Category: Tricks

Protecting a URL using Citrix ADC responder policies

Recently a friend asked a question: How is it possible to bypass a responder policy? They knew it happened, but they could not reproduce it. HTML-Encoding: HTML Encoding is a stupid trick, used by hackers ever since. Any character may get encoded using an encoding table. So instead of using you might use something like . This is strictly following standards. No one does, as it is huge overhead, but...

Virtual Apps and Desktops (XenApp) can’t connect through Citrix Gateway (NetScaler)?

It’s a problem coming up every now and then: I can’t connect to a certain Citrix VDA, but can connect to all/some others. If your problem is a more general one, continue reading here. My first guess would always be an L4 problem, but “I opened up all firewalls”. Never open too much, and maybe it’s not an issue about firewalls. First of all, it’s not the STA...

statistical data from Citrix ADC / NetScaler APPFW logs

Sometimes, people want to know how to extract data from APPFW logs. That’s easy, it is in /var/log/ns.log (and its predecessors, these ns.log.XX.gz). grep APPFW ns.log will extract all application firewall logs. zcat ns.log.*.gz | grep APPFW will do the same to the old logs. Unfortunately this will give you a terrible mess of output. It’s hardly possible to find false positives...

Migrating a Citrix ADC / NetScaler config to another box

I recently tried to migrate an existing configuration from one Citrix ADC (NetScaler) to the other. Both of them had been the same hardware (VPX running on KVM), used the same type of license (premium). If you move to different hardware please continue reading from here. How to do: Basically, it’s just the /flash/nsconfig/ns.conf file to be copied. But if you do, you’ll face some serious...

Citrix ADC / NetScaler: two factors from outside, single factor inside

Last update: September 25th 2019. I was recently asked: Johannes, is it possible to run the same AAA server, from the inside with single factor, from the outside with two factor authentication? Of course it is. That’s how you do it. Prerequisites: My test environment consists of a lb vServer (lb_vsrv_colors). I created an AAA vServer aaa_multifactor_ath. There is a content switching vServer...

Citrix ADC (NetScaler) 13: Pre-authenticating to TCP based services

Photo by geralt (pixabay.com). Last update: January 5th 2020. Recently I had to find a solution to block all connections to a TCP based service (SSH, TCP port 22), except for connections from IP addresses that pre-authenticated using an AAA vServer. This is something most firewalls can do, but a Citrix ADC / NetScaler can’t. Ok, it can do, or would you think I’ll write a blog about me failing...

Citrix ADC 13.0: crash dumps filling up /var directory

Last update: 09/23/2019. I face lack of disk space since I upgraded to Citrix ADC 13.0 (“Citrix NetScaler 13.0”), 13.0 build 36.27. Symptoms: It’s not possible to log on any more, using external authentication. Logging is stopped due to /var being out of disk space. Citrix ADC does not work fine any more. In addition it may lead to a reboot, unsaved configuration may get...

IP-Address calculator

Last update: August 2019. I have created an IP address calculator. It’s calculating network- and host address, shows whether an optional 2nd address is local or remote. Output is decimal, hexadecimal and binary. It will tell you if an IP address is valid or not (i.e. 172.16.253.0 / 24 is invalid while 172.16.253.0 / 23 would be valid; 127.255.255.254 is a loop-back address, 169.254.15.2 is...

Citrix ADC (NetScaler) Videos

I love doing whiteboarding sessions. I always do it during training, and I also did some at home and put these on YouTube. This is a list of videos I did: My first video was about setting up a Citrix ADC (Citrix NetScaler). It was a blended video, some parts clicking into Citrix NetScaler ADC, some parts white-boarding. My second video was about basic Load-balancing on Citrix ADC (Citrix...

Debugging Authentication problems in Citrix ADC / NetScaler using the aaad.debug file

Last update: October 2nd 2018. This is the second part of debugging logon. The first one, a network trace about LDAP, may be found here. Citrix ADC / NetScaler logs all events related to AAA (authentication, authorization, auditing) to /tmp/aaad.debug. You need to be nsroot or superuser to successfully log on to the BSD shell. This is a requirement to change to BSD shell. Change to the /tmp...
