NetScaler Gateway 11 Virtual Server

July 5, 2015, 2:11 pm

Navigation

= Recently Updated

NetScaler Gateway Universal Licenses

For basic ICA Proxy connectivity to XenApp/XenDesktop, you don’t need to install any NetScaler Gateway licenses on the NetScaler appliance. However, if you need SmartAccess features (e.g. EPA scans) or VPN then you must install NetScaler Gateway Universal licenses. These licenses are included with some editions of XenApp, XenDesktop, XenMobile, and the Platinum version of NetScaler.

When you create a NetScaler Gateway Virtual Server, the ICA Only setting determines if you need NetScaler Gateway Universal licenses or not. If the Virtual Server is set to ICA Only then you don’t need licenses. But if ICA Only is set to false then you need a NetScaler Gateway Universal license for every user that connects to this NetScaler Gateway Virtual Server. Enabling ICA Only disables all SmartAccess, SmartControl, and VPN features.

After NetScaler Gateway Universal licenses are installed on the appliance, they won’t necessarily be available for usage until you make a configuration change as detailed below:

On the left, expand System and click Licenses. On the right, in the Maximum NetScaler Gateway Users Allowed field is the number of licensed users for NetScaler Gateway Virtual Servers that are not set to ICA Only.
On the left, under NetScaler Gateway, click Global Settings.
In the right column of the right pane, click Change authentication AAA settings.
Change the Maximum Number of Users to your licensed limit. This field has a default value of 5 and administrators frequently forget to change it thus only allowing 5 users to connect.
If desired, check the box for Enable Enhanced Authentication Feedback. Click OK.
```
set aaa parameter -enableEnhancedAuthFeedback YES -maxAAAUsers 200
```
Then edit the NetScaler Gateway Virtual Server.
In the Basic Settings section, click the pencil icon near the top right.
Click More.
In the Max Users field, either enter 0 (for unlimited/maximum) or enter a number that is equal to or less than the number of licensed users. Click OK.
```
set vpn vserver gateway.corp.com -maxAAAUsers 0
```

Create Gateway Virtual Server

Create a certificate for the NetScaler Gateway Virtual Server. The certificate must match the name users will use to access the Gateway. For email discovery in Citrix Receiver, the certificate must have subject alternative names (SAN) for discoverReceiver.email.suffix (use your email suffix domain name). If you have multiple email domains then you’ll need a SAN for each one.
On the left, right-click NetScaler Gateway and click Enable Feature.
On the left, expand NetScaler Gateway and click Virtual Servers.
On the right, click Add.
Name it gateway.corp.com or similar.
Enter a new VIP that will be exposed to the Internet. Note: new to NetScaler 11.0 is the ability to set it to Non Addressable, which means you can place it behind a Content Switching Virtual Server.
Click More.
In the Max Users field enter 0.
In the Max Login Attempts field, enter your desired number. Then enter a timeout in the Failed Login Timeout field.
Check the box next to ICA Only. This option disables SmartAccess and VPN features but does not require any additional licenses.
Check the box next to DTLS and click OK. DTLS enables UDP Audio and Framehawk. Note: DTLS is not yet supported for double-hop ICA.
In the Certificates section, click where it says No Server Certificate.
Click the arrow next to Click to select.
Select a previously created certificate that matches the NetScaler Gateway DNS name and click Select.
Click Bind.
If you see a warning about No usable ciphers, click OK.
Click Continue.
In the Authentication section, click the plus icon in the top right.
Select LDAP, select Primary and click Continue.
If you used the authentication dashboard to create the LDAP server then you probably haven’t create the corresponding policy yet. Click the plus icon to create a new policy.
Use the Server drop-down to select the previously created LDAP server.
Give the policy a name. It can match the LDAP Server name.
In the Expression box, enter ns_true or select it from the Saved Policy Expressions drop-down. Click Create.
Click Bind.
Or for two-factor authentication, you will need to bind two policies to Primary and two polices to Secondary:
- Primary = LDAP for Browsers (User-Agent does not contain CitrixReceiver)
- Primary = RADIUS for Receiver Self-Service (User-Agent contains CitrixReceiver)
- Secondary = RADIUS for Browsers (User-Agent does not contain CitrixReceiver)
- Secondary = LDAP for Receiver Self-Service (User-Agent contains CitrixReceiver)
Click Continue.
Scroll down to the Profiles section and click the pencil icon.
In the TCP Profile drop-down select nstcp_default_XA_XD_profile and click OK.
In the Policies section, click the plus icon near the top right.
Select Session, select Request and click Continue.
Click the arrow next to Click to select.
Select one of the Receiver session policies and click Select. It doesn’t matter which order you bind them.
There’s no need to change the priority number. Click Bind.
Repeat these steps to bind the second policy. In the Policies section, click the plus icon near the top right.
Select Session, select Request and click Continue.
Click Add Binding.
Click the arrow next to Click to select.
Select the other Receiver session policy and click Select.
There’s no need to change the priority number. Click Bind.
The two policies are mutually exclusive so there’s no need to adjust priority. Click Close.
On the right, in the Advanced Settings section, click Published Applications.
Click where it says No STA Server.
Add a Controller in the https://<Controller_FQDN> or http://<Controller_FQDN> format, depending on if SSL is enabled on the XenApp Controller or not. This must be a FQDN or IP address. Short names don’t work.
For the Address Type, select IPV4. Click Bind.
To bind another Secure Ticket Authority server, on the left, in the Published Applications section, click where it says 1 STA Server.
Click Add Binding. Enter the URL for the second controller.
The State is probably down. Click Close.
In the Published Applications section, click STA Server.

Now they should be up and there should be a unique Auth ID for each server. Click OK.

add vpn vserver gateway.corp.com SSL 10.2.2.200 443 -icaOnly ON -dtls ON -tcpProfileName nstcp_default_XA_XD_profile

bind vpn vserver gateway.corp.com -policy "Receiver Self-Service" -priority 100

bind vpn vserver gateway.corp.com -policy "Receiver for Web" -priority 110

bind vpn vserver gateway.corp.com -policy Corp-Gateway -priority 100

bind vpn vserver gateway.corp.com -staServer "http://xdc01.corp.local"
bind vpn vserver gateway.corp.com -staServer "http://xdc02.corp.local"

bind vpn vserver gateway.corp.com -portaltheme X1

If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.

bind ssl vserver MyvServer -certkeyName MyCert

set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED

unbind ssl vserver MyvServer -cipherName ALL

bind ssl vserver MyvServer -cipherName Modern

bind ssl vserver MyvServer -eccCurveName ALL

bind vpn vserver MyvServer -policy insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

Verify SSL Settings

After you’ve created the Gateway Virtual Server, run the following tests:

Citrix CTX200890 – Error: “1110” When Launching Desktop and “SSL Error” While Launching an Application Through NetScaler Gateway: You can use OpenSSL to verify the certificate. Run the command: openssl s_client -connect gateway.corp.com:443. Replace the FQDN with your FQDN. OpenSSL is installed on the NetScaler or you can download and install it on any machine.
Go to https://www.digicert.com/help/ to verify the certificate chain.
Go to https://www.ssllabs.com/ssltest/ and check the security settings of the website. Citrix Blogs – Scoring an A+ at SSLlabs.com with Citrix NetScaler

Gateway Portal Theme

Citrix Blog Post Branding your Deployment Part 2: Matching NetScaler to StoreFront explains NetScaler Gateway Portal Themes, how to edit the Portal Theme CSS, and warns about GUI changes overwriting CSS file changes.

If you want the logon page for NetScaler Gateway to look more like StoreFront 3.0, NetScaler 11.0 build 62 and newer have a built-in X1 theme:

Go to NetScaler Gateway > Virtual Servers and edit an existing Virtual Server.
On the right, in the Advanced Settings section, click Portal Themes.
On the left, click where it says No Portal Theme.
Click to select.
Select the built-in X1 theme and click Select.
Click Bind.

Click Done.

bind vpn vserver gateway.corp.com -portaltheme X1

When you access the NetScaler Gateway login page you’ll see the theme.

You can also create your own theme by starting from one of the built-in themes:

Go to NetScaler Gateway > Portal Themes.
On the right, click Add.
Give it a name and select X1 as the Template Theme.
In the Look and Feel section there are two sub-sections: one for Home Page and one for Other Pages. In each of these sections is an Attribute Legend link that shows you what you can edit.
The Home Page is for Unified Gateway (aka VPN Clientless Access).
If you want to modify the logon page, use the Other Pages sub-section.
Make changes as desired and click OK.
In the Locale section, select a language and click OK.
On the right, in the Advanced Settings section, click Login Page.
Make changes as desired (e.g. Password Field Titles) and click OK.
At the top of the screen, click the link to Click to bind and view configured theme.
Select a Gateway Virtual Server and click Preview.
The logon page is displayed.
You could go to /var/netscaler/logon/themes/StoreFront3/css and make more changes to custom.css but this file gets overwritten any time you make a change in the Portal Themes section of the NetScaler GUI.

Jason Samuel – How to fix Green Bubble theme after upgrading to NetScaler 11 Unified Gateway details the following:

Change the NetScaler Unified Gateway logo to match the older Citrix Receiver logo.
Restore the older favicon.
And other observations regarding the Green Bubbles theme in NetScaler 11.0

SSL Redirect – Down vServer Method

This procedure details the Down vServer method of performing an SSL redirect. An alternative is to use the Responder method.

On the left, expand Traffic Management, expand Load Balancing, and click Virtual Servers.
On the right, click Add.
Give it a name of Gateway-HTTP-SSLRedirect or similar.
Set the IP Address so it matches the VIP of the NetScaler Gateway vServer. Click OK.
Do not select any services. This redirect only works if the vServer is Down. Click Continue.
On the right, in the Advanced Settings column, click Protection.
Enter https://gateway.corp.com or similar into the Redirect URL Click Save.

Then click Done.

add lb vserver gateway.corp.com-HTTP-SSLRedirect HTTP 10.2.2.200 80 -redirectURL "https://gateway.corp.com"

All SSL Redirect Virtual Servers are supposed to be Down. They don’t work if they are not down. By contrast, the Responder method uses redirect Virtual Servers that are Up.

Public DNS SRV Records

For email-based discovery, add a SRV record to each public email suffix DNS zone. Here are sample instructions for a Windows DNS server:

In Server Manager, click Tools > DNS Manager
In the left pane of DNS Manager, select your DNS domain in the forward or reverse lookup zones. Right-click the domain and select Other New Records.
In the Resource Record Type dialog box, select Service Location (SRV) and then click Create Record.
In the New Resource Record dialog box, click in the Service box and enter the host value _citrixreceiver.
Click in the Protocol box and enter the value _tcp.
In the Port number box, enter 443.
In the Host offering this service box, specify the fully qualified domain name (FQDN) for your NetScaler Gateway Virtual Server in the form servername.domain (e.g. gateway.company.com)

Block Citrix VPN for iOS

Andrew Morgan Blocking the new Citrix VPN iOS connection to Netscaler gateway and Citrix CTX201129 Configuration for Controlled Access to Different VPN Plugin Through NetScaler Gateway for XenMobile Deployments: do one or both of the following:

Create an AppExpert > Responder > Policy with Action = DROP and Expression = REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver/NSGiOSplugin"). Either bind the Responder Policy Globally or bind it to the Gateway vServers.
In your Gateway Session Policies, do not set the Plugin type to Windows/Mac OS X.

View ICA Sessions

To view active ICA sessions, click the NetScaler Gateway node on the left and then click ICA Connections on the right.

show vpn icaconnection

Customize Logon Page

Logon Page Labels

When two factor authentication is configured on NetScaler Gateway, the user is prompted for User name, Password, and Password 2.

The Password field labels can be changed to something more descriptive, such as Active Directory or RSA:

To change the labels, edit a Portal Theme:

Go to NetScaler Gateway > Portal Themes and edit an existing theme. You can’t edit the built-in themes so you’ll have to create one if you haven’t already.
On the right, in the Advanced Settings column, click Login Page.
In the Login Page section, change the two Password fields to your desired text.
Click OK.
In the Portal Theme section you can Click to bind and view configured theme to Preview your changes.
On Platinum Edition appliances, you might have to invalidate the loginstaticobjects Content Group (Optimization > Integrated Caching > Content Groups) before the changes appear. This seems to be true even if Integrated Caching is disabled.

Logon Security Message (Disclaimer, EULA)

You can force users to agree to a EULA before they are allowed to login.

Clicking the Terms & Conditions link allows the user to view the EULA text that you have entered.

Do the following to configure the EULA:

Go to NetScaler Gateway > Resources > EULA.
On the right, click Add.
Give the EULA a name and enter some text. You can even enter HTML code. See the example posted by Chris Doran at Citrix Discussions.
Click Create.
Edit a Gateway Virtual Server.
On the right, in the Advanced Settings column click EULA.
Click where it says No EULA.
Click the arrow next to Click to select.
Select the EULA and click Select.
Click Bind.

Logon Page Links

Citrix CTX202444 How to Customize NetScaler Gateway 11 logon Page with Links shows how to add links to the NetScaler Gateway 11 logon page.

In WinSCP, go to /netscaler/ns_gui/vpn/js and edit the file gateway_login_form_view.js.
Scroll down to line 40 and insert the code copied from the article. Feel free to change the link.
Scroll down to line 140 and insert the line form.append(link_container);
Since this is an if block, insert the line in both the if section and the else section (line 148). Both should be after the append field_login line and before the append(form) line.
Save the file and verify your results.
If you reboot your appliance then your changes will be lost. To preserve your changes after a reboot, copy the modified file to /var.
Then edit /nsconfig/rc.netscaler and add a cp line to copy the modified file from /var to /netscaler/ns_gui/vpn/js. This is the same procedure as older NetScaler firmware. Feel free to reboot your appliance to confirm that the changes are still applied.

Other Customizations

Craig Tolley Customising the NetScaler 11 User Interface – Adding Extra Content: add new sections to login page. These sections pull content from local HTML files.

UDP Audio Through Gateway

From John Crawford at Citrix Discussions and Marius Sandbu Enabling Citrix Receiver audio over Netscaler Gateway with DTLS

Note: If you have NetScaler 11 build 62 or newer then enabling DTLS on the Gateway also enables Framehawk. See VDA > Framehawk for Framehawk configuration.

Requirements for UDP Audio:

Citrix Receiver 4.2 or newer
NetScaler Gateway 10.5.e (enhancement build) or NetScaler 11
UDP 443 allowed to NetScaler Gateway Virtual Server
UDP 16500-16509 allowed from NetScaler SNIP to VDAs

To enable UDP Audio through Gateway, make changes on both the NetScaler Gateway Virtual Server and in Receiver:

Edit the NetScaler Gateway Virtual Server. In the Basic Settings section click the edit (pencil) icon.
Click More.
Enable the DTLS option and click OK.
After enabling DTLS, it probably won’t work until you unbind the Gateway certificate and rebind it.

Client-side configuration

There are two methods of enabling RTP on the client side:

Edit default.ica on the StoreFront server
Use GPO to modify the client-side config

To edit the default.ica file on the StoreFront server (h/t Vipin Borkar): Edit the file C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica and add the following lines to the Application section:

EnableRtpAudio=true
EnableUDPThroughGateway=true
AudioBandwidthLimit=1

To use GPO to modify the client-side config:

Copy the receiver.admx (and .adml) policy template into PolicyDefinitions if you haven’t already.
Edit a GPO that applies to Receiver machines. You can also edit the local GPO on a Receiver machine.
Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Receiver.
Edit the setting Client audio settings.
Enable the setting.
Set audio quality as desired. Higher quality = higher bandwidth.
Check to Enable Real-Time Transport.
Check to Allow Real-Time Transport through Gateway. Click OK.

Next step

Configure StoreFront to use NetScaler Gateway

Unified Gateway

Unified Gateway FAQ at docs.citrix.com

The Unified Gateway wizard in NetScaler 11 relies on Clientless Access and the built-in portal. See Jens Trendelkamp NetScaler Gateway Single Sign-On to Storefront in Clientless Access Mode to learn how to enable iFrame in StoreFront so it can be embedded in the Clientless Access portal.

Unified Gateway means Content Switching for NetScaler Gateway. There are two methods of Content Switching:

Create a Content Switching Virtual Server that has a Content Switching policy that directs requests to a NetScaler Gateway
Create a NetScaler Gateway Virtual Server that has Content Switching policies that direct requests to Load Balancing Virtual Servers.

In either case you can only have one Gateway Virtual Server in the Content Switching configuration.

Content Switching vServer with Gateway as Target

When creating a Gateway Virtual Server, you can change the IP Address Type to Non Addressable. This means you can only access the Gateway through a Content Switching Virtual Server.
On the left, go to Traffic management > Content Switching > Policies.
On the right click Add.
Give the policy a name.
Click the plus icon next to the Action field.
Give the Action a name.
Change the selection to NetScaler Gateway Virtual Server.
Click the arrow to select a Gateway Virtual Server and click Create.
Back in the policy screen, enter an expression. There are several options for selecting traffic that should be directed to the Gateway:
- Hostname
- The built-in is_vpn_url expression
- Any path that starts with /Citrix/.
```
http.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("mygateway.corp.com") && (is_vpn_url || http.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/Citrix/"))
```
Click Create when done.
Add or Edit a Content Switching Virtual Server.
Click where it says No Content Switching Policy Bound.
Click the arrow to select a Content Switching policy and click Bind.

Gateway vServer with Load Balancing vServer as Target

Another option is to bind Content Switching policies to a Gateway Virtual Server:

On the left, go to Traffic Management > NetScaler Gateway > Policies > Content Switching.
On the right, click Add to create a Content Switching Policy with an Action that points to a Load Balancing Virtual Server.
On the left, go to NetScaler Gateway > Virtual Servers.
On the right, edit an existing NetScaler Gateway Virtual Server.
On the right in the Advanced Settings section, click Content Switching Policies.
Click where it says No Content Switching Policies.
Select a Content Switching policy that sends traffic to a Load Balancing Virtual Server and click Bind.
Repeat for additional Content Switching policies that redirect to Load Balancing Virtual Servers. You cannot bind Content Switching policies that redirect to NetScaler Gateway Virtual Servers.

StoreFront – Rewrite X-Citrix-Via

When NetScaler Gateway communicates with StoreFront, it adds a header called X-Citrix-Via that contains the FQDN entered in the user’s address bar. StoreFront uses this header to find a matching Gateway object so StoreFront knows how to handle the authentication. In NetScaler 11.0 and newer, you can create a rewrite policy to change this header. This is useful when changing URLs or using DNS aliases for Gateways. See CTX202442 FAQ: Modify HTTP Header X-Citrix-Via on NetScaler for more details.

Here’s a sample rewrite policy for this header:

enable ns feature REWRITE

add rewrite action rwact_storefront replace "HTTP.REQ.HEADER(\"X-Citrix-Via\")" "\"mystorefront.mydomain.com\""

add rewrite policy rwpol_storefront "HTTP.REQ.HEADER(\"X-Citrix-Via\").NE(\"mystorefront.mydomain.com\")" rwact_storefront

bind vpn vserver mygateway-vs -policy rwpol_storefront -priority 100 -type REQUEST

↧

NetScaler 11 Certificates

July 5, 2015, 3:08 pm

≫ Next: NetScaler Gateway 11 RADIUS Authentication

≪ Previous: NetScaler Gateway 11 Virtual Server

Navigation

Here are three methods of creating certificates for NetScaler:
If the server certificate is signed by an intermediate authority, import the intermediate certificate and bind it.
Replace the management certificate and then force SSL access for management.
Update certificates before they expire.

= Recently Updated

Convert .PFX Certificate to PEM Format

You can export a certificate from Windows and import it to NetScaler. However, Windows certificates can’t be imported on NetScaler in their native PFX format and must first be converted to PEM as detailed below:

On the Windows server that has the certificate, run mmc.exe and add the certificates snap-in.
Right-click the certificate and click Export.
On the Export Private Key page, select Yes, export the private key and click Next.
On the Export File Format page, ensure Personal Information Exchange is selected and click Next.
Save it as a .pfx file. Don’t put any spaces in the filename.
In NetScaler 11, it is no longer necessary to first convert the .PFX file to PEM format since Traffic Management > SSL > Certificates > Install will convert the .PFX file for you. Note: when the PFX is converted to PEM the key is not encrypted.
Browse (Local) to the PFX file in both the certificate file and key file fields, enter the PFX password, and then click Install.
If you click the arrow next to the certificate you’ll see that NetScaler created a new file with a .ns extension.
If you look inside this file by going to Traffic Management > SSL > Manage Certificates / Keys / CSRs, notice that the RSA Private Key is not encrypted, encoded, or password protected.
If you want to encrypt your key file (recommended), use the older method of converting from PFX to PEM. In the NetScaler Configuration GUI, on the left expand Traffic Management and click SSL.
In the right column of the right pane, click Import PKCS#12 in the Tools section.
In the Import PKCS12 File dialog box:
1. In the Output File Name field, enter a name (e.g. Citrix.cer) for a new file where the PEM certificate and key will be placed.
2. In the PKCS12 File field, click Browse and select the previously exported .pfx file.
3. In the Import Password field, enter the password you specified when you previously exported the .pfx file.
4. Change the Encoding Format selection to DES3. This causes the new Output file to be encrypted.
5. Enter a password for the Output file and click OK.
If you browse to the /nsconfig/ssl directory on the NetScaler and view the new .cer file you just created, you’ll see both the certificate and the private key in the same file. You can use the Manage Certificates / Keys / CSRs link to view the files.

Notice that the file contains both the certificate and the RSA Private key.
On the left side of the NetScaler Configuration GUI, expand Traffic Management > SSL, and click Certificates.
On the right, click Install.
In the Install Certificate dialog box:
1. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
2. In the Certificate File Name field, browse the appliance and select the .cer file you just created.
3. In the Private Key File Name field, browse the appliance and select the same .cer file you just created. Both the certificate and the private key are in the same file.
4. If the file is encrypted, enter the password.
5. Click Install. You can now link an intermediate certificate to this SSL certificate and then bind this SSL certificate to SSL and/or NetScaler Gateway Virtual Servers.
To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy Citrix Command Center.

Create Key and Certificate Request

You can create a key pair and Certificate Signing Request directly on the NetScaler appliance. The Certificate Signing Request can then be signed by an internal or public Certificate Authority.

Most Certificate Authorities let you add Subject Alternative Names when submitting the Certificate Signing Request to the Certificate Authority and thus there’s no reason to include Subject Alternative Names in the Certificate Signing Request. You typically create a Certificate Signing Request with a single DNS name. Then when submitting the Certificate Signing Request to the Certificate Authority you type in additional DNS names. For a Microsoft Certificate Authority, you can enter Subject Alternative Names in the Attributes box of the Web Enrollment wizard. For public Certificate Authorities, you purchase a UCC certificate or purchase a certificate option that lets you type in additional names.

If you instead want to create a Certificate Signing Request on NetScaler that has Subject Alternative Names embedded in it as request attributes, see Citrix Blog Post How to Create a CSR for a SAN Certificate Using OpenSSL on a NetScaler Appliance. These instructions are performed on the NetScaler command line using OpenSSL. Or you can instead create a Subject Alternative Name certificate on Windows.

On the left, expand Traffic Management, and click SSL.
On the right, in the left column, click Create RSA Key.
Give the .key file a descriptive name.
Set the Key Size to 2048 bits
Set the PEM Encoding Algorithm to DES3 and enter a password. This encrypts the key file.
Click OK. You will soon create a certificate using the keys in this file.
On the right, in the right column, click Create Certificate Signing Request (CSR).
In the Request File Name field, enter the name of a new file.
In the Key Filename field, browse to the previously created .key file.
If the key file is encrypted, enter the password.
In the State field, enter your state name without abbreviating.
In the Organization Name field, enter your official Organization Name.
Enter the City name.
Enter IT or similar as the Organization Unit.
In the Common Name field, enter the FQDN of the SSL enabled-website. If this is a wildcard certificate, enter * for the left part of the FQDN.
Scroll down and click Create.
At the top of the screen you’ll see a green banner. Click here to view.
You can then copy the contents and send it to your Certificate Authority.
Or, on the right side of the right pane, click Manage Certificates / Keys / CSRs.
Find the .csr file you just created and View it.
Copy the contents of the file and send it to the certificate administrator. Request the signed certificate to be returned in Apache or Base64 format.
After you get the signed certificate, on the left side of the NetScaler Configuration GUI, expand Traffic Management > SSL, and click Certificates.
On the right, click Install.
In the Install Certificate dialog box:
1. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
2. In the Certificate File Name field, browse Local and select the .cer file you received from the Certificate Authority.
3. In the Private Key File Name field, browse the appliance and select the key file you created earlier.
4. If the key file is encrypted, enter the password.
5. Click Install.
The certificate is now added to the list. Notice the Expiry Date. You can now bind this certificate to any SSL Offload, NetScaler Gateway, or Content Switching Virtual Server.
To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy Citrix Command Center.

Intermediate Certificate

If your Server Certificate is signed by an intermediate Certificate Authority, then you must install the intermediate Certificate Authority’s certificate on the NetScaler. This Intermediate Certificate then must be linked to the Server Certificate.

Sometimes the public Certificate Authority will give you the Intermediate certificate as one of the files in a bundle. If not, log into Windows and double-click the signed certificate.
On the Certification Path tab, double-click the intermediate certificate (e.g. Go Daddy Secure Certificate Authority. It’s the one in the middle).
On the Details tab, click Copy to File.
In the Welcome to the Certificate Export Wizard page, click Next.
In the Export File Format page, select Base-64 encoded and click Next.
Give it a file name and click Next.
In the Completing the Certificate Export Wizard page, click Finish.
In the NetScaler configuration GUI, expand Traffic Management, expand SSL, and click Certificates.
On the right, click Install.
Name it Intermediate or similar.
Browse locally for the Intermediate certificate file.
Click Install. You don’t need a key file.
Highlight the server certificate, open the Action menu and click Link.
The previously imported Intermediate certificate should already be selected. Click OK.

Create Certificate with NetScaler as Certificate Authority

If you don’t have an internal Certificate Authority, you can use NetScaler as a Certificate Authority. The NetScaler Certificate Authority can then be used to sign Server Certificates. This is a simple method for creating a new management certificate. The main problem with this method is that the NetScaler root certificate must be manually installed on any machine that connects to the NetScaler.

On the left, expand Traffic Management, and click SSL.
On the right, in the left column, click Root-CA Certificate Wizard.
In the Key Filename field, enter root.key or similar. This is a new file.
In the Key Size field, enter at least 2048.
Optionally, to encrypt the key file, change the PEM Encoding Algorithm to DES3, and enter a new password.
Click Create.
In the Request File Name field, enter root.csr or similar. This is a new file.
If the key file is encrypted, enter the password.
Scroll down.
In the State field, enter the non-abbreviated state name.
In the Organization Name field, enter the name of your organization.
Fill in other fields as desired.
In the Common Name field, enter a descriptive name for this Certificate Authority.
Click Create .
In the Certificate File Name field, enter root.cer or similar. This is a new file.
Change the Validity Period to 3650 (10 years) or similar.
If the key file is encrypted, enter the password in the PEM Passphrase field.
Click Create.
In the Certificate-Key Pair Name field, enter a friendly name for this Certificate Authority certificate.
If the key file is encrypted, enter the password in the Password field.
Click Create.
Click Done.
In the right pane, in the left column, click Server Certificate Wizard.
In the Key Filename field, enter mgmt.key or similar. This is a new file.
In the Key Size field, enter at least 2048.
Optionally, to encrypt the key file, change the PEM Encoding Algorithm to DES3, and enter a new password.
Click Create.
In the Request File Name field, enter mgmt.csr or similar. This is a new file.
If the key file is encrypted, enter the password.
Scroll down.
In the State field, enter the non-abbreviated state name.
In the Organization Name field, enter the name of your organization.
Fill in other fields as desired.
In the Common Name field, enter the hostname (FQDN) of the appliance.
Click Create.
In the Certificate File Name field, enter mgmt.cer or similar. This is a new file.
Change the Validity Period to 3650 (10 years) or similar.
Scroll down.
In the CA Certificate File Name field, browse to the root.cer file.
In the CA Key File Name field, browse to the root.key file.
If the key file is encrypted, enter the password.
In the CA Serial File Number field, enter the name of a new file that will contain serial numbers.
Click Create.
In the Certificate-Key Pair Name field, enter a friendly name for this management certificate.
If the key file is encrypted, enter the password in the Password field.
Click Create.
Click Done.

Replace Management Certificate

In NetScaler versions prior to 11.0 build 64, the default management certificate (ns-server-certificate) key size is only 512 bits.

If you try to use Internet Explorer to connect to the NSIP using SSL, Internet Explorer will consider 512 bits to be unsafe and probably won’t let you connect. Notice there’s no option to proceed.

You can configure Internet Explorer to accept the 512-bit certificate by running Certutil ‑setreg chain\minRSAPubKeyBitLength 512 on the same machine where Internet Explorer is running.

When you upgrade to 11.0 build 64 or newer, the management certificate remains at whatever was installed previously. If it was never replaced, then the management certificate is still only 512 bits. To replace the certificate with a new 2048-bit self-signed certificate, simply delete the existing ns-server-certificate certificate and reboot.

Go to Traffic Management > SSL.
On the right, in the right column, click Manage Certificates.
Highlight any file named ns-* and delete them. This takes several seconds.
Then go to System and reboot.
After a reboot the ns-server-certificate will be recreated as self-signed with 2048-bit key size.

Or you can create and bind a new management certificate. The key file and Certificate Signing Request are created using the normal means. You can use the NetScaler as your Certificate Authority or you can use an existing internal Certificate Authority. Citrix CTX135480 How to Change the Size of the NetScaler Certificate to More Than 1024 Bits.

Only one certificate will be loaded on both nodes in a High Availability pair so make sure the certificate matches the names of both nodes. This is easily doable using a Subject Alternative Name certificate. Here are some names the management certificate should match (note: a wildcard certificate won’t match all of these names):

The FQDN for each node NSIP in a High Availability pair. Example: ns01.corp.local and ns02.corp.local
The shortnames (left label) for each node NSIP in a High Availability pair. Example: ns01 and ns02
The NSIP IP address for each node in a High Availability pair. Example: 192.168.123.14 and 192.168.123.29
If you enabled management access on your SNIPs, add names for the SNIPs:
- FQDN for the SNIP. Example: ns.corp.local
- Shortname for the SNIP. Example: ns
- SNIP IP address. Example: 192.168.123.30

If you are creating a Subject Alternative Name certificate, it’s probably easiest to do the following:

Create the certificate using the Certificates snap-in on a Windows box. You can add the Subject Alternative Names in the certificate request wizard. The Subject Alternative Names for the IP addresses must be added as IP address (v4). The other Subject Alternative Names are added as DNS.
Export the certificate and Private Key to a .pfx file.
On the NetScaler, use the Import PKCS#12 tool to convert the .pfx to PEM format. Then follow one of the procedures below to replace the management certificate.

There are two methods of replacing the management certificate:

Use the Update Certificate button for ns-server-certificate in the NetScaler GUI. This automatically updates all of the Internal Services bindings too.
- You cannot rename the certificate in the NetScaler GUI. It remains as ns-server-certificate.
- If your new management certificate is a wildcard that you need to use for other SSL entities, then you will bind ns-server-certificate to those entities instead of a more descriptive name. You can’t re-upload the wildcard certificate again with a different GUI name.
Or manually Bind the new certificate to the Internal Services.

