Admin Portal and Responders


Brad Ordner


Hi, 

 

Wanted to clarify if this part of the Mitigation Steps for CVE-2019-19781 is for the HTTPS management traffic? We have private IPs assigned to our NSIPs and did not deploy this code as they are not public-facing IPs -

 

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"

 

The ‘skip_systemaccess_policyeval’ Flag

This flag ensures that the responder policies are evaluated on the admin portal traffic.
If the admin portal IP is in a secured environment, this knob is not needed. 
Enabling this might cause some obstruction to some admin pages. In such a case, the customer can toggle the flag during their maintenance window and set it back to the value ‘1’.

 

We tried to deploy it in our Azure VPXs and the entire thing lost its licence. So don't really want to deploy on our On Prem devices. 

 

Thanks

 

Brad

 


I've discovered on firmware 12.1.54.x (might be on other versions as well) that this "fix" breaks some GUI functions. If you only use the Responder policy and do not apply the file skip_systemaccess_policyeval=0 part of the fix the GUI is not affected.

 

If the full fix is applied, try the following:

Go to any CAG (Gateway vServer) that has STAs applied to it and try to view the STAs. You should receive an error popup and then no STA servers are shown.
