
616: Accelerate Your NetScaler Skills

Hands-on Lab Exercise Guide

Joshua Travers & Steven Barnes


Americas Technical Readiness Cloud Networking

May 2015
Table of Contents
Table of Contents (page 1)
Overview (page 5)
Introduction (page 8)
Lab Preparation (page 10)
  Attach XenCenter to Your XenServer (ZFS) (page 10)
Module 1 (page 12)
  Exercise 1 (Configuration Utility): Initial NetScaler Setup and Basic Load Balancing (page 13)
Module 2 (page 18)
  Exercise 2 (Configuration Utility): NetScaler Configuration SNIP, VIP (page 20)
  Exercise 2 (CLI Command): NetScaler Configuration SNIP, VIP (page 25)
Module 3: Define Server Load-Balancing Properties, Virtual Server, and Services (page 26)
  Exercise 3 (Configuration Utility): Creating Servers, Services and Load-Balancing Virtual Servers (page 28)
  Exercise 3 (CLI Command): Creating Servers, Services and Load-Balancing Virtual Servers (page 35)
  Exercise 4 (Configuration Utility): Verify Load-Balancing Service is Active on Web Servers (page 36)
Module 5: Content Switching (page 38)
  Exercise 5 (Configuration Utility): Content Switching (page 39)
  Exercise 5 (CLI Command): Content Switching (page 45)
  Exercise 6: Bonus Content Switching Policy (page 46)
Module 7: URL Transformation using the Rewrite Feature (page 51)
  Exercise 7 (Configuration Utility): URL Transformation using the Rewrite Feature (page 52)
  Exercise 7 (CLI Command): URL Transformation using the Rewrite Feature (page 59)
  Exercise 8 (Configuration Utility): Bonus URL Transformation Policy (page 61)
Module 9: Web Application Firewall (page 65)
  Exercise 9 (Configuration Utility): Web Application Firewall (page 66)
  Exercise 9 (CLI Command): Web Application Firewall (page 88)
Module 10: High Availability (page 89)
  Exercise 10 (Configuration Utility): High Availability (page 90)
  Exercise 10 (CLI Command): High Availability (page 95)
Module 11: Clustering (page 96)
  Exercise 11 (Configuration Utility): Clustering (page 97)
  Exercise 11 (CLI Command): Clustering (page 107)
Module 12: Global Server Load Balancing (page 108)
  Exercise 12 (Configuration Utility): Global Server Load Balancing (page 110)
  Exercise 12 (CLI Command): Global Server Load Balancing (page 133)
  Exercise 13 (Bonus): Bonus Configure GSLB for WebGoat (page 136)
Module 14: Admin Partitions (page 137)
  Exercise 14 (Configuration Utility): Admin Partitions (page 138)
  Exercise 14 (CLI Command): Admin Partitions (page 147)
  Exercise 15: Bonus Admin Partitions (page 149)
Module 16: Data Stream (page 150)
  Exercise 16 (Configuration Utility): Data Stream (page 151)
  Exercise 16 (CLI Command): Data Stream (page 162)
Module 17: AAA for Traffic Management (page 164)
  Exercise 17 (Configuration Utility): AAA for Traffic Management (page 165)
  Exercise 17 (CLI Command): AAA for Traffic Management (page 179)
Module 18: AAA SAML Assertion (page 180)
  Exercise 18 (Configuration Utility): AAA SAML Assertion (page 181)
  Exercise 18 (CLI Command): AAA SAML Assertion (page 195)

Overview
Hands-on Training Module
Objective
This lab training will provide hands-on experience on a wide range of core features that Citrix
NetScaler has to offer. This lab is designed to allow the student to pick and choose the exercises of
choice.

Prerequisites
Basic NetScaler or ADC familiarity is desired.

Audience
Citrix Partners, Customers, Sales Engineers, Consultants, Technical Support.

Lab Environment Details


The system diagram of the lab is shown below:

The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All
Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed
from the Student Desktop.

Lab Guide Conventions

[attention icon] This symbol indicates particular attention must be paid to this step.
[note icon] Special note to offer advice or background information.
reboot: Text the student enters or an item they select is printed like this.
VMDemo: Filename mentioned in text or lines added to files during editing.
Start: Bold text indicates a reference to a button or object.
[highlight box, R:255 G:20 B:147] Focuses attention on a particular part of the screen.
[pointer, R:255 G:102 B:0] Shows where to click or select an item on a screen shot.

List of Virtual Machines Used

VM Name                 IP Address       Description / OS
NetScaler-A             192.168.10.15    Citrix NetScaler VPX
NetScaler-B             192.168.10.17    Citrix NetScaler VPX
Site1-WebServerA        192.168.10.115   Linux WebServer
Site1-WebServerB        192.168.10.116   Linux WebServer
Site1-AD.Training.lab   192.168.10.11    Windows 2012 Server
Site1-SQLServer-OLTP    192.168.10.12    Windows 2012 Server with SQL Server 2012
Site1-SQLServer-DW      192.168.10.13    Windows 2012 Server with SQL Server 2012

Required Lab Credentials
The credentials required to connect to the environment and complete the lab exercises are shown
within the step-by-step instructions.

VM Name                 Username                  Password
NetScaler-A             nsroot                    nsroot
NetScaler-B             nsroot                    nsroot
Site1-AD.Training.lab   Training/Administrator    Citrix123

Introduction
The Citrix NetScaler product line optimizes delivery of applications over the Internet and private
networks, combining app security, optimization, and traffic management into a single, integrated
appliance. You install a NetScaler appliance in your server room and route all connections to your
managed servers through it. The NetScaler features that you enable and the policies you set are
then applied to control and manage incoming and outgoing traffic.

NetScaler Functionality
NetScaler content switching and load balancing dramatically improve the throughput and scalability
of an internet application by decoupling each application request/response flow from the underlying
transport.
Content switching and load balancing ensure the most efficient use of transport protocols and
resources, even in a scenario where the content is encrypted or compressed.
The NetScaler system manages the complete life cycle of the request/response transaction. With
this management, the NetScaler system is uniquely equipped to direct and control application
requests most efficiently, from the client to the server and back again.
Connection multiplexing (also known as connection reuse) allows the servers to handle far fewer
connections than the NetScaler system receives from clients.
Note: Connection multiplexing reduces the load on your back-end servers. This functionality is
enabled by default on NetScaler.
The efficient use of the HTTP specification provides a significant boost to the effective capacity of
the server by reducing server CPU load. With this separation, the NetScaler system can use the
TCP proxy architecture to multiplex and reuse the server-side TCP connection independently from
a client-side connection. This reuse of established and idle server-side TCP connections reduces
the TCP overhead on web servers.

NetScaler Overview
Citrix NetScaler is an application switch that performs application-specific traffic analysis to
intelligently distribute, optimize, and secure layer-4 through layer-7 (L4-L7) network traffic for web
applications. For example, a NetScaler system makes load-balancing decisions on individual HTTP
requests rather than on the basis of long-lived TCP connections, so that the failure or slowdown of
a server is managed much more quickly and with fewer disruptions to clients. NetScaler
functionalities are broadly categorized into features, such as switching, security, protection and farm
optimization.
Switching
When deployed in front of application servers, a NetScaler system ensures ideal distribution of
traffic. You can segment application traffic according to information in the body of an HTTP or TCP
request, and on the basis of L4-L7 header information such as URL, application data type, or
cookie. Numerous load-balancing algorithms and extensive server health checks improve
application availability by ensuring that client requests are directed to the correct servers.

Security and Protection
NetScaler security and protection features protect web applications from application-layer attacks. A
NetScaler system provides built-in defenses against denial-of-service (DoS) and distributed denial-
of-service (DDoS) attacks and supports features that protect applications against legitimate surges
in application traffic that would otherwise overwhelm the servers. An available, built-in firewall can
protect web applications from application-layer attacks, including buffer overflow exploits, SQL
injection attempts, and cross-site scripting attacks. In addition, the firewall provides identity theft
protection by securing confidential corporate information and sensitive customer data.

Optimization
Optimization features offload resource-intensive operations such as Secure Sockets Layer (SSL)
processing, data compression, client keep-alive, TCP buffering, and the caching of static and
dynamic content from servers. Optimization improves server performance in the farm and therefore
speeds up applications. A NetScaler system supports several transparent TCP optimizations, which
mitigate problems caused by high latency and congested network links, accelerating the delivery of
applications while requiring no configuration changes to clients or servers.

Lab Preparation
Attach XenCenter to Your XenServer (ZFS)
Overview
This lab is designed to cover a wide spectrum of the vast NetScaler feature set. We will touch on
several core features and common use cases found in NetScaler deployments. You will see how
NetScaler is managed and optimized, and cover topics including initial tune-up, networking and
licensing. In addition, you'll get hands-on with load balancing, content switching, URL transform with
Rewrite, SSL offload and more.

XenCenter is a graphical user interface application used for managing one or more XenServers.
You will be using XenCenter to manage the XenServer needed for the lab.

Step by step guidance

1. Citrix XenCenter should launch automatically on the Student Desktop. If not, launch it
using the shortcut.

2. Click Add Server to add your XenServer to XenCenter.

3. Enter the parameters shown below:

   IP Address: 192.168.10.5
   Username: hypervisoradmin
   Password: Password1!

   You can ignore the user credentials shown in the lab guide. New credentials will be
   provided when you launch the lab.

   Click Add.

4. XenCenter will attach to your physical XenServer. You will see your VMs running. (Your
physical XenServer name will be different.)

Summary
You have attached XenCenter to your XenServer.

Module 1
NetScaler Licensing
You must properly license a NetScaler system before you can deploy it to distribute, optimize, or secure
networking traffic for web applications. After you have obtained the licenses, you must install them on
your appliance and then verify that you have enabled the features corresponding to the licenses. If you do not
install a license on the appliance, the First-time Setup Wizard appears, which provides options for licensing,
including installation.

Possible licenses include:

• NetScaler upgrade license
• NetScaler option license
• NetScaler Gateway Universal license
• NetScaler Gateway Platform license

The NetScaler platform license is responsible for enabling all necessary features and includes five SSL VPN
connections. This license is allocated by default to the host name “ANY”. The rest of the NetScaler licenses need
to be allocated to the host ID (the MAC address) of the appliance in order to enable the corresponding features. In the
case of high availability, two licenses will be required. For more information about licensing your NetScaler,
see Citrix article CTX121062 at http://support.citrix.com.

By purchasing an upgrade license, customers are able to upgrade their NetScaler from one edition to another.
For example, customers with Standard Edition may purchase the Standard Edition upgrade to Enterprise or
Platinum Edition.

A NetScaler option license provides enablement of additional features to augment the features already
supported by the platform license. These option features include AppCompress, AppCache, Application
Firewall, Global Server Load Balancing (GSLB), and NetScaler Insight Center for NetScaler. NetScaler
options licenses are not mandatory.

The NetScaler Gateway Universal license will allow you to increase SSL VPN concurrent usage so that you
are not restricted to five SSL VPN connections. This license floats across high availability pairs. You need to
allocate the universal license to the NetScaler Licensing Hostname, which you can configure in
/nsconfig/rc.conf.

Exercise 1 (Configuration Utility)
Initial NetScaler Setup and Basic Load Balancing
Overview
As mentioned earlier, before starting the configuration process the NetScaler needs to be properly licensed.
Licenses are allocated based on the MAC address of the appliance (known as the host ID), and can be
downloaded here. For this lab, we have already downloaded the proper licenses and placed them in
C:\Licenses on the Student Desktop.

Throughout this lab we will be using the following NetScalers:

VM Name        IP Address       Description / OS
NetScaler-A    192.168.10.15    Citrix NetScaler VPX
NetScaler-B    192.168.10.17    Citrix NetScaler VPX

Step by step guidance

1. Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface, logged on as
the nsroot user, for this task.

Begin the licensing lab by verifying the host ID of NetScaler-A (192.168.10.15). You will use this
information to allocate the license file. Connect to the NetScaler system from the command-line
interface using PuTTY and open NetScaler-A. Log on using the nsroot credentials.

• Launch the PuTTY command-line interface application from the virtual machine.
• Type in the IP address of NetScaler-A and click Open.
• Type nsroot/nsroot at the logon prompt.
• Enter the CLI command ‘shell’, then the command ‘lmutil lmhostid -ether’.
• Take note of the FLEXnet host ID of this NetScaler; you will need to match this ID to the
license file in the steps below.

2. Log in to NetScaler-A (192.168.10.15) by navigating to http://192.168.10.15 in your web browser.

• Username: nsroot
• Password: nsroot

3. Verify that the network configuration matches the screenshot below and continue.

4. Upload the license file “06e089e0b0f1.lic”. If you are not going through the wizard, license configuration can
be found at System > Licenses > Update in the GUI.

Select the 4th item, labeled Licensing. Select “Upload files from a local computer”. You will
find the licenses in the folder C:\Licenses.

• This license folder is found in C:\Licenses. There are 4 licenses in total; you will select the one
that matches the host ID of this NetScaler. When troubleshooting a license, the host ID and the
date usually need to be verified: a wrong host ID or an inconsistent appliance time is the usual cause.
• Open the license file with Notepad, check the date and host ID, and note which file goes with
which host.
• Go to Start Menu > Computer > Local Disk (C:), and then click Licenses.
• In the Licenses folder you will find 4 licenses.
• Select the first license, right-click and select Open with Notepad.
• Find the license file that goes with the host ID identified earlier, then upload
that license to the NetScaler.

5. Once the license has been uploaded to the NetScaler, click Reboot. (Due to the licensing
change, the NetScaler requires a reboot in order for the license to take effect.)

6. After the NetScaler has rebooted, you can verify the licenses by logging in and going to
System > Licenses. Since you have uploaded a Platinum license, all features should show a
green check.
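As an added example (not part of the lab guide and not a Citrix tool), the manual checks in step 4 scripted in Python: match the FLEXnet host ID reported by `lmutil lmhostid -ether` against the HOSTID in each license file, and flag files that are expired or issued after the appliance clock. The lmhostid output line, the license file contents, the feature name and the dates are all constructed in FLEXnet style and are assumptions, as is the lab date.

```python
import re
from datetime import date, datetime

LAB_DATE = date(2015, 5, 20)  # constructed: the appliance clock on the day the lab is run

# Constructed sample of `lmutil lmhostid -ether` output; the line format is an assumption.
LMHOSTID_OUTPUT = (
    "lmutil - Copyright (c) Flexera Software LLC. All Rights Reserved.\n"
    'The FlexNet host ID of this machine is "06e089e0b0f1"\n'
)

# Two constructed license files in FLEXnet style (feature name, dates and SIGN are made up).
# 06e089e0b0f1 is the host ID the guide names; 001122334455 is a constructed second appliance.
LICENSES = {
    "06e089e0b0f1.lic": (
        "SERVER this_host 06e089e0b0f1\n"
        "VENDOR CITRIX\n"
        "INCREMENT CNS_EXAMPLE_PLT CITRIX 2015.0506 permanent 1 \\\n"
        '\tHOSTID=06e089e0b0f1 ISSUED=06-may-2015 SIGN="CONSTRUCTED"\n'
    ),
    "001122334455.lic": (
        "SERVER this_host 001122334455\n"
        "VENDOR CITRIX\n"
        "INCREMENT CNS_EXAMPLE_PLT CITRIX 2015.0506 30-apr-2015 1 \\\n"
        '\tHOSTID=001122334455 ISSUED=01-jan-2015 SIGN="CONSTRUCTED"\n'
    ),
}


def parse_hostid(lmhostid_output: str) -> str:
    """Pull the 12-hex-digit Ethernet host ID out of the lmhostid output."""
    m = re.search(r'"([0-9A-Fa-f]{12})"', lmhostid_output)
    if not m:
        raise ValueError("no FLEXnet host ID found in lmhostid output")
    return m.group(1).lower()


def _join_continuations(text: str) -> list:
    """FLEXnet files wrap long lines with a trailing backslash; merge them back."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    return lines + ([buf] if buf else [])


def _parse_date(token: str):
    """FLEXnet dates look like 30-apr-2015; 'permanent' and '0' mean no expiry."""
    if token.lower() in ("permanent", "0"):
        return None
    return datetime.strptime(token, "%d-%b-%Y").date()


def parse_increments(license_text: str) -> list:
    """One dict per INCREMENT line: feature, HOSTID, expiry date and issue date."""
    features = []
    for line in _join_continuations(license_text):
        parts = line.split()
        if len(parts) < 6 or parts[0] != "INCREMENT":
            continue
        attrs = dict(p.split("=", 1) for p in parts[6:] if "=" in p)
        features.append({
            "feature": parts[1],
            "hostid": attrs.get("HOSTID", "").lower() or None,
            "expires": _parse_date(parts[4]),
            "issued": _parse_date(attrs["ISSUED"]) if "ISSUED" in attrs else None,
        })
    return features


def check_license(license_text: str, appliance_hostid: str, today: date = LAB_DATE) -> dict:
    """The two things the guide says to verify by hand: host ID and dates."""
    feats = parse_increments(license_text)
    host_match = bool(feats) and all(f["hostid"] == appliance_hostid for f in feats)
    expired = [f["feature"] for f in feats if f["expires"] and f["expires"] < today]
    # Appliance clock earlier than the issue date: the "incongruent time" case.
    clock_behind = [f["feature"] for f in feats if f["issued"] and today < f["issued"]]
    return {"host_match": host_match, "expired": expired, "clock_behind": clock_behind,
            "ok": host_match and not expired and not clock_behind}


def select_license(licenses: dict, appliance_hostid: str, today: date = LAB_DATE):
    """Pick the one file in the folder that is valid for this appliance, or None."""
    for name in sorted(licenses):
        if check_license(licenses[name], appliance_hostid, today)["ok"]:
            return name
    return None


if __name__ == "__main__":
    hostid = parse_hostid(LMHOSTID_OUTPUT)
    for name, text in LICENSES.items():
        print(name, check_license(text, hostid))
    print("upload:", select_license(LICENSES, hostid))
```

On a real appliance, replace the constructed lmhostid output with the text you copied from the shell and point the script at the files in C:\Licenses; a file that reports host_match False or a non-empty expired list is the one the guide tells you not to upload.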

Exercise Summary
In this exercise you successfully licensed a NetScaler with a Platinum license.

Module 2
NetScaler-owned IP Addresses
The NetScaler system uses different types of IP addresses for management and proxying
connections to the server. These IP addresses are:

• NetScaler IP (NSIP) addresses
• Mapped IP (MIP) addresses
• Subnet IP (SNIP) addresses
• Virtual IP (VIP) addresses


NetScaler IP Address
The NetScaler IP address (NSIP) is a unique IP address and the primary address for management
and general system access. When NetScaler systems participate in high-availability configuration,
the NSIP address is used for primary communication between members of the high-availability
configuration, and the NSIP is the only active IP address on the secondary member in a high-
availability pair. The NSIP can be accessed from any enabled interface on the NetScaler system.
An NSIP address must be configured on a new NetScaler system.
Configuring an initial NSIP address or changing the NSIP address or subnet mask requires a restart
of the NetScaler system. When making this change from the command-line interface, save the
configuration first, change the NSIP address, and then restart the NetScaler system.
Mapped IP Address
A mapped IP (MIP) address is used for external connections from the NetScaler system. MIP
addresses are used for connectivity in the absence of an SNIP address; in other words, the MIP
address is the proxy IP address of last resort. MIP addresses, like SNIP addresses, are used as the
proxy address for NetScaler system-to-server communication. MIP addresses are still used even
when the USNIP mode is globally disabled.
The MIP address should be available across all subnets and should never be bound to a VLAN. It is
only active on the primary unit of a high-availability pair, like every other IP address on the system
other than the NSIP address, and shows as passive on the secondary unit.
When both a MIP address and a SNIP address are configured on the same subnet, the NetScaler
system will use the SNIP address to communicate with servers by default (since USNIP mode is
enabled). If USNIP mode is disabled, the MIP address will be used.
If multiple MIP addresses are present on a subnet, the NetScaler will use them in a
round-robin fashion.

Subnet IP Address
The subnet IP (SNIP) address is used in connection management and server monitoring. An SNIP
address provides the NetScaler system with an Address Resolution Protocol (ARP) presence in
subnets to which the system might not be directly connected.
A NetScaler system should have a SNIP address configured for each directly connected subnet.
When a SNIP is added to a NetScaler system, a static route entry is automatically added to the
NetScaler system routing table; this route identifies the SNIP address as the default gateway on the
NetScaler system for the corresponding subnet.
The Use Subnet IP (USNIP) mode can affect how the SNIP address is used by the NetScaler
system to communicate with servers. USNIP mode is enabled by default. When USNIP mode is
enabled, the SNIP address functions as a proxy IP and is used by the NetScaler system for
NetScaler-system-to-server communication. In this mode, the server will see the SNIP address as
the source IP address in packets received from the NetScaler system.
If USNIP mode is disabled, the SNIP address is not used to send traffic from the NetScaler system
to the servers. Instead, a mapped IP address must be available. In most environments, USNIP
mode is left enabled.
Individual SNIP addresses can be enabled to allow management access. When management
access is enabled, connections to the NetScaler command-line interface over SSH and connections
to the web-based configuration utility can be made using the SNIP address (as if it were a NSIP).
Using management-enabled SNIP addresses allows you to connect to the NetScaler system from a
subnet other than the one where the NSIP is located. It also simplifies managing NetScaler systems
in a high-availability configuration, since only the primary unit will respond to the SNIP.
Management access is not enabled by default. Unlike the NSIP address, but like every other type of
IP address, SNIP addresses are only active on the primary unit of a high-availability pair and show
as passive on the secondary unit.
If multiple SNIP addresses are present on a subnet, the NetScaler will alternate between the SNIP
addresses in round-robin manner when communicating with servers.
Virtual IP Address
Virtual IP (VIP) addresses are used for client-to-NetScaler-system communication. Virtual IP
addresses are assigned to virtual servers on the NetScaler system. VIP addresses are generally
presented to the clients as a logical abstraction of a physical server behind the NetScaler system.
When the VIP address is a public IP address, it usually corresponds to the DNS entry for a domain.
A VIP address is automatically created when a virtual server is added. A virtual server is identified
as a unique combination of IP address and port number.
Disabling or changing the status of a VIP address will affect all virtual servers using that VIP address.

Exercise 2 (Configuration Utility)
NetScaler Configuration SNIP, VIP
Step by step guidance

1. Use an HTTP connection to the NetScaler-A (192.168.10.15) configuration utility, logged on as the nsroot
user, for this task.

• In the main configuration screen:
  - Navigate to System > Network > IPs

2. Add a SNIP (Subnet IP address) to the NetScaler using 192.168.10.16 as the IP Address and 255.255.255.0 as
the Netmask.

• Navigate to System > Network > IPs and click Add.
• Type 192.168.10.16 in the IP Address field.
• Type 255.255.255.0 in the Netmask field.
• Type: Subnet IP
• Click Create.

3. Verify that the SNIP (Subnet IP address) is enabled and showing green.

4. The next step is to configure the Virtual IP. A VIP is used for load-balancing virtual server IP addresses and
needs to be configured in the Load Balancing section in subsequent steps.

Add a VIP (Virtual IP address) to the NetScaler using 192.168.10.125 as the IP Address and 255.255.255.0 as
the Netmask.

• Navigate to System > Network > IPs and click Add.
• Type 192.168.10.125 in the IP Address field.
• Type 255.255.255.0 in the Netmask field.
• Type: Virtual IP
• Click Create.

Alternatively, VIP addresses can be configured directly as part of the LB vserver configuration. In this lab we
define it by adding it under the IPs option.

5. After this step, we have three IP addresses configured on the NetScaler, as depicted in the figure below.

(Figure callout: a VIP is used for the load-balancing virtual server IP address and needs to be configured in
the Load Balancing section in subsequent steps.)


Exercise Summary
In this exercise you have successfully configured the 3 mandatory IP addresses that Citrix
NetScaler needs.

Exercise 2 (CLI Command)
NetScaler Configuration SNIP, VIP
• Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface, logged on as the
nsroot user, for this task.

  - SNIP:
    add ns ip 192.168.10.16 255.255.255.0 -vServer DISABLED -gui DISABLED -mgmtAccess ENABLED
  - VIP:
    add ns ip 192.168.10.125 255.255.255.0 -type VIP -mgmtAccess ENABLED

Note that -mgmtAccess ENABLED makes the command-line interface and configuration utility reachable on
these addresses (see the Subnet IP Address section in Module 2); on a production appliance, enable it only on
addresses intended for administration.

| 25 |
Module 3
Define Server Load-Balancing Properties, Virtual
Server, and Services
Overview
NetScaler load balancing distributes end-user requests for web pages and other protected
applications across multiple servers that host or mirror the same content. You use load balancing
primarily to manage end-user requests to heavily used applications, preventing poor performance
and outages and ensuring that end users can access your protected applications. Load balancing
also provides fault tolerance; when one server that hosts a protected application becomes
unavailable, the feature distributes end-user requests to the other servers that host the same
application.
In a load-balancing configuration, the load-balancing virtual server is logically located between the
client and the farm and manages traffic flow to the servers in the farm. On the NetScaler, the
application servers are represented by virtual entities called services.
A load-balancing setup includes a load-balancing virtual server and multiple load-balanced
application servers. The virtual server receives incoming client requests, uses the load-balancing
algorithm to select an application server, and forwards the requests to the selected application
server.
The load-balancing virtual server can use any of a number of algorithms, or methods, to determine
how to distribute load among the load-balanced servers that it manages. The default load balancing
method is the least connection method, in which the load-balancing NetScaler forwards each
incoming client connection to whichever load-balanced application server currently has the fewest
active user connections.

Server

A Server entity identifies a physical server and provides the IP address of the server. If you want to
use the IP address of the server as the name of the server object, you can enter the IP address of
the server when you create a service, and the server object is then created automatically.
Alternatively, you can create the server object first and assign it an FQDN or other name, and then
specify that name instead of the IP address when you create the service.

Service

A service entity can be a logical representation of the application server itself or of an application
running on a server that hosts multiple applications. A service is defined by an IP address, port, and
protocol combination used to route requests to a specific load-balanced application server. The
service identifies the type of traffic associated with a given server. You can configure multiple
services for the same server. For example, you can configure a server to run HTTP, FTP, and TCP
services/applications. The NetScaler system directs traffic to the server using the appropriate
service. When you create a service, you associate it with a server. For load balancing, you bind
services to virtual servers. Based on these services, the virtual servers will then load-balance traffic
across the available servers.

Service Group

A service group is a collection of services identified by IP address or server name. In a service
group, any management changes made to the group are propagated to all members of the group.

Load-Balancing Virtual Server

A virtual server is an aggregated system entity that usually comprises multiple servers and services.
Rather than traffic being routed directly to the server, it is sent to a virtual server, which then makes
a decision about which server to forward the traffic to, based on the services bound to the virtual
server. The state of the virtual server determines whether the client requests are accepted. You
need to specify the protocol, VIP, and the port.

Exercise 3 (Configuration Utility)
Creating Servers, Services and Load-Balancing Virtual
Servers
Step by step guidance
Step Action
1. Use an HTTP connection to the NetScaler-A (192.168.10.15) configuration utility logged on as the nsroot
user for this task.

Enable the Load Balancing feature in Configuration > System > Settings. Click on Configure basic
features under “Modes and Features”.

2. Select Load Balancing and then click OK.

3. Browse to the “Configure modes” option and ensure the settings match the screenshot.
4. All the Load Balancing configuration is done from the Configuration > Traffic Management > Load
Balancing screen.

5. Set up two web servers in the Servers tab. Click Add to add a new web server with a user-defined name and
the IP address 192.168.10.115, then click Create. Similarly add the second server using its own IP address,
192.168.10.116.

Use an HTTP connection to the NetScaler-A (192.168.10.15) configuration utility logged on as the nsroot
user for this task.

• Log on to the NetScaler-A (192.168.10.15) configuration utility with the nsroot credentials
• Create the “Web-Server-1” server with 192.168.10.115 for the IP address.
o Navigate to Traffic Management > Load Balancing > Servers
o Click Add in the Servers pane – the Create Server dialog box opens.
o Type Web-Server-1 in the Server Name field and then type 192.168.10.115 in the IP Address field
o Click Create.
• Similarly, create the “Web-Server-2” server with 192.168.10.116 for the IP address.
o Navigate to Traffic Management > Load Balancing > Servers
o Click Add in the Servers pane – the Create Server dialog box opens.
o Type Web-Server-2 in the Server Name field and then type 192.168.10.116 in the IP Address field
o Click Create.

6. After configuring Web-Server-1 you will have to click Create. Repeat the step for the second server, Web-Server-2.
7. Once the servers are set up, add them as back-end Services.

Use an HTTP connection to the NetScaler-A (192.168.10.15) configuration utility logged on as the nsroot
user for this task.

• Log on to the NetScaler-A (192.168.10.15) configuration utility with the nsroot credentials
• Create an HTTP service called “Web-Service1” that will be associated with the Web-Server-1 server.
o Navigate to Traffic Management > Load Balancing > Services
o Click Add in the Services pane – the Load Balancing Service dialog box opens.
o Type Web-Service1 in the Service Name field
o Select the Existing Server radio button
o Select Web-Server-1 from the Server menu
o Verify that HTTP is selected from the Protocol menu and 80 is entered in the Port field.
o Select “1 Service to Load Balancing Monitoring Binding” under Monitors
o Select the Add Binding radio button
o Select Click to select and choose the http-ecv monitor
o Click OK and then click Done
• Now similarly create an HTTP service called “Web-Service2” that will be associated with the Web-Server-2 server.
o Navigate to Traffic Management > Load Balancing > Services

8. Now you will create a Load-Balancing Virtual Server and bind the services created earlier to this Virtual Server
IP.

• Begin the configuration of a “Web-Vip” load-balancing virtual server that will be associated with the
Web-Service1 and Web-Service2 services.
o Navigate to Traffic Management > Load Balancing > Virtual Servers
o Click Add in the Load Balancing Virtual Servers pane
o Type Web-Vip in the Name field
o Verify that HTTP is selected from the Protocol drop-down menu and that 80 is entered in the Port field
o Type 192.168.10.125 in the IP Address field
o Click OK
o Click the “No Load Balancing Virtual Server Service Binding” option below Service to bind the Services.
o Click the Click to select in the Select Service field
o Select the Web-Service1 radio button
o Click OK and then click Bind
o Click the “1 Load Balancing Virtual Server Service Binding” option below Service to bind the Services
o Click Add Binding
o Click the Click to select in the Select Service field
o Select the Web-Service2 radio button
o Click OK and then click Bind
o Click Add Binding
o Click Close and then click OK
o Click Method under Advanced on the right
o Select ROUNDROBIN from the Load Balancing Method drop-down menu
o Click OK and then click Done

Note: You may need to click Refresh on the top-right before the State shows as up.

Make sure you save the running configuration. Click the Floppy Disk icon
and then click Yes to confirm saving the running configuration.
9. Now the Web-Vip virtual server is up. Set the persistence to COOKIEINSERT and the Time-out (mins)* field to 1.

o Navigate to Traffic Management > Load Balancing > Virtual Servers
o Click on the Web-Vip load balancing virtual server
o Select Edit
o Click Persistence under Advanced on the right
o Select COOKIEINSERT from the Persistence drop-down menu
o Type the number 1 in the Time-out (mins)* field
o Click OK and then click Done

10. Check that the “Web-Vip” load balancing virtual server is up.

11. After all setup is complete, save the running configuration by clicking the Save icon in the upper
right-hand corner of your NetScaler GUI: click the Floppy Disk icon and then click Yes to confirm saving the
running configuration.

Exercise Summary
In this exercise you have successfully configured the Servers, Services, and Virtual Server needed for
Server Load Balancing in Citrix NetScaler.
Exercise 3 (CLI Command)
Creating Servers, Services and Load-Balancing Virtual
Servers
Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface logged on as the nsroot user
for this task.
• enable ns feature LB
• add ns ip 192.168.10.125 255.255.255.0 -type VIP
  (if the VIP was already added in Exercise 2, this command reports that the IP already exists and can be skipped)
• add server web-server1 192.168.10.115
• add server web-server2 192.168.10.116
• add service web-service web-server1 HTTP 80
• add service web-service1 web-server2 HTTP 80
• add lb vserver Web-VIP HTTP 192.168.10.125 80 -persistenceType COOKIEINSERT -timeout 1 -lbMethod ROUNDROBIN -cltTimeout 180
• bind lb vserver Web-VIP web-service
• bind lb vserver Web-VIP web-service1
Exercise 4 (Configuration Utility)
Verify Load-Balancing Service is Active on Web
Servers
Overview
In this exercise you will verify that the configuration on the NetScaler is successful and that the
load balancing method performs as configured.

Step by step guidance

Step Action
1. Navigate to http://192.168.10.125 in your web browser

2. The client request is handled by the NetScaler and load balanced to one of the 2 web servers.

To test the load balancing configuration with COOKIEINSERT persistence enabled:

• Refresh the browser. With COOKIEINSERT persistence you are directed to the same server until the
cookie expires (in this case, after 1 minute).
• After 1 minute, refresh again. This time Web Server B is accessed because of the round robin
mechanism selected as the load balancing method. Requests are alternately forwarded to each web server.

Note: Make sure to wait 1 minute before accessing the web server again to allow the COOKIEINSERT
persistence to time out.

3. Log in to NetScaler-A (192.168.10.15) by navigating to http://192.168.10.15 in your web browser.

From the NetScaler GUI navigate to Dashboard to monitor live sessions and NetScaler application state.

• Return to the http://192.168.10.125 URL (Load Balanced Virtual Server URL) in your web browser
• Refresh the web browser a few times
• Return to your NetScaler GUI page and you will see the number of HTTP Requests increasing and
matching the number of times you refreshed your Load Balanced URL.

Exercise Summary
In this exercise you have become familiar with the Citrix NetScaler, configured basic load balancing services, and configured
monitoring services in NetScaler.
Module 5
Content Switching
Content switching allows HTTP and HTTPS traffic requests to be intercepted and switched in a
manner that is transparent to the client. A NetScaler system can switch static and dynamic content.

Content switching provides the ability to direct traffic and client requests to back-end services based
on an aspect of the request beyond the IP/port pair. Content switching allows the design of a
complex internal system to appear to the public behind a single IP address. As clients connect to
and request data from a single address, the NetScaler system examines the type of connection and
sends it to the appropriate back-end service.

The NetScaler system diverts the application requests transparently to the client and the
application, allowing the application to be managed separately from the hosting site.

Note: When switching both static and dynamic requests, you must configure one load-
balancing virtual server for static requests and a separate load-balancing virtual server
for dynamic requests.

A typical content-switching configuration consists of a content-switching virtual server, content-
switching policies and load-balancing virtual servers.

When requests reach the content-switching virtual server, the NetScaler system applies the
content-switching policies to them. The requests are then routed to the appropriate load-balancing
virtual servers bound to the policies. The load-balancing virtual servers then send them to the
services.

The content-switching feature allows the NetScaler system to replace application logic for
redirecting traffic to servers. Content-switching virtual servers can send client requests only to other
virtual servers.
Exercise 5 (Configuration Utility)
Content Switching
Overview
In this section, we will create a Content Switching Virtual Server that takes requests and directs
them to the appropriate web server. The policy that will be created looks for ‘/urlX’ within the URL
and directs the request to Web server A. Requests without ‘/urlX’ are directed to Web server
B.

Step by step guidance

Step Action
1. Use an HTTP connection to the NetScaler-A (192.168.10.15) configuration utility logged on as the nsroot
user for this task.

• Log on to the NetScaler-A (192.168.10.15) configuration utility with the nsroot credentials
• Verify the content-switching feature is enabled.
o Navigate to Traffic Management > Content Switching
o Right Click Content Switching and select Enable Feature

2. Create a content-switching virtual server called WebSwitch with an IP address of 192.168.10.125 (port 81 is
used because the Web-Vip load-balancing virtual server from Exercise 3 already listens on 192.168.10.125 port 80).

• Navigate to Traffic Management > Content Switching > Virtual Servers
• Click Add in the Content Switching Virtual Servers pane – The Content Switching Virtual Server
dialog box opens.
• Type WebSwitch in the Name field
• Verify that the Protocol is set to HTTP
• Type 192.168.10.125 in the IP Address field
• Verify that the port is set to 81
• Click OK
• Click Done
3. Create two non-addressable Load Balancing Virtual Servers. Configure WebVip1 and WebVip2 as
HTTP with Web-service1 and Web-service2 assigned respectively. Be sure to select ‘Non
Addressable’ in the IP Address Type. These virtual servers will be used in the content switching
virtual server as a method to direct traffic to each individual server. We select Non Addressable so
that we are able to assign a server to the content switch without consuming an IP address on the
network behind the NetScaler.

• Create a non-addressable “webvip1” load-balancing virtual server for the Web-Server-1 web server.
o Navigate to Traffic Management > Load Balancing > Virtual Servers
o Click Add to display the load balancing virtual servers pane
o Type webvip1 in the Name field
o Verify that HTTP is selected in the Protocol field
o Select Non Addressable from the IP Address Type drop-down menu
o Click OK – This action disables the IP Address and Port fields. No VIP address is assigned
to this load-balancing virtual server
o Click No Load Balancing Virtual Servers Service Binding in the Service section
o Click Click to select in the Select Service field
o Select the Web-service1 radio button and click OK
o Click Bind
o Click OK
o Click Done
• Similarly, create a non-addressable “webvip2” load-balancing virtual server for the Web-Server-2
web server.
o Navigate to Traffic Management > Load Balancing > Virtual Servers
o Click Add to display the load balancing virtual servers pane
o Type webvip2 in the Name field
o Verify that HTTP is selected in the Protocol field
o Select Non Addressable from the IP Address Type drop-down menu
o Click OK – This action disables the IP Address and Port fields. No VIP address is assigned
to this load-balancing virtual server
o Click No Load Balancing Virtual Servers Service Binding in the Service section
o Click Click to select in the Select Service field
o Select the Web-service2 radio button and click OK
o Click Bind
o Click OK
o Click Done
4. Here is a summary of your Load Balancing Virtual Servers thus far.

Note: You may need to click Refresh on the top-right before the State shows as up.

5. Create a Content Switching Policy. Configure the name and URL as urlswitch and /url*, and create the
policy by clicking Create and then Close.

• Navigate to Traffic Management > Content Switching > Policies
• Click Add in the Content Switching Policies pane – The Create Content Switching Policy dialog box
opens.
• Type urlswitch in the Name field
• Select Url
• Type /url* in the URL field
• Save the NetScaler configuration

Make sure you save the running configuration. Click the Floppy Disk icon and then click Yes to
confirm saving the running configuration.
6. Insert the new content switching policy into the WebSwitch Content Switching Virtual Server that you created
earlier in this exercise.

• Navigate to Traffic Management > Content Switching > Virtual Servers
• Click on the WebSwitch Content Switching Virtual Server
• Click Edit
• Select No Content Switching Policy
• Click Click to select and select urlswitch
• Click OK
• Under Target Load Balancing Virtual Server, click Click to select and select webvip1

7. Expand Default Load Balancing Virtual Server and select the webvip2 virtual server. You now have 1 CS
policy bound to webvip1, and webvip2 is set as the default load balancing virtual server.

• Click No Default Load Balancing Virtual Server Bound
• Select webvip2 from the drop-down menu
• Click Create

8. Test the configuration to observe the content-switching behavior.

• Open a browser and browse to http://192.168.10.125/url1, http://192.168.10.125/url2, and
http://192.168.10.125:81/

You can verify that the content switching policy urlswitch directs requests containing /urlX to WebVip1.
Not specifying /urlX directs you to WebVip2, which is the default load balancing virtual server.

Exercise Summary
In this exercise you have configured Content Switching based on URL and tested that it works.
Exercise 5 (CLI Command)
Content Switching
Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface logged on as the nsroot user
for this task.
• enable ns feature cs
• add cs vserver WebSwitch HTTP 192.168.10.125 81
• add lb vserver WebVip1 HTTP 0.0.0.0 0
• bind lb vserver WebVip1 web-service
• add lb vserver WebVip2 HTTP 0.0.0.0 0
• bind lb vserver WebVip2 web-service1
• add cs policy urlswitch -url "/url*"
• bind cs vserver WebSwitch -policyName urlswitch -targetLBVserver WebVip1
• bind cs vserver WebSwitch -lbvserver WebVip2
Exercise 6
Bonus Content Switching Policy
Overview
In this section, we will unbind the urlswitch policy and create a new policy that detects the language
via the HTTP header set by the browser. We will redirect requests accordingly.

Step by step guidance

Step Action
1. Begin by unbinding the original urlswitch policy from Content Switching > Virtual Servers by opening
the WebSwitch virtual server, expanding the Content Switching Policy and clicking Unbind. Click Close
to finish.

Unbind the original urlswitch policy from the WebSwitch Content Switching Virtual Server.

• Navigate to Traffic Management > Content Switching > Virtual Servers
• Click on the WebSwitch Content Switching Virtual Server
• Click Edit
• Select 1 Content Switching Policy
• Select urlswitch
• Select Unbind from the top bar
• Click Yes
• Click Close
2. Add a new content switching policy to the WebSwitch Content Switching Virtual Server that you created
earlier. First make sure that you switch back to default syntax.

• Navigate to Traffic Management > Content Switching > Virtual Servers
• Select WebSwitch
• Click on No Content Switching Policy Bound
• Click the + icon beside “Select Policy”
• Ensure that it shows Switch to Classic Syntax under the Expression* box
3. Navigate back to the top, give the policy the name language and select Expression.

• Navigate to Traffic Management > Content Switching > Virtual Servers
• Select WebSwitch
• Click on No Content Switching Policy Bound
• Click the + icon beside “Select Policy”
• Type language in the Name field
• Select Expression

4. Configure the new policy, language, to detect the English language within the HTTP request header:
HTTP.REQ.HEADER("Accept-Language").CONTAINS("en")

• Navigate to Expression Editor
• Click on Expression Editor
• Use the Expression Editor to build the following expression:
HTTP.REQ.HEADER("Accept-Language").CONTAINS("en")
• Select Create

Note: When using the Expression Editor to create the expression, do not include the
quotation marks, as the Expression Editor automatically adds them for you.
For example, just type Accept-Language for the header, not “Accept-Language”.
5. Set the target of this policy to WebVip1, accept any messages about GoTo Expressions if you encounter
them here, and configure the Priority to 10. Verify the configuration and continue by clicking OK.

• Navigate to Target Load Balancing Virtual Server
• Click Click to select
• Select the Webvip1 virtual server
• Click OK
• Click Bind
• If you receive “Priority is mandatory for advanced expressions”, click OK
• Set priority to 10
• Click OK
• Select Done

Make sure you save the running configuration. Click the Floppy Disk icon and then click Yes to
confirm saving the running configuration.
6. Test this content switching policy by heading to http://192.168.10.125:81 in Internet Explorer and setting your
language to anything but English in the browser. You can find this under Tools, Internet Options,
Languages.

• Open the Internet Explorer browser
• Select settings
• Click on Tools
• Click on Language at the bottom of the page
• Add any language and remove English
• Navigate to http://192.168.10.125:81 in your Internet Explorer browser
• Once you switch from English you will be sent to WebVip2 instead of WebVip1 and the name of the
server will change from 'Web Server – A' to 'Web Server – B'.

Exercise Summary
In this exercise you have become familiar with Citrix NetScaler content switching functionality: you configured
a basic Content Switching virtual server and policies, and configured an advanced content switching policy
that detects the language field of an HTTP header.
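The switching decisions of Exercises 5 and 6 as an added Python model, not code from the lab guide or the appliance: the classic `-url /url*` rule and the default-syntax expression HTTP.REQ.HEADER("Accept-Language").CONTAINS("en") are evaluated against constructed requests the way the WebSwitch virtual server would, returning the chosen load-balancing virtual server. It also shows why step 6 asks you to remove English rather than merely add another language: CONTAINS("en") is a substring test, so a browser that still lists English as a fallback is switched to WebVip1.

```python
"""Model of the WebSwitch content-switching decisions from Exercises 5 and 6.

Added example, not part of the lab guide. Policy evaluation is simplified to
what the two lab policies need; the requests below are constructed samples.
"""
from typing import Callable, Dict, List, NamedTuple


class Request(NamedTuple):
    path: str
    headers: Dict[str, str]


Rule = Callable[[Request], bool]


class CsPolicy(NamedTuple):
    name: str
    rule: Rule
    target_lb: str      # -targetLBVserver


def url_rule(pattern: str) -> Rule:
    """Classic 'add cs policy <name> -url <pattern>': a trailing '*' matches any suffix."""
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        return lambda req: req.path.startswith(prefix)
    return lambda req: req.path == pattern


def header_contains_rule(header: str, needle: str) -> Rule:
    """Default-syntax HTTP.REQ.HEADER(header).CONTAINS(needle).

    CONTAINS is a plain, case-sensitive substring test, and an absent header
    evaluates as an empty string, so the rule is false for it.
    """
    def rule(req: Request) -> bool:
        value = next((v for k, v in req.headers.items() if k.lower() == header.lower()), "")
        return needle in value
    return rule


class CsVserver:
    """'bind cs vserver ... -policyName' entries in priority order plus the '-lbvserver' default."""

    def __init__(self, policies: List[CsPolicy], default_lb: str) -> None:
        self.policies = policies
        self.default_lb = default_lb

    def select(self, req: Request) -> str:
        for policy in self.policies:
            if policy.rule(req):
                return policy.target_lb
        return self.default_lb


def exercise5_webswitch() -> CsVserver:
    """urlswitch (-url /url*) -> WebVip1, everything else -> WebVip2."""
    return CsVserver([CsPolicy("urlswitch", url_rule("/url*"), "WebVip1")], "WebVip2")


def exercise6_webswitch() -> CsVserver:
    """language policy -> WebVip1, everything else -> WebVip2 (urlswitch unbound)."""
    language = CsPolicy("language", header_contains_rule("Accept-Language", "en"), "WebVip1")
    return CsVserver([language], "WebVip2")


def route(vserver: CsVserver, path: str, **headers: str) -> str:
    """Build a constructed request (Accept_Language= becomes Accept-Language:) and return the LB vserver picked."""
    return vserver.select(Request(path, {k.replace("_", "-"): v for k, v in headers.items()}))


if __name__ == "__main__":
    cs5, cs6 = exercise5_webswitch(), exercise6_webswitch()
    print("/url1       ->", route(cs5, "/url1"))                            # WebVip1
    print("/           ->", route(cs5, "/"))                                # WebVip2
    print("en-US       ->", route(cs6, "/", Accept_Language="en-US"))       # WebVip1
    print("de-DE       ->", route(cs6, "/", Accept_Language="de-DE"))       # WebVip2
    # English listed only as a low-priority fallback still matches CONTAINS("en").
    print("de-DE,en    ->", route(cs6, "/", Accept_Language="de-DE,en;q=0.1"))
```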

Module 7
URL Transformation using the Rewrite Feature
Rewrite refers to the rewriting of some information in the requests or responses handled by the
NetScaler system. Rewriting can help in providing access to the requested content without
exposing unnecessary details about the website’s actual configuration. A few situations in which the
rewrite feature is useful are described below:

• To improve security, the NetScaler can rewrite all the http:// links to https:// in the response
body.
• In an SSL offload deployment, the non-secure links in the response have to be converted
into secure links. Using the rewrite option, you can rewrite all the http:// links to https:// to
ensure that the outgoing responses from the NetScaler to the client have secured links.
• If a website has to show an error page, you can show a custom error page instead of the
default 404 error page.
• If you want to launch a new website but use the old URL, you can use the rewrite option.
• When a topic in a site has a complicated URL, you can rewrite it with a simple, easy-to-
remember URL.
• You can append the default page name to the URL of a website.

When you enable the rewrite feature, the NetScaler can modify the headers and body of HTTP requests
and responses.

For more information about the rewrite feature, including rewrite action and policy examples, see
Citrix eDocs at http://edocs.citrix.com
Exercise 7 (Configuration Utility)
URL Transformation using the Rewrite Feature
Overview
In this section, we will create a URL Transformation Profile that takes requests and directs them to
the appropriate web server. The profile that will be created looks for ‘/url1’ within the URL and
directs the request to '/url2', all while being transparent to the user.

Step by step guidance

Step Action
1. Use an HTTP connection to the NetScaler-A (192.168.10.15) configuration utility logged on as the nsroot
user for this task.

• Log on to the NetScaler-A (192.168.10.15) configuration utility with the nsroot credentials
• Start by enabling the Rewrite feature
o Navigate to AppExpert > Rewrite
o Right Click Rewrite
o Click on Enable Feature

Create a new URL Transformation Profile named “Ferrysburg” by going to AppExpert, Rewrite, URL
Transformation, Profiles and clicking Add. Fill in the Name field with “Ferrysburg” and click Create.

o Navigate to AppExpert > Rewrite > URL Transformation
o Expand URL Transformation and select Profiles
o Click on Add
o Type ferrysburg
o Select Create
2. Open the Ferrysburg profile by selecting it and clicking Edit, or double-clicking. Add a new URL
Transformation Action by clicking ‘Insert’ at the bottom of the dialog window.

o Navigate to AppExpert > Rewrite > URL Transformation > Profiles
o Select ferrysburg
o Click on Edit
o Click on Insert
3. Configure the new URL Transformation Action “actFerrysburg”. The URL Transformation Action is used to take
requests for url1 and respond via url2. The configuration for actFerrysburg is below.

o Navigate to AppExpert > Rewrite > URL Transformation > Profiles
o Select ferrysburg
o Click on Edit
o Click on Insert
o Type actFerrysburg in the Name field
o Set priority to 1000
o Check the Enabled box
o Type 192.168.10.125/url1 in the Request URL From field
o Type 192.168.10.125/url2 in the Request URL Into field
o Type 192.168.10.125/url2 in the Response URL From field
o Type 192.168.10.125/url1 in the Response URL Into field
o Select OK
4. Click Insert if you have not already, verify that the action is enabled by the green check box under Enabled,
and click OK to close the dialog.

Make sure you save the running configuration. Click the Floppy Disk icon and then click Yes to
confirm saving the running configuration.
5. Create a new URL Transformation Policy by heading to AppExpert, Rewrite, URL Transformation,
Policies and clicking Add. This new policy will be used to check if the URL contains "url1" and fire the URL
Transformation Action that was added in steps 2 and 3. Add “Ferrysburg” for the name, attach the
Ferrysburg Profile under the Profile drop-down, and add the expression:
HTTP.REQ.URL.PATH.GET(1).CONTAINS("url1")

o Navigate to AppExpert > Rewrite > URL Transformation > Policies
o Click Add
o Type Ferrysburg in the Name* field
o Select ferrysburg from the drop-down menu under Profile*
o Click on Expression Editor on the top right of the Expression* box
o Use the Expression Editor to build the following expression:
HTTP.REQ.URL.PATH.GET(1).CONTAINS("url1")
o Select Done
o Select Create

Note: When using the Expression Editor to create the expression, do not include the
quotation marks, as the Expression Editor automatically adds them for you.
For example, just type url1 for the string, not “url1”.
6. Bind the new policy under the Default Global bind point. You will need to open the Policy Manager, select
Default Global and finally insert the newly created policy. Open and bind the policy by clicking Policy Manager.
Select Default Global and click Continue. Select the Ferrysburg policy at Priority 100. Finally click Bind
followed by Done.

o Navigate to AppExpert > Rewrite > URL Transformation > Policies
o Click on the Policy Manager button
o Select Default Global from the drop-down menu under the Bind Point* field
o Leave the Connection Type* as Request
o Click on Click to select under Policy Binding and select the Ferrysburg policy
o Leave the priority at 100
• Select Bind
• Select Create

Verify the policy is active and bound by checking for the green check mark under Active. If it does not
show active, refresh the GUI by clicking on the refresh icon next to the “Help Icon”.
7. Verify the Ferrysburg URL Transformation Policy is active by directing your web browser (New Incognito
Window) to http://192.168.10.125/url1. You will see a response from URL2 from either Web-Server A or B if
the policy is active and working correctly. You may have to close and re-open the browser.

Exercise 7 (CLI Command)
URL Transformation using the Rewrite Feature
Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface logged on as the nsroot user
for this task.

• enable ns feature rewrite
• add transform profile Ferrysburg -type URL
• set transform profile Ferrysburg -type URL -onlyTransformAbsURLinBody OFF
• add transform action actFerrysburg Ferrysburg 1000 -state ENABLED
• set transform action actFerrysburg -priority 1000 -reqUrlFrom '192.168.10.125/url1' -reqUrlInto '192.168.10.125/url2' -resUrlFrom '192.168.10.125/url2' -resUrlInto '192.168.10.125/url1' -state ENABLED
• add transform policy Ferrysburg 'HTTP.REQ.URL.PATH.GET(1).CONTAINS("url1")' Ferrysburg
• bind transform global Ferrysburg 100
• show transform profile Ferrysburg
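What the four fields of the actFerrysburg action do, as an added simplified Python model rather than code from the lab guide or the appliance: Request URL From/Into rewrite the URL the client asked for before it is forwarded, Response URL From/Into rewrite matching absolute URLs in the Location header and body so the client keeps seeing the public form, and the policy HTTP.REQ.URL.PATH.GET(1).CONTAINS("url1") gates the request side. The HTTP samples are constructed; relative URLs in the body (the -onlyTransformAbsURLinBody OFF setting) are not modelled.

```python
"""Model of the 'Ferrysburg' URL transformation from Exercise 7.

Added example, not part of the lab guide: a simplified model of a URL
transformation action and its policy gate. All HTTP samples are constructed,
and the From value is treated as a whole path prefix.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class TransformAction:
    req_url_from: str           # Request URL From  (-reqUrlFrom)
    req_url_into: str           # Request URL Into  (-reqUrlInto)
    res_url_from: str           # Response URL From (-resUrlFrom)
    res_url_into: str           # Response URL Into (-resUrlInto)
    enabled: bool = True


FERRYSBURG = TransformAction(
    req_url_from="192.168.10.125/url1", req_url_into="192.168.10.125/url2",
    res_url_from="192.168.10.125/url2", res_url_into="192.168.10.125/url1",
)


def path_get(path: str, n: int) -> str:
    """HTTP.REQ.URL.PATH.GET(n): the n-th '/'-separated path segment (1-based), '' if absent."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    return segments[n - 1] if 0 < n <= len(segments) else ""


def ferrysburg_policy(path: str) -> bool:
    """HTTP.REQ.URL.PATH.GET(1).CONTAINS("url1"): only the first path segment is inspected."""
    return "url1" in path_get(path, 1)


def transform_request(action: TransformAction, host: str, path: str) -> str:
    """Return the host+path the back end receives for a client request (query string preserved)."""
    bare, sep, query = path.partition("?")
    public = host + bare
    if action.enabled and ferrysburg_policy(bare):
        if public == action.req_url_from or public.startswith(action.req_url_from + "/"):
            public = action.req_url_into + public[len(action.req_url_from):]
    return public + sep + query


def transform_response(action: TransformAction, headers: Dict[str, str],
                       body: str) -> Tuple[Dict[str, str], str]:
    """Rewrite absolute URLs that expose the internal form back to the public form."""
    if not action.enabled:
        return headers, body
    # Match http(s)://<From> only where the prefix ends a path segment, so /url2 does not hit /url20.
    pattern = re.compile(r"(https?://)" + re.escape(action.res_url_from) + r"""(?=[/?#"'\s]|$)""")

    def fix(text: str) -> str:
        return pattern.sub(lambda m: m.group(1) + action.res_url_into, text)

    new_headers = {k: (fix(v) if k.lower() == "location" else v) for k, v in headers.items()}
    return new_headers, fix(body)


if __name__ == "__main__":
    host = "192.168.10.125"
    print(transform_request(FERRYSBURG, host, "/url1/index.html"))   # .../url2/index.html
    print(transform_request(FERRYSBURG, host, "/docs/url1"))         # unchanged: GET(1) is 'docs'
    hdrs, body = transform_response(
        FERRYSBURG,
        {"Location": "http://192.168.10.125/url2/login", "Server": "Apache"},
        '<a href="http://192.168.10.125/url2/page">next</a>',
    )
    print(hdrs["Location"], body)                                    # both point at /url1 again
```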
Exercise 8 (Configuration Utility)
Bonus URL Transformation Policy
Overview
You will create a URL Transformation policy yourself. This policy will be used to transform the
Request URL named “SpringLake” and respond with “/url3”. This configuration is used to cloak or
change the external view of the internal web server. The configuration for the bonus lab is below.

Step by step guidance

Step Action
1. Create a new URL Transformation Profile named “SpringLake” by going to AppExpert, Rewrite, URL
Transformation, Profiles and clicking Add. Fill in the Name field with “SpringLake” and click Create.

o Navigate to AppExpert > Rewrite > URL Transformation
o Expand URL Transformation and select Profiles
o Click on Add
o Type SpringLake
o Select Create

2. Open the SpringLake profile by selecting it and clicking Edit, or double-clicking. Add a new URL
Transformation Action by clicking ‘Insert’ at the bottom of the dialog window.

o Navigate to AppExpert > Rewrite > URL Transformation > Profiles
o Select SpringLake
o Click on Edit
o Click on Insert
3. Configure the new URL Transformation Action “SpringLake”. The URL Transformation Action is used to take
requests for SpringLake and respond via url3. The configuration for SpringLake is below.

o Navigate to AppExpert > Rewrite > URL Transformation > Profiles
o Select SpringLake
o Click on Edit
o Click on Insert
o Type SpringLake in the Name field
o Set priority to 1000
o Check the Enabled box
o Type 192.168.10.125/SpringLake in the Request URL From field
o Type 192.168.10.125/url3 in the Request URL Into field
o Type 192.168.10.125/url3 in the Response URL From field
o Type 192.168.10.125/SpringLake in the Response URL Into field
o Select OK
4. Create a new URL Transformation Policy by heading to AppExpert, Rewrite, URL Transformation,
Policies and clicking add. This new policy will be used to check if the URL contains "url1" and fire the URL
Transformation Action that was added in step 2 and 3. Add “SpringLake” for the name, attach the
SpringLake Profile under the Profile drop down, and add the expression:
HTTP.REQ.URL.PATH.GET(1).CONTAINS(“SpringLake”).

o Navigate to AppExpert > Rewrite > URL Transformation > Policies

o Click Add

o Type SpringLake under the Name* field

o Select SpringLake from the drop down menu under Profile*

o Click on Expression Editor on the top right of the Expression* box

o Use Expression Editor to Build the following expression:

o HTTP.REQ.URL.PATH.GET(1).CONTAINS("SpringLake")

o Select Done

o Select Create

Note: When using the Expression Editor to create the expression, do not include the
quotation marks; the Expression Editor adds them for you.
For example, just type SpringLake rather than “SpringLake”.

5. Bind the new policy under the Default Global bind point. Open the Policy Manager, select
Default Global, and then insert the newly created policy: click Policy Manager,
select Default Global and click Continue, select the SpringLake policy at Priority 100, and finally click Bind
followed by Done.

o Navigate to AppExpert > Rewrite > URL Transformation > Policies

o Click on the Policy Manager button

o Select Default Global from the drop down menu under Bind Point* field

o Leave the Connection Type* to Request

o Click on Click to select under Policy Binding and select SpringLake Policy

o Leave the priority to 100

• Select Bind

• Select Create

6. Verify the SpringLake URL Transformation Policy is active by directing your web browser to
http://192.168.10.125/SpringLake. If the policy is active and working correctly, you will see a response from URL3
from either Web-Server A or B. You may have to close and re-open the browser.
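As an added illustration (not code from this lab guide or from NetScaler), the following Python model shows what the SpringLake action does once the policy matches: the request pair maps /SpringLake to /url3 on the way in, and the response pair maps /url3 back to /SpringLake (for example in a Location header) on the way out, so the internal name never reaches the client. The 1-based reading of PATH.GET(1) and the prefix match on host + path are this example's assumptions, chosen to be consistent with the lab's expression.

```python
# Added example (not the lab guide's or NetScaler's own code): a small model of
# the SpringLake URL Transformation profile, to show what the request and
# response rewrite pairs do once the policy matches. Assumptions: GET(1) is the
# first path segment after the leading slash (consistent with the lab's
# expression), and the From/Into strings are prefix matches on host + path.
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class UrlTransformAction:
    """One URL Transformation action: a request pair and a response pair."""
    name: str
    priority: int
    req_from: str
    req_into: str
    res_from: str
    res_into: str


# The values typed into the SpringLake action in step 3.
SPRINGLAKE = UrlTransformAction(
    name="SpringLake", priority=1000,
    req_from="192.168.10.125/SpringLake", req_into="192.168.10.125/url3",
    res_from="192.168.10.125/url3", res_into="192.168.10.125/SpringLake",
)


def path_get(path: str, index: int) -> str:
    """Model of HTTP.REQ.URL.PATH.GET(i): 1-based path segment, '' if absent."""
    segments = [s for s in path.split("/") if s]
    return segments[index - 1] if 0 < index <= len(segments) else ""


def policy_matches(path: str) -> bool:
    """Model of HTTP.REQ.URL.PATH.GET(1).CONTAINS("SpringLake")."""
    return "SpringLake" in path_get(path, 1)


def transform_request(host: str, path: str, action: UrlTransformAction) -> str:
    """Request direction: the client asks for /SpringLake, the server sees /url3."""
    target = host + path
    if policy_matches(path) and target.startswith(action.req_from):
        return action.req_into + target[len(action.req_from):]
    return target


def transform_response_location(location: str, action: UrlTransformAction) -> str:
    """Response direction: a Location header naming /url3 is rewritten back to
    /SpringLake, so the internal name is hidden from the client."""
    parts = urlsplit(location)
    target = parts.netloc + parts.path
    if not target.startswith(action.res_from):
        return location
    rewritten = action.res_into + target[len(action.res_from):]
    host, _, path = rewritten.partition("/")
    return urlunsplit((parts.scheme, host, "/" + path, parts.query, parts.fragment))


if __name__ == "__main__":
    print(transform_request("192.168.10.125", "/SpringLake/index.html", SPRINGLAKE))
    print(transform_response_location("http://192.168.10.125/url3/login", SPRINGLAKE))
```

A request for /url1 is left alone because the policy does not match it, which is the same reason the lab's verification step asks for /SpringLake specifically.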

Exercise Summary
In this exercise you have become familiar with Citrix NetScaler rewrite functionality: configuring URL
Transformation policies to transparently rewrite a request, hiding the internal architecture of the
web servers from the client.

Module 9
Web Application Firewall
Organizations have a crucial need to protect their data and information from unauthorized users
and hackers. A network firewall does not provide enough protection against unauthorized access to
web applications. Rather, the best practice is to implement an application firewall in addition to a
network firewall to protect critical applications, especially those that contain customer and employee
data.

Hackers gain access to an organization's applications by exploiting vulnerabilities introduced by
human error and incomplete vendor updates, and by using new attack methods.

Application Firewall protects web applications from malicious attacks and unauthorized usage.
Application Firewall examines all incoming and outgoing traffic between protected web servers and
users for evidence of attacks or misuse of web server resources. It also blocks all known and
unknown attacks.

Application firewall can be run as a stand-alone implementation on the NetScaler hardware and
functions as a dedicated Application Firewall appliance. Application Firewall is also available as a
feature within the NetScaler Application Delivery System, which includes Application Firewall
functionality in addition to other NetScaler operating system features. Application Firewall integrated
with Citrix NetScaler is available with NetScaler Enterprise and Platinum editions.

The figure shows how application attacks are mounted. Application Firewall protects critical web
applications and defends the infrastructure of any organization from identity theft, lost revenue,
brand erosion and other negative outcomes caused by application attacks.

Exercise 9 (Configuration Utility)
Web Application Firewall
Overview
In this lab, we will begin working with the Application Firewall feature of NetScaler. We will test the
security functionality of the AppFirewall through a web service called WebGoat that is served via
both web servers in the environment.

Step by step guidance


Step Action
1. Start by enabling the highly available WebGoat servers by creating a new Load Balancing Virtual Server.

***Use Firefox Web browser for this exercise

First, create two new WebGoat services for both servers. Do this by going to Traffic Management, Load
Balancing, Services, and adding the “webgoat-service” and “webgoat-service1”. The Protocol will be
HTTP and the Server fields and Ports will be web-server1 port 8080 and web-server2 port 8080
respectively. Add a tcp monitor to the service and click Done.

• Log on to the NetScaler-A (192.168.10.15) configuration utility with the nsroot credentials

• Create an HTTP service called “Webgoat-Service” that will be associated with the Web-Server-1
server.

o Navigate to Traffic Management > Load Balancing > Services

o Click Add in the Services pane – the Load Balancing Service dialog box opens.

o Type Webgoat-Service in the Service Name field

o Select the Existing Server radio button

o Select Web-Server-1 from the Server menu

o Verify that HTTP is selected from the Protocol menu and 8080 is entered in the Port field.

o Select “1 Service to Load Balancing Monitoring Binding” under Monitors

o Select Add Binding radio button

o Select Click to select and choose tcp monitor

o Click OK and then click Done

• Similarly, create an HTTP service called “Webgoat-Service1” that will be associated with the Web-
Server-2 server.

o Navigate to Traffic Management > Load Balancing > Services

o Click Add in the Services pane – the Load Balancing Service dialog box opens.

o Type Webgoat-Service1 in the Service Name field

o Select the Existing Server radio button

o Select Web-Server-2 from the Server menu

o Verify that HTTP is selected from the Protocol menu and 8080 is entered in the Port field.

o Select “1 Service to Load Balancing Monitoring Binding” under Monitors

o Select Add Binding radio button

o Select Click to select and choose tcp monitor

o Click OK and then click Done

2. Create a new “WebGoat-VIP” Load Balancing Virtual Server by going to Traffic Management, Load
Balancing, Virtual Servers, and clicking Add.

• Begin the configuration of a “WebGoat-VIP” load-balancing virtual server that will be associated with
the WebGoat-Service and WebGoat-Service1 services.

o Navigate to Traffic Management > Load Balancing > Virtual Servers

o Click Add in the Load Balancing Virtual Servers pane

o Type WebGoat-Vip in the Name field

o Verify that HTTP is selected from the Protocol drop-down menu and that 8080 is entered in
the Port field

o Type 192.168.10.125 in the IP Address field

o Click OK

o Click the “No Load Balancing Virtual Server Service Binding” option below Service to bind
the Services.

o Click the Click to select in the Select Service field

o Select the WebGoat-Service radio button

o Click OK and then click Bind

o Click the “1 Load Balancing Virtual Server Service Binding” option below Service to bind
the Services

o Click Add Binding

o Click the Click to select in the Select Service field

o Select the WebGoat-Service1 radio button

o Click OK and then click Bind

o Click Add Binding

o Click Close and then click OK

3. Go to the Method and Persistence tab and choose Round Robin as the LB Method. Under the
Persistence section choose COOKIEINSERT, Time-out ‘0’. Finally click OK.

o Click Method under Advanced on the right

o Select ROUNDROBIN from the Load Balancing Method drop-down menu

o Click OK and then click Done

o Click Persistence under Advanced on the right

o Select COOKIEINSERT from the persistence drop-down menu

o Type the number 0 under the Time-out (mins)* field

o Click OK and then click Done

4. Test the new WebGoat-VIP by going to http://192.168.10.125:8080/WebGoat/attack. The username is “guest”
and the password is “guest”.

The website URL is case sensitive. Make sure you type it exactly as you see it.

5. NetScaler Application Firewall is able to utilize security signatures from various security vendors such as
Snort. These signatures are attached within policies that are created within this section. To begin we will
head to Security, Application Firewall, and Signatures. To download the latest signatures from Snort click
on *Default Signatures, select Action, and finally Update Version. Agree to the update by selecting Yes.
The latest security signatures will be downloaded.

Note: If Application Firewall is not enabled yet that’s ok. You can still update the signatures.
We will enable AppFirewall in subsequent steps.

o Navigate to Security > Application Firewall > Signatures

o Click *Default Signatures

o Select Action

o Click on Update Version

o Select Yes to agree to update the latest security signatures

• Next we will need to define our own version of the *Default Signatures

o Select *Default Signatures and click Add.

6. The Add Signatures Object dialog opens and we will create a name, AppFWSignatures, and verify the
signatures that are being imported. Here we could select to block or not block various signatures. For the
purposes of this lab, we will leave the defaults selected. After glancing over the signatures, select OK.

o Type AppFWSignatures and click Ok

7. Define an application firewall profile.

Begin by enabling the Application Firewall feature. Do this by right clicking on Security, Application
Firewall and clicking Enable Feature.

o Navigate to Security > Application Firewall

o Right Click Application Firewall

o Select Enable Feature

8. Add an AppFW profile by going to Security, Application Firewall, Profiles and clicking Add. Fill in the
Profile name “AppFWProfile”, select Web 2.0 Application, and choose Basic Defaults. Click on Create
and close the dialog.

o Navigate to Security > Application Firewall > Profiles

o Select Add

o Type AppFWProfile

o Select Web 2.0 Application from the drop down menu under Profile Type

o Select Create

9. Configure the newly created AppFWProfile by double clicking on it. Head to the Security Checks tab. In
the Start URL row unselect Block and select Log and Stat. In the Credit Card row select Log and Stat, and in the
HTML SQL Injection row select Block, Log and Stat.

o Navigate to Security > Application Firewall > Profiles

o Select AppFWProfile and click Edit

o Click the Security Checks tab

o Next to Start URL row unselect Block and select Log and Stat

o Next to Credit Card row select Log and Stat

o Next to HTML SQL Injection row select Block, Log and Stat

10. Open the Credit Card profile by double clicking on it and change the status of each card to Protected. After
protecting each card, move to the General tab and select X-Out. Click OK twice to back out of all dialog
boxes.

o Navigate to Security > Application Firewall > Profiles

o Select AppFWProfile and click Edit

o Click the Security Checks tab

o Double Click Credit Card row

o Select each Credit Card and click on the lock icon at the bottom left to protect the credit
cards

o Select the General tab

o Select X-Out

o Select Ok

11. Next, we will attach the AppFWSignatures to this profile. To do this we will move to the Settings tab and
scroll to the Common Settings field. Here we will select AppFWSignatures under the Signatures drop
down. Finally click OK and close the dialog

o Navigate to Security > Application Firewall > Profiles

o Select AppFWProfile and click Edit

o Navigate to the Settings tab

o Scroll down to Common Settings

o Select AppFWSignatures from the Signatures drop down menu

o Click OK

12. Now you will need to create an AppFirewall policy by going to Security, Application Firewall, Policies,
Firewall and clicking Add. Configure the Policy Name, Profile, and Expression as below. This step creates
a policy for AppFirewall called AppFWPolicy that links the recently created profile and adds an expression
that decides whether the policy fires. The expression used is “HTTP.REQ.IS_VALID”, which will trigger the AppFWProfile
if the incoming connection is a valid HTTP request. Click Create and then Close when complete.

o Navigate to Security > Application Firewall > Policies > Firewall

o Click Add

o Type AppFWPolicy in the Name* Field

o Select AppFWProfile from the Profile* drop down menu

o Create the following expression in the Expression box:

• HTTP.REQ.IS_VALID

o Click Create

13. Now we have an Application Firewall policy, but it is not bound, meaning it is not yet in effect. You will need to
enable the policy through the Policy Manager. Go to the Policy Manager by clicking Action and Policy
Manager.

o Navigate to Security > Application Firewall > Policies > Firewall

o Click on Policy Manager

14. Insert the AppFWPolicy into the Default Global policy. Do this by clicking the Default Global bind point,
selecting to Bind the Policy, by choosing the AppFWPolicy. Finally click Bind and then close once
complete.

o Navigate to Security > Application Firewall > Policies > Firewall

o Click on Policy Manager

o Select Default Global from the drop down menu under Bind Point*

o Click Continue

o Click on Click to select and bind the AppFWPolicy

o Select Bind

Note: Binding the policy to the Default Global bind point will enable the policy on all Virtual
Servers that are available within the NetScaler. You are also able to bind policies to other
specific bind points such as Content Switching Virtual Servers, or even load balancing virtual
servers, as in the image below.

o Verify that the policy is enabled via the green check under Active.

15. Test the new Application Firewall policy via the WebGoat URL that was configured earlier. You can enable and
disable the Application Firewall feature to test WebGoat security vulnerabilities with Application Firewall
enabled or disabled. You can do this by right clicking on Application Firewall under Security, Application
Firewall and selecting Disable Feature or Enable Feature, as in step 7 above:

o Navigate to Security > Application Firewall

o Right Click Application Firewall

o Select Enable/Disable Feature

Note: This makes for a quick way to compare behaviour before and after protection.

16. Be sure to reset WebGoat each time with the "restart this lesson" link.

Note: To test with WebGoat, remember a couple of key points. Practice before a demo. Restart the
lesson after each exploit to test WebGoat, or it may not ‘work’ on subsequent tries. The NetScaler
needs to see the cookies and entire activity, so when you enable the WebApplicationFirewall feature,
open a fresh browser. A stale browser may not get the same effect, and in real life people are not
turning the WAF feature on and off like this.

IMPORTANT: Never try the attacks you learn here in the real world. Many times a newbie has
experienced disgrace by playing around and starting some undesirable consequences. Keep the hacks
to just WebGoat, or within a Contract and detailed Statement of Work. Ethical Hacking, etc.. etc..
NO SURPRISES.

Go back and turn the NetScaler WebApplicationFirewall off. You need to establish a baseline, and if the
WAF is on, it will block you by redirecting you to the root of TomCat. We have it configured to do this when
an exploit happens, so be careful not to follow a red herring. Go ahead and turn the WAF Feature off until
you have a hack working, then turn it on, and open a fresh browser, and start with WAF on to try it again…

• For now, start with Web AppFirewall disabled

o Navigate to Security > Application Firewall

o Right Click Application Firewall

o Ensure that the feature is Disabled

17. If you leave the WAF on, success will redirect you to the TomCat Root like this:

It says "It Works" but it is not what you are looking for. NetScaler redirected you to the root because the
Redirect Rule in the WAF Profile is configured to do just that.

When WebGoat works, you stay within WebGoat and it congratulates you. Also, WebGoat is a tutorial. On
the first screen it tells you the answers are hidden at the top right under the solution link. Why not use that
and cut/paste where helpful?

18. Begin: To start the WebGoat Application, scroll down and click on start WebGoat:

o Navigate to http://192.168.10.125:8080/WebGoat/attack

o If you don’t see the page shown below, close the browser and open a new one

o Log in using guest/guest credentials

You can already see that your Application Firewall policy is taking hits:

o Navigate to Security > Application Firewall > Policies > Firewall

o Notice the number of hits on the right hand side

19. For SQL injection go to Injection Flaws, String SQL Injection:

o Navigate to http://192.168.10.125:8080/WebGoat/attack

o On the left hand side select Injection Flaws and then click on String SQL Injection

o Type the following SQL Injection code: Erwin' OR '1'='1

o Click on Go!

We are modifying the SELECT string, shown under the text field for convenience: after the match criteria
you sneak in an "or is true" clause that matches everything, and get all of the data back. The Solution for this lesson shows
the example Erwin' OR '1'='1 (the outer ticks are implied for you).

Note the “* Congratulations.” message and all the 'credit card examples'. They may well not be real credit card
numbers; the NetScaler uses an algorithm to decide which numbers to act on for information leakage prevention and
DLP, so it does not x-out the fake numbers. We will turn the NetScaler on and see it protect next.
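As an added example (not the lab guide's or NetScaler's own code), here is the kind of validity check that keeps made-up numbers from being x'd out: a Luhn checksum accepts well-formed card numbers and rejects arbitrary digit strings, and only numbers that pass are masked. The X-out format used here (every digit but the last four replaced by X) and the sample response body are constructed for this example.

```python
# Added example (not the lab guide's or NetScaler's own code): why a credit
# card check leaves WebGoat's fake 'credit card examples' alone. A Luhn
# checksum is the standard way to tell a well-formed card number from an
# arbitrary run of digits; only numbers that pass it are masked. Assumptions:
# the X-out format (all digits but the last four replaced by X) is this
# example's choice, and the response body below is constructed, not WebGoat's.
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` satisfy the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def x_out(number: str) -> str:
    """Mask every digit except the last four, keeping separators in place."""
    digit_count = sum(c.isdigit() for c in number)
    seen = 0
    out = []
    for c in number:
        if c.isdigit():
            seen += 1
            out.append(c if seen > digit_count - 4 else "X")
        else:
            out.append(c)
    return "".join(out)


def protect_body(body: str):
    """Scan a response body; mask Luhn-valid card numbers and count them."""
    masked = 0

    def repl(match):
        nonlocal masked
        token = match.group(0)
        if luhn_valid(token):
            masked += 1
            return x_out(token)
        return token            # fails Luhn: left untouched, like the lab's fakes

    return CARD_RE.sub(repl, body), masked


# Constructed sample: one well-known test card number, one made-up digit string.
SAMPLE_BODY = (
    "Joe Snow 4111 1111 1111 1111\n"
    "Jane Doe 1234567890123456\n"
)

if __name__ == "__main__":
    body, count = protect_body(SAMPLE_BODY)
    print(body, "masked:", count)
```

Running it masks only the first number: the second fails the checksum and is left in the body exactly as WebGoat's fake examples were left alone in the lab.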

20. Turn the WAF back on:

o Navigate to Security > Application Firewall

o Right Click Application Firewall

o Click on Enable Feature

Try Again (close and open your browser, login guest / guest, Start WebGoat... set up accordingly).

o Navigate to http://192.168.10.125:8080/WebGoat/attack

o If you don’t see the page shown below, close the browser and open a new one

o Log in using guest/guest credentials

For SQL injection go to Injection Flaws, String SQL Injection:

o On the left hand side select Injection Flaws and then click on String SQL Injection

o Type the following SQL Injection code: Erwin' OR '1'='1

o Click on Go!

*** Well, "It works" is true. Application Firewall redirected you, per your configuration, for trying to hack.

21. Let’s check the logs:

o Navigate to System > Auditing

o Under Audit Messages select Syslog messages

o On the right hand side under Filter By > Module

o Select APPFW from the drop down menu

o Click on Apply

One could use the CLI and grep through the /var/log directory, but the tool is right there with a pull-down
menu. Set the module to APPFW and have a look.

22. Let’s stop blocking and keep playing with it. (You should be thinking to click on WebGoat's Restart Lesson
Link).

Under WebApplicationFirewall in the NetScaler GUI, select the Profile and the Security Checks Tab.

o Navigate to Security > Application Firewall > Profiles

o Select AppFWProfile and click Edit

o Click the Security Checks tab

o Uncheck Block on the HTML SQL injection row

Let’s try "Transform" to neutralize the SQL tick. Double click on the HTML SQL Injection row (the
row where we unchecked Block in the screen shot above).

o Navigate to Security > Application Firewall > Profiles

o Select AppFWProfile and click Edit

o Click the Security Checks tab

o Double Click HTML SQL injection row

o Check the Transform SQL special characters box

o Click OK

23. Let’s check the logs. Security – Application Firewall – Policies – Firewall – Auditing – Syslog messages

o Navigate to System > Auditing

o Under Audit Messages select Syslog messages

o On the right hand side under Filter By > Module

o Select APPFW from the drop down menu

o Click on Apply

Gotcha! On a sniffer trace, you would see that the Erwin part now has double quotes instead of single quotes.
The WebGoat screen shot above even calls it out: Erwin" OR "1"="1. The double tick (") and single tick (') are
different to SQL.
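As an added example (not the lab guide's, WebGoat's or NetScaler's own code), the following reproduces the three cases from steps 19 to 23 against a constructed SQLite table: the lesson's string-concatenated query with the raw input, the same query after the WAF transform has turned each single quote into a double quote, and a parameterised query, which is the fix the application itself should carry. The transform is modelled only as ' to ", the effect the lab points out; other characters the real transform touches are out of scope here, and the table rows are made up.

```python
# Added example (not the lab guide's, WebGoat's or NetScaler's own code): what
# the "Transform SQL special characters" option does to the lab's input, and
# why a parameterised query is the fix the application itself should carry.
# Assumptions: the transform is modelled only as single quote -> double quote
# (the effect the lab points out); the table and rows are constructed here.
import sqlite3

# Constructed stand-in for the lesson's user_data table (not WebGoat's data).
SAMPLE_ROWS = [
    ("Joe", "Snow", "987654321"),
    ("Dave", "Erwin", "123456789"),
    ("Jane", "Doe", "555555555"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory table the lookups below run against."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_data (first_name TEXT, last_name TEXT, cc_number TEXT)")
    con.executemany("INSERT INTO user_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def vulnerable_lookup(con, last_name: str) -> list:
    """The lesson's pattern: user input pasted straight into the SQL string."""
    sql = ("SELECT first_name, last_name, cc_number FROM user_data "
           "WHERE last_name = '" + last_name + "'")
    return con.execute(sql).fetchall()


def transform_sql_special_chars(value: str) -> str:
    """Model of the WAF transform: the SQL string delimiter ' becomes "."""
    return value.replace("'", '"')


def safe_lookup(con, last_name: str) -> list:
    """Parameterised query: the input is always data, never SQL."""
    return con.execute(
        "SELECT first_name, last_name, cc_number FROM user_data WHERE last_name = ?",
        (last_name,),
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    payload = "Erwin' OR '1'='1"
    print("no WAF:       ", vulnerable_lookup(con, payload))
    print("WAF transform:", vulnerable_lookup(con, transform_sql_special_chars(payload)))
    print("parameterised:", safe_lookup(con, payload))
```

With the raw input the concatenated query returns every row; after the transform the whole value is one harmless string literal (Erwin" OR "1"="1) and nothing matches; with the parameterised query the result is the same empty set whatever the input contains, which is why the WAF transform is a compensating control and not a replacement for fixing the query.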

OK, let’s stop transforming and let you back into the site. By now you are used to going into the App
Firewall Profile that our globally bound policy is set to.

o Navigate to Security > Application Firewall > Profiles

o Select AppFWProfile and click Edit

o Click the Security Checks tab

o Double Click HTML SQL Injection

o Uncheck Transform SQL special characters

On the General Tab, you can deselect transform.

Click 'OK' on both windows, and let's go back and run WebGoat again. (I know you are thinking Restart the
Lesson).

• Go back to WebGoat, Restart the Lesson, and try again.


Exercise 9 (CLI Command)
Web Application Firewall
Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface logged on as the nsroot user
for this task.
• add service webgoat-service web-server1 HTTP 8080
• add service webgoat-service1 web-server2 HTTP 8080
• add lb vserver WebGoat-VIP HTTP 192.168.10.125 8080 -persistenceType COOKIEINSERT -timeout 0 -lbMethod ROUNDROBIN
• bind lb vserver WebGoat-VIP webgoat-service
• bind lb vserver WebGoat-VIP webgoat-service1
• en ns feature appfw
• import appfw signatures 'local:_192_168_10_250_1434589897740/default_signatures.xml' AppFWSignatures
• add appfw profile AppFWProfile -defaults basic
• set appfw profile AppFWProfile -type HTML XML
• set appfw profile AppFWProfile -creditCardAction log stats
• set appfw profile AppFWProfile -creditCard amex dinersclub discover jcb mastercard visa
• set appfw profile AppFWProfile -creditCardXOut on
• set appfw profile AppFWProfile -creditCardMaxAllowed 1
• set appfw profile AppFWProfile -startURLAction block log stats -startURLClosure OFF -denyURLAction block log stats -RefererHeaderCheck OFF -cookieConsistencyAction none -cookieTransforms OFF -cookieEncryption none -cookieProxying none -addCookieFlags none -fieldConsistencyAction none -CSRFtagAction none -crossSiteScriptingAction block log stats -crossSiteScriptingTransformUnsafeHTML OFF -crossSiteScriptingCheckCompleteURLs OFF -SQLInjectionAction block log stats -SQLInjectionTransformSpecialChars OFF -SQLInjectionCheckSQLWildChars OFF -fieldFormatAction block log stats -defaultFieldFormatMinLength 0 -defaultFieldFormatMaxLength 65535 -bufferOverflowAction bloc
• set appfw learningsettings AppFWProfile -startURLMinThreshold 1 -startURLPercentThreshold 0 -cookieConsistencyMinThreshold 1 -cookieConsistencyPercentThreshold 0 -CSRFtagMinThreshold 1 -CSRFtagPercentThreshold 0 -fieldConsistencyMinThreshold 1 -fieldConsistencyPercentThreshold 0 -crossSiteScriptingMinThreshold 1 -crossSiteScriptingPercentThreshold 0 -SQLInjectionMinThreshold 1 -SQLInjectionPercentThreshold 0 -fieldFormatMinThreshold 1 -fieldFormatPercentThreshold 0 -XMLWSIMinThreshold 1 -XMLWSIPercentThreshold 0 -XMLAttachmentMinThreshold 1 -XMLAttachmentPercentThreshold 0
• add appfw policy AppFWPolicy 'HTTP.REQ.IS_VALID' AppFWProfile
• bind appfw global AppFWPolicy 100

Module 10
High Availability
A high availability deployment of two Citrix NetScalers can provide uninterrupted operation in any
transaction. In a high-availability pair configuration, only one system is active. This system, which is
known as the primary, actively accepts connections and manages servers. All shared IP addresses
are active on the primary system only.

The secondary system monitors the health of the primary system. If the secondary system is in a
healthy state, it is ready to actively accept connections if the primary system experiences issues.
This process prevents downtime and ensures that the services provided by the NetScaler system
remain available even if one system ceases to function.

Note: High availability packets are sent untagged by default, which can be an issue with a switch that handles
tagged packets only.

High-Available Node Configuration

A pair of NetScaler systems must be configured to become a high-availability pair. The process for
configuring a high-availability pair involves first configuring the primary node then configuring the
secondary node.

Citrix recommends that you set the status of the desired secondary node to stay secondary when
nodes are configured. This practice ensures that an accidental failover does not occur during the
configuration process, resulting in changes being made to the secondary rather than the primary
node. Any changes that are made to the secondary node are not propagated to the primary node.

In a high-availability configuration, you can designate which interfaces to monitor for failing events.
A failover occurs when any high-availability monitored interface goes down. If a particular interface
is not being used, or if a failover is not required upon its failure, the high-availability monitor should be
disabled on that interface.

Exercise 10 (Configuration Utility)
High Availability
Overview
In this lab, we will create a highly available pair of NetScalers by utilizing NetScaler-B and the
already configured NetScaler-A.

Step by step guidance
Step Action
1. We will need to activate the NetScaler-B license. You will follow the same procedure as in the Licensing Lab, but you will
use 192.168.10.17 as the NetScaler IP Address and the appropriate license for NetScaler-B
(“06e089e0b0f2.lic”).

Refer to the Licensing Lab for detailed licensing instructions. Below you will see the appropriate
configuration for NetScaler-B.

• Login to Citrix XenCenter using hypervisoradmin/Password1! credentials and start NetScaler B – 192.168.10.17

• Login to the NetScaler-B (192.168.10.17) by navigating to http://192.168.10.17 in your web browser

o Username: nsroot

o Password: nsroot

2. We will also have to set the NetScaler Subnet IP (SNIP). We will use 192.168.10.18

o Select the 2nd item labeled Subnet IP Address.

o Enter 192.168.10.18 under Subnet IP Address*

o Leave Netmask* as 255.255.255.0

• Upload the license file “06e089e0b0f2.lic”. If not going through the wizard, license configuration
can be found at System > Licenses > Update in the GUI.

o Select the 4th item labeled Licensing. Select “Upload files from a local computer”. You
will find the licenses in a folder located at C:\Licenses

o There is a total of 4 licenses in C:\Licenses; you will select
“06e089e0b0f2.lic”

o Select Reboot

3. Enable High Availability by heading to System, High Availability on the NetScaler – B (192.168.10.17) and
Select (STAY SECONDARY). On NetScaler –A (192.168.10.15) select (STAY PRIMARY) and click on Add
button, specify the Remote Node IP Address (192.168.10.17) as below and click OK.

• Login to NetScaler B – 192.168.10.17 using nsroot/nsroot credentials.

• Navigate to System > High Availability

• Click on 0 in the ID column and then click Edit

• Under High Availability Status* select STAY SECONDARY (Remain in Listen Mode)

• Click OK

• Login to NetScaler A – 192.168.10.15 using nsroot/nsroot credentials.

• Navigate to System > High Availability

• Click on 0 in the ID column and then click Edit

• Under High Availability Status* select STAY PRIMARY (Remain in Listen Mode)

• Click OK

• Click on 0 in the ID column and then click Add

• Enter the IP address of NetScaler B – 192.168.10.17 under Remote Node IP Address*

• Verify that Configure remote system to participate in High Availability Setup, Turn off HA
Monitor on interfaces/channels that are down and Turn on INC (Independent Network
Configuration) mode on self-node are all selected

• Type nsroot/nsroot under Remote System Login Credentials

4. In a few moments as you refresh the high availability node (by clicking refresh symbol button in the top right
corner of the screen) you will see the synchronization state move from in progress to success.

• On NetScaler A – 192.168.0.15, navigate to System > High Availability

• On NetScaler A – 192.168.0.15, click the Refresh button in the upper-right corner of the
configuration utility window

• On NetScaler A – 192.168.0.15, verify that 192.168.10.15 appears as Primary and 192.168.10.17
appears as Secondary in the Master State column

• On NetScaler B – 192.168.0.17, navigate to System > High Availability

• On NetScaler B – 192.168.0.17, click the Refresh button in the upper-right corner of the
configuration utility window

• On NetScaler B – 192.168.0.17, verify that 192.168.10.15 appears as Primary and 192.168.10.17
appears as Secondary in the Master State column

• Enable the NetScaler B – 192.168.0.17 Node State to actively participate in High Availability

o On NetScaler B – 192.168.0.17, navigate to System > High Availability

o Click on 0 in the ID column and then click Edit

o Select ENABLED (Actively Participate in HA) in the High Availability Status drop-down
list

o Click OK

• Enable the NetScaler A – 192.168.0.15 Node State to actively participate in High Availability

o On NetScaler A – 192.168.0.15, navigate to System > High Availability

o Click on 0 in the ID column and then click Edit

o Select ENABLED (Actively Participate in HA) in the High Availability Status drop-down
list

o Click OK

Note: Node configuration options. Opening a node listed in this section of the High Availability
configuration lets you select advanced HA options; one to point out is HA Failsafe mode.
5. To enable management access control via a subnet IP you will head to System, Network, and IPs. Here
you will select the subnet IP 192.168.10.16. Click Open and select Enable Management Access control…
within the Application Access Controls section of the dialog window. Click OK.

• On NetScaler A – 192.168.0.15, navigate to System > Network > IPs

• Select 192.168.10.16 and Click Edit

• Scroll down to the bottom and select Enable Management Access controls under the Application
Access Controls tab.

Be sure to save your configuration by clicking the save disk at the top right of the web GUI.

To test high availability try turning off the primary node and watching as the secondary node takes over.
Additionally, you can select force failover from within the GUI.

Exercise Summary
In this exercise you have gotten familiar with the Citrix NetScaler High Availability functionality and
configuring a pair of highly available NetScalers, utilizing NetScaler-A, and NetScaler-B.

Exercise 10 (CLI Command)
High Availability
Complete Steps 1 and 2 above before starting the CLI Command exercise

Use an SSH connection (PuTTY) to the NetScaler-B (192.168.10.17) command-line interface logged on as the nsroot user
for this task.
• add ns ip 192.168.10.18 255.255.255.0 -type SNIP -arp ENABLED -icmp ENABLED -vServer ENABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -state ENABLED -icmpResponse NONE -ownerNode 255 -arpResponse NONE
• set HA node -haStatus STAYSECONDARY -haSync ENABLED -haProp ENABLED -helloInterval 200 -deadInterval 3 -failSafe OFF -maxFlips 0 -maxFlipTime 0

Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface logged on as the nsroot user
for this task.
• set HA node -haStatus STAYPRIMARY -haSync ENABLED -haProp ENABLED -helloInterval 200 -deadInterval 3 -failSafe OFF -maxFlips 0 -maxFlipTime 0
• add HA node 1 192.168.10.17 -inc ENABLED

Use an SSH connection (PuTTY) to the NetScaler-B (192.168.10.17) command-line interface logged on as the nsroot user
for this task.

• set HA node -haStatus ENABLED -haSync ENABLED -haProp ENABLED -helloInterval 200 -deadInterval 3 -failSafe OFF

Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface logged on as the nsroot user
for this task.

• set HA node -haStatus ENABLED -haSync ENABLED -haProp ENABLED -helloInterval 200 -deadInterval 3 -failSafe OFF

Module 11
Clustering
A NetScaler Cluster is a group of NetScaler nCore systems working together as a single system
image. Each system of the cluster is called a node. A NetScaler cluster can include as few as 2 or
as many as 32 NetScaler nCore hardware or virtual systems as nodes.

The client traffic is distributed between the nodes to provide high availability, high throughput, and
scalability.

How Clustering works

A NetScaler cluster is formed by grouping NetScaler systems that satisfy requirements specified in
Hardware and Software Requirements. One of the cluster nodes is designated as a configuration
coordinator (CCO). As the name suggests, this node coordinates all cluster configurations. The
CCO also owns the cluster IP address which is the management address of the cluster. You
configure the cluster by accessing the CCO through the cluster IP address.

You cannot configure an individual node by accessing it through the NetScaler IP (NSIP) address.
Nodes accessed through the NSIP address are available in read-only mode. This means that you
can only view the configurations and the statistics.

The configurations performed through the cluster IP address are propagated to the cluster nodes
through a physical medium called the cluster backplane. The backplane is a logical grouping of
physical connections, as are the client data plane and the server data plane.

The VIP addresses that you define on a cluster are available on all the nodes of the cluster (striped
addresses). You can define MIP and SNIP addresses to be available on all nodes (striped
addresses) or only on a single node (spotted addresses). The details of traffic distribution in a
cluster depend on the algorithm used, but the same logical entities process the traffic in each case.
Traffic is distributed only to nodes that are in the ACTIVE state, both administratively and
operationally, and in the UP health state.

Exercise 11 (Configuration Utility)


Clustering
Overview
In this lab, we will create a clustered active/active pair of NetScalers by utilizing NetScaler-A and
NetScaler-B.

Step by step guidance


Step Action

1. Before we start to configure clustering, we will need to disable high availability. To do this, go to System > High Availability on NetScaler-A. Select the secondary node and click Delete. Accept the prompt to remove the selected node and remove the HA node from the remote system.

 Navigate to NetScaler – A ( 192.168.10.15 ) by typing http://192.168.10.15 in your browser

 Navigate to System > High Availability

 Select Secondary Node and Click Delete

 Accept the prompt to remove the selected node and remove the HA node from the remote system

 Navigate to NetScaler – B ( 192.168.10.17 ) by typing http://192.168.10.17 in your browser

 Navigate to System > High Availability

 Select the 192.168.10.15 Node and Click Delete

 Accept the prompt to remove the selected node and remove the HA node from the remote system

2. First, save the configuration on the NetScaler-A. To do this, go to System and click on the save icon.

You also must save the configuration on NetScaler-B. To do this, go to System and click on the save icon.

3. Navigate to NetScaler-A. We will first create a cluster node by heading to System, Cluster, Nodes and clicking Add. A prompt stating that a cluster instance must be present will pop up. Add this instance by clicking Yes.

 Navigate to NetScaler – A ( 192.168.10.15 ) by typing http://192.168.10.15 in your browser

 Navigate to System > Cluster > Nodes and Click Add

 A prompt requesting that a cluster instance must be present will popup Click Yes

Next, we will configure the cluster IP address for the cluster. Configure the cluster as below using 192.168.10.130, and be sure to select backplane interface 1/1. Continue by clicking Create.

 Leave the Default Cluster instance id* to 1

 Enter 192.168.10.130 under Cluster IP address*

 Select 1/1 interface from the drop down menu under Backplane interface*

Note: The below screenshot represents the Instance ID, not Node ID

4. A prompt will ask you to reboot before the changes take effect. Select No so that we can make one more configuration change before the reboot.

Double click on the cluster node 192.168.10.15 and change the State to PASSIVE, verify the configuration
and continue.

Head to System and click Reboot. Be sure to select Save configuration and click OK.

5. Join the NetScaler to the Cluster

After the NetScaler-A reboots, login to the newly created Cluster Management IP at http://192.168.10.130.
Here we will select continue on the configuration page, as we will set this up later.

 Navigate to Cluster Node ( 192.168.10.130 ) by typing http://192.168.10.130 in your browser

 Click Continue

6. We will add NetScaler-B to the cluster by heading to System, Cluster, Nodes, and clicking Add. Configure
this node with the NetScaler-B information below.

Both the cluster node and configuration coordinator credentials are the standard NetScaler credentials you
have been using for this lab. Once you click Create you will be asked to reboot this node, accept the
prompt and wait for the NetScaler-B to join the cluster.

 Navigate to Cluster-Node ( 192.168.10.130 ) by typing http://192.168.10.130 in your browser

 Navigate to System > Cluster > Nodes and Click Add

 Type 1 under Node id

 Enter IP address of NetScaler B – 192.168.10.17 under NetScaler IP address

 Type 1/1/1 under Backplane interface

 State leave as PASSIVE

 Type nsroot/nsroot under Cluster Node Credentials as well as Configuration Coordinator Credentials

7. Verify that both nodes are in the PASSIVE admin state and INACTIVE operational state. Also, verify the
backplane configuration.

Note: You will have to wait a few moments while NS-B reboots. During this time, click the refresh
button next to save to refresh the view.

8. Define NetScaler Subnet IP Addresses

Here we will need to recreate a Subnet IP address for the NetScaler appliance cluster. We will head to
System, Network, IPs, and click Add. Fill out IP, Netmask, and Owner for the 192.168.10.16 SNIPs. Be
sure Subnet IP is selected as the IP Type for each IP Address and Owner Node is ALL_NODES.

 Navigate to Cluster-Node ( 192.168.10.130 ) by typing http://192.168.10.130 in your browser

 Navigate to System > Network > IPs and Click Add

 Enter the Subnet IP – 192.168.10.16 under IP Address*

 Enter the 255.255.255.0 Netmask* under Netmask*

 Select Subnet IP from the drop down menu

 Verify that ALL_NODES is selected from the drop down menu under Owner Node*

9. Configuring the Cluster State to Active

Configure the state of each cluster node to ACTIVE by heading to System, Cluster, and selecting each
node. Configure the state of each to ACTIVE.

 Navigate to Cluster Node ( 192.168.10.130 ) by typing http://192.168.10.130 in your browser

 Navigate to System > Cluster > Nodes and select node 192.168.10.15 Click Edit

 Select ACTIVE from the dropdown menu under State*

 Similarly, set node 192.168.10.17 to ACTIVE

10. Verify that both the admin and operational state of each node in the cluster is ACTIVE.

Note: You may have to refresh your view to see the new state

11. Define a Linkset

Create a Linkset by heading to System, Network, and Linkset. Click Add and configure the Linkset name
LS/1 and add interfaces 1/1/1 and 0/1/1 to the configured column of the dialog. Click Create.

 Navigate to Cluster Node ( 192.168.10.130 ) by typing http://192.168.10.130 in your browser

 Navigate to System > Network > Linkset and Click Add

 Type LS/1 under Linkset*

 Add interfaces 1/1/1 and 0/1/1 to the configured column of the dialog

 Click on Create

12. Define NetScaler cluster configuration

Head to System, Settings and select Configure Modes. Configure the modes as below.

 Navigate to System > Settings and select Configure Modes

 Check the following boxes:

o Fast Ramp

o Edge Configuration

o Layer 3 Mode (IP Forwarding)

o Use Subnet IP

o Path MTU Discovery

 Click OK

13. Define NetScaler cluster load balanced virtual server

In this step, we will configure a simple load balanced server to test the cluster configuration. Below is the
final configuration of the load balanced server. You will configure this server the exact same way you
configured the load balance virtual server in the beginning of this lab. You will need to recreate the Web-
Services. You can do this by clicking the ‘+’ icon, when binding services to the VIP.

Note: You can use the CLI reference at the end of the Load Balancing module above to create the load balanced virtual server.

 Launch PuTTY command-line interface application from the virtual machine.

 Type in the IP address of the Cluster Node (192.168.10.130) and click open

 Type nsroot/nsroot at the logon prompt

 Enter the following command lines in the CLI Command

o enable ns feature LB

o add ns ip 192.168.10.125 255.255.255.0 -type VIP

o add server web-server1 192.168.10.115

o add server web-server2 192.168.10.116

o add service web-service web-server1 HTTP 80

o add service web-service1 web-server2 HTTP 80

o add lb vserver Web-VIP HTTP 192.168.10.125 80 -persistenceType COOKIEINSERT -timeout 1 -lbMethod ROUNDROBIN -cltTimeout 180

o bind lb vserver Web-VIP web-service

o bind lb vserver Web-VIP web-service1

Exercise Summary
In this exercise you have become familiar with the Citrix NetScaler clustering functionality: you configured a pair of clustered NetScalers using NetScaler-A and NetScaler-B, configured a linkset of interfaces, and created a load balanced virtual server to test the clustered NetScaler instances.

Exercise 11 (CLI Command)


Clustering
NS A & NS B

Use an SSH connection (PuTTY) to NetScaler– A (192.168.10.15) command-line interface logged on as the nsroot user
for this task.
 add cluster instance 1
 add cluster node 0 192.168.10.15 -state PASSIVE -backplane 0/1/1
 enable cluster instance 1
 save ns config
 reboot -warm
 add ns ip 192.168.10.130 255.255.255.255 -type CLIP
 show cluster instance
 show cluster node

Use an SSH connection (PuTTY) to Cluster IP (192.168.10.130) command-line interface logged on as the nsroot user for
this task.
 add cluster node 1 192.168.10.17 -state PASSIVE -backplane 1/1/1
 show cluster node
***Expect the new node to show as unknown for now.
 save ns config

Use an SSH connection (PuTTY) to NetScaler– B (192.168.10.17) command-line interface logged on as the nsroot user
for this task.
 join cluster -clip 192.168.10.130 -password nsroot
 save ns config
 reboot -warm

Use an SSH connection (PuTTY) to Cluster IP (192.168.10.130) command-line interface logged on as the nsroot user for
this task.
 show cluster node
 add ns ip 192.168.10.16 255.255.255.0 -type SNIP -ownerNode 0
 add ns ip 192.168.10.18 255.255.255.0 -type SNIP -ownerNode 1
***The first node already had the 192.168.10.16 SNIP from the earlier modules, so this step may take some tweaking.
 sh ip
 set cluster node 0 -state ACTIVE
 set cluster node 1 -state ACTIVE
 show cluster node
***Both nodes should now be ACTIVE. If a node stalls, run rm cluster on it and join cluster again.
 sh ip
 Add the linkset. CLAG and ECMP are also options, but a linkset is the easiest choice in an all-virtual lab.

Use an SSH connection (PuTTY) to Cluster IP (192.168.10.130) command-line interface logged on as the nsroot user for
this task.
 add linkset LS/1
 bind linkset LS/1 -ifnum 0/1/1
 bind linkset LS/1 -ifnum 1/1/1
 show linkset LS/1
 save ns config

Module 12
Global Server Load Balancing
Global Server Load Balancing (GSLB) directs DNS requests to the best-performing GSLB site in a
distributed internet environment. GSLB enables distribution of traffic across multiple sites, manages
disaster recovery, and ensures that applications are consistently accessible.

GSLB Concepts
GSLB is a DNS-based solution that load balances services between geographically distributed
locations. GSLB operates under many of the same general principles as load balancing, but it relies
on DNS for directing client requests.

With ordinary DNS, when a client sends a DNS request, it receives a list of IP addresses of the
domain or service. Generally, the client chooses the first IP address in the list and initiates a
connection with that server. The DNS server uses a technique called DNS round robin to cycle
through the IP addresses on the list, sending the first IP address to the end of the list and promoting
the others after it responds to each DNS request. This technique ensures equal distribution of the
load, but it does not support disaster recovery, load balancing based on load or proximity of
servers, or persistence.

When you configure GSLB and enable MEP, the NetScaler systems use the DNS infrastructure to
connect the client to the datacenter that best meets the criteria that you set. The criteria can
designate the least-loaded datacenter, the closest datacenter, the datacenter that responds most
quickly to requests from the client’s location, a combination of those metrics, or SNMP metrics. An
appliance keeps track of the location, performance, load, and availability of each datacenter and
uses these factors to select the datacenter to which a client request will be sent.

A GSLB configuration consists of a group of GSLB entities on each appliance in the configuration.
These entities include GSLB sites, GSLB services, GSLB virtual servers, load-balancing, content-
switching, or Gateway virtual servers, and ADNS services.

GSLB Entities
A GSLB configuration includes entities on the NetScaler system that direct client traffic to
applications and resources. The following items are entities in a GSLB environment.

GSLB site
A GSLB site is typically a datacenter in which a NetScaler system is located. The terms “local site”
and “remote site” refer to the site in relation to the NetScaler systems in the GSLB deployment.
Each GSLB site is managed by a NetScaler system that is local to that site. Each of these systems
treats its own site as the local site and all other sites, managed by other systems, as remote sites.

GSLB service

A GSLB service is a representation of a load-balancing or content-switching virtual server, although
it can represent any type of virtual server. The GSLB service determines how incoming traffic is
routed.

GSLB virtual server


A GSLB virtual server enables client requests to be forwarded to the appropriate GSLB site. A
GSLB virtual server is assigned one or more GSLB services and load balances the incoming traffic
among the services. The GSLB virtual server evaluates the configured GSLB methods (algorithms)
to select the appropriate service to which a client request will be sent. DNS virtual servers are only
necessary in a DNS proxy configuration. Otherwise, in an ADNS configuration, each GSLB site will
use the locally configured DNS service with mirrored static DNS records for each site in the
configuration.

Load-balancing or content-switching virtual server


Load-balancing or content-switching virtual servers load balance incoming traffic to the appropriate
server.

ADNS Service
The ADNS service accepts incoming client requests for domains for which the NetScaler system is
authoritative.

Exercise 12 (Configuration Utility)


Global Server Load Balancing
Overview
In this lab, we will create a simple Global Server Load Balance environment by utilizing both
NetScalers within this lab.

Step by step guidance


Step Action
1. Before we start to configure GSLB, we will need to disable clustering. To do this head to System, Cluster,
Nodes on Cluster IP (192.168.10.130). Select the node that is not the local node, in this case
192.168.10.17, and click Remove. Fill out the credentials and click OK to remove the node. Repeat this
step on the local node after the secondary node has been removed. Accept any warnings that appear
in this step and be sure to close the Create Cluster Node dialog box if it appears.

 Navigate to Cluster Node ( 192.168.10.130 ) by typing http://192.168.10.130 in your browser

 Navigate to System > Cluster > Nodes and Select the node that is not the local node, in this
case 192.168.10.17, and click Remove.

 Enter nsroot/nsroot for the credentials and click OK to remove the node

 Repeat this step on the local node after the secondary node has been removed

 Accept any warnings that appear in this step and be sure to close the Create Cluster Node dialog
box if it appears

2. Log in to NetScaler-A and configure the Subnet IP Address and Netmask. Verify the configuration of the NSIP and continue. Verify that the correct licenses are applied to this appliance and continue. Finally, select Done. Repeat the process on NetScaler-B; the configuration is below.

 Navigate to NetScaler – A ( 192.168.10.15 ) by typing http://192.168.10.15 in your browser

 Navigate to System > Network > IPs click Add

 Enter 192.168.10.16 under IP address*

 Enter 255.255.255.0 under Netmask*

 Under IP Type* select Subnet IP

 Navigate to NetScaler – B ( 192.168.10.17 ) by typing http://192.168.10.17 in your browser

 Navigate to System > Network > IPs click Add

 Enter 192.168.10.18 under IP address*

 Enter 255.255.255.0 under Netmask*

 Under IP Type* select Subnet IP

3. Next, we will configure the modes of both appliances. Configure the modes by heading to System,
Settings. Select Configure Modes and be sure that the modes are configured as below.

 Navigate to NetScaler – A ( 192.168.10.15 ) by typing http://192.168.10.15 in your browser

 Navigate to System > Settings > Configure Modes

 Ensure that the boxes are checked according to the screenshot shown below

 Navigate to NetScaler – B ( 192.168.10.17 ) by typing http://192.168.10.17 in your browser

 Navigate to System > Settings > Configure Modes

 Ensure that the boxes are checked according to the screenshot shown below

Next, we will need to enable GSLB on both NetScalers. To do so, we will first need to enable Load Balancing by heading to System, Settings, and clicking Configure Basic Features. From here, select Load Balancing. Do this for both NetScaler-A and NetScaler-B.

 Navigate to NetScaler – A ( 192.168.10.15 ) by typing http://192.168.10.15 in your browser

 Navigate to System > Settings > Configure Basic Features

 Check the Load Balancing box

 Navigate to NetScaler – B ( 192.168.10.17 ) by typing http://192.168.10.17 in your browser

 Navigate to System > Settings > Configure Basic Features

 Check the Load Balancing box

Next, we will need to enable Global Server Load Balancing by clicking on Configure Advanced Features.
Here we will be sure to select Global Server Load Balancing. Leave the other options as they are
configured now.

 Navigate to NetScaler – A ( 192.168.10.15 ) by typing http://192.168.10.15 in your browser


 Navigate to System > Settings > Configure Advanced Features
4. Enable management to be accessed on the subnet IP addresses. Head to System, Network, IPs, and
click on the Subnet IP that is listed. Click on Open and select Enable Management Access…

 On NetScaler A – 192.168.10.15, navigate to System > Network > IPs

 Select 192.168.10.16 (Subnet IP) and Click Edit

 Scroll down to the bottom and select Enable Management Access controls under Application
Access Controls tab.

 On NetScaler B – 192.168.10.17, navigate to System > Network > IPs

 Select 192.168.10.18 (Subnet IP) and Click Edit

 Scroll down to the bottom and select Enable Management Access controls under Application
Access Controls tab.

5. Define GSLB Sites

While logged into NetScaler-A, configure a GSLB Site for both NetScalers, NS-A and NS-B. Be sure to set the Type to either Remote or Local depending on which NetScaler you are currently configuring. To do so, head to Traffic Management, GSLB, Sites. The remaining configuration can be found in the two images below (the pictures are provided for NetScaler-A).

 Navigate to NetScaler – A ( 192.168.10.15 ) by typing http://192.168.10.15 in your browser

 Navigate to Traffic Management > GSLB > Sites and then click Add

 Type NS-A in the Name field

 Select LOCAL from the Type drop-down menu

 Type 192.168.10.16 in the Site IP Address field

 Type 192.168.10.16 in the Public IP Address field

 Click Create

 Navigate to Traffic Management > GSLB > Sites and then click Add

 Type NS-B in the Name field

 Select REMOTE from the Type drop-down menu

 Type 192.168.10.18 in the Site IP Address field

 Type 192.168.10.18 in the Public IP Address field

 Click Create

Note: The NS-B Site Metric MEP Status will show as down until NS-B Site is configured on a
remote GSLB Site

 Navigate to NetScaler – B ( 192.168.10.17 ) by typing http://192.168.10.17 in your browser

 Navigate to Traffic Management > GSLB > Sites and then click Add

 Type NS-A in the Name field


6. Define Load Balancing Service for NetScaler-A

While logged in to NetScaler-B, define a Load Balance Server to utilize within the GSLB configurations
that will occur in the next step. To do so head to Traffic Management, Load Balancing, Servers and
click Add. Configure the WebServer Name and IP Address.

 Navigate to NetScaler – B ( 192.168.10.17 ) by typing http://192.168.10.17 in your browser

 Navigate to Traffic Management > Load Balancing > Servers and Click Add

 Type WebServer under the Server Name* Field

 Enter 192.168.10.115 under IP Address

7. Define GSLB Configuration on NetScaler-B

While logged in to NetScaler-B begin to configure GSLB by heading to Traffic Management, GSLB.
Select the GSLB, Virtual Servers

 Navigate to Traffic Management > GSLB > Virtual Servers and Click Add

 Define the Domain Name as www.webserver.com. Verify the additional settings.

 Verify that DNS Record Type* is A

 Verify that Service Type* is HTTP

8.  Verify the default GSLB parameters and continue.

 Set Persistence* to NONE

 Add the Domain binding from the menu on the right.

 Use www.webserver.com as the Domain Name

9.  Under the GSLB Services click on the Add button to begin to configure a service under local site.

o Navigate to Traffic Management > GSLB > Services and Click Add

o Type 192.168.10.125_gslb_srvc

o Select NS-B from the Site Name* drop down menu

o Type* is IP Based

o Service Type* HTTP

o Port* 80

 Create a new Virtual Server for this Service by clicking the Virtual Server icon next to the
drop-down list.

 Under the Create Virtual Server dialog, define the WebVIP Name, IP Address as 192.168.10.125
and port as 80. Select Add under Services to create a new service for this Virtual Server.

o Type WebVIP under Name*

o Enter 192.168.10.125 under IP Address*

o Ensure Port is 80 and Protocol is HTTP

o Click OK

10.  Define the new service’s name as WebService, be sure that WebServer is the Server selected
and the port and protocol are 80 and HTTP, and finally ensure TCP default monitor is bound.

o Navigate to Traffic Management > Load Balancing > Services and Click Add

o Type webservice under Service Name*

o Select WebServer from the drop down menu

o Ensure protocol is HTTP and Port* is 80

11.  Configure the Load Balancing Method as Round Robin, and Persistence as COOKIEINSERT with
Time-out set to 1 min under the Method and Persistence tabs. Finally click done.

o Navigate to Traffic Management > Load Balancing > Virtual Servers

o Select WebVIP and Click Edit

o Click on “0 Load Balancing Virtual Server Service Binding”

o Select webservice and Bind

o Add Method tab from the right pane under advanced and set Load Balancing Method
as Round Robin

o Add Persistence from the right pane under advanced and set Persistence to
COOKIEINSERT Time-out to 1 min

 Verify the service configuration for NS-B and click done.

o Navigate to Traffic Management > GSLB > Services and ensure that “192.168.10.125_gslb_srvc” shows green.

 Verify the configuration under NS-B

12.  While still logged in to NetScaler-B, create the Remote Service for NS-A. Configure the Service
IP as 192.168.10.126 and the Port as 80.

o Navigate to Traffic Management > GSLB > Services and Click Add

o Type 192.168.10.126_gslb_srvc

o Select NS-A from the Site Name* drop down menu

o Site Type is REMOTE

o Type* is IP Based

o Service Type is HTTP

o Port* 80

o Select New Server and Type 192.168.10.126

 Bind the GSLB services to the GSLB Virtual Server www.webserver.com

o Navigate to Traffic Management > GSLB > Virtual Servers

o Add Service from the right pane under Advanced and Click on “0 GSLB Virtual
Server to GSLBService Bindings”

Note: The 192.168.10.126_gslb_srvc might show down at first until you configure the service on
NS-A

13. Define Load Balancing Server for NetScaler-B

While logged in to NS-B, define a Load Balance Server to utilize within the GSLB configurations that will
occur in the next step. To do so head to Traffic Management, Load Balancing, Servers and click Add.
Configure the WebServer1 Name and IP Address. Click Create and then Close.

 Navigate to NetScaler – B ( 192.168.10.17 ) by typing http://192.168.10.17 in your browser

 Navigate to Traffic Management > Load Balancing > Servers and Click Add

 Type WebServer1 under the Server Name* Field

 Enter 192.168.10.116 under IP Address

14. Define GSLB Configuration on NetScaler-A

While logged in to NetScaler-A begin to configure GSLB by heading to Traffic Management, GSLB.
Select Virtual Servers. Add, and define the Domain Name as www.webserver.com. Verify the additional
configuration below.

 Navigate to Traffic Management > GSLB > Virtual Servers and Click Add

 Define the Domain Name as www.webserver.com. Verify the additional settings.

 Verify that DNS Record Type* is A

 Verify that Service Type* is HTTP

 Add the Domain binding from the right side menu

 Use www.webserver.com for the Domain Name

15. Accept the default GSLB Parameters and begin to configure the GSLB services. Click Services and configure the Service IP as 192.168.10.125 and the Port as 80. Click Create.

 Navigate to Traffic Management > GSLB > Services and Click Add

 Type 192.168.10.125_gslb_srvc

 Select NS-B from the Site Name* drop down menu

 Site Type is REMOTE

 Type* is IP Based

 Service Type is HTTP

 Port* 80

 Select New Server and Type 192.168.10.125

 Click OK

16. Add a new service for NS-A. Configure the Service IP and Port as 192.168.10.126 and 80 and click on
the new virtual server icon.

 Navigate to Traffic Management > GSLB > Services and Click Add

 Type 192.168.10.126_gslb_srvc

 Select NS-A from the Site Name* drop down menu

 Site Type is LOCAL

 Type* is IP Based

 Service Type is HTTP

 Port* 80

 Create a new Virtual Server for this Service by clicking the Virtual Server icon next to the
drop-down list.

17. Configure the Web-Vip’s name, IP Address, and port as below. Click on the Add button under
Services to create a new Service.

 Under the Create Virtual Server dialog, define the Web-Vip Name, IP Address as 192.168.10.126
and port as 80. Select Add under Services to create a new service for this Virtual Server.

o Type Web-Vip under Name*

o Enter 192.168.10.126 under IP Address*

o Ensure Port is 80 and Protocol is HTTP

o Click OK

 Configure the WebService1 name, verify the Server configuration, configure the Protocol and Port, and finally ensure the default TCP monitor is bound and click Done.

o Navigate to Traffic Management > Load Balancing > Services and Click Add

o Type webservice1 under Service Name*

o Select WebServer1 from the drop down menu

o Ensure protocol is HTTP and Port* is 80

18. Configure the Load Balancing Method as Round Robin, and Persistence to COOKIEINSERT with
Time-out set to 1min under the Method and Persistence tab. Finally click done.

 Navigate to Traffic Management > Load Balancing > Virtual Servers

 Select Web-Vip and Click Edit

 Click on “0 Load Balancing Virtual Server Service Binding”

 Select webservice1 and Bind

 Add Method tab from the right pane under advanced and set Load Balancing Method as Round
Robin

 Add Persistence from the right pane under advanced and set Persistence to COOKIEINSERT
Time-out to 1 min

 Verify the Service configuration and click done.

 Bind the GSLB Services to the GSLB Virtual Server www.webserver.com

o Navigate to Traffic Management > GSLB > Virtual Servers

o Click on www.webserver.com and Click Edit

o Add the Service tab on the right hand side pane under Advanced

o Click “No GSLB Virtual Server to GSLBService Binding”

o Click on Select Service*

o Bind both services; one at a time

19. Define ADNS Service

Login to NetScaler B (192.168.10.17) and create an ADNS service so that we can test our GSLB
configurations on the client machine. To do this head to Traffic Management, Load Balancing, Services
and click Add. Configure the Service Name as DNS, the Server as 192.168.10.135, the Protocol as
ADNS, and the Port as 53.

 Navigate to Traffic Management > Load Balancing > Services

 Click Add

 Type DNS under Service Name* Field

 Select New Server and Enter 192.168.10.135 under IP address

 Select ADNS from the Protocol* drop down menu

 Click Ok

20. Configure the Client’s DNS

On the client machine, configure the newly created DNS server (192.168.10.135) as the preferred DNS server.

 Navigate to the Start Menu on your machine

 Type ncpa.cpl and hit enter

 Double Click “Local Area Connection”

 Click on Properties

 Double Click “Internet Protocol Version 4 (TCP/IPv4)”

 Change the DNS server address to 192.168.10.135

21. Verify the GSLB Configuration using the GSLB Visualizer

Head to the main GSLB page by going to Traffic Management, GSLB. Open the GSLB Visualizer by
clicking GSLB Visualizer under Settings

View the GSLB configuration.

22. Verify GSLB Connectivity using Ping and a Web Browser

Open the Windows command prompt and run ping www.webserver.com. You should see replies from either 192.168.10.125 or 192.168.10.126. Wait a few moments and try again. You should see the GSLB Round Robin LB method change your DNS resolution to the other server.

Test your GSLB configuration via Internet Explorer. Open an Internet Explorer window and browse to www.webserver.com.
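The same check can be scripted instead of relying on ping, whose cached resolution can hide a change. The script below is an added example written for this guide (not lab or NetScaler code): it builds a DNS A query for www.webserver.com in plain RFC 1035 wire format, sends it to the ADNS service on 192.168.10.135 and reports the address and TTL the GSLB vserver answers with (TTL 5 is the value bound in the CLI listing). The response builder only stands in for the ADNS service so the parser can be exercised offline.

```python
"""Query the ADNS/GSLB vserver for an A record and read back the answer.

Added example for the GSLB verification step; not NetScaler code. Only the
domain, the ADNS address and the TTL are taken from the lab; build_response
is a constructed stand-in for the ADNS service used for offline testing.
"""
import socket
import struct

LAB_DOMAIN = "www.webserver.com"
LAB_ADNS = "192.168.10.135"
LAB_TTL = 5


def encode_name(name):
    """Encode 'www.webserver.com' as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Standard query (recursion desired) for an A record, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(data):
    """Return header fields and every A record in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):                                # skip the question(s)
        _name, offset = decode_name(data, offset)
        offset += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append({"name": name, "ttl": ttl, "ip": socket.inet_ntoa(rdata)})
    return {"id": txid, "rcode": flags & 0x000F,
            "authoritative": bool(flags & 0x0400), "answers": answers}


def build_response(query, ip, ttl=LAB_TTL):
    """Constructed authoritative answer, standing in for the ADNS service."""
    txid = struct.unpack("!H", query[:2])[0]
    _qname, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    # NAME is a pointer (0xC00C) back to the question name at offset 12.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def resolve(name, server=LAB_ADNS, port=53, timeout=2.0):
    """Send the query over UDP to the ADNS service and parse the reply (network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(512)
    reply = parse_response(data)
    if reply["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return reply


if __name__ == "__main__":
    # Offline demonstration; on the lab client call resolve(LAB_DOMAIN) instead.
    demo = build_response(build_query(LAB_DOMAIN), "192.168.10.125")
    print(parse_response(demo))
```

Run resolve(LAB_DOMAIN) a few times on the lab client and the returned ip should alternate between the two GSLB services once the TTL of 5 seconds has expired.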

Exercise Summary
In this exercise you have become familiar with the Citrix NetScaler GSLB functionality by configuring Global Server Load Balancing across a pair of NetScalers, NetScaler-A and NetScaler-B.

Exercise 12 (CLI Command)
Global Server Load Balancing
Use an SSH connection (PuTTY) to NetScaler– A (192.168.10.15) command-line interface logged on as the nsroot user
for this task.

 add ns ip 192.168.10.16 255.255.255.0 -type SNIP -arp ENABLED -icmp ENABLED -vServer ENABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -state ENABLED -icmpResponse NONE -ownerNode 255 -arpResponse NONE

 enable ns mode FR L3 Edge USNIP

 disable ns mode L2 USIP CKA TCPB MBF SRADV DRADV IRADV SRADV6 DRADV6

 enable ns feature LB CS SSL AAA

 enable ns feature LB CS AAA

 enable ns feature CS AAA

 enable ns feature AAA

 disable ns feature CMP CF IC SSLVPN REWRITE AppFw

 disable ns feature CF IC SSLVPN REWRITE AppFw

 disable ns feature IC SSLVPN REWRITE AppFw

 disable ns feature SSLVPN REWRITE AppFw

 disable ns feature SSLVPN AppFw

 disable ns feature AppFw

 enable ns feature GSLB

 set ns ip 192.168.10.16 -netmask 255.255.255.0 -arp ENABLED -icmp ENABLED -vServer DISABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -hostRoute DISABLED -icmpResponse NONE -arpResponse NONE

 add gslb site NS-A LOCAL 192.168.10.16 -publicIP 192.168.10.16 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS

 add gslb site NS-B REMOTE 192.168.10.18 -publicIP 192.168.10.18 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS

 add gslb vserver www.webserver.com HTTP -dnsRecordType A -lbMethod LEASTCONNECTION -persistenceType NONE -persistMask 255.255.255.255 -v6persistmasklen 128 -timeout 2 -MIR DISABLED -disablePrimaryOnDown DISABLED -dynamicWeight DISABLED -state ENABLED -considerEffectiveState NONE -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -appflowLog DISABLED

 bind gslb vserver www.webserver.com -domainName www.webserver.com -TTL 5 -cookieTimeout 0

 add gslb service 192.168.10.125_gslb_srvc 192.168.10.125 HTTP 80 -publicIP 192.168.10.125 -siteName NS-B
-state ENABLED -cip DISABLED -sitePersistence NONE -cookieTimeout 0 -maxBandwidth 0 -maxAAAUsers 0 -
monThreshold 0 -appflowLog ENABLED

| 133 |
 add gslb service 192.168.10.126_gslb_srvc 192.168.10.126 HTTP 80 -publicIP 192.168.10.126 -publicPort 80 -
siteName NS-A -state ENABLED -cip DISABLED -sitePersistence NONE -cookieTimeout 0 -maxBandwidth 0 -
maxAAAUsers 0 -monThreshold 0 -appflowLog ENABLED

 add lb vserver Web-VIP HTTP 192.168.10.126 80 -range 1 -timeout 2 -backupPersistenceTimeout 2 -lbMethod LEASTCONNECTION -rule none -Listenpolicy none -resRule none -persistMask 255.255.255.255 -v6persistmasklen 128 -pq OFF -sc OFF -m IP -sessionless DISABLED -state ENABLED -connfailover DISABLED -cacheable NO -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -healthThreshold 0 -redirectPortRewrite DISABLED -downStateFlush ENABLED -IPMapping 0.0.0.0 -disablePrimaryOnDown DISABLED -insertVserverIPPort OFF -push DISABLED -pushLabel none -pushMultiClients NO -l2Conn OFF -appflowLog ENABLED -icmpVsrResponse PASSIVE -RHIstate PASSIVE

 add server webserver1 192.168.10.116 -state ENABLED

 add service webservice1 webserver1 HTTP 80 -cacheable NO -pathMonitor NO -pathMonitorIndv NO -sc OFF -
rtspSessionidRemap OFF -CustomServerID None -maxBandwidth 0 -accessDown NO -state ENABLED -
downStateFlush ENABLED -IPMapping 0.0.0.0 -appflowLog ENABLED -td 0 -processLocal DISABLED

 bind lb vserver Web-VIP webservice1

 set lb vserver Web-VIP -IPAddress 192.168.10.126 -IPPattern 0.0.0.0 -IPMask * -persistenceType COOKIEINSERT -timeout 1 -persistenceBackup NONE -backupPersistenceTimeout 2 -lbMethod ROUNDROBIN -persistMask 255.255.255.255 -v6persistmasklen 128 -pq OFF -sc OFF -rtspNat OFF -m IP -dataOffset 0 -sessionless DISABLED -connfailover DISABLED -cacheable NO -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -healthThreshold 0 -redirectPortRewrite DISABLED -downStateFlush ENABLED -insertVserverIPPort OFF -disablePrimaryOnDown DISABLED -push DISABLED -pushLabel none -pushMultiClients NO -l2Conn OFF -oracleServerVersion 10G -appflowLog ENABLED

 bind gslb vserver www.webserver.com -serviceName 192.168.10.125_gslb_srvc

 bind gslb vserver www.webserver.com -serviceName 192.168.10.126_gslb_srvc

 add service DNS 192.168.10.135 ADNS 53 -cacheable NO -pathMonitor NO -pathMonitorIndv NO -sc OFF -
rtspSessionidRemap OFF -CustomServerID None -maxBandwidth 0 -accessDown NO -state ENABLED -
downStateFlush ENABLED -IPMapping 0.0.0.0 -appflowLog ENABLED -td 0 -processLocal DISABLED

 Refer to Step 20 above to set up the client's DNS

Use an SSH connection (PuTTY) to the NetScaler-B (192.168.10.17) command-line interface, logged on as the nsroot user,
for this task.

 add ns ip 192.168.10.18 255.255.255.0 -type SNIP -arp ENABLED -icmp ENABLED -vServer ENABLED -telnet
ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -
restrictAccess DISABLED -dynamicRouting DISABLED -state ENABLED -icmpResponse NONE

 enable ns mode FR L3 Edge USNIP

 disable ns mode L2 USIP CKA TCPB MBF SRADV DRADV IRADV SRADV6 DRADV6

 enable ns feature LB SSL

 enable ns feature LB

 disable ns feature CS CMP CF IC SSLVPN AAA REWRITE AppFw

 disable ns feature CS CF IC SSLVPN AAA REWRITE AppFw

 disable ns feature CF IC SSLVPN AAA REWRITE AppFw

| 134 |
 disable ns feature IC SSLVPN AAA REWRITE AppFw

 disable ns feature SSLVPN AAA REWRITE AppFw

 disable ns feature SSLVPN AAA AppFw

 disable ns feature AAA AppFw

 disable ns feature AppFw

 enable ns feature GSLB

 set ns ip 192.168.10.18 -netmask 255.255.255.0 -arp ENABLED -icmp ENABLED -vServer DISABLED -telnet
ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -
restrictAccess DISABLED -dynamicRouting DISABLED -hostRoute DISABLED -icmpResponse NONE -
arpResponse NONE

 add gslb site NS-A REMOTE 192.168.10.16 -publicIP 192.168.10.16 -metricExchange ENABLED -
nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS

 add gslb site NS-B LOCAL 192.168.10.18 -publicIP 192.168.10.18 -metricExchange ENABLED -
nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS

 add lb vserver WebVip HTTP 192.168.10.125 80

 add server WebServer 192.168.10.115 -state ENABLED

 add service webservice WebServer HTTP 80

 bind lb vserver WebVip webservice

 add gslb service 192.168.10.125_gslb_srvc 192.168.10.125 HTTP 80 -publicIP 192.168.10.125 -publicPort 80 -siteName NS-B -state ENABLED -cip DISABLED -sitePersistence NONE -cookieTimeout 0 -maxBandwidth 0 -maxAAAUsers 0 -monThreshold 0 -appflowLog ENABLED

 add gslb service 192.168.10.126_gslb_srvc 192.168.10.126 HTTP 80 -publicIP 192.168.10.126 -siteName NS-A
-state ENABLED -cip DISABLED -sitePersistence NONE -cookieTimeout 0 -maxBandwidth 0 -maxAAAUsers 0 -
monThreshold 0 -appflowLog ENABLED

 add gslb vserver www.webserver.com HTTP -dnsRecordType A -lbMethod LEASTCONNECTION -persistenceType NONE -persistMask 255.255.255.255 -v6persistmasklen 128 -timeout 2 -MIR DISABLED -disablePrimaryOnDown DISABLED -dynamicWeight DISABLED -state ENABLED -considerEffectiveState NONE -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -appflowLog DISABLED

 bind gslb vserver www.webserver.com -domainName www.webserver.com -TTL 5 -cookieTimeout 0

 bind gslb vserver www.webserver.com -serviceName 192.168.10.126_gslb_srvc

 bind gslb vserver www.webserver.com -serviceName 192.168.10.125_gslb_srvc

 add server WebServer1 192.168.10.116 -state ENABLED
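A way to verify the ADNS service from a client once both sites are configured, as an added example that is not part of the lab guide or of NetScaler: this Python script builds the DNS A query that a client (or `dig @192.168.10.135 www.webserver.com`) would send, parses the reply, and checks that the answer is one of the two GSLB service public IPs and carries the TTL of 5 bound to the domain. The reply bytes produced by build_sample_response are constructed for the offline run, not captured from a NetScaler; query_adns sends a live query to 192.168.10.135 only if you run it inside the lab.

```python
"""Offline check of what the GSLB ADNS service should answer for www.webserver.com.

Added example (not lab or NetScaler code). Builds a wire-format DNS A query, parses
a response, and verifies it against the lab's GSLB configuration: the A record must
be one of the two site public IPs and carry the TTL 5 bound with
`bind gslb vserver www.webserver.com -domainName www.webserver.com -TTL 5`.
"""
import socket
import struct

GSLB_DOMAIN = "www.webserver.com"
EXPECTED_IPS = {"192.168.10.125", "192.168.10.126"}  # gslb service public IPs
EXPECTED_TTL = 5                                     # -TTL 5 on the domain binding


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query: 12-byte header + QNAME + QTYPE A + QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; returns (name, offset after the name)."""
    labels, jumped, next_off = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                next_off = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    if not jumped:
        next_off = off
    return ".".join(labels), next_off


def parse_a_answers(msg: bytes):
    """Return [(name, ttl, ip)] for every A record in the answer section."""
    _txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                                # RCODE other than NOERROR
        raise ValueError(f"DNS error rcode={flags & 0xF}")
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return answers


def check_gslb_answer(msg: bytes) -> bool:
    """True if the reply is one A record for the GSLB domain with the lab's TTL and IPs."""
    answers = parse_a_answers(msg)
    return (len(answers) == 1
            and answers[0][0] == GSLB_DOMAIN
            and answers[0][1] == EXPECTED_TTL
            and answers[0][2] in EXPECTED_IPS)


def build_sample_response(ip: str, ttl: int = EXPECTED_TTL, txid: int = 0x1234) -> bytes:
    """Constructed reply in the shape the ADNS service sends (not captured from a NetScaler)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    question = build_a_query(GSLB_DOMAIN, txid)[12:]
    answer = (b"\xc0\x0c"                              # pointer to QNAME at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + socket.inet_aton(ip))
    return header + question + answer


def query_adns(server: str = "192.168.10.135", timeout: float = 2.0) -> bytes:
    """Live query to the lab ADNS service; needs network access to the lab."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(GSLB_DOMAIN), (server, 53))
        return s.recv(512)


if __name__ == "__main__":
    sample = build_sample_response("192.168.10.126")
    print(parse_a_answers(sample), check_gslb_answer(sample))
```

Run it repeatedly against the live ADNS service and the answers should alternate between the two site IPs as LEASTCONNECTION selects sites; a TTL other than 5 or an IP outside the two services means the domain binding or a gslb service was entered wrongly.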

| 135 |
Exercise 13 (Bonus)
Bonus Configure GSLB for WebGoat
Overview
In this exercise you will configure GSLB for WebGoat using the www.webgoat.com GSLB domain.

Step by step guidance


Step Action
1. Configure GSLB for WebGoat using the www.webgoat.com GSLB Domain. Remember that WebGoat is
running on port 8080. The GSLB Visualizer should look like this when you are finished.

| 136 |
Module 14
Admin Partitions
The NetScaler ADC provides an infrastructure called admin partitions that can be used to logically
partition a NetScaler ADC.

Each admin partition:

 Has its own NetScaler configurations.
 Has its own administrators and users. Only users associated with a partition or a system
superuser can access and update the configurations.
 Uses a subset of NetScaler system resources such as bandwidth, connection pools, and
memory.
 Handles traffic that is specific to that partition.

This means that each admin partition can function as a logical NetScaler ADC.

The following graphical representation shows a NetScaler ADC as a multi-tenant platform that can
be used to service multiple customers, departments, or applications.

| 137 |
Exercise 14 (Configuration Utility)
Admin Partitions
Step by step guidance
Step Action
1. Create users for Admin Partitions

 Navigate to NetScaler A – 192.168.10.15 by typing http://192.168.10.15 in your browser
 Navigate to Configuration > System > User Administration and select Users
 Click on Add

| 138 |
2.  Add 2 users with user names Admin-A, and Admin-B. Set both passwords to password1. You can
also add the CLI Prompt as shown below. Click Save to save the user creation, and Done to finish.

o Type Admin-A under User Name*

o Type password1 under Password*

o Type password1 under Confirm Password*

o Type Company-A under CLI Prompt

o Click Save

o Click Done

o Type Admin-B under User Name*

o Type password1 under Password*

o Type password1 under Confirm Password*

o Type Company-B under CLI Prompt

o Click Save

o Click Done

| 139 |
3. Create the Admin Partitions

 Navigate to Configuration > System > Partition Administration > Partitions and click Configure

 Add the Partition with the configuration settings below, and click Continue

o Type Company-A under the Names Field

o Type 5120 under Minimum Bandwidth (Kbps)

o Leave the default settings for the rest

 Click Continue on the Network Isolation page to accept No VLAN or Bridgegroup

| 140 |
4.  Bind user Admin-A to the Company-A partition by expanding Users and clicking Insert. Click
Save and Done to complete

o Click on No User

o Click insert

o Select Admin-A and click Insert

| 141 |
5.  Create a second partition, Company-B, by repeating the same steps as for Company-A. Remember to
bind the Admin-B user to the Company-B partition.

o Type Company-B under the Names Field

o Type 5120 under Minimum Bandwidth (Kbps)

o Leave the default settings for the rest

o Click Continue on the Network Isolation page to accept No VLAN or Bridgegroup

o Bind user Admin-B to the Company-B partition by expanding Users and clicking Insert.
Click Save and Done to complete

o Click on No User

o Click insert

o Select Admin-B and click Insert

 You have now created 2 partitions. Next we will configure these partitions independently with their
own settings. To do this, first switch to the Company-A partition: navigate to the partition menu
at the top of the screen and select Company-A.

 Click Yes to confirm the submission

| 142 |
6.  Navigate to Configuration > System > Settings, and select Configure Modes

 Select only User Source IP, and MAC Based Forwarding, click OK

| 143 |
7.  Now while under Configuration > System > Settings select Configure Basic Features

 Select SSL Offload, and Load Balancing, click OK

 Navigate to Configuration > Traffic Management, and expand. Note that Load Balancing, and SSL
Offload are enabled and Content Switching is not.

| 144 |
8.  Navigate back up to the Partitions menu and switch to Partition Company-B, click Yes again to
confirm the submission.

 Navigate to Configuration > System > Settings, and select Configure Modes.

 Note that the modes configured by default differ from the ones we selected in the Company-A partition.
Let's leave these defaults.

| 145 |
9.  Now while under Configuration > System > Settings select Configure Basic Features

 This time, since we are in the Company-B partition, select SSL Offload and Content
Switching. Click OK

Exercise Summary
In this exercise you have created 2 users for the purpose of owning partitions, created 2
independent partitions and bound a separate user to each, and configured the
partitions independently of each other with different settings.

| 146 |
Exercise 14 (CLI Command)
Admin Partitions
Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface, logged on as the nsroot user,
for this task.

 add system user Admin-A 'password1' -externalAuth DISABLED -promptString Company-A -timeout 900 -logging DISABLED

 add system user Admin-B 'password1' -externalAuth DISABLED -promptString Company-B -timeout 900 -logging DISABLED

 add ns partition Company-A -maxBandwidth 5120 -minBandwidth 10240 -maxConn 1024 -maxMemLimit 10

 bind system user Admin-A 0 -partitionName Company-A

 add ns partition Company-B -maxBandwidth 5120 -minBandwidth 10240 -maxConn 1024 -maxMemLimit 10

 bind system user Admin-B 0 -partitionName Company-B

In partition A

 switch ns partition Company-A

 enable ns mode USIP MBF

 disable ns mode FR L2 L3 CKA TCPB Edge USNIP

 enable ns feature SSL

 disable ns feature LB CS CMP REWRITE

 disable ns feature LB CS REWRITE

 disable ns feature CS REWRITE

 disable ns feature REWRITE

 enable ns feature LB SSL

 enable ns feature LB

 disable ns feature CS CMP REWRITE

 disable ns feature CS REWRITE

 disable ns feature REWRITE

In Partition B

 switch ns partition Company-B

 stat ns partition

 enable ns mode FR L3 Edge USNIP PMTUD

 disable ns mode L2 USIP CKA TCPB MBF

 enable ns feature CS

 disable ns feature LB CMP REWRITE

 disable ns feature LB REWRITE

| 147 |
 disable ns feature REWRITE

 Refer to Steps 7, 8 and 9 to verify that the configuration works

| 148 |
Exercise 15
Bonus Admin Partitions
Overview
In this exercise, create a third user and partition. Configure this partition with the following settings:
 5120 kbps Minimum Bandwidth
 Use Source IP only
 SSL offload, Load Balancing, and Content switching

| 149 |
Module 16
Data Stream
Overview
The NetScaler® DataStream™ feature provides an intelligent mechanism for request switching at
the database layer by distributing requests based on the SQL query being sent.

When deployed in front of database servers, a NetScaler ensures optimal distribution of traffic from
the application servers and Web servers. Administrators can segment traffic according to
information in the SQL query and on the basis of database names, usernames, character sets, and
packet size.

You can either configure load balancing to switch requests based on load balancing algorithms, or
elaborate the switching criteria by configuring content switching to make the decision based on
SQL query parameters. You can further configure monitors to track the state of the database servers.

Note: NetScaler DataStream is supported only for MySQL and MS SQL databases. For information
about the supported protocol version, character sets, special queries, and transactions, see the
Appendix NetScaler DataStream Reference.

| 150 |
Exercise 16 (Configuration Utility)
Data Stream
Overview
The demo environment consists of 2 SQL Server instances replicating an OLTP (Online
Transactional Processing) and DW (Data Warehouse) database setup.

Many organizations use this type of setup to capture and process data efficiently: the OLTP
database is used primarily for transactional SQL operations (creates, updates, inserts), and the
DW database is used to store the data in a proper schema so that it can be queried quickly.

It is extremely important for organizations to be able to understand their data. With many features
released by Microsoft to help DBA’s (Database Administrators) with this scenario, these features
are typically structured in a tiered licensing model, which can be expensive and complex to deploy.

The Citrix NetScaler DataStream feature is included in all editions of NetScaler. DataStream can
improve database performance by understanding the SQL transactions and switching
the content dynamically to the appropriate database. At the same time, by default it manipulates the TDS
protocol to enable SQL Server-side connection multiplexing, reducing SQL Server overhead and
shortening transaction times.

Step by step guidance


Step Action
1.  Navigate to NetScaler A – 192.168.10.15 by typing http://192.168.10.15 in your browser
 Navigate to System > User Administration > Database Users
 Add the user that you have used to create the SQL server databases.
o Username: dsu
o Password: Password1

| 151 |
2. Add 2 Database Servers
 Navigate to Traffic Management > Load Balancing > Servers
 Add your MSSQL_OLTP Server (Server Name & IP Address)
o Server Name: MSSQL_OLTP
o IP Address: 192.168.10.12
o Click Create
 Add your MSSQL_DW Server (Server Name & IP Address)
o Server Name: MSSQL_DW
o IP Address: 192.168.10.13
o Click Create

| 152 |
3. Add a Monitor

 Navigate to Traffic Management > Load Balancing > Monitors


 Add a Monitor (Name = MSSQL_mon1, Type = MSSQL-ECV)
o Click Add
o Name: MSSQL_mon1
o Type: MSSQL-ECV
 Switch tabs to ‘Special Parameters’ Tab
 Input a User Name (name must match SQL Server db username) : dsu
 Input Database : ns
 Input Query: select * from test
 Expression: MSSQL.RES.ATLEAST_ROWS_COUNT(0)
 Select the appropriate SQL Server Protocol Version from the drop down
o Select 2012
 Click Create

Note: You have now created a monitor that logs in to each SQL Server instance, runs the query against the
ns database, and evaluates the result with MSSQL.RES.ATLEAST_ROWS_COUNT(0), which is satisfied by any
successful result set (0 or more rows).

| 153 |
4. Add the SQL Server Services

 Navigate to Traffic Management > Load Balancing > Services


 Add your MSSQL_Srvc1 Service (Server Name, IP Address, Protocol, and port)
o Name: MSSQL_Srvc1
o Select Existing Server: MSSQL_OLTP (192.168.10.12)
o Port: 1433
o Protocol: MSSQL
 Add your MSSQL_Srvc2 Service (Server Name, IP Address, Protocol, and port)
o Name: MSSQL_Srvc2
o Select Existing Server: MSSQL_DW (192.168.10.13)
o Port: 1433
o Protocol: MSSQL

| 154 |
5. Bind the monitor created in the previous step to both services just created

 Navigate to Traffic Management > Load Balancing > Services


 Select MSSQL_Srvc1 and Click Edit
o Click on 1 Service to Load Balancing Monitoring Binding
o Click on Add Binding and click on Click to select
o Select MSSQL_mon1 and Bind
 Select MSSQL_Srvc2 and Click Edit
o Click on 1 Service to Load Balancing Monitoring Binding
o Click on Add Binding and click on Click to select
o Select MSSQL_mon1 and Bind

| 155 |
6. Add two load balancing virtual servers and bind each to a service

 Navigate to Traffic Management > Load Balancing > Virtual Servers


o Click on Add
o Name: MSSQL_LB_OLTP
o Protocol: MSSQL
o IP address
o select ‘Non Addressable’ from the drop down menu
o Click on No Load Balancing Virtual Server Service Binding
o Click on Click to select and bind the MSSQL_Srvc1
 Similarly navigate to Traffic Management > Load Balancing > Virtual Servers
o Click on Add
o Name: MSSQL_LB_DW
o Protocol: MSSQL
o IP address
o select ‘Non Addressable’ from the drop down menu
o Click on No Load Balancing Virtual Server Service Binding
o Click on Click to select and bind the MSSQL_Srvc2

Note: We selected ‘Non Addressable’ to demonstrate the conservation of IPv4 addresses. The Load Balancing
Virtual Servers will show an IP of 0.0.0.0. This works because users will access the VIP of the CS server, and all
communication to the Load Balancing servers is done internally.
We are also leaving the default Load Balancing ‘Method’ as ‘Least Connection’.

| 156 |
7. Add a content switch Action to NetScaler

 Navigate to Traffic Management > Content Switching > Actions


 Click Add
 Type writes under Name Field*
 Select MSSQL_LB_OLTP under Target Load Balancing Virtual Server* from the drop
down
 Click Create
 Add another Action
 Type reads under Name Field*
 Select MSSQL_LB_DW under Target Load Balancing Virtual Server* from the drop down
 Click Create

Note: You now should have 2 actions: Writes and Reads bound to the 2 Load Balancing Virtual Servers

| 157 |
8. Add a content switching policy to NetScaler
 Navigate to Traffic Management > Content Switching > Policies
 Click Add
 Type MSSQL_CS_Reads under Name*
 Select Reads from the Action drop down menu
 Under Expression enter MSSQL.REQ.QUERY.COMMAND.CONTAINS("select")
 Click Create
 Add another MSSQL_CS_Writes policy
 Click Add
 Type MSSQL_CS_Writes under Name*
 Select Writes from the Action drop down menu
 Under Expression input:
MSSQL.REQ.QUERY.COMMAND.CONTAINS("create")||MSSQL.REQ.QUERY.COMMAND.CONTAINS("insert")
 Click Create

Note: The purpose of creating these policies is to enable NetScaler to identify what is a write transaction and what
is a read transaction in the content of the SQL query

| 158 |
9. Create a Content Switching Virtual Server
 Navigate to Traffic Management > Content Switching > Virtual Servers
 Click Add
 Type MSSQL_CVS1 under Name* field
 Select ‘MSSQL’ from the ‘Protocol’ drop down
 Select ‘IP Address’ from the ‘IP Address Type’ drop down
 Input an ‘IP Address’ of 192.168.10.150 (this is the IP address that users will connect to via
a DB client such as SQL Server Management Studio)
 Input 1433 under port
 Click Continue
 Bind the 2 policies created in previous step to the Content Switching Virtual Server. You will
have to assign each binding a priority. 100, 110 will work.
o Click on No Content Switching Policy Bound
o Click on Click to select
o Select MSSQL_CS_Reads
o Enter 100 under Priority
o Click Bind
o Click on 1 Content Switching Policy Bound
o Click on Click to select
o Select MSSQL_CS_Writes
o Enter 110 under Priority
o Click Bind
o Click Ok
o Click on 0 Default Switching Policy Bound
o Click on Click to select
o Select MSSQL_LB_DW
o Enter 110 under Priority
o Click Bind
o Click Ok

Note: You now have configured a Content Switching Virtual Server that has the 2 Load Balancing Virtual Servers
bound via the Actions we also created.
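The routing decision that steps 7 to 9 build, as an added Python model that is not part of the lab guide or of NetScaler: policies are tried in priority order (100 before 110), the first true expression selects its action's LB vserver, and the default LB vserver takes everything else. It assumes MSSQL.REQ.QUERY.COMMAND yields the first keyword of the statement and CONTAINS is a substring test; NetScaler default-expression CONTAINS is case-sensitive unless SET_TEXT_MODE(IGNORECASE) is applied, so the model takes an ignore_case flag, and the uppercase CREATE DATABASE test in step 11 is worth checking against the appliance. The model also shows that UPDATE and DELETE statements match neither lab policy and fall to the default MSSQL_LB_DW; tightened_vserver is an assumed alternative, not the lab's configuration, and the sample statements are constructed.

```python
"""Model of the MSSQL_CVS1 content switching decision configured in steps 7-9.

Added example, not NetScaler code. Policies are evaluated in priority order
(100 before 110); the first policy whose expression is true selects its action's
target LB vserver, and when none matches the default LB vserver (MSSQL_LB_DW) is
used. MSSQL.REQ.QUERY.COMMAND is modelled as the first keyword of the statement
and CONTAINS as a substring test (assumptions, see the lead-in).
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed sample statements (not captured traffic).
SAMPLE_QUERIES = [
    "select * from test",
    "insert into test values (1)",
    "CREATE DATABASE NEW_TEST_DB",          # the lab's step 11 test query
    "update test set id = 2 where id = 1",  # matched by no lab policy
    "delete from test",                     # matched by no lab policy
]


def query_command(sql: str) -> str:
    """First keyword of the statement, what MSSQL.REQ.QUERY.COMMAND yields."""
    m = re.match(r"\s*([A-Za-z]+)", sql)
    return m.group(1) if m else ""


def contains(keyword: str, ignore_case: bool = False) -> Callable[[str], bool]:
    """COMMAND.CONTAINS(keyword); ignore_case models SET_TEXT_MODE(IGNORECASE)."""
    def rule(sql: str) -> bool:
        cmd = query_command(sql)
        return keyword.lower() in cmd.lower() if ignore_case else keyword in cmd
    return rule


@dataclass
class CsPolicy:
    name: str
    priority: int
    target_lb: str                 # LB vserver behind the bound cs action
    rule: Callable[[str], bool]


@dataclass
class CsVserver:
    name: str
    default_lb: str
    policies: List[CsPolicy] = field(default_factory=list)

    def route(self, sql: str) -> Tuple[str, str]:
        """Return (chosen LB vserver, name of the policy that fired or 'default')."""
        for pol in sorted(self.policies, key=lambda p: p.priority):
            if pol.rule(sql):
                return pol.target_lb, pol.name
        return self.default_lb, "default"


def lab_vserver(ignore_case: bool = False) -> CsVserver:
    """MSSQL_CVS1 with the reads/writes policies and default exactly as bound in step 9."""
    is_create, is_insert = contains("create", ignore_case), contains("insert", ignore_case)
    return CsVserver("MSSQL_CVS1", default_lb="MSSQL_LB_DW", policies=[
        CsPolicy("MSSQL_CS_Reads", 100, "MSSQL_LB_DW", contains("select", ignore_case)),
        CsPolicy("MSSQL_CS_Writes", 110, "MSSQL_LB_OLTP",
                 lambda q: is_create(q) or is_insert(q)),
    ])


WRITE_COMMANDS = {"create", "insert", "update", "delete", "drop", "alter", "truncate", "merge"}


def tightened_vserver() -> CsVserver:
    """Assumed alternative (not from the lab): match writes by an explicit keyword
    set, case-insensitively, and default unrecognised statements to the writable
    OLTP instance so they are never silently sent to the DW replica."""
    return CsVserver("MSSQL_CVS1", default_lb="MSSQL_LB_OLTP", policies=[
        CsPolicy("MSSQL_CS_Writes", 100, "MSSQL_LB_OLTP",
                 lambda q: query_command(q).lower() in WRITE_COMMANDS),
        CsPolicy("MSSQL_CS_Reads", 110, "MSSQL_LB_DW", contains("select", True)),
    ])


def route_all(vs: CsVserver, queries=SAMPLE_QUERIES):
    """[(statement, lb vserver, policy)] for every sample statement."""
    return [(q, *vs.route(q)) for q in queries]


if __name__ == "__main__":
    for label, vs in (("lab, case-sensitive", lab_vserver()),
                      ("lab, IGNORECASE", lab_vserver(ignore_case=True)),
                      ("tightened", tightened_vserver())):
        print(f"== {label} ==")
        for q, lb, pol in route_all(vs):
            print(f"{q!r:42} -> {lb:14} via {pol}")
```

The output table makes the gap visible before any traffic is sent: with the lab policies an UPDATE or DELETE is routed to MSSQL_LB_DW by the default binding, so any statement type you intend to route should have an explicit policy, and the default should be the instance that can safely absorb whatever is left.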

| 159 |
10. How to demonstrate Content Switching using SQL queries via Microsoft SQL Server Management Studio:

Add all 3 instances to SSMS (SQL Server Management Studio) using the database user created and added to NetScaler:
the first instance, the second instance, and the Content Switching Virtual Server. Ignore any warning such as the one shown.

 Navigate to and launch SSMS (SQL Server Management Studio).

Note: You will find the application on your desktop

 Under Server name enter the IP address of MSSQL_OLTP which is 192.168.10.12

 Select SQL Server Authentication from the Drop Down Menu

 Type dsu in the Login Field

 Type Password1 in the Password Field

 Click Ok

 Similarly Add, MSSQL_DW – 192.168.10.13 and Content Switch Server – 192.168.10.150.

 Launch a new query: right click on the Content Switching Virtual Server and select ‘New Query’
| 160 |
 To test the ‘reads’ Policy use the following query:
11. Launch a new query

 Right Click on the Content Switching Virtual Server, and select ‘New Query’

 To test the ‘writes’ policy use the following query:

 CREATE DATABASE NEW_TEST_DB

Note: This query is designed to create a database on the appropriate server. The Database name is
“NEW_TEST_DB”

To demonstrate that it is working as expected, navigate to the GIM_OLTP database instance and expand the database catalog.
You will note that the new database now exists in this instance, because that is where the write policy is bound
to.

Exercise Summary
In this exercise you have familiarized yourself with DataStream for MS SQL Server, created and
configured database load balancing and content switching, and worked with MS SQL Server
database tools.

| 161 |
Exercise 16 (CLI Command)
Data Stream
Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface, logged on as the nsroot user,
for this task.

 add db user dsu -password 'Password1'

 add server MSSQL_OLTP 192.168.10.12 -state ENABLED

 add server MSSQL_DW 192.168.10.13 -state ENABLED

 add lb monitor MSSQL_mon1 MSSQL-ECV -userName dsu -LRTM DISABLED -resptimeoutThresh 0 -retries 3 -failureRetries 0 -alertRetries 0 -successRetries 1 -IPMapping 0.0.0.0 -state ENABLED -reverse NO -transparent NO -ipTunnel NO -tos NO -secure NO -database ns -sqlQuery "select * from test" -evalRule "MSSQL.RES.ATLEAST_ROWS_COUNT(0)" -mssqlProtocolVersion 2012 -storedb DISABLED

 add service MSSQL_Srvc1 MSSQL_OLTP MSSQL 1433 -cacheable NO -pathMonitor NO -pathMonitorIndv NO -sc OFF -rtspSessionidRemap OFF -CustomServerID None -maxBandwidth 0 -accessDown NO -state ENABLED -downStateFlush ENABLED -IPMapping 0.0.0.0 -appflowLog ENABLED -td 0 -processLocal DISABLED

 bind service MSSQL_Srvc1 -monitorName MSSQL_mon1 -monState ENABLED

 add service MSSQL_Srvc2 MSSQL_DW MSSQL 1433 -cacheable NO -pathMonitor NO -pathMonitorIndv NO -sc OFF -rtspSessionidRemap OFF -CustomServerID None -maxBandwidth 0 -accessDown NO -state ENABLED -downStateFlush ENABLED -IPMapping 0.0.0.0 -appflowLog ENABLED -td 0 -processLocal DISABLED

 bind service MSSQL_Srvc2 -monitorName MSSQL_mon1 -monState ENABLED

 add lb vserver MSSQL_LB_DW MSSQL -IPPattern 0.0.0.0 -IPMask * 0 -range 1 -timeout 2 -backupPersistenceTimeout 2 -lbMethod LEASTCONNECTION -rule none -Listenpolicy none -resRule none -persistMask 255.255.255.255 -v6persistmasklen 128 -pq OFF -sc OFF -m IP -sessionless DISABLED -state ENABLED -connfailover DISABLED -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -healthThreshold 0 -redirectPortRewrite DISABLED -downStateFlush ENABLED -IPMapping 0.0.0.0 -disablePrimaryOnDown DISABLED -insertVserverIPPort OFF -l2Conn OFF -mssqlServerVersion 2008R2 -appflowLog ENABLED -icmpVsrResponse PASSIVE -RHIstate PASSIVE -minAutoscaleMembers 0

 add lb vserver MSSQL_LB_OLTP MSSQL -IPPattern 0.0.0.0 -IPMask * 0 -range 1 -timeout 2 -backupPersistenceTimeout 2 -lbMethod LEASTCONNECTION -rule none -Listenpolicy none -resRule none -persistMask 255.255.255.255 -v6persistmasklen 128 -pq OFF -sc OFF -m IP -sessionless DISABLED -state ENABLED -connfailover DISABLED -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -healthThreshold 0 -redirectPortRewrite DISABLED -downStateFlush ENABLED -IPMapping 0.0.0.0 -disablePrimaryOnDown DISABLED -insertVserverIPPort OFF -l2Conn OFF -mssqlServerVersion 2008R2 -appflowLog ENABLED -icmpVsrResponse PASSIVE -RHIstate PASSIVE -minAutoscaleMembers 0

 bind lb vserver MSSQL_LB_DW MSSQL_Srvc2

 bind lb vserver MSSQL_LB_OLTP MSSQL_Srvc1

 enable ns feature CS

 add cs action writes -targetLBVserver MSSQL_LB_OLTP

| 162 |
 add cs action reads -targetLBVserver MSSQL_LB_DW

 add cs policy MSSQL_CS_Reads -rule "MSSQL.REQ.QUERY.COMMAND.CONTAINS(\"select\")" -action reads

 add cs policy MSSQL_CS_Writes -rule "MSSQL.REQ.QUERY.COMMAND.CONTAINS(\"create\") || MSSQL.REQ.QUERY.COMMAND.CONTAINS(\"insert\")" -action writes

 add cs vserver MSSQL_CVS1 -td 0 MSSQL 192.168.10.150 -range 1 1433 -state ENABLED -stateupdate
DISABLED -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -redirectPortRewrite
DISABLED -downStateFlush ENABLED -disablePrimaryOnDown DISABLED -insertVserverIPPort OFF -
Listenpolicy none -mssqlServerVersion 2008R2 -l2Conn OFF -appflowLog ENABLED -icmpVsrResponse
PASSIVE -RHIstate PASSIVE

 bind cs vserver MSSQL_CVS1 -policyName MSSQL_CS_Reads -priority 100 -gotoPriorityExpression END -type
REQUEST

 bind cs vserver MSSQL_CVS1 -policyName MSSQL_CS_Writes -priority 110 -gotoPriorityExpression END -type
REQUEST

 bind cs vserver MSSQL_CVS1 -lbvserver MSSQL_LB_DW

 Continue with Steps 10 and 11 above

| 163 |
Module 17
AAA for Traffic Management
Overview
Most networks concentrate their user credentials in one centralized location. This aids in
management and security. The NetScaler system can use common authentication, authorization,
and auditing (AAA) systems for its system users. AAA can also be applied to traffic passing through
it.

AAA for Application Traffic uses authentication virtual servers to provide AAA functionality for load
balancing and content switching traffic. This allows the NetScaler to perform authentication,
authorization, auditing functionality in front of traffic management virtual servers. This gives
administrators the ability to provide single sign-on, access control, session, and traffic policy
capabilities for non-VPN traffic. AAA for Application Traffic uses the NetScaler to manage access
requirements for multiple web sites without needing full VPN style connectivity.

AAA for Application Traffic uses many of the same policy types and design concepts as the SSLVPN
functionality, but streamlined for access control only.

| 164 |
Exercise 17 (Configuration Utility)
AAA for Traffic Management
Overview
The AAA feature supports authentication, authorization, and auditing for all application traffic. To
use AAA, you must configure authentication virtual servers to handle the authentication process
and traffic management virtual servers to handle the traffic to web applications that require
authentication.

Step by step guidance


Step Action
1. Create a test user in Active Directory to be used as our user for the AAA-TM exercise.

 From your desktop launch a remote desktop connection to 192.168.10.11
 Navigate to Programs > Accessories > Remote Desktop Connection
 Type 192.168.10.11
 Login with:
o Username: Training\administrator
o Password: Citrix123

| 165 |
2.  Navigate to the Start Menu, type Active Directory Users and Computers and click it
 Click on Users as shown above
 Right click and select New > User

| 166 |
3.  Fill out the fields for the new user (in our example we are using the username “aaauser”). Click Next.
o Type aaauser under Name Field
o Type Password1 for password
o Click Next
o Select Password never expires
o Click Next and then Finish

4.  Add DNS entries for the FQDNs used in this exercise
o While still logged in via remote desktop to the Active Directory machine, navigate to
Administrative Tools and select DNS (double click)

| 167 |
5.  Select “Forward Lookup Zones” from the left hand menu pane, then double click the Training.lab
zone
 Right click on the white space and select “New Host (A or AAAA)”

| 168 |
6.  Add a host entry for the load balancing VIP.
o Hostname: WebServer
o IP Address: 192.168.10.125

7.  Add a second host entry for the AAA VIP (click OK and Done once complete)
o Hostname: aaavs
o IP Address: 192.168.10.175

8.  We are also going to add 2 additional DNS entries for the SAML exercise later on in this lab.

Note: You will not be able to access the IPs or hosts below until the SAML exercise

o Hostname: aaasp
o IP Address: 192.168.10.176

o Hostname: aaaidp
o IP Address: 192.168.10.177

Note: To verify that the DNS entries are correct, open a command prompt (Run as Administrator) on
your machine and ping both FQDNs that were just created in DNS. If the ping test is
unsuccessful, run the following commands to flush the DNS cache on the machine, then retry the ping test.
 ipconfig /flushdns
 ipconfig /registerdns

| 169 |
9. Create an LDAP policy on NetScaler using Active Directory

 Navigate back to NetScaler A – 192.168.10.15 by browsing to http://192.168.10.15 and login using
nsroot/nsroot
 Navigate to Security > AAA-Application Traffic > Policies > Authentication > Basic Policies >
LDAP
 Select the Servers tab, and click Add
 Fill out the fields using the following values.
o Name: AD
o IP Address: 192.168.10.11 (be sure to select Server IP)
o Server Type: AD
o Port: 389

10.  Under Connection Settings use the following values
o Base DN: DC=training,DC=lab
o Administrator DN: administrator@training.lab
o Bind DN Password: box is checked
o Administrator Password: Citrix123

 Click the Retrieve Attributes button to test that the connection is successful.

| 170 |
11. Scroll down to Other Settings. Under Server Logon Name Attribute select the following value.
 Server Logon Name Attribute: sAMAccountName
 Group attribute: memberof
 Sub Attribute Name: cn

 Click Create to finish.

You have now successfully created a Directory Server for authentication. The next step is to create a policy.

12. Now Select the Policies tab, and click Add

| 171 |
13. Create the LDAP policy using the following values from the screenshot below. (ns_true)
 Type LDAP under Name*
 Select ns_true from the Saved Policy Expressions tab in the Expression Editor box

 Click Create to finish

14. Create an SSL test certificate

 Navigate to Traffic Management > SSL.
 Select Create and Install a Server Test Certificate under SSL Certificates from the right hand side
menu options.

| 172 |
15. Provide the following values for the certificate. Screenshot below, and click OK once finished
 Type AAA under Certificate File Name*
 Type aaavs.training.lab under Fully Qualified Domain Name*
 Under Country select UNITED STATES

 You have now created and installed a Server Test Certificate. We will bind this Certificate to our
AAA vServer that we create in subsequent sections.

| 173 |
16. Creating a AAA virtual Server

 Navigate to Security > AAA-Application Traffic > Virtual Servers, and click Add

 Provide the Basic Settings using the following values and click Ok when finished.

o Name: AAA-vs
o IP Address: 192.168.10.175
o Protocol: SSL
o Port: 443
o Authentication Domain: Training.lab

| 174 |
17.  The next step is to bind the Server Certificate. You will see the Certificate menu appear once you
click OK from the previous step.
 Click on No Server Certificate to launch the Server Certificate Binding Wizard
 Click on Click to select
 Select the AAA certificate and click OK, then Bind to complete.


18.  Click Continue on Advanced Authentication Policies


 Click on the + icon to bind a Basic Authentication Policy

19.  Select LDAP as the policy and Primary as the type. Click Continue.

 Bind the LDAP policy created in the previous steps, leaving the priority at 100. Click Bind to finish.

 Finally click Continue at the bottom of the Authentication Virtual Server screen, and then Done to
complete.
 After clicking the refresh button, your AAA vServer should show green, representing an Up state.

20.  Bind the AAA vServer to the Load Balancing vServer created in earlier steps. If the config has been
erased, refer to the CLI commands in Exercise 3 to restore the config for the Load Balancing section.

o Navigate to Traffic Management > Load Balancing > Virtual Servers
o Select the Web-Vip vServer and click Edit
o Select the Authentication option on the right-hand side menu

21.  Provide the values for the Authentication option as shown below, and click OK when finished.
o Select Form Based Authentication
o Type aaavs.training.lab under Authentication FQDN
o Select AAA-vs from the dropdown menu under Authentication Virtual Server

 Finally click Done. You now have bound the AAA vServer to your load balanced vServer. The
purpose of this is to authenticate users against LDAP before they can access the backend WebServers.

22. Testing the AAA-TM vServer

 To test, open a new private (incognito) browser window and navigate to the FQDN of the load balancing
Virtual IP address (http://webserver.training.lab).

 Scroll down and click “Advanced” on the web browser

 Click proceed at the bottom.

 Now you should be able to log in with the aaauser created in earlier steps
o User name: aaauser
o Password: Password1

 Once authenticated you will be directed to the Webserver page.


Exercise Summary
In this exercise you successfully created a user in Active Directory, multiple DNS entries for the
FQDN, AAA vServers and web server, an LDAP policy and server in NetScaler, and an AAA vServer
that was bound to the WebServer load balancing VIP.

Exercise 17 (CLI Command)

AAA for Traffic Management
Use an SSH connection (PuTTY) to NetScaler-A (192.168.10.15) command-line interface logged on as the nsroot user
for this task

 Complete Steps 1 through 9 above

 enable ns feature AAA

 add authentication ldapAction AD -serverIP 192.168.10.11 -serverPort 389 -authTimeout 3 -ldapBase
'dc=training, dc=lab' -ldapBindDn administrator@training.lab -ldapBindDnPassword 'Citrix123' -ldapLoginName
sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType PLAINTEXT -svrType AD
-authentication ENABLED -requireUser YES -passwdChange DISABLED -nestedGroupExtraction OFF
-followReferrals OFF -validateServerCert NO

 add authentication ldapPolicy LDAP ns_true AD

 create ssl rsakey AAA-root.key 512 -exponent F4 -keyform PEM

 add ssl certKey AAA -cert AAA-root.cert -key AAA-root.key -inform PEM -expiryMonitor ENABLED
-notificationPeriod 30

 add authentication vserver AAA-vs SSL 192.168.10.175 443 -AuthenticationDomain training.lab

 bind authentication vserver AAA-vs -policy LDAP -priority 100

 bind ssl vserver AAA-vs -certkeyName AAA

Make sure the Web-Vip vserver has been added as shown in Exercise 3

 set lb vserver Web-Vip -IPAddress 192.168.10.125 -IPPattern 0.0.0.0 -IPMask * -timeout 1
-backupPersistenceTimeout 2 -lbMethod ROUNDROBIN -persistMask 255.255.255.255 -v6persistmasklen 128
-pq OFF -sc OFF -rtspNat OFF -m IP -dataOffset 0 -sessionless DISABLED -connfailover DISABLED -cacheable
NO -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -healthThreshold 0
-redirectPortRewrite DISABLED -downStateFlush ENABLED -insertVserverIPPort OFF -disablePrimaryOnDown
DISABLED -AuthenticationHost aaavs.training.lab -Authentication ON -authnVsName AAA-vs -push DISABLED
-pushLabel none -pushMultiClients NO -l2Conn OFF -oracleServerVersion 10
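The Exercise 17 CLI above sends the LDAP bind password and every user's password over plain LDAP on port 389 (-secType PLAINTEXT, -validateServerCert NO) and generates a 512-bit RSA key. That is acceptable in a lab, but it is exactly what a configuration review should catch. The following Python script is an added example, not Citrix or NetScaler code: it parses NetScaler CLI commands of the kind shown above and reports those settings. SAMPLE_CONFIG is constructed from this exercise's commands plus an LDAPS action and a 2048-bit key added for contrast; the hardened values (secType SSL, port 636, the svc-nsbind account) are assumptions, as are the NetScaler defaults assumed for omitted options (secType PLAINTEXT, serverPort 389, validateServerCert NO).

```python
"""Audit NetScaler CLI lines for weak LDAP and SSL key settings.

Added illustration, not Citrix code. parse_command() splits a NetScaler CLI
line the way the shell would; audit_config() then flags the settings a
reviewer would question in 'add authentication ldapAction' and
'create ssl rsakey' commands. Where an option is omitted the NetScaler
defaults are assumed: secType PLAINTEXT, serverPort 389, validateServerCert NO.
"""
import shlex

MIN_RSA_BITS = 2048

# Constructed sample: the Exercise 17 commands from this guide on single lines,
# plus an ldapAction over LDAPS and a 2048-bit key added here for contrast.
SAMPLE_CONFIG = """
add authentication ldapAction AD -serverIP 192.168.10.11 -serverPort 389 -authTimeout 3 -ldapBase 'dc=training, dc=lab' -ldapBindDn administrator@training.lab -ldapBindDnPassword 'Citrix123' -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType PLAINTEXT -svrType AD -authentication ENABLED -requireUser YES -passwdChange DISABLED -nestedGroupExtraction OFF -followReferrals OFF -validateServerCert NO
add authentication ldapAction AD-LDAPS -serverIP 192.168.10.11 -serverPort 636 -ldapBase 'dc=training,dc=lab' -ldapBindDn svc-nsbind@training.lab -ldapBindDnPassword 'example-only' -ldapLoginName sAMAccountName -secType SSL -svrType AD -validateServerCert YES
create ssl rsakey AAA-root.key 512 -exponent F4 -keyform PEM
create ssl rsakey web-2048.key 2048 -exponent F4 -keyform PEM
"""


def parse_command(line):
    """Split a CLI line into positional words and a {option: value} map.

    Quoted values such as 'dc=training, dc=lab' stay intact; option names are
    lower-cased because the NetScaler CLI treats them case-insensitively.
    """
    tokens = shlex.split(line)
    positional, options = [], {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and len(tok) > 1 and not tok[1].isdigit():
            options[tok[1:].lower()] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
        else:
            positional.append(tok)
            i += 1
    return positional, options


def audit_ldap_action(positional, options):
    """Findings for one 'add authentication ldapAction' command."""
    name, findings = positional[3], []
    sec_type = options.get("sectype", "PLAINTEXT").upper()
    port = options.get("serverport", "389")
    if sec_type == "PLAINTEXT":
        findings.append((name, f"secType PLAINTEXT on port {port}: the bind password and "
                               "every user's password cross the network unencrypted; "
                               "use -secType SSL (636) or TLS"))
    elif options.get("validateservercert", "NO").upper() != "YES":
        findings.append((name, "validateServerCert NO: the directory's certificate is never "
                               "checked, so encryption alone does not stop a spoofed server"))
    bind_dn = options.get("ldapbinddn", "")
    if bind_dn.lower().startswith("administrator@") or "cn=administrator," in bind_dn.lower():
        findings.append((name, f"bind DN {bind_dn} is a domain administrator; bind with a "
                               "read-only service account instead"))
    return findings


def audit_rsakey(positional):
    """Findings for one 'create ssl rsakey <file> <bits>' command."""
    key_file, bits = positional[3], int(positional[4])
    if bits < MIN_RSA_BITS:
        return [(key_file, f"{bits}-bit RSA key is below the {MIN_RSA_BITS}-bit minimum "
                           "the guide itself recommends for signing certificates")]
    return []


def audit_config(text):
    """Return [(object_name, finding), ...] for every weak setting in text."""
    findings = []
    for raw in text.splitlines():
        positional, options = parse_command(raw.strip())
        verb = [t.lower() for t in positional[:3]]
        if verb == ["add", "authentication", "ldapaction"] and len(positional) > 3:
            findings.extend(audit_ldap_action(positional, options))
        elif verb == ["create", "ssl", "rsakey"] and len(positional) > 4:
            findings.extend(audit_rsakey(positional))
    return findings


if __name__ == "__main__":
    for obj, finding in audit_config(SAMPLE_CONFIG):
        print(f"{obj}: {finding}")
```

Feed it the lines of `show ns runningConfig` output or an ns.conf file; the parser keeps quoted values such as 'dc=training, dc=lab' intact, which naive whitespace splitting would break, and the same pattern extends to any other command whose options you want to review.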

Module 18
AAA SAML Assertion
The Security Assertion Markup Language (SAML) is an XML-based standard for
exchanging authentication and authorization tokens between servers which authenticate
users (the Identity Provider or IdP) and servers that host user applications (Service
Providers). The NetScaler ADC supports SAML authentication and authorization with the HTTP
POST binding, in which the ADC responds to user requests with a 200 OK that contains an
auto-submitting form carrying the required authentication token.

The NetScaler ADC supports attribute extraction from SAML assertions, and encrypted
SAML assertions. The NetScaler implementation of SAML allows signing certificates of less
than 2048 bits, but displays a warning message. It also supports the SHA256 hash
algorithm for signatures and digests. Citrix recommends that all signing certificates be of at
least 2048 bits, and that you use SHA256 as SHA-1 is no longer considered secure.
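The paragraph above describes the HTTP-POST binding: the IdP answers with a 200 OK containing an auto-submitting form whose SAMLResponse field carries the base64-encoded assertion, and the Service Provider (the aaasp vServer in Exercise 18) must validate that assertion before trusting it. The following Python script is an added example, not NetScaler code, that models both halves: build_post_form() produces the form, and validate_response() performs the SP-side checks (Destination and Recipient equal to the ACS URL, InResponseTo matching the outstanding request, exactly one signed assertion, the trusted Issuer, the NotBefore/NotOnOrAfter window with 60 s of clock skew, and the Audience). The issuer, ACS URL and audience are the Exercise 18 lab values; the assertion body, the request id and the clock are constructed. XML-DSig verification against the IdP certificate bound on the SAML server is assumed to be done by an XML signature library at the point marked in the code; the script only checks that a Signature element is present.

```python
"""SP-side validation of a SAML 2.0 HTTP-POST binding response.
Added example (see the lead-in): issuer, ACS URL and audience are the Exercise 18
values; the assertion, request id and clock are constructed."""
import base64
import html
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "http://webserver.training.lab/samlauth"   # Assertion Consumer Service URL (lab value)
AUDIENCE = "http://webserver.training.lab"
IDP_ISSUER = "aaaidp.training.lab"
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_response(now, request_id, *, audience=AUDIENCE, signed=True):
    """Constructed IdP response; a real IdP puts an XML-DSig in the Signature element."""
    def t(delta): return (now + delta).strftime(TS)
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
    Version="2.0" IssueInstant="{t(timedelta())}" Destination="{ACS_URL}" InResponseTo="{request_id}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{t(timedelta())}">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>aaauser</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}"
          NotOnOrAfter="{t(timedelta(minutes=5))}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{t(timedelta(minutes=-1))}" NotOnOrAfter="{t(timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def encode_response(response_xml):
    return base64.b64encode(response_xml.encode()).decode()

def build_post_form(response_xml):
    """Body of the IdP's 200 OK: the browser auto-posts the form to the SP's ACS URL."""
    return (f'<form method="POST" action="{html.escape(ACS_URL)}"><input type="hidden" '
            f'name="SAMLResponse" value="{html.escape(encode_response(response_xml))}"/></form>'
            '<script>document.forms[0].submit()</script>')

def _ts(value):
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)

def validate_response(saml_response_b64, now, request_id, skew=timedelta(seconds=60)):
    """Return (True, NameID) when the response may be trusted, else (False, reason)."""
    try:
        root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    except (ValueError, ET.ParseError) as exc:
        return False, f"undecodable response: {exc}"
    if root.tag != f"{{{NS['samlp']}}}Response" or root.get("Destination") != ACS_URL:
        return False, "not a samlp:Response addressed to our ACS URL"
    if root.get("InResponseTo") != request_id:   # SP-initiated: must answer our AuthnRequest
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        return False, "status is not Success"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                     # never pick one of several assertions
        return False, f"expected exactly one Assertion, got {len(assertions)}"
    a = assertions[0]
    if a.find("ds:Signature", NS) is None:       # XML-DSig verification belongs right here
        return False, "assertion is unsigned"
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != IDP_ISSUER:
        return False, "assertion issuer is not the trusted IdP"
    cond = a.find("saml:Conditions", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if cond is None or scd is None:
        return False, "assertion lacks Conditions or SubjectConfirmationData"
    try:
        in_window = _ts(cond.get("NotBefore")) - skew <= now < _ts(cond.get("NotOnOrAfter")) + skew
        bearer_ok = scd.get("Recipient") == ACS_URL and now < _ts(scd.get("NotOnOrAfter")) + skew
    except (TypeError, ValueError):
        return False, "missing or malformed timestamp"
    if not (in_window and bearer_ok):
        return False, "assertion expired, not yet valid, or not addressed to us"
    audiences = [(e.text or "").strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if AUDIENCE not in audiences:
        return False, f"audience {audiences} does not include {AUDIENCE}"
    return True, a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()

def run_scenarios():
    """A valid response beside the rejections a correct SP must produce."""
    now = datetime(2015, 5, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
    good = encode_response(build_response(now, "_req1"))
    other = encode_response(build_response(now, "_req1", audience="http://other.training.lab"))
    unsigned = encode_response(build_response(now, "_req1", signed=False))
    return {"valid": validate_response(good, now, "_req1"),
            "replayed_later": validate_response(good, now + timedelta(minutes=10), "_req1"),
            "wrong_request_id": validate_response(good, now, "_req2"),
            "wrong_audience": validate_response(other, now, "_req1"),
            "unsigned": validate_response(unsigned, now, "_req1")}
```

Calling run_scenarios() shows the valid case beside the rejections. The order of checks matters in production as much as in the script: verify the signature before reading any attribute, accept exactly one assertion, and never trust a response whose Destination or Recipient names some other host's ACS URL.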

Exercise 18 (Configuration Utility)
AAA SAML Assertion
Step Action

1. Create a SAML policy

 Navigate to Security > AAA Application Traffic > Policies > Authentication > Basic Policies >
SAML
 Select the “Servers” tab, and click Add

 Fill out the following parameters in the appropriate fields, and click OK when finished.

o Name: saml-sp
o IDP Certificate Name : Select the AAA certificate created earlier
o Redirect URL: https://aaaidp.training.lab/saml/login
o Signing Certificate Name: Select the AAA certificate created earlier
o Issuer Name: aaaidp.training.lab
o Authentication Class Types: Password
o SAML Binding: Post
o Select Create

2.  Select the Policies tab, and click Add

3.  Fill out the parameters in their appropriate fields, and click Create once finished.
o Name: saml-pol
o Server: Select the server we just created in previous steps
 saml-sp
o Expression: ns_true

4.  Create a SAML IdP policy

o Navigate to Security > AAA Application Traffic > Policies > Authentication > Basic
Policies > SAML IDP

 Select Profiles and click Add

 Fill out the parameters in their appropriate fields, and click Create once finished

o Name: saml-idp-prof
o Assertion Consumer Service Url (ACS): http://webserver.training.lab/samlauth
o SP Certificate Name: Select the AAA created earlier
 AAA
o IDP Certificate Name: Select the AAA again created earlier
 AAA
o Issuer Name: aaaidp.training.lab
o Audience: http://webserver.training.lab

5.  Select the Policies tab, and click Add

 Fill out the parameters in their appropriate fields, and click Create once finished

o Name: saml-idp-pol
o Action: select the profile we just created.
 saml-idp-prof
o Expression: HTTP.REQ.URL.CONTAINS("saml")

6. Creating the Service Provider (SP) and Identity Provider (IdP) AAA vServers

 Navigate to Security > AAA > Application Traffic > Virtual Servers, and select Add

 Provide the Basic Settings for the SP (Service Provider) AAA vServer, and click OK once complete
o Name: aaasp.training.lab
o IP Address: 192.168.10.176
o Authentication Domain: Training.lab

7.  Bind the AAA Server Certificate created in earlier steps, and click Continue once completed

 Click Continue without selecting any Advanced Authentication Policies.

8.  Select the + icon on Basic Authentication Policies

 Choose SAML as the policy and Primary as the type, and click Continue

9.  Bind the saml-pol policy created as the SP policy in earlier steps. Click Bind to continue

 Click Continue and Done to complete.

10. Create the IdP AAA vserver

 Navigate back to Security > AAA > Application Traffic > Virtual Servers, and select Add
 Provide the Basic Settings for the IdP (Identity Provider) AAA vServer, and click OK once complete
o Name: aaaidp.training.lab
o IP Address: 192.168.10.177
o Authentication Domain: Training.lab

11.  Bind the AAA Server Certificate created in earlier steps, click Continue once complete
o Click on No Server Certificate and select AAA
o Click Continue

12.  Click Continue under Advanced Authentication Policies.

 Select the + icon on Basic Authentication Policies

13.  First, bind the SAMLIDP policy.
o Select SAMLIDP from the drop down menu under Choose Policy*
o Select Primary for the type

14.  Next, bind the saml-idp-pol created in earlier steps. Click Bind to continue
o Click on Click to select and select saml-idp-pol

15.  Clicking the + icon again on Basic Authentication Policies, we will now bind the LDAP policy
created earlier.

 Select LDAP as the policy and Primary as the type. Click continue once complete
o Select LDAP from the drop down menu under Choose Policy*
o Select Primary for the type

 Bind the LDAP policy created earlier and click Bind to continue.
 Leave the priority set to 100

 Click Continue, and Done to complete

16.  Binding the SP AAA vServer to the Load Balancing WebServer

o Navigate to Traffic Management > Load Balancing > Virtual Servers, and Edit the
existing Web-Vip virtual server.
o Locate the Authentication tab. If an authentication vServer is already bound from the
previous AAA exercise, we will override it now.
o Select the Edit icon on the Authentication settings, and add the following:
 Select Form Based Authentication
 Authentication FQDN: aaasp.training.lab
 Authentication Virtual Server: Select aaasp.training.lab

o Click OK, and Done, to complete.

17.  Testing the SAML assertion flow (open an incognito browser)
o In your web browser navigate to http://webserver.training.lab, and note that it redirects
you to https://aaaidp.training.lab/saml/login. Click on Advanced to proceed.

 Click on Proceed to aaaidp.training.lab (unsafe). This is because we are using a test certificate for
lab purposes.

 You are now directed to the AAA IdP vServer for authentication.
 Log in with the AAA user credentials created in earlier steps.
o Username: aaauser
o Password: Password1

Exercise Summary
In this section you successfully configured NetScaler as a Service Provider (SP) endpoint in a
SAML 2.0 assertion, configured NetScaler as an Identity Provider (IdP) endpoint in a SAML 2.0
assertion, and completed a successful SP-initiated assertion flow using NetScaler as both
endpoints.

Exercise 18 (CLI Command)

AAA SAML Assertion
Use an SSH connection (PuTTY) to NetScaler-A (192.168.10.15) command-line interface logged on as the nsroot user
for this task

 Complete the necessary steps from Exercise 17


 add authentication samlAction SAML-SP -samlIdPCertName ns-server-certificate -samlSigningCertName AAA
-samlRedirectUrl 'https://aaaidp.training.lab/saml/login'

 add authentication samlPolicy SAML-pol ns_true SAML-SP

 add authentication samlIdPProfile saml-idp-prof -samlSPCertName AAA -samlIdPCertName AAA
-assertionConsumerServiceURL 'http://webserver.training.lab/samlauth' -sendPassword OFF -samlIssuerName
aaaidp.training.lab -audience 'http://webserver.training.lab'

 add authentication samlIdPPolicy saml-idp-pol -rule 'HTTP.REQ.URL.CONTAINS("saml")' -action saml-idp-prof

 add authentication vserver aaasp.training.lab SSL 192.168.10.176 -range 1 443 -state ENABLED
-authentication ON -AuthenticationDomain training.lab -td 0 -appflowLog ENABLED

 bind ssl vserver aaasp.training.lab -priority 0 -certkeyName AAA -crlCheck Optional

 bind authentication vserver aaasp.training.lab -policy SAML-pol -priority 100

 add authentication vserver aaaidp.training.lab SSL 192.168.10.177 -range 1 443 -state ENABLED
-authentication ON -AuthenticationDomain training.lab -td 0 -appflowLog ENABLED

 bind ssl vserver aaaidp.training.lab -priority 0 -certkeyName AAA -crlCheck Optional

 bind authentication vserver aaaidp.training.lab -policy saml-idp-pol -priority 100

 bind authentication vserver aaaidp.training.lab -policy LDAP -priority 100

 add lb vserver Web-Vip HTTP 192.168.10.125 80 -range 1 -timeout 2 -backupPersistenceTimeout 2 -lbMethod
LEASTCONNECTION -rule none -Listenpolicy none -resRule none -persistMask 255.255.255.255
-v6persistmasklen 128 -pq OFF -sc OFF -m IP -sessionless DISABLED -state ENABLED -connfailover
DISABLED -cacheable NO -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2
-healthThreshold 0 -redirectPortRewrite DISABLED -downStateFlush ENABLED -IPMapping 0.0.0.0
-disablePrimaryOnDown DISABLED -insertVserverIPPort OFF -push DISABLED -pushLabel none
-pushMultiClients NO -l2Conn OFF -appflowLog ENABLED -icmpVsrResponse PASSIVE -RHIstate PASSIVE
-minAutoscaleMember

 bind lb vserver Web-Vip webservice1

 set lb vserver Web-Vip -IPAddress 192.168.10.125 -IPPattern 0.0.0.0 -IPMask * -timeout 2
-backupPersistenceTimeout 2 -lbMethod ROUNDROBIN -persistMask 255.255.255.255 -v6persistmasklen 128
-pq OFF -sc OFF -rtspNat OFF -m IP -dataOffset 0 -sessionless DISABLED -connfailover DISABLED -cacheable
NO -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -healthThreshold 0
-redirectPortRewrite DISABLED -downStateFlush ENABLED -insertVserverIPPort OFF -disablePrimaryOnDown
DISABLED -AuthenticationHost aaasp.training.lab -Authentication ON -authn401 OFF -authnVsName
aaasp.training.lab -push DISABLED -pushLabel none -pushMultiClients NO -l2Conn OFF -oracleSer

Revision   Change Description   Updated By       Date
1.0        Original version     Joshua Travers   May 2015

About Citrix
Citrix Systems, Inc. designs, develops and markets technology solutions that enable information
technology (IT) services. The Enterprise division and the Online Services division constitute its two
segments. Its revenues are derived from sales of Enterprise division products, which include its

Desktop Solutions, Datacenter and Cloud Solutions, Cloud-based Data Solutions and related
technical services and from its Online Services division's Web collaboration, remote access and
support services. It markets and licenses its products directly to enterprise customers, over the
Web, and through systems integrators (SIs) in addition to indirectly through value-added resellers
(VARs), value-added distributors (VADs) and original equipment manufacturers (OEMs). In July
2012, the Company acquired Bytemobile, provider of data and video optimization solutions for
mobile network operators.
http://www.citrix.com
