Citrix Application Delivery Management (ADM) 12.1

Last Modified: Jun 17, 2020 @ 10:15 am

Navigation

The older 12.0 version of NetScaler MAS is detailed in a different post.

💡 = Recently Updated

Change Log

Planning

Why ADM?

Citrix Application Delivery Management (ADM), formerly known as NetScaler Management and Analytics System (MAS), enables every Citrix ADC (formerly known as NetScaler) administrator to achieve the following:

  • Alert notifications – Receive email alerts whenever something goes down. For example, if a Load Balancing service goes down, you can receive an email alert.
    • ADM can email you for any Major SNMP trap produced by any ADC appliance.
  • Automatically backup all Citrix ADC instances.
    • ADM can even transfer the backups to an external system, which is then backed up by a normal backup tool.
  • SSL Certificate Expiration – Alert you when SSL certificates are about to expire.
    • Show you all SSL certificates across all ADC appliances.
  • Configuration Record and Play – Use the Configuration Recorder to configure one ADC appliance, and then push out the same configuration changes to additional appliances. This is the easiest method of managing ADC appliances in multiple datacenters.
  • AppFlow Reporting – Receive ICA AppFlow traffic from ADC and show it in graphs.
    • Integrate ADM with Citrix Director so Help Desk can see the AppFlow data.

Everything listed above is completely free, so there’s no reason not to deploy ADM.

ADM Overview

For an overview of ADM, see Citrix’s YouTube video Citrix NetScaler MAS: Application visibility and control in the cloud.

Cloud vs on-prem

ADM is available both on-premises, and as a Cloud Service. For the Cloud Service, you import a ADM Agent appliance to an on-prem hypervisor, or deploy a ADM Agent to AWS or Azure. The ADM Agent is the broker between the Cloud Service and the on-prem (or cloud hosted) Citrix ADC appliances. For more info on the ADM Cloud Service, see the following:

The rest of this article focuses on the on-premises version, but much of it also applies to the Cloud Service.

On-premises ADM Licensing:

  • Instance management is free (unlimited). This includes Configuration Jobs, Instance Backups, Network Functions/Reporting. Basically everything in the Networks node is free.
  • Analytics and Application monitoring are free for up to 30 Virtual Servers (Load Balancing, Citrix Gateway, Content Switching, etc.).

ADM version – The version/build of Citrix ADM must be the same or newer than the version/build of the Citrix ADC appliances being monitored. ADM 12.1 can monitor 12.0 and older ADC appliances.

HDX Insight

See CTX239748 for a list of HDX Insight Quality Improvements in Citrix Gateway 12.1. These include:

  • NSAP protocol for reduced performance impact on ADC
  • EDT support

HDX Insight Requirements (aka AppFlow Analytics for Citrix ICA traffic):

  • Your ADC appliance must be running Enterprise Edition or Platinum Edition.
  • ADC must be 10.1 or newer.
  • HDX Insight works with the following Receivers:
    • Receiver for Windows must be 3.4 or newer. Or upgrade to Workspace app.
    • Receiver for Mac must be 11.8 or newer. Or upgrade to Workspace app.
    • Receiver for Linux must be 13 or newer. Or upgrade to Workspace app.
    • Notice no mobile Receivers. See the Citrix Receiver Feature Matrix for the latest details.
  • For ICA Session Reliability with AppFlow: NetScaler 10.5 build 54 and newer.
    • For ICA Session Reliability, AppFlow, and ADC High Availability: NetScaler 11.1 build 49 and newer.
  • For EDT (UDT-based ICA), Citrix ADC must be 12.1 build 49 or newer.
  • AppFlow statistics are only generated when ICA traffic flows through a Citrix Gateway. Internally, when a user clicks an icon from StoreFront, an ICA connection is established directly from Receiver to the VDA, thus bypassing the internal ADC. Here are some methods of getting ICA traffic to flow through an internal ADC:
  • A new Receiver / Workspace app Virtual Channel named NetScaler App Experience or NSAP can dramatically reduce the CPU needed on the ADC to process AppFlow. Details at Citrix Blog Post HDX Insight 2.0. NSAP requires the following:
    • VDA 7.17 or newer, including VDA 1903. VDA 7.15 (LTSR) does not include the NSAP functionality.
    • Workspace app or Receiver 4.10 and newer.
    • ADC 12.0 build 57.24 or newer, including ADC 12.1.
  • For ICA round trip time calculations, in a Citrix Policy, enable the following settings:
    • ICA > End User Monitoring > ICA Round Trip Calculation
    • ICA > End User Monitoring > ICA Round Trip Calculation Interval
    • ICA > End User Monitoring > ICA Round Trip Calculation for Idle Connections
  • Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide contains the following contents:
    • Introduction
    • Prerequisites for Configuring HDX Insight
    • Troubleshooting
      • Issues Related to ICA parsing
      • Error Counter details
    • Checklist before Contacting Citrix Technical Support
    • Information to collect before Contacting Citrix Technical support
    • Known Issues

Citrix CTX204274 How ICA RTT is calculated on NetScaler Insight: ICA RTT constitutes the actual application delay. ICA_RTT = 1 + 2 + 3 + 4 +5 +6:

  1. Client OS introduced delay
  2. Client to NS introduced network delay (Wan Latency)
  3. NS introduced delay in processing client to NS traffic (Client Side Device Latency)
  4. NS introduced delay in processing NS to Server (XA/XD) traffic (Server Side Device Latency)
  5. NS to Server network delay (DC Latency)
  6. Server (XA/XD) OS introduced delay (Host Delay)

Multi-Datacenter Deployment Architecture

In a main datacenter, import two Citrix ADM appliances into the same subnet and configure them as an HA pair with a Floating IP address.

In a DR datacenter, import a Citrix ADM appliance, and configure it to replicate with the main datacenter.

For Citrix ADC appliances in additional datacenters, import two ADM Agent appliances into each datacenter, and configure them as remote agents to the main datacenter. Two ADM Agents per datacenter enables HA. The virtual appliance for ADM Agent is different than the normal ADM appliance.

Import ADM Appliance

If you are upgrading an existing MAS, skip to the Upgrade section.

To import a ADM Appliance into vSphere, do the following. The same process is used for DR ADM appliance. The ADM Agent appliance is different from the normal ADM appliances that are detailed in this section.

  1. Go to the ADM 12.1 download page. Expand NetScaler MAS Release 12.1. Expand Product Software. Click the latest release of 12.1.
  2. Download the Citrix ADM image for ESX.
  3. Then extract the .zip file.
  4. In vSphere Web Client, right-click a cluster, and click Deploy OVF Template.
  5. In the Select an OVF Template page, select Local file, and browse to the Citrix ADM .ovf files. If vCenter 6.5+, select all three files. Click Next.

