
Secure Deployment Guide for NetScaler MPX and VPX Appliances

Citrix have released this great secure deployment guide for NetScaler MPX and VPX appliances.

I have made a summary in bullets so you can get a quick overview of what the guide covers. I recommend that you download the guide to read the entire content.


NetScaler® Security Best Practices for MPX and VPX

Citrix® NetScaler® MPX appliance is an application delivery controller that accelerates Web sites, provides L4-7 traffic management, offers an integrated application firewall, and offloads servers. Citrix® NetScaler® VPX is a virtual appliance that has all the features of NetScaler MPX appliance, runs on standard servers, and provides higher availability for Web applications including Citrix XenDesktop and XenApp. Utilizing both NetScaler MPX and VPX appliances, an organization can deploy the flex-tenancy solution that further optimizes Web application delivery infrastructure by separating high-volume shared network services from processor-intensive, application-specific services. Furthermore, a NetScaler appliance enables the seamless integration with Citrix OpenCloud Access that can extend a datacenter with the power of the Cloud.

To maintain security through the deployment lifecycle, Citrix recommends the following security considerations:

  • Physical Security
  • Appliance Security
  • Network Security
  • Administration and Management

Deployment Guidelines

The following are the organizational security considerations and recommendations for the deployment of a NetScaler appliance:

Physical Security

  • Deploy the Appliance in the Secure Server Room
  • Protect the Front Panel and Console Port from Unauthorized Access
  • Protect Power Supply

Appliance Security

  • Secure the Server operating system that Hosts a NetScaler VPX Appliance
  • Perform Remote Software Updates
  • Follow Secure Lifecycle Management Practices

Network Security

  • Consider using an X.509 Certificate from a Reputed Certificate Authority for the Internet Facing Web Application
  • Use Transport Layer Security when Accessing an Administrator Interface
  • Use a Non-routable Management IP Address
  • Configure a High Availability Setup
  • Configure Network Security Domains
  • Use Stateful Firewall Protection

Administration and Management

  • Create an Alternate Super User Account
  • Change Password for the nsroot Super User Account
  • Follow Best Practices for the Implementation of a NetScaler Appliance
  • Use Access Control
  • Set up Secure Communication Between Peer Appliances
  • Configure Other Accounts Remotely
  • Configure Logging to External NetScaler Log Host
  • Add SNMP Managers
  • Use SNMP v3 Security Features
  • Configure NTP
  • Disable SSLv2 Redirect
  • Drop invalid HTTP requests
  • Disable SSL Renegotiation
  • Whitelist HTTP headers
  • Disable Layer 3 Mode
  • Consider Using Application Firewall in a NetScaler Platinum Edition Appliance

NetScaler-FIPS Recommendations

  • Change FIPS Crypto Card Passwords
  • Store the HSM Password in a Secure Location

Access Gateway Enterprise Edition Security Recommendations

  • Use Default Deny
  • Use SSLv3/TLS Communication Between Servers
  • Use the Intranet applications feature

Application Firewall Security Recommendations

  • Deploy the Appliance in the Two-arm Mode
  • Use Default Deny

Download the Secure Deployment Guide for NetScaler MPX and VPX Appliances here

Communication Ports Used by Citrix Technologies *updated

Fred Donovan from Citrix has updated the whitepaper “Communication Ports Used by Citrix Technologies” to version 1.5 (April 2011).


This document provides an overview of ports that are used by Citrix components and must be considered as part of Virtual Computing architecture, especially if communication traffic traverses network components such as firewalls or proxy servers, where ports must be opened to ensure communication flow.


The assignments are listed by the Internet Assigned Numbers Authority (IANA), updated regularly, and revised when new information is available and new assignments are made. The specific location of the port numbers list is available at the following Web site:

Microsoft Article “Network Ports Used by Key Microsoft Server Products”.

Microsoft Article ID 832017 “Service overview and network port requirements for the Windows Server system”.

Download WhitePaper – Communication Ports Used by Citrix Technologies here

Access Gateway VPX 5.0.2

Access Gateway VPX 5.0 is a virtual appliance for Citrix XenServer or VMWare ESX/ESXi that provides secure access to virtual desktops, applications and data while allowing users to work from anywhere. It offers the same capabilities as an Access Gateway physical appliance (Model 2010) while giving greater flexibility and more deployment options to IT administrators. Access Gateway VPX is the best choice for organizations who need to rapidly provision secure access, reduce infrastructure requirements, and minimize power consumption.

