Blocking the new Citrix VPN iOS connection to Netscaler gateway:

This is a fast publish article, more detail will follow.

We have discovered a potential security issue, or at least undesired functionality, in the new application Citrix has released under the name Citrix VPN.


Description:

Where a NetScaler Gateway is configured for client access from iOS devices (for example, to integrate with the Citrix Receiver app on mobile devices), any configured user can now download this application, point it at your internet-facing NetScaler Gateway and, by supplying their normal credentials, establish a full VPN connection directly into your internal network.
More worryingly, where the NetScaler sits on the internal network, or is not restricted by access lists or firewall rules, those users gain internal connectivity sourced from the NetScaler Gateway's own IP address. Their traffic is indistinguishable from the gateway's, so any internal firewall rule that trusts the gateway's address now also trusts the user browsing the network through it.

Am I affected:

If you configured the NetScaler Gateway via the wizard, used the XenMobile Access wizard, or have a configuration like the one above, your users will be able to use the VPN to reach the internal network. The only reliable way to find out is to test: install the application on an iOS device, point it at your gateway, authenticate, and see whether an internal address is reachable.
Work around:
Disclaimer: the work around may break current functionality, as your environment may require the "Windows / MAC OS X" plugin type to function correctly. It is highly advisable that you speak with your Citrix partner / integrator if you are concerned about this issue or wish to make the change.
Work Around 1:
To block these connections while we engage with Citrix, consider changing the Plugin Type in the session profile to "Java". This will block VPN connections from the application.
Work Around 2:
Bind the following expression, with an action of "drop", to a global responder policy:
HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver/NSGiOSplugin")
Note that the User-Agent header is supplied by the client, so this only stops the unmodified application; treat it as a stop-gap rather than a control, and pair it with proper access lists or firewall rules on the gateway's internal traffic.
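For those who prefer the command line, here is Work Around 2 as NetScaler CLI commands. This is an added example, not configuration from the original post or from Citrix; the policy name rsp_pol_block_ios_vpn and the priority 100 are assumptions, and the lines beginning with # are annotations rather than commands. The expression itself is the one given above; note that its inner double quotes must be escaped when typed at the CLI.

```nscli
# 1. Create the responder policy. DROP is a built-in responder action that
#    silently discards the matching request (RESET would send a TCP reset).
add responder policy rsp_pol_block_ios_vpn "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver/NSGiOSplugin\")" DROP

# 2. Bind it globally at request time so it is evaluated on every virtual
#    server, the gateway included. Priority 100 leaves room for earlier rules.
bind responder global rsp_pol_block_ios_vpn 100 END -type REQ_DEFAULT

# 3. Verify the binding, then test from a device: the policy's hit counter
#    should increment for each blocked connection attempt.
show responder global
show responder policy rsp_pol_block_ios_vpn

# 4. Persist the change.
save ns config
```

Because the match is on a client-supplied header, check the hit counter after each test rather than assuming the binding is working, and remember that an altered client can change its User-Agent at will.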
Credits of find:
  • Andrew Morgan – Initial functionality discovery.
  • Bobby Maher – Confirmation of functionality & session type work around.
  • Rick Roetenberg – Confirmation of functionality & responder work around.

A new end user computing podcast, FrontLine Chatter.

Jarian and I talk daily on Twitter with a host of friends and community members about the week's movers and shakers. There has long been talk of an End User Computing podcast and, over a few beers, we finally decided we'd give it a go.

FrontLine Chatter is a fortnightly podcast focusing on EUC industry news. Each episode will be roughly 30 minutes long, and we'll invite a panel member from the EUC community to tell their story or talk about a technology of their choice.

Our first episode is now live with the wonderfully colourful and interesting Rory Monaghan, talking all about application compatibility, Unidesk, VMware's App Volumes acquisition, and the other hidden gems Rory has been testing.

So what are you waiting for? Head over now and catch our first episode.

Our next podcast (two weeks from now) will be with industry hero Kees Baggerman, talking about moving from being a senior End User Computing consultant to working for Nutanix: his first three months at Nutanix, his view of the industry, and some talk about User Environment Virtualisation (UEV). So drop back soon!

Update to Caffeine for Receiver

Just a quick note to say I've finally updated Caffeine for Receiver to support Receiver 4.2.

I had neglected to update this tool for a while, until I actually needed it and the remote screen saver annoyed the hell out of me. Necessity is the mother of product maintenance, it seems!

Anyway, I digress, check the original blog post here for the downloads and configuration options.

In other news, if you’re familiar with ThreadLocker, watch this space, it’s about to get a serious overhaul!

PS: stop asking me for a Mac client; it's not possible, as there is no ICA SDK / API for the Mac.

ShareFile Domains and URL proxy categorisation.

Just a quick drop-and-run post. While working in a particularly locked-down environment, many facets of ShareFile's plugins would either not work at all, or certain features would not work.

Trying to find which domains and URLs were being called, in order to categorise them, was a royal pain in the ass from inside a secure virtual desktop, so here's the list if you're facing the same task:

  1. <yourdomain>.sharefile.com (or .eu)
  2. yourinternalstoragezonename*
  3. g.sf.api.com
  4. secure.sf-api.com (and/or .eu)
  5. <yourdomain>.sf-api.com (and/or.eu)

If you want a sweeping statement, just whitelist sf-api.com and sf-api.eu. Bear in mind that this also permits every other tenant's subdomain, not just yours, so prefer the tenant-specific entries above where your proxy supports them.

Note: if you want full compatibility with all IE versions, also add the domains to Trusted Sites.

* The external DNS name of your storage zone controller

ThinIO facts and figures, Part 4: Storage design and dangerous assumptions.  

Welcome back to this blog series discussing our new product, ThinIO. Please find below the three earlier articles in this series:

In the final post in this series we're going to discuss storage design and a frequent problem faced when sizing storage. Let's get right into it:
