NetScaler

=Basics=
 * A Netscaler is deployed in front of Server farm & functions as a Transparent Proxy between Client & server without requiring any client-side Configuration.


 * 1) ship
 * 2) show connectiontable

OR
 * 1) config ns
 * 1) set ns config -Ipaddress  -netmask


 * 1) add ns ip  -mgmtAccess [Enabled|Disabled] -type MIP


 * Adding Virtual Server automatically creates a VIP
 * VLAN tagging does not propagate in NS HA Pairs
 * Can create null routes to prevent routing loops


 * 2 interfaces should not be plugged into same port or vlan unless using link aggregation


 * No IP to Interface mapping => Floating IP config
 * Why? In HA, when Primary failes, secondary takes over, no loss of Service.

- Configure the VIP for the same Hostname - Use URL Transformation to achieve the same
 * When the Backend Application expects request for a specific Hostname or redirect you to that hostname, Netscaler should be configured as below:

LB Methods
Least Connection = Service with fewest active connections Round Robin = Rotates a list of services Least Response time(LRTM) = Fewest active connections & lowest average responce time Least Bandwidth = service serving least amount of traffic measured in mbps Least Packets = service that received fewest packets Source IP Hash Destination IP Hash

Persistence Methods
SOURCE IP = COOKIE Insert = Connections having same HTTP Cookie inserted by Set-Cookie directive from server belong to same persistence session. SSL Session = Connections having same SSL session ID RULE = All connection matching a user defined rule URL Passive = requests having same server ID(Hexadecimal of Server IP & Port) of service to which request is to be fwded Dest IP = SRC IP DST IP = CALL ID = Same Caller ID in SIP Header

= Integrating with SAML Server =

You need to have a SAML Server to achieve below setups:

NetScaler as SP


10.107.88.70	SAML Server	 saml.testlab.com 10.107.88.69	Netscaler VIP	 aaavip.testlab.com 10.107.88.79	Netscaler SNIP	 samlvip.testlab.com 10.107.88.93	Backend Server 10.107.88.80	LDAP Server     ad.testlab.com
 * IP Address Scheme

Configuration
 add ns ip 10.107.88.78 255.255.255.224 -type NSIP -vServer DISABLED -mgmtAccess ENABLED -dynamicRouting ENABLED add ns ip 10.107.88.67 255.255.255.224 -type VIP -snmp DISABLED add ns ip 10.107.88.87 255.255.255.224 -vServer DISABLED -gui DISABLED -ssh DISABLED -mgmtAccess ENABLED add service Server3 Ubuntu_Server HTTP 8083 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO add service Server4 Ubuntu_Server HTTP 8084 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO add service Server1 Ubuntu_Server HTTP 8081 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES add service Server2 Ubuntu_Server HTTP 8082 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key add ssl certKey web.testlab.com -cert web.testlab.com.CER add ssl certKey sf.testlab.com -cert sf.testlab.com.cer -key sf.testlab.com.key -passcrypt "gScQiu+ULgg=" add ssl certKey testlab-root -cert root.cer -passcrypt "gScQiu+ULgg=" add ssl certKey IDP-Cert -cert idp.crt add authentication samlIdPProfile SAML-IDP-Profile -samlIdPCertName sf.testlab.com -assertionConsumerServiceURL "https://saml.testlab.com/simplesaml/" add lb vserver Saml-Test-Srv SSL 10.107.88.79 443 -persistenceType SOURCEIP -cltTimeout 180 -AuthenticationHost aaavip.testlab.com -Authentication ON -authnVsName Saml-vServer add authentication vserver Saml-vServer SSL 10.107.88.69 443 set ns encryptionParams -method AES256 -keyValue 4bd351ed61dbec30ef34ffeafc8d94acdd35e3336fa0b881780f72b293ec33c89ea91201302a0649da1970d4e5fcb5c50a83c0f95c28a29e9b57c9619dd6259b4c55debd1eff2f6ce714fe5974675220 -encrypted -encryptmethod ENCMTHD_3 bind lb vserver Saml-Test-Srv Server3 add dns nameServer 10.107.88.80 add lb monitor STAMONNHOP-webServer CITRIX-STA-SERVICE-NHOP -LRTM DISABLED -interval 2 MIN -resptimeout 4 -downTime 5 -destIP 10.107.88.93 -destPort 8083 add authentication samlAction Saml-vServer -samlIdPCertName sf.testlab.com -samlSigningCertName sf.testlab.com -samlRedirectUrl "https://saml.testlab.com/simplesaml/saml2/idp/SSOService.php" -samlUserField sAMAccountName -samlRejectUnsignedAssertion OFF -samlIssuerName testlab-AD-CA -Attribute1 sAMAccountName -logoutURL "https://saml.testlab.com/simplesaml/saml2/idp/SingleLogoutService.php" -skewTime 30 add authentication samlPolicy Saml-Policy ns_true Saml-vServer bind authentication vserver Saml-vServer -policy Saml-Policy -priority 100 bind ssl vserver Saml-Test-Srv -certkeyName sf.testlab.com bind ssl vserver Saml-Test-Srv -certkeyName testlab-root -CA -ocspCheck Optional bind ssl vserver Saml-vServer -certkeyName sf.testlab.com set ns param -timezone "GMT+05:30-IST-Asia/Kolkata"

Troubleshooting
> set syslogParams -logLevel ALL
 * For Netscaler:

= API Calls = curl -s -k -X POST -H 'Content-Type:application/vnd.com.citrix.netscaler.reboot+json' --basic --user nsroot:pwd@123 -d '{"reboot":{"warm":true}}' http://10.107.88.78/nitro/v1/config/reboot/
 * Reboot Netscaler

curl -s -k -X GET -H 'Content-Type:application/json' --basic --user nsroot:pwd@123 http://10.107.88.78/nitro/v1/stat/system?attrs=starttime
 * Last Boot time


 * References