Author: Carl Stalhood

Navigation

• Lights Out Module (LOM)
  • LOM IP Configuration
  • LOM Firmware Upgrade
• SDX IP Configuration
• Management Service Firmware – Upgrade to 11.0 build 55
• SDX Software Bundle Upgrade – Upgrade beyond 11.0 build 55
• Management Service NTP
• Licensing
• Management Service Alerting
• Management Service nsroot Password and AAA
• SSL Certificate and Encryption
• SDX/XenServer LACP Channels
• VPX Instances:
  • VPX Instances – Provision
  • VPX Instances – Manage
  • VPX Instance – Firmware Upgrade
• Management Service Monitoring
• Management Service Backup

LOM IP Configuration

There are two ways to set the IP address of the Lights Out Module (LOM):

• Crossover Ethernet cable from a laptop with an IP address in the 192.168.1.0 network.
• ipmitool from the NetScaler SDX XenServer command line

Ipmitool Method:

1. On NetScaler SDX appliance, SSH to the XenServer IP address (this is not the Service VM IP). On NetScaler MPX appliance, SSH to the NetScaler NSIP.
2. Default XenServer credentials are root/nsroot. Default MPX credentials are nsroot/nsroot.
3. If MPX, run shell. XenServer is already in the shell.
4. Run the following:

   ipmitool lan set 1 ipaddr x.x.x.x
   ipmitool lan set 1 netmask 255.255.255.0
   ipmitool lan set 1 defgw ipaddr x.x.x.x

   

5. You should now be able to connect to the LOM using a browser.

Laptop method:

1. Configure a laptop with static IP address 192.168.1.10 and connect it to the Lights Out Module port.
   
2. In a Web browser, type the IP address of the LOM port. For initial configuration, type the port’s default address: http://192.168.1.3
3. In the User Name and Password boxes, type the administrator credentials. The default username and password are nsroot/nsroot.
4. In the Menu bar, click Configuration and then click Network.
   
5. Under Options, click Network and type values for the following parameters:
   1. IP Address—The IP address of the LOM port.
   2. Subnet Mask—The mask used to define the subnet of the LOM port.
   3. Default Gateway—The IP address of the router that connects the appliance to the network.
      
6. Click Save.
7. Disconnect the laptop and instead connect a cable from a switch to the Lights Out Module.

LOM Firmware Upgrade

The LOM firmware at https://www.citrix.com/downloads/netscaler-adc/components/lom-firmware-upgrade differs depending on the hardware platform. The LOM firmware for the 8000 series is different than the 11000 series. Do not mix them up.

Note: the SDX Update Bundle does not include LOM firmware update so you must update it separately.

1. Determine which firmware level you are currently running. You can point your browser to the LOM and login to the see the firmware level. Or you can run ipmitool mc info from the XenServer shell.
   
2. If your LOM firmware is older than 3.0.2, follow the instructions at http://support.citrix.com/article/CTX137970 to upgrade the firmware.
3. If your LOM firmware is version 3.02 or later, follow the instructions at http://support.citrix.com/article/CTX140270 to upgrade the firmware. This procedure is shown below.
4. Now that the firmware is version 3.0.2 or later, you can upgrade to 3.39. Click the Maintenance menu and then click Firmware Update.
   
5. On the right, click Enter Update Mode.
   
6. Click OK when prompted to enter update mode.
   
7. Click Choose File and browse to the extracted bin file.
   
8. After the file is uploaded, click Upload Firmware.
   
9. Click Start Upgrade.
   
10. The Upgrade progress will be displayed.
    
11. After upgrade is complete, click OK to acknowledge the 1 minute message.
    
12. The LOM will reboot.
13. After the reboot, login and notice that the LOM firmware is now 3.39.
    

SDX IP Configuration

Default IP for Management Service is 192.168.100.1/16 bound to interface 0/1. Use laptop with crossover cable to reconfigure. Point browser to http://192.168.100.1. Default login is nsroot/nsroot.

Default IP for XenServer is 192.168.100.2/16. Default login is root/nsroot. Note: XenServer IP and Management Service IP must be on the same subnet.

There should be no need to connect to XenServer directly. Instead, all XenServer configuration (e.g. create new VM) is performed through the Management Service (SVM). To change the XenServer IP, make the change through the Management Service as detailed below:

1. Point a browser to http://192.168.100.1 and login as nsroot/nsroot.
2. When you first login to the SDX Management Service, the Welcome! Wizard appears. Click Management Network.
   
3. Configure the IP addresses. Management Service IP Address and XenServer IP Address must be different but on the same subnet.
4. You can change the password at this time or later. Click Done.
   
5. Click the System Settings box.
   
6. Enter a Host Name.
7. Select the time zone and click Continue.
   
8. Click the Licenses box.
   
9. Click Add New License.
   
10. In the Manage Licenses section, allocate licenses normally.
    
    
11. Then click Continue.
    

Another way to login to the Management Service virtual machine is through the serial port. This is actually the XenServer Dom0 console. Once logged in to XenServer, run ssh 169.254.0.10 to access the Management Service virtual machine. Then follow instructions at http://support.citrix.com/article/CTX130496 to change the IP.

The console of the Management Service virtual machine can be reached by running the following command in the XenServer Dom0 shell (SSH or console):

xe vm-list params=name-label,dom-id name-label="Management Service VM"

Then run /usr/lib/xen/bin/xenconsole <dom-id>

Or if 11.0 build 64 or newer, run /usr/lib64/xen/bin/xenconsole <dom-id>

Management Service Firmware – Upgrade to 11.0

NetScaler SDX 11.0 and newer now bundle all updates in a single package. To take advantage of this improved installation experience, you must first upgrade the Service VM to 11.0. Once it’s 11.0 you no longer need to upgrade the Service VM separately from the rest of the appliance.

1. If your SDX SVM (Management Service) is running 10.5 build 57 or newer then you can skip this section and proceed with installing the SDX Bundle.
2. NetScaler SDX 11.0 build 55 contains a separate installer for just the Management Service (SVM Upgrade Package).  The newer builds of NetScaler SDX 11.0 don’t seem to have a separate SVM Upgrade Package so you’ll need to upgrade SVM to 11.0 build 55 first. Then use the Software Bundle method to upgrade beyond build 55 as detailed in the next section.
   
3. If the webpage says NetScaler SDX on top then you are connected to the Service VM.
4. Switch to the Configuration tab.
   
5. In the navigation pane, expand Management Service, and then click Software Images.
   
6. In the right pane, click Upload.
   
7. In the Upload Management Service Software Image dialog box, click Browse, navigate to the folder that contains the build-svm file, and then double-click the build file.
8. Click Upload.
   

To upgrade the Management Service:

1. In the navigation pane, click System.
   
2. In the System pane, under System Administration, click Upgrade Management Service.
   
3. In the Upgrade Management Service dialog box, in Build File, select the file of the build to which you want to upgrade the Management Service.
4. If you see a Documentation File field, ignore it.
5. Click OK.
   
6. Click Yes if asked to continue.
   
7. If desired, go back to the Software Images node and delete older firmware files.
   

SDX Platform Software Bundle

Starting with SDX 11.0, all updates are bundled together and installed at once.

1. Make sure your Management Service (SVM) is running SDX 11.0 or newer. If not, see the separate SVM upgrade procedure in the previous section.
2. Download the latest SDX Platform Software bundle from Downloads > NetScaler ADC > Service Delivery Appliances.
   
   
3. Login to the SDX Management Service, go to Configuration > System.
   
4. On the right, in the right column, click Upgrade Appliance.
   
5. Browse to the build-sdx-11.0.tgz software bundle and click OK.
   
   
6. It should show you the estimated installation time. Check boxes next to the instances that need configs saved. Click Upgrade.
   
7. Click Yes to continue with the upgrade.
   
8. The Management Service displays installation progress.
   
   Once the upgrade is complete, click Login.
9. 
10. The Information page will be displayed showing the version of XenServer, Management Service (Build), etc.
    

Management Service NTP

1. On the Configuration tab, in the navigation pane, expand System, and then click NTP Servers.
   
2. To add a new NTP server, in the right pane, click Add.
   
3. In the Create NTP Server dialog box enter the NTP server name (e.g. pool.ntp.org) and click Create.
   
4. In the right pane click NTP Synchronization.
   
5. In the NTP Synchronization dialog box, select Enable NTP Sync. Click OK.
   

Management Service Alerting

Syslog

1. On the Configuration tab, expand System > Auditing and click Syslog Servers.
   
2. In the right pane click the Add button.
   
3. Enter a name for the server.
4. Enter the IP address of the Syslog server.
5. Select log levels and click Create.
   
6. On the right is Syslog Parameters.
   
7. You can configure the Date Format and Time Zone. Click OK.
   

Mail Notification

1. On the Configuration tab, expand System > Notifications and click Email.
   
2. In the right pane, on the Email Servers tab, click Add.
   
3. Enter the DNS name of the mail server and click Create.
   
4. In the right pane, switch to the Email Distribution List tab and click Add.
   
5. Enter a name for the mail profile.
6. Enter the destination email address and click Create.
   

System SNMP

1. Go to System > SNMP.
   
2. On the right, click Configure SNMP MIB.
   
3. Enter information as desired and click OK. Your SNMP management software will read this information.
   
4. Under the SNMP node, configure normal SNMP including: Trap Destinations, Managers, Alarms, etc.
   
   
5. MIBs can be downloaded from the Downloads tab.
   
   

Instance SNMP

1. The instances will send SNMP traps to the Service VM. To get alerted for these traps, in the Configuration page, in the navigation pane, expand NetScaler, expand Events, and click Event Rules.
   
2. On the right, click Add.
   
3. Give the rule a name.
4. Select the Major and Critical severities and move them to the right. Scroll down.
   
5. For the other sections, if you don’t configure anything then you will receive alerts for all of the devices, categories, and failure objects. If you configure any of them then only the configured entities will be alerted. Scroll down.
   
