
Alchemy Blog

3 Common Issues in Remediation of NetScaler CVE-2023-3519

After helping many of our customers upgrade from NetScaler ADC and NetScaler Gateway version 12.1 (end of life and vulnerable), we have identified three common issues and want to offer the following considerations to help those of you still working on remediation.


1. Licensing


The biggest issue we are seeing with clients who try to do this themselves is that they do not update their license first. After the reboot, the upgrade checks the Subscription Advantage date in the license file.

  • NetScaler 13.0 VPX needs a license file with a Subscription Advantage date after May 13, 2019
  • NetScaler 13.1 VPX needs a license file with a Subscription Advantage date after Aug 23, 2021

Older license files will not work. The symptom is that parts of the configuration go missing after the upgrade, especially SSL certificates. Run the following from the CLI to verify which license is in use and which features are enabled:

show ns license

If your license isn’t valid, you will notice that certain features, such as AAA, are no longer enabled. You can also check the license log for entries:

shell
cat /var/log/license.log

If the license is invalid, you will need to issue a new one from the MyCitrix portal.


Visit “How to Allocate and Install Citrix NetScaler VPX Licenses” to learn more.
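As an added pre-upgrade check for the licensing requirement above (example code written for this post, not a Citrix tool): it parses a license file off-box and reports whether every INCREMENT line's Subscription Advantage date is after the minimum for the target release. It assumes the SA date is the YYYY.MMDD version field on each INCREMENT line, and the sample license files are constructed.

```python
"""Pre-upgrade check of the Subscription Advantage (SA) date in a NetScaler license file."""
import re
from datetime import date

# Minimum SA dates quoted in the post; the file must be dated strictly after these.
REQUIRED_SA_DATE = {
    "13.0": date(2019, 5, 13),
    "13.1": date(2021, 8, 23),
}

# Assumption (not stated in the post): each INCREMENT line carries the SA date
# in its version field as YYYY.MMDD, e.g. "INCREMENT CNS_V100_SERVER CITRIX 2021.0823 ..."
INCREMENT_RE = re.compile(r"^INCREMENT\s+(\S+)\s+CITRIX\s+(\d{4})\.(\d{2})(\d{2})\b", re.MULTILINE)


def sa_dates(license_text):
    """Map each licensed feature to the SA date found on its INCREMENT line."""
    return {feat: date(int(y), int(m), int(d))
            for feat, y, m, d in INCREMENT_RE.findall(license_text)}


def check_license(license_text, target_release):
    """Return (ok, problems): ok is False when any feature's SA date is too old."""
    needed = REQUIRED_SA_DATE[target_release]
    found = sa_dates(license_text)
    if not found:
        return False, ["no INCREMENT lines found; is this a NetScaler license file?"]
    problems = [f"{feat}: SA date {d} is not after {needed} (required for {target_release})"
                for feat, d in sorted(found.items()) if d <= needed]
    return (not problems), problems


# Constructed sample files (not real Citrix licenses; SIGN values are placeholders).
OLD_LICENSE = """\
SERVER this_host HOSTNAME=ns-lic
VENDOR CITRIX
INCREMENT CNS_V100_SERVER CITRIX 2018.1101 permanent 1 SIGN="PLACEHOLDER"
"""
NEW_LICENSE = """\
SERVER this_host HOSTNAME=ns-lic
VENDOR CITRIX
INCREMENT CNS_V100_SERVER CITRIX 2023.0115 permanent 1 SIGN="PLACEHOLDER"
INCREMENT CNS_AAA_SERVER CITRIX 2023.0115 permanent 1 SIGN="PLACEHOLDER"
"""

if __name__ == "__main__":
    for name, text in (("old", OLD_LICENSE), ("new", NEW_LICENSE)):
        for rel in REQUIRED_SA_DATE:
            ok, problems = check_license(text, rel)
            print(f"{name} license for {rel}: {'OK' if ok else 'FAIL'}", *problems, sep="\n  ")
```

Run it against the license file before uploading it; a FAIL for the target release means a new file must be allocated first.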


2. “Error: Not a privileged user”


This error is due to a security change made to a global setting after 13.0 build 36.27. The default authorization policy in 12.1 is Allow, whereas in the latest 13.0 and 13.1 builds it is Deny. You can override this by binding a new authorization policy to your vserver or AAA group. Note that an allow-all policy restores the permissive 12.1 behaviour, so bind it only where it is actually needed.

From the CLI:

add authorization policy auth-pol_allow-all true ALLOW


3. “Http/1.1 Internal Server Error 43531”


This error is caused by classic expressions in session policies and can be fixed by replacing those session policies with advanced versions. This must be done for every gateway. Replace your classic Receiver and web expressions with the following; if your existing policies are more complex than this, convert them with nspepi.

WEB:

HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT

RECEIVER:

HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")

We hope these tips help those of you still working on the upgrade. As always, if there’s anything Alchemy can do to help resolve this NetScaler CVE-2023-3519 threat, please let us know. Our team of Citrix engineers has already helped many organizations upgrade successfully.

Alchemist: Mike Streetz

Solution Engineer