Академический Документы
Профессиональный Документы
Культура Документы
Course Overview............................................................................................................................2
Module 1 - Getting Started...........................................................................................................16
Introduction to NetScaler..................................................................................................18
Feature Overview.............................................................................................................27
Platforms and Licensing...................................................................................................39
Deployment Scenarios......................................................................................................44
Architectural Overview......................................................................................................49
File System and Configuration Files.................................................................................55
Initial Setup and Management..........................................................................................63
Backup, Restore, and Upgrade........................................................................................70
N
NetScaler-Owned IP Addresses.......................................................................................79
fo
Networking Topology........................................................................................................90
rr
Traffic-Handling Modes...................................................................................................125
al
NetScaler MPX...............................................................................................................155
di
NetScaler VPX................................................................................................................167
st
NetScaler SDX................................................................................................................174
ri
Multi-Tenant SDX...........................................................................................................180
bu
NetScaler Logging..........................................................................................................480
Monitoring.......................................................................................................................499
fo
Troubleshooting..............................................................................................................517
es
Key Notes:
The Citrix NetScaler product line delivers applications over the Internet and private networks,
al
integrated appliance.
or
di
st
ri bu
tio
n
Key Notes:
Even though multiplexing is done at TCP level still it is not applicable to all the services type
al
supported over TCP. NetScaler supports connection multiplexing for HTTP, SSL and
e
DataStream
or
di
st
ri bu
tio
n
Key Notes:
NetScaler content switching and load balancing:
al
The NetScaler system manages the complete life cycle of the request/response transaction.
di
The NetScaler sits between clients and servers and functions as a proxy.
st
The NetScaler receives requests from the clients, processes the request (if necessary), and
ri
The NetScaler appliance can direct requests sent to the same Web host to different servers
tio
Essentially, NetScaler separates the HTTP request from the TCP connection on which the
request is delivered. As a result, the NetScaler is able to multiplex and offload TCP
connections, maintain persistent connections, and manage traffic at the request level. This
improves throughput and scalability.
Connection process:
NetScaler receives and terminates connections.
It can Decrypt/authenticate/analyze every request.
Queue and dispatch valid requests.
Switch requests and multiplex over persistent connections.
Key Notes:
This is a typical TCP connection with an HTTP Request/Response.
al
e
Data is submitted.
The connection is then deallocated and torn down.
di
st
ribu
tio
n
Key Notes:
On the client side, the client sees the NetScaler as the server.
al
On the server side, the server sees the NetScaler as the client.
ri bu
The NetScaler established a TCP connection to the server once - instead of tearing down the
session after a single transaction, it is kept alive.
tio
The NetScaler then sends client requests to the server, receives the response, and then returns
n
Key Notes:
Connection Multiplexing flow:
al
e
Multiple client requests are transmitted across common server connection (MUX).
tio
Additional Resources:
Connection Multiplexing in NetScaler:
https://www.citrix.com/blogs/2012/03/08/connection-multiplexing-in-netscaler/
N
ot
fo
rr
es
al
e
or
di
st
ri bu
tio
n
Key Notes:
Switching – can segment application traffic according to information in the body of an HTTP or
al
TCP request, and on the basis of L4-L7 header information such as URL, application data type,
e
Security and Protection - An available, built-in firewall can protect web applications from
application-layer attacks, including buffer overflow exploits, SQL injection attempts, and cross-
di
site scripting attacks. A NetScaler system provides built-in defenses against denial-of-service
st
Key Notes:
This graphic shows features are controlled by the AppExpert policy framework.
al
e
or
di
st
ri bu
tio
n
Key Notes:
Application availability using layer-4 through layer-7 load-balancing and content-switching
al
functions.
e
The features you can take advantage of with your NetScaler may depend on the license type
n
Additional Resources:
NetScaler Data Sheet, platform and feature options:
al
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-data-
e
sheet-full.pdf.
or
Additional Resources:
NetScaler Data Sheet, platform and feature options:
al
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-data-
e
sheet-full.pdf.
or
FIPS – either built in FIPS support or to Thales nShield external device info:
http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/support_for_thales.html.
di
st
ri bu
tio
n
Key Notes:
Additional Acceleration features HTTP compression and Integrated caching.
al
e
or
Additional Resources:
NetScaler Data Sheet, platform and feature options:
di
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-data-
st
sheet-full.pdf.
ri bu
tio
n
Additional Resources:
NetScaler Data Sheet, platform and feature options:
al
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-data-
e
sheet-full.pdf.
or
di
st
ri bu
tio
n
Key Notes:
*HDX Insight is not supported in Standard Edition.
al
e
Additional Resources:
tio
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-data-
sheet-full.pdf.
Key Notes:
NetScaler reduces the total cost of ownership with caching, compression, SSL and TCP
al
offloading.
e
In the Enterprise and Platinum editions, NetScaler can automatically direct requests with
or
In addition, N-tier multilayer load balancing support of cache servers is included in these
st
versions.
ri
Key Notes:
Citrix offers NetScaler MPX appliances that are FIPS (Federal Information Processing
al
Standard) compliant and support more than 4.5 Gbps of SSL throughput.
e
or
Additional Resources:
di
http://support.citrix.com/article/CTX129543.
ri bu
tio
n
Key Notes:
Citrix TriScale technology revolutionizes enterprise cloud networks by providing unrivaled
al
capabilities that smartly and affordably scale application and service delivery infrastructures
e
Citrix NetScaler Burst Packs offer even more flexibility. Burst Packs enable you to convert an
existing NetScaler MPX hardware or VPX virtual appliance deployment to the highest
di
performance available for the particular platform for enhanced capacity for up to 90 days. This
st
allows you to provision only the necessary performance for durations of limited peak traffic
ri
(such as the holiday shopping season in the United States), reducing capital and operational
bu
expenses, lengthy procurement cycles, and installation times for new appliances.
tio
Additional Resources:
n
Key Notes:
Platform - This is a license for the physical appliance. This license helps to enable all necessary
al
features of the appliance and 5 Secure Sockets Layer (SSL) Virtual Private Network (VPN)
e
connections. By default, this license is allocated to hostname "ANY" in the My Account web
or
Other NetScaler licenses (You need to allocate these licenses to the Host ID of the appliance):
bu
• Internal.
tio
• Partner Use.
• Demo.
n
• Evaluation.
• VPX.
All features are not available with all editions of NetScaler and some features can be enabled
through option licenses. To benefit from the right features of NetScaler that you want to use,
you must have the correct license and edition of the product.
Key Notes:
NetScaler can be deployed in either of two physical modes: inline and one-arm.
al
e
or
di
st
ri bu
tio
n
Key Notes:
When deploying NetScaler as a new technology, consider it a new device in the environment
al
and not a replacement for an existing load balancer. In this case, you will not need to consider
e
Key Notes:
With displacement, a NetScaler system replaces another traffic manager and attempts to meet
al
the configuration of the old device as well as any new or current needs of the environment not
e
being met.
or
di
st
ri bu
tio
n
Key Notes:
NetScaler runs two kernels. BSD starts up the device and loads the NetScaler kernel.
al
e
performance/configuration data.
st
BSD is responsible for the filesystem (read/writes) and the startup process.
ri bu
BSD - basic utilities that you would expect on BSD Linux, but some things are not fully
supported. TOP and tcpdump will not give you expected or complete results.
tio
Memory – shared.
n
All metric data that NetScaler generates is written to log files. Writes to log files are done via
BSD, but data comes from NetScaler.
Config NetScaler via NS kernel or CLI. Browse filesystem via BSD shell.
SNMP v3 processing is handled in the BSD kernel; SNMP v3 was introduced in NetScaler 8.0.
Key Notes:
NetScaler uses multiple CPU cores for packet handling. The NetScaler architecture includes
al
the underlying NetScaler kernel and the cores, which are separate packet engines. The packet
e
engines are designed to work independently; however, the cores communicate with each other
or
(MPX) or software.
st
The newnslog log file contains a performance snapshot (7-sec) of everything on the NetScaler.
It is maintained in binary, and you need to use the nsconmsg utility to extract information.
tio
n
Key Notes:
Few features like Application Firewall and NetScaler Gateway require additional Licenses.
al
e
or
di
st
ri bu
tio
n
Key Notes:
Once the VAR is full user will not be able to access the GUI of NetScaler and in order to access
al
All the logs older than 30 days should be deleted from the VAR for optimum performance.
or
The /var drive is on the hard drive and mostly used for logging. The config is running off the
di
/flash drive. The NetScaler can actually run and continue to handle traffic with a failed hard
st
drive since all critical components are on the flash drive. (This is not recommended.)
ri bu
tio
n
Key Notes:
Running configuration is in memory but not written to ns.conf.
al
e
Students may be familiar with this concept from Cisco and other network devices.
or
di
st
ri bu
tio
n
Key Notes:
If an unwanted config is encountered, rename the older config “ns.conf” and restart the system
al
to restore.
e
Each time you save the config on the NetScaler, it rolls this file and appends a number (by
or
default up to 5).
di
st
ri bu
tio
n
Key Notes:
The /nsconfig directory mounts to flash/nsconfig and stores the config files.
al
e
or
di
st
ri bu
tio
n
Key Notes:
From the configuration utility - highlight diagnostics under system and use the tool “Saved v/s
al
Running.”
e
CLI command to compare saved and running config: diff ns config – outtype CLI.
or
Using the NetScaler tools, you can compare any two Conf files to view the differences.
di
st
ri bu
tio
n
Key Notes:
It’s always advisable to use SNIP for management purposes while using HA.
al
e
Key Notes:
From the CLI, you can also set all the initial networking parameters using the “set ns config”
al
command.
e
Additionally, you could use a menu-driven CLI utility such as the “config ns” utility that we will
or
Key Notes:
For command abbreviation- You can type:
al
e
Save ns config
or
Save config
Save c
di
Key Notes:
Use your labs this week to explore the console you are less familiar with.
al
e
or
di
st
ri bu
tio
n
Key Notes:
After 10.5 version of NetScaler a new feature Backup and Restore is added for simplification of
al
the Process.
e
or
di
st
ri bu
tio
n
Key Notes:
The Open System Interconnection (OSI) model defines a networking framework to implement
al
protocols in seven layers. There is really nothing to the OSI model. In fact, it's not even
e
tangible. The OSI model doesn't perform any functions in the networking process. It is
or
a conceptual framework so we can better understand complex interactions that are happening.
Physical (Layer 1)
di
st
OSI Model, Layer 1 conveys the bit stream - electrical impulse, light or radio signal — through
the network at the electrical and mechanical level. It provides the hardware means of sending
ri
and receiving data on a carrier, including defining cables, cards and physical aspects. Fast
bu
Ethernet, RS232, and ATM are protocols with physical layer components.
tio
Layer 1 Physical examples include Ethernet, FDDI, B8ZS, V.35, V.24, RJ45.
n
The session layer sets up, coordinates, and terminates conversations, exchanges,
ot
and dialogues between the applications at each end. It deals with session and
connection coordination.
fo
Presentation (Layer 6)
es
(e.g., encryption) by translating from application to network format, and vice versa.
e
The presentation layer works to transform data into the form that the application layer
can accept. This layer formats and encrypts data to be sent across a network,
or
layer.
st
Layer 6 Presentation examples include encryption, ASCII, EBCDIC, TIFF, GIF, PICT,
ri
Application (Layer 7)
tio
are considered, and any constraints on data syntax are identified. Everything at this
layer is application-specific. This layer provides application services for file
transfers, e-mail, and other network software services. Telnet and FTP are
applications that exist entirely in the application level. Tiered application architectures
are part of this layer.
Layer 7 Application examples include WWW browsers, NFS, SNMP, Telnet, HTTP,
FTP.
Key Notes:
The NetScaler is fundamentally a TCP proxy at layer 4 that reuses connections to the server,
al
This reuse is done by proxying, at layer 3, the IP address of the client that the server sees.
or
di
st
ri bu
tio
n
Key Notes:
As soon as we configure a SNIP or a MIP a direct route is created and cannot be deleted.
al
e
All the NetScaler owned IP addresses can be removed apart from NSIP.
or
If SNIP exists, you can remove the MIPs. The NetScaler uses NSIP and SNIPs to communicate
with the servers when the MIP is removed. Therefore, you must also enable use SNIP (USNIP)
di
mode.
st
Additional Resources:
tio
http://docs.citrix.com/en-us/netscaler/11/networking/ip-addressing/configuring-netscaler-owned-
ip-addresses.html
Key Notes:
Initial IP of MPX is 192.168.100.1/16 VPX NSIP configured at console.
al
e
or
di
st
ri bu
tio
n
Key Notes:
A VIP address is the IP address associated with a virtual server.
al
e
Key Notes:
Subnet IP (SNIP) address –USNIP must be enabled (if you disable then you must have MIP).
al
e
A SNIP address is used in connection management and server monitoring. You can specify
multiple SNIP addresses for each subnet. SNIP addresses can be bound to a VLAN.
or
When a SNIP is added to a NetScaler system, a static route entry is automatically added to the
di
NetScaler system routing table; this route identifies the SNIP address as the default gateway
st
SNIP addresses can provide the NetScaler system with network presence in different subnets.
bu
The NetScaler system can be managed through any of the SNIP addresses. SNIP addresses
can also be used in place of MIP addresses for communication to servers local to the SNIP
tio
When enabling VLAN support on the NetScaler system, particular IP addresses can be
associated with specific VLANs. These VLAN IP addresses are another form of SNIP address.
