# citrix-netscaler

    Richard Faulkner

    06/27/2025, 1:49 AM
    What's the over/under of another CVE in less than 30 days? 😜

    Jeff Riechers

    06/27/2025, 12:57 PM
So we were looking to disable AAA vservers on entities to close down holes if they can't patch immediately. Seems you can't disable an AAA vserver at all. The function is there but it doesn't work. We pulled the cert and that downed it. Anyone else see that in their environment?

    Melissa Nelson

    06/27/2025, 1:50 PM
So the SDX license is still permanent?? I think I just need to update the ones on the ADM console, but they have made this process a bit much.

    Eric Beiers

    06/27/2025, 3:28 PM
    https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/

    Melissa Nelson

    06/27/2025, 4:31 PM
    Saw that this morning. They really don’t like that Kevin Beaumont is calling it Citrix bleed 2 😂

    Chad King

    06/27/2025, 5:29 PM
Anyone running Imprivata MFA having an issue with the rewrite for the authentication overlay after going to 14.1 Build 47.46? (It works fine with 43.56.) I see the policy hit, but no changes to the gateway login page.

    langsbr

    06/27/2025, 5:36 PM
Anyone able to get IoCs from Citrix on 6543?

    Melissa Nelson

    06/27/2025, 8:22 PM
I opened a case like their blog says but haven't gotten a response yet.

    Julian Jakob

    06/30/2025, 8:46 AM
What will technically happen here tomorrow? NS Docs says "NetScaler instance stops its normal operations after the license expiry, including configuration loss and complete shutdown of traffic processing." But is that true? I thought everything would keep working until I REBOOT a VPX? Thank you!

    Ryan Gallier

    06/30/2025, 2:13 PM
After upgrading to 13.1 59.19nc, my RADIUS/Duo auth has broken for web-only connections. I can SSH in just fine with the same engine. What's odd is, when entering my username/password, the URL goes to login/loginview?errorcode=1034 instead of the normal /login/do_login to enter my passcode... Then of course entering my passcode doesn't work and it just bombs me out. NPS is fine as it says "granted access", and Duo sends a response code 11, but never gets a return response code 2.... Has anyone seen this? Did some RADIUS things change in this build?

    Chris Jeucken

    07/04/2025, 10:13 AM
    Does anyone have any experience with setting up the automated telemetry on NetScaler Console? The proxy is set, the proxy allows the correct URLs, but the run diagnostics still fail without any useful information. Is there logging somewhere for this process?

    Corey Tracey

    07/09/2025, 7:09 PM
    For this, Web App Firewall protection for VPN virtual servers and authentication virtual servers, does this enable the WAF under security? How do we look at the profiles?

    Matt Nation

    07/09/2025, 7:25 PM
Hey gang. We proxy all internal and external users through NS Gateway. We have one delivery group that we want to block external connections from accessing. I've been playing with the access policy at the delivery group level but haven't figured it out yet. Anyone done this before?

    Arthur

    07/10/2025, 1:42 PM
    Has anyone encountered an issue with NetScaler Console (on-premises, version 14.1, build 47.46) where HDX Insight and Gateway Insight stop processing data after some time? We noticed that everything started working again after a restart.

    Jeff Riechers

    07/11/2025, 1:47 PM
Would anyone happen to have 11.1 or 12.1 SDX upgrade firmware available? We have a client with an SDX on 11.0 that needs upgrading, and Citrix pulled those stepping-stone versions off their website.

    Richard Faulkner

    07/11/2025, 3:04 PM
    Let me check

    Arthur

    07/12/2025, 8:56 AM
    Be honest — how many of you apply new NetScaler builds immediately upon release, but only in cases where Citrix has not publicly disclosed any vulnerabilities or CVEs related to that build?

    Henry Heres

    07/15/2025, 9:04 AM
Regarding NetScaler Flexed capacity: when the term expires there is no grace period, it seems (https://docs.netscaler.com/en-us/netscaler-console-service/manage-licenses/scenario-license-expiry.html). Has anyone already dealt with this in a CSP renewal mode? The term is expiring for the customer, and there is a grace period for DaaS but not for NetScaler; that one is ending exactly on the date the term ends. And the whole problem is I don't have any new licenses for this beforehand.

    lstod

    07/16/2025, 9:48 AM
Hello, I wrote that we can have a free NetScaler VPX Express licence. If we use NetScaler with an Express licence, is it possible to use it to load balance the StoreFront URL and WEM? Is it possible to configure it in HA mode? Thanks.

    Melissa Nelson

    07/18/2025, 8:21 PM
Has anyone been able to get RFC violation blocking working on the AAA and VPN profiles with the WAF? The only thing I can find about it is this forum post from 2023 where someone is seeing the same behavior as me (not blocking RFC violations) despite it being enabled in the profiles and the global WAF settings. Maybe it is fixed in 14.1? I'm still on 13.1. https://community.citrix.com/forums/topic/250977-invalid-rfc/

    Jan Tytgat

    07/20/2025, 11:13 PM
After being contacted by a couple of customers regarding the updates sent out by Nationaal Cyber Security Centrum regarding CVE-2025-5777 and CVE-2025-6543 for NetScaler, I've decided to bundle a set of tests for indicators of compromise into one shell script. This script is based on one of my old IoC scripts for CVE-2023-3419, combined with information from an article provided by my fellow former Citrix CTP, @Deyda. For more information, check the article at: https://jantytgat.com/posts/netscaler/security/indicators-of-compromise/ It is by no means perfect, as I had to cobble this up from vacation, but here we are... hope it helps!

