March 12, 2019 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | >
March 12, 2019 [04:29:40] *** cwegener <cwegener!~cwegener@120.17.231.42> has joined #Citrix[04:49:50] *** cwegener <cwegener!~cwegener@120.17.231.42> has quit IRC (Read error: Connection reset by peer)[04:50:32] *** cwegener <cwegener!~cwegener@120.17.231.42> has joined #Citrix[05:06:42] *** kahnibus <kahnibus!~Alex@129.3.29.171> has quit IRC (Ping timeout: 250 seconds)[05:13:49] *** cwegener <cwegener!~cwegener@120.17.231.42> has quit IRC (Ping timeout: 255 seconds)[05:36:31] *** cwegener <cwegener!~cwegener@120.17.231.42> has joined #Citrix[07:06:09] *** cwegener <cwegener!~cwegener@120.17.231.42> has quit IRC (Read error: Connection reset by peer)[07:09:39] *** BobFrankly <BobFrankly!~IceChat77@unaffiliated/bobfrankly> has quit IRC (Ping timeout: 246 seconds)[07:22:28] *** cwegener <cwegener!~cwegener@120.17.231.42> has joined #Citrix[07:49:03] *** cwegener <cwegener!~cwegener@120.17.231.42> has quit IRC (Quit: WeeChat 2.4)[10:06:46] *** DotHack <DotHack!~lars@static-40-206-112-80.thenetworkfactory.nl> has joined #Citrix[13:09:16] *** braynyac <braynyac!uid6699@gateway/web/irccloud.com/x-kkxidbnvphmwggzs> has joined #Citrix[13:24:46] <braynyac> morning everyone![13:25:09] <braynyac> I'm super stoked today! Got approved for the EUC Master's Retreat![14:08:25] <cs-bot> <benjamin.crill> I was thinking about going to that. Not sure I can swing it and Synergy in the same month with the wife[14:10:32] <braynyac> I hear ya there. Mine was OK with it, as it's only for Friday + the weekend.[14:40:20] *** kahnibus <kahnibus!~Alex@129.3.29.171> has joined #Citrix[14:51:47] *** Olivier83 <Olivier83!~Olivier83@31.221.4.66> has joined #Citrix[14:51:51] <Olivier83> hi[15:02:53] <cs-bot> <benjamin.crill> I might try and see if she wants to attend with me. It's a vacation honey :slightly_smiling_face:[15:04:28] *** tabulara1a <tabulara1a!~tabularas@darwin.fragilegeek.com> has joined #Citrix[15:07:45] *** BobFrankly <BobFrankly!~IceChat77@unaffiliated/bobfrankly> has joined #Citrix[15:07:52] <braynyac> lol. Mine told me she wanted to go, and when I told her how much it was, she declined.[15:09:55] *** tabularasa <tabularasa!~tabularas@darwin.fragilegeek.com> has quit IRC (*.net *.split)[15:11:23] <cs-bot> <benjamin.crill> holy crap it may have worked! :slightly_smiling_face:[15:11:29] <cs-bot> <benjamin.crill> mine is onboard[15:14:39] <cs-bot> <masterslacker> anyone enabled HDX Adaptive Display and has it working through NetScaler? I have policy enabled and works direct, but not through NS. and DTLS is enabled already. What am I missing?[15:15:00] <braynyac> masterslacker - yes[15:15:31] <cs-bot> <benjamin.crill> @braynyac can give you ALL the details :slightly_smiling_face:[15:16:12] <braynyac> couple things: do you have UDP 443 open from outside to NS (assuming you are testing from outside?); also, you will likely have to unbind / rebind your SSL cert on your NS. You can do this in one step, no need to unbind, get out of the menu, go back in and re-bind.[15:16:47] <braynyac> lastly, make sure your NS code is on a supported version.[15:17:30] <cs-bot> <masterslacker> let me check if UDP 443 is open. I guess I would have to rebind the cert after business hours.[15:18:06] <cs-bot> <masterslacker> thanks. I will give that a try and let you know if worked[15:18:26] <braynyac> Yeah, the 443 one got me initially, then it was the NS version[15:19:25] <cs-bot> <masterslacker> what is supported version?[15:19:40] <cs-bot> <masterslacker> I am on 11[15:19:41] <braynyac> Oh, also need to make sure that MBF (MAC Based Forwarding) is _NOT_ enabled. That was a fun one to fix...[15:19:44] <braynyac> 11 what?