Cisco FirePower Management Center 6.0.0 Password

In previous versions of Cisco FirePower Management Center (< 5.x) the default credentials were:

Username: admin
Password: Sourcefire

From version 6 onward the default password has changed and is not (yet) listed in the Cisco documentation.

Username: admin
Password: Admin123


NetScaler: Configuring ActiveSync Filtering with XenMobile XNC

NetScaler: Configuring ActiveSync Filtering with XenMobile Netscaler Connector (XNC)

When you have XenMobile XNC it is possible to filter ActiveSync requests going through the NetScaler.

It works as follows:

  1. The NetScaler appliance sits between the client and the XNC and CAS servers.
  2. All requests from the client devices go to the NetScaler appliance.
  3. The NetScaler then sends a request to the XNC with the device details to retrieve information about the device, whether the device is a whitelisted one or a blacklisted one.
  4. Based on the response from the XNC, the NetScaler either drops the connection from a blacklisted device or forwards the request from a whitelisted device to the backend server.

You need the following features on the NetScaler, and they must be configured properly:

  • Load Balancing
  • SSL
  • HTTP Callout
  • Responder
  • Integrated Caching (IC)

This means that you need NetScaler Enterprise + IC or NetScaler Platinum.

Integrated Caching is needed for performance reasons. With IC the NetScaler can store the callout response from the XNC in its local cache. For subsequent requests from the same device, the NetScaler reuses the stored callout response to decide locally whether to drop the connection or forward the request.

The process described above, now at a technical level:

  1. First, an ActiveSync request is sent from the client to the NetScaler.
  2. Then, the NetScaler sends a request to the XNC server for information on the client device details.
  3. Then, the XNC server sends its response (allow or deny) to the NetScaler.
  4. If the request is allowed, the NetScaler forwards it to the server. If the response is deny, the NetScaler drops the request.
  5. For a request that is allowed, the NetScaler sends the server's response to the client.

Example:

  • MIP: 10.100.100.11
  • VIP: 10.100.100.21
  • Exchange CAS: 10.100.100.31
  • XNC: 10.100.100.41

Below is an example configuration:

Step 1
enable ns feature LB SSL IC RESPONDER
add ns ip 10.100.100.11 255.255.255.0 -type MIP

Step 2
add service XNC1 10.100.100.41 HTTP 9080
add lb vserver active_sync_filter_vserver HTTP 0.0.0.0 0
bind lb vserver active_sync_filter_vserver XNC1

Step 3
add service CAS1 10.100.100.31 SSL 443
add lb vserver ExchangeCAS SSL 10.100.100.21 443
bind lb vserver ExchangeCAS CAS1

Step 4
add ssl certKey customercert -cert "/nsconfig/ssl/customercert.cert" -key "/nsconfig/ssl/customercert.key"
bind ssl vserver ExchangeCAS -certkeyName customercert

Step 5
add policy httpCallout active_sync_filter
add policy httpCallout active_sync_filter_deviceid

Step 6
set policy httpCallout active_sync_filter -vServer active_sync_filter_vserver -returnType TEXT -hostExpr "\"callout.asfilter.internal\"" -urlStemExpr "\"/services/ActiveSync/Authorize\"" -parameters user(HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE) agent(HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE) ip(CLIENT.IP.SRC) url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE) resultType("json") -resultExpr "HTTP.RES.BODY(20)"

Step 7
set policy httpCallout active_sync_filter_deviceid -vServer active_sync_filter_vserver -returnType TEXT -hostExpr "\"callout.asfilter.internal\"" -urlStemExpr "\"/services/ActiveSync/Authorize\"" -parameters user(HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE) agent(HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE) ip(CLIENT.IP.SRC) url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE) resultType("json") DeviceId(HTTP.REQ.URL.QUERY.VALUE("DeviceId")) -resultExpr "HTTP.RES.BODY(20)"

Step 8
add responder policy active_sync_filter "HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\").NOT && HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"callout.asfilter.internal\").NOT && SYS.HTTP_CALLOUT(active_sync_filter).SET_TEXT_MODE(IGNORECASE).CONTAINS(\"allow\").NOT" DROP

Step 9
add responder policy active_sync_filter_deviceid "HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\") && HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"callout.asfilter.internal\").NOT && SYS.HTTP_CALLOUT(active_sync_filter_deviceid).SET_TEXT_MODE(IGNORECASE).CONTAINS(\"allow\").NOT" DROP

If you have NetScaler Gateway or NetScaler Standard you can still use the XNC, but it can have a significant performance impact because every request needs to go to the backend server. See step 18.

Step 10
set cache parameter -memLimit 200 -via "NS-CACHE-10.1: 180"
add cache selector Url_Match "HTTP.REQ.URL.QUERY.VALUE(\"url\")"

Step 11
add cache selector DeviceId_Match HTTP.REQ.URL.PATH HTTP.REQ.HOSTNAME "HTTP.REQ.URL.QUERY.VALUE(\"DeviceId\") + \"-\" + HTTP.REQ.URL.QUERY.VALUE(\"user\")"

Step 12
add cache contentGroup Req_with_DeviceId -relExpiry 300 -hitSelector DeviceId_Match

Step 13
add cache contentGroup Req_without_DeviceId -relExpiry 300 -hitSelector Url_Match

Step 14
add cache policy cache_req_with_DeviceId -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"callout\") && HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\")" -action CACHE -storeInGroup Req_with_DeviceId

Step 15
add cache policy cache_req_without_DeviceId -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"callout\") && HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\").NOT && HTTP.REQ.URL.QUERY.CONTAINS(\"url\")" -action CACHE -storeInGroup Req_without_DeviceId

Step 16
bind lb vserver active_sync_filter_vserver -policyName cache_req_without_DeviceId -priority 90 -gotoPriorityExpression END -type REQUEST
bind lb vserver active_sync_filter_vserver -policyName cache_req_with_DeviceId -priority 100 -gotoPriorityExpression END -type REQUEST

Step 17
bind lb vserver ExchangeCAS -policyName active_sync_filter_deviceid -priority 90 -gotoPriorityExpression END -type REQUEST
bind lb vserver ExchangeCAS -policyName active_sync_filter -priority 100 -gotoPriorityExpression END -type REQUEST

Step 18 (WITHOUT IC license)
bind lb vserver ExchangeCAS -policyName active_sync_filter_deviceid -priority 90 -gotoPriorityExpression END -type REQUEST

bind lb vserver ExchangeCAS -policyName active_sync_filter -priority 100 -gotoPriorityExpression END -type REQUEST
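To make the decision logic of steps 6 to 11 concrete, here is an added Python model of it (example code, not part of the original post and not anything shipped by Citrix): it builds the callout parameters the way the httpCallout policies do, keys a local cache the way the hit selectors do, and returns DROP exactly when the callout body does not contain "allow". The XNC itself is replaced by a constructed stand-in with made-up DeviceIds and users; quote() is used as an approximation of HTTP_URL_SAFE.

```python
import base64
from urllib.parse import urlsplit, parse_qs, quote

# Constructed sample verdicts: a stand-in for the XNC Authorize service, which is not modelled here.
XNC_DEVICE_VERDICTS = {"ABC123": "allow", "DEF456": "deny"}   # whitelisted / blacklisted DeviceIds
XNC_ALLOWED_USERS = {"alice"}                                 # used when the request carries no DeviceId

def make_request(method, host, url, user, password, agent, client_ip):
    """Build a minimal ActiveSync request carrying the headers the policies read (constructed input)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"method": method, "host": host, "url": url, "client_ip": client_ip,
            "headers": {"authorization": "Basic " + token, "user-agent": agent}}

def callout_params(req):
    """Parameters the httpCallout policies of steps 6 and 7 send to the XNC."""
    auth = req["headers"].get("authorization", "")
    creds = base64.b64decode(auth[len("Basic "):]).decode() if auth.startswith("Basic ") else ""
    params = {
        "user": quote(creds.split(":", 1)[0], safe=""),                 # AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":")
        "agent": quote(req["headers"].get("user-agent", ""), safe=""),  # quote() approximates HTTP_URL_SAFE
        "ip": req["client_ip"],                                         # CLIENT.IP.SRC
        "url": base64.b64encode(("https://" + req["host"] + req["url"]).encode()).decode(),
        "resultType": "json",
    }
    device_id = parse_qs(urlsplit(req["url"]).query).get("DeviceId")
    if device_id:                                                       # step 7 adds DeviceId when present
        params["DeviceId"] = device_id[0]
    return params

def fake_xnc(params):
    """Constructed stand-in for the XNC: returns a JSON body that either contains "allow" or does not."""
    if "DeviceId" in params:
        verdict = XNC_DEVICE_VERDICTS.get(params["DeviceId"], "deny")
    else:
        verdict = "allow" if params["user"] in XNC_ALLOWED_USERS else "deny"
    return '{"result": "%s"}' % verdict

def should_drop(req, cache, xnc=fake_xnc):
    """Evaluate the responder policies of steps 8 and 9; True means the request is dropped."""
    if not (req["method"] == "POST"
            and req["url"].startswith("/Microsoft-Server-ActiveSync")
            and req["host"] != "callout.asfilter.internal"):
        return False                       # rule does not match: the request is not filtered at all
    params = callout_params(req)
    # Hit selectors of steps 10/11: DeviceId + "-" + user, or the url parameter when there is no DeviceId
    # (the selector's path and hostname components are left out of this simplified key).
    key = params["DeviceId"] + "-" + params["user"] if "DeviceId" in params else params["url"]
    if key not in cache:                   # Integrated Caching: the XNC is only asked on a cache miss
        cache[key] = xnc(params)
    return "allow" not in cache[key].lower()   # CONTAINS("allow") with IGNORECASE, negated -> DROP
```

Calling should_drop twice for the same device only reaches the stand-in XNC once, which is the saving the IC licence buys in step 17 versus step 18.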

NetScaler 10.1 Maximum ICA users

Last week I received a question from a new NetScaler Gateway 10.1 implementation: when more than 5 users were logged in on the CAG, the following error was shown:

"Error: Login exceeds maximum allowed users"

But when you run "show license", Maximum ICA users = "Unlimited" is shown.

For more info: http://support.citrix.com/article/CTX138561

These 5 users were using the 5 built-in platform licenses meant for SSL VPN / MicroVPN and other nice things!

To resolve this issue, if you are only using it for XenApp/XenDesktop, simply change the "Smart-Access Mode" to "Basic Mode" on the CAG vServer.

NetScaler – Java update breaks GUI

A few days ago Oracle released Java update 7u51. This update contains security changes which break the applet used to configure the NetScaler via the GUI. When you have installed the update and try to open the GUI you'll get the warning shown in the screenshot below.

[Screenshot: Java applet security warning]

To overcome this issue you have 2 options:

  1. Use an older version of Java (not recommended).
  2. Use the new Exception Site List feature in this Java version (they saw it coming 🙂). Check it out at https://blogs.oracle.com/java-platform-group/entry/upcoming_exception_site_list_in; all you have to do is add the NetScaler address to this list.