Add a certificate to NetScaler’s admin page


Usually, the admin page is protected by a self-signed certificate. So if you surf to your NetScaler using SSL (and you always should manage your NetScaler using SSL!!!) you’ll face a certificate warning.

You might consider this warning to be of no relevance. It is your NetScaler, your intimate friend, so why worry? True. There is no problem as long as your network is safe.

We all know there are security audits every now and then. And they won’t agree to the statement above. They’ll want to see secure communication to the management interface. Without any issues.

So let’s create a certificate. My NetScaler is 192.168.0.1, so I created a CSR for a host called 192.168.0.1. This does not exactly follow the RFC, but neither Microsoft CA nor NetScaler cares about it. I created the certificate and added it to my NetScaler.
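The CSR step above, as an added example that is not part of the original post: for a URL that names an IP address, RFC 2818 (section 3.1) expects the address in an iPAddress subjectAltName entry, and current browsers and TLS libraries match against that entry rather than the CN. The script builds a CN-only CSR and one with the SAN, then checks each. The function names and file names are assumptions, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post). Builds CSRs for a management IP
# and checks whether the address is present as an iPAddress SAN entry.
# make_csr / csr_has_ip_san and all file names are hypothetical.

# make_csr IP KEYFILE CSRFILE [san]
# Without "san": CN only. With "san": CN plus subjectAltName IP:<address>.
make_csr() {
    ip=$1 key=$2 csr=$3 mode=${4:-cn}
    if [ "$mode" = san ]; then
        openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
            -subj "/CN=$ip" -addext "subjectAltName = IP:$ip"
    else
        openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
            -subj "/CN=$ip"
    fi
}

# csr_has_ip_san CSRFILE IP
# Exit status 0 only if the CSR requests exactly "IP Address:<IP>" as a SAN.
# SAN entries are comma-separated in the text dump, so split them first and
# compare whole lines (192.168.0.1 must not match 192.168.0.10).
csr_has_ip_san() {
    openssl req -in "$1" -noout -text \
        | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//' \
        | grep -Fxq "IP Address:$2"
}

# Demo with the NSIP used in the post, in a throwaway directory.
# -nodes leaves the private key unencrypted, so delete or protect it afterwards.
work=$(mktemp -d)
make_csr 192.168.0.1 "$work/cn.key" "$work/cn.csr"
make_csr 192.168.0.1 "$work/san.key" "$work/san.csr" san
for f in cn san; do
    if csr_has_ip_san "$work/$f.csr" 192.168.0.1; then
        echo "$f.csr: iPAddress SAN present"
    else
        echo "$f.csr: CN only, no iPAddress SAN"
    fi
done
rm -rf "$work"
```

After the CA signs the request, run the same text dump on the issued certificate (`openssl x509 -in cert.pem -noout -text`) to confirm the SAN survived issuance.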

How to use a self-signed certificate for NetScaler management

It took me some time to find out. It’s well hidden!

InternalServices
So we’ll open up this 192.168.0.1:443 service and add the newly created certificate.

This would be a perfect opportunity to disable SSLv3 and change the ciphers to the “TLS Only” or “high” cipher group. You may find advice here.

Disable insecure Management

Test if secure management is possible first! Also, check the upgrade dialogue (this is still done using Java).

Open up System -> Network -> IPs

Select your NetScaler IP and click edit; scroll down to the end and check “secure access only”.

Do the same with your Subnet IP.

I think it would be a good idea to deselect FTP and telnet too, as these are not secure protocols and are not needed to manage a NetScaler. Deselect SNMP if you don’t need it.

Additional ways to protect management access

Well, if you click on Network -> ACLs you’ll find “extended ACLs”. You may deny all access to your NSIP and SNIPs and then allow certain ports and even limit access to certain management workstations’ IPs.

Have fun

Johannes


By Johannes Norz