With Use SNIP (USNIP) mode enabled, a SNIP is the source IP address of a packet sent from
the NetScaler to the server, and the SNIP is the IP address that the server uses to access the
NetScaler. This mode is enabled by default.
When you add a SNIP, a route corresponding to the SNIP is added to the routing table. The
NetScaler determines the next hop for a service from the routing table, and if the IP address of
the hop is within the range of a SNIP, the NetScaler uses the SNIP to source traffic to the
service.
When multiple SNIPs cover the IP addresses of the next hops, the SNIPs are used in round-
robin manner.
Key Notes:
If the mapped IP address is the first in the subnet, the NetScaler appliance adds a route entry,
al
As of NetScaler 9.3 creation of a MIP is not Mandatory and MIPs are no longer necessary on
or
Key Notes:
When USNIP mode is enabled, the SNIP address functions as a proxy IP and is used by the
al
Key Notes:
Monitoring probes are still sent with the Source IP address as an MIP or SNIP address.
al
e
The appliance reuse pool for connections is still maintained for each server but the reuse pool
itself is fragmented by the client IP address.
or
Idle client connection stays until a background timer, the zombie timeout process, decides to
di
Key Notes:
An IP Set is a set of IP addresses which are configured on the appliance as SNIP. An IP Set
al
has a meaningful name that helps in identifying the usage of the IP addresses contained in it.
e
A net profile can be bound to load balancing or content switching virtual servers, services,
st
service groups, or monitors. A net profile has NetScaler owned IP addresses (SNIPs and VIPs)
ri
that can be used as the source IP address. It can be a single IP address or a set of IP
bu
Key Notes:
Normally NetScaler would be cabled into switch. The two-arm diagram is symbolic.
al
e
A separate management interface does not count as an arm. Only traffic VLANS.
or
Arms do not refer to interfaces, but VLANs to which NetScaler is connected. So one interface
with tagged VLANS would be “two-arm.”
di
st
ri bu
tio
n
Key Notes:
One-arm topology uses a single subnet.
al
e
Key Notes:
In a two-arm topology, it is connected to the client network and is connected to the server
al
network, ensuring that all traffic flows through the NetScaler system. The basic variations of
e
two-arm topology are multiple subnets, typically with the NetScaler system on a public subnet
or
and the servers on a private subnet, and transparent mode, with both the NetScaler system
and the servers on the public network.
di
Often, characteristics of the network determine whether you will deploy in one-arm or two-arm
st
You may or may not have a separate management interface in two-arm mode.
bu
MPX/SDX
n
Key Notes:
Two-arm mode is commonly called “inline mode.” The client connects to VIP and the NetScaler
al
Key Notes:
After performing the defined NetScaler process, the NetScaler forwards the request to the
al
backend server.
e
or
di
st
ri bu
tio
n
Key Notes:
The server responds to the NetScaler (SNIP).
al
e
or
di
st
buri
tio
n
Key Notes:
The NetScaler then forwards the response to the client.
al
e
or
di
st
ri bu
tio
n
Key Notes:
Because a NetScaler appliance functions as a TCP proxy, it translates IP addresses before
al
sending packets to a server. When you configure a virtual server, clients connect to a VIP
e
settings on the virtual server, the appliance selects an appropriate server and sends the client's
request to that server. By default, the appliance uses a SNIP address to establish connections
di
In this diagram, the first view describes the behavior of a NetScaler system configured with a
ri
virtual server. The client IP address (CIP) connects to the VIP address on the NetScaler
bu
system. The NetScaler system, in turn, uses either its mapped IP address or an appropriate
subnet IP address, if one exists on the server’s subnet and the USNIP option is set to contact
tio
The NetScaler system is fundamentally a TCP (layer-4) proxy that separates the client
connections from the server connections and manages separate connection tables for client
and server connections.
As a TCP proxy device, the NetScaler system responds to client connections that are targeted
at servers residing behind it, hiding the network topography.
The NetScaler system is not a UDP proxy.
Key Notes:
The NetScaler does not act like many other networking devices in that IP addresses are not
al
directly associated with interfaces. The IPs are “owned” by the NetScaler and can be used on
e
NetScaler interfaces are like switch ports and not host interfaces.
di
If you need to associate an IP address with an interface, this is done through VLAN
st
configuration.
ri bu
tio
n
Key Notes:
Make sure one interface is associated with one VLAN to avoid MAC moves.
al
e
or
di
st
ri bu
tio
n
Key Notes:
In some environments, the speed of a single interface is not adequate for the amount of traffic
al
that needs to be managed by the NetScaler system. To address this, multiple interfaces on the
e
NetScaler system can be combined into a single, logical, high-bandwidth 802.3ad interface.
or
The resulting aggregated interface will be treated, for configuration, as a single interface. The
aggregate interface link speed will be the sum of the speed of the bound physical interfaces.
di
The switch connected to the aggregate interfaces on the NetScaler system must also support
st
802.3ad.
ri
The add channel command will create the virtual interface. Physical interfaces can be added to
bu
the channel as part of the add command, or through the use of the bind channel command after
the interface is created. Two to four physical interfaces can be bound to a single link
tio
aggregation channel. If these interfaces are of differing speeds, they will all function at the
n
Key Notes:
As part of the LR feature, we have introduced a parameter called LR Min ThrLink Redundancy
al
(LR) offers the ability of a hot standby link (or channel). During the normal operation, one
e
link/channel will be operational which handles all the traffic. A second link/channel will be
or
designated as the standby. When the primary link/channel goes down or is administratively shut
down, the standby link/channel will become live and start handling the traffic.
di
Threshold: This parameter ensures that when a channel’s available bandwidth drops below the
st
configured minimum threshold limit, the channel is administratively shut down. With LR, the
ri
standby channel will take over from the primary channel once the minimum threshold is
bu
achieved.
tio
• For example, assume that each channel to the remove switch from NetScaler has two 1-gig
links. The minimum threshold is configured to be 1.5Gbps. When one link on the primary
n
channel goes down, the channel’s available bandwidth is only 1-gig, which falls below
threshold value. Now, this complete channel is administratively shut down and the standby
channel takes over.
Key Notes:
To bind multiple VLANs to the same interface, the VLANs must be tagged either with the VLAN-
al
High Availability heartbeats are always untagged and on the native VLAN, unless the NSVLAN
or
is configured using the set ns config -nsvlan command or the interface is configured with the -
trunk ON option.
di
st
ri bu
tio
n
Key Notes:
All the Interfaces are by default in VLAN 1 and We need to make sure that Interfaces are
al
Additional Resources:
di
us/netscaler/11/networking/interfaces/understanding-vlans.html
ri bu
tio
n
Key Notes:
An interface can be part of any number of tagged VLANs.
al
e
When an interface is bound to a VLAN Natively, its Native VLAN changes from the current one
to new one.
or
When an interface is bound to a particular VLAN as a tagged member, it’s just added to the
di
Key Notes:
We recommend not changing the NSVLAN unless there is a compelling reason to do so.
al
e
or
Additional Resources:
FAQ: The “trunk” or “tagall” Option of NetScaler: http://support.citrix.com/article/CTX115575
di
st
ri bu
tio
n
Key Notes:
Because simple routing is not the primary role of a NetScaler, the main objective of running
al
dynamic routing protocols is to enable route health injection (RHI), so that an upstream router
e
can choose the best among multiple routes to a topographically distributed virtual server. RHI is
or
the ZebOS.conf.
st
Key Notes:
The default route should point to an Internet gateway and internal, often summarized, routes
al
point inward.
e
or
di
st
ri bu
tio
n
Key Notes:
If a manually created (static) route goes down, a backup route is not automatically activated.
al
You must manually delete the inactive primary static route. However, if you configure the static
e
route as a monitored route, the NetScaler appliance can automatically activate a backup route.
or
Static route monitoring can also be based on the accessibility of the subnet. A subnet is usually
connected to a single interface, but it can be logically accessed through other interfaces.
di
Subnets bound to a VLAN are accessible only if the VLAN is up. VLANs are logical interfaces
st
through which packets are transmitted and received by the NetScaler. A static route is marked
ri
Note: In a high-availability (HA) setup, the default value for monitored state routes (MSRs) on
tio
the secondary node is UP. The value is set to avoid a state transition gap upon failover, which
could result in dropping packets on those routes.
n
Weighted Static Routes - When the NetScaler appliance makes routing decisions involving
routes with equal distance and cost, that is, Equal Cost Multi-Path (ECMP) routes, it balances
the load between them by using a hashing mechanism based on the source and destination IP
addresses. For an ECMP route, however, you can configure a weight value. The NetScaler
then uses both the weight and the hashed value for balancing the load.
Key Notes:
Some deployment topologies may require the incoming and outgoing paths to flow through
al
Key Notes:
Network Interface can be shared with other Traffic Domains.
al
e
or
Additional Resources:
Supported features for traffic domains: http://docs.citrix.com/en-
di
us/netscaler/11/networking/traffic-domains.html#par_richtext_3
st
ri bu
tio
n
Key Notes:
MAC-Based Forwarding improves the performance of a NetScaler appliance by avoiding
al
multiple address resolution protocol (ARP) or route table lookups when forwarding packets.
e
This mode helps in supporting multiple routers with the ability to return the responses to the
or
router that forwarded the original set of network packets to the appliance.
MBF alters the way the NetScaler appliance routes the server replies back to clients.
di
MBF caches the MAC address of the uplink router that forwarded the client request to the
st
appliance. When a reply is received, it is passed through to the same router that sent the client
ri
request without going through any route lookup. If MBF is disabled, then the return path is
bu
determined by a route lookup, or is sent to the default route if no specific route exists.
tio
n
Key Notes:
MBF is primarily an optimization feature. You can always enable it in one-arm mode to improve
al
performance because NetScaler does not look at the route table to reply. Try to avoid MBF in
e
two-arm mode because you lose some control (the NetScaler will not honor the route table for
or
replies). If an issue arises with asymmetrical routing, try PBR first before resorting to MBF.
• MBF is an optimizing technique.
di
Key Notes:
An appliance can use the following modes to forward the packets it receives:
al
Additional Resources:
Traffic flow diagram and the scenarios. https://docs.citrix.com/en-us/netscaler/11/getting-
al
started-with-vpx/configure-system-management-settings/configure-packet-forwarding-
e
modes.html
or
di
st
ri bu
tio
n
Key Notes:
Used mostly in some LB deployments.
al
e
Part of the NetScaler system suite of performance enhancements revolves around maintaining
one connection to the client and multiplexing another to the server. This requires the NetScaler
or
system to translate the client’s IP address to either a MIP address or SNIP address. This
behavior will not be desired in some situations. In these cases, you can enable Use Source IP
di
mode. The result is that the client’s actual IP address is used to connect to the back end server.
st
You should consider a number of performance considerations before activating this feature:
ri bu
• Multiplexing can only be used for connections originating from the same client IP address.
This means that significantly more sessions will be established between the NetScaler
tio
system and the server. This is inefficient for the NetScaler system, and requires more
overhead for the server.
n
Key Notes:
Question: Why do we have Layer 3 mode and why is it enabled by default?
al
• To answer this, let’s consider situations in which you may want to change this traffic
e
behavior.
or
In these situations, you should use USIP. However, since this mode limits other functionality on
di
the NetScaler, it should only be used when absolutely required. If you only want to pass the
client-IP address to the application for web logging purposes, and the application is HTTP-
st
based, you should NOT use USIP mode. Instead, you should use Client IP header insertion,
ri
Key Notes:
Client-IP header insertion is the preferred method of passing the client IP address to backend
al
servers and applications. This allows the backend to see the Client IP address while
e
maintaining the full proxy functionality of the NetScaler (MUX, surge protection).
or
di
st
ri bu
tio
n
do not connect two interfaces on the appliance to the same broadcast domain.
e
Key Notes:
By default, the NetScaler system functions as a Layer3 network device. It can be configured to
al
function as a Layer 2 device as well. When running in Layer 2 mode, it will forward data it
e
receives that is not addressed to its MAC address. This behavior is traditionally associated with
or
a switch. The exceptions to this forwarding behavior are for the following traffic types:
• Broadcasts that are received on an interface associated with a VLAN will not be forwarded to
di
• ICMP and UDP traffic that exceeds the value set for Packet Rate filters will be dropped,
ri
• As this mode reduces the ability for the NetScaler system to control the traffic crossing it,
tio
security is reduced. Layer 2 functionality is only required in very specific situations and
should only be used when needed.
n
Key Notes:
The NetScaler system can either route or bridge packets that are not destined for an IP
al
address owned by the NetScaler - that is, the IP address is not the NSIP, a MIP, a SNIP, a
e
Key Notes:
PMTUD is only supported by TCP and UDP. Other protocols do not support it.
al
e
PMTUD is done continually on all packets because the path between sender and receiver can
change dynamically.
or
PMTUD is needed in network situations where intermediate links have smaller MTUs than the
di
Key Notes:
NetScaler compares the information in the data packet with the conditions specified in the ACL
al
BRIDGE—Bridge the packet to the destination without processing it. The packet is directly sent
di
Key Notes:
Simple ACLs should be used in situations in which you immediately need to enforce the rule
al
only for a short period of time - for example, to mitigate a DoS attack.
e
Key Notes:
You can use the following command to enable access control list entries in the command-line
al
interface:
e
Key Notes:
Applied access control lists are saved to the configuration, and the active status determines
al
whether traffic is compared against the access control list. However, if an access control list is
e
Key Notes:
To create an INAT entry by using the command line interface:
al
proxyIP <ip_addr|ipv6_addr>]
di
st
ri bu
tio
n
Key Notes:
An administrator can type the following command in the CLI to enable Reverse NAT (RNAT)
al
The NetScaler system will hide the IP address of all packets originating in that network.
di
Reverse NAT allows server-side addresses to be translated to the MIP address or NSIP
st
address of the NetScaler system when they send data through the system. This behavior
ri
applies to connections that are initiated from the internal servers, as opposed to client
bu
RNAT does not alter the data portion of the communication in any way. As a result, if the
application passes the host IP address as part of the data, that IP address will not be the same
n
as the address post-RNAT. This incongruity will most likely cause that application to fail. For
example, using the file transfer option in MSN messenger would not be possible through an
RNAT session. The exception to this rule is FTP. Citrix has put in place specific extended
functionality to support FTP through a RNAT session.
