
Secure Deployment Guide for NetScaler MPX and VPX Appliances

Citrix have released this great secure deployment guide for NetScaler MPX and VPX appliances.

I have made a summary in bullets so you can get a quick overview of what the guide covers. I recommend that you download the guide to read the entire content.


NetScaler® Security Best Practices for MPX and VPX

Citrix® NetScaler® MPX appliance is an application delivery controller that accelerates Web sites, provides L4-7 traffic management, offers an integrated application firewall, and offloads servers. Citrix® NetScaler® VPX is a virtual appliance that has all the features of NetScaler MPX appliance, runs on standard servers, and provides higher availability for Web applications including Citrix XenDesktop and XenApp. Utilizing both NetScaler MPX and VPX appliances, an organization can deploy the flex-tenancy solution that further optimizes Web application delivery infrastructure by separating high-volume shared network services from processor-intensive, application-specific services. Furthermore, a NetScaler appliance enables the seamless integration with Citrix OpenCloud Access that can extend a datacenter with the power of the Cloud.

To maintain security through the deployment lifecycle, Citrix recommends the following security considerations:

  • Physical Security
  • Appliance Security
  • Network Security
  • Administration and Management

Deployment Guidelines

The following are the organizational security considerations and recommendations for the deployment of a NetScaler appliance:

Physical Security

  • Deploy the Appliance in the Secure Server Room
  • Protect the Front Panel and Console Port from Unauthorized Access
  • Protect Power Supply

Appliance Security

  • Secure the Server Operating System that Hosts a NetScaler VPX Appliance
  • Perform Remote Software Updates
  • Follow Secure Lifecycle Management Practices

Network Security

  • Consider using an X.509 Certificate from a Reputed Certificate Authority for the Internet Facing Web Application
  • Use Transport Layer Security when Accessing an Administrator Interface
  • Use a Non-routable Management IP Address
  • Configure a High Availability Setup
  • Configure Network Security Domains
  • Use Stateful Firewall Protection

Administration and Management

  • Create an Alternate Super User Account
  • Change Password for the nsroot Super User Account
  • Follow Best Practices for the Implementation of a NetScaler Appliance
  • Use Access Control
  • Set up Secure Communication Between Peer Appliances
  • Configure Other Accounts Remotely
  • Configure Logging to External NetScaler Log Host
  • Add SNMP Managers
  • Use SNMP v3 Security Features
  • Configure NTP
  • Disable SSLv2 Redirect
  • Drop invalid HTTP requests
  • Disable SSL Renegotiation
  • Whitelist HTTP headers
  • Disable Layer 3 Mode
  • Consider Using Application Firewall in a NetScaler Platinum Edition Appliance

NetScaler-FIPS Recommendations

  • Change FIPS Crypto Card Passwords
  • Store the HSM Password in a Secure Location

Access Gateway Enterprise Edition Security Recommendations

  • Use Default Deny
  • Use SSLv3/TLS Communication Between Servers
  • Use the Intranet applications feature

Application Firewall Security Recommendations

  • Deploy the Appliance in the Two-arm Mode
  • Use Default Deny

Download the Secure Deployment Guide for NetScaler MPX and VPX Appliances here
