Updating Citrix Gateway to 13.0-64.35 and Storefront to 1912 CU1

by Stan Czerno September 26, 2020 12:01 CST

I have updated Citrix StoreFront to 1912 CU1 (1912.0.1000) because of CVE-2020-8200. https://support.citrix.com/article/CTX277455

I also updated my VPX Citrix Gateway from 13.0-58.30 to 13.0-64.35 (NS13.0 64.35.nc) because of https://support.citrix.com/article/CTX281474

Storefront was a very easy upgrade. I did have to make a few tweaks to my customization, but if you are not changing things other than logos, you'll be fine.

Citrix Gateway was an interesting upgrade, however. The upload of the firmware kept timing out, even when using WinSCP. I just had to keep retrying with WinSCP to get it to upload successfully, even rebooting the VM a few times in between retries.

After I applied the new Firmware, the authentication did not work and there were no errors other than the generic/cryptic "Cannot complete your request" on the Storefront after logon.

I read the release notes at https://docs.citrix.com/en-us/citrix-adc/downloads/release-notes-13-0-64-35.html and I discovered:

Support to disable the weak Basic, Digest, and NTLM authentication globally
The SSO configuration is now made more secure by dishonoring the following weak authentication methods globally.

– Basic authentication
– Digest Access Authentication
– NTLM without setting Negotiate NTLM2 Key or Negotiate Sign

For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/enable-sso-for-auth-pol.html

I added the following action and policy to my Citrix Gateway to get it to work as it was previously configured:
add VPN TrafficAction XD_traffic_action_SSO HTTP -SSO ON
add VPN TrafficPolicy XD_traffic_policy_SSO true XD_traffic_action_SSO

Then I had to bind the new policy to my Citrix Gateway vServer:
bind VPN vServer _XD_<my_IP_Address_443> -policy XD_traffic_policy_SSO -priority 100 -gotoPriorityExpression END -type REQUEST

I am still digesting the changes to SSO, but for now, I am leaving them as is. I will circle back later on to look at my options for authentication. I'm under the impression I will need to stand up ADFS or do some type of Kerberos Delegation.
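
Added example, not part of the original post and not Citrix code: a small Python audit that reads ns.conf-style text and lists each Gateway vServer bound to a traffic policy whose action sets -SSO ON, flagging policies whose expression is true (as in the post) because they apply to every request. The sample configuration, the vServer names in it and the scoped expression are constructed placeholders, and only vServer bindings are checked.

```python
import shlex

# Constructed ns.conf-style sample. Policy/action names follow the post;
# the vServer names and the scoped expression are placeholders.
SAMPLE_CONF = r'''
add vpn trafficAction XD_traffic_action_SSO http -SSO ON
add vpn trafficAction no_sso_action http -SSO OFF
add vpn trafficPolicy XD_traffic_policy_SSO true XD_traffic_action_SSO
add vpn trafficPolicy scoped_policy "HTTP.REQ.URL.STARTSWITH(\"/Citrix/\")" XD_traffic_action_SSO
add vpn trafficPolicy no_sso_policy true no_sso_action
bind vpn vserver _XD_placeholder_443 -policy XD_traffic_policy_SSO -priority 100 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_placeholder_443 -policy no_sso_policy -priority 110 -type REQUEST
bind vpn vserver _XD_other_443 -policy scoped_policy -priority 100 -type REQUEST
'''

def option(tokens, name):
    """Return the value after a -option (matched case-insensitively), else None."""
    lowered = [t.lower() for t in tokens]
    if name.lower() in lowered[:-1]:
        return tokens[lowered.index(name.lower()) + 1]
    return None

def audit_sso(conf_text):
    """List vServer bindings that re-enable SSO through a traffic policy."""
    sso_actions, policies, binds = set(), {}, []
    for line in conf_text.splitlines():
        tok = shlex.split(line)
        head = [t.lower() for t in tok[:3]]
        if head == ["add", "vpn", "trafficaction"] and len(tok) > 3:
            if (option(tok, "-SSO") or "").upper() == "ON":
                sso_actions.add(tok[3])
        elif head == ["add", "vpn", "trafficpolicy"] and len(tok) >= 6:
            policies[tok[3]] = (tok[4], tok[5])  # name -> (expression, action)
        elif head == ["bind", "vpn", "vserver"] and len(tok) > 3:
            binds.append((tok[3], option(tok, "-policy")))
    findings = []
    for vserver, policy in binds:  # resolved after parsing, so line order is irrelevant
        expr, action = policies.get(policy, (None, None))
        if action in sso_actions:
            findings.append({"vserver": vserver, "policy": policy,
                             "expression": expr,
                             "matches_all": expr.lower() == "true"})
    return findings

if __name__ == "__main__":
    for f in audit_sso(SAMPLE_CONF):
        scope = "ALL requests" if f["matches_all"] else f["expression"]
        print(f'{f["vserver"]}: SSO ON via {f["policy"]} for {scope}')
```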


Categories: Citrix | Storefront
