NetScaler and Exchange 2016 Outlook Anywhere Authentication Issues – Shell Shock

On a recent engagement deploying NetScaler 12.0 Load balancing for Exchange 2016, we stumbled across an issue whereby when proxying Exchange 2010 mailbox connections via the NetScaler load balanced Exchange 2016 Servers using RPC/HTTP, the connections would hang for an extended duration (timeout settings on the VIP) before falling back to RPC. When bypassing the NetScaler and going direct to the Exchange 2016 Servers there is no problem. The offending traffic seems to be that with Authentication encapsulated within

We searched high and low, checked Exchange end to end, and rebuilt all sorts of load balancing options. Eventually logged a ticket with Citrix and was lucky enough to work with one of their NetScaler guns, who after multiple tracing sessions identified the NetScaler appearing to not continue sending authentication payloads

Long story short, the configuration was still utilising the old Shell Shock Responder Policy protection method which is now defunct in NetScaler 11.(something) onwards. Issue was that the packet sizes holding Auth were big enough to trigger the responder which had an action of DROP. Remove the responder, welcome back Exchange RPC/HTTP

There are plenty of posts out there with similar issues, hopefully this helps someone else identify their problem if they have the same

There is a quick publish article here outlining the issue and resolution

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at

Up ↑

%d bloggers like this: