Author Archives: Johannes Norz

About Johannes Norz

Citrix CTA, consultant, evangelist, blogger and trainer, Austria

Which ciphers to use on a Citrix ADC / NetScaler?

Recently I found myself in a discussion with another Citrix architect about the number of ciphers needed. I had added as few as five ciphers to a cipher group. He thought this was not enough. Why should we have many ciphers in a cipher group? To be honest, I don’t…

A simple way for a Citrix ADC (NetScaler) to respond with a 404 not found

I am a big fan of cheating when it comes to security. Giving wrong answers to questions may be misleading and will send attackers in the wrong direction. This will cost them time and, at the same time, raise the risk of being caught red-handed. If someone attacks a website, he…

A quick way to expand performance on Citrix (NetScaler) Gateways

This is Corona time, and Corona drives virtualization like nothing else did before. I recently had to fix issues with remote access. Usually, it would have to handle around 1,500 users, but now the number of users increased to 15,000, so ten times as many. The existing MPX-11500 could…

Using Geo-Location in Citrix ADC / NetScaler

There are several use cases for geo-location information in Citrix ADC / NetScaler. It may be helpful with WAF logs. I am European, so I won’t spend much time on a positive if the log comes from North Korea, but I would consider it to be a “false positive” if it…

Are there Syslog events coming from partitions?

There seems to be no way to log events inside partitions, even though there are settings for logging and the configuration seems to be right. They are exactly the same as in the default partition. The syslog server is 127.0.0.1, so the local machine. Everything seems to be perfect. But…

Creating Certificates for Citrix ADC (NetScaler)

The way we create certificates has not changed significantly over the years. Only the wizard is subject to a certain change. This blog is based on Citrix ADC 13; older versions don’t differ significantly. The following steps are necessary to create a certificate: generate the key pair, create the certificate-signing…

Creating a Citrix ADC / NetScaler Test environment #2

last update: May 5th 2020 Almost two years ago I created a test website for Citrix NetScaler. The product is now called Citrix ADC. It had been a set of files for both Linux and Windows. It allowed you to create a test environment to test load-balancing solutions, content…

How to recover a Citrix ADC/NetScaler VPX from CVE-2019-19781 (both on Hypervisor and on SDX)

last update: March 2nd 2020 Well, there are many guides. So why do I write a blog about it? Just to have one more? Bullshit! The truth is: I don’t like them at all! What’s wrong with all these guides? They all focus on how to remove malware currently…

How to start a Citrix ADC / NetScaler WAF Project, Part 4: Start URLs

This is the fourth part of this blog. StartURLs are a powerful tool to protect a web server. Probably, creating StartURLs will be the first thing you need to do. There are two…

How to start a Citrix ADC / NetScaler WAF Project Part 2: Signatures

This is the second part of this blog. Signatures: Make sure signatures get updated automatically. Today (January 22 2020) we have version 40. Check the auto update settings. Check if Signatures Auto Update is…

How to start a Citrix ADC / NetScaler WAF Project, Part 1: General

This is the fourth part of this blog. I am currently working on a Citrix ADC (NetScaler) WAF project. It’s a big international enterprise, and security is of some concern to them. So everything should be pretty much straightforward? Well, it never is…

Protecting a URL using Citrix ADC responder policies

Recently a friend asked a question: How is it possible to bypass a responder policy? They knew it happened, but they could not reproduce it. HTML Encoding: HTML encoding is a stupid trick, used by hackers for ages. Any character may get encoded using an encoding table. So instead of using…

Citrix ADC: Safe access from outside (using SSH or SSL)

Of course you know the problem. You need to access your Citrix ADC, but you are not in the company. Of course you don’t want to open ports 443 and 22 on the firewall; that would be insane. What can you do? I solved the riddle for HTTP and SSH…

Virtual Apps and Desktops (XenApp) can’t connect through Citrix Gateway (NetScaler)?

It’s a problem coming up every now and then: I can’t connect to a certain Citrix VDA, but can connect to all/some others. If your problem is a more general one, continue reading here. My first guess would always be a L4 problem, but “I opened up all firewalls”. Never…

Statistical data from Citrix ADC / NetScaler APPFW logs

Sometimes people want to know how to extract data from APPFW logs. That’s easy; it is in /var/log/ns.log (and its predecessors, the ns.log.XX.gz files). grep APPFW ns.log will extract all application firewall logs. zcat ns.log.*.gz |grep APPFW will do the same for the old logs. Unfortunately this will give you a…

Migrating a Citrix ADC / NetScaler config to another box

I recently tried to migrate an existing configuration from one Citrix ADC (NetScaler) to another. Both of them had been the same hardware (VPX running on KVM) and used the same type of license (premium). If you move to different hardware, please continue reading from here. How to do it: Basically,…

AAA default settings changed with Citrix ADC (NetScaler) 13 build 41.20

Yesterday I upgraded to NetScaler 13 build 41.20. Everything worked fine. No problems. But all of a sudden, my Exchange deployment failed to authenticate (I did it following Julian Mooren’s outstanding deployment guide). I did some further investigation and found all my other AAA servers don’t authenticate, even though the…

Citrix ADC / NetScaler: two factors from outside, single factor inside

last update: September 25th 2019 I was recently asked: Johannes, is it possible to run the same AAA server with a single factor from the inside and with two-factor authentication from the outside? Of course it is. This is how you do it: Prerequisites: My test environment consists of a lb vServer (lb_vsrv_colors)…

Citrix ADC (NetScaler) 13: Pre-authenticating to TCP based services

last update: January 5th 2020 Recently I had to find a solution to block all connections to a TCP based service (SSH, TCP port 22), except for connections from IP addresses that pre-authenticated using an AAA vServer. This is something most firewalls can do, but a…