Tutorial: Securing the NetScaler Management Page
In this tutorial I’ll guide you in securing your management page. The goal of the tutorial is to make sure the NetScaler Management Page is SSL encrypted and AD integrated, meaning you’re able to log in with your Active Directory admin account. Let’s go!
First, encrypt the management page. We do want the page encrypted before entering domain passwords, of course 😉 In my case I use a self-signed certificate, so you need to add that certificate in the SSL section and link it to the Root CA cert that signed it.
Second, configure an IP in the IP section to allow the management protocols. You can use a SNIP or MIP address, but not a VIP. I already checked Secure Access Only, but make sure to finish this tutorial first before you do so (otherwise you lock yourself out of the GUI before the certificate is in place). I used my SNIP to allow the management protocols.
Now the next part is a little hidden. In the Load Balancing > Services section, open the action menu and choose Internal Services.
In this section you will find all the internal NetScaler services.
Open each of the secure services and configure the self-signed certificate on it.
After configuring the certs you can enable the Secure Access Only checkbox.

Now the AD integration part. In the System > Authentication > LDAP section, add an authentication server. You need to configure the Base DN where your admin accounts reside, and in the search filter you need to add the group the accounts must be a member of. Remember to start the search filter with memberOf=CN= (if you forget the CN part it won’t work).
After configuring the authentication server you need to configure the authentication policy. This policy needs to respond when a connection is made to (in my case) the SNIP address.
The policy then needs to be bound, this time globally.
To finish up, create the group in the Groups section and make it a superuser. The group name must of course match the name of the AD group.
Your nsroot account will still be active and you can’t disable it, so give it a very complex password and just don’t use it anymore.
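The same procedure as NetScaler CLI commands (typed over SSH), added here as an example; it is not part of the original tutorial and was not written by its author. Every IP address, certificate file name, object name and Active Directory DN is a placeholder of mine: the SNIP 10.0.0.10, the domain controller 10.0.0.20, the DNs under DC=lab,DC=local and the AD group NetScaler-Admins. The order matters in the same way the tutorial describes: the GUI is switched to Secure Access Only only after the certificate is bound to the internal HTTPS services. One thing the tutorial does not specify that I have added: the LDAP action talks LDAPS on port 636, so neither the bind password nor the admin credentials cross the network in clear text. The `#` lines are explanatory comments.

```text
# Added example (not from the original tutorial): CLI equivalent of the GUI steps.
# All IPs, names, file names and DNs are placeholders; replace them with your own.

# 1. Certificate for the management page, linked to the CA cert that issued it
add ssl certKey ns-mgmt-cert -cert ns-mgmt.crt -key ns-mgmt.key
add ssl certKey lab-root-ca -cert lab-root-ca.crt
link ssl certKey ns-mgmt-cert lab-root-ca

# 2. Management access on the SNIP; GUI deliberately NOT yet set to SECUREONLY
set ns ip 10.0.0.10 -mgmtAccess ENABLED -ssh ENABLED -telnet DISABLED -ftp DISABLED

# 3. Bind the certificate to the internal HTTPS service(s).
#    Use "show ssl service" to list them and repeat for every nshttps-* entry.
bind ssl service nshttps-127.0.0.1-443 -certkeyName ns-mgmt-cert

# 4. Only now restrict the GUI to HTTPS
set ns ip 10.0.0.10 -gui SECUREONLY

# 5. LDAP authentication server: Base DN holds the admin accounts, the search
#    filter starts with memberOf=CN= and names the group admins must belong to.
#    LDAPS (636) is my addition; the tutorial does not say which port it used.
add authentication ldapAction ldap_act_admins -serverIP 10.0.0.20 -serverPort 636 -secType SSL -ldapBase "OU=Admins,DC=lab,DC=local" -ldapBindDn "CN=svc-ns-ldap,OU=Service Accounts,DC=lab,DC=local" -ldapBindDnPassword "<bind-account-password>" -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NetScaler-Admins,OU=Groups,DC=lab,DC=local" -groupAttrName memberOf -subAttributeName CN

# 6. Policy that fires for logins arriving on the SNIP, bound globally
add authentication ldapPolicy ldap_pol_admins "REQ.IP.DESTIP == 10.0.0.10" ldap_act_admins
bind system global ldap_pol_admins -priority 100

# 7. System group named exactly like the AD group, with the superuser command policy
add system group NetScaler-Admins
bind system group NetScaler-Admins -policyName superuser 100

# 8. nsroot cannot be disabled: give it a long random password and stop using it
set system user nsroot -password "<long-random-password>"

save ns config

# Checks: GUI mode on the SNIP, cert on the internal service, LDAP settings
show ns ip 10.0.0.10
show ssl service nshttps-127.0.0.1-443
show authentication ldapAction ldap_act_admins
```

The policy expression uses the classic syntax of NetScaler releases that still have MIPs and classic authentication policies, as this tutorial does; if you want the LDAP policy to apply to logins on any management address, the built-in rule `ns_true` can replace the `REQ.IP.DESTIP` expression. Before running step 4, open https://10.0.0.10 in a browser and confirm the new certificate is served, so a mistake in step 3 cannot lock you out of the GUI.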