NetScaler SDX 12 / Citrix ADC SDX 12.1

Last Modified: Dec 21, 2018 @ 5:49 pm

Navigation

Change Log

  • 2018 Dec 21 – updated screenshots for SDX 12.1
  • 2018 Mar 20 – updated upgrade instructions for 12.0 build 57
  • 2018 Mar 20 – in Provision VPX section, added Crypto Units info

Overview

Citrix CTX226732 Introduction to Citrix NetScaler SDX.

Citrix ADC SDX is normal Citrix ADC hardware, but runs XenServer hypervisor, and several virtual machines that are listed below:

  • Service VM (aka Management Service, aka SVM) – every SDX comes with this Virtual Machine. This VM enables the SDX Administrator to create additional VMs on XenServer. It’s analogous to vCenter, except each SDX has its own SVM.
    • It’s not possible to build this VM yourself. If it something happens to it, your only choice is to do a factory reset on the physical appliance, which deletes all local virtual machines, and recreates the Service VM.
    • Each Service VM only manages the VMs on the local SDX. Each SDX has its own Service VM. To manage multiple SDXs, use Citrix Application Delivery Management (ADM).
    • XenServer on SDX is a special build. Do not attempt to directly upgrade XenServer, patch XenServer, configure XenServer, etc. Instead, all upgrades and configurations should be performed by the Service VM.
  • Citrix ADC VPX Instances – you create one or more Citrix ADC instances on top of XenServer.
    • The number of Citrix ADC instances you can create is limited by your SDX license. Most models let you buy more instances.
    • The physical resources (CPU, Memory, NICs, SSL Chips, FIPS HSM) of the SDX are partitioned to the different instances.
    • The amount of bandwidth (throughput) available to the VPX instances depends on your license. For example, the 14040 SDX license gives you 40 Gbps of throughput, which is partitioned across the instances.
    • The Citrix ADC instances are created from a normal XenServer .xva template.
    • Each VPX has its own NSIP. Once the VPX is provisioned, you connect to the NSIP, and configure it like a normal Citrix ADC .

If the top left of the window says SDX, then you are logged into the Management Service (aka Service VM, aka SVM). If it says VPX, then you are logged into an instance.

High Availability – Citrix ADC SDX does not have any High Availability capability at the XenServer or SVM layer. In other words, every SDX is completely standalone. To achieve HA, you create Citrix ADC VPX instances on two separate SDXs, and pair the VPX instances in the normal fashion. See Citrix ADC High Availability.

Why Citrix ADC VPX on top of SDX instead of normal hypervisors?

  • VPX on SDX gets physical access to SSL chips. These SSL ASICs are not available on normal hypervisors. SSL Chips provide significantly higher SSL throughput than normal hypervisors.
  • VPX on SDX gets SR-IOV access to the Network interfaces. This enables full 40 Gbps throughput to a single VM.
  • The SDX NICs can filter VLANs to different instances, thus ensuring that VPX instances cannot cross security boundaries by adding the wrong VLANs.
  • Some SDXs have Hardware Security Modules (HSM) for FIPS compliance. The VPXs on SDX can utilize this hardware security resource.

SDX Networking

  • Management port – Every SDX has a 0/1 port.
    • The SVM and XenServer management IP are on this NIC.
    • You need a minimum of two IPs on a management network connected to the 0/1 port.
    • SVM and XenServer cannot use any of the data ports for management.
  • LOM port – Every SDX has a Lights Out Management (LOM) port.
    • The LOM port gives you out-of-band console access to XenServer. Once you’re on XenServer, you can use Xen commands to see the SVM console, and/or VPX consoles.
  • Data ports – The remaining interfaces can be aggregated into port channels. Port channels are configured at XenServer, and not from inside the VPXs. Use the Service VM to create channels, and then connect the VPXs to the channels.
  • VPX networking – When VPXs are created, you specify which physical ports to connect the virtual machine to.
    • If you want the VPX NSIP to be on the same subnet as SVM and XenServer, then connect the VPX to 0/1.
    • Connect the VPX to one or more LA/x interfaces (port channels).
    • Once the VPX is created, log into it, and create VLAN objects in the normal fashion. VLAN tagging is handled by the VPX, not XenServer.
    • On SVM, when creating the VPX instance, you can specify a list of allowed VLANs. The VPX administrator is only allowed to add VLANs that are in this list.
  • SVM to NSIP – SVM must be able to communicate with every VPX NSIP. If VPX NSIP is on a different subnet than SVM, then ensure that routing/firewall allows this connection.

LOM IP Configuration

There are two ways to set the IP address of the Lights Out Module (LOM):

  • ipmitool from the Citrix ADC SDX XenServer command line
    • For MPX, you can run ipmitool from the BSD shell.
  • Crossover Ethernet cable from a laptop with an IP address in the 192.168.1.0 network.

Ipmitool Method:

  1. For SDX, SSH to the XenServer IP address (not the Service VM IP).
    • For MPX, SSH to the Citrix ADC NSIP.
  2. Default XenServer credentials are root/nsroot.
    1. Default MPX credentials are nsroot/nsroot.
  3. If MPX, run shell. XenServer is already in the shell.
  4. Run the following:
    ipmitool lan set 1 ipaddr x.x.x.x
    ipmitool lan set 1 netmask 255.255.255.0
    ipmitool lan set 1 defgw ipaddr x.x.x.x

  5. You should now be able to connect to the LOM using a browser.

Laptop method:

  1. Configure a laptop with static IP address 192.168.1.10 and connect it to the Lights Out Module port.
  2. In a Web browser, type the IP address of the LOM port. For initial configuration, type the LOM port’s default address: http://192.168.1.3
  3. In the User Name and Password boxes, type the administrator credentials. The default username and password are nsroot/nsroot.
  4. In the Menu bar, click Configuration, and then click Network.
  5. Under Options, click Network, and type values for the following parameters:
    1. IP Address—The IP address of the LOM port.
    2. Subnet Mask—The mask used to define the subnet of the LOM port.
    3. Default Gateway—The IP address of the router that connects the appliance to the network.
  6. Click Save.
  7. Disconnect the laptop, and instead connect a cable from a switch to the Lights Out Module.

