EUC Weekly Digest – November 17, 2018

Last Modified: Nov 17, 2018 @ 7:43 am

Interesting EUC items from last week:

Citrix

VDA

StoreFront

Receiver/Workspace app

NetScaler ADC

XenMobile / Endpoint Management

Citrix Cloud

VMware

Microsoft

Other

For more immediate updates, follow me at http://twitter.com/cstalhood.

For a list of updates at carlstalhood.com, see the Detailed Change Log.

3 thoughts on “EUC Weekly Digest – November 17, 2018”

  1. Hi, Carl,
    I need a piece of advice, I’m not sure if this is the right section for asking something like this, so I apologize if it’s not.
    I’m working on replacing Forefront TMG with virtual Netscaler appliance,
    I was able to replicate TMG’s proxy settings with a Content Switching VS and policies pointing to respective proxy points.
    But I’m having difficulties replicating TMG Firewall rules in netscaler. Advanced ACLs are not flexible enough and I tried several different types of policies: Authorization, Filter, Responder, Content Switching, etc… I’ll post a sample policy so you have a better understanding of what I’m trying to do:

    (CLIENT.IP.SRC.BETWEEN(172.28.0.0,172.28.255.255)) && (HTTP.REQ.URL.CONTAINS("example.com"))
    && (CLIENT.IP.PROTOCOL.EQ(TCP)&&(CLIENT.TCP.DSTPORT.EQ(80)
    || CLIENT.TCP.DSTPORT.EQ(443) || CLIENT.TCP.DSTPORT.EQ(32111)
    || CLIENT.TCP.DSTPORT.EQ(3389) || CLIENT.TCP.DSTPORT.EQ(4001)||
    CLIENT.TCP.DSTPORT.EQ(4100)
    || CLIENT.TCP.DSTPORT.EQ(4172) || CLIENT.TCP.DSTPORT.EQ(50002)
    || CLIENT.TCP.DSTPORT.EQ(8009) || CLIENT.TCP.DSTPORT.EQ(9427))) || ((CLIENT.IP.PROTOCOL.EQ(UDP) && (CLIENT.UDP.DSTPORT.EQ(50002)||
    CLIENT.UDP.DSTPORT.EQ(32111)||
    CLIENT.UDP.DSTPORT.EQ(4172))))

    To be able to replicate some of the rules we have in TMG, the NS has to check the client source IP, the URL of the request, and the ports and protocols used.
    The default setting will be "Deny" and these rules are going to allow traffic through.
    Authorization policies seem to have all the qualities, but I ran into a couple of issues.
    The syntax above gives me "Invalid argument" and doesn't let me save the policy; it only works if I take out (HTTP.REQ.URL.CONTAINS("example.com")), but I need that to be evaluated as well…
    Am I using incorrect syntax? Or can I set two policies and reference one in the other?
    I have about 9-10 of them to start with, and a Content Switching VS allows me to assign Authorization policies to it, but it needs an LBVS and/or a service to direct traffic to. If I go straight to the LBVS, it only allows me to bind 2 policies to it and gives me a "can't assign this policy to policy label" error (even though I don't use any policy labels for this).
    I’m using VPX 1000 NS12.1 48.13.nc
    Please let me know if any additional info needed.
    Thanks

    1. Another option is Responder. For the port 80 vServer, create a Responder Policy with expression ((CLIENT.IP.SRC.BETWEEN(172.28.0.0,172.28.255.255)) && (HTTP.REQ.URL.CONTAINS("example.com"))).NOT and set the action to Drop. Then bind the Responder Policy to the vServer.

      You usually don’t need to specify the destination port unless you’re doing * for port or VPN. Otherwise, if your VServer is on port 80, then the only way to reach the vServer is on port 80.

      1. Wouldn't that responder policy drop all the traffic not headed to "example.com"?
        The reason I break it down by port numbers is that I don't have certain protocols listed, for example:

        (CLIENT.IP.SRC.EQ(172.28.ip.ip)) && (CLIENT.IP.PROTOCOL.EQ(ICMP)||CLIENT.IP.PROTOCOL.EQ(ESP) || ((CLIENT.IP.PROTOCOL.EQ(UDP) && (CLIENT.UDP.DSTPORT.EQ(4500)||CLIENT.UDP.DSTPORT.EQ(500)))))

        ICMP and ESP are listed in CLIENT.IP.PROTOCOL.EQ, but the protocol for the IKE client is not; it uses UDP port 500, so I have to list that in the policy to be allowed through…
        I tried binding these policies to a Content Switching vServer with a wildcard (*) for ports, so it should listen on all ports and then send it off to a service…
        I'm just afraid that if I set separate policies, they will be treated according to priority level and it will be "either or":
        either it will check protocols and send off all traffic with matching ports disregarding the URL, or it will read the URL policy first and send off all traffic with the destination URL, disregarding the protocol check?
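The two expressions in this thread, as an added example that is not part of the original post or of Citrix's product: a small Python parser and evaluator for just the subset of NetScaler advanced-policy syntax they use, run against constructed packets. It models the precedence as postfix .NOT, then &&, then || (the same grouping the parentheses in the thread imply), accepts only straight double quotes around string arguments (an assumption of this toy parser; curly quotes from a copy-paste are a common reason an expression that looks right is rejected), and does not model policy bind priorities or Goto expressions. The commenter's rule is retyped with a shortened port list, and Carl's Responder expression is written with its parentheses balanced so that .NOT negates the whole source-and-URL conjunction. The packets and the rule copies are constructed for this example.

```python
import re
import ipaddress

# Toy parser/evaluator (added example, not Citrix code) for the subset of NetScaler
# advanced policy syntax used in the thread.  Modelled precedence: postfix .NOT, then
# &&, then ||.  Assumptions of the model only: string arguments must use straight double
# quotes, and a packet is a dict with src, proto, dstport and url (None if not HTTP).
_TOKEN = re.compile(
    r"\s*(?:(&&|\|\|)"                    # boolean operators
    r"|([()])"                            # grouping parentheses
    r"|(\.NOT)\b"                         # postfix negation
    r"|([A-Z_][A-Z0-9_.]*)\(([^()]*)\))"  # NAME(args) leaf
)

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError("Invalid argument near %r" % expr[pos:pos + 25])
        pos = m.end()
        if m.group(4) is None:                       # operator, parenthesis or .NOT
            tokens.append(m.group(1) or m.group(2) or m.group(3))
            continue
        name, args = m.group(4), m.group(5).strip()
        if name.endswith("CONTAINS") and not re.fullmatch(r'"[^"]*"', args):
            raise ValueError("Invalid argument: %s needs a straight-quoted string" % name)
        tokens.append((name, args))
    return tokens

def parse(tokens):
    """Recursive-descent parser producing a nested-tuple AST."""
    pos = 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None
    def primary():
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("Invalid argument: unbalanced parentheses")
            return node
        if isinstance(tok, tuple):
            return ("call",) + tok
        raise ValueError("Invalid argument: unexpected %r" % (tok,))
    def unary():                                     # .NOT binds tightest
        node = primary()
        while peek() == ".NOT":
            take()
            node = ("not", node)
        return node
    def and_expr():                                  # && binds tighter than ||
        node = unary()
        while peek() == "&&":
            take()
            node = ("and", node, unary())
        return node
    def or_expr():                                   # || binds loosest
        node = and_expr()
        while peek() == "||":
            take()
            node = ("or", node, and_expr())
        return node
    tree = or_expr()
    if peek() is not None:                           # e.g. a stray closing parenthesis
        raise ValueError("Invalid argument: unexpected %r" % (peek(),))
    return tree

def _leaf(name, args, packet):
    if name == "CLIENT.IP.SRC.BETWEEN":
        lo, hi = (ipaddress.ip_address(a.strip()) for a in args.split(","))
        return lo <= ipaddress.ip_address(packet["src"]) <= hi
    if name == "CLIENT.IP.PROTOCOL.EQ":
        return packet["proto"] == args
    if name == "HTTP.REQ.URL.CONTAINS":
        return packet["url"] is not None and args[1:-1] in packet["url"]
    if name in ("CLIENT.TCP.DSTPORT.EQ", "CLIENT.UDP.DSTPORT.EQ"):  # transport must match
        return packet["proto"] == name.split(".")[1] and packet["dstport"] == int(args)
    raise ValueError("Invalid argument: unknown expression %s" % name)

def evaluate(expr, packet):
    """Parse expr and evaluate it against one constructed packet dict."""
    def walk(node):
        if node[0] == "call":
            return _leaf(node[1], node[2], packet)
        if node[0] == "not":
            return not walk(node[1])
        if node[0] == "and":
            return walk(node[1]) and walk(node[2])
        return walk(node[1]) or walk(node[2])
    return walk(parse(tokenize(expr)))

# The commenter's allow rule, retyped with straight quotes and a shortened port list.
COMMENTER_RULE = """(CLIENT.IP.SRC.BETWEEN(172.28.0.0,172.28.255.255)) && (HTTP.REQ.URL.CONTAINS("example.com"))
&& (CLIENT.IP.PROTOCOL.EQ(TCP)&&(CLIENT.TCP.DSTPORT.EQ(80) || CLIENT.TCP.DSTPORT.EQ(443) || CLIENT.TCP.DSTPORT.EQ(4172)))
|| ((CLIENT.IP.PROTOCOL.EQ(UDP) && (CLIENT.UDP.DSTPORT.EQ(50002) || CLIENT.UDP.DSTPORT.EQ(4172))))"""
# Carl's Responder drop expression with parentheses balanced so .NOT covers the conjunction.
RESPONDER_DROP_RULE = ('((CLIENT.IP.SRC.BETWEEN(172.28.0.0,172.28.255.255))'
                       ' && (HTTP.REQ.URL.CONTAINS("example.com"))).NOT')
# Constructed packets for the checks.
INSIDE_WEB = {"src": "172.28.1.10", "proto": "TCP", "dstport": 443, "url": "https://www.example.com/app"}
INSIDE_OTHER_SITE = {"src": "172.28.1.10", "proto": "TCP", "dstport": 443, "url": "https://other.test/"}
OUTSIDE_UDP = {"src": "10.9.8.7", "proto": "UDP", "dstport": 4172, "url": None}
```

Running `evaluate(COMMENTER_RULE, OUTSIDE_UDP)` returns True: because the UDP branch sits after a top-level `||`, it is outside the source-IP and URL checks, so the rule as grouped admits UDP traffic from any source, which is worth knowing before it becomes the allow rule in a default-deny design. `evaluate(RESPONDER_DROP_RULE, INSIDE_WEB)` is False (not dropped) and `evaluate(RESPONDER_DROP_RULE, INSIDE_OTHER_SITE)` is True (dropped), the behaviour Carl describes. Feeding the parser the expression with curly quotes, or Carl's expression exactly as posted (one extra closing parenthesis), raises ValueError.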
