CNS 222 2I en Student Manual 1 3 Days Softlayer v05



Short Description

The latest version of this wonderful book on XenServer and XenDesktop....

Description

Table of Contents

Course Overview (p. 2)

Module 1 - Getting Started (p. 16)
  Introduction to NetScaler (p. 18)
  Feature Overview (p. 27)
  Platforms and Licensing (p. 39)
  Deployment Scenarios (p. 44)
  Architectural Overview (p. 49)
  File System and Configuration Files (p. 55)
  Initial Setup and Management (p. 63)
  Backup, Restore, and Upgrade (p. 70)

Module 2 - Basic Networking (p. 74)
  NetScaler-Owned IP Addresses (p. 79)
  Networking Topology (p. 90)
  Interfaces and VLANs (p. 99)
  Routing (p. 114)
  Traffic-Handling Modes (p. 125)
  Access Control Lists (p. 137)
  Network Address Translation (p. 145)

Module 3 - NetScaler Platforms (p. 153)
  NetScaler MPX (p. 155)
  NetScaler VPX (p. 167)
  NetScaler SDX (p. 174)
  Multi-Tenant SDX (p. 180)
  SDX Interface Allocation Scenarios (p. 201)
  SDX Administration (p. 216)

Module 4 - High Availability (HA) (p. 228)
  NetScaler High Availability (p. 230)
  High-Availability Configuration (p. 241)
  Additional HA Settings (p. 248)
  Managing High Availability (p. 262)
  Troubleshooting High Availability (p. 266)

Module 5 - Basic Load Balancing (p. 272)
  Load-Balancing Overview (p. 274)
  Load-Balancing Methods and Monitors (p. 292)
  Different Load-Balancing Traffic Types (p. 318)
  Advanced Monitoring and Third-Party Service Deployment (p. 340)
  Advanced Service Configuration Options (p. 347)
  Load-Balancing Protection (p. 357)
  Troubleshooting Load Balancing (p. 365)

Module 6 - SSL Offload (p. 375)
  SSL Overview (p. 377)
  SSL Configuration (p. 384)
  SSL Offload Overview (p. 401)
  Troubleshooting SSL Offload (p. 415)
  SSL Vulnerabilities and Protections (p. 423)

Module 7 - Securing the NetScaler (p. 430)
  Authentication, Authorization, and Auditing (p. 432)
  Configuring External Authentication (p. 449)
  Admin Partitions (p. 459)
  Partition Management (p. 470)

Module 8 - Monitoring and Troubleshooting (p. 477)
  NetScaler Logging (p. 480)
  Monitoring (p. 499)
  Dashboard, Reporting, Diagnostics, and Visualizer (p. 509)
  Troubleshooting (p. 517)
  AppFlow, Command Center, and Insight (p. 524)

1 © 2017 Citrix Authorized Content

Key Notes:
The Citrix NetScaler product line delivers applications over the Internet and private networks, combining application-level security, optimization, and traffic management into a single, integrated appliance.

Key Notes:

Although multiplexing operates at the TCP level, it is not available for every service type carried over TCP. NetScaler supports connection multiplexing for HTTP, SSL, and DataStream (database) services.

Key Notes:

NetScaler content switching and load balancing:

• Improve the throughput and scalability of an Internet application infrastructure.
• Decouple each application request/response flow from the underlying transport.

The NetScaler system manages the complete life cycle of the request/response transaction. It sits between clients and servers and functions as a proxy: it receives requests from clients, processes each request if necessary, and then forwards it to the server.

With Content Switching, the appliance can direct requests sent to the same web host to different servers holding different content. Essentially, NetScaler separates the HTTP request from the TCP connection on which the request was delivered. As a result, it can multiplex and offload TCP connections, maintain persistent connections, and manage traffic at the request level, which improves throughput and scalability.

Connection process:
• NetScaler receives and terminates client connections.
• It can decrypt, authenticate, and analyze every request.
• It queues and dispatches valid requests.
• It switches requests and multiplexes them over persistent server connections.

Key Notes:

This is a typical TCP connection carrying one HTTP request/response:

• The connection is first established.
• Data is submitted.
• The connection is then deallocated and torn down.

Key Notes:

• TCP connection is established.
• HTTP request is submitted.
• HTTP response is returned.
• TCP connection is torn down.

On the client side, the client sees the NetScaler as the server. On the server side, the server sees the NetScaler as the client.

The NetScaler establishes a TCP connection to the server once; instead of tearing the session down after a single transaction, it keeps the connection alive. The NetScaler sends client requests to the server, receives the response, and returns the response to the client. The TCP session between the NetScaler and the server is not torn down and is reused for requests from many clients. This is the Request Switching process. TCP offload reduces server CPU load, and persistent connections deliver responses to clients faster. Related features: SSL offload, TCP offload, compression, caching, and web logging; analysis and optimization of responses; persistent connections, fast ramp, and client keep-alive.

Key Notes:

Connection multiplexing flow:

1. The client transmits requests.
2. NetScaler terminates the client connection.
3. NetScaler establishes a server connection (or reuses an existing one when multiplexing is on).
4. NetScaler transmits the client requests to the server. Other clients follow the same procedure.
5. Multiple client requests are transmitted across the common server connection (MUX).

The connections on the back end are symmetric; they are not used asymmetrically.

Multiplexing has to be disabled when the back end authenticates the TCP connection rather than each request (connection-oriented schemes such as NTLM): on a shared connection, requests from other clients would ride on a connection that the first client authenticated.

Methods to disable multiplexing:

On each service
• Setting maxReq to 1 disables multiplexing for that service. Each client connection is then tied to a single server connection in a 1:1 fashion.
  set service <service> -maxReq 1

At a global level
• The following command disables multiplexing globally on the appliance. It ensures that a server connection is not placed in the reuse pool for use by another client, although the same server connection can still be reused by the same client.
  nsapimgr -ys httpnoreuse=1

Using the HTTP profile
• Starting with NetScaler software release 9.2, you can disable connection multiplexing from the command line interface either at a global level or per service by using an HTTP profile:
  set ns httpParam [-conMultiplex ( ENABLED | DISABLED )]

Additional Resources:

Connection Multiplexing in NetScaler: https://www.citrix.com/blogs/2012/03/08/connection-multiplexing-in-netscaler/
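The multiplexing flow and the maxReq 1 behaviour described above, as an added example that is not part of the course material or of any Citrix code: a toy reverse proxy and origin server written for this page. Three client connections go through the proxy; with reuse on, the origin accepts one TCP connection, with reuse off (the maxReq 1 effect) it accepts three. The X-Forwarded-For handling is an assumption added to show the consequence of the server seeing the proxy, not the client, as its peer; all class and function names are the example's own.

```python
"""Request switching in miniature: one server connection shared by many clients.
Added example, not NetScaler code. Runs entirely on 127.0.0.1 with ephemeral ports."""
import socket
import threading


def header_value(head, name):
    """Value of header `name` (lowercase bytes) in `head`, or b'' if absent."""
    for line in head.split(b"\r\n")[1:]:          # skip the request/status line
        key, _, value = line.partition(b":")
        if key.strip().lower() == name:
            return value.strip()
    return b""


def read_http_message(sock):
    """Read one HTTP/1.1 message (head plus Content-Length body) from sock.
    Returns (head, body) as bytes, or None once the peer has closed."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    length = int(header_value(head, b"content-length") or b"0")
    while len(body) < length:
        body += sock.recv(4096)
    return head, body[:length]


class Listener:
    """TCP listener on an ephemeral port; each accepted connection gets a thread."""
    def __init__(self):
        self.sock = socket.create_server(("127.0.0.1", 0))
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, addr = self.sock.accept()
            threading.Thread(target=self.handle, args=(conn, addr[0]), daemon=True).start()


class Origin(Listener):
    """Keep-alive origin: counts accepted TCP connections, echoes X-Forwarded-For."""
    connections = 0

    def handle(self, conn, _peer_ip):
        self.connections += 1
        with conn:
            while True:                          # serve many requests per connection
                msg = read_http_message(conn)
                if msg is None:                  # the proxy closed this connection
                    return
                body = b"seen-from " + (header_value(msg[0], b"x-forwarded-for") or b"?")
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body)


class Proxy(Listener):
    """Terminates client connections and request-switches onto the origin."""
    def __init__(self, origin_port, multiplex=True):
        self.origin_port, self.multiplex = origin_port, multiplex
        self.reuse_pool = None                   # the single shared server connection
        self.lock = threading.Lock()
        super().__init__()

    def _server_connection(self):
        if not self.multiplex:                   # maxReq 1: one server connection per client
            return socket.create_connection(("127.0.0.1", self.origin_port))
        if self.reuse_pool is None:              # opened once, then reused by every client
            self.reuse_pool = socket.create_connection(("127.0.0.1", self.origin_port))
        return self.reuse_pool

    def handle(self, client, client_ip):
        with client:
            msg = read_http_message(client)
            if msg is None:
                return
            head, body = msg
            head += b"\r\nX-Forwarded-For: " + client_ip.encode()   # origin sees only the proxy
            with self.lock:                      # one request at a time on the shared connection
                server = self._server_connection()
                server.sendall(head + b"\r\n\r\n" + body)
                reply = read_http_message(server)
                if not self.multiplex:
                    server.close()
            if reply is not None:
                client.sendall(reply[0] + b"\r\n\r\n" + reply[1])


def fetch(port, path):
    """One client: new TCP connection, one GET, read the reply, close."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(b"GET " + path.encode() + b" HTTP/1.1\r\nHost: example.test\r\n\r\n")
        return read_http_message(s)[1].decode()


def run_demo(multiplex, clients=3):
    """(TCP connections the origin accepted, reply bodies) after `clients` clients."""
    origin = Origin()
    proxy = Proxy(origin.port, multiplex=multiplex)
    bodies = [fetch(proxy.port, "/item/%d" % i) for i in range(clients)]
    return origin.connections, bodies
```

run_demo(True) gives one origin connection for three clients, run_demo(False) gives three, and in both cases the origin can only learn the client address from the inserted header. The lock serialising requests on the shared connection is the property that breaks connection-oriented authentication: whichever client authenticated that server connection first, every later client's requests ride on it.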

Key Notes:

Switching: can segment application traffic according to information in the body of an HTTP or TCP request, and on the basis of L4-L7 header information such as URL, application data type, or cookie. NetScaler can also manipulate traffic at L2 and L3.

Security and Protection: an optional, built-in web application firewall can protect web applications from application-layer attacks, including buffer overflow exploits, SQL injection attempts, and cross-site scripting attacks. A NetScaler system also provides built-in defenses against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.

Analytics: granular analysis and data collection using AppFlow and Insight.

Key Notes:

This graphic shows which features are controlled by the AppExpert policy framework.

Key Notes:

Application availability using layer-4 through layer-7 load-balancing and content-switching functions.

Application acceleration with content caching and compression:
• Offloading SSL/TLS encryption and decryption from servers.
• Reducing server requests through connection multiplexing.

Security with web application firewall and SSL VPN.

Optimizing web content on 4G and LTE networks.

Providing network analytics to troubleshoot end-user experience issues.

The features you can take advantage of with your NetScaler may depend on the license type that is installed. For more information refer to the NetScaler Datasheet: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-datasheet.pdf.

Types of NetScaler licenses:
• Retail NetScaler (physical box) license: a license for the physical appliance. It enables all necessary features of the appliance and 5 Secure Sockets Layer (SSL) Virtual Private Network (VPN) connections. By default, this license is allocated to hostname "ANY" on the My Account web site; this allocation cannot be changed.
• Other NetScaler licenses: Internal, Partner Use, DEMO, EVALUATION, or VPX. You need to allocate these licenses to the Host ID of the appliance.
• NetScaler Gateway Express license: used with the NetScaler VPX; allows up to five concurrent user connections.
• NetScaler Gateway Platform license (ICA license): allows unlimited user connections to published applications on XenApp or virtual desktops from XenDesktop.
• NetScaler Gateway Universal license (CCU license): allows VPN connections to the network from the NetScaler Gateway Plug-in, a SmartAccess logon point, or WorxHome, WorxWeb, or WorxMail.

Additional Resources:

NetScaler Data Sheet, platform and feature options: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-datasheet-full.pdf.

Feature information on Surge Protection, Surge Queue and Priority Queuing: https://www.citrix.com/blogs/2014/07/28/surge-protection-surge-queue-and-priority-queueing/.

GSLB basics: https://support.citrix.com/article/CTX123976.

Additional Resources:

NetScaler Data Sheet, platform and feature options: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-datasheet-full.pdf.

FIPS: either built-in FIPS support or integration with a Thales nShield external HSM: http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/support_for_thales.html.

Key Notes:

Additional acceleration features: HTTP compression and integrated caching.

Additional Resources:

NetScaler Data Sheet, platform and feature options: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-datasheet-full.pdf.

Additional Resources:

NetScaler Data Sheet, platform and feature options: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-datasheet-full.pdf.

Key Notes:

*HDX Insight is not supported in Standard Edition.

Admin Partitions allow a NetScaler to be subdivided into separate configuration and administrative boundaries. Each partition can be assigned its own networking via VLANs, and each partition maintains a separate running and saved configuration.

Insight Center can also analyze SD-WAN, under WAN Insight. Command Center can be used to send batch commands.

Additional Resources:

NetScaler Data Sheet, platform and feature options: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-datasheet-full.pdf.

Key Notes:

NetScaler reduces the total cost of ownership with caching, compression, SSL and TCP offloading.

In the Enterprise and Platinum editions, NetScaler can automatically direct requests for content to a cache farm. In addition, n-tier multilayer load balancing of cache servers is included in these editions.

NetScaler reduces server load, enabling fewer servers to do more.

Key Notes:

Citrix offers NetScaler MPX appliances that are FIPS (Federal Information Processing Standard) compliant and support more than 4.5 Gbps of SSL throughput.


Additional Resources:

For more information about FIPS-enabled NetScaler systems: http://support.citrix.com/article/CTX129543.

Key Notes:

Citrix TriScale technology revolutionizes enterprise cloud networks by providing unrivaled capabilities that smartly and affordably scale application and service delivery infrastructures without additional complexity.

Citrix NetScaler Burst Packs offer even more flexibility. A Burst Pack lets you convert an existing NetScaler MPX hardware or VPX virtual appliance deployment to the highest performance available for that platform, for enhanced capacity for up to 90 days. This allows you to provision only the performance you need for periods of limited peak traffic (such as the holiday shopping season in the United States), reducing capital and operational expenses, lengthy procurement cycles, and installation times for new appliances.

Additional Resources:

TriScale clustering tech note white paper: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-triscaleclustering-tech-note.pdf.

Key Notes:

Platform - This is a license for the physical appliance. This license helps to enable all necessary features of the appliance and 5 Secure Sockets Layer (SSL) Virtual Private Network (VPN) connections. By default, this license is allocated to hostname "ANY" in the My Account web site. This allocation cannot be changed.

Burst Packs: make networking more elastic.

NetScaler Gateway Universal: SmartAccess.

Other NetScaler licenses (you need to allocate these licenses to the Host ID of the appliance):
• Internal
• Partner Use
• Demo
• Evaluation
• VPX

Not all features are available with all editions of NetScaler, and some features can be enabled through option licenses. To benefit from the NetScaler features you want to use, you must have the correct license and edition of the product.

Key Notes:

NetScaler can be deployed in either of two physical modes: inline and one-arm.

Key Notes:

When deploying NetScaler as a new technology, consider it a new device in the environment and not a replacement for an existing load balancer. In this case, you will not need to consider any existing configurations.

Key Notes:

With displacement, a NetScaler system replaces another traffic manager and attempts to meet the configuration of the old device as well as any new or current needs of the environment not being met.

Key Notes:

NetScaler runs two kernels. FreeBSD boots the appliance and loads the NetScaler (NS) kernel, which runs as a process on top of BSD.

The NS kernel is responsible for the CPU, the SSL hardware, and the NIC hardware. Query the NS kernel for CPU and memory performance/usage data, SSL statistics, NIC traces, and all NetScaler performance and configuration data. BSD is responsible for the file system (reads and writes) and for the startup process.

Memory is shared between the two.

BSD provides the basic utilities you would expect on a BSD system, but some are not fully supported: top and tcpdump will not give the expected or complete results, because traffic handling and packet-engine CPU usage belong to the NS kernel rather than to BSD. All metric data that NetScaler generates is written to log files; the writes are done via BSD, but the data comes from the NS kernel. Configure NetScaler through the NS kernel (the CLI); browse the file system through the BSD shell. SNMP v3 processing is handled in the BSD kernel; SNMP v3 was introduced in NetScaler 8.0.

Key Notes:

NetScaler uses multiple CPU cores for packet handling. The NetScaler architecture includes the underlying NetScaler kernel and the cores, which are separate packet engines. The packet engines are designed to work independently; however, the cores communicate with each other using core-to-core messaging.

Each packet engine runs independently; flow distribution is handled via RSS, in hardware (MPX) or in software. Underlying processes must access information across cores.

The newnslog file contains a performance snapshot, taken every 7 seconds, of everything on the NetScaler. It is kept in binary form, so you need the nsconmsg utility to extract information from it.

Key Notes:

A few features, such as Application Firewall and NetScaler Gateway, require additional licenses.

Key Notes:

Once /var is full, users can no longer access the NetScaler GUI; to restore GUI access, clear old files out of /var.

Logs older than 30 days should be deleted from /var for optimum performance.

The /var file system is on the hard drive and is used mostly for logging. The configuration runs from the /flash file system. The NetScaler can actually keep running and handling traffic with a failed hard drive, since all critical components are on flash (this is not a recommended way to run it).
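The /var housekeeping described above, as an added example that is not Citrix code: report how full the file system is, list rotated log archives older than 30 days, and delete them only when explicitly asked. The default directory list is an assumption about where rotated copies and core files accumulate on the appliance; only compressed rotated files (*.gz) are candidates, so the live newnslog and ns.log are never touched. make_sample_tree() builds a constructed directory so the logic can be tried without an appliance.

```python
"""Clearing stale rotated logs from /var: dry run first, delete on request.
Added example, not Citrix code."""
import os
import shutil
import tempfile
import time

# Assumed NetScaler paths where rotated archives and core files accumulate.
DEFAULT_LOG_DIRS = ("/var/nslog", "/var/log", "/var/core", "/var/crash")


def fill_percent(path):
    """Percentage of the file system holding `path` that is in use."""
    usage = shutil.disk_usage(path)
    return 100.0 * usage.used / usage.total


def stale_archives(dirs, days=30, now=None):
    """Rotated archives (*.gz) under `dirs` last modified more than `days` ago.
    Live logs such as newnslog and ns.log are not .gz files, so they never match."""
    cutoff = (time.time() if now is None else now) - days * 86400
    found = []
    for top in dirs:
        if not os.path.isdir(top):               # missing on a non-NetScaler host
            continue
        for root, _, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if name.endswith(".gz") and os.stat(path).st_mtime < cutoff:
                    found.append(path)
    return sorted(found)


def prune(dirs=DEFAULT_LOG_DIRS, days=30, apply=False, now=None):
    """Report stale archives and the bytes they hold; delete them if apply=True.
    Returns (paths, total_bytes). The default is a dry run."""
    paths, total = stale_archives(dirs, days, now), 0
    for path in paths:
        total += os.stat(path).st_size
        if apply:
            os.remove(path)
    return paths, total


def make_sample_tree():
    """Constructed sample: a temp dir shaped like /var/nslog holding a live
    newnslog, a 60-day-old rotated archive, and a fresh one. Returns its path."""
    top = tempfile.mkdtemp(prefix="nslog-")
    for name, age_days in (("newnslog", 60), ("newnslog.1.gz", 60), ("newnslog.2.gz", 1)):
        path = os.path.join(top, name)
        with open(path, "wb") as f:
            f.write(b"x" * 1024)
        stamp = time.time() - age_days * 86400
        os.utime(path, (stamp, stamp))           # back-date the file
    return top


if __name__ == "__main__":
    print("/var is %.0f%% full" % fill_percent("/var" if os.path.isdir("/var") else "."))
    paths, size = prune()                        # dry run against the real paths
    print("%d stale archives holding %d bytes; call prune(apply=True) to delete"
          % (len(paths), size))
```

Run it once as a dry run, check the list, then call prune(apply=True). Keeping the live files out of scope matters: newnslog is the file nsconmsg reads, and removing it while the NS kernel is writing to it does not free the space anyway.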

Key Notes:

The running configuration is held in memory and is not written to ns.conf until it is saved. Students may be familiar with this concept from Cisco and other network devices.

Key Notes:

Each time you save the configuration, the NetScaler rolls this file, appending a number to the previous copies (by default up to 5 are kept).

If an unwanted configuration is encountered, rename one of the older copies back to "ns.conf" and restart the system to restore it.

Key Notes:

The /nsconfig directory points to /flash/nsconfig and stores the configuration files.

Key Notes:

From the configuration utility, select Diagnostics under System and use the "Saved v/s Running" tool.

CLI command to compare the saved and running configurations: diff ns config -outtype cli

Using the NetScaler tools, you can compare any two .conf files to view the differences.
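A minimal analogue of the saved-versus-running comparison, added here as an example (it is not a Citrix tool and does not reproduce diff ns config's output): it treats each ns.conf line as one command, identifies the object the command configures, and reports what exists only on one side or has changed. The two configurations are constructed samples in ns.conf syntax; the addresses, names and password hash are invented, and the list of "privileged" command prefixes is this example's own choice of what to review before saving.

```python
"""Saved-versus-running configuration comparison, as a small script.
Added example, not Citrix code; the two configs below are constructed samples."""
from itertools import takewhile

SAVED_NS_CONF = """\
#NS11.1 Build 47.14
set ns config -IPAddress 192.168.100.1 -netmask 255.255.0.0
enable ns feature LB CS SSL
add ns ip 10.0.0.5 255.255.255.0 -type SNIP
add service web1 10.0.0.10 HTTP 80 -maxReq 0
set ns httpParam -conMultiplex ENABLED
set ns ip 192.168.100.1 -gui ENABLED
add lb vserver lb_web HTTP 10.0.0.100 80
bind lb vserver lb_web web1
"""

RUNNING_NS_CONF = """\
#NS11.1 Build 47.14
set ns config -IPAddress 192.168.100.1 -netmask 255.255.0.0
enable ns feature LB CS SSL
add ns ip 10.0.0.5 255.255.255.0 -type SNIP
add service web1 10.0.0.10 HTTP 80 -maxReq 1
set ns httpParam -conMultiplex ENABLED
set ns ip 192.168.100.1 -gui SECUREONLY
add lb vserver lb_web HTTP 10.0.0.100 80
bind lb vserver lb_web web1
add system user tmpadmin 5f2c9e0b -encrypted
bind system user tmpadmin superuser 0
"""

# Commands whose unsaved presence an administrator should look at first:
# local accounts, their command policies, and management-access settings
# (this example's own list, not a NetScaler concept).
PRIVILEGED_PREFIXES = ("add system user", "set system user", "bind system user",
                       "add system group", "bind system group", "set ns ip")


def parse_config(text):
    """Map each configured object (the tokens before the first -option) to its
    full, whitespace-normalized command line. Comments and banners are skipped."""
    objects = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("#"):
            continue
        tokens = line.split(" ")
        key = " ".join(takewhile(lambda t: not t.startswith("-"), tokens))
        objects[key] = line
    return objects


def diff_configs(saved_text, running_text):
    """Commands only in the saved file, only in the running config, or changed."""
    saved, running = parse_config(saved_text), parse_config(running_text)
    return {
        "only_in_saved": sorted(saved[k] for k in saved.keys() - running.keys()),
        "only_in_running": sorted(running[k] for k in running.keys() - saved.keys()),
        "changed": sorted((saved[k], running[k]) for k in saved.keys() & running.keys()
                          if saved[k] != running[k]),
    }


def unsaved_privileged_changes(delta):
    """Running-config commands not yet in ns.conf that touch accounts or
    management access: they disappear on reboot if not saved, and persist if
    they are, so either way they deserve a look before 'save ns config'."""
    candidates = delta["only_in_running"] + [new for _, new in delta["changed"]]
    return sorted(c for c in candidates if c.startswith(PRIVILEGED_PREFIXES))


if __name__ == "__main__":
    delta = diff_configs(SAVED_NS_CONF, RUNNING_NS_CONF)
    for kind, items in delta.items():
        print(kind, *items, sep="\n  ")
    print("review before saving:", *unsaved_privileged_changes(delta), sep="\n  ")
```

Keying on the object rather than the whole line is what turns a changed option (the service's maxReq, the NSIP's GUI access mode) into a "changed" pair instead of an unrelated add and remove. A changed password hash moves the user to a new key, so it shows up as removed plus added, which for a drift review is the right signal anyway.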

Key Notes:

When using HA, it is advisable to manage the pair through a SNIP rather than the NSIP: the SNIP is shared by the pair and always reaches the current primary node, whereas each NSIP belongs to one node. Connect to the NetScaler over HTTPS instead of HTTP for enhanced security.

For the MPX, the default management IP (NSIP) is 192.168.100.1/16.

For the VPX, you must define the NSIP when you first start the VM.

Key Notes:

From the CLI, you can also set all the initial networking parameters using the “set ns config” command.


Additionally, you could use a menu-driven CLI utility such as the “config ns” utility that we will use in the labs.

Key Notes:

For command abbreviation, you can type any of:

save ns config
save config
save c

They all do the same thing.

Key Notes:

Use your labs this week to explore the console you are less familiar with.

Key Notes:

Starting with NetScaler 10.5, a Backup and Restore feature was added to simplify the process.

Key Notes:

The Open Systems Interconnection (OSI) model defines a networking framework for implementing protocols in seven layers. The OSI model is purely conceptual: it performs no function in the networking process itself, but gives us a framework for understanding the complex interactions that take place.

Physical (Layer 1)
Layer 1 conveys the bit stream (electrical impulse, light, or radio signal) through the network at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier, including the definition of cables, cards, and other physical aspects. Fast Ethernet, RS-232, and ATM are protocols with physical-layer components. Layer 1 examples include Ethernet, FDDI, B8ZS, V.35, V.24, RJ45.

Data Link (Layer 2)
At Layer 2, data packets are encoded and decoded into bits. It furnishes transmission protocol knowledge and management, and handles errors in the physical layer, flow control, and frame synchronization. The data link layer is divided into two sublayers: the Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. The MAC sublayer controls how a computer on the network gains access to the data and permission to transmit it. The LLC sublayer controls frame synchronization, flow control, and error checking. Layer 2 examples include PPP, FDDI, ATM, IEEE 802.5/802.2, IEEE 802.3/802.2, HDLC, Frame Relay.

Network (Layer 3)
Layer 3 provides switching and routing technologies, creating logical paths, known as virtual circuits, for transmitting data from node to node. Routing and forwarding are functions of this layer, as well as addressing, internetworking, error handling, congestion control, and packet sequencing. Layer 3 examples include AppleTalk DDP, IP, IPX.

Transport (Layer 4)
Layer 4 provides transparent transfer of data between end systems, or hosts, and is responsible for end-to-end error recovery and flow control. It ensures complete data transfer. Layer 4 examples include SPX, TCP, UDP.

Session (Layer 5)
This layer establishes, manages, and terminates connections between applications. The session layer sets up, coordinates, and terminates conversations, exchanges, and dialogues between the applications at each end. It deals with session and connection coordination. Layer 5 examples include NFS, NetBIOS names, RPC, SQL.

Presentation (Layer 6)
This layer provides independence from differences in data representation (e.g., encryption) by translating from application to network format, and vice versa. The presentation layer transforms data into the form that the application layer can accept. It formats and encrypts data to be sent across a network, providing freedom from compatibility problems. It is sometimes called the syntax layer. Layer 6 examples include encryption, ASCII, EBCDIC, TIFF, GIF, PICT, JPEG, MPEG, MIDI.

Application (Layer 7)
Layer 7 supports application and end-user processes. Communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. Everything at this layer is application-specific. This layer provides application services for file transfers, e-mail, and other network software services. Telnet and FTP are applications that exist entirely at the application level. Tiered application architectures are part of this layer. Layer 7 examples include WWW browsers, NFS, SNMP, Telnet, HTTP, FTP.

72 © 2017 Citrix Authorized Content

Key Notes:

The NetScaler is fundamentally a TCP proxy at layer 4 that, when TCP multiplexing is in use, reuses connections to the server.

This reuse is done by proxying, at layer 3, the IP address of the client that the server sees.

Key Notes:

As soon as we configure a SNIP or a MIP, a direct route is created that cannot be deleted. All NetScaler-owned IP addresses can be removed apart from the NSIP.

If a SNIP exists, you can remove the MIPs. The NetScaler uses the NSIP and SNIPs to communicate with the servers when the MIP is removed. Therefore, you must also enable Use SNIP (USNIP) mode. The rm ns ip command can be used to remove a NetScaler-owned IP address.

Additional Resources:

Product documentation link to Configuring NetScaler Owned IP Addresses: http://docs.citrix.com/en-us/netscaler/11/networking/ip-addressing/configuring-netscaler-owned-ip-addresses.html

Key Notes:

The initial NSIP of an MPX is 192.168.100.1/16; on a VPX, the NSIP is configured at the console.

Key Notes:

A VIP is not a virtual server.

A VIP address is the IP address associated with a virtual server.

It is the public IP address to which clients connect.

An appliance managing a wide range of traffic may have many VIPs configured.

Key Notes:

Subnet IP (SNIP) address: USNIP must be enabled (if you disable it, then you must have a MIP).

A SNIP address is used in connection management and server monitoring. You can specify multiple SNIP addresses for each subnet. SNIP addresses can be bound to a VLAN.

When a SNIP is added to a NetScaler system, a static route entry is automatically added to the NetScaler system routing table; this route identifies the SNIP address as the default gateway on the NetScaler system for the corresponding subnet.

SNIP addresses can provide the NetScaler system with network presence in different subnets. The NetScaler system can be managed through any of the SNIP addresses. SNIP addresses can also be used in place of MIP addresses for communication to servers local to the SNIP address by enabling the Use Subnet IP mode. When enabling VLAN support on the NetScaler system, particular IP addresses can be associated with specific VLANs. These VLAN IP addresses are another form of SNIP address.

With Use SNIP (USNIP) mode enabled, a SNIP is the source IP address of a packet sent from the NetScaler to the server, and the SNIP is the IP address that the server uses to access the NetScaler. This mode is enabled by default. When you add a SNIP, a route corresponding to the SNIP is added to the routing table. The NetScaler determines the next hop for a service from the routing table, and if the IP address of the hop is within the range of a SNIP, the NetScaler uses the SNIP to source traffic to the service. When multiple SNIPs cover the IP addresses of the next hops, the SNIPs are used in a round-robin manner.
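The selection rule just described, as an added example that is not code from the Citrix manual: a small Python model of a proxy choosing the source IP for a server-side connection from its routing table and SNIPs (round-robin when several SNIPs cover the next hop, the MIP when USNIP is off). The routes, SNIPs, MIP and server addresses are constructed sample values.

```python
import ipaddress
from itertools import cycle
from typing import Dict, Iterator, List, Optional, Tuple

# Routing table entry: (destination network, next-hop gateway, or None when the
# destination is directly connected).  Constructed sample data lives in demo().
Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address]]


class SnipSelector:
    """Picks the NetScaler-owned IP used to source traffic toward a server."""

    def __init__(self, snips: List[str], routes: List[Tuple[str, Optional[str]]],
                 mip: Optional[str] = None, usnip: bool = True) -> None:
        # SNIPs are kept with their prefix (e.g. "10.10.1.5/24") so their subnet is known
        self.snips = [ipaddress.ip_interface(s) for s in snips]
        self.routes: List[Route] = [
            (ipaddress.ip_network(dest), ipaddress.ip_address(gw) if gw else None)
            for dest, gw in routes
        ]
        self.mip = ipaddress.ip_address(mip) if mip else None
        self.usnip = usnip
        # one round-robin cursor per distinct set of candidate SNIPs
        self._rr: Dict[Tuple[str, ...], Iterator[ipaddress.IPv4Address]] = {}

    def next_hop(self, server_ip: str) -> ipaddress.IPv4Address:
        """Longest-prefix match; for a directly connected route the server itself is the hop."""
        dst = ipaddress.ip_address(server_ip)
        best: Optional[Route] = None
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is None:
            raise LookupError(f"no route to {server_ip}")
        return best[1] if best[1] is not None else dst

    def source_ip(self, server_ip: str) -> ipaddress.IPv4Address:
        """Source address the proxy uses for a new server-side connection."""
        hop = self.next_hop(server_ip)
        if not self.usnip:
            # USNIP disabled: the MIP is the only option, so it must exist
            if self.mip is None:
                raise RuntimeError("USNIP is disabled and no MIP is configured")
            return self.mip
        candidates = [s.ip for s in self.snips if hop in s.network]
        if not candidates:
            raise RuntimeError(f"no SNIP covers next hop {hop}; the server is unreachable")
        key = tuple(str(c) for c in candidates)
        if key not in self._rr:
            self._rr[key] = cycle(candidates)
        return next(self._rr[key])   # round-robin across the covering SNIPs


def demo() -> List[str]:
    """Constructed topology: two SNIPs on 10.10.1.0/24, one on 192.168.50.0/24,
    a static route for 172.16.0.0/16 via 10.10.1.1 and a default route via 192.168.50.1."""
    sel = SnipSelector(
        snips=["10.10.1.5/24", "10.10.1.6/24", "192.168.50.10/24"],
        routes=[("10.10.1.0/24", None), ("192.168.50.0/24", None),
                ("172.16.0.0/16", "10.10.1.1"), ("0.0.0.0/0", "192.168.50.1")],
        mip="10.10.1.100",
    )
    servers = ["10.10.1.20", "10.10.1.21", "172.16.9.9", "8.8.8.8"]
    return [str(sel.source_ip(s)) for s in servers]


if __name__ == "__main__":
    for server, src in zip(["10.10.1.20", "10.10.1.21", "172.16.9.9", "8.8.8.8"], demo()):
        print(f"{server:>14} sourced from {src}")
```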

Key Notes:

If the mapped IP address is the first in the subnet, the NetScaler appliance adds a route entry with this IP address as the gateway to reach the subnet.

As of NetScaler 9.3, creating a MIP is not mandatory. MIPs are no longer necessary on the NetScaler and remain only as legacy functionality.

Key Notes:

When USNIP mode is enabled, the SNIP address functions as a proxy IP and is used by the NetScaler system for NetScaler-system-to-server communication.

Key Notes:

Monitoring probes are still sent with a MIP or SNIP address as the source IP address.

The appliance reuse pool for connections is still maintained for each server, but the reuse pool itself is fragmented by the client IP address.

An idle client connection stays until a background timer, the zombie timeout process, decides to close the connection.

Key Notes:

An IP Set is a set of IP addresses that are configured on the appliance as SNIPs. An IP Set has a meaningful name that helps identify the use of the IP addresses it contains. Note that the example here is “IP_SET_BACKEND”.

An IP Set can be bound to a net profile.

A net profile can be bound to load balancing or content switching virtual servers, services, service groups, or monitors. A net profile has NetScaler owned IP addresses (SNIPs and VIPs) that can be used as the source IP address. It can be a single IP address or a set of IP addresses, referred to as an IP Set.

Key Notes:

Normally the NetScaler would be cabled into a switch; the two-arm diagram is symbolic. A separate management interface does not count as an arm; only traffic VLANs count.

Arms do not refer to interfaces but to the VLANs to which the NetScaler is connected, so one interface with tagged VLANs would be “two-arm.”

Key Notes:

One-arm topology uses a single subnet.

One-arm mode features less service disruption.

One-arm mode may or may not have a separate management interface.

One-arm mode supports link aggregation to satisfy bandwidth requirements.

Key Notes:

In a two-arm topology, the NetScaler is connected to both the client network and the server network, ensuring that all traffic flows through the NetScaler system. The basic variations of a two-arm topology are multiple subnets, typically with the NetScaler system on a public subnet and the servers on a private subnet, and transparent mode, with both the NetScaler system and the servers on the public network.

Often, characteristics of the network determine whether you will deploy in one-arm or two-arm mode. We recommend two-arm mode if the requirements are met.

MPX/SDX

Two-arm mode is more complex, and inserting it is likely to cause service disruption.

You may or may not have a separate management interface in two-arm mode.

Two-arm mode supports transparent compression and SSL offload.

Two-arm mode is commonly called “inline mode.” The client connects to the VIP and the NetScaler terminates the connection.

Key Notes:

A user initiates a request to a VIP representing the private servers.

Key Notes:

After performing the configured NetScaler processing, the NetScaler forwards the request to the backend server.

Key Notes:

The server responds to the NetScaler (SNIP).

Key Notes:

The NetScaler then forwards the response to the client.

Key Notes:

Because a NetScaler appliance functions as a TCP proxy, it translates IP addresses before sending packets to a server. When you configure a virtual server, clients connect to a VIP address on the NetScaler instead of directly connecting to a server. As determined by the settings on the virtual server, the appliance selects an appropriate server and sends the client's request to that server. By default, the appliance uses a SNIP address to establish connections with the server.

In this diagram, the first view describes the behavior of a NetScaler system configured with a virtual server. The client IP address (CIP) connects to the VIP address on the NetScaler system. The NetScaler system, in turn, uses either its mapped IP address or an appropriate subnet IP address (if one exists on the server’s subnet and the USNIP option is set) to contact the server at its IP address (SIP).

The NetScaler system is fundamentally a TCP (layer-4) proxy that separates the client connections from the server connections and manages separate connection tables for client and server connections. As a TCP proxy device, the NetScaler system responds to client connections that are targeted at servers residing behind it, hiding the network topography. The NetScaler system is not a UDP proxy.

Key Notes:

The NetScaler does not act like many other networking devices in that IP addresses are not directly associated with interfaces. The IPs are “owned” by the NetScaler and can be used on any available interface (more like switch behavior).

NetScaler interfaces are like switch ports and not host interfaces.

If you need to associate an IP address with an interface, this is done through VLAN configuration.

Key Notes:

Make sure one interface is associated with one VLAN to avoid MAC moves.

Key Notes:

In some environments, the speed of a single interface is not adequate for the amount of traffic that needs to be managed by the NetScaler system. To address this, multiple interfaces on the NetScaler system can be combined into a single, logical, high-bandwidth 802.3ad interface. The resulting aggregated interface will be treated, for configuration, as a single interface. The aggregate interface link speed will be the sum of the speed of the bound physical interfaces. The switch connected to the aggregate interfaces on the NetScaler system must also support 802.3ad.

The add channel command will create the virtual interface. Physical interfaces can be added to the channel as part of the add command, or through the use of the bind channel command after the interface is created. Two to four physical interfaces can be bound to a single link aggregation channel. If these interfaces are of differing speeds, they will all function at the lowest common speed when aggregated.

You can use the following command syntax to configure LACP:

• add channel
• bind channel
• Argument variables include:
  • lanum = LA/1 or LA/2
  • ifnum = typical interface specifications include 1/1, 1/2, 2/1, or 2/2

You can type the following command in the CLI to set the configuration of the specified link aggregate channel:

• set channel –speed AUTO

Additional Resources:

How to set up Link Aggregation Channel and VLAN Trunking on NetScaler: http://support.citrix.com/article/CTX117113

How to Configure a NetScaler Appliance Using Link Aggregation to Connect Pairs of Interfaces to the Cisco Switches: http://support.citrix.com/article/CTX109843

Key Notes:

Link Redundancy (LR) offers the ability of a hot standby link (or channel). During normal operation, one link/channel is operational and handles all the traffic. A second link/channel is designated as the standby. When the primary link/channel goes down or is administratively shut down, the standby link/channel becomes live and starts handling the traffic.

As part of the LR feature, we have introduced a parameter called LR Min Threshold. This parameter ensures that when a channel’s available bandwidth drops below the configured minimum threshold limit, the channel is administratively shut down. With LR, the standby channel takes over from the primary channel once the minimum threshold is reached. For example, assume that each channel from the NetScaler to the remote switch has two 1-gig links. The minimum threshold is configured to be 1.5 Gbps. When one link on the primary channel goes down, the channel’s available bandwidth is only 1-gig, which falls below the threshold value. Now this complete channel is administratively shut down and the standby channel takes over.

Key Notes:

To bind multiple VLANs to the same interface, the VLANs must be tagged, either with the VLAN-to-interface binding or by using the -tagall or –trunk ON interface option.

High Availability heartbeats are always untagged and on the native VLAN, unless the NSVLAN is configured using the set ns config -nsvlan command or the interface is configured with the trunk ON option.

Key Notes:

All interfaces are in VLAN 1 by default, and we need to make sure that interfaces are assigned to the proper VLAN to avoid MAC move issues.

Additional Resources:

Product documentation, Understanding VLANs: http://docs.citrix.com/en-us/netscaler/11/networking/interfaces/understanding-vlans.html

Key Notes:

An interface can be part of any number of tagged VLANs.

When an interface is bound to a VLAN natively, its native VLAN changes from the current one to the new one.

When an interface is bound to a particular VLAN as a tagged member, it is just added to the new VLAN as a tagged member.

Key Notes:

We recommend not changing the NSVLAN unless there is a compelling reason to do so.

Additional Resources:

FAQ: The “trunk” or “tagall” Option of NetScaler: http://support.citrix.com/article/CTX115575

Key Notes:

Because simple routing is not the primary role of a NetScaler, the main objective of running dynamic routing protocols is to enable route health injection (RHI), so that an upstream router can choose the best among multiple routes to a topographically distributed virtual server. RHI is very useful, and NetScaler does it well.

The NetScaler supports the following dynamic routing protocols:

• Routing Information Protocol (RIP) version 2
• Open Shortest Path First (OSPF) version 2
• Border Gateway Protocol (BGP)
• Routing Information Protocol next generation (RIPng) for IPv6
• Open Shortest Path First (OSPF) version 3 for IPv6
• ISIS Protocol

Dynamic routing information is stored in ZebOS.conf.

Key Notes:

The default route should point to an Internet gateway and internal, often summarized, routes point inward.

Key Notes:

If a manually created (static) route goes down, a backup route is not automatically activated. You must manually delete the inactive primary static route. However, if you configure the static route as a monitored route, the NetScaler appliance can automatically activate a backup route.

Static route monitoring can also be based on the accessibility of the subnet. A subnet is usually connected to a single interface, but it can be logically accessed through other interfaces. Subnets bound to a VLAN are accessible only if the VLAN is up. VLANs are logical interfaces through which packets are transmitted and received by the NetScaler. A static route is marked as DOWN if the next hop resides on a subnet that is unreachable.

Note: In a high-availability (HA) setup, the default value for monitored state routes (MSRs) on the secondary node is UP. The value is set to avoid a state transition gap upon failover, which could result in dropping packets on those routes.

Weighted Static Routes: When the NetScaler appliance makes routing decisions involving routes with equal distance and cost, that is, Equal Cost Multi-Path (ECMP) routes, it balances the load between them by using a hashing mechanism based on the source and destination IP addresses. For an ECMP route, however, you can configure a weight value. The NetScaler then uses both the weight and the hashed value for balancing the load.

Key Notes:

Some deployment topologies may require the incoming and outgoing paths to flow through different routers. MAC-based forwarding would break this topology design.

Key Notes:

A network interface can be shared with other traffic domains.

Additional Resources:

Supported features for traffic domains: http://docs.citrix.com/en-us/netscaler/11/networking/traffic-domains.html#par_richtext_3

Key Notes:

MAC-Based Forwarding improves the performance of a NetScaler appliance by avoiding multiple address resolution protocol (ARP) or route table lookups when forwarding packets. This mode helps in supporting multiple routers with the ability to return the responses to the router that forwarded the original set of network packets to the appliance.

MBF alters the way the NetScaler appliance routes the server replies back to clients. MBF caches the MAC address of the uplink router that forwarded the client request to the appliance. When a reply is received, it is passed through to the same router that sent the client request without going through any route lookup. If MBF is disabled, then the return path is determined by a route lookup, or is sent to the default route if no specific route exists.

Key Notes:

MBF is primarily an optimization feature. You can always enable it in one-arm mode to improve performance because NetScaler does not look at the route table to reply. Try to avoid MBF in two-arm mode because you lose some control (the NetScaler will not honor the route table for replies). If an issue arises with asymmetrical routing, try PBR first before resorting to MBF.

MBF is an optimizing technique.

• MBF is useful for VPN connections.
• MBF routes on Layer 2.
• Don’t use MBF to “fix” routing issues.
• MBF breaks firewall clustering.
• MBF breaks link load balancing.
• Connections to NIC teaming servers (without LACP).
• Policy-Based Routing (PBR) is often a good alternative to MBF.
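The difference between a route lookup and the cached return path, as an added Python example that is not the manual's code: with MBF off the reply's next hop comes from the routing table, with MBF on it goes back to the router that delivered the request, which is also why a design that needs the outbound path on a different router breaks. Router IPs, MACs and the client flow are constructed sample values.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed routing table: (destination network, next-hop router IP).
ROUTES = [
    ("0.0.0.0/0", "192.0.2.1"),         # default route via router R1
    ("198.51.100.0/24", "192.0.2.2"),   # client subnet reachable via router R2
]
# Constructed ARP cache: router IP -> MAC.
ARP: Dict[str, str] = {
    "192.0.2.1": "aa:aa:aa:00:00:01",
    "192.0.2.2": "aa:aa:aa:00:00:02",
    "192.0.2.3": "aa:aa:aa:00:00:03",   # R3: delivers traffic but is not a next hop in ROUTES
}


def route_lookup(dst_ip: str) -> str:
    """Longest-prefix match over ROUTES; returns the next-hop router IP."""
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[int, str]] = None
    for net_s, hop in ROUTES:
        net = ipaddress.ip_network(net_s)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    if best is None:
        raise LookupError(f"no route to {dst_ip}")
    return best[1]


class Forwarder:
    """Decides which router MAC a server reply is sent to."""

    def __init__(self, mbf: bool) -> None:
        self.mbf = mbf
        # MBF cache: (client IP, client port) -> MAC of the router that delivered the request
        self.mac_cache: Dict[Tuple[str, int], str] = {}

    def on_client_request(self, client_ip: str, client_port: int, ingress_router_mac: str) -> None:
        if self.mbf:
            self.mac_cache[(client_ip, client_port)] = ingress_router_mac

    def reply_next_hop_mac(self, client_ip: str, client_port: int) -> str:
        if self.mbf:
            cached = self.mac_cache.get((client_ip, client_port))
            if cached is not None:
                return cached                 # MBF: reply to the caching router, no route lookup
        return ARP[route_lookup(client_ip)]   # L3 mode (or cache miss): the route table decides


def demo() -> Dict[str, str]:
    """A request from 198.51.100.7 arrives via R3 while the route table says
    198.51.100.0/24 is reached via R2.  Compare where the reply goes."""
    results: Dict[str, str] = {}
    for mode, mbf in (("mbf_off", False), ("mbf_on", True)):
        fw = Forwarder(mbf=mbf)
        fw.on_client_request("198.51.100.7", 40001, ARP["192.0.2.3"])
        results[mode] = fw.reply_next_hop_mac("198.51.100.7", 40001)
    return results


if __name__ == "__main__":
    for mode, mac in demo().items():
        print(f"{mode}: reply sent to {mac}")
```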

Key Notes:

An appliance can use the following modes to forward the packets it receives:

• Layer 2 (L2) Mode.
• Layer 3 (L3) Mode.
• MAC-Based Forwarding Mode.

Additional Resources:

Traffic flow diagram and the scenarios: https://docs.citrix.com/en-us/netscaler/11/getting-started-with-vpx/configure-system-management-settings/configure-packet-forwarding-modes.html

Key Notes:

Used mostly in some LB deployments.

Part of the NetScaler system suite of performance enhancements revolves around maintaining one connection to the client and multiplexing another to the server. This requires the NetScaler system to translate the client’s IP address to either a MIP address or a SNIP address. This behavior will not be desired in some situations. In these cases, you can enable Use Source IP mode. The result is that the client’s actual IP address is used to connect to the back-end server.

You should consider a number of performance considerations before activating this feature:

• Multiplexing can only be used for connections originating from the same client IP address. This means that significantly more sessions will be established between the NetScaler system and the server. This is inefficient for the NetScaler system, and requires more overhead for the server.
• Surge protection is also unable to function in this environment.
• USIP requires routing in the environment to direct all of the server response traffic bound for the client IP address through the NetScaler system.

Notes From The Architect:

• USIP can be enabled globally or at the virtual server level.
• For HTTP protocols, this feature must be used with surge protection OFF. For non-HTTP protocols, such as service type TCP, FTP, and others, this restriction is not applicable.

Key Notes:

Question: Why do we have Layer 3 mode and why is it enabled by default?

• To answer this, let’s consider situations in which you may want to change this traffic behavior.

In these situations, you should use USIP. However, since this mode limits other functionality on the NetScaler, it should only be used when absolutely required. If you only want to pass the client IP address to the application for web logging purposes, and the application is HTTP-based, you should NOT use USIP mode. Instead, you should use Client IP header insertion, which is discussed next.

Key Notes:

Client-IP header insertion is the preferred method of passing the client IP address to backend servers and applications. This allows the backend to see the Client IP address while maintaining the full proxy functionality of the NetScaler (MUX, surge protection).
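The trade-off between USIP and Client-IP header insertion, as an added Python model that is not the manual's code (it also covers the per-client fragmentation of the reuse pool noted on page 82): concurrent requests draw server connections from a reuse pool keyed by server under USNIP but by server and client IP under USIP, while header insertion keeps the pool shared and still hands the backend the client IP. The SNIP, client addresses, server name and header name are constructed assumptions (NetScaler lets you choose the header name).

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SNIP = "10.10.1.5"                # constructed NetScaler-owned subnet IP
CLIENT_IP_HEADER = "X-Client-IP"  # assumed header name for client-IP insertion


@dataclass
class ServerConn:
    src_ip: str       # address the backend sees as the TCP peer
    server: str
    idle: bool = False
    requests: int = 0


@dataclass
class ProxyModel:
    usip: bool = False               # Use Source IP mode
    insert_client_ip: bool = False   # Client-IP header insertion
    conns: List[ServerConn] = field(default_factory=list)
    # reuse pool keyed by (server, client IP) under USIP, by (server, "*") otherwise
    pool: Dict[Tuple[str, str], List[ServerConn]] = field(default_factory=lambda: defaultdict(list))

    def _acquire(self, server: str, client_ip: str) -> ServerConn:
        key = (server, client_ip if self.usip else "*")
        for conn in self.pool[key]:
            if conn.idle:
                conn.idle = False
                return conn            # multiplexing: reuse an idle server connection
        conn = ServerConn(src_ip=client_ip if self.usip else SNIP, server=server)
        self.conns.append(conn)
        self.pool[key].append(conn)
        return conn

    def serve_batch(self, requests: List[Tuple[str, str]]) -> List[str]:
        """Requests in one batch are concurrent, so each holds a server connection
        until the batch completes.  Returns the peer IP the backend saw per request."""
        active: List[ServerConn] = []
        seen: List[str] = []
        for client_ip, server in requests:
            conn = self._acquire(server, client_ip)
            conn.requests += 1
            active.append(conn)
            seen.append(conn.src_ip)
        for conn in active:
            conn.idle = True   # response delivered; connection returns to the pool
        return seen

    def forward_one(self, client_ip: str, server: str, headers: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
        """One request; returns (peer IP, headers) as observed by the backend."""
        conn = self._acquire(server, client_ip)
        out = dict(headers)
        if self.insert_client_ip:
            # the proxy sets the header itself, replacing any copy the client sent,
            # so the backend reads the client IP from it instead of the TCP peer
            out[CLIENT_IP_HEADER] = client_ip
        conn.requests += 1
        conn.idle = True
        return conn.src_ip, out


def compare_connection_counts() -> Dict[str, int]:
    """Two constructed bursts: clients .10 and .11 send two requests each, then a
    new client .12 sends two.  Count the server-side connections each mode opened."""
    batch1 = [("198.51.100.10", "web1"), ("198.51.100.10", "web1"),
              ("198.51.100.11", "web1"), ("198.51.100.11", "web1")]
    batch2 = [("198.51.100.12", "web1"), ("198.51.100.12", "web1")]
    counts: Dict[str, int] = {}
    for mode, usip in (("usnip_mux", False), ("usip", True)):
        proxy = ProxyModel(usip=usip)
        proxy.serve_batch(batch1)
        proxy.serve_batch(batch2)   # idle connections from batch1 are reusable only under USNIP
        counts[mode] = len(proxy.conns)
    return counts


def what_backend_sees() -> Tuple[Tuple[str, Dict[str, str]], Tuple[str, Dict[str, str]]]:
    headers = {"Host": "app.example"}   # constructed request
    usip_view = ProxyModel(usip=True).forward_one("198.51.100.10", "web1", headers)
    header_view = ProxyModel(insert_client_ip=True).forward_one("198.51.100.10", "web1", headers)
    return usip_view, header_view


if __name__ == "__main__":
    print(compare_connection_counts())
    for view in what_backend_sees():
        print(view)
```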

Notes From The Architect:

The appliance does not support spanning tree protocol. To avoid loops, if you enable L2 mode, do not connect two interfaces on the appliance to the same broadcast domain.

to enable the L2 Mode.

Key Notes:

By default, the NetScaler system functions as a Layer 3 network device. It can be configured to function as a Layer 2 device as well. When running in Layer 2 mode, it will forward data it receives that is not addressed to its MAC address. This behavior is traditionally associated with a switch. The exceptions to this forwarding behavior are for the following traffic types:

• Broadcasts that are received on an interface associated with a VLAN will not be forwarded to non-VLAN fixed interfaces.

• ICMP and UDP traffic that exceeds the value set for Packet Rate filters will be dropped, according to the design.

• As this mode reduces the ability of the NetScaler system to control the traffic crossing it, security is reduced. Layer 2 functionality is only required in very specific situations and should only be used when needed.

Key Notes:

The NetScaler system can either route or bridge packets that are not destined for an IP address owned by the NetScaler - that is, the IP address is not the NSIP, a MIP, a SNIP, a configured service, or a configured virtual server.

By default, L3 mode (routing) is enabled and L2 mode (bridging) is disabled.

Key Notes:

PMTUD is only supported by TCP and UDP. Other protocols do not support it.

PMTUD is done continually on all packets because the path between sender and receiver can change dynamically.

PMTUD is needed in network situations where intermediate links have smaller MTUs than the MTU of the end links.

Key Notes:

The NetScaler compares the information in the data packet with the conditions specified in the ACL and allows or denies access. The NetScaler supports the following processing modes:

ALLOW—Process the packet.

DENY—Drop the packet.

BRIDGE—Bridge the packet to the destination without processing it. The packet is sent directly by Layer 2 and Layer 3 forwarding.

Key Notes:

Simple ACLs should be used in situations in which you immediately need to enforce the rule only for a short period of time - for example, to mitigate a DoS attack.

For all other situations, you should use extended ACLs.

Key Notes:

You can use the following commands to configure access control list entries in the command-line interface.

To add an access control list:

add ns acl

To display access control lists:

show ns acl [aclName]

To remove an access control list:

remove ns acl
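The three processing modes and the simple-versus-extended distinction from the preceding pages, as an added Python evaluator that is not the manual's code: extended ACLs match on source/destination network, protocol and destination port, the lowest priority number wins, and a packet that no ACL matches is processed (ALLOW). Simple ACLs are modelled as source-IP DENY rules with an expiry that are checked before the extended ACLs, which is this example's assumption about their behaviour; the rules, the NSIP 10.10.1.2 and the packets are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "TCP", "UDP" or "ICMP"
    dport: Optional[int] = None


@dataclass
class ExtendedAcl:
    name: str
    action: str                # ALLOW (process), DENY (drop) or BRIDGE (L2/L3 forward untouched)
    priority: int              # lower number is evaluated first
    src_net: Optional[str] = None   # None matches any
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


@dataclass
class SimpleAcl:
    """Quick DENY keyed on source IP, optionally expiring (assumed TTL semantics)."""
    name: str
    src_ip: str
    expires_at: Optional[float] = None   # seconds since boot; None = permanent

    def active(self, now: float) -> bool:
        return self.expires_at is None or now < self.expires_at


Decision = Tuple[str, Optional[str]]   # (action, name of the rule that decided, or None)


class AclEngine:
    def __init__(self, simple: Iterable[SimpleAcl], extended: Iterable[ExtendedAcl]) -> None:
        self.simple: List[SimpleAcl] = list(simple)
        self.extended: List[ExtendedAcl] = sorted(extended, key=lambda a: a.priority)

    def decide(self, p: Packet, now: float = 0.0) -> Decision:
        for s in self.simple:                       # simple ACLs first (assumption)
            if s.active(now) and s.src_ip == p.src:
                return ("DENY", s.name)
        for a in self.extended:                     # first match in priority order wins
            if a.matches(p):
                return (a.action, a.name)
        return ("ALLOW", None)                      # no ACL matched: process the packet


def demo() -> Dict[str, Decision]:
    """Constructed rule set: SSH to the NSIP 10.10.1.2 only from 10.0.0.0/8, a
    short-lived block on one flooding source (600 seconds), and a bridged
    management VLAN 192.168.99.0/24."""
    simple = [SimpleAcl("block_flooder", "203.0.113.9", expires_at=600.0)]
    extended = [
        ExtendedAcl("mgmt_ssh", "ALLOW", 10, src_net="10.0.0.0/8", dst_net="10.10.1.2/32", proto="TCP", dport=22),
        ExtendedAcl("no_ssh", "DENY", 20, dst_net="10.10.1.2/32", proto="TCP", dport=22),
        ExtendedAcl("bridge_mgmt_vlan", "BRIDGE", 30, src_net="192.168.99.0/24", dst_net="192.168.99.0/24"),
    ]
    eng = AclEngine(simple, extended)
    return {
        "admin_ssh": eng.decide(Packet("10.2.3.4", "10.10.1.2", "TCP", 22)),
        "outside_ssh": eng.decide(Packet("203.0.113.5", "10.10.1.2", "TCP", 22)),
        "flooder_early": eng.decide(Packet("203.0.113.9", "10.10.1.50", "UDP", 53), now=10.0),
        "flooder_late": eng.decide(Packet("203.0.113.9", "10.10.1.50", "UDP", 53), now=900.0),
        "bridged": eng.decide(Packet("192.168.99.10", "192.168.99.20", "ICMP")),
    }


if __name__ == "__main__":
    for case, (action, rule) in demo().items():
        print(f"{case:>14}: {action} by {rule or 'default'}")
```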

Key Notes:

Applied access control lists are saved to the configuration, and the active status determines whether traffic is compared against the access control list. However, if an access control list is part of the running configuration, it will be saved, regardless of applied status.

Key Notes:

To create an INAT entry by using the command line interface:

• add inat [-tcpproxy ( ENABLED | DISABLED )] [-ftp ( ENABLED | DISABLED )] [-usip ( ON | OFF )] [-usnip ( ON | OFF )] [-proxyIP ]

Key Notes:

An administrator can type the following command in the CLI to enable Reverse NAT (RNAT) for any downstream subnet:

set rnat

The NetScaler system will hide the IP address of all packets originating in that network.

Reverse NAT allows server-side addresses to be translated to the MIP address or NSIP address of the NetScaler system when they send data through the system. This behavior applies to connections that are initiated from the internal servers, as opposed to client connections passed through the NetScaler system.

RNAT does not alter the data portion of the communication in any way. As a result, if the application passes the host IP address as part of the data, that IP address will not be the same as the address post-RNAT. This incongruity will most likely cause that application to fail. For example, using the file transfer option in MSN Messenger would not be possible through an RNAT session. The exception to this rule is FTP. Citrix has put in place specific extended functionality to support FTP through an RNAT session.

An administrator can use a virtual IP address as the IP address for RNAT. This does not work with a wildcard virtual IP address. RNAT can be configured to use a virtual IP address for address translation. RNAT is configured using the “set ns rnat -natip ” command. The address provided as the value to –natip can be a MIP address, SNIP address or virtual IP address. A wildcard virtual IP address is not a valid selection for the –natip parameter.

In an RNAT configuration the NetScaler replaces the source IP addresses of packets generated by the backend servers with a NAT IP address that is a public IP address.

The default NAT IP address is a MIP address. The NetScaler system can be configured to use other NetScaler-owned IP addresses.

Additional Resources:

For more information about FIPS-enabled NetScaler systems, see Citrix article CTX129543 at http://support.citrix.com/article/CTX129543.

Key Notes:

Managing web applications with gigabits of traffic:

• Most of the world's largest and highest traffic volume web sites are powered by NetScaler MPX. Emerging cloud computing architectures use the solution to exploit Citrix's massive throughput, fast SSL processing, and high-scale data compression while gaining the computing power to run all NetScaler features concurrently.

Load balancing for small enterprises:

• The same nCore architecture and NetScaler feature set relied on by massive web sites is also available for small to mid-size organizations with MPX models handling up to 1 Gbps of overall performance. Additional mid-range models enable organizations to scale using Pay-As-You-Grow licensing from 2 Gbps to 6 Gbps to support growth in online traffic.

Ultra high-performance web application security:

• The nCore-powered, ICSA-certified NetScaler AppFirewall, the industry's fastest, detects application-layer attacks at throughput rates in excess of 12 Gbps. Running on the MPX platform, the NetScaler AppFirewall inspects all bi-directional traffic and takes advantage of a hybrid security model (positive and negative) to protect applications from all types of threats, including cross-site scripting and SQL injection.

Flex tenancy:

• Flex tenancy architectures manage application delivery using a two-tier approach: a flex tier at the network edge provides services common to all applications running in the datacenter, complemented by a tenant tier providing application-specific application delivery policies implemented in proximity to the application server. The performance and scalability of NetScaler MPX is ideally suited to support the "flex" tier, providing a multitude of services for all applications, including global server load balancing, SSL termination and distributed denial of service (DoS) protection.

Key Notes:

If the NetScaler appliance does not respond and you want to force a core dump and restart the appliance, you can use the NMI button. The core files help the Citrix Technical Support team investigate why the NetScaler appliance stopped responding.


The process of dumping a core and restarting the appliance can take between 10 and 45 minutes, depending on the RAM of the appliance.

Key Notes:

The LOM port can be used to remotely monitor and manage the appliance.


By connecting the LOM port to a dedicated channel that is separate from the data channel, you can make sure that connectivity to the appliance is maintained even if the data network is down. You thereby eliminate the data cable and data network as a single point of failure.


You can use either the GUI or a shell for the following tasks:
• Configuring the network settings.
• Power control operations.
• Factory reset.
• Health monitoring.

Key Notes:

The LCD displays real-time statistics, diagnostic information, and active alerts. There are nine types of display screens on the LCD display.


They show configuration information, alerts, HTTP information, network traffic information, CPU load information, and port information for your appliance.

Key Notes:

LED indicators:
• OFF: No power.
• Green: Appliance is receiving power.
• Red: Power supply has detected an error.

Key Notes:

You are prompted to enter the subnet mask, NetScaler IP address (NSIP), and gateway, in that order. The subnet mask is associated with both the NSIP and the default gateway IP address. The NSIP is the IPv4 address of the NetScaler appliance. The default gateway is the IPv4 address of the router that handles external IP traffic that the NetScaler cannot otherwise route. The NSIP and the default gateway should be on the same subnet.
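As an added example (not part of the Citrix course material), the following Python function checks a proposed NSIP, subnet mask and default gateway against the rules above before they are typed into the initial setup prompt. The sample addresses are constructed.

```python
import ipaddress


def validate_initial_config(nsip: str, subnet_mask: str, gateway: str) -> list:
    """Check a proposed NSIP / subnet mask / default gateway triple.

    Returns a list of problems; an empty list means the triple satisfies the
    rules in the notes above: all values are IPv4, the mask is a real netmask,
    NSIP and gateway are distinct host addresses, and both sit in the same subnet.
    """
    problems = []
    try:
        ns = ipaddress.IPv4Address(nsip)
        gw = ipaddress.IPv4Address(gateway)
    except ipaddress.AddressValueError as exc:
        return [f"invalid IPv4 address: {exc}"]
    try:
        # strict=False lets us pass a host address and get its subnet back
        net = ipaddress.IPv4Network(f"{nsip}/{subnet_mask}", strict=False)
    except ValueError as exc:  # NetmaskValueError is a ValueError subclass
        return [f"invalid subnet mask: {exc}"]
    if net.prefixlen >= 31:
        # /31 and /32 leave no ordinary host addresses for an NSIP plus a gateway
        problems.append(f"mask {subnet_mask} leaves no usable host addresses for a gateway")
        return problems
    if ns == gw:
        problems.append("NSIP and default gateway must be different addresses")
    for label, addr in (("NSIP", ns), ("gateway", gw)):
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is not on the NSIP subnet {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a valid triple and one where the gateway is off-subnet
    print(validate_initial_config("192.168.10.5", "255.255.255.0", "192.168.10.1"))
    print(validate_initial_config("192.168.10.5", "255.255.255.0", "192.168.20.1"))
```

The check is deliberately conservative: it rejects a gateway outside the NSIP subnet, a gateway equal to the NSIP, and either address landing on the network or broadcast address, since any of these leaves the appliance unable to reach the router after the restart.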

Key Notes:

The NetScaler virtual appliance product is a virtual NetScaler appliance that can be hosted on Citrix XenServer®, VMware ESX or ESXi, Linux-KVM, and Microsoft Hyper-V virtualization platforms, and on the following cloud platforms:
• Softlayer
• AWS
• Rackspace
• Azure

Key Notes:

A NetScaler virtual appliance supports all the features of a physical NetScaler, except virtual MAC (vMAC) addresses, Layer 2 (L2) mode, and link aggregation control protocol (LACP). VLAN tagging is supported on the NetScaler virtual appliances hosted on the XenServer and on VMware ESX platforms.


For the VLAN tagging feature to work, do one of the following:
• On the Citrix XenServer, configure tagged VLANs on a port on the switch but do not configure any VLANs on the XenServer interface attached to that port. The VLAN tags are passed through to the virtual appliance and you can use the tagged VLAN configuration on the virtual appliance.
• On the VMware ESX, set the port group's VLAN ID to 4095 on the vSwitch of the VMware ESX server.

Additional Resources:

For more information about setting a VLAN ID on the vSwitch of VMware ESX server, see http://www.vmware.com/pdf/esx3_vlan_wp.pdf.

Key Notes:

Architecting private or public cloud infrastructures:


• The adoption of cloud computing creates significant networking challenges, including the need to provide self-service capabilities and deliver elastic provisioning of application delivery services. As a software-based virtual appliance, NetScaler VPX enables rapid on-demand provisioning in both public and private cloud infrastructures. Leading cloud providers use the solution's RESTful APIs to develop self-service capabilities and dramatically reduce overall deployment cost.


Utilizing NetScaler within non-production environments:


• NetScaler VPX can be deployed within development, testing and staging environments, prior to promotion into production. This approach supports an improved assurance process and eliminates the cost and logistics of dedicating physical appliances for use within application development areas. NetScaler policy configurations defined in the development lab can easily be moved into production. The inherent flexibility of the virtual appliance model enables NetScaler VPX to be evaluated as part of the full application lifecycle process.

Architecting scalable multi-tenant infrastructures:

• In flex-tenancy architectures, application delivery is segmented into two tiers: a flex tier at the datacenter edge for shared network services using NetScaler MPX appliances, and application-specific tenant tiers using NetScaler VPX instances in close proximity to each application. Applications that vary significantly by tenant are optimized by using dedicated VPX instances. Policies are tailored to the specific needs of particular tenants, whether they are defined as an application, line of business, or user.

Attractive application delivery options for smaller businesses:

• NetScaler VPX is ideal for small to mid-size businesses to improve widely deployed applications, such as XenDesktop and XenApp, as well as popular applications including Microsoft Exchange and SharePoint. Support for AppExpert templates enables fast and easy configuration for these and other applications.

Performance (HTTP throughput):
• VPX 10: 10 Mbps
• VPX 200: 200 Mbps
• VPX 1000: 1 Gbps
• VPX 3000: 3 Gbps

Key Notes:


If additional throughput is needed, some models also support Burst Pack and Pay-As-You-Grow licensing options to help protect your initial investment and make it easier to scale up your network with a simple software license upgrade.

Key Notes:

As a result, memory, CPU cycles, and SSL cards are resources that you can move around and definitively assign to different NetScaler instances. Emphasize the hardware benefits of MPX and the software benefits of VPX. SDX is based on XenServer.


Additional Resources:


NetScaler Datasheet: http://www.citrix.com/content/dam/citrix/en_us/documents/products/netscaler-data-sheet.pdf.

Key Notes:

Getting more popular with cloud computing.

Some key players in Citrix advocate strongly to continue to advance this model.

Key Notes:

The traditional approach for multi-tenancy is to use purpose-built hardware with software features like rate limits, ACLs, and RBAs to create a logical partition or contexts. This solution uses a single entity of the device, operating system, or application. It looks good, but there are problems with this solution.


Specifically:
• There is no CPU and resource isolation – one partition can greatly impact the performance of other partitions.
• There is no version independence – all the tenants are forced to use the same version of software.
• There is no life cycle independence – if the software has a bug impacting one of the tenants, other tenants get impacted too.
• There is no high availability (HA) independence – we cannot fail over a single partition. If failover has to happen, all partitions have to fail over.

A single administrator controls most of the configuration. All tenants share a single resource:
• Traffic domains for network segmentation.
• Rate limiting for resource isolation.
• RBA or roles for management isolation.
• Shared entity space.

Partitions are not fully isolated:
• No CPU or memory isolation.
• No version independence.
• No maintenance independence.
• No per-tenant HA capability.

Key Notes:

Hypervisors are very common now and public cloud providers use hypervisors like Xen to provide multi-tenant solutions.


The hypervisors are now enterprise class and provide stable environments for multi-tenancy.


In a hypervisor-based solution, the hypervisor is installed on generic hardware or specialized hardware, and ADCs are run as Virtual Machines (VMs) for each tenant. The hypervisors provide brick-wall like partitioning across tenants.


In this solution, VMs get resource isolation as well as version and life cycle independence. NetScaler VPX is a solution that can be deployed as a VM. One problem with the hypervisor-based solution is that network performance does not scale. Generally speaking, a device capable of processing 50 Gbps of traffic natively will not be able to process 50 Gbps with virtualization.

Key Notes:

In the hypervisor-based solution, only the hypervisor has direct access to the hardware.

Key Notes:

NetScaler SDX was designed and built for the following reasons: SDX does not take the traditional, partition-based approach to multi-tenancy.

Rather, each instance is in fact its own instance, with its own dedicated:
• Memory and CPU
• Routing stack
• Kernel

This provides the foundation for the true resource and lifecycle isolation necessary for consolidating. Isolation for each NetScaler instance on SDX is provided by virtualization technologies. We use XenServer (XS), which isolates CPU, memory, and other components. For hardware acceleration, both for networking and for crypto, we use SR-IOV technology, which provides similar isolation in hardware.

• Complete per-tenant isolation.
• Memory and CPU isolation.
• Separate entity spaces.
• Version independence.
• Lifecycle independence.
• Completely isolated networks.

A single license for each appliance provides system throughput limits and a maximum number of virtual instances.

Key Notes:

SR-IOV is a PCI standard that provides IO virtualization.


With IO virtualization, a physical device or function like a NIC can be carved into virtual devices or functions.


The virtual functions can be assigned to virtual machines. The virtual machine then has direct access to the hardware through its virtual function. The IOMMU translates the guest's physical addresses to host physical addresses.


With IO virtualization VMs can efficiently share the IO devices.


Recent NICs like the Intel 82599 and Intel 82576 controllers support SR-IOV.

Key Notes:

With IO virtualization, each VF gets its own hardware RX and TX queues and has direct access to the hardware.


MAC and VLAN filters are associated with each VF.


When the NIC receives a packet, two levels of filtering are applied. In the first phase, MAC filtering is applied to find the right VF based on the destination MAC address. Then VLAN filtering is applied to the packet.


A packet is queued to a VF only if both MAC and VLAN filters pass.

There is no hypervisor involvement in the data path.


When a VF transmits a packet, it queues the packet in the TX queue and the HW fetches the packet for actual transmission. Packet switching is done at the hardware level, resulting in higher network performance. Hardware provides MAC and VLAN filtering capabilities to isolate the traffic across VMs. Using IO virtualization technologies, we can get the required isolation without sacrificing the performance.
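The two-phase MAC/VLAN filtering described here can be modelled in a few lines. The following Python is an added illustration, not Citrix or Intel code; the VF names, MAC addresses and VLAN IDs are constructed, and untagged frames are represented with VLAN 0 by convention.

```python
from collections import deque
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst_mac: str
    vlan: int          # 802.1Q VLAN ID; 0 stands for an untagged frame (constructed convention)
    payload: bytes


@dataclass
class VirtualFunction:
    name: str
    macs: set          # MAC filter: destination addresses this VF owns
    vlans: set         # VLAN filter: VLAN IDs this VF may receive (0 = untagged)
    rx_queue: deque = field(default_factory=deque)   # the VF's own hardware RX queue


class SriovNic:
    """Constructed model of the two-phase receive filtering in the notes above."""

    def __init__(self, vfs):
        self.vfs = list(vfs)
        self.dropped = []     # (frame, reason) pairs that never reached a VF queue

    def receive(self, frame):
        """Return the names of the VFs whose RX queue accepted the frame."""
        # Phase 1: MAC filtering selects the candidate VF(s) by destination MAC.
        if frame.dst_mac == BROADCAST:
            candidates = self.vfs
        else:
            candidates = [vf for vf in self.vfs if frame.dst_mac in vf.macs]
        if not candidates:
            self.dropped.append((frame, "no VF MAC filter matched"))
            return []
        # Phase 2: VLAN filtering on each candidate; both filters must pass.
        delivered = []
        for vf in candidates:
            if frame.vlan in vf.vlans:
                vf.rx_queue.append(frame)
                delivered.append(vf.name)
            else:
                self.dropped.append((frame, f"VLAN {frame.vlan} not allowed on {vf.name}"))
        return delivered


def demo():
    """Constructed sample: two VPX instances, each with its own VF, MAC and VLAN."""
    vpx1 = VirtualFunction("vpx1-vf0", {"00:0c:29:aa:00:01"}, {10})
    vpx2 = VirtualFunction("vpx2-vf1", {"00:0c:29:bb:00:02"}, {0, 20})
    nic = SriovNic([vpx1, vpx2])
    results = [
        nic.receive(Frame("00:0c:29:aa:00:01", 10, b"for vpx1 on its VLAN")),
        nic.receive(Frame("00:0c:29:aa:00:01", 20, b"right MAC, wrong VLAN")),
        nic.receive(Frame("00:0c:29:bb:00:02", 0, b"untagged frame for vpx2")),
        nic.receive(Frame("00:0c:29:cc:00:03", 10, b"MAC owned by no VF")),
        nic.receive(Frame(BROADCAST, 20, b"broadcast on VLAN 20")),
    ]
    return results, len(nic.dropped), (len(vpx1.rx_queue), len(vpx2.rx_queue))


if __name__ == "__main__":
    print(demo())
```

The second and fifth frames show why both filters matter for tenant isolation: a frame with the right destination MAC but a VLAN the VF is not allowed to see is dropped in hardware, and a broadcast reaches only the VFs whose VLAN filter admits it, so a VPX never sees another tenant's traffic even though they share the physical NIC.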

Key Notes:

For NetScaler SDX, we use the same hardware that NetScaler MPX uses for high-performance networking.


We use XenServer for virtualization. The hardware and the XenServer hypervisor support SR-IOV. Therefore, the hypervisor is no longer a performance bottleneck in the SDX.


Also, we have a management service running on the SDX for management of the SDX. It provides services like creation, modification, and deletion of VPXs.


ServiceVM provides services similar to the services provided by XenCenter for XenServer hosts. You can automate many of the management tasks by using NITRO API provided by the ServiceVM. Multiple NetScaler VPXs can be provisioned on the SDX to provide a multi-tenant solution. NetScaler VPX and NetScaler MPX use the same software, so NetScaler VPX is as robust as NetScaler MPX.

Key Notes:

On NetScaler SDX, instances get dedicated and shared resources. The memory resources are dedicated to an instance. Similarly, the SSL devices assigned to the VPX instance are dedicated. A VPX can be assigned zero or more SSL devices.


The CPU resources can be dedicated or shared depending on the requirements. Each instance can get as many as five (5) dedicated cores (10 hyper-threads). The dedicated CPU allocation can be useful for instances running production traffic. For the instances that are created for testing or training purposes, shared CPU resource allocation can be used.


Allocation of the network devices is flexible in NetScaler SDX. The devices can be shared or dedicated based on the security or compliance requirements. Finally, throughput and packets-per-second rate limits can be imposed on the VPX instance to control the network usage of an instance.

Key Notes:

NetScaler SDX allows fine-grained control over the allocation of the CPU resource to an instance.


At present, SDX has two (2) six-core processors. Enabling hyper-threading results in 12 logical cores per CPU and a total of 24 logical cores per system.


In this slide, CPU cores 3-8 are dedicated to VPX1. CPU cores 15-18 are dedicated to VPX2. CPU cores 21-22 are shared by VPX3 and VPX4.

Key Notes:

The data plane CPU for each instance can also be a hard allocation. However, at a certain instance count (11 or more) some of the instances will need to share cores.
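As an added example (not from the course), the following Python checks a core plan such as the one on the previous slide (cores 3-8 to VPX1, 15-18 to VPX2, 21-22 shared by VPX3 and VPX4) against the limits in these notes (24 logical cores, at most 10 dedicated hyper-threads per instance), and shows a greedy allocator that pushes instances onto the shared pool once dedicated cores run out. The number of cores the platform keeps for itself is not given in the notes, so it is a parameter here.

```python
LOGICAL_CORES = 24              # two 6-core CPUs with hyper-threading, per the notes
MAX_DEDICATED_THREADS = 10      # five dedicated cores = ten hyper-threads per instance


def verify_plan(dedicated, shared):
    """Check an explicit core plan like the one on the slide.

    dedicated: {instance: iterable of logical core ids reserved for it alone}
    shared:    {instance: iterable of logical core ids it shares with others}
    Returns a list of violations (empty = plan is consistent).
    """
    violations = []
    owner = {}
    for inst, cores in dedicated.items():
        cores = sorted(set(cores))
        if len(cores) > MAX_DEDICATED_THREADS:
            violations.append(f"{inst}: {len(cores)} dedicated threads exceeds {MAX_DEDICATED_THREADS}")
        for c in cores:
            if not 0 <= c < LOGICAL_CORES:
                violations.append(f"{inst}: core {c} does not exist")
            elif c in owner:
                violations.append(f"core {c} dedicated to both {owner[c]} and {inst}")
            else:
                owner[c] = inst
    for inst, cores in shared.items():
        for c in sorted(set(cores)):
            if c in owner:
                violations.append(f"{inst} shares core {c}, which is dedicated to {owner[c]}")
    return violations


def allocate(requests, reserved=()):
    """Greedy dedicated-core allocation in request order.

    requests: [(instance, dedicated_thread_count)], 0 = run on the shared pool.
    reserved: logical cores kept back from instances (assumption: the notes do not
              say how many the platform itself uses, so it is a parameter).
    Returns (dedicated_plan, shared_instances, remaining_pool).
    """
    free = [c for c in range(LOGICAL_CORES) if c not in set(reserved)]
    plan, shared = {}, []
    for inst, count in requests:
        if count == 0:
            shared.append(inst)
        elif count > MAX_DEDICATED_THREADS:
            raise ValueError(f"{inst}: {count} exceeds {MAX_DEDICATED_THREADS} dedicated threads")
        elif count > len(free):
            # Dedicated capacity is exhausted: this instance must share cores.
            shared.append(inst)
        else:
            plan[inst] = free[:count]
            free = free[count:]
    return plan, shared, free


def slide_plan():
    """The allocation drawn on the slide: cores 3-8 to VPX1, 15-18 to VPX2, 21-22 shared."""
    dedicated = {"VPX1": range(3, 9), "VPX2": range(15, 19)}
    shared = {"VPX3": [21, 22], "VPX4": [21, 22]}
    return verify_plan(dedicated, shared)


if __name__ == "__main__":
    print("slide plan violations:", slide_plan())
    print(allocate([("prod1", 10), ("prod2", 10), ("prod3", 6), ("lab", 0)], reserved=(0, 1)))
```

The allocator makes the point of the note concrete: once the dedicated pool is consumed by production instances, any further instance lands on the shared pool and its performance can be affected by its neighbours, which is why the notes recommend shared allocation only for test and training instances.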

Key Notes:

First, each instance has its own NetScaler OS kernel, and these kernels can be upgraded independently. So, for example, when the next version of NetScaler operating system becomes available, some of the instances can be upgraded, while others can be left. This gives us the flexibility to consolidate and still meet the individual requirements of different apps.


Second, HA is also done at the instance level.

Key Notes:

Each instance gets its own kernel. So it has its own IP stack, its own routing tables, VLANs (more on that later), connection tables, and so on.


For the data plane, our use of SR-IOV provides very strong isolation.


We have a lot of flexibility for how we can isolate on the management plane as well.

Key Notes:

To upgrade, a customer is shipped a hard drive. If you want to put your current MPX config on the SDX, make sure you copy all relevant config files and other directories (for example, certs).

Key Notes:

Each VPX instance has a dedicated VF, therefore performance is not impacted by other VPX instances.

Key Notes:

Data and management plane isolation support network segmentation use cases. Support for multiple management networks.

Very strong data plane isolation options:
• Dedicate interfaces to instances.
• Share interfaces without VLAN filtering.
• Share interfaces with VLAN filtering.

Multiple management networks:
• Supports hierarchical networking.
• Separate NSIPs from each other.
• Separate ServiceVM from NSIPs.

Flexible data ports:
• Dedicate interface for a zone.
• Share interfaces within a zone.

Traffic isolation at hardware level:
• MAC and VLAN filtering.

Key Notes:

In an HA pair, we can fail over an individual instance on device A to device B, without having to flop the entire device and every instance on the device. Embedded within this is the ability to have an active instance on both devices.


On SDX, we have:
• The ability to upgrade an instance without upgrading the entire device.
• The ability to fail an instance over without failing over the entire device.

Key Notes:

We can upgrade the XenServer of the SDX from the CLI of the SVM. Command: do xenupgrade custom [image_name=]

The exact command is "do xenupgrade upgrade image_name=XenServer-6.1.0-install-sdx.iso"


To Complete a Factory Reset:

Key Notes:

• From dom0 (XenServer CLI) you can execute the following steps.
• Ensure you have serial console access to the appliance before doing this.
1. sfdisk --change-id /dev/sda 1 c
2. sfdisk /dev/sda -A 1
3. reboot

Key Notes:

How to check the XenServer version: uname -r
How to check the hot fixes installed: xe patch-list
How to check memory of the SDX: xe host-list params=memory-total
How to verify free memory of SDX: xe host-list params=memory-free
How to verify XenServer supplemental pack version: xe host-list params=software-version
How to verify the dom id's: xl list
How to console into the Instances: xl console
How to exit out from console: Ctrl + ]
How to configure SVM IP from cli:
1. Log on to the XenServer shell and then log in to the SVM via console.
2. Type "networkconfig" at the SVM shell prompt and you see the following:

Key Notes:

When you log on to the SDX, you land on the homepage which gives you some basic monitoring information.

Key Notes:

An HA configuration is made up of two (or more) NetScalers working in an HA configuration. NetScaler HA is active-passive (Primary/Secondary).


HA doesn't cover upstream router failure or server failure.

Paired NetScalers share a configuration, except for the unique NSIP address in ns.conf. The ns.conf will have a different node ID listing for the "paired" system. Other differences are only present if using the "independent network config" option.

Key Notes:

High availability ensures that if one node experiences failure, the other node can take over because it has an identical configuration and it is on standby. This is an Active/Passive pair. On the NetScaler, we refer to the active system as the primary and the passive system as the secondary.


HA can be configured in two modes, One Arm HA and Two Arm HA.

Key Notes:

GARP is sent out by the new primary for all the floating IPs on an HA failover. It is staggered (40 packets every 200 ms) and we send 2 GARPs per IP.


With the use of VMAC we can avoid transmission of GARPs: -garpOnVridIntf (set L2Param) -> Send GARP messages on VRID-configured interfaces upon failover.

Key Notes:

HA Communication:
• UDP Port 3003 - HA heartbeat.
• TCP Port 3010 (3008-secured) - Sync.
• TCP Port 3011 (3009-secured) - Propagation.

On the Secondary, if there is an incarnation number mismatch or a force sync, the nssync process wakes up and:
1. Fetches the Primary's RPC node information and compares it with its own.
2. Opens an RPC session on TCP port 3010; this succeeds only if the RPC node passwords match.
3. Clears the config on the Secondary node.
4. Invokes the nsconf process and pulls the running config from the Primary node (/var/nssynclog/ns_com_cfg.conf): batch -f /tmp/ns_com_cfg.conf
5. nssync is put back to sleep.

If propagation is disabled on the primary, changes to the config are not propagated to the secondary. If propagation is disabled on the secondary, changes propagated from the primary are not applied to the secondary.
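The following Python is an added model, not NetScaler code, of the propagation and sync behaviour described above: node-specific commands stay local, -haProp DISABLED on either side blocks propagation, and an incarnation mismatch or force sync makes the secondary check the RPC node password, clear its config and pull the primary's. The command strings, node names and passwords are constructed samples.

```python
from dataclasses import dataclass, field

# Command prefixes the notes list as never propagated (node-specific settings).
NON_PROPAGATED = ("add node", "rm node", "set node",
                  "add channel", "bind channel", "set channel",
                  "set interface", "bind interface")


def is_propagated(cmd):
    return not cmd.startswith(NON_PROPAGATED)


@dataclass
class HaNode:
    name: str
    rpc_password: str          # RPC node password checked when the sync session opens
    ha_prop: bool = True       # set HA node -haProp
    ha_sync: bool = True       # set HA node -hasync
    config: list = field(default_factory=list)
    incarnation: int = 0       # bumped on every propagable config change
    log: list = field(default_factory=list)


class HaPair:
    def __init__(self, primary, secondary):
        self.primary, self.secondary = primary, secondary

    def run_on_primary(self, cmd):
        """Apply a CLI command on the primary and propagate it when allowed."""
        p, s = self.primary, self.secondary
        p.config.append(cmd)
        if not is_propagated(cmd):
            p.log.append(f"node-specific, kept local: {cmd}")
            return "local"
        p.incarnation += 1
        if not p.ha_prop:
            p.log.append(f"haProp DISABLED on primary, not sent: {cmd}")
            return "not-sent"
        if not s.ha_prop:
            s.log.append(f"haProp DISABLED on secondary, not applied: {cmd}")
            return "not-applied"
        s.config.append(cmd)
        s.incarnation += 1
        return "propagated"

    def sync(self, force=False):
        """The nssync sequence on the secondary, triggered by an incarnation
        mismatch or a forced sync: check RPC credentials, clear, pull config."""
        p, s = self.primary, self.secondary
        if not s.ha_sync:
            s.log.append("hasync DISABLED, skipping")
            return "sync-disabled"
        if not force and s.incarnation == p.incarnation:
            return "in-sync"
        if s.rpc_password != p.rpc_password:
            s.log.append("RPC node password mismatch: session on TCP 3010 refused")
            return "rpc-auth-failed"
        s.config.clear()                                            # clear config on the secondary
        s.config.extend(c for c in p.config if is_propagated(c))   # batch the pulled config
        s.incarnation = p.incarnation
        return "synced"


def demo():
    """Constructed walk-through: one propagated change, one node-local change,
    one change made while propagation is disabled, then a sync."""
    pair = HaPair(HaNode("ns1", "rpc-secret"), HaNode("ns2", "rpc-secret"))
    steps = [
        pair.run_on_primary("add lb vserver web HTTP 10.0.0.10 80"),
        pair.run_on_primary("set interface 1/3 -haMonitor OFF"),
    ]
    pair.primary.ha_prop = False
    steps.append(pair.run_on_primary("add service app1 10.0.0.20 HTTP 80"))
    steps.append(pair.sync())
    return steps, list(pair.secondary.config)


if __name__ == "__main__":
    print(demo())
```

The model shows the operational consequence of the notes: a change made while propagation is disabled leaves the incarnation numbers out of step, and the next sync (or a force sync) is what brings the secondary back, but only if the RPC node passwords on both appliances still match.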

Key Notes:

If any interface has a line containing "ENABLED, down, …, MONITOR ON, …" the system will never become primary. Usually it will stay as secondary with an undefined primary.

• Resolution: disable the interface.

Be sure all unused interfaces have monitoring suppressed:
• set interface -hamonitor off.
• disable interface.

Key Notes:

Propagation can be disabled: set HA node -haProp DISABLED

The following commands are not propagated:
• Node-specific commands like add node, rm node, set node, etc.
• Channel configuration.
• Interface-specific config like set interface, bind interface, etc.

Additional Resources:

File Synchronization in NetScaler High Availability Setup: http://support.citrix.com/article/CTX138748

Key Notes:

Be sure all unused interfaces have monitoring suppressed:
• set interface -hamonitor off.
• disable interface.

Key Notes:

The NSIP address can be changed using the “set ns config” command; this change requires a restart.

Key Notes:

Citrix does not recommend configuring stay primary/secondary after initial setup. In the event of flapping (device going up and down), this configuration would be disruptive. We recommend letting the secondary device serve traffic until the cause of the failover is determined, and manually fail back if a user prefers to keep one device as primary.


• Configure HA by going to System > Settings > HA and adding the remote node. From the CLI on each node: add HA node
• Citrix recommends that you set the status of the desired secondary node to stay secondary when nodes are configured.
• Save configuration changes.
• Set HA monitoring to OFF on unimportant interfaces.
• Disable unused interfaces.

This practice ensures that an accidental failover does not occur during the configuration process, resulting in changes being made to the secondary rather than the primary node. Any changes that are made to the secondary node are not propagated to the primary node. If you do not use stay secondary, then the nodes may accidentally switch roles, and a blank config from the secondary (if it promoted itself to primary) could overwrite your desired config.

Key Notes:

CLI: show ha node.

You can also verify on the LCD of a physical NetScaler.

Key Notes:

ENABLED state means normal HA operation without any constraints or preferences.


STAYPRIMARY configuration keeps the node in primary state if it is healthy, even if the peer node was the primary node initially.


STAYSECONDARY is used to force the secondary device to stay as secondary, independent of the state of the primary device.

If you issue the STAYPRIMARY command on the primary device, then it gets "preferred node" status and will fail back when it recovers from a failure.

Split brain:
• Where both nodes are healthy and claim primary state; they don't hear about the other node at all.

Sample conditions that trigger split brain:
• All the interfaces connecting to the peer node are disabled.
• Interface connecting to the peer node is tagged.

Tie breaker to choose Primary when split brain is resolved:
• Node which was Primary for the longer interval before split brain.
• Higher NSIP.

Key Notes:

Without Fail Safe mode enabled, if both nodes are experiencing failed health checks, then they both can demote themselves to secondary.


Then you would have both nodes refusing to handle traffic, which causes problems.


To mitigate this scenario, you need to enable Fail Safe mode, so one system will stay primary even if both are experiencing failures.


When there is a heartbeat failure, the secondary reaches the lost heartbeat threshold and promotes itself to primary.


If you issue the STAYPRIMARY command on the primary device, then it gets preferred node status and will fail back when it recovers from a failure.

Key Notes:

To communicate with other NetScaler Gateway appliances, each appliance requires knowledge of the other appliances, including how to authenticate on NetScaler Gateway.


RPC nodes are internal system entities used for system-to-system communication of configuration and session information. One RPC node exists on each NetScaler Gateway and stores information, such as the IP addresses of the other NetScaler Gateway appliance and the passwords used for authentication. The NetScaler Gateway that makes contact with another NetScaler Gateway checks the password within the RPC node.


NetScaler Gateway requires RPC node passwords on both appliances in a high availability pair. Initially, each NetScaler Gateway is configured with the same RPC node password. To enhance security, you should change the default RPC node passwords. You use the configuration utility to configure and change RPC nodes.

Note: The NetScaler Gateway administrator password and the RPC node password must be the same.

RPC nodes are implicitly created when adding a node or adding a Global Server Load Balancing (GSLB) site. You cannot create or delete RPC nodes manually.

Important: You should also secure the network connection between the appliances. You can configure security when you configure the RPC node password by selecting the Secure check box.

To create or change an RPC node password and enable a secure connection:
• In the configuration utility, in the navigation pane, expand System > Network > Advanced and then click RPC.
• In the details pane, select the node and then click Open.
• In Password and Confirm Password, type the new password.
• In Source IP Address, type the system IP address of the other NetScaler Gateway appliance. To use an IPv6 address, select IPv6 and then enter the IP address.
• Click Secure and then click OK.

CLI command: set ns rpcNode {-password } [-srcIP ] [-secure ( YES | NO )]

Key Notes:

To disable sync set HA node -hasync DISABLED

Key Notes:

Use the force ha failover command on either the primary or the secondary node to trigger a manual failover.

When the two nodes of an HA pair run different versions of the system software, the nodes go into listen mode. In this mode, neither command propagation nor configuration synchronization works.

Key Notes:

HA MON interfaces that are not bound to an FIS are known as critical interfaces (CI) because if any of them fails, failover is triggered.

An FIS does not create active and standby interfaces or channels. It also does not prevent bridging loops when connecting links to the same VLAN.

Adding an FIS:
• add fis <name>
• bind fis <name> <ifnum>

Removing an FIS:
• unbind fis <name> <ifnum>

Key Notes:

Some older routers are not GARP aware. Some networks do not allow GARP for security reasons (ARP cache poisoning).

If the two NetScalers are in separate subnets, GARP cannot be used: a gratuitous ARP only updates neighbors on the same layer-2 segment.

Key Notes:

In this diagram, each NetScaler should verify that its router is reachable. If the router becomes unreachable from the primary, a failover should occur.

or n tio

bu

ri st di

248 © 2017 Citrix Authorized Content

ot

N e

al

es rr

fo or n tio

bu

ri st di

249 © 2017 Citrix Authorized Content

ot

N e

al

es rr

fo or n tio

bu

ri st di

250 © 2017 Citrix Authorized Content

ot

N e

al

es rr

fo or n tio

bu

ri st di

251 © 2017 Citrix Authorized Content

ot

N es rr

fo Key Notes:

e

al

The advantage of managing the pair through a SNIP (rather than a node's NSIP) is that the SNIP is always owned by the current primary, so configuration changes are guaranteed to be made on the primary NetScaler.

Key Notes:

The two nodes of a high-availability pair can run different versions of NetScaler software. However, it is best practice to disable command propagation and automatic configuration synchronization while they do; this prevents command conflicts between the two versions.

Key Notes:

Synchronization failure:

• The ha_err_sync_failure counter increments when a NetScaler high-availability synchronization failure is detected.
• The ha_err_sync_failure counter tracks the number of times the primary and secondary appliances failed to synchronize the configuration after the last transition. A synchronization failure leaves the two configurations mismatched. A common cause is that the Remote Procedure Call (RPC) node password on the primary and secondary appliances is not the same.

Ensure that the primary and secondary appliances can communicate with each other. The management and heartbeat packets are sent at layer 2. The L2 connectivity between the two appliances in the high-availability setup must allow the heartbeat packets (UDP port 3003) to be received within 3 seconds. Ensure that any Access Control Lists (ACLs) configured on a third-party device between the nodes permit this communication. Run the following command from the shell to ensure that the nsnetsvc process is active:

root@ns# ps auxw | grep -i nsnetsvc | grep -v grep
root 256 0.0 0.2 18568 5668 ?? Ss Wed05PM 0:14.33 /netscaler/nsnetsvc

File synchronization failure: check ACLs, then try running the CLI command: sync ha files all

Unexpected failover:
• If the NetScaler appliances are failing over unexpectedly, view events in the diagnostics section of the Configuration Utility, or run nsconmsg -d event from the shell prompt to display the current events that might be causing the failover. Possible causes include:
• Interface is down.
• SSL acceleration card is down.
• System stopped responding.
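As an added example (not Citrix code), the Python below scripts the two checks from the note above: that the peer's heartbeats keep arriving within the 3-second window on UDP 3003, and that an ACL in the path permits that traffic in both directions between the NSIPs. The NSIPs, heartbeat timestamps and ACL rules are constructed sample data, and the first-match ACL evaluator with an explicit default is a generic model rather than any vendor's ACL syntax:

```python
# Added example (not Citrix code): a pre-check for the two HA prerequisites
# described in the troubleshooting notes: heartbeats from the peer must
# keep arriving within the 3-second window on UDP port 3003, and any ACL in
# the path must permit that traffic between the two NSIPs. The heartbeat
# timestamps and ACL rules are constructed sample data; the first-match
# ACL evaluator with an explicit default action is this example's own
# generic model, not the syntax of any particular firewall or of the
# NetScaler's own ACLs.
from dataclasses import dataclass
import ipaddress
from typing import List, Optional

HA_HEARTBEAT_PORT = 3003        # UDP, per the troubleshooting notes
DEAD_INTERVAL_SECONDS = 3.0     # a heartbeat must arrive within this window


def heartbeat_gaps(arrivals: List[float], dead_interval: float = DEAD_INTERVAL_SECONDS) -> List[float]:
    """Return the gaps between consecutive heartbeats that exceed dead_interval."""
    return [b - a for a, b in zip(arrivals, arrivals[1:]) if b - a > dead_interval]


def peer_considered_dead(arrivals: List[float], now: float,
                         dead_interval: float = DEAD_INTERVAL_SECONDS) -> bool:
    """True when the peer's last heartbeat is older than the dead interval."""
    return not arrivals or now - arrivals[-1] > dead_interval


@dataclass
class AclRule:
    action: str                      # "ALLOW" or "DENY"
    protocol: str                    # "UDP", "TCP" or "ANY"
    src: str                         # CIDR
    dst: str                         # CIDR
    dst_port: Optional[int] = None   # None = any port

    def matches(self, protocol: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (self.protocol in ("ANY", protocol)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.dst_port in (None, dst_port))


def acl_permits(rules: List[AclRule], protocol: str, src_ip: str, dst_ip: str,
                dst_port: int, default: str = "ALLOW") -> bool:
    """First matching rule wins; `default` applies when nothing matches."""
    for rule in rules:
        if rule.matches(protocol, src_ip, dst_ip, dst_port):
            return rule.action == "ALLOW"
    return default == "ALLOW"


def ha_path_ok(rules: List[AclRule], nsip_a: str, nsip_b: str, default: str = "ALLOW") -> bool:
    """Heartbeats flow both ways, so UDP/3003 must be permitted in both directions."""
    return (acl_permits(rules, "UDP", nsip_a, nsip_b, HA_HEARTBEAT_PORT, default)
            and acl_permits(rules, "UDP", nsip_b, nsip_a, HA_HEARTBEAT_PORT, default))


# Constructed sample data (hypothetical NSIPs and rules).
NSIP_PRIMARY, NSIP_SECONDARY = "10.10.0.11", "10.10.0.12"
SAMPLE_HEARTBEATS = [0.0, 0.2, 0.4, 0.6, 4.1, 4.3]      # one 3.5 s gap (0.6 -> 4.1)
SAMPLE_ACL = [
    AclRule("DENY", "UDP", "10.10.0.0/24", "10.10.0.0/24", 3003),   # the misconfiguration
    AclRule("ALLOW", "ANY", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("gaps over dead interval:", heartbeat_gaps(SAMPLE_HEARTBEATS))
    print("peer dead at t=8.0:", peer_considered_dead(SAMPLE_HEARTBEATS, 8.0))
    print("ACL permits HA heartbeat:", ha_path_ok(SAMPLE_ACL, NSIP_PRIMARY, NSIP_SECONDARY))
```

Feed heartbeat_gaps the arrival times from a capture filtered on UDP port 3003 between the two NSIPs; a single gap above the dead interval is enough to explain an otherwise unexplained failover.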

Key Notes:

Load balancing is the most straightforward method of scaling out an application server infrastructure. As application demand increases, new servers can be easily added to the resource pool, and the load balancer will immediately begin sending traffic to the new server.

Key Notes:

The fundamental object types used within the NetScaler to define the load balancing relationships are the service and the Vserver.

• The service represents the target server's IP, port and protocol.
• The vserver represents the virtual server's IP, port and protocol.

Key Notes:

In a basic load balancing setup, clients send their requests to the IP address of a virtual server configured on the NetScaler appliance. The virtual server distributes them to the load-balanced application servers according to a preset pattern, called the load balancing algorithm. In some cases, you might want to assign the load balancing virtual server a wildcard address instead of a specific IP address.

• The end user makes a request.
• The request is sent to a virtual server on the NetScaler (vserver = IP address + port + protocol).
• The request is forwarded to the back-end server.

Once the vserver receives the request, a load-balancing decision takes place based on the assigned load-balancing method and the results of the service monitors. The incoming load is distributed across the pool of available services; how it is distributed depends on the traffic being balanced. Before requests are sent to back-end services, their health is verified to ensure they are able to accept connections. If the systems operate as an HA pair, persistence tables are synchronized to the secondary for failover: a connection will drop at failover and need to be re-established, but it will be re-established to the same back-end server. A Citrix NetScaler can balance TLS as well as SSL traffic. There are also special service definitions to support FTP, both active and passive. Generic TCP and UDP traffic is tracked by port number.

Key Notes:

Load balancing virtual server. The IP address, port, and protocol combination to which a client sends connection requests for a particular load-balanced website or application. If the application is accessible from the Internet, the virtual server IP (VIP) address is a public IP address. If the application is accessible only from the local area network (LAN) or wide area network (WAN), the VIP is usually a private (non-Internet-routable) IP address.

LB vserver:
• Client facing.
• Virtual IP + port + protocol.
• Determines the load-balancing criteria (the load-balancing method); LB methods determine how load is distributed.
• Traffic management from L4 (TCP/UDP) to L7 (FTP, HTTP, HTTPS).

Service. The IP address, port, and protocol combination used to route requests to a specific load-balanced application server. A service can be a logical representation of the application server itself, or of an application running on a server that hosts multiple applications. After creating a service, you bind it to a load balancing virtual server.

Service and service group:
• Service entity: IP address + port + protocol.
• Service group entity: a group of services (used for ease of administration).
• Faces the servers.
• Logical representation of a server, or of an application on a server.

Monitor. An entity on the NetScaler appliance that tracks a service and ensures that it is operating correctly. The monitor periodically probes (performs a health check on) each service to which you assign it. If the service does not respond within the configured time-out, and a specified number of health checks fail, that service is marked DOWN. The NetScaler appliance then skips that service when performing load balancing until the issues that caused the service to stop responding are fixed.

Monitor:
• Entity that tracks the health of a service. It is always bound to a service.
• Dynamically takes a service UP or DOWN, based on the results of the monitor probes.
• Periodic probes: if the server does not respond within the specified response time-out, the probe fails; once the configured number of probes fail, the service is marked DOWN.
• An LB vserver is DOWN if all of its services are DOWN.

Metric table. Name for the metric table. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters.

CLI users: if the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my metrictable" or 'my metrictable').

Server. Server object: a virtual entity that enables you to assign a name to a physical server instead of identifying the server by its IP address. If you create a server object, you can specify its name instead of the server's IP address when you create a service. Otherwise, you must specify the server's IP address when you create a service, and the IP address becomes the name of the server.
• IP address: can be named or unnamed.

Persistence group. When you have load-balanced servers that handle several different types of connections (such as web servers that host multimedia), you can configure a virtual server group to handle these connections. To create a virtual server group, you bind different types of virtual servers, one for each type of connection that your load-balanced servers accept, into a single group. You then configure a persistence type for the entire group.

You can configure either source IP-based persistence or HTTP cookie-based persistence for persistence groups. After you set persistence for the entire group, you cannot change it for individual virtual servers in the group. If you configure persistence on a group and then add a new virtual server to the group, the persistence of the new virtual server is changed to match the persistence setting of the group. When persistence is configured on a group of virtual servers, persistence sessions are created for initial requests, and subsequent requests are directed to the same service as the initial request, regardless of which virtual server in the group receives each client request.

CLI commands:
• add server <name> <IPAddress>
• add service <name> <IPAddress|serverName> <serviceType> <port>
• add lb vserver <name> <serviceType> <VIP> <port>
• bind lb vserver <name> <serviceName>
• bind lb vserver <name> -policyName <policyName> -priority <positive_integer>
• bind lb monitor <monitorName> <serviceName> [-state ( ENABLED | DISABLED )] [-weight <positive_integer>]

Key Notes:

Virtual servers support the same protocols as services.

Note: There are multiple virtual server types on the NetScaler:
• LB vserver (load balancing).
• CS vserver (content switching).
• CR vserver (cache redirection).
• GSLB vserver.
• SSL vserver.
• SSL Gateway vserver.
• AAA TM vserver.

The port number must be between 0 and 65535. The same IP address can listen on different ports.

Key Notes:

Multiple services can be bound to same server on different ports or protocols.

Key Notes:

Load balancing for L7 protocols works at layer 7; for example, when load balancing HTTP, each individual request is load balanced rather than each TCP connection.

Multiple services can be bound to the same server on different ports and protocols.

CLI command:
• add service <name> <IPAddress|serverName> <serviceType> <port>

Some of the available service types:

HTTP - Used for load-balanced servers that accept HTTP traffic, such as standard web sites and web applications. The HTTP service type enables the NetScaler appliance to provide compression, content filtering, caching, and client keep-alive support for your layer-7 web servers. This service type also supports virtual server IP port insertion, redirect port rewriting, Web 2.0 Push, and URL redirection. Because HTTP is a TCP-based application protocol, you can also use the TCP service type for web servers. If you do so, however, the NetScaler appliance can perform only layer-4 load balancing; it cannot provide any of the layer-7 support described above.

TCP - Used for non-RFC-compliant HTTP implementations and for servers that accept many different types of TCP traffic, or a type of TCP traffic for which a more specific service type is not available. You can also use the ANY service type for these servers.

FTP - Ensures that the NetScaler takes care of the specifics of the FTP protocol. You can also use the TCP or ANY service types for FTP servers.

UDP - Used for servers that accept UDP traffic. You can also use the ANY service type.

SSL - Used for servers that accept HTTPS traffic, such as e-commerce web sites and shopping cart applications. The SSL service type enables the NetScaler appliance to encrypt and decrypt SSL traffic (perform SSL offloading) for your secure web applications. It also supports HTTP persistence, content switching, rewrite, virtual server IP port insertion, Web 2.0 Push, and URL redirection. You can also use the SSL_BRIDGE, SSL_TCP, or TCP service types. If you do so, however, the NetScaler performs only layer-4 load balancing; it cannot provide SSL offloading or any of the layer-7 support described above.

NNTP - Used for servers that accept Network News Transfer Protocol (NNTP) traffic, typically Usenet sites.

DNS - Used for servers that accept DNS traffic, typically name servers. With the DNS service type, the NetScaler appliance validates the packet format of each DNS request and response. It can also cache DNS responses, and you can apply DNS policies to DNS services. You can also use the UDP service type for these services. If you do, however, the NetScaler appliance can only perform layer-4 load balancing; it cannot provide the DNS-specific features.

DNS-TCP - Used for servers that accept DNS traffic over TCP, where the NetScaler appliance acts as a proxy for TCP traffic sent to DNS servers. With services of the DNS-TCP service type, the NetScaler appliance validates the packet format of each DNS request and response and can cache DNS responses, just as with the DNS service type. You can also use the TCP service type for these services. If you do, however, the NetScaler appliance only performs layer-4 load balancing of the external DNS name servers; it cannot provide any DNS-specific features.

RTSP - Used for servers that accept Real-Time Streaming Protocol (RTSP) traffic. RTSP provides delivery of multimedia and other streaming data. Select this type to support audio, video, and other types of streamed media. You can also use the TCP service type for these services. If you do, however, the NetScaler appliance performs only layer-4 load balancing; it cannot parse the RTSP stream or provide support for RTSPID persistence or RTSP NATing.

ANY - For any TCP, UDP, and ICMP service. Primarily used with firewall load balancing and link load balancing, where load balancing is time-based.

SIP-UDP - Used for servers that accept UDP-based Session Initiation Protocol (SIP) traffic. SIP initiates, manages, and terminates multimedia communication sessions and has emerged as the standard for Internet telephony (VoIP). You can also use the UDP service type for these services. If you do, however, the NetScaler appliance performs only layer-4 load balancing; it cannot provide SIP-specific features.

DHCPRA - Used for servers that accept DHCP traffic. The DHCPRA service type can be used to relay DHCP requests and responses between VLANs.

DIAMETER - Used for load balancing Diameter traffic among multiple Diameter servers. Diameter uses message-based load balancing.

SSL_DIAMETER - Used for load balancing Diameter traffic over SSL.

• A newly added service is reported as DOWN until the NetScaler appliance connects to the associated load-balanced server and verifies that it is operational; at that point the service is marked UP. (ENABLED/DISABLED is the administrative state set by the administrator, which monitoring does not change.)

Key Notes:

The principles are the same as for a service. A service group is comparable to an object group in Cisco IOS or a distribution group in Windows: its members share the same characteristics, including protocol and port, and are often maintained on the same schedule.

Configuring a service group enables you to manage a group of services as easily as you would a single service. Note, however, that unbinding an individual server from a service group is not as convenient as unbinding a server from a service.

After creating a service group, you can bind it to a virtual server and add services to the group.

Key Notes:

For all service types, the Citrix NetScaler can send ICMP pings to the server address. If the server responds to the ping, the service is marked as up.


For any TCP service, a TCP connection can be opened to the target port. If the connection is accepted, then the Citrix NetScaler will close the connection and note that the service is up. If there is an existing TCP traffic flow to the service, the Citrix NetScaler will not send an additional monitoring check.


For HTTP, TCP and UDP services, there are predefined monitors capable of Extended Content Verification (ECV). In this case, it is not enough to see that a TCP connection was accepted; a particular reply on the connection is required to mark the service as UP. For these monitors, a request string is configured along with the reply string expected in return. If the reply received by the Citrix NetScaler monitor matches, the service is UP. For DNS and FTP there are similar monitors: a DNS query can be sent and the reply examined for an error; with an FTP server, a login attempt can be made, and the service is UP if the login succeeds. Both the basic HTTP/TCP monitors and their ECV versions can be run over SSL. In that case the completed SSL handshake and session establishment is added to the monitoring conditions: if the SSL connection fails, the service is marked DOWN even when the other criteria succeed. Transparent devices such as firewalls can be monitored by verifying that communication can reach a network host behind the transparent device. Monitors can also be configured to check connectivity to other systems as part of the health check. For example, if a database server is down, the corresponding web service that runs its front end might need to be marked DOWN, even though the web server itself is functioning fine.

Key Notes:

Manually creating servers allows for a naming convention and better understanding for beginners. If you simply add a service without first creating a server object, then the server object is automatically created and named after the IP address.

To eliminate DNS as a point of failure, it is a best practice to define server objects by IP address rather than by FQDN.

Key Notes:

The flow of traffic is dictated by the vserver-to-service relationship, which is called "binding."

• A request comes from a user.
• It is received by the vserver object and is processed based on the vserver attributes.
• When a load-balancing decision occurs, the request is passed to the appropriate service object.
• Based on the service attributes, the request is sent to a server's IP and port.

Key Notes:

LEASTCONNECTION - The service that currently has the fewest active client connections. This is the default load-balancing method.
ROUNDROBIN - The service at the top of the list of services. After that service is selected for a connection, it moves to the bottom of the list.
LEASTRESPONSETIME - The load-balanced server that currently has the quickest response time.
DOMAINHASH - A hash of the destination domain.
DESTINATIONIPHASH - A hash of the destination IP address.
SOURCEIPHASH - A hash of the source IP address.
URLHASH - A hash of the destination URL.
SRCIPDESTIPHASH - A hash of the source and destination IP addresses.
CALLIDHASH - A hash of the Call-ID in the SIP header.
SRCIPSRCPORTHASH - A hash of the client's IP address and port.
LEASTBANDWIDTH - The service currently serving the least traffic (bandwidth in Mbps).
LEASTPACKETS - The service currently receiving the fewest packets.
CUSTOMLOAD - Data from a load monitor.
TOKEN - A token extracted from the client request by a configured expression.
LRTM - Fewest active connections combined with the lowest average monitor response time.

Key Notes:

Least Connection is the default and is usually appropriate.

Key Notes:

URL hash method: When you configure the NetScaler to use the URL hash method for load balancing the services, it generates a hash value of the HTTP URL in the incoming request. The NetScaler caches the hashed value of the URL, and when it receives subsequent requests that use the same URL, it forwards them to the same service.

Domain hash method: A load-balancing virtual server configured to use the domain hash method uses the hashed value of the domain name in the HTTP request to select a service. The domain name is taken from either the incoming URL or the Host header of the HTTP request. If the domain name appears in both the URL and the Host header, the NetScaler gives preference to the URL.

Destination IP hash method: A load-balancing virtual server configured to use the destination IP hash method uses the hashed value of the destination IP address to select a server. You can mask the destination IP address to specify which part of it to use in the hash-value calculation, so that requests from different networks but destined for the same subnet are all directed to the same server.

Source IP hash method: A load-balancing virtual server configured to use the source IP hash method uses the hashed value of the client IP address to select a service. To direct all requests from source IP addresses that belong to a particular network to a specific destination server, mask the source IP address.

Source IP Destination IP hash method: A load-balancing virtual server configured to use the source IP destination IP hash method uses the hashed value of the source and destination IP addresses to select a service. Hashing is symmetric: the hash value is the same regardless of the order of the source and destination IP addresses.

Source IP Source Port hash method: A load-balancing virtual server configured to use the source IP source port hash method uses the hash value of the source IP address and source port to select a service. This ensures that all packets on a particular connection are directed to the same service. This method is used in connection mirroring and firewall load balancing.

Call ID hash method: A load-balancing virtual server configured to use the call ID hash method uses the hash value of the Call-ID in the SIP header to select a service. Packets for a particular SIP session are therefore always directed to the same proxy server. This method is applicable to SIP load balancing.

Key Notes:

During startup of a virtual server, or whenever the state of a virtual server changes, the virtual server can initially use the round-robin method to distribute client requests among the physical servers. This type of distribution, referred to as startup round robin, helps prevent unnecessary load on a single server while the initial requests are served. After using the round-robin method at startup, the virtual server switches to the load-balancing method specified on the virtual server.

The Startup RR Factor works in the following manner:
• If the Startup RR Factor is set to zero, the NetScaler switches to the specified load-balancing method depending on the request rate.
• If the Startup RR Factor is any number other than zero, the NetScaler uses the round-robin method for the specified number of requests before switching to the specified load-balancing method.
• By default, the Startup RR Factor is set to zero.

set lb parameter -startupRRFactor <positive_integer>

Note: You cannot set the Startup RR Factor for an individual virtual server. The value you specify applies to all the virtual servers on the NetScaler appliance. You can tell whether a virtual server is still in startup round robin (slow start) by comparing its configured method with its current method, both of which are displayed for the virtual server.
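As an added example (not code from the Citrix course or the appliance), the following Python model ties together the passages above on the vserver/service binding, the load-balancing methods and startup round robin: it selects a service with LEASTCONNECTION, ROUNDROBIN or SOURCEIPHASH (with a source mask), applies a startup round-robin window, and reports the vserver DOWN when every bound service is DOWN. All names and addresses are hypothetical, SHA-256 stands in for the appliance's unpublished hash, and the startup RR factor is kept per vserver here for simplicity although it is a global lb parameter on the appliance:

```python
# Added example (not Citrix code): a small model of the load-balancing
# objects described in this module (server/service -> LB vserver binding)
# and of the decisions an LB vserver makes with the LEASTCONNECTION,
# ROUNDROBIN and SOURCEIPHASH methods, including startup round robin.
# Assumptions, which are this example's own: monitor results arrive as a
# boolean flag, the hash function is SHA-256 (the appliance's real hash is
# not public), and startupRRFactor is stored per vserver here although on
# the appliance it is a global "set lb parameter" setting.
from dataclasses import dataclass, field
import hashlib
import ipaddress
from typing import List, Optional


@dataclass
class Service:
    """Back-end target: IP + port (protocol omitted here) with monitor state."""
    name: str
    ip: str
    port: int
    up: bool = True          # what the bound monitor reports
    active_conns: int = 0    # consulted by LEASTCONNECTION
    weight: int = 1


@dataclass
class LBVserver:
    """Client-facing VIP + port; holds the bindings and the configured method."""
    name: str
    vip: str
    port: int
    method: str = "LEASTCONNECTION"      # the configured (target) method
    startup_rr_factor: int = 0           # 0 = no fixed startup RR window (see note)
    src_mask: str = "255.255.255.255"    # netmask applied before SOURCEIPHASH
    services: List[Service] = field(default_factory=list)
    rr_index: int = 0
    requests_served: int = 0

    def bind(self, svc: Service) -> None:
        self.services.append(svc)

    def available(self) -> List[Service]:
        return [s for s in self.services if s.up]

    def state(self) -> str:
        # The vserver is DOWN only when every bound service is DOWN.
        return "UP" if self.available() else "DOWN"

    def current_method(self) -> str:
        # Startup round robin: serve the first startup_rr_factor requests with
        # ROUNDROBIN, then switch to the configured method. With factor 0 the
        # appliance switches based on request rate, which is not modelled here.
        if self.startup_rr_factor and self.requests_served < self.startup_rr_factor:
            return "ROUNDROBIN"
        return self.method

    def select(self, client_ip: str) -> Optional[Service]:
        pool = self.available()
        if not pool:
            return None            # vserver DOWN: nothing to send the request to
        method = self.current_method()
        if method == "ROUNDROBIN":
            svc = pool[self.rr_index % len(pool)]
            self.rr_index += 1
        elif method == "LEASTCONNECTION":
            svc = min(pool, key=lambda s: s.active_conns / s.weight)
        elif method == "SOURCEIPHASH":
            masked = (int(ipaddress.IPv4Address(client_ip))
                      & int(ipaddress.IPv4Address(self.src_mask)))
            digest = hashlib.sha256(masked.to_bytes(4, "big")).digest()
            svc = pool[int.from_bytes(digest[:4], "big") % len(pool)]
        else:
            raise ValueError(f"method {method} is not modelled in this example")
        svc.active_conns += 1
        self.requests_served += 1
        return svc

    def release(self, svc: Service) -> None:
        """Client connection closed: LEASTCONNECTION sees one fewer connection."""
        svc.active_conns = max(0, svc.active_conns - 1)


def build_demo_vserver(method: str = "LEASTCONNECTION", startup_rr_factor: int = 0,
                       src_mask: str = "255.255.255.255") -> LBVserver:
    """Constructed sample configuration (hypothetical names, RFC 1918 addresses)."""
    vs = LBVserver("lb_vsrv_web", "10.0.0.100", 80, method, startup_rr_factor, src_mask)
    for name, ip in (("svc_web1", "10.0.1.11"), ("svc_web2", "10.0.1.12"), ("svc_web3", "10.0.1.13")):
        vs.bind(Service(name, ip, 80))
    return vs


if __name__ == "__main__":
    vs = build_demo_vserver(startup_rr_factor=3)
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        method = vs.current_method()           # method in force for this request
        print(f"{ip} -> {vs.select(ip).name} via {method}")
```

With a non-zero startup factor the first three requests go round robin and the fourth already uses LEASTCONNECTION; that is the transition you see on the appliance when the current method differs from the configured one.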

Key Notes:

The NetScaler appliance has two built-in monitors for TCP-based and non-TCP applications: tcp-default and ping-default. When you create a service, the appropriate default monitor is bound to it automatically, so that the service can be used immediately if it is UP. The tcp-default monitor is bound to all TCP services; the ping-default monitor is bound to all non-TCP services. The built-in monitors cannot be modified or deleted.

tcp-default sends a TCP SYN to the service and succeeds if a SYN-ACK is received. For non-TCP services, a ping monitor is bound.

Built-in monitor types:

tcp
• Parameters: not applicable.
• The NetScaler appliance establishes a 3-way handshake with the monitor destination, and then closes the connection.
• If the appliance observes TCP traffic to the destination, it does not send TCP monitoring requests. This applies when LRTM is disabled; by default, LRTM is disabled on this monitor.

http
• httprequest ["HEAD /"] - HTTP request that is sent to the service.
• respcode [200] - Set of HTTP response codes expected from the service.
• The NetScaler appliance establishes a 3-way handshake with the monitor destination.
• After the connection is established, the appliance sends the HTTP request, and then compares the response code with the configured set of response codes.

tcp-ecv
• send [""] - Data that is sent to the service. The maximum permissible length of the string is 512 KB.
• recv [""] - Expected response from the service. The maximum permissible length of the string is 128 KB.
• The NetScaler appliance establishes a 3-way handshake with the monitor destination.
• When the connection is established, the appliance uses the send parameter to send specific data to the service and expects the specific response given by the recv parameter.

http-ecv
• send [""] - HTTP data that is sent to the service.
• recv [""] - Expected HTTP response data from the service.
• The NetScaler appliance establishes a 3-way handshake with the monitor destination.
• When the connection is established, the appliance uses the send parameter to send the HTTP data to the service and expects the HTTP response that the recv parameter specifies (matched against the HTTP body, not including the HTTP headers). Empty response data matches any response. The expected data may be anywhere in the first 24 KB of the HTTP body of the response.

ping
• Parameters: not applicable.
• The NetScaler appliance sends an ICMP echo request to the destination of the monitor and expects an ICMP echo response.

Key Notes:

Interval - Time interval between two successive probes. Must be greater than the value of Response Time-out.
• Default = 5
• Min = 1
• Max = 20940000

Response Time-out - Amount of time the appliance waits before it marks a probe as FAILED. Must be less than the value specified for the Interval parameter.
• Default = 2
• Min = 1
• Max = 20939000

Down Time - Time duration to wait before probing a service that has been marked as DOWN. Expressed in milliseconds, seconds, or minutes.
• Default = 30
• Min = 1
• Max = 20939000

Retries - Maximum number of probes to send to establish the state of a service for which a monitoring probe failed.
• Default = 3
• Min = 1
• Max = 127

Resp Time-out Threshold - Response time threshold, specified as a percentage of the Response Time-out parameter. If the response to a monitor probe has not arrived when the threshold is reached, the appliance generates an SNMP trap called monRespTimeoutAboveThresh. After the response time returns to a value below the threshold, the appliance generates a monRespTimeoutBelowThresh SNMP trap. For the traps to be generated, the "MONITOR-RTO-THRESHOLD" alarm must also be enabled.
• Max = 100

Success Retries - Number of consecutive successful probes required to transition a service's state from DOWN to UP.
• Max = 32

Failure Retries - Number of retries that must fail, out of the number specified for the Retries parameter, for a service to be marked as DOWN. For example, if the Retries parameter is set to 10 and the Failure Retries parameter is set to 6, out of the ten probes sent, at least six must fail for the service to be marked as DOWN. The default value of 0 means that all the retries must fail for the service to be marked as DOWN.
• Max = 32
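As an added example (not code from the course or the appliance), the Python below applies the monitor parameters above: it validates the Interval/Response Time-out relationship, implements the http and http-ecv match rules from the earlier built-in monitor notes, and walks a service from DOWN to UP and back using Retries, Failure Retries, Success Retries and Down Time. The window bookkeeping (the first failed probe counts as the first of the Retries probes) is this example's reading of the documented semantics, not the appliance's published implementation:

```python
# Added example (not Citrix code): how a monitor turns probe results into
# the UP/DOWN state of a service using the documented parameters. The http
# and http-ecv match rules follow the built-in monitor notes (response-code
# set; recv string anywhere in the first 24 KB of the body; empty recv
# matches anything). The retry bookkeeping is this example's own simplified
# reading of the documented semantics: after a failed probe, a window of
# `retries` probes (counting that first failure) decides the state, and
# `failure_retries` of them (all of them when it is 0) must fail before the
# service is marked DOWN. The appliance's exact scheduler is not public.
from dataclasses import dataclass
from typing import Optional, Set

ECV_BODY_WINDOW = 24 * 1024   # http-ecv only searches this much of the body


def http_probe_ok(status: int, respcodes: Set[int] = frozenset({200})) -> bool:
    """Built-in http monitor: the response code must be in the configured set."""
    return status in respcodes


def http_ecv_probe_ok(body: bytes, recv: bytes) -> bool:
    """Built-in http-ecv monitor: recv must appear in the first 24 KB of the body."""
    return recv == b"" or recv in body[:ECV_BODY_WINDOW]


@dataclass
class MonitorParams:
    interval: float = 5.0          # seconds between probes while UP
    response_timeout: float = 2.0  # slower than this = FAILED probe
    down_time: float = 30.0        # wait before re-probing a DOWN service
    retries: int = 3               # probes used to decide the state after a failure
    failure_retries: int = 0       # 0 = all `retries` probes must fail
    success_retries: int = 1       # consecutive successes needed for DOWN -> UP

    def validate(self) -> None:
        if not self.response_timeout < self.interval:
            raise ValueError("Response Time-out must be less than Interval")
        if not 0 <= self.failure_retries <= self.retries:
            raise ValueError("Failure Retries cannot exceed Retries")
        if self.success_retries < 1:
            raise ValueError("Success Retries must be at least 1")


class MonitoredService:
    """State machine for one service; a new service is DOWN until verified."""

    def __init__(self, name: str, params: MonitorParams):
        params.validate()
        self.name, self.p = name, params
        self.state = "DOWN"
        self.next_probe_at = 0.0
        self.window_probes = 0      # probes since the first failure (UP only)
        self.window_failures = 0
        self.consecutive_ok = 0     # successes while DOWN

    def due(self, now: float) -> bool:
        return now >= self.next_probe_at

    def _reset_window(self) -> None:
        self.window_probes = self.window_failures = 0

    def record_probe(self, now: float, response_time: Optional[float]) -> str:
        """Feed one probe result (None = no response) and return the new state."""
        ok = response_time is not None and response_time <= self.p.response_timeout
        needed = self.p.failure_retries or self.p.retries
        if self.state == "UP":
            self.next_probe_at = now + self.p.interval
            if ok and self.window_probes == 0:
                return self.state                   # healthy, nothing to track
            self.window_probes += 1
            self.window_failures += 0 if ok else 1
            if self.window_failures >= needed:
                self.state = "DOWN"                 # enough failures: mark DOWN
                self.next_probe_at = now + self.p.down_time
                self._reset_window()
            elif self.window_probes >= self.p.retries:
                self._reset_window()                # survived the retry window
        else:
            if ok:
                self.consecutive_ok += 1
                self.next_probe_at = now + self.p.interval
                if self.consecutive_ok >= self.p.success_retries:
                    self.state = "UP"
                    self.consecutive_ok = 0
            else:
                self.consecutive_ok = 0
                self.next_probe_at = now + self.p.down_time
        return self.state
```

Setting failure_retries below retries makes the monitor react to an intermittently failing back end sooner, at the cost of more transitions; success_retries above 1 protects the pool from a server that flaps straight back to DOWN.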

Key Notes:

You cannot edit the default monitors, but you can copy one and edit the copy.

Depending on the service running on the back-end server, there are a number of different health checks that the Citrix NetScaler can perform to determine the service status: an ICMP ping for any service type, a TCP connection to the target port, Extended Content Verification (ECV) for HTTP, TCP and UDP, DNS query and FTP login monitors, the same checks run over SSL, and checks that reach a host behind a transparent device or a dependent system such as a database, as described in the earlier key notes on health checks.

Key Notes:

An HTTP-ECV monitor uses the following process when performing a health check probe:

1. The NetScaler system establishes a TCP connection with the service destination specified by the monitor.

2. The NetScaler system sends the HTTP data specified in the send string parameter to the service.

3. The NetScaler system compares the HTTP response received from the service to the expected response specified by the receive string parameter.

4. If the response matches the data in the receive string parameter, the probe is a success. If the response does not match, the probe fails.

5. If the receive string parameter is left empty, any response from the service is considered a match.

The NetScaler system looks for matching responses in the first 24K bytes of data in the body of the response.

A monitor may be configured for reverse conditions. In this case, a probe is considered to have failed if the condition of the monitor is satisfied. For example, if an http-ecv monitor is configured with the send string GET /file, the receive string Error and -reverse YES, then a match of the string Error in the response causes the probe to fail. If the response does not match Error, the probe is successful. Reverse conditions are specific to each monitor. The table (on the slide) contains the reverse and direct conditions for HTTP-ECV monitors.
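The following Python, added here as an illustration rather than taken from the manual or from NetScaler, models the matching rules above (body-only search, 24K window, empty receive string, direct versus reverse) over three constructed HTTP responses. It makes two failure modes visible: a 200 OK whose body reports an application error, which only an ECV monitor catches, and a health marker placed past the 24K window, which a direct monitor never sees.

```python
ECV_WINDOW = 24 * 1024   # the appliance searches only the first 24K bytes of the body


def ecv_verdict(response: bytes, recv: bytes, reverse: bool = False) -> bool:
    """Return True when an HTTP-ECV probe succeeds.

    direct  (-reverse NO):  success <=> recv found in the body window, or recv is empty
    reverse (-reverse YES): success <=> recv NOT found in the body window
    """
    # Split headers from body; with no blank line there is no body to search.
    _headers, sep, body = response.partition(b"\r\n\r\n")
    window = body[:ECV_WINDOW] if sep else b""
    matched = recv == b"" or recv in window
    # In this model a reverse monitor with an empty receive string fails on every
    # response, so that combination is never a useful configuration.
    return (not matched) if reverse else matched


def condition_table(response: bytes, recv: bytes) -> dict:
    """The slide's direct/reverse condition table for one response and receive string."""
    matched = ecv_verdict(response, recv)
    return {
        "string found": matched,
        "direct probe succeeds": matched,
        "reverse probe succeeds": not matched,
    }


# Constructed responses (not captured from a real server).
HEALTHY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
           b"status=healthy db=connected\r\n")
# A 200 whose body reports an application fault: a status-code check alone would pass it.
FAULTY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          b"<html><body>Error: database unreachable</body></html>")
# The marker sits past the 24K window, so a direct monitor never sees it.
OVERSIZED = (b"HTTP/1.1 200 OK\r\n\r\n"
             + b"<!-- padding -->" * (ECV_WINDOW // 16)
             + b"status=healthy")


if __name__ == "__main__":
    print("direct, healthy  :", ecv_verdict(HEALTHY, b"status=healthy"))
    print("reverse, faulty  :", ecv_verdict(FAULTY, b"Error", reverse=True))
    print("direct, oversized:", ecv_verdict(OVERSIZED, b"status=healthy"))
```

The practical lesson from the OVERSIZED case is to point ECV monitors at a small, dedicated health page rather than at the application's home page, so the marker is always inside the window.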

Key Notes:

NetScaler includes built-in monitors that speak the database protocol itself: the MySQL and MS SQL monitors log in and run a query (see the -database and -sqlQuery monitor parameters later in this module) rather than only checking that the port accepts a connection. It also ships built-in monitors for Citrix services such as StoreFront and XenDesktop Delivery Controllers.

The monitors on this slide are scriptable monitors: the probe script runs in the FreeBSD environment rather than in the packet engine, so the probe is sourced from the NSIP rather than from a SNIP or MIP. Plan firewall rules and back-end access controls for the NSIP accordingly.

Key Notes:

These monitors all have pre-configured scripts to use. To fully customize a scriptable monitor, use the USER monitor (discussed later in this module).

Note: when the NetScaler runs a scriptable monitor (the scripts are located in /nsconfig/monitors), the script executes in the FreeBSD environment rather than in the packet engine, so by default the source IP of the monitor probe is the NSIP.

Key Notes:

A scriptable monitor requires the following components.

Dispatcher - A process on the appliance that listens for monitoring requests. A dispatcher can be on the loopback IP address (127.0.0.1) and port 3013; such dispatchers are known as internal dispatchers. A dispatcher can also be a web server that supports the Common Gateway Interface (CGI); such dispatchers are known as external dispatchers. They are used for custom scripts that do not run in the FreeBSD environment, such as .NET scripts.

• Note: You can configure the monitor and the dispatcher to use HTTPS instead of HTTP by enabling the "secure" option on the monitor and configuring it as an external dispatcher. An internal dispatcher understands only HTTP and cannot use HTTPS.

In an HA setup, the dispatcher runs on both the primary and secondary NetScaler appliances; it remains inactive on the secondary appliance.

Script - The script is a program that sends custom probes to the load-balanced server and returns a response code to the dispatcher. The script can return any value to the dispatcher, but if a probe succeeds, the script must return a value of zero (0). The dispatcher treats any other value as a probe failure.

The NetScaler appliance is bundled with sample scripts for commonly used protocols. The scripts exist in the /nsconfig/monitors directory.
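The following script, added for this page and not one of the samples shipped in /nsconfig/monitors (those are Perl), shows the contract a monitor script must honour: probe the target and exit 0 on success, anything else on failure. It assumes, as an illustrative convention, that the dispatcher passes the target IP, port and an expected greeting as the first three arguments. Run with no arguments it probes three local stand-in services (a healthy one, one returning the wrong banner, and a closed port) so the three exit codes can be seen offline.

```python
#!/usr/bin/env python3
import socket
import sys
import threading


def probe(host: str, port: int, expected: bytes, timeout: float = 2.0) -> int:
    """Connect to the service, read its greeting and return the exit code for the dispatcher:
    0 = probe succeeded, anything else = probe failed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            banner = conn.recv(512)
    except OSError:          # refused, unreachable, or timed out
        return 2
    return 0 if banner.startswith(expected) else 1   # reachable but wrong greeting


def _stand_in_service(banner: bytes):
    """Constructed back end for the self-test: accepts one connection, sends `banner`."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        conn.sendall(banner)
        conn.close()
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()          # ("127.0.0.1", ephemeral port)


def _closed_port() -> int:
    """Find a local port with nothing listening on it (bind, read the port, release it)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_test() -> dict:
    """Probe three local stand-ins and return their exit codes."""
    expected = b"220 "
    ok_host, ok_port = _stand_in_service(b"220 mail.example.test ESMTP ready\r\n")
    bad_host, bad_port = _stand_in_service(b"421 service not available\r\n")
    return {
        "healthy": probe(ok_host, ok_port, expected),
        "wrong_banner": probe(bad_host, bad_port, expected),
        "refused": probe("127.0.0.1", _closed_port(), expected),
    }


if __name__ == "__main__":
    if len(sys.argv) < 4:                 # no target given: run the offline self-test
        print(self_test())
        sys.exit(0)
    # Assumed invocation: <script> <ip> <port> <expected-greeting>
    sys.exit(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3].encode()))
```

The distinct non-zero codes are only for the operator reading the dispatcher's log; the dispatcher itself treats 1 and 2 the same way, as a failed probe.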

Key Notes:

• Source IP (SOURCEIP). Connections from the same client IP address are parts of the same persistence session.

• HTTP Cookie (COOKIEINSERT). Connections that have the same HTTP Cookie header are parts of the same persistence session.

• SSL Session ID (SSLSESSION). Connections that have the same SSL Session ID are parts of the same persistence session.

• URL Passive (URLPASSIVE). Connections to the same URL are treated as parts of the same persistence session.

• Custom Server ID (CUSTOMSERVERID). Connections with the same HTTP HOST header are treated as parts of the same persistence session.

• Destination IP (DESTIP). Connections to the same destination IP address are treated as parts of the same persistence session.

• Source and Destination IPs (SRCIPDESTIP). Connections that are both from the same source IP and to the same destination IP are treated as parts of the same persistence session.

• SIP Call ID (CALLID). Connections that have the same call ID in the SIP header are treated as parts of the same persistence session.

• RTSP Session ID (RTSPSID). Connections that have the same RTSP Session ID are treated as parts of the same persistence session.

• User-Defined Rule (RULE). Connections that match a user-defined rule are treated as parts of the same persistence session.

Key Notes:

When balancing HTTP or doing SSL offload, cookie insertion is recommended if persistence is needed.

When balancing other protocols such as SMTP or LDAP, Source IP persistence is generally your best bet. Keep in mind that clients behind a NAT or proxy share one source address, so Source IP persistence pins all of them to the same server.

Key Notes:

Cookie insert persistence does not create an entry in the appliance's persistence table: the persistence state travels in the cookie that the client presents, so it does not appear in the output of show lb persistentSessions.

Key Notes:

HTTP load balancing is request based: a new service can be chosen for each HTTP request, independent of TCP connections, so two requests on the same client connection can be served by different servers. Unless you configure persistence, load balancing a stateless protocol such as HTTP disrupts the maintenance of state information about client connections. Different transmissions from the same client might be directed to different servers even though all of the transmissions are part of the same session. You must configure persistence on a load-balancing virtual server that handles certain types of Web applications, such as shopping cart applications.

When HTTP cookie persistence is configured, the NetScaler appliance sets a cookie (a Set-Cookie header) in the response to the initial client request. The cookie contains the IP address and port of the service selected by the load-balancing algorithm, and the client presents it on subsequent requests so that they are sent to the same service.

By default, the time-out value for Cookie Insert persistence is 120 seconds. When you configure persistence for applications for which idle time cannot be determined, set the Cookie Insert persistence time-out value to 0. With this setting the cookie is issued without an expiry time, so it lasts for the browser session rather than timing out.

• Version 0 (the default) writes an absolute expiry time into the cookie.
• Version 1 writes a relative time instead.

Additional Resources: Recommended Settings and Best Practices for Generic Implementation of a NetScaler Appliance: http://support.citrix.com/article/CTX121149
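The security-relevant consequence of "the cookie contains the IP address and port of the service" is that, on releases using the default cookie format, anyone holding the cookie can read the back-end address. The following Python, added here and not from the manual, decodes that legacy format (an ffffffff prefix, the IPv4 address XORed with 0x03081e11, a fixed marker, and the port XORed with 0x3630); the cookie header it parses is constructed test data. It returns None for values that do not follow the layout, which is what you get when the appliance is configured with set lb parameter -useEncryptedPersistenceCookie ENABLED, the recommended setting where the build supports it.

```python
import ipaddress
import re

# Default (unencrypted) COOKIEINSERT value layout on legacy releases.
_LEGACY = re.compile(r"^ffffffff([0-9a-f]{8})45525d5f4f58455e445a4a42([0-9a-f]{4})$")
_IP_XOR = 0x03081E11
_PORT_XOR = 0x3630


def decode_persistence_cookie(value: str):
    """Return (ip, port) of the back-end service encoded in a legacy NSC_* cookie value,
    or None when the value does not have that layout (for example because the
    appliance was set to -useEncryptedPersistenceCookie ENABLED)."""
    m = _LEGACY.match(value.strip().lower())
    if not m:
        return None
    ip = ipaddress.IPv4Address(int(m.group(1), 16) ^ _IP_XOR)
    port = int(m.group(2), 16) ^ _PORT_XOR
    return str(ip), port


def encode_persistence_cookie(ip: str, port: int) -> str:
    """Inverse of decode_persistence_cookie; used here to build test fixtures."""
    ip_bits = int(ipaddress.IPv4Address(ip)) ^ _IP_XOR
    return "ffffffff%08x45525d5f4f58455e445a4a42%04x" % (ip_bits, port ^ _PORT_XOR)


def backends_from_cookie_header(header: str) -> dict:
    """Decode every NSC_* cookie found in a raw Cookie: header value."""
    found = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.startswith("NSC_"):
            found[name] = decode_persistence_cookie(value)
    return found


# Constructed cookie header: one legacy persistence cookie plus an application cookie.
SAMPLE_COOKIE_HEADER = (
    "NSC_mc_xfc_wtsw=ffffffff09081e6e45525d5f4f58455e445a4a423660; "
    "JSESSIONID=3C1A9F0E7B2D"
)

if __name__ == "__main__":
    print(backends_from_cookie_header(SAMPLE_COOKIE_HEADER))
```

Run during an assessment, backends_from_cookie_header tells you in one call whether a deployment still exposes its server farm addresses through persistence cookies; the fix is the encrypted-cookie parameter above, not a change to the application.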

Key Notes:

Least Connections - When a virtual server is configured to use the Least Connection load-balancing algorithm (or method), it selects the service with the fewest active connections. This is the default method because, in most circumstances, it provides the best performance.

Round Robin - The virtual server continuously rotates a list of the services that are bound to it. When the virtual server receives a request, it assigns the connection to the first service in the list and then moves that service to the bottom of the list.

Least Response Time - Selects the service with the fewest active connections and the lowest average response time. You can configure this method for HTTP and Secure Sockets Layer (SSL) services only.

Least Bandwidth - Selects the service that is currently serving the least amount of traffic, measured in megabits per second (Mbps).

Least Packets - Selects the service that has received the fewest packets in the last 14 seconds.

Key Notes:

Adding a monitor using the CLI:

• add lb monitor <monitorName> <type>
    [-action ] [-respCode ...] [-httpRequest ] [-customHeaders ] [-maxForwards ]
    [-sipMethod ] [-sipURI ] [-sipregURI ]
    [-send ] [-recv ] [-query ]
    [-queryType ( Address | Zone )] [-scriptName ]
    [-scriptArgs ] [-dispatcherIP ]
    [-dispatcherPort ] [-userName ] [-password ]
    [-radKey ] [-radNASid ] [-radNASip ]
    [-LRTM ( ENABLED | DISABLED )] [-deviation []]
    [-interval []] [-resptimeout []]
    [-resptimeoutThresh ] [-retries ]
    [-downTime []] [-destIP ] [-destPort ]
    [-state ( ENABLED | DISABLED )] [-reverse ( YES | NO )]
    [-transparent ( YES | NO )] [-secure ( YES | NO )]
    [-IPAddress ...] [-group ] [-fileName ]
    [-baseDN ] [-bindDN ] [-filter ]
    [-attribute ] [-database ] [-sqlQuery ]
    [-snmpOID ] [-snmpCommunity ] [-snmpThreshold ]
    [-snmpVersion ( V1 | V2 )] [-metricTable ]
    [-application ] [-sitePath ]
• NS1>

Key Notes:

When you request DNS resolution of a domain name, the NetScaler appliance uses the configured load-balancing method to select a DNS service. The DNS server to which the service is bound then resolves the domain name and returns the IP address as the response. The appliance can also cache DNS responses and use the cached information to respond to future requests for resolution of the same domain name. Load balancing DNS servers improves DNS response times.

The NetScaler appliance has two built-in monitors that can be used to monitor DNS services: DNS and DNS-TCP. When bound to a service, either monitor periodically checks the state of that DNS service by sending it a DNS query. The query resolves to an IPv4 or IPv6 address, which is then checked against the list of test IP addresses that you configure. The list can contain as many as five IP addresses. If the resolved IP address matches at least one IP address on the list, the DNS service is marked as UP; if it matches none of them, the DNS service is marked as DOWN. Because the monitor compares the answer with a known-good list instead of accepting any reply, it also catches a resolver that is up but returning wrong answers, for example from a stale or misconfigured zone.

DNS UDP - Time-based load balancing: a new service is chosen for each UDP packet. Upon selection of a service, a session is created between the service and the client for a specified period of time. When the time expires, the session is deleted and a new service is chosen for any additional packets, even if those packets come from the same client.

DNS TCP - Connection-based load balancing: a service is chosen for every new TCP connection. The connection persists until terminated by either the service or the client.

The load-balancing methods described earlier in this module (Least Connections, Round Robin, Least Bandwidth and Least Packets; Least Response Time applies only to HTTP and SSL services) are available here, with Least Connections as the default.

Key Notes:

Query - Domain name to resolve as part of monitoring the DNS service (for example, example.com).

Query Type - Type of DNS record for which to send monitoring queries. Set to Address to query A records, AAAA to query AAAA records, or Zone to query the SOA record.

IP - Set of IP addresses expected in the monitoring response from the DNS server if the record type is A or AAAA. Applicable to DNS monitors.

Key Notes:

It is recommended that you use the Least Connection method for better load balancing and lower server load. However, other methods, such as Round Robin, Least Response Time, Source IP Hash, Source IP Destination IP Hash, Least Bandwidth, Least Packets, and Source IP Source Port Hash, are also supported.

SQL Connection Offload
• Frees memory and CPU resources.
• Scales TCP connections.
• Host more databases on a server.
• Reduce SQL hardware.

SQL Multiplexing
• Faster query execution.

• Note: The URL Hash method is not supported for DataStream.

Key Notes:

add db user <username> -password

Navigate to System > User Administration > Database Users, select a user, and enter new values for the password.

Key Notes:

NetScaler DataStream is supported only for MySQL and MS SQL databases.

The most effective load-balancing algorithm for database switching is the Least Connection method.

DataStream uses connection multiplexing to enable multiple client-side requests to be made over the same server-side connection. The following connection properties are considered:
• User name
• Database name
• Character set
• Packet size

Key Notes:

TCP-based protocols other than HTTP can also be secured using SSL. If the incoming traffic is SSL-encrypted but is not HTTP, create a virtual server of type SSL_TCP. This server decrypts the traffic on arrival and forwards it according to the protocols defined on the services bound to it (re-encrypting it if the bound services are themselves of type SSL_TCP).

If the encrypted SSL traffic must remain encrypted as it crosses the NetScaler system, choose a virtual server of type SSL_BRIDGE. The NetScaler does not decrypt the SSL data it receives; it forwards the traffic unaltered to the back-end services. Because the appliance never sees plaintext, content-aware features (rewrite, responder, cookie-based persistence, URL-based content switching) cannot be applied to SSL_BRIDGE traffic, and it is the back-end server's own certificate that the client validates.

Key Notes:

LDAP uses connection-based load balancing: a service is chosen for every new TCP connection. The connection persists until terminated by either the service or the client.

LDAP Monitor:

• It periodically checks the LDAP service to which it is bound by authenticating and sending a search query to it. If the search is successful, the service is marked UP. If the LDAP server does not locate the entry, a failure message is sent to the LDAP monitor and the service is marked DOWN.

• You configure the LDAP monitor to define the search that it should perform when sending a query. Use the Base DN parameter to specify the location in the directory hierarchy where the LDAP server should start the test query, and the Attribute parameter to specify an attribute of the target entity.

• Note: Monitor probes originate from the NetScaler IP (NSIP) address.

Key Notes:

The LDAP monitor logs on to Active Directory, performs an LDAP query, and looks for a successful response. The monitor configuration contains domain-specific information (bind DN, base DN, search filter), so if you have multiple Active Directory domains you need one LDAP monitor per domain. Include the domain name in the monitor name.

The bind account only needs read access to the search base. Use a dedicated, least-privilege account for it, because its password is stored in the appliance configuration alongside the monitor.

Key Notes:

Examples of UDP-based traffic include Domain Name System (DNS) address lookups and Network Time Protocol (NTP), both of which exist for a very short time. Because UDP exchanges are generally so short-lived, time-based load balancing does not create any issues for them.

UDP does not use connection sequence numbering, so it is difficult to confirm the successful transmission and receipt of data packets from one device to another. As a result, the only way a NetScaler appliance can track a UDP "connection" is by the source and destination addresses and port numbers.

On the first packet of such a flow (a source address and port talking to a destination address and port), the appliance load balances the flow to a physical server and then enforces persistence to that same server for a defined duration.

Key Notes:

Link load balancing is an example, as is anything that requires a range of protocols and ports.

A traffic type of ANY is also used with a port of * (any port).

Additional Resources:

Use Case 10: Load Balancing of Intrusion Detection System Servers: http://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-idsservers.html

Additional Resources:

The guides are located at http://community.citrix.com/display/ns/Microsoft.

Key Notes:

Inline monitors have a time-out value and a retry count for failed probes. You can select any of the following action types for the NetScaler appliance to take when a failure occurs:

• NONE. No explicit action is taken. You can view the service and monitor; the monitor indicates the number of current contiguous error responses and the cumulative number of responses checked.

• LOG. Logs the event (syslog, /var/log/ns.log on the appliance) and displays the counters.

• DOWN. Marks the service DOWN and does not direct any traffic to it. This setting breaks any persistent connections to the service. The action also logs the event and displays the counters. After the service is DOWN, it remains down for the configured down time; after the down time elapses, the inline monitor uses the configured URL to probe the service to see if it is available again.

HTTP Request
• The HTTP request parameter specifies the HTTP request that is sent to the service bound to the monitor.
• Default value: HEAD /

Response Codes
• The response codes parameter specifies the set of HTTP response codes expected from the service bound to the monitor.
• Default value: 200.

Key Notes:


Additional Resources:

How to Configure Reverse Monitoring with Primary and Secondary Services on a NetScaler Appliance: http://support.citrix.com/article/CTX115525

Key Notes:

Use the following commands to shut down a service gracefully and to verify the configuration:

• disable service <name>@ [<delay>] [-graceFul (YES|NO)]

• show service <name>

Persistence is maintained according to the specified method even if you enable graceful shutdown. The system continues to serve all the persistent clients, including new connections from those clients, unless the service is marked DOWN during the graceful shutdown state as a result of the checks made by a monitor.

Key Notes:

You can set the client keep-alive parameter to configure an HTTP or SSL service to keep a client connection to a web site open across multiple client requests.

If client keep-alive is enabled, even when the load-balanced web server closes a connection, the NetScaler system keeps the connection between the client and itself open.

Key Notes:

Assigning weights to services lets the NetScaler system take into account how much traffic each load-balanced server can handle.

In a load-balancing configuration, you assign weights to services to indicate the proportion of traffic that should be sent to each service. Weights are relative to one another rather than percentages: a service with weight 2 receives twice the share of a service with weight 1.

Service weights allow administrators to manage load-balancing decisions in an environment more closely.

Service weights are useful when one server can handle more traffic than the others.

Key Notes:

Background: A NetScaler appliance operates in proxy mode. This mode requires the appliance to initiate connections to server pools by using IP addresses configured on the appliance, such as Mapped IP (MIP) and Subnet IP (SNIP) addresses. These IP addresses are selected dynamically from the global pool of MIP and SNIP addresses when connecting to a server; depending on the subnet in which the physical server is placed, the NetScaler appliance decides whether a MIP or a SNIP should be used. This address pool is used for sending client traffic as well as monitor probes. Without a net profile the administrator has no control over which of these IP addresses the appliance uses to initiate a connection, and the selection works the same way for actual client requests and for appliance-generated monitoring requests.

Net Profile:

• A net profile (or network profile) contains an IP address or an IP set. A net profile can be bound to load-balancing or content-switching virtual servers, services, service groups, or monitors. During communication with physical servers or peers, the appliance uses the addresses specified in the profile as source IP addresses.

Net Profile

Key Notes:

Usage Scenarios

There are multiple scenarios in which you can use the Networking Profile feature of a NetScaler appliance. The following are some examples.

Separating Server Farms
• You can use a network profile to separate the back-end server farms for the traffic originating from a NetScaler appliance. In deployments where back-end resources belong to multiple groups or tenants and you do not want IP address sharing, a network profile per group addresses the concern.

Differentiating Between Monitoring and Actual Client Traffic
• By default a NetScaler appliance uses the same source IP address for monitoring and for actual client traffic, so a back-end server that performs a specific operation on traffic cannot distinguish a monitoring request from a client request. For example, the back-end server might log every HTTP request or run a security check against every HTTP request. In such a scenario there is no need to log or parse the monitoring requests if the server can identify the monitoring traffic by its source IP address, which a net profile bound to the monitors provides.

Identifying Multiple Data Paths on the Server Side
• You can bind a single service to multiple virtual servers of a NetScaler appliance, so the same back-end server receives client traffic through different virtual server paths. There can, however, be a logical separation between the virtual servers through which the data flows. By using the Network Profile feature, you can ensure that the service uses a different source IP address, defined in the profile bound at virtual server level, when communicating with the back-end server. As a result, the back-end server can use the source IP address to tell apart traffic arriving through each virtual server.
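The "differentiating monitoring from client traffic" scenario is worth seeing from the server's side. The following Python, added for this page and not from the manual, runs over a few constructed Apache-format access-log lines and labels each as monitor traffic, client traffic, or a probe-shaped request that did not come from the monitor address. The addresses are assumptions: 10.0.0.250 is the IP in the net profile bound to the monitors, and 10.0.0.10 and 10.0.0.11 are the SNIPs that carry client traffic. The last label is the point: once monitor probes have their own source address, a HEAD / from anywhere else is something to look at, whereas without a net profile it is indistinguishable from a real probe.

```python
import ipaddress
import re
from collections import Counter

# Apache/nginx "combined" access-log line: client IP ... [time] "request" status ...
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Assumed addressing (not from the manual): the monitor net profile holds 10.0.0.250,
# while client traffic leaves the appliance from SNIPs 10.0.0.10 and 10.0.0.11.
MONITOR_SOURCE_IPS = {ipaddress.ip_address("10.0.0.250")}
DEFAULT_PROBE_PREFIX = "HEAD / "     # the default HTTP monitor request is "HEAD /"


def classify(line: str, monitor_ips=MONITOR_SOURCE_IPS) -> str:
    """Label one access-log line.

    monitor  - came from the monitor net-profile address: safe to drop from alerting
    client   - ordinary client traffic relayed through a SNIP
    suspect  - looks like a monitor probe but did not come from the monitor address
    unparsed - not a combined-format line
    """
    m = _LOG_LINE.match(line)
    if not m:
        return "unparsed"
    src = ipaddress.ip_address(m["ip"])
    if src in monitor_ips:
        return "monitor"
    if m["req"].startswith(DEFAULT_PROBE_PREFIX):
        return "suspect"
    return "client"


def summarize(lines, monitor_ips=MONITOR_SOURCE_IPS) -> dict:
    """Count lines per label; this is what a log pipeline would feed to its filters."""
    return dict(Counter(classify(line, monitor_ips) for line in lines if line.strip()))


# Constructed log lines, not from a real server.
SAMPLE_ACCESS_LOG = """\
10.0.0.250 - - [12/Jan/2017:10:00:00 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-"
10.0.0.10 - - [12/Jan/2017:10:00:01 +0000] "GET /cart HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.250 - - [12/Jan/2017:10:00:05 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-"
10.0.0.11 - - [12/Jan/2017:10:00:06 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.10 - - [12/Jan/2017:10:00:07 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.47.0"
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_ACCESS_LOG.splitlines()))
```

The same split applies to a web application firewall or rate limiter on the server: exempt the monitor address, never the request pattern, because the pattern is trivially copied.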

Additional Resources:

NetScaler Traffic Management Guide: http://support.en.ctx.org.cn/ctx132359.citrix

Key Notes:

Type of threshold that, when exceeded, triggers spillover. The available settings function as follows:

• CONNECTION - Spillover occurs when the number of client connections exceeds the threshold.

• DYNAMICCONNECTION - Spillover occurs when the number of client connections at the virtual server exceeds the sum of the maximum client (Max Clients) settings for the bound services. Do not specify a spillover threshold for this setting, because the threshold is implied by the Max Clients settings of the bound services.

• BANDWIDTH - Spillover occurs when the bandwidth consumed by the virtual server's incoming and outgoing traffic exceeds the threshold.

• HEALTH - Spillover occurs when the percentage of weights of the services that are UP drops below the threshold. For example, if services svc1, svc2, and svc3 are bound to a virtual server with weights 1, 2, and 3, and the spillover threshold is 50%, spillover occurs if svc1 and svc3 or svc2 and svc3 transition to DOWN.

• NONE - Spillover does not occur.
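The following Python evaluator, added here and not from the manual, implements the five spillover conditions above under the -soMethod names and checks the HEALTH example with svc1, svc2 and svc3 at weights 1, 2 and 3. It also exercises the boundary the text leaves implicit: with svc1 and svc2 down exactly 50% of the weight remains UP, which is not "below" a 50% threshold, so no spillover. How a Max Clients of 0 is treated under DYNAMICCONNECTION is a modelling assumption noted in the code.

```python
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    weight: int = 1
    up: bool = True
    max_clients: int = 0        # the service's Max Clients setting; 0 = unlimited


def up_weight_percent(services) -> float:
    """Share of total bound weight that is currently UP (the HEALTH metric)."""
    total = sum(s.weight for s in services)
    if total == 0:
        return 0.0
    return 100.0 * sum(s.weight for s in services if s.up) / total


def should_spill_over(method: str, services, threshold: int = 0,
                      client_connections: int = 0, bandwidth_kbps: int = 0) -> bool:
    """Evaluate the virtual server's spillover condition.

    method is a -soMethod value: CONNECTION, DYNAMICCONNECTION, BANDWIDTH, HEALTH or NONE;
    threshold is -soThreshold (connections, Kbps, or percent of weight, depending on method).
    """
    if method == "NONE":
        return False
    if method == "CONNECTION":
        return client_connections > threshold
    if method == "DYNAMICCONNECTION":
        # Implied threshold: the sum of the bound services' Max Clients. Modelling
        # assumption: a service with Max Clients 0 (unlimited) makes the sum unbounded,
        # so spillover can never trigger.
        limits = [s.max_clients for s in services]
        if any(limit == 0 for limit in limits):
            return False
        return client_connections > sum(limits)
    if method == "BANDWIDTH":
        return bandwidth_kbps > threshold
    if method == "HEALTH":
        return up_weight_percent(services) < threshold
    raise ValueError("unknown spillover method: %s" % method)


def health_scenarios(threshold: int = 50) -> dict:
    """The slide's example: svc1, svc2, svc3 with weights 1, 2, 3 and a 50% threshold."""
    base = {"svc1": 1, "svc2": 2, "svc3": 3}
    results = {}
    for down in (("svc1", "svc3"), ("svc2", "svc3"), ("svc1", "svc2"), ("svc3",)):
        services = [Service(n, w, up=n not in down) for n, w in base.items()]
        results[" + ".join(down) + " DOWN"] = should_spill_over("HEALTH", services, threshold)
    return results


if __name__ == "__main__":
    for scenario, spills in health_scenarios().items():
        print("%-20s -> spillover=%s" % (scenario, spills))
```

If you want spillover to fire when half the capacity is gone, set the HEALTH threshold to 51, not 50.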

Key Notes:

Max Clients - Maximum number of simultaneous open connections to the service.

Max Bandwidth - Maximum bandwidth allowed.

Down state flush - ON by default. Flushes all active transactions associated with a virtual server whose state transitions from UP to DOWN. Do not enable this option for applications that must complete their transactions.

Key Notes:

Load-balancing methods that are applicable to LLB are round robin, destination IP hash, least bandwidth, and least packets.

The available persistence types are source IP address-based, destination IP address-based, and source IP and destination IP address-based.

PING is the default monitor, but configuring a transparent monitor is recommended: a ping only proves that the router's own interface answers, whereas a transparent monitor sends the probe through the router to a host beyond it and so verifies that the link actually carries traffic.

Key Notes:

Slow Start: The virtual server on a NetScaler appliance enters Slow Start mode (also called Startup Round Robin mode) whenever a new service is enabled or added to the farm. For the duration of slow start, the load-balancing algorithm falls back to the Round Robin method regardless of the algorithm configured on the virtual server, so that a method such as Least Connections does not flood the new, connection-less service with every new connection until it catches up.

Additional Resources:

NetScaler Load Balancing - Slow Start Mode: http://support.citrix.com/article/CTX108886
Load Balancing Weights: https://www.citrix.com/blogs/2010/10/01/load-balancing-weights/

n tio

342 © 2017 Citrix Authorized Content

Additional Resources:

Probable Reasons for the Status of a Virtual Server Being Marked as DOWN on NetScaler: http://support.citrix.com/article/CTX108960


Key Notes:

SSL vs TLS: SSL was coined by Netscape (now owned by AOL). Developers changed the name to TLS for legal reasons. TLS is the modern version of SSL.

Additional Resources:

SSL TLS timeline: http://www.carbonwind.net/blog/post/A-quickie-for-a-Friday-e28093-aSSLTLS-timeline.aspx

Key Notes:

For a client to establish a secure connection between a web browser and a server, in most cases a root certificate must be installed in the browser certificate store and on the client.

Key Notes:

We support OpenSSL.

Additional Resources:

Refer to the NetScaler Datasheet at www.citrix.com for information about features and performance for specific NetScaler platforms. You may need to enter "NetScaler Datasheet" into the search field to locate this document.

Key Notes:

The NetScaler appliance performs all of the encryption and decryption, which frees valuable CPU resources on the back end.


Key Notes:

Types of Digital Certs:

• Server Certificate.
• Machine Certificate.
• Personal Digital Certificate (User Certs).

Digital Cert formats:

• .cer, .crt, .der - usually in binary format.
• .pem - (Privacy Enhanced Mail) - PEM files contain a Base64-encoded DER certificate enclosed between the tags "BEGIN CERTIFICATE" and "END CERTIFICATE". This format can hold multiple certificates. The PEM standards were meant to provide message confidentiality and integrity for email.
• .p7b, .p7c - PKCS#7 - PKCS #7 is a container that may hold plain data, signed data, encrypted data, or a combination of these. It may also contain the set of certificates needed to validate the certification chain.
• .p12 - PKCS#12 - This format usually contains X.509 certificates and the public and private key. It is protected by a password.
• .pfx - PFX (Personal Information Exchange) - Files contain both the private and public keys. This format is preferred for creating certificates to authenticate applications or websites. Because this format contains private keys, the file is password protected.
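The PEM and DER descriptions above in working Python, as an added example (not the course's or Citrix's code): split a PEM file into the DER certificates it carries, re-encode DER as PEM, and tell the two formats apart by the outer ASN.1 SEQUENCE that every DER certificate starts with. The certificate bytes are a constructed stand-in, not a real certificate.

```python
import base64
import re

# Constructed stand-in for a DER certificate body: a minimal ASN.1 SEQUENCE
# (tag 0x30, length 3) wrapping one INTEGER. A real certificate is far larger,
# but only the outer SEQUENCE tag and its length encoding matter here.
CONSTRUCTED_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])

# One PEM block: "-----BEGIN <label>-----", Base64 lines, "-----END <label>-----".
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def der_length(data: bytes):
    """Total encoded length of the outer SEQUENCE, or None if the bytes do
    not start with a well-formed SEQUENCE header (short or long form)."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def looks_like_der(data: bytes) -> bool:
    """A DER file is binary and consists of exactly one complete SEQUENCE;
    trailing or missing bytes mean it is truncated or not DER at all."""
    return der_length(data) == len(data)


def split_pem(data: bytes):
    """Return [(label, der_bytes), ...] for every block in a PEM file. A PEM
    file may carry a whole chain, so several blocks are normal. Base64 that
    does not decode raises binascii.Error rather than yielding garbage."""
    blocks = []
    for m in PEM_BLOCK.finditer(data):
        label = m.group(1).decode()
        b64 = b"".join(m.group(2).split())   # drop line breaks
        blocks.append((label, base64.b64decode(b64, validate=True)))
    return blocks


def to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes as a PEM block with 64-character Base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    tag = label.encode()
    return (b"-----BEGIN " + tag + b"-----\n" + b"\n".join(lines) +
            b"\n-----END " + tag + b"-----\n")


def detect_format(data: bytes) -> str:
    """Classify a file as 'PEM', 'DER', or 'unknown' (corrupt, truncated,
    or text that carries no PEM block)."""
    if b"-----BEGIN " in data:
        return "PEM" if split_pem(data) else "unknown"
    return "DER" if looks_like_der(data) else "unknown"


if __name__ == "__main__":
    chain = to_pem(CONSTRUCTED_DER) + to_pem(CONSTRUCTED_DER)
    print(detect_format(chain), len(split_pem(chain)), "block(s)")
    print(detect_format(CONSTRUCTED_DER))
```

The DER check only verifies the outer structure; a PKCS#12 file is also DER-encoded, so this alone cannot distinguish a bare certificate from a PKCS#12 container.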


Key Notes:

There are many well-recognized Certificate Authorities (CAs) that can issue certificates. Some of the well-known certificate authorities are Verisign, GoDaddy, GlobalSign, Digicert, StartCom, Trustwave, Secom, etc. These Certificate Authorities can issue certificates in the formats listed below:

• DER - Distinguished Encoding Rules.
• PFX - Personal Information Exchange.
• PEM - Privacy Enhanced Mail.

Key Notes:

The key size should be larger than 512 bits; the maximum size supported by Citrix NetScaler is 4096 bits.

The recommended key size is 2048 bits.

Key Notes:

Public/private key architecture:

• Public keys are in the root certificate, are stored on the client, and are used to encrypt traffic.
• Private keys are on the NetScaler and are used to decrypt traffic.

Key Notes:

Self-signing is appropriate for testing and proof of concept (POC). It is not recommended for most production environments.

Key Notes:

Command-line syntax:

• create ssl [-keyFile | -fipsKeyName ] [-keyform (DER | PEM) {-PEMPassPhrase}] -countryName -stateName -organizationName

Key Notes:

Client certificates are used for certificate-based authentication and are not needed for SSL Offload.

Key Notes:

A NetScaler appliance supports the PEM and DER formats for SSL certificates. Other applications, such as client browsers and some external secure servers, require various Public Key Cryptography Standards (PKCS) formats. The NetScaler can convert the PKCS#12 format (the personal information exchange syntax standard) to PEM or DER format for importing a certificate to the appliance, and can convert PEM or DER to PKCS#12 for exporting a certificate. For additional security, conversion of a file for import can include encryption of the private key with the DES or DES3 algorithm.

Additional Resources:

For the whole procedure, see the support article http://support.citrix.com/article/CTX136444

Key Notes:

CLI command: add ssl certkey

The certificate can also be installed in the Configuration Utility.

Additional Resources:

How to Generate and Install a Public SSL Certificate on a NetScaler Appliance: http://support.citrix.com/article/CTX109260


Key Notes:

There are two different states of revocation:

• 1) Revoked: A certificate is irreversibly revoked if, for example, it is discovered that the Certificate Authority (CA) improperly issued the certificate, or if a private key is thought to have been compromised. The most common reason for revocation is the user no longer being in sole possession of the private key (e.g., the token containing the private key has been lost or stolen).

• 2) Hold: This reversible status can be used to note the temporary invalidity of the certificate (e.g., if the user is unsure whether the private key has been lost). If, in this example, the private key is found and nobody had access to it, the status can be reinstated and the certificate is valid again, thus removing the certificate from future CRLs.

Key Notes:

Updating an SSL certificate in place minimizes the time the virtual servers are unavailable, compared to the time taken to manually unbind the SSL certificate, delete it, add the new SSL certificate, and bind the new certificate.

update ssl certkey [-cert ] [(-key [-password]) | -fipsKey ] [-inform (DER|PEM)] [-noDomainCheck]

Key Notes:

CLI command: add ssl certkey

The certificate can also be installed in the Configuration Utility.

Additional Resources:

How to Generate and Install a Public SSL Certificate on a NetScaler Appliance: http://support.citrix.com/article/CTX109260


Key Notes:

Configuring SNI:

Add SSL virtual server:
• add lb vserver SSL X.X.X.X 443

Enable SNI feature on the SSL virtual server:
• set ssl vserver -SNIEnable ENABLED

Bind SNI certificate to SSL virtual server:
• bind ssl vserver -certkeyName -SNICert


Key Notes:

The figure provides an overview of a strict SSL offload scenario in which all SSL-encrypted communication between the web servers and the client is handled by the NetScaler system. Communication between the NetScaler system and the back-end server is unencrypted, which reduces load on the server and allows it to focus on its application role instead of on managing SSL encryption and decryption.

Key Notes:

The figure provides an overview of a strict SSL offload scenario in which all SSL-encrypted communication between the web servers and the client is handled by the NetScaler system. Communication between the NetScaler system and the back-end server is unencrypted, which reduces load on the server and allows it to focus on its application role instead of on managing SSL encryption and decryption.

Key Notes:

If it re-encrypts traffic, then it does not send unencrypted traffic to the back end.

Key Notes:

Once the CA has issued the certificate, it needs to be installed on the NetScaler.

Once installed, the certificate must be bound to a virtual server so that the virtual server can encrypt traffic and identify itself.

Key Notes:

Once the CA has issued the certificate, it needs to be installed on the NetScaler.

Once installed, the certificate must be bound to a virtual server so that the virtual server can encrypt traffic and identify itself.

Remember that you still need to bind your HTTP services or service groups, as we did in the previous load balancing module.

Key Notes:

Termination at the web server would be SSL Bridge.

Traffic can also be re-encrypted for secure environments.

Key Notes:

Front-end SSL with back-end SSL is more secure but puts more load on the back-end servers.

SSL Bridge is the most secure because traffic is never decrypted until it reaches the target server, but performance is poor and the NetScaler can do very little with the traffic.


Key Notes:

The NetScaler performs the following activities in an end-to-end SSL configuration:

• Front-end (client-side) encryption: The NetScaler terminates the secure client-side session and decrypts the data.
• Back-end (server-side) encryption: The NetScaler initiates a secure connection with the back-end servers and sends the re-encrypted data.
• SSL session multiplexing: The NetScaler appliance uses SSL session multiplexing to reuse existing SSL sessions with the back-end web servers. This avoids CPU-intensive key exchange (full handshake) operations and reduces the overall number of SSL sessions on the server, thereby accelerating the SSL transaction while maintaining end-to-end security.

Key Notes:

The NetScaler supports SSL acceleration for other TCP protocols, with and without end-to-end encryption.

To configure SSL offloading for other TCP protocols, create a virtual server of type SSL_TCP, bind a certificate-key pair and TCP-based services to the virtual server, and configure SSL actions and policies based on the type of traffic expected and the acceleration to be provided.

Key Notes:

SSL Bridge essentially turns the NetScaler into an SSL proxy. No certificates are required, and it does the same thing as creating a TCP virtual server on port 443.

So why would you use SSL_Bridge?

If you need persistence, you can configure SSL Session ID persistence. So even though the NetScaler does not decrypt the SSL traffic, it can track the SSL session ID for persistence.

Key Notes:

Secure because decryption occurs in one place in the internal network. Poor performance on the NetScaler, since it cannot understand the traffic.


Key Notes:

If this occurs after an HA failover, confirm that the SSL certificates synced.


Key Notes:

This protection is on by default.

Key Notes:

It is usually a best practice to disable SSLv3 and TLSv1.

Key Notes:

To create a user-defined cipher group, first create a cipher group and then bind ciphers or cipher groups to it.

If your MPX appliance does not have any licenses, only the EXPORT cipher is bound to your SSL virtual server, service, or service group.

Additional Resources:

Configuring User-Defined Cipher Groups on the NetScaler Appliance: https://docs.citrix.com/en-us/netscaler/10-1/ns-tmg-wrapper-10-con/ns-ssl-wrapper-con-10/nsssl-customize-ssl-config-con/ns-ssl-user-defined-cipher-groups-tsk.html

Key Notes:

To disable SSLv3 on a specific virtual server, run the following command from the NSCLI:

• set ssl vserver -ssl3 DISABLED

Additional Resources:

Citrix Security Advisory for CVE-2014-3566 - SSLv3 Protocol Flaw: http://support.citrix.com/article/CTX200238


Key Notes:

AAA provides security for a distributed Internet environment by allowing any client with the proper credentials to connect securely to protected application servers from anywhere on the Internet.

The AAA feature allows a site administrator to manage access controls with the NetScaler appliance instead of managing these controls separately for each application. ... The AAA feature supports authentication, authorization, and auditing for all application traffic. It incorporates the three security functions of authentication, authorization, and auditing.

Authentication enables the NetScaler ADC to verify the client's credentials, either locally or with a third-party authentication server, and allow only approved users to access protected servers. Authorization enables the ADC to verify which content on a protected server each user should be allowed to access. Auditing enables the ADC to keep a record of each user's activity on a protected server.

Key Notes:

KCD - Kerberos Constrained Delegation. Not supported in Gateway SSL VPN or NetScaler management.

System Users are for system administration.

AAA Users and Groups are used for AAA - Application Traffic and NetScaler Gateway.

Key Notes:

nsroot:

• This account is the default administrative account for the NetScaler system and cannot be disabled or removed from the system. Citrix recommends changing the default account password.
• A NetScaler root administrator can configure the maximum concurrent session limit for system users. By restricting the limit, you can reduce the number of open connections and improve server performance. As long as the CLI count is within the configured limit, concurrent users can log on to the configuration utility any number of times. However, if the number of CLI sessions reaches the configured limit, users can no longer log on to the configuration utility.

To create a local AAA user account by using the command line interface:

• At the command prompt, type the following commands to create a local AAA user account and verify the configuration:
• add aaa user [-password ]
• show aaa user

To configure AAA local users by using the configuration utility:

• Navigate to Security > AAA - Application Traffic > Users.
• In the details pane, do one of the following:
• To create a new user account, click Add.
• To modify an existing user account, select the user account, and then click Open.
• In the Create AAA User dialog box, in the User Name text box, type a name for the user.
• If creating a locally authenticated user account, clear the External Authentication check box and provide a local password that the user will use to log on.
• Click Create or OK, and then click Close. A message appears in the status bar, stating that the user has been configured successfully.

#nsinternal#:

• This account is used for GSLB and high-availability communications through the RPC nodes. The command set rpcnode implicitly uses the #nsinternal# account.
• RPC node password in GSLB setup - Ensure that the RPC node password is the same on the NetScaler appliances. If you have configured Global Server Load Balancing (GSLB), the RPC node passwords should be configured on the high availability NetScaler appliances for additional security; otherwise the default password is enforced. Initially, all NetScaler appliances are configured with the same default RPC node password.
• Note: In NetScaler 11.0, the hash value or encrypted string for the RPC node password will look different on each appliance even though they are configured to be the same. This is by design.

External accounts are usually preferable to local accounts.

Key Notes:

The Management Service also supports authentication requests from SSH. SSH authentication supports only keyboard-interactive authentication requests.

Configuring LDAP Authentication:

• You can configure the NetScaler appliance to authenticate user access with one or more LDAP servers. LDAP authorization requires identical group names in Active Directory, on the LDAP server, and on the appliance. The characters and case must also be the same.
• By default, LDAP authentication is secured by using the SSL/TLS protocol. There are two types of secure LDAP connections. In the first type, the LDAP server accepts the SSL/TLS connection on a port separate from the port used to accept clear LDAP connections. After users establish the SSL/TLS connection, LDAP traffic can be sent over the connection. The second type allows both unsecure and secure LDAP connections and is handled by a single port on the server. In this scenario, to create a secure connection, the client first establishes a clear LDAP connection. Then the LDAP command StartTLS is sent to the server over the connection. If the LDAP server supports StartTLS, the connection is converted to a secure LDAP connection by using TLS.
• The port numbers for LDAP connections are:
• 389 for unsecured LDAP connections.
• 636 for secure LDAP connections.
• 3268 for Microsoft unsecure LDAP connections.
• 3269 for Microsoft secure LDAP connections.
• LDAP connections that use the StartTLS command use port number 389. If port number 389 or 3268 is configured on the appliance, it tries to use StartTLS to make the connection. If any other port number is used, connection attempts use SSL/TLS. If StartTLS or SSL/TLS cannot be used, the connection fails.
• When configuring the LDAP server, the case of the alphabetic characters must match on the server and on the appliance. If the root directory of the LDAP server is specified, all of the subdirectories are also searched to find the user attribute. In large directories, this can affect performance. For this reason, Citrix recommends that you use a specific organizational unit (OU).

Configuring RADIUS Authentication:

• You can configure the NetScaler appliance to authenticate user access with one or more RADIUS servers. If you are using RSA SecurID, SafeWord, or Gemalto Protiva products, use a RADIUS server.
• Your configuration might require using a network access server IP address (NAS IP) or a network access server identifier (NAS ID). When configuring the appliance to use a RADIUS authentication server, use the following guidelines:
• If you enable use of the NAS IP, the appliance sends its configured IP address to the RADIUS server, rather than the source IP address used in establishing the RADIUS connection.
• If you configure the NAS ID, the appliance sends the identifier to the RADIUS server. If you do not configure the NAS ID, the appliance sends its host name to the RADIUS server.
• When the NAS IP is enabled, the appliance ignores any NAS ID that was configured and uses the NAS IP to communicate with the RADIUS server.

Choosing RADIUS authentication protocols:

• The NetScaler appliance supports implementations of RADIUS that are configured to use any of several protocols for user authentication, including:
• Password Authentication Protocol.
• Challenge-Handshake Authentication Protocol (CHAP).
• Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP Version 1 and Version 2).
• If your deployment of the appliance is configured to use RADIUS authentication and your RADIUS server is configured to use Password Authentication Protocol, you can strengthen user authentication by assigning a strong shared secret to the RADIUS server. Strong RADIUS shared secrets consist of random sequences of uppercase and lowercase letters, numbers, and punctuation, and are at least 22 characters long. If possible, use a random character generation program to determine RADIUS shared secrets.
• To further protect RADIUS traffic, assign a different shared secret to each appliance or virtual server. When you define clients on the RADIUS server, you can also assign a separate shared secret to each client. If you do this, you must separately configure each policy that uses RADIUS authentication.

Configuring TACACS+ Authentication:

• You can configure a TACACS+ server for authentication. Similar to RADIUS authentication, TACACS+ uses a secret key, an IP address, and a port number. The default port number is 49. To configure the appliance to use a TACACS+ server, provide the server IP address and the TACACS+ secret. The port needs to be specified only when the server port number in use is something other than the default port number of 49.
• To configure TACACS+ authentication by using the configuration utility:
• Navigate to System > Authentication > TACACS, and create the TACACS authentication policy. After the TACACS+ server settings are configured on the appliance, bind the policy to the system global entity. For more information about binding authentication policies globally, see "Binding the Authentication Policies to the System Global Entity."

Key Notes:

Authentication policies determine when the action should be applied. Authentication actions determine what should be done.

Authentication is implemented as a policy on the NetScaler. The expression is typically global, for example ns_true (which matches all traffic because it is true 100% of the time), and the action of the policy is the target authentication server. Like all policies on the NetScaler, they need to be bound before they take effect. It is common to bind authentication policies globally, but not required; you could bind to a single virtual server if required, and then authentication would only take place when traffic was processed by that virtual server.


Key Notes:

Best practice is to disable external authentication for local accounts, including nsroot.

Key Notes:

Command policies define which commands a delegated administrator is allowed to execute. They are defined in RegEx; the NetScaler supports Perl-based RegEx.

We will discuss Admin Partitions later in this module.

Key Notes:

• read-only - Allows read-only access to all show commands except show runningconfig, show ns.conf, and the show commands for the NetScaler appliance command group.
• operator - Allows read-only access and access to commands to enable and disable services and servers or place them in ACCESSDOWN mode.
• network - Allows full access, except to the set and unset SSL commands, sh ns.conf, sh runningconfig, and sh gslb runningconfig commands.
• superuser - Allows full access. Same privileges as the nsroot user.
• sysadmin - Allows full access, except no access to the NetScaler shell, cannot perform user configurations, cannot perform partition configurations, and some other configurations as stated in the sysadmin command policy.

Command policies define which commands a delegated administrator is allowed to execute. They are defined in RegEx; the NetScaler supports Perl-based RegEx.

Additional Resources:

Configuring Users, User Groups, and Command Policies: http://docs.citrix.com/enus/netscaler/11/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-config-users-and-grps-tsk.html

Key Notes:

The following are a few built-in command policies:

• read-only - Read-only access to all show commands except show ns runningConfig, show ns ns.conf, and the show commands for the NetScaler command group.
• operator - Read-only access and access to commands to enable and disable services and servers.
• network - Full access, except to the set and unset SSL commands, show ns ns.conf, show ns runningConfig, and show gslb runningConfig commands.
• sysadmin - [Included in NetScaler 11.0 and later] A sysadmin is lower than a superuser in terms of access allowed on the appliance. A sysadmin user can perform all NetScaler operations with the following exceptions: no access to the NetScaler shell, cannot perform user configurations, cannot perform partition configurations, and some other configurations as stated in the sysadmin command policy.
• superuser - Full access. Same privileges as the nsroot user.
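An added illustration of the command-policy model described above (regex specs that decide which commands a delegated administrator may run), not the NetScaler's own policy engine or its built-in specs: a priority-ordered ALLOW/DENY evaluator over a constructed policy table that imitates the read-only and operator policies. The regexes and priorities are hypothetical; treating "no policy matched" as denied is an assumption made here.

```python
import re

# Constructed policy table: (priority, action, command spec). Lower priority
# number is evaluated first, and the first match decides. These specs are
# hypothetical stand-ins, NOT the built-in read-only/operator/network/
# superuser/sysadmin policies shipped on the appliance.
POLICIES = [
    # Deny the config dumps that even read-only users must not see.
    (10, "DENY", r"^(show|sh)\s+(ns\s+)?(ns\.conf|runningconfig)\b"),
    # Everything else that only reads state (show/stat) is allowed.
    (20, "ALLOW", r"^(show|sh|stat)\s+\S+"),
    # Operator-style: enable/disable a server or service, nothing else.
    (30, "ALLOW", r"^(enable|disable)\s+(server|service)\s+\S+$"),
]


def evaluate(command, policies=POLICIES):
    """Return (priority, action, spec) of the first policy, in priority
    order, whose regex matches the command; None when nothing matches."""
    cmd = command.strip()
    for prio, action, spec in sorted(policies):
        if re.search(spec, cmd, re.IGNORECASE):
            return prio, action, spec
    return None


def allowed(command, policies=POLICIES):
    """Least-privilege decision: only an explicit ALLOW match permits the
    command; a DENY match or no match at all (assumption) refuses it."""
    hit = evaluate(command, policies)
    return hit is not None and hit[1] == "ALLOW"


if __name__ == "__main__":
    for c in ["show lb vserver", "show ns runningConfig", "sh ns.conf",
              "enable service svc1", "set ssl vserver v1 -ssl3 DISABLED",
              "shell"]:
        print(f"{c!r:45} -> {'ALLOW' if allowed(c) else 'DENY'}")
```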


Key Notes:

You can configure the NetScaler appliance to authenticate user access with one or more RADIUS servers. If you are using RSA SecurID, SafeWord, or Gemalto Protiva products, use a RADIUS server.

Your configuration might require using a network access server IP address (NAS IP) or a network access server identifier (NAS ID). When configuring the appliance to use a RADIUS authentication server, use the following guidelines:

• If you enable use of the NAS IP, the appliance sends its configured IP address to the RADIUS server, rather than the source IP address used in establishing the RADIUS connection.
• If you configure the NAS ID, the appliance sends the identifier to the RADIUS server. If you do not configure the NAS ID, the appliance sends its host name to the RADIUS server.
• When the NAS IP is enabled, the appliance ignores any NAS ID that was configured and uses the NAS IP to communicate with the RADIUS server.

RADIUS message types:

• Access-Request. Sent by a RADIUS client to request authentication and authorization for a network access connection attempt.
• Access-Accept. Sent by a RADIUS server in response to an Access-Request message. This message informs the RADIUS client that the connection attempt is authenticated and authorized.
• Access-Reject. Sent by a RADIUS server in response to an Access-Request message. This message informs the RADIUS client that the connection attempt is rejected. A RADIUS server sends this message if either the credentials are not authentic or the connection attempt is not authorized.
• Access-Challenge. Sent by a RADIUS server in response to an Access-Request message. This message is a challenge to the RADIUS client that requires a response.
• Accounting-Request. Sent by a RADIUS client to specify accounting information for a connection that was accepted.
• Accounting-Response. Sent by the RADIUS server in response to the Accounting-Request message. This message acknowledges the successful receipt and processing of the Accounting-Request message.
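The Access-Request / Access-Accept / Access-Reject exchange described above, together with the NAS IP / NAS ID and shared-secret points from the RADIUS notes on page 410, as an added example that is not Citrix code: a client builds an Access-Request with the User-Password hidden under the shared secret (RFC 2865 PAP) and a NAS-IP-Address or NAS-Identifier attribute, a server answers Accept or Reject, and the client validates the Response Authenticator so that a reply from anyone who does not hold the shared secret is discarded. The user names, passwords and secret are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32

# Constructed sample data (not real credentials).
SECRET = b"Q7!vkLm#2pZr9@wXe4$Ht6^B"      # 24 chars, mixed classes, as the notes advise
USERS = {b"alice": b"s3cret!"}              # the server's local user store


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(block, pad)), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(ident, username, password, secret, nas_ip=None, nas_id=None):
    """Client (the appliance): fresh random Request Authenticator per request;
    sends NAS-IP-Address when NAS IP is enabled, else NAS-Identifier."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, req_auth))]
    if nas_ip is not None:
        attrs.append((NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    elif nas_id is not None:
        attrs.append((NAS_IDENTIFIER, nas_id))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def response_authenticator(code, ident, body, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def server_handle(request, secret, users):
    """Server: recover the password with its copy of the secret, decide
    Accept/Reject, and sign the reply with the Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        resp_code = ACCESS_REJECT
    else:
        pw = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
        ok = hmac.compare_digest(users.get(attrs[USER_NAME], b""), pw)
        resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = response_authenticator(resp_code, ident, b"", req_auth, secret)
    return build_packet(resp_code, ident, resp_auth, [])


def client_verify(response, request, secret):
    """Client: accept the reply only if its ID matches the request and its
    Response Authenticator was computed with the shared secret; else None."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = response_authenticator(code, ident, response[20:length],
                                      request[4:20], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None
```

With a server that holds a different secret, the password unhides to garbage (Reject) and the reply fails verification on the client, which is why mismatched or weak shared secrets surface as authentication failures rather than as a clean error.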


ot

N es rr

fo Key Notes:

e

al

To use the aaad.debug tool, begin at the CLI, access the shell, change to the /tmp directory, and begin the debugging process by typing the following command: cat aaad.debug

Key Notes:

This feature was released in NetScaler 11.0.

By partitioning a NetScaler appliance, you in effect create multiple instances of a single appliance. Each partition has its own configuration, and the traffic of each partition is isolated from the others by assigning it a dedicated VLAN or a shared VLAN.

A partitioned NetScaler has one default partition plus the admin partitions that you create. To set up an admin partition, first create the partition with its resource limits (memory, maximum bandwidth, and connections). Then specify the users who can access the partition and the level of authorization each user has within it.

VLANs can be bound to a partition as a Dedicated VLAN or a Shared VLAN. Depending on your deployment, you bind a VLAN to a partition to isolate its network traffic from other partitions.
• Dedicated VLAN: a VLAN bound to only one partition, with the Sharing option disabled; it must be a tagged VLAN. For example, in a client-server deployment, a system administrator creates a dedicated VLAN for each partition on the server side for security reasons.
• Shared VLAN: a VLAN bound to (shared across) multiple partitions, with the Sharing option enabled. For example, if the system administrator does not control the client-side network, a single VLAN is created and shared across multiple partitions.

Citrix recommends that every partition has either a dedicated or a shared VLAN bound to it. Only a tagged VLAN can be bound to a partition. If there are untagged VLANs, you must mark them as Shared before binding them to other partitions. This ensures that control-plane packets (for example, LACP, LLDP, and xSTP) continue to be handled in the default partition. If you have already bound an untagged VLAN to a partition in 11.0, see the "Deployment procedure for upgrading a sharable VLAN to NetScaler 11.1 software" procedure.

Additional Resources:

Benefits and Uses of Admin Partitions: http://docs.citrix.com/en-us/netscaler/11-1/admin-partition/admin-partition-benefits-and-uses.html

Key Notes:

Admin partitions give your deployment the following benefits:
• Allow delegation of administrative ownership of an application to the customer, reducing the cost of ADC ownership without compromising performance or ease of use.
• Safeguard against unwarranted configuration changes. In a non-partitioned NetScaler, authorized users of another application could intentionally or unintentionally change configuration that your application depends on, causing undesirable behavior. Partitioning reduces this possibility.
• Accelerate and allow scaling of application deployments.
• Isolate traffic between different applications through dedicated VLANs for each partition.
• Allow application-level or localized management and reporting.

Key Notes:

Working through these specific isolation requirements (which tenants share hardware, which VLANs may be shared, who administers what) determines what the partitioned environment will look like.

Additional Resources:

NetScaler 11 Admin Partitions Demo Video: https://www.youtube.com/watch?v=zMCKQ3uKQa4

NetScaler Configurations Supported in Partitions: https://docs.citrix.com/en-us/netscaler/11/system/admin-partition/admin-partition-config-types.html

Key Notes:

NetScaler MAS provides a seamless way to manage all partitions owned by an administrator from a single console, without disrupting the configuration of other partitions.

To let multiple users manage different admin partitions, create groups and assign users and their respective partitions to those groups. Each user can view and manage only the partitions in the group to which the user belongs. Each admin partition is treated as a separate instance in NetScaler MAS.

Additional Resources:

Manage Admin Partitions of NetScaler Instances: https://docs.citrix.com/en-us/netscaler-mas/11-1/Manage_Admin_Partitions_NetScaler_Instances.html
NetScaler Management and Analytics System: https://www.citrix.com/products/netscaler-management-and-analytics-system/

Additional Resources:

NetScaler SDX defines multi-tenancy across the software and hardware layers of NetScaler ADC: https://www.citrix.com/blogs/2014/11/20/multi-tenancy-redefined-with-admin-partitions/

Key Notes:

Rollover for syslog (ns.log): every hour or at 100 KB, whichever comes first. The stated rollover is 25 files, though technically this is 26 (numbered 0 through 25). The newsyslog configuration does not specify time-based rollover, but hourly rotation is what is observed in practice.

Rollover for nslog (newnslog): at 300 MB or every 48 hours.

Because the on-box history is this short, forward syslog to an external collector if you need audit records to survive more than a few busy hours.

Key Notes:

From the CLI:
• shell
• cd /var/log
• tail ns.log

You can also view syslog messages through the Configuration Utility.

Key Notes:

DNS logging support facilitates better diagnosis of issues:
• Auditing the DNS responses sent to clients.
• Auditing of DNS clients.
• Troubleshooting and error detection.
• Detection and prevention of DNS attacks.

NetScaler supports logging for the following entities configured on the appliance:
• ADNS UDP and TCP service.
• DNS UDP and TCP vServer.
• Resolver and forwarder.

Policy-based logging:
• A message can be logged when a particular DNS policy is hit.
• A custom message can be defined using the policy infrastructure and is logged when the policy is hit.

Key Notes:

Any policy on the NetScaler consists of an expression (rule) and an action. For auditing, the expression is typically ns_true (which always evaluates to true) and the action names the target log server. The policy must then be bound for it to take effect.

You configure SYSLOG and/or NSLOG policies. Each policy includes a rule, which is an expression identifying the messages to be logged, and a SYSLOG or NSLOG action (depending on the type of policy). The action specifies the server to which log messages are sent, the log level of the messages to be logged, and the data format of the logged messages. You can bind the policies globally or to individual virtual servers.

You must bind the audit log policies to their respective global bind points (SYSTEM, RNAT, VPN) to enable logging of all NetScaler system events. The priority number sets the evaluation order of the audit policies: the higher the priority number, the later the policy is evaluated.

Key Notes:

ns_true is a NetScaler policy expression that always evaluates to true, so it matches every message.

Configuring the NetScaler appliance for audit logging: on the appliance you configure SYSLOG and/or NSLOG policies. Each policy includes a rule, an expression identifying the messages to be logged, and a SYSLOG or NSLOG action (depending on the type of policy).

The appliance logs the following information about TCP connections:
• Destination IP
• Destination port
• Source IP
• Source port
• Number of bytes transmitted and received
• Time period for which the connection was open

You can enable TCP logging on individual load balancing virtual servers by binding the audit log policy to the specific virtual server whose connections you want logged.

When the NetScaler itself is the audit log server, by default the ns.log file is rotated (a new file is created) when it reaches 100 KB; the last 25 copies of ns.log are archived and compressed with gzip, and once 25 archives exist the oldest is deleted to make room. You can change the 100 KB limit or the 25-file limit by editing the following entry in /etc/newsyslog.conf:

/var/log/ns.log 600 25 100 * Z

where 600 is the file mode, 25 is the number of archived files to keep, 100 is the size in KB at which ns.log is archived, * means no time-based trigger is configured, and Z compresses the archives with gzip.
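To make the newsyslog.conf entry above concrete, here is an added example (not Citrix code) that parses entries in the FreeBSD newsyslog.conf format the appliance uses, computes the most log history an entry can retain, and flags settings a reviewer would question: world- or group-readable modes, entries that can never rotate, too few archives, and uncompressed archives. The ns.log line is the appliance default quoted above; the second entry is a constructed, deliberately weak example.

```python
"""Parse and audit newsyslog.conf rotation entries. Added example, not Citrix code.

Entry format: logfile [owner:group] mode count size when [flags]
  size  is in KB, '*' = no size-based rotation
  count is the number of archives, '*' = unlimited
  when  is '*' (no time trigger), an hour interval, or an @/$ time spec
"""
from dataclasses import dataclass
from typing import List, Optional

# First line is the appliance default from the notes; the second is a constructed weak entry.
SAMPLE_CONF = """\
# logfilename            [owner:group]   mode count size when flags
/var/log/ns.log                          600  25    100  *    Z
/var/log/app-audit.log   nsroot:nsroot   644  2     *    *    -
"""


@dataclass
class RotationPolicy:
    path: str
    owner: Optional[str]
    mode: int               # octal permission bits
    count: Optional[int]    # None = unlimited archives
    size_kb: Optional[int]  # None = no size-based rotation
    when: str
    flags: str


def parse_newsyslog(text: str) -> List[RotationPolicy]:
    """Parse every non-comment entry; the owner:group field is optional and detected by the colon."""
    policies = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner = None
        if len(fields) > 1 and ":" in fields[1]:
            owner = fields.pop(1)
        if len(fields) < 5:
            raise ValueError(f"too few fields in newsyslog entry: {raw!r}")
        path, mode, count, size, when = fields[:5]
        flags = fields[5] if len(fields) > 5 else ""
        policies.append(RotationPolicy(
            path=path, owner=owner, mode=int(mode, 8),
            count=None if count == "*" else int(count),
            size_kb=None if size == "*" else int(size),
            when=when, flags="" if flags == "-" else flags))
    return policies


def max_retained_kb(p: RotationPolicy) -> Optional[int]:
    """Upper bound on uncompressed history on disk: the live file plus every archive."""
    if p.size_kb is None or p.count is None:
        return None
    return p.size_kb * (p.count + 1)


def audit(p: RotationPolicy, min_archives: int = 5) -> List[str]:
    """Return human-readable findings for one entry; an empty list means nothing to report."""
    findings = []
    if p.mode & 0o077:
        findings.append(f"{p.path}: mode {p.mode:o} is readable by group/other; audit logs should be 600")
    if p.size_kb is None and p.when == "*":
        findings.append(f"{p.path}: never rotates (no size and no time trigger); disk can fill")
    if p.count is not None and p.count < min_archives:
        findings.append(f"{p.path}: only {p.count} archives kept; audit history is lost quickly")
    if "Z" not in p.flags and "J" not in p.flags and "X" not in p.flags:
        findings.append(f"{p.path}: archives are not compressed")
    return findings


def audit_conf(text: str) -> List[str]:
    return [f for p in parse_newsyslog(text) for f in audit(p)]
```

Note that raising `count` or `size` only buys time; the retained history for the default entry is about 2.6 MB, which a busy appliance fills in hours, so an external syslog collector remains the real answer for retention.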

Additional Resources:

nstrace product documentation: https://docs.citrix.com/en-us/netscaler/11/reference/netscaler-command-reference/basic/nstrace.html

Key Notes:

nstrace.sh syntax:
• nstrace.sh
Dumps packets in the native NetScaler (.cap) format, which needs a viewer that understands that release-specific format.
• nstrace.sh -sz 0 -tcpdump 1
Dumps packets of full length in tcpdump (pcap) format, which can be read with Wireshark (formerly Ethereal).
• nstrace.sh -sz 0 -tcpdump 1 -nf 3 -time 5
Dumps packets for 5 seconds per file and rotates across 3 files.
• nstrace.sh -sz 0 -tcpdump 1 -m 1
-m 1 dumps only transmitted packets, -m 2 dumps packets buffered for transmission, and -m 4 dumps only received packets.
• nstrace.sh -stop
Stops any instance of nstrace running in the background.

Key Notes:

start nstrace parameters:
• Time per file (sec): the trace rolls to a new file after this many seconds. Default value: 3600. Minimum value: 1.
• Size: number of bytes captured per packet. Set 0 for a full packet trace. Default value: 164. Maximum value: 1514. The default keeps only the headers plus a few bytes of payload; for application-layer troubleshooting (HTTP, SSL handshakes) use 0.
• Tcpdump: capture in TCPDUMP (.pcap) format; the default capture format is NSTRACE (.cap). Possible values: ENABLED, DISABLED. Default value: DISABLED.
• perNIC: use separate trace files for each interface. Works only with the tcpdump format. Possible values: ENABLED, DISABLED. Default value: DISABLED.
• filter: filter expression for nstrace. Can be classic or default syntax.

Key Notes:

Example CLI: start nstrace -size 0 -traceformat PCAP -filter "CONNECTION.DSTIP.EQ(10.1.1.1)" -link ENABLED

This command captures traffic to the given IP address (in this example, the VIP) together with the linked back-end connection, because the -link option is enabled. The size is 0, which captures the entire packet, and the trace is saved in PCAP format. Stop the capture with stop nstrace; the files are written under /var/nstrace/. A full-size trace of a VIP contains credentials, session cookies and other user data, so treat trace files as confidential and delete them from the appliance once the analysis is complete.
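The two options that matter most in that command, -size (the snap length) and -filter on the destination IP, are easy to misjudge: the default size of 164 bytes silently drops most of the payload you may be looking for. The following added example (not Citrix code, and not what nstrace itself runs) writes and reads the libpcap file format that -traceformat PCAP produces, applies a destination-IP filter, and shows what a 164-byte snap length does to an HTTP request compared with size 0. The frames are constructed Ethernet/IPv4/TCP packets with zero checksums; the addresses, ports and HTTP text are made up.

```python
"""Minimal pcap writer/reader illustrating nstrace -size (snaplen) and a DSTIP filter.

Added example, not Citrix code. All frames are constructed; checksums are left zero.
"""
import ipaddress
import struct
from typing import Iterable, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond pcap, written little-endian
LINKTYPE_ETHERNET = 1
NSTRACE_DEFAULT_SIZE = 164   # appliance default for -size
ETH_IP_TCP_HEADERS = 14 + 20 + 20


def ipv4_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 + TCP frame (no options, zero checksums; enough for filtering)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def frame_dst_ip(frame: bytes) -> str:
    """Destination IPv4 address of an Ethernet frame (bytes 30..33 of a plain IPv4 frame)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("only IPv4 frames are handled here")
    return str(ipaddress.IPv4Address(frame[30:34]))


def write_pcap(frames: Iterable[Tuple[float, bytes]], size: int = NSTRACE_DEFAULT_SIZE,
               dst_ip: Optional[str] = None) -> bytes:
    """Write a pcap file. size 0 means full packets (like -size 0); otherwise truncate to size bytes.
    dst_ip mimics -filter CONNECTION.DSTIP.EQ(dst_ip) on a single direction."""
    snaplen = 65535 if size == 0 else size
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        if dst_ip is not None and frame_dst_ip(frame) != dst_ip:
            continue
        captured = frame[:snaplen]
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        # record header: ts_sec, ts_usec, captured length, original length on the wire
        out += struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured
    return out


def read_pcap(data: bytes) -> Tuple[int, List[dict]]:
    """Return (snaplen, records); each record notes whether the packet was truncated."""
    magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap header")
    records, pos = [], 24
    while pos < len(data):
        sec, usec, incl, orig = struct.unpack("<IIII", data[pos:pos + 16])
        pkt = data[pos + 16:pos + 16 + incl]
        if len(pkt) != incl:
            raise ValueError("truncated pcap record")
        records.append({"ts": sec + usec / 1e6, "dst": frame_dst_ip(pkt), "captured": incl,
                        "original": orig, "truncated": incl < orig,
                        "payload": pkt[ETH_IP_TCP_HEADERS:]})
        pos += 16 + incl
    return snaplen, records


def sample_frames() -> List[Tuple[float, bytes]]:
    """Constructed traffic: client -> VIP 10.1.1.1, the linked SNIP -> server leg, and the reply."""
    request = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36\r\n"
               b"Accept: text/html\r\nCookie: NSC_session=abc123\r\n\r\n")
    return [
        (1500000000.000100, ipv4_tcp_frame("192.0.2.10", "10.1.1.1", 51514, 80, request)),
        (1500000000.000250, ipv4_tcp_frame("10.1.2.5", "10.1.2.20", 40000, 8080, request)),
        (1500000000.003000, ipv4_tcp_frame("10.1.1.1", "192.0.2.10", 80, 51514, b"HTTP/1.1 200 OK\r\n\r\n")),
    ]
```

With the default 164-byte snap length the cookie header of the request never reaches the file, which is exactly the symptom of a trace taken without -size 0. The filter here matches only the client-to-VIP direction; on the appliance, -link ENABLED is what pulls in the associated SNIP-to-server leg that a plain DSTIP filter would exclude.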

Additional Resources:

How to Capture an nstrace from the Command Line Interface of NetScaler: http://support.citrix.com/article/CTX120941

Key Notes:

Make sure you use a Wireshark build that includes the NetScaler-specific dissectors (the development release at the time of writing), so that the NetScaler trace metadata is decoded. It is not the default download, so students should make sure they get the correct version.
Key Notes:

Simple Network Management Protocol (SNMP) is an Internet-standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.

The NetScaler acts as an SNMP agent, responding to queries from an SNMP management system.

The SNMP agent receives requests on UDP port 161. The manager may send requests from any available source port to port 161 on the agent, and the agent sends its response back to the manager's source port. The manager receives notifications (traps) on UDP port 162; the agent may send notifications from any available source port.

Generic Traps and Specific Traps

Key Notes:
• As many as 20 trap destinations can be configured for each trap type.
• By default, SNMP traps are sourced from the NetScaler NSIP.
• SNMP traps can be changed to be sourced from a specific SNIP.
• Either all SNMP alerts can be sent, or only those at or above a minimum severity level.

SNMP Alerting Protocol

UDP 161, 162.

Key Notes:

Set up triggers: the NetScaler SNMP agent generates traps and sends the information to the SNMP manager.

Importable Management Information Base (MIB) file: a MIB is a collection of object definitions, like a template of objects. An Object Identifier (OID) names one specific object defined in a MIB.

• SNMPv1: the basic SNMP protocol; access is controlled only by a plaintext community string.
• SNMPv2c: still community-string based, adding bulk retrieval and richer error reporting; it has no cryptographic authentication.
• SNMPv3: adds cryptographic authentication and privacy (encryption) through the User-based Security Model.

Key Notes:

Threshold-based traps, or alarms, depend on a trigger from an administrator-defined threshold. Not all alarms have threshold values.

Key Notes:

SNMPv3 primarily added security and remote configuration enhancements to SNMP. Because earlier SNMP versions lacked security, network administrators used other means, such as telnet, for configuration, accounting, and fault management.

SNMPv3 addresses issues related to the large-scale deployment of SNMP, accounting, and fault management. Currently, SNMP is predominantly used for monitoring and performance management.

SNMPv3 defines a secure version of SNMP and also facilitates remote configuration of SNMP entities.

SNMPv3 provides a secure environment for the management of systems, covering the following:
• Identification of SNMP entities, so that communication takes place only between known SNMP entities. Each SNMP entity has an identifier called the snmpEngineID, and SNMP communication is possible only if an SNMP entity knows the identity of its peer. Traps and notifications are exceptions to this rule.
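The snmpEngineID does more than identify the peer: in the User-based Security Model every authentication key is derived from the user's password and then "localized" to the agent's engine ID, so the same password produces a different key on every agent. The following is an added example (not Citrix code) that implements the RFC 3414 password-to-key and key-localization steps and the HMAC-96 authentication tag they protect; the `maplesyrup` password and twelve-byte engine ID are the RFC's own test vectors, and the message bytes are constructed.

```python
"""SNMPv3 USM key derivation (RFC 3414 Appendix A.2) and HMAC-96 authentication.

Added example, not Citrix code. Shows why a localized key lifted from one agent
does not authenticate to an agent with a different snmpEngineID.
"""
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576  # the RFC hashes exactly this many bytes of repeated password


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: digest of the password repeated cyclically to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    h = hashlib.new(hash_name)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one authoritative engine."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 bytes")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_key_for_engine(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """What a manager computes before talking to a given agent (hash_name: 'md5' or 'sha1')."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def hmac96(kul: bytes, message: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: first 12 bytes of HMAC over the whole message,
    computed with the authentication field set to twelve zero bytes."""
    return hmac.new(kul, message, hash_name).digest()[:12]


def verify_hmac96(kul: bytes, message: bytes, tag: bytes, hash_name: str) -> bool:
    """Constant-time comparison; a wrong engine ID, password or altered message all fail here."""
    return len(tag) == 12 and hmac.compare_digest(hmac96(kul, message, hash_name), tag)
```

The practical consequence: if the SNMP manager's engine-ID cache is stale (for example after an appliance is rebuilt and gets a new snmpEngineID), every authenticated request fails until the manager rediscovers the engine ID, and a captured localized key from one NetScaler is useless against another even when the same SNMP user and password are configured on both.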

SNMP Set

Key Notes:
• SNMP Set: accept SNMP SET requests sent to the NetScaler appliance and allow SNMP managers to write values to MIB objects that are configured for write access. Leave this disabled unless a manager genuinely needs write access; with SNMPv1/v2c a SET is protected only by the community string.
• SNMP Trap Logging: log any SNMP trap events (for SNMP alarms in which logging is enabled) even if no trap listeners are configured. With the default setting, SNMP trap events are logged only if at least one trap listener is configured on the appliance.
• Send Partition Name in Traps: send the partition name as a varbind in traps. By default, partition names are not sent.

Key Notes:

The number of views multiplies quickly: with three pull-down menus of 100 entries each, there are 100^3 = 1,000,000 possible combinations of things to view.

Historical Performance Data

Key Notes:

Click on the Reporting tab to access it.

Similar information to the Dashboard, but over a longer period of time.

Reporting is useful to establish patterns and develop a traffic profile.

This should not be viewed as a replacement for an external performance monitoring solution (SNMP), because performance databases are maintained individually on each member of an HA pair.

Key Notes:

The Network Visualizer is a tool that you can use to view the network configuration of a NetScaler node, including the network configuration of the nodes in a high availability (HA) deployment. You can also modify the configuration of VLANs, interfaces, channels, and bridge groups, and perform HA configuration tasks.

Additional Resources:

Using the Network Visualizer: https://docs.citrix.com/en-us/netscaler/10-1/ns-nw-gen-wrapper10-con/ns-nw-interfaces-intro-wrapper-con/ns-nw-interfaces-using-the-nw-vsualzer-tsk.html

Key Notes:

CLI show commands (common examples):
• show ns.conf
• show running
• show version
• show hardware
• show license
• show ns feature
• show ns mode
• show ha node
• show server
• show service
• show lb vserver
• show vlan
• show interface
• show arp
• show route

Additional Resources:

You can also use UNIX commands from the shell to perform some basic troubleshooting: http://support.citrix.com/article/CTX109262

Key Notes:

Additional information that the show techsupport command collects:
• SNMP alarms.
• Web logs.
• Syslogs.

Network topology diagrams and other deployment documentation should accompany the bundle; these are not produced by the command and must be supplied by the administrator.

Key Notes:

Upload the file created with the show techsupport command.

Key Notes:

AppFlow uses actions and policies to send records for selected flows to a specific set of collectors. An AppFlow action specifies which set of collectors receive the AppFlow records. Policies, based on Advanced (default-syntax) expressions, select the flows whose records are sent to the collectors specified by the associated AppFlow action.

Very powerful, with a lot of detail, but CPU-intensive.

Granular filtering makes the data easy to search.

Transport: IPFIX over UDP port 4739.

AppFlow breaks Session Reliability: it interferes with the refreshable cookie.

Additional Resources:

Product documentation on what AppFlow is: http://docs.citrix.com/en-us/netscaler/11/system/ns-ag-appflow-intro-wrapper-con.html

Key Notes:

Four basic streams of communication can be reported on using AppFlow when the NetScaler processes traffic:
• From the client to the VIP.
• From the SNIP/MIP to the back-end server.
• From the server to the SNIP/MIP.
• From the VIP back to the client.

Responder traffic, or traffic generated purely by the NetScaler, has only the client-to-VIP and VIP-to-client legs.
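AppFlow records travel as IPFIX on UDP 4739, and a collector can only decode a Data Set after it has seen the Template Set that describes it, which is why records from a freshly started exporter are sometimes dropped. The following added example (not Citrix code; it does not reproduce the appliance's actual template) builds one IPFIX message with a template and four constructed flow records, one per traffic leg listed above, and decodes it the way a collector would. The addresses, ports and byte counts are made up; the information element numbers are the standard IANA ones for the five fields used.

```python
"""IPFIX (RFC 7011) export and decode for four constructed flow legs. Added example, not Citrix code."""
import ipaddress
import struct
from typing import Dict, List, Tuple

IPFIX_VERSION, TEMPLATE_SET_ID, TEMPLATE_ID = 10, 2, 256  # 256 is the first data-template ID
# (informationElementId, length) from the IANA IPFIX registry
TEMPLATE: List[Tuple[int, int]] = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 8)]
IE_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address", 7: "sourceTransportPort",
            11: "destinationTransportPort", 1: "octetDeltaCount"}
ADDRESS_IES = {8, 12}


def encode_record(src: str, dst: str, sport: int, dport: int, octets: int) -> bytes:
    """Fixed-length data record laid out exactly as TEMPLATE declares."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HHQ", sport, dport, octets))


def build_message(records: List[bytes], export_time: int, sequence: int, domain: int) -> bytes:
    """One IPFIX message: header, a Template Set describing TEMPLATE_ID, then a Data Set using it."""
    tmpl_body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    tmpl_body += b"".join(struct.pack("!HH", ie, ln) for ie, ln in TEMPLATE)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl_body)) + tmpl_body
    data_body = b"".join(records)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data_body)) + data_body
    body = template_set + data_set
    # header: version, total length, export time, sequence number, observation domain ID
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), export_time, sequence, domain) + body


def decode_message(data: bytes) -> List[Dict[str, object]]:
    """Collector side: learn templates as they arrive, then decode data sets that reference them."""
    version, length, _export_time, _sequence, _domain = struct.unpack("!HHIII", data[:16])
    if version != IPFIX_VERSION or length != len(data):
        raise ValueError("not a well-formed IPFIX message")
    templates: Dict[int, List[Tuple[int, int]]] = {}
    flows: List[Dict[str, object]] = []
    pos = 16
    while pos < length:
        set_id, set_len = struct.unpack("!HH", data[pos:pos + 4])
        if set_len < 4 or pos + set_len > length:
            raise ValueError("bad set length")
        body = data[pos + 4:pos + set_len]
        if set_id == TEMPLATE_SET_ID:
            tid, count = struct.unpack("!HH", body[:4])
            templates[tid] = [tuple(struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i])) for i in range(count)]
        elif set_id >= 256:
            if set_id not in templates:
                raise ValueError(f"data set for unknown template {set_id}; template not yet received")
            fields = templates[set_id]
            rec_len = sum(ln for _, ln in fields)
            off = 0
            while off + rec_len <= len(body):  # any trailing bytes are set padding
                flow: Dict[str, object] = {}
                for ie, ln in fields:
                    raw = body[off:off + ln]
                    off += ln
                    name = IE_NAMES.get(ie, f"ie{ie}")
                    flow[name] = str(ipaddress.IPv4Address(raw)) if ie in ADDRESS_IES else int.from_bytes(raw, "big")
                flows.append(flow)
        pos += set_len
    return flows


def sample_flow_records() -> List[bytes]:
    """Constructed records for the four legs: client->VIP, SNIP->server, server->SNIP, VIP->client."""
    return [
        encode_record("192.0.2.10", "10.1.1.1", 51514, 443, 1200),
        encode_record("10.1.2.5", "10.1.2.20", 40000, 8080, 1100),
        encode_record("10.1.2.20", "10.1.2.5", 8080, 40000, 48000),
        encode_record("10.1.1.1", "192.0.2.10", 443, 51514, 49000),
    ]
```

Because there is no authentication in plain IPFIX over UDP, anyone who can reach the collector's port 4739 can inject records that look like they came from the appliance; restrict the collector to the NetScaler SNIPs at the network layer and, where the collector supports it, prefer a transport with integrity protection.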

Key Notes:

AppFlow follows the basic NetScaler model of a policy with an action. Here the action names a collector and is bound to a policy whose expression determines when the action triggers. The policy is then bound globally or to the vServer in question.

Key Notes:

Easy to set up. The virtual appliance installs on all major hypervisors. Insight does not support IPv6.

Additional Resources:

Understanding NetScaler Insight Center: https://docs.citrix.com/en-us/netscaler-insight/11-0/understanding-insight-center.html

Additional Resources:

How to Enable Web Insight Data Collection: https://docs.citrix.com/en-us/netscaler-insight/11-0/enable-data-collection/ni-enable-web-insight-tsk.html

Use Cases: Web Insight: https://docs.citrix.com/en-us/netscaler-insight/11-0/web-insight-usecases.html

Key Notes:

DNS Client: Insight resolves host names instead of showing only IP addresses.

Key Notes:

The proof-of-concept (POC) version uses an internal database, but Citrix recommends an external database for production. Command Center is available as a physical or virtual appliance, or as software that runs on Windows or Linux.
