Hello everyone! We have a mix of updated links and articles for all things NetScaler related! The sections are:
1. A review of a recent build update.
2. Build updates.
3. Useful articles from Citrix Cloud Developer forum.
4. Citrix Blogs worth another look
5. AOB
BTW. I am still transitioning back to the NetScaler name, so there might be a mix of references!
There are a number of different Citrix products covered here. The Citrix ADC/NetScaler is an Application Delivery Controller that runs in the cloud and on-prem. It is supported by a management platform called Citrix Application Delivery Manager (ADM for short) which can run as a service or on-prem.
1. Configure auto delayed TROFS state, what the **** is TROFS?
Looking over a recent build update, I spotted this added to 13.1.37.38.
You can configure graceful movement of members in a service group to the TROFS state when IP addresses are removed from the DNS response. When auto delayed TROFS is enabled, Citrix ADC waits for the highest response timeout across all monitors attached to the service group before moving the members to the TROFS state.
I re-read this three times and still struggled to get my head around what was added and why. I ended up getting some help from the TRM and created this case study to try and explain it.
https://forum.developer.cloud.com/s/article/NetScaler-case-studies-TROFS-update-in-13-1-Build-37-38
Again, credit where credit is due, I couldn’t have done this without Michal Grabczyk and Lakshmi Prasanna Guru. Thanks for the help!
2. Build updates for this week.
Firmware gets changed from time to time, so here are the most recent builds for each appliance type. These were first mentioned in the two Week 48 newsletters, but if you missed those, here are the latest versions. Most weeks I just focus on the latest of each build; however, this week there are some 13.0 NetScaler updates too.
Unchanged - Current ADC Build. Dec 1, 2022, Citrix ADC 13.1-37.38.
Here are the release notes for this one:
Updated - Current 13.0 ADC Build. Dec 16, 2022, Citrix ADC 13.0-89.7
Citrix ADC SDX Appliance
"Gateway" and "Nexthop" fields are optional while provisioning or editing the VPX
In a Citrix ADC SDX appliance Management Service, the "Gateway" and "Nexthop" fields are no longer mandatory for provisioning, editing, backing up, or restoring a VPX when either of the following conditions is true:
· "Manage through the internal network" is enabled for the VPX.
· The VPX IP address is in the same subnet as the Management Service IP address, and the VPX is provisioned with version 13.0-88.9 or 13.1-37.8 or a higher version.
Enhancements to show the presence of the disk correctly
Enhancements are made to determine the state of the disk on a Citrix ADC SDX appliance. The state of the disk is now shown correctly when the disk is present.
Citrix Gateway
Support for HttpOnly flag on authentication cookies
The HttpOnly flag is now supported on the authentication cookies used in VPN scenarios, that is, the NSC_AAAC and NSC_TMAS cookies. The NSC_TMAS authentication cookie is used during nFactor authentication and the NSC_AAAC cookie is used for the authenticated session. The HttpOnly flag on a cookie prevents the cookie from being read through the JavaScript document.cookie property, which helps prevent cookie theft through cross-site scripting.
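A quick way to verify the change on your own Gateway is to look at the Set-Cookie headers a login response returns. The script below is an added example (not Citrix code and not from the release note): it parses Set-Cookie values and reports which of the two session cookies named above are missing HttpOnly or Secure. The header lines are constructed sample data, not captured from a real appliance.

```python
from dataclasses import dataclass

# Cookie names are taken from the release note above; anything else is ignored.
SESSION_COOKIES = {"NSC_TMAS", "NSC_AAAC"}


@dataclass
class CookieFlags:
    name: str
    httponly: bool
    secure: bool


def parse_set_cookie(header_value: str) -> CookieFlags:
    """Split one Set-Cookie value into its cookie name and the two flags we audit.
    Attributes are separated by ';' (Expires may contain commas, so do not split on ',')."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flag attributes carry no '=value'.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieFlags(name=name, httponly="httponly" in attrs, secure="secure" in attrs)


def audit_cookies(set_cookie_headers):
    """Return {cookie_name: [missing flags]} for the session cookies only."""
    findings = {}
    for hdr in set_cookie_headers:
        c = parse_set_cookie(hdr)
        if c.name not in SESSION_COOKIES:
            continue
        missing = [flag for flag, ok in (("HttpOnly", c.httponly), ("Secure", c.secure)) if not ok]
        if missing:
            findings[c.name] = missing
    return findings


# Constructed sample headers: one cookie still lacks HttpOnly, one is correct,
# and one unrelated cookie shows that non-session cookies are skipped.
SAMPLE_HEADERS = [
    "NSC_TMAS=abc123; Path=/; Secure",
    "NSC_AAAC=def456; Path=/; Secure; HttpOnly",
    "OTHER_COOKIE=0; Path=/",
]

if __name__ == "__main__":
    print(audit_cookies(SAMPLE_HEADERS))  # {'NSC_TMAS': ['HttpOnly']}
```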
Unchanged - Current ADM Build. Nov 29, 2022, Citrix ADM 13.1 Build 37.38
Here are the release notes for this one:
Updated - Citrix App Delivery and Security Service. Release 13.1-40.27 (13 Dec)
Set the rate limit type for your application
When you enable the rate limit protection for your application, you can now set the limit type in the rate limit policy. The limit type defines how the requests must spread over the specified time frame.
Bursty: Use this limit type if your application traffic is sporadic. It is helpful if the load peaks anytime within the set time frame.
Smooth: Use this limit type if your application traffic is consistent. It evenly spreads the load across each time slice of the set time frame.
Rate limit policy supports sending the response 429
You can now configure a rate limit action to send a response with a status code 429. This code suggests that there are too many requests for the application.
When the incoming requests exceed the limit, this action displays the 429 code to a user.
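To make the difference between the two limit types concrete, here is an added example (my own toy model, not the CADS service implementation) of a fixed-window limiter: "bursty" allows up to the whole limit anywhere inside the time frame, while "smooth" splits the time frame into equal slices and allows only limit/slices per slice. Requests over the limit get the 429 status described above. The limit, time frame and slice count are assumed values for the simulation.

```python
class RateLimiter:
    """Fixed-window rate limiter with the two limit types from the release note.
    limit: requests allowed per timeframe (seconds); slices: number of equal
    time slices the frame is divided into for the 'smooth' type."""

    def __init__(self, limit, timeframe, limit_type="bursty", slices=10):
        if limit_type not in ("bursty", "smooth"):
            raise ValueError("limit_type must be 'bursty' or 'smooth'")
        if limit_type == "smooth" and limit % slices:
            raise ValueError("limit must divide evenly into slices")
        self.limit, self.timeframe = limit, float(timeframe)
        self.limit_type, self.slices = limit_type, slices
        self.seen = []  # timestamps of accepted requests

    def _bucket(self, t):
        # Bursty counts against the whole frame; smooth counts against one slice.
        span = self.timeframe if self.limit_type == "bursty" else self.timeframe / self.slices
        return int(t // span)

    def allow(self, now):
        """Return True if a request at time `now` is within quota (and record it)."""
        # Forget accepted requests older than one full time frame.
        self.seen = [t for t in self.seen if t > now - self.timeframe]
        cap = self.limit if self.limit_type == "bursty" else self.limit // self.slices
        in_bucket = sum(1 for t in self.seen if self._bucket(t) == self._bucket(now))
        if in_bucket >= cap:
            return False
        self.seen.append(now)
        return True


def simulate(limit_type, timestamps, limit=10, timeframe=10.0, slices=10):
    """Return the HTTP status (200 or 429) the rate-limit action would send per request."""
    limiter = RateLimiter(limit, timeframe, limit_type, slices)
    return [200 if limiter.allow(t) else 429 for t in timestamps]


if __name__ == "__main__":
    # Constructed traffic: 11 requests in the first second (a burst) versus
    # one request per second (steady), with a limit of 10 per 10 seconds.
    burst = [i / 10 for i in range(11)]
    steady = [float(i) for i in range(10)]
    print("bursty/burst :", simulate("bursty", burst))   # ten 200s then one 429
    print("smooth/burst :", simulate("smooth", burst))   # only one 200 per 1 s slice
    print("smooth/steady:", simulate("smooth", steady))  # all 200
```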
Enable bot TPS for your application
You can now enable bot TPS (Transactions Per Second) for your application as part of security protections. With this feature, you can detect the incoming bot traffic based on the following:
Number of transactions per second
Surge in transactions (%) in the last 30 minutes
Support to upload a configuration file while migrating the ADC configuration to the CADS service
You can now upload a source configuration file instead of manually typing or copy-pasting the commands. This option is specifically helpful when you have large configuration files.
https://docs.citrix.com/en-us/citrix-app-delivery-and-security/whats-new.html
Updated - ADM Service. Release unlisted number. December 13, 2022
Management and Monitoring
Citrix ADM security advisory now supports the identification and remediation of CVE-2022-27518.
Identification of CVE-2022-27518 requires a combination of a version scan and config scan, and remediation requires an upgrade of the vulnerable ADC instances to a release and build that has the fix.
For more information about how to remediate CVE-2022-27518, see Security Advisory.
NOTE
It might take a couple of hours for the security advisory system scan to conclude and reflect the impact of CVE-2022-27518 in the security advisory module. To see the impact sooner, you can start an on-demand scan by clicking Scan Now.
3. Citrix Developer Cloud Forum.
Remote Rate Limiting rules with HTTP Callout
I have always found HTTP callout to be a powerful feature. Rick Davis has created this article:
In general, as request load increases, compute capacity can be scaled to meet demand as needed. However, not all back-end systems are so easily scaled. Sometimes even a moderate traffic load increase for a resource-constrained service could make it unresponsive. NetScaler rate limiting can protect services through the enforcement of flexible traffic quotas. This HTTP Callout based use case is helpful where service capacity may be different among tenants and/or application resources and the rule set for when to apply rate limiting quotas is managed by an external API server.
https://forum.developer.cloud.com/s/article/Centralized-API-Rate-Limiting
Securing APIs: Don’t let Auth be your weakest link
You are the weakest link, goodbye! Sara Austin posted a piece about securing APIs, always worth another look.
APIs are a critical infrastructure component and help to drive the modern digital economy. If your organization is using APIs, you can’t afford for them to go down. If your APIs are attacked successfully, it can lead to data loss, frustrated customers, and hits on your revenue and reputation. Strong authentication (Who is the client or user?) and authorization (What can the client or user do?) practices are essential to ensuring your APIs are secure.
https://forum.developer.cloud.com/s/article/Securing-APIs-Don-t-let-Auth-be-your-weakest-link
4. Blogs worth a look
Build a wall around your country!
Ronan does a great walk-through using Geo blocking to reduce your public visibility and stay off the hackers’ radar.
Constructing a wall around your country has been a controversial theme in recent years, but in the times we live in, this concept applied to IT adds great value from a cyber security perspective. The internet, by its nature, is an interconnected global network, allowing a single person on a device in one part of the world to connect to a resource thousands of kilometres away in milliseconds.
https://citrixie.wordpress.com/2022/03/16/build-a-wall-around-your-country/
5. AOB
Getting a JSON appliance list
We ran a partner webinar last Thursday, and one of the follow-up questions was related to JSON.
Question: Does Citrix have plans for a feature in ADM to export instance data to json?
Response: A great question! I asked one of the PMs in the ADM team and he came back with this:
We don’t export in JSON today, nor do we have anything in future. But a CSV can be converted to JSON with free utilities online today. Is that a problem for the customer?
This wasn’t something that I had looked at before, so I opened a browser and had a look for something that could do the conversion. In this case I used ‘Google’; however, other search options are available!
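If you would rather keep an instance list on your own machine than paste it into a web converter, the conversion needs nothing beyond the Python standard library. This is an added example, not an ADM feature: the column names in the sample CSV are assumed for illustration (ADM's real export headers may differ), and the instance names and addresses are constructed.

```python
import csv
import io
import json

# Constructed sample of what an ADM instance export might look like. The
# leading \ufeff mimics the UTF-8 byte-order mark some spreadsheet exports add.
SAMPLE_CSV = """\ufeffInstance Name,IP Address,Version,State
ns-lab-01,10.0.0.11,13.1 Build 37.38,Up
ns-lab-02,10.0.0.12,13.0 Build 89.7,
"""


def csv_to_records(text):
    """Turn CSV text into a list of dicts with tidy JSON-friendly keys.
    Header names are lower-cased with spaces replaced by underscores; empty
    cells become null rather than empty strings."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))
    records = []
    for row in reader:
        clean = {}
        for key, value in row.items():
            name = key.strip().lower().replace(" ", "_")
            value = (value or "").strip()
            clean[name] = value if value else None
        records.append(clean)
    return records


def csv_to_json(text, indent=2):
    """Serialise the CSV rows as a JSON array."""
    return json.dumps(csv_to_records(text), indent=indent)


if __name__ == "__main__":
    print(csv_to_json(SAMPLE_CSV))
```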
Have a great week!