Tag: Citrix Page 1 of 2

Citrix ADC, Secure LDAP

Microsoft has announced that from January 2020, only secure LDAP request are supported: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

From the article:

LDAP channel binding and LDAP signing provide ways to increase the security of network communications between an Active Directory Domain Services (AD DS) or an Active Directory Lightweight Directory Services (AD LDS) and its clients. There is a vulerability in the default configuration for Lightweight Directory Access Protocol (LDAP) channel binding and LDAP signing and may expose Active directory domain controllers to elevation of privilege vulnerabilities.  Microsoft Security Advisory ADV190023 address the issue by recommending the administrators enable LDAP channel binding and LDAP signing on Active Directory Domain Controllers. This hardening must be done manually until the release of the security update that will enable these settings by default. 

Microsoft intends to release a security update on Windows Update to enable LDAP channel binding and LDAP signing hardening changes and anticipate this update will be available in mid-January 2020.”

And why is this important for the Citrix ADC. Well that is because that we can use 3 mode of LDAP communications on the Citrix ADC:

  • PLAINTEXT:
  • TLS:
  • SSL:

If your configuration uses PLANTEXT, that it will stop working after mid-January, if you patch your Windows Domain Controllers, and who don’t do that.

Get out there and check your configuration and change it if you are using PLAINTEXT.

Citrix ADC 12.1 (NetScaler ADC), New licensing

Expiration:

 

With the new version 12.1 Build 48.13, Citrix added information about license expiration date. This is nice when running a Trial or Demo license:

With that they added another change, if care reading their documentation:

From https://docs.citrix.com/en-us/netscaler/12-1/licensing/netscaler-licensing-overview.html:

“Upon license expiration, the Citrix ADC appliance automatically restarts to revoke the license. If Citrix ADC appliance uses Citrix service provider (CSP) licenses, the appliance does not restart automatically to revoke the license. However, if the user restarts the appliance, it restarts as unlicensed.”

And trust me it will restart the NetScaler. As a consultant I offend use Trial versions for PoC. There where no problems in running beyond the expiration date if you did not restart the NetScaler. This is over now.

 

Express vs. Freemium:

 

Some time a go the Express version was replaced with the Freemium license. The Express license need to be updated every year because of the 1-year expiration. The Freemium have no expiration date, but it has not the Access Gateway feature.

This is a problem as the Express version was for very small customers with a replace for their old Citrix Secure Gateway (Yes, I am that old and have done a lot of installations of the Citrix Secure Gateway). So, what to customers running the Express version then do?

If we look at https://support.citrix.com/article/CTX121291 we find the answer:

Just update the NetScaler, and you will end up with an Express version with no expiration:

This must be done before the expiration of the old Express license, because if you restart the NetScaler with an expired license all features are disabled.

 

Conclusion:

 

Changes are made, so read the documentation. Get out there and upgrade the Express installations to version 12.1.

 

Citrix NetScaler, Custom logging

We, my college and I, where doing a XenMobile installation at a customer, which had a strict logging policy. The users where allow internet access through Secure Web App in XenMobile.

All internet traffic had to go out of the company Firewall, for security reasons. When doing this the NetScaler SNIP is logged in the Firewall, but the customer wants the user’s devices IP address logged.

 

We came up with a custom logging solution with a syslog server. The syslog server configuration on the NetScaler was done, se more here:

 

How to Configure Syslog on a NetScaler Appliance

https://support.citrix.com/article/CTX121728

 

When that was done, I configured an Auditing Message Actions:

With this I log the device IP and the requested URL.

The I made an Rewrite policy, with the flowing settings:

This will not do any rewrite, as action is set to NOREWRITE, but it will use the Auditing Message Actions and send the information to the syslog server.

 

Finally, I bound the rewrite policy to the XenMobile Access Gateway configuration:

For the test I tried to access http://dr.dk with in the Secure Web App, and I found the flowing logging on the syslog server:

Conclusion:

We ended up with a logging of the device IP and the access URL. With the many expressions available on the NetScaler you would be able to log almost everything in the syslog server.

Remember to bound the rewrite policy with NEXT as Goto Expression, or you could end up with others rewrite policies not being processed.

