NetScaler Management and Analytics System (MAS) 12.1

Last Modified: Jun 23, 2018 @ 6:51 am

Navigation

The older 12.0 version of NetScaler MAS is detailed in a different post.

💡 = Recently Updated

Change Log

Planning

Why MAS?

MAS enables every NetScaler administrator to achieve the following:

  • Alert notifications – Receive email alerts whenever something goes down. For example, if a Load Balancing service goes down, you can receive an email alert.
    • MAS can email you for any Major SNMP trap produced by any NetScaler appliance.
  • Automatically backup all NetScaler instances.
    • MAS can even transfer the backups to an external system, which is then backed up by a normal backup tool.
  • SSL Certificate Expiration – Alert you when SSL certificates are about to expire.
    • Show you all SSL certificates across all NetScaler appliances.
  • Configuration Record and Play – Use the Configuration Recorder to configure one NetScaler appliance, and then push out the same configuration changes to additional appliances. This is the easiest method of managing NetScaler appliances in multiple datacenters.
  • AppFlow Reporting – Receive ICA AppFlow traffic from NetScaler and show it in graphs.
    • Integrate MAS with Citrix Director so Help Desk can see the AppFlow data.

Everything listed above is completely free, so there’s no reason not to deploy MAS.

MAS Overview

For an overview of MAS, see Citrix’s YouTube video Citrix NetScaler MAS: Application visibility and control in the cloud.

Cloud vs on-prem

MAS is available both on-premises, and as a Cloud Service. For the Cloud Service, you import a MAS Agent appliance to an on-prem hypervisor, or deploy a MAS Agent to AWS or Azure. The MAS Agent is the broker between the Cloud Service and the on-prem (or cloud hosted) NetScaler appliances. For more info on the MAS Cloud Service, see the following:

The rest of this article focuses on the on-premises version, but much of it also applies to the Cloud Service.

On-premises MAS Licensing:

  • Instance management is free (unlimited). This includes Configuration Jobs, Instance Backups, Network Functions/Reporting. Basically everything in the Networks node is free.
  • Analytics and Application monitoring are free for up to 30 Virtual Servers (Load Balancing, NetScaler Gateway, Content Switching, etc.).
    • Beyond 30 Virtual Servers, licenses can be purchased in 100 Virtual Server packs. See NetScaler MAS Licensing at Citrix Docs.
    • You can control assignment of licenses to Virtual Servers.

MAS version – The version/build of NetScaler MAS must be the same or newer than the version/build of the NetScaler appliances being monitored. MAS 12.1 can monitor 12.0 and older appliances.

HDX Insight

HDX Insight Requirements (aka AppFlow Analytics for Citrix ICA traffic):

  • Your NetScaler appliance must be running Enterprise Edition or Platinum Edition.
  • NetScaler must be 10.1 or newer.
  • HDX Insight works with the following Receivers:
    • Receiver for Windows must be 3.4 or newer.
    • Receiver for Mac must be 11.8 or newer.
    • Receiver for Linux must be 13 or newer.
    • Notice no mobile Receivers. See the Citrix Receiver Feature Matrix for the latest details.
  • For ICA Session Reliability with AppFlow: NetScaler 10.5 build 54 and newer.
    • For ICA Session Reliability, AppFlow, and NetScaler High Availability: NetScaler 11.1 build 49 and newer.
  • AppFlow statistics are only generated when ICA traffic flows through a NetScaler. Internally, when a user clicks an icon from StoreFront, an ICA connection is established directly from Receiver to the VDA, thus bypassing the internal NetScaler. Here are some methods of getting ICA traffic to flow through an internal NetScaler:
  • For ICA round trip time calculations, in a Citrix Policy, enable the following settings:
    • ICA > End User Monitoring > ICA Round Trip Calculation
    • ICA > End User Monitoring > ICA Round Trip Calculation Interval
    • ICA > End User Monitoring > ICA Round Trip Calculation for Idle Connections
  • Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide contains the following contents:
    • Introduction
    • Prerequisites for Configuring HDX Insight
    • Troubleshooting
      • Issues Related to ICA parsing
      • Error Counter details
    • Checklist before Contacting Citrix Technical Support
    • Information to collect before Contacting Citrix Technical support
    • Known Issues

Citrix CTX204274 How ICA RTT is calculated on NetScaler Insight: ICA RTT constitutes the actual application delay. ICA_RTT = 1 + 2 + 3 + 4 +5 +6:

  1. Client OS introduced delay
  2. Client to NS introduced network delay (Wan Latency)
  3. NS introduced delay in processing client to NS traffic (Client Side Device Latency)
  4. NS introduced delay in processing NS to Server (XA/XD) traffic (Server Side Device Latency)
  5. NS to Server network delay (DC Latency)
  6. Server (XA/XD) OS introduced delay (Host Delay)

Multi-Datacenter Deployment Architecture

In a main datacenter, import two NetScaler MAS appliances into the same subnet and configure them as an HA pair with a Floating IP address.