  6. In the Select name and folder page, enter a name for the virtual machine, and select an inventory folder. Then click Next.
  7. In the Select a resource page, select a cluster or resource pool, and click Next.
  8. In the Review details page, click Next.
  9. In the Select storage page, select a datastore. Due to high IOPS requirement, SSD or Flash is recommended.
  10. Change the virtual disk format to Thin Provision. Click Next.
  11. In the Select networks page, choose a valid port group, and click Finish.
  12. In the Ready to Complete page, click Finish.
  13. Before powering on the appliance, you can review its specs. Right-click the virtual machine, and click Edit Settings.
  14. Review the specs. Citrix Docs VMware ESXi Hardware Requirements has recommended specs.
  15. The OVF defaults to 8 vCPU and 32 GB of RAM.
  16. You can add a second hard disk at this time.
  17. Citrix Docs Attach an additional disk to Citrix ADM says that an additional disk must be added before initial deployment.
    • Use the ADM storage calculator to determine the recommended size of the disk. Ask your Citrix Partner for the tool.
    • The new disk must be larger than 120 GB.
    • In ADM 12.1, the new disk can be larger than 2 TB.
    • In ADM 12.1, the new disk can be grown later, and /mps/DiskPartitionTool.py can resize the partition, but only up to 2 TB. If you need more than 2 TB, the initial disk should be larger than 2 TB.
  18. Power on the Virtual Machine.

Appliance IP Address Configuration

  1. Open the console of the virtual machine.
  2. Configure IP address information.
  3. Enter 7 when done.

Second Disk

  1. SSH to the appliance and login as nsrecover/nsroot.
  2. Enter /mps/DiskPartitionTool.py

  3. Enter info to see that there are no existing partitions on the second disk.
  4. Enter create to create partitions on the second disk. A reboot is required.
  5. During the reboot, the database is moved to the second disk.
  6. After the reboot, the Disk Partition Tool info command shows the partition on the second disk.
  7. If you need to increase the size of the disk, reboot the ADM appliance so it detects the larger size. Then use the Disk Partition Tool resize command.

Deployment Modes

HA Pair in the Main Datacenter

First Node:

  1. SSH to the first node and login as nsrecover/nsroot.
  2. Enter deployment_type.py.
  3. Enter 1 for Citrix ADM Server.
  4. Enter no when prompted for Citrix ADM Standalone deployment.
  5. For the First Server Node prompt, enter yes.
  6. Enter yes to Restart the system.

Second Node:

  1. Import another ADM appliance to the same subnet, and configure an IP address.
    • Latency to the HA node must not exceed 10 ms.
    • The HA nodes must be on the same subnet.
  2. If you added a second disk to the first ADM appliance, then you must add the same size second disk to the second ADM appliance.
  3. Configure the new nodes’ IP address.
  4. SSH to the second appliance, login as nsrecover/nsroot, and run the Disk Partition tool.
  5. SSH to the second appliance, login as nsrecover/nsroot, and run deployment_type.py.
  6. Enter 1 for Citrix ADM Server.
  7. Enter no when prompted for Citrix ADM Standalone deployment.
  8. Enter no when prompted is this is First Server Node.
  9. Enter the IP address of the first MAS node.
  10. Enter the nsroot password of the first node. The default password is nsroot.
  11. Enter a new Floating IP address.
  12. Enter yes to restart the system.

Deploy HA Configuration:

  1. Point your browser to the first appliance’s IP address, and login as nsroot/nsroot.
  2. If you see Customer User Experience Improvement Program, click Enable, or click Skip.
  3. The System > Deployment page is displayed. In the top right, click Deploy.
  4. Click Yes to reboot.
  5. After deployment, you can now use the Floating IP to manage the appliance.
  6. After the reboot, login again. You’ll see a Wizard to add instances.

After the add instance wizard is complete, you can manage High Availability.

  1. System > Deployment lets you see the HA nodes.
  2. You can Force Failover from here. Note: HA failover only occurs after three minutes of no heartbeats.
  3. On the top right is a HA Settings button that lets you change the Floating IP.

DR Node

Requirements for the DR node:

  • The main datacenter must have an HA pair of ADM appliances. Standalone in the main datacenter is not supported.
  • Latency from the main datacenter HA pair to the DR node must not exceed 200 ms.

To configure a DR node:

  1. Import another ADM appliance into a remote datacenter, and configure an IP address.
  2. If you added a second disk to the main datacenter ADM appliances, then you must add the same size second disk to the DR ADM  appliance.
  3. After configuring the new nodes’ IP address, SSH to the DR appliance and login as nsrecover/nsroot.
  4. Enter deployment_type.py.
  5. Enter 2 for Remote Disaster Recovery Node.
  6. Enter the Floating IP address of the HA pair in the main datacenter.
  7. Enter the nsroot password, which is nsroot by default.
  8. The DR node registers with the MAS HA Pair.
  9. Point your browser to the Floating IP Address and login.
  10. Go to System > System Administration.
  11. On the right, in the right column, click Disaster Recovery Settings.
  12. The Registered Recovery Node should already be filled in.
  13. Check the box next to Enable Disaster Recovery, and click Apply Settings.
  14. Click Yes to enable DR.
  15. A System Backup is performed and replicated to the DR appliance.
  16. Disaster Recovery is not automatic. See the manual DR procedure at at Citrix Docs.
    • /mps/scripts/pgsql/pgsql_restore_remote_backup.sh

ADM Agents

The virtual appliance for ADM Agent is different than the normal ADM appliance.

  1. Download the ADM Agent from the main ADM download page. Scroll down the page to find the ADM Agent images. Note: The ADM Agent has a newer build number than the ADM image due to a security vulnerability.
  2. Extract the downloaded .zip file.
  3. Import the .ovf to vSphere.

  4. Edit the settings of the virtual machine to see the allocated CPU and Memory.
  5. Power on the ADM Agent virtual machine.
  6. At the virtual machine’s console, configure an IP address.
  7. Login as nsrecover/nsroot.
  8. Run /mps/register_agent_onprem.py
  9. Enter the floating IP address of the main ADM HA Pair. Enter nsroot credentials.
  10. The Agent will be registered and services restarted.
  11. Login to the ADM Floating IP.
  12. Go to Networks > Agents.
  13. On the right, select the ADM Agent, and then click Attach Site.
  14. In the Site drop-down, if you don’t see your site, then you can click the Add button to create a new site.
  15. Enter a name, enter a search location, and click Get Location to get the coordinates. Click Create when done.
  16. Click Save to attach the site.
  17. For HA, import two ADM Agents into the same Site.

ADM Appliance Maintenance

Add Instances

Citrix ADM must discover Citrix ADC instances before they can be managed. Citrix Docs How Citix ADM discovers instances.