 

CLI commands:

add audit messageaction log_act_custom ALERT “\”Client:\”+CLIENT.IP.SRC+\” accessed \”+HTTP.REQ.URL”

add rewrite policy log_rw_pol true NOREWRITE -logAction log_act_custom

bind vpn vserver < Gateway virtual server name> -policy log_rw_pol -priority 100 -gotoPriorityExpression NEXT -type REQUEST

 

Citrix Receiver Auto-update

With the new Citrix Receiver Auto-update function, it is important to select the right update program that fit your installation.

You may not want users to update their Citrix Receiver them self, as your helpdesk has to deal with different versions of the Citrix Receiver. If your organization requires that you be in the LTSR program, then you have to set this on the installation/policy.

If using installation parameters the flowing can be used:

To test I have run this installation:

This end up with these registry settings:

Be aware that I have run the installation as an administrator. If you run the installation as a user then the settings will be under HKEY_CURRENT_USER and not under HKEY_LOCAL_MACHINE.

You can allow control the update feature with policies:

Conclution:

My point is that it is important to think of the update feature, when deploying Citrix Receiver. I have seen customers that did not control this and end up with many calls to the helpdesk, because Citrix Receiver started to update on the clients.  A lot of cleanup had to be done because clients had different versions of the Citrix Receiver installed.

 

Citrix Advanced Content Switching Policy/Action

If you have, many websites Load Balancing on the NetScaler you properly use Content Switching to minimize the need of IP addresses. For this to work you have policies and actions to control the traffic flow. However, do you know that with NetScaler you can use expressions to configure the Content Switching actions?

This can come in handy when managing multiple websites Load Balancing. Let me show you a short configuration to demonstrate how this I working.

I have 2 demo web sites configured demo1.virtual-hawk.com and demo2.virtual-hawk.com. I have created the servers with FQDN names, as I am using host names on the web sites.

IIS configuration:

NetScaler Server configuration:

I then created 2 service for the web sites:

2 Load Balancing Virtual Serves for the Content Switching to go to. These are “non addressable”, because all traffic will come through the Content Switching Virtual Server:

The important thing is the naming of the Load Balancing Virtual Server, as we will use that in the Content Switching Action.

I have made a Content Switching Action with expressions used for targeting the Load Balancing Virtual Server:

With the use of the expression “cs_lb_vs_” + HTTP.REQ.HOSTNAME, the action will go to cs_lb_vs_demo1.virtual-hawk.com if the client request the site demo1.virtual-hawk.com.

The Content Switching Policy, I only need 1:

Finely I created the Content Switching Virtual Sever, and bound the policy to it:

Now for the test I checked the demo1.virtual-hawk.com and demo2.virtual-hawk.com are going to the Content Switching Virtual Server on 10.11.12.171:

When I test from the browser, I get the flowing:

Conclution:

With the use of Content Switching Action expressions, we can minimize the NetScaler configuration. For any new sites, I only have to configure the Load Balancing Virtual Servers with the right naming and no more. All the Content Switching are still the same and already configured.

 

CLI Commands:

add server demo1.virtual-hawk.com 10.11.12.172

add server demo2.virtual-hawk.com 10.11.12.173

add service lb_svc_demo1.virtual-hawk.com demo1.virtual-hawk.com HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

add service lb_svc_demo2.virtual-hawk.com demo2.virtual-hawk.com HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

add lb vserver cs_lb_vs_demo1.virtual-hawk.com HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180

add lb vserver cs_lb_vs_demo2.virtual-hawk.com HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180

bind lb vserver cs_lb_vs_demo1.virtual-hawk.com lb_svc_demo1.virtual-hawk.com

bind lb vserver cs_lb_vs_demo2.virtual-hawk.com lb_svc_demo2.virtual-hawk.com

add cs action cs_act_http_req_hostname -targetVserverExpr “\”cs_lb_vs_\” + HTTP.REQ.HOSTNAME”

add cs policy cs_pol_http_req_hostname -rule “HTTP.REQ.HOSTNAME.CONTAINS(\”virtual-hawk.com\”)” -action cs_act_http_req_hostname

add cs vserver cs_vs_virtual-hawk.com HTTP 10.11.12.171 80 -cltTimeout 180

bind cs vserver cs_vs_virtual-hawk.com -policyName cs_pol_http_req_hostname -priority 100

Page 1 of 2

Powered by WordPress & Theme by Anders Norén