Nice little wizard at https://www.ssllabs.com/ssltest/index.html if you want to check how secure you’re SSL protected web site is
Archive for category IT
SSL Security Check
May 9
So, I’m building a Global Server Load balancing solution based on NetScaler and I made a mistake entering in the IP address for the local GSLB site. I deleted the site and then went to create a new local site but whatever I do the site creation fails with the following error.
It turns out that, when the site is created NetScaler records the GSLB local site IP in its list of IP addresses. The RTM version of NetScaler 10.0 (build 54.6) has a bug in that it doesn’t delete this IP address.
Bacause a Global Site IP already exists, you cannot “add” another one. So, if you need to change the IP address used for the local GSLB site, you just need to delete the IP address recorded here and you are good to go. The other choice it to update the firmware to the current version as this bug is fixed in build 54.7.
Let Me Get That For You
May 4
Ever wanted to send someone a search term ? Well, here’s a fun way to do it. Simply use http://lmgtfy.com/?q= followed by your search term. For example:
Netscaler 10 has been released recently and something very odd happens when you log on to the console for the first time ….. you don’t get the initial configuration menu !
This sort of stops you being able to update the device IP address to configure it further. To get the configuration menu back, simply type in configns and press return.
Excellent article at – http://www.shaunritchie.co.uk/xenapp-slow-logon-troubleshooting-and-optimisation
Here are some “rule of thumb” figures you can use when sizing a set of disks for IOPS
|
RPM |
IOPS |
|
SSD |
6000 |
|
15,000 |
175 |
|
10,000 |
125 |
|
7,200 |
75 |
|
5,400 |
50 |
The above are for individual disks or those configured in RAID 0. Don’t forget to take account of your RAID penalty !
Desktop Director gives you a nifty little helpdesk application that allows support personnel an insight into the end user experience when connecting to XenDesktop or XenApp.
This blog post details installing Desktop Director in a pure XenApp environment. My XenApp server is running Xenapp 6.5. The process itself is relatively simplistic but the first thing you need to do is get a copy of the software. This is available in the downloads section of the Citrix site, just log on with your MyCitrix id, browse to XenApp 6.5 (I access Enterprise Edition) and expand out the language you prefer. You should see a link like the below:
This separate iso contains the installation binaries. Simply access the ISO (burn it to disk or present it up to your VM etc) and open the Desktop Director folder. Double click on InstallDesktopDirector and work through the guided installation.
Desktop Director has 2 pre-requisites, .NT Framework 3.5 and IIS. The install routine took care of the installation of both of these for me. When asked for a XenDesktop controller I entered in the FQDN of my XenApp 6.5 controller server.
Once Desktop Director has been installed we need to configure the solution. This involves the following:
- Configure Desktop Director to contact one of our XenApp controllers.
- Allow Desktop Director through the firewall on the XenApp servers (port 2513).
- Configure each XenApp server for remote management.
To configure the Desktop Director server to contact XenApp, access the IIS Management Console and drill down to the DesktopDirector virtual application. In the right hand pane you will see “Application Settings”.
Double clicking allows us to configure the application settings. For XenDesktop an entry already exists for Service.AutoDiscoveryAddresses and it is this field that we populated earlier. This can be edited and the address of our XenApp server removed. For desktop Director to monitor XenApp we need to add another field for the application, Service.AutoDiscoveryAddressesXA.
To do this we simply click on the Add button on the top right of the screen.
We then name and populate our field.
We enter the server address of one controller per XenApp farm: Any of the other controllers in a XenApp farm are then used automatically for failover. Desktop Director does not load balance between controllers. If we are running multiple farms we separate the names of the designated controlelrs with commas. The Value field will look as below:
FarmAController,FarmBController
Once that’s done we just need to configure our XenApp servers. The next two steps can either be done manually or by using a GPO, for more than 2 or 3 servers, use of a GPO is the preferred method.
First we allow Desktop Director to connect to the controller servers on port 2513 (the old CMC port).
To maintain security the rule can be restricted to only allow access from the Desktop Director server.
We then enable Windows Remote Management on each XenApp worker server (Session Host). This can be done by running the WinRM QuickConfig command on each host.
This does three things.
-
It creates a listener to listen on port 80 (which will need to be allowed through the firewall if it isn’t already).
-
It sets the WinRM service to automatically start.
