Citrix SSL Forward proxy’s Default authorization is to ALLOW ANY instead of DENY ANY

As per the current design, the DEFAULT authorization of the Citrix SSL forward proxy is ALLOW ANY instead of DENY ANY. An enhancement request has therefore been filed with the Citrix development team.

While the Citrix development team works on the enhancement request to make the DEFAULT authorization DENY ANY, the configuration snippet below is a workaround that achieves the same requirement (i.e. default DENY ANY).

Sample Configuration Snippet:

———————————————-

The configuration below handles every request that carries an explicit port in the URL or in the Host header and denies access when that port is not :443 or :80.

NOTE: In addition to :443 and :80, as shown in the patset below, add a ":<port number>" entry to the patset for every other port that should be allowed through the Citrix ADC proxy.

> add patset allowed_ports
> bind policy patset allowed_ports ":443"
> bind policy patset allowed_ports ":80"
> add responder policy web_only '(HTTP.REQ.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.HOSTNAME.PORT.EQUALS_ANY("allowed_ports").NOT) || (HTTP.REQ.URL.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.URL.HOSTNAME.PORT.EQUALS_ANY("allowed_ports").NOT)' RESET
> bind cs vserver "SSL-FORWARDPROXY Vserver" -policyName web_only -priority 10
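The decision the responder policy above makes, modelled as an added Python example (not NetScaler code and not part of the article); it assumes the policy sees the Host header and the URL host as plain strings, and it shows the caveat that the workaround only judges explicit ports, so a request with no port in either place is not denied.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the article's "allowed_ports" patset. Entries keep
# the leading ':' because EQUALS_ANY is an exact string match, so ":4433"
# does not match ":443".
ALLOWED_PORTS = {":443", ":80"}

def explicit_port(host):
    """Return ':<port>' when the host string carries an explicit port,
    else '' (models HOSTNAME.PORT.LENGTH.GT(1) being false)."""
    m = re.match(r"^(\[[^\]]*\]|[^:]+)(:\d+)?$", host or "")
    if not m or not m.group(2):
        return ""
    return m.group(2)

def url_host(method, url):
    """Host part of the request-target (models HTTP.REQ.URL.HOSTNAME)."""
    if method == "CONNECT":          # authority-form: "host:port"
        return url
    if "://" in url:                 # absolute-form: "http://host:port/path"
        return urlsplit(url).netloc
    return ""                        # origin-form ("/path") carries no host

def decide(method, url, host_header):
    """RESET when the Host header or the URL host carries an explicit port
    that is not in allowed_ports; otherwise the request is allowed."""
    for host in (host_header, url_host(method, url)):
        port = explicit_port(host)
        if len(port) > 1 and port not in ALLOWED_PORTS:
            return "RESET"
    return "ALLOW"

if __name__ == "__main__":
    # Constructed sample requests: (method, request-target, Host header)
    samples = [
        ("CONNECT", "example.com:443", "example.com:443"),
        ("GET", "http://example.com:8080/", "example.com:8080"),
        ("GET", "/", "example.com:4433"),
        ("CONNECT", "[2001:db8::1]:22", "[2001:db8::1]:22"),
        ("GET", "/index.html", "example.com"),   # no explicit port: not denied
    ]
    for method, url, host in samples:
        print(f"{decide(method, url, host):5} {method} {url} Host: {host}")
```

The last sample is the case to keep in mind: the policy never sees a port to compare, so the request passes and the proxy's ALLOW ANY default still applies to it.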


Update version release to replace Citrix ADC VPX 12.1-55.18 – Citrix Service Provider program

This article describes the release of solution build 12.1-55.237.

Solution

In conjunction with the license server certificate renewal, a new build of Citrix ADC* VPX (CSP) has been released.

This build, 12.1-55.237, is based on the existing 12.1-55.18. Only the license communication component is updated; all other features are unchanged.

*) Former Netscaler

Applicable Products

Citrix ADC VPX 10 – Standard Edition for Service Providers

Citrix ADC VPX 50 – Standard Edition for Service Providers

Citrix ADC VPX 200 – Standard Edition for Service Providers

Citrix ADC VPX 1000 – Standard Edition for Service Providers

Citrix ADC VPX 3000 – Standard Edition for Service Providers


Error: “Certificate with key size greater than RSA512 or DSA512 bits not supported” on NetScaler

To resolve this issue, apply one or both of the following resolutions, as required:

After applying the required resolution, the additional ciphers are available and you can add a certificate with a key size greater than 512 bits. The NetScaler appliance supports certificates with key sizes of 512, 1024, 2048, and 4096 bits.