  1. Once you’ve built all of the nodes, point your browser to the Citrix ADM Floating IP address, and login as nsroot/nsroot.
  2. Deployment should already be done, so click Next.
  3. On the Add New Instances page, click Add Instance near the top right.
  4. Enter the NSIP address of a Citrix ADC appliance.
    • CItrix ADM supports up to 400 ms latency to the instances.
  5. Click Edit next to ns_nsroot_profile.
  6. Check the box next to Change Password.
  7. Type in the nsroot password, and then scroll down.
  8. The Citrix ADC Profile defaults to using https for instance communication. You can change it by unchecking Use global settings for Citrix ADC communication.
  9. Click OK.
  10. Select the Site for the instance. You can click Add to create a Site.
  11. For remote sites, you can optionally choose a ADM Agent.
  12. Then click OK to add the instance.
  13. A progress window will appear. Click Close when complete.
  14. You can add more instances, or just click Next.
  15. In the Customer Identity page, make your choice, then click Next or Skip.
  16. In the Done page, click Finish.

To add more instances later:

  1. Click the top left hamburger icon.
  2. Go to Networks > Instances > Citrix ADC.
  3. On the right, select a tab (e.g. MPX), and then click Add.
  4. To edit, or create new Admin Profiles, go to Networks > Instances > Citrix ADC, and on the right is a Profiles button.

  5. ADM 12.1 build 49 and newer lets you assign Tags to instances. See How to create tags and assign to instances at Citrix Docs.

  6. You can then search instances based on the Tags.

Citrix ADC SDX

  1. At Networks > Instances > Citrix ADC, on the SDX tab, you can click Add to discover a SDX appliance, and all VPXs on that SDX appliance. You don’t have to discover the VPXs separately.
  2. In the Add Citrix ADC SDX page, click the Edit button next to the Profile Name drop-down to edit nssdx_default_profile. Or you can click the Add button to create a new SDX Profile. Note: SDX profiles are different than VPX profiles.
  3. Enter the credentials for the SDX SVM Management Service.
  4. For Citrix ADC Profile, select an admin profile that has nsroot credentials for the VPX instances. After the VPXs are discovered, ADM uses the ADC Profile to login to each VPX. If you don’t have a VPX Admin Profile in your drop-down list, click the Add button. Note: You can only select one ADC Profile. If each VPX instance has different nsroot credentials, you can fix it after SDX discovery has been performed. The ADC Profile is different than the SDX Profile.

    1. In the Create Citrix ADC Profile page, enter the nsroot credentials for the VPX instances, and then scroll down.
    2. Enter a new SNMP Security Name or Community String.
    3. Then click Create.
  5. Back in the Configure ADC SDX Profile page, enter a new Community string for the SDX SVM. This appears to be SNMP v2 only.
  6. You can uncheck the box for Use global settings for SDX communication, and change the protocol.
  7. Click OK when done.
  8. Back in the Add Citrix ADC SDX page, select a Site, and optionally an Agent.
  9. Click OK to start discovery.
  10. After discovery is complete, switch to the VPX tab. You should automatically see the VPX instances.
  11. To specify the nsroot credentials for a VPX, right-click the VPX, and click Edit.

    1. In the Modify Citrix ADC VPX page, either select an existing Profile Name, or click the Add button to create a new one. Click OK when done. It should start rediscovery automatically.
  12. After fixing the nsroot credentials, right-click the VPX instance, and click Configure SNMP. ADM will configure the VPX to send SNMP Traps to ADM.

Instance management

  • REST API proxy – Citrix ADM can function as a REST API proxy server for its managed instances. Instead of sending API requests directly to the managed instances, REST API clients can send the API requests to Citrix ADM. See Citrix CTX228449 NetScaler MAS as an API Proxy Server
  • Citrix ADC VPX Check-In/Check-Out Licensing – You can allocate VPX licenses to Citrix ADC instances on demand from Citrix ADM. The Licenses are stored and managed by Citrix ADM, which has a licensing framework that provides scalable and automated license provisioning. A Citrix ADC VPX instance can check out the license from the Citrix ADM when a Citrix ADC VPX instance is provisioned, or check back in its license to Citrix ADM when an instance is removed or destroyed. See Citrix CTX228451 NetScaler VPX Check-In/Check-Out Licensing with NMAS

Licenses

Virtual Server License Packs

Without licenses, you can enable analytics features on only 30 Virtual Servers. You can install additional licenses in 100 Virtual Server packs. More info at Licensing at Citrix Docs.

  1. On the left, go to Networks > Licenses.
  2. On the right, notice the Host ID.
  3. At mycitrix.com, allocate your Citrix ADM licenses to this Host ID.
  4. Then use the Browse button to upload the allocated license file.
  5. Click Finish after uploading the license file to apply it.
  6. The License Expiry Information section shows you the number of installed licenses and when they expire.
  7. You can use the Notification Settings section to email you when licenses are almost fully consumed or about to expire.
  8. If you don’t have an Email server setup yet, click the Add button to create one.

Allocate licenses to Virtual Servers

You can manually unassign an automatically-allocated ADM Virtual Server license and reassign it to a different Virtual Server.

  1. Go to Networks> Licenses > System Licenses to see the number of currently installed licenses, and the number of managed virtual servers.
  2. By default, Auto-select Virtual Servers is enabled. If you disable this setting, then the Click to select button appears.
  3. Click the Click to select button.
  4. The top right shows you the number of licensed Virtual Servers.
  5. In the left, select the type of Virtual Server you want to unlicense or license.
  6. On the right, the License Type column indicates if the Virtual Server is licensed or not.
  7. Select a Virtual Server you want to license, and then click the Apply Basic License button. Note: you might have to unlicense a different Virtual Server first.
  8. Click Close when done.

Enable AppFlow / Insight / Analytics

  1. Go to Networks > Instances > Citrix ADC.
  2. On the right, switch to one of the instance type tabs (e.g. VPX).
  3. Select an instance, open the Select Action menu, and click Configure Analytics.
  4. At the top of the page are boxes you can check.
  5. Down the page, in the Application List section, with Load Balancing selected in the View list, select your StoreFront load balancer, and then click Enable AppFlow. If you don’t see your Virtual Server in this list, then you first need to assign a Virtual Server License.
  6. In the Enable AppFlow window, do the following:
    1. In the larger Expression box, type in true.
    2. For newer ADC appliances, change the Transport Mode selection to Logstream instead of IPFIX. Notice the firewall requirement for TCP port 5557.
    3. Select Web Insight.
    4. If App Firewall is enabled on the vServer, then also select Security Insight.
    5. Client Side Measurement injects JavaScript in HTTP responses to measure page load times and can sometimes cause problems in Receiver / Workspace app.
  7. Click OK.
  8. Use the View drop-down to select Citrix Gateway.
  9. Right-click a Citrix Gateway Virtual Server, and click Enable AppFlow.
  10. In the Enable AppFlow window, do the following:
    1. In the Select Expression drop-down, select true.
    2. For newer ADC appliances, change the Transport Mode to Logstream. Notice the firewall warning.
    3. Select both ICA and HTTP. The HTTP option is for Gateway Insight.
    4. The TCP option is for the second appliance in double-hop ICA. If you need double-hop, then you’ll also need to run set appflow param -connectionChaining ENABLED on both appliances. See Enabling Data Collection for NetScaler Gateway Appliances Deployed in Double-Hop Mode at Citrix Docs for more information.
    5. The AppFlow processing impact on the ADC is much reduced if you run VDA 7.16 or newer (including VDA 1903), Workspace app or Receiver 4.10 and newer, and ADC 12.0 build 57.24 or newer (including NetScaler 12.1). VDA 7.15 (LTSR) does not include the new AppFlow NSAP functionality. Details at Citrix Blog Post HDX Insight 2.0.
  11. Click OK.
  12. Login to the Citrix ADC (not ADM), and go to System > Settings.
  13. On the right, click Configure Modes.
  14. If you are using LogStream, then make sure ULFD is checked. Click OK.

