Citrix SSL Forward proxy’s Default authorization is to ALLOW ANY instead of DENY ANY

By current design, the default authorization of the Citrix SSL Forward Proxy is ALLOW ANY instead of DENY ANY. An enhancement request has therefore been filed with the Citrix Development team.

While the Citrix Development team works on the enhancement request to make the default authorization DENY ANY, the workaround shown in the configuration snippet below achieves the same requirement (i.e. default DENY ANY).

Sample Configuration Snippet:

———————————————-

The configuration below handles all requests that arrive with a port value in the URL or Host header, and denies access if the destination port is not :443 or :80.

NOTE: In the same way as :443 and :80 in the patset below, you can add ":<port number>" to the patset for any other port that must be allowed through the Citrix ADC proxy.

> add patset allowed_ports

> bind policy patset allowed_ports ":443"

> bind policy patset allowed_ports ":80"

> add responder policy web_only '(HTTP.REQ.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.HOSTNAME.PORT.EQUALS_ANY("allowed_ports").NOT) || (HTTP.REQ.URL.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.URL.HOSTNAME.PORT.EQUALS_ANY("allowed_ports").NOT)' RESET

> bind cs vs <SSL-FORWARDPROXY Vserver> -policyname web_only -priority 10
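A Python model of the responder expression above, run over constructed requests, to check which ones the policy resets. This is an added example, not Citrix code. It assumes PORT yields the text from the first colon onward (":8080", or an empty string when no port is given), which is what the patset entries and LENGTH.GT(1) imply; the function names and sample hosts are hypothetical.

```python
from urllib.parse import urlsplit

# Mirrors the allowed_ports patset; entries include the leading colon.
ALLOWED_PORTS = {":443", ":80"}


def port_part(authority: str) -> str:
    """Text from the first colon onward, or "" when no port is present.

    Assumption: models HOSTNAME.PORT for hostnames and IPv4 literals only.
    """
    _host, colon, port = authority.partition(":")
    return colon + port


def url_authority(target: str) -> str:
    """Authority of an absolute-form request target, "" for origin-form."""
    return urlsplit(target).netloc if "://" in target else ""


def violates(port: str) -> bool:
    # LENGTH.GT(1) && EQUALS_ANY("allowed_ports").NOT  (exact match, not prefix)
    return len(port) > 1 and port not in ALLOWED_PORTS


def responder_action(target: str, host_header: str) -> str:
    """RESET when either the Host header or the URL carries a disallowed port."""
    if violates(port_part(host_header)) or violates(port_part(url_authority(target))):
        return "RESET"
    return "PASS"


# Constructed sample requests: (request target, Host header).
SAMPLES = [
    ("http://intranet.example/", "intranet.example"),            # no explicit port
    ("http://intranet.example:80/", "intranet.example:80"),      # allowed port
    ("http://intranet.example:8080/", "intranet.example:8080"),  # ":8080" != ":80"
    ("http://intranet.example:8080/", "intranet.example"),       # port only in URL
    ("/index.html", "intranet.example:4433"),                    # port only in Host
]


def evaluate_samples():
    return [responder_action(target, host) for target, host in SAMPLES]


if __name__ == "__main__":
    for (target, host), action in zip(SAMPLES, evaluate_samples()):
        print(f"{action:5}  target={target}  Host={host}")
```

Requests that carry no explicit port are not matched by this policy and pass through.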


Workspace App for iOS – Error ‘EAP is activated and not supported on IOS’ when connecting through NetScaler Gateway

This article is intended for Citrix administrators and technical teams only.

Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information.

Users are unable to connect using Workspace App for iOS through NetScaler Gateway. The connection works with the Workspace app on Windows and Mac OS. Receiver for iOS also works correctly. If the manual configuration with the URL https://baseurl/citrix/store/discovery is used, the following error message is displayed: “EAP is activated and not supported on IOS”. EAP isn’t used on this Gateway. If the automatic configuration with the baseURL is used, the following error message is displayed: “Cannot add account” “All stores in the discovery document have been loaded”. In both scenarios it fails to add the account.


Error: “Your apps are not available at this time. Please try again in a few minutes or contact your help desk with this information: Cannot contact Store”

Command line installation (CLI) is not supported for the NetScaler URL. However, there are 3 options available that may be helpful.

1. Export store provisioning files for users https://docs.citrix.com/en-us/storefront/2-6/dws-manage/dws-manage-store/dws-export-file.html

2. Configuring NetScaler Gateway Store via GPO https://docs.citrix.com/en-us/receiver/windows/4-5/configure/receiver-windows-configure-app-delivery-wrapper.html#par_anchortitle_80df

3. Connecting to StoreFront by Using Email-Based Discovery http://docs.citrix.com/en-us/netscaler-gateway/10-1/ng-xa-xd-integration-edocs-landing/ng-clg-integration-wrapper-con/ng-clg-session-policies-overview-con/ng-clg-storefront-policies-con/ng-clg-storefront-email-discovery-tsk.html

From the end user's perspective, email discovery may be the easiest option, but it requires a supporting DNS entry and other configuration, as noted in the documentation.

The store provisioning file is easy to generate in StoreFront, but it requires the user to open the .CR file (an XML file with a file type association (FTA) to Receiver) and accept the configuration (click the "Yes" button); a certificate acceptance dialog may also be displayed. It therefore requires some user interaction and depends on end-user training, even if the training is minimal.

The GPO push of the NetScaler URL (Configuring NetScaler Gateway Store via GPO) requires users to be connected to the domain to receive the policy and configuration.


Error while downloading the Citrix Gateway Plugin from Downloads Tab of ADC : Forbidden you don't have permission to access

Fixed in 13.0 build 41.20, where the Citrix Access Gateway plug-in file for Mac OS X is present under the /var/netscaler/gui/vpns/scripts/mac directory when upgrading through the CLI, with or without creating a directory under /var/nsinstall.

Follow the below steps:

With 13.0 build 41.20:

===================

1) Copy the 13.0 build 41.20 package to /var/nsinstall via the CLI.

2) Extract the package directly under /var/nsinstall (NOTE: there is no need to create a directory under /var/nsinstall to hold the Citrix ADC firmware package).

3) Run ./installns

RESULT: Access the NetScaler through the GUI > Download tab > click “Download Citrix Gateway Plug-in for Mac OS X” or “Download Citrix Gateway Plug-in for Windows”. You should be able to download the files.

The MAC or Vista folder is found under: /var/netscaler/gui/vpns/scripts/

Workaround for builds below 13.0

==========================

Upgrade or downgrade through the CLI by creating a folder under /var/nsinstall, or upgrade or downgrade Citrix ADC firmware prior to 13.0 via the GUI.