LOM Firmware Upgrade

The LOM firmware at https://www.citrix.com/downloads/netscaler-adc/components/lom-firmware-upgrade differs depending on the hardware platform. The LOM firmware for the 8000 series is different than the 11000 series and the 14000 series. Do not mix them up.

SDX 12.0 build 57 and newer automatically upgrade the LOM firmware when you upgrade the SDX firmware.

Citrix ADC MPX has a new method for updating LOM as detailed at CTX218264 How to Upgrade the LOM Firmware on Any NetScaler MPX Platform

For SDX firmware older than 12.0 build 57, update the LOM firmware separately:

  1. Determine which firmware level you are currently running. You can point your browser to the LOM and login to the see the firmware level. Or you can run ipmitool mc info from the XenServer shell.
  2. If your LOM firmware is older than 3.0.2, follow the instructions at http://support.citrix.com/article/CTX137970 to upgrade the firmware.
  3. If your LOM firmware is version 3.02 or later, follow the instructions at http://support.citrix.com/article/CTX140270 to upgrade the firmware. This procedure is shown below.
  4. Now that the firmware is version 3.0.2 or later, you can upgrade to 3.39. Click the Maintenance menu and then click Firmware Update.
  5. On the right, click Enter Update Mode.
  6. Click OK when prompted to enter update mode.
  7. Click Choose File, and browse to the extracted bin file.
  8. After the file is uploaded, click Upload Firmware.
  9. Click Start Upgrade.
  10. The Upgrade progress will be displayed.
  11. After upgrade is complete, click OK to acknowledge the 1 minute message.
  12. The LOM will reboot.
  13. After the reboot, login and notice that the LOM firmware is now 3.39.

SDX IP Configuration

Default IP for Management Service is 192.168.100.1/16 bound to interface 0/1. Use a laptop with crossover cable to reconfigure the IP. Point your browser to http://192.168.100.1. Default login is nsroot/nsroot.

Default IP for XenServer is 192.168.100.2/16. Default login is root/nsroot.

  • There should be no need to connect to XenServer directly. Instead, all XenServer configuration (e.g. create new VM) is performed through the Management Service (SVM).
  • When you set the SVM’s IP Address, there is also a field to also set the XenServer IP address. XenServer IP and Management Service IP must be on the same subnet.

To change the XenServer IP, make the change through the SVM as detailed below:

  1. Point a browser to http://192.168.100.1, and login as nsroot/nsroot.
  2. When you first login to the SDX Management Service, the Welcome! Wizard appears. Click the first row for Management Network.
  3. Configure the IP addresses.
    1. Appliance Management IP = SVM (Management Service). This is the IP you’ll normally use to manage SDX.
    2. Application supportability IP = XenServer. You’ll almost never connect to this IP.
    3. The bottom has an Additional DNS checkbox that lets you enter more DNS servers.
    4. You can change the nsroot password at this time, or change it later after LDAP is configured.
  4. Click Done.
  5. Click the System Settings box.
  6. Enter a Host Name.
  7. Select the time zone, and click Continue.
  8. Click the Licenses box.
  9. Click Add License File.
  10. Allocate Citrix ADC SDX licenses normally.
    1. The SDX license defines the number of instances you can create.
    2. It also defines the amount of throughput available to the instances.
    3. The SDX license is allocated to ANY, which means you can use the same license on all SDX hardware, assuming all of them are purchased with the same license model.
  11. Click Browse to upload the license file. After uploading, click Finish and it should apply automatically.
  12. Or you can click Apply Licenses.
  13. Then click Continue.

Another way to change the Management Service IP address is through the serial port. This is actually the XenServer Dom0 console. Once logged in to XenServer, run ssh 169.254.0.10 to access the Management Service virtual machine. Then follow instructions at http://support.citrix.com/article/CTX130496 to change the IP.

The console of the Management Service virtual machine can be reached by running the following command in the XenServer Dom0 shell (SSH or console):

xe vm-list params=name-label,dom-id name-label="Management Service VM"

Then run /usr/lib64/xen/bin/xenconsole <dom-id>

SDX Platform Software Bundle

If your Citrix ADC SDX is not version 11 or newer, and if your Citrix ADC SDX is running 10.5 build 57 or later, then do the following:

  1. Go to Management Service > Software Images, and upload the Single Bundle for 12.0 or 12.1. The single bundle is around 1.5 GB.
  2. On the left, click System.
  3. On the right, click Upgrade Management Service. Select the Single Bundle upgrade file you already uploaded.
  4. Management Service will upgrade and reboot. A few minutes after that, XenServer will be upgraded. Be patient as there’s no notification that the box will reboot again.

Starting with SDX 11.0, all updates are bundled together and installed at once.

  1. Make sure your Management Service (SVM) is running SDX 10.5 build 57 or newer.
  2. Download the latest SDX Platform Software bundle from Downloads > Citrix ADC > Release 12.1 (or 12.0) > Service Delivery Appliances.

  3. Login to the SDX Management Service, and go to Configuration > System.
  4. On the right, in the right column, click Upgrade Appliance.
  5. Browse to the build-sdx-12.1.tgz software bundle, and click OK.
  6. It should show you the estimated installation time.
  7. Check boxes next to the instances that need configs saved.
  8. Click Upgrade.
  9. Click Yes to continue with the upgrade.
  10. The Management Service displays installation progress. It will take a while.
  11. Once the upgrade is complete, click Login.

  12. If you click the Configuration tab, the Information page will be displayed showing the version of XenServer, Management Service (Build), etc.

FIPS

If your SDX is a FIPS appliance, see Citrix Blog Post Meet Security Compliance and Be Scalable with NetScaler FIPS SDX for detailed HSM setup instructions:

  1. Zeroize the HSM
  2. Upgrade HSM firmware
  3. Create HSM partitions
  4. Create Citrix ADC instance and attach HSM partition:
    • Only one CPU core
  5. From inside Citrix ADC instance:
    1. Reset FIPS
    2. Initialize FIPS
    3. Create FIPS Key
    4. Create HA Pair and synchronize FIPS

DNS Servers

Older versions of SDX only let you enter one DNS server. To add more, do the following:

  1. In the Management Service, on the left, click System.
  2. On the right, click Network Configuration.
  3. On the bottom, there’s a checkbox for Additional DNS that lets you put in more DNS servers.
  4. Click OK when done.