In a DR datacenter, import a MAS appliance, and configure it to replicate with the main datacenter.

For NetScaler appliances in additional datacenters, import two MAS Agent appliances into each datacenter, and configure them as remote agents to the main datacenter. Two MAS Agents per datacenter enables HA. The virtual appliance for MAS Agent is different than the normal MAS appliance.

Import MAS Appliance

To import a MAS Appliance into vSphere, do the following. The same process is used for all types of MAS appliances in all datacenters.

  1. Download NetScaler MAS for ESX, and then extract the .zip file.
  2. In vSphere Web Client, right-click a cluster, and click Deploy OVF Template.
  3. In the Select an OVF Template page, select Local file, and browse to the NetScaler MAS .ovf files. If vCenter 6.5+, select all three files. Click Next.

  4. In the Select name and folder page, enter a name for the virtual machine, and select an inventory folder. Then click Next.
  5. In the Select a resource page, select a cluster or resource pool, and click Next.
  6. In the Review details page, click Next.
  7. In the Select storage page, select a datastore. Due to high IOPS, SSD or Flash is recommended.
  8. Change the virtual disk format to Thin Provision. Click Next.
  9. In the Select networks page, choose a valid port group, and click Finish.
  10. In the Ready to Complete page, click Finish.
  11. Before powering on the appliance, you can review its specs. Right-click the virtual machine, and click Edit Settings.
  12. Review the specs. Citrix Docs VMware ESXi Hardware Requirements has recommended specs.
  13. Citrix Docs How to Attach an Additional Disk to NetScaler MAS says that an additional disk must be added before initial deployment.
    • Use the MAS storage calculator to determine the recommended size of the disk. Ask your Citrix Partner for the tool.
    • The new disk must be larger than 120 GB.
    • In MAS 12.1, the new disk can be larger than 2 TB.
    • In MAS 12.1, the new disk can be grown later, and /mps/DiskPartitionTool.py can resize the partition, but only up to 2 TB. If you need more than 2 TB, the initial disk should be larger than 2 TB.
  14. Power on the Virtual Machine.

Appliance IP Address Configuration

  1. Open the console of the virtual machine.
  2. Configure an IP address.
  3. Enter 7 when done.

Second Disk

  1. Login as nsrecover/nsroot.
  2. Enter /mps/DiskPartitionTool.py

  3. Enter info to see that there are no existing partitions on the second disk.
  4. Enter create to create partitions on the second disk. A reboot is required.
  5. During the reboot, the database is moved to the second disk.
  6. After the reboot, the Disk Partition Tool info command shows the partition on the second disk.
  7. If you need to increase the size of the disk, reboot the MAS appliance so it detects the larger size. Then use the Disk Partition Tool resize command.

Deployment Modes

HA Pair in the Main Datacenter

First Node:

  1. Login as nsrecover/nsroot.
  2. Enter deployment_type.py.
  3. Enter 1 for NetScaler MAS Server.
  4. Enter no when prompted for NetScaler MAS Standalone deployment.
  5. For the First Server Node prompt, enter yes.
  6. Enter yes to Restart the system.

Second Node:

  1. Import another MAS appliance to the same subnet, and configure an IP address.
  2. If you added a second disk to the first MAS appliance, then you must add the same size second disk to the second MAS appliance.
  3. After configuring the new nodes’ IP address, login as nsrecover/nsroot.
  4. Enter deployment_type.py.
  5. Enter 1 for NetScaler MAS Server.
  6. Enter no when prompted for NetScaler MAS Standalone deployment.
  7. Enter no when prompted for First Server Node.
  8. Enter the IP address of the first MAS node.
  9. Enter the nsroot password of the first node. The default password is nsroot.
  10. Enter a new Floating IP address.
  11. Enter yes to restart the system.

Deploy HA Configuration:

  1. Point your browser to the first appliance’s IP address, and login as nsroot/nsroot.
  2. If you see CUXIP, either Skip or Enable the Customer User Experience Improvement Program.
  3. Click Get Started
  4. Select Two servers deployed in High Availability Mode, and click Next.
  5. You should see both nodes. At the top right, click the Deploy button.
  6. Click Yes when prompted to restart.
  7. After deployment, you can now use the Floating IP to manage the appliance.
  8. System > Deployment lets you see the HA nodes. Note: HA failover only occurs after three minutes of no heartbeats.
  9. On the top right is a HA Settings button that lets you change the Floating IP.