Update Certificate Method

The Update Certificate button method is detailed below:

You can’t update the certificate while connected to the NetScaler using https so make sure you connect using http.
On the left, expand Traffic Management, expand SSL and click Certificates.
On the right, highlight ns-server-certificate and click Update.
Check the box next to Click to update Certificate/Key.
Browse to the new management certificate. It could be on the appliance or it could be on your local machine.
If the PEM certificate is encrypted, enter the password.
Check the box next to No Domain Check. Click OK.
Click Yes to update the certificate.
You can now connect to the NetScaler using https protocol. The certificate should be valid and it should have a 2048 bit key.
Putty (SSH) to the appliance.
Run the following command to see the internal services.
show service –internal | grep –i "ns"
For each internal service, run the following command to disable SSL3. Replace ServiceName with the name of each internal service.
set ssl service ServiceName -ssl3 disabled
For each internal service, run the following command to remove RC4 ciphers. Replace ServiceName with the name of each internal service.
unbind ssl service ServiceName -cipherName RC4
Repeat this process on the second appliance.

Manual Binding Method

The manual Binding to Internal Services method is detailed below:

You can’t update the certificate while connected to the NetScaler using https so make sure you connect using http.
On the left, expand Traffic Management, expand SSL and click Certificates.
Use the Install button to install the certificate if you haven’t already done so.
On the right, highlight the new management certificate, open the Action menu and click Details.
Verify that the Public Key Size is now 2048. Click OK.
On the left, expand Traffic Management, expand Load Balancing and click Services.
On the right, switch to the Internal Services tab.
You will see multiple services. Edit one of them.
Scroll down and click where it says 1 Client Certificate.
Highlight the existing management certificate and click Unbind.
Click Yes to remove the selected entity.
Click Add Binding.
Click where it says Click to select.
Select the new management certificate and Select.
Click Bind and click Close.
Scroll to the SSL Parameters section and click the pencil icon.
Uncheck the box next to SSLv3. Make sure TLSv11 and TLSv12 are enabled. Click OK.
On the right, in the Advanced Settings column, click SSL Ciphers.
On the left, in the SSL Ciphers section, select the Cipher Group that has all RC4 ciphers removed and click OK. See Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated) for recommended ciphers.
If you see a warning about No usable ciphers, click OK and ignore it.
Repeat for the rest of the internal services.

Force Management SSL

By default, administrators can connect to the NSIP using HTTP or SSL. This section details how to disable HTTP.

Internet Explorer will not accept the default 512-bit management certificate included on the appliance so make sure you replace the default management certificate or use a different browser.

Connect to the NSIP using https.
On the left, expand System, expand Network and click IPs.
On the right, highlight your NetScaler IP and click Edit.
Near the bottom, check the box next to Secure access only and then click OK.
Repeat this on the secondary appliance.
Repeat for any SNIPs that have management access enabled.

SSL Certificate – Update

If your certificate is about to expire, do the following:

Create updated certificate files in PEM format. One option is to create a key file and Certificate Signing Request directly on the NetScaler. Another option is to convert a PFX file to a PEM file. Don’t install the certificate yet but instead simply have access to the key file and certificate file in PEM format.
In NetScaler, navigate to Traffic Management > SSL > Certificates.
On the right, highlight the certificate you intend to update and click Update.
Check the box next to Click to update the Certificate/Key.
Browse to the updated certificate and key files (if you imported a PFX then the certificate and key files are the same file).
Click Yes to update the certificate.
Click OK. This will automatically update every Virtual Server on which this certificate is bound.
Certificates can also be updated in Citrix Command Center.

↧

NetScaler Gateway 11 RADIUS Authentication

July 5, 2015, 4:02 pm

≫ Next: NetScaler 11 System Configuration

≪ Previous: NetScaler 11 Certificates

For two-factor authentication using Azure Multi-factor Authentication, see Jason Samuel How to deploy Microsoft Azure MFA & AD Connect with Citrix NetScaler Gateway

Citrix CTX125364 How to Configure Dual Authentication on NetScaler Gateway Enterprise Edition for Use with iPhone and iPad.

Two-factor authentication to NetScaler Gateway requires the RADIUS protocol to be enabled on the two-factor authentication product.

On your RADIUS servers you’ll need to add the NetScaler appliances as RADIUS Clients. When NetScaler uses a local (same appliance) load balanced Virtual Server for RADIUS authentication, the traffic is sourced from the NetScaler SNIP (Subnet IP). When NetScaler uses a direct connection to a RADIUS Server without going through a load balancing Virtual Server, or uses a remote (different appliance) Load Balancing Virtual Server, the traffic is sourced from the NetScaler NSIP (NetScaler IP). Use the correct IP(s) when adding the appliances as RADIUS Clients. And adjust firewall rules accordingly.

For High Availability pairs, if you locally load balance RADIUS, then you only need to add the SNIP as a RADIUS Client since the SNIP floats between the two appliances. However, if you are not locally load balancing RADIUS then you’ll need to add the NSIP of both appliances as RADIUS Clients. Use the same RADIUS Secret for both appliances.

When configuring the NetScaler Gateway Virtual Server, you can specify both a Primary authentication policy and a Secondary authentication policy. Users are required to successfully authenticate against both before being authorized for NetScaler Gateway.

For browser-based StoreFront, you need two authentication policies:

Primary = LDAPS authentication policy pointing to Active Directory Domain Controllers.
Secondary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.

For Native Citrix Receivers (non-browser including mobile), the authentication policies are swapped:

Primary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.
Secondary = LDAPS authentication policy pointing to Active Directory Domain Controllers.

If you need to support both web browsers (PCs) and mobile devices, you’ll need at least four authentication policies as shown below.

Primary:

Priority 90 = RADIUS policy. Expression = REQ.HTTP..HEADER User-Agent CONTAINS CitrixReceiver
Priority 100 = LDAP policy. Expression = REQ.HTTP..HEADER User-Agent NOTCONTAINS CitrixReceiver

Secondary:

Priority 90 = LDAP policy. Expression = REQ.HTTP..HEADER User-Agent CONTAINS CitrixReceiver
Priority 100 = RADIUS policy. Expression = REQ.HTTP..HEADER User-Agent NOTCONTAINS CitrixReceiver

The policies are detailed below:

Create an LDAP server.
For RADIUS, on the left, expand Authentication and click Dashboard.
On the right, click Add.
Change Choose Server Type to RADIUS.
Give the server a name.
Specify the IP address of the RADIUS load balancing Virtual Server.
Enter the secret key specified when you added the NetScalers as RADIUS clients on the RADIUS server. Click Create.
```
add authentication radiusAction RSA -serverIP 10.2.2.210 -serverPort 1812 -radKey Passw0rd
```
Since you can’t create authentication policies from the authentication dashboard, go to NetScaler Gateway > Policies > Authentication > RADIUS.
On the right, in the Policies tab, click Add.
Name it RSA-SelfService or similar.
Select the RADIUS server created earlier.
Enter an expression. You will need two policies with different expressions. The expression for Receiver Self-Service is HTTP.HEADER User-Agent CONTAINS CitrixReceiver.

Click Create.

add authentication radiusPolicy RSA-Web "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" RSA

add authentication radiusPolicy RSA-SelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" RSA

add authentication ldapPolicy Corp-Gateway-Web "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" Corp-Gateway

add authentication ldapPolicy Corp-Gateway-SelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" Corp-Gateway

Create another policy to match the ones shown below. Both RADIUS policies are configured with the same RADIUS server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS):

Name Expression Server

RSA-SelfService REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver RSA

RSA-Web REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver RSA
Go to the NetScaler Gateway\Policies\Authentication\LDAP node.
On the Policies tab, create two policies with the expressions shown below. Both LDAP policies are configured with the same LDAP server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS).

Name Expression Server

LDAP-Corp-SelfService REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver LDAP-Corp

LDAP-Corp-Web REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver LDAP-Corp

When you create the NetScaler Gateway Virtual Server, bind the policies as shown in the following table. Priority doesn’t matter because they are mutually exclusive.

Policy Name	Type	Bind Point
LDAP-Corp-Web	LDAP	Primary
RSA-SelfService	RADIUS	Primary
LDAP-Corp-SelfService	LDAP	Secondary
RSA-Web	RADIUS	Secondary

bind vpn vserver gateway.corp.com -policy Corp-Gateway-Web -priority 100

bind vpn vserver gateway.corp.com -policy RSA-SelfService -priority 110

bind vpn vserver gateway.corp.com -policy RSA-Web -priority 100 -secondary

bind vpn vserver gateway.corp.com -policy Corp-Gateway-SelfService -priority 110 -secondary

The session policy for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. On the Client Experience tab is Credential Index. This needs to be changed to SECONDARY. Leave the session policy for Web Browsers set to Primary.
```
set vpn sessionAction "Receiver Self-Service" -ssoCredential SECONDARY
```
On the StoreFront server, when creating the NetScaler Gateway object, change the Logon type to Domain and security token.

↧

NetScaler 11 System Configuration

July 5, 2015, 6:32 pm

≫ Next: Horizon View Load Balancing – NetScaler 11

≪ Previous: NetScaler Gateway 11 RADIUS Authentication

Navigation

This page contains the following topics:

= Recently Updated

Customer User Experience Improvement Program

You might be prompted to enable the Customer User Experience Improvement Program. Either click Enable or click Skip.
You can enable or disable Customer Experience Improvement Program by going to System > Settings.
On the right is Change CUXIP Settings.
Make your selection and click OK.

set system parameter -doppler ENABLED

Welcome Wizard

NetScaler has a Welcome! Wizard that lets you set the NSIP, hostname, DNS, licensing, etc. It appears automatically the first time you login.

Click the Subnet IP Address box.
You can either enter a SNIP for one of your interfaces or you can click Do it later.
```
add ns ip 172.16.1.11 255.255.255.0 -type SNIP
```
Click the Host Name, DNS IP Address, and Time Zone box.
Enter a hostname. Your NetScaler Gateway Universal licenses are allocated to this hostname. In a High Availability pair each node can have a different hostname.
Enter one or more DNS Server IP addresses. Use the plus icon on the right to add more servers.
Change the time zone to GMT-05:00-CDT-America/Chicago or similar.

Click Done.

set ns hostname ns02

add dns nameServer 192.168.123.11

set ns param -timezone "GMT-05:00-CDT-America/Chicago"

Click Yes to save and reboot.
Click the Licenses box.
You can click Add New License to license the appliance now. Or do it later.

On the far right side of the screen is displayed the Host ID you need when allocating licenses.

License files are stored in /nsconfig/license.
Then click Continue.

Licensing – VPX Mac Address

To license a NetScaler VPX appliance, you will need its MAC address.

One method is to look in the GUI.
In the right pane, look down for the Host Id field. This is the MAC address you need for license allocation.
Or go to System > Licenses.
On the right, click Manage Licenses.
Click Add New License.
On the far right side of the screen the Host ID is displayed.
Another option is to SSH to the appliance and run shell.
Then run lmutil lmhostid. The MAC address is returned.

Licensing – Citrix.com

Login to citrix.com.
Click Activate and Allocate Licenses.
Check the box next to a Citrix NetScaler license and click Continue.
If this is a NetScaler MPX license then there is no need to enter a host ID for this license so click Continue. If this is a NetScaler VPX license, enter the lmutil lmhostid MAC address into the Host ID field and click Next.

For a VPX appliance, you can also get the Host ID by looking at the System Information page.
Click Confirm.
Click OK when asked to download the license file.
Click Download.
Click Save and put it somewhere where you can get to it later.
If you purchased NetScaler Gateway Universal Licenses, allocate them. These licenses can come from XenMobile Enterprise, XenApp/XenDesktop Platinum Edition, NetScaler Platinum Edition, or a la carte.
Enter your appliance hostname as the Host ID for all licenses.
Click Confirm.
Click OK when prompted to download your license file.
Click Download.
Click Save.
If you have two appliances in a High Availability pair with different hostnames then you will need to return the NetScaler Gateway Universal licenses and reallocate them to the other hostname.

Install Licenses on Appliance

In the NetScaler Configuration GUI, on the left, expand System and click Licenses.
On the right, click Manage Licenses.
Click Add New License.
If you have a license file, select Upload license files from a local computer and then click Browse.

License files are stored in /nsconfig/license.
Click Reboot when prompted. Login after the reboot.
After rebooting, the Licenses node should look something like this. Notice that Maximum ICA Users Allowed is set to Unlimited.
Note: the NetScaler SNMP counter allnic_tot_rx_mbits must remain less than the licensed bandwitdh or else packets will drop.

Upgrade Firmware

Citrix CTX127455 – How to Upgrade Software of the NetScaler Appliances in a High Availability Setup

Download firmware. Ask your Citrix Partner or Citrix Support TRM for recommended versions and builds. At the very least, watch the Security Bulletins to determine which versions and builds resolve security issues. You can also subscribe to the Security Bulletins at http://support.citrix.com by clicking the Alerts link on the top right.
Make sure you Save the config before beginning the upgrade.
Transferring the firmware upgrade file to the appliance will be slow unless you license the appliance first. An unlicensed appliance will reduce the maximum speed to 1 Mbps.
Start with the Secondary appliance.
Before upgrading the appliance, consider using WinSCP or similar to back up the /flash/nsconfig directory.
In the NetScaler GUI, with the top left node (System) selected, click, click System Upgrade.
Browse to the build…tgz file. If you haven’t downloaded firmware yet then you can click the Download Firmware link.
Click Upgrade.
The firmware will upload.
You should eventually see a System Upgrade window with text in it. Click Yes when prompted to reboot.
Once the Secondary is done, login and failover the pair.
Then upgrade the firmware on the former Primary.

To install firmware by using the command-line interface

To upload the software to the NetScaler Gateway, use a secure FTP client (e.g. WinSCP) to connect to the appliance.
Copy the software from your computer to the /var/nsinstall directory on the appliance.
Open a Secure Shell (SSH) client (e.g. Putty) to open an SSH connection to the appliance.
At a command prompt, type shell.
At a command prompt, type cd /var/nsinstall to change to the nsinstall directory.
To view the contents of the directory, type ls.
To unpack the software, type tar -xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
To start the installation, at a command prompt, type ./installns.
When the installation is complete, restart NetScaler.
When the NetScaler restarts, at a command prompt type what or show version to verify successful installation.

High Availability

Configure High Availability as soon as possible so almost all configurations are synchronized across the two appliances. The exceptions are mainly network interface configurations.

High Availability will also sync files between the two appliances. See CTX138748 File Synchronization in NetScaler High Availability Setup for more information.

Prepare the secondary appliance:
1. Configure a NSIP but don’t configure a SNIP. You can click Do It Later to skip the wizard.
2. License the secondary appliance.
3. Upgrade firmware on the secondary appliance.
On the primary appliance, on the left, expand System, expand Network and click Interfaces.
On the right, look for any interface that is currently DOWN. You need to disable those disconnected interfaces before enabling High Availability. Right-click the disconnected interface and click Disable. Repeat for the remaining disconnected interfaces.
```
show interface
disable interface 1/1
```
On the left, expand System and click High Availability.
On the right, click Add.
Enter the other NetScaler’s IP address.
Enter the other NetScaler’s login credentials and click Create.

add ha node 1 192.168.123.14

Note: this command must be run separately on each appliance.
If you click the refresh icon near the top right, Synchronization State will probably say IN PROGRESS.

Eventually it will say SUCCESS.
If you login to the Secondary appliance, you might see a message warning you against making changes. Always apply changes to the Primary appliance.
To enable Fail-safe mode, on the right, edit Node ID 0 (the local appliance).
Under Fail-safe Mode, check the box next to Maintain one primary node even when both nodes are unhealthy. Scroll down and click OK.
set ha node -failSafe ON
Run “sh ha node” to see the status. You should see heartbeats on all interfaces. If not, configure VLANs as detailed in the next section.
You can force failover of the primary appliance by opening the Actions menu and clicking Force Failover.

force ha failover

If your firewall (e.g. Cisco ASA) doesn’t like Gratuitous ARP, see CTX112701 – The Firewall Does not Update the Address Resolution Protocol Table

Multiple Interfaces – VLANs

You should never connect multiple interfaces to a single VLAN unless you are bonding the interfaces using LACP, Channel, or the new Interface Pair feature, or the new Redundant Interface Set feature. See Webinar: Troubleshooting Common Network Related Issues with NetScaler

Note: A Redundant Interface Set is configured almost identically to a Channel except that the Channel ID starts with LR instead of LA.

If you only have one interface (one VLAN) then skip this section.

You will need one SNIP for each connected network. VLAN objects (tagged or untagged) bind the SNIPs to particular interfaces.

If the appliance is connected to both DMZ and internal then be aware that this configuration essentially bypasses (straddles) the DMZ-to-internal firewall.

The NSIP subnet is special so you won’t be able to bind it to a VLAN. Use the following SNIP/VLAN method for any network that does not have the NSIP. The remaining interfaces will be in VLAN 1, which is the VLAN that the NSIP is in. VLAN 1 is only locally significant so it doesn’t matter if the switch is configured with it or not. Just make sure the switch has a native VLAN configured, or configure the interface as access port. If you require trunking of every VLAN, including the NSIP VLAN, then additional configuration is required (NSVLAN or Tagall).

On the left, expand System and click Settings.
On the right, in the left column, click Configure modes.
Check the box next to MAC Based Forwarding and click OK. This configures the NetScaler to respond on the same interface the request came in on and thus bypasses the routing table. This setting can work around misconfigured routing tables. More info on MAC Based Forwarding can be found at Citrix CTX1329532 FAQ: Citrix NetScaler MAC Based Forwarding (MBF).

enable mode mbf
Add a subnet IP for every network the NetScaler is connected to. Expand System, expand Network, and click IPs.
On the right, click Add.
Enter the Subnet IP Address for this network. This is the source address the NetScaler will use when communicating with any other service on this network. The Subnet IP can also be referred to as the Interface IP for the network. You will need a separate SNIP for each connected network (VLAN).
Enter the netmask for this network. When you create a VLAN object later, all IPs on this subnet will be bound to an interface.
Ensure the IP Type is set to Subnet IP. Scroll down.

add ns ip 172.16.1.11 255.255.255.0 -type SNIP
Under Application Access Controls decide if you want to enable GUI management on this SNIP. This is particularly useful for High Availability pairs because when you point your browser to the SNIP only the primary appliance will respond. However, enabling management access on the SNIP can be a security risk, especially if this is a SNIP for the DMZ network.
Click Create when done. Continue adding SNIPs for each connected network (VLAN).

set ns ip 172.16.1.11 -mgmtAccess ENABLED -telnet DISABLED -ftp DISABLED
On the left, expand System, expand Network and click VLANs.
On the right, click Add.
Enter a descriptive VLAN Id. The actual VLAN ID only matters if you intend to tag the traffic. If not tagged then any ID will work.
Check the box next to the physical interface that is connected to the network. You can put multiple VLANs on the same physical interface if you tag the VLANs. Select Tagged if needed.
- If your switches do not allow untagged packets then you will need to use the tagall interface option to tag NetScaler High Availability heartbeat packets. See CTX122921 – Citrix NetScaler Interface Tagging and Flow of High Availability Packets
Switch to the IP Bindings tab.
Check the box next to the Subnet IP for that network. This lets NetScaler know which interface is used for which IP subnet. Click Create when done.
```
add vlan 50
bind vlan 50 -ifnum 1/1 -IPAddress 172.16.1.11 255.255.255.0
```
The default route should use the router in the DMZ, not the internal router. Most likely the default route is set to an internal router. On the left, expand System, expand Network and click Routes.
On the right, click Add.
Internal networks are only accessible through an internal router. Add a static route to the internal networks and set the Gateway to an internal router. Then click Create.

add route 192.168.0.0 255.255.0.0 192.168.123.1
On the right, delete the 0.0.0.0 route. Don’t do this unless the NetScaler has a route to the IP address of the machine you are running the NetScaler Configuration Utility on.

rm route 0.0.0.0 0.0.0.0 192.168.123.1
Then click Add.
Set the Network to 0.0.0.0 and the Netmask to 0.0.0.0. Enter the IP address of the DMZ router and click Create.

add route 0.0.0.0 0.0.0.0 172.16.1.1

DNS Servers

To configure DNS servers, expand Traffic Management, expand DNS and click Name Servers.
On the right, click Add.
Enter the IP address of a DNS server and click Create.
The NetScaler must be able ping each of the DNS servers or they will not be marked as UP. The ping originates from the SNIP. If you are unwilling to enable Ping then you will need to load balance your DNS servers on the local NetScaler appliance.

add dns nameServer 192.168.123.11

NTP Servers

Citrix Knowledgebase Article CTX120952 – How to Configure Network Time Protocol on NetScaler Software Release 9.0 and Later

On the left, expand System and click NTP Servers.
On the right, click Add.
Enter the IP Address of your NTP Server (or pool.ntp.org) and click Create.

add ntp server pool.ntp.org
Open the Action menu and click NTP Synchronization.
Select ENABLED and click OK.

enable ntp sync
You can click the System node to view the System Time.
Putty to the NetScaler appliances. Run date to set the time. Run date –help to see the syntax.
Ntpdate –u pool.ntp.org will cause an immediate NTP time update.

Citrix Knowledgebase article CTX200286 – NTP Configuration on NetScaler to Avoid Traffic Amplification Attack:

Replace the following line in /etc/ntp.conf file, if it exists:
> restrict default ignore

Add the following lines in file /etc/ntp.conf:

# By default, exchange time with everybody, but don't allow configuration:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely:

restrict 127.0.0.1
restrict ::1

Restart NTP using the following commands:

root@ns# ps -aux |grep "ntp"
root@ns# kill <PID obtained from step above>
root@ns# /usr/sbin/ntpd -g -c /flash/nsconfig/ntp.conf

Citrix Knowledgebase Article CTX200355 – Citrix Security Advisory for NTP Vulnerabilities: By default, NTP is disabled on the NetScaler and, as such, is not vulnerable to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. However, in deployments where customers have enabled NTP on the appliance, it is likely that these vulnerabilities will impact NetScaler.

We recommend that customers apply the following remediation:

Open the NetScaler’s ntp.conf file in /etc and add the following lines:

restrict -4 default notrap nopeer nomodify noquery

restrict -6 default notrap nopeer nomodify noquery

In addition to adding the above two lines, all other ‘restrict‘ directives should be reviewed to ensure that they contain both ‘nomodify‘ and ‘noquery‘ and that the file contains no ‘crypto‘ directives.

When this editing is complete, save the file and copy it to the /nsconfig directory. The NTP service must then be restarted for the changes to take effect. As with all changes, Citrix recommends that this is evaluated in a test environment prior to releasing to production.

SYSLOG Server

Citrix CTX120609 NetScaler Log Rotation and Configuration Using Newsyslog

The NetScaler will by default store a few syslogs on the local appliance. You can create a syslog policy to also send the syslog entries to an external server, like Citrix Command Center.

On the left, expand System, expand Auditing, and click Syslog.
On the right, switch to the Servers tab and click Add.
Enter a name for the Syslog server.
Specify the IP Address of the SYSLOG server, 514 as the port, and the Log Levels you’d like to send to it.
Check the box for TCP Logging if you want the client IP. Note: TCP Logging requires significant disk space on the Syslog server.
Select your desired Time Zone and then click Create.

add audit syslogAction CommandCenter 192.168.123.12 -logLevel ALL -timeZone LOCAL_TIME
On the right, switch to the Policies tab and then click Add.
Give the policy a descriptive name, select the Syslog server, and then click Create.

add audit syslogPolicy CommandCenter ns_true CommandCenter
While still on the Policies tab, open the Actions menu and click Global Bindings.
Click the arrow next to Click to select.
Select the Syslog policy you want to bind and click Select.
Click Bind.
Select the Syslog policy you want to bind and click Select.
Then click Bind.
Click Done.

bind system global CommandCenter -priority 100

SNMP – MIB, Traps, and Alarms

On the left, expand System and click SNMP.
On the right, click Change SNMP MIB.
Change the fields as desired. Your SNMP tool (e.g. Citrix Command Center) will read this information. Click OK.

set snmp mib -contact NSAdmins@corp.com -name ns02 -location Corp
Expand System, expand SNMP, and click Community.
On the right, click Add.
Specify a community string and the Permission and click Create.

add snmp community public GET
On the left, under SNMP, click Traps.
On the right, click Add.

Specify a trap destination and Community Name and click Create.

add snmp trap generic 192.168.123.12 -communityName public
add snmp trap specific 192.168.123.12 -communityName public

On the left, under SNMP, click Managers.
On the right, click Add. Note: if you do not add a manager then the NetScaler will accept SNMP queries from all SNMP Managers on the network.
Change the selection to Management Network.
Specify the IP of the Management Host and click Create.

add snmp manager 192.168.123.12
The Alarms node allows you to enable SNMP Alarms and configure thresholds.
You can open an alarm to set thresholds. For example, CPU-USAGE can be set to 90% alarm and 50% normal with a Critical severity.

set snmp alarm CPU-USAGE -thresholdValue 90 -normalValue 50 -severity Critical
You can also configure the MEMORY alarm.

set snmp alarm MEMORY -thresholdValue 90 -normalValue 50 -severity Critical

From http://www.slideshare.net/masonke/net-scaler-tcpperformancetuningintheaolnetwork: In addition to the usual OIDs, we have found these very useful to warn of potential problems.

ifTotXoﬀSent – .1.3.6.1.4.1.5951.4.1.1.54.1.43
ifnicTxStalls – .1.3.6.1.4.1.5951.4.1.1.54.1.45
ifErrRxNoBuﬀs – .1.3.6.1.4.1.5951.4.1.1.54.1.30
ifErrTxNoNSB – .1.3.6.1.4.1.5951.4.1.1.54.1.31

Call Home

Citrix Blog Post – Protect Your NetScaler From Disaster With Call Home!: If you have a physical NetScaler (MPX or SDX) with an active support contract, you many optionally enable Call Home to automatically notify Citrix Technical Support of hardware and software failures.

On the left, expand System and click Diagnostics.
On the right, in the left column, in the Technical Support Tools section, click Call Home.
Check the box next to Enable Call Home.
Optionally enter an email address to receive notifications from Citrix Technical Support. Click OK.
If you go back into Call Home, it should indicate if registration succeeded or failed. Successful registration requires an active support contract.

Change nsroot Password

Expand System, expand User Administration and click Users.
On the right, right-click nsroot and click Change Password.
Specify a new password and click OK.

set system user nsroot Passw0rd

TCP, HTTP, SSL, and Security Settings

Citrix whitepaper – Secure Deployment Guide for NetScaler MPX, VPX, and SDX Appliances

Citrix Knowledgebase articles:

On the left, expand System and click Settings.
On the right side of the right pane, click Change TCP parameters.
Check the box for Window scaling (near the top).
Scroll down and check the box for Selective Acknowledgement. Click OK.

set ns tcpParam -WS ENABLED -SACK ENABLED
On the right, click Change HTTP parameters.
Under Cookie, change the selection to Version1. This causes NetScaler to set Cookie expiration to a relative time instead of an absolute time.

set ns param -cookieversion 1
Check the box next to Drop invalid HTTP requests.
Scroll down and click OK.

set ns httpParam -dropInvalReqs ON

You can run the following command to see statistics on the dropped packets:

nsconmsg -g http_err_noreuse_ -d stats
Implement Responder policies to prevent Shellshock attack against back-end web servers. See Citrix CTX200277 NetScaler Defends Against Shellshock Attack.

add audit messageaction ShellShock_Log CRITICAL "\"The request was sent from \" +CLIENT.IP.SRC + \" Bash Code Injection Vulnerability\"" -bypassSafetyCheck YES

add responder policy ShellShock_policy "HTTP.REQ.FULL_HEADER.REGEX_MATCH(re/\(\)\s*{/) || HTTP.Req.BODY(1000).REGEX_MATCH(re/\(\)\s*{/) || HTTP.REQ.URL.QUERY.REGEX_MATCH(re/\(\)(\s*|\++){/) || HTTP.REQ.BODY(1000).REGEX_MATCH(re#%28%29[+]*%7B#)" DROP ‑logAction ShellShock_Log

bind responder global ShellShock_policy 10 END -type REQ_DEFAULT

The following security configurations are detailed by Jason Samuel at Mitigating DDoS and brute force attacks against a Citrix Netscaler Access Gateway:

Maximum logon attempts on NetScaler Gateway Virtual Server
Rate Limiting for IP.SRC and HTTP.REQ.URL.
nstcp_default_XA_XD_profile TCP profile on the NetScaler Gateway Virtual Server.
Syslog logging
External website monitoring
Obfuscate the Server header in the HTTP response
Disable management access on SNIPs
Change nsroot strong password, use LDAP authentication, audit local accounts
Don’t enable Enhanced Authentication Feedback
SSL – disable SSLv3, deny SSL renegotiation, enable ECDHE ciphers, disable RC4 ciphers. Also see Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated) .
2-factor authentication
Command Center and Insight Center
Review IPS/IDS & Firewall logs

Management Authentication

Load balancing of authentication servers is strongly recommended since during an authentication attempt only one LDAP server is chosen. If you instead bound multiple LDAP servers it would try all of them and for incorrect passwords will lock out the user sooner than expected.

Expand System, expand Authentication, and then click LDAP.
On the right, switch to the Servers tab. Then click Add.
Enter LDAPS-Corp-Mgmt or similar as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain so make sure you include the domain name. Also, the LDAP policy used for management authentication will be different than the LDAP policy used for NetScaler Gateway.
Change the selection to Server IP. Enter the VIP of the NetScaler load balancing vServer for LDAP.
Change the Security Type to SSL.
Enter 636 as the Port. Scroll down.
In the Connection Settings section, enter your Active Directory DNS domain name in LDAP format as the Base DN.
Enter the credentials of the LDAP bind account in userPrincipalName format.
Check the box next to BindDN Password and enter the password. Scroll down.
In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
On the right, check the box next to Allow Password Change.
It is best to restrict access to only members of a specific group. In the Search Filter field, enter memberOf=<GroupDN>. See the example below:
memberOf=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local

You can add :1.2.840.113556.1.4.1941: to the query so it searches through nested groups. Without this users will need to be direct members of the filtered group.

memberOf:1.2.840.113556.1.4.1941:=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local

Citrix 132802 How to Use the ldapsearch Utility on the NetScaler Gateway Enterprise Edition Appliance to Validate a Search Filter

An easy way to get the full distinguished name of the group is through Active Directory Administrative Center. Double-click the group object and switch to the Extensions page. On the right, switch to the Attribute Editor tab.

Scroll down to distinguishedName, double-click it and then copy it to the clipboard.

Back on the NetScaler, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
Scroll down and click Nested Group Extraction to expand it.
If desired, change the selection to Enabled.
Set the Group Name Identifier to samAccountName.
Set Group Search Attribute to –<< New >>– and enter memberOf.
Set Group Search Sub-Attribute to –<< New >>– and enter CN.
Example of LDAP Nested Group Search Filter Syntax

Scroll down and click Create.

add authentication ldapAction Corp-Mgmt -serverIP 10.2.2.210 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=NetScaler Admins,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED

Switch to the Policies tab and click Add.
Enter the name LDAPS-Corp-Mgmt or similar.
Select the previously created LDAPS-Corp-Mgmt server.
On the bottom, in the Expressions area, type in ns_true.

Click Create.

add authentication ldapPolicy Corp-Mgmt ns_true Corp-Mgmt

Click Global Bindings in the right pane.
Click where it says Click to select.
Select the newly created LDAP policy and click Select.
Click Bind.
Click Done.
```
bind system global Corp-Mgmt
```
Under System, expand User Administration and click Groups.
On the right, click Add.
In the Group Name field, enter the case sensitive name of the Active Directory group containing the NetScaler administrators.
In the Command Policies section, click Insert.
Select the superuser policy and click Insert.

Click Create.

bind system group "NetScaler Admins" -policyName superuser 100

Now you should be able to login to NetScaler using an Active Directory account.

Backup and Restore

11.0 build 64 has an improved backup and restore mechanism.

Go to System > Backup and Restore.
On the right, click the Backup button.
Give the backup file a name.
For Level, select Full and click Backup.
Once the backup is complete, you can download the file.

To restore:

If you want to restore the system and if the backup file is not currently on the appliance, you click the Backup button. Yes, this seems backwards.
Change the selection to Add.
Browse Local to the previously downloaded backup file.
Then click Backup. This uploads the file to the appliance and adds it to the list of backup files.
Now you can right-click the backup and click Restore.

