
Case Study: SSL Gateway Security

Objective
In October 2024, we conducted a sector-specific audit of 80 enterprise SSL remote access gateways, spanning Citrix NetScaler ADC, VMware Horizon UAG, Microsoft RDS Gateway, F5, and Azure-integrated deployments. The aim: to assess the current security posture of real-world environments across multiple platforms.
The findings were both revealing and unexpected.
A snapshot of Gateway SSL configurations
Platform Breakdown
| Platform | Share of gateways (%) |
| --- | --- |
| Citrix NetScaler ADC | 41 |
| Omnissa Horizon UAG | 42 |
| F5 BIG-IP | 6 |
| MS RDS Gateway | 6 |
| Azure MFA | 5 |
The vast majority of enterprise deployments within this sector were either Citrix CVAD with NetScaler ADC or Omnissa Horizon with Unified Access Gateway (UAG).
Key Insight:
One of the most notable surprises was the identical split between Citrix and Horizon deployments. Citrix has historically dominated this sector, so the parity signals a shifting trend in platform preferences.
There was also a small but notable MS Remote Desktop Services (RDS) presence.


TLS and Cipher Configuration
| Protocol enabled | No of gateways |
| --- | --- |
| SSL 3.0 | 3 |
| TLS 1.0 and 1.1 | 8 |
| TLS 1.1 and 1.2 | 1 |
| TLS 1.2 | 22 |
| TLS 1.1, 1.2, and 1.3 | 3 |
| TLS 1.2 and 1.3 | 35 |
| TLS 1.3 | 38 |

| Weak ciphers enabled | No of gateways |
| --- | --- |
| RC4 | 4 |
Security Issues Identified:
Several gateways were configured with outdated or insecure protocols, including SSL 3.0, TLS 1.0 and TLS 1.1. Those gateways with SSL 3.0 enabled remained vulnerable to the POODLE attack.
Four gateways had the weak RC4 cipher configured and enabled.
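As an added example (not tooling from the audit, and not code from Citrix, Omnissa or Qualys), the following Python script probes a gateway one protocol version at a time and grades the result the way the tables above do: SSL 3.0, TLS 1.0/1.1 and RC4 are flagged, and a fleet summary groups gateways by the set of versions they accept. It assumes Python 3.8+ on an OpenSSL 1.1.1 or later build; the hostnames and the `GatewayFindings`, `probe_gateway`, `grade` and `summarise` names are this example's own. Most current OpenSSL builds cannot speak SSL 3.0, so that version is reported as untestable rather than enabled, and a scanner such as SSL Labs is still needed to confirm SSL 3.0 exposure.

```python
"""Probe which TLS protocol versions a remote access gateway will negotiate
and grade the result against the audit's criteria (SSL 3.0, TLS 1.0/1.1 and
RC4 are flagged). Added example; not tooling from the audit.

Assumptions: Python 3.8+ with an OpenSSL 1.1.1+ backed ssl module. Hostnames
used here are constructed placeholders; no connection is made unless the
script is run with a host argument.
"""
import socket
import ssl
import sys
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Versions the audit treated as outdated, named as ssl.SSLSocket.version() reports them.
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}
MODERN_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Substrings that mark a negotiated cipher suite as weak.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


@dataclass
class GatewayFindings:
    host: str
    versions: set = field(default_factory=set)   # protocol versions the server accepted
    ciphers: set = field(default_factory=set)    # cipher suites negotiated while probing
    chain_complete: Optional[bool] = None        # result of a separate chain check, if known


def try_version(host: str, port: int, version: ssl.TLSVersion):
    """Attempt one handshake pinned to a single protocol version.

    Returns (version_name, cipher_name) on success, None if the server refused,
    and raises ValueError if the local OpenSSL cannot offer that version at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # testing protocol support, not server identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version       # raises ValueError for versions the build lacks
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Modern OpenSSL refuses legacy suites at the default security level.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def probe_gateway(host: str, port: int = 443) -> GatewayFindings:
    """Probe every protocol version the local library can offer."""
    findings = GatewayFindings(host)
    for version in (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        try:
            result = try_version(host, port, version)
        except ValueError:
            continue  # local library lacks this version; it cannot be tested from here
        if result:
            findings.versions.add(result[0])
            findings.ciphers.add(result[1])
    return findings


def grade(findings: GatewayFindings) -> list:
    """Turn probe results into the per-gateway issues the audit reported."""
    issues = []
    for v in sorted(findings.versions & LEGACY_VERSIONS):
        note = " (POODLE)" if v == "SSLv3" else ""
        issues.append(f"legacy protocol enabled: {v}{note}")
    for c in sorted(findings.ciphers):
        if any(marker in c for marker in WEAK_CIPHER_MARKERS):
            issues.append(f"weak cipher negotiated: {c}")
    if findings.chain_complete is False:
        issues.append("incomplete certificate chain")
    if not findings.versions & MODERN_VERSIONS:
        issues.append("no modern TLS version (1.2/1.3) accepted")
    return issues


def summarise(all_findings) -> Counter:
    """Count gateways per set of accepted versions, as in the audit's protocol table."""
    return Counter(" and ".join(sorted(f.versions)) or "none" for f in all_findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "gateway.example.invalid"  # placeholder
    result = probe_gateway(target)
    print(f"{target}: accepts {sorted(result.versions) or 'nothing'}")
    for issue in grade(result) or ["no issues found"]:
        print("  -", issue)
```

Run it as `python probe_tls.py <gateway hostname>` against a gateway under your management. The probe only negotiates, it does not verify the certificate, so `chain_complete` is left to be filled in from a separate chain check; `summarise` over a list of results reproduces the "TLS 1.2 and 1.3" style grouping used in the table above.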
Qualys SSL Scores
Qualys SSL Labs is a free online service that performs a deep analysis of the configuration of any SSL/TLS web server on the public internet; its report card should be used to improve a gateway's configuration. Achieving an A+ score is a Citrix NetScaler ADC best-practice recommendation.
| Qualys SSL Score | No of gateways |
| --- | --- |
| A+ | 29 |
| A | 13 |
| B | 22 |
| C | 3 |
| SSL scan failed | 10 |

| Qualys SSL Score | Citrix NetScaler ADC | VMware UAG |
| --- | --- | --- |
| A+ | 6 | 22 |
| A | 7 | 2 |
| B | 11 | 6 |
| C | 3 | 0 |
| Failed to complete scan | 5 | 3 |
Key Takeaway:
VMware UAG consistently outperformed Citrix NetScaler ADCs, with a significantly higher rate of A+ scores and no UAG appliances receiving a grade C. This suggests that Horizon UAG environments may benefit from more consistent SSL configuration standards and proactive maintenance.
However, it's worth noting that SSL scans failed on 10 gateways, meaning their security posture remains unknown at the time of writing. Nearly all of these gateways (NetScaler ADC or Horizon UAG) were accessible, so these failures may indicate firewall restrictions preventing the Qualys SSL Labs scanner from connecting to the gateway.


Authentication Method Usage and Branding
- SAML with an Identity Provider (IdP): 21 gateways
- Username and password only (no MFA): 10 gateways
- RSA RADIUS + passcode MFA: 37 gateways
Multi-factor solutions integrated with gateways ranged from RSA RADIUS, PINsafe and Swivel MFA to Microsoft Azure IdP. Interestingly, only one gateway was integrated with Duo MFA, and no gateway was integrated with Okta MFA.
Branding and custom landing pages:
- Default theme: 43 gateways
- Minor customisations to the default theme: 4 gateways
- Fully customised themes: 33 gateways
Key Takeaway:
While most gateways had multifactor authentication in place, 10 still relied solely on basic username and password, leaving them exposed to unnecessary risk. This underscores the need for consistent MFA enforcement across all access points.
Conclusion
Key Takeaway:
This audit provides a revealing snapshot of the remote access gateway landscape in late 2024 within a specific business sector. While many organisations have embraced Multifactor Authentication (MFA) and modern protocols like TLS 1.3, a significant number of deployments continue to rely on outdated configurations, including weak ciphers, legacy SSL/TLS versions, incomplete certificate chains and in some cases, no MFA at all.
In June 2025, a second round of validation revealed that several of the same gateways remained vulnerable, with weak RC4 ciphers, SSL 3.0, and TLS 1.0/1.1 still enabled — despite the growing urgency to mitigate these well-documented risks.
One notable trend in the data is the higher rate of misconfiguration among NetScaler ADCs when compared to their UAG counterparts. The reasons behind this disparity warrant closer scrutiny: why are these settings not being addressed during firmware updates, or is it a matter of administrative oversight?
As security threats evolve, and remote access infrastructure such as Citrix NetScaler ADC and Horizon UAG faces increased targeting, regular SSL health checks and proactive configuration reviews remain essential.


Ready to Strengthen Your Gateway Security?
Questions?
Get a clear picture of your current posture—before attackers do. Let’s audit, optimise, and secure.
