Navigation
This page contains the following topics:
- Java Security
- NetScaler VPX on vSphere Hang Issue
- Licensing
- Upgrade Firmware
- High Availability
- Multiple Interfaces/VLANs (aka two-arm)
- DNS Servers
- NTP Servers
- Syslog Server
- SNMP Configuration
- Call Home
- Change nsroot password
- TCP, HTTP, SSL, and Security settings
- LDAP Authentication for Management
- CLI Prompt
Java Security
Citrix docs.citrix.com has information on configuring browsers for Java.
When performing operations on NetScaler that require Java, you might see the message “Java Applet could not be loaded”. To fix it, do the following:
- Java uses TCP 3008 and TCP 3010 to communicate with the NetScaler NSIP (and/or SNIP). Make sure these ports are open on any firewall between the administrator workstations and the NetScaler management IPs.
- Go to Control Panel and open the Java applet.
- Switch to the Security tab.
- Click Edit Site List.
- Click Add.
- Type in a URL to a NetScaler management IP. You must prepend http and/or https. The management IP is NSIP and/or SNIP.
- If you enter an http URL then you will see a warning message. Click Continue.
- Continue adding NetScaler management URLs to the list. Add both http and https so you can use either. Click OK when done.
- Then click OK to close the Java Control Panel applet.
- The Java site exception list is stored in %userprofile%\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites and can be transferred to other users.
VPX – vSphere 5.1 and 5.5 issue
If you are licensed for VPX-1000 or higher, see Citrix Knowledgebase Article CTX139485 (Resource Requirements for Optional Multi-PE Configuration for NetScaler VPX) for correct vCPU and Memory configuration.
From VMware knowledgebase article 2092809: After applying patches to an ESXi 5.1/5.5 host, Citrix NetScaler virtual machine with e1000 vNIC loses network connectivity: After patching your ESXi host to version 5.5 Update 2 (build 2143827) or 5.1 Patch 6 (build 2191751), you experience these symptoms:
- Some Citrix NetScaler virtual machine appliances running the guest Operating System with the e1000 vNIC driver lose network connectivity
- Cannot access the console after applying the patches
See VMware’s article for their workaround.
From Citrix Knowledgebase article CTX200278 – NetScaler VPX Loses Network Connectivity on VMware ESXi 5.1.0 2191751 and VMware ESXi 5.5 2143827:
- Log in to the Citrix NetScaler virtual machine appliance as nsroot
- Type the following command:
shell
- Type the following command:
cd /flash/boot
- Type the following command:
touch /flash/boot/loader.conf.local
- Edit (vi) the file loader.conf.local and add the following line to the end of it:
hw.em.txd=512
- Save the changes
- Restart the NetScaler virtual machine appliance
Licensing – VPX Mac Address
To license a NetScaler VPX appliance, you will need its MAC address.
- One method is to look in the GUI.
- In the right pane, look down for the Host Id. This is the MAC address you need for license allocation.
- Another option is to SSH to the appliance and run the following command:
shell
- Then run the following command. The MAC address is returned.
lmutil lmhostid
Licensing – Citrix.com
- Login to citrix.com.
- Click Activate and Allocate Licenses.
- Check the box next to a Citrix NetScaler license and click Continue.
- If this is a NetScaler MPX license then there is no need to enter a host ID for this license, so click Continue. If this is a NetScaler VPX license, enter the lmutil lmhostid MAC address into the Host ID field and click Next.
For a VPX appliance, you can also get the Host ID by looking at the System Information page.
- Click Confirm.
- Click OK when asked to download the license file.
- Click Download.
- Click Save and put it somewhere where you can get to it later.
- If you purchased NetScaler Gateway Universal Licenses, allocate them. These licenses can come from XenMobile Enterprise, XenApp/XenDesktop Platinum Edition, NetScaler Platinum Edition, or a la carte.
- Enter your appliance hostname as the Host ID for all licenses.
- Click Confirm.
- Click OK when prompted to download your license file.
- Click Download.
- Click Save.
- If you have two appliances in a High Availability pair with different hostnames then you will need to return the NetScaler Gateway Universal licenses and reallocate them to the other hostname.
Install Licenses on Appliance
- In the NetScaler Configuration GUI, on the left, expand System and click Licenses.
- On the right, click Manage Licenses.
- Click Add New License.
License files are stored in /nsconfig/license.
- If you have a license file, select Upload license files from a local computer, and then click Browse.
- Click Reboot when prompted. Login after the reboot.
- After rebooting, the Licenses node should look something like this. Notice that Maximum ICA Users Allowed is set to Unlimited.
- Note: the NetScaler SNMP counter allnic_tot_rx_mbits must remain less than the licensed bandwidth or packets will drop.
Upgrade Firmware
Citrix CTX127455 – How to Upgrade Software of the NetScaler Appliances in a High Availability Setup:
- Download firmware. Ask your Citrix Partner or Citrix Support TRM for recommended versions and builds. At the very least, watch the Security Bulletins to determine which versions and builds resolve security issues. You can also subscribe to the Security Bulletins at http://support.citrix.com by clicking the Alerts link on the top right.
Note: Citrix sometimes refreshes firmware builds (e.g. 10.1 build 130.13 replaces 10.1 build 130.10). If this happens, make sure you install the refreshed version since the original version can no longer be downloaded. If you have an HA pair running 130.10, and if one of the appliances needs to be replaced, you can’t download 130.10 and thus can’t install it on the new secondary, and thus the config won’t replicate when you join the HA pair since the node firmware versions will be different. If you don’t have access to the 130.10 firmware, your only option is to upgrade the primary to 130.13 before joining the new secondary running 130.13.
- Make sure you Save the config before beginning the upgrade.
- If you configured NetScaler Gateway to use a Custom theme, change the theme back to Default (or Green Bubble). You will have to re-create the customtheme.tar.gz file after you upgrade.
- Transferring the firmware upgrade file to the appliance will be slow unless you license the appliance first. An unlicensed appliance will reduce the maximum speed to 1 Mbps.
- Start with the Secondary appliance.
- Before upgrading the appliance, consider using WinSCP or similar to back up the /flash/nsconfig directory.
- In the NetScaler GUI, with the top left node (System) selected, click System Upgrade.
- Browse to the build…tgz file. If you haven’t downloaded firmware yet, then you can click the Download Firmware link.
- Click More and then check the box next to Automatically move files to create space. Click Yes to acknowledge the prompt.
- Click Upgrade.
- The firmware will upload.
- You should eventually see a System Upgrade window with text in it. It will reboot automatically.
- Or if older than 10.5 build 56, click Upgrade Wizard
- In the Introduction page, click Next.
- In the Upload Software page, browse to the build…tgz file and click Next.
- In the Manage Licenses page, click Next.
- In the Clean Up / Reboot page, check both boxes and then click Next.
- If you select the option to automatically move files, you will be asked to delete unused kernels. Click Yes.
- In the Summary page, click Finish. The upgrade will begin. Do not disturb your browser session until you see that it is rebooting. It will run several commands after uploading the files.
- If you are asked to enable Call Home, select Yes, and click Go.
- When you see the message Rebooting… it is then safe to close the window.
- Once the Secondary is done, login and failover the pair.
- Then upgrade the firmware on the former Primary.
To install firmware by using the command-line interface
- To upload the software to the NetScaler Gateway, use a secure FTP client (e.g. WinSCP) to connect to the appliance.
- Create a version directory under /var/nsinstall (e.g. /var/nsinstall/10.5.63).
- Copy the software from your computer to the /var/nsinstall/<version> (e.g. /var/nsinstall/11.5.63) directory on the appliance.
- Use a Secure Shell (SSH) client (e.g. PuTTY) to open an SSH connection to the appliance.
- At a command prompt, type the following command:
shell
- At a command prompt, type the following command to change to the nsinstall directory:
cd /var/nsinstall
- To view the contents of the directory, type the following command:
ls
- To unpack the software, type the following command, where build_X_XX.tgz is the name of the build to which you want to upgrade:
tar -xvzf build_X_XX.tgz
- To start the installation, at a command prompt, type the following command:
./installns
- When the installation is complete, restart NetScaler.
- When the NetScaler restarts, at a command prompt type what or show version to verify successful installation.
High Availability
Configure High Availability as soon as possible so almost all configurations are synchronized across the two appliances. The exceptions are mainly network interface configurations.
High Availability will also sync files between the two appliances. See CTX138748 File Synchronization in NetScaler High Availability Setup for more information.
- Prepare the secondary appliance:
- Configure a NSIP.
- Don’t configure a SNIP. You can click Do It Later to skip the wizard.
- Configure Hostname and Time Zone. Don’t configure DNS since you’ll get those addresses when you pair it.
- License the secondary appliance.
- Upgrade firmware on the secondary appliance. The firmware of both nodes must be identical.
- On the secondary appliance, go to System > High Availability, double-click the local node, and change High Availability Status to STAY SECONDARY. If you don’t do this, then you run the risk of losing your config when you pair the appliances. See Terence Luk Creating a Citrix NetScaler High Availability pair without wiping out an existing configuration for more information.
set ha node -hastatus STAYSECONDARY
- On the primary appliance, on the left, expand System, expand Network and click Interfaces.
- On the right, look for any interface that is currently DOWN. You need to disable those disconnected interfaces before enabling High Availability. Right-click the disconnected interface, and click Disable. Repeat for the remaining disconnected interfaces.
show interface
disable interface 1/1
- On the left, expand System, and click High Availability.
- On the right, click Add.
- Enter the other NetScaler’s IP address.
- Enter the other NetScaler’s login credentials, and click Create.
add ha node 1 192.168.123.14
Note: this command must be run separately on each appliance.
- If you click the refresh icon near the top right, Synchronization State will probably say IN PROGRESS.
- Eventually it will say SUCCESS.
- To enable Fail-safe mode, on the right, edit Node ID 0 (the local appliance).
- Under Fail-safe Mode, check the box next to Maintain one primary node even when both nodes are unhealthy. Scroll down and click OK.
set ha node -failSafe ON
- If you login to the Secondary appliance, you might see a message warning you against making changes. Always apply changes to the Primary appliance.
- On the secondary appliance, go to System > High Availability, edit the local node, and change it from STAY SECONDARY to ENABLED.
- From the CLI, run “sh ha node” to see the status. You should see heartbeats on all interfaces. If not, configure VLANs as detailed in the next section.
- You can Force Failover of the primary appliance by opening the Actions menu, and clicking Force Failover.
force ha failover
If your firewall (e.g. Cisco ASA) doesn’t like the Gratuitous ARP, see CTX112701 – The Firewall Does not Update the Address Resolution Protocol Table
Multiple Interfaces – VLANs
Citrix CTX214033 Networking and VLAN Best Practices for NetScaler discusses many of the same topics detailed in this section.
You should never connect multiple interfaces to a single VLAN unless you are bonding the interfaces using LACP, Channel, or the new Redundant Interface Set feature in 10.5.e. See Webinar: Troubleshooting Common Network Related Issues with NetScaler
NetScaler VPX defaults to two connected interfaces, so if you only have one subnet, disconnect one of those interfaces.
Common interface configuration: Here is a common NetScaler networking configuration for a NetScaler that is connected to both internal and DMZ.
Note: If the appliance is connected to both DMZ and internal then be aware that this configuration essentially bypasses (straddles) the DMZ-to-internal firewall. That’s because if a user connects to a public/DMZ VIP, then NetScaler could use an internal SNIP to connect to the internal server. A more secure approach is to have different appliances for internal and DMZ. Or use NetScaler SDX, partitioning, or traffic domains.
- 0/1 connected to a dedicated management network. NSIP is on this network.
- 0/1 is not optimized for high throughput so don’t put data traffic on this interface. If you don’t have a dedicated management network, then put your NSIP on one of the other interfaces (1/1, 10/1, etc.) and don’t connect any cables to 0/1.
- To prevent NetScaler from using this interface for outbound data traffic, don’t put a SNIP on this network, and configure the default gateway to use a different data network. However, if there’s no SNIP, and if default gateway is on a different network, then there will be asymmetric routing for management traffic since inbound is 0/1 but outbound is LA/1. To work around this problem, enable Mac Based Forwarding. Or create a Policy Based Route.
- It’s easiest if the switch port for this interface is an Access Port (untagged). If VLAN tagging is required, then NSVLAN must be configured on the NetScaler.
- 10/1 and 10/2 in a LACP port channel (LA/1) connected to internal VLAN(s). Static routes to internal networks through a router on one of these internal VLANs.
- If only one internal VLAN, configure the switch ports/channel as an Access Port.
- If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
- If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.
- 1/1 and 1/2 in a LACP port channel (LA/2) connected to DMZ VLAN(s). Default gateway points to a router on a DMZ VLAN so replies can be sent to Internet clients.
- If only one internal VLAN, configure the switch ports/channel as an Access Port.
- If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
- If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.
SNIPs: You will need one SNIP for each connected subnet. VLAN objects (tagged or untagged) bind the SNIPs to particular interfaces. NetScaler uses the SNIP’s subnet mask to assign IP addresses to particular interfaces.
NSIP: The NSIP subnet is special so you won’t be able to bind it to a VLAN. Use the following SNIP/VLAN method for any subnet that does not have the NSIP. The remaining interfaces will be in VLAN 1, which is the VLAN that the NSIP is in. VLAN 1 is only locally significant so it doesn’t matter if the switch is configured with it or not. Just make sure the switch has a native VLAN configured, or configure the interface as access port. If you require trunking of every VLAN, including the NSIP VLAN, then additional configuration is required (NSVLAN or Tagall).
To configure multiple connected subnets:
- On the left, expand System, and click Settings.
- On the right, in the left column, click Configure modes.
- Check the box next to MAC Based Forwarding and click OK. This configures the NetScaler to respond on the same interface the request came in on and thus bypasses the routing table. This setting can work around misconfigured routing tables. More info on MAC Based Forwarding can be found at Citrix CTX1329532 FAQ: Citrix NetScaler MAC Based Forwarding (MBF).
enable mode mbf
- Add a subnet IP for every network the NetScaler is connected to, except the dedicated management network. Expand System, expand Network, and click IPs.
- On the right, click Add.
- Enter the Subnet IP Address for this network. This is the source address the NetScaler will use when communicating with any other service on this network. The Subnet IP can also be referred to as the Interface IP for the network. You will need a separate SNIP for each connected network (VLAN).
- Enter the netmask for this network. When you create a VLAN object later, all IPs on this subnet will be bound to an interface.
- Ensure the IP Type is set to Subnet IP. Scroll down.
add ns ip 172.16.1.11 255.255.255.0 -type SNIP
- Under Application Access Controls decide if you want to enable GUI management on this SNIP. This is particularly useful for High Availability pairs, because when you point your browser to the SNIP only the primary appliance will respond. However, enabling management access on the SNIP can be a security risk, especially if this is a SNIP for the DMZ network.
- Click Create when done. Continue adding SNIPs for each connected network (VLAN).
set ns ip 172.16.1.11 -mgmtAccess ENABLED -telnet DISABLED -ftp DISABLED
- On the left, expand System, expand Network and click VLANs.
- On the right, click Add.
- Enter a descriptive VLAN ID. The actual VLAN ID only matters if you intend to tag the traffic. If not tagged then any ID will work.
- Check the box next to one physical interface or channel (e.g. LA/1) that is connected to the network.
- If this is a trunk port, select Tagged if the switch port/channel is expecting the VLAN to be tagged.
- If your switches do not allow untagged packets then you will need to use the tagall interface option to tag NetScaler High Availability heartbeat packets. See CTX122921 – Citrix NetScaler Interface Tagging and Flow of High Availability Packets
- If you don’t tag the VLAN, then the NetScaler interface/channel is removed from VLAN 1 and instead put in this VLAN ID.
- Switch to the IP Bindings tab.
- Check the box next to the Subnet IP for this network. This lets NetScaler know which interface is used for which IP subnet. Click Create when done.
add vlan 50
bind vlan 50 -ifnum 1/1 -IPAddress 172.16.1.11 255.255.255.0
- The default route should use the router in the DMZ, not the internal router. Most likely the default route is set to an internal router. On the left, expand System, expand Network, and click Routes.
- On the right, click Add.
- Internal networks are only accessible through an internal router. Add a static route to the internal networks, and set the Gateway to an internal router. Then click Create.
add route 192.168.0.0 255.255.0.0 192.168.123.1
- Before deleting the existing default route, either enable Mac Based Forwarding, or create a Policy Based Route, so that the replies from NSIP can reach your machine. To create a PBR, go to System > Network > PBRs.
- The source IP is the NSIP, and next hop is a router on the same network as the NSIP. Destination is not needed.
- Then open the Action menu, and click Apply.
add ns pbr NSIP ALLOW -srcIP = 10.2.2.59 -nextHop 10.2.2.1
apply ns pbrs
- Go back to System > Network > Routes. On the right, delete the 0.0.0.0 route. Don’t do this unless the NetScaler has a route to the IP address of the machine you are running the NetScaler Configuration Utility on.
rm route 0.0.0.0 0.0.0.0 192.168.123.1
- Then click Add.
- Set the Network to 0.0.0.0, and the Netmask to 0.0.0.0.
- Make sure NULL Route is set to No.
- Enter the IP address of the DMZ (or data) router, and click Create.
add route 0.0.0.0 0.0.0.0 172.16.1.1
DNS Servers
- To configure DNS servers, expand Traffic Management, expand DNS, and click Name Servers.
- On the right, click Add.
- Enter the IP address of a DNS server and click Create.
- Note: The NetScaler must be able to ping each of the DNS servers or they will not be marked as UP. The ping originates from the SNIP.
add dns nameServer 192.168.123.11
NTP Servers
- On the left, expand System, and click NTP Servers.
- On the right, click Add.
- Enter the IP Address of your NTP Server (or pool.ntp.org) and click Create.
add ntp server pool.ntp.org
- Open the Action menu and click NTP Synchronization.
- Select ENABLED and click OK.
enable ntp sync
- You can click the System node to view the System Time.
- If you need to manually set the time, SSH (Putty) to the NetScaler appliances. Run date to set the time. Run date --help to see the syntax.
- ntpdate -u pool.ntp.org will cause an immediate NTP time update.
Citrix Knowledgebase article CTX200286 – NTP Configuration on NetScaler to Avoid Traffic Amplification Attack:
- Replace the following line in the /etc/ntp.conf file, if it exists:
restrict default ignore
- Add the following lines to the /etc/ntp.conf file:
# By default, exchange time with everybody, but don't allow configuration:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely:
restrict 127.0.0.1
restrict ::1
- Restart NTP using the following commands:
> shell
root@ns# ps -aux | grep "ntp"
root@ns# kill <PID obtained from step above>
root@ns# /usr/sbin/ntpd -g -c /flash/nsconfig/ntp.conf
Citrix Knowledgebase Article CTX200355 – Citrix Security Advisory for NTP Vulnerabilities: By default, NTP is disabled on the NetScaler and, as such, is not vulnerable to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. However, in deployments where customers have enabled NTP on the appliance, it is likely that these vulnerabilities will impact NetScaler.
We recommend that customers apply the following remediation:
Open the NetScaler’s ntp.conf file in /etc and add the following lines:
restrict -4 default notrap nopeer nomodify noquery
restrict -6 default notrap nopeer nomodify noquery
In addition to adding the above two lines, all other ‘restrict‘ directives should be reviewed to ensure that they contain both ‘nomodify‘ and ‘noquery‘ and that the file contains no ‘crypto‘ directives.
When this editing is complete, save the file and copy it to the /nsconfig directory. The NTP service must then be restarted for the changes to take effect. As with all changes, Citrix recommends that this is evaluated in a test environment prior to releasing to production.
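The review that CTX200355 asks for (every restrict directive carrying nomodify and noquery, no crypto directive, and the replacement of restrict default ignore from CTX200286) can be scripted. The following is an added example, not code from Citrix or from this post; it assumes that the flag-less loopback lines restrict 127.0.0.1 and restrict ::1 that CTX200286 adds are trusted and therefore exempt, and that a default restriction without -4/-6 applies to both address families.

```python
"""Audit and harden an ntp.conf against the rules the two Citrix articles state.

Added example, not Citrix code. Rules applied: 'restrict default ignore' must be
replaced (CTX200286); every other 'restrict' line must carry 'nomodify' and 'noquery',
no 'crypto' directive may exist, and a flagged default restriction must exist for
IPv4 and IPv6 (CTX200355). Assumption (mine): the loopback lines 'restrict 127.0.0.1'
and 'restrict ::1' that CTX200286 adds without flags are trusted and exempt.
"""

REQUIRED_FLAGS = ("nomodify", "noquery")
LOOPBACK = {"127.0.0.1", "::1"}
FAMILIES = {"-4", "-6"}
# the default lines CTX200286 prescribes; appended when a family has no default restriction
DEFAULT_LINES = {
    "-4": "restrict -4 default kod notrap nomodify nopeer noquery",
    "-6": "restrict -6 default kod notrap nomodify nopeer noquery",
}

# constructed sample; not a file copied from an appliance
SAMPLE_WEAK_CONF = """\
# constructed sample ntp.conf showing the weaknesses the articles describe
server 0.pool.ntp.org
restrict default ignore
restrict 192.168.123.11 nomodify
restrict 127.0.0.1
crypto pw secret
"""


def _directives(conf_text):
    """Yield (line_no, keyword, args) for every non-blank, non-comment line."""
    for num, raw in enumerate(conf_text.splitlines(), 1):
        code = raw.split("#", 1)[0].strip()
        if code:
            parts = code.split()
            yield num, parts[0].lower(), parts[1:]


def _families(flags):
    """Address families a 'restrict ... default' line covers (both if unspecified)."""
    return (flags & FAMILIES) or set(FAMILIES)


def audit_ntp_conf(conf_text):
    """Return a list of (line_no, message) findings; an empty list means compliant."""
    findings = []
    default_seen = set()
    for num, keyword, args in _directives(conf_text):
        if keyword == "crypto":
            findings.append((num, "crypto directive must be removed"))
            continue
        if keyword != "restrict":
            continue
        flags = {a.lower() for a in args}
        if "default" in flags:
            default_seen |= _families(flags)
            if "ignore" in flags:
                findings.append((num, "restrict default ignore: replace with flagged default restrictions"))
                continue
        if LOOPBACK & flags:
            continue                      # trusted loopback line (assumption)
        missing = [f for f in REQUIRED_FLAGS if f not in flags]
        if missing:
            findings.append((num, "restrict lacks " + " ".join(missing)))
    for fam in sorted(FAMILIES):
        if fam not in default_seen:
            findings.append((0, "no default restriction for " + fam))
    return findings


def harden_ntp_conf(conf_text):
    """Rewrite conf_text so that audit_ntp_conf() reports nothing.

    Comments survive except on a restrict line that gets flags appended."""
    out = []
    default_seen = set()
    for raw in conf_text.splitlines():
        code = raw.split("#", 1)[0].strip()
        parts = code.split()
        keyword = parts[0].lower() if parts else ""
        if keyword == "crypto":
            continue                      # drop crypto directives
        if keyword == "restrict":
            flags = {a.lower() for a in parts[1:]}
            if "default" in flags:
                if "ignore" in flags:
                    continue              # dropped; DEFAULT_LINES are appended instead
                default_seen |= _families(flags)
            if not (LOOPBACK & flags):
                extra = [f for f in REQUIRED_FLAGS if f not in flags]
                if extra:
                    raw = code + " " + " ".join(extra)
        out.append(raw)
    for fam in sorted(FAMILIES):
        if fam not in default_seen:
            out.append(DEFAULT_LINES[fam])
    return "\n".join(out) + "\n"
```

Run audit_ntp_conf() on /nsconfig/ntp.conf before and after editing; the hardened text still has to be copied to /nsconfig and NTP restarted as described above.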
SYSLOG Server
Citrix CTX120609 NetScaler Log Rotation and Configuration Using Newsyslog
The NetScaler will by default store a few syslogs on the local appliance. You can create a syslog policy to also send the syslog entries to an external server, like Citrix Command Center.
- On the left, expand System, expand Auditing, and click Syslog.
- On the right, switch to the Servers tab and click Add.
- Enter a name for the Syslog server.
- Specify the IP Address of the SYSLOG server, 514 as the port, and the Log Levels you’d like to send to it.
- Check the box for TCP Logging if you want the client IP. Note: TCP Logging requires significant disk space on the Syslog server.
- Select your desired Time Zone and then click Create.
add audit syslogAction CommandCenter 192.168.123.12 -logLevel ALL -timeZone LOCAL_TIME
- On the right, switch to the Policies tab, and then click Add.
- Give the policy a descriptive name, select the Syslog server, and then click Create.
add audit syslogPolicy CommandCenter ns_true CommandCenter
- While still on the Policies tab, open the Actions menu and click Global Bindings.
- Click Bind.
- Check the box next to the Syslog policy you want to bind and click Insert.
- Then click OK.
bind system global CommandCenter -priority 100
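Once the syslog policy above is bound, the exported entries are what an external server can alert on. The following is an added example, not code from the original post or from NetScaler: it scans syslog lines for repeated failed logons from one client IP. The sample lines are constructed in the shape of NetScaler AAA LOGIN_FAILED messages (an MM/DD/YYYY:HH:MM:SS GMT timestamp followed by User and Client_ip fields); adjust FAILED_RE if your build's message layout differs.

```python
"""Flag client IPs with repeated failed logons in NetScaler syslog output.

Added example, not NetScaler code. Assumption (mine): the sample lines below follow
the layout of NetScaler AAA LOGIN_FAILED messages; FAILED_RE encodes that assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# constructed sample; not captured from a real appliance
SAMPLE_LOG = '''\
01/23/2017:10:12:01 GMT ns02 0-PPE-0 : default AAA LOGIN_FAILED 101 0 : User jdoe - Client_ip 203.0.113.5 - Nat_ip "Mapped Ip" - Vserver 10.2.2.60:443 - Failure_reason "External authentication server denied access"
01/23/2017:10:12:04 GMT ns02 0-PPE-0 : default AAA LOGIN_FAILED 102 0 : User jdoe - Client_ip 203.0.113.5 - Nat_ip "Mapped Ip" - Vserver 10.2.2.60:443 - Failure_reason "External authentication server denied access"
01/23/2017:10:12:05 GMT ns02 0-PPE-0 : default AAA Message 103 0 : "constructed non-logon message"
01/23/2017:10:12:09 GMT ns02 0-PPE-0 : default AAA LOGIN_FAILED 104 0 : User asmith - Client_ip 203.0.113.5 - Nat_ip "Mapped Ip" - Vserver 10.2.2.60:443 - Failure_reason "External authentication server denied access"
01/23/2017:10:12:11 GMT ns02 0-PPE-0 : default AAA LOGIN_FAILED 105 0 : User bob - Client_ip 198.51.100.7 - Nat_ip "Mapped Ip" - Vserver 10.2.2.60:443 - Failure_reason "External authentication server denied access"
01/23/2017:10:20:00 GMT ns02 0-PPE-0 : default AAA LOGIN_FAILED 106 0 : User jdoe - Client_ip 203.0.113.5 - Nat_ip "Mapped Ip" - Vserver 10.2.2.60:443 - Failure_reason "External authentication server denied access"
'''

FAILED_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*?AAA LOGIN_FAILED .*?"
    r"User (?P<user>\S+) - Client_ip (?P<ip>\S+)"
)


def parse_failed_logins(log_text):
    """Yield (timestamp, user, client_ip) for each LOGIN_FAILED line, in file order."""
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            stamp = datetime.strptime(match.group("ts"), "%m/%d/%Y:%H:%M:%S")
            yield stamp, match.group("user"), match.group("ip")


def find_brute_force(log_text, threshold=3, window_seconds=60):
    """Return {client_ip: (window_start, failures)} for every IP whose failed logons
    reach `threshold` inside a sliding window of `window_seconds`; one entry per IP."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # ip -> timestamps still inside the window
    offenders = {}
    for stamp, _user, ip in parse_failed_logins(log_text):
        queue = recent[ip]
        queue.append(stamp)
        while stamp - queue[0] > window:  # drop failures that fell out of the window
            queue.popleft()
        if len(queue) >= threshold and ip not in offenders:
            offenders[ip] = (queue[0], len(queue))
    return offenders
```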
SNMP – MIB, Traps, and Alarms
- On the left, expand System, and click SNMP.
- On the right, click Change SNMP MIB.
- Change the fields as desired. Your SNMP tool (e.g. NetScaler Management and Analytics System) will read this information. Click OK.
- This configuration needs to be repeated on the other node.
set snmp mib -contact NSAdmins@corp.com -name ns02 -location Corp
- Expand System, expand SNMP, and click Community.
- On the right, click Add.
- Specify a community string and the Permission and click Create.
add snmp community public GET
- On the left, under SNMP, click Traps.
- On the right, click Add.
- Specify a trap destination and Community Name and click Create.
add snmp trap generic 192.168.123.12 -communityName public
add snmp trap specific 192.168.123.12 -communityName public
- On the left, under SNMP, click Managers.
- On the right, click Add. Note: if you do not add a manager then the NetScaler will accept SNMP queries from all SNMP Managers on the network.
- Change the selection to Management Network.
- Specify the IP of the Management Host and click Create.
add snmp manager 192.168.123.12
- The Alarms node allows you to enable SNMP Alarms and configure thresholds.
- You can open an alarm to set thresholds. For example, CPU-USAGE can be set to 90% alarm and 50% normal with a Critical severity.
set snmp alarm CPU-USAGE -thresholdValue 90 -normalValue 50 -severity Critical
- You can also configure the MEMORY alarm.
set snmp alarm MEMORY -thresholdValue 90 -normalValue 50 -severity Critical
From http://www.slideshare.net/masonke/net-scaler-tcpperformancetuningintheaolnetwork: In addition to the usual OIDs, we have found these very useful to warn of potential problems.
- ifTotXoffSent – .1.3.6.1.4.1.5951.4.1.1.54.1.43
- ifnicTxStalls – .1.3.6.1.4.1.5951.4.1.1.54.1.45
- ifErrRxNoBufs – .1.3.6.1.4.1.5951.4.1.1.54.1.30
- ifErrTxNoNSB – .1.3.6.1.4.1.5951.4.1.1.54.1.31
Call Home
Citrix Blog Post – Protect Your NetScaler From Disaster With Call Home!: If you have a physical NetScaler (MPX or SDX) with an active support contract, you may optionally enable Call Home to automatically notify Citrix Technical Support of hardware and software failures.
- On the left, expand System and click Diagnostics.
- On the right, in the left column, in the Technical Support Tools section, click Call Home.
- Check the box next to Enable Call Home.
- Optionally enter an email address to receive notifications from Citrix Technical Support. Click OK.
- If you go back into Call Home, it should indicate if registration succeeded or failed. Successful registration requires an active support contract.
Change nsroot Password
- Expand System, expand User Administration and click Users.
- On the right, select nsroot, and click Change Password.
- Specify a new password and click OK.
set system user nsroot Passw0rd
TCP, HTTP, SSL, and Security Settings
Citrix Knowledgebase articles:
- How to Configure the Rate Limiting Feature of a NetScaler Appliance to Mitigate a DDoS Attack
- How to Use NetScaler Appliance to Avoid Layer 7 DDoS Attacks
- On the left, expand System and click Settings.
- On the right side of the right pane, click Change TCP parameters.
- Check the box for Window scaling (near the top).
- Scroll down and check the box for Selective Acknowledgement. Click OK.
set ns tcpParam -WS ENABLED -SACK ENABLED
- On the right, click Change HTTP parameters.
- Under Cookie, change the selection to Version1. This causes NetScaler to set Cookie expiration to a relative time instead of an absolute time.
set ns param -cookieversion 1
- Check the box next to Drop invalid HTTP requests and click OK.
set ns httpParam -dropInvalReqs ON
- You can run the following command to see statistics on the dropped packets:
nsconmsg -g http_err_noreuse_ -d stats
- On the left, under Traffic Management, click SSL.
- On the right, in the right column, click Change advanced SSL settings.
- Change the Deny SSL Renegotiation selection to NONSECURE. Click OK.
set ssl parameter -denySSLReneg NONSECURE
- See CTX209398 Addressing false positives from CBC and MAC vulnerability scans of SSHD to harden SSHD by adding the following lines to /nsconfig/sshd_config:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160
Then run the following command to restart SSHD:
kill -HUP `cat /var/run/sshd.pid`
- Implement Responder policies to prevent Shellshock attack against back-end web servers. See Citrix CTX200277 NetScaler Defends Against Shellshock Attack.
add audit messageaction ShellShock_Log CRITICAL "\"The request was sent from \" +CLIENT.IP.SRC + \" Bash Code Injection Vulnerability\"" -bypassSafetyCheck YES
add responder policy ShellShock_policy "HTTP.REQ.FULL_HEADER.REGEX_MATCH(re/\(\)\s*{/) || HTTP.Req.BODY(1000).REGEX_MATCH(re/\(\)\s*{/) || HTTP.REQ.URL.QUERY.REGEX_MATCH(re/\(\)(\s*|\++){/) || HTTP.REQ.BODY(1000).REGEX_MATCH(re#%28%29[+]*%7B#)" DROP -logAction ShellShock_Log
bind responder global ShellShock_policy 10 END -type REQ_DEFAULT
The following security configurations are detailed by Jason Samuel at Mitigating DDoS and brute force attacks against a Citrix Netscaler Access Gateway:
- Maximum logon attempts on NetScaler Gateway Virtual Server
- Rate Limiting for IP.SRC and HTTP.REQ.URL.
- nstcp_default_XA_XD_profile TCP profile on the NetScaler Gateway Virtual Server.
- Syslog logging
- External website monitoring
- Obfuscate the Server header in the HTTP response
- Disable management access on SNIPs
- Set a strong nsroot password, use LDAP authentication, audit local accounts
- Don’t enable Enhanced Authentication Feedback
- SSL – disable SSLv3, deny SSL renegotiation, enable ECDHE ciphers, disable RC4 ciphers. Also see Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated) .
- 2-factor authentication
- Command Center and Insight Center
- Review IPS/IDS & Firewall logs
Management Authentication
Load balancing of authentication servers is strongly recommended, since during an authentication attempt only one LDAP server is chosen. If you instead bind multiple LDAP servers directly, NetScaler tries all of them, and for incorrect passwords this locks out the user sooner than expected.
- Expand System, expand Authentication, and then click LDAP.
- On the right, switch to the Servers tab. Then click Add.
- Enter LDAPS-Corp-Mgmt or similar as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain so make sure you include the domain name. Also, the LDAP policy used for management authentication will be different than the LDAP policy used for NetScaler Gateway.
- Change the selection to Server IP. Enter the VIP of the NetScaler load balancing vServer for LDAP.
- Change the Security Type to SSL.
- Enter 636 as the Port. Scroll down.
- In the Connection Settings section, enter your Active Directory DNS domain name in LDAP format as the Base DN.
- Enter the credentials of the LDAP bind account in userPrincipalName format.
- Check the box next to BindDN Password and enter the password. Scroll down.
- In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
- On the right, check the box next to Allow Password Change.
- It is best to restrict access to only members of a specific group. In the Search Filter field, enter memberOf=<GroupDN>. See the example below:
memberOf=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local
You can add :1.2.840.113556.1.4.1941: to the query so it searches through nested groups. Without this, users will need to be direct members of the filtered group.
memberOf:1.2.840.113556.1.4.1941:=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local
See Citrix 132802 How to Use the ldapsearch Utility on the NetScaler Gateway Enterprise Edition Appliance to Validate a Search Filter.
An easy way to get the full distinguished name of the group is through Active Directory Administrative Center. Double-click the group object and switch to the Extensions page. On the right, switch to the Attribute Editor tab. Scroll down to distinguishedName, double-click it and then copy it to the clipboard.
Back on the NetScaler, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
- Scroll down and click Nested Group Extraction to expand it.
- If desired, change the selection to Enabled.
- Set the Group Name Identifier to samAccountName.
- Set the Group Search Attribute to memberOf.
- Set the Group Search Sub-Attribute to CN.
- Example of LDAP Nested Group Search Filter Syntax
- Scroll down and click Create.
add authentication ldapAction Corp-Mgmt -serverIP 10.2.2.210 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=NetScaler Admins,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
- Switch to the Policies tab and click Add.
- Enter the name LDAPS-Corp-Mgmt or similar.
- Select the previously created LDAPS-Corp-Mgmt server.
- On the bottom, in the Expressions area, type in ns_true.
- Click Create.
add authentication ldapPolicy Corp-Mgmt ns_true Corp-Mgmt
- Click Global Bindings in the right pane.
- Click where it says Click to select.
- Select the newly created LDAP policy, and click OK.
- Enter 100 for the priority, and click Bind.
- Click Done.
bind system global Corp-Mgmt
- Under System, expand User Administration and click Groups.
- On the right, click Add.
- In the Group Name field, enter the case sensitive name of the Active Directory group containing the NetScaler administrators.
- In the Command Policies section, click Insert.
- Select the superuser policy, and click Insert.
- Click Create.
add system group "NetScaler Admins" -timeout 900
bind system group "NetScaler Admins" -policyName superuser 100
- If you log out, you should be able to log in to NetScaler using an Active Directory account.
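A small added example (not code from the original post, Citrix, or NetScaler itself): it expands the management Search Filter above into the combined LDAP query as the Citrix docs describe it, contrasts plain memberOf with the nested-group matching rule on a constructed directory snapshot, and escapes the user-supplied logon name per RFC 4515. The group and user DNs are assumptions for illustration.

```python
# Added example (not code from the original post, Citrix, or NetScaler itself).
# It shows what the management LDAP search filter expands to for a given login,
# why the matching-rule OID is needed for nested groups, and why a user-supplied
# logon name must be escaped before it is placed in an LDAP filter. The
# combination (&(<filter>)(<attr>=<user>)) follows the Citrix docs quoted in
# the comments; the directory data below is constructed for this example.

from typing import Dict, List

# LDAP_MATCHING_RULE_IN_CHAIN, the OID the post inserts for nested-group search.
NESTED_GROUP_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a logon name such as '*)(objectClass=*' would change the
    meaning of the combined query instead of being matched literally.
    """
    special = {"\\", "*", "(", ")", "\x00"}
    return "".join("\\%02x" % ord(ch) if ch in special else ch for ch in value)


def build_search_filter(group_dn: str, nested: bool = False) -> str:
    """Value for the NetScaler Search Filter field (-searchFilter on the CLI).

    group_dn is the administrator-supplied distinguished name of the admin
    group; spaces inside it need no escaping, as the post notes.
    """
    attribute = f"memberOf:{NESTED_GROUP_OID}:" if nested else "memberOf"
    return f"{attribute}={group_dn}"


def effective_ldap_query(search_filter: str, login_attr: str, username: str) -> str:
    """Combine the admin-defined filter with the user's logon name.

    Citrix documents the result as (&(<filter>)(<loginattr>=<user>)), which is
    the string to reproduce in ldp.exe or ldapsearch when troubleshooting.
    """
    return f"(&({search_filter})({login_attr}={escape_filter_value(username)}))"


def is_member(directory: Dict[str, List[str]], user_dn: str, group_dn: str,
              nested: bool) -> bool:
    """Evaluate the memberOf filter against a directory snapshot.

    directory maps an object DN to the DNs listed in its memberOf attribute.
    nested=False mirrors plain memberOf=...; nested=True mirrors
    memberOf:1.2.840.113556.1.4.1941:=..., which walks the group chain.
    DN comparison is case-insensitive, as in Active Directory.
    """
    target = group_dn.lower()
    if not nested:
        return any(dn.lower() == target for dn in directory.get(user_dn, []))
    seen, stack = set(), [user_dn]
    while stack:
        current = stack.pop()
        for parent in directory.get(current, []):
            if parent.lower() == target:
                return True
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return False


# Constructed sample directory: bob is only a member through a nested group.
ADMIN_GROUP = "CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local"
PLATFORM_GROUP = "CN=Platform Team,OU=Citrix,DC=corp,DC=local"
ALICE = "CN=alice,OU=Users,DC=corp,DC=local"
BOB = "CN=bob,OU=Users,DC=corp,DC=local"
SAMPLE_DIRECTORY = {
    ALICE: [ADMIN_GROUP],
    BOB: [PLATFORM_GROUP],
    PLATFORM_GROUP: [ADMIN_GROUP],
}

if __name__ == "__main__":
    for nested in (False, True):
        flt = build_search_filter(ADMIN_GROUP, nested)
        print(effective_ldap_query(flt, "sAMAccountName", "bob"))
        print("  bob allowed:", is_member(SAMPLE_DIRECTORY, BOB, ADMIN_GROUP, nested))
```

Running it prints the two queries and shows bob is rejected by the plain filter but accepted once the nested-group OID is added, which is the difference the post's "direct members" note describes.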
CLI Prompt
- When you connect to the NetScaler CLI prompt, by default, the prompt is just a > character.
- You can run set cli prompt %u@%h to make it the same as a UNIX prompt. See Citrix Docs for the cli prompt syntax.
If we have configured an LA channel on NetScaler, which MAC address is used? The LA channel MAC address or the physical interfaces’ MAC address? Is the channel’s MAC address different from the physical MAC of the interface?
I think the channel’s MAC address is from one of the member interfaces.
Hi Carl!
Is it possible to include Monitor Last Response in the syslog message?
Carl, I am trying to add a new syslog server but get the error “Auditlog service exists with this server information” We had created one with the incorrect name so deleted that and saved the configuration.. So presuming the netscaler saves this info somewhere, any idea how to get around it? ( I haven’t rebooted, and don’t really want to..) but if needs must..
Go to System > Diagnostics > Running Configuration. Search for the conflicting server.
I also have this message “Auditlog service exists with this server information” but I cannot find the conflicting server. Any idea of the string I should be looking for?
Hi Carl,
I had a working condition with the LDAP authentication in NetScaler Gateway; suddenly we started facing an issue with the LDAP and on aaad.debug we got an error code 4009. After troubleshooting we found the DN account privilege had been changed from DOMAIN ADMIN to Read ONLY and after reverting the privilege it started working fine. Does the DN account require domain admin rights?
Default permissions in AD allow any users to browse the entire directory. It’s possible that somebody changed the default permissions.
Hello Carl,
I have a question regarding section “Multiple Interfaces – VLANs”, point 22: would it also be sufficient, to add a static route to the internal router via route add (instead for example using MAC based forwarding)?
Kind regards
Holgi
Depends on your network. You usually want default route to point to DMZ, and static routes for internal.
I was just wondering why you recommend using PBR or MAC based forwarding instead of just using a static route.
To handle the NSIP being on a non-routable subnet. NetScaler doesn’t have a true dedicated management network, so I use MBF and PBR to simulate one. If NSIP is on your data subnet, then you probably don’t need special networking configurations.
Ok, thank you.
Actually I have problems with my static route to the “management gateway” so I thought there is a general reason for MBF or PBF. I will have to check my configuration in depth…
Hi Carl,
I need clarification.
Is it requirement to have a SNIP in the VIP network?
Should I configure a SNIP in every network the NetScaler is connected to? (include where I put the VIPS?)
Thanks!
I usually do, yes. Alternatively, you can pre-create a VIP with the correct subnet mask and bind that VIP/mask to the VLAN. If you let a vServer config create the VIP, it creates it with a 32-bit mask.
Hi Carl,
I wanted to upgrade a VPX from 10.5 to 11.1, uploaded the file and it got stuck on Installing Load Balancing Pack, it never came back up.
Why could this be? Is there another set up steps to follow?
Any help is appreciated!
Sincerely,
Sometimes the display does not update. If you refresh your browser, did it upgrade anyways? I usually have to resort to the CLI method.
No, it did not upgrade.
It’s 10.5 build 56.22, would that be it? I read that for versions 57 and below, one must do it via CLI, correct?
Hi Carl,
Can snmp be disabled? or can default snmp community name public be renamed?
thanks
Joshua
I don’t think you’ll have one defined unless you have SDX or MAS or Command Center.
Carl, do you have any information on configuring the messages that show up in the dashboard to go to an remote syslog server? Neither the syslog, or nslog seems to capture this information.
I have two Netscaler Gateways running in HA mode. I recently set up the SSL VPN portion. The SSL VPN is running in Intranet mode with an IP pool. The IP pool is in a different VLAN than the SNIP and NSIP etc. When I connect to the VPN it won’t connect because it doesn’t know how to get back to the VLAN that the IP pool is in. I should be able to get this working without moving the gateways to the same VLAN as the IP pool. If I create a static route on the core switch to point the traffic back to the gateways, what IP on the gateway am I pointing the traffic back to? Do I want to use the SNIP address or the NSIP address in my static route?
VLAN that the gateway appliances are currently in 10.155.10.1/23
VLAN that the IP pool is using 10.155.53.1/24
NSIP 10.155.11.212
SNIP 10.155.11.245
Create a static route on the core router with destination = IP Pool and next hop = NetScaler SNIP.
The following static route on my core switch does not do the trick
ip route 10.155.53.0 255.255.255.0 10.155.11.245
The Netscaler Plug-in gets an address from the pool, but will not connect to anything with that IP. The default route on the Netscaler is 0.0.0.0 0.0.0.0 10.155.10.1. The Citrix servers for StoreFront are in the 10.155.10.0 VLAN, so if I were to change the default route on the Netscaler to 0.0.0.0 0.0.0.0 10.155.53.1, I assume that would break the connection from the Netscalers back to the Citrix farm?
Split Tunnel is enabled? If so, did you configure Intranet Applications?
Default Authorization = Deny? If so, did you configure Authorization Policies and bind them to the AAA Group or vServer?
Split Tunneling is not enabled
Intranet mode works if I use an IP address from the VLAN that matches the SNIP and NSIP,
for example 10.155.11.200 255.255.255.255 for the Intranet IP. I do not have enough free IP addresses in this VLAN so I need to use VLAN 53.
Hi Carl, is there a best practices document or guide that would help a new SDX setup for two zones, Intranet and DMZ?
thanks,
Duane
Just create two separate VPX, one for each zone. One instance connects to DMZ and the other connects to Intranet. These are separate VLANs, and usually separate cables (interfaces). Be careful when configuring management on the DMZ instance because you don’t want data traffic to go out the management interface. I have more up-to-date instructions at https://www.carlstalhood.com/netscaler-11-1-system-configuration/#portchannel
Thank you, sir. I also have read some of your comments about issues around firewalls concerning the dmz zone. what specifics should I be aware of?
Hi Carl, we are using NetScaler to load balance StoreFront and provide remote access, but using traffic domains. We are using the default traffic domain 0 for DMZ traffic and TD 2 for internal. Internally this works fine, but when we try to access externally we log in and receive “Http/1.1 Internal Server Error 43554”. I have configured the session policy to use IP to rule out DNS. Appreciate your thoughts? I don’t even see any errors in SF when I try to log in. Regards, Alex
So Gateway in Traffic Domain 0 is trying to reach the StoreFront VIP in Traffic Domain 2? Any firewall between them? SNIP in TD 0 can route to the SF VIP? Maybe you need to create a new VIP in TD 0 so Gateway can reach it. http://docs.citrix.com/en-us/netscaler/11-1/networking/traffic-domains/inter-traffic-domain-entity-bindings.html
where is the best practices document for implementing an HA SDX pair to load balance between two separate zones, like an intranet and a dmz?
Are you asking if a single instance should be connected to multiple security zones? I would say no. On SDX, you can easily create a separate VPX for each security zone.
So I was just looking through the release documents. Looks like port 80 seems to fail for the GUI in these scenarios intermittently. This is not just the build I’m on, but other versions of 11.0. If you connect to the GUI via 443, everything works fine.
Yes, I setup the PBR as a range since the NSIP’s are back to back. .20 and .21. And that replicated between HA nodes.
Are you able to get to the console of the appliance you can’t access? Can you run a nstrace to see how the NSIP traffic is flowing?
I just built an HA pair with two interfaces, default gateway on the non-mgmt interface. I verified that I could not reach the NSIP from the 3rd network unless I enable MBF or PBR. I created the PBR rule, applied it, and it worked on both nodes, even after failing over a few times. This is on 11.1-60. Maybe you found a bug somewhere?
So I followed your post above about multiple VLANs and am seeing some odd behavior. I set up an HA pair of VPXs in our DMZ, where 1 NIC is set up in the DMZ and 1 NIC on our internal network. The internal LAN NIC is going to be used just for management. I saw above you didn’t suggest that? Or did I misinterpret that? To finish the build, I put 1 SNIP on the DMZ VLAN and also set up a PBR to tell the management IPs where to respond internally. The odd behavior is that I lose GUI access to the active node. Passive works fine. When I fail over the node, they switch places and the new active loses the GUI and the passive now comes up. Even weirder is that I can ping each node and even SSH into them. I am running 11.67.12nc. But I’ve also seen the same behavior on a 10.5 pair we own.
The problem with connecting a single NetScaler to two security zones is that it’s too easy to misconfigure it and allow traffic to bypass the firewall. The security team would need to trust the NetScaler admins to not do that. It’s too bad NetScaler doesn’t have a dedicated traffic domain for mgmt.
Did you create PBRs for both NSIPs?
Hi Carl,
My question is about High Availability in Netscaler.
If I had a Netscaler gateway feature enable, all configuration like portal for Storefront and apps in XA and XD will replicated to the secondary node?
If you’re using Portal Themes in the GUI, then yes. But any files you modified will probably have to be manually copied to both nodes.
I try to upgrade a NS 10.5.56 HA pair / internal load balancer with NS 11.1.47.14 firmware, but after upgrading the second node, the virtual servers are red/down, so I don’t make a failover, and don’t upgrade the primary. Or is it normal that the virtual servers are red and down?
It’s normal for them to be down. You can open a service group, click the members line, click Monitor Details to see the reason.
Hmm ok, Last Response – Probe skipped – node secondary.
That sounds like when I make a failover it will work then?
It should, yes.
Yep, looks good, but I was afraid, because it now does not look the same as in NS 10.5. I mean there in an HA pair you see both nodes, virtual server – green; that is different now, the passive node leaves vServers red now 🙂
Thanks for some useful tips for a newbie (especially MAC based forwarding). I believe you may have some issues, though, in the section on Multiple Interfaces/VLANs. At step 19 you add a route to 192.168.0.0/16 via 192.168.123.1. At step 20 the additional route shows as 172.16.1.0/24 via 172.16.1.11 which was added at step 16 as being on VLAN 50 (or 172 in the second picture), and you delete the 0.0.0.0 route via 192.168.123.1. At steps 21 & 22 you add it back in again. After some thought, I think I know what the intention is, but the example is confusing.
Looks like I’ve been negligent on my 10.5 documentation. I just changed the screenshot and CLI command. It should have been changing the default gateway to the DMZ VLAN, which in this example is 172.16.1.1. Thanks for noticing.
Hi Carl,
Great article. I have two queries:
I have built two vpx with dmz nsip 192.168.120.1 & 2. The primary vpx .1 has a subnet ip (for storefront, cx, backend server, etc) of 192.168.180.25 and a license and cert and monitors/virtual servers configured. I want to create a ha pair. My questions are as follows:
a. Do I need to license for the 2nd vpx.
b. Do I need to configure anything on vpx2 – license/subnet ip/monitors, etc. – will all that not get synched from the primary vpx? I understood all we had to do was create an NSIP on vpx2 and then all gets synched when the HA is set up.
Thanks.
FK
The 2nd appliance must be licensed.
The 2nd appliance needs a NSIP. Everything else comes from the 1st appliance except network interface configuration and maybe NTP.
They both have an NSIP. Only the primary has a subnet IP to talk to backend servers. They both have the same number of network interfaces. I don’t know what you mean by “except network interface configuration”.
Enable/disable interfaces, put interfaces in LACP channels, speed/duplex settings, etc. Usually not needed on VPXs.
Understood. Apologies for asking the obvious. I have a simple setup nsip in dmz and snip in lan side for backend server and nothing special. Only load balancing xen app deployment. I did assume that HA config will replicate all setting from vpx1 to vpx2 – just wasn’t sure if I needed to configure the snip on vpx2. Looks like I don’t.
Thanks Carl for your prompt responses 🙂
Hi Carl,
Great article. I am trying to implement rate limiting and it works well using expressions:
CLIENT.IP.SRC
HTTP.REQ.URL
What I would like to do is exclude our internal subnet from matching this policy, as our servers communicate through the NetScaler at a much higher rate than what we want to allow clients to connect at, so I implemented this:
CLIENT.IP.SRC
HTTP.REQ.URL
CLIENT.IP.SRC.INSUBNET(10.0.0.0/8).NOT
Although it still seems to match/drop my 10.0.0.0/8 traffic when the rate is reached. Any idea on how to prevent this?
Thanks,
Ben
Are you saying the expressions is not matching as it should but the action is performed anyways? Or is there a problem with your expression?
The rate limiter is working but seems to be matching all traffic, even when it’s sourced from a 10.0.0.0/8 address with the following applied on the selector:
CLIENT.IP.SRC
HTTP.REQ.URL
CLIENT.IP.SRC.INSUBNET(10.0.0.0/8).NOT
I’m trying to work out a way to rate limit all traffic globally (HTTP) to 6 requests per second but excluding from this policy any traffic that has an IP source address of 10.0.0.0/8 (as 10.0.0.0/8 is our internal network and is trusted; it also communicates at a much higher rate than 6 req/sec).
Thanks,
Ben
Are you trying to limit each source IP to 6 requests/sec? Or are you trying to limit the total traffic to a URL to be 6 requests/sec?
I assume you have a Responder policy. Can you simply exclude the subnet from your Responder expression?
Hi,
How can I redirect incoming users who type one https site to another https site in their browser?
Thanks in advance.
If on the same VIP then you need a certificate that matches both names. Or you can enable SNI (Server Name Indication) and bind both certificates.
If different VIPs, simply bind a Responder policy to the whichever one you’re redirecting from.
Hi Carl,
I have a question about upgrading to version 11 that I have been unable to find a clear answer on. We did a POC with Netscaler VPX 10.5-56.22 using a Platinum license. We have now purchased a standard license which I have applied to my 2 Netscalers. In order to upgrade to Netscaler 11 do I have to create new appliances and move all my settings over? Or can I perform an inplace upgrade? I have upgraded the firmware to version 11 but that does not give me the portal themes feature I want to use.
Make sure your Gateway Global Settings don’t have a Custom theme configured.
Carl you are the best! I did have a custom theme applied. Turning it back to default resolved my issue. Thanks for all your help!!!
Carl, the Netscaler configured VLANs are all untagged. When trying to enable the “Tag all VLANs” option I get an Operation not permitted message. We’re running the VPX on Hyper-V so I guess I’m running against a limitation (see http://support.citrix.com/article/CTX124610).
That KB states at the bottom that VLAN tags ARE supported after 9.3 in the VPX. Check to see if you are using a Legacy type adapter in Hyper-V. That NIC doesn’t have large enough MTU support for the VLAN tag. As long as the underlying NIC has jumbo frame capability, it’ll work. Just be careful in switching it out as it’ll likely change the MAC and affect the licensing (need to re-key).
Hi Carl,
I see recently lots of failovers per day on my version, 10.5 53.9, VPX installation. nsconmsg events show IP address conflicts with the mac-addr of the other node for the NSIP and configured VIP’s before a HA failover occurs.
41481 254 PPE-0 interface(0/1): No HA heartbeats (Last received: Wed Mar 9 17:30:26 2016
; Missed 15 heartbeats) Wed Mar 9 17:30:29 2016
41482 0 PPE-0 remote node 10.1.104.202: DOWN Wed Mar 9 17:30:29 2016
41483 0 PPE-0 self node 10.1.104.201: Claiming Wed Mar 9 17:30:29 2016
41484 0 PPE-0 interface(0/1): HA heartbeats received Wed Mar 9 17:30:29 2016
41485 0 PPE-0 self node 10.1.104.201: Primary Wed Mar 9 17:30:30 2016
The configuration sync is no problem. Interface 0/1 configured untagged to the Inside LAN vlan.
Can you give me a hint how to troubleshoot this ?
Thanks, Maurice
53.9 is not exactly a recent build.
Do you have multiple interfaces? If so, are heartbeats working on all of them?
53.9 is indeed an old but stable version. If this HA issue is bug related then I may want to upgrade.
The VPX is 2 armed configured; interface 1/1 connected and configured for DMZ VLAN and 0/1 to internal DATA VLAN. Both nodes show in the output of “show ha node” :
..
Interfaces on which heartbeats are not seen : 1/1
..
grtz,
Maurice
Is 1/1 a tagged VLAN? If so, turn off tagging on the NetScaler VLAN then go to the interface in NetScaler and select “Tag All”. This will cause heartbeat packets to be tagged using the “untagged” VLAN ID and the switch should pass them between nodes. This should improve HA reliability..
Hi Carl any recommendations toward to disaster recovering a Netscaler VPX? Can I rebuild the VPX via OVF, and restore using the full backup? If so how do I get the full backup config onto new VPX?
NetScaler 11.0 build 64 lets you import a backup.
My method is to restore /nsconfig/ssl, restore /nsconfig/license (if MAC hasn’t changed), restore /nsconfig/ns.conf and reboot. Also restore any Gateway logon page customizations.
Thanks! I’ll give that a try.
Hi Carl, wondering if you could help. I have an SDX 11515 and want LDAP authentication to a AD server. I have search filter of memberof=CN=GROUP,OU=ouGroup,DC=TEST,DC=GLOBAL,DC=EUROPE,DC=net however still seems to refuse LDAP. The firewall ports are open on 389 and tested via the SVM using telnet.
Citrix docs specify the following: Search Filter—String to be combined with the default LDAP user search string to form the value. For example, vpnallowed=true with ldaploginame samaccount and the user-supplied username bob would yield an LDAP search string of: (&(vpnallowed=true)(samaccount=bob).
Does it work without the filter?
Have you tried the filter in ldp.exe?
You can also try it in a NetScaler instance where you have aaad.debug as a troubleshooting resource.
Hi Carl,
Nice explanation. Just a query. What’s the max trap destination we can configure?
I’m not aware of any limit. How many do you need?
Thanks Carl,
we just got a new domain name and want to get users using the new URL and be redirected to the current one in access gateway. How can I achieve this in access gateway and ensure users only type and see new one in browser?
New dns name will also be https, I assume I will have to include an SSL certificate for it.
You can use SNI to bind both certs and use a Responder to do the redirect. Or you can do two different vServers on different VIPs, each with different certs, and configure a Responder on one of them.
Hi Carl,
thanks for this great site!
I’m troubleshooting a case where a one-arm Netscaler VPX deployment constantly fails over between Netscaler nodes due to HA heartbeat failures (No HA heartbeats).
I’m thinking the issue is caused by the fact that the both interfaces 0/1 and 1/1 have been configured to the same VLAN.
Question: In one arm mode, can the second interface 1/1 be disabled or does there always need to be an additional interface to the management interface 0/1?
If you are only connected to one VLAN and there’s no port channel then you should disable all but one interface. On physical appliances, I usually leave 1/1 plugged in and skip 0/1.
Heartbeat issues could mean that you’re using tagged packets on your management network but the heartbeats aren’t tagged. There’s a workaround for this.
Carl,
I have a similar one-arm setup on a VPX deployment. I have disabled Interface 0/1 to prevent bridge loops and am seeing DNS probes occasionally failing in addition to HA heartbeat failures. HA monitoring can’t be disabled for 0/1 as it isn’t a supported feature on the VPX platform. I’m wondering if I need to use 0/1 as the active interface and disable 1/1, also potentially enabling tag all VLANs on 0/1 to resolve the heartbeat failure.
Hi Carl,
I have got an HA pair in a 2-arm configuration. I wish to convert this to a one-arm configuration but I cannot remove the SNIP address – error: an existing route relies on the presence of this subnet.
I have tried to remove the route and I get error: operation not permitted. What is the correct procedure to remove a SNIP?
I am able to disable the interface and remove the VLAN but that is all I can do.
Any ideas?
thanks
Duncan
Do you have a VLAN object that is bound to the SNIP?
You can also go to System > Diagnostics > Running Config and search it for your SNIP to see where else it’s being used.
Carl, hello, good evening. I have the following question: if I have my domain .local1 with a trust relationship with the domain .local2, should I add to the NetScaler device an LDAP server for each domain (.local1 and .local2) so they can access my application server?
Thank you
Yes, you must add each domain. See https://www.carlstalhood.com/netscaler-gateway-ldap-authentication/#domains
Hi Carl,
you mention the additional SNMP OIDs which are useful for monitoring. Are there any instructions on how to use them,?
Load the SNMP MIBs into your SNMP tool and configure your SNMP tool to monitor those OIDs.
Hello Carl, very good article.
I would not recommend activating MBF in most cases.
I would rather use a simple routing table.
MBF implies the creation of a specific layer 2 table with all client IP addresses which is parsed for every response.
MBF should be used only to avoid asymmetric routing on multiple operator routers.
Stephane
I agree that routing should be properly configured on every appliance. However, there are many scenarios where only MBF will work. For example, if you put NSIP on a dedicated management VLAN and change the default gateway to a different VLAN then you might need MBF so replies to administrators are sent out the management VLAN instead of the default gateway. Sometimes you can use static routes to fix this problem but not always. This is especially important for DMZ NetScalers where NSIP is on an internal management network (not my recommendation).
Carl,
I followed your guide and I’m not getting anywhere fast. I had existing LDAP policies that allow for logon to the NetScaler if globally bound. I created a secondary policy for one domain to allow only NSAdmins to log in. This policy fails to let the users log in who belong to that group. aaad.debug is showing a 4009 reject error. I tried with sAMAccountName and also UserPrincipalName.
Try doing the same LDAP Search Filter in ldp.exe or similar. If you look in aaad.debug, it should give you the full LDAP query.
Hi Carl,
Quick question regarding Licensing. If I have Universal Licenses for 500 users that I want to use on an HA pair, can I install the same license on both of my NetScalers? Or do I have to split them up 250/250?
I look forward to your reply.
Thank you
Sincerely
You can install all 500 on both. Allocate to one hostname. Then reallocate to the other hostname.
Carl,
I’ve got NSIP configured as 172.16.210.8. The default route is 0.0.0.0 0.0.0.0 172.16.210.14 (which is an interface on the firewall). I’ve created a VIP for 2 servers – 10.190.114.11. When I ping the VIP from my inside network I don’t get a reply. In the FW I see that the ICMP is allowed and it is going to 10.190.114.11, but when that VIP replies it comes back via Netscaler’s default route. Both 10.190.114.0 and 172.16.210.0 live on the same FW on 2 different interfaces.
Today I had a call with Citrix regarding this issue. They suggested to add SNIP for 10.190.114.0 network. I did that. So now Netscaler has 10.190.114.10 for SNIP and 10.190.114.11 for VIP (with servers behind it). In the ARP table we now can see 10.190.114.0 (before adding SNIP we couldn’t).
Well, that didn’t help the issue. We are still going through one interface and coming back from another (the default one).
Any ideas what I am doing wrong on NS?
Thank you,
-Joanna
For replies, NetScaler uses the routing table by default. You can override this behavior by enabling Mac Based Forwarding. When enabled, NetScaler keeps track of which interface the request came in on and responds out the same interface. Otherwise you’ll need to add static routes so it gets back to your PC.
Thanks Carl! That did the trick. I read that the MBF has to be disabled if GSLB is enabled. We do not have that in place but if one day we decide to go that way will I have to disable MBF? If so my current one-arm design won’t work anymore.
I just don’t want to put something in place and then re-design it in the future.
Thanks.
-Joanna
I’m not aware of any issues with MBF and GSLB. I have many NetScalers with both enabled. GSLB is nothing more than a DNS resolver so GSLB has no special dependency on networking configuration.
I’ve created a new Instance for internal traffic only. Looking at the old Netscaler, which is administered by the application group and which is going to be going away once this new VPX is in place, there’s only 1 subnet used for NSIP, MIP and VIP. Is it a good idea to keep it like that? I prefer not to make many changes to this environment since it is working and I’d like to move everything over to the new Instance as is, without IPs changes.
Thank you as always!
-Joanna
That’s fine too. Many one-arm configs only have one interface. If that one subnet is different than your SVM subnet then don’t bind the instance to interface 0/1.
Carl,
I have an SDX with 5 licenses for 5 Instances. I configured the SDX using our internal IP subnet which is associated with interface 0/1 . I’d like to create 1 Instance for 5 different DMZs (VLANs) and 1 Instance for a couple Internal networks.
When I create a DMZ Instance with VLAN 211 and subnet 172.16.211.0 even though I pointed to our firewall for its gateway 172.16.211.14 the Instance still wants to use interface 0/1 for management. Well, subnet on 0/1 doesn’t get trunked to interface 10/1 (used for DMZs only). So when new Instance is created it comes up as DOWN. When I connect to it under Network-IP-Routes I can see that the static route for default route 0.0.0.0 0.0.0.0 is pointing to our Internal subnet not the DMZ. The subnet that is issued to interface 0/1.
So, does my SDXs IP and gateway have to be in the DMZ subnet? Will every new Instance whether it is built for DMZ or Internal traffic need to depend on interface 0/1 ?
Thanks,
-Joanna
When creating the VM, did you uncheck the 0/1 interface? Feel free to uncheck it.
SDX SVM must be able to communicate with the NSIP of the appliance. I think it uses TCP 22, TCP 80 and TCP 443.
Do you need to tag the VLAN containing the NSIP? If so then you need to configure NSVLAN or Tagall.
Carl, thank you for replying. I had to recreate the Instance for everything to work.
So now interfaces 0/1 and 0/2 are unchecked and interface 10/1 has 3 VLANS
vlan 210 – 172.16.210.0
vlan 211 – 172.16.211.0
vlan 212 – 172.16.212.0
Default route 0.0.0.0 0.0.0.0 is pointing to 172.16.211.14 which is a trunk interface on the firewall. Firewall is the gateway for all 3 vlans.
I was planning to add 2 more DMZs to interface 10/1
vlan 114 – 10.190.114.0
vlan 115 – 10.190.115.0
The 2 subnets on 10.190.x.x point to the same firewall but they live on a different trunk port.
In the Instance under Data Interfaces I selected 10/1 with Allowed Untagged Traffic being TRUE and no VLANs listed.
Under Management VLAN settings I put Vlan 211 as Vlan for management traffic and selected NSVLAN and Tagged (as per your suggestion) and under Interfaces I selected once again 10/1.
Could you please confirm that all of the above is correct? With all the multiple DMZ subnets and one default gateway I want to make sure that I configure everything correctly.
Thanks so much!
-Joanna
Are the new VLANs in a different security zone? If so, it is OK for the NetScaler to be connected multi-homed to both security zones?
With a single traffic domain there is only one routing table and one default gateway. If you create traffic domains (doesn’t work with all features) then you could have multiple routing tables and multiple default gateways.
By not entering VLANs at the SVM layer, you instead create the VLANs inside the instance. This is how I normally do it.