- It opens port 5985 on the server for external clients to manage the server. Again, this can be limited to the Desktop Director if required. This port is already configured as a disabled rule and can simply be enabled if required.
Once the above steps are done you should now be able to access Desktop Director using the URL http://servername/DesktopDirector.
As stated, WinRM can be configured using GPO’s and details on how to do that are at http://support.citrix.com/article/CTX125243. Equally, the firewall port (2513) can also be set using a GPO. This is true for our full administrative account. But what about helpdesk users ? Well, if they are full administrators on the XenApp servers then there is no problem. If a more restrictive assignment of rights is required this can be achieved by following the guide at http://support.citrix.com/proddocs/topic/director-200/director-cfg-machine-permission.html.
-
Management Console
- https://<vdiManagerIPAddress>/admin
- Account: vdiadmin/kaviza
- https://<vdiManagerIPAddress>/admin
-
VDI-in-a-Box appliance logon
- User: kvm/kaviza123
- User: root/kaviza123
- User: kvm/kaviza123
-
User logon from a web browser
- https://<vdiManagerIPAddress>
- User: <userid>/<password>
- https://<vdiManagerIPAddress>
-
User logon from the Java Client
- javaws http://<vdiManagerIPAddress>/dt/vdiclient.jnlp
- User: <userid>/<password>
- javaws http://<vdiManagerIPAddress>/dt/vdiclient.jnlp
-
User logon from mobile devices
- http://<vdiManagerIPAddress>/dt/PNAgent/config.xml
- User: <userid>/<password>
- http://<vdiManagerIPAddress>/dt/PNAgent/config.xml
-
Entries in CAG
- ACL: IP Addresses for VDI range for both ICA and Session reliability
- STA: vdiManagerIPAddress + path=/dt/sta
- Home Page: Java Client = http://vdiManagerIPAddress/dt/vdiclient.jnlp vdiManagerIPAddress + path=/dt/sta
- Home Page: PNAgent = http://vdiManagerIPAddress/dt/PNAgent/config.xml
- ACL: IP Addresses for VDI range for both ICA and Session reliability
-
vdiManager <-> Hypervisor
- HTTP over SSL/TLS (HTTPS):443
- HTTP over SSL/TLS (HTTPS):443
-
vdiManager <-> Active Directory
- LDAP:389
- LDAP over SSL/TLS (LDAPS):636
- LDAP:389
-
Endpoint <-> vdiManager
- HTTP over SSL/TLS (HTTPS):443
- HTTP over SSL/TLS (HTTPS):443
-
Endpoint <-> Secure Remote Access (CAG VPX)
- HTTP over SSL/TLS (HTTPS):443
- HTTP over SSL/TLS (HTTPS):443
-
Desktop Receiver <-> Virtual Desktop
- ICA:1494 or 2598
- RDP:3389
- ICA:1494 or 2598
Netscaler, with is Access Gateway Enterprise Edition (AGEE) functionality, allows you to publish resources to users, such as shares and access to internal web sites, when they are connecting externally to the network. These may include shares which are user specific. Publishing such items is relatively easy; simply create a bookmark that connects to \\LocationOfResource\%username% for later editions of AGEE or \\LocationOfResources\#<username> for earlier editions. However, what if the resource is held in a location that depends on the users membership of a department ? For example, finance department home drives are held on one server and sales department home drives are held on a different server ?
Similarly, that should be relatively easy. AGEE will extract the users group membership and you can simply publish the resource to that group on the basis that most administrators create Active Directory groups to represent a department in the organisation. To do this, access the policy manager in the “Access Gateway” node of AGEE.
Right click the Groups node under Configured Policies / Resources and select “Add”.
Then simply enter the name of the Active Directory Group (case sensitive).
Click on create and the group is added. You can then just create a bookmark and drag and drop it on to the group to publish that resource to that group. This works fine if the user is a direct member of the group that has the resource published to them. For example, if the group is “Sales” and the user is a member of “Sales” then they will be able to access the resource.
However, what happens if the user is not a member of the group Sales, but a member of a sub group, for example MajorAccounts ? In this case the user will not be able to access the resource. To overcome this we could just create a group for each resource and add users to each of those groups but for larger organisations that would be an administrative nightmare. Instead, we can use nested group extraction to find the ancestors of those groups which the user is a member of. That is, if the user is a member of the MajorAccounts group and this group is a member of the Sales group then they will have access to any resources published to the Sales group.
