How to use NetScaler 10.5 variables Lync 2013 access and more


I work as a systems engineer in our sales department, where part of my job is to sit in customer meetings and hear all kinds of requests, each in a completely new context. The last question I usually hear is something like "Can NetScaler do this for us?" NetScaler being the diverse Swiss army knife that it is, I tend to answer "yes, I'm 95% sure it will work, but I want to see it for myself" and "this is PoC-worthy."

Recently this conversation happened around Microsoft Lync 2013 mobile clients with a repeat customer, and all of their requirements summed up to: "Can NetScaler implement a soft lock feature for users before they get locked out of Active Directory?"

Coming from a Linux background, working with DevOps in a web environment, I had very little idea about the impact behind their request.

The situation

Active Directory locks an account after 10 failed login attempts within a period of 1 hour. An administrator then has to go in and manually unlock the account. The number of failed logins and the time window are variables that can be configured in an Active Directory Group Policy setting.

The resolution

Soft lock means that the user is blocked after a maximum number of failed attempts, before hitting the Active Directory lockout threshold. In my example I would block users from trying to authenticate more than 8 times in 1 hour.

Why is this important? When you begin to expose your Active Directory publicly, you have to think about everyone who now has the ability to reach the crown jewels. An attacker could write a script that locks out every user in your AD in a matter of seconds, simply by producing the maximum number of failed attempts for each user. Yes, he would have to know the user names, but pretty much every business uses a default naming convention, so if you know one user name you have a pretty good idea of what the default is.

The solutions

There are several ways to attack this. The easiest would have been to use our AAA server, which can do exactly what the customer wants just by filling in values in the right fields. But this solution would not work, because the native Microsoft Lync 2013 Mobile app does not support it.

Another would be to inject a cookie into the communication stream to keep track of the number of login attempts. I tried this, but the Microsoft Lync 2013 Mobile app does not handle "Set-Cookie" properly either, so that solution was not possible.

With NetScaler 10.5 (and 10.1.e) our engineering team has introduced something called variables, which can capture information from a request or a response and store it for later use. This information could, for example, be the number of users who requested "login.php" and completed a successful login, so that I know exactly how many users are on my system. If my system were unable to handle more than 1000 users, I could redirect user number 1001 to a backup location.

The information could also be the number of times a particular user has attempted to log in, which is exactly what I need to build the soft lockout in NetScaler. Before I explain the configuration, you need to understand the authentication flow of the Lync mobile client. I have taken a lot of non-relevant headers out of the communication:


REQ1: POST /webticket/webticketservice.svc HTTP/1.1
RES1: HTTP/1.1 401 Unauthorized
RES1 header: WWW-Authenticate: NTLM
REQ2: POST /webticket/webticketservice.svc HTTP/1.1
REQ2 body: contains sip:username@domain.com
REQ2 header: Authorization: NTLM TlRMTVNTUAABAAAANQIIIAgACAAgAAAAAAAAACAAAABDAE8AUgBQAA==
RES2: HTTP/1.1 401 Unauthorized
RES2 header: WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAA1AokiFr9d/N0DR9YAAAAAAAAAALYAtgBAAAAABgGxHQAAAA9DAE8AUgBQAAIACABDAE8AUgBQAAEAFgBOAE4ATABZAEQASQBEAEsAMAAwADEABAAiAGMAbwByAHAALgBuAG8AdgBvAGMAbwByAHAALgBuAGUAdAADADoAbgBuAGwAeQBkAGkAZABrADAAMAAxAC4AYwBvAHIAcAAuAG4AbwB2AG8AYwBvAHIAcAAuAG4AZQB0AAUAGABuAG8AdgBvAGMAbwByAHAALgBuAGUAdAAHAAgAisOqkuCyzwEAAAAA
REQ3: POST /webticket/webticketservice.svc HTTP/1.1
REQ3 header: Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAADiAOIAWAAAAAgACAA6AQAAEgASAEIBAAAAAAAAVAEAAAAAAABUAQAANQIIIKeEVLi35zGWzfxOwxav32AdikTNZRdBCSjFsRIQjUPegAJ+3M+Y9SABAQAAAAAAACAugY/gss8BHYpEzWUXQQkAAAAAAgAIAEMATwBSAFAAAQAWAE4ATgBMAFkARABJAEQASwAwADAAMQAEACIAYwBvAHIAcAAuAG4AbwB2AG8AYwBvAHIAcAAuAG4AZQB0AAMAOgBuAG4AbAB5AGQAaQBkAGsAMAAwADEALgBjAG8AcgBwAC4AbgBvAHYAbwBjAG8AcgBwAC4AbgBlAHQABQAYAG4AbwB2AG8AYwBvAHIAcAAuAG4AZQB0AAcACACKw6qS4LLPAQAAAABDAE8AUgBQAHAAaABpAGIAdABlAHMAdAAxAA==
RES3: HTTP/1.1 200 OK
RES3 header: Persistent-Auth: true
REQ4: GET /ucwa/v1/applications HTTP/1.1
RES4: HTTP/1.1 401 Unauthorized
REQ5: POST /ucwa/v1/applications HTTP/1.1
RES5: HTTP/1.1 201 Created
RES5 body: sip:username@domain.com

This is an example of a successful logon attempt.

The configuration

I'll go through the configuration line by line and explain each step.

#Define a variable
add ns variable lync_login_map3 -type "map(text(18),ulong,10000)" -expires 60

The variable is named "lync_login_map3", and each of its entries holds a key and a value for that key. The key is a string of up to 18 characters, and the value is an unsigned integer. It allows a maximum of 10,000 entries, and entries are kept for 60 seconds.


#Define an assignment on the variable
add ns assignment one_lync_login3 -variable "$lync_login_map3[HTTP.REQ.BODY(500000).AFTER_REGEX(re/sip:/).BEFORE_REGEX(re--)]" -add 1

The assignment is named one_lync_login3 and works on my variable lync_login_map3. It increments the value stored under the key by 1. The key is extracted from the request the client sends; the key is the username.

#Clear a variable
add ns assignment clear_lync_login3 -variable "$lync_login_map3[HTTP.RES.BODY(500000).AFTER_REGEX(re/sip:/).BEFORE_REGEX(re--)]" -clear

The assignment is named clear_lync_login3 and works on the variable lync_login_map3. It deletes the value stored under the key, where the key is extracted from the response the server sends. The key is the username, otherwise this would not work.

#Identifying a login request
add rewrite policy lync_login_pol "http.REQ.URL.EQ(\"/webticket/webticketservice.svc\") && HTTP.REQ.HEADER(\"Authorization\").LENGTH.GE(0)" one_lync_login3

This policy looks for the login URL together with an Authorization header of more than 0 characters, and calls the one_lync_login3 assignment.

#Reset value
add rewrite policy lync_reset_login_pol "http.REQ.URL.EQ(\"/ucwa/v1/applications\") && http.RES.STATUS.EQ(201)" clear_lync_login3

This policy looks for the second application URL and a positive response, and calls the clear_lync_login3 assignment.

Deny access

#The response to the client
add responder action rsp_act_lync_Denied respondwith q{"HTTP/1.1 401 Denied\r\nConnection: Close\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n"}

This is the answer the client gets when it goes over the threshold.

#Identifying when the threshold is exceeded
add responder policy lync_rsp_denied "(http.REQ.URL.EQ(\"/webticket/webticketservice.svc\") && http.REQ.HEADER(\"Authorization\").LENGTH.GE(0)) && $lync_login_map3[HTTP.REQ.BODY(500000).AFTER_REGEX(re/sip:/).BEFORE_REGEX(re--)] > 3" rsp_act_lync_Denied

This policy looks for the specific login URL and header, and fetches the value stored under the key in the variable lync_login_map3. If the value is more than 3, it calls the rsp_act_lync_Denied action.


Logging

#What to log
add audit messageaction lync_number_of_logins NOTICE "\"user \" + HTTP.REQ.BODY(500000).AFTER_REGEX(re/sip:/).BEFORE_REGEX(re--) + \" has tried to login \" + $lync_login_map3[HTTP.REQ.BODY(500000).AFTER_REGEX(re/sip:/).BEFORE_REGEX(re--)]" -logtoNewnslog YES -bypassSafetyCheck YES

This extracts the key (the username) from the request and the value stored for that key in the variable lync_login_map3, and writes both to the log.

#When to log
add responder policy log_num_logins_lync "http.REQ.URL.EQ(\"/webticket/webticketservice.svc\") && http.REQ.HEADER(\"Authorization\").LENGTH.GE(0)" NOOP -logAction lync_number_of_logins

When a login request is identified we do not respond to it (NOOP); the information is only extracted and logged.
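To make the counting behaviour of the policies above concrete, here is an added Python model of the whole procedure (this is illustration code, not NetScaler code and not from the original post). It assumes that the sip: value in the body ends at whitespace, a quote or "<" (the page's BEFORE_REGEX is not legible), that a map entry expires 60 seconds after its last update, and that the responder policy is evaluated before the rewrite policy, so a denied request is not counted.

```python
import re

# Assumed delimiter after the sip: URI; the page's BEFORE_REGEX is not legible.
SIP_RE = re.compile(r'sip:([^\s"<]+)')


class ExpiringMap:
    """Model of a NetScaler map(text, ulong, max) variable with -expires."""

    def __init__(self, max_entries=10000, expires=60):
        self.max_entries, self.expires = max_entries, expires
        self._data = {}  # key -> (count, time of last update)

    def _purge(self, now):
        # Assumption: an entry expires `expires` seconds after its last update.
        for k in [k for k, (_, t) in self._data.items() if now - t >= self.expires]:
            del self._data[k]

    def add(self, key, n, now):
        self._purge(now)
        if key not in self._data and len(self._data) >= self.max_entries:
            return  # map is full: the assignment is dropped
        self._data[key] = (self._data.get(key, (0, now))[0] + n, now)

    def clear(self, key):
        self._data.pop(key, None)

    def get(self, key, now):
        self._purge(now)
        return self._data.get(key, (0, now))[0]


def handle_login_request(m, body, has_authorization, now, threshold=3):
    """POST /webticket/webticketservice.svc: lync_rsp_denied (responder)
    runs first, then the rewrite policy bound to one_lync_login3."""
    match = SIP_RE.search(body)
    if not has_authorization or not match:
        return "pass"          # not a counted login attempt
    user = match.group(1)
    if m.get(user, now) > threshold:
        return "401 Denied"    # rsp_act_lync_Denied; nothing is incremented
    m.add(user, 1, now)        # one_lync_login3
    return "forward"


def handle_application_response(m, status, body):
    """201 Created on /ucwa/v1/applications: clear_lync_login3 resets the user."""
    match = SIP_RE.search(body)
    if status == 201 and match:
        m.clear(match.group(1))
        return True
    return False
```

With the threshold of 3, the fifth attempt within the expiry window is the first one denied, and a successful 201 Created on the application resource resets the user to zero.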


That's it, folks. Now that you have seen variables in action, hopefully this blog can be an inspiration for what variables can do and how to use them. I'd be pleased to hear about other great use cases for variables!