DR Node

  1. The main datacenter must have an HA pair of MAS appliances. Standalone in the main datacenter is not supported. However, the DR MAS appliance is standalone.
  2. Import another MAS appliance into a remote datacenter, and configure an IP address.
  3. If you added a second disk to the main datacenter MAS appliances, then you must add the same size second disk to the DR MAS appliance.
  4. After configuring the new nodes’ IP address, login as nsrecover/nsroot.
  5. Enter deployment_type.py.
  6. Enter 2 for Remote Disaster Recovery Node.
  7. Enter the Floating IP address of the HA pair in the main datacenter.
  8. Enter the nsroot password, which is nsroot by default.
  9. The DR node registers with the MAS HA Pair.
  10. Point your browser to the Floating IP Address and login.
  11. Go to System > System Administration.
  12. On the right, in the right column, click Disaster Recovery Settings.
  13. The Registered Recovery Node should already be filled in.
  14. Check the box next to Enable Disaster Recovery, and click Apply Settings.
  15. Click Yes to enable DR.
  16. A System Backup is performed and replicated to the DR appliance.
  17. Disaster Recovery is not automatic. See the manual DR procedure at at Citrix Docs.
    • /mps/scripts/pgsql/pgsql_restore_remote_backup.sh

MAS Agents

The virtual appliance for MAS Agent is different than the normal MAS appliance.

  1. Download the MAS Agent from the main MAS download page. Scroll down the page to find the MASAGENT images.
  2. Extract the downloaded .zip file.
  3. Import the .ovf to vSphere.

  4. Edit the settings of the virtual machine to see the allocated CPU and Memory.
  5. Power on the MAS Agent virtual machine.
  6. At the virtual machine’s console, configure an IP address.
  7. Login as nsrecover/nsroot.
  8. Run /mps/register_agent_onprem.py
  9. Enter the floating IP address of the main MAS HA Pair.
  10. Login to the MAS Floating IP.
  11. Go to Networks > Agents.
  12. On the right, select the MAS Agent, and then click Attach Site.
  13. In the Site drop-down, if you don’t see your site, then you can click the plus icon to create a new site.
  14. Enter a name, enter a search location, and click Get Location to get the coordinates. Click Create when done.
  15. Click Save to attach the site.
  16. For HA, import two MAS Agents into the same Site.

MAS Appliance Maintenance

Add Instances

NetScaler MAS must discover NetScaler instances before they can be managed. Citrix Docs How NetScaler MAS Discovers Instances.

  1. Once you’ve built all of the nodes, point your browser to the NetScaler MAS Floating IP address, and login as nsroot/nsroot.
  2. If you see the What is NetScaler Management and Analytics System screen, then click Get Started.
  3. Deployment should already be done, so click Next.
  4. On the Add New Instances page, click Add Instance near the top right.

  5. Enter the NSIP address of a NetScaler appliance.
  6. Click the pencil next to ns_nsroot_profile.
  7. Type in the nsroot password, and then scroll down.
  8. The NetScaler Profile defaults to using https for instance communication. You can change it by unchecking Use global settings for NetScaler communication.
  9. Enter an SNMP v3 Security Name that NetScaler MAS will configure on the appliance.
  10. Click OK.
  11. Select the Site for the instance. You can click the plus icon to create a Site.
  12. For remote sites, you can optionally choose a MAS Agent.
  13. Then click OK to add the instance.
  14. A progress window will appear.
  15. You can add more instances, or just click Finish.
  16. To add more instances later, click the top left hamburger icon, go to Networks > Instances > NetScaler ADC. On the right, select a tab (e.g. MPX), and then click Add.

  17. To edit, or create new Admin Profiles, go to Networks > Instances > NetScaler ADC, and on the right is a Profiles button.

NetScaler SDX

  1. At Networks > Instances > NetScaler ADC, on the SDX tab, you can click Add to discover a SDX appliance, and all VPXs on that SDX appliance. You don’t have to discover the VPXs separately.
  2. In the Add NetScaler SDX page, click the pencil icon next to the Profile Name drop-down to edit nssdx_default_profile. Or you can click the plus icon to create a new SDX Profile. Note: SDX profiles are different than VPX profiles.
  3. Enter the credentials for the SDX SVM Management Service.
  4. For NetScaler Profile, select an admin profile that has nsroot credentials for the VPX instances. After the VPXs are discovered, MAS uses the NetScaler Profile to login to each VPX. If you don’t have a VPX Admin Profile in your drop-down list, click the plus icon. Note: You can only select one NetScaler Profile. If each VPX instance has different nsroot credentials, you can fix it after SDX discovery has been performed. The NetScaler Profile is different than the SDX Profile.

