Citrix Synergy 2018 Perspective: CTA Chris Schrameyer

Citrix Synergy 2018 – An Insider’s Perspective

This year’s Synergy was special for me.  I was given the opportunity to participate like never before.  My roles this year included:

  • Citrix CTA
  • External Speaker – Lunch Table Tech Chat Leader
  • CUGC – Local Leader, Midwest XL leadership committee, and participant in the CUGC leadership workshop.
  • Citrix Insider

Synergy 2018: Days 2 and 3

 

Day 2 at Citrix Synergy

Synergy was a very busy time for me. So much so that my intention to do daily blogs… didn’t happen.

So- here’s a 2 in one with an added wrap up bonus!

For those that don’t know- Citrix is talking about themselves and what they are doing on stage exactly once, the first day’s Keynote. The second two days had Super Sessions with leadership personalities outside of even the tech world. Think of it as a value-add for your conference ticket. The sessions were not streamed live, you had to be there to hear them.

Synergy Super Session: Dr. Condoleezza Rice

Dr. Condoleezza Rice (@CondoleezzaRice) started day 2 with a rousing speech.

I love the matter-of-fact way that Dr. Rice speaks. I always have, in fact. “It may feel like the tectonic plates are shifting under our feet… That is because… They are.” That little nod to yesterday’s earthquake got everyone listening.

Dr. Rice talked about her remarkable early life. About not being a victim… world politics… leadership qualities and what everyday kindness really looks like. But her perspectives on modern security, I think, took center stage. And let’s be honest, she would know. She talked about how, rather than attacking from the front as we expect, modern bad actors come from the side; causing disruption rather than directly assaulting.

 

Talking about Powers Acting Badly… I have rarely thought about how Disruption is their biggest weapon. Guess what? You need to be aware and ready because the days of physical disruption are gone. #cybersecurity #citrixsynergy

— DJ Eshelman (@TheXenMaster) May 9, 2018

 

The greatest challenge is not what they can do to us, but what we can do to ourselves- @CondoleezzaRice nails it at #CitrixSynergy @citrix

— DJ Eshelman (@TheXenMaster) May 9, 2018

The speech was followed by an onstage chat with Tim Minahan. Dr. Rice said she didn’t want to run for President; she understands too much of what goes into it I guess. Still, we were all disappointed to hear she wouldn’t try!

 

Principles to live by per Dr Rice: (1) be twice as good, you will be confident (2) never be a victim, you lose control (3) don’t take on others’ prejudice – they don’t want to sit next to you because you are different, they can move #citrixsynergy https://t.co/tNyDS7Xi0s

— David Le Strat (@dlestrat) May 9, 2018

You can get Dr. Rice’s new book Political Risk on Kindle, Hardback or Audible (with a free month trial) [ctxpro.com participates in the Amazon affiliate program- purchases support this site!]

Lunch Table Tech Chats

After some much needed herbal tea to soothe my very sore throat (I had great broadcast voice in the morning but it was difficult to get the volume needed) I headed to lunch to talk with more people about Application Delivery.

 

Having some tea to help my voice clear up before the Lunch Table Chats at #CitrixSynergy Come join the conversation about your thoughts on Networking in the Cloud era! pic.twitter.com/4dpCgujACt

— DJ Eshelman (@TheXenMaster) May 9, 2018

Right after grabbing a Lego Mini-Fig for my wife of course…

The afternoon was great- I attended a few sessions and volunteered at the Citrix User Group Community booth once again. On Day 2 we had ALREADY run out of most shirt sizes and were reduced to handing out “Extra Large and Extra Larger” shirts to folks!

CUGC Booth at Synergy

The evening for me was quite good. I went to a Citrix Sales appreciation dinner, where oddly enough I didn’t really talk with any sales folks at all- but did have several GREAT conversations about where people are in their Citrix journey- even some heart touching stories from some folks that will be joining us in the CTXPro Membership when it launches! Connecting with people is why I went to Synergy.

Ready for the shocker? I was in bed by 11 pm! Either I’m getting older or wiser… or both.

Synergy Day 3 in pictures…

  • Michael Lewis super session
  • CTPs and CTAs ready for a session
  • IGEL giving out a hefty prize to a lucky winner
  • Robert Randolph and the Family Band!
  • Check out who liked my Instagram post!
  • Synergy Badge 2018

Synergy Day 3

Day 3 started with spending an hour with Michael Lewis- renowned author of books like Moneyball and The Blind Side. I think his talk fed well into Citrix’s announcement regarding how they were moving forward in Analytics.

His story of how the stock market spent millions to quite literally shorten the distance of fiber optic links, because traders couldn’t click fast enough, shows why the ability to see ahead into things we didn’t know before is so important.

 

If someone said to me “You’re not clicking it fast enough” I would probably counter with “Have you tried turning it off and on again?” #CitrixSynergy pic.twitter.com/PObF2ujAQd

— DJ Eshelman (@TheXenMaster) May 10, 2018

 

The fact that we are living in a world of literally moving the Earth to gain a better experience is what @citrix is all about. #CitrixSynergyEarthquake #CitrixSynergy

— DJ Eshelman (@TheXenMaster) May 10, 2018

But more important is that we are now getting answers to questions we didn’t even know we had. From finding the cause of behavior of overworked cops to weather, analytics are a part of our story. Why is this important? “You can’t change the decision maker but you can change the decision making environment.”

Oh- and you may be wondering, why so many tweets? If you were following me you know that I used the #citrixsynergy tag a lot. It was because with every one, a dollar was being donated to STEM programs. Over $51,000 was donated! That’s a lot of tweets!

The morning was again filled with sessions, and I even took the opportunity to do a very brief Facebook Live for my Facebook Group (which you should totally join!) before a well-attended session on multi-datacenter setups.

After the final day of Tech Chats, the CUGC leaders that were at Synergy gathered for a training session in how to conduct effective meetings. It was extremely useful and I can’t wait to put some of what we learned into practice!

What a good looking group at the #myCUGC Leadership Workshop! Looking forward to some amazing local meetings! #CitrixSynergy pic.twitter.com/S0OZGPSn5C

— Citrix User Group Community (CUGC) (@myCUGC) May 10, 2018

The rest of the afternoon for me was spent in Synergy Park attending to the CUGC table once again, until the final night party at House of Blues!

 

@rrtfb #HouseofBlues rockin #CitrixSynergy afterparty #guitarsofinstagram

A post shared by TheCitrixCoach (@thecitrixcoach) on

If I’m not listening to Metal or Hard Rock- I’m playing Blues. Sometimes, literally. So I was right up front at House of Blues! Great show (though the line to get in was a bit ridiculous, and it took forever to get any food!)

 

The evening was great; a bunch of CTAs and CTPs found their way to a corner bar and chatted the night away. Great memories with old and new friends. Great to get to know Neil Spellings a bit more; we ended up walking back together as we both had early flights! Fitting, since we’re both known for our Synergy prep guides – but neither of us talked about them.

The next morning – insanely early – I boarded a plane home, after a chat with my buddy Carl Webster. By the way- I’m just going to say if you haven’t done so already – support his website! There’s a donation button. Do it!

 

Citrix Synergy 2018 Summary

So- the common question: Did you have a great Synergy this year?

And the answer is of course yes. Even if it wasn’t as well attended, I always enjoy Anaheim more than Vegas or Orlando – but this was the first year I was there representing not a company or a sponsor… but YOU.

That’s right- I was sent to Synergy as a Citrix Technology Advocate, and I did my best to do just that. I met so many more people this year than I have in years past. I gave out over 150 cards, interacted with folks on Twitter and of course the Lunch Table Tech Chats and CUGC events.

So- what am I hearing?

There remains confusion about Citrix products from a NAMING standpoint, not a ‘what it does’ standpoint. Though it was heavily downplayed at Synergy, Citrix did announce some changes to the portfolio on their website. This does away with several names – most notably “Xen” and “NetScaler” but also “ShareFile”. A few of these I’m okay with, a few not so much if I’m being honest. I was ready to give up Xen. But honestly NetScaler and ShareFile were fine from a market alignment standpoint. What they were not, however, is a name that identifies what the product does. And that is essentially what Citrix is after. Each new product name will contain “Citrix” and then a brief description of what it does.

Here’s a rundown of what to expect:

Citrix Workspace

This will be a category that will encompass several technologies formerly known as either “Workspace Suite” or “XenDesktop” along with some new things.

  • Citrix Workspace App – announced at Synergy, this expands the capabilities of Receiver to include apps, files and even some analytics and security capability. I haven’t been this excited since Dazzle. Ask me about it later…
  • Citrix Content Collaboration = ShareFile
  • Citrix Endpoint Management = XenMobile (Secure Mail and Secure Web apps remain unchanged in name)
  • Citrix Secure Browser = XenApp secure browser
  • Citrix Hypervisor = XenServer
  • Citrix App Layering = Unidesk
  • Citrix Virtual Apps = XenApp
  • Citrix Virtual Desktops = XenDesktop

Citrix Networking

This will be the most controversial and, when you think about it, the most challenging to change from a technical product standpoint. Bottom line- a few of these software-based items will be easy. But don’t expect Citrix to be sending out new physical NetScalers to replace yours.

  • Citrix ADC = NetScaler ADC
  • Citrix SD-WAN = NetScaler SD-WAN
  • Citrix Web Firewall = NetScaler App Security, App Firewall and Web App Security
  • Citrix Gateway = NetScaler Unified Gateway AND NetScaler Access Gateway
  • Citrix Application Delivery Management = NetScaler MAS
  • Citrix Secure Web Gateway = NetScaler Secure Web Gateway
  • Citrix Intelligent Traffic Management = Cedexis Platform

So- many people missed the Cedexis acquisition. I have to admit that I’m having trouble with where it fits into the core sometimes but here’s the thing: Think of how many apps your company uses today. Now tell me how many of those are either SaaS (either Web browser or web-delivered like Office 365) or has components that tie in that way? So, while this makes some sense- I can give you a perspective from attendees that came to my Tech Chat table… people don’t think of SaaS as “Applications”. Citrix, if you’re listening- changing what “App Delivery” means is something people don’t seem to be ready for. Everyone who came to my tables wanted to talk about XenApp.

But Xen’s dead baby. Xen’s dead.

Citrix Analytics

This new cloud-based capability was actually one of the more exciting new features- because of what it can do for security and support. I’ll go into this in another post because there is a LOT here. Needless to say, I’m excited to finally see this come about.

Oh- let me answer the most popular question: “Will this be Cloud-Only?” The answer is not exactly. On-Premises installs will have a connection agent – however, when you think about what makes this work; an on-prem solution is not going to be practical. This is using real-time analytics across thousands of instances for behavior-based intelligence. If you’re struggling with this I’d simply say that you need to stop thinking in terms of DAT files and think in terms of pre-cognition. Knowing a threat exists by what behavioral triggers exist, instead of by looking for the results.

Finally- the question I got over and over again (I mean, other than “you don’t look like your picture”) was – “Since they are killing Xen … What are you going to do about your Twitter Handle?”

Well- here’s the thing. I have known about this renaming for some time, yes- we were given some special NDA access to this process to give Citrix feedback about it. (We voiced a lot of your concerns, by the way…)
But the reality is that I have been wanting to change “TheXenMaster” for quite some time now. After being called that by someone (I’ve forgotten who) I decided to run with it. But I’ll be honest- it doesn’t fit my personality. So I’d been working to find a new persona; one that uplifts and encourages. Unfortunately I couldn’t take over the abandoned Twitter username for this, so I kept a definitive modifier out in front once again.

Going forward- I will be on Social Media as @TheCitrixCoach

I have registered this in several places so far:

more to come! I’d encourage you to follow me on any of these outlets!

Whew! I’m tired. I think I’m going to wrap this up and call it another successful Synergy!

Synergy 2018: Day 1

Very early in the morning, I woke with a start thinking someone was in my hotel room shaking my bed. Turns out that the Earth itself was shaking.

So, it was with that early adrenaline rush that I went to the Keynote for Citrix Synergy. Along the way, I did an exclusive Behind The Scenes video using my super-secret CTA powers to get early access to Synergy Park and the Expo. To get access to that video, just join our new Facebook Group.

Keynote Announcements

First, CEO David Henshall announced that it was like Citrix was shaking the world… This was the first moment I realized that I was not crazy; my bed really had been moving. I’ll be honest- I did a quick check of the news and verified that everyone was okay! On to business.

I’m not going to play-by-play the announcements – if you want that, I’d suggest Meri’s Citrix blog about Day 1. What I will do is mention some key takeaways and thoughts.

First- Citrix is in the process of re-formulating the way it’s presented in the world- so you will see names like “Citrix Workspace”, “Citrix Networking” and “Citrix Analytics”. This is something Citrix is working on in the background to eliminate mystery terms (I mean, how does XenDesktop really tell you it is a virtual workspace?). I have been part of the background conversation about this and can tell you that the decision NOT to focus in on naming changes was wise. So I will also not be talking about it here. I will be discussing it with my members- if you aren’t already, get signed up for my membership waitlist at https://ctxpro.com/membership

You want photos? Here’s some photos!

Here’s how the Citrix Story will look going forward:

Citrix Workspace, Citrix Networking and Citrix Analytics are the future of Citrix

The new Workspace App was announced. Think of it as Receiver ++

This is actually a pretty big deal not only for aggregating resources but also in terms of having Analytics right in your workspace. So- contextually showing you relevant content both from Citrix sources and other feeds from SSO, from ShareFile documents to even workflows within ServiceNow (another integration announced).

 

Did you know that IT Complexity is one of the leading causes of baldness? Mostly from hair being ripped out.

But Citrix is focusing in on this to reduce how much IT Complexity is costing.

State of IT: User Experience is down, Business Risk and IT Complexity are up

IT Complexity costs $800/user year

There was a fun little demo where she actually spilled coffee on her laptop (like, for real) to demonstrate how quickly you can roam your workspace from device to device. It’s the classic Citrix story.

"oh no, I spilled coffee on my laptop..."

 

In my mind, Analytics is one of the key things Citrix is doing to keep market dominance in this space. This is one of those ‘behind the scenes’ benefits to ‘going cloud’.

Citrix's view on Analytics - Workspace, User Behavior, Modeling and Policy Control

 

Of course- we need to talk about the Cedexis acquisition, right?

Announcement of Citrix Intelligent Traffic Management (Cedexis)

Demonstration of Analytics in Citrix Cloud

 

So the keynote got people talking, for sure… which means its time to talk about talking!

Lunch Table Tech Chats

So I’ll let you in on a little secret: Several of the CTAs (Citrix Technology Advocates) including myself have ‘speaker’ badges because we were asked to facilitate talks every day at Lunch. In years past this has been one of my favorite activities and I’m really glad Citrix asked me to host a table this year! My table’s topic is “Application Delivery and Cloud Networking” – but we’ve talked about everything from XenApp in the Cloud to MultiFactor Authentication and Federated Services.

Lunchtime Tech Chats

I even decided to have some fun with the Lego Minifigs. Since many people were telling me that I no longer look like the headshot I used on my business cards, I decided to have some fun with it with a photo that I posted to Twitter. In fact- there were a lot of Twitter posts with minifigs; all part of the fun!

When I replaced my face with a lego minifig for my business card

Day 1 Summary

As I’m looking at the clock and realizing that I’m already running late I’m going to cut this short and hit publish knowing there is much more I could say.

What I will mention is that I have been busy handing out cards and connecting with people because I am getting really excited to go beyond Consulting work and writing Content and getting more into supporting Community and doing Coaching. If you want to learn more about that, subscribe to my mailing list!

So- all in all I had a great day. A long day to be sure, but I managed to get away across town with some old friends and have a few beers and many MANY laughs.

And that’s really what Synergy is all about for me- connecting with people.

Citrix Synergy 2018: Day 0

I arrived early for Citrix Synergy this year. I had anticipated a busy pre-conference schedule early on and boy… I was not disappointed!

TL;DR Summary

  • Updated the guide at https://ctxpro.com/synergytips
  • Attended an Executive (NDA) session with CTAs and CTPs
  • Reconnected with several folks
  • Met David Henshall (CEO)
  • Lots of people showed up at the CUGC Pre-Game
  • I met a ton of new people
  • Great time guiding first-timers at the Navigators Reception
  • Did two live videos and a few recorded sessions – exclusive behind the scenes videos at the Citrix Professionals Facebook Group.
  • No Announcements today; watch Twitter.com/TheXenMaster for those and retweet with #CitrixSynergy!

Live content from #CitrixSynergy all week- follow @TheXenMaster for live feed and tweets from the event, then visit https://ctxpro.com for daily recaps!

The Synergy Recap so far

Day 0 followed a pretty long Day -1 for me, as I had flown in Sunday pretty early… so let’s cover that quickly.

Day -1 Summary

I was on the plane with some folks from NComputing, which was fun. Yesterday I was actually given one of their Pis (Workspace Hub) at the CTP briefing.

A side view of the lime-green hued NComputing Workspace Hub

After a nap (I don’t sleep well on planes), I got registration taken care of- you may have seen the tweets of the bags, but here’s a preview:

The 2018 Citrix Synergy Backpack

I have to say I like this year’s bag overall. I have downsized my laptop recently, so this fits my needs better. Note that the feedback I have gotten is that this year’s bag is way better than last year’s! I very much agree; better padding, and it doesn’t feel like it is constantly trying to dislodge its rear compartment. Good work, Citrix Team.

So after picking up the badge and CTA jacket, I met up with some other CTAs and early arrivers to not only catch up but talk about the Lunch Table talks we are facilitating this week.

The Giveaway desk at Citrix Synergy

Early to bed Sunday night!

Synergy Day 0

CTA/CTP Executive Briefing

Day one started with breakfast and a two hour “what to expect” session where the CEO and other Citrix leadership were letting us know what was coming up and getting our feedback on several areas of operation. I can’t discuss these much further, but I can tell you that the praises and concerns that have been voiced to me were brought to the attention of the CEO of Citrix… Hard to ask for more of a great way to start, right?

Panoramic view of CTAs and CTPs gathered at Citrix Synergy

Lunch with CTAs and CUGC Leaders

I had an impromptu lunch with a few fellow CTAs and leaders, then was back at my hotel room to prep for the evening.

Live Streams

I decided to go live on Twitter to give a “what to expect when you walk in”.

I then did a Facebook Live behind the scenes tour of what is being set up at the Synergy Park and Expo Hall. To see that, you need to join our FB Group, Citrix Professionals.

CUGC Pre-Game Reception

This event far exceeded our expectations! So many of you were there and made it a point to say hi. I was very glad to be there. I handed out a good number of cards and connected with quite a few friends new and old!

And of course, a little bit of Introvert Power Punch (Alcohol) didn’t hurt to get conversations flowing. T-Shirts were given out and a good time had by all!

Navigators Reception

This was a very cool way for those that had either never been to Synergy, or had been there several years ago, to learn what is new. Two hours went by in a flash as I met about 20 or so folks and gave advice on sessions and themes to look for. My perception is that it was well received- if you were there I’d love to pass your feedback to the team, or just put your feedback into the Synergy App!

Summary

As I ended the day with some drinks, first at the Marriott, then the Hyatt- I realized that I had talked myself hoarse. I’d been on my feet some 5 hrs straight, but I went to bed around 11 feeling fine.

What to expect next

Of course I woke up at 4am and started writing this blog… So we’ll see what tomorrow brings! Remember to watch for live updates on Twitter and join our Facebook Group for another live session right before the Keynote!

Watch for Citrix demonstrating a much tighter strategy towards a practical Workspace. Cloud and Analytics will be another theme to watch. Remember you can live stream at live.citrixsynergy.com!

Oh… And if you are here- get to the registration desk early to see if they have any more of these pins:

My favorite Synergy button- "Have you tried turning it off and on again?"

I’m adding tips every day to my SynergyTips page! Today’s tip is how to smooth out that CUGC T-Shirt!

Join the new Citrix Professionals Group on Facebook! https://facebook.com/groups/citrixpros

How to Prepare for Citrix Synergy

Each year I will update this page with my tips and tricks for attending Citrix Synergy, the yearly gathering of users, vendors, Citrix and usually… me.

**Not going to Synergy? Here’s a CTXPro Tip: The Keynotes will be streamed live! Sign up at https://live.citrixsynergy.com/

Let us know you’ll be there in spirit if you are watching the stream:

I can't be there, but I'm watching the #CitrixSynergy live stream. If you will be there, check out ctxpro.com/synergytips for some pointers!

**Update 5/8/2018

Synergy has launched and that means it’s time to get that CUGC T-Shirt! But- it comes wrapped up in a bundle, giving it some wrinkles. Normally, these would come out in the dryer. So what if you want to wear it at the conference? FEAR NOT fair reader, I have a travel tip that will help!

Enjoy!

NetScaler Security for the XenApp Dummy – Part 2: Design

We’re back, talking more NetScaler Security! This is part of our four part series using my recommended Assess (or Understand), Design (Plan), Change (Build) and Maintain (Manage) Methodology.

In Part One we went into detail on how to assess and find just how secure your NetScaler configuration really is. We went thru a few of the very many leading practices and how to determine variances from them. If you didn’t read that one, go ahead and read it… I’ll wait. If you have gone thru the article and have your spreadsheet (or notes), we’re ready to continue! Also check back on it from time to time- I’ll be updating the article every now and again when new threats or methods emerge!

NetScaler Security Goals

First, let me say outright that we are not taking actions on this step. That will come in Part 3, Change. For now, we are making a plan of action- what do we intend to do in order to address the concerns we have from our Assessment. Setting some goals is key here.

Setting NetScaler Security Goals

Let’s go thru the list and determine what we want for the best balance between simplicity to deploy and good NetScaler security. We’ll start with the Highest Urgency and Importance items.

  • Score an A+ at SSLLabs.com. Looking from my example, I can see that my NetScaler Gateway is scoring a “C”. I think having an A+ will be a good indicator of acceptable NetScaler security.
  • Ban SSL3 and TLS 1. With TLS 1.2 supported and 1.3 on the horizon, my goal will be to sunset the older SSL/TLS protocol versions completely for better protection.
  • Secure the NetScaler Management Interfaces. I want to make sure that the leading NetScaler security practices are followed to prevent attacks. This will include defining ACLs and restricting access to the NSIP interface. And, of course- change the NetScaler’s NSROOT password.
  • Upgrade to the Best Firmware Choice. As I mentioned in Part One, just because a firmware update has been released doesn’t mean it is automatically best to use it. In my case, I want to be sure the firmware chosen meets minimums for NetScaler security, not features as my primary concerns.
  • Address Leading Security items. Our assessment indicated at least one leading practice that is security related, so we will validate those settings.

Fine Tune for XenApp and XenDesktop

These are the lower priority findings and other items marked as Low Urgency and Importance.

  • Validate Leading Practices. As the Health Check Summary from CIS indicated there were several leading practices in need of adjustment from the defaults. I’ll focus on the ones that affect overall NetScaler security.
  • Address Functionality Items. Our assessment had a few items of low priority that may affect the functionality of other systems. In fact, in our case I’m going to even add one that I know needs to be addressed for functionality of the new EDT protocol.

Design

In the Design phase, we will be determining Design Decisions – in this case declaring the configuration changes that will give us the best NetScaler security that makes sense for our use cases.

Score an A+.

I know that to get to A+ I have a lot of things to address, but I am going to first start with a pretty major caveat. Just as I noted in Part 1, we need to declare a minimum support for our SSL settings. If we go too strict, we lose the ability for certain endpoints to connect entirely. On the other hand, we may only want those with secure and updated operating systems to be able to connect at all. For our example, we know that the following is true:

  • We only support connections from up to date browsers and operating systems. All others are best effort and must meet NetScaler security minimums. That means no XP, Vista or out of date OS configurations. Sorry, for those of you stuck in 2008.
  • We do not have Thin clients in scope so the need to continue allowing TLS 1.1 to support older thin clients does not apply. We can also apply STS.

First- let’s deal with the same things I mention in my original NetScaler security article about getting the Best SSLLabs Rating (which will be updated from time to time).

First we will go with the most secure Cipher sets and configuration possible. Now- I know a few things going into this that I want to share with you:

  • First- upgrading firmware. In 2018, SSL Labs will begin downgrading scores for those that are vulnerable. When upgrading firmware, I typically start with the minimum I need and go up to the latest firmware as long as it is at least a month old. This is from experience in feature releases causing disruption for other functions. The most common I’ve seen is problems with AppFlow. If you’re using HDX Insight (and let’s be honest, you should be) this is something you need to be aware of. If you’re not using AppFlow… knock yourself out with the latest; odds are good you’ll be fine. But I can’t stress enough how important validation testing is when upgrading to new major releases (say, 11 to 12 for example). If you’re stuck or less confident- phone a friend. Or contact me using the form over to your right…
  • The way SSL Ciphers are named gets confusing in a hurry- but the names are organized in such a way that indicates a balance between security and performance. NetScaler Gateway has some pretty specific processing needs, especially when using a VPX which doesn’t have an offload chip. Therefore, the selections we’ll make as primary will be driven by performance first. This means in the case of DHE vs ECDHE, we’re going to favor ECDHE because they will perform better in our use case. If you don’t know what I’m talking about… that’s okay. I barely know myself if I’m being honest. But this is what I have tested and deployed to over 50 NetScalers last year. Here’s more information if you are hungry for it: https://docs.citrix.com/en-us/netscaler/12/ssl/supported-ciphers-list-release-11.html Note again that if you are using a FIPS Appliance, you’ll want to review this: https://docs.citrix.com/en-us/netscaler/12/ssl/fips-approved-ciphers.html The list gets complicated, but few care more about NetScaler Security than those using FIPS appliances. Best to understand what Ciphers will be supported for your appliance because the mileage varies!
    • We will make a set of Ciphers specific to NetScaler Gateway, which we will refer to as “NSG”
    • We will separate RSA from non-RSA keys for TLS 1.2 and above, because there is drama emerging there right now. To be flexible in the future, we’ll make it easy to disable the cipher set for testing.
  • Beware ROBOT. I did a re-scan of my SSLLabs assessment and found that at the end of Feb 2018, my NetScaler security score would be an F! This is due to the firmware being vulnerable to ROBOT attack. You can test for that vulnerability here: https://robotattack.org/. We will update the firmware as part of our process to deal with this threat.
  • Speaking of SSLLabs- another up and coming trend you need to be aware of is Perfect Forward Secrecy (PFS). To explain this as briefly as possible, there are two ways to achieve PFS, by using DHE or ECDHE key exchange. Based on my limited testing and research, I have found that ECDHE performs better than DHE, though DHE does offer better security. If you are running an MPX or SPX appliance you may want to look into DHE (Diffie-Hellman Exchange). I do not yet recommend this for VPX that are not hosted on SPX. A lot more information can be found here: https://support.citrix.com/article/CTX205282 But- as long as the ECC curves are in place (they usually are if you have any ECDHE ciphers bound, which we will), this is not a concern for you until the ‘rules’ change to favor DHE more heavily. You may also want to enable STS on your StoreFront servers if you have internal connections- but be aware that this may cause disruption to certain thin clients so TEST, TEST and then TEST AGAIN!
  • Note- There are new Ciphers coming soon to support TLS 1.3 – for this article, however I am assuming that we will not have access to that firmware and I’ll update this later with those new sets. We’ll create a Cipher set name that we will keep updated as the latest and greatest and include “CurrentCiphers” in its name.

Other Recommended Settings

  • Remember that we are going to change our NSROOT Password. I thought about suggesting Active Directory integration for NetScaler as well but that is probably best for another blog post or referring you to other sites. If you’d like to learn more about the process and include it in your document, it is something I recommend as you won’t have your NSROOT password floating all over the place. https://support.citrix.com/article/CTX123782 Regardless- change your NSROOT password on a regular basis even if you have AD authentication configured.
  • Unless our testing reveals something different, we plan on implementing all the recommendations found in our Scout report. Rather than type them twice, I’ll list them in the design document below.

NetScaler Security Design Document

Pulling from all the items above, we can generate a document that lays out our plan for better NetScaler security so we can share it with others if need be. It is also very useful if this is something that will take some time to get approved. It doesn’t have to be anything fancy, but I always advise people to write things down first. Here’s something to get you started. PLEASE NOTE: these are just the items I found in my assessment example. You’ll want to include any findings you have as well!

Item: NSROOT Password
Design Decision: Change to a complex password
Notes: Store the new password securely! I use Dashlane to store and securely control sharing of passwords with 2FA security. Sign up here to get $20 off for you and give $20 for me too! Way safer than putting them in a file!

Item: NetScaler Firmware
Design Decision: Upgrade firmware to the latest stable build within our major version release.
Notes: We’ll be using the 12.0 56.20 build in our example. I chose this simply because it is the latest at the time of writing and met the criteria of not being vulnerable to CVE-2017-14602 and CVE-2017-17382.
Guidance on the steps to expect here: https://support.citrix.com/article/CTX127455
To prevent the ROBOT attack, make sure you are on a firmware build above those affected in https://support.citrix.com/article/CTX230238

Item: Management Interfaces
Design Decision: Only allow the NSIP as a management interface and force secure (SSL) communication only.
Notes: Disable the “Enable Management Access” control, Telnet, SSH, and GUI on all non-management IPs.
More information here about restricting NSIPs to only allow management applications: https://support.citrix.com/article/CTX126736
See “Enable Secure Access to NetScaler GUI” at https://support.citrix.com/article/CTX111531

Item: NetScaler Security – Interface ACLs
Design Decision:
- Allow HA communication between NetScalers
- Allow communication from Utility servers
- Allow communication from NMAS Server
- Deny all others
Notes: This action must be performed on both NetScalers.
NetScaler NSIPs: (list yours)
Utility Server IPs: (list servers or subnets that will have access)
NetScaler MAS: (If you have them, list the IP addresses of NetScaler MAS appliances)

Item: NetScaler Gateway – SSL Parameters
Design Decision:
- TLS 1.2 only
- Enable HSTS (Strict Transport Security)
- Disallow SSL v3, TLS 1.0 and 1.1
Notes: For HSTS, configure a rewrite action. Read up on it at https://support.citrix.com/article/CTX205221
Note: this procedure is different depending on whether you are using a 12.x based firmware or not. In our case we can use the instructions for 12.x at https://support.citrix.com/article/CTX224172

Item: NetScaler Gateway – Basic Settings
Design Decision: Enable DTLS
Notes: Check the box for DTLS.

Item: Traffic Management – SSL – Cipher Groups
Design Decision: Create custom cipher groups
Notes: NSG-TLS1.2-RSA-Ciphers, NSG-LegacyCiphers, TLS-HighSecureCurrentCiphers

Item: Traffic Management – SSL – Ciphers
Design Decision: Favor high performance, high security ciphers and work downward within each set.
Notes: The TLS1.2-RSA group will be isolated for future removal if needed.
NSG-LegacyCiphers will only be used if older clients are in place, but I recommend creating the group just in case.
Each grouping will start with higher AES and SHA values and work downward.
The TLS-HighSecureCurrentCiphers group will utilize the new ECDHE-ECDSA ciphers instead of RSA ciphers.

NSG-TLS1.2-RSA-Ciphers:
- TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
- TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
- TLS1.2-ECDHE-RSA-AES-256-SHA384
- TLS1.2-ECDHE-RSA-AES-128-SHA256
- TLS1.2-DHE-RSA-AES256-GCM-SHA384
- TLS1.2-DHE-RSA-AES128-GCM-SHA256

NSG-LegacyCiphers:
- TLS1-ECDHE-RSA-AES256-SHA
- TLS1-ECDHE-RSA-AES128-SHA
- TLS1-DHE-RSA-AES-256-CBC-SHA
- TLS1-DHE-RSA-AES-128-CBC-SHA
- TLS1-AES-256-CBC-SHA
- TLS1-AES-128-CBC-SHA

TLS-HighSecureCurrentCiphers:
- TLS1.2-ECDHE-ECDSA-AES256-SHA384
- TLS1.2-ECDHE-ECDSA-AES128-SHA256
- TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
- TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256

Item: SSL Parameters
Design Decision: Disable client- and server-side SSL renegotiation
Notes: Deny SSL renegotiation to the frontend client. https://support.citrix.com/article/CTX123680

Item: TCP Defaults
Design Decision:
- Enable Nagle’s Algorithm
- Enable Selective Acknowledgement
- Enable Window Scaling
Notes: https://support.citrix.com/article/CTX121149
Check with your Network Administrator to be sure the Window Scaling option will be supported (SACK is tied to Scaling). If not, only list Nagle’s. Another key metric here is the Factor for Scaling. Typically 4 is correct, but see the article at https://support.citrix.com/article/CTX113656 to be sure you will not need to adjust this value after conferring with your Network Administrator.

Item: HTTP Parameters
Design Decision: Drop invalid HTTP requests
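As an added example (not the author’s commands, which come in the next post, and not Citrix documentation), here is the design table above expressed as NetScaler 12.x CLI so the plan can be reviewed line by line before the change window. The Gateway vserver name gw_vsrv_example, the NSIP 10.0.0.10, SNIP 10.0.0.20, HA peer 10.0.0.11, utility range 10.0.1.1-10.0.1.254 and MAS address 10.0.2.5 are constructed placeholders; the NSG-LegacyCiphers group is left out because the table only calls for it when old clients require it.

```text
# --- Cipher groups: names and cipher names taken from the design table ---
add ssl cipher NSG-TLS1.2-RSA-Ciphers
bind ssl cipher NSG-TLS1.2-RSA-Ciphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher NSG-TLS1.2-RSA-Ciphers -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher NSG-TLS1.2-RSA-Ciphers -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher NSG-TLS1.2-RSA-Ciphers -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher NSG-TLS1.2-RSA-Ciphers -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher NSG-TLS1.2-RSA-Ciphers -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
add ssl cipher TLS-HighSecureCurrentCiphers
bind ssl cipher TLS-HighSecureCurrentCiphers -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384
bind ssl cipher TLS-HighSecureCurrentCiphers -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256
bind ssl cipher TLS-HighSecureCurrentCiphers -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
bind ssl cipher TLS-HighSecureCurrentCiphers -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256
# --- Gateway vserver (placeholder name): TLS 1.2 only, custom groups replace DEFAULT, ECC curves on, DTLS on ---
set ssl vserver gw_vsrv_example -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED
unbind ssl vserver gw_vsrv_example -cipherName DEFAULT
bind ssl vserver gw_vsrv_example -cipherName TLS-HighSecureCurrentCiphers
bind ssl vserver gw_vsrv_example -cipherName NSG-TLS1.2-RSA-Ciphers
bind ssl vserver gw_vsrv_example -eccCurveName ALL
set vpn vserver gw_vsrv_example -dtls ON
# --- Renegotiation: deny it to the frontend client (global SSL parameter) ---
set ssl parameter -denySSLReneg FRONTEND_CLIENT
# --- HSTS: rewrite action + policy bound to the Gateway response path (CTX205221 pattern) ---
add rewrite action rw_act_insert_sts insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy rw_pol_enforce_sts true rw_act_insert_sts
bind vpn vserver gw_vsrv_example -policy rw_pol_enforce_sts -priority 100 -gotoPriorityExpression END -type RESPONSE
# --- Management only on the NSIP (placeholder 10.0.0.10), GUI over HTTPS only; nothing on the SNIP ---
set ns ip 10.0.0.10 -mgmtAccess ENABLED -restrictAccess ENABLED -gui SECUREONLY
set ns ip 10.0.0.20 -mgmtAccess DISABLED -telnet DISABLED -ssh DISABLED -gui DISABLED
# --- Extended ACLs to the NSIP: HA peer, utility range, MAS, then deny all others; verify before continuing ---
add ns acl acl_allow_ha_peer ALLOW -srcIP 10.0.0.11 -destIP 10.0.0.10 -priority 10
add ns acl acl_allow_utility ALLOW -srcIP 10.0.1.1-10.0.1.254 -destIP 10.0.0.10 -priority 20
add ns acl acl_allow_mas ALLOW -srcIP 10.0.2.5 -destIP 10.0.0.10 -priority 30
add ns acl acl_deny_mgmt DENY -destIP 10.0.0.10 -priority 100
apply ns acls
# --- TCP and HTTP defaults from the table (scaling factor 4 per the note) ---
set ns tcpParam -nagle ENABLED -SACK ENABLED -WS ENABLED -WSVal 4
set ns httpParam -dropInvalReqs ON
save ns config
```

Run the ACL section last and from a console or a source address that the allow rules cover, since the final DENY rule applies to every other source once `apply ns acls` runs.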

Deployment Plan

Whenever possible, I believe in using a non-production test environment or components to validate changes before impacting users. Part of our Deployment Plan will involve testing these settings on a test NetScaler VPX prior to deployment in production. Once our changes are validated, we’ll set a time for a production outage so that we can roll back changes if required. For an HA deployment, it is very possible to do the updates in a way that minimizes production impact. However, with NetScaler Gateway, connections will be disrupted when we reboot. So whenever possible with this kind of update, I recommend declaring an outage or, at the least, setting the expectation that sessions may be disrupted during a defined time window when the changes will be made.

So write out a deployment plan with a rollback plan. This is very useful especially when you must generate something for a Change Control board. Here’s the high-level plan:

  1. Save the Running Configuration of the test NetScaler VPX
  2. Export the full NetScaler Backup. I recommend reviewing my fellow CTA George Spiers’ guide at http://www.jgspiers.com/netscaler-backup-restore/
  3. Run a snapshot of the NetScaler VPX
  4. Upgrade NetScaler Firmware (if HA, use the advice in the article above to list out your steps)
  5. Secure the NSIP Interface by introducing new ACLs (VERIFY before you continue)
  6. Make the other changes noted above

Next time- I’ll guide you thru the process of actually making the changes! When we’re done, you’ll have NetScaler Security at a level of confidence that will exceed most enterprise customers I’ve been visiting lately!

Securing Citrix Broker XML Service without IIS

So you want to secure the XML traffic going from StoreFront to your Controllers (Brokers)… I think that’s a good decision!

In many enterprise level deployments I encounter the following are true:

  • They want to Secure XML – the transaction between StoreFront and the Controllers that contains user information. It’s obscured over plaintext but SSL is always better!
  • They DO NOT have IIS installed on the Controllers (as in, no Director or StoreFront roles installed) to keep services isolated and lower the attack surface.

Citrix Monitoring Webinar with ControlUP on 11/29/2017 Update: Recording now available

(Note: This article has been updated 12/1/2017)

The worst time to find out about problems in your Citrix environment is after they are already happening. But the built-in tools (Director) don’t really always paint the full picture to give you quality Citrix monitoring. You need Proactive Citrix Monitoring and ControlUp is here to help!

Citrix Monitoring Webinar on 11-29-2017

Yoni Avital (Founder & CTO of ControlUp) and I had an hour-long CUGC Connect webinar hosted by the Citrix User Group Community on Wednesday, November 29th 2017 at noon Central (US).

Yoni first showed me ControlUp almost 4 years ago and I’ve been enjoying watching them improve every year. I have loved the single-pane-of-glass approach they take to environment monitoring and engagement.

Why View the Replay?

Aside from hearing my soothing voice moderate… Yoni demoed ControlUp 7.1 which I believe excels not only at Citrix monitoring (as in XenApp/XenDesktop) but NetScaler monitoring as well!

New features also include adding nVidia vGPU at the VM and process level to your Citrix monitoring, metrics of your published applications (yay!) and a new troubleshooting feature.

Will there be a Demo?

YES- you’ll be able to see this all in action live in the webinar.

Is it Free?

YES- but you will need to sign up for the community at myCUGC.org and then view the replay at https://www.mycugc.org/p/fo/st/thread=2356

There were a lot of questions asked during the webinar, an unprecedented amount from the over 250 people attending!

So we gave Yoni all the questions that weren’t answered and he wrote them out in the thread!

I would love your feedback on the webinar, too.  Leave me a comment or connect with me on Twitter (@TheXenMaster)

As always- be sure to sign up for my free newsletter to always be informed of cool happenings like this!

A few notes:

  • This is not a paid endorsement of any product nor am I receiving any compensation for this webinar
  • I am a leader at CUGC and promote because I love it
  • I am moderating this webinar as a proud member of the Citrix Technology Advocates program

November Writing Project: Methodology Book

Have you ever wondered what methodology (standard processes) the leading consultants and professionals in the world use, and how you can do the same? I am willing to bet that many of you are like me: you have some instincts toward this, but the problem is that if it is all in your head, then you are the only one who works toward it.

What if your entire team could be operating off of the same methodology? What if that methodology was so compatible with others in the industry almost anyone could pick it up where you left off? What if it was so simple to categorize each step that even your management would quickly understand where you are in a process?

These are the questions I am setting out to answer in my first non-fiction book, which I started a few days ago as part of National Novel Writing Month. [NaNoWriMo for short: every November, thousands of non-professional writers are challenged to write a novel in a single month. The work must be 50,000 words but can be on any topic desired.] I was going to work on another for-fun-only Star Wars project… but given that I haven’t even shared the first result with the world, I figured maybe it was time to share something my readers could use. So, I thought about what I talk about most often that others are not always talking about. The answer I came up with, and I’m hoping it is worthwhile, is a standardized Professional Services Methodology.

Because it’s no secret and you have probably seen other writings from me on the topic- I’ll clue you in. The way I formulate my methodology is Assess, Design, Change and Maintain. You may have seen other ways to view this but this is what I find the simplest way to describe each step in the process.

So in the coming weeks and months- I’ll be asking for your feedback on what elements of methodology you currently utilize. I want to know how you see things so I can best equip you for success! In the midst of this process, we are going to go thru a live example using a current relevant topic – NetScaler Security. You won’t want to miss this! Stay tuned by subscribing to this blog or the newsletter!

Do You Use a Standardized Methodology Every Day?
NetScaler Security for the XenApp Dummy – Part 1: Assess

So you have this “NetScaler” thing to front end your XenApp or XenDesktop environment… But maybe you are like me and NetScaler security isn’t what you spend most of your day dealing with. So, how can you make sure, in light of recent security threats, that it is running properly? In a post in 2016 I discussed how to get an A+ rating at SSL Labs for your NetScaler Gateway in under 5 minutes. I figured it was time for an update for 2017, taking some new things into consideration but approaching this from the point of view of someone like me who isn’t “A NetScaler Person.”

Given that my point of reference in 2012 was this wonderful Citrix blog article called “NetScaler for the XenApp Dummy” I thought I would pay homage with my own guide! And for the record, I’m not calling anyone a ‘dummy’. I’m just trying to take the approach of not having any assumptions so everyone can understand. I’ve learned a lot just in writing this article! So don’t be a dummy like I was- take NetScaler Security seriously even if you’re just using it for NetScaler Gateway!

In this series you’ll learn simple ways to increase your NetScaler security (especially for NetScaler Gateway) using our recommended 4-phase Methodology: Assess, Design, Change, Maintain.

Our first step will be to Assess the current state of your NetScalers and figure out what areas of risk you have.
