Watch out when upgrading Netscaler pre 8.1 to 9.x!
Not everybody who is upgrading their Netscaler from a version before 8.1 to 9.x will read the release notes.
If you use application-name-based and port-based interception on your Citrix Netscaler with a version before 8.1, watch out when you want to upgrade to 8.1 or 9.x.
Both application-name-based and port-based interception were lost when Citrix decided to migrate the client from TDI-based to NDIS-based interception. If you are upgrading and you use port-based interception not only for connectivity but also for security, you suddenly lose that security without knowing it. After the upgrade, all systems that are defined in Intranet Applications are fully accessible through the tunnel, where before only specific applications/ports were accessible. In some environments this will result in a huge security risk/breach.
This was documented in the 8.1 release notes as follows:
“4. Named-based interception allows the Access Gateway to use transparent interception rules based on the application name. Port-based interception allows the Access Gateway to use transparent interception rules based on the destination port. In this release, name-based and port-based interception are not supported.”
The solution for this is the following:
To configure port-based interception, configure an intranet application with the IP address range for split tunnel interception. Then configure an authorization policy that allows or denies the IP address and port number. While this does not control which ports are intercepted, it does control the ports users can access because authorization policies are enforced after interception.
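The following is an added example (not Citrix code or configuration) that models the two objects the workaround relies on: intranet applications decide what is intercepted into the tunnel, authorization policies decide what is allowed once intercepted. It shows why an intranet application with no authorization policies exposes every port after the upgrade, how an allow-then-deny policy pair restores the old port restriction, and includes a small audit helper that flags ranges without any deny policy. The policy tuple format, the "first match wins" evaluation, and a default authorization action of ALLOW are assumptions of this model, not a description of the Netscaler implementation.

```python
import ipaddress

# Constructed model (added example, not Citrix code): policies are
# (network, ports, action) tuples evaluated in priority order;
# ports=None means "any port". default_action models the gateway's
# default authorization action and is assumed to be ALLOW.

def intercepted(intranet_apps, dst_ip):
    """True if dst_ip lies inside any intranet application address range."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(net) for net in intranet_apps)

def authorized(policies, dst_ip, dst_port, default_action="ALLOW"):
    """First matching authorization policy wins; otherwise the default applies."""
    ip = ipaddress.ip_address(dst_ip)
    for net, ports, action in policies:
        if ip in ipaddress.ip_network(net) and (ports is None or dst_port in ports):
            return action
    return default_action

def reachable(intranet_apps, policies, dst_ip, dst_port, default_action="ALLOW"):
    """A connection goes through only if it is intercepted AND authorized,
    because authorization is enforced after interception."""
    return (intercepted(intranet_apps, dst_ip)
            and authorized(policies, dst_ip, dst_port, default_action) == "ALLOW")

def unrestricted_ranges(intranet_apps, policies):
    """Audit helper: intranet ranges touched by no DENY policy at all, i.e.
    every port on every host in the range is reachable after the upgrade."""
    denies = [ipaddress.ip_network(n) for n, _, a in policies if a == "DENY"]
    return [app for app in intranet_apps
            if not any(ipaddress.ip_network(app).overlaps(d) for d in denies)]

# Constructed sample: one intranet application covering a server subnet.
INTRANET_APPS = ["10.10.0.0/16"]

# Post-upgrade state: port-based interception gone, no authorization policies.
NO_POLICIES = []

# Replacement: allow only the ports the old port-based rule exposed,
# then deny everything else in the same range.
PORT_POLICIES = [
    ("10.10.0.0/16", {80, 443}, "ALLOW"),
    ("10.10.0.0/16", None, "DENY"),
]

if __name__ == "__main__":
    print(reachable(INTRANET_APPS, NO_POLICIES, "10.10.1.5", 3389))    # True
    print(reachable(INTRANET_APPS, PORT_POLICIES, "10.10.1.5", 3389))  # False
    print(unrestricted_ranges(INTRANET_APPS, NO_POLICIES))             # ['10.10.0.0/16']
```

Running the audit helper against the real intranet application and authorization policy lists exported from the appliance, after the upgrade, is a quick way to spot ranges that lost their port restriction.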
I don’t think this is a good solution, and it will result in lots of work if you would like to use application-name-based and port-based interception. It would be very nice if Citrix decided to bring application-name-based and port-based interception back.
