Citrix Workspace app for Mac and Windows OS fails with “cannot connect to the server” from the internet when connected externally

We observed that removing the response-rewrite policies made it possible to log in with LDAP only in Receiver.

However, we needed two-factor authentication and thus had to bind the policies.

With the response-rewrite policy bound (the one that sets the header "X-Citrix-AM-GatewayAuthType" = SMS), binding the policy that sets "PWDCount=0" made Receiver fail.

Entrust (SMS Passcode) reported back that on NetScaler version 12.x the policy must be replaced with the following:

add rewrite policy RWP-RES-REMOVE_2ND_PASSWORD "HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).EQ(\"/logon/LogonPoint/index.html\")" RWA-RES-REMOVE_2ND_PASSWORD

and a corresponding action:

add rewrite action RWA-RES-REMOVE_2ND_PASSWORD replace_all "HTTP.RES.BODY(99999)" q{"\r\n" + "<style type=\"text/css\">\r\n" + "[for=\"passwd1\"] { display: none;}\r\n" + "#passwd1 { display: none; }\r\n" + "</style>\r\n" + "\r\n" + "</body>\r\n" + "</html>\r\n"} -search "text(\"</body>\n</html>\")"
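To see what the replace_all action above actually matches and changes, here is a small Python model of it. This is an added example, not part of the original post or of the Entrust/Citrix configuration: the search text and the replacement string are taken from the action above, while the two logon-page bodies are constructed for the example and are not real LogonPoint output.

```python
# Added example: models the NetScaler replace_all rewrite action above.
# The search string and replacement come from the action; the HTML bodies
# below are constructed for the example and are not real LogonPoint output.

SEARCH = "</body>\n</html>"  # the -search text(...) clause: a literal match

REPLACEMENT = (
    "\r\n"
    '<style type="text/css">\r\n'
    '[for="passwd1"] { display: none;}\r\n'
    "#passwd1 { display: none; }\r\n"
    "</style>\r\n"
    "\r\n"
    "</body>\r\n"
    "</html>\r\n"
)


def rewrite_logon_body(body: str) -> str:
    """replace_all semantics: every literal occurrence of SEARCH is replaced."""
    return body.replace(SEARCH, REPLACEMENT)


def rewrite_applies(body: str) -> bool:
    """True only if the exact search text occurs, i.e. the policy changes anything at all."""
    return SEARCH in body


def second_password_field_present(body: str) -> bool:
    """The injected CSS only hides the field; the input element itself stays in the page."""
    return 'id="passwd1"' in body


# Constructed sample bodies: one with the LF-separated closing tags the search
# expects, one minified without them.
LOGON_PAGE = (
    "<html><body>\n"
    '<label for="passwd">Password</label><input id="passwd">\n'
    '<label for="passwd1">Passcode</label><input id="passwd1">\n'
    "</body>\n</html>"
)
MINIFIED_PAGE = '<html><body><input id="passwd"><input id="passwd1"></body></html>'
```

Only the first body is rewritten: the search is a literal string, so a page that does not end in exactly `</body>`, LF, `</html>` (minified, or using CRLF line endings) passes through unchanged, which is one reason a rewrite that works on one release can silently stop matching on another. Note also that the rewrite only hides the field visually; the passwd1 input is still in the DOM and is still part of the form the client submits.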


Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information.

The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information.

Cisco has released firmware updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info

Security Impact Rating: High

CVE: CVE-2019-1653


Re: Adding static route in Avamar

Hello All,

I don't know whether this is the right question to ask, but as a newbie to the Avamar product, I want someone to answer my question regarding adding static routes to Avamar (single node grid). Is it even possible?

We have two networks (network 1, network 2) which are isolated, but recently we decided to back up all the clients from network 2 to network 1. Since both networks are segregated, the networking team created a routing interface for devices in network 1 to talk to devices in network 2 and vice versa. So my question is: is it possible to add a static route in (Avamar) IDPA for all the devices in network 1 to talk to devices in network 2?

Note: the networking team did a ping test from all the routers (16) in network 2 to Avamar and to the routing interface; everything is reachable. Even the Avamar in network 1 can reach the routing interface that was created, but it cannot reach any router (16) in network 2. There are no firewalls on the routers in network 2. So what changes need to be made on Avamar/DD? Is it even possible?

I hope this makes sense. Let me know if you have any questions. I can provide more details if needed.

Thanks in Advance

PK



Placement of ProxySG in Network


Hello All,

This is regarding installing 2x ProxySG appliances in the network.

I'm new to ProxySG appliances and was wondering where would be best to place them in the existing network architecture: should they be installed between the Edge/Internet router and the perimeter firewall, or behind the perimeter firewall? The current purpose of the appliances is to perform content filtering for the users.


Performance issue is observed if USIP/RNAT + TCP Timestamp is enabled on Client machine as well as on NetScaler

1) When USIP + TCP timestamp is enabled on the NetScaler appliance (LB vserver and service) and TCP timestamp is also enabled on the client machine through the registry. RESULT: the appliance sends the same TSval to the back-end server on every segment and latency is observed. After the browser is refreshed, the appliance sends the TSval correctly to the back-end server and the requested page is displayed.

2) When USIP + TCP timestamp is enabled only on the appliance (LB vserver and service) and TCP timestamp is not enabled on the client. RESULT: the appliance sends the TSval correctly to the back end and no latency is observed.

3) When SNIP + TCP timestamp is enabled on the appliance (LB vserver and service) and TCP timestamp is enabled on the client. RESULT: the appliance sends the same TSval to the back-end server; however, no delay is observed.

4) The appliance also advertises an MSS of 1448 instead of 1460 when TCP timestamp is enabled on the appliance. The difference is the 12 bytes (10-byte option plus 2 bytes of NOP padding) that the TCP timestamp option occupies in every segment: 1460 - 12 = 1448.


How to Increase Seed Database Size for the URL Filtering Feature

Complete the installation of NetScaler release 12.0 build 53.110 and wait for the node to return to service after the reboot, then perform the following steps:

  1. Modify the file "/flash/boot/loader.conf", appending the following line:
netscaler.bsd_max_mem_mb=5000

After the change the file should look like this:

autoboot_delay=3
boot_verbose=0
kernel="/ns-12.0-53.110"
vfs.root.mountfrom="ufs:/dev/md0c"
console="vidconsole,comconsole"
netscaler.bsd_max_mem_mb=5000

This change is needed to accommodate the larger seed DB sizes available with the new SDK; without it the system cannot allocate the memory the larger sizes require.

  2. Reboot the node for the new setting to take effect.

  3. Change the seed DB size level to the maximum value with the "SeedDbSizeLevel" parameter:
> set urlfiltering parameter -SeedDbSizeLevel 5

The updated seed DB size takes effect on the next automatic seed DB update. The update schedule is defined by the HoursBetweenDbUpdates and TimeOfDayToUpdateDB parameters, and an update only occurs if a new version is available.

  4. Verify the downloaded seed DB size.

Once the seed DB update has completed successfully, check the "/var/gcf1/data" directory and verify that the size of fcdb.now matches (approximately) the configured CLI level.

NOTE: Steps 1 and 2 must be completed before step 3; otherwise the system cannot allocate the memory the larger sizes need.

With smaller DB sizes, fewer URLs are held locally, so the URL filtering feature is more likely to need lookups against the non-local DB over an Internet connection.
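As an added example (not part of the original article), here is a small Python helper for step 1 that edits the file idempotently. loader.conf is read top to bottom and a later key=value line overrides an earlier one, so blindly appending to a file that already carries the key leaves a stale, misleading duplicate behind. The sample content is the file shown above; the function names and the parsing rules in the comments are this example's own assumptions.

```python
# Added example: idempotent edit of a loader.conf-style file.
# Parsing rules assumed here: one key=value per line, '#' starts a comment,
# and a later assignment of the same key overrides an earlier one.

def parse_loader_conf(text: str) -> dict:
    """Return the effective settings (the last assignment of a key wins)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def ensure_setting(text: str, key: str, value: str) -> str:
    """Return text with key=value present exactly once; existing lines for key are replaced."""
    out, done = [], False
    for raw in text.splitlines():
        if raw.partition("=")[0].strip() == key:
            if not done:
                out.append(f"{key}={value}")
                done = True
            continue  # drop any further duplicates of the key
        out.append(raw)
    if not done:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


# The loader.conf contents from the article, before the change.
LOADER_CONF = """autoboot_delay=3
boot_verbose=0
kernel="/ns-12.0-53.110"
vfs.root.mountfrom="ufs:/dev/md0c"
console="vidconsole,comconsole"
"""

KEY, VALUE = "netscaler.bsd_max_mem_mb", "5000"
```

Running ensure_setting(LOADER_CONF, KEY, VALUE) yields the file shown in step 1; running it again on the result changes nothing, and a file that already had a lower value for the key ends up with a single corrected line rather than two competing ones.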


XenApp/XenDesktop 7.X NetScaler MAS Integration With Citrix Director Breaks On Group Policy Update

  • Once the NetScaler MAS integration is configured, the Network tab on the Trends page in Citrix Director shows latency and bandwidth effects for applications, desktops, and users across the deployment.

  • After a Director server reboot or a Group Policy update, the NetScaler MAS integration with Citrix Director breaks and the Network tab on the Trends page no longer shows the statistics.

  • Re-configuring the NetScaler MAS integration with Citrix Director fixes the issue until the next Group Policy update or Director server reboot.
  • The CDF traces show the following error:

DirectorService,_#dotNet#_,0,,1,CDF_NET_ERROR,"DirectorService:1:1:[t:53, s:gfmgwn5ibtsyl5yz10ritnx5] Loading plugin panel file C:\inetpub\wwwroot\Director\bin\..\DisplayConfig\HdxInsightPlugin\HdxInsightForUDPluginConfig.xml failed with exception failed to get configuration information and inner exception : The data is invalid.

DirectorService,_#dotNet#_,0,,1,CDF_NET_ERROR,"DirectorService:1:1:[t:53, s:gfmgwn5ibtsyl5yz10ritnx5] Loading plugin panel file C:\inetpub\wwwroot\Director\bin\..\DisplayConfig\HdxInsightPlugin\HdxInsightPluginConfig.xml failed with exception failed to get configuration information and inner exception : The data is invalid.


How to Use NetScaler Appliance to Avoid Layer 7 DDoS Attacks

You can use the Access Control List (ACL) functionality to block known “bad” IP addresses.

To block malicious network traffic, such as an HTTP DDoS, you can use any of the following NetScaler features:

    Access Control Lists

    To configure ACL on the NetScaler appliance, see Citrix Documentation – Access Control Lists.

    Run the following command to view details of the simple ACL:

    nsroot@ns> show simpleacl
    1) Name: block_bad_ip Action: DENY Hits: 6
       srcIP = 10.28.224.227 Protocol: TCP DestPort = 80 TTL: 3541(seconds)
    Done

    Simple ACLs live only in memory and expire after the TTL set when they are created (the entry above has 3541 seconds left), so they never appear in the running configuration; the appliance nevertheless watches for these source IP addresses and drops their traffic for as long as the entry exists. Because nothing is written to the configuration, simple ACLs are cheap in memory and quick to add.

    Run the following command to view the details of the extended ACL:

    nsroot@ns> show acl
    1) Name: ext_block_bad_ip Action: ALLOW Hits: 0
       srcIP = 100.0.0.0-101.0.0.255 destIP srcMac: Protocol: TCP srcPort destPort
       Vlan: Interface: Active Status: ENABLED Applied Status: APPLIED Priority: 10
       NAT: NO TTL: Log Status: DISABLED
    Done

    Extended ACLs are part of the running configuration and accept IP address ranges as a parameter.

    Run the following command to view the ACL in the running configuration:

    nsroot@ns> show run | grep acl
    add ns acl ext_block_bad_ip ALLOW -srcIP = 100.0.0.0-101.0.0.255 -protocol TCP -priority 10 -kernelstate SFAPPLIED61

    HTTP DoS Protection

    To configure HTTP Denial of Service (DoS) Protection feature on NetScaler appliance, see Citrix Documentation – HTTP Denial-of-Service Protection.

    Depending on the HTTP DoS policy settings and the surge-queue depth, the appliance answers requests with a JavaScript-based challenge instead of forwarding them, so that only clients able to execute it are served. The feature does not select by client IP address: the policy is activated for all clients once the number of queued connections exceeds the configured queue depth (qDepth).

    The client detect rate setting depends heavily on the customer environment; tune it to balance dropped valid requests against admitted invalid ones.

    Rate Limiting

    To configure Rate Limiting feature on NetScaler appliance, see Citrix Documentation – Rate Limiting.

    Rate Limiting is a good option because it provides the client IP address based control. But, you have to be careful, because on the internet many valid requests can originate from the same client IP address that has undergone Network Address Translation (NAT).

    The following sample configuration is based on the client IP address.

    Commands to configure the Rate Limiting feature:

    add ns limitSelector limit_selector_client_ip CLIENT.IP.SRC
    add ns limitIdentifier limit_identifier_client_ip -threshold 1000 -timeSlice 60000 -mode REQUEST_RATE -limitType SMOOTH -selectorName limit_selector_client_ip

    Note: One-minute time slice with a threshold of 1000 requests, keyed on the client IP address.

    Commands to add the Responder Policy by using a Named Expression:

    add policy expression expr_pol_CompanyA_SubDomain "HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"SubDomain.CompanyA.com\") && HTTP.REQ.URL.CONTAINS(\"/CompanyA/SubDomain/testurl\")"
    add responder policy pol_resp_CompanyA_SubDomain_client "expr_pol_CompanyA_SubDomain && SYS.CHECK_LIMIT(\"limit_identifier_client_ip\")" DROP NOOP
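    As an added example (not NetScaler code), the following Python model of the limitIdentifier above shows how REQUEST_RATE limiting keyed on CLIENT.IP.SRC behaves, and puts numbers on the NAT caveat: every user behind one translated address shares a single bucket. The BURSTY/SMOOTH semantics are modelled as stated in the comments and are a simplification of the appliance's own implementation; the request traces and addresses are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Added example: a simplified model of a NetScaler limitIdentifier in
# REQUEST_RATE mode keyed on the selector value (CLIENT.IP.SRC here).
# Assumptions of this model, not a description of the appliance internals:
#   BURSTY - up to `threshold` requests anywhere inside one time slice
#   SMOOTH - admitted requests spaced at least time_slice_ms/threshold apart


class RequestRateLimiter:
    def __init__(self, threshold: int, time_slice_ms: int, limit_type: str = "BURSTY"):
        self.threshold = threshold
        self.time_slice_ms = time_slice_ms
        self.limit_type = limit_type
        self._window: Dict[str, Tuple[int, int]] = {}  # key -> (slice start, count)
        self._last_allowed: Dict[str, float] = {}      # key -> time of last admitted request

    def check_limit(self, key: str, now_ms: int) -> bool:
        """Like SYS.CHECK_LIMIT: True when this request exceeds the limit."""
        if self.limit_type == "SMOOTH":
            interval = self.time_slice_ms / self.threshold
            last = self._last_allowed.get(key)
            if last is not None and now_ms - last < interval:
                return True
            self._last_allowed[key] = now_ms
            return False
        start, count = self._window.get(key, (now_ms, 0))
        if now_ms - start >= self.time_slice_ms:  # slice expired: start a new one
            start, count = now_ms, 0
        count += 1
        self._window[key] = (start, count)
        return count > self.threshold


def simulate(limiter: RequestRateLimiter, requests: Iterable[Tuple[str, int]]) -> Dict[str, int]:
    """Run (client_ip, time_ms) pairs through the limiter; return dropped requests per client IP."""
    dropped: Dict[str, int] = defaultdict(int)
    for ip, t in requests:
        if limiter.check_limit(ip, t):
            dropped[ip] += 1
    return dict(dropped)


# Constructed traffic: 30 users behind one NAT address each send 50 requests
# in a minute (1500 total from one IP), while a single user elsewhere sends 900.
NAT_TRAFFIC = [("203.0.113.5", i * 40) for i in range(1500)]
SINGLE_USER = [("198.51.100.7", i * 60) for i in range(900)]
```

    With the identifier values from the page (threshold 1000, time slice 60000 ms) in BURSTY mode, simulate(RequestRateLimiter(1000, 60000), NAT_TRAFFIC + SINGLE_USER) drops 500 of the NAT site's requests although no individual user there sent more than 50 per minute, and drops none from the single heavy user. In SMOOTH mode the same threshold admits at most one request every 60 ms per source, so a short legitimate burst from one client is throttled immediately rather than at the 1000th request.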

    Slow POST Protection

    Slow POST attacks (as described under Layer 7 DDoS) are handled natively by NetScaler software release 9.2 build 52.8 nCore or later, or 9.3 build 48.6 nCore or later.

    Until the appliance is upgraded, either of the following temporary workarounds can be used:

    Method 1

    Run the following commands to protect the back-end servers. The rewrite forces the appliance to buffer the whole request body, so the connection accumulates on the NetScaler appliance and nothing is forwarded to the server until the complete HTTP POST data has been received:

    add rewrite action reqrepall replace_all "http.req.body(999999)" http.req.method -search text("a_string_that_does_not_occur") -bypassSafetyCheck YES
    add rewrite policy reqrepall http.req.method.eq(POST) reqrepall

    Method 2

    In this method, rate limiting is used to control the flow of connections to the appliance.

    The responder policy references a rate limit identifier, so create the selector and identifier first:

    add ns limitSelector slowpostsel CLIENT.IP.SRC
    add ns limitIdentifier slowpostid1 -threshold 6 -timeSlice 10 -mode REQUEST_RATE -limitType SMOOTH -selectorName slowpostsel

    Then run the following commands to configure and bind the Responder Policy. The last command makes an undefined policy result a no-op, so an evaluation error does not itself reset client connections:

    add responder policy slowpostpol "SYS.CHECK_LIMIT(\"slowpostid1\")" RESET
    bind responder global slowpostpol 1 END -type REQ_DEFAULT
    set responder param -undefAction NOOP

    The following command has sample values that can be used when you add a Responder Policy:

    add responder policy DOS "HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.BODY(999999).LENGTH.GT(0)" NOOP

    Dropping Invalid HTTP Requests

    Usually the source of DDoS attacks does not use valid HTTP requests.

    If any of the following conditions is met for the HTTP header of the request, the request is treated as invalid:

    • The HTTP major version number is not in the range 0 through 9.

    • An HTTP response status code begins with a character outside the range 0 through 9.

    • A packet full of CR-LF/whitespace characters is received before the HTTP request line.

    • There is no URL after the HTTP request method.

    • There is no HTTP/ after the URL in the HTTP request line.

    • There is a space in the URL/request.

    • The number of held NetScaler buffers (NSBs) exceeds the configured limit.

    • The server sends more data than its Content-Length.

    • The Content-Length header has an invalid (non-numeric) value.

    • The request method is HTTP CONNECT.

    • There is no Host header in an HTTP/1.1 request.
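    The list above is a specification that can be checked mechanically. The following is an added Python example (not NetScaler code) that applies the request-side rules to a raw request and names the ones it violates; the rules about response status codes, held buffer counts and server-side Content-Length overruns need connection state and are left out. The sample requests are constructed, and the simplifications are stated in the comments.

```python
from typing import Dict, List

# Added example: applies the request-side rules above to a raw HTTP request.
# Simplifications (assumptions of this example): any whitespace before the
# request line is flagged regardless of length, header names are matched
# case-insensitively, and only the header block is examined.


def _parse_headers(lines: List[str]) -> Dict[str, str]:
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def invalid_request_reasons(raw: bytes) -> List[str]:
    """Return the rules the request violates; an empty list means it passes all of them."""
    reasons = []
    text = raw.decode("latin-1")
    if text[:1] in ("\r", "\n", " ", "\t"):
        reasons.append("CR-LF/whitespace before the request line")
        text = text.lstrip("\r\n \t")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if parts[0] == "CONNECT":
        reasons.append("CONNECT request method")
    if len(parts) < 2 or parts[1] == "":
        reasons.append("no URL after the request method")
        return reasons
    if len(parts) < 3:
        reasons.append("no HTTP/ after the URL")
        return reasons
    if len(parts) > 3:  # request line has more than method, URL and version
        reasons.append("space in the URL/request")
    version = parts[-1]
    if not version.startswith("HTTP/"):
        reasons.append("no HTTP/ after the URL")
    elif not version[5:6].isdigit():
        reasons.append("HTTP major version number not in 0-9")
    headers = _parse_headers(lines[1:])
    length = headers.get("content-length")
    if length is not None and not length.isdigit():
        reasons.append("non-numeric Content-Length value")
    if version == "HTTP/1.1" and "host" not in headers:
        reasons.append("no Host header in an HTTP/1.1 request")
    return reasons


# Constructed sample requests.
VALID = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SLOW_START = b"\r\n\r\n\r\nGET / HTTP/1.0\r\n\r\n"
BAD_LENGTH = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 12abc\r\n\r\n"
NO_HOST = b"GET /a b HTTP/1.1\r\n\r\n"
```

    Running the samples through invalid_request_reasons shows VALID passing, SLOW_START flagged for the leading CR-LFs, BAD_LENGTH for its Content-Length, and NO_HOST for both the embedded space and the missing Host header. The checker stops at the first rule that makes the request line unparseable (no URL, no version), since the later checks have nothing to work on.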
