# citrix-netscaler

    Matt Sliva

    03/03/2025, 7:19 PM
    Hey all! I am an nFactor weakling and need some guidance. I have a situation that I think I have a solution for, but want to pass it by those more knowledgeable with building nFactor logic. I am working with the Citrix Adaptive Authentication service. My current nFactor logic is fairly simple. I have a single Authentication Policy bound with a priority of 100 and a "true" expression to send all authentication attempts to Duo SSO with SAML. The next and final factor is an unauthenticated LDAP UPN match. In this flow, as long as the user successfully authenticates to Duo and their UPN matches AD, they're good to go and can launch resources. I have a new requirement to send a subset of users to a different Duo SSO configuration based upon egress IP. What I am thinking about doing is creating a new Duo SSO policy, setting the expression to match the egress IP, and binding the Authentication Policy with a lower number priority than my existing "catch all" policy. Is this the proper way to go about configuring nFactor in this situation?

    Kari Ruissalo (WyW)

    03/05/2025, 2:09 PM
    I have a non-addressed Gateway configured on a NetScaler, which is accessed via a Content Switch. The gateway is solely used for VPN connections (using SAC). Do I need to configure the Gateway insights to be enabled:
    • Only on the non-addressed Gateway vServer
    • On the GW vServer and CS vServer
    • On the GW, CS and AAA vServer
    I need to be able to report who has been connecting to VPN and generate some level of user session amounts.

    langsbr

    03/06/2025, 9:23 PM
    Our netscaler has 3 different gateways, but they all use the same SNIP. Is there a way, in Director, ADM, or the ADC itself to determine what gateway users came in from (historical report preferred). Even in ADM I am only seeing the ADC source, not the Vserver.

    Kari Ruissalo (WyW)

    03/10/2025, 8:54 AM
    Is it just me, or is the NetScaler stuff greyed out in community.citrix.com?

    Corey Tracey

    03/11/2025, 7:42 PM
    Attempting to configure SNI-enabled HTTP monitors. We have SNI enabled on AAA/GW, certs bound as SNI. These also happen to be GSLB GWs. With no monitor bound to the GSLB GW service, SNI works fine. Enabling the customer's existing GSLB service monitor shows the site down. Remove it, it comes back up. Found we would need to enable SNI in a backend SSL profile that is bound to the GSLB monitor. However that results in a timeout during the SSL handshake stage. I may need to set a custom header now, based on this? https://docs.netscaler.com/en-us/citrix-adc/current-release/ssl/config-ssloffloading.html#configure-and-bind-a-secure[…]end-service-by-using-the-gui Does this seem like the proper path? Enable SNI in the SSL backend profile with the common name of one of the bound SSL certs, and modify/create a new monitor that checks the host header via a custom header monitor. Anyone have any gotchas with this?

    Jeff Riechers

    03/12/2025, 12:41 PM
    Working with the updated Console on-prem, in particular identifying clients using older ciphers and protocols. When trying to access Transaction logs we see this message. Web Transactions is not enabled for Virtual Server , Please enable from Networks > Instances > NetScaler > Configure Analytics to see the data. Looks like that is a service path, is this something that is not enabled yet on-prem?

    Balint Oberrauch

    03/17/2025, 11:06 AM
    I would like to create a central NetScaler Gateway for two different domains. The gateway is not exposed externally, and authentication is required to be LDAP only. StoreFront resides in Domain A, and both Domain A and Domain B have been added as trusted domains. How can I ensure that users are not required to enter their domain when logging in? Example:
    • Instead of: domainA.local\user1
    • Instead of: domainB.local\user2
    • Users should only need to enter their username (e.g., user1 or user2). The usernames are unique, and there is a two-way trust between the domains.

    Richard Faulkner

    03/17/2025, 11:52 AM
    You can use an AAA vServer for the authentication with an authentication profile. Set up authentication policies and profiles for each domain and then set the authentication with domain A priority 100 and domain B priority 110. Then use the Authentication profile on the Gateway.

    Richard Faulkner

    03/17/2025, 11:54 AM
    Or, more simply, use group extraction and create a group in Domain A containing the members of Domain B. https://docs.netscaler.com/en-us/netscaler-gateway/current-release/authentication-authorization/configure-ldap/ng-authorize-ldap-group-extraction-multi-domains-con.html#:~:text=To%20configure%20NetScaler%20Gateway%20for,policy%20and%20one%20authentication%20policy.

