Security bug: Users can change Citrix WI Site by changing path in URL

At first I thought I was going out of my mind, fortunately Citrix Tech Support has confirmed this bug and are working on a solution.

Installing a brand new pair of Citrix NetScaler MPX 5500 with the latest Citrix NetScaler build (9.3-55.6).

The Citrix NetScaler security design was made so to create 9 Access Gateway Virtual Servers all with their own Citrix Web Interface site so that all the traffic could be isolated and different kinds of security measures could be applied to the different Access Gateway Virtual Servers. There are multiple Citrix XenApp Farms in de backend where the different users would land depending of the target audience.

Read more of this post

Access Gateway: “Corrupted Content Error” when using FF7 or higher

“Corrupted Content Error” when logging on to a Citrix Access Gateway Enterprise/Web Interface for NetScaler with Mozilla Firefox 7 or Higher

I’m not yet sure if this is a Citrix issue or a Firefox issue since this problem occurs with a lot more websites with the new Firefox versions. On Citrix Access Gateway Enterprise it seems to occur when using Citrix Access Gateway Enterprise (NetScaler) and Citrix Web Interface for NetScaler (have not yet tested with Web Interface for Windows). Apparently Firefox does not like the fact that either the header Content-Length and/or Content-Disposition values change when passing from the Access Gateway to the Web Interface.

Firefox says web developers need to change there code, I have submitted a support case with Citrix Tech Support. Will let you know what the outcome will be for those interested.

Read more of this post

How to Configure Client Detection and Deployment on Citrix Web Interface for NetScaler

Edit: Updated this post for deployment using the new Citrix Receiver for Windows 3.0 and Citrix Receiver for Mac 11.4

When you are here after searching the web you have probably found out that the Web interface for NetScaler doesn’t nicely deploy (push) the Citrix client as you are used to from Citrix Web Interface for Windows. Here I am going to explain how you can deploy the Citrix Client from Web interface for NetScaler. At least for Windows and Mac. This blog post was based on a document I got from Andrew Sandford, tech support Citrix Systems Ireland. They are working on an official KB article to address this problem. In the mean time I hope this can help some people out.

1. Use WinSCP (or puTTY if you feel comfortable using commandline and tools like vi) to enter the Citrix NetScaler;

2. Go to you Citrix Web Interface directory, in my example I use /Citrix/XenApp, the default first site on Citrix NetScaler: /var/wi/tomcat/webapps/Citrix/XenApp;

Read more of this post

Citrix Allowing more Web Interface Sites on NetScaler

As stated in one of my previous blogs I mentioned that it wasn’t possible to install more then 3 Citrix Web Interface sites on for instance a Citrix NetScaler MPX 5500. If you wanted more then you would have to move to the 7500 series minimum where the limit was 25 Citrix Web Interface sites. For a lot of customers the price difference between the MPX 5500 and the MPX 7500 is not worth just a single Citrix Web interface site.

Appearently Citrix has changed his mind about these hard limits! There was ofcourse a huge gap between 3 and 25 Citrix Web Interface sites and Citrix Support explanation on why this gap existed was that the webserver used for publishing the Citrix web Interface sites could be a huge resource hog and the Citrix NetScaler MPX 7500 is equipped with better/more hardware to facilitate these number of Citrix Web Interface websites. Could be a valid reason ofcourse but you can’t tell me Citrix didn’t limit to 3 Citrix Web interface sites on purpose (marketing).

Read more of this post

Web Interface for Citrix NetScaler – Error “Import SSL certificate failed”

I always create(d) the certificate on a Microsoft IIS Server then exported it as a .pfx import into Citrix NetScaler and let the Citrix NetScaler convert it to a .pem certificate. After this step you can Install the certificate by choosing the same .pem certificate for the Certificate File Name field and Private Key File Name field (see screenshot below). Citrix NetScaler will extract the right certificate from within the .pem file.

With some certificates you would have to download the root certificate and link it to the installed certificate.

After this step you can bind the newly installed certificate to the Access Gateway Virtual Server and it will work fine!

Read more of this post

Web Interface for Citrix NetScaler – Error “Service exists with the same port and service type”

If you have created a Citrix Web Interface on NetScaler and try to add a second Web Interface on a different IP-address you might get the following error: “Service exists with the same port and service type”.

What the Citrix Web Interface for NetScaler tries to do is create the same Service (127.0.0.1:8080) which it did for the first Citrix Web Interface page.

So, all you have to do is bind the newly created Citrix Web interface Virtual Server to the already created Service which points to 127.0.0.1:8080.

Redirect Web Interface on Citrix NetScaler with Rewrite function

When you install and configure Web Interface on Citrix NetScaler nCore you probably notice that there is no option to automatically go to the default Citrix XenApp page as you were used to in a Microsoft IIS install of the Citrix Web Interface. Once you have set up Citrix Web Interface and you add the newly created address in the browser you will get an “Invalid Path” notice. This would mean you (or your users) always would have to fill in the subdirs also.

Off course this can be nicely resolved with a Rewrite function within the Citrix NetScaler and here I will show you how to.

Read more of this post

Web Interface on NetScaler nCore–first impression

I have been waiting anxiously on this feature for a while since it has been delayed by Citrix a number of times, this feature was already announced at Citrix Synergy (SF 2010) back in May. And now I had the chance to install it at a customer which was also very interested in decommisioning his (Microsoft Windows) Citrix Web Interface servers and replacing it with Web Interface on Citrix NetScaler. For me it is the chance to find out what the pros and cons are about this feature.

Installation

Installation was ok, if it was up to me the Citrix Web Interface was just like other components such as Access Gateway just to be enabled within a build. Maybe can expect this in future releases. I installed the Web Interface on a more recent build of the nCore version (Build 98.6) so I had to downgrade to get this working. Good to know is that the Access Gateway customizations were retained which I was very happy about. Because you are downgrading Citrix NetScaler asks you if you would like to import a different nsconfig file.

Creating

There are very few settings possible when working within the NetScaler GUI. There is a wizard which let’s you create the websites.

Read more of this post

Citrix Web Interface on NetScaler nCore

Just got confirmation that Web Interface on NetScaler will be generally available as of the second week of september. For this release it will only support Citrix NetScaler and more specifically only the nCore version.

For those of you that don’t know, this solution let’s you add a Citrix Web Interface module within the Citrix NetScaler. With this solution you will not need a seperate redundant Citrix Web interface solution anymore in the backend. With the implementation of a Highly Available Citrix NetScaler pair you’ll have a fully redundant Citrix infrastructure with less components.

I think this will also be a great solution for Citrix Access Gateway Enterprise, it’s too bad that this will not be supported at the GA release. I hope there will be support for the Citrix Access Gateway Enterprise soon.

You can download the “Web Interface on NetScaler 9.1.e nCore” Tech Preview Release on the Citrix Download site but you will have to install a specific NetScaler build (Build 99.8005.e) to support it. Citrix does not recommend installing this into a production environment!