How Do I Setup TLS_FALLBACK_SCSV On NetScaler?

Use Case

Protect server against POODLE attack by preventing the protocol downgrade attack.

Introduction to TLS_FALLBACK_SCSV

POODLE attack is a man-in-the-middle attack in which an attacker takes advantage of the fall back behaviour of clients (including browsers) to attack servers which support SSL 3.0 and CBC encryption mode.

User-added image

Most SSL/TLS implementations are backward compatible with SSL 3.0 to interoperate with legacy systems. A POODLE attacker leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. He can trigger a connection failure and then force the use of SSL 3.0 and attempt an attack.

User-added image

To mitigate the POODLE attack, one approach is to completely disable SSL 3.0 on the client side and the server side. However, some old clients and servers do not support TLS 1.0 and above, so disabling SSL 3.0 might not be possible. The solution to this problem is that the browsers and servers should implement TLS_FALLBACK_SCSV which makes downgrade attacks impossible. This is how it works – browsers support a downgrade mechanism in the form of Signaling Cipher Suite Value (SCSV). After a session fails during the initial handshake, the browser will retry, but attempts on version one lower than before. For example, after failing to connect to a server with the max version set to TLS 1.1, the client would retry with the max version set to TLS 1.0. This mechanism basically ensures connectivity but lowers down the security and makes the session vulnerable.

The presence of this SCSV extension in the Client Hello indicates that the client is retrying to connect to the server by using a lower SSL version, after its previous attempt to communicate with a higher version failed. Therefore, if the server finds this extension in Client Hello and also finds that the client is proposing a version that is lower than the maximum version supported by the server, it is a likely indication of a “man in the middle attack” The server drops such handshakes.

Qualys SSL Labs, which test servers and browsers for SSL vulnerabilities, mandates a server to support TLS_FALLBACK_SCSV to get A+ rating.

Related:

XenApp URL Redirection Does Not Work

The multi-string value “ValidSites” when entered into the registry creates a “whitelist” of URLs to be redirected, but when the key is left in blank, with no URLs or values listed, it will prevent any URLs from redirecting to the client device.

As per http://support.citrix.com/article/CTX106094 “…When specifying sites with the valid sites registry key, all the URLs that are not in the list, open in the server….”

Related:

MDX managed apps cannot open links properly so that apps which are not managed launch automatically

Solution: use MDX app policies to configure the desired outcome. The specific steps listed on this article achieve success.

App URL Schemes can be misunderstood or easily confused sometimes. These steps can help you with configuration problems….

The following details and points will help for you to configure ‘any’ such app appropriately on your server also:

Secure Web MDX Configuration:

No specific configuration is needed with Secure Web. The following default settings can be used with Secure Web MDX, for the purposes of this example:

App URL schemes:

ctxmobilebrowser:,ctxmobilebrowsers:,ctxmobilebrowserappstore:

(For reference, these are those App URL Schemes which Secure Web will register with iOS as being handled by the Secure Web app itself).

Allowed URLs:

^http:,^https:,^mailto:=ctxmail:,+^ctxmailex:,+^ctxmailex2:,+^citrixreceiver:,+^telprompt:,+^tel:,+^col-g2m-2:,+^col-g2w-2:,+^col-g2t-2:,+^maps:ios_addr,+^mapitem:,+^itms-services:,+^itms-apps:,+^itms-appss:,+^ctx-sf:,+^lmi-g2m:,+^lync:

(For reference, these are the App IDs and also the App URL Schemes which Secure Web will be allowed to process. One outcome of a process might be that it is simply ‘allowed’. Clicking on a link and seeing it proceed to load is one example of this. For those entries where an ‘=’ symbol is seen, then not only will this action be ‘allowed to process’ but it will also be an action which is ‘passed over to’ or ‘converted in to’ whatever is on the right side of the ‘=’ symbol).

Secure Mail MDX Configuration:


This is where our solution is used. The following default settings are found:

App URL schemes:

ctxmail:,ctxinternalmail:,ctxmailex:,ctxmailex2:,ctxmailappstore:,ctxmailoauth:,ctxevent:

Allowed URLs

+maps.apple.com,+itunes.apple.com,+apps.apple.com,^http:=ctxmobilebrowser:,^https:=ctxmobilebrowsers:,^mailto:=ctxmail:,+^citrixreceiver:,+^telprompt:,+^tel:,+^lmi-g2m:,+^col-g2w-2:,+^maps:ios_addr,+^mapitem:,+^sms:,+^facetime:,+^ctxnotes:,+^ctxnotesex:,+^ctxmobilebrowser:,+^ctxmobilebrowserappstore:,+^ctxtasks:,+^facetime-audio:,+^itms-apps:,+^ctx-sf:,+^sharefile:,+^lync:,+^slack:,+^slackmdm:,+^msauth:

So that the desired outcome be achieved, change ‘Allowed URLs’ to the following:

+com.booking.BookingApp,+maps.apple.com,+itunes.apple.com,+apps.apple.com,^http://www.booking.com/,^http:=ctxmobilebrowser:,^https:=ctxmobilebrowsers:,^mailto:=ctxmail:,+^citrixreceiver:,+^telprompt:,+^tel:,+^lmi-g2m:,+^col-g2w-2:,+^maps:ios_addr,+^mapitem:,+^sms:,+^facetime:,+^ctxnotes:,+^ctxnotesex:,+^ctxmobilebrowser:,+^ctxmobilebrowserappstore:,+^ctxtasks:,+^facetime-audio:,+^itms-apps:,+^ctx-sf:,+^sharefile:,+^lync:,+^slack:,+^slackmdm:,+^msauth:

Related:

Error – “An Unexpected MAPI Error Occurred. Index Was Out of Range. Must Be Non-Negative and Less Than the Size of the Collection.”

