Go Premium for a chance to win a PS4. Enter to Win

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 208
  • Last Modified:

Citrix NetScaler - possible to view client IP for a particular user?

Client has a NetScaler VPX 200 (11.0 63.16.nc).

They have asked if it possible to provide them with the 'IP list for access 'user12345' for the month of July please ?'. They would like to know the IP addresses for a particular user's client devices as they believe there has been a security breach.

Is this possible?

Mark Galvin
Mark Galvin
  • 2
1 Solution
Dirk KotteSECommented:
dont know a logfile on the netscaler.
but at xenapp/xendesktop (if used) you can see endpoint-IP.
Within director / sessions you can see all endpoint-IP's used.
If you use rdius for authentication you should find endpoint IPs at the authentication log from radius server.
Mark GalvinManaging Director / Principal ConsultantAuthor Commented:
Using XenApp 6.5 so no Director app. Not using radius for auth. Using AD.
Dirk KotteSECommented:
i check my logfiles (/var/log) at my NS.
there are different logs with enduser-ip.
- messages contains some informations about filed logons
- ns.log contains informations about successfull and failed logons (and many other data)

Jul 28 10:31:49 <local0.warn> 07/28/2016:08:31:49 GMT ns 0-PPE-0 : AAA LOGIN_FAILED 161160 0 :  User dirk - Client_ip - Failure_reason "External authentication server denied access" - Browser Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Jul 28 10:36:44 <local0.info> 07/28/2016:08:36:44 GMT ns 0-PPE-0 : SSLVPN HTTPREQUEST 161244 0 : Context dirk@ - SessionId: 192- gateway.mydomain.de User dirk: Group(s) N/A : Vserver - 07/28/2016:08:36:44 GMT GET /Citrix/xxxxxxxXA6-5/endpoints/v1 - -

Open in new window

A lot will depend on your AAA setup in the Netscaler..
If the Netscaler is the authentication point, then you should be able to look at the Netscaler logs and search for the user's login name.  (Get backups of those logs *immediately* before the accidentally get overwritten.

A simple findstr should pop up the list of entries from either the AAA or ns.log files.  
If you want to get fancy with powershell and RegEx, you can extract *just* the list of dates/times, the user name & the ip address.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now