Channel: netscaler – Marius Sandbu – IT blog

Automating Citrix Netscaler and PowerShell


This is something I have been wanting to do for some time now, and since I am doing a lot of research for my upcoming book, the subject popped into my head again: how can we automate the setup of a Citrix Netscaler?

Citrix Netscaler exposes the NITRO API, which is in essence a REST interface, so we have an API to talk to the Netscaler with. We can also build custom applications in C# and Java, since the NITRO SDK ships with client libraries for both.

You can download the Netscaler SDK for each build in mycitrix.com
Link to the latest SDK –> http://www.citrix.com/downloads/netscaler-adc/sdks/netscaler-sdk-release-101.html

Extract the C# tar file and browse into the lib folder. From there we have to import the two library files:

$path1 = Resolve-Path Newtonsoft.Json.dll
[System.Reflection.Assembly]::LoadFile($path1)
$path = Resolve-Path nitro.dll
[System.Reflection.Assembly]::LoadFile($path)

After we have imported the library files we can open a connection to the Netscaler. First off, we can either hard-code the variables NSIP, username and password, or prompt for them with Read-Host. In this example the NSIP of the Netscaler is 192.168.88.3 and the username and password are the default nsroot/nsroot :) As you can see security is my top priority :) (For anything beyond a lab, use "https" in the session constructor and a non-default password; over plain http the credentials cross the network in clear text.)

$nsip = "192.168.88.3"
$user = "nsroot"
$pass = "nsroot"

$nitrosession = New-Object com.citrix.netscaler.nitro.service.nitro_service($nsip, "http")
$session = $nitrosession.login($user, $pass)

This object (a .NET nitro_service instance, not a COM object) holds the common services against the Netscaler, for instance:

  • Login / Logout
  • Save Config
  • Restart
  • Enable / Disable features

If we wanted to do a restart, for instance, we would use the same object. Two examples, saving the config and rebooting:

$session = $nitrosession.save_config()

$session = $nitrosession.reboot($true)

Since the session object is already there we can just call these directly, and these are only a few of them (refer to the SDK documentation for all the classes).
So what are some of the basic configurations we need to do on a Netscaler? First, change the default hostname:

$hostname = New-Object com.citrix.netscaler.nitro.resource.config.ns.nshostname
$hostname.hostname = "NSpowershell"
$ret_value = [com.citrix.netscaler.nitro.resource.config.ns.nshostname]::update($nitrosession, $hostname)

Next we should also add a DNS server so the Netscaler can do hostname lookups.

$dns = New-Object com.citrix.netscaler.nitro.resource.config.dns.dnsnameserver
$dns.ip = "192.168.88.10"
$ret_value = [com.citrix.netscaler.nitro.resource.config.dns.dnsnameserver]::add($nitrosession, $dns)

And if we want it to do load balancing, we first need to add the server or two that we want to load balance.

$server1 = New-Object com.citrix.netscaler.nitro.resource.config.basic.server
$server1.name = "Powershell"
$server1.ipaddress = "192.168.88.100"
$ret_value = [com.citrix.netscaler.nitro.resource.config.basic.server]::add($nitrosession, $server1)

Next we need to create a service that points at that server.

$service1 = New-Object com.citrix.netscaler.nitro.resource.config.basic.service
$service1.name = "IIS"
$service1.servicetype = "HTTP"
$service1.monitor_name_svc = "http"
$service1.port = 80
$service1.servername = "Powershell"   # must be the name of the server object added above
$ret_value = [com.citrix.netscaler.nitro.resource.config.basic.service]::add($nitrosession, $service1)

And lastly, create a load balancing vServer and bind the service to it.

$lbvserver1 = New-Object com.citrix.netscaler.nitro.resource.config.lb.lbvserver
$lbvserver1.name = "lbvip_sample"
$lbvserver1.servicetype = "http"
$lbvserver1.port = 8080
$lbvserver1.ipv46 = "192.168.88.25"
$lbvserver1.lbmethod = "ROUNDROBIN"
$lbvserver1.servicename = "IIS"
$ret_value = [com.citrix.netscaler.nitro.resource.config.lb.lbvserver]::add($nitrosession, $lbvserver1)

$lb_to_service = New-Object com.citrix.netscaler.nitro.resource.config.lb.lbvserver_service_binding
$lb_to_service.name = "lbvip_sample"
$lb_to_service.servicename = "IIS"
$ret_value = [com.citrix.netscaler.nitro.resource.config.lb.lbvserver_service_binding]::add($nitrosession, $lb_to_service)

And of course, lastly, remember to save the config of the Netscaler with $nitrosession.save_config(); until that runs, everything above is gone after the next reboot.

So there you have it, some example Netscaler/PowerShell commands! I am just getting started here myself, so I will return when I have some more useful commands, and I am going to make a custom setup script as well :)
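A more complete version of the script above, added here as an example and not part of the original post: the same NITRO SDK calls wrapped in functions, with https instead of http, a prompted credential instead of nsroot/nsroot in the script, a check of the errorcode in every base_response the SDK returns, and a save and logout that run even when a step fails. It assumes the SDK DLLs are extracted to C:\sdk\lib and that the NSIP presents a certificate the client trusts; the NSIP, names and addresses are the placeholders from the post.

```powershell
# Added example (not from the original post): NITRO SDK setup with https, prompted credential,
# return-code checks, and guaranteed save + logout. Assumes SDK DLLs in C:\sdk\lib.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$SdkLib = 'C:\sdk\lib'   # assumed SDK extraction path
[void][System.Reflection.Assembly]::LoadFile((Join-Path $SdkLib 'Newtonsoft.Json.dll'))
[void][System.Reflection.Assembly]::LoadFile((Join-Path $SdkLib 'nitro.dll'))

# Every NITRO call returns a base_response: errorcode 0 is success, anything else carries a message.
function Assert-NitroOk {
    param($Response, [string]$What)
    if ($null -ne $Response -and $Response.errorcode -ne 0) {
        throw "NITRO $What failed ($($Response.errorcode)): $($Response.message)"
    }
}

function Connect-NetScaler {
    param([string]$Nsip, [System.Management.Automation.PSCredential]$Credential)
    # "https": over plain "http" the admin password crosses the network in clear text.
    $svc = New-Object com.citrix.netscaler.nitro.service.nitro_service($Nsip, 'https')
    Assert-NitroOk ($svc.login($Credential.UserName, $Credential.GetNetworkCredential().Password)) 'login'
    return $svc
}

# Server -> service -> lb vserver -> binding, the same four objects as in the post.
function New-NetScalerLbStack {
    param($Svc, [string]$ServerName, [string]$ServerIp, [string]$ServiceName,
          [string]$VipName, [string]$VipAddress, [int]$VipPort = 80)

    $server = New-Object com.citrix.netscaler.nitro.resource.config.basic.server
    $server.name = $ServerName
    $server.ipaddress = $ServerIp
    Assert-NitroOk ([com.citrix.netscaler.nitro.resource.config.basic.server]::add($Svc, $server)) "add server $ServerName"

    $service = New-Object com.citrix.netscaler.nitro.resource.config.basic.service
    $service.name = $ServiceName
    $service.servername = $ServerName      # must reference the server object just created
    $service.servicetype = 'HTTP'
    $service.port = 80
    $service.monitor_name_svc = 'http'
    Assert-NitroOk ([com.citrix.netscaler.nitro.resource.config.basic.service]::add($Svc, $service)) "add service $ServiceName"

    $vip = New-Object com.citrix.netscaler.nitro.resource.config.lb.lbvserver
    $vip.name = $VipName
    $vip.servicetype = 'HTTP'
    $vip.ipv46 = $VipAddress
    $vip.port = $VipPort
    $vip.lbmethod = 'ROUNDROBIN'
    Assert-NitroOk ([com.citrix.netscaler.nitro.resource.config.lb.lbvserver]::add($Svc, $vip)) "add lbvserver $VipName"

    $binding = New-Object com.citrix.netscaler.nitro.resource.config.lb.lbvserver_service_binding
    $binding.name = $VipName
    $binding.servicename = $ServiceName
    Assert-NitroOk ([com.citrix.netscaler.nitro.resource.config.lb.lbvserver_service_binding]::add($Svc, $binding)) "bind $ServiceName to $VipName"
}

$nsip = '192.168.88.3'   # placeholder NSIP from the post
$svc = Connect-NetScaler -Nsip $nsip -Credential (Get-Credential -Message "NetScaler admin for $nsip")
try {
    New-NetScalerLbStack -Svc $svc -ServerName 'Powershell' -ServerIp '192.168.88.100' `
        -ServiceName 'IIS' -VipName 'lbvip_sample' -VipAddress '192.168.88.25' -VipPort 8080
    # Nothing above survives a reboot until the running config is saved.
    Assert-NitroOk ($svc.save_config()) 'save_config'
} finally {
    # Release the NITRO session so it does not linger against the NSIP session limit.
    [void]$svc.logout()
}
```

The try/finally is the part worth copying: a script that throws halfway through otherwise leaves an unsaved, half-built configuration and an open admin session on the box.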



Netscaler news and codename Tagma and Integration with Nexus Fabric


Today I got news from a little birdie about a new Netscaler release that is coming with the codename Tagma. The new build has loads of new features, and the Java GUI is almost dead.

The rumor is that Beta 1 of the release is coming soon… I'm guessing a Synergy release.

Another piece of news is that the Citrix and Cisco partnership has gone to the next level, with integration of the Netscaler into the Cisco Nexus fabric. (This makes the CCNA Data Center certification even more relevant!)

The integration gives numerous benefits such as easier setup, reduced downtime thanks to dynamic route updates, and, with RISE, better visibility into the datacenter by eliminating the need to hide source IP addresses behind full-proxy ADC services.

You can read more about it here –> http://www.citrix.com/news/announcements/apr-2014/google-and-citrix-collaborate-on-new-ways-to-deliver-business-cr.html?utm_source=twitterfeed&utm_medium=linkedin

And when I know more about the Tagma release I will let you know! :)


Netscaler command center 5.2 beta


I was just accepted into the Netscaler Command Center beta and have already taken it for a test drive. For those not familiar with Command Center, it is a product from Citrix for central management and monitoring of Netscaler products (including Netscaler VPX/MPX/SDX, Netscaler Gateway and CloudBridge).

Unlike Insight or the Netscaler itself, which run as virtual appliances, this is Java-based software that runs on top of Windows Server (Windows Server 2012 is not supported yet), and it stores its data in a MySQL database.

I'm not going to show the setup, since it is really straightforward, but rather how the admin console looks.
The admin GUI is available at https://ip:8443 (default ports) with username root and password public. Change that default password before anything else: Command Center holds admin credentials for every device you add to it.

After login I am shown an overview pane with the status of the devices I have added to Command Center.

Before I show how to add a device, there is some cool and quite useful stuff under the configuration part!

I can schedule a software update that automatically stops one HA node, fails over, updates and reboots it, and then switches back to the other node. I can do certificate management with a central repository, and I can also do deployment automation.

Adding a device is quite simple: choose Citrix Network –> Add Device. First you need to create a device profile, which contains the user credentials and SNMP info,

and which product these credentials are for. Command Center then does discovery using the NITRO API and SNMP against the device(s). After that the device shows as operational, and clicking its name connects to it on the management IP.

If I now make a change on a device that is added to Command Center, it shows SNMP traps for every change I make.

In the monitoring pane it lists all services set up on a device, both regular load balanced services and Netscaler Gateways.

I can also set up integration with an SMTP server so Command Center sends alerts by email when a critical event happens.

So if you have more than two Netscaler nodes I suggest implementing Command Center, since it eases management and reporting. One issue I still have is that it does not support Windows Server 2012, but this is still beta 2 and I'm guessing that will show up later.


Load balancing RDS gateway 2012 R2 with Netscaler


With 2012 R2 and RDS, Microsoft has gotten better at delivering remote terminal server sessions, and the cost of RDS is quite low compared to other platforms such as VMware or Citrix.

RDS Gateway is a feature that lets us tunnel RDP traffic inside HTTP packets, or HTTPS to be exact, and it can act as a gateway to other servers, which makes it a suitable server to place in the DMZ.

Borrowed from technet: http://i.technet.microsoft.com/dynimg/IC470916.jpg

The problem is that it has no high-availability functions of its own, which makes it a bit of a hassle to set up in a larger deployment. Sure, we can use a farm, but that is not a fully highly available solution.

With Server 2012 Microsoft also added UDP to deliver the graphics, while TCP is used to maintain the session and carry control actions and such. It is possible to disable UDP, but you get a more sluggish experience.

(Screenshot in the original post: connection when UDP is enabled)

So basically an RDS Gateway in 2012 R2 is a service that responds on TCP 443 (HTTPS) and UDP 3391.
Now how could this look with a Netscaler in front, load balancing between several RDS Gateway servers?

NOTE: This guide assumes that we are going to load balance both 443 and 3391.
First we go into the Netscaler and add the back-end servers that run the RDS Gateway feature.

Next we attach a service to each back-end server. Since the RDS Gateway feature uses more than one port (and a Netscaler service is typically one protocol, one port), we use the ANY protocol and enter * in the port field. This means the Netscaler will load balance any protocol on all ports, which is why we lock it down with ACLs later.

We can use an HTTPS monitor against the back-end servers, since HTTPS on 443 is what establishes the connection. The problem is that with * in the port field, the built-in https monitor fails because it does not know which port to probe. Therefore create a custom HTTPS monitor where you enter port 443 explicitly,

and bind it to the service. After you have created a service for each back-end server (or a service group), create a load balancing vServer with protocol ANY and port *.

The ANY vServer acts like a bridge, so you do not need to put any certificates on it; it is just an extension in front of the deployment that is already in place :)

After you have created the vServer, remember to put ACLs in place that allow only TCP 443 and UDP 3391 to the VIP, since the Netscaler will otherwise pass any request on any port through to the back-end servers.

Also set up persistence (source IP persistence works with the ANY protocol) so a user's TCP 443 and UDP 3391 flows land on the same gateway, with a timeout based on how long you want the user to stay on the same gateway.
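The steps above, pushed over the NITRO REST interface from PowerShell with Invoke-RestMethod instead of clicking through the GUI. This is an added example, not configuration from the original post; the NSIP, VIP, gateway names and addresses are placeholders, the credential is prompted for, and the persistence timeout and the monitor's expected response are assumptions to adjust for your gateways. NITRO represents the CLI's * port as 65535.

```powershell
# Added example (not from the original post): RDS Gateway load balancing via NITRO REST.
# Placeholders: NSIP, VIP, gateway hosts. Credential is prompted, never stored in the script.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$Nsip = '192.168.88.3'                                                      # placeholder NSIP
$Vip  = '192.168.88.40'                                                     # placeholder VIP clients connect to
$GatewayServers = @{ rdg01 = '192.168.88.101'; rdg02 = '192.168.88.102' }   # placeholder RDS Gateway hosts
$Cred = Get-Credential -Message "NetScaler admin for $Nsip"

# One NITRO request. The admin credential travels in headers, so the URI must be https.
function Invoke-Nitro {
    param([ValidateSet('GET','POST','PUT')][string]$Method, [string]$Resource, [hashtable]$Body)
    $headers = @{ 'X-NITRO-USER' = $Cred.UserName; 'X-NITRO-PASS' = $Cred.GetNetworkCredential().Password }
    $params = @{ Method = $Method; Uri = "https://$Nsip/nitro/v1/config/$Resource"; Headers = $headers; ContentType = 'application/json' }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Depth 5 -Compress) }
    return Invoke-RestMethod @params
}

# 1. Back-end servers and ANY/* services (port 65535 is NITRO's encoding of "*").
foreach ($name in $GatewayServers.Keys) {
    Invoke-Nitro POST 'server'  @{ server  = @{ name = $name; ipaddress = $GatewayServers[$name] } }
    Invoke-Nitro POST 'service' @{ service = @{ name = "svc_$name"; servername = $name; servicetype = 'ANY'; port = 65535 } }
}

# 2. Custom secure HTTP monitor that probes 443 explicitly, since a "*" service gives the built-in
#    https monitor no port. Default probe is HEAD / expecting 200 (assumption: check what your gateway returns).
Invoke-Nitro POST 'lbmonitor' @{ lbmonitor = @{ monitorname = 'mon_rdg_https'; type = 'HTTP'; secure = 'YES'; destport = 443 } }
foreach ($name in $GatewayServers.Keys) {
    Invoke-Nitro PUT 'service_lbmonitor_binding' @{ service_lbmonitor_binding = @{ name = "svc_$name"; monitor_name = 'mon_rdg_https' } }
}

# 3. ANY/* virtual server with source-IP persistence so a user's 443 and 3391 flows hit the same gateway.
#    The 120-minute persistence timeout is an assumption.
Invoke-Nitro POST 'lbvserver' @{ lbvserver = @{ name = 'lb_rdg'; servicetype = 'ANY'; ipv46 = $Vip; port = 65535; persistencetype = 'SOURCEIP'; timeout = 120 } }
foreach ($name in $GatewayServers.Keys) {
    Invoke-Nitro PUT 'lbvserver_service_binding' @{ lbvserver_service_binding = @{ name = 'lb_rdg'; servicename = "svc_$name" } }
}

# 4. ACLs: the ANY/* vserver accepts everything sent to the VIP, so allow only TCP/443 and UDP/3391
#    to it and deny the rest. Lower priority number wins; ACLs take effect only after "apply".
$acls = @(
    @{ aclname = 'acl_rdg_https'; aclaction = 'ALLOW'; protocol = 'TCP'; destip = $true; destipval = $Vip; destport = $true; destportval = '443';  priority = 10 },
    @{ aclname = 'acl_rdg_udp';   aclaction = 'ALLOW'; protocol = 'UDP'; destip = $true; destipval = $Vip; destport = $true; destportval = '3391'; priority = 20 },
    @{ aclname = 'acl_rdg_deny';  aclaction = 'DENY';  destip = $true; destipval = $Vip; priority = 100 }
)
foreach ($acl in $acls) { Invoke-Nitro POST 'nsacl' @{ nsacl = $acl } }
Invoke-Nitro POST 'nsacl?action=apply' @{ nsacl = @{} }

# 5. Persist the running configuration.
Invoke-Nitro POST 'nsconfig?action=save' @{ nsconfig = @{} }
```

The order matters for the ACL step: create the allows before the deny, and call apply once at the end, so there is no window in which the VIP is either wide open or fully blocked.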


Azure Multifactor authentication and Netscaler AAA vServer


Microsoft has done a great job adding features to its cloud platform over the last year, one of which is Azure MFA (Multi-Factor Authentication), which lets a user log in with username and password plus a second factor such as a PIN, a one-time code or something else.

Just to show how we can use Azure MFA with non-Windows services, I decided to try it with the Citrix Netscaler AAA vServer. Here is an overview of how the setup looks.

Azure MFA requires a local server component that proxies authentication attempts between the client and the authentication server. In my case I use the MFA component as a RADIUS server: it proxies RADIUS requests to the AD domain and adds the second factor on top.

The Netscaler AAA vServer can proxy authentication attempts for back-end services such as Exchange, RDWeb and so on. It is the same type of vServer that is used when logging in to a Netscaler Gateway session.

For this demonstration I set up a load balanced web service consisting of two web servers. The web servers have no authentication of their own, so I created an AAA vServer on the Netscaler that users are redirected to in order to authenticate before they see the web content.

So a simple load balanced service, with an AAA vServer attached to it.

Note that aaa.test.local is an internal service on the Netscaler (make sure DNS is in place and a name server is added to the Netscaler). To create the AAA vServer, go to Security –> AAA –> Virtual Servers and choose create new.

There we create the new server; make sure the domain name is correct and that a trusted certificate is bound.

Then under Authentication we define an authentication server. This can forward authentication attempts to RADIUS, LDAP, LOCAL, SAML and so on. Since we want to use Azure MFA, we use RADIUS.

In my case I created an authentication policy with the expression ns_true, which means every user going through the Netscaler gets this policy.

My authentication policy looks like this. The authentication server is the server that will get the Azure MFA service installed (I also predefined a shared secret). It is also important that the time-out is set to 60 seconds, to give the second-factor round trip (phone call or text message) enough time to finish before the Netscaler gives up on the RADIUS request.

Remember, certificates are important here! If the client does not trust the certificate you get HTTP 500 error messages.

After this is done we can start setting up Azure MFA. First, make sure you have some sort of DirSync solution in place so that a local user can be matched to a user in Azure AD. If you do not, just google DirSync + Azure and you'll get a ton of blog posts on the subject :)

In my case I didn't have DirSync set up, so I created a new local UPN suffix that matched the usernames@domain in Azure, so the MFA service could match the local user to the Azure user.

First you need an Azure AD domain.

Then choose create new multi-factor auth provider.

After you have created the provider, select it and choose Manage. From there you can download the software.

Download the software and make sure you have a server to install it on. When installing the server components you are asked for a username and password for authentication; this user can be generated from the Azure portal.

You are also asked to join a group; this is the group you created when setting up the multi-factor authentication provider in Azure.

During the installation wizard you are asked to use the quick setup, where the wizard can configure RADIUS automatically.

Then you are asked to enter the IP address of the RADIUS client; this is the Netscaler NSIP, which is the source address the Netscaler uses for its authentication traffic by default.

After that, finish the wizard and start the MFA application. First make sure the RADIUS client info is correct.

Then go to Target. Since we want the MFA server to proxy connections between the RADIUS client and the AD domain, choose Windows Domain as target.

Then go to Directory Integration and choose either Active Directory, or a specific LDAP config if you need to use another AD username and password.

Next go to Users and choose which users are enabled for two-factor authentication. In my case I only want one. Here I can define what type of second factor my user gets.
If I choose phone call with PIN, I get an automated phone call where I enter my PIN directly.

I have also added my phone number so the service can reach me with an OTP. After all this is set up I can try to log in to my service.

Log in with my username and password, and voilà! I get a text message on my phone.

After I reply with the verification code, I am successfully authenticated to the service.
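To test the RADIUS path the way the Netscaler will use it, before the AAA vServer is wired in, here is a small RFC 2865 Access-Request client in PowerShell: PAP password hiding with the shared secret, NAS-IP-Address set to the NSIP that was registered as the RADIUS client, verification of the Response Authenticator, and the same 60 second wait as the policy above. This is an added example, not part of the original post or of the Azure MFA product; the server address, shared secret, NSIP and test account are placeholders.

```powershell
# Added example (not from the original post): minimal RADIUS Access-Request client, RFC 2865.
# Placeholders: RADIUS server, shared secret, NSIP used as NAS-IP-Address, test account.
Set-StrictMode -Version Latest

function Get-Md5Hash([byte[]]$Data) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try { return $md5.ComputeHash($Data) } finally { $md5.Dispose() }
}

# RFC 2865 5.2: pad the password to a multiple of 16 bytes, then XOR each block with
# MD5(secret + previous block); the first "previous block" is the Request Authenticator.
function Protect-RadiusPassword([string]$Password, [string]$Secret, [byte[]]$Authenticator) {
    $secretBytes = [Text.Encoding]::UTF8.GetBytes($Secret)
    $plainBytes  = [Text.Encoding]::UTF8.GetBytes($Password)
    $len = [int](16 * [math]::Ceiling([math]::Max($plainBytes.Length, 1) / 16.0))
    $padded = New-Object byte[] $len
    [Array]::Copy($plainBytes, $padded, $plainBytes.Length)
    $cipher = New-Object byte[] $len
    $prev = $Authenticator
    for ($i = 0; $i -lt $len; $i += 16) {
        $mask = Get-Md5Hash ([byte[]]($secretBytes + $prev))
        for ($j = 0; $j -lt 16; $j++) { $cipher[$i + $j] = $padded[$i + $j] -bxor $mask[$j] }
        $prev = [byte[]]$cipher[$i..($i + 15)]
    }
    return $cipher
}

# Type-Length-Value attribute; length includes the two header bytes.
function New-RadiusAttribute([byte]$Type, [byte[]]$Value) {
    if ($Value.Length -gt 253) { throw "attribute $Type too long" }
    return [byte[]](@([byte]$Type, [byte](2 + $Value.Length)) + $Value)
}

function New-AccessRequest([string]$User, [string]$Password, [string]$Secret, [string]$NasIp, [byte]$Id) {
    $auth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($auth)   # Request Authenticator
    $attrs = [byte[]]((New-RadiusAttribute 1 ([Text.Encoding]::UTF8.GetBytes($User))) +                 # User-Name
                      (New-RadiusAttribute 2 (Protect-RadiusPassword $Password $Secret $auth)) +         # User-Password
                      (New-RadiusAttribute 4 ([System.Net.IPAddress]::Parse($NasIp).GetAddressBytes())))  # NAS-IP-Address
    $length = 20 + $attrs.Length
    $packet = [byte[]](@(1, $Id, ($length -shr 8), ($length -band 0xFF)) + $auth + $attrs)   # Code 1 = Access-Request
    return @{ Packet = $packet; Authenticator = $auth }
}

function Test-RadiusLogin {
    param([string]$Server, [int]$Port = 1812, [string]$Secret, [string]$User, [string]$Password,
          [string]$NasIp, [int]$TimeoutSeconds = 60)
    $req = New-AccessRequest $User $Password $Secret $NasIp 1
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutSeconds * 1000   # the MFA call/SMS round trip needs this long
    try {
        [void]$udp.Send([byte[]]$req.Packet, $req.Packet.Length, $Server, $Port)
        $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$from)
    } catch [System.Net.Sockets.SocketException] {
        # A wrong shared secret or an unregistered NAS-IP makes the server drop the request silently.
        return 'Timeout'
    } finally { $udp.Close() }
    if ($resp.Length -lt 20 -or $resp[1] -ne 1) { return 'Malformed' }
    # RFC 2865 3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    $attrBytes = if ($resp.Length -gt 20) { $resp[20..($resp.Length - 1)] } else { @() }
    $expected = Get-Md5Hash ([byte[]]($resp[0..3] + $req.Authenticator + $attrBytes + [Text.Encoding]::UTF8.GetBytes($Secret)))
    if ([Convert]::ToBase64String($expected) -ne [Convert]::ToBase64String([byte[]]$resp[4..19])) { return 'BadAuthenticator' }
    switch ($resp[0]) { 2 { 'Access-Accept' } 3 { 'Access-Reject' } 11 { 'Access-Challenge' } default { "Code $($resp[0])" } }
}

# Usage with placeholders: the NasIp must be the NSIP you registered as the RADIUS client.
$cred = Get-Credential -Message 'Account to test (UPN)'
Test-RadiusLogin -Server '192.168.88.20' -Secret 'replace-me' -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -NasIp '192.168.88.3'
```

Access-Challenge is a valid outcome with one-time-passcode modes, where the server expects a second request carrying the code; a Timeout with a correct address nearly always means the shared secret or the registered RADIUS client IP does not match, since RFC 2865 servers discard those requests without a reply.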


Netscaler and routing


Something I've been planning to write for a while, but with all the stuff happening lately it's hard to keep track. This is a question that comes up now and then: how does the Netscaler handle route entries?

A Netscaler often sits between many different networks, with a leg in the DMZ, one in the internal zone and others. Some deployments are two-armed with more networks attached to the Netscaler, and some require it to use only one VLAN because of security requirements.

What decides which network the Netscaler uses to communicate with the back-end servers? Since the Netscaler is an L3 device, it uses IP and its routing table to determine where to go.

When you deploy a Netscaler, one of the requirements is to set up a default gateway and a subnet IP. When you add a default gateway, a route entry is added automatically,

which essentially says: all traffic I have no other information about is sent to my default gateway, 192.168.88.1.
So if my Netscaler sits on 192.168.88.2 with a /24 prefix and needs to reach 192.168.89.2, it goes through the default gateway.

When you add a subnet IP, another route entry is added automatically, with the subnet IP itself listed as the gateway for reaching that subnet. This Netscaler has two SNIPs, one in the 192.168.88.0/24 network and another in 192.168.31.0/24.

So all traffic destined for 192.168.31.0/24 goes out directly from the SNIP 192.168.31.127. These route entries have a /24 prefix, meaning the Netscaler uses that SNIP whenever it needs to reach an IP within that range.

Does this mean the Netscaler might have multiple paths to other subnets, since my default gateway might also reach the 31 and the 88 networks? Like other layer 3 devices (Cisco, for instance), the Netscaler picks the most specific prefix first, and between routes of equal prefix length it looks at the cost to get to the remote location. (Thanks to Andrew for that)

The default gateway route has a cost of 0,

but the SNIP routes (directly connected networks) have no cost value at all,

meaning they are the preferred paths. If I have multiple SNIPs that can reach a back-end service there might be a conflict; this can be resolved with net profiles, which let you define which source IP address is used to connect to the back-end service.

(Screenshot: Create Net-Profile)

(Screenshot: Attach Net-Profile to a service)

But what if you are required to use a one-armed deployment and need access to several back-end networks for the services and probes to work properly?

Then you need to add a static route, which might look like this: "If you need to reach 192.168.89.0/24, go via 192.168.88.1."

This new route is listed as a static route with the same cost as the default gateway, but since its /24 prefix is more specific than the 0.0.0.0/0 default, it is preferred for targets in the 89 network.

So hopefully this clears up some confusion out there! :)


Netscaler VPX and Vmware latency issue


Many releases of Netscaler VPX (builds after 9.2) have had a minor issue with additional latency when running on VMware.

This has been a known issue for quite some time, and of course there has been a workaround available as well.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2

    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:

    sysctl netscaler.ns_vpx_halt_method=2

But! I am happy to say that this has been fixed in the latest build (126.12), so we no longer need the command-line workaround for the latency issue.


Netscaler 10.5 what’s in it


There has been some fuss about the latest release of Netscaler 10.5 (codename Tagma), which was supposed to be the death of the Java GUI in Netscaler. Not quite there yet..

So what has Citrix improved and added in this release? Quite a lot. Citrix states they have added over 100 new features. Beta 1 has just been released to partners, and beta 2 is on its way, coming mid-May.

http://www.citrix.com/tv/#videos/10995

In the later betas there will be more templates for App and load balancing. But let us focus on the news that has arrived now.

  • HTML5 based GUI
  • NITRO SDK for Python
  • NITRO for File Operations
  • NITRO for ZebOS system
  • GSLB Static proximity sync
  • SSL configuration Profiles
  • CNAME record caching
  • Multiple Port CS
  • AAA Session Stickiness
  • Kerberos Performance
  • Jumbo Frames
  • Link Redundancy
  • TCP BIC and CUBIC
  • SPDYv3 Gateway
  • SDX Manageability
  • Front End Optimization
  • Insight Center Enhancements

First off is the GUI, which is now mostly pure HTML5 and quite snappy! I would say about 80% of the GUI is HTML5; some features, such as running a trace, still use Java (I'm guessing that will be fixed in a later release).

What is new under licensing? Some new features appear here, such as Integrated Disk Caching and RISE (which is part of the Cisco integration).

There are also two new "features" under Traffic Optimization:

* Front End Optimization (which transforms the data sent back to the user, for instance by converting image files)

* Content Accelerator (used for integration with Citrix ByteMobile)

Setting up a new Netscaler Gateway is also a lot easier, since we don't need the Java part anymore.

There is also support for LLDP, an information exchange protocol much like Cisco's CDP. The original post shows a comparison between the old GUI and the new one here.

There is also a list of new built-in monitors.

Also support for LACP on interfaces, which lets you team NICs.

Citrix has also added some basic wizards for easier setup against XenDesktop / ShareFile and such.

Also SSL profiles and DTLS profiles.

We also have support for jumbo frames, which allow up to 9000 bytes of payload instead of 1500.

One thing that is missing is EdgeSight monitoring from the Netscaler, which looks like it has been removed for good. One thing I didn't find in the beta but is mentioned in the video is support for Oracle (most likely coming in a later beta). So these are just my findings in the latest beta; I'll update when the next beta arrives! Looks like we have much to look forward to! :)



Netscaler Insight with Appflow and Session reliability


A couple of days ago I was involved in a case where ICA sessions were suddenly disconnected and users were unable to reconnect. The setup was a simple ICA-proxy Access Gateway on the latest build (126), and there were no error messages on the StoreFront server.

After involving Citrix support, they recommended that we disable AppFlow for the Access Gateway (this deployment used Netscaler Insight to monitor ICA sessions), and suddenly things started to work again.

I knew I had seen this issue somewhere on Twitter before; a quick tweet showed that someone else had seen it as well.

So apparently AppFlow together with session reliability is a NO-GO!

If someone has managed to test this on 10.5, please give me feedback on whether it has been fixed!


Netscaler 10.5 review


Since the release of 10.5 I have been able to test a lot of the new features. Citrix has also released new versions of Insight and the endpoint clients for Windows and Mac to match the new release.

The upgrades have so far been non-problematic for my part (if you have a custom GUI you may need to recreate it), from 9.3 and 10.1 builds alike. Those planning a migration should refer to the migration document from Citrix http://support.citrix.com/proddocs/topic/ns-faq-map-10-5/ns-faq-migration.html

I have also seen a performance increase in some scenarios.

There has also been an update to the clustering features which didn't catch my eye at first: http://support.citrix.com/proddocs/topic/ns-system-10-map/ns-cluster-feat-supp-ref.html It allows a Netscaler Gateway vServer to run on a local Netscaler node.

The new build is 99% pure HTML, which is great! Some features still require the JRE, but this is going to be fixed in a future release.

The following features or nodes still require JRE:

  • System
    • Upgrade Wizard
    • Diagnostics
    • User Administration
      • Command Policies
      • Command Policy RegEx Editor
  • Visualizers
    • Network > Network Visualizer
    • Network > TCP/IP connections
    • Traffic Management > Load Balancing > Visualizer
    • Traffic Management > Content Switching > Visualizer
    • Traffic Management > GSLB > Visualizer
  • Security
    • Application Firewall
      • Application Firewall wizard
      • Add/ Edit/ Import profiles
      • Signatures
        • Add
        • Update Version
        • Auto Update Settings

Citrix has also made integration easier for their own products such as XenDesktop/XenMobile/ShareFile and so on, which makes it easier for consultants to deploy a Netscaler solution that provides availability for those products.

All of the new features are listed here –> http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-5-map/netscaler-10-5-rn.html

The feature I find most important in the latest build (besides the new GUI) is front-end optimization, which lets the Netscaler reduce the load and render time of web pages rendered in the client browser. After some initial tests with this feature I was able to cut 60% of the load time. Since in most cases a web site is not optimized for speed, the Netscaler might be an important piece there.

To sum up so far, I'm really impressed with the latest release and how Citrix has made Netscaler even more powerful with more than 100 new features, making it a key component in most datacenters. Looking forward to later releases to see what Citrix has up their sleeve! ;)


Presenting on Netscaler Masterclass


At the next Netscaler Masterclass in October I will present a session on System Center and Netscaler, covering the different forms of integration and monitoring.

For those who aren't familiar with the Masterclass, it is a monthly webinar series hosted by Citrix.

So sign up here if you want to know more –> http://www.citrix.com/events/netscaler-master-class.html


Using Netscaler with UPN and Storefront


Had a case earlier today where a customer wanted to configure the Netscaler to authenticate with UPN instead of sAMAccountName. Using UPN makes sense in many cases, since it is easier for users to remember their email address than their username. In this scenario my sAMAccountName is msandbu and my UPN is marius.sandbu@demo.no.

By default the Netscaler LDAP action is set up with sAMAccountName as the server logon name attribute. This defines what kind of account name you are allowed to log on with through the Netscaler.

If you try to log on with a UPN while sAMAccountName is defined, you get this kind of error message on the StoreFront server,

because StoreFront strips the domain info sent from the Netscaler and tries to validate the credentials against Active Directory.

So how do we fix this?

Set the server logon name attribute to userPrincipalName, and set the SSO name attribute in the LDAP action to sAMAccountName.

Then the Netscaler first validates the UPN, fetches the user's sAMAccountName, and forwards that to StoreFront, which logs the user in.

Important to remember that StoreFront always re-validates the credentials it gets from the Netscaler.
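What the LDAP action does with those two attributes, as an added example (not part of the original post): search AD for the userPrincipalName the user typed and return the sAMAccountName that goes on to StoreFront. The search base and bind account are placeholders; the filter value is escaped so a crafted login name cannot change the meaning of the LDAP filter.

```powershell
# Added example (not from the original post): the UPN -> sAMAccountName lookup the LDAP action performs.
# Placeholders: search base, bind account. Runs on Windows PowerShell with System.DirectoryServices.
Set-StrictMode -Version Latest
Add-Type -AssemblyName System.DirectoryServices

# RFC 4515 escaping for values placed inside an LDAP filter; without it, a login name such as
# "*)(objectClass=*" would widen the search instead of matching one user.
function ConvertTo-LdapFilterValue([string]$Value) {
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00')
}

function Resolve-SamAccountNameFromUpn {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [string]$LdapPath = 'LDAP://DC=demo,DC=local',                    # assumed search base
        [System.Management.Automation.PSCredential]$BindCredential        # the LDAP action's bind account
    )
    $root = if ($BindCredential) {
        New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $BindCredential.UserName, $BindCredential.GetNetworkCredential().Password)
    } else {
        New-Object System.DirectoryServices.DirectoryEntry($LdapPath)    # current Windows identity
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Same idea as "server logon name attribute = userPrincipalName": match on what the user typed.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=$(ConvertTo-LdapFilterValue $Upn)))"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')            # the "SSO name attribute"
    $result = $searcher.FindOne()
    if (-not $result) { return $null }
    return [string]$result.Properties['samaccountname'][0]
}

# Usage with placeholders: this value is what StoreFront receives after the Netscaler has validated the UPN.
$sam = Resolve-SamAccountNameFromUpn -Upn 'marius.sandbu@demo.no' -BindCredential (Get-Credential -Message 'LDAP bind account')
if ($sam) { "UPN maps to sAMAccountName $sam" } else { 'No such UPN in the directory' }
```

The same two-step shape (validate one attribute, hand back another) is why StoreFront's own re-validation succeeds: it receives a sAMAccountName it can check against AD directly.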


Using Netscaler Application firewall to protect against ShellShock


With the recent announcement of the ShellShock vulnerability, many vendors have done a great job of coming out with patches and fixes. Citrix has released a knowledge article showing which Citrix products are affected here –> http://support.citrix.com/article/CTX200217

But! Citrix has also released an update to the AppFirewall signatures to cover services exposed via the Netscaler. For instance, if we have a service that is load balanced via the Netscaler and the back-end servers are vulnerable, we can use AppFirewall to protect them from the attack until they are patched.

First we need to update the signature files (Citrix released an update yesterday) using Update Version.

Then we can see that the new signature files include rules for ShellShock.

The actions are set to block by default. When creating an AppFirewall policy we can bind it to a particular vServer or URL.

Make sure the signature action is set to block, not just log.

Note that these rules only protect services that are exposed via the Netscaler, not the Netscaler itself; refer to the Citrix document linked above for the appliance. The signature is a stopgap for the back-end servers, not a substitute for patching bash on them.
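What such a signature is looking for, as an added example (not Citrix's signature and not part of the original post): a check over HTTP request headers for the bash exported-function marker that triggers ShellShock, run over two constructed sample requests. The pattern is an assumption that mirrors the commonly published detection rule; the real rules are the ones you import from Citrix.

```powershell
# Added example (not from the original post, not Citrix's signature): ShellShock header check.
Set-StrictMode -Version Latest

# Bash treats an environment variable whose value starts with "() {" as a function definition; the
# vulnerability fires when a CGI copies a header (User-Agent, Cookie, Referer, ...) into such a variable.
# Assumed pattern; mirrors the commonly published detection rule.
$ShellshockPattern = '^\s*\(\)\s*\{'

# Turn a raw request (request line + header lines, blank line terminates) into name/value pairs.
# Header names are case-insensitive, so they are lower-cased; returns an ordered hashtable.
function ConvertFrom-HttpRequestHeaders([string]$RawRequest) {
    $headers = [ordered]@{}
    $lines = $RawRequest -split "`r?`n"
    if ($lines.Length -lt 2) { return $headers }
    foreach ($line in $lines[1..($lines.Length - 1)]) {
        if ($line -eq '') { break }                    # end of the header block
        $idx = $line.IndexOf(':')
        if ($idx -lt 1) { continue }                   # not a header line; skip it
        $headers[$line.Substring(0, $idx).Trim().ToLowerInvariant()] = $line.Substring($idx + 1).Trim()
    }
    return $headers
}

# Returns the names of headers whose value matches; an empty array means the request is clean.
function Find-ShellshockHeaders([string]$RawRequest) {
    $headers = ConvertFrom-HttpRequestHeaders $RawRequest
    $hits = @()
    foreach ($name in $headers.Keys) {
        if ($headers[$name] -match $ShellshockPattern) { $hits += $name }
    }
    return ,$hits
}

# Two constructed requests: the first carries the canonical test payload in two headers,
# the second is an ordinary request whose Cookie happens to contain braces and parentheses.
$malicious = "GET /cgi-bin/status HTTP/1.1`r`nHost: www.example.com`r`nUser-Agent: () { :;}; echo vulnerable`r`nCookie: () { :; }; echo Shellshock`r`n`r`n"
$benign    = "GET /cgi-bin/status HTTP/1.1`r`nHost: www.example.com`r`nUser-Agent: Mozilla/5.0 (Windows NT 6.3; rv:32.0)`r`nCookie: prefs={theme:dark}; ref=(none)`r`n`r`n"

"malicious request flagged headers: $((Find-ShellshockHeaders $malicious) -join ', ')"
"benign request flagged headers: $((Find-ShellshockHeaders $benign) -join ', ')"
```

Anchoring the pattern to the start of the value is what keeps the benign request clean; matching "() {" anywhere would be noisier but also catches payloads hidden behind leading junk, which is the trade-off a signature author makes.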


Netscaler masterclass presentation Oktober 2014


Today I presented at the Netscaler Masterclass on System Center and Netscaler; here is my presentation –> https://www.slideshare.net/secret/uSy62iG3eeoaFY

My talk covered the different integrations between System Center and Netscaler, primarily:

* Virtual Machine Manager and Netscaler (using the load balancer extension to deploy load balancing rules for service templates)
* Operations Manager and Netscaler (how to set up monitoring for Netscaler and use it together with Distributed Applications)
* Orchestrator and Netscaler (how to set up automation tasks against the Netscaler using the NITRO SDK)

And as promised in the presentation, here are the scripts I use for the different tasks.

Add-Server activity (note that this requires the SDK to be extracted to C:\SDK and the DLL files to be added to the global assembly cache):

Set-Location "c:\sdk"
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall("C:\sdk\lib\Newtonsoft.Json.dll")

(This adds the DLL to the global assembly cache so Orchestrator can reference it.)

Add-Server

$path1 = Resolve-Path "C:\sdk\lib\Newtonsoft.Json.dll"
[System.Reflection.Assembly]::LoadFile($path1)
$path = Resolve-Path "C:\sdk\lib\nitro.dll"
[System.Reflection.Assembly]::LoadFile($path)

$user = ""
$pass = ""
$nsip = ""

(Note that the code above needs to be added to each activity.)

$nitrosession = New-Object com.citrix.netscaler.nitro.service.nitro_service($nsip, "http")
$session = $nitrosession.login($user, $pass)

$server1 = New-Object com.citrix.netscaler.nitro.resource.config.basic.server
$server1.name = ""
$server1.ipaddress = ""
$ret_value = [com.citrix.netscaler.nitro.resource.config.basic.server]::add($nitrosession, $server1)

Add-Service

# Define a service on that server (type, monitor, port) and add it
$service1 = New-Object com.citrix.netscaler.nitro.resource.config.basic.service
$service1.name = ""
$service1.servicetype = ""
$service1.monitor_name_svc = ""
$service1.port = ""
$service1.servername = ""
$ret_value = [com.citrix.netscaler.nitro.resource.config.basic.service]::add($nitrosession,$service1)

Create Load balanced Service

$nitrosession = New-Object com.citrix.netscaler.nitro.service.nitro_service($nsip,"http")
$session = $nitrosession.login($user,$pass)

# Create the load balancing vServer
$lbvserver1 = New-Object com.citrix.netscaler.nitro.resource.config.lb.lbvserver
$lbvserver1.name = ""
$lbvserver1.servicetype = ""
$lbvserver1.port = ""
$lbvserver1.ipv46 = ""
$lbvserver1.lbmethod = ""
$lbvserver1.servicename = ""
$ret_value = [com.citrix.netscaler.nitro.resource.config.lb.lbvserver]::add($nitrosession,$lbvserver1)

# Bind the service to the vServer
$lb_to_service = New-Object com.citrix.netscaler.nitro.resource.config.lb.lbvserver_service_binding
$lb_to_service.name = ""
$lb_to_service.servicename = ""
$ret_value = [com.citrix.netscaler.nitro.resource.config.lb.lbvserver_service_binding]::add($nitrosession,$lb_to_service)
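The four fragments above combined into one stand-alone script, as an added example that is not part of the presentation scripts: the response of every NITRO call is checked, the configuration is saved and the session is logged out. The SDK path, NSIP, IP addresses and object names are assumptions, and the management session uses https rather than the http of the fragments.

```powershell
# Added example: build a load-balanced service end to end with the NITRO C# SDK from PowerShell.
# Assumptions: SDK extracted to C:\sdk, NSIP 192.168.88.3, all names and addresses constructed.
[System.Reflection.Assembly]::LoadFile((Resolve-Path "C:\sdk\lib\Newtonsoft.Json.dll").Path)
[System.Reflection.Assembly]::LoadFile((Resolve-Path "C:\sdk\lib\nitro.dll").Path)

$nsip = "192.168.88.3"
$cred = Get-Credential -Message "Netscaler admin account"   # no plaintext password in the script
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

# Every NITRO call returns a base_response; anything but errorcode 0 is a failure we stop on
function Assert-NitroOk($response, [string]$step) {
    if ($response.errorcode -ne 0) {
        throw "$step failed: $($response.errorcode) $($response.message)"
    }
}

# https keeps the admin credentials and the config off the wire in clear text
$ns = New-Object com.citrix.netscaler.nitro.service.nitro_service($nsip, "https")
Assert-NitroOk ($ns.login($user, $pass)) "login"
try {
    $srv = New-Object com.citrix.netscaler.nitro.resource.config.basic.server
    $srv.name = "web01"; $srv.ipaddress = "192.168.88.21"
    Assert-NitroOk ([com.citrix.netscaler.nitro.resource.config.basic.server]::add($ns, $srv)) "add server"

    $svc = New-Object com.citrix.netscaler.nitro.resource.config.basic.service
    $svc.name = "svc_web01_http"; $svc.servername = "web01"
    $svc.servicetype = "HTTP"; $svc.port = 80
    Assert-NitroOk ([com.citrix.netscaler.nitro.resource.config.basic.service]::add($ns, $svc)) "add service"

    $lb = New-Object com.citrix.netscaler.nitro.resource.config.lb.lbvserver
    $lb.name = "lb_web"; $lb.servicetype = "HTTP"; $lb.ipv46 = "192.168.88.50"
    $lb.port = 80; $lb.lbmethod = "LEASTCONNECTION"
    Assert-NitroOk ([com.citrix.netscaler.nitro.resource.config.lb.lbvserver]::add($ns, $lb)) "add lbvserver"

    $bind = New-Object com.citrix.netscaler.nitro.resource.config.lb.lbvserver_service_binding
    $bind.name = "lb_web"; $bind.servicename = "svc_web01_http"
    Assert-NitroOk ([com.citrix.netscaler.nitro.resource.config.lb.lbvserver_service_binding]::add($ns, $bind)) "bind service"

    Assert-NitroOk ($ns.save_config()) "save config"   # persist, otherwise the change is lost on reboot
}
finally {
    $ns.logout() | Out-Null   # always release the management session
}
```

Inside an Orchestrator activity the Get-Credential prompt has to be replaced by the activity's own credential input.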


Citrix Netscaler and the SSL3 “POODLE” exploit


Earlier today, Google published an article describing how an attacker can exploit a vulnerability in the SSL 3.0 protocol, which you can read more about here –> http://googleonlinesecurity.blogspot.no/2014/10/this-poodle-bites-exploiting-ssl-30.html

You can also read about the specific attack in detail here –> https://www.openssl.org/~bodo/ssl-poodle.pdf

Microsoft recommends disabling SSL 3.0 on Windows computers using Group Policy, since it is enabled by default; you can read more about it here –> https://technet.microsoft.com/en-us/library/security/3009008.aspx

UPDATE: Citrix has added an article on this exploit as well –> http://support.citrix.com/article/CTX200238

Also note that in the screenshot Deny SSL Renegotiation is set to NO; this should be set to YES to protect against the BEAST attack.

With Citrix Netscaler we can be more flexible. For Netscaler Gateway we can define which SSL protocols are enabled for the session by creating a new front-end SSL profile and attaching it to the Netscaler Gateway. Front-end profiles apply when a client connects to a vServer.


Here I define that TLSv1 is enabled and that the client cannot use SSLv3. (This is a screenshot from a VPX, so TLSv1.1 and 1.2 cannot be enabled for this profile; by default Citrix Receiver only supports TLS 1.0, not the newer versions.)

After creating the profile I can bind it to a Gateway vServer.


If I have other load-balanced vServers I can disable SSLv3 for these as well, but it is important to check that the connecting clients actually support TLS.

NOTE: I have not verified that this works for most browsers, but I have verified that my client can connect to the gateway vServer using TLS and not SSL3.
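The same front-end profile change done through NITRO instead of the GUI, as an added example that is not part of the post: a FrontEnd SSL profile with SSLv3 disabled, TLSv1 enabled and SSL renegotiation denied, attached to a Gateway vServer. The SDK path, NSIP, profile name and vServer name are assumptions, and the sslprofile/sslvserver property names are assumed to follow the CLI parameter names.

```powershell
# Added example (not from the post): disable SSLv3 on a vServer through a NITRO front-end SSL profile.
# Assumptions: SDK under C:\sdk, NSIP 192.168.88.3, profile and vServer names constructed for illustration.
[System.Reflection.Assembly]::LoadFile((Resolve-Path "C:\sdk\lib\Newtonsoft.Json.dll").Path)
[System.Reflection.Assembly]::LoadFile((Resolve-Path "C:\sdk\lib\nitro.dll").Path)

# Stop on the first NITRO call that does not come back with errorcode 0
function Assert-NitroOk($response, [string]$step) {
    if ($response.errorcode -ne 0) { throw "$step failed: $($response.errorcode) $($response.message)" }
}

$ns = New-Object com.citrix.netscaler.nitro.service.nitro_service("192.168.88.3", "https")
$cred = Get-Credential -Message "Netscaler admin account"
Assert-NitroOk ($ns.login($cred.UserName, $cred.GetNetworkCredential().Password)) "login"
try {
    # Front-end profile: governs the client side of whatever vServer it is bound to
    $prof = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslprofile
    $prof.name           = "fe_tls_only"
    $prof.sslprofiletype = "FrontEnd"
    $prof.ssl3           = "DISABLED"   # no SSLv3, so nothing for a POODLE downgrade to land on
    $prof.tls1           = "ENABLED"    # what Receiver speaks; the VPX in this release offers no TLS 1.1/1.2
    $prof.denysslreneg   = "ALL"        # the Deny SSL Renegotiation setting from the post, as a NITRO enum value
    Assert-NitroOk ([com.citrix.netscaler.nitro.resource.config.ssl.sslprofile]::add($ns, $prof)) "add ssl profile"

    # Attach it to the Gateway vServer's SSL parameters (the bind step done in the GUI above)
    $sslvs = New-Object com.citrix.netscaler.nitro.resource.config.ssl.sslvserver
    $sslvs.vservername = "gw_vs"
    $sslvs.sslprofile  = "fe_tls_only"
    Assert-NitroOk ([com.citrix.netscaler.nitro.resource.config.ssl.sslvserver]::update($ns, $sslvs)) "set ssl vserver"

    Assert-NitroOk ($ns.save_config()) "save config"
}
finally { $ns.logout() | Out-Null }
```

After binding, confirm from a client that an SSLv3-only handshake to the vServer is refused while a TLS 1.0 handshake succeeds, which is the check the post describes doing by hand.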



Citrix Netscaler supported for Lync 2013

Netscaler and real performance tuning


So yesterday I held a session at Citrix User Group in Norway about Netscaler and performance tuning; there is not much one can really say about performance tuning in 45 minutes, but I think I managed alright.

The agenda on my list was:

* TCP profiles, Multipath TCP, Path MTU
* SSL profiles and tuning
* Autonegotiation and duplex
* Netscaler VPX
* Jumbo frames and LACP
* Last but not least MobileStream

Most of these are core Netscaler optimization features, except MobileStream, which relates more to the features behind the Netscaler, so I wanted to write a blog post about it as well.

First, TCP profiles. The default TCP profile hasn't changed since 1999, so it is there for compatibility rather than for best performance; of course, a lot of different factors are involved here, such as what kind of network infrastructure you have, packet loss, bandwidth, jitter, firewalls and so on.

But the main thing is that the default profile does not have:

* Window scaling activated (window scaling lets more data be in flight inside the scaled window, so more data can be sent before an acknowledgement is needed)
* Selective Acknowledgement (SACK) activated (so we don't need to resend all the data after a packet loss: if we sent packets 1, 2, 3, 4, 5 and the receiver didn't get packet 3, we don't need to resend 4 and 5)
* The Nagle algorithm activated (gathers up more data and waits until it reaches a full MTU before sending)

So the ICA protocol, for instance, which is very chatty and uses small packets (a lot of overhead), is not well suited to the default TCP profile; this is where the nstcp_xa_xd_profile comes in (it has all the features mentioned above enabled). But of course you also have mobile users jumping back and forth between different WLAN access points or mobile antennas, which means there are moments of total packet loss. The default TCP profile uses TCP Reno, which cuts the congestion window in half when it detects packet loss, which is not going to do the mobile users any good.

Therefore Citrix implemented a variant of TCP congestion control called Westwood+, which tries to estimate the current bandwidth to the device and then cuts the congestion window to reflect that bandwidth, so mobile users get back up to higher speeds faster.

Also new with 10.5 (I believe) is the option to enable MPTCP (Multipath TCP), meaning that if you have mobile devices with two antennas (one for mobile data and one for WiFi, usable at the same time) we can have two TCP connections from the same device used to access content on the Netscaler; it is just a profile setting and we are good to go.

The problem is that applications need to be specifically written to leverage MPTCP (not all are there yet).

So go into System –> Profiles –> TCP Profiles (you can either use an existing one or create a new one)


Check for Window Scaling


And here MPTCP (if you need it), SACK and Nagle.
Nagle also has a downside: since it waits until a full MTU has been reached before sending across the wire, if the mobile user has a lot of packet loss there might in theory be a lot of data that needs to be resent. So for SQL instances, for example, don't use Nagle!

The nice part is that these profiles can be applied per vServer and per service, so depending on what the service hosts you can create a different profile.
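As an added example (not the author's code), here is the TCP profile discussed above created through NITRO with window scaling, SACK, Nagle, MPTCP and the Westwood congestion flavor enabled, and bound to a single vServer rather than applied globally. The SDK path, NSIP, profile and vServer names are assumptions, and the nstcpprofile property names are assumed to follow the CLI parameters.

```powershell
# Added example (not from the post): a TCP profile with the options described above, bound to one vServer.
# Assumptions: SDK under C:\sdk, NSIP 192.168.88.3, profile and vServer names constructed for illustration.
[System.Reflection.Assembly]::LoadFile((Resolve-Path "C:\sdk\lib\Newtonsoft.Json.dll").Path)
[System.Reflection.Assembly]::LoadFile((Resolve-Path "C:\sdk\lib\nitro.dll").Path)

# Stop on the first NITRO call that does not come back with errorcode 0
function Assert-NitroOk($response, [string]$step) {
    if ($response.errorcode -ne 0) { throw "$step failed: $($response.errorcode) $($response.message)" }
}

$ns = New-Object com.citrix.netscaler.nitro.service.nitro_service("192.168.88.3", "https")
$cred = Get-Credential -Message "Netscaler admin account"
Assert-NitroOk ($ns.login($cred.UserName, $cred.GetNetworkCredential().Password)) "login"
try {
    $tcp = New-Object com.citrix.netscaler.nitro.resource.config.ns.nstcpprofile
    $tcp.name   = "tcp_mobile_ica"
    $tcp.ws     = "ENABLED"     # window scaling: more data in flight per round trip
    $tcp.sack   = "ENABLED"     # selective acknowledgement: only the lost segment is retransmitted
    $tcp.nagle  = "ENABLED"     # coalesce small ICA writes; leave DISABLED on a profile for SQL-type traffic
    $tcp.mptcp  = "ENABLED"     # multipath TCP, for clients whose applications implement it
    $tcp.flavor = "Westwood"    # bandwidth-estimating congestion control instead of Reno's halving
    Assert-NitroOk ([com.citrix.netscaler.nitro.resource.config.ns.nstcpprofile]::add($ns, $tcp)) "add tcp profile"

    # Profiles are per vServer: attach this one only to the vServer carrying ICA traffic
    $lb = New-Object com.citrix.netscaler.nitro.resource.config.lb.lbvserver
    $lb.name           = "lb_ica"
    $lb.tcpprofilename = "tcp_mobile_ica"
    Assert-NitroOk ([com.citrix.netscaler.nitro.resource.config.lb.lbvserver]::update($ns, $lb)) "bind tcp profile"

    Assert-NitroOk ($ns.save_config()) "save config"
}
finally { $ns.logout() | Out-Null }
```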

The other thing is SSL tuning, and there are a few tips here as well. The first is quantum size. By default the quantum size is 8 KB, meaning that the Netscaler collects 8 KB of data to be sent across the wire and then hands it to the SSL chips for encryption. We can change the quantum size to 16 KB so that more data fits inside each encrypted record.


So for solutions that expose, for instance, downloads of large files, a 16 KB quantum size is preferable. For regular websites with a lot of small data I recommend sticking to 8 KB.

And then there is of course autonegotiation and duplex, which everybody expects to work fine these days, but...

I still see some having issues with this on specific network devices, so you should always try to manually set the speed and duplex on the Netscaler and on the switch/router/firewall it is connected to.

For the VPX a lot of the tuning tips are the same as for the MPX, but...

For instance, the VPX supports multiple packet engines, the specific engine inside the Netscaler that runs all the policies, handles encryption and so on. A regular VPX is by default set up with 2 vCPUs (one for management and one for the packet engine), so for a VPX 3000, 2 vCPUs and 2 GB RAM might not be enough; if you are using XenServer or VMware you have the option to add more CPU and RAM to gain additional packet engines. (NOTE: Hyper-V does not support this feature and is capped at 2 vCPUs, 2 GB RAM and 2 vNICs; DON'T add a third vNIC.)

But of course if you are running Hyper-V and Netscaler VPX, make sure you have the newest drivers and make sure that VMQ (Virtual Machine Queuing)

VMQ means that a VM has a dedicated queue on the physical network card; if VMQ is not working the VM has to use the default queue along with all the other VMs, and with a lot of Broadcom drivers VMQ does not work.

And there is also LACP (NIC teaming, port channel, 802.3ad), which allows aggregation and failover/redundancy of physical NICs. (Note that this requires configuration on the switch(es) and the Netscaler, and it only works on the MPX and the SDX.)

Another new feature that came with 10.5 is support for jumbo frames, which allows us to send an Ethernet frame with an MTU of up to 9000 (the default is 1500 MTU); this means much less overhead, since there is more data in a single frame and fewer ACKs are required.


This also only works on MPX/SDX, since a VPX is reliant on what the hypervisor provides.
It can be configured per interface. Note that this requires jumbo frame support on the switch / server, and that it does not work out over the WAN since it stops at the router or the ISP (these mostly support only the default MTU).

But note that the Netscaler also has the Path MTU feature, which allows the Netscaler to look at the path ahead and find the lowest MTU. This feature uses ICMP to determine the lowest MTU on a next-hop device. The problem is that since it uses ICMP, the next-hop devices might be firewalls and such, and therefore it might not work. The feature is used to avoid IP fragmentation on the network.

That's it for now, stay tuned for more Netscaler.


Coming with Netscaler soon..


A lot is happening with Netscaler these days, so this is a quick post about what is going on.

1: Netscaler appliance coming in Azure. There is no ETA for when this is coming, but this is really important for Citrix workloads. I'm also guessing that this is because of Citrix Workspace Services, which is coming.

http://azure.microsoft.com/blog/2014/10/30/multiple-vm-nics-and-network-virtual-appliances-in-azure/

2: Netscaler partitions

http://www.slideshare.net/citrix/syn207-newest-and-coolest-net-scaler-features-you-should-be-jazzed-about?qid=8a786939-a19f-41ef-b7d7-172610a76a8f&v=qf1&b=&from_search=9

I heard a rumour that this is coming really soon. With partitions a system admin would be able to logically split up a Netscaler into different entities. Think of it like a Windows computer with multiple users: every user can set their own desktop background and customized GUI, and use their own applications.

So we no longer need an SDX to do multi-tenancy, even though we share the same hardware and OS underneath. It is a really cool feature!


Workaround for Netscaler VPX and VMware ESXi 5.5 Build 2143827


This is a quick post: Citrix has published a workaround for the trouble with Netscaler losing connectivity on VMware with the latest update.

You can find the workaround here –> http://support.citrix.com/article/CTX200278

This is only until Citrix manages to fix the issue and includes the fix in a newer build of Netscaler.


Upcoming events and stuff


There's a lot happening lately, and therefore it has been a bit quiet here on this blog. But here is a quick update on what's happening!

In February I am presenting at the NIC conference (the largest IT event for IT pros in Scandinavia) (nicconf.com); I just recently got confirmation that I am presenting two sessions, maybe three.

* Setting up and deploying Microsoft Azure RemoteApp
* Delivering high-end graphics using Citrix, Microsoft and VMware

One session will be primarily focused on Microsoft Azure RemoteApp, where I will show how to set up RemoteApp in both cloud and hybrid mode and talk a little about its use cases. The second session will focus on delivering high-end graphics and 3D applications using RemoteFX (on vNext Windows Server), HDX and PCoIP, with a talk and demo about how it works, pros and cons, VDI or RDS, and endpoints; so my main objective is to talk about how to deliver applications and desktops from cloud and on-premises...

And on the other end, I have just signed a contract with Packt Publishing to write another book on Netscaler, “Mastering Netscaler VPX”, which will be kind of a follow-up to my existing book http://www.amazon.co.uk/Implementing-Netscaler-Vpx-Marius-Sandbu/dp/178217267X/ref=sr_1_1?ie=UTF8&qid=1417546291&sr=8-1&keywords=netscaler

It will focus more in depth on the different subjects and on 10.5 features as well.

I am also involved with a community project I started, a free eBook about Microsoft Azure IaaS, where I have some very skilled Norwegians with me writing on this subject. It takes some time, since Microsoft is always adding new content that needs to be added to the eBook as well.

So a lot is happening! More blog posts coming around Azure and CloudBridge.

