Category Archives: Citrix themes

Citrix ADC (NetScaler) 13: Pre-authenticating to TCP services

photo by geralt (pixabay.com) Recently I had to find a solution to block all connections to a TCP based service (SSH, TCP port 22), except of connections from IP addresses that pr-eauthenticated using a AAA vServer. This is something, most firewalls can do, but a Citrix ADC / NetScaler can’t…. Read more »

Single sign on to SAS applications using Citrix NetScaler Gateway and Microsoft ADFS

The problem I recently had to assist designing a portal solution. The customer had an existing solution based on Microsoft ADFS to log on users to ShareFile, Office 365, SAP and similar applications. In addition they used Citrix Gateway (NetScaler Gateway) to publish applications XenApp applications and VDI (XenDesktop) to… Read more »

Citrix ADC (NetScaler) AAA-traffic explained

Authentication in Citrix ADC (NetScaler) is done from BSD, not from Citrix ADC (NetScaler). Because of this, traffic usually originates from NSIP. This is sometimes of surprise to network (and firewall) admins. It usually comes means: It may very well be a little bit different. Normal behaviour Usually NetScaler sends… Read more »

Debugging Authentication problems in Citrix ADC / NetScaler using the aaad.debug file

last update: October 2nd 2018 This is the second part of debugging logon. The first one, a network trace about LDAP, may be found here. Citrix ADC / NetScaler logs all events related to AAA (authentication, authorization, auditing) to /tmp/aaad.debug You need to be nsroot or superuser to successfully log… Read more »

Scoring an A+ on SSL Labs using a Citrix ADC / NetScaler version 12.1

There are serious changes in 12.1. I’m currently investigating these changes and will update this article as soon as any possible   This will be my shortest blog about the subject ever. Citrix finally did it! They created a “Built-in secure front-end SSL profile” called ns_default_ssl_profile_secure_frontend. What do you need… Read more »

How can Citrix NetScaler ADC protect cookies from being stolen?

How to protect your cookies using Citrix NetScaler I recently did a web application firewall (WAF) project for a big company owning and hosting hundreds of websites. They did several penetration tests. One of them focussed on cookies. Citrix NetScaler did a great job protecting cookies, cookie tampering was impossible,… Read more »

Detecting Slowloris with Citrix NetScaler (Citrix ADC)

Last update: Nov 21th, 2018 tested using firmware 11.1 If you read about slowloris, you always read about NetScaler doing a great job. Tests in our lab environment show: NetScaler will successfully block these attacks. And there is hardly anything we have to do about it: It’s built into the… Read more »

Citrix NetScaler is dead. Long live the Citrix ADC

All of us are always a bit shy looking at Citrix Synergy: What will it bring? Well, this time, Citrix comes up with brand new names for all products. It’s the first time Citrix is renaming the product. Until now the mane resisted all renaming by marketing departement. Citrix aquired… Read more »

Concerns about Citrix NetScaler Web Application Firewall (WAF)

Let’s talk about a WAF, a Web Application Firewall on a Citrix NetScaler. What’s to be concerned off? Is it worth while considering a NetScaler to be your WAF? I do work for several companies, including Citrix Consulting Services. Recently I worked on some Web Application Firewall projects, so I… Read more »

Citrix ADC (NetScaler) as a SAML IDP and SAML SP

last update: 2019/04/01 Tested with NetScaler 11 and Citrix ADC 12.1 I needed to use a Citrix ADC (NetScaler) both, as a SAML identity provider (IDP) and service provider (SP). So I set up my test environment accordingly. What my test environment looked like: You see, I created two admin… Read more »

Scheduling NetScaler commands for a specific time on Citrix NetScaler

Last update: 2018/03/27 Sometimes we have to schedule commands in a Citrix NetScaler. A good example would be: force HA failover It’s obvious, we don’t want to fail over during day time to not disconnect TCP connections, to not interrupt users. The best time would be something like 3:30 AM…. Read more »

Creating a Citrix NetScaler Test environment

last update: October 2017 (LINUX support) Creating a Citrix NetScaler Test environment Being a Citrix Certified Instructor I am very much aware of the Red/Green/Blue website used during official Citrix NetScaler training (CNS-220, CNS-222). I created my own test website. I usually use it during product demonstrations to present anything… Read more »

Citrix NetScaler Logging and policy trouble shooting

Citrix NetScaler Logging and policy trouble shooting Some times it’s quite hard to understand what’s going on. There is so much mystics about policies. And it’s even harder to understand what went on (past tense). “Johannes, there had been several problems connecting to <any blabla application here>” “I’m sorry, I… Read more »

Why do I love HDX on UDP in Citrix XenDesktop and XenApp?

Why do I love HDX on UDP in Citrix XenDesktop and XenApp? (HDX Enlightened Data Transport EDT) Well, I’m mainly a network guy. So I’ll take a look at this brand new feature from networking perspective.I’ll start from scratch, so I don’t assume you understand network protocols. But let me… Read more »