NetScaler
Basics
- A NetScaler is deployed in front of a server farm and functions as a transparent proxy between client and server, without requiring any client-side configuration.
#ship
#show connectiontable
#config ns
OR
#set ns config -Ipaddress <IP> -netmask <mask>
#add ns ip <IP> <subnet mask> -mgmtAccess [Enabled|Disabled] -type MIP
- Adding a virtual server automatically creates a VIP.
- VLAN tagging does not propagate in NetScaler HA pairs.
- Null routes can be created to prevent routing loops.
- Two interfaces should not be plugged into the same port or VLAN unless link aggregation is used.
- No IP-to-interface mapping => floating IP configuration.
- Why? In HA, when the primary fails, the secondary takes over with no loss of service.
- When the backend application expects requests for a specific hostname, or redirects you to that hostname, NetScaler should be configured as below:
- Configure the VIP for the same hostname, or use URL Transformation to achieve the same result.
LB Methods
- Least Connection = service with the fewest active connections
- Round Robin = rotates through a list of services
- Least Response Time (LRTM) = fewest active connections and lowest average response time
- Least Bandwidth = service serving the least amount of traffic, measured in Mbps
- Least Packets = service that received the fewest packets
- Source IP Hash
- Destination IP Hash
Persistence Methods
- SOURCE IP
- COOKIE Insert = connections carrying the same HTTP cookie inserted by the Set-Cookie directive from the server belong to the same persistence session
- SSL Session = connections having the same SSL session ID
- RULE = all connections matching a user-defined rule
- URL Passive = requests having the same server ID (hexadecimal of the server IP and port) of the service to which the request is to be forwarded
- Dest IP
- SRC IP DST IP
- CALL ID = same Call-ID in the SIP header
NetScaler Topology Diagram
- StoreFront and License server can be installed in the same server to save lab resources.
SNIP: x.x.x.79; VIP (NS Gateway): x.x.x.87
NS IP address details (diagram)
Integrating with SAML Server
You need a SAML server to build the setups below:
NetScaler as SP
- IP Address Scheme
- 10.107.88.70  SAML Server      saml.testlab.com
- 10.107.88.69  Netscaler VIP    aaavip.testlab.com
- 10.107.88.79  Netscaler SNIP   samlvip.testlab.com
- 10.107.88.93  Backend Server
- 10.107.88.80  LDAP Server      ad.testlab.com
Configuration
add ns ip 10.107.88.78 255.255.255.224 -type NSIP -vServer DISABLED -mgmtAccess ENABLED -dynamicRouting ENABLED
add ns ip 10.107.88.67 255.255.255.224 -type VIP -snmp DISABLED
add ns ip 10.107.88.87 255.255.255.224 -vServer DISABLED -gui DISABLED -ssh DISABLED -mgmtAccess ENABLED
add service Server3 Ubuntu_Server HTTP 8083 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add service Server4 Ubuntu_Server HTTP 8084 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add service Server1 Ubuntu_Server HTTP 8081 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add service Server2 Ubuntu_Server HTTP 8082 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
add ssl certKey web.testlab.com -cert web.testlab.com.CER
add ssl certKey sf.testlab.com -cert sf.testlab.com.cer -key sf.testlab.com.key -passcrypt "gScQiu+ULgg="
add ssl certKey testlab-root -cert root.cer -passcrypt "gScQiu+ULgg="
add ssl certKey IDP-Cert -cert idp.crt
add authentication samlIdPProfile SAML-IDP-Profile -samlIdPCertName sf.testlab.com -assertionConsumerServiceURL "https://saml.testlab.com/simplesaml/"
add lb vserver Saml-Test-Srv SSL 10.107.88.79 443 -persistenceType SOURCEIP -cltTimeout 180 -AuthenticationHost aaavip.testlab.com -Authentication ON -authnVsName Saml-vServer
add authentication vserver Saml-vServer SSL 10.107.88.69 443
set ns encryptionParams -method AES256 -keyValue 4bd351ed61dbec30ef34ffeafc8d94acdd35e3336fa0b881780f72b293ec33c89ea91201302a0649da1970d4e5fcb5c50a83c0f95c28a29e9b57c9619dd6259b4c55debd1eff2f6ce714fe5974675220 -encrypted -encryptmethod ENCMTHD_3
bind lb vserver Saml-Test-Srv Server3
add dns nameServer 10.107.88.80
add lb monitor STAMONNHOP-webServer CITRIX-STA-SERVICE-NHOP -LRTM DISABLED -interval 2 MIN -resptimeout 4 -downTime 5 -destIP 10.107.88.93 -destPort 8083
add authentication samlAction Saml-vServer -samlIdPCertName sf.testlab.com -samlSigningCertName sf.testlab.com -samlRedirectUrl "https://saml.testlab.com/simplesaml/saml2/idp/SSOService.php" -samlUserField sAMAccountName -samlRejectUnsignedAssertion OFF -samlIssuerName testlab-AD-CA -Attribute1 sAMAccountName -logoutURL "https://saml.testlab.com/simplesaml/saml2/idp/SingleLogoutService.php" -skewTime 30
add authentication samlPolicy Saml-Policy ns_true Saml-vServer
bind authentication vserver Saml-vServer -policy Saml-Policy -priority 100
bind ssl vserver Saml-Test-Srv -certkeyName sf.testlab.com
bind ssl vserver Saml-Test-Srv -certkeyName testlab-root -CA -ocspCheck Optional
bind ssl vserver Saml-vServer -certkeyName sf.testlab.com
set ns param -timezone "GMT+05:30-IST-Asia/Kolkata"
Screenshots
This section is under construction.
Logs
This section is under construction.
Packet Captures
This section is under construction.
NetScaler as IDP
This section is under construction.
Troubleshooting
- For NetScaler, raise the syslog level to capture everything:
> set syslogParams -logLevel ALL
API Calls
- Reboot NetScaler (warm reboot via NITRO)
curl -s -k -X POST -H 'Content-Type:application/vnd.com.citrix.netscaler.reboot+json' --basic --user nsroot:pwd@123 -d '{"reboot":{"warm":true}}' http://10.107.88.78/nitro/v1/config/reboot/
- Last boot time
curl -s -k -X GET -H 'Content-Type:application/json' --basic --user nsroot:pwd@123 http://10.107.88.78/nitro/v1/stat/system?attrs=starttime
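The same NITRO API can be used to audit the SAML SP configuration above rather than only to reboot or read stats. The script below is an added example, not part of the original notes or Citrix's own tooling: it reads the samlAction objects (assumption: NITRO exposes them at `/nitro/v1/config/authenticationsamlaction` with lowercase attribute names) and flags settings a reviewer would question, such as the `-samlRejectUnsignedAssertion OFF` and `-skewTime 30` in the lab config. The sample response is constructed from that config so the audit runs offline.

```python
import base64
import json
import urllib.request

# Constructed sample in the shape NITRO returns, using the values of this page's
# "Saml-vServer" samlAction (attribute names assumed to follow NITRO's lowercase form).
SAMPLE_RESPONSE = json.dumps({
    "errorcode": 0, "message": "Done", "severity": "NONE",
    "authenticationsamlaction": [{
        "name": "Saml-vServer",
        "samlidpcertname": "sf.testlab.com",
        "samlsigningcertname": "sf.testlab.com",
        "samlredirecturl": "https://saml.testlab.com/simplesaml/saml2/idp/SSOService.php",
        "samlrejectunsignedassertion": "OFF",
        "skewtime": "30",
    }],
})


def audit_saml_actions(body: str) -> list:
    """Return (action name, finding) tuples for SP settings that weaken assertion checks."""
    findings = []
    for act in json.loads(body).get("authenticationsamlaction", []):
        name = act.get("name", "?")
        # With unsigned assertions accepted, a forged assertion is indistinguishable from the IdP's.
        if act.get("samlrejectunsignedassertion", "OFF").upper() == "OFF":
            findings.append((name, "samlRejectUnsignedAssertion is OFF"))
        # A plain-HTTP redirect to the IdP exposes the AuthnRequest and RelayState in transit.
        if not act.get("samlredirecturl", "").lower().startswith("https://"):
            findings.append((name, "samlRedirectUrl is not HTTPS"))
        # skewTime widens the NotBefore/NotOnOrAfter window; NetScaler's default is 5 minutes.
        if int(act.get("skewtime", "5")) > 5:
            findings.append((name, f"skewTime {act['skewtime']} min"))
        # Without an IdP certificate there is nothing to verify assertion signatures against.
        if not act.get("samlidpcertname"):
            findings.append((name, "no samlIdPCertName"))
    return findings


def fetch_saml_actions(nsip: str, user: str, password: str) -> str:
    """GET the samlAction objects over NITRO with Basic auth, like the curl calls above."""
    req = urllib.request.Request(f"http://{nsip}/nitro/v1/config/authenticationsamlaction")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for name, finding in audit_saml_actions(SAMPLE_RESPONSE):
        print(f"{name}: {finding}")
```

Against a live box, replace SAMPLE_RESPONSE with fetch_saml_actions("10.107.88.78", "nsroot", "<password>"); the two findings for the lab config are the OFF unsigned-assertion check and the 30-minute skew.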
- References