Posts posted by Shahzad Siddique 2
-
Hi Harihara,
You are correct, while running > /var/log/messages I can see many events showing SELinux is preventing blx and its dependencies from starting.
After running > grubby --update-kernel ALL --args selinux=0 and rebooting the Linux host, I can see SELinux is disabled and now I am able to start blx.
I want to know how to configure a VIP in shared mode, where a single NIC is configured on Linux.
Since it is a shared mode of deployment, where I have only a single NIC, using iptables the external IP is configured with a DNAT rule to access NetScaler management on CLI 9022 and GUI 9080.
But I am not sure how to configure the VIP, can you guide on this?
-
cat /var/log/blx-boot.log > below error
Thu Nov 9 05:35:26 PM IST 2023: Started parsing blx.conf
blx-conf-parser-388: awk -f /usr/sbin/blx-get-block.awk -v block="blx-system-config" /root/.blx/blx-derived.conf
blx-conf-parse-648: Config block interfaces not found.
blx-conf-parse-807: Core Dumps enabled.
blx-conf-parse-815: Using existing core_pattern set in /proc/sys/kernel/core_pattern for core dumps. If you want to use the default pattern mentioned in blx.conf, restart BLX after removing the existing pattern with below command:
echo '' | tee /proc/sys/kernel/core_pattern
blx-dpdk-nic-parse-1015: All interfaces specified in /etc/blx/blx.conf are not compatible with BLX DPDK, starting BLX in Non-DPDK mode
blx-conf-parser-1037: Enabling net.ipv4.ip_forward=1.
blx-conf-parse-1775: mgmt-ssh-port not specified in blx.conf. blx-ssh will use mgmt-ssh-port:9022
blx-conf-parse-1865: Both mgmt-http-port and mgmt-https-port not specified in blx.conf. blx-web-config will use mgmt-http-port:9080 and mgmt-https-port:9443
blx-conf-parse-2010: BLX listening to ip address configured on host for mgmt access. Ignoring static-routes.
192.0.0.1 is set as ipaddress by default for BLX.
Thu Nov 9 05:35:26 PM IST 2023: Completed parsing blx.conf
-
sudo yum install ./blx*rpm
While running "systemctl start blx" I am getting the below error
[root@blx-host blx]# systemctl status blx.service
× blx.service - BLX service
Loaded: loaded (/usr/lib/systemd/system/blx.service; enabled; preset: disabled)
Active: failed (Result: exit-code) since Thu 2023-11-09 17:35:27 IST; 19min ago
Process: 26918 ExecStartPre=/usr/sbin/blx-helper.sh (code=exited, status=0/SUCCESS)
Process: 27107 ExecStartPre=/bin/bash -c ${CHCON} (code=exited, status=0/SUCCESS)
Process: 27108 ExecStart=/root/.blx/blx-pre-start.sh (code=exited, status=203/EXEC)
Process: 27109 ExecStopPost=/root/.blx/blx-post-stop.sh (code=exited, status=0/SUCCESS)
Process: 27110 ExecStopPost=/bin/bash -c ${RESTORECON} (code=exited, status=0/SUCCESS)
Process: 27111 ExecStopPost=/bin/rm -rf /root/.blx (code=exited, status=0/SUCCESS)
Main PID: 27108 (code=exited, status=203/EXEC)
CPU: 211ms
Nov 09 17:35:26 blx-host blx-helper.sh[26944]: touch: missing file operand
Nov 09 17:35:26 blx-host blx-helper.sh[26944]: Try 'touch --help' for more information.
Nov 09 17:35:26 blx-host blx-helper.sh[26918]: /usr/sbin/blx-helper.sh: line 810: [: too many arguments
Nov 09 17:35:26 blx-host blx-helper.sh[27099]: cat: '': No such file or directory
Nov 09 17:35:26 blx-host systemd[27108]: blx.service: Failed to locate executable /root/.blx/blx-pre-start.sh: Permission denied
Nov 09 17:35:27 blx-host systemd[27108]: blx.service: Failed at step EXEC spawning /root/.blx/blx-pre-start.sh: Permission denied
Nov 09 17:35:27 blx-host systemd[1]: blx.service: Main process exited, code=exited, status=203/EXEC
Nov 09 17:35:27 blx-host systemd[27109]: blx.service: Executable /root/.blx/blx-post-stop.sh missing, skipping: Permission denied
Nov 09 17:35:27 blx-host systemd[1]: blx.service: Failed with result 'exit-code'.
Nov 09 17:35:27 blx-host systemd[1]: Failed to start BLX service.
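Added example (not part of the original posts and not Citrix code): the journal above shows systemd children failing with 203/EXEC and "Permission denied", and the post at the top of this page attributes the failure to SELinux. The sketch below joins those journal lines to audit AVC records by PID to show which source type was denied which permission on which file label. The AUDIT records and their SELinux contexts are constructed for illustration.

```python
import re

# Journal lines copied from the systemctl output above.
JOURNAL = """\
Nov 09 17:35:27 blx-host systemd[27108]: blx.service: Failed at step EXEC spawning /root/.blx/blx-pre-start.sh: Permission denied
Nov 09 17:35:27 blx-host systemd[27109]: blx.service: Executable /root/.blx/blx-post-stop.sh missing, skipping: Permission denied
Nov 09 17:35:27 blx-host systemd[1]: blx.service: Failed with result 'exit-code'.
"""

# Constructed audit.log records (assumed contexts; none appear in the post).
AUDIT = """\
type=AVC msg=audit(1699531526.901:412): avc:  denied  { execute } for  pid=27108 comm="(start.sh)" name="blx-pre-start.sh" dev="dm-0" ino=3412 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1699531527.004:413): avc:  denied  { getattr } for  pid=27109 comm="(-stop.sh)" path="/root/.blx/blx-post-stop.sh" dev="dm-0" ino=3413 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1699531530.100:414): avc:  denied  { read } for  pid=900 comm="chronyd" name="x" dev="dm-0" ino=9 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

EXEC_FAIL = re.compile(r"systemd\[(\d+)\]: ([\w.@-]+): .*?(/[^\s:,]+).*Permission denied")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]+?) \}.*?\bpid=(\d+)\b.*?"
                 r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def failed_execs(journal):
    """Map child PID -> (unit, path) for exec failures ending in 'Permission denied'."""
    hits = (EXEC_FAIL.search(line) for line in journal.splitlines())
    return {int(m.group(1)): (m.group(2), m.group(3)) for m in hits if m}

def correlate(journal, audit):
    """Join exec failures to AVC denials on PID; unrelated denials are dropped."""
    execs = failed_execs(journal)
    findings = []
    for line in audit.splitlines():
        m = AVC.search(line)
        if m and int(m.group(2)) in execs:
            unit, path = execs[int(m.group(2))]
            findings.append({"unit": unit, "path": path, "denied": m.group(1).split(),
                             "source": selinux_type(m.group(3)),
                             "target": selinux_type(m.group(4)), "tclass": m.group(5)})
    return findings

if __name__ == "__main__":
    for f in correlate(JOURNAL, AUDIT):
        print("{unit}: {source} denied {denied} on {path} ({target}, {tclass})".format(**f))
```

On a live host the AVC records come from `ausearch -m AVC -ts recent`, and `ls -Z` on the path shows the label the denial refers to.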
-
Hi All,
We are creating an Oracle-ECV monitor to identify if the associated backend server is ready for write operations on the database. Based on the query response, make the service status UP/DOWN. Is any sample available to achieve the same? Please help to create an advanced Oracle ECV monitor.
Regards,
Shahzad
-
Hi Jeff,
There is a catch, we also need to create a broker access rule; after that I am able to see the Weblinks published content.
Create a Broker access rule for the above delivery group to define user assignment
Get-BrokerDesktopGroup |fl name, Uid
New-BrokerAccessPolicyRule -Name "SPA-DG_Direct" -Enabled $true -AllowedUsers Filtered -AllowRestart $true -AllowedConnections NotViaAG -IncludedSmartAccessFilterEnabled $true -IncludedUserFilterEnabled $true -DesktopGroupUid 13
New-BrokerAccessPolicyRule -Name "SPA-DG_AG" -Enabled $true -AllowedUsers Filtered -AllowRestart $true -AllowedConnections ViaAG -IncludedSmartAccessFilterEnabled $true -IncludedUserFilterEnabled $true -DesktopGroupUid 13
-
Hi Folks,
Evaluating Citrix SPA on-prem for publishing an intranet web URL, followed the below link
Setup Details:
Citrix CVAD 2203 -Cu2
Netscaler - 13.1 build 45
Workspace App: 2303 (Embedded enterprise browser)
Configuration Steps followed for building SPA Onprem
1. Created Blank Delivery Group and published Content and associated to blank DeliveryGroup
Add-PsSnapin Citrix*
new-BrokerDesktopGroup -Name "SPA-DG" -DesktopKind 1
$deliveryGroupName = "SPA-DG"
$appURL = "https://dc01.xen.lab/certsrv/"
$appName = "Cert-Portal"
$appIconFilePath = "C:\g2m.ico"
$appDescription = "KEYWORDS:SPAENABLED"
$deliveryGroupUid = (Get-BrokerDesktopGroup -DesktopGroupName $deliveryGroupName).Uid
New-BrokerApplication -ApplicationType PublishedContent -CommandLineExecutable $appURL -Name $appName -DesktopGroup $deliveryGroupUid -Description $appDescription
Get-BrokerApplication -ApplicationType PublishedContent | Format-Table @{Label="Type"; Expression={$_.ApplicationType}},Name,@{Label="URL"; Expression={$_.CommandLineExecutable}},@{Label="Delivery group"; Expression={(Get-BrokerDesktopGroup -Uid $_.AssociatedDesktopGroupUids[0]).Name}},Description
2. Created Policy.json file on StoreFront under below path
mkdir C:\inetpub\wwwroot\Citrix\spa\Resources
mkdir C:\inetpub\wwwroot\Citrix\spa\Resources\SecureBrowser
Copied policy.json file to Secure browser directory
3. Run PowerShell script with the code mentioned in the above link to change web.config
4. Configure on-prem NetScaler Gateway for enabling ClientAccess, Web address encoding, enabling secure browse, excluding SF & Citrix FQDNs from clientless access mode (globally)
add vpn sessionAction SPA-act -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -wihome "https://ddc01.xen.lab/Citrix/spaWeb" -ClientChoices OFF -ntDomain xen.lab -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://ddc01.xen.lab"
add vpn sessionPolicy SPA_SessionPol "aaa.USER.IS_MEMBER_OF(\"rabale-group\")" SPA-act
bind policy patset ns_cvpn_default_bypass_domains citrix.com -index 4
bind policy patset ns_cvpn_default_bypass_domains ddc01.xen.lab -index 5
5. Created Authorization policy and bind Web resources to AAA group
add aaa group rabale-group
add authorization policy Allow_StoreFront "HTTP.REQ.HOSTNAME.CONTAINS(\"ddc01.xen.lab\")" ALLOW
add authorization policy Deny_ALL true DENY
add authorization policy Allow_Cert-Portal "HTTP.REQ.HOSTNAME.CONTAINS(\"dc01.xen.lab\")" ALLOW
bind aaa group rabale-group -policy Allow_Cert-Portal -priority 100 -gotoPriorityExpression END
bind aaa group rabale-group -policy Allow_StoreFront -priority 110 -gotoPriorityExpression END
bind aaa group rabale-group -policy Deny_ALL -priority 120 -gotoPriorityExpression END
Problem Statement >
Testing SPA resources using Workspace App version 2303 from an end-user system. Only able to see CVAD resources. Published web content is not visible to users.
Thanks in Advance
Shahzad Siddique
-
Also, I use the same backend HTTP service for both the SSL and HTTP_QUIC protocol based vservers.
-
Hi Subhojit,
I created 2 vservers for both and created an HTTP profile for the SSL vserver, as mentioned in the documentation
Configure HTTP/3 service discovery
add ns httpProfile http-profile -altsvc ENABLED -altSvcValue "h3-29=\":443\"; ma=3600; persist=1"
add lb vserver lbvs SSL 10.20.40.150 443 -persistenceType NONE -cltTimeout 180 -httpProfileName http-profile
I can also see that the HTTP response is showing the Alt-Svc header
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 27 Oct 2020 10:41:40 GMT
Accept-Ranges: bytes
ETag: "b39ee5c04dacd61:0"
Server: Microsoft-IIS/8.5
Date: Tue, 14 Mar 2023 07:04:20 GMT
Content-Length: 5227
Alt-Svc: h3-29=":443"; ma=3600; persist=1
But it is not redirecting further to the HTTP_QUIC vserver; it still continues to work on the SSL vserver only.
Attaching the running config for your reference, please help if any further correction is needed.
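Added example (not part of the original post and not Citrix code): a small RFC 7838 parser that shows exactly what the Alt-Svc header in the response above advertises, and which alternatives a client would consider given the protocol IDs it implements. `h3-29` is the identifier for draft 29 of HTTP/3 and `h3` is the one registered by RFC 9114; clients skip alternatives whose protocol ID they do not implement. The function names and the second sample header are assumptions made for the illustration, and backslash escapes inside quoted strings are not handled.

```python
def split_unquoted(text, sep):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_alt_svc(value):
    """Parse an Alt-Svc field value into a list of alternative services."""
    if value.strip() == "clear":
        return []  # "clear" invalidates all cached alternatives for the origin
    alts = []
    for item in split_unquoted(value, ","):
        alternative, *params = split_unquoted(item, ";")
        proto, _, authority = alternative.partition("=")
        host, _, port = authority.strip().strip('"').rpartition(":")
        p = {k.strip().lower(): v.strip().strip('"')
             for k, v in (kv.split("=", 1) for kv in params if "=" in kv)}
        alts.append({
            "alpn": proto.strip(),
            "host": host,                      # empty means "same host as the origin"
            "port": int(port),                 # for h3 this is a UDP port
            "ma": int(p.get("ma", 86400)),     # RFC 7838 default freshness: 24 hours
            "persist": p.get("persist") == "1",
        })
    return alts

def usable_by(alts, client_alpns):
    """Alternatives a client would try, given the protocol IDs it implements."""
    return [a for a in alts if a["alpn"] in client_alpns]

# Header value copied from the response in the post above.
PAGE_HEADER = 'h3-29=":443"; ma=3600; persist=1'
# Constructed header with two alternatives, for comparison.
SAMPLE_HEADER = 'h3=":443"; ma=86400, h3-29="alt.example.test:8443"'

if __name__ == "__main__":
    print(parse_alt_svc(PAGE_HEADER))
    print(usable_by(parse_alt_svc(PAGE_HEADER), {"h3"}))
```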
-
Hi Subhojit,
Thank you for your guidance, we have to create 2 vservers:
Flow: Cip > Vserver1 (HTTP/SSL) set with QUIC profile bound, which then redirects HTTP traffic to the QUIC configured vserver.
Is there anything in addition to enabling the client browser to support the QUIC protocol?
I enabled the QUIC flag extension in the Chrome browser
-
Configured Citrix NetScaler to support the HTTP_QUIC protocol to support HTTP/3 in the frontend. My question is how do we test it from the open internet.
Below is the sample config
add ns httpProfile http3_quic -http3 ENABLED
add quic profile quic_http3 -ackDelayExponent 10 -activeConnectionIDlimit 4
add ssl profile ssl_profile1 -sslProfileType QUIC-FrontEnd -sessReuse ENABLED -sessTimeout 120 -tls1 DISABLED -tls11 DISABLED -tls12 DISABLED -tls13 ENABLED
add lb vserver http_quic-lb HTTP_QUIC 10.20.40.150 443 -persistenceType NONE -cltTimeout 120 -httpProfileName http3_quic -quicProfileName quic_http3
bind lb vserver http_quic-lb service1
set ssl vserver http_quic-lb -sslProfile ssl_profile1
bind ssl vserver http_quic-lb -certkeyName emudra_connect.mspllabs.co.in.p
bind ssl vserver http_quic-lb -eccCurveName P_256
bind ssl vserver http_quic-lb -eccCurveName P_384
bind ssl vserver http_quic-lb -eccCurveName P_224
bind ssl vserver http_quic-lb -eccCurveName P_521
-
Hi guys,
After applying Log4j mitigation steps using a responder policy, we observed false-positive behavior where legitimate traffic is getting blocked. Is there any way to get logs for the bound responder policy getting hits?
Tried using policy based logging, https://support.citrix.com/article/CTX125466. But I see no log in tail -f /log/ns.log.
Please help in achieving the same, thanks in advance.
-
Push notification was not able to register with the Citrix SSO token using the QR-code scanner. Getting error "Push Notification Failed BAD request" on both iOS & Android devices.
1. We found that the client was properly encoding the data of the scan to NetScaler.
2. ADC was not able to use that data, and since it was not able to understand that request, it was sending the HTTP 400 bad request error to the client.
Finally, the problem got resolved by upgrading NetScaler firmware to version 12.1 build 55.13.
-
I am also facing a similar issue.
Currently, I am using NetScaler version 13.0 build 41.20.
HINT: according to the Citrix release notes, there is a known issue in 13.0 build 41.20
The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
[# NSAUTH-6106]
Want to know from which build onwards push notification, let's check with ver 12.1
-
Deploying Netscaler BLX in Shared mode on RHEL 9.2, hosted on Xenserver hypervisor.
in Core ADC use cases
Hi Harihara,
Thanks a lot for clarifying my queries. Now I can correlate shared and dedicated mode in BLX