An administrator can use a virtual IP address as the IP address for RNAT. This does not work
with a wildcard virtual IP address.
RNAT can be configured to use a virtual IP address for address translation. RNAT is configured
using the “set ns rnat <network> -natip <address>” command. The address provided as the
value to –natip can be a MIP address, SNIP address or virtual IP address. A wildcard virtual IP
address is not a valid selection for the –natip parameter.
In an RNAT configuration NetScaler replaces the source IP addresses of packets generated by
the backend servers with a NAT IP address that is a public IP address.
N
ot
fo
rr
es
al
e
or
di
st
ri bu
tio
n
Additional Resources:
For more information about FIPS-enabled NetScaler systems, see Citrix article CTX129543 at
al
http://support.citrix.com/article/CTX129543.
e
or
di
st
ri bu
tio
n
Key Notes:
Managing web applications with gigabits of traffic:
al
• Most of the world's largest and highest traffic volume web sites are powered by NetScaler
e
MPX. Emerging cloud computing architectures use the solution to exploit Citrix's massive
or
throughput, fast SSL processing, and high-scale data compression while gaining the
computing power to run all NetScaler features concurrently.
di
• The same nCore architecture and NetScaler feature set relied on by massive web sites is
ribu
also available for small to mid-size organizations with MPX models handling up to 1 Gbps
of overall performance. Additional mid-range models enable organizations to scale using
tio
N
ot
fo
rr
es
al
e
or
di
st
ri bu
tio
n
Key Notes:
If the NetScaler appliance does not respond, and you want to force a core dump and restart the
al
appliance, you can use the NMI button. The core files help the Citrix Technical Support team to
e
The process of dumping a core and restarting the appliance can take between 10 and 45
minutes, depending on the RAM of the appliance.
di
st
ri bu
tio
n
Key Notes:
LOM Port can be used to remotely monitor and manage the appliance.
al
e
By connecting the LOM port to a dedicated channel that is separate from the data channel, you
can make sure that connectivity to the appliance is maintained even if the data network is
or
down. You thereby eliminate the data cable and data network as a single point of failure.
di
You can use either the GUI or a shell for the following tasks:
st
• Health monitoring.
bu
• Factory reset.
n
Key Notes:
The LCD displays real-time statistics, diagnostic information, and active alerts.
al
e
They show configuration information, alerts, HTTP information, network traffic information, CPU
load information, and port information for your appliance.
di
st
ri bu
tio
n
Key Notes:
Led Indicators
al
e
OFF No power.
or
Key Notes:
You are prompted to enter the subnet mask, NetScaler IP address (NSIP), and gateway in that
al
order respectively. The subnet mask is associated with both the NSIP and default gateway IP
e
address. The NSIP is the IPv4 address of the NetScaler appliance. The default gateway is the
or
IPv4 address for the router, which will handle external IP traffic that the NetScaler cannot
otherwise route. The NSIP and the default gateway should be on the same subnet.
di
st
ri bu
tio
n
Key Notes:
The NetScaler virtual appliance product is a virtual NetScaler appliance that can be hosted on
al
Citrix XenServer®, VMware ESX or ESXi, Linux-KVM, and Microsoft Hyper-V virtualization
e
platforms:
or
• Softlayer
di
• Azure
st
• AWS
ri
• Rackspace
bu
tio
n
Key Notes:
A NetScaler virtual appliance supports all the features of a physical NetScaler, except virtual
al
MAC (vMAC) addresses, Layer 2 (L2) mode, and link aggregation control protocol (LACP).
e
VLAN tagging is supported on the NetScaler virtual appliances hosted on the XenServer and
or
• On the Citrix XenServer, configure tagged VLANs on a port on the switch but do not
st
configure any VLANs on the XenServer interface attached to that port. The VLAN tags are
ri
passed through to the virtual appliance and you can use the tagged VLAN configuration on
bu
• On the VMware ESX, set the port group’s VLAN ID to 4095 on the vSwitch of VMware ESX
server.
n
Additional Resources:
For more information about setting a VLAN ID on the vSwitch of VMware ESX server, see
http://www.vmware.com/pdf/esx3_vlan_wp.pdf.
Key Notes:
Architecting private or public cloud infrastructures:
al
• The adoption of cloud computing creates significant networking challenges, including the
e
delivery services. As a software-based virtual appliance, NetScaler VPX enables rapid on-
demand provisioning in both public and private cloud infrastructures. Leading cloud
di
providers use the solution's RESTful APIs to develop self-service capabilities and
st
• NetScaler VPX can be deployed within development, testing and staging environments,
tio
Key Notes:
Performance VPX 3000 VPX 1000 VPX 200 VPX 10
al
e
If additional throughput is needed, some models also support Burst Pack and Pay-As-You-
Grow licensing options to help protect your initial investment and make it easier to scale up
di
Key Notes:
As a result, memory, CPU cycles, and SSL cards are resources that you can move around and
al
definitively assign to different NetScaler instances. Emphasize the hardware benefits of MPX
e
Additional Resources:
st
NetScaler Datasheet:
ri
http://www.citrix.com/content/dam/citrix/en_us/documents/products/netscaler-data-sheet.pdf.
bu
tio
n
Key Notes:
Getting more popular with cloud computing.
al
e
Some key players in Citrix advocate strongly to continue to advance this model.
or
di
st
ri bu
tio
n
Key Notes:
The traditional approach for multi-tenancy is to use purpose-built hardware with software
al
features like rate limits, ACLs, and RBAs to create a logical partition or contexts. This solution
e
uses a single entity of the device, operating system, or application. It looks good, but there are
or
• There is no CPU and resource isolation – one partition can greatly impact the performance of
st
other partitions.
ri bu
• There is no version independence – all the tenants are forced to use same version of
software.
tio
• There is no life cycle independence – if the software has a bug impacting one of the tenants,
other tenants get impacted too.
n
• There is no high availability (HA) independence – we cannot fail over a single partition. If
failover has to happen, all partitions have to fail over.
A single administrator controls most of the configuration.
All tenants share a single resource:
• Traffic domains for network segmentation.
• Rate limiting for resource isolation.
• RBA or roles for management isolation.
• Shared entity space.
Partitions are not fully isolated:
Key Notes:
Hypervisors are very common now and public cloud providers use hypervisors like Xen to
al
The hypervisors are now enterprise class and provide stable environments for multi-tenancy.
or
hardware, and ADCs are run as Virtual Machines (VMs) for each tenant.
st
In this solution, VMs will get resource isolation or version and life cycle independence.
bu
One problem with the hypervisor-based solution is that network performance does not scale.
Generally speaking, a device capable of processing 50 Gbps traffic natively, will not be able to
n
Key Notes:
In the hypervisor-based solution, only the hypervisor has direct access to the hardware.
al
e
or
di
st
ri bu
tio
n
Key Notes:
NetScaler SDX was designed and built for the following reasons:
al
e
Rather, each instance is in fact its own instance, with its own dedicated:
• Kernel
di
• Routing stack
ri bu
This provides the foundation for the true resource and lifecycle isolation necessary for
consolidating.
tio
Isolation for each NetScaler instance on SDX is provided by virtualization technologies. We use
n
N
ot
fo
rr
es
al
e
or
di
st
buri
tio
n
Key Notes:
SR-IOV is a PCI standard that provides IO virtualization.
al
e
With IO virtualization a physical device or function like NIC can be carved into virtual devices or
functions.
or
The virtual functions can be assigned to virtual machines. The virtual machine will have direct
di
Latest NICs like Intel 82599 and Intel 82576 controllers support SR-IOV.
tio
n
Key Notes:
With IO virtualization, each VF gets its own hardware RX and TX queues and has direct access
al
to the hardware.
e
When the NIC receives a packet, two levels of filtering are applied. In the first phase, MAC
di
filtering is applied to the find the right VF based on the destination MAC address. Then VLAN
st
When a VF transmits a packet, it queues the packet in the TX queue and the HW fetches the
tio
Packet switching is done at the hardware level, resulting in higher network performance.
Hardware provides MAC and VLAN filtering capabilities to isolate the traffic across VMs.
Using IO virtualization technologies, we can get the required isolation without sacrificing the
performance.
Key Notes:
For NetScaler SDX, we use the same hardware that NetScaler MPX uses for high-
al
performance networking.
e
We use XenServer for virtualization. The hardware and XenServer Hypervisor support SR-IOV.
or
Also, we have a management service running on the SDX for management of the SDX. It
st
ServiceVM provides services similar to the services provided by XenCenter for XenServer
bu
hosts. You can automate many of the management tasks by using NITRO API provided by the
ServiceVM.
tio
Multiple NetScaler VPXs can be provisioned on the SDX to provide a multi-tenant solution.
n
NetScaler VPX and NetScaler MPX use the same software, so NetScaler VPX is as robust as
NetScaler MPX.
Key Notes:
On NetScaler SDX, instances get dedicated and shared resources. The memory resources are
al
dedicated to an instance. Similarly, the SSL devices assigned to the VPX instance are
e
The CPU resources can be dedicated or shared depending on the requirements. Each instance
can get as many as five (5) dedicated cores (10 hyper-threads). The dedicated CPU allocation
di
can be useful for instances running production traffic. For the instances that are created for
st
Allocation of the network devices is flexible in NetScaler SDX. The devices can be shared or
bu
dedicated based on the security or compliance requirements. Finally, throughput and packets-
tio
per-second rate limits can be imposed on the VPX instance to control the network usage of an
instance.
n
Key Notes:
NetScaler SDX allows fine-grained control over the allocation of the CPU resource to an
al
instance.
e
At present, SDX has two (2) six-core processors. Enabling hyper-threading results in 12 logical
or
In this slide, CPU cores 3-8 are dedicated to VPX1. CPU cores 15-18 are dedicated to VPX2.
st
Key Notes:
The data plane CPU for each instance can also be a hard allocation. However, at a certain
al
instance count (11 or more) some of the instances will need to share cores.
e
or
di
st
ri bu
tio
n
Key Notes:
First, each instance has its own NetScaler OS kernel, and these kernels can be upgraded
al
independently. So, for example, when the next version of NetScaler operating system becomes
e
available, some of the instances can be upgraded, while others can be left. This gives us the
or
flexibility to consolidate and still meet the individual requirements of different apps.
Second, HA is also done at the instance level.
di
st
ri bu
tio
n
Key Notes:
Each instance gets its own kernel. So it has its own IP stack, its own routing tables, VLANs
al
For the data plane, our use of SR-IOV provides very strong isolation.
or
We have a lot of flexibility for how we can isolate on the management plane as well.
di
st
ri bu
tio
n
Key Notes:
To upgrade, a customer is shipped a hard drive. If you want to put your current MPX config on
al
the SDX, make sure you copy all relevant config files and other directories (for example, certs).
e
or
di
st
ri bu
tio
n
Key Notes:
Each VPX instance has dedicated VF, therefore performance is not impacted by other VPX
al
instances.
e
or
di
st
ri bu
tio
n
Key Notes:
Data and management plane isolation support network segmentation use cases.
al
e
Key Notes:
In an HA pair, we can fail over an individual instance on device A to device B, without having to
al
flop the entire device and every instance on the device. Embedded within this is the ability to
e
On SDX, we have:
di
• The ability to fail an instance over without failing over the entire device.
ri bu
tio
n
Key Notes:
We can upgrade XenServer of SDX from CLI of SVM.
al
e
Key Notes:
To Complete a Factory Reset:
al
• From dom0 (XenServer CLI) you can execute the following steps.
e
• Ensure to have a serial access console of the appliance before doing this
or
• 2. sfdisk /dev/sda -A 1
st
• 3. reboot
ri bu
tio
n
Key Notes:
How to check memory of the SDX: xe host-list params=memory-total
al
e
Key Notes:
When you log on to the SDX, you land on the homepage which gives you some basic
al
monitoring information.
e
or
di
st
ri bu
tio
n
Key Notes:
HA configuration is made of two (or more) NetScalers working in a HA configuration.
al
e
The ns.conf will have different node ID listing for the “paired” system.
ri bu
Other differences are only present if using the “independent network config” option.
tio
n
Key Notes:
High availability ensures that if one node experiences failure, the other node can take over
al
the NetScaler, we refer to the active system as the primary and the passive system as the
or
secondary.
