(External Pentest) Citrix - Checklist - NetScaler Gateway 11.1 Virtual Server - Carl Stalhood
For basic ICA Proxy connectivity to XenApp/XenDesktop, you don’t need to install any NetScaler
Gateway Universal licenses on the NetScaler appliance.
However, if you need SmartAccess features (e.g. EPA scans), or VPN, then you must install NetScaler Gateway Universal licenses. These licenses are included with the Platinum editions of XenApp / XenDesktop, Advanced or Enterprise editions of XenMobile, and the Platinum edition of NetScaler.
NetScaler 11.1 build 49 and later come with built-in Gateway Universal licenses: NetScaler
Standard Edition = 500 licenses, NetScaler Enterprise Edition = 1000 licenses, and NetScaler
Platinum Edition = unlimited licenses.
When you create a NetScaler Gateway Virtual Server, the ICA Only setting determines if you need NetScaler Gateway Universal licenses or not. If the Virtual Server is set to ICA Only, then you don’t need licenses. But if ICA Only is set to false then you need a NetScaler Gateway Universal license for every user that connects to this NetScaler Gateway Virtual Server. Enabling ICA Only disables all non-ICA Proxy features, including: SmartAccess, SmartControl, and VPN. If you don’t need any non-ICA Proxy features, then you don’t need any Gateway Universal licenses, and you can skip to the next section.
If you are running NetScaler Platinum Edition 11.1 build 49 or later, then you already have unlimited licenses and can skip to the next section.
For other NetScaler editions and older builds, you can install more Gateway Universal licenses. The Gateway Universal licenses are allocated to the case sensitive hostname of each appliance. If you have an HA pair, and if each node has a different hostname, allocate the Gateway Universal licenses to the first hostname, and then reallocate the same licenses to the other hostname.
To upload the allocated Gateway Universal licenses to the appliance, go to System > Licenses. A
reboot is required.
After NetScaler Gateway Universal licenses are installed on the appliance, they won’t necessarily be available for usage until you make a configuration change as detailed below:
5. Change the Maximum Number of Users to your licensed limit. In NetScaler 11.1 build 49
and newer, this value should already match the number of licensed users. In older builds,
you must manually configure this setting, and if not configured, then it defaults to only 5
concurrent connections.
6. If desired, check the box for Enable Enhanced Authentication Feedback. Click OK.
1. Create a certificate for the NetScaler Gateway Virtual Server. The certificate must match the
name users will use to access the Gateway.
2. For email discovery in Citrix Receiver, the certificate must have subject alternative names
(SAN) for discoverReceiver.email.suffix (use your email suffix domain name). If you have
multiple email domains then you’ll need a SAN for each one.
9. Check the box next to ICA Only. This option disables SmartAccess and VPN features
but does not require any additional licenses.
10. Check the box next to DTLS, and click OK.
11. DTLS enables EDT protocol, UDP Audio, and Framehawk. 💡
12. EDT requires UDP 443 on client side, and UDP 1494/2598 on server side.
13. DTLS (including EDT), will not work if Mac Based Forwarding is enabled. 💡
16. Select a previously created certificate that matches the NetScaler Gateway DNS name and
click Select.
20. In the Basic Authentication section, click the plus icon in the top right.
21. Note: it’s also possible to disable authentication on Gateway and make StoreFront do it instead as described in Citrix CTX200066 How to Log On to StoreFront When Authentication is Disabled on NetScaler Gateway VIP. However, it’s more secure to require Gateway to authenticate the users before the user can communicate with StoreFront.
23. If you used the authentication dashboard to create the LDAP server then you probably
haven’t created the corresponding policy yet. Click the plus icon to create a new policy.
24. Use the Server drop-down to select the previously created LDAP server.
25. Give the policy a name. The policy name can match the Server name.
26. In the Expression box, enter ns_true, or select it from the Saved Policy Expressions drop-
down. Click Create.
30. Scroll down to the Profiles section and click the pencil icon.
31. In the TCP Profile drop-down select nstcp_default_XA_XD_profile and click OK.
32. In the Policies section, click the plus icon near the top right.
33. Select Session, select Request and click Continue.
35. Select one of the Receiver session policies and click Select. It doesn’t matter in which order
you bind them.
41. Select the other Receiver session policy and click Select.
42. There’s no need to change the priority number. Click Bind.
43. The two policies are mutually exclusive so there’s no need to adjust priority. Click Close.
44. On the right, in the Advanced Settings section, click Published Applications.
48. To bind another Secure Ticket Authority server, on the left, in the Published Applications
section, click where it says 1 STA Server.
51. This view shows if the STAs are reachable or not. To refresh the view, close the STA Bindings list and reopen it.
bind vpn vserver gateway.corp.com -policy "Receiver for Web" -priority 110
bind vpn vserver gateway.corp.com -policy Corp-Gateway -priority 100
52. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.
set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
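The complete CLI form of step 52, added here as an example rather than taken from the post. It assumes a Gateway vServer named gateway.corp.com (the placeholder used in the bind commands above), creates a cipher group whose name (Modern) is this example's choice, and uses NetScaler's own names for the ECDHE AES-GCM suites; the HSTS parameters assume the native vServer HSTS support in 11.1.

```netscaler
# Added example (not the post's own): hardening one Gateway vServer.
# Placeholders: gateway.corp.com (vServer), Modern (cipher group name).

# Protocols: SSLv3 and TLS 1.0 off, TLS 1.1 and 1.2 on.
# Check your Receiver/Workspace client inventory before turning TLS 1.0 off.
set ssl vserver gateway.corp.com -ssl3 DISABLED -tls1 DISABLED -tls11 ENABLED -tls12 ENABLED

# Cipher group limited to forward-secret AEAD suites, strongest first
add ssl cipher Modern
bind ssl cipher Modern -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher Modern -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2

# Swap the DEFAULT cipher group on the vServer for the new group
unbind ssl vserver gateway.corp.com -cipherName DEFAULT
bind ssl vserver gateway.corp.com -cipherName Modern

# Strict Transport Security; max-age is five years expressed in seconds
set ssl vserver gateway.corp.com -HSTS ENABLED -maxage 157680000

# Verify: only TLS 1.1/1.2 should show ENABLED, and only Modern should be bound
show ssl vserver gateway.corp.com
```

Re-run the SSL Labs test from the "tests" section below after applying these; the cipher group, protocol list and HSTS header are the three items it scores.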
After you’ve created the Gateway Virtual Server, run the following tests:
1. Citrix CTX200890 – Error: “1110” When Launching Desktop and “SSL Error” While Launching an Application Through NetScaler Gateway: You can use OpenSSL to verify the certificate. Run the command: openssl s_client -connect gateway.corp.com:443. Replace the FQDN with your FQDN. OpenSSL is installed on the NetScaler or you can download and install it on any machine.
2. Go to https://www.ssllabs.com/ssltest/ and check the security settings of the website. Citrix
Blogs – Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update.
Gateway Portal Theme
Citrix Blog Post Branding your Deployment Part 2: Matching NetScaler to StoreFront explains
NetScaler Gateway Portal Themes, how to edit the Portal Theme CSS, and warns about GUI
changes overwriting CSS file changes.
If you want the logon page for NetScaler Gateway to look more like StoreFront 3.0 and newer,
enable the built-in RfWebUI or X1 theme. RfWebUI is optimized for Unified Gateway (Clientless
VPN) since it provides the exact same appearance and user experience as StoreFront 3.x. The
Unified Gateway RfWebUI theme can display RDP Links and Web Links (bookmarks) along with
the familiar StoreFront apps and desktops. Note: RfWebUI requires StoreFront 3.6 or newer.
1. Go to NetScaler Gateway > Virtual Servers and edit an existing Virtual Server.
2. On the right, in the Advanced Settings section, click Portal Themes.
3. On the left, Change the Portal Theme drop-down to RfWebUI. Click OK.
4. Click Done.
5. When you access the NetScaler Gateway login page you’ll see the theme.
Custom Theme
You can also create your own theme by starting from one of the built-in themes:
4. In the Look and Feel section, there are two sub-sections: one for Home Page and one for
Common Attributes.
5. The Home Page is for Unified Gateway (aka VPN Clientless Access). Notice that the Websites Sections can be disabled.
6. The Help Legend link shows you what the other fields modify.
7. If you want to modify the logon page, use the Common Attributes sub-section.
8. The Help Legend link shows you what the fields modify.
13. Make changes as desired (e.g. Password Field Titles) and click OK.
14. At the top of the screen, click the link to Click to Bind and View Configured Theme.
15. Select a Gateway Virtual Server and click Bind and Preview.
16. The logon page is displayed.
18. Citrix CTX209526 NetScaler; How to Copy a Portal Theme from the Device running version
11.0 to another Device running 11.0.
SSL Redirect
Use one of the following procedures to configure a redirect from http to https. Responder
method is preferred.
Responder method
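An added example of the Responder method (not the post's own commands): a plain-HTTP load balancing vServer on the Gateway's public IP that answers every request with a redirect to the https URL. Names, the IP 203.0.113.10 and the dummy service address 192.0.2.1 are placeholders; the dummy service with health monitoring disabled only exists to keep the HTTP vServer UP.

```netscaler
# Added example (not the post's own): http -> https redirect with Responder.
# Placeholders: 203.0.113.10 (Gateway VIP), 192.0.2.1 (dummy backend).

# Responder action: rebuild the URL the user asked for on https, same host and path
add responder action rsp_act_https_redirect redirect "\"https://\" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.PATH_AND_QUERY" -responseStatusCode 302

# Policy: fire on every valid HTTP request
add responder policy rsp_pol_https_redirect HTTP.REQ.IS_VALID rsp_act_https_redirect

# Dummy service so the port-80 vServer is UP even though nothing real is behind it
add service svc_alwaysup 192.0.2.1 HTTP 80 -healthMonitor NO

# HTTP vServer on the same IP as the Gateway vServer, port 80
add lb vserver lb_gateway_http HTTP 203.0.113.10 80
bind lb vserver lb_gateway_http svc_alwaysup

# Bind the responder policy to the HTTP vServer
bind lb vserver lb_gateway_http -policyName rsp_pol_https_redirect -priority 100 -gotoPriorityExpression END -type REQUEST

# Verify: state UP, responder policy bound
show lb vserver lb_gateway_http
```

HTTP.REQ.HOSTNAME.SERVER carries the host without a port, so a user who typed http://gateway.corp.com/some/path lands on https://gateway.corp.com/some/path; use 301 instead of 302 once you are sure no http content will ever be served there.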
For email-based discovery, add a SRV record to each public email suffix DNS zone. Here are
sample instructions for a Windows DNS server:
3. In the Resource Record Type dialog box, select Service Location (SRV) and then click Create Record.
4. In the New Resource Record dialog box, click in the Service box and enter the host value
_citrixreceiver.
5. Click in the Protocol box and enter the value _tcp.
6. In the Port number box, enter 443.
7. In the Host offering this service box, specify the fully qualified domain name (FQDN) for your NetScaler Gateway Virtual Server in the form servername.domain (e.g. gateway.company.com)
Create an AppExpert > Responder > Policy with Action = DROP and Expression =
HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver/NSGiOSplugin"). Either bind the
Responder Policy Globally, or bind it to the Gateway vServers.
In your Gateway Session Policies, on the Client Experience tab, set the Plug-in Type to
Java. If any of them are set to Windows/MAC OS X, then VPN for iOS is allowed.
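The Responder policy described above in CLI form, added here as an example (not the post's own commands). The policy and vServer names are placeholders; the User-Agent expression is the one given in the text, and DROP is the built-in responder action, so no action object is needed.

```netscaler
# Added example (not the post's own): drop VPN requests from the iOS
# Receiver plug-in. Placeholders: rsp_drop_ios_vpn, gateway.corp.com.

# Policy with the built-in DROP action
add responder policy rsp_drop_ios_vpn "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver/NSGiOSplugin\")" DROP

# Option A: bind to one Gateway vServer only
bind vpn vserver gateway.corp.com -policy rsp_drop_ios_vpn -priority 100 -gotoPriorityExpression END -type REQUEST

# Option B: bind globally so every Gateway vServer gets it
bind responder global rsp_drop_ios_vpn 100 END -type REQ_DEFAULT

# Verify: the Hits counter increases when an iOS VPN connection is attempted
show responder policy rsp_drop_ios_vpn
```

Bind it one way or the other, not both; the Hits counter on show responder policy is the quickest way to confirm the policy is actually matching, and it is also the number to watch if you want to know how often iOS VPN is being attempted against the Gateway.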
To view active ICA sessions, click the NetScaler Gateway node on the left, and then click ICA
Connections on the right.
show vpn icaconnection
When two factor authentication is configured on NetScaler Gateway, the user is prompted for
User name, Password, and Password 2.
The Password field labels can be changed to something more descriptive, such as Active Directory or RSA:
1. Go to NetScaler Gateway > Portal Themes and edit an existing theme. You can’t edit the
built-in themes so you’ll have to create one if you haven’t already.
2. On the right, in the Advanced Settings column, click Login Page.
3. In the Login Page section, change the two Password fields to your desired text. Click OK.
4. If using the RfWebUI theme, the default text size for the form field labels is 17px. However, the Portal Themes editor defaults to 12px. You can change it back to 16px or 18px by editing Form Font Size in the Look and Feel > Common Attributes section.
5. In the Portal Theme section at the top of the page, you can Click to bind and View Configured Theme to Preview your changes.
6. On Platinum Edition appliances, you might have to invalidate the loginstaticobjects Content Group (Optimization > Integrated Caching > Content Groups) before the changes appear. This seems to be true even if Integrated Caching is disabled.
Logon Security Message (Disclaimer, EULA)
You can force users to agree to a EULA before they are allowed to login.
Clicking the Terms & Conditions link allows the user to view the EULA text that you have
entered.
3. Give the EULA a name and enter some text. You can even enter HTML code. See the example posted by Chris Doran at Citrix Discussions.
4. Click Create.
The original themes (Default, Green Bubble, and X1) use files from /netscaler/ns_gui/vpn/js and /var/netscaler/logon/themes. A commonly edited file is /netscaler/ns_gui/vpn/js/gateway_login_form_view.js since this file is responsible for rendering the logon form.
The new RfWebUI theme is different than the original themes, because it pulls files from /var/netscaler/logon/LogonPoint/receiver. This means the customizations for NetScaler 11.0 won’t work with the new RfWebUI theme. When reviewing customization guides for NetScaler 11, be aware that most of them won’t work for the RfWebUI theme.
Other Customizations
CTP Sam Jacobs at Adding Text, Links and Other Elements to the NetScaler Logon Page – Part
2 at CUGC explains how to add text to the RfWebUI theme logon page. The process for RfWebUI
is quite different than the older themes:
CTP Sam Jacobs at Adding Text, Links and Other Elements to the NetScaler Logon Page – Part 1
at CUGC explains how to modify custom.css and en.xml to add text below the logon box on the
Logon Page. No Rewrite policies or source code modifications needed.
Citrix CTX215817 NetScaler : How to Customize Footer of NetScaler Gateway Login Page. This article does not work with the RfWebUI theme, but it works with the X1 theme.
Mike Roselli at Netscaler 11 Theme Customization – How to Add Links and Verbiage at discussions.citrix.com has sample rewrite policies to customize the NetScaler Gateway logon page with additional HTML.
Craig Tolley Customising the NetScaler 11 User Interface – Adding Extra Content: add new sections to login page. These sections pull content from local HTML files.
Daniel Ruiz Set up a maintenance page on NetScaler Gateway: configure a Responder policy (see
the blog post for sample HTML code). During maintenance, manually bind the Responder policy
to the Gateway. Manually remove the policy after maintenance is complete.
From John Crawford at Citrix Discussions and Marius Sandbu Enabling Citrix Receiver audio
over Netscaler Gateway with DTLS
Note: Enabling DTLS on the Gateway also enables Framehawk and EDT. See Citrix Policy Settings
for Framehawk configuration.
To enable UDP Audio through Gateway, make changes on both the NetScaler Gateway Virtual
Server and in Receiver:
1. Edit the NetScaler Gateway Virtual Server. In the Basic Settings section click the edit (pencil) icon.
2. Click More.
3. Enable the DTLS option, and click OK.
4. After enabling DTLS, it probably won’t work until you unbind the Gateway certificate and
rebind it.
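The server-side steps 1 to 4 on the CLI, together with the Mac Based Forwarding caveat from the Virtual Server section, added here as an example and not taken from the post. The vServer name gateway.corp.com and the certificate key pair name Gateway-Cert are placeholders.

```netscaler
# Added example (not the post's own): enable DTLS on a Gateway vServer.
# Placeholders: gateway.corp.com (vServer), Gateway-Cert (certkey name).

# DTLS (and therefore EDT) does not work with Mac Based Forwarding, so check
# the mode list first and switch mbf off if it is on
show ns mode
disable ns mode mbf

# Step 3: turn DTLS on for the vServer (UDP 443 must also be open on the firewall)
set vpn vserver gateway.corp.com -dtls ON

# Step 4: DTLS usually does not come up until the certificate is unbound and rebound
unbind ssl vserver gateway.corp.com -certkeyName Gateway-Cert
bind ssl vserver gateway.corp.com -certkeyName Gateway-Cert

# Verify: the vServer output should show DTLS: ON
show vpn vserver gateway.corp.com
```

If other services on the appliance rely on MBF, decide that trade-off before running disable ns mode mbf; the post's note is that DTLS simply will not work while it is enabled.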
Client-side configuration
To edit the default.ica file on the StoreFront server (h/t Vipin Borkar): Edit the file C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica and add the following lines to the Application section:
EnableRtpAudio=true
EnableUDPThroughGateway=true
AudioBandwidthLimit=1
To use GPO to modify the client-side config:
1. Copy the receiver.admx (and .adml) policy template into PolicyDefinitions if you haven’t
already.
2. Edit a GPO that applies to Receiver machines. You can also edit the local GPO on a Receiver
machine.
3. Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Receiver.
4. Edit the setting Client audio settings.
5. Enable the setting.
6. Set audio quality as desired. Higher quality = higher bandwidth.
7. Check to Enable Real-Time Transport.
8. Check to Allow Real-Time Transport through Gateway. Click OK.
Next step
When NetScaler Gateway communicates with StoreFront, it adds a header called X-Citrix-Via that contains the FQDN entered in the user’s address bar. StoreFront uses this header to find a matching Gateway object so StoreFront knows how to handle the authentication. In NetScaler 11.0 and newer, you can create a rewrite policy to change this header. This is useful when changing URLs or using DNS aliases for Gateways. See CTX202442 FAQ: Modify HTTP Header X-Citrix-Via on NetScaler for more details.
bind vpn vserver mygateway-vs -policy rwpol_storefront -priority 100 -type REQUEST
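The rewrite action and policy that the bind command above expects, added here as an example rather than copied from the post or from CTX202442. The vServer name mygateway-vs and policy name rwpol_storefront are the ones in the bind line; the action name and the replacement FQDN gateway.corp.com are placeholders, and the policy expression is this example's choice, so compare it with the expression CTX202442 gives before relying on it.

```netscaler
# Added example (not the post's own): normalise X-Citrix-Via so StoreFront
# matches one Gateway object whatever DNS alias the user typed.
# Placeholders: rwact_storefront, gateway.corp.com.

# Action: replace the header value with the FQDN configured on the StoreFront Gateway object
add rewrite action rwact_storefront replace "HTTP.REQ.HEADER(\"X-Citrix-Via\")" "\"gateway.corp.com\""

# Policy: only act when the header is present
add rewrite policy rwpol_storefront "HTTP.REQ.HEADER(\"X-Citrix-Via\").EXISTS" rwact_storefront

# Bind to the Gateway vServer (same line as in the post)
bind vpn vserver mygateway-vs -policy rwpol_storefront -priority 100 -type REQUEST

# Verify: Hits should increase as users log on through an alias
show rewrite policy rwpol_storefront
```

StoreFront still needs a Gateway object whose URL matches the rewritten value; the rewrite only changes what the Gateway reports, not what StoreFront is configured to accept.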
July 2, 2016 Carl Stalhood NetScaler, NetScaler 11.1, NetScaler Gateway 11.1
Kari Ruissalo
April 26, 2017 at 7:52 am
About the customizations, is there a way to change the texts in the clientless
portal in 11.1? Currently in the top-right corner text says “Hello, {Username}”
and I would want to change that to “Logged on user: {Username}”.
I tried to change the en.xml file but it didn’t help. Next step is to use AppExpert rewrite, but if you’d had something ready it’d be much easier!
John
December 15, 2016 at 4:15 pm
I upgraded from 10.5 to 11.1 and in chrome browsers the “user name” and “password” fields on the login page don’t display. The error message in the browser is: “JavaScript is either disabled in or not supported by the Web browser. To continue logon, use a Web browser that supports JavaScript or enable JavaScript in your current browser.”
I’m using a custom X1 theme (customized in the GUI), but this issue occurs using any of the built-in themes as well.
Carl Stalhood
December 15, 2016 at 5:10 pm
Carl Stalhood
December 16, 2016 at 8:50 am
I guess that means you don’t have NTP enabled, which you should.
Use your browser developer tools to see if there are errors in the Console.
Or compare with a working browser.
John
December 16, 2016 at 9:48 am
I'm researching.
Ramesh
August 19, 2016 at 4:57 am
Hi,
Regards
Ramesh
Carl Stalhood
August 19, 2016 at 6:07 am
Jeppe Schoubye
August 8, 2016 at 3:03 am
Hi Carl.
Great article!
One question however.. Some of your screenshots display the Gateway login page without the “Password 2” field. This is exactly what I’m looking for as the procedure has changed in 11.1. Could you please add some info on how to disable this field in version 11.1 (I’m using rfWebUi-theme)
Regards
Jeppe
Carl Stalhood
August 8, 2016 at 6:10 am
Are you saying that you have two-factor enabled but want to hide the 2nd
field in RfWebUI? If so, I haven’t figured out how to do that yet. RfWebUI is
quite different from X1. It behaves more like a Login Schema form – lots of
AJAX.
Jeppe Schoubye
August 8, 2016 at 7:34 am
Yes 🙂
After supplying username and password (LDAP) I receive the passcode in a text message. This is then typed into a separate field which is displayed.
I do not need the Password 2 field which will just confuse the users.
We were able to remove it in version 10.5 but now I need to migrate everything to version 11.1.
Above in step 16 you actually have a screenshot without the Password 2
field.
Carl Stalhood
August 8, 2016 at 7:46 am
Your two-factor product should have instructions for removing the 2nd password field. For X1 theme, the typical file to edit is /netscaler/ns_gui/vpn/js/gateway_login_form_view.js. I don’t know how to remove it from RfWebUI since RfWebUI does not use the gateway_login_form_view.js file.
Beat
November 23, 2016 at 3:48 am
did you see a solution to hide the second password field in RfWebUI? Since the new StoreFront and unified Gateway it is no longer suitable to use X1 theme.. Thanks in advance…
Carl Stalhood
November 23, 2016 at 5:36 am
I have not seen anything yet. Did you post your question to http://discussions.citrix.com?
Jeppe Schoubye
November 23, 2016 at 6:37 am
I’m not sure that this works in RfWebUI but I use the following method
to hide the “Password 2” field:
This will set the “pwcount” cookie to 1 which will remove the extra field
Regards
Jeppe
Tyus
July 5, 2016 at 11:26 am
Carl,
We would be using it for Citrix, Exchange, SharePoint and load balancing other items such as websites.
Carl Stalhood
July 5, 2016 at 11:32 am
For ICA Proxy, you definitely want NetScaler. It’s supported by Citrix, while
F5 is not. NetScaler has AppFlow, which I believe F5 does not.
Otherwise, both F5 and NetScaler can do normal load balancing.