Browser Content Redirection: whitelisting websites

Browser Content Redirection is a technology built around a URL whitelisting mechanism. Two policies are exposed in Studio for that purpose:

i. Browser content redirection Access Control List (ACL) policy settings (a.k.a the ACL policy)

ii. Browser content redirection authentication sites (a.k.a the authentication sites policy)

While the description in edocs tries to cover the general cases, there are some websites using intrinsic redirection mechanisms that make the whitelisting process more difficult.

[Note: websites that rely on Integrated Windows Authentication, or that require a pop-up Windows Security message box, are not handled correctly by BCR with CWA 1905 or older. This is because our overlay browser (HdxBrowser.exe or HdxBrowsercef.exe) cannot display that window, hence the user is stuck on a blank page. See CTX230052 (current limitations section). CWA 1907 for Windows and higher fixes this problem.]


As an example of BCR redirections, we will look into Microsoft Teams.

It is essential that the Developer Tools are used to understand the website’s behavior before configuring any policy.

The ‘Preserve Log’ check-box should be ticked, otherwise entries are cleared automatically.

[Screenshot]

Microsoft Teams

A user typing http://teams.microsoft.com will get an HTTP 307 response from the webserver, repointing the browser to https://teams.microsoft.com

(Hence it is critical that the right syntax is used when whitelisting a website, like http or https, with or without www, etc – otherwise redirection might fail).

From that URL, the resource https://teams.microsoft.com/auth/prelogin is contacted by the browser, which eventually ends up being redirected to:

https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo&state=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&&client-request-id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&x-client-SKU=Js&x-client-Ver=1.0.9&nonce=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1&domain_hint=


Once the browser loads this page, it ‘rests’ and waits for user input. These redirections occur very fast, and the HdxVideo.js JavaScript that the Browser Content Redirection Chrome Extension needs to inject is not injected in time.

In this case, the URL https://login.microsoftonline.com/* needs to be whitelisted in the ACL policy in Studio.

Since Admins might not want to redirect the entire domain, better granularity can be achieved by leveraging a common parameter in OAuth 2.0 (redirect_uri, where the App name is embedded in the URL).

So whitelisting the following URL in the BCR ACL policy in Studio will achieve the objective, thanks to wildcards:

https://login.microsoftonline.com/*teams*

The Chrome Extension will now be able to inject HdxVideo.js, and the first redirection happens. The user will end up being redirected to an Office 365 Authentication website that is linked to Teams (see screenshot above), but this time the website will be running locally on the endpoint’s overlay browser that is part of Workspace app (HdxBrowserCef.exe).

Important: Please note that any IdP/SSO websites your organization deployed to authenticate users in O365 will also need to be added to the Authentication Sites policy (e.g. https://mycompany.okta.com)

Please also note that Teams requires https://login.microsoftonline.com/login* to be added to the Authentication Sites.

After a successful authentication, the overlay browser HdxBrowserCef.exe is pointed back to https://teams.microsoft.com

This URL (https://teams.microsoft.com/*) must now also be whitelisted in the ‘Authentication Sites’ policy in Studio.

Note: This might seem somewhat counterintuitive, as the authentication site is login.microsoftonline.com, not teams.microsoft.com. The problem in Teams is that the Chrome Extension is not loaded fast enough by the browser, and therefore injection fails on teams.microsoft.com.

Browser Content Redirection treats websites whitelisted under the Authentication Sites policy as child websites that must remain redirected if the parent website was in the ACL whitelist policy. In the Teams case, then, teams.microsoft.com is the child website of the parent login.microsoftonline.com.

Note: Peer-to-Peer Video conferencing is currently not available with Teams and Chrome, so it will not work with BCR either. Once Microsoft officially supports Chrome browser for peer to peer video, BCR will support it automatically.

Joining a conference call with video is supported in BCR.

GoToMeeting

First thing to notice is that navigating to https://gotomeet.me/mymeetingID redirects to https://www.gotomeet.me/mymeetingID

Whitelisting without the ‘www’ will result in failure. So whitelisting https://www.gotomeet.me/* is the solution (in the ACL policy).

Note the use of the wildcard ‘*’ – this allows you to whitelist any path for that URL.

After the webpage is redirected, the user can click ‘Join meeting in browser’, which points to:

https://app.gotomeeting.com/index.html?meetingId=xxxxxxxxxx

[Screenshot]

Note that this is a different FQDN, so if the user clicks on that link, the session falls back to the server side.

The solution is to whitelist https://app.gotomeeting.com/*

You can either add this to the ACL policy or to the Authentication Sites policy (or both).

The difference is that, if you add it only to the ACL policy, clicking the link triggers a re-processing of the URL by the VDA (a look-up of that URL in the ACL entries), resulting in a few extra redirection steps.

If you add it to the Authentication Sites policy, then since the parent website is https://www.gotomeet.me/* and that is already whitelisted in the ACL policy, a re-processing of the URL by the VDA is not required and the experience is smoother (see last paragraph under the Teams section).

Of course there could be a scenario where the user types https://app.gotomeeting.com/index.html?meetingId=xxxxxxxxxx directly as the first URL in Chrome’s navigation bar. Browser Content Redirection will only kick in if that URL is on the ACL policy (that is because the Authentication Sites policy is only processed after an ACL match). So in order to prevent this exact scenario from failing, you can add the URL to both the ACL and Authentication Sites policies (hence the reference to ‘both’ in the paragraph above).
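To make the interaction of the two policies concrete, here is an added Python model that walks the Teams and GoToMeeting redirect chains described above against a given ACL list and Authentication Sites list. It is not Citrix’s code and not the actual BCR implementation: it assumes that BCR’s ‘*’ wildcard behaves like a glob over the complete URL (scheme and host included), and that the two rules stated in this article hold, namely that redirection only starts on an ACL match and that Authentication Sites entries are consulted only after that match. The redirect chains, the sign-in page path under /login and the query-string values are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed redirect chains, modelled on the sequences the article describes.
# Query-string values and the /login path are placeholders, not real identifiers.
TEAMS_CHAIN = [
    "http://teams.microsoft.com",                 # user types this; HTTP 307 ->
    "https://teams.microsoft.com",
    "https://teams.microsoft.com/auth/prelogin",
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?response_type=id_token&client_id=PLACEHOLDER"
    "&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo",
    "https://login.microsoftonline.com/login?client_id=PLACEHOLDER",  # assumed sign-in page
    "https://teams.microsoft.com/go",             # post-auth landing (the redirect_uri)
]

GOTOMEETING_CHAIN = [
    "https://gotomeet.me/mymeetingID",
    "https://www.gotomeet.me/mymeetingID",        # server adds 'www'
    "https://app.gotomeeting.com/index.html?meetingId=PLACEHOLDER",  # 'Join meeting in browser'
]


def matches(url, patterns):
    """Case-sensitive glob match of the whole URL, scheme and host included.
    Assumption: BCR's '*' wildcard behaves like a glob; note that a pattern
    without 'www' or with the wrong scheme therefore does not match."""
    return any(fnmatchcase(url, p) for p in patterns)


def evaluate_chain(chain, acl, auth_sites):
    """Return one status per URL in the chain.

    server      : rendered by the VDA-side browser (no redirection)
    redirected  : rendered in the endpoint overlay browser
    reprocessed : still redirected, but only after a fresh ACL look-up by the
                  VDA (the ACL-only case the article describes as extra steps)
    """
    statuses = []
    redirected = False
    for url in chain:
        if not redirected:
            # Rule 1: redirection only starts on an ACL match; the
            # Authentication Sites list is not consulted before that.
            redirected = matches(url, acl)
            statuses.append("redirected" if redirected else "server")
        elif matches(url, auth_sites):
            # Rule 2: a child site of an already redirected parent stays in
            # the overlay browser without a new ACL look-up.
            statuses.append("redirected")
        elif matches(url, acl):
            statuses.append("reprocessed")
        else:
            # A URL in neither list falls back to the server side.
            redirected = False
            statuses.append("server")
    return statuses


def final_status(chain, acl, auth_sites):
    """Status of the last URL in the chain, i.e. what the user ends up with."""
    return evaluate_chain(chain, acl, auth_sites)[-1]


if __name__ == "__main__":
    # The Teams configuration the article arrives at.
    teams_acl = ["https://login.microsoftonline.com/*teams*"]
    teams_auth = ["https://login.microsoftonline.com/login*",
                  "https://teams.microsoft.com/*"]
    for url, status in zip(TEAMS_CHAIN, evaluate_chain(TEAMS_CHAIN, teams_acl, teams_auth)):
        print(f"{status:11} {url}")
    # The GoToMeeting pitfall: whitelisting without 'www' loses the session.
    print(evaluate_chain(GOTOMEETING_CHAIN, ["https://gotomeet.me/*"], []))
```

In the Teams run the first three URLs report ‘server’ because, as the article explains, teams.microsoft.com is not in the ACL at all (injection fails there anyway); the OAuth authorize URL is the first ACL hit, and the two Authentication Sites entries keep the sign-in page and the post-auth landing on the overlay browser. Dropping the Authentication Sites entries makes the final Teams URL fall back to ‘server’, and typing the app.gotomeeting.com URL directly only redirects when that URL is also in the ACL.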


Microsoft Stream

Microsoft’s corporate video-sharing platform runs as an Office 365 service.

The URL https://stream.microsoft.com/* needs to be whitelisted in the ACL policy.

That is because whitelisting https://web.microsoftstream.com will not work, since that page redirects to login.microsoftonline.com using HTTP response status code 302 Found, and that page in turn redirects to https://stream.microsoft.com.

Once the browser lands on that website, clicking on Sign In will redirect to https://login.microsoftonline.com/common/oauth2/*microsoftstream*

where the user finally enters their credentials.

Hence the site https://login.microsoftonline.com/*microsoftstream* needs to be added to Authentication Sites.

(This is different from the behavior in Teams).

If you are using SSO solutions like OKTA, or ADFS, the URLs will need to be added under Authentication Sites also.

Finally, also add https://web.microsoftstream.com/* to the Authentication Sites.


Google Meet and Google Hangouts

Add https://meet.google.com/* to the ACL policy.

Add https://hangouts.google.com/* to the ACL policy.

Important: Add https://accounts.google.com/* to the Authentication Sites policy.

Any other website used for SSO (e.g. Okta) must be added to the Authentication Sites policy (it could be more than one).

These websites require WebRTC support, hence you must use Citrix Workspace app 1809 for Windows or higher.

Currently, outgoing screensharing is not supported when using BCR.

Cisco Webex Teams

Add https://teams.webex.com/* to the ACL policy.

Add https://idbroker.webex.com/* to the Authentication Sites policy. This entry might vary depending on your Organization’s SSO configuration and IdP providers. Any website used for SSO must be added to the Authentication Sites policy (it could be more than one).

Cisco Webex Meetings

Currently not supported since this website uses Content Security Policy (CSP). See CTX230052.

Citrix and Cisco are collaborating on this and are aiming to have a solution ready.


Authentication Bypass Vulnerability in the Management Interface of Citrix Application Delivery Controller and Citrix Gateway

This vulnerability has been addressed in the following versions of Citrix ADC and Citrix Gateway:

  • Citrix ADC and Citrix Gateway version 13.0 build 41.28 and later
  • Citrix ADC and NetScaler Gateway version 12.1 build 54.16 and later
  • Citrix ADC and NetScaler Gateway version 12.0 build 62.10 and later
  • Citrix ADC and NetScaler Gateway version 11.1 build 63.9 and later
  • Citrix ADC and NetScaler Gateway version 10.5 build 70.8 and later

Citrix strongly recommends that customers impacted by this vulnerability upgrade to a version of the Citrix ADC or Citrix Gateway that contains a fix for this issue as soon as possible.

These versions are available on the Citrix website at the following addresses:

https://www.citrix.com/downloads/citrix-adc/

https://www.citrix.com/downloads/citrix-gateway/

In line with industry best practice, Citrix also recommends that customers limit access to the management interface to trusted traffic only. Citrix has published additional guidance on the secure configuration of the management interfaces. This can be found at the following location:

https://support.citrix.com/article/CTX228148


Recommended Hotfixes for Citrix Hypervisor (Formerly XenServer)

Citrix Hypervisor, formerly XenServer, is powered by the Xen Project hypervisor.

This article contains the complete set of recommended updates/hotfixes for Citrix Hypervisor (formerly XenServer).

For the list of drivers and versions, see CTX257603 – Driver versions for XenServer and Citrix Hypervisor.

For the list of XenServer Tools/Management Agent/Windows driver updates, refer to CTX235403 – Updates to Management Agent – For XenServer 7.0 and later.

For XenServer 6.x hotfixes, refer to CTX138115 – Recommended Hotfixes for XenServer 6.x.


For more information, refer to the following Knowledge Center articles:

Note: Citrix recommends updating the XenServer Console before applying any new hotfixes. All XenServer hotfixes can be applied at the same time; the order in which hotfixes are listed in this article is not an installation order.

Hotfix XS80E002 – For Citrix Hypervisor 8.0

All customers who are affected by the issues described in CTX256725 – Citrix Hypervisor Multiple Security Updates should install this hotfix.

Content live patchable** Yes

Hotfix XS80E004 – For Citrix Hypervisor 8.0

This hotfix resolves the following issues:

  • If you forcibly shut down a VM that has an AMD MxGPU attached, or the guest OS shuts down abnormally, your Citrix Hypervisor server might experience memory corruption.
  • If you force a shutdown on a Windows VM that is in an unclean state, the Citrix Hypervisor server hosting the VM might crash.

For Sandybridge hardware, this hotfix updates the Intel microcode to the microcode-20190618 release. This microcode addresses issues described in CTX251995 – Citrix XenServer Multiple Security Updates. To apply the updated microcode you must stop and start your Citrix Hypervisor host. To check that the microcode has been correctly applied, see the advice in the security bulletin.

This hotfix also includes the following previously released hotfixes:

Content live patchable** Yes

Hotfix XS76E005 – For XenServer 7.6

All customers who are affected by the issues described in CTX256725 – Citrix XenServer Multiple Security Updates should install this hotfix.

Content live patchable** Yes

Hotfix XS76E007 – For XenServer 7.6

This hotfix resolves the following issue:

  • If you forcibly shut down a VM that has an AMD MxGPU attached, or the guest OS shuts down abnormally, your Citrix Hypervisor server might experience memory corruption.

For Sandybridge hardware, this hotfix updates the Intel microcode to the microcode-20190618 release. This microcode addresses issues described in CTX251995 – Citrix XenServer Multiple Security Updates. To apply the updated microcode you must stop and start your XenServer host. To check that the microcode has been correctly applied, see the advice in the security bulletin.

This hotfix also includes the following previously released hotfixes:

Content live patchable** Yes

XenServer 7.1 Cumulative Update 2 (XS71ECU2) must be installed by all customers running XenServer 7.1 CU1 as, since March 12, 2019, no further hotfixes will be produced for XenServer 7.1 CU1.

XenServer 7.1 Cumulative Update 2 and its subsequent hotfixes are available only to customers on the Customer Success Services program.

For more information about XenServer 7.1 CU2, see the Citrix XenServer 7.1 Cumulative Update 2 Release Notes.

XenCenter 7.1.3

This release of XenCenter is for customers who use XenCenter as the management console for XenServer 7.1 LTSR. XenCenter 7.1 CU2 is released as part of XenServer 7.1 Cumulative Update 2 and is available only to customers on the Customer Success Services program.

We recommend that you install this version of XenCenter before using XenCenter to update XenServer 7.1 CU1 hosts to XenServer 7.1 CU2.

XS71ECU2

XenServer 7.1 Cumulative Update 2 (XS71ECU2) must be installed by customers running XenServer 7.1 LTSR CU1. It includes all previously released XenServer 7.1 CU1 hotfixes. Installation of XS71ECU2 is required for all future functional hotfixes for XenServer 7.1 LTSR.

XenServer 7.1 Cumulative Update 2 and its subsequent hotfixes are available only to customers on the Customer Success Services program.

Citrix will continue to provide security updates to the base XenServer 7.1 CU1 product for a period of three months from the release date of the XenServer 7.1 Cumulative Update 2 (until March 12, 2019). After this three month period elapses, any new hotfixes released will only support XenServer 7.1 with CU2 applied.

For more information about XenServer 7.1 CU2, see the Citrix XenServer 7.1 Cumulative Update 2 Release Notes.

Content live patchable** No

Hotfix XS71ECU2003 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issues:

  • Depending on the guest OS and device, devices passed through to a guest might not function correctly due to missed interrupts.
Content live patchable** No

Hotfix XS71ECU2007 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issues:

  • Improvements to VM performance and stability.
  • A race condition in XenBus can cause pauses in Windows VM operation, which lead to Timeout Detection and Recovery (TDR) events. The TDR can cause the VM to crash.
  • Under low resource situations, Xennet can consume all of the RAM on a Windows VM. This causes the VM to crash.
  • Windows VMs with the XenVBD driver installed can experience a high number of system interrupts when performing storage operations, especially if you are using fast storage and transferring large amounts of data.

This hotfix also includes the drivers required to support Windows Server 2019 VMs on XenServer 7.1 CU2.

Content live patchable** No

Hotfix XS71ECU2011 – For XenServer 7.1 Cumulative Update 2

This hotfix includes the following improvements:

  • Add a template and support for SUSE Linux Enterprise Server 12 SP4 (64-bit)
  • Add a template and support for SUSE Linux Enterprise Desktop 12 SP4 (64-bit)
Content live patchable** No

Hotfix XS71ECU2012 – For XenServer 7.1 Cumulative Update 2

All customers who are affected by the issues described in CTX256725 – Citrix XenServer Multiple Security Updates should install this hotfix.

This security hotfix addresses the vulnerabilities as described in the Security Bulletin above. In addition, it resolves the following issues:

  • If you perform an action that causes the standby storage to go offline, a race condition can cause all of the XenServer hosts in a pool to crash. The error message ‘blocked FC remote port time out’ appears multiple times in the logs.
  • If you shutdown or reboot your XenServer host shortly after starting a lot of guest VPX instances (>20), the XenServer host hangs.

This hotfix also includes the following previously released hotfixes:

Content live patchable** Yes

Hotfix XS71ECU2013 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issues:

  • A reboot of one switch in an MC-LAG bond makes all bond links to go down, causing a total connectivity loss for 3 seconds.
Content live patchable** No

Hotfix XS71ECU2014 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issues:

  • If you forcibly shut down a VM that has an AMD MxGPU attached, or the guest OS shuts down abnormally, your Citrix Hypervisor server might experience memory corruption.
  • XenServer does not copy SMBIOS type 2 information from the XenServer host to a VM.
  • When attempting to import or export an OVA/OVF file in a pool that contains different feature sets, the import or export might fail with the error message: “Failed to start Transfer VM”.

For Sandybridge hardware, this hotfix updates the Intel microcode to the microcode-20190618 release. This microcode addresses issues described in CTX251995 – Citrix XenServer Multiple Security Updates. To apply the updated microcode you must stop and start your XenServer host. To check that the microcode has been correctly applied, see the advice in the security bulletin.

This hotfix also includes the following previously released hotfixes:

Content live patchable** Yes

Hotfix XS71ECU2016 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issues:

  • If you have configured your logging to use the legacy logrotate mechanism, you can only retain two files per log. All other log files are removed.
  • On XenServer startup, FCoE services start on bonded devices. This is not a supported state.
Content live patchable** No

Hotfix XS71ECU2018 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issues:

  • When you eject a XenServer host with a static IP address from a resource pool, the XenServer host loses its DNS configuration.
  • On XenServer hosts with multiple base boards, the SMBIOS type 2 information provided to a VM by the XenServer host can be incorrect.
  • The XenServer host’s serial console can fail to display when the serial console is not on COM1, and the host’s integrated GPU has been disabled to allow for GPU passthrough.

This hotfix also includes the following previously released hotfixes:

Content live patchable** No

Hotfix XS71ECU2019 – For XenServer 7.1 Cumulative Update 2

This hotfix resolves the following issues:

  • The garbage collector process for the storage manager generates zombie processes. This error can cause XenServer to slow down and cause processes to fail as process IDs become unavailable.
  • A fault can occur in tapdisk that causes unexpected behavior. For example, the local disk can be marked as read only.
  • The RRDs for Intellicache do not work and graphs of these performance metrics cannot be viewed in XenCenter.

This hotfix also includes the following previously released hotfixes:

Apply the following hotfixes for XenServer 7.0 and restart XenServer when the hotfix installation is complete.

Hotfix XS70E001 – For XenServer 7.0

This is a XenCenter update (a .exe file) and not a host-side hotfix. This package needs to be installed on the Windows machine running XenCenter.

Hotfix XS70E002 – For XenServer 7.0

All customers who are affected by the CVE-2016-2107 issue described in CTX212736: Citrix XenServer Multiple Security Updates should install this hotfix.

Hotfix XS70E004 – For XenServer 7.0

Important: This is a critical hotfix for customers running XenServer 7.0. All XenServer 7.0 customers must apply this hotfix.

Hotfix XS70E009 – For XenServer 7.0

This hotfix resolves the following issue:

  • In rare circumstances when a XenServer host is enabling HA, or during a host reboot with HA enabled, the host can fail to establish HA communication with the other hosts. This is due to another process on the host using the listening port required by the HA software.
Update XS70EU001 – Management Agent for XenServer 7.0

The Management Agent update resolves the following issues:

  • Installation of Management Agent can fail after installing newer I/O drivers through Windows Update.
  • Failure to reboot a Windows VM after installing XenServer Tools can result in excessive log entries being written to xensource.log and xenstored-access.log until the VM is rebooted. If customers do not reboot the VM, or delay the reboot, excess logs can fill up the XenServer host log partition.
  • The Management Agent can crash and respawn on systems without a terminal services Windows Management Instrumentation (WMI) object causing high CPU usage and excessive logging in /var/log/daemon.
  • If the Management Agent auto update is enabled after installing XenServer Tools, and a new update is available, the initial auto-update can fail due to a race condition that can cause multiple update attempts to occur simultaneously.
Update XS70EU002 – Management Agent for XenServer 7.0

New versions of the I/O drivers, compatible with Microsoft Windows Server 2016, have been released.

Update XS70EU003 – Management Agent for XenServer 7.0
  • The default behavior of the Management Agent has been improved to enable customers to configure whether any I/O driver updates included in the Management Agent should be applied automatically. For more information, see section 4.3.1 Installing XenServer Tools in the XenServer 7.0 Virtual Machine User’s Guide.
  • This version (v7.1.844) of the Management Agent includes new versions of the I/O drivers that are compatible with Microsoft Windows Server 2016. These drivers have been released previously through the Microsoft Windows Server Update Service. For more information, see Update XS70EU002 – Windows I/O Drivers for XenServer 7.0.
Hotfix XS70E018 – For XenServer 7.0

This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX220112: Citrix XenServer Multiple Security Updates should install this hotfix.
  • This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX219378: Citrix XenServer Multiple Security Updates should install this hotfix.
  • This hotfix supports the improvements to XenServer’s Direct Inspect APIs.
Hotfix XS70E024 – For XenServer 7.0
  • When booting a vGPU provisioned Virtual Machine (VM) from network, an interaction between VGA BIOS and VGA emulation code in the vGPU device model can result in the corruption of the VM console in XenCenter.
Hotfix XS70E027 – For XenServer 7.0
  • When Installing XenServer or upgrading XenServer to a newer version, PBIS services get enabled (even when Role-based access control (RBAC) is not used) and display a lot of error messages. Also, this issue consumes a lot of control domain (dom0) resources.
Hotfix XS70E028 – For XenServer 7.0

This hotfix supports the following new guest operating systems:

  • Oracle Linux 6.8
  • Red Hat Enterprise Linux 6.8
  • CentOS 6.8
  • NeoKylin Linux Advanced Server 6.5 ( only 64 bit )
  • NeoKylin Linux Advanced Server 7.2 ( Only 64 bit )
  • SUSE Linux Enterprise Server 11 SP4
Hotfix XS70E037 – For XenServer 7.0

This hotfix addresses the following issue:

  • When attempting to use XenServer Conversion Manager (XCM) Console to connect to an XCM Virtual Appliance that runs on a slave host, the connection fails and the following message is displayed by the console: “There was a failure communicating with the plugin.” This hotfix ensures that the XCM Console can connect to a XCM Virtual Appliance that runs on any XenServer host.
Hotfix XS70E041 – For XenServer 7.0

This hotfix resolves the following issue:

  • When using SSH to connect to XenServer, a user might experience a memory leak in systemd on XenServer.
Hotfix XS70E048 – For XenServer 7.0

This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX230138 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E052 – For XenServer 7.0

This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX232655 – Citrix XenServer Multiple Security Updates should install this hotfix. This security hotfix addresses the vulnerabilities as described in the Security Bulletin above.
Hotfix XS70E065 – For XenServer 7.0

This hotfix resolves the following issues:

  • A race condition caused Windows VMs to hang repeatedly and give an error with Event ID 129: “StorPort detected a SRB timeout, and issued a reset”.
  • XenVBD can consume 100% of a vCPU and can block other processes from using that vCPU.
  • If a restart is performed without clicking on the Yes or No buttons of the restart to complete installation dialog box, the dialog box continues to appear even after restarting the VM.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E068 – For XenServer 7.0

All customers who are affected by the issues described in CTX251995 – Citrix XenServer Multiple Security Updates should install this hotfix.

This security hotfix addresses the vulnerabilities as described in the Security Bulletin above.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E069 – For XenServer 7.0

This hotfix resolves the following issue:

  • If you cancel an ongoing Storage XenMotion, the next attempt to migrate the VM using Storage XenMotion fails with the “VDI Mirroring Cannot be performed” error. However, any subsequent attempts to migrate the VM succeed.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E070 – For XenServer 7.0

This hotfix resolves the following issues:

  • A VM taking more than 30 seconds to shut down can lead to the error “Domain stuck in dying state after 30s”.
  • Automated guest agent update stops working after a host reboot, due to its dependency on entries in xenstore that were not properly recreated after the reboot.
  • Windows VMs with XenIface driver version 8.2.0.61 or later installed that are hosted on a XenServer 7.0 host cannot be clean shutdown by using XenCenter. The option is disabled in the XenCenter interface. This issue only occurs if the Management Agent is not running on the VM.
  • In high-load situations, XenServer sometimes fails to detect a VM having the latest PV Tools installed and reports them as out of date.

This hotfix also includes the following previously released hotfixes:

This hotfix addresses the following issues that are present in the now superseded hotfix (XS70E067):

  • XenCenter 8.0 does not connect to XenServer 7.0 hosts that have XS70E067 applied and reports the following error: “This pool contains servers earlier than Citrix Hypervisor 7.0. Please use an earlier version of XenCenter to manage this pool.” To work around this issue, use XenCenter 7.6 or earlier to connect to these hosts.

Important: If you have already installed XS70E067 on your XenServer 7.0 hosts, you must apply this hotfix before you can upgrade these hosts to a later version of XenServer.

Hotfix XS70E071 – For XenServer 7.0

All customers who are affected by the issues described in CTX256725 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:


Latest ShareFile Password Reset Requirements and Policy

ShareFile Password Requirements

By default, a ShareFile password must contain:

  • A minimum of 8 characters
  • 1 upper case letter
  • 1 lower case letter
  • 1 number
  • 1 special character
  • No more than 50 characters

These default requirements cannot be lowered or removed.

There is an additional password history requirement preventing use of the previous 25 passwords on your account. This requirement can be modified as needed, but cannot be removed entirely.

Additional Password Requirements

The Administrator user of your ShareFile account may change the password requirements for the ShareFile account at their own discretion. To do so, navigate to the Admin section of your ShareFile account and click Password Policy in the sidebar. Any changes made will go into effect the next time a user changes his or her password. When a password’s expiration time is met, users will be prompted to change their password the next time they log in to ShareFile.

Special Character Requirements:

  • !
  • #
  • $
  • %
  • ^
  • &
  • *
  • ( )
  • _
  • +
  • =
  • /
  • .
  • ?
  • [
  • ]
  • |
  • `
  • ~
  • @


How to Configure External Authentication Using TACACS+ on NetScaler

To configure external authentication using TACACS+, complete the following procedure. For TACACS+ server configuration, refer to your vendor documentation.

The TACACS+ server is configured to authenticate users and authorize commands. Citrix ADC must be configured to send the authentication and authorization requests.

  1. Go to System > Authentication > Basic Policies > TACACS and add a server.

  2. Specify the IP address of the TACACS+ server and the appropriate TACACS key as defined in the network configuration of the server.

  3. Use the following command to configure the TACACS authentication server from the command line (in this example, TAC is the server name):

    > add authentication tacacsAction TAC -serverIP 1.1.1.1 -serverPort 49 -authTimeout 3 -tacacsSecret "********" -authorization ON -accounting OFF -auditFailedCmds OFF

    Syntax:

    add authentication tacacsAction <name> [-serverIP <ip_addr>] [-serverPort <port>] [-authTimeout <positive_integer>] [-tacacsSecret <string>] [-authorization ( ON | OFF )] [-accounting ( ON | OFF )] [-auditFailedCmds ( ON | OFF )]

  4. Create the TACACS policy and set the expression to ns_true.

  5. Issue the following command to configure this from the command line (in this example, TAC_Pol is the name of the policy and TAC is the action created in step 3):

    > add authentication tacacsPolicy TAC_Pol -rule ns_true -reqAction TAC

  6. To bind the policy globally, select the Active check-box next to the policy.

  7. Issue the following command to bind the policy globally from the command line:

    > bind system global TAC_Pol -priority 101


Hotfix XS71ECU2018 – For XenServer 7.1 Cumulative Update 2

Who Should Install This Hotfix?

This is a hotfix for customers running XenServer 7.1 Cumulative Update 2.

Note: This hotfix is available only to customers on the Customer Success Services program.

Information About this Hotfix

Component                   Details
Prerequisite                None
Post-update tasks           Restart the XAPI Toolstack
Content live patchable**    No
Baselines for Live Patch    N/A

Revision History

Published on Oct 17, 2019

** Available to Enterprise Customers.

Issues Resolved In This Hotfix

This hotfix resolves the following issues:

  • When you eject a XenServer host with a static IP address from a resource pool, the XenServer host loses its DNS configuration.
  • On XenServer hosts with multiple base boards, the SMBIOS type 2 information provided to a VM by the XenServer host can be incorrect.
  • The XenServer host’s serial console can fail to display when the serial console is not on COM1, and the host’s integrated GPU has been disabled to allow for GPU passthrough.

This hotfix also includes the following previously released hotfixes:

Installing the Hotfix

Customers should use either XenCenter or the XenServer Command Line Interface (CLI) to apply this hotfix. As with any software update, back up your data before applying this update. Citrix recommends updating all hosts within a pool sequentially. Host upgrades should be scheduled to minimize the amount of time the pool runs in a “mixed state” where some hosts are upgraded and some are not. Running a mixed pool of updated and non-updated hosts for general operation is not supported.

Note: The attachment to this article is a zip file. It contains the hotfix update package only. Click the following link to download the source code for any modified open source components XS71ECU2018-sources.iso. The source code is not necessary for hotfix installation: it is provided to fulfill licensing obligations.

Installing the Hotfix by using XenCenter

Choose an Installation Mechanism

There are three mechanisms to install a hotfix:

  1. Automated Updates
  2. Download update from Citrix
  3. Select update or Supplemental pack from disk

The Automated Updates feature is available for XenServer Enterprise Edition customers, or to those who have access to XenServer through their XenApp/XenDesktop entitlement. For information about installing a hotfix using the Automated Updates feature, see the Applying Automated Updates in the XenServer documentation.

For information about installing a hotfix using the Download update from Citrix option, see Applying an Update to a Pool in the XenServer documentation.

The following section contains instructions for option (3), installing a hotfix that you have downloaded to disk:

  1. Download the hotfix to a known location on a computer that has XenCenter installed.
  2. Unzip the hotfix zip file and extract the .iso file.
  3. In XenCenter, on the Tools menu, select Install Update. This displays the Install Update wizard.
  4. Read the information displayed on the Before You Start page and click Next to start the wizard.
  5. Click Browse to locate the iso file, select XS71ECU2018.iso and then click Open.
  6. Click Next.
  7. Select the pool or hosts you wish to apply the hotfix to, and then click Next.
  8. The Install Update wizard performs a number of update prechecks, including the space available on the hosts, to ensure that the pool is in a valid configuration state. The wizard also checks whether the hosts need to be rebooted after the update is applied and displays the result.
  9. Follow the on-screen recommendations to resolve any update prechecks that have failed. If you want XenCenter to automatically resolve all failed prechecks, click Resolve All. When the prechecks have been resolved, click Next.

  10. Choose the Update Mode. Review the information displayed on the screen and select an appropriate mode.

    Note: If you click Cancel at this stage, the Install Update wizard reverts the changes and removes the update file from the host.

  11. Click Install update to proceed with the installation. The Install Update wizard shows the progress of the update, displaying the major operations that XenCenter performs while updating each host in the pool.
  12. When the update is applied, click Finish to close the wizard.
  13. If you chose to carry out the post-update tasks, do so now.
  14. The hotfix is applied to all hosts in the pool, but it will not take effect until the XAPI service is restarted on all hosts. On the console of each host in the pool beginning with the master, enter the following command to restart the XAPI service:

    xe-toolstack-restart

    Note: When this command is run on the Pool Master, XenCenter will lose connection to the pool. Wait for 30 seconds after losing connection, and then reconnect manually.

Installing the Hotfix by using the xe Command Line Interface

  1. Download the hotfix file to a known location.
  2. Extract the .iso file from the zip.
  3. Upload the .iso file to the Pool Master by entering the following command:

    (Where -s is the Pool Master’s IP address or DNS name.)

    xe -s <server> -u <username> -pw <password> update-upload file-name=<filename>XS71ECU2018.iso

    XenServer assigns the update file a UUID which this command prints. Note the UUID.

    58c32b4a-00cd-4644-95c3-58f97c482e13

  4. Apply the update to all hosts in the pool, specifying the UUID of the update:

    xe update-pool-apply uuid=58c32b4a-00cd-4644-95c3-58f97c482e13

    Alternatively, if you need to update and restart hosts in a rolling manner, you can apply the update file to an individual host by running the following:

    xe update-apply host=<host> uuid=58c32b4a-00cd-4644-95c3-58f97c482e13

  5. Verify that the update was applied by using the update-list command.

    xe update-list -s <server> -u root -pw <password> name-label=XS71ECU2018

    If the update is successful, the hosts field contains the UUIDs of the hosts to which this patch was successfully applied. This should be a complete list of all hosts in the pool.

  6. The hotfix is applied to all hosts in the pool, but it will not take effect until the XAPI service is restarted on all hosts. On the console of each host in the pool beginning with the master, enter the following command to restart the XAPI service:

    xe-toolstack-restart

    Note: When this command is run on the Pool Master, XenCenter will lose connection to the pool. Wait for 30 seconds after losing connection, and then reconnect manually.

  7. Use the update-pool-clean command to remove the update files from all hosts in the pool. This command frees up space on shared storage and does not uninstall the update.

    xe update-pool-clean uuid=58c32b4a-00cd-4644-95c3-58f97c482e13
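Two checks a practitioner would add around the procedure above, as an added example that is not Citrix's own code: verifying the downloaded zip and extracted .iso against the sha256 values published in the Files table before uploading them, and confirming after `update-pool-apply` that the hosts field of `xe update-list` covers every host in the pool (step 5), so the pool is not left in the unsupported mixed state. The `xe` invocations in the trailing comment and the comma/semicolon-separated list shape are assumptions; the digests are the ones this article publishes.

```bash
#!/usr/bin/env bash
# Added example, not part of the hotfix article. Integrity check for the
# XS71ECU2018 download and a completeness check for the applied update.
set -u

# Published digests, copied from the article's "Files" table.
XS71ECU2018_ZIP_SHA256="aeb43ba0388dffb4b69669281f10559c8950c2076c20ee2174dc439c6ac5df1c"
XS71ECU2018_ISO_SHA256="87f985b5cf53cc9b446fb7765c38e1840fb7c466b8a40d101591f645e4315d24"

# verify_sha256 FILE EXPECTED -> 0 when FILE's SHA-256 equals EXPECTED, 1 otherwise.
# Run it on XS71ECU2018.zip and again on the extracted XS71ECU2018.iso before
# `xe update-upload`, so a corrupted or tampered download is never uploaded.
verify_sha256() {
  file=$1; expected=$2
  [ -f "$file" ] || return 1
  actual=$(sha256sum "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# missing_hosts POOL_HOSTS PATCHED_HOSTS -> prints each pool host UUID that is
# absent from the update's hosts field, one per line; prints nothing when the
# update reached every host. Both arguments are UUID lists separated by ','
# or ';' (assumed shape of `xe host-list --minimal` and the hosts field).
missing_hosts() {
  pool=$1
  patched=",$(printf '%s' "$2" | tr ';' ',' | tr -d ' '),"
  printf '%s\n' "$pool" | tr ';,' '\n\n' | while IFS= read -r h; do
    h=$(printf '%s' "$h" | tr -d ' ')
    [ -n "$h" ] || continue
    case "$patched" in
      *",$h,"*) ;;                 # host present in the update's hosts field
      *) printf '%s\n' "$h" ;;     # host still unpatched
    esac
  done
}

# Typical use on the pool master after `xe update-pool-apply` (assumes xe is on PATH):
#   verify_sha256 XS71ECU2018.iso "$XS71ECU2018_ISO_SHA256" || exit 1
#   all=$(xe host-list --minimal)
#   done_=$(xe update-list name-label=XS71ECU2018 params=hosts --minimal)
#   missing_hosts "$all" "$done_"   # any output means the pool is in a mixed state
```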

Files

Hotfix File

Component                   Details
Hotfix Filename             XS71ECU2018.iso
Hotfix File sha256          87f985b5cf53cc9b446fb7765c38e1840fb7c466b8a40d101591f645e4315d24
Hotfix Source Filename      XS71ECU2018-sources.iso
Hotfix Source File sha256   c4f94f67951497a98a8751f5f8c7043f9ff7194d6067f23548a78555a968122e
Hotfix Zip Filename         XS71ECU2018.zip
Hotfix Zip File sha256      aeb43ba0388dffb4b69669281f10559c8950c2076c20ee2174dc439c6ac5df1c
Size of the Zip file        74.6 MB

Files Updated

forkexecd-1.1.2-4.el7.centos.x86_64.rpm
gpumon-0.4.0-4.el7.centos.x86_64.rpm
jemalloc-3.6.0-1.el7.x86_64.rpm
message-switch-1.4.3-1.el7.centos.x86_64.rpm
ocaml-xenops-tools-1.0.1.1-2.el7.centos.x86_64.rpm
rrd2csv-1.0.2-4.el7.centos.x86_64.rpm
rrdd-plugins-1.0.4.1-1.el7.centos.x86_64.rpm
sm-cli-0.9.8-3.el7.centos.x86_64.rpm
squeezed-0.13.2-4.el7.centos.x86_64.rpm
v6d-citrix-10.0.9-2.el7.centos.x86_64.rpm
vhd-tool-0.11.5-2.el7.centos.x86_64.rpm
xapi-core-1.14.51-1.x86_64.rpm
xapi-storage-0.9.1-2.el7.centos.x86_64.rpm
xapi-storage-script-0.13.0-4.el7.centos.x86_64.rpm
xapi-tests-1.14.51-1.x86_64.rpm
xapi-xe-1.14.51-1.x86_64.rpm
xcp-networkd-0.13.9-1.el7.centos.x86_64.rpm
xcp-rrdd-1.2.2-1.el7.centos.x86_64.rpm
xenops-cli-1.0.2.1-2.el7.centos.x86_64.rpm
xenopsd-0.17.15-2.el7.centos.x86_64.rpm
xenopsd-xc-0.17.15-2.el7.centos.x86_64.rpm
xenopsd-xenlight-0.17.15-2.el7.centos.x86_64.rpm
xha-10.1.0-1.el7.centos.x86_64.rpm

More Information

For more information, see XenServer Documentation.

If you experience any difficulties, contact Citrix Technical Support.
