Currently (11/3/16, NS11.0 Netscaler VPX’s do not support TLS 1.1 and TLS 1.2 to back end services. You can still use TLS 1.1 and TLS 1.2 on the front end but TLS 1.0 needs to be enabled on the back end server or the service status will show as down.

Below is the support matrix from a Citrix document, Ciphers Supported by the NetScaler Appliance.


Also, worth keeping in mind is that there is an issue with Netscaler <> IIS where the back end connections stop working. This didn’t seem to affect 11.0 but it does NS11.0, so even a default 2012 R2 build stopped working until I disabled TLS 1.1/1.2 globally on the Netscaler. You can disable TLS 1.1/1.2 globally using the command below, see CTX205578 for more info.

set ssl parameter -svctls1112disable enable -montls1112disable enable