
Shahzad Siddique 2

Posts posted by Shahzad Siddique 2

  1. Hi Harihara,

    You are correct; while running > /var/log/messages I can see many events showing SELinux is preventing blx and its dependencies from starting.

    After running > grubby --update-kernel ALL --args selinux=0 and rebooting the Linux host, I can see SELinux is disabled and now I am able to start blx.

    I want to know how to configure a VIP in shared mode, where a single NIC is configured on Linux.

    Since it is a shared mode of deployment, where I have only a single NIC, an external IP is configured using iptables with a DNAT rule to access NetScaler management on CLI port 9022 and GUI port 9080.

    But I am not sure how to configure the VIP; can you guide me on this?

  2. cat /var/log/blx-boot.log > below error

    Thu Nov 9 05:35:26 PM IST 2023: Started parsing blx.conf

    blx-conf-parser-388: awk -f /usr/sbin/blx-get-block.awk -v block="blx-system-config" /root/.blx/blx-derived.conf

    blx-conf-parse-648: Config block interfaces not found.

    blx-conf-parse-807: Core Dumps enabled.

    blx-conf-parse-815: Using existing core_pattern set in /proc/sys/kernel/core_pattern for core dumps. If you want to use the default pattern mentioned in blx.conf, restart BLX after removing the existing pattern with below command:

        echo '' | tee /proc/sys/kernel/core_pattern

    blx-dpdk-nic-parse-1015: All interfaces specified in /etc/blx/blx.conf are not compatible with BLX DPDK, starting BLX in Non-DPDK mode

    blx-conf-parser-1037: Enabling net.ipv4.ip_forward=1.

    blx-conf-parse-1775: mgmt-ssh-port not specified in blx.conf. blx-ssh will use mgmt-ssh-port:9022

    blx-conf-parse-1865: Both mgmt-http-port and mgmt-https-port not specified in blx.conf. blx-web-config will use mgmt-http-port:9080 and mgmt-https-port:9443

    blx-conf-parse-2010: BLX listening to ip address configured on host for mgmt access. Ignoring static-routes.

    192.0.0.1 is set as ipaddress by default for BLX.

    Thu Nov 9 05:35:26 PM IST 2023: Completed parsing blx.conf

  3. sudo yum install ./blx*rpm

    While running "systemctl start blx" I get the error below:

    root@blx-host blx]# systemctl status blx.service

    × blx.service - BLX service

       Loaded: loaded (/usr/lib/systemd/system/blx.service; enabled; preset: disabled)

       Active: failed (Result: exit-code) since Thu 2023-11-09 17:35:27 IST; 19min ago

      Process: 26918 ExecStartPre=/usr/sbin/blx-helper.sh (code=exited, status=0/SUCCESS)

      Process: 27107 ExecStartPre=/bin/bash -c ${CHCON} (code=exited, status=0/SUCCESS)

      Process: 27108 ExecStart=/root/.blx/blx-pre-start.sh (code=exited, status=203/EXEC)

      Process: 27109 ExecStopPost=/root/.blx/blx-post-stop.sh (code=exited, status=0/SUCCESS)

      Process: 27110 ExecStopPost=/bin/bash -c ${RESTORECON} (code=exited, status=0/SUCCESS)

      Process: 27111 ExecStopPost=/bin/rm -rf /root/.blx (code=exited, status=0/SUCCESS)

      Main PID: 27108 (code=exited, status=203/EXEC)

        CPU: 211ms

    Nov 09 17:35:26 blx-host blx-helper.sh[26944]: touch: missing file operand

    Nov 09 17:35:26 blx-host blx-helper.sh[26944]: Try 'touch --help' for more information.

    Nov 09 17:35:26 blx-host blx-helper.sh[26918]: /usr/sbin/blx-helper.sh: line 810: [: too many arguments

    Nov 09 17:35:26 blx-host blx-helper.sh[27099]: cat: '': No such file or directory

    Nov 09 17:35:26 blx-host systemd[27108]: blx.service: Failed to locate executable /root/.blx/blx-pre-start.sh: Permission denied

    Nov 09 17:35:27 blx-host systemd[27108]: blx.service: Failed at step EXEC spawning /root/.blx/blx-pre-start.sh: Permission denied

    Nov 09 17:35:27 blx-host systemd[1]: blx.service: Main process exited, code=exited, status=203/EXEC

    Nov 09 17:35:27 blx-host systemd[27109]: blx.service: Executable /root/.blx/blx-post-stop.sh missing, skipping: Permission denied

    Nov 09 17:35:27 blx-host systemd[1]: blx.service: Failed with result 'exit-code'.

    Nov 09 17:35:27 blx-host systemd[1]: Failed to start BLX service.

  4. Hi Jeff,

    There is a catch: we also need to create a broker access rule; after that I am able to see the Weblinks published content.

    Create a Broker access rule for the above delivery group to define the user assignment:

    Get-BrokerDesktopGroup |fl name, Uid

    New-BrokerAccessPolicyRule -Name "SPA-DG_Direct" -Enabled $true -AllowedUsers Filtered -AllowRestart $true -AllowedConnections NotViaAG -IncludedSmartAccessFilterEnabled $true -IncludedUserFilterEnabled $true -DesktopGroupUid 13

    New-BrokerAccessPolicyRule -Name "SPA-DG_AG" -Enabled $true -AllowedUsers Filtered -AllowRestart $true -AllowedConnections ViaAG -IncludedSmartAccessFilterEnabled $true -IncludedUserFilterEnabled $true -DesktopGroupUid 13

  5. Hi Folks,

    Evaluating Citrix SPA on-prem for publishing an intranet web URL; I followed the link below.


    https://docs.citrix.com/en-us/tech-zone/build/deployment-guides/secure-private-access-on-premises.html#configuration-process

    Setup Details:

    Citrix CVAD 2203 CU2

    NetScaler 13.1 build 45

    Workspace App: 2303 (embedded enterprise browser)

    Configuration steps followed for building SPA on-prem:

    1. Created a blank Delivery Group, published content and associated it with the blank Delivery Group

    Add-PsSnapin Citrix*

    new-BrokerDesktopGroup -Name "SPA-DG" -DesktopKind 1

    $deliveryGroupName = "SPA-DG"
    $appURL = "https://dc01.xen.lab/certsrv/"
    $appName = "Cert-Portal"
    $appIconFilePath = "C:\g2m.ico"
    $appDescription = "KEYWORDS:SPAENABLED"
    $deliveryGroupUid = (Get-BrokerDesktopGroup -DesktopGroupName $deliveryGroupName).Uid

    New-BrokerApplication -ApplicationType PublishedContent -CommandLineExecutable $appURL -Name $appName -DesktopGroup $deliveryGroupUid -Description $appDescription
    Get-BrokerApplication -ApplicationType PublishedContent | Format-Table @{Label="Type"; Expression={$_.ApplicationType}},Name,@{Label="URL"; Expression={$_.CommandLineExecutable}},@{Label="Delivery group"; Expression={(Get-BrokerDesktopGroup -Uid $_.AssociatedDesktopGroupUids[0]).Name}},Description

    2. Created the policy.json file on StoreFront under the path below

    mkdir C:\inetpub\wwwroot\Citrix\spa\Resources
    mkdir C:\inetpub\wwwroot\Citrix\spa\Resources\SecureBrowser

    Copied the policy.json file to the SecureBrowser directory

    3. Ran the PowerShell script with the code mentioned in the above link to change web.config

    4. Configured the on-prem NetScaler Gateway: enabled client access, web address encoding and Secure Browse, and excluded the SF and Citrix FQDNs from clientless access mode (globally)

    add vpn sessionAction SPA-act -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -wihome "https://ddc01.xen.lab/Citrix/spaWeb" -ClientChoices OFF -ntDomain xen.lab -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://ddc01.xen.lab"


    add vpn sessionPolicy SPA_SessionPol "aaa.USER.IS_MEMBER_OF(\"rabale-group\")" SPA-act

    bind policy patset ns_cvpn_default_bypass_domains citrix.com -index 4
    bind policy patset ns_cvpn_default_bypass_domains ddc01.xen.lab -index 5

    5. Created authorization policies and bound web resources to the AAA group

    add aaa group rabale-group

    add authorization policy Allow_StoreFront "HTTP.REQ.HOSTNAME.CONTAINS(\"ddc01.xen.lab\")" ALLOW
    add authorization policy Deny_ALL true DENY
    add authorization policy Allow_Cert-Portal "HTTP.REQ.HOSTNAME.CONTAINS(\"dc01.xen.lab\")" ALLOW

    bind aaa group rabale-group -policy Allow_Cert-Portal -priority 100 -gotoPriorityExpression END
    bind aaa group rabale-group -policy Allow_StoreFront -priority 110 -gotoPriorityExpression END
    bind aaa group rabale-group -policy Deny_ALL -priority 120 -gotoPriorityExpression END

    Problem Statement >

    Testing SPA resources using Workspace App version 2303 from an end-user system. I am only able to see CVAD resources; the published web content is not visible to users.

    Thanks in advance

    Shahzad Siddique

    nsrunning (4).conf

    SPA-Onprem Steps.txt
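An added example, not code from this thread or from Citrix: a small Python model of the authorization policy chain bound to the rabale-group AAA group in step 5 above, to show the effect of the bind order and of HOSTNAME.CONTAINS() being a substring test. It assumes the policies are evaluated lowest priority first with END stopping at the first hit, as the post's bindings specify; the hostnames other than ddc01.xen.lab and dc01.xen.lab are constructed.

```python
# Added example, not code from the thread: a model of the authorization policy
# chain bound to the "rabale-group" AAA group in the post, used to check the
# bind order and what HTTP.REQ.HOSTNAME.CONTAINS() actually matches.
# Assumptions: rules are Python callables standing in for NetScaler expressions,
# and every binding uses gotoPriorityExpression END (first hit wins).
from dataclasses import dataclass
from typing import Callable, List, Tuple

Rule = Callable[[str], bool]

@dataclass(frozen=True)
class AuthzBinding:
    name: str
    rule: Rule
    action: str      # "ALLOW" or "DENY"
    priority: int    # lower number is evaluated first

def contains(needle: str) -> Rule:
    # Models HOSTNAME.CONTAINS("needle"): a case-sensitive substring test.
    return lambda host: needle in host

def equals(value: str) -> Rule:
    # Stricter comparison used by the hardened chain below.
    return lambda host: host == value

def evaluate(host: str, bindings: List[AuthzBinding]) -> Tuple[str, str]:
    """Return (policy name, action) of the first binding whose rule matches."""
    for b in sorted(bindings, key=lambda x: x.priority):
        if b.rule(host):
            return (b.name, b.action)
    return ("<no policy hit>", "DENY")   # nothing bound matched

# Bindings exactly as in the post (priorities 100, 110, 120). Note that
# "ddc01.xen.lab" contains "dc01.xen.lab", so Allow_Cert-Portal fires first
# and Allow_StoreFront never records a hit, which matters when checking hit counters.
POST_BINDINGS = [
    AuthzBinding("Allow_Cert-Portal", contains("dc01.xen.lab"), "ALLOW", 100),
    AuthzBinding("Allow_StoreFront", contains("ddc01.xen.lab"), "ALLOW", 110),
    AuthzBinding("Deny_ALL", lambda host: True, "DENY", 120),
]

# Same chain with exact hostname matches: a longer name that merely contains
# "dc01.xen.lab" falls through to Deny_ALL instead of being allowed.
STRICT_BINDINGS = [
    AuthzBinding("Allow_Cert-Portal", equals("dc01.xen.lab"), "ALLOW", 100),
    AuthzBinding("Allow_StoreFront", equals("ddc01.xen.lab"), "ALLOW", 110),
    AuthzBinding("Deny_ALL", lambda host: True, "DENY", 120),
]

if __name__ == "__main__":
    for host in ("ddc01.xen.lab", "dc01.xen.lab", "dc01.xen.lab.example.test", "intranet.xen.lab"):
        print(f"{host:28} post={evaluate(host, POST_BINDINGS)} strict={evaluate(host, STRICT_BINDINGS)}")
```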

  6. Hi Subhojit,

    I created 2 vservers and created an HTTP profile for the SSL vserver, as mentioned in the documentation:

    Configure HTTP/3 service discovery

    add ns httpProfile http-profile -altsvc ENABLED -altSvcValue "h3-29=":443"; ma=3600; persist=1"

    add lb vserver lbvs SSL 10.20.40.150 443 -persistenceType NONE -cltTimeout 180 -httpProfileName http-profile

    I can also see the HTTP response showing the Alt-Svc header:

    HTTP/1.1 200 OK

    Content-Type: text/html

    Last-Modified: Tue, 27 Oct 2020 10:41:40 GMT

    Accept-Ranges: bytes

    ETag: "b39ee5c04dacd61:0"

    Server: Microsoft-IIS/8.5

    Date: Tue, 14 Mar 2023 07:04:20 GMT

    Content-Length: 5227

    Alt-Svc: h3-29=":443"; ma=3600; persist=1

    But it is not redirecting further to the HTTP_QUIC vserver; it still continues to work on the SSL vserver only.

    Attaching the running config for your reference; please help if any further correction is needed.
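An added example, not code from this thread or from Citrix: a parser for the Alt-Svc header value shown in the response above (RFC 7838 syntax), plus a check of whether a client that implements a given set of ALPN identifiers would act on the advertisement. The client ALPN sets are constructed inputs, not measurements of any particular browser.

```python
# Added example, not code from the thread: parses the Alt-Svc value shown in the
# post (RFC 7838 syntax) and checks whether a client with a given set of ALPN
# identifiers would use it. Client ALPN sets here are constructed inputs.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import unquote

@dataclass
class AltService:
    protocol_id: str          # ALPN identifier, e.g. "h3-29" (draft) or "h3" (final)
    authority: str            # "host:port", or ":port" meaning the same host
    params: Dict[str, str] = field(default_factory=dict)   # ma, persist, ...

# One alternative: protocol-id "=" quoted alt-authority, then ";"-separated
# parameters up to the next "," (which separates alternatives).
_ALT_RE = re.compile(r'([^=;,\s]+)\s*=\s*"([^"]*)"\s*((?:;[^;,]*)*)')

def parse_alt_svc(value: str) -> List[AltService]:
    """Parse an Alt-Svc header value into its list of alternatives."""
    if value.strip() == "clear":          # "clear" invalidates all cached alternatives
        return []
    alts: List[AltService] = []
    for m in _ALT_RE.finditer(value):
        params: Dict[str, str] = {}
        for p in m.group(3).split(";"):
            if "=" in p:
                k, v = p.split("=", 1)
                params[k.strip()] = v.strip().strip('"')
        alts.append(AltService(unquote(m.group(1)), m.group(2), params))
    return alts

def max_age(alt: AltService) -> int:
    """Lifetime of the alternative in seconds; the RFC 7838 default is 24 hours."""
    return int(alt.params.get("ma", "86400"))

def select_alternative(alts: List[AltService], client_alpns: Set[str]) -> Optional[AltService]:
    """First alternative whose ALPN id the client implements, else None.
    A draft id such as "h3-29" is ignored by a client that only implements "h3",
    so the header can be present in the response yet never be used."""
    for alt in alts:
        if alt.protocol_id in client_alpns:
            return alt
    return None

if __name__ == "__main__":
    alts = parse_alt_svc('h3-29=":443"; ma=3600; persist=1')   # value from the post
    print(alts, "max-age:", max_age(alts[0]))
    print("client with h3 only:", select_alternative(alts, {"h3"}))
    print("client with h3-29:", select_alternative(alts, {"h3", "h3-29"}))
```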

  7. Hi Subhojit,

    Thank you for your guidance. We have to create 2 vservers:

    Flow: CIP > Vserver1 (HTTP/SSL) with a QUIC profile bound, which then redirects HTTP traffic to the QUIC-configured vserver.

    Is there anything needed in addition to enabling the client browser to support the QUIC protocol?

    I enabled the QUIC flag extension in the Chrome browser.

  8. Configured Citrix NetScaler to support the HTTP_QUIC protocol for HTTP/3 on the frontend. My question: how do we test it from the open internet?

    Below is the sample config:

    add ns httpProfile http3_quic -http3 ENABLED

    add quic profile quic_http3 -ackDelayExponent 10 -activeConnectionIDlimit 4

    add ssl profile ssl_profile1 -sslProfileType QUIC-FrontEnd -sessReuse ENABLED -sessTimeout 120 -tls1 DISABLED -tls11 DISABLED -tls12 DISABLED -tls13 ENABLED

    add lb vserver http_quic-lb HTTP_QUIC 10.20.40.150 443 -persistenceType NONE -cltTimeout 120 -httpProfileName http3_quic -quicProfileName quic_http3

    bind lb vserver http_quic-lb service1

    set ssl vserver http_quic-lb -sslProfile ssl_profile1

    bind ssl vserver http_quic-lb -certkeyName emudra_connect.mspllabs.co.in.p

    bind ssl vserver http_quic-lb -eccCurveName P_256

    bind ssl vserver http_quic-lb -eccCurveName P_384

    bind ssl vserver http_quic-lb -eccCurveName P_224

    bind ssl vserver http_quic-lb -eccCurveName P_521

  9. Hi guys,

    After applying the Log4j mitigation steps using a responder policy, we observed false-positive behaviour where legitimate traffic is getting blocked. Is there any way to get logs for the bound responder policy getting hits?

    I tried using policy-based logging, https://support.citrix.com/article/CTX125466, but see no log in tail -f /log/ns.log.

    Please help in achieving the same; thanks in advance.

  10. Push notification was not able to register with the Citrix SSO token using the QR-code scanner. Getting the error "Push Notification Failed BAD request" on both iOS and Android devices.

    1. We found that the client was properly encoding the scan data to NetScaler.

    2. ADC was not able to use that data, and since it could not understand the request, it was sending the HTTP 400 Bad Request error to the client.

    Finally, the problem was resolved by upgrading the NetScaler firmware to version 12.1 build 55.13.

  11. I am also facing a similar issue.

    Currently, I am using NetScaler version 13.0 build 41.20.

    HINT: according to the Citrix release notes there is a known issue in 13.0 build 41.20:

    The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

    [# NSAUTH-6106]

    Want to know from which build onwards push notification works; let's check with version 12.1.
