Updating NetScaler Gateway using custom theme

Since version 10.1, NetScaler (Gateway) uses a new mechanism for deploying and maintaining custom design themes for login pages. This works quite a bit better than the old way of using manual boot scripts to copy customized files, but it is still prone to issues, especially after updating the NetScaler firmware.

Before updating firmware, make sure to set the theme back to “Default”. This will not impact your users, because you do this on the SECONDARY node in your HA pair, which is not taking connections at that time. After the update, set the theme to “Custom” again and re-implement the customization, then force an HA failover and repeat on the other node.

What might happen if you change this procedure? A couple of chances to mess things up:

  • Login to the admin UI fails or the UI malfunctions. The Configuration Utility is part of the ns_gui folder that is deployed through the custom theme mechanism. If the theme stays at “Custom”, the updated files will not be part of the customized ns_gui folder, so the admin UI will be old and possibly incompatible with the new firmware.
  • Login through NetScaler Gateway and AAA-TM fails or malfunctions. If the files for login, tmlogin et al. are not updated, they might be missing changes needed to function correctly with the new firmware. Furthermore, the client components (Gateway Plugin, EPA Plugin) will not be updated, and establishing an SSL-VPN in particular will subsequently fail.
  • Update-downgrade loop of the Gateway Plugin: Even if you noticed that the client components need an update and you manually uploaded the new AGEE_setup.exe to your NetScaler Gateway (after you have manually updated the admin_ui folder in your ns_gui_custom folder to be able to log in again…) and your clients have successfully updated, they will still fail to establish SSL-VPN connections. First they were told they need to update the Gateway Plugin to a new version, which they thought they downloaded from the NetScaler Gateway, but they got the same old version. Now they have the new version installed, but upon connection they will be told they need to downgrade to an older version, after which they would be told to update again. This is due to another file not being updated, which compares the client’s version to its own information, which still has the old firmware version.

There might be even more issues, but at least these have been seen in the wild already. So make sure to simply go back to default and redo the customization. A script for creating the archive out of the newly customized files might be helpful. Yes, the archive. Make sure to recreate it after every customization, because it will be extracted and its contents will be used upon every NetScaler boot.
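
The archive script suggested above could look like the following. It is an added example, not code from the original post or from Citrix; the folder name ns_gui is from the post, while the parent directory and the archive path are passed as arguments and are assumptions to adapt to your appliance.

```shell
#!/bin/sh
# Added example, not Citrix's or the author's script. "ns_gui" is the folder
# name from the post; the parent directory and the archive path are arguments
# (assumptions: point them at wherever your appliance keeps the custom theme).

# 0 if the archive lists exactly the files currently under PARENT/ns_gui.
archive_matches_tree() {    # $1 = PARENT, $2 = archive
    in_tar=$(tar -tzf "$2" 2>/dev/null | grep -v '/$' | sort)
    on_disk=$(cd "$1" && find ns_gui -type f | sort)
    [ "$in_tar" = "$on_disk" ]
}

# 0 (stale) if the archive is missing, older than any customized file,
# or no longer lists the same files (something was added or deleted).
archive_is_stale() {        # $1 = PARENT, $2 = archive
    [ -f "$2" ] || return 0
    [ -n "$(find "$1/ns_gui" -type f -newer "$2" | head -n 1)" ] && return 0
    ! archive_matches_tree "$1" "$2"
}

# Build into a temporary file, verify it, then swap it in, so a failed run
# never leaves a truncated archive to be extracted at the next boot.
rebuild_theme_archive() {   # $1 = PARENT, $2 = archive
    [ -d "$1/ns_gui" ] || { echo "no ns_gui under $1" >&2; return 1; }
    tmp="$2.tmp.$$"
    tar -czf "$tmp" -C "$1" ns_gui || { rm -f "$tmp"; return 1; }
    archive_matches_tree "$1" "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$2"
}

# Usage: sh theme-archive.sh PARENT ARCHIVE   (rebuilds only when needed)
if [ "$#" -eq 2 ]; then
    if archive_is_stale "$1" "$2"; then
        rebuild_theme_archive "$1" "$2" && echo "rebuilt $2"
    else
        echo "$2 is current"
    fi
fi
```

Run it after every change to the customized files and once more before a reboot; use absolute paths for both arguments.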

Update: Thanks to Stuart Carroll (@stuart_carroll) for the comment on using the Rewrite feature to modify default themes to reduce risks even more. Whenever possible (the complexity of customization is limited, of course), this is the best way to go. See our (German, sorry) post on using Rewrite for customizing the Clientless Access view to get an idea of that.

Vasco Authentication Server for the Enterprise

We have already done some deployments with Vasco Identikey Server for multi-factor authentication. The solution is not only feasible for One-Time-Password authentication as first and protecting factor in addition to the usual AD or other LDAP directory auth with username and password, but it also provides one-stop authentication in mixed environments and enables different “single-sign-on” scenarios.

Just this week, I did my first deployment with the Virtual Appliances Vasco provides (be aware though that they need to be licensed in addition to the Identikey Server component you usually install on Windows or Linux). They work like a charm. The setup is really Enterprise-ready as in this case it aims at 1,000 users to be authenticated using username, password and an OTP from a physical Vasco Digipass Go6. You don’t want to assign those devices to 1,000 (or even 50) users manually. And you don’t want to create those users manually in Identikey Server.

For user import, you could go for a CSV list import or a filtered LDAP sync. We decided on Dynamic User Registration (DUR) with back-end authentication against Active Directory. You can use group membership as a requirement for registration. Additionally, we configured Self-Assignment for the Digipasses. So now a user receives his or her Digipass, connects to the NetScaler Gateway login page and enters:

  1. Username (automatically converted to lower case to prevent multiple user objects from being created in case somebody hits a shift key)
  2. Digipass serial number, AD password, current OTP, all concatenated in the “Token” field
  3. AD password (the third field could be removed and AD auth delegated to Identikey Server for all cases, but we decided to keep it and do AD auth from Identikey for DUR only)

Identikey Server detects a new user and starts DUR: the password is validated against AD, okay, user created. The OTP is checked against the expected current value for the serial number, okay, Digipass assigned. On subsequent logins, the Token field takes only the OTP. The AD password is validated by NetScaler Gateway on its own (second authentication cascade) and finally the user is logged on and signed in to the Web Interface/StoreFront showing available apps and desktops. Done.

The setup of replication between the Virtual Appliances was a breeze as well. It worked instantly and replicates the database and configuration of the Authentication Server bidirectionally. Just like that.

Citrix Receiver for HTML5 supports HDX Insight and CloudBridge

The new Citrix Receiver for HTML5, version 1.5, now supports HDX Insight and WAN acceleration with Citrix CloudBridge. The increased application transparency makes it much easier to keep an overview of the applications used on the network, their run times and their start and end times.

The Receiver in this version can be updated on the server from StoreFront version 1.4 onward and comes automatically when setting up a StoreFront environment from version 2.6 onward. Using CloudBridge version 7.3.1 brings additional benefits for compression of the data stream and the application of QoS in combination with the new Citrix Receiver.

Source: http://ow.ly/3vDmn4

Why IT Security matters, today: for engineering companies

Recently, a customer of ours pointed me to grabcad.com, a community where engineers from all over the world publish CAD models et al. to show off their skills and “to help other engineers and to speed up development”. What you can find there are full-blown models from almost all major engineering and development vendors. Stuff they would never want to appear outside their own premises, because it is their core value, their intellectual property!

Our customer is happy to have Citrix XenDesktop in place as environment even for their engineers, who work from Hungary. Due to restrictive policies they don’t have a chance to copy models outside the network – even e-mail fails, because the files are larger than the maximum allowed attachment size (one reason why you would want to keep that down).

This is a striking argument showing what you can gain with XenApp and XenDesktop and what risks are out there for your IP. It is much easier to provide centralized compute power, even for 3D modelling, and put your data into a safe-harbor network zone only accessible from these instances than to deploy all sorts of content inspection, data leak prevention and port security, which cut into your workforce's ability to work efficiently.

This is an example I quickly found on GrabCAD showing a complete V12 motor with all nuts and bolts. 22MB, online (browser) 3D viewer enabling selection of assemblies, explode view of all or selected assemblies and so on. Stunning.
