Category Archives: Security

AAA default settings changed with Citrix ADC (NetScaler) 13 build 41.20

Yesterday I upgraded to NetScaler 13 build 41.20. Everything worked fine. No problems. But all of a sudden, my Exchange deployment failed to authenticate (I did it following Julian Mooren’s outstanding deployment guide). I did some further investigation and found that all my other AAA servers don’t authenticate either, even though the…

Citrix ADC (NetScaler) 13: Pre-authenticating to TCP services

Recently I had to find a solution to block all connections to a TCP-based service (SSH, TCP port 22), except for connections from IP addresses that pre-authenticated using an AAA vServer. This is something most firewalls can do, but a Citrix ADC / NetScaler can’t…

Single sign on to SAS applications using Citrix NetScaler Gateway and Microsoft ADFS

The problem: I recently had to assist in designing a portal solution. The customer had an existing solution based on Microsoft ADFS to log on users to ShareFile, Office 365, SAP and similar applications. In addition, they used Citrix Gateway (NetScaler Gateway) to publish XenApp applications and VDI (XenDesktop) to…

Citrix ADC (NetScaler) AAA-traffic explained

Authentication in Citrix ADC (NetScaler) is done from BSD, not from Citrix ADC (NetScaler). Because of this, traffic usually originates from the NSIP. This sometimes comes as a surprise to network (and firewall) admins. It usually means: it may very well be a little bit different. Normal behaviour: usually NetScaler sends…

How will a Citrix ADC (NetScaler) Web-application Firewall (WAF) change your ADC’s behaviour?

There is one thing different about a Citrix ADC WAF (Web Application Firewall) compared to most other features in Citrix ADC: it will affect your whole ADC deployment as soon as you turn it on. If you would, for example, turn on the rewrite feature (enable feature RW), it would probably…

Debugging Authentication problems in Citrix ADC / NetScaler using the aaad.debug file

Last update: October 2nd 2018. This is the second part of debugging logon. The first one, a network trace about LDAP, may be found here. Citrix ADC / NetScaler logs all events related to AAA (authentication, authorization, auditing) to /tmp/aaad.debug. You need to be nsroot or superuser to successfully log…

Concerns about Citrix NetScaler Web Application Firewall (WAF)

Let’s talk about a WAF, a Web Application Firewall, on a Citrix NetScaler. What is there to be concerned about? Is it worthwhile considering a NetScaler to be your WAF? I do work for several companies, including Citrix Consulting Services. Recently I worked on some Web Application Firewall projects, so I…

Logging more detailed data about websites blocked by NetScaler Web Application Firewall (WAF)

Last update: April 16th 2018. I had been asked recently: Johannes, how can we log data about NetScaler Application Firewall policy hits in detail? The standard NetScaler Web Application Firewall log files: NetScaler’s Web Application Firewall logs to /var/log/ns.log. These logs are fine for troubleshooting. There is a good description…

Citrix ADC (NetScaler) as a SAML IDP and SAML SP

Last update: 2019/09/05. Tested with NetScaler 11, Citrix ADC 12.1 and 13.0. I needed to use a Citrix ADC (NetScaler) both as a SAML identity provider (IDP) and as a service provider (SP). So I set up my test environment accordingly. What my test environment looked like: you see, I created two…

Digging into Citrix NetScaler IP-reputation feature

Last update: 2018/04/12. I recently had to protect a website using the IP reputation feature. There is some good information about this feature; however, I decided to glean information here. Facts about this feature: IP reputation is a Platinum feature. It is included in the web application firewall (there are extra licenses…

DDOS protection using Citrix NetScaler, 1st part

Last update: February 21st 2018. How to protect a website using Citrix NetScaler? Well, it seems to be easy. A nonsense question. We may use AppQoE (Application level Quality of Experience), a feature introduced with NetScaler version 10, so it’s quite an old feature. Let’s start. AppQoE is an Enterprise edition…

Splitting up a NetScaler site using admin partitions

(a nice but partly failed try) Complex web applications may lead to complex NetScaler configuration. And sometimes an administrator may get lost troubleshooting complex websites, especially sites using content switching. This is an example of a real-world website: the portal page is assembled from several independent web applications. Each…

Changing my Citrix NetScaler VPX based website from http to https and scoring an A+ in SSL labs test

Last update: July 12 2018. This blog is about NetScaler versions up to 12. For 12.1 read here. Citrix NetScaler load balancing and content switching servers will only score a C in the Qualys SSL Labs test, no matter if you use a VPX, MPX or SDX. There are several reasons for…

How to get a valid certificate for our NetScaler, if possible for free?

This is an updated blog entry. I first posted it on my old and discontinued blog at blog.com for Citrix NetScaler 10; this one is for Citrix NetScaler 11. We all know how to get a private certificate for free: you just have to set up a Windows Server, add…

Making a NetScaler Gateway on NetScaler 11 a bit more secure

Last update: February 7th 2017. We have previously created a NetScaler Gateway on our NetScaler 11. That’s great! Time to check if it’s secure. I usually use SSL Labs’ SSL test, a widely used tool to test the security of a website. I have another blog about NetScaler virtual…

Replacing HTTP server related information using a NetScaler policy label

It may not be the strongest security measure, but many administrators are not quite sure about HTTP headers like Server or X-Powered-By. There seems to be just one reason why this header has to be in an HTTP response: it makes life easier for a hacker. So why not just…