Tutorial: Securing the NetScaler Management Page

4 Jun

In this tutorial I’ll guide you through securing your NetScaler management page. The goal is to make sure the management page is SSL encrypted and AD integrated, meaning you can log in with your Active Directory admin account. Let’s go!

First, encrypt the management page. We want the page encrypted before entering domain passwords, of course 😉 In my case I use a self-signed certificate, so you need to add that certificate in the SSL section and link it to the root CA certificate that signed it.


Second, configure an IP in the IP section to allow the management protocols. You can use a SNIP or MIP address, but not a VIP. I already have Secure Access Only checked, but make sure to finish this tutorial before you do the same. I used my SNIP to allow the management protocols.


The next part is a little hidden. In the Load Balancing > Services section, open the Action menu and choose Internal Services.


In this section you will find all the internal NetScaler services.


Open all the secure services to configure the self-signed certificate.


After configuring the certs you can enable the Secure Access Only checkbox.

Now the AD integration part. In the System > Authentication > LDAP section, add an authentication server. Configure the Base DN where your admin accounts reside, and in the search filter add the group the accounts need to be a member of. Remember to start the search filter with memberOf=CN= (if you forget the CN part it won’t work).


After configuring the authentication server you need to configure the authentication policy. You need this policy to respond when a connection is made to the (in my case) SNIP address.


And the policy needs to be bound. This time globally.


To finish up, create the group in the Groups section and make it a superuser. The group name must, of course, match the name of the AD group.


Your nsroot account will still be active and you can’t disable it. So give it a very complex password and just don’t use it anymore.
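
The GUI steps above correspond roughly to the NetScaler CLI commands below. This is an added example, not taken from the original post: every name, IP address, DN and file name is a placeholder assumption, and `ns_true` is used as the policy rule in place of the SNIP-specific rule the post describes.

```netscaler
# Added example with placeholder values; adjust to your environment.

# 1. Install the management certificate and link it to the CA cert that signed it
add ssl certKey mgmt-cert -cert mgmt.example.cer -key mgmt.example.key
add ssl certKey lab-root-ca -cert lab-root-ca.cer
link ssl certKey mgmt-cert lab-root-ca

# 2. Allow the management protocols on the SNIP (192.0.2.10 is a placeholder).
#    Secure Access Only is deliberately left off until the certs are bound.
set ns ip 192.0.2.10 -mgmtAccess ENABLED

# 3. Bind the certificate to the secure internal services.
#    List them first with "show service -internal"; names can differ per build.
bind ssl service nshttps-127.0.0.1-443 -certkeyName mgmt-cert
bind ssl service nsrpcs-127.0.0.1-3008 -certkeyName mgmt-cert

# 4. Only now enforce HTTPS for the GUI (the Secure Access Only checkbox)
set ns ip 192.0.2.10 -gui SECUREONLY

# 5. LDAP authentication server. The search filter holds the full DN of the
#    admin group, starting with memberOf=CN= as the tutorial stresses.
#    -groupAttrName / -subAttributeName make the appliance extract the group's
#    CN so it can be matched against a local system group.
add authentication ldapAction ldap-mgmt -serverIP 192.0.2.20 -ldapBase "OU=Admins,DC=example,DC=local" -ldapBindDn "svc-netscaler@example.local" -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NetScaler-Admins,OU=Groups,DC=example,DC=local" -groupAttrName memberOf -subAttributeName CN

# 6. Authentication policy, bound globally (ns_true = match every request)
add authentication ldapPolicy ldap-mgmt-pol ns_true ldap-mgmt
bind system global ldap-mgmt-pol -priority 100

# 7. Local group named exactly like the AD group, with the superuser policy
add system group NetScaler-Admins
bind system group NetScaler-Admins -policyName superuser 100

save ns config
```

Keep an existing nsroot session open while testing an AD login in a second session, so a mistake in the search filter or group name does not lock you out.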