New Features Supported in This Maintenance Release

Access Gateway Imaging Tool

The Access Gateway imaging tool now exists as a .zip file containing all files necessary for reimaging the appliance. You download the .zip file, extract the files, and run the tool. The tool indicates the location of the USB drive. By using the .zip file, you no longer need to select an ISO file.

Certificate Length

If you attempt to import an intermediate certificate to Access Gateway where the Subject field is longer than 128 characters, you receive the error message “Value too long for type character varying (128).”

Secure Ticket Authority

You can now configure up to 25 servers running the Secure Ticket Authority (STA).

Static Routing

You can now add up to 256 static routes on the Access Gateway appliance.

Upgrading Access Controller

You can now upgrade Access Controller from Version 5.0 or Version 5.0.1 to Version 5.0.2 without removing the previous version.

XenApp Services Site

You can configure Access Gateway to use a XenApp Services site, giving users access to virtual applications from their computer desktop or mobile device when they authenticate through the Web Interface.

New Features from Previously Released Maintenance Releases

Support for Web Interface 5.4

Access Gateway 5.0.1 supports the following Web Interface 5.4 features:

  • Password Change. When the Web Interface is the home page, users can change their password after they log on.
  • ICA File Signing. The Web Interface digitally signs generated ICA files, to allow compatible Citrix clients and plug-ins to validate that the file originates from a trusted source.

User Software

Access Gateway supports the following user software:

  • Access Gateway Plug-in for Mac OS X Version 2.0
  • Citrix Receiver 2.1


Download Access Gateway VPX 5.0.2 (requires MyCitrix ID)

Command Center 4.1

Command Center is a central manager for Citrix NetScaler, Citrix Access Gateway Enterprise Edition and Citrix Branch Repeater appliances.

New Features in Version 4.1

  • MS SQL 2008 Support
  • Distributed Agents enhanced to Support Syslog, Entity monitoring and Cert Mgmt
  • NITRO for Command Center – JAVA and C# API Support
  • Triggers based on Alarm age
  • Simplified SSL server certificate procedure from CC client for Command Center Server
  • Appfw Signature syslog analytics support
  • Schedule AppFW Dashboard support
  • AppFw transaction id will be displayed in syslog view page
  • Session timeout setting in HTML UI
  • Start in Options in UI
  • Show system name/hostname instead of IP address
  • NetScaler upgradation task to support 9.3 upgradation
  • SNMP authentication failure trap to display source IP
  • Branch Repeater restart task enhancement
  • Add trap action template for event and alarm triggers
  • CC SNMP agent runs on port 8161
  • Ability to configure SNMP trap port
  • Ability to configure multiple Maps with same name

Command Center Features

  • Fault Management and Event Aggregation
  • Historical Reporting and Performance Graphs
  • Real-Time Entity Monitoring Dashboard
  • Central Configuration Management
  • Central Configuration Audit
  • Advanced Alert Thresholds
  • High Availability Deployment Support
  • Automated Task Rollback
  • Central Certificate Management
  • Distributed Agents for better scalability

Supported Operating Systems
Command Center can be installed on servers with the following operating systems:

  • Windows Server 2008 and 2008 R2
  • Windows Server 2003 with SP2
  • Red Hat Linux ES 4.0/5.x
  • CentOS 5.5

Supported Databases
Command Center supports the following databases:

  • MySQL 5.1.x with InnoDB storage engine
  • Microsoft SQL Server 2005/2008
  • Oracle Database Server 10g

Supported Devices
Command Center supports the following devices:

  • NetScaler Enterprise and Platinum edition devices, running OS versions 8.x and 9.x
  • Branch Repeater/ Repeater devices, running OS versions 4.3.2+ and CBRwWS 2.0+
  • Access Gateway Enterprise Edition devices, running OS versions 8.x and 9.x

Command Center is available to manage NetScaler Enterprise and Platinum edition, Access Gateway Enterprise Edition and Citrix Branch Repeater devices.

Administrations Guide
Installations Guide
Release Notes
User Guide

Download Command Center 4.1

Download Command Center 4.1 here (requires MyCitrix login)

Simplicity is Power

I have noticed today that Citrix have updated their webpage, and I noticed a cool new Citrix advertisement, “Work on anywhere, On any device, that's the power of virtual computing”. Yes, these are the topics we see over and over at the Citrix Synergy events ;o).

I recommend you look at this cool webpage, where Citrix explains what Virtual Computing, Virtual Desktop, High-Definition Desktop, Virtual Servers and Networking means to them and how Citrix can solve these things.

look more at