Configure One Identity Starling with NetScaler

There was a comment recently on the Duo integration blog post about how to do a similar integration between Citrix ADC (NetScaler) and One Identity Starling MFA. Thanks to nFactor authentication, this is a relatively simple task. One Identity Starling is very similar to Duo in that there is a ‘RADIUS agent’ that runs as a service on-prem that communicates with a cloud service. This is the first piece to be configured. Getting Started First, … Read more…

Installing Citrix ADC (NetScaler) on Proxmox

A few days ago, I did a thing and one of the first issues I had was getting a NetScaler (Citrix ADC) appliance up and running on the new host…because, you know…priorities. This scenario is certainly supported as the hypervisor is KVM, but on the initial boot, it got stuck here: And that’s no good. How did we get here? Let’s go through the basics as it’s slightly different than just importing an OVF template. … Read more…

Troubleshooting Tips for Citrix ADC (NetScaler)

I’ve collected numerous Citrix ADC (NetScaler) troubleshooting tips and commands over the years, so here they are. Note that some of these tools, file paths or methods may have changed over time. Also note: single\double quotes are inconsistent (sorry) and usually not needed. Note a third time: don’t copy paste from the web to cli\gui – things will likely get mucked up. Log File Locations ns.conf configuration file /flash/nsconfig ns.conf.x older configuration file; increments after … Read more…

Duo Prompt and NetScaler nFactor Auth

Update Sept 10 2019: After some updates to both sides of the code, this now works natively! For details, see the updated blog post here: https://blogs.serioustek.net/post/2019/09/10/duo-mfa-with-netscaler-nfactor-part-2

Duo Security provides a rich identity management and authentication platform and it is commonly used to enable multi-factor authentication in enterprise networks. Duo is very flexible and has examples for integrating with NetScaler here – you will see that there are two different configuration examples: one for using the … Read more…

NetScaler nFactor Authentication

In case you hadn’t noticed, lots of web services have been changing how they do authentication lately…maybe you’ve heard of some of them: Google …or Microsoft What is really going on here? The forms are applying some intelligence based on who you are or what company you work for. For example, if you work for a company that uses federated authentication for Office 365, you will be redirected back to your company’s IdP. How does … Read more…

Enabling Horizon View PCoIP Connections via NetScaler

This post is probably not necessary because the configuration is pretty simple and easy to get working – all you need are a NetScaler running 12.0 code or later, and a View Connection Server v7.0.1 or later. Currently, it is limited to proxying PCoIP traffic only. NetScaler Settings for PCoIP There are two parts to the configuration on the NetScaler: PCoIP VServer Profiles – located in NetScaler Gateway > Policies > PCoIP ; this is … Read more…

NetScaler SAML and Okta

These days, SAML authentication is mainstream and web services are expected to support it in some fashion or another; the SAML 2.0 standard is over 10 years old at this point! One of the key areas of focus for NetScaler is Authentication and Authorization and as such you would expect full support of SAML – and you’d be right. But if you’ve never worked with the SAML protocol, it can seem very daunting at first! … Read more…

Getting Started with NetScaler IP Reputation

Ever wish that you could just block all network traffic from known bad IP addresses? When you start to think about the logistics of this, it would be nice if you didn’t have to manage it either. If you have NetScaler Platinum, you’ve got both of your wishes – and as an added bonus, it’s free! That’s right, if you have a NetScaler Platinum appliance and you are running build 11.0 or later, you have an … Read more…

NetScaler Authentication Error – /cgi/selfauth

While I was rebuilding my lab, I ran into an issue when building out my demo Exchange OWA front-ended by NetScaler – the error was pretty generic, I would attempt to access the OWA page, was then prompted for authentication by the NetScaler AAA engine running as a part of Unified Gateway, then I was dumped to the following error page: Http/1.1 Service Unavailable – /cgi/selfauth/xxxxx This error page is being presented by the NetScaler, … Read more…

Citrix Secure Gateway is EOL…Now What?

Is Citrix Secure Gateway really End of Life? Not really…it’s tied to the lifecycle of the latest product that it was released with which would be XenApp 6.5 – which is incidentally the last product that it works with. Secure Gateway also does not work with any version of StoreFront, so you’re stuck with Web Interface. What does secure gateway do? It allows for an SSL connection to XenApp and XenDesktop resources to be proxied from … Read more…