Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Implementing NetScaler VPX??? - Second Edition
Implementing NetScaler VPX??? - Second Edition

Implementing NetScaler VPX??? - Second Edition: Implement the new features of Citrix NetScaler 11 to optimize and deploy secure web services on multiple virtualization platforms

Arrow left icon
Profile Icon Marius Sandbu
Arrow right icon
$19.99 per month
Full star icon Full star icon Full star icon Full star icon Empty star icon 4 (3 Ratings)
Paperback Oct 2015 202 pages 1st Edition
eBook
$9.99 $35.99
Paperback
$43.99
Subscription
Free Trial
Renews at $19.99p/m
Arrow left icon
Profile Icon Marius Sandbu
Arrow right icon
$19.99 per month
Full star icon Full star icon Full star icon Full star icon Empty star icon 4 (3 Ratings)
Paperback Oct 2015 202 pages 1st Edition
eBook
$9.99 $35.99
Paperback
$43.99
Subscription
Free Trial
Renews at $19.99p/m
eBook
$9.99 $35.99
Paperback
$43.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Implementing NetScaler VPX??? - Second Edition

Chapter 1. NetScaler VPX™ 11 – Basics and Setup

Welcome to the first chapter of the second edition of this book. Throughout the course of this book, we will cover most of the different areas where NetScaler serves its purpose. The first chapter will cover a short introduction of what Citrix NetScaler is and some of its features. Throughout this book, we will focus on how to set up and deploy a NetScaler VPX in a virtualized environment. The book will mostly show you how to set up and deploy in Hyper-V, but the process is not that different for vSphere and XenServer. I will also provide a short description on the deployment of NetScaler on public cloud providers such as Amazon and Azure.

So to sum it up, here's what we will cover throughout this chapter:

  • Introduction to NetScaler and what's new in software version 11
  • The definition of application delivery controller
  • NetScaler gateway
  • Differences between VPX, MPX, and SDX
  • Editions and models
  • Setup and configuring the basics
  • Some deployment scenarios

Getting started with NetScaler®

NetScaler was an acquisition that Citrix made back in 2005, and it is one of the bestselling products in their portfolio today, pivotal in many large enterprises. Today, many of the largest IT organizations such as Microsoft, Google, and eBay, to mention a few, use NetScaler in front of their websites and services to ensure availability.

Note

We can check the kind of frontend solution an organization uses in most cases on their website by using a free web tool from http://www.netcraft.com/. For example, for eBay go to http://searchdns.netcraft.com/?restriction=site+contains&host=ebay.com.

NetScaler can be defined as a network appliance with the primary role of delivering services to end clients who connect to it. It does this by using different features, such as load balancing, high availability, gateway solutions, and so on. The commonly used term for it is Application Delivery Controller (ADC), as users in many cases connect to their services through, for example, a load-balanced web service such as NetScaler. It also has many features to optimize network traffic, such as web caching, compression, and SSL offloading, to give a service optimal performance. In addition, it includes features such as an application firewall, URL rewriting, frontend optimization, global server load balancing, and gateway function for XenApp/XenDesktop, to name a few. We will cover some of these features in greater detail in a later chapter.

So, NetScaler's whole purpose is to ensure that a service or an application is delivered through different availability and performance features. The following diagram presents some of the different uses of NetScaler and shows how users can access their different applications and services:

Getting started with NetScaler®

As we can see in the diagram, we can ensure content is delivered to users in many ways. Also, there are features that allow us to bridge different infrastructures, such as public cloud providers. We will delve into some of the features in the rest of the chapters.

NetScaler includes a variety of features; some information about the different features and the product itself can be found in the Citrix eDocs available at http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html. eDocs is an ideal place for knowledge and support documentation about setup and configuration of the different features included in NetScaler.

NetScaler comes in three different flavors:

  • MPX—Physical appliance
  • SDX—Physical appliance with hypervisor capabilities
  • VPX—Virtual appliance

MPX

The MPX is a physical appliance of NetScaler, which again comes in different models. As an example, the MPX 5550 is the starting platform that consists of an Intel CPU with 8 GB of RAM, and can handle up to 5,000 concurrent SSL VPN sessions and up to 175,000 HTTP requests every second. The MPX 5550 has a maximum throughput of 0.5 Gbps, but it can be upgraded to the 5650, which has 1 Gbps throughput. This only requires a change of license, as it still runs on the same hardware. A long list of different models that suit most business needs is available, depending on the number of users and the kind of service and bandwidth required. The largest physical appliance available is the MPX 21550, which has up to 50 Gbps of throughput.

Note

One of the benefits of NetScaler is that if we need better performance or more bandwidth, we can in many cases just upgrade the platform license to the next edition. You can refer to the NetScaler datasheet to see which platforms can be upgraded and check the specifications of the different platforms at http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-data-sheet.pdf.

All of the MPX models come with special SSL chips, which are specifically used to handle encrypted traffic (SSL traffic). NetScaler uses an architecture called nCore, which allows it to intelligently load balance the SSL operations among the chips available on the hardware. This allows for faster handling of SSL traffic on the platform. Also, an important point to remember is that each platform has a limit to the number of SSL-based operations and throughput it can handle each second, which can be viewed in the datasheet mentioned earlier.

