NetScaler Gateway security recommendations

Use a ‘Default Deny’ policy

We recommend that administrators configure the NetScaler Gateway with a ‘deny all’ policy at the global level, in addition to the use of authorization policies to selectively enable the access to resources on a group basis.

By default, the defaultAuthorizationAction parameter is set to DENY. Verify this setting and grant explicit access to each user. You can use the show defaultAuthorizationAction command on the CLI to verify the setting. To set the parameter to deny all resources at the global level, run the following command from the CLI:

set vpn parameter -defaultAuthorizationAction DENY

Use TLS 1.2 communication between servers

We recommend TLS 1.2 or TLS 1.3 for the links between NetScaler Gateway and other services, such as LDAP and Web Interface servers. Older versions of the protocol (TLS 1.1, TLS 1.0, SSLv3, and earlier) are not recommended.

Use the ‘Intranet Applications’ feature

Use Intranet Applications to define which networks are intercepted by the NetScaler Gateway plug-in and sent to the gateway. The following is a sample set of commands to define interception:

add vpn intranetApplication intra1 ANY 10.217.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT

bind vpn vserver v1 -intranetapp intra1

Authentication, authorization, and auditing security recommendations

If a NetScaler or a NetScaler Gateway appliance is configured as SAML SP or SAML IdP or both, see the article https://support.citrix.com/article/CTX316577 for recommended configuration details.

For details about SAML authentication, see SAML authentication.

Enable encryption of NetScaler Gateway login information for nFactor authentication

A NetScaler Gateway appliance with nFactor authentication can encrypt the login request fields submitted by a client (browser or SSO apps) during the authentication process. The encrypted login request fields provide an extra layer of security to protect the user’s sensitive data from being disclosed.

To enable the login encryption by using the CLI, run the following command.

set aaa parameter [-loginEncryption (ENABLED | DISABLED)]

To enable the login encryption by using the GUI

  1. Navigate to Security > AAA – Application Traffic.
  2. Click Change authentication AAA settings under the Authentication Settings section.
  3. On the Configure AAA Parameter page, under Login Encryption, click Enabled.

For more details on login encryption, see Encryption of NetScaler Gateway login information for nFactor authentication.
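The three CLI settings recommended above (the global deny-all authorization action, the Intranet Applications binding, and nFactor login encryption) are easy to drift away from across upgrades. The following script is an added example, not Citrix code or a NetScaler tool: it audits a saved ns.conf for those settings, using only the command syntax shown on this page. The sample configuration is constructed, and the assumption that an absent line means the setting is at its factory default (DENY for defaultAuthorizationAction, DISABLED for loginEncryption) is the author's, not the page's.

```python
import re

# Constructed ns.conf excerpt (not taken from a real appliance). The lines
# mirror the commands shown on this page, with the first two deliberately
# set to non-compliant values so the audit has something to flag.
SAMPLE_NSCONF = """\
set vpn parameter -defaultAuthorizationAction ALLOW
set aaa parameter -loginEncryption DISABLED
add vpn intranetApplication intra1 ANY 10.217.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT
bind vpn vserver v1 -intranetapp intra1
"""

# (check name, regex capturing the configured value, required value,
#  value assumed when the line is absent because the setting is at default)
CHECKS = [
    ("defaultAuthorizationAction",
     r"^set vpn parameter\b.*-defaultAuthorizationAction\s+(\S+)", "DENY", "DENY"),
    ("loginEncryption",
     r"^set aaa parameter\b.*-loginEncryption\s+(\S+)", "ENABLED", "DISABLED"),
]

def audit(ns_conf: str) -> dict:
    """Return {check: (observed value, compliant)} for the page's recommendations."""
    results = {}
    for name, pattern, required, default in CHECKS:
        value = default
        for line in ns_conf.splitlines():
            m = re.search(pattern, line.strip(), re.I)
            if m:
                value = m.group(1).upper()  # later lines override earlier ones, as on replay
        results[name] = (value, value == required)
    # Intranet Applications: at least one defined app must be bound to a gateway vserver
    defined = set(re.findall(r"^add vpn intranetApplication\s+(\S+)", ns_conf, re.M | re.I))
    bound = set(re.findall(r"^bind vpn vserver\s+\S+\s+-intranetapp\s+(\S+)", ns_conf, re.M | re.I))
    active = sorted(defined & bound)
    results["intranetApplication"] = (active, bool(active))
    return results

def findings(ns_conf: str) -> list:
    """Human-readable list of non-compliant items (empty when everything passes)."""
    return [f"{name}: observed {value!r}" for name, (value, ok) in audit(ns_conf).items() if not ok]

if __name__ == "__main__":
    for line in findings(SAMPLE_NSCONF) or ["all checks passed"]:
        print(line)
```

Run it against the output of `show ns runningConfig` saved to a file to compare a live appliance with the recommendations; the TLS version checks belong in the SSL profile review and are not covered here.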
