CCA A21 Basic Administration for Citrix NetScaler 9.2 Exam Cram Notes

Abbreviations

MIP = Mapped IP Address
NSIP = NetScaler IP Address
SNIP = Subnet IP Address
VIP = Virtual IP Address

USIP = Use Source IP
USNIP = Use Subnet IP
GSLB = Global Server Load Balancing
MBF = MAC-based forwarding
RHI = Route Health Injection
INAT = Inbound Network Address Translation
RNAT = Reverse Network Address Translation

1. Planning the Network Deployment and Architecture

Configure a NetScaler device as a DNS proxy in order to load balance external DNS servers.

Use Link Aggregation to increase the capacity and availability of a single communication channel between the NetScaler and another connected device.

Two ways to configure NetScaler to be able to use DNS views that support GSLB records:
i. Configure as an ADNS
ii. Configure as a DNS proxy

ISP Cloud SaaS multi-tenant NetScaler with traffic isolation using VLAN segmentation – to specify that the VIP for a customer will only listen to requests coming from their VLAN, configure: Network-aware policies

To configure NetScaler systems to load balance datacentres for DR: enable GSLB and use the proximity method

SSL_BRIDGE used where the traffic should be encrypted end-to-end but there is no certificate configured on the virtual server

Servers are on separate subnets from the NetScaler appliance but are still routed through the NetScaler. Two configurations are required on the NetScaler so that it communicates correctly in this environment:
i. USNIP mode is enabled
ii. SNIPs (one per server subnet) are configured on the NetScaler system

Best practices for load balancing cache servers on a NetScaler device:
- URL hash
- Domain hash
- Destination IP hash

GSLB to keep content available for both datacenters in geographically dispersed locations

The SSL Session Reuse setting on the SSL virtual server reduces CPU utilization on the back-end.

We have multiple ISPs and would like to use all of them for internet connections, although some ISP routers are faster than others, and we plan to use NetScaler Load Balancing and Failover. To ensure all ISP connections are used while avoiding retransmissions or out-of-order packets, configure link load balancing with destination IP-based persistence.

Configure the SSL offload feature on the NetScaler to accelerate performance from Web servers when delivering secure web applications in the network environment.

Best practices to deploy a NetScaler system in the following environment:
- All traffic to pass through the NetScaler
- Outbound connections to the internet from a non-routable subnet
- Two Web server farms to be load balanced by the fewest connections
- All consumer web site traffic to be secured with SSL
- All traffic to pass through a network firewall prior to passing through the NetScaler
- Fault tolerance
- Traffic bridging disabled
1. Configure RNAT functionality
2. Deploy the NetScaler system with HA
3. Deploy the NetScaler system in an inline configuration

2. Installing and Configuring the Citrix NetScaler

Two options an administrator can leverage when setting the nsroot password during the initial setup of a NetScaler system:
- The Setup Wizard
- The set system user command

Command to change the NSIP on the NetScaler:
> config ns

Using NetScaler for load balancing and failover, with multiple ISPs, and ensuring return traffic maintains the same path as the inbound traffic use: Link load balancing with RNAT and USNIP enabled

Load balance by Source IP Hash ensures all requests coming from a specified network are sent to the same server.

A NetScaler is in a DMZ whose gateway is 10.54.80.1/24 and there are no configured routes; an appropriate routing configuration for the NetScaler is:
> add route 0.0.0.0 0.0.0.0 10.54.80.1

Two ways to configure a NetScaler system to allow a Web server log to record the original client IP address for incoming traffic: USIP and Client IP insertion

A server farm has received new, more powerful servers; to keep the existing load balancing method but improve performance by sending more traffic to the new servers, configure the advanced option: service weights

Configure virtual server and services, so existing connections stay open when service is marked down, but NOT when a virtual server is marked down:
- set lb vserver lbv1 -downStateFlush ENABLED
- set service svc1 -downStateFlush DISABLED

To configure a health check for SVC1 – which carries HTTPS traffic – so that a probe is only sent when there is no traffic to the server: an HTTP-inline monitor with the secure parameter selected

A NetScaler system would use round robin as the load balancing method instead of a configured least connection, if the NetScaler is using slow start mode for the virtual server.

