Best practices for NetScaler Console security

NetScaler Console is a centralized management solution that simplifies operations by providing administrators with enterprise-wide visibility and automating management jobs that need to be run across multiple instances. You can manage and monitor NetScaler products that include NetScaler MPX, NetScaler VPX, NetScaler SDX, NetScaler CPX, and NetScaler Gateway. You can use NetScaler Console to manage, monitor, and troubleshoot the entire global application delivery infrastructure from a single, unified console.

NetScaler Console is a virtual appliance that runs on Citrix XenServer, VMware ESXi, and Linux KVM. NetScaler Console addresses the application visibility challenge by collecting the following detailed information about web-application and virtual-desktop traffic:

  • User-session-level information

  • Webpage performance data

  • Database information

NetScaler Console collects this information as it flows through the NetScaler instances at your site and provides actionable reports.

NetScaler Console enables IT administrators to troubleshoot and proactively monitor customer issues in a matter of minutes.

To maintain security through the deployment lifecycle, we recommend the following considerations:

Do not expose the NetScaler Console IP address and NetScaler agent IP address to the Internet

We recommend that the NetScaler Console IP address and NetScaler agent IP address are not exposed to the public Internet and are deployed behind an appropriate stateful packet inspection (SPI) firewall.

Strong password for system user

We recommend using a strong password for system user accounts created in NetScaler Console. Examples of password complexity requirements are as follows:

  • The password must have a minimum length of eight characters.
  • The password must not contain dictionary words or a combination of dictionary words.
  • The password must include at least one uppercase letter, one lowercase letter, one number, and one special character.

To set a minimum password length using NetScaler Console:

  1. Navigate to Settings > Users & Roles.
  2. In the User Administration page, click Settings on the right.
  3. Select Enable Password Complexity.
  4. In the Password Policy page, specify the minimum password length as 8.
  5. Click OK.
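
The example complexity requirements listed above can be checked against candidate passwords before accounts are created. The following Python check is an added example, not NetScaler Console code; the word list, the four-letter threshold for a dictionary word, and the function names are assumptions made for illustration.

```python
import string

# Assumed values: the page gives 8 as the minimum length; the word list and
# the 4-letter threshold for a "dictionary word" are constructed for this example.
MIN_LENGTH = 8
MIN_WORD_LEN = 4
SAMPLE_WORDS = {"password", "admin", "netscaler", "console", "welcome", "citrix"}


def policy_violations(password, words=SAMPLE_WORDS, min_length=MIN_LENGTH):
    """Return a list of the example complexity rules that `password` breaks."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)

    # Character-class rule: upper, lower, digit and special must all appear.
    classes = {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    problems += ["missing " + name for name, ok in classes.items() if not ok]

    # Dictionary rule: a word embedded anywhere counts, so a combination of
    # words is caught as soon as one of its parts matches.
    lowered = password.lower()
    hits = sorted(w for w in words if len(w) >= MIN_WORD_LEN and w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def audit(candidates):
    """Map each rejected candidate to its violations; compliant ones are omitted."""
    report = {}
    for pw in candidates:
        found = policy_violations(pw)
        if found:
            report[pw] = found
    return report


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw, why in audit(["Admin123!", "tR7#qLz9", "kx4$vbn", "Zq8!mv2@Lp"]).items():
        print(pw, "->", "; ".join(why))
```

In practice, replace the sample word list with a full dictionary file that includes organization-specific terms such as product and site names.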

Change the default certificate

During the initial configuration of NetScaler Console, the default TLS certificates are created. These certificates are not intended for use in production deployments and must be replaced.

We recommend that you configure NetScaler Console to use certificates either from a reputable Certificate Authority (CA) or appropriate certificates from your enterprise Certificate Authority. For more information, see Install SSL certificates.

To install an SSL certificate on NetScaler Console:

  1. Navigate to Settings > Administration.
  2. Under SSL Settings, click Install SSL Certificate.
  3. In the Install SSL Certificate on Console page, select the certificate and key files and optionally specify a password if the private key is encrypted.
  4. Click OK.

Disable local authentication

When external authentication is configured on NetScaler Console and, as an admin, you want to deny local system users management access, you must disable local authentication. For more information, see Enable external authentication.

Note:

An external server must be configured.

To disable local authentication:

  1. Navigate to Settings > Authentication.
  2. On the Authentication page, click Settings.
  3. On the Authentication Settings page, in Server Type select EXTERNAL.
  4. Click Insert, and on the External Servers page, select one or multiple authentication servers to cascade.
  5. Clear Enable fallback local authentication to disable local authentication.
  6. Click OK.