Sunday, September 20, 2015

How to Add a Domain Name Drop-Down for NetScaler Gateway 11

You may have a scenario where users might need to authenticate to different authentication servers (LDAP Domain Controllers) based on their domain. This article describes how to add a drop-down menu with domain names on the logon page for NetScaler Gateway version 11, and have the NetScaler send the authentication request to the appropriate server. While Citrix Support Article CTX118657 describes a procedure to add domain names to the NetScaler logon page, the article is targeted for NetScaler firmware version 10.x, and will not work with version 11.
Citrix has actually added built-in support for a domain drop-down in version 11, but it is not quite fully functional. With a little bit of tweaking, however, it can be up and running in no time.
Note: The following modifications are provided as-is, and are not officially supported by Citrix Tech Support. You may be asked to reverse these changes when calling in for support.
INSTRUCTIONS:
CTX118657 contains four sections:
  • Create the drop-down menu with the list of domain names
  • Create a cookie on the user’s computer with the domain selected by the user
  • Create a procedure to ensure that the modifications will survive a reboot
  • Modify the authentication policy to be selected based on the cookie created
In this post, we will deal with the first two sections. Please refer to the support article for the remaining two sections.

Create the drop-down menu with the list of domain names
The first step is to give NetScaler the list of domain names. To do that, open PuTTY session to the NSIP of your NetScaler, and issue the following command:
> set vpn vServer "<AG vServer>" -userDomains Domain1,Domain2,Domain3

Now fire up WinSCP and go to the directory /netscaler/ns_gui/vpn/js.
Make a backup copy of gateway_login_form_view.js, and search for:
The correct cookie name should be userDomains:
At this point, if you saved the file, and refreshed the NetScaler logon screen, you would see the domain drop-down:
You may notice that there are still two issues … while the drop-down is now being displayed (and there is an entry corresponding to each domain), all the entries are blank!
  
The second issue is more of a cosmetic issue … the screen would look a lot better if the length of the drop-down was the same as the text boxes above it.
To correct the first issue, go back to gateway_login_form_view.js and search for:
The reason that the entries are blank is because the second attribute is incorrect. It should be “text”:
Alternatively, either of the following lines would also work:
   

var option = '<option value="' + domains[j] + '">' + domains[j] + '</option>';
var option = $("<option></option>").val(domains[j]).html(domains[j]);  
Now save the file and refresh the logon page. We now have our drop-down populated with our domains:
 
However, we want to stretch the drop-down to match the length of the text boxes above. We can do that by adding cascading style sheet (CSS) overrides for the height and width of the drop-down. There are 3 built-in themes with NetScaler 11 – Default, Greenbubble, and X1, and the overrides are different for each theme.
In WinSCP, browse to each theme directory, /var/netscaler/logon/themes/<theme>/css/, and create a file called custom.css. Insert the appropriate override values for each theme.
For the default theme, insert:
.domain_select {
       width: 176px;
       height: 23px;
}

For the Greenbubble theme, insert:
.domain_select {
       width: 208px;
       height: 28px;
}

For the X1 theme, insert:
.domain_select {
      width: 361px;
      height: 42px;
}

After saving custom.css, our domain drop-down is now aligned with the rest of the input fields:
Default theme
Greenbubble theme

X1 Theme

Now that we’ve completed the drop down, let’s move on to the next section.
 
Create a cookie on the user’s computer with the domain selected by the user
Fire up WinSCP and make a backup of /netscaler/ns_gui/vpn/login.js.


Add the following JavaScript functions after the first line where indicated above:
function getCookie(name) {
    // use: getCookie("name");
    var re = new RegExp(name + "=([^;]+)");
    var value = re.exec(document.cookie);
    return (value != null) ? unescape(value[1]) : null;
}

var today = new Date();
var expiry = new Date(today.getTime() + 28 * 24 * 3600 * 1000); // +28 days
var expired = new Date(today.getTime() - 24 * 3600 * 1000);     // less 24 hours

function setCookie(name, value) {
    // use: setCookie("name", value);
    document.cookie = name + "=" + escape(value) + "; path=/; expires=" +
                      expiry.toGMTString();
}

function setDomainCookie(form) {
    setCookie("domainvalue", form.domainvalue.value);
    return true;
}
Save the file. Now go back to gateway_login_form_view.js (in the js directory).
Look for the line beginning var form = … At the end of the line, you should see:
Add setDomainCookie(this); right before clean_name_cookie(); (you can optionally also correct the ‘margin’ typo!). This tells the NetScaler to save the user's domain selection before submitting the page.
Save the file.
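As an added example (my own code, not from the post above and not from Citrix), here are hardened versions of the two pieces of JavaScript the procedure touches: the option builder and the cookie helpers. They are written as pure functions that take and return strings rather than touching document.cookie or the page, so they can be run and tested outside a browser. The function names and the DOMAINS placeholder are assumptions; the commented wiring at the bottom shows where they would plug into setDomainCookie.

```javascript
// Added example: hardened helpers for the domain drop-down customisation.
// Not code from the post or from Citrix; all names here are my own.
// Pure functions (strings in, strings out) so the logic runs outside a browser.

// Escape a value for safe inclusion in HTML text or an attribute.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Build the <option> markup for the configured domains (the list given with
// "set vpn vServer ... -userDomains"). Escaping means a domain name that
// happens to contain markup characters cannot break the logon page.
function buildDomainOptions(domains) {
  return domains.map(function (d) {
    var safe = escapeHtml(d);
    return '<option value="' + safe + '">' + safe + '</option>';
  }).join('');
}

// Parse a document.cookie-style string into an object (last value wins).
function parseCookies(cookieString) {
  var out = {};
  cookieString.split(';').forEach(function (part) {
    var idx = part.indexOf('=');
    if (idx < 0) return;                       // skip bare flags such as "x"
    var name = part.slice(0, idx).trim();
    var raw = part.slice(idx + 1).trim();
    if (!name) return;
    try {
      out[name] = decodeURIComponent(raw);
    } catch (e) {
      out[name] = raw;                         // malformed %-escape: keep raw text
    }
  });
  return out;
}

// Replacement for the regex-based getCookie(): matches the whole cookie name,
// so "xdomainvalue=" no longer satisfies a lookup for "domainvalue".
function readCookie(cookieString, name) {
  var cookies = parseCookies(cookieString);
  return Object.prototype.hasOwnProperty.call(cookies, name) ? cookies[name] : null;
}

// Serialise one cookie. encodeURIComponent replaces the deprecated escape()
// and keeps ';', '=' and non-ASCII out of the raw cookie value.
function buildCookie(name, value, expires) {
  return name + '=' + encodeURIComponent(value) + '; path=/; expires=' +
    expires.toUTCString();
}

// Only a domain that is in the configured list is written to the cookie;
// anything else (a tampered form field, a stale value) falls back to the
// first configured domain. The cookie later drives authentication-policy
// selection on the NetScaler, so it must never carry an unconfigured value.
function chooseDomain(selected, allowedDomains) {
  return allowedDomains.indexOf(selected) >= 0 ? selected : allowedDomains[0];
}

// Equivalent of the post's setDomainCookie(form), returning the cookie
// string instead of assigning document.cookie so it can be tested.
function domainCookieFor(selected, allowedDomains, now) {
  var expiry = new Date(now.getTime() + 28 * 24 * 3600 * 1000); // +28 days
  return buildCookie('domainvalue', chooseDomain(selected, allowedDomains), expiry);
}

// Browser wiring (assumed, not executed here). DOMAINS is a placeholder for
// the array the page already builds from the vServer's userDomains setting.
// function setDomainCookie(form) {
//   document.cookie = domainCookieFor(form.domainvalue.value, DOMAINS, new Date());
//   return true;
// }
```

Two things change compared with the snippets in the post: escape()/unescape() are replaced by encodeURIComponent()/decodeURIComponent() (the deprecated pair mangles non-ASCII), and the selected domain is checked against the configured list before it is written, so a tampered form value never reaches the cookie that the authentication policy keys on. For domain names made of letters, digits, dots and hyphens the encoded value is identical to the raw one, so a policy that matches on the cookie text is unaffected.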
Now go back to CTX118657, and follow the last 2 sections to complete the modification.
-Sam

Thursday, July 23, 2015

Documenting Citrix StoreFront with PowerShell


Up-to-date StoreFront documentation is essential because it allows you to:

  • Clone a StoreFront server group,
  • Help troubleshoot any issues with the deployment, and
  • Re-create servers after a crash.

Up until now, however, there was no easy way to create reliable StoreFront documentation. Carl Webster has created an amazing collection of automated documentation scripts for Citrix and Microsoft products like Active Directory, XenDesktop, and XenApp, which he offers for free on his website. After talking to Webster, I offered to build a Citrix StoreFront documentation script based on his PowerShell script template for generating documentation in Microsoft Word or Adobe PDF. Being able to use his template gives me the ability to focus just on the StoreFront piece and have Webster worry about Word versions, language packs, etc.


What are they?

The StoreFront scripts are a pair of PowerShell files which create documentation in MS Word, PDF, HTML, or formatted text. The first script (SFServer.ps1) uses the StoreFront PowerShell cmdlets to iterate through the StoreFront configuration which is output to an XML file. This file is used as input to the second script (SFClient.ps1) to produce the actual documentation.


Where can I get them?

The StoreFront scripts have been put into the public domain, and have been added to the extensive collection of scripts on Webster's website. You can always find the latest version of the scripts on his download page.

Please see the included README file for instructions on running the scripts, which may be run either from the command line or through the GUI (the default).
The scripts have been tested on version 2.x and version 3.0 of StoreFront, though the new features of v3.0 (e.g. App Groups) are not documented in this version.

Thank you to Webster, Barry Schiffer, and all those who helped with testing and suggestions.

Thursday, April 2, 2015

Making a Splash with StoreFront - A Deep Dive!


It’s official! StoreFront is here to stay so let’s ensure StoreFront servers are production-ready through solid documentation. Documentation is essential because it allows you to:
  • Clone a StoreFront server group,
  • Help troubleshoot any issues, and
  • Re-create servers after a crash.
Dive deep with me during my session at Citrix Synergy, where you will see how easy it is to automagically generate awesome StoreFront documentation (in MS Word or PDF format) using the StoreFront PowerShell SDK. You will learn which PowerShell cmdlets are used to document a StoreFront server group (there are also complementary cmdlets with which you can create/modify your server group).

Plus, the techniques you will learn in this session are not limited to StoreFront! You will learn how to create an intuitive GUI for your PowerShell scripts that can modify itself based upon variables in the script. You will also learn how to add custom icons and graphics to the forms used in your scripts.

As usual, all source code for the session customizations will be made available to presentation attendees.

So join me at Citrix Synergy for SYN417: StoreFront PowerShell documentation deep dive, on Tuesday, May 12 from 4:00-4:45 PM PST in Valencia Ballroom D. Let me show you how to produce awesome StoreFront documentation, and become more proficient in PowerShell in the process. Hope to see you there!

Wednesday, May 21, 2014

Exercise Caution When Upgrading your SSL Certificate(s)

I received a call from a client recently. They renewed the SSL certificate on their NetScaler, and while their iOS Receiver users could still authenticate and enumerate applications, they could no longer launch applications and desktops. All intermediate certificates were properly installed and linked.

The issue turned out to be the hash algorithm - SHA2 - used in the certificate's digital signature.


While SHA2 certificates have been around for a while, SHA1 certs had been the standard – until now. Microsoft has announced a new policy for CAs (Certification Authorities) who are members of the Windows Root Certificate Program (who issue publicly trusted certificates). The policy dictates that SHA1 certificates will be deprecated on January 1, 2016. After that date, only SHA2 certificates will be allowed to be issued. Unfortunately, the latest iOS (5.8) and Android (3.4) Citrix Receivers (among others) do not support SHA2 certificates when proxied through the NetScaler. See the full Receiver product matrix.

While Citrix has promised a NetScaler upgrade in 2004 Q2 to remedy the issue, if you are supporting remote iOS or Android users through NetScaler and you need to upgrade your SSL certificate, make sure that you purchase a SHA1 cert and not a SHA2 cert.

Note: I do find it curious, however, that Microsoft is still using a SHA1 certificate on their own site. ;-)

Friday, May 16, 2014

Synergy 2014 - Migrating Web Interface Customizations to StoreFront

Didn’t make it to Citrix Synergy this year? Not to worry! 
While this year’s session was not videotaped for SynergyTV, you can still download all presentation materials and source code:
  • Session PowerPoint presentation (includes speaker notes)
  • Complete session source code:
      o   Demo 1 – The Power of jQuery
      o   Demo 2 – New StoreFront Skin
      o   Demo 3 – Adding Help Desk information
      o   Demo 4 – Alternate Application Views
      o   Demo 5 – StoreFront Store Customization SDK


You can also view the presentation on SlideShare!
If you have any questions on the above, you can reach me at Sam.Jacobs@ipm.com

Wednesday, April 9, 2014

Citrix NetScaler and the Heartbleed Bug

If you haven’t heard about the 2 year old OpenSSL security flaw named Heartbleed, check out the official site for information: Heartbleed.com. Sadly, it was just ‘discovered’ a couple days ago.

In a nutshell, it is a vulnerability in some versions of OpenSSL that allows hackers and script kiddies to steal protected information through normal interactions without detection. It has to do with the heartbeat/handshake process that happens between the server and the client. The easiest high level explanation I have read is that during the handshaking process, a client normally sends 64kb of information to the server that the server then in turn echoes back to the client. To exploit the vulnerability, a malicious client can send an abnormal 1kb package instead during the handshaking process and then the server will echo that 1k back but fill the rest with server memory (63kb) to make a complete package. This server memory can contain other user sessions' data including usernames, passwords, encryption keys and other privileged information. Fortunately, it is a simple coding mistake that can be easily rectified through a patch. Unfortunately, it has been out there for around 2 years and is/was affecting a large part of the internet.
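To make the length check concrete, here is an added toy simulation (my own code, not from the post and not from OpenSSL) of a heartbeat request handler before and after the fix, using the record layout from RFC 6520: one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding. The server must answer with exactly payload_length bytes of payload; the vulnerable handler trusts that field, while the fixed one first checks that the declared length fits inside the record that actually arrived. The Buffer named memory, the secret string and the function names are all constructed for the example.

```javascript
// Added example (not from the post): toy model of TLS heartbeat handling
// before and after the Heartbleed fix. Record layout per RFC 6520:
//   [type:1][payload_length:2 big-endian][payload][padding >= 16]
var HB_REQUEST = 1;
var MIN_PADDING = 16;

// Build a heartbeat request record for the simulation. Nothing stops the
// caller from declaring a payload_length that does not match the bytes
// actually sent; that mismatch is the whole bug.
function buildHeartbeat(payload, declaredLength) {
  var rec = Buffer.alloc(3 + payload.length + MIN_PADDING);
  rec[0] = HB_REQUEST;
  rec.writeUInt16BE(declaredLength, 1);
  payload.copy(rec, 3);
  return rec;
}

// Unchecked handler, modelling the pre-fix behaviour: it trusts the declared
// length and copies that many bytes starting at the payload, ignoring how
// long the record really is. `memory` stands in for the process heap: the
// received record followed by whatever else happens to sit after it.
function echoUnchecked(memory, recordLength) {
  var declared = memory.readUInt16BE(1);   // recordLength is never consulted
  return memory.subarray(3, 3 + declared);
}

// Checked handler, modelling the fix: header + declared payload + minimum
// padding must fit inside the record that was received, otherwise the
// request is silently discarded (null) and nothing is echoed.
function echoChecked(memory, recordLength) {
  if (recordLength < 3 + MIN_PADDING) return null;
  var declared = memory.readUInt16BE(1);
  if (3 + declared + MIN_PADDING > recordLength) return null;
  return memory.subarray(3, 3 + declared);
}

// Constructed scenario: a 5-byte payload whose header claims 40 bytes,
// followed in "memory" by unrelated data that must never leave the server.
function demo() {
  var payload = Buffer.from('hello');
  var record = buildHeartbeat(payload, 40);                 // 24 bytes long
  var secret = Buffer.from('SESSION=abc123; PASSWORD=constructed-example');
  var memory = Buffer.concat([record, secret]);
  return {
    unchecked: echoUnchecked(memory, record.length).toString(),
    checked: echoChecked(memory, record.length)
  };
}
```

Running demo() shows the difference: the unchecked echo contains bytes that followed the record in memory, while the checked handler returns null and sends nothing, which is the behaviour the OpenSSL patch introduced. The same bounds check is what you would look for when reviewing any parser that copies a caller-supplied number of bytes.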

I opened up a case with Citrix to find out if the Citrix NetScalers that handle SSL VPNs are affected by this bug and was pleased to find out that they are not. The NetScalers use an older version of OpenSSL that is not vulnerable to this type of attack. The NetScalers use OpenSSL 0.9.7, and the affected versions are 1.0.1 and 1.0.2.

You can check the OpenSSL version on the NetScaler by following these steps:
  • Log in to the NetScaler using PuTTY.
  • Go to the shell prompt.
  • Type the command: openssl, and press Enter.
  • Type the command: version -a, and press Enter.
This will give detailed information about the OpenSSL version on the NetScaler.


The NetScalers do not support the ‘TLS heartbeat’ extension in the SSL engine that is affected by the Heartbleed Bug.

You can also use the following site to check other web sites for the vulnerability:
http://filippo.io/Heartbleed/

My colleague Carlo Costanzo (http://www.vmwareinfo.com/) tested some View Servers and some older versions of CSG using the tester above and they also came back clean.

Update: Citrix has an official link here: http://support.citrix.com/article/CTX140605

Thursday, November 14, 2013

TechDev Tip - Email enabled ShareFile Folders

A client asked if ShareFile supported email-enabled folders.
They frequently exchange large documents with their clients, and wanted to know whether they could associate an email address to a ShareFile folder (e.g. clientNameDocs@ipmit.shareFile.com), and have any attachments sent to that email address get automatically uploaded to the associated folder.
Jay Tomlin (@jtmln) is now the PM of ShareFile, and informed me that ShareFile DOES, in fact, support email-enabled folders.

Full details are in this KB article but in a nutshell:
You do this by using the "Request a file" option in the folder details:


That process will generate an upload URL which will look like this:
https://Acme.sharefile.com/r/rebe49f54d59a

Take the tail end of that URL and use it as an email address with @mail.sharefile.com, e.g.: rebe49f54d59a@mail.sharefile.com

You might want to set up an alias that uses the client’s name, so that the email address is not so cryptic.