6. Click Save.
   
7. Select an Email Distribution List and click Done.
   

Management Service nsroot Password and AAA

To change the password of the default user account

1. On the Configuration tab, in the navigation pane, expand System, and then click Users.
   
2. In the Users pane, click the default user account, and then click Edit.
   
3. In the Configure System User dialog box, in Password and Confirm Password, enter the password of your choice. Click OK.
   

To create a user account

1. In the navigation pane, expand System, and then click Users. The Users pane displays a list of existing user accounts, with their permissions.
   
2. To create a user account, click Add.
   
3. In the Create System User or Modify System User dialog box, set the following parameters:
   • Name*—The user name of the account. The following characters are allowed in the name: letters a through z and A through Z, numbers 0 through 9, period (.), space, and underscore (_). Maximum length: 128. You cannot change the name.
   • Password*—The password for logging on to the appliance.
   • Confirm Password*—The password.
   • Session Timeout
   • Groups —The user’s privileges on the appliance. Possible values:
     • owner—The user can perform all administration tasks related to the Management Service.
     • readonly—The user can only monitor the system and change the password of the account.
       
4. Click Create. The user that you created is listed in the Users pane.

AAA Authentication

1. If you would like to enable LDAP authentication for the Service VM, do that under Configuration > System > Authentication > LDAP.
   
2. In the right pane, click Add.
   
3. This is configured identically to NetScaler. Enter a Load Balancing VIP for LDAP. Change the Security Type to SSL and Port to 636. Scroll down.
   
4. Enter the Base DN in LDAP format.
5. Enter the bind account.
6. Check the box for Enable Change Password.
7. Click Retrieve Attributes and scroll down.
   
8. For Server Logon Attribute select sAMAccountName.
9. For Group Attribute select memberOf.
10. For Sub Attribute Name select cn.
11. To prevent unauthorized users from logging in, configure a Search Filter. Scroll down.
    
12. If desired configure Nested Group Extraction
13. Click Create.
    
14. Expand System, expand User Administration and click Groups.
    
15. Click Add.
    
16. Enter the case sensitive name of the Active Directory group.
17. Select the admin permission.
18. Configure the Session Timeout. Click Create.
    
19. On the left, under System, click User Administration.
    
20. On the right click User Lockout Configuration.
    
21. If desired, check the box next to Enable User Lockout and configure the maximum logon attempts. Click OK.
    
22. On the left, under System, click Authentication.
    
23. On the right, click Authentication Configuration.
    
24. Change the Server Type to LDAP.
25. Select the LDAP server you created and click OK.
    

SSL Certificate and Encryption

Replace SDX Management Service Certificate

Before enabling secure access to the Management Service web console, you probably want to replace the Management Service certificate.

1. PEM format: The certificate must be in PEM format. The Management Service does not provide any mechanism for converting a PFX file to PEM. You can convert from PFX to PEM by using the Import PKCS#12 task in a NetScaler instance.
2. On the left, click System.
   
3. On the right, click Install SSL Certificate.
   
4. Select the certificate and key files in PEM format. If the key file is encrypted, enter the password. Then click OK. The Management Service will restart so there will be an interruption.
   
   
   
5. After the Management Service restarts, connect to it using HTTPS. You can’t make this change if you are connected using HTTP.
6. On the Configuration tab, click System.
   
7. On the right, click Change System Settings.
   
8. Check the box next to Secure Access Only and click OK. This forces you to use HTTPS to connect to the Management Service.
   

SSL Encrypt Management Service to NetScaler Communication

From http://support.citrix.com/article/CTX134973: Communication from the Management Service to the NetScaler VPX instances is HTTP by default. If you want to configure HTTPS access for the NetScaler VPX instances, then you have to secure the network traffic between the Management Service and NetScaler VPX instances. If you do not secure the network traffic from the Management Service configuration, then the NetScaler VPX Instance State appears as Out of Service and the Status shows Inventory from instance failed.

1. Log on to the Management Service .
2. On the Configuration tab, click System.
   
3. On the right, click Change System Settings.
   
4. Change Communication with NetScaler Instance to https, as shown in the following screen shot:
   
5. Run the following command on the NetScaler VPX instance, to change the Management Access (-gui) to SECUREONLY:

set ns ip ipaddress -netmask netmask -arp ENABLED -icmp ENABLED -vServer DISABLED -telnet ENABLED -ftp ENABLED -gui SECUREONLY -ssh ENABLED -snmp ENABLED - mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting ENABLED -ospf DISABLED -bgp DISABLED -rip DISABLED -hostRoute DISABLED -vrID 0

Or in the NetScaler instance management GUI go to Network > IPs, open the NSIP and then check the box next to Secure access only.

SDX/XenServer LACP Channels

To use LACP, configure Channels in the Management Service, which creates them in XenServer. Then when provisioning an instance, connect it to the Channel.

1. In the Management Service, on the Configuration tab, expand System and click Channels.
   
2. On the right, click Add.
   
3. Select a Channel ID.
4. For Type, select LACP or STATIC. If using Cisco vPC then LACP is required. The other two options are for switch independent load balancing.
   
5. In the Interfaces tab, click Add.
   
6. Move the Channel Member interfaces to the right by clicking the plus icon.
   
7. On the Settings tab, for LACP you can select Long or Short, depending on switch configuration. Short is the default.
8. Click Create when done.
   
9. Click Yes when asked to proceed.
   
10. The channel will then be created on XenServer.
    

VPX Instances – Provision

To create an admin profile

Admin profiles specify the user credentials that are used by the Management Service when provisioning the NetScaler instances, and later when communicating with the instances to retrieve configuration data. The user credentials specified in an admin profile are also used by the client when logging on to the NetScaler instances through the CLI or the configuration utility.

The default admin profile for an instance specifies a user name of nsroot, and the password is also nsroot. This profile cannot be modified or deleted. However, you should override the default profile by creating a user-defined admin profile and attaching it to the instance when you provision the instance. The Management Service administrator can delete a user-defined admin profile if it is not attached to any NetScaler instance.

Important: Do not change the password directly on the NetScaler VPX instance. If you do so, the instance becomes unreachable from the Management Service. To change a password, first create a new admin profile, and then modify the NetScaler instance, selecting this profile from the Admin Profile list.

1. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Admin Profiles.
   
2. In the Admin Profiles pane, click Add.
   
3. In the Create Admin Profile dialog box, set the following parameters:
   • Profile Name*—Name of the admin profile. The default profile name is nsroot. You can create user-defined profile names.
   • User Name—User name used to log on to the NetScaler instances. The user name of the default profile is nsroot and cannot be changed.
   • Password*—The password used to log on to the NetScaler instance. Maximum length: 31 characters.
   • Confirm Password*—The password used to log on to the NetScaler instance.
     
4. Click Create. The admin profile you created appears in the Admin Profiles pane.

To upload a NetScaler VPX .xva file

You must upload a NetScaler VPX .xva file to the SDX appliance before provisioning the NetScaler VPX instances.

1. Download the Virtual Appliance XVA from the SDX Software Bundle Download Page.
   
2. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Software Images.
   
3. On the right, switch to the XVA Files tab and then click Upload.
   
4. In the Upload NetScaler Instance XVA dialog box, click Browse and select the XVA image file that you want to upload. Click Upload. The XVA image file appears in the NetScaler XVA Files pane after it is uploaded.
   
   

To provision a NetScaler instance

1. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Instances.
   
2. In the NetScaler Instances pane, click Add.
   
3. In the Provision NetScaler Wizard follow the instructions in the wizard.
4. Click Create. The NetScaler instance you provisioned appears in the NetScaler Instances pane.

The wizard will ask for the following info:

• Name* – The host name assigned to the NetScaler instance.
• IP Address* – The NetScaler IP (NSIP) address at which you access a NetScaler instance for management purposes. A NetScaler instance can have only one NSIP. You cannot remove an NSIP address.
• Netmask* – The subnet mask associated with the NSIP address.
• Gateway* – The default gateway that you must add on the NetScaler instance if you want access through SSH or the configuration utility from an administrative workstation or laptop that is on a different network.
• Nexthop to Management Service (11.0 build 64 and newer) – Adds a static route on the NSIP network so SDX Management Service can communicate with the instance NSIP. Only needed if instance default gateway and instance NSIP are on separate networks.  💡
• XVA File* – The .xva image file that you need to provision. This file is required only when you add a NetScaler instance.
• Feature License* – Specifies the license you have procured for the NetScaler. The license could be Standard, Enterprise, and Platinum.
• Admin Profile* – The profile you want to attach to the NetScaler instance. This profile specifies the user credentials that are used by the Management Service to provision the NetScaler instance and later, to communicate with the instance to retrieve configuration data. The user credentials used in this profile are also used while logging on to the NetScaler instance by using the GUI or the CLI. It is recommended that you change the default password of the admin profile. This is done by creating a new profile with a user-defined password. For more information, see Configuring Admin Profiles.
• Total Memory (MB)* – The total memory allocated to the NetScaler instance.
• #SSL Cores* – Number of SSL cores assigned to the NetScaler instance. SSL cores cannot be shared. The instance is restarted if you modify this value.
• Throughput (Mbps)* – The total throughput allocated to the NetScaler instance. The total used throughput should be less than or equal to the maximum throughput allocated in the SDX license. If the administrator has already allocated full throughput to multiple instances, no further throughput can be assigned to any new instance.
• Packets per second* – The total number of packets received on the interface every second.
• CPU – Assign a dedicated core or cores to the instance or the instance shares a core with other instance(s).
• User Name* – The root user name for the NetScaler instance administrator. This user has superuser access, but does not have access to networking commands to configure VLANs and interfaces. (List of non-accessible commands will be listed here in later versions of this document)
• Password* – The password for the root user.
• Shell/Sftp/Scp Access* – The access allowed to the NetScaler instance administrator.
• Interface Settings – This specifies the network interfaces assigned to a NetScaler instance. You can assign interfaces to an instance. For each interface, if you select Tagged, specify a VLAN ID.
  • Important:The interface ID numbers of interfaces that you add to an instance do not necessarily correspond to the physical interface numbering on the SDX appliance. For example, if the first interface that you associate with instance 1 is SDX interface 1/4, it appears as interface 1/1 when you log on to the instance and view the interface settings, because it is the first interface that you associated with instance 1.
  • If a non-zero VLAN ID is specified for a NetScaler instance interface, all the packets transmitted from the NetScaler instance through that interface will be tagged with the specified VLAN ID. If you want incoming packets meant for the NetScaler instance that you are configuring to be forwarded to the instance through a particular interface, you must tag that interface with the VLAN ID you want and ensure that the incoming packets specify the same VLAN ID.
  • For an interface to receive packets with several VLAN tags, you must specify a VLAN ID of 0 for the interface, and you must specify the required VLAN IDs for the NetScaler instance interface.
• NSVLAN ID – An integer that uniquely identifies the NSVLAN. Minimum value: 2. Maximum value: 4095.
• Tagged – Designate all interfaces associated with the NSVLAN as 802.1q tagged interfaces.
• Interfaces – Bind the selected interfaces to the NSVLAN.

