Interesting EUC items from last week:
Citrix
- This week, Citrix announced the acquisition of Sapho – Citrix Blog Post
VDA
- Known issues for Citrix CVAD 1808 on Windows Server 2019 – Citrix KB article
StoreFront
Receiver/Workspace app
- Citrix Cloud Workspace Brand Personalization Service (Tech Preview) – Citrix Blog Post
NetScaler ADC
- Download Citrix NetScaler Release (Maintenance Phase) 12.0 Build 59.9 – replaces build 59.8
- Download Citrix NetScaler Release (Maintenance Phase) 11.1 Build 60.13
- Anycast support in Citrix ADC GSLB – Citrix Docs
XenMobile / Endpoint Management
- What’s new in Citrix Endpoint Management 10.18.19 – Citrix Docs
- Download Citrix Secure Mail and Secure Web MDX files updated Nov 7
Citrix Cloud
- What’s new in Citrix Application Delivery Manager (cloud) November 16, 2018 – Configure AppFlow on multiple virtual servers – Citrix Docs
- What’s New in Citrix Security Analytics November 16, 2018 – search for Access Control data; provide feedback regarding a risk indicator – Citrix Docs
VMware
- Upcoming VMware Horizon 7.7 new features – built-in HA for UAG appliances (no need for load balancer), Windows 2019 support – VMware Blog Post
- What’s New with Horizon 7 on VMware Cloud on AWS – VMware Blog Post
- Download Workspace ONE® Intelligent Hub
- Workspace ONE Intelligence What’s New In Q3 2018 – YouTube
- VMware Identity Manager and Workspace ONE Intelligence Feature Walk-through – YouTube
Microsoft
- Mapped drives may fail to reconnect after starting and logging onto a Windows 10 1809 device – workaround scripts – Microsoft knowledgebase
Other
- Digital Workspace and DaaS Cheat sheet – 22 characteristics of 6 different vendors – CTP Christiaan Brinkhoff
- SPECviewperf 13 benchmark results for Citrix XenDesktop on Citrix XenServer with NVIDIA Tesla P4, P6, and P40 cards on Cisco UCS C240 M5 and B200 M5 servers – Cisco White Paper
For more immediate updates, follow me at http://twitter.com/cstalhood.
For a list of updates at carlstalhood.com, see the Detailed Change Log.
Hi, Carl,
I need a piece of advice. I’m not sure if this is the right section for asking something like this, so I apologize if it’s not.
I’m working on replacing Forefront TMG with a virtual NetScaler appliance.
I was able to replicate TMG’s proxy settings with a Content Switching VS and policies pointing to respective proxy points.
But I’m having difficulties replicating TMG Firewall rules in NetScaler. Advanced ACLs are not flexible enough and I tried several different types of policies: Authorization, Filter, Responder, Content Switching, etc… I’ll post a sample policy so you have a better understanding of what I’m trying to do:
(CLIENT.IP.SRC.BETWEEN(172.28.0.0,172.28.255.255)) && (HTTP.REQ.URL.CONTAINS("example.com"))
&& (CLIENT.IP.PROTOCOL.EQ(TCP) && (CLIENT.TCP.DSTPORT.EQ(80)
|| CLIENT.TCP.DSTPORT.EQ(443) || CLIENT.TCP.DSTPORT.EQ(32111)
|| CLIENT.TCP.DSTPORT.EQ(3389) || CLIENT.TCP.DSTPORT.EQ(4001)
|| CLIENT.TCP.DSTPORT.EQ(4100) || CLIENT.TCP.DSTPORT.EQ(4172)
|| CLIENT.TCP.DSTPORT.EQ(50002) || CLIENT.TCP.DSTPORT.EQ(8009)
|| CLIENT.TCP.DSTPORT.EQ(9427)))
|| ((CLIENT.IP.PROTOCOL.EQ(UDP) && (CLIENT.UDP.DSTPORT.EQ(50002)
|| CLIENT.UDP.DSTPORT.EQ(32111) || CLIENT.UDP.DSTPORT.EQ(4172))))
To be able to replicate some rules that we have in TMG, NS has to check the client source IP, the URL of the request, and the ports and protocols used.
Default setting will be set to “Deny” and these rules are going to allow traffic through.
Authorization policies seem to have all the qualities, but I run into a couple of issues.
The syntax above gives me “Invalid argument” and doesn’t let me save the policy; it only works if I take out (HTTP.REQ.URL.CONTAINS("example.com")), but I need it to be evaluated as well…
Am I using incorrect syntax? Or can I set two policies and reference one in the other?
I have about 9-10 of them to start with. A Content Switching VS allows me to assign Authorization policies to it, but it needs an LBVS and/or a service to point to to direct traffic; if I go straight to the LBVS it only allows me to bind 2 policies to it and gives me a “can’t assign this policy to policy label” error (even though I don’t use any policy labels for this).
I’m using VPX 1000 NS12.1 48.13.nc
Please let me know if any additional info needed.
Thanks
Another option is Responder. For the port 80 vServer, create a Responder Policy with expression ((CLIENT.IP.SRC.BETWEEN(172.28.0.0,172.28.255.255)) && (HTTP.REQ.URL.CONTAINS("example.com"))).NOT and set the action to Drop. Then bind the Responder Policy to the vServer.
You usually don’t need to specify the destination port unless you’re doing * for port or VPN. Otherwise, if your VServer is on port 80, then the only way to reach the vServer is on port 80.
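The Responder approach from the reply above, written out as Citrix ADC CLI commands. This is an added example, not from the original post or from Citrix documentation; the vServer name lb_proxy_80 and the policy name rp_drop_unless_allowed are assumed.

```text
# Added example (not from the post): the Responder allow-list on the Citrix ADC CLI.
# Assumed names: lb_proxy_80 is the existing port-80 LB vServer,
# rp_drop_unless_allowed is the new Responder policy.

# The allowed case is "source range AND URL both match"; the .NOT is applied to the
# whole parenthesised test, so every other request gets the built-in DROP action.
add responder policy rp_drop_unless_allowed "((CLIENT.IP.SRC.BETWEEN(172.28.0.0,172.28.255.255)) && (HTTP.REQ.URL.CONTAINS(\"example.com\"))).NOT" DROP

# Bind on the request side. END stops evaluating further Responder policies after a hit.
# No destination-port test is needed: this vServer only listens on port 80.
bind lb vserver lb_proxy_80 -policyName rp_drop_unless_allowed -priority 100 -gotoPriorityExpression END -type REQUEST

# Confirm the binding and the stored expression before relying on it.
show lb vserver lb_proxy_80
show responder policy rp_drop_unless_allowed
```

The inner parentheses around each test are what keep the quoted expression from being rejected as "Invalid argument" when the .NOT is appended.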
Wouldn’t that responder policy drop all the traffic not headed to “example.com”?
The reason why I break it down by port numbers is because I don’t have certain protocols listed, for example:
(CLIENT.IP.SRC.EQ(172.28.ip.ip)) && (CLIENT.IP.PROTOCOL.EQ(ICMP)||CLIENT.IP.PROTOCOL.EQ(ESP) || ((CLIENT.IP.PROTOCOL.EQ(UDP) && (CLIENT.UDP.DSTPORT.EQ(4500)||CLIENT.UDP.DSTPORT.EQ(500)))))
ICMP and ESP are listed in CLIENT.IP.PROTOCOL.EQ, but the protocol for the IKE client is not, but it uses UDP port 500, so I have to list that in the policy to be allowed through…
I tried binding these policies to a Content Switching vServer with wild card ( * ) for ports, so it should listen on all ports and then send it off to a service…
I’m just afraid that if I set separate policies, they will be treated according to priority level and it will be “either or”.
Either it will check protocols and send off all traffic with matching ports disregarding the url, or it will read the url policy first and send off all traffic with the destination url, disregarding protocol check?