This might sound like an idea from an overcautious paranoid guy. But it’s not: My customer is in a very sensitive business. The problem Somebody may scan the internet for open ports and, by random, connect to my customer’s IP. This person will send a request and see my customer’s gateway. He might get curious, even though the gateway is not branded at all and the hostname is not...
WordPress is one of the most popular web publishing software, both in the private and commercial sectors. While the private sector will hardly use a Citrix NetScaler ADC, not to mention, Citrix Firewall, it is rather common in the commercial world. This page will focus on a simple, robust deployment. It requires advanced (enterprise) or premium (platinum) editions of Citrix NetScaler ADC. It’s...
One of the main concerns that my large customers have is that the Citrix Gateway could fall victim to a DOS or DDOS attack. Linked to this, of course, is the concern that – after a successful attack – it might be possible to bypass authentication or compromise the gateway or the appliance. We have to distinguish between attacks that happen before and those that happen after...
last update: February 21st 2022 Recently, I had been asked, how to protect a gateway from threads. It’s easy, I thought, Citrix ADC has everything needed in good quality: A Bot Management, Web Application Firewall (WAF), and AppQoE (Application quality of experience, a DOS protection feature). So nothing easier than that: Create the policies desired and bind them to the gateway. Shortly...
There is something I frequently get asked for: How can we find out, which users use which ciphers? Will Citrix ADC show this information? Does ADM show it? A simple answer would be: No chance, ADC can’t do it at all. ADM – however – can do. If you don’t like ADM (I’d wonder why) you can’t. Let’s not make things that simple. We all are engineers. The word...
In Theory, it’s easy: Load Balancing is stronger than Content Switching. I tested with 13.0 82.42 on a Citrix ADC VPX. With some surprise to me: There had been differences between the features tested. I tested with Responder Policies, Citrix ADC Bot Protection, and Citrix Web Application Firewall. The setup I used a content switching vServer (192.168.229.200) and a non-addressable load-balancing...
I came across following issue, doing a Citrix ADC / NetScaler project: My customer wanted to use Azure MFA for internal users and LDAP/RADIUS for external users like contractors and parters. That’s a typical use-case for n-factor authentication. So how do we solve problems like that? The solution A Solution based on group membership The difference between internal and external users is...
Last change: December 21st 2021. Thanks to Dirk Bautz! This is the 2nd part to my article “Which ciphers to use on a Citrix ADC /NetScaler?” This one had been about TLS versions up to 1.2 only. Moving from TLS 1.2 to TLS 1.3 on an existing Citrix ADC ( NetScaler) may be a big step with some obstacles to overcome. It needs some investigation. Why TLS 1.3? Simple: TLS 1.3 is faster, as...
latest update: May 5th 2021 Recently I found myself in a discussion with another Citrix architect about the number of cyphers needed. I had added as little as fife cyphers to a cypher group. He thought this is not enough. Why should we have many cyphers into a cypher group? To be honest, I don’t understand. It may look flexible, feature-rich and mighty. Customers may get impressed...
I am a big fan of cheating if it comes to security. Giving wrong answers to questions may be misleading and will direct attackers into the wrong direction. This will cost time and, at the same time, rise the risk of being caught red-handed. If someone attacks a website, he has to be discrete and fast. Discrete to not get trapped, quick to be long gone in case the owner learns about the attack. So...