Installing NetScaler
Installing:
Download .ovf - then configure
In vsphere - deploy from .ovf
Change default nsroot password
Give the NetScaler an IP address for management (NSIP) and one for internal comms (Subnet IP, SNIP)
Apply licence - the licence is mapped to the MAC address of the primary interface of the NetScaler
Upgrading Netscaler:
Read Release notes.
The upgrade wizard is Java based and will need the correct Java version to run
Go to configuration > system > upgrade wizard
Upload the update files in the wizard, check "move files to flash" and "automatically reboot". If using Chrome and it keeps showing a message to wait for the Java app, open Chrome with the --no-sandbox switch before updating.
Network Time and Backing up Config
Configuration > settings > time
Set up the NTP server, then enable NTP sync with the actions button
Save running configuration
Configuration tab > save button in top right
Save backups to other locations
Netscaler > system > backup and restore
IP address management
Configure the NetScaler with a virtual IP (VIP) to act as a virtual server. Each virtual server configured on the NetScaler needs its own VIP
Configure a subnet IP (SNIP) for each subnet the NetScaler has an interface in
Routing and ip networks
Create a SNIP for each interface
Enter static routes for any other networks that are reached via the SNIP networks
High Availability
Configure a twin NetScaler with the same config as the primary NetScaler
Can be set up active-passive - the primary owns the VIPs, SNIPs and MIPs
When setting up HA make sure the secondary is set to STAY SECONDARY before enabling syncing, so that the primary config does not get replaced with the blank config from the secondary.
On secondary netscaler Go to configuration > High availability > Nodes > edit > (high availability status) - STAY SECONDARY -
On Primary do the same but set to - STAY PRIMARY -
To configure HA on the primary go to: configuration > system > high availability > add nodes > add the IP of the secondary NS plus its username and password (this auto-configures the secondary)
Once the sync has completed and you have confirmed there are no issues, change the HA status on both nodes from STAY PRIMARY / STAY SECONDARY to ENABLED to enable HA.
Load Balancing
To setup load balancing you need:
LB Virtual server - protocol, VIP, port
Service - what server, protocol, port.
Real server - IP, hostname
Topology: <Virtual Server>---<Service>---<Server>
Virtual server objects are bound to service objects, service objects are bound to server objects.
A monitor can be added to the service to check it is working correctly to prevent traffic being sent to down servers
To configure the load balancing:
Configure servers first:
Configuration > traffic management > load balancing > servers > Add server
Add details for servers which will be load balanced
Configure Services:
Configure a service for each server
Configuration > traffic management > load balancing > services > add service
You can select the server the service is assigned to in the drop down list when creating the service
Bind the monitor to the service, select monitors
Bind load balancing monitor to the service eg http monitor to http services
Create the Virtual server
Configuration > traffic management > load balancing > virtual servers > add
Configure the virtual server with a virtual IP (this is the IP the users connect to - for a website it is the IP address the DNS record points to)
Then add the protocol and port to the virtual IP
Then bind the virtual server to the services set up earlier
For a virtual server IP to work the NetScaler needs a SNIP in the same network as the VIP; that is what gives it a route to the network and tells it which interface to use
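The server > service > virtual server chain above, written out as the NetScaler CLI equivalent of the GUI steps, as an added example rather than anything from the original notes. The service naming scheme (svc_<server>_<port>), the sample addresses and the "http" monitor name are constructed for the example; the SNIP-in-same-subnet rule from the last step is enforced before any VIP is emitted.

```python
import ipaddress

# Added example (not NetScaler's own tooling): emit the CLI lines for
# server -> service (+ monitor) -> LB virtual server, in the order the
# notes configure them. Names and addresses below are constructed.

def vip_has_snip(vip, snips):
    """True if some SNIP (given as 'ip/prefix') is in the same subnet as the VIP.
    Without one the NetScaler has no route/interface for the VIP's network."""
    addr = ipaddress.ip_address(vip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in snips)

def lb_config(vserver, vip, port, protocol, snips, servers, monitor="http"):
    """Return CLI lines for an LB vserver fronting the given (name, ip) servers."""
    if not vip_has_snip(vip, snips):
        raise ValueError(f"VIP {vip} has no SNIP in its subnet; add one first")
    lines = []
    # 1. servers first, one service per server, monitor bound to each service
    for name, ip in servers:
        svc = f"svc_{name}_{port}"
        lines.append(f"add server {name} {ip}")
        lines.append(f"add service {svc} {name} {protocol} {port}")
        lines.append(f"bind service {svc} -monitorName {monitor}")
    # 2. the virtual server users connect to (the IP that DNS points at)
    lines.append(f"add lb vserver {vserver} {protocol} {vip} {port}")
    # 3. bind the services to the virtual server
    for name, _ in servers:
        lines.append(f"bind lb vserver {vserver} svc_{name}_{port}")
    return lines

if __name__ == "__main__":
    # constructed sample: SNIP 10.0.1.10/24, VIP 10.0.1.50, two web servers
    sample = lb_config("lb_web", "10.0.1.50", 80, "HTTP", ["10.0.1.10/24"],
                       [("web1", "10.0.2.11"), ("web2", "10.0.2.12")])
    print("\n".join(sample))
```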
Certificates on NetScaler
Installing a CA signed certificate:
Generate RSA key pair:
Traffic management > SSL > Create RSA Key
Select a file name and key size in bits (2048), key format and encoding, and protect the key with a password
Create cert signing request:
Traffic management > SSL > Create certificate signing request
select file for request and fill out details for org
Once created you can view it under manage certificates / keys / CSRs; open it and copy the request into the form at the CA you are requesting the signed cert from.
Submit to the CA
Download and install certificate
Traffic management > SSL > SSL certificates > install
Name the CA signed cert then find the cert and enter in the certificate file name box. Select the key file used to generate the signed cert in the key file name box (the RSA key made previously)
SSL offload:
Create load balancing virtual server and set protocol to SSL
Bind SSL certificate to virtual server - Edit > SSL certificates > select the CA signed certificate and bind
Wildcard Certificates:
Use the same self-generated RSA key to create a CA signing request for a wildcard cert, where the common name is *.domain.com (wildcard)
Install wildcard certificate
Traffic management > ssl > certificates > install
Select the certificate, enter the RSA key in the key file name section and install
Bind the wildcard cert where needed, e.g. virtual servers - this replaces any cert previously bound to the virtual server or service
If certificates need to be replaced, check all virtual servers and content switching servers and replace the certificate on each. Also make sure any intermediate certificate is installed and linked to the new certificate. To get the intermediate certificate, open the signed certificate, export the intermediate to a file (base 64 .cer) and import it into the NetScaler.
Netscaler Policies
Create policy
Bind to object eg virtual server, group, user
Create other netscaler users:
LDAP for internal or external:
enable authentication
Configuration > system > Settings > Configure basic features > Authentication, authorization and auditing
LDAP - setup server
Configuration > authentication > LDAP > servers > add > add details for LDAP server
Will need a service account for the LDAP query in the "administrator Bind DN" section
LDAP - Setup Policy
Create policy with expression ns_true and set request server to LDAP server previously configured
In LDAP policies select global bindings and select LDAP policy
Groups can also be created on the NetScaler to map LDAP users to permissions on the NS
Xen Desktop monitors:
Create virtual server for storefront then create monitor for the service:
Traffic management > load balancing > monitors
Add new monitor for storefront
NetScaler Gateway
NS Gateway:
Can be used with Citrix Receiver, the plug-in, or clientless access through a browser, etc.
Need to enable NetScaler Gateway in basic features
Can use the NetScaler Gateway wizard to configure - will need a public IP, a server certificate and a client certificate
A wildcard certificate would usually be used.
IP address of gateway should be entered into DNS
Default setup for NS gateway is full tunnel
NS Gateway Access Policy:
Can configure a policy to check users device before allowing login to gateway and access to the network.
Set in Configuration > netscaler gateway > global settings > change preauthentication settings > change default action from allow to deny.
Then configure policy in ns gateway > policies
Bind policy in aaa global policies
NS Gateway LDAP authentication:
Bind LDAP policy to NS gateway virtual server
NS Gateway Authorization policies:
Can use policies to allow or deny access to resources on the network the NS gateway is providing access to
Can change the global security policy for NS gateway to Deny
Create an authorization policy for NS Gateway to allow access to only some resources. Bind the authorisation policies to AAA users and groups to grant access
NS Gateway Split tunnel:
Use intranet applications to set it up: NetScaler Gateway > Resources > intranet applications > add
Use this to define the specific networks that should go through the tunnel
Then in global settings > client experience turn split tunneling on, and add the intranet applications under configured VPN intranet applications in the global settings.
Netscaler SF load balancing
Setup Virtual server > Service > monitor > bind monitor to service > add servers > bind servers to service > bind service to virtual server
Configure the STA so the NetScaler authentication can be used for other domain resources: in the StoreFront config in Citrix Studio ensure that pass-through from NetScaler Gateway and domain pass-through are enabled
Add the NetScaler Gateway on StoreFront and add the STA to the gateway's settings on the StoreFront server.
If the NetScaler is acting as a gateway as well as load balancing multiple StoreFront servers, leave the optional subnet IP section blank
Can manage beacons to determine if user is internal or external
Create Session policy to bind to user or group to allow access to storefront - in published applications tab in policy enter web interface address as the url for the storefront
Edit the virtual server to add the STA server binding - the same STA as configured in StoreFront (this lets the login to the NetScaler also confirm identity with StoreFront)
Content switching:
Can use content switching policies bound to virtual servers to direct traffic from specific devices to specific servers via load balancing to other virtual servers
Global Server Load Balancing:
Uses DNS to load balance services between separate sites, directing users to the NetScaler at the site providing the service. The NetScalers at the sites exchange MEP messages to determine which site should receive the traffic