I recently added a NetScaler (NetScaler Express, for testing purposes) to our DMZ network. The idea is to test one of our outdated Apache servers (running on Windows); we moved the server to our internal network and placed the NetScaler on the DMZ. The VIP on the NetScaler is the same IP the server previously had.
The thing is that when I run a vulnerability scan against the VIP on the NetScaler using Nessus Pro, it gives me the same results as if I was running the vulnerability scan on the server.
I have disabled SSL v2 and v3 and TLS 1.0 on the NetScaler VIP. I have also changed the cipher from default to the high cipher profile.
My question is: when I do a vulnerability scan on the NetScaler VIP, does the NetScaler send the information to the server, thus bypassing all the configuration on the NetScaler? I was under the impression the users only hit the VIP, and therefore all the security done in the VIP will suffice.
As a note, we take security very seriously. This particular server is running an old version of Apache, PHP and MySQL on Windows, and in time we will migrate the application to .NET, but I wanted to have a workaround during the time it takes to do the migration.
Any help is appreciated. Thank you, and have a great day.