Tag: Citrix Page 2 of 3

Citrix ADC, User Certificate Authentication

Once again, a was struggling to get User Certificate Authentication to work, until I suddenly remembered why:

You cannot put your Certification Authentication Virtual Server behind a Content Switching Virtual Server.

You can, but then you must enable Client Authentication on the Content Switching Virtual Server, and as this often have a lot of other web sites configured all of them will have Client Authentication enabled.

The reason for this is that when you use Content Switching Virtual Server the SSL session is established to this and the you need Client Authentication configured here.

So, if you have a special web site that you need to protect with Client Authentication you need a direct accessible Authentication Virtual Server.

Let me show the configuration I ended up with:

Create an Authentication Virtual Server:

Bind your public certificate and your root ca certificate:

For test a use a local user account, but this is normal an Active Directory account:

Then add the Certificate Authentication policy:

You will end up with 2 primary authentication policies:

Change the SSL Parameters so that Client Authentication is enabled:

Now create the Load Balancing Virtual Server and enable Authentication on this:

That is, it, and when we test, we will get this.

When testing with a user that have no certificate the site will close the connection:

And testing with a user that have a certificate the user is prompted for the certificate to use:

After selected the certificate, the user is redirected to the Authentication Virtual Server for logon:

Conclusion:

You can use User certificates when protecting web sites with authentication. Just remember that the authentication virtual server can often not be behind a content switching server as this will enable user certification on all web site configured on the content switching server.

Citrix ADC, Developer monitor

Again, by a customer I was asked to deliver a solution to there Citrix ADC. The customer has a web server farm which is controlled and maintained by their web developers. There needed their web developers to control witch servers where active in the farm and witch there where in maintains mode.

The easy way is to create a login for the web developers for the Citrix ADC, but there where other system load balanced through the Citrix ADC, and the web developers may not change the configuration for the other systems. We could have created a partition on the Citrix ADC, but I came up with a custom monitor solution. The web developers agreed to put a file on the web servers, and I created a monitor the checked for the content of that file.

GUI:

CLI:

add lb monitor lb_mon_www HTTP-ECV -send "GET https://www.domain.dk/nodestatus.txt" -recv online -LRTM DISABLED -secure YES

If the “nodstatus.txt” return online, the monitor detects the web server as “up” and the load balancing will send traffic to the web server. If anything, else than online is received the monitor will set the web server as “down” and no traffic will be sent to it.

The web developers control the content of the nodestatus.txt file, and in that way, they can control which web servers receive request and which is not, and the developers have no login/access to the Citrix ADC.

Citrix ADC 12.1 (NetScaler ADC), New licensing

Expiration:

 

With the new version 12.1 Build 48.13, Citrix added information about license expiration date. This is nice when running a Trial or Demo license:

With that they added another change, if care reading their documentation:

From https://docs.citrix.com/en-us/netscaler/12-1/licensing/netscaler-licensing-overview.html:

“Upon license expiration, the Citrix ADC appliance automatically restarts to revoke the license. If Citrix ADC appliance uses Citrix service provider (CSP) licenses, the appliance does not restart automatically to revoke the license. However, if the user restarts the appliance, it restarts as unlicensed.”

And trust me it will restart the NetScaler. As a consultant I offend use Trial versions for PoC. There where no problems in running beyond the expiration date if you did not restart the NetScaler. This is over now.

 

Express vs. Freemium:

 

Some time a go the Express version was replaced with the Freemium license. The Express license need to be updated every year because of the 1-year expiration. The Freemium have no expiration date, but it has not the Access Gateway feature.

This is a problem as the Express version was for very small customers with a replace for their old Citrix Secure Gateway (Yes, I am that old and have done a lot of installations of the Citrix Secure Gateway). So, what to customers running the Express version then do?

If we look at https://support.citrix.com/article/CTX121291 we find the answer:

Just update the NetScaler, and you will end up with an Express version with no expiration:

This must be done before the expiration of the old Express license, because if you restart the NetScaler with an expired license all features are disabled.

 

Conclusion:

 

Changes are made, so read the documentation. Get out there and upgrade the Express installations to version 12.1.

 

Citrix NetScaler, Custom logging

We, my college and I, where doing a XenMobile installation at a customer, which had a strict logging policy. The users where allow internet access through Secure Web App in XenMobile.

All internet traffic had to go out of the company Firewall, for security reasons. When doing this the NetScaler SNIP is logged in the Firewall, but the customer wants the user’s devices IP address logged.

 

We came up with a custom logging solution with a syslog server. The syslog server configuration on the NetScaler was done, se more here:

 

How to Configure Syslog on a NetScaler Appliance

https://support.citrix.com/article/CTX121728

 

When that was done, I configured an Auditing Message Actions:

With this I log the device IP and the requested URL.

The I made an Rewrite policy, with the flowing settings:

This will not do any rewrite, as action is set to NOREWRITE, but it will use the Auditing Message Actions and send the information to the syslog server.

 

Finally, I bound the rewrite policy to the XenMobile Access Gateway configuration:

For the test I tried to access http://dr.dk with in the Secure Web App, and I found the flowing logging on the syslog server:

Conclusion:

We ended up with a logging of the device IP and the access URL. With the many expressions available on the NetScaler you would be able to log almost everything in the syslog server.

Remember to bound the rewrite policy with NEXT as Goto Expression, or you could end up with others rewrite policies not being processed.

 

CLI commands:

add audit messageaction log_act_custom ALERT “\”Client:\”+CLIENT.IP.SRC+\” accessed \”+HTTP.REQ.URL”

add rewrite policy log_rw_pol true NOREWRITE -logAction log_act_custom

bind vpn vserver < Gateway virtual server name> -policy log_rw_pol -priority 100 -gotoPriorityExpression NEXT -type REQUEST

 

Citrix Receiver Auto-update

With the new Citrix Receiver Auto-update function, it is important to select the right update program that fit your installation.

You may not want users to update their Citrix Receiver them self, as your helpdesk has to deal with different versions of the Citrix Receiver. If your organization requires that you be in the LTSR program, then you have to set this on the installation/policy.

If using installation parameters the flowing can be used:

To test I have run this installation:

This end up with these registry settings:

Be aware that I have run the installation as an administrator. If you run the installation as a user then the settings will be under HKEY_CURRENT_USER and not under HKEY_LOCAL_MACHINE.

You can allow control the update feature with policies:

Conclution:

My point is that it is important to think of the update feature, when deploying Citrix Receiver. I have seen customers that did not control this and end up with many calls to the helpdesk, because Citrix Receiver started to update on the clients.  A lot of cleanup had to be done because clients had different versions of the Citrix Receiver installed.

 

Page 2 of 3

Powered by WordPress & Theme by Anders Norén