
Expression to detect Citrix files on Netscaler


Sebin Mathew


In our current setup, we've integrated Citrix ShareFile with Citrix Netscaler. Client access to the ShareFile control plane has been disabled, and external users are being redirected to Netscaler for 2-factor authentication when accessing from outside. Our aim is to refine this configuration so that when users access Citrix files via mobile, the system, upon inspecting the header value indicating Netscaler involvement, will automatically redirect them to a page that does not require 2-factor authentication.


  • 4 weeks later...

If I understood correctly, you want to bypass NetScaler MFA for mobile devices using Citrix Files?

You can go for the User-Agent header of the mobile devices and build your authentication flow.

 

User-Agent expression could look like this:

http.req.header("User-Agent").contains("iOS") || http.req.header("User-Agent").contains("Android") || http.req.header("User-Agent").contains("Windows Phone")

 

I don't know these mobile headers 100% for sure, so you may need to adjust the header value according to what your mobile devices are and what they send within their header. You can check that via a Wireshark trace, for example (or you just know it :D). You can use "EQ" instead of "CONTAINS" as well, but this requires the complete and exact user agent header string or it won't work. Also consider using SET_TEXT_MODE(IGNORECASE) for case insensitivity.

 

Now, depending on your authentication flow, you have this rule as first priority, connecting to an auth action without MFA, and then the second prio would be a "true" rule which redirects to MFA.


E: Also please note that User-Agent headers can be manipulated within the request (just like any other header), so an attacker who gets a grip of that configuration could bypass MFA by pretending to send the request from a mobile device.
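
An added example, not part of the original post and not NetScaler or Citrix code: a small Python model of the flow described in the answer above (mobile User-Agent rule at first priority, "true" rule second), for checking which path a set of captured User-Agent strings would take before the expression is changed. The app names and sample headers are constructed assumptions, and the model assumes CONTAINS is case-sensitive unless SET_TEXT_MODE(IGNORECASE) is applied.

```python
# Added example: a model of the answer's two-rule flow, not NetScaler code.
MOBILE_TOKENS = ("iOS", "Android", "Windows Phone")  # from the posted expression

def mobile_rule(user_agent, ignorecase=False, exact=False):
    """Model CONTAINS (default) or EQ, optionally with SET_TEXT_MODE(IGNORECASE)."""
    ua, tokens = user_agent or "", MOBILE_TOKENS
    if ignorecase:
        ua, tokens = ua.lower(), tuple(t.lower() for t in tokens)
    if exact:                       # EQ: the whole header must equal the value
        return ua in tokens
    return any(t in ua for t in tokens)

def select_flow(user_agent, **mode):
    """Priority 1: mobile rule -> action without MFA. Priority 2: 'true' -> MFA."""
    return "no-mfa" if mobile_rule(user_agent, **mode) else "mfa"

# Constructed sample headers (hypothetical app names); swap in values
# captured from your own devices before trusting any result.
SAMPLES = {
    "android_app": "ExampleFilesApp/1.0 (Linux; Android 13)",
    "android_lowercase": "examplefilesapp/1.0 (linux; android 13)",
    "iphone_safari": ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) "
                      "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 "
                      "Mobile/15E148 Safari/604.1"),
    "desktop_browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    # Any client can put a mobile token in the header; the rule cannot tell.
    "non_mobile_claiming_android": "ExampleDesktopClient/2.0 (Android)",
    "no_header": None,
}

def audit(samples=SAMPLES, **mode):
    """Return {sample name: flow} so rule changes can be diffed before rollout."""
    return {name: select_flow(ua, **mode) for name, ua in samples.items()}

if __name__ == "__main__":
    for label, mode in [("CONTAINS", {}),
                        ("CONTAINS+IGNORECASE", {"ignorecase": True}),
                        ("EQ", {"exact": True})]:
        print(label, audit(**mode))
```

Run against real captures, the output shows both directions of error: mobile clients whose header lacks the chosen tokens still land on MFA, and any client that presents a token lands on the path without it.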

 
