photo by geralt (pixabay.com) last update: January 5th 2020 Recently I had to find a solution to block all connections to a TCP based service (SSH, TCP port 22), except connections from IP addresses that pre-authenticated using an AAA vServer. This is something most firewalls can do, but a Citrix ADC / NetScaler can’t. Ok, it can do it, or would you think I’d write a blog about me failing...
Citrix ADC 13.0: crash dumps filling up /var directory
last update: 09/23/2019 I have been facing a lack of disk space since I upgraded to Citrix ADC 13.0 (“Citrix NetScaler 13.0”) build 13.0 build 36.27. Symptoms: It’s not possible to log on any more using external authentication. Logging stops because /var is out of disk space. Citrix ADC does not work properly any more. In addition it may lead to a reboot, and unsaved configuration may get...
Single sign on to SAS applications using Citrix ADC / NetScaler Gateway and Microsoft ADFS
last update: April 2023 The problem I recently had to assist in designing a portal solution. The customer had an existing solution based on Microsoft ADFS to log on users to ShareFile, Office 365, SAP and similar applications. In addition they used Citrix Gateway (NetScaler Gateway) to publish XenApp applications and VDI (XenDesktop) to users. We had to unify the user experience and...
IP-Address calculator
last update: August 2019 I have created an IP address calculator. It calculates the network and host addresses and shows whether an optional 2nd address is local or remote. Output is decimal, hexadecimal and binary. It will tell you if an IP address is valid or not (i.e. 172.16.253.0 / 24 is invalid while 172.16.253.0 / 23 would be valid; 127.255.255.254 is a loop-back address, 169.254.15.2 is...
NetScaler WAF profile types
One of the first things you do if you need to secure a web application using Citrix NetScaler ADC WAF (Web Application Firewall) is setting the correct profile type. Even though the profile type may be changed later on, it is a serious decision you have to make. There are two settings: The Profile Type Web Application (HTML) XML Application (XML, SOAP) Web 2.0 Application (HTML, XML, REST)...
Citrix ADC (NetScaler) AAA-traffic explained
Authentication in Citrix ADC (NetScaler) is done from BSD, not from Citrix ADC (NetScaler). Because of this, traffic usually originates from NSIP. This sometimes comes as a surprise to network (and firewall) admins. “Usually” means: it may very well be a little bit different. Normal behaviour Usually NetScaler sends an authentication request to BSD. The AAA daemon in BSD will then connect to...
How will a Citrix ADC (NetScaler) Web-application Firewall (WAF) change your ADC’s behaviour?
There is one thing different about a Citrix ADC WAF (Web Application Firewall) compared to most other features in Citrix ADC: It will affect your whole ADC deployment as soon as you turn it on. If you would, for example, turn on the rewrite feature (enable feature RW), it would probably add a microsecond or two to packet processing, but apart from this not affect anything, as there are no policies...
Citrix ADC (NetScaler) Videos
I love doing whiteboarding sessions. I always do it during training, and I also did some at home and put these on YouTube. This is a list of videos I did: My first video was about setting up a Citrix ADC (Citrix NetScaler). It was a blended video, some parts clicking into Citrix NetScaler ADC, some parts white-boarding. My second video was about basic load-balancing on Citrix ADC (Citrix...
Debugging Authentication problems in Citrix ADC / NetScaler using the aaad.debug file
last update: October 2nd 2018 This is the second part of debugging logon. The first one, a network trace about LDAP, may be found here. Citrix ADC / NetScaler logs all events related to AAA (authentication, authorization, auditing) to /tmp/aaad.debug. You need to be nsroot or a superuser to successfully log on to the BSD shell; this is a requirement to change to the BSD shell. Change to the /tmp...
LDAP and Citrix ADC / NetScaler
last update: November 3rd 2020 This is the first part of debugging logon problems. The second one, an explanation of the aaad.debug log, may be found here. Recently I had to debug LDAP authentication on Citrix ADC / NetScaler and I started digging deeper. I wanted to know how LDAP authentication really works, so I did what I always do in a case like that: I started with a network trace. Attention: in...