Citrix VDA 2006 + 2009: Citrix ICA could not configure Thinwire and switch to the remote ICA display

After an experimental upgrade of some VDAs in a customer's environment, we experienced issues when connecting to our Windows 10 virtual desktops. Desktop Viewer starts up, hangs for some seconds and closes without any error or event. We just see this window: After some minutes you see that the connection on the VM has been closed due to the VDA timeout. Internal connections through Storefront are working fine all the time. So…


Citrix ADC 13.0-64-35 and Storefront “Cannot complete your request” (CVE-2020-8245, CVE-2020-8246 or CVE-2020-8247)

Starting with Citrix ADC feature release 13.0 build 64.35, some weak SSO types are disallowed globally. This affects the Citrix XenDesktop Site and the Citrix Storefront authentication mechanism between Citrix Gateway and Storefront directly. The following SSO types are now disabled by default:

- Basic authentication
- Digest Access authentication
- NTLM without Negotiate NTLM2 Key or Negotiate Sign

This means the Single Sign-On (SSO) configuration in Citrix ADC and Citrix Gateway has to be…


Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update

On Sep 17, Citrix released the CTX281474 article with three vulnerabilities which are fixed by new firmware releases on all supported version tracks. The following vulnerabilities are addressed:

- CVE-2020-8245: An HTML injection attack against the SSL VPN portal
- CVE-2020-8246: A Denial-of-Service attack originating from the management network
- CVE-2020-8247: An escalation of privileges on the management interface

8246 & 8247 are attacks on the management interfaces, which should NOT be directly reachable from unauthorized…


LDAP channel binding changes in 2020

Microsoft announced an update that is going to disable unsigned LDAP by default. What does this mean for administrators? Long story short: you can no longer use unsigned (plain-text) binds to domain controllers over port 389. After the installation of the update you have to use either LDAPS over port 636 or StartTLS on port 389. Both scenarios still require a certificate to be added on the domain controllers. Microsoft has…


Netscaler – AD Group permission check on vserver level

In a Netscaler project I came across a requirement to check whether a user is a member of a specific Active Directory group before the request is forwarded to the load balancing vServer. The customer has multiple lb vServers, which are protected by a simple AAA authentication server. The authentication domain was set to the top level domain, e.g. fabric.com. The following subdomains represent the other applications: sharepoint.fabric.com, jira.fabric.com, documentcenter.fabric.com …


Risk-based Authentication with Netscaler n-Factor Feature and forwarding credentials to SAML

Scenario: We came across a requirement while implementing Citrix Netscaler as a central authentication instance for web applications, which was described with several needs on the customer side:

- Users are going to start a cloud web application, for example from SAP or other cloud providers
- This application will create a SAML request and send it to a Netscaler AAA service to authenticate the users against an on-premise repository (LDAP)
- Netscaler…


Insert your Password Policy notification in Netscaler Gateway 11.1

I am often asked to customize the Netscaler logon pages with the company's corporate design, logos and other stuff. Another very common requirement is to have the option to show a hint about the company's LDAP password complexity policy when users have to change their passwords in a remote scenario. Netscaler does not offer any functionality to do this in the GUI. The second challenge is that Citrix…


Overview: How to score an „A+“ at ssllabs.com with Citrix Netscaler

My last blog post about securing Netscaler VPX was about Netscaler 10.5.57, which was the first firmware with TLS 1.1 and TLS 1.2 support. After the update and activating TLS 1.1/TLS 1.2 (and disabling SSLv3, of course) the rating at https://www.ssllabs.com/ssltest/ is an „A“, which is pretty good, but also leaves us room for more optimization. Custom Ciphers: The first thing we should optimize are the ciphers in use. My suggestion here is to start…


Netscaler 10.5 57.7 VPX supports TLS 1.1 & TLS 1.2

It took some time and many discussions, but it looks like Netscaler VPX and TLS 1.x have finally come together. The first thing you need to do is update to the latest Netscaler build 10.5 57.7. Now enable the TLS settings on your vServer:

Now have a look at the config:

If you have done so, save your config and go to: https://www.ssllabs.com/ssltest/index.html In my case I got an A- in my first test…


Netscaler 10.5: A first look

On 30 May, Citrix released the new Netscaler version 10.5. This version comes with a completely reworked interface and many wizard-driven configuration options, and, for all long-suffering Netscaler admins, it is largely free of the Java GUI and based on HTML5 instead. "Largely" because, for example, the diagrams in the Visualizer are still rendered via Java. Citrix puts the number of new features at more than 100. Particularly interesting from my point of view: SPDY v3 support, support…
