Product Documentation

Planning for Security

When planning your NetScaler Gateway deployment, you should understand basic security issues associated with certificates, and with authentication and authorization.

Configuring Secure Certificate Management

By default, NetScaler Gateway includes a self-signed Secure Sockets Layer (SSL) server certificate that enables the appliance to complete SSL handshakes. Self-signed certificates are adequate for testing or for sample deployments, but Citrix does not recommend using them for production environments. Before you deploy NetScaler Gateway in a production environment, Citrix recommends that you request and receive a signed SSL server certificate from a known Certificate Authority (CA) and upload it to NetScaler Gateway.

If you deploy NetScaler Gateway in any environment where NetScaler Gateway must operate as the client in an SSL handshake (initiate encrypted connections with another server), you must also install a trusted root certificate on NetScaler Gateway. For example, if you deploy NetScaler Gateway with Citrix XenApp and the Web Interface, you can encrypt connections from NetScaler Gateway to the Web Interface with SSL. In this configuration, you must install a trusted root certificate on NetScaler Gateway.

Authentication Support

You can configure NetScaler Gateway to authenticate users and to control the level of access (or authorization) that users have to the network resources on the internal network.

Before deploying NetScaler Gateway, your network environment should have the directories and authentication servers in place to support one of the following authentication types:

  • LDAP
  • RADIUS
  • TACACS+
  • Client certificate with auditing and smart card support
  • RSA with RADIUS configuration
  • SAML authentication

If your environment does not support any of the authentication types in the preceding list, or you have a small population of remote users, you can create a list of local users on NetScaler Gateway. You can then configure NetScaler Gateway to authenticate users against this local list. With this configuration, you do not need to maintain user accounts in a separate, external directory.

Planning for Security