To configure a NetScaler to dynamically advertise virtual IP addresses, directly connected and static routes, to upstream routers: configure Route Health Injection (RHI)

To configure a NetScaler device so that a set of back-end servers in a LAN can initiate connections to the internet, with ACLs configured in the environment, configure:
RNAT for the subnet that includes the LAN IP addresses

To configure a NetScaler-owned IP address for server-side connections, in an environment in which USNIP mode is globally enabled on the NetScaler system:
Add an IP of type SNIP

There is one application (only one) on a Web server farm which requires the client IP address to function correctly. In the NetScaler load balancing environment, use the Advanced Service Option to configure Client IP header insertion for that service only.

A NetScaler is connected through interface 1/1 to VLAN10; the NetScaler is also connected through interface 1/2 to VLAN 20. To configure the NetScaler for VLAN10:
> add vlan 10
> bind vlan 10 -ifnum 1/1

To leverage existing application templates to configure new web applications requires an administrator to provide new public endpoints and back-end services for the application.

When USIP is configured for services, the NetScaler system must be configured as the default router for the servers in the environment (server replies are addressed to the original client IP and must return through the NetScaler).

In an environment where Route Health Injection (RHI) and GSLB are NOT configured:
Configure a redirect URL string or the name of a backup virtual server so the web farm will receive traffic when the virtual server is marked down.

To override the routing table on a NetScaler system, use MAC-based forwarding (MBF).

In order to prevent configuration errors from typographical errors and to streamline the creation of expressions, an administrator should leverage named expressions when creating policies.

3. Managing and Securing Traffic

For a NetScaler to remove server-side compression and enable compression on the NetScaler itself:
Disable Allow Server-Side Compression (set cmp parameter -serverCmp off)

To limit access to the NetScaler GUI, configure ACLs, and apply/commit the configured ACLs.

Configuring content switching to switch between static and dynamic requests:
- Content switching feature is enabled
- Two CS policies have been created to identify static and dynamic requests
- Create a load balancing virtual server for static requests and a separate load balancing virtual server for dynamic requests

To block clients originating from CIDR 222.222.0.0/10 and notify them (the action is created first, since the policy references it by name):
> add responder action act_un respondwith q{"HTTP/1.1 200 OK\r\n\r\n" + "Client:" + CLIENT.IP.SRC + " is not authorized to access URL:" + HTTP.REQ.URL.HTTP_URL_SAFE}
> add responder policy pol_un "CLIENT.IP.SRC.IN_SUBNET(222.222.0.0/10)" act_un
> bind responder global pol_un 10

After enabling load balancing and compression on a NetScaler; to create a compression policy to compress JavaScript pages using the GZIP format, use the following CLI commands to create and associate the policy:
> add cmp policy
> bind cmp global

With the necessary features enabled and the appropriate services bound to the load balancing virtual servers, the actions to define a content switching virtual server so that different website traffic goes to different servers are:
- Add the named expressions
- Create the appropriate content switching policy and add the content switching virtual server
- Bind the load balancing virtual server and policy to the content switching virtual server
- Bind the default load balancing virtual server to the content switching virtual server without associating a policy

The expression to be used in a content switching policy to switch based on the domain – www.domain.com:
REQ.HTTP.HEADER Host == www.domain.com

A policy expression has been created to identify URLs with the .JSP suffix; to use it to prevent .JSP URLs from being compressed when the HTTP response is received, add a compression policy with the policy expression and action specified, and then bind the policy.

Steps to complete the URL transformation process (in order to modify complex URLs that are difficult to remember):
i. Enable the Rewrite feature
ii. Create the URL transformation profile
iii. Create and bind the URL transformation policy for HTTP requests and responses

Content filtering policy expression to explicitly drop trace and connect methods:
REQ.HTTP.METHOD == TRACE || REQ.HTTP.METHOD == CONNECT

Configure the Connection-based spillover type to divert SSL connections to a backup server once they exceed a specified threshold.

Configuring services and virtual servers for connection-based content switching of TCP traffic – where traffic must be decrypted by the NetScaler, and sent as plain text to the backend server: configure SSL_TCP type of content switching virtual server, and TCP type of load balancing virtual servers for the NetScaler

Components to be configured in order to establish a basic content switching setup:
- Rule or URL-based policies
- Load balancing virtual server
- Content switching virtual server

A responder can be used – for example – where an administrator would like an organization’s homepage search engine to display differently based on the user’s browser.

The expression "url == *.txt || res.http.header content-encoding == text/html" can be used for caching and compression.

