Duo two-factor authentication with NetScaler Gateway

I been seeking an alternative for second factor authentication with Citrix NetScaler for a while, just sick of RSA and all its complexity and upgrades and tokens, etc.  During my search for another method I was directed to Duo and was immediately excited about it.  Duo combines modern two-factor authentication with advanced endpoint security solutions to protect users from account takeovers and data breaches.

Duo integrates with Citrix NetScaler Gateway to add two-factor authentication with Radius and back-end authentication services for LDAP.

03_ns_gtw_duo

Screenshots below are from my Apple Watch and iPhone using the “Push” option

IMG_4118  IMG_4119  IMG_4121

Environment:

  • Citrix NetsScaler 11.0Build 63.16.nc
  • StoreFront 3.5

To integrate Duo with your NetScaler Gateway, you will need to install a local proxy service on a server within your network. Before proceeding, you should locate (or set up) a system on which you will install the Duo Authentication Proxy. The proxy supports Windows and Linux systems (in particular, we recommend Windows Server 2008 R2 or later, Red Hat Enterprise Linux 6 or later, CentOS 6 or later, or Debian 6 or later).

Then you’ll need to:

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate Citrix NetScaler in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname.

Install the Duo Authentication Proxy

The Duo Authentication Proxy can be installed on a physical or virtual host. We recommend a system with at least 1 CPU, 200 MB disk space, and 4 GB RAM (although 1 GB RAM is usually sufficient).

  1. Download the Duo Authentication Proxy for Windows.
  2. On the Windows system you have chosen to host the Duo Authentication Proxy, launch the proxy installer and follow the on-screen prompts.
Configure the Proxy
After the installation completes, you will need to configure the proxy.

The Duo Authentication Proxy configuration file is named authproxy.cfg, and is located in the conf subdirectory of the proxy installation. With default installation paths, the proxy configuration file will be located at:

Platform Default Configuration Path
Windows (64-bit) C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
Windows (32-bit) C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg
Linux /opt/duoauthproxy/conf/authproxy.cfg

Your Auth Proxy config will look something like this.

[ad_client]
host=IP Address of your LDAP server (I use an LDAP VIP on NetScaler)
service_account_username=An LDAP Service account (Read only)
service_account_password=LDAP_Password
search_dn=dc=domain,dc=com (you can specify an OU, etc, but pointing to your root makes it easier and you can then select a user group.)

[radius_server_iframe]
type=citrix_netscaler
ikey=Your Duo integration key
skey=Your Duo secret key
api_host=Your Duo API hostname
failmode=safe
client=ad_client
radius_ip_1=IP address of NetScaler (NSIP) or Subnet IP address (SNIP) if you have a pair
radius_secret_1=Radius Shared Key between your NetScaler and Auth Proxy server
port=1812

[radius_server_auto]
ikey=Your Duo integration key
skey=Your Duo secret key
api_host=Your Duo API hostname
failmode=safe
client=ad_client
radius_ip_1=IP address of NetScaler (NSIP) or Subnet IP address (SNIP) if you have a pair
radius_secret_1=Radius Shared Key between your NetScaler and Auth Proxy server
port=18120

[cloud] (This section is to allow LDAP synch from the Duo Admin console to your LDAP environment
ikey=Your Duo integration key for the Authentication Proxy (not NetScaler)
skey=Your Duo secret key for the Authentication Proxy (not NetScaler)
api_host=Your Duo API hostname for the Authentication Proxy (not NetScaler)

01_ns_gtw_duo02_ns_gtw_duo

Done, now lets do some NetScaler work.  The steps below will create a new NetScaler Gateway which will score an A+ with SSLLABS.COM

