In situations where customers have Netscaler Gateways configured for client access from iOS devices (think integration with the Citrix Receiver app on mobile devices), configured users can now download this application, point it at your internet-facing Netscaler Gateway and achieve a VPN connection directly to your internal network by providing their credentials.
Worryingly, where the Netscaler may be on the internal network, or is not restricted by access lists or firewall rules, users will achieve internal connectivity via the IP address of the Netscaler Gateway and impersonate the gateway to browse the network.
Am I affected:
If you configured the Netscaler Gateway via the Wizard, used the XenMobile Access Wizard or have a configuration as above, your users will be able to utilise the VPN to achieve internal network connectivity. The best way to find out is to test.
The workaround may break current functionality if your environment requires the “Windows / MAC OS X” plugin type to function correctly. It is highly advisable that you speak with your Citrix partner / integrator if you are concerned about this issue or wish to make the change.
Work Around 1:
To work around this issue and to block any connections while we engage with Citrix, consider changing the Plugin Type to “Java”. This will block VPN connections.
Work Around 2:
Bind the following statement, with an action of “drop”, to a global responder policy:
Jarian and I talk daily on twitter with a host of friends and community members about the weekly movers and shakers. There’s long been talk about an End User Computing podcast and over a few beers we finally decided we’d give it a go.
FrontLine Chatter is a fortnightly podcast focusing on EUC industry news. Each episode will be roughly 30 minutes long and we’ll invite a panel member from the EUC community to tell their story or talk about a technology of their choice.
Our first episode is now live with the wonderfully colorful and interesting Rory Monaghan, talking all about application compatibility, Unidesk, VMware’s appvolumes acquisition and the other hidden gems Rory has been testing.
So what are you waiting for! Head over now and catch our first podcast.
Our next podcast (2 weeks from now) will be with industry hero Kees Baggerman, talking about moving from being a senior End User Computing consultant to working for Nutanix, his first 3 months with Nutanix, his view of the industry and some talk about User Environment Virtualisation (UEV). So drop back soon!
Just a quick drop and run post. While working with a particularly secure environment, many facets of ShareFile’s plugins would either not work, or certain features would not work.
Trying to find which domains and URLs were being used and called in order to categorise them was a royal pain in the ass inside of a secure virtual desktop, so here’s the list below if you’re facing the same task:
<yourdomain>.sharefile.com (or .eu)
secure.sf-api.com (and/or .eu)
If you want a sweeping statement, just whitelist sf-api.com and sf-api.eu.
Note, if you want full compatibility with all IE versions, also stick the domains in trusted sites.
* The external DNS name of your storage zone controller
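
The sweeping sf-api.com / sf-api.eu whitelist above only stays tight if the filter matches on DNS label boundaries rather than on a bare string suffix. The following is an added example, not code from the original post, that triages observed hostnames against the list that way. The tenant name `example-tenant`, the controller name `szc.example.com` and the sample hostnames are constructed placeholders.

```python
# Added example: allowlist matching on DNS label boundaries.
# Placeholders (assumed, not from the post): tenant and controller names.
EXACT_HOSTS = {
    "example-tenant.sharefile.com",  # stands in for <yourdomain>.sharefile.com
    "szc.example.com",               # stands in for the storage zone controller
}
# Sweeping entries: the domain itself plus any subdomain of it.
WILDCARD_DOMAINS = {"sf-api.com", "sf-api.eu"}

def normalise(host):
    """Lower-case, drop a :port suffix and a trailing root dot."""
    host = host.strip().lower()
    if host.count(":") == 1:  # host:port, not an IPv6 literal
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def is_allowed(host):
    host = normalise(host)
    if host in EXACT_HOSTS:
        return True
    # Require an exact match or a "." before the suffix, so that
    # "notsf-api.com" is not accepted as "sf-api.com".
    return any(host == d or host.endswith("." + d) for d in WILDCARD_DOMAINS)

def triage(hosts):
    """Split observed hostnames into (allowed, needs_review), de-duplicated."""
    allowed, review = [], []
    for name in map(normalise, hosts):
        bucket = allowed if is_allowed(name) else review
        if name and name not in bucket:
            bucket.append(name)
    return allowed, review

# Constructed sample of hostnames as a proxy log might record them.
SAMPLE = [
    "secure.sf-api.com:443",
    "Secure.SF-API.eu.",
    "example-tenant.sharefile.com",
    "other-tenant.sharefile.com",
    "notsf-api.com",
    "sf-api.com.example.net",
]

if __name__ == "__main__":
    allowed, review = triage(SAMPLE)
    print("allowed:", allowed, "\nreview:", review)
```

Hostnames that land in the review bucket are the ones still to be categorised or blocked; lookalikes such as a name that merely ends in the same characters never inherit the whitelist.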