
Kai Thorsrud

Everything posted by Kai Thorsrud

  1. Hi, Luckily I configure all my NetScalers using Terraform only, but I have to log in to the GUI to verify my changes. I log in to the NetScaler GUI like 50-100 times every day. I patched all my NetScalers hours after the software was available for download. Is there a way to disable this annoyance? If not, at least make it funnier: "If you have not patched your NetScalers by now and this device is internet facing, you are OWNED" :D. If you have an internet facing device you need to patch within a few hours these days... get current to the real world
  2. Hi Morten. A pure dynamic learning client creates ineffective rules, duplicate rules, and also if you have an infected client you can feed the WAF with security issues. Furthermore, in real life scenarios whenever I use dynamic learning clients the ns.logs will fill up with the dynamic learning client detecting new rules, and whenever the NS tries to add the rule NetScaler will report "Rule Already exists". Dynamic Learning is not mature yet. Typically what I do is to construct manual WAF rules because they are more effective than dynamic rules, i.e. take a Swagger definition and create rules from that, then use knowledge of HTTP, HTML, and my SANS certifications on red team/blue team work to implement rules.
  3. I believe this will also happen if the node you are failing over to is unlicensed (SSL feature not enabled on the secondary node).
  4. The Terraform provider is more mature in my opinion. I would recommend looking at Terraform. (I used to prefer Ansible 2 years ago.) One benefit with Ansible is that it is really easy to talk directly to the NITRO API. https://developer-docs.netscaler.com/en-us/adc-nitro-api/13-1/ My Ansible knowledge is outdated so I have no direct answer to your question.
  5. This is great news, Julian. I use it with StoreFront + FAS. Do you utilize FAS as well in your setup?
  6. I have never touched anything but Platinum. I know that OAuth IDP on CAG works; OAuth SP does not work AFAIK. I will have to test again since I know "you know your shit" :D
  7. I have tried in the past to bind an Auth Profile to a CAG. The Auth Profile points to an AAA vserver with OAuth 2.x enabled, but it doesn't work as long as I use OAuth. Are there any other ways to bind an OAuth auth action to a VPN vserver / CAG / Citrix Access Gateway? Maybe I have overlooked some smart way to implement OAuth on a VPN vserver.
  8. If you echo the line you have attempted, then pipe that line to a shell or another way of executing it, I believe it will work.
  9. Just read the doc at https://registry.terraform.io/providers/citrix/citrixadc/latest/docs/resources/vpnvserver; it works as intended.
  10. OAuth authentication, as far as I know... if you have found a way please share :D Only SAML works as far as I can work out.
  11. OAuth authentication, as far as I know... if you have found a way please share :D Only SAML works as far as I can work out.
  12. Morten is correct and on the right track. The best way would be to let NetScaler decrypt the traffic. Then you can use the Botnet Framework, WAF, IP Reputation or several other NetScaler protection features to handle it. I have successfully handled several DDoS attacks using NetScalers in the past. The problem is that if you are new to this with no experience, implementing the correct protection / rules for the DDoS you are experiencing takes experience and will be a challenge. I have successfully stopped several DDoS attacks and made several companies survive Black Friday, the launch of PlayStation 5 and similar. I find NetScaler kicks ass at stopping L7 DDoS attacks if you can decrypt the traffic. The problem is the config, my friend. Learning protocols and spotting patterns in the attack takes experience... No, I do not have time to help with config.
  13. Correct. NetScaler Gateway seems to be the correct name for CAG these days (Citrix Access Gateway).
  14. But the really cool thing is: NetScaler supports it :D on everything but CAG. NetScaler can even be an OAuth 2.0 v2 MSAL API gateway with bearer token cache. That means you can protect legacy APIs using NetScaler without rewriting backend code, only client side, which is possible. Changing legacy backend APIs = forget it... 10+ years of dev work for the devs.
  15. This will be a two-step process to explain. The thing is that Microsoft used something called ADAL in the past. ADAL is now End of Life, end of support, and since March 23 no longer even patched for security fixes. Whenever you obtain a SAML assertion from the Azure IDP you are talking with ADAL in Azure. MSAL is the new auth framework. It is not possible to obtain a SAML assertion from MSAL endpoints in Azure since MSAL does not support SAML. This link shows ADAL = End of Life, end of security patches: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-migration Furthermore, follow this link and read Microsoft's answer that they do not support SAML on MSAL: https://learn.microsoft.com/en-us/answers/questions/1074499/is-it-possible-to-use-msal-access-token-in-saml-fl Adding a very important thing in regards to using OAuth as an IDP in Azure: you have to use the v2 version since v1 = ADAL. The v2 endpoint is something like this: https://login.microsoftonline.com/organizations/oauth2/v2.0/ = MSAL; https://login.microsoftonline.com/organizations/oauth2/v1.0/ = ADAL. Yeah, they really keep us busy... This topic is a big challenge for the producers of applications I host behind NetScaler. They are so proud they can finally say "Now we support SAML"... And I'm like "oh noes... here we go again"... After 1 week of meetings and discussions with their dev team they go "ok, fuck" "we get it now"...
  16. Hi, and thank you for your time to answer me. I need help with this... This is not supported by your Terraform provider. See the link at the bottom of this post. I was supposed to have a meeting with Konstantinos Kaltsas where I wanted to demonstrate how cool NetScaler can actually be in large real life scenarios. We scheduled meetings 3 times and every time I had to cancel because I am so busy with work. Now I am even more busy. This post is the best I am able to do. (I code, sleep, eat, work out to get stronger and stronger, family, repeat.) https://github.com/citrix/terraform-provider-citrixadc/issues/1037
  17. Hi, I do complete Terraform deployments with more or less all features available. I have developed separate modules that:
     • deploy a NetScaler in Azure
     • configure an entire NetScaler according to best practice (with A+ on SSL Labs)
     • deploy Botnet Protection
     • deploy WAF
     • deploy OAuth 2.0 v2 MSAL for applications
     • deploy a web application (or any application with any protocol, with or without custom monitors)
     • deploy OAuth 2.0 v2 MSAL JWT with token cache so I can protect legacy APIs as a modern API gateway
     • deploy CAG for XenApp / XenDesktop with SAML to connect with StoreFront+FAS
     • handle certificates for all applications and update them as they change
     My upcoming challenge will be: how to handle WAF rulesets for persistent deploys. In a Blue/Green or Canary environment I need to be able to handle rules (being learned data) using code to have a consistent ruleset. Being able to deploy WAF rules using code is a big plus as independent audits and revisioning of our internet exposed infrastructure becomes possible. Zero Trust is the key for me. Nothing enters our network w/o proper authentication from Azure. Once authenticated and authorized, WAF+BotNet = key. Do you have any advice on how to solve these challenges? In a real life enterprise scenario this is a challenge to solve. NetScaler is a big business enabler for enterprises since all code cannot be refactored easily. Such a migration is a 5-10 year challenge. NetScaler really bridges the gap in a hybrid environment.
  18. Even more urgent: Warning: Azure Active Directory Authentication Library (ADAL) has been deprecated. While existing apps that use ADAL will continue to work, Microsoft will no longer release security fixes on ADAL. Use the Microsoft Authentication Library (MSAL) to avoid putting your app's security at risk.
  19. Just adding more information to this post to make it easier to understand how SAML = End of Life... It is not possible to get a SAML assertion with MSAL. ADAL is End of Life... Quote from the article below: "All Microsoft support and development for ADAL, including security fixes, ended on June 30, 2023." https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-migration
  20. SAML is End of Life in Azure and furthermore all SAML authentication in Azure is ADAL, not MSAL. If you do ADAL auth you are missing out on a lot of the new security features such as new conditional access rules and so on. I started writing a Terraform CAG module / XenApp/XenDesktop module today and it was sad to see that there is still only SAML supported for CAG.
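Posts 15 and 20 above turn on one concrete detail: an Azure OAuth authority URL under `/oauth2/v1.0/` is the ADAL-era endpoint, while `/oauth2/v2.0/` is the MSAL-era one. The script below is an added example (not the poster's code and not part of NetScaler or the Terraform provider) that audits a list of endpoint URLs, as you might lift them out of an OAuth action or a Terraform variable file, and flags anything that is not the v2.0 endpoint. The sample URLs, the tenant names and the non-Azure host are constructed; treating an Azure URL with no version segment as the old v1-style form is an assumption stated in the code.

```python
from urllib.parse import urlparse

AZURE_LOGIN_HOST = "login.microsoftonline.com"

# Constructed sample configuration: authority URLs as they might be pasted
# into an OAuth action. Tenant names and the non-Azure host are hypothetical.
SAMPLE_ENDPOINTS = [
    "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize",
    "https://login.microsoftonline.com/organizations/oauth2/v1.0/token",
    "https://login.microsoftonline.com/contoso.example/oauth2/v2.0/token",
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://idp.example.net/oauth2/v2.0/authorize",
    "http://login.microsoftonline.com/organizations/oauth2/v2.0/token",
]


def classify_endpoint(url: str) -> str:
    """Classify an OAuth endpoint URL by the endpoint family it targets.

    Returns one of:
      "msal"      - Azure host, /oauth2/v2.0/ path (the MSAL-era endpoint)
      "adal"      - Azure host, /oauth2/v1.0/ path (the ADAL-era endpoint)
      "legacy"    - Azure host, /oauth2/ with no version segment; treated here
                    as the old v1-style form (assumption, see lead-in)
      "insecure"  - not https, whatever the host
      "non-azure" - some other identity provider host; out of scope here
      "malformed" - Azure host but the path is not <tenant>/oauth2/...
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return "insecure"
    if parsed.hostname != AZURE_LOGIN_HOST:
        return "non-azure"
    segments = [s for s in parsed.path.split("/") if s]
    # Expected shape: <tenant>/oauth2/<version>/<operation>
    if len(segments) < 3 or segments[1] != "oauth2":
        return "malformed"
    version = segments[2]
    if version == "v2.0":
        return "msal"
    if version == "v1.0":
        return "adal"
    return "legacy"


def audit_endpoints(urls):
    """Return (url, verdict, acceptable) triples; only the v2.0 endpoint passes."""
    result = []
    for url in urls:
        verdict = classify_endpoint(url)
        result.append((url, verdict, verdict == "msal"))
    return result


def findings(urls):
    """URLs that should be changed before the config ships."""
    return [url for url, _verdict, ok in audit_endpoints(urls) if not ok]


if __name__ == "__main__":
    for url, verdict, ok in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"{'OK  ' if ok else 'FAIL'} {verdict:<9} {url}")
```

Run it as-is to see the constructed sample; in practice feed it the authority and token URLs pulled from your own configuration. Anything reported as `adal` or `legacy` is exactly the case the posts above describe: the deployment still depends on the endpoint family Microsoft no longer ships security fixes for.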