    Jeff Riechers

    07/21/2025, 1:46 PM
Ran into this and after a couple of weeks butting our heads against it we think we found the issue. Wanted to share to help other people out. Had a client that was changing Linux clients to only communicate to this API engine on TLS 1.3 and it stopped working. Customer has a Content Switch with CAs bound, and the Enhanced SSL Profile was not configured for client authentication certs. Had an SSL Policy that, when a certain URL was hit, would enable client-based auth. The Load Balancer bound under a CSW policy had CAs bound, with Responder rules set so that if they didn't have the proper client certificate the session was dropped. And if they did have a certificate matching their CA, client-based authentication was set to mandatory. Would work with TLS 1.2. Would not work on TLS 1.3. So what we found as to why it wasn't working: our SSL Policies can't work with TLS 1.3 because HTTP.REQ.URL is not valid in the order of operations of TLS 1.3 negotiations. So the policy was never hit and never turned on mandatory Client Authentication. To fix it we had to modify the Enhanced SSL Profile on the Content Switch, setting Client Authentication enabled but set to optional, so that both the Content Switch and the Load Balancer have client auth functionality.

    Jan Tytgat

    07/21/2025, 7:42 PM
Article and script have been updated after some feedback. Also added an extra check to the script.

    Arthur

    07/24/2025, 5:07 PM
Looking for ideas to troubleshoot session drops. The issue only happens when connecting through NetScaler – direct connections to CVAD work fine. While copying a file from a client-mapped drive to the CVAD session, the session drops after about 20MB. In ns.log, I only see: SSLVPN ICAEND_CONNSTAT – no specific error or explanation. After the disconnect, the affected client is completely unable to reach the NetScaler Gateway for exactly 5 minutes. Traffic seems blocked during that time (logon website not reachable), but other users continue to access the Gateway without issues. Logs:
    • No errors on the client in event logs.
    • VDA: Connection broken unexpectedly for user…
    • VDA, at the same time: The Citrix TDICA Transport Driver connection's session reliability timeout expired.
    • VDA, at the same time: The Citrix TDICA Transport Driver connection from x.x.x.x has been closed.
    Any ideas what could be causing this?

    Jason Symczak

    07/28/2025, 3:04 PM
Is it possible to check for domain membership on macOS devices via an EPA scan?

    c4rm0

    07/30/2025, 6:40 PM
I have a responder policy bound to the NS GW virtual server that looks for /cgi/logout in the request URL, see screenshot (invoked when users click Log Off in StoreFront). It was working fine for years and redirecting to an IdP (Okta) signout URL https://oktaorg.co.uk/login/signout, but it now hangs on a blank white screen. I can still see the responder policy being hit on the NetScaler. I pulled up developer tools in MS Edge/Chrome and can see CSP blocking some resources. Anyone seen something similar in new 13.1 firmware?

    Marco Hofmann

    07/31/2025, 8:13 AM
Citrix NetScaler VPX VMware Tools: since the upgrade to 13.1 59.19.nc I get regular reports that vCenter and Veeam complain about VMware Tools not running. A reboot fixes that problem temporarily, but that is no solution. For example, with open Gateway sessions I can't reboot during work hours. Two questions:
    1. Anybody else affected?
    2. Is there a way to restart the services on the shell instead of a reboot?

    Arthur

    08/02/2025, 8:57 AM
Quick question: does anyone still see a valid use case for allowing client-initiated TLS renegotiation — even if it's limited to "secure" renegotiation via -denySSLReneg NONSECURE? From what I understand:
    • This still allows clients to initiate renegotiation (RFC 5746 compliant), which can open the door to DoS attacks, even if not MITM.
    • In most Citrix Gateway setups (VPN, CVAD), client-side renegotiation seems completely unnecessary.
    So I'm wondering:
    • Have you seen any real-world need for client renegotiation in 2025?
    • Any compatibility issues after setting -denySSLReneg ALL?
    • Shouldn't this be the default from a security standpoint?
    Curious to hear your thoughts. Cheers, Artur

    Patrick Markkula

    08/04/2025, 7:17 AM
Hi folks.. Q about LOM and SDX: Trying to configure the LOM via the Xen shell and ipmitool according to the edocs... no good. I can set the IP etc. but it will not work. Also done the unlock according to CTX477557. Am I missing something here or do we really need to do this onsite (very crap :) )?

    Kari Ruissalo (WyW)

    08/04/2025, 10:38 AM
Regarding the latest builds, has anyone else noticed that the enable httpOnlyCookie parameter was silently enabled (https://docs.netscaler.com/en-us/netscaler-gateway/current-release/vpn-user-config/enforce-httponly-flag-on-authentication-cookies.html)? Most of the issues have been faced with the default CSP header stuff, but this broke one portal integration at one of our customers. "By default, the HttpOnly flag is enabled in the following NetScaler Gateway builds:
    • 14.1-43.56 and later
    • 13.1-59.19 and later"