Category: NetScaler

Updated: NetScaler Active/Passive HA in Azure with multiple NICs/IPs (DSR/Floating IP)

I wrote a blog post for NetScaler active/passive HA in Azure with multiple NICs two days ago, and I’ve been trying to figure out if this was the best way to do it. In the other post, I was using IPPattern in NetScaler to set the vServers to a /31 – which does work but…



NetScaler Active/Passive HA in Azure with multiple NICs/IPs

Update: I’ve found out that there’s a much easier way of doing the below in Azure – take a look at the updated blog post: Updated: NetScaler Active/Passive HA in Azure with multiple NICs/IPs (DSR/Floating IP) —— There is a lot of information out there about setting up NetScaler HA in Azure. One way is…



Citrix changing default ICA Protocol from TCP to UDP Q4 2017

For XenApp/XenDesktop versions released in Q4 2017 or later (version 7.16 or newer), the default protocol for ICA traffic will be changed from ICA TCP to Enlightened Data Transport (EDT). EDT is a recently developed protocol from Citrix and is UDP based, unlike traditional ICA, which is TCP based. One of the reasons Citrix developed…



RfWebUI idle timeout

There seems to be an issue with the idle timeout in RfWebUI (verified in NetScaler version 12.0) and I’ve created a workaround until it is solved. It is all based on a JavaScript that checks if the user is logged on, if logged on it starts a timer and when the timer is reached logs…



Remove “Password 2” from RfWebUI

Update: Seems like the first method actually removes a password field when changing password. This shouldn’t do that:

Original post: Have you had an issue with RfWebUI where you need to remove the “Password 2” field when, for example, using RADIUS as primary authentication source (challenge based) and LDAP as secondary? As always, the great…



Publishing XenMobile Self-Help Portal via NetScaler AAA

In our deployments of XenMobile we always recommend that our customers use the Two Factor option for enrollment, requiring username, password as well as a PIN created in the administration GUI of the appliance, for the added security. In larger organizations this can put some toll on the administrators which is why there is a…



Prepopulate username with NetScaler’s RfWebUI

We’ve been seeing an issue with AAA in front of ADFS where credentials entered at the service provider (Office 365 for example) don’t populate the username in the NetScaler login, which works with ADFS. This isn’t the biggest issue, but something that makes it annoying to use AAA instead of pure ADFS. We were able…



DirectAccess with Teredo Protocol requires ICMP traffic to be allowed

With Microsoft DirectAccess (DA) you have three different protocols that you can utilize, with 6To4 and Teredo being the primary ones and IPHTTPS being the fallback if both primary fail/are not configured correctly (6To4 is attempted before Teredo). One thing that is different with Teredo protocol is that the DirectAccess server will send a one-time…



NetScaler user authentication to backend with cookies

A system one of my co-workers is load balancing and configuring AAA/SSO for uses cookies for authentication. The username is inserted using a cookie, for example “username=simon”. It’s very easy to first of all identify this cookie and modify it to another value, which makes it insecure. The idea we got was to stop exposing the cookie…



NetScaler SD-WAN WANOP – How is an optimized TCP session initiated?

NetScaler SD-WAN WANOP Edition tries to optimize all traffic that passes through the device’s interfaces, but it is the TCP session’s handshake that determines whether or not it will be optimized. Sessions judged to be non-optimizable pass through the device’s interfaces unaffected, while sessions judged to be optimizable will benefit from the network optimization that SD-WAN WANOP offers….