Category Archives: Security

Creating Certificates for Citrix ADC (NetScaler)

The way we create certificates has not changed significantly over the years. Only the wizard is subject to a certain change. This blog is based on Citrix ADC 13, elder versions don’t differ significantly. The following steps are necessary to create a certificate: Generate the key pair Create the certificate-signing… Read more »

How to recover a Citrix ADC/NetScaler VPX from CVE-2019-19781 (both on Hypervisor and on SDX)

last update: March 2nd 2020 Well, there are many guides. So why do I write a blog about it? Just to have one more? Bull shit! The truth is: I don’t like them at all! What’s wrong about all these guides? They all focus on how to remove malware currently… Read more »

How to start a Citrix ADC / NetScaler WAF Project, Part 1: General

This is the forth part of this blog. Part Part 1 2 3 4 5 I am currently working on a Citrix ADC (NetScaler) WAF project. It’s a big international enterprise, security is of some concern to them. So everything hould be pretty much straight forward? Well, it never is…. Read more »

Protecting a URL using Citrix ADC responder policies

Recently a friend asked a question: How is it possible to bypass a responder policy. They knew it happened, but they could not reproduce. HTML- Encoding HTML Encoding is a stupid trick, used by hackers ever since. Any character may get encoded using a encoding table. So instead of using… Read more »

AAA-default settings changed with Citrix ADC (NetScaler) 13 built 41.20

Yesterday I upgraded to NetScaler 13 built 41.20. Everything worked fine. No problems. But out of a sudden, my Exchange deployment failed to authenticate (I did it following Julian Mooren’s outstanding deployment guide). I did some further investigation and found all my other AAA servers don’t authenticate, even though the… Read more »

Citrix ADC (NetScaler) 13: Pre-authenticating to TCP based services

photo by geralt (pixabay.com) last update: January 5th 2020 Recently I had to find a solution to block all connections to a TCP based service (SSH, TCP port 22), except of connections from IP addresses that pr-eauthenticated using a AAA vServer. This is something, most firewalls can do, but a… Read more »

Single sign on to SAS applications using Citrix ADC / NetScaler Gateway and Microsoft ADFS

The problem I recently had to assist designing a portal solution. The customer had an existing solution based on Microsoft ADFS to log on users to ShareFile, Office 365, SAP and similar applications. In addition they used Citrix Gateway (NetScaler Gateway) to publish applications XenApp applications and VDI (XenDesktop) to… Read more »

Citrix ADC (NetScaler) AAA-traffic explained

Authentication in Citrix ADC (NetScaler) is done from BSD, not from Citrix ADC (NetScaler). Because of this, traffic usually originates from NSIP. This is sometimes of surprise to network (and firewall) admins. It usually comes means: It may very well be a little bit different. Normal behaviour Usually NetScaler sends… Read more »

How will a Citrix ADC (NetScaler) Web-application Firewall (WAF) change your ADC’s behaviour?

There is one thing different about a Citrix ADC WAF (Web Application Firewall) compared to most other features in Citrix ADC: It will affect your whole ADC deployment as soon as you turn it on. It you would, for example, turn on rewriting feature (enable feature RW), it would probably… Read more »

Debugging Authentication problems in Citrix ADC / NetScaler using the aaad.debug file

last update: October 2nd 2018 This is the second part of debugging logon. The first one, a network trace about LDAP, may be found here. Citrix ADC / NetScaler logs all events related to AAA (authentication, authorization, auditing) to /tmp/aaad.debug You need to be nsroot or superuser to successfully log… Read more »

Concerns about Citrix NetScaler Web Application Firewall (WAF)

Let’s talk about a WAF, a Web Application Firewall on a Citrix NetScaler. What’s to be concerned off? Is it worth while considering a NetScaler to be your WAF? I do work for several companies, including Citrix Consulting Services. Recently I worked on some Web Application Firewall projects, so I… Read more »

Logging more detailed data about websites blocked by NetScaler Web Application Firewall (WAF)

last update: April 16th 2018 I had been asked recently: Johannes, how can we log data about NetScaler Application Firewall policy hits in detail? The standard NetScaler Web Application Firewall log-files NetScaler’s Web Application Firewall logs to /var/log/ns.log. These logs are fine for trouble shooting. There is a good description… Read more »

Citrix ADC (NetScaler) as a SAML IDP and SAML SP

last update: 2019/09/05 Tested with NetScaler 11, Citrix ADC 12.1 and 13.0 I needed to use a Citrix ADC (NetScaler) both, as a SAML identity provider (IDP) and service provider (SP). So I set up my test environment accordingly. What my test environment looked like: You see, I created two… Read more »

Digging into Citrix NetScaler IP-reputation feature

last update: 2018/04/12 I recently had to protect a website using IP reputation feature. There is some good information about this feature, however I decided to glean information here. Facts about this feature IP reputation is a platinum feature. It is included in web application firewall (there are extra licenses… Read more »

DDOS protection using Citrix NetScaler, 1st part

last update: February 21st 2018 How to protect a website using Citrix NetScaler? Well it seems to be easy. A nonsense question. We may use AppQoE (Application level Quality of Experience), a feature introduced with NetScaler version 10, so it’s quite an old feature. Let’s start. AppQoE is enterprise edition… Read more »

Splitting up a NetScaler site using admin partitions

(a nice but partly failed try) Complex web applications may lead to complex NetScaler configuration. And sometimes an administrator may get lost troubleshooting complex websites, especially sites using content switching. This is an example of a real world website: The portal page is assembled of several independent web applications. Each… Read more »

Changing my Citrix NetScaler VPX based website from http to https and scoring an A+ in SSL labs test

Last update: July 12 2018 This blog is about NetScaler versions up to 12. January 2020: It’s pretty outdated by now, as some of the proposed encryption methods are outdated and there are serious concerns about TLS1.0 and TLS 1.1. Read Thomas’s blog from here. Citrix NetScaler load balancing and… Read more »