CUGTech Spring 2016



I have now spent 2 days in Strømstad to take part in Citrix User Group Norway’s 15th anniversary. As usual, it has been two days packed with technical sessions, but also plenty of socializing, good laughs, good food and drink(!).

The sessions were held by some of the most competent professionals from Norway and abroad. Norway was represented by people such as Marius Sandbu, Ole Christian Lona, Daniel Wedel, Bjørn Riiber, Nina Parie and Snorre Hansen, among others. From the rest of the world came Douglas Brown, Shawn Bass, Rick Dehlinger and Benny Tritsch, to name a few.

Since several of the sessions ran in parallel, I obviously could not catch everything, but the ones I was able to attend were marked by competent speakers and a good atmosphere in the “family”. It is an open-minded and very informal setting, and everyone can contribute questions or views as they feel like along the way.

The highlight of this year’s user conference was probably the celebration of the 15th anniversary itself. This was marked with a dedicated cake, which was solemnly “opened” by the chairman of the board, Kenneth Beck. You can see a video of this here and here.

Beyond the more product-oriented sessions, there were also some keynotes with a somewhat broader scope, in addition to the usual “Geek Speak” session. Doug Brown got two opportunities to talk about whatever he felt like in “unplugged” variants of a keynote. In addition, there was a joint keynote with 5 “oldtimers” who talked a good deal about Mark Templeton’s time at Citrix, and what we can expect from there in the future.

Speaking of the future: Bjørn Riiber from Citrix held a session about the relationship between Microsoft and Citrix over the coming years. It emerged that the two companies have entered into significant agreements to cooperate in all areas, and we can expect to see the products merge in device management, cloud services, application delivery and most other places where both Citrix and Microsoft have interests. Stay tuned for more. 🙂 (XenApp-apps via SCCM!!! 🙂 )

Otherwise, it is clear that most things revolve around Cloud in every context, and “access anywhere, anytime”. It is clear that this is now starting to mature as a concept, and that we may now be moving into a kind of “version 2.0” of what users can expect when they need access to their data in order to work.

All in all, I would say this was a very nice trip, and as usual a good event. The board had found a very nice place to hold the anniversary; Strømstad Spa is a very pleasant hotel with good facilities. It is definitely tempting to come back here sometime later!


Netscaler Gateway plugin returns – does it work on Windows 10 Technical Preview?


August 4th, 2015 Update: This workaround has been confirmed to work on the RTM version (build 10240) of Windows 10. A maintenance release for Netscaler 11 that supports Windows 10 is in the works, but the release date is not set (yet).

—–

The most popular post of the last year (2014) has been the one discussing Windows 8.1 and Netscaler Gateway Plugin. Go to https://sysconsultant.sandstad.org/2013/10/18/windows-8-1-and-netscaler-gateway-plugin/ if you want to revisit that post before you continue.

Done? Good! 🙂

Now for the good news….this also works on Windows 10 Technical Preview. I am running Win10 TP (sic) build 9926, which I got through Windows Insider just now. When I tried logging on to a VPN site via Netscaler Gateway earlier, I was just prompted to run the Java client.

Tonight, I wanted to see if the same workaround that was used for Windows 8.1 also works for Win10TP. Short story, it does. 🙂 Just add a REG_SZ value named Platform in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent, and give it the value “Windows NT 6.2” (no quotes, please), and you are good to go. The plugin can be downloaded and installed as usual, and the VPN connection goes up without a hitch.

So, that was my one reason not to upgrade my home PC to Win10…:P. Stay tuned.

Workaround for Netscaler VPX and VMware ESXi 5.5 Build 2143827


Citrix has published a workaround for Netscaler on VMWare 5.5 Build 2143827,

Marius Sandbu - IT blog

This is a quick post, but Citrix has published a workaround for the trouble they have with Netscaler losing connectivity on VMware with the latest update.

You can find the workaround here –> http://support.citrix.com/article/CTX200278

This is only until Citrix manages to fix the issue and includes it in a newer build of Netscaler.


Gamers gift


A small gift to those who are keen blog Readers. 🙂

I have hidden a Steam Key for a game somewhere on my blog. This has (of course) not been claimed yet. It’s finders keepers, so happy hunting!

First one to claim the key, please comment on this post.  🙂

G

I decorate my own cookie…dual authentication policies on Netscaler


Edit September 10th, 2015: Be aware of one thing if you plan to use the native Citrix Receiver to access applications: The workaround described in this article will break authentication for native Receiver. If you need both LDAP and RADIUS authentication, it might be better to remove the checkmark for “Authentication” in the LDAP profile. This makes the Password field disappear, but you can still use LDAP for password change and group extraction.

 

When configuring user authentication for Netscaler Gateway or other services on Netscaler, I usually rely on only one type of authentication at a time. Since most new customers want to use two-factor authentication with SMS One Time Passcodes (OTP), this mostly means that I configure a RADIUS authentication policy, using SMS Passcode. The challenge arises when they want to be able to change passwords via Netscaler and Storefront, either because it’s required, or because they simply want to. So far I haven’t been able to figure out how to facilitate this via RADIUS, so the only option is to do this via LDAPS (http://support.citrix.com/article/CTX122972, Access Gateway 9.2 or later for version 10.x).

The caveat with this approach is that it adds a second password field on the user login page. This is quite alright when you use old-fashioned RSA or other two-factor authentication methods that rely on user-held tokens that give out OTPs, because then the user enters both the password and the OTP at the same time when logging on. SMS Passcode and other SMS-based solutions usually don’t send this code until after the user has entered his/her username and password, rendering the second password field unusable…and confusing.

The solutions that I have seen so far have involved changing the original source files on the Netscaler, like login.js, to hardcode only one password field regardless of the configuration. I’ve never really liked this approach, because it happens behind the scenes, and can be a complication when it comes to upgrading the Netscaler later on. Not my favourite thing… So, I decided to find a better way! I had been looking into using rewrite and responder for a while to fix this, but only got as far as changing the text label of the password field. Not quite what I needed.

Then I spent some time examining the code in login.js (/netscaler/ns_gui/vpn/login.js), and I realized that they use a cookie to check the number of authentication methods, one or two. The cookie is named pwcount. The contents, or rather value, of this cookie is assigned to the variable pwc. This variable is then checked, and if the value equals 2, the second password field is visible. My simple solution: create a rewrite policy that overrides the pwcount cookie value, and always sets it to 1. Then this policy is bound to a vserver (or virtual Access Gateway) or globally on the Netscaler.

The highlighted text shows where the pwc variable is set to the value of the pwcount cookie, and that it's checked for value.


The rewrite is set up as follows: Create a Rewrite Action, set the type to INSERT_HTTP_HEADER. Header Name is Set-Cookie. The Expression is "pwcount=" + 1 (this sets the value of the pwcount cookie).

The rewrite action


The policy is as follows: Action is Rewrite_PwCount (the one made above). Log Action is not set, Undefined-Result Action is set to – Global-undefined-result-action-. Expression: HTTP.REQ.HEADER("Cookie").CONTAINS("pwcount").NOT

The rewrite policy


Bind this as a Rewrite policy on the vserver. NB: On Netscaler 10.x (and maybe older), note that it should be bound as a Responder policy. The change will be effective immediately. If you need to troubleshoot this, I recommend using Firefox and the Firebug addon. That gives you easy access to cookie contents, and also allows you to add cookies or change contents at will to debug and test stuff like this. I have tested this method on Netscaler 10.1 and 10.5. It should work fine on 9.x as well. The thing to look for here is the cookie reference in login.js. As long as you can change the value of that, you should be fine.
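
A small model of the cookie logic above, as an added example that is not code from login.js or from the original post: it shows when the policy expression fires and how many password fields a page following the described pwc check would render. The function names and sample Cookie headers are constructed, and it assumes the page reads only the cookie the browser holds after the response.

```javascript
// Added illustration of the cookie logic described in the post; the function
// names are hypothetical and the sample Cookie headers are constructed.

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Policy rule from the post: HTTP.REQ.HEADER("Cookie").CONTAINS("pwcount").NOT
// CONTAINS is a substring match on the whole header, not a cookie-name lookup.
function policyFires(cookieHeader) {
  return !(cookieHeader || '').includes('pwcount');
}

// Login page behaviour as the post describes it: pwc takes the pwcount cookie
// value, and the second password field is visible only when it equals 2.
function passwordFieldCount(jar) {
  return jar.get('pwcount') === '2' ? 2 : 1;
}

// One round trip: when the policy fires, the action's Set-Cookie: pwcount=1
// lands in the browser's jar; otherwise the browser keeps what it had.
function simulate(cookieHeader) {
  const jar = parseCookies(cookieHeader);
  const fired = policyFires(cookieHeader);
  if (fired) jar.set('pwcount', '1');
  return { fired, fields: passwordFieldCount(jar) };
}

const samples = [
  '',                           // fresh browser, no cookies
  'session=abc123',             // unrelated cookie only
  'session=abc123; pwcount=2',  // cookie already present before the policy was bound
  'theme=pwcount-demo',         // substring match on an unrelated cookie value
];
for (const s of samples) {
  console.log(JSON.stringify(s), simulate(s));
}
```

If the second field still appears after binding the policy, the model points at an existing pwcount cookie in the browser as one thing to inspect, since the rule skips any request whose Cookie header already contains that string.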

Revisited: Windows 8.1 and Netscaler Gateway Plugin


One of the most popular posts on this blog is the one discussing Windows 8.1 and compatibility with Netscaler Gateway 10.1 and the Gateway plugin.

That post has now been slightly updated to reflect that build 123.x and newer have full support for Windows 8.1.

You can find the full post here.