Citrix NetScaler - possible to view client IP for a particular user?

Client has a NetScaler VPX 200 (11.0

They have asked if it possible to provide them with the 'IP list for access 'user12345' for the month of July please ?'. They would like to know the IP addresses for a particular user's client devices as they believe there has been a security breach.

Is this possible?

LVL 13
Mark GalvinManaging Director / Principal ConsultantAsked:
Who is Participating?
CoralonConnect With a Mentor Commented:
A lot will depend on your AAA setup in the Netscaler..
If the Netscaler is the authentication point, then you should be able to look at the Netscaler logs and search for the user's login name.  (Get backups of those logs *immediately* before the accidentally get overwritten.

A simple findstr should pop up the list of entries from either the AAA or ns.log files.  
If you want to get fancy with powershell and RegEx, you can extract *just* the list of dates/times, the user name & the ip address.

Dirk KotteSECommented:
dont know a logfile on the netscaler.
but at xenapp/xendesktop (if used) you can see endpoint-IP.
Within director / sessions you can see all endpoint-IP's used.
If you use rdius for authentication you should find endpoint IPs at the authentication log from radius server.
Mark GalvinManaging Director / Principal ConsultantAuthor Commented:
Using XenApp 6.5 so no Director app. Not using radius for auth. Using AD.
Dirk KotteSECommented:
i check my logfiles (/var/log) at my NS.
there are different logs with enduser-ip.
- messages contains some informations about filed logons
- ns.log contains informations about successfull and failed logons (and many other data)

Jul 28 10:31:49 <local0.warn> 07/28/2016:08:31:49 GMT ns 0-PPE-0 : AAA LOGIN_FAILED 161160 0 :  User dirk - Client_ip - Failure_reason "External authentication server denied access" - Browser Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Jul 28 10:36:44 <> 07/28/2016:08:36:44 GMT ns 0-PPE-0 : SSLVPN HTTPREQUEST 161244 0 : Context dirk@ - SessionId: 192- User dirk: Group(s) N/A : Vserver - 07/28/2016:08:36:44 GMT GET /Citrix/xxxxxxxXA6-5/endpoints/v1 - -

Open in new window

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.