Management Service NTP

  1. On the Configuration tab, in the navigation pane, expand System, and then click NTP Servers.
  2. To add a new NTP server, in the right pane, click Add.
  3. In the Create NTP Server dialog box, enter the NTP server name (e.g. pool.ntp.org), and click Create.
  4. Click Yes when prompted to restart NTP Synchronization.
  5. In the right pane, click NTP Synchronization.
  6. In the NTP Synchronization dialog box, select Enable NTP Sync. Click OK.
  7. Click Yes when asked to restart the Management Service. This only restarts the SVM. Other instances on the same box won’t be affected.

Licensing

If you haven’t already licensed your SDX, you can upload a license file to the SDX appliance.

  1. Login to http://mycitrix.com and go to Manage Licenses.
  2. In the New Licenses section, find a Citrix ADC SDX license, and allocate it. There is no need to specify a hostname. You can use the same license file on multiple SDX appliances.

  3. On the SDX Configuration tab, in the navigation pane, expand System, and then click Licenses.
  4. In the right pane, click Add License File.
  5. Click Browse and upload the allocated license file.
  6. Click Finish.
  7. If you refresh your browser, the number shown on the top left of the window will indicate your licensed model number.

Management Service Alerting

Syslog

  1. On the Configuration tab, expand System > Auditing, and click Syslog Servers.
  2. In the right pane, click the Add button.

    1. Enter a name for the Syslog server.
    2. Enter the IP address of the Syslog server.
    3. Change the Choose Log Level section to Custom, and select log levels.
  3. Click Create.
  4. On the right is Syslog Parameters.
  5. You can configure the Date Format and Time Zone. Click OK.

Mail Notification

  1. On the Configuration tab, expand System > Notifications, and click Email.
  2. In the right pane, on the Email Servers tab, click Add.
  3. Enter the DNS name of the mail server, and click Create.
  4. In the right pane, switch to the tab named Email Distribution List, and click Add.
  5. In the Create Email Distribution List page:
    1. Enter a name for the mail profile.
    2. Select the Email Server to use.
    3. Enter the destination email address (distribution list).
  6. Click Create.
  7. SDX 12.1 and newer has a Test button for the Distribution List.

System SNMP

  1. Go to System > SNMP.
  2. On the right, click Configure SNMP MIB.
  3. Enter asset information, and click OK. Your SNMP management software will read this information.
  4. Under the SNMP node, configure normal SNMP including: Trap Destinations, Managers, Alarms, etc.

  5. MIBs can be downloaded from the Downloads tab.

Instance SNMP

  1. The instances will send SNMP traps to the Service VM. To get alerted for these traps, in the Configuration page, in the navigation pane, expand Citrix ADC (or NetScaler), expand Events, and click Event Rules.
  2. On the right, click Add.

    1. Give the rule a name.
    2. Move the Major and Critical severities to the right.
    3. Scroll down.
    4. For the other sections, if you don’t configure anything then you will receive alerts for all of the devices, categories, and failure objects. If you configure any of them, then only the configured entities will be alerted.
    5. Scroll down.
    6. Click Save.
  3. Select an Email Distribution List, and click Done.

Management Service nsroot Password and AAA

Change nsroot password

  1. On the Configuration tab, in the navigation pane, expand System, expand User Administration, and then click Users.
  2. On the right, in the Users pane, right-click the nsroot user account, and then click Edit.
  3. In the Configure System User dialog box, check the box next to Change Password.
  4. In Password and Confirm Password, enter the password of your choice.
  5. Scroll down and click OK.

AAA Authentication

To enable LDAP authentication for the Service VM:

  1. Go to Configuration > System > Authentication > LDAP.
  2. In the right pane, click Add.
  3. This is configured identically to Citrix ADC.
    1. Enter a Load Balancing VIP for LDAP servers.
    2. Change the Security Type to SSL, and Port to 636.
    3. Scroll down.
    4. Note: if you want to Validate LDAP Certificate, then there are special instructions for installing the root certificate on the SVM. See Installing CA certificates to the SDX/SVM for LDAPS user authentication at Citrix Discussions for details.
    5. Enter the Base DN in LDAP format.
    6. Enter the bind account in UPN format, or Domain\Username format, or DN format.
    7. Check the box for Enable Change Password.
    8. Click Retrieve Attributes, and scroll down.
    9. For Server Logon Attribute, select sAMAccountName.
    10. For Group Attribute, select memberOf.
    11. For Sub Attribute Name, select CN.
    12. To prevent unauthorized users from logging in, configure a Search Filter as detailed in the LDAP post. Scroll down.
  4. Click Create.
  5. Expand System, expand User Administration, and click Groups.
  6. On the right, click Add.
  7. In the Create System Group page:
    1. Enter the case sensitive name of the Active Directory group.
    2. Check the box next to System Access.
    3. Configure the Session Timeout.
  8. Click Create.
  9. On the left, under System, click User Administration.
  10. On the right, click User Lockout Configuration.

    1. If desired, check the box next to Enable User Lockout, and configure the maximum logon attempts. Click OK.
  11. On the left, under System, click Authentication.
  12. On the right, click Authentication Configuration.

    1. Change the Server Type drop-down to EXTERNAL, and click Insert.
    2. Select the LDAP server you created earlier, and click OK.
    3. Make sure Enable fallback is enabled, and click OK.

SSL Certificate and Encryption

Replace SDX Management Service Certificate

To replace the Management Service certificate:

  1. PEM format: The certificate must be in PEM format. The Management Service does not provide any mechanism for converting a PFX file to PEM. You can convert from PFX to PEM by using the Import PKCS#12 task in a Citrix ADC instance.
  2. On the left, click System.
  3. On the right, in the left column, in the Set Up Appliance section, click Install SSL Certificate.
  4. Select the certificate and key files in PEM format. If the key file is encrypted, enter the password. Then click OK.
  5. The Management Service will restart. Only the SVM restarts; the Citrix ADC instances do not restart.


