How to Record Network Packet Trace on NetScaler Appliance

Points to Note

  • Citrix recommends the use of recent Wireshark version from the “automated build section” of the following web link: http://www.wireshark.org/download/automated.

  • In NetScaler software release 10.5 and later, to decrypt the capture, ensure that ECC (Elliptic Curve Cryptography), Session Reuse and DH Param are disabled/removed from the virtual server before the trace is captured. Refer to the Additional Resources section of this article before making these changes

To record the network packet trace on a NetScaler appliance, complete the following procedure based on the NetScaler firmware:

NetScaler 11.1

  1. Expand the System node of the navigation pane on the appliance.

  2. Select the Diagnostics node.

  3. Click the Start new trace link in the Diagnostics page, as shown in the following screenshot:

    User-added image

  4. Update the packet size to 0 in the Packet size field.

    User-added image

  5. Click Start to start recording the network packet trace.

  6. Click Stop and Download to stop recording the network packet trace after the test is complete.

    User-added image

    An nstrace.cap file is generated, which contains the network packet trace.

  7. Select the required file and click Select and click Download.

    User-added image

  8. Open the network packet trace file with the Wireshark utility to display the content of the file.

NetScaler 10.5 and Later

  1. Expand the System node of the navigation pane on the appliance.

  2. Select the Diagnostics node.

  3. Click the Start new trace link under Technical Support Tools as shown in the following screen shot:

    User-added image

  4. Update the packet size to 0 in the Packet Size field.

    User-added image

    Note:If NetScaler headers are not required then select Capture trace in .pcap format.

  5. Click Start to start recording the network packet trace.

  6. Click OK to stop recording the network packet trace after the test is complete.

    An nstrace.cap file is generated, which contains the network packet trace.

  7. Highlight the required file and click Download.

    User-added image

  8. Specify a destination and save the packet trace.

  9. Open the network packet trace file with the Wireshark utility to display the content of the file.

Note: Select Decrypted SSL packets (SSLPLAIN) to decrypt the packet trace without the private key.

User-added image

Capturing SSL master keys

In the latest 11.0 and 11.1 version and above there is an option to capture the session keys which will be valid for only for that particular session/nstrace and this option can be used if you donot want to share the private key or use SSLPLAIN mode. For more information please refer to

How to use the new “capsslkeys” option when trying to capture nstrace on Netscaler

Exporting Session Keys without sharing Private key

In most of the scenarios the private key is not available or shared. In such scenarios we can suggest to export the SSL session keys instead of the private key. Please refer to the below article for more information.

How to Export and Use SSL Session Keys to Decrypt SSL Traces Without Sharing the SSL Private Key

Using Filters

Additionally, it is always recommended to add IP based filters while taking traces. This will ensure that you will capture only interested traffic which will further ease your troubleshooting. Adding filters will also decrease the load on NetScaler while taking traces.

You will find the option to configure filters on the same page:


Simple IP based filters are enough to get the right captures. For a detailed list of filters and examples, refer to Citrix Documentation – nstrace.

Example: Capturing a trace with VServer IP filter (both frontend and backend)

With a filter of the Vserver IP address and enabling the option “–link” in CLI or select the option “Trace filtered connection peer traffic” in GUI (available 10.1 and above), you will be able to capture both the front end and backend traffic for that particular IP address. With this option it is not recommended to mention a source IP or destination IP filter.

start nstrace -size 0 -filter “CONNECTION.IP.EQ(1.1.1.1)” -link ENABLED

show nstrace

State: RUNNING Scope: LOCAL TraceLocation: “/var/nstrace/24Mar2017_16_00_19/…” Nf: 24 Time: 3600 Size: 0 Mode: TXB NEW_RX

Traceformat: NSCAP PerNIC: DISABLED FileName: 24Mar2017_16_00_19 Filter: “CONNECTION.IP.EQ(1.1.1.1)” Link: ENABLED Merge: ONSTOP Doruntimecleanup: ENABLED

TraceBuffers: 5000 SkipRPC: DISABLED Capsslkeys: DISABLED InMemoryTrace: DISABLED

User-added image

Capturing Cyclic traces

It is always challenging to troubleshoot an intermittent issue. Cyclic tracing is best suited for issues which are intermittent. These traces can be run over a span of few hours or days based on the occurance of the issue. Also a specific filter can be used as mentioned above. Please evaluate the size of the trace files that are being generated before running it for a longer time (as this can fill up the var space)

Run the following command from CLI

start nstrace -nf 60 -time 30 -size 0

This particular trace will create 60 files each of them for 30 sec. This means the files will start getting overwritten after 60 trace files or 30 mins

Show nstrace à To check the status of the nstrace

Stop nstrace à To stop the nstrace.