SDX

The SDX is a special platform available on many of the same models as the MPX, as it uses the same underlying hardware. The difference is that the SDX itself cannot perform load balancing or any other NetScaler functions, as it is just a virtualization platform that runs a virtual NetScaler (VPX) on top of itself. By default, when purchasing an SDX, it ships with five VPXs. SDX runs a customized version of XenServer, and from there we can create multiple VPX instances running on top of it, which has all of the NetScaler features. This platform is better suited for multitenant environments; it is also suitable when we want to isolate the traffic into separate instances with dedicated bandwidth, VLANs, and/or applications.

Also important to remember is that when we have an SDX, we can have multiple VPX instances running—all with different software versions.

VPX

The VPX is available for XenServer, KVM, VMware, and Hyper-V, or as an instance on the SDX platform. The VPX can also be deployed on public cloud providers such as Microsoft Azure or Amazon Web Services.

There is a minor difference between running VPX in a regular virtual environment and as part of an SDX environment. In an SDX environment, the VPX has access to the onboard SSL chips and is able to handle SSL traffic accordingly. In a regular virtual environment, the VPX can handle only limited SSL traffic, as it is dependent on the virtualization host CPUs. Regular CPUs are not designed to handle SSL traffic as well as SSL chips; therefore, they have a soft limit on how many SSL connections they can handle. This can be seen in the NetScaler datasheet mentioned earlier.

Barry Schiffer has written an excellent article on NetScaler sizing and what model to choose, which I would recommend taking a look at if you are unsure of what to use. This article is available at http://www.barryschiffer.com/citrix-NetScaler-platform-sizing-guide/.

NetScaler also has different types of editions, and depending on the level, it will grant access to the different features. The three editions are Standard, Enterprise, and Platinum.

Standard is the most basic edition and contains most of the basic features, such as load balancing, SQL load balancing, NetScaler Gateway (formerly known as Access Gateway), network optimization, HTTP/URL rewrite, and more. The Enterprise edition gives us Global Server Load Balancing (GSLB), HTTP compression, AAA management, frontend optimization and surge protection. Lastly, the Platinum edition gives us CloudBridge, full NetScaler Insight Center functionality, application firewall, and more. An important point to note here is that on an SDX appliance, all the VPX appliances have Platinum edition features.

There is also a dedicated Gateway instance that only has the NetScaler Gateway feature available. This only comes in a VPX 50 instance, which basically means that it has a 50 Mbps bandwidth limit and can only be used for Gateway features such as ICA-proxy, SSL VPN, or VPN. It is also available as a physical unit, the NetScaler Gateway MPX 500, which has the same limitations but up to a 500 Mbps bandwidth and a higher number of concurrent users.

Now, many of these features may be unfamiliar to you, but these will be covered throughout the later chapters.

One of the things that I mentioned earlier was that in case we needed more bandwidth or better performance, we could just upgrade the license to another platform. The same goes for features as well; if we need features that are available in the Enterprise edition and we have only the Standard edition, we just have to buy a license upgrade to access those features. If, for example, we are in a situation where we need more bandwidth for a period of time, we can also purchase something called burst licenses. Burst licenses allow us to extend our bandwidth on the appliance, for example, for 90 days.

Note

There is also a free edition of the VPX called VPX Express. The VPX Express has the same functionality as VPX standard, but it has a limit of 5 Mbps of throughput and is valid for one year at a time. It also gives you access to running up to five users with NetScaler Gateway, which we will go through in the next chapter.

What is new in version 11?

Many may be familiar with the previous releases of NetScaler and some of its capabilities. Therefore, we decided to add what is new in version 11 of NetScaler OS. Version 11 was released in June 2015, and it introduced a bunch of new features and capabilities, including the following:

  • Unified gateway
  • Partition administration
  • Media classification
  • Jumbo frames support for VPX
  • TCP Nile congestion algorithm
  • Portal theme customization
  • Web-front
  • Authentication dashboard
  • HTTP/2 support

Most of these topics will be covered throughout this book. If you wish for more information about version 11, you can read the release document at https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS_11_55_20.html.

Licensing

When we want to set up or deploy NetScaler, we need a license in place in order to access the features we want to use. An important point to note here is that three types of licenses are available for NetScaler:

  • Platform license: This license is used for NetScaler to enable its different features, such as load balancing, content switching, and so on. It also defines the bandwidth.
  • Universal license: This license is used for NetScaler Gateway features such as SSL VPN, CVPN, SmartAccess, and Endpoint analysis.
  • Feature license: This license is used for features such as clustering, caching, compression, and so on. The specific features that can be bought as add-ons to an existing platform can be found in the datasheet.

    Note

    If you do not have access to a regular license, you can download a trial version of the latest NetScaler VPX Platinum edition from Citrix, available at http://www.citrix.com/products/netscaler-application-delivery-controller/try.html.

If you want to download a platform license for NetScaler from https://www.citrix.com/, you need to enter the MAC address of the first NIC on your appliance in the Host ID field on the website.

Note

If you are deploying a NetScaler Gateway VPX, and you want to download a platform license for it or generate universal licenses, both of these should be created with the hostname of the appliance instead of the MAC address. These licenses can be generated from the same website.

