SSL Virtual Servers – NetScaler 11

Last Modified: Aug 5, 2016 @ 2:39 pm

This page contains generic instructions for all SSL Virtual Servers including: Load Balancing, NetScaler Gateway, and Content Switching.


💡 = Recently Updated

Cipher Group


  1. Ryan Butler has a PowerShell script at Github that can automate NetScaler SSL configuration to get an A+.  💡
  2. The easiest way to create a cipher group is from the CLI. See Citrix Blogs Scoring an A+ at with Citrix NetScaler – 2016 update for cipher group CLI commands.
  3. Go to Traffic Management > SSL > Cipher Groups.
  4. On the right, click Add.
  5. Name it Modern or similar.
  6. In the middle, click Add.
  7. Use the search box to find a particular cipher.
  8. Check the box next to one of the results and click the arrow to move it to the right. See Citrix Blogs Scoring an A+ at with Citrix NetScaler – 2016 update for recommended ciphers. The recommended ciphers vary based on the hardware platform and support for older clients.
  9. Click Create when done.

Default SSL Profile

In NetScaler 11.0 build 64 and newer, SSL Profiles are much more functional. You can use SSL Profiles to disable SSLv3, bind ciphers, and bind ECC curves.

Note: the default SSL Profile affects all SSL Virtual Servers unless you create additional SSL Profiles and bind the additional SSL Profiles to individual SSL Virtual Servers.

Citrix CTX201710 Cipher/Protocol Support Matrix of NetScaler Appliances – VPX 11.0 build 64 and older supports fewer ciphers than MPX. This was corrected in 11.0 build 65.

NetScaler 11.0 build 65 adds TLS 1.2 for back-end connections from VPX appliances. However, it does not appear to be possible to enable TLS 1.2 on SSL Profiles on VPX. If you don’t enable the default SSL profiles then you can enable TLS 1.2 on each Service Group or Service. If you are using VPX, don’t enable Default SSL profile as detailed in this section. 💡

NetScaler 11.0 build 64 and older does not do a proper handshake with TLS 1.2 IIS servers. To work around this problem, disable TLS 1.2 on the load balancing services as detailed at CTX205578 Back-End Connection on TLS 1.1/1.2 from NetScaler to IIS Servers Break. Or upgrade to 11.0 build 65.

Also see CTX205576 NetScaler to Back-End SSL Handshake Failure on Disabling SSL 3.0 on Back-End (Physical) Servers. These articles describe both SSL services and SSL_BRIDGE services.

  1. Go to Traffic Management > SSL.
  2. On the right, in the right column, click Change advanced SSL settings.
  3. Near the bottom, check the box next to Enable Default Profile. Note: this will change SSL settings on all SSL Virtual Servers to match the default SSL profile. You might want to do this during a maintenance window. Click OK when done.
  4. If you go back into Advanced SSL Settings, notice that the Default Profile is enabled and there’s no way to disable it.
  5. To change the default SSL profile, on the left, go to System > Profiles.
  6. On the right, switch to the SSL Profile tab.
  7. Highlight the frontend or backend default profile and click Edit. Note: this is the same place where you can create more SSL profiles.
  8. Notice that SSLv3 is disabled by default.
  9. If you do any SSL Offload (SSL on the client side, HTTP on the server side) then you’ll need to edit the Basic Settings section and enable SSL Redirect. Or you can create a new SSL Profile with this option enabled. It’s near the bottom of the section. With this option enabled, any 301/302 redirects from the server with HTTP locations are rewritten to HTTPS locations. You might need this option for StoreFront load balancing if doing SSL Offload.
  10. It’s currently not possible to bind user-defined cipher groups using the GUI but you can easily do this using the CLI. First unbind the DEFAULT cipher group and then bind the Modern cipher group.
    unbind ssl profile ns_default_ssl_profile_frontend -cipherName DEFAULT
    bind ssl profile ns_default_ssl_profile_frontend -cipherName Modern

  11. If you edit one of your SSL Virtual Servers, there’s an SSL Profile section indicating that the default profile is being used. You can change the binding to a different SSL Profile.

Bind Certificate, Bind Cipher Group, Disable SSLv3, Enable STS

NetScaler 11.0 build 64 and older do not do a proper handshake with TLS 1.2 IIS servers. To work around this problem, disable TLS 1.2 on the load balancing services as detailed at CTX205578 Back-End Connection on TLS 1.1/1.2 from NetScaler to IIS Servers Break. Also see CTX205576 NetScaler to Back-End SSL Handshake Failure on Disabling SSL 3.0 on Back-End (Physical) Servers. These articles describe both SSL services and SSL_BRIDGE services.

  1. When creating the SSL Virtual Server, on the left, in the Certificates section, click where it says No Server Certificate.
  2. Click where it says Click to select.
  3. Select a certificate and click Select.
  4. Click Bind.

    bind ssl vserver MyvServer -certkeyName MyCert
  5. If the SSL Parameters section isn’t added, on the right, in the Advanced Settings column, click SSL Parameters.
  6. On the left, in the SSL Parameters section, click the pencil icon.
  7. Uncheck the box next to SSLv3. This removes a security vulnerability. Make sure TLSv11 and TLSv12 are enabled. Click OK.

    set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
  8. On the right, in the Advanced Settings column, click SSL Ciphers.
  9. On the left, in the SSL Ciphers section, select the previously created Modern Cipher Group and click OK.

    unbind ssl vserver MyvServer -cipherName ALL
    bind ssl vserver MyvServer -cipherName Modern
  10. If you see a warning about No usable ciphers, click OK and ignore it.
  11. SSL Virtual Servers created on newer versions of NetScaler will automatically have ECC Curves bound to them. However, if this appliance was upgraded from an older version then the ECC Curves might not be bound. On the right, in the Advanced Settings section, click ECC Curve.
  12. On the left, in the ECC Curve section, click where it says No ECC Curve.
  13. Click to select.
  14. Choose ALL and click Select.

    bind ssl vserver MyvServer -eccCurveName ALL
  15. Click Bind.
  16. Consider enabling Strict Transport Security by creating a rewrite policy and binding it to this SSL Virtual Server. See Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated). Also see CTX205221 How Do I Do HSTS on NetScaler?

    enable ns feature rewrite
    add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
    add rewrite policy insert_STS_header true insert_STS_header
    bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

SSL Tests

After you’ve created an SSL Virtual Server, run the following tests:
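One such test, written here as an added Python example rather than anything from the original page: it connects to the SSL Virtual Server with TLS 1.2 as the client-side floor, reports the negotiated protocol and cipher, and checks that the Strict-Transport-Security header inserted by the rewrite policy carries a max-age of at least one year. The VIP address, host name, `verify` switch and one-year threshold are assumptions for illustration; Python's ssl module cannot speak SSLv3, so confirming that SSLv3 is rejected still needs an external scanner.

```python
import http.client
import socket
import ssl
from typing import Optional

# The max-age value used by the page's rewrite action: 5 years in seconds.
PAGE_HSTS_MAX_AGE = 157680000
# Assumed acceptance threshold for the check below (one year).
ONE_YEAR = 365 * 24 * 3600


def parse_hsts(header: Optional[str]) -> dict:
    """Split a Strict-Transport-Security header value into a directive map.
    Directive names are lower-cased; a missing header gives {}."""
    directives = {}
    if header is None:
        return directives
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_is_acceptable(header: Optional[str], minimum: int = ONE_YEAR) -> bool:
    """True only if the header is present and max-age is a number >= minimum."""
    value = parse_hsts(header).get("max-age", "")
    return value.isdigit() and int(value) >= minimum


def probe(host: str, port: int = 443, server_name: Optional[str] = None,
          verify: bool = True, timeout: float = 5.0) -> dict:
    """Connect to the vServer with TLS 1.2 as the client-side floor, record what
    was negotiated, then send HEAD / and read the HSTS header from the response.
    server_name is the SNI/Host name to send when host is the VIP address."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:  # e.g. a lab certificate the client does not trust
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    sni = server_name or host
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            negotiated = {"protocol": tls.version(), "cipher": tls.cipher()[0]}
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    conn.request("HEAD", "/", headers={"Host": sni})
    hsts = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    negotiated["hsts"] = hsts
    negotiated["hsts_ok"] = hsts_is_acceptable(hsts)
    return negotiated


if __name__ == "__main__":
    # Assumed lab values; replace with your own VIP and host name.
    print(probe("192.0.2.10", server_name="storefront.example.com", verify=False))
```

When `host` is the VIP address rather than a DNS name, pass `verify=False` (or connect by name) so certificate name checking does not fail before the probe reaches the HSTS check; a result with `protocol` of TLSv1.2 or higher, an ECDHE cipher and `hsts_ok` True matches the configuration built in the previous section.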

SSL Redirect – Down vServer Method

If you created an SSL Virtual Server that only listens on SSL 443, then users must enter https:// when navigating to the website. To make it easier for the users, create another load balancing Virtual Server on the same VIP that listens on HTTP 80 and redirects the user’s browser to reconnect on SSL 443.

The Down Virtual Server Method is easy but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect.

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  2. On the right, find the SSL Virtual Server you’ve already created, right-click it and click Add. Doing it this way copies some of the data from the already created Virtual Server.
  3. Change the name to indicate that this new Virtual Server is an SSL Redirect.
  4. Change the Protocol to HTTP on Port 80.
  5. The IP Address should already be filled in. It must match the original SSL Virtual Server. Click OK.
  6. Don’t select any services. This vServer must intentionally be marked down so the redirect will take effect. Click Continue.
  7. On the right, in the Advanced Settings column, click Protection.
  8. In the Redirect URL field, enter the full URL including https://. For example: Click OK.

  9. Click Done.
  10. When you view the SSL redirect Virtual Server in the list, it will have a state of DOWN. That’s OK. The Port 80 Virtual Server must be DOWN for the redirect to work.

SSL Redirect – Responder Method

The Down Virtual Server Method is easy but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect. This method requires the Redirect Virtual Server to be UP.

  1. Create a dummy Load Balancing service. This dummy service can be bound to multiple Redirect Virtual Servers.

  2. Name it AlwaysUp or similar.
  3. Use a loopback IP address (e.g. After the service is created it changes to a NetScaler-owned IP.
  4. Click the More link.
  5. This dummy service must always be UP so uncheck the box next to Health Monitoring. Click OK and then click Done.

    add server
    add service AlwaysUp HTTP 80 -healthMonitor NO
  6. On the left, expand AppExpert and click Responder.
  7. If Responder is not enabled, right-click Responder and click Enable Feature.

    enable ns feature RESPONDER
  8. Under Responder, click Actions.
  9. On the right, click Add.
  10. Give the action a name.
  11. Change the Type to Redirect.
  12. Enter an expression. The following expression can be used by multiple Redirect Virtual Servers. Or you can create a Responder Action with a more specific Target. Click Create.

    add responder action http_to_ssl_redirect_responderact redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 302
  13. On the left, under Responder, click Policies.
  14. On the right, click Add.
  15. Give the policy a name.
  16. Select the previously created Responder action.
  17. For the expression, enter the following. Then click Create.

    add responder policy http_to_ssl_redirect_responderpol HTTP.REQ.IS_VALID http_to_ssl_redirect_responderact
  18. Create a Load Balancing Virtual Server with Protocol HTTP and Port 80. The VIP should match an existing SSL Virtual Server or NetScaler Gateway Virtual Server.

  19. Bind the Dummy (AlwaysUp) service, and click OK.

  20. On the right, in the Advanced Settings column, click Policies.
  21. Click the plus icon in the top right of the Policies box.
  22. Select Responder and click Continue.
  23. Select the Redirect Responder policy and click Bind. Then click Done.

    add lb vserver MyvServer-HTTP-SSLRedirect HTTP 80
    bind lb vserver MyvServer-HTTP-SSLRedirect AlwaysUp
    bind lb vserver MyvServer-HTTP-SSLRedirect -policyName http_to_ssl_redirect_responderpol -priority 100 -gotoPriorityExpression END -type REQUEST
  24. The primary advantage of this method is that the Redirect Virtual Server is UP.
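The Responder action and policy above, modelled in Python as an added example (not NetScaler code from the page): the first function builds the Location value the same way the action expression does, and the second takes a raw port-80 request and returns the 302 response the policy produces, which shows why this method keeps the original host, path and query where the Down vServer method sends everyone to one fixed URL. The set of characters left unencoded is an assumed approximation of HTTP_URL_SAFE, the "Found" reason phrase and the 400 fallback are assumed, and the host names are constructed.

```python
from urllib.parse import quote

# Characters passed through unencoded. This is an assumed approximation of
# NetScaler's HTTP_URL_SAFE; the exact set may differ, but the intent is the
# same: anything that would break a URL or a header line gets percent-encoded.
_HOST_SAFE = ".:-"
_PATH_SAFE = "/?&=:+%~@!$'()*,;"


def responder_redirect(hostname: str, path_and_query: str) -> tuple:
    """Model of the page's Responder action:
    "https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE
               + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE
    with -responseStatusCode 302. Returns (status, Location value)."""
    location = ("https://" + quote(hostname, safe=_HOST_SAFE)
                + quote(path_and_query, safe=_PATH_SAFE))
    return 302, location


def redirect_for_request(raw_request: bytes) -> bytes:
    """Take the raw HTTP/1.1 request the port-80 vServer receives and return
    the 302 response the Responder policy produces. The policy expression is
    HTTP.REQ.IS_VALID, so every well-formed request is redirected; a request
    line that cannot be parsed gets a 400 instead (assumed for this model)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    try:
        _method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    status, location = responder_redirect(host, target)
    return (f"HTTP/1.1 {status} Found\r\n"
            f"Location: {location}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    # Constructed sample request, as a browser would send it to http://<VIP>/.
    sample = (b"GET /Citrix/StoreWeb/?from=a%20b HTTP/1.1\r\n"
              b"Host: storefront.example.com\r\n"
              b"User-Agent: sample\r\n\r\n")
    print(redirect_for_request(sample).decode("latin-1"))
```

Because the expression reuses whatever Host header the client sent, the same action serves every Redirect Virtual Server; the URL-safe conversion is what keeps the Location header a single well-formed line even when the request carries characters that do not belong in a URL.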


38 thoughts on “SSL Virtual Servers – NetScaler 11”

  1. Hi Carl,
    I have problems getting a Java FTP client to work.
    We have the Serv-U FTP server which provides SFTP as well as a web gui.
    I have configured a LB server for the TCP22 connection and all works fine from ex. FileZilla FTP client.
    Our users can also connect to a HTTPS gui and up/download files. This GUI is configured as a CS that accepts the HTTPS connection and forwards it to a LB vserver that is load balancing between the 2 servers. the connection “on the back” is also HTTPS.
    Here comes the problem:
    From the HTTPS gui the user can launch a Java “FTP” client that connects using the credentials from the HTTPS connection. This Java application launches without problems but when transferring files the files will copy approx 20-40 sec and the the connection is dropped. I have tried to capture the traffic but since it is HTTPS it doesn’t reveal much.
    Connecting directly to the Serv-U servers all works fine.
    Have you seen this type of behaviour?

    1. If you look in ns.conf, there is a command to enable it. You can remove that command and reboot. Then you’ll probably have to reconfigure your SSL vServer SSL settings.

  2. Hello Carl,

    I figured I would ask you this question, I have been struggling with some time.

    We are using PaloAlto to perform SSL decryption for Sharefile to block malware and certain file types; however, PA does not support Diffie Helmen ciphers so I need to create a custom cipher suite. This has been completed but here is the issue.

    I currently have sharefile on a CSW and really don’t want to burn another public IP for the ciphers, but what I noticed is that the client only respects the ciphers on the CSW not the LB VIP. Is there any way to redirect the cipher negotiation to the LB vip??

  3. I applied all of the settings on a NetScaler 11.0 66.11nc VPX. I now get my A+ at SSLLABS, but can’t login anymore. Only get a blank page. On my Server 2012 R2 Storefront 3.6 installation I have a bunch of “Schannel” Errors, that the ciphers are not supported. What do I have to change in the IIS to work with the A+ NetScaler?

      1. At least not intentional. I’m testing the github script right now ( instead of doing it by myself. But I remember having the same error in the past, while I first tried to achieve the A+.
        But if you mean “ns_default_ssl_profile_backend” then no, I don’t think there has been a change.
        I really just want the A+ and the StoreFront setup working.
        Maybe I have this error:

    1. I solved the error according to “”
      Had to disable TLS1.2 on the IIS. Seems to be a pretty bad joke from Microsoft..

  4. Hi Carl, you recommend to not use Default SSL Profile with NetScaler 11.0 VPX 65.
    Do you know if this has been solved with “build-11.0-66.11_nc” so we can now follow your guide the same for MPX and VPX?

    1. I have not done it at any customer so I don’t know if it works or not. I believe it’s fixed in 11.0 build 65. It seems to work in 11.1. However, even in 11.1, enabling default SSL Profile disables new features. So I’m more inclined to skip the Default SSL Profile and instead manually bind a Custom SSL Profile to each SSL vServer.

      1. Thank you very much. I will also stick to the manual way, and will ignore the SSL Profile feature.
        If the GitHub Script works as well as it seems, then it won’T be more work anyway.

  5. Thanks for all this work. It is a big help to the NetScaler community.
    I have an issue with an SSL offload implementation.
    The backend server runs Oracle Application Server. The appserver responds to http:7778 for initiation and redirects to Oracle SSO Server listening on http:7777.
    I setup the ssl offload using a CS on https:4443 and works for the oracle appserver only, i.e. it works for http:7778.
    I have 2 CS policies one for each lb service http:7778 and http:7777, but the ssl offload does not work with authentication portion.
    Here is the config I have so far.
    add server csmstest_server -comment oracle-app-csms-appdev
    add service csmstest_http_78_svc csmstest_server HTTP 7778 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
    add service csmstest_http_77_svc csmstest_server HTTP 7777 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
    add ssl certKey csmstest -cert csmstest.cer -key csmstest
    link ssl certKey csmstest mreca02
    add lb vserver csmstest_http_78_lb_vserv HTTP 80 -persistenceType NONE -Listenpolicy None -cltTimeout 180
    add lb vserver csmstest_http_77_lb_vserv HTTP 80 -persistenceType NONE -Listenpolicy None -cltTimeout 180
    add cs vserver csw_vserv_SSL_csmstest SSL 443 -cltTimeout 180 -Listenpolicy None
    add cs vserver csw_vserv_HTTP_csmstest HTTP 80 -cltTimeout 180 -Listenpolicy None
    add cs policy csw_pol_csmstest-78 -rule "HTTP.REQ.URL.CONTAINS(\"/csms\")"
    add cs policy csw_pol_csmstest-77 -rule "HTTP.REQ.URL.CONTAINS(\"/mysso/\")"
    bind lb vserver csmstest_http_78_lb_vserv csmstest_http_78_svc
    bind lb vserver csmstest_http_77_lb_vserv csmstest_http_77_svc
    bind cs vserver csw_vserv_SSL_csmstest -policyName csw_pol_csmstest-78 -targetLBVserver csmstest_http_78_lb_vserv -priority 110
    bind cs vserver csw_vserv_SSL_csmstest -policyName csw_pol_csmstest-77 -targetLBVserver csmstest_http_77_lb_vserv -priority 120
    bind cs vserver csw_vserv_HTTP_csmstest -policyName http-to-https_responder_pol -priority 100 -gotoPriorityExpression END -type REQUEST
    bind ssl vserver csw_vserv_SSL_csmstest -certkeyName csmstest

    Using curl here is the sequence of events:

    curl -I -v -s http://sy00011.bc.broward.cty:7778/csms/ 1 > /dev/null
    * About to connect() to sy00011.bc.broward.cty port 7778
    * Trying… connected
    * Connected to sy00011.bc.broward.cty ( port 7778
    > HEAD /csms/ HTTP/1.1
    > User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    > Host: sy00011.bc.broward.cty:7778
    > Accept: */*
    < HTTP/1.1 302 Redirect to Oracle SSO Server
    < Location: http://sy00011.bc.broward.cty:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.4~159632FC~ACB59D2A915DB34889C1DA173C7543564A62BDF208D5A5668644D98510E12414DE6CF10EE6C0901E78A32A16210785C079E5DAE778BC27B6F9FACFC9626002B1743B241BBBD02175D173F77FB635A1737DC2239837EAD684C79BD5CB167306982B48CF09916071436A7CF96FD9D2377F2918142F042286011463B9223410EC4FD72B056649CF5EE20605427132B82B7018CB18E01055B09C9647CD846A6151102CAD625650AC8974BAEEDBFC58561D574FEDD6B45FA31A9316C5B2A3CCD4A5FA0348C04A79D9E9C2530EBE40940C92B9
    < Cache-Control: private
    < Content-Type: text/html
    < Set-Cookie: JSESSIONID=c0a8bec630dc86caf5c34e334edfa5beb1b5f4505112.e3mOc3yQa3eLe34Sa3ySb38Ob3f0mRbHqObGrlbOnl92; path=/csms
    < Server: Oracle-Application-Server-10g/ Oracle-HTTP-Server OracleAS-Web-Cache-10g/ (N;ecid=84994757831,0)
    < Date: Tue, 28 Jun 2016 14:10:13 GMT
    < Osso-Paranoid: true
    * Connection #0 to host sy00011.bc.broward.cty left intact
    * About to connect() to 1 port 80
    * Trying… Failed to connect to Invalid argument
    * Success
    * couldn't connect to host
    * Closing connection #1
    * Closing connection #0

  6. If the Access Gateway Virtual Server is configured to use (for the sake of brevity) ciphers 1, 2, 3, and 4 (in that order) AND the AG VServer is talking to the STAs over https then does the OS of the STAs, Windows 2k8R2 for example, need to also support those same ciphers suites?

    If that is a correct statement, then does the order come into play? In other words, if the client browser hits the AG VIP and an ECDHE GCM cipher is supported and it uses it. The client browser and the NetScaler support that cipher, authentication can happen, but the STAs (2k8R2) do not, users will get a TLS handshake will fail when they attempt to launch an app?

    1. The ciphers on the Gateway vServer only apply to the client-side of the connection.

      When NetScaler connects to STA it’s using a server-side connection, which allows all ciphers. You can verify this by running a network trace on NetScaler and look for SSL Handshake.

  7. Hi, very good job that you are doing here! :).
    Have you ever tested the check with the latest NetScaler release (11.0-65.35)?
    For me an error occurred and I think because of the release version and not because of my settings.
    Would be great if you could proof it.


      1. After a couple of seconds it says “Assessment failed: Unable to connect to the Server”.
        Usually it works without a problem.

        Moreover in the description it says (next to some other possible reasons for the failure):
        “NetScaler issues – some NetScaler versions appear to reject SSL handshakes that do not include certain suites or handshakes that use a few suites. If the test is failing and there is a NetScaler load balancer in place, that’s most likely the reason”

        I am using a “near to default” SSL-Profile, just with DHE configured for PFS.
        TLS 1.2 is also activated in the profile.
        I have also added the TLS1.2 ciphers although using the VPX but they finally seem to work with this release.
        Removing the TLS1.2 ciphers from the SSL-Profile did not change anything.

        Unfortunately I have activated the default ssl-profile setting on the VPX before I noticed that this setting seems to be “irreversible”.
        Any idea why it is not possible to revert this setting?

        Everything is working fine but I would like to know why the test is failing.
        It might also be a firewall issue – I did not do a ssllabs check before I upgraded to the latest release so I don’t know if it has worked before.

  8. Hi Carl, I tried to apply http to http redirection to a web service. Users inside and outside the local network have to reach the site through the internet; the firewall has ports 80 and 443 open and they are pointed to the NS VIP on port 443 and 80 respectively. If I test the site using the FQDN the user reaches the public IP but it seems like it does not hit the VIP address; if I use the private IP on the LAN redirection seems to work, but it kind of looks like redirection doesn’t work when I use FQDN/path. Do you have any suggestions? Thanks in advance

    1. Is your NetScaler connected to multiple subnets? If so then your networking/routing might not be setup correct. Enabling Mac Based Forwarding might help.

      What is your Responder policy expression?

      You’ll probably need to do some network troubleshooting. Does the DNS name resolve correctly? Use tools like WireShark or Fiddler to troubleshoot.

      1. Hi Carl, Thank you for your response. I am connected to multiple subnets (gonna double check if I do have MBF activated), this is my responder policy “https://\” + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE”, I will also try with fiddler to see if I have any luck. Thanks!

        1. Actually, that’s the Responder action.

          I think I see an extra backslash in there.

          The NetScaler GUI lets you Evaluate your expressions to make sure they work correctly.

  9. Carl, I’ve created a site called apps-test that is working beautifully. Custom portal theme, two form authentication, load balanced storefront, everything is working great. The problem is that the test is over and now management wants the site rebranded to just “” for deployment. When I change the cert and change the URL on the storefronts, it still somehow tries to go to apps-test instead, the browser complains about the cert, and even the custom portal theme is wrecked.

    So my question is, what is the correct way to change the URL and cert on a virtual server without breaking everything? Please and thanks in advance.

    1. You can search through the NetScaler config for the wrong URL. I’m guessing you have a hard coded site redirect somewhere – either on NetScaler or on StoreFront.

    1. Are you asking how to configure two different RADIUS policies for NetScaler Gateway? If so, follow my two-factor instructions but replace LDAP with your first RADIUS policy.

      Or are you instead asking how to load balance RADIUS?

  10. Hi Carl

    Not sure if I’m right here, but let me ask a question.
    I tried to configure STA on netscaler over a LB vserver (one for each STA!) and set Netprofiles on the Services because we have multiple SNIPs. Everything works with STA on port 80 but not on port 443.

    Do you have an idea, how to configure STA vserver for https?
    I’m now searching for so long with no success. Maybe you have a solution?


    1. Are you saying that you created the SSL LB for each STA and configured Gateway with https:// STA URLs and it doesn’t work?

      1. Yes, that’s correct. The same way with http it works! Tried to configure LB with TCP 443 or SSL_TCP 443 or SSL_Bridge with no success.
        Any idea?

        1. The protocol should be SSL. I’ll try to do it myself and see if it works. Do you also have SSL cert on the STA server?

          1. What if you add a https Service?
            For me it works as well with a http Service. But if I Change it to a SSL Service it doesn’t work anymore.
            We do have a SSL certificate on the STA Server.
            What type of certificate do you add on the SSL LB vServer?
            Did you configure https://VIP with the IP address of the LB vServer or with a DNS Name?

          2. I did VIP (IP Address). That eliminates DNS issues. NetScaler doesn’t verify certs so it works.

            I’ll try an SSL service later. But usually SSL -> HTTP is the more difficult case.

            Maybe you have a physical NetScaler with one of the builds that enables TLS 1.2 on the services. In that case you can try disabling TLS 1.1/1.2 on the SSL service.

  11. Have you tried NetScaler v11 62.10 yet? I’m having a terrible time finding a set of ciphers for a test VPX instance that doesn’t give me “No usable ciphers configured on the SSL vserver” error.
