• Category: Netscaler

Upgrade Netscaler via REST API Install Command

The recent release of Netscaler firmware 11.1 from Citrix brings a new NITRO API command called "install", which allows firmware upgrades from the API.  I got pretty excited when I saw this and decided to take a look since I always felt this would be a great feature to have.  This post goes through how it functions and includes a PowerShell script that uses the new functionality for future firmware releases.



  • Category: Netscaler

Scoring an A+ for Netscaler from SSLLABS with Powershell


UPDATE 6-13-16: Updated Script to reflect Citrix blog with updated ciphers

UPDATE 2-21-16: Script now creates STS policy and enables Forward Secrecy resulting in A+ for all SSL VIPS!

Citrix released a blog post in early summer of 2015 outlining steps to take to harden SSL virtual servers to receive an "A+" from SSLLABS.  While the steps are easy to follow and don't take a lot of time for one Netscaler instance, they can be time consuming for multiple instances. I created the following script to automate the process for all Load Balanced Servers (SSL), Netscaler Gateways and Content Switches (SSL) found on a Netscaler.  If need be, you can even harden the management ports.  Simply edit the switches to reflect your environment and run. The script doesn't require any snap-ins but does require PowerShell 3.0 or greater for REST. Please feel free to leave any feedback on GitHub or in the comments below.




Thanks to Carl Stalhood for a great starting point on the Netscaler API portion!

  • Category: Netscaler

2Factor with Google Authenticator and Netscaler

Update January 9, 2018

This post is extremely old and was written before Citrix offered a real OTP solution.  Please use Carl's guide found here.

If you use 2factor for common websites like Gmail, WordPress or maybe even your work, chances are you have heard of the Google Authenticator app.  It's a very inexpensive way to add an additional layer of security for authentication and can be used for a wide variety of purposes. In this post we will configure an Ubuntu 14.04 server to work with Netscaler Gateway as a RADIUS server.  Let's get started.

I would like to thank the author of http://www.supertechguy.com/help/security/freeradius-google-auth for a great starting point.


  • Category: Netscaler

Redirect to Full Store Web Path with Netscaler

I hate having to edit single files on multiple servers since it can cause consistency issues and is a pain if you need to make changes.  Redirecting users to the full Storefront URL used to take editing or creating a JavaScript snippet pointing to the full Storefront web URL.  Using the Netscaler for this process saves the time needed to touch each server and is one less thing to worry about.

add rewrite action rw_action_storefront replace HTTP.REQ.URL "\"/Citrix/StoreWeb\""
add rewrite policy rw_pol_storefront "HTTP.REQ.URL.EQ(\"/\")" rw_action_storefront


  • Category: Storefront

Speed up Storefront with ASPNET.config change script

I got sick of having to manually edit Aspnet.config files to disable signature checking so Storefront would load faster.  I created a script that, once run from a single Storefront server, will pull the list of servers in the Storefront cluster and quickly look for Aspnet.config files remotely.  If a file is found not to have the tweak, the script will back the file up, add the "generatePublisherEvidence" line and restart IIS.

  • Uses new PowerShell modules
  • Disables .NET signature checking
  • Enables pool sockets
  • Disables NetBIOS via WMI


Download from Github



  • Category: Storefront

Storefront HTTP redirect and rewrite for PNAGENT

From time to time I run into clients that have very old thin clients but want to make the jump to Storefront.  While Storefront does offer "Legacy PNAGENT", it can only be utilized using the base URL, which must be HTTPS if you are using Netscaler Gateway.  This can be a problem with old thin clients since they probably won't understand the newer SSL certs that are out there, as they lack the ability to update root CAs.  The only way for these devices to function is to utilize HTTP instead of HTTPS.
