Support for nShield Connect hardware security module (HSM)

A non-FIPS Citrix ADC appliance stores the server’s private key on the hard disk. On a FIPS appliance, the key is stored in a cryptographic module known as the HSM. Storing a key in the HSM protects it from physical and software attacks. In addition, the keys are encrypted by using special FIPS approved ciphers.

Only the Citrix ADC MPX 9700/10500/12500/15500 FIPS appliances support a FIPS card. Support for FIPS is not available on other MPX appliances, or on the SDX and VPX appliances. This limitation is addressed by supporting a nShield Connect external HSM on all Citrix ADC MPX, SDX, and VPX appliances except the MPX 9700/10500/12500/15500 FIPS appliances.

nShield® Connect is an external FIPS-certified network-attached HSM. With an nShield HSM, the keys are securely stored as application key tokens on a remote file server (RFS) and can be reconstituted inside the nShield HSM only.

If you are already using a nShield HSM, you can now use a Citrix ADC to optimize, secure, and control the delivery of all enterprise and cloud services.


  • nShield HSMs comply with FIPS 140-2 Level 3 specifications, while the MPX FIPS appliances comply with level 2 specifications.
  • You cannot decrypt the trace while using the nShield HSM. Only the hardserver can read the response from the HSM to the Citrix ADC appliance, because it is encrypted.

Supported versions matrix

Citrix ADC Version nShield Client Version Hardserver Version nShield Firmware Version
10.5e, 11.0, 11.1, 12.0, 12.1 11.70, 11.72 2.71.2 2.50.16, 2.51.10
Support for nShield Connect hardware security module (HSM)