Force HTTPS to the Management Service

  1. Connect to the SVM using HTTPS. You can’t make this upcoming change if you are connected using HTTP.
  2. On the Configuration tab, click System.
  3. On the right, click Change System Settings.
  4. Check the box next to Secure Access Only, and click OK. This forces you to use HTTPS to connect to the Management Service.

SSL Encrypt Management Service to Citrix ADC Communication

From http://support.citrix.com/article/CTX134973: Communication from the Management Service to the Citrix ADC VPX instances is HTTP by default. If you want to configure HTTPS access for the Citrix ADC VPX instances, then you have to secure the network traffic between the Management Service and Citrix ADC VPX instances. If you do not secure the network traffic from the Management Service configuration, then the Citrix ADC VPX Instance State appears as Out of Service and the Status shows Inventory from instance failed.

  1. Log on to the Management Service .
  2. On the Configuration tab, click System.
  3. On the right, click Change System Settings.
  4. Change the Communication with NetScaler Instance drop-down to https, as shown in the following screen shot:
  5. Run the following command on the Citrix ADC VPX instance, to change the Management Access (-gui) to SECUREONLY:
    set ns ip ipaddress -gui SECUREONLY
  6. Or in the Citrix ADC instance management GUI, go to Network > IPs, edit the NSIP, and then check the box next to Secure access only.

SDX/XenServer LACP Channels

For an overview of Citrix ADC SDX networking, see Citrix CTX226732 Introduction to Citrix NetScaler SDX

To use LACP, configure Channels in the Management Service, which creates them in XenServer. Then when provisioning an instance, connect it to the Channel.

  1. In the Management Service, on the Configuration tab, expand System, and click Channels.
  2. On the right, click Add.
  3. In the Create Channel page:
    1. Select a Channel ID.
    2. For Type, select LACP or STATIC. The other two options are for switch independent load balancing.
    3. In the Interfaces section, move the Channel Member interfaces to the right by clicking the right arrow.
    4. In the Settings section, for LACP you can select Long or Short, depending on switch configuration. Long is the default.
  4. Click Create when done.
  5. Click Yes when asked to proceed.
  6. The channel will then be created on XenServer.

VPX Instances – Provision

Admin profile

Admin profiles specify the nsroot user credentials for the instances. Management Service uses these nsroot credentials later when communicating with the instances to retrieve configuration data.

The default admin profile for an instance specifies a user name of nsroot, and the password is also nsroot. To specify a different nsroot password, create a new admin profile.

  • You can create a single admin profile that is used by all instances. To delegate administration, don’t give out the nsroot password to the instance administrators. One option is to enable LDAP inside the instance before granting access to a different department.
  • When creating an instance, there’s an option to create a non-nsroot account, which has almost the same permissions as nsroot, but leaves out some SDX specific features (e.g interfaces). This is another option for delegating administration to a different team.
  • Or you can create different admin profiles for different instances, which allows you to inform the different departments the nsroot password for their VPX instances.

Important: Do not change the password directly on the Citrix ADC VPX instance. If you do so, the instance becomes unreachable from the Management Service. To change a password, first create a new admin profile, and then modify the Citrix ADC instance, selecting this profile from the Admin Profile list.

  1. On the Configuration tab, in the navigation pane, expand Citrix ADC (or NetScaler), and then click Admin Profiles.
  2. In the Admin Profiles pane, click Add.
  3. In the Create Admin Profile dialog box, set the following parameters:
    • Profile Name*—Name of the admin profile.
    • User Name—User name used to log on to the Citrix ADC instances. The user name of the default profile is nsroot and cannot be changed.
    • Password*—The password used to log on to the Citrix ADC instance. Maximum length: 31 characters.
    • Confirm Password*—The password used to log on to the Citrix ADC instance.
    • Use global settings for NetScaler communication – you can uncheck this box and change the protocol to https.
  4. Click Create. The admin profile you created appears in the Admin Profiles pane.

Upload a Citrix ADC VPX .xva file

You must upload a Citrix ADC VPX .xva file to the SDX appliance before provisioning the Citrix ADC VPX instances. XVA files are only used when creating a new instance. Once the instance is created, use normal firmware upgrade procedures.

  1. Go to the Citrix ADC VPX download page.
  2. Download the Citrix ADC VPX for XenServer.
  3. After downloading, extract the .gz file (use 7-zip). You can’t upload the .gz file to SVM. You must extract it first.
  4. On the Configuration tab, in the navigation pane, expand Citrix ADC (or NetScaler), and then click Software Images.
  5. On the right, switch to the XVA Files tab, and then click Upload.
  6. In the Upload NetScaler Instance XVA dialog box, click Browse, and select the XVA image file that you want to upload. Click Upload.
  7. The XVA image file appears in the XVA Files pane after it is uploaded.

Provision a Citrix ADC instance

  1. On the SDX Management Service, go to the Dashboard page.
  2. On the bottom right, the System Resource Utilization pane shows you the amount of physical resources that are available for allocation.
  3. Click Core Allocation to see the number of cores available for assignment.

    1. In 12.0 build 57 and newer, click Crypto Capacity to see SSL capacity.
  4. On the Configuration tab, in the navigation pane, expand Citrix ADC (or NetScaler), and then click Instances.
  5. In the NetScaler Instances pane, click Add.
  6. In the Provision NetScaler section, enter a name for the instance.
  7. Enter the NSIP, mask, and Gateway.
  8. Nexthop to Management Service – If the instance’s NSIP is on a different subnet than the SVM IP, and if the instance’s default gateway is on a different network than the NSIP, then enter a next hop router address on the instance’s NSIP network, so the instance can respond to the SDX Management Service.
  9. In the XVA File field, you can Browse > Local to select an XVA file on your local machine that hasn’t been uploaded to SDX yet. Or you can Browse > Appliance, and select an XVA file that has already been uploaded to SDX.
  10. Select an Admin Profile created earlier. Or you can click the Add button or plus icon to create a new Admin Profile.
  11. Enter a Description. Scroll down.
  12. In the License Allocation section, change the Feature License to Platinum.
  13. For Throughput, partition your licensed bandwidth. If you are licensed for 40 Gbps, make sure the total of all VPX instances does not exceed that number.
  14. For Allocation Mode, Burstable is also an option. Fixed bandwidth can’t be shared with other instances. Burstable can be shared. See Bandwidth Metering in NetScaler SDX at Citrix Docs.
  15. If SDX 12.0 build 57 or newer, in the Crypto Allocation field, allocate at least one multiple of Asymmetric Crypto Units. Clicking the up arrow should increment in the correct multiple. See Managing Crypto Capacity at Citrix Docs. You can find the minimum by dividing the total Asymmetric Crypto Units by the Crypto Virtual Interfaces. Enter in a multiple of this result.