The content switching feature of NetScaler is used to parse traffic, so users for one purpose go to group A servers, users for another purpose go to either group B or C servers, all other traffic goes to group D. All servers are in the same web farm. To correctly define the content switching virtual server so that traffic NOT going to groups A-C gets directed to group D:
- Bind the appropriate service to a load balancing virtual server for serving content group D
- Bind the appropriate load balancing virtual server to the content switching virtual server without a policy

Configuring SSL offloading on a NetScaler system:
- enable SSL on the NetScaler
- add the necessary service
- add an SSL-based virtual server
- Add an SSL certificate key pair to the NetScaler
- Bind the SSL certificate key pair to the virtual server
- Bind the created service to the virtual server

RES.IP.SOURCEIP qualifier designates the source IP of the outgoing packet in a classic policy for NetScaler 9.2.

To enable connection multiplexing for all client connections that hit a virtual server, select the service type:
HTTP

Must first enable the rewrite feature before a URL transformation policy can be used in a network environment.

Configuring a virtual server for encrypted traffic from clients to be decrypted prior to being forwarded to back-end servers:
SSL_TCP virtual server and TCP service

To configure services and virtual servers for connection-based content switching of TCP traffic, where the traffic must stay encrypted when passing between appliances or servers, configure:
SSL_TCP type of load balancing virtual servers, content switching virtual servers and services for the NetScaler

4. Basic Auditing and Monitoring

A type Specific SNMP trap allows an administrator to specify a minimum level of severity for events.

To create a health check that will mark HTTP service down if the bound monitor probe exceeds 40 milliseconds:
> add lb mon monitor-HTTP-1 HTTP -resptimeout 40 milli

Success Retries monitor specifies the consecutive number of successful probes required to mark a service as UP.

Use loginFailure trap on a NetScaler, for an alert to be sent whenever an SNMP app that does NOT have access privileges attempts access.

For a health check where a server receiving HTTP traffic is monitored on the response code it returns to actual client requests and NOT to probes: configure an HTTP-Inline Monitor

For a health check for services bound to Web server 1 and 2, which listen on TCP port 80 for HTTP and TCP port 443 for HTTPS, with Service1 receiving clear text traffic and Service2 encrypted traffic: bind an HTTP monitor to Service1 and an HTTPS monitor to Service2

In the Dashboard, to determine the bandwidth utilization for the virtual servers see: request bytes vs. response bytes

To change an allowed IP address for performing SNMP queries on the NetScaler from 192.168.1.1 to 192.168.1.5:
- Remove SNMP manager 192.168.1.1
- Add SNMP manager 192.168.1.5

In the Dashboard, an indication that server performance has been improved after enabling caching in a network environment:
Server-side request rate decreases

3 parameters needed to monitor a configured DNS service on a NetScaler:
- Query
- Query type
- IP address

The “View Events” NetScaler Configuration Utility option would report the service states detected in the past.

When adding a new SNMP manager to a NetScaler configuration using the Configuration Utility, one must also configure an SNMP manager IP address.

Configure a User type of monitor to track the health of an IMAP service configured on a NetScaler system.

In the Configuration Utility; to configure a health check for web servers, so that the probe fails if the monitor does NOT receive the expected data in the body of the response for an encrypted HTTP request:
Add an HTTP-ECV monitor, select the secure parameter and type in the appropriate send and receive string

Configuring health checks for services bound to Web server 1 and 2, listening on TCP port 80 for HTTP, and TCP port 443 for HTTPS. Service1 receives clear text traffic and Service2 receives the encrypted traffic. To create the monitor for Service1 using the CLI:
> add lb mon monitor-SVC1-Mon HTTP -secure NO

The attribute of the TCP service that must be configured to allow traffic to pass to the associated server when the monitor assigned to the service is failing:
Access Down

5. Configuring High Availability

To display the node state in a HA pair:
> show ha node

To verify synchronization has been successful in a HA setup, execute the following command:
> show node

The NSIP (NetScaler IP) must be unique to each NetScaler in a HA Pair.

Two nodes in a HA pair are located on two separate networks, to ensure both nodes in the HA pair can synchronize configuration and propagate commands, turn off Independent Network Configuration (INC) mode setting.

Updating a NetScaler HA Pair to version 9.2 using the CLI – prior to the upgrade: place a copy of the documentation bundle in the same directory that contains the new build file.

