last update: July 12th 2022 If someone makes a typing error when entering the domain name, he will not get a valid response. This is a typical example: You can clearly see: The response got an NXDOMAIN status, a non-existing domain. This, however, is not always desired, instead, you might want to return an IP address. It should have looked like this: This time, you see an answer section. The IP...
last update: November 16 2023 There is a question coming up every now and then: How to extend space on a Citrix ADC formerly called NetScaler. First of all: There is no supported way to do so! With this in mind, we can continue. Is there a real need to extend the disk space? The answer is no. There is plenty of space for all needs. You said, there is space enough, why did I run out of diskspace...
Last update: December 22nd 2021 Many of us, today, struggle with the Log4J security issue (CVE-2021-44228). It will take a long time to fix all apps, as the Apache log4J framework is built deep into several apps. For many of my customer’s apps, it’s still not clear, if whether they are affected, or not. At the same time, there are already exploits out there, allowing attackers to get shell access...
last update: February 21st 2022 Recently, I had been asked, how to protect a gateway from threads. It’s easy, I thought, Citrix ADC has everything needed in good quality: A Bot Management, Web Application Firewall (WAF), and AppQoE (Application quality of experience, a DOS protection feature). So nothing easier than that: Create the policies desired and bind them to the gateway. Shortly...
HTTP v3 and HTTP v2 on a Citrix ADC / NetScaler last update: February 28th 2022 HTTP/1.0 and HTTP/1.1 are dead. They are inefficient plain text protocols. The amount of data to be transferred is huge and latency is a big problem, mostly for intercontinental connections. But what alternatives do we have? Are there alternatives? A view on the history of HTTP HTTP/0.9 – The one-line protocol The...
There is something I frequently get asked for: How can we find out, which users use which ciphers? Will Citrix ADC show this information? Does ADM show it? A simple answer would be: No chance, ADC can’t do it at all. ADM – however – can do. If you don’t like ADM (I’d wonder why) you can’t. Let’s not make things that simple. We all are engineers. The word...
I recently had been asked, if it would be possible to export syslog files and the TCP connection table into Microsoft Excel. Exporting Syslog to Microsoft Excel Exporting the syslog file is quite simple: It’s just a tiny bash script: rm /var/log/output.csv while read -r month day time servity ip date timezone hostname ppe spacer msg; do printf "%s;" "$month $day $time" "$servity" "$ip"...
Citrix ADC / NetScaler has three types of persistence that sound similar: Rule-Based Persistence (RULE) Custom Server ID (CUSTOMSERVERID) URL Passive (URLPASSIVE) Rule-based persistnce set lb vserver <servername> -persistenceType RULE -rule "<request-rule>" -resRule "<response-rule>" -cltTimeout <persistence timeout> With rule-based persistence, we use the existing...
In Theory, it’s easy: Load Balancing is stronger than Content Switching. I tested with 13.0 82.42 on a Citrix ADC VPX. With some surprise to me: There had been differences between the features tested. I tested with Responder Policies, Citrix ADC Bot Protection, and Citrix Web Application Firewall. The setup I used a content switching vServer (192.168.229.200) and a non-addressable load-balancing...
This is something, people tend to ask for: A sorry server responding with a meaningful message in case all services are down. It’s an easy task to do, so I decided to write a quick guide on how to create a setup like that. What we need A load-balancing vServer does not respond, as soon as all services are down. However, there are “protection Servers”. And that’s what I will use...