    1. In the Create NetScaler Profile page, enter the nsroot credentials for the VPX instances, and then scroll down.
    2. Enter a new SNMP Security Name or Community String.
    3. Then click Create.
  5. Back in the Configure NetScaler SDX Profile page, enter a new Community string for the SDX SVM. This appears to be SNMP v2 only.
  6. You can uncheck the box for Use global settings for SDX communication, and change the protocol. Click OK when done.
  7. Back in the Add NetScaler SDX page, select a Site, and optionally an Agent.
  8. Click OK to start discovery.
  9. After discovery is complete, switch to the NetScaler VPX tab. You should automatically see the VPX instances.
  10. To specify the nsroot credentials for a VPX, right-click the VPX, and click Edit.

    1. In the Modify NetScaler VPX page, either select an existing Profile Name, or click the plus icon to create a new one. Click OK when done. It should start rediscovery automatically.
  11. After fixing the nsroot credentials, right-click the VPX instance, and click Configure SNMP. MAS will configure the VPX to send SNMP Traps to MAS.

Instance management

  • REST API proxy – NetScaler MAS can function as a REST API proxy server for its managed instances. Instead of sending API requests directly to the managed instances, REST API clients can send the API requests to NetScaler MAS. See Citrix CTX228449 NetScaler MAS as an API Proxy Server
  • NetScaler VPX Check-In/Check-Out Licensing – You can allocate VPX licenses to NetScaler VPX instances on demand from NetScaler MAS. The Licenses are stored and managed by NetScaler MAS, which has a licensing framework that provides scalable and automated license provisioning. A NetScaler VPX instance can check out the license from the NetScaler MAS when a NetScaler VPX instance is provisioned, or check back in its license to NetScaler MAS when an instance is removed or destroyed. See Citrix CTX228451 NetScaler VPX Check-In/Check-Out Licensing with NMAS

Licenses

Virtual Server License Packs

Without licenses, you can enable analytics features on only 30 Virtual Servers. You can install additional licenses in 100 Virtual Server packs. More info at NetScaler MAS Licensing at Citrix Docs.

  1. On the left, go to Networks > Licenses.
  2. On the right, notice the Host ID.
  3. At mycitrix.com, allocate your NetScaler MAS licenses to this Host ID.
  4. Then use the Browse button to upload the allocated license file.
  5. Click Finish after uploading the license file to apply it.
  6. The License Expiry Information section shows you the number of installed licenses and when they expire.
  7. You can use the Notification Settings section to email you when licenses are almost fully consumed or about to expire.
  8. If you don’t have an Email server setup yet, click the plus icon to create one.

Allocate licenses to Virtual Servers

You can manually unassign a MAS Virtual Server license and reassign it to a different Virtual Server.

  1. Go to Networks> Licenses > System Licenses to see the number of currently installed licenses, and the number of managed virtual servers.
  2. By default, Auto-select Virtual Servers is enabled. If you disable this setting, then the Click to select button appears.
  3. Click the Click to select button.
  4. The top right shows you the number of licensed Virtual Servers.
  5. In the left, select the type of Virtual Server you want to unlicense or license.
  6. On the Licensed tab, select one or more Virtual Servers, and click the Unlicense button. This returns licenses to the pool.
  7. Switch to the Unlicensed tab.
  8. Select a Virtual Server you want to license, and then click the License button.
  9. Click the blue back arrow when done.

