Author Archives: Johannes Norz

About Johannes Norz

Citrix consultant, evangelist, blogger and trainer, Austria

Scoring an A+ on SSL Labs using a Citrix ADC / NetScaler version 12.1

This will be my shortest blog about the subject ever. Citrix finally did it! They created a “Built-in secure front-end SSL profile” called ns_default_ssl_profile_secure_frontend. What do you need to do? Just bind this profile to your vServer. That’s it. Isn’t it great? Compare this to my last blog about the… Read more »

Citrix NetScaler ADC: Having fun with Nitro

Recently I had several requests related to NITRO. NITRO is Citrix NetScaler’s API. Any device may communicate to a NetScaler using NITRO. Even a browser! Citrix exposes several settings and counters and even allows changes. NITRO is the central source for scripting NetScalers. I, being rather an administrator than a… Read more »

How can Citrix NetScaler ADC protect cookies from being stolen?

I recently did a web application firewall (WAF) project for a big company owning and hosting hundreds of websites. They did several penetration tests. One of them focussed on cookies. Citrix NetScaler did a great job protecting cookies, cookie tampering was impossible,… Read more »

Detecting Slowloris with Citrix NetScaler (Citrix ADC)

Last update: May 31st, 2018; tested using firmware 11.1. If you read about Slowloris, you always read about NetScaler doing a great job. Tests in our lab environment show: NetScaler will successfully block these attacks. And there is hardly anything we have to do about it: it’s built into the… Read more »

Citrix NetScaler is dead. Long live the Citrix ADC

All of us are always a bit shy looking at Citrix Synergy: What will it bring? Well, this time, Citrix comes up with brand new names for all products. It’s the first time Citrix is renaming the product. Until now the name resisted all renaming by the marketing department. Citrix acquired… Read more »

Concerns about Citrix NetScaler Web Application Firewall (WAF)

Let’s talk about a WAF, a Web Application Firewall on a Citrix NetScaler. What’s there to be concerned about? Is it worthwhile considering a NetScaler to be your WAF? I do work for several companies, including Citrix Consulting Services. Recently I worked on some Web Application Firewall projects, so I… Read more »

Logging more detailed data about websites blocked by NetScaler Web Application Firewall (WAF)

Last update: April 16th, 2018. I had been asked recently: Johannes, how can we log data about NetScaler Application Firewall policy hits in detail? The standard NetScaler Web Application Firewall log files: NetScaler’s Web Application Firewall logs to /var/log/ns.log. These logs are fine for troubleshooting. There is a good description… Read more »

Citrix NetScaler as a SAML IDP and SAML SP


I needed to use a Citrix NetScaler both as a SAML identity provider (IDP) and as a service provider (SP). So I set up my test environment accordingly. What my test environment looked like: You see, I created two admin partitions on my Citrix NetScaler, one for the service provider (SP partition),… Read more »

IP address calculator


What’s an IP address calculator? I’m pretty sure it’s something you won’t need. It will help in understanding IP addresses. It does calculations on IP addresses and will tell you if the address is valid (or a network / broadcast address), and if two addresses are on the same subnet. Why… Read more »

Scheduling NetScaler commands for a specific time on Citrix NetScaler

Last update: 2018/03/27. Sometimes we have to schedule commands in a Citrix NetScaler. A good example would be: force HA failover. Obviously, we don’t want to fail over during daytime, so as not to disconnect TCP connections and interrupt users. The best time would be something like 3:30 AM…. Read more »

Digging into Citrix NetScaler IP-reputation feature

Last update: 2018/04/12. I recently had to protect a website using the IP reputation feature. There is some good information about this feature, however I decided to glean information here. Facts about this feature: IP reputation is a platinum feature. It is included in web application firewall (there are extra licenses… Read more »

Creating a Citrix NetScaler Test environment

Last update: October 2017 (LINUX support). Being a Citrix Certified Instructor I am very much aware of the Red/Green/Blue website used during official Citrix NetScaler training (CNS-220, CNS-222). I created my own test website. I usually use it during product demonstrations to present anything… Read more »

Citrix NetScaler Logging and policy trouble shooting

Sometimes it’s quite hard to understand what’s going on. There is so much mystique about policies. And it’s even harder to understand what went on (past tense). “Johannes, there had been several problems connecting to <any blabla application here>” “I’m sorry, I… Read more »

Why do I love HDX on UDP in Citrix XenDesktop and XenApp?

(HDX Enlightened Data Transport EDT) Well, I’m mainly a network guy. So I’ll take a look at this brand new feature from a networking perspective. I’ll start from scratch, so I don’t assume you understand network protocols. But let me… Read more »

DDOS protection using Citrix NetScaler, 2nd part

Yesterday I published a blog about DDOS protection. I used the Citrix NetScaler AppQoE feature to do so. That’s nice, but not enough. I still could beat my server to a pulp easily. Just 10 clients launching a DDOS attack using HULK had been enough. I can’t throttle down the… Read more »

DDOS protection using Citrix NetScaler, 1st part

Last update: February 21st, 2018. How to protect a website using Citrix NetScaler? Well it seems to be easy. A nonsense question. We may use AppQoE (Application level Quality of Experience), a feature introduced with NetScaler version 10, so it’s quite an old feature. Let’s start. AppQoE is enterprise edition… Read more »

Selecting the correct language based on Accept-Language HTTP header using Citrix NetScaler responder policies

I recently was hired to create a web application firewall (WAF) using Citrix NetScaler to protect a SAP Hybris based e-shop. This shop has content for several languages, so we had to select the right home page. The base URL of the website was like that: https://shop.domain.com/shop/language/. SSL was optional…. Read more »