Next Steps

Return to NetScaler Procedures list

↧

Horizon View Load Balancing – NetScaler 11

July 8, 2015, 3:26 pm

≫ Next: Global Server Load Balancing (GSLB) – NetScaler 11

≪ Previous: NetScaler 11 System Configuration

Navigation

Use this procedure to load balance Horizon View Connection Servers, Horizon View Security Servers, and/or VMware Access Points.

Overview

A typical Horizon View Installation will have at least six connection servers:

Two Internal View Connection Servers – these need to be load balanced on an internal VIP
Two DMZ View Security Servers – these need to be load balanced on a DMZ VIP
The DMZ View Security Servers are paired with two additional internal View Connection Servers. There is no need to load balance the internal Paired Connection Servers. However, we do need to monitor them.

If you are using Access Points instead of Security Servers then you’ll have the following machines. Server pairing is not necessary.

Two Internal View Connection Servers – these need to be load balanced on an internal VIP
Two DMZ VMware Access Point appliances – these need to be load balanced on a DMZ VIP

This topic is focused on traditional View Security Servers but could be easily adapted for Access Point appliances. The difference is that with Access Points there are no paired servers and thus there’s no need to monitor the paired servers. The VIP ports are identical for both solutions.

This topic primarily focuses on NetScaler GUI configuration. Alternatively, you can skip directly to the CLI commands.

Monitors

Users connect to Horizon View Connection Server, Horizon View Security Server, and Access Point appliances on four ports: TCP 443, TCP 8443, TCP 4172, and UDP 4172. Users will initially connect to port 443 and then be redirected to one of the other ports on the same server initially used for the 443 connection. If one of the ports is down, the entire server should be removed from load balancing. To facilitate this, create a monitor for each of the ports (except UDP 4172).

Note: TLS 1.0 is disabled in Horizon View 6.2.1. If you are running NetScaler VPX, which doesn’t support TLS 1.2 on the back end, then you’ll need to enable TLS 1.0 (and HTML Blast) in Horizon View or else the monitors won’t work.

In NetScaler VPX 11.0 build 64, secure HTTP monitors attached to SSL_BRIDGE services try to use TLS 1.2 instead of TLS 1.0. To fix this problem, run set ssl parameter -svctls1112disable enable -montls1112disable enable as detailed at CTX205578 Back-End Connection on TLS 1.1/1.2 from NetScaler to IIS Servers Break.

On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
On the right, click Add.
Name it View-PCOIP or similar.
Change the Type drop-down to TCP.
In the Destination Port field, enter 4172.
Scroll down and click Create.
On the right, click Add.
Name it View-Blast or similar.
Change the Type drop-down to TCP.
In the Destination Port field, enter 8443.
Scroll down and click Create.
On the right, click Add.
Name it View-SSL or similar.
Change the Type drop-down to HTTP-ECV.
In the Destination Port field, enter 443.
Scroll down and check the box next to Secure.
On the Special Parameters tab, in the Send String section, enter GET /broker/xml
In the Receive String section, enter clientlaunch-default
Scroll down and click Create.
Note: this step does not apply to Access Points. View Security Servers are paired with View Connection Servers. If the paired View Connection Server is down, then we should probably stop sending users to the corresponding View Security Server. Let’s create a monitor that has a specific IP address in it. Right-click the existing View-SSL monitor and click Add.
Note: this step does not apply to Access Points. Normally a monitor does not have any Destination IP defined, which means it uses the IP address of the service that it is bound to. However, we intend to bind this monitor to the View Security Server but we need it to monitor the paired View Connection Server, which is a different IP address. Type in the IP address of the paired View Connection Server. Then rename the monitor so it includes the View Connection Server name.
Note: this step does not apply to Access Points. Since we are embedding an IP address into the monitor, you have to create a separate monitor for each paired View Connection Server IP.

Servers

Create Server Objects for the DMZ Security Servers, DMZ Access Point appliances and the internal non-paired Connection Servers. Do not create Server Objects for the Paired Connection Servers.

On the left, expand Traffic Management, expand Load Balancing, and click Servers.
On the right, click Add.
Enter a descriptive server name, usually it matches the actual server name.
Enter the IP address of the View Connection Server or View Security Server.
Enter comments to describe the server. Click Create.
Continue adding View Connection Servers or View Security Servers.

Services

For Internal Connection Servers (not the paired servers), load balancing monitoring is very simple:

Create services for SSL 443
To verify server availability, monitor port TCP 443 on the same server.
If tunneling is disabled then internal users connect directly to View Agents and UDP/TCP 4172 and TCP 8443 are not used on Internal Connection Servers. There’s no need to create services and monitors for these ports.

Security Servers and Access Point appliances are more complex:

The PCoIP Secure Gateway and HTML Blast Secure Gateway are typically enabled on Security Servers and Access Points but they are not typically enabled on internal Connection Servers.
All traffic initially connects on TCP 443. For Security Servers and Access Points, the clients then connect to UDP 4172 or TCP 8443 on the same Security Server or Access Point. If UDP 4172 or TCP 8443 are down, then you probably want to make sure TCP 443 is also brought down.
Each Security Server is paired with an internal Connection Server. If the internal Connection Server is down then the Security Server should be taken down.
To accommodate these failure scenarios, bind multiple monitors to the View Security Server. If any of the monitors fails then NetScaler will no longer forward traffic to 443 on that particular server.

If you have two View Security Servers (or Access Points) named VSS01 and VSS02, the configuration is summarized as follows (scroll down for detailed configuration):

Server = VSS01, Protocol = SSL_BRIDGE, Port = 443
- Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
- Monitor = SSL (443) for paired View Connection Server VCS01. This monitor is not needed on Access Points.
Server = VSS02, Protocol = SSL_BRIDGE, Port = 443
- Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
- Monitor = SSL (443) for paired View Connection Server VCS02. This monitor is not needed on Access Points.
Server = VSS01, Protocol = TCP, Port = 4172
- Monitor = PCoIP (TCP 4172)
Server = VSS02, Protocol = TCP, Port = 4172
- Monitor = PCoIP (TCP 4172)
Server = VSS01, Protocol = UDP, Port = 4172
- Monitor = PCoIP (TCP 4172)
Server = VSS02, Protocol = UDP, Port = 4172
- Monitor = PCoIP (TCP 4172)
Server = VSS01, Protocol = SSL_BRIDGE, Port = 8443
- Monitor = Blast (8443)
Server = VSS02, Protocol = SSL_BRIDGE, Port = 8443
- Monitor = Blast (8443)

If you are not using HTML Blast then you can skip 8443. If you are not using PCoIP Secure Gateway, then you can skip the 4172 ports.

On the left, expand Traffic Management, expand Load Balancing, and click Services.
On the right, click Add.
Give the Service a descriptive name (e.g. svc-VSS01-SSL).
Change the selection to Existing Server and select the View Security Server or internal (non-paired) View Connection Server you created earlier.
Change the Protocol to SSL_BRIDGE and click OK.
On the left, in the Monitors section, click where it says 1 Service to Load Balancing Monitor Binding.
Ignore the current monitor and click Add Binding.
Click the arrow next to Click to select.
Select the View-SSL monitor and click Select.
Then click Bind.
If this server will host PCoIP Secure Gateway and/or Blast Secure Gateway, add monitors for them too. If any of those services fails, then 443 needs to be marked DOWN.
If this is a View Security Server, also add a monitor that has the IP address of the paired View Connection Server. If the paired View Connection Server is down, then stop sending connections to this View Security Server.
The Last Response should indicate Success. If you bound multiple monitors to the Service, then the member will only be UP if all monitors succeed. There’s a refresh button on the top-right. Click Close when done.
Then click Done.
Right-click the first service and click Add.
Change the name to match the second View Server.
Select Existing Server and use the Server drop-down to select to the second View Server.
The remaining configuration is identical to the first server. Click OK.
You will need to configure the monitors again. They will be identical to the first server except for the monitoring of the paired View Connection Server. Click Done when done.
Add another Service for PCoIP on TCP 4172.
1. Name = svc-VSS01-PCoIPTCP or similar.
2. Server = Existing Server, select the first View Server.
3. Protocol = TCP
4. Port = 4172.
5. Monitors = View-PCoIP. You can add the other monitors if desired.
Repeat for the 2^nd View Security Server.
Add another Service for PCoIP on UDP 4172.
1. Name = svc-VSS01-PCoIPUDP or similar.
2. Existing Server = first View Server
3. Protocol = UDP
4. Port = 4172.
5. Monitors = View-PCoIP. You can add the other monitors if desired.
Repeat for the 2^nd View Server.
Add another Service for HTML Blast on SSL_BRIDGE 8443.
1. Name = svc-VSS01-HTMLBlast or similar.
2. Existing Server = the first View Server
3. Protocol = SSL_BRIDGE
4. Port = 8443.
5. Monitors = View-Blast. You can add the other monitors if desired.
Repeat for the 2^nd View Server.
The eight services should look something like this:
Repeat these instructions to add the internal (non-paired) View Connection Servers except that you only need to add services for SSL_BRIDGE 443 and only need monitoring for 443.

Load Balancing Virtual Servers

Create separate load balancers for internal and DMZ.

Internal load balances the two non-paired Internal View Connections Servers.
DMZ load balances the two View Security Servers or Access Point appliances.

The paired View Connection Servers do not need to be load balanced.

For the internal View Connection Servers you only need a load balancer for SSL_BRIDGE 443. If tunneling is disabled then you don’t need load balancers for the other ports (UDP/TCP 4172 and SSL_BRIDGE 8443).

However, tunneling is enabled on the View Security Servers so you will need separate load balancers for each port number. Here is a summary of the Virtual Servers:

Virtual Server on SSL_BRIDGE 443 – bind both View SSL Services.
Virtual Server on UDP 4172 – bind both View PCoIPUDP Services.
Virtual Server on TCP 4172 – bind both View PCoIPTCP Services.
Virtual Server on SSL_BRIDGE 8443 – bind both View Blast Services.

Do the following to create the Virtual Servers:

On the left, under Traffic Management > Load Balancing, click Virtual Servers.
On the right click Add.
Name it View-SSL-LB or similar.
Change the Protocol to SSL_BRIDGE.
Specify a new internal VIP. This one VIP will be used for all of the Virtual Servers.
Enter 443 as the Port.
Click OK.
On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server Service Binding.
Click the arrow next to Click to select.
Select the two View-SSL Services and click Select.
Click Bind.
Click Continue.
Then click Done. Persistency will be configured later.
If this is a View Security Server or Access Point or if tunneling is enabled then create another Load Balancing Virtual Server for PCoIP UDP 4172:
1. Same VIP as the 443 Load Balancer.
2. Protocol = UDP, Port = 4172
3. Services = the PCoIP UDP Services.
If this is a View Security Server or Access Point or if tunneling is enabled then create another Load Balancing Virtual Server for PCoIP TCP 4172:
1. Same VIP as the 443 Load Balancer.
2. Protocol = TCP, Port = 4172
3. Services = the PCoIP TCP Services.
If this is a View Security Server or Access Point or if tunneling is enabled then create another Load Balancing Virtual Server for HTML Blast SSL_BRIDGE 8443:
1. Same VIP as the 443 Load Balancer.
2. Protocol = SSL_BRIDGE, Port = 8443
3. Services = the HTML Blast SSL_BRIDGE Services.
This gives you four Virtual Servers on the same VIP but different protocols and port numbers.

Persistency Group

For Security Servers and Access Points, users will first connect to SSL_BRIDGE 443 and be load balanced. Subsequent connections to the other port numbers must go to the same load balanced server. Create a Persistency Group to facilitate this.

If tunneling is disabled on the internal View Connection Servers then you probably only have one load balancer for those servers and thus you could configure persistence directly on that one load balancer instead of creating a Persistency Group. However, since the View Security Servers and Access Points have multiple load balancers then you need to bind them together into a Persistency Group.

On the left, under Traffic Management, expand Load Balancing and click Persistency Groups.
On the right, click Add.
Give the Persistency Group a name (e.g. View).
Change the Persistence to SOURCEIP.
Enter a timeout that is equal to or greater than the timeout in View Administrator, which defaults to 10 hours (600 minutes).
In the Virtual Server Name section, click Add.
Move all four View Security Server / Access Point Load Balancing Virtual Servers to the right. Click Create.

CLI Commands

Here’s a list of CLI commands for the configuration shown above:

add server VSS01 10.2.2.23
add server VSS02 10.2.2.24
add lb monitor View-PCoIP TCP -destPort 4172
add lb monitor View-Blast TCP -destPort 8443
add lb monitor View-SSL HTTP-ECV -send "GET /broker/xml" -recv clientlaunch-default -secure YES
add lb monitor View-SSL-VCS01 HTTP-ECV -send "GET /broker/xml" -recv clientlaunch-default -destIP 10.2.2.19 -destPort 443 -secure YES
add lb monitor View-SSL-VCS02 HTTP-ECV -send "GET /broker/xml" -recv clientlaunch-default -destIP 10.2.2.20 -destPort 443 -secure YES
add service svc-VSS01-SSL VSS01 SSL_BRIDGE 443
add service svc-VSS02-SSL VSS02 SSL_BRIDGE 443
add service svc-VSS01-PCoIPTCP VSS01 TCP 4172
add service svc-VSS02-PCoIPTCP VSS02 TCP 4172
add service svc-VSS01-PCoIPUDP VSS01 UDP 4172
add service svc-VSS02-PCoIPUDP VSS02 UDP 4172
add service svc-VSS01-HTMLBlast VSS01 SSL_BRIDGE 8443
add service svc-VSS02-HTMLBlast VSS02 SSL_BRIDGE 8443
bind service svc-VSS02-HTMLBlast -monitorName View-Blast
bind service svc-VSS01-HTMLBlast -monitorName View-Blast
bind service svc-VSS02-PCoIPUDP -monitorName View-PCoIP
bind service svc-VSS01-PCoIPUDP -monitorName View-PCoIP
bind service svc-VSS02-PCoIPTCP -monitorName View-PCoIP
bind service svc-VSS01-PCoIPTCP -monitorName View-PCoIP
bind service svc-VSS02-SSL -monitorName View-PCoIP
bind service svc-VSS02-SSL -monitorName View-SSL-VCS02
bind service svc-VSS02-SSL -monitorName View-Blast
bind service svc-VSS02-SSL -monitorName View-SSL
bind service svc-VSS01-SSL -monitorName View-PCoIP
bind service svc-VSS01-SSL -monitorName View-SSL-VCS01
bind service svc-VSS01-SSL -monitorName View-Blast
bind service svc-VSS01-SSL -monitorName View-SSLadd lb vserver View-SSL-LB SSL_BRIDGE 10.2.2.203 443
add lb vserver View-PCoIPUDP-LB UDP 10.2.2.203 4172
add lb vserver View-PCoIPTCP-LB TCP 10.2.2.203 4172
add lb vserver View-HTMLBlast-LB SSL_BRIDGE 10.2.2.203 8443
bind lb vserver View-SSL-LB svc-VSS01-SSL
bind lb vserver View-SSL-LB svc-VSS02-SSL
bind lb vserver View-PCoIPUDP-LB svc-VSS01-PCoIPUDP
bind lb vserver View-PCoIPUDP-LB svc-VSS02-PCoIPUDP
bind lb vserver View-PCoIPTCP-LB svc-VSS01-PCoIPTCP
bind lb vserver View-PCoIPTCP-LB svc-VSS02-PCoIPTCP
bind lb vserver View-HTMLBlast-LB svc-VSS01-HTMLBlast
bind lb vserver View-HTMLBlast-LB svc-VSS02-HTMLBlast
bind lb group View View-SSL-LB
bind lb group View View-PCoIPUDP-LB
bind lb group View View-PCoIPTCP-LB
bind lb group View View-HTMLBlast-LB
set lb group View -persistenceType SOURCEIP -timeout 600

Horizon View Configuration

On the View Security Servers (or View Connection Servers), request a certificate that matches the FQDN that resolves to the Load Balancing VIP.
Make sure the private key is exportable.
Set the Friendly Name to vdm and restart the View Security Server services.
In View Administrator, go to View Configuration > Servers.
On the right, switch to the Security Servers tab.
Highlight a server and click Edit.
Change the URLs to the FQDN that resolves to the load balancing VIP.
Change the PCoIP URL to the VIP. For View Security Servers, this is typically a public IP that is NAT’d to the DMZ Load Balancing VIP.

↧

Global Server Load Balancing (GSLB) – NetScaler 11

July 8, 2015, 4:21 pm

≫ Next: Web Interface Load Balancing – NetScaler 11

≪ Previous: Horizon View Load Balancing – NetScaler 11

Navigation

= Recently Updated

GSLB Planning

Citrix Blog Post Global Server Load Balancing: Part 1 explains how DNS queries work and how GSLB fits in.

Citrix has a good DNS and GSLB Primer.

When configuring GSLB, don’t forget to ask “where is the data?”. For XenApp/XenDesktop, DFS multi-master replication of user profiles is not supported so configure “home” sites for users. More information at Citrix Blog Post XenDesktop, GSLB & DR – Everything you think you know is probably wrong!

GSLB can be enabled both externally and internally. For external GSLB, configure it on the DMZ NetScaler appliances and expose it to the Internet. For internal GSLB, configure it on internal NetScaler appliances. Note: Each NetScaler appliance only has one DNS table so if you try to use one NetScaler for both public and internal then be aware that external users can query for internal GSLB-enabled DNS names. NetScaler 11.0 build 64 supports GSLB in Admin Partitions so this might a workaround for single-appliance deployments.

Some IP Addresses are needed on each NetScaler pair:

ADNS IP: An IP that will listen for ADNS queries. For external, create a public IP for the ADNS IP and open UDP 53 so Internet-based DNS servers can access it. This can be an existing SNIP on the appliance.
GSLB Site IP / MEP IP: A GSLB Site IP that will be used for NetScaler-to-NetScaler communication, which is called MEP or Metric Exchange Protocol. The IP for ADNS can also be used for MEP / GSLB Site.
- RPC Source IP: If running NetScaler 11.0 build 64 or newer then the GSLB Site IP can be anything and RPC traffic (MEP) can be sourced from the GSLB IP. For older NetScaler builds, RPC traffic is sourced from a SNIP, even if this is different than the GSLB Site IP. In older builds, it’s less confusing if you use a SNIP as the GSLB Site IP.
- Public IP: For external GSLB, create public IPs that are NAT’d to the GSLB Site IPs. The same public IP used for ADNS can also be used for MEP. MEP should be routed across the Internet so NetScaler can determine if the remote datacenter has Internet connectivity or not.
- MEP Port: Open port TCP 3009 between the two NetScaler GSLB Site IPs. Make sure only the NetScalers can access this port on the other NetScaler. Do not allow any other device on the Internet to access this port. This port is encrypted.
- GSLB Sync Ports: To use GSLB Configuration Sync, open ports TCP 22 and TCP 3008 from the NSIP (management IP) to the remote public IP that is NAT’d to the GSLB Site IP. The GSLB Sync command runs a script in BSD shell and thus NSIP is always the Source IP.
DNS Queries: The purpose of GSLB is to resolve a DNS name to one of several potential IP addresses. These IP addresses are usually public IPs that are NAT’d to existing Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIPs in each datacenter.
IP Summary: In summary, for external GSLB, you will need a minimum of two public IPs in each datacenter:
- One public IP that is NAT’d to the IP that is used for ADNS and MEP (GSLB Site IP). You only need one IP for ADNS / MEP no matter how many GSLB names are configured. MEP (GSLB Site IP) can be a different IP, if desired.
- One public IP that is NAT’d to a Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIP.
- If you GSLB-enable multiple DNS names, each DNS name usually resolves to different IPs. This usually means that you will need additional public IPs NAT’d to additional VIPs.

ADNS

Identify an IP that you will use for ADNS. This is typically a SNIP.
Configure a public IP for the ANDS Service IP and configure firewall rules.
On the left, expand Load Balancing and click Services.
On the right, click Add.
Name the service ADNS or similar.
In the IP Address field, enter an appliance SNIP.
In the Protocol field, select ADNS. Then click OK.
Scroll down and click Done.
On the left of the console, expand System, expand Network and then click IPs.
On the right, you’ll see the SNIP as now being marked as the ADNS svc IP. If you don’t see this yet, click the Refresh icon.
Repeat on the other appliance in the other datacenter.

Metric Exchange Protocol

Select an IP to be the GSLB Site IP. In NetScaler 11.0 build 64 and newer, this can be any IP. In older builds, you can use the same SNIP and same public IP used for ADNS.
Open the firewall rules for Metric Exchange Protocol.
On the left, expand Traffic Management, right-click GSLB and enable the feature.
Expand GSLB and click Sites.
On the right, click Add.
Add the local site first. Enter a descriptive name and in the Site Type select LOCAL.
In the Site IP Address field, enter an IP that this appliance will listen for MEP traffic. This IP must be in the default Traffic Domain. (Note: NetScaler 11.0 build 64 supports GSLB in Admin Partitions).
For external GSLB, in the Public IP Address field, enter the public IP that is NAT’d to the GSLB Site IP. For internal GSLB, there’s no need to enter anything in the Public IP field. Click Create.
Go back to System > Network > IPs and verify that the IP is now marked as a GSLB site IP. If you don’t see it yet, click the Refresh button.
If you want to use the GLSB Sync Config feature, then you’ll need to edit the GSLB site IP and enable Management Access.
When you enable Management Access on a dedicated GSLB site IP, SSH is already selected by default. That’s all you need.
Go to the other appliance and also create the local GSLB site using its GSLB site IP and its public IP that is NAT’d to the GSLB site IP.
In System > Network > IPs on the remote appliance, there should now be a GSLB site IP. This could be a SNIP. If GSLB Sync is desired, enable management access on that IP and ensure SSH is enabled.
Now on each appliance add another GSLB Site, which will be the remote GSLB site.
Enter a descriptive name and select REMOTE as the Site Type.
Enter the other appliance’s actual GSLB Site IP as configured on the appliance. This IP does not need to be reachable.
In the Public IP field, enter the public IP that is NAT’d to the GSLB Site IP on the other appliance. For MEP, TCP 3009 must be open to this IP from the local GSLB Site IP. For GSLB sync, TCP 22, and TCP 3008 must be open to this IP from the local NSIP. Click Create.
Repeat on the other appliance.
MEP will not function yet since the NetScalers are currently configured to communicate unencrypted on TCP 3011. To fix that, on the left, expand System, expand Network and click RPC.
On the right, edit the new RPC address (the other site’s GSLB Site IP) and click Open.
On the bottom, check the box next to Secure.
In NetScaler 11.0 build 64 or newer, if your GSLB Site IP is not a SNIP then you’ll need to change the RPC Node to use the local GSLB Site IP as the source IP. Uncheck IPv6 first. Then enter the local GSLB Site IP. Click OK when done.
Do the same thing on the other appliance.
If you go back to GSLB > Sites, you should see it as active.

GSLB Services

Start on the appliance in the primary data center. This appliance should already have a Virtual Server for the web service or NetScaler Gateway service that you are trying to GSLB enable.
On the left, expand Traffic Management > GSLB and click Services.
On the right, click Add.
The service name should be similar to the DNS name that you are trying to GSLB. Include the site name in the service name.
Select the LOCAL Site.
On the bottom part, select Virtual Servers and then select a Virtual Server that is already defined on this appliance. It should automatically fill in the other fields. If you see a message asking if you wish to create a service object, click Yes.
Make sure the Service Type is SSL.
The Public IP field contains the actual IP Address that the GSLB ADNS service will hand out. Make sure this Public IP is user accessible. It doesn’t even need to be a NetScaler owned IP.
Scroll down and click OK.
Attach a monitor under the following conditions:
- If the GSLB Service IP is in a non-default Traffic Domain then you will need to attach a monitor. GSLB cannot determine the state of Virtual Servers in non-default Traffic Domains.
- If the GSLB Service IP is not hosted on a NetScaler. Only monitors can determine if it is up or not.
- Otherwise, there’s no need to bind a monitor.
If you intend to do GSLB active/active and if you need site persistence then you can configure your GSLB services to use Connection Proxy or HTTP Redirect. See Citrix Blog Post Troubleshooting GSLB Persistence with Fiddler for more details.
Click Done.
On the DR datacenter NetScaler, create a GSLB Service.
Select the REMOTE site that is hosting the service.
Since the service is on a different appliance and not this one, you won’t be able to select it using the Virtual Servers option. Instead, click New Server.
For the Server IP, enter the actual VIP configured on the other appliance. The DR NetScaler will use MEP to communicate with the primary NetScaler to find a Virtual Server with this VIP. The primary NetScaler will use MEP to tell the DR NetScaler if this Virtual Server is up or not. The Server IP configured here does not need to be reachable by this appliance.
In the Public IP field, enter the IP address that will be handed out to clients. This is the IP address that users will use to connect to the service.
Change the Service Type to match the Virtual Server defined on the other appliance.
Click OK and then click Done.
If active/active, add a GSLB service for the VIPs in each datacenter. If the service is active in two datacenters you will create two GSLB services on each appliance. Each GSLB service resolves to a different VIP.
If you configured a GSLB service for a VIP that is on a remote appliance then the GSLB Service will show as Up if MEP was successful at finding the Virtual Server VIP on the other appliance.

GSLB Virtual Server

The GSLB Virtual Server is the entity that the DNS name is bound to.

On the left, expand Traffic Management > GLSB and click Virtual Servers.
On the right, click Add.
Give it a descriptive name. For active/active, you can name it the same as your DNS name. For active/passive, you will create two GSLB Virtual Servers, one for each datacenter, so include Active or Passive in the Virtual Server name.
Click OK.
On the right, in the Advanced Settings column, click Service.
On the left, click where it says No GSLB Virtual Server to GSLBService Binding.
Click the arrow next to Click to select.
Check the box next to an existing GSLB Service and click Select. If your GSLB is active/passive then only bind one service.
If your GSLB is active/active then bind multiple GSLB Services. Also, you’d probably need to configure GSLB persistence (Source IP or cookies).
Click Bind.
On the right, in the Advanced Settings column, click Domains.
On the left, click where it says No GSLB Virtual Server Domain Binding.
Enter the FQDN that GSLB will resolve.
If this GSLB is active/passive, there are two options:
- Use the Backup IP field to specify the IP address that will be handed out if the primary NetScaler is inaccessible or if the VIP on the primary appliance is marked down for any reason.
- Or, create a second GSLB Virtual Server that has the passive GSLB service bound to it. Don’t bind a Domain to the second GSLB Virtual Server. Then edit the Active GSLB Virtual Server and use the Backup Virtual Server section to select the second GSLB Virtual Server.
Click Bind.
Click Done.
If you are configuring active/passive using the backup GSLB Virtual Server method, create a second GSLB Virtual Server that has the passive GSLB service bound to it. Don’t bind a Domain to the second GSLB Virtual Server. Then edit the Active GSLB Virtual Server and use the Backup Virtual Server section to select the second GSLB Virtual Server.
On the left, if you expand DNS, expand Records and click Address Records, you’ll see a new DNS record for the GSLB domain you just configured. Notice it is marked as GSLB DOMAIN.
Create an identical GSLB Virtual Server on the other NetScaler appliance. The other NetScaler needs to resolve the DNS name in an identical fashion.
You can also synchronize the GSLB configuration with the remote appliance by going to Traffic Management > GSLB.
On the right, click Sychronize configuration on remote sites.
Use the check boxes on the top, if desired. It’s usually a good idea to Preview the changes before applying them. Then click OK to begin synchronization.

Some notes regarding GSLB Sync:

It’s probably more reliable to do it from the CLI by running sync gslb config and one of the config options (e.g. -preview).
GSLB Sync runs as a script on the BSD shell and thus always uses the NSIP as the source IP.
GSLB Sync connects to the remote GSLB Site IP on TCP 3008 (if RPC is Secure) and TCP 22.

DNS Delegation

DNS Delegation instructions will vary depending on what product is being used to host the public DNS zone. This section details Microsoft DNS but it should be similar in BIND or web-based DNS products.

If you are enabling GSLB for the domain gateway.corp.com, you’ll need to create a delegation at the server that is hosting the corp.com DNS zone. For public GSLB, you need to edit the public DNS zone for corp.com.

There are two ways to delegate GSLB-enabled DNS names to NetScaler ADNS:

Delegate the individual record. For example, delegate gateway.corp.com to the two NetScaler ADNS services (gslb1.corp.com and gslb2.corp.com).
Delegate an entire subzone. For example, delegate the subzone gslb.corp.com to the two NetScaler ADNS services. Then create a CNAME record in the parent DNS zone for gateway.corp.com that is aliased to gateway.gslb.corp.com. When DNS queries make it to NetScaler, they will be for gateway.gslb.corp.com and thus gateway.gslb.corp.com needs to be bound to the GSLB Virtual Server instead of gateway.corp.com. For additional delegations, simply create more CNAME records.

This section covers the first method – delegating an individual DNS record:

Run DNS Manager.
First, create Host Records pointing to the ADNS services running on the NetScalers in each data center. These host records for ADNS are used for all GSLB delegations no matter how many GSLB delegations you need to create.
The first Host record is gslb1 (or similar) and should point to the DMZ SNIP (public IP) on one of the NetScaler appliances that is enabled for ADNS.
The second Host record is gslb2 and should point to the DMZ SNIP (public IP) on the other NetScaler appliance that is enabled for ADNS.
If you currently have a host record for the service that you are delegating to GSLB (gateway.corp.com), delete it.
Right-click the parent DNS zone and click New Delegation.
In the Welcome to the New Delegation Wizard page, click Next.
In the Delegated Domain Name page, enter the left part of the DNS record that you are delegating (e.g. gateway). Click Next.
In the Name Servers page, click Add.
This is where you specify gslb1.corp.com and gslb2.corp.com. Enter gslb1.corp.com and click Resolve. Then click OK. If you see a message about the server not being authoritative for the zone, ignore the message.
Then click Add to add the other GSLB ADNS server.
Once both ADNS servers are added to the list, click Next.
In the Completing the New Delegation Wizard page, click Finish.
If you run nslookup against your Microsoft DNS server, it will respond with Non-authoritative answer. That’s because it got the response from NetScaler and not from itself.
You can also point nslookup to your NetScaler ADNS services and submit DNS queries.

That’s all there is to it. Your NetScalers are now DNS servers. For active/passive, the NetScalers will hand out the public IP address of the primary data center. When the primary data center is not accessible, GSLB will hand out the Backup IP, which is the DR data center.

Geo Location Database

If you want to use DNS Policies or Static Proximity GSLB Load Balancing or Responders based on user’s location, import a geo location database. Common free databases are:

GeoLite Legacy – http://dev.maxmind.com/geoip/legacy/geolite/
IP2Location Lite – http://lite.ip2location.com/

For IP2Location, see the blog post Add IP2Location Database as NetScaler’s Location File for instructions on how to import.

For GeoLite Legacy:

Download the GeoLite Country database CSV from http://dev.maxmind.com/geoip/legacy/geolite/.
On the NetScaler appliance, create the directory /var/geoip.
Copy the location database to the appliance.
In the NetScaler GUI, on the left, expand AppExpert, expand Location and click Static Database (IPv4).
On the right, click Add.
Browse to the location database file.
In the Location Format field, select geoip-country and click Create.
When you open a GSLB Service, the public IP will be translated to a location.

You can use the Geo locations in a DNS Policy, static proximity GSLB Load Balancing, or Responders:

Citrix Knowledgebase article CTX130701 – How to Block Access to a Website Using a Location Database Based on User’s Country
Neil Spellings blog post – Using Netscaler HTTP callouts for real-time GeoIP and anonymous proxy detection
Citrix Docs.citrix.com – Overriding Static Proximity Behavior by Configuring Preferred Locations

↧

Web Interface Load Balancing – NetScaler 11

July 8, 2015, 4:44 pm

≫ Next: NetScaler SDX 11

≪ Previous: Global Server Load Balancing (GSLB) – NetScaler 11

Navigation

This procedure is only needed if you are running Web Interface instead of StoreFront.