[15:19:45] <braynyac> lemme check[15:20:28] <braynyac> NetScaler: Minimum versions 11.1 build 51.21, 12.0 build 35.6. We recommend minimum versions 11.1 build 55.10 or 12.0 Build 53.6 as these versions include important DTLS fragmentation fixes[15:20:36] <braynyac> from here: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/technical-overview/hdx/adaptive-transport.html[15:21:09] <cs-bot> <masterslacker> ah, I am on 11.0.x.x[15:21:15] <cs-bot> <masterslacker> I guess its time to upgrade[15:21:27] <braynyac> I can tell you from experience that version definitely does not work =)[15:22:14] <BobFrankly> is 11 still getting patches?[15:22:19] <braynyac> Yes[15:22:25] <cs-bot> <masterslacker> does Adaptive Transport really helps sesssions with higher latency?[15:22:37] <braynyac> depends on how much higher latency[15:22:40] <BobFrankly> why? is 12 incompatible with older hardware appliances?[15:22:52] <braynyac> are you talking <100 ms? Or greater than 100ms?[15:23:04] <cs-bot> <masterslacker> I got users from India whos latency jumps from 200-500 all through the day[15:23:06] <braynyac> If >100ms, I think I would start looking at FrameHawk[15:23:16] <braynyac> yeah, check out FrameHawk instead[15:24:05] <cs-bot> <masterslacker> Tried framehawk, but I need to get it enforced only for some set of users and not all users. It supposed to be dynamic, but I might have same NS limitation[15:24:10] <cs-bot> <masterslacker> must be missing something[15:25:38] <braynyac> well, framehawk is a per-user setting, so you could apply to a security group[15:26:13] <cs-bot> <masterslacker> thats what I did. Policy is applying (as observed from Director), but its still no using Framehawk[15:26:22] <cs-bot> <masterslacker> got to check NS requirements for that[15:26:34] <cs-bot> <masterslacker> I thorugh it was same DTLS setting needs to be enabled[15:26:36] <cs-bot> <masterslacker> which it is[15:27:41] <braynyac> https://support.citrix.com/article/CTX205257[15:28:07] <braynyac> looks like you need UDP 443 open externally, and DTLS on the NS, so I would assume you need to upgrade the NS. Do you have a test VPX you could use to verify?[15:28:52] <cs-bot> <masterslacker> yes[15:28:58] <cs-bot> <masterslacker> spinning it up now[15:29:43] <cs-bot> <masterslacker> my MAC Based Fwd is also enabled on the box[15:30:13] <cs-bot> <masterslacker> could it be disabled per NS VS?[15:30:20] <cs-bot> <masterslacker> or whole feature needs to be disabled?[15:31:27] <braynyac> not sure I understand...[15:32:18] <braynyac> MBF is enabled on the NS instance. So if I have an SDX with 3x VPX, I have to disable MBF on all 3 instances[15:34:22] <cs-bot> <masterslacker> I guess I was asking if just like DTLS, I can toggle it at NS vServer level[15:37:19] <braynyac> It's not per vServer / VIP, it's at the NS level. If you have it enabled, might want to look at this article:[15:38:47] <braynyac> https://nerdscaler.com/2017/07/26/disable-mac-based-forwarding-enable-policy-based-routing/[15:38:57] <braynyac> I was able to get mine sorted with that[15:39:13] <braynyac> took me a while, though. Had to find lots of ways to test and verify it![15:39:23] <braynyac> (during a maintenance window, of course!)[15:39:45] *** Thuryn <Thuryn!~Thuryn@216.106.72.146.reverse.socket.net> has joined #Citrix[15:40:48] <cs-bot> <masterslacker> braynyac, thank you! I will review and give it a try in the lab first[15:45:57] <braynyac> No problem! One caveat that I had (as I alluded to earlier) - try your connections from a site, rather than from the DC. We have a VIP on our NS for our SSRS instance, which works great from within the DC, but when I tried to access it from a remote site (directly), not so much. I was able to remote to a thin client on the remote site for testing, to verify that my PBR config was correct.