jnordeng

asked on

Netscaler MPX9700 FIPS latest firmware

Hello. I am struggling with the Citrix portal as of late, trying to create a support ticket or find the appropriate download. If someone can point me in the right place to download the latest Firmware Update supported on the Netscaler MPX9700 FIPS model, that would be appreciated. We'd like to get current and address https://support.citrix.com/article/CTX276688 as well.

Thanks in advance.
ASKER CERTIFIED SOLUTION
Brian Murphy

jnordeng

ASKER

Thanks, I have the updated Firmware on the HSM, that's running 2.2.  Thanks for the info on the MPX9700 FIPS firmware though, that's what I was looking for.  

I did see this one, Citrix ADC FIPS Release 12.1 Build 55.19, but because it is calling out specific models ("This FIPS build is only qualified to upgrade existing VPX FIPS instance or MPX 8900/15000-50G FIPS platforms where the FIPS boundary is the whole system") and then says to use a different build if not a FIPS device, I wasn't sure if I would be compatible with my MPX9700 FIPS.

If I recall, the firmware updates are roll-ups so to speak and I don't need an interim update?

Thanks in advance.
I should add we are currently running version NS11.1 63.15.nc

Well, it depends. I upgraded 12 FIPS 9700 Netscalers across three Citrix Farms for the largest Blue Cross Blue Shield in the world in South Carolina. They process 100% of all Military claims - Tricare. Requires Top Secret Clearance to enter the building. Those were on a version of 9.x.

The firmware earlier than a certain 10.X did require incremental upgrades in a precise order.  If memory serves, I had to perform 4-5 firmware updates in order to get at the most recent version - at that time.  

However, I have not seen or read that as a requirement in the builds that ship with 11.x or higher.  

And to be clear, that verbiage was clearly stated in the documentation relative to those updates.  I was one of the first in Texas to implement NetScaler to replace Secure Gateway after Citrix acquired the technology.

Citrix excels and/or surpasses the competition with its strategy to provide a holistic and inherent secure solution.

Before Web Interface was Nfuse - for example. My first implementation of Citrix was on NT 3.51 and then Windows NT 4.0. It was far from a complete solution where remote access required having external NATs with port forwarding in order to access something from external that was not WAN connected.

This became Web Interface but you still had the NAT requirement. Enter - Secure Gateway running on Windows. Secure Gateway became NetScaler. NetScaler became a full-blown LB / ADC that rivals and in some ways surpassed BigIP F5. In there you had the addition of a concept of STA - Secure Ticket Authority to prevent and address man-in-the-middle interception of the traffic or ICA file.

Point being, along with the adoption of these technologies they have consistently grown and matured.  Back then, yes - you did have to perform multiple firmware upgrades in the age of 9.x to I believe 10.5.  

However, that has come a long way.  That one link I sent is specific to 9700 and MPX class.  There was a time where you could only get FIPS as a physical hardware appliance.  

Regardless, you will notice that the core firmware is the same for all FIPS class appliances.  Where some tend to get confused is with the HSM and the SSL Certificates.  

I did write a complete outline and response relative to how and what order to replace those certificates for FIPS - somewhere here on Experts Exchange - as a matter of fact.

The FIPS Firmware link I sent is applicable to all the above and even with the 9.x firmware, it would not run the firmware update if the prerequisite version was missing. I would not have expected that to change and I would not think it is a concern for versions 11.x and above.

I will add those previous responses to questions on FIPS as well.  Might come in handy.

https://www.experts-exchange.com/questions/29132059/WildCard-Certificates-for-use-on-Netscaler-FIPS-appliance.html

https://www.experts-exchange.com/questions/29131153/Clarification-of-Step-Order-Netscaler-HA-Setup-with-FIPS.html 

These were fairly detailed and where my answer was accepted as the final solution.

If anything, for future reference.
Thank you - appreciate it Brian, :)