Support for Thales nShield® HSM

A non-FIPS Citrix ADC appliance stores the server’s private key on the hard disk. On a FIPS appliance, the key is stored in a cryptographic module known as a hardware security module (HSM). Storing a key in the HSM protects it from physical and software attacks. In addition, the keys are encrypted by using special FIPS-approved ciphers.

Only the Citrix ADC MPX 9700/10500/12500/15500 FIPS appliances support a FIPS card. Support for FIPS is not available on other MPX appliances, or on the SDX and VPX appliances. This limitation is addressed by supporting a Thales nShield® Connect external HSM on all Citrix ADC MPX, SDX, and VPX appliances except the MPX 9700/10500/12500/15500 FIPS appliances.

Thales nShield® Connect is an external FIPS-certified network-attached HSM. With a Thales HSM, the keys are securely stored as application key tokens on a remote file server (RFS) and can be reconstituted inside the Thales HSM only.

If you are already using a Thales HSM, you can now use a Citrix ADC to optimize, secure, and control the delivery of all enterprise and cloud services.


  • Thales HSMs comply with FIPS 140-2 Level 3 specifications, while the MPX FIPS appliances comply with Level 2 specifications.
  • You cannot decrypt the trace while using the Thales HSM. Because the response from the HSM to the Citrix ADC appliance is encrypted, only the Hardserver can read it.

Supported versions matrix

| Citrix ADC Version | Thales Client Version | Hardserver Version | Thales Firmware Version |
|---|---|---|---|
| 10.5e, 11.0, 11.1, 12.0, 12.1 | 11.70, 11.72 | 2.71.2 | 2.50.16, 2.51.10 |
