Release Notes for Build 53.22 of NetScaler 10.5 Release

Updated: February 4, 2016 | Release notes version: 2.0
The release notes describe the changes or enhancements, fixed issues, and known issues in Build 53.22. The list of known issues is cumulative, that is, it includes issues that are newly found in this build and also issues from previous builds.
Fixed Issues
The issues that are addressed in Build 53.22.
AAA-TM
  • Logging Errors in NetScaler Log Files
    The NetScaler appliance now stores AAA authentication logs.
    - Errors and warnings are logged in the /var/nslog/ns.log file.
    - Information and debug level logs are logged in the /var/log/nsvpn.log file.
    [# 482228, 479557]
Command Line Interface
  • You can now configure a timeout value for the NetScaler shell on a per-user basis. Before this change, the shell would never time out.
    To set the shell timeout value for a user:
    > set system user <userName> -timeout <value>
    Note: This configuration is effective only if the "restrictedTimeout" parameter of the "set system parameter" is ENABLED.
    [# 329003]
  • The NetScaler appliance now displays a customizable banner before you log on through either the console or SSH.
    The default banner is a warning, enclosed in "#########", that says that only authorized users may access the system.
    You can customize this message as follows:
    1. Go to the shell.
    2. Add your customized message to the "/nsconfig/issue" (for the console) and/or "/nsconfig/issue.net" (for SSH) files.
    3. Reboot the appliance (simplest option) or copy the modified files to the "/etc/" directory.
    Note: If you only want to modify the existing message, you can copy the relevant file from the "/etc/" directory to the "/nsconfig/" directory, modify it, and then copy it back to the "/etc/" directory.
    Important: If you do not want any banner, make sure the files exist but have no content.
    [# 328532, 328749, 515659]
NITRO API
  • Viewing the Statistics of Services and Service Groups that are Bound to a Load Balancing Virtual Server
    You can now view the statistics of services and service groups that are bound to a load balancing virtual server by using the following URL:
    http://<netscaler-ip-address>/nitro/v1/stat/lbvserver/<name>?statbindings=yes
    You cannot view these details by using the "http://<netscaler-ip-address>/nitro/v1/stat/lbvserver/<name>" URL, which gives only the statistics of the load balancing virtual server itself.
    [# 241950, 244603, 523907, 534804, 538057]
Networking
  • Blocking Traffic on Internal Ports
    The NetScaler appliance does not block traffic that matches an ACL rule if the traffic is destined for the appliance's NSIP address, or one of its SNIP addresses, on a port in the 3008-3011 range.
    This behavior is now controlled by the new Implicit ACL Allow (implicitACLAllow) parameter of the L3 parameters command, which is enabled by default. Disable this parameter if you want to block traffic to ports in the 3008-3011 range. An appliance in a high availability configuration makes an exception for its partner (primary or secondary) node and does not block traffic from that node.
    To disable or enable this parameter by using the command line interface
    At the command prompt, type:
    > set l3param -implicitACLAllow [ENABLED|DISABLED]
    Note: The parameter implicitACLAllow is enabled by default.
    Example
    > set l3param -implicitACLAllow DISABLED
    Done
    [# 529317]
Platform
  • OpenSSL libraries are now integrated to operate in the FIPS mode.
    [# 523834]
  • You can now remove a file securely from the file system. At the shell prompt, type:
    # srm [OPTION]... [FILE]...
    [# 527258]
SSL
  • The OpenSSL package used on the NetScaler appliance is now upgraded to version 1.0.1j.
    [# 452688, 506955, 549168]
  • A NetScaler MPX-FIPS appliance displays the following error message while executing long-running commands, such as create fipskey: "ERROR: Communication error with the packet engine."
    [# 252153, 250774, 257216]
  • Denying Nonsecure SSL Renegotiation (nCore)
    SSL and TLS renegotiations are vulnerable to a man-in-the-middle (MITM) attack in which the attacker injects its own content as a prefix to a TLS connection. A new option addresses this vulnerability. If you specify NONSECURE as the value of the denySSLReneg parameter in the "set ssl parameter" command, any nonsecure renegotiations are denied. For more information about this attack, see RFC 5746. For more information about setting this parameter, see "Configuring Advanced SSL Settings" in the "SSL Offload and Acceleration" chapter of the Traffic Management Guide for 9.3.e at http://support.citrix.com/article/CTX130084.
    [# 235426, 243397, 262636, 381919]
  • If you restart a NetScaler appliance that has FIPS firmware version 2.2, the FIPS key might be temporarily unavailable.
    [# 572645, 563418, 576719, 594569, 603072]
  • The NetScaler appliance fails if it receives an incorrectly formatted SSL/TLS record protocol header, because the code processes the TLS packet as type DTLS and tries to reference a NULL pointer.
    [# 544556, 560176]
  • Support for TLS protocol version 1.1 and 1.2 on MPX 9700/10500/12500/15500 FIPS Appliances
    FIPS firmware version 2.2 supports TLS protocol versions 1.1 and 1.2. From the command line, you can update the firmware version of the FIPS card of a NetScaler MPX 9700/10500/12500/15500 FIPS appliance from version 1.1 to version 2.2.
    For successful SIM key propagation from primary to secondary in a high availability (HA) pair, the Cavium firmware version on each appliance should be identical. Perform the firmware update on the secondary appliance first. If executed on the primary appliance first, the long-running update process causes a failover.
    Limitations
    - Secure renegotiation is supported only on SSL virtual servers and front-end SSL services.
    - Creating a certificate signing request by using a key that was created on firmware version 1.1 and updated to firmware version 2.2 fails.
    - You cannot create a 1024-bit RSA key on firmware version 2.2. However, if you have imported or created a 1024-bit FIPS key on firmware version 1.1 and you then update to firmware version 2.2, you can use that FIPS key on firmware version 2.2.
    - Secure renegotiation using SSLv3 protocol is not supported.
    For more details about this update, see http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/fips/update-fipscard-firmware-version_2_2.html.
    [# 461099, 329027]
  • Upgrading the Firmware on your MPX-FIPS Appliances
    A new command updates the firmware on your MPX-FIPS appliance. The updated firmware provides support for TLS protocol version 1.1 and 1.2.
    For more information, see http://docs.citrix.com/en-us/netscaler/10-5/ns-tmg-wrapper-10-con/ns-ssl-wrapper-con-10/ns-tmg-fips-wrapper-con-10/ns-tmg-fips-update-fipscard-firmware-version_2_2_tsk.html.
    [# 240092, 251736]
  • You can now enable FIPS mode on any NetScaler appliance. In FIPS mode, the user land daemons of the appliance use FIPS 140-2 Level-1 certified crypto algorithms. At the NetScaler command prompt, type:
    > set system parameter -fipsUserMode [enable | disable]
    You must save the configuration and restart the appliance for the changes to become effective.
    [# 525828, 524658]
  • If you try to create a FIPS key of fewer than 2048 bits on firmware version 2.2, an error message appears. However, if you have imported or created a 1024-bit FIPS key on firmware version 1.1 and you then update to firmware version 2.2, you can use that FIPS key on firmware version 2.2.
    [# 519822]
  • Earlier, sensitive information such as passwords and keys, except system user passwords, was encrypted by using the RC4 encryption method, and if two keys or passwords were the same, the encrypted strings were also the same.
    Now, the appliance uses the AES256-CBC cipher with a dynamic KEK (Key Encryption Key). As a result, even if two keys or passwords are the same, the encrypted string for each is different.
    To generate a dynamic KEK, at the NetScaler command prompt, type:
    > create system kek <PassPhrase>
    [# 276434, 251873]
  • The output of the show fips command now includes the firmware build number.
    [# 533545]
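The contrast in the RC4-to-AES item above, as an added Go example that is not Citrix code: RC4 under one fixed key yields the same encrypted string for the same secret, while AES-256-CBC under a KEK with a fresh random IV for every encryption does not. The random 32-byte kek, the RC4 key and the sample secret are constructed for the example; how the appliance derives its KEK from the create system kek passphrase is not documented here and is not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rc4"
	"fmt"
)

// rc4Encrypt models the earlier scheme: RC4 under one fixed key is
// deterministic, so two identical secrets give identical encrypted strings.
func rc4Encrypt(key, secret []byte) []byte {
	c, err := rc4.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(secret))
	c.XORKeyStream(out, secret)
	return out
}

// aesCBCEncrypt wraps a secret with AES-256-CBC under a 32-byte KEK: PKCS#7
// pad it, prefix a fresh random IV, so equal secrets no longer encrypt alike.
// CBC alone gives no integrity; stored secrets would also need a MAC or AEAD.
func aesCBCEncrypt(kek, secret []byte) []byte {
	block, err := aes.NewCipher(kek)
	if err != nil {
		panic(err)
	}
	n := aes.BlockSize - len(secret)%aes.BlockSize
	body := append(append([]byte{}, secret...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(body))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], body)
	return out
}

func main() {
	kek := make([]byte, 32) // stands in for the dynamic KEK; its derivation from the passphrase is not documented here
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	secret, rc4Key := []byte("Passw0rd!"), []byte("fixed-key") // constructed samples
	fmt.Println("rc4 strings equal:", bytes.Equal(rc4Encrypt(rc4Key, secret), rc4Encrypt(rc4Key, secret)))       // true
	fmt.Println("aes-cbc strings equal:", bytes.Equal(aesCBCEncrypt(kek, secret), aesCBCEncrypt(kek, secret))) // false
}
```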
System
  • If password-based authentication is used to open an SSH session to a NetScaler appliance, the wrong remote IP address is recorded in the NetScaler syslog records.
    [# 286861, 301935, 513312, 522183, 541332]
  • NetScaler users who are associated with the "network" command policy are now restricted from viewing audit messages.
    Note: Previously, "network" users could view audit messages, and could therefore view the commands executed by any user.
    [# 221833]
  • Configuring Password Complexity
    You can now configure the level of complexity for the user passwords defined on a NetScaler appliance. To do this, you must configure the following:
    - Specify the scope for strong passwords: Enable strong passwords for all users or only for local NetScaler users. By default, this field is disabled.
    - Specify the minimum length of the passwords: The default minimum length for a non-strong password is 1 character, and for a strong password it is 4 characters. A strong password must contain at least one lowercase character, one uppercase character, one numeric character, and one special character from the set (!, @, #, (, ), $, %, ^, &, *).
    Configure by using the CLI:
    > set system parameter -strongpassword (disabled | enableall | enablelocal) -minpasswordlen <positive_integer>
    !!! Important !!! After enabling strong passwords for the appliance, make sure that you update the passwords to match the strong password criteria. Otherwise, users with weak passwords cannot access the appliance. To locate the weak passwords, in the shell, go to the "/netscaler" directory and run the "nsconfigaudit -weakpasswd" utility.
    [# 277008, 493645]
  • The NetScaler Application Delivery Controller (ADC) and NetScaler Gateway are vulnerable to arbitrary code execution in a SOAP interface, as described at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7140.
    Refer to the Citrix security bulletin on this issue at http://support.citrix.com/article/CTX200206.
    With this fix, the ADC and NetScaler Gateway no longer allow a remote attacker to execute arbitrary code.
    [# 483340]
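A checker for the strong-password rules in the "Configuring Password Complexity" item above, as an added Go example that is not Citrix code and not the nsconfigaudit utility: it reports which of the stated rules a candidate password breaks, so accounts can be screened before -strongpassword is enabled. CheckPassword and the constant names are this example's own; the enableall/enablelocal scope distinction is not modelled.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Special characters the notes accept, and the default -minpasswordlen values
// they quote (1 for a non-strong password, 4 for a strong one).
const (
	StrongSpecials      = "!@#()$%^&*"
	DefaultMinLen       = 1
	DefaultStrongMinLen = 4
)

// CheckPassword returns every rule pw violates under the given policy (strong
// mirrors -strongpassword enableall/enablelocal, minLen -minpasswordlen); an
// empty result means pw meets it. Run it over existing accounts before
// enabling strong passwords, so nobody is locked out by the change.
func CheckPassword(pw string, strong bool, minLen int) []string {
	var problems []string
	if len([]rune(pw)) < minLen {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", minLen))
	}
	if !strong {
		return problems
	}
	classes := []struct {
		name string
		has  func(rune) bool
	}{
		{"lower-case letter", unicode.IsLower},
		{"upper-case letter", unicode.IsUpper},
		{"digit", unicode.IsDigit},
		{"special character from " + StrongSpecials, func(r rune) bool { return strings.ContainsRune(StrongSpecials, r) }},
	}
	for _, c := range classes {
		if strings.IndexFunc(pw, c.has) < 0 {
			problems = append(problems, "no "+c.name)
		}
	}
	return problems
}

func main() {
	// Constructed samples: the first misses an upper-case letter, the second passes.
	fmt.Println(CheckPassword("abc1!", true, DefaultStrongMinLen))
	fmt.Println(CheckPassword("aB3!", true, DefaultStrongMinLen))
}
```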