Deployment guidelines

When deploying a NetScaler, consider the following physical and appliance security best practices:

Physical security best practices

Deploy the NetScaler appliance in a secure location

NetScaler appliances must be deployed in a secure location with sufficient physical access controls to protect them from unauthorized access. At a minimum, access to the server room must be controlled with a lock, electronic card reader, or a similar physical method.

Other measures can include an electronic surveillance system, for example CCTV, to continuously monitor activity in the room. In the event of an unauthorized intrusion, the output from this system must alert security personnel. Where CCTV is used, retain the recorded footage so that it is available for audit purposes.

Secure access to NetScaler front panel and console port

The NetScaler appliance, or the server hosting a NetScaler VPX, must be deployed in a rack or cage that can be locked with a suitable key or other physical method. Locking prevents access to the physical ports of the NetScaler or, in a VPX deployment, to the virtualization host console.

Power supply protection

NetScaler (or hosting server) must be protected with a suitable uninterruptible power supply. In the event of a power outage, the uninterruptible power supply ensures continued operation of NetScaler, or allows a controlled shutdown of a physical or virtual NetScaler. The use of an uninterruptible power supply also aids in the protection against power spikes.

Cryptographic key protection

If extra protection is required for the cryptographic keys in your deployment, consider the use of a FIPS 140-2 Level 2 compliant NetScaler. The FIPS platform uses a hardware security module to protect critical cryptographic keys in NetScaler from unauthorized access.

NetScaler security best practice

Perform NetScaler software updates

We recommend that, before deployment, customers ensure that their NetScaler has been updated with the latest firmware versions. When carried out remotely, we recommend that customers use a secure protocol, such as SFTP or HTTPS, to upgrade NetScaler.

Customers are also advised to review the security bulletins that relate to their NetScaler products. For information about new and updated security bulletins, see the NetScaler Security Bulletins webpage https://support.citrix.com/knowledge-center/search#/ and consider signing up for alerts for new and updated bulletins at https://support.citrix.com/user/alerts.

Secure the operating system of servers hosting NetScaler VPX

NetScaler VPX can run either as a virtual appliance on a standard virtualization server or as a virtual appliance on NetScaler SDX.

In addition to applying normal physical security procedures, you must protect access to the virtualization host with role-based access control and strong password management. The host must also be updated with the latest operating system security patches as they become available, and up-to-date antivirus software must be deployed on it where applicable to the type of virtualization. Customers using the NetScaler SDX platform to host NetScaler VPX must ensure that they are running the latest firmware version on their NetScaler SDX.

Reset the NetScaler lights out management (LOM)

We recommend that, before configuring the LOM for use in a production deployment, you perform a factory reset of the LOM to restore the default settings.

  1. At the NetScaler shell prompt, run the following command:

    ```
    >ipmitool raw 0x30 0x41 0x1
    ```


    Note:

    Running this command resets the LOM to the factory default settings and deletes all the SSL certificates. For instructions on how to reconfigure the LOM port, see Lights out management port of the NetScaler MPX appliance.

  2. In the LOM GUI, navigate to Configuration > SSL Certification, and add a certificate and private key.

    Also, we recommend that the following user configuration is carried out using the LOM GUI:

    • Navigate to Configuration > Users > Modify User, and change the password of the nsroot superuser account.
    • Navigate to Configuration > Users > Modify User, and create policies for, or bind existing policies to, the users.
    • Navigate to Configuration > IP Access Control > Add, and configure the IP access control to allow access to the known range of IP addresses.
    • Navigate to Configuration > Users > Modify User, and create an alternative superuser account and bind policies to this account.

    For more details about LOM configuration, see LOM Configuration.
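The IP access control step above only restricts LOM access if the allow list is actually narrow. The following is an added example (not NetScaler or Citrix code) that audits a proposed set of allow-list rules before they are entered in the LOM GUI: it rejects any-address and overly broad rules, flags rules that fall outside the ranges administrators are known to use, and answers whether a given client address would be admitted. The management ranges, the /24 breadth threshold and the rule strings are constructed for illustration; the LOM GUI does not expose this logic.

```python
"""Audit a LOM IP access-control allow list before applying it.

Added example, not NetScaler code. Rules are assumed to be written as
'<network>/<prefix>' strings, and the known management ranges below are
constructed for illustration only.
"""
import ipaddress

# Constructed: ranges from which administrators are expected to reach the LOM.
KNOWN_MGMT_RANGES = ["10.20.30.0/24", "192.0.2.128/26"]

# Assumption: a single IPv4 allow rule wider than a /24 is treated as too broad.
DEFAULT_MIN_PREFIX = 24


def audit_rules(rules, known_ranges=KNOWN_MGMT_RANGES, min_prefix=DEFAULT_MIN_PREFIX):
    """Return a list of (rule, reason) findings; an empty list means the list is tight.

    A rule can produce more than one finding (for example both too broad and
    outside every known management range).
    """
    known = [ipaddress.ip_network(k) for k in known_ranges]
    findings = []
    for rule in rules:
        try:
            net = ipaddress.ip_network(rule, strict=False)
        except ValueError:
            findings.append((rule, "not a valid IP network"))
            continue

        # 0.0.0.0/0 or ::/0 admits everyone; the allow list is then no restriction at all.
        if net.prefixlen == 0:
            findings.append((rule, "matches every address; the allow list is not a restriction"))
            continue

        if net.version == 4 and net.prefixlen < min_prefix:
            findings.append((rule, f"broader than /{min_prefix}"))

        # subnet_of() only compares networks of the same IP version.
        same_version = [k for k in known if k.version == net.version]
        if not any(net.subnet_of(k) for k in same_version):
            findings.append((rule, "not contained in any known management range"))
    return findings


def is_allowed(client_ip, rules):
    """True if client_ip falls inside at least one allow rule.

    Invalid rules are skipped here; audit_rules() is where they are reported.
    """
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        try:
            if ip in ipaddress.ip_network(rule, strict=False):
                return True
        except ValueError:
            continue
    return False


if __name__ == "__main__":
    # Constructed candidate allow list: one good rule, one overly broad, one any-address.
    candidate = ["10.20.30.0/24", "10.0.0.0/8", "0.0.0.0/0"]
    for rule, reason in audit_rules(candidate):
        print(f"REJECT {rule}: {reason}")
    print("admin 10.20.30.7 allowed:", is_allowed("10.20.30.7", ["10.20.30.0/24"]))
```

Run the audit on the rule set before typing it into Configuration > IP Access Control, and apply it only when `audit_rules()` returns no findings; a single `0.0.0.0/0` entry silently undoes the whole control.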

Maintenance and removal of persistent data

If a NetScaler is redeployed to another environment, decommissioned, or returned under RMA, ensure that persistent data is correctly removed from NetScaler.

For more information about this process, see Wiping your data before sending the ADC appliance to Citrix.