Monitor

On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
On the right, click Add.
Name it Web Interface or similar.
Change the Type drop-down to CITRIX-WEB-INTERFACE.
If you will use SSL to communicate with the Web Interface servers, then scroll down and check the box next to Secure.
Switch to the Special Parameters tab.
In the Site Path field, enter the path of a XenApp Web site (e.g. /Citrix/XenApp/).
- Make sure you include the slash (/) on the end of the path or else the monitor won’t work.
- The site path is also case sensitive.
Click Create.

Servers

On the left, expand Traffic Management, expand Load Balancing, and click Servers.
On the right, click Add.
Enter a descriptive server name, usually it matches the actual server name.
Enter the IP address of the server.
Enter comments to describe the server. Click Create.
Continue adding Web Interface servers.

Service Group

On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
On the right, click Add.
Give the Service Group a descriptive name (e.g. svcgrp-WI-SSL).
Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure the Web Interface Monitor has Secure enabled.
Scroll down and click OK.
Click where it says No Service Group Member.
If you did not create server objects then enter the IP address of a Web Interface Server. If you previously created a server object then change the selection to Server Based and select the server object.
Enter 80 or 443 as the port. Then click Create.
To add more members, click where it says 1 Service Group Member and then click Add. Click Close when done.
On the right, under Advanced Settings, click Monitors.
On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.
Click the arrow next to Click to select.
Select the Web Interface monitor and click Select.
Then click Bind.
To verify if the monitor is working or not, on the left, in the Service Group Members section, click the Service Group Members line.
Highlight a member and click Monitor Details.
The Last Response should indicate that Set-Cookie header was found. Click Close twice when done.
Then click Done.

Load Balancing Virtual Server

Create or install a certificate that will be used by the SSL Virtual Server. This certificate must match the DNS name for the load balanced Web Interface servers.
On the left, under Traffic Management > Load Balancing, click Virtual Servers.
On the right click Add.
Name it Web Interface-SSL-LB or similar.
Change the Protocol to SSL.
Specify a new internal VIP.
Enter 443 as the Port.
Click OK.
On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
Click the arrow next to Click to select.
Select your Web Interface Service Group and click Select.
Click Bind.
Click Continue.
Click where it says No Server Certificate.
Click the arrow next to Click to select.
Select the certificate for this Web Interface Load Balancing Virtual Server and click Select.
Click Bind.
Click Continue.
On the right, in the Advanced Settings column, click Persistence.
Select SOURCEIP persistence. Note: COOKIEINSERT also works with Web Interface. However, it doesn’t work with StoreFront.
Set the timeout to match the timeout of Web Interface.
The IPv4 Netmask should default to 32 bits.
Click OK.

If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.

bind ssl vserver MyvServer -certkeyName MyCert

set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED

unbind ssl vserver MyvServer -cipherName ALL

bind ssl vserver MyvServer -cipherName Modern

bind ssl vserver MyvServer -eccCurveName ALL

bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

SSL Redirect – Down vServer Method

If you created an SSL Virtual Server that only listens on SSL 443, users must enter https:// when navigating to the website. To make it easier for the users, create another load balancing Virtual Server on the same VIP that listens on HTTP 80 and then redirects the user’s browser to reconnect on SSL 443. This section details the Down vServer method. Alternatively you can configure the Responder method.

On the left, under Traffic Management > Load Balancing, click Virtual Servers.
On the right, find the SSL Virtual Server you’ve already created, right-click it and click Add. Doing it this way copies some of the data from the already created Virtual Server.
Change the name to indicate that this new Virtual Server is an SSL Redirect.
Change the Protocol to HTTP on Port 80.
The IP Address should already be filled in. It must match the original SSL Virtual Server. Click OK.
Don’t select any services. This vServer must intentionally be marked down so the redirect will take effect. Click Continue.
On the right, in the Advanced Settings column, click Protection.
In the Redirect URL field, enter the full URL including https://. For example: https://citrix.company.com/Citrix/XenApp. Click OK.
Click Done.
When you view the SSL redirect Virtual Server in the list, it will have a state of DOWN. That’s OK. The Port 80 Virtual Server must be DOWN for the redirect to work.

↧

NetScaler SDX 11

July 9, 2015, 3:49 pm

≫ Next: NetScaler Gateway 11 – RDP Proxy

≪ Previous: Web Interface Load Balancing – NetScaler 11

Navigation

SDX IP Configuration
Management Service Firmware – Upgrade to 11.0 build 55
SDX Software Bundle Upgrade – Upgrade beyond 11.0 build 55
Management Service NTP
Licensing
Management Service Alerting
Management Service nsroot Password and AAA
SSL Certificate and Encryption
SDX/XenServer LACP Channels
VPX Instances:
Management Service Monitoring
Management Service Backup

SDX IP Configuration

Default IP for Management Service is 192.168.100.1/16 bound to interface 0/1. Use laptop with crossover cable to reconfigure. Point browser to http://192.168.100.1. Default login is nsroot/nsroot.

Default IP for XenServer is 192.168.100.2/16. Default login is root/nsroot. Use the Management Service virtual machine to configure. XenServer and Management Service IPs must be on the same subnet.

When you first login to the SDX Management Service, the Welcome! Wizard appears. Click Management Network.
Configure the IP addresses. Management Service IP Address and XenServer IP Address must be different but on the same subnet.
You can change the password at this time or later. Click Done.
Click the System Settings box.
Enter a Host Name.
Select the time zone and click Continue.
Click the Licenses box.
Click Add New License.
In the Manage Licenses section, allocate licenses normally.
Then click Continue.

Another way to login to the Management Service virtual machine is through the serial port. This is actually the XenServer Dom0 console. Once logged in to XenServer, run ssh 169.254.0.10 to access the Management Service virtual machine. Then follow instructions at http://support.citrix.com/article/CTX130496 to change the IP.

The console of the Management Service virtual machine can be reached by running the following command in the XenServer Dom0 shell (SSH or console):

xe vm-list params=name-label,dom-id name-label="Management Service VM"

Then run /usr/lib/xen/bin/xenconsole <dom-id>

Or if 11.0 build 64 or newer, run /usr/lib64/xen/bin/xenconsole <dom-id>

Management Service Firmware – Upgrade to 11.0

NetScaler SDX 11.0 and newer now bundle all updates in a single package. To take advantage of this improved installation experience, you must first upgrade the Service VM to 11.0. Once it’s 11.0 you no longer need to upgrade the Service VM separately from the rest of the appliance.

NetScaler SDX 11.0 build 55 contains a separate installer for just the Management Service (SVM Upgrade Package). The newer builds of NetScaler SDX 11.0 don’t seem to have a separate SVM Upgrade Package so you’ll need to upgrade SVM to 11.0 build 55 first. Then use the Software Bundle method to upgrade beyond build 55 as detailed in the next section.
If the webpage says NetScaler SDX on top then you are connected to the Service VM.
Switch to the Configuration tab.
In the navigation pane, expand Management Service, and then click Software Images.
In the right pane, click Upload.
In the Upload Management Service Software Image dialog box, click Browse, navigate to the folder that contains the build-svm file, and then double-click the build file.
Click Upload.

To upgrade the Management Service:

In the navigation pane, click System.
In the System pane, under System Administration, click Upgrade Management Service.
In the Upgrade Management Service dialog box, in Build File, select the file of the build to which you want to upgrade the Management Service.
If you see a Documentation File field, ignore it.
Click OK.
Click Yes if asked to continue.
If desired, go back to the Software Images node and delete older firmware files.

SDX Platform Software Bundle

Starting with SDX 11.0, all updates are bundled together and installed at once.

Make sure your Management Service (SVM) is running SDX 11.0 or newer. If not, see the separate SVM upgrade procedure in the previous section.
Download the latest SDX Platform Software bundle from Downloads > NetScaler ADC > Service Delivery Appliances.
Login to the SDX Management Service, go to Configuration > System.
On the right, in the right column, click Upgrade Appliance.
Browse to the .tgz software bundle and click OK.
It should show you the estimated installation time. Click Upgrade.
The Management Service displays installation progress.
Once the upgrade is complete, click Login.
The Information page will be displayed showing the version of XenServer, Management Service (Build), etc.

Management Service NTP

On the Configuration tab, in the navigation pane, expand System, and then click NTP Servers.
To add a new NTP server, in the right pane, click Add.
In the Create NTP Server dialog box enter the NTP server name (e.g. pool.ntp.org) and click Create.
In the right pane click NTP Synchronization.
In the NTP Synchronization dialog box, select Enable NTP Sync. Click OK.

Management Service Alerting

Syslog

On the Configuration tab, expand System > Auditing and click Syslog Servers.
In the right pane click the Add button.
Enter a name for the server.
Enter the IP address of the Syslog server.
Select log levels and click Create.
On the right is Syslog Parameters.
You can configure the Date Format and Time Zone. Click OK.

Mail Notification

On the Configuration tab, expand System > Notifications and click Email.
In the right pane, on the Email Servers tab, click Add.
Enter the DNS name of the mail server and click Create.
In the right pane, switch to the Email Distribution List tab and click Add.
Enter a name for the mail profile.
Enter the destination email address and click Create.

System SNMP

Go to System > SNMP.
On the right, click Configure SNMP MIB.
Enter information as desired and click OK. Your SNMP management software will read this information.
Under the SNMP node, configure normal SNMP including: Trap Destinations, Managers, Alarms, etc.
MIBs can be downloaded from the Downloads tab.

Instance SNMP

The instances will send SNMP traps to the Service VM. To get alerted for these traps, in the Configuration page, in the navigation pane, expand NetScaler, expand Events, and click Event Rules.
On the right, click Add.
Give the rule a name.
Select the Major and Critical severities and move them to the right. Scroll down.
For the other sections, if you don’t configure anything then you will receive alerts for all of the devices, categories, and failure objects. If you configure any of them then only the configured entities will be alerted. Scroll down.
Click Save.
Select an Email Distribution List and click Done.

Management Service nsroot Password and AAA

To change the password of the default user account

On the Configuration tab, in the navigation pane, expand System, and then click Users.
In the Users pane, click the default user account, and then click Edit.
In the Configure System User dialog box, in Password and Confirm Password, enter the password of your choice. Click OK.

To create a user account

In the navigation pane, expand System, and then click Users. The Users pane displays a list of existing user accounts, with their permissions.
To create a user account, click Add.
In the Create System User or Modify System User dialog box, set the following parameters:
- Name*—The user name of the account. The following characters are allowed in the name: letters a through z and A through Z, numbers 0 through 9, period (.), space, and underscore (_). Maximum length: 128. You cannot change the name.
- Password*—The password for logging on to the appliance.
- Confirm Password*—The password.
- Session Timeout
- Groups —The user’s privileges on the appliance. Possible values:
  - owner—The user can perform all administration tasks related to the Management Service.
  - readonly—The user can only monitor the system and change the password of the account.
Click Create. The user that you created is listed in the Users pane.

AAA Authentication

If you would like to enable LDAP authentication for the Service VM, do that under Configuration > System > Authentication > LDAP.
In the right pane, click Add.
This is configured identically to NetScaler. Enter a Load Balancing VIP for LDAP. Change the Security Type to SSL and Port to 636. Scroll down.
Enter the Base DN in LDAP format.
Enter the bind account.
Check the box for Enable Change Password.
Click Retrieve Attributes and scroll down.
For Server Logon Attribute select sAMAccountName.
For Group Attribute select memberOf.
For Sub Attribute Name select cn.
To prevent unauthorized users from logging in, configure a Search Filter. Scroll down.
If desired configure Nested Group Extraction
Click Create.
Expand System, expand User Administration and click Groups.
Click Add.
Enter the case sensitive name of the Active Directory group.
Select the admin permission.
Configure the Session Timeout. Click Create.
On the left, under System, click User Administration.
On the right click User Lockout Configuration.
If desired, check the box next to Enable User Lockout and configure the maximum logon attempts. Click OK.
On the left, under System, click Authentication.
On the right, click Authentication Configuration.
Change the Server Type to LDAP.
Select the LDAP server you created and click OK.

SSL Certificate and Encryption

Replace SDX Management Service Certificate

Before enabling secure access to the Management Service web console, you probably want to replace the Management Service certificate.

PEM format: The certificate must be in PEM format. The Management Service does not provide any mechanism for converting a PFX file to PEM. You can convert from PFX to PEM by using the Import PKCS#12 task in a NetScaler instance.
On the left, click System.
On the right, click Install SSL Certificate.
Select the certificate and key files in PEM format. If the key file is encrypted, enter the password. Then click OK. The Management Service will restart so there will be an interruption.
After the Management Service restarts, connect to it using HTTPS. You can’t make this change if you are connected using HTTP.
On the Configuration tab, click System.
On the right, click Change System Settings.
Check the box next to Secure Access Only and click OK. This forces you to use HTTPS to connect to the Management Service.

SSL Encrypt Management Service to NetScaler Communication

From http://support.citrix.com/article/CTX134973: Communication from the Management Service to the NetScaler VPX instances is HTTP by default. If you want to configure HTTPS access for the NetScaler VPX instances, then you have to secure the network traffic between the Management Service and NetScaler VPX instances. If you do not secure the network traffic from the Management Service configuration, then the NetScaler VPX Instance State appears as Out of Service and the Status shows Inventory from instance failed.

Log on to the Management Service .
On the Configuration tab, click System.
On the right, click Change System Settings.
Change Communication with NetScaler Instance to https, as shown in the following screen shot:
Run the following command on the NetScaler VPX instance, to change the Management Access (-gui) to SECUREONLY:

set ns ip ipaddress -netmask netmask -arp ENABLED -icmp ENABLED -vServer DISABLED -telnet ENABLED -ftp ENABLED -gui SECUREONLY -ssh ENABLED -snmp ENABLED - mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting ENABLED -ospf DISABLED -bgp DISABLED -rip DISABLED -hostRoute DISABLED -vrID 0

Or in the NetScaler instance management GUI go to Network > IPs, open the NSIP and then check the box next to Secure access only.

SDX/XenServer LACP Channels

To use LACP, configure Channels in the Management Service, which creates them in XenServer. Then when provisioning an instance, connect it to the Channel.

In the Management Service, on the Configuration tab, expand System and click Channels.
On the right, click Add.
Select a Channel ID.
For Type, select LACP or STATIC. If using Cisco vPC then LACP is required. The other two options are for switch independent load balancing.
In the Interfaces tab, click Add.
Move the Channel Member interfaces to the right by clicking the plus icon.
On the Settings tab, for LACP you can select Long or Short, depending on switch configuration. Short is the default.
Click Create when done.
Click Yes when asked to proceed.
The channel will then be created on XenServer.

VPX Instances – Provision

To create an admin profile

Admin profiles specify the user credentials that are used by the Management Service when provisioning the NetScaler instances, and later when communicating with the instances to retrieve configuration data. The user credentials specified in an admin profile are also used by the client when logging on to the NetScaler instances through the CLI or the configuration utility.

The default admin profile for an instance specifies a user name of nsroot, and the password is also nsroot. This profile cannot be modified or deleted. However, you should override the default profile by creating a user-defined admin profile and attaching it to the instance when you provision the instance. The Management Service administrator can delete a user-defined admin profile if it is not attached to any NetScaler instance.

Important: Do not change the password directly on the NetScaler VPX instance. If you do so, the instance becomes unreachable from the Management Service. To change a password, first create a new admin profile, and then modify the NetScaler instance, selecting this profile from the Admin Profile list.

On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Admin Profiles.
In the Admin Profiles pane, click Add.
In the Create Admin Profile dialog box, set the following parameters:
- Profile Name*—Name of the admin profile. The default profile name is nsroot. You can create user-defined profile names.
- User Name—User name used to log on to the NetScaler instances. The user name of the default profile is nsroot and cannot be changed.
- Password*—The password used to log on to the NetScaler instance. Maximum length: 31 characters.
- Confirm Password*—The password used to log on to the NetScaler instance.
Click Create. The admin profile you created appears in the Admin Profiles pane.

To upload a NetScaler VPX .xva file

You must upload a NetScaler VPX .xva file to the SDX appliance before provisioning the NetScaler VPX instances.

Download the Virtual Appliance XVA from the SDX Software Bundle Download Page.
On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Software Images.
On the right, switch to the XVA Files tab and then click Upload.
In the Upload NetScaler Instance XVA dialog box, click Browse and select the XVA image file that you want to upload. Click Upload. The XVA image file appears in the NetScaler XVA Files pane after it is uploaded.

To provision a NetScaler instance

On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Instances.
In the NetScaler Instances pane, click Add.
In the Provision NetScaler Wizard follow the instructions in the wizard.
Click Create. The NetScaler instance you provisioned appears in the NetScaler Instances pane.

The wizard will ask for the following info:

Name* – The host name assigned to the NetScaler instance.
IP Address* – The NetScaler IP (NSIP) address at which you access a NetScaler instance for management purposes. A NetScaler instance can have only one NSIP. You cannot remove an NSIP address.
Netmask* – The subnet mask associated with the NSIP address.
Gateway* – The default gateway that you must add on the NetScaler instance if you want access through SSH or the configuration utility from an administrative workstation or laptop that is on a different network.
Nexthop to Management Service (11.0 build 64 and newer) – Adds a static route on the NSIP network so SDX Management Service can communicate with the instance NSIP. Only needed if instance default gateway and instance NSIP are on separate networks.
XVA File* – The .xva image file that you need to provision. This file is required only when you add a NetScaler instance.
Feature License* – Specifies the license you have procured for the NetScaler. The license could be Standard, Enterprise, and Platinum.
Admin Profile* – The profile you want to attach to the NetScaler instance. This profile specifies the user credentials that are used by the Management Service to provision the NetScaler instance and later, to communicate with the instance to retrieve configuration data. The user credentials used in this profile are also used while logging on to the NetScaler instance by using the GUI or the CLI. It is recommended that you change the default password of the admin profile. This is done by creating a new profile with a user-defined password. For more information, see Configuring Admin Profiles.
Total Memory (MB)* – The total memory allocated to the NetScaler instance.
#SSL Cores* – Number of SSL cores assigned to the NetScaler instance. SSL cores cannot be shared. The instance is restarted if you modify this value.
Throughput (Mbps)* – The total throughput allocated to the NetScaler instance. The total used throughput should be less than or equal to the maximum throughput allocated in the SDX license. If the administrator has already allocated full throughput to multiple instances, no further throughput can be assigned to any new instance.
Packets per second* – The total number of packets received on the interface every second.
CPU – Assign a dedicated core or cores to the instance or the instance shares a core with other instance(s).
User Name* – The root user name for the NetScaler instance administrator. This user has superuser access, but does not have access to networking commands to configure VLANs and interfaces. (List of non-accessible commands will be listed here in later versions of this document)
Password* – The password for the root user.
Shell/Sftp/Scp Access* – The access allowed to the NetScaler instance administrator.
Interface Settings – This specifies the network interfaces assigned to a NetScaler instance. You can assign interfaces to an instance. For each interface, if you select Tagged, specify a VLAN ID.
- Important:The interface ID numbers of interfaces that you add to an instance do not necessarily correspond to the physical interface numbering on the SDX appliance. For example, if the first interface that you associate with instance 1 is SDX interface 1/4, it appears as interface 1/1 when you log on to the instance and view the interface settings, because it is the first interface that you associated with instance 1.
- If a non-zero VLAN ID is specified for a NetScaler instance interface, all the packets transmitted from the NetScaler instance through that interface will be tagged with the specified VLAN ID. If you want incoming packets meant for the NetScaler instance that you are configuring to be forwarded to the instance through a particular interface, you must tag that interface with the VLAN ID you want and ensure that the incoming packets specify the same VLAN ID.
- For an interface to receive packets with several VLAN tags, you must specify a VLAN ID of 0 for the interface, and you must specify the required VLAN IDs for the NetScaler instance interface.
NSVLAN ID – An integer that uniquely identifies the NSVLAN. Minimum value: 2. Maximum value: 4095.
Tagged – Designate all interfaces associated with the NSVLAN as 802.1q tagged interfaces.
Interfaces – Bind the selected interfaces to the NSVLAN.

Here are screenshots from the wizard:

In the Provision NetScaler section, enter a name for the instance.
Enter the NSIP, mask, and Gateway.
Nexthop to Management Service is new in 11.0 build 64 and newer. If the default gateway is on a different network than the NSIP, then enter a next hop router address on the NSIP network so the SDX Management Service can communicate with the NSIP.
In the XVA File field, you can Browse > Local to select an XVA file on your file system. Or you can Browse > Appliance and select an XVA file that has already been uploaded.
Change the Feature License to Platinum.
Select an Admin Profile created earlier.
Enter a Description. Scroll down.
In the Resource Allocation section, change the Total Memory to 4096.
For SSL Chips, specify between 1 and 16.
For Throughput, partition your licensed bandwidth. If you are licensed for 8 Gbps, make sure the total of all VPX instances does not exceed that number.
Burstable is also an option. Fixed bandwidth can’t be shared with other instances. Burstable can be shared. See Bandwidth Metering in NetScaler SDX at docs.citrix.com
For CPU, select one of the Dedicated options. Then scroll down.
In the Instance Administration section, enter a new local account that will be created on the VPX. This is in addition to the nsroot user. Note, not all functionality is available to this account. Scroll down.
In the Network Settings section, leave 0/1 selected and deselect 0/2.
Click Add to connect the VPX to more interfaces.
If you have Port Channels, select one of the LA interfaces.
Try not configure any VLAN settings here. If you do, XenServer filters the VLANs available to the VPX instance. Changing the VLAN filtering settings later probably requires a reboot. Click Add.
In the Management VLAN Settings section, do not configure anything in this section unless you need to tag the NSIP VLAN. Click Done.
After a couple minutes the instance will be created. Click Close.
In your Instances list, click the IP address to launch the VPX management console. Do the following at a minimum (instructions in the NetScaler System Configuration page):
1. Enable MAC Based Forwarding – System > Settings > Configure Modes > MAC Based Forwarding
2. Add SNIPs for each VLAN – System > Network > IPs
3. Add VLANs and bind to SNIPs – System > Network > VLANs
4. Change default gateway – System > Network > Routes > 0.0.0.0
5. Create another instance on a different SDX and High Availability pair them together – System > High Availability

Applying the Administration Configuration

At the time of provisioning a NetScaler VPX instance, the Management Service creates some policies, instance administration (admin) profile, and other configuration on the VPX instance. If the Management Service fails to apply the admin configuration at this time due to any reason (for example, the Management Service and the NetScaler VPX instance are on different subnetworks and the router is down or if the Management Service and NetScaler VPX instance are on the same subnet but traffic has to pass through an external switch and one of the required links is down), you can explicitly push the admin configuration from the Management Service to the NetScaler VPX instance at any time.

On the Configuration tab, in the navigation pane, click NetScaler.
In the NetScaler Configuration pane, click Apply Admin Configuration.
In the Apply Admin Configuration dialog box, in Instance IP Address, select the IP address of the NetScaler VPX instance on which you want to apply the admin configuration.
Click OK.

VPX Instances – Manage

You may login to the VPX instance and configure everything normally. SDX also offers the ability to manage IP address and SSL certificates from SDX rather than from inside the VPX instance. The SDX Management Service does not have the ability to create certificates so it’s probably best to do that from within the VPX instance.

To view the console of a NetScaler instance

Connect to the Management Service using https.
Viewing the console might not work unless you replace the Management Service certificate.
In the Management Service, go to Configuration > NetScaler > Instances.
On the right, right-click an instance and click Console.
The instance console then appears.
Another option is to use the Lights Out Module and the xl console command as detailed at Citrix Blog Post SDX Remote Console Access of VIs.

To start, stop, delete, or restart a NetScaler instance

On the Configuration tab, in the navigation pane, expand NetScaler and click Instances.
In the Instances pane, right-click the NetScaler instance on which you want to perform the operation, and then click Start or Shut Down or Delete or Reboot.
In the Confirm message box, click Yes.

Creating a Subnet IP Address on a NetScaler Instance

You can create or delete a SNIP during runtime without restarting the NetScaler instance.

On the Configuration tab, in the navigation pane, click NetScaler.
In the NetScaler Configuration pane, click Create IP.
In the Create NetScaler IP dialog box, specify values for the following parameters.
- IP Address* – Specify the IP address assigned as the SNIP or the MIP address.
- Netmask* – Specify the subnet mask associated with the SNIP or MIP address.
- Type* – Specify the type of IP address. Possible values: SNIP.
- Save Configuration* – Specify whether the configuration should be saved on the NetScaler. Default value is false.
- Instance IP Address* – Specify the IP address of the NetScaler instance.
Click Create.

Create a VLAN on a NetScaler instance

Go to NetScaler > Instances.
Right-click an instance and click VLAN Bindings.
Click Add.
Enter a VLAN ID and select an interface.
Check the box for Tagged if needed.
Notice there’s no way to bind a SNIP. You do that inside the instance. Click Create.

To save the configuration on a NetScaler instance

On the Configuration tab, in the navigation pane, click NetScaler.
In the NetScaler pane, click Save Configuration.
In the Save Configuration dialog box, in Instance IP Address, select the IP addresses of the NetScaler instances whose configuration you want to save.
Click OK.

Change NSIP of VPX Instance

If you change NSIP inside of VPX instead of using the Modify Instance wizard in the Service VM, see article http://support.citrix.com/article/CTX139206 to adjust the XenServer settings.

Enable Call Home

On the Configuration tab, in the navigation pane, click the NetScaler node.
On the right, click Call Home.
Enter an email address to receive communications regarding NetScaler Call Home.
Check the box next to Enable Call Home.
Select the instances to enable Call Home and click OK.
You can view the status of Call Home by expanding NetScaler and clicking Call Home.
The right pane indicates if it’s enabled or not. You can also configure Call Home from here.

VPX Instance – Firmware Upgrade

Upload NetScaler Firmware Build Files

To upgrade a VPX instance from the Management Service, first upload the firmware build file.

Download the NetScaler firmware using the normal method.
In the Configuration tab, on the left, expand NetScaler and click Software Images.
On the right, in the Software Images tab click Upload.
Browse to the build…tgz file and click Open.

Upgrading Multiple NetScaler VPX Instances

You can upgrade multiple instances at the same time.

To prevent any loss of the configuration running on the instance that you want to upgrade, save the configuration on the instance before you upgrade the instance.
On the Configuration tab, in the navigation pane, expand NetScaler and click Instances.
Right-click an instance and click Upgrade.
In the Upgrade NetScaler dialog box, in Build File, select the NetScaler upgrade build file of the version you want to upgrade to. Ignore the Documentation File. Click OK.

Management Service Monitoring

To view syslog, in the navigation pane, expand System, click Auditing and then click Syslog Message in the right pane.
To view the task log, in the navigation pane, expand Diagnostics, and then click Task Log.
To view Management Service events, on the Configuration tab, in the expand System and click Events.
NetScaler > Entities lets you see the various Load Balancing entities configured on the instances.
To view instance alerts, go to NetScaler > Events > All Events.
There is also event reporting.

Management Service Backups

The SDX appliance automatically keeps three backups of the Service VM configuration that are taken daily at 12:30 am.

Backups in NetScaler SDX 11.0 contain the following:

Single bundle image
NetScaler XVA image
NetScaler upgrade image
Management Service image
Management Service configuration
NetScaler SDX configuration
NetScaler configuration

You can go to Management Service > Backup Files to backup or restore the appliance’s configuration. And you can download the backup files.

You can configure the number of retained backups by clicking System on the left and then clicking Backup Policy in the right pane.

↧

NetScaler Gateway 11 – RDP Proxy

September 7, 2015, 7:35 am

≫ Next: NetScaler Scripting

≪ Previous: NetScaler SDX 11

RDP Proxy

NetScaler 10.5.e and NetScaler 11 support RDP Proxy through NetScaler Gateway. No VPN required. There are two ways of launching RDP sessions through NetScaler Gateway RDP Proxy:

Bookmarks on the Clientless Access portal page.
After logging in, change the URL in the browser to /rdpproxy/MyRDPServer. MyRDPServer can be IP or DNS.

You can have one Gateway vServer that authenticates the user and a different Gateway vServer to proxy the RDP connection. The Gateways use Secure Ticket Authority (STA) for mutual authentication. See Stateless RDP Proxy at docs.citrix.com for more information.

Links:

Kenny Baldwin blog post RDP-Proxy on NetScaler!
Citrix Blog Post RDP Gateway on a NetScaler SSLVPN Virtual Server
Citrix CTX200853 How to Configure RDP Profile on NetScaler Gateway
RDP Proxy section in Unified Gateway FAQ at docs.citrix.com
Anton van Pelt NetScaler Gateway = RD Gateway

Here are some requirements for RDP Proxy:

NetScaler Enterprise Edition or Platinum Edition. There’s also a CCU add-on for Standard Edition.
NetScaler Gateway Universal Licenses.
TCP 443 and TCP 3389 opened to the NetScaler Gateway Virtual Server.
TCP 3389 opened from the NetScaler SNIP to the RDP Servers.

Do the following to configure RDP Proxy:

Expand NetScaler Gateway, expand Policies, right-click RDP and click Enable Feature.
Click RDP on the left. On the right, switch to the Client Profiles tab and click Add.
Give the Client Profile a name and configure it as desired. Scroll down.
In the RDP Host field, enter the FQDN that resolves to the RDP Proxy listener, which is typically the same FQDN as NetScaler Gateway.
Near the bottom is a Pre Shared Key. Enter a password and click OK. You’ll need this later.
On the right, switch to the Server Profiles tab and click Add.
Give the Server Profile a name.
Enter the IP of the Gateway Virtual Server you’re going to bind this to.
Enter the same Pre Shared Key you configured for the RDP Client Profile. Click Create.
If you want to put RDP bookmarks on the Clientless Access portal page, on the left, expand NetScaler Gateway, expand Resources, and click Bookmarks.
On the right, click Add.
Give the Bookmark a name.
For the URL, enter rdp://MyRDPServer using IP or DNS.
Check the box next to Use NetScaler Gateway As a Reverse Proxy and click Create.
Create more bookmarks as desired.
Create or edit a session profile/policy.
On the Security tab, set Default Authorization Action to ALLOW. Or you can use Authorization policies to control access.
On the Remote Desktop tab, select the RDP Client Profile you created earlier.
If you want to use Bookmarks, on the Client Experience tab, set Clientless Access to On.
On the Published Applications tab, make sure ICA Proxy is OFF.
Edit or Create your Gateway Virtual Server.
In the Basic Settings section, click More.
Use the RDP Server Profile drop-down to select the RDP Server Profile you created earlier.
Scroll down. Make sure ICA Only is not checked.
Bind a certificate.
Bind authentication policies.
Bind the session policy/profile that has the RDP Client Profile configured.
You can bind Bookmarks to either the NetScaler Gateway Virtual Server or to a AAA group. To bind to the NetScaler Gateway Virtual Server, on the right, in the Advanced Settings section, click Published Applications.
On the left, in the Published Applications section, click where it says No Url.
Bind your Bookmarks.
Since this NetScaler Gateway Virtual Server has ICA Only unchecked, make sure your NetScaler Gateway Universal licenses are configured correctly. On the left, expand NetScaler Gateway and click Global Settings.
On the right, click Change authentication AAA settings.
Change the Maximum Number of Users to your licensed limit.
If you want to connect to RDP servers using DNS, make sure DNS servers are configured on the appliance (Traffic Management > DNS > Name Servers).
If you want to use the short names instead of FQDNs, add a DNS Suffix (Traffic Management > DNS > DNS Suffix).
Connect to your Gateway and login.
If you configured Bookmarks, simply click the Bookmark.
Or you can change the address bar to /rdpproxy/MyRDPServer. You can enter IP address (e.g. rdpproxy/192.168.1.50) or DNS names (/rdpproxy/myserver).
Then open the downloaded .rdp file.
You can view the currently connected users by going to NetScaler Gateway > Policies > RDP and on the right is the Connections tab.

