NetScaler Security Features
Enabling Secure Access Only for NetScalers
Go to System/Network/IPs. Select the NSIP address and edit it. Scroll to the bottom and check the “Secure Access Only” option. Do the same for the SNIP. All communication then goes through port 443 for both the NSIP and the SNIP.
Replacing internal Default Certificate
Go to Traffic Management/SSL/Certificates/Server Certificates. Select ns-server-certificate, update it, and select your new certificate and key. Check the “No domain check” option. You can set up an FQDN such as netscaler01.company.com and get a certificate for that FQDN. Do the same on your other NetScalers if you have more. After the certificate is updated on the NetScaler, open a browser and go to https://netscaler01.company.com. The portal should open without any certificate errors. You can get one SAN certificate for all your NetScalers.
Scoring A+ on SSLLabs.com
Go to ssllabs.com and click the “Test your Server” option on the right. Enter your NetScaler Gateway URL or LB VIP URL (if the LB VIP is exposed to the internet). After some time, it shows the rating, the certificate links, and so on.
Go to SSL/Certificates/Server Certificates and link your intermediate, root and server certificates. Next, go to SSL/Change advanced SSL settings, scroll down, enable the default profile and click OK. Select Yes when prompted again.
Go to System/Profiles and open SSL Profile. Click Add. Name the profile, go to Deny SSL Renegotiation and select NONSECURE from the dropdown. Scroll down and enable the HSTS option. Enter 157680000 as the max age. Remove TLSv1 and other old protocols: enable only TLSv12 and TLSv13 and uncheck all others. Click OK.
Edit the ciphers on the same profile: click the pencil icon under SSL Ciphers. Click Add, remove the default cipher, and in the available list scroll down and select the secure cipher. Click OK.
Go to your LB VIP or NetScaler Gateway, remove the SSL profile that was already there and select the one created above. Click Done.
If you have ADM set up, navigate to ADM/Applications/Dashboard and click the LB VIP or NetScaler Gateway. Click the SSL tab at the top, then click the “Upgrade to an A+ SSL rating” option. Review the options displayed and click Continue.
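To confirm from a client that the vserver behaves as the profile above intends (HSTS max age 157680000, only TLS 1.2 and 1.3 accepted, certificate trusted), a check like the following can be run before or alongside the SSL Labs test. This is an added example, not part of the original page or any Citrix tooling; the function names are assumptions chosen for illustration.

```python
import http.client
import ssl

REQUIRED_MAX_AGE = 157680000  # HSTS max age entered in the SSL profile above
# Protocols left enabled (True) or removed (False) in that profile.
EXPECTED = {"TLSv1": False, "TLSv1_1": False, "TLSv1_2": True, "TLSv1_3": True}

def hsts_max_age(header):
    """Return max-age from a Strict-Transport-Security value, or None."""
    for part in (header or "").split(";"):
        name, _, arg = (s.strip().strip('"') for s in part.partition("="))
        if name.lower() == "max-age" and arg.isdecimal():
            return int(arg)
    return None

def evaluate(hsts_header, accepted):
    """List where observed behaviour differs from the settings on this page."""
    findings = []
    age = hsts_max_age(hsts_header)
    if age is None:
        findings.append("HSTS header missing or without a valid max-age")
    elif age < REQUIRED_MAX_AGE:
        findings.append(f"HSTS max-age {age} is below {REQUIRED_MAX_AGE}")
    for name, want in EXPECTED.items():
        if accepted.get(name) != want:
            findings.append(f"{name} should be {'accepted' if want else 'refused'}")
    return findings

def probe(host, version, port=443):
    """Handshake pinned to one TLS version; returns (accepted, HSTS value).
    A refused TLSv1/TLSv1_1 may be the local OpenSSL build, not the appliance."""
    ctx = ssl.create_default_context()  # also validates chain and hostname
    conn = http.client.HTTPSConnection(host, port, timeout=10, context=ctx)
    try:
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[version]
        conn.request("HEAD", "/")
        return True, conn.getresponse().getheader("Strict-Transport-Security")
    except ssl.SSLCertVerificationError:
        raise  # certificate problem, not a protocol result; surface it
    except (OSError, ValueError):  # handshake refused or version unsupported
        return False, None
    finally:
        conn.close()

def audit(host):
    """Probe each protocol in EXPECTED and evaluate the combined result."""
    results = {v: probe(host, v) for v in EXPECTED}
    hsts = next((h for ok, h in results.values() if ok and h), None)
    return evaluate(hsts, {v: ok for v, (ok, _) in results.items()})
```

Calling `audit("netscaler01.company.com")` returns an empty list when everything matches; a raised `SSLCertVerificationError` means the certificate or chain linking still needs attention.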