    enable mode ulfd
  15. On the right, click Change Global System Settings.
  16. Scroll down to ICA port(s) and enter 1494 and 2598. Click OK. (Source = Citrix Discussions)

    set ns param -icaPort 1494 2598
  17. On the right, click Change HTTP Parameters.
  18. At the top, add 80 and 443 to the Http Ports list. Click OK. (Source = Citrix Discussions)

    set ns param -httpPort 80 443
  19. By default, with AppFlow enabled, if a ADC High Availability pair fails over, all Citrix connections will drop, and users must reconnect manually. NetScaler 11.1 build 49 and newer have a feature to replicate Session Reliability state between both HA nodes.
    1. From Session Reliability on NetScaler High Availability Pair at Citrix Docs: Enabling this feature will result in increased bandwidth consumption, which is due to ICA compression being turned off by the feature, and the extra traffic between the primary and secondary nodes to keep them in sync.
    2. On a NetScaler 11.1 build 49 and newer ADC appliance, go to System > Settings.
    3. On the right, in the Settings section, click Change ICA Parameters.
    4. Check the box next to Session Reliability on HA Failover, and click OK.
  20. In a NetScaler 12 or newer instance, at System > AppFlow > Collectors, you can see if the Collector (ADM) is up or not. However, ADC uses SNIP to verify connectivity, but AppFlow is sent using NSIP, so being DOWN doesn’t necessarily mean that AppFlow isn’t working. Citrix CTX227438 After NetScaler Upgrade to Release 12.0 State of AppFlow Collector Shows as DOWN.

  21. On the ADM appliance, AppFlow for ICA (HDX Insight) information can be viewed MAS under the Analytics > HDX Insight node.

Citrix Blog Post – NetScaler Insight Center – Tips, Troubleshooting and Upgrade

Enable Syslog on Instance

ADM can configure ADC instances to send Syslog to ADM. Note: this will increase disk space consumption on the ADM appliances.

  1. Go to Networks > Instances > Citrix ADC. On the right, select a tab..
  2. On the right, select an instance, open the Select Action drop-down, and click Configure Syslog.
  3. Uncheck All and check the other boxes. You probably don’t want Debug or None. Click OK.

ADM nsroot Password

Changing the nsroot password also changes the nsrecover password.

  1. In ADM , go to System > User Administration > Users.
  2. On the right, select the nsroot account, and click Edit.
  3. Check the box next to Change Password and enter a new password.
  4. You can also specify a session timeout by checking the box next to Configure Session Timeout.
  5. Click OK.

Management Certificate

The certificate to upload must already be in PEM format. If you have a .pfx, you must first convert it to PEM (separate certificate and key files). You can use a ADC to convert the .pfx, and then download the converted certificate from the appliance.

  1. Go to System > System Administration.
  2. On the right, in the Set Up Citrix ADM section, click Install SSL Certificate.
  3. Click Choose File to browse to the PEM format certificate and key files. If the keyfile is encrypted, enter the password. Click OK.
  4. Click Yes to reboot the system.

System Configuration

  1. Go to System > System Administration.
  2. On the right, modify settings (e.g. Change System Time Zone) as desired.

  3. Click Change System Settings.

    1. Check the box next to Enable Session Timeout, and specify a value.
    2. By default, at NetworksInstances > Citrix ADC , if you click a blue IP address link, it opens the instance in a new web page, and logs in automatically using the nsroot credentials. If you want to force ADM users to login using non-nsroot credentials, in Modify System Settings, check the bottom box for Prompt Credentials for Instance Login.

    3. Click OK when done.
  4. Configure SSL Settings lets you disable TLS 1 and TLS 1.1.

    1. Click the Protocol Settings section in the Edit Settings section on the right side of the screen.
    2. On the left, uncheck TLSv1 and TLSv1.1. Then click OK and Close.
    3. A restart is required.

Message of the Day

In ADM 12.1 build 50 and newer, you can configure a Message of the day.

  1. In ADM, on the left, go to System > System Administration.
  2. On the right, in the System Settings section, click Configure message of the day.
  3. Enter a message and click OK.
  4. When you login to ADM, you’ll be shown the message.

Prune Settings

  1. At System > System Administration, on the left are Prune Settings.
  2. System Prune Settings …

    1. …defaults to deleting System Events, Audit Logs, and Task Logs after 15 days. System events are generated by the MAS appliance, which is different than Instance events (SNMP traps) that are generated by ADC appliances.
    2. MAS can initiate a purge automatically as the database starts to get full.
    3. If you click the pencil next to the purge threshold value, you can configure an alarm for when the database gets full.

  3. To see the current database disk usage, go to System > Statistics.
  4. Instance Events prune Settings controls when instance SNMP traps are pruned, which defaults to 40 days.

  5. If you are sending Syslog from instances to MAS, Instance Syslog Purge Settings controls when the log entries are purged.

Backup Settings

  1. In the right column, under Backup Settings, are additional settings.
  2. System Backup Settings defines how many MAS backups you want to keep.

  3. Instance Backup Settings lets you configure how often the instances are backed up.

    1. You probably want to increase the number of instance backups, or decrease the backup interval.
    2. There is an option to perform a backup whenever the ADC configuration is saved.
    3. The Enable External Transfer checkbox lets you transfer the backups to an external system so it can be backed up by your backup tool.

Analytics Settings

  1. There are more settings at Analytics > Settings.
  2. ICA Session Timeout can be configured by clicking the link.

    • If ADM doesn’t receive AppFlow records for a session, it will consider that session has got terminated in ADC and stops monitoring that session further. The time for which ADM needs to wait before considering a session terminated is ICA session timeout. This is configurable in ADM, by default it is set to 15 minutes. (source = Citrix Discussions)
  3. You can configure how the App Score (Application Dashboard) is calculated.

