NetScaler Gateway security recommendations

Use a ‘Default Deny’ policy

We recommend that administrators configure NetScaler Gateway with a ‘deny all’ policy at the global level, and then use authorization policies to selectively grant access to resources on a per-group basis.

By default, the defaultAuthorizationAction parameter is set to DENY. Verify this setting and grant explicit access to each user. You can use the show vpn parameter command on the CLI to verify the setting. To set the parameter to deny all resources at the global level, run the following command from the CLI:

set vpn parameter -defaultAuthorizationAction DENY

Use TLS1.2 communication between servers

We recommend TLS 1.2 or TLS 1.3 for the links between NetScaler Gateway and other services, such as LDAP and Web Interface servers. Older versions of the protocol (TLS 1.1, TLS 1.0, SSLv3, and earlier) are not recommended.

Use intranet applications

Use the Intranet Applications feature to define which networks are intercepted by the NetScaler Gateway plug-in and sent to the gateway. The following is a sample set of commands to define interception:

add vpn intranetApplication intra1 ANY 10.217.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT

bind vpn vserver v1 -intranetapp intra1

Authentication, authorization, and auditing security recommendations

If a NetScaler or a NetScaler Gateway appliance is configured as SAML SP or SAML IdP or both, see the article https://support.citrix.com/article/CTX316577 for recommended configuration details.

For details about SAML authentication, see SAML authentication.

Enable encryption of NetScaler Gateway login information for nFactor authentication

A NetScaler Gateway appliance with nFactor authentication can encrypt the login request fields submitted by a client (browser or SSO apps) during the authentication process. The encrypted login request fields provide an extra layer of security to protect the user’s sensitive data from being disclosed.

To enable the login encryption by using the CLI, run the following command.

set aaa parameter [-loginEncryption (ENABLED | DISABLED)]

To enable the login encryption by using the GUI

  1. Navigate to Security > AAA – Application Traffic.
  2. Click Change authentication AAA settings under the Authentication Settings section.
  3. On the Configure AAA Parameter page, in Login Encryption click Enabled.

For more details on login encryption, see Encryption of NetScaler Gateway login information for nFactor authentication.

Protect authentication, authorization, and auditing VPN virtual server and NetScaler Gateway

We recommend the following mitigations to protect authentication, authorization, and auditing VPN virtual server and NetScaler Gateway:

  1. Ensure that multifactor authentication is enabled for NetScaler Gateway and that the multifactor verification factor is placed before the LDAP factor. For more information, see Configure Multifactor authentication.

  2. Create a responder policy that allows requests only for the desired FQDN, because some attacks target the NetScaler Gateway IP address rather than the FQDN.

    add responder policy IP_Block "HTTP.REQ.HOSTNAME.EQ(\"<enter gateway FQDN here>\").NOT" DROP
    
    bind vpn vserver <vserver name> -policy IP_Block -priority 100 -type REQUEST
    
  3. Enable IP reputation. Enabling IP reputation drops requests from known malicious IP addresses and reduces the impact of attacks. Run the following commands to enable IP reputation:

    enable feature reputation
    
    add responder policy policy_brute_block_ip "CLIENT.IP.SRC.IPREP_IS_MALICIOUS" DROP
    
    bind vpn vserver <Gateway_vserver_name> -policy policy_brute_block_ip -priority 50 -gotoPriorityExpression END -type AAA_REQUEST
    For more information on how to configure IP reputation, see IP Reputation.

  4. Enable reCaptcha on NetScaler. For information on how to configure reCaptcha, see reCaptcha configuration for nFactor authentication.
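The recommendations above (global default deny, login encryption, intranet application interception, the FQDN-only and IP-reputation responder policies) can be checked against a configuration dump. The following audit script is an added example, not part of this page or of NetScaler itself; it parses lines written in the CLI syntax shown on this page, matches option names case-insensitively by prefix because the CLI accepts abbreviations, and treats the global authorization action as DENY unless a `set vpn parameter` line explicitly overrides it. The sample config and the vserver name `v1` are constructed.

```python
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample running config in NetScaler CLI syntax: the commands from this page,
# with two settings deliberately weakened so the audit has something to report.
SAMPLE_CONFIG = """\
set vpn parameter -defaultAuthorizationAction ALLOW
set aaa parameter -loginEncryption DISABLED
add vpn intranetApplication intra1 ANY 10.217.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT
bind vpn vserver v1 -intranetapp intra1
add responder policy IP_Block "HTTP.REQ.HOSTNAME.EQ(\\"gw.example.com\\").NOT" DROP
bind vpn vserver v1 -policy IP_Block -priority 100 -type REQUEST
enable feature reputation
add responder policy policy_brute_block_ip "CLIENT.IP.SRC.IPREP_IS_MALICIOUS" DROP
bind vpn vserver v1 -policy policy_brute_block_ip -priority 50 -gotoPriorityExpression END -type AAA_REQUEST
"""


def _opt(tokens: List[str], name: str) -> Optional[str]:
    """Value of a -name option; matched case-insensitively by prefix (CLI allows abbreviations)."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower().startswith("-" + name.lower()):
            return tokens[i + 1]
    return None


def audit_gateway_config(config: str, vserver: str) -> Dict[str, bool]:
    """Evaluate one VPN vserver against the hardening recommendations on this page."""
    policies: Dict[str, Tuple[str, str]] = {}   # responder policy name -> (expression, action)
    bound: List[List[str]] = []                  # 'bind vpn vserver <vserver> ...' lines
    allow_set = login_enc = reputation = False
    for t in (shlex.split(l) for l in config.splitlines() if l.strip()):
        head = " ".join(t[:3]).lower()
        if head == "set vpn parameter":
            # Default is DENY, so only an explicit non-DENY value is a finding.
            allow_set |= (_opt(t, "defaultAuthorizationAction") or "DENY").upper() != "DENY"
        elif head == "set aaa parameter":
            login_enc |= (_opt(t, "loginEncryption") or "").upper() == "ENABLED"
        elif head == "add responder policy" and len(t) >= 6:
            policies[t[3]] = (t[4].upper(), t[5].upper())
        elif head == "bind vpn vserver" and len(t) > 3 and t[3] == vserver:
            bound.append(t)
        elif head == "enable feature reputation":
            reputation = True

    def drop_policy_bound(needle: str, ptype: str) -> bool:
        # True if a DROP responder policy containing `needle` is bound to the vserver with -type ptype.
        for t in bound:
            expr, action = policies.get(_opt(t, "policy") or "", ("", ""))
            if needle in expr and action == "DROP" and (_opt(t, "type") or "").upper() == ptype:
                return True
        return False

    return {
        "default_deny": not allow_set,
        "login_encryption": login_enc,
        "intranet_app_bound": any(_opt(t, "intranetapp") for t in bound),
        "fqdn_only_responder": drop_policy_bound("HTTP.REQ.HOSTNAME", "REQUEST"),
        "ip_reputation": reputation and drop_policy_bound("IPREP_IS_MALICIOUS", "AAA_REQUEST"),
    }
```

Any key that is False is a gap relative to this page; on the constructed sample, `default_deny` and `login_encryption` fail while the three binding checks pass.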