    1. On newer Citrix ADC hardware (e.g SDX 8900), you can also specif the Symmetric Crypto Units. Again, enter a multiple of the minimum.
    2. Citrix ADC SDX older than build 57 will instead ask for SSL Chips. Some SSL/TLS features require at least one chip.
  16. In the Resource Allocation section, consider changing the Total Memory to 4096.
  17. For CPU, for production instances, select one of the Dedicated options. Dev/Test instances can use Shared CPU. Then scroll down.
  18. In the Instance Administration section, you can optionally add an instance administrator. Enter a new local account that will be created on the VPX. This instance admin is in addition to the nsroot user. Note, networking functionality is not available to this account. Scroll down.

  19. In the Network Settings section, if the VPX NSIP is on the same network as the SDX SVM, then leave 0/1 selected, and deselect 0/2.
  20. Click Add to connect the VPX to more interfaces.
  21. If you have Port Channels, select one of the LA interfaces.
  22. If you configure any VLAN settings here, then XenServer filters the VLANs available to the VPX instance. Changing the VLAN filtering settings later probably requires a reboot. Click Add. Note: VLAN tagging is configured inside the instance, and not here.
  23. In the Management VLAN Settings section, do not configure anything in this section unless you need to tag the NSIP VLAN.
  24. Click Done.
  25. After a couple minutes the instance will be created. Look in the bottom right of Chrome to see the status.
  26. Click Close when it’s done booting.
  27. If you go to the Dashboard page…
  28. If you click an instance name, you can see how the instance is connected to the physical NICs.
  29. Back in Configuration > Citrix ADC > Instances, in your Instances list, click the blue IP address link to launch the VPX management console. Or, simply point your browser to the NSIP and login.
  30. Do the following at a minimum (instructions are in the NetScaler System Configuration article):
    1. Create Policy Based Route for the NSIP – System > Settings > Network > PBRs
    2. Add SNIPs for each VLAN – System > Network > IPs
    3. Add VLANs and bind to SNIPs – System > Network > VLANs
    4. Create Static Routes for internal networks – System > Network > Routes
    5. Change default gateway – System > Network > Routes > 0.0.0.0
    6. Create another instance on a different SDX, and High Availability pair them together – System > High Availability

VPX Instances – Manage

You may login to the VPX instance and configure everything normally. SDX also offers the ability to manage IP addresses, and SSL certificates, from SDX, rather than from inside the VPX instance. The SDX Management Service does not have the ability to create certificates, so it’s probably best to do that from within the VPX instance.

View the console of a Citrix ADC instance

  1. Connect to the SDX Management Service using https.
    1. Viewing the virtual machine console might not work unless you install a valid certificate for the SDX Management Service.
  2. In the Management Service, go to Configuration > Citrix ADC > Instances.
  3. On the right, right-click an instance, and click Console.
  4. The instance console then appears.
  5. Another option is to use the Lights Out Module, and the xl console command, as detailed at Citrix Blog Post SDX Remote Console Access of VIs.

Start, stop, delete, or restart a Citrix ADC instance

  1. On the Configuration tab, in the navigation pane, expand Citrix ADC (or NetScaler), and click Instances.
  2. On the right, in the Instances pane, right-click the Citrix ADC instance on which you want to perform the operation, and then click Start or Shut Down or Delete or Reboot.
  3. In the Confirm message box, click Yes.

Create a Subnet IP Address on a Citrix ADC Instance

  1. On the Configuration tab, in the navigation pane, click Citrix ADC.
  2. On the right, in the Citrix ADC Configuration pane, click Create IP.
  3. In the Create Citrix ADC IP dialog box, specify values for the following parameters.
    • IP Address* – Specify the IP address assigned as the SNIP address.
    • Netmask* – Specify the subnet mask associated with the SNIP address.
    • Type* – Specify the type of IP address. Possible values: SNIP.
    • Save Configuration* – Specify whether the configuration should be saved on the Citrix ADC . Default value is false.
    • Instance IP Address* – Specify the IP address of the Citrix ADC instance on which this SNIP will be created.
  4. Click Create.

Create a VLAN on a Citrix ADC instance

  1. Go to Citrix ADC > Instances.
  2. On the right, right-click an instance, and click VLAN Bindings.
  3. Click Add.
  4. Enter a VLAN ID, and select an interface.
  5. Check the box for Tagged if needed.
  6. Notice there’s no way to bind a SNIP to the VLAN. You do that inside the instance. Click Create.

Save the configuration of a Citrix ADC instance

  1. On the Configuration tab, in the navigation pane, click Citrix ADC.
  2. On the right, in the Citrix ADC pane, click Save Configuration.
  3. In the Save Configuration dialog box, in Instance IP Address, select the IP addresses of the Citrix ADC instances whose configuration you want to save.
  4. Click OK.

Change NSIP of VPX Instance

The best way to change the NSIP is to edit the instance. Go to Configuration > Citrix ADC > Instances, right-click an instance, and click Edit.

Then change the IPv4 Address at the top of the page. Click Done. SVM will push the configuration change to the instance.

If you change NSIP inside of VPX instead of Editing the Instance in the Management Service, see article CTX139206 How to Change NSIP of VPX Instance in SDX to adjust the XenServer settings.

