Recently I was involved at a customer where we deployed a new NetScaler pair with the latest and greatest firmware version. We ran into an issue with certificates. In this blog I will talk about the issues we ran into and how you can solve them.

When you run NetScaler firmware 12.1.48.13 and want to install a PFX certificate, you may receive the following error (No certificates present in the certificate bundle file):

If you do succeed in installing the PFX on NetScaler, you might get an error whilst binding the certificate to a vServer:

Certificate is not server certificate

 

These errors seem to be a bug in the GUI of NetScaler. You can solve this by doing the following:

  • Upload the certificate file to /nsconfig/ssl
  • SSH into NetScaler and run: add ssl certkey <name_of_certificate> -cert /nsconfig/ssl/<name_of_pfx> -key /nsconfig/ssl/<name_of_pfx> -password <enteryourpasswordhere>

After running this on the CLI you are able to bind your certificate to vServers again.
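
A pre-flight check that can be run before the CLI import, added here as an example (not code from the original post): it uses openssl to confirm that the PFX holds a certificate and a private key and that the leaf passes OpenSSL's "SSL server" purpose test, which helps tell a bad bundle apart from the GUI bug. The function names, the PFX_PASS variable and the sample certificate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a PFX with openssl before running 'add ssl certkey'.
# Password comes from the env variable PFX_PASS (assumed name), not from argv.

# Number of certificates in the bundle; 0 means nothing could be read.
count_pfx_certs() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}

# Succeeds if the bundle also carries the private key.
pfx_has_key() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# Succeeds if OpenSSL accepts the leaf for its "SSL server" purpose.
# Assumption: a stand-in, NetScaler's own server-certificate test may differ.
pfx_is_server_cert() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -purpose 2>/dev/null | grep -q '^SSL server : Yes'
}

# Prints one verdict line; the return code names the first failed check.
preflight_pfx() {
    n=$(count_pfx_certs "$1")
    [ "$n" -gt 0 ] || { echo "FAIL: no certificate readable (password or bundle)"; return 1; }
    pfx_has_key "$1" || { echo "FAIL: no private key in bundle"; return 2; }
    pfx_is_server_cert "$1" || { echo "FAIL: leaf is not a server certificate"; return 3; }
    echo "OK: $n certificate(s), key present, usable as server certificate"
}

# Constructed sample: self-signed certificate with the given extended key usage.
make_sample_pfx() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=gateway.example.test" \
        -addext "extendedKeyUsage=$2" -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" -passout env:PFX_PASS -out "$1"
    rm -rf "$d"
}

# Usage: PFX_PASS=... sh preflight.sh <file.pfx>; with no argument a sample is checked.
if [ "$#" -ge 1 ]; then
    preflight_pfx "$1"
else
    PFX_PASS="Constructed-Pw1"; export PFX_PASS; s="${TMPDIR:-/tmp}/sample_$$.pfx"
    make_sample_pfx "$s" serverAuth && preflight_pfx "$s"; rm -f "$s"
fi
```

A return code of 1 or 2 points at the file or its password, 3 at the certificate's usage; a bundle that passes all three checks and still fails in the GUI fits the behaviour described above.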

Hope this helps you in adding certificates to your NetScaler again!

<UPDATED: 24-07-2018 - Changed command to add ssl certkey due to recent comments, my bad, I think it was a typo! </UPDATED>

 


While I was working on a side project I found the need to have some kind of logging while using my Spoof User Profile program. I did some code editing and now the new version of the Spoof User Profile program uses logging when switching the state key(s).

The path of logging is made configurable, in two ways:

  1. By using an environment variable SPOOF:
  2. By using a parameter /LOC=<path to logging>

The /LOC parameter takes precedence over the environment variable.

You can download the program from the Download Section. Download the program there and leave me a comment with your ideas about the program!


In a previous blog I wrote about adding a footer to the NetScaler gateway. Since that post Citrix has included the RfWebUI theme.

Citrix has posted a support article on how to add a footer to this theme.

Specifically, the following piece of code is taken from that article:

add rewrite action rw_act_insert_loginfooter_2 insert_after_all "HTTP.RES.BODY(120000).SET_TEXT_MODE(IGNORECASE)" q{"(\"<div style='text-align:center;color:white;font-size:15px;'>Experiencing technical difficulties?<br>Open the"+" <a style='color:white;text-decoration:underline' href='http://citrix.com'>Citrix Guide</a> or Report an issue to the"+" <a style='color:white;text-decoration:underline' href='mailto:This email address is being protected from spambots. You need JavaScript enabled to view it.'>Citrix Support</a>team</div>\")"} -search "text(\"customAuthBottom\")"

add rewrite policy rw_pol_insert_loginfooter_2 "HTTP.REQ.URL.CONTAINS(\"/LogonPoint/index.html\")" rw_act_insert_loginfooter_2

Sticking to that code you will end up with the following

The lines from the Citrix article actually need to be changed. Where the article uses

<a style='color:white;text-decoration:underline' href='mailto:This email address is being protected from spambots. You need JavaScript enabled to view it.'>Citrix Support</a>team</div>\")"}

it should be:

<a style='color:white;text-decoration:underline' href='mailto:This email address is being protected from spambots. You need JavaScript enabled to view it.'>Citrix Support</a> team</div\")"

When that is applied there will be no text visible that is not wanted or accounted for.

You will end up with this:

For every theme it is possible to add a footer to the login box, which makes the need for manually customizing the portal theme less relevant and thus makes customizing the NetScaler portal more sustainable. That is a good thing if you ask me.


I recently was involved in an assignment which involved upgrading Immidio Flex+ to VMware UEM. This upgrade is fairly simple, but can be pretty annoying for end-users, where an upgrade may impact their user experience.

First of all, I will try to explain what group policy extensions are and what they do. Group Policy extensions are extensions (well duh) of the standard Microsoft Group Policy objects. They rely on the group policy service, have their own .adm(x) templates and are processed by the group policy engine.


My colleague Arno Meijroos was at a customer where they were experiencing disconnects when using Citrix Receiver 4.6. When the customer used Receiver 4.5 no disconnects occurred.

NetScaler was running on Firmware version 11.1.50.10. An MPX was used.

Whilst looking at trace files on the NetScaler and client side, all that was noticeable was that the connection was terminated on the NetScaler side.

On the NetScaler, custom cipher suites were defined to get an A+ rating in SSL Labs.

After working a little with Citrix Support, they came up with the following workaround:

Unbind the following ciphers from the custom cipher suite:

TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

After removing these two ciphers from the suite, no more disconnects happen.

 

For now I would advise staying on Receiver 4.5 or, if there is any need for Receiver 4.6, removing the ciphers described above from your cipher suite.