The MAC address can be found either via the CLI of the appliance or by using a hypervisor. We will look at CLI in detail in this chapter. To get hardware information from the CLI of the appliance, we have to first log in to the NetScaler System CLI, and then switch to the FreeBSD shell by typing shell and running the following command:

lmutil lmhostid

When using a hypervisor, such as the virtual machine manager PowerShell, run the following command:

Get-VM | Where { $_Name -match "VM" } | Get-SCNetworkAdapter | Select MACAddress

If you are using VMware and have PowerCLI available, you can use a similar command as follows to get the same result:

Get-NetworkAdapter -VM NameofVM

This will give you the host ID/MAC address of the appliance, which needs to be entered on https://www.citrix.com/ to generate a platform license. We will cover installing the license a little later.

Setup scenarios

When thinking about the deployment of NetScaler, a couple of things need to be taken into consideration:

  • How is the network layout between the users and the service?
  • What kind of network security is in place?
  • Is the business using Network Address Translation (NAT) or any other kind of firewall that requires configuration to allow traffic?
  • What service or application is going to be published?

A common scenario is load balancing some sort of a web service to external users. In such a scenario, a business might have a demilitarized zone and an intranet zone. One topology that can be used here is that NetScaler can be placed with one interface in the demilitarized zone and one interface in the intranet zone. This is also known as a two-armed setup. It is important to note that a two-armed setup is not necessarily two NICs connected to different networks; it may also be multiple VLANs trunked to the same NIC. This is practical for load balancing internal resources, as well because the traffic does not need to flow back and forth through the firewall multiple times.

In some cases, because of business requirements, you might have NetScaler attached to only one interface or only one VLAN that resides in the same zone. This is known as a one-armed setup. Here, NetScaler is placed, for example, in only the DMZ zone, and routing tables are in place to allow NetScaler to access the backend services. This type of topology emphasizes security. We will cover a sample scenario later in this chapter.

Now that we have gone through the different editions, features, and licensing, let us begin with the initial setup of NetScaler.

Creating our first setup

Before setting up the VPX, we need to make sure that we have the following resources available in our virtual environment:

  • 2 GB RAM
  • Two vCPUs
  • 20 GB disk space

    Note

    NetScaler VPX supports a maximum of eight virtual network interfaces, and as of now, it supports Windows Server Hyper-V 2008 R2 and Windows Server Hyper-V 2012 R2. It also supports XenServer 6.0, XenServer 6.1, and VMware Vsphere from version 4.0 up to 5.5.

After downloading NetScaler from www.mycitrix.com/, we can import the virtual machine using the Hyper-V manager by selecting Import Virtual Machine… and browsing to the download location of NetScaler VPX.

After the appliance is imported, we should change the MAC address of the network adapter to static, as the license is based on the MAC address. Hyper-V manages MAC allocation for virtual machines, and in some scenarios, a virtual machine might generate a new MAC address. Therefore, it is important to set the MAC address as static.

This can be done by navigating to Virtual Machine | Network | Advanced Features, as shown in the following screenshot:

Creating our first setup

Note

Note that the same applies for VMware and XenServer as well.

After we are done changing the MAC address to static, we can boot the virtual appliance. The initial setup must be done using the CLI to connect the virtual machine console to the appliance console. The first thing we need to enter is the NetScaler IP Address (NSIP), which is used for management purposes, then a subnet mask, and finally a default gateway. Now we can press 4 to save the settings. After this is done, we can then access the console using HTTP through the NSIP address that we entered earlier. The default username and password for the web administration GUI is nsroot and nsroot. Prior to logging in, make sure that the deployment type is set to NetScaler ADC. The management interface uses pure HTML 5, and it can be managed using any modern browser such as Internet Explorer, Google Chrome, or Firefox, for instance.

We also have the option of using SSH, so we can use any SSH-based client, such as Putty to perform management using CLI from there as well.

When logging in to the web console for the first time after the initial setup, we are presented with a wizard that allows us to enter information, such as DNS, time zone, and SNIP, and to change password settings. Alternatively, we can click on skip these tasks and go straight to the configuration dashboard. For the purpose of this book, I am going to show you how to add different configurations using regular GUI and CLI instead of using the built-in wizard. An important point to note here is that the initial setup wizard will always pop up until we have added a platform license, subnet IP, and NetScaler IP.

You can restart the initial setup in the CLI by typing the following command:

Configns

Note

When altering the configuration of NetScaler, the configurations are put into the running configuration file. If we do not save the configuration, the settings that we changed will be lost when we restart. Make sure to save the configuration using the CLI command save config, or by clicking on the Save button (represented as a floppy disk) in the GUI, after performing the changes to the configuration.

Deployment on Microsoft Azure

Microsoft and Citrix recently made NetScaler available as an appliance within Microsoft Azure, with a bring-your-own-license model, meaning that we can deploy a virtual appliance and use our own license there. However, we still need to pay Microsoft for the running instance and network traffic that is going out of Azure cloud. As of now, three versions are supported in Azure: VPX 10, VPX 200, and VPX 1000.

If we want to deploy a NetScaler VPX within Microsoft Azure, we have to use the current build available in the Microsoft Azure Marketplace. As of now, it is only available in the new management portal.

First, you need to have an active subscription in place for Microsoft Azure. Then, go to the new management portal at https://portal.azure.com.

Next, navigate to the marketplace, which can be found in the main menu, Browse | Marketplace.