Enable Call Home

  1. On the Configuration tab, in the navigation pane, click the Citrix ADC node.
  2. On the right, click Call Home.
  3. Enter an email address to receive communications regarding Citrix ADC Call Home.
  4. Check the box next to Enable Call Home.
  5. Click Add.
  6. Select the instances to enable Call Home by moving them to the right, and click OK.
  7. You can view the status of Call Home by expanding Citrix ADC, and clicking Call Home.
  8. The right pane indicates if it’s enabled or not. You can also configure Call Home from here.

VPX Instance – Firmware Upgrade

Upload Citrix ADC Firmware Build Files

To upgrade a VPX instance from the Management Service, first upload the firmware build file.

  1. Download the Citrix ADC firmware using the normal method. It’s in the Build section.
  2. On the SDX, in the Configuration tab, on the left, expand Citrix ADC (or NetScaler), and click Software Images.
  3. On the right, in the Software Images tab, click Upload.
  4. Browse to the build…tgz file, and click Open.

Upgrade Multiple NetScaler VPX Instances

You can upgrade multiple instances at the same time:

  1. To prevent any loss of the configuration running on the instance that you want to upgrade, save the configuration on the instance before you upgrade the instance.
  2. On the Configuration tab, in the navigation pane, expand Citrix ADC (or NetScaler), and click Instances.
  3. Right-click an instance, and click Upgrade.
  4. In the Upgrade Citrix ADC Instance dialog box, in Build File, select the Citrix ADC upgrade build file of the version you want to upgrade to. Click OK.
  5. Click Close when done.

Management Service Monitoring

  1. To view syslog, in the navigation pane, expand System, click Auditing, and then click Syslog Message in the right pane.
  2. To view the task log, in the navigation pane, expand Diagnostics, and then click Task Log.
  3. To view Management Service events, on the Configuration tab, in the expand System and click Events.
  4. Citrix ADC > Entities lets you see the various Load Balancing entities configured on the instances. You might have to click Poll Now to get them to show up.
  5. To view instance alerts, go to Citrix ADC > Events > All Events.
  6. There is also event reporting.

Management Service Backups

The SDX appliance automatically keeps three backups of the Management Service configuration that are taken daily at 12:30 am.

Backups in NetScaler SDX contain the following:

  • Single bundle image
  • NetScaler XVA image
  • NetScaler upgrade image
  • Management Service image
  • Management Service configuration
  • NetScaler SDX configuration
  • NetScaler configuration

You can go to Management Service > Backup Files to backup or restore the SDX appliance’s configuration. And you can download the backup files.

You can configure the number of retained backups by clicking System on the left, and then clicking Backup Policy in the right pane.

You can even transfer the backup files to an external system.

65 thoughts on “NetScaler SDX 12 / Citrix ADC SDX 12.1”

  1. Hello Carl,

    I recently updated my Citrix ADC SDX from version 10.5 to 3.1-50.23 and overlooked some of the guidelines provided. Now, I’m unable to access the management interface, and even though the appliance (SDX 14030) is powered on, the LED isn’t illuminated. Can you provide guidance on resetting to factory settings or suggest any other solutions to regain access to the management console?

    Thank you

      1. Hi Carl,

        I’ve gone through the Citrix article, but it doesn’t reference my specific SDX version.
        Currently, I can access the LOM web page (virtual java console) and XenServer.
        Could you please guide me on how to restore the management Service VM?

        [root@netscaler-sdx ~]# uname -a
        Linux netscaler-sdx 2.6.32.43-0.4.1.xs1.6.10.777.170770xen #1 SMP Wed May 27 14:02:07 EDT 2015 i686 i686 i386 GNU/Linux

        [root@netscaler-sdx ~]# cat /etc/sdx-inventory
        SDX_VER=10.5.0-7.3
        SDX_XS=10.5.0.6.1.0-4.0
        SDX_HF=10.5.0-1.0
        LIB_UTILS=1.00-09
        MEGACLI=8.04.07-1
        NITROX=5.3-7NS
        NITROX_SCRIPTS=5.3-7NS
        E1000E=3.1.0.2-1NS
        ETHREGS=1.20.1-0NS
        ETHTOOL=3.2-1033.3NS
        I40E=1.3.49-12NS
        IGB=3.2.10-12NS
        IXGBE=3.2.9-9NS
        SDXLED=1.0.0-0ns
        XS_NETSCALER=6.1.0-100017H
        XSNS_MEGACLI=1.0.1-72410c
        XSNS_MONITOR=0.5.12-72410c

        [root@netscaler-sdx ~]# xe vm-list
        uuid ( RO) : 287376d4-c19d-4bf9-a320
        name-label ( RW): Control domain on host: netscaler-sdx
        power-state ( RO): running

        uuid ( RO) : bbdcbbe3-a6ef-af8c-a5a
        name-label ( RW): Management Service VM
        power-state ( RO): running

        1. I’m guessing your SDX is still 10.5 and never finished upgrading.

          Try the sfdisk method:

          sfdisk –change-id /dev/sda 1 c
          sfdisk /dev/sda -A 1
          reboot

          1. Hi Carl,

            I appreciate the suggestion to use the sfdisk method; it did the trick. I’ve successfully accessed the management service and upgraded the ADC SDX from 10.5 to 12.1: Build 64.16.
            However, I hit a snag when trying to upgrade the appliance to the 13.1 SDX bundle. I encountered an error stating, “Software image details couldn’t be retrieved, reason = Upgrade to 13.1-50.23 is limited due to the current unsupported XenServer version 6.1.0.” I observed that the XenServer is still on version 6.1. Could you guide me on updating the XenServer Hypervisor too?

            Many thanks

            Hypervisor Information
            Uptime 3 hours 13 minutes
            Edition Citrix XenServer
            Version 6.1

            System Information
            Platform 14030
            Product ADC SDX
            Build 12.1: Build 64.16

  2. Hi Carl,
    For the HA Heartbeat & Sync can we use 2x10G Dedicated Interfaces and connect the SDXs back to back (not going via any switch). Make All the VPXs use that dedicated interfaces configured as LA Channel to pass Heartbeat, Sync, Session information ? SDX SVM,XS & VPX management access are still going via the MGMT Ports only (0/1&0/2). Is there a documentation detailing such an option ? How does the VPX provisioning from SVM differ in this case ? How is the Failover behavior Modified in this case.

