After implementing these best practices you can test your setup (if your server is reachable by public and running on default port 443) with Qualys' ssltest.
On Citrix NetScaler you can mitigate risk by denying insecure SSL renegotiation:set ssl parameter -denySSLReneg NONSECUREYou can now check the status.
show ssl parameter
...
Deny SSL Renegotiation NONSECURE
...
Don't forget to save the running configuration.
save ns config
I've decided to disable RC4 ciphers by disabling the DEFAULT cipher group and enabling the cipher group HIGH per vServer.
A side node: if you do not have a N3 chip in your NetScaler MPX you won't be able to use ECDHE. I guess this results in having no Perfect Forward Secrecy at all.Some other useful links you might be interested in:
Credit goes to kro.hn, for supplying additional useful information.Update: Does your mail server support STARTTLS?
Update 2: How's your Browsers SSL?