Category Archives: Citrix themes

statistical data from Citrix ADC / NetScaler APPFW logs

Sometimes people want to know how to extract data from APPFW logs. That’s easy: it is in /var/log/ns.log (and its predecessors, these ns.log.XX.gz). grep APPFW ns.log will extract all application firewall logs. zcat ns.log.*.gz | grep APPFW will do the same to the old logs. Unfortunately this will give you a… Read more »

Becoming an OCSP

Just started becoming an OCSP. This does not mean Online Certificate Status Protocol, but Offensive Computing Security Professional. It’s a widely respected certification in penetration testing. A long-time wish is going to come true. I am excited! In the end I’ll have to do a 24-hour penetration into… Read more »

Migrating a Citrix ADC / NetScaler config to another box

I recently tried to migrate an existing configuration from one Citrix ADC (NetScaler) to another. Both of them were the same hardware (VPX running on KVM) and used the same type of license (premium). If you move to different hardware, please continue reading from here. How to do Basically,… Read more »

AAA-default settings changed with Citrix ADC (NetScaler) 13 build 41.20

Yesterday I upgraded to NetScaler 13 build 41.20. Everything worked fine. No problems. But all of a sudden, my Exchange deployment failed to authenticate (I did it following Julian Mooren’s outstanding deployment guide). I did some further investigation and found all my other AAA servers don’t authenticate, even though the… Read more »

Citrix ADC / NetScaler: two factors from outside, single factor inside

last update: September 25th 2019. I was recently asked: Johannes, is it possible to run the same AAA server, from the inside with single factor, from the outside with two factor authentication? Of course it is. That’s how you do it: Prerequisites My test environment consists of an lb vServer (lb_vsrv_colors)…. Read more »

Citrix ADC (NetScaler) 13: Pre-authenticating to TCP services

Recently I had to find a solution to block all connections to a TCP based service (SSH, TCP port 22), except for connections from IP addresses that pre-authenticated using an AAA vServer. This is something most firewalls can do, but a Citrix ADC / NetScaler can’t…. Read more »

Single sign on to SAS applications using Citrix NetScaler Gateway and Microsoft ADFS

The problem: I recently had to assist designing a portal solution. The customer had an existing solution based on Microsoft ADFS to log on users to ShareFile, Office 365, SAP and similar applications. In addition they used Citrix Gateway (NetScaler Gateway) to publish XenApp applications and VDI (XenDesktop) to… Read more »

Citrix ADC (NetScaler) AAA-traffic explained

Authentication in Citrix ADC (NetScaler) is done from BSD, not from Citrix ADC (NetScaler). Because of this, traffic usually originates from NSIP. This is sometimes a surprise to network (and firewall) admins. “Usually” means: it may very well be a little bit different. Normal behaviour Usually NetScaler sends… Read more »

Debugging Authentication problems in Citrix ADC / NetScaler using the aaad.debug file

last update: October 2nd 2018. This is the second part of debugging logon. The first one, a network trace about LDAP, may be found here. Citrix ADC / NetScaler logs all events related to AAA (authentication, authorization, auditing) to /tmp/aaad.debug. You need to be nsroot or superuser to successfully log… Read more »

Scoring an A+ on SSL Labs using a Citrix ADC / NetScaler version 12.1

There are serious changes in 12.1. I’m currently investigating these changes and will update this article as soon as possible. This will be my shortest blog about the subject ever. Citrix finally did it! They created a “Built-in secure front-end SSL profile” called ns_default_ssl_profile_secure_frontend. What do you need… Read more »

How can Citrix NetScaler ADC protect cookies from being stolen?

How to protect your cookies using Citrix NetScaler I recently did a web application firewall (WAF) project for a big company owning and hosting hundreds of websites. They did several penetration tests. One of them focussed on cookies. Citrix NetScaler did a great job protecting cookies, cookie tampering was impossible,… Read more »

Detecting Slowloris with Citrix NetScaler (Citrix ADC)

Last update: Nov 21st, 2018, tested using firmware 11.1. If you read about slowloris, you always read about NetScaler doing a great job. Tests in our lab environment show: NetScaler will successfully block these attacks. And there is hardly anything we have to do about it: It’s built into the… Read more »

Citrix NetScaler is dead. Long live the Citrix ADC

All of us are always a bit shy looking at Citrix Synergy: What will it bring? Well, this time, Citrix comes up with brand new names for all products. It’s the first time Citrix is renaming the product. Until now the name resisted all renaming by the marketing department. Citrix acquired… Read more »

Concerns about Citrix NetScaler Web Application Firewall (WAF)

Let’s talk about a WAF, a Web Application Firewall on a Citrix NetScaler. What’s to be concerned about? Is it worthwhile considering a NetScaler to be your WAF? I do work for several companies, including Citrix Consulting Services. Recently I worked on some Web Application Firewall projects, so I… Read more »

Citrix ADC (NetScaler) as a SAML IDP and SAML SP

last update: 2019/09/05. Tested with NetScaler 11, Citrix ADC 12.1 and 13.0. I needed to use a Citrix ADC (NetScaler) both as a SAML identity provider (IDP) and service provider (SP). So I set up my test environment accordingly. What my test environment looked like: You see, I created two… Read more »