Navigation
- Change Log
- VPX Virtual Hardware – VMXNET3
- Customer User Experience Improvement Program (CUXIP)
- Welcome Wizard
- Licensing:
- 100% CPU
- Upgrade Firmware
- High Availability
- Networking
- DNS Servers
- NTP Servers
- Syslog Server
- SNMP Configuration
- Call Home
- Change nsroot password
- TCP, HTTP, SSL, and Security settings
- Management Authentication – LDAP
- CLI Prompt
- Backup and Restore
Change Log
- 2024 April 25 – added info from Dynamically increase the primary disk size on NetScaler VPX
- 2023 Dec 9 – VPX hardware – added link to Manually adjust NetScaler VPX Disk Space
- 2022 Nov 8 – Upgrade firmware – verify date in /nsconfig/license before upgrading
- 2022 May 30 – VPX Hardware – added second disk in 13.1 build 22.50 and newer
- 2021 Nov 9 – Upgrade firmware – added additional configuration after security update.
- 2021 Sep 2 – Upgrade firmware – added script to check for features removed from ADC 13.1
- 2021 Feb 22 – Upgrade firmware – added HA Sync VLAN for ISSU support
- 2019 Sep 26 – Multiple subnets – added link to Best practices for network configurations at Citrix Docs
VPX Virtual Hardware
Magnus Andersson Deploy Citrix ADC VPX On Nutanix AHV
VMware Compatibility (source = Support matrix for Citrix ADC at Citrix Docs)
- Citrix ADC 13.1 build 21.50 and newer support VMware ESXi 7.0 update 3c.
- Citrix ADC 13.0 build 71 and newer supports ESXi 7.0.
Download and import VPX:
- Download Citrix ADC VPX Release 13.1 or NetScaler Release 14.1 Virtual Appliance.
- Download one of the VPX Packages for New Installation.
- Extract the downloaded .zip file.
- In vSphere Client, Deploy OVF template.
Before powering on the appliance, edit the virtual hardware.
- If you are licensed for VPX 1000 or higher, increase the CPU count. VPX 1000 is licensed for 4 vCPUs.
- Consider setting Memory to 4 GB for each packet engine. A VPX 200 has one packet engine. A VPX 1000 has three packet engines.
- Change the NIC Adapter type to VMXNET3 or SR-IOV.
- Citrix CTX224576 NetScaler VPX Loses Network Connectivity Intermittently on VMware ESXi After Upgrading to Version 12.0 recommends VMXNET3 as a workaround to network connectivity issues in recent Citrix ADC VPX builds.
- If you choose to use VMXNET3 instead of E1000, make sure all of the NICs are VMXNET3. You cannot mix NIC types.
- If you already licensed your appliance, jot down the E1000 MAC address, and configure the new VMXNET3 NIC with the same MAC address as the E1000 NIC so you don’t have to redo your license file.
- To change the NIC Adapter Type, remove the existing NIC, click OK to close Edit Settings, then go back into Edit Settings and Add New Device.
- NetScaler 14.1 build 21 and later let you expand the size of Hard Disk 1, and after the reboot NetScaler will automatically expand the /var partition, which you can see by running df -h in the shell.
- Or see NetScaler Article Manually adjust NetScaler VPX Disk Space to use gpart to increase the partition size.
- ADC 13.1 build 21.50 and later let you add a second disk to the ADC for storage of logs and crash files. These log and crash files tend to consume disk space on the main drive, which prevents firmware updates, so moving them to a second disk should allow firmware updates to succeed. You can add the second disk at any time, but pre-existing files will not be moved, so it’s best to add the second disk when the VPX is first deployed.
- The new disk is mounted under /var/crash.
- The /var/crash directory has several folders that are symlinked from the first drive to the second drive.
Auto-Provision IP Address
When importing VPX into a hypervisor, you can use VM advanced configuration parameters to set the NSIP. See CTX128250 How to Auto-Provision NetScaler VPX Appliance on a VMware ESX or ESXi Host, and CTX128236 How To Auto-Provision NetScaler VPX on XenServer.
Power On VPX and configure NSIP
- After importing the VPX OVF file and changing the NICs to VMXNET3, power on the Citrix ADC VPX appliance.
- Configure the management IP from the VM’s console.
- Then point your browser to the management IP using either http or https and login as nsroot with password nsroot.
- In ADC 13.0 build 67 and newer, you’ll be prompted to change the default nsroot password.
Customer User Experience Improvement Program
- You might be prompted to enable the Customer User Experience Improvement Program. Either click Enable, or click Skip.
- You can also enable or disable the Customer Experience Improvement Program by going to System > Settings.
- On the right is Change CUXIP Settings.
- Make your selection and click OK.
- See https://www.carlstalhood.com/delivery-controller-cr-and-licensing/#ceip for additional places where CEIP is enabled.
set system parameter -doppler ENABLED
Welcome Wizard
Citrix ADC has a Welcome! Wizard that lets you set the NSIP, hostname, DNS, licensing, etc. It appears automatically the first time you login.
- Click the Subnet IP Address box.
- You can either enter a SNIP for one of your production interfaces, or you can click Do it later and add SNIPs later after you configure Port Channels and VLANs.
Note: If you have a dedicated management network, to prevent the management network from being used for outgoing traffic, don’t put a SNIP on the management subnet.
add ns ip 10.2.2.60 255.255.255.0 -type SNIP
- Click the Host Name, DNS IP Address, Time Zone and NTP Server box.
- Enter a hostname. In a High Availability pair each node can have a different hostname. You typically create a DNS record that resolves the hostname to the NSIP (management IP).
- Enter one or more DNS Server IP addresses. Use the plus icon on the right to add more servers.
- Change the time zone to GMT-05:00-CDT-America/Chicago or similar.
- Add one or more NTP Servers.
- Click Done.
set ns hostname ns02
add dns nameServer 10.2.2.11
set ns param -timezone "GMT-06:00-CST-America/Chicago"
- Click Yes to save and reboot.
- Click the Licenses box.
- On the far right side of the screen you’ll see the Host ID. You’ll need this to allocate your licenses at mycitrix.com. See below for detailed instructions on how to allocate the license to this Host ID.
- On the left, select Upload license files, and click Browse.
- Browse to the license file, open it, and click Reboot when prompted.
- License files are stored in /nsconfig/license.
- After the reboot and logging in, a box will pop up showing you the installed license, including Days to Expiration.
- Also look in the top left corner to make sure it doesn’t say ADC VPX (Freemium). The number in the parentheses should match the MPX or VPX model number.
- 30 days prior to license expiration will be a banner at the top of the GUI. It also sends an SNMP trap.
- In ADC 13.1 build 24 and newer, you can adjust the number of days before expiration by clicking Manage Licenses, and then edit the Notification Settings on the bottom.
Licensing – VPX Mac Address
To license a Citrix ADC VPX appliance, you will need its MAC address.
- Go to the Configuration tab.
- In the right pane, look down for the Host Id field. This is the MAC address you need for license allocation.
- Another option is to SSH to the appliance and run shell. Then run lmutil lmhostid. The MAC address is returned.
License Allocation at MyCitrix.com
Allocate a Citrix ADC VPX license:
- Login to http://mycitrix.com.
- On the left, click Manage Licenses.
- If you are activating an eval license, at the bottom of the page, click Don’t see a new license and enter the eval license key.
- In the blue Find a license by… box, change the drop-down to Product name, enter adc in the text box, and click Search.
- Select one of your ADC VPX licenses, open the Select an action menu, and click Allocate licenses.
- Change the quantity to 1.
- In the Host field, enter the Host ID (Mac Address) you got from your VPX appliance.
- Click Create license file.
- Click Yes, create license file.
- Click Download license file and save it somewhere.
In Citrix ADC Standard Edition or higher, some Citrix Gateway Universal Licenses are included in your Citrix ADC platform license. There is no need to allocate a license file for these built-in licenses.
- Citrix ADC Standard Edition comes with 500 Gateway Universal licenses
- Citrix ADC Advanced Edition comes with 1,000 Gateway Universal licenses
- Citrix ADC Premium Edition comes with unlimited Gateway Universal licenses
Citrix Gateway VPX Enterprise Edition does not come with any Gateway Universal Licenses. Citrix Gateway VPX Enterprise Edition is a Gateway-only edition that has fewer features than Citrix ADC Standard Edition.
If you need more Gateway Universal licenses than your ADC Edition provides, then you can acquire Gateway Universal licenses by purchasing Citrix Virtual Apps and Desktops (CVAD) Premium Edition, Citrix Endpoint Management Enterprise Edition, or a la carte. Then allocate the additional Citrix Gateway Universal licenses at mycitrix.com.
- Search for gateway licenses, select Citrix Gateway Universal License, open the Select an action menu, and click Allocate licenses.
- Change the quantity, or leave it set to allocate all licenses.
- Enter your appliance hostname (not Mac address). If you have two appliances in a HA pair, allocate these licenses to the first appliance hostname, then reallocate them to the second appliance hostname.
- To get a Citrix ADC’s hostname, login to the ADC as nsroot, and then click the gear icon on the top right.
- In the third row, notice the case sensitive Host Name.
- Click Create license file.
- Click Yes, create license file.
- Click OK when prompted to download your license file. Save it somewhere you know where you are saving it.
- If you have two appliances in a High Availability pair with different hostnames then you will need to return the Citrix Gateway Universal licenses and reallocate them to the other hostname. The Select an action menu has a Return allocations option.
Install Licenses on Appliance
If you haven’t already installed licenses on your appliance, then do the following:
- If the Setup wizard is open, click the fourth row for Licenses.
- Otherwise, in the Citrix ADC Configuration GUI, on the left, expand System, and click Licenses.
- On the top right, click Manage Licenses.
- Click Add New License.
- If you have a license file, select Upload license files, and then click Browse. Select the license file(s), and click Open.
- License files are stored in /nsconfig/license.
- Click Reboot when prompted.
- After reboot, log in. If you allocated and installed your license correctly, then the top left should no longer say Freemium.
- A window will appear showing the installed license.
- Notice that Maximum ICA Users Allowed is set to Unlimited.
- Maximum NetScaler Gateway Users Allowed will vary depending on your Citrix ADC Edition.
- Days to Expiration is shown.
- Note: the Citrix ADC SNMP counter allnic_tot_rx_mbits must remain less than the licensed bandwidth or packets will drop.
VPX 100% CPU
Citrix ADC VPX packet engine consumes 100% of the hypervisor CPU. VPX 200 and lower only have one packet engine, so it’s probably consuming around 50% CPU.
You can change this behavior by doing the following:
- On the left, go to System > Settings.
- On the right, in the bottom of the second column, click Change VPX Configuration Settings.
- Change the CPU Yield drop-down to YES, and click OK.
- After making this change, you can see an immediate drop-off in CPU consumption.
Upgrade Firmware
Citrix CTX241500 Citrix ADC Firmware Release Cycle:
- Versions that end in x.1 (e.g. 11.1, 12.1, 13.1, 14.1 etc.) get three years of maintenance releases after one year of feature releases (new features).
- Versions that end in x.0 (e.g. 12.0, 13.0, 14.0, etc.) get one year of maintenance releases after one year of feature releases (new features).
See the Health Check article for the latest firmware versions that resolve security vulnerabilities.
License – Newer firmware is enforcing license subscription dates in the license file. If you don’t have pooled licensing, then check the CSS dates in your license file:
- On NetScaler ADC, go to /nsconfig/license and edit your license file.
- Make sure the left date is newer than today. If not, then you’ll need to go to http://citrix.com/account and re-download the license file for this appliance. The newer license file should have a newer date.
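One way to check the CSS dates without reading the license file by hand, as an added example that is not from the article or from Citrix: the script below assumes the CSS date is the YYYY.MMDD field that follows the vendor name on each INCREMENT line of the FlexNet-style license file, and compares it with a reference date in YYYYMMDD form (today's date when the script is run with a file argument). The sample license it writes is constructed for the example and is not a real license.

```shell
#!/bin/sh
# Added example, not from the original article: check the CSS (Subscription
# Advantage) dates in a NetScaler license file before upgrading firmware.
# Assumption (labelled): on each INCREMENT line the fourth field is the CSS date
# in YYYY.MMDD form, e.g. "INCREMENT CNS_V1000_SERVER citrix 2025.0301 permanent 1 ...".
# Everything else in the file is ignored, so continuation lines do not matter.

# Print "<feature> <YYYYMMDD>" for every INCREMENT entry in the license file.
license_css_dates() {
    awk '$1 == "INCREMENT" { d = $4; gsub(/\./, "", d); print $2, d }' "$1"
}

# Return 0 when every INCREMENT entry has a CSS date on or after the reference
# date (YYYYMMDD); otherwise list the stale entries and return 1. The article's
# advice is that the date must be newer than today, so pass today's date.
license_css_ok() {
    file=$1
    ref=$2
    stale=$(license_css_dates "$file" | awk -v ref="$ref" '$2 + 0 < ref + 0')
    if [ -n "$stale" ]; then
        printf 'CSS date older than %s (re-download the license file):\n%s\n' "$ref" "$stale"
        return 1
    fi
    printf 'All CSS dates are on or after %s\n' "$ref"
    return 0
}

# Write a constructed sample license file (not a real Citrix license) to $1.
# The first entry has a current CSS date, the second a stale one.
make_sample_license() {
    cat > "$1" <<'EOF'
SERVER this_host ETHER=PLACEHOLDER-MAC
VENDOR citrix
USE_SERVER
INCREMENT CNS_V1000_SERVER citrix 2025.0301 permanent 1 VENDOR_STRING=;LT=Retail;GP=720;CL=STD,ADV,PLT \
        ISSUED=01-Mar-2024 NOTICE="Citrix Systems Inc." SN=CONSTRUCTED-SN SIGN="CONSTRUCTED-SIGNATURE"
INCREMENT CNS_SSE_SERVER citrix 2023.1001 permanent 1 VENDOR_STRING=;LT=Retail;GP=720 \
        ISSUED=01-Oct-2022 NOTICE="Citrix Systems Inc." SN=CONSTRUCTED-SN SIGN="CONSTRUCTED-SIGNATURE"
EOF
}

# Usage in the appliance shell: sh check_license.sh /nsconfig/license/<file>.lic
if [ -n "${1:-}" ]; then
    license_css_ok "$1" "$(date +%Y%m%d)"
fi
```

Run it against each file in /nsconfig/license on both HA nodes before starting the upgrade; a single stale INCREMENT entry is enough for the check to fail, which is what you want, because the firmware enforces the date per feature.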
Classic Policies – Gateway Classic Policies (classic authentication policies, classic Session Policies, classic Authorization Policies, etc.) still work in NetScaler 14.1, so it’s not necessary to convert your Gateway Classic Policies to Gateway Advanced Policies before you upgrade.
In ADC 13.1 and newer, some non-Gateway features have been removed. To verify that your config does not use the removed features, see Citrix’s Github for a validation script. NetScaler 14.1 build 17 and newer have an upgrade option in the GUI to Enable NSPEPI Tool to check the config before upgrading.
- Go to the root of the Github ADC-scripts repository, click the green Code button and then click Download ZIP. Unzip it after downloading.
- Use WinSCP or similar to upload the files to the ADC. In the nspepi folder, upload the files nspepi and check_invalid_config to /netscaler on the ADC. Also upload the \nspepi\nspepi2 folder to the /netscaler/nspepi2 folder on the ADC. Replace the existing files.
- SSH to ADC and run shell.
- Run the following commands and then review the output:
cd /netscaler
chmod +x check_invalid_config
./check_invalid_config /nsconfig/ns.conf
NetScaler Console (formerly known as Citrix ADM) can upgrade firmware. NetScaler Console can also schedule the firmware upgrade instead of doing it immediately. NetScaler Console does a precheck to make sure there are no upgrade issues. For more details, see Creating Maintenance Tasks at NetScaler Docs.
To upgrade firmware using the NetScaler GUI (source = Upgrade a high availability pair at NetScaler Docs):
- To do an ISSU upgrade (zero downtime, no TCP disconnects), NetScaler Docs says that HA Sync VLAN should be configured. In a typical deployment where NSIP is not on a tagged VLAN, set it to VLAN 1. Set it on each node at System > High Availability > Nodes > 0 > Edit.
- Download firmware. Ask your Citrix Partner or Citrix Support for recommended versions and builds. You want the Firmware Build, not the VPX (Virtual Appliance).
Note: Firmware for NetScaler Gateway is identical to firmware for NetScaler. Either one will work on either appliance type.
- Watch the Security Bulletins to determine which versions and builds resolve security issues. You can subscribe to the Security Bulletins at http://support.citrix.com by clicking your avatar on the top right after logging in and then clicking My support alerts.
- Some security updates require additional configuration. For example, CTX330728 requires the nsapimgr_wr.sh command.
nsapimgr_wr.sh -ys maxclientForHttpdInternalService=30
- Save config – Make sure you Save the config before beginning the upgrade. If you do this on the Primary, then both nodes will save their configs.
- License – Transferring the firmware upgrade file to the appliance will be slow unless you license the appliance first. An unlicensed appliance will reduce the maximum upload speed to 20 Mbps.
- Backup – Before upgrading the appliance, consider using WinSCP or similar to back up the /flash/nsconfig directory.
- Start with the Secondary appliance.
- Disk Cleanup – VPXs usually don’t have enough free space to perform the upgrade.
- NetScaler 14.1 build 21 and later let you expand the size of Hard Disk 1, and after the reboot NetScaler will automatically expand the /var partition, which you can see by running df -h in the shell.
- If you SSH to the appliance, run shell, then run cd /var, then you can run the following command to see disk space consumption sorted by highest:
du -d 1 | sort -n -r
- /var/nsinstall has old firmware upgrades that can be deleted.
- Check /var/netscaler/nsbackup for old backup files.
- A common consumer of disk is the counter files located in /var/nslog.
- Also look in /var/core for crash dumps.
- In the Citrix ADC GUI, with the top left node System selected, on the right, click System Upgrade.
- Click Choose File and browse to the build…tgz file.
- NetScaler 14.1 build 17 and newer have an upgrade option to Enable NSPEPI Tool to check the config before upgrading.
- Click Upgrade.
- The firmware will upload.
- You should eventually see a System Upgrade window with text in it. If you previously saved your config, then click Yes when asked to reboot. Otherwise, click No, save your config, and then click Reboot.
- Go back to the System node. On the right, click the Reboot button.
- Click OK to reboot.
- After the reboot, after you login, you can see the firmware version by clicking your name on the top right of the browser window.
- Once the Secondary is done, login, go to System, and click the Migration button to start the zero downtime upgrade as detailed at NetScaler Docs. This is a new feature in ADC 13.
- Or go to System > High Availability > Nodes and do a Force Failover.
- Click Start Migration. It will take some time for client connections to drain off of the Primary and move to the upgraded appliance.
- You can go back into the Migration window and click the link labelled Click to show migration details to see if the failover is complete or not.
- Then upgrade the firmware on the former Primary.
- Go to System > HA > Nodes and verify the Synchronization State. If one of them is disabled, then edit the node, and check the box next to Secondary node will fetch the configuration from Primary.
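The Disk Cleanup step in the procedure above boils down to a few shell commands; here they are collected into a small reporting script. This is an added example, not code from the article or from NetScaler. It assumes a BSD- or GNU-compatible du, df and find in the appliance shell, takes the directory names from the article's cleanup list, treats the 2 GB free-space target as an example value, and only reports (it deletes nothing).

```shell
#!/bin/sh
# Added example, not from the original article: report where /var space has
# gone before a firmware upgrade. Assumption (labelled): BSD/GNU-compatible du,
# df and find; the directory names come from the article's disk cleanup list.

# Immediate subdirectories of $1 (default /var) by size in KB, largest first,
# limited to $2 entries (default 10). Same idea as the article's du -d 1 | sort -n -r.
var_usage_top() {
    du -k -d 1 "${1:-/var}" 2>/dev/null | sort -n -r | head -n "${2:-10}"
}

# Available space in KB on the filesystem that holds $1 (-P keeps df to one line).
fs_free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Return 0 when the filesystem holding $1 has at least $2 KB free.
enough_space() {
    [ "$(fs_free_kb "$1")" -ge "$2" ]
}

# List entries directly under the article's cleanup candidate directories that
# are older than $2 days (default 30), largest first. Reports only; deciding
# what to delete stays a manual step.
cleanup_candidates() {
    base=${1:-/var}
    days=${2:-30}
    for sub in nsinstall netscaler/nsbackup nslog core; do
        [ -d "$base/$sub" ] || continue
        find "$base/$sub" -mindepth 1 -maxdepth 1 -mtime +"$days" -exec du -sk {} \; 2>/dev/null
    done | sort -n -r
}

# Pre-upgrade summary. $2 is the free space wanted before uploading the build.
report_disk() {
    base=${1:-/var}
    need=${2:-2097152}   # 2 GB in KB, an example threshold, not a NetScaler figure
    printf 'Free space under %s: %s KB\n' "$base" "$(fs_free_kb "$base")"
    if enough_space "$base" "$need"; then
        printf 'OK: at least %s KB free\n' "$need"
    else
        printf 'WARNING: less than %s KB free; review these directories:\n' "$need"
    fi
    var_usage_top "$base"
    printf 'Entries older than 30 days in the cleanup directories:\n'
    cleanup_candidates "$base" 30
}

# Usage in the appliance shell: sh disk_check.sh /var
if [ -n "${1:-}" ]; then
    report_disk "$1"
fi
```

Run it on the Secondary first, since that is the node you upgrade first; if /var/core shows recent crash dumps, keep them until support has looked at them rather than deleting them to make room.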
To install firmware by using the command-line interface
- To upload the software to the Citrix ADC, use a secure FTP client (e.g. WinSCP) to connect to the appliance.
- Create a version directory under /var/nsinstall (e.g. /var/nsinstall/14.1.36.27).
- Copy the software from your computer to the /var/nsinstall/<version> (e.g. /var/nsinstall/14.1.26.27) directory on the appliance.
- Open a Secure Shell (SSH) client (e.g. Putty) to open an SSH connection to the appliance.
- At a command prompt, type shell.
- At a command prompt, type cd /var/nsinstall/<version> to change to the nsinstall directory.
- To view the contents of the directory, type ls.
- To unpack the software, type tar -xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
- To start the installation, at a command prompt, type ./installns.
- When the installation is complete, restart Citrix ADC.
- When the Citrix ADC restarts, at a command prompt type what or show version to verify successful installation.
- To failover the pair without downtime, enter migrate ns and wait for connections to drain off the former primary appliance.
- Then repeat these steps to upgrade the former primary appliance.
High Availability
Configure High Availability as soon as possible to ensure that almost all configurations are synchronized across the two appliances. The synchronization exceptions are mainly network interface configurations (e.g. LACP).
High Availability will also sync files between the two appliances. See CTX138748 File Synchronization in NetScaler High Availability Setup for more information.
- Prepare the secondary appliance:
- The secondary appliance must be the same hardware as the primary appliance.
- Login to the second appliance and configure a NSIP.
- Don’t configure a SNIP. In Step 2, Subnet IP Address, you can click Do It Later to skip the wizard. You’ll get the SNIP later when you pair it with the primary.
- Configure Hostname, Time Zone, and NTP Servers.
- Don’t configure DNS since you’ll get those addresses when you pair it. However, if NTP points to a DNS name, then NTP won’t work until you pair the appliance.
- License the secondary appliance. The new secondary appliance must be the same edition (License Type) as the former primary appliance.
- Upgrade firmware on the secondary appliance. The firmware of both nodes must be identical.
- On the secondary appliance, go to System > High Availability > Nodes.
- On the right, edit the local node.
- Change High Availability Status to STAY SECONDARY and click OK. If you don’t do this then you run the risk of losing your config when you pair the appliances.
set ha node -hastatus STAYSECONDARY
- On the primary appliance, on the left, expand System, expand Network, and click Interfaces.
- On the right, look for any interface that is currently DOWN.
- You need to disable those disconnected interfaces before enabling High Availability. Right-click the disconnected interface, and click Disable. Repeat for the remaining disconnected interfaces.
show interface
disable interface 1/1
- On the primary appliance, on the left, expand System, expand High Availability, and click Nodes.
- On the right, edit node 0.
- Change the High Availability Status to STAY PRIMARY, and click OK.
- On the right, click Add.
- Enter the other Citrix ADC’s NSIP address.
- Enter the other Citrix ADC’s login credentials, and click Create.
add ha node 1 192.168.123.14
Note: this CLI command must be run separately on each appliance.
- If you click the refresh icon near the top right, Synchronization State will probably say IN PROGRESS. Keep refreshing until it says SUCCESS.
- Edit Node ID 0 (the local appliance).
- Change High Availability State back to ENABLED.
- Under Fail-safe Mode, check the box next to Maintain one primary node even when both nodes are unhealthy.
- Scroll down, and click OK.
set ha node -failSafe ON
- If you login to the Secondary appliance, you might see a message warning you against making changes. Always apply changes to the Primary appliance.
- On the secondary appliance, go to System > High Availability > Nodes and edit the local node 0.
- Change it from STAY SECONDARY to ENABLED. Also enable Fail-safe Mode. Click OK.
- On the new secondary appliance, go to System > Network > Routes, and make sure you don’t have two 0.0.0.0/0.0.0.0 routes. Joining an appliance to an HA pair causes the default route on the primary appliance to sync to the secondary appliance. But, it doesn’t delete the default gateway that was formerly configured on the secondary appliance.
- From the Citrix ADC CLI (SSH), run “sh ha node” to see the status. You should see heartbeats on all interfaces. If not, configure VLANs as detailed later.
- You can also disable HA heartbeats on specific network interfaces (System > Network > Interfaces).
- Note: Make sure HA heartbeats are enabled on at least one interface/channel.
- Note: this is an interface configuration, which means this configuration change is not propagated to the other node.
- To do an ISSU upgrade (zero downtime, no TCP disconnects), Citrix Docs says that HA Sync VLAN should be configured. In a typical deployment where NSIP is not on a tagged VLAN, set it to VLAN 1. Set it on each node at System > High Availability > Nodes > 0 > Edit.
HA Failover
- HA Failover changes the MAC address associated with VIPs and SNIPs. If your firewall (e.g. Cisco ASA) doesn’t like Gratuitous ARP, then see CTX112701 – The Firewall Does not Update the Address Resolution Protocol Table
- ADC 13 adds a graceful node Migrate operation which drains sessions instead of drops sessions.
- Once migration is started, the two nodes no longer synchronize their configurations. The only way to clear the migration status is to reboot the Secondary. See zero downtime upgrade at Citrix Docs.
- Go to System, and click the Migrate button to start the Migrate operation.
- Click Start Migration. It will take some time for client connections to drain off of the Primary and move to the upgraded appliance.
migrate ns
- To clear the migration and allow nodes to be failed over again, reboot the secondary.
- Go to System > HA > Nodes and verify the Synchronization State. If one of them is disabled, then edit the node, and check the box next to Secondary node will fetch the configuration from Primary.
- Instead of Migrate, you can do a Force Failover, which does not require a reboot, and the nodes continue synchronizing.
- Go to System > High Availability > Nodes, open the menu named Select Action, and do a Force Failover.
force ha failover
Port Channels on Physical Citrix ADC MPX
If you are configuring a Citrix ADC MPX (physical appliance), and if you plugged in multiple cables, and if more than one of those cables is configured on the switch for the same VLAN(s), then you must bond the interfaces together by configuring a Port Channel.
- On the switch, create a Port Channel, preferably with LACP enabled.
- The Port Channel can be an Access Port (one VLAN), or a Trunk Port (multiple VLANs).
- On the Citrix ADC, configure LACP on the network interfaces, or create a Channel manually. Both methods are detailed below.
Also see Webinar: Troubleshooting Common Network Related Issues with NetScaler.
LACP Port Channel
To configure Port Channels on a Citrix ADC, you can either enable LACP, or you can configure a Channel manually. If your switch is configured for LACP, do the following on Citrix ADC to enable LACP on the member interfaces.
- Go to System > Network > Interfaces.
- On the right, edit one of the Port Channel member interfaces.
- Scroll down.
- Check the box next to Enable LACP.
- In the LACP Key field, enter a number. The number you enter here becomes the channel number. For example, if you enter 1, Citrix ADC creates a Channel named LA/1. All member interfaces of the same Port Channel must have the same LACP Key. Click OK when done.
- Continue enabling LACP on member interfaces and specifying the key (channel number). If you are connected to two port channels, one set of member interfaces should have LACP Key 1, while the other set of member interfaces should have LACP Key 2.
- In an HA pair, you must perform this interface configuration separately on both nodes. The LACP commands are not propagated across the HA pair.
- If you go to System > Network > Channels.
- You’ll see the LACP Channels on the right. These were created automatically after you set the LACP Key on the interface.
- If you edit a Channel, there’s a LACP Details tab that shows you the member interfaces.
Manual Channel
If your switch ports are not configured for LACP, then you can instead create a Channel manually.
- Go to System > Network > Channels.
- On the right, click Add.
- At the top, choose an unused Channel ID (e.g. LA/1).
- On the bottom, in the Bind/Unbind section, click Add.
- Click the plus icon next to each member interface to move it to the right. Then click Create.
Redundant Interface Set
You can also configure the Citrix ADC for switch-independent teaming. Create a Channel manually, but select a Channel ID that starts with LR instead of LA. This is called Link Redundancy or Redundant Interface Set.
Channel Minimum Throughput
Channels can be configured so that a High Availability failover occurs when the Channel throughput drops below a configured value. For example, if you have four members in a Channel, you might want a High Availability failover to occur when two of the member interfaces fail.
- Go to System > Network > Channels, and edit a Channel.
- Near the top, enter a minimum threshold value in the Throughput field. If the total bonded throughput drops below this level, a High Availability failover will occur.
Trunk Port and High Availability
If you are trunking multiple VLANs across the channel, and if every VLAN is tagged (no native VLAN), then a special configuration is needed to allow High Availability heartbeats across the channel.
- Go to System > Network > VLAN.
- Add a VLAN object.
- Bind the VLAN to a channel or interface. To bind multiple VLANs to a single interface/channel, the VLANs must be tagged.
- Configure one of the VLANs as untagged. Only untag one of the VLANs. Which one you untag doesn’t matter. If your switch doesn’t allow untagged packets, don’t worry, we’ll fix that soon.
- If your switch doesn’t allow untagged packets, go to System > Network > Channels, and edit the channel.
- Scroll down and switch to the tab named Settings.
- Set Tag all VLANs to ON to cause Citrix ADC to tag all packets, including the VLAN you formerly marked as untagged.
- We essentially moved the VLAN tagging from the VLAN to the Channel/Interface, which means VLAN tagging happens lower in the network stack so High Availability heartbeat packets are also tagged.
- Note: in an HA pair, you must perform this Tagall configuration separately on both nodes. The Tagall command is not propagated across the HA pair.
Common physical interface configuration
Here is a common Citrix ADC networking configuration for a physical Citrix ADC MPX that is connected to both internal and DMZ.
Note: If the appliance is connected to both DMZ and internal, then be aware that this configuration essentially bypasses (straddles) the DMZ-to-internal firewall. That’s because if a user connects to a public/DMZ VIP, then Citrix ADC could use an internal SNIP to connect to the internal server: in other words, traffic comes into a DMZ VLAN, but goes out an internal VLAN. A more secure approach is to have different appliances for internal and DMZ. Or use Citrix ADC SDX, partitioning, or traffic domains.
- 0/1 connected to a dedicated management network. NSIP is on this network.
- No data on 0/1 – 0/1 is not optimized for high throughput so don’t put data traffic on this interface. If you don’t have a dedicated management network, then put your NSIP on one of the other interfaces (1/1, 10/1, LA/1, etc.) and don’t connect any cables to 0/1.
- No SNIP on management network – To prevent Citrix ADC from using this dedicated management interface for outbound data traffic, don’t put a SNIP on this management network, and configure the default gateway (route 0.0.0.0) to use a router on a different data network (typically the DMZ VLAN). However, if there’s no SNIP on this VLAN, and if the default gateway is on a different network, then there will be asymmetric routing for management traffic, since inbound management traffic goes in 0/1, but reply traffic goes out LA/1 or LA/2. To work around this problem, enable Mac Based Forwarding, or configure Policy Based Routing. Both of these options are detailed in the next section.
- Management VLAN tagging – It’s easiest if the switch port for this dedicated management interface is an Access Port (untagged). If VLAN tagging is required, then NSVLAN must be configured on the Citrix ADC.
- 10/1 and 10/2 in a LACP port channel (LA/1) connected to internal VLAN(s). Static routes to internal networks through a router on one of these internal VLANs.
- Access Port – If only one internal VLAN, configure the switch ports/channel as an Access Port.
- Trunk Port – If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
- Tag HA heartbeat packets – If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then Citrix ADC needs special configuration (tagall) to ensure HA heartbeat packets are tagged.
- 1/1 and 1/2 in a LACP port channel (LA/2) connected to DMZ VLAN(s). The default gateway (route 0.0.0.0) points to a router on a DMZ VLAN so replies can be sent to Internet clients.
- Access Port – If only one DMZ VLAN, configure the switch ports/channel as an Access Port.
- Trunk Port – If multiple DMZ VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
- Tag HA heartbeat packets – If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then Citrix ADC needs special configuration (tagall) to ensure HA heartbeat packets are tagged.
Dedicated Management Subnet
If your Citrix ADC is connected to multiple subnets, then one of those subnets could be a Dedicated Management Subnet. If you have a subnet that is for NSIP only, and if you don’t want to use the NSIP subnet for data traffic, then you’ll want to move the default route off of the NSIP subnet and onto a different data subnet. However, moving the default route breaks traffic from the NSIP. To work around this problem, create PBRs for the NSIP traffic, including both replies from NSIP, and traffic sourced by the NSIP (e.g. Syslog).
Citrix Blog Post Separating NetScaler Management and Data Traffic for DISA STIGs also uses PBRs.
- Go to System > Network > PBRs. You can also search the menu for PBRs.
- On the right, click Add.
- Give the PBR a name (e.g. NSIP)
- Set the Next Hop Type drop-down to New.
- In the Next Hop field, enter the router IP address that is on the same network as the NSIP.
- In the Configure IP section, set the first Operation drop-down to =.
- In the Source IP Low field, enter the NSIP. This causes the PBR to match all traffic with NSIP as the Source IP address.
- In an HA pair, the PBR command is synced and applied to both nodes in the pair. To accommodate this, in the Source IP Low field, enter the lower NSIP address. Then in the Source IP High field, enter the higher NSIP address.
- You don’t need anything else.
- Scroll down, and click Create. This rule routes any traffic with NSIP as source IP address through a router on the NSIP subnet. The default route will be ignored, but only for NSIP traffic.
- DNS traffic is special. To handle DNS traffic sourced by the NSIP, create another PBR by right-clicking the existing one, and clicking Add.
- Change the name to NSIP-DNS or similar.
- Change the Action drop-down to DENY, which tells ADC that traffic matching this PBR should use normal routing instead of overriding to a different gateway.
- Change the Priority to a lower number than the original PBR so this rule is matched before the general NSIP rule. Scroll down.
- In the Configure IP section, remove all settings.
- In the Configure Protocol section, click the Protocol drop-down, and select UDP (17).
- Above the two Destination port fields, change the Operation to =.
- In the Destination port Low field, enter 53.
- Scroll down, and click Create.
- Make sure the DENY PBR is higher in the list (lower priority number) than the ALLOW PBR.
- Then open the Action menu, and click Apply.
- Click Yes to apply.
add ns pbr NSIP-DNS DENY -destPort = 53 -nextHop 10.2.2.1 -protocol UDP -priority 5
add ns pbr NSIP ALLOW -srcIP = 10.2.2.126-10.2.2.127 -nextHop 10.2.2.1
apply ns pbrs
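The ordering rule above (DENY for UDP/53 must sort before the NSIP ALLOW rule) is easy to get wrong when PBRs are edited later. The following Python is an added example, not part of the original post: it parses the two add ns pbr commands from this section, evaluates them in priority order the way the text describes, and flags a DENY rule that an ALLOW rule would shadow. The default priority for a PBR created without -priority is an assumption.

```python
"""Added example: a small model of how the NSIP policy-based routes above are
evaluated, so their ordering can be checked before 'apply ns pbrs'."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple

# Copy of the two 'add ns pbr' commands from the section above (constructed input).
PBR_CONFIG = """
add ns pbr NSIP-DNS DENY -destPort = 53 -nextHop 10.2.2.1 -protocol UDP -priority 5
add ns pbr NSIP ALLOW -srcIP = 10.2.2.126-10.2.2.127 -nextHop 10.2.2.1
"""

# Assumption: a PBR added without -priority is evaluated after those with an explicit one.
UNSET_PRIORITY = 65535


@dataclass
class Pbr:
    name: str
    action: str            # ALLOW: send via next_hop; DENY: fall back to the routing table
    priority: int
    src_low: Optional[ipaddress.IPv4Address] = None
    src_high: Optional[ipaddress.IPv4Address] = None
    protocol: Optional[str] = None
    dest_port: Optional[int] = None
    next_hop: Optional[str] = None

    def matches(self, src: ipaddress.IPv4Address, protocol: str, dport: int) -> bool:
        """A PBR matches when every qualifier it carries matches; absent qualifiers match anything."""
        if self.src_low is not None and not (self.src_low <= src <= self.src_high):
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.dest_port is not None and self.dest_port != dport:
            return False
        return True


def parse_pbrs(config: str) -> list:
    """Parse 'add ns pbr' lines (only the '=' operator is modelled) and sort by priority."""
    pbrs = []
    for line in config.strip().splitlines():
        tok = shlex.split(line)
        if tok[:3] != ["add", "ns", "pbr"]:
            continue
        pbr = Pbr(name=tok[3], action=tok[4].upper(), priority=UNSET_PRIORITY)
        i = 5
        while i < len(tok):
            opt = tok[i].lower()
            if opt in ("-srcip", "-destport"):
                # These options carry an operator token before the value: "-srcIP = a-b"
                op, value = tok[i + 1], tok[i + 2]
                if op != "=":
                    raise ValueError(f"{pbr.name}: only the '=' operator is modelled, got {op}")
                if opt == "-srcip":
                    low, _, high = value.partition("-")
                    pbr.src_low = ipaddress.IPv4Address(low)
                    pbr.src_high = ipaddress.IPv4Address(high or low)
                else:
                    pbr.dest_port = int(value)
                i += 3
            elif opt == "-nexthop":
                pbr.next_hop = tok[i + 1]
                i += 2
            elif opt == "-protocol":
                pbr.protocol = tok[i + 1].upper()
                i += 2
            elif opt == "-priority":
                pbr.priority = int(tok[i + 1])
                i += 2
            else:
                raise ValueError(f"{pbr.name}: unhandled option {tok[i]}")
        pbrs.append(pbr)
    return sorted(pbrs, key=lambda p: p.priority)


def route_decision(pbrs: list, src: str, protocol: str, dport: int) -> Tuple[Optional[str], Optional[str]]:
    """Return (matching PBR name, next hop). The next hop is None when the packet falls
    back to the routing table, either because no PBR matched or a DENY PBR matched first."""
    src_ip = ipaddress.IPv4Address(src)
    for p in pbrs:
        if p.matches(src_ip, protocol.upper(), dport):
            return p.name, (p.next_hop if p.action == "ALLOW" else None)
    return None, None


def shadowed_deny_rules(pbrs: list) -> list:
    """Names of DENY PBRs that sort after an ALLOW PBR: a DENY meant to exempt traffic
    (such as NSIP-DNS above) must carry the lower priority number or it never matches."""
    seen_allow = False
    shadowed = []
    for p in pbrs:
        if p.action == "ALLOW":
            seen_allow = True
        elif seen_allow:
            shadowed.append(p.name)
    return shadowed
```

Feed the output of show ns pbr (or a copy of ns.conf) into parse_pbrs and check shadowed_deny_rules before running apply ns pbrs.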
Floating Management IP
If you want a floating management IP that is always on the Primary appliance, here’s a method of granting management access without adding a SNIP to the management subnet:
- Create a Load Balancing Service on HTTP 80 on IP address 127.0.0.1. Note: Citrix ADC doesn’t allow creating a Load Balancing service on IP address 127.0.0.1 and port 443 (SSL).
- The IP address you enter is 127.0.0.1. When you view the Load Balancing Service, it shows the local NSIP. After a HA failover, the IP Address will change to the other NSIP.
- Create a Load Balancing Virtual Server using a VIP on the management subnet. Protocol = SSL. Port number = 443. Bind a certificate.
- Bind the loopback:80 service to the Load Balancing Virtual Server. In summary: the front end is 443 SSL, while the LB Service is 80 HTTP.
- Add the new VIP to the PBRs so the replies go out the correct interface. Re-apply the PBRs after you modify them.
- You should then be able to point your browser to https://Step2VIP to manage the appliance.
- You can perform the same loopback trick for 22 SSH. Create a Load Balancing Service on TCP 22 on IP address 127.0.0.1.
- Create a Load Balancing Virtual Server using the same management VIP specified earlier. Protocol = TCP. Port number = 22.
- Bind the loopback:TCP:22 service to the Load Balancing Virtual Server.
- You should then be able to point your SSH Client to <Step2VIP> to manage the appliance.
- CLI Commands for the floating management VIP:
add service mgmt 127.0.0.1 HTTP 80
add service mgmt-SSH 127.0.0.1 TCP 22
add lb vserver mgmt-SSL SSL 10.2.2.128 443
add lb vserver mgmt-SSH TCP 10.2.2.128 22
bind lb vserver mgmt-SSL mgmt
bind lb vserver mgmt-SSH mgmt-SSH
set ns pbr NSIP-DNS DENY -srcIP = 10.2.2.126-10.2.2.128 -destPort = 53 -protocol UDP -priority 5
set ns pbr NSIP ALLOW -srcIP = 10.2.2.126-10.2.2.128 -nextHop 10.2.2.1
apply ns pbrs
Multiple Subnets / Multiple VLANs
Best practices for network configurations at Citrix Docs and Citrix CTX214033 Networking and VLAN Best Practices for NetScaler discusses many of the same topics detailed in this section.
If this is a physical MPX appliance, see the previous Port Channel section first.
If you only connected Citrix ADC to one subnet (one VLAN) then skip ahead to DNS servers.
Configuration Overview
The general configuration process for multiple subnets is this:
- Create a SNIP for each subnet/VLAN.
- Create a VLAN object for each subnet/VLAN.
- Bind the VLAN object to the SNIP for the subnet.
- Bind the VLAN object to the Port Channel or single interface that is configured for the VLAN/subnet.
SNIPs for each VLAN
You will need one SNIP for each connected subnet/VLAN. VLAN objects (tagged or untagged) bind the SNIPs to particular interfaces. Citrix ADC uses the SNIP’s subnet mask to assign IP addresses to particular interfaces.
NSIP Subnet
The NSIP subnet is special, so you won’t be able to bind it to a VLAN. Use the following SNIP/VLAN method for any network that does not have the NSIP. The remaining interfaces will be in VLAN 1, which is the VLAN that the NSIP is in. VLAN 1 is only locally significant so it doesn’t matter if the switch is configured with it or not. Just make sure the switch has a native VLAN configured, or configure the interface as an access port. If you require trunking of every VLAN, including the NSIP VLAN, then additional configuration is required (NSVLAN or Tagall).
Configure Subnets/VLANs
To configure Citrix ADC with multiple connected subnets:
- Add a subnet IP for every network the Citrix ADC is connected to, except the dedicated management network. Expand System, expand Network, and click IPs.
- On the right, click Add.
- Enter the Subnet IP Address for this network/subnet. The SNIP will be the source IP address the Citrix ADC will use when communicating with any other service/server on this network. The Subnet IP is also known as the Interface IP for the network. You will need a separate SNIP for each connected network (VLAN).
- Enter the netmask for this network.
- Ensure the IP Type is set to Subnet IP. Scroll down.
add ns ip 172.16.1.11 255.255.255.0 -type SNIP
- Under Application Access Controls, decide if you want to enable GUI management on this SNIP. This feature can be particularly useful for High Availability pairs, because when you point your browser to the SNIP, only the primary appliance will respond. However, enabling management access on the SNIP can be a security risk, especially if this is a SNIP for a DMZ network.
- Click Create when done. Continue adding SNIPs for each connected network (VLAN).
set ns ip 172.16.1.11 -mgmtAccess ENABLED -telnet DISABLED -ftp DISABLED
- On the left, expand System, expand Network, and click VLANs.
- On the right, click Add.
- Enter a descriptive VLAN ID. The actual VLAN ID only matters if you intend to tag the traffic. If not tagged, then any ID (except 1) will work.
- In the Interface Bindings section, check the box next to one physical interface or channel (e.g. LA/1) that is connected to the network.
- If this is a trunk port, select Tagged if the switch port/channel is expecting the VLAN to be tagged.
- If your switches do not allow untagged packets, then you will need to use the tagall interface option to tag Citrix ADC High Availability heartbeat packets. See CTX122921 Citrix NetScaler Interface Tagging and Flow of High Availability Packets
- If you don’t tag the VLAN, then the Citrix ADC interface/channel is removed from VLAN 1, and instead put in this VLAN ID.
- Switch to the tab named IP Bindings.
- Check the box next to the Subnet IP for this network. This lets Citrix ADC know which interface is used for which IP subnet. Click Create when done.
add vlan 50
bind vlan 50 -ifnum LA/1 -IPAddress 172.16.1.11 255.255.255.0
- Add static routes to the internal networks through an internal router.
- On the left, expand System, expand Network, and click Routes.
- On the right, click Add.
- Make sure NULL Route is set to No.
- Set the Gateway (next hop) to an internal router.
- Then click Create.
add route 10.2.0.0 255.255.0.0 10.2.2.1
- The default route should be changed to use a router on the DMZ network (towards the Internet). Before deleting the existing default route, either enable Mac Based Forwarding, or create a Policy Based Route, so that the replies from NSIP can reach your machine. You usually only need to do this for dedicated management networks.
- Note: PBR is recommended over MBF, because PBR can handle traffic sourced by NSIP (e.g. Syslog traffic), while MBF cannot.
- Mac Based Forwarding sends replies out the same interface they came in on. However, MBF ignores the routing table, and doesn’t handle traffic sourced by the NSIP (e.g. LDAP traffic). To enable MBF:
- On the left, expand System, and click Settings.
- On the right, in the left column, click Configure modes.
- Check the box next to MAC Based Forwarding (MBF), and click OK. More info on MAC Based Forwarding can be found at Citrix CTX1329532 FAQ: Citrix NetScaler MAC Based Forwarding (MBF).
enable mode mbf
- Go back to System > Network > Routes.
- On the right, delete the 0.0.0.0 route. Don’t do this unless the Citrix ADC has a route, PBR, or MBF to the IP address of the machine you are running the browser on.
rm route 0.0.0.0 0.0.0.0 10.2.2.1
- Then click Add.
- Set the Network to 0.0.0.0, and the Netmask to 0.0.0.0.
- Make sure NULL Route is set to No.
- Enter the IP address of the DMZ (or data) router, and click Create.
add route 0.0.0.0 0.0.0.0 172.16.1.1
DNS Servers
- To configure DNS servers, expand Traffic Management, expand DNS, and click Name Servers.
- On the right, click Add.
- Enter the IP address of a DNS server, and click Create.
- Note: The Citrix ADC must be able to ping each of the DNS servers, or they will not be marked as UP. The ping originates from the SNIP.
add dns nameServer 10.2.2.11
- Citrix ADC includes DNS Security Options, which are useful if you use this Citrix ADC to provide DNS services to clients (e.g. DNS Proxy/Load Balancing, GSLB, etc.). You can configure them at Security > DNS Security.
- Additional DNS Security Options are detailed at DNS security options at Citrix Docs.
NTP Servers
- On the left, expand System, and click NTP Servers.
- On the right, click Add.
- Enter the IP Address of your NTP Server (or pool.ntp.org), and click Create.
add ntp server pool.ntp.org
- On the right, open the Action menu, and click NTP Synchronization.
- Select ENABLED, and click OK. This starts the NTP daemon in BSD to perform the NTP sync.
enable ntp sync
- You can click the System node to view the System Time.
- If you need to manually set the time:
- SSH (Putty) to the Citrix ADC appliances.
- Run shell to access BSD.
- Run date to manually set the time. Run date --help to see the syntax.
- ntpdate -u pool.ntp.org will cause an immediate NTP time update. You’ll need to disable NTP Sync before you can run this command.
SYSLOG Server
Citrix CTX120609 NetScaler Log Rotation and Configuration Using Newsyslog
The Citrix ADC will, by default, store a few syslogs on the local appliance. You can create a syslog policy to also send the syslog entries to an external server, like Citrix Application Delivery Management (ADM).
- On the left, expand System, expand Auditing, and click Syslog.
- On the right, switch to the Servers tab, and click Add.
- Enter a name for the Syslog server.
- You can change Server Type to Server Domain Name, and enter a FQDN.
- Enter the IP Address or FQDN of the SYSLOG server, and 514 as the port.
- Configure the Log Levels you’d like to send to it by clicking CUSTOM – typically select everything except DEBUG.
- Select your desired Time Zone and Date Format.
- You can optionally enable other logging features. User Configurable Log Messages lets you use Responder policies to generate log entries.
- Then click Create.
add audit syslogAction MySyslogServer 10.2.2.12 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING -timeZone LOCAL_TIME -userDefinedAuditlog YES
add audit syslogAction MySyslogServer syslog.corp.local -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING -timeZone LOCAL_TIME -userDefinedAuditlog YES
- On the right, switch to the Policies tab, and then click Add.
- Give the policy a descriptive name.
- Change the Expression Type selection to Advanced Policy.
- Select the previously created Syslog server.
- And then click Create.
add audit syslogPolicy MySyslogServer true MySyslogServer
- While still on the Policies tab, open the Actions menu, and click Classic Policy Global Bindings or Advanced Policy Global Bindings, depending on which one you chose when creating the Syslog policy.
- Click Add Binding.
- Click where it says Click to select.
- Click the radio button next to the Syslog policy you want to bind, and then click the blue Select button at the top of the page.
- Change the Priority to 100 or similar.
- If you don’t select anything in Global Bind Type, then it defaults to SYSTEM_GLOBAL.
- Click Bind.
- Click Done.
bind audit syslogGlobal -policyName MySyslogServer -priority 100
bind system global MySyslogServer -priority 100
SNMP – MIB, Traps, and Alarms
- On the left, expand System, and click SNMP.
- On the right, click Change SNMP MIB.
- Change the fields as desired. Your SNMP tool (e.g. Citrix Application Delivery Management (ADM)) will read this information. Click OK.
- This configuration needs to be repeated on the other node.
set snmp mib -contact NSAdmins@corp.com -name ns02 -location Corp
- Expand System, expand SNMP, and click Community.
- On the right, click Add.
- Specify a community string, and the Permission, and click Create.
add snmp community public GET
- On the left, under SNMP, click Traps.
- On the right, click Add.
- Specify a trap destination. The fields will vary for V2 vs V3. Click Create. You’ll have to add the Trap Destinations twice so you can select both Generic and Specific.
add snmp trap generic 10.2.2.12 -communityName public
add snmp trap specific 10.2.2.12 -communityName public
- On the left, under SNMP, click Managers.
- On the right, click Add.
- Change the selection to Management Network.
- Specify the IP of the Management Host, and click Create.
add snmp manager 10.2.2.12
- The Alarms node allows you to enable SNMP Alarms and configure thresholds.
- You can Edit an alarm to set thresholds. For example, CPU-USAGE can be set to 90% alarm, and 50% normal, with a Critical severity.
set snmp alarm CPU-USAGE -thresholdValue 90 -normalValue 50 -severity Critical
- You can also configure the MEMORY alarm.
set snmp alarm MEMORY -thresholdValue 90 -normalValue 50 -severity Critical
From http://www.slideshare.net/masonke/net-scaler-tcpperformancetuningintheaolnetwork: In addition to the usual OIDs, we have found these very useful to warn of potential problems.
- ifTotXoffSent – .1.3.6.1.4.1.5951.4.1.1.54.1.43
- ifnicTxStalls – .1.3.6.1.4.1.5951.4.1.1.54.1.45
- ifErrRxNoBuffs – .1.3.6.1.4.1.5951.4.1.1.54.1.30
- ifErrTxNoNSB – .1.3.6.1.4.1.5951.4.1.1.54.1.31
Call Home
Citrix Blog Post – Protect Your NetScaler From Disaster With Call Home!: If you have a physical Citrix ADC (MPX or SDX) with an active support contract, you may optionally enable Call Home to automatically notify Citrix Technical Support of hardware and software failures.
Call Home at Citrix Docs has information on how it works.
From the Citrix ADC release notes: Call Home is now enhanced to send Citrix ADC usage metrics to Citrix Insight Services (CIS) periodically. Citrix collects the data to understand how the appliance works and how to improve the product. By default, Call Home sends the metrics once in every 7 days. For more information, see Call Home at Citrix Docs.
To enable Call Home:
- On the left, expand System, and click Diagnostics.
- On the right, in the left column, in the Technical Support Tools section, click Call Home.
- Check the box next to Enable Call Home.
- Optionally enter an email address to receive notifications from Citrix Technical Support. Click OK.
- If you go back into Call Home, it should indicate if registration succeeded or failed. Successful registration requires an active support contract.
Change nsroot Password
- In ADC 13.0 build 67 and newer, you’ll be forced to change the default nsroot password.
- If you want to force strong passwords for local accounts, go to System > Settings, and on the right, click Change Global System Settings
- Scroll down to the Password section.
- You can change Strong Password to Enable Local, and also specify a Min Password Length. Click OK.
- Expand System, expand User Administration, and click Users.
- On the right, right-click nsroot, and click Change Password.
- Specify a new password and click OK.
set system user nsroot Passw0rd
TCP, HTTP, SSL, and Security Settings
Citrix Docs Introduction to best practices for Citrix ADC MPX, VPX, and SDX security
Best practice settings:
- On the left, expand System, and click Settings.
- On the right, in the right column, click Change TCP parameters.
- Check the box for Window scaling (near the top) and set the Factor to 8.
- Scroll down and check the box for Selective Acknowledgement.
- Nagle’s algorithm should not be checked.
- Click OK.
set ns tcpParam -WS ENABLED -SACK ENABLED
- On the right, click Change HTTP parameters.
- Under Cookie, change the selection to Version1. This causes Citrix ADC to set Cookie expiration to a relative time instead of an absolute time.
set ns param -cookieversion 1
- Check the box next to Drop invalid HTTP requests. Note: this might break some web sites.
- Scroll down, and click OK.
set ns httpParam -dropInvalReqs ON
- From Citrix CTX232321 Recommended TCP Profile Settings for Full Tunnel VPN/ICAProxy from NetScaler Gateway 11.1 Onwards:
- Expand System, and click Profiles.
- On the right, on the tab named TCP Profiles, edit the nstcp_default_profile.
- Enable Window Scaling with a factor of 8.
- Set Minimum RTO (in millisec) = 600.
- Set TCP Buffer Size (bytes) = 600000
- Set TCP Send Buffer Size (bytes) = 600000
- Change TCP Flavor = BIC.
- Enable Selective Acknowledgement. Don’t enable Nagle’s algorithm.
- Click OK when done.
- You can run the following command to see statistics on the dropped packets:
nsconmsg -g http_err_noreuse_ -d stats
- See CTX209398 Addressing false positives from CBC and MAC vulnerability scans of SSHD to harden SSHD by editing /nsconfig/sshd_config with the following:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160
Then run the following to restart SSHD:
kill -HUP `cat /var/run/sshd.pid`
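To confirm the edit took effect (and that no CBC cipher is still offered, which is what the scan in CTX209398 flags), here is an added Python checker; it is not from the original post or from Citrix. It follows sshd's first-occurrence-wins rule for duplicate keywords and stops at a Match block; the two sample configs are constructed.

```python
"""Added example: check that an sshd_config carries the Ciphers and MACs lines
recommended above, and list any CBC ciphers still offered."""

# Constructed sample configs (not copied from an appliance): before and after the change.
BEFORE = """\
# constructed sample
Port 22
Ciphers aes128-cbc,3des-cbc,aes128-ctr
MACs hmac-md5,hmac-sha1
"""
AFTER = """\
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160
"""

# The two lines the section above says to put in /nsconfig/sshd_config.
RECOMMENDED = {
    "ciphers": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "macs": ["hmac-sha1", "hmac-ripemd160"],
}


def parse_sshd_config(text: str) -> dict:
    """Return {keyword(lower): value} for the global section. sshd honours the first
    occurrence of a keyword, so later duplicates are ignored; parsing stops at the
    first Match block because settings below it are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword not in settings:
            settings[keyword] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def list_setting(settings: dict, keyword: str) -> list:
    """Split a comma-separated value such as Ciphers/MACs; empty list when unset."""
    value = settings.get(keyword, "")
    return [item.strip() for item in value.split(",") if item.strip()]


def cbc_ciphers(text: str) -> list:
    """CBC-mode ciphers still offered by the global Ciphers line."""
    return [c for c in list_setting(parse_sshd_config(text), "ciphers") if c.endswith("-cbc")]


def findings(text: str) -> list:
    """Human-readable deviations from the recommended Ciphers/MACs lines."""
    settings = parse_sshd_config(text)
    out = []
    for keyword, wanted in RECOMMENDED.items():
        actual = list_setting(settings, keyword)
        if not actual:
            out.append(f"{keyword}: not set, sshd default list applies")
        elif actual != wanted:
            out.append(f"{keyword}: {','.join(actual)} (recommended {','.join(wanted)})")
    for cipher in cbc_ciphers(text):
        out.append(f"cbc cipher offered: {cipher}")
    return out
```

Run findings(open("/nsconfig/sshd_config").read()) from the appliance shell after the edit; an empty list means both lines match the recommendation.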
Citrix Knowledgebase articles:
- CTX228148 How to Lock Down the NetScaler Management Interfaces with ACLs
- Also see CTP George Spiers How to secure management access to NetScaler and create unique certificates in a highly available setup
- CTX109011 How to Secure SSH Access to the NetScaler Appliance with Public Key Authentication
- CTX127917 How to Configuring the Rate Limiting Feature of a NetScaler Appliance to Mitigate a DDoS Attack
- CTX131681 How to Use NetScaler Appliance to Avoid Layer 7 DDoS Attacks
- CTX209398 Addressing false positives from CBC and MAC vulnerability scans of SSHD
The following security configurations are detailed by Jason Samuel at Mitigating DDoS and brute force attacks against a Citrix Netscaler Access Gateway:
- Maximum logon attempts on Citrix Gateway Virtual Server
- Rate Limiting for IP.SRC and HTTP.REQ.URL.
- nstcp_default_XA_XD_profile TCP profile on the Citrix Gateway Virtual Server.
- Syslog logging
- External website monitoring
- Obfuscate the Server header in the HTTP response
- Disable management access on SNIPs
- Change nsroot strong password, use LDAP authentication, audit local accounts
- Don’t enable Enhanced Authentication Feedback
- SSL – disable SSLv3, deny SSL renegotiation, enable ECDHE ciphers, disable RC4 ciphers.
- 2-factor authentication
- Citrix Application Delivery Management (ADM)
- Review IPS/IDS & Firewall logs
Management Authentication – LDAP
Load balancing of LDAP servers is strongly recommended. If you bind multiple LDAP servers instead of load balancing them, Citrix ADC will try each of the LDAP servers, and for incorrect passwords, will lock out the user sooner than expected. But if you instead load balance your LDAP servers, the authentication attempt will only be sent to one of them.
- Expand System, expand Authentication, expand Basic Policies, and then click LDAP.
- On the right, switch to the Servers tab. Then click Add.
- Enter LDAPS-Corp-Mgmt or similar as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain so make sure you include the domain name. Also, the LDAP policy used for management authentication will be different than the LDAP policy used for Citrix Gateway.
- Change the selection to Server IP. Enter the VIP of the Citrix ADC load balancing vServer for LDAP.
- Change the Security Type to SSL.
- Enter 636 as the Port. Scroll down.
- In the Connection Settings section, in the Base DN field, enter your Active Directory DNS domain name in LDAP format.
- In the Administrator Bind DN field, enter the credentials of the LDAP bind account in userPrincipalName format.
- Enter the Administrator Password (bind account password). Click Test LDAP Reachability. Scroll down.
- In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
- On the right, check the box next to Allow Password Change.
- It is best to restrict access to only members of a specific group. In the Search Filter field, enter memberOf=<GroupDN>. See the example below:
memberOf=CN=Citrix ADC Administrators,OU=Citrix,DC=corp,DC=local
You can add :1.2.840.113556.1.4.1941: to the query so it searches through nested groups. Without this, users will need to be direct members of the filtered group.
memberOf:1.2.840.113556.1.4.1941:=CN=Citrix ADC Administrators,OU=Citrix,DC=corp,DC=local
Citrix 132802 How to Use the ldapsearch Utility on the NetScaler Gateway Enterprise Edition Appliance to Validate a Search Filter
An easy way to get the full distinguished name of the group is through Active Directory Users & Computers. Make sure Advanced Features is enabled in the View menu. Double-click the group object. Switch to the Attribute Editor tab. Scroll down to distinguishedName, double-click it, and then copy it to the clipboard.
Back on the Citrix ADC, in the Search Filter field, type in memberOf=, and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
- Scroll down and click More to expand it.
- For Nested Group Extraction, if desired, change the selection to Enabled.
- Set the Group Name Identifier to samAccountName.
- Set Group Search Attribute to –<< New >>–, and enter memberOf.
- Set Group Search Sub-Attribute to –<< New >>–, and enter CN.
- Scroll down, and click Create.
add authentication ldapAction Corp-Mgmt -serverIP 10.2.2.210 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=Citrix ADC Admins,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
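The Search Filter above is pasted as a raw DN, and the page notes that spaces are fine; what does need care are LDAP filter metacharacters (parentheses, asterisks, backslashes) in a group name, and the user name that is combined with the filter at logon. The following Python is an added example, not from the original post or from Citrix: it builds the plain and nested-group (1.2.840.113556.1.4.1941) forms of the filter with RFC 4515 escaping, splits a pasted DN into RDNs so a malformed paste is caught before it reaches the appliance, and composes the AND filter a login would send. The user_lookup_filter shape is an assumption about how ADC combines the two.

```python
"""Added example: build and validate the memberOf search filter described above."""

# Matching-rule OID quoted in the section above (LDAP_MATCHING_RULE_IN_CHAIN).
NESTED_GROUP_RULE = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: characters that must be escaped as \XX inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter. Spaces and commas in a DN
    need no escaping here, which is why the GUI field accepts the DN as pasted."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def split_dn(dn: str) -> list:
    """Split a DN into (type, value) RDNs, honouring RFC 4514 backslash escapes such
    as 'CN=Doe\\, John'. Raises ValueError for an RDN without 'type=value'."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep both bytes
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        typ, sep, val = rdn.strip().partition("=")
        if not sep or not typ.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((typ.strip(), val))
    return pairs


def member_of_filter(group_dn: str, nested: bool = False) -> str:
    """The Search Filter field value: memberOf=<DN>, or memberOf:<OID>:=<DN> to also
    match users whose membership is through nested groups."""
    split_dn(group_dn)                      # reject a mangled paste early
    attribute = f"memberOf:{NESTED_GROUP_RULE}:" if nested else "memberOf"
    return f"{attribute}={escape_filter_value(group_dn)}"


def user_lookup_filter(login_attr: str, username: str, search_filter: str) -> str:
    """Assumption (hypothetical helper): the filter sent at logon, as an AND of the
    login-name lookup and the Search Filter. The username is escaped so a value
    containing filter metacharacters cannot change the query's structure."""
    return f"(&({login_attr}={escape_filter_value(username)})({search_filter}))"
```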
- On the left, go to System > Authentication > Advanced Policies > Policy.
- On the right, click Add.
- Enter the name LDAPS-Corp-Mgmt or similar.
- Change the Action Type drop-down to LDAP.
- Select the previously created LDAPS-Corp-Mgmt server.
- On the bottom, in the Expression area, type in true.
- Click Create.
add authentication Policy LDAPS-Corp-Mgmt -rule true -action LDAPS-Corp-Mgmt
- Click Global Bindings in the right pane.
- Click where it says Click to select.
- Click the radio button next to the newly created LDAP policy, and then click the blue Select button at the top of the page.
- Click Bind.
- Click Done.
bind system global LDAPS-Corp-Mgmt -priority 100 -gotoPriorityExpression NEXT
- Under System, expand User Administration, and click Groups.
- On the right, click Add.
- In the Group Name field, enter the case sensitive name of the Active Directory group containing the Citrix ADC administrators.
- ADC 13.0 build 41 and newer lets you restrict a group to the CLI only. Note that GUI access requires API permissions.
- In the Command Policies section, click Bind.
- Select the superuser policy, and click Insert.
- Scroll down, and click Create.
add system group "Citrix ADC Admins" -timeout 900
bind system group "Citrix ADC Admins" -policyName superuser 100
- To prevent somebody from creating an nsroot account in LDAP (Active Directory) and then using that external nsroot account to login to ADC, disable external authentication on the local nsroot account.
- On the left, go to System > User Administration > Users.
- On the right, edit the nsroot user.
- At the top of the page, in the System User section, click the pencil icon.
- Uncheck the box next to Enable External Authentication and then click Continue.
- Click Save and then click Done.
- If you log out, you should be able to log in to Citrix ADC using an Active Directory account.
Management Authentication – Two Factor
Citrix ADC supports two factor authentication for management access. The technology is based on nFactor but works in all editions of ADC (no licensing restrictions). Here’s a summary of the configuration steps with more detail coming later:
- The first authentication factor must be an Advanced Authentication Policy that is bound globally. Classic Authentication Policies will not work.
- Create a Login Schema to ask for the second factor password (i.e. passcode).
- This Login Schema is for second factor only and has no effect on the first factor. The second factor Login Schema should only ask for a single password prompt. It doesn’t appear to be possible to ask for both factors using the same Login Schema.
- Login Schema for the second factor does not use the normal nFactor language files and you instead must hard code the password prompt label for the second factor logon field directly in the Login Schema .xml file.
- Create an Advanced Authentication Server and Policy for the second factor (e.g. RADIUS).
- Create an Authentication Policy Label with Feature Type set to RBA_REQ. This is not the default so make sure you change the Feature Type drop-down field.
- When creating the Policy Label, select the Login Schema for the second factor.
- Bind the second factor Advanced Authentication Policy to the Policy Label.
- Go to Global Bindings for Authentication, edit the existing authentication binding, click Next Factor, and select your new Policy Label. That’s it.
Here are detailed configuration instructions for adding a second authentication factor to the management logon page.
- Login Schema XML File:
- Point WinSCP to your ADC appliance.
- Navigate to /nsconfig/loginschema/LoginSchema and download the SingleAuth.xml file.
- Rename the file to MgmtNextFactor.xml or something like that.
- Edit the file.
- Look for the <Requirement> element with ID of passwd. Then look for the Label and set the Text field to whatever you want displayed on the second password page. Save the file when done.
- The Label Text you enter will be shown on the second factor logon page.
- In WinSCP, change the directory to /nsconfig/loginschema, which is one directory up from where you downloaded the file.
- Upload your modified file.
- RADIUS Authentication Server:
- Follow the link for instructions to create a RADIUS Server. Only create the Server object. The Policy object will be created later when creating the Authentication Policy Label.
add authentication radiusAction RADIUSMgmt -serverName 10.2.2.42 -serverPort 1812 -radKey b746744 -encrypted -encryptmethod ENCMTHD_3
- On the left, go to System > Authentication > Advanced Policies > Policy Label.
- On the right, click Add.
- Name the Policy Label MgmtNextFactor or similar.
- In the Login Schema field, click Add.
- Name the Login Schema MgmtNextFactor or similar.
- In the Authentication Schema field, click the pencil icon.
- On the left, select the Login Schema .xml file you uploaded earlier.
- On the top right, click the blue Select button. Do NOT click Create on the bottom left until you’ve clicked this blue Select button.
- The window collapses showing you the Login Schema file that you selected. Now you can click Create.
add authentication loginSchema MgmtNextFactor -authenticationSchema "/nsconfig/loginschema/MgmtNextFactor.xml"
- Back in the Authentication Policy Label screen, notice that you can edit the Login Schema object from here.
- Change the Feature Type drop-down to RBA_REQ. If you don’t do this, then you won’t be able to bind this later.
- Click Continue.
add authentication policylabel MgmtNextFactor -type RBA_REQ -loginSchema MgmtNextFactor
- In the Policy Label’s Policy Binding field, click Add.
- Name the Authentication Policy RADIUSMgmt or similar.
- Change the Action Type drop-down to RADIUS.
- Select the RADIUS server that you created earlier. Or you can Add one from here.
- In the Expression box, enter the word true and then click Create.
add authentication Policy RADIUSMgmt -rule true -action RADIUSMgmt
- Back in the Policy Label Policy Binding screen, click Bind.
bind authentication policylabel MgmtNextFactor -policyName RADIUSMgmt -priority 100 -gotoPriorityExpression NEXT
- The Authentication Policy Label configuration is complete so click Done.
- On the left, go to System > Authentication > Advanced Policies > Policy.
- On the right, click the Global Bindings button.
- You should already have an Advanced Authentication Policy bound globally.
add authentication ldapAction LDAPS-Corp-Mgmt -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword 5054fc33f673bf4c5c6 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED
add authentication Policy LDAPS-Corp-Mgmt -rule true -action LDAPS-Corp-Mgmt
bind system global LDAPS-Corp-Mgmt -priority 100 -gotoPriorityExpression END
- Right-click your existing global binding and click Edit Binding.
- In the Next Factor field, click where it says Click to select.
- Click the small circle next to your Management Next Factor Policy Label and then click the blue Select button at the top of the page.
- Back in the Policy Binding screen, click Bind.
bind system global LDAPS-Corp-Mgmt -priority 100 -nextFactor RADIUSMgmt -gotoPriorityExpression END
- Click Done to close the Global Authentication Policy Binding screen.
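The Login Schema edit at the top of this procedure (find the <Requirement> whose Credential ID is passwd and change its Label Text) done programmatically, as an added Python example that is not part of this article or of NetScaler: it assumes the schema namespace http://citrix.com/authentication/response/1 used by the stock files and runs on a constructed sample modelled on the shipped OnlyPassword schema, refusing to write anything if the passwd requirement is missing, duplicated, or not a masked password field.

```python
import sys
import xml.etree.ElementTree as ET

# Namespace of the login schema files under /nsconfig/loginschema/LoginSchema/
# (assumed here from the stock files; check the xmlns of the file you copied).
NS = "http://citrix.com/authentication/response/1"
# Serialise with a default namespace so the output keeps xmlns="..." and does
# not grow ns0: prefixes on every element.
ET.register_namespace("", NS)

# Constructed sample modelled on the stock OnlyPassword.xml: one password
# requirement plus the submit button.
SAMPLE_SCHEMA = f"""<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="{NS}">
  <Status>Success</Status>
  <Result>More-Info</Result>
  <StateContext/>
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
    <CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement>
        <Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential>
        <Label><Text>Password:</Text><Type>plain</Type></Label>
        <Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input>
      </Requirement>
      <Requirement>
        <Credential><ID>loginBtn</ID><Type>none</Type></Credential>
        <Label><Type>none</Type></Label>
        <Input><Button>Submit</Button></Input>
      </Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>
"""


def _q(tag):
    """Namespace-qualify a login schema tag for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


def _passwd_requirements(root):
    """All <Requirement> elements whose Credential/ID is 'passwd'."""
    return [
        req for req in root.iter(_q("Requirement"))
        if req.findtext(f"{_q('Credential')}/{_q('ID')}") == "passwd"
    ]


def get_passwd_label(schema_xml):
    """Current Label/Text of the passwd requirement, or '' if absent."""
    root = ET.fromstring(schema_xml)
    reqs = _passwd_requirements(root)
    if not reqs:
        return ""
    return reqs[0].findtext(f"{_q('Label')}/{_q('Text')}") or ""


def set_passwd_label(schema_xml, label_text):
    """Return the schema with the passwd requirement's label replaced.

    Refuses (ValueError) when the requirement is missing or duplicated, or
    when its credential is not a masked password field, so a stray edit
    cannot silently turn the second-factor prompt into a plain-text input.
    """
    root = ET.fromstring(schema_xml)
    reqs = _passwd_requirements(root)
    if len(reqs) != 1:
        raise ValueError(f"expected one passwd requirement, found {len(reqs)}")
    req = reqs[0]
    if req.findtext(f"{_q('Credential')}/{_q('Type')}") != "password":
        raise ValueError("passwd requirement is not a password-type credential")
    text_el = req.find(f"{_q('Label')}/{_q('Text')}")
    if text_el is None:
        raise ValueError("passwd requirement has no Label/Text element")
    text_el.text = label_text
    # Emit the declaration ourselves: the stock files are UTF-8 and the
    # unicode serialiser of ElementTree does not add one.
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python edit_login_schema.py in.xml out.xml "RADIUS passcode:"
    # With no arguments it rewrites the constructed sample and prints it.
    if len(sys.argv) == 4:
        with open(sys.argv[1], encoding="utf-8") as fh:
            updated = set_passwd_label(fh.read(), sys.argv[3])
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            fh.write(updated)
    else:
        print(set_passwd_label(SAMPLE_SCHEMA, "RADIUS passcode:"))
```

Run it against the copy you downloaded with WinSCP, then upload the output file to /nsconfig/loginschema as described above.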
CLI Prompt
- When you connect to the Citrix ADC CLI prompt, by default, the prompt is just a > character.
- You can run set cli prompt %u@%h to make it the same as a UNIX prompt. See Citrix Docs for the cli prompt syntax.
Backup and Restore
Citrix Application Delivery Management (ADM) can automatically back up your instances. Or you can do it manually:
- Save the configuration.
- On the left, expand System, and click Backup and Restore.
- On the right, click Backup/Import.
- Give the backup file a name.
- For Level, select Full, and click Backup.
- Once the backup is complete, you can download the file.
For a PowerShell script, see John Billekens' Create offline backups of the NetScaler config.
To restore:
- If you want to restore the system, and if the backup file is not currently on the appliance, click the Backup/Import button.
- Change the selection to Import.
- Browse Local to the previously downloaded backup file.
- Then click Backup. This uploads the file to the appliance and adds it to the list of backup files.
- Now you can select the backup, and click Restore.
Hi Carl,
I hope you see this message. I am having issues with my setup. So, I imported the NSVPX 14.1 to VMware Player Workstation 17, and the installation/import was successful, but when I tried to access the NSIP through the browser it is not accessible.
My FW is currently disabled.
NSIP: 10.25.64.201
GW: 10.25.65.201
Is that two different NICs/subnets? If so, open the console of the machine and enter the following:
enable ns mode mbf
Then you’ll need to fix routing in the NetScaler config.
Hi,
we are trying to do a fresh install of Citrix ADC 14.1 on Hyper-V 2022, we can configure an IP (pingable) but we can't connect to the WEB GUI? Any idea?
Thanks,
P.
How many NICs/networks? Try a single NIC/network.
Hi Carl, We recently upgraded to NS 13.1 and have just become aware that HTTP DOS is deprecated in favour of APPQoE.
The Citrix documentation leaves a lot to be desired – as usual….
Do you have any guidance on how we can configure APPQoE to achieve DOS protection? I did some searching but couldn't find any relevant article – apologies if I have missed it!
Hi Carl,
I tried upgrading my ADC to 14.1 this weekend and when I logged into it, everything was unlicensed (LB, CSG, CS, etc). If I’m reading this https://docs.netscaler.com/en-us/citrix-application-delivery-management-service/manage-licenses/flexed-capacity-license
correctly, we have to move to using ADM (now Console) to do the licensing? Do we have to use Citrix Cloud or is ADM still going to be available on-prem?
I don’t suppose you’ve got a walk through on that yet? 🙂
Use WinSCP to connect to NetScaler. Go to /nsconfig/license. Edit the newest file. There are dates in the INCREMENT row. Are they expired? If so, go to https://citrix.com/account and re-download the license file.
Thanks, that was it. I thought it was weird that the same license file was fine through all the 13.x upgrades this year but failed on 14.1.
Do you know if this flex license system is going to be required in the future?
Mike
Flex replaces Pooled Licensing. It’s an alternative to fixed bandwidth term licenses.
If I use 10/1 and 10/2 in a channel for data, and port 0/1 for a dedicated management network, should I be worried about lack of redundancy on the management network as there’s only a single port being used?
You can move the NSIP to a VLAN that is on a Port Channel and disconnect 0/1.
HA Heartbeats go out all interfaces, not just 0/1.
Hi Carl, we want to publish the management server via Citrix ADC but because the traffic to the management server is routed (static) over the management IP we can't.
Any idea how to force this single virtual server to route ICA traffic via the SNIP and overrule the static route?
Net Profile lets you specify a SNIP that Gateway should use.
You can add /32 routes.
Hi Carl, thanks for your reply. If I create a net_profile to specify the SNIP address as source it does not overwrite the /32 route that is present to route to the management server. Sounds logical, as the default route is pointing to the internet. I guess the only thing we can do is enable management on the SNIP. There is a firewall behind it anyway.
You can add a PBR to send all traffic with a source IP of your SNIP to whatever next hop you want.
Hi Carl,
Question, is it possible to configure HA and synchronization heartbeat not in NSIP?
We have a customer that has an HA pair but they want to configure the HA pair only via the data port where the SNIP resides. Also they want that when the management network is down, the status of HA is still normal and access to applications still works.
In short, they only want the management of NetScaler ADC to work for management purposes only, so in case the management switches or network go down the ADC still serves its purpose to users.
Thank you,
GJ.
See https://docs.netscaler.com/en-us/citrix-adc/current-release/system/high-availability-introduction/restricting-high-availability-synchronization-traffic-to-a-vlan.html. I’m not sure what IPs it uses.
HA Heartbeats are enabled/disabled at each interface/channel.
Is it ok to use the virtual server (load balanced LDAPS) for DNS (SNIP) or should I put my two domain controllers separately? I’m not sure if some part of the ADC uses the management IP address for DNS lookup or it all goes through the SNIP. This has been one interesting learning experience! I’ve never touched a NS before but it sure does make my head hurt 🙂 Thanks for all you do! I have 6 days left on my license (out of 30) and I hope I can make it.
DNS requests are NSIP to 127.0.0.2, which then uses SNIP to send to DNS servers.
Hi Carl,
after the upgrade to the NS14.1-8.50 firmware it seems that the floating IP management part for the SSL part no longer works.
In fact, the part relating to the mgmt service is lost.
For example:
> show service -summary
————————————————– ——————————————-
Name State IP Addr Port Protocol MaxClients MaxReqs
————————————————– ——————————————-
1 DC01…OCAL UP 192.168.5.31 53 DNS 0 0
2 DC02…OCAL UP 192.168.5.30 53 DNS 0 0
3 mgmt-SSH UP 127.0.0.1 22 TCP 256 0
Done
>
If I try to recreate the mgmt service, as per your example, I get the following error:
> add service mgmt 127.0.0.1 HTTP 80
ERROR: Resource already exists
>
and obviously then I can’t bind the service with the lb mgmt-SSL virtual server and consequently the floating IP for the management GUI over HTTPS doesn’t work.
In the configuration I don’t find any reference to services that use 127.0.0.1 on port 80 except in the internal services (nshttpd-gui-127.0.0.1-80).
If I connect with this service to the mgmt-SSL lb the floating point seems to work because it shows me the management page over HTTPS, but even if I use the correct credentials it DOES NOT allow me to authenticate…
Do you know how to resolve or other workaround?
Thank you very much!
Best regards,
Fabio.
I see the same in 14.1. Citrix might have closed a loophole.
Thanks for the answer, but there is a solution?
Thanks,
Fabio.
Hi Carl,
Can you configure a ‘Floating Management IP’ without the dedicated mgmt subnet in version 14.1?
I had it working on older versions but keep getting ‘Resource already exists’ when creating the load balancing service as it clashes with Internal Services.
Thanks
Dave
Hi Carl,
Followed your steps which were great! When I create the first Citrix Gateway, the state shows as down. The NetScaler has the same routes as the old pair (currently still active) and has the same firewall rules for the new gateway. The NetScaler can ping out externally and hit all required internal IPs. I can see that the "web interface" shows as disabled in the licensing features but it is enabled on the old ones – can this be the issue and is there a guide to enable this as I don't see an option in features in the GUI for this or on the command line?
Thanks in advance
Web Interface is a really old feature that should not be used.
Down on Gateway usually means that a certificate is not bound to the Gateway. Or do you mean the STAs are down?
No problem, noted.
The Gateway had the cert assigned (although the chain was incomplete). I have then recreated it using the Gateway wizard and it now works (with the cert chain still incomplete) so not sure where I had gone wrong!
Is it possible to send custom logs to the local syslog server?
(Rather than an external one.)
Link this? https://www.citrix.com/blogs/2020/08/25/citrix-adc-syslog-configuration-the-missing-pieces/
Hi Carl,
Configuring NSVLAN
https://docs.netscaler.com/en-us/citrix-adc/current-release/networking/interfaces/configuring-nsvlan.html
set ns config -nsvlan -ifnum … [-tagged (YES|NO)]
set ns config -nsvlan 300 -ifnum 1/1 1/2 1/3 -tagged YES
set ns config -nsvlan 100 -ifnum 1/1 -tagged no
What is the difference with -tagged (YES|NO)?
And how about the HA heartbeat flow? Thanks.
If your NSVLAN is on a trunk port and if your switch requires the VLAN to be tagged, then set tagged to YES.
NSVLAN restricts the NSIP to a VLAN, which is restricted to an interface channel. I think HA heartbeat still uses all interfaces unless you disable HA Heartbeat on those interfaces. HA Sync is on the NSIP interface/VLAN.
Thank you Carl.
I have a new pair of MPX 5901,
for simplicity, NSIP, SNIP, VIP will be in the same subnet, I will use one interface in NetScaler, is it OK?
Could you provide more best practices design (one arm, two arm) for us, thank you again.
You should do a port channel for interface redundancy. Or you can connect each node in the pair to different switches.
Hello,
How do I make a connection using the DOMAIN user through the secondary NS
For some reason it doesn’t work only through the secondary.
Through the main NS everything is fine
Are you asking about management? Are you load balancing LDAP? Do your NetScalers have a dedicated management interface? If so, did you configure PBRs?
Hi
Yes it is for management
I have a dedicated management interface
No, it is not load balanced.
When I do a test connection on the LDAP server on the secondary it fails
Try configuring PBRs.
Facing issues with HA Synch but HA failover works fine without user interruption.
Have 2 HA pairs and in both pairs, High Availability Synch fails, "unable to connect to primary, please check the network connectivity from secondary to Primary." Upgraded Firmware NS13.122.47nc a month before but did not notice the synch issue and not sure it's related to the firmware upgrade. TLS1.2 is enabled in the SSL profile applied to all Internal services. Any thoughts?
Hi Carl,
I'm sure I've seen this somewhere but I can't find it anywhere.
I have 2x HA pairs of VPX 13.0, the LDAPS virtual server is configured with an internal IP (i.e. 192.168.0.123). On one of the HA pairs I can use my domain account to log into the secondary node but on the other HA pair I can't, it just comes back with the following: 'Invalid username or password'.
They "should" be configured identically but I can't figure it out.
Thanks
Dave
Do you have a PBR for all NSIP-sourced traffic to be sent through the NSIP network’s router?
Thanks for the quick reply.
PBR hasn’t been configured on either pair.
We are presently running NS13.0.82.45.nc, can I directly perform an in-place upgrade onto build-13.1-37.38_nc_64?
We are only using it for StoreFront Load balancing.
I thought I read somewhere once that a migration would be needed to move onto NS13.1.x, but could no longer trace it.
Thanks
Yes, you can skip minor builds while upgrading.
13.1 still has all the Classic policies that Citrix Gateway supported in 13.0.
Hi Carl,
I am working on migrating from two physical MPX appliances to a pair of VPX's and wanted your take on something. I can't find documentation on how to deploy VPX's with 10G interfaces. We are running on a Dell VxRail, which has all 10G physical interfaces, and all of our VM's are using the VMXNET3 NIC and show a Speed of 10G. That is not the case with our VPX's, as they are showing only 1G.
Is there a configuration requirement needed for 10G? Our ESXi environment is vSphere 7.0
Are you able to exceed 1 GB on single NIC in VPX? NIC speed shown in guest doesn’t always match the host uplink. Higher speeds might need SR-IOV.
Hi Taylor, did you find an answer to this question? We are currently having the same interrogation over here. Our vmxnet3 NICs are recognized as 1G instead of 10G. We know that we could use SR-IOV to achieve that, but vmxnet3 should be able to do 10G.
Please let us know !
Hello Carl,
I've been searching the internet on how to install ADC 13.0 on a VirtualBox VM for lab testing only. I have not really found anything that really helps me. Only that it can be done. I know you are the expert. Is this possible? If so, can you point me to something I can follow so I can get this done.
Thanks in advance if you can help.
I have always appreciated your wonderful instructions of Citrix.
I have found a weird thing in ADC VPX regarding the CPU 100% on VMware.
I have installed v13.1 33.47 on VMware 7.0.3
When I leave it as default in CPU Yield, CPU consumption alerts come up in vSphere.
When I change it to Yes in CPU Yield, CPU consumption level turns to low.
But ping response time is slower than before so I did ping to the local interface and it's slow as well. Without CPU Yield 'YES' ping results are less than 1ms but with 'YES' it is 2~6ms. Ping to the gateway is slow as well.
I am curious if it is a known issue.
Dear Carl,
May I ask a stupid question? The nspepi tool creates a new_ns.conf file with updated configuration. This seems to be fine, but how do I get this back into the running configuration?
The explanation in Github "Move the configuration into production as per your normal configuration upgrade processes"… doesn't help me much.
I tried copying it to /nsconfig/ns.conf and rebooting the ADC (secondary) without saving the configuration, but after the reboot it gets the 'old' config back from the primary. I guess there must be an obvious way that I overlooked…
For HA pairs, try updating and replacing the configs on both nodes separately but at the same time. Shut down both. Power on one. Then power on the other.
Another option is to wipe the config on one, update the config on the other, and then rebuild the pair.
Thanks for the fast response. Before shutting down both ADCs, which would make the whole system unavailable, I first tried another idea (with the snapshots ready to revert to, in case it would fail ;).
I disabled synchronization on both sides, updated secondary, failover, updated other one, enabled synchronization, force synchronization on both sides.
It seems to work fine, did you see any danger in this approach?
That’s another option. 🙂
I ended up doing the same ‘shut down and restart both together’ trick to deal with the same issue Roel had. It works well but it does require an outage.
The stumbling point for updating configuration like this seems to be the automatic re-enabling of HA sync on reboot. It would be useful in some cases to be able to reboot the secondary while being able to guarantee that HA sync will not restart until I’m ready for it. For software upgrades this isn’t an issue since different versions typically won’t sync. For configuration changes from a prepared ns.conf file it is a bit of a pain.
Is there something I’m missing that would make this process easier?
Just FYI if anyone runs into HA errors on version 13
HA Sync Error after Upgrade : “Unable to connect to Primary. Please check the network connectivity from secondary to Primary”
Enable TLS1.2 on internal services for 3008 port and RPC secure communication will be successful.
https://support.citrix.com/article/CTX282530/ha-sync-error-after-upgrade-unable-to-connect-to-primary-please-check-the-network-connectivity-from-secondary-to-primary
I think the release notes for this week’s ADC firmware release say the same. Thanks for the reminder.
I tried this troubleshooting months ago and it didn’t work but thanks for sharing
Seems the link to “Magnus Andersson Deploy Citrix ADC VPX On Nutanix AHV” is broken. Redirects me to spam site.
This link works: https://magander.se/deploy-citrix-adc-vpx-on-nutanix-ahv/
Thanks for pointing it out. I updated the link.
Hi Carl
Not sure if this is the right forum.
We are experiencing intermittent nslog files not getting zipped, after a firmware upgrade, was hoping that you can provide some advice on what we need to look for.
All our ADC are in Azure, 2 ADC got impacted with this behavior out of HA pairs we have in DR/Prod
So far we see this happening @5am or @6am. When this first occurred a couple of nslog files were not getting zipped and caused an outage – we demoted primary and removed this from HA
FW Updated to NetScaler NS13.0: Build 86.17.nc
Thanks
Like this? https://support.citrix.com/article/CTX205014/netscaler-newnslog-files-not-compressed-which-results-in-var-directory-getting-full
Hi Carl, amazing work as always. I've two questions if you don't mind. I've gone with the setup of a VPX HA pair with the NSIPs in a mgmt network and the SNIP in a DMZ network. I'm trying to keep the NSIP to mgmt only by using the PBR rules above.
1. I've found the LDAP service group will only go through the SNIP if I create a PBR deny rule for LDAPS similar to your PBR rule nsip-dns, is that expected? Will all monitors try and use the NSIP?
2. In System > Authentication > Basic Policies > LDAP Server I can't get the authentication LDAP server to connect to the LDAPS virtual server. Using the IP of the LDAPS VIP I get 'Either '10.1.1.11' is not an LDAP server or port '636' is not a LDAP port.' Using the DNS name I get 'Either 'ldap.domain.local' is not an LDAP server or port '636' is not a LDAP port'. I've tried with a cert containing the name above and both domain controllers in the SAN and also a wildcard cert. Any ideas?
Only perl monitors, like the LDAP monitor, use NSIP. You can instead do a generic TCP monitor and that will use the SNIP.
ADC LDAP uses NSIP as source to reach the VIP. Anything blocking that route? You can run nstcpdump.sh host <Your_LDAP_VIP> to see the source and the traffic.
Thanks Carl, all green and working :-).
Hi Carl.
After a few months with the VPX’s set to HA, now my client wants to use specific certificates on each node for hostname matching.
I have been checking on the internet and it seems that it is not an easy task thinking about the synchronization.
So I would like to ask you what should be a better option:
1.- Create a folder called not_sync_cert (for example) and copy the key and certificate and then install and bind the services.
2.- import the certificates and simply install them and then link to the services. (this is where I’m worried about timing)
3.- Create a wildcard certificate to share the service.
Could you guide me on this issue?
Regards
I usually create a cert with Subject Alternative Names for each NSIP and bind it to the internal services.
Carl, I’m seeing a strange issue with my Always On VPN clients. ADC 13.0.84.11, After the users login to Secure Access Client, DNS and Default Gateway point to a random IP in the Internet IPs Pool vs what is expected which would be 10.0.0.1. This causes DNS to fail for clients. Any thoughts?
Hi Carl,
With DNS PBR or not, NetScaler always uses SNIP to query DNS (SNIP and DNS in the same segment)
Yes. Always SNIP.
If you don’t deny DNS in your PBRs, then PBRs for NSIP interfere with how ADC resolves DNS names. ADC uses NSIP to talk to 127.0.0.2, which then uses SNIP to talk to DNS. PBR interferes with the first part of the conversation.
Hi Carl,
Could you explain more details about why config DNS pbr.
I tested in my lab and it seems it's not the same result as https://www.citrix.com/blogs/2018/07/23/separating-netscaler-management-and-data-traffic-for-disa-stigs/
DNS does an internal loopback from NSIP to 127.0.0.2 or something like that. I needed DNS to bypass PBR. I have not tried the PBR in this blog.
You can do “nstcpdump.sh port 53” to see the DNS traffic.
I'm running two sites with a VPX and ADC with a DMZ and Internal interface. If I want to segregate the traffic on a single device, are admin partitions the current best practice?
I also am running a management interface without a SNIP and only the NSIP with the default route on the DMZ port and I don't seem to lose connection to the NSIP? Haven't done the entire PBR bit for setup and somehow am getting away with it? Does that make sense?
Sounds like you have “MAC based forwarding” enabled. We had that set on our MPX devices but I made sure to use the proper PBR config when we migrated to VPX.
Admin Partitions are Citrix’s preferred way of creating separate routing tables on a single appliance. However, not everything works. https://docs.citrix.com/en-us/citrix-adc/current-release/admin-partition/admin-partition-config-types.html
MBF handles reply traffic. PBR handles routing of traffic initiated by the NSIP (e.g., syslog, snmp, etc.). If ADC only has a route through a SNIP network then ADC might use the SNIP instead. You can do a nstcpdump.sh to see what source IP ADC is using.
Hello Carl,
I was going through your dedicated Management interface where you introduce PBR on the NSIP.
I’m going to have an ADC sit in a DMZ, but was going to have the NSIP sit in the trusted network. The ADC would have two interfaces, one in the trusted network where the NSIP resides, and one in the DMZ network. I would tag that DMZ network with a VLAN and associate that VLAN with a Traffic Domain. The VIP and SNIP’s would all be in the TD. The idea is that user traffic would pass through the DMZ – the SNIP would be involved with all backend traffic (including monitors). Would that accomplish something similar to your PBR methodology? This way, we can fully manage the ADC (SNMP, HTTPS access, LDAP management auth) without extra inbound firewall rules.
Thoughts?
nevermind… looks like Traffic Domains are going to be deprecated (fired up a 13.1 box). Admin Partitions it is!
I wouldn’t rely on Traffic Domains since they seem to be deprecated. Partitions are the replacement. https://github.com/citrix/ADC-scripts
Hi Carl,
I have configured 2FA the same way you did but somehow am not receiving the MFA password.
After LDAP authentication I am going to the MFA page but not getting the code.
Can you please suggest.
Thanks
Aman
Try doing “cat /tmp/aaad.debug” to see what’s happening.
Thank you Carl for all this great and detailed information. I’m working on deploying new VPX’s to replace our current MPX’s. The planning has been going good so far. One thing we did not have for our MPX’s is a virtual server for floating management via HTTPS and SSH. On our new VPX’s, I set up both.
However, I’m noticing that the active node always displays this error every 10 seconds on the console:
” sshd: error: Fssh_key_exchange_identification: Connection closed by remote host”
When I delete the management SSH virtual server and service, the error stops. Do you think more configuration is needed if we want to use a management SSH virtual server? Thanks!
It’s the monitor on the SSH service object that’s causing the error messages. Not sure how to get around this since you can’t unbind default monitors.
I was able to bind the “ping” monitor to the service which overwrote the default “tcp-default” monitor.
Hi Carl,
Something I would like to seek your advice on:
I am using a responder policy associated with an Audit Message Action to log the traffic activities (for content switch, virtual server, global…etc). However, I realized that if the audit message action's expression has no value returned (ie. CLIENT.TCP.LB_VSERVER.NAME), the entire message will become "blank". I am wondering how can I get rid of this?
Say I have the following expression:
“dropped_connection ” + CLIENT.IP.SRC + “:” + CLIENT.TCP.SRCPORT + ” ” + CLIENT.TCP.LB_VSERVER.NAME + ” (” + CLIENT.IP.SRC.LOCATION + “)”
If there is no value for “CLIENT.TCP.LB_VSERVER.NAME”, it won’t display the other but the entire message would be blank.
Rgds,
Willis
Have you tried SYS.VSERVER().NAME?
Hi Carl, is there any benefit of using multiple subnets and VLANs for different load balanced services vs using a single network and single VLAN on which you have a SNIP and NSIP and the same SNIP is talking to different backend servers. Our Cybersecurity team is proposing to use a different subnet, VLAN and SNIP for each service we load balance through ADC. Thanks.
It depends on where you want to control access. If you use one SNIP for everything, then the ADC administrator is responsible for not mis-configuring the ADC to allow access to where it shouldn’t. If you use different SNIPs for different services, then the network firewall can control access.
One option for configuring multiple SNIPs is Net Profiles.
Carl – thanks so much for all your detailed explanation. I had one question about the new ISSU HA migration feature. Looking through Citrix’s guide, they make it seem like the HA SYNC VLAN config is a prerequisite in order to use the new migration feature: https://docs.citrix.com/en-us/citrix-adc/current-release/upgrade-downgrade-citrix-adc-appliance/issu-high-availability.html. Maybe I’m misinterpreting Citrix’s guidance, but I don’t see the “Sync VLAN” configured in your HA setup. How do you interpret their language on this?
I’m not sure since I haven’t done a 13.0 ISSU upgrade yet since all of my customers are on 12.1. I added a note about the Sync VLAN just in case it’s required.
Hi Carl. We installed a new 13.0 environment, here also the same, the management VLAN cannot be selected for the Sync VLAN in HA configuration. All other VLANs (Data VLANs) are selectable.
Hi Carl,
can we add VPX to MPX NetScaler (at same version) as a HA pair using the above steps ?
It’s not supported to mix different hardware in the same pair.
Citrix ADC HA pair in AWS in different zones is not working properly: the EIP migrates to the secondary node on failover, but when we try to fail over again the EIP doesn't go back to the primary node.
Upgrading from 12 to 13 broke my multi-domain gateway configuration (2 domains, 2 LDAP, 2 Authentication Policies, 2 Session Policies). The session and LDAP policies don't seem to match post upgrade. I have had a case open with Citrix for a few months on this one. Any ideas are greatly appreciated.
Have you looked at this: https://blog.norz.at/aaa-default-settings-changed-with-citrix-adc-netscaler-13-built-41-20/
They changed default authorization policy settings under Security > AAA – Application Traffic > Change Global settings > Default Authorization Action from Allow to Deny
I'm trying to update an ADC from 12.1 55.18 to 12.1 57.18. When I run the update in the GUI, it doesn't work. In running it through a CLI session, I see an error "/usr/bin/perl^M: bad interpreter: No such file or directory" and it fails. This system was originally created from an iso image, so do I just need to install a perl package?
From an ISO image? Is this a physical machine with Linux OS? In that case you should be running the BLX image. Or is this a virtual machine? If so, deploy a VPX. In either case, you can move your configs to the new appliances.
I get the same error when trying to run the check_invalid_config command. Tried in both 13.0 and 13.1 clean install VPX. “-bash: ./check_invalid_config: /usr/bin/perl^M: bad interpreter: No such file or directory”
Hi Carl,
Regarding two factor Management Authentication – do you know if it’s possible to use a combination of LDAP + Local, rather than the second factor being RADIUS?
Thanks,
Andrew.
I assume it could be any Advanced Authentication Policy, but I haven’t tried Local.
The supported authentication servers are listed at https://docs.citrix.com/en-us/citrix-adc/13/system/authentication-and-authorization-for-system-user/two-factor-authentication-for-system-users-and-external-users.html.
Hi Carl
Have you run into the issue with STAs after upgrade to ver 13? 12.1 was OK but since 13 STAs are DOWN, unless using an IP. DNS works fine. Tried re-adding etc – no go
Hi Carl, any thoughts on what performance hit we might see if we do enable the cpuyield vpxparam setting? I’d like to stop VMware reporting 100%CPU for our NetScaler VPX 1000 machines, but not at the expense of affecting users. Citrix have obviously defaulted to “don’t yield” for a reason, just wondered what you thought? Thanks
100% CPU is Citrix’s method of reserving CPU. You can enable Yield if you configure CPU reservation in your hypervisor.
Sir,
I have a query. My NSIP is on a different subnet, and SNIP, VIP & LB IPs are on a different subnet & VLAN.
Could you please let me know what Network routing I need to do in this scenario.
Traffic is allowed from firewall even though nothing is working.
https://www.carlstalhood.com/system-configuration-citrix-adc-13/#dedicatedmgmt should have the info.
Carl, I have a question that I wonder you’d have the answer for.
I’m using the ADC VPX 12.x Freemium version as a load balancer in front of Horizon Connection Servers. This works just fine. Previous versions required me to go and get a free license, but it looks like the Freemium version has a license built in and there’s nothing else for me to do. In the last month or so, both appliances, one in production and one in DR, have totally lost their config. All that’s left are the base IP addresses. The last time this happened, I know that I had saved the config to the appliance, but it was nowhere to be found. So, I reconfigured it and made sure I had a back up on the appliance and also I downloaded it to my local drive. I then went and did the same thing to my DR one.
Today, the DR one lost its config. I found the saved config on the appliance and restored it, but nothing came back. I then got the one I’d saved locally and restored it and got the same thing. So, I reconfigure it again and this time created a clone copy of the appliance.
However, do you have any idea why this would be happening? Is there some gotcha with the free license that comes built into the appliance? If I look at the license item in the config menu, none is listed, but the summary says i have the free express license and that I am licensed for load balancing.
Also, if I have successfully saved off the config, and the restore seems to complete without error, why does it not restore?
What build of ADC?
NS12.1 build 55.18.nc. When I look under System and Licenses I see a license type of Standard, model ID 20 and a licensing mode of Express. Load balancing has a green check mark. The label at the top of the console says Citrix ADC VPX Freemium. Thanks…
Carl, any thoughts on this? Thanks so much.
Are you seeing any crashes or core dumps in /var/crash or /var/core?
I didn’t see anything that looked like a crash. The crash directory had one file called “g” and the core directory had two: “1” and “bounds”. The thing that seemed weird to me, which made me ask about the licensing for the Freemium version, was that both machines seemed to die around 1 year after I’d installed them, but it was not exactly 1 year.
The Express license used to expire after a year. Maybe there’s a bug in the code.
Should I perhaps upgrade to a newer version? Are they still producing the Freemium versions? However, does any of that explain why I wouldn’t be able to restore from the backup? As I said at the top, the backup seems to go OK and it seems to restore without error, but none of the config is actually restored.
So, perhaps I’m missing something as well. I just downloaded 13.0.52.24 and installed it in my lab. I attempted to restore the file that I saved from the 12.x appliance and that didn’t work. So, I thought that perhaps it was a version difference, so I created a virtual server under the load balancing section and then I did a full backup. Then I deleted the virtual server and restored from the backup; nothing. This seems so simple, but I’m obviously missing something.
What process are you using to restore? If you’re doing the built-in restore function, then you need to reboot after restoring. Make sure you don’t click the Save button when rebooting.
So, in the backup restore, I think I know what the issue was. I’ve tested this in my lab. My guess is that when I was building the VPX appliances, when I finished I neglected to hit the icon for save running config. If that’s true, then, from my understanding, it would reboot into a blank machine and the backup would not back up my config. I’ve tested this by making sure that I’ve saved the running config first and then doing the back up and that seems to restore just fine. For my production attempts, I had tried the restore from the GUI, but again, I’m suspecting I didn’t have anything backed up. In my test, I’ve done the backup from the GUI, but then restored from the CLI.
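An added example, not code from the page or from Citrix: a small sh check that a system backup archive really contains a saved ns.conf with the load balancing virtual servers you expect, so you can tell a stale or empty backup (running config never saved) from a good one before you rely on it. It assumes only that a NetScaler backup is a gzip tarball with an ns.conf inside it; the sample archives it builds are constructed in a temp directory, and it does not touch the real backup location (/var/ns_sys_backup on an appliance).

```sh
#!/bin/sh
# Added example, not from the original page. Before trusting a NetScaler
# system backup for a restore, confirm that the ns.conf inside the .tgz
# actually contains the objects you expect; if the running config was
# never saved, the archive holds a stale (or empty) ns.conf.
# Assumption (not from the page): a backup is a gzip tarball that carries
# an ns.conf somewhere inside it. Real backups live under
# /var/ns_sys_backup; this script only works on files you point it at.

# Count "add lb vserver" lines in the ns.conf inside a backup archive.
# Prints the count; exit 0 if at least one is found, 1 if none, 2 on error.
backup_lb_vserver_count() {
    archive="$1"
    tmp=$(mktemp -d) || return 2
    if ! tar -xzf "$archive" -C "$tmp" 2>/dev/null; then
        rm -rf "$tmp"
        echo 0
        return 2
    fi
    conf=$(find "$tmp" -name ns.conf -type f | head -n 1)
    if [ -z "$conf" ]; then
        rm -rf "$tmp"
        echo 0
        return 1
    fi
    # grep -c prints 0 but exits 1 when nothing matches; keep the 0.
    n=$(grep -c '^add lb vserver ' "$conf" || true)
    rm -rf "$tmp"
    echo "$n"
    [ "$n" -gt 0 ]
}

# Build a constructed sample archive (a stand-in for a real backup) whose
# ns.conf contains the given number of LB vservers; prints the archive path.
make_sample_backup() {
    count="$1"
    dir=$(mktemp -d) || return 2
    mkdir -p "$dir/nsconfig"
    : > "$dir/nsconfig/ns.conf"
    i=1
    while [ "$i" -le "$count" ]; do
        echo "add lb vserver lb_vip$i HTTP 10.0.0.$i 80" >> "$dir/nsconfig/ns.conf"
        i=$((i + 1))
    done
    tar -czf "$dir/backup.tgz" -C "$dir" nsconfig
    echo "$dir/backup.tgz"
}

# Stand-alone demo on constructed data: one good backup, one taken before
# the running config was saved (empty ns.conf).
good=$(make_sample_backup 2)
empty=$(make_sample_backup 0)
echo "good backup: $(backup_lb_vserver_count "$good") lb vservers"
echo "empty backup: $(backup_lb_vserver_count "$empty" || true) lb vservers"
```

On an appliance you would run `backup_lb_vserver_count /var/ns_sys_backup/<name>.tgz` from the BSD shell right after taking the backup; a zero count is your cue that `save ns config` was skipped.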
Carl, a different question. We’re looking to purchase a license from Citrix for our ADC VPX appliances – at least the one we have at the DR site. Here’s my config. I have a VMware UAG as the first hop, which directs to the ADC VPX appliance, which is being used strictly as a load balancer, and the load balancer points to the two connection servers. First question: when a user makes a connection from their computer to get a Horizon desktop, once that connection is made, is the VPX still involved in the actual data throughput, or does it step out of the way so the desktop would talk through the gateway to the user and the VPX really isn’t used anymore? I’m trying to figure out if the VPX 10 license is good enough or if I need more throughput. And in a similar vein, from what I’ve read it appears that the Freemium version allows 250 simultaneous SSL connections. While I “might” have more than that initially coming through at the same time in a DR scenario, once everyone was connected, I’d only have a handful ever trying to access a new desktop at any one time. So, again, is the VPX 10 Standard license good enough or should I look at something else? The guy I was talking to from our VAR seems to think that the VPX steps out of the way once the connection is made and the VPX 10 or perhaps the VPX 25 Standard license would be good enough for this, but I’d like a second opinion. Thanks, Jon
UAG sends HTTP traffic to Connection Servers through the load balancing VIP. Once the user launches a session, the connection is now PCoIP or Blast. UAG sends PCoIP or Blast directly to the Horizon Agent, not through a load balancer.
Thanks for the reply, I appreciate your input.
Jon
Carl, I run several VMs and containers at home and am looking for a remote access solution. I’m just one guy, so it is not worth a lot of $; I’m really looking for freemium or open-source solutions. I like the NetScaler because I’ve used those at work before. Do you know if the Freemium license will work for one user for a remote SSL VPN? Or is there some other direction you might recommend?
Freemium does not include Citrix Gateway.
If Windows, you can install Routing and Remote Access and use a VPN to connect.
Hi Carl,
I have downloaded the NetScaler ADC 13.0-47.22 Freemium edition with my Citrix account (not a corporate account). How can I download the 30-day Platinum license file from the Citrix site?
Unfortunately you will have to contact a Citrix sales rep to get an eval license. Partners no longer have access.
Hi Carl, I just deployed an ADC VPX 13 on VMware. I notice the Guest OS is Oracle Solaris 10 (64-bit). Is this correct or do I need to change it to FreeBSD? So far the ADC is running fine without any issue.
I never change the OS.
Regarding NTP configuration in the initial setup with the GUI in v13.0 41.20.nc: you will see an error message stating that the “file does not exist”. You will not be able to save the host name, DNS server, timezone or NTP server. To resolve this problem (bug), you need to SSH into the shell and execute the command: cp /etc/ntp.conf /nsconfig/ntp.conf. Now you can save the config of hostname, DNS IP address, timezone and NTP server :-)
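An added example, not code from the page or from the commenter: the copy described above wrapped in a guarded sh function that only creates /nsconfig/ntp.conf when it is missing, so re-running it never overwrites an ntp.conf that already holds your own servers, plus a helper that lists the server lines the copied file would apply. The two paths come from the comment; the demo runs on constructed files in a temp directory, and applying it on an appliance is something you verify yourself.

```sh
#!/bin/sh
# Added example, not from the original page. Wraps the workaround from the
# comment (cp /etc/ntp.conf /nsconfig/ntp.conf) so it only copies when the
# destination is missing and never clobbers an existing /nsconfig/ntp.conf.
# The default paths are the ones the comment names; the demo below uses
# constructed temp files instead.

# Copy $1 to $2 only if $2 does not exist. Prints what was done.
# Exit 0 = copied, 3 = destination already present (left alone),
# 2 = source missing.
ensure_ntp_conf() {
    src="${1:-/etc/ntp.conf}"
    dst="${2:-/nsconfig/ntp.conf}"
    if [ ! -f "$src" ]; then
        echo "source $src missing"
        return 2
    fi
    if [ -f "$dst" ]; then
        echo "$dst already exists, not overwriting"
        return 3
    fi
    cp "$src" "$dst" && echo "copied $src to $dst"
}

# List the NTP servers configured in a file, one per line, so you can
# confirm what the copied config will actually sync against.
ntp_servers_in() {
    awk '$1 == "server" { print $2 }' "$1"
}

# Stand-alone demo on constructed files (not real appliance paths).
demo=$(mktemp -d)
printf 'server 0.pool.ntp.org iburst\nserver 1.pool.ntp.org iburst\n' > "$demo/ntp.conf"
ensure_ntp_conf "$demo/ntp.conf" "$demo/nsconfig_ntp.conf"          # copies
ensure_ntp_conf "$demo/ntp.conf" "$demo/nsconfig_ntp.conf" || true  # refuses
ntp_servers_in "$demo/nsconfig_ntp.conf"
```

On the appliance, call `ensure_ntp_conf` with no arguments to use /etc/ntp.conf and /nsconfig/ntp.conf, then check `ntp_servers_in /nsconfig/ntp.conf` before saving the NTP settings in the GUI.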
Hi Carl, thanks for your detailed guides, they have been invaluable in setting up our new environment! Could you tell me which NetScaler licence would be required to provide users with a web interface via NS to our StoreFront? I have been told (and purchased) that Citrix Gateway Advanced VPX is correct, but when I load the licence, Web Interface is not listed as a licensed option?
Are you trying to host HTML pages on your NetScaler? NetScaler has an old Web Interface feature, and a WebFront feature that nobody used. Most people just proxy HTTP to the StoreFront servers and let HTML be served by StoreFront. See https://www.carlstalhood.com/netscaler-gateway-12-ica-proxy/
Note: the Portal Theme named RfWebUI borrows some of the WebFront technology.
No, I just want to proxy HTTP to the StoreFront. I’m finding my Citrix terminology is quite out of date, as I built our last farm back in 2012 based on SG, Web Interface and XA 6.5! I’ll look at the page you suggest, thanks!