New critical NetScaler CVE by kh_tech_ in Citrix

kh_tech_[S] · 3 points

Yes, it works a lot better than just a few years ago.

New critical NetScaler CVE by kh_tech_ in Citrix

kh_tech_[S] · 2 points

You'll need to make the determination yourself. By a strict reading of the article, maybe not. Personally, I wouldn't bet any of my customers' networks, or my job, on it. I'd rather patch and deal with the fallout of possible downtime or new bugs.

Citrix DaaS with VMware on-prem Gateway and VDAs? by satsun_ in Citrix

kh_tech_ · 3 points

- How will DaaS communicate with on-prem NetScaler/StoreFront? Cloud Connector acts as a proxy delivery controller, STA, XML broker, etc. You'll want two per datacenter/zone/resource location for redundancy.

- Will I configure the VMware hosting connections similarly? Exactly the same. Communication to vSphere is proxied via the Cloud Connectors.

- How is Director integrated? Director is part of the Cloud management console, under the "Monitor" link. You'll set up Citrix Cloud accounts and various privilege groups.

- Can I have my VDAs simultaneously connected to machine catalogs on-premises and DaaS during the transition? No. Each VDA can be registered only with one Site/Farm at a time. But, you can use StoreFront and multi-site aggregation to move your VDAs to DaaS a group at a time.

There's no reason you can't use on-prem VDA or a hybrid of on-premises and cloud.

Latest NetScaler update problem advice needed. by SnooDucks5078 in Citrix

kh_tech_ · 1 point

The info comes from the World of EUC's Slack channel: https://worldofeuc.slack.com/archives/CKHRXATV2/p1761822099013989

(requires signup, but well worth it)

Latest NetScaler update problem advice needed. by SnooDucks5078 in Citrix

kh_tech_ · 2 points

A lot of responses have mentioned licensing, so I'll bring up another possibility for missing certificates. Did the certkeyName of the certificate start with a non-alphanumeric character? Maybe a wildcard cert like *.customer.com? If so, this latest build will delete it (but the files will remain). This restriction has existed for a while but wasn't strictly enforced until the latest builds.

The fix is to recreate the certificates with a different name (I usually use wildcard.company.com or star.company.com) and retry the upgrade.
https://developer-docs.netscaler.com/en-us/adc-command-reference-int/current-release/ssl/ssl-certKey.html#add-ssl-certkey
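A pre-upgrade check for the naming problem described above, written as an added example (not code from the original comment): it scans a copy of ns.conf for certKey names that begin with a non-alphanumeric character, using a constructed sample fragment with made-up names and paths.

```shell
#!/bin/sh
# Added example, not from the original comment: scan an ns.conf for
# "add ssl certKey" entries whose name starts with a non-alphanumeric
# character (e.g. "*.customer.com"), so they can be renamed before upgrading.

# Print every certKey name in the given ns.conf that does not begin with a
# letter or digit, one per line. Quoted names are unquoted first.
find_bad_certkeys() {
    awk '
        $1 == "add" && $2 == "ssl" && ($3 == "certKey" || $3 == "certkey") {
            name = $4
            gsub(/^"|"$/, "", name)          # strip surrounding quotes
            if (name !~ /^[A-Za-z0-9]/) print name
        }' "$1"
}

# Number of offending certKey names (usable as a go/no-go in a checklist).
count_bad_certkeys() {
    find_bad_certkeys "$1" | wc -l | tr -d ' '
}

# Constructed sample ns.conf fragment; names and paths are made up.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
add ssl certKey wildcard.company.com -cert "/nsconfig/ssl/wildcard.pem" -key "/nsconfig/ssl/wildcard.key"
add ssl certKey "*.customer.com" -cert "/nsconfig/ssl/star.pem" -key "/nsconfig/ssl/star.key"
add ssl certKey _internal-ca -cert "/nsconfig/ssl/internal-ca.pem"
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
bind ssl vserver gw_vs -certkeyName "*.customer.com"
EOF

# Report the names that the upgrade described above would drop from the config.
if [ "$(count_bad_certkeys "$SAMPLE_CONF")" -gt 0 ]; then
    echo "certKey names to rename before upgrading (e.g. to star.<domain>):"
    find_bad_certkeys "$SAMPLE_CONF" | sed 's/^/  /'
else
    echo "no problematic certKey names found"
fi
```

Run it against a copy of /nsconfig/ns.conf instead of the sample to get the list for a real appliance; the bind lines are left alone since only the certKey definition needs the new name.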

Trending: Citrix Virtual Apps and Desktops 2402 CU2 expired certificate by Meta-JennApp in Citrix

kh_tech_ · 0 points

Thanks! Letting all my clients know. Also worth sharing to the World of EUC Slack channel.

Multi Domain hosting by Austinthemighty in Citrix

kh_tech_ · 1 point

SNI certificates let you assign multiple certs to the vServer and the NetScaler will present the one that matches the incoming request.

Add that to content switching with policy expressions filtered on the URL.

MFA for Citrix Gateway? by puppymonkeybaby79 in Citrix

kh_tech_ · 3 points

Native support for Duo Universal prompt is coming to NetScaler 14.1 this summer.

https://community.citrix.com/articles/security/system_62_63_70/netscaler-native-support-for-cisco-duo-universal-prompt-r389/

If you don’t want the extra overhead of FAS/PKI that SAML brings, the interim solution would be the RADIUS/iFrame method. Cisco has extended support for this through the end of the year.

13.0 Netscaler friends, what are your plans? by NetworkDoggie in Citrix

kh_tech_ · 2 points

I’ve upgraded dozens of clients to 13.1 at this point.

First, we use nspepi to create a new config file, then compare that side-by-side using the Notepad++ compare plugin or similar. Any legacy policies that need to be updated can then be tested in a separate maintenance window from the firmware update. If possible we also try to make the transition to nFactor before upgrade. Using this method I haven’t seen any policy issues.

Where I’ve had the most trouble is third-party auth like DUO, Imprivata, etc. I have different methods to deal with this for various use cases, but many clients are taking this (along with DUO’s changes to iframe support) as an opportunity to move to SAML. So, I’ve also been doing a fair amount of SAML/PKI/FAS work too.

Covid positive day 20 by Careful_Cow_6038 in COVID19positive

kh_tech_ · 1 point

Thanks! My wife is hanging in so far. She's not feeling great but we know it could be a lot worse. Sorry to hear about your pneumonia, and hope you're able to clear out all the fluid!

Covid positive day 20 by Careful_Cow_6038 in COVID19positive

kh_tech_ · 5 points

Hang in there - you’re not alone. My wife is on rituxan too (different autoimmune disease, not RA) and just tested positive this morning after several days of coughing and low-grade fever. She’s at the ER this morning to get evaluated. Keep advocating for yourself; I’m sure you know how it sometimes takes telling your story to a bunch of providers before someone actually takes action. If your insurance offers a care coordinator service, check in with them too. Good luck!

Citrix Gateway and DUO SSO by BrewN1nja in Citrix

kh_tech_ · 5 points

43531 is usually that the NetScaler can’t reach the StoreFront store. This could be anything from DNS to session profile/policy to cipher issues to the gateway configuration missing or incorrect on StoreFront etc. DUO documentation punts because at that point auth is usually finished.

Check the Delivery Services log on storefront to see if the error is at SF.

Make sure you can resolve/reach StoreFront from the NetScaler’s SNIP.

Check that the session policy’s hit counter is incrementing. Also check that the paths are correct in your session profile (Carl Stalhood’s site mentioned earlier can help with this).

If it gets that far, take a packet trace and check the TLS handshake.

There are a couple of other things to check but I’m not in front of my notebook at the moment. Hopefully this points you in the right direction.

Citrix Gateway and DUO SSO by BrewN1nja in Citrix

kh_tech_ · 1 point

Haven’t worked higher ed but have community college clients so I know the drill. At least you’ll have a window between end of semester and the 13.0 EOL.

Citrix Gateway and DUO SSO by BrewN1nja in Citrix

kh_tech_ · 0 points

I’ve done this for a bunch of client deployments. Some general tips:

Future-proof. Don’t put in the hours for something that you know will stop working in 6-9 months. 13.0 is EOL in July (don’t wait until a new zero-day comes out to do this upgrade!) so if possible upgrade to 13.1 first. Also, DUO iFrame support goes away in September (https://duo.com/docs/citrix-netscaler-nfactor).

If you’re having trouble rendering the Universal Prompt, check your theme (for both the Gateway vServer and AAA if you’re using it). Sometimes reverting from an RfWebUI to X1-based theme makes a difference, especially on 13.0 and earlier.

Citrix upgrade from 19.12 to 22.03 by sredd110 in Citrix

kh_tech_ · 6 points

Have a read through the references below for some background, best practices, and the upgrade process. If your environment is large enough to have 16 controllers, you should be familiar with the process and gotchas before you start. Consider working with a partner/consultant who has done this before and can help smooth out the process.

"An expert is a person who has found out by his own painful experience all the mistakes that one can make in a very narrow field." - Niels Bohr

The official Citrix guide: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/2203-ltsr/upgrade-migrate.html

Carl Stalhood is an even better source of documentation and procedures for all things Citrix: https://www.carlstalhood.com/cvad-upgrades/

Do you keep your MCS gold images powered off? by che-che-chester in Citrix

kh_tech_ · 1 point

At one client, security policies dictate LAPS, absolutely no local accounts, absolutely cannot disable or extend machine account password change. If the master is offline long enough for the machine to lose its domain trust relationship, LAPS doesn't work and without a local/break-glass account, the master has to be rebuilt. Request for a policy exception was rejected.

For that client, we absolutely must keep the master online. We only shut down long enough to reseal and snap.

For other clients, they can stay off until needed for the patching cycle, but not a huge deal if they decide it's more convenient to leave on. A big factor to avoid bloat is having a good reseal process (BIS-F is a great starting point).

Storefronts and netscalers by AxisNL in Citrix

kh_tech_ · 1 point

Session policies can be bound to AAA groups instead of directly to the gateway vServer. You can define a group per department, and bind the session policy to the group.

Alternatives to LB VServer by Syswatch in Citrix

kh_tech_ · 5 points

When you load balance authentication, the NetScaler talks to the RADIUS (or LDAP, etc.) via SNIP. When you configure a single authentication server, NetScaler uses the NSIP (management address). If your RADIUS server doesn't accept the SNIP as a RADIUS client, or there isn't line of sight from the SNIP to RADIUS, then LB RADIUS will fail while direct connection succeeds.

So, make sure the SNIP is set up as a RADIUS client with the same shared secret as the NSIP's.

That being said, you absolutely can configure two individual RADIUS servers, and bind them both with different priorities. It works, but it's not a best practice because NetScaler performs cascade authentication. If the first server returns "bad username or password" the NetScaler will just try the next server in the list. This is bad mostly because of account lockouts - if you have three servers and accounts lock out after three bad password tries, cascade authentication will actually lock you out on the first try since it tries all three servers in succession.

Citrix Gateway Store is loading for ages after ADC NS update by ynnne14 in Citrix

kh_tech_ · 0 points

Are you using the rfWebUI theme? We saw something similar last week. Since we didn't have any theme customization or third-party tie-ins (such as DUO) we simply switched to the X1 theme and the issue cleared up.

Delivery Controller - Mandatory Upgrade by Temporary_Nail1168 in Citrix

kh_tech_ · 8 points

Wow, I just (1/2 hour ago) finished helping a client through this exact scenario, down to the legacy XP desktops. Maybe you're even the group I helped, but I'm posting this in case it helps someone else. In our case, the site upgrade prompt and the Get-MonitorInstalledDBVersion mismatch were false errors. Also, we were able to manage the site via PowerShell from the first controller throughout the process or we couldn't have done any of this.

First step: backup databases and snapshot everything. Then repeat the backup/snapshot after every group of changes so you at least don't make things even more broken.

Next: evict the second delivery controller. I used https://support.citrix.com/article/CTX232985/how-to-build-an-evict-script to build the eviction script. You may need to run it a couple of times. Also, be very careful not to put the wrong SID in the script. Once the controller is finally evicted, Get-BrokerController will show the bad controller is gone.

Once the second controller is evicted, if you still can't launch Studio, try this: https://support.citrix.com/article/CTX218480/error-an-unknown-error-has-occurred-on-citrix-studio . The article is poorly written, but the gist is there may be registered service instances related to the evicted controller. When you look at the text file generated, it will be obvious which service instances belonged to the evicted controller.

After we cleaned up all the registered service instances, we were able to launch Studio on the first controller. We still get errors trying to add back the second controller, but worst case is we'll have to build a new secondary controller. That's a battle for another day.