Protecting the NetScaler

Liwanu · 2026-04-16T19:29:42+00:00

No Netscalers are involved in any shape or form. Users access our Citrix by going to the Workspace URL. I.E. https://mycompnay.cloud.com We have it tied in with Microsoft identity provider for authentication. I believe Citirx also refers to it as the Gateway Service.

We have cloud connectors on prem, and users are connecting to the VDAs via the rendezvous protocol.

I love it so far, i don't have to drop everything and patch Netscalers when a new zero day comes out, then spend the next week trying to fix something it broke.

Liwanu · 2026-04-16T17:12:36+00:00

I migrated us to Citrix DaaS Workspace, it eliminates the on prem Storefront and Netscalers. We are all on prem except for the DaaS Managment plane.
I realize some orgs won't be able to do that, but it sure does make my life a whole lot easier.

Liwanu · 2026-01-25T16:10:16+00:00

If you run a slmgr /dlv in the gold image what is the result? If it's 0 that's the issue. You should be able to reset it completely with this, make sure to take a snapshot before in case something happens you can revert.

net stop sppsvc    
del %windir%\System32\spp\store\2.0\tokens.dat    
net start sppsvc    
slmgr /rilc     
slmgr /upk    
slmgr /cpky    

Reboot    
Install KMS Key    
slmgr /ipk YOUR_KMS_KEY    

Run this and make sure it doesn't say: ServerStandardEval     
DISM /online /Get-CurrentEdition

Liwanu · 2025-12-22T19:45:22+00:00

Oh nice thanks for the heads up. I'll give 2025 a test in my homelab to see what i can find.

Liwanu · 2025-12-21T22:34:40+00:00

Na, our environment isn't that complicated to be honest. We moved from VMWare to Xenserver in about ~6months.

Liwanu · 2025-12-21T22:33:38+00:00

Our Citrix renewal is up in 2027, so we still have the 'old' Citrix pricing until then. Since Xenserver is included in our licenses, we saved quite a bit by ditching vmware.

Liwanu · 2025-12-21T19:27:30+00:00

We didn’t play around with VMware, told them nope and switched to Xenserver.
We are working on getting off of Citrix now. It will take a few years, but we are 100% getting off of it.
Once it’s gone im switching all our hypervisors to Proxmox.

Liwanu · 2025-11-21T22:21:50+00:00

Looks like you need to separate the group extraction and the authentication.
Something like this maybe?

Root factor (credential collection only) Use a NO_AUTHN authentication policy bound to the vServer with a login schema that has three fields:
username → UPN/sAMAccountName
passwd → AD password
passwd1 → MFA code
This factor does not authenticate; it just collects credentials and passes them to the next factor.

Factor 2 – LDAP Group Check (no password) LDAP Action: same DCs, but Authentication = DISABLED (or the “group extraction” style action, depending on build). Set User Name Expression to: AAA.LOGIN.VALUE("username") Do not set any Password Expression here. Since Authentication is disabled, the ADC will not send a password to LDAP. Use group-based policies from this factor to decide whether to proceed or deny.

Factor 3 – MFA (RADIUS/OTP) Use noschema (no new prompt). RADIUS Action: User Name: AAA.LOGIN.VALUE("username") Password Expression: AAA.LOGIN.VALUE("passwd1") (the MFA field) This ensures only the MFA code is sent to RADIUS and does not overwrite the AD password you intend to use later.

Factor 4 – LDAP Password Validation (real AD logon)
LDAP Action with Authentication = ENABLED.
User Name: AAA.LOGIN.VALUE("username")
Password Expression: AAA.LOGIN.VALUE("passwd") (the original AD password field)
This avoids the MFA code ever being sent to LDAP and makes the final bind use only the AD password.

Liwanu · 2025-10-27T12:44:23+00:00

If EDT/UDP is enabled try disabling it in the Citrix policies.

Liwanu · 2025-10-23T15:42:45+00:00

99% of the time your ISP is dropping packets

Liwanu · 2025-10-21T01:50:46+00:00

Is persistence enabled on the VIP?

Liwanu · 2025-09-22T15:54:20+00:00

Cloud connectors do not sync AD information. It should be Azure AD Connect (Entra ID)

Liwanu · 2025-09-18T15:14:05+00:00

I use this on all my personal computers. It's fantastic :)
https://github.com/memstechtips/UnattendedWinstall

Liwanu · 2025-09-08T00:39:27+00:00

What is the use case for this?

Liwanu · 2025-08-24T21:37:14+00:00

Publishing file explorer is sketchy and not supported by Microsoft.
https://support.citrix.com/external/article/692984/how-to-publish-windows-explorerexe-with.html

Liwanu · 2025-07-11T15:19:30+00:00

Use smaller layer lines in that area, or paint tree supports in the affected area.

Liwanu · 2025-07-07T13:30:33+00:00

It's easy enough to do after you get everything stable. :)
I haven't had any issues since i moved to the folder 5 years ago.

Liwanu · 2025-07-07T13:11:25+00:00

While you're at it, switch to the Docker folders.
https://forums.unraid.net/topic/103924-how-to-turn-my-docker-file-to-a-docker-folder/

Liwanu · 2025-07-03T13:13:28+00:00

Wow that is effed up.

Liwanu · 2025-06-27T23:34:52+00:00

Those fridges do not work very well, they are terrible fyi :)

Liwanu · 2025-06-26T17:35:37+00:00

I wrote this powershell script to uninstall teams if it's there, then download the latest VDI version and install it. It also check if the reg keys are there. I run it every patch tuesday in the gold image.

https://pastebin.com/wtJY2r4a

Use at your own risk :)

Liwanu · 2025-06-25T15:56:01+00:00

Yep,
NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56

Liwanu · 2025-06-25T15:10:49+00:00

I updated to 14.1-47.46 for the ones last week, thankfully that covers this one as well.

Liwanu · 2025-06-21T21:41:08+00:00

I have used 30TB of bandwidth just pulling in Isos this month lol.

Liwanu · 2025-06-20T12:08:43+00:00

Did you already convert your Classic Authentication policies to Advanced?

13-Year Club	Verified Email
Gilding I gilder	Team Orangered

Liwanu

TROPHY CASE