This might sound like an idea from an overcautious paranoid guy. But it’s not: My customer is in a very sensitive business. The problem Somebody may scan the internet for open ports and, by random, connect to my customer’s IP. This person will send a request and see my customer’s gateway. He might get curious, even though the gateway is not branded at all and the hostname is not...
It’s one of the things I do most often: Import a customer’s NetScaler installation into a VPX, so I can have a look at it. In fact, I do most of my audits that way. What is required The best basis would be a Citrix NetScaler backup. It contains everything we need, except for certificates, together with some other data in addition, like logs. The ns.conf file, alone, would be...
The problem Funny enough (or frustrating enough), an http-ecv monitor won’t work with JSON-based replies on a Citrix ADC / NetScaler. It will not find any data in an HTTP response and fail. WTF? The reason The http-ecv monitor requires the http-response to be of MIME-Type text (usually text/html). JSON data, however, is application/json. That’s why it does not work. The solution There...
Sometimes, we need specific attributes like an E-Mail address or the userPrincipalName to be passed from a SAML IDP to the SP. If you use a Citrix ADC / NetScaler as SAML IDP, it is, indeed, an easy thing to do. Let’s have a look. Extracting attributes from LDAP The first step, of course, is always to retrieve an attribute from LDAP. This is done via an LDAP policy. I won’t go into...
One of the main concerns that my large customers have is that the Citrix Gateway could fall victim to a DOS or DDOS attack. Linked to this, of course, is the concern that – after a successful attack – it might be possible to bypass authentication or compromise the gateway or the appliance. We have to distinguish between attacks that happen before and those that happen after...
last update: February 21st 2022 Recently, I had been asked, how to protect a gateway from threads. It’s easy, I thought, Citrix ADC has everything needed in good quality: A Bot Management, Web Application Firewall (WAF), and AppQoE (Application quality of experience, a DOS protection feature). So nothing easier than that: Create the policies desired and bind them to the gateway. Shortly...
HTTP v3 and HTTP v2 on a Citrix ADC / NetScaler last update: February 28th 2022 HTTP/1.0 and HTTP/1.1 are dead. They are inefficient plain text protocols. The amount of data to be transferred is huge and latency is a big problem, mostly for intercontinental connections. But what alternatives do we have? Are there alternatives? A view on the history of HTTP HTTP/0.9 – The one-line protocol The...
There is something I frequently get asked for: How can we find out, which users use which ciphers? Will Citrix ADC show this information? Does ADM show it? A simple answer would be: No chance, ADC can’t do it at all. ADM – however – can do. If you don’t like ADM (I’d wonder why) you can’t. Let’s not make things that simple. We all are engineers. The word...
This is something, people tend to ask for: A sorry server responding with a meaningful message in case all services are down. It’s an easy task to do, so I decided to write a quick guide on how to create a setup like that. What we need A load-balancing vServer does not respond, as soon as all services are down. However, there are “protection Servers”. And that’s what I will use...
During one of my Citrix ADC projects, I came across a strange problem. I had to give external users access to a certain IoT device. These very devices don’t support static addressing (!) and are well known for being exploitable, however, there is no really secure alternative available on the market. Because of this, my customer wanted to restrict these crappy devices to a certain range of...