NetScaler Secure Deployment Guide - Citrix Docs


Citrix Systems, Inc.
Secure Deployment Guide for NetScaler MPX, VPX, and SDX Appliances
March 2018

Copyright and Trademark Notice and Disclaimers

2018 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, and other marks appearing herein are property of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered with the U.S. Patent and Trademark Office and in other countries. All other marks are the property of their respective owner(s).

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:
- Move the NetScaler equipment to one side or the other of your equipment.
- Move the NetScaler equipment farther away from your equipment.
- Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product.

BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.

The license to Citrix and third-party software delivered as part of Product(s) is identified in the relevant Product documentation as delivered with the Product(s).

Last Updated: March 2018

Novant

Table of Contents

Introduction to Best Practices for NetScaler MPX, VPX, and SDX Security ... 4
Deployment Guidelines ... 5
    Physical Security Best Practice ... 5
    NetScaler Appliance Security Best Practice ... 6
Configuration Guidelines ... 7
    Network Security ... 7
        Key Network Security Considerations ... 7
        Additional Network Security Considerations ... 8
        Securing Pass-through Traffic on the NetScaler Appliance by using the Infrastructure Mode Settings ... 11
    Administration and Management ... 15
        System and User Accounts ... 15
        Logging and Monitoring ... 20
        LOM Configuration ... 21
    Applications and Services ... 22
        DNSSec Security Recommendations ... 23
        Legacy configuration ... 24
    NetScaler Cryptographic Recommendations ... 25
        Managing TLS Certificates and Keys ... 25
        NetScaler-FIPS Recommendations ... 27
    Additional Features: App Firewall and Gateway ... 27
        Application Firewall Security Recommendations ... 27
        Application Firewall – Building Multiple Tiers of Security ... 28
        NetScaler Gateway Security Recommendations ... 30
Additional Information Resources ... 31

Introduction to Best Practices for NetScaler MPX, VPX, and SDX Security

A Citrix NetScaler MPX appliance is an application delivery controller that accelerates web sites, provides L4-7 traffic management, offers an integrated application firewall, and offloads servers. A Citrix NetScaler VPX instance is a virtual appliance that has all the features of a NetScaler MPX appliance, runs on standard servers, and provides higher availability for web applications including Citrix XenDesktop and XenApp. A Citrix NetScaler SDX appliance provides advanced virtualization for all the flexibility of VPX with the performance of MPX. Using MPX, VPX, and SDX, an organization can deploy the flex or true-multitenancy solution that optimizes your web-application delivery infrastructure by separating high-volume shared network services from processor-intensive, application-specific services. A NetScaler appliance also provides the seamless integration with Citrix OpenCloud Access that can extend the datacenter with the power of the Cloud.

To maintain security through the deployment lifecycle, Citrix recommends reviewing the following considerations for:
- Physical Security
- Appliance Security
- Network Security
- Administration and Management

Note that different deployments might require different security considerations. This document provides general security guidance to help you decide on an appropriate secure deployment based on your specific security requirements.

Deployment Guidelines

When deploying a Citrix NetScaler, you should consider the following physical and appliance security best practices:

Physical Security Best Practice

Deploy the NetScaler appliance in a secure location
The NetScaler appliances should be deployed in a secure location with sufficient physical access controls to protect the appliances from unauthorized access. At the minimum, access to the server room should be controlled with a lock, electronic card reader, or other similar physical methods.
Additional measures can include the use of an electronic surveillance system, for example CCTV, to continuously monitor the activity of the room. In the event of an unauthorized intrusion, the output from this system should notify security personnel. In the case of CCTV, the recorded footage will be available for audit purposes.

Secure access to the appliance front panel and console port
The NetScaler appliance or VPX hosting server should be deployed in a rack or cage that can be locked with a suitable key, or other physical methods. This will prevent access to the physical ports of the NetScaler appliance or, in the case of a VPX deployment, the virtualization host console.

Power Supply Protection
The NetScaler appliance (or hosting server) should be protected with a suitable uninterruptible power supply (UPS). In the event of a power outage, this will ensure continued operation of the appliance, or allow controlled shutdown of physical or virtual NetScalers. The use of a UPS will also aid in the protection against power spikes.

Cryptographic key protection
If additional protection is required for the cryptographic keys in your deployment, consider use of a FIPS 140-2 Level 2 compliant appliance. The FIPS platform uses a hardware security module to protect critical cryptographic keys in the appliance from unauthorized access.

NetScaler Appliance Security Best Practice

Perform appliance software updates
Citrix strongly recommends that, prior to deployment, customers ensure their appliances have been updated with the latest firmware versions. When carried out remotely, Citrix recommends that customers use a secure protocol, such as SFTP or HTTPS, to upgrade the appliance.
Customers are also strongly advised to review security bulletins that relate to their Citrix products. For information on new and updated security bulletins, please refer to the Citrix Security Bulletins web page (https://support.citrix.com/securitybulletins) and consider signing up for alerts on new and updated bulletins.

Secure the operating system of servers hosting a NetScaler VPX appliance
A NetScaler VPX appliance can run either as a virtual appliance on a standard virtualization server or as a virtual appliance on a NetScaler SDX.
In addition to applying normal physical security procedures, you should protect access to the virtualization host with role-based access control and strong password management. Additionally, the server should be updated with the latest security patches for the operating system when they become available, and up-to-date antivirus software should be deployed on the server, if applicable to the type of virtualization. Customers using the NetScaler SDX platform to host NetScaler VPX should ensure that they are using the latest firmware version for their NetScaler SDX.

Reset the NetScaler Lights Out Management (LOM)
Citrix recommends that, before configuring the LOM for use in a production deployment, you perform a factory reset of the LOM to restore the default settings.
1. At the NetScaler shell prompt, run the following command:
   ipmitool raw 0x30 0x41 0x1
   Note: Running the above command resets the LOM to the factory default settings and deletes all the SSL certificates. For instructions on how to reconfigure the LOM port, please refer to the following: -management-portlom.html
2. In the LOM GUI, navigate to Configuration > SSL Certification, and add a new certificate and private key.

Additionally, Citrix strongly recommends that the following user configuration is carried out. Using the LOM GUI:
- Navigate to Configuration > Users > Modify User and change the password of the nsroot superuser account.
- Navigate to Configuration > Users > Modify User and create policies for, or bind existing policies to, the users.
- Navigate to Configuration > IP Access Control > Add and configure the IP access control to allow access to the known range of IP addresses.
- Navigate to Configuration > Users > Modify User, create an alternative superuser account and bind policies to this account.
For more details about LOM configuration, see LOM Configuration.

Maintenance and removal of persistent data
In the event that a NetScaler is redeployed to another environment, decommissioned, or returned to Citrix under RMA, you should ensure that persistent data is correctly removed from the appliance.
For more information about this process, see the following FAQ:

Configuration Guidelines

Network Security

When deploying a NetScaler appliance to a production environment, Citrix strongly recommends that the following key configuration changes are made:
- The NetScaler administrator interface (NSIP) should not be exposed to the Internet.
- The NetScaler default SSL certificate should be replaced.
- HTTPS (HTTP over TLS) should be used when accessing the GUI and the default HTTP interface disabled.
The following section provides more information on these key considerations, in addition to further changes that are recommended.

Key Network Security Considerations

Do not expose the NSIP to the Internet
Citrix strongly recommends that the NetScaler Management IP (NSIP) is not exposed to the public Internet and is deployed behind an appropriate Stateful Packet Inspection (SPI) firewall.

Replace the NetScaler Default TLS Certificate
During the initial configuration of a NetScaler appliance, default TLS certificates are created. These are not intended for use in production deployments and should be replaced.
Citrix recommends that customers configure the NetScaler appliance to use certificates either from a reputable Certificate Authority (CA) or appropriate certificates from your enterprise CA.
When bound to a public-facing virtual server, a valid TLS certificate from a reputable CA simplifies the user experience for Internet-facing web applications; user web browsers require no user interaction when initiating secure communication with the web server. To replace the default NetScaler certificate with a trusted CA certificate, see Knowledge Center article CTX122521: “How to Replace the Default Certificate of a NetScaler Appliance with a Trusted CA Certificate that Matches the Hostname of the Appliance.”
Alternatively, it is possible to create and use custom TLS certificates and private keys. While this can provide an equivalent level of transport layer security, it requires the TLS certificates to be distributed to users and will require user interaction when initiating connections to the web server. For more information on how to create custom certificates, see Knowledge Center article CTX121617: “How to Create and Install Self-Signed Certificates on NetScaler Appliance”.
More information on TLS certificate management and configuration can be found in the “NetScaler TLS Recommendations” section of this guide.

Disable HTTP access to the Administrator Interface
To protect traffic to the NetScaler administrative interface and GUI, the NetScaler appliance should be configured to use HTTPS. This can be accomplished with the following steps:
- Create a 2048-bit or greater RSA private and public key pair and use the keys for HTTPS and SSH access to the NetScaler IP address, replacing the factory-provisioned 512-bit RSA private and public key pair.
- Configure the appliance to use only strong cipher suites and change the ‘DEFAULT’ set of cipher suites to reflect this on the appliance. It is recommended that you use the list of approved TLS cipher suites in section 3.3 of NIST Special Publication 800-52 (Revision 1) as guidance. This document can be found on the NIST website at the following address: y-tlsimplementations?pub id 915295
- Configure the appliance to use SSH public key authentication to access the administrator interface. Do not use the NetScaler default keys. Create and use your own 2048-bit RSA private and public key pair. For more information, see Knowledge Center article CTX109011: How to Secure SSH Access to the NetScaler Appliance with Public Key Authentication.
- Once the NetScaler has been configured to use these new certificates, HTTP access to the GUI management interface can be disabled with the following command:
  set ns ip <NSIP> -gui SECUREONLY
For more information on how to configure secure access to the Administration GUI, see the Knowledge Center article CTX111531: “How to Enable Secure Access to NetScaler GUI Using the SNIP/MIP Address of the Appliance.”

Additional Network Security Considerations
The following additional network-related security considerations should also be taken into account when deploying your NetScaler appliances:

Disable SSH Port Forwarding
SSH Port Forwarding is not required by the NetScaler appliance. If you do not wish to use this functionality, then Citrix recommends that you disable it using the following steps:
1. Edit the /etc/sshd_config file by adding the following line:
   AllowTcpForwarding no
2. Save the file and copy it to /nsconfig so that the change persists across reboots. Make sshd reload its configuration by sending it SIGHUP (kill -SIGHUP <sshd pid>), or restart the system.

Configure the NetScaler appliance with High Availability
In deployments where continuous operation is required, the NetScaler appliances can be deployed in a high availability setup. Such a setup provides continued operation if one of the appliances stops functioning or requires an offline upgrade. For information on how to configure a high availability setup, see the High Availability > Configuring High Availability topic on Citrix Docs and Knowledge Center article CTX116748: How to Set Up a High Availability Pair on NetScaler.
In deployments where high availability is not required, this feature should be disabled.

Set up secure communication between peer appliances
If you have configured your NetScaler appliances in a high availability or GSLB setup, secure the communication between the appliances.
To secure communication between the appliances, perform the following procedure on each appliance:
1. In the configuration utility’s navigation pane, expand the Network node.
2. Select the RPC node.
3. On the RPC page, select the IP address.
4. Click Open.
5. Type the password in the Password and Confirm Password fields.
6. Select the Secure option on the Configure RPC node dialog box.
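The network-security items above (GUI restricted to HTTPS on management addresses, the factory certificate replaced, AllowTcpForwarding turned off and persisted under /nsconfig) plus the note further on about disabling the internal user login can be turned into an offline audit of a saved ns.conf and sshd_config. The script below is an added example, not code from the guide or from Citrix. The ns.conf and sshd_config excerpts are constructed samples; the factory certkey name "ns-server-certificate" and the ENABLED defaults for -gui and the internal user login are assumptions made by the example.

```python
"""Audit a saved NetScaler ns.conf and the /nsconfig copy of sshd_config
against the hardening items in this section.  Added example, not Citrix code.

Checks performed:
  * management addresses (the NSIP, or any IP with -mgmtAccess ENABLED)
    must have -gui SECUREONLY, so the GUI is reachable over HTTPS only;
  * no SSL vserver may still be bound to the factory certificate
    (assumed to carry the certkey name "ns-server-certificate");
  * the internal user login must be explicitly DISABLED;
  * sshd_config must carry an active "AllowTcpForwarding no".
All sample inputs below are constructed for the demo.
"""
import shlex

DEFAULT_CERTKEY = "ns-server-certificate"   # assumed factory certkey name

# Constructed ns.conf excerpt: NSIP still HTTP-reachable, internal login on,
# one vserver on the factory certificate, one SNIP already hardened.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set ns ip 192.0.2.10 255.255.255.0 -gui ENABLED -ssh ENABLED
add ns ip 192.0.2.20 255.255.255.0 -type SNIP -mgmtAccess ENABLED -gui SECUREONLY
set ns param -internaluserlogin ENABLED
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
add ssl certKey web-cert -cert web.cert -key web.key
bind ssl vserver lb_vs_web -certkeyName ns-server-certificate
bind ssl vserver lb_vs_api -certkeyName web-cert
"""

# Constructed sshd_config excerpts: the directive commented out, then active.
SAMPLE_SSHD_CONFIG = "Port 22\n#AllowTcpForwarding no\nSubsystem sftp /usr/libexec/sftp-server\n"
HARDENED_SSHD_CONFIG = "Port 22\nAllowTcpForwarding no\nSubsystem sftp /usr/libexec/sftp-server\n"


def parse_options(tokens):
    """Map '-name value' pairs to {'name': 'value'}; option names are case-insensitive."""
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tok[1:].lower()] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts


def audit_ns_conf(text):
    """Return a list of findings (empty when every check passes)."""
    findings = []
    nsip = None
    internal_login = "ENABLED"          # appliance default, assumed
    ip_entries = []                     # (address, options) from set/add ns ip
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        verb = " ".join(tokens[:3]).lower()
        if verb == "set ns config":
            nsip = parse_options(tokens[3:]).get("ipaddress")
        elif verb in ("set ns ip", "add ns ip") and len(tokens) > 3:
            ip_entries.append((tokens[3], parse_options(tokens[4:])))
        elif verb == "set ns param":
            internal_login = parse_options(tokens[3:]).get("internaluserlogin", internal_login)
        elif verb == "bind ssl vserver" and len(tokens) > 3:
            cert = parse_options(tokens[4:]).get("certkeyname", "")
            if cert.lower() == DEFAULT_CERTKEY:
                findings.append(f"vserver {tokens[3]} is bound to the default certificate {cert}")
    for addr, opts in ip_entries:
        if addr != nsip and opts.get("mgmtaccess", "DISABLED").upper() != "ENABLED":
            continue                    # not a management address, GUI mode irrelevant
        gui = opts.get("gui", "ENABLED").upper()   # ENABLED assumed as the default
        if gui != "SECUREONLY":
            findings.append(f"{addr}: GUI reachable over HTTP (-gui {gui}); "
                            f"fix: set ns ip {addr} -gui SECUREONLY")
    if internal_login.upper() != "DISABLED":
        findings.append("internal user login is not disabled; "
                        "fix: set ns param -internaluserlogin DISABLED")
    return findings


def audit_sshd_config(text):
    """Flag an sshd_config that does not actively set AllowTcpForwarding no."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(parts) >= 2 and parts[0].lower() == "allowtcpforwarding":
            if parts[1].lower() == "no":
                return []
            return [f"AllowTcpForwarding is '{parts[1]}'; set it to no"]   # sshd uses the first value
    return ["AllowTcpForwarding is not set; add 'AllowTcpForwarding no' and copy the file to /nsconfig"]


if __name__ == "__main__":
    for finding in audit_ns_conf(SAMPLE_NS_CONF) + audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
    print("hardened sshd_config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Feed it a copy of /nsconfig/ns.conf and /nsconfig/sshd_config pulled over SFTP rather than running it on the appliance; the checks are deliberately conservative, so an address whose -gui option is absent is reported as HTTP-reachable until the line states SECUREONLY explicitly.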

The NetScaler appliance features can also use SSH key based authentication for internal communication when the internal user is disabled. In such cases, the key name must be set as "ns_comm_key". For more information, see Accessing a NetScaler by Using SSH Keys and No Password.
Note: It is recommended that you disable the internal user account (by using the set ns param -internaluserlogin DISABLED command).

Configure Network Security Domains and VLANs
Citrix strongly recommends that network traffic to the NetScaler appliance’s management interface is separated, either physically or logically, from normal network traffic. The recommended best practice is to have three VLANs:
- Outside Internet VLAN
- Management VLAN
- Inside server VLAN
Citrix recommends configuring the network to make the LOM port part of the management VLAN.
When deploying a NetScaler appliance in two-arm mode, dedicate a specific port to a specific network. If VLAN tagginga