HA can be configured in two modes, One Arm HA and Two Arm HA.
di
st
ri bu
tio
n
Key Notes:
GARP is send out by new primary for all the floating IPs on an HA failover.
al
e
Its staggered (40 packets every 200ms) and we send 2 GARPs/ IP.
or
upon failover.
st
ri bu
tio
n
Key Notes:
HA Communication:
al
On Secondary if there is a incarnation no. mismatch/ force sync, it wakes up nssync process.
st
Fetch Primary’s RPC node information and compare it with it’s own information. Opens RPC
ri
session on TCP port 3010 successfully, if RCP node passwords are correct.
bu
Invokes nsconf process and pull running config from Primary node
tio
(/var/nssynclog/ns_com_cfg.conf)
n
Key Notes:
Be sure all unused interfaces have monitoring suppressed.
al
If any interface has a line containing “ENABLED, down, …,MONITOR ON, …” the system will
di
never become primary. Usually it will stay as secondary with undefined primary.
st
Key Notes:
Propagation can be disabled set HA node -haProp DISABLED
al
e
• Node specific commands like add node, rm node, set node e.t.c.
• Interface specific config like set interface, bind interface e.t.c.
di
• Channel configuration.
st
ri bu
tio
n
Additional Resources:
File Synchronization in NetScaler High Availability Setup:
al
http://support.citrix.com/article/CTX138748
e
or
di
st
ri bu
tio
n
Key Notes:
Be sure all unused interfaces have monitoring suppressed
al
Key Notes:
The NSIP address can be changed using the “set ns config” command; this change requires a
al
restart.
e
or
di
st
ri bu
tio
n
Key Notes:
Citrix does not recommend configuring stay primary/secondary after initial setup. In the event of
al
flapping (device going up and down), this configuration would be disruptive. We recommend
e
letting the secondary device serve traffic until the cause of the failover is determined, and
or
• Citrix recommends that you set the status of the desired secondary node to stay secondary
st
Key Notes:
You can also verify on the LCD of a physical NetScaler.
al
e
Key Notes:
ENABLED state means normal HA operation without any constraints or preferences.
al
e
STAYPRIMARY configuration keeps the node in primary state if it is healthy, even if the peer
node was the primary node initially.
or
If you issue the STAYPRIMARY command on the primary device, then it gets “preferred node”
ri
Split brain:
tio
• Where both the nodes are healthy and claim primary state; they don’t hear about the other
node at all.
n
Key Notes:
Without Fail Safe mode enabled, if both nodes are experiencing failed health checks, then they
al
Then you would have both nodes refusing to handle traffic, which causes problems.
or
To mitigate this scenario, you need to enable Fail Safe mode, so one system will stay primary
di
When there is a heartbeat failure, the secondary reaches the lost heartbeat threshold and
ri
If you issue the STAYPRIMARY command on the primary device, then it gets preferred node
tio
Key Notes:
To communicate with other NetScaler Gateway appliances, each appliance requires knowledge
al
RPC nodes are internal system entities used for system-to-system communication of
or
configuration and session information. One RPC node exists on each NetScaler Gateway and
stores information, such as the IP addresses of the other NetScaler Gateway appliance and the
di
passwords used for authentication. The NetScaler Gateway that makes contact with another
st
NetScaler Gateway requires RPC node passwords on both appliances in a high availability pair.
bu
Initially, each NetScaler Gateway is configured with the same RPC node password. To enhance
tio
security, you should change the default RPC node passwords. You use the configuration utility
to configure and change RPC nodes.
n
Note: The NetScaler Gateway administrator password and the RPC node password must be
the same.
RPC nodes are implicitly created when adding a node or adding a Global Server Load
Balancing (GSLB) site. You cannot create or delete RPC nodes manually.
Important: You should also secure the network connection between the appliances. You can
configure security when you configure the RPC node password by selecting the Secure check
box.
To create or change an RPC node password and enable a secure connection:
• In the configuration utility, in the navigation pane, expand System > Network > Advanced and
then click RPC.
Key Notes:
To disable sync set HA node -hasync DISABLED
al
e
or
di
st
buri
tio
n
Key Notes:
Use force ns failover command on either the primary or the secondary Application Switch.
al
e
When the two nodes of an HA pair are running different versions of the system software, the
nodes goes to the listen mode.
or
Key Notes:
HA MON interfaces that are not bound to an FIS are known as critical interfaces (CI) because if
al
An FIS does not create an active and standby Interfaces or channels. It also does not prevent
or
Adding FIS :
st
Removing FIS
tio
Key Notes:
Some older routers are not GARP aware. Some networks do not allow GARP for security
al
It should be clear that if NetScalers are in separate subnets, GARP is not possible.
or
di
st
ri bu
tio
n
Key Notes:
In this diagram, each NetScaler should ensure that the router is available to it. If not, a failover
al
should occur.
e
or
di
st
ri bu
tio
n
Key Notes:
Advantage of managing from SNIP is to ensure configuration occurs on primary NetScaler.
al
e
or
di
st
ri bu
tio
n
Key Notes:
The two nodes of a high-availability pair can run on different versions of NetScaler code.
al
However, it is best practice to disable command propagation and automatic configuration sync;
e
this will prevent command conflicts between the different NetScaler platforms.
or
di
st
ri bu
tio
n
Key Notes:
Synchronization Failure:
al
• The ha_err_sync_failure counter tracks the number of times the primary and secondary
di
can occur because the Remote Procedural Call (RPC) password on the primary and
ri
Ensure that the primary and secondary appliances can communicate with each other. The
tio
management and heartbeat packets are sent on the L2 layer. The L2 layer connectivity
between the two appliances in the high-availability setup must allow the heartbeat packets to
n
Key Notes:
Load balancing is the most straightforward method of scaling out an application server
al
infrastructure. As application demand increases, new servers can be easily added to the
e
resource pool, and the load balancer will immediately begin sending traffic to the new server.
or
di
st
ri bu
tio
n
Key Notes:
The fundamental object types used within the NetScaler to define the load balancing
al
• The service represents the target server’s IP, port and protocol.
or
• The VServer represents the virtual server’s IP, port and protocol.
di
st
ri bu
tio
n
Key Notes:
In a basic load balancing setup, clients send their requests to the IP address of a virtual server
al
configured on the NetScaler appliance. The virtual server distributes them to the load-balanced
e
application servers according to a preset pattern, called the load balancing algorithm. In some
or
cases, you might want to assign the load balancing virtual server a wildcard address instead of
a specific IP address.
di
The request is sent to a virtual server on the NetScaler (VServer = IP address + port + protocol)
ri bu
Once the VServer receives the request, the vserver makes a load-balancing decision takes
place based on the assigned load-balancing method and results of the service monitor.
tio
The incoming load is distributed across the pool of available services. The method of this
distribution is dependent of the traffic being balanced.
Before requests are sent to backend services, their health is verified to ensure they are able to
accept connections.
Persistence tables are synchronized for failover if systems are operating in HA pair– the
connection will drop and need to be reestablished, but it will be reestablished to the same
backend server.
A Citrix NetScaler can balance TLS traffic as well as SSL. There also exist special definitions
to support FTP, both active and passive. Generic TCP and UDP traffic are tracked by port
number.
Key Notes:
Load balancing virtual server. The IP address, port, and protocol combination to which a client
al
application is accessible from the Internet, the virtual server IP (VIP) address is a public IP
or
address. If the application is accessible only from the local area network (LAN) or wide area
network (WAN), the VIP is usually a private (ICANN non-routable) IP address.
di
LB VServer:
st
• Client facing.
• Traffic Management from L4 (TCP/UDP) - L7 (FTP, HTTP, HTTPS).
tio
Service. The IP address, port, and protocol combination used to route requests to a specific
load-balanced application server. A service can be a logical representation of the application
server itself, or of an application running on a server that hosts multiple applications. After
creating a service, you bind it to a load balancing virtual server.
Service and Service Group:
• Service Entity: IP Address + Port + Protocol.
• Service Group Entity: Group of services (used for ease of administration).
• Faces servers.
Monitor. An entity on the NetScaler appliance that tracks a service and ensures that it
is operating correctly. The monitor periodically probes (or performs a health check on)
each service to which you assign it. If the service does not respond within the time
specified by the time-out, and a specified number of health checks fail, that service is
marked DOWN. The NetScaler appliance then skips that service when performing
load balancing, until the issues that caused the service to quit responding are fixed.
Monitor:
• Entity: tracks health of a service. It is always bound to a service.
• Dynamically takes a service UP or DOWN, based on results of monitor probes.
N
• Periodic probes - if server does not respond within a specified response timeout,
the number of probes fail and the service is marked DOWN.
ot
Metric Table
es
Name for the metric table. Must begin with an ASCII alphanumeric or underscore (_)
al
character, and must contain only ASCII alphanumeric, underscore, hash (#), period
(.), space, colon (:), at (@), equals (=), and hyphen (-) characters.
e
CLI Users: If the name includes one or more spaces, enclose the name in double or
or
Server object. A virtual entity that enables you to assign a name to a physical server
ri
instead of identifying the server by its IP address. If you create a server object, you
bu
can specify its name instead of the server's IP address when you create a service.
Otherwise, you must specify the server's IP address when you create a service, and
tio
Server:
• IP Address - can be named or unnamed.
Persistence group:
When you have load-balanced servers that handle several different types of
connections (such as Web servers that host multimedia), you can configure a virtual
server group to handle these connections. To create a virtual server group, you bind
different types of virtual servers, one for each type of connection that your load
balanced servers accept, into a single group. You then configure a persistence type
for the entire group.
CLI commands:
N
• add server
ot
Key Notes:
Same protocols as services supported.
al
e
GSLB VServer.
st
ri
LB VServer.
bu
SSL VServer.
tio
AAA TM VServer.
The port number must be between 0 and 65535.
The same IP address can listen on different ports.
Key Notes:
Multiple services can be bound to same server on different ports or protocols.
al
e
or
di
st
ri bu
tio
n
Key Notes:
Load balancing for L7 protocols works at layer 7, for example when LB HTTP each individual
al
Multiple services can be bound to same server on different ports and protocols.
or
CLI command:
di
HTTP - Used for load-balanced servers that accept HTTP traffic, such as standard web sites
and web applications. The HTTP service type enables the NetScaler appliance to provide
tio
compression, content filtering, caching, and client keep-alive support for your layer-7 web
servers. This service type also sUPports virtual server IP port insertion, redirect port rewriting,
n
Web 2.0 Push, and URL redirection support. Because HTTP is a TCP-based application
protocol, you can also use the TCP service type for web servers. If you do so, however, the
NetScaler appliance is able to perform only layer-4 load balancing. It cannot provide any of the
layer-7 support described earlier.
TCP - For non-RFC implementation or HTTP services - Used for servers that accept many
different types of TCP traffic, or that accept a type of TCP traffic for which a more specific type
of service is not available. You can also use the ANY service type for these servers.
FTP - Ensures that NetScaler takes care of specifics of the FTP protocol - You can also use
TCP or ANY service types for FTP servers.
UDP - Used for servers that accept UDP traffic. You can also use the ANY service type.
SSL - Used for servers that accept HTTPS traffic, such as ecommerce web sites and shopping
to DNS services. You can also use the UDP service type for these services. If you do,
however, the NetScaler appliance can only perform layer-4 load balancing. It cannot
ot
DNS-TCP: Used for servers that accept DNS traffic, where the NetScaler appliance
rr
acts as a proxy for TCP traffic sent to DNS servers. With services of the DNS-TCP
service type, the NetScaler appliance validates the packet format of each DNS
es
request and response and can cache DNS responses, just as with the DNS service
al
type.
e
You also can use the TCP service type for these services. If you do, however, the
NetScaler appliance only performs layer-4 load balancing of external DNS name
or
RTSP - Used for servers that accept Real-Time Streaming Protocol (RTSP) traffic.
st
RTSP provides delivery of multimedia and other streaming data. Select this type to
support audio, video, and other types of streamed media. You also can use the TCP
ri bu
service type for these services. If you do, however, the NetScaler appliance performs
only layer-4 load balancing. It cannot parse the RTSP stream or provide support for
tio
ANY - for any TCP, UDP and ICMP service. Primarily used with FW load balancing
and link load balancing - where load balancing is time-based.
SIP-UDP: Used for servers that accept UDP-based Session Initiation Protocol (SIP)
traffic. SIP initiates, manages, and terminates multimedia communications sessions
and has emerged as the standard for Internet telephony (VoIP).
• You also can use the UDP service type for these services. If you do, however, the
NetScaler appliance performs only layer-4 load balancing. It cannot provide
support for SIP-specific features.
