Block Windows XP using selective Ciphers on Citrix NetScaler

As you probably know Windows XP is no longer being supported by Microsoft. No (security) updates will be made available for Windows XP making it possibly vulnerable for future exploits.

As an organization you will have to decide what you are going to do about these (probably unmanaged) Windows XP workplaces. There will still be a lot of home workers that use Windows XP and see no reason to upgrade since ’’it works fine’’, from an organization perspective these work places could potentially form a threat to the business. Especially when al sorts of direct connections are being made such as SSL/VPN, but let’s not forget the still very popular Citrix client drive mappings.

From a technical stand point of view we can easily block incoming Windows XP connection to our Citrix NetScaler Gateway virtual server or AAA virtual server (or any other SSL publication) using a selective group of Ciphers.

Quoted from Wikipedia: “a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure”.

Read more of this post

Choose your NetScaler … wisely

I spend a lot of my time breaking down the different models of Citrix NetScaler appliances and different Software Editions within the Citrix NetScaler portfolio.

I decided to set up a blog about this since the path is usually pretty much (lengthy but) the same. This does not mean the answer is always easy because there are a lot of questions that need to be answered.

The first thing I would like to get off my chest is the following: Stop seeing/selling the Citrix NetScaler as a replacement for Secure Gateway. It is so much more than that. I often have discussions with various engineers and consultants telling me that Citrix NetScaler is so expensive for a Remote Access solution because Secure Gateway always used to be free. No offense but a Citrix NetScaler solution belongs to the networking department, not the Citrix XenApp sys admin department. Or maybe limited.

Read more of this post

Creating user customizable announcements for NetScaler Access Gateway

A customer would like to designate a number of people for customizing announcements on the Access Gateway Enterprise page.  This way the organization can announce important changes, planned downtime or other announcements. The advantage of this is that a network engineer does not need to be bothered for displaying all sorts of messages on the Access Gateway by fiddling with the files on the appliances.


Read more of this post

[BUG] ERROR: Feature(s) not licensed [AAA]

This week I was implementing a pair of Citrix NetScaler Standard Edition appliances, mostly to be used for Access Gateway features. As always I started of with the latest Citrix NetScaler firmware which is 73.5 as of this writing. I was configuring Pre-Authentication Policies within GUI, later on I was testing HA failover and noticed that the Pre-Authentication policies were missing after doing a HA Failover.


Read more of this post

To EPA or not to EPA …

For anyone who has not worked with NetScaler Gateway Endpoint Protection Analysis before. It is pre-check before the user get to see the Gateway Logon page it has to comply certain rules that we have programmed the Gateway with. Sometimes I here people say that there is no future for EPA, but I would like to show a use-case which still is actively deployed using NetScaler Gateway and EPA’s.

This feature was already present with the Citrix Access Gateway Advanced using Citrix Advanced Access Control Option Server, yes did it! :-).

What it does is that upon client request it will launch a small piece of Citrix client software to check if the client meets our requirements for connecting. This is triggered by using an ActiveX component within Internet Explorer of Firefox. If the software is not installed it will prompt the user to do so.

Read more of this post

[BUG] Citrix (Branch) Repeater reboots spontaneously

Deployed the newest Citrix Repeater firmware on to two Citrix Repeater 8540 series. Only one appliance gave the error statement “Internal consistency checking has detected an unexpected restart (1)” and initiated a dump. Transferred the diagnostic files to Citrix Support where they were analyzed which confirmed a bug (BUG0354515).


It seems to be caused by a uninitialized variable during Auto App Discovery within ICA.

In all honesty it happened only once, so I still mark the event as an incident. Citrix has confirmed the bug (BUG0354515) and it will be fixed in the next minor ( or major (7.x) software release (they are not yet sure).


Update: Citrix Support has indicated that the bug will be fixed in release 6.2.1.

Performance degrades when enabling Citrix (Branch) Repeater Traffic Acceleration

An interesting problem where a customer has a PoC environment to see if Citrix Repeaters would add value to the Citrix XenApp/XenDesktop implementation over a WAN connection with the help of a Citrix Repeaters 8540 on each end.

Whenever the Traffic Acceleration mode was enabled performance of the XenApp/XenDesktop connection was worse then having Traffic Acceleration disabled. Movies would play frame by frame, it would take ages to move a AutoCAD object from A to B within a drawing.

The ‘receiving’ Citrix Repeater’s Log mentioned Fragmented IP Packets are being received.

Read more of this post


Get every new post delivered to your Inbox.

Join 44 other followers