prevent brut force with Citrix ADC

Prevent brute force attacks with Citrix ADC

Prevent brute force attacks with Citrix ADC?

You want to prevent brute force attacks on your internal website? You can easily prevent brute force attacks with Citrix ADC. I will explain in this article what a brute force attack is, why it is dangerous although a password policy is used and how the brute force attack can be prevented or mitigated with the Citrix ADC. As a prerequisite I assume that you have already set up an Authentication Server or a Citrix Gateway. The configuration in my article was done on Citrix ADC 12.1. All configurations also can be made on Citrix Gateway.

What is a brute force attack?

With a brute force attack an attacker usually try to crack your logins. All possible combinations of user names and passwords are tried out. If one of the username/password combinations is correct, the attacker is through the barrier and in your system.

We have a password policy and use secure passwords? Why is brute force still a danger to our company?

Many companies use the email address or at least the email alias as login name. This makes it easier for users to remember their logins. The problem with this is that the user names can be easily found out.
In addition, user accounts are blocked after a certain number of incorrect logins for greater security in the company. I would always recommend that. The problem with this is that a company can be harmed if the user accounts are blocked with a brute force attack. This happens when the brute force attack reaches the maximum number of login failures. With this method you can block several thousand user accounts within minutes.

How can I easily prevent brute force attacks with the Citrix ADC?

With the help of Citrix ADC, you can set up additional protection for user accounts. For example, if the Active Directory password policy contains a maximum of 5 logon attempts, you can prohibit logging on to the Citrix ADC after 3 failed attempts. Thus the user on the Citrix is blocked for a given time for the logon. Further logon attempts are no longer passed through to your Active Directory.
The user can therefore continue to log on internally even though his user is blocked from logging on to the Citrix ADC from external. This setting can be activated and configured separately for each Citrix Gateway Virtual Server and for each Authentication Virtual Server.

How is this configured on the Citrix ADC?

First click either on the Authentication Virtual Server or on the Citrix Gateway Virtual Server you want to edit. You can also select it and click “Edit”.

prevent brut force with Citrix ADC - Edit the vServer
prevent brut force with Citrix ADC – Edit the vServer

ow to find the Virtual Servers:

Authentication Virtual Server: Configuration > Security > AAA- Application Traffic > Virtual Servers

Citrix Gateway Virtual Server: Configuration > Citrix Gateway > Virtual Servers

Note: This setting also applies to VPN Servers and Unified Gateway Servers.

Configure “Max Login Attempts” and “Failed Login Timeout”

Now we edit the values “Max Login Attempts” and “Failed Login Timeout” in the respective virtual server.For this we click on next to “Basic Settings” on the pen for editing and unfold the point “More”.

Max Login Attempts: The maximal count of failed logon attempts the user can have until we lock his account on Citrix ADC

Failed Login Timeouts: The time the user will be locked on Citrix ADC

Here we for example I configure the following values:

prevent brut force with Citrix ADC - Edit the vServer configuration
prevent brut force with Citrix ADC – Edit the vServer configuration

Once the setting has been made, you can go back from the configuration of the respective virtual server with “Done”.

The settings can also be configured via the Citrix ADC CLI

In both examples a maximum number of 3 false logins is set. If this is reached, the user is locked for 30 minutes.

Authentication Virtual Server:

set authentication <Your vServername> -maxLoginAttempts 3 -failedLoginTimeout 30

Citrix Gateway Virtual Server:

set vpn <Your vServername>  -maxloginAttempts 3 -failedLoginTimeout 30

Let’s test our configuration

To test if we can prevent the brute force attack with the Citrix ADC we go to the login page of our vServer. I will logon 3 times with correct username but wrong password.

prevent brut force with Citrix ADC - LoginPage
prevent brut force with Citrix ADC – LoginPage

After 3 unsuccessful login attempts the user account will be locked. You will see the following message is displayed on the Citrix ADC during the fourth login attempt:
“You have exceeded the maximum login attempts. Please contact your administrator.”

prevent brut force with Citrix ADC - Useraccount locked
prevent brut force with Citrix ADC – Useraccount locked

Our user account in the Active Directory is still normally released for login and not locked.

So our configuration works! ツ Nice…

Thus it is relatively easy to prevent user blocking by brute force attacks with the Citrix ADC.
The user account will be unlocked after 30 minutes and the user can log in via the Citrix ADC again.

Releasing the user lock on the Citrix ADC again

Sometimes, as an administrator, you have to unlock a user before the lockout period expires for logging on again. Since we use an external authentication source, this is not possible via the WebGUI of the Citrix ADC. However, we can do this through the CLI of the Citrix ADC. To do this, we register via SSH with Putty ( on the Citrix, for example.

We can now unlock the locked user with the following command:

unlock aaa user <Loginname of the User>

I hope as always that you liked the article and that it will help you. If you have any questions or suggestions, please write me a comment. Also read my other articles about Citrix ADC here.

Otherwise I am happy about a Like on Facebook, Xing or if you follow me on Twitter. You will find the social media buttons on top and on bottom of my page. You can also share my article if you like.

Leave a Comment

Your email address will not be published. Required fields are marked *