    Deployment Guide: Migrating Citrix ADM to Citrix ADM service
    May 4, 2021
    Author:  Arnaud Pain
    Overview
    In this document, you’ll discover how to migrate Citrix ADM (Application Delivery Management) on-premises to Citrix ADM service. Migrating to cloud resources modernizes your deployment, providing enhanced elasticity, scalability, and management.
    The guidance documented here is based on a deployment in a Citrix approved lab environment running on VMware vSphere Hypervisor. The initial and final deployments represent typical customer environments.
    Audience
We’ve written this document for users who are familiar with the administration of Citrix ADM. It’s also helpful if you know Citrix Cloud fundamentals and understand Citrix ADM service.
    Set up a basic Citrix Cloud environment
For more information on the onboarding process, see the Getting Started section. During the initial configuration of the ADM service agent, you need to provide the Service URL and Activation Code that are shown during the initial configuration in Citrix Cloud.
    Note:
    As we migrate from on-premises ADM, we do not need to continue the Agent configuration and can click Skip.
    Deploy ADM service agent
    More details can be found here.
Download the agent image as instructed in Getting Started. Import the agent image file into VMware vSphere. From the console, configure the initial network settings as shown in the example below.
After completing the initial network configuration, save the configuration settings.
When prompted, log on using the default (nsrecover/nsroot) credentials.
Run the script /mps/register_agent_cloud.py.
Enter the Service URL and the Activation Code that were provided in Citrix Cloud during the initial configuration.
You are prompted to change the ADM (Application Delivery Management) agent's default password.
After the agent password is updated and registration succeeds, the agent restarts to complete the installation.
    Migrate to ADM service
After the basic configuration of the ADM service agent is done, the next step is to upgrade the on-premises ADM to a firmware build that includes the migration script. You can migrate on-premises Citrix ADM 13.0 76.29 or a later version to Citrix Cloud. If your ADM runs 12.1 or an earlier version, you must first upgrade to 13.0 76.29 or a later version and then migrate to Citrix Cloud. For more information, see the Upgrade section.
Once your ADM is on the required version, you can start the migration process. The next step is to configure the on-premises ADM service agent.
    Configure ADM service agent
To enable communication between Citrix ADC instances and Citrix ADM, you must configure an agent. Citrix ADM agents are, by default, automatically upgraded to the latest build. You can also select a specific time for the agent upgrade. For more information, see Configuring agent upgrade settings.
If your existing on-premises ADM, standalone or HA pair, has no on-premises agents configured, you must configure at least one agent for ADM service. If your existing on-premises ADM, standalone or HA pair, is configured with on-premises agents for multisite deployments, we advise configuring the same number of agents for ADM service. For more information on configuring an agent, see the Getting Started section.
Connect to Citrix Cloud.
Click the Home icon and select Identity and Access Management.
Click the API Access tab.
Provide a name for the secure client and click Create Client.
Click Download.
    License
If you use your on-premises ADM deployment as a pooled license server for ADC instances, you must reallocate your licenses to ADM service before the migration. During the migration, the ADC license configuration is updated to point to the ADM service agent instead of your on-premises ADM.
Connect to Citrix Cloud ADM service. Navigate to Networks > Licenses.
Take note of your Host ID and go to https://www.mycitrix.com to reallocate your licenses. Ensure your licenses are present in ADM service before starting the migration.
    Migrate
The secureclient.csv file downloaded in the previous steps must be uploaded to the primary ADM. Copy the client ID and secret CSV file to, for example, the /var directory.
    Note:
For an ADM HA pair, copy the CSV file to the primary node.

We recommend updating to ADM build 76.x or later, as the migration scripts (servicemigrationtool.py and config_collect_onprem.py) ship with the build in /mps/scripts.
    Note:
    Ensure that the on-premises ADM has internet connectivity during migration.
    For an ADM HA pair, log on to the primary node.
Using an SSH client, log on to the on-premises ADM.
Enter the shell and validate that the CSV file is present.
Run the following commands to complete the migration:
a. cd /mps/scripts
b. python servicemigrationtool.py
For example: python servicemigrationtool.py /var/secureclient.csv
After you run the script, it checks the prerequisites and then proceeds with the migration. The script first checks license availability. The following message is displayed only if you have fewer ADM service licenses than on-premises licenses.
If you select Y, the migration continues by licensing the VIPs randomly. If you select N, the script stops the migration. If you have an ADC instance version that is unsupported for the pooled license server, the following message is displayed:
If you select Y, the migration process continues by changing the license server. If you select N, the script asks whether you want to proceed with the rest of the migration, and stops the migration if you select N. If you have a supported ADC instance version for the pooled license server, the following message is displayed:
Note:
In the message above, only the primary node's IP address is shown.
If you select Y, the migration process continues by changing the license server. Depending on the on-premises configuration, the migration takes between a few minutes and a few hours to complete. After the migration is complete, you see the following message:
    The migration is successful once all the ADC and SD-WAN WANOP instances and their respective configurations are successfully moved to ADM service.
    Validate
After successful migration, the on-premises Citrix ADM stops processing the following instance events:
- SSL certificates
- Syslog messages
- Backup
- Agent cluster
- Performance reporting
- Configuration audit
- Emon scheduler
You can connect to Citrix ADM service and confirm that your ADC instances are listed.
NetScaler Cyber Threat Intelligence
NetScaler WAF Signatures Update v117
(limited to Cisco IOS XE Software)
NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate the maximum-severity (CVSS 10) zero-day vulnerability in Cisco IOS XE (CVE-2023-20198), which has been exploited in the wild.
Cisco has issued a security advisory regarding multiple vulnerabilities in the web UI feature of Cisco IOS XE Software. The most critical vulnerability, CVE-2023-20198, allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then exploit another component of the web UI feature to elevate privilege to root and write the implant to the file system. Cisco has assigned a CVSS score of 10.0 to CVE-2023-20198. Cisco is making Software Maintenance Upgrade (SMU) files available and will update the advisory as additional releases are posted to the Cisco Software Download Center. For steps to close the attack vector for these vulnerabilities, see the Recommendations section of Cisco's advisory. For protection until you update to the latest version, download and use the v117 signatures.
Signatures included in v117:
Signature rule | CVE ID | Description
998597 | CVE-2023-20198 | WEB-MISC Cisco IOS XE Software - Authentication Bypass Vulnerability (CVE-2023-20198)
NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.
If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 117 or later and then follow these steps:
a. Search your signatures for <number>.
b. Select the results with the matching ID.
c. Choose “Enable Rules” and click OK.
    NetScaler WAF Best Practices
    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.
Handling false positives
If application availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.
Modifications to NetScaler Web App Firewall Policy:
add policy patset exception_list
# (Example: bind policy patset exception_list "/exception_url")
Prepend the existing WAF policy with:
HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
# (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)
NOTE: Any endpoint covered by the exception_list is no longer evaluated by this WAF policy and may expose those assets to the risks described above. CONTAINS_ANY matches when the URL contains any patset entry as a substring, so keep the entries as specific as possible and review the list regularly.
    Additional Information
    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.
Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.
    Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF. 
     
     
     
     
     

    Konstantinos Kaltsas
    Learn how to leverage WAF Policies for protecting your Applications. On this Track we will leverage infrastructure-as-code templates to demonstrate:
- How to create WAF policies and profiles.
- How to enable WAF policies on load balancing or content switching virtual server level.
- How to block or log malicious requests based on different criteria.
Click the Start hands-on Lab at the top of the post to try out!
    Please share your feedback or any issues in the comments section.

    Konstantinos Kaltsas
    Learn how to leverage basic Rewrite / Responder Policies for manipulating Requests and Responses. On this Track we will leverage infrastructure-as-code templates to demonstrate:
- How to create rewrite / responder policies.
- What is the difference between the two?
- How to bind a policy on a content switching server.
- How to manipulate an incoming request based on different criteria.
- How to redirect a request based on different criteria.
Click the Start hands-on Lab at the top of the post to try out!
    Please share your feedback or any issues in the comments section.

    Konstantinos Kaltsas
    Learn how to deploy & configure a Content Switching virtual server for routing traffic to your applications. On this Track we will leverage infrastructure-as-code templates to demonstrate:
- How to deploy a content switching virtual server to route traffic to your apps.
- How to route traffic based on URL path.
- How to route traffic based on HTTP Header values.
Click the Start hands-on Lab at the top of the post to try out!
    Please share your feedback or any issues in the comments section.

    Mayur Vadhar
    NetScaler CPX is a container-based application delivery controller that can be provisioned on a Docker host. NetScaler CPX enables customers to leverage Docker engine capabilities and use NetScaler load balancing and traffic management features for container-based applications. 
     
    In this hands-on lab, learn how to expose microservice application deployed in a Kubernetes Cluster using NetScaler CPX on an existing Kubernetes Cluster.
    The lab will demonstrate how to:
- Deploy a microservice Guestbook application on Kubernetes
- Deploy NetScaler CPX and expose it using NodePort service
- Expose Guestbook application via NetScaler CPX through HTTP
- Expose Guestbook application via NetScaler CPX through HTTPS
- Redirect incoming HTTP traffic to HTTPS for Guestbook application
Click the Start hands-on Lab at the top of the post to try out! Let us know your feedback or any issues in the comments section.
     

    Juliano Reckziegel
    In numerous instances, there's a need to customize the Citrix Gateway login page. Sometimes, it's crucial to include disclaimers, while in other cases, it's essential to direct users to a support link, among other requirements.
    It has come to our attention that many companies have attempted to modify the built-in HTML/JS files for this purpose. However, this approach is neither supported nor sustainable because these customizations can be lost during system upgrades or even routine reboots, unless you utilize the 'rc.netscaler' file.
    An alternative method is to employ rewrite policies or use a JavaScript file within a customized RfWebUI theme. These approaches ensure that your customizations persist through system reboots and upgrades, making them the preferred choice.
    Personally, I prefer employing a JavaScript file because it's compatible with both Citrix Gateway virtual servers and AAA virtual servers, providing a remarkable level of versatility. This is primarily due to its ability to inject HTML code either before, after, or within specific elements or their parent elements. All that's required is the identification of a class name or an ID on the webpage to instruct the browser to insert extra elements precisely at that location.
Below is an example of a Citrix Gateway landing page with text additions incorporated into an RfWebUI theme without a logo.
    Caching
    Before I proceed to explain how to achieve the desired outcome, let's first address caching. NetScaler boasts an advanced caching feature that can optimize user access and reduce the amount of data downloads needed to render the authentication page. Interestingly, the Citrix Gateway login page employs this feature by default, even when it's not explicitly enabled, and it stores the landing page files within the "loginstaticobjects" content group.
    To confirm this, you can access the NetScaler GUI and navigate to Optimization -> Integrated Caching -> View Cache Objects. Here, you'll notice that a variety of file types, such as .html, .js, .css, .gif, .png, and .json files, are automatically cached. Here are a few examples of the files that are cached without manual intervention.

    Additionally, these types of objects are also cached by the end user's browser. Consequently, if you wish to modify messages and immediately see the changes, you'll need to clear both the NetScaler cache and the browser cache.
    To clear the NetScaler cache, you can use the following command:
flush cache contentGroup loginstaticobjects
For browser cache clearance, there are multiple methods available. One approach I use on Chrome and Edge is to open the developer tools, right-click on the reload icon, and select "Empty cache and hard reset."
    Finding the anchor element
    The next step is to pinpoint the specific page element where we want to inject HTML code—whether it's before, after, or within that element. To accomplish this, you can use either Chrome or Edge. Simply right-click anywhere on the page and choose "Inspect" to identify the element that will serve as our anchor.
    In the example below, I've identified a hidden div at the top of the login page with the ID "customExplicitAuthHeader."

     
    No need to worry about this; I've already selected a couple of existing elements, and I'll share them here.
    TEXT1
Let's proceed with the first customization and add TEXT1 to the page as follows:
To achieve this, create a new RfWebUI theme and modify the initially empty script.js file located at /var/netscaler/logon/themes/NAME_OF_YOUR_NEW_RfWebUI_THEME/:
// TEXT1: insert a new <div> directly after the hidden header element
const HTML1 = '<div style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center"><BR><BR>TEXT1<BR><BR> </div>';
element = document.getElementById("customExplicitAuthHeader");
element.insertAdjacentHTML('afterend', HTML1);
In this example, we find the anchor element by its id customExplicitAuthHeader and add a new <div> after it.
    TEXT2 and TEXT3
The next customizations involve adding TEXT2 and TEXT3:
Again, modify the script.js file from the new RfWebUI theme created, located at /var/netscaler/logon/themes/NAME_OF_YOUR_NEW_RfWebUI_THEME/:
// TEXT2 and TEXT3: insert a <span> at the start of the left and right spacer elements
const HTML2 = '<span style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center; position: absolute; top: 50%">TEXT2</span>';
const HTML3 = '<span style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center; position: absolute; top: 50%">TEXT3</span>';
elements = document.getElementsByClassName('logon-spacer');
elements[0].insertAdjacentHTML('afterbegin', HTML2);
elements[1].insertAdjacentHTML('afterbegin', HTML3);
In this example, we find the anchor elements by the class name logon-spacer. getElementsByClassName returns a collection rather than a single element, which is why [0] and [1] are used to select the first spacer (to the left of the authentication form) and the second spacer (to the right of it). The HTML added here is a <span> placed inside the existing element.
    TEXT4 and TEXT5
Now, let's add TEXT4 and TEXT5.
Modify the script.js file from the new RfWebUI theme created, located at /var/netscaler/logon/themes/NAME_OF_YOUR_NEW_RfWebUI_THEME/:
// TEXT4 and TEXT5: insert a <div> before and after the form container
const HTML4 = '<div style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: left"><BR><BR>TEXT4<BR><BR> </div>';
const HTML5 = '<div style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: left"><BR><BR>TEXT5<BR><BR> </div>';
elements = document.getElementsByClassName('form-container');
elements[0].insertAdjacentHTML('beforebegin', HTML4);
elements[0].insertAdjacentHTML('afterend', HTML5);
In this example, we find the anchor element by the class name form-container and inject a new <div> for TEXT4 before the element and a second <div> for TEXT5 after it.
    TEXT6 and TEXT7
Moving on, now we will add TEXT6 and TEXT7:
Modify the script.js file from the new RfWebUI theme created, located at /var/netscaler/logon/themes/NAME_OF_YOUR_NEW_RfWebUI_THEME/:
// TEXT6 and TEXT7: insert a <div> before and after the parent of pluginExplicitAuthTop
const HTML6 = '<div style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center"><BR><BR>TEXT6<BR><BR> </div>';
const HTML7 = '<div style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center"><BR><BR>TEXT7<BR><BR> </div>';
element = document.getElementById("pluginExplicitAuthTop").parentNode;
element.insertAdjacentHTML('beforebegin', HTML6);
element.insertAdjacentHTML('afterend', HTML7);
Here we select the parent element of the element with id pluginExplicitAuthTop and create a <div> for TEXT6 before it and another <div> for TEXT7 after it.
    TEXT8
Now, let's add TEXT8:
Modify the script.js file from the new RfWebUI theme created, located at /var/netscaler/logon/themes/NAME_OF_YOUR_NEW_RfWebUI_THEME/:
// TEXT8: insert a <div> directly before the hidden footer element
const HTML8 = '<div style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center"><BR><BR>TEXT8<BR><BR> </div>';
Items = document.getElementById('customExplicitAuthFooter');
Items.insertAdjacentHTML('beforebegin', HTML8);
TEXT8 is very similar to TEXT1: the anchor element is selected by the ID customExplicitAuthFooter and a new <div> is inserted before it.
    TEXT9 and TEXT10
Finally, we have TEXT9 and TEXT10.
Modify the script.js file from the new RfWebUI theme created, located at /var/netscaler/logon/themes/NAME_OF_YOUR_NEW_RfWebUI_THEME/:
// TEXT9 and TEXT10: insert inside the authentication form, around the password field's container
const HTML9 = '<div class="field CredentialTypenone"><div><span style="display: block; color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center">TEXT9</span></div></div>';
const HTML10 = '<div class="field CredentialTypenone"><div><span style="display: block; color: lightgrey; margin: 0 auto; font-size: 12px; text-align: right">TEXT10</span></div></div>';

checkForm();

function checkForm() {
  if (document.forms[0]) { // check whether the authentication form exists yet
    div = document.getElementById("passwd").parentNode.parentNode;
    div.insertAdjacentHTML('beforebegin', HTML9);
    div.insertAdjacentHTML('afterend', HTML10);
  } else {
    setTimeout(checkForm, 50); // wait 50 ms, then try again
  }
}
If you need to insert HTML code within the authentication form, a slightly different approach is required because the form is created dynamically. In this scenario, we first check whether the authentication form already exists before injecting the new HTML code. If it doesn't exist yet, we wait 50 milliseconds and check again.
    Conclusion
    In these instances, I applied a few styles to position the text as needed. However, it's essential to keep in mind that you have the option to utilize CSS for a cleaner separation of JS code and styling. To achieve this, simply make the necessary adjustments in the style.css file within the newly created RfWebUI theme.
Please exercise caution with the ' character, because the HTML code is enclosed in single quotation marks. To use it inside the string, insert a backslash (\) before the single quote to escape it.
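As an added example that is not part of the original post, the helpers below pull the ideas of the TEXT1 to TEXT10 sections and the quoting caveat above together: the text of each notice is HTML-escaped before it is placed in a snippet (so a single quote or an angle bracket in the text can neither break the string nor be parsed as markup), the snippet is built in the same shape as HTML1 to HTML8, and the insertion is retried until the anchor element exists, generalising the checkForm polling used for TEXT9 and TEXT10. The function names escapeHtml, buildNotice and insertWhenReady are assumptions of this example; the element IDs, class names and insertAdjacentHTML positions are the ones used in the post.

```javascript
// Added example, not code from the original post. escapeHtml, buildNotice and
// insertWhenReady are names chosen for this example; the element IDs, class
// names and insertAdjacentHTML positions are the ones used in the post.

// Escape the five characters that carry meaning in HTML so the notice text is
// rendered literally instead of being parsed as markup. Use it for any text
// that is not a hard-coded literal in script.js; it also means a single quote
// in the text no longer needs a backslash inside the snippet string.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Build a snippet shaped like HTML1..HTML8 above: a <div> (or <span>) carrying
// the post's inline style and wrapping the escaped text.
function buildNotice(text, { tag = 'div', align = 'center' } = {}) {
  const style = `color: lightgrey; margin: 0 auto; font-size: 12px; text-align: ${align}`;
  return `<${tag} style="${style}">${escapeHtml(text)}</${tag}>`;
}

// The four positions insertAdjacentHTML accepts; anything else is a typo we
// want to catch when the theme loads rather than silently ignore.
const POSITIONS = new Set(['beforebegin', 'afterbegin', 'beforeend', 'afterend']);

// Insert `html` at `position` relative to the element returned by find().
// find is a function rather than an element because RfWebUI builds the
// authentication form after script.js has run (the reason checkForm polls).
// Returns true when the insertion happened on this call; otherwise schedules a
// retry every delayMs until maxAttempts is exhausted and then gives up.
function insertWhenReady(find, position, html, { delayMs = 50, maxAttempts = 100 } = {}) {
  if (!POSITIONS.has(position)) {
    throw new Error(`invalid insertAdjacentHTML position: ${position}`);
  }
  const target = find();
  if (target) {
    target.insertAdjacentHTML(position, html);
    return true;
  }
  if (maxAttempts > 1) {
    setTimeout(() => insertWhenReady(find, position, html,
      { delayMs, maxAttempts: maxAttempts - 1 }), delayMs);
  }
  return false;
}

// Usage as it would appear in script.js. The guard lets the helpers load
// outside a browser (for example in Node) without touching a DOM.
if (typeof document !== 'undefined') {
  // TEXT1: a <div> after the hidden header div, a static element present at load.
  insertWhenReady(() => document.getElementById('customExplicitAuthHeader'),
    'afterend', buildNotice('Authorised users only'));
  // TEXT9: inside the dynamically created form, before the password field's
  // grandparent, the same anchor checkForm uses.
  insertWhenReady(() => {
    const pw = document.getElementById('passwd');
    return pw ? pw.parentNode.parentNode : null;
  }, 'beforebegin', buildNotice("Forgotten your password? Call the service desk", { tag: 'span' }));
}
```

In a theme's script.js, place the helpers at the top and replace each TEXTn snippet with one buildNotice/insertWhenReady call. Because insertWhenReady gives up after maxAttempts, an anchor that is renamed in a future firmware fails quietly instead of throwing on a null element, so it is worth checking the login page after each upgrade to confirm the notices still appear.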
    Remember that the objective here is not to offer JavaScript programming best practices but rather to showcase its capabilities and provide initial guidance to assist you in customizing your portal in a manner that ensures the changes endure through reboots and upgrades.
    In conclusion, the power to enhance and tailor your Citrix Gateway login page lies in your hands. Armed with the knowledge of how to insert HTML code via JavaScript, you can seamlessly integrate links, provide additional information, or offer valuable guidance to your users during their authentication process. The ability to customize this crucial portal empowers you to create a more user-friendly and informative experience that aligns with your organization's specific needs. So, embrace this opportunity and embark on the journey to create a login page that truly reflects your vision and aids your users every step of the way. Your portal's potential is limited only by your imagination, so go ahead and make it your own.
     

    Guest

    Kubecon 2023

    By Guest, in NetScaler Cloud Native,


Kubecon and CloudNativeCon are the Cloud Native Computing Foundation’s (CNCF) flagship conference that gathers adopters and technologists from leading open-source and cloud-native communities together. It is THE conference for gathering developers, IT professionals, and C-level leaders across the ecosystem to share learnings, highlight innovation, and discuss the future of cloud-native computing, including emerging trends in microservices architectures and container orchestration with technologies like Kubernetes, Prometheus, and many more. Komal Bhardwaj and I will be attending the conference in Chicago from the 6th through the 9th of November. We would love to connect with NetScaler customers or partners attending the conference. You can schedule a time on my calendar here: https://calendly.com/richard-faulkner-iho/kubecon-meet-up. You can schedule a meeting with Komal here: https://calendly.com/komal-bhardwaj-netscaler/30min. I look forward to seeing you there!

     

    Guest
    POC Guide: Deploying a NetScaler VPX on Nutanix AHV
    Special Thanks To: David Brett, Nagaraj Harikar, and Abhishek Gautam
    Overview
    This proof of concept guide is designed to provide a step-by-step method to deploy an instance of the NetScaler VPX on Nutanix AHV and prepare it for use. NetScaler VPX running on Nutanix AHV is supported through the Citrix Ready Program. This guide will assist in deploying a VPX appliance using Prism Element with some basic best practices. This guide will NOT cover the specific needs for every deployment. It is recommended that deployments and testing are conducted to define the best method for a particular need. 
     Nutanix Acropolis Hypervisor (AHV) is a modern and secure virtualization platform that powers VMs and containers for applications and cloud-native workloads on-premises and in public clouds that can run any application at any scale.
    Prerequisites
    This guide assumes the following prerequisites have been completed:
    - Nutanix AHV is configured and ready for use
    - Nutanix Prism Element will be used for the deployment (not Prism Central)
    - Sufficient resources are available to support the recommended VM configuration:
      - The NetScaler VPX requires a minimum of 2 vCPUs and 2 GB of RAM (4 GB RAM or more is recommended)
      - At least one vNIC (2 or more vNICs recommended for Management and Production networks)
      - At least 20 GB of disk space
    - A basic understanding of Nutanix AHV
    - A basic understanding of Nutanix Prism Element
    - Familiarity with the Acropolis Command Line Interface (ACLI)
    - Familiarity with the initial setup of a NetScaler VPX appliance
    Considerations for NetScaler VPX appliances
    A proof of concept deployment is set up to try out different functions of the VPX appliance. With a POC deployment, customers can:
    - Try different features
    - Familiarize themselves with the environment
    - Try different configurations to see how they impact performance, usability, etc.
    A POC is not intended for production workloads and should only be utilized for learning and feasibility purposes.
    Therefore, a virtual appliance running with (2) vCPUs, (4) GB RAM, and 20 GB of disk should be sufficient. In a production environment, it is recommended to provision the appliance with adequate resources for the expected workload. With a virtual appliance on Nutanix AHV, scaling resources up or down is very easy, making the virtual appliance very flexible. To determine the required resources for your workload, use the NetScaler Form Factors Datasheet.
    Deploying the NetScaler VPX
    1. Download the VPX virtual appliance (the example below shows the latest 14.1 version of the firmware; other versions are available for AHV should they meet your business requirements).
    2. Download the “Citrix ADC VPX for KVM” file.
    3. On the first extraction, it will become a “tar” file. Extract that until you see the “.qcow2” and “.xml” files.
    4. Log in to Prism Element (not Prism Central).
    5. From Home, select Settings.
    6. Choose Image Configuration:
       - Give the image a name
       - Select the “DISK” image type
       - Pick a storage container
       - Choose “Upload a file” and navigate to the NetScaler VPX “.qcow2” file
       - Choose “Save” to create the image
    7. Once the file uploads, you should see the image listed with the status “ACTIVE”. This may take some time as Prism Element processes the image file.
    8. Navigate to VM and then click Create VM.
    9. On the Create VM screen, remove the CD-ROM drive.
    10. Add a new disk:
        - Select “Clone from the image service” from the drop-down menu
        - In the Bus Type, select “SCSI” (Note: the NetScaler VPX has been deployed with PCI, SCSI, SATA, and IDE bus disks without issue)
        - Choose the NetScaler image that was uploaded
        - Choose “Add”
    11. The disk will then be added.
    12. Add VLANs as necessary. A minimum of two VLANs (Management and LAN) is recommended.
    13. Do not set affinity now, as it will be set later in this guide.
    14. Choose “Save”.
    Once the VM is listed and shows as powered off, we must add a serial port. The VM appliance will not boot without a serial port connection, and Nutanix AHV does not add a serial port by default. To add the serial port:
    1. SSH into the CVM using the username “nutanix” and the password you set for that account (you can find a list of CVM IP addresses in the “Hardware” section of the Prism Element console).
    2. Enter the ACLI:
    acli
    3. Enter the following command to create the serial port, where <vmname> is the name you gave to the VPX appliance:
    vm.serial_port_create <vmname> type=kServer index=0
    At this point, you can snapshot the VM to be used as a template later should you wish to deploy more instances (an HA pair, for example).
     
    Initial Configuration
    1. Power on the VM.
    2. Launch the VNC console.
    3. Watch the VM boot.
    4. Log in with the default credentials of nsroot / nsroot. You will be prompted to change the password; it is recommended that you change it at this time.
    5. Manually run the “config ns” command from the CLI:
       - Assign the IP
       - Enter the NetMask
       - Choose “Apply changes and exit”
    6. Restart the VM.
    7. When the appliance reboots, log back into the CLI and add the default route using the command below, replacing <default_route> with the default route assigned to the network that your NSIP resides on.
     
    add route 0.0.0.0 0.0.0.0 <default_route>
     
    8. Save the configuration using the command below to ensure the default route persists across a reboot:
    save ns config
    9. Now you can connect to the GUI. After this point, the configuration proceeds like any other NetScaler setup.
    Additional Considerations
    High CPU usage
    CPU usage will show high by default on NetScaler VPX appliances. If you desire to enable CPU sharing, then you should enable CPU Yield.
    1. From the GUI:
       - Navigate to Settings and click the “Change VPX Settings” link
       - Change “CPU Yield” to Yes
       - Save the configuration
    2. From the CLI:
    set ns vpxparam -cpuyield YES
    Running a pair of appliances for high availability (HA)
    If you are going to run an HA pair of appliances, it is recommended that you set anti-affinity rules so the appliances will always run on separate AHV hosts.
    To accomplish this:
    1. Log in to the CVM via SSH and enter the ACLI (acli), as in the serial port step above.
    2. Create the VM group, where <vmgroupname> is the name you give to the group of NetScalers you deployed on AHV:
    vm_group.create <vmgroupname>
    3. Add the existing NetScalers to the group, where <vmgroupname> is the name from the previous step, and <vm1name> and <vm2name> are the NetScaler VMs to be added to the group:
    vm_group.add_vms <vmgroupname> vm_list=<vm1name>,<vm2name>
    4. Set the anti-affinity rule, where <vmgroupname> is the name given in step 2 above:
    vm_group.antiaffinity_set <vmgroupname>
     
    Disaster Recovery and GSLB
    Suppose multiple sites are to be used, and Global Server Load Balancing (GSLB) is utilized for access. In that case, it is recommended that an HA pair of NetScalers be deployed on AHV at both locations. You can then use Nutanix technologies such as DR replication to ensure the availability of your NetScaler pair should you experience a cluster outage. More information on Nutanix DR replication can be found here.
    Resources
    NetScaler Form Factors Datasheet
    FAQ on Deploying a NetScaler VPX
     
     
     

    NetScaler Cyber Threat Intelligence
    NetScaler WAF Signatures Update v116
    (limited to SharePoint and Atlassian)
    NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate two vulnerabilities in two widely deployed software products. The first vulnerability is related to a Microsoft SharePoint Server chain attack that exploits CVE-2023-24955, while the second vulnerability deals with a critical Atlassian Confluence Server vulnerability, namely CVE-2023-22525.
    CVE-2023-22525 is a critical vulnerability in Atlassian Confluence Server. The vulnerability allows an attacker to execute remote code on the affected system, which could lead to data theft or system compromise. The vulnerability affects Confluence Server versions 6.1.0 to 7.13.20, 7.19.8, and 8.2.0. Atlassian has released a patch for this vulnerability, and users are advised to update their systems as soon as possible. The vulnerability is caused by an input validation error when Confluence Server processes user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted request to the affected server. Once the attacker has successfully exploited the vulnerability, they can execute arbitrary code on the affected system with the privileges of the Confluence Server process. To mitigate this vulnerability, Atlassian recommends that users upgrade their Confluence Server installations to version 7.13.21, 7.19.9, or 8.2.1. If upgrading is not possible, users can apply a workaround by disabling the “Widget Connector” feature in Confluence Server or enable our WAF signature.
    CVE-2023-24955 is a remote code execution vulnerability affecting Microsoft SharePoint Server. The vulnerability was assigned a CVSSv3 score of 7.2 and could allow an authenticated Site Owner to execute code on an affected SharePoint Server. The vulnerability was part of a chain attack that also involved another vulnerability, CVE-2023-29357, which is an elevation of privilege vulnerability in Microsoft SharePoint Server that was assigned a CVSSv3 score of 9.8 and rated critical (part of v112 WAF signature version). A proof-of-concept exploit chain has been released for these two vulnerabilities that can be exploited to achieve unauthenticated RCE against Microsoft SharePoint Server.
    Signatures included in v115:
    Signature rule   CVE ID           Description
    998598           CVE-2023-24955   WEB-MISC Microsoft SharePoint Server - Remote Code Execution Vulnerability (CVE-2023-24955)
    998599           CVE-2023-22515   WEB-MISC Atlassian Confluence Server - Broken Access Control Vulnerability via /setup/*.action (CVE-2023-22515)
    998600           CVE-2023-22515   WEB-MISC Atlassian Confluence Server - Broken Access Control Vulnerability via /server-info.action (CVE-2023-22515)
    NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.
    If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 115 or later and then follow these steps:
    1. Search your signatures for <number>
    2. Select the results with the matching ID
    3. Choose “Enable Rules” and click OK
    NetScaler WAF Best Practices
    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.
    Handling false positives
    If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.
     
    Modifications to NetScaler Web App Firewall Policy:
    add policy patset exception_list
    # (Example: bind policy patset exception_list "/exception_url")
    Prepend the existing WAF policy with:
    HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
    # (Example: set appfw policy my_WAF_policy -rule q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)
    NOTE: Any endpoint covered by the exception_list is no longer inspected by the WAF policy and may expose those assets to risk.
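    As an added example (not NetScaler's or this article's own code), the following Python models the relaxation above so the reach of each exception_list entry can be checked before it is bound on the appliance. It assumes CONTAINS_ANY behaves as a case-sensitive substring match on the request URL, and the patterns, URLs and stand-in existing rule are constructed.

```python
# Added example (not NetScaler's own code): models the relaxation
#   HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>
# so the reach of each patset entry can be checked offline.
# Assumption: CONTAINS_ANY is modelled as a case-sensitive substring match on
# the request URL (path plus query); patterns, URLs and the rule are constructed.
from typing import Callable, Dict, List, Set

# Constructed patset: what "bind policy patset exception_list <pattern>" would add.
EXCEPTION_LIST: Set[str] = {"/exception_url", "/healthz"}


def existing_rule(url: str) -> bool:
    """Constructed stand-in for the <existing rule> (here: inspect every request)."""
    return True


def contains_any(url: str, patset: Set[str]) -> bool:
    """HTTP.REQ.URL.CONTAINS_ANY(patset): true if any pattern occurs anywhere in the URL."""
    return any(pattern in url for pattern in patset)


def waf_policy_applies(url: str, patset: Set[str],
                       rule: Callable[[str], bool] = existing_rule) -> bool:
    """CONTAINS_ANY(patset).NOT && <existing rule>: the profile inspects the request
    only when the URL matches no exception pattern and the original rule still holds."""
    return (not contains_any(url, patset)) and rule(url)


def exempted_urls(patset: Set[str], known_urls: List[str]) -> Dict[str, List[str]]:
    """For each pattern, the known URLs it takes out of WAF inspection. Because the
    match is a substring match, an entry also covers every URL that merely contains it."""
    return {p: sorted(u for u in known_urls if p in u) for p in sorted(patset)}


def risky_entries(patset: Set[str], protected_urls: List[str]) -> Set[str]:
    """Patterns that would exempt a URL one of the signatures is meant to protect."""
    return {p for p in patset if any(p in u for u in protected_urls)}


# Constructed inventory, including the two Confluence paths named in the signature table.
KNOWN_URLS = [
    "/exception_url",
    "/reports/exception_url/export?id=7",
    "/healthz",
    "/setup/setupadministrator.action",
    "/server-info.action",
]
PROTECTED_URLS = ["/setup/setupadministrator.action", "/server-info.action"]

if __name__ == "__main__":
    for url in KNOWN_URLS:
        print(f"{url:40} inspected={waf_policy_applies(url, EXCEPTION_LIST)}")
    print(exempted_urls(EXCEPTION_LIST, KNOWN_URLS))
    # A too-broad relaxation such as "/setup" would bypass signature 998599.
    print(risky_entries({"/setup", "/exception_url"}, PROTECTED_URLS))
```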
    Additional Information
    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.
    Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.
    Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF. 