  4. Analytics > Settings > Data Persistence lets you configure how long Analytics data is retained. Adjusting these values could dramatically increase disk space consumption. See CTX224238 How Do I Increase Granularity of Data Points Stored on NetScaler MAS Analytics?.

    • To see the current database disk usage, go to System > Statistics.

NTP Servers

  1. On the left, click System > NTP Servers.
  2. On the right, click Add.
  3. Enter an NTP server, and click Create.

  4. After adding NTP servers, click the NTP Synchronization button.
  5. Check the box next to Enable NTP Synchronization, and click OK.
  6. Click Yes to restart.

Syslog

This is for log entries generated by ADM, and not for log entries generated by instances.

  1. Go to System > Auditing > Syslog Servers.
  2. On the right, click Add.
  3. Enter the syslog server IP address, and select Log Levels. Click Create.
  4. You can click Syslog Parameters to change the timezone and date format.

Email Notification Server

  1. Go to System > Notifications > Email.
  2. On the right, on the Email Servers tab, click Add.
  3. Enter the SMTP server address, and click Create.
  4. On the right, switch to the Email Distribution List tab, and click Add.
  5. Enter an address for a destination distribution list, and click Create.
  6. In ADM 12.1 build 49 and newer, you can highlight a Distribution List and click the Test button.


  7. On the left, click System > Notifications.
  8. On the right, click Change Notification Settings.
  9. Move notification categories (e.g. UserLogin) to the right.
  10. Check the box next to Send Email. Select a notification distribution list. Then click OK.

Authentication

  1. Go to System > Authentication > LDAP.
  2. On the right, click Add.
  3. This is configured identically to ADC.
    1. Enter a Load Balancing VIP for LDAP.
    2. Change the Security Type to SSL, and Port to 636. Scroll down.
    3. Enter the Base DN in LDAP format.
    4. Enter the bind account credentials.
    5. Check the box for Enable Change Password.
    6. Click Retrieve Attributes, and scroll down.
    7. For Server Logon Attribute, select sAMAccountName.
    8. For Group Attribute, select memberOf.
    9. For Sub Attribute Name, select cn.
    10. To prevent unauthorized users from logging in, configure a Search Filter. Scroll down.
    11. If desired, configure Nested Group Extraction.
  4. Click Create.
  5. On the left, go to System > User Administration > Groups.
  6. On the right, click Add.

    1. Enter the case sensitive name of your Citrix ADC Admins AD group.
    2. Move the admin Permission to the right.
    3. The Configure User Session Timeout checkbox lets you configure a session timeout.
    4. Click Next.
    5. On the Authorization Settings page, if you are delegating limited permissions, you can uncheck these boxes and delegate specific entities.
      • All DNS Domain Names (GSLB) is an option for Stylebooks in ADM 12.1 build 49 and newer.
    6. Click Create Group.
    7. In the Assign Users page, click Finish. Group membership comes from LDAP, so there’s no need to add local users.
  7. On the left, go to System > User Administration.
  8. On the right, click User Lockout Configuration.
  9. If desired, check the box next to Enable User Lockout, and configure the maximum logon attempts. Click OK.
  10. On the left, go to System > Authentication.
  11. On the right, click Authentication Configuration.
  12. Change the Server Type to EXTERNAL, and click Insert.
  13. Select the LDAP server you created, and click OK.
  14. Make sure Enable fallback local authentication is checked, and click OK.

Analytics Thresholds

  1. Go to Analytics > Settings > Thresholds.
  2. On the right, click Add.
  3. Enter a name.
  4. Use the Traffic Type drop-down to select HDXWEBSECURITY, or APPANALYTICS.
  5. Use the Entity drop-down to select a category of alerts. What you choose here determines what’s available as Metrics when you click Add Rule.
    1. With HDX as the Traffic Type, to add multiple rules for multiple Entity types, simply change the Entity drop-down before adding a new rule.
    2. If the Traffic Type is HDX, and the Entity drop-down is set to Users, on the bottom in the Configure Geo Details section, you can restrict the rule so it only fires for users for a specific geographical location.

  6. In the Notification Settings section, check the box to Enable Treshold.
  7. Check the box to Notify through Email, and select an existing Email Distribution List.
  8. Click Create.

Private IP Blocks

You can define Geo locations for internal subnets.

  1. Go to Analytics > Settings > IP Blocks.
  2. On the right, click Add.
  3. In the Create IP Blocks page:
    1. Enter a name for the subnet.
    2. Enter the starting and ending IP address.
    3. Select a Geo Location (Country, Region, City). As you change the fields, the coordinates are automatically filled in.
  4. Click Create.

Instance Email Alerts (SNMP Traps)

You can receive email alerts whenever a ADC appliance sends a critical SNMP trap.

  1. On the left, go to Networks > Events > Rules.
  2. On the right, click Add.
  3. Give the rule a name.
  4. Move Severity filters (e.g. Major, Critical) to the right by clicking the plus icon next to each Severity.
  5. While scrolling down, you can configure additional alert filters. Leaving them blank will alert you for all categories, objects, and instances.
  6. On the bottom of the page, in the Event Rule Actions section, click Add Action.
  7. In the Add Event Action page:
    1. Select an Action Type (e.g. Send e-mail Action).
    2. Select the recipients (or click the Add button to add recipients).
    3. Optionally, enter a Subject and/or Message.
    4. In ADM 12.1 build 49 and newer, if you enter a Subject, you can check Prefix severity, category, and failure object information to the custom email subject.
    5. Emails can be repeated by selecting Repeat Email Notification until the event is cleared.
  8. Click OK.
  9. Then click Create.
  10. See the Event Management section at All how to articles at Citrix Docs.

Events Digest

ADM can email you a daily digest (PDF format) of system and instance events

To enable the daily digest:

  1. Go to System > Notifications.
  2. On the right, click Configure Event Digest Settings.
  3. Uncheck the box next to Disable Event Digest.
  4. Configure the other settings as desired, and click OK.

Director Integration

Integrating Citrix ADM with Director adds Network tabs to Director’s Trends and Session Details views. Citrix Blog Post Configure Director with Netscaler Management & Analytics System (MAS)

Requirements:

  • Citrix Virtual Apps and Desktops (CVAD) must be licensed for Platinum Edition. This is only required for the Director integration. Without Platinum, you can still access the HDX Insight data by going visiting the Citrix ADM website.
  • Director must be 7.11 or newer for Citrix ADM support.

To link Citrix Director with Citrix ADM:

  1. On the Director server, run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /confignetscaler.
  2. Enter the Citrix ADM nsroot credentials.
  3. If HTTPS Connection (recommended), the Citrix ADM certificate must be valid and trusted by both the Director Server and the Director user’s browser.
  4. Enter 1 for Citrix ADM (aka MAS).
  5. Do this on both Director servers.