[15:47:07] <cs-bot> <masterslacker> in my case, we have VPXs HA pairs and only use it as NS gateway[15:47:25] <cs-bot> <masterslacker> 1 pair in primary and 1 pair in secondary DC[15:47:35] <cs-bot> <masterslacker> but sure, I will check from outside[15:47:45] <cs-bot> <masterslacker> what did you have to do to fix it?[15:48:06] <braynyac> Policy Based Routing (PBR) - that is the article I linked to above.[15:48:18] <braynyac> You have to tell the NS to route correctly.[15:48:29] <braynyac> Took me a while to wrap my head around it. Uncon helped =)[15:49:02] <cs-bot> <masterslacker> gotch'ya[15:55:51] <cs-bot> <masterslacker> creating routes is not my strongest suit. Will see how that goes. Might have to get some examples from our networking guy. I am the "citrix" guy and NS has always been my weakest point[15:56:50] <braynyac> same here! That's why I used the nerdscaler blog post. It outlined pretty well what I wanted to accomplish. I modified his code with my IP's and copy / pasted it, and all was well =). Your mileage may vary, of course.[15:57:42] <cs-bot> <masterslacker> can I not just print route right now and make sure that post disabling of MBF it looks the same?[15:57:55] <braynyac> not quite[15:58:45] <braynyac> PBR works before normal routing (@uncon, correct me if I'm wrong), and doesn't show in the routing table.[15:59:29] <cs-bot> <masterslacker> so PBRs, can you preconfigure and then assign to Vserver later after I disabled MBF, or it is all or nothing?[15:59:48] <braynyac> One sec...[16:00:37] <cs-bot> <masterslacker> I have about 120 customer subnets here that we are hosting. I presume that my policy will be quite long if I am to hit every subnet[16:03:44] <braynyac> check this out: https://www.carlstalhood.com/netscaler-11-1-system-configuration/#dedicatedmgmt[16:04:08] <braynyac> I might want to get someone more knowledgeable to help you with this - I'm still a complete newb. Might be worth some consulting time, even...[16:04:16] <braynyac> 120+ networks is a LOT[16:04:37] <braynyac> MBF is all or nothing[16:06:44] <cs-bot> <masterslacker> well, baby steps. Going to upgrade firmware first and then test it on lab vpx. Including PBR.[16:06:48] <cs-bot> <masterslacker> thanks for the tips[16:12:27] <cs-bot> <masterslacker> for framehaw, do I only need UDP 443 from outside to NS, or do I need 3224-3324 as well?[16:12:40] <cs-bot> <masterslacker> or those are internal UDP ports?[16:24:15] <braynyac> Only UDP 443, those are internal ports[16:27:56] <cs-bot> <masterslacker> thanks[16:29:08] <cs-bot> <masterslacker> now I have to switch gears and deal with customers who are blaming Citrix for their poorly written database backend application locking up and crashing due to deadlocks... This one is going tight back to their dba[16:29:35] <cs-bot> <ncasagrande> i have edt/udp working for windows laptops just fine via netscaler, however thin clients (linux) don't seem to be.[16:30:00] *** DotHack <DotHack!~lars@static-40-206-112-80.thenetworkfactory.nl> has quit IRC (Read error: Connection reset by peer)[16:32:08] <cs-bot> <ncasagrande> i have edt/udp working but for windows only, linux thin clients seem to not work[16:38:03] <braynyac> We're trying to find a way to only use EDT externally. We are moving to SD-WAN internally, which precludes the need for EDT.[16:50:44] <kahnibus> silly question... I am trouble shooting some odd print issues with my published apps. Could someone tell me how to get the "citrix print drivers" to reinstall? Like the Citrix PDF universal Printer, Citrix Universal Printer, Citrix XPS Printer?[16:53:38] <cs-bot> <masterslacker> interesting NS 11.1.57.11 does not have DTLS as an option[16:54:17] <cs-bot> <masterslacker> kahnibus- I believe those are enabled/disabled via Citrix policy[16:55:47] <kahnibus> Masterslacker ... interesting....I have four app servers and two of them have the above mentioned drivers while the other two do not....they all should be getting citrix policy though[16:57:28] <cs-bot> <masterslacker> part of same DG?