NetScaler Times newsletter for Week 27 - 2024
13.1 updates and changes to the 12.1 FIPS and NDcPP builds.
Hello Everyone
It’s Andrew again over at Cloud Software Group. This NetScaler Times update aims to provide you with valuable pointers to keep you up-to-date! 🚀
I would greatly appreciate your continued engagement and feedback, my contact details are at the bottom of this newsletter.
Agenda for this week:
Build status and updates
NetScaler Console Data management.
Support and Security Bulletins.
NetScaler Community & Labs site
Feedback on this newsletter
1. Build status and updates
The details for the various builds are listed below, as this helps you plan new releases in your environment. Starting with 14.1 in 2023, the lifecycle is as follows:
Firmware will have a 3-year upgrade cycle, where new features are added, called the ‘Feature Phase’.
The ‘Maintenance Phase’ then starts, and it is then supported for another 3 years with bug fixes and security updates.
There will then be 1 year of extended support with security fixes only. The expectation is that this time is used to move off the release before its EOL.
As shown below, 13.1 and 13.0 are now in the Maintenance phase.
Typically, the guidance for NetScaler and NetScaler Console (aka ADM) build releases is that the management platform needs to be the same as or newer than the NetScaler(s) it manages. I typically go with the latest for NetScaler Console.
The NetScaler has multiple form factors to support different environments. NetScaler is built on a single operating system with a software-based architecture, so the behaviour will be the same no matter which is used — hardware, virtual machine, bare metal, or container.
Current Build Versions:
There are quite a few updates this week; this looks to be some of the recent 14.1 changes filtering down to 13.1. Here are the details:
NetScaler firmware update 13.1-53.23
Authentication, authorisation, and auditing: Web App Firewall protection for authentication and VPN virtual servers
NetScaler SDX Appliance: Additional upgrade validations for NetScaler SDX
Networking: Configurable internal HTTPS service. You can now modify the internal HTTPS service by using GUI, CLI, or NITRO APIs.
Platform.
Support for OpenSSH version 9.x. The OpenSSH version on NetScaler is now upgraded from 8.x to 9.x.
Support for extra management CPU for NetScaler VPX instance. For a VPX instance running on SDX, you have only one management CPU by default. With this enhancement, you can now add an extra management CPU when you provision or edit a VPX instance with two or more dedicated CPU cores.
Improved SSL performance for encryption algorithms. SSL performance of the following algorithms is enhanced for NetScaler running on Intel processors that support Intel AVX-512: RSA 2048/4096, ChaCha20-Poly1305, AES-GCM.
NetScaler 13.1 FIPS firmware update 13.1-37.188
Authentication, authorisation, and auditing
RADIUS authentication support on FIPS-certified appliances
On the FIPS platform, RADIUS authentication is now supported over Transport Layer Security (TLS). Previously, RADIUS authentication was supported only over UDP. As a result, RADIUS authentication was not supported in FIPS environments, as FIPS allowed only TLS. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/configure-radius-for-tls.html
Traversal from Root domain to Tree domain for Kerberos SSO authentication is supported
Traversal from Root domain to Tree domain is now supported during Kerberos SSO authentication for backend server from NetScaler appliance. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/single-sign-on-types/kerberos-single-sign-on/setup-citrix-adc-single-sign-on.html.
Platform
Support for OpenSSH version 9.x
The OpenSSH version on NetScaler is now upgraded from 8.x to 9.x.
VMware ESX 7.0 update 1c support on NetScaler VPX instance
The NetScaler VPX instance now supports the VMware ESX version 7.0 Update 1c (Build 1732555).
SSL
Support to ignore the common name if subject alternate name (SAN) is present in SSL certificate
The NetScaler appliance now conforms to the RFC specification related to the common name in a certificate as defined in https://tools.ietf.org/html/rfc6125#section-6.4.4. A new parameter ndcppComplianceCertCheck is added.
When the appliance acts as a client (back-end connection), the common name is ignored during certificate verification if both of the following conditions are met:
ndcppComplianceCertCheck parameter is set to YES (default is NO).
SAN is present in the certificate.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/config-ssloffloading.html.
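To make the ndcppComplianceCertCheck behaviour concrete, here is an added example (my own illustration, not NetScaler code) of the RFC 6125 section 6.4.4 rule applied to a back-end certificate. The certificate is modelled as the dict that Python's ssl.SSLSocket.getpeercert() returns, both sample certificates are constructed, and the function names verify_hostname and _dns_match are mine. The ndcpp_compliance flag stands in for the parameter: with it set, a certificate that carries a SAN is judged on the SAN alone and the common name is never consulted.

```python
"""Host-name verification for a back-end TLS connection, showing the effect of
ndcppComplianceCertCheck. Added example (not NetScaler code): the certificate is
modelled as the dict ssl.SSLSocket.getpeercert() returns, and the sample
certificates below are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed: SAN present, and a CN that appears nowhere in the SAN list.
CERT_WITH_SAN = {
    "subject": ((("commonName", "legacy.internal.example"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.app.example.test")),
}
# Constructed: no SAN extension at all, so only the CN carries a name.
CERT_CN_ONLY = {
    "subject": ((("organizationName", "Example"),), (("commonName", "old.example.test"),)),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 DNS-ID comparison: case-insensitive; '*' is accepted only as the
    whole left-most label and matches exactly one label, so a.b.app.example.test
    does not match *.app.example.test."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Refuse partial-label wildcards (f*o.example) and overly broad ones (*.test).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _cn_values(cert: Dict) -> List[str]:
    """All commonName values from the subject RDN sequence."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def verify_hostname(cert: Dict, hostname: str, ndcpp_compliance: bool) -> Tuple[bool, str]:
    """Return (accepted, reason). ndcpp_compliance mirrors ndcppComplianceCertCheck=YES:
    when a SAN is present, the common name is never consulted."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if any(_dns_match(p, hostname) for p in san):
        return True, "matched subjectAltName"
    if san and ndcpp_compliance:
        return False, "no SAN match; common name ignored (ndcppComplianceCertCheck=YES)"
    if any(_dns_match(cn, hostname) for cn in _cn_values(cert)):
        return True, "matched common name (legacy fallback)"
    return False, "no matching name"


if __name__ == "__main__":
    for cert, host, strict in [
        (CERT_WITH_SAN, "www.example.test", True),
        (CERT_WITH_SAN, "api.app.example.test", True),
        (CERT_WITH_SAN, "a.b.app.example.test", True),
        (CERT_WITH_SAN, "legacy.internal.example", False),
        (CERT_WITH_SAN, "legacy.internal.example", True),
        (CERT_CN_ONLY, "OLD.example.test", True),
    ]:
        print(host, "ndcpp=YES" if strict else "ndcpp=NO", "->", verify_hostname(cert, host, strict))
```

The case to watch when you flip the parameter to YES is the fifth one above: a back-end certificate whose SAN list was never updated but whose CN still matches the service name will stop verifying, so check back-end certificates for stale SANs before enabling it.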
System
New parameter added in HTTP profile
A new parameter passProtocolUpgrade is added to the HTTP profile to prevent attacks on the back-end servers. Depending on the state of this parameter, the upgrade header is passed in the request sent to the back-end server or deleted before sending the request.
If the passProtocolUpgrade parameter is enabled, the Upgrade header is passed to the back end. The server can then accept the upgrade request and indicate this in its response.
If this parameter is disabled, the Upgrade header is deleted and the remaining request is sent to the back end.
The passProtocolUpgrade parameter is added to the following profiles:
nshttp_default_profile ENABLED by default
nshttp_default_strict_validation DISABLED by default
nshttp_default_internal_apps DISABLED by default
nshttp_default_http_quic_profile ENABLED by default
Citrix recommends that this parameter be disabled by default. For more details, see the NetScaler Secure Deployment Guide.
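Because the defaults differ per profile, it is easy to miss a profile that still forwards the Upgrade header. The following is an added example of my own (not a NetScaler tool) that reads the text of the running config, works out the effective passProtocolUpgrade state for every HTTP profile using the defaults listed above, and maps each profile to the virtual servers bound to it. The sample config is constructed, and two things are assumptions rather than facts from the release notes: a custom profile that never sets the parameter is treated as ENABLED, and a vserver with no -httpProfileName is treated as using nshttp_default_profile.

```python
"""Audit the passProtocolUpgrade setting across NetScaler HTTP profiles.

Added example (not NetScaler tooling). Input is the text of `show ns runningConfig`
(or a saved ns.conf); the sample below is constructed for illustration.
"""
import shlex
from typing import Dict, List

# Defaults for the built-in profiles, as stated in the 13.1 FIPS release notes.
BUILTIN_DEFAULTS = {
    "nshttp_default_profile": "ENABLED",
    "nshttp_default_strict_validation": "DISABLED",
    "nshttp_default_internal_apps": "DISABLED",
    "nshttp_default_http_quic_profile": "ENABLED",
}
# Assumptions not stated in the release notes: a custom profile that never sets
# the parameter is treated as ENABLED, and a vserver with no -httpProfileName
# is treated as using nshttp_default_profile.
CUSTOM_DEFAULT = "ENABLED"
GLOBAL_PROFILE = "nshttp_default_profile"

# Constructed sample running config (not from a real appliance).
SAMPLE_CONFIG = """\
add ns httpProfile prof_backend_legacy -conMultiplex ENABLED
add ns httpProfile prof_websocket_api -webSocket ENABLED -passProtocolUpgrade ENABLED
add ns httpProfile prof_hardened -dropInvalReqs ENABLED -passProtocolUpgrade DISABLED
set ns httpProfile nshttp_default_profile -passProtocolUpgrade DISABLED
add lb vserver lb_legacy HTTP 10.0.0.10 80 -httpProfileName prof_backend_legacy
add lb vserver lb_ws HTTP 10.0.0.11 80 -httpProfileName prof_websocket_api
add lb vserver lb_portal HTTP 10.0.0.12 80
add cs vserver cs_api HTTP 10.0.0.13 80 -httpProfileName prof_hardened
"""


def _flags(tokens: List[str]) -> Dict[str, str]:
    """Collect '-param VALUE' pairs from a command line into a dict."""
    out: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            out[tokens[i][1:]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return out


def _new_profile(state: str) -> Dict:
    return {"state": state, "explicit": False, "webSocket": "DISABLED", "vservers": []}


def audit(config_text: str) -> Dict[str, Dict]:
    """Profile name -> effective passProtocolUpgrade state plus the vservers bound to it."""
    profiles = {name: _new_profile(state) for name, state in BUILTIN_DEFAULTS.items()}
    bindings = []  # (vserver name, profile name)
    for line in config_text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 4 and tok[0] in ("add", "set") and tok[1:3] == ["ns", "httpProfile"]:
            prof = profiles.setdefault(tok[3], _new_profile(CUSTOM_DEFAULT))
            flags = _flags(tok[4:])
            if "passProtocolUpgrade" in flags:
                prof["state"] = flags["passProtocolUpgrade"].upper()
                prof["explicit"] = True
            if "webSocket" in flags:
                prof["webSocket"] = flags["webSocket"].upper()
        elif len(tok) >= 4 and tok[0] == "add" and tok[1] in ("lb", "cs") and tok[2] == "vserver":
            bindings.append((tok[3], _flags(tok[4:]).get("httpProfileName", GLOBAL_PROFILE)))
    for vserver, name in bindings:
        profiles.setdefault(name, _new_profile(CUSTOM_DEFAULT))["vservers"].append(vserver)
    return profiles


def findings(profiles: Dict[str, Dict]) -> List[str]:
    """Profiles that still forward the Upgrade header, sorted; each needs a decision."""
    return sorted(name for name, p in profiles.items() if p["state"] == "ENABLED")


def remediation(profiles: Dict[str, Dict]) -> List[str]:
    """CLI lines that disable the parameter where the profile is not a WebSocket
    profile (a WebSocket back end genuinely needs the Upgrade header; heuristic)."""
    return [
        f"set ns httpProfile {name} -passProtocolUpgrade DISABLED"
        for name in findings(profiles)
        if profiles[name]["webSocket"] != "ENABLED"
    ]


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for name in findings(result):
        p = result[name]
        origin = "explicit" if p["explicit"] else "default"
        print(f"{name}: passProtocolUpgrade ENABLED ({origin}), "
              f"webSocket={p['webSocket']}, vservers={p['vservers']}")
    print("\n".join(remediation(result)))
```

In the sample, prof_backend_legacy never mentions the parameter yet still forwards Upgrade under the assumed default, and it is the profile bound to a live vserver; that is the kind of profile the per-profile defaults make easy to overlook.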
User Interface
The download of any core files that are present on the "Diagnostic" page ("System > Diagnostic") of the NetScaler GUI might fail with an error.
Any of the following NetScaler upgrade operations might cause login failure for local system user accounts:
from NetScaler 13.0-83.x build to NetScaler 13.1-4.x build
from NetScaler 12.1-63.x build to NetScaler 13.1-4.x build
from NetScaler 12.1-63.x build to NetScaler 13.0-82.x build
This issue is observed only for those local system user accounts that meet any of the following conditions:
user password was changed for the local system account on the NetScaler build (13.0-83.x or 12.1-63.x) before performing the upgrade operation.
the local system user account was added on the NetScaler build (13.0-83.x or 12.1-63.x) before performing the upgrade operation.
Workaround:
The system root administrator can reset the password for the local system user accounts facing the login failure issue.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/system/authentication-and-authorization-for-system-user/how-to-reset-nsroot-administrator-password.html
Changing default RPC node passwords
In HA, cluster, and GSLB deployments, a warning message appears for the nsroot and superuser login if the default RPC node password is not changed.
NetScaler Firmware 13.0
Just to call out that this will be EOL in a couple of weeks. The advice is to move to 13.1 as and when possible. The docs link offers some pointers on the considerations, the main one being the change from classic to advanced policies. Link
NetScaler 12.1 NDcPP firmware update 12.1-55.307, NetScaler 12.1 FIPS firmware update 12.1-55.307
The changes look to be quite similar to the 13.1 FIPS updates listed above, so rather than repeating all of them here, these are the specific links to the release notes for each.
NDcPP release notes link
FIPS release notes link
2. NetScaler Console Data management.
I have been asked a few times recently about NetScaler Console and how to manage the data storage. I expect this might be driven by some recent changes to how VIPs are included for analytics gathering.
In this picture, I have signed into the NetScaler Console Service to get a view of how much of the storage space I have allocated my cloud tenant has taken up.
The menu path is Settings - Data Storage Management.
I’m unsure who designed this page, but I need to buy them a drink! It is so cool. In one view, I can easily see where the bulk of my data storage is being held. I can then take action to prune out the areas which are a problem.
Docs link here
3. Support and Security bulletins
These are the latest articles on the support portal knowledge base, sorted by modified date. Here are the 2 most recent security articles plus 3 recent support docs. The site is located here.
Security updates:
Cloud Software Group Security Advisory for CVE-2024-3661
Modified: 25 Jun 2024 | NetScaler,NetScaler Gateway
NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549
Modified: 09 May 2024 | NetScaler,NetScaler Gateway
Support Docs
SSH communication between Netscaler Console nodes and/or Netscaler/Netscaler-SDX instance(s) fails
With both releases 13.1-53.17 MR and 14.1-25.53 FR, OpenSSH has been upgraded to version 9.x.
Modified: 27 Jun 2024 | NetScaler,Citrix Application Delivery Management
How to Restrict Access to NetScaler Owned IP Addresses Only from the Management Applications
This article contains information about restricting access to NetScaler-owned IP addresses so that only the management applications can reach them. Uncheck the box for management access; a simple thing to remember.
Modified: 26 Jun 2024 | NetScaler
How to configure NetScaler Gateway in an IPv6 environment.
Modified: 26 Jun 2024 | NetScaler
4. NetScaler Community & Labs site
Events
It looks like the webinars for July have yet to be posted; Isha has said that the first will be next week. Rather than leave the section empty while they get the agendas together, I have picked out three sessions from the last few months that you might have missed.
Protect NetScaler Gateway/Authentication vservers using NetScaler WAF and API Security solution
10 April 2024: Hemang Raval
In today's dynamic threat landscape, securing NetScaler Gateway and Authentication vservers is paramount to safeguarding sensitive data and maintaining regulatory compliance. NetScaler WAF (Web Application Firewall) and API Security Solution offer robust protection against a wide range of cyber threats, including OWASP Top 10 vulnerabilities, API attacks, and DDoS attacks.
Join us for an interactive webinar session showcasing a solution covering the following:
Enabling native WAF protection & API Security for NetScaler Gateway/AAA
Deploying relaxation/by-pass lists
Monitor malicious requests to NetScaler Gateway/AAA on NetScaler Console
Future roadmap for Gateway protections
NetScaler Live Demo | Strengthen your security controls with NetScaler’s Next-Gen API
15 May 2024: Konstantinos Kaltsas
APIs are essential for businesses not just for their operational benefits but also for enhancing security through mechanisms like Role-Based Access Control (RBAC). RBAC ensures that only authorized users or systems have access to specific resources based on their roles and responsibilities, reducing the risk of data breaches, unauthorized access, and API abuse.
Additionally, enhancing application security by facilitating secure data exchange protocols and encryption standards enables businesses to implement robust security measures to protect sensitive data and ensure compliance with regulatory requirements.
NetScaler Next-Gen API is a powerful modern RESTful API that allows you to programmatically configure NetScaler in a simple and intuitive way. By following a desired state and application-centric approach it drives operational efficiency and innovation but also strengthens cybersecurity defenses, making it an indispensable component of modern business strategies.
In this live session, the NetScaler experts will cover:
Role-based access to the Next Generation APIs for enforcing granular access controls at Application level
Simplify TLS configuration and cipher suites management using an Application Centric approach.
Demo: A walkthrough of how to configure advanced Applications by following these principles.
NetScaler Live Demo | Session hijack protection for NetScaler Gateway/AAA deployments
05 June 2024: Hemang Raval (again!)
Session hijacking involves an attacker using captured, brute-forced or reverse-engineered session IDs to seize control of a legitimate user’s session while that session is still in progress. Once a session ID/cookie is compromised, an attacker can bypass even multi-factor authentication to impersonate a victim, thereby gaining elevated or unauthorised access to internal resources. Protecting against session hijacking within NetScaler Gateway/AAA deployments is crucial in today's digital era to protect high-value targets and sensitive resources hosted on Citrix infrastructure.
In this live demo, the NetScaler experts will demonstrate how to prevent bad actors from hijacking sessions in NetScaler Gateway/AAA deployments through simple regular expressions:
How to configure NetScaler policies and apply regular expressions to identify suspicious session activity.
Showcase of how to create custom regex patterns tailored to specific session hijacking threats.
Labs
Go here for the hands-on labs. Link
5. Feedback for this newsletter
Naturally, if something you feel should be added/removed or called out, drop me a note; Andrew.Scott@cloud.com. All mistakes are mine.
I would happily get feedback on what you would like to see more of, or what you find hard to set up. You can get all the previous newsletters plus other articles here:
Have a great week!