
Marcelo Oguma de Souza1709152865


Posts posted by Marcelo Oguma de Souza1709152865

  1. The RTT is measured against the DNS server that the user is using. So, if your user in the US has configured in his/her device a DNS server in UK, that server is the one that will send the DNS query to NetScaler GSLB, thus the NetScaler will think the user is in UK and respond with the IP address of the UK datacenter (lowest RTT).

    I suggest you check which DNS server the user has configured.

     

    Hope it helps.

  2. On 1/31/2024 at 7:54 PM, Fabian Hässelbarth said:

    Our SNIP can reach the Exchange servers, but is in fact located in a different network.

    For MAC-based redirection to work, you have to configure SNIPs in the same subnet as the backend servers, because the NetScaler needs to discover the MAC address of each server. Without being in the same layer 2 network that is not possible.

     

    If you want Exchange to receive the real client IP for purposes of allowing/denying specific IPs to use SMTP relay, you can do that with a Responder policy in the NetScaler. And if the Exchange team want to have the connection logs, you can create a log policy and send via syslog to an external server.

  3. Hi,

    BOT policies are processed before WAF.

    The point where you bind a policy (default global, virtual server, etc.) only matters (regarding order of processing) for policies of the same type (e.g. a WAF policy bound to the virtual server takes precedence over a WAF policy bound to default global).

    Please see the NetScaler packet flow in this documentation: https://docs.netscaler.com/en-us/citrix-adc/current-release/getting-started-with-citrix-adc.html

    This page explains the order of processing of different bind points: https://docs.netscaler.com/en-us/citrix-adc/current-release/appexpert/policies-and-expressions/configure-advanced-policy-expressions/bind-policies-using-advanced-policy.html#bind-points-and-order-of-evaluation

     

    Hope it helps.

    • Like 1
  4. The newnslog files store logs, events, and statistics from the many internal counters. If you don't need this historic information, it is safe to delete them.

    Looking at your list of files, it looks like the most recent is from Nov 24 12:54 and it is compressed, which makes me think that somehow you solved the automatic compressing issue (maybe you fixed a problem in the nslog.nextzip file?).

    On the tar command to compress the folder you need to put a ./ (dot and slash) before the folder name (or the full path), like this:
    tar -czf newnslog.13.tar.gz ./newnslog.13

    It will not remove the folder automatically, just create a compressed file of the folder contents. After that you have to manually delete each folder.

     

    Hope it helps,

    Marcelo Oguma

    • Like 1
  5. On 8/30/2023 at 11:08 PM, Jonathan Sultzer said:

    I am responsible for our citrix environment as a past admin no longer works with me.  To my knowledge and with netscaler historical records going back 4 years, we have never had a gateway configured.  Somehow, external access to published applications and desktops between 3 domains hosted on a single domains storefront was in production.  Netscaler is configured for load balancing and has 2 storefront servers.  1 of those 2 storefront servers went down due to a guest OS issue and now all external access has stopped.  Has anyone ever seen this kind of multi-domain setup bypassing the need for a gateway?   This has actually perplexed engineers during support calls as a gateway is needed. 

     

    One way for external users to access StoreFront directly without a NetScaler Gateway is to use a VPN connection. Isn't that your case?

  6. 20 hours ago, Andrew Pilgrim said:

    I am sorry this is a bit generic but for now it's a simple question. Has anyone successfully got a softphone application to actually work via the Netscalers?

    We have been asked to load balance our internal servicedesk phone system and i am running into issues because it has an integrated softphone feature.

    I have got the basic load balancing of the web client sorted using HTTPS but I am running into problems trying to get the softphone integration working. I know this uses the UDP protocol but I cannot get it to work.

    I have tried setting up the virtual server as UDP protocol with ANY port allowed and tried that with both a Service group made up of the 2 physical servers as well as individual services for each server, again set up to allow ANY port, and it just does not work. The messages I keep getting suggest that something is blocking the ports but I cannot figure out what that could be.

    So yeah, for now the question is simply one of has anyone successfully got servers running a telephony application that has a softphone integration working and load balanced? And if so would you be able to offer some insight into how you got the softphone bit working please?

    Thanks

     

    I would expect the IP telephony vendor to list what is required from the load balancing configuration (doesn't have to be specific NetScaler configuration, just general LB requirements). Perhaps it uses the SIP protocol or requires some specific type of persistence, etc.

     

    Hope it helps.

  7. 20 hours ago, Davide Bono said:

    Hello,

    I am trying to create a globally bound policy to restrict access to a specific URL on all our websites (/Admin)

    I have a couple of questions:


    - could this policy expression work for the purpose?     

    HTTP.REQ.URL.PATH.GET(1).EQ(\"Admin\")     

    or    http.req.url.path.get(1).set_text_mode(ignorecase).eq("admin")  

     

    The action would be DROP 

     

     

     

    - if I bind the policy globally, will this override/delete all the policies that already exist on the virtual servers?

     

    Thank you in advance

     

    Yes, your expression should work. I would go with the second option (ignorecase).

    It will not delete existing vserver policies. If you bind as global override it will take precedence over vserver level policies (be processed before). If you bind simply as global (not override) the vserver level policies will be processed first.

     

    Hope it helps.

    • Like 1
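    As an added example (not from the original posts or from NetScaler itself), a Python model of the policy evaluation described in posts 3 and 7: the two expressions from the question, the difference the IGNORECASE text mode makes, and the override global / virtual server / default global ordering. The bind-point order, first-match-stops and PATH.GET(1)-is-first-segment semantics are assumptions taken from the thread, not NetScaler's implementation.

```python
"""Added example, not NetScaler code: a Python model of the Responder policy
evaluation discussed in posts 3 and 7. Assumed semantics: bind points run
override global -> virtual server -> default global, lower priority number
first within a bind point, evaluation stops at the first match (as with
-gotoPriorityExpression END), and PATH.GET(1) is the first path segment."""
from collections import namedtuple
from urllib.parse import urlsplit

BIND_ORDER = ("override_global", "vserver", "default_global")
# name, bind point, priority (lower runs first), rule(url) -> bool, action
Policy = namedtuple("Policy", "name bind priority rule action")

def path_get(url, n):
    """Mimic HTTP.REQ.URL.PATH.GET(n): n-th path segment (1-based), '' if absent."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return segments[n - 1] if 0 < n <= len(segments) else ""

def admin_rule(ignorecase):
    """PATH.GET(1).EQ("Admin"), optionally with SET_TEXT_MODE(IGNORECASE)."""
    def rule(url):
        seg = path_get(url, 1)
        return seg.lower() == "admin" if ignorecase else seg == "Admin"
    return rule

def evaluate(url, policies):
    """Action of the first matching policy in bind-point order, or 'NO_MATCH'
    when no rule matched and the request proceeds untouched."""
    ordered = sorted(policies, key=lambda p: (BIND_ORDER.index(p.bind), p.priority))
    for p in ordered:
        if p.rule(url):
            return f"{p.name}:{p.action}"
    return "NO_MATCH"

def demo():
    """Constructed requests against both expressions and all three bind points."""
    cs = [Policy("block_Admin", "default_global", 100, admin_rule(False), "DROP")]
    ci = [Policy("block_admin", "default_global", 100, admin_rule(True), "DROP")]
    vsrv = Policy("vsrv_any", "vserver", 100, lambda u: True, "NOOP")
    ovr = Policy("block_admin_ovr", "override_global", 100, admin_rule(True), "DROP")
    return {
        "cs /Admin": evaluate("/Admin", cs),                        # block_Admin:DROP
        "cs /admin/login": evaluate("/admin/login", cs),            # NO_MATCH: case bypass
        "ci /ADMIN/login": evaluate("/ADMIN/login", ci),            # block_admin:DROP
        "ci /Administrator": evaluate("/Administrator", ci),        # NO_MATCH: EQ, not CONTAINS
        "ci /x/Admin": evaluate("/x/Admin", ci),                    # NO_MATCH: segment 1 only
        "default after vserver": evaluate("/admin", ci + [vsrv]),   # vsrv_any:NOOP
        "override before vserver": evaluate("/admin", [ovr, vsrv]),  # block_admin_ovr:DROP
    }
```

    Run `demo()` to see that only the IGNORECASE variant blocks `/admin/login`, and that a matching virtual-server policy shadows a default-global one while an override-global one runs first.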
  8. 17 hours ago, Chris Condon said:

    What we'd like to do is set up the Netscalers so that if someone goes to oldfarm.mycompany.com the Netscaler sends them to the old farm Storefront, and if they go to newfarm.mycompany.com they are sent to the new Storefront.
     

    Hello Chris, if you want to maintain access to your oldfarm AND newfarm FQDNs, then you need to configure different session policies for each FQDN. To match each policy you would have to check the hostname being requested by the users with something like HTTP.REQ.HOSTNAME.EQ("oldfarm.mycompany.com") or HTTP.REQ.HEADER("Host").EQ("oldfarm.mycompany.com"); these two are equivalent. Then each session policy will point to the corresponding StoreFront servers' VIP (assuming you're load balancing the SFs).

    You can also use separate policies for your authentication policies, if necessary (if, for example, you have different domains for each farm), in a similar approach.

    This article has a similar discussion (just avoid using the old classic policy format, "REQ.HTTP" mentioned sometimes).

    https://discussions.citrix.com/topic/413141-different-url-same-gateway-different-storefront/

     

    Hope it helps.

    • Like 2
  9. 1 hour ago, Sam Snyder1709163558 said:

    TRUE && (HTTP.REQ.HEADER("User-Agent").SET_TEXT_MODE(IGNORECASE).CONTAINS("CitrixReceiver").NOT && HTTP.REQ.HEADER("Referer").EXISTS) && (CLIENT.SSL.CLIENT_CERT.SUBJECT.CONTAINS("OU=ABC Corp") || CLIENT.SSL.CLIENT_CERT.SUBJECT.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"OU=Bob") && CLIENT.SSL.CLIENT_CERT.SUBJECT.CONTAINS("C=BobA"))

     

    The expression evaluator gives the error "Invalid expression [SSL/SSLVPN expression %26 CLIENT.SSL.CLIENT_CERT]" on this statement. Doing some research, it seems that this error is given for the statement "... (CLIENT.SSL.CLIENT_CERT.SUBJECT.CONTAINS("OU=ABC Corp")..." (as well as the other statements used to verify the certificate).

     

    Is it no longer possible to check the presented certificate's Subject in a policy?

     

    There's an extra backslash in (\"OU=Bob") that is not necessary if you're configuring from the GUI.

    As for the expression evaluator error, I think it doesn't support evaluating SSL expressions like the client cert.

    And I'm wondering why you have the initial "TRUE" at the beginning of the expression, in theory it's not doing anything.

     

    Hope it helps.

  10. 7 minutes ago, Giovanni Molito said:

    Many Thanks!

    One last question please.

    Upgrading to 13.1, could I have any issue with Storefront v.19.12cu2?

    Here https://docs.citrix.com/en-us/storefront/1912-ltsr/system-requirements.html seems YES

    but here https://docs.citrix.com/en-us/citrix-gateway/current-release/citrix-prod-compatibility.html NO

    Thank you again

    NetScaler 13.1 is compatible with Storefront v.19.12cu2, no issues there.
    I think the first link has outdated information, thanks for spotting that. I'll ask the documentation team to update it.

  11. I would also try disabling the cache in NetScaler Gateway vserver (it is enabled by default even if you have the Integrated Caching feature disabled).

    You can do this by adding a NOCACHE policy with highest priority (lower number, priority=1 for example) and rule=true, to your Gateway vservers.

    Do this a few days before trying the upgrade, to make sure cache on clients is cleared. Then after a successful upgrade you can remove this policy again after some days to re-enable caching.

    Note: with caching disabled, per-user traffic might increase a bit during login; if your links are close to saturation, I recommend watching it closely.

     

    This article has a step-by-step guide (although it was written for a much older firmware, the process to disable cache is still valid):

    https://www.jasonsamuel.com/2016/09/13/fixing-the-citrix-netscaler-gateway-blank-page-issue-when-upgrading-from-11-0-to-11-1/

    Both 13.0 and 13.1 support both VMWare 6.7 and 7.0, so from the NetScaler perspective it doesn't matter much which one you upgrade first.

    https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/supported-hypervisors-features-limitations.html

     

    If you have other VMs sharing the same physical host, I think it makes sense to upgrade the NetScaler first, to start with the simplest change, as upgrading the hypervisor would impact all the VMs at the same time.

  13. 11 hours ago, Michael Medwid1709162093 said:

    I would like to have the Citrix ADC VPX accept a connection from internal users and then have that traffic forwarded to an external http/https web site. 
    When that traffic egresses our network I want that source IP address to be from our data center and not the original IP address of the client.
    Is this possible?

    Yes, you can use the SSL Forward Proxy feature, either transparent or explicit.

    https://docs.citrix.com/en-us/citrix-adc/current-release/forward-proxy.html

    Or if it's just for one single web site, then you can potentially set up a simple LB vserver (HTTP and/or SSL_BRIDGE), point the services to the public IP of the web site (note, the IPs of the site might change from time to time; or use domain-based services for dynamic name-to-IP resolution, but resolving at an external DNS) and configure the user localhost file (or your internal DNS, assuming the client is pointing to your internal DNS) to resolve the FQDN to the VIP. Not a very elegant solution, but depending on what you need, it might be good enough.

  14. 2 hours ago, dirk kotte said:

    Hi all,
    we configured a new MPX with "STAYPRIMARY" and the other device with "STAYSECONDARY".
    But after activating HA from Node1-GUI both show Node1 & Node2 as "Secondary".

    The Node2 was previously used for testing. All configurations should be lost/cleared.
    What could be wrong? Some ideas?

    THX Dirk


     

    Did you enable the failsafe mode?

    https://docs.citrix.com/en-us/citrix-adc/current-release/system/high-availability-introduction/configuring-fail-safe-high-availability.html

  15. Restoring an SDX backup to a different HW model is not supported.

    https://docs.citrix.com/en-us/sdx/current-release/configuring-management-service/backup-restore.html

    "Ensure that the platform variant on which the backup was taken is the same as on which you are trying to restore. Restoring the backup file between two different platform variants is not supported."

     

    You will have to configure the SVM settings and create the virtual instances manually, and after that you can use the approaches described in the links below to migrate each instance's configuration and files.

    https://docs.citrix.com/en-us/citrix-hardware-platforms/mpx/migrating-configuration-of-existing-appliance-to-another-appliance.html

    https://www.citrix.com/blogs/2020/06/03/lessons-from-the-field-citrix-adc-migrations/

    https://www.carlstalhood.com/migrate-citrix-adc-config-to-new-adc-appliances/

     

    Hope it helps.

  16. 14 hours ago, Felipe Ruiz1709162764 said:

     

    2023-01-23 17:59:40.024 | Tid: 08568 | ERROR   | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496
    2023-01-23 17:59:40.024 | Tid: 08568 | ERROR   | downloadEpaLib | 381 | Failed to verify downloaded EPA library

     

    Looks like the client is not able to properly download the EPA files.

    Try disabling the cache on the VPN vserver to make sure it is not a cache-related issue (cache is enabled by default on VPN vservers):

     

    add cache policy epa_nocache_pol -rule "HTTP.REQ.URL.CONTAINS(\"/win/epaPackage.exe\")" -action NOCACHE

    bind vpn vserver <vserver_name> -policy epa_nocache_pol -priority 1 -gotoPriorityExpression END -type REQUEST

  17. 11 hours ago, Zulhadi Zainal said:

    Hi All,

     

    Just want to ask. Anyone have an idea where the phone number records of all users registered for 2FA (token on manageOTP) are located when accessing Citrix ADC to go into the VDI? Appreciate your advice on this. Thanks

     

    Regards,

    Zulhadi

     

    If you are referring to using an SMS token as 2nd factor, the ADC gets the phone number from an Active Directory attribute (named "mobile" in the example from the documentation in the link below). It is not stored in any Citrix component.

    https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/web-authentication/sms-two-factor-authentication.html