Best Practices

On a unit handling gigabytes of traffic per second, capturing traffic is a very resource intensive process. The impact to resources is mainly in terms of CPU and Disk Space. Disk Space impact can be reduced by using filtering expressions (capturing traffic only related to a particular IP). However the impact on CPU remains despite using expressions and in some cases might cause a slight further increase as NetScaler now needs to process packets according to the filter before capturing them.

The best practice with regards to tracing are:

  1. The duration for which the trace is run should be as limited as possible while still ensuring the packets of interest are captured.
  2. Schedule the tracing activity to happen at a time when the number of users (and hence the traffic) is greatly reduced, such as during off hours.

Related:

SecureWeb 10.7.25 :Unable to resolve two internal URL’s with error ERR::NET_EMPTY_RESPONSE

• Looking at the VPN config file from Secure Hub folder, we do see the Split Tunnel configured with “Reverse”.

<SplitTunnel>

<State>Reverse</State>

<IntranetAppNames></IntranetAppNames>



</SplitTunnel>

-From the MDX policies of Secure Web, we see that both intranet sites has been added.

-Add the traffic policy to bypass the proxy and with the removal of ReverseSplitTunnel ,the issue will be fixed.

Reference:

  • As per the Citrix Document https://support.citrix.com/article/CTX136914#Q11 regarding the Split Tunnel Reverse Exclusion list , if we configure split Tunnel Reverse Exclusion list, the defined URLS the traffic will go via 4G or Wifi(Internet) and it will not go via Netscaler.



XenMobile 10.3.5 or later introduces a new MDX policy titled “Reverse Split Tunnel Mode Exclusion List”. This is configured with the ‘Exclusion’ range based on a comma-separated list of DNS suffixes and FQDN, which defines the URLs for which traffic must be sent out on the local area network (LAN) of the device and would not be sent to the NetScaler.

Related:

Issues Viewing Encrypted Email Content on Non-Primary Monitors

Tradução automática

Эта статья была переведена автоматической системой перевода и не был рассмотрен людьми. Citrix обеспечивает автоматический перевод с целью расширения доступа для поддержки контента; Однако, автоматически переведенные статьи могут может содержать ошибки. Citrix не несет ответственности за несоответствия, ошибки, или повреждения, возникшие в результате использования автоматически переведенных статей.

Related:

  • No Related Posts

Activate RightSignature in Your ShareFile Account

If you are an Admin or Owner, follow the steps below to add a new user to your account:

Create an Employee

First, head to People > Manage Users Home or Browse Employees. Click Create Employee

User-added image

Enter your user’s email address, first name and last name. (Company is optional). If you wish to add additional users, click Add another. When adding multiple users at Step 1, those users must all be given the same permissions and folder access later in the creation process.

User-added image

Next, customize your new employee’s User Access.

User-added image

Under E-Signature you will see the 3 options related solely to e-signatures. The first option “Send document for e-signature” is your base level permission. Checking this permission will allow an employee user to send documents for e-signature. Note: Checking this permission will use one of your e-signature licenses

Once this permission is enabled the employee user can now send documents for e-signature from within your ShareFile account.

Related:

  • No Related Posts

RightSignature Documents Archive

Tradução automática

Эта статья была переведена автоматической системой перевода и не был рассмотрен людьми. Citrix обеспечивает автоматический перевод с целью расширения доступа для поддержки контента; Однако, автоматически переведенные статьи могут может содержать ошибки. Citrix не несет ответственности за несоответствия, ошибки, или повреждения, возникшие в результате использования автоматически переведенных статей.

Related:

  • No Related Posts

ShareFile Drive Mapper Tool

Download Drive Mapper

Drive Mapper can be downloaded from the Apps section of your ShareFile account, or the Citrix Downloads page.

