VIRTUAL-HAWK.COM

Author: Jørgen Rosenkvist Pedersen Page 4 of 5

NetScaler configuration files

By

On January 8, 2018

In Uncategorized

When do I save the NetScaler configuration, is offend a question from my customers. Well that is not an easy question to answer, but if explain how the NetScaler configurations files work, you might see why.

The NetScaler operates with running and saved configurations. This is a lot like any Cisco product if you know them. The running configuration is only in memory and is gone if the NetScaler is power off. Beside that, the NetScaler have five saved configurations files:

Every time you save the NetScaler configuration, the ns.conf file are updated. A backup of that are saved in the ns.conf.0 file. Every other configuration file are rotated to keep the newest files on the NetScaler.

With that in mind you should properly not save the configuration every time you make a little change, doing the day. If you hit the save button repeatedly, then you will not be able to get back to an old configuration after five saves.

I normally save the configuration at the end of a day, but before I do a “Saved v/s Running”:

This will give me an list of all the changes a have made doing the day, and I can use that for my documentation.

This is an example of how the “Saved v/s Running” output is:

As you can see, you even get the commands for change the configuration back.

If you want to do it from the CLI you can use this:

With “Revision History” you can even get the different between to saved stages:

 

From CLI you can use:

Conclution:

I offend recommend that you save the configuration when you are sure that no other changes is needed. This mean that you can save when you have tested and tested again.

Beside the save on the NetScaler I have several times used the “Revision History” when customers not where sure of the changes made to the NetScaler configuration.

 

Citrix Advanced Content Switching Policy/Action

By

On January 2, 2018

In Uncategorized

If you have, many websites Load Balancing on the NetScaler you properly use Content Switching to minimize the need of IP addresses. For this to work you have policies and actions to control the traffic flow. However, do you know that with NetScaler you can use expressions to configure the Content Switching actions?

This can come in handy when managing multiple websites Load Balancing. Let me show you a short configuration to demonstrate how this I working.

I have 2 demo web sites configured demo1.virtual-hawk.com and demo2.virtual-hawk.com. I have created the servers with FQDN names, as I am using host names on the web sites.

IIS configuration:

NetScaler Server configuration:

I then created 2 service for the web sites:

2 Load Balancing Virtual Serves for the Content Switching to go to. These are “non addressable”, because all traffic will come through the Content Switching Virtual Server:

The important thing is the naming of the Load Balancing Virtual Server, as we will use that in the Content Switching Action.

I have made a Content Switching Action with expressions used for targeting the Load Balancing Virtual Server:

With the use of the expression “cs_lb_vs_” + HTTP.REQ.HOSTNAME, the action will go to cs_lb_vs_demo1.virtual-hawk.com if the client request the site demo1.virtual-hawk.com.

The Content Switching Policy, I only need 1:

Finely I created the Content Switching Virtual Sever, and bound the policy to it:

Now for the test I checked the demo1.virtual-hawk.com and demo2.virtual-hawk.com are going to the Content Switching Virtual Server on 10.11.12.171:

When I test from the browser, I get the flowing:

Conclution:

With the use of Content Switching Action expressions, we can minimize the NetScaler configuration. For any new sites, I only have to configure the Load Balancing Virtual Servers with the right naming and no more. All the Content Switching are still the same and already configured.

 

CLI Commands:

add server demo1.virtual-hawk.com 10.11.12.172

add server demo2.virtual-hawk.com 10.11.12.173

add service lb_svc_demo1.virtual-hawk.com demo1.virtual-hawk.com HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

add service lb_svc_demo2.virtual-hawk.com demo2.virtual-hawk.com HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

add lb vserver cs_lb_vs_demo1.virtual-hawk.com HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180

add lb vserver cs_lb_vs_demo2.virtual-hawk.com HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180

bind lb vserver cs_lb_vs_demo1.virtual-hawk.com lb_svc_demo1.virtual-hawk.com

bind lb vserver cs_lb_vs_demo2.virtual-hawk.com lb_svc_demo2.virtual-hawk.com

add cs action cs_act_http_req_hostname -targetVserverExpr “\”cs_lb_vs_\” + HTTP.REQ.HOSTNAME”

add cs policy cs_pol_http_req_hostname -rule “HTTP.REQ.HOSTNAME.CONTAINS(\”virtual-hawk.com\”)” -action cs_act_http_req_hostname

add cs vserver cs_vs_virtual-hawk.com HTTP 10.11.12.171 80 -cltTimeout 180

bind cs vserver cs_vs_virtual-hawk.com -policyName cs_pol_http_req_hostname -priority 100

Citrix HDX Adaptive Transport, Datagram Transport Layer Security (DTLS)

By

On December 21, 2017

In Uncategorized

With the new release of Citrix XenDesktop/XenApp 7.16 the HDX Adaptive Transport it now turned on by default.

With that turned on, clients connecting through NetScaler Gateway will try to connect using UDP 443. If Firewall and NetScaler Gateway is not configured to communicate on UDP 443, the client will fallback to TCP 433.

I have noticed that it takes a short time before it will do the fallback (2-5 sec.). This give a longer logon time when the users are connecting through NetScaler Gateway. With the right configuration, you can eliminate that extra wait time for the users.

