Category: Security

Citrix ADC (NetScaler) 13: Pre-authenticating to TCP based services

Last update: January 5th 2020. Recently I had to find a solution to block all connections to a TCP based service (SSH, TCP port 22), except for connections from IP addresses that pre-authenticated using a AAA vServer. This is something most firewalls can do, but a Citrix ADC / NetScaler can’t. OK, it can, or would you think I’ll write a blog about me failing...

Single sign on to SAS applications using Citrix ADC / NetScaler Gateway and Microsoft ADFS

Last update: April 2023. The problem: I recently had to assist in designing a portal solution. The customer had an existing solution based on Microsoft ADFS to log on users to ShareFile, Office 365, SAP and similar applications. In addition, they used Citrix Gateway (NetScaler Gateway) to publish XenApp applications and VDI (XenDesktop) to users. We had to unify the user experience and...

NetScaler WAF profile types

One of the first things you do if you need to secure a web application using Citrix NetScaler ADC WAF (Web Application Firewall) is setting the correct profile type. Even though the profile type may be changed later on, it is a serious decision you have to make. There are two settings: The Profile Type: Web Application (HTML), XML Application (XML, SOAP), Web 2.0 Application (HTML, XML, REST)...

How will a Citrix ADC (NetScaler) Web-application Firewall (WAF) change your ADC’s behaviour?

There is one thing different about a Citrix ADC WAF (Web Application Firewall) compared to most other features in Citrix ADC: It will affect your whole ADC deployment as soon as you turn it on. If you would, for example, turn on the rewriting feature (enable feature RW), it would probably add a microsecond or two to packet processing, but apart from this not affect anything, as there are no policies...

Debugging Authentication problems in Citrix ADC / NetScaler using the aaad.debug file

Last update: October 2nd 2018. This is the second part of debugging logon. The first one, a network trace about LDAP, may be found here. Citrix ADC / NetScaler logs all events related to AAA (authentication, authorization, auditing) to /tmp/aaad.debug. You need to be nsroot or superuser to successfully log on to the BSD shell. This is a requirement to change to BSD shell. Change to the /tmp...

LDAP and Citrix ADC / NetScaler

Last update: November 3rd 2020. This is the first part of debugging logon problems. The second one, an explanation of aaad.debug log, may be found here. Recently I had to debug LDAP authentication on Citrix ADC / NetScaler and I started digging deeper. I wanted to know how LDAP authentication really works, so I did what I always do in a case like that: I started with a network trace. Attention: in...

How can Citrix NetScaler ADC protect cookies from being stolen?

How to protect your cookies using Citrix NetScaler. Remark: Citrix ADC (NetScaler) firmware version 13 contains cookie theft protection. I recently did a web application firewall (WAF) project for a big company owning and hosting hundreds of websites. They did several penetration tests. One of them focussed on cookies. Citrix NetScaler did a great job protecting cookies, cookie tampering was...

Detecting Slowloris with Citrix NetScaler (Citrix ADC)

Last update: Nov 21st, 2018; tested using firmware 11.1. If you read about Slowloris, you always read about NetScaler doing a great job. Tests in our lab environment show: NetScaler will successfully block these attacks. And there is hardly anything we have to do about it: It’s built into the system. Great news indeed! The only thing we have to do is reduce client idle timeout to a lower...

Concerns about Citrix NetScaler Web Application Firewall (WAF)

Let’s talk about a WAF, a Web Application Firewall on a Citrix NetScaler. What’s to be concerned about? Is it worthwhile considering a NetScaler to be your WAF? I do work for several companies, including Citrix Consulting Services. Recently I worked on some Web Application Firewall projects, so I have some experience with it. Usual concerns: Will a Citrix NetScaler really be a safe WAF? How...

Logging more detailed data about websites blocked by NetScaler Web Application Firewall (WAF)

Last update: April 16th 2018. I had been asked recently: Johannes, how can we log data about NetScaler Application Firewall policy hits in detail? The standard NetScaler Web Application Firewall log files: NetScaler’s Web Application Firewall logs to /var/log/ns.log. These logs are fine for troubleshooting. There is a good description of these logs here. This is a sample log, stolen from...
