Reinier Sanchez1709155063

Posts posted by Reinier Sanchez1709155063

  1. Newer versions of ADC (13.0+) migrated the SAML token format from comma-separated (CSV) to XML format.

    Toggle between the comma-separated (CSV) and XML SAML token formats:

    > nsapimgr_wr.sh -ys call=ns_saml_enable_comma_sep_attr_res
    > nsapimgr_wr.sh -ys call=ns_saml_disable_comma_sep_attr_res

    To make it persistent, you need an rc.netscaler file under /nsconfig/

    https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/saml-authentication.html

    Security Assertion Markup Language (SAML) is an XML-based authentication mechanism that provides single sign-on capability and is defined by the OASIS Security Services Technical Committee.
  2. Verify the following:

    1. Use the ADM FQDN instead of the IP when configuring the Director script to reference ADM.

    2. Replace the ADM TLS cert with a cert trusted by the Director server.

    3. Make sure there is no firewall blocking https:443 between Director and ADM.

    4. If a network capture trace from Director shows TLS handshake problems (and you don't know how to fix them), use HTTP only instead of HTTPS when integrating Director and ADM.

  4. The proper way to capture a network trace from the ADM server is the same as capturing a network trace from any FreeBSD host. A command like this will do the job:

    Note: before taking a trace, check that ADM has enough space available in /var

    > df -h /var/

    > tcpdump -s 0 -w /var/tmp/output_file.cap host [ip]

    -s 0 captures the full frame size, not just a portion.

    -w path is the destination of the trace file.

    host [ip] is the trace filter (you could also use "host [ip] and port [port]").

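One way to script the capture steps from this post, as an added example that is not from the original post: the free-space check on /var runs before tcpdump is started with the same -s 0 / -w / host filter options. The 512 MiB threshold, the host IP and the port in the usage line are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: wraps the capture steps so the
# free-space check on /var happens before tcpdump writes anything to it.
# Assumptions: POSIX df and tcpdump on the ADM host (FreeBSD); the 512 MiB
# threshold, the host IP and the port below are placeholders.

MIN_FREE_KB=$((512 * 1024))

# Free kilobytes on the filesystem holding $1 (df -P prints one POSIX-format line per filesystem).
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Succeed when the filesystem holding $1 has at least $2 KB free.
has_space() {
    free=$(free_kb "$1")
    [ "${free:-0}" -ge "$2" ]
}

# tcpdump filter as in the post: "host [ip]", or "host [ip] and port [port]" when a port is given.
filter_expr() {
    if [ -n "$2" ]; then
        printf 'host %s and port %s' "$1" "$2"
    else
        printf 'host %s' "$1"
    fi
}

# capture_trace HOST [OUTFILE] [PORT]: full frames (-s 0) written to OUTFILE (-w).
capture_trace() {
    host=$1
    outfile=${2:-/var/tmp/output_file.cap}
    port=$3
    if ! has_space /var "$MIN_FREE_KB"; then
        echo "refusing to capture: less than $((MIN_FREE_KB / 1024)) MiB free on /var" >&2
        return 1
    fi
    # Word-splitting of the filter is intended: tcpdump takes it as separate arguments.
    tcpdump -s 0 -w "$outfile" $(filter_expr "$host" "$port")
}

# Usage on the ADM host (as root), capturing HTTPS traffic to/from the Director server:
# capture_trace 192.0.2.10 /var/tmp/adm_director.cap 443
```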
  5. Upgrade ADC to the latest build; many improvements have been made to DTLS app streaming.

    The latest build today for the 12.0 architecture is 63.xx

    Also, the latest builds of Workspace/Receiver use only one cipher for DTLS 1.0 streaming, which is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

    Workspace/Receiver also uses DTLS 1.2 with these three:

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

    Make sure those TLS ciphers are bound to the Citrix Gateway.

    Overview of the Crypto Kit updates in Citrix Workspace for Windows and Mac

    https://support.citrix.com/article/CTX250104

  6. On 3/22/2019 at 10:33 AM, Rowen Gunn said:

    I've read the link; it mentions audio once on the entire page. The Netscaler has no insight into, say, Lync or Skype audio packets because they are wrapped in SSL encryption. It's up to the application itself on the VPN to determine if it will use UDP or TCP for audio; the Netscaler doesn't and can't make that choice for an application running on the VPN because it can't see inside the packets of data once encrypted.

    If this was an ICA gateway then yes, 100%, DTLS is used for audio. It's also used for Framehawk, which isn't audio at all; the page doesn't mention that at all, but FrameHawk, which is just video, can't work without DTLS.

    It seems like Citrix themselves have some confusion on what DTLS is and what uses it. Despite the multiple Citrix employees saying different things in this thread... I've worked on a Netscaler-based SSL VPN for years now; DTLS is used by the VPN and it's used for much more than audio. Citrix's VPN client debug logs make that very clear, and perhaps the employees posting quick canned responses or responding to dead threads should really look at those logs before posting conflicting data.

    The VPN plug-in will use DTLS to stream audio traffic whenever it is possible and available in the VPN channel between the client and the Netscaler gateway.

  7. sh tcpParam

    sh tcpProfile nstcp_default_profile

    These commands will show the same values, and the default profiles are the same on any given Netscaler version. But remember DTLS uses UDP, not TCP ;) so there will be not much impact from tweaking the TCP options.

    Although, for app streaming through the gateway, Citrix recommends the built-in TCP profile nstcp_default_XA_XD_profile