1. Create your DUO Radius Policy and Server, in the sample below I am using ns_true which will allow all traffic.  You can certainly get creative and configure headers with Citrix Receiver information such as “REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver”

add authentication radiusAction duo_ctx_web_srv -serverIP YOUR_AUTH_PROXY_SERVER -serverPort 1812 -authTimeout 60 -radKey “Radius Shared Key between your NetScaler and Auth Proxy server” -encrypted -encryptmethod ENCMTHD_3 -accounting ON
add authentication radiusPolicy duo_ctx_web_pol ns_true duo_ctx_web_srv

2. Create your new Custom Cipher group, then bind the Ciphers to it.

add ssl cipher custom_ciphers

bind ssl cipher custom_ciphers -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher custom_ciphers -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl cipher custom_ciphers -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom_ciphers -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom_ciphers -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher custom_ciphers -cipherName TLS1.2-AES-256-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-AES-128-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl cipher custom_ciphers -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher custom_ciphers -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher custom_ciphers -cipherName SSL3-DES-CBC3-SHA
bind ssl cipher custom_ciphers -cipherName SSL2-DES-CBC3-MD5
bind ssl cipher custom_ciphers -cipherName SSL3-EDH-DSS-DES-CBC3-SHA
bind ssl cipher custom_ciphers -cipherName SSL3-EDH-RSA-DES-CBC3-SHA

3. Create your Strict Transport Security Rewrite policy

add rewrite action rw_action_sts_header insert_http_header Strict-Transport-Security “\”max-age=157680000\””
add rewrite policy rw_pol_sts_config TRUE rw_action_sts_header

4. Create your SSL redirect from HTTP

add responder action http_to_https redirect “\”https://\” + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE” -responseStatusCode 302
add responder policy http_to_https_pol HTTP.REQ.IS_VALID http_to_https RESET

add service ns_redirect_dummy 127.0.0.1 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED cip-header -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

5. Create your HTTP NetScaler Gateway VIP and bind the HTTP to HTTPS redirect responder

add lb vserver remote_ns_gtw_redirect HTTP YOUR_IP_ADDRESS 80 -persistenceType NONE -cltTimeout 180
bind lb vserver remote_ns_gtw_redirect ns_redirect_dummy
bind lb vserver remote_ns_gtw_redirect -policyName http_to_https_pol -priority 100 -gotoPriorityExpression END -type REQUEST

6. Create your NetScaler Gateway

add vpn vserver remote_ns_gtw SSL YOUR_IP_ADDRESS 443 -maxAAAUsers 9045 -downStateFlush DISABLED -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -appflowLog ENABLED
set ssl vserver remote_ns_gtw -dh ENABLED -dhFile “/nsconfig/ssl/dhkey2048.key” -ssl3 DISABLED
bind vpn vserver remote_ns_gtw -staServer “http://YOUR_STA_SERVER:180”
bind vpn vserver remote_ns_gtw -staServer “http://YOUR_OTHER_STA_SERVER:180”
bind vpn vserver remote_ns_gtw -portaltheme X1

7. Bind your DUO Radius Policy and Server (The sample below binds an already existing StoreFront 3.5 Session Policy) – NOTICE THE 120 REWRITE POLICY (rw_pol_sts_config) This is done as I later bind 2 additional Rewrite policies to automatically select the “I accept the Terms & Conditions” checkbox and enable the “Log On” button

bind vpn vserver remote_ns_gtw -policy duo_ctx_web_pol -priority 100
bind vpn vserver remote_ns_gtw -policy web_sf35_policy -priority 100
bind vpn vserver remote_ns_gtw -policy rw_pol_sts_config -priority 120 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver remote_ns_gtw -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver remote_ns_gtw -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver remote_ns_gtw -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver remote_ns_gtw -policy _noCacheRest -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver remote_ns_gtw -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE

8. Bind your SSL certificate and custom Ciphers to your NetScaler Gateway

bind ssl vserver remote_ns_gtw -cipherName custom_ciphers
bind ssl vserver remote_ns_gtw -certkeyName wildcard

