Posts posted by Reinier Sanchez1709155063
-
Verify the following:
1. Use the ADM FQDN instead of the IP when configuring the Director script that references ADM.
2. Replace the ADM TLS cert with a cert trusted by the Director server.
3. Make sure there is no firewall blocking https/443 between Director and ADM.
4. If a network capture from Director shows TLS handshake problems (and you don't know how to fix them), use HTTP only instead of HTTPS when integrating Director and ADM.
-
Solution is here: https://support.citrix.com/article/CTX132169
Cause #3 resolved the issue for me.
I'm using a self-signed cert.
-
Known issue NSADM-62399
Not a lot you can do by yourself. The leftover IP is present in the ADM DB; it needs to be removed manually from the DB by Citrix Support.
-
The proper way to capture a network trace from the ADM server is the same as capturing a network trace from any FreeBSD host. A command like this will do the job:
Note: before taking a trace, check that ADM has enough space available in /var:
> df -h /var/
> tcpdump -s 0 -w /var/tmp/output_file.cap host [ip]
-s 0 captures the full frame size, not just a portion.
-w path is the destination of the trace file.
host [ip] is the capture filter (you could also use "host [ip] and port [port]").
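The capture procedure above, wrapped so it cannot exhaust /var on the ADM host, as an added example that is not part of the original post. The space budget (600 MB), the 100 MB x 5 rotation, the output path and the peer address are assumptions chosen for illustration; the df output in the block is constructed, not taken from a real appliance.

```shell
#!/bin/sh
# Added example, not from the original post: guard the tcpdump capture so it
# cannot fill /var. Budget, rotation sizes and paths are illustrative assumptions.

# Read `df -P -k <path>` output on stdin and print the Available column (KiB)
# of the single data row. -P forces the portable one-line-per-filesystem
# format on FreeBSD (ADM) and Linux alike, so column 4 is stable.
df_avail_kb() {
    awk 'NR == 2 { print $4 }'
}

# Succeed when $1 (KiB available) covers $2 (KiB needed).
has_space() {
    [ "$1" -ge "$2" ]
}

# Capture traffic to/from host $2 into $1 with a hard size cap: -C rotates the
# file every 100 MB and -W keeps at most 5 files, so disk use stays bounded at
# roughly 500 MB however long the capture runs. Refuses to start if the
# filesystem holding the output file is already too full.
safe_capture() {
    out=$1
    peer=$2
    need_kb=${3:-600000}    # 600 MB: 5 x 100 MB files plus headroom
    dir=$(dirname "$out")
    avail=$(df -P -k "$dir" | df_avail_kb)
    if ! has_space "$avail" "$need_kb"; then
        echo "refusing to capture: ${avail} KiB free under ${dir}, need ${need_kb}" >&2
        return 1
    fi
    # -s 0 keeps whole frames; the filter narrows to the Director<->ADM HTTPS flow.
    tcpdump -s 0 -C 100 -W 5 -w "$out" host "$peer" and port 443
}

# Constructed df output (not from a real host) so the parser can be exercised
# offline: 15499160 KiB free on /var.
SAMPLE_DF='Filesystem 1024-blocks     Used Available Capacity  Mounted on
/dev/ada0s1f   20307196  3183460  15499160      17%  /var'

avail=$(printf '%s\n' "$SAMPLE_DF" | df_avail_kb)
if has_space "$avail" 600000; then
    echo "sample /var has ${avail} KiB free: capture would start"
else
    echo "sample /var has ${avail} KiB free: capture would be refused"
fi
# Real use on the ADM shell:  safe_capture /var/tmp/director_adm.cap 10.0.0.5
```

The point of the rotation flags is that a capture left running over a long reproduction window is the usual way /var fills up on an appliance; the pre-check only protects the moment the capture starts.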
-
To mitigate the CSRF vulnerability, use AppFW; here is a good guide:
NetScaler App Firewall Deployment FAQ and Guides
https://support.citrix.com/article/CTX227310
-
You need to upgrade ADC to at least the latest 12.0 build.
-
Upgrade ADC to the latest build; many improvements have been made to DTLS app streaming.
The latest build today for the 12.0 architecture is 63.xx.
Also, the latest builds of Workspace/Receiver use only one cipher for DTLS 1.0 streaming, which is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.
Workspace/Receiver also use DTLS 1.2 with these three:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Make sure those TLS ciphers are bound to the Citrix Gateway.
Overview of the Crypto Kit updates in Citrix Workspace for Windows and Mac
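As an added illustration, not from the post above, this is the shape of the NetScaler CLI configuration that binds exactly those three suites to a Gateway virtual server. The cipher group name (DTLS-WORKSPACE), the vserver name (GW_VS) and the ADC-side cipher identifiers are assumptions written from memory of the ADC CLI; confirm the exact identifiers with `show ssl cipher` on your build before applying, since names differ slightly between releases.

```text
# Assumed names: DTLS-WORKSPACE (cipher group), GW_VS (Gateway vserver).
add ssl cipher DTLS-WORKSPACE
bind ssl cipher DTLS-WORKSPACE -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher DTLS-WORKSPACE -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384   -cipherPriority 2
bind ssl cipher DTLS-WORKSPACE -cipherName TLS1-ECDHE-RSA-AES128-SHA          -cipherPriority 3

# Replace the DEFAULT group on the Gateway vserver with the explicit group,
# make sure an ECC curve is bound (ECDHE suites need one) and DTLS is enabled.
unbind ssl vserver GW_VS -cipherName DEFAULT
bind ssl vserver GW_VS -cipherName DTLS-WORKSPACE
bind ssl vserver GW_VS -eccCurveName P_256
set vpn vserver GW_VS -dtls ON

# Verify: the bound cipher list should show the three suites, in priority order.
show ssl vserver GW_VS
```

Keeping the DTLS 1.0 suite (AES128-CBC-SHA) at the lowest priority lets newer clients negotiate the GCM suite first while older Receiver builds that only speak DTLS 1.0 can still stream audio.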
-
On 3/22/2019 at 10:33 AM, Rowen Gunn said:
I've read the link, it mentions audio once on the entire page. The Netscaler has no insight into say Lync or Skype audio packets because they are wrapped in SSL encryption. It's up to the application itself on the VPN to determine if it will use UDP or TCP for audio, the Netscaler doesn't and can't make that choice for an application running on the VPN because it can't see inside the packets of data once encrypted.
If this was an ICA gateway then yes, 100%, DTLS is used for audio. It's also used for Framehawk, which isn't audio at all; the page doesn't mention that at all, but FrameHawk, which is just video, can't work without DTLS.
It seems like Citrix themselves have some confusion on what DTLS is and what uses it. Despite the multiple Citrix employees saying different things in this thread... I've worked on a Netscaler based SSL VPN for years now, DTLS is used by the VPN and it's used for much more than audio. Citrix's VPN client debug logs make that very clear and perhaps the employees posting quick canned responses or responding to dead threads should really look at those logs before posting conflicting data.
The VPN plug-in will use DTLS to stream audio traffic whenever it is possible and available in the VPN channel between the client and the NetScaler Gateway.
-
sh tcpParam
sh tcpProfile nstcp_default_profile
These commands will show the same values, and the default profiles are the same on any given NetScaler version. But remember that DTLS uses UDP, not TCP ;) so there will not be much impact from tweaking the TCP options.
Although, for app streaming through the gateway, Citrix recommends the built-in TCP profile: nstcp_default_XA_XD_profile
-
Here you can find detailed information regarding Citrix DTLS Support
Support for DTLSv1.0 protocol
https://docs.citrix.com/en-us/citrix-adc/12-1/ssl/support-for-dtls-protocol.html
-
DTLS is used by the Citrix VPN plug-in when needed, for example for audio traffic over the VPN tunnel. Audio is more sensitive to latency, and DTLS encrypts the UDP/443 traffic. In a network trace you would see the protocol DTLSv1.0 when DTLS is in use.
-
-
ns_saml_disable_comma_sep_attr_res nsapimgr (in Core ADC use cases)
Newer versions of ADC (13.0+) migrated the SAML token format from comma-separated (CSV) to XML format.
To toggle between the comma-separated and XML SAML token formats:
> nsapimgr_wr.sh -ys call=ns_saml_enable_comma_sep_attr_res
> nsapimgr_wr.sh -ys call=ns_saml_disable_comma_sep_attr_res
To make it persistent, you need an rc.netscaler file under /nsconfig/.
https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/saml-authentication.html
Security Assertion Markup Language (SAML) is an XML-based authentication mechanism that provides single sign-on capability and is defined by the OASIS Security Services Technical Committee.