Blocking the new Citrix VPN iOS connection to Netscaler gateway:

This is a fast publish article, more detail will follow.

We have discovered a potential security issue, or at least undesired functionality, in the new application release from Citrix titled Citrix VPN.


Description:

In environments where customers have NetScaler Gateways configured for client access from iOS devices (for example, integration with the Citrix Receiver app on mobile devices), configured users can now download this application, point it at your internet-facing NetScaler Gateway, provide their credentials and obtain a VPN connection directly into your internal network.
Worryingly, where the NetScaler sits on the internal network, or is not restricted by access lists or firewall rules, those users will gain internal connectivity via the IP address of the NetScaler Gateway and effectively impersonate the gateway to browse the network.

Am I affected:

If you configured the NetScaler Gateway via the wizard, used the XenMobile Access wizard, or have a configuration as described above, your users will be able to use the VPN to obtain internal network connectivity. The best way to find out is to test.
Workaround:
<-Disclaimer->
The workaround may break current functionality where your environment requires the "Windows / Mac OS X" plugin type to function correctly. It is highly advisable that you speak with your Citrix partner / integrator if you are concerned about this issue or wish to make the change.
Workaround 1:
To work around this issue and block any such connections while we engage with Citrix, consider changing the Plugin Type to "Java". This will block VPN connections.
Workaround 2:
Bind a responder policy with the following expression, and an action of "drop", globally:
HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver/NSGiOSplugin")
more info here:
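Workaround 2 expressed as NetScaler CLI commands, as an added example that is not the original post's configuration; the policy name rsp_pol_drop_ios_vpn and the priority 100 are assumptions, the match expression is the one given above.

```text
# Added example (not from the original post). Policy name and priority are assumed.
# Inner double quotes inside the rule string must be escaped with a backslash.
add responder policy rsp_pol_drop_ios_vpn "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver/NSGiOSplugin\")" DROP

# Bind globally at request time so the rule is evaluated for every request,
# whichever Gateway virtual server it arrives on.
bind responder global rsp_pol_drop_ios_vpn 100 END -type REQ_DEFAULT

# Verify the binding, then watch the policy hit counter while testing from
# an iOS device running the Citrix VPN app.
show responder global
show responder policy rsp_pol_drop_ios_vpn

# Persist the running configuration.
save ns config
```

CONTAINS is case-sensitive and the User-Agent header is supplied by the client, so treat this as a quick mitigation to be checked with a real device rather than a hard control; the plugin-type change in Workaround 1 blocks the VPN session itself.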
Credits of find:
  • Andrew Morgan – Initial functionality discovery.
  • Bobby Maher – Confirmation of functionality & session type work around.
  • Rick Roetenberg – Confirmation of functionality & responder work around.
