Virtualization, technology, and random rantings with a focus on Citrix and VMware.

Category: Gateway formerly known as Netscaler Page 2 of 3

EULA Evolves, Form Of nFactor!

Preview of what is coming this weekend…..

nFactor Overview

How about a way to convert basic authentication on Citrix Gateway on-prem to advanced authentication with nFactor.

Responder To The Log4

Make sure and keep up to date from Citrix with the CVE-2021-44228.

This link has the mitigations for the WAF and a Responder policy.

Got Some Class

Went and got me some class! Wonderful instructor Matthew Jones over at Layer8!

Getting after it!

Level Up That Knowledge!

Taking the CNS-420 Citrix Networking Assessment, Design, and Advanced Configuration course this week! #citrix #netscaler

ADC Your Way To Restore

So ran into an interesting thing restoring a Citrix Netscaler Gateway ADC. I went through and was doing a re-deploy of an ADC VPX. So a couple things that I noticed that were rather odd…..

First thing that I noticed was this:

Backup / Import option

So what I noticed was when you select “Import” radio button, the button to accept it once you select the file, is the “Backup” button still. I would think this would be a fantastic change to make a button with the name “Import.” This is something minor, but it was something that stood out to me.

Next thing of interest when restoring your backup file…..

Restore option

Once you have “Backup / Imported” your file to the ADC, you can go back to the list of backup files available to you. Something of importance here. If you have the “Basic” backup, that is a very minimal backup including configuration files only. If you use the “Full” option, this includes the /nsconfig/, /var/, certificates, and License files. Rather important to make sure you are using the correct backup option here. And example here is re-deploying the VPX and wanting to replace the one you had.

Now when you select the “Restore” option, you get this screen:

Restore option

You then get an option to “Reboot.”

Reboot option

Once I did the “Warm reboot,” I was presented with a wait 60 seconds screen. When I logged back in, I noticed that there was basically nothing there. I worked on it for a few minutes and decided to shut it down and power it back up after looking for another backup file. Once it had powered down and powered back on, low and behold it happened to have everything! Success was had! Something to note that will be rather important, should you decide to re-deploy a VPX on ESXi, make sure to note the MAC address of the VM BEFORE you re-deploy. The license file is married to the MAC and that is EXTREMELY important. You can open the license file with Notepad or Notepad++ and read the MAC there and then manually set it on the VM options. Just something that I ran into and thought would be useful information to have!

Note: I had already applied the license file and found that I had to change the MAC address, so all of that was done before attempting to restore the configuration from backup.

DTLS Essence

Greetings and such! So there is threat advisory out there abouts on DTLS Amplification DDoS for the ADC. The CTX article right here should lead you the right way with the checking and the remediation for it!

This is something to check and get ahead of so that you don’t run into a potential issue!

Surviving Healthy @HOME

Good afternoon champions of remote making work possible peoples! Welcome to April 99th! Hope that everyone is staying safe and secure in this tumultuous time. Had some fun with a NSSSL bug. If there is a bug, I will find it. Had some more fun with another one. Somehow, someway, some method the IISU_IUSRS group got removed from C:\Windows\Temp and one of the really long folder names that was .NET. Anyone else have that fun? Causes things to not work as intended with StoreFront. I think there may be gremlins hiding out and strategically targetting. I’m prepping my anti-gremlin weapons. Looks like the new CU1 is out for 1912LTSR. Get on over and be checking that out! (psst… I’ll leave a link below for you. Really. You need to do it. I’ll wait. No seriously. JUST DO IT!)

There are some things you need to pay attention to. StoreFront upgrade. READ AND FOLLOW the directions. It will only help you.

Let’s see… I did get a nice Google Nest thermostat. Somehow, on a relatively new house (built in the early 2000s), I had a mercury thermostat. A real live mercury one. It wasn’t working like it should have been. I may have inadvertently knocked the panel across the room and damaged the thermister. I am seeing a nice reduction in power use. 15-20% ish. Not too shabby. I also got a Razer BlackWidow Elite keyboard with the orange switches. Really enjoying typing a keyboard that doesn’t cause the wrist and hands to feel like they are on fire.

Everyone here has been staying healthy and COVID free. You stay safe as well!

More nCore Than You Have Room For!

Looks like the new firmwares have come out for the varying versions of Netscaler firmware. Make sure and download from Citrix now and get your patch on! Seriously, this is important to patch. I mean it!

The link is above!

Remediate! CVE-2019-19781

Looks like there is big trouble in little China here. There is a responder policy you can put into place to mitigate this CVE until the software is released to update your ADC. All credit here goes to Citrix hosting the information. I’m just providing you a quick link back to the action! For those that want to know more, I found this great explanation of what happens with this exploit.

Citrix NetScaler CVE-2019-19781: What You Need to Know

For those that do not wish to follow the link, I have the info below!


enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config 

shell -ys skip_systemaccess_policyeval=0 shell "echo ' -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" 

For your HA users out there:
On primary:

enable ns feature responder add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\"" add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403 bind responder global ctx267027 1 END -type REQ_OVERRIDE save config  shell -ys skip_systemaccess_policyeval=0 shell "echo ' -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" 
On secondary after primary comes up:

shell -ys skip_systemaccess_policyeval=0 shell "echo ' -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" 

Good news, is that they have released dates for the firmware!

Citrix ADC and Citrix Gateway
Version Refresh Build Expected Release Date
10.5 10.5.70.x 31st January 2020
11.1 11.1.63.x 20th January 2020
12.0 12.0.63.x 20th January 2020
12.1 12.1.55.x 27th January 2020
13.0 13.0.47.x 27th January 2020
10.2.6 11.1.63.x TBD
11.0.3 11.1.63.x TBD

Session Profiles, You Don’t Need No Session Profiles!

Good evening folks! Looks like some more fun has cropped up in Citrix Gateway in regards to firmware. Looks like 13.0-41.20_nc has an issue in some instances that you lose the ability to create or edit session profiles. We get the same issue as listed below.

There also was a CVE (CVE-2019-18225) that has come out that will need to be applied. Not sure if that will fix the issue with the session profile or not. Looking to get that applied here shortly and will update this post to let you know if it resolves the issue. Hopefully, two birds with one stone.

UPDATE: So it looks like the upgrade to build-13.0-41.28_nc has resolved the issue with being able to edit session profiles! YAY!! Just wanted to give a heads up on that!

Page 2 of 3

Powered by WordPress & Theme by Anders Norén