Configuring nested group extraction is quite simple. We simply amend the authentication server attached to our policy to enable nested group extraction. For Windows Active Directory the settings are as below:
NOTE: The Maximum Nesting Level setting determines how many levels “up” will be checked. The more levels checked will require more resources form the Netscaler which may have an effect on the scalability of the solution in large, busy deployments.
Now, this is all well and good when it works. But what if it doesn’t ? There is a caveat to this working which is not mentioned in the AGEE documentation. The search scope of the authentication policy must also include the location in Active Directory where the groups are held. For example, if the LDAP server object used by the authentication policy is scoped to the whole domain then all will be fine.
The issues with this is that, technically, this will allow any account within Active Directory to be authenticated, including service accounts and other accounts with Administrative privileges. If these accounts are compromised then, in the case of administrative users, they may also have applications published to them via XenApp which an attacker could utilise. One way to overcome this would be to not publish those applications if an Access Gateway connection is used which is easy enough to do by clearing the appropriate check box in the application properties in XenApp. Far better to never allow logons from those accounts in the first place.
This can be achieved by placing all of the users in a group and scoping the authentication to that group using a search filter. For example, we can create a group call Remote Access and add all the user accounts we want to be able to log in to that group. An example of a string for a search filter is given below:
Again, this is all well and good and easy to set up if you have a discrete set of users you want to grant access to. If it’s every user except administrative accounts then you have to remember to add the user account each and every time a new person joins the organization which is almost certain to fail on occasion. Even worse, if you have a tool for creating user accounts, such as when thousands of students enrol at the start of a new academic year, then this again increases administrative overhead, risks calls being raised where users aren’t added in or requires a re-write of the user creation tool. So, wouldn’t it be nice to use existing groups (departmental groups for example) and add those sub (departmental) groups into this group which grants rights to log on remotely ? That way, you can continue to use your user creation deployment tools and automatically grant these non-administrative accounts the rights to log on when working externally.
Unfortunately, that doesn’t work ! It only works where users are added directly to the group being filtered on, not where the membership of this group is other groups rather than the user accounts themselves. What can be done ?
The solution is to remove the search filter above but only allow certain user groups to log on. To do this we revert the above settings so that our authentication server will have settings as below:
This essentially grants remote logon rights to all users, including administrative accounts. We limit this behaviour by accessing the profile for the session policy applied to the authenticating users. We open the policy manager once again in the “Access Gateway” node of AGEE.
We access the session profile and choose to modify the Request Profile.
On the Security tab of the profile, click on the Advanced link.
Enable the Groups Allowed To Login section and add the name of the group we want to be able to login.
Above I have created a single group and nested sub groups within that group within Active Directory. In the example above, the Remote Access group contains the Sales group. This Sales group in turn contains the sub-groups holding the user accounts such as MajorAccounts, NorthernSales, SouthernSales, EMEA etc. I have also configured Nested Group Extraction as above. Now, if a user is a member of one of the nested groups they are allowed to login. This allows us to scope the search at the root level and thus ensure that all groups (for publishing resources) are within the scope of the search. This civers the situation where thereis a “flat” Active Directory structures where there is no single Organizational Unit which groups together user group OUs to allow us a common point of entry to conduct searches. As we can now extract nested group membership we can publish resources based on that group membership while restricting logins for administrative accounts and removing the administrative burden of having to individually add users to a group just to allow remote access.
Note: If you prefer, multiple groups can be added to the above field by separating the group names with comma’s.
If you want to troubleshoot nested group extraction, or at least check that groups are being assigned to users, you can use the built in Netscaler tools to monitor the logon process. To do this create an SSH connection to the active Netscaler device using your favourite client, Putty for example. Once you have logged on using the nsroot (or similar) credentials, connect with the operating system shell by typing in shell and pressing return. Then enter the command cat /tmp/aaad.debug and press return.
This will show the debug log for logons. Log on through the AGEE logon page, output similar to the below will be created:
In the example above, the user is only in the ITServices group. This is a nested member of the All Staff group which is itself a member of the Remote Access group. If you cannot see the enumerated ancestor groups (or sufficient groups) then either nested group extraction is misconfigured or you may need to increase the number of levels enumerated.