9. Bind the ECC curves, they are required for PFS w/ ECDHE ciphers

bind ssl vserver remote_ns_gtw -eccCurveName P_256
bind ssl vserver remote_ns_gtw -eccCurveName P_384
bind ssl vserver remote_ns_gtw -eccCurveName P_224
bind ssl vserver remote_ns_gtw -eccCurveName P_521

10. Set up Rewrite policies to automatically select the “I accept the Terms & Conditions” checkbox and enable the “Log On” button.  In the end you will have 3 Rewrite policies enabled.  One for selecting the checkbox automatically, the other for enabling the “Log On” button, and finally one to enable HSTS/STS which you will need to achieve the A+ score.

bind vpn vserver remote_ns_gtw -policy ns_gtw_eula_checked_pol -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
bind vpn vserver remote_ns_gtw -policy ns_gtw_LogonAutoEnable_rw_pol -priority 110 -gotoPriorityExpression END -type RESPONSE

04_ns_gtw_duo

05_ns_gtw_duo

11. Set up for firewal NATs and ACL, for this example I am using Cisco

object network obj-YOUR_IP (DMZ I hope :))
host YOUR_IP

nat (dmz,outside) static YOUR_EXTERNAL_IP
object network obj-YOUR_IP

access-list EXT-INBOUND extended permit tcp any4 host YOUR_IP eq www
access-list EXT-INBOUND extended permit tcp any4 host YOUR_IP eq https

That is it! Hope this helps:)

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

Set up a maintenance page on Netscaler Gateway

From time to time there may be a need to bring your remote access down due to scheduled maintenance.  Sure all sorts of communication will be sent out, but the cold fact is that users don’t read or remember😛

Below are the steps on how to manually display a maintenance page on your NetScaler Gateway  to inform that the site is down.

  1. Create a maintenance html page (code included below)
  2. Create a Responder action which will redirect the traffic to the maintenance page.
  3. Create a Responder policy to only be used when the traffic contains a specific fqdn (ex: remote.company.com) as well as specific index.html file.
  4. Bind your Responder policy to your NetScaler Gateway vServer

Environment:

  • Citrix NetsScaler 11.0Build 63.16.nc
  • StoreFront 3.5

Lets get started:

  1. Create your maintenance.html page and upload to the Netscaler, in my case I am using a very customized theme and uploaded to /var/netscaler/logon/themes/nameoftheme/custom_media

<!doctype html>
<title>Site Maintenance</title>
<style>
body { text-align: center; padding: 150px; }
h1 { font-size: 50px; }
body { font: 20px Helvetica, sans-serif; color: #333; }
article { display: block; text-align: left; width: 650px; margin: 0 auto; }
a { color: #dc8100; text-decoration: none; }
a:hover { color: #333; text-decoration: none; }
</style>

<article>
<h1>We&rsquo;ll be back soon!</h1>

Sorry for the inconvenience but we’re performing maintenance between the hours of midnight to 4 am. If you need to you can always contact us, otherwise we’ll be back online shortly!

— Information Technology Support Center

</article>

01-maint

2. Create a Responder action to redirect to your new maintenance.html file

add responder action ns_gateway_maint_action redirect “\”https://remote.company.com/logon/themes/Default/custom_media/maintenance.html\”” -responseStatusCode 302

3. Create a Responder policy and assign the action from step 2.  In my case, I am hosting several sites on a single gateway, so I needed to specify the hostname header and index.html file of my NetScaler Gateway site😛

add responder policy ns_gateway_maint_policy “HTTP.REQ.HOSTNAME.EQ(\”remote.company.com\”) && HTTP.REQ.URL.CONTAINS(\”index.html\”)” ns_gateway_maint_action

4. Bind your new responder policy to your NetScaler Gateway site

bind vpn vserver external_portal -policy ns_gateway_maint_policy -priority 100 -gotoPriorityExpression END -type REQUEST

Next time your users go to your Gateway, in my case https://remote.company.com, they will all be redirected to the maintenance page, once work is done, you can unbind the policy and users will again be redirected to your Gateway main page.

unbind vpn vserver internal_portal -policy ns_gateway_maint_policy

ns11_rw_final

Hope this helps:)

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

NetScaler SSL A+ Secured VIPs

Below are the steps I followed to score an A+ with Qualys while working on a new XenMobile:) and NetScaler Unified Gateway deployment.