↧

NetScaler Scripting

November 7, 2015, 8:42 am

≫ Next: SmartAccess / SmartControl – NetScaler 11

≪ Previous: NetScaler Gateway 11 – RDP Proxy

PowerShell

You can use any scripting language that supports REST calls. This section is based on PowerShell 3 and its Invoke-RestMethod cmdlet.

NetScalerPowerShell.zip contains PowerShell functions that use REST calls to configure a NetScaler appliance. It only takes a few seconds to wipe a NetScaler and configure it with almost everything detailed on this site. A glaring omission is file operations including licenses, certificate files, and customized monitor scripts and the PowerShell script assumes these files are already present on the appliance.

Download Now!

Most of the functions should work on 10.5 and 11.0 with a few obvious exceptions like RDP Proxy. Here are some other differences between 10.5 and 11.0:

PUT operations in NetScaler 11 do not need an entity name in the URL; however 10.5 does require entity names in every PUT URL.
https URL for REST calls works without issue in NetScaler 11 but NetScaler 10.5 had inconsistent errors. http works without issue in NetScaler 10.5.

Nitro REST API Documentation

NetScaler Nitro REST API documentation can be found on any NetScaler by clicking the Downloads tab. The documentation is updated whenever you upgrade your firmware.

Look for the Nitro API Documentation.

Extract the files and then launch index.html.

Start by reading the Getting Started Guide and then expand the Configuration node to see detailed documentation for every REST call.

↧

SmartAccess / SmartControl – NetScaler 11

February 4, 2016, 4:40 pm

≫ Next: Director Load Balancing – NetScaler 11

≪ Previous: NetScaler Scripting

Navigation

SmartAccess / SmartControl

SmartAccess and SmartControl let you change ICA connection behavior (e.g. disable client device mappings) based on how users connect. Decisions are based on NetScaler Gateway Virtual Server name, Session Policy name, and Endpoint Analysis scan success or failure.

SmartAccess can also control application/desktop icon visibility.

Prerequisites

Both SmartAccess and SmartControl have the same prerequisites. You can configure SmartAccess in XenApp/XenDesktop at any time but it won’t work until you do the following:

On the NetScaler, go to System > Licenses and make sure you have NetScaler Gateway Universal Licenses allocated to the appliance. The Universal licenses are allocated to the hostname of the appliance (click the gear icon), not the MAC address. In a High Availability pair, if each node has a different hostname then you can allocate the licenses to one hostname, then reallocate to the other hostname.
After installing licenses, go to NetScaler Gateway > Global Settings.
On the top right, click Change authentication AAA settings.
At the top of the page, change the Maximum Number of Users to match your installed license count. Then click OK. This setting is commonly missed and if not configured it defaults to only 5 concurrent connections.
On a XenApp/XenDesktop Controller, run PowerShell as Administrator.
Run asnp citrix.* to load the snapins.
Run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true to enable Trust XML.
In StoreFront Console, go to the NetScaler Gateway node and edit (Change General Settings) the existing Gateway object.
Make sure a Callback URL is configured to resolve to a NetScaler Gateway VIP on the same appliance that authenticated the user. The Callback Gateway’s certificate must match the FQDN entered here. If you are configuring Single FQDN for internal and external then the Callback FQDN must be different than the Single FQDN.
On the NetScaler, go to NetScaler Gateway > Virtual Servers and edit your Gateway Virtual Server.
In the Basic Settings section, click the pencil icon.
Click More.
Uncheck the box next to ICA Only and click OK. This tells NetScaler Gateway to start using Universal licenses and enables the SmartAccess and SmartControl features.

Once the prerequisites are in place, do the following as detailed below:

Optionally, configure Endpoint Analysis.
Configure either SmartControl or SmartAccess.

Endpoint Analysis

Endpoint Analysis scans are completely optional. You can configure SmartControl and SmartAccess without implementing any Endpoint Analysis.

Endpoint Analysis is supported on Windows and Mac devices. Other devices, like iOS and Android, do not support Endpoint Analysis. If you want to allow mobile device connectivity, then make sure you have an access mechanism (e.g. ICA Proxy) that works if the Endpoint Analysis scan fails.

There are two methods of Endpoint Analysis: pre-authentication and post-authentication. For pre-authentication, configure an Endpoint Analysis expression in a Preauthentication Policy. For post-authentication, configure the Endpoint Analysis expression on one or more Session Policies.

With a Preauthentication Policy, if the Endpoint Analysis scan fails then users can’t login.
With a Postauthentication Policy, Endpoint Analysis doesn’t run until after the user logs in. Typically, you create multiple Session Policies. One or more policies has Endpoint Analysis expressions. Leave one policy without an Endpoint Analysis expression so there’s a fallback in case the client device doesn’t support Endpoint Analysis (e.g. mobile devices). The name of the Session Policy is then used later in Citrix Policies and Citrix Delivery Groups.

NetScaler 11 has two Endpoint Analysis engines: the classic Client Security engine and the newer OPSWAT Advanced EPA engine.

To configure OPSWAT Advanced EPA expressions:

When creating a Preauthentication Policy or Session Policy, click the OPSWAT EPA Editor link.
Use the drop-down menus to select the scan criteria. Then click Done.

See the following links for more Advanced EPA information:

Advanced Endpoint Analysis Policy Expression Reference at docs.citrix.com
Citrix Blog Post Patch Management Endpoint Analysis on NetScaler Gateway

To configure Client Security expressions:

When creating a Preauthentication Policy or Session Policy, click the Expression Editor link.
Change the Expression Type to Client Security.
Use the Component drop-down to select a component. A common configuration is to check for domain membership as detailed at CTX128040 How to Configure a Registry-Based Scan Expression to Look for Domain Membership.

Once the Policies are created, bind them to your NetScaler Gateway Virtual Server:

Edit a NetScaler Gateway Virtual Server.
Scroll down to the Policies section and click the plus icon.
Select either Preauthentication or Session and select the policy you already created. Then click Bind.

SmartControl

NetScaler 11.0 has a new SmartControl feature, where you can configure some of the SmartAccess functionality directly on the appliance. See Configuring SmartControl at docs.citrix.com for detailed instructions.

If you are using a Preauthentication Policy to run an Endpoint Analysis scan, edit the Preauth profile.
Configure the Default EPA Group with a new group name. You’ll use this group name later.
If you are instead using a Session Policy/Profile to run the post-authentication Endpoint Analysis scan, on the Security tab, use the Smartgroup field to define a group name for users that pass the scan. You’ll use this group name later.
On the left, expand NetScaler Gateway, expand Policies, and click ICA.
On the right, switch to the Access Profiles tab and click Add.
Configure the restrictions as desired and click OK.
Switch to the ICA Action tab and click Add.
Give the Action a name and select the Access Profile. Click Create.
Switch to the ICA Policies tab and click Add.
Select the previously created ICA Action.
Enter an expression. You can use REQ.USER.IS_MEMBER_OF(“MyGroup”) where MyGroup is the name of the SmartGroup you configured in the session profile or preauth scan. Click Create when done.
Edit your Gateway Virtual Server.
Scroll down to the Policies section and click the plus icon.
Change the Policy Type to ICA and click Continue.
Select the SmartControl policy you created earlier and click Bind.

SmartAccess

CTX138110 How to Configure the SmartAccess feature on Access Gateway Enterprise Edition Appliance

In XenApp/XenDesktop, edit a Citrix policy and add the Access Control filter. If you are using GPO to deliver Citrix Policies, then only Citrix Policies in the user half of the GPO support Access Control filters.

You can leave the default wildcards for farm name and condition to match all NetScaler Gateway connections. Or you can match specific NetScaler Gateway / Session Policy connections:

AG farm name = name of the NetScaler Gateway Virtual Server.
Access condition = name of the NetScaler Gateway Session Policy.

You typically create a Citrix policy to turn off all client device mappings for all external users. Then you create a higher priority Citrix policy that re-enables client device mappings for those users that passed the Endpoint Analysis scan expression on a particular Session Policy.

If you edit a Delivery Group, there’s an Access Policy page where you can hide or show the Delivery Group for all NetScaler Gateway connections or for specific NetScaler Gateway Virtual Server / Session Policy connections.

Farm name = NetScaler Gateway Virtual Server name
Filter = NetScaler Gateway Session Policy name

This configuration is only available at the entire Delivery Group. It is not possible to perform this configuration for only specific published applications unless they are on different Delivery Groups.

↧

Director Load Balancing – NetScaler 11

February 9, 2016, 12:56 am

≫ Next: NetScaler Gateway 11 – SSL VPN

≪ Previous: SmartAccess / SmartControl – NetScaler 11

Navigation

Monitor

On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
On the right, click Add.
Name it Director or similar.
Change the Type drop-down to HTTP.
If you will use SSL to communicate with the Director servers, then scroll down and check the box next to Secure.
Switch to the Special Parameters tab.
In the HTTP Request field, enter GET /Director/LogOn.aspx?cc=true
Click Create.

Servers

On the left, expand Traffic Management, expand Load Balancing, and click Servers.
On the right, click Add.
Enter a descriptive server name. Usually it matches the actual server name.
Enter the IP address of the server.
Enter comments to describe the server. Click Create.
Continue adding Director servers.

Service Group

On the left, expand Traffic Management, expand Load Balancing, and click Service Group.
On the right, click Add.
Give the Service Group a descriptive name (e.g. svcgrp-Director-SSL).
Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure the Director Monitor has Secure enabled.
Scroll down and click OK.
Click where it says No Service Group Member.
If you did not previously create server objects, then enter the IP address of a Director Server. If you previously created a server objects, then change the selection to Server Based and select the server objects.
Enter 80 or 443 as the port. Then click Create.
On the right, under Advanced Settings, click Monitors.
On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.
Click the arrow next to Click to select.
Select the Director monitor and click Select.
Then click Bind.
To verify that the monitor is working, on the left, in the Service Group Members section, click the Service Group Members line.
Highlight a member and click Monitor Details.
The Last Response should be Success – HTTP response code 200 received. Click Close twice.
Then click Done.

Responder

Create a Responder policy to redirect users from the root page to /Director.

Go to AppExpert > Responder and enable the feature if it isn’t already enabled.
Go to AppExpert > Responder > Actions.
On the right, click Add.
Give the Action a name (e.g. Director_Redirect).
Change the Type to Redirect.
In the Expression box, enter "/Director", including the quotes.
Click Create.
Go to AppExpert > Responder > Policies.
On the right, click Add.
Give the Policy a name (e.g. Director_Redirect).
Select the previously created Action.
In the Expression box, enter REQ.URL.PATH.EQ("/")
Click Create.

Load Balancing Virtual Server

Create or install a certificate that will be used by the SSL Virtual Server. This certificate must match the DNS name for the load balanced Director servers.
On the left, under Traffic Management > Load Balancing, click Virtual Servers.
On the right click Add.
Name it Director-SSL-LB or similar.
Change the Protocol to SSL.
Specify a new internal VIP.
Enter 443 as the Port.
Click OK.
On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
Click the arrow next to Click to select.
Select your Director Service Group and click Select.
Click Bind.
Click Continue.
Click where it says No Server Certificate.
Click the arrow next to Click to select.
Select the certificate for this Director Load Balancing Virtual Server and click Select.
Click Bind.
Click Continue.
On the right, in the Advanced Settings column, click Persistence.
Select SOURCEIP persistence.
Set the timeout to match the timeout of Director. The default timeout for Director is 245 minutes.
The IPv4 Netmask should default to 32 bits.
Click OK.
On the right, in the Advanced Settings section, add the Policies section.
On the left, in the Policies section, click the plus icon.
Select Responder in the Choose Policy drop-down and click Continue.
Select the previously created Director_Redirect policy and click Bind.

If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.

bind ssl vserver MyvServer -certkeyName MyCert

set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED

unbind ssl vserver MyvServer -cipherName ALL

bind ssl vserver MyvServer -cipherName Modern

bind ssl vserver MyvServer -eccCurveName ALL

bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

SSL Redirect

Right-click the Director SSL Load Balancing Virtual Server and click Add.
Change the Name to Director-HTTP-SSLRedirect or something like that.
Change the Protocol to HTTP.
Click OK. This HTTP Virtual Server uses the same VIP as the SSL Load Balancer.
Bind the AlwaysUp service. See SSL Redirect – Responder Method for more information.
Bind the http_to_ssl_redirect_responderpol Responder Policy.
That’s all this LB vServer needs. Click Done when done.

SSL Warning

If you are doing SSL Offload (SSL on front end, HTTP on back end), when connecting to Director it might complain about “You are not using a secure connection”.
To turn off this warning, login to the Director servers and run IIS Manager.
On the left, navigate to Server > Sites > Default Web Site > Director.
In the middle, double-click Application Settings.
Change UI.EnableSslCheck to false.

CLI Commands

Here is a list of NetScaler CLI commands for Director Load Balancing:

add server Director01 10.2.2.18
add server Director02 10.2.2.100
add server 127.0.0.1 127.0.0.1
add service AlwaysUp 127.0.0.1 HTTP 80
add serviceGroup svcgrp-Director-HTTP HTTP
add ssl certKey wildcom -cert WildcardCorpCom_pem -key WildcardCorpCom_pem
add lb vserver Director-SSL-LB SSL 10.2.2.210 443 -persistenceType SOURCEIP -timeout 245
add lb vserver Director-HTTP-SSLRedirect HTTP 10.2.2.210 80 -persistenceType NONE
add responder action Director_Redirect redirect "\"/Director\"" -responseStatusCode 302
add responder action http_to_ssl_redirect_responderact redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 302
add responder policy Director_Redirect "http.REQ.URL.PATH.EQ(\"/\")" Director_Redirect
add responder policy http_to_ssl_redirect_responderpol HTTP.REQ.IS_VALID http_to_ssl_redirect_responderact
bind lb vserver Director-HTTP-SSLRedirect AlwaysUp
bind lb vserver Director-SSL-LB svcgrp-Director-SSL
bind lb vserver Director-SSL-LB -policyName Director_Redirect -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver Director-HTTP-SSLRedirect -policyName http_to_ssl_redirect_responderpol -priority 100 -gotoPriorityExpression END -type REQUEST
add lb monitor Director HTTP -respCode 200 -httpRequest "GET /Director/LogOn.aspx?cc=true" -LRTM DISABLED -secure YES
bind serviceGroup svcgrp-Director-SSL Director01 443
bind serviceGroup svcgrp-Director-SSL Director02 443
bind serviceGroup svcgrp-Director-SSL -monitorName Director
set ssl serviceGroup svcgrp-Director-SSL -tls11 DISABLED -tls12 DISABLED
bind ssl vserver Director-SSL-LB -certkeyName wildcom
bind ssl vserver Director-SSL-LB -eccCurveName P_256
bind ssl vserver Director-SSL-LB -eccCurveName P_384
bind ssl vserver Director-SSL-LB -eccCurveName P_224
bind ssl vserver Director-SSL-LB -eccCurveName P_521

↧

NetScaler Gateway 11 – SSL VPN

March 5, 2016, 2:50 pm

≫ Next: Citrix SCOM Management Pack – NetScaler

≪ Previous: Director Load Balancing – NetScaler 11

Navigation

Overview

NetScaler Gateway supports five different connection methods:

ICA Proxy to XenApp/XenDesktop – client is built into Citrix Receiver
SSL VPN – requires NetScaler Gateway plug-in
Clientless – browser only, no VPN client, uses rewrite
Secure Browse – from MDX-wrapped mobile applications (XenMobile), uses rewrite
RDP Proxy – only RDP client is needed

If Endpoint Analysis is configured, then an Endpoint Analysis plug-in is downloaded to the Windows or Mac client.

Users use SSL to connect to NetScaler Gateway Virtual Servers.

NetScaler Gateway prompts the user for authentication.
Once the user is authenticated, NetScaler Gateway uses Session Policies to determine what happens next.

You can configure NetScaler Gateway Session Policies to only use one of the connection methods. Or NetScaler Gateway can be configured to let users choose between ICA Proxy, Clientless, and SSL VPN connection methods. Here’s a sample Client Choices screen using the X1 theme:

Enable SSL VPN in a Session Policy as detailed later. Then configure additional NetScaler Gateway objects including the following:

DNS Servers and Suffix – enable DNS resolution across the VPN tunnel
NetScaler Gateway Universal Licenses – all VPN users must be licensed.
Intranet IP addresses – give IP addresses to VPN clients. If no client IP, then VPN clients use NetScaler SNIP to communicate with internal resources. Requires routing changes on internal network.
Intranet Applications – if split tunnel is enabled, configure this object to dictate what traffic goes across the tunnel and which traffic stays local.
Authorization Policies – if default authorization is DENY, use Authorization Policies to dictate what resources can be accessed across the NetScaler Gateway connection. These Authorization Policies apply to all NetScaler Gateway connections, not just VPN.
Bookmarks – displayed on the built-in NetScaler Gateway portal page. Users click bookmarks to access resources across the VPN tunnel or clientless access (rewrite).
Endpoint Analysis Scans – block endpoints that fail security requirements. Configured in Session Policies or Preauthentication Policies.
Traffic Policies – Single Sign-on to internal web applications
AAA Groups – bind Session Policies, Authorization Policies, Intranet Applications, Intranet IPs, Bookmarks, and Traffic Policies to one or more Active Directory groups. Allows different Active Directory groups to have different NetScaler Gateway configurations.

Prerequisites

Except for ICA Proxy, all NetScaler Gateway connection methods require a NetScaler Gateway Universal License for each concurrent session. Go to System > Licenses and make sure NetScaler Gateway User licenses are installed.

Also make sure the maximum AAA users equals the number of licenses. Go to NetScaler Gateway > Global Settings > Change authentication AAA settings.

DNS usually needs to function across the VPN tunnel. Go to Traffic Management > DNS > Name Servers to add DNS servers.

Create Session Profile

You can create multiple Session Policy/Profiles, each with different settings. Then you can bind these Session Policies to different AAA groups or different NetScaler Gateway Virtual Servers. You can also bind Endpoint Analysis expressions to a Session Policy so that the Session Policy only applies to machines that pass the Endpoint Analysis scan.

If multiple Session Policies apply to a particular connection, then the settings in the policies are merged. For conflicting settings, the Session Policy with the highest priority (lowest priority number) wins. Session Policies bound to AAA groups only override Session Policies bound to NetScaler Gateway Virtual Servers if the AAA group bind point has a lower priority number. In other words, priority numbers are evaluated globally no matter where the Session Policy is bound. You can run the command nsconmsg –d current –g pol_hits to see which Session Policies are applying to a particular connection.

Do the following to enable SSL VPN. First create the Session Profile. Then create a Session Policy.

On the left, expand NetScaler Gateway, expand Policies, and click Session.
On the right, switch to the Session Profiles tab and click Add.
Name the profile VPN or similar.
In Session Profiles, every line has an Override Global checkbox to the right of it. If you check this box next to a particular field, then the field in this session profile will override settings configured globally or in a lower priority session policy.
Switch to the Network Configuration tab and check the box next to Advanced Settings.
You will find a setting that lets you select a DNS Virtual Server. Or if you don’t select anything then the tunnel will use the DNS servers configured under Traffic Management > DNS > Name Servers.
Configure the behavior when there are more VPN clients than available IPs in the address pool. This only applies if you are configuring Intranet IPs.
There are also a couple timeouts lower on the page.
Switch to the Client Experience tab. This tab contains most of the NetScaler Gateway VPN settings.
Override Plug-in Type and set it to Windows/Mac OS X.
Whenever NetScaler firmware is upgraded, all users will be prompted to upgrade their VPN clients. You can use the Upgrade drop-downs to disable the automatic upgrade.
By default, if Receiver and NetScaler Gateway Plug-in are installed on the same machine, then the icons are merged. To see the NetScaler Gateway Plug-in Settings, you right-click Receiver, open Advanced Preferences and then click NetScaler Gateway Settings.
You can configure the Session Policy/Profile to prevent NetScaler Gateway Plug-in from merging with Receiver. On the Client Experience tab, scroll down and check the box next to Advanced Settings.
Check the box next to Show VPN Plugin-in icon with Receiver. This causes the two icons to be displayed separately thus making it easier to access the NetScaler Gateway Plug-in settings.
On the Client Experience tab, override Split Tunnel and make your choice. Setting it to Off will force all traffic to use the tunnel. Setting it to On will require you to create Intranet Applications so the NetScaler Gateway Plug-in will know which traffic goes through the tunnel and which traffic goes directly out the client NIC (e.g. to the Internet).
On the Client Experience tab, Client Idle Time-out is an idle timer. Session Time-out, is a total session timer (doesn’t care if user is working or not). There are default timers in Global Settings so you should probably override the defaults and increase the timeouts.
By default, once the VPN tunnel is established, a 3-page interface appears containing bookmarks, file shares, and StoreFront. An example of the three-page interface in the X1 theme is shown below.
On the Client Experience tab, the Home Page field lets you override the 3-page interface and instead display a different webpage (e.g. Intranet or StoreFront). This homepage is displayed after the VPN tunnel is established (or immediately if connecting using Clientless Access).
On the Client Experience tab, there are more settings that control the behavior of the NetScaler Gateway plug-in. Hover your mouse over the question marks to see what they do.
Additional VPN settings can be found by clicking Advanced Settings near the bottom of the Client Experience tab.
Under Client Experience > Advanced Settings, on the General tab, there are settings to run a login script at login, enable/disable Split DNS, and enable Local LAN Access. Use the question marks to see what they do. Reliable DNS occurs when Split DNS is set to Remote.
Under Client Experience > Advanced Settings, on the General tab, is a checkbox for Client Choices. This lets the user decide if they want VPN, Clientless, or ICA Proxy (StoreFront). Without Client Choices, the VPN will launch automatically
On the main Client Experience tab, if you enabled Client Choices, you can set Clientless Access to Allow to add Clientless to the list of available connection methods.
An example of Client Choices is shown below:
The Client Experience > Advanced Settings section has additional tabs for controlling the NetScaler Gateway Plug-in. A commonly configured tab is Proxy so you can enable a proxy server for VPN users.
Back in the main Session Profile, switch to the Security tab.
Set the default authorization to Allow or Deny. If Deny (recommended), you will need to create authorization policies to allow traffic across the tunnel. You can later create different authorization policies for different groups of users.
On the Published Applications tab, set ICA Proxy to Off. This ensures VPN is used instead of ICA Proxy.
Configure the Web Interface Address to embed StoreFront into the 3-pane default portal page. Note: additional iFrame configuration is required on the StoreFront side as detailed below.
Click Create when you’re done creating the Session Profile.

Create Session Policy

In the right pane, switch to the Session Policies tab and click Add.
Give the policy a descriptive name.
Change the Action to the VPN Profile you just created.
Add a policy expression. You can enter ns_true, which applies to all connections.
Or you can add Endpoint Analysis scans. If the Endpoint Analysis scan succeeds, then the session policy is applied. If the Endpoint Analysis scan fails, then this session policy is skipped and the next one is evaluated. This is how you can allow VPN if EPA scan succeeds but all failed EPA scans will get a different session policy that only has ICA Proxy enabled.
To add an Endpoint Analysis scan, use one of the Editor links on the right.
Configure OPSWAT scans in the OPSWAT EPA Editor.
Configure Client Security Expressions in the Expression Editor.
You can combine multiple Endpoint Analysis scan expressions using Booleans (&&, ||, !). Click Create when done.

Bind Session Policy

Most of the NetScaler Gateway objects can be bound to NetScaler Gateway Virtual Server, AAA Group, or both. This section details Session Policies, but the other NetScaler Gateway objects (e.g. Authorization Policies) can be bound using similar instructions.

Bind the new session policy to a NetScaler Gateway Virtual Server or a AAA group. If you bind it only to a AAA group, then only members of that Active Directory group will evaluate the expression.
To bind to a NetScaler Gateway Virtual Server, edit a NetScaler Gateway Virtual Server (or create a new one), scroll down to the Policies section and click the Plus icon.
In the Choose Type page, select Session, Request and click Continue.
Select one or more session policies. This is where you specify a priority.
To bind to a AAA Group, go to NetScaler Gateway > User Administration > AAA Groups.
Add a group with the same name (case sensitive) as the Active Directory group name. This assumes your LDAP policies/server are configured for group extraction.
Edit the AAA Group.
On the right, in the Advanced Settings column, add the Policies section.
Click the plus icon to bind one or more Session Policies.
If you want these Session Policies to override the Session Policies bound to the NetScaler Gateway Virtual Server then make sure the Session Policies bound to the AAA Group have lower priority numbers.

NetScaler Gateway Plug-in Installation

Here is what the user sees when launching the VPN session for the first time.

And then the 3-pane interface is displayed.

Only administrators can install the NetScaler Gateway Plug-in. You can download the Gateway plug-in from the NetScaler at /var/netscaler/gui/vpns/scripts/vista and push it to corporate-managed machines. Or you can download VPN clients from Citrix.com. The VPN client version must match the NetScaler firmware version.

Authorization Policies

If your Session Profile has Security tab > Default Authorization set to Deny (recommended), then create Authorization Policies to allow access across the tunnel.

On the left, under NetScaler Gateway, expand Policies and click Authorization.
On the right, click Add.
Name the Authorization Policy.
Select Allow or Deny.
NetScaler Gateway requires you to Switch to Classic Syntax. The other syntax option is for AAA.
Enter an expression. Use the Expression Editor link to build an expression. You can specify destination IP subnets, destination port numbers, etc.
Click Create when done.
Authorization Policies are usually bound to AAA groups. This allows different groups to have different access across the tunnel.
On the right, in the Advanced Settings column, add the Authorization Policies section.
Then click where it says No Authorization Policy to bind policies.

Intranet Applications

If you enabled Split Tunnel, then you’ll need to create Intranet Applications to specify which traffic goes through the tunnel.

On the left, under NetScaler Gateway, expand Resources and click Intranet Applications.
On the right, click Add.
Enter a name for the Internal subnet.
Change the Interception Mode to TRANSPARENT.
Enter an IP subnet. Only packets destined for this network go across the tunnel.
Then click Create.
Create additional Intranet applications for each internal subnet.
Intranet Applications are usually bound to the Gateway Virtual Server but you can also bind them to AAA Groups.
On the right, in the Advanced Settings column, add the Intranet Applications section.
On the left, click No Intranet Application to bind Intranet Applications.

DNS Suffix

Specify a DNS Suffix for Split DNS to function with single label DNS names.

On the left, under NetScaler Gateway, expand Resources and click DNS Suffix.
On the right, click Add.
Enter the DNS Suffix and click Create. You can add multiple suffixes.

Bookmarks

Bookmarks are the links that are displayed in the 3-pane interface. They can point to file shares or websites.

Under NetScaler Gateway, expand Resources, and click Bookmarks.
On the right, click Add.
Give the bookmark a name and display text.
Enter a website or file share. For file shares you can use %username%.
The other fields are for Single Sign-on through Unified Gateway. Click Create.
Bookmarks (aka Published Applications > Url) are usually bound to AAA groups so different groups can have different bookmarks. But it’s also possible to bind Bookmarks to NetScaler Gateway Virtual Servers.
If NetScaler Gateway Virtual Server, add the Published Applications section to bind Bookmarks.
For AAA Group, it’s the Bookmarks section.
On the left, find the Published Applications section and click No Url to bind Bookmarks.

VPN Client IP Pools (Intranet IPs)

By default, NetScaler Gateway VPN clients use NetScaler SNIP as their source IP when communicating with internal resources. To support IP Phones or endpoint management, you must instead assign IP addresses to VPN clients.

Any IP pool you add to NetScaler must be reachable from the internal network. Configure a static route on the upstream router. The reply traffic should be routed through a NetScaler SNIP. Or the NetScaler can participate in OSPF.

When a client is assigned a client IP, this IP address persists across multiple sessions until the appliance reboots or until the appliance runs out of IPs in the pool.

Edit a NetScaler Gateway Virtual Server or a AAA group.
On the right, in the Advanced Settings section, click the plus icon next to Intranet IP Addresses.
On the left, click where it says No Intranet IP.
Enter a subnet and netmask. Click Bind.
To see the Client IP address, on the client side, right-click the NetScaler Gateway Plug-in and click Configure NetScaler Gateway.
Switch to the Profile tab to see the Client IP address.
To see the client IP on the NetScaler, go to NetScaler Gateway and on the right is Active user sessions.
Select one of the views and click Continue.
The right column contains the Intranet IP.

StoreFront in Gateway Portal

If you want to enable StoreFront to integrate with NetScaler Gateway’s default portal, edit the file C:\Inetpub\wwwroot\Citrix\StoreWeb\web.config.
On the bottom, there are three sections containing frame options. Change all three of them from deny to allow.
Also change frame-ancestors from none to self.
In NetScaler, go to NetScaler Gateway > Global Settings and click Configure Domains for Clientless Access.
Change the selection to Allow Domains, enter your StoreFront FQDN and click the plus icon.
Click OK.
In a Session Policy/Profile, on the Client Experience tab, make sure Single Sign-on to Web Applications is enabled.
On the Published Applications tab, configure the Web Interface Address to point to the StoreFront Receiver for Web page.
Configure the Single Sign-on domain to match what’s configured in StoreFront.
The Applications page of the 3-page portal should automatically show the StoreFront published icons.

Back to NetScaler 11

↧

Citrix SCOM Management Pack – NetScaler

March 20, 2016, 8:12 am

≫ Next: Citrix Federated Authentication Service (SAML)

≪ Previous: NetScaler Gateway 11 – SSL VPN

Navigation

Requirements

NetScaler Platinum Edition
NetScaler 9.3 or newer
System Center Operations Manager 2012 or newer

NetScaler Pack

Full documentation at http://docs.citrix.com/en-us/scom-management-packs/scom-management-pack-for-netscaler.html.

Install Citrix NetScaler Pack

On the System Center Operations Manager server, go to the downloaded Citrix SCOM Management Pack for NetScaler and run Citrix_SCOM_Management_Pack_for_NetScaler.exe.
In the Welcome to the InstallShield wizard for Citrix SCOM Management Pack for NetScaler page, click Next.
In the View Relevant Product Configuration page, click Next.
In the Customer Information page, enter a company name and click Next.
In the License Agreement page, click Yes.
In the Choose Destination Location page, click Next.
In the Start Copying Files page, click Next.
In the InstallShield Wizard Complete page, click Finish.

MP Agent Installation Account

Configure the MP Agent Installation Account as detailed for the XAXD Pack.

NetScaler Monitoring Account

On the NetScaler appliances, run the following commands to add a local account and bind it to a restrictive cmdPolicy. Replace the password with a secure password. If you leave the password off the command, then NetScaler will prompt you.

add system cmdPolicy polNetScalerMonitoring ALLOW (^show\s+system\s+\S+)|(^show\s+system\s+\S+\s+.*)|(^show\s+configstatus)|(^show\s+configstatus\s+.*)|(^shell\s+nsconmsg\s+-K\s+\S+\s+.*)

add system user usrNetScalerMonitoring MyPassword

bind system user usrNetScalerMonitoring read-only 1

bind system user usrNetScalerMonitoring polNetScalerMonitoring 1

show system user usrNetScalerMonitoring

SCOM Device Discovery

System Center Operations Manager uses SNMP to communicate with NetScaler. If Windows Firewall is enabled on the SCOM server, enable some Inbound and Outbound rules.
Inbound Rule: Operations Manager Ping Response.
Inbound Rule: Operations Manager SNMP Response.
Inbound Rule: Operations Manager SNMP Trap Listener.
Outbound Rule: Operations Manager Ping Request.
Outbound Rule: Operations Manager SNMP Request.
Make sure the NetScaler is configured with an SNMP community string at System > SNMP > Community.
If you have SNMP Managers configured, then make sure SCOM is in the list.
In SCOM Console, go to the Administration workspace, right-click, and click Discovery Wizard.
Select Network devices and click Next.
In the General Properties page, give the discovery rule a name. Select a SCOM server and resource pool to run the discovery rule. Then click Next.
In the Discovery Method page, select Explicit discovery and click Next.
In the Default Accounts page, if you are using SNMPv2 (instead of SNMPv3) to connect to NetScaler, then you can add the community string now. Click Create Account.
In the General Properties page, give the community string a display name and click Next.
In the Credentials page, enter the community string and click Create.
Then click Next.
In the Devices page, click Add.
Enter the hostname of the device.
Select the SNMP version.
If SNMPv2, select the community string. If SNMPv3, you can add the user account now.
Click OK when done.
Add more devices. Then click Next.
In the Schedule Discovery page, select how often you want this rule to run and click Next.
In the Summary page, click Save.
Click Yes to distribute the accounts.
In the Completion page, click Close.

