Add a certificate to NetScaler’s admin page


Usually the admin page is protected by a self-signed certificate, so if you browse to your NetScaler over SSL (and you should always manage your NetScaler over SSL!) you will see a certificate warning.

You might consider this warning irrelevant. It is your NetScaler, your intimate friend, so why worry? True, there is no problem as long as your network is safe.

We all know there are security audits every now and then, and the auditors won't accept the statement above. They will want to see secure communication to the management interface, without any issues.

So let's create a certificate. My NetScaler is 192.168.0.1, so I created a CSR for a host called 192.168.0.1. This does not exactly follow the RFC, but neither the Microsoft CA nor the NetScaler cares. I created the certificate and added it to my NetScaler.

How to use a self-signed certificate for NetScaler management

It took me some time to find out. It’s well hidden!

Under Internal Services, open the 192.168.0.1:443 service and add the newly created certificate.

This would be a perfect opportunity to disable SSL v3 and change the ciphers to the "TLS Only" or "HIGH" cipher group. You may find advice here.

Disable insecure Management

Test that secure management works first! Also check the upgrade dialogue (this is still done using Java).

Open System -> Network -> IPs.

Select your NetScaler IP and click Edit; scroll down to the end and check "Secure access only".

Do the same with your Subnet IP.

I think it would be a good idea to deselect FTP and Telnet too, as these are not secure protocols and are not needed to manage a NetScaler. Deselect SNMP if you don't need it.

Additional ways to protect management access

If you go to Network -> ACLs you'll find "Extended ACLs". You may deny all access to your NSIP and SNIPs and then allow only certain ports, and even limit access to certain management workstations' IPs.
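The whole procedure above (certificate on the internal service, SSL v3 off, secure-access-only, insecure protocols off, extended ACLs) as NetScaler CLI commands, added here as an example and not taken from the original post. It assumes mgmt-cert.cer and mgmt-cert.key were already uploaded to /nsconfig/ssl, an NSIP of 192.168.0.1, a SNIP of 192.168.0.2 and an admin workstation at 192.168.0.10; all of these are placeholders, and the # lines are comments for the reader.

```text
# --- 1. Bind the CA-issued certificate to the HTTPS management service ---
# (assumed: mgmt-cert.cer / mgmt-cert.key already uploaded to /nsconfig/ssl)
add ssl certKey mgmt-cert -cert mgmt-cert.cer -key mgmt-cert.key
bind ssl service nshttps-192.168.0.1-443 -certkeyName mgmt-cert

# --- 2. Harden the same internal service: no SSL v3, strong ciphers only ---
set ssl service nshttps-192.168.0.1-443 -ssl3 DISABLED -tls1 ENABLED
unbind ssl service nshttps-192.168.0.1-443 -cipherName DEFAULT
bind ssl service nshttps-192.168.0.1-443 -cipherName HIGH
show ssl service nshttps-192.168.0.1-443

# --- 3. Secure access only on NSIP and SNIP; drop FTP, Telnet and SNMP ---
# Test HTTPS management from a workstation BEFORE running these,
# otherwise you lock yourself out of the GUI.
set ns ip 192.168.0.1 -gui SECUREONLY -ftp DISABLED -telnet DISABLED -snmp DISABLED
set ns ip 192.168.0.2 -gui SECUREONLY -ftp DISABLED -telnet DISABLED -snmp DISABLED

# --- 4. Extended ACLs: allow the admin workstation, deny the rest to the NSIP ---
# The lower priority number wins, so ALLOW rules must carry lower numbers than the DENY.
# Add ALLOW rules for anything else the NSIP needs (HA peer, DNS, NTP, syslog) before the DENY.
add ns acl mgmt-allow-https ALLOW -srcIP 192.168.0.10 -destIP 192.168.0.1 -protocol TCP -destPort 443 -priority 10
add ns acl mgmt-allow-ssh   ALLOW -srcIP 192.168.0.10 -destIP 192.168.0.1 -protocol TCP -destPort 22  -priority 20
add ns acl mgmt-deny-rest   DENY  -destIP 192.168.0.1 -priority 100
apply ns acls
show ns acl

save ns config
```

Run the show commands and re-test management access from the admin workstation after each step, since a wrong ACL or a failed certificate bind is only recoverable from the console once the GUI is gone.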

Have fun

Johannes
