With NetScaler 14.1, Citrix started to allow binding Web Application Firewall (WAF) policies to an AAA vServer or a Gateway vServer. Why does it make sense to bind a WAF to the gateway? The more popular Citrix NetScaler became, the more the interest of hackers in NetScaler grew, and NetScaler is now a very widely used tool for remote access. Due to the increased interest of hackers...
Deploy Native OTP on Citrix NetScaler using an n-factor flow
n-factor has been around for a few years now, and n-factor flows have also been available on Citrix NetScaler for some time. n-factor flows are much clearer than “traditional” n-factor authentication, but there are a few obstacles on the way to a good deployment. One problem I have failed at is SSO (Single Sign-On) when the password is the second factor. The deployment I am...
Changing favicon and header-colour of Citrix NetScaler’s and Citrix ADM’s GUI
One of the most annoying things that can happen to you is making changes to the wrong NetScaler. I don’t know about you, but it happens to me from time to time because I usually have several NetScalers open at the same time, ideally NetScalers with identical configurations: the test environment, the integration environment and the production environment. Experiments and trials in the...
Where did Citrix NetScaler’s dig command go?
In the latest versions of Citrix NetScaler ADC, the dig command is missing. Where did it go, and why? The reason is relatively simple: recent versions of BSD (from version 10 onwards) no longer ship dig; it has been replaced by drill. The good news is that drill has almost the same functions and parameters as dig, so you just have to replace dig with drill. The current Citrix NetScaler...
Citrix NetScaler Gateway: How to log on to different domains
A real-world problem: my customer had a gateway that allowed logging on to two different domains (Domain1 and Domain2). For each domain, there was a Citrix Virtual Apps and Desktops (CVAD) environment. If you logged on to Domain1, you should be connected to CVAD1; if you logged on to Domain2, to CVAD2. There was an additional problem: it was possible that the same user with the same password...
How to find out when an STA went down on Citrix NetScaler ADC
Recently, I came across a question: when did the STA go down, and how can we find out? Well, that’s easy to tell, as it gets logged. Unfortunately, the log isn’t that easy to understand. And, of course, like all logs in Citrix NetScaler, it disappears in a bit more than a day due to logfile rollover. Where do we search for these logs? As always, my first source is Syslog. In a...
Blocking requests to the IP address in SSL vServers on Citrix NetScaler ADC
This might sound like an idea from an overcautious, paranoid guy. But it’s not: my customer is in a very sensitive business. The problem: somebody may scan the internet for open ports and, at random, connect to my customer’s IP. This person will send a request and see my customer’s gateway. He might get curious, even though the gateway is not branded at all and the hostname is not...
Importing an existing NetScaler configuration from MPX/SDX into a VPX
It’s one of the things I do most often: import a customer’s NetScaler installation into a VPX, so I can have a look at it. In fact, I do most of my audits that way. What is required: the best basis is a Citrix NetScaler backup. It contains everything we need, except for certificates, plus some other data such as logs. The ns.conf file alone would be...
Citrix NetScaler language definition for Notepad++
Notepad++ is widely used by Windows administrators. The reason is that Notepad++ is not just a good editor, it also “understands” different languages, like HTML, CSS, Java, Perl and many more. My friend and fellow CCI (Citrix trainer) at that time, Christian Schwendemann (now a Citrix employee), created NetScaler definitions for Notepad++. He sent them to me, but I found several...
Importing/exporting Citrix NetScaler Application Firewall profiles
Usually, we create profiles in a test environment. After careful testing, we have to copy them to the production and DR sites. Requirements: test, production and DR sites have to run exactly the same version, or the import will fail; the user has to be able to use the shell (so the account has to be equivalent to nsroot). Exporting a profile: the profile can be exported at any time. This can be done...