NetScaler has a ton of very cool, and in my opinion sometimes underappreciated, features beyond just load balancing. One such feature is the Web App Firewall. The thing is like a Swiss Army Knife of features and functionality designed to secure web applications. And, like almost everything NetScaler on the short spectrum installation is super simple, doesn’t take more than five minutes, and will increase the security of your app tenfold at least. Or, on the long spectrum you could go super custom and design something super powerful, and fit specifically to your needs. Before continuing on I should tell you that you will need a Platinum Edition NetScaler (eval licenses are available) in order to complete these exercises. I’ll assume basic setup and licensing are already done.

For NetSaler customers read on to see some cool features you may not have known about and potentially demo them in your own lab. For Citrites and partners read on for a quick and easy way to demo a Platinum feature. Even if you are using a prebuilt lab (ie the Citrix Demo Center) the exercises towards the end of the blog should give you a good idea of a few quick things to show customers.

In this post I’m going to show you how to quickly deploy WebGoat and NetScaler App Firewall (again if you’re using something like the Citrix demo center WebGoat should already be installed). In my next post I’ll go through a few quick attacks on the WebGoat server in order to demonstrate the functionallity of App Firewall. For those of you that don’t know WebGoat is a web site that was designed specifically to teach developers how to avoid designing easily hacked websites. The service can easily be installed on a Windows or Linux box. I’ll go over a quick setup on Windows 8, but more detailed instructions and install media can be found at .

  1. Download from the above link
  2. Extract the files (I sent them straight to C:/WebGoat)
  3. Modify server_80.xml for an IP address
  4. Open C:\WebGoat\WebGoat-5.4\tomcat\conf\server_80.xml
  5. Locate the following line and replace with the IP address you would like to access WebGoat on

<!– Define a non-SSL HTTP/1.1 Connector on port 8080 –> …

<Connector address=”<WebGoat Server IP>” port=”80″ …

  1. Run
  2. To test go to <WebGoat Server IP>/WebGoat/attack (case sensitive)
  3. Guest/guest

Once you have WebGoat up and running you’re all ready to have some fun with NetScaler. In case you didn’t catch it in the steps above we modified WebGoat to be accessed through an IP address, as opposed to the default localhost, so that we can use the NetScaler to evaluate traffic before hitting the WebGoat server. The NetScaler load balancing setup in this case is pretty simple for starters. I’m assuming basic setup and licensing has already been done. 

  1. Create the LB vserver
  2. Enable ns feature lb
  3. Add server WebGoat <WebGoat Server IP>
  4. Add service WebGoat-Service WebGoat HTTP 80
  5. Add lb vserver WebGoat-VIP HTTP <WebGoat VIP>
  6. Bind lb vserver WebGoat-VIP WebGoat-Service
    1. Run sh lb vserver WebGoat-VIP to ensure that the service is up 

At this point we have WebGoat running on a server and we have a NetScaler VIP set up to load balance one server. From here there are a million possibilities. I’m going to show you how to do a quick App Firewall setup then run a few common attacks on WebGoat in order to demonstrate the functionality of App Firewall. At this point we could go through a super easy setup and just do the wizard, but I’m trying to give you a little bit of an idea how this works so I’m going to skip the wizard and do a little bit of manual config. I’ll also be switching over to the GUI for this slightly more advanced config. 

  1. If you haven’t already right click the yellow hexagon and enable Application Firewall under the Security tab. From this point on I’ll be working exclusively under the Security, Application Firewall tab and have dropped it from location references for simplicity.
  2. Create WebGoat signatures
    • Go to signatures and highlight the *Default Signatures
    • Select Add and name the profile to WebGoat-Signatures
    • Feel free to click around the signatures. I’m sticking with the defaults for now.
  • Create a WebGoat profile
    • Select profiles and add WebGoat-Profile choose Web 2.0 App as the profile type
    • Once the profile is created open it up and go to Security Checks. Here you can see all of the security checks that the App Firewall is set up to do.
    • First and foremost Start URL needs to have Block unchecked. Start url only allows directory browsing from configured links. Since we want to start at <WebGoat server>/WebGoat/attack we must turn this feature off. The other solution would be to double click Start url and add the path. I turned on learning for start url so that we can look at it later.
    • For the attacks we’ll be attempting some cross-site scripting and SQL injection so I’ve made the configurations below.

      • Lastly under settings simply bind the WEbGoat-Signatures to the profile. This setting is the last drop down box in the window.
    1. Now we have signatures bound to a profile. The next step is to tell App Firewall when to apply this security profile via a policy.
      • To do this go to Policies, Firewall, Add
      • Here there is a virtually endless possibilities as to when we can apply this profile. For example we could apply only to external IP addresses, or only to people coming in from a desktop browser, and pretty much anything else you can come up with using the extremely flexible AppExpert engine. I want the policy to apply to all traffic so I’m simply going to use HTTP.REQ.IS_VALID. In the real world we would recommend limiting this traffic only to the necessary pages as it does take a good bit of computational power on the NetScaler to parse entire pages of HTML.  


      • The last step in the process is to bind the policy to something so that it will see the incoming traffic and do things (a technical term).
      • There are a few ways to get to the Policy Manager. The easiest is form the current Policies, Firewall menu to click the Action drop down and select Policy Manager.
      • I want this policy to apply everywhere so I’m going to apply it as a Default Global policy. Again in the real world it may be beneficial to apply the policy to the VIP of the servers you want to protect in order to avoid parsing all web traffic through the NetScaler. 

    1. Remember to apply changes when you’re done and you should be good to go.

    I hope that this post helped you to see all the possibilities available to you with App Firewall. So far we’ve installed WebGoat and set up the NetScaler to front end the server. On the NetScaler we’ve bound an App Firewall policy to the WebGoat VIP that will monitor L7 traffic sent between the server and client and block any potentially malicious attacks as per our definitions. The next step is to log into WebGoat from a client and attempt some attacks. In part 2 I’ll point out a few of my favorites in order to get you started.

    If you’re looking for something to do between now and next time you could check out this link for some demos: