Disable TLS/SSL Client Renegotiation on NetScaler

Just a quick reminder for securing your Citrix environment: if you are running a NetScaler Gateway for remote access to your Citrix XenApp/XenDesktop environment (or pretty much anything else), make sure to disable both secure and nonsecure client-initiated TLS/SSL renegotiation to avoid potential denial-of-service attacks.

Unfortunately, the default (as of NetScaler release 10.1) is the insecure setting of allowing TLS/SSL renegotiation.

You can set the appropriate options via the NetScaler GUI under "Advanced SSL Settings".

Make sure to select "ALL" (originally "FRONTEND_CLIENT"; see the update below) in the dropdown menu for Deny SSL Renegotiation.

Update: Since NetScaler 10.5, the default for fresh installations is to deny all SSL renegotiation. So the new recommendation is to set "Deny SSL Renegotiation" to ALL instead of FRONTEND_CLIENT if you have upgraded your NetScalers from a release earlier than 10.5.

Thanks to Boris Groenhout for letting me know via the Comments.

Afterwards, make sure everything is set appropriately by using the SSL scanner from Qualys Labs at https://www.ssllabs.com/ssltest. If you have configured everything correctly (regarding TLS/SSL renegotiation), you should see the following in the report generated by the SSL scanner:

You can also use the SSL scanner to check whether your SSL certificate chaining is working correctly and whether you are using secure cipher suites on your NetScaler Gateway.
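The scanner tests the gateway from outside; the setting can also be checked offline in a saved configuration. The following Python audit is an added example, not part of the original post or any Citrix tooling. It assumes the setting is stored as `-denySSLReneg <value>` on `set ssl parameter` and `add`/`set ssl profile` lines; the sample configuration, profile names and grade labels are constructed for illustration.

```python
import re

# Grades for -denySSLReneg values, following the post's advice (labels are
# this example's own): ALL is the current recommendation, FRONTEND_CLIENT was
# the original one, NONSECURE/NO still allow secure client renegotiation.
GRADES = {
    "ALL": "ok",
    "FRONTEND_CLIENT": "partial",
    "FRONTEND_CLIENTSERVER": "partial",
    "NONSECURE": "weak",
    "NO": "weak",
}

# Assumed line formats: the global SSL parameter and per-profile settings.
LINE_RE = re.compile(
    r"^(?:set\s+ssl\s+parameter"
    r"|(?:add|set)\s+ssl\s+profile\s+(?P<profile>\S+))\s+(?P<rest>.*)$",
    re.IGNORECASE,
)
OPT_RE = re.compile(r"-denySSLReneg\s+(\S+)", re.IGNORECASE)


def audit(conf_text):
    """Return (line_no, scope, value, grade) per scope; the last line wins."""
    latest = {}
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        opt = OPT_RE.search(m.group("rest")) if m else None
        if not opt:
            continue
        scope = f"profile:{m.group('profile')}" if m.group("profile") else "global"
        value = opt.group(1).upper()
        latest[scope] = (line_no, scope, value, GRADES.get(value, "unknown"))
    if "global" not in latest:
        # Not stored in the config: the release default applies, which the
        # post says allows renegotiation on releases before 10.5.
        latest["global"] = (None, "global", None, "default")
    return sorted(latest.values(), key=lambda f: (f[0] is None, f[0] or 0))


# Constructed sample configuration (not from a real appliance).
SAMPLE = """\
set ns hostName gw01
set ssl parameter -denySSLReneg FRONTEND_CLIENT
add ssl profile gw_frontend -sessReuse ENABLED -denySSLReneg ALL
add ssl profile legacy_fe -denySSLReneg NONSECURE
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A `default` grade for the global scope means the value is not in the file, so the result depends on the release the appliance was installed with.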

Updated 03.02.2016 - Added Notice regarding new Defaults for fresh NetScaler 10.5 Installations.