Exchange Microsoft NetScaler

Converting SSL certificates

Often when you buy or receive a new certificate, you need it in a different format depending on your needs.

PEM Format

The PEM format is the most common format in which CAs issue certificates. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64-encoded ASCII files and contain “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

Apache and other similar servers like Citrix NetScaler use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

DER Format

The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der, but it often has a file extension of .cer, so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java-related platforms.

PKCS#7/P7B Format

The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B certificates contain “-----BEGIN PKCS7-----” and “-----END PKCS7-----” statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files, including Microsoft Windows and Java Tomcat.

PKCS#12/PFX Format

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CACert.cer, and privateKey.key respectively.
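Added example (not from the original post): a shell function that performs the text-editor check automatically and also tells binary DER certificates apart from PFX files by their first bytes. The name cert_format and the sample files are constructed for illustration; the result is a heuristic based on the leading bytes, not a validation of the file.

```shell
#!/bin/sh
# cert_format FILE: print the container format of a certificate/key file.
# Heuristic: reads the PEM label or the first DER tags; it does not validate.
cert_format() {
    f=$1
    # PEM family: the BEGIN line names the content type.
    label=$(LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$f" | head -n 1)
    case $label in
        CERTIFICATE)    echo "PEM certificate"; return 0 ;;
        PKCS7)          echo "PEM PKCS#7 (P7B)"; return 0 ;;
        *"PRIVATE KEY") echo "PEM private key"; return 0 ;;
        ?*)             echo "PEM $label"; return 0 ;;
    esac
    # Binary family: DER opens with a SEQUENCE tag (0x30) followed by a length.
    set -- $(od -An -tx1 -N12 "$f")
    if [ "$#" -lt 4 ] || [ "$1" != 30 ]; then echo "unknown"; return 1; fi
    len=$((0x$2)); skip=0
    # Long-form length: the low 7 bits give the number of length octets to skip.
    if [ "$len" -gt 128 ]; then skip=$((len - 128)); fi
    if [ "$skip" -gt 4 ] || [ "$#" -lt $((3 + skip)) ]; then echo "unknown"; return 1; fi
    shift $((2 + skip))
    # The first element inside the outer SEQUENCE separates the structures.
    case "$1 $2 $3" in
        "30 "*)                echo "DER certificate (or CSR/CRL)" ;;
        "02 01 03")            echo "PKCS#12 (PFX)" ;;        # INTEGER version 3
        "02 01 00"|"02 01 01") echo "DER private key" ;;      # INTEGER version 0/1
        "06 "*)                echo "DER PKCS#7 (P7B)" ;;     # contentType OID
        *)                     echo "unknown DER"; return 1 ;;
    esac
}

# Constructed samples (not real certificates): only the leading bytes matter.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$demo/pem.cer"
printf '\060\202\003\125\060\202\002\075' > "$demo/der.cer"
printf '\060\202\011\121\002\001\003\060\202' > "$demo/site.pfx"
for s in "$demo"/*; do printf '%s: %s\n' "${s##*/}" "$(cert_format "$s")"; done
```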

OpenSSL Commands to Convert SSL Certificates

There are several online converters for SSL certificates, but I urge you to convert the certificate locally with OpenSSL. You don’t want to store your private key on someone else’s machine. If you do it locally, the private key stays on your machine. A good point here is that you should have some form of disk encryption on your laptop so that the keys remain safe in the event that your PC/laptop is stolen. Use the following OpenSSL commands to convert SSL certificates to different formats:

OpenSSL Convert PEM

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx

OpenSSL Convert PFX

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
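The manual copy-and-paste step described earlier for the PFX to PEM output can be scripted. This is an added example, not part of the original post: the function name split_pem, the output names cert1.cer and privateKey1.key, and the sample bundle are assumptions for illustration. Because -nodes writes the private key unencrypted, the files are created readable by the owner only.

```shell
#!/bin/sh
# split_pem BUNDLE OUTDIR: write every PEM block in BUNDLE to its own file.
split_pem() {
    bundle=$1; out=$2
    # umask 077 in a subshell: new files are owner-only (0600), because the
    # bundle produced with "-nodes" holds the private key unencrypted.
    ( umask 077
      mkdir -p "$out"
      awk -v out="$out" '
        /^-----BEGIN / {
            # Keys and certificates are numbered in the order they appear.
            if ($0 ~ /PRIVATE KEY/) file = sprintf("%s/privateKey%d.key", out, ++k)
            else                    file = sprintf("%s/cert%d.cer", out, ++n)
            inblock = 1
        }
        inblock { print > file }    # "Bag Attributes" text between blocks is dropped
        /^-----END / { inblock = 0; close(file) }
      ' "$bundle" )
}

# Constructed bundle shaped like the PFX to PEM output above
# (Base64 bodies are placeholders, not real key material).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/certificate.cer" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
subject=CN = www.example.test
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0VSVkVS
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END PRIVATE KEY-----
EOF
split_pem "$demo/certificate.cer" "$demo/split"
ls -l "$demo/split"
```

The numbering follows the order in the bundle, so check each file with openssl x509 -noout -subject -in cert1.cer to see which one is the server certificate and which is the CA certificate.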


Exchange NetScaler XenMobile

NetScaler: Configuring ActiveSync Filtering with XenMobile Netscaler Connector (XNC)

When you have XenMobile XNC, it is possible to filter ActiveSync requests going through the NetScaler.

It works as follows:

  1. The NetScaler appliance sits between the client and the XNC and CAS servers.
  2. All requests from the client devices go to the NetScaler appliance.
  3. The NetScaler then sends a request to the XNC with the device details to retrieve information about the device, whether the device is a whitelisted one or a blacklisted one.
  4. Based on the response from the XNC, the NetScaler either drops the connection from a blacklisted device or forwards the request from a whitelisted device to the backend server.

You need the following features enabled and properly configured on the NetScaler:

  • Load Balancing
  • SSL
  • HTTP Callout
  • Responder
  • Integrated Caching (IC)

This means that you need NetScaler Enterprise + IC or NetScaler Platinum.

Integrated Caching is needed for performance reasons. With IC, the NetScaler can store the callout response from the XNC in the local cache. For subsequent requests from the same device, the NetScaler reuses the stored callout response to decide locally whether to drop the connection or forward the request.

The same process at a technical level:

  1. First, an ActiveSync request is sent from the client to the NetScaler.
  2. Then, the NetScaler sends a request to the XNC server for information on the client device details.
  3. Then, the XNC server sends the response (allow or deny) to the NetScaler.
  4. If the request is allowed, NetScaler forwards it to the server. If the response is deny, NetScaler drops the request.
  5. For a request that is allowed, the NetScaler sends the server’s response to the client.


  • MIP:
  • VIP:
  • Exchange CAS:
  • XNC:

Below is an example configuration:

Step 1
enable ns feature LB SSL IC RESPONDER
add ns ip -type MIP

Step 2
add service XNC1 HTTP 9080
add lb vserver active_sync_filter_vserver HTTP 0
bind lb vserver active_sync_filter_vserver XNC1

Step 3
add service CAS1 SSL 443
add lb vserver ExchangeCAS SSL 443
bind lb vserver ExchangeCAS CAS1

Step 4
add ssl certKey customercert -cert "/nsconfig/ssl/customercert.cert" -key "/nsconfig/ssl/customercert.key"
bind ssl vserver ExchangeCAS -certkeyName customercert

Step 5
add policy httpCallout active_sync_filter
add policy httpCallout active_sync_filter_deviceid

Step 6
set policy httpCallout active_sync_filter -vServer active_sync_filter_vserver -returnType TEXT -hostExpr "\"callout.asfilter.internal\"" -urlStemExpr "\"/services/ActiveSync/Authorize\"" -parameters user(HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE) agent(HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE) ip(CLIENT.IP.SRC) url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE) resultType("json") -resultExpr "HTTP.RES.BODY(20)"

Step 7
set policy httpCallout active_sync_filter_deviceid -vServer active_sync_filter_vserver -returnType TEXT -hostExpr "\"callout.asfilter.internal\"" -urlStemExpr "\"/services/ActiveSync/Authorize\"" -parameters user(HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE) agent(HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE) ip(CLIENT.IP.SRC) url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE) resultType("json") DeviceId(HTTP.REQ.URL.QUERY.VALUE("DeviceId")) -resultExpr "HTTP.RES.BODY(20)"

Step 8
add responder policy active_sync_filter "HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\").NOT && HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"callout.asfilter.internal\").NOT && SYS.HTTP_CALLOUT(active_sync_filter).SET_TEXT_MODE(IGNORECASE).CONTAINS(\"allow\").NOT" DROP

Step 9
add responder policy active_sync_filter_deviceid "HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\") && HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"callout.asfilter.internal\").NOT && SYS.HTTP_CALLOUT(active_sync_filter_deviceid).SET_TEXT_MODE(IGNORECASE).CONTAINS(\"allow\").NOT" DROP

If you have NetScaler Gateway or NetScaler Standard, you can still use the XNC, but it can have a significant impact because every request needs to go to the backend server. See step 18.

Step 10
set cache parameter -memLimit 200 -via "NS-CACHE-10.1: 180"
add cache selector Url_Match "HTTP.REQ.URL.QUERY.VALUE(\"url\")"

Step 11
add cache selector DeviceId_Match HTTP.REQ.URL.PATH HTTP.REQ.HOSTNAME "HTTP.REQ.URL.QUERY.VALUE(\"DeviceId\") + \"-\" + HTTP.REQ.URL.QUERY.VALUE(\"user\")"

Step 12
add cache contentGroup Req_with_DeviceId -relExpiry 300 -hitSelector DeviceId_Match

Step 13
add cache contentGroup Req_without_DeviceId -relExpiry 300 -hitSelector Url_Match

Step 14
add cache policy cache_req_with_DeviceId -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"callout\") && HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\")" -action CACHE -storeInGroup Req_with_DeviceId

Step 15
add cache policy cache_req_without_DeviceId -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"callout\") && HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\").NOT && HTTP.REQ.URL.QUERY.CONTAINS(\"url\")" -action CACHE -storeInGroup Req_without_DeviceId

Step 16
bind lb vserver active_sync_filter_vserver -policyName cache_req_without_DeviceId -priority 90 -gotoPriorityExpression END -type REQUEST
bind lb vserver active_sync_filter_vserver -policyName cache_req_with_DeviceId -priority 100 -gotoPriorityExpression END -type REQUEST

Step 17
bind lb vserver ExchangeCAS -policyName active_sync_filter_deviceid -priority 90 -gotoPriorityExpression END -type REQUEST
bind lb vserver ExchangeCAS -policyName active_sync_filter -priority 100 -gotoPriorityExpression END -type REQUEST

Step 18 (WITHOUT IC license)
bind lb vserver ExchangeCAS -policyName active_sync_filter_deviceid -priority 90 -gotoPriorityExpression END -type REQUEST

bind lb vserver ExchangeCAS -policyName active_sync_filter -priority 100 -gotoPriorityExpression END -type REQUEST





NetScaler XenApp

NetScaler 10.1 Maximum ICA users

Last week I received a question from a new 10.1 NetScaler Gateway implementation: when more than 5 users were logged in on the CAG, the following error was shown:

“Error: Login exceeds maximum allowed users”

But when you do a “show license” Maximum ICA users = “Unlimited” is shown.

For more info:

These 5 users were using the 5 built-in platform licenses meant for SSL VPN/ MicroVPN and other nice things!

To resolve this issue, if you are only using it for XenApp/ Desktop, simply change the “Smart-Access Mode” to “Basic Mode” on the CAG vServer.


NetScaler – Java update breaks GUI

A few days ago Oracle released Java update 7u51. This update contains security updates which break the applet that is used to configure the NetScaler via the GUI. When you have installed the update and try to open the GUI, you’ll get the warning shown in the screenshot below.


To overcome this issue you have 2 options:

  1. Use an older version of Java (not recommended).
  2. Use the new feature in this Java version (they saw it coming 🙂), which uses an Exception Site List. Check it out: all you have to do is add the NetScaler address to this list.