Manoj Rana
Posts posted by Manoj Rana
-
40 minutes ago, Johannes Norz said:
Hi Manoj,
I don't see why this should not work. It would be an SQL load balancer of the correct type (MS-SQL, MY-SQL or Oracle) on the internal NetScaler. On the DMZ NetScaler, it would be a vServer of the same type, pointing to the vServer on the internal NetScaler.
I have never seen something like that, as it's rather rare to see an SQL server being published on the internet. At least not for a reason (I found several SQL Servers on the internet, mostly MS-SQL servers, all of which had been there by mistake).
There is another method you could use, in case this does not work: Create a load balancer of Type TCP or even ANY on the DMZ NetScaler. This will just do a simple, stupid forward of all traffic to the internal NetScaler. The port number would be your SQL server's port number. In the case of ANY, you could set the port to *, however, in this case, you would have to filter traffic on the firewall. That way, the DMZ NetScaler would do nothing but stupid proxying of everything that comes in.
Thanks again Johannes. Much appreciated.
I am trying the second method as you suggested.
This is on the DMZ NetScaler, and on the other NetScaler I am using proper SQL vserver properties.
add lb vserver SQL-Test TCP 1.2.3.4 1433 -persistenceType NONE -cltTimeout 9000
add serviceGroup SQL-Test-LBServiceGroup TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
I have bound the server to the service group and the service group to the vserver.
However, there's an error message related to a pre-login handshake.
Default timeout 30 seconds
No timeout
Thanks
Manoj
-
Thanks Johannes.
If there is no way to secure the TCP load balancer, I think SSL_TCP is better than just TCP. I will try and give it a go.
Also, I want to know if you know about SQL load balancing.
It doesn't work if it is behind the two VIPs, but if I remove one of the VIPs, it always works.
Do you know if this is expected behavior or am I missing something?
Thanks
Manoj
-
Hi All,
I have a load balancer configured to use a custom TCP port (5058). What steps do I need to take to secure this configuration?
Specifically:
- Should I create a TCP profile on the load balancer for this port? If so, what type of profile makes the most sense?
- How can I add the certificates, if possible?
- Are there any other profile settings or changes you would advise to make sure unauthorized access is prohibited and data on this port is encrypted in transit and at rest?
- Are there any other considerations around securing a custom TCP port on the load balancer that I should be aware of?
Please let me know if you have any recommendations or need additional details about my current configuration. My goal is to dial in the proper security controls for this custom integration while maintaining availability and load balancing functionality.
Thanks
Manoj
-
Hi all,
I am working on a project to configure access to the services hosted in AWS/Azure via our on-premises NetScaler. The goal is to allow the NetScaler to direct traffic to the AWS/Azure environment.
The setup would involve the applications and backend servers running in AWS/Azure with public IP addresses. Then we need to configure the on-premises NetScaler to send traffic to those AWS/Azure public IPs.
I wanted to check: how are others setting up the NetScaler integration and communication with Azure-hosted resources?
Thank you,
Manoj
-
Hi,
I'm curious to find out if anyone has encountered issues or is aware of any problems when using the script to create SSL entities and profiles with the .exe:
https://github.com/netscaler/default-ssl-profile-script#readme
Thanks
Manoj
-
Hi Carl,
It is replacing the ADFS Proxy.
Thanks
-
Hi All,
I've configured an ADFS proxy in the DMZ using SSL instead of SSL bridge. Additionally, I've set up load balancing (SSL_BRIDGE), with the DMZ VIP (SSL) pointing to SSL_BRIDGE. While this configuration is operational, there appears to be an issue where all traffic is being treated as internal. This is problematic because MFA is enabled for external users on ADFS, but it's not prompting for MFA challenges. Does anyone know how to fix this issue?
Manoj
-
Greetings everyone,
I have encountered an issue with Server 2022 logoff for a published desktop. Users are unable to log off cleanly as their sessions get stuck at the logoff screen, requiring me to perform a forceful logoff.
Upon their subsequent login, a new session is initiated, as is evident in the situation described.
Has anyone else experienced a similar issue?
Thank you.
-
Thanks Carl.
I wanted to know if something can be done by applying a rewrite policy or something similar.
Web Authentication Action in NetScaler
Thanks
-
Hi,
I currently employ a Tomcat-based load balancer through NetScaler for my application. However, I've discovered a potential security concern. When users enter their usernames and passwords, I noticed that Fiddler, while using the JSON tab, exposes this sensitive information, like username and password, in plain text. I'm concerned about the risk of data interception and unauthorized access.
To address this issue, I want to explore whether NetScaler can enhance the protection of this sensitive information. I'm looking for solutions that can ensure encrypted transmission of user credentials between clients and the application servers.