There are some caveats however since Citrix is now delivering TLS1.2 with TLS_FALLBACK-protection across all NetScaler products.  Good right? well if you are running a version below 10.5.57.7.nc you will need to update your NS appliances.

10.5.57.7.nc is available to all NetScaler and NetScaler Gateway customers.  With this release and above, you now can achieve and A+ regardless of the hardware platform including VPX running on your own hypervisor, MPX or SDX .

Environment:

  • Citrix NetsScaler 11.0Build 63.16.nc
  • XenMobile 10.3
  • StoreFront 3.0

Lets gets started:

Bind specific Ciphers to your SSL vServer, then disable RC4 by creating our own Cipher Group.

Please note TLS1-AES-256-CBC-SHA is needed to support older SOCKS-clients such as Receivers prior to 4.2.100 running on Windows and several others.  This includes the XenMobile WorxMail client in STA-mode.

In the future this might change as Citrix moves forward with TLS1.2 support across their products.

set ssl vserver portal_netscaler -tls1 ENABLED
set ssl vserver portal_netscaler -tls11 DISABLED
set ssl vserver portal_netscaler -tls12 ENABLED
set ssl vserver portal_netscaler -ssl2 DISABLED
set ssl vserver portal_netscaler -ssl3 DISABLED
unbind ssl vserver portal_netscaler -cipherName ALL
bind ssl vserver portal_netscaler -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl vserver portal_netscaler -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl vserver portal_netscaler -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl vserver portal_netscaler -cipherName TLS1-AES-256-CBC-SHA

Crate a new Cipher Group from the default Cipher Group and disable the RC4 suite as you will be capped to a B.  There are some weaknesses with the  RC4 Cipher Suite that could enable an attacker to decrypt the key stream.  You can read more on how an attack against TLS/RC4 is possible by reviewing this PDF (http://cr.yp.to/talks/2013.03.12/slides.pdf)

add ssl cipher DEFAULT_no_RC4
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-AES-256-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-AES-128-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName SSL3-EDH-RSA-DES-CBC3-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName SSL3-EDH-DSS-DES-CBC3-SHA
bind ssl cipher DEFAULT_no_RC4 -cipherName SSL3-DES-CBC3-SHA

Bind the new SSL Cipher Group to your vServer

bind ssl vserver portal_netscaler -cipherName DEFAULT_no_RC4

The above will get you to an A- Score:

ssl_a_minus

You can also enable Forward Secrecy, with the new firmware it’s now possible to enable PFS for all modern Clients/Browser and receive an A+

Follow the instructions below and score A+

https://blog.cjharms.info/2014/05/enable-forward-secrecy-and-secure.html

ssl_a_plus

Hope this helps :)

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

 

NetScaler Gateway 11 footer customization

Ran into difficulties customizing a new NetScaler 11 Gateway.  Although I was happy to finally be able to apply themes per NetScaler Gateway vServer, I quickly saw that this new option presents new challenges if you are looking to customize beyond what the themes allow.

Our goal was to add footer information on the front page in order to provide Help Desk contact info, a Citrix Receiver download link and the RSA Self Service portal.   With NS 11, the problem is that the index.html file is no longer constructed the same as it was with 10.x.

Lets understand this a bit more.

With NetScaler Gateway 11, the logon form and pretty much the entire index.html body, is generated by 2 javascript files (gateway_login_view.js and gateway_login_form_view.js).

  1. gateway_login_view.js – creates the body and tables for the actual form
  2. gateway_login_form_view.js – creates the form itself, username and password fields, domain dropdown box, etc.