Use Citrix ADM

Networks

Everything under the Networks node is free.

At Networks > Instances, select an instance, and view its Dashboard.

ADM 12.1 adds a series of tabs to the Instance Dashboard.

Backups are available by selecting an instance, and clicking Backup/Restore.

Infrastructure Analytics. The ADM Cloud Service has an Infrastructure Analytics node under the Networks node. For details, see Infrastructure Analytics at Citrix Docs.

  • On the right, if you click the gear icon above the table, then the right panel changes to the Settings Panel instead of the Summary Panel. In the right panel, you can then switch to the tab named Score Thresholds to adjust how Infrastructure Analytics scores instance CPU, Memory, Disk, etc.
  • You can click the Circle Pack button to change to the Circle Pack view.

Networks > Network Reporting lets you create Dashboards where you can view Instance performance data.

Networks > Network Reporting > Thresholds lets you create thresholds when counters cross a threshold. For example, you might want a notification when Throughput gets close to the licensed limit.

Configuration Record and Play

Use ADM to record a configuration change on one instance, and push to other instances.

  1. Go to Networks > Configuration Jobs.
  2. On the right, click Create Job.
  3. Change the Configuration Source drop-down to Record and Play.
  4. Change the Source Instance drop-down to the instance you want to record.
  5. Click Record.
  6. ADM opens the instance GUI. Make changes as desired.
  7. When done, go back to ADC, and click Stop.
  8. ADC retrieves the changed config.
  9. On the left, you’ll see the changed commands. Drag them to the right.
  10. On the right, you can change instance-specific values to variables by simply highlighting the values. This allows you to change the values for each instance you push this config to.
  11. Proceed through the rest of the Configuration Job wizard like normal. You’ll select instances, specify variable values for each instance, and schedule the job.

Dave Brett Automating Your Netscaler 11.1 Vserver Config Using Netscaler Management and Analytics System uses a Configuration Job to deploy StoreFront load balancing configuration to an instance.

Analytics and Applications

This functionality requires Virtual Server licenses, which can come from your built-in 30 free licenses.

The AppFlow Analysis tools (e.g. HDX Insight) are located under the Analytics node. See Viewing HDX Insight Reports and Metrics at Citrix Docs.

Applications > Dashboard automatically includes all licensed Virtual Servers in the Others section. On the top middle, click Define Custom App to group Virtual Servers together into an application. The grouped Virtual Servers are removed from the Others list.

Applications > Configurations > Stylebooks lets you use Stylebooks to create new ADC configurations.

There are built-in Stylebooks for Exchange, SharePoint, Oracle, ADFS, etc. Or you can create your own Stylebook and use it to create ADC configurations. For details, see Stylebooks at Citrix Docs.

The Applications Node has quite a bit of functionality. See Application Analytics and Management at Citrix Docs for details.

Link:

HDX Insight

HDX Insight Dashboard displays ICA session details including the following:

  • WAN Latency
  • DC Latency
  • RTT (round trip time)
  • Retransmits
  • Application Launch Duration
  • Client Type/Version
  • Bandwidth
  • Licenses in use

Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide contains the following contents:

  • Introduction
  • Prerequisites for Configuring HDX Insight
  • Troubleshooting
    • Issues Related to ICA parsing
    • Error Counter details
  • Checklist before Contacting Citrix Technical Support
  • Information to collect before Contacting Citrix Technical support
  • Known Issues

Gateway Insight

In the Analytics node is Gateway Insight.

This feature displays the following details:

  • Gateway connection failures due to failed EPA scans, failed authentication, failed SSON, or failed application launches.
  • Bandwidth and Bytes Consumed for ICA and other applications accessed through Gateway.
  • # of users
  • Session Modes (clientless, VPN, ICA)
  • Client Operating Systems
  • Client Browsers

More details at Gateway Insight at Citrix Docs.

Security Insight

The Security Insight dashboard uses data from Application Firewall to display Threat Index (criticality of attack), Safety Index (how securely ADC is configured), and Actionable Information. More info at Security Insight at Citrix Docs.

Troubleshooting

Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide: Syslog messages; Error counters; Troubleshooting checklist, Logs

Citrix CTX224502 NetScaler MAS Troubleshooting Guide

Upgrade Citrix ADM

  1. For MAS 12.0 build 56 and older, you must upgrade to MAS 12.0 build 57.24 before you can upgrade to ADM 12.1. (Source = Before you upgrade at Citrix Docs)
  2. Download the latest Citrix Application Delivery Management (NetScaler MAS) Upgrade Package. You want the ADM Upgrade Package, not a ADM image. It’s around halfway down the page.
  3. Login to Citrix ADM Floating IP or Active Node. Upgrading the Active Node automatically upgrades the Passive Node.
  4. Go to System > Deployment and make sure both nodes are online and replicating.
  5. Go to System > System Administration.
  6. On the right, in the right pane, click Upgrade Citrix ADM.
  7. Browse to the build-mas-12.1…tgz Upgrade Package, and click OK. The file name starts with build-mas-12.1.
  8. Click Yes to reboot the appliance.



  9. After it reboots, login.
  10. If you upgraded from a version older than 12.1 build 50 to a version 12.1 build 50 or newer, you might be prompted to Configure Customer Identity. Make your choice.

    • You can return to the Configure Customer Identity screen by clicking the cloud icon next to your username at the top right of the page.
  11. The new firmware version will be displayed by clicking your username in the top right corner.

Upgrade Disaster Recovery Node

After you upgrade the HA pair in the primary datacenter, you can upgrade the DR node.

  1. Use WinSCP or similar to connect to the DR node using the nsrecover credentials.
  2. On the ADM DR node, navigate to /var/mps/mps_images.
  3. Create a new Directory with the same name as the 12.1 build number. Then double-click the new directory to open it.

  4. Upload the file named build-mas-12.1-##.##.tgz to the version-specific directory. This is the regular ADM upgrade file with a name starting with build-mas-12.1. It’s not the Agent upgrade file.
  5. SSH (Putty) to the DR node and login as nsrecover.
  6. Enter the following. Replace the # with the version number.
    cd /var/mps/mps_images/12.1.##.##
    tar xvzf build-mas-12.1-##.##.tgz

  7. Then enter the following. The appliance will reboot automatically.
    ./installmas

  8. After the reboot, the file /var/mps/log/install_state
  9. …shows you the installed version.

Upgrade ADM Agents

After you upgrade the ADM HA pair in the primary datacenter, and after you upgrade the DR node, you can then upgrade the ADM Agents.