Thanks
Manoj
-
Hi All,
I am trying to use a rewrite policy and action to replace the first part of the URL and keep the last part: http://example:9080/forms/anon/org/app/ to https://newexample.fqdn.com/apps/secure/org/app, keeping everything after.
Old URL : http://example:9080/forms/anon/org/app/b006aa54-1737-43c9-8a03-a2cb0be9113c/launch/index.html?form=F_StudyLeave&id=6c29a26d-960d-4b88-8803-a664d723a312
NEW URL: https://newexample.fqdn.com/apps/secure/org/app/secure/org/app/b006aa54-1737-43c9-8a03-a2cb0be9113c/launch/index.html?form=F_StudyLeave&id=6c29a26d-960d-4b88-8803-a664d723a312
Actions
Expression: HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE)
Expression: HTTP.REQ.URL.REPLACE("^http://example:9080/forms/anon/org/app/(.*)", "https://newexample.fqdn.com/apps/secure/org/app/$1")
Policies
Expression: HTTP.REQ.URL.STARTSWITH("/forms/anon/org/app/")
It is not working. Can anyone let me know any other way to achieve this?
Thanks
Manoj
-
Thanks Jeff.
If that setting is set on the LDAP server, load balancing itself should also not work.
When trying to access via the load balancer it is working fine.
Thanks
-
Thanks Jeff.
Is that a hard certificate verification check on the LB? I am not seeing any option to change this.
Thanks
Manoj
-
Hi,
I have encountered an issue while attempting to connect ldp.exe to a GSLB (Global Server Load Balancing) setup for LDAPS on SSL_TCP. The GSLB configuration is similar to the load balancer server's SSL_TCP on port 636. However, when I try to establish the connection, I receive the following error message:
ld = ldap_sslinit("laps.abc.com", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to laps.abc.com.
Interestingly, when I attempt to connect directly to the load balancer's single site IP, everything appears to be functioning correctly. I'm uncertain as to what may be missing or misconfigured on the GSLB side.
I would appreciate any advice or guidance you can provide.
Thanks
Manoj
-
Thanks, I will add 389 and test.
-
Hi,
I have a client who has specific requirements for their application. They want to use LDAPS on port 636, but their application also needs access to port 389 (CLDAP, UDP 389) for health checking purposes. The application uses ping to monitor the service.
I would like to know how I can configure the load balancer to accommodate LDAPS on port 636 while allowing pings to port 389 simultaneously.
Thank you,
Manoj
-
Hi,
Have you tried this?
Delete the ICA files from system TEMP folders before launching the app.
C:\Users\<username>\AppData\Local\Temp
C:\Users\<username>\AppData\Local\Microsoft\Windows\INetCache\ (Windows8 / 10)
C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 (Windows7)
Ref:
https://support.citrix.com/article/CTX227354
Thanks
Manoj
-
Hi,
The message you mentioned, regarding the "NSAPI_FLUSHONEARP" command, is indeed related to flushing the Address Resolution Protocol (ARP) cache entry for a specific IP address. ARP is responsible for mapping IP addresses to MAC addresses within a local network. Flushing an ARP entry can be beneficial when encountering network connectivity issues, as it helps ensure that the ARP cache remains up to date.
However, based on the limited information provided, it is difficult to determine the specific context or issue you are facing. It would be helpful to have additional details about the problem you are experiencing. Could you please provide any specific error messages, system logs, or any other relevant information related to the issue?
Thanks
Manoj
-
Hi,
You can reuse the same CSR and private key for certificate renewals. However, it's always a good practice to check with your specific CA or certificate provider to ensure their renewal process aligns with this approach.
Thanks
Manoj
-
Hi,
Verify that the display settings are configured correctly for dual monitors. Make sure they are the same for both monitors.
Thanks
Manoj
-
Thanks Carl.
I wanted to thank you for your assistance. I have managed to identify the issue.
The problem was related to the GSLB (Global Server Load Balancing) services. Initially, we had only configured subdomain DNS entries. However, after adding the main domain DNS name, the services are now functioning correctly.
Thank you again.
Best regards
Manoj
-
Hi All,
I have several GSLB services set up on the NetScaler, and I want to configure the NetScaler itself as a forwarder for requests from external users. However, when I run the command "nslookup abc.abc.com NetScaler_ADNSIP", I'm not receiving any response. Can you provide guidance on how to configure this correctly? I have set up according to this link
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for abc.abc.com
Thanks
Manoj
-
Upon inspecting each folder within the profile, it appears that they are all empty.
Securing Custom LB Port Configuration
in Core ADC use cases
Thanks Joh.
Just like to share that, after playing with the settings, I managed to get this working.
This is what I needed to set up in my case, and it is all working.
Thanks for your help.
Manoj