NetScaler

From Piszczynski
Revision as of 22:32, 15 November 2023 by Aleks (talk | contribs) (2 revisions imported)


Installing NetScaler

Installing:

Download .ovf - then configure

In vsphere - deploy from .ovf

Change default nsroot password

Give the NetScaler an IP address for management (NSIP) and a subnet IP (SNIP) for internal communication with back-end servers

Apply the licence. The licence is tied to the MAC address of the NetScaler's primary interface

Upgrading Netscaler:

Read Release notes.

Updates are Java based and need the correct Java version installed to run

Go to configuration > system > upgrade wizard

Upload the update files in the wizard, check "move files to flash" and "automatically reboot". If you are using Chrome and it keeps showing messages to wait for the Java app, open Chrome with the -no-sandbox switch before updating.

Network Time and Backing up Config

Configuration > settings > time

Set up an NTP server, then enable NTP sync with the Actions button

Save running configuration

Configuration tab > save button in top right

Save backups to other locations

Netscaler > system > backup and restore

IP address management

Configure the NetScaler with a virtual IP (VIP) to act as a virtual server. Each virtual server configured on the NetScaler needs its own VIP

Configure a subnet IP for each subnet interface

Routing and IP networks

Create a SNIP for each interface

Enter static routes for any other networks that are reached via the subnet IP networks


High Availability

Configure a twin NetScaler with the same config as the primary NetScaler

Can be set up as active-passive: the primary manages the VIPs, SNIPs and MIPs

When setting up HA, make sure the secondary is set to stay secondary before enabling syncing, so that the primary's config does not get replaced with a blank config from the secondary.

On the secondary NetScaler go to Configuration > High Availability > Nodes > Edit > (High availability status) and set - STAY SECONDARY -

On the primary do the same but set it to - STAY PRIMARY -

To configure HA on the primary go to: Configuration > System > High Availability > Add Nodes > add the IP of the secondary NS plus its username and password (this auto-configures the secondary)

Once the sync has completed and you have confirmed there are no issues, change the HA status on both nodes from STAY PRIMARY / STAY SECONDARY to ENABLED to enable HA.
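The same HA sequence on the NetScaler CLI, as an added example that is not part of the original notes (the GUI wizard runs the add on the secondary for you using the credentials, on the CLI you run it on both nodes). The NSIPs and node id are constructed; lines starting with # are comments.

```nscli
# --- On the SECONDARY first, so its empty config can never overwrite the primary ---
set ha node -haStatus STAYSECONDARY
add ha node 1 192.0.2.11         # NSIP of the primary (constructed)
save ns config

# --- On the PRIMARY ---
set ha node -haStatus STAYPRIMARY
add ha node 1 192.0.2.12         # NSIP of the secondary (constructed)
save ns config

# Check on the primary before going any further: the peer should be listed with
# "Master State: Secondary" and the sync state should be SUCCESS, not IN PROGRESS or FAILED
show ha node

# Only once the sync is confirmed, release the forced roles on BOTH nodes
set ha node -haStatus ENABLED
save ns config
```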

Load Balancing

To setup load balancing you need:

LB virtual server - protocol, VIP, port

Service - which server, protocol, port

Real server - IP, hostname

Topology: <Virtual Server>---<Service>---<Server>

Virtual server objects are bound to service objects, service objects are bound to server objects.

A monitor can be added to the service to check it is working correctly, which prevents traffic being sent to servers that are down

To configure the load balancing:

Configure servers first:

Configuration > traffic management > load balancing > servers > Add server

Add details for servers which will be load balanced

Configure Services:

Configure a service for each server

Configuration > traffic management > load balancing > services > add service

You can select the server the service is assigned to from the drop-down list when creating the service

Bind the monitor to the service: select Monitors

Bind a load balancing monitor that matches the service, e.g. the HTTP monitor to HTTP services

Create the Virtual server

Configuration > traffic management > load balancing > virtual servers > add

Configure the virtual server with a virtual IP (this is the IP the users connect to; for a website it is the IP address the DNS record points to)

Then add the service and port to the virtual IP

Then bind the virtual server to the services set up earlier

For a virtual server IP to work, the NetScaler needs a subnet IP in the same network as the virtual server IP, so that it has a route to that network and knows which interface to use
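The whole server > service > monitor > virtual server build on the CLI, as an added example that is not from the original notes. All names and addresses are constructed; the SNIP line at the top is the point made in the previous paragraph.

```nscli
# SNIP in the VIP's subnet so the NetScaler can ARP for the VIP and pick the right interface
add ns ip 10.0.20.5 255.255.255.0 -type SNIP

# 1. Real servers
add server web01 10.0.20.11
add server web02 10.0.20.12

# 2. One service per server, with the built-in HTTP monitor bound so a dead
#    server is marked DOWN and stops receiving traffic
add service svc_web01 web01 HTTP 80
add service svc_web02 web02 HTTP 80
bind service svc_web01 -monitorName http
bind service svc_web02 -monitorName http

# 3. Virtual server on the VIP that DNS points at, then bind the services to it
add lb vserver lb_web HTTP 10.0.20.100 80
bind lb vserver lb_web svc_web01
bind lb vserver lb_web svc_web02
save ns config

# Checks: vserver state should be UP with both services UP; a service showing
# DOWN means the monitor probe failed, not that the binding is wrong
show lb vserver lb_web
show service svc_web01
```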

Certificates on NetScaler

Installing a CA signed certificate:

Generate RSA key pair:

Traffic management > SSL > Create RSA Key

Select the file name and key size in bits (2048), the key format and encoding, with a password

Create cert signing request:

Traffic management > SSL > Create certificate signing request

Select a file for the request and fill out the organisation details

Once created you can view it under Manage Certificates / Keys / CSRs; view and copy the request so it can be pasted into the form at the CA you are requesting the signed cert from.

Submit to the CA

Download and install certificate

Traffic management > SSL > SSL certificates > install

Name the CA-signed cert, then locate the cert and enter it in the Certificate File Name box. In the Key File Name box select the key file used to generate the request for the signed cert (the RSA key made previously)

SSL offload:

Create load balancing virtual server and set protocol to SSL

Bind SSL certificate to virtual server - Edit > SSL certificates > select the CA signed certificate and bind

Wildcard Certificates:

Use the same self-generated RSA key to make a CA-signed request for a wildcard cert, where the common name is *.domain.com (wildcard)

Install wildcard certificate

Traffic management > ssl > certificates > install

Select the certificate, enter the RSA key in the Key File Name section and install

Bind the wildcard where needed, e.g. virtual servers. This replaces any certs previously bound to the virtual server or service


If certificates need to be replaced, check all virtual servers and content switching servers and replace the certificate on each. Also make sure to install any intermediate certificate and link it to the new certificate. The intermediate can be obtained by opening the certificate, exporting the intermediate certificate to a file (Base-64 .cer) and then importing it into the NetScaler.
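The certificate workflow above (key, CSR, install, intermediate link, SSL offload binding) on the CLI, as an added example that is not from the original notes. File names, the vserver and the addresses are constructed; the passphrase flags prompt for input rather than taking a value on the command line, which keeps the key passphrase out of the command history.

```nscli
# Key pair (2048-bit, PEM, passphrase-protected) and the CSR to paste into the CA's form
create ssl rsakey www_example_com.key 2048 -keyform PEM -des3 -password
create ssl certreq www_example_com.csr -keyFile www_example_com.key -keyform PEM -PEMPassPhrase -countryName GB -stateName London -organizationName "Example Ltd" -commonName www.example.com
# (for a wildcard request use -commonName "*.example.com" with the same key)

# After the CA returns the signed cert and its intermediate, upload both to /nsconfig/ssl/, then:
add ssl certKey www_example_com -cert www_example_com.crt -key www_example_com.key -password
add ssl certKey intermediate_ca -cert intermediate_ca.cer
link ssl certKey www_example_com intermediate_ca

# SSL offload: clients hit the SSL vserver, the back-end service stays plain HTTP
add server web01 10.0.20.11
add service svc_web01 web01 HTTP 80
add lb vserver lb_web_ssl SSL 10.0.20.100 443
bind lb vserver lb_web_ssl svc_web01
bind ssl vserver lb_web_ssl -certkeyName www_example_com
save ns config

# Checks: "Days to expiration" and the linked intermediate on the cert, and the
# bound certkey on the vserver (a replaced cert must be rebound on every vserver)
show ssl certKey www_example_com
show ssl vserver lb_web_ssl
```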

Netscaler Policies

Create policy

Bind it to an object, e.g. a virtual server, group or user

Create other NetScaler users:


LDAP for internal or external:

Enable authentication

Configuration > system > Settings > Configure basic features > Authentication, authorization and auditing

LDAP - set up server

Configuration > Authentication > LDAP > Servers > Add > add the details for the LDAP server

You will need a service account for the LDAP query in the "Administrator Bind DN" section

LDAP - Setup Policy

Create a policy with the expression ns_true and set the request server to the LDAP server configured previously

In LDAP policies select Global Bindings and select the LDAP policy

A group can also be created on the NetScaler to identify users via LDAP and give them permissions on the NS
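The LDAP server, ns_true policy, global binding and group mapping for NetScaler admin logins on the CLI, as an added example that is not from the original notes. Server address, base DN, bind account and group name are constructed; the bind password flag prompts rather than taking a value.

```nscli
# LDAP server definition. LDAPS on 636 so credentials are not sent in clear; the bind
# account only needs read access to the directory (it is only used for the lookup)
add authentication ldapAction ldap_srv -serverIP 10.0.10.20 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=com" -ldapBindDn "CN=svc_ns_ldap,OU=Service Accounts,DC=example,DC=com" -ldapBindDnPassword -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN

# Policy that matches every login (ns_true) and sends it to that server,
# bound globally so it applies to management (system) logins
add authentication ldapPolicy ldap_pol ns_true ldap_srv
bind system global ldap_pol -priority 100

# Group mapping: the system group name must equal the CN extracted from memberOf above.
# Bind a built-in command policy (read-only, operator, network, sysadmin, superuser)
# so members get only the rights that group needs
add system group "NetScaler-ReadOnly" -timeout 900
bind system group "NetScaler-ReadOnly" -policyName read-only -priority 100
save ns config

# Checks: the action's settings, and the system group's command policy binding
show authentication ldapAction ldap_srv
show system group "NetScaler-ReadOnly"
```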


Xen Desktop monitors:

Create a virtual server for StoreFront, then create a monitor for the service:

Traffic management > load balancing > monitors

Add a new monitor for StoreFront

NetScaler Gateway

NS Gateway:

Can be used with Citrix Receiver, the plug-in, or clientless through a browser, etc.

The NetScaler Gateway needs to be enabled in basic features

Can use the NetScaler Gateway wizard to configure. Will need a public IP, a server certificate and a client certificate

A wildcard certificate would usually be used.

The IP address of the gateway should be entered into DNS

The default setup for NS Gateway is full tunnel


NS Gateway Access Policy:

A policy can be configured to check the user's device before allowing login to the gateway and access to the network.

Set in Configuration > NetScaler Gateway > Global Settings > Change preauthentication settings > change the default action from Allow to Deny.

Then configure the policy in NS Gateway > Policies

Bind the policy in AAA global policies


NS Gateway LDAP authentication:

Bind the LDAP policy to the NS Gateway virtual server

NS Gateway Authorization policies:

Policies can be used to allow or deny access to resources on the network that the NS Gateway provides access to

The global security policy for NS Gateway can be changed to Deny

Create an authorization policy for NS Gateway to allow access to only some resources. Bind the authorisation policies to AAA users and groups to grant the access


NS Gateway Split tunnel:

Use Intranet Applications to set this up: NetScaler Gateway > Resources > Intranet Applications > Add

Use this to define the specific networks that split-tunnelled traffic should be sent to

These can then be added in Global Settings > Client Experience with split tunneling ON, by adding the intranet applications to the configured VPN intranet applications in the global settings.


Netscaler SF load balancing

Set up: virtual server > service > monitor > bind monitor to service > add servers > bind servers to service > bind service to virtual server

Configure the STA for authentication from the NetScaler to be used for other domain resources: in the Citrix StoreFront config in Citrix Studio, ensure that pass-through from NetScaler Gateway and domain pass-through are enabled

Add the NetScaler Gateway in StoreFront and add the STA to the settings for the gateway on the StoreFront server.

If the NetScaler is acting as a gateway as well as load balancing to multiple StoreFront servers, leave the optional subnet IP section blank

Beacons can be managed to determine whether a user is internal or external

Create a session policy bound to a user or group to allow access to StoreFront; in the Published Applications tab of the policy enter the Web Interface address as the URL for the StoreFront

Edit the virtual server to add the STA server binding, the same as configured in StoreFront (this allows the login to the NetScaler to also confirm identity with StoreFront)
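The gateway pieces from the NS Gateway sections above (gateway vserver, LDAP binding, default-deny authorization, split tunnel, StoreFront session policy and STA binding) as one CLI build; this is an added example, not from the original notes. It assumes an LDAP policy named ldap_pol and a certkey named wildcard_example_com already exist; the IPs, URLs and group name are constructed, and the authorization rule uses the classic expression syntax that matches the page's ns_true.

```nscli
# Gateway virtual server on the public IP that the DNS record points at, wildcard cert bound,
# LDAP policy bound for authentication
add vpn vserver gw_vs SSL 203.0.113.10 443
bind ssl vserver gw_vs -certkeyName wildcard_example_com
bind vpn vserver gw_vs -policy ldap_pol -priority 100

# Authorization: global default Deny, then explicitly allow only the StoreFront LB VIP,
# bound to the AAA group so only members of that group get it
set aaa parameter -defaultAuthorizationAction DENY
add authorization policy authz_storefront "REQ.IP.DESTIP == 10.0.20.100 && REQ.TCP.DESTPORT == 443" ALLOW
add aaa group "VPN-Users"
bind aaa group "VPN-Users" -policy authz_storefront -priority 100

# Split tunnel: only the intranet range goes through the gateway instead of everything (full tunnel)
add vpn intranetApplication intranet_lan ANY 10.0.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT
set vpn parameter -splitTunnel ON
bind vpn global -intranetApplication intranet_lan

# StoreFront: session policy carrying the store URL, plus the same STA the store uses
add vpn sessionAction sa_storefront -wihome "https://storefront.example.com/Citrix/StoreWeb"
add vpn sessionPolicy sp_storefront ns_true sa_storefront
bind vpn vserver gw_vs -policy sp_storefront -priority 100
bind vpn vserver gw_vs -staServer "https://sta.example.com"
save ns config

# Checks: bound policies and STA state (an STA showing DOWN means launches will fail)
show vpn vserver gw_vs
show aaa group "VPN-Users"
```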

Content switching:

Content switching policies bound to virtual servers can direct traffic from specific devices to specific servers, by load balancing to other virtual servers

Global Server Load Balancing:

Uses DNS to load balance services between separate sites, forwarding users to the NetScaler at the site providing the service. The NetScalers at the sites exchange MEP messages to determine which site should receive the traffic