Morten Kallesøe

its not logged in ns.log ? or in ns.log.*? or maybe in a upstream syslog server?

Where did you remove this flag?

Hmmm - and the setting OFF is of course NOT documented. https://docs.netscaler.com/en-us/netscaler-gateway/current-release/vpn-user-config/configure-plugin-connections/enable-proxy-support-for-user-connections.html :-( also in https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/vpn/vpnsessionaction - "* OFF - Proxy settings are not configured. " - but i guess, that means NS WILL DISABLE the proxy configuration.

the lbvserver should not be able to reply 404, if its down. 404 is a vaild reponse, and indicates that something is doing an reply.

Yes, i am currently looking into implementing a similar feature that you are describing, and i dont think it will be possible before the next release of NetScaler (14.1 21.x and 13.1 52.x) as they will contain a WAF module that's loaded BEFORE aaa vServer. but since the new protection is happening in WAF, you properly need premium license, and the creativity also needs to be flexed to create proper policies. We will see when the new release hits the street.

check your logs, and check suffixList - (this is controlled by add dns suffix <fqdn> in netscaler)

i think this questions is better suited on a Azure forum

can you paste your ns.conf thats relevant to your setup?

i would do a fresh install of 14.1 and manually import the config. you have not been maintaining your system for a long time, and now its time to pay the technical debt.

You dont need Direct Server Return (DSR) and MAC based forwarding. just change the default GW to the a SNIP that the exchange server can reach. and create manual routes for internal traffic. unless you want DSR, but DSR can work without MAC based forwarding.

Why are you not allowing access to "/" - seems like a legit place to start - no? but yes, you are right, if the rewrite policy is not hit (and therefor the action also) no HSTS headers are set.

You should create a case with support. they can clarify if its a bug or not.

Different networking, requires different routing. They are not supposed to be synced. INC = Independent Network Configuration, i would say its pretty self explanatory why you need to create routes manually.

Hi Björn I have only played around with it briefly(prometheus + Grafana - NOT splunk), and you can export vServer stats directly from NetScaler, no need for ADM. I use ADM/Console for WAF + BOT Monitoring + GW Insights. its a love / hate relationship, as there is many good things, but i tend to run into bug after bug, which complicates things. However, i keep support and engineering on there tippy toes 🙂

IF you listen to the NetScaler podcast show (https://www.youtube.com/watch?v=Yu8v6ZNNsF0 ) you can hear Richard talk about ARM as the next natural evolution of the platform. MY guess is that it properly be released this year