[16:57:35] <kahnibus> yup yup[16:57:55] <cs-bot> <masterslacker> and you already restarted related services on those XA servers?[16:58:03] <cs-bot> <masterslacker> spooler and citrix print...[16:58:12] <kahnibus> the citrix print service? yes[16:58:29] <cs-bot> <masterslacker> does director confirm that policy is applied?[17:02:05] <Thuryn> so... when using PBR, a "deny" entry just means "use the main routing table" right?[17:03:30] <kahnibus> masterslacker it does and when i compare it to other "working" app servers they appear identical in policues[17:10:14] <Thuryn> https://www.carlstalhood.com/netscaler-11-1-system-configuration/#dedicatedmgmt[17:10:15] <Thuryn> ugh[17:10:45] <Thuryn> "Check the box next to MAC Based Forwarding (MBF), and click OK. More info on MAC Based Forwarding can be found at (article you won't read until it's a problem)."[17:36:28] *** Olivier83 <Olivier83!~Olivier83@31.221.4.66> has quit IRC (Read error: Connection reset by peer)[17:37:40] *** paradizelost <paradizelost!~paradizel@216.16.108.133> has quit IRC (Ping timeout: 250 seconds)[17:38:33] *** paradizelost <paradizelost!~paradizel@216.16.108.133> has joined #Citrix[18:35:33] <cs-bot> <masterslacker> kahnibus, there are few articles out there how to troubleshoot policies . here is one of them.. CTX134961[18:37:44] <cs-bot> <masterslacker> you can also find policies under HKLM\Software\Policies\Citrix (or under wow6432node)[18:37:59] <cs-bot> <masterslacker> there are server assigned and session assigned policies in there[18:39:29] <cs-bot> <masterslacker> ps, masterslacker = AnotherCTXadm , Just got tired authenticating into IRC chat[19:22:18] * Biny hands braynyac a pbr[19:27:21] <kahnibus> thanks![19:31:58] <cs-bot> <ncasagrande> director will show udp under the details of the session[20:13:18] <kahnibus> so on the same app servers that are having this issue... the windows event logs on said servers are showing this : Client printer auto-creation failed. The printer driver is not allowed based on the Driver Mapping List policy. Check your Driver Mapping List policy in the Citrix Policy Manager. Client name: (DESKTOP-MOBHTAL) Printer: (Microsoft XPS Document Writer (from DESKTOP-MOBHTAL) in session 105) Printer driver: (MICROSOFT XPS DOCUMENT WRITER V4)[20:13:23] <kahnibus> i feel like they are related to my issue[20:24:53] <hardlock> hey anyone using skype with rtme?[20:24:56] <Biny> yes[20:25:13] <hardlock> is it working stable? which version?[20:25:23] <Biny> 2.6? I think; no issues[20:25:35] <Biny> waiting for support for teams so we can migrate to that[20:25:39] <hardlock> we are having issues. calls drop randomly[20:25:56] <hardlock> and its really hard to debug that[20:26:11] <hardlock> two citrix cases later we dont know whats causing the drops[20:26:16] <Biny> yeah on real issues here. theres not much to configure[20:26:44] <Biny> we _had_ issues with remote linux TC's talking to in house users[20:27:09] <hardlock> thing is. same client has no drops using the native skype client[20:27:14] <hardlock> windows laptops[20:27:24] <hardlock> so people say: its a citrix issues[20:27:27] <hardlock> like always[20:27:43] <hardlock> *issue[20:27:54] <hardlock> but i really think its a network issue[20:27:56] <Biny> what version of skype though? O365's? or standalone?[20:27:59] <hardlock> we have paket loss[20:28:17] <hardlock> packet loss. not very heavy, but we have it randomly[20:28:22] <hardlock> onprem[20:28:34] <hardlock> but branch office[20:28:36] <Biny> so your skype is hosted on prem?[20:28:42] <Biny> vs o365?