May 2015
Table of Contents
Table of Contents ... 1
Overview ... 5
Introduction ... 8
Lab Preparation ... 10
Attach XenCenter to Your XenServer (ZFS) ... 10
Module 1 ... 12
Exercise 1 (Configuration Utility) ... 13
Initial NetScaler Setup and Basic Load Balancing ... 13
Module 2 ... 18
Exercise 2 (Configuration Utility) ... 20
NetScaler Configuration SNIP, VIP ... 20
Exercise 2 (CLI Command) ... 25
NetScaler Configuration SNIP, VIP ... 25
Module 3 ... 26
Define Server Load-Balancing Properties, Virtual Server, and Services ... 26
Exercise 3 (Configuration Utility) ... 28
Creating Servers, Services and Load-Balancing Virtual Servers ... 28
Exercise 3 (CLI Command) ... 35
Creating Servers, Services and Load-Balancing Virtual Servers ... 35
Exercise 4 (Configuration Utility) ... 36
Verify Load-Balancing Service is Active on Web Servers ... 36
Module 5 ... 38
Content Switching ... 38
Exercise 5 (Configuration Utility) ... 39
Content Switching ... 39
Exercise 5 (CLI Command) ... 45
Content Switching ... 45
Exercise 6 ... 46
Bonus Content Switching Policy ... 46
Module 7 ... 51
URL Transformation using the Rewrite Feature ... 51
Exercise 7 (Configuration Utility) ... 52
URL Transformation using the Rewrite Feature ... 52
Exercise 7 (CLI Command) ... 59
URL Transformation using the Rewrite Feature ... 59
Exercise 8 (Configuration Utility) ... 61
Bonus URL Transformation Policy ... 61
Module 9 ... 65
Web Application Firewall ... 65
Exercise 9 (Configuration Utility) ... 66
Web Application Firewall ... 66
Exercise 9 (CLI Command) ... 88
Web Application Firewall ... 88
Module 10 ... 89
High Availability ... 89
Exercise 10 (Configuration Utility) ... 90
High Availability ... 90
Exercise 10 (CLI Command) ... 95
High Availability ... 95
Module 11 ... 96
Clustering ... 96
Exercise 11 (Configuration Utility) ... 97
Clustering ... 97
Exercise 11 (CLI Command) ... 107
Clustering ... 108
Module 12 ... 108
Global Server Load Balancing ... 109
Exercise 12 (Configuration Utility) ... 110
Global Server Load Balancing ... 111
Exercise 12 (CLI Command) ... 133
Global Server Load Balancing ... 133
Exercise 13 (Bonus) ... 136
Bonus Configure GSLB for WebGoat ... 136
Module 14 ... 137
Admin Partitions ... 137
Exercise 14 (Configuration Utility) ... 138
Admin Partitions ... 138
Exercise 14 (CLI Command) ... 147
Admin Partitions ... 147
Exercise 15 ... 149
Bonus Admin Partitions ... 149
Module 16 ... 150
Data Stream ... 150
Exercise 16 (Configuration Utility) ... 151
Data Stream ... 151
Exercise 16 (CLI Command) ... 162
Data Stream ... 162
Module 17 ... 164
AAA for Traffic Management ... 164
Exercise 17 (Configuration Utility) ... 165
AAA for Traffic Management ... 165
Exercise 17 (CLI Command) ... 179
AAA for Traffic Management ... 179
Module 18 ... 180
AAA SAML Assertion ... 180
Exercise 18 (Configuration Utility) ... 181
AAA SAML Assertion ... 181
Exercise 18 (CLI Command) ... 195
AAA SAML Assertion ... 195
Overview
Hands-on Training Module
Objective
This lab training will provide hands-on experience on a wide range of core features that Citrix
NetScaler has to offer. This lab is designed to allow the student to pick and choose the exercises of
choice.
Prerequisites
Basic NetScaler or ADC familiarity is desired.
Audience
Citrix Partners, Customers, Sales Engineers, Consultants, Technical Support.
The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All
Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed
from the Student Desktop.
Required Lab Credentials
The credentials required to connect to the environment and complete the lab exercises are shown
within the step-by-step instructions.
Introduction
The Citrix NetScaler product line optimizes delivery of applications over the Internet and private
networks, combining app security, optimization, and traffic management into a single, integrated
appliance. You install a NetScaler appliance in your server room and route all connections to your
managed servers through it. The NetScaler features that you enable and the policies you set are
then applied to control and manage incoming and outgoing traffic.
NetScaler Functionality
NetScaler content switching and load balancing dramatically improve the throughput and scalability
of an internet application by decoupling each application request/response flow from the underlying
transport.
Content switching and load balancing ensure the most efficient use of transport protocols and
resources, even in a scenario where the content is encrypted or compressed.
The NetScaler system manages the complete life cycle of the request/response transaction. With
this management, the NetScaler system is uniquely equipped to direct and control application
requests most efficiently, from the client to the server and back again.
Connection multiplexing (also known as connection reuse) allows the servers to handle much fewer
connections than are received by the NetScaler system.
Note: Connection multiplexing reduces the load on your back-end servers. This functionality is
enabled by default on NetScaler.
The efficient use of the HTTP specification provides a significant boost to the effective capacity of
the server by reducing server CPU load. With this separation, the NetScaler system can use the
TCP proxy architecture to multiplex and reuse the server-side TCP connection independently from
a client-side connection. This reuse of established and idle server-side TCP connections reduces
the TCP overhead on web servers.
NetScaler Overview
Citrix NetScaler is an application switch that performs application-specific traffic analysis to
intelligently distribute, optimize, and secure layer-4 through layer-7 (L4-L7) network traffic for web
applications. For example, a NetScaler system makes load-balancing decisions on individual HTTP
requests rather than on the basis of long-lived TCP connections, so that the failure or slowdown of
a server is managed much more quickly and with fewer disruptions to clients. NetScaler
functionalities are broadly categorized into features, such as switching, security, protection and farm
optimization.
Switching
When deployed in front of application servers, a NetScaler system ensures ideal distribution of
traffic. You can segment application traffic according to information in the body of an HTTP or TCP
request, and on the basis of L4-L7 header information such as URL, application data type, or
cookie. Numerous load-balancing algorithms and extensive server health checks improve
application availability by ensuring that client requests are directed to the correct servers.
Security and Protection
NetScaler security and protection features protect web applications from application-layer attacks. A
NetScaler system provides built-in defenses against denial-of-service (DoS) and distributed denial
of service (DDoS) attacks and supports features that protect applications against legitimate surges
in application traffic that would otherwise overwhelm the servers. An available, built-in firewall can
protect web applications from application-layer attacks, including buffer overflow exploits, SQL
injection attempts, and cross-site scripting attacks. In addition, the firewall provides identity theft
protection by securing confidential corporate information and sensitive customer data.
Optimization
Optimization features offload resource-intensive operations such as Secure Sockets Layer (SSL)
processing, data compression, client keep-alive, TCP buffering, and the caching of static and
dynamic content from servers. Optimization improves server performance in the farm and therefore
speeds up applications. A NetScaler system supports several transparent TCP optimizations, which
mitigate problems caused by high latency and congested network links, accelerating the delivery of
applications while requiring no configuration changes to clients or servers.
Lab Preparation
Attach XenCenter to Your XenServer (ZFS)
Overview
This lab is designed to cover a wide spectrum of the vast NetScaler feature set. We will touch on
several core features and common use cases found in NetScaler deployments. You will see how
NetScaler is managed and optimized, and cover topics including initial tune-up, networking and
licensing. In addition, you'll get hands-on with load balancing, content switching, URL transform with
Rewrite, SSL offload and more.
XenCenter is a graphical user interface application used for managing one or more XenServers.
You will be using XenCenter to manage the XenServer needed for the lab.
Step Action
2.
3. Enter the parameters shown below:
IP Address: 192.168.10.5
Username: hypervisoradmin
Password: Password1!
You can ignore the user credentials shown in the lab guide. New credentials will be provided
when you launch the lab.
Click Add.
4. XenCenter will attach to your physical XenServer. You will see your VMs running.
Summary
You have attached XenCenter to your XenServer.
Module 1
NetScaler Licensing
You must properly license a NetScaler system before you can deploy it to distribute, optimize, or secure
networking traffic for web applications. After you have obtained the licenses you must install the licenses on
your appliance and then verify that you have enabled the features corresponding to the licenses. If you do not
install a license on the appliance, the First-time Setup Wizard appears, which provides options for licensing
including installation.
The NetScaler platform is responsible for enabling all necessary features and includes five SSL VPN
connections. This license is allocated by default to host name “ANY”. The rest of the NetScaler licenses need
to be allocated to the HOST ID (MAC) of the appliance in order to enable the corresponding features. In the
case of high availability, two licenses will be required. For more information about licensing your NetScaler,
see Citrix article CTX121062 at http://support.citrix.com.
By purchasing an upgrade license, customers are able to upgrade their NetScaler from one edition to another.
For example, customers with Standard Edition may purchase the Standard Edition upgrade to Enterprise or
Platinum Edition.
A NetScaler option license provides enablement of additional features to augment the features already
supported by the platform license. These option features include AppCompress, AppCache, Application
Firewall, Global Server Load Balancing (GSLB), and NetScaler Insight Center for NetScaler. NetScaler
options licenses are not mandatory.
The NetScaler Gateway Universal license will allow you to increase SSL VPN concurrent usage so that you
are not restricted to five SSL VPN connections. This license floats across high availability pairs. You need to
allocate the universal license to the NetScaler Licensing Hostname, which you can configure in
/nsconfig/rc.conf.
Exercise 1 (Configuration Utility)
Initial NetScaler Setup and Basic Load Balancing
Overview
As mentioned earlier, before starting the configuration process the NetScaler needs to be properly licensed.
Licenses are allocated based on the MAC address of the appliance (known as the host ID), and can be
downloaded here. For this lab, we have already downloaded the proper licenses and placed them in
C:\Licenses on the Student Desktop.
Step by step guidance
Step Action
1. Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface logged on as
the nsroot user for this task.
Begin the licensing lab by verifying the host ID of NetScaler-A (192.168.10.15). You will use this
information for allocating the license file. Connect to the NetScaler system from the command-line
interface using PuTTY and open NetScaler-A. Log on using the nsroot credentials.
Enter the CLI command ‘shell’ and then the command ‘lmutil lmhostid -ether’.
Take note of the FLEXnet host ID of this NetScaler; we will need to match this ID to the
license file in the steps below.
2. Log in to NetScaler-A (192.168.10.15) by navigating to http://192.168.10.15 in your web browser.
Username: nsroot
Password: nsroot
3. Verify that the network configuration matches the screenshot below and continue.
4. Upload the license file “06e089e0b0f1.lic”. If you are not going through the wizard, license configuration
can be found at System > Licenses > Update in the GUI.
Select the 4th item, labeled Licensing. Select “Upload files from a local computer”. You will
find the licenses in the folder C:\Licenses.
There is a total of 4 licenses in C:\Licenses; you will select the one matched to the host ID of this
NetScaler. Often when troubleshooting licensing, the host ID and the date need to be verified:
a wrong host ID and an incongruent time tend to be the issue. Open the license file with Notepad,
check the date and host ID, and note which license goes with which host.
Go to Start Menu > Computer > Local Disk (C:), and then click Licenses.
Select the first license, right-click and select Open with Notepad.
You need to find the license file that goes with the host ID identified earlier and then upload
that license to the NetScaler.
5. Once the license has been uploaded to the NetScaler, click Reboot. (Due to the licensing
change, the NetScaler requires a reboot in order for the license to take effect.)
6. After the NetScaler has rebooted you are able to verify the licenses by logging in and going to
System > Licenses. Since you have uploaded a Platinum license, all features should show a
green check.
Exercise Summary
In this exercise you successfully licensed a NetScaler with a Platinum license.
Module 2
NetScaler-owned IP Addresses
The NetScaler system uses different types of IP addresses for management and proxying
connections to the server. These IP addresses are:
NetScaler IP Address
The NetScaler IP address (NSIP) is a unique IP address and the primary address for management
and general system access. When NetScaler systems participate in high-availability configuration,
the NSIP address is used for primary communication between members of the high-availability
configuration, and the NSIP is the only active IP address on the secondary member in a high-
availability pair. The NSIP can be accessed from any enabled interface on the NetScaler system.
An NSIP address must be configured on a new NetScaler system.
Configuring an initial NSIP address or changing the NSIP address or subnet mask requires a restart
of the NetScaler system. When configuring changes using the command-line interface, save the
configuration first, change the NSIP address, and then restart the NetScaler system.
Mapped IP Address
A mapped IP (MIP) address is used for external connections from the NetScaler system. MIP
addresses are used for connectivity in the absence of an SNIP address. For example, the MIP
address is the proxy IP address of last resort. MIP addresses, like SNIP addresses, are used as the
proxy address for NetScaler system-to-server communication. MIP addresses are still used even
when the USNIP mode is globally disabled.
The MIP address should be available across all subnets and should never be bound to a VLAN. It is
only active on the primary unit of a high-availability pair, like every other IP address on the system
other than the NSIP address, and shows as passive on the secondary unit.
When both a MIP address and a SNIP address are configured on the same subnet, the NetScaler
system will use the SNIP address to communicate with servers by default (since USNIP mode is
enabled). If USNIP mode is disabled, the MIP address will be used.
If multiple IP addresses are present on a subnet, the NetScaler will use the MIP addresses in a
round-robin fashion.
Subnet IP Address
The subnet IP (SNIP) address is used in connection management and server monitoring. An SNIP
address provides the NetScaler system with an Address Resolution Protocol (ARP) presence in
subnets to which the system might not be directly connected.
A NetScaler system should have a SNIP address configured for each directly connected subnet.
When a SNIP is added to a NetScaler system, a static route entry is automatically added to the
NetScaler system routing table; this route identifies the SNIP address as the default gateway on the
NetScaler system for the corresponding subnet.
The Use Subnet IP (USNIP) mode can affect how the SNIP address is used by the NetScaler
system to communicate with servers. USNIP mode is enabled by default. When USNIP mode is
enabled, the SNIP address functions as a proxy IP and is used by the NetScaler system for
NetScaler-system-to-server communication. In this mode, the server will see the SNIP address as
the source IP address in packets received from the NetScaler system.
If USNIP mode is disabled, the SNIP address is not used to send traffic from the NetScaler system
to the servers. Instead, a mapped IP address must be available. In most environments, USNIP
mode is left enabled.
Individual SNIP addresses can be enabled to allow management access. When management
access is enabled, connections to the NetScaler command-line interface over SSH and connections
to the web-based configuration utility can be made using the SNIP address (as if it were a NSIP).
Using management-enabled SNIP addresses allows you to connect to the NetScaler system from a
subnet other than the one where the NSIP is located. It also simplifies managing NetScaler systems
in a high-availability configuration, since only the primary unit will respond to the SNIP.
Management access is not enabled by default. Unlike the NSIP address, but like every other type of
IP address, SNIP addresses are only active on the primary unit of a high-availability pair and show
as passive on the secondary unit.
If multiple SNIP addresses are present on a subnet, the NetScaler will alternate between the SNIP
addresses in round-robin manner when communicating with servers.
Virtual IP Address
Virtual IP (VIP) addresses are used for client-to-NetScaler-system communication. Virtual IP
addresses are assigned to virtual servers on the NetScaler system. VIP addresses are generally
presented to the clients as a logical abstraction of a physical server behind the NetScaler system.
When the VIP address is a public IP address, it usually corresponds to the DNS entry for a domain.
A VIP address is automatically created when a virtual server is added. A virtual server is identified
as a unique combination of IP address and port number.
Disabling or changing the status of a VIP address will affect all virtual servers using the VIP address.
Exercise 2 (Configuration Utility)
NetScaler Configuration SNIP, VIP
Step by step guidance
Step Action
1. Use an HTTP connection to the NetScaler-A (192.168.10.15) configuration utility logged on as the nsroot
user for this task.
2. Add a SNIP (Subnet IP address) to the NetScaler using 192.168.10.16 as the IP Address, 255.255.255.0 as
the Netmask.
Type: Subnet IP
Click Create
3. Verify the SNIP, Subnet IP Address is enabled and showing green.
4. Next Step is to configure the Virtual IP. VIP is used for Load Balancing Virtual Server IP addresses, and
needs to be configured in the Load Balancing section in subsequent steps.
Add a VIP (Virtual IP address) to the NetScaler using 192.168.10.125 as the IP Address, 255.255.255.0 as
the Netmask.
Type: Virtual IP
Click Create
Alternatively, VIP IP Addresses can be directly configured as part of LB vserver configuration. In this lab we
will define it by adding it in the IPs Options.
5. After this step, we have three IP addresses configured on the NetScaler, as depicted in the figure below.
Exercise Summary
In this exercise you have successfully configured the 3 mandatory IP addresses that Citrix
NetScaler needs.
Exercise 2 (CLI Command)
NetScaler Configuration SNIP, VIP
Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface logged on as the
nsroot user for this task.
o SNIP:
add ns ip 192.168.10.16 255.255.255.0 -vServer DISABLED -gui DISABLED -mgmtAccess ENABLED
o VIP:
add ns ip 192.168.10.125 255.255.255.0 -type VIP -mgmtAccess ENABLED
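Both commands above turn on management access (-mgmtAccess ENABLED), which Module 2 notes is off by default, and the second does so on a client-facing VIP. The following Python audit script is an added example, not part of the lab or of Citrix tooling: it parses "add ns ip" lines in the style shown here and lists addresses that answer for SSH or the configuration utility beyond the NSIP. The sample configuration is constructed from the two lab commands plus one extra SNIP; the option defaults assumed in NsIp follow the module text (management access disabled unless set, -type defaulting to SNIP).

```python
import shlex
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on the two commands in this exercise plus one
# extra SNIP on another subnet; it is not a dump from a real appliance.
SAMPLE_CONFIG = """\
add ns ip 192.168.10.16 255.255.255.0 -vServer DISABLED -gui DISABLED -mgmtAccess ENABLED
add ns ip 192.168.10.125 255.255.255.0 -type VIP -mgmtAccess ENABLED
add ns ip 10.20.30.40 255.255.255.0
"""


@dataclass
class NsIp:
    """One NetScaler-owned IP address as created by 'add ns ip'."""
    address: str
    netmask: str
    ip_type: str = "SNIP"          # assumed default when -type is omitted
    mgmt_access: str = "DISABLED"  # management access is off by default (Module 2)
    gui: str = "ENABLED"           # assumed default; only matters with mgmtAccess on
    vserver: str = "ENABLED"       # assumed default; whether vservers may use the address


# Option names are matched case-insensitively; unknown options are ignored.
OPTION_FIELDS = {
    "-type": "ip_type",
    "-mgmtaccess": "mgmt_access",
    "-gui": "gui",
    "-vserver": "vserver",
}


def parse_ns_ips(config_text: str) -> List[NsIp]:
    """Return one NsIp per 'add ns ip <addr> <mask> [-opt value ...]' line."""
    result = []
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)
        if tokens[:3] != ["add", "ns", "ip"] or len(tokens) < 5:
            continue  # not an IP definition (or too short to carry addr + mask)
        entry = NsIp(address=tokens[3], netmask=tokens[4])
        options = tokens[5:]
        # Options arrive as '-name value' pairs after the address and netmask.
        for name, value in zip(options[::2], options[1::2]):
            attr = OPTION_FIELDS.get(name.lower())
            if attr:
                setattr(entry, attr, value.upper())
        result.append(entry)
    return result


def audit_management_exposure(ips: List[NsIp]) -> List[Tuple[str, str]]:
    """Flag addresses that accept management connections (SSH, configuration utility).

    The NSIP is defined elsewhere (set ns config) and is always a management
    address, so only the SNIP/VIP/MIP entries from 'add ns ip' are examined.
    """
    findings = []
    for ip in ips:
        if ip.mgmt_access != "ENABLED":
            continue
        if ip.ip_type == "VIP":
            findings.append((ip.address,
                             "VIP with management access: the management plane is "
                             "reachable on a client-facing address"))
        elif ip.ip_type == "SNIP":
            findings.append((ip.address,
                             "SNIP with management access enabled (not the default); "
                             "confirm the subnet is a trusted management network"))
        if ip.gui == "ENABLED":
            findings.append((ip.address,
                             "web configuration utility is reachable on this address"))
    return findings


if __name__ == "__main__":
    for address, message in audit_management_exposure(parse_ns_ips(SAMPLE_CONFIG)):
        print(f"{address}: {message}")
```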
Module 3
Define Server Load-Balancing Properties, Virtual
Server, and Services
Overview
NetScaler load balancing distributes end-user requests for web pages and other protected
applications across multiple servers that host or mirror the same content. You use load balancing
primarily to manage end-user requests to heavily used applications, preventing poor performance
and outages and ensuring that end users can access your protected applications. Load balancing
also provides fault tolerance; when one server that hosts a protected application becomes
unavailable, the feature distributes end-user requests to the other servers that host the same
application.
In a load-balancing configuration, the load-balancing virtual server is logically located between the
client and the farm and manages traffic flow to the servers in the farm. On the NetScaler, the
application servers are represented by virtual entities called services.
A load-balancing setup includes a load-balancing virtual server and multiple load-balanced
application servers. The virtual server receives incoming client requests, uses the load-balancing
algorithm to select an application server, and forwards the requests to the selected application
server.
The load-balancing virtual server can use any of a number of algorithms, or methods, to determine
how to distribute load among the load-balanced servers that it manages. The default load balancing
method is the least connection method, in which the load-balancing NetScaler forwards each
incoming client connection to whichever load-balanced application server currently has the fewest
active user connections.
Server
A Server entity identifies a physical server and provides the IP address of the server. If you want to
use the IP address of the server as the name of the server object, you can enter the IP address of
the server when you create a service, and the server object is then created automatically.
Alternatively, you can create the server object first and assign it an FQDN or other name, and then
specify that name instead of the IP address when you create the service.
Service
A service entity can be a logical representation of the application server itself or of an application
running on a server that hosts multiple applications. A service is defined by an IP address, port, and
protocol combination used to route requests to a specific load-balanced application server. The
service identifies the type of traffic associated with a given server. You can configure multiple
services for the same server. For example, you can configure a server to run HTTP, FTP, and TCP
services/applications. The NetScaler system directs traffic to the server using the appropriate
service. When you create a service, you associate it with a server. For load balancing, you bind
services to virtual servers. Based on these services, the virtual servers will then load-balance traffic
across the available servers.
Service Group
A service group is a collection of services identified by IP address or server name. In a service
group, any management changes made to the group are propagated to all members of the group.
A virtual server is an aggregated system entity that usually comprises multiple servers and services.
Rather than traffic being routed directly to the server, it is sent to a virtual server, which then makes
a decision about which server to forward the traffic to, based on the services bound to the virtual
server. The state of the virtual server determines whether the client requests are accepted. You
need to specify the protocol, VIP, and the port.
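The following Python script is added here as an illustration; it is not part of the lab and not NetScaler code. It models the entities just described: services bound to a load-balancing virtual server, the LEASTCONNECTION (default) and ROUNDROBIN methods, and COOKIEINSERT persistence with the one-minute timeout used in Exercise 3. The addresses are the lab's; the entity names, the cookie name NSC_PERSIST and its value layout are constructed for the example.

```python
"""Toy model of a NetScaler-style load-balancing virtual server (added example)."""
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Service:
    """IP address + port + protocol of one application server (a NetScaler 'service')."""
    name: str
    server_ip: str
    port: int
    protocol: str = "HTTP"
    state: str = "UP"             # a monitor would normally drive this
    active_connections: int = 0   # what LEASTCONNECTION looks at


@dataclass
class LBVServer:
    """Load-balancing virtual server: owns the VIP and the bound services."""
    name: str
    vip: str
    port: int
    lb_method: str = "LEASTCONNECTION"   # NetScaler's default method
    persistence: str = "NONE"            # "COOKIEINSERT" in the lab
    persistence_timeout: int = 1         # minutes, like the lab's -timeout 1
    cookie_name: str = "NSC_PERSIST"     # constructed cookie name (assumption)
    services: list = field(default_factory=list)
    rr_index: int = 0

    def bind(self, svc: Service) -> None:
        self.services.append(svc)

    def up_services(self) -> list:
        return [s for s in self.services if s.state == "UP"]

    def state(self) -> str:
        """A vserver is UP only while at least one bound service is UP."""
        return "UP" if self.up_services() else "DOWN"

    def pick_by_method(self, up: list) -> Service:
        if self.lb_method == "ROUNDROBIN":
            svc = up[self.rr_index % len(up)]
            self.rr_index += 1
            return svc
        if self.lb_method == "LEASTCONNECTION":
            return min(up, key=lambda s: s.active_connections)
        raise ValueError(f"unsupported lbMethod {self.lb_method}")

    def handle(self, cookies: Optional[dict] = None,
               now: Optional[float] = None) -> Tuple[Optional[Service], Optional[str]]:
        """Route one client request.

        Returns (service, set_cookie): set_cookie is the persistence cookie value to
        send back, or None when no new cookie is needed. (None, None) means the
        vserver is DOWN and the request cannot be served.
        """
        now = time.time() if now is None else now
        up = self.up_services()
        if not up:
            return None, None
        cookies = cookies or {}
        # COOKIEINSERT: an unexpired cookie naming an UP service wins over the LB method.
        if self.persistence == "COOKIEINSERT" and self.cookie_name in cookies:
            svc_name, _, expires = cookies[self.cookie_name].partition(";exp=")
            if expires and now < float(expires):
                for svc in up:
                    if svc.name == svc_name:
                        svc.active_connections += 1
                        return svc, None
        svc = self.pick_by_method(up)
        svc.active_connections += 1
        set_cookie = None
        if self.persistence == "COOKIEINSERT":
            set_cookie = f"{svc.name};exp={now + self.persistence_timeout * 60}"
        return svc, set_cookie

    def release(self, svc: Service) -> None:
        """Call when a client connection closes so LEASTCONNECTION counts stay right."""
        svc.active_connections = max(0, svc.active_connections - 1)


def build_lab_vserver(method: str = "ROUNDROBIN", persistence: str = "NONE") -> LBVServer:
    """The lab's Web-VIP with its two web servers (addresses taken from Exercise 3)."""
    vs = LBVServer("Web-VIP", "192.168.10.125", 80,
                   lb_method=method, persistence=persistence)
    vs.bind(Service("web-service", "192.168.10.115", 80))
    vs.bind(Service("web-service1", "192.168.10.116", 80))
    return vs


if __name__ == "__main__":
    vs = build_lab_vserver("ROUNDROBIN", "COOKIEINSERT")
    svc, cookie = vs.handle(now=0)
    print(vs.state(), svc.name, cookie)
    svc2, _ = vs.handle(cookies={vs.cookie_name: cookie}, now=30)
    print(svc2.name)   # same server while the cookie is valid
```

With COOKIEINSERT the client's cookie, not the LB method, decides the server until the cookie expires, which is what Exercise 4 observes when the browser is refreshed before and after one minute. A vserver whose bound services are all DOWN refuses the request; that is why the exercises tell you to check that the State shows as UP.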
Exercise 3 (Configuration Utility)
Creating Servers, Services and Load-Balancing Virtual
Servers
Step by step guidance
Step Action
1. Use an HTTP connection to the NetScaler-A (192.168.10.15) configuration utility logged on as the nsroot user for this task.
2. Enable the Load Balancing feature in Configuration > System > Settings. Click on Configure basic features under “Modes and Features”.
3. Browse to the “Configure modes” option and ensure the settings match the screenshot.
4. All the Load Balancing Configuration is done from the Configurations > Traffic Management > Load
Balancing screen.
5. Set up two web servers in the Servers tab. Click Add to add a new web server with a user-defined name and the IP address 192.168.10.115, then click Create. Similarly add the second server using its own IP address, 192.168.10.116.
Log on to the NetScaler-A (192.168.10.15) configuration utility with the nsroot credentials
o Click Add in the Servers pane – the Create Server dialog box opens.
o Type Web-Server-1 in the Server Name field and then type 192.168.10.115 in the IP
Address field
o Click Create.
Similarly, create the “Web-Server-2” server with 192.168.10.116 for the IP address.
o Click Add in the Servers pane – the Create Server dialog box opens.
o Type Web-Server-2 in the Server Name field and then type 192.168.10.116 in the IP
Address field
o Click Create.
6. After configuring Web-Server-1, click Create. Repeat the step for the second server, Web-Server-2.
7. Once Servers are setup, add them as a back-end Service.
Log on to the NetScaler-A (192.168.10.15) configuration utility with the nsroot credentials
Create an HTTP service called “Web-Service1” that will be associated with the Web-Server-1 server.
o Click Add in the Services pane – the Load Balancing Service dialog box opens.
o Verify that HTTP is selected from the Protocol menu and 80 is entered in the Port field.
Now similarly create an HTTP service called “Web-Service2” that will be associated with the Web-
Server-2 server.
Begin the configuration of a “Web-Vip” load-balancing virtual server that will be associated with the
Web-Service1 and Web-Service2 services.
o Verify that HTTP is selected from the Protocol drop-down menu and that 80 is entered in
the Port field
o Click OK
o Click the “No Load Balancing Virtual Server Service Binding” option below Service to bind
the Services.
o Click the “1 Load Balancing Virtual Server Service Binding” option below Service to bind
the Services
Note: You may need to click Refresh on the top-right before the State shows as up.
Make sure you save the running configuration. Click the Floppy Disk icon and then click Yes to confirm saving the Running configuration.
9. Now the Web-Vip virtual server is up. Set the persistence to COOKIEINSERT and Time-out (mins)* field to 1.
o Select Edit
11. After all setup is complete, save the running configuration by clicking the Save icon in the upper-right corner of your NetScaler GUI. Make sure you save the running configuration: click the Floppy Disk icon and then click Yes to confirm saving the Running configuration.
Exercise Summary
In this exercise you have successfully configured Servers, Services, and a Virtual Server for Server Load Balancing on Citrix NetScaler.
Exercise 3 (CLI Command)
Creating Servers, Services and Load-Balancing Virtual
Servers
Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface logged on as the nsroot user for this task.
enable ns feature LB
add ns ip 192.168.10.125 255.255.255.0 -type VIP
add server web-server1 192.168.10.115
add server web-server2 192.168.10.116
add service web-service web-server1 HTTP 80
add service web-service1 web-server2 HTTP 80
add lb vserver Web-VIP HTTP 192.168.10.125 80 -persistenceType COOKIEINSERT -timeout 1 -lbMethod ROUNDROBIN -cltTimeout 180
bind lb vserver Web-VIP web-service
bind lb vserver Web-VIP web-service1
Exercise 4 (Configuration Utility)
Verify Load-Balancing Service is Active on Web
Servers
Overview
In this exercise you will verify that the configuration on the NetScaler is successful and that the load-balancing method is performing as configured.
2. Client request is handled by and load balanced to one of the 2 web servers.
Refresh the browser after 1 minute. With COOKIEINSERT persistence you are directed to the same server until the cookie expires (in this case, after 1 minute).
Now Web Server B is accessed, because round robin was selected as the load-balancing method: requests are alternately forwarded to each web server.
From NetScaler GUI navigate to Dashboard to monitor live sessions and NetScaler application state.
Return to the http://192.168.10.125 URL (Load Balanced Virtual Server URL) in your web
browser
Return to your NetScaler GUI page and you will see the number of HTTP Requests increasing and
matching the number of times you refreshed your Load Balanced URL.
Exercise Summary
In this exercise you have become familiar with the Citrix NetScaler, configured basic load-balancing services, and configured monitoring services in NetScaler.
Module 5
Content Switching
Content switching allows HTTP and HTTPS traffic requests to be intercepted and switched in a
method that is transparent to the client. A NetScaler system can switch static and dynamic content.
Content switching provides the ability to direct traffic and client requests to back-end services based
on an aspect of the request beyond the IP/port pair. Content switching allows the design of a
complex internal system to appear to the public behind a single IP address. As clients connect to
and request data from a single address, the NetScaler system examines the type of connection and
sends it to the appropriate back-end service.
The NetScaler system diverts the application requests transparently to the client and the
application, allowing the application to be managed separately from the hosting site.
Note: When switching both static and dynamic requests, you must configure one load-balancing virtual server for static requests and a separate load-balancing virtual server for dynamic requests.
When requests reach the content-switching virtual server, the NetScaler system applies the
content-switching policies to them. The requests are then routed to the appropriate load-balancing
virtual servers bound to the policies. The load-balancing virtual servers then send them to the
services.
The content-switching feature allows the NetScaler system to replace application logic for
redirecting traffic to servers. Content-switching virtual servers can send client requests only to other
virtual servers.
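As an added illustration in Python (not part of the lab and not NetScaler code), the model below shows what a content-switching virtual server does with a request: bound policies are evaluated in priority order, each hands the request to a load-balancing virtual server, and a request that matches no policy goes to the default load-balancing virtual server. It encodes both policies used later in this module, the URL prefix policy of Exercise 5 and the Accept-Language header policy of Exercise 6. The vserver names, VIP and port are the lab's; the Request class and the rule helpers are constructed for the example.

```python
"""Toy content-switching vserver: ordered policies targeting LB vservers (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    def header(self, name: str) -> str:
        """Case-insensitive header lookup, like HTTP.REQ.HEADER("name"); '' if absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


@dataclass
class CSPolicy:
    name: str
    rule: Callable[[Request], bool]
    target_lb_vserver: str     # CS vservers can only hand off to other vservers
    priority: int


@dataclass
class CSVServer:
    name: str
    vip: str
    port: int
    default_lb_vserver: Optional[str] = None
    policies: list = field(default_factory=list)

    def bind(self, policy: CSPolicy) -> None:
        self.policies.append(policy)

    def unbind(self, policy_name: str) -> None:
        self.policies = [p for p in self.policies if p.name != policy_name]

    def switch(self, req: Request) -> Tuple[Optional[str], Optional[str]]:
        """Return (lb_vserver_name, matched_policy_name). Lowest priority number
        wins; no match means the default LB vserver with policy None."""
        for pol in sorted(self.policies, key=lambda p: p.priority):
            if pol.rule(req):
                return pol.target_lb_vserver, pol.name
        return self.default_lb_vserver, None


def url_prefix_rule(prefix: str) -> Callable[[Request], bool]:
    """Classic-style URL rule such as the lab's '/url*'."""
    return lambda req: req.path.startswith(prefix)


def header_contains_rule(name: str, needle: str) -> Callable[[Request], bool]:
    """Default-syntax HTTP.REQ.HEADER(name).CONTAINS(needle): a plain substring test."""
    return lambda req: needle in req.header(name)


def exercise5_webswitch() -> CSVServer:
    """WebSwitch as bound in Exercise 5: urlswitch -> WebVip1, default WebVip2."""
    cs = CSVServer("WebSwitch", "192.168.10.125", 81, default_lb_vserver="WebVip2")
    cs.bind(CSPolicy("urlswitch", url_prefix_rule("/url"), "WebVip1", priority=100))
    return cs


def exercise6_webswitch() -> CSVServer:
    """WebSwitch after Exercise 6: urlswitch unbound, Language policy at priority 10."""
    cs = exercise5_webswitch()
    cs.unbind("urlswitch")
    cs.bind(CSPolicy("Language",
                     header_contains_rule("Accept-Language", "en"),
                     "WebVip1", priority=10))
    return cs


if __name__ == "__main__":
    cs = exercise6_webswitch()
    for lang in ("en-US,en;q=0.9", "de-DE,de;q=0.9", "fr-FR,fr;q=0.8,en;q=0.1"):
        req = Request("GET", "http://192.168.10.125:81/", {"Accept-Language": lang})
        print(lang, "->", cs.switch(req))
```

One thing the model makes visible: CONTAINS("en") is a plain substring match, so an Accept-Language value such as fr-FR,fr;q=0.8,en;q=0.1 (English listed last, with the lowest preference) still switches to WebVip1. A policy that should honour the client's first-choice language needs a more specific expression.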
Exercise 5 (Configuration Utility)
Content Switching
Overview
In this section, we will create a Content Switching Virtual Server that takes requests and directs
them to the appropriate web server. The policy that will be created looks for ‘/urlX’ within the URL
and directs the request to the Web server A. Requests without ‘/urlX’ are redirected to Web server
B.
Log on to the NetScaler-A (192.168.10.15) configuration utility with the nsroot credentials
Click Add in the Content Switching Virtual Servers pane – The Content Switching Virtual Server
dialog box opens.
Click OK
Click Done
3. Create two non-addressable Load Balancing Virtual Servers. Configure WebVip1 and WebVip2 as
HTTP with the Web-service1 and Web-service2 assigned respectively. Be sure to select ‘Non
Addressable’ in the IP Address Type. These virtual servers will be utilized in the content switching
virtual server as a method to direct traffic to each individual server. We select non addressable so
that we are able to assign a server to the content switch while not consuming an IP address on the
network behind the NetScaler.
Create a non-addressable “webvip1” load-balancing virtual server for the Web-Server-1 web server.
o Click OK – This action disables the IP address and Port fields. No VIP address is assigned
to this load-balancing virtual server
o Click No Load Balancing Virtual Servers Service Binding in the service section
o Click Bind
o Click OK
o Click Done
Similarly, create a non-addressable “webvip2” load-balancing virtual server for the Web-Server-2
web server.
o Click OK – This action disables the IP address and Port fields. No VIP address is assigned
to this load-balancing virtual server
o Click No Load Balancing Virtual Servers Service Binding in the service section
o Click Bind
o Click OK
o Click Done
4. Here is a summary of your Load Balancing Virtual servers thus far.
Note: You may need to click Refresh on the top-right before the
State shows as up
5. Create a Content Switching Policy. Configure the name and URL as urlswitch and /url* and create the
policy by clicking Create and then close.
Click Add in the Content Switching Policies pane. – The Create Content Switching Policy dialog box
opens.
Select Url
6. Insert the new content switching policy into the Content Switching Virtual Server that you created in step 1 of
this lab.
Click Edit
Click OK
Under Target Load Balancing Virtual Server, Click Click to select and select webvip1
7. Expand Default Load Balancing Virtual Server and select the webvip2 virtual server. You now have 1 CS
policy bound to webvip1 and webvip2 is set to the default load balancing virtual server.
Click Create
8. Test the configuration to observe the content-switching behavior.
You can verify that the content switching policy urlswitch directs requests containing /urlX to WebVip1. Not specifying /urlX directs you to WebVip2, the default load-balancing virtual server.
Exercise Summary
In this exercise you have configured Content Switching based on URL and tested that it works.
Exercise 5 (CLI Command)
Content Switching
Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface logged on as the nsroot user for this task.
enable ns feature cs
add cs vserver WebSwitch HTTP 192.168.10.125 81
add lb vserver WebVip1 HTTP 0.0.0.0 0
bind lb vserver WebVip1 Web-Service
add lb vserver WebVip2 HTTP 0.0.0.0 0
bind lb vserver WebVip2 Web-service1
add cs policy urlswitch -url '//url/url1*'
bind cs vserver WebSwitch -policyName urlswitch -targetLBVserver WebVip1
bind cs vserver WebSwitch -lbvserver WebVip2
Exercise 6
Bonus Content Switching Policy
Overview
In this section, we will unbind the urlswitch policy and create a new policy that detects languages
via the HTTP header set by the browser. We will redirect requests accordingly.
Unbind the original urlswitch policy from the WebSwitch Content Switching Virtual Server.
Click Edit
Select urlswitch
Click yes
Click Close
2. Add a new content switching policy into the Content Switching Virtual Server that you created in step 1 of
this lab. First make sure that you switch back to default syntax.
Select WebSwitch
Ensure that it shows Switch to Classic Syntax under the expression* box
3. Navigate back to the top, give the policy the name Language and select Expression
Select WebSwitch
Select Expression
4. Configure the new policy, Language, to detect the English language within the HTTP request header:
HTTP.REQ.HEADER("Accept-Language").CONTAINS("en")
Select Create
Note: When using the Expression Editor to create the expression, do not include the quotation marks, as the Expression Editor adds them for you. For example, just type Accept-Language for the header, not "Accept-Language".
5. Set the target of this policy to WebVip1, accept any messages about GoTo Expressions if you encounter
them here, and configure the Priority to 10. Verify the configuration and continue by clicking OK
Click Ok
Click Bind
Set priority to 10
Click Ok
Select Done
6. Test this content switching policy by heading to http://192.168.10.125:81 in Internet Explorer and set your
language to anything but English in the browser. You can find this under Tools, Internet Options, and
Languages. Navigate to Internet Explorer browser
Select settings
Click on tools
Once you switch from English you will be sent to WebVip2 instead of WebVip1 and the name of the
server will be changed from 'Web Server – A ' to 'Web Server – B'.
Exercise Summary
In this exercise you have become familiar with Citrix NetScaler content switching functionality: you configured a basic Content Switching virtual server and policies, and then an advanced content switching policy that detects the language field of an HTTP header.
Module 7
URL Transformation using the Rewrite Feature
Rewrite refers to the rewriting of some information in the requests or responses handled by the
NetScaler system. Rewriting can help in providing access to the requested content without
exposing unnecessary details about the website’s actual configuration. A few situations in which the
rewrite feature is useful are described below:
To improve security, the NetScaler can rewrite all the http:// links to https:// in the response body.
In an SSL offload deployment, the non-secure links in the response have to be converted into secure links. Using the rewrite option, you can rewrite all the http:// links to https:// to ensure that the outgoing responses from NetScaler to the client contain only secure links.
If a website has to show an error page, you can show a custom error page instead of the default 404 Error page.
If you want to launch a new website but keep using the old URL, you can use the rewrite option.
When a topic in a site has a complicated URL, you can rewrite it with a simple, easy-to-remember URL.
You can append the default page name to the URL of a website.
When you enable the rewrite feature, NetScaler can modify the headers and body of HTTP requests and responses.
For more information about the rewrite feature, including rewrite action and policy examples, see Citrix eDocs at http://edocs.citrix.com
1. Use an HTTP connection to the NetScaler-A (192.168.10.15) configuration utility logged on as the nsroot user for this task.
Log on to the NetScaler-A (192.168.10.15) configuration utility with the nsroot credentials
a. Create a new URL Transformation Profile named “Ferrysburg” by going to AppExpert, Rewrite, URL Transformation, Profiles and clicking Add. Fill in the Name field with “Ferrysburg” and click Create.
o Click on Add
o Type ferrysburg
o Select Create
2. Open the Ferrysburg profile by selecting it and clicking Edit, or double clicking. Add a new URL
Transformation Action by clicking ‘Insert’ at the bottom of the dialog window.
o Select ferrysburg
o Click on Edit
o Click on Insert
3. Configure the new URL Transformation Action “actFerrysburg”. URL Transformation Action is used to take
requests from url1 and respond via url2. The configuration for actFerrysburg is below.
o Select ferrysburg
o Click on Edit
o Click on Insert
o Select Ok
4. Click Insert if you have not already, verify that the action is enabled by the green checkbox under enabled
and click OK to close the dialog.
5. Create a new URL Transformation Policy by heading to AppExpert, Rewrite, URL Transformation, Policies and clicking Add. This new policy will be used to check if the URL contains "url1" and fire the URL Transformation Action that was added in steps 2 and 3. Add “Ferrysburg” for the name, attach the Ferrysburg Profile under the Profile drop down, and add the expression:
HTTP.REQ.URL.PATH.GET(1).CONTAINS("url1").
o Click Add
o HTTP.REQ.URL.PATH.GET(1).CONTAINS("url1")
o Select Done
o Select Create
Note: When using the Expression Editor to create the expression, do not include the quotation marks, as the Expression Editor adds them for you. For example, just type url1 for the value, not "url1".
6. Bind the new policy under the Default Global bind point. You will need to open the Policy Manager and select
Default Global, finally insert the newly created policy. Open and bind the policy by clicking Policy Manager.
Select Default Global and click Continue. Select the Ferrysburg policy at Priority 100. Finally click Bind
followed by Done.
o Select Default Global from the drop down menu under Bind Point* field
o Click on Click to select under Policy Binding and select Ferrysburg Policy
Select Bind
Select Create
Verify the policy is active and bound by checking for the green checkmark under Active. If it does not
show active, refresh the GUI by clicking on the refresh icon next to the “Help Icon”
7. Verify the Ferrysburg URL Transformation Policy is active by directing your web browser (New Incognito Window) to http://192.168.10.125/url1. You will see a response from URL2 from either Web-Server A or B if the policy is active and working correctly. You may have to close and re-open the browser.
enable ns feature rewrite
add transform profile Ferrysburg -type URL
set transform profile Ferrysburg -type URL -onlyTransformAbsURLinBody OFF
add transform action actFerrysburg Ferrysburg 1000 -state ENABLED
set transform action actFerrysburg -priority 1000 -reqUrlFrom '192.168.10.125/url1' -reqUrlInto '192.168.10.125/url2' -resUrlFrom '192.168.10.125/url2' -resUrlInto '192.168.10.125/url1' -state ENABLED
add transform policy Ferrysburg "HTTP.REQ.URL.PATH.GET(1).CONTAINS(\"url1\")" Ferrysburg
bind transform global Ferrysburg 100
show transform profile Ferrysburg
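The Python model below is an added illustration of what the commands above (and the GUI steps of this exercise) configure; it is not part of the lab and not NetScaler code. When the globally bound policy's rule fires, it applies the ENABLED action's -reqUrlFrom/-reqUrlInto mapping to the incoming request, and on the way back applies -resUrlFrom/-resUrlInto to the Location header and to URLs in the response body, honouring -onlyTransformAbsURLinBody. PATH.GET(1) is modelled as the first path element (assumed semantics), and the From values are matched as literal host+path prefixes rather than NetScaler's patterns, which is a simplification.

```python
"""Toy model of the URL Transformation feature as the Ferrysburg exercise sets it up."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


def path_get(path: str, n: int) -> str:
    """Toy HTTP.REQ.URL.PATH.GET(n): n-th '/'-separated path element, 1-based (assumed)."""
    parts = [p for p in path.split("/") if p]
    return parts[n - 1] if 0 < n <= len(parts) else ""


@dataclass
class TransformAction:
    """One 'set transform action' entry. From-values are matched here as literal
    host+path prefixes (a simplification of NetScaler's pattern matching)."""
    name: str
    priority: int
    req_url_from: str
    req_url_into: str
    res_url_from: str
    res_url_into: str
    state: str = "ENABLED"


@dataclass
class TransformProfile:
    name: str
    actions: List[TransformAction] = field(default_factory=list)
    only_transform_abs_url_in_body: bool = False   # the lab sets this OFF


@dataclass
class TransformPolicy:
    name: str
    rule: Callable[[str], bool]      # evaluated on the request path
    profile: TransformProfile
    priority: int = 100              # the lab binds Ferrysburg globally at 100


def transform_request(profile: TransformProfile, host: str, path: str):
    """Map the external host+path to the internal one using the first ENABLED action
    whose -reqUrlFrom prefix matches. Returns (host, path, action_or_None)."""
    full = host + path
    for act in sorted(profile.actions, key=lambda a: a.priority):
        if act.state == "ENABLED" and full.startswith(act.req_url_from):
            rewritten = act.req_url_into + full[len(act.req_url_from):]
            new_host, _, rest = rewritten.partition("/")
            return new_host, "/" + rest, act
    return host, path, None


def _replace_url(text: str, src: str, dst: str, absolute_only: bool) -> str:
    # Absolute URLs are always rewritten; bare paths only when the profile allows it.
    text = text.replace("http://" + src, "http://" + dst)
    if not absolute_only:
        src_path = "/" + src.partition("/")[2]
        dst_path = "/" + dst.partition("/")[2]
        text = re.sub(re.escape(src_path) + r"(?=[/?#\"'\s<]|$)", dst_path, text)
    return text


def transform_response(profile: TransformProfile, headers: dict, body: str,
                       act: Optional[TransformAction]) -> Tuple[dict, str]:
    """Undo the mapping on the way out (-resUrlFrom -> -resUrlInto) in the Location
    header and in the body, so the client never sees the internal URL."""
    if act is None:
        return headers, body
    headers = dict(headers)
    if "Location" in headers:
        headers["Location"] = _replace_url(headers["Location"], act.res_url_from,
                                           act.res_url_into, absolute_only=False)
    body = _replace_url(body, act.res_url_from, act.res_url_into,
                        profile.only_transform_abs_url_in_body)
    return headers, body


def apply_global_policies(policies: List[TransformPolicy], host: str, path: str):
    """Default Global bind point: the policy with the lowest priority number whose
    rule fires is applied. Returns (host, path, action, policy_name)."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.rule(path):
            new_host, new_path, act = transform_request(pol.profile, host, path)
            return new_host, new_path, act, pol.name
    return host, path, None, None


def ferrysburg_policies() -> List[TransformPolicy]:
    """The exercise's configuration, using the values from the CLI block above."""
    profile = TransformProfile("Ferrysburg")
    profile.actions.append(TransformAction(
        "actFerrysburg", 1000,
        "192.168.10.125/url1", "192.168.10.125/url2",
        "192.168.10.125/url2", "192.168.10.125/url1"))
    rule = lambda path: "url1" in path_get(path, 1)   # PATH.GET(1).CONTAINS("url1")
    return [TransformPolicy("Ferrysburg", rule, profile, priority=100)]
```

Because CONTAINS("url1") is a substring test, a request for /url10/... also fires the policy (and this prefix-based toy then rewrites it to /url20/...). If only the exact /url1 tree should be transformed, compare the path element for equality instead of using CONTAINS.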
Exercise 8 (Configuration Utility)
Bonus URL Transformation Policy
Overview
You will create a URL Transformation policy yourself. This policy will be used to transform the
Request URL named “SpringLake” and Respond with “/url3”. This configuration is used to cloak or
change the external view from the internal web server. The configurations for the bonus lab are below.
o Click on Add
o Type SpringLake
o Select Create
2. Open the SpringLake profile by selecting it and clicking Edit, or double clicking. Add a new URL
Transformation Action by clicking ‘Insert’ at the bottom of the dialog window.
o Select SpringLake
o Click on Edit
o Click on Insert
3. Configure the new URL Transformation Action “SpringLake”. URL Transformation Action is used to take
requests from url1 and respond via url2. The configuration for SpringLake is below.
o Select SpringLake
o Click on Edit
o Click on Insert
o Select Ok
4. Create a new URL Transformation Policy by heading to AppExpert, Rewrite, URL Transformation, Policies and clicking Add. This new policy will be used to check if the URL contains "SpringLake" and fire the URL Transformation Action that was added in steps 2 and 3. Add “SpringLake” for the name, attach the SpringLake Profile under the Profile drop down, and add the expression:
HTTP.REQ.URL.PATH.GET(1).CONTAINS("SpringLake").
o Click Add
o HTTP.REQ.URL.PATH.GET(1).CONTAINS("SpringLake")
o Select Done
o Select Create
Note: When using the Expression Editor to create the expression, do not include the quotation marks, as the Expression Editor adds them for you. For example, just type SpringLake for the value, not "SpringLake".
5. Bind the new policy under the Default Global bind point. You will need to open the Policy Manager and select
Default Global, finally insert the newly created policy. Open and bind the policy by clicking Policy Manager.
Select Default Global and click Continue. Select the SpringLake policy at Priority 100. Finally click Bind
followed by Done.
o Select Default Global from the drop down menu under Bind Point* field
o Click on Click to select under Policy Binding and select SpringLake Policy
Select Bind
Select Create
6. Verify the SpringLake URL Transformation Policy is active by directing your web browser to http://192.168.10.125/SpringLake. You will see a response from URL3 from either Web-Server A or B if the policy is active and working correctly. You may have to close and re-open the browser.
Exercise Summary
In this exercise you have become familiar with Citrix NetScaler rewrite functionality, configuring URL Transformation policies that transparently rewrite a request and hide the internal architecture of the web servers.
Module 9
Web Application Firewall
Organizations have a crucial need to protect their data and information from unauthorized users
and hackers. A network firewall does not provide enough protection against unauthorized access to
web applications. Rather, the best practice is to implement an application firewall in addition to a
network firewall to protect critical applications, especially those that contain customer and employee
data.
Application Firewall protects web applications from malicious attacks and unauthorized usage.
Application Firewall examines all incoming and outgoing traffic between protected web servers and
users for evidence of attacks or misuse of web server resources. It also blocks all known and
unknown attacks.
Application firewall can be run as a stand-alone implementation on the NetScaler hardware and
functions as a dedicated Application Firewall appliance. Application Firewall is also available as a
feature within the NetScaler Application Delivery System, which includes Application Firewall
functionality in addition to other NetScaler operating system features. Application Firewall integrated
with Citrix NetScaler is available with NetScaler Enterprise and Platinum editions.
The figure shows how application attacks are mounted. Application Firewall protects critical web
applications and defends the infrastructure of any organization from identity theft, lost revenue,
brand erosion and other negative outcomes caused by application attacks.
Exercise 9 (Configuration Utility)
Web Application Firewall
Overview
In this lab, we will begin working with the Application Firewall feature of NetScaler. We will test the security functionality of the AppFirewall through a web service called WebGoat that is served via both web servers in the environment.
First, create two new WebGoat services for both servers. Do this by going to Traffic Management, Load Balancing, Services, and adding the “webgoat-service” and “webgoat-service1”. The Protocol will be HTTP and the Server fields and Ports will be web-server1 port 8080 and web-server2 port 8080 respectively. Add a TCP monitor to the service and click Done.
Log on to the NetScaler-A (192.168.10.15) configuration utility with the nsroot credentials
Create an HTTP service called “Webgoat-Service” that will be associated with the Web-Server-1
server.
o Click Add in the Services pane – the Load Balancing Service dialog box opens.
o Verify that HTTP is selected from the Protocol menu and 8080 is entered in the Port field.
Similarly, create an HTTP service called “Webgoat-Service1” that will be associated with the Web-
Server-2 server.
o Click Add in the Services pane – the Load Balancing Service dialog box opens.
o Verify that HTTP is selected from the Protocol menu and 8080 is entered in the Port field.
2. Create a new “WebGoat-VIP” Load Balancing Virtual Server by going to Traffic Management, Load
Balancing, Virtual Servers, and clicking Add.
Begin the configuration of a “WebGoat-VIP” load-balancing virtual server that will be associated with
the WebGoat-Service and WebGoat-Service1 services.
o Verify that HTTP is selected from the Protocol drop-down menu and that 8080 is entered in
the Port field
o Click OK
o Click the “No Load Balancing Virtual Server Service Binding” option below Service to bind
the Services.
o Click the “1 Load Balancing Virtual Server Service Binding” option below Service to bind
the Services
3. Go to the Method and Persistence tab and choose Round Robin as the LB Method. Under the Persistence section choose COOKIEINSERT, Time-out ‘0’. Finally click OK.
5. NetScaler Application Firewall is able to utilize security signatures from various security vendors such as
Snort. These signatures are attached within policies that are created within this section. To begin we will
head to Security, Application Firewall, and Signatures. To download the latest signatures from Snort click
on *Default Signatures, select Action, and finally Update Version. Agree to the update by selecting Yes.
The latest security signatures will be downloaded.
Note: If Application Firewall is not enabled yet, that’s OK. You can still update the signatures. We will enable AppFirewall in subsequent steps.
o Select Action
Next we will need to define our own version of the *Default Signatures
6. The Add Signatures Object dialog opens and we will create a name, AppFWSignatures, and verify the
signatures that are being imported. Here we could select to block or not block various signatures. For the
purposes of this lab, we will leave the defaults selected. After glancing over the signatures, select OK.
7. Begin by enabling the Application Firewall feature. Do this by right clicking on Security, Application Firewall and clicking Enable Feature.
8. Add an AppFW profile by going to Security, Application Firewall, Profiles and clicking Add. Fill in the
Profile name “AppFWProfile”, select Web 2.0 Application, and choose Basic Defaults. Click on Create
and close the dialog.
o Select Add
o Type AppFWProfile
o Select Web 2.0 Application from the drop down menu under Profile Type
o Select Create
9. Configure the newly created AppFWProfile by double clicking on it. Head to the Security Checks tab. In the Start URL row unselect Block and select Log and Stat; in the Credit Card row select Log and Stat; in the HTML SQL Injection row select Block, Log and Stat.
o Next to the Start URL row unselect Block and select Log and Stat
o Next to the HTML SQL Injection row select Block, Log and Stat
10. Open the Credit Card profile by double clicking on it and change the status of each card to Protected. After
protecting each card, move to the General tab and select X-Out. Click OK twice to back out of all dialog
boxes.
o Select each Credit Card and click on the lock icon at the bottom left to protect the credit
cards
o Select X-Out
o Select Ok
11. Next, we will attach the AppFWSignatures to this profile. To do this we will move to the Settings tab and
scroll to the Common Settings field. Here we will select AppFWSignatures under the Signatures drop
down. Finally click OK and close the dialog
o Click OK
12. Now you will need to create an AppFirewall policy by going to Security, Application Firewall, Policies,
Firewall and clicking Add. Configure the Policy Name, Profile, and Expression as below. This step creates
a policy for AppFirewall called AppFWPolicy that links the recently created profile and adds an expression
to fire the policy or not. The expression used is “HTTP.REQ.IS_VALID”, which will trigger the AppFWProfile if the incoming connection is a valid HTTP request. Click Create and then Close once complete.
o Click Add
HTTP.REQ.IS_VALID
o Click Create
13. Now we have an Application Firewall policy but it is not bound; meaning it is not enabled. You will need to
enable the policy through the policy manager. Go to the policy manager by clicking Action and Policy
Manager.
14. Insert the AppFWPolicy into the Default Global policy. Do this by clicking the Default Global bind point,
selecting to Bind the Policy, by choosing the AppFWPolicy. Finally click Bind and then close once
complete.
o Select Default Global from the drop down menu under Bind Point*
o Click Continue
o Select Bind
Note: Binding the policy to the Default Global bind point will enable the policy on all Virtual
Servers that are available within the NetScaler. You are also able to bind policies to other
specific bind points such as Content Switching Virtual Servers, or even load balancing virtual
servers like in the image below
o Verify that the policy is enabled via the green check under Active.
15. Test the new Application Firewall policy via the WebGoat url that was configured earlier. You can enable and
disable the Application Firewall feature to test WebGoat security vulnerabilities with Application Firewall
enabled or disabled. You can do this by right clicking on Application Firewall under Security, Application
Firewall and selecting Disable Feature or Enable Feature, like in step 7 above:
Note: This makes for a quick way to see the before and after of protection.
16. Be sure to reset WebGoat each time with the "restart this lesson" link.
Note: To test with WebGoat, remember a couple of key points. Practice before a demo. Restart the
lesson after each exploit to test WebGoat, or it may not ‘work’ on subsequent tries. The NetScaler
needs to see the cookies and entire activity, so when you enable the WebApplicationFirewall feature,
open a fresh browser. A stale browser may not get the same effect, and in real life people are not
turning the WAF feature on and off like this.
IMPORTANT: Never try the attacks you learn here in the real world. Many times a newbie has
experienced disgrace by playing around and starting some undesirable consequences. Keep the hacks
to just WebGoat, or within a Contract and detailed Statement of Work. Ethical Hacking, etc.. etc..
NO SURPRISES.
Go back and turn the NetScaler WebApplicationFirewall off. You need to establish a baseline, and if the
WAF is on, it will block you by redirecting you to the root of TomCat. We have it configured to do this when
an exploit happens, so be careful not to follow a red herring. Go ahead and turn the WAF Feature off until
you have a hack working, then turn it on, and open a fresh browser, and start with WAF on to try it again…
17. If you leave the WAF on, success will redirect you to the TomCat Root like this:
It says "It Works" but it is not what you are looking for. NetScaler redirected you to the root because the
Redirect Rule in the WAF Profile is configured to do just that.
When WebGoat works, you stay within WebGoat and it congratulates you. Also, WebGoat is a tutorial. On
the first screen it tells you the answers are hidden at the top right under the solution link. Why not use that
and cut/paste where helpful?
18. Begin: To start the WebGoat Application, scroll down and click on start WebGoat:
o Navigate to http://192.168.10.125:8080/WebGoat/attack
o If you don’t receive the following page as shown below; close and open a new browser
You can see already your Application Firewall policy is taking hits:
19. For SQL injection go to Injection Flaws, String SQL Injection:
o Navigate to http://192.168.10.125:8080/WebGoat/attack
o On the left hand side select Injection Flaws and then click on String SQL Injection
o Click on Go!
We are modifying the select string, shown under the text field for convenience, and after the match criteria
you sneak in "or is true" to match everything, and get all of the data back. The Solution for this lesson shows
the example Erwin' OR '1'='1 (the outer ‘ticks’ are implied for you).
Note the “* Congratulations.”, and all the 'credit card examples'. They may well not be real credit card
numbers, and the NetScaler will use an algorithm to take action on for information leakage prevention and
DLP. It does not x-out the fake numbers. We will turn the NetScaler on and see it protect next.
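The credit-card handling just described, as an added example that is not code from the lab guide or from Citrix: a simplified model of the profile's -creditCardXOut on / -creditCardMaxAllowed 1 behaviour. It treats a candidate number as a card number only if it passes the Luhn checksum (an assumption about the "algorithm" the guide refers to; the real check also consults the selected card types), X-es out valid numbers except the last four digits, and reports whether more valid numbers were found than the profile allows. The response body and numbers in it are constructed test values.

```python
"""Added example (not code from the lab guide): a simplified model of the
Application Firewall credit-card check used in this module
(-creditCardXOut on, -creditCardMaxAllowed 1). Candidate numbers in a
response body are kept only if they pass the Luhn checksum (an assumption
about the "algorithm" the guide refers to), valid ones are X-ed out except
for the last four digits, and the function reports whether more valid
numbers were found than the profile allows. The response body below is
constructed; the numbers in it are made-up test values."""
import re

# 13 to 16 digits, optionally separated by spaces or dashes, on word boundaries.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def xout_cards(body, max_allowed=1):
    """Mask valid card numbers in body.

    Returns (masked_body, valid_count, exceeded) where exceeded mirrors the
    -creditCardMaxAllowed decision: more valid numbers than allowed.
    """
    found = 0

    def mask(match):
        nonlocal found
        raw = match.group(0)
        if not luhn_ok(re.sub(r"[ -]", "", raw)):
            return raw            # fails the checksum: left untouched
        found += 1
        return re.sub(r"\d", "X", raw[:-4]) + raw[-4:]

    masked_body = CANDIDATE.sub(mask, body)
    return masked_body, found, found > max_allowed


# Constructed response body in the spirit of the WebGoat lesson output.
SAMPLE_BODY = (
    "* Congratulations. You have successfully completed this lesson.\n"
    "Erwin   4111 1111 1111 1111\n"   # passes Luhn (well-known test number)
    "Sample  5500 0000 0000 0004\n"   # passes Luhn (well-known test number)
    "Bogus   1234 5678 9012 3456\n"   # fails Luhn: not a card number
)

if __name__ == "__main__":
    body, count, exceeded = xout_cards(SAMPLE_BODY)
    print(body)
    print("valid card numbers:", count, "| max exceeded:", exceeded)
```

Run it and the two Luhn-valid numbers come back as XXXX XXXX XXXX 1111 and XXXX XXXX XXXX 0004 while the bogus line is left alone, which is the "does not x-out the fake numbers" behaviour seen in the lesson; with two valid numbers against a maximum of one, the exceeded flag is what the profile's -creditCardAction would act on.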
20. Turn the WAF back on:
Try Again (close and open your browser, login guest / guest, Start WebGoat... set up accordingly).
o Navigate to http://192.168.10.125:8080/WebGoat/attack
o If you don’t receive the following page as shown below; close and open a new browser
o On the left hand side select Injection Flaws and then click on String SQL Injection
o Click on Go!
*** Well, It works is true. Application Firewall redirected you per your configuration for trying to hack.
21. Let’s check the logs:
o Click on Apply
One could use CLI and view the /var/log directory with a grep, but the tool is right there with a pull down
menu. Set the module to APPFW and have a look.
22. Let's stop blocking and keep playing with it. (You should be thinking to click on WebGoat's Restart Lesson link.)
Under WebApplicationFirewall in the NetScaler GUI, select the Profile and the Security Checks tab. Let's try "Transform" to neutralize the SQL tick. Double click on HTML SQL Injection (the line in the above screen shot where we unchecked the action can also be double clicked).
o Navigate to Security > Application Firewall > Profiles
o Click OK
23. Let's check the logs. Security – Application Firewall – Policies – Firewall – Auditing – Syslog messages
o Click on Apply
Gotcha! On a sniffer trace, you would see the Erwin part has double quotes now and not single quotes. Above, the WebGoat screen shot even calls it out: 'Erwin" OR "1"="1'. The double tick (") and single tick (') mean different things to SQL, so the transformed input no longer closes the string literal the application opened.
Ok, let's stop transforming and let you back into the site. By now you are used to going into the App Firewall Profile that our Globally Bound Policy is set to.
Click 'OK' on both windows, and let's go back and run WebGoat again. (I know you are thinking Restart the Lesson.)
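The String SQL Injection lesson and the Transform option just exercised, reproduced in Python as an added example that is not code from the lab guide, from WebGoat or from Citrix: a lookup that pastes the field into the SQL text (the lesson's pattern), the same lookup with a bound parameter (the application-side fix), and a simplified model of what -SQLInjectionTransformSpecialChars ON does to the single tick (an assumption about the check, not NetScaler's implementation). The table rows and card numbers are constructed.

```python
"""Added example (not code from the lab guide or from WebGoat): why the
String SQL Injection lesson returns every row, what a parameterized query
changes, and a simplified model of the Application Firewall "Transform
special characters" option. Table contents and card numbers are constructed."""
import sqlite3

# Constructed sample rows, loosely modelled on the WebGoat lesson table.
ROWS = [
    ("Erwin", "4111-1111-1111-1111"),  # made-up test number
    ("Ada", "5500-0000-0000-0004"),    # made-up test number
    ("Linus", "3400-0000-0000-009"),   # made-up test number
]

# The lesson's own solution string (the outer ticks are supplied by the app).
PAYLOAD = "Erwin' OR '1'='1"


def make_db():
    """In-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (last_name TEXT, cc_number TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, last_name):
    """The lesson's pattern: the field value is pasted into the SQL text,
    so a tick in the value closes the literal and the rest becomes SQL."""
    sql = ("SELECT last_name, cc_number FROM user_data "
           "WHERE last_name = '" + last_name + "'")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, last_name):
    """Hardened form: the value is bound as a parameter and is only ever
    compared as data, whatever characters it contains."""
    sql = "SELECT last_name, cc_number FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def transform_special_chars(value):
    """Simplified model (assumption) of -SQLInjectionTransformSpecialChars ON:
    single ticks in the request field are rewritten to double ticks before
    the request is forwarded, so the value can no longer close the string
    literal the application opened. The real check does more than this."""
    return value.replace("'", '"')


if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal input :", vulnerable_lookup(db, "Erwin"))
    print("concatenated, lesson input :", vulnerable_lookup(db, PAYLOAD))
    print("parameterized, lesson input:", safe_lookup(db, PAYLOAD))
    print("concatenated, transformed  :",
          vulnerable_lookup(db, transform_special_chars(PAYLOAD)))
```

The concatenated query returns all three rows for the lesson input, the parameterized query returns none (no last name literally equals the whole string), and the transformed input returns none even against the concatenated query, which is the "Gotcha" the syslog entry and the WebGoat screen show: the WAF transform protects an application that has not been fixed, but the bound parameter is the fix the application should carry regardless.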
add lb vserver WebGoat-VIP HTTP 192.168.10.125 8080 -persistenceType COOKIEINSERT -timeout 0 -lbMethod ROUNDROBIN
bind lb vserver WebGoat-VIP webgoat-service
bind lb vserver WebGoat-VIP webgoat-service1
en ns feature appfw
import appfw signatures 'local:_192_168_10_250_1434589897740/default_signatures.xml' AppFWSignatures
add appfw profile AppFWProfile -defaults basic
set appfw profile AppFWProfile -type HTML XML
set appfw profile AppFWProfile -creditCardAction log stats
set appfw profile AppFWProfile -creditCard amex dinersclub discover jcb mastercard visa
set appfw profile AppFWProfile -creditCardXOut on
set appfw profile AppFWProfile -creditCardMaxAllowed 1
set appfw profile AppFWProfile -startURLAction block log stats -startURLClosure OFF -denyURLAction block log stats -RefererHeaderCheck OFF -cookieConsistencyAction none -cookieTransforms OFF -cookieEncryption none -cookieProxying none -addCookieFlags none -fieldConsistencyAction none -CSRFtagAction none -crossSiteScriptingAction block log stats -crossSiteScriptingTransformUnsafeHTML OFF -crossSiteScriptingCheckCompleteURLs OFF -SQLInjectionAction block log stats -SQLInjectionTransformSpecialChars OFF -SQLInjectionCheckSQLWildChars OFF -fieldFormatAction block log stats -defaultFieldFormatMinLength 0 -defaultFieldFormatMaxLength 65535 -bufferOverflowAction bloc
set appfw learningsettings AppFWProfile -startURLMinThreshold 1 -startURLPercentThreshold 0 -cookieConsistencyMinThreshold 1 -cookieConsistencyPercentThreshold 0 -CSRFtagMinThreshold 1 -CSRFtagPercentThreshold 0 -fieldConsistencyMinThreshold 1 -fieldConsistencyPercentThreshold 0 -crossSiteScriptingMinThreshold 1 -crossSiteScriptingPercentThreshold 0 -SQLInjectionMinThreshold 1 -SQLInjectionPercentThreshold 0 -fieldFormatMinThreshold 1 -fieldFormatPercentThreshold 0 -XMLWSIMinThreshold 1 -XMLWSIPercentThreshold 0 -XMLAttachmentMinThreshold 1 -XMLAttachmentPercentThreshold 0
add appfw policy AppFWPolicy 'HTTP.REQ.IS_VALID' AppFWProfile
bind appfw global AppFWPolicy 100
Module 10
High Availability
A high availability deployment of two Citrix NetScalers can provide uninterrupted operation in any
transaction. In a high-availability pair configuration, only one system is active. This system, which is
known as the primary, actively accepts connections and manages servers. All shared IP addresses
are active on the primary system only.
The Secondary system monitors the health of the primary system. If the secondary system is in a
healthy state, it is ready to actively accept connections if the primary system is experiencing issues.
The process prevents downtime and ensures that the services provided by the NetScaler system
remain available even if one system ceases to function.
Note: High availability packets are sent untagged by default, which can be an issue with a switch that handles
tagged packets only.
A pair of NetScaler systems must be configured to become a high-availability pair. The process for
configuring a high-availability pair involves first configuring the primary node then configuring the
secondary node.
Citrix recommends that you set the status of the desired secondary node to stay secondary when
nodes are configured. This practice ensures that an accidental failover does not occur during the
configuration process, resulting in changes being made to the secondary rather than the primary
node. Any changes that are made to the secondary node are not propagated to the primary node.
In a high-availability configuration, you can designate which interfaces to monitor for failure events. A failover occurs when any monitored interface goes down. If a particular interface is not in use, or a failover is not required when it fails, the high-availability monitor on that interface should be disabled.
Step by step guidance
Step Action
1. We will need to activate its license. You will follow the same procedure as in the Licensing Lab, but you will use 192.168.10.17 as the NetScaler IP Address and the appropriate licenses for the NetScaler-B ("06e089e0b0f2.lic").
Refer to the Licensing Lab for detailed licensing instructions. Below you will see the appropriate configurations for the NetScaler-B.
o Username: nsroot
o Password: nsroot
2. We will also have to set the NetScaler Subnet IP (SNIP). We will use 192.168.10.18.
o Select the 2nd item labeled Subnet IP Address.
Upload the license file "06e089e0b0f2.lic". If not going through the wizard, license configuration can be found at System > Licenses > Update in the GUI.
o Select the 4th item labeled Licensing. Select "Upload files from a local computer". You will find the licenses in a folder located at C:\Licenses.
o This license folder is found in C:\Licenses. There is a total of 4 licenses; you will select "06e089e0b0f2.lic".
o Select Reboot
3. Enable High Availability by heading to System, High Availability on the NetScaler – B (192.168.10.17) and
Select (STAY SECONDARY). On NetScaler –A (192.168.10.15) select (STAY PRIMARY) and click on Add
button, specify the Remote Node IP Address (192.168.10.17) as below and click OK.
Under High Availability Status* select STAY SECONDARY (Remain in Listen Mode)
Click OK
Under High Availability Status* select STAY PRIMARY (Remain in Listen Mode)
Click OK
Verify that Configure remote system to participate in High Availability Setup, Turn off HA
Monitor on interfaces/channels that are down and Turn on INC (Independent Network
Configuration) mode on self-node are all selected
4. In a few moments as you refresh the high availability node (by clicking refresh symbol button in the top right
corner of the screen) you will see the synchronization state move from in progress to success.
On NetScaler A – 192.168.0.15, click the Refresh button in the upper-right corner of the
configuration utility window
On NetScaler B – 192.168.0.17, click the Refresh button in the upper-right corner of the
configuration utility window
Enable the NetScaler B – 192.168.0.17 Node State to actively participate in High Availability
o Select ENABLED (Actively Participate in HA) in the High Availability Status drop-down
list
o Click OK
Enable the NetScaler A – 192.168.0.15 Node State to actively participate in High Availability
o Select ENABLED (Actively Participate in HA) in the High Availability Status drop-down
list
o Click OK
Note: Node configuration options. Opening a node listed in this section of the high availability configuration lets you select advanced HA options. One to point out is HA Failsafe mode.
5. To enable management access control via a subnet IP you will head to System, Network, and IPs. Here
you will select the subnet IP 192.168.10.16. Click Open and select Enable Management Access control…
within the Application Access Controls section of the dialog window. Click OK.
Scroll down to the bottom and select Enable Management Access controls under Application
Access Controls tab.
Be sure to save your configuration by clicking the save disk at the top right of the web GUI.
To test high availability try turning off the primary node and watching as the secondary node takes over.
Additionally, you can select force failover from within the GUI.
Exercise Summary
In this exercise you have gotten familiar with the Citrix NetScaler High Availability functionality and
configuring a pair of highly available NetScalers, utilizing NetScaler-A, and NetScaler-B.
Use an SSH connection (PuTTY) to NetScaler-B (192.168.10.17) command-line interface logged on as the nsroot user for this task.
add ns ip 192.168.10.18 255.255.255.0 -type SNIP -arp ENABLED -icmp ENABLED -vServer ENABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -state ENABLED -icmpResponse NONE -ownerNode 255 -arpResponse NONE
set HA node -haStatus STAYSECONDARY -haSync ENABLED -haProp ENABLED -helloInterval 200 -deadInterval 3 -failSafe OFF -maxFlips 0 -maxFlipTime 0
Use an SSH connection (PuTTY) to NetScaler-A (192.168.10.15) command-line interface logged on as the nsroot user for this task.
set HA node -haStatus STAYPRIMARY -haSync ENABLED -haProp ENABLED -helloInterval 200 -deadInterval 3 -failSafe OFF -maxFlips 0 -maxFlipTime 0
add HA node 1 192.168.10.17 -inc ENABLED
Use an SSH connection (PuTTY) to NetScaler-B (192.168.10.17) command-line interface logged on as the nsroot user for this task.
set HA node -haStatus ENABLED -haSync ENABLED -haProp ENABLED -helloInterval 200 -deadInterval 3 -failSafe OFF
Use an SSH connection (PuTTY) to NetScaler-A (192.168.10.15) command-line interface logged on as the nsroot user for this task.
set HA node -haStatus ENABLED -haSync ENABLED -haProp ENABLED -helloInterval 200 -deadInterval 3 -failSafe OFF
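The failover decision behind the parameters used in this module, as an added example that is not code from the lab guide or from Citrix: a model of how the secondary treats the primary's hello packets under -helloInterval 200 (milliseconds) and -deadInterval 3 (seconds), and why -haStatus STAYSECONDARY is the guard the module recommends while configuring. Timestamps are constructed integer milliseconds; NetScaler's real HA protocol is not reproduced, only the decision the secondary has to make.

```python
"""Added example (not code from the lab guide): a small model of the
secondary node's failover decision under the HA parameters used in the CLI
above (-helloInterval 200, in ms, and -deadInterval 3, in s) and of the
-haStatus values STAYSECONDARY and ENABLED. Times are constructed integer
milliseconds; NetScaler's real HA protocol is not reproduced."""


class HaSecondary:
    """What the secondary tracks about the primary's heartbeat."""

    def __init__(self, hello_interval_ms=200, dead_interval_s=3, ha_status="ENABLED"):
        if dead_interval_s * 1000 < hello_interval_ms:
            raise ValueError("dead interval must cover at least one hello")
        self.hello_interval_ms = hello_interval_ms
        self.dead_interval_ms = dead_interval_s * 1000
        self.ha_status = ha_status          # ENABLED, STAYSECONDARY, ...
        self.last_hello_ms = None

    def observe_hello(self, now_ms):
        """Record a hello packet from the primary received at now_ms."""
        self.last_hello_ms = now_ms

    def primary_considered_dead(self, now_ms):
        """True once no hello has arrived for longer than the dead interval."""
        if self.last_hello_ms is None:
            return False
        return now_ms - self.last_hello_ms > self.dead_interval_ms

    def should_take_over(self, now_ms):
        """Failover requires a dead primary AND a status that allows it.
        STAYSECONDARY is the guard the guide recommends while configuring,
        so an accidental failover cannot happen at that stage."""
        return self.primary_considered_dead(now_ms) and self.ha_status == "ENABLED"


def run_scenario(ha_status, last_hello_ms=5000, check_at_ms=8100):
    """Primary sends hellos every interval until last_hello_ms, then goes
    silent; report whether the secondary would take over at check_at_ms."""
    node = HaSecondary(ha_status=ha_status)
    for t in range(0, last_hello_ms + 1, node.hello_interval_ms):
        node.observe_hello(t)
    return node.should_take_over(check_at_ms)


if __name__ == "__main__":
    print("ENABLED, 3.1 s silent      :", run_scenario("ENABLED"))
    print("ENABLED, 2.9 s silent      :", run_scenario("ENABLED", check_at_ms=7900))
    print("STAYSECONDARY, 3.1 s silent:", run_scenario("STAYSECONDARY"))
```

With the defaults the secondary takes over 3.1 s after the last hello but not at 2.9 s, and never while its status is STAYSECONDARY, which is why the module switches both nodes to ENABLED only after the configuration has synchronized.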
Module 11
Clustering
A NetScaler Cluster is a group of NetScaler nCore systems working together as a single system
image. Each system of the cluster is called a node. A NetScaler cluster can include as few as 2 or
as many as 32 NetScaler nCore hardware or virtual systems as nodes.
The client traffic is distributed between the nodes to provide high availability, high throughput, and
scalability.
A NetScaler cluster is formed by grouping NetScaler systems that satisfy requirements specified in
Hardware and Software Requirements. One of the cluster nodes is designated as a configuration
coordinator (CCO). As the name suggests, this node coordinates all cluster configurations. The
CCO also owns the cluster IP address which is the management address of the cluster. You
configure the cluster by accessing the CCO through the cluster IP address.
You cannot configure an individual node by accessing it through the NetScaler IP (NSIP) address.
Nodes accessed through the NSIP address are available in read-only mode. This means that you
can only view the configurations and the statistics.
The configurations performed through the cluster IP address are propagated to the cluster nodes
through a physical medium called the cluster backplane. The backplane is a logical grouping of
physical connections, as are the client data plane and the server data plane.
The VIP addresses that you define on a cluster are available on all the nodes of the cluster (striped
addresses). You can define MIP and SNIP addresses to be available on all nodes (striped
addresses) or only on a single node (spotted addresses). The details of traffic distribution in a
cluster depend on the algorithm used, but the same logical entities process the traffic in each case.
Traffic is distributed only to nodes that are in the ACTIVE state, both administratively and
operationally, and in the UP health state.
1. Before we start to configure clustering, we will need to disable high availability. To do this head to
NetScaler-A System, High Availability. Select the secondary node and click delete. Accept the prompt to
remove the selected node and remove the HA node from the remote system.
Accept the prompt to remove the selected node and remove the HA node from the remote system
2. First, save the configuration on the NetScaler-A. To do this, go to System and click on the save icon.
You also must save the configuration on NetScaler-B. To do this, go to System and click on the save icon.
3. Navigate to NetScaler-A. We will first create a cluster node by heading to System, Cluster, Nodes and clicking Add. A prompt stating that a cluster instance must be present will pop up. Add this instance by clicking Yes.
A prompt stating that a cluster instance must be present will pop up. Click Yes
Next, we will configure the cluster IP address for the cluster. Configure the cluster as below using
(192.168.10.130) be sure to select backplane interface 1/1. Continue by clicking create.
Select 1/1 interface from the drop down menu under Backplane interface*
Note: The below screenshot represents the Instance ID, not Node ID
4. A prompt will ask you to reboot before the changes take effect. Select No so that we are able to make one configuration change before the reboot.
Double click on the cluster node 192.168.10.15 and change the State to PASSIVE, verify the configuration
and continue.
Head to System and click Reboot. Be sure to select Save configuration and click OK.
5. Join the NetScaler to the Cluster
After the NetScaler-A reboots, login to the newly created Cluster Management IP at http://192.168.10.130.
Here we will select continue on the configuration page, as we will set this up later.
Click Continue
6. We will add NetScaler-B to the cluster by heading to System, Cluster, Nodes, and clicking Add. Configure
this node with the NetScaler-B information below.
Both the cluster node and configuration coordinator credentials are the standard NetScaler credentials you
have been using for this lab. Once you click Create you will be asked to reboot this node, accept the
prompt and wait for the NetScaler-B to join the cluster.
7. Verify that both nodes are in the PASSIVE admin state and INACTIVE operational state. Also, verify the
backplane configuration.
Note: You will have to wait a few moments while NS-B reboots. During this time, click the refresh
button next to save to refresh the view.
Here we will need to recreate a Subnet IP address for the NetScaler appliance cluster. We will head to
System, Network, IPs, and click Add. Fill out IP, Netmask, and Owner for the 192.168.10.16 SNIPs. Be
sure Subnet IP is selected as the IP Type for each IP Address and Owner Node is ALL_NODES.
Verify that ALL_NODES is selected from the drop down menu under Owner Node*
9. Configuring the Cluster State to Active
Configure the state of each cluster node to ACTIVE by heading to System, Cluster, and selecting each
node. Configure the state of each to ACTIVE.
Navigate to System > Cluster > Nodes and select node 192.168.10.15 Click Edit
10. Verify that both the admin and operational state of each node in the cluster is ACTIVE.
Note: You may have to refresh your view to see the new state
11. Define a Linkset
Create a Linkset by heading to System, Network, and Linkset. Click Add and configure the Linkset name
LS/1 and add interfaces 1/1/1 and 0/1/1 to the configured column of the dialog. Click Create.
Add interfaces 1/1/1 and 0/1/1 to the configured column of the dialog
Click on Create
Head to System, Settings and select Configure Modes. Configure the modes as below.
o Fast Ramp
o Edge Configuration
o Use Subnet IP
Click OK
13. Define NetScaler cluster load balanced virtual server
In this step, we will configure a simple load balanced server to test the cluster configuration. Below is the final configuration of the load balanced server. You will configure this server the exact same way you configured the load balance virtual server in the beginning of this lab. You will need to recreate the Web-Services. You can do this by clicking the '+' icon when binding services to the VIP.
Note: You can use the CLI reference at the end of the Load Balancing Module above to create the load balanced virtual server.
Type in the IP address of the Cluster Node (192.168.10.130) and click open
o enable ns feature LB
Exercise Summary
In this exercise you have gotten familiar with the Citrix NetScaler Clustering functionality: configuring a pair of clustered NetScalers utilizing NetScaler-A and NetScaler-B, configuring a linkset of interfaces, and creating a load balanced virtual server to test the clustered NetScaler instances.
Use an SSH connection (PuTTY) to NetScaler-A (192.168.10.15) command-line interface logged on as the nsroot user for this task.
add cluster instance 1
add cluster node 0 192.168.10.15 -state PASSIVE -backplane 0/1/1
enable cluster instance 1
save ns config
reboot -warm
add ns ip 192.168.10.130 255.255.255.255 -type CLIP
show cluster instance
show cluster node
Use an SSH connection (PuTTY) to Cluster IP (192.168.10.130) command-line interface logged on as the nsroot user for this task.
add cluster node 1 192.168.10.17 -state PASSIVE -backplane 1/1/1
show cluster node *expect unknown for now.
save ns config
Use an SSH connection (PuTTY) to NetScaler-B (192.168.10.17) command-line interface logged on as the nsroot user for this task.
join cluster -clip 192.168.10.130 -password nsroot
save ns config
reboot -warm
Use an SSH connection (PuTTY) to Cluster IP (192.168.10.130) command-line interface logged on as the nsroot user for this task.
show cluster node
add ns ip 192.168.10.16 255.255.255.0 -type SNIP -ownerNode 1
add ns ip 192.168.10.18 255.255.255.0 -type SNIP -ownerNode 2
***Node 1 already had this SNIP, so it may take some tweaking.
sh ip
set cluster node 0 -state ACTIVE
set cluster node 2 -state ACTIVE
show cluster node -should both be active.
***if a node stalls, do a rm cluster and a join cluster again.
sh ip
Add the link set. We can do CLAG and ECMP as options, but the all virtual lab is easiest with LinkSet.
Use an SSH connection (PuTTY) to Cluster IP (192.168.10.130) command-line interface logged on as the nsroot user for this task.
add linkset LS/1
bind linkset LS/1 -ifnum 0/1/1
bind linkset LS/1 -ifnum 1/1/1
show linkset LS/1
save ns config
Module 12
Global Server Load Balancing
Global Server Load Balancing (GSLB) directs DNS requests to the best-performing GSLB site in a
distributed internet environment. GSLB enables distribution of traffic across multiple sites, manages
disaster recovery, and ensures that applications are consistently accessible.
GSLB Concepts
GSLB is a DNS-based solution that load balances services between geographically distributed
locations. GSLB operates under many of the same general principles as load balancing, but it relies
on DNS for directing client requests.
With ordinary DNS, when a client sends a DNS request, it receives a list of IP addresses of the
domain or service. Generally, the client chooses the first IP address in the list and initiates a
connection with that server. The DNS server uses a technique called DNS round robin to cycle
through the IP addresses on the list, sending the first IP address to the end of the list and promoting
the others after it responds to each DNS request. This technique ensures equal distribution of the
load, but it does not support disaster recovery, load balancing based on load or proximity of
servers, or persistence.
When you configure GSLB and enable MEP, the NetScaler systems use the DNS infrastructure to
connect the client to the datacenter that best meets the criteria that you set. The criteria can
designate the least-loaded datacenter, the closest datacenter, the datacenter that responds most
quickly to requests from the client’s location, a combination of those metrics, or SNMP metrics. An
appliance keeps track of the location, performance, load, and availability of each datacenter and
uses these factors to select the datacenter to which a client request will be sent.
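The two DNS behaviours contrasted above, as an added example that is not code from the lab guide or from Citrix: RoundRobinDNS rotates its answer list after each reply the way ordinary DNS round robin does, and GslbDNS adds the one property this module relies on, handing out only sites whose state (as a NetScaler would learn it through MEP) is UP. The addresses are the lab's two web servers; the health table and query counts are constructed, and a resolver that always takes the first address is assumed.

```python
"""Added example (not code from the lab guide): a model of the two DNS
behaviours described above. RoundRobinDNS rotates its answer list after every
reply, the way ordinary DNS round robin does; GslbDNS also drops any site
whose state, as learned through MEP, is not UP, which is what gives GSLB the
disaster-recovery property that plain round robin lacks. The addresses are
the lab's two web servers; the health table and query counts are constructed."""
from collections import deque

SITES = ["192.168.10.125", "192.168.10.126"]


class RoundRobinDNS:
    """Ordinary DNS round robin: first address moves to the end of the list."""

    def __init__(self, addresses):
        self.addresses = deque(addresses)

    def answer(self):
        reply = list(self.addresses)
        self.addresses.rotate(-1)
        return reply


class GslbDNS(RoundRobinDNS):
    """GSLB-style ADNS: same rotation, but only UP sites are handed out."""

    def __init__(self, addresses, health):
        super().__init__(addresses)
        self.health = health          # address -> "UP" or "DOWN" (via MEP)

    def answer(self):
        return [a for a in super().answer() if self.health.get(a) == "UP"]


def client_picks(reply):
    """Typical resolver behaviour: take the first address in the list."""
    return reply[0] if reply else None


def simulate(dns, queries):
    """Address the client would connect to for each of `queries` lookups."""
    return [client_picks(dns.answer()) for _ in range(queries)]


if __name__ == "__main__":
    health = {"192.168.10.125": "UP", "192.168.10.126": "DOWN"}
    print("round robin   :", simulate(RoundRobinDNS(SITES), 4))
    print("gslb, 126 down:", simulate(GslbDNS(SITES, health), 4))
```

With both sites UP the GSLB answer alternates exactly like the ping test at the end of this module; with 192.168.10.126 DOWN, plain round robin still sends every second client to the dead site while the GSLB answer only ever names 192.168.10.125.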
A GSLB configuration consists of a group of GSLB entities on each appliance in the configuration.
These entities include GSLB sites, GSLB services, GSLB virtual servers, load-balancing, content-
switching, or Gateway virtual servers, and ADNS services.
GSLB Entities
A GSLB configuration includes entities on the NetScaler system that direct client traffic to
applications and resources. The following items are entities in a GSLB environment.
GSLB site
A GSLB site is typically a datacenter in which a NetScaler system is located. The terms “local site”
and “remote site” refer to the site in relation to the NetScaler systems in the GSLB deployment.
Each GSLB site is managed by a NetScaler system that is local to that site. Each of these systems
treats its own site as the local site and all other sites, managed by other systems, as remote sites.
GSLB service
A GSLB service is a representation of a load-balancing or content-switching virtual server, although
it can represent any type of virtual server. The GSLB service determines how incoming traffic is
routed.
ADNS Service
The ADNS service accepts incoming client requests for domains for which the NetScaler system is
authoritative.
Navigate to System > Cluster > Nodes and Select the node that is not the local node, in this
case 192.168.10.17, and click Remove.
Enter nsroot/nsroot for the credentials and click OK to remove the node
Repeat this step on the local node after the secondary node has been removed
Accept any warnings that appear in this step and be sure to close the Create Cluster Node dialog
box if it appears
2. Login to NetScaler-A and configure the Subnet IP Address and Netmask. Verify the configuration of the NSIP and continue. Verify that the correct licenses are applied to this appliance and continue. Finally, select Done. Repeat the process on the NetScaler-B; the configuration is below.
3. Next, we will configure the modes of both appliances. Configure the modes by heading to System,
Settings. Select Configure Modes and be sure that the modes are configured as below.
Ensure that the boxes are checked according to the screenshot shown below
Next, we will need to enable GSLB on both NetScalers. To do so we will need to enable Load Balancing
by heading to System, Settings, and clicking Configure Basic Features. From here, we will select
Load Balancing. You should do it for both NetScaler-A and NetScaler-B
Next, we will need to enable Global Server Load Balancing by clicking on Configure Advanced Features.
Here we will be sure to select Global Server Load Balancing. Leave the other options as they are
configured now.
Scroll down to the bottom and select Enable Management Access controls under Application
Access Controls tab.
5. Define GSLB Sites
While logged into the NetScaler-A, Configure a GSLB Site for both NetScalers, NS-A and NS-B. Be sure
to select the Type as either Remote or Local depending on which NetScaler you are currently configuring.
To do so head to Traffic Management, GSLB, Sites. The remaining configuration can be found in the two
images below (the pictures are provided for NetScaler-A).
Navigate to Traffic Management > GSLB > Sites and then click Add
Click Create
Navigate to Traffic Management > GSLB > Sites and then click Add
Click Create
Note: The NS-B Site Metric MEP Status will show as down until NS-B Site is configured on a
remote GSLB Site
Navigate to Traffic Management > GSLB > Sites and then click Add
While logged in to NetScaler-B, define a Load Balance Server to utilize within the GSLB configurations
that will occur in the next step. To do so head to Traffic Management, Load Balancing, Servers and
click Add. Configure the WebServer Name and IP Address.
Navigate to Traffic Management > Load Balancing > Servers and Click Add
7. Define GSLB Configuration on NetScaler-B
While logged in to NetScaler-B begin to configure GSLB by heading to Traffic Management, GSLB.
Select the GSLB, Virtual Servers
Navigate to Traffic Management > GSLB > Virtual Servers and Click Add
8. Verify the default GSLB parameters and continue.
9. Under the GSLB Services click on the Add button to begin to configure a service under local site.
o Navigate to Traffic Management > GSLB > Services and Click Add
o Type 192.168.10.125_gslb_srvc
o Type* is IP Based
o Port* 80
Create a new Virtual Server for this Service by clicking the Virtual Server icon next to the
drop-down list.
Under the Create Virtual Server dialog, define the WebVIP Name, IP Address as 192.168.10.125
and port as 80. Select Add under Services to create a new service for this Virtual Server.
o Click OK
10. Define the new service’s name as WebService, be sure that WebServer is the Server selected
and the port and protocol are 80 and HTTP, and finally ensure TCP default monitor is bound.
o Navigate to Traffic Management > Load Balancing > Services and Click Add
11. Configure the Load Balancing Method as Round Robin, and Persistence as COOKIEINSERT with
Time-out set to 1 min under the Method and Persistence tabs. Finally click done.
o Add Method tab from the right pane under advanced and set Load Balancing Method
as Round Robin
o Add Persistence from the right pane under advanced and set Persistence to
COOKIEINSERT Time-out to 1 min
12. While still logged in to NetScaler-B, create the Remote Service for NS-A. Configure the Service
IP as 192.168.10.126 and the Port as 80.
o Navigate to Traffic Management > GSLB > Services and Click Add
o Type 192.168.10.126_gslb_srvc
o Type* is IP Based
o Port* 80
o Add Service from the right pane under Advanced and Click on “0 GSLB Virtual
Server to GSLBService Bindings”
Note: The 192.168.10.126_gslb_srvc might show down at first until you configure the service on
NS-A
13. Define Load Balancing Server for NetScaler-B
While logged in to NS-B, define a Load Balance Server to utilize within the GSLB configurations that will
occur in the next step. To do so head to Traffic Management, Load Balancing, Servers and click Add.
Configure the WebServer1 Name and IP Address. Click Create and then Close.
Navigate to Traffic Management > Load Balancing > Servers and Click Add
While logged in to NetScaler-A begin to configure GSLB by heading to Traffic Management, GSLB.
Select Virtual Servers. Add, and define the Domain Name as www.webserver.com. Verify the additional
configuration below.
Navigate to Traffic Management > GSLB > Virtual Servers and Click Add
Add the Domain binding from the right side menu
15. Accept the default GSLB Parameters and begin to configure the GSLB sites. Click on the Services and
Configure the Service IP as 192.168.10.125 and Port as 80. Click Create.
Navigate to Traffic Management > GSLB > Services and Click Add
Type 192.168.10.125_gslb_srvc
Type* is IP Based
Port* 80
Click OK
16. Add a new service for NS-A. Configure the Service IP and Port as 192.168.10.126 and 80 and click on
the new virtual server icon.
Navigate to Traffic Management > GSLB > Services and Click Add
Type 192.168.10.126_gslb_srvc
Type* is IP Based
Port* 80
Create a new Virtual Server for this Service by clicking the Virtual Server icon next to the
drop-down list.
17. Configure the Web-Vip’s name, IP Address, and port as below. Click on the Add button under
Services to create a new Service.
Under the Create Virtual Server dialog, define the Web-Vip Name, IP Address as 192.168.10.126
and port as 80. Select Add under Services to create a new service for this Virtual Server.
o Enter 192.168.10.126 under IP Address*
o Click OK
Configure the WebService1’s name; verify the Server configuration; and configure the Protocol
and Port, finally ensure the default TCP monitor is bound and click done.
o Navigate to Traffic Management > Load Balancing > Services and Click Add
18. Configure the Load Balancing Method as Round Robin, and Persistence to COOKIEINSERT with
Time-out set to 1min under the Method and Persistence tab. Finally click done.
Click on “0 Load Balancing Virtual Server Service Binding”
Add Method tab from the right pane under advanced and set Load Balancing Method as Round
Robin
Add Persistence from the right pane under advanced and set Persistence to COOKIEINSERT
Time-out to 1 min
o Add the Service tab on the right hand side pane under Advanced
o Click “No GSLB Virtual Server to GSLBService Binding”
Login to NetScaler B (192.168.10.17) and create an ADNS service so that we can test our GSLB
configurations on the client machine. To do this head to Traffic Management, Load Balancing, Services
and click Add. Configure the Service Name as DNS, the Server as 192.168.10.135, the Protocol as
ADNS, and the Port as 53.
Click Add
Click Ok
20. Configure the Client’s DNS
Configure the newly created DNS Server on the client machine as the preferred DNS server as
192.168.10.135
Click on Properties
21. Verify the GSLB Configuration using the GSLB Visualizer
Head to the main GSLB page by going to Traffic Management, GSLB. Open the GSLB Visualizer by
clicking GSLB Visualizer under Settings
22. Verify GSLB Connectivity using Ping and a Web Browser
Open the Windows Command prompt and run ping www.webserver.com. You should see pings from
either server 125 or 126. Wait a few moments and try again. You should see the GSLB Round Robin LB
method change your DNS resolution to the other server.
Test your GSLB configuration via Internet Explorer. Open an internet explorer window and head to
www.webserver.com.
Exercise Summary
In this exercise you have gotten familiar with the Citrix NetScaler GSLB functionality by configuring a pair of NetScalers, NetScaler-A and NetScaler-B, for Global Server Load Balancing.
Exercise 12 (CLI Command)
Global Server Load Balancing
Use an SSH connection (PuTTY) to NetScaler– A (192.168.10.15) command-line interface logged on as the nsroot user
for this task.
add ns ip 192.168.10.16 255.255.255.0 -type SNIP -arp ENABLED -icmp ENABLED -vServer ENABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -state ENABLED -icmpResponse NONE -ownerNode 255 -arpResponse NONE
disable ns mode L2 USIP CKA TCPB MBF SRADV DRADV IRADV SRADV6 DRADV6
enable ns feature LB
set ns ip 192.168.10.16 -netmask 255.255.255.0 -arp ENABLED -icmp ENABLED -vServer DISABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -hostRoute DISABLED -icmpResponse NONE -arpResponse NONE
add gslb site NS-A LOCAL 192.168.10.16 -publicIP 192.168.10.16 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS
add gslb site NS-B REMOTE 192.168.10.18 -publicIP 192.168.10.18 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS
add gslb service 192.168.10.125_gslb_srvc 192.168.10.125 HTTP 80 -publicIP 192.168.10.125 -siteName NS-B -state ENABLED -cip DISABLED -sitePersistence NONE -cookieTimeout 0 -maxBandwidth 0 -maxAAAUsers 0 -monThreshold 0 -appflowLog ENABLED
add gslb service 192.168.10.126_gslb_srvc 192.168.10.126 HTTP 80 -publicIP 192.168.10.126 -publicPort 80 -siteName NS-A -state ENABLED -cip DISABLED -sitePersistence NONE -cookieTimeout 0 -maxBandwidth 0 -maxAAAUsers 0 -monThreshold 0 -appflowLog ENABLED
add service webservice1 webserver1 HTTP 80 -cacheable NO -pathMonitor NO -pathMonitorIndv NO -sc OFF -rtspSessionidRemap OFF -CustomServerID None -maxBandwidth 0 -accessDown NO -state ENABLED -downStateFlush ENABLED -IPMapping 0.0.0.0 -appflowLog ENABLED -td 0 -processLocal DISABLED
add service DNS 192.168.10.135 ADNS 53 -cacheable NO -pathMonitor NO -pathMonitorIndv NO -sc OFF -rtspSessionidRemap OFF -CustomServerID None -maxBandwidth 0 -accessDown NO -state ENABLED -downStateFlush ENABLED -IPMapping 0.0.0.0 -appflowLog ENABLED -td 0 -processLocal DISABLED
Use an SSH connection (PuTTY) to the NetScaler-B (192.168.10.17) command-line interface, logged on as the nsroot user, for this task.
add ns ip 192.168.10.18 255.255.255.0 -type SNIP -arp ENABLED -icmp ENABLED -vServer ENABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -state ENABLED -icmpResponse NONE
disable ns mode L2 USIP CKA TCPB MBF SRADV DRADV IRADV SRADV6 DRADV6
enable ns feature LB
disable ns feature IC SSLVPN AAA REWRITE AppFw
set ns ip 192.168.10.18 -netmask 255.255.255.0 -arp ENABLED -icmp ENABLED -vServer DISABLED -telnet ENABLED -ftp ENABLED -gui DISABLED -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting DISABLED -hostRoute DISABLED -icmpResponse NONE -arpResponse NONE
add gslb site NS-A REMOTE 192.168.10.16 -publicIP 192.168.10.16 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS
add gslb site NS-B LOCAL 192.168.10.18 -publicIP 192.168.10.18 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS
add gslb service 192.168.10.126_gslb_srvc 192.168.10.126 HTTP 80 -publicIP 192.168.10.126 -siteName NS-A -state ENABLED -cip DISABLED -sitePersistence NONE -cookieTimeout 0 -maxBandwidth 0 -maxAAAUsers 0 -monThreshold 0 -appflowLog ENABLED
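A GSLB pair only exchanges metrics when both appliances describe the same sites with the same IPs, each calling itself LOCAL and its peer REMOTE, and each referencing sites that actually exist. The following Python script is an added example (not part of this lab guide or of NetScaler) that parses the `add gslb site` and `add gslb service` lines from the two CLI blocks above and reports any mismatch between the peers. The two configuration strings are copied from the exercise; the parser only understands the option syntax used on this page.

```python
"""Cross-check the GSLB site and service definitions of two NetScaler peers."""
from dataclasses import dataclass, field

# Constructed input: the GSLB-related lines from the NetScaler-A and NetScaler-B
# CLI exercise above, one string per appliance (trailing options trimmed).
NS_A_CONFIG = """
add gslb site NS-A LOCAL 192.168.10.16 -publicIP 192.168.10.16 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS
add gslb site NS-B REMOTE 192.168.10.18 -publicIP 192.168.10.18 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS
add gslb service 192.168.10.125_gslb_srvc 192.168.10.125 HTTP 80 -publicIP 192.168.10.125 -siteName NS-B -state ENABLED
add gslb service 192.168.10.126_gslb_srvc 192.168.10.126 HTTP 80 -publicIP 192.168.10.126 -publicPort 80 -siteName NS-A -state ENABLED
"""
NS_B_CONFIG = """
add gslb site NS-A REMOTE 192.168.10.16 -publicIP 192.168.10.16 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS
add gslb site NS-B LOCAL 192.168.10.18 -publicIP 192.168.10.18 -metricExchange ENABLED -nwMetricExchange ENABLED -sessionExchange ENABLED -triggerMonitor ALWAYS
add gslb service 192.168.10.126_gslb_srvc 192.168.10.126 HTTP 80 -publicIP 192.168.10.126 -siteName NS-A -state ENABLED
"""


@dataclass
class GslbSite:
    name: str
    site_type: str          # LOCAL or REMOTE, relative to the appliance parsed
    ip: str
    options: dict = field(default_factory=dict)


@dataclass
class GslbService:
    name: str
    ip: str
    protocol: str
    port: int
    options: dict = field(default_factory=dict)


def _parse_options(tokens):
    """Turn '-publicIP 1.2.3.4 -state ENABLED ...' tokens into a dict."""
    opts = {}
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            opts[tokens[i][1:]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts


def parse_gslb_config(text):
    """Return ({site name: GslbSite}, {service name: GslbService}) for one appliance."""
    sites, services = {}, {}
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] == ["add", "gslb", "site"]:
            name, site_type, ip = tokens[3:6]
            sites[name] = GslbSite(name, site_type, ip, _parse_options(tokens[6:]))
        elif tokens[:3] == ["add", "gslb", "service"]:
            name, ip, proto, port = tokens[3:7]
            services[name] = GslbService(name, ip, proto, int(port), _parse_options(tokens[7:]))
    return sites, services


def audit_gslb_pair(config_a, config_b):
    """Return human-readable findings describing inconsistencies between two peers."""
    sites_a, services_a = parse_gslb_config(config_a)
    sites_b, services_b = parse_gslb_config(config_b)
    findings = []
    # Every site must exist on both peers with the same IP, and exactly one peer
    # must call it LOCAL (the other REMOTE); otherwise metric exchange cannot pair up.
    for name in sorted(set(sites_a) | set(sites_b)):
        a, b = sites_a.get(name), sites_b.get(name)
        if a is None or b is None:
            findings.append(f"site {name} is missing on {'A' if a is None else 'B'}")
            continue
        if a.ip != b.ip:
            findings.append(f"site {name} IP differs: A={a.ip} B={b.ip}")
        if {a.site_type, b.site_type} != {"LOCAL", "REMOTE"}:
            findings.append(f"site {name} is {a.site_type} on A and {b.site_type} on B")
    # Every GSLB service must reference a defined site and be known to both peers.
    for label, sites, services in (("A", sites_a, services_a), ("B", sites_b, services_b)):
        for svc in services.values():
            site = svc.options.get("siteName")
            if site not in sites:
                findings.append(f"service {svc.name} on {label} references undefined site {site}")
    for name in sorted(set(services_a) ^ set(services_b)):
        findings.append(f"service {name} is missing on {'B' if name in services_a else 'A'}")
    return findings


if __name__ == "__main__":
    for finding in audit_gslb_pair(NS_A_CONFIG, NS_B_CONFIG) or ["GSLB peers are consistent"]:
        print(finding)
```

Run against the exercise's own commands, the audit reports that NetScaler-B defines only the 192.168.10.126 GSLB service while NetScaler-A defines both; the site definitions themselves mirror correctly.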
Exercise 13 (Bonus)
Bonus Configure GSLB for WebGoat
Overview
In this exercise you will configure GSLB for WebGoat using the www.webgoat.com GSLB domain.
Module 14
Admin Partitions
The NetScaler ADC provides an infrastructure called admin partitions that can be used to logically
partition a NetScaler ADC.
This means that each admin partition can function as a logical NetScaler ADC.
The following graphical representation shows a NetScaler ADC as a multi-tenant platform that can
be used to service multiple customers, departments, or applications.
Exercise 14 (Configuration Utility)
Admin Partitions
Step by step guidance
Step Action
1. Create users for Admin Partitions
2. Add 2 users with the user names Admin-A and Admin-B. Set both passwords to password1. You can also set the CLI Prompt as shown below. Click Save to save each user, and Done to finish.
o Click Save
o Click Done
o Click Save
o Click Done
3. Create the Admin Partitions
Navigate to Configuration > System > Partition Administration > Partitions and click Configure
Add the Partition with the configuration settings below, and click Continue
4. Bind user Admin-A to the Company-A partition by expanding Users and clicking Insert. Click Save and then Done to complete.
o Click on No User
o Click insert
5. Create a second partition, Company-B, by repeating the same steps as for Company-A. Remember to bind the Admin-B user to the Company-B partition.
o Bind user Admin-B to the Company-B partition by expanding Users and clicking Insert. Click Save and then Done to complete.
o Click on No User
o Click Insert
Now that you have created the 2 partitions, configure each one independently with its own settings. To do this, first switch to the Company-A partition: open the partition menu at the top of the screen and select Company-A.
6. Navigate to Configuration > System > Settings, and select Configure Modes
Select only User Source IP, and MAC Based Forwarding, click OK
7. Now while under Configuration > System > Settings select Configure Basic Features
Navigate to Configuration > Traffic Management, and expand. Note that Load Balancing, and SSL
Offload are enabled and Content Switching is not.
8. Navigate back up to the Partitions menu and switch to partition Company-B; click Yes again to confirm the submission.
Navigate to Configuration > System > Settings, and select Configure Modes.
Note that the modes configured by default differ from the ones we selected in the Company-A partition. Leave these at their defaults.
9. Now while under Configuration > System > Settings select Configure Basic Features
This time, since we are in the Company-B partition, select SSL Offload and Content Switching. Click OK.
Exercise Summary
In this exercise you created 2 users to own partitions, created 2 independent partitions and bound a separate user to each, and configured the partitions independently of each other with different settings.
Exercise 14 (CLI Command)
Admin Partitions
Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface, logged on as the nsroot user, for this task.
add system user Admin-A 'password1' -externalAuth DISABLED -promptString Company-A -timeout 900 -logging DISABLED
add system user Admin-B 'password1' -externalAuth DISABLED -promptString Company-B -timeout 900 -logging DISABLED
add ns partition Company-A -maxBandwidth 5120 -minBandwidth 10240 -maxConn 1024 -maxMemLimit 10
add ns partition Company-B -maxBandwidth 5120 -minBandwidth 10240 -maxConn 1024 -maxMemLimit 10
In partition Company-A:
enable ns feature LB
In partition Company-B:
stat ns partition
enable ns feature CS
disable ns feature REWRITE
Exercise 15
Bonus Admin Partitions
Overview
In this exercise, create a third user and a third partition. Configure this partition with the following settings:
5120 kbps Minimum Bandwidth
Use Source IP only
SSL offload, Load Balancing, and Content switching
Module 16
Data Stream
Overview
The NetScaler® DataStream™ feature provides an intelligent mechanism for request switching at
the database layer by distributing requests based on the SQL query being sent.
When deployed in front of database servers, a NetScaler ensures optimal distribution of traffic from
the application servers and Web servers. Administrators can segment traffic according to
information in the SQL query and on the basis of database names, usernames, character sets, and
packet size.
You can either configure load balancing to switch requests based on load balancing algorithms, or refine the switching criteria by configuring content switching to decide based on SQL query parameters. You can further configure monitors to track the state of the database servers.
Note: NetScaler DataStream is supported only for MySQL and MS SQL databases. For information
about the supported protocol version, character sets, special queries, and transactions, see the
Appendix NetScaler DataStream Reference.
Exercise 16 (Configuration Utility)
Data Stream
Overview
The demo environment consists of 2 SQL Server instances replicating an OLTP (Online
Transactional Processing) and DW (Data Warehouse) database setup.
Many organizations use this type of setup to capture and process data efficiently: the OLTP database is used primarily for transactional SQL work (creates, updates, inserts), and the DW database stores the data in a schema designed so that it can be queried quickly.
It is extremely important for organizations to be able to understand their data. Microsoft has released many features to help DBAs (Database Administrators) with this scenario, but these features are typically structured in a tiered licensing model, which can be expensive and complex to deploy.
The Citrix NetScaler DataStream feature is included in all editions of NetScaler. DataStream can improve database performance by understanding the SQL transactions and switching the content dynamically to the appropriate database. At the same time, by default it manipulates the TDS protocol to enable SQL Server-side connection multiplexing, reducing SQL Server overhead and shortening transaction time.
2. Add 2 Database Servers
Navigate to Traffic Management > Load Balancing > Servers
Add your MSSQL_OLTP Server (Server Name & IP Address)
o Server Name: MSSQL_OLTP
o IP Address: 192.168.10.12
o Click Create
Add your MSSQL_DW Server (Server Name & IP Address)
o Server Name: MSSQL_DW
o IP Address: 192.168.10.13
o Click Create
3. Add a Monitor
Note: You have now created a monitor that will check with the SQL Server instances on the NS
Database and query it expecting 0 rows returned.
4. Add the SQL Server Services
5. Bind the monitor created in the previous step to both services just created
6. Add the load balancing virtual servers and bind each to a service
Note: We selected ‘Non Addressable’ to demonstrate the conservation of IPv4 addresses. The Load Balancing
Virtual Servers will represent an IP of 0.0.0.0. This is done because users will access the VIP of the CS server and all
communication is done internally to the Load Balancing servers.
We are also leaving the default Load Balancing ‘Method’ as ‘Least Connection’
7. Add a content switch Action to NetScaler
Note: You now should have 2 actions: Writes and Reads bound to the 2 Load Balancing Virtual Servers
8. Add a content switching policy to NetScaler
Navigate to Traffic Management > Content Switching > Policies
Click Add
Type MSSQL_CS_Reads under Name*
Select Reads from the Action drop down menu
Under Expression enter MSSQL.REQ.QUERY.COMMAND.CONTAINS("select")
Click Create
Add another MSSQL_CS_Writes policy
Click Add
Type MSSQL_CS_Writes under Name*
Select Writes from the Action drop down menu
Under Expression input:
MSSQL.REQ.QUERY.COMMAND.CONTAINS("create")||MSSQL.REQ.QUERY.COMMAND.CONTAINS("insert")
Click Create
Note: The purpose of these policies is to let the NetScaler identify, from the content of the SQL query, which transactions are writes and which are reads.
9. Create a Content Switching Virtual Server
Navigate to Traffic Management > Content Switching > Virtual Servers
Click Add
Type MSSQL_CVS1 under Name* field
Select ‘MSSQL’ from the ‘Protocol’ drop down
Select ‘IP Address’ from the ‘IP Address Type’ drop down
Enter 192.168.10.150 under 'IP Address' (this is the address users will connect to with a DB client such as SQL Server Management Studio)
Input 1433 under port
Click Continue
Bind the 2 policies created in previous step to the Content Switching Virtual Server. You will
have to assign each binding a priority. 100, 110 will work.
o Click on No Content Switching Policy Bound
o Click on Click to select
o Select MSSQL_CS_Reads
o Enter 100 under Priority
o Click Bind
o Click on 1 Content Switching Policy Bound
o Click on Click to select
o Select MSSQL_CS_Writes
o Enter 110 under Priority
o Click Bind
o Click Ok
o Click on 0 Default Switching Policy Bound
o Click on Click to select
o Select MSSQL_LB_DW
o Enter 110 under Priority
o Click Bind
o Click Ok
Note: You now have configured a Content Switching Virtual Server that has the 2 Load Balancing Virtual Servers
bound via the Actions we also created.
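Steps 8 and 9 route a query by evaluating the bound policies in ascending priority order (100 before 110), taking the first match (the CLI version uses -gotoPriorityExpression END) and falling back to the default MSSQL_LB_DW target. Because the expressions are plain CONTAINS substring tests, a statement is routed by the first literal it happens to contain, not by what it does. The Python model below is an added example, not NetScaler code or part of the lab: it mirrors that evaluation order for the two policies on this page and lists the statements that would be sent to the wrong tier. Two assumptions are labelled in the code: the write target name MSSQL_LB_OLTP is a placeholder (the lab does not name it), and CONTAINS is treated as a case-sensitive literal match.

```python
"""Model the content-switching decision made by the MSSQL policies in steps 8 and 9."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Assumption: the NetScaler CONTAINS operator is modelled as a case-sensitive
# literal substring test. Check the text mode in effect on a real appliance.
def contains(*needles: str) -> Callable[[str], bool]:
    """Mimic MSSQL.REQ.QUERY.COMMAND.CONTAINS(a) || CONTAINS(b) || ..."""
    return lambda command: any(needle in command for needle in needles)


@dataclass(frozen=True)
class CsPolicy:
    name: str
    priority: int                  # lower number is evaluated first
    matcher: Callable[[str], bool]
    target: str                    # load balancing vserver the action points at


# The two policies bound in step 9. MSSQL_LB_DW is the target named in the CLI
# exercise; MSSQL_LB_OLTP is a placeholder for the unnamed writes target.
POLICIES = [
    CsPolicy("MSSQL_CS_Reads", 100, contains("select"), "MSSQL_LB_DW"),
    CsPolicy("MSSQL_CS_Writes", 110, contains("create", "insert"), "MSSQL_LB_OLTP"),
]
DEFAULT_TARGET = "MSSQL_LB_DW"      # default switching policy bound in step 9

# Which tier each target is meant to serve.
INTENT_BY_TARGET = {"MSSQL_LB_DW": "read", "MSSQL_LB_OLTP": "write"}

# Constructed test statements: (T-SQL text, what the statement actually does).
SAMPLE_QUERIES: List[Tuple[str, str]] = [
    ("select top 10 * from orders", "read"),
    ("insert into orders values (1, 'x')", "write"),
    ("create table audit_log (id int)", "write"),
    ("INSERT INTO orders VALUES (2, 'y')", "write"),        # upper case, no match
    ("insert into archive select * from orders", "write"),   # write containing 'select'
    ("update orders set qty = 2 where id = 1", "write"),     # no policy covers UPDATE
]


def route(command: str, policies=POLICIES, default=DEFAULT_TARGET) -> Tuple[str, str]:
    """Return (policy name, target) the way first-match-by-priority evaluation would."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.matcher(command):
            return policy.name, policy.target
    return "default", default


def find_misrouted(samples=SAMPLE_QUERIES, policies=POLICIES, default=DEFAULT_TARGET):
    """Return (statement, policy, target) for statements sent to the wrong tier."""
    misrouted = []
    for command, intent in samples:
        policy, target = route(command, policies, default)
        if INTENT_BY_TARGET[target] != intent:
            misrouted.append((command, policy, target))
    return misrouted


if __name__ == "__main__":
    for command, policy, target in find_misrouted():
        print(f"{command!r} matched {policy} -> {target}")
```

The three misrouted statements show the cases a practitioner should test before relying on such policies: an upper-case INSERT that matches nothing and falls to the warehouse default, an INSERT ... SELECT that the higher-priority reads policy claims first, and an UPDATE that neither policy mentions.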
10. How to Demonstrate Content Switching using SQL Queries via Microsoft Management Studio:
Add all 3 instances to SSMS (SQL Server Management Studio) using the database user created and added to NetScaler: the first instance, the second instance, and the Content Switching Virtual Server.
Ignore any warning such as the one shown and click OK.
Right Click on the Content Switching Virtual Server, and select ‘New Query’
To test the 'reads' policy use the following query:
11. Launch a new query
Right Click on the Content Switching Virtual Server, and select ‘New Query’
Note: This query is designed to create a database on the appropriate server. The database name is "NEW_TEST_DB".
To confirm that it is working as expected, navigate to the GIM_OLTP database and expand the database catalog. You will see that the new database now exists in this instance, because that is where the write policy is bound to.
Exercise Summary
In this exercise you familiarized yourself with DataStream for MS SQL Server, created and configured database load balancing and content switching, and worked with the MS SQL Server database tools.
Exercise 16 (CLI Command)
Data Stream
Use an SSH connection (PuTTY) to the NetScaler-A (192.168.10.15) command-line interface, logged on as the nsroot user, for this task.
add lb monitor MSSQL_mon1 MSSQL-ECV -userName dsu -LRTM DISABLED -resptimeoutThresh 0 -retries 3 -failureRetries 0 -alertRetries 0 -successRetries 1 -IPMapping 0.0.0.0 -state ENABLED -reverse NO -transparent NO -ipTunnel NO -tos NO -secure NO -database ns -sqlQuery 'select * from test' -evalRule 'MSSQL.RES.ATLEAST_ROWS_COUNT(0)' -mssqlProtocolVersion 2012 -storedb DISABLED
enable ns feature cs
add cs action reads -targetLBVserver MSSQL_LB_DW
add cs vserver MSSQL_CVS1 -td 0 MSSQL 192.168.10.150 -range 1 1433 -state ENABLED -stateupdate DISABLED -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -redirectPortRewrite DISABLED -downStateFlush ENABLED -disablePrimaryOnDown DISABLED -insertVserverIPPort OFF -Listenpolicy none -mssqlServerVersion 2008R2 -l2Conn OFF -appflowLog ENABLED -icmpVsrResponse PASSIVE -RHIstate PASSIVE
bind cs vserver MSSQL_CVS1 -policyName MSSQL_CS_Reads -priority 100 -gotoPriorityExpression END -type REQUEST
bind cs vserver MSSQL_CVS1 -policyName MSSQL_CS_Writes -priority 110 -gotoPriorityExpression END -type REQUEST
Module 17
AAA for Traffic Management
Overview
Most networks concentrate their user credentials in one centralized location. This aids in
management and security. The NetScaler system can use common authentication, authorization,
and auditing (AAA) systems for its system users. AAA can also be applied to traffic passing through
it.
AAA for Application Traffic uses authentication virtual servers to provide AAA functionality for load
balancing and content switching traffic. This allows the NetScaler to perform authentication,
authorization, auditing functionality in front of traffic management virtual servers. This gives
administrators the ability to provide single sign-on, access control, session, and traffic policy
capabilities for non-VPN traffic. AAA for Application Traffic uses the NetScaler to manage access
requirements for multiple web sites without needing full VPN style connectivity.
AAA for Application Traffic uses many of the same policy types and design concepts as the SSL VPN functionality, but streamlined for access control only.
Exercise 17 (Configuration Utility)
AAA for Traffic Management
Overview
The AAA feature supports authentication, authorization, and auditing for all application traffic. To
use AAA, you must configure authentication virtual servers to handle the authentication process
and traffic management virtual servers to handle the traffic to web applications that require
authentication.
Login with:
o Username: Training\administrator
o Password: Citrix123
2. Open the Start menu, type Active Directory Users and Computers, and click it
3. Fill out the fields for the new user (in our example the username is "aaauser") and click Next.
o Type aaauser under the Name field
o Type Password1 for the password
o Click Next
o Select Password never expires
o Click Next and then Finish
5. Select "Forward Lookup Zones" from the left-hand menu pane, then double-click the Training.lab zone
Right-click on the white space and select "New Host (A or AAAA)"
6. Add a host entry for the load balancing VIP.
o Hostname: WebServer
o IP Address: 192.168.10.125
7. Add a second host entry for the AAA VIP (click OK and Done once complete)
o Hostname: aaavs
o IP Address: 192.168.10.175
8. We are also going to add 2 additional DNS entries for the SAML exercise later in this lab.
Note: You will not be able to access the IPs or hosts below until the SAML exercise.
o Hostname: aaasp
o IP Address: 192.168.10.176
o Hostname: aaaidp
o IP Address: 192.168.10.177
Note: To verify that the DNS entries are correct, open a command prompt (Run as Administrator) on your machine and ping both FQDNs that were just created in DNS. If the ping test is unsuccessful, run the following commands to flush the DNS cache on the machine, then retry the ping test.
ipconfig /flushdns
ipconfig /registerdns
9. Creating an LDAP policy on NetScaler using Active Directory
11. Scroll down to Other Settings and enter the following values.
Server Logon Name Attribute: sAMAccountName
Group Attribute: memberOf
Sub Attribute Name: cn
You have now successfully created a directory server for authentication. The next step is to create a policy.
13. Create the LDAP policy using the following values from the screenshot below. (ns_true)
Type LDAP under Name*
Select ns_true from the Saved Policy Expressions tab in the Expression Editor box
15. Provide the following values for the certificate. Screenshot below, and click OK once finished
Type AAA under Certificate File Name*
Type aaavs.training.lab under Fully Qualified Domain Name*
Under Country select UNITED STATES
You have now created and installed a Server Test Certificate. We will bind this Certificate to our
AAA vServer that we create in subsequent sections.
16. Create an AAA virtual server
Navigate to Security > AAA-Application Traffic > Virtual Servers, and click Add
Provide the Basic Settings using the following values and click Ok when finished.
o Name: AAA-vs
o IP Address: 192.168.10.175
o Protocol: SSL
o Port: 443
o Authentication Domain: Training.lab
17. The next step is to create the Server Certificate. You will see the Certificate menu appear once you click OK in the previous step.
19. Bind the LDAP policy: select Primary as the Type and click Continue.
Bind the LDAP policy created in the previous steps, leave the priority at 100, and click Bind to finish.
Finally click Continue at the bottom of the Authentication Virtual Server screen, and then Done to complete.
After clicking the refresh button your AAA vServer should show green, representing an Up state.
20. Bind the AAA vServer to the Load Balancing vServer created in earlier steps. If the config has been erased, refer to the CLI commands in Exercise 3 to restore the Load Balancing configuration.
21. Provide the values for the Authentication option as shown below and click OK when finished.
o Select Form Based Authentication
o Type aaavs.training.lab under Authentication FQDN
o Select AAA-vs from the dropdown menu under Authentication Virtual Server
Finally click Done. You have now bound the AAA vServer to your load balanced vServer. The purpose of this is to authenticate users against LDAP before they can access the backend web servers.
22. Testing the AAA-TM vServer
To test with a web browser, open a new private or incognito browser window and navigate to the FQDN of the load balancing Virtual IP address (http://webserver.training.lab).
You should now be able to log in with the aaauser created in earlier steps
o User name: aaauser
o Password: Password1
add ssl certKey AAA -cert AAA-root.cert -key AAA-root.key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30
Module 18
AAA SAML Assertion
The Security Assertion Markup Language (SAML) is an XML-based standard for
exchanging authentication and authorization tokens between servers which authenticate
users (the Identity Provider or IdP) and servers that host user applications (Service
Providers). The NetScaler ADC supports SAML authentication and authorization with HTTP
POST binding, in which the ADC responds to user requests with a 200 OK that contains an auto-posting form carrying the required authentication token.
The NetScaler ADC supports attribute extraction from SAML assertions, and encrypted
SAML assertions. The NetScaler implementation of SAML allows signing certificates of less
than 2048 bits, but displays a warning message. It also supports the SHA256 hash
algorithm for signatures and digests. Citrix recommends that all signing certificates be of at
least 2048 bits, and that you use SHA256 as SHA-1 is no longer considered secure.
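The recommendation above (SHA256 rather than SHA-1) is one of several things a Service Provider must check on every assertion it receives, alongside the issuer, the audience, the destination and the validity window; if any of them is wrong the token should be rejected even when the signature itself verifies. The Python script below is an added example and is not NetScaler code or part of this lab: it reads a SAML Response with the standard library XML parser and reports which of those policy checks fail. It deliberately does not verify the XML signature cryptographically (that needs an XML-DSig library and the IdP certificate); the constructed sample response reuses the lab's issuer, ACS URL and audience, and its signature and digest values are placeholders, not real signatures.

```python
"""Policy checks a SAML 2.0 Service Provider applies to an assertion it receives."""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Standard XML Signature algorithm identifiers for the recommended algorithms.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"

# Values from the lab: IdP issuer, SP audience and Assertion Consumer Service URL.
LAB_ISSUER = "aaaidp.training.lab"
LAB_AUDIENCE = "http://webserver.training.lab"
LAB_ACS = "http://webserver.training.lab/samlauth"
LAB_NOW = datetime(2015, 5, 1, 10, 2, 0)          # inside the sample's validity window
LAB_WINDOW_END = datetime(2015, 5, 1, 10, 5, 0)   # equals NotOnOrAfter, so no longer valid

# Constructed sample response: lab identifiers, but signed with SHA-1 algorithms.
# SignatureValue and DigestValue are placeholders, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="http://webserver.training.lab/samlauth">
  <saml:Issuer>aaaidp.training.lab</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>aaaidp.training.lab</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>aaauser</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-05-01T10:00:00Z" NotOnOrAfter="2015-05-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://webserver.training.lab</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    """SAML timestamps are UTC with a trailing Z; parsed here as naive UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def check_saml_response(xml_text, expected_issuer, expected_audience, expected_acs, now):
    """Return a list of findings; an empty list means every policy check passed.

    Signature bytes are NOT verified here; that step needs an XML-DSig library.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != expected_acs:
        findings.append(f"Destination {root.get('Destination')} is not our ACS {expected_acs}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["response carries no Assertion"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        findings.append(f"unexpected Issuer {issuer!r}")
    sig_method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig_method is None:
        findings.append("assertion is not signed")
    else:
        if sig_method.get("Algorithm") != RSA_SHA256:
            findings.append(f"SignatureMethod {sig_method.get('Algorithm')} is not rsa-sha256")
        for digest in assertion.findall("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS):
            if digest.get("Algorithm") != SHA256_DIGEST:
                findings.append(f"DigestMethod {digest.get('Algorithm')} is not sha256")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"Audience {audiences} does not include {expected_audience}")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        findings.append("assertion has no Conditions (no validity window)")
    else:
        not_before = _parse_time(conditions.get("NotBefore"))
        not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
        if not (not_before <= now < not_on_or_after):
            findings.append(f"assertion not valid at {now.isoformat()}Z")
    return findings


def check_lab_sample(xml_text=SAMPLE_RESPONSE, now=LAB_NOW, audience=LAB_AUDIENCE):
    """Run the checks with the lab's issuer, ACS and audience."""
    return check_saml_response(xml_text, LAB_ISSUER, audience, LAB_ACS, now)


if __name__ == "__main__":
    for finding in check_lab_sample() or ["assertion passes all policy checks"]:
        print(finding)
```

On the sample as written, only the two SHA-1 algorithm findings are reported; swapping the algorithm URIs for the SHA256 ones clears them, and moving the clock to NotOnOrAfter or changing the expected audience produces the corresponding finding instead.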
Exercise 18 (Configuration Utility)
AAA SAML Assertion
Step Action
1. Create a SAML policy
Navigate to Security > AAA Application Traffic > Policies > Authentication > Basic Policies >
SAML
Select the “Servers” tab, and click Add
Fill out the following parameters in the appropriate fields, and click OK when finished.
o Name: saml-sp
o IDP Certificate Name : Select the AAA certificate created earlier
o Redirect URL: https://aaaidp.training.lab/saml/login
o Signing Certificate Name: Select the AAA certificate created earlier
o Issuer Name: aaaidp.training.lab
o Authentication Class Types: Password
o SAML Binding: Post
o Select Create
3. Fill out the parameters in their appropriate fields, and click Create once finished.
o Name: saml-pol
o Server: Select the server created in the previous steps (saml-sp)
o Expression: ns_true
4. Create a SAML IdP policy
o Navigate to Security > AAA Application Traffic > Policies > Authentication > Basic Policies > SAML IDP
Fill out the parameters in their appropriate fields, and click Create once finished
o Name: saml-idp-prof
o Assertion Consumer Service Url (ACS): http://webserver.training.lab/samlauth
o SP Certificate Name: Select the AAA certificate created earlier (AAA)
o IDP Certificate Name: Select the same AAA certificate created earlier (AAA)
o Issuer Name: aaaidp.training.lab
o Audience: http://webserver.training.lab
5. Select the Policies tab, and click Add
Fill out the parameters in their appropriate fields, and click Create once finished
o Name: saml-idp-pol
o Action: select the profile we just created (saml-idp-prof)
o Expression: HTTP.REQ.URL.CONTAINS("saml")
6. Creating the Service Provider (SP) and Identity Provider (IdP) AAA vServers
Navigate to Security > AAA > Application Traffic > Virtual Servers, and select Add
Provide the Basic Settings for the SP (Service Provider) AAA vServer, and click OK once complete
o Name: aaasp.training.lab
o IP Address: 192.168.10.176
o Authentication Domain: Training.lab
7. Bind the AAA Server Certificate created in earlier steps, and click Continue once completed
8. Select the + icon on Basic Authentication Policies
Choose SAML as the policy and Primary as the type, and click Continue
9. Bind the saml-pol policy we created as the SP policy in earlier steps. Click Bind to continue
10. Create the IdP AAA vserver
Navigate back to Security > AAA > Application Traffic > Virtual Servers, and select Add
Provide the Basic Settings for the IdP (Identity Provider) AAA vServer, and click OK once complete
o Name: aaaidp.training.lab
o IP Address: 192.168.10.177
o Authentication Domain: Training.lab
11. Bind the AAA Server Certificate created in earlier steps, and click Continue once complete
o Click on No Server Certificate and select AAA
o Click Continue
13. First, bind the SAMLIDP policy.
o Select SAMLIDP from the drop-down menu under Choose Policy*
o Select Primary for the type
14. Next, bind the saml-idp-pol created in earlier steps. Click Bind to continue
o Click on Click to select and select saml-idp-pol
15. Click the + icon again on Basic Authentication Policies; we will now bind the LDAP policy created earlier.
Select LDAP as the policy and Primary as the type. Click Continue once complete
o Select LDAP from the drop-down menu under Choose Policy*
o Select Primary for the type
Bind the LDAP policy created earlier and click Bind to continue.
o Priority: 100
16. Bind the SP AAA vServer to the Load Balancing WebServer
o Navigate to Traffic Management > Load Balancing > Virtual Servers, and edit the existing Web-Vip virtual server.
o Locate the Authentication tab. If an authentication vServer is already bound from the previous AAA exercise, we will override it now.
o Select the Edit icon on the Authentication settings, and add the following:
Select Form Based Authentication
Authentication FQDN: aaasp.training.lab
Authentication Virtual Server: Select aaasp.training.lab
17. Test the SAML assertion flow (open an incognito browser)
o In your web browser navigate to http://webserver.training.lab, and note that it redirects you to https://aaaidp.training.lab/saml/login. Click Advanced to proceed.
Click Proceed to aaaidp.training.lab (unsafe). This warning appears because we are using a test certificate for lab purposes.
You are now directed to the AAA IdP vServer for authentication.
Log in with the AAA user credentials created in earlier steps.
o Username: aaauser
o Password: Password1
Exercise Summary
In this section you configured NetScaler as a Service Provider (SP) endpoint in a SAML 2.0 assertion, configured NetScaler as an Identity Provider (IdP) endpoint in a SAML 2.0 assertion, and completed a successful SP-initiated assertion flow using NetScaler as both endpoints.
add authentication vserver aaasp.training.lab SSL 192.168.10.176 -range 1 443 -state ENABLED -authentication ON -AuthenticationDomain training.lab -td 0 -appflowLog ENABLED
add authentication vserver aaaidp.training.lab SSL 192.168.10.177 -range 1 443 -state ENABLED -authentication ON -AuthenticationDomain training.lab -td 0 -appflowLog ENABLED
pq OFF -sc OFF -rtspNat OFF -m IP -dataOffset 0 -sessionless DISABLED -connfailover DISABLED -cacheable NO -soMethod NONE -soPersistence DISABLED -soPersistenceTimeOut 2 -healthThreshold 0 -redirectPortRewrite DISABLED -downStateFlush ENABLED -insertVserverIPPort OFF -disablePrimaryOnDown DISABLED -AuthenticationHost aaasp.training.lab -Authentication ON -authn401 OFF -authnVsName aaasp.training.lab -push DISABLED -pushLabel none -pushMultiClients NO -l2Conn OFF -oracleSer
About Citrix
Citrix Systems, Inc. designs, develops and markets technology solutions that enable information
technology (IT) services. The Enterprise division and the Online Services division constitute its two
segments. Its revenues are derived from sales of Enterprise division products, which include its
Desktop Solutions, Datacenter and Cloud Solutions, Cloud-based Data Solutions and related
technical services and from its Online Services division's Web collaboration, remote access and
support services. It markets and licenses its products directly to enterprise customers, over the Web, and through systems integrators (SIs), and indirectly through value-added resellers (VARs), value-added distributors (VADs) and original equipment manufacturers (OEMs). In July
2012, the Company acquired Bytemobile, provider of data and video optimization solutions for
mobile network operators.
http://www.citrix.com