
Citrix NetScaler: An ideal replacement for Microsoft TMG

NetScaler not only provides all the functionality of Forefront Threat Management
Gateway, but adds many additional features to optimize, protect and scale
web-based applications. One of the principal uses of NetScaler is to front-end
applications such as Microsoft Lync, SharePoint and Exchange in enterprise datacentres
of all sizes.

Citrix NetScaler is the most comprehensive Application Delivery Controller
available. NetScaler not only includes all the capabilities of TMG, it is the
most complete ADC on the market. NetScaler adds load balancing and Layer 4
connection management along with caching, compression, Layer 7 content
optimization, content filtering, URL filtering, content rewrite, policy processing,
an application layer firewall, network access control, SSL VPN and many other
modules. NetScaler installations may start by replacing TMG features, but the
impact of NetScaler on application networking services has tremendous upside
as additional features are used. NetScaler took the added step of supporting
applications with 'AppExpert Templates'; these are abstractions of application
deployments through NetScaler. These predefined and freely available templates
provide IT administrators with configurations that optimize performance for a
specific application.

NetScaler has been tested and validated with key Microsoft applications including
Exchange, Lync and SharePoint, and complete deployment guides are available.
NetScaler has demonstrated proven secure access technology working in
conjunction with extensive authentication, optimization and acceleration modules.
With this broader set of application-oriented features, NetScaler is not just the best
product available for replacing TMG; it also provides additional value for
Microsoft applications and environments.

To continue reading, check out this document from Citrix


Http to https Redirect Citrix WebInterface with CSG

Over the last few years I have found several Web Interface sites that were supposedly secured with SSL and an HTTP to HTTPS redirect.
What I have seen is that people follow the Citrix article CTX127865.

What they miss is that even though IIS redirects the main/root page http://mywebinterface.com to https://mywebinterface.com, there is no redirect for sub pages such as /Citrix and /Citrix/XenApp.
If you open your Web Interface, you see that you are automatically sent from HTTP to HTTPS and on to the sub site /Citrix/XenApp over HTTPS, and it all looks good.
But if you now remove the S from https in the address, you are still able to access, and even log in to, the portal without using SSL.

The problem with this is that a man-in-the-middle can perform proxy redirection and sniff all the traffic with Wireshark or similar software, and obtain usernames and passwords sent in clear text.
To fix this, and require ONLY SSL traffic, you can do the following.

1. Continue to use CTX127865, but redirect to the complete "public" FQDN, e.g. http://myportal.mycompanyurl.com/Citrix/XenApp/, instead of internal names.
2. In the hosts file on the server, %windir%\system32\drivers\etc\hosts, add the URL/FQDN you are redirecting to, according to CTX127865.
3. In IIS Manager, for the site (usually Default Web Site), go to SSL Settings, check "Require SSL" and apply.

Users that browse to HTTP will now get an error page; this can be used to forward them to HTTPS instead of showing the error page itself.
4. Open "Error Pages" in IIS Manager (not the one under ASP.NET) and double-click error 403. Change the action from "Insert content…" to "Respond with a 302 redirect", and type the absolute URL of the website (https) pointing at the root folder, since you already have a redirect in place there; this way there are fewer places to change the URL if anything changes later.
5. Create a new error code, 403.4 (the "SSL required" sub-status), with the same 302 redirect.

If you have CSG on the same server as this Web Interface, you now have to edit its configuration as well.
6. Use indirect access, but remove the check for "installed on this computer" under access options (when running the configuration wizard again).
7. Add the FQDN of the website (the same as before, and in the hosts file) and check "Secure traffic between the Web Interface and the Secure Gateway".
Remember to change the port you selected for IIS (most guides will tell you to change the IIS port to 442 or 444 and run CSG on 443).

Save the settings and perform iisreset.
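Once the steps above are in place, the thing to verify is that every path, not only the root, is turned away from plain HTTP. The following PowerShell check is an added example and not part of the original post; the host name, HTTP port and list of paths are placeholders to adjust to your deployment. It requests each path over HTTP without following redirects and reports whether the answer is a redirect to https, a plain 403 (error page not yet switched to a 302), or a page served in clear text.

```powershell
# Added example, not from the original post: confirm that every Web Interface path
# is redirected to HTTPS. Host name, port and paths are placeholders.
$hostName = 'myportal.mycompanyurl.com'   # placeholder: the public FQDN used in the redirect
$httpPort = 80                            # placeholder: the port IIS still answers HTTP on
$paths    = '/', '/Citrix/', '/Citrix/XenApp/', '/Citrix/XenApp/auth/login.aspx'

function Test-HttpsRedirect {
    param([string]$Url)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false       # we want to see the redirect, not follow it
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers surface as exceptions; the response object is still attached
        $resp = $_.Exception.Response
        if (-not $resp) {
            return [pscustomobject]@{ Url = $Url; Status = 'no response'; Location = ''; Result = 'ERROR: no answer from server' }
        }
    }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()

    $result = switch ($true) {
        { $status -in 301,302,307,308 -and $location -like 'https://*' } { 'OK: redirected to HTTPS' }
        { $status -in 301,302,307,308 }                                  { 'FAIL: redirect target is not https' }
        { $status -eq 200 }                                              { 'FAIL: page served over plain HTTP' }
        { $status -eq 403 }                                              { 'FAIL: 403 without redirect (error page not set to 302)' }
        default                                                          { "CHECK: unexpected status $status" }
    }
    [pscustomobject]@{ Url = $Url; Status = $status; Location = $location; Result = $result }
}

$paths | ForEach-Object { Test-HttpsRedirect -Url "http://${hostName}:$httpPort$_" } | Format-Table -AutoSize
```

Run it from a client on the same network as your users, since that is the vantage point an attacker on the path would have; every row should read OK, and a 200 on any sub path means the portal still accepts credentials in clear text.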


Change or publish Citrix PNAgent site with GPO

To either change or publish the Citrix PNAgent site with GPO, you can use Group Policy Preferences.
Which keys you need depends on the environment and on whether the clients have previously been using PNAgent with a different server address.

If PNAgent was previously used, both the user and the computer registry keys have to be changed; for new users only the HKLM key has to be set.

Action: Replace
Hive: HKEY_CURRENT_USER
Key Path: SOFTWARE\Citrix\PNAgent
- or -
Key Path: SOFTWARE\Wow6432Node\Citrix\PNAgent (64-bit computers)
Value Name: ServerURL
Value Type: REG_SZ
Value Data: https://myserveraddress/Citrix/PNagent/config.xml

Action: Replace
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Citrix\PNAgent
- or -
Key Path: SOFTWARE\Wow6432Node\Citrix\PNAgent (64-bit computers)
Value Name: ServerURL
Value Type: REG_SZ
Value Data: https://myserveraddress/Citrix/PNagent/config.xml
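To decide whether only the HKLM key or both hives need the preference item, and to confirm the result after the policy has applied, it helps to read the value back from all four locations on a client. The script below is an added example, not part of the original post; the expected URL is a placeholder. It flags values that are missing, that still point at the old server, or that do not use https.

```powershell
# Added example, not from the original post: read the PNAgent ServerURL from the four
# locations a policy can write to and report which ones still need attention.
$expected = 'https://myserveraddress/Citrix/PNagent/config.xml'   # placeholder: your new config.xml URL

$locations = @(
    'HKLM:\SOFTWARE\Citrix\PNAgent',
    'HKLM:\SOFTWARE\Wow6432Node\Citrix\PNAgent',
    'HKCU:\SOFTWARE\Citrix\PNAgent',
    'HKCU:\SOFTWARE\Wow6432Node\Citrix\PNAgent'
)

function Get-PNAgentServerUrlStatus {
    param([string[]]$Paths, [string]$Expected)
    foreach ($path in $Paths) {
        # -ErrorAction SilentlyContinue: a missing key or value simply yields $null
        $value = (Get-ItemProperty -Path $path -Name ServerURL -ErrorAction SilentlyContinue).ServerURL
        $state = if (-not $value)                     { 'not set' }
                 elseif ($value -eq $Expected)        { 'OK' }
                 elseif ($value -notlike 'https://*') { 'WARN: not https' }
                 else                                 { 'MISMATCH: old or other server' }
        [pscustomobject]@{ Path = $path; ServerURL = $value; State = $state }
    }
}

Get-PNAgentServerUrlStatus -Paths $locations -Expected $expected | Format-Table -AutoSize
```

Run it in the user's own session (the HKCU rows are per user); an HKCU row showing MISMATCH on a migrated client is the case where the user-side preference item is required as well as the HKLM one.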


Lost password Trend Worry Free Business Security

Ever been in the situation where a former IT admin lost track of the login for the Trend WFBS console?
Then this comes in handy.

Browse to %programfiles%\Trend Micro\Security Server\PCCSRV\Private\
Edit ofcserver.ini and locate the section [INI_SERVER_SECTION].

Change the line "Master_Pwd=!Crypt!somethinghere" to "Master_Pwd=70".
Open the Services snap-in and restart the Trend Micro Security Server Master Service.

You should now be able to log in with the password "1".


Multiple Desktop Sessions Citrix XenApp 6.5 and WebInterface 5.4

When a user accesses a published Citrix desktop via Web Interface, there is a chance they launch two desktops even though the allowed limit is set to one. By double-clicking the published desktop icon quickly, the user may bypass the limit while Citrix XenApp catches up.

Users rapidly clicking on published application icons can initiate multiple sessions before the application instance counter has been updated.
To address this problem, you can configure resource icons to become inactive for a specific period of time after the user has clicked them. During this time further clicks are ignored and the cursor changes to indicate that the icon is no longer clickable, preventing the user from starting any further instances of the resource.

To use this feature you must modify the Citrix Web Interface configuration file (WebInterface.conf) manually. It cannot be set up using the Citrix Web Interface Management Console.

Note: Before making any manual modifications to WebInterface.conf, make sure the Citrix Web Interface Management Console is closed.

Locate the WebInterface.conf file in this directory: \Inetpub\wwwroot\Citrix\SiteName\conf
Open the file with Notepad and search for the following entry:
#MultiLaunchTimeout=[Number of Seconds (2)]
Remove the # sign and the [Number of Seconds (2)] part.
Enter the number of seconds desired.
The entry should then look like this, for example: MultiLaunchTimeout=2
Save the file and test.
The value specifies the time for which resource icons are inactive following the user's initial click to start the resource.
I would use a value of at least 10 seconds.


Exchange 2010 Activesync on users in Administrators, inheritance of security

A little background: Exchange 2010 adds a passel of schema and security extensions. I am not going to discuss the schema extensions here but focus on the security additions. The security that is of interest here is all at the domain level, on the domain object. Two new security groups are added for Exchange 2010, 'Exchange Trusted Subsystem' and 'Exchange Windows Permissions', each with 17 ACEs (if I count correctly). Additional ACEs are also added for the 'Exchange Servers' group. The important ACEs here are:
•Allow create/delete rights for msExchangeActiveSyncDevices child objects to a user object,
•Allow create/delete rights for msExchangeActiveSyncDevice child objects to the above msExchangeActiveSyncDevices object, and
•Read/write all properties of these new objects.

I am not privy to why Microsoft does things, but prior to Exchange 2010 there was no structure to contain ActiveSync device information other than the user account or the mailbox itself. With the msExchangeActiveSyncDevices object acting as a container, a user can now have multiple msExchangeActiveSyncDevice objects for multiple ActiveSync devices, e.g. a phone and an iPad. Forward thinking. Very good Microsoft. Oops, I said I wasn't going to discuss schema extensions.

So why does any of this matter? Here is why. The security that allows Exchange to create, delete and use these new objects is all inherited from the domain object. If it does not inherit down to a user object, Exchange cannot create the new objects. The result is simple: move the user's mailbox to an Exchange 2010 server and their phone stops syncing.

There can be various reasons the security is not inherited. At one extreme, you could be in a hosted environment running some variant of Microsoft Provisioning Services (MPS). At the other, a network admin who is no longer there was too clever by half and blocked inheritance on OUs for reasons no one remembers. Whatever the case, you can allow the security to inherit and then block it again if there is good reason. In any case, this represents a relatively permanent solution.

Finally to the issue I have seen multiple times already. There is a process that lives in relative obscurity and has been running on DCs since the NT5 betas: the Security Descriptor Propagator (SDPROP). It actually performs the inheritance of security from parent to child objects in Active Directory. On the PDC role holder it has an additional function: it protects the security on security principals that have elevated rights. 'Elevated rights' is defined as the user being a member of one of a list of built-in groups. These groups are defined as 'Protected Groups'. Any user that is a member of a protected group has its security overwritten by SDPROP with the security descriptor on the AdminSDHolder object in the 'System' container, and its 'adminCount' attribute set to '1'. Since inheritance is blocked on the AdminSDHolder's security descriptor, inheritance is also blocked on the user object. This happens every time SDPROP runs on the PDC role holder; by default, that is once an hour.

The list of Protected Groups has varied from Windows 2000 RTM till now. The groups in 2008 R2 are:
•Account Operators,
•Administrators,
•Backup Operators,
•Domain Admins,
•Domain Controllers,
•Enterprise Admins,
•Print Operators,
•Read-Only Domain Controllers,
•Replicator,
•Schema Admins, and
•Server Operators.

If a user with a phone is (or has ever been) in any of these groups, directly or transitively through group nesting, even via a distribution group, their phone will not work with their mailbox on an Exchange 2010 Mailbox role server.

The solution is obvious. Give people that need administrative rights, administrative accounts and tie their phone to a normal user account. This is best practice anyway.

If you are determined to not do this, you have several options:
•Remove the users from the groups that are causing the issue. This also requires you clear the ‘adminCount’ attribute in their account since SDPROP will not clear it for you. Then enable inheritance.

•Alter the Security on the AdminSDHolder object security descriptor by adding the new Exchange security to it. Since the aces added in Exchange 2010 are numerous, this can be a bit tedious but it will work if you get it right. Don’t forget to maintain it in the future.

•Change the behavior of SDPROP. Only four groups were protected in Windows 2000 RTM. As the list of Groups has expanded, Microsoft has provided a vehicle to modify the list. This is done by setting the dsHeuristics attribute of the Directory Service object in the configuration container. Using this attribute, you can selectively exclude Account Operators, Print Operators, Server Operators, or Backup Operators from the list of Protected Groups. Realize when you do this you are weakening the security of your forest.

•Alter the Security on the AdminSDHolder object security descriptor by allowing inheritance. Again, realize when you do this you are weakening the security of your forest.

Details of these options are discussed here:

http://support.microsoft.com/kb/817433

If you want to be proactive before you start moving mailboxes, you can search for all users in your forest that have an 'adminCount' of '1'. There are lots of ways to do this. Here is an ldifde example (fill in your domain's DN after -d):

ldifde -f AdminUsers.txt -d dc= -r "(&(objectcategory=person)(objectclass=user)(admincount=1))" -l samAccountName

- or with PowerShell, writing the output to a file (the filter needs the enclosing AND, otherwise it is not valid LDAP):

import-module activedirectory
get-aduser -ldapfilter "(&(objectcategory=person)(objectclass=user)(admincount=1))" > output.txt

Source: http://blog.pennic.com/ @ Nick
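A list of adminCount=1 accounts on its own does not tell you which of the options above applies to each one. The following script is an added example, not part of the original post or of blog.pennic.com: for every user with adminCount=1 it reports whether inheritance is actually blocked on the object (the condition that stops Exchange 2010 from creating the ActiveSync objects) and whether the user is still a transitive member of any of the protected groups listed above, so accounts that only carry a left-over adminCount can be separated from accounts that will be re-protected by SDPROP within the hour. The CSV file name is a placeholder, and the repair function implements the first option (clear adminCount, then re-enable inheritance) for one account at a time; it is not called automatically.

```powershell
# Added example, not from the original post or from blog.pennic.com.
Import-Module ActiveDirectory

# Protected groups as listed above for Windows Server 2008 R2
$protectedGroups = 'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators', 'Read-Only Domain Controllers',
    'Replicator', 'Schema Admins', 'Server Operators'

function Get-ProtectedGroupMembers {
    # Transitive membership via LDAP_MATCHING_RULE_IN_CHAIN, so nesting (including through
    # distribution groups) is covered. Returns a hashtable keyed by user DN.
    param([string[]]$GroupNames)
    $clauses = foreach ($name in $GroupNames) {
        $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if ($grp) { "(memberOf:1.2.840.113556.1.4.1941:=$($grp.DistinguishedName))" }
    }
    $members = @{}
    if ($clauses) {
        Get-ADUser -LDAPFilter "(|$($clauses -join ''))" |
            ForEach-Object { $members[$_.DistinguishedName] = $true }
    }
    $members
}

function Get-AdminCountReport {
    $stillProtected = Get-ProtectedGroupMembers -GroupNames $protectedGroups
    Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(adminCount=1))' `
               -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
                InProtectedGroup   = [bool]$stillProtected[$_.DistinguishedName]
                DistinguishedName  = $_.DistinguishedName
            }
        }
}

function Repair-OrphanedAdminCount {
    # First option from the list above, for a user who is no longer in any protected group:
    # clear adminCount (SDPROP never does this for you) and re-enable inheritance on the object.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    Set-ADUser -Identity $DistinguishedName -Clear adminCount
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.SetAccessRuleProtection($false, $true)   # $false = inherit from the parent again
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

$report = Get-AdminCountReport
$report | Sort-Object InProtectedGroup, SamAccountName |
    Format-Table SamAccountName, InheritanceBlocked, InProtectedGroup -AutoSize
$report | Export-Csv -Path .\AdminCountUsers.csv -NoTypeInformation   # placeholder file name

# After reviewing the CSV, for each account that shows InProtectedGroup = False:
#   Repair-OrphanedAdminCount -DistinguishedName '<DN from the report>'
```

Accounts that show InProtectedGroup = True are the ones the post's main advice applies to: repairing them is pointless, because SDPROP will block inheritance again on its next run, so give those people a separate admin account and tie the phone to the normal one. Run the report against the forest root domain as well, since Enterprise Admins and Schema Admins live there.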


Using 3rd Party SFP modules in Cisco Devices

All SFP modules contain, in their EEPROM, a serial number, vendor name and ID, a security code and a CRC. The switch checks this information; if it cannot verify it, it may log messages like the following:

%PHY-4-UNSUPPORTED_TRANSCEIVER: Unsupported transceiver found in Gi1/0/1
%GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port 65538 has bad crc

There are two undocumented Cisco commands to get 3rd party SFP modules to work (note that they turn off the transceiver check that produced the messages above):

switch(config)# service unsupported-transceiver
switch(config)# no errdisable detect cause gbic-invalid


Citrix Webinterface 5.x Slow first load

After restarting IIS or rebooting the Web Interface server, it takes up to one minute to get the welcome page for the first user.
This issue is caused by a CRL check sent to VeriSign. If the Web Interface server cannot access the internet, the CRL check fails and times out.

Follow CTX117273 to fix this.


Internet Explorer tuning tips

Thomas has written some tuning tips for Internet Explorer on Terminal Servers / Citrix:

http://www.thomaskoetzing.de/index.php?option=com_content&task=view&id=351&Itemid=254

1. Disable browser tab growth by setting it to "0" (saves memory)
Path: User Configuration\Administrative Templates\Windows Components\Internet Explorer
Set tab process grow <- Set to 0

2. Disable all unneeded browser add-ons (saves memory and improves performance)
Path: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-On Management
Add-on List <- Add the GUID of the add-on and set it to "0"
How to find an add-on's GUID: IE | Extras | Add-On Management | Select Add-On | Click "More Information"

3. Disable browser Accelerators (saves memory)
Path: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Accelerators
Turn off Accelerators <- Enable

4. Disable Suggested Sites (saves memory and improves performance)
Path: User Configuration\Administrative Templates\Windows Components\Internet Explorer
Turn on Suggested Sites <- Disable

5. Disable InPrivate browsing (helps with user profiles)
Path: User Configuration\Administrative Templates\Windows Components\Internet Explorer\InPrivate
Turn off InPrivate Browsing <- Enable


Veeam backup, consolidate helper snapshot and old snapshot files not displayed in GUI

We ran into a problem where VMware vCenter reported that there should be no snapshots left on the VM.
When checking the VMFS LUN, it was almost 0.9 TB overcommitted. Browsing the LUN showed a lot of snapshot files left behind by Veeam.

If you create a new snapshot called "TEST" and check the Snapshot Manager, you will see two snapshots: "Consolidate Helper - 0" as the active snapshot, plus your own "TEST".
When trying to use "Delete All", I got the message "Unable to access file since it is locked".

We found that the Veeam proxy attaches the disks as independent disks to itself when performing the job, but if the Veeam backup proxy loses connectivity to the VM it never detaches them.
Power off the Veeam proxy, detach the disks that point to the VM with the problem (be careful not to select "delete from disk"), and power it back on again.

You can now create a new dummy snapshot for the affected VM and perform a "Delete All" to remove all the old snapshot files without any downtime.
