Kai Thorsrud

Members
Posts: 35

  1. Hi. Luckily I configure all my NetScalers using Terraform only, but I have to log in to the GUI to verify my changes. I log in to the NetScaler GUI like 50-100 times every day. I patched all my NetScalers hours after the software was available for download. Is there a way to disable this annoyance? If not, at least make it funnier: "If you have not patched your NetScalers by now and this device is internet facing, you are OWNED" :D. If you have an internet-facing device you need to patch within a few hours these days... get current with the real world.
  2. Hi Morten. A pure dynamic learning client creates ineffective rules and duplicate rules, and also, if you have an infected client, you can feed the WAF with security issues. Furthermore, in real-life scenarios, whenever I use dynamic learning clients the ns.logs fill up with the dynamic learning client detecting new rules, and whenever the NS tries to add the rule NetScaler will report "Rule already exists". Dynamic learning is not mature yet. Typically what I do is construct manual WAF rules because they are more effective than dynamic rules, i.e. take a Swagger definition and create rules from that, then use knowledge of HTTP and HTML and my SANS certifications on red team/blue team work to implement rules.
  3. I believe this will also happen if the node you are failing over to is unlicensed (SSL feature not enabled on the secondary node).
  4. The Terraform provider is more mature in my opinion. I would recommend looking at Terraform. (I used to prefer Ansible 2 years ago.) One benefit with Ansible is that it is really easy to talk directly to the NITRO API. https://developer-docs.netscaler.com/en-us/adc-nitro-api/13-1/ My Ansible knowledge is outdated, so I have no direct answer to your question.
  5. This is great news, Julian. I use it with StoreFront + FAS. Do you utilize FAS as well in your setup?
  6. I have never touched anything but Platinum. I know that OAuth IdP on CAG works; OAuth SP does not work AFAIK. I will have to test again since I know "you know your shit" :D
  7. I have tried in the past to bind an auth profile to a CAG. The auth profile points to an aaa vserver with OAuth 2.x enabled, but it doesn't work as long as I use OAuth. Are there any other ways to bind an OAuth auth action to a vpn vserver / CAG / Citrix Access Gateway? Maybe I have overlooked some smart way to implement OAuth on a vpn vserver.
  8. If you echo the line you have attempted and then pipe that line to a shell or some other way of executing it, I believe it will work.
  9. Just read the doc at https://registry.terraform.io/providers/citrix/citrixadc/latest/docs/resources/vpnvserver. It works as intended.
  10. OAuth authentication as far as I know... if you have found a way, please share :D Only SAML works as far as I can work out.
  11. Morten is correct and on the right track. The best way would be to let NetScaler decrypt the traffic. Then you can use the Botnet Framework, WAF, IP Reputation or several other NetScaler protection features to handle it. I have successfully handled several DDoS attacks using NetScalers in the past. The problem is that if you are new to this with no experience, implementing the correct protection / rules for the DDoS you are experiencing takes experience and will be a challenge. I have successfully stopped several DDoS attacks and made several companies survive Black Friday, the launch of the PlayStation 5 and similar. I find NetScaler to kick ass at stopping L7 DDoS attacks if you can decrypt the traffic. The problem is the config, my friend. Learning protocols and spotting patterns in the attack takes experience. No, I do not have time to help with config.
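The second post above mentions taking a Swagger definition and building WAF rules from it. As an added example, not code from the thread, from the poster or from Citrix, the script below turns a constructed OpenAPI 3 document into NetScaler AppFW allowlist commands: one Start URL binding per documented path (path parameters become bounded regexes, with the spec's own `pattern` used where present) and one Field Format binding per documented query parameter. The profile name `API_PROFILE`, the `api_*` field type names and the sample document are assumptions, and the `bind appfw profile -startURL`, `add appfw fieldtype` and `-fieldFormat` command shapes are reproduced from memory of the appfw CLI; check them against the NITRO/CLI reference for your build before pasting them into a box.

```python
"""Hypothetical helper: OpenAPI (Swagger) paths/params -> NetScaler AppFW allowlist CLI.

Not NetScaler tooling. CLI shapes are from memory; verify on your release.
"""
import json
import re

# Constructed sample OpenAPI 3 document (no real service behind it).
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.0",
    "paths": {
        "/api/v1/users": {
            "get": {"parameters": [
                {"name": "page", "in": "query", "schema": {"type": "integer"}}]},
            "post": {},
        },
        "/api/v1/users/{userId}": {
            "get": {"parameters": [
                {"name": "userId", "in": "path",
                 "schema": {"type": "string", "pattern": "^[0-9a-f]{8}$"}}]},
            "delete": {},
        },
        "/api/v1/search": {
            "get": {"parameters": [
                {"name": "q", "in": "query", "schema": {"type": "string", "maxLength": 64}},
                {"name": "limit", "in": "query", "schema": {"type": "integer"}}]},
        },
    },
})

HOST_RE = r"^https?://[^/?#]+"           # any scheme and host, then the path
PATH_PARAM = re.compile(r"\{([^}]+)\}")  # {userId} in an OpenAPI path template

# Strict per-type allowlists (assumed names): loosen per parameter, never globally.
TYPE_REGEX = {  # schema type -> (field type name, regex, default max length)
    "integer": ("api_integer", r"^[0-9]+$", 20),
    "number": ("api_number", r"^-?[0-9]+(\.[0-9]+)?$", 32),
    "boolean": ("api_boolean", r"^(true|false)$", 5),
    "string": ("api_string", r"^[A-Za-z0-9 ._@-]*$", 256),
}


def path_regex(path, path_params):
    """Escape the literal path and replace each {param} with a bounded pattern."""
    out, pos = [], 0
    for m in PATH_PARAM.finditer(path):
        out.append(re.escape(path[pos:m.start()]))
        schema = path_params.get(m.group(1), {})
        if "pattern" in schema:                 # the spec's own constraint wins
            out.append("(" + schema["pattern"].lstrip("^").rstrip("$") + ")")
        elif schema.get("type") == "integer":
            out.append("[0-9]+")
        else:
            out.append("[^/?#]+")               # exactly one path segment
        pos = m.end()
    out.append(re.escape(path[pos:]))
    return "".join(out)


def start_url(path, path_params):
    """Full-URL regex for a Start URL binding; query string optional."""
    return HOST_RE + path_regex(path, path_params) + r"(\?.*)?$"


def field_type_for(param_name, schema):
    """(field type name, regex, max length) for one query parameter schema."""
    kind = schema.get("type", "string")
    name, regex, max_len = TYPE_REGEX.get(kind, TYPE_REGEX["string"])
    if "pattern" in schema:                     # parameter-specific type
        name, regex = f"api_str_{param_name}", schema["pattern"]
    if "maxLength" in schema:
        max_len = int(schema["maxLength"])
    return name, regex, max_len


def generate_rules(openapi_json, profile):
    """Return CLI lines: field type definitions first so the binds resolve."""
    doc = json.loads(openapi_json)
    field_types, binds = {}, []
    for path, ops in sorted(doc.get("paths", {}).items()):
        path_params, query_params = {}, {}
        for op in ops.values():
            if not isinstance(op, dict):        # skip path-level lists/strings
                continue
            for p in op.get("parameters", []):
                if p.get("in") in ("path", "query"):
                    target = path_params if p["in"] == "path" else query_params
                    target[p["name"]] = p.get("schema", {})
        url = start_url(path, path_params)
        binds.append(f'bind appfw profile {profile} -startURL "{url}"')
        for pname, schema in sorted(query_params.items()):
            tname, regex, max_len = field_type_for(pname, schema)
            field_types.setdefault(tname, regex)   # define each type once
            binds.append(
                f'bind appfw profile {profile} -fieldFormat "{pname}" '
                f'-formActionURL "{url}" -fieldType {tname} '
                f"-fieldFormatMinLength 0 -fieldFormatMaxLength {max_len}")
    defs = [f'add appfw fieldtype {n} "{r}" 10' for n, r in sorted(field_types.items())]
    return defs + binds


if __name__ == "__main__":
    print("\n".join(generate_rules(SAMPLE_OPENAPI, "API_PROFILE")))
```

The output is an allowlist: any path absent from the spec fails the Start URL check and any documented query parameter is held to its declared type and length, which is the part a learning client tends to get wrong. Start URL rules say nothing about HTTP methods, so a method restriction still has to come from elsewhere in the profile, and a parameter whose spec `pattern` is looser than you like should be tightened in the spec, not in the generated output.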