
Netscaler MPX9700 FIPS latest firmware

jnordeng asked
Last Modified: 2020-10-30
Hello. I am struggling with the Citrix portal as of late, whether creating a support ticket or trying to find the appropriate download. If someone can point me to the right place to download the latest firmware update supported on the Netscaler MPX9700 FIPS model, that would be appreciated. We'd like to get current and address https://support.citrix.com/article/CTX276688 as well.

Thanks in advance.


Author

Commented:
Thanks, I have the updated Firmware on the HSM, that's running 2.2.  Thanks for the info on the MPX9700 FIPS firmware though, that's what I was looking for.  

I did see this one, Citrix ADC FIPS Release 12.1 Build 55.19, but because it is calling out specific models ("This FIPS build is only qualified to upgrade existing VPX FIPS instance or MPX 8900/15000-50G FIPS platforms where the FIPS boundary is the whole system.") and then says to use a different build if not a FIPS device, I wasn't sure if it would be compatible with my MPX9700 FIPS.

If I recall, the firmware updates are roll-ups, so to speak, and I don't need an interim update?

Thanks in advance.

Author

Commented:
I should add we are currently running version NS11.1 63.15.nc 
Brian Murphy
Senior Information Technology Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Well, it depends. I upgraded 12 FIPS 9700 Netscalers across three Citrix Farms for the largest Blue Cross Blue Shield in the world in South Carolina. They process 100% of all Military claims - Tricare. Requires Top Secret Clearance to enter the building. Those were on a version of 9.x.

The firmware earlier than a certain 10.X did require incremental upgrades in a precise order.  If memory serves, I had to perform 4-5 firmware updates in order to get at the most recent version - at that time.  

However, I have not seen or read that as a requirement in the builds that ship with 11.x or higher.  

And to be clear, that verbiage was clearly stated in the documentation relative to those updates.  I was one of the first in Texas to implement NetScaler to replace Secure Gateway after Citrix acquired the technology.

Citrix excels and/or surpasses the competition with its strategy to provide a holistic and inherently secure solution.

Before Web Interface was Nfuse - for example. My first implementation of Citrix was on NT 3.51 and then Windows NT 4.0. It was far from a complete solution where remote access required having external NATs with port forwarding in order to access something from external that was not WAN connected.

This became Web Interface but you still had the NAT requirement. Enter - Secure Gateway running on Windows. Secure Gateway became NetScaler. NetScaler became a full-blown LB / ADC that rivals and in some ways surpassed BigIP F5. In there you had the addition of a concept of STA - Secure Ticket Authority to prevent and address man-in-the-middle interception of the traffic or ICA file.

Point being, along with the adoption of these technologies they have consistently grown and matured.  Back then, yes - you did have to perform multiple firmware upgrades in the age of 9.x to I believe 10.5.  

However, that has come a long way.  That one link I sent is specific to 9700 and MPX class.  There was a time where you could only get FIPS as a physical hardware appliance.  

Regardless, you will notice that the core firmware is the same for all FIPS class appliances.  Where some tend to get confused is with the HSM and the SSL Certificates.  

I did write a complete outline and response relative to how and what order to replace those certificates for FIPS - somewhere here on Experts Exchange - as a matter of fact.

The FIPS Firmware link I sent is applicable to all the above and even with the 9.x firmware, it would not run the firmware update if the prerequisite version was missing.  I would not have expected that to change and I would not think it is a concern for versions 11.x and above.  

Brian Murphy
Senior Information Technology Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I will add those previous responses to questions on FIPS as well.  Might come in handy.

https://www.experts-exchange.com/questions/29132059/WildCard-Certificates-for-use-on-Netscaler-FIPS-appliance.html

https://www.experts-exchange.com/questions/29131153/Clarification-of-Step-Order-Netscaler-HA-Setup-with-FIPS.html 

These were fairly detailed and where my answer was accepted as the final solution.

If anything, for future reference.

Author

Commented:
Thank you - appreciate it Brian, :)