AuthorJohannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security. He frequently works for Citrix international Consulting Services and several education centres all around the globe. Johannes lives in Austria. He had been borne in Innsbruch (

Using the http-ecv monitor together with JSON payload on Citrix ADC / NetScaler


The problem Funny enough (or frustrating enough), an http-ecv monitor won’t work with JSON-based replies on a Citrix ADC / NetScaler. It will not find any data in an HTTP response and fail. WTF? The reason The http-ecv monitor requires the http-response to be of MIME-Type text (usually text/html). JSON data, however, is application/json. That’s why it does not work. The solution There...

Passing LDAP (AD) attributes from SAML IDP to SAML SP with Citrix ADC / NetScaler as a SAML IDP


Sometimes, we need specific attributes like an E-Mail address or the userPrincipalName to be passed from a SAML IDP to the SP. If you use a Citrix ADC / NetScaler as SAML IDP, it is, indeed, an easy thing to do. Let’s have a look. Extracting attributes from LDAP The first step, of course, is always to retrieve an attribute from LDAP. This is done via an LDAP policy. I won’t go into...

A proper DOS- Protection for Citrix Gateway


One of the main concerns that my large customers have is that the Citrix Gateway could fall victim to a DOS or DDOS attack. Linked to this, of course, is the concern that – after a successful attack – it might be possible to bypass authentication or compromise the gateway or the appliance. We have to distinguish between attacks that happen before and those that happen after...

Troubleshooting login problems with Citrix Gateway


last updated: April 26 2022 I am currently creating a slide deck for a CUGC event on May 11. It will be about securing Citrix (NetScaler) Gateway. During my work, I wanted to find out, what the cookie NSC_VPNERR is good for. After a successful login, its value is set to 3 (Citrix ADC 13.0, it’s not documented). With most of the current browsers, you have to press F12 to see the...

Add pop-up windows for certain countries from Citrix ADC/NetScaler


Recently, I had to add a pop-up window to a webpage. It should display every time users from a certain region surfs to this site. In this very case, it’s been information on Putin’s war against Ukraine. My customer’s idea had been to bypassPutin’s ban of information. However, however, did not want to touch each and every page, and it had to be dependent on the country:...

Blocking SPAM in a guest book


Recently I had a SPAMer here in my blog, who wanted to place his links here. I don’t know why he had chosen this blog, in particular, I also don’t know what he expected from it, because all entries here are moderated. I have always approved all entries, that had been professionally appropriate, but I do not allow SPAM. But, of course, it’s overhead for me. Anyway, no matter why...

Reply with a valid A or AAA record to every misspelled DNS request


last update: July 12th 2022 If someone makes a typing error when entering the domain name, he will not get a valid response. This is a typical example: You can clearly see: The response got an NXDOMAIN status, a non-existing domain. This, however, is not always desired, instead, you might want to return an IP address. It should have looked like this: This time, you see an answer section. The IP...

Extending /var on a Citrix ADC/NetScaler VPX


There is a question coming up every now and then: How to extend space on a Citrix ADC formerly called NetScaler. First of all: There is absolutely no supported way to do so! With this in mind, we can continue. Is there a real need to extend the disk space? The answer is no. There is plenty of space for all needs. You said, there is space enough, why did I run out of diskspace? That’s hard...

Mitigation for Log4J (CVE-2021-44228)


Last update: December 22nd 2021 Many of us, today, struggle with the Log4J security issue (CVE-2021-44228). It will take a long time to fix all apps, as the Apache log4J framework is built deep into several apps. For many of my customer’s apps, it’s still not clear, if whether they are affected, or not. At the same time, there are already exploits out there, allowing attackers to get shell access...

Securing Citrix Gateway using Citrix ADC Bot Management, Citrix Web Application Firewall and DOS-Protection


last update: February 21st 2022 Recently, I had been asked, how to protect a gateway from threads. It’s easy, I thought, Citrix ADC has everything needed in good quality: A Bot Management, Web Application Firewall (WAF), and AppQoE (Application quality of experience, a DOS protection feature). So nothing easier than that: Create the policies desired and bind them to the gateway. Shortly...

Recent Posts

Recent Comments