Here are screenshots from the wizard:

1. In the Provision NetScaler section, enter a name for the instance.
2. Enter the NSIP, mask, and Gateway.
3. Nexthop to Management Service is new in 11.0 build 64 and newer. If the default gateway is on a different network than the NSIP, then enter a next hop router address on the NSIP network so the SDX Management Service can communicate with the NSIP.  💡
   
4. In the XVA File field, you can Browse > Local to select an XVA file on your file system. Or you can Browse > Appliance and select an XVA file that has already been uploaded.
   
   
5. Change the Feature License to Platinum.
6. Select an Admin Profile created earlier.
7. Enter a Description. Scroll down.
   
8. In the Resource Allocation section, change the Total Memory to 4096.
9. For SSL Chips, specify between 1 and 16.
10. For Throughput, partition your licensed bandwidth. If you are licensed for 8 Gbps, make sure the total of all VPX instances does not exceed that number.
11. Burstable is also an option. Fixed bandwidth can’t be shared with other instances. Burstable can be shared. See Bandwidth Metering in NetScaler SDX at docs.citrix.com
12. For CPU, select one of the Dedicated options. Then scroll down.
    
13. In the Instance Administration section, enter a new local account that will be created on the VPX. This is in addition to the nsroot user. Note, not all functionality is available to this account. Scroll down.
    
14. In the Network Settings section, leave 0/1 selected and deselect 0/2.
15. Click Add to connect the VPX to more interfaces.
    
16. If you have Port Channels, select one of the LA interfaces.
17. Try not configure any VLAN settings here. If you do, XenServer filters the VLANs available to the VPX instance. Changing the VLAN filtering settings later probably requires a reboot. Click Add.
    
18. In the Management VLAN Settings section, do not configure anything in this section unless you need to tag the NSIP VLAN. Click Done.
    
19. After a couple minutes the instance will be created. Click Close.
    
20. In your Instances list, click the IP address to launch the VPX management console. Do the following at a minimum (instructions in the NetScaler System Configuration page):
    1. Enable MAC Based Forwarding – System > Settings > Configure Modes > MAC Based Forwarding
    2. Add SNIPs for each VLAN – System > Network > IPs
    3. Add VLANs and bind to SNIPs – System > Network > VLANs
    4. Change default gateway – System > Network > Routes > 0.0.0.0
    5. Create another instance on a different SDX and High Availability pair them together – System > High Availability
       

Applying the Administration Configuration

At the time of provisioning a NetScaler VPX instance, the Management Service creates some policies, instance administration (admin) profile, and other configuration on the VPX instance. If the Management Service fails to apply the admin configuration at this time due to any reason (for example, the Management Service and the NetScaler VPX instance are on different subnetworks and the router is down or if the Management Service and NetScaler VPX instance are on the same subnet but traffic has to pass through an external switch and one of the required links is down), you can explicitly push the admin configuration from the Management Service to the NetScaler VPX instance at any time.

1. On the Configuration tab, in the navigation pane, click NetScaler.
   
2. In the NetScaler Configuration pane, click Apply Admin Configuration.
   
3. In the Apply Admin Configuration dialog box, in Instance IP Address, select the IP address of the NetScaler VPX instance on which you want to apply the admin configuration.
4. Click OK.
   

VPX Instances – Manage

You may login to the VPX instance and configure everything normally. SDX also offers the ability to manage IP address and SSL certificates from SDX rather than from inside the VPX instance. The SDX Management Service does not have the ability to create certificates so it’s probably best to do that from within the VPX instance.

To view the console of a NetScaler instance

1. Connect to the Management Service using https.
2. Viewing the console might not work unless you replace the Management Service certificate.
3. In the Management Service, go to Configuration > NetScaler > Instances.
   
4. On the right, right-click an instance and click Console.
   
5. The instance console then appears.
   
6. Another option is to use the Lights Out Module and the xl console command as detailed at Citrix Blog Post SDX Remote Console Access of VIs.

To start, stop, delete, or restart a NetScaler instance

1. On the Configuration tab, in the navigation pane, expand NetScaler and click Instances.
   
2. In the Instances pane, right-click the NetScaler instance on which you want to perform the operation, and then click Start or Shut Down or Delete or Reboot.
3. In the Confirm message box, click Yes.
   

Creating a Subnet IP Address on a NetScaler Instance

You can create or delete a SNIP during runtime without restarting the NetScaler instance.

1. On the Configuration tab, in the navigation pane, click NetScaler.
   
2. In the NetScaler Configuration pane, click Create IP.
   
3. In the Create NetScaler IP dialog box, specify values for the following parameters.
   • IP Address* – Specify the IP address assigned as the SNIP or the MIP address.
   • Netmask* – Specify the subnet mask associated with the SNIP or MIP address.
   • Type* – Specify the type of IP address. Possible values: SNIP.
   • Save Configuration* – Specify whether the configuration should be saved on the NetScaler. Default value is false.
   • Instance IP Address* – Specify the IP address of the NetScaler instance.
4. Click Create.
   

Create a VLAN on a NetScaler instance

1. Go to NetScaler > Instances.
   
2. Right-click an instance and click VLAN Bindings.
   
3. Click Add.
   
4. Enter a VLAN ID and select an interface.
5. Check the box for Tagged if needed.
6. Notice there’s no way to bind a SNIP. You do that inside the instance. Click Create.
   

To save the configuration on a NetScaler instance

1. On the Configuration tab, in the navigation pane, click NetScaler.
   
2. In the NetScaler pane, click Save Configuration.
   
3. In the Save Configuration dialog box, in Instance IP Address, select the IP addresses of the NetScaler instances whose configuration you want to save.
4. Click OK.
   

Change NSIP of VPX Instance

If you change NSIP inside of VPX instead of using the Modify Instance wizard in the Service VM, see article http://support.citrix.com/article/CTX139206 to adjust the XenServer settings.

Enable Call Home

1. On the Configuration tab, in the navigation pane, click the NetScaler node.
   
2. On the right, click Call Home.
   
3. Enter an email address to receive communications regarding NetScaler Call Home.
4. Check the box next to Enable Call Home.
5. Select the instances to enable Call Home and click OK.
   
6. You can view the status of Call Home by expanding NetScaler and clicking Call Home.
   
7. The right pane indicates if it’s enabled or not. You can also configure Call Home from here.
   

VPX Instance – Firmware Upgrade

Upload NetScaler Firmware Build Files

To upgrade a VPX instance from the Management Service, first upload the firmware build file.

1. Download the NetScaler firmware using the normal method.
   
2. In the Configuration tab, on the left, expand NetScaler and click Software Images.
   
3. On the right, in the Software Images tab click Upload.
   
4. Browse to the build…tgz file and click Open.
   
   

Upgrading Multiple NetScaler VPX Instances

You can upgrade multiple instances at the same time.

1. To prevent any loss of the configuration running on the instance that you want to upgrade, save the configuration on the instance before you upgrade the instance.
2. On the Configuration tab, in the navigation pane, expand NetScaler and click Instances.
   
3. Right-click an instance and click Upgrade.
   
4. In the Upgrade NetScaler dialog box, in Build File, select the NetScaler upgrade build file of the version you want to upgrade to. Ignore the Documentation File. Click OK.
   
   

Management Service Monitoring

1. To view syslog, in the navigation pane, expand System, click Auditing and then click Syslog Message in the right pane.
   
2. To view the task log, in the navigation pane, expand Diagnostics, and then click Task Log.
   
3. To view Management Service events, on the Configuration tab, in the expand System and click Events.
   
4. NetScaler > Entities lets you see the various Load Balancing entities configured on the instances.
   
   
5. To view instance alerts, go to NetScaler > Events > All Events.
   
   
6. There is also event reporting.
   

Management Service Backups

The SDX appliance automatically keeps three backups of the Service VM configuration that are taken daily at 12:30 am.

Backups in NetScaler SDX 11.0 contain the following:

• Single bundle image
• NetScaler XVA image
• NetScaler upgrade image
• Management Service image
• Management Service configuration
• NetScaler SDX configuration
• NetScaler configuration

You can go to Management Service > Backup Files to backup or restore the appliance’s configuration. And you can download the backup files.

You can configure the number of retained backups by clicking System on the left and then clicking Backup Policy in the right pane.

