NetScaler
[[Category:CitrixLoadBalancers]]
__TOC__
<br />
 
= Basics =
{{notice|This page is under Construction}}
 
*A NetScaler is deployed in front of a server farm and functions as a transparent proxy between client and server, without requiring any client-side configuration.
 
*No IP-to-interface mapping: IP addresses are configured as floating IPs.
*Why? In an HA pair, when the primary fails the secondary takes over the same addresses, so there is no loss of service.

*When the backend application expects requests for a specific hostname, or redirects you to that hostname, configure the NetScaler as below:
**Configure the VIP for the same hostname
**Use URL Transformation to achieve the same
 
== LB Methods ==
; Least Connection : Service with the fewest active connections
; Round Robin : Rotates through the list of services
; Least Response Time (LRTM) : Fewest active connections and lowest average response time
; Least Bandwidth : Service currently serving the least amount of traffic, measured in Mbps
; Least Packets : Service that received the fewest packets
; Source IP Hash : Service selected by a hash of the client's source IP address
; Destination IP Hash : Service selected by a hash of the destination IP address
 
== Persistence Methods ==
; SOURCE IP : Connections from the same client source IP address belong to the same persistence session
; COOKIE Insert : Connections carrying the same HTTP cookie inserted by the Set-Cookie directive from the server belong to the same persistence session
; SSL Session : Connections having the same SSL session ID
; RULE : All connections matching a user-defined rule
; URL Passive : Requests carrying the same server ID (hexadecimal of the server IP and port) of the service to which the request is to be forwarded
; Dest IP : Connections to the same destination IP address
; SRC IP DST IP : Connections with the same source IP and destination IP pair
; CALL ID : Same Call-ID in the SIP header
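The following is an added example, not NetScaler code, that implements the LB methods listed above together with SOURCEIP persistence (the persistence type used on the lb vserver later on this page) as a small scheduler. The method names are the CLI's lbMethod values; the services, their counters and the client addresses are constructed, and the selection rules are simplified (LRTM here orders by active connections and breaks ties by response time).

```python
# Toy scheduler for the LB and persistence methods listed above.
# Added example, not NetScaler code: services, counters and client IPs are constructed.
import hashlib
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Service:
    name: str
    ip: str
    port: int
    active_conns: int = 0     # active connections (Least Connection, LRTM)
    avg_resp_ms: float = 0.0  # average response time (LRTM)
    rx_mbps: float = 0.0      # traffic currently served (Least Bandwidth)
    packets: int = 0          # packets received (Least Packets)


def _hash_index(value: str, n: int) -> int:
    """Stable bucket for the hash-based methods: same input, same service."""
    digest = hashlib.sha256(value.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n


class Scheduler:
    def __init__(self, services):
        self.services = list(services)
        self._rr = cycle(self.services)
        self.persist = {}  # SOURCEIP persistence table: client IP -> Service

    def round_robin(self):
        return next(self._rr)

    def least_connection(self):
        return min(self.services, key=lambda s: s.active_conns)

    def least_response_time(self):
        # LRTM (simplified): fewest active connections, ties broken by response time
        return min(self.services, key=lambda s: (s.active_conns, s.avg_resp_ms))

    def least_bandwidth(self):
        return min(self.services, key=lambda s: s.rx_mbps)

    def least_packets(self):
        return min(self.services, key=lambda s: s.packets)

    def source_ip_hash(self, client_ip):
        return self.services[_hash_index(client_ip, len(self.services))]

    def destination_ip_hash(self, dest_ip):
        return self.services[_hash_index(dest_ip, len(self.services))]

    def select(self, method, client_ip, dest_ip="10.107.88.79"):
        """Pick a service for a new connection from client_ip.

        SOURCEIP persistence is consulted first; only clients without an entry
        go through the LB method, and the chosen service is then recorded.
        """
        if client_ip in self.persist:
            chosen = self.persist[client_ip]
        elif method == "SOURCEIPHASH":
            chosen = self.source_ip_hash(client_ip)
        elif method == "DESTINATIONIPHASH":
            chosen = self.destination_ip_hash(dest_ip)
        else:
            chosen = {
                "ROUNDROBIN": self.round_robin,
                "LEASTCONNECTION": self.least_connection,
                "LEASTRESPONSETIME": self.least_response_time,
                "LEASTBANDWIDTH": self.least_bandwidth,
                "LEASTPACKETS": self.least_packets,
            }[method]()
        self.persist[client_ip] = chosen
        chosen.active_conns += 1
        return chosen


def sample_services():
    """Constructed pool using the Server1..Server3 names from this page."""
    return [
        Service("Server1", "10.107.88.93", 8081, active_conns=3, avg_resp_ms=120.0, rx_mbps=5.0, packets=900),
        Service("Server2", "10.107.88.93", 8082, active_conns=1, avg_resp_ms=200.0, rx_mbps=2.0, packets=1500),
        Service("Server3", "10.107.88.93", 8083, active_conns=1, avg_resp_ms=80.0, rx_mbps=9.0, packets=300),
    ]


if __name__ == "__main__":
    sch = Scheduler(sample_services())
    print("client A ->", sch.select("LEASTCONNECTION", "192.0.2.10").name)
    print("client A again (persisted) ->", sch.select("LEASTCONNECTION", "192.0.2.10").name)
    print("client B ->", sch.select("LEASTCONNECTION", "192.0.2.11").name)
```

Running it shows the point of persistence: once client A has been mapped to a service, later connections from the same source IP stay on it even when another service now has fewer active connections.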
<br />
 
= NetScaler Topology Diagram =
[[File:Netscaler ZenDesktop.png]]
 
*StoreFront and the License server can be installed on the same server to save lab resources.
 
; SNIP : x.x.x.79
; VIP (NS Gateway) : x.x.x.87
 
= NS IP address details =
[[File:Netscaler Zendesktop 2.png|none]]
 
= Integrating with SAML Server =
 
You need to have a [[SAML Server]] to achieve the setups below:
 
 
== NetScaler as SP ==
 
[[File:SAML Server.png]]
 
;IP Address Scheme
:10.107.88.70 SAML Server (saml.testlab.com)
:10.107.88.69 NetScaler VIP (aaavip.testlab.com)
:10.107.88.79 NetScaler SNIP (samlvip.testlab.com)
:10.107.88.93 Backend Server
:10.107.88.80 LDAP Server (ad.testlab.com)
 
=== Configuration ===
<pre style="width: 97%; overflow-x: scroll;">
add ns ip 10.107.88.78 255.255.255.224 -type NSIP -vServer DISABLED -mgmtAccess ENABLED -dynamicRouting ENABLED
add ns ip 10.107.88.67 255.255.255.224 -type VIP -snmp DISABLED
add ns ip 10.107.88.87 255.255.255.224 -vServer DISABLED -gui DISABLED -ssh DISABLED -mgmtAccess ENABLED
add service Server3 Ubuntu_Server HTTP 8083 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add service Server4 Ubuntu_Server HTTP 8084 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add service Server1 Ubuntu_Server HTTP 8081 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add service Server2 Ubuntu_Server HTTP 8082 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
add ssl certKey web.testlab.com -cert web.testlab.com.CER
add ssl certKey sf.testlab.com -cert sf.testlab.com.cer -key sf.testlab.com.key -passcrypt "gScQiu+ULgg="
add ssl certKey testlab-root -cert root.cer -passcrypt "gScQiu+ULgg="
add ssl certKey IDP-Cert -cert idp.crt
add authentication samlIdPProfile SAML-IDP-Profile -samlIdPCertName sf.testlab.com -assertionConsumerServiceURL "https://saml.testlab.com/simplesaml/"
add lb vserver Saml-Test-Srv SSL 10.107.88.79 443 -persistenceType SOURCEIP -cltTimeout 180 -AuthenticationHost aaavip.testlab.com -Authentication ON -authnVsName Saml-vServer
add authentication vserver Saml-vServer SSL 10.107.88.69 443
set ns encryptionParams -method AES256 -keyValue 4bd351ed61dbec30ef34ffeafc8d94acdd35e3336fa0b881780f72b293ec33c89ea91201302a0649da1970d4e5fcb5c50a83c0f95c28a29e9b57c9619dd6259b4c55debd1eff2f6ce714fe5974675220 -encrypted -encryptmethod ENCMTHD_3
bind lb vserver Saml-Test-Srv Server3
add dns nameServer 10.107.88.80
add lb monitor STAMONNHOP-webServer CITRIX-STA-SERVICE-NHOP -LRTM DISABLED -interval 2 MIN -resptimeout 4 -downTime 5 -destIP 10.107.88.93 -destPort 8083
add authentication samlAction Saml-vServer -samlIdPCertName sf.testlab.com -samlSigningCertName sf.testlab.com -samlRedirectUrl "https://saml.testlab.com/simplesaml/saml2/idp/SSOService.php" -samlUserField sAMAccountName -samlRejectUnsignedAssertion OFF -samlIssuerName testlab-AD-CA -Attribute1 sAMAccountName -logoutURL "https://saml.testlab.com/simplesaml/saml2/idp/SingleLogoutService.php" -skewTime 30
add authentication samlPolicy Saml-Policy ns_true Saml-vServer
bind authentication vserver Saml-vServer -policy Saml-Policy -priority 100
bind ssl vserver Saml-Test-Srv -certkeyName sf.testlab.com
bind ssl vserver Saml-Test-Srv -certkeyName testlab-root -CA -ocspCheck Optional
bind ssl vserver Saml-vServer -certkeyName sf.testlab.com
set ns param -timezone "GMT+05:30-IST-Asia/Kolkata"
</pre>
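The samlAction above sets <code>-samlRejectUnsignedAssertion OFF</code>, <code>-skewTime 30</code> and <code>-samlUserField sAMAccountName</code>. The added example below, which is not NetScaler code, shows on the SP side what those three settings decide about an incoming assertion: whether an assertion with no signature is accepted, how much clock skew (in minutes, the unit NetScaler uses for skewTime) is tolerated on NotBefore/NotOnOrAfter, and which attribute becomes the user name. The SAML response is constructed, and the signature check is presence-only; a real SP must also verify the XML signature against the IdP certificate (IDP-Cert above).

```python
# Added example, not NetScaler code. Shows the effect of the samlAction
# parameters -samlRejectUnsignedAssertion, -skewTime and -samlUserField.
# The SAML response is constructed; no cryptographic verification is done.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: marks the assertion as "signed" for this example only.
SIG_PLACEHOLDER = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>CONSTRUCTED-NOT-A-REAL-SIGNATURE</ds:SignatureValue>"
    "</ds:Signature>"
)

# Constructed "current time" used by the checks below.
NOW = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)


def build_response(signed, not_before, not_on_or_after, user="user1"):
    """Constructed SAML 2.0 Response carrying one assertion (test input only)."""
    sig = SIG_PLACEHOLDER if signed else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion ID="_a1" IssueInstant="{not_before}">
    <saml:Issuer>testlab-AD-CA</saml:Issuer>
    {sig}
    <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName">
        <saml:AttributeValue>{user}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse the UTC timestamp format used in SAML conditions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, reject_unsigned=True, skew_minutes=5,
                    user_field="sAMAccountName"):
    """Decide whether to accept the assertion and which user it names.

    reject_unsigned mirrors -samlRejectUnsignedAssertion ON/OFF,
    skew_minutes mirrors -skewTime (NetScaler default 5 minutes),
    user_field mirrors -samlUserField.
    """
    def reject(reason):
        return {"accepted": False, "reason": reason, "user": None}

    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return reject("no assertion")
    if reject_unsigned and assertion.find("ds:Signature", NS) is None:
        return reject("unsigned assertion rejected")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return reject("no conditions")
    skew = timedelta(minutes=skew_minutes)
    if now + skew < _ts(cond.get("NotBefore")):
        return reject("assertion not yet valid")
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        return reject("assertion expired")
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{user_field}']/saml:AttributeValue"
    value = assertion.find(path, NS)
    return {"accepted": True, "reason": "ok", "user": value.text if value is not None else None}


if __name__ == "__main__":
    unsigned = build_response(False, "2024-01-01T09:59:00Z", "2024-01-01T10:05:00Z")
    print("RejectUnsigned ON :", check_assertion(unsigned, NOW))
    print("RejectUnsigned OFF:", check_assertion(unsigned, NOW, reject_unsigned=False))
```

The two printed lines make the practical difference visible: with the page's setting of OFF an assertion that carries no signature at all is accepted, and with a skewTime of 30 an assertion whose NotOnOrAfter passed up to half an hour ago is still within the window.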
 
=== Screenshots ===
{{UC}}
 
 
=== Logs ===
{{UC}}
 
=== Packet Captures ===
{{UC}}
 
== NetScaler as IDP ==
{{UC}}
 
 
 
== Troubleshooting ==
 
*For NetScaler, raise the syslog level so that all messages are logged:
<pre>
> set syslogParams -logLevel ALL
</pre>
 
 
= API Calls =
;Reboot NetScaler
<pre>
curl -s -k -X POST -H 'Content-Type:application/vnd.com.citrix.netscaler.reboot+json' --basic --user nsroot:pwd@123 -d '{"reboot":{"warm":true}}' http://10.107.88.78/nitro/v1/config/reboot/
</pre>

;Last Boot time
<pre>
curl -s -k -X GET -H 'Content-Type:application/json' --basic --user nsroot:pwd@123 http://10.107.88.78/nitro/v1/stat/system?attrs=starttime
</pre>
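The same two NITRO calls built with the Python standard library, as an added example that is not Citrix code. It prepares the reboot POST (with the reboot content type from the curl above) and the starttime GET, and parses the JSON a stat call returns. The base URL, credentials and sample response body are constructed; nothing is sent unless <code>send()</code> is called, and that path uses HTTPS with certificate verification rather than the <code>-k</code> flag, and reads credentials from the environment rather than the command line.

```python
# Added example, not Citrix code: NITRO reboot and starttime calls via urllib.
# Base URL, credentials and the sample stat response are constructed.
import base64
import json
import os
import ssl
import urllib.request

REBOOT_TYPE = "application/vnd.com.citrix.netscaler.reboot+json"


def basic_auth(user, password):
    """HTTP Basic credential, equivalent to curl --basic --user user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def nitro_request(base_url, user, password, path, payload=None, content_type="application/json"):
    """Prepared urllib Request for NITRO: POST when a payload is given, else GET."""
    data = json.dumps(payload).encode() if payload is not None else None
    headers = {"Content-Type": content_type, "Authorization": basic_auth(user, password)}
    return urllib.request.Request(base_url.rstrip("/") + path, data=data, headers=headers,
                                  method="POST" if data else "GET")


def reboot_request(base_url, user, password, warm=True):
    return nitro_request(base_url, user, password, "/nitro/v1/config/reboot/",
                         payload={"reboot": {"warm": warm}}, content_type=REBOOT_TYPE)


def starttime_request(base_url, user, password):
    return nitro_request(base_url, user, password, "/nitro/v1/stat/system?attrs=starttime")


def parse_starttime(body):
    """Extract system.starttime from a NITRO stat reply; raise on a NITRO error code."""
    doc = json.loads(body)
    if doc.get("errorcode", 0) != 0:
        raise RuntimeError(f"NITRO error {doc.get('errorcode')}: {doc.get('message')}")
    return doc["system"]["starttime"]


def send(req, cafile=None):
    """Send over TLS with certificate verification (curl -k above skips it)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


# Constructed reply shaped like a NITRO stat response.
SAMPLE_STAT_BODY = json.dumps({"errorcode": 0, "message": "Done", "severity": "NONE",
                               "system": {"starttime": "Mon Jan  1 10:00:00 2024"}})

if __name__ == "__main__":
    user = os.environ.get("NS_USER", "nsroot")       # assumed variable names
    password = os.environ.get("NS_PASS", "")
    req = starttime_request("https://10.107.88.78", user, password)
    print(req.get_method(), req.full_url)
    print("sample starttime:", parse_starttime(SAMPLE_STAT_BODY))
```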
 
 
 
 
<br />