Enable AppFlow / Insight

  1. Go to Networks > Instances > NetScaler ADC. On the right, switch to one of the instance type tabs (e.g. VPX).
  2. Select an instance, open the Select Action menu, and click Configure Analytics.
  3. At the top of the page are boxes you can check.
  4. In the Application List page, with Load Balancing selected in the View list, select your StoreFront load balancer, and then click Enable AppFlow. If you don’t see your Virtual Server in this list, then you need to assign a license.
  5. In the Enable AppFlow window, do the following:
    1. In the larger Expression box, type in true.
    2. For newer NetScaler appliances, change the Transport Mode selection to Logstream instead of IPFIX. Notice the firewall requirement for TCP port 5557.
    3. Select Web Insight.
    4. If App Firewall is enabled on the vServer, then also select Security Insight.
    5. Client Side Measurement injects JavaScript in HTTP responses to measure page load times and can sometimes cause problems in Receiver.
  6. Click OK.
  7. Use the View drop-down to select VPN.
  8. Right-click a NetScaler Gateway Virtual Server, and click Enable AppFlow.
  9. In the Enable AppFlow window, do the following:
    1. In the Select Expression drop-down, select true.
    2. For newer NetScaler appliances, change the Transport Mode to Logstream. Notice the firewall warning.
    3. Select both ICA and HTTP. The HTTP option is for Gateway Insight.
    4. The TCP option is for the second appliance in double-hop ICA. If you need double-hop, then you’ll also need to run set appflow param -connectionChaining ENABLED on both appliances. See Enabling Data Collection for NetScaler Gateway Appliances Deployed in Double-Hop Mode at Citrix Docs for more information.
  10. Click OK.
  11. By default, with AppFlow enabled, if a NetScaler High Availability pair fails over, all Citrix connections will drop, and users must reconnect manually. NetScaler 11.1 build 49 adds a new feature to replicate Session Reliability state between both HA nodes.
    1. From Session Reliability on NetScaler High Availability Pair at Citrix Docs: Enabling this feature will result in increased bandwidth consumption, which is due to ICA compression being turned off by the feature, and the extra traffic between the primary and secondary nodes to keep them in sync.
    2. On a NetScaler 11.1 build 49 and newer appliance, go to System > Settings.
    3. On the right, in the Settings section, click Change ICA Parameters.
    4. Check the box next to Session Reliability on HA Failover, and click OK.
  12. In a NetScaler 12 instance, at System > AppFlow > Collectors, you can see if the Collector (MAS) is up or not. However, NetScaler uses SNIP to verify connectivity, but AppFlow is sent using NSIP, so being DOWN doesn’t necessarily mean that AppFlow isn’t working. Citrix CTX227438 After NetScaler Upgrade to Release 12.0 State of AppFlow Collector Shows as DOWN.

  13. AppFlow for ICA (HDX Insight) information can be viewed in NetScaler MAS under the Analytics > HDX Insight node.

Citrix Blog Post – NetScaler Insight Center – Tips, Troubleshooting and Upgrade

Enable Syslog on Instance

MAS can configure NetScaler instances to send Syslog to MAS. Note: this might increase disk space consumption on the MAS appliances.

  1. Go to Networks > Instances > NetScaler ADC. On the right, select a tab..
  2. On the right, select an instance, open the Select Action drop-down, and click Configure Syslog.
  3. Uncheck All and check the other boxes. You probably don’t want Debug or None. Click OK.

MAS nsroot Password

Changing the nsroot password also changes the nsrecover password.

  1. In MAS, go to System > User Administration > Users.
  2. On the right, select the nsroot account, and click Edit.
  3. Check the box next to Change Password and enter a new password.
  4. You can also specify a session timeout by checking the box next to Configure Session Timeout.
  5. Click OK.

Management Certificate

The certificate to upload must already be in PEM format. If you have a .pfx, you must first convert it to PEM (separate certificate and key files). You can use a NetScaler to convert the .pfx, and then download the converted certificate from the appliance.

  1. Go to System > System Administration.
  2. On the right, in the Set Up NetScaler MAS section, click Install SSL Certificate.
  3. Click Choose File to browse to the PEM format certificate and key files. If the keyfile is encrypted, enter the password. Click OK.
  4. Click Yes to reboot the system.

System Configuration

  1. Go to System > System Administration.
  2. On the right, modify settings (e.g. Change Time Zone) as desired.

  3. Click Change System Settings.

    1. Check the box next to Enable Session Timeout, and specify a value.
    2. By default, at NetworksInstances > NetScaler ADC , if you click a blue IP address link, it opens the instance in a new web page, and logs in automatically using the nsroot credentials. If you want to force MAS users to login using non-nsroot credentials, in Modify System Settings, check the bottom box for Prompt Credentials for Instance Login.

    3. Click OK when done.
  4. Configure SSL Settings lets you disable TLS 1 and TLS 1.1.

    1. Click the Protocol Settings section in the Edit Settings section on the right side of the screen.
    2. On the left, uncheck TLSv1 and TLSv1.1. Then click OK and Close.
    3. A restart is required.

Prune Settings

  1. On the left are Prune Settings.
  2. System Prune Settings …

    1. Defaults to deleting System Events, Audit Logs, and Task Logs after 15 days. System events are generated by the MAS appliance, which is different than Instance events (SNMP traps) that are generated by NetScaler appliances.
    2. MAS can initiate a purge automatically as the database starts to get full.
    3. If you click the pencil next to the purge threshold value, you can configure an alarm for when the database gets full.

