n-factor has been around for a few years now, and n-factor flows have also been on board a Citrix NetScaler for some time. n-factor flows are much clearer than “traditional” n-factor authentication, but there are a few obstacles on the way to a good deployment. One problem that I have failed at is SSO (Single Sign On) when the password is the second factor. The deployment I am...
Blocking requests to the IP address in SSL vServers on Citrix NetScaler ADC
This might sound like an idea from an overcautious paranoid guy. But it’s not: My customer is in a very sensitive business. The problem Somebody may scan the internet for open ports and, by random, connect to my customer’s IP. This person will send a request and see my customer’s gateway. He might get curious, even though the gateway is not branded at all and the hostname is not...
Protecting WordPress based websites using Citrix NetScaler WAF
WordPress is one of the most popular web publishing software, both in the private and commercial sectors. While the private sector will hardly use a Citrix NetScaler ADC, not to mention, Citrix Firewall, it is rather common in the commercial world. This page will focus on a simple, robust deployment. It requires advanced (enterprise) or premium (platinum) editions of Citrix NetScaler ADC. It’s...
A proper DOS- Protection for Citrix Gateway
One of the main concerns that my large customers have is that the Citrix Gateway could fall victim to a DOS or DDOS attack. Linked to this, of course, is the concern that – after a successful attack – it might be possible to bypass authentication or compromise the gateway or the appliance. We have to distinguish between attacks that happen before and those that happen after...
Securing Citrix Gateway using Citrix ADC Bot Management, Citrix Web Application Firewall and DOS-Protection
last update: February 21st 2022 Recently, I had been asked, how to protect a gateway from threads. It’s easy, I thought, Citrix ADC has everything needed in good quality: A Bot Management, Web Application Firewall (WAF), and AppQoE (Application quality of experience, a DOS protection feature). So nothing easier than that: Create the policies desired and bind them to the gateway. Shortly...
Citrix ADC / NetScaler: How to find out, which users use which Ciphers?
There is something I frequently get asked for: How can we find out, which users use which ciphers? Will Citrix ADC show this information? Does ADM show it? A simple answer would be: No chance, ADC can’t do it at all. ADM – however – can do. If you don’t like ADM (I’d wonder why) you can’t. Let’s not make things that simple. We all are engineers. The word...
Priority of policies in Citrix ADC / NetScaler Content Switching in combination with Load Balancing
In Theory, it’s easy: Load Balancing is stronger than Content Switching. I tested with 13.0 82.42 on a Citrix ADC VPX. With some surprise to me: There had been differences between the features tested. I tested with Responder Policies, Citrix ADC Bot Protection, and Citrix Web Application Firewall. The setup I used a content switching vServer (192.168.229.200) and a non-addressable load-balancing...
Flexible Multi-Factor flows in Citrix ADC (NetScaler) using Azure MFA
I came across following issue, doing a Citrix ADC / NetScaler project: My customer wanted to use Azure MFA for internal users and LDAP/RADIUS for external users like contractors and parters. That’s a typical use-case for n-factor authentication. So how do we solve problems like that? The solution A Solution based on group membership The difference between internal and external users is...
Citrix ADC / NetScaler and TLS 1.3
Last change: December 21st 2021. Thanks to Dirk Bautz! This is the 2nd part to my article “Which ciphers to use on a Citrix ADC /NetScaler?” This one had been about TLS versions up to 1.2 only. Moving from TLS 1.2 to TLS 1.3 on an existing Citrix ADC ( NetScaler) may be a big step with some obstacles to overcome. It needs some investigation. Why TLS 1.3? Simple: TLS 1.3 is faster, as...
Which cyphers to use on a Citrix ADC /NetScaler?
latest update: May 5th 2021 Recently I found myself in a discussion with another Citrix architect about the number of cyphers needed. I had added as little as fife cyphers to a cypher group. He thought this is not enough. Why should we have many cyphers into a cypher group? To be honest, I don’t understand. It may look flexible, feature-rich and mighty. Customers may get impressed...