For an MSI version of the Drive Mapper tool, please see the Citrix Downloads page.


Article Contents (click a link to skip to that section)

Encrypting File System

ShareFile data downloaded via Drive Mapper is cached to the local disk of the user’s computer. The persistence of this data will vary depending on usage and settings for cache handling. Drive Mapper will encrypt the data on the local disk by default, unless disabled via policy.

There are two methods which may be used to encrypt the cached files on disk. The default method is to use the built in Windows Encrypting File System (EFS). The below prompt will appear for customers that recently upgraded to v3.4.110.0 or later.

User-added image


If EFS is not available, Drive Mapper will use its own encryption method to protect the files and no action is required from the user end.


Note Regarding Drive Mapper and Antivirus Programs

Antivirus scans of the Drive Mapper file location can generate unwanted download notifications, depending on your notification settings. To avoid receiving a large amount of download notifications unexpectedly, ShareFile recommends adding the Drive Mapper app as an exception to your antivirus program.


Requirements

This app is available for Employee users. Client users cannot use this app.

The following environments are supported:

  • Windows 10 (x86 and x64)
  • Windows 8.1 (x86 and x64)
  • Windows 7 SP1 (x86 and x64)
  • XenDesktop 7.6
  • XenDesktop 7.7
  • XenDesktop 7.8 (requires v3.1.124.0 or later)
  • XenApp 6.5 (requires v3.1.124.0 or later)
  • XenApp 7.6
  • XenApp 7.7
  • XenApp 7.8
  • Citrix Profile Management 5.x
  • Windows Server 2008R2
  • Windows Server 2012R2
  • Windows Server 2016

Install Drive Mapper

Once you have downloaded the installation file from the Apps section of your account, run the installation file ad complete setup. Once installed, you will be prompted to enter your ShareFile account credentials.

Once Drive Mapper has been installed, you may select it from your Programs list in the Start Menu, as well as view it from the “Computer” section of your Windows Explorer window.

User-added image

Drive Letter and Cache Settings

You may customize the Drive Letter and Cache within the Settings menu. Access this menu by right-clicking the ShareFile icon in your task tray or accessing Drive Mapper from the Programs menu. A low cache setting may impact your ability to work on certain file types.

ShareFile data downloaded via Drive Mapper is cached to the local disk of the user’s computer. The persistence of this data will vary depending on usage and settings for cache handling. Drive Mapper will encrypt the data on the local disk by default, unless disabled via policy.

There are two methods which may be used to encrypt the cached files on disk.

User-added image

Single FolderMounting

You are able to map a single accountsubdirectory to the ShareFile data location using Group Policy Setting.

Policy Name : Account Subdirectory

Location In Group Policy Editor : UserConfigurationPoliciesAdministrative TemplatesShareFileDrive Mapper


Right-Click Menu – Share a File

You may share files from within the Drive Mapper location. To do so, right-click a file and access the Drive Mapper options. Choose how you wish to share your file. Generate a link to copy and paste where you see fit, or choose the ShareFile Email system to automatically generate an email message containing a link to your file and a brief description of the file being sent. You can customize the default expiration policy for shared items in the Settings menu. Note: If configured, Administrator settings will override your local expiration policy settings.

User-added image
User-added image

Check In Check Out

This feature requires Drive Mapper v3.4.110.0 or later.

Right-click on a file to view the Check Out option.

User-added image

Once files are checked out, they will be denoted by the orange check out icon. To view the status of a file or check in a file, right-click it and access the appropriate option.

User-added image

Access Personal Cloud and Office 365 Connectors

This feature requires version 3.5 or later. Note: Files and folders cannot be moved within Personal Cloud Connectors.

In order to access Personal Cloud or Office 365 locations from within your Drive Mapper app, the Connectors must first be created. Click here for information on how to create these Connectors.

Once your Connectors have been created and authenticated, you can view the locations from within the Drive Mapper file directory, as shown below.

(Note: You can unlink Personal Cloud Connectors by right-clicking the connector folder and choosing the Unlink option.)

User-added image


Access Restricted Zones, Network Shares, or SharePoint

When attempting to access one of the above, you will be prompted to enter your credentials.

User-added image

Moving files within Network Shares and SharePoint Connector locations is supported on v3.4.110.0 or later.