  3. To see the current database disk usage, go to System > Statistics.
  4. Instance Events prune Settings controls when instance SNMP traps are pruned, which defaults to 40 days.

  5. If you are sending Syslog from instances to MAS, Instance Syslog Purge Settings controls when the log entries are purged.

Backup Settings

  1. In the right column, under Backup Settings, are additional settings.
  2. System Backup Settings defines how many MAS backups you want to keep.

  3. Instance Backup Settings lets you configure how often the instances are backed up.

    1. You probably want to increase the number of instance backups, or decrease the backup interval.
    2. There is an option to perform a backup whenever the NetScaler configuration is saved.
    3. The Enable External Transfer checkbox lets you transfer the backups to an external system so it can be backed up by your backup tool.

Analytics Settings

  1. There are more settings at Analytics > Settings.
  2. ICA Session Timeout can be configured by clicking the link.

    • Two minutes of non-existent traffic must occur before the session is considered idle. Then this idle timer starts.
  3. You can configure how the App Score (Application Dashboard) is calculated.

  4. Analytics > Settings > Data Persistence lets you configure how long Analytics data is retained. Adjusting these values could dramatically increase disk space consumption. See CTX224238 How Do I Increase Granularity of Data Points Stored on NetScaler MAS Analytics?.

    • To see the current database disk usage, go to System > Statistics.

NTP Servers

  1. On the left, click System > NTP Servers.
  2. On the right, click Add.
  3. Enter an NTP server, and click Create.

  4. After adding NTP servers, click the NTP Synchronization button.
  5. Check the box next to Enable NTP Synchronization, and click OK.
  6. Click Yes to restart.

Syslog

This is for log entries generated by MAS, and not for log entries generated by instances.

  1. Go to System > Auditing > Syslog Servers.
  2. On the right, click Add.
  3. Enter the syslog server IP address, and select Log Levels. Click Create.
  4. You can click Syslog Parameters to change the timezone and date format.

System Email Notifications

  1. Go to System > Notifications > Email.
  2. On the right, on the Email Servers tab, click Add.
  3. Enter the SMTP server address, and click Create.
  4. On the right, switch to the Email Distribution List tab, and click Add.
  5. Enter an address for a destination distribution list, and click Create.
  6. On the left, click System > Notifications.
  7. On the right, click Change Notification Settings.
  8. Move notification categories (e.g. UserLogin) to the right.
  9. Check the box next to Send Email. Select a notification distribution list. Then click OK.

Authentication

  1. Go to System > Authentication > LDAP.
  2. On the right, click Add.
  3. This is configured identically to NetScaler. Enter a Load Balancing VIP for LDAP.
    1. Change the Security Type to SSL, and Port to 636. Scroll down.
    2. Enter the Base DN in LDAP format.
    3. Enter the bind account credentials.
    4. Check the box for Enable Change Password.
    5. Click Retrieve Attributes, and scroll down.
    6. For Server Logon Attribute, select sAMAccountName.
    7. For Group Attribute, select memberOf.
    8. For Sub Attribute Name, select cn.
    9. To prevent unauthorized users from logging in, configure a Search Filter. Scroll down.
    10. If desired, configure Nested Group Extraction.
  4. Click Create.
  5. On the left, go to System > User Administration > Groups.
  6. On the right, click Add.

    1. Enter the case sensitive name of your NetScaler Admins AD group.
    2. Move the admin Permission to the right.
    3. The Configure User Session Timeout checkbox lets you configure a session timeout.
    4. Click Next.
    5. On the Authorization Settings page, if you are delegating limited permissions, you can uncheck these boxes and delegate specific entities.
    6. Click Create Group.
    7. In the Assign Users page, click Finish. Group membership comes from LDAP, so there’s no need to add local users.
  7. On the left, go to System > User Administration.
  8. On the right, click User Lockout Configuration.
  9. If desired, check the box next to Enable User Lockout, and configure the maximum logon attempts. Click OK.
  10. On the left, go to System > Authentication.
  11. On the right, click Authentication Configuration.
  12. Change the Server Type to EXTERNAL, and click Insert.
  13. Select the LDAP server you created, and click OK.
  14. Make sure Enable fallback local authentication is checked, and click OK.

