Category: aaa

A really good WAF for NetScaler AAA/Gateway

With NetScaler 14.1, Citrix started to allow binding Web Application Firewall (WAF) policies to an AAA vServer or a Gateway. Why does it make sense to bind a WAF to the gateway? The more popular Citrix NetScaler became, the greater the interest of hackers in NetScaler grew. And NetScaler is now a very widely used tool for remote access. Due to the increased interest of hackers...

Deploy Native OTP on Citrix NetScaler using an n-factor flow

n-factor has been around for a few years now, and n-factor flows have also been available on a Citrix NetScaler for some time. n-factor flows are much clearer than “traditional” n-factor authentication, but there are a few obstacles on the way to a good deployment. One problem I have failed at is SSO (Single Sign-On) when the password is the second factor. The deployment I am...

Citrix NetScaler Gateway: How to log on to different domains

A real-world problem: my customer had a gateway that could log on to two different domains (Domain1 and Domain2). For each domain, there was a Citrix Virtual Apps and Desktops (CVAD) environment. If you log on to Domain1, you should get connected to CVAD1; if you log on to Domain2, then to CVAD2. There was an additional problem: it was possible that the same user with the same password...

Protecting WordPress based websites using Citrix NetScaler WAF

WordPress is one of the most popular web publishing platforms, both in the private and commercial sectors. While the private sector will hardly use a Citrix NetScaler ADC, let alone the Citrix firewall, it is rather common in the commercial world. This page will focus on a simple, robust deployment. It requires the Advanced (Enterprise) or Premium (Platinum) edition of Citrix NetScaler ADC. It’s...

A proper DoS Protection for Citrix Gateway

One of the main concerns that my large customers have is that the Citrix Gateway could fall victim to a DoS or DDoS attack. Linked to this, of course, is the concern that – after a successful attack – it might be possible to bypass authentication or compromise the gateway or the appliance. We have to distinguish between attacks that happen before and those that happen after...

RADIUS on Citrix ADC / NetScaler

Two and a half years ago, I wrote an article about LDAP. I always planned to add an article about RADIUS as well, but I never did. Today, I had to troubleshoot a RADIUS problem, so I did the necessary traces. It is a DUO server, but most other servers behave similarly. Here we go! What is RADIUS? RADIUS (Remote Authentication Dial-In User Service) is a protocol to...

Flexible Multi-Factor flows in Citrix ADC (NetScaler) using Azure MFA

I came across the following issue while doing a Citrix ADC / NetScaler project: my customer wanted to use Azure MFA for internal users and LDAP/RADIUS for external users like contractors and partners. That’s a typical use case for n-factor authentication. So how do we solve problems like that? The solution: a solution based on group membership. The difference between internal and external users is...

Citrix ADC / NetScaler: two factors from outside, single factor inside

Last update: September 25th 2019. I was recently asked: Johannes, is it possible to run the same AAA server with single-factor authentication from the inside and two-factor authentication from the outside? Of course it is. That’s how you do it. Prerequisites: my test environment consists of an lb vServer (lb_vsrv_colors). I created an AAA vServer aaa_multifactor_ath. There is a content switching vServer...

Citrix ADC (NetScaler) AAA-traffic explained

Authentication in Citrix ADC (NetScaler) is done from BSD, not from Citrix ADC (NetScaler) itself. Because of this, traffic usually originates from the NSIP. This sometimes surprises network (and firewall) admins. Usually means: it may very well be a little bit different. Normal behaviour: usually NetScaler sends an authentication request to BSD. The AAA daemon in BSD will then connect to...

Debugging Authentication problems in Citrix ADC / NetScaler using the aaad.debug file

Last update: October 2nd 2018. This is the second part of debugging logon. The first one, a network trace about LDAP, may be found here. Citrix ADC / NetScaler logs all events related to AAA (authentication, authorization, auditing) to /tmp/aaad.debug. You need to be nsroot or a superuser to log on to the BSD shell successfully; this is a requirement for changing to the BSD shell. Change to the /tmp...
