I’m a huge fan of running common open source packages in Docker containers. It greatly simplifies deployment, re-deployment, maintenance and backup of software that can be very complicated otherwise. In my lab, I have ended up with enough containers that one Docker host can’t house them all. My solution was to create a multi-node Docker Swarm cluster. Like many clustered solutions, this poses the question of “how am I going to load balance this?” Here…
After years of using a Synology NAS, I have finally started to migrate my backup workflows to their native products (Hyper Backup and Active Backup) in my home environment. I quickly ran into a roadblock when I found that Hyper Backup doesn’t support Windows SMB file shares as a destination. Fortunately, it does support custom S3 servers. Using Minio, I was able to complete my backup workflow with the native Synology tools. This was a…
NetScaler (yeah, yeah, we’re supposed to call it ADC now) has a very cool IP Reputation feature that allows admins to easily block traffic from known-bad IP addresses. Unfortunately, because it’s so straightforward to use, there’s not a ton of information available on how to troubleshoot it when it doesn’t work. I’ve been fighting an issue with it, and a recent NetScaler update helped me finally solve it.
Let’s Encrypt has proven to be a fantastic solution for obtaining and maintaining SSL certificates. It’s completely free and once it’s set up, you never need to worry about certificate renewal again. The only drawback is that it requires automation. Let’s Encrypt certificates are only valid for 90 days, and you’re expected to renew them programmatically. This makes using them with a NetScaler somewhat difficult. As I’ve mentioned before, Ryan Butler has bailed us out with…
A while back, I wrote a post on integrating NetScaler nFactor with Duo for 2-factor authentication. The implementation in that post included some workarounds for two limitations between nFactor and Duo. These workarounds were great, but they made the configuration more complicated. They also had some limitations. The good news is that we don’t need them anymore.
Some time ago, I replaced LastPass with the Bitwarden password manager for personal use. I wanted something that had the features of LastPass, but could be self-hosted. Bitwarden checks all of those boxes with a really slick set of clients, a Docker-based server package and a super responsive developer. The Docker container comes with a really easy-to-use script to launch it, configure it…and update it. I have a scheduled job that…
I’ve been using the Sophos XG firewall on a virtual machine as a perimeter firewall at home for some time. They provide a fantastic enterprise feature set free for home users. Recently though, I had a problem with the Sophos XG Web Console. It suddenly became inaccessible with no configuration changes and no meaningful errors.
NetScaler’s NITRO is a very powerful and feature-rich API. It is robust to the point where you can manage nearly 100% of NetScaler functionality through it. This makes enterprise-level programmatic management and orchestration of NetScaler fleets a reality. The one drawback is that since it’s a REST API, it can be a bit difficult to interface with directly without some kind of wrapper or library. PowerShell is very useful for anything from quick and…
It’s always been annoying to pay for and manage the SSL certificates in the lab environments I manage. That’s why I was a very early adopter of Let’s Encrypt. It’s a fantastic resource for free, hands-off SSL certificates…as long as you’re on a platform that supports it. Unfortunately NetScaler is, at this time, not one of those platforms. Lucky for us, there are folks like Ryan Butler out there. He created an awesome Python script…
UPDATE: Citrix and Duo have made some changes that simplify this configuration. I discuss a new variation of this configuration in this post. Duo has become prevalent enough that I check its compatibility any time I’m looking at a new remote access system. Duo actually publishes a solid how-to on integrating with NetScaler, specifically Gateway. Unfortunately, this method relies on the old NetScaler Basic Authentication Policy framework and uses some secret sauce internal to both NetScaler…