Netscaler VPX A(+) rating on SSL Labs

June 29, 2015

NetScaler

With the recent (and ongoing?) stream of vulnerabilities in SSL/TLS and the software around it, a good rating on the SSL Labs Server Test matters more than ever.

I'm not the first to write a blog post on the subject either. There was even one on the official Citrix Blog pages:

http://blogs.citrix.com/2015/05/22/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-the-sequel/

And I would not dare to forget the post by the new CTP Anton van Pelt:

http://www.antonvanpelt.com/make-your-netscaler-ssl-vips-more-secure-updated/

So, why bother to make my own blogpost anyway?

First of all, I'm focusing on the VPX platform only. The VPX needs its own cipher list, because it does not support every cipher that the MPX hardware appliances do.

Before I move on, a quick heads-up: if your certificate is not yet SHA-2 signed, you are limited to an "A" rating. Once you renew the certificate you will be on SHA-2 and able to score the "A+". I'm emphasising this because I was still using a SHA-1 certificate on my VPX; the SHA-2 renewal is in the works. That is why my screenshots show "A" and not "A+".

So I'm focusing on VPX only, but even then, why bother? Well, if you read the comments on both posts you'll see some confusion, to say the least: confusion about the setup for VPX, confusion about why some results don't match, and more. But that's not all. There is a difference between scoring an A/A+ on the SSL Labs test, and scoring an A/A+ with a setup that still works on all of your endpoints.

Let's be brutally honest here, and I mean no disrespect to the other writers: getting the A rating is not that difficult at all. Disable 99% of the ciphers, keep only the super-secure one(s), and you will score A/A+. But your users and customers wouldn't be happy at all, because the vast majority of them would no longer be able to connect: their clients simply don't support the few ciphers that are left.

I built this configuration for an environment with a mix of XenApp 7.6, 6.5 and even 4.5 servers, so I'm fairly confident it will work in your environment too.

Here we go.

Step 1.

Upgrade to 10.5 build 57.7

Step 2.

Create a Diffie-Hellman parameter file (needed for Perfect Forward Secrecy with the DHE cipher suites). Use 2048 bits: SSL Labs penalises 1024-bit DH groups, and generating the file takes a while on a VPX, so be patient.

screenshot 1


screenshot 2

Step 3.

Disable SSLv3 and enable TLS 1.2. The protocol settings on the Access Gateway vServer should look like this:

screenshot 3

You can find this on the SSL parameters section of your Access Gateway vServer.

Step 4.

On the same screen, enable DH Param by selecting the .key file generated in step 2.

screenshot 4

Step 5.

This is the tricky one. The goal is to get every cipher you need, applied in the correct order (the order of the list is the order in which the NetScaler prefers them). I chose to change the default cipher group rather than creating a new one. This is my cipher list:

screenshot 5

screenshot 6

Yes, I know SSLv3 is disabled, but you still need the SSL3-named cipher present. On the NetScaler the SSL3- prefix only tells you in which protocol version the suite was introduced; the same suite is offered under TLS 1.0 as well, and that is what the older clients negotiate.

Oh, and if you get this error:

screenshot 7

You can ignore it (see http://support.citrix.com/article/CTX135519).

Step 6.

Make sure your vserver can only be reached over HTTPS, not plain HTTP: redirect port 80 to HTTPS (on the NetScaler that is a responder policy or a redirect URL, not a rewrite policy), and use a rewrite policy to add a Strict-Transport-Security response header so browsers stop trying HTTP at all.
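To show how the six steps fit together, here is the NetScaler CLI equivalent of steps 2 to 6, as an added example; it is not the author's configuration (the author's cipher list exists only in the screenshots) and not Citrix documentation. Assumptions: the Gateway VPN vserver is called vpn_gateway on VIP 203.0.113.10, the DH file is /nsconfig/ssl/dhkey2048.key, the cipher group vpx_secure_ciphers is an illustrative list built from DHE suites (which a 10.5 VPX supports) rather than ECDHE (which it does not), and the HTTP-to-HTTPS redirect and the HSTS header are done with a responder policy and a rewrite policy respectively, because the rewrite feature cannot redirect. Check every cipher name against `show ssl cipher` on your own build, and verify the option names on your release before pasting.

```nscli
# Added example: NetScaler CLI for steps 2-6. Names, IPs and the cipher list are
# assumptions, not the author's configuration. Target: NetScaler VPX 10.5 build 57.7,
# Gateway vserver "vpn_gateway" on 203.0.113.10 (documentation address).

# Step 2: Diffie-Hellman parameters for the DHE suites (Perfect Forward Secrecy).
# 2048 bits, because SSL Labs penalises 1024-bit DH groups. Takes a while on a VPX.
create ssl dhparam /nsconfig/ssl/dhkey2048.key 2048 -gen 2

# Steps 3 and 4: protocol versions and DH parameters on the Gateway vserver.
# SSLv3 off; TLS 1.0/1.1 stay on for the older Receivers, TLS 1.2 on for modern ones.
set ssl vserver vpn_gateway -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED
set ssl vserver vpn_gateway -dh ENABLED -dhFile /nsconfig/ssl/dhkey2048.key

# Step 5: a dedicated cipher group instead of editing DEFAULT as the post does.
# Bind order = server preference order. DHE first (forward secrecy), then plain RSA
# suites for clients without DHE, 3DES last for the oldest clients. The SSL3- prefix
# is only the name: the suite is still offered under TLS 1.0 with SSLv3 disabled.
# ECDHE suites are not available on a 10.5 VPX, so forward secrecy comes from DHE.
add ssl cipher vpx_secure_ciphers
bind ssl cipher vpx_secure_ciphers -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl cipher vpx_secure_ciphers -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher vpx_secure_ciphers -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher vpx_secure_ciphers -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher vpx_secure_ciphers -cipherName TLS1.2-AES-256-SHA256
bind ssl cipher vpx_secure_ciphers -cipherName TLS1.2-AES-128-SHA256
bind ssl cipher vpx_secure_ciphers -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher vpx_secure_ciphers -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher vpx_secure_ciphers -cipherName SSL3-DES-CBC3-SHA
# "show ssl cipher vpx_secure_ciphers" lists the group; "show ssl cipher" lists what
# your build knows, so you can spot a name that does not exist on your release.
unbind ssl vserver vpn_gateway -cipherName DEFAULT
bind ssl vserver vpn_gateway -cipherName vpx_secure_ciphers

# Step 6a: plain HTTP on the same VIP gets a 301 to HTTPS. This needs a responder
# policy (rewrite cannot redirect). The LB vserver must be UP to process traffic, so
# bind a dummy service with health monitoring off (192.0.2.1 is a placeholder).
add service svc_always_up 192.0.2.1 HTTP 80 -healthMonitor NO
add lb vserver lb_gateway_http HTTP 203.0.113.10 80
bind lb vserver lb_gateway_http svc_always_up
add responder action rs_act_https_redirect redirect "\"https://\" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.PATH_AND_QUERY" -responseStatusCode 301
add responder policy rs_pol_https_redirect HTTP.REQ.IS_VALID rs_act_https_redirect
bind lb vserver lb_gateway_http -policyName rs_pol_https_redirect -priority 100 -gotoPriorityExpression END -type REQUEST

# Step 6b: HSTS header via a rewrite policy on the Gateway vserver. SSL Labs wants a
# max-age of at least 180 days (15552000 s) before it awards A+. Browsers cache the
# directive, so only enable it once the name will never need plain HTTP again.
add rewrite action rw_act_insert_hsts insert_http_header Strict-Transport-Security "\"max-age=15552000\""
add rewrite policy rw_pol_insert_hsts true rw_act_insert_hsts
bind vpn vserver vpn_gateway -policy rw_pol_insert_hsts -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

save ns config
```

Paste the lines one by one or run them from a file with `batch -f`, then rerun the SSL Labs test. If a legacy client stops connecting afterwards, compare the suites in its ClientHello (a packet capture will show them) against the group and add the missing suite at the end of the list, rather than re-enabling SSLv3.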

And the end result:

screenshot 8

That’s it. I’ve tested this setup with Citrix Receiver on iOS, Receiver on Android, Receiver for ChromeOS and, of course, “plain” Receiver for Windows.

Bart Jacobs


About Bart Jacobs

Bart Jacobs is a Senior System Engineer/Consultant based in Belgium. He started his career back in 1998. One of the first projects he worked on in those days was Citrix Metaframe 1.8 on Microsoft Windows NT 4 Terminal Server codename "Hydra". Over the years, Citrix technology has always been a major theme in his professional career, resulting in becoming a true technical expert in the matter. In the last few years, he has also become an expert in virtualization technology, with a special interest in a real challenger in this business: Citrix XenServer. Bart has founded his own company BJ IT back in 2007 and is mainly working as a (Citrix) consultant now.


5 Responses to “Netscaler VPX A(+) rating on SSL Labs”

  1. Peter N Says:

    I think the last step here getting an A+ is switching the SHA1 certificate to an SHA2 (SHA256).

    Regards, Peter


  2. Martin Santak Says:

    Hi Carl, great article. Helped me a lot in several customer environments. With the current Receiver 4.3 I am facing an SSL Error 4 / TLS 1.2 error (see also https://discussions.citrix.com/topic/366616-receiver-43-tls12-error/). Can you repro the issue as well? Best regards! m.


    • Anton van Pelt Says:

      Hi,

      Try to start with only disabling SSL3 and enabling TLS1, TLS1.1 and TLS1.2 on the NetScaler Gateway Virtual Server. You can also bind the SSL Cipher Group HIGH. This should result in an A- rating.

      Cheers,
      Anton


  3. Sven Says:

    Hi Bart,

    great article, but there is one more small thing for the "A+" rating: Strict Transport Security, which you can configure with a rewrite policy.

    http://blogs.citrix.com/2010/09/10/strict-transport-security-sts-or-hsts-with-citrix-netscaler-and-access-gateway-enterprise/

    Regards,
    Sven