  3. Hi Carl,

    I have a requirement where my SVM is in a different OOB subnet and I need to host my VPX in a different subnet where the gateway is on a Firewall, and I am just not able to do this. Without this set-up, I won’t be able to move forward I have already deployed an instance where it is in OOB subnet and I extended the L2 vlan’s, but due to asymmetric routing it wouldn’t work.

    My SVM IP : 10.111.145.5 ( OOB Subnet )
    Gateway : 10.111.145.1

    My desired VPX NSIP should be : 10.111.20.6
    Gateway : 10.111.20.1

    PS : I tried to configure by using Nexthop to Management Service as 10.111.145.1, but it wouldn’t work. Can you please tell me how do I achieve this. Btw, I am running 11.1 version.

  4. Hi Carl,

    Great article. We have SDX and VPX’s in different subnet, I have the routing and firewall sorted inspite of this I can’t create my VPX in different subnet than my SDX.

    SDX management subnet : 10.100.145.0/24.

    I want my VPX to be in 10.110.30.0/24 as I want my default route to point to the gateway 10.110.30.1.

    I configured in this way while building new VPX instances :

    VPX NSIP : 10.100.30.10
    Gatway : 10.100.30.1

    Next Hop to Management Service : 10.100.145.1

    This configuration didn’t work as the VPX wasn’t reachable although it showed up. Am I missing something here ?

    1. If you upgrade everything to 13, then it uses a loopback NIC to communicate.

      Otherwise, you can build your new instance with whatever IP you want and then open the instance’s console to fix the networking. Note, SDX must be able to initiate the connection to the VPX so make sure firewall is open.

  5. Hi Carl, your post did help a lot in the migration that we had of a pair of Cisco ACE 4710 to a pair Citrix ADC SDX 15000-50G. Great input and all went well for the loadbalancer. Now, is it possible for the ADC to function as a Firewall and replace the Pair of Cisco ASA Services Modules that are in the same chassis with the ACE? This way we can now have the ADC doing all in single device. thanks

    1. ADC is not designed as a generic Layer 4 firewall. It has ACLs. If Layer 3 routing is disabled, then ADC only accepts traffic on its VIPs/ports. It has some DDoS protections.

      ADC does have a fully-featured Layer 7 HTTP Web App Firewall.

      You can run Palo Alto as a VM on the SDX appliance.

      1. Hi there Carl, thank you for the response and I must say the Palo Alto tip you mentioned seems very interesting, I did not even know that was possible / supported and I see both Citrix and PA support it. So that means we cannot migrate the Firewall Services Modules to the SDX, we have to coexist or we take the route you suggest to deploy the PA VM-Series Firewalls on the SDX then we can retire the Chassis completely.

  6. Hi Carl,
    I have one question regarding SDX single bundle Image upgrades. If we run SBI image, will it also upgrade VPX instances or only SDX components? or is there any option if we can upgrade the VPX instances also with single bundle image?

  7. hi Carl
    i face error on SDX for backup

    Category
    BackupFailure
    Entity
    127.0.0.1:BackupFailure: 192.168.20.1
    Message
    Uploading /mps/ns_system_backup.pl on NS 192.168.20.1failed

    i saw it just SDX system EVENT
    192.168.20.1 instans on SDX

    thak you

  8. Hello Carl, I´m new with SDX … two questions… first if I want to change the SVM and Xenserver ip address for MGMT due to I going to change the vlan, I believe that it won´t affect my instances right? and I didn´t get a request for reboot using the GUI right? just I going to lose the access until the my core change the vlan to the new one right?

    1. I don’t think a reboot is needed but I haven’t done that recently.

      Make sure the VPXs can communicate with the SVM IP address and vice versa.

      1. Thank you so much Sir, mmmm….. what do you mean with keep in eye with VPX? you mean after the change of SDX ip address of mgmt and Xenserver, double check that I can keep access through the SDX to the VPX … right?

        1. Review your routing configuration to make sure VPXs can route to the SVM IP address. In SDX, go to Configuration > NetScaler > Instances. If they are yellow, then VPXs cannot route to SVM IP.

          1. In case is yellow or red… I should tell to the network team to verify and double check before I change the ip address correct ?

          2. Red means the VM is stopped.

            Yellow means VPX NSIP can’t connect to SVM IP address.

  9. Hi Carls,

    I’m quite new with Citrix, I wnat to deploy a SDX box , is there any step by step guide. how i can create new ADC instance on SDX after initial configuration.

      1. Is there a cli to show cpu core allocation on sdx 12.1.51.19 ?
        I am hoping the gui is messed up after you allocate 14 cpu’s to a 16 cpu system with 7 vpx’s

        1. I’m not sure about CLI, but I’m sure there’s a Nitro API (REST API) call. Click Downloads to find the Nitro API documentation.

  10. Question, if you put the NSIP in the same subnet as the SVMs, do you need to create a SNIP attached to the ADCs? for example if my SDXs are on 192.168.54.0 and i create an instance within the same IP range, do I need to go into the ADC or the was shown above, and create a SNIP and attach it to that ADC, or will the ADC work fine without having a SNIP associated with its NSIP?

  11. Hi Carl, looking to move from older SDX to newer SDX, what would be the best recommended path for least disruption or outage? There are about 4 virtual instances one of which is a NS gateway.

    1. No outage means you need new IP addresses. On cutover night, change DNS records and/or NAT.

      If you want to keep the old IPs, then you’ll need to disable/delete the IPs on the old and enable on the new, which is a brief outage.

      The easy way is to build the new VPX pairs. Export configs, SSL certificates, Portal Themes, etc. from old VPXs. On cutover night, power off old VPXs and import config to the new VPX pairs.

      A more time consuming method is migrating one VIP at a time.

      1. 1.Do the new VPXs need to be the same version of the old VPXs?
        2.When you say export & import do you mean coping the below files or directories?
        a. Config = ‘ns.conf’
        b. SSL Certificates = ‘/nsconfig/ssl’ directory
        c. Portal Themes = ‘/var/netscaler/logon’ directory
        3.Do i need to worry about the interfaces lines (set interface) in ns.conf?
        4.When I power off old VPXs and import config to new VPX pairs, I am assuming new IPs would be erased and the original old IPs would take over to complete the migration?