Here, we type Citrix NetScaler, and it will appear in the list of options, as shown in the following screenshot:

Deployment on Microsoft Azure

From there, click on Create. Then enter the required information, such as the IP address that will be used for management, username, and password. The default here is to enter nsroot and a custom password for that user. It is important to note that Microsoft Azure has its own DHCP service, which allows all virtual instances that run in Azure to get an IP address. Before deploying the virtual instance, you should define that the NetScaler VPX must use a static IP address to make sure that it does not lose its license in case of reboot or downtime, as in Azure, a virtual appliance may be moved to another and may be given another MAC address. In order to do so, navigate to Optional Configuration | Network | IP ADDRESSES. From here, you have the option to enter a static IP for the private IP address, which allows you to retain the IP address during reboots. Note also that Azure will automatically create a virtual network within a custom private IP range. So enter an IP address within the range that is created and click on OK.

The last thing to do before provisioning NetScaler is to enter a custom endpoint that will allow you to manage the appliance externally using HTTP. This can be done from within the provisioning wizard, before going into Optional Configuration. From here, you need to add an endpoint that defines which ports can be accessed externally. Here, add port 80 private, which is the internal port on NetScaler where management resides. Then, choose port TCP and then enter a public port. The public port nr will be used for external access later.

Another thing that is important to remember if you are deploying NetScaler in Azure is that by default, the appliance is deployed as an A2 Linux virtual machine. The A2 instance has a limitation of bandwidth of 200 Mbps. If you are planning to deploy a VPX 1000, you need to change this to an A4 instance.

NetScaler in Azure also has some additional limitations, for instance, it runs in a single-IP mode, meaning that we only have one useable IP address, so we use the same IP address for management, server traffic, and load balancing. As a part of this limitation, we can therefore not use the following ports for external services:

21, 22, 80, 443, 8080, 67, 161, 179, 500, 520, 3003, 3008, 3009, 3010, 3011, 4001, 5061, 9000, 7000

These ports cannot be used as they are used by the NetScaler for different purposes, such as high availability, management, and so on. Even though we cannot use these ports for our services on NetScaler, we can still use, for instance, 443 as an external port, since Azure has the concept of endpoints, which allow for port forwarding from one external port to another private port on NetScaler. Another thing to remember is that some features are not supported on NetScaler in Azure, which are: Clustering, IPv6, Gratuitous ARP (GARP), L2 Mode, Tagged VLAN, Dynamic Routing Virtual MAC (VMAC), USIP, GSLB, and CloudBridge Connector.

These features cannot be used because of the limitations of the network capabilities in Microsoft Azure. Also important is the fact that the current build running in the marketplace is the only one supported, so that means that we cannot do a direct upgrade as of now.

After we have deployed NetScaler in Azure, we access it using the FQDN given to us from the cloud service using SSH on a random port, or access it using HTTP on the custom endpoint we added.

Note

By adding an HTTP-based endpoint against NetScaler in Azure, you are opening that port for all external users. You should, therefore, for security purposes, change the default password and add an endpoint ACL as soon as possible. You can also switch from HTTP to HTTPS-based traffic on the management IP. This also requires that you change the endpoint to 443 but allows for secure communication.

Deployment on Amazon Web Services

NetScaler is available as an Amazon Machine Image in the Amazon Web Services (AWS) marketplace, and like Azure, you need an active subscription to provision the virtual appliance. Head over to the management portal on http://aws.amazon.com/ and choose login to the management portal. After logging in, you have the marketplace on the right-hand side, which, for reference, is located at https://aws.amazon.com/marketplace. Once there, search for Citrix NetScaler and press Enter. Now, you will get multiple options here as shown in the following screenshot:

Deployment on Amazon Web Services

You have the option to buy a finished Citrix licensed NetScaler appliance here, or you can buy an appliance without a license like with Azure. Choose the Customer Licensed option and then click on Continue.

Note that Citrix NetScaler in Amazon requires that you have a virtual private cloud (VPC) configured with three different subnets, which are not covered in this book. In order to learn how to configure VPC and different subnets, you can read more about it at http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html.

After the VPC and subnets are in place and the three different interfaces are placed within the three subnets, it's time to provision the virtual appliance.

Now, by default, the appliance will not get a public IP address attached to it, so you have to add an elastic IP address (EIP).

This can be done through the EC2 dashboard by navigating to Network and Security | Elastic IPs | Allocate New Address. After allocating a new address, assign it to the management interface of the virtual appliance. Right-click on the address and choose Associate Address, then choose either Instance or Network Interface and find the management interface from the list. Then click on Associate.

After this, you can reach the NSIP using the EIP address on HTTP, as shown in the following screenshot:

Deployment on Amazon Web Services

To log in, use nsroot. The password will always be set to the instance ID, which can be seen from the EC2 dashboard as well.

As with Azure, there are some limitations to the deployment of NetScaler in Amazon, and some features are not supported, such as IPV6, Gratuitous ARP (GARP), L2 mode, Tagged VLAN, and Dynamic Routing Virtual MAC (VMAC). However, unlike Azure, you are not bound to a single NIC and therefore do not have the same port restrictions.

Now, inside the main administration GUI we are presented with three main panes:

  • Dashboard
  • Configuration
  • Reporting

Dashboard

The Dashboard pane gives us an overview of what is happening in NetScaler, how much CPU is used, how much memory is in use, what the throughput is, and so on. We can also view how many active sessions are using our services, such as load-balanced web services or VPN connections.

