Implement HSTS/STS on your NetScaler Gateway

Today another small Blogpost on making your NetScaler Gateway / Access Gateway Environment (or any other Website published through a NetScaler) a little more secure by implementing HTTP Strict Transport Security (HSTS or STS). HSTS is a Response Header that tells Browsers to reach the Site only over HTTPS for the Duration given in max-age. This should take you no longer than 15 Minutes to implement.

Let's get started. First we have to create a Rewrite Action and a Rewrite Policy. We start with the Rewrite Action:

Configure the Rewrite Action with the following Parameters as shown in the Screenshot.

  • Name: Insert_STS_Header (feel free to name it whatever you want to)
  • Type: INSERT_HTTP_HEADER
  • Header Name: Strict-Transport-Security
  • String: "max-age=157680000"

The max-age Value is given in seconds (157680000 seconds equals five years).

For all the CLI Fans here are the needed Snippets:

The next Step is to create the Rewrite Policy.

Create the Rewrite Policy with the following Parameters (see the following Screenshot)

  • Name: Enforce_STS
  • Action: select the previously created Rewrite Action
  • Expression: TRUE

The last Configuration Step is to bind it to your NetScaler Gateway / Access Gateway vServer under Policies -> Rewrite (Response) and make sure to save your running Config.
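The same three Steps (Rewrite Action, Rewrite Policy, Binding) on the NetScaler CLI, as an added example that is not the Author's own Snippet: the vServer Name gw_vserver is a Placeholder, and the Lines starting with # are Annotations, not Commands.

```text
# Rewrite action: insert the HSTS header into every response.
# The expression is a string literal, so the value needs escaped inner quotes.
# 157680000 seconds = 5 years.
add rewrite action Insert_STS_Header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
# Rewrite policy with expression TRUE, so the action is applied to every response.
add rewrite policy Enforce_STS TRUE Insert_STS_Header
# Bind the policy at response time to the Gateway vServer (gw_vserver is a placeholder).
bind vpn vserver gw_vserver -policy Enforce_STS -priority 100 -gotoPriorityExpression END -type RESPONSE
# Persist the running configuration.
save ns config
```

After binding, a quick Check is to request any Page on the Gateway over HTTPS and look for the Strict-Transport-Security Header in the Response; the Qualys Scan mentioned below reports the same Thing. Only add includeSubDomains to the Header Value if every Subdomain of the Gateway's Domain is really served over HTTPS, because Browsers will refuse plain HTTP to all of them for the whole max-age.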

To make sure you have configured everything correctly you can use the SSL Scanner from Qualys Labs. You should see something similar to this:

Feel free to read my previous Blogpost on how to disable TLS/SSL Client Renegotiations on NetScaler for more SSL/TLS Security.

Disable TLS/SSL Client Renegotiation on NetScaler

Just a quick Reminder for securing your Citrix Environment: If you are running a NetScaler Gateway for your Remote Access to your Citrix XenApp/XenDesktop Environment (or pretty much anything else) make sure to disable secure and nonsecure TLS/SSL renegotiations initiated by a client to avoid potential Denial of Service Attacks. A Renegotiation forces the NetScaler to repeat the expensive Handshake Computation on an existing Connection, so a Client that keeps renegotiating can burn CPU at low Cost to itself.

Unfortunately the default setting (as of NetScaler Release 10.1) is the insecure one: TLS/SSL Renegotiations are allowed.

You can set the appropriate Options via the NetScaler GUI under the "Advanced SSL Settings".

Make sure to select "FRONTEND_CLIENT" "ALL" in the Dropdown menu for Deny SSL Renegotiation.

Update: Since NetScaler 10.5 (for fresh Installations) the new Default is to deny all SSL Renegotiations. So the new recommendation is to set "Deny SSL Renegotiation" to ALL instead of FRONTEND_CLIENT if you have upgraded your NetScalers from <10.5.
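The same Setting on the NetScaler CLI, as an added example that is not from the original Post; the Lines starting with # are Annotations, not Commands.

```text
# Global SSL parameter: deny every client-initiated renegotiation (secure and nonsecure).
# On a NetScaler older than 10.5 use FRONTEND_CLIENT instead of ALL, as in the GUI step above.
set ssl parameter -denySSLReneg ALL
# Verify the effective value before trusting an external scan.
show ssl parameter
# Persist the running configuration.
save ns config
```

The Setting is global, so it covers every SSL vServer on the Appliance at once; re-run the Qualys Scan afterwards to confirm that Client-initiated Renegotiation is reported as not supported.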

Thanks to Boris Groenhout for letting me know via the Comments.

Afterwards make sure everything is set appropriately by using the SSL Scanner from Qualys Labs under: https://www.ssllabs.com/ssltest. If you have configured everything correctly (regarding TLS/SSL Renegotiation) you should see the following in the Report generated by the SSL Scanner:

You can also use the SSL Scanner to check if your SSL Certificate Chaining is working correctly and if you are using secure Cipher Suites on your NetScaler Gateway.

Updated 03.02.2016 - Added Notice regarding new Defaults for fresh NetScaler 10.5 Installations.

Configure NetScaler Gateway for Receiver Storefront Access

I have seen quite a lot of Questions in the CitrixIRC Channel on how to correctly configure the NetScaler Access Gateway (now named NetScaler Gateway) to provide access to Storefront Services (also often called CloudGateway Express) for all the different Citrix Receivers.

The following Configuration is intended for a CloudGateway Express Implementation (Storefront without the AppController). The Load Balancing of the Storefront Servers itself should already be working (see my other Blogpost on how to setup Storefront Load Balancing).

I'll just dump a lot of Screenshots of my NetScaler Gateway Configuration without any further explanations in the hope of helping someone out there in configuring the NetScaler Gateway + Storefront. If you have questions, feel free to leave a comment below.

Screenshots after the break.

INFO: Since NetScaler 10.5 you need to set the Receiver for Web Site via the Web Interface Address Field under Published Applications (and no longer via the Home Page Field as seen in the Screenshot) in the NetScaler GUI. See this Blogpost regarding the Changes.

Citrix NetScaler Storefront Load Balancing

A quick Guide on how to setup your Storefront Servers for Load Balancing under NetScaler.

The first Step is to add your Storefront Servers as Servers in the NetScaler GUI under Load Balancing -> Servers. My Storefront Servers are my existing Citrix WebInterface Servers, which are currently running WebInterface 5.4 and Storefront 2.0 side by side.

The next Step is to configure the needed Storefront Monitors. Since NetScaler Release 10.1 there is a new built-in Storefront Monitor. For every Storefront Server you are going to load balance you should create a separate Monitor (see my older Blogpost for more Information).

Update: Since NetScaler Build 10.1-123.9 the Storefront Monitor Script has been updated by Citrix and no longer requires the Hostname. So you can now use a single Storefront Monitor for all your Storefront Servers.

If you are load balancing an HTTPS/SSL Storefront Deployment make sure to tick the "Secure" Box when configuring the NetScaler Monitor under Standard Parameters (not shown in the Screenshot because of a Bug in the older NetScaler Builds before 10.1-123.9).

Under the "Special Parameters" Tab fill in the Hostname of your Server hosting the Storefront Services and also fill in the Store Name you chose during the initial Storefront Installation and Configuration.

Step 3 is to create your Storefront Services under Load Balancing -> Services. Bind your newly created Storefront Monitors to your Services. If you have created separate Monitors for every Storefront Server, make sure to bind the correct Monitor to the corresponding Storefront Service or else your Monitor will mark your Service as DOWN.

Under the "Advanced" Tab you'll have to enable the "Client IP" checkbox and put X-Forwarded-For into the Textfield (like in the Screenshot).

The last step is to create the Virtual Server which will be load balancing your two (or more) Storefront Servers. Choose an IP and activate the previously created Storefront Services (svc_sf01 and svc_sf02 in my case). I would recommend creating a new DNS A Record pointing to your new Virtual IP (it should be the same Alias you chose during the Storefront Configuration).

Under "Method and Persistence" choose Round Robin or Least Connection as LB Method. Under Persistence you should select SOURCEIP and set the Time-out to 20 Minutes (Default Timeout in Storefront).

Finally create a new SSL Cert pointing to the DNS Alias you created earlier and bind the SSL Cert to the Virtual Server. Done. 
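The whole Procedure (Servers, Monitor, Services, Virtual Server, Certificate) on the NetScaler CLI, as an added example that is not from the original Post. It assumes a Build of 10.1-123.9 or newer, so a single Storefront Monitor without Hostname is used for both Servers; the IP Addresses, the Store Name "Store", the Object Names and the certkey Name sf_cert are Placeholders, and the Lines starting with # are Annotations, not Commands.

```text
# Step 1: the two StoreFront servers (placeholder IPs).
add server sf01 10.0.0.11
add server sf02 10.0.0.12
# Step 2: built-in StoreFront monitor. -secure YES because the store is served over HTTPS,
# -storename must match the store created during the StoreFront installation.
add lb monitor mon_sf STOREFRONT -storename Store -secure YES
# Step 3: one SSL service per server, each bound to the StoreFront monitor.
add service svc_sf01 sf01 SSL 443
add service svc_sf02 sf02 SSL 443
bind service svc_sf01 -monitorName mon_sf
bind service svc_sf02 -monitorName mon_sf
# "Client IP" checkbox on the Advanced tab: forward the real client IP in X-Forwarded-For.
set service svc_sf01 -CIP ENABLED X-Forwarded-For
set service svc_sf02 -CIP ENABLED X-Forwarded-For
# Step 4: the virtual server on the VIP the DNS A record points to, least connection,
# SOURCEIP persistence with the 20 minute StoreFront default timeout.
add lb vserver vs_sf SSL 10.0.0.10 443 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP -timeout 20
bind lb vserver vs_sf svc_sf01
bind lb vserver vs_sf svc_sf02
# Step 5: certificate whose subject matches the DNS alias (certkey sf_cert is a placeholder).
bind ssl vserver vs_sf -certkeyName sf_cert
# Persist the running configuration.
save ns config
```

After saving, "show service svc_sf01" and "show lb vserver vs_sf" should report the Services as UP; if a Service stays DOWN, the usual Causes are a Store Name that does not match the one in StoreFront or the Monitor probing plain HTTP against an HTTPS-only Store.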

Feel free to leave a comment if you have questions.

Skip vDisk Boot Menu under PVS 7.0/7.1

Under Provisioning Services 6.1 I had disabled the vDisk Boot Menu for all of my Maintenance/Test Target Devices by setting the "SkipBootMenu" DWORD Registry Key as described in the Citrix Support Article CTX135299.

After upgrading my Provisioning Servers to Version 7.x the PVS vDisk Boot Menu reappeared even though the SkipBootMenu Value was still present. After a quick Call with Citrix it was determined that the Registry Key has been moved from:

  • Old: HKLM\Software\Citrix\ProvisioningServices\SkipBootMenu (PVS 6.x)
  • New: HKLM\Software\Citrix\ProvisioningServices\StreamProcess\SkipBootMenu (PVS 7.x)

The correct Registry Key Location for PVS 7.0

After moving the Registry Key to the new Location and restarting the StreamService my Maintenance/Test Target Devices are now skipping the vDisk Boot Menu again. Problem solved!