Install Citrix NetScaler Agent

The Citrix SCOM Agent for NetScaler must be installed on the same SCOM server that is running the device discovery rule.

On the SCOM server, go to \\scom01\CitrixMPShare\NetScaler MP and run mpns_x64.msi.
In the Welcome to the InstallShild Wizard for Citrix SCOM Management Pack Agent for NetScaler page, click Next.
In the Ready to Install the Program page, click Install.
In the InstallShield Wizard Completed page, click Finish.

Import Management Packs

In SCOM Console, go to Administration workspace, right-click Management Packs and click Import Management Packs.
Click Add and then click Add from disk.
Connecting to the online catalog is not required.
Browse to C:\Program Files (x86)\Comtrade\NetScaler MP\Management Packs and select all of the .mp files. Click Open.
Click Install.
Click Close when done.

NetScaler Monitoring RunAs Account

In SCOM console, go to Administration workspace, right-click and click Create Run As Account.
In the Introduction page, click Next.
In the General Properties page, change the account type to Basic Authentication.
Give the account a display name and click Next.
In the Credentials page, enter the credentials of the local monitoring account on the NetScalers and click Next.
In the Distribution Security page, best practice is to select More secure. But you’ll need to manually specify every agent that should receive these credentials. Click Create.
In the Completion page, click Close.
In the Administration workspace, go to Run As > Profiles.
Double-click Citrix NetScaler Appliance Action Account.
In the Introduction page, click Next.
In the General Properties page, click Next.
In the Run As Accounts page, click Add.
Select the previously created NetScaler monitoring account.
Change the selection to A selected class, group, or object. Then click Select > Object.
Search for the NetScaler appliances these credentials apply to, click Add, and then click OK.
Then click OK.
Click Save.
In the Completion page, if the Run As account is configured for Secure Distribution then click the link to specify Agents to receive the credentials.

Use Management Pack

In the Monitoring workspace, under Citrix NetScaler, your appliance should eventually show up. These views should give you an inventory of the NetScaler configuration, current health status, etc.

Citrix SCOM Management Packs – XenApp/XenDesktop

↧

Citrix Federated Authentication Service (SAML)

May 31, 2016, 9:32 am

≫ Next: nFactor Authentication for NetScaler Gateway 11

≪ Previous: Citrix SCOM Management Pack – NetScaler

Navigation

Overview

Citrix Federated Authentication Service enables users to login to NetScaler Gateway and StoreFront using SAML authentication.

Citrix Federated Authentication Service uses Microsoft Certificate Authority to issue certificates on behalf of users. These certificates are used for the StoreFront and Virtual Delivery Agent logon process.

Requirements:

Microsoft Certificate Authority in Enterprise mode
XenApp/XenDesktop 7.9
StoreFront 3.6
NetScaler Gateway
Receiver for Web only. Receiver Self-Service doesn’t support web-based authentication.

Install Service and Configure

The service should be installed on a secure, standalone server that does not have any other Citrix components installed.

On the Federated Authentication Service server, go to the XenDesktop 7.9 ISO and run AutoSelect.exe.
On the bottom right, click Federated Authentication Service.
In the Licensing Agreement page, select I have read, understand, and accept the terms of the license agreement and click Next.
In the Core Components page, click Next.
In the Firewall page, click Next.
In the Summary page, click Install.
In the Finish Installation page, click Finish.

On the StoreFront 3.6 server, run the following command:

& "$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

Run the following commands. Adjust the store name as required.

$StoreVirtualPath = "/Citrix/Store"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

If you have multiple StoreFront servers, Propagate Changes.

On a Delivery Controller, run the following commands:

asnp citrix.*
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

On the Federated Authentication Service server, browse to C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions. Copy the file and folder.
Go to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions and paste the file and folder. If this path doesn’t exist, then copy them to C:\Windows\PolicyDefinitions.
Edit a GPO that applies to all StoreFront servers, all Federated Authentication Service servers, and all VDAs.
Navigate to Computer Configuration > Policies > Administrative Templates > Citrix Components > Authentication.
Edit the setting Federated Authentication Service.
Enable the setting and click Show.
Enter the FQDN of the Federated Authentication Service server.
Click OK twice.
On the Federated Authentication Service server, run gpupdate.
From the Start Menu, run Citrix Federated Authentication Service as administrator. Make sure you run it elevated.
The Federated Authentication Service FQDN should already be in the list (from group policy). Click OK.
In Step 1: Deploy certificate templates, click Start.
Click OK to add certificate templates to Active Directory. Sufficient permission is required.
In Step 2: Setup Certificate Authority, click Start.
Select a Certificate Authority to issue the certificates and click Ok.
In Step 3: Authorize this Service, click Start.
Step 3 automatically submits an online request for the Registration Authority certificate to the CA and stores the non-exportable private key in the standard Microsoft Enhanced RSA and AES Cryptographic Provider. Alternatively, you can submit the certificate request manually and store the private key in TPM or HSM as detailed at Federated Authentication Service private key protection at Citrix Docs.
Select the issuing Certificate Authority and click OK.
Go to the Certificate Authority Console > Pending Requests. Find the pending request and Issue it.
In a minute or two, Federated Authentication Service will recognize the issued certificate and Step 3 will turn green.
Switch to the User Rules tab.
Use the Certificate Authority drop-down to select the issuing Certificate Authority.
Use the Certificate Template drop-down to select the Citrix_SmartcardLogon template.
Click Edit next to List of StoreFront servers that can use this rule.
Remove Domain Computers from the top half and instead add your StoreFront servers. You could add an Active Directory security group instead of individual StoreFront servers.
On the bottom half, make sure Assert Identity is Allowed. Click OK.
By default, all users and all VDAs are allowed. You can click the other two Edit boxes to change this.
When done, click Apply.
Click OK when Rule updated successfully.
To further restrict who can be issued certificates, go to your Certificate Authority’s Properties and use the Enrollment Agents tab to restrict enrollment agents.

SAML on NetScaler Gateway

Dennis Radstake SAML authentication for Citrix XenDesktop and XenApp has some ADFS configuration instructions.

Export the signing certificate from your SAML iDP. The iDP could be ADFS, Okta, Ping, etc.
Import the SAML signing certificate (without private key) to NetScaler. NetScaler uses this certificate to sign the SAML authentication request.
Import a certificate with private key for SAML assertion verification. You’ll also need to import this certificate (without private key) on your SAML iDP. The SAML iDP will use this certificate to sign the SAML assertions. NetScaler will then use the private key to verify the SAML signatures.
Go to NetScaler Gateway > Policies > Authentication > SAML > Servers and click Add.
Enter the information for authenticating with SAML. This configuration will vary depending on your SAML iDP.
Select the SAML iDP’s certificate that NetScaler will use to sign SAML authentication requests.
Enter the URL to the SAML iDP’s authentication page. NetScaler Gateway will redirect users to this URL.
Select the certificate that the SAML iDP will use to sign SAML assertions. NetScaler uses the private key to verify the signature.
Enter an Issuer Name that the SAML iDP is expecting for the Relying Party.
Click Create when done.
On the right, switch to the Policies tab and click Add.
Give the policy a name, select the SAML Server, and enter ns_true for the expression. Click Create.
Edit your Session Policy/Profile. On the Published Applications tab, make sure Single Sign-on Domain is not configured.
Edit your Gateway Virtual Server. Go to the Authentication section and add a policy.
Bind the SAML policy. This is the only authentication policy you need. You can remove all other authentication policies.
In StoreFront 3.6, right-click the store and click Manage Authentication Methods.
Make sure Pass-through from NetScaler Gateway is selected.
Click the gear icon on the right and click Configure Delegated Authentication.
Check the box next to Fully delegate credential validation to NetScaler Gateway and click OK.
In StoreFront, add a NetScaler Gateway object that matches the NetScaler Gateway Virtual Server that has SAML enabled.
On the Authentication Settings page, make sure you configure a Callback URL. It won’t work without it.
Then assign (Configure Remote Access Settings) the Gateway to your Store.

↧

nFactor Authentication for NetScaler Gateway 11

June 18, 2016, 8:49 am

≫ Next: NetScaler 11.1 System Configuration

≪ Previous: Citrix Federated Authentication Service (SAML)

Navigation

Overview

nFactor lets you configure an unlimited number of authentication factors. You are no longer limited to just two factors. Each authentication factor performs the following tasks:

nFactor requests credentials from the user. These credentials can be anything supported by NetScaler including:
- SAML
- Certificate
- oAuth
- Kerberos
- Forms-based authentication (traditional web-based logon page) for LDAP, RADIUS, etc.
  - Multiple passwords can be collected with one form.
  - Or prompt the user multiple times throughout the authentication chain.
  - The logon page can contain a domain drop-down.
nFactor evaluates the credentials. The results can be:
- Authentication success
- Authentication failure
- Group extraction
- Attribute extraction from SAML, Certificate, etc.
Based on the evaluation results, do one of the following:
- Allow access
- Use authentication evaluation results to select next factor
- Deny access
Multiple factor evaluations can be chained together. The chosen next factor is based on the results of the prior factor. This can continue indefinitely. The next factor can do one of the following:
- Prompt the user for more credentials
- Evaluate the already entered next set of credentials
- Use policy expression to select another next factor (no authentication). This is typically used with group extraction so that groups determine the next factor.

Here are some nFactor use cases, but the combinations are almost limitless:

Authentication method based on Active Directory group: Logon screen asks for user name only. Extract user’s groups from Active Directory. Based on user’s Active Directory groups, either ask user for certificate, or ask user for LDAP password. If LDAP, the username doesn’t need to be entered again.
Ask for Certificate first:
- If certificate, perform LDAP
- If no certificate, perform LDAP + RADIUS
Two-factor with passwords checked in specific order: Logon screen with two password fields. Check the first password. If the first password succeeds, then check the second password. This lets you check RADIUS before LDAP.

In NetScaler 11.0 build 62 and newer, you can configure nFactor on AAA authentication servers.

In NetScaler 11.0 build 66 and newer, you can configure nFactor in the AAA feature and bind it to NetScaler Gateway Virtual Servers. Thus NetScaler Enterprise Edition is required.

Note: nFactor works with browser clients, but it does not work with Receiver Self-Service (native Receiver).

nFactor configuration summary (detailed instructions below):

The first factor (Advanced Authentication Policy and Login Schema) is bound directly to a AAA Virtual Server.
Next factors are Authentication Policy Labels that are chained to Advanced Authentication Policies in prior factors.
Authentication Profile links AAA nFactor with NetScaler Gateway.

AAA Virtual Server

Create AAA Virtual Server

To use nFactor with NetScaler Gateway, you first configure it on a AAA Virtual Server. Then you later bind the AAA Virtual Server to the NetScaler Gateway Virtual Server.

If AAA feature is not already enabled, go to Security > AAA, right-click AAA and Enable Feature.
Go to Security > AAA > Virtual Servers.
On the right, click Add.
Give the Virtual Server a name.
If you are only using this AAA Virtual Server for NetScaler Gateway, then you can change the IP address Type to Non Addressable. It’s also possible to content switch to AAA.
Enter an Authentication Domain and click OK.
In the Certificates section, click where it says No Server Certificate.
Click to select.
Select a certificate for the AAA Virtual Server and click Select. Since this AAA Virtual Server is not directly addressable, the chosen certificate doesn’t matter.
Click Bind.
Click Continue.
You probably don’t have any Advanced Authentication Policies yet so just click Continue.

AAA Portal Theme

If this AAA Virtual Server is used not just for NetScaler Gateway, but also for traffic management (Load Balancing, Content Switching), then you might want to change the AAA Portal theme.

Go to NetScaler Gateway > Portal Themes and add a theme.
After adjusting it as desired, at the top of the portal theme editing page, Click to Bind and View Configured Theme.
Change the selection to Authentication.
Use the Authentication Virtual Server Name drop-down to select the AAA Virtual Server and click Bind and Preview.

Client Certificate Authentication

If one of your authentication Factors is certificate, then you must perform some SSL configuration on the AAA Virtual Server:

Go to Traffic Management > SSL > Certificates and install the root certificate for the issuer of the client certificates. Root certificates do not have a key file.
Go to Security > AAA > Virtual Servers and edit an existing AAA Virtual Server.
On the left, in the SSL Parameters section, click the pencil icon.
Check the box next to Client Authentication.
Make sure Client Certificate drop-down is set to Optional, and click OK.
On the left, in the Certificates section, click where it says No CA Certificate.
Click to select.
Select the root certificate for the issuer of the client certificates and click Select.
Click Bind.

Login Schema

Login Schema XML File

Login Schema is an XML file providing the structure of forms-based authentication logon pages.

nFactor implies multiple authentication Factors that are chained together. Each Factor can have different Login Schema pages/files. In some authentication scenarios, users could be presented with multiple logon screens.

Or you can have one Factor gather information that can be passed on to later Factors so that the later Factors don’t need to display another Login Schema. This is particularly useful for traditional two-password logon screens (LDAP + RADIUS) since each password is evaluated in a separate Factor:

The first password is evaluated in the first factor (e.g. LDAP). If successful, then proceed to the second factor.
The second factor (e.g. RADIUS) evaluates the second password. However, the second password has already been entered so there’s no need to ask the user for it again. To prevent a Login Schema from being shown to the user, select noschema (LSCHEMA_INT) in the Authentication Policy Label.

Several Login Schema .xml files are included with NetScaler under /nsconfig/loginschema/LoginSchema. You can easily duplicate and modify these files. You can also download login schemas from support.citrix.com.

After duplicating one of the existing .xml files, you can edit it as desired. You can change the labels. Or you can configure fields to pre-fill information from previous Factors as shown below:

The login schema can also contain a domain drop-down. See CTX201760 nFactor – Domain Drop-Down in First Factor then Different Policy Evaluations Based on Groups for a sample configuration.

Login Schema Profile

To configure a Login Schema Profile:

Create or Edit a Login Schema .XML file based on your nFactor design.
Go to Security > AAA > Login Schema.
On the right, switch to the Profiles tab and click Add.
In the Authentication Schema field, click the pencil icon.
Click the LoginSchema folder to see the files in it.
Select one of the files. You can see a preview on the right. The labels can be changed by editing the file under /nsconfig/loginschema/LoginSchema/.
On the top right, click Select.
Give the Login Schema a name.
You typically need to use the entered credentials elsewhere. For example, you might need to use the username and one of the passwords to later Single Sign-on to StoreFront. Near the bottom of the Login Schema Profile, enter unique values for the indexes. These values can be between 1 and 16.
You can also configure these values on your noschema profiles so that passwords received from a previous factor can be put into a different Index.
Later you reference these index values in a Traffic Policy/Profile by using the expression HTTP.REQ.USER.ATTRIBUTE(#).
Click Create.
Note: if you later edit the Login Schema .xml file, the changes might not be reflected until you edit the Login Schema Profile and select the .xml file again

Login Schema Policy

Login Schemas can be bound directly to a AAA Virtual Server. If one of the Advanced Authentication policies bound directly to the AAA Virtual Server is forms-based, then bind the Login Schema directly to the AAA Virtual Server. If you are binding the Login Schema directly to a AAA Virtual Server, then you must first create a Login Schema Policy expression that is linked to the Login Schema Profile.

Or Login Schemas can be bound to an Authentication Policy Label (described later). If you are binding a Login Schema to an Authentication Policy Label, then there’s no need to create a Login Schema policy expression.

To create and bind a Login Schema Policy:

On the left, go to Security > AAA > Login Schema.
On the right, switch to the Policies tab and click Add.
Use the Profile drop-down to select the Login Schema Profile you already created.
Enter a Default Syntax expression in the Rule box and click Create.
On the left, go to Security > AAA > Virtual Servers and edit an existing AAA Virtual Server.
On the right, in the Advanced Settings column, click Login Schemas.
On the left, in the Login Schemas section, click where it says No Login Schemas.
Click to select.
Select the Login Schema policy and click Select. Only Login Schema Policies appear in this list. Login Schema Profiles (without a policy) do not appear.
Click Bind.

Advanced Authentication Policies

Authentication policies are a combination of policy expression and policy action. If the expression is true, then evaluate the action.

The Action is always an authentication server (LDAP, RADIUS, etc.).

The policy expression can be either in classic syntax, or in the newer default syntax.

The policy type is either Basic or Advanced. Basic policies can only use classic syntax. Advanced policies only use the newer default syntax. Both types of policies use the same Actions (authentication servers).

nFactor requires Advanced Authentication Policies; Basic policies won’t work.

Create Advanced Authentication Policy

You will need Authentication Actions/Servers (e.g. LDAP, RADIUS, CERT, SAML, etc.)

When creating an Advanced Authentication Policy, there’s a plus icon that lets you create Authentication Actions/Servers.

Or you can create Authentication Actions prior to creating the Advanced Authentication Policy. The Authentication Actions are located under the Security > AAA > Policies > Basic Policies > <Action Type> node. On the right, switch to the Servers tab to create the Actions/Servers. Once the Actions are created, use the instructions below to create the Advanced Authentication Policy. There’s no need to create a Basic Authentication Policy.

To create an Advanced Authentication Policy:

Go to Security > AAA > Authentication > Advanced Policies > Policy.
On the right, click Add. You typically create at least one Authentication Policy for each Factor. When you create multiple Authentication Policies for one Factor, NetScaler checks each policy in priority order until one of them succeeds.
Use the Action Type drop-down to select the Action Type (e.g. LDAP). The Action Type depends on your nFactor flow design.
If you don’t currently have any Actions configured, of if you want to create a new one, click the plus icon next to the Action drop-down. The Actions/Servers are created in the normal fashion.
In the Expression box, enter an expression using the Default Syntax. ns_true won’t work because that’s Classic syntax. There’s an Expression Editor link on the right. Or hit Ctrl+Space to see your options. true is a valid Default expression. Click Create when done.
Create more Advanced Authentication Policies as needed for your nFactor design.

Bind Advanced Authentication Policy to AAA

Only the Advanced Authentication Policies for the first Factor are bound directly to the AAA Virtual Server. The Advanced Authentication Policies for the remaining Factors are bound to Authentication Policy Labels as detailed in the next section.

Go to Security > AAA > Virtual Servers.
Edit an existing AAA Virtual Server.
On the left, in the Advanced Authentication Policies section, click where it says No Authentication Policy.
Click to select.
Select the Advanced Authentication Policy and click Select.
The Select Next Factor field can optionally point to an Authentication Policy Label as detailed in the next section. The Next Factor is only evaluated if this Advanced Authentication Policy succeeds.
If this Advanced Authentication Policy fails, then the Goto Expression determines what happens next. If it is set to NEXT, then the next Advanced Authentication Policy bound to this Factor is evaluated. If it is set to END, of if there are no more Advanced Authentication Policies bound to this Factor, then authentication is finished and marked as failed.
Click Bind.

LDAP Group Extraction

Sometimes you only want to extract a user’s groups from Active Directory but have don’t actually want to authenticate with LDAP. These groups can then be used to select the next authentication Factor.

To configure an LDAP Action/Server for only group extraction:

Make sure Authentication is unchecked.
Make sure the Group Attribute and Sub Attribute Name are filled in.

Authentication Policy Label

When configuring the first Factor, you bind two objects to the AAA Virtual Server:

Login schema – for forms-based authentication
Advanced Authentication Policy

When binding the Advanced Authentication Policy to the AAA Virtual Server, there’s a field to Select Next Factor. If the Advanced Authentication Policy succeeds, then the Next Factor is evaluated.

The Next Factor is actually an Authentication Policy Label.

Authentication Policy Labels contain three objects:

Login Schema
Advanced Authentication Policies
Next Factor – the next Authentication Policy Label

Here’s the flow:

User connects to AAA or NetScaler Gateway Virtual Server.
If forms-based authentication, the Login Schema bound to the AAA Virtual Server is displayed.
Advanced Authentication Policies bound to the AAA Virtual Server are evaluated.
1. If the Advanced Authentication Policy is successful, go to the configured Next Factor, which is an Authentication Policy Label.
  1. If Next Factor is not configured, then authentication is complete and successful.
2. If the Advanced Authentication Policy fails, and if Goto Expression is Next, then evaluate the next bound Advanced Authentication Policy.
3. If none of the Advanced Authentication Policies are successful, then authentication failed.
If the Next Factor Authentication Policy Label has a Login Schema bound to it, display it to the user.
Evaluate the Advanced Authentication Policies bound to the Next Factor Authentication Policy Label.
1. If the Advanced Authentication Policy is successful, go to the configured Next Factor, which is an Authentication Policy Label.
  1. If Next Factor is not configured, then authentication is complete and successful.
2. If the Advanced Authentication Policy fails, and if Goto Expression is Next, then evaluate the next bound Advanced Authentication Policy.
3. If none of the Advanced Authentication Policies are successful, then authentication failed.
Continue evaluating the Next Factor Authentication Policy Label until authentication succeeds or fails. You can chain together an unlimited number of Authentication Policy Labels.

If you are binding a Login Schema to an Authentication Policy Label, then you only need the Login Schema Profile. There’s no need to create a Login Schema Policy.

Not every Factor needs a Login Schema (logon page). It’s possible for a prior Factor to gather all of the credential information and simply pass it on to the next Factor. If you don’t need a Login Schema for a particular Authentication Policy Label, simply select LSCHEMA_INT, which is mapped to noschema. Or create a new Login Schema Profile based on noschema.

Create Authentication Policy Label

To create an Authentication Policy Label:

Authentication Policy Labels are configured at Security > AAA > Policies > Authentication > Advanced Policies > PolicyLabel.
On the right, click Add.
Give the Policy Label a name.
Select a Login Schema Profile. This can be one that is set to noschema if you don’t actually want to display anything to the user. Then click Continue.
In the Policy Binding section, Click to select.
Select an Advanced Authentication Policy that evaluates this Factor. Click Select.
Use the Goto Expression drop-down to select NEXT or END. If you want to bind more Advanced Authentication Policies to this Factor, then select NEXT.
In the Select Next Factor field, if you chain another Factor, Click to select and bind the next Authentication Policy Label (Next Factor).
Or don’t select anything, and if this Advanced Authentication Policy succeeds, then authentication is successful and complete. This ends the chaining.
Click Bind when done.
You can click Add Binding to add more Advanced Authentication Policies to this Policy Label (Factor). Or you can bind Advanced Authentication Policies to the next Policy Label (Next Factor). Click Done.

Bind Authentication Policy Label

Once the Policy Label (Factor) is created, you bind it to an existing Advanced Authentication Policy binding. This is how you chain Factors together.

Either edit an existing AAA Virtual Server that has an Advanced Authentication Policy already bound to it.
Or edit a different Authentication Policy Label.
On the left, in the Advanced Authentication Policies section, click the bindings.
Right-click an existing binding and click Edit Binding.
In the Select Next Factor field, Click to select.
Select the Policy Label for the Next Factor and click Select.
Click Bind.
Click Done.

nFactor for NetScaler Gateway

AAA Authentication Profile

Authentication Profile lets you bind a AAA Virtual Server to NetScaler Gateway. This is what enables nFactor on NetScaler Gateway.

Go to Security > AAA > Authentication Profile.
On the right, click Add.
Give the Authentication Profile a name.
In the Authentication Host field, it wants a URL to redirect users to your AAA Virtual Server. If you do this configuration from the CLI then this field is optional. But in the GUI it is required. NetScaler Gateway does not need to redirect so it doesn’t matter what you enter here.
In the Authentication Virtual Server field, Click to select.
Select the AAA Virtual Server that has Login Schema, Advanced Authentication Policy, and Authentication Policy Labels configured. The AAA Virtual Server does not need an IP address. Click Select.
Then click Create.
Go to NetScaler Gateway > Virtual Servers.
On the right, edit an existing Gateway Virtual Server.
In the Basic Settings section, click the pencil icon.
Click More.
Use the Authentication Profile drop-down to select the Authentication Profile you just created.
If one of your Factors is client certificates, then you’ll need to configure SSL Parameters and CA certificate as detailed in the next section.
When you browse to your Gateway, you’ll see the nFactor authentication screens.

Gateway Client Certificate Authentication

If one of your authentication Factors is certificate, then you must perform some SSL configuration on the NetScaler Gateway Virtual Server:

Go to Traffic Management > SSL > Certificates and install the root certificate for the issuer of the client certificates. Certificate Authority certificates do not need key files.
Go to NetScaler Gateway > Virtual Servers, and edit an existing NetScaler Gateway Virtual Server that is enabled for nFactor.
On the left, in the SSL Parameters section, click the pencil icon.
Check the box next to Client Authentication.
Make sure Client Certificate drop-down is set to Optional, and click OK.
On the left, in the Certificates section, click where it says No CA Certificate.
Click to select.
Select the root certificate for the issuer of the client certificates and click Select.
Click Bind.

nFactor Single Sign-on to StoreFront

When performing Single Sign-on to StoreFront, nFactor defaults to using the last entered password. If LDAP is not the last entered password, then you need to create a Traffic Policy/Profile to override the default nFactor behavior.

Go to NetScaler Gateway > Policies > Traffic.
On the right, switch to the Traffic Profiles tab.
Click Add.
Give the Traffic Profile a name.
In the Protocol section, select HTTP. Scroll down.
In the SSO Expression fields, enter an HTTP.REQ.USER.ATTRIBUTE(#) expression that matches the indexes specified in the Login Schema.
Click Create.
On the right, switch to the Traffic Policies tab and click Add.
Give the policy a name.
Select the previously created Traffic Profile.
Enter a classic expression (e.g. ns_true) and click Create.
Edit an existing NetScaler Gateway Virtual Server.
Scroll down to the Policies section and click the plus icon.
Select Traffic > Request and click Continue.
Select the previously created Traffic Policy.
Bind the Traffic Policy.

Sample Configurations

From Citrix Docs: Sample deployments using nFactor authentication:

Getting two passwords up-front, pass-through in next factor. Read
Group extraction followed by certificate or LDAP authentication, based on group membership. Read
SAML followed by LDAP or certificate authentication, based on attributes extracted during SAML.Read
SAML in first factor, followed by group extraction, and then LDAP or certificate authentication, based on groups extracted. Read
Prefilling user name from certificate. Read
Certificate authentication followed by group extraction for 401 enabled traffic management virtual servers. Read
Username and 2 passwords with group extraction in third factor.Read
Certificate fallback to LDAP in same cascade; one virtual server for both certificate and LDAP authentication. Read
LDAP in first factor and WebAuth in second factor.Read
Domain drop down in first factor, then different policy evaluations based on group.Read

Certificate auth: If Successful, LDAP only. If Failure, LDAP+RADIUS

This scenario is described in Citrix Blog Post Configuration Notes on nFactor

The authentication process flows like this:

User connects to NetScaler Gateway.
NetScaler Gateway asks user for certificate.
If user selects a certificate, NetScaler Gateway compares certificate signature to the CA certificate that is bound to the NetScaler Gateway. If it doesn’t match, then user certificate is ignored.
Bound to the NetScaler Gateway Virtual Server is an Authentication Profile, which links NetScaler Gateway to AAA nFactor.
Certificate authentication: The lowest priority number authentication policy on the AAA Virtual Server is Certificate. If there’s a valid user certificate:
1. Extract the user’s userPrincipalName from the certificate.
2. Next Factor = policy label that displays a logon screen (Single-factor Login Schema)
3. The username field is pre-populated with the userPrincipalName attribute extracted from the certificate.
4. User is prompted to enter the LDAP password only.
5. LDAP policy/server is configured to use userPrincipalName to login to LDAP.
6. If successful, NetScaler Gateway authentication is complete. Next step is to Single Sign-on to StoreFront.
7. If LDAP authentication fails, then NetScaler Gateway authentication fails, and the user is prompted to try LDAP-only authentication again.
LDAP authentication: If certificate authentication fails, try next authentication policy bound to the AAA Virtual Server, which is a different LDAP Policy.
1. Bound to the AAA Virtual Server is a Dual Factor Login Schema that asks for username, LDAP password, and RADIUS password.
2. LDAP policy/server is configured to use sAMAccountName to login to LDAP. SAMAccountName means users don’t have to enter full userPrincipalName.
3. If LDAP authentication is successful:
  1. Put username in Credential Index 1 and put password in Credential Index 2. These will later be used by a Traffic Policy to Single Sign-on to StoreFront.
  2. Proceed to next factor (Policy Label), which is RADIUS.
4. If LDAP authentication fails, NetScaler Gateway login fails, and the user is prompted to try two-factor authentication again.
RADIUS authentication: the second factor Policy Label is configured with Noschema. This means no additional logon form is displayed because the RADIUS password was already collected in the previous factor.
1. When multiple passwords are collected, they are tried in order. The first password was used by the previous factor. The second password is tried by this factor (Policy Label).
2. RADIUS policy/profile attempts authentication.
3. If RADIUS authentication is successful, NetScaler Gateway authentication is complete. Next step is Single Sign-on to StoreFront.
4. If RADIUS authentication fails, NetScaler Gateway login fails, and the user is prompted to try two-factor authentication again.
Single Sign-on to StoreFront: NetScaler Gateway uses the last password collected by nFactor to Single Sign-on with StoreFront. If the last password is LDAP, then no additional configuration is needed. If the last password is not LDAP, then a Traffic Policy/Profile is needed.
1. Bound to the NetScaler Gateway Virtual Server is a Traffic Policy.
2. The Traffic Policy/Profile users Credential Index 1 for username and Credential Index 2 for Password. These are the same indexes configured in the Dual Factor Login Schema.

The order of configuration doesn’t match the authentication flow because some objects have to be created before others.