DHCPRA: Used for servers that accept DHCP traffic. The DHCPRA service type can
be used to relay DHCP requests and responses between VLANs.
DIAMETER: Used for load balancing Diameter traffic among multiple Diameter
Key Notes:
Principles are the same as a service - like an object group in Cisco, or like a distribution group
al
in Windows, containing the same characteristics, including protocol and port, but also often are
e
Unbinding servers from service groups is not as convenient as unbinding servers from
services.
di
st
Configuring a service group enables you to manage a group of services as easily as you would
a single service.
ri bu
After creating a service group, you can bind it to a virtual server and add services to the group.
tio
n
Key Notes:
For all service types, the Citrix NetScaler can send ICMP pings to the server address. If the
al
For any TCP service, a TCP connection can be opened to the target port. If the connection is
or
accepted, then the Citrix NetScaler will close the connection and note that the service is up. If
there is an existing TCP traffic flow to the service, the Citrix NetScaler will not send an
di
For HTTP, TCP and UDP services, there are predefined monitors capable of Extended Content
ri
Verification (ECV). In this case, it is not enough to see that a TCP connection was accepted;
bu
some particular reply in the connection is required to mark the service as up. For these
tio
monitors ,a request string would be configured along with an expected reply string to be
received. If the reply string received by the Citrix NetScaler monitor matches, then the service
n
is up.
For DNS and FTP, there are similar monitors. A DNS query can be configured to be sent and
then the reply can be examined for an error. With a FTP server, an attempt to log in can be
made. If the login is successful, the service is up.
Both the basic HTTP / TCP and the ECV version of those monitors can be run over SSL. In
these cases the completed SSL handshake and session establishment is added to the
monitoring conditions. If the SSL connection fails, but the other monitoring criteria are
successful, the service will be marked as down.
Transparent devices such as firewalls can be monitored by verifying that the communication
can reach a network host behind the transparent device.
Monitors can also be configured to check connectivity to other systems as part of the health
N
ot
fo
rr
es
al
e
or
di
st
ri bu
tio
n
Key Notes:
Manually creating servers allows for a naming convention and better understanding for
al
beginners. If you simply add a service without first creating a server object, then the server
e
To eliminate DNS as a point of failure, it is a best practice to define server objects with an IP
address instead of within FQDN.
di
st
ri bu
tio
n
Key Notes:
The flow of traffic is dictated by the VServer and service relationship, which is called “binding.”
al
• It is received by the VServer object and is processed based on the vserver attributes.
or
• When a load-balancing decision occurs, the request is passed to the appropriate service
di
object.
st
• Based on the service attributes, the request is sent to a server’s IP and port.
ri bu
tio
n
Key Notes:
LEASTCONNECTION - Which service currently has the fewest client connections. This is the
al
ROUNDROBIN - Which service is at the top of a list of services. After that service is selected
or
time.
ri
Key Notes:
Least Connection is the default and is usually appropriate.
al
e
or
di
st
ri bu
tio
n
Key Notes:
URL hash method: When you configure the NetScaler system to use the URL hash method for
al
load balancing the services, the NetScaler generates a hash value of the HTTP URL present in
e
the incoming request. The NetScaler caches the hashed value of the URL, and when it
or
receives subsequent requests that use the same URL, it forwards them to the same service.
Domain hash method: A load-balancing virtual server configured to use the domain hash
di
method uses the hashed value of the domain name in the HTTP request to select a service.
st
The domain name is taken from either the incoming URL or the Host header of the HTTP
ri
request. If the domain name appears in both the URL and the Host header, the NetScaler gives
bu
Destination IP hash method: A load-balancing virtual server configured to use the destination IP
hash method uses the hashed value of the destination IP address to select a server. You can
n
mask the destination IP address to specify which part of it to use in the hash-value calculation,
so that requests that are from different networks but destined for the same subnet are all
directed to the same server.
Source IP hash method: A load-balancing virtual server configured to use the source IP hash
method uses the hashed value of the client IP address to select a service. To direct all requests
from source IP addresses that belong to a particular network to a specific destination server,
you must mask the source IP address.
Source IP Destination IP hash method: A load-balancing virtual server configured to use the
source IP destination IP hash method uses the hashed value of the source and destination IP
addresses to select a service. Hashing is symmetric; the hash-value is the same regardless of
the order of the source and destination IP addresses.
Source IP Source Port hash method: A load-balancing virtual server configured to use the
Key Notes:
During startup of a virtual server, or whenever the state of a virtual server changes, the virtual
al
server can initially use the round-robin method to distribute the client requests among the
e
physical servers. This type of distribution, referred to as startup round robin, helps prevent
or
unnecessary load on a single server as the initial requests are served. After using the round-
robin method at the startup, the virtual server switches to the load-balancing method specified
di
• If the Startup RR Factor is set to zero, the NetScaler switches to the specified load-balancing
bu
• If the Startup RR Factor is any number other than zero, NetScaler uses the round-robin
method for the specified number of requests before switching to the specified load-balancing
n
method.
• By default, the Startup RR Factor is set to zero.
set lb parameter -startupRRFactor <positive_integer>
Note: You cannot set the startup RR Factor for an individual virtual server. The value you
specify applies to all the virtual servers on the NetScaler appliance.
You can tell if you are in slow start by comparing the configured method to current method.
Key Notes:
The NetScaler appliance has two built-in monitors that monitor TCP-based applications: tcp-
al
default and ping-default. When you create a service, the appropriate default monitor is bound to
e
it automatically, so that the service can be used immediately if it is UP. The tcp-default monitor
or
is bound to all TCP services; the ping-default monitor is bound to all non-TCP services.
Tcp default is assigned to tcp-based services – it sends a tcp-syn and is successful if syn-ack is
di
received.
st
tcp
• Not applicable.
n
• The NetScaler appliance establishes a 3-way handshake with the monitor destination, and
then closes the connection.
• If the appliance observes TCP traffic to the destination, it does not send TCP monitoring
requests. This occurs if LRTM is disabled. By default, LRTM is disabled on this monitor.
http
• httprequest [“HEAD /”] - HTTP request that is sent to the service.
• respcode [200] - A set of HTTP response codes are expected from the service.
• The NetScaler appliance establishes a 3-way handshake with the monitor destination.
• After the connection is established, the appliance sends HTTP requests, and then compares
the response code with the configured set of response codes.
• recv [""] - the expected HTTP response data from the service.
• The NetScaler appliance establishes a 3-way handshake with the monitor
fo
destination.
rr
• When the connection is established, the appliance uses the send parameter to
es
send the HTTP data to the service and expects the HTTP response that the
receive parameter specifies. (HTTP body part without including HTTP headers).
al
Empty response data matches any response. Expected data may be anywhere in
e
ping
• Not Applicable.
di
• The NetScaler appliance sends an ICMP echo request to the destination of the
st
Key Notes:
Interval - Time interval between two successive probes. Must be greater than the value of
al
Response Time-out.
e
• Default = 5
or
• Min = 1
di
• Max = 20940000
st
Response Time-out - Amount of time for which the appliance must wait before it marks a probe
ri
as FAILED. Must be less than the value specified for the Interval parameter.
bu
• Default = 2
tio
• Min = 1
• Max = 20939000
n
Down Time - Time duration for which to wait before probing a service that has been marked as
DOWN. Expressed in milliseconds, seconds, or minutes.
• Default = 30
• Min = 1
• Max = 20939000
Retries - Maximum number of probes to send to establish the state of a service for which a
monitoring probe failed.
• Default = 3
• Min = 1
• Max = 127
as DOWN.
ot
• Max = 32
fo
Failure Retries - Number of retries that must fail, out of the number specified for the
rr
Retries parameter, for a service to be marked as DOWN. For example, if the Retries
parameter is set to 10 and the Failure Retries parameter is set to 6, out of the ten
es
probes sent, at least six probes must fail if the service is to be marked as DOWN.
al
The default value of 0 means that all the retries must fail if the service is to be marked
as DOWN.
e
• Max = 32
or
di
st
ri bu
tio
n
Key Notes:
You cannot edit default monitors, but you can copy and edit a copy of the default.
al
e
Depending on the service running on the backend server, there are a number of different health
checks that the Citrix NetScaler can perform to determine the service status.
or
For all service types, the Citrix NetScaler can send ICMP pings to the server address. If the
di
For any TCP service, a TCP connection can be opened to the target port. If the connection is
ri
accepted, then the Citrix NetScaler will close the connection and note that the service is up. If
bu
there is an existing TCP traffic flow to the service, the Citrix NetScaler will not send an
additional monitoring check.
tio
For HTTP, TCP and UDP services, there are predefined monitors capable of Extended Content
n
Verification (ECV). In this case, it is not enough to see that a TCP connection was accepted;
some particular reply in the connection is required to mark the service as up. For these
monitors ,a request string would be configured along with an expected reply string to be
received. If the reply string received by the Citrix NetScaler monitor matches, then the service
is up.
For DNS and FTP, there are similar monitors. A DNS query can be configured to be sent and
then the reply can be examined for an error. With a FTP server, an attempt to log in can be
made. If the login is successful, the service is up.
Both the basic HTTP / TCP and the ECV version of those monitors can be run over SSL. In
these cases the completed SSL handshake and session establishment is added to the
monitoring conditions. If the SSL connection fails, but the other monitoring criteria are
successful, the service will be marked as down.
Key Notes:
An HTTP-ECV monitor uses the following process when performing a health check probe:
al
e
1. The NetScaler system establishes a TCP connection with the service destination specified by
the monitor.
or
2. The NetScaler system sends HTTP data specified in the send string parameter to the
di
service.
st
3. The NetScaler system compares the HTTP response received by the service to the expected
ri
4. If the response matches the data in the receive string parameter, the probe is a success. If
tio
a match. The NetScaler system looks for matching responses in the first 24K bytes of data in
the body of the response.
A monitor may be configured for reverse conditions. In this case, a probe is considered to have
failed if the condition of the monitor is satisfied.
For example, if http-ecv monitor is configured with a send string GET /file, receive string Error
and -reverse YES, then a match of the string Error in the response will cause the probe to fail.
If the response does not match Error, the probe is successful.
Reverse conditions are specific to each monitor. The table (on the slide) contains the reverse
and direct conditions for HTTP-ECV monitors.
Key Notes:
Only NetScaler can intelligently monitor MySQL and MS SQL.
al
e
Citrix on Citrix – NetScaler does Citrix services better than any other appliance
or
Key Notes:
These monitors all have pre-configured scripts to use – to fully customize a scriptable monitor
al
Note: when the NetScaler runs a scriptable monitor (located /nsconfig/monitors) the script
or
executes from the BSD kernel. So by default the source IP of the monitor will be the NSIP.
di
st
ri bu
tio
n
Key Notes:
A scriptable monitor requires the following components.
al
e
Dispatcher - A process, on the appliance, that listens to monitoring requests. A dispatcher can
be on the loopback IP address (127.0.0.1) and port 3013. Dispatchers are also known as
or
internal dispatchers. A dispatcher can also be a web server that supports Common Gateway
Interface (CGI). Such dispatchers are also known as external dispatchers. They are used for
di
custom scripts that do not run on the FreeBSD environment, such as .NET scripts.
st
• Note: You can configure the monitor and the dispatcher to use HTTPS instead of HTTP by
ri
enabling the “secure” option on the monitor and configure it as an external dispatcher.
bu
However, an internal dispatcher understands only HTTP and cannot use HTTPS.
In a HA
tio
setup, the dispatcher runs on both the primary and secondary NetScaler appliances. The
dispatcher remains inactive on the secondary appliance.
n
Script - The script is a program that sends custom probes to the load-balanced server and
returns the response code to the dispatcher. The script can return any value to the dispatcher,
but if a probe succeeds, the script must return a value of zero (0). The dispatcher considers any
other value as probe failure.
The NetScaler appliance is bundled with sample scripts for
commonly used protocols. The scripts exist in the /nsconfig/monitors directory.
Key Notes:
Source IP SOURCEIP. Connections from the same client IP address are parts
al
HTTP Cookie COOKIEINSERT. Connections that have the same HTTP Cookie
or
SSL Session ID SSLSESSION. Connections that have the same SSL Session ID are
st
URL Passive URLPASSIVE. Connections to the same URL are treated as parts of
bu
N
ot
fo
rr
es
al
e
or
di
st
ri
bu
tio
n
Key Notes:
When balancing HTTP or doing SSL offload, cookie insertion is recommended if persistence is
al
needed.
e
When balancing other protocols like SMTP or LDAP, Source IP persistence is generally your
or
best bet.
di
st
ri bu
tio
n
Key Notes:
Cookie insert persistence will not get an entry into the persistence table, because it is a cookie.
al
e
or
di
st
ri bu
tio
n
Key Notes:
HTTP load balancing is request based - A new service is chosen for each HTTP request,
al
independent of TCP connections. As with all HTTP requests, after the Web server fulfills the
e
When HTTP cookie persistence is configured, the NetScaler appliance sets a cookie in the
HTTP headers of the initial client request. The cookie contains the IP address and port of the
di
By default, the time-out value for Cookie Insert persistence is 120 seconds. When you
ri
configure persistence for applications for which idle time cannot be determined, set the Cookie
bu
Insert persistence time-out value to 0. With this setting, the connection does not time out.
tio
Unless you configure persistence, load-balancing, stateless protocol, such as HTTP, disrupts
the maintenance of state information about client connections. Different transmissions from the
n
same client might be directed to different servers even though all of the transmissions are part
of the same session. You must configure persistence on a load-balancing virtual server that
handles certain types of Web applications, such as shopping cart applications.