This naturally creates a headache if you are use to working with the 10.x firmware.  As with 10.x you can accomplish most of the customization by directly modifying the index.html file, and creating a custom global policy user interface.  On the other hand, this presented a challenge if you had to run multiple Gateway vServers  with a custom UI, and you had to get pretty creative on how to overcome  it.

For NS 11, I read a post where someone was struggling with a similar situation, luckily it pointed me in the right direction.  The post suggested to modify or create a new gateway_login_view.js  and/or gateway_login_form_view.js (you can read the post here).  

Rather than modifying existing code or creating new files then having to deal with responder policies, etc.  I figure I try to do this via the NetScaler Rewrite Policies and Actions to make it look something like the picture below.

ns11_rw_final

Environment:

  • Citrix NetsScaler 11.0Build 63.16.nc
  • StoreFront 3.0
  • RSA 8.1

Let’s get started.

  1. Add links at the bottom of the authentication page, unfortunately rewrite actions have a 255 character limit which you can easily bypass by adding “+” to the expression. Click here to view/download the syntax as WordPress messes with it.

2. Enable the EULA box by default:

add rewrite action ns_gtw_eula_checked_action replace_all “http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)” “\”type=\’checkbox\’ checked\”” -pattern “type=\’checkbox\'”
add rewrite policy ns_gtw_eula_checked_pol “HTTP.REQ.URL.CONTAINS(\”gateway_login_form_view.js\”)” ns_gtw_eula_checked_action
bind vpn vserver portal_netscaler -policy ns_gtw_eula_checked_pol -priority 110 -gotoPriorityExpression NEXT -type RESPONSE

3. Enable the Logon Button by default:

add rewrite action ns_gtw_LogonAutoEnable_rw_act replace_all “http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)” “\”\’disabled\’:\’\’\”” -pattern “\’disabled\’:\’disabled\'”
add rewrite policy ns_gtw_LogonAutoEnable_rw_pol “HTTP.REQ.URL.CONTAINS(\”gateway_login_form_view.js\”)” ns_gtw_LogonAutoEnable_rw_act
bind vpn vserver portal_netscaler -policy ns_gtw_LogonAutoEnable_rw_pol -priority 120 -gotoPriorityExpression END -type RESPONSE

Hope this helps:)

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

Automatic NetScaler Gateway 11 EULA Acceptance

With the new release of Citrix NetScaler 11, we now have the  option to setup an End User License Agreement for users prior to logging in.  After getting the NetScaler Gateway configured and enabling EULA policies, I thought it would be useful to have the check box enabled, and the Log On button turned on by default.

Below are the steps on how to set up Rewrite Policies and Rewrite Actions on the NetScaler to automatically check  the EULA acceptance box, as well as turn on the Log on button.

The default behavior is to have users select the box every time prior to authenticating to the NetScaler Gateway😦

unchecked_eula

Environment:

  • Citrix NetsScaler 11.0Build 63.16.nc
  • StoreFront 3.0
  • RSA 8.1

Fix:

Enable the check box

add rewrite action ns_gtw_eula_checked_action replace_all “http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)” “\”type=\’checkbox\’ checked\”” -pattern “type=\’checkbox\'”
add rewrite policy ns_gtw_eula_checked_pol “HTTP.REQ.URL.CONTAINS(\”gateway_login_form_view.js\”)” ns_gtw_eula_checked_action
bind vpn vserver name_of_your_ns_gtw_vip -policy ns_gtw_eula_checked_pol -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

Enable the Logon button – By default this is disabled in the gateway_login_form_view.js file

add rewrite action ns_gtw_LogonAutoEnable_rw_act replace_all “http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)” “\”\’disabled\’:\’\’\”” -pattern “\’disabled\’:\’disabled\'”
add rewrite policy ns_gtw_LogonAutoEnable_rw_pol “HTTP.REQ.URL.CONTAINS(\”gateway_login_form_view.js\”)” ns_gtw_LogonAutoEnable_rw_act
bind vpn vserver name_of_your_ns_gtw_vip -policy ns_gtw_LogonAutoEnable_rw_pol -priority 110 -gotoPriorityExpression NEXT -type RESPONSE

Final result – The Checkbox and Logon box will be enabled when users go to the NetScaler Gateway site.