# Create Auth vServer, bind server cert, bind CA cert for client certificates
# Enable Optional client certificates
add authentication vserver nFactorAAA SSL 0.0.0.0 443 -AuthenticationDomain corp.com
bind ssl vserver nFactorAAA -certkeyName WildCorpCom
bind ssl vserver nFactorAAA -certkeyName CorpRoot -CA -ocspCheck Optional
set ssl vserver nFactorAAA -clientAuth ENABLED -clientCert Optional -ssl3 DISABLED

# Create auth policy for LDAP-UPN
add authentication ldapAction Corp-UserPrincipalName -serverIP 10.2.2.220 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword "MyPassword" -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
add authentication Policy Corp-UserPrincipalName -rule true -action Corp-UserPrincipalName

# Create PolicyLabel LDAPPasswordOnly with Single-factor Login Schema
add authentication loginSchema SingleAuth -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth-Corp.xml"
add authentication policylabel LDAPPasswordOnly -loginSchema SingleAuth
bind authentication policylabel LDAPPasswordOnly -policyName Corp-UserPrincipalName -priority 100 -gotoPriorityExpression NEXT

# Create Cert policy and bind to AAA vServer with LDAPPasswordOnly PolicyLabel as Next Factor
# Cert policy must have lower priority number than LDAP-SAM policy
add authentication certAction Cert_Auth_Profile -userNameField SubjectAltName:PrincipalName
add authentication Policy Cert_Auth_Policy -rule true -action Cert_Auth_Profile
bind authentication vserver nFactorAAA -policy Cert_Auth_Policy -priority 100 -nextFactor LDAPPasswordOnly -gotoPriorityExpression NEXT

# Create LDAP-SAM Auth Policy
add authentication ldapAction Corp-Gateway -serverIP 10.2.2.220 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword "MyPassword" -ldapLoginName samaccountname -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
add authentication Policy Corp-SAMAccountName -rule true -action Corp-Gateway

# Create RADIUS Auth Policy
add authentication radiusAction RADIUS-Action -serverIP 10.2.2.42 -serverPort 1812 -radKey MyKey
add authentication Policy RADIUS-Policy -rule true -action RADIUS-Action

# Create Dual-factor Login Schema and bind directly to AAA vServer
# This Login Schema is only shown if Cert auth fails
add authentication loginSchema DualAuth -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -userCredentialIndex 1 -passwordCredentialIndex 2
add authentication loginSchemaPolicy DualAuth -rule true -action DualAuth
bind authentication vserver nFactorAAA -policy DualAuth -priority 100 -gotoPriorityExpression END

# Create RADIUS Policy Label with noschema and RADIUS Auth Policy
add authentication loginSchema Noschema -authenticationSchema noschema
add authentication policylabel NoSchema-RADIUS -loginSchema Noschema
bind authentication policylabel NoSchema-RADIUS -policyName RADIUS-Policy -priority 100 -gotoPriorityExpression NEXT

# Bind LDAP-SAM Auth Policy to AAA vServer with RADIUS as next factor
# LDAP-SAM Auth Policy must have higher priority number than Cert Policy
bind authentication vserver nFactorAAA -policy Corp-SAMAccountName -priority 110 -nextFactor NoSchema-RADIUS -gotoPriorityExpression NEXT

# Create Authentication Profile to link AAA with Gateway. Bind to Gateway.
add authentication authnProfile nFactor -authnVsName nFactorAAA -AuthenticationHost aaa.corp.com
add vpn vserver gateway.corp.com SSL 10.2.2.220 443 -icaOnly ON -dtls ON -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -appflowLog ENABLED -authnProfile nFactor

# Enable Optional Client certs on Gateway
set ssl vserver gateway.corp.com -clientAuth ENABLED -clientCert Optional -ssl3 DISABLED
bind ssl vserver gateway.corp.com -certkeyName CorpRoot -CA -ocspCheck Optional

# Create Traffic Policy to SSON to StoreFront. Bind to Gateway.
add vpn trafficAction nFactorSSO http -kcdAccount NONE -userExpression "http.req.user.attribute(1)" -passwdExpression "http.req.user.attribute(2)"
add vpn trafficPolicy nFactorSSO ns_true nFactorSSO
bind vpn vserver gateway.corp.com -policy nFactorSSO -priority 100

↧

NetScaler 11.1 System Configuration

May 11, 2016, 7:16 am

≫ Next: NetScaler 11.1 Certificates

≪ Previous: nFactor Authentication for NetScaler Gateway 11

Navigation

= Recently Updated

VPX Hardware

NetScaler VPX Release 11.1 supports new VPX models on ESXi. These new models include: VPX 25, VPX 5G, VPX 25G, etc. See the NetScaler VPX datasheet for more info.

NetScaler VPX Release 11.1 also supports changing the NIC type to VMXNET3 or SR-IOV. The imported appliance comes with E1000 NICs so you’ll have to remove the existing virtual NICs and add new VMXNET3 NICs.

NetScaler for Azure can now be upgraded to 11.1. It will be possible to upgrade to future releases of NetScaler firmware. More details by Thomas Goodwin at Citrix Discussions.

Customer User Experience Improvement Program

You might be prompted to enable the Customer User Experience Improvement Program. Either click Enable or click Skip.
You can enable or disable Customer Experience Improvement Program by going to System > Settings.
On the right is Change CUXIP Settings.
Make your selection and click OK.

set system parameter -doppler ENABLED

Welcome Wizard

NetScaler has a Welcome! Wizard that lets you set the NSIP, hostname, DNS, licensing, etc. It appears automatically the first time you login.

Click the Subnet IP Address box.
You can either enter a SNIP for one of your interfaces or you can click Do it later.
```
add ns ip 10.2.2.60 255.255.255.0 -type SNIP
```
Click the Host Name, DNS IP Address, and Time Zone box.
Enter a hostname. Your NetScaler Gateway Universal licenses are allocated to this hostname. In a High Availability pair each node can have a different hostname.
Enter one or more DNS Server IP addresses. Use the plus icon on the right to add more servers.
Change the time zone to GMT-05:00-CDT-America/Chicago or similar.

Click Done.

set ns hostname ns02

add dns nameServer 10.2.2.11

set ns param -timezone "GMT-05:00-CDT-America/Chicago"

Click Yes to save and reboot.
Click the Licenses box.
You can click Add New License to license the appliance now. Or do it later.

License files are stored in /nsconfig/license.
Then click Continue.

Licensing – VPX Mac Address

To license a NetScaler VPX appliance, you will need its MAC address.

Go to the Configuration tab.
In the right pane, look down for the Host Id field. This is the MAC address you need for license allocation.
Another option is to SSH to the appliance and run shell.
Then run lmutil lmhostid. The MAC address is returned.

Licensing – Citrix.com

Login to citrix.com.
Click Activate and Allocate Licenses.
Check the box next to a Citrix NetScaler license and click Continue.
If this is a NetScaler MPX license then there is no need to enter a host ID for this license so click Continue. If this is a NetScaler VPX license, enter the lmutil lmhostid MAC address into the Host ID field and click Next.

For a VPX appliance, you can also get the Host ID by looking at the System Information page.
Click Confirm.
Click OK when asked to download the license file.
Click Download.
Click Save and put it somewhere where you can get to it later.
If you purchased NetScaler Gateway Universal Licenses, allocate them. These licenses can come from XenMobile Enterprise, XenApp/XenDesktop Platinum Edition, NetScaler Platinum Edition, or a la carte.
Enter your appliance hostname as the Host ID for all licenses.
Click Confirm.
Click OK when prompted to download your license file.
Click Download.
Click Save.
If you have two appliances in a High Availability pair with different hostnames then you will need to return the NetScaler Gateway Universal licenses and reallocate them to the other hostname.

Install Licenses on Appliance

In the NetScaler Configuration GUI, on the left, expand System and click Licenses.
On the right, click Manage Licenses.
Click Add New License.
If you have a license file, select Upload license files from a local computer and then click Browse. Select the license file and click Open.

License files are stored in /nsconfig/license.
Click Reboot when prompted. Login after the reboot.
After rebooting, the Licenses node should look something like this. Notice that Maximum ICA Users Allowed is set to Unlimited.
Note: the NetScaler SNMP counter allnic_tot_rx_mbits must remain less than the licensed bandwidth or packets will drop.

Upgrade Firmware

Citrix CTX127455 – How to Upgrade Software of the NetScaler Appliances in a High Availability Setup

Download firmware. Ask your Citrix Partner or Citrix Support TRM for recommended versions and builds. At the very least, watch the Security Bulletins to determine which versions and builds resolve security issues. You can also subscribe to the Security Bulletins at http://support.citrix.com by clicking the Alerts link on the top right.
Make sure you Save the config before beginning the upgrade.
Transferring the firmware upgrade file to the appliance will be slow unless you license the appliance first. An unlicensed appliance will reduce the maximum speed to 1 Mbps.
Start with the Secondary appliance.
Before upgrading the appliance, consider using WinSCP or similar to back up the /flash/nsconfig directory.
In the NetScaler GUI, with the top left node (System) selected, click System Upgrade.
Click Choose File and browse to the build…tgz file. If you haven’t downloaded firmware yet then you can click the Download Firmware link.
Click Upgrade.
The firmware will upload.
You should eventually see a System Upgrade window with text in it. Click Yes when prompted to reboot.
Once the Secondary is done, login and failover the pair.
Then upgrade the firmware on the former Primary.

To install firmware by using the command-line interface

To upload the software to the NetScaler Gateway, use a secure FTP client (e.g. WinSCP) to connect to the appliance.
Create a version directory under /var/nsinstall (e.g. /var/nsinstall/11.1.47).
Copy the software from your computer to the /var/nsinstall/<version> (e.g. /var/nsinstall/11.1.47) directory on the appliance.
Open a Secure Shell (SSH) client (e.g. Putty) to open an SSH connection to the appliance.
At a command prompt, type shell.
At a command prompt, type cd /var/nsinstall/<version> to change to the nsinstall directory.
To view the contents of the directory, type ls.
To unpack the software, type tar -xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
To start the installation, at a command prompt, type ./installns.
When the installation is complete, restart NetScaler.
When the NetScaler restarts, at a command prompt type what or show version to verify successful installation.

High Availability

Configure High Availability as soon as possible so almost all configurations are synchronized across the two appliances. The exceptions are mainly network interface configurations.

High Availability will also sync files between the two appliances. See CTX138748 File Synchronization in NetScaler High Availability Setup for more information.

Prepare the secondary appliance:
1. Configure a NSIP.
2. Don’t configure a SNIP. In Step 2, Subnet IP Address, you can click Do It Later to skip the wizard. You’ll get the SNIP later when you pair it.
3. Configure Hostname and Time Zone. Don’t configure DNS since you’ll get those addresses when you pair it.
4. License the secondary appliance.
5. Upgrade firmware on the secondary appliance. The firmware of both nodes must be identical.
On the secondary appliance, go to System > High Availability, double-click the local node, and change High Availability Status to STAY SECONDARY. If you don’t do this then you run the risk of losing your config when you pair the appliances. See Terence Luk Creating a Citrix NetScaler High Availability pair without wiping out an existing configuration for more information.
On the primary appliance, on the left, expand System, expand Network and click Interfaces.
On the right, look for any interface that is currently DOWN.
You need to disable those disconnected interfaces before enabling High Availability. Select the disconnected interface and click Disable. Repeat for the remaining disconnected interfaces.
```
show interface
disable interface 1/1
```
On the left, expand System and click High Availability.
On the right, click Add.
Enter the other NetScaler’s IP address.
Enter the other NetScaler’s login credentials and click Create.

add ha node 1 192.168.123.14

Note: this CLI command must be run separately on each appliance.
If you click the refresh icon near the top right, Synchronization State will probably say IN PROGRESS.
Eventually it will say SUCCESS.
To enable Fail-safe mode, edit Node ID 0 (the local appliance).
Under Fail-safe Mode, check the box next to Maintain one primary node even when both nodes are unhealthy. Scroll down and click OK.

set ha node -failSafe ON
If you login to the Secondary appliance, you might see a message warning you against making changes. Always apply changes to the Primary appliance.
On the secondary appliance, go to System > High Availability, edit the local node, and change it from STAY SECONDARY to ENABLED.
Run “sh ha node” to see the status. You should see heartbeats on all interfaces. If not, configure VLANs as detailed in the next section.
You can also disable HA heartbeats on specific interfaces. Make sure it’s enabled on at least one interface/channel.
You can force failover of the primary appliance by opening the Actions menu and clicking Force Failover.

force ha failover

If your firewall (e.g. Cisco ASA) doesn’t like Gratuitous ARP, see CTX112701 – The Firewall Does not Update the Address Resolution Protocol Table

Multiple Interfaces – VLANs

Citrix CTX214033 Networking and VLAN Best Practices for NetScaler discusses many of the same topics detailed in this section.

Channels: You should never connect multiple interfaces to a single VLAN unless you are bonding the interfaces using LACP, Manual Channel, or Redundant Interface Set. See Webinar: Troubleshooting Common Network Related Issues with NetScaler.

NetScaler VPX defaults to two connected interfaces, so if you only have one subnet, disconnect one of those interfaces.

A Redundant Interface Set is configured almost identically to a Manual Channel except that the Channel ID starts with LR instead of LA.

If you only connected NetScaler to one subnet (one VLAN) then skip this section.

Common interface configuration: Here is a common NetScaler networking configuration for a NetScaler that is connected to both internal and DMZ.

Note: If the appliance is connected to both DMZ and internal then be aware that this configuration essentially bypasses (straddles) the DMZ-to-internal firewall. That’s because if a user connects to a public/DMZ VIP, then NetScaler could use an internal SNIP to connect to the internal server. A more secure approach is to have different appliances for internal and DMZ. Or use NetScaler SDX, partitioning, or traffic domains.

0/1 connected to a dedicated management network. NSIP is on this network.
- 0/1 is not optimized for high throughput so don’t put data traffic on this interface. If you don’t have a dedicated management network, then put your NSIP on one of the other interfaces (1/1, 10/1, etc.) and don’t connect any cables to 0/1.
- To prevent NetScaler from using this interface for outbound data traffic, don’t put a SNIP on this network, and configure the default gateway to use a different data network. However, if there’s no SNIP, and if default gateway is on a different network, then there will be asymmetric routing for management traffic since inbound is 0/1 but outbound is LA/1. To work around this problem, enable Mac Based Forwarding.
- It’s easiest if the switch port for this interface is an Access Port (untagged). If VLAN tagging is required, then NSVLAN must be configured on the NetScaler.
10/1 and 10/2 in a LACP port channel (LA/1) connected to internal VLAN(s). Static routes to internal networks through a router on one of these internal VLANs.
- If only one internal VLAN, configure the switch ports/channel as an Access Port.
- If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
- If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.
1/1 and 1/2 in a LACP port channel (LA/2) connected to DMZ VLAN(s). Default gateway points to a router on a DMZ VLAN so replies can be sent to Internet clients.
- If only one internal VLAN, configure the switch ports/channel as an Access Port.
- If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
- If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.

SNIPs: You will need one SNIP for each connected subnet. VLAN objects (tagged or untagged) bind the SNIPs to particular interfaces. NetScaler uses the SNIP’s subnet mask to assign IP addresses to particular interfaces.

NSIP: The NSIP subnet is special so you won’t be able to bind it to a VLAN. Use the following SNIP/VLAN method for any network that does not have the NSIP. The remaining interfaces will be in VLAN 1, which is the VLAN that the NSIP is in. VLAN 1 is only locally significant so it doesn’t matter if the switch is configured with it or not. Just make sure the switch has a native VLAN configured, or configure the interface as an access port. If you require trunking of every VLAN, including the NSIP VLAN, then additional configuration is required (NSVLAN or Tagall).

On the left, expand System, and click Settings.
On the right, in the left column, click Configure modes.
Check the box next to MAC Based Forwarding and click OK. This configures the NetScaler to respond on the same interface the request came in on and thus bypasses the routing table. This setting can work around misconfigured routing tables. More info on MAC Based Forwarding can be found at Citrix CTX1329532 FAQ: Citrix NetScaler MAC Based Forwarding (MBF).
```
enable mode mbf
```
Add a subnet IP for every network the NetScaler is connected to, except the dedicated management network. Expand System, expand Network, and click IPs.
On the right, click Add.
Enter the Subnet IP Address for this network. This is the source address the NetScaler will use when communicating with any other service on this network. The Subnet IP can also be referred to as the Interface IP for the network. You will need a separate SNIP for each connected network (VLAN).
Enter the netmask for this network. When you create a VLAN object later, all IPs on this subnet will be bound to an interface.
Ensure the IP Type is set to Subnet IP. Scroll down.
```
add ns ip 172.16.1.11 255.255.255.0 -type SNIP
```
Under Application Access Controls decide if you want to enable GUI management on this SNIP. This is particularly useful for High Availability pairs, because when you point your browser to the SNIP only the primary appliance will respond. However, enabling management access on the SNIP can be a security risk, especially if this is a SNIP for the DMZ network.
Click Create when done. Continue adding SNIPs for each connected network (VLAN).
```
set ns ip 172.16.1.11 -mgmtAccess ENABLED -telnet DISABLED -ftp DISABLED
```
On the left, expand System, expand Network and click VLANs.
On the right, click Add.
Enter a descriptive VLAN ID. The actual VLAN ID only matters if you intend to tag the traffic. If not tagged then any ID will work.
Check the box next to one physical interface or channel (e.g. LA/1) that is connected to the network.
If this is a trunk port, select Tagged if the switch port/channel is expecting the VLAN to be tagged.
- If your switches do not allow untagged packets then you will need to use the tagall interface option to tag NetScaler High Availability heartbeat packets. See CTX122921 – Citrix NetScaler Interface Tagging and Flow of High Availability Packets
If you don’t tag the VLAN then the NetScaler interface/channel is removed from VLAN 1 and instead put in this VLAN ID.
Switch to the IP Bindings tab.
Check the box next to the Subnet IP for this network. This lets NetScaler know which interface is used for which IP subnet. Click Create when done.
```
add vlan 50
bind vlan 50 -ifnum LA/1 -IPAddress 172.16.1.11 255.255.255.0
```
The default route should use the router in the DMZ, not the internal router. Most likely the default route is set to an internal router. On the left, expand System, expand Network and click Routes.
On the right, click Add.
Internal networks are only accessible through an internal router. Add a static route to the internal networks and set the Gateway to an internal router. Then click Create.

add route 10.2.0.0 255.255.0.0 10.2.2.1
On the right, delete the 0.0.0.0 route. Don’t do this unless the NetScaler has a route to the IP address of the machine you are running the NetScaler Configuration Utility on.

rm route 0.0.0.0 0.0.0.0 10.2.2.1
Then click Add.
Set the Network to 0.0.0.0 and the Netmask to 0.0.0.0.
Make sure NULL Route is set to No.
Enter the IP address of the DMZ router and click Create.

add route 0.0.0.0 0.0.0.0 172.16.1.1

DNS Servers

To configure DNS servers, expand Traffic Management, expand DNS and click Name Servers.
On the right, click Add.
Enter the IP address of a DNS server and click Create.
Note: The NetScaler must be able ping each of the DNS servers or they will not be marked as UP. The ping originates from the SNIP.

add dns nameServer 10.2.2.11

NTP Servers

On the left, expand System and click NTP Servers.
On the right, click Add.
Enter the IP Address of your NTP Server (or pool.ntp.org) and click Create.

add ntp server pool.ntp.org
Open the Action menu and click NTP Synchronization.
Select ENABLED and click OK.

enable ntp sync
You can click the System node to view the System Time.
If you need to manually set the time, SSH (Putty) to the NetScaler appliances. Run date to set the time. Run date –help to see the syntax.
Ntpdate –u pool.ntp.org will cause an immediate NTP time update.

Citrix Knowledgebase article CTX200286 – NTP Configuration on NetScaler to Avoid Traffic Amplification Attack:

Replace the following line in /etc/ntp.conf file, if it exists:
> restrict default ignore

Add the following lines in file /etc/ntp.conf:

# By default, exchange time with everybody, but don't allow configuration:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely:

restrict 127.0.0.1
restrict ::1

Restart NTP using the following commands:

> shell
root@ns# ps -aux |grep "ntp"
root@ns# kill <PID obtained from step above>
root@ns# /usr/sbin/ntpd -g -c /flash/nsconfig/ntp.conf

We recommend that customers apply the following remediation:

Open the NetScaler’s ntp.conf file in /etc and add the following lines:

restrict -4 default notrap nopeer nomodify noquery

restrict -6 default notrap nopeer nomodify noquery

SYSLOG Server

Citrix CTX120609 NetScaler Log Rotation and Configuration Using Newsyslog

The NetScaler will by default store a few syslogs on the local appliance. You can create a syslog policy to also send the syslog entries to an external server, like Citrix Command Center.

On the left, expand System, expand Auditing, and click Syslog.
On the right, switch to the Servers tab and click Add.
Enter a name for the Syslog server.
Specify the IP Address of the SYSLOG server, 514 as the port, and the Log Levels you’d like to send to it.
Check the box for TCP Logging if you want the client IP. Note: TCP Logging requires significant disk space on the Syslog server.
Select your desired Time Zone and then click Create.

add audit syslogAction CommandCenter 10.2.2.12 -logLevel ALL -timeZone LOCAL_TIME
On the right, switch to the Policies tab, and then click Add.
Give the policy a descriptive name, select the Syslog server, and then click Create.

add audit syslogPolicy CommandCenter ns_true CommandCenter
While still on the Policies tab, open the Actions menu and click Global Bindings.
Click the arrow next to Click to select.
Select the Syslog policy you want to bind and click Select.
Click Bind.
Click Done.

bind system global CommandCenter -priority 100

SNMP – MIB, Traps, and Alarms

On the left, expand System, and click SNMP.
On the right, click Change SNMP MIB.
Change the fields as desired. Your SNMP tool (e.g. NetScaler Management and Analytics System) will read this information. Click OK. This configuration needs to be repeated on the other node.

set snmp mib -contact NSAdmins@corp.com -name ns02 -location Corp
Expand System, expand SNMP, and click Community.
On the right, click Add.
Specify a community string and the Permission and click Create.

add snmp community public GET
On the left, under SNMP, click Traps.
On the right, click Add.

Specify a trap destination and Community Name and click Create.

add snmp trap generic 10.2.2.12 -communityName public
add snmp trap specific 10.2.2.12 -communityName public

On the left, under SNMP, click Managers.
On the right, click Add. Note: if you do not add a manager then the NetScaler will accept SNMP queries from all SNMP Managers on the network.
Change the selection to Management Network.
Specify the IP of the Management Host and click Create.

add snmp manager 10.2.2.12
The Alarms node allows you to enable SNMP Alarms and configure thresholds.
You can open an alarm to set thresholds. For example, CPU-USAGE can be set to 90% alarm and 50% normal with a Critical severity.

set snmp alarm CPU-USAGE -thresholdValue 90 -normalValue 50 -severity Critical
You can also configure the MEMORY alarm.

set snmp alarm MEMORY -thresholdValue 90 -normalValue 50 -severity Critical

From http://www.slideshare.net/masonke/net-scaler-tcpperformancetuningintheaolnetwork: In addition to the usual OIDs, we have found these very useful to warn of potential problems.

ifTotXoﬀSent – .1.3.6.1.4.1.5951.4.1.1.54.1.43
ifnicTxStalls – .1.3.6.1.4.1.5951.4.1.1.54.1.45
ifErrRxNoBuﬀs – .1.3.6.1.4.1.5951.4.1.1.54.1.30
ifErrTxNoNSB – .1.3.6.1.4.1.5951.4.1.1.54.1.31

Call Home

On the left, expand System and click Diagnostics.
On the right, in the left column, in the Technical Support Tools section, click Call Home.
Check the box next to Enable Call Home.
Optionally enter an email address to receive notifications from Citrix Technical Support. Click OK.
If you go back into Call Home, it should indicate if registration succeeded or failed. Successful registration requires an active support contract.

Change nsroot Password

Expand System, expand User Administration and click Users.
On the right, select nsroot and click Change Password.
Specify a new password and click OK.

set system user nsroot Passw0rd

TCP, HTTP, SSL, and Security Settings

Citrix whitepaper – Secure Deployment Guide for NetScaler MPX, VPX, and SDX Appliances

Citrix Knowledgebase articles:

On the left, expand System and click Settings.
On the right side of the right pane, click Change TCP parameters.
Check the box for Window scaling (near the top).
Scroll down and check the box for Selective Acknowledgement. Click OK.

set ns tcpParam -WS ENABLED -SACK ENABLED
On the right, click Change HTTP parameters.
Under Cookie, change the selection to Version1. This causes NetScaler to set Cookie expiration to a relative time instead of an absolute time.

set ns param -cookieversion 1
Check the box next to Drop invalid HTTP requests.
Scroll down and click OK.

set ns httpParam -dropInvalReqs ON

You can run the following command to see statistics on the dropped packets:

nsconmsg -g http_err_noreuse_ -d stats
See CTX209398 Addressing false positives from CBC and MAC vulnerability scans of SSHD to harden SSHD by editing /nsconfig/sshd_config with the following. Then run kill -HUP `cat /var/run/sshd.pid` to restart SSHD.
```
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160
```

Implement Responder policies to prevent Shellshock attack against back-end web servers. See Citrix CTX200277 NetScaler Defends Against Shellshock Attack.

add audit messageaction ShellShock_Log CRITICAL "\"The request was sent from \" +CLIENT.IP.SRC + \" Bash Code Injection Vulnerability\"" -bypassSafetyCheck YES

add responder policy ShellShock_policy "HTTP.REQ.FULL_HEADER.REGEX_MATCH(re/\(\)\s*{/) || HTTP.Req.BODY(1000).REGEX_MATCH(re/\(\)\s*{/) || HTTP.REQ.URL.QUERY.REGEX_MATCH(re/\(\)(\s*|\++){/) || HTTP.REQ.BODY(1000).REGEX_MATCH(re#%28%29[+]*%7B#)" DROP ‑logAction ShellShock_Log

bind responder global ShellShock_policy 10 END -type REQ_DEFAULT

The following security configurations are detailed by Jason Samuel at Mitigating DDoS and brute force attacks against a Citrix Netscaler Access Gateway:

Maximum logon attempts on NetScaler Gateway Virtual Server
Rate Limiting for IP.SRC and HTTP.REQ.URL.
nstcp_default_XA_XD_profile TCP profile on the NetScaler Gateway Virtual Server.
Syslog logging
External website monitoring
Obfuscate the Server header in the HTTP response
Disable management access on SNIPs
Change nsroot strong password, use LDAP authentication, audit local accounts
Don’t enable Enhanced Authentication Feedback
SSL – disable SSLv3, deny SSL renegotiation, enable ECDHE ciphers, disable RC4 ciphers. Also see Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated) .
2-factor authentication
Command Center and Insight Center
Review IPS/IDS & Firewall logs

Management Authentication

Expand System, expand Authentication, and then click LDAP.
On the right, switch to the Servers tab. Then click Add.
Enter LDAPS-Corp-Mgmt or similar as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain so make sure you include the domain name. Also, the LDAP policy used for management authentication will be different than the LDAP policy used for NetScaler Gateway.
Change the selection to Server IP. Enter the VIP of the NetScaler load balancing vServer for LDAP.
Change the Security Type to SSL.
Enter 636 as the Port. Scroll down.
In the Connection Settings section, enter your Active Directory DNS domain name in LDAP format as the Base DN.
Enter the credentials of the LDAP bind account in userPrincipalName format.
Check the box next to BindDN Password and enter the password. Click Test Connection. Scroll down.
In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
On the right, check the box next to Allow Password Change.
It is best to restrict access to only members of a specific group. In the Search Filter field, enter memberOf=<GroupDN>. See the example below:
memberOf=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local

You can add :1.2.840.113556.1.4.1941: to the query so it searches through nested groups. Without this users will need to be direct members of the filtered group.

memberOf:1.2.840.113556.1.4.1941:=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local

Citrix 132802 How to Use the ldapsearch Utility on the NetScaler Gateway Enterprise Edition Appliance to Validate a Search Filter

An easy way to get the full distinguished name of the group is through Active Directory Administrative Center. Double-click the group object and switch to the Extensions page. On the right, switch to the Attribute Editor tab.

Scroll down to distinguishedName, double-click it and then copy it to the clipboard.

Back on the NetScaler, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
Scroll down and click More to expand it.
For Nested Group Extraction, if desired, change the selection to Enabled.
Set the Group Name Identifier to samAccountName.
Set Group Search Attribute to –<< New >>– and enter memberOf.
Set Group Search Sub-Attribute to –<< New >>– and enter CN.
Example of LDAP Nested Group Search Filter Syntax

Scroll down and click Create.

add authentication ldapAction Corp-Mgmt -serverIP 10.2.2.210 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=NetScaler Admins,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED

Switch to the Policies tab and click Add.
Enter the name LDAPS-Corp-Mgmt or similar.
Select the previously created LDAPS-Corp-Mgmt server.
On the bottom, in the Expressions area, type in ns_true.

Click Create.

add authentication ldapPolicy Corp-Mgmt ns_true Corp-Mgmt

Click Global Bindings in the right pane.
Click where it says Click to select.
Select the newly created LDAP policy and click Select.
Click Bind.
Click Done.
```
bind system global Corp-Mgmt
```
Under System, expand User Administration and click Groups.
On the right, click Add.
In the Group Name field, enter the case sensitive name of the Active Directory group containing the NetScaler administrators.
In the Command Policies section, click Insert.
Select the superuser policy and click Insert.

Click Create.

add system group "NetScaler Admins" -timeout 900
bind system group "NetScaler Admins" -policyName superuser 100

If you logout:
You should be able to login to NetScaler using an Active Directory account.

Backup and Restore

Go to System > Backup and Restore.
On the right, click the Backup button.
Give the backup file a name.
For Level, select Full and click Backup.
Once the backup is complete, you can download the file.

To restore:

If you want to restore the system and if the backup file is not currently on the appliance, you click the Backup button. Yes, this seems backwards.
Change the selection to Add.
Browse Local to the previously downloaded backup file.
Then click Backup. This uploads the file to the appliance and adds it to the list of backup files.
Now you can select the backup and click Restore.

Next Steps

Return to NetScaler Procedures list

↧

NetScaler 11.1 Certificates

July 1, 2016, 3:58 pm

≫ Next: SSL Virtual Servers – NetScaler 11.1

≪ Previous: NetScaler 11.1 System Configuration

Navigation

Here are three methods of creating certificates for NetScaler:
If the server certificate is signed by an intermediate authority, import the intermediate certificate and bind it.
Replace the management certificate and then force SSL access for management.
Update certificates before they expire.

= Recently Updated

Convert .PFX Certificate to PEM Format

You can export a certificate from Windows and import it to NetScaler.

On the Windows server that has the certificate, run mmc.exe and add the certificates snap-in.
Right-click the certificate and click Export.
On the Export Private Key page, select Yes, export the private key and click Next.
On the Export File Format page, ensure Personal Information Exchange is selected and click Next.
Save it as a .pfx file. Don’t put any spaces in the filename.
Go to Traffic Management > SSL. If the SSL feature is disabled, right-click it and click Enable Feature.
In NetScaler 11.1, it is no longer necessary to first convert the .PFX file to PEM format since NetScaler will convert it for you automatically. Note: when the PFX is automatically converted to PEM, the key is not encrypted.
Go to Traffic Management > SSL > Certificates.
There are now three different certificate nodes. Server Certificates have private keys. These certificates are intended to be bound to SSL vServers.
Client Certificates also have private keys but they are intended to be bound to Services so NetScaler can perform client-certificate authentication against back-end web servers.
CA Certificates don’t have private keys. These certificates can authenticate client certificates. Or you can link Server Certificates to CA Certificates to create a trust chain.
On the left, click Server Certificates. On the right, click Install.
Browse (Local) to the PFX file.
Enter the PFX password, and then click Install.
If you click the information icon next to the certificate, you’ll see that NetScaler created a new file with a .ns extension.
If you look inside this file by going to Traffic Management > SSL > Manage Certificates / Keys / CSRs, notice that the RSA Private Key is not encrypted, encoded, or password protected.
If you want to encrypt your key file (recommended), use the older method of converting from PFX to PEM. In the NetScaler Configuration GUI, on the left expand Traffic Management and click SSL.
In the right column of the right pane, click Import PKCS#12 in the Tools section.
In the Import PKCS12 File dialog box:
1. In the Output File Name field, enter a name (e.g. Wildcard.cer) for a new file where the PEM certificate and key will be placed.
2. In the PKCS12 File field, click Browse and select the previously exported .pfx file.
3. In the Import Password field, enter the password you specified when you previously exported the .pfx file.
4. Change the Encoding Format selection to DES3. This causes the new Output file to be encrypted.
5. Enter a password for the Output file and click OK.
If you browse to the /nsconfig/ssl directory on the NetScaler and view the new .cer file you just created, you’ll see both the certificate and the private key in the same file. You can use the Manage Certificates / Keys / CSRs link to view the files.
Notice that the file contains both the certificate and the RSA Private key.
Also, the Private Key is encrypted.
On the left side of the NetScaler Configuration GUI, expand Traffic Management > SSL, and click Certificates.
On the right, click Install.
In the Install Certificate dialog box:
1. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
2. In the Certificate File Name field, browse the appliance and select the .cer file you just created.
3. If the file is encrypted, enter the password.
4. If desired, check the box next to Notify When Expires.
5. Click Install. You can now link an intermediate certificate to this SSL certificate and then bind this SSL certificate to SSL and/or NetScaler Gateway Virtual Servers.
To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy Citrix Command Center. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.

