Preview of what is coming this weekend…..
How about a way to convert basic authentication on Citrix Gateway on-prem to advanced authentication with nFactor.
Make sure to keep up to date with Citrix on CVE-2021-44228 (Log4j). https://support.citrix.com/article/CTX335705
This link has the mitigations using the WAF and a Responder policy. https://www.citrix.com/blogs/2021/12/13/guidance-for-reducing-apache-log4j-security-vulnerability-risk-with-citrix-waf/
Went and got me some class! Wonderful instructor Matthew Jones over at Layer8!
Taking the CNS-420 Citrix Networking Assessment, Design, and Advanced Configuration course this week! #citrix #netscaler
So I ran into an interesting thing restoring a Citrix NetScaler Gateway ADC. I was doing a re-deploy of an ADC VPX, and a couple of things I noticed were rather odd…
First thing that I noticed was this:
What I noticed was that when you select the “Import” radio button, the button to accept the file once you have selected it is still labelled “Backup.” I think it would be a fantastic change to label that button “Import.” This is minor, but it stood out to me.
Next thing of interest when restoring your backup file…..
Once you have imported your backup file to the ADC, you can go back to the list of backup files available to you. Something of importance here: a “Basic” backup is a very minimal backup that includes configuration files only. A “Full” backup includes /nsconfig/, /var/, certificates, and license files. It is rather important to make sure you used the correct backup level for what you are trying to do. An example is re-deploying a VPX to replace the one you had: for that you want a Full backup, since a Basic one will not bring the certificates and license along.
Now when you select the “Restore” option, you get this screen:
You then get an option to “Reboot.”
Once I did the “Warm reboot,” I was presented with a wait-60-seconds screen. When I logged back in, I noticed that there was basically nothing there. I worked on it for a few minutes and decided to shut it down and power it back up after looking for another backup file. Once it had powered down and powered back on, lo and behold, it happened to have everything! Success was had! Something to note that will be rather important: should you decide to re-deploy a VPX on ESXi, make sure to note the MAC address of the VM BEFORE you re-deploy. The license file is married to the MAC, and that is EXTREMELY important. You can open the license file with Notepad or Notepad++, read the MAC there, and then manually set it in the VM options. Just something that I ran into and thought would be useful information to have!
Note: I had already applied the license file and found that I had to change the MAC address, so all of that was done before attempting to restore the configuration from backup.
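As an added example (not from the original post, and not a Citrix tool), here is a small Python script that pulls the MAC address out of a VPX license file and checks it against the MAC of the redeployed VM, which is the check to make before applying the license. It assumes the license is a FlexLM-style text file whose INCREMENT lines carry a HOSTID=<12 hex digits> token; the license text embedded in the block is constructed sample data, not a real license.

```python
import re

# Added example, not from the original post. Assumes the FlexLM-style
# "HOSTID=<12 hex digits>" token that VPX license files carry.
HOSTID_RE = re.compile(r"\bHOSTID=([0-9A-Fa-f]{12})\b")


def normalize_mac(mac: str) -> str:
    """Accept 00:0C:29:AB:CD:EF, 00-0c-29-ab-cd-ef or 000c29abcdef and
    return the lowercase colon-separated form used for comparison."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def licensed_macs(license_text: str) -> set:
    """Every HOSTID in the license file, normalised as a MAC address."""
    return {normalize_mac(h) for h in HOSTID_RE.findall(license_text)}


def mac_is_licensed(license_text: str, vm_mac: str) -> bool:
    """True when the VM's NIC MAC matches a HOSTID in the license."""
    return normalize_mac(vm_mac) in licensed_macs(license_text)


# Constructed sample license (fictitious values) in the shape a VPX .lic
# file has: a continued INCREMENT line with the HOSTID token on the
# second physical line.
SAMPLE_LICENSE = """\
# constructed sample, not a real license
INCREMENT CNS_V10_SERVER CITRIX 2024.0101 permanent 1 VENDOR_STRING=;LT=Retail \\
\tHOSTID=000C29AABBCC ISSUED=01-jan-2024 SIGN=0
"""

if __name__ == "__main__":
    import sys
    # usage: python check_lic.py /nsconfig/license/file.lic 00:0c:29:aa:bb:cc
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as f:
            text = f.read()
        vm_mac = sys.argv[2]
    else:
        text, vm_mac = SAMPLE_LICENSE, "00:0C:29:AA:BB:CC"
    print("license bound to:", ", ".join(sorted(licensed_macs(text))))
    print("VM MAC matches:", mac_is_licensed(text, vm_mac))
```

Run it against the license file and the MAC shown in the VM's network adapter settings before you power the new VPX on; a mismatch means the license will not be honoured until the VM's MAC is set to the HOSTID value, as the note above describes.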
Greetings and such! So there is a threat advisory out there on DTLS amplification DDoS for the ADC. The CTX article right here should lead you the right way with checking for it and remediating it!
https://support.citrix.com/article/CTX289674
This is something to check and get ahead of so that you don’t run into a potential issue!
Good afternoon, champions of making remote work possible! Welcome to April 99th! Hope that everyone is staying safe and secure in this tumultuous time. Had some fun with an NSSSL bug. If there is a bug, I will find it. Had some more fun with another one. Somehow, someway, by some method, the IIS_IUSRS group got removed from C:\Windows\Temp and from one of the really long .NET folder names. Anyone else have that fun? It causes things to not work as intended with StoreFront. I think there may be gremlins hiding out and strategically targeting. I’m prepping my anti-gremlin weapons. Looks like the new CU1 is out for 1912 LTSR. Get on over and check that out! (psst… I’ll leave a link below for you. Really. You need to do it. I’ll wait. No seriously. JUST DO IT!)
There are some things you need to pay attention to. StoreFront upgrade. READ AND FOLLOW the directions. It will only help you.
Let’s see… I did get a nice Google Nest thermostat. Somehow, on a relatively new house (built in the early 2000s), I had a mercury thermostat. A real live mercury one. It wasn’t working like it should have been. I may have inadvertently knocked the panel across the room and damaged the thermistor. I am seeing a nice reduction in power use, 15-20% or so. Not too shabby. I also got a Razer BlackWidow Elite keyboard with the orange switches. Really enjoying typing on a keyboard that doesn’t make my wrists and hands feel like they are on fire.
Everyone here has been staying healthy and COVID free. You stay safe as well!
Looks like new firmware builds have come out for the various NetScaler versions. Make sure to download from Citrix now and get your patch on! Seriously, this is important to patch. I mean it!
https://www.citrix.com/downloads/citrix-adc/firmware.html
The link is above!
Citrix NetScaler CVE-2019-19781: What You Need to Know
https://support.citrix.com/article/CTX267679
For those that do not wish to follow the link, I have the info below!
The responder policy returns a 403 to any request for a /vpns/ path that is not from an authenticated SSL VPN session, or that contains /../ even when it is; the nsapimgr setting makes the policy apply to system-access requests as well, and the rc.netscaler line keeps that setting across reboots.

Standalone:

enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config
shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot

For your HA users out there:

On primary:

enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config
shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot

On secondary, after the primary comes back up:

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot
Good news is that they have released dates for the fixed firmware!
Citrix ADC and Citrix Gateway

Version | Refresh Build | Expected Release Date
10.5    | 10.5.70.x     | 31st January 2020
11.1    | 11.1.63.x     | 20th January 2020
12.0    | 12.0.63.x     | 20th January 2020
12.1    | 12.1.55.x     | 27th January 2020
13.0    | 13.0.47.x     | 27th January 2020

Citrix SD-WAN WANOP

Version | Refresh Build | Expected Release Date
10.2.6  | 11.1.63.x     | TBD
11.0.3  | 11.1.63.x     | TBD
Good evening folks! Looks like some more fun has cropped up in Citrix Gateway in regards to firmware. Looks like 13.0-41.20_nc has an issue where, in some instances, you lose the ability to create or edit session profiles. We get the same issue as listed below.
There is also a CVE (CVE-2019-18225) out whose fix will need to be applied. Not sure if that will fix the issue with the session profiles or not. Looking to get that applied here shortly, and I will update this post to let you know if it resolves the issue. Hopefully, two birds with one stone.
UPDATE: So it looks like the upgrade to build 13.0-41.28_nc has resolved the issue with being able to edit session profiles! YAY!! Just wanted to give a heads up on that!