Reporting

We also have the Reporting pane, where we can run different built-in reports or create our own reports based upon different criteria. There are more than 100 built-in reports that we can use, for example, to see how many SSL connections have been used on the last day. We also have a link for documentation that redirects us to eDocs on Citrix, and a Downloads pane where we can download the SNMP MIB files, Nitro SDK, and some other files, such as integrations for System Center Operations Manager and Virtual Machine Manager.

The integration for Operations Manager allows for monitoring, and the integration for Virtual Machine Manager allows for fully automated deployment of load-balancing sets from within, for instance, a service template in Virtual Machine Manager. It also allows for automatic provisioning of more compute instance, for example, if NetScaler sees that servers that serve as load-balancing servers are running out of resources.

Configuration

The Configuration pane is where we do our configuration of services and also of NetScaler; this is where we will spend most of our time, and it also important how the GUI works and how to navigate in it.

By default, most of the features are disabled, which will appear in the GUI, as shown in the following screenshot:

Configuration

This is because if we do not need them running, NetScaler will not start the services that they depend on.

In order to enable a feature, we can right-click on it and choose enable. Alternatively, we can navigate to System | Settings | Configure Modes.

Most of the features are sorted by the tasks they do, for instance, content switching and frontend optimization are both optimization features and are placed within the Optimization menu. When working with the GUI, in most cases, we will see a plus sign, which indicates that more options are available or that we can add an option to an object:

Configuration

In many cases, we want to edit existing objects. Most of the objects in this version allow us to do so by clicking on the pencil icon.

Many of the features contain nested options, so it is important to look at the navigation bar where, for instance, you might be adding a policy and attaching it to an action, as shown in the following screenshot:

Configuration

Now, we configure some basic features before deploying any services to NetScaler:

  • DNS: This feature allows for name resolution
  • NTP: This feature allows for time synchronization
  • Syslog: This feature allows for central logging of states, auditing, and status information
  • SNMP: This feature allows NetScaler to send alarms to a designated SNMP server

Syslog and SNMP features are not needed but should be evaluated in larger deployments and for auditing and monitoring purposes. For example, NetScaler can be monitored using SNMP with System Center Operations Manager. You can read more about it at http://msandbu.wordpress.com/2013/04/02/monitoring-netscaler-with-operations-manager-2012/.

It can also be monitored using the NITRO API interface using, for instance, PowerShell or Comtrade management pack for Citrix NetScaler, which is an extension to Operations Manager.

The first to add is a DNS server to allow for name resolution. This setting can be found by navigating to Configuration | Traffic Management | DNS | Name Servers. Here, click on Add and enter the IP address of the DNS server, and leave the rest as default values. After you have added the DNS server, NetScaler will automatically start monitoring it. Make sure that ICMP is also opened in the firewall to the DNS servers; NetScaler uses ICMP with UDP to monitor if the DNS servers are available. For redundancy, you should add more than one DNS server to the list. After you have added the DNS servers, you can verify the state of the servers by going back to the Name Servers pane.

Note

DNS using TCP is only needed for zone transfers, and therefore it is not used for regular name resolution. We also have the ability to use both UDP and TCP. This is used for TCP-enabled DNS systems.

After each configuration, I am going to show the CLI-based option to perform the same action. To add a DNS server using the CLI, use the following command:

add dns nameServer IPaddress

Next, you should add an NTP server. This is important because of logging purposes, timestamps, certificates, reporting, and so on. The NTP server's configuration can be found by navigating to System | NTP Servers. Here, click on Add and enter the IP information and a key if you are using authentication. If you do not have an NTP server available in your network, you can use a public one. You can find a public NTP server at http://www.pool.ntp.org/en/.

You can also add an NTP server using the following command:

add ntp server IPaddress

After you have added the NTP server, you have to perform a sync using the following CLI command:

enable ntp sync

You also need to change the time zone of NetScaler to reflect your own time zone. This can be done by navigating to System | Settings | Change time zone.

Another important feature that you should look closer at is Syslog. Syslog is a common open standard logging feature that allows you to place logs on a central host instead of on NetScaler itself. This makes it easier to view logs from different devices that use Syslog from a single repository. This is not something that I consider as required, but it makes it easier to access and view logs.

If you do not set up Syslog, you will have to view the different logs locally on NetScaler. The Syslog feature can be enabled by navigating to System | Auditing | Servers. This requires that you have a central Syslog server in place.

If you have a central monitoring solution, you should consider configuring SNMP. SNMP consists of alarms and traps. If any abnormalities happen, such as high usage of RAM or, for example, Syslog, an alarm will trigger on NetScaler and the SNMP agent on it will send the alarm to an SNMP trap listener (which could be a central SNMP solution such as Microsoft System Center Operations Manager).

In order to allow NetScaler to be queried by an SNMP server for information, enter the following information, which can be added in the GUI by navigating to System | SNMP:

  • SNMP manager: This is the IP address of the host that is allowed access
  • SNMP community string: This is used for authentication of the appliance

In order for NetScaler to send traps whenever a critical event occurs, enter the following information:

  • Enable/Disable SNMP alarms: This defines which alarms should create a trap
  • SNMP traps: This defines which host should get the traps and the conditions for the traps

You can also change the hostname of the appliance, which by default comes with the name ns. You can change it using the following CLI command:

set ns hostname

Note that the hostname value you define here is used for licensing for the NetScaler Gateway VPX model.

