Configure full SSL VPN with Citrix NetScaler 12 in CLI and optimize the configuration to get an A+ on Qualys SSL Labs.
In this article, we will setup a full SSL VPN configuration with Citrix NetScaler 12 VPX (1000) using only the command line and we will optimize this configuration to follow the best practices from Citrix in order to get an A+ rating from Qualys SSL Labs.
More from the Lab!
- Building a Dual-Xeon Citrix Lab: Part 1 – Considerations
- Building a Dual-Xeon Citrix Lab: Part 2 – Hardware
- Building a Dual-Xeon Citrix Lab: Part 3 – Windows and Hyper-V installation
- Lab: Part 4 – Hyper-V Networking
- Lab: Part 5 – NetScaler 11 Architecture and Installation
- Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- Lab: Part 7 – Upgrade NetScalers in HA
- Lab: Part 8 – Save, Backup and Restore NetScaler 11 configuration
- Lab: Part 9 – Install Microsoft SQL Server 2014 (Dedicated)
- Lab: Part 10 – Citrix Licensing demystified
- Lab: Part 11 – Install XenDesktop 7.6
- Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale)
- Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- Lab: Part 14 – Citrix StoreFront 3.x
- Lab: Part 15 – Configure SSL in StoreFront
- Lab: Part 16 – StoreFront load balancing with NetScaler (Internal)
- Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
- Lab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
- Lab: Part 21 – Secure SSH Authentication with NetScaler (public-private key pair)
- Lab: Part 22 – Ultimate StoreFront 3 customization guide
- Lab: Part 23 – Securing Citrix StoreFront DMZ deployment
- Lab: Part 25 – Upgrade to Citrix StoreFront 3.7
- Lab: Part 26 – Install/Upgrade Citrix XenDesktop 7.11
- Lab: Part 27 – Getting started with Microsoft Azure
- Lab: Part 28 – Getting started with Citrix Cloud
- Lab: Part 29 – Configure XenDesktop And XenApp Service with Microsoft Azure and Citrix Cloud
- Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
- Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Lab: Part 32 – Configure MCS with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 33 – Configure Azure Quick Deploy with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 34 – Configure Site Aggregation for Citrix Workspace in Citrix Cloud with XenDesktop 7.x located on-premises
- Lab: Part 35 – Configure a Hybrid NetScaler MA Service environment in Citrix Cloud
- Lab: Part 36 – Configure ShareFile in Citrix Cloud with StorageZones on-premises
- Lab: Part 37 – Upgrade NetScaler HA pair with NetScaler MA Service in Citrix Cloud
- Lab: Part 38 – How to Configure Full VPN Setup with Citrix NetScaler in CLI
- Lab: Part 39 – Configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering
Getting started
For this lab, you need the following:
- NetScaler (12.0 at least) configured. For this lab, we are going to use the NetScaler HA pair running the NS12.1 48.13.nc firmware; you can take a look at this article: Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair).
- Public SSL/TLS certificate imported in the NetScaler configuration. Root and Intermediate certificates must also be imported and chained properly.
- Public IP
- A private IP available for the VPN virtual server (Ex: 192.168.1.27)
- A port available for the VPN (Ex: default 443 or 3000)
- An AD group available to restrict the access to the VPN. (Ex: cn=vpn_users,ou=groups,dc=citrixguru,dc=lab)
- A service account for the LDAP communication (See Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11)
Configure full SSL VPN with Citrix NetScaler in CLI
Add test user in the VPN group
In this post, VPN access will be restricted to users who are members of an AD group (cn=vpn_users,ou=groups,dc=citrixguru,dc=lab).

Create AlwaysOnProfile
Connect to your Citrix NetScaler via CLI.
Type the following command to create an AlwaysOnProfile:
add vpn alwaysONProfile vpn_alwayson_prof -clientControl ALLOW
You can make sure that the command was entered properly by typing show vpn alwaysONProfile:

Create session profile
The next step is to create a new Session Profile in NetScaler. Type the following command:
add vpn sessionAction vpn_session_prof -sessTimeout 360 -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -clientIdleTimeout 360 -clientCleanupPrompt OFF -homePage "https://www.citrixguru.com" -icaProxy OFF -clientlessVpnMode DISABLED -alwaysONProfileName vpn_alwayson_prof
You can make sure that the command was entered properly by typing show vpn sessionaction vpn_session_prof:

Create session policy
Then create a new Session Policy in NetScaler with the following command:
add vpn sessionPolicy vpn_session_pol ns_true vpn_session_prof
You can make sure that the command was entered properly by typing show vpn sessionpolicy vpn_session_pol:

Create a new LDAP server
Note: you can reuse one if you already have this configured.
add authentication ldapAction vpn_ldap_srv -serverIP 10.0.0.10 -serverPort 636 -ldapBase "cn=users,dc=citrixguru,dc=lab" -ldapBindDn svc_ldap@citrixguru.lab -ldapBindDnPassword <PASSWORD> -ldapLoginName sAMAccountName -searchFilter "memberof=cn=vpn_users,ou=groups,dc=citrixguru,dc=lab" -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED
You can make sure that the command was entered properly by typing show authentication ldapaction vpn_ldap_srv:

I published a post on this blog to configure LDAPS with NetScaler, see Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11.
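How the searchFilter above gates logins, as an added example (not code from this post, NetScaler or Citrix): NetScaler ANDs the configured searchFilter with the login-name lookup, so a user outside vpn_users gets no matching directory entry and fails at authentication instead of being admitted and denied later. The script models that against a constructed in-memory directory (the entries alice and bob are made up); the RFC 4515 escaping of the typed login name is part of the model's design, not a statement about NetScaler's internals.

```python
"""Model of how the post's ldapAction restricts VPN logins to vpn_users.
Added example with a constructed directory; not NetScaler or Citrix code."""
import re

# Values taken from the post's ldapAction
LDAP_LOGIN_NAME = "sAMAccountName"
SEARCH_FILTER = "memberof=cn=vpn_users,ou=groups,dc=citrixguru,dc=lab"

# Constructed directory: alice is a member of vpn_users, bob is not
DIRECTORY = [
    {"dn": "cn=alice,cn=users,dc=citrixguru,dc=lab",
     "sAMAccountName": "alice",
     "memberOf": ["cn=vpn_users,ou=groups,dc=citrixguru,dc=lab"]},
    {"dn": "cn=bob,cn=users,dc=citrixguru,dc=lab",
     "sAMAccountName": "bob",
     "memberOf": ["cn=domain users,cn=users,dc=citrixguru,dc=lab"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping: a typed login name must not be able to change
    the structure of the filter (e.g. '*' or ')' in the user name)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def effective_filter(username, login_attr=LDAP_LOGIN_NAME,
                     search_filter=SEARCH_FILTER):
    """NetScaler ANDs the configured searchFilter with the login-name lookup,
    so the group condition is evaluated at authentication time."""
    return "(&(%s=%s)(%s))" % (login_attr, escape_filter_value(username),
                               search_filter)


_TERM = re.compile(r"\(([^=()]+)=([^()]*)\)")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def matches(entry, filt):
    """Evaluate an AND-of-equalities filter against one entry. Attribute
    names and values compare case-insensitively, as AD does for these."""
    terms = _TERM.findall(filt)
    if not terms:
        return False
    attrs = {k.lower(): v for k, v in entry.items()}
    for name, wanted in terms:
        have = attrs.get(name.lower())
        if have is None:
            return False
        values = have if isinstance(have, list) else [have]
        if _unescape(wanted).lower() not in [str(v).lower() for v in values]:
            return False
    return True


def lookup_user(username, directory=DIRECTORY):
    """Return the DN the gateway would bind as, or None when no entry
    satisfies the combined filter (the login fails for non-members)."""
    filt = effective_filter(username)
    hits = [e["dn"] for e in directory if matches(e, filt)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for user in ("alice", "bob", "*"):
        print("%-6s -> %s" % (user, lookup_user(user)))
```

Running it shows alice resolving to her DN, bob (not in vpn_users) resolving to nothing, and a wildcard login name being escaped rather than matching every account.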
Create Authentication Policy
Then create a new Authentication Policy with the following command:
add authentication ldapPolicy ldap_vpn_pol ns_true vpn_ldap_srv
You can make sure that the command was entered properly by typing show authentication ldappolicy ldap_vpn_pol:

Create virtual server
Create a new virtual server for the VPN with the command below:
add vpn vserver vsng-vpn SSL 192.168.1.27 443 -downStateFlush DISABLED -Listenpolicy NONE
You can make sure that the command was entered properly by typing show vpn vserver vsng-vpn:

Bind SSL certificates
Next step is to bind the server certificate and the root CA certificate to the virtual server:
bind ssl vserver vsng-vpn -certkeyName CitrixGURU-Public
bind ssl vserver vsng-vpn -certkeyName RootCA-CitrixGURU.LAB -CA -ocspCheck Optional
You can make sure that the command was entered properly by typing show ssl vserver vsng-vpn:

Bind portal theme
Bind the X1 portal theme (optional):
bind vpn vserver vsng-vpn -portaltheme X1
You can make sure that the command was entered properly by typing show vpn vserver vsng-vpn | more:

Bind LDAP policy
Bind the ldap policy that we have created before with the virtual server:
bind vpn vserver vsng-vpn -policy ldap_vpn_pol -priority 100
You can make sure that the command was entered properly by typing show vpn vserver vsng-vpn | more:

Bind Session policy
Bind the session policy that we have created before with the virtual server:
bind vpn vserver vsng-vpn -policy vpn_session_pol -priority 100
You can make sure that the command was entered properly by typing show vpn vserver vsng-vpn | more:

At this point, the VPN should already be working, but we will apply some optimizations.
Additional configurations
Note: NetScaler automatically added the following configuration during our steps:
bind vpn vserver vsng-vpn -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver vsng-vpn -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver vsng-vpn -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver vsng-vpn -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver vsng-vpn -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver vsng-vpn -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
bind ssl vserver vsng-vpn -eccCurveName P_256
bind ssl vserver vsng-vpn -eccCurveName P_384
bind ssl vserver vsng-vpn -eccCurveName P_224
bind ssl vserver vsng-vpn -eccCurveName P_521
You don't need to type these during the configuration.
Optimizations
Enter the following commands to optimize the virtual server for Qualys:
set ssl parameter -denySSLReneg NONSECURE
set ssl vserver vsng-vpn -sessreuse DISABLED
create ssl dhparam "/nsconfig/ssl/dhkey2048-vpn.key" 2048 -gen 2
set ssl vserver vsng-vpn -dh ENABLED -dhFile "/nsconfig/ssl/dhkey2048-vpn.key"
set ssl vserver vsng-vpn -ssl3 DISABLED
set ssl vserver vsng-vpn -ssl2 DISABLED
set ssl vserver vsng-vpn -tls1 DISABLED
set ssl vserver vsng-vpn -HSTS ENABLED
bind ssl vserver vsng-vpn -eccCurveName ALL
set ssl vserver vsng-vpn -HSTS ENABLED -maxage 157680000
Citrix also provided the following list of cipher optimizations:
add ssl cipher ssllabs-smw-q2-2018
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-ECDSA-AES128-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-ECDSA-AES256-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-256-CBC-SHA
unbind ssl vserver vsng-vpn -cipherName DEFAULT
bind ssl vserver vsng-vpn -cipherName ssllabs-smw-q2-2018
The configuration above should give you an A+ on Qualys (July 2018).

Full configuration
add vpn alwaysONProfile vpn_alwayson_prof -clientControl ALLOW
add vpn sessionAction vpn_session_prof -sessTimeout 360 -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -clientIdleTimeout 360 -clientCleanupPrompt OFF -homePage "https://www.citrixguru.com" -icaProxy OFF -clientlessVpnMode DISABLED -alwaysONProfileName vpn_alwayson_prof
add vpn sessionPolicy vpn_session_pol ns_true vpn_session_prof
add authentication ldapAction vpn_ldap_srv -serverIP 10.0.0.10 -serverPort 636 -ldapBase "cn=users,dc=citrixguru,dc=lab" -ldapBindDn svc_ldap@citrixguru.lab -ldapBindDnPassword <PASSWORD> -ldapLoginName sAMAccountName -searchFilter "memberof=cn=vpn_users,ou=groups,dc=citrixguru,dc=lab" -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED
add authentication ldapPolicy ldap_vpn_pol ns_true vpn_ldap_srv
add vpn vserver vsng-vpn SSL 192.168.1.27 443 -downStateFlush DISABLED -Listenpolicy NONE
bind ssl vserver vsng-vpn -certkeyName CitrixGURU-Public
bind ssl vserver vsng-vpn -certkeyName RootCA-CitrixGURU.LAB -CA -ocspCheck Optional
bind vpn vserver vsng-vpn -portaltheme X1
bind vpn vserver vsng-vpn -policy ldap_vpn_pol -priority 100
bind vpn vserver vsng-vpn -policy vpn_session_pol -priority 100
set ssl parameter -denySSLReneg NONSECURE
set ssl vserver vsng-vpn -sessreuse ENABLED -sesstimeout 120
create ssl dhparam "/nsconfig/ssl/dhkey2048-vpn.key" 2048 -gen 2
set ssl vserver vsng-vpn -dh ENABLED -dhFile "/nsconfig/ssl/dhkey2048-vpn.key"
set ssl vserver vsng-vpn -ssl3 DISABLED
set ssl vserver vsng-vpn -ssl2 DISABLED
set ssl vserver vsng-vpn -tls1 DISABLED
set ssl vserver vsng-vpn -HSTS ENABLED
bind ssl vserver vsng-vpn -eccCurveName ALL
set ssl vserver vsng-vpn -HSTS ENABLED -maxage 157680000
add ssl cipher ssllabs-smw-q2-2018
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-ECDSA-AES128-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-ECDSA-AES256-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-256-CBC-SHA
unbind ssl vserver vsng-vpn -cipherName DEFAULT
bind ssl vserver vsng-vpn -cipherName ssllabs-smw-q2-2018
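Before submitting the virtual server to Qualys, a saved configuration (for example the command list in /nsconfig/ns.conf) can be checked offline for the hardening applied in the Optimizations section. The script below is an added example, not code from this post, NetScaler or Citrix: it parses NetScaler CLI commands, tracks the global ssl parameter, the per-vserver SSL settings and the cipher-group bindings, and reports anything that deviates from the settings above. It treats an unset protocol as enabled, assumes (as the unbind step in the post implies) that a new SSL vserver starts with the DEFAULT cipher group bound, and uses a name heuristic (ECDHE/DHE) for forward secrecy; the embedded sample is a constructed subset of the Full configuration.

```python
"""Offline audit of NetScaler CLI commands for the TLS hardening applied in
this post. Added example, not NetScaler or Citrix code."""
import shlex
from collections import defaultdict

ONE_YEAR = 31536000  # seconds; the post sets 157680000 (five years)

# Constructed sample: a subset of the post's "Full configuration"
SAMPLE_CONFIG = """\
add vpn vserver vsng-vpn SSL 192.168.1.27 443 -downStateFlush DISABLED -Listenpolicy NONE
bind ssl vserver vsng-vpn -certkeyName RootCA-CitrixGURU.LAB -CA -ocspCheck Optional
set ssl parameter -denySSLReneg NONSECURE
set ssl vserver vsng-vpn -dh ENABLED -dhFile "/nsconfig/ssl/dhkey2048-vpn.key"
set ssl vserver vsng-vpn -ssl3 DISABLED
set ssl vserver vsng-vpn -ssl2 DISABLED
set ssl vserver vsng-vpn -tls1 DISABLED
set ssl vserver vsng-vpn -HSTS ENABLED
set ssl vserver vsng-vpn -HSTS ENABLED -maxage 157680000
add ssl cipher ssllabs-smw-q2-2018
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher ssllabs-smw-q2-2018 -cipherName TLS1-AES-256-CBC-SHA
unbind ssl vserver vsng-vpn -cipherName DEFAULT
bind ssl vserver vsng-vpn -cipherName ssllabs-smw-q2-2018
"""


def parse_options(tokens):
    """'-ssl3 DISABLED -CA' -> {'ssl3': 'DISABLED', 'ca': True}; keys lower-cased."""
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tok[1:].lower()] = tokens[i + 1]
                i += 2
                continue
            opts[tok[1:].lower()] = True  # bare flag such as -CA
        i += 1
    return opts


def parse_config(text):
    """Collect the SSL state the audit needs from a list of CLI commands."""
    state = {"params": {}, "vservers": defaultdict(dict),
             "groups": {}, "bound": defaultdict(list)}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        t = shlex.split(line)
        if len(t) < 4:
            continue
        verb, kind, name = t[0], tuple(t[1:3]), t[3]
        if verb == "add" and kind[1] == "vserver" and len(t) > 4 and t[4].upper() == "SSL":
            state["bound"][name] = ["DEFAULT"]  # assumption: DEFAULT bound at creation
        elif verb == "set" and kind == ("ssl", "parameter"):
            state["params"].update(parse_options(t[3:]))
        elif verb == "set" and kind == ("ssl", "vserver"):
            state["vservers"][name].update(parse_options(t[4:]))
        elif verb == "add" and kind == ("ssl", "cipher"):
            state["groups"].setdefault(name, [])
        elif verb == "bind" and kind == ("ssl", "cipher"):
            state["groups"].setdefault(name, []).append(parse_options(t[4:])["ciphername"])
        elif verb in ("bind", "unbind") and kind == ("ssl", "vserver"):
            cipher = parse_options(t[4:]).get("ciphername")
            if cipher and verb == "bind":
                state["bound"][name].append(cipher)
            elif cipher and cipher in state["bound"][name]:
                state["bound"][name].remove(cipher)
    return state


def audit(state, vs):
    """Return the deviations from the post's optimizations (empty list = clean)."""
    v = state["vservers"].get(vs, {})
    findings = []
    for proto in ("ssl2", "ssl3", "tls1"):  # an unset protocol counts as enabled
        if v.get(proto, "ENABLED").upper() != "DISABLED":
            findings.append("%s not disabled" % proto)
    if v.get("hsts", "DISABLED").upper() != "ENABLED":
        findings.append("HSTS not enabled")
    elif int(v.get("maxage", 0)) < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    if v.get("dh", "DISABLED").upper() != "ENABLED":
        findings.append("DH parameters not enabled")
    if state["params"].get("denysslreneg", "NO").upper() == "NO":
        findings.append("client-initiated renegotiation not restricted")
    bound = state["bound"].get(vs, [])
    if "DEFAULT" in bound:
        findings.append("DEFAULT cipher group still bound")
    for group in bound:
        for cipher in state["groups"].get(group, []):  # groups not defined here are skipped
            if "DHE" not in cipher:  # matches both ECDHE and DHE key exchange
                findings.append("no forward secrecy: " + cipher)
    return findings


def audit_text(text, vs="vsng-vpn"):
    return audit(parse_config(text), vs)


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the sample it reports only the two RSA-key-exchange ciphers at the end of the Citrix list, which are the only entries without forward secrecy; removing the tls1 line or the DEFAULT unbind from the input makes the corresponding findings appear.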
Validate the VPN configuration
I will do this step with my Android phone and from the website.
Go to the store and download Citrix SSO (Android) or Citrix VPN (Apple Store).
Add a new connection.
Note: here I am using a different port for the VPN. I added a new NAT rule in my router to redirect port 3000 to my virtual server IP port 443.

Click Save and connect to the VPN. You will be prompted to enter your credentials.
Then the VPN session is connected.

You can take a look at the stats to confirm that you are connected.

Or go to whatismyip.com from the device to confirm that the IP is from the VPN host.

Test from the website.
Go to the VPN URL and log on.

The website will check if NetScaler Gateway Plug-in is installed.

You can also download the plug-in here: https://www.citrix.com/downloads/netscaler-gateway/plug-ins/netscaler-gateway-plug-in-clients-v121-4813.html.
Install it.

Then Chrome will prompt you to allow it to detect that the VPN session has started.

Note: you may have to reboot to finish the install.

Once connected, you will be automatically redirected to the homepage configured in the VPN session profile (citrixguru.com).
You can also connect to the VPN without going to the website.
Just open NetScaler Gateway plug-in.
Add a new connection.
You can click on Home page to be redirected to the homepage configured in the VPN session profile (citrixguru.com). By default, there is no automatic redirection in this case.
That’s all to configure a full SSL VPN in NetScaler with the CLI. I hope it helped. Cheers.