Cannot ‘Allow’ Citrix system file extensions when installing CF for Mac

Grab a copy of the database

  • The path is: /var/db/SystemPolicyConfiguration/. See the screenshot below for the required files:
  • Check if the kernel extension is allowed as shown below:
  • If it is allowed, then perform the steps highlighted below.

To fix the “Drive Unavailable” error, perform the following steps:

  1. Start up the Mac in recovery mode.
  2. Click the Utilities menu and select Terminal.
  3. Enter the following command:
    • /usr/sbin/spctl kext-consent add TEAMID
    • Example: For Citrix the command would be: /usr/sbin/spctl kext-consent add S272Y5R93J
  4. Press Enter.
  5. Close the Terminal app and restart.

If the issue persists, trigger the prompt by loading the kernel extension manually:

sudo kextutil -t /Library/Filesystems/ctxfuse.fs/Contents/Extensions/10.12/ctxfuse.kext/

Note: Older builds (20.9 or earlier) can use sudo kextutil -t /Library/Filesystems/ctxfuse.fs/Contents/Extensions/10.11/ctxfuse.kext/

After running this command, open the Security pane in System Preferences and see if you can approve the prompt.


If you encounter the “Unable to stage kext” error while running the above command, perform the action items below:


  1. As suggested here, run the command below (the volume path contains a space, so it must be quoted):
    • chflags restricted "/Volumes/Macintosh HD/private/var/db/KernelExtensionManagement"
  2. People who have run into the staging error have also reported that upgrading to macOS 10.15 Catalina fixes the issue.


Error: “Cannot connect to server: please check network and try again” on Receiver

The request for resources/list can be very time consuming and can take up to 30 seconds in the worst cases (depending on the performance of the network, the StoreFront server, or other components). This can cause a timeout in the Receiver UI even though the response has been received successfully on the Receiver side.

Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

We can figure out whether this issue is caused by network latency by adding the following registry key on the client:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Dazzle

Reg_SZ WebUILoadingWatchDogTimeoutMs

WebUILoadingWatchDogTimeoutMs controls the timeout value of watchdog.

Alternatively, turn off the Unified Experience in StoreFront (if Receiver 4.4 is being used).


Cisco IOS XE Software DECnet Phase IV/OSI Denial of Service Vulnerability

A vulnerability in the DECnet Phase IV and DECnet/OSI protocol processing of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient input validation of DECnet traffic that is received by an affected device. An attacker could exploit this vulnerability by sending DECnet traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-decnet-dos-cuPWDkyL

This advisory is part of the March 2021 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2021-1352


Cisco IOS and IOS XE Software Common Industrial Protocol Privilege Escalation Vulnerability

A vulnerability in the CLI command permissions of Cisco IOS and Cisco IOS XE Software could allow an authenticated, local attacker to retrieve the password for Common Industrial Protocol (CIP) and then remotely configure the device as an administrative user.

This vulnerability exists because incorrect permissions are associated with the show cip security CLI command. An attacker could exploit this vulnerability by issuing the command to retrieve the password for CIP on an affected device. A successful exploit could allow the attacker to reconfigure the device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-XE-SAP-OPLbze68

This advisory is part of the March 2021 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2021-1392


How to Pass the Client's Source Port to the Backend Server When Accessed Through NetScaler

To achieve this, we would have to disable the Use Proxy Port option.

To configure the Use Proxy Port setting on a service by using the configuration utility:

  1. Navigate to Traffic Management > Load Balancing > Services, and open a service.
  2. In Advanced Settings, select Traffic Settings, and unselect Use Proxy Port.

To configure the Use Proxy Port setting on a service by using the CLI:

At the command prompt, type:

set service svc -useproxyport NO

The Use Proxy Port option works only when the Use Source IP / Use Client IP option is enabled on the Service / Service Group respectively.

Also, this option is enabled by default for TCP-based service types, such as TCP, HTTP, and SSL.

Disabling it allows the backend server to see the client IP and the source port from which the client tries to connect.


ADC | GUI Access lost after firmware upgrade

In many environments, the COVID situation caused a spike in access to VPN-based services, and in some situations the VPN / AAA login page was slow to load. To mitigate this problem, some changes were made to the httpd.conf file (https://support.citrix.com/article/CTX255947).

With a customized httpd.conf (for the above or any other reason), GUI issues can occur. An excerpt from the article follows.

WARNING – Following the above solution might result in issues with future firmware upgrades.

When you apply the above configuration, the httpd.conf will not be updated during a future firmware upgrade. This could cause the GUI to become completely unavailable.

If this occurs, you must delete the file /nsconfig/httpd.conf (on both primary and then secondary node), reboot the ADC, and then reapply the below settings.

A clear indicator of this issue is that running “ps aux | grep httpd” in shell mode shows no httpd processes running.
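The check described above, as an added example that is not part of the original article and is not Citrix code: it counts httpd processes in `ps aux` output without counting the grep process itself, and reports whether a customized httpd.conf is present. The function names, the result labels, and the assumption that the command is field 11 of `ps aux` output are specific to this example.

```shell
# count_httpd: read `ps aux` text on stdin, print the number of httpd processes.
# Field 11 is the command; comparing its basename to "httpd" avoids counting
# the "grep httpd" process that a plain `ps aux | grep httpd` also matches.
count_httpd() {
    awk '{ n = split($11, p, "/"); if (p[n] == "httpd") c++ } END { print c + 0 }'
}

# diagnose_gui PS_FILE [CONF]: classify the state of the management GUI.
# CONF defaults to the customized file location named in the article.
diagnose_gui() {
    running=$(count_httpd < "$1")
    conf=${2:-/nsconfig/httpd.conf}
    if [ "$running" -gt 0 ]; then
        echo "ok"                          # httpd is running
    elif [ -f "$conf" ]; then
        echo "httpd_down_custom_conf"      # matches the failure described above
    else
        echo "httpd_down_no_custom_conf"   # httpd is down for another reason
    fi
}

# Constructed sample: process list on a unit where only grep mentions httpd,
# plus an empty stand-in for the customized configuration file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ps.txt" <<'EOF'
USER   PID %CPU %MEM   VSZ  RSS TT STAT STARTED    TIME COMMAND
root  1042  0.0  0.1  9120 2100 ?? Ss   10:01AM 0:00.10 /usr/sbin/sshd
root  2311  0.0  0.0  6500 1200 p0 S+   10:15AM 0:00.00 grep httpd
EOF
: > "$demo_dir/httpd.conf"
diagnose_gui "$demo_dir/ps.txt" "$demo_dir/httpd.conf"
rm -rf "$demo_dir"
```

On a live unit the equivalent call is `ps aux > /tmp/ps.txt; diagnose_gui /tmp/ps.txt`, which checks /nsconfig/httpd.conf by default.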


Debug invalid_request


Hello fellows,

Is there any way we can debug requests that are denied because of an invalid_request? For example, to see if a header is malformed and in what way.

For HTTP connections we can of course capture the whole connection stream, but what about HTTPS connections? Is there a debug log where ProxySG is providing such information?