You should also change the default password, as nsroot is the default password for all NetScaler appliances. This can be done using the following CLI command:

set system user nsroot password

This can also be done through the GUI by navigating to System | User Administration | Users | nsroot | Choose Action and clicking on Change password.

After you are done with this setup, you also need to add our platform license to the appliance. This can be done through the GUI by navigating to System | Licenses. Here, just click on Add license and upload the license that was generated from www.mycitrix.com/.

After adding the license, you need to reboot the appliance. You can verify that the license is properly applied by checking under the Licenses tab or by using the CLI command show license, as this will list all the features that are licensed along with the model type, as shown in the following screenshot:

Configuration

You can also see up in the top-left corner, which version of the VPX you are running from the number that is listed there.

Note that in the portal or CLI, if the model number ID is 1, it means that the license file has not been read correctly or the hostname allocation is wrong.

The last thing to do is to enable secure management of the NetScaler appliance, since by default, you can connect to it using telnet and regular HTTP, which is insecure. In order to set up secure access only, navigate to System | Network | IPs | Choose the NSIP and click on Edit. At the bottom, choose Secure Access Only and click on OK.

NetScaler® modes and features

Now that we have added the license and configured most of the basic features, such as DNS, NTP, and SNMP, it's time to take a closer look at the different modes through which NetScaler can process traffic. The different modes can be found by navigating to System | Settings | Configure Modes.

Here, there are modes that we can configure depending on the following parameters:

  • How do we want NetScaler to process network traffic such as L2 and L3?
  • Where is NetScaler placed?

Not all the advanced features are covered here, as some of them are not relevant for every environment. Information about the remaining features can be found in the Citrix article at http://support.citrix.com/article/CTX121149. The different modes here decide how NetScaler should handle different kinds of traffic. So, a quick overview of the different modes is as follows:

  • Fast Ramp: This mode bypasses the slow-start mechanism of the TCP protocol and allows for a faster increment of TCP windowing, thereby allowing for faster packet transmission. This feature is enabled by default.
  • Layer 2 mode: This mode allows NetScaler to behave as a switch and should only be used if servers are directly attached to NetScaler, or if it is being used as a transparent bridge, for example, CloudBridge.
  • Use Source IP: By default, when NetScaler connects to a backend server, it uses one of its own addresses to establish a connection. By enabling the Use Source IP mode, the end client IP address is used to connect to the backend server. This should only be used in deployments where you need direct connections from the clients, or when you have an IDS environment. Make sure that when this feature is enabled, the backend servers must have one of NetScaler's IP addresses to be used as the Gateway IP address.
  • Client Keep-Alive: This feature is mostly useful when the backend server or service does not support client keep-alive. It allows clients to maintain connectivity to the appliance even if the backend server closes the connection. This eliminates the need to reestablish the connection between the client and the backend server, and will reduce the time needed for a client to reopen the connection. This feature should only be enabled if there are performance issues with a service.
  • TCP Buffering: This feature allows the adjustment of speed between a high-speed server and a slow client. If a backend server responds too fast for a client, the appliance will buffer the packets and adjust the speed based upon the speed of the client. This allows the backend server to devote the CPU resources to other tasks. This mode should be enabled if there are performance issues or if the TCP window scaling does not work, or shows high-packet loss.
  • MAC-based Forwarding: This mode allows NetScaler to return packets based upon the MAC address of the received packet. For example, in environments where you have multiple routers, and you need to make sure that the packets are returned through the same path, you need to enable the MAC-based Forwarding mode. If this feature is disabled, the return path is based upon the route lookup. By default, this feature is not enabled.
  • Edge Configuration: Enable this feature if clients are using the link load-balancing feature.
  • Use Subnet IP: This feature allows for the use of subnet IP addresses.
  • Layer 3 mode: When the Layer 3 mode is enabled, the NetScaler appliance performs route table lookups and forwards all packets that are not destined for any NetScaler-owned IP address. This mode is enabled by default, but it should be disabled if not used for security purposes.
  • Path MTU Discovery: This mode allows network devices to share information to determine the largest MTU size that can be allowed on a network, which reduces the amount of IP packet fragmentation. This mode is enabled by default.
  • Static Route Advertisement: This mode allows for the advertisement of static routes when using dynamic routing protocols.
  • Direct Route Advertisement: This mode allows for the advertisement of direct routes when using dynamic routing protocols.
  • Intranet Route Advertisement: This mode allows for the advertisement of intranet routes when using dynamic routing protocols.
  • IPv6 Static Route Advertisement: This mode allows for the advertisement of IPv6 static routes when using dynamic routing protocols.
  • IPv6 Direct Route Advertisement: This mode allows for the advertisement of IPv6 direct routes when using dynamic routing protocols.
  • Bridge BDPUs: This mode is used for the Spanning Tree Protocol, allowing NetScaler to participate or not participate in the STP state.
  • Media Classification: This mode is used to classify media content that is passed through NetScaler.

    Note

    When using NetScaler at the edge of the network as a firewall, uncheck all the boxes for route advertisement and Path MTU discovery.