Navigation

This page contains the following topics:

• VPX Hardware
• Customer User Experience Improvement Program
• Welcome Wizard
• Licensing:
  • Get NetScaler VPX Mac Address for Licensing
  • Activate licenses at citrix.com
  • Install licenses on appliance
• Upgrade Firmware
• High Availability
• Multiple Interfaces/VLANs (aka two-arm)  💡
• DNS Servers
• NTP Servers
• Syslog Server
• SNMP Configuration
• Call Home
• Change nsroot password
• TCP, HTTP, SSL, and Security settings
• LDAP Authentication for Management
• CLI Prompt
• Backup and Restore

💡 = Recently Updated

VPX Hardware

NetScaler VPX Release 11.0 Build 65.72 and newer supports new VPX models on ESXi. These new models include: VPX 25, VPX 5G, VPX 25G, etc. See the NetScaler VPX datasheet for more info.  💡

11.0 build 65.72 and newer firmware also supports changing the NIC type to VMXNET3 or SR-IOV. The imported appliance comes with E1000 NICs so you’ll have to remove the existing virtual NICs and add new VMXNET3 NICs.

NetScaler for Azure can now be upgraded to 11.0 build 65.31 or newer. It will be possible to upgrade to future releases of NetScaler firmware. More details by Thomas Goodwin at Citrix Discussions.  💡

Customer User Experience Improvement Program

1. You might be prompted to enable the Customer User Experience Improvement Program. Either click Enable or click Skip.
   
   
2. You can enable or disable Customer Experience Improvement Program by going to System > Settings.
   
3. On the right is Change CUXIP Settings.
   
4. Make your selection and click OK.
   

set system parameter -doppler ENABLED

Welcome Wizard

NetScaler has a Welcome! Wizard that lets you set the NSIP, hostname, DNS, licensing, etc. It appears automatically the first time you login.

1. Click the Subnet IP Address box.
   
2. You can either enter a SNIP for one of your interfaces or you can click Do it later.
   

   add ns ip 172.16.1.11 255.255.255.0 -type SNIP

3. Click the Host Name, DNS IP Address, and Time Zone box.
   
4. Enter a hostname. Your NetScaler Gateway Universal licenses are allocated to this hostname. In a High Availability pair each node can have a different hostname.
5. Enter one or more DNS Server IP addresses. Use the plus icon on the right to add more servers.
6. Change the time zone to GMT-05:00-CDT-America/Chicago or similar.
7. Click Done.
   

   set ns hostname ns02
   
   add dns nameServer 192.168.123.11
   
   set ns param -timezone "GMT-05:00-CDT-America/Chicago"

8. Click Yes to save and reboot.
   
9. Click the Licenses box.
   
10. You can click Add New License to license the appliance now. Or do it later.
    
    
    On the far right side of the screen is displayed the Host ID you need when allocating licenses.
    
    License files are stored in /nsconfig/license.
11. Then click Continue.
    

Licensing – VPX Mac Address

To license a NetScaler VPX appliance, you will need its MAC address.

1. One method is to look in the GUI.
   
2. In the right pane, look down for the Host Id field. This is the MAC address you need for license allocation.
   
3. Or go to System > Licenses.
   
   
4. On the right, click Manage Licenses.
   
5. Click Add New License.
   
6. On the far right side of the screen the Host ID is displayed.
   
7. Another option is to SSH to the appliance and run shell.
8. Then run lmutil lmhostid. The MAC address is returned.
   

Licensing – Citrix.com

1. Login to citrix.com.
2. Click Activate and Allocate Licenses.
   
3. Check the box next to a Citrix NetScaler license and click Continue.
   
4. If this is a NetScaler MPX license then there is no need to enter a host ID for this license so click Continue. If this is a NetScaler VPX license, enter the lmutil lmhostid MAC address into the Host ID field and click Next.
   
   For a VPX appliance, you can also get the Host ID by looking at the System Information page.
   
5. Click Confirm.
   
6. Click OK when asked to download the license file.
   
7. Click Download.
   
8. Click Save and put it somewhere where you can get to it later.
9. If you purchased NetScaler Gateway Universal Licenses, allocate them. These licenses can come from XenMobile Enterprise, XenApp/XenDesktop Platinum Edition, NetScaler Platinum Edition, or a la carte.
   
10. Enter your appliance hostname as the Host ID for all licenses.
    
11. Click Confirm.
    
12. Click OK when prompted to download your license file.
    
13. Click Download.
    
14. Click Save.
15. If you have two appliances in a High Availability pair with different hostnames then you will need to return the NetScaler Gateway Universal licenses and reallocate them to the other hostname.

Install Licenses on Appliance

1. In the NetScaler Configuration GUI, on the left, expand System and click Licenses.
   
2. On the right, click Manage Licenses.
   
3. Click Add New License.
   
4. If you have a license file, select Upload license files from a local computer and then click Browse.
   
   License files are stored in /nsconfig/license.
5. Click Reboot when prompted. Login after the reboot.
   
6. After rebooting, the Licenses node should look something like this. Notice that Maximum ICA Users Allowed is set to Unlimited.
   
7. Note: the NetScaler SNMP counter allnic_tot_rx_mbits must remain less than the licensed bandwitdh or else packets will drop.

Upgrade Firmware

Citrix CTX127455 – How to Upgrade Software of the NetScaler Appliances in a High Availability Setup

1. Download firmware. Ask your Citrix Partner or Citrix Support TRM for recommended versions and builds. At the very least, watch the Security Bulletins to determine which versions and builds resolve security issues. You can also subscribe to the Security Bulletins at http://support.citrix.com by clicking the Alerts link on the top right.
2. Make sure you Save the config before beginning the upgrade.
   
3. Transferring the firmware upgrade file to the appliance will be slow unless you license the appliance first. An unlicensed appliance will reduce the maximum speed to 1 Mbps.
4. When upgrading from 10.5 or older, make sure the NetScaler Gateway Theme is set to Default or Green Bubbles. After the upgrade, you’ll have to create a new Portal Theme and bind it to the Gateway vServers.
5. Start with the Secondary appliance.
6. Before upgrading the appliance, consider using WinSCP or similar to back up the /flash/nsconfig directory.
   
7. In the NetScaler GUI, with the top left node (System) selected, click, click System Upgrade.
   
8. Browse to the build…tgz file. If you haven’t downloaded firmware yet then you can click the Download Firmware link.
   
9. Click Upgrade.
10. The firmware will upload.
    
11. You should eventually see a System Upgrade window with text in it. Click Yes when prompted to reboot.
    
12. Once the Secondary is done, login and failover the pair.
    
13. Then upgrade the firmware on the former Primary.

To install firmware by using the command-line interface

1. To upload the software to the NetScaler Gateway, use a secure FTP client (e.g. WinSCP) to connect to the appliance.
2. Create a version directory under /var/nsinstall (e.g. /var/nsinstall/11.0.61).
3. Copy the software from your computer to the /var/nsinstall/<version> (e.g. /var/nsinstall/11.0.61) directory on the appliance.
4. Open a Secure Shell (SSH) client (e.g. Putty) to open an SSH connection to the appliance.
5. At a command prompt, type shell.
6. At a command prompt, type cd /var/nsinstall to change to the nsinstall directory.
7. To view the contents of the directory, type ls.
8. To unpack the software, type tar -xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
9. To start the installation, at a command prompt, type ./installns.
10. When the installation is complete, restart NetScaler.
11. When the NetScaler restarts, at a command prompt type what or show version to verify successful installation.

High Availability

Configure High Availability as soon as possible so almost all configurations are synchronized across the two appliances. The exceptions are mainly network interface configurations.

High Availability will also sync files between the two appliances. See CTX138748 File Synchronization in NetScaler High Availability Setup for more information.

1. Prepare the secondary appliance:
   1. Configure a NSIP.
   2. Don’t configure a SNIP. You can click Do It Later to skip the wizard.
   3. Configure Hostname and Time Zone. Don’t configure DNS since you’ll get those addresses when you pair it.
   4. License the secondary appliance.
   5. Upgrade firmware on the secondary appliance. The firmware of both nodes must be identical.
2. On the secondary appliance, go to System > High Availability, double-click the local node, and change High Availability Status to STAY SECONDARY. If you don’t do this then you run the risk of losing your config when you pair the appliances. See Terence Luk Creating a Citrix NetScaler High Availability pair without wiping out an existing configuration for more information.
   
   
   

   set ha node -hastatus STAYSECONDARY

3. On the primary appliance, on the left, expand System, expand Network and click Interfaces.
   
4. On the right, look for any interface that is currently DOWN. You need to disable those disconnected interfaces before enabling High Availability. Right-click the disconnected interface and click Disable. Repeat for the remaining disconnected interfaces.
   

   show interface
   disable interface 1/1

5. On the left, expand System and click High Availability.
   
6. On the right, click Add.
   
7. Enter the other NetScaler’s IP address.
8. Enter the other NetScaler’s login credentials and click Create.
   
   add ha node 1 192.168.123.14
   Note: this command must be run separately on each appliance.
9. If you click the refresh icon near the top right, Synchronization State will probably say IN PROGRESS.
   
   Eventually it will say SUCCESS.
   
10. To enable Fail-safe mode, edit Node ID 0 (the local appliance).
    
11. Under Fail-safe Mode, check the box next to Maintain one primary node even when both nodes are unhealthy. Scroll down and click OK.
    set ha node -failSafe ON
12. If you login to the Secondary appliance, you might see a message warning you against making changes. Always apply changes to the Primary appliance.
    
13. On the secondary appliance, go to System > High Availability, double-click the local node, and change it from STAY SECONDARY to ENABLED.
    
14. From the CLI, run “sh ha node” to see the status. You should see heartbeats on all interfaces. If not, configure VLANs as detailed in the next section.
    
15. You can force failover of the primary appliance by opening the Actions menu, and clicking Force Failover.
    
    force ha failover
    If your firewall (e.g. Cisco ASA) doesn’t like Gratuitous ARP, see CTX112701 – The Firewall Does not Update the Address Resolution Protocol Table

Multiple Interfaces – VLANs

Citrix CTX214033 Networking and VLAN Best Practices for NetScaler discusses many of the same topics detailed in this section.

