ADC Archive – Page 2 of 3

ADV190023 – Enable LDAPS in Windows DC and Citrix ADC

Important Info:
The scheduled update (ADV190023), regarding LDAP Signing and Channel Binding for new and existing domain controllers, scheduled for March 10, 2020, has been postponed to the second half of calendar year 2020. The March 2020 update will only provide additional auditing capabilities to identify and configure LDAP systems before they become inaccessible with the later update.

The later update results in no more connections to the domain controller, via unsigned / Clear Text LDAP on port 389. Then it is only possible to use either LDAPS via port 636 or Signed LDAP (StartTLS) on port 389.

Checklist for Citrix ADC CVE-2019-19781

Citrix has released a critical vulnerability warning (CVE-2019-19781) in all Citrix ADC & Gateway systems one week before Christmas. Several working exploits have been released since Jan. 10, 2020 and are available to everyone.

Important ! The fix from Citrix with the Responder Policy does not work on systems with version 12.1.51.16/51.19, 50.31 and older. If this version is in use, please update to the latest 12.1 version.

The exploits allow remote code to be executed anonymously, allowing unauthenticated attackers to take over the various machines with root privileges.

SAML Authentication with Azure AD as IdP and Citrix as SP

Since Citrix XenApp / XenDesktop 7.9 the Federated Authentication Service (FAS) is available. Via Citrix FAS it is possible to authenticate a user via SAML and thus connect Citrix as a service provider to existing identity providers, such as Azure-AD.

Sequence of SAML authentication

The user browse the FQDN (e.g. citrix.deyda.net) of the Citrix Gateway vServer (Service Provider) to start his VA / VD resources
The Citrix Gateway vServer directs the unauthenticated user directly to the Identity Provider (Azure-AD) to authenticate itself (saml: authnRequest)
The Identity Provider points to its SingleSignOnService URL (e.g. login.microsoftonline.com) and the user must authenticate
The user enters his AD credentials and these are checked by the Identity Provider against the user database
Upon successful verification in the user database, the IdP is informed
The IdP issues a token (SAML assertion) and sends it to the Citrix Gateway (saml: response)
Citrix Gateway checks the token (assertion signature) and extracts the UPN from the assertion token. This allows access via SSO to the VA / VD farm via FAS (The SP does not have access to the user’s credentials)

SAML Auth Azure AD & Citrix Gateway with FAS

Copy a Citrix ADC configuration to a new machine

In one of my recent projects, I had to build several Citrix ADCs in a new data center. After consultation with the customer, the same services and functions should be configured as in the old data center. The only difference was that the new data center should use different IP ranges and therefore all network settings of the Citrix ADCs and the connected services had to be adapted.

Requirements

Same version and build on all Citrix ADC
Same Citrix ADC license version on all Citrix ADC
IP addresses of the new Citrix ADC should be defined and free (NSIP, SNIP & VIP).
IP addresses of the connected machines should be known (server or server groups)
Basic configuration of the new Citrix ADC should be done (NSIP, SNIP, DNS, Timezone & License)

Microsoft Azure MFA Cloud Service in Citrix ADC

To complete my previous article, I also directly implemented and tested Microsoft Azure MFA Cloud Service in my test lab. In this post I go straight to the ToDo’s for implementation. For more information on MFA and the differences between Local and Cloud, please read my previous post.

It is important that all my information has the status of March 2019 and since it is the cloud, it will soon be obsolete again.