January 2017
Table of Contents
Training Overview ..... 5
Training Overview ..... 6
*Exercise 3 (Optional): License and add a SNIP to your 2nd NetScaler if needed because you want to Go another Direction ..... 29
4
citrix.com
Training Overview
Objective
This lab training will provide hands-on experience on a wide range of core features that Citrix NetScaler
offers. This lab is designed to allow the student to pick and choose the exercises of choice, jumping
around by pasting prerequisites into the NetScaler CLI. One who is familiar with Load Balancing and
general ADC features can ramp up quickly with comparable exercises in the GUI or Command Line.
Required Prerequisites
Basic NetScaler or Application Delivery Controller familiarity is desired.
Optional Prerequisites
SQL and Database Knowledge, or a HTML and Web Security Background are beneficial.
Audience
Target
Customers
Citrix Internal Consultants
Citrix Internal Technical Support
Partners
Citrix Internal Sales Engineers
Conventions: text the student enters or an item they select is printed like this: reboot
Lab Environment Details
Using a Hypervisor Host, we have several Virtual machines configured below for this lab, including a
couple NetScalers to pair, cluster, or use as individual sites, an Active Directory, SQL, WebServers and
WebGoats, and more.
Virtual Machines
VM Name IP Address Description
Credentials
User Name Password Description
Lab Scenario
The Citrix NetScaler product line optimizes delivery of applications over the Internet and private networks,
combining app security, optimization, and traffic management into a single, integrated appliance.
Customers install NetScaler in the Data Center and route all traffic to managed servers through it. The
NetScaler features and policies are then applied to control and manage incoming and outgoing traffic.
This lab will quickly progress a person through several of the common features and use cases to provide
familiarization and is built in a choose your own adventure or which way book format so one can
focus in the areas of interest. By using the CLI commands with cut/paste, one can navigate fairly quickly,
but be warned that cut/paste can aggravate some policy entries where unseen special characters transfer
in. Try typing the detail as a last resort, as cut/paste off the PDF document has been the issue many
times. Though the exercises are written in a steady flow, only the basic steps of licensing and base
provisioning are required. Remember, you are free to choose your own adventure with this lab guide as a
reference. We encourage you to explore and ask questions, but read associated steps fully and relevant
context first before reaching out for assistance.
Also, it should be noted that Module 12 covers NetScaler MAS which can be deployed immediately after
successfully setting up one or both NetScalers as directed in Module 1 and Module 2. Visiting Module 12
and then proceeding to configure Module 13 may add benefit, because you can observe changes through
MAS and even record the configurations you are performing to output into CLI scripts via Configuration
Job (See Module 12 Exercise 2).
NetScaler Functionality
NetScaler content switching and load balancing dramatically improve the throughput and scalability of an
Internet application by decoupling each application request/response flow from the underlying transport.
Content switching and load balancing ensure the most efficient use of transport protocols and resources,
even in a scenario where the content is encrypted or compressed.
The NetScaler system manages the complete life cycle of the request/response transaction. With this
management, the NetScaler system is uniquely equipped to direct and control application requests most
efficiently, from the client to the server and back again.
Connection multiplexing (also known as connection reuse) allows the servers to handle much fewer
connections than are received by the NetScaler system.
Note** Connection multiplexing reduces the use of your back-end servers. This functionality is enabled by
default with NetScaler.
The efficient use of the HTTP specification provides a significant boost to the effective capacity of the
server by reducing server CPU load. With this separation, the NetScaler system can use the TCP proxy
architecture to multiplex and reuse the server-side TCP connection independently from a client-side
connection. This reuse of established and idle server-side TCP connections reduces the TCP overhead
on web servers.
NetScaler Overview
Citrix NetScaler is an application switch that performs application-specific traffic analysis to intelligently
distribute, optimize, and secure layer-4 through layer-7 (L4-L7) network traffic for web applications. For
example, a NetScaler system makes load-balancing decisions on individual HTTP requests rather than
on the basis of long-lived TCP connections, so that the failure or slowdown of a server is managed much
more quickly and with fewer disruptions to clients. NetScaler functionalities are broadly categorized into
features, such as switching, security, protection and farm optimization.
Switching
When deployed in front of application servers, a NetScaler system ensures ideal distribution of traffic. You
can segment application traffic according to information in the body of an HTTP or TCP request, and on
the basis of L4-L7 header information such as URL, application data type, or cookie. Numerous load-
balancing algorithms and extensive server health checks improve application availability by ensuring that
client requests are directed to the correct servers
Security and Protection
NetScaler security and protection features protect web applications from application-layer attacks. A
NetScaler system provides built-in defenses against denial-of-service (DoS) and distributed denial of
service (DDoS) attacks and supports features that protect applications against legitimate surges in
application traffic that would otherwise overwhelm the servers. An available, built-in firewall can protect
web applications from application-layer attacks, including buffer overflow exploits, SQL injection attempts,
and cross-site scripting attacks. In addition, the firewall provides identity theft protection by securing
confidential corporate information and sensitive customer data
Optimization
Optimization features offload resource-intensive operations such as Secure Sockets Layer (SSL)
processing, data compression, client keep-alive, TCP buffering, and the caching of static and dynamic
content from servers. Optimization improves server performance in the farm and therefore speeds up
applications. A NetScaler system supports several transparent TCP optimizations, which mitigate
problems caused by high latency and congested network links, accelerating the delivery of applications
while requiring no configuration changes to clients or servers.
Lab Preparation
Attach XenCenter to Your XenServer (ZFS)
Overview
This lab is designed to cover a wide spectrum of the vast NetScaler feature set. We will touch on several
core features and common use cases found in NetScaler deployments. You will see how NetScaler is
managed and optimized, and cover topics including initial tune-up, networking and licensing. In addition,
you'll get hands-on with load balancing, content switching, URL transform with Rewrite, SSL offload and
more.
XenCenter is a graphical user interface application used for managing one or more XenServers.
You will be using XenCenter to manage the XenServer needed for the lab.
2.
3. Enter the parameters shown below:
IP Address: 192.168.10.5
Username: admin
Password: provided on the web portal you launched from
Click Add.
4. XenCenter will attach to your physical XenServer. You will see your VMs running. (Your physical XenServer name will be different.)
Summary
You have attached XenCenter to your XenServer and configured the NetScaler's initial IP.
Module 1: NetScaler Licensing and IP Addresses
NetScaler Licensing
You must properly license a NetScaler system before you can deploy it to distribute, optimize, or secure networking traffic for web applications. After you have obtained the licenses, you must install them on your appliance and then verify that the features corresponding to the licenses are enabled. If you do not install a license on the appliance, the First-time Setup Wizard appears, which provides options for licensing, including installation.
Most common licenses include:
Exercise 1: Licensing your NetScaler
Overview
As mentioned earlier, before starting the configuration process the NetScaler needs to be properly licensed. Licenses are allocated based on the MAC address of the appliance (known as the host ID) and can be downloaded from Citrix.com. For this lab, we have already downloaded the proper licenses and placed them in C:\Licenses on the Student Desktop.
Step by Step Guidance
Step Action
1.
Use an SSH connection (PuTTY) to the NetScaler A (192.168.10.15) command-line interface, logged on as the nsroot user, for this task.
Begin the licensing lab by verifying the host ID of NetScaler-A (192.168.10.15). You will use this information for allocating the license file. Connect to the NetScaler system from the command-line interface using PuTTY and open NetScaler A. Log on using the nsroot credentials.
Enter the shell from the CLI and run the command lmutil lmhostid ether.
Take note of the FlexNet host ID of this NetScaler; we will need to match this ID to the license file in the steps below.
2.
Log in to NetScaler-A (192.168.10.15) by navigating to http://192.168.10.15 in your web browser.
Username: nsroot
Password: nsroot
3.
Verify that the NetScaler IP Address configuration matches the screenshot below and continue.
When presented with the following screen, click on Subnet IP Address and, to stay with the guide, select Do it Later. Now or later, the SNIP will be 192.168.10.16.
Under Hostname, DNS IP Address, and Time Zone, enter the following and select Done.
4.
Select Licenses to upload the license file. If not going through the wizard, license configuration can be found at System > Licenses > Update in the GUI.
Select the 4th item, labeled Licensing. Select Upload files from a local computer. You will find the licenses in the folder C:\Licenses.
There is a total of 4 licenses in C:\Licenses; you will select the one matched to the host ID of this NetScaler. When troubleshooting a license, the host ID and the dates usually need to be verified: a wrong host ID or an incongruent time tends to be the issue.
Open each license file with Notepad and check the date and host ID, noting which file goes to which appliance:
Go to Start Menu > Computer > Local Disk (C:), and then click Licenses.
In the Licenses folder you will find 4 licenses.
Select the first license, right-click, and select Open with Notepad.
You need to find the license file that goes with the host ID identified earlier and then upload that license to the NetScaler.
5.
Once the license has been uploaded to the NetScaler, click Reboot. (Due to the licensing change, the NetScaler requires a reboot in order for the license to take effect.)
6.
After the NetScaler has rebooted, you are able to verify the licenses by logging in and going to System > Licenses. Since you have uploaded a Platinum License, all features should have a green check.
** NOTE: if you have a black X after Clustering, indicating this feature is disabled, note that it will change when you upgrade the appliance to 11.X in Module 2. In 10.5, Clustering had an add-on license, but it is now included in Enterprise and Platinum.
Exercise Summary
In this exercise you successfully licensed a NetScaler with a Platinum license.
If you prefer to use only the Command Line Interface (CLI) and not the GUI, you could Secure Copy (SCP) the license file into the /nsconfig/license directory and reboot. You can also drop into the shell from the CLI and view the license file with cat or a similar command. The shell is a Unix prompt for file maintenance, and cat is a command to read a file. From the NetScaler CLI, with superuser access, you can read the dates and HOSTID in the file by entering shell and then cat /nsconfig/license/xxxxxxx.lic.
If you have a short scroll bar, as in the XenServer console, try the more command instead of cat.
Output below:
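As an added example that is not part of the lab guide, the following Python script automates the manual check from Exercise 1 step 4: it reads the host ID out of the lmutil lmhostid ether output and scans each .lic file for its HOSTID= and expiry fields, flagging files that belong to another appliance or have already expired. The lmutil output format, the license text and the file names below are constructed samples and an assumption about the FlexNet layout, not data taken from the lab.

```python
"""Match FlexNet license files to a NetScaler host ID (added example).

Automates the manual check from Module 1 Exercise 1: compare the host ID
reported by `lmutil lmhostid ether` with the HOSTID= and expiry fields of each
.lic file, so the right file is uploaded and a wrong host ID or an expired
date is caught before the reboot. Sample data below is constructed.
"""
import re
from datetime import date, datetime
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample of `lmutil lmhostid ether` output (exact wording is an assumption).
SAMPLE_LMUTIL_OUTPUT = '''lmutil - Copyright (c) 1989-2013 Flexera Software LLC. All Rights Reserved.
The FlexNet host ID of this machine is ""06e089e0b0f2""
'''

# Constructed sample license files keyed by file name. Feature names, dates and
# host IDs are made up; only the INCREMENT/HOSTID/expiry layout follows FlexNet.
SAMPLE_LICENSES = {
    "06e089e0b0f2.lic": (
        "# Citrix NetScaler Platinum license (constructed sample)\n"
        "INCREMENT CNS_V1000_SERVER_PLT citrix 2017.0116 permanent 1 \\\n"
        "\tVENDOR_STRING=;LT=Retail;GP=720;CL=PLT HOSTID=06e089e0b0f2 \\\n"
        "\tISSUER=\"Citrix Systems, Inc.\" SIGN=\"0000 0000\"\n"
    ),
    "000c29aabbcc.lic": (
        "INCREMENT CNS_V1000_SERVER_PLT citrix 2017.0116 permanent 1 \\\n"
        "\tHOSTID=000c29aabbcc SIGN=\"0000 0000\"\n"
    ),
    "expired.lic": (
        "INCREMENT CNS_V1000_SERVER_PLT citrix 2016.0101 01-jan-2016 1 \\\n"
        "\tHOSTID=06e089e0b0f2 SIGN=\"0000 0000\"\n"
    ),
}

# A 12-hex-digit MAC-derived host ID, optionally wrapped in one or more quotes.
HOSTID_RE = re.compile(r'host ID of this machine is\s*"*([0-9a-fA-F]{12})', re.I)


def parse_lmhostid(output: str) -> Optional[str]:
    """Extract the lowercase FlexNet host ID from lmutil output, or None."""
    m = HOSTID_RE.search(output)
    return m.group(1).lower() if m else None


def _join_continuations(text: str) -> List[str]:
    """FlexNet wraps long lines with a trailing backslash; join them back."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append((buf + line).strip())
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def parse_expiry(token: str) -> Optional[date]:
    """FlexNet expiry is 'permanent' (or '0') for no expiry, else dd-mon-yyyy."""
    if token.lower() in ("permanent", "0"):
        return None
    return datetime.strptime(token, "%d-%b-%Y").date()


def parse_license(text: str) -> List[Dict]:
    """Return one dict per INCREMENT line: feature name, expiry date, host ID."""
    feats = []
    for line in _join_continuations(text):
        parts = line.split()
        if len(parts) < 5 or parts[0] != "INCREMENT":
            continue  # comments, SERVER/VENDOR lines, blank lines
        hostid = None
        for tok in parts[5:]:
            if tok.upper().startswith("HOSTID="):
                hostid = tok.split("=", 1)[1].strip('"').lower()
        feats.append({"feature": parts[1], "expiry": parse_expiry(parts[4]), "hostid": hostid})
    return feats


def check_license(text: str, hostid: str, today: date) -> Dict:
    """Classify one license file as ok, wrong-host, expired or no-features."""
    feats = parse_license(text)
    if not feats:
        return {"status": "no-features", "features": [], "expired": []}
    host_ok = all(f["hostid"] == hostid for f in feats)
    expired = [f["feature"] for f in feats if f["expiry"] is not None and f["expiry"] < today]
    status = "wrong-host" if not host_ok else ("expired" if expired else "ok")
    return {"status": status, "features": [f["feature"] for f in feats], "expired": expired}


def match_licenses(licenses: Dict[str, str], hostid: str, today: date) -> Dict[str, Dict]:
    """Check every license text against the appliance host ID and the clock."""
    return {name: check_license(text, hostid, today) for name, text in licenses.items()}


def load_license_dir(folder: str) -> Dict[str, str]:
    """Read every .lic file from a folder such as C:\\Licenses on the student desktop."""
    return {p.name: p.read_text() for p in Path(folder).glob("*.lic")}


if __name__ == "__main__":
    appliance = parse_lmhostid(SAMPLE_LMUTIL_OUTPUT)
    for name, result in match_licenses(SAMPLE_LICENSES, appliance, date.today()).items():
        print(f"{name}: {result['status']} {result['expired'] or ''}")
```

Against a real appliance, paste the lmutil output into parse_lmhostid and point load_license_dir at the folder holding the four lab licenses; only the file reported as ok should be uploaded.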
Exercise 2: NetScaler Configuration for additional IP Addresses
Overview
NetScaler uses IP addresses to provide its functions and will often proxy a connection request arriving on a VIP-mounted vServer by connecting to the back-end server using a separate TCP connection sourced from the NetScaler Subnet IP, or SNIP. All NetScalers are active on their NSIP, or NetScaler IP, which is the initial management IP, the source for HA pairing, and more.
Step by Step Guidance
Step Action
1. Use an HTTP connection to the NetScaler A (192.168.10.15) configuration utility logged on as the nsroot
user for this task.
2.
Add a SNIP (Subnet IP address) to the NetScaler using 192.168.10.16 as the IP Address, 255.255.255.0 as
the Netmask.
Type: Subnet IP
Click Create
3. Verify the SNIP, Subnet IP Address is enabled and showing green.
4. The next step is to configure the Virtual IP. A VIP is used for Load Balancing Virtual Server IP addresses and needs to be configured in the Load Balancing section in subsequent steps.
Add a VIP (Virtual IP address) to the NetScaler using 192.168.10.125 as the IP Address, 255.255.255.0 as
the Netmask.
Type: Virtual IP
Click Create
Alternatively, VIP IP Addresses can be directly configured as part of LB vserver configuration. In this lab we
will define it by adding it in the IPs Options.
5. After this step, we have three IP addresses configured on NetScaler as depicted in the figure below.
Make sure you save the running configuration. Click the Floppy Disk icon and then click Yes to confirm saving the Running configuration.
SNIP:
add ns ip 192.168.10.16 255.255.255.0 -vServer DISABLED -gui DISABLED -mgmtAccess ENABLED
VIP:
add ns ip 192.168.10.125 255.255.255.0 -type VIP -mgmtAccess ENABLED
Exercise Summary
In this exercise you have successfully configured the other 2 of 3 mandatory IP addresses that Citrix
NetScaler needs at minimum, the NSIP, SNIP, and VIP.
*Exercise 3 (Optional): License and add a SNIP to your 2nd NetScaler if needed because you want to Go another Direction
Overview
If you want to proceed to Module 2, you are already set. Following the normal lab guide flow, you will add the 2nd NetScaler's license in the High Availability Pair steps, Module 6 Exercise 1. The SNIP is eventually added and used in the GSLB lab exercise in Module 8. This optional exercise (Module 1 Exercise 3) is in place for those who plan to jump around in the lab guide. It is a minor step and will be of benefit if, for example, you want to choose your own adventure, go another direction, or choose which way you want to test and work.
If following the guide in sequence, you can skip this exercise, as it will be redundant with the licensing and IP steps in the HA lab.
If not following the lab guide in sequence, say you go straight to Clustering, you would need this step.
Step by Step Guidance
Step Action
1.
Turn on NetScaler B if needed, and configure the NSIP on the console. Use 192.168.10.17, 255.255.255.0, and for gateway, 192.168.10.1.
2.
Log in to NetScaler-B (192.168.10.17) by navigating to http://192.168.10.17 in your web browser.
o Username: nsroot
o Password: nsroot
3.
Add the NetScaler Subnet IP (SNIP) using 192.168.10.18.
We will need to activate NetScaler-B's license. You will follow the same procedure as in the Licensing Lab, but you will use 192.168.10.17 as the NetScaler IP address and the appropriate license for NetScaler B (06e089e0b0f2.lic).
Refer to the Licensing Lab for detailed licensing instructions. Below you will see the appropriate configuration for NetScaler B.
Upload the license file 06e089e0b0f2.lic. If not going through the wizard, license configuration can be found at System > Licenses > Update in the GUI.
Select Upload files from a local computer. You will find the licenses in the folder C:\Licenses.
There is a total of 4 licenses in C:\Licenses; you will select 06e089e0b0f2.lic.
Select Reboot.
Exercise Summary
If you needed to enable your own navigation in this lab guide, you may have licensed your 2nd NetScaler and added a SNIP.
Module 2: Upgrading NetScaler
Module Overview
NetScaler Release 11 brought Admin Partitions to the main build and several new features like IP Reputation, Security Insight, GeoLocation with WAF, OAuth, Unified Gateway, SSL enhancements, and more. A comprehensive list of enhancements is given in the release notes accompanying the release announcement. Take a moment to read this document before you upgrade your software: http://docs.citrix.com/en-us/netscaler/11/release-notes.html
Upgrade your NetScaler by the documented process found in our documentation for your use case: HA pair, cluster, or standalone.
Exercise 1: Upgrade to NetScaler 11
Overview
You will want to have licensed and IP addressed the NetScaler as a result of the first two exercises in Module 1. Our NetScalers at the moment are running 10.5. We will not be using the Wizard, per this note in the documentation:
Note: You cannot upgrade to NetScaler 11.0 from the following builds by using the Upgrade Wizard of the NetScaler GUI:
Workaround: Use the command line interface to upgrade the NetScaler appliance.
Note: As a prerequisite, you should have a Citrix ID to log on to the https://www.citrix.com/download page. If you do not have credentials and do not wish to create them, or if you wish to expedite the lab and avoid wait time during download, you can find the update firmware at the following location: C:\NS-Firmware\build_11.1-50.10_nc.tgz. Skip to step 4 if you want to leverage the pre-downloaded firmware.
Step by Step Guidance
Step Action
1.
Open a web browser to www.citrix.com/downloads, login, and select NetScaler ADC.
2. Select the Firmware for 11.1, or a newer release if you prefer.
3. Then, look under Firmware and click to download the file.
Note: To save time, you can find a pre-downloaded firmware update at C:\NS-Firmware\build_11.1-50.10_nc.tgz on the student desktop, as shown in Step 9 below. No need to wait on the download.
Accept any EULA and Download Agreements, and get that file onto your Student Desktop. By default it will save in the user's Downloads folder as shown below.
4. Launch WINSCP from the Student Desktop and login to your NetScaler IP, 192.168.10.15.
5.
The right frame is the NetScaler, and left frame is the Student Desktop. Double click the dot-dot (..) item in
the right frame to go up one directory and navigate to /nsconfig on the NetScaler.
6. Click on nsconfig, and look into the nsconfig directory as shown below.
7. Copy your ns.conf back to the student PC. Be sure to have saved your config to capture any recent work before this point. Even if this is low risk and just a lab, it is good practice to back up first. Below, I created a directory called Backup on the Student Desktop and copied my ns.conf, license, and ssl directories.
8. Next, let's drop the code onto the NetScaler. On the right side of WinSCP, navigate in the NetScaler to /var/nsinstall by double-clicking the dot-dot (..) and going up a directory level twice to reach / (root). Then double-click var, at the bottom of the list. Then double-click into nsinstall.
9. Here, you will notice a directory that was already made for you (manually) by the name of 11.1.50.10.nc. We have already uploaded the latest firmware as of writing this tutorial into it, to expedite the transfer and save time. You would normally drag and drop the firmware you downloaded from the left pane (local client) into the desired directory in the right pane (NetScaler appliance).
10. This is an optional step: the 50.10 code is already uploaded onto the appliance for you, so you can skip this step if you wish.
However, if you want to practice, you can upload the firmware to a new directory named something like 11.1.49.16.nc.
11. This is an optional step: the 50.10 code is already uploaded onto the appliance for you, so you can skip this step if you wish.
Navigate both sides of WinSCP such that the right side is in the NetScaler's /var/nsinstall/11.1.xx.xx.nc directory and the left side is in the Student Desktop's C:\Users\localuser\Downloads folder.
12. This is an optional step: the 50.10 code is already uploaded onto the appliance for you, so you can skip this step if you wish.
13.
Once the code is in place on the NetScaler, proceed with an SSH connection (PuTTY) to the NetScaler A (192.168.10.15) command-line interface, logged on as the nsroot user, for this task.
14. Log in, drop into the shell, and change directories to /var/nsinstall/11.0.65.31.nc (or something like it, if you used anything different when creating the directory). Enter ls to show the directory contents.
15. Run the command to extract the tarball: tar xzvf build-11.1-xx.xx_nc.tgz
16. Execute the command: ./installns
If prompted, enter Y to continue, per the picture above. The 11.1.50 build I tested did not prompt me here; it depends on the type of build used. No problem for the lab either way.
18. And just like that, we have NetScaler 11.1 build xx.xx. If you used the 50.10 code that was pre-seeded onto
the appliance, you will observe the expected firmware like the example below.
Exercise Summary
You downloaded NetScaler 11.1 and upgraded your node after taking a quick backup.
Note: NetScaler B is already loaded with firmware 11.1, hence no upgrade is required. However, upgrade procedures for NetScaler B would follow the same logical steps outlined above. For new releases, it is always good practice to refer to the release notes for any upgrade caveats or warnings when updating from much older appliances to the latest firmware. https://docs.citrix.com/en-us/netscaler/11-1/upgrade-downgrade-netscaler-appliance/upgrade-to-release-11-1.html mentions, for example:
You cannot upgrade to NetScaler 11.1 from the following builds by using the Upgrade Wizard of the NetScaler GUI:
Module 3: Define Server Load Balancing Properties, Virtual Servers and Services
Overview
NetScaler load balancing distributes end-user requests for web pages and other protected applications across multiple servers that host or mirror the same content. You use load balancing primarily to manage end-user requests to heavily used applications, preventing poor performance and outages and ensuring that end users can access your protected applications. Load balancing also provides fault tolerance; when one server that hosts a protected application becomes unavailable, the feature distributes end-user requests to the other servers that host the same application.
In a load-balancing configuration, the load-balancing virtual server is logically located between the client and the farm and manages traffic flow to the backend servers in the farm. On the NetScaler, the application servers are represented by virtual entities called services.
A load-balancing setup includes a load-balancing virtual server and multiple load-balanced application servers. The virtual server receives incoming client requests, uses the load-balancing algorithm to select an application server, and forwards the requests to the selected application server.
The load-balancing virtual server can use any of a number of algorithms, or methods, to determine how to distribute load among the load-balanced servers that it manages. The default load balancing method is the least connection method, in which the load-balancing NetScaler forwards each incoming client connection to whichever load-balanced application server currently has the fewest active user connections.
Server
A Server entity identifies a server and provides the IP address of the server. If you want to use the IP address of the server as the name of the server object, you can enter the IP address of the server when you create a service, and the server object is then created automatically. Alternatively, you can create the server object first and assign it an FQDN or other name, and then specify that name instead of the IP address when you create the service. Assigning a name (e.g. svr-StoreFront01) to a server might make it easier to work with the server, as it shows the function of the server and not just its IP address. Always make sure that you add an object type prefix to the name (e.g. svr-), so that you can easily identify the object when working with the CLI.
Service
A service entity can be a logical representation of the application server itself or of an application running
on a server that hosts multiple applications. A service is defined by an IP address, port, and protocol
combination used to route requests to a specific load-balanced application server. The service identifies
the type of traffic associated with a given server. You can configure multiple services for the same server.
For example, you can configure a server to run HTTP, FTP, and TCP services/applications. The
NetScaler system directs traffic to the server using the appropriate service. When you create a service,
you associate it with a server. For load balancing, you bind services to virtual servers. Based on these
services, the virtual servers will then load-balance traffic across the available servers.
Service Group
A service group is a collection of services identified by IP address or server name. In a service group, any management changes made to the group are propagated to all members of the group. You can also assign a monitor to the service group instead of assigning one to each service.
Load-Balancing Virtual Server
A virtual server is an aggregated system entity that usually comprises multiple servers and services.
Rather than traffic being routed directly to the server, it is sent to a virtual server, which then makes a
decision about which server to forward the traffic to, based on the services bound to the virtual server.
The state of the virtual server determines whether the client requests are accepted. You need to specify
the protocol, VIP, and the port.
Virtual Machines Required for This Module
VM Name IP Address Description
Exercise 1: Creating Servers, Services, and Load Balancing Virtual Servers
Overview
Configure basic load balancing.
1.
Enable the Load Balancing feature in Configuration > System > Settings. Click on Configure basic features under Modes and Features.
2.
Select Load Balancing and then click OK.
3.
Browse to the Configure modes option and ensure the settings match the screenshot.
4.
Configure Load Balancing under Configuration > Traffic Management > Load Balancing. If not enabled above in step 2, enable the feature by right-clicking and clicking Enable in the GUI.
5.
Set up the web servers under Traffic Management > Load Balancing > Servers by clicking Add for a new web server with a user-defined name and IP address 192.168.10.115, and click Create.
You are logged on to the NetScaler-A (192.168.10.15) configuration utility with the nsroot credentials.
o Click Add in the Servers pane; the Create Server dialog box opens.
o Type Web-Server-1 in the Server Name field and then type 192.168.10.115 in the IP Address field.
o Click Create.
6.
After configuring the Web-Server-1, click Create and repeat the above step for the second Web-Server-2
192.168.10.116.
7.
Once servers are configured, associate them with a back-end service to add a TCP port to the IP.
Create an HTTP service called Web_Service1 that will be associated with the Web-Server-1 server.
o Navigate to Configuration > Traffic Management > Load Balancing > Services.
o Click Add in the Services pane; the Load Balancing Service dialog box opens.
o Verify that HTTP is selected from the Protocol menu and 80 is entered in the Port field. Click OK.
8.
Click 1 Service to Load Balancing Monitoring Binding under Monitors.
Click Add Binding, then click the Click to select > control to get to the selections.
Select the http-ecv monitor by clicking the radio button to its left, and then click the Select button.
9.
Click Done.
10.
For Web-Server-2, repeat this process and create an HTTP service called Web_Service2 that will be associated with the Web-Server-2 server / IP address.
If both services are not up, the monitor must be failing. Can you ping both servers? Can you browse to them at their real IP on port 80? If they work directly, then NetScaler should be able to monitor them. If they are not directly responsive, maybe there is an issue with the web server.
11.
Now you will create a Load-Balancing Virtual Server and bind the services created earlier to this Virtual Server IP.
Begin the configuration of a Web-Vip load-balancing virtual server that will be associated with the Web_Service1 and Web_Service2 services.
o Verify that HTTP is selected from the Protocol drop-down menu and that 80 is entered in the Port field.
o Click OK.
12.
Click the No Load Balancing Virtual Server Service Binding option below Service to bind the Services.
13.
Finish with a review of the screen and click close.
14.
o Click Method under Advanced on the right
Note: You may need to click Refresh on the top-right before the
State shows as up
15.
Now the Web-Vip virtual server is up. Set the persistence to COOKIEINSERT and Time-out (mins)* field to
1.
o Select Edit
16.
Check that the Web-Vip load balancing virtual server is up
17.
After all setup is complete, go ahead and save the running configuration by clicking the "Save" icon in the upper right-hand corner of your NetScaler GUI.
add service Web_Service1 Web-Server-1 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind service Web_Service1 -monitorName http-ecv
add service Web_Service2 Web-Server-2 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind service Web_Service2 -monitorName http-ecv
Exercise Summary
In this exercise you have successfully configured Servers, Services, and Virtual Server all for
Server Load Balancing in Citrix NetScaler.
Exercise 2: Verify Load Balancing Service is Active on Web Server
Overview
In this exercise you will be verifying that the configuration on the NetScaler is performing as
configured.
Step by Step Guidance
Step Action
1.
Navigate to http://192.168.10.125 in your web browser
2.
The client request is handled by the NetScaler and load balanced to one of the two web servers.
This time Web Server B is accessed because Round Robin is the selected load balancing method: requests are forwarded to each web server in turn.
3.
Log on to NetScaler-A by navigating to http://192.168.10.15 in your web browser.
From the NetScaler GUI, open the Dashboard to monitor live sessions and the NetScaler application state.
Return to the http://192.168.10.125 URL (the load balanced virtual server) in your web browser and refresh it a few times.
Return to the NetScaler GUI page and you will see the number of HTTP Requests increasing, matching the number of times you refreshed the load balanced URL.
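To make the round-robin and COOKIEINSERT behaviour you just verified concrete, here is an added Python model of the Web-Vip virtual server. This is example code written for this guide, not NetScaler code: the service names follow the lab, the 192.0.2.x addresses and the cookie name NSC_WEB_VIP are constructed placeholders, and the up flag on each service stands in for the http-ecv monitor result.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Service:
    """One bound service; `up` stands in for the result of the http-ecv monitor."""
    name: str
    ip: str          # constructed lab-style address, not taken from the VM table
    port: int = 80
    up: bool = True


class RoundRobinVip:
    """A load balancing vserver with lbMethod ROUNDROBIN and COOKIEINSERT persistence."""

    def __init__(self, services: List[Service], cookie_name: str = "NSC_WEB_VIP"):
        # cookie_name is an assumed illustration value, not NetScaler's real cookie name
        self.services = services
        self.cookie_name = cookie_name
        self._next = 0

    def healthy(self) -> List[Service]:
        return [s for s in self.services if s.up]

    def select(self, cookies: Dict[str, str]) -> Optional[Service]:
        healthy = self.healthy()
        if not healthy:
            return None  # every monitor failing: the vserver itself is DOWN
        sticky = cookies.get(self.cookie_name)
        for s in healthy:
            if s.name == sticky:
                return s  # persistence wins while the remembered service is UP
        s = healthy[self._next % len(healthy)]  # otherwise round robin over UP services
        self._next += 1
        cookies[self.cookie_name] = s.name      # the Set-Cookie on the way back
        return s


def make_lab_vip() -> RoundRobinVip:
    return RoundRobinVip([
        Service("Web-Server-1", "192.0.2.11"),
        Service("Web-Server-2", "192.0.2.12"),
    ])


def simulate(vip: RoundRobinVip, requests: int, keep_cookies: bool) -> Dict[str, int]:
    """Count which service answered each request.

    keep_cookies=False models a fresh browser per request: the hits alternate.
    keep_cookies=True models one browser keeping its cookie jar: every hit lands
    on the same service until that service goes DOWN.
    """
    hits: Dict[str, int] = {}
    jar: Dict[str, str] = {}
    for _ in range(requests):
        if not keep_cookies:
            jar = {}
        chosen = vip.select(jar)
        key = chosen.name if chosen else "DOWN"
        hits[key] = hits.get(key, 0) + 1
    return hits
```

The failover case is the one worth watching: a client holding a cookie for Web-Server-1 is moved to Web-Server-2 the moment the monitor marks Web-Server-1 down, and its cookie is rewritten, which is what you would expect to see in the Dashboard counters if you stopped one web server during the test.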
Exercise Summary
In this exercise you have become familiar with Citrix NetScaler, configured basic load balancing services, and configured monitoring services in NetScaler.
Module 4: Content Switching
Overview
Content switching allows HTTP and HTTPS traffic requests to be intercepted and switched in a method
that is transparent to the client. A NetScaler system can switch static and dynamic content.
Content switching provides the ability to direct traffic and client requests to back-end services based on
an aspect of the request beyond the IP/port pair. Content switching allows the design of a complex
internal system to appear to the public behind a single IP address. As clients connect to and request data
from a single address, the NetScaler system examines the type of connection and sends it to the
appropriate back-end service.
The NetScaler system diverts the application requests transparently to the client and the application,
allowing the application to be managed separately from the hosting site.
Note: When switching both static and dynamic requests, you must configure one load-
balancing virtual server for static requests and a separate load-balancing virtual server
for dynamic requests.
Exercise 1: Content Switching
Overview
In this section, we will create a Content Switching Virtual Server that takes requests and directs them to the appropriate web server. The policy that will be created looks for /urlX within the URL and directs the request to Web Server A. Requests without /urlX are directed to Web Server B.
In this exercise you will:
Create a Content Switching Virtual Server that directs requests to the appropriate
backend service.
2.
Create a content-switching virtual server called WebSwitch with an IP address of 192.168.10.125.
Click Add in the Content Switching Virtual Servers pane. The Content Switching Virtual Server dialog box opens.
Click OK
3.
Create two non-addressable Load Balancing Virtual Servers. Configure WebVip1 and WebVip2 as HTTP with Web-Service1 and Web-Service2 assigned respectively. Be sure to select Non Addressable as the IP Address Type. These virtual servers will be used by the content switching virtual server to direct traffic to each individual server. We select non-addressable so that we can assign a server to the content switch without consuming an IP address on the network behind the NetScaler.
Create a non-addressable webvip1 load-balancing virtual server for the Web-Server-1 web server.
o Click OK. This action removes the IP Address and Port fields; no VIP address is assigned to this load-balancing virtual server.
o Click No Load Balancing Virtual Servers Service Binding in the service section
4.
Similarly, create a non-addressable webvip2 load-balancing vServer for the Web-Server-2 web service.
o Click OK. This action disables the IP Address and Port fields; no VIP address is assigned to this load-balancing virtual server.
o Click No Load Balancing Virtual Servers Service Binding in the service section
Click Bind.
5.
Here is a summary of your Load Balancing Virtual servers thus far.
Note: You may need to click Refresh on the top-right before the
State shows as up
6.
Create a Content Switching Policy. Configure the name and URL as urlswitch and /url* and create the policy
by clicking Create and then close.
Select Url
7.
Insert the new content switching policy into the Content Switching Virtual Server that you created in step 1 of
this lab.
Click Edit
Click Select.
Under Target Load Balancing Virtual Server, click Click to select and select webvip1. Blank out the Priority field, as you get an error setting a priority with a URL policy. Click Bind.
8.
Expand Default Load Balancing Virtual Server and select the webvip2 virtual server.
Click Bind
You now have 1 CS policy bound to webvip1 and webvip2 is set to the default load
balancing virtual server.
9.
Test the configuration to observe the content-switching behavior. Specify port 81 in the browser.
You can verify that the content switching policy urlswitch directs requests containing /urlX to WebVip1. Not specifying /urlX directs you to WebVip2, the default load balancing virtual server.
Exercise Summary
In this exercise you have configured Content Switching based on URL and tested that it works.
Exercise 2: Content Switching
Overview
In this section, we will unbind the urlswitch policy and create a new policy that detects the language via the HTTP header set by the browser, and direct requests accordingly.
In this exercise you will:
Create a URL switch
Unbind the original urlswitch policy from the WebSwitch Content Switching Virtual Server.
Click on the WebSwitch Content Switching Virtual Server, and click Edit
Select urlswitch
Click yes
Click Close
2.
Add a new content switching policy into the Content Switching Virtual Server that you created in step 1 of
this lab. First make sure that you switch back to default syntax.
Select WebSwitch
Ensure that it shows Switch to Classic Syntax under the Expression* box.
Don't click it; we are only verifying that you are not on Classic Syntax. Proceed.
3.
Navigate back to the top, give the policy the name Language and select Expression.
4.
Pro Tip: Don't copy and paste this expression from the Word doc; it messes with the quotes and throws a syntax error. Instead, type it manually into the Expression Editor.
Configure the new policy, Language, to detect the English language within the HTTP request header:
HTTP.REQ.HEADER("Accept-Language").CONTAINS("en")
Click on Create
5.
Set the target of this policy to WebVip1. Accept any messages about GoTo Expressions if you encounter
them here, and configure the Priority to 10. Verify the configuration and continue by clicking OK
Set priority to 10
Click Bind
6.
Test this content switching policy by going to http://192.168.10.125:81 in Internet Explorer and setting your language to anything but English in the browser. You can find this under Tools, Internet Options, Languages.
Select settings
Once you switch away from English you will be sent to WebVip2 instead of WebVip1, and the server name shown will change from 'Web Server A' to 'Web Server B'.
Exercise CLI Commands
Use an SSH connection (PuTTY) to NetScaler A (192.168.10.15) command-line interface logged on as the nsroot
user for this task.
# Uncomment the commands below if Exercise 1 was skipped or not completed.
# enable ns feature cs
# add cs vserver WebSwitch HTTP 192.168.10.125 81
# add lb vserver WebVip1 HTTP 0.0.0.0 0
# bind lb vserver WebVip1 Web-Service1
# add lb vserver WebVip2 HTTP 0.0.0.0 0
# bind lb vserver WebVip2 Web-Service2
Exercise Summary
In this exercise you have become familiar with Citrix NetScaler content switching functionality: you configured a basic Content Switching virtual server and policies, and configured an advanced content switching policy that detects the language field of an HTTP header.
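The two policies built in Exercise 1 (the classic /url* rule) and Exercise 2 (the Accept-Language rule) are easier to reason about side by side, so here is an added Python model of the WebSwitch decision. It is example code for this guide, not NetScaler code: the Request class, the policy tuples and the priorities are our own, and the tighter language_prefers_en rule is an alternative we add to show a caveat of the lab's CONTAINS("en") expression, which is a plain case-sensitive substring test.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    """Just enough of an HTTP request for a content switching decision."""
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        # HTTP.REQ.HEADER(name): header names are case-insensitive, missing -> ""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


# Exercise 1: classic URL rule "/url*" bound to webvip1 (prefix match on the path).
def urlswitch(req: Request) -> bool:
    return req.path.startswith("/url")


# Exercise 2: HTTP.REQ.HEADER("Accept-Language").CONTAINS("en").
# CONTAINS is a case-sensitive substring test, so it also fires for a client whose
# first choice is French but lists English further down, and misses "EN-US".
def language_contains_en(req: Request) -> bool:
    return "en" in req.header("Accept-Language")


# Our own tighter alternative (not from the lab): decide on the first language
# tag only, compared case-insensitively as language tags are.
def language_prefers_en(req: Request) -> bool:
    first = req.header("Accept-Language").split(",")[0].split(";")[0].strip()
    return first.lower().startswith("en")


Policy = Tuple[int, Callable[[Request], bool], str]   # (priority, rule, target vserver)

URL_POLICIES: List[Policy] = [(10, urlswitch, "webvip1")]
LANGUAGE_POLICIES: List[Policy] = [(10, language_contains_en, "WebVip1")]


def content_switch(req: Request, policies: List[Policy], default_vserver: str) -> str:
    """Evaluate bound policies from the lowest priority number up; the first match
    wins, otherwise the request goes to the Default Load Balancing Virtual Server."""
    for _prio, rule, target in sorted(policies, key=lambda p: p[0]):
        if rule(req):
            return target
    return default_vserver
```

Run the lab's own test case through it (a browser whose language list is "fr-FR,fr;q=0.9,en;q=0.5") and the CONTAINS rule still sends the client to WebVip1, which is why the lab asks you to switch the language entirely rather than just reorder it; the first-tag rule sends that client to WebVip2.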
Module 5: URL Transformation using the Rewrite Feature
Overview
Rewrite refers to the rewriting of some information in the requests or responses handled by the NetScaler
system. Rewriting can help in providing access to the requested content without exposing unnecessary
details about the website's actual configuration. A few situations in which the rewrite feature is useful are
described below:
To improve security, the NetScaler can rewrite all the http:// links to https:// in the response body
In an SSL offload deployment, the non-secure links in the response have to be converted into secure links. Using the rewrite option, you can rewrite all the http:// links to https:// to ensure that the outgoing responses from NetScaler to the client carry the secured links.
If a website has to show an error page, you can show a custom error page instead of the default
404 Error page.
If you want to launch a new website but use the old URL, you can use the rewrite option.
When a topic in a site has a complicated URL, you can rewrite it with a simple, easy-to-remember
URL
You can append the default page name to the URL of a website.
When you enable the rewrite feature, NetScaler can modify the headers and body of HTTP requests and responses.
For more information about the rewrite feature, including rewrite action and policy examples, see Citrix
eDocs at http://docs.citrix.com.
Exercise 1: URL Transform with Rewrite
Overview
In this section, we will create a URL Transformation Profile that takes requests and directs them
to the appropriate web server. The profile that will be created looks for /url1 within the URL and
directs the request to '/url2' all while being transparent to the user.
Step by Step Guidance
Step Action
1.
Use an HTTP connection to the NetScaler-A (192.168.10.15) configuration utility for this task, logging on with the nsroot credentials.
2.
Create a new URL Transformation Profile named RewriteURL by going to AppExpert, Rewrite, URL
Transformation, Profiles and clicking Add. Fill in the Name field with RewriteURL and click Create.
o Click on Add
o Type RewriteURL
o Select Create
3.
Open the RewriteURL profile by selecting it and clicking Edit, or double clicking. Add a new URL
Transformation Action by clicking Insert at the bottom of the dialog window.
o Select RewriteURL
o Click on Edit
o Click on Insert
4.
Configure the new URL Transformation Action actRewriteURL. URL Transformation Action is used to take
requests from url1 and respond via url2. The configuration for actRewriteURL is below.
o Select Insert
o Select Ok
5.
Click Insert if you have not already, verify that the action is enabled by the green check mark under Enabled, and click OK to close the dialog.
6.
Create a new URL Transformation Policy by heading to AppExpert, Rewrite, URL Transformation, Policies and clicking Add. This new policy will be used to check if the URL contains "url1" and fire the URL Transformation Action that was added in steps 2 and 3. Add RewriteURL for the name, attach the Profile under the Profile drop down, and add the expression (the string argument to CONTAINS must be quoted):
HTTP.REQ.URL.PATH.GET(1).CONTAINS("url1")
o Click Add
o HTTP.REQ.URL.PATH.GET(1).CONTAINS("url1")
o Select Done
o Select Create
7.
Bind the new policy under the Default Global bind point. Open the Policy Manager, select Default Global and click Continue, then insert the newly created policy at Priority 100. Finally click Bind followed by Done.
o Select Default Global from the drop down menu under the Bind Point* field
o Click on Click to select under Policy Binding and select the RewriteURL_pol Policy
Select Bind
8.
Verify the policy is active and bound by checking for the green check mark under Active. If it does not show active, refresh the GUI by clicking the refresh icon next to the Help icon.
9.
Verify the RewriteURL Transformation Policy is active by directing your web browser (a new Incognito window) to http://192.168.10.125/url1. If the policy is active and working correctly you will see a response from URL2 from either Web-Server A or B. You may have to close and re-open the browser.
Exercise Summary
In this exercise you have successfully set up a URL-based rewrite.
Exercise 2: Vanity URL Transformation Policy
Overview
You will create a URL Transformation policy yourself. This policy will be used to transform the request URL named RequestURL and respond with /url3. This configuration is used to cloak or change the external view of the internal web server. The configuration for the bonus lab is below.
o Click on Add
o Type RequestURL
o Select Create
2.
Open the RequestURL profile by selecting it and clicking Edit, or double clicking. Add a new URL
Transformation Action by clicking Insert at the bottom of the dialog window.
o Select RequestURL
o Click on Edit
o Click on Insert
3.
Configure the new URL Transformation Action RequestURL_act. This URL Transformation Action will be
used to take requests for RequestURL and respond with content from url3. The configuration for
RequestURL_act is below.
o Select Ok
4.
Create a new URL Transformation Policy by heading to AppExpert, Rewrite, URL Transformation, Policies and clicking Add. This new policy will be used to check if the URL contains RequestURL and fire the URL Transformation Action that was added in steps 2 and 3. Add RequestURL_pol for the name, attach the RequestURL Profile under the Profile drop down, and add the expression (the string argument to CONTAINS must be quoted):
HTTP.REQ.URL.PATH.GET(1).CONTAINS("RequestURL")
o Click Add
o HTTP.REQ.URL.PATH.GET(1).CONTAINS("RequestURL")
o Select Done
o Select Create
5.
Bind the new policy under the Default Global bind point. Open the Policy Manager, select Default Global and click Continue, then insert the RequestURL policy at Priority 110. Finally click Bind followed by Done.
o Select Default Global from the drop down menu under the Bind Point* field
o Click on Click to select under Policy Binding and select the RequestURL Policy
Select Bind
Select Create
6.
Verify the RequestURL Transformation Policy is active by directing your web browser to http://192.168.10.125/RequestURL. If the policy is active and working correctly you will see a response from URL3 from either Web-Server A or B. You may have to close and re-open the browser.
Exercise Summary
In this exercise you have become familiar with Citrix NetScaler rewrite functionality: configuring URL Transformation policies to transparently rewrite a request, and configuring URL policies that rewrite a request transparently while hiding the internal architecture of the web servers.
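The two profiles from this module, RewriteURL (/url1 to /url2) and RequestURL (/RequestURL to /url3), are modelled below in an added Python example written for this guide; it is not NetScaler code. The CONTAINS-on-GET(1) rules and the priorities 100 and 110 come from the lab; the assumption that the action swaps the whole first path segment, and the reverse rewrite of the Location header and body links on the response, are ours (the action screenshots are not reproduced on this page).

```python
import re
from typing import Dict, List, Optional, Tuple

# Lab profiles as (policy priority, profile name, external segment, internal segment).
PROFILES: List[Tuple[int, str, str, str]] = [
    (100, "RewriteURL", "url1", "url2"),
    (110, "RequestURL", "RequestURL", "url3"),
]


def first_segment(path: str) -> str:
    """HTTP.REQ.URL.PATH.GET(1): the first '/'-separated segment, query string stripped."""
    parts = path.split("?", 1)[0].split("/")
    return parts[1] if len(parts) > 1 else ""


def match_policy(path: str, profiles=PROFILES) -> Optional[str]:
    """Lowest priority number is evaluated first; the rule is CONTAINS(<external>) on GET(1)."""
    seg = first_segment(path)
    for _prio, name, ext, _internal in sorted(profiles):
        if ext in seg:
            return name
    return None


def transform_request(path: str, profiles=PROFILES) -> Tuple[str, Optional[str]]:
    """Apply the matched profile's request action (assumed: swap the whole first segment).

    The action is anchored to a whole segment, so a path such as /url10/x fires the
    CONTAINS("url1") policy but is left unchanged by the action; a tighter policy
    expression would avoid the needless match.
    """
    name = match_policy(path, profiles)
    if name is None:
        return path, None
    ext, internal = next((e, i) for _p, n, e, i in profiles if n == name)
    new_path = re.sub(r"^/%s(?=/|\?|$)" % re.escape(ext), "/" + internal, path)
    return new_path, name


def transform_response(headers: Dict[str, str], body: str,
                       profiles=PROFILES) -> Tuple[Dict[str, str], str]:
    """Reverse mapping on the way back: a Location header or an absolute-path link in
    the body that names the internal segment is rewritten to the external one, so the
    client never learns the internal layout."""
    out = dict(headers)
    for _p, _n, ext, internal in profiles:
        pat = re.compile(r"/%s(?=[/?\"'\s]|$)" % re.escape(internal))
        if "Location" in out:
            out["Location"] = pat.sub("/" + ext, out["Location"])
        body = pat.sub("/" + ext, body)
    return out, body
```

The response half is the part the GUI steps do not make visible: without it, a redirect from the backend to /url2/ or a link rendered as /url2/page would hand the internal name straight to the browser, defeating the cloaking the exercise is about.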
Module 6: Web Application Firewall
Overview
Organizations have a crucial need to protect their data and information from unauthorized users and
hackers. A network firewall does not provide enough protection against unauthorized access to web
applications. Rather, the best practice is to implement an application firewall in addition to a network
firewall to protect critical applications, especially those that contain customer and employee data.
Hackers gain access to applications of an organization by exploiting vulnerabilities introduced by human
error and incomplete vendor updates, and by using new attack methods.
Application Firewall protects web applications from malicious attacks and unauthorized usage. Application Firewall examines all incoming and outgoing traffic between protected web servers and users for evidence of attacks or misuse of web server resources. It also blocks all known and unknown attacks.
Application firewall can be run as a stand-alone implementation on the NetScaler hardware and functions
as a dedicated Application Firewall appliance. Application Firewall is also available as a feature within the
NetScaler Application Delivery System, which includes Application Firewall functionality in addition to
other NetScaler operating system features. Application Firewall integrated with Citrix NetScaler is
available with NetScaler Enterprise and Platinum editions.
The figure shows how application attacks are mounted. Application Firewall protects critical web
applications and defends the infrastructure of any organization from identity theft, lost revenue, brand
erosion and other negative outcomes caused by application attacks.
Virtual Machines Required for This Module
VM Name IP Address Description
Exercise 1: Web Application Firewall
Overview
In this lab, we will begin working with the Application Firewall feature of NetScaler. We will test
the security functionality of the AppFirewall through a web service called WebGoat that is
served via both webservers in the environment.
In this exercise you will:
Create the vServers and Services
Step Action
1.
Start by enabling the highly available WebGoat servers by creating a new Load Balancing Virtual Server.
First, create a new WebGoat service group for both servers. Do this by going to Traffic Management,
Load Balancing, and adding a new Service Group: Webgoat-Servicegroup. The Protocol will be HTTP
and the Server fields and Ports will be web-server1 port 8080 and web-server2 port 8080 respectively.
Add a tcp monitor to the service and click Done.
Log on to the NetScaler-A (192.168.10.15) configuration utility with the nsroot credentials
Create an HTTP service group called Webgoat-Servicegroup that will be associated with the Web-
Server-1 and Web-Server-2 servers.
o Click Add in the Service Groups pane; the Load Balancing Service Group dialog box opens.
o Click OK
o Add a service group member by clicking No Service Group Members
o Enter in 8080 for port and click Select Server drop down
2.
Select both Web-Servers from the selection menu.
Click Done
Click Bind
Click Done
3.
Verify your service group is in the UP state under Service Groups
4.
Create a new WebGoat-VIP Load Balancing Virtual Server by going to Traffic Management, Load
Balancing, Virtual Servers, and clicking Add.
Begin the configuration of a WebGoat-VIP load-balancing virtual server that will be associated with
the WebGoat-Servicegroup.
o Verify that HTTP is selected from the Protocol drop-down menu and that 8080 is entered
in the Port field
o Click OK
o Click the No Load Balancing Virtual Server Servicegroup Binding option below
Service to bind the Services.
o Under Select Service Group Name drop down, select the Webgoat-Servicegroup we
created earlier
o Click Bind
5.
For the load balancing vserver, add Method and Persistence and choose Round Robin as the LB Method. Under the Persistence section choose COOKIEINSERT with Time-out 0. Finally click OK.
o Click OK
o Click OK
Finally click Done to complete configuring the loadbalancing vserver.
6.
Test the new WebGoat-VIP by going to http://192.168.10.125:8080/WebGoat/attack; the username is guest and the password is guest.
7.
Now we will configure the Application Firewall feature of the NetScaler. Begin by enabling the Application Firewall feature, or verifying it is enabled. One quick visual cue for the feature's state is the presence of a yellow ! symbol, as in the screen shot below. You can conveniently turn the feature on and off here for testing and demonstration by right-clicking Security, Application Firewall and clicking Enable/Disable Feature.
8.
NetScaler Application Firewall is able to use security signatures from security vendors such as Snort. These signatures are attached to the policies that are created in this section. To begin, go to Security, Application Firewall, Signatures. To download the latest signatures from Snort, click *Default Signatures, select Action, and finally Update Version. Agree to the update by selecting Yes. The latest security signatures will be downloaded.
Note: If Application Firewall is not enabled yet, that's OK. You can still update the signatures and enable the feature in subsequent steps.
o Select Yes to agree to update to the latest security signatures, or OK if your signatures are already up to date.
Next we will need to define our own version of the *Default Signatures
9.
The Add Signatures Object dialog opens and we will create a name, AppFWSignatures, and verify the
signatures that are being imported. Here we could select to block or not block various signatures. For the
purposes of this lab, we will leave the defaults selected. After glancing over the signatures, select OK.
10.
Add an AppFW profile by going to Security, Application Firewall, Profiles and clicking Add. Fill in the
Profile name AppFWProfile, select Web 2.0 Application, and choose Basic Defaults. Click on Create
and close the dialog.
o Select Add
o Type AppFWProfile
o Select Web 2.0 Application from the drop down menu under Profile Type
o Select OK
11.
Configure the newly created AppFWProfile by double-clicking it. Go to the Security Checks tab. Under the Start URL row unselect Block and select Log and Stats. Under the Credit Card row select Log and Stats, and under the HTML SQL Injection row select Block, Log and Stats.
o Next to the Start URL row unselect Block and select Log and Stats
o Next to the HTML SQL Injection row select Block, Log and Stats
12.
Open the Credit Card profile by selecting it and clicking Action Settings. Change the status of each card
to Protected. After protecting each card, move to the General tab and select X-Out.
o Select X-Out
o Select Ok
o Select OK
o Select OK
13.
Next, we will attach the AppFWSignatures to this profile. To do this we will move to the Settings tab and
scroll to the Common Settings field. Here we will select AppFWSignatures under the Signatures drop
down.
o Scroll down to Common Settings.
o Click OK
14.
Now you will need to create an AppFirewall policy by going to Security, Application Firewall, Policies, Firewall and clicking Add. Configure the Policy Name, Profile, and Expression as below. This step creates a policy for AppFirewall called AppFWPolicy that links the recently created profile and adds an expression that decides whether the policy fires. The expression used is HTTP.REQ.IS_VALID, which triggers the AppFWProfile if the incoming connection is a valid HTTP request. Click Create and then Close when complete.
o Click Add
HTTP.REQ.IS_VALID
o Click Create
15.
Now we have an Application Firewall policy but it is not bound; meaning it is not enabled. You will need to
enable the policy through the policy manager. Go to the policy manager by clicking Action and Policy
Manager.
16.
Insert the AppFWPolicy into the Default Global policy. Do this by clicking the Default Global bind point,
selecting to Bind the Policy, by choosing the AppFWPolicy. Finally click Bind and then close once
complete.
o Select Default Global from the drop down menu under Bind Point*
o Click Continue
o Select Bind
Note: Binding the policy to the Default Global bind point enables the policy on all virtual servers that are available within the NetScaler. You are also able to bind policies to other, more specific bind points such as Content Switching virtual servers, or even load balancing virtual servers, as in the image below.
o Verify that the policy is enabled via the green check under Active.
17.
Test the new Application Firewall policy via the WebGoat url that was configured earlier. You can enable
and disable the Application Firewall feature to test WebGoat security vulnerabilities with Application
Firewall enabled or disabled. You can do this by right clicking on Application Firewall under Security,
Application Firewall and selecting Disable Feature or Enable Feature, like in step 7 above:
Note: Enabling and disabling the AppFirewall feature is a quick way to see the application before and after it is protected.
18.
Be sure to reset WebGoat each time with the "restart this lesson" link.
Note: To test with WebGoat, remember a couple of key points. Practice before a demo. Restart the lesson after each exploit to test WebGoat, or it may not work on subsequent tries. The NetScaler needs to see the cookies and the entire activity, so when you enable the Web Application Firewall feature, open a fresh browser. A stale browser may not show the same effect, and in real life people are not turning the WAF feature on and off like this.
IMPORTANT: Never try the attacks you learn here in the real world. Many times a newbie has experienced disgrace by playing around and starting some undesirable consequences. Keep the hacks to just WebGoat, or within a contract and detailed Statement of Work (ethical hacking, etc.). NO SURPRISES.
Go back and turn the NetScaler Web Application Firewall off. You need to establish a baseline, and if the WAF is on it will block you by redirecting you to the root of Tomcat. We have it configured to do this when an exploit happens, so be careful not to follow a red herring. Turn the WAF feature off until you have a hack working, then turn it on, open a fresh browser, and try again with the WAF on.
19.
If you leave the Application Firewall feature on, by default a successful policy match and profile block will redirect you to the web server root, like this. The configuration is shown in the second screen shot below, on the Settings tab, with the Redirect URL set to /:
The page says It Works, but it is not what you were looking for. NetScaler redirected you to the root of the web server because the Redirect Rule in the WAF Profile is configured to do just that.
When WebGoat works, you stay within the WebGoat website and it congratulates you. WebGoat is
essentially a tutorial and we are adding NetScaler to it to practice our protections. On the first screen it tells
you the answers are hidden at the top right under the solution link. Why not use that and cut/paste where
helpful?
20.
Begin: To start the WebGoat Application, scroll down and click on start WebGoat:
o Navigate to http://192.168.10.125:8080/WebGoat/attack
o If you don't receive the page shown below, close and open a new browser
You can see already your Application Firewall policy is taking hits:
21.
For SQL injection go to Injection Flaws, String SQL Injection:
o Navigate to http://192.168.10.125:8080/WebGoat/attack
o On the left hand side select Injection Flaws and then click on String SQL Injection
o Click on Go!
We are modifying the SELECT string, shown under the text field for convenience: after the match criteria you sneak in an OR that is always true, so the query matches everything and returns all of the data. The Solution for this lesson shows the example Erwin' OR '1'='1 (the outer quotes are implied for you).
Note the * Congratulations message and all the credit card examples. These may well not be real credit card numbers; the NetScaler uses a validation algorithm to decide which numbers to act on for information leakage prevention (DLP), so it does not X-out the fake numbers. We will turn the NetScaler protection on and see it protect next.
22.
Turn the WAF back on:
Try Again (close and open your browser, login guest / guest, Start WebGoat... set up accordingly).
o Navigate to http://192.168.10.125:8080/WebGoat/attack
o If you don't receive the page shown below, close and open a new browser
o On the left hand side select Injection Flaws and then click on String SQL Injection
o Click on Go!
o 'It Works' is what you get: the Application Firewall redirected you to the / root of the website, per your configuration, when it blocked your hack. You did not get what you wanted, but you did get the root page that is the default for the Tomcat web server, because your Web App Firewall Profile was configured to do so.
23.
Let's check the logs:
o Click on Apply
You could use the CLI and grep through the /var/log directory, but the tool is right there with a pull-down menu. Set the Module to APPFW and have a look.
24.
Let's stop blocking and keep playing with it (remember to click WebGoat's Restart Lesson link).
Under Web Application Firewall in the NetScaler GUI, select the Profile and the Security Checks tab.
Let's try Transform to neutralize the SQL tick. Double-click HTML SQL Injection, the row in the above screen shot where we unchecked Block.
o Select Click HTML SQL injection row and click Action Settings
o Click OK
25.
Go back to WebGoat, Restart the Lesson, and try again.
o On the left hand side select Injection Flaws and then click on String SQL Injection
o Click on Go!
Notice (as in the below screen shot) you are not blocked, or given access. This time the SQL was neutral
so the back end server matched nothing:
26.
Let's check the logs: Security, Application Firewall, Policies, Firewall, Auditing, Syslog messages
o Click on Apply
Gotcha! On a sniffer trace, you would see that the Erwin part now has double quotes and not single quotes. Above, the WebGoat screen shot even calls the special characters out: Erwin" OR "1"="1. The double tick (") and the single tick (') are different to SQL.
OK, let's stop transforming and let you back into the site. By now you are used to going into the App Firewall Profile that our globally bound policy is set to.
Click OK on both windows, and let's go back and run WebGoat again (remember to Restart the Lesson).
27.
Go back to WebGoat, Restart the Lesson, and try again.
o On the left hand side select Injection Flaws and then click on String SQL Injection
o Click on Go!
o Click on Apply
Since we are set not to Block and not to Transform, all we had on was logging, and here is the log entry.
28.
That's good, but what about all those credit card numbers shown? We still have our Credit Card
Protections on and set to X-Out responses with CC#s.
o Select OK
o Select OK
IMPORTANT: Be sure to save your configuration by clicking the Save (floppy disk) icon at the top right of the Web GUI.
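The two protections you toggled in this exercise, the SQL special-character transform and the credit card X-Out, are modelled below in an added Python example written for this guide; it is not NetScaler code and does not reproduce the appliance's exact rules. Only the quote rewrite the lab observed on the trace is modelled for the transform, the Luhn check stands in for the "algorithm" the lab mentions that keeps fake numbers from being masked, masking all but the last four digits is our own choice, and the sample response body is constructed (4111 1111 1111 1111 is the well-known Luhn-valid test number, not real card data).

```python
import re
from typing import Tuple


def transform_sql_specials(value: str) -> str:
    """The Transform option as the lab observed it on the wire: single quotes become
    double quotes, so  Erwin' OR '1'='1  reaches the backend as a search for one
    literal name and matches nothing. Only the quote rule is modelled here."""
    return value.replace("'", '"')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the validation step that separates card numbers from
    look-alike digit strings, which is why demo data may not be X-ed out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def xout_cards(body: str, keep_last: int = 4) -> Tuple[str, int]:
    """Mask every Luhn-valid card number in a response body, keeping only the last
    `keep_last` digits (our masking choice). Returns (masked body, numbers masked)."""
    count = 0

    def repl(m: "re.Match") -> str:
        nonlocal count
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw           # fails Luhn: not a card number, leave it alone
        count += 1
        return "X" * (len(digits) - keep_last) + digits[-keep_last:]

    return CARD_RE.sub(repl, body), count


# Constructed sample response in the shape of the lesson's table output.
SAMPLE_BODY = (
    "Erwin, 4111 1111 1111 1111, 123 Main St\n"    # Luhn-valid test number: masked
    "Smith, 4111-1111-1111-1112, 456 Oak Ave\n"    # fails Luhn: left as-is
    "Jones, 987654321, 789 Pine Rd\n"              # too short to be a card number
)
```

Run xout_cards over SAMPLE_BODY and only the first row is masked, which is the behaviour the lab describes: a response full of demo numbers that fail validation passes through untouched even though Credit Card protection and X-Out are on, so do not read an unmasked demo page as a failed configuration.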
Exercise CLI Commands
Use an SSH connection (PuTTY) to NetScaler A (192.168.10.15) command-line interface logged on as the nsroot
user for this task.
enable ns feature LB CS REWRITE AppFw
add serviceGroup Webgoat-Servicegroup HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add lb vserver WebGoat-VIP HTTP 192.168.10.125 8080 -persistenceType COOKIEINSERT -timeout 0 -lbMethod ROUNDROBIN -backupLBMethod LEASTCONNECTION -cltTimeout 180
add appfw profile AppFWProfile -startURLAction none -creditCardAction log stats -creditCard visa mastercard discover amex jcb dinersclub -creditCardXOut ON -responseContentType "application/octet-stream" -XMLSQLInjectionAction none -XMLXSSAction none -XMLWSIAction none -XMLValidationAction none -signatures appfwsignatures -type HTML XML
# The above (add appfw profile) is dependent on the signature file existing.
bind appfw profile AppFWProfile -denyURL "/core(/.*)?$" -comment "Unix core file attacks" -state DISABLED
bind appfw profile AppFWProfile -denyURL "[\\/]etc[\\/](passwd|group|hosts)" -comment "Unix file attacks" -state DISABLED
bind appfw profile AppFWProfile -denyURL q{([ /=]|\t|\n)(ls|rm|cat)([ ;'\"&].*)?$} -comment "Command injection attack" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*[+][.]htr" -comment "HTR source disclosure" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*/[?][SM]=[AD]" -comment "Apache possible directory index disclosure vulnerability" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*/[?]wp-" -comment "Netscape enterprise server directory indexing vulnerability" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*/NULL[.]printer" -comment "Printer buffer overflow" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*/default[.]ida[?]N+" -comment CodeRed -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*/publisher" -comment "Netscape enterprise server web publishing vulnerability" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*Admin[.]dll" -comment Nimbda-3 -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*/winnt/" -comment Nimbda-4 -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*[+]dir" -comment "IIS executable file parsing vulnerability-1" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*/georgi[.]asp" -comment "IIS executable file parsing vulnerability-2" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*[.](bat|ini|exe)(|[?].*)$" -comment "IIS executable file parsing vulnerability-3" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*[.](cgi|pl|php|bat)([/?].*)?[|]" -comment "Script exploit" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*[.]asp/.*" -comment "Microsoft IIS UNC mapped virtual host vulnerability" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*[.]htx" -comment "Microsoft IIS UNC path disclosure vulnerability" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*[.]id[aq]" -comment "Index server buffer overflow" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*(htaccess|access_log)([.][^/?]*)?([~])?([?].*)?$" -comment "Access attacks" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*(passwd|passwords?)([.][^/?]*)?([?].*)?$" -comment "Password file attacks" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*dvwssr[.]dll" -comment "Front Page server extensions buffer overflow-1" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*fp30reg[.]dll" -comment "Front Page server extensions buffer overflow-2" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*null[.]htw" -comment "Webhits source disclosure" -state DISABLED
bind appfw profile AppFWProfile -denyURL "debug[.][^/?]*(|[?].*)$" -comment "Debug attacks" -state DISABLED
bind appfw profile AppFWProfile -denyURL q/system( |\t|\n)*[(]/ -comment "System command attacks" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*/_vti_bin/shtml[.]" -comment "Front Page server extensions path disclosure vulnerability" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]+[?](.*[=].*[&])*wsdl([&].*[=].*)*([#].*)?$" -comment "WSDL scanning attack: ?wsdl" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]+[/]([^.])+[.]wsdl([?][^#]*)?([#].*)?$" -comment "WSDL scanning attack: .wsdl" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]+[/]wsdl([?][^#]*)?([#].*)?$" -comment "WSDL scanning attack: /wsdl" -state DISABLED
bind appfw profile AppFWProfile -comment "For all images" -excludeResContentType "image/.*"
bind appfw profile AppFWProfile -comment "For all videos" -excludeResContentType "video/.*"
bind appfw profile AppFWProfile -comment "For all audio files" -excludeResContentType "audio/.*"
bind appfw profile AppFWProfile -comment "For all pdf files" -excludeResContentType "application/pdf"
bind appfw profile AppFWProfile -comment "For all PostScript files" -excludeResContentType "application/postscript"
bind appfw profile AppFWProfile -startURL "^[^?]+[.](html?|shtml|js|gif|jpg|jpeg|png|swf|pif|pdf|css|csv)$"
bind appfw profile AppFWProfile -startURL "^[^?]+[.](cgi|aspx?|jsp|php|pl)([?].*)?$"
bind appfw profile AppFWProfile -XMLAttachmentURL ".*"
bind appfw profile AppFWProfile -XMLDoSURL ".*" -XMLMaxElementDepthCheck ON -XMLMaxElementNameLengthCheck ON -XMLMaxElementsCheck ON -XMLMaxElementChildrenCheck ON -XMLMaxAttributesCheck ON -XMLMaxAttributeNameLengthCheck ON -XMLMaxAttributeValueLengthCheck ON -XMLMaxCharDATALengthCheck ON -XMLMaxFileSizeCheck ON -XMLMinFileSizeCheck ON -XMLBlockPI ON -XMLBlockDTD ON -XMLBlockExternalEntities ON -XMLMaxEntityExpansionsCheck ON -XMLMaxEntityExpansionDepthCheck ON -XMLMaxNamespacesCheck ON -XMLMaxNamespaceUriLengthCheck ON -XMLSOAPArrayCheck ON
bind appfw profile AppFWProfile -XMLValidationURL ".*" -XMLValidateSOAPEnvelope ON
bind appfw profile AppFWProfile -XMLWSIURL ".*" -XMLWSIChecks "BP1201, R1000, R1001, R1003, R1004, R1005, R1006, R1007, R1011, R1012, R1013, R1014, R1015, R1031, R1032, R1033, R1109, R1111, R1126, R1132, R1140, R1141, R2113, R2211, R2714, R2729, R2735, R2738, R2740, R2744"
add appfw policy AppFWPolicy HTTP.REQ.IS_VALID AppFWProfile
bind appfw global AppFWPolicy 100 END -type REQ_OVERRIDE
bind lb vserver WebGoat-VIP Webgoat-Servicegroup
bind serviceGroup Webgoat-Servicegroup Web-Server-1 8080
bind serviceGroup Webgoat-Servicegroup Web-Server-2 8080
bind serviceGroup Webgoat-Servicegroup -monitorName http
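To see which of the deny URL bindings above would actually fire, the following added Python (not part of the lab or of NetScaler) parses a few of the bind lines from this listing, tests constructed request paths against them, and shows that with -state DISABLED a matching pattern still blocks nothing until the binding is enabled; the CLI quoting rule it applies and the search semantics are assumptions.

```python
import re

# A few of the lab's bind lines, copied from the CLI listing above. They are only the
# input to the parser; everything else in this block is an added audit helper.
CLI_SNIPPET = r'''
bind appfw profile AppFWProfile -denyURL "[\\/]etc[\\/](passwd|group|hosts)" -comment "Unix file attacks" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]*(passwd|passwords?)([.][^/?]*)?([?].*)?$" -comment "Password file attacks" -state DISABLED
bind appfw profile AppFWProfile -denyURL "debug[.][^/?]*(|[?].*)$" -comment "Debug attacks" -state DISABLED
bind appfw profile AppFWProfile -denyURL "^[^?]+[?](.*[=].*[&])*wsdl([&].*[=].*)*([#].*)?$" -comment "WSDL scanning attack: ?wsdl" -state DISABLED
'''

# Pattern in double quotes, then optional -comment (quoted or bare) and -state.
BIND_RX = re.compile(
    r'-denyURL\s+"((?:[^"\\]|\\.)*)"'
    r'(?:\s+-comment\s+(?:"([^"]*)"|(\S+)))?'
    r'(?:\s+-state\s+(ENABLED|DISABLED))?'
)


def parse_deny_rules(cli_text: str) -> list:
    """Turn 'bind appfw profile ... -denyURL' lines into compiled rules, in CLI order."""
    rules = []
    for line in cli_text.splitlines():
        m = BIND_RX.search(line)
        if not m:
            continue
        # Assumption: inside a double-quoted CLI argument, \\ stands for one backslash
        # and \" for a quote, so "[\\/]etc[\\/]" becomes the regex [\/]etc[\/].
        pattern = m.group(1).replace('\\\\', '\\').replace('\\"', '"')
        rules.append({
            "pattern": pattern,
            "regex": re.compile(pattern),
            "comment": m.group(2) or m.group(3) or "",
            "state": m.group(4) or "ENABLED",   # a binding is enabled unless told otherwise
        })
    return rules


def audit(rules: list, urls: list) -> dict:
    """For each URL, list every rule whose pattern matches and the first ENABLED one,
    which is the rule that would actually act. Patterns are applied with search
    semantics (an assumption; several of the lab's patterns are unanchored)."""
    report = {}
    for url in urls:
        hits = [r for r in rules if r["regex"].search(url)]
        enabled = [r["comment"] for r in hits if r["state"] == "ENABLED"]
        report[url] = {
            "matches": [r["comment"] for r in hits],
            "blocked_by": enabled[0] if enabled else None,
        }
    return report


# Constructed request paths: three that the lab's rules are written for, one benign.
SAMPLE_URLS = ["/etc/passwd", "/app/debug.jsp?x=1", "/service?wsdl", "/index.html"]

if __name__ == "__main__":
    rules = parse_deny_rules(CLI_SNIPPET)
    print("As bound in the lab (all DISABLED):")
    for url, row in audit(rules, SAMPLE_URLS).items():
        print(f"  {url:22} matches={row['matches']} blocked_by={row['blocked_by']}")
    # Flip every rule to ENABLED, as editing the binding state would, and look again.
    enabled = [dict(r, state="ENABLED") for r in rules]
    print("With every binding ENABLED:")
    for url, row in audit(enabled, SAMPLE_URLS).items():
        print(f"  {url:22} blocked_by={row['blocked_by']}")
```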
Exercise Summary
In this exercise you have successfully set up the Secure Reverse proxy and added Web Application Firewall
protections.
Module 7: High Availability
Overview
A high availability deployment of two Citrix NetScalers can provide uninterrupted operation in any
transaction. In a high-availability pair configuration, only one system is active. This system, which is
known as the primary, actively accepts connections and manages servers. All shared IP addresses are
active on the primary system only.
The Secondary system monitors the health of the primary system. If the secondary system is in a healthy
state, it is ready to actively accept connections if the primary system is experiencing issues. The process
prevents downtime and ensures that the services provided by the NetScaler system remain available
even if one system ceases to function.
Note: High availability packets are sent untagged by default, which can be an issue with a switch that handles tagged
packets only.
Exercise 1: High Availability Pair
Overview
In this lab, we will create a highly available pair of NetScalers by utilizing NetScaler-B and the
already configured NetScaler-A.
Refer to the Licensing Lab for detailed licensing instructions. Below you will see the appropriate
configurations for the NetScaler B.
Log in to Citrix XenCenter using the credentials you received and start NetScaler B (192.168.10.17)
o Username: nsroot
o Password: nsroot
Step Action
2
The HA pair health checks between the unit NSIPs, and both HA pair units share the VIPs and SNIPs between the active and passive nodes. We do not need an individual SNIP on the second unit for HA pairing, and any config on the second unit will be overwritten; however, if one is needed to proceed in the wizard, we can add the NetScaler Subnet IP (SNIP) 192.168.10.18. This will be overwritten when the primary syncs to it for HA, but the baseline process wizard wants a license and a SNIP. One option is to exit the wizard; otherwise proceed as follows:
Upload the license file 06e089e0b0f2.lic. If not going through the wizard, license configuration can be found at System > Licenses > Update in the GUI.
o Select the 4th item, labeled Licensing, then select Upload files from a local computer.
o The license folder is C:\Licenses. There are 4 licenses in total; select 06e089e0b0f2.lic.
o Select Reboot
3
Enable High Availability by heading to System, High Availability on the NetScaler B (192.168.10.17) and
Select (STAY SECONDARY) for the High Availability Status* under the IP Address. On NetScaler A
(192.168.10.15) select (STAY PRIMARY) and click on Add button, specify the Remote Node IP Address
(192.168.10.17) as below and click OK. Selecting stay primary and secondary is not necessary in the lab,
but is a good practice in the Customer Data Center.
Under High Availability Status* select STAY SECONDARY (Remain in Listen Mode)
Click OK
Click OK
Verify that Configure remote system to participate in High Availability Setup, Turn off HA
Monitor on interfaces/channels that are down and Turn on INC (Independent Network
Configuration) mode on self-node are all selected. INC is an option to see, but is only used when
each node has a different set of IPs. We do not need INC mode in this lab but want to point it out.
Click Create
Step Action
4
Validate that two nodes have been created in System > High Availability > Nodes and the node status is
shown as UP.
In a few moments, as you refresh the high availability node view (by clicking the refresh button in the top right corner of the screen), you will see the synchronization state move from in progress to success.
On NetScaler A 192.168.0.15, click the Refresh button in the upper-right corner of the
configuration utility window
On NetScaler B 192.168.0.17, click the Refresh button in the upper-right corner of the
configuration utility window
Primary NSA:
Secondary NSB:
5
Enable the NetScaler B 192.168.0.17 Node State to actively participate in High Availability
o Select ENABLED (Actively Participate in HA) in the High Availability Status drop-down
list
o Click OK
Enable the NetScaler A 192.168.0.15 Node State to actively participate in High Availability
o Select ENABLED (Actively Participate in HA) in the High Availability Status drop-down
list
o Click OK
Step Action
6
Note: Node configuration options. Opening a node listed in this section of the high availability configuration lets you select advanced HA options. One to point out is HA Failsafe mode.
7
With an HA pair, one would always want to manage on the active node, but which NSIP to pick? Best practice is to manage on a SNIP, which is always on the active unit. To enable management access via a subnet IP, head to System, Network, and IPs. Here you will select the subnet IP 192.168.10.16. Click Open and select Enable Management Access control within the Application Access Controls section of the dialog window. Click OK.
Scroll down to the bottom and select Enable Management Access controls under the Application Access Controls tab.
Save your configuration by clicking the save disk at the top right of the web GUI. Test high availability by turning off the primary node and watching as the secondary node takes over. Additionally, you can select force failover from within the GUI.
Exercise CLI Commands
Complete Steps 1 and 2 above to license and prepare the 2nd NetScaler (or Module 1 Optional Exercise 3) before starting the CLI command exercise.
Use an SSH connection (PuTTY) to NetScaler B (192.168.10.17) command-line interface logged on as the nsroot user for this task.
add ns ip 192.168.10.18 255.255.255.0 -type SNIP -arp ENABLED -icmp ENABLED -vServer ENABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -state ENABLED -icmpResponse NONE -ownerNode 255 -arpResponse NONE
set HA node -haStatus STAYSECONDARY -haSync ENABLED -haProp ENABLED -helloInterval 200 -deadInterval 3 -failSafe OFF -maxFlips 0 -maxFlipTime 0
Use an SSH connection (PuTTY) to NetScaler A (192.168.10.15) command-line interface logged on as the nsroot user for this task.
set HA node -haStatus STAYPRIMARY -haSync ENABLED -haProp ENABLED -helloInterval 200 -deadInterval 3 -failSafe OFF -maxFlips 0 -maxFlipTime 0
add HA node 1 192.168.10.17 -inc ENABLED
Use an SSH connection (PuTTY) to NetScaler B (192.168.10.17) command-line interface logged on as the nsroot user for this task.
set HA node -haStatus ENABLED -haSync ENABLED -haProp ENABLED -helloInterval 200 -deadInterval 3 -failSafe OFF
Use an SSH connection (PuTTY) to NetScaler A (192.168.10.15) command-line interface logged on as the nsroot user for this task.
set HA node -haStatus ENABLED -haSync ENABLED -haProp ENABLED -helloInterval 200 -deadInterval 3 -failSafe OFF
Exercise Summary
In this exercise you have gotten familiar with the Citrix NetScaler High Availability functionality
and configuring a pair of highly available NetScalers, utilizing NetScaler-A, and NetScaler-B.
Module 8: Clustering
Overview
A NetScaler Cluster is a group of NetScaler nCore systems working together as a single system image.
Each system of the cluster is called a node. A NetScaler cluster can include as few as 2 or as many as 32
NetScaler nCore hardware or virtual systems as nodes.
The client traffic is distributed between the nodes to provide high availability, high throughput, and
scalability.
How Clustering works
A NetScaler cluster is formed by grouping NetScaler systems that satisfy requirements specified in
Hardware and Software Requirements. One of the cluster nodes is designated as a configuration
coordinator (CCO). As the name suggests, this node coordinates all cluster configurations. The CCO also
owns the cluster IP address which is the management address of the cluster. You configure the cluster by
accessing the CCO through the cluster IP address.
You cannot configure an individual node by accessing it through the NetScaler IP (NSIP) address. Nodes
accessed through the NSIP address are available in read-only mode. This means that you can only view
the configurations and the statistics.
The configurations performed through the cluster IP address are propagated to the cluster nodes through
a physical medium called the cluster backplane. The backplane is a logical grouping of physical
connections, as are the client data plane and the server data plane.
The VIP addresses that you define on a cluster are available on all the nodes of the cluster (striped
addresses). You can define MIP and SNIP addresses to be available on all nodes (striped addresses) or
only on a single node (spotted addresses). The details of traffic distribution in a cluster depend on the
algorithm used, but the same logical entities process the traffic in each case. Traffic is distributed only to
nodes that are in the ACTIVE state, both administratively and operationally, and in the UP health state.
Exercise 1: Clustering
Overview
In this lab, we will create a clustered active/active pair of NetScalers by utilizing NetScaler-A and NetScaler-B. If you have not licensed NetScaler-B yet, the steps are shown in Module 1, *Optional Exercise 3: License and add a SNIP to your 2nd NetScaler if needed because you want to Go another Direction; you may have missed those steps in the HA part above.
Add NetScaler-B
Step by Step Guidance
Step Action
1
Before we start to configure clustering, we may need to disable high availability. To do this, head to NetScaler-A System, High Availability. Select the secondary node and click Delete. Accept the prompt to remove the selected node and remove the HA node from the remote system.
Accept the prompt to remove the selected node and remove the HA node from the remote system
2
First, save the configuration on NetScaler-A. To do this, go to System and click on the save icon in the
upper right.
You also should save the configuration on NetScaler-B by clicking the save icon there.
Step Action
3
Navigate to NetScaler-A. We will first create a cluster node by heading to System, Cluster, Nodes and clicking Add. A prompt requesting that a cluster instance must be present will pop up. Add this instance by clicking Yes.
A prompt requesting that a cluster instance must be present will pop up. Click Yes
Next, we will configure the cluster IP address for the cluster. Configure the cluster as below using 192.168.10.130; be sure to select backplane interface 1/1. Continue by clicking Create.
Note: The below screenshot represents the Instance ID, not Node ID
Step Action
4
In the next Configuration pane, Select 1/1 interface from the drop down menu under Backplane interface*
Follow the prompt to reboot, or head to System and click Reboot. Be sure to select Save configuration
and click OK.
Step Action
5 Join the NetScaler to the Cluster
After the NetScaler-A reboots, login to the newly created Cluster Management IP at http://192.168.10.130.
Here we will select continue on the configuration page, as we will set this up later.
Click Continue
You could add the SNIP for all nodes here, or skip with a continue if you like.
Step Action
6
We will add NetScaler-B to the cluster by heading to System, Cluster, Nodes, and clicking Add. Configure
this node with the NetScaler-B information below.
Both the cluster node and configuration coordinator credentials are the standard NetScaler credentials you
have been using for this lab. Once you click Create you will be asked to reboot this node, accept the
prompt and wait for the NetScaler-B to join the cluster.
Step Action
7
Click Yes to reboot NS-B when prompted
8
Verify that both nodes are in the PASSIVE admin state and INACTIVE operational state. Also, verify
the backplane configuration.
Note: You will have to wait a few moments while NS-B reboots. During this time, click the refresh
button next to save to refresh the view.
Step Action
9 Define NetScaler Subnet IP Addresses
Here we will need to recreate a Subnet IP address for the NetScaler appliance cluster. We will head to
System, Network, IPs, and click Add. Fill out IP, Netmask, and Owner for the 192.168.10.16 SNIPs. Be
sure Subnet IP is selected as the IP Type for each IP Address and Owner Node is ALL_NODES.
Verify that ALL_NODES is selected from the drop down menu under Owner Node*
Step Action
10 Configuring the Cluster State to Active
Configure the state of each cluster node to ACTIVE by heading to System, Cluster, and selecting each
node. Configure the state of each to ACTIVE.
Navigate to System > Cluster > Nodes and select node 192.168.10.15 Click Edit
11
Verify that both the admin and operational state of each node in the cluster is ACTIVE.
Note: You may have to refresh your view to see the new state
Step Action
12
Define a Linkset
Create a Linkset by heading to System, Network, and Linkset. Click Add and configure the Linkset name
LS/1 and add interfaces 1/1/1 and 0/1/1 to the configured column of the dialog. Click Create.
Add interfaces 1/1/1 and 0/1/1 to the configured column of the dialog
Click on Create
Step Action
13
Define NetScaler cluster configuration
Head to System, Settings and select Configure Modes. Configure the modes as below.
o Fast Ramp
o Edge Configuration
o Use Subnet IP
Click OK
14
Define NetScaler cluster load balanced virtual server
In this step, we will configure a simple load balanced server to test the cluster configuration. Below is the final configuration of the load balanced server. You will configure this server the exact same way you configured the load-balancing virtual server at the beginning of this lab. You will need to recreate the web server services; you can do this by clicking the + icon when binding services to the VIP.
Note: You can use the CLI reference at the end of the Load Balancing Module above to create the load balanced virtual server.
Type in the IP address of the Cluster Node (192.168.10.130) and click Open
One could cut/paste the above into the CLI with PuTTY and validate by browsing to the vServer at http://192.168.10.125.
Exercise CLI Commands
NS A & NS B
Use an SSH connection (PuTTY) to NetScaler A (192.168.10.15) command-line interface logged on as the nsroot user for this task.
add cluster instance 1
add cluster node 0 192.168.10.15 -state PASSIVE -backplane 0/1/1
enable cluster instance 1
save ns config
reboot -warm
add ns ip 192.168.10.130 255.255.255.255 -type CLIP
show cluster instance
show cluster node
Use an SSH connection (PuTTY) to Cluster IP (192.168.10.130) command-line interface logged on as the nsroot user for this task.
add cluster node 1 192.168.10.17 -state PASSIVE -backplane 1/1/1
show cluster node
## Expect the new node to show UNKNOWN for now.
save ns config
Use an SSH connection (PuTTY) to NetScaler B (192.168.10.17) command-line interface logged on as the nsroot user for this task.
join cluster -clip 192.168.10.130 -password nsroot
save ns config
reboot -warm
Use an SSH connection (PuTTY) to Cluster IP (192.168.10.130) command-line interface logged on as the nsroot user for this task.
show cluster node
add ns ip 192.168.10.16 255.255.255.0 -type SNIP -ownerNode 0
add ns ip 192.168.10.18 255.255.255.0 -type SNIP -ownerNode 1
## Node 0 (NetScaler A) already had the 192.168.10.16 SNIP, so this may take some tweaking.
sh ip
set cluster node 0 -state ACTIVE
set cluster node 1 -state ACTIVE
show cluster node
## Both nodes should now be ACTIVE.
## If a node stalls, do a rm cluster and a join cluster again.
sh ip
Add the linkset. CLAG and ECMP are also options, but the all-virtual lab is easiest with a linkset.
Use an SSH connection (PuTTY) to Cluster IP (192.168.10.130) command-line interface logged on as the nsroot user for this task.
add linkset LS/1
bind linkset LS/1 -ifnum 0/1/1
bind linkset LS/1 -ifnum 1/1/1
show linkset LS/1
save ns config
Exercise Summary
In this exercise you have gotten familiar with the Citrix NetScaler Clustering functionality.
Configuring a pair of clustered NetScalers utilizing NetScaler-A, and NetScaler-B, configured a
linkset of interfaces, and created a load balanced virtual server to test the clustered NetScaler
instances.
Module 9: Global Server Load Balancing
Overview
Global Server Load Balancing (GSLB) directs DNS requests to the best-performing GSLB site in a distributed Internet
environment. GSLB enables distribution of traffic across multiple sites, manages disaster recovery, and ensures that
applications are consistently accessible.
GSLB Concepts
GSLB is a DNS-based solution that load balances services between geographically distributed locations. GSLB
operates under many of the same general principles as load balancing, but it relies on DNS for directing client
requests.
With ordinary DNS, when a client sends a DNS request, it receives a list of IP addresses of the domain or service.
Generally, the client chooses the first IP address in the list and initiates a connection with that server. The DNS
server uses a technique called DNS round robin to cycle through the IP addresses on the list, sending the first IP
address to the end of the list and promoting the others after it responds to each DNS request. This technique ensures
equal distribution of the load, but it does not support disaster recovery, load balancing based on load or proximity of
servers, or persistence.
When you configure GSLB and enable MEP, the NetScaler systems use the DNS infrastructure to connect the client
to the datacenter that best meets the criteria that you set. The criteria can designate the least-loaded datacenter, the
closest datacenter, the datacenter that responds most quickly to requests from the client's location, a combination of
those metrics, or SNMP metrics. An appliance keeps track of the location, performance, load, and availability of each
datacenter and uses these factors to select the datacenter to which a client request will be sent.
A GSLB configuration consists of a group of GSLB entities on each appliance in the configuration. These entities
include GSLB sites, GSLB services, GSLB virtual servers, load-balancing, content-switching, or Gateway virtual
servers, and ADNS services.
GSLB Entities
A GSLB configuration includes entities on the NetScaler system that direct client traffic to applications and resources.
The following items are entities in a GSLB environment.
GSLB site
A GSLB site is typically a datacenter in which a NetScaler system is located. The terms local site and remote site
refer to the site in relation to the NetScaler systems in the GSLB deployment. Each GSLB site is managed by a
NetScaler system that is local to that site. Each of these systems treats its own site as the local site and all other
sites, managed by other systems, as remote sites.
GSLB service
A GSLB service is a representation of a load-balancing or content-switching virtual server, although it can represent any type of virtual server. The GSLB service determines how incoming traffic is routed.
GSLB virtual server
A GSLB virtual server enables client requests to be forwarded to the appropriate GSLB site. A GSLB virtual server is assigned one or more GSLB services and load balances the incoming traffic among the services. The GSLB virtual server evaluates the configured GSLB methods (algorithms) to select the appropriate service to which a client request will be sent. DNS virtual servers are only necessary in a DNS proxy configuration. Otherwise, in an ADNS configuration, each GSLB site will use the locally configured DNS service with mirrored static DNS records for each site in the configuration.
Load-balancing or content-switching virtual server
Load-balancing or content-switching virtual servers load balance incoming traffic to the appropriate server.
ADNS Service
The ADNS service accepts incoming client requests for domains for which the NetScaler system is authoritative.
Exercise 1: GSLB
Overview
In this lab, we will create a simple Global Server Load Balance environment by utilizing both NetScalers as
independent sites within this lab.
The high-level configuration steps for GSLB are outlined here and provided in further detail below.
NetScaler-B Configuration
a. Pre-requisites
NetScaler-A Configuration
a. Pre-requisites
Step Action
1.
Pre-requisites
Before we start to configure GSLB, we may need to prep NetScaler-B, or delete any Cluster or HA Config
you may have in place. You can do GSLB with a Cluster or HA Pair, but we have just 2 nodes in this
environment and need them to each represent a site. To remove HA, Clustering, or prepare, three
solutions are offered in this step:
1). If you have not licensed NetScaler-B yet, the steps are shown in Module 1 *Optional Exercise 3: License and add a SNIP to your 2nd NetScaler if needed because you chose to Go another Direction. In the normal workflow, the 2nd NetScaler is licensed on introduction in the HA Module. We are happy to have you start with GSLB here, once licensed and with both NetScalers ready. The next step in this Exercise will verify these settings and re-add the SNIP if it was lost in the Cluster Removal below.
2). If you need to remove the HA Pair configurations, steps are in the start of the Clustering Module, and
are here for the Adventurer who came to this module by another path. Before we start to configure GSLB,
we may need to disable high availability. To do this head to NetScaler-A System, High Availability.
Select the secondary node and click delete. Accept the prompt to remove the selected node and remove
the HA node from the remote system.
Accept the prompt to remove the selected node and remove the HA node from the remote
system
3). If you need to delete configs for clustering, head to System, Cluster, Nodes on Cluster IP
(192.168.10.130). Select the node that is not the local node, in this case 192.168.10.17, and click
Remove. Fill out the credentials and click OK to remove the node. Repeat this step on the local node
after the secondary node has been removed. Accept any warnings that appear in this step and be sure
to close the Create Cluster Node dialog box if it appears.
Navigate to System > Cluster > Nodes and Select the node that is not the local node, in this
case 192.168.10.17, and click Remove.
Enter nsroot/nsroot for the credentials and click OK to remove the node.
Repeat this step on the local node after the secondary node has been removed.
Accept any warnings that appear in this step and be sure to close the Create Cluster Node dialog
box if it appears.
2.
Login to NetScaler-A and if needed, use the wizard, GUI or CLI to configure the Subnet IP Address and
Netmask, verify the configuration of the NSIP and continue. Verify that the correct licenses are applied to
this appliance and continue. Finally, select done. Repeat the process on the NetScaler-B, the
configuration is below.
3.
Next, we will check the modes, features, and advanced features of both appliances. Configure the modes
by heading to System, Settings. Select Configure Modes and be sure that the modes are configured as
below. (Keep your navigation window open for convenience).
Navigate to System > Settings > Configure Modes
Ensure that the boxes are checked according to the screenshot shown below
Next, we will need to enable GSLB on both NetScalers. To do so, we will first need to enable Load Balancing by heading to System, Settings, and clicking Configure Basic Features. From here, we will select Load Balancing. Do this for both NetScaler-A and NetScaler-B.
4.
Next, we will need to enable Global Server Load Balancing by clicking on Configure Advanced
Features. Here we will be sure to select Global Server Load Balancing. Leave the other options as
they are configured now.
Navigate to System > Settings > Configure Advanced Features
5.
You can enable management access on the subnet IP addresses. Head to System, Network, IPs, and click on the Subnet IP that is listed. Click on Open and select Enable Management Access.
Scroll down to the bottom and select Enable Management Access controls under the Application Access Controls tab.
6. Define Load Balancing vServers for WebServer-1
As a pre-requisite for this module, it is expected you have a Load Balancing vServer already configured
on both NetScaler Appliances at each site. Feel free to execute Module 3 to set up a load balancer for
webserver-1 with vip 192.168.10.125 and webserver-2 with vip 192.168.10.126 vServers on NetScaler
A and NetScaler B respectively. Load Balancer for Webserver-1 should be load balancing server Web-
Server-1 (192.168.10.115) and Load Balancer for Webserver-2 should be load balancing server Web-
Server-2 (192.168.10.116). When complete, your configuration should resemble the screen shots below:
NetScaler A:
add lb vserver Web-VIP HTTP 192.168.10.125 80 -persistenceType COOKIEINSERT -timeout 1 -lbMethod ROUNDROBIN -cltTimeout 180
NetScaler B:
add server web-server2 192.168.10.116
add lb vserver Web-VIP HTTP 192.168.10.126 80 -persistenceType COOKIEINSERT -timeout 1 -lbMethod ROUNDROBIN -cltTimeout 180
7.
Configure an ADNS Service
While logged on, create an ADNS service so that we can test our GSLB configurations on the client
machine. You could do a DNS LoadBalancing vServer and Service to your real DNS, but in this case we
are trying for the most simple of tests. To create an ADNS Service, head to Traffic Management, Load
Balancing, Services and click Add. Configure the Service Name as DNS, the Server as
192.168.10.135 for A and 192.168.10.136 for B, the Protocol as ADNS, and the Port as 53.
Click Add
Click Ok
Click Done
Now validate that the NetScaler owns this new IP, so that it can act as the authoritative DNS server on it. Navigate to System > Network > IPs and validate that you see an ADNS svc IP.
8. While logged into NetScaler-A, configure a GSLB Site for both NetScalers: NS-A as Local and NS-B as Remote. Select the Type as either Remote or Local depending on which NetScaler you are currently configuring. To do so, navigate to Traffic Management > GSLB > Sites. The remaining configuration can be found in the two images below (the pictures are provided for NetScaler-A).
Navigate to Traffic Management > GSLB > Sites and then click Add
Click Create
Navigate to Traffic Management > GSLB > Sites and then click Add
Click Create
Note: The NS-B Site Metric MEP Status will show as down until the NS-B site has also been configured on NetScaler-B, the remote GSLB site.
9. Do the same on NetScaler-B with the sites reversed, NS-B as Local and NS-A as Remote.
Navigate to Traffic Management > GSLB > Sites and then click Add
Click Create
Navigate to Traffic Management > GSLB > Sites and then click Add
Click Create
After both NetScalers have had their sites configured, you will see the Remote Site Metric MEP Status as Active. Verify the configuration on each NetScaler. You might need to click the Refresh button after a moment or two to see the following result.
10. Define GSLB Service on NetScaler-B (192.168.10.17)
Under GSLB Services, click the Add button to configure a service under the local site.
o Navigate to Traffic Management > GSLB > Services and Click Add
o Type LOCAL
o Type* is IP Based
o Port* 80
Add an existing Virtual Server for this Service by clicking the Virtual Server radio button and selecting the webserver-2 Virtual Server from the dropdown.
Click OK
11. Next click on Monitors under the Advanced Settings on the right pane.
Click Bind
Click Done
12. Now we will add another service, for the virtual server located in the remote NS-A site.
o Navigate to Traffic Management > GSLB > Services and Click Add
o Type REMOTE
o Type* is IP Based
o Port* 80
Add a new Server for this Service by clicking the New Server radio button and entering the VIP of webserver-1 that we configured on the remote appliance (192.168.10.125).
Click OK
13. Next click on Monitors under the Advanced Settings on the right pane.
Click Bind
Click Done
14. While logged in to NetScaler-B, begin configuring the GSLB virtual server under Traffic Management > GSLB > Virtual Servers.
Navigate to Traffic Management > GSLB > Virtual Servers and Click Add
Click OK
15. Add two GSLB Virtual Server GSLB Service Bindings as shown below by clicking on No GSLB Virtual Server GSLB Service Binding.
Select both services, for webserver-1 and webserver-2, that we added previously to the Binding.
16. Add the GSLB Virtual Server Domain Binding.
17. Under ADNS Service ensure the ADNS server we created earlier is bound. If not, then Add the
ADNS service.
18. Configure GSLB on NetScaler-A
We will now configure NetScaler-A in the same fashion as NetScaler-B. Refer to the steps above for additional details, and configure the following on NetScaler-A to set up GSLB:
1. Configure NetScaler-A with a functioning Load Balancing vServer named Webserver-1 with an IP
of 192.168.10.125 backed by webserver IP 192.168.10.115. Navigate to Traffic Management >
Load Balancing > Virtual Servers to confirm or configure.
Webserver-1:
2. If you have not already, configure NetScaler-A with a functioning ADNS service named DNS with the
IP 192.168.10.136. Navigate to Traffic Management > Load Balancing > Services to confirm or
configure.
3. Confirm NetScaler-A is configured with both GSLB sites named NS-A and NS-B. Navigate to Traffic
Management > GSLB > Sites to confirm.
Sites:
NS-A:
NS-B:
4. On NetScaler-A, configure two GSLB services named 192.168.10.125_gslb_srvc (based on
Existing Virtual Server) and 192.168.10.126_gslb_srvc (based on New Server IP) corresponding
to sites NS-A and NS-B respectively. Navigate to Traffic Management > GSLB > Service to confirm
or configure.
Two Services Configured:
192.168.10.125_gslb_srvc:
192.168.10.126_gslb_srvc:
5. On NetScaler-A, configure a GSLB vServer named www.webserver.com and bind both GSLB services, 192.168.10.125_gslb_srvc and 192.168.10.126_gslb_srvc, to it. The GSLB vServer must have an FQDN domain binding of www.webserver.com and a bound ADNS Service. Navigate to Traffic Management > GSLB > vServer to confirm or configure.
www.webserver.com vServer:
23. Configure the Client's DNS
Configure the newly created DNS servers on the client machine as its preferred and alternate DNS servers, 192.168.10.135 and 192.168.10.136. This is a lab trick that enables testing and demonstration, because the PC then resolves names only at the NetScalers' ADNS Service. It is not a normal use case, but good for our lab, much like bypassing DNS with a local hosts file. In production one would use both ADNS IPs as resolver options for redundancy, so that with one ADNS Service at each site either will work.
Click on Properties
Change the Alternate DNS Server address to 192.168.10.136
24. Verify the GSLB Configuration using the GSLB Visualizer
Head to the main GSLB page by going to Traffic Management, GSLB. Open the GSLB Visualizer by
clicking GSLB Visualizer under Settings
25. Verify GSLB Connectivity using Ping and a Web Browser
Open the Windows Command Prompt and run ping www.webserver.com. You should see replies from either server 125 or 126. Wait a few moments and try again. You should see the GSLB Round Robin LB method change your DNS resolution to the other server. GSLB simply changes the IP address that your DNS stack resolves for you; after resolution, your client proceeds to communicate with the resolved IP. Ping is a good way to show it.
Test your GSLB configuration via Internet Explorer. Open an Internet Explorer window and browse to www.webserver.com; you will see WebServer-A being served from NetScaler-A or WebServer-B being served from NetScaler-B. Ideally, when configuring GSLB, you are load balancing the same web application hosted from two different sites for your end users. Here we have made it more explicit by backing it with two different websites (Webserver A and Webserver B) to visually show load balancing across appliances.
Note: Be sure to change the client desktop's preferred DNS back to 192.168.10.11 so as not to impact another exercise.
add ns ip 192.168.10.16 255.255.255.0 -type SNIP -arp ENABLED -icmp ENABLED -vServer ENABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -state ENABLED -icmpResponse NONE -ownerNode 255 -arpResponse NONE
set ns ip 192.168.10.16 -netmask 255.255.255.0 -arp ENABLED -icmp ENABLED -vServer DISABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -hostRoute DISABLED -icmpResponse NONE -arpResponse NONE
add gslb site NS-A LOCAL 192.168.10.16 -publicIP 192.168.10.16 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS
add gslb site NS-B REMOTE 192.168.10.18 -publicIP 192.168.10.18 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS
Use an SSH connection (PuTTY) to the NetScaler B (192.168.10.17) command-line interface, logged on as the nsroot user, for this task.
add ns ip 192.168.10.18 255.255.255.0 -type SNIP -arp ENABLED -icmp ENABLED -vServer ENABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -state ENABLED -icmpResponse NONE
enable ns feature LB
set ns ip 192.168.10.18 -netmask 255.255.255.0 -arp ENABLED -icmp ENABLED -vServer DISABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -hostRoute DISABLED -icmpResponse NONE -arpResponse NONE
add gslb site NS-A REMOTE 192.168.10.16 -publicIP 192.168.10.16 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS
add gslb site NS-B LOCAL 192.168.10.18 -publicIP 192.168.10.18 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS
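As an added example (not from the lab or from Citrix), the Python below parses add ns ip / set ns ip lines like the ones above and reports any SNIP with management access enabled that still exposes cleartext Telnet or FTP, a plain-HTTP GUI, SNMP, or unrestricted non-management access. The sample lines and the severity ranking are constructed here; the second SNIP shows the same kind of address after its flags are tightened.

```python
import shlex
from collections import defaultdict

# Constructed sample, modelled on the lab's SNIP lines (not captured from an appliance):
# the first SNIP mirrors the lab setting, the second is a hardened SNIP, the third has
# no management access at all and is therefore out of scope for these checks.
SAMPLE_CONFIG = """
add ns ip 192.168.10.16 255.255.255.0 -type SNIP -arp ENABLED -icmp ENABLED -vServer ENABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -state ENABLED -icmpResponse NONE -ownerNode 255 -arpResponse NONE
set ns ip 192.168.10.16 -netmask 255.255.255.0 -vServer DISABLED
add ns ip 192.168.10.18 255.255.255.0 -type SNIP -mgmtAccess ENABLED -restrictAccess ENABLED -telnet DISABLED -ftp DISABLED -gui SECUREONLY -ssh ENABLED -snmp DISABLED
add ns ip 192.168.10.19 255.255.255.0 -type SNIP -mgmtAccess DISABLED
"""


def parse_ns_ip_lines(config_text):
    """Return {ip: {flag: value}} merged across 'add ns ip' and later 'set ns ip' lines."""
    ips = defaultdict(dict)
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)
        if tokens[:3] not in (["add", "ns", "ip"], ["set", "ns", "ip"]):
            continue
        ip, rest = tokens[3], tokens[4:]
        if tokens[0] == "add" and rest and not rest[0].startswith("-"):
            ips[ip]["netmask"] = rest.pop(0)  # positional netmask on 'add'
        # the remaining tokens are "-flag VALUE" pairs; a later 'set' overrides 'add'
        for flag, value in zip(rest[0::2], rest[1::2]):
            ips[ip][flag.lstrip("-")] = value.upper()
    return ips


# (severity, flag, value that triggers the finding, reason); severities are constructed
# here and only apply to a SNIP that has -mgmtAccess ENABLED, the lab's setting.
CHECKS = [
    ("HIGH", "telnet", "ENABLED", "cleartext Telnet management listener"),
    ("HIGH", "ftp", "ENABLED", "cleartext FTP listener"),
    ("MEDIUM", "gui", "ENABLED", "GUI reachable over plain HTTP (SECUREONLY limits it to HTTPS)"),
    ("MEDIUM", "restrictAccess", "DISABLED", "non-management applications also reachable on this IP"),
    ("LOW", "snmp", "ENABLED", "SNMP exposed on a data-plane address"),
]


def audit_management_access(config_text):
    """Return a sorted list of (ip, severity, flag, reason) for SNIPs that expose management."""
    findings = []
    for ip, flags in parse_ns_ip_lines(config_text).items():
        if flags.get("type") != "SNIP" or flags.get("mgmtAccess") != "ENABLED":
            continue  # only explicitly set flags are judged; defaults are not assumed
        for severity, flag, trigger, reason in CHECKS:
            if flags.get(flag) == trigger:
                findings.append((ip, severity, flag, reason))
    return sorted(findings)


if __name__ == "__main__":
    for ip, severity, flag, reason in audit_management_access(SAMPLE_CONFIG):
        print(f"{ip}: [{severity}] -{flag} -> {reason}")
```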
Exercise Summary
In this exercise you have become familiar with the Citrix NetScaler GSLB functionality, configuring a pair of NetScalers, NetScaler-A and NetScaler-B, for Global Server Load Balancing.
Module 10: Admin Partitions
Overview
The NetScaler ADC provides an infrastructure called admin partitions that can be used to logically partition a
NetScaler ADC.
This means that each admin partition can function as a logical NetScaler ADC.
The following graphical representation shows a NetScaler ADC as a multi-tenant platform that can be used to service
multiple customers, departments, or applications.
Virtual Machines Required for This Module
VM Name IP Address Description
Exercise 1: Admin Partitions
Overview
Configure a basic Admin Partition.
1. Navigate to Configuration > System > User Administration and select Users
Click on Add
Step Action
2. Add 2 users with the user names Admin-A and Admin-B. Set both passwords to password1. You can also set the CLI Prompt as shown below. Click Save to save each user, and Done to finish.
Click Save
Click Done
Click Continue
3. Create the Admin Partitions
Navigate to Configuration > System > Partition Administration > Partitions and click Configure
Add the Partition with the configuration settings below, and click Continue
By default, VLAN 1 is created and cannot be unbound. Click Continue on the Network Isolation page to accept the single VLAN and no Bridgegroups
4. Bind user Admin-A to the Company-A partition by expanding Users and clicking Insert. Click Save and Done to complete
o Click on No User
o Click insert
5. Create a second partition, Company-B, by repeating the same steps as for Company-A. Remember to bind the Admin-B user to the Company-B partition.
o Bind user Admin-B to the Company-B partition by expanding Users and clicking Insert. Click Save and Done to complete
o Click on No User
o Click insert
After you have created the 2 partitions, we will configure them independently with their own settings. To do this, first switch to the Company-A partition: navigate to the partition menu at the top of the screen and select Company-A
6. Click Yes to confirm the submission
Now you will see the dashboard of the new Admin Partition for Company-A
7. Navigate to Configuration > System > Settings, and select Configure Modes
Select only Use Source IP and MAC Based Forwarding, then click OK
8. Now, while under Configuration > System > Settings, select Configure Basic Features
Navigate to Configuration > Traffic Management and expand it. Note that Load Balancing and SSL Offload are enabled and Content Switching is not.
9. Navigate back up to the Partitions menu and switch to partition Company-B; click Yes again to confirm the submission.
Navigate to Configuration > System > Settings, and select Configure Modes.
Note the modes configured by default, which differ from the ones we selected in the Company-A partition. Let's leave these at their defaults.
10. Now, while under Configuration > System > Settings, select Configure Basic Features
This time, since we are in the Company-B partition, we will select SSL Offload and Content Switching. Click OK
add system user Admin-A password1 -externalAuth DISABLED -promptString Company-A -timeout 900 -logging DISABLED
add system user Admin-B password1 -externalAuth DISABLED -promptString Company-B -timeout 900 -logging DISABLED
add ns partition Company-A -maxBandwidth 5120 -minBandwidth 10240 -maxConn 1024 -maxMemLimit 10
add ns partition Company-B -maxBandwidth 5120 -minBandwidth 10240 -maxConn 1024 -maxMemLimit 10
In partition A
enable ns mode USIP MBF
enable ns feature LB
In Partition B
stat ns partition
enable ns feature CS
Exercise Summary
In this exercise you created 2 users for the purpose of owning partitions, created 2 independent partitions and bound a user to each, and configured the partitions independently of each other with different settings.
Module 11: Data Stream
Overview
The NetScaler DataStream feature provides an intelligent mechanism for request switching
at the database layer by distributing requests based on the SQL query being sent.
When deployed in front of database servers, a NetScaler ensures optimal distribution of traffic
from the application servers and Web servers. Administrators can segment traffic according to
information in the SQL query and on the basis of database names, usernames, character sets,
and packet size.
You can either configure load balancing to switch requests based on load balancing algorithms
or elaborate the switching criteria by configuring content switching to make a decision based on
SQL query parameters. You can further configure monitors to track the state of database
servers.
Note: NetScaler DataStream is supported only for MySQL and MS SQL databases. For information about
the supported protocol version, character sets, special queries, and transactions, see the
Appendix NetScaler DataStream Reference.
Exercise 1: Data Stream
Overview
The demo environment consists of 2 SQL Server instances replicating an OLTP (Online Transactional Processing) and DW (Data Warehouse) database setup.
Many organizations use this type of setup to capture and process data efficiently: the OLTP database is used primarily for transactional SQL operations (creates, updates, inserts), and the DW database stores the data in a proper schema so that it can be queried quickly.
It is extremely important for organizations to be able to understand their data. With many features
released by Microsoft to help DBAs (Database Administrators) with this scenario, these features are
typically structured in a tiered licensing model, which can be expensive and complex to deploy.
The Citrix NetScaler DataStream feature is included in all editions of NetScaler. DataStream can improve database performance by intelligently understanding the SQL transactions and switching the content dynamically to the appropriate database. At the same time, by default it manipulates the TDS protocol to enable SQL server-side connection multiplexing, reducing SQL Server overhead and speeding up transactions.
Step by Step Guidance
1. Navigate to NetScaler A (192.168.10.15) by typing http://192.168.10.15 in your browser
Add the user that you used to create the SQL Server databases.
o Username: dsu
o Password: Password1
2. Add 2 Database Servers
o IP Address: 192.168.10.12
o Click Create
o IP Address: 192.168.10.13
o Click Create
3. Add a Monitor
o Click Add
o Name: MSSQL_mon1
o Type: MSSQL-ECV
Input a User Name (the name must match the SQL Server database user name): dsu
Input Database: ns
Expression: MSSQL.RES.ATLEAST_ROWS_COUNT(0)
Click Create
Note: You have now created a monitor that queries the ns database on each SQL Server instance and treats the instance as up when at least 0 rows are returned, i.e. whenever the query succeeds.
4. Add the SQL Server Services
Add your MSSQL_Srvc1 Service (Server Name, IP Address, Protocol, and port)
o Name: MSSQL_Srvc1
o Port: 1433
o Protocol: MSSQL
Add your MSSQL_Srvc2 Service (Server Name, IP Address, Protocol, and port)
o Name: MSSQL_Srvc2
o Port: 1433
o Protocol: MSSQL
5. Bind the monitor created in the previous step to both services just created
6. Add a load balancing virtual server and bind it to a service
o Click on Add
o Name: MSSQL_LB_OLTP
o Protocol: MSSQL
o IP address
o Click OK
o Click Continue
o Select Server Version as 2012 and ensure Database Specific Load Balancing is unchecked (Disabled)
o Click Done
7. Similarly, navigate to Traffic Management > Load Balancing > Virtual Servers
o Click on Add
o Name: MSSQL_LB_DW
o Protocol: MSSQL
o IP address
o Click Continue
o Select Server Version as 2012 and ensure Database Specific Load Balancing is unchecked (Disabled)
o Click Done
Note: We selected Non Addressable to demonstrate the conservation of IPv4 addresses. The load balancing virtual servers will show an IP of 0.0.0.0. This works because users access the VIP of the content switching vServer, and all communication to the load balancing vServers happens internally.
We are also leaving the default Load Balancing Method as Least Connection.
8. Add Content Switching Actions to NetScaler
Click Add
Select MSSQL_LB_OLTP under Target Load Balancing Virtual Server* from the drop down
Click Create
Select MSSQL_LB_DW under Target Load Balancing Virtual Server* from the drop down
Click Create
Note: You should now have 2 actions, Writes and Reads, bound to the 2 load balancing virtual servers
9. Add a content switching policy to NetScaler
Click Add
Click Create
Note: The purpose of this policy is to enable NetScaler to identify a read transaction from the content of the SQL query
10. Add another policy, MSSQL_CS_Writes
Click Add
Click Create
Note: The purpose of this policy is to enable NetScaler to identify a write transaction from the content of the SQL query
11. Validate that you now have two Content Switching Policies, one for SQL reads and the other for SQL writes.
12. Create a Content Switching Virtual Server
Click Add
Input the IP Address 192.168.10.150 (this is the IP address that users connect to via a DB client such as SQL Server Management Studio)
Click OK
Note: You have now configured a Content Switching Virtual Server that has the 2 load balancing virtual servers bound via the Actions we created earlier.
13. Bind the 2 policies created in the previous steps to the Content Switching Virtual Server. You will have to assign each binding a priority; 100 and 110 will work.
o Select MSSQL_CS_Reads
o Click Bind
o Select MSSQL_CS_Writes
o Click Bind
o Click Close
14. You have now bound the 2 load balancing vServers you configured to the 2 content switching policies, such that inserts/updates go to one and selects to the other, with the following as the default virtual server for everything else.
o Click on no Default Virtual Server Bound
o Select MSSQL_LB_DW
o Click Bind
o Click Done
o Click Done
15. How to demonstrate content switching using SQL queries via SQL Server Management Studio:
Add all 3 instances to SSMS (SQL Server Management Studio) using the database user created and added to NetScaler: the first instance, the second instance, and the Content Switching Virtual Server.
Ignore any warning such as the following.
Click Ok
When adding the content switching server, you may see the following error. Click OK to continue.
16. You should now see something like the following screenshot in your Object Explorer.
17. Launch a new query: right-click on the Content Switching Virtual Server and select New Query
WHERE CLIENT_HOUSEHOLD_INCOME>='30000'
Note: This query is designed to select those entries in the database whose average household income is $30,000 or more
18. Launch a new query: right-click on the Content Switching Virtual Server and select New Query
Note: This query creates a database on the appropriate server. The database name is NEW_TEST_DB
To demonstrate that it works as expected, navigate to the GIM_OLTP database instance and expand the database catalog. You will see that the new database now exists in this instance, because that is where the write policy sends it.
add lb monitor MSSQL_mon1 MSSQL-ECV -userName dsu -LRTM DISABLED -resptimeoutThresh 0 -retries 3 -failureRetries 0 -alertRetries 0 -successRetries 1 -IPMapping 0.0.0.0 -state ENABLED -reverse NO -transparent NO -ipTunnel NO -tos NO -secure NO -database ns -sqlQuery "select * from test" -evalRule MSSQL.RES.ATLEAST_ROWS_COUNT(0) -mssqlProtocolVersion 2012 -storedb DISABLED
enable ns feature cs
add cs vserver MSSQL_CVS1 -td 0 MSSQL 192.168.10.150 -range 1 1433 -state ENABLED -stateupdate DISABLED -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -redirectPortRewrite DISABLED -downStateFlush ENABLED -disablePrimaryOnDown DISABLED -insertVserverIPPort OFF -Listenpolicy none -mssqlServerVersion 2008R2 -l2Conn OFF -appflowLog ENABLED -icmpVsrResponse PASSIVE -RHIstate PASSIVE
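As an added illustration (not the lab's own code and not NetScaler's policy engine), the Python below simulates the read/write content switching decision built in steps 8 to 14 and exercised in steps 17 and 18. The policy names, priorities and LB vServer targets are the lab's; the matching rules are assumptions standing in for the policy expressions the GUI screenshots carry, and the sample statements are constructed.

```python
import re

# Constructed sample statements (not taken from the lab's screenshots): the two the lab runs
# from SSMS in steps 17 and 18 (table name made up), plus edge cases that a plain
# "starts with SELECT / INSERT" match would route to the wrong database.
SAMPLE_QUERIES = [
    "SELECT * FROM Clients WHERE CLIENT_HOUSEHOLD_INCOME>='30000'",
    "CREATE DATABASE NEW_TEST_DB",
    "  -- nightly load\n  insert into Orders (Id) values (1)",
    "WITH recent AS (SELECT Id FROM Clients) SELECT * FROM recent",
    "SELECT * INTO Clients_Backup FROM Clients",
    "EXEC dbo.ArchiveOrders",
]

WRITE_COMMANDS = {"INSERT", "UPDATE", "DELETE", "MERGE", "CREATE", "ALTER", "DROP", "TRUNCATE"}
STATEMENT_KEYWORDS = WRITE_COMMANDS | {"SELECT", "EXEC", "EXECUTE"}
DEFAULT_TARGET = "MSSQL_LB_DW"  # the default LB vServer bound in step 14

# Comments and string literals are dropped before tokenising, so a literal such as
# 'select' inside a WHERE clause cannot influence the decision.
_SKIP_RE = re.compile(r"--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'", re.S)
_TOKEN_RE = re.compile(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*")


def top_level_tokens(sql):
    """Upper-cased identifiers/keywords at parenthesis depth 0, so a CTE body is ignored."""
    depth, tokens = 0, []
    for token in _TOKEN_RE.findall(_SKIP_RE.sub(" ", sql)):
        if token == "(":
            depth += 1
        elif token == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            tokens.append(token.upper())
    return tokens


def reads_policy(command, before_from):
    # A SELECT whose projection carries INTO creates a table and is therefore a write.
    return command == "SELECT" and "INTO" not in before_from


def writes_policy(command, before_from):
    return command in WRITE_COMMANDS or (command == "SELECT" and "INTO" in before_from)


# (priority, policy name, predicate, target LB vServer) as bound in steps 13 and 14:
# the lowest priority number is evaluated first, like the NetScaler binding order.
POLICIES = [
    (100, "MSSQL_CS_Reads", reads_policy, "MSSQL_LB_DW"),
    (110, "MSSQL_CS_Writes", writes_policy, "MSSQL_LB_OLTP"),
]


def route(sql):
    """Return (policy name or 'default', target LB vServer) for one statement."""
    tokens = top_level_tokens(sql)
    index = next((i for i, t in enumerate(tokens) if t in STATEMENT_KEYWORDS), None)
    if index is None:
        return ("default", DEFAULT_TARGET)
    command, rest = tokens[index], tokens[index + 1:]
    before_from = rest[:rest.index("FROM")] if "FROM" in rest else rest
    for _priority, name, matches, target in sorted(POLICIES, key=lambda p: p[0]):
        if matches(command, before_from):
            return (name, target)
    # EXEC and anything else unmatched falls through to the default vServer, so a stored
    # procedure that writes would land on the DW instance: a gap worth its own policy.
    return ("default", DEFAULT_TARGET)


if __name__ == "__main__":
    for sql in SAMPLE_QUERIES:
        policy, target = route(sql)
        print(f"{target:<14} via {policy:<16} <- {sql.strip().splitlines()[-1]}")
```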
Exercise Summary
In this exercise you have familiarized yourself with DataStream for MS SQL Server, created and configured database load balancing and content switching, and worked with MS SQL Server database tools.
Module 12: AAA for Traffic Management
Overview
Most networks concentrate their user credentials in one centralized location. This aids in management
and security. The NetScaler system can use common authentication, authorization, and auditing (AAA)
systems for its system users. AAA can also be applied to traffic passing through it.
AAA for Application Traffic uses authentication virtual servers to provide AAA functionality for load
balancing and content switching traffic. This allows the NetScaler to perform authentication, authorization,
auditing functionality in front of traffic management virtual servers. This gives administrators the ability to
provide single sign-on, access control, session, and traffic policy capabilities for non-VPN traffic. AAA for
Application Traffic uses the NetScaler to manage access requirements for multiple web sites without
needing full VPN style connectivity.
AAA for Application Traffic uses many of the same policy types and design concepts as the SSL VPN functionality, but streamlined for access control only.
Exercise 1: AAA for Traffic Management
Overview
The AAA feature supports authentication, authorization, and auditing for all application traffic. To
use AAA, you must configure authentication virtual servers to handle the authentication process
and traffic management virtual servers to handle the traffic to web applications that require
authentication.
1. Login with:
o Username: Training\administrator
o Password: Citrix123
2. Navigate to the Start Menu, type Active Directory Users and Computers, and click it
3. Fill out the fields for the new user (in our example we are using the username aaauser). Click Next.
o Type aaauser under Name Field
o Type Password1 for password
o Click Next
o Select Password never expires
o Click Next and then Finish
4. Add DNS entries for the FQDNs used in this exercise
o While still logged in via Remote Desktop to the Active Directory machine, navigate to Administrative Tools and double-click DNS
5. Select Forward Lookup Zones from the left-hand menu pane, then double-click the Training.lab zone
Right-click on the white space and select New Host (A or AAAA)
6. Add a host entry for the load balancing VIP.
o Hostname: WebServer
o IP Address: 192.168.10.125
7. Add a second host entry for the AAA VIP (click OK and Done once complete)
o Hostname: aaavs
o IP Address: 192.168.10.175
8. We are also going to add 2 additional DNS entries for the SAML exercise later in this lab.
Note: You will not be able to access the IPs or hosts below until the SAML exercise
o Hostname: aaasp
o IP Address: 192.168.10.176
o Hostname: aaaidp
o IP Address: 192.168.10.177
Note: To verify that the DNS entries are correct, open a command prompt (Run as Administrator) on your machine and ping both FQDNs that were just created in DNS. If the ping test is unsuccessful, type the following commands to flush the DNS cache on the machine, then retry the ping test.
Ipconfig /flushdns
Ipconfig /registerdns
9. Creating an LDAP policy on NetScaler using Active Directory
10. Under Connection Settings use the following values
o Base DN: DC=training,DC=lab
o Administrator DN: administrator@training.lab
o Bind DN Password: box is checked
o Administrator Password: Citrix123
11. Scroll down to Other Settings and set the following values.
Server Logon Name Attribute: sAMAccountName
Group attribute: memberof
Sub Attribute Name: cn
You have now successfully created a directory server for authentication. The next step is to create a policy.
12. Now Select the Policies tab, and click Add
13. Create the LDAP policy using the following values from the screenshot below. (ns_true)
Type LDAP under Name*
Select ns_true from the Saved Policy Expressions tab in the Expression Editor box
15. Provide the following values for the certificate (screenshot below), and click OK once finished
Type AAA under Certificate File Name*
Type aaavs.training.lab under Fully Qualified Domain Name*
Under Country select UNITED STATES
You have now created and installed a server test certificate. We will bind this certificate to the AAA vServer that we create in subsequent sections.
16. Create an AAA virtual server
Navigate to Security > AAA-Application Traffic > Virtual Servers, and click Add
Provide the Basic Settings using the following values and click OK when finished.
o Name: AAA-vs
o IP Address: 192.168.10.175
o Protocol: SSL
o Port: 443
o Authentication Domain: Training.lab
17. The next step is to bind the server certificate. You will see the Certificate menu appear once you click OK in the previous step.
18. Select AAA certificate and click OK, then Bind to complete.
19. Bind the LDAP policy and select Primary as the Type. Click Continue.
Bind the LDAP policy created in the previous steps and leave the priority at 100. Click Bind to finish.
Finally click Continue at the bottom of the Authentication Virtual Server screen, and then Done to complete.
After clicking the Refresh button your AAA vServer should show green, representing an Up state.
20. Bind the AAA vServer to the load balancing vServer created in earlier steps. If the config has been erased, refer to the CLI commands in Exercise 3 to restore the load balancing configuration.
21. Provide the values for the Authentication option as shown below and click OK when finished
Finally click Done. You have now bound the AAA vServer to your load balanced vServer. The purpose of this is to authenticate users against LDAP before they can reach the backend web servers.
22. Testing the AAA-TM vServer
To test using a web browser, open a new private or incognito browser window and navigate to the FQDN of the load balancing virtual IP address (http://webserver.training.lab).
Now you should be able to log in with the aaauser created in earlier steps
o User name: aaauser
o Password: Password1
add ssl certKey AAA -cert AAA-root.cert -key AAA-root.key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30
Make sure to add the Web-VIP vserver as shown in Exercise 3
Exercise Summary
In this exercise you successfully created a user in Active Directory; DNS entries for the web server FQDN and the AAA vServers; an LDAP server and policy in NetScaler; and an AAA vServer that was bound to the WebServer load balancing VIP.
Module 13: NetScaler Management and Analytics System
NetScaler MAS Overview
NetScaler Management and Analytics System (MAS) is a centralized management solution that simplifies
operations by providing administrators with enterprise-wide visibility and automating management jobs
that need to be executed across multiple instances. You can manage and monitor Citrix application
networking products that include Citrix NetScaler MPX, Citrix NetScaler VPX, Citrix NetScaler Gateway,
Citrix NetScaler SDX, Citrix NetScaler CPX, and Citrix NetScaler SD-WAN. You can use NetScaler MAS
to manage, monitor, and troubleshoot the entire global application delivery infrastructure from a single,
unified console.
NetScaler MAS, a virtual appliance that runs on Citrix XenServer, VMware ESXi, and Linux KVM, also addresses the application visibility challenge by collecting detailed information about web-application and virtual-desktop traffic, such as flow, user-session-level information, web page performance data, and database information flowing through the NetScaler appliances, NetScaler Gateway appliances, or NetScaler SD-WAN appliances at your site, and providing actionable reports. It enables IT administrators to troubleshoot, and proactively monitor, customer issues in a matter of minutes.
In this module, we will set up a single-server deployment of NetScaler MAS and add multiple NetScalers to manage and monitor. This module serves as a foundation to allow the student to build upon and explore many other aspects and features of the appliance not explicitly shown in this module.
Features
Below are a few notable features of NetScaler MAS in regards to Infrastructure Management, Monitoring,
Data Analytics, and Application oversight. Orchestration is also a large part of MAS but not discussed in
this module.
Application
Application Monitoring: Enables you to monitor the applications in your deployment based on the virtual server status.
Application Groups: Enables you to define applications based on a collection of virtual servers in NetScaler MAS. You can create an application group of Load Balancing, Content Switching, and GSLB virtual servers.
Infrastructure
Instances: Enables you to manage the NetScaler ADC, NetScaler Gateway, and NetScaler SD-WAN instances. Note: Currently NetScaler MAS supports only WAN Optimization functionality for NetScaler SD-WAN instances.
Static Group: Allows you to define a device group that you can use in different tasks, such as Configuration Jobs.
Configuration Jobs: Enables admins to push dynamic CLI-based configurations across multiple NetScaler instances seamlessly.
Configuration Audit: Enables you to monitor and identify anomalies across the configurations in your instances.
Audit template: Allows you to monitor the changes across a specific configuration.
Analytics
Web Insight: Provides visibility into enterprise web applications and allows IT administrators to monitor all web applications being served by the NetScaler ADC by providing integrated, real-time monitoring of applications. Web Insight provides critical information such as user and server response time, enabling IT organizations to monitor and improve application performance.
HDX Insight: Provides end-to-end visibility for ICA traffic passing through the NetScaler ADC. HDX Insight enables administrators to view real-time client and network latency metrics, historical reports, and end-to-end performance data, and to troubleshoot performance issues.
Security Insight: Provides a single-pane solution to help you assess your application security status and take corrective actions to secure your applications.
Gateway Insight: Provides visibility into the failures that users encounter when logging on, regardless of the access mode. You can view a list of users logged on at a given time, along with the number of active users, number of active sessions, and bytes and licenses used by all users at any given time.
Network Reporting: Allows you to create reports of network statistics including, but not limited to, TCP connections, HTTP requests, and SSL transactions.
citrix.com
249
Virtual Machines Required for this Module
VM Name IP Address Description
Exercise 1: Provisioning your MAS Appliance
Overview
You can download NetScaler MAS by browsing to https://www.citrix.com/downloads.html and selecting
NetScaler MAS for your hypervisor type. A pre-imported XenServer template is provided for you in this
module to provision onto your host. Follow the instructions below to begin.
Step by Step Guidance
Step Action
1.
In XenCenter, right-click on the Citrix NetScaler MAS 11.1 template to Quick Create the NetScaler MAS
appliance onto the host.
You will see the MAS Appliance show up in the left pane.
2.
Open the console of the newly provisioned appliance and follow the wizard to fill in the following
information:
Netmask: 255.255.255.0
Enter 1 in the prompt, enter NMAS and hit the enter key.
Enter 2 in the prompt, enter 192.168.10.20 and hit the enter key.
3. Enter 3 in the prompt, enter 255.255.255.0 and hit the enter key.
Enter 4 in the prompt, enter 192.168.10.1 and hit the enter key.
Enter 5 in the prompt, enter 192.168.10.1 and hit the enter key.
Next, enter 1 in the prompt to deploy as a single server (currently the only supported mode of deployment).
Enter Yes twice to confirm and restart the appliance.
4.
Navigate to http://192.168.10.20/ from the student desktop and log in to the NetScaler MAS console. Type
nsroot for the username and nsroot for the password, then click Log On.
Finally, click Get Started and proceed to add an instance to manage with MAS.
5.
Select Single Server Deployment and click Next.
Click on + New on the top right to add the NetScaler VPX Instances.
6.
Enter the following into the GUI:
o You can add your own profile by clicking the icon to use a different username and
password than the default nsroot values.
Click OK; you will then see the MAS GUI adding the two NetScaler instances to the inventory.
7.
Validate that the instances are added and are being monitored successfully.
You will be presented with the NetScaler MAS Application Dashboard. Your dashboard may look slightly
different than depicted, depending on what is configured on your NetScaler.
Exercise Summary
In this exercise you successfully deployed a NetScaler MAS on XenServer. You also added two
NetScaler VPXs to manage and validated success by logging into the MAS dashboard. Feel free to now
explore the console and locate interesting features and settings.
Exercise 2: MAS Application Module
Overview
In NetScaler MAS, admins can define an application based on a collection of virtual servers in NetScaler
MAS. You can create an application through either a static or dynamic configuration.
The two types of application definitions are as follows:
Static Definition of Applications In a static definition, you select the virtual servers that you want to
define in the application. You can define an application with load balancing, content switching, and GSLB
virtual servers. This definition does not get updated when new virtual servers are configured on your
NetScaler instance. You will need to manually update this list to include more virtual servers.
Dynamic Definition of Applications In a dynamic definition, you use one of the two criteria listed
below to define an application:
Servers: You specify the server or service IP address, server name, or the port of the backend
server on which the applications are running. You can enter one IP address, a range of IP
addresses, or a combination of both separated by commas. For example, you can enter
10.102.29.20, 10.102.43.10-60, 10.216.43.45.
Virtual Servers: You can specify either one of the following: the virtual server IP address, virtual
server name, or the port of the backend server on which the applications are running. You can
enter one IP address or a range of IP addresses or a combination of both separated by commas.
For example, you can enter 10.102.29.20,10.102.43.10-60,10.216.43.45.
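The comma-separated criterion above is what decides which backend servers fall under a dynamic application definition, and therefore which application owner sees them. As an added example (not MAS's own matching code), the Python below expands the text's sample criterion and tests a server IP against it; the reading of 10.102.43.10-60 as a last-octet range is an assumption, and malformed items are rejected rather than ignored so a typo cannot silently widen or narrow the match.

```python
import ipaddress

# Constructed from the example criterion in the text: single addresses and a
# last-octet range, comma separated (spaces around the commas are tolerated).
SERVERS_CRITERION = "10.102.29.20, 10.102.43.10-60, 10.216.43.45"


def expand_criterion(criterion):
    """Expand a MAS-style server criterion into a set of IPv4 addresses.

    Each comma-separated item is either a single address or a last-octet
    range such as 10.102.43.10-60 (assumed semantics). Anything else raises
    ValueError instead of being skipped.
    """
    addresses = set()
    for item in (part.strip() for part in criterion.split(",")):
        if not item:
            continue
        if "-" in item:
            start, end = item.split("-", 1)
            prefix, _, first = start.rpartition(".")
            if not (first.isdigit() and end.isdigit()):
                raise ValueError(f"bad range: {item!r}")
            low, high = int(first), int(end)
            if not 0 <= low <= high <= 255:
                raise ValueError(f"bad range: {item!r}")
            for octet in range(low, high + 1):
                # IPv4Address validates the reconstructed address as well.
                addresses.add(ipaddress.IPv4Address(f"{prefix}.{octet}"))
        else:
            addresses.add(ipaddress.IPv4Address(item))
    return addresses


def matches(criterion, server_ip):
    """True if a backend server IP falls under the dynamic definition."""
    return ipaddress.IPv4Address(server_ip) in expand_criterion(criterion)


if __name__ == "__main__":
    for ip in ("10.102.43.60", "10.102.43.61", "10.216.43.45"):
        print(ip, "in application" if matches(SERVERS_CRITERION, ip) else "not in application")
```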
In this exercise you will:
Configure an Application to collect analytics for Webgoat and Webserver
Configure Role Based Access for different application owners using MAS
Executing any additional modules on the NetScalers is fine and may work to your benefit, because
additional information will be reflected on the MAS dashboard, as you'll see at the end of this module.
Step Action
2.
Here are the configurations I have on NS-A (192.168.10.15) for load balancing and content switching
based on Module 4 and Module 6.
3. Now we will create an application definition in MAS.
Log into MAS console (192.168.10.20) with username nsroot and password nsroot.
Navigate to Applications > Dashboard and click on Applications
Click OK
Note:
4. The new application should now show up in the dashboard as shown below.
If you click on any of the three virtual servers that define the WebServer application (for example, here I
have selected Web-Vip) you can drill down into live throughput, connections, transactions, and even the
configuration of that vserver.
Note: MAS will automatically add vservers to this application based on the naming convention. For example, if
we add another load balancer with web-vip in the name, it will be added to the WebServer MAS
application.
5. Navigate to Applications > Dashboard and click on Applications
Click OK
Note that in the following screenshot, Configuration has been selected to show additional information.
6. Now we will configure Role Based Access for two additional MAS application owners to have access to the
WebServer and Webgoat applications separately. First we must define groups and permissions.
Navigate to System > User Administration > Groups and click Add
Enter Group Name*: webserver-group
Enter Permission*: admin
Check Configure Session Timeout and set the timeout interval to 15 minutes.
Check All Instances
Click Next
7. Now we will create another group for the Webgoat application.
Navigate to System > User Administration > Groups and click Add
Enter Group Name*: webgoat-group
Enter Permission*: readonly
Check Configure Session Timeout and set the timeout interval to 15 minutes.
Check All Instances
Click Next
Click Finish
8. Now we will define the actual users themselves and associate their roles and permissions.
Navigate to System > User Administration > Users and click Add
Now we will add a secondary user, webgoat-admin, with the same password and the following configuration:
9. Now you should have two users defined in addition to your default nsroot administrator.
10. Remember, when you logged in as nsroot you were able to see all applications and virtual servers in the
Applications tab in MAS. Now we will log in as webserver-admin and webgoat-admin to witness RBAC.
If currently logged in as nsroot, log out from the MAS console. Then log in using username webserver-admin
and password Password01.
Navigate to Applications > Dashboard and click Applications to see that only the Webserver
application shows up.
Click on Configuration under Web-VIP for the WebServer application and click on the edit icon on
the top right of the Method section of the vserver configuration.
Change the method of load balancing to SOURCEIP. Note that with the webserver-admin user and
role, you are able to make configuration changes to the virtual servers.
11. Now that we have validated that webserver-admin has admin privilege over only the webserver
application, we will validate webgoat-admin's ability to monitor the webgoat application.
Log out from the MAS console. Then log in using username webgoat-admin and password Password01.
Navigate to Applications > Dashboard and click Applications to see that only the Webgoat
application shows up. Notice that the user only has access to the Application module.
Click on Configuration under Web-VIP for the Webgoat application and click on the edit icon on
the top right of the Method section of the vserver configuration.
NOTICE: After clicking OK at the top of the page you will see a denial of permission, as expected.
Exercise Summary
In this exercise you have successfully added two applications, WebServer and Webgoat, to MAS to
monitor. You have also added two additional users with differing permissions and roles to MAS for
application administration. User webserver-admin can manage and configure the Webserver application
and its associated virtual servers, while user webgoat-admin can only monitor the Webgoat application.
Exercise 3: MAS Analytics Module
Overview
In NetScaler MAS, admins can benefit from deep analytics on their network traffic regarding network
performance, L7 network security, ICA traffic, and much more. Data is collected via the Insight modules
within Analytics: Web Insight, HDX Insight, Security Insight, and Gateway Insight.
Web Insight: Web Insight enables visibility into enterprise web applications and allows IT administrators
to monitor all web applications being served by the NetScaler ADC by providing integrated and real-time
monitoring of applications. Web Insight provides critical information such as user and server response
time, enabling IT organizations to monitor and improve application performance.
HDX Insight: HDX Insight provides end-to-end visibility for ICA traffic passing through NetScaler ADC.
HDX Insight enables administrators to view real-time client and network latency metrics, historical reports,
and end-to-end performance data, and to troubleshoot performance issues. The availability of both real-time
and historical visibility data enables NetScaler MAS to support a wide variety of use cases.
Security Insight: Web and web service applications that are exposed to the Internet have become
increasingly vulnerable to attacks. To protect applications from attack, you need visibility into the nature
and extent of past, present, and impending threats, real-time actionable data on attacks, and
recommendations on countermeasures. Security Insight provides a single-pane solution to help you
assess your application security status and take corrective actions to secure your applications.
Gateway Insight: In a NetScaler Gateway deployment, visibility into a user's access details is essential
for troubleshooting access failure issues. It provides visibility into the failures encountered by all users,
regardless of the access mode, at the time of logging on to NetScaler Gateway. You can view a list of all
available users, number of active users, number of active sessions, and bytes and licenses used by all
users at any given time. You can view the end-point analysis (EPA), authentication, single sign-on (SSO),
and application launch failures for a user. You can also view the details of active and terminated sessions
for a user.
Network Reporting: Network reporting allows the admin to specify the instance and the load balancing
virtual server on which to monitor the connection statistics. There are numerous reports across
L4-L7 that can be generated for network administrators. For example, admins can monitor the client and
server connections so that they can gather data about the number of active and idle connections. Admins
can then disconnect idle client connections and free up resources.
Step by Step Guidance
Step Action
1.
Log in to MAS using username nsroot and password nsroot. Now we will ensure AppFlow is enabled and
that data can be collected from the NetScaler appliances by MAS.
Navigate to Infrastructure > Instances > NetScaler VPX and click on the more actions icon as
shown here to Enable/Disable Insight
Check all boxes under Load Balancing and Content Switching and then click Enable AppFlow.
Enter true in the expression and check the boxes for Web Insight, Security Insight, and HTML
Injections. Once you click OK you will notice green check marks under AppFlow Logging.
2.
Before proceeding, disable the AppFirewall feature on the NetScaler(s) for now. In a new window,
browse to your content switch IP (http://192.168.10.125:81/url1 and http://192.168.10.125:81/url2) and load
balancing IPs (webserver: http://192.168.10.125:80 and webgoat:
http://192.168.10.125:8080/WebGoat/attack). Feel free to browse through the webgoat site and navigate
through additional URL paths. Hit refresh a couple of times on different web pages and continue on to the
MAS console under Analytics to see data now populated on the Instances tab.
Under Web Insight, navigate to Applications, URL, Clients, etc. to see more detail on the single HTTP
session to a backend website. Many items are hyperlinked and can be drilled into by clicking.
For example:
3.
Take a moment to explore the console under Web Insight and inspect the data collected by MAS. Familiarize
yourself with the details within each of the sub-sections under Web Insight.
Exercise 4: MAS Configuration Job
Overview
In NetScaler MAS, NetScaler admins can use the Configuration Jobs feature to extract the Front End
Optimization configuration from a NetScaler instance and replicate it on multiple instances. This feature
allows CLI-based commands to be pushed out in batch across several instances (SDX, MPX, VPX,
and CPX), using variables within the commands as dynamic inputs corresponding to the instance, which the
admin can specify.
If you are accustomed to using the NetScaler GUI to configure a NetScaler instance, at times, you might
find it difficult to recall the exact CLI commands to create a configuration task and run it on multiple
NetScaler instances.
NetScaler MAS enables you to record the configuration tasks performed using the GUI of a NetScaler
instance and convert it into CLI commands. You can then create a configuration task from these CLI
commands and run this task on multiple instances.
There are multiple sources available to create configuration job templates from:
o Configuration Template: If you have pre-defined, pre-saved templates (none are present out of the
box), you can drag and drop them into the text editor to create a larger configuration job.
o In-built Template: These are templates that come with the appliance; by default, only one, for configuring a
Syslog server, is present. You can add more later.
o Record and Play: MAS records all NITRO API calls being made to a specified instance, whether
those commands are invoked via the SSH CLI or the GUI admin console. Those commands are then captured as
CLI text within the editor and serve as the source of the configuration template.
o Instance: You can also extract configuration from an instance to push out to a different instance. MAS will
parse the ns.conf file into CLI-based commands taken from the source instance's saved configuration.
o File: You can also provide a flat text file with NS CLI commands to upload and convert into a template for a
configuration job.
In this exercise you will:
Record and Play a NetScaler Load Balancing vserver configuration and apply it to a different
NetScaler.
Create a configuration job template with variables and apply it to a different NetScaler with different
input parameters.
Step by Step Guidance
Step Action
1.
In this step we will logon to NetScaler-A and prepare to configure a new load balancer.
Navigate to Configuration > Traffic Management > Load Balancing > Servers
Leave the browser page here. We will come back to this tab shortly. Open a new Tab in the active
browser and proceed.
2.
In the new browser tab, login to MAS using Username nsroot and Password nsroot.
Navigate to Infrastructure > Configuration Jobs and click Create Job to begin.
Give the job a name: citrix.com LBvServer and confirm the Instance type is NetScaler.
From the Configuration Source drop down select: Record and Play
3.
Now go back to the prior tab where you are logged into NetScaler-A. Click Add twice to add two
new servers, one at a time.
Create two new servers named Citrix.com-1 and Citrix.com-2 with IPs 208.73.210.217 and
208.73.210.214 respectively.
4.
Navigate to Configuration > Traffic Management > Load Balancing > Service Groups and click Add
Add a new Service group with name Citrix.com-sg and protocol HTTP.
Click No Service Group Member to add the two servers as part of the service group.
5.
Click Server Based
Specify port 80
Click Create
Click OK
Click Done
6.
Now navigate to Configuration > Traffic Management > Load Balancing > Virtual Servers and click Add
Name*: citrix.com
Protocol*: HTTP
IP Address*: 192.168.10.19
Port* : 80
7.
Configure the method of load balancing as ROUNDROBIN and click Done when complete.
8.
Back in the MAS console, click Stop to stop recording for the Configuration Job. Once stopped, you will
see the commands that were recorded during the configuration of the citrix.com vserver on NetScaler-A.
Drag and drop those commands to the center of the editor pane. You should see something similar to the
following screenshot.
Highlight the Load Balancing VIP (192.168.10.19) and click Convert to Variable.
9.
Once converted to a variable, the text turns bright teal with a $ before and after it. Click on the
text variable and it will turn yellow with a pop-up dialog to define the variable.
Name*: VIP
Click Save and you will see the variable name change and the color change to green.
10.
Click Save and you will notice that you now have a pre-defined variable on the left-hand side under the
commands you recorded prior.
Click Next
Click Next
11.
Here you will download your Input Key File in Excel format and upload the file after adding in the
variable inputs.
Click Download Input Key File and save the file in your Downloads folder. Double-click the
downloaded file and it will open in LibreOffice. Keep the default settings when opening and click OK
in LibreOffice.
12.
When open, enter the IP 192.168.10.21 under the variable name VIP for your instance in column A.
See the example below.
Now when you execute the Configuration Job against NetScaler-B, all settings are applied identically
to how they were recorded from NetScaler-A, except the IP parameter we labeled VIP for the load
balancing vserver, which takes the input IP we specify in the input file (192.168.10.21).
Save the document by pressing Ctrl+S in LibreOffice. Select Use Text CSV Format.
Now in MAS, click Choose File and navigate to the saved file in the Downloads folder of your Student
Desktop. Click Upload when finished and then click Next.
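Steps 8 through 12 amount to a templating step: the recorded commands with the VIP converted to a $VIP$ variable, plus an input file giving each target instance its own value. The Python below is an added example (not MAS code) that reproduces that step offline so you can see exactly what NetScaler-B would receive; the command list is constructed to match what steps 3 to 7 configure, the CSV layout (one row per instance, one column per variable) and the instance label "NetScaler-B" are assumptions, and every variable value is checked to be an IPv4 address before rendering, so a bad input fails before any command is pushed.

```python
import csv
import io
import ipaddress
import re

# Constructed to mirror the load balancer built on NetScaler-A in steps 3 to 7.
# MAS marks a converted variable as $NAME$; here the VIP has been converted.
RECORDED_TEMPLATE = """\
add server Citrix.com-1 208.73.210.217
add server Citrix.com-2 208.73.210.214
add serviceGroup Citrix.com-sg HTTP
bind serviceGroup Citrix.com-sg Citrix.com-1 80
bind serviceGroup Citrix.com-sg Citrix.com-2 80
add lb vserver citrix.com HTTP $VIP$ 80 -lbMethod ROUNDROBIN
bind lb vserver citrix.com Citrix.com-sg
"""

# Constructed input key file: one row per target instance, one column per
# variable. Layout and the "NetScaler-B" label are assumptions; the real
# download from MAS may order columns differently.
INPUT_KEY_CSV = """\
instance,VIP
NetScaler-B,192.168.10.21
"""

VARIABLE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def template_variables(template):
    """Return the set of $NAME$ variables a recorded template uses."""
    return set(VARIABLE.findall(template))


def validate_ipv4(name, value):
    """Every variable in this example stands in for an address (only VIP is
    used on the page), so a value that is not a single IPv4 address is an error."""
    try:
        return str(ipaddress.IPv4Address(value))
    except ValueError as exc:
        raise ValueError(f"{name}={value!r} is not an IPv4 address") from exc


def render_job(template, input_csv):
    """Map each target instance to the command list it would receive.

    Raises ValueError when a row lacks a variable the template needs or a
    value fails validation, so nothing is rendered for a broken input file.
    """
    needed = template_variables(template)
    rendered = {}
    for row in csv.DictReader(io.StringIO(input_csv)):
        instance = row.pop("instance")
        missing = needed - set(row)
        if missing:
            raise ValueError(f"{instance}: no input for {sorted(missing)}")
        values = {name: validate_ipv4(name, row[name]) for name in needed}
        # Substitute each $NAME$; every name is present because of the check above.
        body = VARIABLE.sub(lambda m: values[m.group(1)], template)
        rendered[instance] = [line for line in body.splitlines() if line]
    return rendered


if __name__ == "__main__":
    for instance, commands in render_job(RECORDED_TEMPLATE, INPUT_KEY_CSV).items():
        print(f"# commands rendered for {instance}")
        print("\n".join(commands))
```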
13.
In the next pane, you can specify what MAS should do if a command were to fail upon execution.
You can Rollback Successful Commands to undo the commands that were successfully executed
up to the point where execution failed.
You can Stop Further Execution and re-execute the job at a later time, possibly after
making some manual changes.
Furthermore, if we had specified more than one NetScaler instance to push these configurations out to, we
could specify how they get pushed out: Sequentially or in Parallel. For our purposes, either
one will suffice.
Since we do not have Email notification set up, we will not receive a notification when the
job is complete. It is good to know that it is possible, however.
14.
You will be directed to the status of the job and, if all goes well, you will have successfully executed your
configuration job, pushing a configured vserver application out to NetScaler-B.
Check the check box next to citrix.com LBvServer and then click the button above labeled Details.
Here you get additional details regarding the job. Drill down by clicking on Execution Summary.
Now click on the IP address of the instance to see command details and status.
15.
Now let's validate that the configurations are actually observable on NetScaler-B.
Navigate to Configuration > Traffic Management > Load Balancing > Virtual Servers
You'll notice that there is now a Citrix.com LB vserver, which was configured by the configuration job.
You can record more complex configurations, or even record some of the modules above to extract
and learn NetScaler CLI commands.
Authors
The following authors contributed to the creation of this deliverable.
Citrix
Steven Barnes, Networking Tech Specialist, steven.barnes@citrix.com
Brian Tannous, Networking Tech Specialist, Brian.tannous@citrix.com
Revision History
Revision Change Description Updated By Date
1.0 Original Steve Barnes, Mayank Tahilramani January 2017