• Version 0 – is the default – absolute time.
• Version 1 – relative time.
Additional Resources:
Recommended Settings and Best Practices for Generic Implementation of a NetScaler
Appliance: http://support.citrix.com/article/CTX121149
Key Notes:
Least Connections - When a virtual server is configured to use the Least Connection load-
al
balancing algorithm (or method), it selects the service with the fewest active connections. This
e
is the default method, because, in most circumstances, it provides the best performance.
or
Round-Robin - It continuously rotates a list of the services that are bound to it. When the virtual
server receives a request, it assigns the connection to the first service in the list and then
di
Least Response Time - It selects the service with the fewest active connections and the lowest
ri
average response time. You can configure this method for HTTP and Secure Sockets Layer
bu
Least Bandwidth method selects the service that is currently serving the least amount of traffic,
measured in megabits per second (Mbps).
n
Least Packets method selects the service that has received the fewest packets in the last 14
seconds.
Key Notes:
Adding Monitor using CLI:
al
Key Notes:
When you request DNS resolution of a domain name, the NetScaler appliance uses the
al
configured load-balancing method to select a DNS service. The DNS server to which the
e
service is bound then resolves the domain name and returns the IP address as the response.
or
The appliance also can cache DNS responses and use the cached information to respond to
future requests for resolution of the same domain name. Load balancing DNS servers improves
di
The NetScaler appliance has two built-in monitors that can be used to monitor DNS services:
ri
DNS and DNS-TCP. When bound to a service, either monitor periodically checks the state of
bu
that DNS service by sending a DNS query to it. The query resolves to an IPv4 or IPv6 address.
That IP address is then checked against the list of test IP addresses that you configure. The list
tio
can contain as many as five IP addresses. If the resolved IP address matches at least one IP
n
address on the list, the DNS service is marked as UP. If the resolved IP address does not
match any IP addresses on the list, the DNS service is marked as DOWN.
DNS UDP - Is a time-based load balancer - A new service is chosen for each UDP packet.
Upon selection of a service, a session is created between the service and a client for a
specified period of time. When the time expires, the session is deleted and a new service is
chosen for any additional packets, even if those packets come from the same client
DNS TCP – Is connection based - A service is chosen for every new TCP connection. The
connection persists until terminated by either the service or the client.
Least Connections - When a virtual server is configured to use the least connection load-
balancing algorithm (or method), it selects the service with the fewest active connections. This
is the default method, because, in most circumstances, it provides the best performance.
Round-Robin – The VServer continuously rotates a list of the services that are bound to it.
Key Notes:
Query - Domain name to resolve as part of monitoring the DNS service (for example,
al
example.com).
e
Query Type - Type of DNS record for which to send monitoring queries. Set to Address for
or
querying A records, AAAA for querying AAAA records, and Zone for querying the SOA record.
di
IP - Set of IP addresses expected in the monitoring response from the DNS server, if the
st
Key Notes:
It is recommended that you use the Least Connection method for better load balancing and
al
lower server load. However, other methods, such as Round Robin, Least Response Time,
e
Source IP Hash, Source IP Destination IP Hash, Least Bandwidth, Least Packets, and Source
or
SQL Multiplexing
• Scale TCP connections.
n
Key Notes:
add db user <username> - password <password>
al
e
Navigate to System > User Administration > Database Users, select a user, and enter new
values for the password.
or
di
st
ri bu
tio
n
Key Notes:
NetScaler DataStream is supported only for MySQL and MS SQL databases.
al
e
The most effective load balancing algorithm for database switching is the least connection
method.
or
over the same server-side connection. The following connection properties are considered :
st
User name.
ri
Database name.
bu
Packet size.
tio
Character set.
n
Key Notes:
TCP based protocols, other than HTTP, can also be secured using SSL. If the incoming traffic
al
is SSL encrypted but not HTTP, a virtual server of type SSL_TCP would be created. This
e
server will decrypt the traffic on arrival and forward it based on the protocols defined on the
or
NetScaler system, then a virtual server of type SSL_BRIDGE should be chosen. The NetScaler
st
will not decrypt the SSL data as it is received, rather it will forward the traffic unaltered to the
ri
backend services.
bu
tio
n
Key Notes:
LDAP would use a connection-based load balancer - A service is chosen for every new TCP
al
connection. The connection persists until terminated by either the service or the client.
e
LDAP Monitor.
or
• It periodically checks the LDAP service to which it is bound by authenticating and sending a
di
search query to it. If the search is successful, the service is marked UP. If the LDAP server
does not locate the entry, a failure message is sent to the LDAP monitor, and the service is
st
marked DOWN.
ri bu
• You configure the LDAP monitor to define the search that it should perform when sending a
tio
query. You can use the Base DN parameter to specify a location in the directory hierarchy
where the LDAP server should start the test query. You can use the Attribute parameter to
n
Key Notes:
The LDAP monitor logs on to Active Directory, performs an LDAP query, and looks for a
al
successful response. The monitor configuration has domain specific information, so if you have
e
multiple Active Directory domains then you will need multiple LDAP monitors. Include the
or
• It periodically checks the LDAP service to which it is bound by authenticating and sending a
st
search query to it. If the search is successful, the service is marked UP. If the LDAP server
ri
does not locate the entry, a failure message is sent to the LDAP monitor, and the service is
bu
marked DOWN.
tio
You configure the LDAP monitor to define the search that it should perform when sending a
query. You can use the Base DN parameter to specify a location in the directory hierarchy
n
where the LDAP server should start the test query. You can use the Attribute parameter to
specify an attribute of the target entity.
Note: Monitor probes originate from the NetScaler IP (NSIP) address.
Key Notes:
Examples of UDP-based traffic include Domain Name System (DNS) address lookups and
al
Network Time Protocol (NTP), both of which exist for a very short time. Generally, UDP
e
connections exist for a very short duration. Therefore, time-based load balancing does not
or
the successful transmission and receipt of data packets from one device to another. As a result,
st
the only way a NetScaler appliance can track UDP connections is through the source and
ri
On the first connection, forcibly load balance a data transfer between a source address or port
tio
Key Notes:
Link load balancing would be an example – or anything that requires a range of protocols and
al
ports.
e
Additional Resources:
st
http://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-ids-
bu
servers.html
tio
n
Additional Resources:
The guides are located at http://community.citrix.com/display/ns/Microsoft.
al
e
or
di
st
ri bu
tio
n
Key Notes:
Inline monitors have a timeout value and a retry count when probes fail. You can select any of
al
the following action types for the NetScaler appliance to take when a failure occurs:
e
• NONE. No explicit action is taken. You can view the service and monitor, and the monitor
or
indicates the number of current contiguous error responses and cumulative responses
checked.
di
• DOWN. Marks the service DOWN and does not direct any traffic to the service. This setting
ri
breaks any persistent connections to the service. This action also logs the event and
bu
displays counters.
tio
After the service is DOWN, the service remains down for the configured down time. After the
down time elapses, the inline monitor uses the configured URL to probe the service to see if it
n
is available again.
HTTP Request
• The HTTP request parameter specifies the HTTP request that will be sent to the service
bound to the monitor.
• Default value: HEAD /
Response Codes
• The response codes parameter specifies a set of HTTP response codes expected from the
service bound to the monitor.
• Default value: 200.
Key Notes:
A monitor may be configured for reverse conditions. In this case, a probe is considered to have
al
For example, if http-ecv monitor is configured with a send string GET /file, receive string Error
or
and -reverse YES, then a match of the string Error in the response will cause the probe to fail.
If the response does not match Error, the probe is successful.
di
st
Reverse conditions are specific to each monitor. The table (on the slide) contains the reverse
and direct conditions for HTTP-ECV monitors.
ri bu
tio
Additional Resources:
How to Configure Reverse Monitoring with Primary and Secondary Services on a NetScaler
n
Appliance: http://support.citrix.com/article/CTX115525
Key Notes:
Following commands to shut down a service gracefully and verify the configuration:
al
Persistence is maintained according to the specified method even if you enable graceful
di
shutdown. The system continues to serve all the persistent clients, including new connections
st
from the clients, unless the service is marked DOWN during the graceful shutdown state as a
result of the checks made by a monitor.
ri bu
tio
n
Key Notes:
You can set the client keep-alive parameter to configure an HTTP or SSL service to keep a
al
If client keep-alive is enabled, even when the load-balanced web server closes a connection,
or
the NetScaler system keeps the connection between the client and itself open.
di
st
ri bu
tio
n
Key Notes:
Assigning weights to services allows the NetScaler system to determine how much traffic each
al
environment.
ri
Service weights are useful when one server can handle more traffic than others.
bu
tio
n
Key Notes:
Background: A NetScaler appliance operates in the proxy mode. This mode requires the
al
(MIP) and Subnet IP (SNIP) addresses, configured on the appliances. These IP addresses are
or
dynamically selected from the global pool of MIP and SNIP addresses while connecting with a
server. Depending on the subnet in which the physical server is placed, the NetScaler
di
appliance decides whether a MIP or SNIP should be used. This address pool is used for
st
sending traffic as well as monitor probes. The administrator does not have any control on the
ri
selection of the IP addresses that the appliance uses to initiate a connection. This functionality
bu
is same for the actual client requests and the appliance-generated monitoring requests.
Net Profile:
tio
• A net profile (or network profile) contains an IP address or an IP set. A net profile can be
n
Key Notes:
Net Profile
al
• A net profile (or network profile) contains an IP address or an IP set. A net profile can be
e
monitors. During communication with physical servers or peers, the appliance uses the
addresses specified in the profile as source IP addresses.
di
Usage Scenarios
st
• There are multiple scenarios in which you can use the Networking Profile feature of a
ri bu
• You can use a network profile to separate the backend server farms for the traffic originating
n
Additional Resources:
NetScaler Traffic Management Guide: http://support.en.ctx.org.cn/ctx132359.citrix
al
e
or
di
st
ri bu
tio
n
Key Notes:
Type of thresholds that, when exceeded, trigger spillover. Available settings function as follows:
al
• CONNECTION - Spillover occurs when the number of client connections exceeds the
e
threshold.
or
virtual server exceeds the sum of the maximum client (Max Clients) settings for bound
services. Do not specify a spillover threshold for this setting, because the threshold is implied
st
• BANDWIDTH - Spillover occurs when the bandwidth consumed by the virtual server's
bu
• HEALTH - Spillover occurs when the percentage of weights of the services that are UP
drops below the threshold. For example, if services svc1, svc2, and svc3 are bound to a
n
virtual server, with weights 1, 2, and 3, and the spillover threshold is 50%, spillover occurs if
svc1 and svc3 or svc2 and svc3 transition to DOWN.
• NONE - Spillover does not occur.
Key Notes:
Max clients - Maximum number of simultaneous open connections to the service.
al
e
Down state flush – ON by default - Flush all active transactions associated with a virtual server
whose state transitions from UP to DOWN. Do not enable this option for applications that must
di
Key Notes:
Load balancing methods that are applicable to LLB are round robin, destination IP hash, least
al
Key Notes:
Slow Start: The virtual server on a NetScaler appliance gets into a Slow Start mode or a
al
Startup Round Robin mode whenever a new service is enabled or a new service occurs in the
e
farm. The load balancing algorithm falls back to Round Robin method regardless of the
or
Additional Resources:
ri
Additional Resources:
Probable Reasons for the Status of a Virtual Server Being Marked as DOWN on NetScaler:
al
http://support.citrix.com/article/CTX108960
e
or
di
st
ri bu
tio
n
Key Notes:
SSL vs TLS. SSL was coined by Netscape (owned by AOL now). Developers changed the
al
name to TLS for legal reasons. TLS is the modern version of SSL.
e
or
Additional Resources:
di
SSLTLS-timeline.aspx
ri bu
tio
n
Key Notes:
For a client to establish a secure connection between a web browser and server, in most cases,
al
a root certificate must be installed in the browser certificate store and on the client.
e
or
di
st
ri bu
tio
n
Key Notes:
We support OpenSSL.
al
e
or
Additional Resources:
Refer to the NetScaler Datasheet at www.citrix.com for information about features and
di
performance for specific NetScaler platforms. You may need to enter "NetScaler Datasheet"
st
Key Notes:
NetScaler Appliance does all the Encryption/Decryption and by doing that it frees the valuable
al
Key Notes:
Types of Digital Certs.
al
• Server Certificate.
e
• Machine Certificate.
di
• pem - (Privacy Enhanced Mail) - PEM formats file have Base64 encoded DER certificate,
ri
enclosed between the tags "BEGIN CERTIFICATE" and "END CERTIFICATE". This format
bu
can have multiple certificates. PEM standards are meant to provide message confidentiality
and integrity to emails.
tio
• p7b, .p7c - PKCS#7 - PKCS #7 is a container which may contain plain data, signed data,
encrypted data, or combination of these. It may also contain set of certificates needed to
validate the certification chain.
