I recently encountered a problem where I had a Citrix NetScaler that, for security reasons, had no internet connection. It was located in the second DMZ and was intended to act as a second-hop server. A relatively large number of load balancers had been set up, along with the corresponding WAFs. A Citrix Knowledge Base article explains exactly how to configure NetScaler itself so that it loads...
IDP-initiated single sign on (SSO) login on Citrix NetScaler is not directly supported. That’s the bad news. The good news is that with a little trick, you can get it to work quite well. What is the problem? Actually, everything you need is already there. The problem is simply that you cannot bind traffic policies to authentication vServers. Traffic policies support SAML SSO. So we have to...
There are several issues that can arise when using a Citrix NetScaler as a SAML IDP. Although SAML is a great standard and defines very well how SAML works, some details are implementation-dependent. Many of the problems that arise stem from misunderstandings between SP and Citrix NetScaler IDP. Problems can occur in two places: on the way from the SP to the IDP and on the way back from the IDP...
When I try to perform SAML authentication, the IDP returns an error message: ACS URL in request is invalid. Please contact your administrator The reason for this behavior is that the SAML service provider URL is not specified or is specified incorrectly. The correct format is (in the case of a Citrix NetScaler SP, this is implementation-dependent). If the SAML IDP outputs the following message...
When you want to run NetScaler, the question of the right platform quickly arises. Even companies that have been using NetScaler for years are confronted with this question at the latest when the next upgrade is due. The following hardware platforms are available: Citrix NetScaler MPX: NetScaler in hardware, MPX appliances have SSL acceleration chips Citrix NetScaler VPX: NetScaler as virtual...
Citrix has announced that the N-Factor Flow Visualizer will no longer be supported in the NetScaler ADC. I personally liked to design my N-Factor Flows using this visualizer, because it is convenient and hides the complexity of N-Factor. I also recommended that my customers design their multifactor authentication using this flow designer. However, later versions of NetScaler 14.1 shows N-Factor...
My college Thomas Kötzing did it: He published a tool to recover from lost passwords. You can find this tool from here. Of course, you need to have the content from /nsconfig/keys to do so.
Starting with February 2025, Citrix cancelled both, the CTP and CTA program. So I lost my status as a CTA. This is not just sad for me but for all of the great community we had. I became friends with some of my fellow CTAs and some of the CTPs as well. I am thankful for these 4 years full of exciting projects, friendship and a great community. I hope to see you again, my friends!
Last update: March 2nd 2025 With NetScaler 14.1, Citrix started to allow binding Web Application Firewall (WAF) policies to the gateway and to a AAA vServer or a Gateway. Why does it make sense to bind a WAF to the gateway? The more popular Citrix NetScaler became, the greater the interest of hackers in NetScaler grew. And NetScaler is now a very widely used tool for remote access. Due to the...
n-factor has been around for a few years now, and n-factor flows have also been on board a Citrix NetScaler for some time. n-factor flows are much clearer than “traditional” n-factor authentication, but there are a few obstacles on the way to a good deployment. One problem that I have failed at is SSO (Single Sign On) when the password is the second factor. The deployment I am...