    Jeff Riechers

    03/19/2025, 12:13 PM
    Seeing an interesting NetScaler Console on-premise issue. I have a client with a large number of NetScalers managed behind Console; if we set up RBAC and select specific instances for users we see huge CPU and processor spikes, and major lag in the web GUI. But if we change it to All instances instead of limiting, the response is instantaneous and there are no CPU and memory spikes. So it looks like selecting individuals basically sets up multiple pulls from the DB, instead of just masking items not on their list. Anyone else seen this?

    Balint Oberrauch

    03/19/2025, 6:49 PM
    Can a user who is part of "Protected Users" log in to NetScaler Gateway without any additional IdP? I would like to create PAWs for Tier 0 and LDAP + RADIUS is not possible AFAIK (uses NTLM and not Kerberos).

    Eirik Vesterhus / Intility AS

    03/24/2025, 11:08 AM
    Is anyone feeling adventurous and running VPX on ESXi 8.0 Update 3d? Citrix is taking their time validating this version. They validated ESXi 7.0 Update 3s relatively quickly, but there's still no news for 8.0. https://docs.netscaler.com/en-us/vpx/current-release/supported-hypervisors-features-limitations.html

    Jeff Riechers

    03/24/2025, 1:07 PM
    Had a client where they stopped receiving metrics from their netscalers on Console on-prem. Other things were all working fine, SNMP, Syslog, Appflow, etc. Just no metrics. Rebooted the console and it was fine. Looking in the Audit Log messages we see frequent messages like the following. "InstanceUser - Command "rm analytics profile telemetry_metrics_profile" - Status "Failed" - Message " rm analytics profile telemetry_metrics_profile [0;31;49mERROR: No such resource [name, telemetry_metrics_profile][0;39;49m >" running against multiple netscalers on repeat. Anyone have any information on that metrics collector so I can dig in? Is it just prometheus? Are there any logs specific to it I can review?

    Julian Jakob

    03/25/2025, 10:26 AM
    NetScaler SSLVPN, Split-Tunneling. When configuring Split-Tunnel to ON, you configure the customer's internal network, which is routed through the tunnel. Everything else goes via local breakout, decided after DNS resolution. The other option is to set REVERSE and configure all IPs (or FQDNs when using the WFP driver in the CSA client) which should go via local breakout; everything else goes through the tunnel. Is there an option to configure split-tunneling depending on a proxy PAC file? So everything which is listed in the PAC goes through the tunnel, everything else via local breakout? The PAC file is getting ignored after DNS resolution points to a local breakout (example: youtube) and so there's no security when surfing locally. I know there are solutions like Cisco Umbrella which are designed to solve exactly that issue with a DNS-based proxy. Just wondering if NetScaler can solve that, too. I've found this statement which sounds great: "If you use Full VPN Tunnel with PAC, you must disable Citrix Gateway split tunneling. If split tunneling is on and you configure a PAC file, the PAC file rules override the Citrix ADC split tunneling rules. A proxy server configured in a traffic policy does not override the Citrix ADC split tunneling rules" but it's related to SecureHub / XenMobile (Source https://docs.citrix.com/en-us/xenmobile/server/advanced-concepts/xenmobile-deployment/sso-proxy-mdx-apps.html). Thanks for any idea!

    Jeff Riechers

    03/27/2025, 8:50 PM
    I find it interesting that Citrix can't have multiple NetScaler Gateways behind their content switch. Meanwhile my homebuilt OPNSense router with caddy setup for layer 4 proxy has no problem with it at all.

    Jeff Riechers

    03/28/2025, 5:43 PM
    Is there any way to use IPRep with CLIENT.PROXY.SRCIP_STR instead of Client.IP.SRC? The IPREP_IS_MALICIOUS is not a valid suffix. NetScaler is behind an haproxy, and actual client ips are only available inside the proxy portion of the packet.