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

Provide Citrix Receiver download link on NetScaler Gateway authentication page based on Client OS

While working on a new StoreFront/NetScaler Gateway implementation, I was asked to provide a Citrix Receiver link on the NetScaler Gateway authentication page, although I thought this was a pretty simple task, I figure we would make this fancier and detect the Client OS then provide the proper Citrix Receiver the company wanted to deploy.

Before you get started, I suggest reading the articles below.  These guides will give you a great understanding on the steps necessary to modify the NetScaler Gateway logon page.

Remember that the changes will be lost if the NetScaler reboots, so please make sure to follow the steps below after you are done.

Apply customization:

Putty in to NS

  • shell
  • mkdir /var/ns_gui_custom
  • cd /netscaler
  • tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*

Now apply the package to your AGEE sites

  • In the configuration utility, under the Configuration tab, expand “NetScaler Gateway” and then click “Global Settings“.
  • In the details pane, under Settings, click Change global settings.
  • In Global NetScaler Gateway Settings, click the Client Experience tab.
  • Next to UI theme, click Custom and then click OK.
  • Save NS config and done!

Read these before getting started:

Environment:

  • Citrix NetsScaler 10.5 Safe Harbor Build 56.22.nc
  • StoreFront 2.6

Lets get started:)

Goals:

  • Create Receiver Download link based on OS (Windows, Mac, iOS and Linux)
  • Create Support Contact information
  • Create footer information

The final look (had to blur company info, logos and links)

final_page

Back up the index.html file under /var/netscaler/gui/vpn.  In this case this deployment is already set up with the StoreFront 3.0 look and feel, so I just need to mess with the index.html

Around line 15.  Lets add some CSS so we can then use to display the text.  Your code should look like this

<style type=”text/css”>
body
{
display : none;
visibility: hidden;
}

#auth-footer-disclaimer-wrapper {
width: 100%;
position: absolute;
bottom: 10px;
text-align: center;
}

#auth-footer-disclaimer {
color: white;
width: 80%;
margin: 0px auto;
font-family: tahoma, helvetica, arial;
font-size: 7pt;
}

#auth-footer-help-info {
color: white;
width: 80%;
margin: 0px auto;
font-family: tahoma, helvetica, arial;
font-size: 10pt;
}
#auth-footer-qrc-links {
color: white;
position: relative;
text-align: center;
font-family: source sans pro, segoe ui, arial;
font-size: 10pt;
padding: 10px;
}

#auth-footer-qrc-links a, a:link, a:visited {
color: white;
text-decoration: underline;
}

#auth-footer-qrc-links a:hover {
color: white;
text-decoration: underline;
}

</style>

Now lets create that java script for browser detection script to detect the presentation of ICA client download links

Inset this around line 87 after

function setFocus(obj)
{
if (obj != null) {
obj.focus();
}
}

You will need to insert the javascript here.  However WordPress is not allowing me to display it😦

Take a look at the index.html file link

Now around line 236, look for

div id=”logonbelt-bottomshadow”

Then inset the code to call the CSS you used as well as the link and text you defined before

<!– Display Citrix Receiver link // –>
<div id=”auth-footer-qrc-links”>

document.write(dlLink);

Here is the entire Index.html file

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

 

 

NetScaler Gateway front page à la StoreFront 3.0

Below are the steps on how to brand the NetScaler Gateway front page to look similar to the new release of StoreFront 3.0.