Channels: You should never connect multiple interfaces to a single VLAN unless you are bonding the interfaces using LACP, Manual Channel, or the new Redundant Interface Set feature. See Webinar: Troubleshooting Common Network Related Issues with NetScaler.

NetScaler VPX defaults to two connected interfaces, so if you only have one subnet, disconnect one of those interfaces.

A Redundant Interface Set is configured almost identically to a Manual Channel except that the Channel ID starts with LR instead of LA.

Common interface configuration: Here is a common NetScaler networking configuration for a NetScaler that is connected to both internal and DMZ.

Note: If the appliance is connected to both DMZ and internal then be aware that this configuration essentially bypasses (straddles) the DMZ-to-internal firewall. That’s because if a user connects to a public/DMZ VIP, then NetScaler could use an internal SNIP to connect to the internal server. A more secure approach is to have different appliances for internal and DMZ. Or use NetScaler SDX, partitioning, or traffic domains.

• 0/1 connected to a dedicated management network. NSIP is on this network.
  • 0/1 is not optimized for high throughput so don’t put data traffic on this interface. If you don’t have a dedicated management network, then put your NSIP on one of the other interfaces (1/1, 10/1, etc.) and don’t connect any cables to 0/1.
  • To prevent NetScaler from using this interface for outbound data traffic, don’t put a SNIP on this network, and configure the default gateway to use a different data network. However, if there’s no SNIP, and if default gateway is on a different network,  then there will be asymmetric routing for management traffic since inbound is 0/1 but outbound is LA/1. To work around this problem, enable Mac Based Forwarding. Or create a Policy Based Route.
  • It’s easiest if the switch port for this interface is an Access Port (untagged). If VLAN tagging is required, then NSVLAN must be configured on the NetScaler.
• 10/1 and 10/2 in a LACP port channel (LA/1) connected to internal VLAN(s). Static routes to internal networks through a router on one of these internal VLANs.
  • If only one internal VLAN, configure the switch ports/channel as an Access Port.
  • If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
  • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.
• 1/1 and 1/2 in a LACP port channel (LA/2) connected to DMZ VLAN(s). Default gateway points to a router on a DMZ VLAN so replies can be sent to Internet clients.
  • If only one internal VLAN, configure the switch ports/channel as an Access Port.
  • If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
  • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.

SNIPs: You will need one SNIP for each connected subnet. VLAN objects (tagged or untagged) bind the SNIPs to particular interfaces. NetScaler uses the SNIP’s subnet mask to assign IP addresses to particular interfaces.

NSIP: The NSIP subnet is special so you won’t be able to bind it to a VLAN. Use the following SNIP/VLAN method for any subnet that does not have the NSIP. The remaining interfaces will be in VLAN 1, which is the VLAN that the NSIP is in. VLAN 1 is only locally significant so it doesn’t matter if the switch is configured with it or not. Just make sure the switch has a native VLAN configured, or configure the interface as access port. If you require trunking of every VLAN, including the NSIP VLAN, then additional configuration is required (NSVLAN or Tagall).

To configure multiple connected subnets:

1. On the left, expand System, and click Settings.
   
2. On the right, in the left column, click Configure modes.
   
3. Check the box next to MAC Based Forwarding and click OK. This configures the NetScaler to respond on the same interface the request came in on and thus bypasses the routing table. This setting can work around misconfigured routing tables. More info on MAC Based Forwarding can be found at Citrix CTX1329532 FAQ: Citrix NetScaler MAC Based Forwarding (MBF).
   

   enable mode mbf

4. Add a subnet IP for every network the NetScaler is connected to, except the dedicated management network. Expand System, expand Network, and click IPs.
   
5. On the right, click Add.
   
6. Enter the Subnet IP Address for this network. This is the source address the NetScaler will use when communicating with any other service on this network. The Subnet IP can also be referred to as the Interface IP for the network. You will need a separate SNIP for each connected network (VLAN).
7. Enter the netmask for this network. When you create a VLAN object later, all IPs on this subnet will be bound to an interface.
8. Ensure the IP Type is set to Subnet IP. Scroll down.
   

   add ns ip 172.16.1.11 255.255.255.0 -type SNIP

9. Under Application Access Controls decide if you want to enable GUI management on this SNIP. This is particularly useful for High Availability pairs, because when you point your browser to the SNIP only the primary appliance will respond. However, enabling management access on the SNIP can be a security risk, especially if this is a SNIP for the DMZ network.
10. Click Create when done. Continue adding SNIPs for each connected network (VLAN).
    

    set ns ip 172.16.1.11 -mgmtAccess ENABLED -telnet DISABLED -ftp DISABLED

11. On the left, expand System, expand Network and click VLANs.
    
12. On the right, click Add.
    
13. Enter a descriptive VLAN ID. The actual VLAN ID only matters if you intend to tag the traffic. If not tagged then any ID will work.
14. Check the box next to one physical interface or channel (e.g. LA/1) that is connected to the network.
15. If this is a trunk port, select Tagged if the switch port/channel is expecting the VLAN to be tagged.
    • If your switches do not allow untagged packets then you will need to use the tagall interface option to tag NetScaler High Availability heartbeat packets. See CTX122921 – Citrix NetScaler Interface Tagging and Flow of High Availability Packets
16. If you don’t tag the VLAN, then the NetScaler interface/channel is removed from VLAN 1 and instead put in this VLAN ID.
17. Switch to the IP Bindings tab.
    
18. Check the box next to the Subnet IP for this network. This lets NetScaler know which interface is used for which IP subnet. Click Create when done.
    

    add vlan 50
    bind vlan 50 -ifnum LA/1 -IPAddress 172.16.1.11 255.255.255.0
    

19. The default route should use the router in the DMZ, not the internal router. Most likely the default route is set to an internal router. On the left, expand System, expand Network and click Routes.
    
20. On the right, click Add.
    
21. Internal networks are only accessible through an internal router. Add a static route to the internal networks and set the Gateway to an internal router. Then click Create.
    

    add route 192.168.0.0 255.255.0.0 192.168.123.1

22. Before deleting the existing default route, either enable Mac Based Forwarding, or create a Policy Based Route, so that the replies from NSIP can reach your machine. To create a PBR, go to System > Network > PBRs.
    
23. The source IP is the NSIP, and next hop is a router on the same network as the NSIP. Destination is not needed.
    
24. Then open the Action menu, and click Apply.
    

    add ns pbr NSIP ALLOW -srcIP = 10.2.2.59 -nextHop 10.2.2.1
    apply ns pbrs

25. Go back to System > Network > Routes. On the right, delete the 0.0.0.0 route. Don’t do this unless the NetScaler has a route to the IP address of the machine you are running the NetScaler Configuration Utility on.
    
    

    rm route 0.0.0.0 0.0.0.0 192.168.123.1

26. Then click Add.
    
27. Set the Network to 0.0.0.0 and the Netmask to 0.0.0.0. Enter the IP address of the DMZ router and click Create.
    

    add route 0.0.0.0 0.0.0.0 172.16.1.1

DNS Servers

1. To configure DNS servers, expand Traffic Management, expand DNS and click Name Servers.
   
2. On the right, click Add.
   
3. Enter the IP address of a DNS server and click Create.
4. Note: The NetScaler must be able ping each of the DNS servers or they will not be marked as UP. The ping originates from the SNIP. If you are unwilling to enable Ping then you will need to load balance your DNS servers on the local NetScaler appliance.
   

   add dns nameServer 192.168.123.11

NTP Servers

1. On the left, expand System, and click NTP Servers.
   
2. On the right, click Add.
   
3. Enter the IP Address of your NTP Server (or pool.ntp.org) and click Create.
   
   add ntp server pool.ntp.org
4. Open the Action menu and click NTP Synchronization.
   
5. Select ENABLED and click OK.
   
   enable ntp sync
6. You can click the System node to view the System Time.
   
7. If you need to manually set the time, SSH (Putty) to the NetScaler appliances. Run date to set the time. Run date –help to see the syntax.
8. Ntpdate –u pool.ntp.org will cause an immediate NTP time update.

Citrix Knowledgebase article CTX200286 – NTP Configuration on NetScaler to Avoid Traffic Amplification Attack:

1. Replace the following line in /etc/ntp.conf file, if it exists:

   >  restrict default ignore

2. Add the following lines in file /etc/ntp.conf:

   # By default, exchange time with everybody, but don't allow configuration:
   restrict -4 default kod notrap nomodify nopeer noquery
   restrict -6 default kod notrap nomodify nopeer noquery
   
   # Local users may interrogate the ntp server more closely:
   
   restrict 127.0.0.1
   restrict ::1

3. Restart NTP using the following commands:

   > shell
   root@ns# ps -aux |grep "ntp"
   root@ns# kill <PID obtained from step above>
   root@ns# /usr/sbin/ntpd -g -c /flash/nsconfig/ntp.conf

Citrix Knowledgebase Article CTX200355 – Citrix Security Advisory for NTP Vulnerabilities: By default, NTP is disabled on the NetScaler and, as such, is not vulnerable to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. However, in deployments where customers have enabled NTP on the appliance, it is likely that these vulnerabilities will impact NetScaler.

We recommend that customers apply the following remediation:

Open the NetScaler’s ntp.conf file in /etc and add the following lines:

restrict -4 default notrap nopeer nomodify noquery
restrict -6 default notrap nopeer nomodify noquery

In addition to adding the above two lines, all other ‘restrict‘ directives should be reviewed to ensure that they contain both ‘nomodify‘ and ‘noquery‘ and that the file contains no ‘crypto‘ directives.

When this editing is complete, save the file and copy it to the /nsconfig directory. The NTP service must then be restarted for the changes to take effect. As with all changes, Citrix recommends that this is evaluated in a test environment prior to releasing to production.