Analytics Thresholds

  1. Go to Analytics > Settings > Thresholds.
  2. On the right, click Add.
  3. Enter a name.
  4. Use the Traffic Type drop-down to select HDXWebSecurity, or APPANALYTICS.
  5. Use the Entity drop-down to select a category of alerts. What you choose here determines what’s available as Metrics when you click Add Rule.
    1. With HDX as the Traffic Type, to add multiple rules for multiple Entity types, simply change the Entity drop-down before adding a new rule.
    2. If the Traffic Type is HDX, and the Entity drop-down is set to Users, on the bottom in the Configure Geo Details section, you can restrict the rule so it only fires for users for a specific geographical location.

  6. In the Notification Settings section, check the box to Enable Treshold.
  7. Check the box to Notify through Email, and select an existing Email Distribution List.
  8. Click Create.

Private IP Blocks

You can define Geo locations for internal subnets.

  1. Go to Networks > Sites > IP Blocks.
  2. On the right, click Add.
  3. In the Create IP Blocks page:
    1. Enter a name for the subnet.
    2. Enter the starting and ending IP address.
    3. Select a Geo Location (Country, Region, City). As you change the fields, the coordinates are automatically filled in.
  4. Click Create.

Instance Email Alerts (SNMP Traps)

You can receive email alerts whenever a NetScaler appliance sends a critical SNMP trap.

  1. On the left, go to Networks > Events > Rules.
  2. On the right, click Add.
  3. Give the rule a name.
  4. Move Severity filters (e.g. Major, Critical) to the right by clicking the plus icon next to each Severity.
  5. While scrolling down, you can configure additional alert filters. Leaving them blank will alert you for all categories, objects, and instances.
  6. On the bottom of the page, in the Event Rule Actions section, click Add Action.
  7. In the Add Event Action page:
    1. Select an Action Type (e.g. Send e-mail Action).
    2. Select the recipients (or click the plus icon to add recipients).
    3. Optionally, enter a Subject and/or Message.
    4. Emails can be repeated by selecting Repeat Email Notification until the event is cleared.
  8. Click OK.
  9. Then click Create.
  10. See the Event Management section at MAS How-to articles at Citrix Docs.

Events Digest

MAS can email you a daily digest (PDF format) of system and instance events

To enable the daily digest:

  1. Go to System > Notifications.
  2. On the right, click Configure Event Digest Settings.
  3. Uncheck the box next to Disable Event Digest.
  4. Configure the other settings as desired, and click OK.

Director Integration

Integrating NetScaler MAS with Director adds Network tabs to Director’s Trends and Session Details views. Citrix Blog Post Configure Director with Netscaler Management & Analytics System (MAS)

Requirements:

  • XenApp/XenDesktop must be licensed for Platinum Edition. This is only required for the Director integration. Without Platinum, you can still access the HDX Insight data by going visiting the NetScaler MAS website.
  • Director must be 7.11 or newer for NetScaler MAS support.

To link Citrix Director with NetScaler MAS:

  1. On the Director server, run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /confignetscaler.
  2. Enter the NetScaler MAS nsroot credentials.
  3. If HTTPS Connection (recommended), the NetScaler MAS certificate must be valid and trusted by both the Director Server and the Director user’s browser.
  4. Enter 1 for NetScaler MAS.
  5. Do this on both Director servers.

Use NetScaler MAS

Networks

Everything under the Networks node is free.

At Networks > Instances, select an instance, and view its Dashboard.

MAS 12.1 adds a series of tabs to the Instance Dashboard.

Backups are available by selecting an instance, and clicking Backup/Restore.

Networks > Network Reporting lets you create Dashboards where you can view Instance performance data.

Networks > Network Reporting > Thresholds lets you create thresholds when counters cross a threshold. For example, you might want a notification when Throughput gets close to the licensed limit.

Configuration Record and Play

Use MAS to record a configuration change on one instance, and push to other instances.

  1. Go to Networks > Configuration Jobs.
  2. On the right, click Create Job.
  3. Change the Configuration Source drop-down to Record and Play.
  4. Change the Source Instance drop-down to the instance you want to record.
  5. Click Record.
  6. MAS opens the instance GUI. Make changes as desired.
  7. When done, go back to MAS, and click Stop.
  8. MAS retrieves the changed config.
  9. On the left, you’ll see the changed commands. Drag them to the right.
  10. On the right, you can change instance-specific values to variables by simply highlighting the values. This allows you to change the values for each instance you push this config to.
  11. Proceed through the rest of the Configuration Job wizard like normal. You’ll select instances, specify variable values for each instance, and schedule the job.

Dave Brett Automating Your Netscaler 11.1 Vserver Config Using Netscaler Management and Analytics System uses a Configuration Job to deploy StoreFront load balancing configuration to an instance.

