NetScaler secure deployment guide

NetScaler Gateway security recommendations

July 25, 2024

Contributed by:

Use a ‘Default Deny’ policy

We recommend that administrators configure the NetScaler Gateway with a ‘deny all’ policy at the global level, in addition to the use of authorization policies to selectively enable the access to resources on a group basis.

By default, the defaultAuthorizationAction parameter is set to DENY. Verify this setting and grant explicit access to each user. You can use the show defaultAuthorizationAction command on the CLI to verify the setting. To set the parameter to deny all resources at the global level, run the following command from the CLI:

set vpn parameter -defaultAuthorizationAction DENY
<!--NeedCopy-->

Use TLS1.2 communication between servers

We recommend that TLS1.2 or TLS 1.3 be used for the links between NetScaler Gateway and other services, such as LDAP and Web Interface servers. The use of older versions of this protocol, TLS 1.1, TLS 1.0, and SSLv3 and earlier is not recommended.

Use the ‘Intranet Applications’ feature Use Intranet Applications to define which networks are intercepted by the NetScaler Gateway plug-in and sent to the gateway. The following is a sample set of commands to define interception:

add vpn intranetApplication intra1 ANY 10.217.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT

bind vpn vserver v1 –intranetapp intra1
<!--NeedCopy-->

Authentication, authorization, and auditing security recommendations

If a NetScaler or a NetScaler Gateway appliance is configured as SAML SP or SAML IdP or both, see the article https://support.citrix.com/article/CTX316577 for recommended configuration details.

For details about SAML authentication, see SAML authentication.

A NetScaler Gateway appliance with nFactor authentication can encrypt the login request fields submitted by a client (browser or SSO apps) during the authentication process. The encrypted login request fields provide an extra layer of security to protect the user’s sensitive data from being disclosed.

To enable the login encryption by using the CLI, run the following command.

set aaa parameter [-loginEncryption (ENABLED | DISABLED)]
<!--NeedCopy-->

To enable the login encryption by using the GUI

Navigate to Security > AAA – Application Traffic.
Click Change authentication AAA settings under the Authentication Settings section.
On the Configure AAA Parameter page, in Login Encryption click Enabled.

For more details on login encryption, see Encryption of NetScaler Gateway login information for nFactor authentication.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

NetScaler Gateway security recommendations

July 25, 2024

Contributed by:

July 25, 2024

Contributed by:

NetScaler Gateway security recommendations

Use a ‘Default Deny’ policy

Use TLS1.2 communication between servers

Authentication, authorization, and auditing security recommendations

Enable encryption of NetScaler Gateway login information for nFactor authentication

In this article