SYSLOG Server

Citrix CTX120609 NetScaler Log Rotation and Configuration Using Newsyslog

The NetScaler will by default store a few syslogs on the local appliance. You can create a syslog policy to also send the syslog entries to an external server, like Citrix Command Center.

1. On the left, expand System, expand Auditing, and click Syslog.
   
2. On the right, switch to the Servers tab and click Add.
   
3. Enter a name for the Syslog server.
4. Specify the IP Address of the SYSLOG server, 514 as the port, and the Log Levels you’d like to send to it.
5. Check the box for TCP Logging if you want the client IP. Note: TCP Logging requires significant disk space on the Syslog server.
6. Select your desired Time Zone and then click Create.
   

   add audit syslogAction CommandCenter 192.168.123.12 -logLevel ALL -timeZone LOCAL_TIME

7. On the right, switch to the Policies tab, and then click Add.
   
8. Give the policy a descriptive name, select the Syslog server, and then click Create.
   

   add audit syslogPolicy CommandCenter ns_true CommandCenter

9. While still on the Policies tab, open the Actions menu and click Global Bindings.
   
10. Click the arrow next to Click to select.
    
11. Select the Syslog policy you want to bind and click Select.
    
12. Click Bind.
    
13. Select the Syslog policy you want to bind and click Select.
    
14. Then click Bind.
    
15. Click Done.
    

    bind system global CommandCenter -priority 100

SNMP – MIB, Traps, and Alarms

1. On the left, expand System, and click SNMP.
   
2. On the right, click Change SNMP MIB.
   
3. Change the fields as desired. Your SNMP tool (e.g. NetScaler Management and Analytics System) will read this information. Click OK.
4. This configuration needs to be repeated on the other node.
   

   set snmp mib -contact NSAdmins@corp.com -name ns02 -location Corp

5. Expand System, expand SNMP, and click Community.
   
6. On the right, click Add.
   
7. Specify a community string and the Permission and click Create.
   

   add snmp community public GET

8. On the left, under SNMP, click Traps.
   
9. On the right, click Add.
   
10. Specify a trap destination and Community Name and click Create.
    

    add snmp trap generic 192.168.123.12 -communityName public
    add snmp trap specific 192.168.123.12 -communityName public

11. On the left, under SNMP, click Managers.
    
12. On the right, click Add. Note: if you do not add a manager then the NetScaler will accept SNMP queries from all SNMP Managers on the network.
    
13. Change the selection to Management Network.
14. Specify the IP of the Management Host and click Create.
    

    add snmp manager 192.168.123.12

15. The Alarms node allows you to enable SNMP Alarms and configure thresholds.
    
16. You can open an alarm to set thresholds. For example, CPU-USAGE can be set to 90% alarm and 50% normal with a Critical severity.
    
    

    set snmp alarm CPU-USAGE -thresholdValue 90 -normalValue 50 -severity Critical

17. You can also configure the MEMORY alarm.
    

    set snmp alarm MEMORY -thresholdValue 90 -normalValue 50 -severity Critical

From http://www.slideshare.net/masonke/net-scaler-tcpperformancetuningintheaolnetwork: In addition to the usual OIDs, we have found these very useful to warn of potential problems.

• ifTotXo?Sent – .1.3.6.1.4.1.5951.4.1.1.54.1.43
• ifnicTxStalls – .1.3.6.1.4.1.5951.4.1.1.54.1.45
• ifErrRxNoBu?s – .1.3.6.1.4.1.5951.4.1.1.54.1.30
• ifErrTxNoNSB – .1.3.6.1.4.1.5951.4.1.1.54.1.31

Call Home

Citrix Blog Post – Protect Your NetScaler From Disaster With Call Home!: If you have a physical NetScaler (MPX or SDX) with an active support contract, you many optionally enable Call Home to automatically notify Citrix Technical Support of hardware and software failures.

1. On the left, expand System and click Diagnostics.
   
2. On the right, in the left column, in the Technical Support Tools section, click Call Home.
   
3. Check the box next to Enable Call Home.
4. Optionally enter an email address to receive notifications from Citrix Technical Support. Click OK.
   
5. If you go back into Call Home, it should indicate if registration succeeded or failed. Successful registration requires an active support contract.
   

Change nsroot Password

1. Expand System, expand User Administration and click Users.
   
2. On the right, right-click nsroot, and click Change Password.
   
3. Specify a new password and click OK.
   

   set system user nsroot Passw0rd

TCP, HTTP, SSL, and Security Settings

Citrix Knowledgebase articles:

• CTX127917 How to Configuring the Rate Limiting Feature of a NetScaler Appliance to Mitigate a DDoS Attack
• CTX131681 How to Use NetScaler Appliance to Avoid Layer 7 DDoS Attacks
• CTX209398 Addressing false positives from CBC and MAC vulnerability scans of SSHD

1. On the left, expand System and click Settings.
   
2. On the right side of the right pane, click Change TCP parameters.
   
3. Check the box for Window scaling (near the top).
   
4. Scroll down and check the box for Selective Acknowledgement. Click OK.
   

   set ns tcpParam -WS ENABLED -SACK ENABLED

5. On the right, click Change HTTP parameters.
   
6. Under Cookie, change the selection to Version1. This causes NetScaler to set Cookie expiration to a relative time instead of an absolute time.
   

   set ns param -cookieversion 1

7. Check the box next to Drop invalid HTTP requests.
8. Scroll down and click OK.
   

   set ns httpParam -dropInvalReqs ON

9. You can run the following command to see statistics on the dropped packets:

   nsconmsg -g http_err_noreuse_ -d stats

10. See CTX209398 Addressing false positives from CBC and MAC vulnerability scans of SSHD to harden SSHD by editing /nsconfig/sshd_config with the following. Then run kill -HUP `cat /var/run/sshd.pid` to restart SSHD.  💡

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    MACs hmac-sha1,hmac-ripemd160

11. Implement Responder policies to prevent Shellshock attack against back-end web servers. See Citrix CTX200277 NetScaler Defends Against Shellshock Attack.

    add audit messageaction ShellShock_Log CRITICAL "\"The request was sent from \" +CLIENT.IP.SRC + \" Bash Code Injection Vulnerability\"" -bypassSafetyCheck YES
    
    add responder policy ShellShock_policy "HTTP.REQ.FULL_HEADER.REGEX_MATCH(re/\(\)\s*{/) || HTTP.Req.BODY(1000).REGEX_MATCH(re/\(\)\s*{/) || HTTP.REQ.URL.QUERY.REGEX_MATCH(re/\(\)(\s*|\++){/) || HTTP.REQ.BODY(1000).REGEX_MATCH(re#%28%29[+]*%7B#)" DROP ?logAction ShellShock_Log
    
    bind responder global ShellShock_policy 10 END -type REQ_DEFAULT

The following security configurations are detailed by Jason Samuel at Mitigating DDoS and brute force attacks against a Citrix Netscaler Access Gateway:

• Maximum logon attempts on NetScaler Gateway Virtual Server
• Rate Limiting for IP.SRC and HTTP.REQ.URL.
• nstcp_default_XA_XD_profile TCP profile on the NetScaler Gateway Virtual Server.
• Syslog logging
• External website monitoring
• Obfuscate the Server header in the HTTP response
• Disable management access on SNIPs
• Change nsroot strong password, use LDAP authentication, audit local accounts
• Don’t enable Enhanced Authentication Feedback
• SSL – disable SSLv3, deny SSL renegotiation, enable ECDHE ciphers, disable RC4 ciphers. Also see Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated) .
• 2-factor authentication
• Command Center and Insight Center
• Review IPS/IDS & Firewall logs

Management Authentication

Load balancing of authentication servers is strongly recommended since during an authentication attempt only one LDAP server is chosen. If you instead bind multiple LDAP servers, it would try all of them, and for incorrect passwords, it will lock out the user sooner than expected.

1. Expand System, expand Authentication, and then click LDAP.
   
2. On the right, switch to the Servers tab. Then click Add.
   
3. Enter LDAPS-Corp-Mgmt or similar as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain so make sure you include the domain name. Also, the LDAP policy used for management authentication will be different than the LDAP policy used for NetScaler Gateway.
4. Change the selection to Server IP. Enter the VIP of the NetScaler load balancing vServer for LDAP.
5. Change the Security Type to SSL.
6. Enter 636 as the Port. Scroll down.
   
7. In the Connection Settings section, enter your Active Directory DNS domain name in LDAP format as the Base DN.
8. Enter the credentials of the LDAP bind account in userPrincipalName format.
9. Check the box next to BindDN Password and enter the password. Scroll down.
   
10. In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
11. On the right, check the box next to Allow Password Change.
12. It is best to restrict access to only members of a specific group. In the Search Filter field, enter memberOf=<GroupDN>. See the example below:
    memberOf=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local
    You can add :1.2.840.113556.1.4.1941: to the query so it searches through nested groups. Without this users will need to be direct members of the filtered group.
    memberOf:1.2.840.113556.1.4.1941:=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local


    Citrix 132802 How to Use the ldapsearch Utility on the NetScaler Gateway Enterprise Edition Appliance to Validate a Search Filter
    An easy way to get the full distinguished name of the group is through Active Directory Administrative Center. Double-click the group object and switch to the Extensions page. On the right, switch to the Attribute Editor tab.
    Scroll down to distinguishedName, double-click it and then copy it to the clipboard.
    
