Scoring an A+ at SSLLabs.com with Citrix NetScaler – Q2 2023 update

In 2016 Ryan Butler created a PowerShell script to update a NetScaler configuration to score an A+ at the SSL Labs SSL test. I updated this script to score an A+ in 2023.

Credits

This blog post would not be possible without the groundwork from Ryan Butler and Carl Stalhood. Ryan created the initial script and Carl provided me with a current SSL cipher list for Q2 2023.

Updates and tests

Last year I had a few new Citrix NetScaler Gateway VPX setups and needed a fast way to get the SSL settings right. Most of the time I used Ryan's script, but in the meantime it had become outdated. I grabbed the script and the SSL cipher list provided by Carl and produced a working copy that immediately scored an A+ at SSL Labs. Sadly, I did not take the time to create a pull request over at Ryan's GitHub to give back. Today I took the time to tidy up the code, thanks to the Visual Studio Code PowerShell formatter, and to write up the changelog.

Citrix NetScaler Gateway: NPS Extension for Azure MFA fails after introducing the Microsoft Domain Controller security baseline

Microsoft offers a nice set of security baseline GPOs, for direct use in your Active Directory environment. If you make use of the “MSFT Windows Server 2022 – Domain Controller” policy, your NPS installation might start to fail.

Introduction

Many of you probably have a Citrix NetScaler Gateway installation based on the following concept:

Manuel Winkel (deyda):

Microsoft Azure MFA Cloud Service in Citrix ADC

Thomas Preischl:

Citrix ADC / Netscaler Azure MFA Authentication

Those articles describe how to implement Azure MFA with Microsoft Authenticator App push OTP and an on-premises Microsoft NPS server without making use of SAML, which is necessary if you use the ICAProxy Gateway-only license for Citrix NetScaler Gateway.

Potentially ongoing worldwide UDP:443 (EDT) DDoS amplify attack against Citrix (NetScaler) Gateway

Since 19 December 2020, 7pm CET, we have seen a possible worldwide DDoS amplification attack against Citrix Gateway UDP:443 DTLS EDT services.

Changelog

  • 11.01.2021: Added information about the new Citrix ADC Gateway (formerly NetScaler) firmware releases, which solve the memory leak issue with -helloVerifyRequest
  • 24.12.2020: Added information about the official Citrix Knowledge Center article CTX289674
  • 24.12.2020: Added a final summary that repeats all possible solutions
  • 24.12.2020: Made it a lot clearer that -helloVerifyRequest doesn't seem to work well
  • 22.12.2020: Added a warning note that -helloVerifyRequest doesn't work on all Citrix ADC (NetScaler) firmware versions
  • 21.12.2020: Added a third possible solution regarding -helloVerifyRequest
  • 21.12.2020: Initial version

The situation

During the night from Saturday (19.12.2020) to Sunday (20.12.2020) our Zabbix monitoring informed us that several Citrix Gateway VPX (50) appliances were at their license cap. We investigated the situation and soon found out that we had 0 ICA sessions on most of them, hence no explanation for the traffic.

[Figure: Zabbix Citrix Gateway Throughput Monitoring Graph]

HowTo: Create a NetScaler Load Balancing vServer for Citrix Workspace Environment Management on the CLI

Since Citrix released Workspace Environment Management 4.2 there is now a complete section about #WEM in the Citrix eDocs. Part of the new official documentation is a section with load balancing advice. Before that, there was already a superior blog article on the topic by Ryan Revord.
What is still missing is a complete overview of the necessary NetScaler CLI commands. With those you can import your WEM load balancing configuration in less than a minute. As I try to do everything in NetScaler on the CLI, I documented the steps during my first WEM deployment and wanted to share them with the community.

Citrix Certified Associate & Professional – Networking (CCA-N & CCP-N)

Today I passed exam 1Y0-351 after attending the early access classroom CNS-222EAI Early Access: NetScaler for Apps and Desktops in May 2016. I had already passed the CCA-N in August 2016, but forgot to post it here, if I remember correctly.

[Badges: Citrix Certified Associate - Networking (CCA-N); Citrix Certified Professional - Networking (CCP-N)]

I would like to say that the new NetScaler Gateway classroom course CNS-222 was a great help and that the instructor Paul Berr did a great job!

Since the course I barely use the web GUI anymore and have made great progress with CLI-only configurations. I built myself several CLI templates for regular tasks and improved my skills from deployment to deployment.

You can see my earned titles here:
https://www.youracclaim.com/users/marco-hofmann