FailSafe setting ensures traffic is handled in the most reliable way, even if both nodes in HA are unhealthy.

When configuring HA monitoring – including HA failover – on a NetScaler HA pair:
i. Disable all unused interfaces
ii. Disable HA monitoring (HAMON) on unused (or disabled) interfaces

NetScaler one-armed mode – to successfully configure HA in this environment:
i. Disable all unused network interfaces
ii. Ensure the NSIP is unique on each node

On a NetScaler HA pair, if configuration changes made on the primary node are NOT synchronized to the secondary node, then the RPC node password is not identical on both nodes.

NetScaler HA config: Primary node was rebooted but failover did NOT occur, because Secondary node is set to stay secondary!

Best practices for minimal downtime when upgrading a NetScaler HA pair to version 9.2:
i. Disable propagation for the HA pair
ii. Disable synchronization for the HA pair
iii. Upgrade the Secondary NetScaler unit in the HA pair first

When adding a new node to an existing NetScaler system to create a HA pair; to prevent the new node from taking over as primary, select the stay secondary setting on the new node.

NetScaler systems in a HA pair need to exchange heartbeat packets over L3 through two routers; to achieve HA functionality in this case: enable Independent Network Configuration (INC)

Upgrading a NetScaler HA pair from 8.1 Standard to 9.2 Enterprise:
i. Obtain a new NetScaler license
ii. Ensure propagation and synchronization are disabled during migration

NetScaler HA pair with 4 connected interfaces configured as 2 link aggregation channel pairs – to set up HA:
i. Disable the interfaces that are not connected
ii. Enable HA monitoring on the link aggregation channel

A NetScaler HA pair; if you make changes on the secondary node, you will notice the changes are NOT visible on the GUI or CLI.

When making interface configuration changes on the primary HA node, the changes are NOT propagated to the secondary node because interface configuration changes must be performed on each node.

6. Basic Troubleshooting

An extract of Node 0’s configuration is as follows:
HA Monitor on Interfaces: 1/6 1/7 1/8
Interface on which heartbeats are not seen: 1/5 1/6
Interfaces causing partial failure: 1/6
To bring Node 0 to an UP state in a HA configuration either:
i. Disable the 1/6 interface
ii. Turn off HAMON on interface 1/6

Two interfaces connected to a DMZ. A virtual server on port 80 using HTTP to load balance web servers. Several “channel muted” messages are received when reviewing the console, high CPU utilization on the switch, and complaints about slow responses from the servers. Two fixes:
i. Set up link aggregation on the two interfaces
ii. Remove one interface from the DMZ network

After enabling compression feature, there is an extremely low count in the policy hit counter:
Manually enable compression for the services created prior to enabling the compression feature

After configuring LDAP authentication to allow domain admins to manage the NetScaler appliances, and creating an authentication server profile and policy; to verify which groups are extracted upon login:
> cat /tmp/aaad.debug

After applying a new custom HTTP monitor, the services go down, so it is unbound and an HTTP header trace is run, which finds the site is responding with a redirect. To get the service state to UP, either:
- Modify the custom HTTP monitor with the same redirect response code the site is sending and bind it to the service
- Modify the custom HTTP monitor with the HTTP request going to a page that responds with a 200 response code and bind it to the service

Created multiple name-based servers using the Configuration Utility, and created multiple services based on these servers, but all new services are DOWN: then configure a DNS nameserver on the NetScaler

After executing -
> enable ns feature lb
> add service s1 1.1.1.1 HTTP 80
> add service s2 1.1.1.2 HTTP 80
> add lb vserver vs1 HTTP 1.1.1.3 80
- the virtual server state is DOWN.
Action required to set the virtual server state to UP:
Bind the two services to the lb vserver vs1

If a catch-all policy is NOT defined on a content switching virtual server, users get an HTTP/1.1 error.

HA synchronization is failing, “show node” command does not give enough information; to obtain more data to troubleshoot this issue:
- Run the show techsupport from both NetScalers
- Run /netscaler/nstrace.sh -sz 0 to gather a trace

NetScaler HA pair, trying to bind the SSL certificate to one of the SSL virtual servers, but the command fails on the secondary node and succeeds on the primary node. If the nodes are healthy with successful configuration synchronization and command propagation, then the problem is that the SSL certificate is not present on the secondary node.