NetScaler® networking

We have gone through the basic setup of NetScaler, its different modes, and its basic features. Now, we will go deeper into the different IP addresses that can be used in NetScaler and how they operate. NetScaler can have the following different IP addresses:

  • NSIP: This is the NetScaler IP address
  • MIP: This is the mapped IP address
  • SNIP: This is the subnet IP address
  • VIP: This is the virtual IP address
  • GSLBIP: This is the Global Server Load Balancing site IP address
  • CLIP: This is the cluster IP address

We will not cover clustering as part of this book.

NSIP

As we have discussed earlier, this IP address is used for management purposes in the local NetScaler, and it is used to authenticate against services such as AD, LDAP, and Radius. We need to make sure that the NSIP address is allowed to talk through the firewall.

By default, the NSIP address is allowed to be used for management services using several protocols, such as SSH, HTTP, and HTTPS. This is also the IP address we use to communicate with NetScaler using the NITRO API. We can restrict the security level to only allow secure access by navigating to System | Network | IPs | NSIP, and then choosing Secure Access. Remember that this requires that we import a trusted certificate, as by default, it uses a self-signed certificate. If we try to connect it with a browser when running a self-signed certificate, we will get browser warnings stating it cannot verify the publisher.

MIP

Next we have the MIP address, which is used for backend server connectivity. When we add an MIP address to a network, it automatically creates a route entry with its address as the gateway to reach that particular network.

SNIP

The SNIP address is also used for backend server connectivity. When setting up a NetScaler appliance, the startup wizard requires you to enter an SNIP address. The SNIP address also creates a route entry with its address as the gateway to reach that particular network. The SNIP address is also used for connectivity against DNS/WINS servers. In order to use an SNIP address, the Use Subnet IP (USNIP) feature must be enabled.

The common feature of both these addresses is that they are used for proxy connections by users connecting to a service via a VIP address to a backend server. Most of the time, MIP was used to set up an address on the same subnet in which the NSIP was placed, and the SNIP address was used to contact backend servers, which were located on another subnet. But with the latest releases of NetScaler, there is no need to use the MIP address feature. Citrix also recommends using SNIP instead of MIP addresses.

When we want to add an SNIP or an MIP address to NetScaler, we can do this from the same pane where we saw the NSIP address, that is, by navigating to System | Network | IP addresses | Add. If we want, we can also use the following CLI command:

add ns ip 10.0.0.0 255.255.255.0 –type SNIP

We can change the type name depending on what we need. Valid parameters here are SNIP, VIP, MIP, and NSIP.

VIP is a virtual IP address. It represents a service or different services by an IP address, port, and a protocol, and depending on the configuration, it might be a load-balanced service. Clients connect to this IP address to access a service. We will have a detailed look at how the VIP address works in Chapter 2, NetScaler GatewayTM, and Chapter 3, Load Balancing.

Now, let us tie this together to understand the concept of how NetScaler processes traffic for a service. In this example, we have a web service running on a couple of web servers located on our intranet subnet 10.0.0.x. We want this service to be accessible to our external users by using NetScaler. We will place it in the DMZ with a two-arm topology, with one NIC in the intranet, and define the different IP addresses to be used. In this example, we set up an SNIP with the address as 10.0.0.2, which is used for server connectivity at the backend. Our users are placed on the Internet and will access the service using www.service1.company.com. This FQDN resolves into the VIP address on NetScaler, which is 80.80.80.80.

Remember that VIP is a virtual address, and in our example it is used to load balance the connection between the two web servers that are placed on the intranet, as shown in the following screenshot:

SNIP

So, when a client connects to the VIP of NetScaler, it terminates the connection and establishes a connection with the backend web server using its SNIP client connection to the VIP address www.service1.company.com, as shown in the earlier example. The following table shows how the packets are routed:

HTTP request

Source

Destination

IP

Client IP address

NetScaler VIP address

MAC

Default router

NetScaler MAC

From here, NetScaler establishes a connection to the backend server on behalf of the client requesting the content.

HTTP request

Source

Destination

IP

NetScaler SNIP address

Backend web server 1

MAC

NetScaler MAC

Backend web server 1

The return traffic goes in the same direction back to the client.

This is a simple overview of how the traffic flow may be with a load-balanced service. There are, of course, many factors here that decide how the traffic flows, and it is also dependent on how the network is configured.

One thing that is important to note is that the IP addresses are not associated with an interface as they are with a regular network appliance. They are active on all the interfaces, so NetScaler behaves more like a hub. This might be a problem in some cases, where TCP packets are sent and received on different interfaces, and it might cause a loop. This is where VLANs come in. We can associate an IP address with a VLAN, which we can again associate with an interface. First, we need to create a VLAN. This can be done through the GUI by navigating to Network | VLANs | Add. From here, we can enter an ID for the VLAN and give it an alias name. Then, we can bind an interface and an IP address to the VLAN. This allows an IP address to be bound to a specific virtual interface.

We can also do this via the CLI by using the following commands. First, we need to create the VLAN as follows:

add vlan 20 –aliasName "Network 1"

Next, we need to bind it to an interface:

bind vlan 2 -ifnum 1/8

Note

We have an option to choose the Tagged VLAN. This uses the 802.1 standard, but it is not supported by NetScaler VPX, and it is recommended to leave this to the hypervisor layer. If we need to tag a particular VLAN to NetScaler, we can do this under the network settings for NetScaler VPX in the Hyper-V manager. To define a Tagged VLAN, enable the option for Virtual LAN Identification for a management operation system and define a VLAN ID.

