While performing a security scan with the SSL Labs site, it was observed that Forward Secrecy is not supported for Internet Explorer.
Complete the following steps to solve the issue:
When upgrading from a build earlier than NetScaler 10.1 build 121.10 release, you must explicitly bind ECC curves to the existing SSL virtual servers.
In NetScaler 10.5 release or later, the VPX virtual appliance supports the ECDHE cipher group. Configure the following ciphers at the top of the cipher list so that they take priority when the client negotiates:
TLS1-ECDHE-RSA-RC4-SHA
TLS1-ECDHE-RSA-DES-CBC3-SHA
TLS1-ECDHE-RSA-AES128-SHA
TLS1-ECDHE-RSA-AES256-SHA
ECDHE ciphers must be used together with the ECC curve P_256 bound to the virtual server. To unbind all ECC curves and then bind P_256 to an SSL virtual server, use the following commands:
unbind ssl vserver <vServerName> -eccCurveName ALL
bind ssl vserver <vServerName> -eccCurveName P_256
After performing the preceding steps and running the security scan again, you can see that the client negotiated an ECDHE cipher and Forward Secrecy is reported as supported.
Screenshot showing Forward Secrecy is supported:
While performing a security scan with SSL Labs, it was observed that Forward Secrecy was not supported even though the ECDHE ciphers were configured.
Screenshot showing No Forward Secrecy:
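The two rules above (ECDHE suites listed first, and an ephemeral key exchange actually negotiated) can be checked without waiting for an SSL Labs run. The following script is an added example, not part of the Citrix article or the NetScaler product: it normalizes NetScaler cipher names such as TLS1-ECDHE-RSA-AES128-SHA so they compare with the OpenSSL names Python reports, verifies that every ECDHE suite precedes every non-ECDHE suite in a cipher list, and optionally opens one TLS connection to a virtual server to report whether the negotiated suite provides Forward Secrecy. The host name in the usage block is a placeholder.

```python
import socket
import ssl
import sys

# NetScaler prefixes its TLS 1.2-and-earlier cipher names with the protocol
# (TLS1-, TLS1.2-, SSL3-); OpenSSL names, which Python's ssl module reports,
# carry no such prefix. Assumed list of prefixes to strip for comparison.
NETSCALER_PREFIXES = ("TLS1.2-", "TLS1-", "SSL3-", "SSL2-")


def normalize_cipher_name(name: str) -> str:
    """Return the cipher name without the NetScaler protocol prefix, upper-cased."""
    name = name.strip().upper()
    for prefix in NETSCALER_PREFIXES:
        if name.startswith(prefix):
            return name[len(prefix):]
    return name


def is_forward_secret(name: str) -> bool:
    """True when the suite uses an ephemeral (EC)DHE key exchange, which is what
    SSL Labs reports as Forward Secrecy.

    TLS 1.3 suites (NetScaler 'TLS1.3-...' or OpenSSL 'TLS_...') always use an
    ephemeral key exchange, so they count as forward secret regardless of name.
    """
    upper = name.strip().upper()
    if upper.startswith("TLS1.3-") or upper.startswith("TLS_"):
        return True
    return normalize_cipher_name(upper).startswith(("ECDHE-", "DHE-", "EDH-"))


def ecdhe_listed_first(cipher_names):
    """Check the ordering rule from the article: every ECDHE suite must come
    before every non-ECDHE suite so the appliance prefers them in negotiation.

    Returns -1 when the order is correct, otherwise the index of the first ECDHE
    suite that appears after a non-ECDHE suite.
    """
    seen_non_ecdhe = False
    for idx, name in enumerate(cipher_names):
        is_ecdhe = normalize_cipher_name(name).startswith("ECDHE-")
        if not is_ecdhe:
            seen_non_ecdhe = True
        elif seen_non_ecdhe:
            return idx
    return -1


def negotiated_cipher(host: str, port: int = 443, timeout: float = 5.0):
    """Open one TLS connection and return (cipher_name, protocol, forward_secret).

    Certificate verification stays enabled; only the negotiated suite is inspected.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, protocol, _bits = tls.cipher()
            return cipher_name, protocol, is_forward_secret(cipher_name)


# Constructed sample: the four suites from the article placed ahead of a
# non-ECDHE suite, i.e. the order the article asks for.
SAMPLE_CIPHER_LIST = [
    "TLS1-ECDHE-RSA-RC4-SHA",
    "TLS1-ECDHE-RSA-DES-CBC3-SHA",
    "TLS1-ECDHE-RSA-AES128-SHA",
    "TLS1-ECDHE-RSA-AES256-SHA",
    "TLS1-AES-128-CBC-SHA",
]

if __name__ == "__main__":
    bad_index = ecdhe_listed_first(SAMPLE_CIPHER_LIST)
    print("cipher order OK" if bad_index == -1
          else f"ECDHE suite out of order at position {bad_index}")
    # Live check against a virtual server; host name is a placeholder argument.
    if len(sys.argv) > 1:
        name, proto, fs = negotiated_cipher(sys.argv[1])
        print(f"{proto} {name} forward_secrecy={'yes' if fs else 'no'}")
```

Run it as `python check_fs.py <vserver-host>` to see which suite a current Python/OpenSSL client negotiates; a browser with a different cipher preference (the Internet Explorer case in the article) may still pick a non-ECDHE suite, so the ordering check on the appliance side remains the authoritative one.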
Citrix Documentation - What's New in Previous 10.5 Builds.