Citrix Workspace app for Mac and Windows OS fails with “cannot connect to the server” from the internet when connected externally

We observed that removing the response-rewrite policies made it possible to log in with LDAP only in Receiver.

However, we needed two-factor auth and thus had to bind the policies.

With the response-rewrite policy bound (the one setting the header "X-Citrix-AM-GatewayAuthType" = SMS).

Binding the policy setting "PWDCount=0" made the Receiver fail.

Entrust – SMS Passcode reported back that if the NetScaler version is 12.x, the policy must be replaced with this:

add rewrite policy RWP-RES-REMOVE_2ND_PASSWORD "HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).EQ(\"/logon/LogonPoint/index.html\")" RWA-RES-REMOVE_2ND_PASSWORD

and a corresponding action:

add rewrite action RWA-RES-REMOVE_2ND_PASSWORD replace_all "HTTP.RES.BODY(99999)" "\"\r\n\"+\"<style type=\\\"text/css\\\">\r\n\"+\"[for=\\\"passwd1\\\"] { display: none;}\r\n\"+\"#passwd1 { display: none; }\r\n\"+\"</style>\r\n\"+\"\r\n\"+\"</body>\r\n\"+\"</html>\r\n\"" -search "text(\"</body>\n</html>\")"


How to create rewrite policies for security headers: XSS protection, HSTS, X-Content-Type-Options and Content-Security-Policy.

1. Create rewrite actions for each one of the headers. Go to AppExpert > Rewrite > Actions and click Add:


Rewrite actions:

add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""

add rewrite action rw_act_insert_XSS_header insert_http_header X-Xss-Protection "\"1; mode=block\""

add rewrite action rw_act_insert_Xcontent_header insert_http_header X-Content-Type-Options "\"nosniff\""

add rewrite action rw_act_insert_Content_security_policy insert_http_header Content-Security-Policy "\"default-src 'self' ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:\""

2. Create rewrite policies and link them to the actions. Go to AppExpert > Rewrite > Policies and click Add to create each policy:

Rewrite policies:

add rewrite policy enforce_STS true insert_STS_header

add rewrite policy rw_pol_insert_XSS_header "HTTP.RES.HEADER(\"X-Xss-Protection\").EXISTS.NOT" rw_act_insert_XSS_header

add rewrite policy rw_pol_insert_XContent TRUE rw_act_insert_Xcontent_header

add rewrite policy rw_pol_insert_Content_security_policy TRUE rw_act_insert_Content_security_policy

3. Bind policies to vserver on Response using Goto Expression NEXT:

Virtual server binding commands:

bind vpn vserver access -policy enforce_STS -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

bind vpn vserver access -policy rw_pol_insert_XSS_header -priority 110 -gotoPriorityExpression NEXT -type RESPONSE

bind vpn vserver access -policy rw_pol_insert_XContent -priority 120 -gotoPriorityExpression NEXT -type RESPONSE

bind vpn vserver access -policy rw_pol_insert_Content_security_policy -priority 130 -gotoPriorityExpression NEXT -type RESPONSE

Note: For SSL VPN, use the following Content-Security-Policy action instead:

add rewrite action Rewrite_Insert_Content-Security-Policy insert_http_header Content-Security-Policy "\"default-src 'self' ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' http://localhost:* data:;\""

The localhost exception is required because the browser passes the cookie and gateway information to the plugin with an HTTP call to localhost. With a CSP that allowed only 'self', only calls to the vserver would be permitted.

The AAAC cookie, gateway address and so on are passed with this call:

image.src = "http://localhost:"+agentPort+"/svc?NSC_AAAC="+ns_aaac+"&nsloc="+nsloc+"&nsversion=1,1,1,1&nstrace=DEBUG&nsvip=255.255.255.255";

so the change is only needed for img-src; that is enough for the communication between the browser and the plugin.

If the localhost exception is omitted, the browser may get stuck on the plugin download page.


How to Force Secure and HttpOnly Cookie Options for Websites Using NetScaler Appliance

Important! You cannot use the HttpOnly option when a web application needs to read cookie contents from a client-side script such as JavaScript or a client-side Java applet. With the method described in this article only server-generated cookies can be rewritten, not cookies generated by the NetScaler appliance itself (for example AppFirewall, persistence and VPN session cookies).

Also note that this procedure does not apply to VPN vservers.

To configure the NetScaler appliance to force the Secure and HttpOnly flags for an existing HTTP virtual server, complete the following steps:

Using NetScaler GUI

  1. Go to Rewrite > Actions, and then click Add to add a new rewrite action.

  2. Go to Rewrite > Policies, and then click Add to add a new rewrite policy.

  3. Go to Load Balancing > Virtual Servers, and then bind the Rewrite (Response) policy to the corresponding SSL vserver.

Using NetScaler CLI

  1. Create a rewrite action (this example sets both the Secure and HttpOnly flags; modify it as necessary for other combinations).

    add rewrite action act_cookie_Secure replace_all http.RES.full_Header "\"Secure; HttpOnly; path=/\"" -search "regex(re!(path=/\; Secure; HttpOnly)|(path=/\; Secure)|(path=/\; HttpOnly)|(path=/)!)" -bypassSafetyCheck YES

    This action replaces all instances of "path=/", "path=/; Secure", "path=/; Secure; HttpOnly" and "path=/; HttpOnly" with "Secure; HttpOnly; path=/". Note that this regex is case-sensitive and does not match if the case differs.

  2. Create a rewrite policy to trigger the action.

    add rewrite policy rw_force_secure_cookie "http.RES.HEADER(\"Set-Cookie\").EXISTS" act_cookie_Secure

  3. Bind the rewrite policy to the vserver to be secured (if the Secure option is used, it should be an SSL vserver).

    bind lb vserver mySSLVServer -policyName rw_force_secure_cookie -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

    Example:

    Before rewrite: < Set-Cookie: CtxsAuthId=C5614491; path=/Citrix/ProdWeb/

    After rewrite:  < Set-Cookie: CtxsAuthId=C5614491; Secure; HttpOnly; path=/Citrix/ProdWeb/
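As an added worked example (not code from the Citrix article), the following Python reproduces the act_cookie_Secure regex over a constructed response header block, so the before/after behaviour and the case-sensitivity caveat can be checked offline; the cookies other than CtxsAuthId are constructed samples.

```python
import re

# Python equivalent of the -search regex in act_cookie_Secure on the page. The
# alternatives are tried left to right, so the longer "path=/; Secure; HttpOnly"
# forms win before the bare "path=/" fallback.
COOKIE_PATH_RE = re.compile(
    r"(path=/; Secure; HttpOnly)|(path=/; Secure)|(path=/; HttpOnly)|(path=/)"
)
REPLACEMENT = "Secure; HttpOnly; path=/"


def force_secure_httponly(raw_headers: str) -> str:
    """Mirror of replace_all over http.RES.full_Header: every match, in every
    Set-Cookie line, becomes 'Secure; HttpOnly; path=/'. Like the NetScaler
    regex this is case-sensitive, so a capitalised 'Path=/' is left untouched."""
    return COOKIE_PATH_RE.sub(REPLACEMENT, raw_headers)


def cookie_attributes(set_cookie_value: str) -> dict:
    """Split one Set-Cookie value into {attribute: value}; flag attributes map to True."""
    attrs = {}
    for part in set_cookie_value.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.strip().lower()] = value.strip() or True
    return attrs


def audit_set_cookies(raw_headers: str) -> dict:
    """Return {cookie_name: [missing flags]} for every Set-Cookie line in a header block."""
    report = {}
    for line in raw_headers.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        value = line.split(":", 1)[1].strip()
        name = value.split("=", 1)[0].strip()
        attrs = cookie_attributes(value)
        report[name] = [f for f in ("secure", "httponly") if f not in attrs]
    return report


# Constructed sample response, modelled on the page's before/after example plus two
# extra cookies: one that already has HttpOnly and one with a capitalised 'Path='.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: CtxsAuthId=C5614491; path=/Citrix/ProdWeb/\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: legacy=1; Path=/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    rewritten = force_secure_httponly(SAMPLE_RESPONSE)
    print(rewritten)
    print(audit_set_cookies(rewritten))  # 'legacy' still lacks both flags
```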


How to Rewrite Server HTTP Response Codes to Redirect Clients to a Different Page

Redirecting the Client Requests to a Custom Page when the Backend Server returns the 404 Response Code

To redirect client requests to a custom page when the backend server returns the 404 response code, complete the following procedure:

  • Connect to the NetScaler appliance by using an SSH utility, such as PuTTY.
  • From the command line interface of the appliance, run the following command to create a rewrite action:
    add rewrite action sample_rewrite_action replace_http_res "\"HTTP/1.1 302 Temporary Redirect\nLocation: http://<Custom_Error_Page_Link>\n\n\""
  • Run the following command to create a rewrite policy:
    add rewrite policy sample_rewrite_policy "HTTP.RES.STATUS.EQ(404)" sample_rewrite_action
  • Run the following command to bind the policy globally:
    bind rewrite global sample_rewrite_policy 1
    Or bind it directly to a vserver instead of globally:
    bind lb vserver LB_VServer_Name -policyName sample_rewrite_policy -priority 100 -type RESPONSE

  Note: In the preceding commands, the 302 Temporary Redirect response code is used to redirect the client request to the customized page when the server returns a 404.

  Note: Ensure that the HTTP Rewrite feature of the NetScaler appliance is enabled.


“Q11827 HTTP Security Header Not Detected” on NetScaler Management IP Using Qualys Scan

Note:

1. This is a generic template applicable across NetScaler versions; some of these headers may not be needed on later versions. For version-specific configuration, review the Fiddler or browser dev-tools output while accessing the NetScaler management IP and apply only the Part 2 configuration for the headers that are missing.

2. Take a system backup before making any changes.

3. After making these changes, thoroughly check GUI access and the functionality of API-based monitoring tools (NMAS, Command Center, any other) against the NetScaler.


Part 1: Run the following commands at the shell prompt to enable the rewrite feature on the management IP and make the change persistent across reboots (on both primary and secondary):

nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0

cd /nsconfig

echo nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 >> rc.netscaler

cat rc.netscaler | grep skip_systemaccess


Part 2: Exit the shell and run the following commands at the > prompt (on the primary only; these commands sync to the secondary):

enable ns feature rewrite

add policy expression is_management_ip client.ip.dst.eq(SYS.NSIP)

add rewrite action insert_x-xss-protection_act insert_http_header X-XSS-Protection "\"1; mode=block\""

add rewrite action insert_x-content-type-options_act insert_http_header X-Content-Type-Options "\"nosniff\""

add rewrite action insert_x-frame-options_act insert_http_header X-Frame-Options "\"SAMEORIGIN\""

add rewrite action insert_x-hsts-header_act insert_http_header Strict-Transport-Security "\"max-age=157680000; includeSubDomains\""

add rewrite action insert_CSP_act insert_http_header Content-Security-Policy "\"frame-ancestors 'self'\""

add rewrite policy insert_x-xss-protection_pol "is_management_ip && http.RES.HEADER(\"X-XSS-Protection\").EXISTS.NOT" insert_x-xss-protection_act

add rewrite policy insert_x-content-type-options_pol "is_management_ip && http.RES.HEADER(\"X-Content-Type-Options\").EXISTS.NOT" insert_x-content-type-options_act

add rewrite policy insert_x-frame-options_pol "is_management_ip && http.RES.HEADER(\"X-Frame-Options\").EXISTS.NOT" insert_x-frame-options_act

add rewrite policy insert_x-hsts-header_pol "is_management_ip && http.RES.HEADER(\"Strict-Transport-Security\").EXISTS.NOT" insert_x-hsts-header_act

add rewrite policy insert_CSP_pol "is_management_ip && http.RES.HEADER(\"Content-Security-Policy\").EXISTS.NOT" insert_CSP_act

# Note: the priority numbers below may need to be changed so they do not conflict with existing globally bound policies.

bind rewrite global insert_x-xss-protection_pol 2 next -type RES_DEFAULT

bind rewrite global insert_x-content-type-options_pol 3 next -type RES_DEFAULT

bind rewrite global insert_x-frame-options_pol 4 next -type RES_DEFAULT

bind rewrite global insert_CSP_pol 5 next -type RES_DEFAULT

bind rewrite global insert_x-hsts-header_pol 6 next -type RES_DEFAULT
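As an added illustration (not code from the Citrix articles), the Python below models the response-side rewrite banks from this section and from the security-headers section earlier on the page: it shows that the unconditional enforce_STS rule appends a second Strict-Transport-Security header when the origin already sends one, while the EXISTS.NOT rules and the is_management_ip gate leave such responses alone. Policy and header names come from the page; the IP addresses and the evaluation model (rules checked against the original response, actions applied afterwards) are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Headers = List[Tuple[str, str]]  # ordered (name, value) pairs; duplicates allowed, as on the wire
Rule = Callable[[Dict[str, object]], bool]

def header_missing(name: str) -> Rule:
    """Mirror of HTTP.RES.HEADER("name").EXISTS.NOT (names compare case-insensitively)."""
    return lambda ctx: not any(h.lower() == name.lower() for h, _ in ctx["headers"])

def is_management_ip(rule: Rule) -> Rule:
    """The page's 'is_management_ip && <rule>' pattern, i.e. client.ip.dst.eq(SYS.NSIP)."""
    return lambda ctx: ctx["dst_ip"] == ctx["nsip"] and rule(ctx)

ALWAYS: Rule = lambda ctx: True  # the page's unconditional "true" / "TRUE" rules

@dataclass
class RewritePolicy:
    name: str
    priority: int
    rule: Rule
    header: str  # insert_http_header name
    value: str   # insert_http_header value

def evaluate_bank(policies: List[RewritePolicy], headers: Headers,
                  dst_ip: str, nsip: str) -> Tuple[Headers, List[str]]:
    """Model of a response rewrite bank bound with goto NEXT (assumed model: every rule
    is evaluated in priority order against the original response, then the selected
    insert_http_header actions are appended in that order). Returns headers and hits."""
    ctx = {"headers": list(headers), "dst_ip": dst_ip, "nsip": nsip}
    hits = [p for p in sorted(policies, key=lambda p: p.priority) if p.rule(ctx)]
    return headers + [(p.header, p.value) for p in hits], [p.name for p in hits]

def count_header(headers: Headers, name: str) -> int:
    return sum(1 for h, _ in headers if h.lower() == name.lower())

# Constructed from the page's vserver commands: enforce_STS is unconditional, the XSS one is not.
VSERVER_BANK = [
    RewritePolicy("enforce_STS", 100, ALWAYS, "Strict-Transport-Security", "max-age=157680000"),
    RewritePolicy("rw_pol_insert_XSS_header", 110, header_missing("X-Xss-Protection"),
                  "X-Xss-Protection", "1; mode=block"),
]
# Constructed from the management-IP commands: gated on the NSIP and on EXISTS.NOT.
NSIP_BANK = [
    RewritePolicy("insert_x-frame-options_pol", 4, is_management_ip(header_missing("X-Frame-Options")),
                  "X-Frame-Options", "SAMEORIGIN"),
]
```

Responses to a VIP (dst_ip != nsip) are never touched by NSIP_BANK, which is the intended scope of the Qualys fix.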


How to have a random Background Image on NetScaler Gateway Page

1) Create a folder at and deposit your contents – label them desktop_0x.jpg:

2) Create a portal theme based on X1 and edit the background image to desktop_01.jpg (select image, upload it):


3) Bind the portal theme to NSG.

4) Then create the following action and policy (note that these commands are for the CLI, as they escape special characters):

>add rewrite action rewrite_image_background replace HTTP.REQ.URL.PATH_AND_QUERY "\"/logon/themes/custom_media_test/desktop_0\"+sys.RANDOM.MUL(7).ADD(1).TYPECAST_NUM_AT+\".jpg\""

>add rewrite policy rewrite_background_request "http.REQ.URL.CONTAINS(\"desktop_01.jpg\")" rewrite_image_background


5) Bind the rewrite policy to the NetScaler Gateway.


6) Go to the NetScaler Gateway URL and refresh the page. You should get a random image every time you refresh.

How URL rewriting works in DataPower, specifically the effect of "URL Rewrite Direction"

What is the effect of assigning “Response” to “URL Rewrite Direction” to a URL rewrite policy?

Can we use URL rewrite policy to rewrite Backend URL?

Does it only rewrite statically defined “Default Backend URL” or has capability to dynamically defined “Backend URL”?

According to the documentation https://www.ibm.com/support/knowledgecenter/en/SS9H2Y_7.5.0/com.ibm.dp.doc/urlrewritepolicy.html, URL rewriting policy is invoked before processing which implies we will not be able to rewrite dynamically defined “Backend URL”. Is this true?

If we can’t use URL Rewrite policy to rewrite the backend URL what is the purpose of having “Response” value as an option for “URL Rewrite Direction”? If you could share use cases it will be helpful.


Re-evaluate after rewrite


I have an action to rewrite a URL, removing the path portion of the request:

<Proxy "fc rewrites">
    client.address=fcServer client.protocol=https action.fcRewrite(yes)

define action fcRewrite
    rewrite(url, "^https://(.+?)/.+$", "https://$(1)")
end action fcRewrite

On policy trace, it appears the original URL is evaluated by policy and the appropriate action taken; only the rewritten URL is sent to the OCS. I need the rewritten URL to be re-evaluated by policy. Is this even possible?

Thanks all!
