Tag: ADC

Citrix ADC, Secure LDAP, Updated

Microsoft has announced that from March 2020, only secure LDAP requests are supported: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

From the article:

LDAP channel binding and LDAP signing provide ways to increase the security of network communications between an Active Directory Domain Services (AD DS) or an Active Directory Lightweight Directory Services (AD LDS) and its clients. There is a vulnerability in the default configuration for Lightweight Directory Access Protocol (LDAP) channel binding and LDAP signing and may expose Active directory domain controllers to elevation of privilege vulnerabilities. Microsoft Security Advisory ADV190023 addresses the issue by recommending the administrators enable LDAP channel binding and LDAP signing on Active Directory Domain Controllers. This hardening must be done manually until the release of the security update that will enable these settings by default.

Microsoft intends to release a security update on Windows Update to enable LDAP channel binding and LDAP signing hardening changes and anticipates this update will be available in March 2020.

Why is this important for the Citrix ADC? Because the Citrix ADC can use three modes of LDAP communication:

  • PLAINTEXT:
  • TLS:
  • SSL:

If your configuration uses PLAINTEXT, it will stop working after March if you patch your Windows Domain Controllers, and who doesn't do that?

Get out there and check your configuration and change it if you are using PLAINTEXT.
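One way to run that check offline against a saved copy of the configuration, as an added example that is not part of the original post. It parses `add authentication ldapAction` lines and reports the `-secType` of each; the sample lines, names and addresses are constructed, and treating a line with no `-secType` as "REVIEW" is an assumption, since the effective default should be confirmed on the appliance itself.

```python
import shlex

# Constructed sample in ns.conf style; names and addresses are made up.
SAMPLE_CONFIG = """\
add authentication ldapAction ldap_dc1 -serverIP 192.0.2.10 -serverPort 389 -ldapBase "dc=example,dc=test" -ldapLoginName sAMAccountName -secType PLAINTEXT
add authentication ldapAction ldap_dc2 -serverIP 192.0.2.11 -serverPort 636 -ldapBase "dc=example,dc=test" -secType SSL
add authentication ldapAction ldap_dc3 -serverName dc3.example.test -serverPort 389 -secType TLS
add authentication ldapAction "ldap legacy" -serverIP 192.0.2.12 -ldapBase "dc=example,dc=test"
add lb vserver lb_web HTTP 192.0.2.50 80
"""

def parse_ldap_actions(config_text):
    """Yield (name, params) for every 'add authentication ldapAction' line."""
    for line in config_text.splitlines():
        try:
            tokens = shlex.split(line)
        except ValueError:          # unbalanced quote: fall back to a plain split
            tokens = line.split()
        head = [t.lower() for t in tokens[:3]]
        if len(tokens) < 4 or head != ["add", "authentication", "ldapaction"]:
            continue
        params, i = {}, 4
        while i < len(tokens):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "-"
            if tokens[i].startswith("-") and not nxt.startswith("-"):
                params[tokens[i].lower()] = nxt
                i += 2
            else:                   # bare switch such as -encrypted, or a stray token
                i += 1
        yield tokens[3], params

def audit(config_text):
    """Return (name, server, port, secType, verdict) for each LDAP action."""
    findings = []
    for name, p in parse_ldap_actions(config_text):
        sec = p.get("-sectype", "").upper() or "UNSPECIFIED"
        if sec == "PLAINTEXT":
            verdict = "CHANGE"      # cleartext LDAP: the mode the post says will stop working
        elif sec in ("TLS", "SSL"):
            verdict = "OK"
        else:
            verdict = "REVIEW"      # assumption: no -secType shown, confirm on the appliance
        server = p.get("-serverip") or p.get("-servername") or "?"
        findings.append((name, server, p.get("-serverport", "default"), sec, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("{:12} {:18} port={:8} secType={:12} {}".format(*finding))
```
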

Citrix ADC 12.1 (NetScaler ADC), New licensing

Expiration:

 

With the new version 12.1 Build 48.13, Citrix added information about the license expiration date. This is nice when running a Trial or Demo license:

Along with that they made another change, which you will find if you read their documentation carefully:

From https://docs.citrix.com/en-us/netscaler/12-1/licensing/netscaler-licensing-overview.html:

“Upon license expiration, the Citrix ADC appliance automatically restarts to revoke the license. If Citrix ADC appliance uses Citrix service provider (CSP) licenses, the appliance does not restart automatically to revoke the license. However, if the user restarts the appliance, it restarts as unlicensed.”

And trust me, it will restart the NetScaler. As a consultant I often use Trial versions for PoC. There were no problems in running beyond the expiration date if you did not restart the NetScaler. This is over now.

 

Express vs. Freemium:

 

Some time ago the Express version was replaced with the Freemium license. The Express license needs to be updated every year because of the 1-year expiration. The Freemium license has no expiration date, but it does not include the Access Gateway feature.

This is a problem, as the Express version was for very small customers as a replacement for their old Citrix Secure Gateway (Yes, I am that old and have done a lot of installations of the Citrix Secure Gateway). So, what do customers running the Express version do then?

If we look at https://support.citrix.com/article/CTX121291 we find the answer:

Just update the NetScaler, and you will end up with an Express version with no expiration:

This must be done before the expiration of the old Express license, because if you restart the NetScaler with an expired license all features are disabled.

 

Conclusion:

 

Changes are made, so read the documentation. Get out there and upgrade the Express installations to version 12.1.

 
