Blog archive

Optimizing web content with Citrix Netscaler

This post is based on a session I held for a partner in Norway: how can we use Netscaler to optimize web content?

Let’s face it, the trends are changing:

* Users are becoming less patient, meaning that they demand that applications and services respond quicker (more than 40% of users drop out if a website takes more than 5 – 10 seconds to load). Think about how that affects a web shop or eCommerce site.

* More and more mobile traffic (mobile phones, iPads, laptops, communicating over 3G/4G or WLAN for that matter), and on top of that more data is being sent across the network as well. Web applications become more and more complex, with more code and more components.

* More demands for availability. Users are demanding that services be available at almost every hour. Think about it: 5 – 10 years ago, if something was down for about 10 minutes we didn’t think much about it, but now?

* More demands for secure communication. It wasn’t that long ago that Facebook and Google switched to SSL by default for their services. With more and more hacking attempts happening online, a certain level of security is required.

So what can Netscaler do in this equation?

* Optimizing content with Front-end optimization, Caching and Compression

With the latest 10.5 release, Citrix has made a good jump into web content optimization, with features like lazy loading of images, HTML comment removal, JS minification and inlining of CSS. After the content has been optimized it can be compressed using gzip or DEFLATE and sent across the wire. (Note that most web servers, like Apache and IIS, support gzip and DEFLATE, but it is much more efficient to do this on a dedicated ADC.)

Add caching to store frequently accessed data, and the Netscaler makes a good web optimization platform.

* Optimizing based upon endpoints.

With the current trend of more users connecting from mobile devices over wireless connections, we also need a better way to communicate. A good example here is TCP congestion control: on wireless links you have a higher amount of packet loss, which calls for a congestion algorithm such as TCP Westwood, which is much better suited to wireless connections. Using features like MPTCP (Multipath TCP, on supported devices) allows for higher throughput as well. And the fact that we can apply different TCP settings to different services makes it much more agile.

* High availability

Using features like load balancing and GSLB allows us to deliver a highly available and scalable solution. And using features like AppQoE to prioritize traffic in an eCommerce setting might be a valuable asset. Think of the scenario where we have a web shop, where most of our buying customers come from a regular PC, while most of the mobile users who connect are just checking the latest offers. If we were ever to reach our peak in traffic, it is useful to prioritize traffic based on the endpoint that is connecting.

* Secure content

With Netscaler we can create specific SSL profiles which we can attach to different services. For instance, older applications used by everyone might not have high security requirements, but on the other hand PCI-DSS requires a high level of security. Add to the mix that we can handle many common DDoS attacks at the TCP level and at the HTTP level. We can also use the Application Firewall, which handles many application-based attacks; with its learning feature it can block users who do not follow the common usage pattern on a website, and we can specify URLs which users are not allowed to access.

So to summarize, the Netscaler can be a good component for optimizing and securing traffic, with a lot of exciting stuff happening in the next year! Stay tuned.

Netscaler and Office365 SAML iDP setup

With Netscaler 10.5, Citrix announced support for the SAML Identity Provider feature on the Netscaler. That basically meant that we could, in theory, use the Netscaler as an identity provider for Office365 / Azure AD. I have been trying to reverse engineer the setup, since Citrix hadn’t created any documentation about it.

But now! Citrix recently published the Netscaler iDP setup for Office365: http://support.citrix.com/article/CTX200818

Yay!

On another note, Citrix also released a new build of Netscaler VPX (build 56.12) which fixes the CPU utilization bug on VMware; you can read more in the release notes here –> http://support.citrix.com/article/CTX200818

And there is also a new PCI DSS report which shows compliance with version 3.

Setting up a secure XenApp environment – Netscaler

I recently had the pleasure of discussing a PCI-DSS compliant XenApp environment with a customer. After working with it for the last couple of days there is a lot of useful information that I thought I would share.

PCI-DSS compliance is needed for any merchant who accepts credit cards, for instance an e-commerce site or some sort of payment application. So this includes all sorts of

* Different procedures for data shredding and logging

* Access control

* Logging and authorization

The current PCI-DSS standard is version 3 –> https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

The different requirements and assessment procedures can be found in that document. Citrix has also created a document on how to set up a compliant XenApp environment: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/pci-dss-success-achieving-compliance-and-increasing-web-application-availability.pdf, and you can find some more information here –> http://www.citrix.com/about/legal/security-compliance/security-standards.html

Instead of making this a pure PCI-DSS post, I decided to do more of a “how to secure your XenApp environment” post: what kind of options we have and where a weakness might be.

A typical environment might look like this.

So let’s start by exploring the first part of the Citrix infrastructure, which is the Netscaler. In a typical environment it is located in the DMZ, where the front-end firewall does stateful packet inspection to see what traffic goes back and forth. The most secure way to set up the Netscaler is in one-armed mode, using routing to reach backend resources, with another firewall in between to do deep packet inspection.

The first thing we need to do with Netscaler, when setting up Netscaler Gateway for instance, is to disable SSL 3.0 and the default settings. (We should have MPX to do TLS 1.1 and TLS 1.2; with VPX we are limited to TLS 1.0.)

Also remember to use TRUSTED third-party certificates from known vendors without a known bad history. Try to avoid SHA-1 based certificates; Citrix now supports SHA-256.

It is important to set up secure access to management only (since by default it uses HTTP).

This can be done with SSL profiles, which can be attached to the Netscaler Gateway.

Also set deny SSL renegotiation to NONSECURE. We also need to define some TCP parameters: first make sure that TCP SYN cookies are enabled, which protects against SYN flood attacks, and that SYN spoof protection is enabled to protect against spoofed SYN packets.

Under HTTP profiles, make sure that the Netscaler drops invalid HTTP requests.

Make sure that ICA proxy session migration is enabled; this ensures that only one session at a time is established per user via the Netscaler.

Double-hop can also be an option if we have multiple DMZ zones, or a private and an internal zone.

Specify a maximum number of login attempts and a timeout value, to make sure that your services aren’t being hammered by a dictionary attack.

Change the password of the default nsroot user!!!

Use an authenticated NTP source, which allows for reliable timestamps when logging (this requires NTP version 4 and above), and also verify that the time zones are configured correctly.

Set up SNMP-based monitoring or Command Center to get monitoring information from the Netscaler, or use syslog as well to get more detailed information. Note that you should use SNMP v3, which gives both authentication and encryption.

Use LDAPS-based authentication against the local Active Directory server, since plain LDAP is clear-text; use TLS rather than SSL, and make sure that the Netscaler verifies the server certificate of the LDAP server.

It also helps to set up two-factor authentication to provide better protection against stolen user credentials. If you are using a two-factor authentication vendor, make sure it uses the CHAP authentication protocol instead of PAP, since CHAP is a much more secure authentication protocol than PAP.

Use net profiles to control the traffic flow from a particular SNIP to backend resources. (This allows for easier management when setting up firewall rules for access.)

Enable ARP spoof validation, so we don’t have any forged ARP requests where the Netscaler is placed (the DMZ zone).

Use a DNSSEC-capable DNS server; this allows for signed and validated responses, which makes it difficult to hijack DNS or do MITM on DNS queries. Note that this requires that you add a name server with both TCP and UDP enabled. (Netscaler can function both as a DNSSEC-enabled authoritative DNS server and in proxy mode for DNSSEC.)

If you wish to use Netscaler as VPN access towards the first DMZ zone, the first things you need to do are:

1: Update the SWOT library

2: Create a pre-authentication policy to check for updated antivirus software

3: The same goes for patch updates

In most cases try to use the latest firmware; Citrix releases new Netscaler firmware at least once every three months, which contains bug fixes as well as security patches.

Do not activate enhanced authentication feedback; this lets an attacker learn about lockout policies, or whether a user is non-existent, locked out, disabled and so on.

Set up STA communication using HTTPS (which requires a valid certificate and that the Netscaler trusts the root CA). You also need to set up StoreFront with a valid certificate from a trusted root CA. This should not be an internal PKI root CA, since third-party vendors have a much higher level of physical security.

If for some reason you cannot use SSL/TLS-based communication with backend resources, you can use MACsec, which is a layer 2 feature that allows for encrypted traffic between nodes on Ethernet.
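The checklist above expressed as NetScaler CLI commands, added here as an example and not taken from the original post. Names and addresses (gw_vs, NSIP 10.0.0.10, LDAP server 10.0.1.5 / dc01.example.com, the STA URL, the bind account) are placeholders, the two password values are placeholders to be replaced, and lines beginning with # are explanatory comments rather than CLI input.

```nscli
# Management access on the NSIP: HTTPS-only GUI, SSH only, no telnet or FTP
set ns ip 10.0.0.10 -gui SECUREONLY -ssh ENABLED -telnet DISABLED -ftp DISABLED

# Change the default administrator password (placeholder value)
set system user nsroot <NEW_STRONG_PASSWORD>

# Gateway vServer: no SSL 3.0; TLS 1.1/1.2 where the platform supports them (MPX per the post)
set ssl vserver gw_vs -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED

# Refuse insecure (pre-RFC 5746) renegotiation
set ssl parameter -denySSLReneg NONSECURE

# TCP: SYN cookies against SYN floods, drop spoofed SYNs
set ns tcpProfile nstcp_default_profile -synCookie ENABLED -spoofSynDrop ENABLED

# HTTP: drop malformed requests
set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED

# AAA: lock out after 5 failed logins for 15 minutes, no enhanced authentication feedback
set aaa parameter -maxLoginAttempts 5 -failedLoginTimeout 15 -enableEnhancedAuthFeedback NO

# Gateway: one ICA proxy session per user, STA over HTTPS
set vpn vserver gw_vs -icaProxySessionMigration ON
bind vpn vserver gw_vs -staServer https://sta01.example.com

# LDAPS with server certificate validation (secType SSL = LDAPS on 636; TLS = StartTLS on 389)
add authentication ldapAction ldap_dc01 -serverIP 10.0.1.5 -serverPort 636 -secType SSL -validateServerCert YES -ldapHostName dc01.example.com -ldapBase "dc=example,dc=com" -ldapBindDn "svc_netscaler@example.com" -ldapBindDnPassword <BIND_PASSWORD> -ldapLoginName sAMAccountName

# Verify, then persist the configuration
show ssl vserver gw_vs
show aaa parameter
save ns config
```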

Troubleshooting DNS and LDAP connections Netscaler

So this is something I’ve struggled a bit with in the past, and I also see it in a couple of forum posts on Citrix, and as always there is not much detailed info on how to verify “WHAT THE HELL IS WRONG WITH THE D*** CONNECTION TO DNS AND LDAP!!!”

So therefore I decided to write this post, since both DNS and LDAP are crucial when adding things to the Netscaler.

So let’s start with DNS. There are a couple of ways to add a DNS server on the Netscaler: either UDP, TCP, or TCP & UDP. UDP is the one typically used, since DNS uses UDP by default; TCP is more for zone transfers and so on.

So what happens if we add a DNS server using UDP? Well, the Netscaler is going to ping the DNS server to see if it is alive (so if ICMP is blocked it will show as DOWN), and it will check every 20 seconds whether it responds on UDP/53. Also important to note is that it uses the SNIP address to communicate with the DNS server.

How can we verify that it can do name lookups? (By default most of the built-in tools like nslookup, dig and so on do not work with Netscaler, since it has its own DNS feature built in, and those tools will only query the local DNS, not the external one.)

So to test DNS, use the command

show dns addRec hostname

So if we switch from UDP to TCP it will use a TCP handshake to verify that the server is available, but it is not going to give us a regular DNS query. So what if we cannot reach the DNS server? Using ping from the CLI uses the NSIP by default, but with ping on the Netscaler we can define a source address (which we can set to be one of the SNIP addresses):

ping -S source-address ip-address

If you make a trace file you can also see that it works as it should.

If your SNIP does not have access to the DNS server you need to either define ACLs which allow it to communicate with the DNS server, create a new SNIP which has local access to the DNS server, or define a policy-based route which defines where traffic from the SNIP needs to go in order to reach the DNS servers.

For instance, if I want to set up a specific route for my DNS traffic from my SNIP, I can set up a PBR which looks like this (this is a policy route only for ICMP):

After I create the PBR I have to run the command apply ns pbrs

So that takes care of DNS; what about LDAP? When we set up LDAP servers in Netscaler we have the Retrieve Attributes button. Great! Well, almost… by default it uses the NSIP to retrieve the attributes, so we can use ping to verify network connectivity. We can also use telnet to verify connectivity, since telnet originates from the NSIP.

Shell –> telnet

open 192.168.60.1 389 (this tries to connect to LDAP port 389)

How can you verify it works? It says Connected; if it stays at Trying…, the port is not available. If you want to change this so that the Netscaler uses a SNIP instead of the NSIP, this can be done by setting up a load-balanced vServer for the AD servers, then pointing the LDAP authentication policy to that vServer.
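The DNS and LDAP checks from this post as NetScaler CLI commands, an added example that is not from the original post. The SNIP 10.0.0.20, DNS server 10.0.1.2, next hop 10.0.0.1, domain controllers 10.0.1.5 and 10.0.1.6, the vServer IP 10.0.0.30 and the existing LDAP action name ldap_act are all placeholder values, and lines beginning with # are explanatory comments.

```nscli
# DNS: add the name server (UDP, the default) and check its state
add dns nameServer 10.0.1.2
show dns nameServer

# Trigger a real lookup through the Netscaler's own resolver
show dns addRec www.example.com

# Confirm reachability from the SNIP rather than the NSIP (-S sets the source address)
ping -c 3 -S 10.0.0.20 10.0.1.2

# If the SNIP has no route to the DNS server, steer its ICMP test traffic via a specific next hop
add ns pbr pbr_dns_icmp ALLOW -srcIP = 10.0.0.20 -destIP = 10.0.1.2 -protocol ICMP -nextHop 10.0.0.1
apply ns pbrs
show ns pbr pbr_dns_icmp

# LDAP: attribute retrieval originates from the NSIP by default, so test from the shell
shell
telnet 10.0.1.5 636
exit

# To make LDAP traffic leave from a SNIP, load-balance the domain controllers
# and point the existing LDAP action at the vServer instead of a DC directly
add server dc01 10.0.1.5
add server dc02 10.0.1.6
add service dc01_ldaps dc01 TCP 636
add service dc02_ldaps dc02 TCP 636
add lb vserver ldaps_vs TCP 10.0.0.30 636
bind lb vserver ldaps_vs dc01_ldaps
bind lb vserver ldaps_vs dc02_ldaps
set authentication ldapAction ldap_act -serverIP 10.0.0.30 -serverPort 636 -secType SSL
show lb vserver ldaps_vs
```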

How to use AppQoE on Netscaler

So the last couple of days I’ve been doing a bit of research on Netscaler and prioritizing traffic based on where the endpoint is coming from. This is where AppQoE comes in. AppQoE is a combination of different features rolled into one: HTTP DoS, Priority Queuing and SureConnect.

So what if we have a vServer which is getting pounded by traffic; how do we prioritize it? In AppQoE we have two things: policies and actions.

Let’s say that we want to divide traffic into two priority groups: one for Android-based devices and another for Windows Phone devices. Android devices are given high priority and Windows Phones a lower priority. There are four priorities we can define in AppQoE: HIGH, NORMAL, LOW and LOWEST, and the Netscaler processes traffic from top to bottom, meaning that Android traffic is prioritized over Windows Phone traffic.

So I have an example expression here for Android devices.

My action looks like this:

What it does is basically bind HIGH priority to my AppQoE policy, so there is not much work to do here. Next I have to create an AppQoE policy for my Windows Phone users.

My AppQoE action looks like this. It is important to note that the policy queue depth defines how many connections need to be active before traffic is moved to LOWEST priority. I also have to define max connections: if there are requests over the maximum number of connections, I have the Netscaler display a custom wait page (I chose NS, because then I can use custom HTML code on the Netscaler; if I choose ACS I can use another web server instead).

Now I can attach this policy to a vServer. (Note that SureConnect cannot be enabled on a vServer if it is used with AppQoE.)

Stay tuned for how to set this up with HTTP DoS in order to protect from HTTP attacks as well with AppQoE.
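The two-group AppQoE setup described above as NetScaler CLI commands, an added example rather than the post’s own configuration (its screenshots are not reproduced here). The User-Agent expressions, the vServer name web_vs and the queue depth and connection limits are assumed values, the wait page is assumed to have been imported already under the name wait_page, and lines beginning with # are explanatory comments.

```nscli
enable ns feature AppQoE

# Android traffic: HIGH priority, nothing else to configure on the action
add appqoe action act_android_high -priority HIGH
add appqoe policy pol_android -rule 'HTTP.REQ.HEADER("User-Agent").CONTAINS("Android")' -action act_android_high

# Windows Phone traffic: LOWEST priority. Policy queue depth 100: once that many
# connections are active, further ones are moved to the LOWEST queue. Above
# 500 connections the Netscaler itself (NS) serves the imported wait page.
add appqoe action act_wp_lowest -priority LOWEST -polqDepth 100 -maxConn 500 -respondWith NS -customFile wait_page
add appqoe policy pol_windowsphone -rule 'HTTP.REQ.HEADER("User-Agent").CONTAINS("Windows Phone")' -action act_wp_lowest

# Bind both policies to the load-balancing vServer that is getting pounded
bind lb vserver web_vs -policyName pol_android -priority 10 -type REQUEST
bind lb vserver web_vs -policyName pol_windowsphone -priority 20 -type REQUEST

# Watch queue behaviour and policy hits under load
stat appqoe
show appqoe policy
```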

Using Netscaler to block IP addresses based on pattern sets and the URL responder

Ever wanted a simple way to block pesky IP addresses which are sending a lot of unwanted traffic to your web servers? Of course there is the possibility to use ACLs, but they become cumbersome if we need to add every IP address to an ACL (they also get unmanageable).

Another option we have is to use pattern sets. Pattern sets are basically an index of different strings, which we can then use in an expression to evaluate whether something falls within the category or not.

First we need to create the pattern set under AppExpert –> Pattern Sets, and set it to include all of the IP addresses that we don’t want accessing our websites.

Next we need an expression which can extract the strings and evaluate them against a rule. Go into AppExpert –> Expressions –> Advanced Expressions.

Create a new expression called CIP, where the expression looks like this:

This allows us to use the saved expression when creating a responder policy. Next go into the URL responder and create a new policy.

Now the magic lies within the expression: since we created a custom saved expression we can use that, which basically says CLIENT.IP.SRC.EQUALS_ANY("nonoIPs") (the client IP equals any string in the pattern set nonoIPs), then RESET the connection.

Then we have to bind the policy to either a vServer or globally, and voilà. From now on we only have to update the pattern set the next time we want to block an IP address. But do not mistake this for an ACL: it only blocks HTTP access.
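The pattern set, saved expression and responder policy from this post as NetScaler CLI commands, an added example that is not from the original post. The blocked addresses are constructed documentation-range values, the vServer name web_vs is a placeholder, and lines beginning with # are explanatory comments.

```nscli
# Pattern set holding the addresses to block (constructed sample values)
add policy patset nonoIPs
bind policy patset nonoIPs "203.0.113.17" -index 1
bind policy patset nonoIPs "198.51.100.23" -index 2

# Saved expression: the client source IP equals any entry in the pattern set
add policy expression CIP 'CLIENT.IP.SRC.EQUALS_ANY("nonoIPs")'

# Responder policy using the built-in RESET action (TCP reset, no HTTP response sent)
add responder policy rsp_block_nono_ips CIP RESET

# Bind globally for all HTTP requests, or to a single vServer (commented alternative)
bind responder global rsp_block_nono_ips 100 END -type REQ_DEFAULT
# bind lb vserver web_vs -policyName rsp_block_nono_ips -priority 100 -gotoPriorityExpression END -type REQUEST

# Later: block another address by extending the pattern set, no policy change needed
bind policy patset nonoIPs "192.0.2.44" -index 3

# Verify the entries and the policy hit counter
show policy patset nonoIPs
show responder policy rsp_block_nono_ips
```

Because the rule matches on CLIENT.IP.SRC, it sees the upstream device’s address if another proxy or load balancer sits in front of the Netscaler, and as the post notes it only stops HTTP traffic passing through a vServer, not other protocols.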

“New” Netscaler book project in the making

Over the last couple of months I’ve again been involved with a Netscaler book project with Packt. This is a more advanced book than my previous book, which was more of an introduction to Citrix Netscaler.

This new book is called Mastering Netscaler and has more in-depth information regarding load balancing, AppFirewall and such.

But… I kind of feel that this book only covers a fragment of what users want to read about when they buy a book about Netscaler.

Therefore, in order to get things right, I was thinking about creating a third book about Netscaler which covers all the subjects, the stuff you want to read about. So this post is merely for you to give feedback to me.

Could you please give me a few sentences about what YOU would want included in a Netscaler book? Please drop a comment below this post.

And if you are willing to help me form and maybe contribute to the outline, and possibly help me write the book as well, that would be great; just send me an email at msandbu@gmail.com

Upcoming events and stuff

There’s a lot happening lately and therefore it has been a bit quiet here on the blog. But to give a quick update on what’s happening!

In February: I just recently got confirmation that I am presenting two sessions at the NIC conference (which is the largest IT event for IT pros in Scandinavia) (nicconf.com). Here I will be presenting 2 (maybe 3) sessions.

* Setting up and deploying Microsoft Azure RemoteApp
* Delivering high-end graphics using Citrix, Microsoft and VMware

One session will be primarily focused on Microsoft Azure RemoteApp, where I will show how to set up RemoteApp in both cloud and hybrid mode and talk a little bit about what kind of use cases it has. The second session will focus on delivering high-end graphics and 3D applications using RemoteFX (using vNext Windows Server), HDX and PCoIP, and talk and demo a bit about how it works, pros and cons, VDI or RDS, and endpoints. So my main objective is to talk about how to deliver applications and desktops from the cloud and on-premises…

And on the other end, I have just signed a contract with Packt Publishing to write another book on Netscaler, “Mastering Netscaler VPX”, which will be a kind of follow-up to my existing book http://www.amazon.co.uk/Implementing-Netscaler-Vpx-Marius-Sandbu/dp/178217267X/ref=sr_1_1?ie=UTF8&qid=1417546291&sr=8-1&keywords=netscaler

It will go more in depth on the different subjects and focus on 10.5 features as well.

I am also involved with a community project I started, which is a free eBook about Microsoft Azure IaaS, where I have some very skilled Norwegians with me writing on this subject. It takes some time, since Microsoft is always adding new content which needs to be added to the eBook as well.

So a lot is happening! More blog posts coming around Azure and CloudBridge.

Workaround for Netscaler VPX and VMware ESXi 5.5 Build 2143827

This is a quick post: Citrix has published a workaround for the trouble with Netscaler losing connectivity on VMware after the latest update.

You can find the workaround here –> http://support.citrix.com/article/CTX200278 

This is only until Citrix manages to fix the issue and includes the fix in a newer build of Netscaler.