First, enable DTLS (Datagram Transport Layer Security) on the NetScaler Gateway configuration:

After enabling DTLS, you need to rebind the Server Certificate again. Do a unbind and a bind, then it will work.

The next is to enable UDP 443 on the Firewall Access and NAT rules. As there are many different Firewall’s I cannot tell you the way to do it one your Firewall.

I found that you can use nMap/Xenmap to test if your configuration of the Firewall and NetScaler Gateway configuration.

Use the flowing command to do the test:

nmap -sT -sU -p 443 -Pn <FQDN>

The test has to be run from a external computer, as we are testing the Firewall and NetScaler Gateway configuration.

This will test TCP 443 and UDP 443, and give this result if you’re Firewall and NetScaler Gateway is configured to accept TCP 433 and UDP 443:

There are different ways to see if a user is connected using UDP 443.

NetScaler Gateway GUI:

NetScaler Gateway CLI:

XenDesktop/XenApp Director:

Server/VDI VDA:

Citrix HDX Adaptive Transport, Datagram Transport Layer Security is supported with Citrix Receiver 4.7 or newer.

 

Citrix NetScaler Gateway Enterprise Edition, Storefront High Availability, Poor man’s solution

By

On December 21, 2017

In Uncategorized

Belive it or not but some still have Citrix NetScaler Gateway Enterprise Edition running. The Citrix NetScaler Gateway Enterprise Edition is a special editions witch was made to replace the Access Gateway 5.x.

As you can see, many of the NetScaler features are not available:

Special the Load Balancing Feature can be a problem, as we the need another Load Balancing system to handle Storefront High Availability.

Well as the Load Balancing feature is not licensed is not the same as it is not there. It is, and we can use it, not to Load Balanced traffic between to Storefront server, but as failover. Many times this will be fine for the owners of the Citrix NetScaler Gateway Enterprise Edition.

I have to Severs with Storefront. To demonstrate the serveres is not in a Storefront Server Group as I need to different setup’s to identify witch server I am connected to.

The Server SF1 looks like this:

The Server XDC1 looks like this:

First, I create the SF1 and XDC1 Servers in the NetScaler configuration:

Then I create the Storefront monitor:

Then I create a service for each server. This has to be a service and not a service group, because we are using failover and not Load Balancing as the feature is not licensed.

 

As we are doing a Load Balancing Failover configuration, we start with the Virtual Server that will take over if the primary Server is not responding. This does not need to be direct accessible and that is why it does not have an IP address.

Then we create the Virtual Server that the clients are connecting too:

 

Just ignor the warnings, this is because the feature is not licensed, but when we test you will see that it is working as expected:

Now bind the Load Balancing Service to the Load Balancing Virtual Server:

This we know, J

Finely use the “Protection” to direct the traffic to the secondary storefront when the primary is down:

I know:

This end us up with this:

To test we connect to the virtual server of 10.11.12.163, and get the Storefront login site of the XDC1:

We will be getting this as long as the Storefront site is working on the XDC1. When I go and stop the Internet Information Service on the XDC1, the NetScaler service svc_xdc1_http goes down:

When I tests again I get the Storefront site on SF1, as the NetScaler sends the traffic to the Backup Virtual Server, because the primary service is down:

 

Conclusion:

As for now, we can use the Load Balancing Failover even when the Load Balancing is not licensed. If Citrix have any plans to change this, we do not know. There in their rights to do that, so be aware of that.

In the example a have used HTTP, but it will work with SSL too. SSL I recommended as the users will type username and password and this we be sendt on the network in clear text if using HTTP.

I do not see it to be a problem that we are using failover and not real Load Balancing. Look at the flowing about max. Connections to a single Storefront Server: https://www.citrix.com/blogs/2015/06/30/storefront-scalability-update/

I sure, that the 50 Mb through put of the Citrix NetScaler Gateway Enterprise Edition will be the limit before the Storefront.

 

NetScaler VPX Hardware

By

On December 21, 2017

In Uncategorized

Many customers are using the NetScaler VPX, on their hypervisor. This is a god supplement for the MPX or SDX platforms, if you do not need the SSL Card power of the NetScaler.

The NetScaler VPX are available in the flowing models:

Normally I see the VPX 10 to VPX 3000 at customer’s sites. The VPX 3000 comes with the XenMobile Cloude license, but is limited to XenMobile configuration and Micro VPN tunnels.

(From https://www.citrix.dk/buy/licensing/product.html)

As you can see on the models list the from VPX 1000 and up the license support multiple packed vCPU’s (1 vCPU is used for management) When installing NetScaler VPX on your hypervisor Citrix Provided a template for this. This template only add 2 vCPU’s to the virtual NetScaler as this is the same template for all models.

Many forget that it is possible to change the number of vCPU’s if they have VPX 1000 or higher licenses. If you consider changing the vCPU of your NetScaler VPX remember that every vCPU need 2 GB memory as minimum.

 

If you change this after initial install, you have to check that the extra packed CPU and memory are added. This can be done with the flowing commands:

 

Page 4 of 5

Previous

Next

Powered by WordPress & Theme by Anders Norén