NetScaler – Common WAF blocks for own Products


Introduction

As you might know, I'm a big fan of the integrated WAF for Gateway and AAA (and, with the newer 14.1 builds, also for the web GUI management interface). I've stumbled across some issues where that WAF blocks some of Citrix's own products or authentication processes.

This is a list of my findings, which I try to keep updated with the matching relaxation rules, so you can fix the issue with an exclusion/whitelist. I always share these findings with Citrix Support so they can hopefully engineer on them and optimize future firmware builds.

Please comment if you have found other examples so I can extend the list.

Update 10.02.26

With build 14.1 60.57, the relaxation rules for Kerberos/Negotiate are no longer needed; see NSHELP-41301:

NEW: With 14.1 60.57, I've noticed that the WAF now blocks the RDP Proxy feature of NetScaler: the RDP file from the cVPN portal, where the RDP bookmarks are deployed, never downloads. I've also added a relaxation rule for it below and reported it back to NetScaler.

Solution

How did I get these URLs and findings? Use NetScaler Console or ns.log (search for the keyword APPFW) to check where the WAF is blocking your flow.
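The following script is an added example for this post (not a NetScaler tool and not the author's code): it walks ns.log-style lines, keeps only the APPFW entries that ended in <blocked>, groups them by profile and URL path, and drafts the matching bind commands. The sample log lines are constructed to resemble APPFW syslog entries; the field layout encoded in APPFW_RE is an assumption, so compare it with one real blocked line from your appliance before trusting the output. The script also handles the two cases where a bind line would be wrong: a block raised by a check other than REST validation, and a path whose HTTP method you have not yet confirmed from a trace (the method is not part of the constructed log line, so it has to be supplied).

```python
"""Mine APPFW block events from ns.log and draft restValidation relaxations.

Added example, not part of the original post. The log lines below are
constructed and only resemble NetScaler's APPFW syslog layout; adjust
APPFW_RE to the exact field order your firmware writes.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data (not real log output). Layout assumed:
# "... : default APPFW <CHECK> <id> 0 : <client> <txn> - <profile> <url> <msg> <blocked|not blocked>"
SAMPLE_NS_LOG = """\
Feb 10 09:12:01 <local0.info> 10.0.0.10 02/10/2026:09:12:01 GMT ns 0-PPE-0 : default APPFW APPFW_RESTVALIDATION 1201 0 : 192.0.2.15 33-PPE0 - ns-vpn-default-appfw-profile https://vpn.contoso.com/rdpproxy/TS01.contoso.local REST validation failed <blocked>
Feb 10 09:12:03 <local0.info> 10.0.0.10 02/10/2026:09:12:03 GMT ns 0-PPE-0 : default APPFW APPFW_RESTVALIDATION 1202 0 : 192.0.2.15 34-PPE0 - ns-vpn-default-appfw-profile https://vpn.contoso.com/rdpproxy/TS01.contoso.local REST validation failed <blocked>
Feb 10 09:13:44 <local0.info> 10.0.0.10 02/10/2026:09:13:44 GMT ns 0-PPE-0 : default APPFW APPFW_RESTVALIDATION 1203 0 : 192.0.2.22 35-PPE0 - ns-aaa-default-appfw-profile https://vpn.contoso.com/cgi/logout REST validation failed <blocked>
Feb 10 09:14:10 <local0.info> 10.0.0.10 02/10/2026:09:14:10 GMT ns 0-PPE-0 : default APPFW APPFW_STARTURL 1204 0 : 192.0.2.22 36-PPE0 - ns-aaa-default-appfw-profile https://vpn.contoso.com/nf/auth/doEPA.do Disallow Illegal URL <not blocked>
Feb 10 09:14:12 <local0.info> 10.0.0.10 02/10/2026:09:14:12 GMT ns 0-PPE-0 : default SSLVPN HTTPREQUEST 1205 0 : 192.0.2.22 37-PPE0 - unrelated line
"""

# Assumed field layout of an APPFW event; verify against a real line first.
APPFW_RE = re.compile(
    r"APPFW (?P<check>APPFW_\w+) \d+ \d+ : \S+ \S+ - "
    r"(?P<profile>\S+) (?P<url>https?://\S+) (?P<msg>.*?) <(?P<action>blocked|not blocked)>\s*$"
)


def parse_blocks(log_text):
    """Return one dict per APPFW event the WAF actually blocked (<blocked>)."""
    blocks = []
    for line in log_text.splitlines():
        m = APPFW_RE.search(line)
        if not m or m.group("action") != "blocked":
            continue  # not an APPFW event, or the WAF only logged it
        blocks.append({
            "profile": m.group("profile"),
            "check": m.group("check"),
            "path": urlsplit(m.group("url")).path,  # relaxation needs the path, not the host
            "msg": m.group("msg"),
        })
    return blocks


def summarize(blocks):
    """Count blocks per (profile, check, path) so repeated hits stand out."""
    return Counter((b["profile"], b["check"], b["path"]) for b in blocks)


def draft_relaxations(blocks, methods):
    """Draft one bind command per distinct (profile, path).

    methods maps a path to the HTTP method seen in a trace (restValidation
    relaxations are METHOD:path). Paths without a confirmed method, or blocks
    raised by another check, are emitted as comments instead of bind lines.
    """
    lines = []
    for profile, check, path in sorted(summarize(blocks)):
        if check != "APPFW_RESTVALIDATION":
            lines.append(f"# {profile}: {path} blocked by {check}; needs a different relaxation type")
            continue
        method = methods.get(path)
        if method is None:
            lines.append(f"# {profile}: {path} blocked by REST validation; confirm the HTTP method "
                         f"in a trace, then add METHOD:{path}")
            continue
        lines.append(f'bind appfw profile {profile} -restValidation "{method}:{path}"')
    return lines


if __name__ == "__main__":
    found = parse_blocks(SAMPLE_NS_LOG)
    for (profile, check, path), n in summarize(found).most_common():
        print(f"{n:3d}  {profile}  {check}  {path}")
    print()
    # Method for the RDP proxy download taken from a (hypothetical) trace.
    for rule in draft_relaxations(found, {"/rdpproxy/TS01.contoso.local": "GET"}):
        print(rule)
```

Run it against a real ns.log with `python3 script.py < /var/log/ns.log` after swapping SAMPLE_NS_LOG for `sys.stdin.read()`. The grouping step matters more than the bind output: one noisy path (here the rdpproxy download, hit twice) tells you which feature is being broken, and the per-server path confirms why the RDP proxy needs one rule per bookmark target.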

Here's my latest list of relaxation rules for the different integrated WAF profiles, depending on which NetScaler features you have implemented, each with a short description of the issue:

###Relaxation rules for configuring a whitelist on the integrated WAF of NetScaler for Auth / VPN / Portal settings

###WAF blocking Negotiate (Kerberos) SSO Auth Policy for AAA nFactor Flows (see more details in my separate blog post: https://www.julianjakob.com/netscaler-negotiate-sso-and-waf/)
###Fixed in 14.1 60.57, relaxation rule no longer needed
bind appfw profile ns-aaa-default-appfw-profile -restValidation "POST:/nf/auth/doNegotiate.do"


###WAF blocking logoff of the AOVPN user tunnel from the Secure Access Client when the user shuts down the notebook (the session keeps running, which can result in other issues)
bind appfw profile ns-aaa-default-appfw-profile -restValidation "GET:/cgi/logout"


###WAF blocking the AOVPN Secure Access Client from connecting the machine and user tunnel (nFactor auth configured with EPA for a machine-cert check, followed by a Negotiate Kerberos SSO auth policy)
bind appfw profile ns-aaa-default-appfw-profile -restValidation "POST:/nf/auth/webview/done"
bind appfw profile ns-vpn-default-appfw-profile -restValidation "POST:/nf/auth/doEPA.do"
bind appfw profile ns-vpn-default-appfw-profile -restValidation "POST:/p/u/setClient.do"
bind appfw profile ns-vpn-default-appfw-profile -restValidation "POST:/cgi/tlogin"


###Added 10.02.26 - WAF blocking download of the RDP file when NetScaler is used in cVPN portal mode with the RDP Proxy feature enabled
###Replace TS01.contoso.local with the FQDN of your RDP server as configured in your RDP bookmark(s). You need one relaxation rule per RDP server.
bind appfw profile ns-vpn-default-appfw-profile -restValidation "GET:/rdpproxy/TS01.contoso.local"

Summary

Please help to further improve the integrated WAF by sharing feedback and findings.
