Citrix SSL Forward Proxy's default authorization is ALLOW ANY instead of DENY ANY

As per the current design, the DEFAULT authorization of Citrix SSL Forward Proxy is ALLOW ANY instead of DENY ANY. An enhancement request has therefore been filed with the Citrix development team.

While the Citrix development team works on the enhancement request to make the DEFAULT authorization DENY ANY, the configuration snippet below provides a workaround that achieves the same requirement (i.e. a default of DENY ANY).

Sample Configuration Snippet:

———————————————-

The configuration below handles every request that arrives with a port value in the URL or in the Host header, and denies access when the destination port is not :443 or :80.

NOTE: In addition to :443 and :80 as bound in the patset below, you can also bind any further ":<port number>" entry that must be allowed through the Citrix ADC proxy.

> add patset allowed_ports
> bind policy patset allowed_ports ":443"
> bind policy patset allowed_ports ":80"
> add responder policy web_only '(HTTP.REQ.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.HOSTNAME.PORT.EQUALS_ANY("allowed_ports").NOT) || (HTTP.REQ.URL.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.URL.HOSTNAME.PORT.EQUALS_ANY("allowed_ports").NOT)' RESET
> bind cs vserver SSL-FORWARDPROXY-Vserver -policyName web_only -priority 10
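To see exactly what the workaround does and does not block, the following added example (not Citrix code and not part of the original article) re-implements the allow/deny decision of the patset and the responder policy in plain Python, so it can be exercised on constructed requests without an ADC. The function names, the sample requests, and the assumption that a port is represented as the ":<port>" text form used by the patset entries are all assumptions of this example, not taken from the article.

```python
"""Offline emulation of the 'web_only' responder-policy workaround shown above.

Added example, not Citrix code: it re-implements in plain Python the allow/deny
decision that the patset 'allowed_ports' and the responder policy 'web_only' make,
so the behaviour can be exercised on constructed requests without an ADC.
Assumptions (not from the article): the function names below, and that a port is
represented as the ':<port>' text form that the patset entries use.
"""
import re
from urllib.parse import urlsplit

# Equivalent of the 'allowed_ports' patset: explicit ports the forward proxy may reach.
ALLOWED_PORTS = {":443", ":80"}

_PORT_TAIL = re.compile(r":(\d+)$")


def port_suffix(host_value: str) -> str:
    """Return the ':<port>' suffix of a host[:port] value, or '' if no port is present.

    Mirrors HOSTNAME.PORT combined with LENGTH.GT(1): an absent port yields ''.
    A bracketed IPv6 literal such as '[::1]:8443' is handled so the address's own
    colons are not mistaken for the port separator.
    """
    host_value = host_value.strip()
    if host_value.startswith("["):
        close = host_value.find("]")
        if close == -1:
            return ""
        tail = host_value[close + 1:]
    elif host_value.count(":") == 1:
        tail = host_value[host_value.index(":"):]
    else:
        tail = ""
    match = _PORT_TAIL.match(tail)
    return ":" + match.group(1) if match else ""


def url_port_suffix(url: str) -> str:
    """Port suffix from an absolute-form request URL (the HTTP.REQ.URL.HOSTNAME.PORT side).

    Origin-form URLs such as '/index.html' have no host part and therefore no port.
    """
    try:
        netloc = urlsplit(url).netloc
    except ValueError:
        return ""
    return port_suffix(netloc) if netloc else ""


def web_only_decision(host_header: str, request_url: str) -> str:
    """Return 'RESET' or 'ALLOW' for one request, as the policy expression decides.

    Either location (Host header or URL) carrying a port that is not in the patset
    triggers RESET. A request with no explicit port in either place never matches the
    policy and falls through to the proxy's default of ALLOW ANY: the workaround only
    constrains ports that are stated explicitly.
    """
    for suffix in (port_suffix(host_header), url_port_suffix(request_url)):
        if len(suffix) > 1 and suffix not in ALLOWED_PORTS:
            return "RESET"
    return "ALLOW"


if __name__ == "__main__":
    # Constructed requests, not taken from the article.
    samples = [
        ("example.com:443", "http://example.com:443/"),
        ("example.com:8443", "http://example.com:8443/"),
        ("example.com", "/index.html"),
        ("[::1]:22", "/"),
    ]
    for host, url in samples:
        print(f"Host={host!r:22} URL={url!r:30} -> {web_only_decision(host, url)}")
```

The third sample is the case to keep in mind when relying on this workaround: a request that states no port at all is never evaluated against the patset, so it is handled by the proxy's default authorization rather than by this policy.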


Citrix Access Gateway OAuth IDP: "Failed to login the user due to insufficient claims. Please contact your administrator"

A customer configured Citrix Access Gateway as an OAuth IDP with Workspace in Citrix Cloud. After user authentication completed, users received the error shown below:

"Failed to login the user due to insufficient claims. Please contact your administrator"

The attributes sent by Citrix Access Gateway (OAuth IDP) can be seen in /var/log/ns.log.

In the log snippet below, the attributes sent by Citrix Access Gateway (OAuth IDP), such as name, UPN, CIP and SID, are BLANK.

ns.log:

=======

Nov 6 13:55:09 <local0.info> XX.XX.XX.XX 06/11/2019:12:55:09 0-PPE-0 : default AAATM Message 3795 0 : "OAUTHIDP: CC IDTOKEN: user: <test@example.com>'s claims are: sub:, name:, upn:, email:, ctx_auth_alias:, cip_domain:, cip_forest: sid:, oid:, amr:["otp"], nonce:637085983001757588.Mjg2NWQ2YWMtZDI5OC00ZjQ4LTk0NDQtNTJlM2I1ZmVlNjBlOGQ0NzQ0OWUtNjZlMi00NjI0LWIzMWQtNTNjYzMzY2VkYzk0, familyname:, givename:, domain: , groups len 0
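Spotting this symptom by eye in a busy ns.log is error-prone, so the following added example (not Citrix code and not part of the original article) parses the claim list out of an OAUTHIDP "CC IDTOKEN" line and reports which required claims are blank. The function names, the REQUIRED_CLAIMS list, and the sample log lines (constructed to follow the format of the line above, with placeholder values) are assumptions of this example.

```python
"""Detect OAUTHIDP IDTOKEN log lines whose claims are empty (the ns.log symptom above).

Added example, not Citrix code. Assumptions (not from the article): the function
names, the REQUIRED_CLAIMS list, and the constructed sample lines, which follow the
format of the log line on the page with placeholder values.
"""
import re

# Claims that Workspace needs populated; the article lists name, UPN, CIP and SID as blank.
REQUIRED_CLAIMS = ("sub", "name", "upn", "email", "sid")

# key:value pairs. A value is either a bracketed list such as ["otp"] or a run of
# characters up to the next comma, space or colon; the negative lookahead stops a
# following key (as in 'cip_forest: sid:') from being swallowed as a value.
_CLAIM_RE = re.compile(r'(\w+):\s*(\[[^\]]*\]|(?!\w+:)[^,\s:]*)')
_MARKER = "claims are:"


def parse_claims(line: str) -> dict:
    """Return {claim_name: value} for an OAUTHIDP 'CC IDTOKEN' log line, or {} otherwise."""
    if "OAUTHIDP" not in line or _MARKER not in line:
        return {}
    body = line.split(_MARKER, 1)[1]
    return {key: value for key, value in _CLAIM_RE.findall(body)}


def missing_claims(line: str) -> list:
    """Names of REQUIRED_CLAIMS that are absent or blank in the line, in REQUIRED_CLAIMS order."""
    claims = parse_claims(line)
    if not claims:
        return []
    return [name for name in REQUIRED_CLAIMS if not claims.get(name)]


def scan_log(lines) -> list:
    """Return (line_number, missing_claim_names) for every IDTOKEN line with blank required claims."""
    findings = []
    for number, line in enumerate(lines, start=1):
        missing = missing_claims(line)
        if missing:
            findings.append((number, missing))
    return findings


# Constructed sample lines (placeholder values), modelled on the ns.log format above.
HEALTHY_LINE = (
    'Nov 6 13:50:01 <local0.info> XX.XX.XX.XX 06/11/2019:12:50:01 0-PPE-0 : default AAATM '
    'Message 3790 0 : "OAUTHIDP: CC IDTOKEN: user: <test@example.com>\'s claims are: '
    'sub:abc123, name:Test_User, upn:test@example.com, email:test@example.com, '
    'ctx_auth_alias:, cip_domain:example.com, cip_forest:example.com, sid:S-1-5-21-PLACEHOLDER, '
    'oid:OID_PLACEHOLDER, amr:["pwd"], nonce:NONCE_PLACEHOLDER, familyname:User, '
    'givename:Test, domain:example.com, groups len 2'
)
BLANK_LINE = (
    'Nov 6 13:55:09 <local0.info> XX.XX.XX.XX 06/11/2019:12:55:09 0-PPE-0 : default AAATM '
    'Message 3795 0 : "OAUTHIDP: CC IDTOKEN: user: <test@example.com>\'s claims are: '
    'sub:, name:, upn:, email:, ctx_auth_alias:, cip_domain:, cip_forest: sid:, oid:, '
    'amr:["otp"], nonce:NONCE_PLACEHOLDER, familyname:, givename:, domain: , groups len 0'
)
SAMPLE_LOG = [HEALTHY_LINE, BLANK_LINE, "Nov 6 13:55:10 <local0.info> XX.XX.XX.XX unrelated message"]


if __name__ == "__main__":
    for number, missing in scan_log(SAMPLE_LOG):
        print(f"line {number}: blank required claims -> {', '.join(missing)}")
```

A finding from scan_log points at the IDP side: the claims are empty when the token is issued, so the attribute mapping on the Gateway (not the Workspace side) is where to look.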


Update version release to replace Citrix ADC VPX 12.1-55.18 – Citrix Service Provider program

This article describes the release of solution build 12.1-55.237.

Solution

In accordance with the license server certificate renewal, a new build of Citrix ADC* VPX (CSP) has been released.

This build, 12.1-55.237, is based on the existing 12.1-55.18. Only the license communication component is updated; all other features are unchanged.

*) Formerly NetScaler

Applicable Products

Citrix ADC VPX 10 – Standard Edition for Service Providers

Citrix ADC VPX 50 – Standard Edition for Service Providers

Citrix ADC VPX 200 – Standard Edition for Service Providers

Citrix ADC VPX 1000 – Standard Edition for Service Providers

Citrix ADC VPX 3000 – Standard Edition for Service Providers


ADM and Director integration missing network HDX data: error "No details are available" or blank page

Running Citrix ADM 13.0 (latest) and attempting to integrate the network function into our Citrix Director 1912.

Attempted to use both HTTP and HTTPS.

With HTTP, the Network tab in Director is blank.

With HTTPS, it says "No details are available".

The following guide was used: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/director/hdx-insight.html

Using HTTPS:

The network capture shows that the Director server sends a FIN and interrupts the TLS handshake with the ADM server.

TLS flow request from ADM server
==========================

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: New Session Ticket
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 170
        Handshake Protocol: New Session Ticket
    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message
    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 96
        Handshake Protocol: Encrypted Handshake Message

TLS response from Director server
==========================

Transmission Control Protocol, Src Port: 52282, Dst Port: 443, Seq: 342, Ack: 4300, Len: 0
    Source Port: 52282
    Destination Port: 443
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence Number: 342 (relative sequence number)
    Sequence Number (raw): 1163837986
    [Next Sequence Number: 343 (relative sequence number)]
    Acknowledgment Number: 4300 (relative ack number)
    Acknowledgment number (raw): 1444382645
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x011 (FIN, ACK)
    Window: 512
    [Calculated window size: 131072]
    [Window size scaling factor: 256]
    Checksum: 0xb928 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [SEQ/ACK analysis]
    [Timestamps]

When using HTTP: the browser shows a blank page, with no errors or details.



Workspace app for iOS: error "EAP is activated and not supported on IOS" when connecting through NetScaler Gateway

This article is intended for Citrix administrators and technical teams only.

Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information.

Users are unable to connect using Workspace app for iOS through NetScaler Gateway. Windows and macOS connect successfully with the Workspace app, and Receiver for iOS also works correctly. If the manual configuration with the URL https://baseurl/citrix/store/discovery is used, the error message "EAP is activated and not supported on IOS" is displayed, although EAP is not used on this Gateway. If the automatic configuration with the base URL is used, the error messages "Cannot add account" and "All stores in the discovery document have been loaded" are displayed. In both scenarios, adding the account fails.
