Month: January 2018

NetScaler GEO IP Web Site Protection

You can use the NetScaler to make a GEO IP filter for your Web Sites. This can enhance your security, as only traffic from specified countries is allowed. You can have Web Sites with data you don't want specified countries to access.

You can also use it to send users from specified locations to specified Web Sites, which are customized for them.

In the following example I simply block all traffic not from DK locations.

First check if your GEO IP is imported:

Update:

In the new builds of Citrix ADC/NetScaler the GEO IP Database is included. You only need to enable the Citrix ADC/NetScaler to use it:

add locationFile /var/netscaler/inbuilt_db/Citrix_Netscaler_InBuilt_GeoIP_DB_IPv4

set locationParameter -matchWildcardtoany YES

***** Old blog, start *****

If status is “Not Loaded” upload the GEO IP Database to /var/geoip

I have downloaded the GEO IP Database from http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip

Unfortunately this is a legacy database and maintenance of it will stop, but for testing the configuration it will be fine. This is the statement from MAXMIND:

After uploading the file “GeoIPCountryWhois.csv” to /var/geoip/ you need to configure the NetScaler to load it:

Check that it is loaded:

As of NetScaler Version 11.1 Build 53.11 you need to enable wildcard search, with this:

***** Old Blog, end *****

For testing, I have made a responder action:

And a responder policy:

Now bind the responder policy to the Load Balancing vServer, and test.

To trigger a block I simply change the DK to another country, as I have no way to test from other than DK IP addresses. When changing to SE, I get the following message when testing:

I recommend that you simply use a drop, to hide that you actually make the GEO IP check. You can do that with:

Conclusion:

GEO IP can be used to enhance your security, as you can set a policy for which countries are allowed to access a Web Site or an Access Gateway.

You can use GEO IP to send users to a specified Web Server based on their public IP Addresses.

CLI Commands:

show locationparameter

add locationfile /var/geoip/GeoIPCountryWhois.csv -format GeoIP-Country

set locationParameter -matchWildcardtoany YES

add responder action res_act_display_blocked_page respondwith "\"Sorry, the IP address you are connecting from (\"+CLIENT.IP.SRC+\") is detected as untrusted. Access to our systems from your location is not allowed.\""

add responder policy res_pol_drop_non_dk "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.DK.*.*.*.*\").NOT" res_act_display_blocked_page

set responder policy res_pol_drop_non_dk -action DROP
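As an added illustration (not from the original post), a small Python model of the check the responder policy above performs: it parses rows in the legacy GeoIP-Country CSV layout, looks up the client address and applies the allow-only-DK rule with the DROP action the post recommends. The CSV rows use constructed documentation address ranges, not real allocations.

```python
import csv
import ipaddress
from io import StringIO

# Constructed sample rows in the legacy MaxMind GeoIP-Country CSV layout
# (start IP, end IP, start as integer, end as integer, ISO code, country).
# The addresses are documentation ranges, not real allocations.
SAMPLE_CSV = """\
"192.0.2.0","192.0.2.255","3221225984","3221226239","DK","Denmark"
"198.51.100.0","198.51.100.255","3325256704","3325256959","SE","Sweden"
"203.0.113.0","203.0.113.255","3405803776","3405804031","DE","Germany"
"""


def load_ranges(csv_text):
    """Parse GeoIP-Country rows into sorted (start, end, country) tuples."""
    ranges = []
    for row in csv.reader(StringIO(csv_text)):
        if len(row) < 5:
            continue  # skip blank or malformed rows rather than guessing
        start = int(ipaddress.IPv4Address(row[0]))
        end = int(ipaddress.IPv4Address(row[1]))
        ranges.append((start, end, row[4]))
    return sorted(ranges)


def country_of(ip, ranges):
    """Return the ISO country code covering ip, or None if no range does."""
    n = int(ipaddress.IPv4Address(ip))
    for start, end, country in ranges:
        if start <= n <= end:
            return country
    return None


def responder_decision(ip, ranges, allowed=("DK",), action="DROP"):
    """Mirror CLIENT.IP.SRC.MATCHES_LOCATION("*.DK.*.*.*.*").NOT: every
    client whose location is not in `allowed` hits the responder action.
    An address with no location at all is assumed here to fail the match,
    so it is treated the same as a foreign one (the check fails closed)."""
    if country_of(ip, ranges) in allowed:
        return "ALLOW"
    return action
```

The lookup only says where the database places an address, so keep the database current and treat the filter as one layer among others.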

Citrix Receiver Auto-update

With the new Citrix Receiver Auto-update function, it is important to select the right update program that fits your installation.

You may not want users to update their Citrix Receiver themselves, as your helpdesk then has to deal with different versions of the Citrix Receiver. If your organization requires that you be in the LTSR program, then you have to set this in the installation/policy.

If using installation parameters the following can be used:

To test I have run this installation:

This ends up with these registry settings:

Be aware that I have run the installation as an administrator. If you run the installation as a user then the settings will be under HKEY_CURRENT_USER and not under HKEY_LOCAL_MACHINE.

You can also control the update feature with policies:

Conclusion:

My point is that it is important to think of the update feature when deploying Citrix Receiver. I have seen customers that did not control this and ended up with many calls to the helpdesk, because Citrix Receiver started to update on the clients. A lot of cleanup had to be done because clients had different versions of the Citrix Receiver installed.

 

NetScaler configuration files

"When do I save the NetScaler configuration?" is a question I often get from my customers. Well, that is not an easy question to answer, but if I explain how the NetScaler configuration files work, you might see why.

The NetScaler operates with running and saved configurations. This is a lot like any Cisco product, if you know them. The running configuration is only in memory and is gone if the NetScaler is powered off. Besides that, the NetScaler has five saved configuration files:

Every time you save the NetScaler configuration, the ns.conf file is updated. A backup of the previous one is saved in the ns.conf.0 file. The other configuration files are rotated to keep the newest files on the NetScaler.

With that in mind you should probably not save the configuration every time you make a little change during the day. If you hit the save button repeatedly, then you will not be able to get back to an old configuration after five saves.

I normally save the configuration at the end of the day, but before I do, I run a “Saved v/s Running”:

This gives me a list of all the changes I have made during the day, and I can use that for my documentation.

This is an example of how the “Saved v/s Running” output looks:

As you can see, you even get the commands to change the configuration back.

If you want to do it from the CLI you can use this:

With “Revision History” you can even get the difference between two saved stages:

 

From CLI you can use:

Conclusion:

I often recommend that you save the configuration when you are sure that no other changes are needed. This means that you can save when you have tested, and tested again.

Besides the save on the NetScaler, I have several times used the “Revision History” when customers were not sure of the changes made to the NetScaler configuration.
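To make the two points of this post concrete (the rotation that loses an old configuration after five saves, and the revert commands the comparison gives you), here is an added Python model. It is not NetScaler code: the rotation, the object grammar and the revert rules are simplified assumptions, and the config lines are constructed for the example.

```python
import re

KEEP = 5  # rotated copies kept besides ns.conf (assumed for this model)

def save_config(history, running, keep=KEEP):
    """Simulate 'save ns config': index 0 is ns.conf, index 1 is ns.conf.0
    (the previous ns.conf) and so on; copies past `keep` are dropped."""
    return [list(running)] + history[:keep]

def object_of(rest):
    """'lb vserver v1 HTTP ...' -> 'lb vserver v1' (simplified object grammar)."""
    m = re.match(r"((?:lb|cs|responder)\s+\w+|server|service)\s+(\S+)", rest)
    return f"{m.group(1)} {m.group(2)}" if m else rest

def saved_vs_running(saved, running):
    """Simplified 'Saved v/s Running': the commands only present in the
    running config are the day's changes, and for each we build a command
    that would undo it. This is an illustration, not the appliance's own diff."""
    saved_set, running_set = set(saved), set(running)
    added = [c for c in running if c not in saved_set]
    removed = [c for c in saved if c not in running_set]
    revert = []
    for cmd in added:
        verb, rest = cmd.split(" ", 1)
        if verb == "add":
            revert.append("rm " + object_of(rest))
        elif verb == "bind":
            revert.append("unbind " + rest)  # real unbind syntax varies per object
        elif verb == "set":
            # restore the saved value of the same option on the same object
            opt = next((t for t in rest.split() if t.startswith("-")), "")
            prev = [s for s in saved if s.startswith(f"set {object_of(rest)} {opt}")]
            revert.append(prev[0] if prev else "# manual revert needed: " + cmd)
    return {"added": added, "removed": removed, "revert": revert}

# Constructed sample: the saved ns.conf and the running config at end of day.
SAVED = [
    "add server demo1.virtual-hawk.com 10.11.12.172",
    "add lb vserver cs_lb_vs_demo1.virtual-hawk.com HTTP 0.0.0.0 0",
    "set lb vserver cs_lb_vs_demo1.virtual-hawk.com -persistenceType NONE",
]
RUNNING = SAVED[:2] + [
    "set lb vserver cs_lb_vs_demo1.virtual-hawk.com -persistenceType SOURCEIP",
    "add service lb_svc_demo1.virtual-hawk.com demo1.virtual-hawk.com HTTP 80",
    "bind lb vserver cs_lb_vs_demo1.virtual-hawk.com lb_svc_demo1.virtual-hawk.com",
]
```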

 

Citrix Advanced Content Switching Policy/Action

If you have many websites load balanced on the NetScaler, you probably use Content Switching to minimize the need for IP addresses. For this to work you have policies and actions to control the traffic flow. However, did you know that with NetScaler you can use expressions to configure the Content Switching actions?

This can come in handy when managing load balancing for multiple websites. Let me show you a short configuration to demonstrate how this works.

I have 2 demo web sites configured, demo1.virtual-hawk.com and demo2.virtual-hawk.com. I have created the servers with FQDN names, as I am using host names on the web sites.

IIS configuration:

NetScaler Server configuration:

I then created 2 services for the web sites:

2 Load Balancing Virtual Servers for the Content Switching to go to. These are “non addressable”, because all traffic will come through the Content Switching Virtual Server:

The important thing is the naming of the Load Balancing Virtual Server, as we will use that in the Content Switching Action.

I have made a Content Switching Action with expressions used for targeting the Load Balancing Virtual Server:

With the expression “cs_lb_vs_” + HTTP.REQ.HOSTNAME, the action will go to cs_lb_vs_demo1.virtual-hawk.com if the client requests the site demo1.virtual-hawk.com.

I only need 1 Content Switching Policy:

Finally I created the Content Switching Virtual Server, and bound the policy to it:

Now for the test I checked that demo1.virtual-hawk.com and demo2.virtual-hawk.com are going to the Content Switching Virtual Server on 10.11.12.171:

When I test from the browser, I get the following:

Conclusion:

With the use of Content Switching Action expressions, we can minimize the NetScaler configuration. For any new sites, I only have to configure the Load Balancing Virtual Servers with the right naming and nothing more. All the Content Switching stays the same and is already configured.

 

CLI Commands:

add server demo1.virtual-hawk.com 10.11.12.172

add server demo2.virtual-hawk.com 10.11.12.173

add service lb_svc_demo1.virtual-hawk.com demo1.virtual-hawk.com HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

add service lb_svc_demo2.virtual-hawk.com demo2.virtual-hawk.com HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

add lb vserver cs_lb_vs_demo1.virtual-hawk.com HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180

add lb vserver cs_lb_vs_demo2.virtual-hawk.com HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180

bind lb vserver cs_lb_vs_demo1.virtual-hawk.com lb_svc_demo1.virtual-hawk.com

bind lb vserver cs_lb_vs_demo2.virtual-hawk.com lb_svc_demo2.virtual-hawk.com

add cs action cs_act_http_req_hostname -targetVserverExpr "\"cs_lb_vs_\" + HTTP.REQ.HOSTNAME"

add cs policy cs_pol_http_req_hostname -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"virtual-hawk.com\")" -action cs_act_http_req_hostname

add cs vserver cs_vs_virtual-hawk.com HTTP 10.11.12.171 80 -cltTimeout 180

bind cs vserver cs_vs_virtual-hawk.com -policyName cs_pol_http_req_hostname -priority 100
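An added Python simulation (not Citrix code) of the decision path the commands above configure: the policy rule, the target name built by the expression, and a check for vserver names the expression can never produce, which is where a typo in the naming convention silently breaks a site. The vserver and service names are the page's own; it assumes vservers were created with lower-case names.

```python
# Constructed simulation of the content switching decision. The vserver and
# service names are the page's own; the dispatch logic is an illustration,
# not Citrix code.
PREFIX = "cs_lb_vs_"
LB_VSERVERS = {
    "cs_lb_vs_demo1.virtual-hawk.com": "lb_svc_demo1.virtual-hawk.com",
    "cs_lb_vs_demo2.virtual-hawk.com": "lb_svc_demo2.virtual-hawk.com",
}


def cs_policy_rule(hostname):
    # -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"virtual-hawk.com\")"
    return "virtual-hawk.com" in hostname


def cs_action_target(hostname):
    # -targetVserverExpr "\"cs_lb_vs_\" + HTTP.REQ.HOSTNAME"
    return PREFIX + hostname


def dispatch(headers, vservers=LB_VSERVERS):
    """Return the service a request reaches, or None when it has no target.
    The Host header is case-insensitive while vserver names are not, so this
    simulation lower-cases it (assumption: vservers were created lower-case)."""
    host = headers.get("Host", "").lower()
    if not cs_policy_rule(host):
        # policy not hit: no action runs, and the page configures no default vserver
        return None
    # None when the computed name has no vserver: the request fails closed
    return vservers.get(cs_action_target(host))


def unreachable_vservers(names, rule=cs_policy_rule):
    """Names the expression can never produce for a request that passes the
    policy; run this whenever a new site's vserver is added."""
    return [n for n in names if not n.startswith(PREFIX) or not rule(n[len(PREFIX):])]
```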