For some AD environments containing configurations with complex nested groups and domains with many trust associations, the default method might be unable to find the user’s expected administrative memberships.

To resolve such scenarios, use one of the registry setting to change the search approach.

Related:

Error: 'Name server already exists' – Unable to add DNS servers in NetScaler

To resolve this issue:

  1. Check if you have DNS Load Balance Virtual Server already added on NetScaler or not.

  2. If yes, we need to remove DNS Load Balance Virtual Server and respective services.

  3. Try to add the nameserver again, you should be able to add it.

  4. On NetScaler we can add either dns nameserver or DNS LB VIP for same DNS server.

  5. You can traverse to System > Networks > IPs and check is there’s a VIP already existing with this IP.

Best way is to run, “sh run | grep <IP Address>” from CLI to find any matching configuration.

If that doesn’t work try warm restarting the NetScaler.

Related:

ShareFile notify users of their own activity

Notify users of their own activity

By default, ShareFile account settings prevent email notifications from being sent to any user regarding their own activity, even if they have Upload Alerts or Download Alerts enabled on a folder.

This setting can be changed so that users can receive notifications of their own uploads and downloads. Some accounts choose to make this change so that users can keep notifications as receipts of their own activity. This setting can be changed in the Advanced Preferences menu.

When you set upload or download notifications for particular users on folders, by default, the users will receive notifications about these uploads/downloads in real-time. Users can change this default behavior by clicking the Personal Settings link in their account. However, if you want to set a default value for this setting for all users on your account, you may do so using this setting.

Note:

Changing this setting does not affect existing users in the system (it is only applied to newly-created users). You can update this setting for individual users in the at their individual profile page found under People. In Real-Time is the default value.

Users can receive email notifications in the following languages: English, German, Spanish, French, Dutch, Chinese, Russian, Japanese, Korean, Portuguese.

Related:

XenMobile Analyzer Tool

The new XenMobile Analyzer Tool is a cloud-based solution that allows XenMobile administrators to diagnose issues proactively and in real time. XenMobile Analyzer environmental checks can identify device issues, user enrollment issues, and authentication issues. Numerous use-cases and deployment options are supported including MDM, MDM + MAM, MAM-only and five different authentication scenarios on both iOS and Android mobile environments.

Citrix Cerebro functionality has now been integrated into XenMobile Analyzer!

Visit our YouTube channel for a demonstration of XenMobile Analyzer Tool. The XenMobile Analyzer Tool is currently available on the XenMobile Management Tools page .

Please note, XM Analyzer tool does not currently function in the Workspace. Citrix is aware of this issue and currently investigating.

Scheduling Periodic Health Check Using XenMobile Analyzer Tool

XenMobile Analyzer Tool now provides you with the facility to monitor your XenMobile environment periodically. You can choose the time and frequency of when the health check should run. During configuration you will have to provide an email address and this email will be used by the XenMobile Analyzer Tool to send notifications on the health check. The XenMobile Analyzer Tool runs health checks automatically at the scheduled intervals and sends you email notifications on the results of the health checks.

Adding a New Health Check Schedule

  1. After you have set up your test environment, select it from the list and click Add Schedule.

    User-added image

    Or, you can also do this when you are on the Report page of a completed test.

    User-added image

  2. Click I Agree button to enable XenMobile Analyzer to store the test user credentials securely and click Continue.

    User-added image

  3. Enter the user credentials used for testing and click Continue.

    User-added image

  4. Select whether you want the health check to run Daily or Weekly and pick a time to run the health check. Select your time zone from the drop-down list.

    Next, select a date for the health checks to stop running.

    Finally, in the Recipients text-box, enter the email addresses (separated by comma if more than one) to which notification alerts about the scheduled tests will be sent.

    Click Save.

    User-added image

  5. Your scheduled health check is created.

    User-added image

After you successfully schedule a health check, you will receive an email from xma_admin@citrix.com confirming that the schedule has been added. The health check will run at the scheduled time in XenMobile Analyzer Tool. And every time the scheduled health check runs, you will get the notification email on the status of the health check.

Editing a Health Check Schedule

  • At any time, you can select the test environment where you want to edit the schedule and click Edit Schedule to change any of the variables entered. You can also pause/resume the health check schedule at any time using the ON/OFF switch.

    User-added image

Supported Test Environments for Adding Health Check Schedule

You will be able to only schedule tests which use:

  • LDAP authentication
  • Certificate authentication
  • LDAP + Certificate based enrollment authentication

You will not be able to schedule tests which have the following type of enrollment:

  • Invitation URL – because the invitation URL will be redeemed after the first enrollment and cannot be reused for next time.
  • Two-factor authentication which uses Security Token – because the token will expire in a short period of time.
  • Username + PIN enrollment
  • Username + Password + PIN enrollment

Related: