cephurs

vEmqxi0a.Shitrix CVE-2019-19781 *.cmcm.lu

May 1st, 2020
  1. #NS12.0 Build 57.19
  # NOTE(review): NS 12.0 build 57.19 is older than 12.0-63.13, the 12.0 build Citrix
  # released with the fix for CVE-2019-19781 (CTX267027). The build string is written by
  # the firmware that saved the file, so it describes the box at save time, not
  # necessarily at the time it was exploited.
  2. # Last modified by `save config`, Thu Nov 21 14:54:12 2019
  # Saved roughly four weeks before the December 2019 advisory. Anything an intruder
  # changed in the running config afterwards without a `save config` is not in this file.
  3. set ns config -IPAddress 192.168.201.3 -netmask 255.255.255.192
  4. enable ns feature WL LB SSL SSLVPN REWRITE RESPONDER CH
  # RESPONDER is enabled, so the Citrix interim mitigation for CVE-2019-19781 (a responder
  # policy matching "/vpns/" plus "/../" in the decoded URL, CTX267679) could have been
  # applied -- no such policy exists anywhere in this config. AppFw is NOT in this list,
  # although appfw content types are declared at the end of the file.
  5. enable ns mode FR L3 Edge USNIP PMTUD
  6. set system parameter -doppler DISABLED
  7. set system user nsroot 277855a38c14171c5fe774481c35149c2a3b36a1e119940c1719e880ed13200a0374b7fae6844e9161a93c55d1802094873fcdd5ab25b9a3a24972060180192d9dde24f7d -encrypted -hashmethod SHA512
  # Password hash (SHA512 per -hashmethod) of nsroot, the built-in superuser. Unlike the
  # ENCMTHD_3 values elsewhere in this file it is a hash, not a reversible secret, but it
  # is crackable offline: once ns.conf has leaked, rotate the nsroot password.
  8. set rsskeytype -rsstype ASYMMETRIC
  9. set lacp -sysPriority 32768 -mac 00:50:56:a2:47:e0
  # 00:50:56 is a VMware OUI, consistent with the VMXNET3 interface type below (a VPX).
  10. set ns hostName CMNSGW
  11. set interface 0/1 -autoneg DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype VMXNET3 -ifnum 0/1
  12. set interface LO/1 -haMonitor OFF -haHeartbeat OFF -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype Loopback -ifnum LO/1
  13. add ns ip6 fe80::250:56ff:fea2:47e0/64 -scope link-local -type NSIP -vlan 1 -vServer DISABLED -mgmtAccess ENABLED -dynamicRouting ENABLED
  14. add ns ip 192.168.201.3 255.255.255.192 -type NSIP -vServer DISABLED -gui SECUREONLY -mgmtAccess ENABLED -dynamicRouting ENABLED
  # NSIP: management access (GUI over HTTPS only, plus SSH/NITRO) is enabled on this
  # address and on the link-local IPv6 NSIP above. The public VIPs defined later
  # (.5, .6, .7, .9, .10) sit in the same /26; whether management is reachable from the
  # segment those VIPs face is not visible here, but after a gateway compromise it is the
  # first lateral path to verify.
  15. add ns ip 192.168.201.4 255.255.255.192 -vServer DISABLED
  # No -type given, so this is a SNIP (the default): the source address used toward backends.
  16. set nd6RAvariables -vlan 1
  # SNMP alarm tuning. Only alarm thresholds/intervals appear here; no trap listener
  # (`add snmp trap`), community or manager is defined anywhere in this dump, so unless
  # it was configured outside this file these alarms have nowhere to be delivered.
  17. set snmp alarm APPFW-BUFFER-OVERFLOW -timeout 1
  18. set snmp alarm APPFW-COOKIE -timeout 1
  19. set snmp alarm APPFW-CSRF-TAG -timeout 1
  20. set snmp alarm APPFW-DENY-URL -timeout 1
  21. set snmp alarm APPFW-FIELD-CONSISTENCY -timeout 1
  22. set snmp alarm APPFW-FIELD-FORMAT -timeout 1
  23. set snmp alarm APPFW-POLICY-HIT -timeout 1
  24. set snmp alarm APPFW-REFERER-HEADER -timeout 1
  25. set snmp alarm APPFW-SAFE-COMMERCE -timeout 1
  26. set snmp alarm APPFW-SAFE-OBJECT -timeout 1
  27. set snmp alarm APPFW-SESSION-LIMIT -timeout 1
  28. set snmp alarm APPFW-SQL -timeout 1
  29. set snmp alarm APPFW-START-URL -timeout 1
  30. set snmp alarm APPFW-VIOLATIONS-TYPE -timeout 1
  31. set snmp alarm APPFW-XML-ATTACHMENT -timeout 1
  32. set snmp alarm APPFW-XML-DOS -timeout 1
  33. set snmp alarm APPFW-XML-SCHEMA-COMPILE -timeout 1
  34. set snmp alarm APPFW-XML-SOAP-FAULT -timeout 1
  35. set snmp alarm APPFW-XML-SQL -timeout 1
  36. set snmp alarm APPFW-XML-VALIDATION -timeout 1
  37. set snmp alarm APPFW-XML-WSI -timeout 1
  38. set snmp alarm APPFW-XML-XSS -timeout 1
  39. set snmp alarm APPFW-XSS -timeout 1
  # The APPFW-* alarms above are moot on this box: the AppFw feature is not enabled
  # (see `enable ns feature` near the top of the file).
  40. set snmp alarm CLUSTER-BACKPLANE-HB-MISSING -time 86400 -timeout 86400
  41. set snmp alarm CLUSTER-NODE-HEALTH -time 86400 -timeout 86400
  42. set snmp alarm CLUSTER-NODE-QUORUM -time 86400 -timeout 86400
  43. set snmp alarm CLUSTER-VERSION-MISMATCH -time 86400 -timeout 86400
  44. set snmp alarm COMPACT-FLASH-ERRORS -time 86400 -timeout 86400
  45. set snmp alarm CONFIG-CHANGE -timeout 86400
  46. set snmp alarm CONFIG-SAVE -timeout 86400
  # NOTE(review): CONFIG-CHANGE / CONFIG-SAVE are the alarms that would surface an
  # intruder editing the configuration; with a 24h value here, repeat notifications
  # within a day are presumably suppressed (confirm the -timeout semantics for this build).
  47. set snmp alarm HA-BAD-SECONDARY-STATE -time 86400 -timeout 86400
  48. set snmp alarm HA-NO-HEARTBEATS -time 86400 -timeout 86400
  49. set snmp alarm HA-SYNC-FAILURE -time 86400 -timeout 86400
  50. set snmp alarm HA-VERSION-MISMATCH -time 86400 -timeout 86400
  51. set snmp alarm HARD-DISK-DRIVE-ERRORS -time 86400 -timeout 86400
  52. set snmp alarm HA-STATE-CHANGE -timeout 86400
  53. set snmp alarm HA-STICKY-PRIMARY -timeout 86400
  54. set snmp alarm PORT-ALLOC-FAILED -time 3600 -timeout 3600
  55. set snmp alarm SYNFLOOD -timeout 1
  # Pattern sets referenced by the clientless-VPN profile and the admin-console
  # responder policy further down.
  56. add policy patset ST_WB_CKIES192_168_201_6
  57. add policy patset XDM_UrlSet
  # Built-in set that decides which User-Agents are treated as Citrix VPN clients.
  # The two Firefox/Linux strings are presumably the Linux plug-in's identifiers; note
  # that User-Agent is chosen by the client, so everything keyed on it (session and
  # authentication policy selection below) is under the caller's control.
  58. bind policy patset ns_vpn_client_useragents AGEE -index 1 -charset ASCII
  59. bind policy patset ns_vpn_client_useragents CitrixReceiver -index 2 -charset ASCII
  60. bind policy patset ns_vpn_client_useragents AGMacClient -index 3 -charset ASCII
  61. bind policy patset ns_vpn_client_useragents "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0" -index 4 -charset ASCII
  62. bind policy patset ns_vpn_client_useragents "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0" -index 5 -charset ASCII
  63. bind policy patset ns_aaa_activesync_useragents Apple-iPhone -index 1 -charset ASCII
  64. bind policy patset ns_aaa_activesync_useragents Apple-iPad -index 2 -charset ASCII
  65. bind policy patset ns_aaa_activesync_useragents SAMSUNG-GT -index 3 -charset ASCII
  66. bind policy patset ns_aaa_activesync_useragents "SAMSUNG GT" -index 4 -charset ASCII
  67. bind policy patset ns_aaa_activesync_useragents AirWatch -index 5 -charset ASCII
  68. bind policy patset ns_aaa_activesync_useragents "TouchDown(MSRPC)" -index 6 -charset ASCII
  # Domain the clientless VPN rewrites as an internal destination; it is the XenMobile
  # host the gateway session actions point at (-storefronturl https://mdm.cmcm.lu:8443).
  69. bind policy patset ns_cvpn_default_inet_domains mdm.cmcm.lu:8443 -index 2
  70. bind policy patset ns_videoopt_quic_abr_sni_whitelist googlevideo.com -index 1
  71. bind policy patset ns_videoopt_quic_abr_sni_whitelist c.youtube.com -index 2
  72. bind policy patset ns_videoopt_quic_abr_sni_blacklist manifest.googlevideo.com -index 1
  73. bind policy patset ns_videoopt_quic_abr_sni_blacklist redirector.googlevideo.com -index 2
  # Cookies the clientless-VPN profile ST_WB_RW_192.168.201.6 lets through to the client
  # (-ClientConsumedCookies); they include the StoreFront session and CSRF tokens.
  74. bind policy patset ST_WB_CKIES192_168_201_6 CsrfToken -index 1
  75. bind policy patset ST_WB_CKIES192_168_201_6 ASP.NET_SessionId -index 2
  76. bind policy patset ST_WB_CKIES192_168_201_6 CtxsPluginAssistantState -index 3
  77. bind policy patset ST_WB_CKIES192_168_201_6 CtxsAuthId -index 4
  # XenMobile admin-console paths dropped by the XDM_Admin_Console_Drop responder policy.
  # They are matched with STARTSWITH_ANY on the raw request URL, i.e. case-sensitively
  # and without percent-decoding or path normalisation, so spellings the backend might
  # still accept (e.g. upper-case or encoded variants) are not covered by this list.
  78. bind policy patset XDM_UrlSet "/zdm/header.jsp" -index 4
  79. bind policy patset XDM_UrlSet "/zdm/console" -index 1
  80. bind policy patset XDM_UrlSet "/zdm/login.jsp" -index 2
  81. bind policy patset XDM_UrlSet "/zdm/log.jsp" -index 3
  82. bind policy patset XDM_UrlSet "/zdm/login_xdm_uc.jsp" -index 5
  83. add ns httpProfile _XM_SSL_OFFLOAD_HTTP_PROFILE -conMultiplex DISABLED
  84. set cmp parameter -policyType ADVANCED
  # Backend inventory. Every backend leg below is plain HTTP or plain TCP: TLS terminates
  # on the ADC and traffic to the XenMobile server (192.168.201.2) and the StoreFront
  # servers (192.168.10.34 / .134) crosses the network in clear. cmsv30/cmsv31 are the
  # LDAP targets and also the DNS resolvers configured later, so they are presumably the
  # domain controllers.
  85. add server cmsv30 192.168.10.30
  86. add server cmsv31 192.168.10.31
  87. add server cmsv50 192.168.10.50
  88. add server 192.168.201.2 192.168.201.2
  89. add server cmsv34 192.168.10.34
  90. add server CMXENAPP2 192.168.10.134
  # Single backend service shared by all three XenMobile vservers (see the bind lines).
  91. add service 192.168.201.2_80 192.168.201.2 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CustomServerID 3215509762 -CKA NO -TCPB NO -CMP NO
  92. add service 192.168.10.34_80 cmsv34 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
  # LDAP is load-balanced as raw TCP on 389 (no TLS on either leg; see the ldapAction).
  93. add serviceGroup svgrp_ldap TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
  # StoreFront gets the client IP in X-Forwarded-For; the backend must only trust that
  # header when the request really came through this ADC.
  94. add serviceGroup svgrp_Storefront HTTP -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
  # Certificate/key pairs. ns-server-certificate is the appliance's own (self-signed)
  # management certificate, used only by the loopback services bound later.
  95. add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
  # Two wildcard certificates for cmcm.lu are loaded from PFX files. -passcrypt is the
  # PFX passphrase encrypted with the appliance's own key, so it is reversible by anyone
  # who holds the appliance filesystem -- it is not a hash. Only STAR.cmcm.lu is bound to
  # vservers; "*.cmcm.lu" (AlphaSSL chain, expiry monitoring off) is loaded but unused.
  # After a compromise of this box, assume both wildcard private keys are exposed and
  # re-issue them.
  96. add ssl certKey "*.cmcm.lu" -cert cmcm_lu.pfx -key cmcm_lu.pfx -inform PFX -passcrypt "wap0Ds+Ki5WWCXpKJDJbFg==" -expiryMonitor DISABLED
  97. add ssl certKey AlphaSSL_CA -cert ca.crt
  98. add ssl certKey AlphaSSL-Intermediate-SHA256-G2 -cert "AlphaSSL CA - SHA256 - G2 - Intermediate.crt"
  99. add ssl certKey STAR.cmcm.lu -cert STAR_cmcm_lu.pfx -key STAR_cmcm_lu.pfx -inform PFX -passcrypt "MMcl7X9G4LO6I/aJD+5TTw=="
  100. add ssl certKey COMODO_CA -cert STAR_cmcm_lu.ca-bundle
  101. add ssl certKey COMODO_CA_ic1 -cert STAR_cmcm_lu.ca-bundle_ic1
  # Chain links so the intermediates are sent with each leaf.
  102. link ssl certKey "*.cmcm.lu" AlphaSSL-Intermediate-SHA256-G2
  103. link ssl certKey AlphaSSL-Intermediate-SHA256-G2 AlphaSSL_CA
  104. link ssl certKey STAR.cmcm.lu COMODO_CA
  105. link ssl certKey COMODO_CA COMODO_CA_ic1
  # Authentication back ends. The -radKey and -ldapBindDnPassword values are
  # ENCMTHD_3 ciphertext, which the appliance decrypts with a key stored on the same
  # filesystem; treat both as disclosed and rotate the RADIUS shared secret and the
  # s-ldapXenMobile service-account password.
  106. add authentication radiusAction Vasco -serverIP 192.168.201.11 -serverPort 1812 -radKey 6848b2e5ad4e2bef47f5a5c814621f79939db84a7c322912258e8bfe624c529a -encrypted -encryptmethod ENCMTHD_3
  # LDAP goes to 192.168.201.8, which is the lb_ldap TCP/389 vserver defined below. No
  # -secType is given, so unless this build's default differs the bind and the users'
  # passwords travel as plaintext LDAP on both legs.
  107. add authentication ldapAction 192.168.201.8_LDAP -serverIP 192.168.201.8 -ldapBase "ou=users,ou=cmcm,dc=cmcm,dc=loc" -ldapBindDn s-ldapXenMobile@cmcm.loc -ldapBindDnPassword f61e29a723a01c70191655e4fdce4467e7b337b0be306ebde42cc396f8204d05 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName userPrincipalName
  108. add vpn portaltheme X1-CMCM -basetheme X1
  # The User-Agent split only decides which factor is asked for first (Receiver: RADIUS
  # then LDAP; browsers: LDAP then RADIUS, see the _XD vserver bindings). Because both
  # orderings are bound as primary+secondary, a spoofed User-Agent reorders the factors
  # but does not remove one.
  109. add authentication radiusPolicy mobile_Vasco_pol "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" Vasco
  110. add authentication radiusPolicy nonmobile_Vasco_pol "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" Vasco
  # Unconditional LDAP policy; it is the only authentication policy bound to the
  # XenMobile gateway (_XM_XenMobileGateway), which is therefore single-factor.
  111. add authentication ldapPolicy 192.168.201.8_LDAP_pol NS_TRUE 192.168.201.8_LDAP
  112. add authentication ldapPolicy mobile_ldap_pol "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" 192.168.201.8_LDAP
  113. add authentication ldapPolicy nonmobile_ldap_pol "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" 192.168.201.8_LDAP
  114. set lb parameter -sessionsThreshold 150000
  # Front-end virtual servers. All public-facing ones use the STAR.cmcm.lu wildcard
  # certificate (bound further down).
  # MAM: persistence keyed on the ACNODEID cookie; this VIP is what mdm.cmcm.lu resolves
  # to on the appliance (see the dns addRec) and is the gateway's -storefronturl target.
  115. add lb vserver _XM_MAM_LB_192.168.201.9_8443 SSL 192.168.201.9 8443 -persistenceType CUSTOMSERVERID -rule "HTTP.REQ.COOKIE.VALUE(\"ACNODEID\")" -cltTimeout 180
  116. add lb vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 SSL 192.168.201.5 443 -persistenceType SOURCEIP -timeout 1440 -cltTimeout 180 -httpProfileName _XM_SSL_OFFLOAD_HTTP_PROFILE
  117. add lb vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 SSL 192.168.201.5 8443 -persistenceType SOURCEIP -cltTimeout 180 -httpProfileName _XM_SSL_OFFLOAD_HTTP_PROFILE
  # Internal LDAP VIP used by the ldapAction and the mon_ldap monitor; plain TCP/389.
  118. add lb vserver lb_ldap TCP 192.168.201.8 389 -persistenceType NONE -cltTimeout 9000
  119. add lb vserver lb_Storefront HTTP 192.168.201.10 80 -persistenceType SOURCEIP -timeout 60 -cltTimeout 180
  120. set cache parameter -via "NS-CACHE-10.0:   3"
  # Gateway (SSLVPN) virtual servers on .6 (XenMobile) and .7 (XenDesktop/StoreFront).
  # These are the endpoints CVE-2019-19781 is reached through (the /vpns/ handler is
  # served by Gateway vservers), and they carry no listen-policy restriction.
  121. add vpn vserver _XM_XenMobileGateway SSL 192.168.201.6 443 -Listenpolicy NONE
  122. add vpn vserver _XD_192.168.201.7_443 SSL 192.168.201.7 443 -Listenpolicy NONE -deploymentType ICA_STOREFRONT -vserverFqdn myapps.cmcm.lu
  123. set aaa parameter -maxAAAUsers 505
  # Node-to-node RPC secret (HA/cluster/GSLB). ENCMTHD_3 => reversible on the appliance;
  # rotate it on every peer that shares it.
  124. set ns rpcNode 192.168.201.3 -password b987ee67e56905bc2763aaadc9d606a374e34cbfa872f71382c39b75c9a7d5694a861a8db4f3f5d78c02269221e224a1 -encrypted -encryptmethod ENCMTHD_3 -srcIP 192.168.201.3
  # HSTS for five years, without includeSubDomains or preload. The policy is bound only
  # to the two vpn vservers (RESPONSE side), not to the MDM/MAM lb vservers.
  125. add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
  126. add rewrite policy enforce_STS true insert_STS_header
  # Built-in compression policies (defaults).
  127. bind cmp global ns_adv_nocmp_xml_ie -priority 8700 -gotoPriorityExpression END -type RES_DEFAULT
  128. bind cmp global ns_adv_nocmp_mozilla_47 -priority 8800 -gotoPriorityExpression END -type RES_DEFAULT
  129. bind cmp global ns_adv_cmp_mscss -priority 8900 -gotoPriorityExpression END -type RES_DEFAULT
  130. bind cmp global ns_adv_cmp_msapp -priority 9000 -gotoPriorityExpression END -type RES_DEFAULT
  131. bind cmp global ns_adv_cmp_content_type -priority 10000 -gotoPriorityExpression END -type RES_DEFAULT
  # Clientless-VPN profiles for the XenMobile gateway: browsers get URL rewriting with
  # the default internet-URL label and the cookie pass-through list; Receiver clients
  # that also send X-Citrix-Gateway get the no-rewrite profile. Both header conditions
  # are client-controlled, so they select a rendering mode, not a privilege level.
  132. add vpn clientlessAccessProfile ST_WB_RW_192.168.201.6
  133. add vpn clientlessAccessProfile NO_RW_192.168.201.6
  134. set vpn clientlessAccessProfile ST_WB_RW_192.168.201.6 -URLRewritePolicyLabel ns_cvpn_default_inet_url_label -ClientConsumedCookies ST_WB_CKIES192_168_201_6
  135. add vpn clientlessAccessPolicy CLT_LESS_RF_192.168.201.6 TRUE ST_WB_RW_192.168.201.6
  136. add vpn clientlessAccessPolicy CLT_LESS_192.168.201.6 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"X-Citrix-Gateway\").EXISTS" NO_RW_192.168.201.6
  137. set appflow param -cqaReporting ENABLED
  # Blocks the XenMobile admin console from the public MDM vservers (bound on the two
  # _XM_LB_MDM_* vservers only). HTTP.REQ.URL is compared undecoded and case-sensitively;
  # elsewhere this config uses SET_TEXT_MODE(IGNORECASE) for URL matching, and the same
  # treatment (plus matching on the decoded path) would make this block harder to
  # sidestep. Consider: HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH_ANY("XDM_UrlSet")
  138. add responder policy XDM_Admin_Console_Drop "HTTP.REQ.URL.STARTSWITH_ANY(\"XDM_UrlSet\")" DROP
  # Integrated-cache configuration. The _* policies and the _reqBuiltinDefaults /
  # _resBuiltinDefaults labels are the stock built-ins; the ctx_* policies and the
  # ctx_cg_poc group are custom but no binding for any ctx_* policy appears in this
  # config, so they are inert as saved.
  139. add cache contentGroup DEFAULT
  140. set cache contentGroup NSFEO -maxResSize 1994752
  141. add cache contentGroup BASEFILE -relExpiry 86000 -weakNegRelExpiry 600 -maxResSize 256 -memLimit 2
  142. add cache contentGroup DELTAJS -relExpiry 86000 -weakNegRelExpiry 600 -insertAge NO -maxResSize 256 -memLimit 1 -pinned YES
  143. add cache contentGroup ctx_cg_poc -relExpiry 86000 -weakNegRelExpiry 600 -insertAge NO -maxResSize 500 -memLimit 256 -pinned YES
  144. add cache policy _nonGetReq -rule "!HTTP.REQ.METHOD.eq(GET)" -action NOCACHE
  145. add cache policy _advancedConditionalReq -rule "HTTP.REQ.HEADER(\"If-Match\").EXISTS || HTTP.REQ.HEADER(\"If-Unmodified-Since\").EXISTS" -action NOCACHE
  # Requests carrying Cookie/Authorization are only MAY_NOCACHE, i.e. a later CACHE
  # policy can still override; the ctx_* policies below would do exactly that if they
  # were ever bound (they cache on URL suffix regardless of credentials).
  146. add cache policy _personalizedReq -rule "HTTP.REQ.HEADER(\"Cookie\").EXISTS || HTTP.REQ.HEADER(\"Authorization\").EXISTS || HTTP.REQ.HEADER(\"Proxy-Authorization\").EXISTS || HTTP.REQ.IS_NTLM_OR_NEGOTIATE" -action MAY_NOCACHE
  147. add cache policy _uncacheableStatusRes -rule "! ((HTTP.RES.STATUS.EQ(200)) || (HTTP.RES.STATUS.EQ(304)) || (HTTP.RES.STATUS.BETWEEN(400,499)) || (HTTP.RES.STATUS.BETWEEN(300, 302)) || (HTTP.RES.STATUS.EQ(307))|| (HTTP.RES.STATUS.EQ(203)))" -action NOCACHE
  148. add cache policy _uncacheableCacheControlRes -rule "((HTTP.RES.CACHE_CONTROL.IS_PRIVATE) || (HTTP.RES.CACHE_CONTROL.IS_NO_CACHE) || (HTTP.RES.CACHE_CONTROL.IS_NO_STORE) || (HTTP.RES.CACHE_CONTROL.IS_INVALID))" -action NOCACHE
  149. add cache policy _cacheableCacheControlRes -rule "((HTTP.RES.CACHE_CONTROL.IS_PUBLIC) || (HTTP.RES.CACHE_CONTROL.IS_MAX_AGE) || (HTTP.RES.CACHE_CONTROL.IS_MUST_REVALIDATE) || (HTTP.RES.CACHE_CONTROL.IS_PROXY_REVALIDATE) || (HTTP.RES.CACHE_CONTROL.IS_S_MAXAGE))" -action CACHE -storeInGroup DEFAULT
  150. add cache policy _uncacheableVaryRes -rule "((HTTP.RES.HEADER(\"Vary\").EXISTS) && ((HTTP.RES.HEADER(\"Vary\").INSTANCE(1).LENGTH > 0) || (!HTTP.RES.HEADER(\"Vary\").STRIP_END_WS.SET_TEXT_MODE(IGNORECASE).eq(\"Accept-Encoding\"))))" -action NOCACHE
  151. add cache policy _uncacheablePragmaRes -rule "HTTP.RES.HEADER(\"Pragma\").EXISTS" -action NOCACHE
  152. add cache policy _cacheableExpiryRes -rule "HTTP.RES.HEADER(\"Expires\").EXISTS" -action CACHE -storeInGroup DEFAULT
  153. add cache policy _imageRes -rule "HTTP.RES.HEADER(\"Content-Type\").SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"image/\")" -action CACHE -storeInGroup DEFAULT
  154. add cache policy _personalizedRes -rule "HTTP.RES.HEADER(\"Set-Cookie\").EXISTS || HTTP.RES.HEADER(\"Set-Cookie2\").EXISTS" -action NOCACHE
  # Custom, currently unbound: suffix-based caching into ctx_cg_poc.
  155. add cache policy ctx_images -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS_INDEX(\"ctx_file_extensions\").BETWEEN(101,150)" -action CACHE -storeInGroup ctx_cg_poc
  156. add cache policy ctx_web_css -rule "HTTP.REQ.URL.ENDSWITH(\".css\")" -action CACHE -storeInGroup ctx_cg_poc
  157. add cache policy ctx_doc_pdf -rule "HTTP.REQ.URL.ENDSWITH(\".pdf\")" -action CACHE -storeInGroup ctx_cg_poc
  158. add cache policy ctx_web_JavaScript -rule "HTTP.REQ.URL.ENDSWITH(\".js\")" -action CACHE -storeInGroup ctx_cg_poc
  159. add cache policy ctx_web_JavaScript-Res -rule "HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"application/x-javascript\")" -action CACHE -storeInGroup ctx_cg_poc
  160. add cache policy ctx_NOCACHE_Cleanup -rule TRUE -action NOCACHE
  161. add cache policylabel _reqBuiltinDefaults -evaluates REQ
  162. add cache policylabel _resBuiltinDefaults -evaluates RES
  163. bind cache policylabel _reqBuiltinDefaults -policyName _nonGetReq -priority 100 -gotoPriorityExpression END
  164. bind cache policylabel _reqBuiltinDefaults -policyName _advancedConditionalReq -priority 200 -gotoPriorityExpression END
  165. bind cache policylabel _reqBuiltinDefaults -policyName _personalizedReq -priority 300 -gotoPriorityExpression END
  166. bind cache policylabel _resBuiltinDefaults -policyName _uncacheableStatusRes -priority 100 -gotoPriorityExpression END
  167. bind cache policylabel _resBuiltinDefaults -policyName _uncacheableVaryRes -priority 200 -gotoPriorityExpression END
  168. bind cache policylabel _resBuiltinDefaults -policyName _uncacheableCacheControlRes -priority 300 -gotoPriorityExpression END
  169. bind cache policylabel _resBuiltinDefaults -policyName _cacheableCacheControlRes -priority 400 -gotoPriorityExpression END
  170. bind cache policylabel _resBuiltinDefaults -policyName _uncacheablePragmaRes -priority 500 -gotoPriorityExpression END
  171. bind cache policylabel _resBuiltinDefaults -policyName _cacheableExpiryRes -priority 600 -gotoPriorityExpression END
  172. bind cache policylabel _resBuiltinDefaults -policyName _imageRes -priority 700 -gotoPriorityExpression END
  173. bind cache policylabel _resBuiltinDefaults -policyName _personalizedRes -priority 800 -gotoPriorityExpression END
  # Only the built-in labels are bound globally.
  174. bind cache global NOPOLICY -priority 185883 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQ_DEFAULT -invoke policylabel _reqBuiltinDefaults
  175. bind cache global NOPOLICY -priority 185883 -gotoPriorityExpression USE_INVOCATION_RESULT -type RES_DEFAULT -invoke policylabel _resBuiltinDefaults
  # AES-256 key for the ENCRYPT/DECRYPT policy-expression functions (as I read it -- not
  # the key that wraps the other -encrypted values in this file). Stored as ENCMTHD_3
  # ciphertext, so it is recoverable by whoever holds the appliance; if any policy on
  # this box used it, anything it protected is exposed.
  176. set ns encryptionParams -method AES256 -keyValue b6901d7f0a37170a284b4e48a62d6f0db4b23fce17eac5d7cac8e3c0c81725a0943536d13d6e4d5c73a10306752321b199afa820fb1e4c8002eb7e4e9a2579bef63da35962b557c04780a90ae52e2737 -encrypted -encryptmethod ENCMTHD_3
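  # Service and policy bindings for the load-balancing vservers.
  # All three XenMobile front ends (MAM on .9:8443, MDM on .5:443 and .5:8443) forward to
  # the same backend service, 192.168.201.2 port 80, in clear text.
  177. bind lb vserver _XM_MAM_LB_192.168.201.9_8443 192.168.201.2_80
  178. bind lb vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 192.168.201.2_80
  179. bind lb vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 192.168.201.2_80
  180. bind lb vserver lb_ldap svgrp_ldap
  181. bind lb vserver lb_Storefront svgrp_Storefront
  # Admin-console (/zdm/...) block on the MDM vservers.
  182. bind lb vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -policyName XDM_Admin_Console_Drop -priority 100 -gotoPriorityExpression END -type REQUEST
  183. bind lb vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -policyName XDM_Admin_Console_Drop -priority 100 -gotoPriorityExpression END -type REQUEST
  # FIX(review): the drop policy was bound only to the two MDM vservers, although the MAM
  # vserver on 192.168.201.9:8443 sends to the identical backend and is what
  # mdm.cmcm.lu resolves to on this box -- the -storefronturl/-appController target that
  # the gateway proxies authenticated users to. Bind the same policy there so the console
  # paths are dropped on every front end that reaches 192.168.201.2.
  bind lb vserver _XM_MAM_LB_192.168.201.9_8443 -policyName XDM_Admin_Console_Drop -priority 100 -gotoPriorityExpression END -type REQUEST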
  # Name resolution. The forwarders are cmsv30/cmsv31, the same hosts that serve LDAP
  # (presumably the domain controllers).
  184. add dns nameServer 192.168.10.30
  185. add dns nameServer 192.168.10.31
  186. set ns diameter -identity netscaler.com -realm com
  187. set subscriber gxInterface -pcrfRealm pcrf.com -holdOnSubscriberAbsence YES -servicePathAVP 262099 -servicePathVendorid 3845
  188. set ns tcpbufParam -memLimit 512
  189. set dns parameter -dns64Timeout 1000
  # Root hints (stock). NOTE(review): 192.228.79.201 for b.root-servers.net is, as far as
  # I recall, the pre-2017 address; harmless while the forwarders above answer.
  190. add dns nsRec . a.root-servers.net -TTL 3600000
  191. add dns nsRec . b.root-servers.net -TTL 3600000
  192. add dns nsRec . c.root-servers.net -TTL 3600000
  193. add dns nsRec . d.root-servers.net -TTL 3600000
  194. add dns nsRec . e.root-servers.net -TTL 3600000
  195. add dns nsRec . f.root-servers.net -TTL 3600000
  196. add dns nsRec . g.root-servers.net -TTL 3600000
  197. add dns nsRec . h.root-servers.net -TTL 3600000
  198. add dns nsRec . i.root-servers.net -TTL 3600000
  199. add dns nsRec . j.root-servers.net -TTL 3600000
  200. add dns nsRec . k.root-servers.net -TTL 3600000
  201. add dns nsRec . l.root-servers.net -TTL 3600000
  202. add dns nsRec . m.root-servers.net -TTL 3600000
  203. add dns addRec l.root-servers.net 199.7.83.42 -TTL 3600000
  204. add dns addRec b.root-servers.net 192.228.79.201 -TTL 3600000
  205. add dns addRec d.root-servers.net 199.7.91.13 -TTL 3600000
  206. add dns addRec j.root-servers.net 192.58.128.30 -TTL 3600000
  207. add dns addRec h.root-servers.net 198.97.190.53 -TTL 3600000
  208. add dns addRec f.root-servers.net 192.5.5.241 -TTL 3600000
  # Local override: on the appliance mdm.cmcm.lu resolves to the MAM VIP (192.168.201.9),
  # so the gateway's https://mdm.cmcm.lu:8443 targets are served by this box itself.
  209. add dns addRec mdm.cmcm.lu 192.168.201.9
  210. add dns addRec k.root-servers.net 193.0.14.129 -TTL 3600000
  211. add dns addRec a.root-servers.net 198.41.0.4 -TTL 3600000
  212. add dns addRec c.root-servers.net 192.33.4.12 -TTL 3600000
  213. add dns addRec m.root-servers.net 202.12.27.33 -TTL 3600000
  214. add dns addRec i.root-servers.net 192.36.148.17 -TTL 3600000
  215. add dns addRec g.root-servers.net 192.112.36.4 -TTL 3600000
  216. add dns addRec e.root-servers.net 192.203.230.10 -TTL 3600000
  217. add dns suffix cmcm.loc
  # Health monitors.
  218. set lb monitor ldns-dns LDNS-DNS -query . -queryType Address
  219. set lb monitor stasecure CITRIX-STA-SERVICE -interval 2 MIN
  220. set lb monitor sta CITRIX-STA-SERVICE -interval 2 MIN
  # Scripted LDAP probe (nsldap.pl via the local monitor dispatcher on 127.0.0.1:3013).
  # It binds as the same XenMobile service account the ldapAction uses, with an ENCMTHD_3
  # (reversible) password -- one more copy of that credential to rotate. The probe scripts
  # live on the appliance filesystem; after a compromise verify them against a clean build.
  221. add lb monitor mon_ldap LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password ecf34ff2a023fde44c21d48ee6fb3d1b1ed0747c10fd6e969f8a07f4840b5fda -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -baseDN "DC=cmcm,DC=loc" -bindDN "CN=s-ldap XenMobile,CN=Users,DC=cmcm,DC=loc" -filter cn=builtin
  222. add lb monitor mon_Storefront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED -storename Mobility
  223. bind serviceGroup svgrp_ldap cmsv30 389
  224. bind serviceGroup svgrp_ldap cmsv31 389
  225. bind serviceGroup svgrp_ldap -monitorName mon_ldap
  226. bind serviceGroup svgrp_Storefront cmsv34 80
  227. bind serviceGroup svgrp_Storefront CMXENAPP2 80
  228. bind serviceGroup svgrp_Storefront -monitorName mon_Storefront
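  229. add route 0.0.0.0 0.0.0.0 192.168.201.1
  # Refuses client-initiated TLS renegotiation on front-end connections.
  230. set ssl parameter -denySSLReneg FRONTEND_CLIENT
  231. set ssl service vpndbssvc_-662974853 -sessReuse ENABLED -sessTimeout 120
  # Loopback services (management GUI on 443, RPC on 3008/3009, SIP RNAT on 5061); they
  # are bound to the self-signed ns-server-certificate further down.
  232. set ssl service nsrnatsip-127.0.0.1-5061 -eRSA ENABLED -sessReuse DISABLED
  233. set ssl service nskrpcs-127.0.0.1-3009 -eRSA ENABLED -sessReuse DISABLED
  234. set ssl service nshttps-::1l-443 -eRSA ENABLED -sessReuse DISABLED
  235. set ssl service nsrpcs-::1l-3008 -eRSA ENABLED -sessReuse DISABLED
  236. set ssl service nshttps-127.0.0.1-443 -eRSA ENABLED -sessReuse DISABLED
  237. set ssl service nsrpcs-127.0.0.1-3008 -eRSA ENABLED -sessReuse DISABLED
  # FIX(review): the two MDM vservers disabled only SSLv3, whereas the gateway vservers
  # below also disable TLS 1.0/1.1. Their bound cipher group (custom-ssllabs-cipher)
  # contains only TLS1.2-* suites, so older versions most likely could not complete a
  # handshake anyway -- make it explicit so a later cipher change cannot reopen them.
  238. set ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -sessReuse ENABLED -sessTimeout 15 -clientAuth ENABLED -clientCert Optional -sslRedirect ENABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
  239. set ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
  240. set ssl vserver _XM_XenMobileGateway -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
  241. set ssl vserver _XD_192.168.201.7_443 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
  # Client certificates are Optional on the .5:443 vserver; when one is presented it is
  # forwarded to the backend in an NSClientCert header. Nothing in this config removes an
  # NSClientCert header sent by a client that presented no certificate, so the backend
  # must not treat the header as proof of device identity on its own. If it does, add a
  # rewrite policy that deletes the inbound NSClientCert header before this ssl policy
  # runs (review: confirm how the XenMobile server consumes it).
  242. add ssl action _XM_MDM_XenMobileMDM_ACTION -clientCert ENABLED -certHeader NSClientCert
  243. add ssl policy _XM_MDM_XenMobileMDM_POLICY -rule CLIENT.SSL.CLIENT_CERT.EXISTS -action _XM_MDM_XenMobileMDM_ACTION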
  # Gateway session profiles. Every action grants -defaultAuthorizationAction ALLOW and
  # no authorization policy exists in this config, so once authenticated a session may
  # reach whatever the gateway can route to. SSO ON replays the user's credential to
  # backends, and the .7 actions do so toward plain http:// StoreFront URLs.
  # Receiver on the XenMobile gateway: full tunnel (splitTunnel OFF, transparent
  # interception), 7-day idle timeout (10080 min), 24h forced timeout.
  244. add vpn sessionAction AC_OS_192.168.201.6_A_ -splitDns BOTH -sessTimeout 10080 -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -ClientChoices OFF -forcedTimeout 1440 -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://mdm.cmcm.lu:8443"
  245. add vpn sessionAction AC_WB_192.168.201.6_A_ -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "https://mdm.cmcm.lu:8443/Citrix/StoreWeb" -icaProxy OFF -wihome "https://mdm.cmcm.lu:8443/Citrix/StoreWeb" -ClientChoices OFF -clientlessVpnMode ON -SecureBrowse ENABLED
  246. add vpn sessionAction AC_AG_PLG_192.168.201.6_A_ -splitDns BOTH -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "https://mdm.cmcm.lu:8443/Citrix/StoreWeb" -icaProxy OFF -ClientChoices OFF -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://mdm.cmcm.lu:8443"
  # XenDesktop gateway, Receiver: ICA proxy only. -ssoCredential SECONDARY is consistent
  # with the _XD bindings, where Receiver authenticates RADIUS first and LDAP second, so
  # the LDAP password is the one replayed to StoreFront -- over http://.
  247. add vpn sessionAction AC_OS_192.168.201.7 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential SECONDARY -icaProxy ON -wihome "http://lb_stfdmz.cmcm.loc/Citrix/MobilityWeb" -ClientChoices OFF -ntDomain CMCM -clientlessVpnMode OFF -storefronturl "http://lb_stfdmz.cmcm.loc" -sfGatewayAuthType domain
  248. add vpn sessionAction AC_WB_192.168.201.7 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "http://lb_stfdmz.cmcm.loc/Citrix/MobilityWeb" -ClientChoices OFF -ntDomain CMCM -clientlessVpnMode OFF -sfGatewayAuthType domain
  # Profile selection keys on User-Agent, X-Citrix-Gateway and Referer -- all chosen by
  # the client. Since every profile above is ALLOW + SSO, spoofing these headers changes
  # the access mode (full tunnel vs. clientless vs. ICA proxy), not the authorization.
  249. add vpn sessionPolicy PL_OS_192.168.201.6 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"X-Citrix-Gateway\").EXISTS" AC_OS_192.168.201.6_A_
  250. add vpn sessionPolicy PL_WB_192.168.201.6 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_192.168.201.6_A_
  251. add vpn sessionPolicy PL_AG_PLG_192.168.201.6 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT && HTTP.REQ.HEADER(\"Referer\").EXISTS.NOT" AC_AG_PLG_192.168.201.6_A_
  252. add vpn sessionPolicy PL_OS_192.168.201.7 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" AC_OS_192.168.201.7
  253. add vpn sessionPolicy PL_WB_192.168.201.7 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_192.168.201.7
  254. set vpn parameter -forceCleanup none -clientConfiguration all -tag 10
  # Global audit bindings use only the built-in parameter policies. No `add audit
  # syslogAction` pointing at a remote collector appears in this dump; unless one exists
  # outside this file, logs stay on the appliance, where an intruder with shell access
  # can truncate them.
  255. bind audit syslogGlobal -policyName SETSYSLOGPARAMS_ADV_POL -priority 2000000000
  256. bind audit nslogGlobal -policyName SETNSLOGPARAMS_ADV_POL -priority 2000000000
  257. bind tunnel global ns_tunnel_msdocs -priority 4000
  258. bind tunnel global ns_tunnel_mimetext -priority 6000
  259. bind tm global -policyName SETTMSESSPARAMS_ADV_POL -priority 65534 -gotoPriorityExpression NEXT
  # STA servers. The two StoreFront hosts are reached over http://, so STA ticket
  # validation travels in clear on the internal leg; only the XenMobile STA uses https.
  260. bind vpn vserver _XM_XenMobileGateway -staServer "http://192.168.10.34"
  261. bind vpn vserver _XM_XenMobileGateway -staServer "https://mdm.cmcm.lu:8443"
  262. bind vpn vserver _XM_XenMobileGateway -staServer "http://192.168.10.134"
  263. bind vpn vserver _XD_192.168.201.7_443 -staServer "http://192.168.10.34"
  264. bind vpn vserver _XD_192.168.201.7_443 -staServer "http://192.168.10.134"
  265. bind vpn vserver _XM_XenMobileGateway -appController "https://mdm.cmcm.lu:8443"
  266. bind vpn vserver _XD_192.168.201.7_443 -portaltheme X1-CMCM
  # Authentication on the XenMobile gateway: a single unconditional LDAP policy and
  # nothing else, i.e. password-only. Compare the _XD vserver below, which is two-factor.
  267. bind vpn vserver _XM_XenMobileGateway -policy 192.168.201.8_LDAP_pol
  # Clientless access: the Receiver-specific no-rewrite policy (80) wins over the
  # unconditional rewrite fallback (100).
  268. bind vpn vserver _XM_XenMobileGateway -policy CLT_LESS_192.168.201.6 -priority 80 -gotoPriorityExpression END -type REQUEST
  269. bind vpn vserver _XM_XenMobileGateway -policy CLT_LESS_RF_192.168.201.6 -priority 100 -gotoPriorityExpression END -type REQUEST
  270. bind vpn vserver _XM_XenMobileGateway -policy enforce_STS -priority 100 -gotoPriorityExpression END -type RESPONSE
  # _cache*/_mayNoCacheReq/_noCacheRest are built-in cache policies not defined in this file.
  271. bind vpn vserver _XM_XenMobileGateway -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
  272. bind vpn vserver _XM_XenMobileGateway -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
  273. bind vpn vserver _XM_XenMobileGateway -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
  274. bind vpn vserver _XM_XenMobileGateway -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
  275. bind vpn vserver _XM_XenMobileGateway -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
  276. bind vpn vserver _XM_XenMobileGateway -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
  # Session policies evaluated in order 100/110/120 with NEXT, so for a browser without a
  # Referer both PL_WB and PL_AG_PLG match and their settings are merged by priority.
  277. bind vpn vserver _XM_XenMobileGateway -policy PL_OS_192.168.201.6 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
  278. bind vpn vserver _XM_XenMobileGateway -policy PL_WB_192.168.201.6 -priority 110 -gotoPriorityExpression NEXT -type REQUEST
  279. bind vpn vserver _XM_XenMobileGateway -policy PL_AG_PLG_192.168.201.6 -priority 120 -gotoPriorityExpression NEXT -type REQUEST
  # XenDesktop gateway authentication: Receiver clients get RADIUS (Vasco) as primary and
  # LDAP as secondary; everything else gets LDAP primary and RADIUS secondary. Either way
  # both factors are required; the User-Agent only changes the order.
  280. bind vpn vserver _XD_192.168.201.7_443 -policy mobile_Vasco_pol -priority 90
  281. bind vpn vserver _XD_192.168.201.7_443 -policy nonmobile_ldap_pol -priority 100
  282. bind vpn vserver _XD_192.168.201.7_443 -policy mobile_ldap_pol -priority 90 -secondary
  283. bind vpn vserver _XD_192.168.201.7_443 -policy nonmobile_Vasco_pol -priority 100 -secondary
  284. bind vpn vserver _XD_192.168.201.7_443 -policy enforce_STS -priority 100 -gotoPriorityExpression END -type RESPONSE
  285. bind vpn vserver _XD_192.168.201.7_443 -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
  286. bind vpn vserver _XD_192.168.201.7_443 -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
  287. bind vpn vserver _XD_192.168.201.7_443 -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
  288. bind vpn vserver _XD_192.168.201.7_443 -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
  289. bind vpn vserver _XD_192.168.201.7_443 -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
  290. bind vpn vserver _XD_192.168.201.7_443 -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
  291. bind vpn vserver _XD_192.168.201.7_443 -policy PL_OS_192.168.201.7 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
  292. bind vpn vserver _XD_192.168.201.7_443 -policy PL_WB_192.168.201.7 -priority 110 -gotoPriorityExpression NEXT -type REQUEST
  # Cipher groups: TLS 1.2 only, ECDHE/DHE with AES-GCM first. The 2019 group appends one
  # CBC suite (ECDHE-RSA-AES-256-SHA384) at the lowest priority as a fallback; unless a
  # known client needs it, drop it to stay on AEAD suites only.
  293. add ssl cipher custom-ssllabs-cipher
  294. add ssl cipher custom-ssllabs-cipher-2019
  295. bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
  296. bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
  297. bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 3
  298. bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 -cipherPriority 4
  299. bind ssl cipher custom-ssllabs-cipher-2019 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
  300. bind ssl cipher custom-ssllabs-cipher-2019 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
  301. bind ssl cipher custom-ssllabs-cipher-2019 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 3
  302. bind ssl cipher custom-ssllabs-cipher-2019 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 -cipherPriority 4
  303. bind ssl cipher custom-ssllabs-cipher-2019 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 5
  # Loopback management/RPC services use the appliance's self-signed certificate.
  304. bind ssl service nsrnatsip-127.0.0.1-5061 -certkeyName ns-server-certificate
  305. bind ssl service nskrpcs-127.0.0.1-3009 -certkeyName ns-server-certificate
  306. bind ssl service nshttps-::1l-443 -certkeyName ns-server-certificate
  307. bind ssl service nsrpcs-::1l-3008 -certkeyName ns-server-certificate
  308. bind ssl service nshttps-127.0.0.1-443 -certkeyName ns-server-certificate
  309. bind ssl service nsrpcs-127.0.0.1-3008 -certkeyName ns-server-certificate
  # ECDHE curves. P_224 is bound on every service and vserver below; it offers roughly
  # 112-bit security and modern clients do not negotiate it, so unbind it and keep
  # P_256/P_384 (P_521 is harmless).
  310. bind ssl service vpndbssvc_-662974853 -eccCurveName P_256
  311. bind ssl service vpndbssvc_-662974853 -eccCurveName P_384
  312. bind ssl service vpndbssvc_-662974853 -eccCurveName P_224
  313. bind ssl service vpndbssvc_-662974853 -eccCurveName P_521
  # MDM vservers use the 4-suite group; the two gateways use the 2019 group with the CBC
  # fallback. Note the MAM vserver (_XM_MAM_LB_192.168.201.9_8443) has no custom cipher
  # group bound here and therefore runs the build's default cipher list.
  314. bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -cipherName custom-ssllabs-cipher
  315. bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -cipherName custom-ssllabs-cipher
  316. bind ssl vserver _XM_XenMobileGateway -cipherName custom-ssllabs-cipher-2019
  317. bind ssl vserver _XD_192.168.201.7_443 -cipherName custom-ssllabs-cipher-2019
  # One wildcard key (STAR.cmcm.lu) serves all five public vservers; a compromise of this
  # appliance is a compromise of that key for every cmcm.lu name it covers.
  318. bind ssl vserver _XM_MAM_LB_192.168.201.9_8443 -certkeyName STAR.cmcm.lu
  319. bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -certkeyName STAR.cmcm.lu
  320. bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -certkeyName STAR.cmcm.lu
  321. bind ssl vserver _XM_XenMobileGateway -certkeyName STAR.cmcm.lu
  322. bind ssl vserver _XD_192.168.201.7_443 -certkeyName STAR.cmcm.lu
  323. bind ssl vserver _XM_MAM_LB_192.168.201.9_8443 -eccCurveName P_256
  324. bind ssl vserver _XM_MAM_LB_192.168.201.9_8443 -eccCurveName P_384
  325. bind ssl vserver _XM_MAM_LB_192.168.201.9_8443 -eccCurveName P_224
  326. bind ssl vserver _XM_MAM_LB_192.168.201.9_8443 -eccCurveName P_521
  327. bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -eccCurveName P_256
  328. bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -eccCurveName P_384
  329. bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -eccCurveName P_224
  330. bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -eccCurveName P_521
  331. bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -eccCurveName P_256
  332. bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -eccCurveName P_384
  333. bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -eccCurveName P_224
  334. bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_8443 -eccCurveName P_521
  335. bind ssl vserver _XM_XenMobileGateway -eccCurveName P_256
  336. bind ssl vserver _XM_XenMobileGateway -eccCurveName P_384
  337. bind ssl vserver _XM_XenMobileGateway -eccCurveName P_224
  338. bind ssl vserver _XM_XenMobileGateway -eccCurveName P_521
  339. bind ssl vserver _XD_192.168.201.7_443 -eccCurveName P_256
  340. bind ssl vserver _XD_192.168.201.7_443 -eccCurveName P_384
  341. bind ssl vserver _XD_192.168.201.7_443 -eccCurveName P_224
  342. bind ssl vserver _XD_192.168.201.7_443 -eccCurveName P_521
  # Client-certificate-to-header policy, active only on the MDM 443 vserver.
  343. bind ssl vserver _XM_LB_MDM_XenMobileMDM_192.168.201.5_443 -policyName _XM_MDM_XenMobileMDM_POLICY -priority 100
  # AppFw content-type classification. These are declared, but the AppFw feature is not
  # in the `enable ns feature` list at the top of the file, so no WAF inspection is
  # actually applied to any vserver in this config.
  344. add appfw JSONContentType "^application/json$" -isRegex REGEX
  345. add appfw XMLContentType ".*/xml" -isRegex REGEX
  346. add appfw XMLContentType ".*/.*\\+xml" -isRegex REGEX
  347. add appfw XMLContentType ".*/xml-.*" -isRegex REGEX
  # Remaining platform defaults (tunnel source, PTP, timezone, VPX CPU yield, CQA/QoS,
  # URL-filtering DB update schedule, video optimisation sampling).
  348. set ip6TunnelParam -srcIP ::
  349. set ptp -state ENABLE
  350. set ns param -timezone "GMT+01:00-CET-Europe/Luxembourg"
  351. set ns vpxparam -cpuyield DEFAULT
  352. set ns cqaparam -lr1probthresh 0.00e+00 -lr2probthresh 0.00e+00
  353. set qos parameters -debuglevel 0 -dumpcore 4294967295 -dumpsession 0 -dumpqp 0
  354. set urlfiltering parameter -HoursBetweenDBUpdates 24 -TimeOfDayToUpdateDB 03:00 -MaxNumberOfCloudThreads 4 -CloudKeepAliveTimeout 120000 -CloudServerConnectTimeout 1000 -CloudDBLookupTimeout 2000 -seedDBSizeLevel 1 -LocalDatabaseThreads 1
  355. set videooptimization parameter -RandomSamplingPercentage 0.00e+00