Citrix SSL Forward proxy’s Default authorization is to ALLOW ANY instead of DENY ANY

As per the current design, the DEFAULT authorization of the Citrix SSL forward proxy is ALLOW ANY instead of DENY ANY. Hence, an enhancement request has been filed with the Citrix development team.

While the Citrix development team works on the enhancement request to make the DEFAULT authorization DENY ANY, the workaround in the configuration snippet below achieves the same requirement (i.e. a default of DENY ANY for any destination port that is not explicitly allowed).

Sample Configuration Snippet:

———————————————-

The configuration below handles every request that carries a port value in the URL or in the Host header, and denies (resets) the request if that destination port is not :443 or :80.

NOTE: In the same way as ports :443 and :80 are listed in the patset below, you can add any other ":<port number>" to the patset that needs to be allowed through the Citrix ADC proxy.

> add patset allowed_ports

> bind policy patset allowed_ports ":443"

> bind policy patset allowed_ports ":80"

> add responder policy web_only '(HTTP.REQ.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.HOSTNAME.PORT.EQUALS_ANY("allowed_ports").NOT) || (HTTP.REQ.URL.HOSTNAME.PORT.LENGTH.GT(1) && HTTP.REQ.URL.HOSTNAME.PORT.EQUALS_ANY("allowed_ports").NOT)' RESET

> bind cs vserver "SSL-FORWARDPROXY Vserver" -policyName web_only -priority 10
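To make the decision logic of the responder policy explicit, here is a Python model of it. This is an added example, not Citrix code: it mirrors the two checks the policy performs (the port in the Host header and the port in the request-line URL, as a forward proxy sees it) against an allowlist that stands in for the allowed_ports patset. A request is RESET when an explicit port is present and is not in the allowlist; a request with no explicit port is left to the existing ALLOW ANY default, exactly as the NetScaler expression behaves.

```python
from urllib.parse import urlsplit

# Constructed allowlist, standing in for the 'allowed_ports' patset above.
ALLOWED_PORTS = {":443", ":80"}


def explicit_port(host: str) -> str:
    """Return ':<port>' if host carries an explicit port, else ''.

    Handles bracketed IPv6 literals such as '[2001:db8::1]:8443'; a bare
    IPv6 address without brackets has no unambiguous port and yields ''.
    """
    if host.startswith("["):
        close = host.find("]")
        rest = host[close + 1:] if close != -1 else ""
        return rest if rest.startswith(":") else ""
    # 'host:port' -- exactly one colon means a DNS name or IPv4 with a port
    if host.count(":") == 1:
        return host[host.index(":"):]
    return ""


def policy_decision(host_header: str, request_url: str,
                    allowed=ALLOWED_PORTS) -> str:
    """Evaluate the responder policy for one request.

    host_header: value of the Host header, e.g. 'example.com:8080'
    request_url: the request-line target, e.g. 'http://example.com:8080/'
                 (a relative-form target such as '/index.html' has no host)
    Returns 'RESET' when the policy matches, otherwise 'ALLOW'.
    """
    host_port = explicit_port(host_header)
    url_port = explicit_port(urlsplit(request_url).netloc)
    # Each half of the expression: PORT present && PORT.EQUALS_ANY(...).NOT
    for port in (host_port, url_port):
        if port and port not in allowed:
            return "RESET"
    return "ALLOW"


if __name__ == "__main__":
    # Constructed requests: a proxy request to a non-standard port, a plain
    # request, an explicit :443, and a URL port that disagrees with the Host.
    for host, url in [
        ("example.com:8080", "http://example.com:8080/"),
        ("example.com", "http://example.com/"),
        ("example.com:443", "https://example.com:443/"),
        ("example.com", "http://example.com:8443/"),
        ("[2001:db8::1]:8443", "http://[2001:db8::1]:8443/"),
    ]:
        print(f"{host:22} {url:32} -> {policy_decision(host, url)}")
```

Two points the model makes visible: the patset match is exact, so ":4430" does not match ":443"; and a request whose Host header has no port is not touched by this policy at all, which is why the policy is a workaround rather than a true default DENY ANY.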


Commonly Used Options and Filters with nstcpdump.sh NetScaler Script

  • -i<Interface_Number>: to restrict recording of the packets to the specified interface. You can use this option multiple times to select multiple interfaces.

Note: The -i, -r and -F options are not supported on NetScaler 10.5, and the following message is displayed when the script is run with any of them:

nstcpdump.sh: utility to view/save/sniff LIVE packet capture on NETSCALER box
tcpdump version 4.0.0
libpcap version 1.0.0
Usage: tcpdump [-aAdDefKlLnNOpqRStuUvxX] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -M secret ] [ -r file ]
[ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ]
[ -y datalinktype ] [ -z command ] [ -Z user ]
[ expression ]
NOTE: tcpdump options -i, -r and -F are NOT SUPPORTED by this utility

For NetScaler 10.5, if you want to filter traffic based on the interface, then the following command can be used:

start nstrace -size 0 -tcpdump ENABLED -filter CONNECTION.INTF.EQ("1/1")

Filter Expressions

The following is a list of some options you can use in the filter expression. You can combine multiple expressions by using the boolean operators.

  • host <IP_Address>: to restrict recording of the packets to or from the specified host IP address.

  • net <Subnet_Address> mask <Netmask>: to restrict recording of the packets from the specified subnet.

  • port <Port_Number>: to restrict recording of the packets for the specified TCP or UDP port.

  • portrange <From_Port_Number>-<To_Port_Number>: to restrict recording of the packets for the specified range of the TCP or UDP port numbers.

  • dst port <Port_Number>: to restrict recording of the packets for the specified destination TCP or UDP port numbers.

  • src port <Port_Number>: to restrict recording of the packets from the specified source TCP or UDP port numbers.

  • tcp: to restrict recording of the packets only to the TCP packets. This option is a substitute for the ip proto x option.

  • udp: to restrict recording of the packets only to the UDP packets.

  • arp: to restrict recording of the packets only to the ARP packets.

  • icmp: to restrict recording of the packets only to the ICMP packets.

The operators that can be used with filter expressions are ==, eq, !=, neq, >, gt, <, lt, >=, ge, <=, le, and BETWEEN. Additionally, multiple sets of qualifiers can be used with boolean && or || operator.

Examples

The following are some of the examples for running the nstcpdump.sh script:

  • root@ns# nstcpdump.sh -X dst host 10.102.13.14 and port 80

    The output of this command is displayed on stdout and consists of all tcp port 80 traffic destined to the 10.102.13.14 IP address.

  • root@ns# nstcpdump.sh -w /var/trace/trace1.cap -i 1/1 -i 1/2

    The output of this command is directed to the /var/trace/trace1.cap file and consists of all traffic on the interfaces 1/1 and 1/2.

  • root@ns# nstcpdump.sh -w /var/trace/trace2.cap host 10.102.13.14 and not port 443

    The output of this command is directed to the /var/trace/trace2.cap file and consists of all traffic to or from the host IP address 10.102.13.14 and which does not have destination or source port as 443.

  • root@ns# nstcpdump.sh host 10.102.13.14 and host 10.102.13.15

    The output of this command is displayed on stdout and consists of all traffic between the host IP addresses 10.102.13.14 and 10.102.13.15.

Sample Output

The following is a sample output of the nstcpdump.sh script:

root@103# nstcpdump.sh port 80
Setting 1000 pages (4000 KB) of trace buffers ... Done.
Enabling all nic trace mode=6 ... Done.
Changing trace packet length from 0 to 0 ... Done.
Saving current trace data in file 'pipe' for '3600' seconds ... in TCPDUMP format
18:17:13.391479 10.198.4.112.29221 > 10.198.4.41.http: S 1430428239:1430428239(0) win 8190 <mss 1460>
18:17:13.391599 10.198.4.41.http > 10.198.4.112.29221: R 0:0(0) ack 1430428240 win 0 (DF)
18:17:13.691462 10.198.4.112.29217 > 10.198.4.204.http: R 1430282160:1430282160(0) win 9800
18:17:13.691467 10.198.4.112.29217 > 10.198.4.204.http: R 1430282160:1430282160(0) win 9800
18:17:16.091528 127.0.0.2.61049 > localhost.http: S 1430522929:1430522929(0) win 8190 <mss 1460>
18:17:16.091566 localhost.http > 127.0.0.2.61049: S 1213225328:1213225328(0) ack 1430522930 win 57344 <mss 1460> (DF)
18:17:16.091570 127.0.0.2.61049 > localhost.http: F 1:1(0) ack 1 win 8190
18:17:16.091585 localhost.http > 127.0.0.2.61049: . ack 2 win 58400 (DF)
18:17:16.091654 localhost.http > 127.0.0.2.61049: F 1:1(0) ack 2 win 58400 (DF)
18:17:16.091665 127.0.0.2.61049 > localhost.http: . ack 2 win 8190

The following table breaks down the first packet line of the preceding output (the one with timestamp 18:17:13.391479) into its fields:

Timestamp:        18:17:13.391479
Source IP:        10.198.4.112
Source Port:      .29221
Direction:        >
Destination IP:   10.198.4.41
Destination Port: .http
TCP Flags:        S
Sequence Number:  1430428239:1430428239(0)
Additional Info:  win 8190 <mss 1460>
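The field breakdown above can be automated. The following Python parser is an added example (not part of the NetScaler script or its documentation): it splits each tcpdump-format line from nstcpdump.sh into the same fields as the table, pulls the window, MSS, ack and DF values out of the trailing text, and then runs one small check over the parsed records, pairing each SYN with an RST sent back by the peer, which is what the first two lines of the sample output show. The sample lines embedded in the block are constructed to match the format shown above.

```python
import re

# Constructed sample in the same format as the nstcpdump.sh output above.
SAMPLE = """\
18:17:13.391479 10.198.4.112.29221 > 10.198.4.41.http: S 1430428239:1430428239(0) win 8190 <mss 1460>
18:17:13.391599 10.198.4.41.http > 10.198.4.112.29221: R 0:0(0) ack 1430428240 win 0 (DF)
18:17:16.091585 localhost.http > 127.0.0.2.61049: . ack 2 win 58400 (DF)
"""

# Timestamp, 'host.port > host.port:', flags, optional seq range, then the rest.
# Hosts may be dotted IPv4 or names; the port is whatever follows the last dot.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>[^.\s]+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>[^.\s]+):\s+"
    r"(?P<flags>[SFRP.]+)\s*"
    r"(?P<seq>\d+:\d+\(\d+\))?\s*"
    r"(?P<rest>.*)$"
)


def parse_line(line: str):
    """Return a dict of fields for one tcpdump line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    win = re.search(r"\bwin (\d+)", rest)
    mss = re.search(r"<mss (\d+)>", rest)
    ack = re.search(r"\back (\d+)", rest)
    rec.update({
        "window": int(win.group(1)) if win else None,
        "mss": int(mss.group(1)) if mss else None,
        "ack": int(ack.group(1)) if ack else None,
        "df": "(DF)" in rest,
    })
    return rec


def parse_capture(text: str):
    """Parse every packet line in a capture, skipping banner/progress lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def syn_reset_pairs(records):
    """Return (client, client_port, server, server_port) for each bare SYN
    that is answered by an RST from the peer, i.e. the port was closed."""
    syns = {(r["src"], r["sport"], r["dst"], r["dport"])
            for r in records if r["flags"] == "S" and r["ack"] is None}
    pairs = []
    for r in records:
        if "R" in r["flags"]:
            key = (r["dst"], r["dport"], r["src"], r["sport"])
            if key in syns:
                pairs.append(key)
    return pairs


if __name__ == "__main__":
    recs = parse_capture(SAMPLE)
    for r in recs:
        print(r)
    print("SYN answered by RST:", syn_reset_pairs(recs))
```

Feeding the real output of "nstcpdump.sh port 80" to parse_capture works the same way, since the banner lines ("Setting 1000 pages ...") simply fail the regex and are skipped.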


How to Use Netsh to Remove an Older Certificate Before Adding Another on a DDC

Use "delete sslcert".

This deletes SSL server certificate bindings and the corresponding client certificate policies for an IP address and port.

delete sslcert [ipport=]IP Address:port

Parameters

[ipport=]IP Address:port

Specifies the IPv4 or IPv6 address and port for which the SSL certificate bindings will be deleted.

Examples

delete sslcert ipport=1.1.1.1:443

delete sslcert ipport=0.0.0.0:443

delete sslcert ipport=[::]:443


Lost at Sea No More – Busan Launches Hyperledger-Based Logistics Platform

The Busan Port Authority (BPA) will launch their integrated logistics platform Chain Portal. The Hyperledger-powered platform is expected to increase efficiency of port operations and cargo movements. A pilot for the platform will be run for the next two weeks until the scheduled hard launch on the 6th of April.

Chain Portal boasts an efficient and practical information sharing system that collects and shares information about cargo and ship movements through Korea’s largest, and Asia’s 6th largest container port. BPA will provide ITT and terminal status information in real-time to users around the world. Users can download and integrate the openAPI into their website to track the information being broadcast on the service, increasing the transparency of the platform.

The ITT system shares information to shipping companies, carriers, terminal operators, and transport operators when transporting cargo from dock to dock. Up until now, operators complained of lag in their preparation capabilities due to a lack of usable information. With the new system, operators will be able to audit any number of actionable details about shipments and prepare for their efficient distribution with greater foresight.

Some of the shipping details available on Chain Portal’s front page.

In 2018, the Ministry of Science and ICT and the Ministry of Maritime Affairs and Fisheries set out to establish a blockchain-based integrated issuance service between container docks, as a pilot system for enhancing port logistics. An official from BPA stated that after verifying the feasibility of integrating blockchain into port logistics technology with that pilot project, they moved forward with the plans to develop Chain Portal.

BPA plans to prioritize the ITT system aspect of Chain Portal to Busan New Port, which consists of Busan New Port International Terminal, Busan New port, Hanjin Busan Container Terminal, PSA Hyundai Busan New Port, BNC, and Busan New Port Multi-purpose Terminal. They plan to apply the new system to all of Busan Port by the second half of 2020.

Overall, Chain Portal is expected to reduce terminal congestion, improve productivity, reduce load/unload times, and increase distribution efficiency. An official at BPA lauds the platform as the beginning of BPA’s role as a leader for other ports to adopt blockchain technology into their daily operations to improve service quality overall.


WSS_HTTPS_8084 SERVICE

I do not need a solution (just sharing information)

Hello, how are you?

I have an issue: here I have 3 services for WSS, one with port 8080, another with port 8443 and another with port 8084, and the service with port 8084 is down.

All of those services are using the IP 200.186.128.164 as Host.

This IP is from Brazil…

But I don't know which impact this can have here in our environment. If I lose one of those services, what can happen?


Error: Lost connection to lmgrd, heartbeat timeout expired, exiting. EXITING DUE TO SIGNAL 28 Exit Reason 5 in License server

This issue can occur when there is a break in communication on the license server's 7279 daemon port. The break can be caused by random port scanning of the server.

Check the lmadmin.log file of the license server in the c:\program files\citrix\licensing\ls\logs folder. This lmadmin.log file initially shows that there is a repeated break in communication.

User-added image

The c:\program files\citrix\licensing\ls\logs\CITRIX.log file gives more information about the loss of connection to the license server:

User-added image

The preceding error indicates that there is a loss of connection, because the heartbeat is timing out.

In this scenario, the application event log shows a consistent entry from McLogEvent. This entry comes from the port monitoring function of the McAfee software:

User-added image

The port scanning software interrupts the established connections to the Citrix license server, causing the heartbeat on that port to time out and eventually causing the service to lock up.

Firewall Rules for SMTP Relay services.

I need a solution

Dear all,

I have a (C#) application which connects to SMTP relay services on port 35, and I have added a firewall rule with ..

Any computer and Remote port 35 to allow, which works with Telnet; SEP allows the telnet communication to pass through, but from my application I can't reach the relay server at all, and no events are logged in the SEP client either.

Any solution for this?

Thanks in advance.