If you are enabling the VPN (AKA Client Choices), then I also suggest you read my Citrix NetScaler Gateway Client Choices branding post.  And finaly take a peek at my previous post on Customizing Citrix NetScaler Gateway 10.5 logon page with Dual Factor Authentication,

Please note I tested this on several 10.1 Firmware Releases as well as the 10.5 Safe Harbor Build 56.22.nc release.

Environment 

  • Citrix NetsScaler 10.5 Safe Harbor Build 56.22.nc
  • StoreFront 2.6

Lets take a look at the Default Logon Page to be utilized with Citrix Web Interface 5.x (not 5.4) to match the carbon-black look and feel

ns_gateway_default

Ok now lets make this Green Bubble, once you apply the changes, you will notice the files will change under /var/netscaler/gui/vpn

Head over to your NS management IP:

Go under NetScaler > NetScaler Gateway > Global Settings and click on “Change Global settings”
Now click on the “Client Experience” Tab and change the “UI Theme” from “Default” to “Green Bubble”

This will update the authentication page to the horrendous looking Bubble Green theme

ns_gateway_green

Now lets have some fun😛

Backup the entire  /var/netscaler/gui/vpn directory

Since I am using second factor authentication for this roll out, we need to modify the login.js file in order to customize the password fields

ns_password

 

Around line 89 you will see the showpwd function, this will need to be manipulated so it does not displays the word “Password: 1” but rather something as simple as “Password:” or whatever you like.  Your code should look this this.

function ns_showpwd_greenbubble()
{
var pwc = ns_getcookie(“pwcount”);
document.write(‘<div class=”field CredentialTypepassword”><div class=”left”><label class=”label plain”><SPAN>’ + _(“Password”));

// Original password settings with Password: 1
// if ( pwc == 2 ) { document.write(‘&nbsp;1’); }
// Removes password value 1 when using dual factor

if ( pwc == 2 ) { document.write(‘&nbsp;’); }
document.write(‘:</SPAN></label></div>’);
document.write(‘<div class=”right”><input class=”prePopulatedCredential” autocomplete=”off” spellcheck=”false” type=”Password” title=”‘ + _(“Enter password”) + ‘” name=”passwd” size=”30″ maxlength=”127″></div></div>’);
if ( pwc == 2 ) {
document.write(‘<div class=”field CredentialTypepassword”><div class=”left”><label class=”label plain”><SPAN>’ + _(“Password2″) + ‘</SPAN></label></div><div class=”right”><input class=”prePopulatedCredential” autocomplete=”off” spellcheck=”false” type=”Password” title=”‘ + _(“Enter password”) + ‘” name=”passwd1″ size=”30″ maxlength=”127″></div></div>’);
}
UnsetCookie(“pwcount”);
}

Now lets modify the “Password 2:” entry by heading over to the “en.xml” under the “resources” folder

Around line 83 change the “Password2″ String to something like “RSA Code”

<String id=”Password2″>RSA Code:</String>

Ok that takes care of the Password fields:)

ns_password2

 

Now lets modify some CSS.  Head over to “ctxs.authentication.css” in the “css” folder

Lets add that funky shadow border StoreFront 2.6 has, which by default it is missing

ns_no_shadow_border

 

Around line look for “#logonbelt-topshadow” and “#logonbelt-bottomshadow” and lets add the shadow pics StoreFront uses.

Your code should look like this when you are done, make sure you copy those files from the StoreFront servers under the media directory on your StoreFront site (Ex: c:\inetpub\wwwroot\Citrix\NetScalerGatewayWeb\media\) copy both Screen_shadow_top.png and Screen_shadow_bottom.png to the “media”folder on your NS.