Create Key and Certificate Request

You can create a key pair and Certificate Signing Request directly on the NetScaler appliance. The Certificate Signing Request can then be signed by an internal or public Certificate Authority.

On the left, expand Traffic Management, expand SSL, and click SSL Files.
On the right, switch to the Keys tab.
Click Create RSA Key.
Give the .key file a descriptive name.
Set the Key Size to 2048 bits
Set the PEM Encoding Algorithm to DES3 and enter a password. This encrypts the key file.
Click OK. You will soon create a certificate using the keys in this file.
On the right, switch to the CSRs tab.
Click Create Certificate Signing Request (CSR).
In the Request File Name field, enter the name of a new file.
In the Key Filename field, browse to the previously created .key file.
If the key file is encrypted, enter the password.
Feel free to change the Digest Method to SHA256.
In the Common Name field, enter the FQDN of the SSL enabled-website. If this is a wildcard certificate, enter * for the left part of the FQDN.
In the Organization Name field, enter your official Organization Name.
Enter IT or similar as the Organization Unit.
Enter the City name.
In the State field, enter your state name without abbreviating.
Scroll down and click Create.
Click the ellipsis next to the new .csr file and Download the file.
You can then open the .csr file with Notepad and send the contents to your Certificate Authority. If the CA asks you for the type of web server, select Apache. Save the CA response as a Base64 file.
After you get the signed certificate, on the left side of the NetScaler Configuration GUI, expand Traffic Management > SSL > Certificates and click Server Certificates.
On the right, click Install.
In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
In the Certificate File Name field, browse Local and select the Base64 (Apache) .cer file you received from the Certificate Authority.
In the Private Key File Name field, browse the appliance and select the key file you created earlier.
If the key file is encrypted, enter the password.
If desired, check the box next to Notify When Expires.
Click Install.
The certificate is now added to the list. Notice the Days to Expire. You can now bind this certificate to any SSL Load Balancing, NetScaler Gateway, or SSL Content Switching Virtual Server.
To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy Citrix Command Center or Citrix NetScaler Management and Analytics. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.

Intermediate Certificate

Sometimes the public Certificate Authority will give you the Intermediate certificate as one of the files in a bundle. If not, log into Windows and double-click the signed certificate.
On the Certification Path tab, double-click the intermediate certificate (e.g. Go Daddy Secure Certificate Authority. It’s the one in the middle).
On the Details tab, click Copy to File.
In the Welcome to the Certificate Export Wizard page, click Next.
In the Export File Format page, select Base-64 encoded and click Next.
Give it a file name and click Next.
In the Completing the Certificate Export Wizard page, click Finish.
In the NetScaler configuration GUI, expand Traffic Management, expand SSL, expand Certificates, and click CA Certificates.
On the right, click Install.
Name it Intermediate or similar.
Browse locally for the Intermediate certificate file.
Click Install.
Go back to Server Certificates.
Click the ellipsis next to the server certificate, and click Link.
The previously imported Intermediate certificate should already be selected. Click OK.

Create Certificate with NetScaler as Certificate Authority

On the left, expand Traffic Management, and click SSL.
On the right, in the left column, click Root-CA Certificate Wizard.
In the Key Filename field, enter root.key or similar. This is a new file.
In the Key Size field, enter at least 2048.
Optionally, to encrypt the key file, change the PEM Encoding Algorithm to DES3, and enter a new password.
Click Create.
In the Request File Name field, enter root.csr or similar. This is a new file.
If the key file is encrypted, enter the password.
Scroll down.
In the State field, enter the non-abbreviated state name.
In the Organization Name field, enter the name of your organization.
Fill in other fields as desired.
In the Common Name field, enter a descriptive name for this Certificate Authority.
Click Create .
In the Certificate File Name field, enter root.cer or similar. This is a new file.
Change the Validity Period to 3650 (10 years) or similar.
If the key file is encrypted, enter the password in the PEM Passphrase field.
Click Create.
In the Certificate-Key Pair Name field, enter a friendly name for this Certificate Authority certificate.
If the key file is encrypted, enter the password in the Password field.
Click Create.
Click Done.
In the right pane, in the left column, click Server Certificate Wizard.
In the Key Filename field, enter mgmt.key or similar. This is a new file.
In the Key Size field, enter at least 2048.
Optionally, to encrypt the key file, change the PEM Encoding Algorithm to DES3, and enter a new password.
Click Create.
In the Request File Name field, enter mgmt.csr or similar. This is a new file.
If the key file is encrypted, enter the password.
Scroll down.
In the State field, enter the non-abbreviated state name.
In the Organization Name field, enter the name of your organization.
Fill in other fields as desired.
In the Common Name field, enter the hostname (FQDN) of the appliance.
Click Create.
In the Certificate File Name field, enter mgmt.cer or similar. This is a new file.
Change the Validity Period to 3650 (10 years) or similar.
Scroll down.
In the CA Certificate File Name field, browse to the root.cer file.
In the CA Key File Name field, browse to the root.key file.
If the key file is encrypted, enter the password.
In the CA Serial File Number field, enter the name of a new file that will contain serial numbers.
Click Create.
In the Certificate-Key Pair Name field, enter a friendly name for this management certificate.
If the key file is encrypted, enter the password in the Password field.
Click Create.
Click Done.

Default Management Certificate Key Length

In NetScaler versions prior to 11.1, the default management certificate (ns-server-certificate) key size is only 512 bits. To see the key size, click the ellipsis next to ns-server-certificate and then click Details.

You can configure Internet Explorer to accept the 512-bit certificate by running Certutil ‑setreg chain\minRSAPubKeyBitLength 512 on the same machine where Internet Explorer is running.

When you upgrade to 11.1, the management certificate remains at whatever was installed previously. If it was never replaced, then the management certificate is still only 512 bits. To replace the certificate with a new 2048-bit self-signed certificate, simply delete the existing ns-server-certificate certificate files and reboot.

Go to Traffic Management > SSL.
On the right, in the right column, click Manage Certificates / Keys / CSRs.
Highlight any file named ns-* and delete them. This takes several seconds.
Then go to System and reboot.
After a reboot, if you view the Details on the ns-server-certificate, it will be recreated as self-signed with 2048-bit key size.

Replace Management Certificate

You can replace the default management certificate with a new trusted management certificate.

Only one certificate will be loaded on both nodes in a High Availability pair so make sure the management certificate matches the names of both nodes. This is easily doable using a Subject Alternative Name certificate. Here are some names the management certificate should match (note: a wildcard certificate won’t match all of these names):

The FQDN for each node NSIP in a High Availability pair. Example: ns01.corp.local and ns02.corp.local
The shortnames (left label) for each node NSIP in a High Availability pair. Example: ns01 and ns02
The NSIP IP address for each node in a High Availability pair. Example: 192.168.123.14 and 192.168.123.29
If you enabled management access on your SNIPs, add names for the SNIPs:
- FQDN for the SNIP. Example: ns.corp.local
- Shortname for the SNIP. Example: ns
- SNIP IP address. Example: 192.168.123.30

If you are creating a Subject Alternative Name certificate, it’s probably easiest to do the following:

Create the certificate using the Certificates snap-in on a Windows box. You can add the Subject Alternative Names in the certificate request wizard. The Subject Alternative Names for the IP addresses must be added as IP address (v4). The other Subject Alternative Names are added as DNS.
Export the certificate and Private Key to a .pfx file.
On the NetScaler, use the Import PKCS#12 tool to convert the .pfx to PEM format. Then follow one of the procedures below to replace the management certificate.

There are two methods of replacing the management certificate:

Use the Update Certificate button for ns-server-certificate in the NetScaler GUI. This automatically updates all of the Internal Services bindings too.
- You cannot rename the certificate in the NetScaler GUI. It remains as ns-server-certificate.
- If your new management certificate is a wildcard that you need to use for other SSL entities, then you will bind ns-server-certificate to those entities instead of a more descriptive name. You can’t re-upload the wildcard certificate again with a different GUI name.
Or manually Bind the new certificate to the Internal Services.

Update Certificate Method

The Update Certificate button method is detailed below:

You can’t update the certificate while connected to the NetScaler using https so make sure you connect using http.
On the left, expand Traffic Management, expand SSL expand Certificates, and click Server Certificates.
On the right, click the ellipsis next to ns-server-certificate and click Update.
Check the box next to Click to update the certificate and key.
Browse to the new management certificate. It could be on the appliance or it could be on your local machine.
If the PEM certificate is encrypted, enter the password.
Check the box next to No Domain Check. Click OK.
Click Yes to update the certificate.
You can now connect to the NetScaler using https protocol. The certificate should be valid and it should have a 2048 bit key.
Go to Traffic Management > Load Balancing > Services.
On the right, switch to the Internal Services tab.
Click the ellipsis next to one of the services and click Edit.
Scroll down to the SSL Ciphers section. Feel free to change the ciphers to a more secure cipher group. NetScaler 11.1 no longer includes RC4 ciphers in the DEFAULT cipher group, but you might want to rearrange the ciphers.
Repeat this for each of the Internal Services.

Manual Binding Method

The manual Binding to Internal Services method is detailed below:

You can’t update the certificate while connected to the NetScaler using https so make sure you connect using http.
NetScaler 11.1 requires the certificate to be a client certificate, not a server certificate. I think this means a certificate with NetScaler Cert Type set to SSL Client Authentication.
On the left, expand Traffic Management, expand SSL, expand Certificates, and click Client Certificates.
On the right, use the Install button to install the new management certificate.
On the left, expand Traffic Management, expand Load Balancing and click Services.
On the right, switch to the Internal Services tab.
You will see multiple services. Edit one of them.
Scroll down and click where it says 1 Client Certificate.
Select the existing management certificate and click Unbind.
Click Yes to remove the selected entity.
Click Add Binding.
Click where it says Click to select.
Select the new management certificate and Select.
Click Bind and click Close.
Scroll to the SSL Parameters section and click the pencil icon.
Uncheck the box next to SSLv3. Make sure TLSv11 and TLSv12 are enabled. Click OK.
On the left, in the SSL Ciphers section, click the pencil icon.
Select a more secure Cipher Group. NetScaler 11.1 no longer includes RC4 in the DEFAULT cipher group but the ciphers could be reordered in a more secure order.
Repeat for the rest of the internal services.

Force Management SSL

By default, administrators can connect to the NSIP using HTTP or SSL. This section details how to disable HTTP.

Connect to the NSIP using https.
On the left, expand System, expand Network and click IPs.
On the right, select your NetScaler IP and click Edit.
Near the bottom, check the box next to Secure access only and then click OK.
Repeat this on the secondary appliance.
Repeat for any SNIPs that have management access enabled.

SSL Certificate – Update

If your certificate is about to expire, do the following:

Create updated certificate files in PEM format. One option is to create a key file and Certificate Signing Request directly on the NetScaler. Another option is to convert a PFX file to a PEM file. Don’t install the certificate yet but instead simply have access to the key file and certificate file in PEM format.
In NetScaler, navigate to Traffic Management > SSL > Certificates > Server Certificates.
On the right, click the ellipsis next to the certificate you intend to update, and click Update.
Check the box next to Click to update the Certificate/Key.
Browse to the updated certificate and key files. If the private key is encrypted, specify the password.
Click Yes to update the certificate.
Click OK. This will automatically update every Virtual Server on which this certificate is bound.
Certificates can also be updated in Citrix Command Center or NetScaler Management and Analytics System.

↧

SSL Virtual Servers – NetScaler 11.1

July 1, 2016, 7:19 pm

≫ Next: StoreFront Load Balancing – NetScaler 11.1

≪ Previous: NetScaler 11.1 Certificates

This page contains generic SSL instructions for all SSL Virtual Servers including: Load Balancing, NetScaler Gateway, Content Switching, and AAA.

Navigation

Preparation:
SSL vServer Configuration – Bind Cert, Ciphers, ECC, and STS
SSL Tests
SSL Redirect Methods:

= Recently Updated

Cipher Group

References:

Citrix Blogs – Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update
Citrix CTX201710 Cipher/Protocol Support Matrix of NetScaler Appliances

To create a custom secure cipher group:

Citrix has a PowerShell script at Github that can automate NetScaler SSL configuration to get an A+.
The easiest way to create a cipher group is from the CLI. See Citrix Blogs Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update for cipher group CLI commands.

The last cipher is only needed for Windows XP machines. It doesn’t actually require SSL3. If you don’t need to support Windows XP, then skip that command.

add ssl cipher custom-ssllabs-cipher
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher custom-ssllabs-cipher -cipherName SSL3-DES-CBC3-SHA

Or you can create the cipher group using the GUI. Go to Traffic Management > SSL > Cipher Groups.
On the right, click Add.
Name it Modern or similar.
In the middle, click Add.
Use the search box to find a particular cipher.
Check the box next to one of the results and click the arrow to move it to the right. See Citrix Blogs Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update for recommended ciphers. The recommended ciphers vary based on the hardware platform and support for older clients.
Use the up and down arrows to order the ciphers. NetScaler prefers the ciphers on top of the list, so the ciphers at the top of the list should be the most secure ciphers.
Click Create when done.

Strict Transport Security Rewrite Policy

To get an A+ at SSLLabs.com, you need to insert the Strict-Transport-Security HTTP header in the responses. NetScaler Rewrite Policy can do this.

Go to AppExpert > Rewrite, right-click Rewrite, and click Enable Feature.
Go to AppExpert > Rewrite > Actions.
On the right, click Add.
Name the action insert_STS_header or similar.
The Type should be INSERT_HTTP_HEADER.
The Header Name should be Strict-Transport-Security.
The Expression should be the following:
```
"max-age=157680000"
```
Click Create.
On the left, go to AppExpert > Rewrite > Policies.
On the right, click Add.
Name it insert_STS_header or similar.
Select the previously created Action.
In the Expression box, enter HTTP.REQ.IS_VALID.
Click Create.
Now you can bind this Rewrite Response policy to HTTP-based SSL vServers.
When editing an SSL vServer, if the Policies section doesn’t exist on the left, then add it from the Advanced Settings column on the right.
In the Policies section on the left, click the plus icon.
Select Rewrite > Response and click Continue.
Then select the STS Rewrite Policy and click Bind.

enable ns feature rewrite

add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""

add rewrite policy insert_STS_header true insert_STS_header

bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

Default SSL Profile

You can use SSL Profiles to package several SSL settings together and apply the settings package (Profile) to SSL vServers and SSL Services. These settings include: disable SSLv3, bind ciphers, bind ECC curves, etc.

There are default SSL Profiles, and there are custom SSL Profiles. The default SSL Profiles are disabled by default. Once the default SSL Profiles are enabled, the default setttings apply to all SSL vServers and all SSL Services, unless you bind a custom SSL Profile. Also, once default is enabled, it’s not possible to disable it.

If you enable the default SSL Profiles, then it’s not possible to configure SNI for backend (services and service groups).

To enable the Default SSL profiles:

Make sure you are connected to the appliance using http and not https.
Go to Traffic Management > SSL.
On the right, in the right column, click Change advanced SSL settings.
Near the bottom, check the box next to Enable Default Profile. Note: this will change SSL settings on all SSL Virtual Servers to match the default SSL profile. You might want to do this during a maintenance window. Click OK when done.
If you go back into Advanced SSL Settings, notice that the Default Profile is enabled and there’s no way to disable it.
To change the default SSL profile, on the left, go to System > Profiles.
On the right, switch to the SSL Profile tab.
Click the ellipsis next to the frontend or backend default profile and click Edit. Frontend = client-side connections to SSL vServers. Backend = server-side connections (SSL Services and Service Groups).
Or you can create a new custom SSL profile.
Notice that SSLv3 is disabled by default.
If you do any SSL Offload (SSL on the client side, HTTP on the server side) then you’ll need to edit the Basic Settings section and enable SSL Redirect. Or you can create a new SSL Profile with this option enabled. It’s near the bottom of the section. With this option enabled, any 301/302 redirects from the server with HTTP locations are rewritten to HTTPS locations. You might need this option for StoreFront load balancing if doing SSL Offload.
Scroll down to the SSL Ciphers section and click the pencil icon.
Click Remove All and click OK. You must click OK before binding the custom cipher group.
Click the pencil icon again.
Click Add.
Scroll down and select your custom cipher group. Then click the arrow to move it to the right. Then click OK.
Click OK when you see the No usable ciphers message. Then click Done to close the SSL Profile.
If you edit one of your SSL Virtual Servers (e.g. Load Balancing vServer), there’s an SSL Profile section indicating that the default profile is being used. You can change the binding to a different SSL Profile.
SSL Profiles do not include forcing Strict Transport Security. You’ll still need to create the STS Rewrite Policy and bind it to every SSL vServer as detailed in the next section.

Bind Certificate, Bind Cipher Group, Disable SSLv3, Enable STS

Whether you use SSL Profiles or not, you need to bind certificates and STS Rewrite Policy to every SSL vServer.

If you enabled the Default SSL Profiles feature, you can either leave it set to the Default SSL Profile; or you can change it to a Custom SSL Profile. Or you can bind an SSL Profile without enabling the Default SSL Profiles. If you don’t use the SSL Profiles feature, then you’ll need to manually configure ciphers and SSL settings on every SSL vServer.

Do the following on every SSL vServer:

When creating an SSL Virtual Server (e.g. SSL Load Balancing vServer), on the left, in the Certificates section, click where it says No Server Certificate.
Click where it says Click to select.
Select a certificate and click Select.

Click Bind.

bind ssl vserver MyvServer -certkeyName MyCert

If you want to bind a custom SSL Profile, if Default SSL Profile is enabled, in the SSL Profile section on the left, click the pencil icon.
If the SSL Profile section isn’t on the left, then on the right, in the Advanced Settings section, click SSL Profile
Select your custom SSL Profile and click OK.
If you didn’t bind an SSL Profile, on the left, in the SSL Parameters section, click the pencil icon.
Uncheck the box next to SSLv3. Make sure TLSv11 and TLSv12 are enabled. Click OK.
```
set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
```
If you didn’t bind an SSL Profile, scroll down to the SSL Ciphers section and click the pencil icon.
Click Remove All and click OK. You must click OK before binding the custom cipher group.
Click the pencil icon again.
Click Add.
Scroll down and select your custom cipher group. Then click the arrow to move it to the right. Then click OK.

Click OK when you see the No usable ciphers message.

unbind ssl vserver MyvServer -cipherName ALL
bind ssl vserver MyvServer -cipherName Modern

SSL Virtual Servers created on newer versions of NetScaler will automatically have ECC Curves bound to them. However, if this appliance was upgraded from an older version then the ECC Curves might not be bound. If you are not using SSL Profile, then on the right, in the Advanced Settings section, click ECC Curve.
On the left, in the ECC Curve section, click where it says No ECC Curve.
Click to select.
Choose ALL and click Select.

Click Bind.

bind ssl vserver MyvServer -eccCurveName ALL

If the Policies section doesn’t exist on the left, then add it from the Advanced Settings column on the right.
In the Policies section on the left, click the plus icon.
Select Rewrite > Response and click Continue.

Select the STS Rewrite Policy and click Bind.

bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

SSL Tests

After you’ve created an SSL Virtual Server, run the following tests:

Go to https://www.ssllabs.com/ssltest/ and check the security settings of the website.

SSL Redirect – SSL Load Balancing vServer Method

New in NetScaler 11.1, you can configure SSL Redirect directly in an SSL Load Balancing vServer (port 443) instead of creating a separate HTTP (port 80) Load Balancing vServer.

Limitations:

This is only an option for SSL Load Balancing vServers; it’s not configurable in Gateway vServers or Content Switching vServers.
Only one Redirect URL can be specified. Alternatively, the Responder method can handle multiple FQDNs to one VIP (e.g. wildcard certificate) and/or IP address URLs.

To configure an SSL Load Balancing vServer to redirect from HTTP to HTTPS:

Edit the SSL Load Balancing vServer (port 443).
In the Basic Settings section, click the pencil icon.
Click More.
In the Redirect from Port field, enter 80.
In the HTTPS Redirect URL field, enter https://MyFQDN. Click Continue twice.

SSL Redirect – Down vServer Method

If you created an SSL Virtual Server that only listens on SSL 443, then users must enter https:// when navigating to the website. To make it easier for the users, create another load balancing Virtual Server on the same VIP but listens on HTTP 80 and then redirects the user’s browser to reconnect on SSL 443.

The Down Virtual Server Method is easy, but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect.

To create the down Redirect Virtual Server:

On the left, under Traffic Management > Load Balancing, click Virtual Servers.
On the right, find an SSL Virtual Server you’ve already created, click the ellipsis next to it, and click Add. Doing it this way copies some of the data from the already created Virtual Server.
Or if you are redirecting NetScaler Gateway, create a new Load Balancing vServer with the same VIP as the Gateway.
Change the name to indicate that this new Virtual Server is an SSL Redirect.
Change the Protocol to HTTP on Port 80.
The IP Address should already be filled in. It must match the original SSL Virtual Server (or Gateway vServer). Click OK.
Don’t select any services. This vServer must intentionally be marked down so the redirect will take effect. Click Continue.
On the right, in the Advanced Settings column, click Protection.
In the Redirect URL field, enter the full URL including https://. For example: https://storefront.corp.com/Citrix/StoreWeb. Click OK.
Click Done.
When you view the SSL redirect Virtual Server in the list, it will have a state of DOWN. That’s OK. The Port 80 Virtual Server must be DOWN for this redirect method to work.

SSL Redirect – Responder Method

The Down Virtual Server Method is easy, but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect. This method requires the Redirect Virtual Server to be UP.

Create a dummy Load Balancing service. This dummy service can be bound to multiple Redirect Virtual Servers. Go to Traffic Management > Load Balancing > Services.
On the right, click Add.
Name it AlwaysUp or similar.
Use a loopback IP address (e.g. 127.0.0.1). After the service is created, it changes to a NetScaler-owned IP.
Click the More link.
This dummy service must always be UP so uncheck the box next to Health Monitoring. Click OK and then click Done.
```
add server 127.0.0.1 127.0.0.1
add service AlwaysUp 127.0.0.1 HTTP 80 -healthMonitor NO
```
On the left, expand AppExpert and click Responder.
If Responder is not enabled, right-click Responder and click Enable Feature.
```
enable ns feature RESPONDER
```
Under Responder, click Actions.
On the right, click Add.
Give the action a name.
Change the Type to Redirect.

Enter an expression. The following expression can be used by multiple Redirect Virtual Servers since it redirects to https on the same URL the user entered in the browser. Or you can create a Responder Action with a more specific Target. Click Create.

"https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE

add responder action http_to_ssl_redirect_responderact redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 302

On the left, under Responder, click Policies.
On the right, click Add.
Give the policy a name.
Select the previously created Responder action.

For the expression, enter the following. Then click Create.

HTTP.REQ.IS_VALID

add responder policy http_to_ssl_redirect_responderpol HTTP.REQ.IS_VALID http_to_ssl_redirect_responderact

Create a Load Balancing Virtual Server with Protocol HTTP and Port 80. The VIP should match an existing SSL Virtual Server or NetScaler Gateway Virtual Server.
Bind the AlwaysUp service and click Bind. Then click Continue.
On the right, in the Advanced Settings column, click Policies.
Click the plus icon in the top right of the Policies box.
Select Responder and click Continue.

Select the http_to_https Redirect Responder policy and click Bind. Then click Done.

add lb vserver MyvServer-HTTP-SSLRedirect HTTP 10.2.2.201 80

bind lb vserver storefront.corp.com-HTTP-SSLRedirect AlwaysUp

bind lb vserver storefront.corp.com-HTTP-SSLRedirect -policyName http_to_ssl_redirect_responderpol -priority 100 -gotoPriorityExpression END -type REQUEST

The primary advantage of this method is that the Redirect Virtual Server is UP.

↧

StoreFront Load Balancing – NetScaler 11.1

July 2, 2016, 4:47 am

≫ Next: Domain Controller (LDAPS) Load Balancing – NetScaler 11.1

≪ Previous: SSL Virtual Servers – NetScaler 11.1

Navigation

Monitor

Note: This is a Perl monitor, which uses the NSIP as the source IP.

On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
On the right, click Add.
Name it StoreFront or similar.
Change the Type drop-down to STORERONT.
If you will use SSL to communicate with the StoreFront servers, then scroll down and check the box next to Secure.
Scroll up and switch to the Special Parameters tab.
In the Store Name field, enter the name of your store (e.g. Store).

Click Create.

add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store

Servers

On the left, expand Traffic Management, expand Load Balancing, and click Servers.
On the right, click Add.
Enter a descriptive server name, usually it matches the actual server name.
Enter the IP address of the server.
Enter comments to describe the server. Click Create.

Continue adding StoreFront servers.

add server SF01 10.2.2.57
add server SF02 10.2.2.58

Service Group

On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
On the right, click Add.
Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SSL).
Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure that the StoreFront Monitor has Secure checked.
Scroll down and click OK.
Click where it says No Service Group Member.
If you did not create server objects then enter the IP address of a StoreFront Server. If you previously created a server object then change the selection to Server Based and select the server objects.
Enter 80 or 443 as the port. Then click Create.
Click OK.
On the right, under Advanced Settings , click Monitors.
Click where it says says No Service Group to Monitor Binding.
Click the arrow next to Click to select.
Select your StoreFront monitor and click Select.
Then click Bind.
To verify that the monitor is working, on the left, in the Service Group Members section, click the Service Group Members line.
Click the ellipsis next to a member and click Monitor Details.
The Last Response should be Success – Probe succeeded. Click Close twice.
On the right, under Advanced Settings, click Settings.
On the left, in the Settings section, check the box for Client IP and enter X-Forwarded-For as the Header. Then click OK.

Then click Done.

add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For

bind serviceGroup svcgrp-StoreFront-SSL SF01 443
bind serviceGroup svcgrp-StoreFront-SSL SF02 443
bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront

If the Service Group is http and you don’t have certificates installed on your StoreFront servers (aka SSL Offload) then you’ll need to enable loopback in StoreFront.
1. In StoreFront 3.5 and newer, you enable it in the GUI console.
2. In StoreFront 3.0, run the following commands on the StoreFront 3.0 servers as detailed at Citrix Blog Post What’s New in StoreFront 3.0.
```
& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp
```

Load Balancing Virtual Server

Create or install a certificate that will be used by the SSL Offload Virtual Server. This certificate must match the DNS name for the load balanced StoreFront servers. For email discovery in Citrix Receiver, the certificate must either be a wildcard (*.corp.local) or have a subject alternative name for discoverReceiver.domain.com (domain.com = email address suffix)
On the left, under Traffic Management > Load Balancing, click Virtual Servers.
On the right click Add.
Name it lbvip-StoreFront-SSL or similar.
Change the Protocol to SSL.
Specify a new internal VIP.
Enter 443 as the Port.

Click OK.

add lb vserver lbvip-StoreFront-SSL SSL 10.2.2.221 443 -persistenceType SOURCEIP -timeout 60

On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
Click the arrow next to Click to select.
Select your StoreFront Service Group and click Select.

Click Bind.

bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront-SSL

Click Continue.
Click where it says No Server Certificate.
Click the arrow next to Click to select.
Select the certificate for this StoreFront Load Balancing Virtual Server and click Select.

Click Bind.

bind ssl vserver lbvip-StoreFront-SSL -certkeyName WildCorpCom

Click Continue.
On the right, in the Advanced Settings column, click Persistence.
On the left, in the Persistence section, select SOURCEIP. Do NOT use COOKIEINSERT persistence or Android devices will not function correctly.
Set the timeout to match the timeout of Receiver for Web.
The IPv4 Netmask should default to 32 bits.
Click OK.
If the NetScaler communicates with the StoreFront servers using HTTP (aka SSL Offload – 443 on client-side, 80 on server-side), and if you have enabled the Default SSL Profile, then you’ll either need to edit the Default SSL Profile to include the SSL Redirect option, or create a new custom SSL Profile with the SSL Redirect option enabled, and then bind the custom SSL Profile to this vServer.
If the default SSL Profile is not enabled, then you’ll need to edit the SSL Parameters section on the vServer, and at the top right, check the box next to SSL Redirect. Otherwise the Receiver for Web page will never display.

set ssl vserver lbvip-StoreFront-SSL -sslRedirect ENABLED -ssl3 DISABLED

If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.

bind ssl vserver lbvip-StoreFront-SSL -certkeyName MyCert

set ssl vserver lbvip-StoreFront-SSL -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED

unbind ssl vserver lbvip-StoreFront-SSL -cipherName ALL

bind ssl vserver lbvip-StoreFront-SSL -cipherName Modern

bind ssl vserver lbvip-StoreFront-SSL -eccCurveName ALL

bind lb vserver lbvip-StoreFront-SSL -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

When connecting to StoreFront through load balancing, if you want to put the server name on the StoreFront webpage so you can identify the server, see Nicolas Ignoto Display server name with Citrix StoreFront 3.
Server name is displayed

SSL Redirect – SSL Load Balancing vServer Method

Users must enter https:// when navigating to the StoreFront website. To make it easier for the users, enable SSL Redirection.

This procedure details the SSL Load Balancing vServer method of performing an SSL redirect. An alternative is to use the Responder method.

On the left, under Traffic Management > Load Balancing, click Virtual Servers.
On the right, find the SSL Virtual Server you’ve already created, click the ellipsis next to it and click Edit.
In the Basic Settings section, click the pencil icon.
Click the More link.
In the Redirect from Port field, enter 80.
In the HTTPS Redirect URL field, enter your StoreFront Load Balancing URL (e.g. https://storefront.corp.com).

Scroll down and click Continue twice.

set lb vserver lbvip-StoreFront-SSL -redirectFromPort 80 -httpsRedirectUrl https://storefront.corp.com

This method does not add any new vServers to the list so it’s not easy to see if this is configured.

StoreFront Base URL

Create a DNS Host record that resolves to the new VIP.
The DNS name for StoreFront load balancing must be different than the DNS name for NetScaler Gateway. Unless you are following the Single FQDN procedure.
In the Citrix StoreFront console, right-click Server Group and click Change Base URL.
Enter the new Base URL in https://storefront.corp.com format. This must match the certificate that is installed on the load balancer. Click OK.

Subscription Replication Load Balancing

If you have multiple StoreFront clusters (separate datacenters), you might want to replicate subscriptions between them. StoreFront subscription replication uses TCP port 808. To provide High Availability for this service, load balance TCP port 808 on the StoreFront servers. See Configure subscription synchronization at Citrix Docs for more information.

On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
On the right, click Add.
Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SubRepl).
Change the Protocol to TCP.
Scroll down and click OK.
Click where it says No Service Group Member.
Change the selection to Server Based and select the StoreFront servers.
Enter 808 as the port. Then click Create.
Click OK.
On the right, under Advanced Settings, click Monitors.
On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.
Click the arrow next to Click to select.
Select the tcp monitor and click Select.

Then click Bind and click Done.

add serviceGroup svcgrp-StoreFront-FavRepl TCP
bind serviceGroup svcgrp-StoreFront-FavRepl SF01 808
bind serviceGroup svcgrp-StoreFront-FavRepl SF02 808

On the left, under Traffic Management > Load Balancing, click Virtual Servers.
On the right, click the ellipsis next to the existing StoreFront Load Balancing vServer, and click Add.
Name it lbvip-StoreFront-SubRepl or similar.
Change the Protocol to TCP.
Specify the same VIP that you used for SSL Load Balancing of StoreFront.
Enter 808 as the Port.
Click OK.
Click where it says No Load Balancing Virtual Server ServiceGroup Binding.
Click the arrow next to Click to select.
Select your StoreFront Subscription Replication Service Group and click Select.
Click Bind.
Click Continue.

Then click Done.

add lb vserver lbvip-StoreFront-FavRepl TCP 10.2.2.201 808 -persistenceType NONE

bind lb vserver lbvip-StoreFront-FavRepl svcgrp-SF-FavRepl

↧