Analytics and Applications

This functionality requires Virtual Server licenses, which can come from your built-in 30 free licenses.

The AppFlow Analysis tools (e.g. HDX Insight) are located under the Analytics node. See Viewing HDX Insight Reports and Metrics at Citrix Docs.

Applications > Dashboard automatically includes all licensed vServers in the Others section. On the top middle, click Define Custom App to group vServers together into an application. The grouped vServers are removed from the Others list.

Applications > Configurations > Stylebooks lets you use Stylebooks to create new NetScaler configurations.

There are built-in Stylebooks for Exchange, SharePoint, Oracle, ADFS, etc. Or you can create your own Stylebook and use it to create NetScaler configurations. For details, see Stylebooks at Citrix Docs.

The Applications Node has quite a bit of functionality. See Application Analytics and Management at Citrix Docs for details.

Link:

HDX Insight

HDX Insight Dashboard displays ICA session details including the following:

  • WAN Latency
  • DC Latency
  • RTT (round trip time)
  • Retransmits
  • Application Launch Duration
  • Client Type/Version
  • Bandwidth
  • Licenses in use

Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide contains the following contents:

  • Introduction
  • Prerequisites for Configuring HDX Insight
  • Troubleshooting
    • Issues Related to ICA parsing
    • Error Counter details
  • Checklist before Contacting Citrix Technical Support
  • Information to collect before Contacting Citrix Technical support
  • Known Issues

Gateway Insight

In the Analytics node is Gateway Insight.

This feature displays the following details:

  • Gateway connection failures due to failed EPA scans, failed authentication, failed SSON, or failed application launches.
  • Bandwidth and Bytes Consumed for ICA and other applications accessed through Gateway.
  • # of users
  • Session Modes (clientless, VPN, ICA)
  • Client Operating Systems
  • Client Browsers

More details at Gateway Insight at Citrix Docs.

Security Insight

The Security Insight dashboard uses data from Application Firewall to display Threat Index (criticality of attack), Safety Index (how securely NetScaler is configured), and Actionable Information. More info at Security Insight at Citrix Docs.

Troubleshooting

Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide: Syslog messages; Error counters; Troubleshooting checklist, Logs

Citrix CTX224502 NetScaler MAS Troubleshooting Guide

Upgrade NetScaler MAS

  1. You must upgrade to MAS 12.0 build 57.24 before you can upgrade to MAS 12.1. (Source = Before you upgrade at Citrix Docs)
  2. Download the latest Upgrade Package for NetScaler Management and Analytics System. You want the Upgrade Package, not a MAS image.
  3. Login to NetScaler MAS.
  4. Go to System > System Administration.
  5. On the right, in the right pane, click Upgrade NetScaler MAS.
  6. Browse to the build-mas-12.1…tgz Upgrade Package, and click OK.
  7. Click Yes to reboot the appliance.



  8. After it reboots, login. The new firmware version will be displayed by clicking your username in the top right corner.

8 thoughts on “NetScaler Management and Analytics System (MAS) 12.1”

  1. Thank you, Carl. I dug around the UI under Analytics / Web Insight and couldn’t find it, but navigating MAS is always a bit of a challenge for me. I am running 12.0 57.24 and not the latest 12.1. I may upgrade later today to see if there’s any additional utility or a different UI layout in the new version.

      1. thanks for prompt reply, any way you can set an example? I understand you are talking about filtering incoming raw log data and displaying it on the dashboard?

        1. The syslog viewer on MAS is at Networks > Events > Syslog Messages.

          Most of the MAS reporting functionality does not need Syslog. MAS tends to use AppFlow and SNMP Polling.

      2. Funny, I too was wondering about using MAS as a syslog server because MAS itself wasn’t giving me the information I hoped for: Reporting on TLS versions in use by clients. MAS seemingly provides only the TLS versions a Virtual Server has *enabled* for use. The closest I’ve found is a thread where you commented a couple years back:
        https://discussions.citrix.com/topic/381358-netscaler-clients-tls-version-reporting/

        Would you have any updated advice for the best way to determine TLS versions in use by clients so that we can figure out how to remove TLS 1.0/1.1? Is there something available in MAS and I’m just missing it? Or do I need to find a good syslog server and configure the NetScaler as mentioned in the link above? Anyway, thank you for this MAS article and all the others as I’ve used many of them extensively.

        1. If you enable Web Insight AppFlow on an SSL LB vServer, Web Insight Analytics should show you cipher usage.

Leave a Reply