[20:28:58] <hardlock> skype server is in the datacenter, user is in a branch office[20:29:02] <Biny> and the client using the native skype client on a windows laptop is using the exact same version as in citrix?[20:29:30] <hardlock> oh yeah.. office is licensed as o365[20:29:43] <hardlock> but not using cloud services[20:30:07] <hardlock> so yes. its the same skype version[20:30:20] <hardlock> its a rather new branch[20:30:33] <hardlock> which might be an issue as well[20:30:36] <Biny> Skype on Citrix through HDX redirects to local endpoint tha tplaces all the traffic[20:30:37] <hardlock> monthly i think[20:30:45] <Biny> the traffic doesn't come through the vda/vdi at all[20:30:47] <hardlock> yeah i know[20:30:54] <Biny> so in essence; it's acting the same way both methods[20:30:58] <hardlock> thats why its strange that native skype doesnt have the issue[20:31:07] <hardlock> the call routing is the same[20:36:03] <hardlock> are u on o365 too?[20:36:10] <Biny> yes[20:36:34] <Biny> v 16.0.11328.20144 x86[20:37:29] <hardlock> ill check tomorrow. now chatting from ipad[20:38:00] <hardlock> i have somehow the impression that the rtme is more sensitive to packetloss than the native client[20:38:11] <hardlock> i mean its a guess[21:15:09] *** kahnibus <kahnibus!~Alex@129.3.29.171> has quit IRC (Quit: Leaving)[21:21:22] * braynyac hands the PBR back to Biny[21:21:29] <braynyac> Thanks, but no thanks. I like _real_ beer =)[21:21:34] <braynyac> just ask @hardlock =D[21:23:29] <hardlock> good old bud light![21:24:06] <|Atum|> Netscaler theory question[21:24:07] <|Atum|> 1. Check for double file extensions.[21:24:09] <|Atum|> 2. ../../ etc cannot be uploaded.[21:24:10] <|Atum|> 3. A white-list of allowable mime types.[21:24:12] <|Atum|> AppFW should be able to do this yes? I've not ever done appfw. Can similar be done in responder with drops?[21:24:13] <|Atum|> #1 Some whiz-bang regex to check for this?[21:24:15] <|Atum|> #2 I was thinking HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(URLENCODED).CONTAINS("../") ?[21:24:16] <|Atum|> #3 Patternset with mimetypes HTTP.REQ.Header("Content-Type").Contains_Any("patternSet_mimetypes") ?[21:25:27] <braynyac> eeewww!!!![21:25:40] <|Atum|> Don't hate me because I'm beautiful[21:28:28] <braynyac> No, I don't like Bud Light! and @hardlock keeps trying to foist his on me[21:31:33] <hardlock> i should have taken some pics of you[21:31:49] <hardlock> id photoshop a bud light on them right now[21:31:53] <hardlock> :P[21:32:17] <braynyac> lol[21:32:28] <hardlock> Atum appfw does protect against lfi attacks[21:32:30] <braynyac> You going to be at Synergy this year?[21:33:08] <hardlock> i registered yeah. but not sure because company situation is difficult here[21:33:15] <braynyac> got it[21:33:49] <hardlock> thinking of gettong a new job[21:33:57] <hardlock> getting[21:34:13] <hardlock> i want to be in the management just like you[21:34:20] <|Atum|> hardlock: can you elaborate? "lfi attacks" -- are we talking about the directory listing type?[21:34:22] <hardlock> i need my own engineer too[21:34:38] <hardlock> LFI local file inclusion[21:34:41] <|Atum|> fwiw it was particularly difficult to test, all browsers and even invoke-webrequest automatically protect against that... i had to grab curl and use --path-as-is lol[21:34:53] <hardlock> ../../ is a typicsl LFI attack[21:35:03] <|Atum|> Ya[21:35:04] <|Atum|> got it[21:35:08] <hardlock> typical. argh. ipad is not a good irc client[21:35:40] <|Atum|> So, in a nutshell, AppFW likely a better solution? There seems to already be an appfw profile bound. Can multiple be bound, or would i be binding new rules to the existing set?[21:36:20] <hardlock> AppFW is exactly the right thing - if you have a premium edition adc[21:36:34] <|Atum|> Let me verify licensing[21:38:47] <braynyac> hardlock: that's the problem with management - finding good engineers.