Johannes Norz

Posts posted by Johannes Norz

  1. I don't really know what a Mac is (and I refuse to do), but as far as I can see, the client is unable to create a config file.

    On 3/18/2024 at 1:23 AM, M Web said:

    [Mar 15, 2024 at 10:55:05 AM GMT+10:30] <Error>: Failed to create config dictionary.  Error = Error Domain=NSCocoaErrorDomain Code=3840 "Unescaped control character around line 1, column 423." UserInfo={NSDebugDescription=Unescaped control character around line 1, column 423., NSJSONSerializationErrorIndex=423}

    So the client can't create the directory needed to store the config file.

    On 3/18/2024 at 1:23 AM, M Web said:

    [Mar 15, 2024 at 10:55:05 AM GMT+10:30] <Error>: Failed to parseConfig data.
    [Mar 15, 2024 at 10:55:05 AM GMT+10:30] <Error>: Error parsing configuration.

    These ones don't surprise me: No config directory, no config data.

    As far as I understand, MacOS seems to be just a custom shell for BSD, and BSD is UNIX. I guess, the user who installed this client does not have the right to create a subdirectory in the desired location (following UNIX best practices, this should be /etc).

  2. Well, the Source IP (SIP) mode is the right choice. However, the problem with SIP mode is that the NetScaler uses the client IP. So it sends a TCP SYN packet from the client IP to the backend, and the backend server sends SYN/ACK to the "real" client. This packet comes as a surprise to the client and is therefore discarded.

    There are only two ways to work around the problem:

    • The NetScaler and the mail server are in the same subnet; then you can, as mentioned, enter the NetScaler as the default gateway on the mail server (which has the disadvantage that the NetScaler must have licensed all traffic that the mail server must do to the Internet; this includes updates).
    • And perhaps better: The components between NetScaler and mail server (switches, routers) must support Policy Based Routing (PBR). Then only the traffic that was initiated from the NetScaler runs via the NetScaler. If the device is a Cisco device, PBR can be programmed very quickly and easily via RISE Integration.

  3. On 3/19/2024 at 11:29 AM, Jeff Riechers said:

     F5 can do iRules for routing Citrix traffic, but that also is not supported.

    F5 won't solve his problem, rather the opposite would be true: He wants to get rid of costly components, not replace a very expensive one with an extremely expensive one 😂

  4. Even though nspepi is a good tool, I would do a snapshot and examine the current configuration (i.e. which policies exist, where they are bound to and some more things like that). I would strongly recommend following Amin's suggestion to do a snapshot first. Even more: I'd clone this snapshot, move it into a different network (to avoid IP address conflicts, most hypervisors support host-only networks) and do the upgrade there. Make sure the MAC address of the first network card is the same as on the original VM, or you won't be licensed.

  5. I used source IP persistence for StoreFront (following Citrix leading practices). Now I found out that persistence sessions get created, but they time out even if a user is busy.

    Before upgrading to 14.1, all entries in the persistence table were extended when the user did something. I want this behaviour back, as users tend to work for 8-10 hours daily, and not just for 30 minutes.

  6. Until NS 14.1 build 8.50, disabled features had been marked as disabled in the NS GUI. That had been a good feature. Unfortunately, it vanished in 14.1 12.30 and did not return in 14.1 17.38. That's a bloody mess, as 1) we are used to it, and 2) it's been a rather handy feature.

    In short, I want this feature back!

  7. Manoj, you will probably need persistence. To prove it, you could shut down all services but one. I am pretty sure this would do the trick.

    The problem with persistence: Source IP won't work, as the source IP will always be the SNIP of the DMZ-side NetScaler. So you would probably need to change to Source-IP mode, with all the difficulties SIP mode brings (asymmetric routing, ...)

  8. 18 minutes ago, Manoj Rana said:

    Also, I want to know if you know about SQL load balancing.

    It doesn't work if it is behind the 2 VIPs. But if I remove one of the VIPs, it always works.

    Do you know if this is expected behavior or am I missing something?

    Thanks

    Manoj

    Hi Manoj,

    I don't see why this should not work. It would be an SQL load balancer of the correct type (MS-SQL, MySQL or Oracle) on the internal NetScaler. On the DMZ NetScaler, it would be a vServer of the same type, pointing to the vServer on the internal NetScaler.

    I have never seen something like that, as it's rather rare to see an SQL server being published on the internet. At least not for a reason (I found several SQL servers on the internet, mostly MS-SQL servers, all of which had been there by mistake).

    There is another method you could use, in case this does not work: Create a load balancer of type TCP or even ANY on the DMZ NetScaler. This will just do a simple, stupid forward of all traffic to the internal NetScaler. The port number would be your SQL server's port number. In the case of ANY, you could set the port to *; however, in this case, you would have to filter traffic on the firewall. That way, the DMZ NetScaler would do nothing but stupid proxying of everything that comes in.

  9. On 1/3/2024 at 5:21 PM, Felipe Ruiz1709162764 said:

    Hi people,

    We are in the process of replacing an nginx haproxy with NetScaler, but we are facing problems with one web application that uses SSL on the front-end and on the back-end. The web application runs in a container on OpenShift. When routing the traffic through the NS, the app returns an HTTP 503 error. When comparing network traces between nginx and NS traffic, we see no differences in the SSL handshake nor in the HTTP headers. Layers 3 and 4 also show no problems at all.

    When looking at the nginx config, we found a parameter that is currently enabled, but when disabled it produces the same HTTP 503 error. The parameter is "proxy_ssl_server_name" and is set to "on". Then there's another one, "proxy_ssl_name", set to the hostname of the web application.

    Does anybody know what would be the equivalent configuration in NetScaler?

    It's just a guess. Probably, the server header in the HTTP request is wrong? 503 is service unavailable, and this could be the case if the server name from outside is different from the server name configured on the webserver.

    In that case, you could create 2 rewrite policies, one to delete the server header, and one to set it to the correct value.

  10. On 1/10/2024 at 8:10 AM, Manoj Rana said:

    Hi All,

    I have a load balancer configured to use a custom TCP port (5058). What steps do I need to take to secure this configuration?

    Specifically:

    There is no way to secure a TCP load balancer.

    Are you thinking about SSL offloading? In that case you would need an SSL_TCP load balancer. You may bind certificates there. Services would be SSL_TCP as well.

  11. Well, these are not GET but POST messages. That's a very different piece of cake, and it makes sense to me. Never mix up GET and POST! (see https://www.rfc-editor.org/rfc/rfc9110.html#name-method-definitions)

    I have double-checked your expressions, and they evaluate 1 and 2.

    HTTP.REQ.BODY(500).AFTER_STR("PEM1=").BEFORE_STR("&").EQ("2")
    returns false

    HTTP.REQ.BODY(500).AFTER_STR("PEM2=").BEFORE_STR("%%").EQ("1")
    returns false

    HTTP.REQ.BODY(500).AFTER_STR("PEM1=").BEFORE_STR("&").EQ(HTTP.REQ.BODY(500).AFTER_STR("PEM2=").BEFORE_STR("%%"))
    returns true

    I can't help.

  12. I just saw this is an HTTP GET? A GET containing a body is quite unusual. Server semantics for GET, however, are restricted such that a body, if any, has no semantic meaning to the request. The requirements on parsing are separate from the requirements on method semantics. So, yes, you can send a body with GET, and no, it is never useful to do so.

    Probably that's why the policy fails. I didn't try to send an HTTP GET with content to my NetScaler, so I could not give it a try. Probably, both expressions are empty and therefore equal? Or both of them are not defined and therefore equal? I don't know.

  13. Bjoern, n-factor flows get bound to an AAA vServer by a policy. So the solution would be changing the expression from a simple true to something like HTTP.REQ.HOSTNAME.EQ("customer1.example.com")

    That way, you may use the same gateway for several customers and, at the same time, authenticate each one of them using a different n-factor flow. That makes things very handy to use for users and, at the same time, clearer for the admin.

    Of course, you could create just a single n-factor flow as well and start with a dropdown list. However, this would expose the list of your customers to users, and for the user it would mean he would have to select the right customer, an unnecessary overhead.

    Next, you would have to change the expressions of the session policies as well. They would be something like HTTP.REQ.HOSTNAME.EQ("customer1.example.com") && HTTP.REQ.HEADER("User-Agent").CONTAINS("Citrix Receiver").NOT

  14. On 12/18/2023 at 8:13 AM, Bril licenses said:

    Thanks for the reply. I will try that. However, my main concern now is that I have enabled the default profile and maybe it has overwritten my existing SSL profile parameters.

    This has affected the App/VDI connectivity from Windows clients also, even the light version.

    How can I revert that? As I mentioned, I checked the ns.conf file and I did not find the parameter.

    The "default SSL profile" can't be undone. It changes the way NetScaler handles SSL; undoing it would leave the box in an unstable state (believe me, I have tried for scientific reasons). It changes the way SSL ciphers get bound to vServers. If you undo this change (it's just a line in ns.conf), it will crash the box or in the best case make all SSL vServers unusable.

    "Default SSL profiles" are a great thing, and NetScaler will move to this in the near future, so we all have to go there. It leads to a more streamlined configuration. That's the reason why.

    If you want to undo this change, you would have to restore an old ns.conf file.

    I would rather address the problem with MacOS. The term is a bit misleading, as it's just BSD with a fancy shell. So it can adequately handle SSL. There are 2 reasons for the error message you get:

    1. It can't handle the SSL version desired (i.e. TLS 1.2, 1.3). If a box is unable to handle TLS 1.2, it's end of life. I would not go below TLS 1.2 anymore.
    2. It can't handle the cipher suites in use. You might read two of my blog articles about proper SSL handling: https://norz.at/?p=1314 (TLS 1.2) and https://norz.at/?p=1358 (TLS 1.3).

    In short, you will probably have to enable the right TLS version and bind decent SSL ciphers to the profile.

  15. I guess there is something wrong with your expressions.

    To debug, you could create a custom log entry like that (see here, if you don't know how: https://norz.at/?p=572):

    "Param 1: " + HTTP.REQ.BODY(500).AFTER_STR("PEM1=").BEFORE_STR("&") + " Param 2: " + HTTP.REQ.BODY(500).AFTER_STR("PEM2=").BEFORE_STR("%%")

    This would log these substrings into syslog. You might watch the output in real time by using # tail -F /var/log/ns.log | grep Param
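The two posts above (the three PEM1/PEM2 expressions and the "Param 1: ... Param 2: ..." log trick) can be checked offline with a small model of the expressions. This is an added example, not NetScaler code or the poster's own: it assumes that AFTER_STR and BEFORE_STR yield an empty string when the marker is absent, and the ns.log lines are constructed samples, not real output.

```python
"""Model of the NetScaler BODY/AFTER_STR/BEFORE_STR expressions from the posts.

ASSUMPTION: a missing marker makes AFTER_STR/BEFORE_STR yield "" (used to show
why the third expression can come out true on a request without a body)."""
import re


def after_str(text, marker):
    """Text following the first occurrence of marker; assumed "" if absent."""
    i = text.find(marker)
    return "" if i < 0 else text[i + len(marker):]


def before_str(text, marker):
    """Text preceding the first occurrence of marker; assumed "" if absent."""
    i = text.find(marker)
    return "" if i < 0 else text[:i]


def evaluate(body):
    """Apply the three policy expressions from post 11 to one request body."""
    head = body[:500]  # HTTP.REQ.BODY(500) looks at the first 500 bytes only
    pem1 = before_str(after_str(head, "PEM1="), "&")
    pem2 = before_str(after_str(head, "PEM2="), "%%")
    return {
        "pem1": pem1,
        "pem2": pem2,
        "pem1_eq_2": pem1 == "2",       # ...EQ("2")
        "pem2_eq_1": pem2 == "1",       # ...EQ("1")
        "pem1_eq_pem2": pem1 == pem2,   # ...EQ(<pem2 expression>)
    }


# Matches the message the custom log expression from post 15 would produce.
LOG_RE = re.compile(r'"Param 1: (?P<p1>[^ "]*) Param 2: (?P<p2>[^"]*)"')


def parse_param_log(lines):
    """Return (Param 1, Param 2) pairs from ns.log lines, like the grep would."""
    return [(m.group("p1"), m.group("p2")) for m in map(LOG_RE.search, lines) if m]


# Constructed sample lines; the syslog prefix is illustrative, not a real ns.log.
SAMPLE_LOG = [
    'Mar 20 10:00:01 <local0.info> 192.0.2.10 ns 0-PPE-0 : default RESPONDER Message 42 0 : "Param 1: 2 Param 2: 1"',
    'Mar 20 10:00:02 <local0.info> 192.0.2.10 ns 0-PPE-0 : default RESPONDER Message 43 0 : "Param 1:  Param 2: "',
]

if __name__ == "__main__":
    print(evaluate("PEM1=2&PEM2=1%%"))  # POST body: values extracted as intended
    print(evaluate(""))                 # GET without body: both "", hence equal
    print(parse_param_log(SAMPLE_LOG))
```

The empty-body case reproduces the pattern reported in post 11 (first two expressions false, third true) under the stated assumption, which is the hypothesis raised in post 12.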

  16. 2 hours ago, Carl Stalhood1709151912 said:

    Edit the Login Schema. Click More. There's a checkbox for Enable Single Sign On Credentials.

    Thanks, Carl, it had not been exactly what I had been looking for, but it had been helpful: I didn't know about these "hidden" attributes. This one would have been right in case I use several dialogues. But it brought me to the right article: https://support.citrix.com/article/CTX219481/sso-fails-when-nfactor-is-used-adc. Using the "credential index" in a traffic policy solved my problem.

  17. On 11/22/2023 at 1:25 PM, Jeff Riechers1709152667 said:

    It depends on what the policy is doing. They usually will block it out so that you don't have 2 VIPs looking for the same hostname.

    Oh. In the days of old, I had an HTTP and an SSL vServer with equivalent hostnames quite often (that's why we needed persistence groups). It used to be normal. Nowadays this setup is less popular.

  18. Well, you are right, you should not use

    On 11/13/2023 at 9:48 AM, Jarno Nousiainen said:

    "ERROR: Multiple Bind not supported for Content Switching Advanced policies without action"

    classic policies anymore! But look at the error message. What does it say? It talks about cs-policies without action. I consider cs-policies without action to be outdated. Create a cs-action, bind it to the policy, and you may bind this policy to any cs-vserver you like. I just gave it a try.

    However, a cs-policy with an action can't invoke a cs-policy label. So you have to create separate dummy policies for each cs-vserver.
