Disable RC4/ weak ciphers citrix secure gateway 3.3.2 PCI compliance

Running a Windows 2008R2 box with Citrix Secure Gateway 3.2  trying to pass PCI scan noting weak ciphers.
TLS_RSA_WITH_RC4_128_MD5 (0x4)   WEAK 128
I believe these are the ciphers that Citrix Secure Gateway uses for the COM cipher suite

I have done the below to address the issue but the weak cipher finding continues to be a problem
1. Set Citrix to 'limit cipher suites to stream ciphers only' to prevent POODLE which works POODLE is no longer a finding but I believe Citrix is using
TLS_RSA_WITH_RC4_128_MD5 (0x4)   WEAK 128

2. Disabled RC4 ciphers using IISCrypto and verified settings in registry HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
Ensured RC4 128/128 key existed with DWord value 'Enabled' set to 0x0 these keys exist for all RC4 (64/128, 56/128) etc.  also ensure the hotfix 2868725 applied.

3. Enabled Local group policy for SSL setting the cipher order and removing all RC4 ciphers

Tried setting secure gateway to only use Gov ciphers (SSL_RSA_WITH_3DES_EDE_CBC_SHA) but this setting makes my site unavailable. Had to re-enable COM ciphers.

I am not 100% confident that I can effectively remove RC4 with Citrix secure gateway 3.3.2 being used? Does anyone have insight how to prevent the weak ciphers findings?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Brian CTXSupportCitrix ConsultantCommented:
Secure Gateway was on the end of life schedule way back in 2006.  Although it's still somewhat used, it hasn't been supported in quite some time, and I'm not sure there is a way around the PCI compliance issue if you continue to use that product.


I think the VPX (Express) will likely fit your needs and would recommend exploring that option.


nexxtepAuthor Commented:
We are planning on moving to NetScaler solution but in the mean time I was able to get configure Secure Gateway using the GOV ciphers and TLS1.0 only so that the scan no longer fails due to weak ciphers. I am closing the question. Thanks for the recommendation.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Brian CTXSupportCitrix ConsultantCommented:
Sorry I couldn't help more.  I don't have access to any site that has that deployed anymore and haven't in many years, so I don't recall all of the options.  Good find with the gov ciphers.
nexxtepAuthor Commented:
I was able to solve the issue myself via trial and error. Other recommendations did not fix the actual issue rather recommended going with up to date product which is the ultimate resolution.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.