  1. From the ADM 12.1 download page, at the bottom of the page, download the ADM Agent Upgrade Package. This Agent Upgrade file is different than the regular ADM upgrade file. And it is different than the files to deploy a new Agent. Find it at the bottom of the downloads page. Note that Citrix updated the ADM Agent firmware to build 50.33 or higher to resolve a security vulnerability.
  2. Use WinSCP or similar to connect to the ADM Agent using the nsrecover credentials.
  3. On the ADM Agent, navigate to /var/mps/mps_images.
  4. Create a new Directory with the same name as the 12.1 build number. Then double-click the new directory to open it.

  5. Upload the file named build-masagent-12.1-##.##.tgz to the version-specific directory. This is the ADM Agent upgrade file, and not the regular ADM upgrade file.
  6. SSH (Putty) to the ADM Agent and login as nsrecover.
  7. Enter the following. Replace the # with the version number.
    cd /var/mps/mps_images/12.1.##.##
    tar xvzf build-masagent-12.1-##.##.tgz

  8. Then enter the following. The appliance will reboot automatically.
    ./installmasagent

  9. After the reboot, the file /var/mps/log/install_state
  10. …shows you the installed version.
  11. Repeat for any additional ADM Agents.
  12. If you login to ADM and go to Networks > Agents, you should see the new Version. It will take several minutes for the version number to update.

59 thoughts on “Citrix Application Delivery Management (ADM) 12.1”

  1. Hello, I have internal CA’s for a Customer, and I am unable to get the Site to come up with the Certificate installed. I believe I have to get the Intermediate Certs installed on the ADM, but there is no where to do so?

    1. Try combining them into a single file. I’m not sure which order they need to be in. The certificate file must be PEM format.

  2. Hello again Carl, have you ever seen Citrix ADM enabled with HDX insights using IPFIX causes latency issues with users who have poor internet connection? We have had to disable analytics as it caused a slow down for users. Can’t seem to find much in regards to over heads when using IPFIX. Thanks

  3. HI Carl,
    We have recently upgraded Citrix ADC from 12.0 to 12.1 58.15 version and post which for oauth authentication, users are getting below error
    Error trying to validate Access Token. Please contact your administrator

    We have rebooted the device and checked with BW utilization and we are good with it. But not sure what causing this issue.

    Could you please advise on this?

  4. Hello Carl,
    I have newly installed citrix ADM as per above procedure, but I am getting connection refused when I try to access ADM through GUI. Command line looks good but GUI is not accessible. Can you please suggest me on this?

  5. Hi Carl. I’ve been looking on the Citrix Docs site for the steps to failback ADM to the HA pair after DR has been instigated via the script /mps/scripts/pgsql/pgsql_restore_remote_backup.sh.

    No docs seem to exist for this. Have you ever come across this info? I’ll ask Citrix Support if it’s not already known.

    Thanks

    1. I assume the DR node is now primary, which means you can add a HA node to the DR site and reconfigure one of the former nodes as a DR node.

      1. Thanks, Carl. I thought that might be a logical step.

        However, the DR node is a single one in another datacentre so the process would require adding another VM in the DR site, then setting up HA and converting an old HA node back in the other data centre for use as DR node. All seems a bit long winded ;-).

        I’d have thought Citrix would have documented this one :-(.

        1. Opened a case with Citrix on this last year. They have no procedure to revert after DR. They suggest restore from backup like that would help. Perhaps bring up original site as DR. Declare another DR making it primary, then do HA. Poorly thought out by Citrix.

          1. Wow! Very poorly thought out you’re right! Thanks for the info though. I may touch base with them to see if they have updated the process.

      1. Excellent. Thanks, Carl.

        Interesting timing! I had just raised a call with Citrix and they were getting back to me :-).

        1. Just had a document from Citrix Support with a procedure for 12.1. It differs to the reversion process for 13.0 and is much the same as Carl indicated on the initial reply above.

          Essentially you have to set up HA in DR, set up DR in the primary site, instigate DR then create HA again in primary before resetting old DR back in place. Convoluted for sure!!

          Makes version 13.0 upgrade sound like a good idea though :-).

  6. Hi Carl,

    Thanks so much this article.
    I’ve tried to test the alerts and it was working well.

    I try to use nsroot user and disable on service and it reaches to ADC administrators.
    But when I try to use other admin user(not nsroot) when disabling a service it does not notify the Administrator via email. What shoud I do? Thanks Carl! 🙂

    Regards

  7. Hi Carl,

    I’ve added our ADC VPX instance to ADM as per your instructions and everything seems to be working okay. The problem is that ADC is sending SNMP traps to ADM via SNMPv2 and that is a security problem here. So I would need to change the SNMP traps to SNMPv3. I guess the ADM configures the SNMP settings on ADC when the instance is added to ADM?

    If I look at the settings on ADC: System -> SNMP -> Traps there is no way to change the Version from V2 to V3 on traps configured to be sent to ADM.

    If I look at the settings on ADM: Networks -> Instances -> Citrix ADC -> Select the instance -> Edit -> Profile Name -> Edit -> SNMP I cannot change the SNMP version either.

    So what are the steps I need to take in order to change the SNMP traps to version 3?

    Do I need to completely remove the ADC instance from ADM and add it again, and while adding it again, create a new profile (not use ns_nsroot_profile) in which I set the SNMP to version 3?

    Or can I just add a new profile to existing instance, and set SNMPv3 on that, and the ADM makes the necessary changes also to ADC?

    Or should I just create new traps to ADC and remove the old ones? If I do this, do I need to configure something on ADM side, like SNMP User?

    Any help would be much appreciated!

    1. Definitely a new profile with v3 settings. Then Edit the instance in ADM and select the new profile. Afterwards, right-click the instance, click Configure SNMP, uncheck it, then re-check it to force SNMP to be setup again.

  8. Hi Carl.

    I recently posted on Citrix Discussions about a WAL Sync issue with HA and DR for ADM. No-one has responded however, so I wondered if any advice?

    Message in the logs is as follows:

    RemoteSystemBackupFailure – WAL file is out of sync with remote node, lag(in MB) is XXX
    (the XXX is a number that differs depending on how much the sync is out)

    Is this message supposed to clear? The value of MB has not changed for days now and there is another “clear” message to say that “File Sync to Disaster Recovery Node success”. So I think all is fine. But I’m not certain.

    Full post here:
    https://discussions.citrix.com/topic/402978-citrix-adm-disaster-recovery-node-remotesystembackupfailure-wal-file-is-out-of-sync-with-remote-node/

    Hope you can help,

    Daren

  9. Is it possible for the ADM to be the ‘collector’ for all SNMP v3 traps for NetScalers and the sole point of feed to an SNMP v3 listener? Just curious if this is possible or would all NetScalers need to feed to the listener directly?

    Thanks in advance.

    1. Instances can send SNMP Traps to ADM. Then you can configure ADM event rules to send SNMP traps to other SNMP systems.

      1. Thanks, Carl. So does ADM do this natively with the NetScalers which are being monitored by ADM, or do I need to configure SNMP to the ADM from each NetScaler?