Summary

We have now gone through the basics of NetScaler, covering the basics and the definition of an ADC, how it works, and also a bit on the different models and editions we can choose from. We also went through some advanced feature modes, and how NetScaler processes traffic for a sample web service. Lastly, we looked at how NetScaler handles traffic for a load-balanced service, and how we can add VLANs.

So, to sum it up, this is what we did to get NetScaler up and running:

  • Imported the virtual machine in a virtual environment or in a public cloud
  • Performed the initial setup of NetScaler using CLI by setting the NSIP
  • Changed the default password from nsroot
  • Added a platform license to enable more features
  • Added additional IP addresses, such as SNIP, to enable backend communications
  • Added a DNS server for name lookup and an NTP server for time synchronization
  • Configured modes depending on the network topology
  • Saved the configuration

In the next chapter, we will look more closely at the NetScaler Gateway and Unified Gateway feature, which is commonly used for XenApp/XenDesktop environments, and we will also have a look at the different modes it can operate in.

Left arrow icon Right arrow icon

Key benefits

  • Learn how to design, set up, and deploy NetScaler VPX along with the new Jumbo frames in a virtual environment using your GUI as well as your CLI for both public and private clouds to make all your web applications faster and more secure
  • Enrich your networking skills utilizing the new features of AAA by following the instructions to optimize network traffic
  • A step-by-step guide that will show you how to work with the latest NetScaler, 11, by implementing its new features using sample scenarios and real-world examples

Description

With a large demand for responsive websites and availability of services, IT administrators are faced with an ever-rising need for services that are optimized for speed. NetScaler VPX is a software-based virtual appliance that provides users with the comprehensive NetScaler feature set. Implementing apps and cloud-based services is much easier with its increased service performance and integrated security features. This book will give you an insight into all the new features that NetScaler VPX™ has to offer. Starting off with the basics, you will learn how to set NetScaler up and configure it in a virtual environment including the new features available in version 11, such as unified gateway and portal theme customization. Next, the book will cover how to deploy NetScalar on Azure and Amazon, and you will also discover how to integrate it with an existing Citrix infrastructure. Next, you will venture into other topics such as load balancing Microsoft and Citrix solutions, configuring different forms of high availability Global Server Load Balancing (GSLB), and network optimization. You will also learn how to troubleshoot and analyze data using NetScaler's extensive array of features. Finally, you will discover how to protect web services using an application firewall and will get to grips with other features such as HTTP, DOS, and AAA.

Who is this book for?

This book is for Citrix administrators who are just getting started with NetScaler, have some basic networking skills This book does not require prior experience of NetScaler.

What you will learn

  • Configure different VPN solutions and learn about ICA Proxy, Unified Gateway and SSL VPN
  • Set up load balancing for SharePoint, Exchange, Lync, SQL and other Citrix components
  • Gain insights into traffic management with NetScaler, Wireshark, and Citrix Insight
  • Protect your web services with an application firewall, HTTP, DOS, and AAA
  • Optimize traffic using front-end optimization, caching, and compression
  • Deploy a high availability environment
  • Use NetScaler in public cloud providers such as Azure or Amazon
  • Advance your network knowledge of TCP and SSL optimization

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Oct 23, 2015
Length: 202 pages
Edition : 1st
Language : English
ISBN-13 : 9781785288982
Vendor :
Citrix

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Oct 23, 2015
Length: 202 pages
Edition : 1st
Language : English
ISBN-13 : 9781785288982
Vendor :
Citrix

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 141.97
Mastering Netscaler VPX
$48.99
Implementing NetScaler VPX??? - Second Edition
$43.99
Troubleshooting NetScaler
$48.99
Total $ 141.97 Stars icon
Banner background image

Table of Contents

9 Chapters
1. NetScaler VPX™ 11 – Basics and Setup Chevron down icon Chevron up icon
2. NetScaler Gateway™ Chevron down icon Chevron up icon
3. Load Balancing Chevron down icon Chevron up icon
4. Mobilestream Chevron down icon Chevron up icon
5. Optimizing NetScaler Traffic Chevron down icon Chevron up icon
6. High Availability Chevron down icon Chevron up icon
7. Security and Troubleshooting Chevron down icon Chevron up icon
8. AAA Application Traffic Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
(3 Ratings)
5 star 33.3%
4 star 33.3%
3 star 33.3%
2 star 0%
1 star 0%
Rkc Jul 04, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Very useful and simple contents.explained very well.worth to buy.every topic in this book explained very well,giving 5 star to Amazon delivery and Also to author of this book
Amazon Verified review Amazon
Amazon Customer Dec 03, 2015
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
I have had the pleasure to be engaged by Packet Publishing to review this book during the process of writing.I am a consultant, instructor and speaker with Citrix technologies as my expertise.This book is an excellent read for understanding and implementing Netscaler VPX in your environment.The book is straight to the point without be too complex for a reader who is new to the subject. Some more experienced readers might feel that they wished some more features would be covered, but I believe that this is a great starting point Marius Sandbu has chosen and picked the right set of feauters out of the wide range that Netscaler has.
Amazon Verified review Amazon
Steve J Walters Nov 21, 2016
Full star icon Full star icon Full star icon Empty star icon Empty star icon 3
Not a detail as I though
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.