Netscaler – AD Group permission check on vserver level

In a Netscaler project I came across a requirement to check whether a user is a member of a specific Active Directory group before the request is forwarded to the load balancing vServer. The customer has multiple LB vServers, which are protected by a simple AAA authentication server. The authentication domain was set to the top-level domain, e.g. fabric.com. The following subdomains represent the other applications: sharepoint.fabric.com, jira.fabric.com, documentcenter.fabric.com …


Risk-based Authentication with Netscaler n-Factor Feature and forwarding credentials to SAML

Scenario: We came across a requirement while implementing Citrix Netscaler as a central authentication instance for web applications, which was described with several needs on the customer site. Users are going to start a cloud web application, for example from SAP or other cloud providers. This application will create a SAML request and send it to a Netscaler AAA service to authenticate the users from an on-premise repository (LDAP). Netscaler…


Insert your Password Policy notification in Netscaler Gateway 11.1

I am often asked to customize the Netscaler logon pages with the company's corporate design, logos and other stuff. Another very common requirement is to be able to show a hint about the company’s LDAP password complexity policy when users have to change their passwords in a remote scenario. Netscaler does not offer any functionality to do this in the GUI. The second challenge is, Citrix…


Overview: How to score an „A+“ at ssllabs.com with Citrix Netscaler

My last blog about securing Netscaler VPX was about Netscaler 10.5.57, which was the first firmware with TLS 1.1 and TLS 1.2 support. After the update and activating TLS 1.1/TLS 1.2 (and disabling SSLv3 of course) the rating at https://www.ssllabs.com/ssltest/ is an „A“, which is pretty good, but also gives us room for more optimization. Custom Ciphers: The first thing we should optimize is the ciphers used. My suggestion here is to start…


Netscaler 10.5 57.7 VPX supports TLS 1.1 & TLS 1.2

It took some time and many discussions, but it looks like Netscaler VPX and TLS 1.x have come together. The first thing you need is to update to the latest Netscaler build 10.5 57.7. Now enable TLS settings on your vServer:

Now have a look at the config:

If you have done so, save your config and go to: https://www.ssllabs.com/ssltest/index.html. In my case I got an A- in my first test…


Netscaler 10.5: A first look

On May 30, Citrix released the new Netscaler version 10.5. This version comes with a completely redesigned interface and many wizard-driven configuration options and, for all long-suffering Netscaler admins: largely without the Java GUI, based on HTML5 instead. Largely, because for example the creation of diagrams with the Visualizer is still implemented in Java. Citrix puts the number of new features at more than 100. Of particular interest from my point of view: SPDY v3 support; support…


Netscaler Nitro API: First Steps

For a long time I have been meaning to take a close look at the Netscaler's Nitro API, and now it has actually worked out. I want to focus on the CSharp variant of the API and describe below the basic steps for installation and for establishing the initial connection to the Netscaler, since this is often the first hurdle. The Nitro web service is active by default on every Netscaler appliance and can, via three routes…