• p12 - PKCS#12 - This format usually contains X509 certificates, public and private key. It is
protected by password.
• pfx - PFX (Personal Information Exchange) - Files have both the private and public keys.
This format is preferred for creating certificates to authenticate applications or websites.
Since this format has private keys, this file is password protected.
Key Notes:
There are many well recognized Certificate Authorities(CA) who can issue certificates. Some of
al
the well- known certificate authorities are Verisign, GoDaddy, GlobalSign, Digicert, StartCom,
e
Trustwave, Secom etc. These Certificate Authorities can issue certificate in the below
or
mentioned formats.
PEM - Privacy Enhanced Mail.
di
st
Key Notes:
The Key size should be larger than 512 bits and the Maximum size supported by Citrix
al
NetScaler is 4096 .
e
Key Notes:
Public/private key architecture.
al
e
Public keys are in the root certificate and stored on the client and used to encrypt traffic.
or
Key Notes:
Self-signing is appropriate for testing and POC. It is not recommended for most production
al
environments.
e
or
di
st
ri bu
tio
n
Key Notes:
Command-line syntax:
al
Key Notes:
Client certificates are used for cert-based authentication and not needed for SSL Offload.
al
e
or
di
st
ri bu
tio
n
Key Notes:
A NetScaler appliance supports the PEM and DER formats for SSL certificates. Other
al
applications, such as client browsers and some external secure servers, require various public
e
key cryptography standard (PKCS) formats. The NetScaler can convert the PKCS#12 format
or
(the personal information exchange syntax standard) to PEM or DER format for importing a
certificate to the appliance, and can convert PEM or DER to PKCS#12 for exporting a
di
certificate. For additional security, conversion of a file for import can include encryption of the
st
Additional Resources:
tio
Key Notes:
The certificate can be installed in the Configuration Utility.
al
e
Additional Resources:
di
http://support.citrix.com/article/CTX109260
ri bu
tio
n
Key Notes:
There are two different states of revocation:
al
• 1) Revoked: A certificate is irreversibly revoked if, for example, it is discovered that the
e
• The most common reason for revocation is the user no longer being in sole possession of
the private key (e.g., the token containing the private key has been lost or stolen).
st
• 2) Hold: This reversible status can be used to note the temporary invalidity of the certificate
ri
(e.g., if the user is unsure if the private key has been lost). If, in this example, the private key
bu
was found and nobody had access to it, the status could be reinstated, and the certificate is
tio
Key Notes:
When you update an SSL certificate, it minimizes the time the virtual servers are not available
al
compared to the time that is taken to manually unbind an SSL certificate, delete the SSL
e
certificate, add a new SSL certificate, and bind the new SSL certificate.
or
[-inform (DER|PEM)][-noDomainCheck]
st
ri bu
tio
n
Key Notes:
The certificate can be installed in the Configuration Utility.
al
e
Additional Resources:
di
http://support.citrix.com/article/CTX109260
ri bu
tio
n
Key Notes:
Configuring SNI.
al
e
Key Notes:
The figure provides an overview of a strict SSL offload scenario in which all SSL-encrypted
al
communication between the web servers and the client is handled by the NetScaler system.
e
Communication between the NetScaler system and the backend server is unencrypted,
or
providing load reduction on the server and allowing the server to focus on performing the
application role instead of on managing SSL encryption and decryption processes.
di
st
ri bu
tio
n
Key Notes:
The figure provides an overview of a strict SSL offload scenario in which all SSL encrypted
al
communication between the web servers and the client is handled by the NetScaler system.
e
Communication between the NetScaler system and the backend server is unencrypted,
or
providing load reduction on the server and allowing the server to focus on performing the
application role instead of on managing SSL encryption and decryption processes.
di
st
ri bu
tio
n
Key Notes:
If it re-encrypts traffic, then it does not send back unencrypted traffic.
al
e
or
di
st
ri bu
tio
n
Key Notes:
Once the CA has issued the certificate, then it needs to be installed on the NetScaler.
al
e
Once installed, the certificate must be bound to a virtual server to encrypt traffic and to identify
itself.
or
di
st
ri bu
tio
n
Key Notes:
Once the CA has issued the certificate, then it needs to be installed on the NetScaler.
al
e
Once installed, the certificate must be bound to a virtual server to encrypt traffic and to identify
itself.
or
Remember that you still need to bind in your http services or service groups as we did in the
di
Key Notes:
Termination at Web server would be SSL Bridge.
al
e
Key Notes:
Front-end SSL with back-end SSL is more secure but puts more load on back-end servers.
al
e
SSL Bridge is most secure because traffic never gets decrypted until it gets to target server but
poor performance and NetScaler can do very little with the traffic.
or
di
st
ri bu
tio
n
Key Notes:
The NetScaler performs the below mentioned activities in an end-to-end SSL configuration:
al
• Front-end (Client-side) Encryption: The NetScaler terminates the secure Client side session
e
• Back-end (Server-side) Encryption: The NetScaler initiates a secure connection with the
di
• SSL session multiplexing: NetScaler appliance uses SSL session multiplexing to reuse
existing SSL sessions with the back-end web servers. Doing this avoids CPU-intensive key
ri
exchange (full handshake) operations and reduces the overall number of SSL sessions on
bu
the server thereby accelerating the SSL transaction while maintaining end-to-end security.
tio
n
Key Notes:
The NetScaler supports SSL acceleration for Other TCP protocols with and without end-to-end
al
encryption.
e
To configure SSL offloading with Other TCP protocols, create a virtual server of type SSL_TCP,
or
bind a certificate-key pair and TCP based services to the virtual server, and configure SSL
actions and policies based on the type of traffic expected and the acceleration to be provided.
di
st
ri bu
tio
n
Key Notes:
SSL Bridge basically turns the NetScaler into a SSL proxy. No certs are required and it does
al
If you need persistence, then you can configure SSL Session ID persistence. So, even though
di
the NetScaler does not decrypt the SSL traffic, it can track the SSL session ID for persistence.
st
ri bu
tio
n
Key Notes:
Secure because de-encryption occurs at one place in the internal network.
al
e
Key Notes:
If this occurs after HA failover, confirm that the SSL certs synced.
al
e
or
di
st
ri bu
tio
n
Key Notes:
This protection is on by default.
al
e
or
di
st
buri
tio
n
Key Notes:
it is usually a best practice to disable SSLv3 and TLSv1.
al
e
or
di
st
ri bu
tio
n
Key Notes:
To create a user-defined cipher group, first you create a cipher group and then you bind ciphers
al
If your MPX appliance does not have any licenses, then only the EXPORT cipher is bound to
or
Additional Resources:
ri
https://docs.citrix.com/en-us/netscaler/10-1/ns-tmg-wrapper-10-con/ns-ssl-wrapper-con-10/ns-
tio
ssl-customize-ssl-config-con/ns-ssl-user-defined-cipher-groups-tsk.html
n
Key Notes:
To disable SSLv3 on a specific VServer, run the following command from the NSCLI:
al
Additional Resources:
di
http://support.citrix.com/article/CTX200238
ri bu
tio
n
Key Notes:
AAA provides security for a distributed Internet environment by allowing any client with the
al
proper credentials to connect securely to protected application servers from anywhere on the
e
Internet.
or
The AAA feature allows a site administrator to manage access controls with
the NetScaler appliance instead of managing these controls separately for each application. ...
di
The AAA feature supports authentication, authorization, and auditing for all application traffic.
st
This feature incorporates the three security features of authentication, authorization, and
ri
auditing.
bu
Authentication enables the NetScaler ADC to verify the client’s credentials, either locally or with
tio
a third-party authentication server and allow only approved users to access protected servers.
Authorization enables the ADC to verify which content on a protected server it should allow
n
Key Notes:
KCD – Kerberos Constrained Delegation. Not supported in Gateway SSL VPN or NS
al
management.
e
AAA Users and Groups – used for AAA-Application Traffic and NetScaler Gateway.
di
st
ri bu
tio
n
Key Notes:
Nsroot:
al
• This account is the default administrative account for the NetScaler system and cannot be
e
disabled or removed from the system. Citrix recommends changing the default account
or
password.
di
• A NetScaler root administrator can configure the maximum concurrent session limit for
system users. By restricting the limit, you can reduce the number of open connections and
st
improve server performance. As long as the CLI count is within the configured limit,
ri
concurrent users can log on the configuration utility any number of times. However, if the
bu
number of CLI sessions reaches the configured limit, users can no longer log on to the
configuration utility.
tio
• To create a local AAA user account by using the command line interface:
n
• At the command prompt, type the following commands to create a local AAA user account
and verify the configuration:
• add aaa user <username> [–password <password>]
• show aaa user
• To configure AAA local users by using the configuration utility:
• Navigate to Security > AAA - Application Traffic > Users
• In the details pane, do one of the following:
• To create a new user account, click Add.
• To modify an existing user account, select the user account, and then click Open.
• In the Create AAA User dialog box, in the User Name text box, type a name for the user.
additional security, else the default password is enforced. Initially, all NetScaler
ot
appliances are configured with the same default RPC node password.
• Note: In NetScaler 11.0 hash value or encrypted string for RPC node password will
fo
look different even though they are configured to be the same. This is by design.
rr
Key Notes:
The Management Service also supports authentication requests from SSH. The SSH
al
• You can configure the NetScaler appliance to authenticate user access with one or more
di
LDAP servers. LDAP authorization requires identical group names in Active Directory, on the
LDAP server, and on the appliance. The characters and case must also be the same.
st
• By default, LDAP authentication is secured by using SSL/TLS protocol. There are two types
ri bu
of secure LDAP connections. In the first type, the LDAP server accepts the SSL/TLS
connection on a port separate from the port used to accept clear LDAP connections. After
tio
users establish the SSL/TLS connection, LDAP traffic can be sent over the connection. The
second type allows both unsecure and secure LDAP connections and is handled by a single
n
port on the server. In this scenario, to create a secure connection, the client first establishes
a clear LDAP connection. Then the LDAP command StartTLS is sent to the server over the
connection. If the LDAP server supports StartTLS, the connection is converted to a secure
LDAP connection by using TLS.
• The port numbers for LDAP connections are:389 for unsecured LDAP connections.
• 636 for secure LDAP connections.
• 3268 for Microsoft unsecure LDAP connections.
• 3269 for Microsoft secure LDAP connections.
• LDAP connections that use the StartTLS command use port number 389. If port numbers
389 or 3268 are configured on the appliance, it tries to use StartTLS to make the connection.
If any other port number is used, connection attempts use SSL/TLS. If StartTLS or SSL/TLS
to use a RADIUS authentication server, use the following guidelines: If you enable
ot
use of the NAS IP, the appliance sends its configured IP address to the RADIUS
server, rather than the source IP address used in establishing the RADIUS
fo
connection.
rr
• If you configure the NAS ID, the appliance sends the identifier to the RADIUS
server. If you do not configure the NAS ID, the appliance sends its host name to
es
• When the NAS IP is enabled, the appliance ignores any NAS ID that was
e
Authentication Protocol.
ri
Version 2).
• If your deployment of the appliance is configured to use RADIUS authentication
n
Key Notes:
Authentication policies determine when the action should be applied.
al
e
the Action of the policy is the target authentication server. And like all policies on the NetScaler,
st
they need to be bound before they take effect. It is common to bind authentication policies
globally, but not required; you could bind to a single VServer if required and then authentication
ri
would only take place when traffic was processed by that VServer.
bu
tio
n
Key Notes:
Best Practice is the disable external authentication for local accounts – including nsroot.
al
e
or
di
st
ri bu
tio
n
Key Notes:
Command policies define which commands a delegated administrator is allowed to execute.
al
These are defined in Regex – the NetScaler supports Perl based regex.
e
Key Notes:
read-only Allows read-only access to all show commands except show runningconfig, show
al
ns.conf , and the show commands for the NetScaler appliance command group.
e
operator Allows read-only access and access to commands to enable and disable services
or
network Allows full access, except to the set and unset SSL commands, sh ns.conf, sh
st
Sysadmin Allows full access, except no access to the NetScaler shell, cannot perform user
configurations, cannot perform partition configurations, and some other configurations as stated
n
Additional Resources:
Configuring Users, User Groups, and Command Policies: http://docs.citrix.com/en-
us/netscaler/11/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-config-users-and-grps-tsk.html
Key Notes:
Following are few Build-In Command policies:
al
• read-only - Read-only access to all show commands except show ns runningConfig, show ns
e
ns.conf, and the show commands for the NetScaler command group.
or
• Operator - Read-only access and access to commands to enable and disable services and
di
servers.
st
• Network - Full access, except to the set and unset SSL commands, show ns ns.conf, show
ns runningConfig, and show gslb runningConfig commands.
ri bu
• Sysadmin - [Included in NetScaler 11.0 and later] A sysadmin is lower than a superuser is
terms of access allowed on the appliance. A sysadmin user can perform all NetScaler
tio
operations with the following exceptions: no access to the NetScaler shell, cannot perform
user configurations, cannot perform partition configurations, and some other configurations
n
Key Notes:
You can configure the NetScaler appliance to authenticate user access with one or more
al
RADIUS servers. If you are using RSA SecurID, SafeWord, or Gemalto Protiva products, use a
e
RADIUS server.
or
Your configuration might require using a network access server IP address (NAS IP) or a
network access server identifier (NAS ID). When configuring the appliance to use a RADIUS
di
• If you enable use of the NAS IP, the appliance sends its configured IP address to the
ri
RADIUS server, rather than the source IP address used in establishing the RADIUS
bu
connection.
tio
• If you configure the NAS ID, the appliance sends the identifier to the RADIUS server. If you
do not configure the NAS ID, the appliance sends its host name to the RADIUS server.
n
• When the NAS IP is enabled, the appliance ignores any NAS ID that was configured by
using the NAS IP to communicate with the RADIUS server.