          1. That works very well for v2, thank you for the direction. But I see no way for this to work using v3 SNMP. Would you know if this is a limitation of ADM?

          2. On ADM, when you create an Admin Profile, there’s an option for SNMP v3. You then specify the Admin Profile when performing discovery of an ADC instance.

  10. Is there a way to install an intermediate cert on the NMAS/ADM appliance? I’ve successfully installed the server cert on the NMAS box, and I have successfully assigned and linked server certs and intermediate certs on my MPXes, but I can’t find anywhere to install/assign an intermediate cert on ADM itself, so it’s still throwing cert errors in the browser.

    Attempting to install the intermediate cert via “System Administration > Install SSL Certificate” results in an unrecoverable situation.

    Thanks in advance.

    1. For PEM certificates, I think you can put both certificates in the same file. Server certificate on top, and intermediate certificate below it.

      1. I tried that with PEM certificates today, but the ADM system only seems to recognize the server certificate. I’ll keep looking for other ways to combine them. Thanks for your help.

  11. Hi Carl can Citrix ADM (NetScaler MAS) monitor certificates expiration other than just NetScaler’s? Can it monitor certificates expiration for 3rd party systems and/or across the organization?

  12. Hi Carl,

    For the SDX, if all the instances are discovered separately does this mean that the MAS only talks the the SDX and hosted VPXs though the SVM (Management Service) IP? I’ve been looking at the ports for MAS https://support.citrix.com/article/CTX101810#NetScaler_MAS and it doesn’t say anything about SDX specifically. It sounds from your explanation that we don’t need to worry about the firewall ports for the hosted VPXs as it all works via the SDX profile.

    Thanks,

    1. When it discovers SDX, it can see the VPXs on that SDX. Then it connects to each of the VPXs to do normal ADC discovery. The SDX credentials and the VPX credentials can be different. And different VPXs can have different VPX credentials.

  13. Carl
    We Route ICA traffic (TCP/UDP 1494 and TCP/UDP 2598) through a Netscale SNIP, and then it points to storefront yhet routes it to the VDAs.

    Will ADM collect the hdx data like this for the internal users?

  14. Hello Carl, thx for your great Docs.

    we are unable to setup LDAP authentication and we see the the BindDN Password Checkbox in the “Configure LDAP Server” always lost the password after pressing ok.

    thx for your help

    1. I believe it’s normal for the password to no longer be shown. But that does mean it’s not working? You can SSH to MAS/ADM, and then run “cat /tmp/aaad.debug” to see what’s happening during authentication.

      1. the following happens:

        /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/ldap_drv.c[770]: receive_ldap_user_search_event 0-8: User search succeeded, attempting user authentication(Bind) for
        Thu Dec 6 09:19:25 2018
        /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/naaad.c[5013]: register_timer 0-8: setting timer 112
        Thu Dec 6 09:19:25 2018
        /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/ldap_drv.c[1450]: receive_ldap_user_bind_event 0-8: Got user bind event.
        Thu Dec 6 09:19:25 2018
        /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/ldap_common.c[439]: ns_ldap_check_result 0-8: checking LDAP result. Expecting 97 (LDAP_RES_BIND)
        Thu Dec 6 09:19:25 2018
        /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/ldap_common.c[477]: ns_ldap_check_result 0-8: ldap_result found expected result LDAP_RES_BIND
        Thu Dec 6 09:19:25 2018
        /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/ldap_drv.c[1459]: receive_ldap_user_bind_event 0-8: Bind OK.
        Thu Dec 6 09:19:25 2018
        /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/naaad.c[5090]: unregister_timer 0-8: releasing timer 112
        Thu Dec 6 09:19:25 2018
        /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/ldap_drv.c[1553]: receive_ldap_user_bind_event 0-8: User authentication (Bind event) for user user succeeded
        Thu Dec 6 09:19:25 2018
        /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/naaad.c[3530]: send_accept 0-8: sending accept to kernel for : user
        Thu Dec 6 09:19:25 2018
        /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/naaad.c[3448]: aaad_alloc_serialize_keyValue_attrs 0-8: Total attribute values to PE : 52, pwd_last_set=131840585571172120

        and on the Web-Login “User not authorized for any operation” is shown.

      2. Hi Carl, the LDAP Bind works, we can see on the Login Page the follwing “User not authorized for any operation”

        1. Did you set the attributes for memberOf and cn so it can extract the groups? Then you need to add the group to MAS and assign permissions.

          1. Hi Carl. I was also having this problem, and your suggestion worked perfectly. I had entered the AD group name in the Default Authentication Group in the LDAP page, but I had not created a user group in MAS. I created a group with the same name, added my user ID to it, and am now able to authenticate to MAS using my AD credentials. Thanks for the very timely blog post, just one week before I needed it :¬)

  15. Hi Carl: Excellent article as usual. Question with regards to DR as it does not appear to be documented. How does one revert to the main site once the disaster is resolved, synchng the changed data back, reconfigure and making the HA pair live again?

  16. Does HDX insight / Gateway Insight work for Unified Gateways? When I go to configure insight in NMAS, the Unified gateway isn’t listed under VPN vServers to select. If I go to the Content Switching vServer, I dont get the options to enable Appflow for ICA.

    1. I wonder if you have to manually bind AppFlow policies to the ICA and HTTP bind points on the Gateway vServer and CS vServer.

  17. Thank you, Carl. I dug around the UI under Analytics / Web Insight and couldn’t find it, but navigating MAS is always a bit of a challenge for me. I am running 12.0 57.24 and not the latest 12.1. I may upgrade later today to see if there’s any additional utility or a different UI layout in the new version.

      1. thanks for prompt reply, any way you can set an example? I understand you are talking about filtering incoming raw log data and displaying it on the dashboard?

        1. The syslog viewer on MAS is at Networks > Events > Syslog Messages.

          Most of the MAS reporting functionality does not need Syslog. MAS tends to use AppFlow and SNMP Polling.

      2. Funny, I too was wondering about using MAS as a syslog server because MAS itself wasn’t giving me the information I hoped for: Reporting on TLS versions in use by clients. MAS seemingly provides only the TLS versions a Virtual Server has *enabled* for use. The closest I’ve found is a thread where you commented a couple years back:
        https://discussions.citrix.com/topic/381358-netscaler-clients-tls-version-reporting/

        Would you have any updated advice for the best way to determine TLS versions in use by clients so that we can figure out how to remove TLS 1.0/1.1? Is there something available in MAS and I’m just missing it? Or do I need to find a good syslog server and configure the NetScaler as mentioned in the link above? Anyway, thank you for this MAS article and all the others as I’ve used many of them extensively.

        1. If you enable Web Insight AppFlow on an SSL LB vServer, Web Insight Analytics should show you cipher usage.

Leave a Reply

Your email address will not be published. Required fields are marked *