    
    Back on the NetScaler, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
    
13. Scroll down and click Nested Group Extraction to expand it.
14. If desired, change the selection to Enabled.
15. Set the Group Name Identifier to samAccountName.
16. Set Group Search Attribute to –<< New >>– and enter memberOf.
17. Set Group Search Sub-Attribute to –<< New >>– and enter CN.
18. Example of LDAP Nested Group Search Filter Syntax
    
    
19. Scroll down and click Create.
    

    add authentication ldapAction Corp-Mgmt -serverIP 10.2.2.210 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=NetScaler Admins,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED

20. Switch to the Policies tab and click Add.
    
21. Enter the name LDAPS-Corp-Mgmt or similar.
22. Select the previously created LDAPS-Corp-Mgmt server.
23. On the bottom, in the Expressions area, type in ns_true.
24. Click Create.
    

    add authentication ldapPolicy Corp-Mgmt ns_true Corp-Mgmt

25. Click Global Bindings in the right pane.
    
26. Click where it says Click to select.
    
27. Select the newly created LDAP policy, and click Select.
    
28. Click Bind.
    
29. Click Done.
    

    bind system global Corp-Mgmt

30. Under System, expand User Administration and click Groups.
    
31. On the right, click Add.
    
32. In the Group Name field, enter the case sensitive name of the Active Directory group containing the NetScaler administrators.
33. In the Command Policies section, click Insert.
    
34. Select the superuser policy, and click Insert.
    
35. Click Create.
    

    add system group "NetScaler Admins" -timeout 900
    bind system group "NetScaler Admins" -policyName superuser 100

36. Now you should be able to login to NetScaler using an Active Directory account.
    

CLI Prompt

1. When you connect to the NetScaler CLI prompt, by default, the prompt is just a >.
   
2. You can run set cli prompt %u@%h to make it the same as a UNIX prompt. See Citrix Docs for the cli prompt syntax.
   

Backup and Restore

11.0 build 64 has an improved backup and restore mechanism.

1. Go to System > Backup and Restore.
   
   
2. On the right, click the Backup button.
   
3. Give the backup file a name.
4. For Level, select Full and click Backup.
   
5. Once the backup is complete, you can download the file.
   

To restore:

1. If you want to restore the system and if the backup file is not currently on the appliance, you click the Backup button. Yes, this seems backwards.
   
2. Change the selection to Add.
3. Browse Local to the previously downloaded backup file.
   
4. Then click Backup. This uploads the file to the appliance and adds it to the list of backup files.
   
5. Now you can right-click the backup and click Restore.
   

Next Steps

Return to NetScaler Procedures list

Navigation

• Here are three methods of creating certificates for NetScaler:
  • Import .PFX Certificate to NetScaler
  • Create Key and CSR on the appliance
  • Use NetScaler as Certificate Authority
• If the server certificate is signed by an intermediate authority, import the intermediate certificate and bind it.
• Default Management Certificate Key Length
• Replace the management certificate and then force SSL access for management.
• Update certificates before they expire.

💡 = Recently Updated

Convert .PFX Certificate to PEM Format

You can export a certificate from Windows and import it to NetScaler. However, Windows certificates can’t be imported on NetScaler in their native PFX format and must first be converted to PEM as detailed below:

1. On the Windows server that has the certificate, run mmc.exe and add the certificates snap-in.
2. Right-click the certificate and click Export.
   
3. On the Export Private Key page, select Yes, export the private key and click Next.
   
4. On the Export File Format page, ensure Personal Information Exchange is selected and click Next.
   
5. Save it as a .pfx file. Don’t put any spaces in the filename.
   
6. In NetScaler 11, it is no longer necessary to first convert the .PFX file to PEM format since Traffic Management > SSL > Certificates > Install will convert the .PFX file for you. Note: when the PFX is converted to PEM, the key is not encrypted.
   
7. Browse (Local) to the PFX file in both the certificate file and key file fields, enter the PFX password, and then click Install.
   
   
8. If you click the arrow next to the certificate you’ll see that NetScaler created a new file with a .ns extension.
   
9. If you look inside this file by going to Traffic Management > SSL > Manage Certificates / Keys / CSRs, notice that the RSA Private Key is not encrypted, encoded, or password protected.
   
   
10. If you want to encrypt your key file (recommended), use the older method of converting from PFX to PEM. In the NetScaler Configuration GUI, on the left expand Traffic Management and click SSL.
    
11. In the right column of the right pane, click Import PKCS#12 in the Tools section.
    
12. In the Import PKCS12 File dialog box:
    1. In the Output File Name field, enter a name (e.g. Citrix.cer) for a new file where the PEM certificate and key will be placed.
    2. In the PKCS12 File field, click Browse and select the previously exported .pfx file.
    3. In the Import Password field, enter the password you specified when you previously exported the .pfx file.
    4. Change the Encoding Format selection to DES3. This causes the new Output file to be encrypted.
    5. Enter a password for the Output file and click OK.
13. If you browse to the /nsconfig/ssl directory on the NetScaler and view the new .cer file you just created, you’ll see both the certificate and the private key in the same file. You can use the Manage Certificates / Keys / CSRs link to view the files.
    
    
14. Notice that the file contains both the certificate and the RSA Private key.
    
15. On the left side of the NetScaler Configuration GUI, expand Traffic Management > SSL, and click Certificates.
    
16. On the right, click Install.
    
17. In the Install Certificate dialog box:
    1. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
    2. In the Certificate File Name field, browse the appliance and select the .cer file you just created.
    3. In the Private Key File Name field, browse the appliance and select the same .cer file you just created. Both the certificate and the private key are in the same file.
    4. If the private key is encrypted, enter the password.
    5. Click Install. You can now link an intermediate certificate to this SSL certificate and then bind this SSL certificate to SSL  and/or NetScaler Gateway Virtual Servers.
       
18. To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy Citrix Command Center or NetScaler Management and Analytics System. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.

Create Key and Certificate Request

You can create a key pair and Certificate Signing Request directly on the NetScaler appliance. The Certificate Signing Request can then be signed by an internal or public Certificate Authority.

Most Certificate Authorities let you add Subject Alternative Names when submitting the Certificate Signing Request to the Certificate Authority and thus there’s no reason to include Subject Alternative Names in the Certificate Signing Request. You typically create a Certificate Signing Request with a single DNS name. Then when submitting the Certificate Signing Request to the Certificate Authority you type in additional DNS names. For a Microsoft Certificate Authority, you can enter Subject Alternative Names in the Attributes box of the Web Enrollment wizard. For public Certificate Authorities, you purchase a UCC certificate or purchase a certificate option that lets you type in additional names.

If you instead want to create a Certificate Signing Request on NetScaler that has Subject Alternative Names embedded in it as request attributes, see Citrix Blog Post How to Create a CSR for a SAN Certificate Using OpenSSL on a NetScaler Appliance. These instructions are performed on the NetScaler command line using OpenSSL. Or you can instead create a Subject Alternative Name certificate on Windows.

1. On the left, expand Traffic Management, and click SSL.
   
2. On the right, in the left column, click Create RSA Key.
   
3. Give the .key file a descriptive name.
4. Set the Key Size to 2048 bits
5. Set the PEM Encoding Algorithm to DES3 and enter a password. This encrypts the key file.
6. Click OK. You will soon create a certificate using the keys in this file.
   
7. On the right, in the right column, click Create Certificate Signing Request (CSR).
   
8. In the Request File Name field, enter the name of a new file.
9. In the Key Filename field, browse to the previously created .key file.
10. If the key file is encrypted, enter the password.
    
11. In the State field, enter your state name without abbreviating.
12. In the Organization Name field, enter your official Organization Name.
13. Enter the City name.
14. Enter IT or similar as the Organization Unit.
15. In the Common Name field, enter the FQDN of the SSL enabled-website. If this is a wildcard certificate, enter * for the left part of the FQDN.
    
16. Scroll down and click Create.
    
17. At the top of the screen you’ll see a green banner. Click here to view.
    
    
18. You can then copy the contents and send it to your Certificate Authority.
    
19. Or, on the right side of the right pane, click Manage Certificates / Keys / CSRs.
    
20. Find the .csr file you just created and View it.
    
21. Copy the contents of the file and send it to the certificate administrator. Request the signed certificate to be returned in Apache or Base64 format.
    
22. After you get the signed certificate, on the left side of the NetScaler Configuration GUI, expand Traffic Management > SSL, and click Certificates.
    
23. On the right, click Install.
    
24. In the Install Certificate dialog box:
    1. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
    2. In the Certificate File Name field, browse Local and select the .cer file you received from the Certificate Authority.
    3. In the Private Key File Name field, browse the appliance and select the key file you created earlier.
    4. If the key file is encrypted, enter the password.
    5. Click Install.
       
25. The certificate is now added to the list. Notice the Expiry Date. You can now bind this certificate to any SSL Offload, NetScaler Gateway, or Content Switching Virtual Server.
    
26. To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy Citrix Command Center. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.

Intermediate Certificate

If your Server Certificate is signed by an intermediate Certificate Authority, then you must install the intermediate Certificate Authority’s certificate on the NetScaler. This Intermediate Certificate then must be linked to the Server Certificate.

1. Sometimes the public Certificate Authority will give you the Intermediate certificate as one of the files in a bundle. If not, log into Windows and double-click the signed certificate.
2. On the Certification Path tab, double-click the intermediate certificate (e.g. Go Daddy Secure Certificate Authority. It’s the one in the middle).
   
3. On the Details tab, click Copy to File.
   
4. In the Welcome to the Certificate Export Wizard page, click Next.
   
5. In the Export File Format page, select Base-64 encoded and click Next.
   
6. Give it a file name and click Next.
   
7. In the Completing the Certificate Export Wizard page, click Finish.
   
8. In the NetScaler configuration GUI, expand Traffic Management, expand SSL, and click Certificates.
   
9. On the right, click Install.
   
10. Name it Intermediate or similar.
11. Browse locally for the Intermediate certificate file.
12. Click Install. You don’t need a key file.
    
13. Highlight the server certificate, open the Action menu and click Link.
    
14. The previously imported Intermediate certificate should already be selected. Click OK.
    

Create Certificate with NetScaler as Certificate Authority

If you don’t have an internal Certificate Authority, you can use NetScaler as a Certificate Authority. The NetScaler Certificate Authority can then be used to sign Server Certificates. This is a simple method for creating a new management certificate. The main problem with this method is that the NetScaler root certificate must be manually installed on any machine that connects to the NetScaler.

