Posts posted by Sanjith Abraham1709153204

  1. Here is a way to see which client IP is trying to connect using which SSL version:

     

    1) Create a logaction:

    add audit messageaction TLS_logging ERROR "\"Client: \"+CLIENT.IP.SRC+\" using \"+CLIENT.SSL.VERSION" -logtoNewnslog YES -bypassSafetyCheck YES

     

    2) Create a responder policy with the action NOOP (no action) and the log action as the one above:

    add responder policy TLS_version_loging true NOOP -logAction TLS_logging

     

    3) Bind it to the Vserver:

    bind lb vserver <VserverName> -policyName TLS_version_loging -priority 100 -gotoPriorityExpression END -type REQUEST

     

     

    This is going to send the syslogs; I see them in my Command Center in this form:

    default RESPONDER Message 577028 0 :  "Client: 1.2.3.2 using 771"

    default RESPONDER Message 576926 0 :  "Client: 1.2.3.2 using 769"

     

    Since the SSL version is shown as 771 & 769, I did some searching and found that they are the codes for TLS1.2 & TLS1.0 respectively.

    Here are the full SSL version codes:

     

    SSL_LIBRARY_VERSION_2=2
    SSL_LIBRARY_VERSION_3_0=768
    SSL_LIBRARY_VERSION_TLS_1_0=769
    SSL_LIBRARY_VERSION_TLS_1_1=770
    SSL_LIBRARY_VERSION_TLS_1_2=771
    SSL_LIBRARY_VERSION_TLS_1_3=772

     

     

    So basically on the Command Center (if you are using it) create a view in syslog with any 'Message' containing '769'.

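    As an added example (not from the original post), a small Python parser for syslog lines in the format shown above: it maps the numeric version to its name using the codes listed in the post and flags clients still negotiating anything below TLS 1.2 (that threshold is an assumption). The log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Version codes as listed in the post (SSL_LIBRARY_VERSION_*).
SSL_VERSION_NAMES = {2: "SSLv2", 768: "SSLv3", 769: "TLS1.0",
                     770: "TLS1.1", 771: "TLS1.2", 772: "TLS1.3"}

# Assumption: anything below TLS 1.2 (771) is treated as legacy and worth flagging.
LEGACY_BELOW = 771

# Matches the message body produced by the TLS_logging audit action.
LINE_RE = re.compile(r'"Client: (?P<ip>[0-9A-Fa-f.:]+) using (?P<code>\d+)"')


def parse_line(line):
    """Return (client_ip, code, version_name) or None for lines that are not ours."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return m.group("ip"), code, SSL_VERSION_NAMES.get(code, f"unknown({code})")


def summarize(lines):
    """Count (ip, version) pairs and collect the legacy versions seen per client."""
    counts = Counter()
    legacy = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, code, name = parsed
        counts[(ip, name)] += 1
        if code < LEGACY_BELOW:
            legacy[ip].add(name)
    return counts, {ip: sorted(names) for ip, names in legacy.items()}


# Constructed sample log, in the format the post shows from Command Center.
SAMPLE_LOG = [
    'default RESPONDER Message 577028 0 :  "Client: 1.2.3.2 using 771"',
    'default RESPONDER Message 576926 0 :  "Client: 1.2.3.2 using 769"',
    'default RESPONDER Message 576930 0 :  "Client: 10.0.0.9 using 768"',
    'default RESPONDER Message 576931 0 :  "Client: 10.0.0.9 using 771"',
    'default RESPONDER Message 576932 0 :  "Client: 10.0.0.9 using 771"',
    'default SSLLOG SSL_HANDSHAKE_SUCCESS 12345 0 : unrelated line',
]

if __name__ == "__main__":
    counts, legacy = summarize(SAMPLE_LOG)
    for (ip, name), n in sorted(counts.items()):
        print(f"{ip:15} {name:8} {n}")
    print("legacy clients:", legacy)
```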
  2. I customized the EULA on 10.1 by adding the code below after '<!-- Footer -->':

     

    <div id="copyrightfooter">
    <div style="position:absolute;top:475px;left:550px; width: 100%; margin:0 auto; height:20px;"><font color="white" size="2">
    <p id="copyrightFooterText">
    This system is to be used by Company name authorized users. Users expressly consent to monitoring for <br> administrative and security purposes. Evidence of any misuse will be cause for civil/criminal prosecution.</p>
    </font>
    </div>
    </div>

  3. Hi Marc,

     

    Good to know you made progress. The expressions you are using are only meant for the request part. Since only the traffic policy is getting hit in the request flow, the way to make that redirect work is by modifying the response of the backend server.

     

    Since you have created a logout page, you may want to add this into the HTML file:

    <META HTTP-EQUIV="refresh" CONTENT="60;URL=https://appname.domainname.com/">

     

    Here CONTENT is the number of seconds before it refreshes the page with the URL specified.

  4. So if I understand the flow correctly, the traffic policy is hit first and it clears the session, and the HTTP request is sent to the backend server; since there is no page at /logout, the response from the backend server is a 404 Not Found.

     

    If my above assumption is true, then you will have to create a rewrite policy that will look for www.website.com/Logout in the "response body" (not the request) and then replace the HTTP response with a 302 redirect.

  5. Hi Tim,

     

    Might be a similar issue as mentioned in the release notes of 10.1 129.11:

    Issue ID 488015: If the hostname that sends an incoming request does not match the domain configured on the authentication virtual server, the NetScaler ADC returns an HTTP 500 error. As a workaround, configure an authentication profile and include the hostname.

  6. Hi Tim,

     

    Receiving ' iwagent.c[1107]:main EV_DEBUG: handle time out ' is normal when using aaad.debug.

    And based on the line " /usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1466]:send_accept sending accept to kernel for : timhsending accept to kernel for timh "

    it looks like user 'timh' is verified by the LDAP server. That means the user is now provided with an auth cookie "NSC_AAAC" and the site URL to which it should return to get the published applications.

    Questions for you:

    - What is the URL at which you get the 500 server error?

    - Is the NetScaler's SNIP able to communicate with the backend StoreFront / Web Interface servers on the ports you configured?

  7. Possible reasons:

    1) If you have a firewall in between these servers which is patched with a "POODLE SSLv3 block", it's possible that the packets are dropped on the firewall when the NetScaler uses SSLv3 for the SSL handshake. Better to disable SSLv3 on the services, forcing the service monitors onto TLSv1.

     

    2) The backend servers' resources are over-consumed, and they are rejecting some SSL connections.

     

    3) The backend servers have multiple interfaces, and some return traffic is not routed back to the NetScaler as it is taking a different interface and looping in your network.

  8. When the user clicks on the application, Citrix Receiver initiates a new SSL connection to the AGEE Vserver and, using this connection, it sends the ICA traffic over the SSL connection.

    When Receiver is initiating the connection it verifies whether the cert is valid; for that it looks for the intermediate cert and root cert in the user's trusted certificate folder. When it is not able to build a trusted chain, it might generate this type of error.

    To verify if it's something on the client machine, enable Receiver logging (http://support.citrix.com/article/CTX134101) and go through the log file to identify the point where it fails.

  9. It's with your client machine, as it doesn't have the intermediate cert "DigiCert SHA2 Secure Server CA" in its trusted store.

    1) Link the intermediate cert with the server cert on the NetScaler.

    2) Import this intermediate cert to your client machine in its trusted certificate folder.

  10. If you want the users to see the error as '503 Service Unavailable' with the HTML page, I suggest you edit the .html page and insert a line with this error code. This will let you show the user your custom page and the desired error code.

    No user will validate whether the actual status code is '200 OK' or '503 Service Unavailable', since these error codes will be in the HTTP header 'status code' and won't show up on the page which the client will be viewing.

     

    If you want the NetScaler to send the 503 error you can kill the httpd daemon, but then you won't be able to display the .html page with it, and this will cause other services (GUI, VPN GUI) of the NetScaler to fail also (complete disaster) :) .

  11. In this case you will have to create a new rewrite policy to modify the server's response, by adding /aaa at the start of the URL.

    But to make such a policy you should identify the factor on which the NetScaler will take this decision, i.e. how the NetScaler will identify whether this response should be rewritten with /aaa or with /bbb.

  12. Based on the packet flow, the client's request will reach the CS Vserver, which will send it to one of the LB Vservers (based on your policy to check /aaa), so if you apply a rewrite on this LB Vserver (which will load-balance the request to the backend server) then the backend server will not see /aaa in the URL path.

     

    The action you tried previously will give 'invalid argument' because you should be selecting the target, which can only be a URL, header etc.; you can't go beyond that, is what I found.

     

    I tried one action which might work for you:

    add rewrite action t replace HTTP.REQ.URL "\"/\"+HTTP.REQ.URL.PATH_AND_QUERY.STRIP_START_CHARS(\"/aaa/\")" -bypassSafetyCheck YES

     

    This will strip the /aaa/ and will keep the rest of the URL intact; I have to add / at the beginning to compensate for the / I am stripping.

    This will remove /aaa completely; even if you have a URL starting with /aaas/anything it will remove the aaa and the result will be /s/anything.

     

    Will post the evaluation for reference.

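    As an added illustration (not from the post and not NetScaler code), a Python model of the behaviour the post describes: STRIP_START_CHARS stripping every leading character from the set {/, a}, which is what turns /aaas/anything into /s/anything, beside an exact-prefix removal (an assumption about the intended behaviour) that leaves such paths alone. The character-set semantics are inferred from the post's own observation; the URLs are constructed.

```python
def strip_start_chars(s, chars):
    """Model of STRIP_START_CHARS as the post observes it: drop every leading
    character that is a member of `chars`, not the literal string `chars`."""
    i = 0
    while i < len(s) and s[i] in chars:
        i += 1
    return s[i:]


def rewrite_as_posted(path_and_query):
    """The posted action: "/" + PATH_AND_QUERY.STRIP_START_CHARS("/aaa/")."""
    return "/" + strip_start_chars(path_and_query, "/aaa/")


def rewrite_exact_prefix(path_and_query, prefix="/aaa/"):
    """Alternative (assumption, not NetScaler syntax): remove only the literal prefix,
    and leave any URL that does not start with it untouched."""
    if path_and_query.startswith(prefix):
        return "/" + path_and_query[len(prefix):]
    return path_and_query


# Constructed request URLs; the first two show that any path segment starting
# with 'a' after /aaa/ is also eaten, the third is the case the post mentions.
SAMPLE_URLS = ["/aaa/app/index.html?x=1", "/aaa/admin/", "/aaas/anything", "/bbb/app"]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:26} posted -> {rewrite_as_posted(url):22} exact -> {rewrite_exact_prefix(url)}")
```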
  13. Hi David,

     

    For your request, what do you want to accomplish? Do you want the request going to the backend server to be rewritten to /SomePath/SomeOtherPath/ after removing /aaa? Or do you want the response from the backend server to be rewritten before sending it to the client?

     

    Here is the packet flow diagram of the NetScaler illustrating which process (rewrite, responder, etc.) will get applied when the packet enters the NetScaler from the client end and leaves toward the backend server, and also the return path. Based on this you can identify which method should be good for you. http://support.citrix.com/servlet/KbServlet/download/32455-102-691592/CTX135254%20-%20Netscaler%20-%2010.0%20Packet%20Flow.pdf