Switch Account

To sign into a different ShareFile account, access the Account tab of the settings menu, and click Logoff.

Exclude File Types from Drive Mapper

ShareFile automatically prevents the following file types from being synced: .pst.

To add or remove a file type on the exclusion list, navigate to Program FilesCitrixShareFileDrive MapperShareFileDriveMapper.exe.config and edit the file with Notepad.

User-added image



Drive Mapper and Archiving Accounts

Archiving accounts cannot rename files or folders.

Because of this, accounts with Archiving enabled are currently not be able to use the “Create New Folder” button to create new folders in the Windows Explorer window, since this function will first “create” a new folder with the default New Folder folder name, then attempt to “rename” the newly created folder.


Troubleshooting – Submit Logs

You can submit logs to ShareFile Support from the About tab of the settings menu. Please enter a detailed description of your problem when submitting logs.

Adding a Folder in “Shared Folders”

Adding a folder directly to the root within “Shared Folders” is not supported in Drive Mapper. If you need to add a new root level folder, you will need to login to the web application to add the folder and it will display in Drive Mapper.

The error messaging you will see if you attempt to do this is –

Destination Folder Access Denied –

User-added image

And then – Location is not available –

User-added image

Available Localization

English, German, French, Spanish, Russian, Dutch, Portuguese, Japanese, Korean and Simplified Chinese.

Related:

Unable to search few public apps in XenMobile

Tradução automática

Эта статья была переведена автоматической системой перевода и не был рассмотрен людьми. Citrix обеспечивает автоматический перевод с целью расширения доступа для поддержки контента; Однако, автоматически переведенные статьи могут может содержать ошибки. Citrix не несет ответственности за несоответствия, ошибки, или повреждения, возникшие в результате использования автоматически переведенных статей.

Related:

  • No Related Posts

XenMobile: Usage of iPhone X FaceID feature

Question:

Is the iPhone X feature of FaceID supported in XenMobile?

Answer:

Yes, FaceID authentication is supported with XenMobile. iPhone X FaceID uses the same APIs as the Touch ID feature in other iOS devices.

Question:

Will there be merge of both functions (Touch ID and FaceID), since it depends on the iPhone, which feature is used?

Answer:

Since iPhone X FaceID uses the same APIs as the Touch ID feature in other iOS devices. So for iPhone X you will be prompted to use FaceID, and for other iOS devices you will be prompted to use TouchID. Since it depends on the iPhone, which feature is used (for Example iPhone 7 – TouchID, iPhone X – FaceID)

Question:

How will Secure Hub utilize the Face ID feature?

Answer:

For the first time when Face ID is setup and we access Secure Hub, we are prompted if we want to use Face ID instead of PIN. If you select Yes, you can use Face ID for offline authentication every time instead of the PIN.

Question:

Will end users ever need to enter their PIN instead of the FaceID?

Answer:

End users will still have to enter PIN whenever online authentication through NetScaler Gateway is required. This is required in the following instances:

  1. The user’s session has expired.
  2. The user reboots the device.
  3. ​Secure Hub is not currently running and the user launches it or an MDX app.

Question:

Will disabling or blocking camera create any issue with FaceID recognition?

Answer:

FaceID uses a different API than the regular Camera APIs. It uses the same API for TouchID. The block camera policy will not block FaceID.

Related:

  • No Related Posts

Is it possible to disable Secure Mail popups for App feedback

Tradução automática

Эта статья была переведена автоматической системой перевода и не был рассмотрен людьми. Citrix обеспечивает автоматический перевод с целью расширения доступа для поддержки контента; Однако, автоматически переведенные статьи могут может содержать ошибки. Citrix не несет ответственности за несоответствия, ошибки, или повреждения, возникшие в результате использования автоматически переведенных статей.

Related:

  • No Related Posts

Full backup on the SDX not working “Error : Configuration Backup failed, reason SCP

Tradução automática

Эта статья была переведена автоматической системой перевода и не был рассмотрен людьми. Citrix обеспечивает автоматический перевод с целью расширения доступа для поддержки контента; Однако, автоматически переведенные статьи могут может содержать ошибки. Citrix не несет ответственности за несоответствия, ошибки, или повреждения, возникшие в результате использования автоматически переведенных статей.

Related:

  • No Related Posts