1. On the left, expand Traffic Management, and click SSL.
   
2. On the right, in the left column, click Root-CA Certificate Wizard.
   
3. In the Key Filename field, enter root.key or similar. This is a new file.
4. In the Key Size field, enter at least 2048.
5. Optionally, to encrypt the key file, change the PEM Encoding Algorithm to DES3, and enter a new password.
6. Click Create.
   
7. In the Request File Name field, enter root.csr or similar. This is a new file.
8. If the key file is encrypted, enter the password.
9. Scroll down.
   
10. In the State field, enter the non-abbreviated state name.
11. In the Organization Name field, enter the name of your organization.
12. Fill in other fields as desired.
13. In the Common Name field, enter a descriptive name for this Certificate Authority.
14. Click Create .
    
15. In the Certificate File Name field, enter root.cer or similar. This is a new file.
16. Change the Validity Period to 3650 (10 years) or similar.
17. If the key file is encrypted, enter the password in the PEM Passphrase field.
18. Click Create.
    
19. In the Certificate-Key Pair Name field, enter a friendly name for this Certificate Authority certificate.
20. If the key file is encrypted, enter the password in the Password field.
21. Click Create.
    
22. Click Done.
    
23. In the right pane, in the left column, click Server Certificate Wizard.
    
24. In the Key Filename field, enter mgmt.key or similar. This is a new file.
25. In the Key Size field, enter at least 2048.
26. Optionally, to encrypt the key file, change the PEM Encoding Algorithm to DES3, and enter a new password.
27. Click Create.
    
28. In the Request File Name field, enter mgmt.csr or similar. This is a new file.
29. If the key file is encrypted, enter the password.
30. Scroll down.
    
31. In the State field, enter the non-abbreviated state name.
32. In the Organization Name field, enter the name of your organization.
33. Fill in other fields as desired.
34. In the Common Name field, enter the hostname (FQDN) of the appliance.
35. Click Create.
    
36. In the Certificate File Name field, enter mgmt.cer or similar. This is a new file.
37. Change the Validity Period to 3650 (10 years) or similar.
38. Scroll down.
    
39. In the CA Certificate File Name field, browse to the root.cer file.
40. In the CA Key File Name field, browse to the root.key file.
41. If the key file is encrypted, enter the password.
42. In the CA Serial File Number field, enter the name of a new file that will contain serial numbers.
43. Click Create.
    
44. In the Certificate-Key Pair Name field, enter a friendly name for this management certificate.
45. If the key file is encrypted, enter the password in the Password field.
46. Click Create.
    
47.  Click Done.
    

Default Management Certificate Key Length

In older NetScaler builds, the default management certificate (ns-server-certificate) key size is only 512 bits. To see the key size, right-click ns-server-certificate, and then click Details.

If you try to use Internet Explorer to connect to the NSIP using SSL, Internet Explorer will consider 512 bits to be unsafe and probably won’t let you connect. Notice there’s no option to proceed.

You can configure Internet Explorer to accept the 512-bit certificate by running Certutil ?setreg chain\minRSAPubKeyBitLength 512 on the same machine where Internet Explorer is running.

When you upgrade NetScaler, the management certificate remains at whatever was installed previously. If it was never replaced, then the management certificate is still only 512 bits. To replace the certificate with a new 2048-bit self-signed certificate, simply delete the existing ns-server-certificate certificate files and reboot.

1. Go to Traffic Management > SSL.
   
2. On the right, in the right column, click Manage Certificates / Keys / CSRs.
   
3. Highlight any file named ns-* and delete them. This takes several seconds.
   
4. Then go to System and reboot.
   
5. After a reboot, if you view the Details on the ns-server-certificate, it will be recreated as self-signed with 2048-bit key size.
   

Replace Management Certificate

You can replace the default management certificate with a new trusted management certificate.

Only one certificate will be loaded on both nodes in a High Availability pair so make sure the management certificate matches the names of both nodes. This is easily doable using a Subject Alternative Name certificate. Here are some names the management certificate should match (note: a wildcard certificate won’t match all of these names):

• The FQDN for each node NSIP in a High Availability pair. Example: ns01.corp.local and ns02.corp.local
• The shortnames (left label) for each node NSIP in a High Availability pair. Example: ns01 and ns02
• The NSIP IP address for each node in a High Availability pair. Example: 192.168.123.14 and 192.168.123.29
• If you enabled management access on your SNIPs, add names for the SNIPs:
  • FQDN for the SNIP. Example: ns.corp.local
  • Shortname for the SNIP. Example: ns
  • SNIP IP address. Example: 192.168.123.30

If you are creating a Subject Alternative Name certificate, it’s probably easiest to do the following:

1. Create the certificate using the Certificates snap-in on a Windows box. You can add the Subject Alternative Names in the certificate request wizard. The Subject Alternative Names for the IP addresses must be added as IP address (v4). The other Subject Alternative Names are added as DNS.
   
2. Export the certificate and Private Key to a .pfx file.
   
3. On the NetScaler, use the Import PKCS#12 tool to convert the .pfx to PEM format. Then follow one of the procedures below to replace the management certificate.
   

There are two methods of replacing the management certificate:

• Use the Update Certificate button for ns-server-certificate in the NetScaler GUI. This automatically updates all of the Internal Services bindings too.
  • You cannot rename the certificate in the NetScaler GUI. It remains as ns-server-certificate.
  • If your new management certificate is a wildcard that you need to use for other SSL entities, then you will bind ns-server-certificate to those entities instead of a more descriptive name. You can’t re-upload the wildcard certificate again with a different GUI name.
• Or manually Bind the new certificate to the Internal Services.

Update Certificate Method

The Update Certificate button method is detailed below:

1. You can’t update the certificate while connected to the NetScaler using https so make sure you connect using http.
2. On the left, expand Traffic Management, expand SSL, and click Certificates.
   
3. On the right, highlight ns-server-certificate, and click Update.
   
4. Check the box next to Click to update Certificate/Key.
   
5. Browse to the new management certificate. It could be on the appliance or it could be on your local machine.
6. If the PEM certificate is encrypted, enter the password.
7. Check the box next to No Domain Check. Click OK.
   
8. Click Yes to update the certificate.
   
9. You can now connect to the NetScaler using https protocol. The certificate should be valid and it should have a 2048 bit key.
   
10. Putty (SSH) to the appliance.
11. Run the following command to see the internal services.
    show service –internal | grep –i "ns"
12. For each internal service, run the following command to disable SSL3. Replace ServiceName with the name of each internal service.
    set ssl service ServiceName -ssl3 disabled
13. For each internal service, run the following command to remove RC4 ciphers. Replace ServiceName with the name of each internal service.
    unbind ssl service ServiceName -cipherName RC4
14. Repeat this process on the second appliance.

Manual Binding Method

The manual Binding to Internal Services method is detailed below:

1. You can’t update the certificate while connected to the NetScaler using https so make sure you connect using http.
2. On the left, expand Traffic Management, expand SSL and click Certificates.
   
3. On the right, use the Install button to install the certificate if you haven’t already done so.
4. On the right, highlight the new management certificate, open the Action menu, and click Details.
   
5. Verify that the Public Key Size is 2048. Click OK.
   
6. On the left, expand Traffic Management, expand Load Balancing, and click Services.
   
7. On the right, switch to the Internal Services tab.
   
8. You will see multiple services. Edit one of them.
   
9. Scroll down and click where it says 1 Client Certificate.
   
10. Highlight the existing management certificate, and click Unbind.
    
11. Click Yes to remove the selected entity.
    
12. Click Add Binding.
    
13. Click where it says Click to select.
    
14. Select the new management certificate, and click Select.
    
15. Click Bind, and click Close.
    
16. Scroll to the SSL Parameters section, and click the pencil icon.
    
17. Uncheck the box next to SSLv3. Make sure TLSv11 and TLSv12 are enabled. Click OK.
    
18. On the right, in the Advanced Settings column, click SSL Ciphers.
    
19. On the left, in the SSL Ciphers section, select the Cipher Group that has all RC4 ciphers removed. and click OK.
    
20. If you see a warning about No usable ciphers, click OK and ignore it.
    
21. Repeat for the rest of the internal services.
    

Force Management SSL

By default, administrators can connect to the NSIP using HTTP or SSL. This section details how to disable HTTP.

Internet Explorer will not accept the default 512-bit management certificate included on the appliance so make sure you replace the default management certificate or use a different browser.

1. Connect to the NSIP using https.
2. On the left, expand System, expand Network, and click IPs.
   
3. On the right, highlight your NetScaler IP, and click Edit.
   
4. Near the bottom, check the box next to Secure access only, and then click OK.
   
5. Citrix CTX204217 How to redirect users from HTTP to HTTPS while accessing NSIP/Management IP. Requires a Responder policy, and a nsapimgr command.  💡
6. Repeat this on the secondary appliance.
7. Repeat for any SNIPs that have management access enabled.

SSL Certificate – Update

If your certificate is about to expire, do the following:

1. Create updated certificate files in PEM format. One option is to create a key file and Certificate Signing Request directly on the NetScaler. Another option is to convert a PFX file to a PEM file. Don’t install the certificate yet, but instead, simply have access to the key file and certificate file in PEM format.
2. In NetScaler, navigate to Traffic Management > SSL > Certificates.
   
3. On the right, highlight the certificate you intend to update, and click Update.
   
4. Check the box next to Click to update the Certificate/Key.
   
5. Browse to the updated certificate and key files (if you imported a PFX then the certificate and key files are the same file).
   
6. Click Yes to update the certificate.
   
7. Click OK. This will automatically update every Virtual Server on which this certificate is bound.
8. Certificates can also be updated in Citrix Command Center or NetScaler Management and Analytics System.