Author: Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS). He frequently works for Citrix international Consulting Services and several education centres all around the globe. Johannes lives in Austria. He was born in Innsbruck, a small city (150.000 inhabitants) in the middle of the most beautiful Austrian mountains (

Blocking requests to the IP address in SSL vServers on Citrix NetScaler ADC


This might sound like an idea from an overcautious paranoid guy. But it’s not: My customer is in a very sensitive business. The problem: Somebody may scan the internet for open ports and, at random, connect to my customer’s IP. This person will send a request and see my customer’s gateway. He might get curious, even though the gateway is not branded at all and the hostname is not...

Importing an existing NetScaler configuration from MPX/SDX into a VPX


It’s one of the things I do most often: Import a customer’s NetScaler installation into a VPX, so I can have a look at it. In fact, I do most of my audits that way. What is required: The best basis would be a Citrix NetScaler backup. It contains everything we need, except for certificates, together with some other data in addition, like logs. The ns.conf file, alone, would be...

Citrix NetScaler language definition for Notepad++


Notepad++ is widely used by Windows administrators. The reason is that Notepad++ is not just a good editor; it also “understands” different languages, like HTML, CSS, Java, Perl and many more. My friend and fellow CCI (Citrix trainer) at that time, Christian Schwendemann (now Citrix employee), created NetScaler definitions for Notepad++. He sent it to me, but I found several...

Importing/exporting Citrix NetScaler Application Firewall profiles


Usually, we create profiles in a test environment. After thoughtful testing, we have to copy them to the production and the DR site. Requirements: Test, production and DR site have to be exactly the same version, or the import will fail. The user has to be able to use the shell (so it has to be equivalent to nsroot). Exporting a profile: The profile can be exported at any time. This can be done...

Monitoring Citrix NetScaler WAF from command-line and ADM


No doubt, monitoring a WAF is an important thing to do. It helps to find attacks and their sources for forensic purposes and is needed to find false positives as well. How to do it? Citrix NetScaler WAF logs locally, which is great for real-time logging and troubleshooting, but it may also log to external sources like Citrix Application Delivery Manager (ADM), which is great for long...

Protecting WordPress based websites using Citrix NetScaler WAF


WordPress is one of the most popular web publishing tools, both in the private and commercial sectors. While the private sector will hardly use a Citrix NetScaler ADC, not to mention Citrix Firewall, it is rather common in the commercial world. This page will focus on a simple, robust deployment. It requires advanced (enterprise) or premium (platinum) editions of Citrix NetScaler ADC. It’s...

RFC (Request for Comment): a Naming schema for Citrix NetScaler ADC


In my day-to-day work (audits, project management, project oversight, architecture, …), I usually see Citrix NetScaler ADCs administered by someone else. In my audits, one of my first steps is checking for a consistent naming scheme. NetScalers tend to be chaotic if naming is chaotic. Of course, one can argue that the naming of objects is not essential, but for me, it is also a gauge of how...

Using the http-ecv monitor together with JSON payload on Citrix ADC / NetScaler


The problem: Funny enough (or frustrating enough), an http-ecv monitor won’t work with JSON-based replies on a Citrix ADC / NetScaler. It will not find any data in an HTTP response and fail. WTF? The reason: The http-ecv monitor requires the http-response to be of MIME-Type text (usually text/html). JSON data, however, is application/json. That’s why it does not work. The solution: There...

Passing LDAP (AD) attributes from SAML IDP to SAML SP with Citrix ADC / NetScaler as a SAML IDP


Sometimes, we need specific attributes like an e-mail address or the userPrincipalName to be passed from a SAML IDP to the SP. If you use a Citrix ADC / NetScaler as SAML IDP, it is, indeed, an easy thing to do. Let’s have a look. Extracting attributes from LDAP: The first step, of course, is always to retrieve an attribute from LDAP. This is done via an LDAP policy. I won’t go into...

A proper DOS-Protection for Citrix Gateway


One of the main concerns that my large customers have is that the Citrix Gateway could fall victim to a DOS or DDOS attack. Linked to this, of course, is the concern that – after a successful attack – it might be possible to bypass authentication or compromise the gateway or the appliance. We have to distinguish between attacks that happen before and those that happen after...