[21:39:21] <hardlock> are u hiring?[21:39:45] <|Atum|> yeah platinum[21:39:52] <braynyac> I wish. You'd be at the top of my list...although we are investigating installing CU3 for XA7.15...and I know how you feel about that![21:43:41] <hardlock> frash install or update?[21:44:26] <braynyac> fresh install. We build all images with MDT.[21:44:26] <hardlock> atum appfw is a heavy topic. you have to understand a lot about web applications and network[21:44:48] <hardlock> https://docs.citrix.com/en-us/netscaler/12/application-firewall/security-checks-overview.html[21:45:07] <hardlock> you can break everything with it too[21:45:14] <|Atum|> yea... i think i need more info from the customer about how exactly this was tested... tbh the policy is bound and only those content types listed are there and that protection is already in place...[21:45:21] <|Atum|> so i wonder if they just tested direct vs the webserver instead of the vserver...[21:45:29] <|Atum|> theres an appfw profile already bound[21:45:31] <|Atum|> maybe its only in listen mode[21:46:16] <hardlock> you mean learning mode?[21:46:35] <cs-bot> <atum> ah yes... here we are. content type is in LEARN[21:46:35] <hardlock> that log can only have 20mb size max[21:46:40] <cs-bot> <atum> and starturl is in LOG[21:46:43] <hardlock> this is a exam question[21:46:54] <cs-bot> <atum> For E-N ? :)[21:47:13] <cs-bot> <atum> because I 98%'d the P-N and i dont recall appfw questions :)[21:47:14] <hardlock> P-N already[21:47:23] <cs-bot> <atum> Lucky roll of the dice i guess[21:47:37] <hardlock> when did you do the exam?[21:47:46] <hardlock> i did it recently and it was almost only appfw[21:47:59] <|Atum|> Renewed it last May[21:48:17] <hardlock> NS 12 already?[21:48:53] <|Atum|> That ../ protection is "startURL" right?[21:49:00] <|Atum|> As i understand it?[21:49:25] <hardlock> it can help but not for uploads[21:49:41] <hardlock> this limits the accepted urls over the netscaler[21:49:59] <|Atum|> I mean, since appfw policy is already bound I just need to know what to flick on to protect against the ../. I found the mimetype stuff[21:50:15] <|Atum|> what is it they're calling that attack protection?[21:50:20] <hardlock> https://docs.citrix.com/en-us/netscaler/12/application-firewall/appendixes/signatures-whitehat.html[21:50:29] <hardlock> here is remote file inclusion listed[21:50:39] <hardlock> didnt find a reference for local file inclusion[21:51:08] <hardlock> but i dont think you have to configure that manually somewhere[21:52:13] <hardlock> but this can do it probably[21:52:16] <hardlock> https://docs.citrix.com/en-us/netscaler/12/application-firewall/signatures/editing-signatures/add-signature-rule-patterns.html[21:53:45] *** Thuryn <Thuryn!~Thuryn@216.106.72.146.reverse.socket.net> has quit IRC (Quit: Leaving)[21:53:50] <hardlock> and you want enable this[21:53:52] <hardlock> https://support.citrix.com/article/CTX138858[22:12:02] *** Quimby <Quimby!~Quimby@pollux.local.li> has quit IRC (Quit: ZNC - http://znc.in)[22:53:42] <|Atum|> ahhhhhhhhhh[22:53:48] <|Atum|> seems that this appfw policy isnt in fact bound (has stats)[22:53:51] <|Atum|> im guessing it broke something lol[22:53:56] <|Atum|> I think im back to the responder idea[23:23:59] *** SixStr <SixStr!~SixStr@pool-100-2-219-130.nycmny.fios.verizon.net> has joined #Citrix[23:24:35] *** SixStr <SixStr!~SixStr@pool-100-2-219-130.nycmny.fios.verizon.net> has quit IRC (Client Quit)[23:48:59] <|Atum|> uncon: update one-liners for 12.0 policy hits? :D[23:49:25] <|Atum|> (Kindly Note:For NS 12.0、NS 12.1 version,session policies symbols changed from "pol_hits" to "pcp_hits" nsconmsg -d current -g pcp_hits)[23:55:11] <Biny> kindly note!