile ssl-reneg -eccCurveName P_224
bind ssl profile ssl-reneg -eccCurveName P_521
bind ssl profile ssl-reneg -cipherName %VPX_Group% -cipherPriority 1

 

 

Once the script has run then head over to SSLLabs.com and test your site you should now find you get a lovely healthy looking A+ rating.

 

Author: Dale Scriven

 

 

Tagged with:
 

One Response to Score an A+ on SSLlabs.com with Citrix NetScaler 11.1

  1. […] Please see this post HERE for the A+ script for NetScaler 11.1 firmware […]

Leave a Reply

Set your Twitter account name in your settings to use the TwitterBar Section.
%d bloggers like this: