Gijs Lemahieu1709159845

Posts posted by Gijs Lemahieu1709159845

  1. The idea is to configure a responder policy and check if http.req.url is listed in a pattern set (hosted on the NetScaler itself), and if the condition is true => log the source IP to another pattern set.

    Consequently, I can configure a second responder policy and verify if the source IP is listed in the first pattern set (filled up by the 1st responder policy). When the condition is true, I would block that request.

     

    In that way, I would have some kind of auto-block mechanism when someone (or something) tries to access specific URLs (like /wp-admin or other similar stuff ...), so that all subsequent requests from that user would automatically be blocked.

     

    I don't know, however, if it is somehow possible to fill up a pattern set as a responder action or an audit message action.
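    As an added illustration of the two-policy flow described in this post (not code from the post or from NetScaler), the following Python simulation stands in for the two pattern sets and evaluates both policies in the order that makes the block effective. The trap paths and IP addresses are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    src_ip: str
    url: str


@dataclass
class AutoBlocker:
    # Stand-ins for the two pattern sets from the post. The trap paths are
    # constructed sample values, not taken from any real configuration.
    trap_paths: set = field(default_factory=lambda: {"/wp-admin", "/wp-login.php"})
    blocked_ips: set = field(default_factory=set)

    def policy_block_known_offenders(self, req: Request):
        """Second policy from the post: drop anything from an already listed source IP."""
        return "DROP" if req.src_ip in self.blocked_ips else None

    def policy_record_offender(self, req: Request):
        """First policy from the post: a hit on a trap path adds the source IP to the list."""
        path = req.url.split("?", 1)[0]  # compare the path only, ignore the query string
        if path in self.trap_paths:
            self.blocked_ips.add(req.src_ip)
            return "DROP"  # assumption: the trap request itself is dropped as well
        return None

    def evaluate(self, req: Request) -> str:
        # The block-list check runs first so that a flagged client is stopped on
        # every later URL, not only on the trap paths.
        for policy in (self.policy_block_known_offenders, self.policy_record_offender):
            verdict = policy(req)
            if verdict is not None:
                return verdict
        return "ALLOW"


def run(blocker: AutoBlocker, requests):
    """Evaluate a sequence of requests and return one verdict per request."""
    return [blocker.evaluate(r) for r in requests]


if __name__ == "__main__":
    blocker = AutoBlocker()
    sample = [
        Request("10.0.0.5", "/index.html"),
        Request("10.0.0.5", "/wp-admin?x=1"),
        Request("10.0.0.5", "/index.html"),
        Request("10.0.0.6", "/index.html"),
    ]
    print(run(blocker, sample))
```

    The simulation only shows the intended logic; whether a responder or audit action can append to a pattern set on the appliance is exactly the open question of the post. Two things a defender would want on top of this: an expiry for entries in the blocked-IP set, and awareness that blocking by source IP also hits every other client behind the same NAT address.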

  2. Hi Carl,

     

    Thanks for your feedback. I do have the option to enable 'is name regex' on the relaxation rule, but to be honest, I don't understand what this means (and there is not much available about it either).

    Do you mean I should enable this parameter and configure a regex expression which ignores the domain? If this is the case, I don't know how to write a regex expression for that, as there are hundreds of domains, without any structure (some may contain the character '-', length varies between 10 and 50 characters, ...).

    In fact I'm only interested in the 'path part'.

     

    Could you give a small example (CLI is also fine) of how I could configure this, so I have something to start from?

     

    Thank you very much!

     

    Gijs.

  3. Hi,

     

    We are currently implementing / fine-tuning the WAF setup.

    We are hosting the same website for hundreds of customers, each customer with his own domain.

     

    I'm a bit stuck on implementing relaxation rules: defining something which always works, regardless of the domain of the URL.

     

    An example of the error I get:

    CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_XSS|6|src=1.2.3.4 spt=13771 method=POST request=https://domain/Profile/MyProfile msg=Cross-site script check failed for field __eventtarget\="Bad tag: %# 

    => this is blocked and I would like to create a relaxation rule for this.

    This should ignore the domain part of the URL and only look at the path part,

    so

    https://customer.domain.net/Profile/MyProfile - field __eventtarget should be allowed

    https://domaincustomer.com/Profile/MyProfile - field __eventtarget should be allowed

     

    In responder policies I can use the variable HTTP.REQ.URL.PATH, but can I use something similar in regex expressions in a situation like this?

     

    thanks for your help!

     

    Gijs.
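    As an added example (not from the post, and not NetScaler's own syntax), the regular expression below matches the path from the CEF log above while ignoring scheme and host, which is the shape a domain-agnostic URL rule needs. It is shown with Python's re module; the pattern uses only constructs shared with PCRE, and the sample URLs are constructed placeholders.

```python
import re

# Scheme and host are matched loosely: [^/]+ consumes everything up to the first
# slash after the scheme, so any customer domain (with hyphens, any length) passes.
# The ^ and $ anchors keep longer paths that merely contain the string from matching.
PATH_ONLY_URL = re.compile(r"^https?://[^/]+/Profile/MyProfile$")

# Constructed sample URLs; the hostnames are placeholders, not real customer domains.
SAMPLE_URLS = [
    "https://customer.domain.net/Profile/MyProfile",
    "https://domaincustomer.com/Profile/MyProfile",
    "https://some-long-customer-name-1234567890.example/Profile/MyProfile",
    "https://customer.domain.net/Profile/MyProfile/Extra",
    "https://customer.domain.net/Admin/MyProfile",
    "https://customer.domain.net/Profile/MyProfile?x=1",
]


def matches_relaxation_url(url: str) -> bool:
    """True if the URL's path is exactly /Profile/MyProfile, whatever the host is."""
    return PATH_ONLY_URL.match(url) is not None


def classify(urls):
    """Map each URL to whether the path-only rule would apply to it."""
    return {u: matches_relaxation_url(u) for u in urls}


if __name__ == "__main__":
    for url, hit in classify(SAMPLE_URLS).items():
        print(f"{'MATCH   ' if hit else 'no match'}  {url}")
```

    The last sample shows the one thing to check on the appliance before relying on such a rule: whether the WAF compares the regex against the URL with or without its query string, because an anchored pattern like this one will not match if the query is included.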

  4. Hi,

     

    I'm exploring bot management and the possibilities of this.

    I was able to set up a basic configuration and I see that there are hits on the signatures (with the command stat bot profile), but how can I get some logging of this?

    I cannot find any entry in the ns.log file. I can configure a log action on 'bot management policy' level, but I don't know how to get the bot management variables to see which signature was hit on which url for instance. 

    We are running the latest version of ADC 13.0.

    LOG is enabled for every signature and action is set to 'none'.

    Other features (like waf) are logging to the ns.log by default but this seems to be different for bot management logging?

     

    Can anyone help me?

     

    Regards,

     

    Gijs.

     

  5. Hi Paul,

     

    I ended up creating a support ticket.

    "APPFW_GLOBAL" was introduced in the 13.1 release and this binding is missing from 13.0 or prior releases; the Citrix documentation (13.0), though, tells you to use this binding...

     

    https://support.citrix.com/article/CTX247887/how-to-configure-syslog-policy-to-segregate-app-firewall-logs

    This article is working fine on ADC 13.0 (classic policies).

    I've asked support to update the 13.0 documentation.

     

    Regards,

     

    Gijs

  6. Hi,

     

    I would like to send all web app firewall logs to an external syslog server, to be able to parse them and tune the configuration based on the logs.

    Somehow this doesn't work, but documentation / forums about it are sometimes quite confusing and not very clear.

     

    What I've done so far:

    • edited the syslog.conf file : local2.* is now redirected to /var/log/appfw.log instead of iprep.log
    • restarted the syslog process
    • added a syslog action : add audit syslogAction sysact1 <ip> -serverPort <port> -logLevel ALL -logFacility LOCAL2 -userDefinedAuditlog YES
    • added a syslog policy : add audit syslogPolicy syspol1 true sysact1
    • tried to bind this with this command : bind audit syslogGlobal -policyName syspol1 -priority 100 -globalBindType APPFW_GLOBAL
      => this fails because APPFW_GLOBAL is not accepted as a value; I only have RNAT_GLOBAL, SYSTEM_GLOBAL and VPN_GLOBAL

     

     

    I noticed that a new global binding type (APPFW_GLOBAL) was introduced in version 13.1 build 12.51 (https://docs.citrix.com/en-us/citrix-adc/current-release/citrix-adc-release-notes/release-notes-13-1-12-51.html) but sending only the appfw logs to a separate syslog server should also be possible in version 13.0 I think?

     

    Does someone have an idea / solution for this?

     

    Thanks

     

    Gijs.

     


  7. Hi,

     

    First of all, some background. I have a customer communicating with an API hosted behind the ADC appliance.

    Sometimes (some days not, some days once and some days multiple times), there is a problem and the SSL handshake is failing. I have set up debug logging, but I was not able to identify the problem.

    I started a trace and I was able to capture one example of the problem.

    - Client sends a Client Hello (TLS 1.3)

    - ADC replies with 'Hello Retry Request' and 'Change Cipher Spec'

    - Client replies with 'Change Cipher Spec, Client Hello'

    - ADC responds with RST, ACK (Window 9811)

     

    I upgraded the ADC to the latest version but the problem still occurs (less frequently though).

     

    As the problem occurs less frequently, I'm not able to capture the problem in a trace file anymore. I have started a trace with these settings:
    start nstrace -filter CONNECTION.SRCIP.EQ(a.b.c.d) -link ENABLED -size 0 -nf 10 -time 720 -capdroppkt ENABLED -capsslkeys ENABLED -traceformat PCAP
    but this is creating a lot of data and I'm not able to capture more than 1 hour. I thought that this trace was circular, but this is not how I expect circular logging to work. I would expect some roll-over so that the oldest file is overwritten and that I would always be able to go back 1 hour in the past (due to the amount of data), but this doesn't work. After 1 hour, the trace just stops.

     

    • Is there a way to configure 'roll-over logging' instead of circular logging (which basically just splits up the trace into multiple files), so that the oldest file is overwritten and I can go back one hour in the past?
    • Should I be able to configure a filter on the trace somehow to capture only conversations which end with a Reset packet? This would create much less data and I would be able to capture over a much longer timeframe without filling up the /var directory.

     

    Once this is solved, I should be able to see if the ADC is still / always responding with RST, ACK (window 9811), and search for a cause and solution for that.

     

    Thanks!

     

    Gijs.

  8. Hi Rhonda,

     

    thanks a lot for your quick reply!

     

    I tried with the first command (bind vpn vserver <vpnvserver> -policy <polname> -priority <priority> -type aaa_request) and this solved my problem. I'm getting redirected immediately to the default logon page (as requested).

     

    So if I understand this correctly, by setting the flow type to 'aaa_request' instead of the default 'request', this runs before authentication and is working fine (and this is only possible in the CLI)?

     

    FYI, I'm upgrading from version 13.0.71.44 to 13.0.87.9

     

    Regards,

     

    Gijs.

  9. Hi,

     

    First of all, some background. I have set up the NetScaler as SAML SP and multiple customers can log on and authenticate on their own IdP (similar to this blog: https://www.citrix.com/blogs/2020/04/23/multi-domain-citrix-gateway-nfactor-authentication-and-citrix-fas/).

     

    This is working fine, but one of the customers wanted to avoid the first step (filling in the email address, so that the NetScaler can filter out the domain and forward the request to the corresponding IdP) and they figured out a URL (making use of browser developer tools) like:

    https://samllogonurl.com/nf/auth/doSaml?act=Name_Of_Authentication_SAML_Server;nf=;wv=0

    When using this URL, they were immediately forwarded from the Netscaler to the correct IdP (without the first step of filling in the email address).

     

    Now, after upgrading the ADC (version 13, most recent version), this (static) link is no longer working. I figured out (also making use of browser developer tools) that the URL changed to something like:

    https://samllogonurl.com/nf/auth/doSaml?ctx=nYe-yLRyJi7SKoeU35Fm3N7wIvroWbnNJpfi_mdoWyW5flT7Fr8Z4KRBw4XTh2YKiB2uXxguZmVbOr4BwHhsDmkDczBjF_IavWVO2tG00X-W7iP74BtF6a81Vs_vfpGtqXD9Qhi36d0ZbB4-rqP49sInptQJuUknhngJ5NZF6EgTCTq0ujOizVu22rsCVe8QtjX8uyRl0k6CTH9h65XqhMKxJr2jo4eI1yaSBRNM3BrczR3-FxCP3qLG-Q%3D%3D;wv=0

    and this link expires after some time, so it is somehow dynamic. The static link though, is hardcoded in the endpoint setup of the customer and is not very easy to modify.

     

    I'm looking for a way to get this solved, and my idea was to forward incoming requests on https://samllogonurl.com/nf/auth/doSaml?act=Name_Of_Authentication_SAML_Server;nf=;wv=0 to https://samllogonurl.com so they can follow the regular flow, making use of a responder policy.

    I created a responder policy with this expression:

    http.REQ.URL.EQ("/nf/auth/doSaml?act=Name_Of_Authentication_SAML_Server;nf=;wv=0") and this action:

    redirect to https://samllogonurl.com

     

    and I tried binding this policy to the Citrix Gateway virtual server and also binding it globally.

     

    If I evaluate the policy expression (making use of live headers when hitting the static url), then it should be working.

     

    For some reason though, the responder policy doesn't work and I'm still redirected to the IdP of the customer when hitting the static url.

     

    Does anyone have an idea how I can solve this, and whether this should be working?

     

    Thanks a lot!

  10. Hi,

     

    Load balancing Exchange was working fine until we hardened Exchange following this article:

    https://docs.microsoft.com/en-us/exchange/exchange-tls-configuration?view=exchserver-2019

    Current situation:

    - Exchange only accepts TLS1.2 with the recommended TLS 1.2 cipher suites

    - on ADC (version 13.0.71) I'm using an SSL backend profile (only TLS 1.2 enabled, 4 SSL ciphers, which are in the above list configured on Exchange, 'Deny SSL Renegotiation' set to 'NONSECURE')

     

    I have tried setting 'AllowInsecureRenegoClients' and 'AllowInsecureRenegoServers' on Exchange to '0' (following the hardening guide) and to '1' (following different articles on the internet), but it still doesn't work.

     

    I have tried several things and articles (also several posts in this forum) but I don't get it working.

     

    An idea would be to re-enable TLS 1.1, but this is something I would like to avoid.

     

    Can someone help me with this?

     

    Thanks!

     

    Gijs.

     

  11. Hi,

     

    We have a setup where we configured FAS and the ADC as SP (more or less similar to this setup: https://www.citrix.com/blogs/2020/04/23/multi-domain-citrix-gateway-nfactor-authentication-and-citrix-fas/).

     

    I'm just wondering if it would be possible to provision the users from Azure AD (using the provisioning feature next to the single sign-on feature on enterprise application level) instead of creating shadow users.

    Does someone know if this is possible or supported?

     

    Thanks!

     

    Gijs.

  12. Hi,

     

    We have a webfarm hosted on Windows Server (IIS) with 10 webservers (shared configuration).

    On this webfarm there are several websites and application pools, and we use SNI (Server Name Indication) to host multiple certificates on the same IP address and port (443).

     

    This is the setup used:

    • Customer has its own domain and they create a CNAME record to host their webshop: webshop.customerA.com, and this is redirected to webshop.ourdomain.com
    • webshop.ourdomain.com is an A record and is pointing to the firewall
    • on the firewall there is a destination NAT rule which redirects the traffic to an internal IP address of the NetScaler (virtual server)
    • virtual server on ADC handles the request and sends it to one of the webservers
    • the webserver which receives the request is sending the request to the correct website / app pool (based on the SNI, based on the URL of the initial request)

     

    We use different websites / application pools because we are hosting several versions, and we can upgrade a client to a higher version by removing the binding from website A and linking the binding to website B (website A and B are hosted on the same webfarm, just different sites).

    With this approach, to upgrade a customer, there is no need to change DNS records; only the binding to one of the sites on IIS defines which site / app pool will handle the request.

     

    It may happen that one of the app pools or sites is down on one of the servers of the webfarm and that the ADC is still forwarding requests to this site on this specific server, and this is something I would like to get resolved.

     

    I'm stuck now on the architecture of the virtual server and the monitors to use.

     

    Possibilities I see :

    • use ping as a monitor. Disadvantage: this is only layer 4 and doesn't monitor on layer 7
    • use http or http-ecv as monitor: this may work, but I can only monitor one URL (and thus one site on each webserver). If this site is down, but all the other sites / app pools are up and running, this would generate a false positive and set the server down
    • http-inline will only generate less impact on the webservers by monitoring, but doesn't solve my problem either.
    • create a monitor for each site/app pool (with a static URL for each site which I can use in the monitor for that site (version)), but if there is an incoming request, the ADC doesn't know which app pool will pick up the request because it has no insight into the bindings on IIS, so the ADC can't know if the specific site for the requested URL is up & running on the server to which the request would be redirected

     

    The theoretical solution would be:

    1. to extract the requested URL from the client (e.g. webshop.customerA.com where the request is e.g. https://webshop.customerA.com/kql/activities/overview)
    2. use the assigned load balancing method (e.g. least connection) to determine the webserver to which the request would be sent
    3. use the inline-http monitor with the extracted URL to check if this specific site is running on this specific webserver (defined in step 2), to verify with a layer 7 check if this site is up and running
    4. when the result of the monitor is positive => the request can be transferred to the webserver
    5. when the result is negative (site is down) => the ADC should select another server and consider this webserver as down for this request (or for e.g. 5 seconds)
    6. when none of the webservers is considered up for this specific request, the end user should be redirected to another site (generic down site)

     

    Does someone have another idea or approach on how I could set this up?

     

    Thanks for your help!

     

    Gijs.
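    As an added example (not from the post and not a NetScaler feature), the Python class below simulates the six-step approach described above: the requested host selects the site, a per-server and per-site hold-down records failed site checks for a few seconds, least-connection selection runs only over servers where that site is up, and a generic down page is returned when no server qualifies. Server names, hostnames and the status URL are constructed placeholders; the monitor result is fed in by hand rather than probed.

```python
from urllib.parse import urlsplit


class SiteAwareBalancer:
    """Per-site health on top of least-connection selection (simulation only)."""

    def __init__(self, servers, generic_down_url):
        self.servers = list(servers)
        self.generic_down_url = generic_down_url
        self.connections = {s: 0 for s in self.servers}
        # (server, site) -> time until which that site is held down on that server
        self.down_until = {}

    @staticmethod
    def site_of(url):
        # Step 1: the host part of the requested URL identifies the IIS site / app pool
        return (urlsplit(url).hostname or "").lower()

    def mark_site_down(self, server, site, now, hold=5.0):
        # Step 5: a failed site check holds that (server, site) pair down for `hold` seconds
        self.down_until[(server, site.lower())] = now + hold

    def site_is_up(self, server, site, now):
        return self.down_until.get((server, site), 0.0) <= now

    def choose(self, request_url, now):
        """Return ("FORWARD", server) or ("REDIRECT", generic_down_url)."""
        site = self.site_of(request_url)
        # Step 3: keep only the servers where the monitor for this site is passing
        candidates = [s for s in self.servers if self.site_is_up(s, site, now)]
        if not candidates:
            return ("REDIRECT", self.generic_down_url)          # step 6
        # Step 2: least connections among the remaining servers (ties keep list order)
        server = min(candidates, key=lambda s: self.connections[s])
        self.connections[server] += 1
        return ("FORWARD", server)                              # step 4

    def release(self, server):
        """Call when a forwarded connection closes, so the counters stay accurate."""
        self.connections[server] = max(0, self.connections[server] - 1)


if __name__ == "__main__":
    # Constructed sample farm and requests.
    lb = SiteAwareBalancer(["web01", "web02"], "https://status.example/down")
    url = "https://webshop.customerA.com/kql/activities/overview"
    print(lb.choose(url, now=0.0))                  # web01, least loaded
    lb.mark_site_down("web01", "webshop.customerA.com", now=0.0)
    print(lb.choose(url, now=1.0))                  # web02, web01 held down for this site
    lb.mark_site_down("web02", "webshop.customerA.com", now=1.0)
    print(lb.choose(url, now=2.0))                  # no server has the site up: redirect
    print(lb.choose("https://webshop.customerB.com/", now=2.0))  # other site unaffected
    print(lb.choose(url, now=6.0))                  # hold-down expired
```

    The point the simulation makes visible is that health has to be tracked per (server, site) pair rather than per server: a single outage on one app pool must not pull the whole server out of rotation for every other customer, which is the false positive the http-ecv option above would produce.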

     

  13. Hi,

     

    We have NetScaler Gateway running on NetScaler VPX v12.0.

    The logon page is already customized (logon fields are renamed, custom logo, ...). We have also implemented some kind of EULA with rewrite policies and this works fine.

     

    We have now implemented a customer status page (a product of Atlassian) and they provide the possibility to implement a plugin on a website which automatically shows the current status.

    This is a JS script. So our idea was to add this to the logon page:

    <script src="https://statusportal..../script.js">

    I tried adding this in a rewrite policy but for some reason I cannot get it working (I even don't know if this is supported).

     

    When adding the rewrite action, I get this error:

    Expression syntax error [ript src="^https://zt, Offset 35]

     

    I tried several things but I cannot get it working. Could someone help me with this?

     

    Thanks!

     

    Gijs.
