Can ProxySG ‘uplevel’ a TLS connection to an internet website?

I need a solution

I have a legacy client on my network that needs to connect to an internet website that is disabling support for TLS 1.0 and 1.1.  This client is not capable of making connections higher than TLS 1.0, though.  It uses the ProxySG explicitly with a CONNECT, but I can route the traffic to get it there transparently as well if needed.  Is there a way in the ProxySG to cause the Proxy -> OCS connection to be TLS 1.2 even though the Client -> Proxy connection is TLS 1.0?

I found one knowledge entry that looks like it’s specific to making the reverse happen, but I think this is more of a source/dst/action rule (https://support.symantec.com/en_US/article.TECH248…).  I tried it anyway with the client.negotiated.ssl.version set to TLSV1 and it resulted in a ‘n/a’ in a policy trace.

Anyone know if there’s a way to do this?


“Cannot complete request” when logging on via NetScaler using dual factor authentication and SSON to StoreFront Server 3.14

The certificate hash shown in the HTTP.sys SSL binding for port 443 did not match the certificate bound to port 443 in IIS (the correct certificate hash starts with 89BA19BD4…).

Delete the stale HTTP.sys binding for the legacy certificate from an elevated command prompt:

netsh http delete sslcert ipport=0.0.0.0:443

This removes only the binding, not the certificate from the store. If IIS still needs an HTTPS binding on that port, re-bind the correct certificate in IIS Manager (or with netsh http add sslcert) afterwards.

Note: The legacy certificate belonged to another set of StoreFront servers (3 SF servers); it was not the new certificate created for this new set of 2 SF servers.

Validation

Running the following command:

netsh http show sslcert

now shows that the stale binding is gone.

When testing logon through the NetScaler, we were able to SSON to the StoreFront server with the two-factor authentication in place, keeping the setting “Enable Loopback Communication” set to ON (under StoreFront – Edit Receiver for Web Site – Advanced Settings).
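As an added example (not part of the original article and not a Citrix tool), the following Python script automates the comparison above: it parses the output of netsh http show sslcert and flags a binding on 0.0.0.0:443 whose hash differs from the thumbprint IIS should be using. The sample netsh output, hashes and application IDs in it are constructed for illustration; run it on the StoreFront server from an elevated prompt to check the live bindings.

```python
"""Check whether the HTTP.sys SSL binding on a port matches the certificate IIS should use."""
import re
import subprocess

# Constructed sample of `netsh http show sslcert` output. The hashes and application
# IDs are made up for this example; they are not the values from the article.
SAMPLE_NETSH_OUTPUT = """
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1111aaaa2222bbbb3333cccc4444dddd5555eeee
    Application ID               : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled

    IP:port                      : 10.0.0.5:443
    Certificate Hash             : 6666ffff7777000088881111999922223333aaaa
    Application ID               : {00000000-0000-0000-0000-000000000002}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
"""

_FIELD = re.compile(
    r"^\s*(IP:port|Hostname:port|Certificate Hash|Application ID|Certificate Store Name)\s*:\s*(.+?)\s*$"
)


def parse_sslcert(text):
    """Split netsh output into one dict per binding; keys are the netsh field labels."""
    bindings, current = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key in ("IP:port", "Hostname:port"):   # first line of each binding record
            if current:
                bindings.append(current)
            current = {}
        current[key] = value
    if current:
        bindings.append(current)
    return bindings


def normalise(thumbprint):
    """Thumbprints copied from certificate dialogs carry spaces, colons and mixed case."""
    return re.sub(r"[^0-9a-f]", "", thumbprint.lower())


def find_stale_binding(bindings, expected_thumbprint, ipport="0.0.0.0:443"):
    """Return the binding on ipport whose hash is not the expected one, or None if it matches."""
    expected = normalise(expected_thumbprint)
    for b in bindings:
        if b.get("IP:port") == ipport and normalise(b.get("Certificate Hash", "")) != expected:
            return b
    return None


def netsh_show_sslcert():
    """Live output from the StoreFront server (Windows, elevated prompt)."""
    return subprocess.run(["netsh", "http", "show", "sslcert"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    # Usage: python check_sslcert.py <thumbprint-of-the-IIS-certificate> [ip:port]
    expected = sys.argv[1]
    ipport = sys.argv[2] if len(sys.argv) > 2 else "0.0.0.0:443"
    stale = find_stale_binding(parse_sslcert(netsh_show_sslcert()), expected, ipport)
    if stale is None:
        print("OK: binding on %s uses the expected certificate" % ipport)
    else:
        print("MISMATCH on %s: HTTP.sys has %s (app %s)"
              % (ipport, stale["Certificate Hash"], stale.get("Application ID")))
        print("Fix: netsh http delete sslcert ipport=%s, then re-bind the correct certificate in IIS" % ipport)
```

The thumbprint argument is whatever IIS Manager or the certificate MMC shows for the intended certificate; normalise() makes the comparison tolerant of the spaces and colons those tools insert.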


Receiver for HTML5 – Unable to Launch Apps Using HTTPS URL

When Receiver for HTML5 is served from an HTTPS site (the default and recommended setup), browsers refuse to open unencrypted WebSocket (ws://) connections from that page: a plain ws:// connection from an https:// origin is blocked as mixed content.

Two principles explain the technical reason:

1. Rather than running as a separate process, Citrix Receiver for HTML5 runs inside the browser's own page and process context. The browser therefore applies its security policies, including mixed-content blocking, to every connection it makes.

2. When any Receiver (or Workspace app, in newer versions) launches a published desktop or app, the session connection is made directly to the VDA. The StoreFront server is not an intermediate proxy for that connection.


The second point is less obvious with Receiver for HTML5, because the published desktop or app is displayed inside the browser frame and “appears” to be connected via the StoreFront server. Despite that appearance, the underlying connection (a WebSocket, carried over TCP) is still between the client and the VDA. If the StoreFront base URL uses HTTPS (as it should) and the VDA is not TLS-enabled (it is not by default), the browser blocks the connection because of what it sees as an inconsistency: the address bar shows https, but the session connection the page is trying to open is an unencrypted ws:// connection, which the user cannot see.

There are two solutions for this.

Solution 1 is to enable TLS on the VDA using one of these guides:

https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/tls.html#configure-tls-on-a-vda-using-the-powershell-script

https://www.citrix.com/blogs/2014/12/11/how-to-secure-ica-connections-in-xenapp-and-xendesktop-7-6-using-ssl/

This ensures that the path between the internal client and the VDA is TLS-protected, so the browser opens a wss:// connection that is consistent with the https:// page.

Solution 2 is to route client connections through a NetScaler Gateway. The Gateway terminates the TLS connection from the browser (the HTML5 client connects to it over wss://) and forwards the session to the VDA on the internal network, so the browser sees a consistent https/wss origin and connections via Receiver for HTML5 succeed. Note that with this solution alone the Gateway-to-VDA leg is still not TLS-protected unless Solution 1 is applied as well.
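To make the browser rule concrete, here is an added Python example (not Citrix code and not from the original article) that applies the mixed-content decision a browser makes to the launch scenarios above: a page served over https:// may open wss:// WebSockets but not ws:// ones, with loopback addresses as the one exception browsers treat as potentially trustworthy. The hostnames are placeholders; 8008 is used as the VDA's plain WebSocket port and 443 as its TLS port in this example.

```python
"""Mixed-content decision for WebSockets opened from a StoreFront / Receiver for HTML5 page."""
import ipaddress
from urllib.parse import urlsplit


def _potentially_trustworthy_host(host):
    """Browsers exempt loopback from mixed-content blocking (Secure Contexts rules)."""
    host = host.strip("[]").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def websocket_allowed(page_url, ws_url):
    """Return (allowed, reason) for a WebSocket opened from page_url to ws_url."""
    page, ws = urlsplit(page_url), urlsplit(ws_url)
    if ws.scheme not in ("ws", "wss"):
        return False, "not a WebSocket URL"
    if page.scheme != "https":
        return True, "page is not a secure context; the browser applies no mixed-content rule"
    if ws.scheme == "wss":
        return True, "wss:// from an https:// page is consistent"
    if _potentially_trustworthy_host(ws.hostname or ""):
        return True, "ws:// to loopback is treated as potentially trustworthy"
    return False, "ws:// from an https:// page is blockable mixed content; the browser drops it"


# Constructed scenarios. Hostnames are placeholders; 8008 is the VDA's plain WebSocket
# port and 443 its TLS port in this example (assumptions, not values from the article).
SCENARIOS = {
    "plain VDA, https StoreFront":       ("https://storefront.example.internal/Citrix/StoreWeb/",
                                          "ws://vda01.example.internal:8008/"),
    "solution 1: TLS on the VDA":        ("https://storefront.example.internal/Citrix/StoreWeb/",
                                          "wss://vda01.example.internal:443/"),
    "solution 2: via NetScaler Gateway": ("https://gateway.example.com/Citrix/StoreWeb/",
                                          "wss://gateway.example.com/"),
    "http StoreFront (not recommended)": ("http://storefront.example.internal/Citrix/StoreWeb/",
                                          "ws://vda01.example.internal:8008/"),
}


def evaluate(scenarios=SCENARIOS):
    """Map each scenario name to whether the browser would allow the launch."""
    return {name: websocket_allowed(page, ws)[0] for name, (page, ws) in scenarios.items()}


if __name__ == "__main__":
    for name, (page, ws) in SCENARIOS.items():
        allowed, why = websocket_allowed(page, ws)
        print("%-36s %-5s %s" % (name, "ALLOW" if allowed else "BLOCK", why))
```

The last scenario is listed only to show why the problem is not seen on an http:// StoreFront site; it is not a fix, since it removes the protection from the StoreFront logon itself.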


SD-WAN Zero Touch Deployment: Status: Waiting for appliance to connect

  1. Verify that the appliance is properly cabled and has Internet connectivity.

  2. Verify that the appliance can reach the ZTD service by running the following curl request as root:

    curl -X GET https://sdwanzt.citrixnetworkapi.net/root/sdwanzt/v1/version



  3. In addition to the curl request, verify that the appliance can resolve and reach the following three FQDNs on TCP port 443:

    https://sdwanzt.citrixnetworkapi.net

    https://trust.citrixnetworkapi.net

    https://download.citrixnetworkapi.net

Sample Successful Output

$ telnet sdwanzt.citrixnetworkapi.net 443

Trying 52.4.199.234…

Connected to sdwanzt.citrixnetworkapi.net.

Escape character is ‘^]’.

$ telnet trust.citrixnetworkapi.net 443

Trying 52.4.199.234…

Connected to trust.citrixnetworkapi.net.

Escape character is ‘^]’.

$ telnet download.citrixnetworkapi.net 443

Trying 52.4.199.234…

Connected to download.citrixnetworkapi.net.

Escape character is ‘^]’.

Sample Failed Output

telnet: could not resolve sdwanzt.citrixnetworkapi.net/443: Name or service not known

telnet: could not resolve trust.citrixnetworkapi.net/443: Name or service not known

telnet: could not resolve download.citrixnetworkapi.net/443: Name or service not known

(DNS resolution failed: check the appliance's configured DNS servers and that DNS egress is permitted.)

telnet: Unable to connect to remote host: Connection refused

(The name resolved and a host answered, but nothing accepted the connection on port 443; typically a firewall or proxy that rejects rather than silently drops.)

telnet: Unable to connect to remote host: No route to host

(The packets could not be delivered at all: a default-gateway or routing problem on the appliance or upstream.)


Can HTTPS be monitored with Network Monitor 15.1?

I need a solution

Hi,

I have two Network Monitor 15.1 detection servers on two different core switches, but when checking the incidents, HTTPS incidents are generated without the HTTPS protocol being enabled. Can someone explain to me why it generates this type of incident, or whether this new version of Network Monitor already detects encrypted HTTPS traffic natively?

Thanks and regards.


Re: ESRS Network Connectivity (NAT)

Hi,

Sometimes the network check reports incorrect results. A meaningful test from the VM itself would be:

curl -v -k https://esrs3.emc.com

curl -v -k https://esrs3-core.emc.com

If these two work (the second will probably end in an SSL handshake failure, but the SSL handshake will at least be started), please follow fix 1 in KB article 503235 to be able to skip the network check. There will be an option in the GUI to skip the network check in a future version, unfortunately not in 3.32 yet.

If provisioning does not work, indicating a real issue with the network connectivity, please open an SR with support to get assistance.

Regards

Frank
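The telnet and curl checks in the SD-WAN ZTD section above and the two curl -v -k checks in this ESRS reply are doing the same thing: finding which stage of the connection fails. As an added example (not from Citrix, Dell EMC or the people posting above), the following Python script runs those stages in order, DNS resolution, TCP connect, TLS handshake and an HTTP request, and reports the first one that fails. It distinguishes a handshake that started and then failed (the path works, as the reply notes) from a certificate-trust failure (typically a TLS-intercepting proxy, which breaks both services' trust). The target list reuses the FQDNs named on this page; the --insecure switch is this script's equivalent of curl -k.

```python
"""Staged HTTPS reachability check: DNS -> TCP -> TLS -> HTTP, reporting the first failing stage."""
import socket
import ssl
import sys
from urllib.parse import urlsplit

# FQDNs named on this page (ZTD service and the ESRS endpoints); the version path is the one quoted there.
DEFAULT_TARGETS = [
    "https://sdwanzt.citrixnetworkapi.net/root/sdwanzt/v1/version",
    "https://trust.citrixnetworkapi.net/",
    "https://download.citrixnetworkapi.net/",
    "https://esrs3.emc.com/",
    "https://esrs3-core.emc.com/",
]


def classify(exc):
    """Map an exception to (stage that failed, short diagnosis). Order matters: the ssl and
    socket exceptions are all OSError subclasses, so the specific ones are tested first."""
    if isinstance(exc, socket.gaierror):
        return "dns", "name resolution failed (check resolv.conf / DNS egress)"
    if isinstance(exc, socket.timeout):
        return "tcp", "timed out (routing problem, or a firewall that silently drops)"
    if isinstance(exc, ConnectionRefusedError):
        return "tcp", "connection refused (a host answered, nothing listening or a reject rule)"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls", "certificate not trusted (TLS-intercepting proxy or missing CA); TCP path is fine"
    if isinstance(exc, ssl.SSLError):
        return "tls", "handshake started after TCP connect but failed; the network path itself works"
    if isinstance(exc, OSError):
        return "tcp", "unreachable / no route to host (%s)" % exc
    return "unknown", repr(exc)


def check(url, timeout=5.0, verify=True):
    """Run the stages in order. Returns ('http', status line) on success or classify()'s result."""
    u = urlsplit(url)
    host, port = u.hostname, u.port or 443
    ctx = ssl.create_default_context()
    if not verify:                           # same idea as curl -k: no verification, handshake still exercised
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        ip = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0]   # dns stage
        with socket.create_connection((ip, port), timeout=timeout) as raw:      # tcp stage
            with ctx.wrap_socket(raw, server_hostname=host) as tls:              # tls stage
                negotiated = tls.version()
                tls.sendall(("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
                             % (u.path or "/", host)).encode())
                status_line = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
        return "http", "%s via %s (%s)" % (status_line, ip, negotiated)
    except Exception as exc:  # everything is classified rather than raised
        return classify(exc)


def main(argv):
    verify = "--insecure" not in argv
    targets = [a for a in argv if not a.startswith("--")] or DEFAULT_TARGETS
    for url in targets:
        stage, detail = check(url, verify=verify)
        print("%-58s %-4s %s" % (url, stage, detail))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to test every endpoint on the page, or pass your own URLs. A "tls" result with the trust-failure text is the case the ESRS reply is hinting at: the provisioning endpoint is reachable, but something in the path is re-signing the certificate.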


Weak Diffie-Hellman encryption enforced on MessageLabs servers

I do not need a solution (just sharing information)

Hello,

We just resolved an issue emailing to multiple messagelabs customers.

After a new Exchange 2016 server was configured (with Microsoft best-practice security guidelines), we couldn't email multiple domains that happen to use MessageLabs.

Errors we got in protocollog smtpsend:

TLS negotiation failed with error InvalidToken

421 Service Temporarily Unavailable

After troubleshooting we found that the Diffie-Hellman cipher suite was forced to 2048-bit on our Exchange server, but the MessageLabs servers only accepted weaker/lower encrypted communication (i.e. 512/1024-bit).

More information about this issue:

https://weakdh.org/

Could this issue be resolved?

Sincerely,

Mark


ShareFile TLS Guidance

This article was last updated on November 1st, 2018 – Please visit this page often for the latest information.

Citrix ShareFile follows security best practices, including in its Transport Layer Security (TLS) implementation across the various components. There are no known security vulnerabilities in our implementation as of the date of this article. Citrix ShareFile operations will disable TLS v1.0 and v1.1 on October 31st, 2019.

We understand that security is very important and that in some cases customers will need to update their TLS configuration, in particular disabling TLS v1.0 and/or v1.1 to meet security best practices and compliance requirements. This article describes how customers can use the Citrix ShareFile components that support TLS v1.2, and the specific dependencies on web browsers, mobile platforms and development environments for API and SDK consumers.

What is TLS?

TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It is the successor to Secure Sockets Layer (SSL) and the most widely deployed security protocol in use today, by web browsers and by any other application that needs to exchange data securely over a network. TLS provides confidentiality (encryption), integrity (message authentication) and endpoint identity verification (certificate validation), so a client can be sure it is connected to the intended endpoint and not to something in the path. The versions of TLS, to date, are TLS 1.3, 1.2, 1.1 and 1.0.

TLS v1.0, when not configured correctly, can be vulnerable to well-known attacks such as POODLE (its TLS variant), CRIME and DROWN. These target specific features rather than the version number alone: POODLE exploits CBC padding handling, CRIME exploits TLS compression, and DROWN exploits SSLv2 support on a server that shares its RSA key, so disabling TLS 1.0 and 1.1 removes the weakest configurations but the affected features must be switched off as well. References:

https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/

https://www.ssllabs.com/ssl-pulse/

Citrix ShareFile is not vulnerable to the known attacks described above given that the TLS implementation is current. For specific technical details on current supported levels, please see:

SSL Labs Test Result for ShareFile

For customers that have updated their environment to allow TLS v1.2 and higher only, the following information can help determine the minimum versions of various components to support the environment:

ShareFile Clients and Plug-ins (minimum version with TLS v1.2 support)

  • Citrix Files for Windows: 4.X and higher (latest release: ShareFile downloads)
  • Citrix Files for Mac: 4.X and higher (latest release: ShareFile downloads)
  • Citrix Files for Outlook: 6.X and higher (latest release: ShareFile downloads)
  • ShareFile Sync for Windows: 3.14 and higher (latest release: ShareFile downloads)
  • ShareFile Sync for Mac: 3.0 and higher (latest release: ShareFile downloads)
  • ShareFile Drive Mapper: depends on .NET Framework v4.6.2 and higher (latest release: ShareFile downloads; .NET Framework download link)
  • ShareFile Outlook Plug-in: 4.4 and higher (latest release: ShareFile downloads)
  • Print to ShareFile: 2.8 and higher (software details here)
  • ShareFile Desktop App for Windows: 1.8 and higher (software details here)
  • ShareFile Desktop App for Mac: 1.0 and higher (software details here)

ShareFile Mobile Apps (minimum supported OS platform)

  • ShareFile Android App: Android 5 and higher (software details here)
  • ShareFile iOS App: iOS 10 and higher (software details here)
  • ShareFile Windows Phone App: Windows Phone 10 and higher (software details here)

ShareFile StorageZones Controller and Tools (minimum version with TLS v1.2 support)

  • StorageZones Controller: 5.3.1 and higher (latest release: here, sign-in required; configuration guidance with NetScaler here)
  • User Management Tool (UMT): 1.8.1 and higher for non-Policy Based Administration (PBA) accounts; 1.12 and higher for PBA accounts (software details here)
  • ShareFile Data Migration Tool: 3.2 and higher (software details here)
  • ShareFile Command Line Interface (SFCLI): N/A; SFCLI must be replaced by the PowerShell SDK (more details here)
  • ShareFile V1 API: N/A; the V1 API must be migrated to the V3 API (migration guide here)

ShareFile API and SDK

The ShareFile API negotiates the highest TLS version both sides support, starting with TLS v1.2, and only falls back to a lower version if the server does not offer a higher one. If a higher version is supported, a deliberate downgrade to a lower version is prevented.

For ShareFile SDKs, .NET Framework 4.6.2 and higher is needed to support TLS v1.2 by default. The latest .NET Framework can be downloaded here.

FAQs

When will ShareFile disable TLS v1.0 and/or TLS v1.1? The current date on which TLS v1.0 and v1.1 will be disabled is October 31st, 2019.
Is ShareFile vulnerable to known TLS vulnerabilities? As of writing, there are no known vulnerabilities. This can be independently verified through SSL Labs: test your subdomain (e.g. company.sharefile.com) at https://www.ssllabs.com/ssltest/index.html
What should customers do to avoid TLS v1.0 and TLS v1.1 when using ShareFile? Use the reference above on ShareFile components and their dependencies (such as .NET Framework 4.6.2 and higher), which support TLS v1.2 by default. Upgrade the relevant components and prepare the environment before TLS v1.0 and v1.1 are disabled.
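As an added example (not ShareFile's code and not part of the original article), the following Python script enumerates which TLS versions a host still negotiates, so the "TLS v1.2 and higher only" state of a ShareFile subdomain, or of your own StorageZones Controller behind NetScaler, can be checked from a shell rather than only via SSL Labs. make_context() also shows the client-side half of the FAQ: pinning a client's own minimum version. The hostname company.sharefile.com is the placeholder from the FAQ; the legacy-version cipher setting is for probing only.

```python
"""Enumerate the TLS protocol versions a server accepts, one handshake per version."""
import socket
import ssl

VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def make_context(version):
    """Context that offers exactly one protocol version, with certificate verification left on.
    A real client pins 'TLS 1.2 or higher' the same way: set minimum_version and leave maximum alone."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it so the probe
        # can offer them at all. Never do this in a client you ship.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # LibreSSL / older builds have no security levels; nothing to lower
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version name: True (negotiated) | False (rejected) | 'error text' (no protocol answer)}."""
    results = {}
    for version in VERSIONS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with make_context(version).wrap_socket(raw, server_hostname=host) as tls:
                    results[version.name] = tls.version() is not None
        except ssl.SSLError:
            results[version.name] = False        # server (or our own build) rejected this version
        except OSError as exc:
            results[version.name] = str(exc)     # DNS/TCP problem rather than a protocol decision
    return results


def legacy_versions_accepted(results):
    """True if TLS 1.0 or 1.1 still negotiates, i.e. the endpoint is not yet 'TLS v1.2 and higher only'."""
    return any(results.get(v) is True for v in ("TLSv1", "TLSv1_1"))


def minimum_accepted(results):
    """Lowest version the server negotiated, or None if no handshake succeeded."""
    for v in VERSIONS:
        if results.get(v.name) is True:
            return v.name
    return None


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "company.sharefile.com"   # placeholder from the FAQ
    r = probe(host)
    for name, outcome in r.items():
        print("%-8s %s" % (name, outcome))
    print("lowest accepted:", minimum_accepted(r), "| legacy TLS still accepted:", legacy_versions_accepted(r))
```

A False for TLSv1 and TLSv1_1 with True for TLSv1_2 is the state this article asks customers to reach on their own components; a False across the board from a Python built against a library that cannot speak TLS 1.0/1.1 says nothing about the server, which is why the probe reports those versions as rejected rather than as errors.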


NetScaler 59XX or 89XX Stops Processing SSL Traffic

On MPX 59XX or 89XX, all SSL-related functions suddenly stop working.

All backend SSL connections fail and no SSL vServer accepts traffic, including HTTPS connections to the management interface.

On SDX 89XX this affects all running VPX instances, but not the SVM.

During this time, the SSL transactions counter (ssl_tot_sslInfo_TotalTxCount) may drop to 0.


To resolve this, a reboot of the full appliance is required.

In an HA deployment, fail over first and reboot the affected appliance while it is Secondary.
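As an added example (not Citrix code and not from the original article), here is Python detection logic for the symptom above: it flags an appliance whose cumulative SSL transaction counter was increasing and then stays flat for several polling intervals. The sample counter values are constructed. The fetcher polls the NITRO stat API; the stat object /nitro/v1/stat/ssl and the field name ssltottransactions are assumptions to confirm against the NITRO stat reference for your firmware, and because the article says HTTPS to the management interface also stops, a failed poll is itself treated as an alert.

```python
"""Alert when a NetScaler's SSL transaction counter flat-lines after having been busy."""
import json
import time
import urllib.request


def ssl_stalled(samples, quiet_intervals=3):
    """samples: cumulative counter values taken at a fixed interval, oldest first.
    True when the counter moved earlier in the window but has not changed for the last
    `quiet_intervals` intervals. A counter that never moved is not a stall (idle box)."""
    if len(samples) < quiet_intervals + 2:
        return False
    deltas = [b - a for a, b in zip(samples, samples[1:])]
    had_traffic = any(d > 0 for d in deltas[:-quiet_intervals])
    recent_flat = all(d == 0 for d in deltas[-quiet_intervals:])
    return had_traffic and recent_flat


def fetch_total_tx(nsip, user, password, scheme="http", timeout=5):
    """Read the cumulative SSL transaction counter over NITRO.
    ASSUMPTION: object /nitro/v1/stat/ssl with field ssltottransactions; verify against the
    NITRO stat reference for your release. HTTP is the default on purpose: during this fault
    HTTPS to the management interface stops working too."""
    req = urllib.request.Request("%s://%s/nitro/v1/stat/ssl" % (scheme, nsip))
    req.add_header("X-NITRO-USER", user)
    req.add_header("X-NITRO-PASS", password)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        data = json.load(resp)
    return int(data["ssl"]["ssltottransactions"])


def monitor(nsip, user, password, interval=30, quiet_intervals=3, rounds=None):
    """Poll and print alerts; a poll failure is reported as an alert of its own."""
    samples, n = [], 0
    while rounds is None or n < rounds:
        try:
            samples.append(fetch_total_tx(nsip, user, password))
        except Exception as exc:
            print("ALERT: cannot poll %s (%s); management-plane SSL may be affected too" % (nsip, exc))
        if ssl_stalled(samples, quiet_intervals):
            print("ALERT: SSL transactions on %s flat for %d intervals; fail over and reboot as Secondary"
                  % (nsip, quiet_intervals))
        samples = samples[-(quiet_intervals + 8):]   # bounded window, enough history for had_traffic
        n += 1
        time.sleep(interval)


if __name__ == "__main__":
    import sys
    # Usage: python ssl_stall_monitor.py <nsip> <user> <password>
    monitor(sys.argv[1], sys.argv[2], sys.argv[3])
```

Three quiet 30-second intervals is a starting threshold; tune quiet_intervals to the box's normal traffic so a genuine lull outside business hours does not page anyone.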
