Citrix SSL Forward proxy’s Default authorization is to ALLOW ANY instead of DENY ANY

As per the current design, the DEFAULT authorization of the Citrix SSL Forward Proxy is ALLOW ANY instead of DENY ANY. Hence an enhancement request has been filed with the Citrix development team.

While the Citrix development team works on the enhancement request to make the DEFAULT authorization DENY ANY, the workaround in the configuration snippet below achieves the same requirement (i.e. a default of DENY ANY).

Sample Configuration Snippet:

———————————————-

The configuration below handles every request that carries a port value in the URL or in the Host header and denies access when that destination port is not :443 or :80.

NOTE: In addition to :443 and :80 in the patset below, you can add any other ":<port number>" that needs to be allowed through the Citrix ADC proxy.

> add policy patset allowed_ports

> bind policy patset allowed_ports ":443"

> bind policy patset allowed_ports ":80"

> add responder policy web_only '(HTTP.REQ.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.HOSTNAME.PORT.EQUALS_ANY("allowed_ports").NOT) || (HTTP.REQ.URL.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.URL.HOSTNAME.PORT.EQUALS_ANY("allowed_ports").NOT)' RESET

> bind cs vserver SSL-FORWARDPROXY-Vserver -policyName web_only -priority 10
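An offline model of the responder expression above, added here as an example (it is not Citrix code). It assumes HTTP.REQ.HOSTNAME.PORT yields the port with its leading colon, as the patset entries imply, and shows what the workaround does and does not cover: a request is RESET only when an explicit port is present and is not in the patset; anything else still falls through to the vserver's ALLOW ANY default.

```python
from urllib.parse import urlsplit

ALLOWED_PORTS = {":443", ":80"}   # contents of the allowed_ports patset


def hostname_port(hostname: str) -> str:
    """Model of HTTP.REQ.HOSTNAME.PORT: ':port' when present, else ''.
    Assumption: the colon is part of the returned value, matching the patset."""
    host = hostname.strip()
    if host.startswith("["):                      # IPv6 literal, e.g. [2001:db8::1]:22
        end = host.find("]")
        tail = host[end + 1:] if end != -1 else ""
        return tail if tail.startswith(":") else ""
    if host.count(":") == 1:
        return host[host.index(":"):]
    return ""


def url_hostname_port(request_target: str) -> str:
    """Model of HTTP.REQ.URL.HOSTNAME.PORT for a forward proxy: absolute-form
    URLs (http://host:port/...) and CONNECT authority form (host:port)."""
    if "://" in request_target:
        return hostname_port(urlsplit(request_target).netloc)
    if "/" not in request_target:                 # authority form (CONNECT target)
        return hostname_port(request_target)
    return ""                                     # origin form carries no host


def not_allowed(port: str) -> bool:
    # PORT.LENGTH.GT(1) && PORT.EQUALS_ANY("allowed_ports").NOT
    # LENGTH.GT(1) means a bare ':' or an absent port never triggers the policy;
    # EQUALS_ANY is an exact match, so ':4430' does not pass as ':443'.
    return len(port) > 1 and port not in ALLOWED_PORTS


def responder_action(request_target: str, host_header: str) -> str:
    """'RESET' when the web_only policy hits, otherwise the vserver default 'ALLOW'."""
    if not_allowed(hostname_port(host_header)) or not_allowed(url_hostname_port(request_target)):
        return "RESET"
    return "ALLOW"
```

Requests that omit the port entirely are never matched, so the explicit-port check is a deny list for unusual ports, not a replacement for a true DENY ANY default.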


How to Pass the Client's Source Port to the Backend Server When Accessed Through NetScaler

To achieve this, disable the Use Proxy Port option on the service.

To configure the Use Proxy Port setting on a service by using the configuration utility:

  1. Navigate to Traffic Management> Load Balancing > Services, and open a service.
  2. In Advanced Settings, select Traffic Settings, and unselect Use Proxy Port.

To configure the Use Proxy Port setting on a service by using the CLI:

At the command prompt, type:

set service svc -useproxyport NO

The Use Proxy Port option only takes effect when the Use Source IP / Use Client IP option is enabled on the service or service group respectively.

This option is enabled by default for TCP-based service types such as TCP, HTTP, and SSL.

With Use Proxy Port disabled, the backend server sees the client IP address and the source port from which the client connected.


Error: "Cannot connect to server" "Can't assign requested address"

1: Not an ADC issue

Confirmed from client packet captures and the NetScaler nstrace: no TCP connection was found for the failed desktop launch. The client did not attempt to establish any TCP connection in the failed scenario; only the successful ICA connection was recorded, matching the customer's test results.

2: Client DNS resolution failure, seen in the Receiver CDF trace.

The client is given the hostname HDX-dektop.server to connect to, but resolves it to the IP address 0.0.0.2. The implication is that this is a secured environment with a proxy setting in place that redirects many undesired addresses to 0.0.0.2.

CDF Log:

37525,0,2020/08/05 17:51:22:57588,11944,7864,-1,HPC_ICA_ENG,SslASock_Api.c,467,SslASock_Connect(),1,Information,"SSL Relay host name:HDX-dektop.server resolved to: 10.204.182.11","" (working scenario)

130535,0,2020/08/05 17:51:33:46960,13344,13428,-1,HPC_ICA_ENG,SslASock_Api.c,467,SslASock_Connect(),1,Information,"SSL Relay host name: HDX-dektop.server resolved to: 0.0.0.2","" (NOT working scenario)
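A small triage check for the pattern above, added as an example (not part of the article or of any Citrix tool): it scans SslASock_Connect() lines in a CDF trace and flags hostnames that resolved to an address that can never carry an SSL Relay session. The two CDF lines are constructed copies of the ones shown above.

```python
import ipaddress
import re

# Constructed CDF lines modelled on the two in the article (not real trace data).
SAMPLE_CDF = """\
37525,0,2020/08/05 17:51:22:57588,11944,7864,-1,HPC_ICA_ENG,SslASock_Api.c,467,SslASock_Connect(),1,Information,"SSL Relay host name:HDX-dektop.server resolved to: 10.204.182.11",""
130535,0,2020/08/05 17:51:33:46960,13344,13428,-1,HPC_ICA_ENG,SslASock_Api.c,467,SslASock_Connect(),1,Information,"SSL Relay host name: HDX-dektop.server resolved to: 0.0.0.2",""
"""

# The message text uses 'host name:<host> resolved to: <ip>' in both samples.
RESOLVE_RE = re.compile(
    r"SSL Relay host name:\s*(?P<host>\S+)\s+resolved to:\s*(?P<ip>[0-9a-fA-F.:]+)"
)


def suspicious_resolution(ip_text: str) -> bool:
    """True when the resolved address is unusable for a client connection:
    0.0.0.0/8 (the 0.0.0.2 sinkhole seen above), loopback, or unspecified."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True                      # an unparsable address deserves a look too
    return (
        ip.is_unspecified
        or ip.is_loopback
        or ip in ipaddress.ip_network("0.0.0.0/8")
    )


def find_bad_resolutions(cdf_text: str):
    """Return (timestamp, host, ip) for every SSL Relay resolution that is suspicious."""
    findings = []
    for line in cdf_text.splitlines():
        match = RESOLVE_RE.search(line)
        if not match:
            continue
        if suspicious_resolution(match["ip"]):
            timestamp = line.split(",")[2]   # third CDF column is the timestamp
            findings.append((timestamp, match["host"], match["ip"]))
    return findings
```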


FAQ: How do I Block Heartbleed on NetScaler?

Q: Is NetScaler affected by Heartbleed vulnerability?

A: Heartbleed is one of the most impactful vulnerabilities identified in the recent history of the SSL protocol. Heartbleed is a bug in OpenSSL's implementation of the TLS heartbeat extension that allows intruders to read information from the server's memory, revealing potential user data that was assumed to be protected by TLS. OpenSSL runs on the majority of sites hosted on the internet, which makes this a widely felt issue. Secure information shared with the server becomes accessible to the attacker, and the action is completely undetectable.

Use cases

  • Andy wishes to interact in a secure fashion (some arbitrary, some known) free from Heartbleed attacks through a web browser.
  • Banking.com wishes to host web servers to be used by people like Andy in a secure fashion free from Heartbleed attack.

Q: How does Heartbleed work?

A: In order to understand Heartbleed, it is necessary to understand how the heartbeat extension works. A heartbeat request-response exchange between sender and receiver provides a "keep-alive" without performing a renegotiation. The message format contains the heartbeat message type, the payload, the payload length and padding. The payload can be any value that needs to be shared with the other participant (say a server). The server copies the payload, builds a response message around it and replies to the sender. The payload length field is 2 bytes long and determines the length of the payload, so the payload can be anything up to 65536 bytes. As per RFC 6520, if the payload length is bigger than the supported value, the message must be discarded silently: the server should neither process the message nor send a response. This is not the case with OpenSSL's implementation, which led to the Heartbleed vulnerability. As a result the server sends back the extra bytes requested by the attacker, which are whatever happens to be in the server's memory and may be sensitive information.
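A heartbeat message parser that applies the RFC 6520 discard rule the answer describes, added as an example (not Citrix's or OpenSSL's code): the length claimed in the header is checked against what actually arrived before any bytes are copied into the response, so an oversized claim is dropped silently instead of being echoed.

```python
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16   # RFC 6520: padding must be at least 16 bytes


def build_heartbeat(msg_type: int, payload: bytes,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Serialize type(1 byte) || payload_length(2 bytes) || payload || padding.
    Fixed zero padding is used here only so the example is deterministic."""
    return struct.pack("!BH", msg_type, len(payload)) + payload + padding


def parse_heartbeat(message: bytes):
    """Return (type, payload), or None when the message must be silently discarded.

    RFC 6520: payload_length may not exceed the bytes actually received once the
    3-byte header and the 16-byte minimum padding are subtracted. The peer's
    claimed length must never decide how much memory is read back; this bounds
    check is the step the affected OpenSSL releases lacked."""
    if len(message) < 3 + MIN_PADDING:
        return None
    msg_type, payload_length = struct.unpack("!BH", message[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    if 3 + payload_length + MIN_PADDING > len(message):
        return None                               # discard, send nothing back
    return msg_type, message[3:3 + payload_length]


def heartbeat_response(request: bytes):
    """Server side: echo only a verified payload; otherwise respond with nothing."""
    parsed = parse_heartbeat(request)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])
```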

Q: How does NetScaler help?

A: NetScaler comes to the rescue! NetScaler was never affected by the issue found in the OpenSSL implementation. NetScaler blocks Heartbleed attacks because the affected OpenSSL versions (1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1) are not used by NetScaler. The NetScaler operating system uses a modified SSL stack that is fine-tuned for security, performance and other use cases, and it is not impacted by this vulnerability. On the management plane OpenSSL is used, but not the affected versions, so it is not affected by the Heartbleed vulnerability either.

For the list of Citrix products that require updates to address the Heartbleed vulnerability, read the support article: http://support.citrix.com/article/CTX140605.


FAQ: NetScaler Load Balancing/Persistence

Q: How does LB slow start work with persistence? When is the slow start exited?

A: By default a newly configured virtual server remains in Slow Start mode for a Startup RR Factor of 100.

If there are 2 services bound to the LB VIP, the LB vServer exits slow-start mode after 200 hits. The calculation is PE(n) X service(n) X 100 = 1 X 2 X 100 = 200 (assuming there is one PE).

When Source IP based persistence is configured, the client connections need to hit the LB VIP with different source IPs. In the above case, if 200 connections are initiated from the same source IP, the counter only decrements by 1 (with 199 remaining). The remaining 199 connections need to come from unique source IPs for the NetScaler to exit slow-start mode and return to the configured load balancing method.

root@netscaler# nsconmsg -K newnslog -d current -s disptime=1 -g vsvr_do_next_rrreq | more
Displaying performance information
NetScaler V20 Performance Data
NetScaler NS11.1: Build 51.21.nc, Date: Dec 22 2016, 12:32:24
14 427000 200 200 28 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:55:59 2017
15 322000 199 -1 0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 11:01:21 2017
16 1938995 198 -1 0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 13:15:31 2017
17 14000 197 -1 0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 13:15:45 2017

If the persistence is set to NONE, irrespective of the source IPs, the slow start is exited once the number of connections reaches 200:

2 223997 200 1 0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:46:46 2017
3 49000 199 -1 0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:47:35 2017
4 7000 176 -23 -3 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:47:42 2017
5 7001 163 -13 -1 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:47:49 2017
6 6999 132 -31 -4 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:47:56 2017
7 7000 109 -23 -3 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:03 2017
8 7000 89 -20 -2 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:10 2017
9 7000 57 -32 -4 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:17 2017
10 7000 25 -32 -4 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:24 2017
11 7001 23 -2 0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:31 2017
12 14000 13 -10 -1 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:45 2017
13 6999 0 -13 -1 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:52 2017

Refer to https://support.citrix.com/article/CTX108886 for more about Slow Start.

Q: A persistence RULE is configured with a persistence timeout of 10 minutes. When the "show persistent sessions" command is run for that particular load balancing vServer, many entries with a timeout of 0 (expired) are still seen in the output table. What causes these persistence table entries to show even though the timeout has expired?

A: The "show persistence session" output only displays entries from the master core, not from the peer cores where the persistence session is cached.

Even when the timeout value has reached 0 on the master core, another core may still hold this session entry with a non-zero value, so the master core does not remove the entry from its table immediately after it times out.

By design, after the connection has gone idle and been deleted and the persistence timeout has passed, the entry can remain for a further 2 minutes because of the relationship between the master core and the peer core, and in some cases 120-330 seconds remain for synchronization between NSPPE and internal processing.

Q: An LB vServer (HTTP) does not load balance hits correctly when the LB method is Least Connection. An uneven number of hits is seen on the 2 load balanced backend services.

A: The "Least Connection" load balancing method takes the number of connections per service into account, not the number of hits to the service.

Q: Does the TCP profile bound on the CS VIP or the one on the corresponding LB VIP take precedence?

A: NetScaler uses the TCP profile bound on the Content Switching vServer for the front-end/client connection.

The TCP profile bound to the Load Balancing vServer is not used if the connection is made through the Content Switching vServer.

The TCP profile bound to the Load Balancing vServer is applied only if the client establishes the connection with the Load Balancing VIP directly.

If no TCP profile is bound to the Content Switching vServer, the default TCP profile is used.

Q: Can a VIP address be bound to netprofile/ ipset in Cluster?

A: This was not allowed in earlier builds; attempting it fails with the error "ERROR: Operation not permitted". It is supported starting from 11.1 build 58.x and 12.0 build 33.x (Issue ID: 664024).

Q: Are active sessions dropped while disabling a service or a member of a service group?

A: Yes, the active connections are dropped if the service is not disabled with the "Graceful" option. Active connections are maintained if the "Graceful" checkbox is selected.

Traffic Management -> LB -> Service Group -> Manage Member -> select the member and click Disable -> check Graceful and click OK.

Q: What does the “Graceful” option do while disabling a service?

A: This checkbox indicates a graceful shutdown of the service. The system waits for all outstanding connections to this service to be closed before disabling the service.

Gracefully disabled services maintain all current connections until these have timed out or closed gracefully. All new connections are sent to the enabled services.

Simply disabling the service migrates all existing connections to the enabled services.

State: Graceful shutdown is enabled and a wait time is specified.
Result: The service is shut down after the last of the current active client connections is served, even if the wait time has not expired. The appliance checks the status of the connections once every second. If the wait time expires, any open sessions are closed.

State: Graceful shutdown is disabled and a wait time is specified.
Result: The service is shut down only after the wait time expires, even if all established connections are served before expiration.

State: Graceful shutdown is enabled and no wait time is specified.
Result: The service is shut down only after the last of the previously established connections is served, regardless of the time taken to serve the last connection.

State: Graceful shutdown is disabled and no wait time is specified.
Result: No graceful shutdown. The service is shut down immediately after the disable option is chosen or the disable command is issued. (The default wait time is zero seconds.)

Q: NS 10.5: NetProfile does not work intermittently and traffic is sourced from the wrong SNIP

A: This has been identified as an issue in the build of 10.5 and is fixed in 11.1 (Issue ID: 536377)

Q: Why does an SSL VIP use HTTP/1.1 despite HTTP/2 being configured in the bound HTTP profile?

A: In the SSL handshake, the Client Hello shows that the client supports HTTP/2 over TLS (h2), yet the VIP chooses HTTP/1.1.

HTTP/2 over TLS (h2) requires TLS version 1.2 or higher, and HTTP/2 does not allow any of the cipher suites listed in the following article:

https://http2.github.io/http2-spec/#BadCipherSuites

Ensure that HTTP/2 compatible ciphers are bound to the VIP.

Q: Can we view SSL counters/ statistics specific to a vServer or a VIP?

A: This is currently not possible. An enhancement request with the Product management has been raised for this:

ENH0234441: Display of per vServer/service stats with “stat ssl” command

ENH0234442: SSL per vServer/service stats should be displayed with nsconmsg -s ConSSL output

Q: What does the spillover count (SO) for a vServer in the ConLb output indicate?

A: If you have spillover configured or have a backup vServer and spillover occurs, the connections are sent to the backup and the counter increments. If you do not have spillover or a backup vServer configured, the connection is reset and the spillover counter still increments. In that case the incrementing counter indicates requests being reset.

When spillover is configured and requests are actually being spilled over, the counter also increments. Thus the counter increments in either scenario. Hence, if you know you don't have spillover configured and you see spillover hits, consider setting up spillover so that those requests are processed instead of being reset.

Q: What are the ways to protect a Load Balancing vServer against Failure when it goes DOWN?

A: "Disable Primary When Down": If you want the backup virtual server to remain in control until you manually enable the primary virtual server, even after the primary virtual server comes back up, select "Disable Primary When Down". For more information on "Configuring a Backup Load Balancing Virtual Server" refer to the docs:

http://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-protect-configuration/config-backup-vserver.html

"Connection failover": Connection failover helps prevent disruption of access to applications deployed in a distributed environment. In a NetScaler High Availability (HA) setup, connection failover (or connection mirroring, CM) refers to keeping an established TCP or UDP connection active when a failover occurs. The new primary NetScaler appliance has information about the connections established before the failover and continues to serve those connections. After failover, the client remains connected to the same physical server. The service types supported for connection failover are ANY, UDP, TCP, FTP and SSL_BRIDGE.

For more information on "Connection failover" refer to:

http://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-protect-configuration/connection-failover.html

Other methods can be viewed in the following link: https://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-protect-configuration.html

Q: Can we integrate MFA with LB vServer?

A: Yes, this can be done by configuring an AAA vServer that acts as a SAML SP. Microsoft MFA can be configured as the SAML IdP if it has access to LDAP/RADIUS.


Error: “Previous Upload to cis.citrix.com failed. Network Error While Connecting cis.citrix.com” with Code 10


The error message indicates that the Call Home upload to Citrix.com failed. This can happen for multiple reasons, including simply no connectivity from the License Server to Citrix.com, or the presence of a firewall or network proxy in the environment.


To troubleshoot the underlying cause of the failure, follow the steps below:

  1. Make sure the License Server has network connectivity and can connect to cis.citrix.com over port 443.
  2. If you have to configure a proxy, refer to the following documentation for the steps: Configure a Proxy server. Note that the Licensing service needs to be restarted for the changes to take effect.
  3. If no proxy is required to reach cis.citrix.com from the server, it is possible that there was a network error at the time of the upload attempt that has since been resolved. Once an upload fails, the upload failure status is tracked in an XML file (Upload_result.xml). So even after the network issue is resolved, or when Call Home is subsequently disabled after an upload failure, you will continue to see the error unless the XML file is deleted manually. The following steps get rid of the error message:
    1. Browse to the C:\Program Files (x86)\Citrix\Licensing\LS\resource\usage folder.
    2. Take a copy of the contents of this folder for backup purposes and empty the folder.
    3. Restart the Citrix Webservice for Licensing service from the Services console.
  4. If none of the steps above resolves the issue, you can disable Call Home following the steps outlined in CTX220679.


Error: "Previous Upload to cis.citrix.com Failed. Network Error While Connecting cis.citrix.com" with Code 6

The error message indicates that the Call Home upload to Citrix.com failed. This can happen for multiple reasons, including simply no connectivity from the License Server to Citrix.com, or the presence of a firewall or network proxy in the environment.

To troubleshoot the underlying cause of the failure, follow the steps below:

  1. Make sure the License Server has network connectivity and can connect to cis.citrix.com over port 443.
  2. If you have to configure a proxy, refer to the following documentation for the steps: Configure a Proxy server. Note that the Licensing service needs to be restarted for the changes to take effect.
  3. If no proxy is required to reach cis.citrix.com from the server, it is possible that there was a network error at the time of the upload attempt that has since been resolved. Once an upload fails, the upload failure status is tracked in an XML file (Upload_result.xml). So even after the network issue is resolved, or when Call Home is subsequently disabled after an upload failure, you will continue to see the error unless the XML file is deleted manually. The following steps get rid of the error message:
    1. Browse to the C:\Program Files (x86)\Citrix\Licensing\LS\resource\usage folder.
    2. Take a copy of the contents of this folder for backup purposes and empty the folder.
    3. Restart the Citrix Webservice for Licensing service from the Services console.
  4. If none of the steps above resolves the issue, you can disable Call Home following the steps outlined in CTX220679.
