NetScaler
In this article I explain steps that can be taken to secure management access to NetScaler
ADCs. I also explain a common scenario where two NetScalers in a highly available (HA) pair
each need their own unique certificate for HTTPS management communication.
As a best practice, you shouldn't enable management access on Subnet IPs (SNIPs), even though
that is possible. Many administrators do so, especially when NetScaler is part of an HA pair,
because it lets them always reach the primary instance simply by browsing to the SNIP address.
SNIPs, however, sit on the data-plane subnets, so management on a SNIP exposes the GUI and
SSH to everything that can reach those subnets.
Instead, allow management access only on the NetScaler IP (NSIP), the dedicated management
address of each appliance. Other recommended steps to secure access to NetScaler are:
▪ Restrict access to the NSIP with firewall rules so that only designated management
machines (and the personnel using them) can reach it.
▪ Block TCP port 80 to the NSIP, again with ACLs, either on the firewalls that sit in front of
NetScaler or on NetScaler itself.
Contents:
▪ Configure ACLs on NetScaler to allow management access from a single server
First make sure that internal management communication is allowed. It is by default, but you
can confirm this by running show l3param on the NetScaler CLI and checking that
implicitACLAllow is set to ENABLED.
Classification: Internal
Next navigate to System -> Network -> ACLs -> Extended ACLs -> Add.
In this scenario we allow one single management server access to VPX1. Specify a Name, set
the Priority to 1, enter the management server's IP under Source IP Low and the NetScaler IP
address of VPX1 under Destination IP Low.
Set the Protocol to TCP and enter 443 under Destination port low.
Create a second ACL this time with a Priority of 2 and Destination IP Low set to the NetScaler
IP address of VPX2.
Create a final ACL that denies all other traffic: set the Action to DENY and specify a Priority
of 100 so that it is evaluated after the two allow rules (extended ACLs are evaluated in
ascending priority order and the first match wins).
Enter the VPX1 and VPX2 NetScaler IP addresses under Destination IP Low and Destination
IP High, specify TCP under Protocol and 443 under Destination Port Low. Leave the source
fields empty so that the rule matches every other source.
Whilst the ACLs have been created, they have not yet been applied. To apply them, select
Action -> Apply and click Yes. Do this from the management server you allowed above: once
the rules take effect, no other host can reach the NSIPs on port 443.
Test access to make sure that you can browse to the management portal of each appliance
from the management server you chose.
By default, you can browse to the NSIP of NetScaler from your web browser over TCP port
80 or 443. Enabling Secure Access Only makes NetScaler refuse management connections over
port 80. To enable it, log on to NetScaler and navigate to System -> Network -> IPs, click on
the NetScaler IP and, towards the bottom of the dialog, check Secure Access Only, then save.
Note that NSIP settings are not synchronised between the HA nodes, so you must also enable
Secure Access Only on the secondary appliance.
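The CLI equivalent of the ACL and Secure Access Only steps above, as an added example that is not part of the original article. It emits NetScaler CLI batches that you pipe over SSH to the NSIP; the addresses (10.0.0.50 for the management server, 10.0.0.10 and 10.0.0.11 for the two NSIPs) and the ACL names are assumptions. It also refuses to hand over an ACL batch whose allow rules would sort after the deny, which is the mistake that locks you out:

```shell
#!/bin/sh
# Added example, not from the original article. Produces the NetScaler CLI
# batches equivalent to the GUI steps above; all IP addresses are assumed.
#   $1 management server, $2 NSIP of VPX1, $3 NSIP of VPX2

# ACLs are synchronised between HA nodes, so this batch is applied on the
# primary only. Extended ACLs are evaluated lowest priority number first and
# the first match wins, so the two ALLOW rules must sort before the DENY.
# The DENY covers only TCP/443 to the NSIPs, so HA heartbeats (UDP 3003) and
# HA sync/propagation (TCP 3008-3011) between the NSIPs are unaffected.
ns_mgmt_acl_batch() {
  mgmt_host=$1; nsip1=$2; nsip2=$3
  cat <<EOF
add ns acl allow_mgmt_vpx1 ALLOW -srcIP $mgmt_host -destIP $nsip1 -protocol TCP -destPort 443 -priority 1
add ns acl allow_mgmt_vpx2 ALLOW -srcIP $mgmt_host -destIP $nsip2 -protocol TCP -destPort 443 -priority 2
add ns acl deny_mgmt_other DENY -destIP $nsip1-$nsip2 -protocol TCP -destPort 443 -priority 100
apply ns acls
show ns acl
save ns config
EOF
}

# NSIP settings are not synchronised: run this on EACH node against its own
# NSIP. "-gui SECUREONLY" is the CLI form of the Secure Access Only checkbox.
ns_nsip_secure_only_batch() {
  nsip=$1
  cat <<EOF
set ns ip $nsip -gui SECUREONLY
save ns config
EOF
}

# Lock-out guard: every ALLOW must carry a lower priority number than the
# lowest DENY, otherwise the deny wins and the management server is cut off.
ns_acl_batch_is_safe() {
  max_allow=$(printf '%s\n' "$1" | awk 'BEGIN{m=0}
    /^add ns acl .* ALLOW /{for(i=1;i<=NF;i++) if($i=="-priority") p=$(i+1)+0; if(p>m) m=p}
    END{print m}')
  min_deny=$(printf '%s\n' "$1" | awk 'BEGIN{m=0}
    /^add ns acl .* DENY /{for(i=1;i<=NF;i++) if($i=="-priority") p=$(i+1)+0; if(m==0||p<m) m=p}
    END{print m}')
  [ "$max_allow" -gt 0 ] && [ "$min_deny" -gt "$max_allow" ]
}

# Usage, run FROM the management server since it is the only host the ACLs
# admit afterwards. SSH (TCP 22) is untouched by these rules and remains the
# recovery path ("clear ns acls" followed by "apply ns acls" on the appliance):
#   batch=$(ns_mgmt_acl_batch 10.0.0.50 10.0.0.10 10.0.0.11)
#   ns_acl_batch_is_safe "$batch" && printf '%s\n' "$batch" | ssh nsroot@10.0.0.10
#   ns_nsip_secure_only_batch 10.0.0.10 | ssh nsroot@10.0.0.10
#   ns_nsip_secure_only_batch 10.0.0.11 | ssh nsroot@10.0.0.11
```

The guard only checks ordering; it cannot tell whether 10.0.0.50 is really the host you are sitting on, so verify that before piping the batch in.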
By default, both appliances share the same ns-server-certificate certificate/key pair. This
certificate is synchronised between both appliances and the common name is the same.
If we browse to the NetScaler management address over HTTPS, by default we get a
certificate warning, because the common name of this default certificate does not match the
URL we specify and because the certificate is self-signed by the appliance, so no browser
trusts its issuer.
When two NetScaler appliances are in an HA pair, we have to make sure that each NSIP
management address is protected by a unique certificate that matches the hostname of that
appliance. That is awkward because, by default, certificates in an HA pair replicate between
both appliances.
So, for example, if I have a certificate for NetScalerOne and configure NetScaler to use this
certificate for the management URL, that configuration replicates to the second appliance,
and browsing to the second appliance produces a certificate mismatch error because the
certificate does not match the secondary NetScaler's management URL.
To get around this, we create two unique certificates (one for each appliance) and store
them in a directory on NetScaler that is not synchronised between the appliances
(/nsconfig/SSL_NOSYNC, which lies outside the synchronised /nsconfig/ssl tree).
To begin, on the primary NetScaler navigate to Traffic Management -> SSL -> SSL Files ->
Keys -> Create RSA Key.
Specify a name (RSA.key in this walkthrough). Set Key Size (bits) to 2048 or higher, set PEM
Encoding Algorithm to DES3 (or AES256 where your release offers it, DES3 being the legacy
option) and specify a PEM Passphrase. Click Create.
Click on the CSRs tab and click Create Certificate Signing Request (CSR).
Specify a new name for the CSR. Under Key Filename browse the appliance and select the
RSA.key file created earlier, then enter the PEM Passphrase set on the private key. Select
SHA256 as the Digest Method. Under Common Name enter the FQDN of your primary
NetScaler, then enter an Organization Name, a State or Province and a Country, and click
Create. Modern browsers ignore the Common Name and require the FQDN in a Subject
Alternative Name: if your release's CSR dialog has a Subject Alternative Name field, enter
the same FQDN there; otherwise have your CA add it when issuing the certificate.
On your Active Directory Certificate Services server, submit the CSR you created for the
primary NetScaler with the certreq command so that a certificate is issued.
Save the certificate under a name that identifies it as the certificate for the primary
NetScaler.
Create the /nsconfig/SSL_NOSYNC directory on the primary appliance and copy into it the
RSA.key file from /nsconfig/ssl/ and the certificate your Certificate Authority has just
issued. Rename the certificate to a name such as NSIPCert.cer; this certificate name will be
the same on your secondary appliance. Then delete the RSA.key key and the CSR file from
/nsconfig/ssl/ on the primary appliance, so that the private key does not replicate to the
secondary through HA file synchronisation.
Now repeat the same steps on the secondary appliance: generate a new RSA key, again called
RSA.key and with the same PEM passphrase as on the primary (the certificate-key pair is
added with one command that NetScaler propagates to both nodes), generate a new CSR with
the secondary's FQDN as Common Name, submit it to your Certificate Authority, and copy the
issued certificate (renamed NSIPCert.cer) and RSA.key to a /nsconfig/SSL_NOSYNC directory
on the secondary.
Now, on both the primary and secondary appliances, issue the command add ssl certKey
NSVPXCert -cert /nsconfig/SSL_NOSYNC/NSIPCert.cer -key /nsconfig/SSL_NOSYNC/RSA.key
-password yourRSAKeypassword. The identical paths resolve to each appliance's own
certificate and key, which is why the file names (and the passphrase) must match on both
appliances.
The certificate will show up on each appliance as below. Primary NetScaler will contain a
certificate with Common Name set to the FQDN of the primary appliance and the secondary
appliance will contain a separate certificate with Common Name set to the FQDN of the
secondary appliance.
Next navigate to Traffic Management -> Load Balancing -> Services -> Internal Services and
click into nshttps-127.0.0.1-443, the internal service that serves the management GUI over
HTTPS. Under its certificate bindings, replace ns-server-certificate with NSVPXCert: confirm
with Yes when prompted to replace the existing server certificate, select NSVPXCert, click
Bind, then Close and Done.
To test, browse to the primary and secondary NetScaler, confirming that you receive the
correct certificate from both appliances and that no certificate errors are presented.
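The per-appliance certificate procedure above as a script, added here as an example that is not part of the original article. The hostname ns1.example.com, the passphrase, the subject fields and the staging paths are assumptions, as is the -subjectAltName option on create ssl certreq, which newer releases accept and older ones do not (drop it there). Parts 1 and 3 are NetScaler CLI batches; part 2 runs in the appliance's FreeBSD shell and is written so it can be exercised on any machine:

```shell
#!/bin/sh
# Added example, not from the original article. Per-appliance certificate for
# the NSIP in three parts: part 1 in the NetScaler CLI, part 2 in the
# appliance's FreeBSD shell once the CA has issued the certificate, part 3
# back in the NetScaler CLI. Run the whole sequence on EACH appliance with that
# appliance's own FQDN. Hostnames, paths and the passphrase are assumptions.

# Part 1: private key and CSR. The passphrase is passed inline so the batch
# can be piped in non-interactively; clear it from your shell history.
# -subjectAltName is assumed to exist on your release (newer builds only).
ns_nsip_csr_batch() {
  fqdn=$1; passphrase=$2; org=$3; state=$4; country=$5
  cat <<EOF
create ssl rsakey /nsconfig/ssl/RSA.key 2048 -exponent F4 -keyform PEM -des3 -password $passphrase
create ssl certreq /nsconfig/ssl/RSA.csr -keyFile /nsconfig/ssl/RSA.key -keyform PEM -PEMPassPhrase $passphrase -digestMethod SHA256 -commonName $fqdn -organizationName "$org" -stateName "$state" -countryName $country -subjectAltName "DNS:$fqdn"
EOF
}

# Part 2: stage the issued certificate and the key outside the HA-synchronised
# /nsconfig/ssl tree, then remove key and CSR from the synchronised copy so the
# private key never replicates to the other node.
#   $1 synchronised ssl dir, $2 non-synchronised dir, $3 certificate from the CA
stage_nosync_cert() {
  synced=$1; nosync=$2; issued=$3
  mkdir -p "$nosync"
  cp "$synced/RSA.key" "$nosync/RSA.key"
  cp "$issued" "$nosync/NSIPCert.cer"
  chmod 600 "$nosync/RSA.key"            # private key readable by owner only
  rm -f "$synced/RSA.key" "$synced/RSA.csr"
  [ -f "$nosync/RSA.key" ] && [ -f "$nosync/NSIPCert.cer" ] && [ ! -f "$synced/RSA.key" ]
}

# Part 3: load the pair and make it the management GUI's server certificate.
# The unbind is the CLI form of the GUI's "replace existing certificate? Yes"
# (harmless if nothing is bound). Identical paths and passphrase on both nodes
# keep the propagated add ssl certKey valid on the secondary; the final show
# lets you confirm each node reports its own FQDN as Subject.
ns_nsip_cert_bind_batch() {
  passphrase=$1
  cat <<EOF
add ssl certKey NSVPXCert -cert /nsconfig/SSL_NOSYNC/NSIPCert.cer -key /nsconfig/SSL_NOSYNC/RSA.key -password $passphrase
unbind ssl service nshttps-127.0.0.1-443 -certkeyName ns-server-certificate
bind ssl service nshttps-127.0.0.1-443 -certkeyName NSVPXCert
show ssl certKey NSVPXCert
save ns config
EOF
}

# Usage on the primary (repeat on the secondary with its own FQDN):
#   ns_nsip_csr_batch ns1.example.com 'S3cret!' "Example Ltd" Hampshire GB | ssh nsroot@10.0.0.10
#   ... submit /nsconfig/ssl/RSA.csr to the CA and copy the issued file to the appliance ...
#   stage_nosync_cert /nsconfig/ssl /nsconfig/SSL_NOSYNC /var/tmp/ns1.cer   # in the appliance shell
#   ns_nsip_cert_bind_batch 'S3cret!' | ssh nsroot@10.0.0.10
```

After binding, check from a browser that each NSIP presents its own certificate, and check again after an HA failover to confirm the non-synchronised files survived the sync.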