Shared security responsibilities

Actions needed from customers

The following are some of the actions required from customers as part of security best practices.

  • Credentials for accessing the Adaptive Authentication UI: The customer is responsible for creating and maintaining the credentials for accessing the Adaptive Authentication UI. If the customer is working with Citrix Support to resolve an issue, the customer might need to share these credentials with support personnel.

  • Multifactor authentication: As a best practice, customers must configure multifactor authentication policies to prevent unauthorized access to the resources.

  • Authentication Credentials: Customers must configure their authentication credentials as per the general security and password standards.

  • Remote CLI access security: Citrix provides remote CLI access for customers. However, customers are responsible for maintaining the security of the instance during runtime.

  • SSL private keys: As the NetScaler® is under customer control, Citrix does not have any access to the file system. Customers must ensure that they safeguard the certificates and keys that they are hosting on the NetScaler instance.

  • Data backup: Back up the configuration, certificates, keys, portal customizations, and any other file system modifications.

  • Disk images of the NetScaler instances: Maintain and manage the NetScaler disk space and disk clean-up. For details, see Instance Management.

  • For a sample load-balanced LDAPS configuration, see Sample LDAP and LDAPS load balancing configuration.

Actions needed from both the customer and Citrix

  • Disaster recovery: In supported Azure regions, the NetScaler high availability instances are provisioned in separate availability zones to safeguard against data loss. In the event of Azure data loss, Citrix recovers as many resources in the Citrix-managed Azure subscription as possible.

    In the event of the loss of an entire Azure region, the customer is responsible for rebuilding their customer-managed virtual network in a new region and creating a new VNet peering.

  • Secure access via the public management IP address:

    Secure access to the management interfaces through the assigned public IP addresses, and allow outbound connectivity to the Internet.
