This is the forth part of this blog. Part Part 1 2 3 4 5 Click here to see how to start your WAF project StartURLs are a powerful tool to protect a web server. Probably, creating StartURLs will be the first thing you need to do. There are two ways to deal with it: Learning or doing. Learning Learning does not mean, you learn, instead Citrix ADC / NetScaler learns about the application. There is...
This is the second part of this blog. Part 1 2 3 4 5 Click here to see how to start your WAF project Signatures Make sure, signatures get updated automatically. Today (January 22 2020) we have version 40. Check the auto update settings. Check, if Signatures Auto Update is enabled and Click on “Check URL”. This will connect to the update server and see the current version of signatures...
This is the forth part of this blog. Part Part 1 2 3 4 5 I am currently working on a Citrix ADC (NetScaler) WAF project. It’s a big international enterprise, security is of some concern to them. So everything hould be pretty much straight forward? Well, it never is. So, how to begin? Well, I almost forgot to mention: I have to introduce myself to the customer. “Hi, I’m Johannes...
Recently a friend asked a question: How is it possible to bypass a responder policy. They knew it happened, but they could not reproduce. HTML- Encoding HTML Encoding is a stupid trick, used by hackers ever since. Any character may get encoded using a encoding table. So instead of using you might use something like . This is strictly following standards. No one does, as it is huge overhead, but...
Of course you know the problem. You need to access your Citrix ADC, but you are not in the company. Of course you don’t want to open ports 443 and 22 on the firewall, that would be insane. What can you do? I solved the riddle for http and ssh. The http access It’s more or less easy to connect to a Citrix ADC from outside. You just have to open port 443 to the NSIP, that’s it...
It’s a problem coming up every now and then: I can’t connect to a certain Citrix VDA, but can connect to all/some others. If your problem is a more general one, continue reading here My first guess would always be a L4 problem, but “I opened up all firewalls”. Never open too much, and maybe it’s not an issue about firewalls. First of all, it’s not the STA...
Sometimes, people want to know, how to extract data from APPFW logs. That’s easy, it is in /var/log/ns.log (and it’s predecessors, these ns.log.XX.gz). grep APPFW ns.log will extract all application firewall logs. zcat ns.log.*.gz |grep APPFW will do the same to the old logs. Unfortunately this will give you a terrible mess of output. It’s hardly possible to find false positives...
I recently tried to migrate an existing configuration from one Citrix ADC (NetScaler) to the other. Both of them had been the same hardware (VPX running on KVM), used the same type of license (premium). If you move to different hardware please continue reading from here How to do Basically, it’s just the /flash/nsconfig/ns.conf file to be copied. But if you do you’ll face some serious...
Yesterday I upgraded to NetScaler 13 built 41.20. Everything worked fine. No problems. But out of a sudden, my Exchange deployment failed to authenticate (I did it following Julian Mooren’s outstanding deployment guide). I did some further investigation and found all my other AAA servers don’t authenticate, even though the outcome of authentication requests was positive. I always saw...
last update: September 25th 2019 I was recently asked: Johannes, is it possible to orun the same AAA server, from the inside with single factor, from the outside with two factor authentication? Of course it is. That’s how you do: Prerequisites My test environment contains of a lb vServer (lb_vsrv_colors). I created a AAA vServer aaa_multifactor_ath. There is a content switching vServer...