Ryan Butler
Latest commit f71edee Feb 11, 2018
CTX227928.ps1
NSBestPractices.ps1
README.MD adding NS best practice script Feb 8, 2018
get-nslicexp.ps1
set-nsssl.ps1
upgrade-ns.ps1

README.MD

Netscaler

Netscaler Scripts and files

If you receive an error within PowerShell on Windows 7 or Windows 2008 R2 SP1 like the one mentioned below, please install Windows Management Framework 4.0 (KB2819745).

set-nsssl.ps1

CREATED: 3-17-16

Please see my blog for more information.

Based on this Citrix blog

  • Checks and sets all SSL Netscaler management, load balancer, Netscaler Gateway and content switch VIPs
  • Enables TLS 1.2
  • Disables SSLv2 and SSLv3
  • Removes "Default" ciphers
  • Creates new cipher group and binds to VIPs while removing all other ciphers (auto detects VPX with corresponding supported ciphers)
  • Creates and binds Diffie-Hellman (DH) 2048 bit key (Forward Secrecy)
  • Creates and binds "Strict Transport Security policy"
  • Allow secure renegotiation
  • Results in A+ on https://www.ssllabs.com/ssltest

NOTE: Must be firmware 10.5 or greater

USE WITH CAUTION
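
After running the script, the protocol and HSTS items in the list above can be checked from a client. The following is an added example, not part of set-nsssl.ps1 or this repository; the host name is a placeholder and the function name Test-VipProtocol is hypothetical.

```powershell
# Added example: probe a VIP you administer for SSLv3 / TLS 1.2 support and the HSTS header.
param(
    [string]$VipHost = 'vip.example.com',   # placeholder host name (assumption)
    [int]$Port = 443
)

function Test-VipProtocol {
    param(
        [string]$Name,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Name, $Port)
        # Certificate validation is skipped on purpose: this probe only tests
        # which protocol versions the VIP accepts, not certificate trust.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Name, $null, $Protocol, $false)

        # Handshake succeeded: send a minimal request and read the response headers.
        $request = "HEAD / HTTP/1.1`r`nHost: $Name`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $ssl.Flush()
        $reader = New-Object System.IO.StreamReader($ssl)
        $hsts = $null
        # ReadLine returns an empty string at the end of the headers, which ends the loop.
        while ($line = $reader.ReadLine()) {
            if ($line -match '^Strict-Transport-Security:\s*(.+)$') { $hsts = $Matches[1] }
        }
        [pscustomobject]@{ Protocol = $Protocol; Accepted = $true; HSTS = $hsts; Error = $null }
    }
    catch {
        # A failed handshake lands here. If the client OS itself has the protocol
        # disabled, the failure is local and says nothing about the VIP.
        [pscustomobject]@{ Protocol = $Protocol; Accepted = $false; HSTS = $null; Error = $_.Exception.Message }
    }
    finally {
        $client.Close()
    }
}

# Desired state after hardening: Ssl3 not accepted, Tls12 accepted with an HSTS value.
'Ssl3', 'Tls12' | ForEach-Object {
    Test-VipProtocol -Name $VipHost -Port $Port -Protocol $_
} | Format-Table -AutoSize
```

Run it from a client that still has SSLv3 enabled if the SSLv3 result needs to reflect the VIP rather than the client.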

Changelog

  • 3-17-16:
    • Added port 3008 and 3009 to management IPs
  • 3-28-16:
    • Rewrite to reflect PowerShell best practice
    • Can adjust SSL Management IPs
  • 6-13-16 (Tested with VPX 11.0 65.31)
    • Adjusted ciphers to reflect recent 6-9-16 Citrix blog
    • Ciphers are now the same for VPX or MPX\SDX
    • Removes management IPs (NSIP) from being adjusted by default.
    • Enables TLS 1.2
  • 6-14-16
    • Added HTTPS connection option
    • Added SSL renegotiation
  • 12-29-16
    • Added NS firmware version check (10.5 or greater required due to 'systemfile' API)
  • 03-13-16
    • Added check for Default SSL Profiles and if enabled uses SSL profile for all VIPS
    • Created parameter to enable default SSL profile option on 11.1 or greater
  • 06-02-17
    • Added Error handling
    • Changed how default profiles bind cipher groups
    • Added a policy priority argument
  • 08-28-17
    • Formatted and added to PS gallery
  • 01-27-18

PS Gallery

If running PowerShell version 5 or above you can install via Microsoft PowerShell Gallery

Install

Install-Script -Name set-nsssl -Scope currentuser

Inspect

Save-Script -Name set-nsssl -Path <path>

Update

Update-Script set-nsssl

upgrade-ns.ps1

CREATED: 6-30-16

Uses the 11.1 REST API to upgrade Netscaler firmware. See Blog Post for more information

NOTE: Must be firmware 11.1 or greater

Changelog

  • 12-29-16: Added NS version check

get-nslicexp.ps1

CREATED: 8-14-16

Grabs Netscaler license expiration information via REST. See Blog Post for more information and detailed usage.

NOTE: Must be firmware 10.5 or greater

Changelog

  • 8-14-16: Now compares Netscaler time VS system time of script host
  • 12-14-16: Fix for double digit days
  • 12-28-16: Better error handling when grabbing license files and NS version check
  • 08-28-17: Formatted and added to PS gallery

PS Gallery

If running PowerShell version 5 or above you can install via Microsoft PowerShell Gallery

Install

Install-Script -Name get-nslicexp -Scope currentuser

Inspect

Save-Script -Name get-nslicexp -Path <path>

Update

Update-Script get-nslicexp

NSBestPractices.ps1

CREATED: 2-8-18

Configures Netscaler for CTX121149 and CTX232321