    Kari Ruissalo (WyW)

    03/28/2025, 7:46 PM
    With Netscaler (as SP) in OIDC/Oauth2 I'm getting the user's UUID in preferred_username. I can pass it automatically in SAML (NetScaler as SAML IdP) in the NameID. But if I would need to add the value in preferred_username to a custom claim in SAML, how could I do that? Is there a way to store the preferred_username in one of the internal attributes and then add it to SAML IdP claim? I’ve done this with LDAP but the OAuth SP action is a bit confusing

    Dima

    03/31/2025, 5:27 PM
    I am working on an Azure migration and need to move an existing Netscaler to another subscription. Since Azure does not support direct migration of this SKU I am wondering what's the best way to approach it? Just build a new NS in another subscription and configure from scratch (I don't have build automation for NS)? Or maybe build a base NS, install certs, and then restore config from ADM? What do you guys think?

    Julian Jakob

    04/01/2025, 6:52 AM
    Hey Team, I've updated a customer NS to 14.1 43.50 where X1 Themes were in use. I know they have been deprecated for a long time, but are still there. Since that build, when an X1 Theme is bound to an NSGW / AAA, it hits "Cannot complete your request" directly when browsing to the page. The previous build was 25.56 where X1 was still working fine. There's nothing official mentioned in the release notes. Can anyone confirm?

    François-Xavier Rigaud

    04/01/2025, 8:41 PM
    Is there a way on NFactor Flow to add a suffix to ${AAA.USER.NAME} on a PrefilUserFromExpr login schema? So that user becomes, for example, user-internal.

    Corey Tracey

    04/07/2025, 7:27 PM
    Trying to block an AD group from accessing Gateway; along with blocking at the SAML IdP, trying to block at the gateway. We are using AAA groups and EPA as well. What I am experiencing is that if EPA passes, I can see the AD group extraction, along with my EPA allowed group, being aggregated in the ns.log. If EPA fails, I only see my EPA quarantine group being aggregated, and I lose my ability to filter on my AD group to block access. Is this normal behavior?

    Kari Ruissalo (WyW)

    04/09/2025, 6:57 AM
    Is there a way to check if the "under the hood" settings for DNS are set or not? https://support.citrix.com/s/article/CTX200243-dns-query-responds-with-only-one-ip-to-[…]en-connected-through-citrix-gateway-full-vpn?language=en_US In the guide there's only how to set the value, but not how to query it:
    root@ns> shell
    root@ns# nsapimgr_wr.sh -ys enable_vpn_dns_override=1
    root@ns# nsapimgr_wr.sh -ys enable_vpn_dnstruncate_fix=1

    Kari Ruissalo (WyW)

    04/09/2025, 6:58 AM
    Tried nsapimgr_wr.sh -d enable_vpn_dns_override but it didn't work.

    Corey Tracey

    04/10/2025, 7:12 PM
    What do you all do to document a SDX build? I've used Carl Webster's scripts for VPXs but don't see anything for an SDX.

    Jeff Riechers

    04/14/2025, 12:02 PM
    Anyone seeing NetScaler crashes out of nowhere? Have a client that is seeing some external VPXs that started crashing in the last few days. Not seeing much in the logs.

    saimen

    04/17/2025, 7:57 AM
    Hi, is there already a way to automatically renew the certificates on the NetScalers, so that in 2029 you don't have to hire someone who only updates certificates? https://www.bleepingcomputer.com/news/security/ssl-tls-certificate-lifespans-reduced-to-47-days-by-2029/

    Julien Destombes

    04/25/2025, 2:44 PM
    NetScaler Built-in Agent Hello I have a problem with the Builtin agent and the NetScaler Console Service. The NS is correctly registered with NS Console Service but when I run the add licenceserver 127.0.0.1 -port 27000 I have got the error

    Kari Ruissalo (WyW)

    05/05/2025, 2:27 PM
    About NetScaler Zero-Touch cert management. I can see the certificates pushed to the NetScalers, but when I try binding them to a LB vServer I get this error:

    Julian Jakob

    05/08/2025, 7:35 AM
    Anyone using NetScaler's E-Mail OTP? It was just working fine, with the latest 14.1 it stopped working. E-Mail with the OTP is sent, but it's not accepted to logon with - nothing helpful in the debug logs

    Stephen

    05/08/2025, 2:45 PM
    Can you use an on-prem NetScaler to broker connections to fully Azure-joined machines with HDX for Windows 365, or can this only be brokered through the Gateway Service?