Radius message type:
• Access-Request. Sent by a RADIUS client to request authentication and authorization for a
network access connection attempt.
• Access-Accept. Sent by a RADIUS server in response to an Access-Request message. This
message informs the RADIUS client that the connection attempt is authenticated and
authorized.
• Access-Reject. Sent by a RADIUS server in response to an Access-Request message. This
message informs the RADIUS client that the connection attempt is rejected. A RADIUS
server sends this message if either the credentials are not authentic or the connection
Key Notes:
To use the aaad.debug tool, begin at the CLI, access the shell, change to the /tmp directory,
al
and begin the debugging process by typing the following command: cat aaad.debug
e
or
di
st
ri bu
tio
n
Key Notes:
This Feature was released in NetScaler v11.
al
e
By partitioning a NetScaler appliance, you are in-effect creating multiple instances of a single
NetScaler appliance. Each instance has its own configurations and the traffic of each of these
or
partitions is isolated from the other by assigning each partition a dedicated VLAN or a shared
VLAN.
di
st
A partitioned NetScaler has one default partition and the admin partitions that are created. To
set up an admin partition, you must first create a partition with the relevant resources (memory,
ri
maximum bandwidth, and connections). Then, specify the users that can access the partition
bu
and the level of authorization for each of the users on the partition.
tio
VLANs can be bound to a partition as a “Dedicated” VLAN or a “Shared” VLAN. Based on your
deployment, you can bind a VLAN to a partition to isolate its network traffic from other
n
partitions.
Dedicated VLAN – A VLAN bound only to one partition with “Sharing” option disabled and must
be a tagged VLAN. For example, in a client-server deployment, for security reasons a system
administrator creates a dedicated VLAN for each partition on the server side.
Shared VLAN – A VLAN bound (shared across) to multiple partitions with “Sharing” option
enabled. For example, in a client-server deployment, if the system administrator does not have
control over the client side network, a VLAN is created and shared across multiple partitions.
Citrix recommends you to bind a Dedicated or Shared VLAN to multiple partitions. You can bind
only a tagged VLAN to a partition. If there are untagged VLANs, you must enable them as
“Shared” VLANs and then bind them to other partitions. This ensures that you control traffic
packets (for example, LACP, LLDP, and xSTP packets) handled in the default partition. If you
Additional Resources:
Benefits and Uses of Admin Partitions: http://docs.citrix.com/en-us/netscaler/11-
1/admin-partition/admin-partition-benefits-and-uses.html
N
ot
fo
rr
es
al
e
or
di
st
ri bu
tio
n
Key Notes:
You can avail yourself of the following benefits by using Admin Partitions for your deployment:
al
• Reduces the cost of ADC ownership without compromising on performance and ease-of-
or
use.
di
Isolates traffic between different applications by the use of dedicated VLANs for each partition.
tio
Key Notes:
Consideration of these specific isolation issues will help determine what the environment will
al
look like.
e
or
di
st
ri bu
tio
n
Additional Resources:
NetScaler 11 Admin Partitions Demo Video:
al
https://www.youtube.com/watch?v=zMCKQ3uKQa4
e
us/netscaler/11/system/admin-partition/admin-partition-config-types.html
di
st
ri bu
tio
n
Key Notes:
NetScaler MAS provides a seamless way of managing all partitions owned by an administrator
al
To enable multiple users to manage different admin partitions, you have to create groups and
or
assign users and the respective partitions to those groups. Each user is able to view and
manage only the partitions in the group to which the user belongs. Each admin partition is
di
Additional Resources:
tio
Additional Resources:
NetScaler SDX defines Multi-tenancy across the software and hardware layers of NetScaler
al
ADC: https://www.citrix.com/blogs/2014/11/20/multi-tenancy-redefined-with-admin-partitions/
e
or
di
st
ri bu
tio
n
Key Notes:
Rollover for syslog: 1 hour or 100 KB. Stated rollover is 25 files, though technically this is 26
al
(0-25). The conf file does not indicate time-based rollover, but this is clearly what is observed.
e
Key Notes:
You can view syslog messages through the Configuration Utility.
al
e
From CLI:
or
• shell
• cd /var/log
di
• tail ns.log
st
ri bu
tio
n
Key Notes:
DNS logging support facilitates better diagnosis of issues:
al
NetScaler will support logging for the following entities configured on NetScaler:
ri
Policy-based logging:
• It can log a message when a particular DNS policy is hit.
• A custom message can be defined using policy infrastructure which will be logged on
hitting policy.
Key Notes:
Any policy on the NetScaler consists of an expression or rule and an action. For auditing, the
al
expression is ns_true (which is true 100% of the time) and the action is the target log server.
e
You configure SYSLOG and/or NSLOG policies. Each policy includes a rule, which is an
expression identifying the messages to be logged and a SYSLOG or NSLOG (depending on
di
the type of policy) action. The action specifies the server to which the log message should be
st
sent, the level of the messages to be logged, and the data format of the logged messages. You
ri
You must bind the audit log policies to their respective global entities (SYSTEM, RNAT, VPN) to
tio
enable logging of all NetScaler system events. By defining the priority level, you can set the
evaluation order of the audit server logging. The higher the priority number, the lower is the
n
priority of evaluation.
Key Notes:
ns_true is a NetScaler policy expression that is 100% true, so it will match everything.
al
e
Configuring the NetScaler Appliance for Audit Logging. On the NetScaler appliance, you
configure SYSLOG and/or NSLOG policies. Each policy includes a rule, which is an expression
or
identifying the messages to be logged, and a SYSLOG or NSLOG (depending on the type
of policy) action.
di
st
Source port.
bu
Destination port.
tio
Source IP.
n
Destination IP.
Number of bytes transmitted and received.
Time period for which the connection is open.
You can enable TCP logging on individual load balancing virtual servers. You must bind the
audit log policy to a specific load balancing virtual server that you want to log.
When using the NetScaler as the audit log server, by default, the ns.log file is rotated (new file
is created) when the file size reaches 100K and the last 25 copies of the ns.log are archived
and compressed with gzip. To accommodate more archived files after 25 files, the oldest
archive is deleted. You can modify the 100K limit or the 25 file limit by updating the following
entry in the /etc/newsyslog.conf file:/var/log/ns.log 600 25 100 * Z where, 25 is the number of
archived files to be maintained and 100K is the size of the ns.log file after which the file will be
N
ot
fo
rr
es
al
e
or
di
st
buri
tio
n
Additional Resources:
NS trace product documentation: https://docs.citrix.com/en-
al
us/netscaler/11/reference/netscaler-command-reference/basic/nstrace.html
e
or
di
st
ri bu
tio
n
Key Notes:
Nstrace syntax.
al
• nstrace.sh
e
or
dumps packets in NS format, can be viewed using NETSTAT utility (release specific).
• nstrace.sh -sz 0 -tcpdump 1
di
dumps packet of all length and in tcmpdump format, which can re read using ethereal.
st
m with 1 will dump only transmitted packets, with 2 will dump packets buffered for transmission,
n
Key Notes:
Time per file (sec).
al
e
Minimum value: 1.
Size.
di
Key Notes:
Example CLI; start nstrace -size 0 -traceformat PCAP -filter
al
This command captures the trace with the IP address (in this example, the IP address of the
or
VIP) and the back-end connection, because the link option is enabled. The size is 0, which
captures the entire packet, and the trace is saved in PCAP format.
di
st
ri
Additional Resources:
bu
http://support.citrix.com/article/CTX120941
n
Key Notes:
Make sure you use the Developers’ Edition of Wireshark, which has NetScaler-specific
al
information.
e
• It is not the default download, so students should make sure they get the correct version.
or
di
st
ri bu
tio
n
Key Notes:
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for collecting
al
and organizing information about managed devices on IP networks and for modifying that
e
The NetScaler acts as an SNMP agent, responding to queries from an SNMP management
system.
di
st
The SNMP agent receives requests on UDP port 161. The manager may send requests from
any available source port to port 161 in the agent. The agent response will be sent back to the
ri
source port on the manager. The manager receives notifications on port 162. The agent may
bu
Key Notes:
Generic Traps and Specific Traps
al
• All SNMP alerts can be sent or only those exceeding a minimum security level can be sent.
st
ri bu
tio
n
Key Notes:
UDP 161, 162.
al
e
Setup triggers. NetScaler SNMP Agent generates Traps sends info to SNMP Manager.
Importable Management Information Base (MIB) file. MIB is collection of definitions. Like a
di
template of objects.
st
Key Notes:
Threshold-based traps, or alarms, depend on a trigger from an administrator-defined threshold.
al
e
Key Notes:
SNMPv3 primarily added security and remote configuration enhancements to SNMP. Due to
al
lack of security with the use of SNMP, network administrators were using other means, such as
e
SNMPv3 address issues related to the large-scale deployment of SNMP, accounting, and fault
management. Currently, SNMP is predominantly used for monitoring and performance
di
management.
st
SNMPv3 defines a secure version of SNMP and also facilitates remote configuration of the
ri
SNMP entities.
bu
SNMPv3 provides a secure environment for the management of systems covering the
tio
following:
n
Key Notes:
SNMP Set
al
• Accept SNMP SET requests sent to the NetScaler appliance and allow SNMP managers to
e
write values to MIB objects that are configured for write access.
or
• Log any SNMP trap events (for SNMP alarms in which logging is enabled) even if no trap
st
listeners are configured. With the default setting, SNMP trap events are logged if at least one
trap listener is configured on the appliance.
ri bu
Send partition name as a varbind in traps. By default, the partition names are not sent as a
varbind.
n
Key Notes:
If each pull-down menu has 100 entries, that would be 1,000,000 possible permutations of
al
things to view.
e
or
di
st
ri bu
tio
n
Key Notes:
Historical Performance Data.
al
• This should not be viewed as a replacement for external performance monitoring solution
e
pair.
di
Key Notes:
The Network Visualizer is a tool that you can use to view the network configuration of
al
a NetScaler node, including the network configuration of the nodes in a high availability (HA)
e
deployment.
or
You can also modify the configuration of VLANs, interfaces, channels, and bridge groups, and
perform HA configuration tasks.
di
st
ri
Additional Resources:
bu
10-con/ns-nw-interfaces-intro-wrapper-con/ns-nw-interfaces-using-the-nw-vsualzer-tsk.html
n
Key Notes:
CLI Show Commands (common examples):
al
• show ha node
e
• show license
or
• show ns feature
di
• show ns mode
st
• show running
ri
• show license
bu
• show ns.conf
tio
• show version
n
• show hardware
• show server
• show service
• show lb vserver
• show vlan
• show interface
• show arp
• show route
Additional Resources:
N
ot
fo
rr
es
al
e
or
di
st
ri bu
tio
n
Key Notes:
Additional Information that the show techsupport command generates:
al
• Syslogs.
e
• Web logs.
or
• SNMP alarms.
di
Key Notes:
Upload the file created with the show techsupport command.
al
e
or
di
st
ri bu
tio
n
Key Notes:
AppFlow use actions and policies to send records for a selected flow to specific set of
al
collectors. An AppFlow action specifies which set of collectors will receive the AppFlow records.
e
Policies, which are based on Advanced expressions can be configured to select flows for which
or
flow records will be sent to the collectors specified by the associated AppFlow action.
UDP 4739.
di
st
CPU-intensive.
tio
Additional Resources:
Product Documentation on what is Appflow: http://docs.citrix.com/en-
us/netscaler/11/system/ns-ag-appflow-intro-wrapper-con.html
Key Notes:
Four basic streams of communication that can be reported on using AppFlow when processing
al
Responder traffic or traffic generated purely from the NetScaler will only be Client-to-VIP or
bu
VIP-to-client.
tio
n
Key Notes:
It follows the basic principle of having an “Action.” In this case, a Collector is bound to a policy
al
with an expression that causes the action to trigger. This policy is then bound globally or to the
e
vServer in question.
or
di
st
ri bu
tio
n
Key Notes:
Virtual Appliance installs on all major hypervisors.
al
e
Additional Resources:
st
ri
0/understanding-insight-center.html
tio
n
Additional Resources:
How to Enable Web Insight Data Collection: https://docs.citrix.com/en-us/netscaler-insight/11-
al
0/enable-data-collection/ni-enable-web-insight-tsk.html
e
cases.html
di
st
ri bu
tio
n
Key Notes:
DNS Client – Insight resolves host names instead of only IP address.
al
e
or
di
st
ri bu
tio
n
Key Notes:
POC version has internal database, but Citrix recommends using an external database.
al
e