Citrix ADC - Cipher Suites

Summary

Defining which Cipher Suites can be used when a client communicates with a Virtual IP (VIP) on a Citrix ADC. Since VIPs are client facing, they are subject to vulnerability scans and external threats. This document covers how to select which Cipher Suites are used (disabling the less secure/higher-risk suites).

Body

Summary

Cipher Suites are always a cause for concern when it comes to any vulnerability or SSL scan. Web servers have a lot of older cipher suites enabled that use algorithms that are considered weaker and less secure. Qualys is especially brutal on not having support for Diffie-Hellman key exchanges. As a result, we generally disable these weaker cipher suites on our IIS servers and can do the same on the Citrix ADC.

Systems Involved

  • ADCMAN.NIC.EDU

Overview

We are familiar with Cipher Suites from using Nartac's IIS Crypto software to harden an IIS server that is directly NAT'd to the Internet.

We can create a similar policy on the Citrix ADC. In the case of the ADC, you can create different Cipher Suite Groups (CSGs) and assign different CSGs to different VIPs. This is especially useful since we can have a VIP to host a site that requires legacy browsers that do not support the newer ciphers (hopefully we don't).

Before we go and look at the Cipher Suites, let's see which Cipher Suite your VIP uses. Click on the VIP and scroll down to the SSL Ciphers section. If no one has modified the SSL Ciphers for that particular VIP, it should use the DEFAULT Cipher Suite.

Rather than modifying the Default Cipher Group, we can add the various groups and individual Ciphers that are included with the ADC. However, that would mean you would have to click into each one to see which Ciphers are in which group.

Rather than having to select an existing group or cipher, we just created a new one called NIC_Default. To review or edit that Group, click on Traffic Management->SSL->Cipher Groups.

Custom Cipher Groups are at the end of this exhaustive list.

Check the box and click on Edit. You will be presented with a box that lists all the Cipher Suites that have been added to NIC_Default.

Currently, the only Ciphers that have been added to NIC_Default are TLS1.2 and TLS1.3 ciphers. If we need to add weaker ciphers, we can do so by clicking on the Add button.

Once you click OK, you will need to apply this Cipher Group to your VIP for it to take effect. Remember, any change to the ADC is real-time and takes effect as soon as you click OK.
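The same steps can be scripted from the ADC command line instead of the GUI. The script below is an added example, not part of the original article or a Citrix-provided tool: it builds the NetScaler CLI batch that creates the NIC_Default group, binds ciphers in priority order, swaps the VIP from DEFAULT to NIC_Default, and saves the running config. The VIP name vip_example and the cipher list are assumptions; the group name and ADC hostname come from this article.

```shell
#!/bin/sh
# Added example: generate the NetScaler CLI commands matching the GUI steps above.
# Group name NIC_Default and host ADCMAN.NIC.EDU are from the article; the VIP
# name and cipher list are constructed for illustration.

# Suites to bind, strongest first. Bind order becomes -cipherPriority, which
# is the order the ADC prefers suites in when negotiating with a client.
NIC_CIPHERS="TLS1.3-AES256-GCM-SHA384
TLS1.3-AES128-GCM-SHA256
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256"

# cipher_group_batch GROUP VIP  (reads one cipher name per line on stdin)
# Prints the command batch; nothing is sent to the ADC by this function.
cipher_group_batch() {
  group="$1"; vip="$2"; prio=1
  echo "add ssl cipher $group"
  while read -r c; do
    [ -n "$c" ] || continue
    echo "bind ssl cipher $group -cipherName $c -cipherPriority $prio"
    prio=$((prio + 1))
  done
  # Unbinding DEFAULT is the step that actually stops the weaker suites
  # from being offered; binding NIC_Default alone only adds to the list.
  echo "unbind ssl vserver $vip -cipherName DEFAULT"
  echo "bind ssl vserver $vip -cipherName $group"
  # The change is live immediately (as the article says); saving makes it
  # survive a reboot.
  echo "save ns config"
}

# batch_bind_count GROUP VIP -> number of cipher bind lines in the batch,
# a quick sanity check before anything is pushed to the appliance.
batch_bind_count() {
  echo "$NIC_CIPHERS" | cipher_group_batch "$1" "$2" | grep -c '^bind ssl cipher '
}

# Review the batch, then pipe it into the ADC CLI over SSH (assumes the
# nsroot login lands in the NetScaler CLI, which is the default):
#   echo "$NIC_CIPHERS" | cipher_group_batch NIC_Default vip_example
#   echo "$NIC_CIPHERS" | cipher_group_batch NIC_Default vip_example | ssh nsroot@ADCMAN.NIC.EDU
```

After applying, `show ssl vserver vip_example` on the ADC lists the bound cipher group so you can confirm DEFAULT is gone before the next scan runs.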


Details

Article ID: 136946
Created: Mon 11/22/21 6:52 PM
Modified: Tue 11/30/21 12:11 PM