Change the following variables to match your NetScaler deployment:
- %vServer% to the VIP name of your access gateway
- "VPX_Group %OR% MPX_Group" – choose the cipher group to bind, either "VPX_Group" or "MPX_Group"
Copy and paste the script into your NetScaler CLI (for example over an SSH session with PuTTY).
—————Start – Do Not Copy This Line—————
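# NetScaler CLI commands (not a POSIX shell script).
# Placeholders: %vServer% = VIP name of the access gateway;
#               "VPX_Group %OR% MPX_Group" = the one cipher group to bind at the end.
# Use straight ASCII quotes (") only; typographic quotes are not accepted by the CLI.

# Protocols: SSLv3 off, TLS 1.1/1.2 on. TLS 1.0 is left at its current setting;
# add -tls1 DISABLED to turn it off once legacy-client compatibility is confirmed.
set ssl vserver %vServer% -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED

# 2048-bit DH parameters, written to /nsconfig/ssl/DH-Key and used for the DHE suites below.
# -dhCount 1000 refreshes the DH key every 1000 handshakes; ephemeral RSA is disabled.
create ssl dhparam DH-Key 2048 -gen 2
set ssl vserver %vServer% -dh ENABLED -dhFile "/nsconfig/ssl/DH-Key" -dhCount 1000 -eRSA DISABLED

# Cipher groups. Bind order is preference order (first bound = preferred).
# NOTE(review): SSL3-DES-CBC3-SHA (3DES), the DHE-DSS suites and the TLS1 AES-CBC/SHA1 suites
# are weak by current standards and lower the SSL Labs grade; keep them only if legacy
# clients still need them, otherwise remove those bind lines.
add ssl cipher "MPX_Group"
add ssl cipher "VPX_Group"
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES-256-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES-128-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName SSL3-DES-CBC3-SHA
# Group name below was "VPX _Group" (stray space) in the original, which binds to a
# non-existent group and fails; corrected to "VPX_Group".
bind ssl cipher "VPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher "VPX_Group" -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName SSL3-DES-CBC3-SHA

# Replace every cipher currently bound to the vserver with the chosen group, then
# allow all ECC curves for the ECDHE suites.
unbind ssl vserver %vServer% -cipherName ALL
bind ssl vserver %vServer% -cipherName "VPX_Group %OR% MPX_Group"
bind ssl vserver %vServer% -eccCurveName ALL

# HSTS: the expression is the string literal max-age=157680000 (157680000 s = 5 years),
# inserted into every response by an always-true rewrite policy.
add rewrite action act_sts_header insert_http_header Strict-Transport-Security q/"max-age=157680000"/
add rewrite policy pol_sts_force true act_sts_header
bind vpn vserver %vServer% -policy pol_sts_force -priority 100 -gotoPriorityExpression END -type RESPONSE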
—————End – Do Not Copy This Line—————
Once the script has completed, check your server's status with Qualys SSL Labs.