#logonbelt-topshadow {
background: url(“../media/Screen_shadow_top.png”) no-repeat transparent;
position: relative;
top: 205px;
margin: 0 auto;
width: 1009px;
height: 15px;
}

#logonbelt-bottomshadow {
background: url(“../media/Screen_shadow_bottom.png”) no-repeat transparent;
position: relative;
bottom: 0;
margin: 205px auto 0;
width: 1009px;
height: 15px;
}

Now lets change that darn green vertical bar, which is actually a pic that Citrix calls in their code.

ns_greenbar

Look for “#logonbox-container”, you will need to crank up that Photoshop or whatever image utility you use, and paint it the color you like, then point to the new file.  As you can tell Citrix is using a file called “VerticalGreenBarOnly.png” under the media folder.  Make changes and upload the new pic file and make a call to it in the CSS.  Your code should look like this.

#logonbox-container
{
/* background: url(“../media/VerticalGreenBarOnly.png”) repeat-y scroll 0 0 transparent; */
background: url(“../media/VerticalPurpleBarOnly.png“) repeat-y scroll 0 0 transparent; */
min-height: 230px;
margin: auto;
min-width: 654px;
position: relative;
top: 205px;
}

Now lets use that StoreFront 3.0 background file, head over to your X1 installaton and grab the bg_x1.jpg file under your Sites deployment (Ex: C:\inetpub\wwwroot\Citrix\PrivateCloudWeb\media)

Upload bg_x1 to the media folder on your NS and make a call to it under “#authentication”  Your code should look like this when you are done.

#authentication
{
background-image: url(‘../media/bg_x1.jpg’);
background-size: cover;
height: 100%;
width: 100%;
}

Now lets go after that logo.  You will need to mess around with the height and width and top settings based on the size of the log you are using.

Upload your company log to the media folder on NS, then head to the “#logonbox-logoimage” section and make a call to it.  Your code will look something like this when you are done.

#logonbox-logoimage
{
background-image: url(“../media/company_logo.png”);
border: 0 none;
float: right;
height: 43px;
position: absolute;
right: 69%;
top: 92px;
width: 354px;
}

Now lets make this work with IE11, and force the index.html file to render with IE9. Lets also change the default “NetScaler Gateway” Tab to match your company name.  In my case I am also loading a custom ico file when you save the link.

Open the index.html file and modify the code so it looks something like this

<HEAD><TITLE>Name of your Company</TITLE>

<META http-equiv=”X-UA-Compatible” content=”IE=EmulateIE9″ />

<link rel=”SHORTCUT ICON” href=”/vpn/images/company_icon.ico” type=”image/vnd.microsoft.icon”>

Almost done, except that the background picture you used “bg_x1.jpg” is not dynamic, meaning it will display a static size and will not re-size on the screen based on the browser size, and you get this very annoying scroll bar at the bottom right.

ns_non_dynamic_back

The reason is Citrix is using 9px as a margin to allocate that green bar “background: url(“../media/VerticalGreenBarOnly.png”) repeat-y scroll 0 0 transparent;” So lets delete that margin and also make the background image cover the browser screen.  Your code should look like this

#logonbox-innerbox {
background: url(“../media/Screen_SemiTranslucent.png”);
display: table;
height:242px;
position: relative;
width: 100%;
/* margin-left: 9px; Remove margin on the right. Makes the front page scroll😦 */
}

#authentication
{
background-image: url(‘../media/bg_x1.jpg’);
background-size: cover;
height: 100%;
width: 100%;
}

We are done.  End result will look something like this.  Hope this helps and please remember to do the following or your will lose your work when the Netscaler is rebooted

Open Putty and log in as nsroot, then type (Note the name of the compressed file, this needs to match “customtheme.tar.gz“)

  • shell
  • mkdir /var/ns_gui_custom
  • cd /netscaler
  • tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*

Now apply the package to your AGEE sites

  • In the configuration utility, under the Configuration tab, expand “NetScaler Gateway” and then click “Global Settings“.
  • In the details pane, under Settings, click Change global settings.
  • In Global NetScaler Gateway Settings, click the Client Experience tab.
  • Next to UI theme, click Custom and then click OK.
  • Save NS config and done!

ns_final

 

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

Follow

Get every new post delivered to your Inbox.

Join 67 other followers