        Thank you

        1. I usually remove interface commands from the configs before importing.

          Importing (batch command) adds but does not replace or delete.

          You can engage a Citrix Partner to help you with this migration process.

  12. Hi Carl,

    I’m interested in the two IPs used on the SDX

    Appliance Management IP = SVM (Management Service)
    Application supportability IP = XenServer

    it seems to me it would make sense to place the XenServer address on the same network as the other hypervisor hosts (XenServer, ESXi). I’m not so sure about the SVM though, what is best practice for network separation? It doesn’t really relate to either the hypervisor, the LOM (for out of band) or the NSIPs for the VPX instances.

    Where would you normally place this alongside in terms of other services?

    Thanks

  13. A question about upgrades. A previous upgrade to a VPX was done straight through the VPX console instead of through the SDX console. Now, the VPX is showing in a grey state, supposedly since the SDX now has a version mismatch from the VPX and no longer communicates with it, but the VPX is operating normally. Is there anyway to recover from this via another upgrade done properly, or some other method? I’m concerned that I might have to break the HA pair, delete the VPX and recreate in order to get the green dot again.

      1. Slight correction: The VPX instance states Out of Service from the SDX console.

        And yes, the VPX is now at 12.1 build 48 (which is killing my ability to import certs). The SDX is at 12.0 build 56. Time to update the SDXs then?

  14. Carl,
    Are you familiar with a means of updating the Network configuration of an instance, if the instance is no longer on the network?

    The issue is that in the SVM GUI, the process fails because the SDX cannot communicate with the VPX to modify the network config. So, as a result, the whole process just fails instead of just updating the SVM database and allowing you to manually adjust the network settings through the instance console.

    Tried using the xe commands against the VM on XenServer, but the network connectivity is not handled at the VM level, unfortunately.

    Any thoughts?

    1. One option is to delete the VM and recreate it.

      You might be able to make changes from the Console of the VM. In SDX, right-click the VM and click Console. However, not sure if you can sync the changes with SDX.

      1. Right. There-in lies the problem. The VPX is configured properly with proper VLANs bound and tagged… But the SVM is playing stupid… 🙁

        1. You should be able to safely change VLANs from the instance console. But if you change the NSIP from the instance console, then the SDX needs to be informed of the new NSIP.

          1. Not so much changing the VLANs or the NSIP, but rather the actual Data Interface.

            Can’t be changed unless the VPX can be managed.

            In our case, we use the Data Interface for management, as well.

  15. Hi Carl,

    Looking to do a “forklift” move from older MPX units to VPX instances on SDX. I understand that I can just copy over the nsconfig and ssl certs over from old MPX to new VPX instances, but is there a recommended way to achieve this without IP conflicts in prep before actual switchover?

    I am thinking I can just build the VPX, migrate all the config, but somehow unbind it from the production VLAN interface ports during this portion and then bind it back when I am ready for cutover. Would that be possible?

    Thanks

    1. Depending on your network config, you might be able to disable interfaces or switch ports, import the config, then disable the old interfaces, and enable the new interfaces.

      Or you can import the config with new IP addresses and change the DNS records at your leisure.

    2. Or import the config with temporary IPs and replace them with production IPs (remove from old appliance first) during a cutover. This lets you move one IP at a time.

    1. Usually, yes. It will tell you if a reboot is needed or not. Shouldn’t be a problem if your VPXs are an HA pair.

      1. Hi Carl, have a question, when i reboot an SDX appliance forcing it, the internal VPX don’s start automaticaly, in fact, the vpx stays in a kind of orphaned VM until I enter to edit mode, and click OK, only then, the vpx boots… can you hellp me?

        greetings!!!

  16. I have a question Carl what if you have multiple SDX’s and you want to cluster across them ? The UI does not appear to let me do that

  17. Hello Carl, is it possible to change the password of the nsroot/root user of the XenServer (of a SDX)? What would be the proper way to do so (passwd on the command line?)?

    1. Login to the SVM. Go to System > User Administration > Users. Change the nsroot password. Changing it in the SVM layer also changes it in XenServer.

      1. Thanks. I tried this earlier this day on a SDX running a 10.5 version with the result that the nsroot/root passwords were not changed. Is this a change in a recent version? What happens if I set the nsroot/root password manually on the XenServer via passwd?

        1. Are they not the same now?

          From Citrix Docs: “Do not change the password directly on the XenServer.”

          If the passwords are different, then you might have to call Support.

          1. Thanks again for your reply.
            I first set the nsroot password via SVM but was still able to login to the XenServer (SSH) with the standard nsroot password so I thought it would be a good idea to set the nsroot password via passwd. I have no idea, why the change did not “went through” to the XenServer. I took the same passwords (on the SVM and on the shell via passwd) so hopefully I didn’t break anything.
            BUT: there is also the user root on the XenServer (standard password: nsroot)… how do you set this password via the SVM? Because if you don’t change it you can open a SSH session as root with the default password to the XenServer shell…

          2. Here a final update on this issue:
            1. Before SDX update (version 11.0 66.11 (?) running): changing password in SVM does not change the password of root or nsroot on XenServer! (that’s why I set it via passwd, but I chose the same password for the SVM user and for nsroot/root on XenServer)
            2. After SDX update to version 11.1 55.13: update via sdx-bundle with no problem (even with set passwords for root and nsroot via passwd before), changing password in SVM now also changes password of root and nsroot on XenServer

  18. Carl,
    Do they have a way to export netscaler instances so they can be loaded on other SDXs. Moving from one set of older SDX appliances to a new set and I am looking for a way to get the instance onto the new appliance. I didn’t know if they offered a feature or if it could be done as an export inside the included XenServer.
    Thanks.

    1. You can do it the traditional way, which means export ns.conf and /nsconfig/ssl from the instance and import to a new instance elsewhere.

      1. OK, I figured that but that will leave me with a longer migration time since I have to worry about duplicate IP addresses. I was hoping I could import the VM and leave it powered down then when I have a change window power the old one down and the new one up.

Leave a Reply

Your email address will not be published. Required fields are marked *