5 Essentials
and Networking
Citrix Course CNS-205-5I
Exercise Workbook
Table of Contents
Module 1: Getting Started
Module 1: Getting Started Exercises
Exercise 1-1: Performing an Initial Configuration
Before You Begin
Exercise 1-1: Step-by-Step (Configuration Utility)
Performing an Initial Configuration (Configuration Utility)
Before You Begin
Exercise 1-1: Step-by-Step (Command-Line Interface)
Performing an Initial Configuration (Command-Line Interface)
Exercise 1-2: Performing Basic Administration
Before You Begin
Exercise 1-2: Step-by-Step (Configuration Utility)
Enabling and Disabling Features (Configuration Utility)
Viewing the Running and Saved Configurations (Configuration Utility)
Identifying the NetScaler Product Type (Configuration Utility)
Performing a Configuration Backup (Configuration Utility)
Exercise 1-2: Step-by-Step (Command-Line Interface)
Enabling and Disabling Features (Command-Line Interface)
Viewing the Running and Saved Configurations (Command-Line Interface)
Identifying the NetScaler Product Type (Command-Line Interface)
Performing a Configuration Backup (Command-Line Interface)
Exercise 1-3: Upgrading a NetScaler System
Before You Begin
Exercise 1-3: Step-by-Step (Configuration Utility)
Upgrading the NetScaler System
Verifying the NetScaler Upgrade (Configuration Utility)
Exercise 1-3: Step-by-Step (Command-Line Interface)
Upgrading the NetScaler System (Command-Line Interface)
Verifying the NetScaler Upgrade (Command-Line Interface)
Configuring the Kiwi Syslog Daemon and Viewing SNMP Alerts (Configuration Utility)
Exercise 14-2: Step-by-Step (Command-Line-Interface)
Configuring SNMP Settings (Command-Line Interface)
Configuring the Kiwi Syslog Daemon and Viewing SNMP Alerts (Command-Line Interface)
Credits
Role
Contributors
Instructional Designers:
Technical Specialist:
Nataniel De Leon
Graphic Artists:
Tyler Fromma
Manager:
Leslie Keelan
Editors:
Translation Coordinator:
Yashica Burgess
Notices
Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or
use of this publication. Citrix specifically disclaims any expressed or implied warranties,
merchantability, or fitness for any particular purpose. Citrix reserves the right to make any changes
in specifications and other information contained in this publication without prior notice and
without obligation to notify any person or entity of such revisions or changes.
Copyright 2015 Citrix Systems, Inc. All Rights Reserved.
No part of this publication may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or information storage and retrieval
systems, for any purpose other than the purchaser's personal use, without express written
permission of:
Citrix Systems, Inc.
851 West Cypress Creek Road
Fort Lauderdale, FL 33309
USA
http://www.citrix.com
The following marks are service marks, trademarks or registered trademarks of their respective
owners in the United States and other countries.
Mark
Owner
DSA
FreeBSD
Google Chrome
Google, Inc.
OpenView
Hewlett-Packard Company
Intel
Intel Corporation
WhatsUp
Ipswitch, Inc.
Kerberos
Kerberos, LLC
Linux
Linus Torvalds
Microsoft Corporation
Firefox
Mozilla Corporation
UNIX
OpenSSL
Oracle Corporation
Pearson VUE
PCI
RSA
SAP
SAP, Inc.
Secureauth
Secureauth Corporation
Shibboleth
SolarWinds
Splunk
Splunk, Inc.
SSH
Thawte
Symantec Corporation
Toolwire
Toolwire
VeriSign
Verisign, Inc.
Wireshark
Other product and company names mentioned herein might be the service marks, trademarks or
registered trademarks of their respective owners in the United States and other countries.
Lab Overview
Lab Diagram
Lab IP Addresses
Below is a list of the IP addresses used:
Name              Address
Virtual Machines
NS_VPX_0          10.0.0.100
NS_VPX_1          10.0.0.110
NS_VPX_2          10.30.0.120
NS_VPX_3          10.0.0.130
WebBlue           10.29.0.205
WebGreen          10.0.0.210
WebRed            10.30.0.215
Win7Client        10.0.0.103
AD.training.lab   10.29.0.11
LAMP 1            10.29.0.13
LAMP 2            10.29.0.14
Virtual IP Addresses
testsrv
lb_vsrv_rbg
lb_vsrv_mysql
lb_vsrv_radius_auth
lb_vsrv_radius_acct
ssl_vsrv_rbg
lb_vsrv_redirecttossl
cs_vsrv_rbg
Name
Address
Cluster IP
10.0.0.150
Ext_Kiwi
10.0.0.93
site_TOK
10.0.0.94
gslb_svc_FRK
10.0.0.66
gslb_svc_TOK
10.0.0.76
10.29.0.11
Subnet IP Addresses
NS_VPX_0          10.30.0.90
NS_VPX_1          10.0.0.91
NS_VPX_2          10.30.0.92
NS_VPX_3          10.0.0.93
Cluster Node 1    10.0.0.61
Cluster Node 2    10.30.0.62
Cluster Node 3    10.0.0.63
Module 1
Getting Started
AD.training.lab
NS_VPX_0
Win7Client
Log on to the Win7Client virtual machine using the Training\CitrixAdmin account and
Password1 for the credentials.
a. Click the Win7Client VM on the lab environment screen to access the graphical user
interface (GUI).
b. Move the mouse to the top of the VM window to display the hidden drop-down menu
and then click the Ctrl-Alt-Del button to send the command to the VM.
c. Log on using Training\CitrixAdmin and Password1 credentials.
Log on to the NetScaler configuration utility in the Chrome web browser using the
nsroot/nsroot credentials.
a. Launch a Google Chrome browser window from the Win7Client desktop.
b. Type http://10.0.0.100 in the address bar and press Enter.
c. Type nsroot in the User Name field, type nsroot in the Password field, and then
click Login.
The initial configuration wizard for your NetScaler virtual appliance appears.
a. Click Subnet IP Address.
b. Type 10.30.0.90 in the Subnet IP Address field.
c. Verify that the Netmask is set to 255.255.255.0.
d. Click the + sign to the right of Subnet IP Address and add SNIP 10.0.0.90 then
click Create.
e. Click Done.
f. Click Host Name, DNS IP Address, and TimeZone.
g. Type 10.29.0.11 in the DNS IP Address field.
h. Select your current time zone from the Time Zone drop-down list.
i. Click Done.
j. Click Licenses.
k. Verify that Upload license files from a local computer is selected.
l. Click Browse.
m. Select the NetScaler_VPX1_PLT_Citrix_Education_Expires_20180109.lic file.
n. Click Open.
o. Click Reboot. When the device is done rebooting, log on again using the
nsroot/nsroot credentials.
Add a network time protocol (NTP) server to the NetScaler using 10.29.0.11 as the server
address.
a. Select System > NTP Servers on the left.
b. Click Add in the NTP Servers pane.
The Create NTP Server window appears.
c. Type 10.29.0.11 in the NTP Server field and then click Create.
The Create NTP Server window closes.
d. Click Action in the NTP Servers pane and select NTP Synchronization.
e. Select the ENABLED radio button and then click OK.
f. Click the Floppy Disk icon in the upper-right corner of the configuration utility
window to save the NetScaler configuration.
g. Click Yes to confirm saving the running configuration.
AD.training.lab
NS_VPX_0
Win7Client
Connect to the NetScaler system from the command-line interface using PuTTY and open the
NS_VPX_0 saved session. Log on using the nsroot credentials.
a. Log on to the Win7Client virtual machine using the Training\CitrixAdmin account
and Password1 for the credentials.
1. Click the Win7Client VM on the lab environment screen to access the
graphical user interface (GUI).
2. Move the mouse to the top of the VM window to display the hidden
drop-down menu and then click the Ctrl+Alt+Del button to send the
command to the VM.
3. Log on using Training\CitrixAdmin and Password1 credentials.
b. Launch the PuTTY command-line interface application from the Win7Client desktop.
This lab environment uses PuTTY as the SSH client. Other SSH clients may be
used to connect to the command-line interface, but their configuration and
operation are not covered in this course.
c. Select NS_VPX_0 from the Saved Sessions pane and click Open.
d. Type nsroot at the logon prompt and press Enter.
e. Type nsroot at the Password prompt and press Enter.
Configure the NetScaler to your local time zone.
a. Enter the following command to configure the time zone:
config ns
The Review Configuration Parameters menu appears.
Set up a network time protocol (NTP) server on the NetScaler using 10.29.0.11 as a server,
enable NTP synchronization, and save the NetScaler configuration.
a. Enter the following command to add an NTP server to the NetScaler:
add ntp server 10.29.0.11
b. Review the list to determine which features are available without a license.
Use WinSCP to install a license on a NetScaler.
a. On the Win7Client desktop, double-click the WinSCP icon.
b. Select NS_VPX_0 and click Login.
c. Type nsroot in the Username field and click OK.
d. Type nsroot in the Password field and click OK.
e. In the left pane of the WinSCP window, double-click the uppermost folder, double-click Desktop, and then double-click the NetScaler License folder. The location is
C:\Users\administrator.TRAINING\Desktop\NetScaler License
f. In the right pane of the WinSCP window, double-click the uppermost folder, double-click nsconfig, and then double-click license. The location is /flash/nsconfig/license
g. Click and drag the NetScaler_VPX1_PLT_Citrix_Education_Expires_20180109.lic
from the left pane to the right pane.
h. Click Copy when the Copy window appears.
The license is copied to the NetScaler file system.
i. Close the WinSCP window and click OK to confirm ending the session.
Examine the features available with a license on a NetScaler.
a. Enter the following command in PuTTY to view the list of licensed NetScaler features:
show license
AD.training.lab
NS_VPX_0
Win7Client
Enable the SSL Offloading, HTTP Compression, Load Balancing, Content Switching, Content
Filter, and Rewrite features.
a. Navigate to System > Settings in the left pane.
b. Click Configure Basic Features on the right.
The Configure Basic Features dialog opens.
c.
Content Switching
d. Click OK.
2. Enable the Responder feature.
a. Navigate to System > Settings.
b. Click Configure Advanced Features on the right. The Configure Advanced Features
dialog opens.
c. Select the following feature:
Responder
d. Click OK.
3. Save the NetScaler configuration.
a. Click the Floppy Disk icon on the top-right corner of the configuration utility.
b. Click Yes to confirm.
Click Close.
The Running Configuration dialog box closes.
Click OK.
In the Command field near the bottom of the screen, type shell and then click Go
to access the NetScaler shell.
Create an archive file of the NetScaler configuration.
a. In the Command field, type tar cvzf /var/tmp/backup.tgz
/flash/nsconfig and then click Go to create a backup file of the NetScaler
configuration.
An archive of the nsconfig directory named backup.tgz is created in the /var/tmp
directory. This archive will serve as a backup for the NetScaler configuration.
b. Click Close.
Copy the newly-created backup of the NetScaler configuration from /var/tmp/backup.tgz to
your desktop using WinSCP.
a. Launch WinSCP on your Win7Client desktop.
b. Double-click the NS_VPX_0 in the Saved sessions pane to start the session. The
window may be hidden by other open windows. Minimize other windows to view it.
c. Type nsroot in the Username field and click OK.
d. Type nsroot in the Password field and click OK.
e. In the right pane, double-click the folder icon at the top to navigate up one level to
/root.
f. Navigate to var > tmp and drag the backup.tgz file from the right pane to the left
pane.
The Copy dialog box opens.
g. Click Copy.
h. Close the WinSCP application and then click OK in the Confirm message.
Enable the SSL Offloading, Compression Control, Load Balancing, Content Switching, Content
Filtering, Rewrite, and Responder features.
a. Enter the following command in PuTTY to view the NetScaler features:
show ns feature
Access the command-line interface for NS_VPX_0 using PuTTY and log on using the nsroot
credentials.
View the current running configuration.
Copy the newly created backup of the NetScaler configuration from /var/tmp/backup.tgz to
your Win7Client desktop using WinSCP.
a. Launch WinSCP from the Win7Client desktop.
b. Double-click the NS_VPX_0 in the saved sessions pane.
c. Type nsroot in the Username field, and press Enter.
d. Type nsroot in the Password field and press Enter.
e. In the right pane, double-click the folder icon at the top of the pane to navigate up
one level to /<root>.
f. Navigate to var > tmp and drag the backup.tgz file from the right pane to the left
pane.
The Copy dialog box opens.
g. Click Copy.
h. Close the WinSCP window and click OK to confirm.
AD.training.lab
NS_VPX_0
Win7Client
Note the version of the NetScaler system displayed above the toolbar.
The version shows NS 10.5 51.10.nc.
Upgrade the NetScaler to build version 52.11.nc using the upgrade files in the
/var/nsinstall/build_10.5_52_11_nc directory.
a. Click Next on the Introduction screen and then select Appliance next to File
Location.
b. To the right of the File Path field, click Browse.
c. Scroll down, double-click the nsinstall folder and then double-click the build-10.5-52.11_nc folder.
d. Select the NS10.5 Build 52.11.nc file and click Select.
e. Click Next and then click Next on the Manage Licenses screen.
Finish the NetScaler upgrade process.
a. On the Clean-up/Reboot screen, select the box next to Automatically move files to
create space in flash.
b. Click Yes to confirm the deletion of all unused kernels on the flash.
c. Select Reboot after successful installation, click Next and then click Finish.
The NetScaler will restart upon successful completion of the upgrade process.
When the NetScaler restarts, the browser will lose its connection. Wait for the
NetScaler to restart and then click the Refresh icon in the Chrome browser
window (on the Win7Client) to access the log on screen for the NetScaler.
Verify that the NetScaler has been upgraded to build version 52.11.
a. Log on to the NetScaler configuration utility using the nsroot credentials.
b. Verify that NS10.5 52.11.nc. is displayed above the toolbar.
Use the PuTTY command-line to view the current NetScaler version and save the
configuration.
a. Enter the following command to view the NetScaler version:
show ns version
The NetScaler version shows as 10.5 Build 51.10.nc
b. Enter the following command in PuTTY to save the NetScaler configuration, so you
can return to the current configuration if the upgrade fails:
save ns config
c. Enter the following command in PuTTY to extract the new build file:
tar xvzf build-10.5-52.11_nc.tgz
d.
e.
f.
Enter Y when prompted to restart NS_VPX_0 after the installation has completed.
Click OK in the message to acknowledge that PuTTY was unexpectedly closed and
then wait for NS_VPX_0 to restart.
Verify that the NetScaler has been upgraded to build version 52.11.
a. After the NetScaler has restarted, log on to the PuTTY command-line interface for
NS_VPX_0 with the nsroot credentials.
b. Enter the following command to verify that the NetScaler has been updated to version
NS10.5: Build 52.11.nc:
show version
Module 2
Basic Networking
AD.training.lab
NS_VPX_0
WebBlue
WebGreen
WebRed
Win7Client
Add a static route to the NetScaler using 10.29.0.0 as the Network, 255.255.255.0 as the
Netmask, and 10.30.0.254 as the Gateway.
a. Navigate to System > Network > Routes and click Add.
b. Type 10.29.0.0 in the Network field.
c. Type 255.255.255.0 in the Netmask field.
d. Type 10.30.0.254 in the Gateway field.
e. Click Create.
Type 10.30.0.254 in the Host Name field, type 4 in the Count field, and then
click Run.
Valid results will look similar to the following output:
Type 10.29.0.205 in the Host Name field, type 4 in the Count field, and then
click Run.
Valid results will look similar to the following output:
Click the Floppy Disk icon in the upper-right corner of the configuration utility
window and then click Yes to confirm the saving of the configuration.
Enter the following command to enable the 1/1 interface on the NetScaler:
enable interface 1/1
Enter the following command to add a SNIP address to the NetScaler system using 10.30.0.90
as the IP Address and 255.255.255.0 as the Netmask with Management Access enabled:
add ns ip 10.30.0.90 255.255.255.0 -type SNIP -mgmtAccess ENABLED
Enter the following command to add the network route for the back-end network:
add route 10.29.0.0 255.255.255.0 10.30.0.254
Enter the following command to ping the Gateway IP address on the back-end network:
ping 10.30.0.254
Valid results will look similar to the following output:
Enter the following command to ping the WebBlue, WebGreen, and WebRed servers to verify
that the NetScaler device has connectivity to the backend:
ping 10.29.0.205
ping 10.0.0.210
ping 10.30.0.215
Press Ctrl + C to stop the ping.
Enter the following command to save the configuration if the ping is successful.
If the pings do not work, check your configuration settings within the configuration utility and
the command-line interface.
save ns config
Module 3
High Availability
AD.training.lab
Win7Client
On NS_VPX_3 (the 10.0.0.130 tab), navigate to System > Network > Interfaces.
In the Interfaces pane on NS_VPX_3, scroll to the right to verify that HA Monitoring
is enabled on interfaces 0/1.
In the lab environment, ON will not be displayed in the HA Monitoring
column even though it is ON. This step appears here as a best practice for
implementation in an actual environment.
Configure NS_VPX_3 to stay secondary during the election process for High Availability.
a. On NS_VPX_3, navigate to System > High Availability.
b. Click 0 in the ID column and then click Edit.
c. Select STAY SECONDARY (Remain in Listen Mode) in the High Availability Status
drop-down menu.
d. Click OK. The Node State should now display as Staysecondary.
Configure NS_VPX_1 and NS_VPX_3 to function as a high availability pair. Set NS_VPX_3 as
the remote node on NS_VPX_1 and specify both nodes to use the nsroot logon credentials.
c. Type 10.0.0.130 in the Remote Node IP Address field, verify that Configure
remote system to participate in High Availability setup, Turn off HA Monitor on
interfaces/channels that are down are all selected.
d. In the Remote System Login Credential fields, enter the nsroot credentials and then
click Create.
Refresh the NetScaler system configurations and verify that NS_VPX_3 is set up as the
Secondary node on NS_VPX_1.
a. On NS_VPX_1, navigate to System > High Availability.
b. On NS_VPX_1, click the Refresh button in the upper-right corner of the
configuration utility window.
c. On NS_VPX_1, verify that 10.0.0.110 appears as Primary and 10.0.0.130 appears as
Secondary in the Master State column.
d. On NS_VPX_3, navigate to System > High Availability.
e. On NS_VPX_3, click the Refresh button in the upper-right corner of the
configuration utility window.
f. On NS_VPX_3, verify that 10.0.0.110 appears as Primary and 10.0.0.130 appears as
Secondary in the Master State column.
Enable the NS_VPX_3 Node State to actively participate in High Availability.
a. On NS_VPX_3, navigate to System > High Availability.
b. Click ID 0 in the High Availability pane and click Edit.
c. Select ENABLED (Actively Participate in HA) in the High Availability Status drop-down list.
d. Click OK.
g.
h.
On NS_VPX_1, enter the following command to view the interfaces on the system:
show interface
Notice which interfaces are in an Up state versus a Down state. Interfaces in an Up
state should correspond to the critical interfaces in the previous step.
i.
j.
On NS_VPX_3, enter the following command to view the interfaces on the system:
show interface
Notice which interfaces are in an Up state versus a Down state. Interfaces in an Up
state should correspond to the critical interfaces.
b.
c.
d.
e.
On NS_VPX_1, enter the following command to view the status of the node and note
the Master State of each node:
show ha node
The Master State for NS_VPX_1 should show as Primary and NS_VPX_3 should show
as Secondary.
f. On NS_VPX_3, enter the following command to view the status of the node and note
the Master State of each node:
show ha node
The Master State for NS_VPX_1 should show as Primary and NS_VPX_3 should show
as Secondary.
g.
Compare which IP addresses are the same and which are different on each system.
Also note which subnet IPs of the system are preserved and which subnet IPs of the
system are overwritten.
b. On NS_VPX_3 (10.0.0.130), enter the following command to verify the status of the
system IP addresses:
show ns ip
c. On NS_VPX_1, enter the following command to verify the status of the nodes:
show ha node
NS_VPX_1 (10.0.0.110) should be the Primary node.
d. On NS_VPX_3, enter the following command to verify the status of the nodes:
show ha node
NS_VPX_1 (10.0.0.110) should be the Primary node.
2. On NS_VPX_1, enter the following command to remove the secondary node from the high
availability configuration:
rm ha node 1
3. On NS_VPX_3, enter the following command to remove the secondary node from the high
availability configuration:
rm ha node 1
4. On NS_VPX_1, enter the following command to verify the high availability status:
show ha node
5. On NS_VPX_3, enter the following command to verify the high availability status:
show ha node
6. Close the PuTTY sessions for NS_VPX_1 and NS_VPX_3. Click OK in the PuTTY Exit
Confirmation messages.
7. Shut down the NS_VPX_1 and NS_VPX_3 virtual machines.
a. Select All VMs from the drop-down menu at the top of the Win7Client window.
b. Click the Pause icon for the NS_VPX_1 VM to shut it down.
c. Click the Pause icon for the NS_VPX_3 VM to shut it down.
Module 4
Securing NetScaler
AD.training.lab
NS_VPX_0
Win7Client
Active Directory
Value
AD Domain Controller
10.29.0.11
DC=Training,DC=LAB
Administrator BindDN
CitrixAdmin@training.lab
Administrator Password
Password1
samAccountName
Group           User          Password    Policy
Domain Admins   citrixadmin   Password1   Superuser
Remote Users    user1         Password1   Show Only
Type testuser in the User Name field and then type Password1 in the Password
and Confirm Password fields.
Click Insert and then select read-only in the Command Policies pane.
Click Insert and then click Create.
The Create System User dialog box closes.
f. Click the Floppy Disk icon and then click Yes to save the current configuration.
g. Click Logout to log off from the current session.
2. Test the new administrator account by attempting to enable a feature.
a. Log on to the configuration utility with the testuser and Password1 credentials.
b. Navigate to System > Settings.
c. Click Configure Basic Features on the right.
The Configure Basic Features dialog box opens.
d. Select a feature to enable and click OK. The user only has read-only permissions, so
the change should not work.
e. Click OK in the Error message that indicates that testuser does not have permission to
enable features.
f. Click Close.
g. Click Logout to log off from the current session.
1. Enter 10.0.0.100 in the address field of the Chrome browser to access the NS_VPX_0
configuration utility.
2. Log on using the nsroot credentials.
3. Examine the expression for the superuser policy.
a. Navigate to System > User Administration > Command Policies in the left pane.
b. Select the superuser policy in the Command Policies section and click Edit.
Note the policy allows any command to be permitted using the .* expression.
c. Click Close.
4. Create a new policy called show_only that only allows the "show" command using the string
(^show\s+.*) as the command.
a. Click Add in the Command Policies section.
b. Type show_only in the Policy Name field.
c. Select ALLOW from the Action drop-down list.
d. Click inside the Command Spec field, clear any existing text, and then type
(^show\s+.*)
e. Click Create.
Navigate to Traffic Management > Load Balancing > Servers and click Add.
Type testsrv in the Server Name field.
Type 10.29.0.224 in the IP Address field.
Click OK then click OK then click Done.
The CitrixAdmin user was allowed to add the server.
g. Click the Floppy Disk icon in the upper-right corner of the configuration utility.
h. Click Yes to confirm saving the configuration.
Launch a PuTTY session to NS_VPX_0 (10.0.0.100) and log on using the nsroot credentials.
Create a new system account with read-only permissions on the NetScaler system:
a. Enter the following command in PuTTY to create a new system user:
add system user testuser Password1
These command policies can be used to control the permissions allowed for
delegated administration.
c. Enter the following command to configure the testuser with read-only permissions
and a priority of 1:
bind system user testuser read-only 1
Launch a PuTTY session to NS_VPX_0 and log on using the nsroot credentials.
Enter the following command to show the system command policies:
show system cmdPolicy
3. Enter the following command to examine the expression for the superuser policy:
show system cmdPolicy superuser
Note the policy allows any command to be permitted using the .* expression.
4. Enter the following command to create a new policy named show_only that only allows the
show command using the string (^show\s+.*) as the command spec:
add system cmdPolicy show_only ALLOW "(^show\s+.*)"
Enter the following commands to add the Active Directory groups, Domain Admins and
Remote Users to the NetScaler system:
add system group "Domain Admins"
add system group "Remote Users"
Group names must correspond to the group in the directory service and are case
sensitive.
2. Enter the following command to grant superuser access to the Domain Admins Active
Directory group:
bind system group "Domain Admins" -policyName superuser 1
3. Enter the following command to grant show-only access to the Remote Users Active Directory
group:
bind system group "Remote Users" -policyName show_only 10
4. Enter the following command to create an "auth_ldap_srv" entry for the LDAP server with
10.29.0.11 as the IP address and 389 as the port:
add authentication ldapAction auth_ldap_srv
-serverIP 10.29.0.11 -ldapBase "DC=Training,DC=Lab"
-ldapBindDn CitrixAdmin@training.lab
-ldapBindDnPassword Password1
-ldapLoginName samAccountName -groupAttrName memberOf
-subAttributeName CN
5. Enter the following command to create an "auth_ldap_policy" authentication policy for the
LDAP server with an expression of ns_true:
add authentication ldapPolicy auth_ldap_policy ns_true
auth_ldap_srv
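How the command policies and group bindings configured in this module resolve for individual commands, as an added Python example (not part of the workbook and not NetScaler code). It assumes first-match evaluation in ascending priority number with default deny, and uses Python's re.search as a stand-in for the appliance's matcher; the sample commands are constructed from commands in this workbook, plus the standard show ns runningConfig command.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CmdPolicy:
    name: str
    action: str  # "ALLOW" or "DENY"
    spec: str    # regular expression tested against the typed command


# Command specs exactly as they appear in this exercise.
POLICIES = {
    "superuser": CmdPolicy("superuser", "ALLOW", r".*"),
    "show_only": CmdPolicy("show_only", "ALLOW", r"(^show\s+.*)"),
}

# Group bindings from the exercise: group -> [(policy name, priority)].
# Group names are case sensitive, so the keys are matched exactly.
GROUP_BINDINGS = {
    "Domain Admins": [("superuser", 1)],
    "Remote Users": [("show_only", 10)],
}

# Directory membership from the lab's Group/User table.
USER_GROUPS = {
    "citrixadmin": ["Domain Admins"],
    "user1": ["Remote Users"],
}


def decide(user, command, user_groups=USER_GROUPS):
    """Return (allowed, policy_name) for one command typed by one user.

    Assumed model: bindings are tried in ascending priority number, the first
    spec that matches decides, and a command that matches nothing is denied.
    """
    bindings = []
    for group in user_groups.get(user, []):
        bindings.extend(GROUP_BINDINGS.get(group, []))
    for name, _priority in sorted(bindings, key=lambda b: b[1]):
        policy = POLICIES[name]
        if re.search(policy.spec, command):
            return policy.action == "ALLOW", name
    return False, None


def permitted(spec, commands):
    """Return the commands that a single ALLOW spec would let through."""
    pattern = re.compile(spec)
    return [c for c in commands if pattern.search(c)]


# Constructed sample commands (not captured from a real session).
SAMPLE_COMMANDS = [
    "show ha node",
    "show ns ip",
    "show ns runningConfig",   # standard command, not shown on this page
    "show",                    # no argument, so \s+ cannot match
    "save ns config",
    "rm ha node 1",
    "add server testsrv 10.29.0.224",
    'add system cmdPolicy demo ALLOW "show .*"',  # hypothetical policy name
]


if __name__ == "__main__":
    for user in ("citrixadmin", "user1"):
        for cmd in SAMPLE_COMMANDS:
            allowed, policy = decide(user, cmd)
            verdict = "ALLOW" if allowed else "DENY "
            print(f"{user:12} {verdict} via {policy!s:10} {cmd}")

    # The same spec with and without the leading anchor.
    print("anchored:  ", permitted(r"(^show\s+.*)", SAMPLE_COMMANDS))
    print("unanchored:", permitted(r"show\s+.*", SAMPLE_COMMANDS))
```

The unanchored variant also lets through the add system cmdPolicy sample because that command merely contains "show ", which is why the leading ^ in the spec matters. The show_only spec as written also permits show ns runningConfig, so a show-only administrator can still read the full configuration.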
Module 5
Basic Load Balancing
AD.training.lab
NS_VPX_0
WebBlue
WebGreen
WebRed
Win7Client
Log on to the NS_VPX_0 (10.0.0.100) configuration utility with the nsroot credentials.
Create the "srv_red" server with 10.30.0.215 for the IP address.
a. Navigate to Traffic Management > Load Balancing > Servers.
b. Click Add in the Servers pane.
The Create Server dialog box opens.
c. Type srv_red in the Server Name field and then type 10.30.0.215 in the IP
Address field.
d. Click Create.
3. Create the "srv_green" server with 10.0.0.210 for the IP address.
b. Type srv_green in the Server Name field and then type 10.0.0.210 in the IP
Address field.
c. Click Create.
4. Create the "srv_blue" server with 10.29.0.205 for the IP address.
a. Click Add in the Servers pane.
The Create Server dialog box opens.
b. Type srv_blue in the Server Name field and then type 10.29.0.205 in the IP
Address field.
c. Click Create.
Create an HTTP service called "svc_red" that will be associated with the WebRed web server.
a. Navigate to Traffic Management > Load Balancing > Services.
b. Click Add in the Services pane.
The Load Balancing Service dialog box opens.
3. Create an HTTP service called "svc_green" that will be associated with the WebGreen web
server.
a. Click Add in the Services pane.
The Create Service dialog box opens.
4. Begin the configuration of a "lb_vsrv_rbg" load-balancing virtual server that will be associated
with the red, blue, and green services.
a. Navigate to Traffic Management > Load Balancing > Virtual Servers.
b. Click Add in the Load Balancing Virtual Servers pane.
c. Type lb_vsrv_rbg in the Name field.
d. Verify that HTTP is selected from the Protocol drop-down menu and that 80 is
entered in the Port field.
e. Type 10.0.0.80 in the IP Address field.
f. Click OK.
g. Click the No Load Balancing Virtual Server Service Binding option below Service to
bind the Services.
h. Click the Click to select in the Select Service field.
i. Select the svc_red radio button.
j. Click OK and then click Bind.
k. Click the 1 Load Balancing Virtual Server Service Binding option below Service to
bind the Services.
l. Click Add Binding.
m. Click the Click to select in the Select Service field.
n. Select the svc_blue radio button.
o. Click OK and then click Bind.
Launch a PuTTY session to NS_VPX_0 (10.0.0.100) and log on using the nsroot credentials.
Configure the WebRed, WebBlue, and WebGreen web servers as load-balancing servers on the
NetScaler.
a. Enter the following commands to create the Red, Blue, and Green web servers:
add server srv_blue 10.29.0.205
add server srv_green 10.0.0.210
add server srv_red 10.30.0.215
3. Create the svc_red, svc_blue, and svc_green HTTP services that will be associated with the web
servers.
a. Enter the following commands to create HTTP services for Red, Blue, and Green web
servers:
add service svc_blue srv_blue HTTP 80
add service svc_green srv_green HTTP 80
add service svc_red srv_red HTTP 80
4. Create the lb_vsrv_rbg load-balancing virtual server that will be associated with the WebRed,
WebBlue, and WebGreen web servers using RoundRobin for the load balancing method.
a. Enter the following command to create the load-balancing virtual server:
add lb vserver lb_vsrv_rbg HTTP 10.0.0.80 80 -lbMethod ROUNDROBIN
b. Bind the services to the load-balancing virtual server using the following commands:
bind lb vserver lb_vsrv_rbg svc_blue
bind lb vserver lb_vsrv_rbg svc_green
bind lb vserver lb_vsrv_rbg svc_red
2.
a. Enter the following command in the PuTTY session to set the persistence for the
existing load-balancing virtual server to COOKIEINSERT:
set lb vserver lb_vsrv_rbg -persistenceType COOKIEINSERT
3.
4.
AD.training.lab
NS_VPX_0
Win7Client
WebBlue
WebGreen
WebRed
3.
Open a new browser tab and browse to http://10.0.0.80/home.php. Refresh the page
several times.
The page load balances between the RED, BLUE, and GREEN servers while the
monitor status shows as UP.
2.
Ensure that the red service for the mon_RBG_HTTPECV monitor is successfully responding.
a. Switch to the configuration utility for NS_VPX_0.
b. Navigate to Traffic Management > Load Balancing > Services.
c. Select the svc_red service and click Edit.
d. Click 1 Service to Load Balancing Monitor Binding in the Monitors section at the
bottom of the screen.
e. Note the information for the configured monitor.
The monitor details display the response status "Success - Pattern found in
response."
3.
4.
e. Click OK.
Clear the cache before the next test to avoid issues with the browser caching the server
response. Close additional instances, if more than one browser window is open.
a. Open the Firefox browser from the Win7Client desktop.
b. In the Firefox browser, navigate to Tools > Options > Privacy
c. Click clear your recent history on the Privacy page.
d. Click Clear Now to clear the cache and then click OK to close the Options dialog box.
If you are using another browser, the steps required to clear the cache will
differ.
5.
6.
7.
8.
Ensure
a.
b.
c.
Ensure
a.
b.
c.
d.
1. Enter the following command in the PuTTY session to create a load-balancing HTTP-ECV
monitor named "mon_RBG_HTTPECV" and configure the monitor to use a send string of
"GET /home.php" and a receive string of "serverinfo":
add lb monitor mon_RBG_HTTPECV HTTP-ECV -send "GET /home.php" -recv "serverinfo"
-interval 5 SEC -downTime 5 SEC
The Receive parameter (-recv) uses a string value and should be set to a string or
phrase which appears on the website in the first 24 KB of the response. For this
exercise, specify "serverinfo". Other valid strings include "Viewing this page" and "This
page indicates". String matches are case sensitive.
2. Enter the following command to bind the load-balancing HTTP-ECV monitor to the service:
bind service svc_red -monitorName mon_RBG_HTTPECV
2.
3.
4. Enter the following command to ensure that the red service for the mon_RBG_HTTPECV
monitor is successfully responding:
show service svc_red
The monitor details display the response status "Success - Pattern found in response".
5. Enter the following command to change the monitor string to the invalid string "bad string":
set lb monitor mon_RBG_HTTPECV HTTP-ECV -recv "bad string"
For this step, set the Receive parameter (-recv) to a string not found on the page; this
creates a failed status. Any string not found on the page could be used.
6. Clear the cache before the next test to avoid issues with the browser caching the server
response. Close additional instances if more than one browser window is open.
a. Open the Firefox browser from the Win7Client desktop.
b. In the Firefox browser, navigate to Tools > Options > Privacy tab.
c. Click clear your recent history on the Privacy page.
d. Click Clear Now to clear the cache and then click OK to close the Options dialog box.
If you are using another browser, the steps required to clear the cache will
differ.
7.
8. Enter the following command to ensure that the monitor state for the mon_RBG_HTTPECV
monitor is Enabled:
show lb monitor mon_RBG_HTTPECV
9. Enter the following command to ensure that the red service for the mon_RBG_HTTPECV
monitor is no longer responding:
show service svc_red
The service state shows as DOWN and the monitor response shows "Failure - Pattern not
found in response."
10. Enter the following command to unbind the mon_RBG_HTTPECV monitor from the svc_red
service:
unbind service svc_red -monitorName mon_RBG_HTTPECV
11. Enter the following command to verify svc_red is now bound to the tcp-default monitor and
the state is UP:
show service svc_red
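The difference between the HTTP-ECV monitor configured in this exercise and the tcp-default monitor that svc_red falls back to in step 11, as an added Python example (not from the workbook and not NetScaler code). The local test backends, the page bodies and the completion of the send string into an HTTP/1.0 request are assumptions of this example.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ECV_WINDOW = 24 * 1024  # the pattern must appear in the first 24 KB of the response

# Constructed page bodies standing in for /home.php (not real lab output).
PAGES = {
    "healthy": b"<html><body>serverinfo: WebRed</body></html>",
    "wrong_case": b"<html><body>ServerInfo: WebRed</body></html>",
    "pattern_too_late": b"<html>" + b" " * ECV_WINDOW + b"serverinfo</html>",
}


def start_backend(body):
    """Serve one fixed body on 127.0.0.1 at an ephemeral port (demo backend)."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def tcp_check(host, port, timeout=2.0):
    """What a TCP-only monitor can see: does the port accept a connection?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "UP"
    except OSError:
        return "DOWN"


def http_ecv_check(host, port, send, recv, timeout=2.0):
    """Send the monitor's request and search the first 24 KB for `recv`."""
    # Assumption: the send string is completed into a minimal HTTP/1.0 request.
    request = f"{send} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while len(data) < ECV_WINDOW:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return "DOWN", f"probe error: {exc}"  # wording is this example's own
    # Case-sensitive byte match, limited to the inspection window.
    if recv.encode("ascii") in data[:ECV_WINDOW]:
        return "UP", "Success - Pattern found in response"
    return "DOWN", "Failure - Pattern not found in response"


def compare_monitors(send="GET /home.php", recv="serverinfo"):
    """Run both checks against each constructed backend."""
    results = {}
    for name, body in PAGES.items():
        server = start_backend(body)
        host, port = server.server_address
        try:
            results[name] = (tcp_check(host, port),) + http_ecv_check(host, port, send, recv)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, (tcp_state, ecv_state, detail) in compare_monitors().items():
        print(f"{name:17} tcp={tcp_state:4} http-ecv={ecv_state:4} {detail}")
```

A backend that accepts connections but serves the wrong content stays UP under the TCP check and goes DOWN under the content check, which is why the choice of receive string matters.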
AD.training.lab
NS_VPX_0
LAMP_1
LAMP_2
Win7Client
From the lab environment screen, click the Play icon for the LAMP_1 and LAMP_2 virtual
machines.
To access the lab environment screen, click the All VMs option in the drop-down
menu at the top of the VM.
2. Switch to the configuration utility for NS_VPX_0 in the Win7Client and add the netscalersql
database user.
a. Navigate to System > User Administration > Database Users and click Add.
b. Type netscalersql in the User Name field.
c. Type netscaler in the Password field.
d. Type netscaler in the Confirm Password field.
3.
4.
5.
6.
7.
e. Click Create.
Create the lamp_1 server with the IP address 10.29.0.13.
a. Navigate to Traffic Management > Load Balancing > Servers and click Add.
b. Type lamp_1 in the Server Name field.
c. Type 10.29.0.13 in the IP Address field.
d. Click Create.
Create the lamp_2 server with the IP address 10.29.0.14.
a. Navigate to Traffic Management > Load Balancing > Servers and then click Add.
b. Type lamp_2 in the Server Name field.
c. Type 10.29.0.14 in the IP Address field.
d. Click Create.
Create the svc_mysql_lamp1 service for the lamp_1 server using MYSQL as the protocol and
3306 as the port.
a. Navigate to Traffic Management > Load Balancing > Services and click Add.
b. Type svc_mysql_lamp1 in the Service Name field.
c. Select the Existing Server Radio button.
d. Select lamp_1 from the Server drop-down menu.
e. Select MYSQL from the Protocol drop-down menu.
f. Type 3306 in the Port field.
g. Click OK and then click in the field below Monitors.
h. Click Add Binding then in the field Click to select and check the radio button next to
ping then click OK.
i. Click Bind, then click Close then Done.
Create the svc_mysql_lamp2 service for the lamp_2 server using MYSQL as the protocol and
3306 as the port.
a. Navigate to Traffic Management > Load Balancing > Services and click Add.
b. Type svc_mysql_lamp2 in the Service Name field.
c. Select the Existing Server Radio button.
d. Select lamp_2 from the Server drop-down menu.
e. Select MYSQL from the Protocol drop-down menu.
f. Type 3306 in the Port field.
g. Click OK and then click in the field below Monitors.
h. Click Add Binding then in the field Click to select and check the radio button next to
ping then click OK.
i. Click Bind, then click Close then Done.
Create the lb_vsrv_mysql virtual server with the IP address 10.0.0.18 on port 3306.
a. Navigate to Traffic Management > Load Balancing > Virtual Servers and click Add.
Module 5: Basic Load Balancing
8.
9.
d.
e. Click the Play button on the task bar. The query should return one record.
10. Close the HeidiSQL window and click No in the Confirm box.
Create the mon_mysql_ecv monitor to monitor the imdb database for queries for actors with a
last name of Tazova.
a. Navigate to Traffic Management > Load Balancing > Monitors and click Add.
b. Type mon_mysql_ecv in the Name field.
c. Select MYSQL-ECV from the Type drop-down menu.
d. Click the Special Parameters tab and type the following values in the specified fields:
User Name: netscalersql
Database: imdb
Query: select * from actors where actors.last_name = "Tazova"
Expression: MYSQL.RES.ATLEAST_ROWS_COUNT(1)
Verify that the expression is correct before continuing to the next step.
2.
3.
e. Click Create.
Bind the mon_mysql_ecv monitor to the MYSQL services.
a. Navigate to Traffic Management > Load Balancing > Services.
b. Select the svc_mysql_lamp1 service and click Edit
c. Click 1 Service to Load Balancing Monitor Binding in the Monitors section.
d. Click Add Binding and then click Click to select in the Select Monitor field.
e. Select the mon_mysql_ecv monitor, click OK and then click Bind.
f. Click Close and then click Done.
g. Select the svc_mysql_lamp2 service and click Edit.
h. Click 1 Service to Load Balancing Monitor Binding in the Monitors section.
i. Click Add Binding then click Click to select in the Select Monitor field.
j. Select the mon_mysql_ecv monitor, click OK, and then click Bind.
k. Click Close and then click Done.
Verify that the MYSQL-ECV monitor is working.
a. Select the svc_mysql_lamp1 service and then click Edit.
b. Click 1 Service to Load Balancing Monitor Binding in the Monitors section.
c. Highlight mon_mysql_ecv in the Configured pane. The Last Response should show
Success - Pattern found in response.
d. Click X on the top right to close the Monitors window and then click Done.
1. Start the LAMP_1 and LAMP_2 virtual machines in the lab environment.
a. Move the mouse pointer to the top of the Win7Client VM and click All VMs in the
drop-down menu to display the lab environment.
b. Select LAMP_1 and then click Play.
c. Select LAMP_2 and then click Play.
d. Select the Win7Client virtual machine in the lab environment to access its desktop.
2. From the Win7Client desktop, launch a PuTTY session to NS_VPX_0 (10.0.0.100) and log on
using the nsroot credentials.
3. Enter the following command at the PuTTY command line for NS_VPX_0 to add the
netscalersql database user:
add db user netscalersql -password netscaler
4. Enter the following command to create the LAMP_1 server with the IP address 10.29.0.13:
add server lamp_1 10.29.0.13
5. Enter the following command to create the LAMP_2 server with the IP address 10.29.0.14:
add server lamp_2 10.29.0.14
6. Enter the following command to create the svc_mysql_lamp1 service for the LAMP_1 server
using MYSQL as the protocol and 3306 as the port:
add service svc_mysql_lamp1 lamp_1 MYSQL 3306
7. Enter the following command to create the svc_mysql_lamp2 service for the LAMP_2 server
using MYSQL as the protocol and 3306 as the port:
add service svc_mysql_lamp2 lamp_2 MYSQL 3306
8. Enter the following command to create the lb_vsrv_mysql virtual server with the IP address
10.0.0.18 on port 3306:
add lb vserver lb_vsrv_mysql MYSQL 10.0.0.18 3306
9. Enter the following commands to bind the MYSQL services to the virtual load-balancing
server:
bind lb vserver lb_vsrv_mysql svc_mysql_lamp1
bind lb vserver lb_vsrv_mysql svc_mysql_lamp2
e. Click the Play button on the task bar. The query should return one record.
11. Close the HeidiSQL window and click No in the Confirm box.
Enter the following command in PuTTY to create the mon_mysql_ecv monitor to monitor the
imdb database for queries for actors with a last name of Tazova:
add lb monitor mon_mysql_ecv MYSQL-ECV
-userName netscalersql -database imdb
-sqlQuery "select * from actors where
actors.last_name = \"Tazova\""
-evalRule "MYSQL.RES.ATLEAST_ROWS_COUNT(1)"
2. Enter the following commands to bind the mon_mysql_ecv monitor to the MYSQL services:
bind service svc_mysql_lamp1 -monitorName mon_mysql_ecv
bind service svc_mysql_lamp2 -monitorName mon_mysql_ecv
3. Enter the following command to verify that the MYSQL-ECV monitor is working:
show service svc_mysql_lamp1
4.
AD.training.lab
NS_VPX_0
WebBlue
WebGreen
WebRed
Win7Client
2.
Create a load balancing service group called radius_rbg_auth with a protocol set to RADIUS.
a. Navigate to Traffic Management > Load Balancing > Service Groups.
b. Click Add. The Create Service Group dialog box opens.
c. Type radius_rbg_auth in the Service Group Name field and select RADIUS from
the Protocol drop-down menu.
d. Click OK.
Configure WebRed, WebBlue, and WebGreen as specified members and add a ping monitor to
the new RADIUS service group.
a. Click Members under Advanced on the right.
b. Click No Service Group Member in the Service Group Members section.
c. Select the Server Based radio button.
d. Select srv_blue from the Server Name drop-down menu.
3.
4.
2.
Create a RADIUS load balancing virtual server called lb_vsrv_radius_auth with an IP address
of 10.0.0.80 on port 1812.
a. Navigate to Traffic Management > Load Balancing > Virtual Servers.
b. Click Add.
c. Type lb_vsrv_radius_auth in the Name field.
d. Select RADIUS in the Protocol drop-down menu.
e. Type 10.0.0.80 in the IP Address field and type 1812 in the Port field.
f. Click OK and then click OK again.
Bind the radius_rbg_auth service group to the new virtual server using Token for the load-balancing method and CLIENT.UDP.RADIUS.USERNAME for the rule.
a. Click Service Group under Advanced on the right.
b. Click No Load Balancing Virtual Server Service Group Binding in the Service
Group section.
c. Click Click to select in the Select Service Group Name field.
d. Click the radius_rbg_auth radio button to bind the service group to the virtual server.
e. Click OK and then click Bind.
f. Click Method under Advanced on the right.
g. Select TOKEN in the Load Balancing Method drop-down menu.
h. Delete None from the Expression window and then type
CLIENT.UDP.RADIUS.USERNAME in the Expression window.
i. Click OK.
j. Click Persistence under Advanced on the right.
k. Click RULE in the Persistence drop-down menu.
l. Verify that CLIENT.UDP.RADIUS.USERNAME appears in the Expression window.
m. Click OK.
n. Click Done.
Create a RADIUS load balancing virtual server called lb_vsrv_radius_acct with an IP address of
10.0.0.80 and a port of 1813.
a. Navigate to Traffic Management > Load Balancing > Virtual Servers.
b. Click Add.
c. Type lb_vsrv_radius_acct in the Name field.
d. Select RADIUS in the Protocol drop-down menu.
e. Type 10.0.0.80 in the IP Address field.
f. Type 1813 in the Port field.
g. Click OK and then click OK again.
h. Click Service Group under Advanced on the right.
i. Click No Load Balancing Virtual Server ServiceGroup Binding in the Service Group
section.
j. Click Click to select in the Select Service Group Name field.
k. Click the radius_rbg_acct radio button to bind it to the virtual server.
l. Click OK and click Bind.
m. Click Done.
Verify that the Radius authentication and accounting virtual servers are UP.
1.
2.
3.
4.
5.
Enter the following command in PuTTY to create a RADIUS service group called
radius_rbg_auth:
add serviceGroup radius_rbg_auth RADIUS
2. Enter the following commands to configure WebRed, WebBlue, and WebGreen as specified
members of the new RADIUS service group:
bind serviceGroup radius_rbg_auth srv_blue 1812
bind serviceGroup radius_rbg_auth srv_green 1812
bind serviceGroup radius_rbg_auth srv_red 1812
3. Enter the following command to create a RADIUS service group called radius_rbg_acct:
add serviceGroup radius_rbg_acct RADIUS
4. Enter the following commands to bind the service group to the WebBlue, WebGreen, and
WebRed servers:
bind serviceGroup radius_rbg_acct srv_blue 1813
bind serviceGroup radius_rbg_acct srv_green 1813
bind serviceGroup radius_rbg_acct srv_red 1813
5. Enter the following commands to verify that both service groups are ENABLED and Up:
show serviceGroup radius_rbg_acct
show serviceGroup radius_rbg_auth
1. Enter the following command in PuTTY to create a RADIUS load-balancing virtual server
called lb_vsrv_radius_auth with an IP address of 10.0.0.80 on port 1812 using Token for the
load-balancing method and client.udp.radius.username for the rule:
add lb vserver lb_vsrv_radius_auth RADIUS 10.0.0.80 1812
-persistenceType RULE -lbMethod TOKEN
-rule client.udp.radius.username
2. Enter the following command to bind the radius_rbg_auth service group to the new virtual
server:
bind lb vserver lb_vsrv_radius_auth radius_rbg_auth
3. Enter the following command to create a RADIUS load-balancing virtual server called
lb_vsrv_radius_acct with an IP address of 10.0.0.80 on port 1813 using Token for the
load-balancing method and client.udp.radius.username for the rule:
add lb vserver lb_vsrv_radius_acct RADIUS 10.0.0.80 1813
-persistenceType RULE -lbMethod TOKEN
-rule client.udp.radius.username
4. Enter the following command to bind the radius_rbg_acct service group to the new virtual
server:
bind lb vserver lb_vsrv_radius_acct radius_rbg_acct
5. Enter the following commands to verify that the Radius authentication and accounting virtual
servers are Up:
show lb vserver lb_vsrv_radius_acct
show lb vserver lb_vsrv_radius_auth
2.
3.
4.
Click Continue multiple times to submit additional requests. Verify that the Response
status is still Good.
f. Close the RADIUS test client window.
View the RADIUS persistence sessions that were created with the RADIUS authentication
requests.
a. Switch to the PuTTY command-line interface for NS_VPX_0.
b. Enter the following command to view the persistence sessions:
show persistentSessions lb_vsrv_radius_auth
Persistence sessions from the RADIUS authentication requests are displayed.
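What the CLIENT.UDP.RADIUS.USERNAME rule gives the TOKEN method to work with, as an added Python example (not from the workbook and not NetScaler code): it walks the RADIUS header and attribute list, extracts User-Name, and maps it to a service group member. The SHA-256-modulo mapping, the constructed datagrams and the function names are assumptions; the appliance's own token hash is not described on this page.

```python
import hashlib
import struct

MEMBERS = ["srv_blue", "srv_green", "srv_red"]  # service group members in the exercise
HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ATTR_USER_NAME = 1       # RFC 2865 User-Name attribute
ACCESS_REQUEST = 1       # authentication traffic (port 1812 in the exercise)
ACCOUNTING_REQUEST = 4   # accounting traffic (port 1813 in the exercise)


def build_request(code, identifier, username, leading_attrs=b""):
    """Construct a minimal RADIUS request for the demo (zeroed authenticator)."""
    name = username.encode("utf-8")
    attrs = leading_attrs + bytes([ATTR_USER_NAME, len(name) + 2]) + name
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + bytes(16) + attrs


def radius_username(datagram):
    """Return the User-Name value, None if absent; raise ValueError if malformed."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _identifier, length = struct.unpack("!BBH", datagram[:4])
    # The Length field must cover the header and must not exceed the datagram.
    if length < HEADER_LEN or length > len(datagram):
        raise ValueError("Length field does not match the datagram")
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = datagram[pos], datagram[pos + 1]
        # attr_len counts the type and length octets, so 2 is the minimum.
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        if attr_type == ATTR_USER_NAME:
            return datagram[pos + 2:pos + attr_len].decode("utf-8", errors="replace")
        pos += attr_len
    return None


def pick_member(username, members=MEMBERS):
    """Map a token to a member. Assumption: SHA-256 modulo the member count."""
    digest = hashlib.sha256(username.encode("utf-8")).digest()
    return members[int.from_bytes(digest[:8], "big") % len(members)]


def route(datagram):
    """Choose the member for a request, or None when no User-Name is present."""
    username = radius_username(datagram)
    return None if username is None else pick_member(username)


if __name__ == "__main__":
    nas_ip = bytes([4, 6, 10, 0, 0, 100])  # constructed NAS-IP-Address attribute
    for user in ("alice", "bob", "carol"):
        auth = build_request(ACCESS_REQUEST, 1, user, leading_attrs=nas_ip)
        acct = build_request(ACCOUNTING_REQUEST, 2, user)
        print(user, "auth ->", route(auth), "| acct ->", route(acct))
```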
Module 6
SSL Offload
AD.training.lab
NS_VPX_0
WebBlue
WebGreen
WebRed
Win7Client
Use the NetScaler certificate tools to create an RSA key file called TestKey.pem with a key size
of 2048 and DES3 as the encoding algorithm.
a. Navigate to Traffic Management > SSL and then click Create RSA Key under SSL
Keys.
b. Type TestKey.pem in the Key Filename field and then type 2048 in the Key Size
field.
c. Select F4 as the Public Exponent Value and verify that PEM is selected as the Key
Format.
d. Select DES3 as the PEM Encoding Algorithm and type Password1 in the PEM
Passphrase and Confirm PEM Passphrase fields.
e. Click OK.
Use the NetScaler certificate tools to create a certificate request named TestCSR.csr using
TestKey.pem as the key file and the MillennialGadgets.com company information.
a. Navigate to Traffic Management > SSL and then click Create Certificate Signing
Request (CSR) under SSL Certificates.
b. Type TestCSR.csr in the Request File Name field.
c. To the right of the Key Filename field, select Appliance from the Browse drop-down
list.
d. Select TestKey.pem from the current directory and click Open.
e. Type Password1 in the PEM Passphrase field.
f. Provide the following information in the corresponding Distinguished Name Fields:
State or Province Name: California
Organization Name: MillennialGadgets.com
Common Name: MillennialGadgets.com
g. Type Password1 in the Challenge Password field.
This password does not have to be the same as the PEM passphrase. However,
outside of the lab environment, it is recommended that you specify a secure
passphrase.
h.
i.
Use the NetScaler certificate tools to create a self-signed certificate named TestCert.cert with a
validity period of 1825 days.
a. Navigate to Traffic Management > SSL and then click Create Certificate under SSL
Certificates.
b. Type TestCert.cert in the Certificate File Name field.
c. Verify that PEM is selected as the Certificate Format, and then select Server as the
Certificate Type.
d. Click Browse next to the Certificate Request File Name field, select TestCSR.csr in the
displayed directory and then click Open.
e. Type 1825 in the Validity Period field.
Use the NetScaler certificate tools to continue creating a self-signed certificate named
TestCert.cert using ns-root.cert and ns-root.key as the CA certificate file and CA key file.
a. Click Browse next to the CA Certificate File Name field, select ns-root.cert in the
current directory and click Open.
b. Verify that PEM is selected as the CA Certificate File format.
c. Click Browse next to the CA Key File Name field, select ns-root.key in the current
directory and then click Open.
d. Verify that PEM is selected as the CA Key File Format.
e. Type Password1 in the PEM Passphrase field.
Use the NetScaler certificate tools to complete creating a self-signed certificate named
TestCert.cert using ns-root.srl as the CA serial number file.
a. Click Browse next to the CA Serial File Number field, select ns-root.srl in the
displayed directory and click Open.
b. Click OK.
2.
Create a certificate-key pair on the NetScaler system using the new certificate and key.
a. Navigate to Traffic Management > SSL > Certificates and then click Install.
b. Type TestCertKey in the Certificate-Key Pair Name field.
c. Click Browse next to Certificate File Name field, select TestCert.cert in the displayed
directory, and click Open.
d. Click Browse next to the Key File Name field and select TestKey.pem in the displayed
directory and click Open.
e. Verify that PEM is selected as the Certificate Format and type Password1 in the
Password field.
f. Click Install to create the certificate-key pair.
Verify that TestCertKey is displayed in the SSL Certificates pane and the status is shown as
Valid.
2.
3.
Click the Floppy Disk icon in the upper-right corner of the configuration utility to save the
running configuration and then click Yes to confirm.
Open a secure connection to the virtual server and test the SSL offload configuration.
a. Open an Internet Explorer browser window and browse to
https://10.0.0.81/home.php.
b. Select Continue to this web site (not recommended).
This certificate error is displayed within the browser because the test certificate
was not created by a trusted certificate authority and a root certificate was not
installed. Disregard these errors for this lab exercise.
c.
d.
Create an RSA Key called TestKey.pem with a key size of 2048 and DES3 as the encoding
algorithm.
a. Enter the following command in PuTTY to create the RSA key file:
create ssl rsakey TestKey.pem 2048 -exponent F4 -keyform PEM -des3 -password Password1
2. Create a certificate request called TestCSR.csr using TestKey.pem as the key file and the
MillennialGadgets.com company information.
a.
3. Create a self-signed certificate named TestCert.cert with a validity period of 1825 days.
a. Enter the following command to create the SSL certificate:
create ssl cert TestCert.cert TestCSR.csr SRVR_CERT
-CAcert /nsconfig/ssl/ns-root.cert
-CAkey /nsconfig/ssl/ns-root.key -CAserial /nsconfig/ssl/ns-root.srl
4. Create the Certificate Key Pair by using the created RSA Key and Certificate.
a. Enter the following command to create the certkey:
add ssl certkey TestCertKey -cert TestCert.cert -key TestKey.pem
-password Password1
b.
5. Create an SSL virtual server called ssl_vsrv_rbg, bind the certificate key-pair to the virtual
server and then bind the services to the virtual server.
a. Enter the following command in PuTTY to create the SSL virtual server:
add lb vserver ssl_vsrv_rbg SSL 10.0.0.81 443
b. Enter the following command to bind the certificate-key pair to the SSL virtual server:
bind ssl vserver ssl_vsrv_rbg -certkeyName TestCertKey
c. Enter the following commands to bind services to the SSL virtual server:
bind lb vserver ssl_vsrv_rbg svc_blue
bind lb vserver ssl_vsrv_rbg svc_green
bind lb vserver ssl_vsrv_rbg svc_red
d.
Open a secure connection to the virtual server and test the SSL offload configuration.
a. Open a Firefox browser window and browse to https://10.0.0.81/home.php.
b. Click I Understand the Risks, click Add Exception and then click Confirm Security
Exception to continue to the web site.
A certificate error will be displayed within the browser because the test
certificate was not created by a trusted certificate authority and a root
certificate was not installed. Disregard these errors for this lab exercise.
c.
Module 7
AD.training.lab
NS_VPX_1
NS_VPX_2
Web_Blue
Web_Green
Web_Red
Win7Client
Variable   Frankfurt               Tokyo
NSIP       10.0.0.110              10.30.0.120
SNIP       10.0.0.91, 10.0.0.93    10.30.0.92, 10.30.0.93
VIP1       10.0.0.66               10.30.0.76
VIP2       10.0.0.68               10.30.0.78
Variable
IP Address
10.29.0.11
2.
c.
d.
2.
3.
Create a "gslb_svc_FRK" GSLB service on the Frankfurt NetScaler and configure the service to
communicate over HTTP on port 80.
a. Navigate to Traffic Management > GSLB > Services and then click Add.
b. Type gslb_svc_FRK in the Service Name field and select site_FRK from the Site
Name drop-down menu.
c. Select LOCAL from the Site Type drop-down menu.
d. Verify that HTTP is selected as the Service Type and 80 appears in the Port field.
e. Select the Virtual Servers radio button and then select lb_vsrv_FRK from the Virtual
Server drop-down menu.
f. Click OK and then click Done.
Create a "gslb_svc_TOK" GSLB service on the Frankfurt NetScaler and configure the service to
communicate over HTTP on port 80.
a. Click Add.
b. Type gslb_svc_TOK in the Service Name field and select site_TOK from the Site
Name drop-down menu.
c. Select Remote from the Site Type drop-down menu.
d. Verify that HTTP is selected as the Service Type and 80 appears in the Port field.
e. Select New Server and type 10.30.0.78 in the Server IP field. This is the SNIP for
site_TOK on NS_VPX_2.
f. Click OK.
g. Click Done.
Verify that the state for gslb_svc_FRK service shows as UP.
The gslb_svc_TOK service will show as DOWN until the remote GSLB service is
configured.
2.
3.
2.
3.
4.
Add the "site_FRK" and "site_TOK" GSLB sites to the Frankfurt NetScaler.
a. Enter the following command to add the Frankfurt GSLB site:
add gslb site site_FRK 10.0.0.93
b.
2.
3.
Enter the following command to add the gslb_svc_FRK service to the Frankfurt NetScaler:
add gslb service gslb_svc_FRK srv_FRK HTTP 80 -publicIP 10.0.0.68
-publicPort 80 -siteName site_FRK
2.
3.
Enter the following command to add the GSLB virtual server GSLB_vsrv_global of type HTTP
using round robin for the load-balancing method:
add gslb vserver GSLB_vsrv_global HTTP -lbMethod ROUNDROBIN
The LB method is being set to Round Robin for purposes of the lab demonstration
only. A production implementation of GSLB would not be based on round robin.
2.
Bind the Frankfurt and Tokyo GSLB services to the GSLB virtual server.
a. Enter the following command to bind the Frankfurt GSLB service to the GSLB virtual
server:
bind gslb vserver GSLB_vsrv_global -serviceName gslb_svc_FRK
b. Enter the following command to bind the Tokyo GSLB service to the GSLB virtual
server:
bind gslb vserver GSLB_vsrv_global -serviceName gslb_svc_TOK
3.
4.
Enter the following command to display the GSLB virtual server GSLB_vsrv_global:
show gslb vserver GSLB_vsrv_global
AD.training.lab
NS_VPX_1
NS_VPX_2
Web_Blue
Web_Green
Web_Red
Win7Client
Variable   Frankfurt               Tokyo
NSIP       10.0.0.110              10.30.0.120
SNIP       10.0.0.91, 10.0.0.93    10.30.0.92, 10.30.0.93
VIP1       10.0.0.66               10.30.0.76
VIP2       10.0.0.68               10.30.0.78
Variable
IP Address
10.29.0.11
2.
Synchronize the GSLB settings from the Frankfurt NetScaler to the Tokyo NetScaler.
a. Switch to the Frankfurt NetScaler (10.0.0.110).
b. Navigate to Traffic Management > GSLB and click Synchronize configuration on
remote sites.
The Synchronize GSLB Configuration window appears.
c. Select Force Sync from the Synchronization Option and then select site_TOK from
the GSLB Site Name drop-down menu.
d. Click OK.
Log on to the PuTTY command-line interface for Tokyo NetScaler (NS_VPX_2) using the
nsroot credentials.
Enter the following command to enable the GSLB feature:
enable ns feature gslb
Add the "site_FRK" and "site_TOK" GSLB sites to the Tokyo NetScaler.
a. Enter the following command to add the Frankfurt GSLB site:
add gslb site site_FRK 10.0.0.93
b.
2.
3.
Synchronize the GSLB settings from the Frankfurt NetScaler to the Tokyo NetScaler.
a. In the PuTTY command-line interface for the Frankfurt NetScaler (NS_VPX_1), enter
the following command to save the configuration:
save ns config
b. In the PuTTY command-line interface for the Frankfurt NetScaler (NS_VPX_1), enter
the following commands to force sync the local GSLB configuration to the remote
GSLB site:
sync gslb config -forceSync site_TOK
y
An automated script will sync all settings from the local site to the remote site.
c.
AD.training.lab
NS_VPX_1
NS_VPX_2
Web_Blue
Web_Green
Web_Red
Win7Client
Variable   Frankfurt               Tokyo
NSIP       10.0.0.110              10.30.0.120
SNIP       10.0.0.91, 10.0.0.93    10.30.0.92, 10.30.0.93
VIP1       10.0.0.66               10.30.0.76
VIP2       10.0.0.68               10.30.0.78
Variable
IP Address
10.29.0.11
1.
2.
3.
4.
Create an authoritative DNS service using the 10.0.0.66 LB VS IP address on the Frankfurt
NetScaler.
a. Navigate to Traffic Management > DNS > Name Servers and click Add.
b. Select the DNS Virtual Server radio button, then click the DNS Virtual Server drop-down
menu and select the lb_vsrv_dns virtual server.
c. The Protocol should state UDP.
d. Click Create.
Switch to the Frankfurt NetScaler command-line interface and ping the www.gslbdomain.com
domain to verify the DNS setup.
a. Launch a PuTTY session from the Win7Client desktop and open the NS_VPX_1 saved
session.
b. Log on to the NS_VPX_1 command-line interface using the nsroot credentials.
c. Enter the following command to ping the www.gslbdomain.com domain several times:
ping www.gslbdomain.com
Note the IP address, then press CTRL+C to stop the ping.
If GSLB is configured correctly on both systems, the ping response should alternate between
the VIP addresses of the Frankfurt and Tokyo NetScaler systems during alternating tests.
Be aware that pinging the address from multiple locations at once can hide the round-robin
load-balancing behavior, since subsequent requests can be load balanced
(correctly) back to the first server.
5.
Enable
a.
b.
c.
d.
e.
f.
Open the Local Area Network settings for the Win7Client virtual machine.
a. Click Start > Control Panel on the Win7Client to open the Control Panel dialog box
on the hosted workstation.
b. Click Network and Sharing Center, and then click Local Area Connection.
c. Click Properties to open the Local Area Connection Properties dialog box.
Configure the local DNS settings to use the 10.0.0.66 LB virtual server.
a. Highlight Internet Protocol Version 4 (TCP/IPv4).
b. Click Properties to open the Internet Protocol (TCP/IP) Properties dialog box.
c. Select Use the following DNS server addresses.
d. Set the Preferred DNS Server to 10.0.0.66.
It is recommended to use only one NetScaler system as a DNS.
3.
2.
3.
4.
If ping responses are displaying alternating IP addresses as expected, but the content
in the web browsers is not reflecting load balancing between the Frankfurt and Tokyo
NetScaler systems, close all open web browsers. Repeat the test with only one web
browser and close and open the browser between each test.
5.
Switch back to the command prompt on the Win7Client virtual machine and perform an
nslookup on the www.gslbdomain.com domain.
a. Switch to the Win7Client command prompt.
b. Perform an nslookup using the following command:
nslookup www.gslbdomain.com
The GSLB virtual server returns two IP addresses, 10.0.0.68 and 10.30.0.78.
2.
Open the Local Area Network settings for the Win7Client virtual machine.
a. Click Start > Control Panel to open the Control Panel dialog box on the hosted
workstation.
b. Click Network and Internet, click Network and Sharing Center, and then click Local
Area Connection.
c. Click Properties to open the Local Area Connection Properties dialog box.
Configure the local DNS settings to use the 10.0.0.66 LB virtual server.
a. Highlight Internet Protocol Version 4 (TCP/IPv4).
b. Click Properties to open the Internet Protocol (TCP/IP) Properties dialog box.
c. Select Use the following DNS server addresses.
d. Set the Preferred DNS Server to 10.0.0.66.
It is recommended to use only one NetScaler system as a DNS.
3.
4.
c.
In the Win7Client virtual machine, use an SSH connection (PuTTY) to the NS_VPX_1 command-line
interface logged on as the nsroot user for this task.
1.
In the PuTTY command-line interface for the Frankfurt NetScaler (NS_VPX_1), enter the
following command to bind the domain alias www.gslbdomain.com to the GSLB virtual server:
bind gslb vserver GSLB_vsrv_global -domainName www.gslbdomain.com
2.
Enter the following command to create an authoritative DNS service on the Frankfurt
NetScaler:
add dns nameserver lb_vsrv_dns -state ENABLED
3.
Enter the following command to ping the domain name from the NetScaler command-line
interface and verify the results:
ping www.gslbdomain.com
Note the IP address and then press CTRL+C to stop the ping.
4.
Enter the following command to repeat the ping to domain name from the PuTTY command-line
interface and verify that the other site is responding to the ping:
ping www.gslbdomain.com
Note the IP address then press CTRL+C to stop the ping.
If GSLB is configured correctly on both systems, the ping response should alternate between
the VIP addresses of the Frankfurt and the Tokyo NetScaler systems during alternating tests.
Be aware that pinging the address from multiple locations at once can hide the round-robin load-balancing behavior, since subsequent requests can get load balanced
(correctly) back to the first server.
5.
In the Win7Client virtual machine, use an SSH connection (PuTTY) to the NS_VPX_1 and
NS_VPX_2 command-line interfaces logged on as the nsroot user for this task.
1.
2.
Enter the following command to display the GSLB virtual server GSLB_vsrv_global:
show gslb vserver gslb_vsrv_global
3.
4.
2.
Open the Local Area Network settings for the Win7Client virtual machine.
a. Click Start > Control Panel to open the Control Panel dialog box on the hosted
workstation.
b. Click Network and Sharing Center, and then click Local Area Connection 2.
c. Click Properties to open the Local Area Connection Properties dialog box.
Configure the local DNS settings to use the 10.0.0.66.
a.
b.
c.
d.
3.
2.
3.
4.
5.
Switch back to the command prompt on the Win7Client virtual machine and perform an
nslookup on the www.gslbdomain.com domain.
Module 7: Global Server Load Balancing
a.
b.
The GSLB virtual server returns two IP addresses, 10.0.0.68 and 10.30.0.78.
2.
Open the Local Area Network settings for the Win7Client virtual machine.
a. Click Start > Control Panel to open the Control Panel dialog box on the hosted
workstation.
b. Click Network and Internet, click Network and Sharing Center, and then click Local
Area Connection.
c. Click Properties to open the Local Area Connection Properties dialog box.
Configure the local DNS settings to use the 10.0.0.66 LB virtual server.
a. Highlight Internet Protocol Version 4 (TCP/IPv4).
b. Click Properties to open the Internet Protocol (TCP/IP) Properties dialog box.
c. Select Use the following DNS server addresses.
d. Set the Preferred DNS Server to 10.0.0.66.
It is recommended to use only one NetScaler system as a DNS.
3.
4.
Ensure that you are pointing to the correct DNS server. For this lab, you should point to one
of the ADNS IP addresses on either the Frankfurt or Tokyo NetScaler systems.
Ensure that you set the DNS setting on the correct network connection if multiple networks
are present. Consult with your instructor if required.
Ensure that your web browser does not have a proxy server configured.
Ensure that you are not connecting from a workstation behind a firewall that is blocking UDP
port 53 (DNS).
If the issue exists during the browser test, clear the cache between test runs. For best results,
close and re-open the browser between each test.
If the issue is at the ping response from the workstation and only 1 IP address is being
returned, verify that the GSLB sites, services, and virtual servers appear as UP and that MEP
status shows as UP/Active.
Multiple browser instances can also affect the results. Close all open browsers and start from a
fresh session. Close and open browsers between tests.
Conduct tests from only one hosted workstation at a time.
Ensure that the GSLB and load-balancing (LB) features are ENABLED on both NetScaler
systems.
Verify on the NetScaler system that the resolution is alternating between GSLB services.
Example: From the command-line interface on a given NetScaler system, ping
www.gslbdomain.com; stop and re-ping. Verify that you receive the two expected IP addresses.
Other Issues
Verify that the correct IP addresses are used for the load-balancing virtual server, GSLB
services, and GSLB virtual server. Confirm that sites, virtual servers, services, and domains are
bound appropriately.
Verify that MEP is functioning and that both sites and services show as UP on both NetScaler
systems. Using the configuration utility instead of the command-line interface may be easier to
quickly verify the configured settings.
Module 8
AppExpert Classic
Policy Engine
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
Create an expression named red_url for URL requests that contain "/red.php".
a. Navigate to AppExpert > Expressions > Classic Expressions and then click Add.
The Create Policy Expression dialog box opens.
b.
c.
2.
3.
c.
Click Create.
Create the cf_red_url content filter policy using the red_url policy expression.
a. Navigate to Security > Protection Features > Filter and then click Add.
The Create Filter Policy dialog box opens.
b.
c.
d.
e.
2.
a.
Select the cf_red_url policy, click Action and then click Global Bindings.
The Filter Global Filter Policy Binding dialog box opens.
b.
c.
d.
e.
f.
g.
2.
3.
1.
Unbind
a.
b.
c.
d.
e.
f.
Launch the PuTTY command-line interface application from the Win7Client desktop.
Select NS_VPX_0 from the saved sessions and then log on to PuTTY using the nsroot
credentials.
Enter the following command to create the red_url policy expression:
add policy expression red_url "REQ.HTTP.URL == /red.php"
4.
Enter the following command to create the cf_red_url filter using the red_url policy with a
request action of DROP:
add filter policy cf_red_url -rule red_url -reqAction DROP
5.
6.
Verify that the red.php page does not load from the red server.
The pages are being load-balanced, so the server that presents the page may differ in
color from the content on the page.
a.
Open the Firefox browser from the Win7Client desktop and browse to
http://10.0.0.80/red.php.
The browser will display a "The connection was reset" page and the red content will
not load.
2.
3.
1.
Module 10
Rewrite, Responder,
and URL Transform
10
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
3.
3.
Switch to the configuration utility for NS_VPX_0 at http://10.0.0.100 and log on using the
nsroot credentials if necessary.
Add the rw_act_SendToHome rewrite action to replace an unspecified URL path with
"/home.php."
a. Navigate to AppExpert > Rewrite > Actions and then click Add.
b. Type rw_act_SendToHome in the Name field.
c. Select REPLACE from the Type drop-down menu.
d. Type HTTP.REQ.URL.PATH in the Expression to choose target location field.
e. Type "/home.php" in the Expression to Replace with field.
f. Click Create.
Add the req_pol_SendToHome rewrite policy using the rw_act_SendToHome action that
matches the forward slash (/) character.
a. Navigate to Rewrite > Policies and then click Add.
b. Type req_pol_SendToHome in the Name field.
c. Select rw_act_SendToHome from the Action drop-down menu.
d. Type HTTP.REQ.URL.PATH.EQ("/") in the Expression field.
Verify that the expression is typed correctly before moving on.
4.
5.
6.
7.
e. Click Create.
Globally bind the rewrite policy.
a. Click the Policy Manager button in the AppExpert > Rewrite > Rewrite Policies
screen.
b. Select Override Global from the Bind Point drop-down menu.
c. Click Continue.
d. Click Click to select in the Select Policy field.
e. Select the req_pol_SendToHome radio button and then click OK.
f. Click Bind.
g. Click Done.
Click the Floppy Disk icon to save the NetScaler configuration and then click Yes to confirm
the save.
Switch to the Firefox browser on the Win7Client desktop.
Browse to http://10.0.0.80/ to verify the rewrite policy.
The home.php page for one of the RBG servers is displayed without having to specify it in the
URL.
8.
Open Firefox and browse to the RBG virtual server by navigating to http://10.0.0.80.
Note that the index page is displayed for one of the Red, Blue, or Green (RBG) servers.
2.
Log on to the PuTTY command-line interface for NS_VPX_0 using the nsroot credentials.
Enter the following command to add the rw_act_SendToHome rewrite action to replace the
URL path with "/home.php":
add rewrite action rw_act_SendToHome REPLACE HTTP.REQ.URL.PATH '"/home.php"'
3.
Enter the following command to add the req_pol_SendToHome rewrite policy using the
rw_act_SendToHome action:
add rewrite policy req_pol_SendToHome 'HTTP.REQ.URL.PATH.EQ("/")' rw_act_SendToHome
The policy is not yet active.
4.
5.
6.
7.
Switch to the Firefox browser and browse to http://10.0.0.80 to verify that the rewrite
policy is working correctly. The "home.php" page for one of the RBG servers is displayed
without having to specify it in the URL.
Enter the following command in PuTTY to unbind the rewrite policy so it doesn't impact
future exercises:
unbind rewrite global req_pol_SendToHome
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
3.
3.
Switch to the configuration utility for NS_VPX_0 and log on using the nsroot credentials, if
necessary.
Add the rw_act_RemoveSrvID rewrite action to remove the Server ID from the header.
a. Navigate to AppExpert > Rewrite > Actions and then click Add.
b. Type rw_act_RemoveSrvID in the Name field.
c. Select DELETE_HTTP_HEADER from the Type drop-down menu.
d. Type Server in the Header Name field.
e. Click Create.
Add a "res_pol_RemoveSrvID" rewrite policy to remove the Server ID with an IS_VALID
HTTP response.
4.
3.
4.
a. Switch to the configuration utility for NS_VPX_0 and log on using the nsroot
credentials, if necessary.
b. Navigate to AppExpert > Rewrite > Policies and then click the Policy Manager
button.
c. Select Response from the Connection Type drop-down menu and then click
Continue.
d. Select the res_pol_RemoveSrvID and click Unbind.
e. Click Yes and then click Done.
3.
View the header information for the server that is hosting the RBG web page.
a. Browse to the RBG virtual server by navigating to the http://10.0.0.80 index
page.
b. Select one of the items below Started in HttpFox that does not say (Cache) in the
Result column in HttpFox.
c. View the header information in the Response header pane.
Verify that the Server header is displayed as Microsoft-IIS/7.5.
1.
2.
Switch to the NS_VPX_0 command-line interface (PuTTY) and log on using the nsroot
credentials, if necessary.
Enter the following command to add the rw_act_RemoveSrvID rewrite action to remove the
Server ID from the header:
add rewrite action rw_act_RemoveSrvID delete_http_header Server
3.
Enter the following command to add the res_pol_RemoveSrvID rewrite policy to remove the
Server ID:
add rewrite policy res_pol_RemoveSrvID 'HTTP.RES.IS_VALID' rw_act_RemoveSrvID
4.
4.
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
2.
3.
4.
5.
6.
7.
Add the res_pol_NewSrvID rewrite policy using the rw_act_NewSrvID action with an http
IS_VALID response.
a. Select the Policies node and click Add.
b. Type res_pol_NewSrvID in the Name field.
c. Select rw_act_NewSrvID from the Action drop-down menu.
d. Type HTTP.RES.IS_VALID in the Expression field.
e. Click Create.
Bind the res_pol_NewSrvID rewrite policy globally.
a. Click the Policy Manager button in the Rewrite Policies screen.
b. Verify that Override Global is selected in the Bind Point field and select Response
from the Connection Type drop-down menu.
c. Click Continue.
d. Click Add Binding.
e. Click Click to select under Select Policy.
f. Select the res_pol_NewSrvID radio button and click OK.
g. Click Bind.
h. Click Done.
Add the rw_act_NoCache rewrite action to insert "no-cache" in the cache-control of the HTTP
Header.
a. Select the Actions node and click Add.
b. Type rw_act_NoCache in the Name field.
c. Select INSERT_HTTP_HEADER from the Type drop-down menu.
d. Type Cache-Control in the Header Name field.
e. Type "no-cache" in the Expression to Replace with field.
f. Click Create.
Add the res_pol_NoCache rewrite policy using the rw_act_NoCache action.
a. Click the Policies node and then click Add.
b. Type res_pol_NoCache in the Name field.
c. Select rw_act_NoCache from the Action drop-down menu.
d. Type HTTP.RES.IS_VALID in the Expression field.
e. Click Create.
Bind the res_pol_NoCache policy globally.
a. Click the Policy Manager button.
b. Verify that Override Global is selected in the Bind Point field.
c. Select Response from the Connection Type drop-down menu.
d. Click Continue.
e.
f.
g.
h.
i.
4.
5.
Enter the following command in PuTTY to add the rw_act_NewSrvID rewrite action to insert
the HTTP header "Unspecified" for the Server value:
add rewrite action rw_act_NewSrvID insert_http_header "Server" "\"Unspecified\""
2.
Enter the following command to add the res_pol_NewSrvID rewrite policy using the
rw_act_NewSrvID action:
add rewrite policy res_pol_NewSrvID 'HTTP.RES.IS_VALID' rw_act_NewSrvID
3.
Enter the following command to bind the rewrite policy res_pol_NewSrvID globally:
bind rewrite global res_pol_NewSrvID 20 NEXT -type RES_OVERRIDE
4.
Enter the following command to add the rw_act_NoCache rewrite action to insert the string
"no-cache" in the cache-control of the HTTP Header:
add rewrite action rw_act_NoCache insert_http_header "Cache-Control" "\"no-cache\""
5.
Enter the following command to add the res_pol_NoCache rewrite policy using the
rw_act_NoCache action:
add rewrite policy res_pol_NoCache 'HTTP.RES.IS_VALID' rw_act_NoCache
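One way to check the result of the Server and Cache-Control rewrite policies without reading headers by hand in HttpFox. This is an added example, not part of the workbook; the raw responses are constructed samples and the function names and finding codes are hypothetical.

```python
import re

# A Server value such as "Microsoft-IIS/7.5" names a product and a version.
VERSION_BANNER = re.compile(r"[A-Za-z][\w.-]*/\d")


def parse_headers(raw):
    """Return (name, value) pairs from the header section of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """Return finding codes for the headers the rewrite exercises are meant to change."""
    headers = parse_headers(raw)
    findings = []

    servers = [v for n, v in headers if n == "server"]
    if any(VERSION_BANNER.search(v) for v in servers):
        findings.append("server-banner")          # product/version still disclosed
    if len(servers) > 1:
        findings.append("duplicate-server")       # a header was added, none removed

    # Clients ignore a header named "CacheControl"; only "Cache-Control" counts.
    if any(n == "cachecontrol" for n, _ in headers):
        findings.append("misspelled-cache-control")
    directives = [d.strip().lower()
                  for n, v in headers if n == "cache-control"
                  for d in v.split(",")]
    if "no-cache" not in directives:
        findings.append("no-cache-missing")
    return findings


# Constructed sample responses (not captured from the lab).
ORIGIN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "Server: Microsoft-IIS/7.5\r\n\r\n<html></html>")
INSERT_ONLY = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               "Server: Microsoft-IIS/7.5\r\nServer: Unspecified\r\n"
               "Cache-Control: no-cache\r\n\r\n<html></html>")
REWRITTEN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Server: Unspecified\r\nCache-Control: no-cache\r\n\r\n<html></html>")
MISSPELLED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Server: Unspecified\r\nCacheControl: no-cache\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("origin", ORIGIN), ("insert only", INSERT_ONLY),
                       ("rewritten", REWRITTEN), ("misspelled", MISSPELLED)):
        print(label, audit(raw))
```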
6.
4.
Unbind the res_pol_NewSrvID and res_pol_NoCache policies so they don't impact future
exercises.
a. Enter the following command in PuTTY to unbind the res_pol_NewSrvID policy:
unbind rewrite global res_pol_NewSrvID
b.
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
Create a load-balancing virtual server for the Red, Blue, and Green servers named
lb_vsrv_redirecttossl with the IP address 10.0.0.81 on the standard HTTP port.
a. Navigate to Traffic Management > Load Balancing > Virtual Servers and then click
Add.
b. Type lb_vsrv_redirecttossl in the Name field.
c. Verify that HTTP is selected for the Protocol and 80 as the value for the Port.
d. Type 10.0.0.81 in the IP Address field.
e. Click OK.
f. Click No Load Balancing Virtual Server Service Binding in the Service section.
g. Click Click to select in the Select Service field.
h. Select the svc_red radio button and then click OK.
i. Click Bind.
j. Click 1 Load Balancing Virtual Server Service Binding in the Service section.
k. Click Add Binding.
l. Click Click to select in the Select Service field.
m. Select the svc_blue radio button and then click OK.
n. Click Bind and then click Close.
o. Click 2 Load Balancing Virtual Server Service Binding in the Service section.
p. Click Add Binding.
q. Click Click to select in the Select Service field.
r. Select the svc_green radio button and then click OK.
s.
t.
2.
Create a Responder action to redirect any URL, including path and query, from HTTP to
HTTPS.
a. Navigate to AppExpert > Responder > Actions and then click Add.
b. Type rs_act_sendtossl in the Name field.
c. Select Redirect from the Type drop-down menu.
d. Type the following text in the Expression field.
"https://" + HTTP.REQ.HOSTNAME +
HTTP.REQ.URL.PATH_AND_QUERY
Add a space before and after the + symbols in the expression.
e.
Click Create.
The following error appears: "Input expression is unsafe."
3.
f.
Enable
a.
b.
4.
Modify the rs_act_sendtossl action to convert unsafe URL characters to safe URL characters.
a. Select the rs_act_sendtossl action and click Edit.
b. Modify the Target expression as follows:
"https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE +
HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE
c. Deselect the Bypass Safety Check option below the Expression field.
d. Click OK.
5.
Create a policy named rs_pol_sendtossl for the rs_act_sendtossl action.
a. Navigate to AppExpert > Responder > Policies and click Add.
b.
c.
d.
e.
6.
7.
f. Click Create.
Bind the rs_pol_sendtossl policy to the lb_vsrv_redirecttossl virtual server.
a. Click the Policy Manager button in the Responder Policies screen.
b. Select Load Balancing Virtual Server from the Bind Point drop-down menu.
c. Verify that HTTP is selected under Protocol.
d. Select lb_vsrv_redirecttossl from the Virtual Server drop-down list and then click
Continue.
e. Click Click to select in the Select Policy field.
f. Select the rs_pol_sendtossl radio button and click OK.
g. Click Bind and then click Done.
Save the NetScaler configuration.
a. Click the Floppy Disk icon to save the configuration.
b. Click Yes to confirm saving the configuration.
b.
c.
Verify that the first entry in the Started column pane contains 302 in the Result field
and the Type and URL fields identify the redirected change.
Browse to http://10.0.0.81/blue.php?demo=value1&demo2=value2.
The URL and query will be redirected to an HTTPS connection.
4.
Unbind the rs_pol_sendtossl policy from the lb_vsrv_redirecttossl virtual server so it doesn't
impact future exercises.
a. Switch to the Chrome browser containing the configuration utility for NS_VPX_0 at
http://10.0.0.100.
b. Navigate to Traffic Management > Load Balancing > Virtual Servers.
c. Double-click the lb_vsrv_redirecttossl virtual server.
d. Select 1 Responder Policy under the Policies section.
e. Select the rs_pol_sendtossl policy and click Unbind.
f. Click Yes and then click Close.
g. Click Done.
Enter the following command in PuTTY to create a load-balancing virtual server for the Red,
Blue, and Green servers named lb_vsrv_redirecttossl with the IP address 10.0.0.81 on the
standard HTTP port:
add lb vserver lb_vsrv_redirecttossl HTTP 10.0.0.81 80
2.
Enter the following commands to bind the svc_red, svc_blue, and svc_green services to the
virtual server:
bind lb vserver lb_vsrv_redirecttossl svc_red
bind lb vserver lb_vsrv_redirecttossl svc_blue
bind lb vserver lb_vsrv_redirecttossl svc_green
3.
Enter the following command to create a Responder action to redirect any URL, including path
and query, from HTTP to HTTPS:
add responder action rs_act_sendtossl redirect '"https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE'
4.
Enter the following command to create a policy named rs_pol_sendtossl for the
rs_act_sendtossl action:
add responder policy rs_pol_sendtossl '!CLIENT.SSL.IS_SSL' rs_act_sendtossl
5.
Enter the following command to bind the rs_pol_sendtossl policy to the lb_vsrv_redirecttossl
virtual server:
bind lb vserver lb_vsrv_redirecttossl -policyName rs_pol_sendtossl -priority 10
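Why the redirect expression is rejected as unsafe until HTTP_URL_SAFE is applied, shown as an added example that is not part of the workbook. It models the redirect in Python; the set of characters left unencoded is an assumption and not NetScaler's exact table, and the request values are constructed.

```python
import string

# Assumption: the characters this model leaves unencoded. It illustrates the idea
# behind HTTP_URL_SAFE and is not NetScaler's exact character table. "%" is kept
# so that escapes already present in the URL are not encoded a second time.
SAFE = set(string.ascii_letters + string.digits + "-._~:/?#[]@!$&'()*+,;=%")


def url_safe(text):
    """Percent-encode every byte outside SAFE (CR, LF, space, quotes, ...)."""
    return "".join(
        chr(b) if chr(b) in SAFE else "%{:02X}".format(b)
        for b in text.encode("utf-8")
    )


def build_redirect(host, path_and_query, encode=True):
    """Raw 302 response for "https://" + hostname + path-and-query."""
    if encode:
        host, path_and_query = url_safe(host), url_safe(path_and_query)
    location = "https://" + host + path_and_query
    return ("HTTP/1.1 302 Found\r\n"
            "Location: {}\r\n"
            "Content-Length: 0\r\n\r\n").format(location)


def parse_response_headers(raw):
    """Header (name, value) pairs as an HTTP client would read them."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


# Constructed request values. NORMAL is the URL used in the exercise; WITH_CRLF
# contains a CR LF pair, the kind of character the safety check exists to catch.
NORMAL = "/blue.php?demo=value1&demo2=value2"
WITH_CRLF = "/blue.php?demo=value1\r\nX-Injected: 1"

if __name__ == "__main__":
    for path in (NORMAL, WITH_CRLF):
        for encode in (False, True):
            raw = build_redirect("10.0.0.81", path, encode)
            print("encode={}: {}".format(encode, parse_response_headers(raw)))
```

Without encoding, the CR LF in the request ends the Location header early and the rest of the value is read as a separate header; with encoding, the response carries only the two headers the redirect intends.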
6.
4.
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
2.
3.
4.
5.
6.
a. Click Insert.
b. Type /bing in the Key field.
c. Type http://www.bing.com in the Value field.
d. Click Insert.
Click Create in the String Map window.
Add the search_stringmap_act responder action for the string map.
a. Navigate to Responder > Actions and click Add.
b. Type search_stringmap_act in the Name field.
c. Select Redirect from the Type drop-down menu.
d. Type the following string in the Expression field:
HTTP.REQ.URL.MAP_STRING("search_redirects").HTTP_URL_SAFE
Verify that the string appears correctly in the Expression field before
proceeding to the next step.
7.
e. Click Create.
Add the search_stringmap_pol responder policy for the string map action.
a. Navigate to Responder > Policies and click Add.
b. Type search_stringmap_pol in the Name field.
c. Select search_stringmap_act from the Action drop-down menu.
d. Verify that Global undefined-result action is selected in the Undefined-Result Action
field.
e. Type the following string in the Expression field:
HTTP.REQ.URL.IS_STRINGMAP_KEY("search_redirects")
Verify that the string appears correctly in the Expression field before
proceeding to the next step.
8.
f. Click Create.
Bind the search_stringmap_pol policy to the lb_vsrv_rbg virtual server.
a. Click the Policy Manager button in the Responder Policies screen.
b. Select Load Balancing Virtual Server from the Bind Point drop-down menu.
c. Verify that HTTP is selected in the Protocol field.
d. Verify that lb_vsrv_rbg is selected in the Virtual Server field.
e. Click Continue.
f. Click Click to select in the Select Policy field.
9.
4.
Enter the following command in PuTTY to create a string map policy named search_redirects:
add policy stringmap search_redirects
2.
Enter the following command to bind the string map policy using the key /yahoo and the value
http://www.yahoo.com:
bind policy stringmap search_redirects "/yahoo" "http://www.yahoo.com"
3.
Enter the following command to bind the string map policy using the key /google and the
value http://www.google.com:
bind policy stringmap search_redirects "/google" "http://www.google.com"
4.
Enter the following command to bind the string map policy using the key /bing and the value
http://www.bing.com:
bind policy stringmap search_redirects "/bing" "http://www.bing.com"
5.
6.
Enter the following command to create the search_stringmap_pol responder policy for the
search_stringmap_act responder action:
add responder policy search_stringmap_pol "HTTP.REQ.URL.IS_STRINGMAP_KEY(\"search_redirects\")" search_stringmap_act
7.
Enter the following command to bind the search_stringmap_pol responder policy to the
lb_vsrv_rbg virtual server:
bind lb vserver lb_vsrv_rbg -policyName search_stringmap_pol -priority 100 -gotoPriorityExpression END
8.
4.
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
Switch to the Chrome browser with the configuration utility for NS_VPX_0.
Add a "rs_act_RespondWithCustom" custom responder action.
a. Navigate to AppExpert > Responder > Actions and click Add.
b. Type rs_act_RespondWithCustom in the Name field.
c. Select Respond with in the Type drop-down menu.
d. Type the following text in the Expression field:
"http/1.1 200 OK\r\n\r\n" + "Client: " + CLIENT.IP.SRC + " is not authorized to access URL:" + HTTP.REQ.URL.HTTP_URL_SAFE
Verify that the string appears correctly in the Expression field before
proceeding to the next step. A space should appear before and after each +
symbol in the expression.
3.
e. Click Create.
Add the rs_pol_RespondWithCustom responder policy using the rs_act_RespondWithCustom
action for any URL that contains "private."
a. Click the Policies node and click Add.
b. Type rs_pol_RespondWithCustom in the Name field.
c. Select rs_act_RespondWithCustom from the Action drop-down menu.
d. Type HTTP.REQ.URL.PATH.CONTAINS("private") in the Expression field.
Verify that the string appears correctly in the Expression field before
proceeding to the next step.
4.
e. Click Create.
Bind the rs_pol_RespondWithCustom policy globally.
a. Click the Policy Manager button in the Responder Policies screen.
b. Select Default Global from the Bind Point drop-down menu.
5.
c. Click Continue.
d. Select the rs_pol_RespondWithCustom radio button and click OK.
e. Click Bind.
f. Click Done.
Save the NetScaler configuration.
a. Click the Floppy Disk icon.
b. Click Yes to confirm saving the changes.
4.
Use the HttpFox add-on to verify that the proper response code was generated.
a. Refresh the page and verify that the HTTP response code HTTP/1.x 200 OK was
properly generated.
This responder value in the Response Header indicates a successful response to the
client browser.
b.
Browse to http://10.0.0.80/.
The page loads as expected. The Responder policy allows redirection for a successful
page load.
5.
6.
Use the PuTTY command-line interface for NS_VPX_0 and log on using the nsroot
credentials, if necessary.
Enter the following command to add the rs_act_RespondWithCustom custom responder action
for unauthorized requests:
add responder action rs_act_RespondWithCustom respondwith ("http/1.1 200 OK\r\n\r\n" + "Client: " + CLIENT.IP.SRC + " is not authorized to access URL: " + HTTP.REQ.URL.HTTP_URL_SAFE)
3.
Enter the following command to add the rs_pol_RespondWithCustom responder policy for
requests in the URL that contains "private":
add responder policy rs_pol_RespondWithCustom 'HTTP.REQ.URL.PATH.Contains("private")' rs_act_RespondWithCustom
4.
5.
An attempt to browse to /private results in the NetScaler system returning the custom response
text: Client: x.x.x.x is not authorized to access URL: /private
4.
Use the HttpFox add-on to verify that the proper response code was generated.
a. Refresh the page and verify that the HTTP response code HTTP/1.x 200 OK was
properly generated.
This responder value in the Response Header indicates a successful response to the
client browser.
b.
Browse to http://10.0.0.80/.
The page loads as expected. The Responder policy allows redirection for a successful
page load.
5.
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
3.
Browse to http://10.0.0.80/international_red.php.
You will receive a Server Error 404 - File or directory not found. You will correct this issue in
the next exercise using a responder to transform the URL.
4.
Switch to the configuration utility for NS_VPX_0 and log on using the nsroot credentials, if
necessary.
Add the trns_remote_URL transform profile to transform requests for "/dist_page.php" into
"/international_page.php".
a. Navigate to AppExpert > Rewrite > URL Transformation > Profiles.
b. Click Add.
c. Type trns_remote_URL in the Name field.
d. Type the following text in the Comments field.
"Transform /dist_page.php (actual) to
/international_page.php (display)"
3.
e. Click Create.
Add the act_trns_DistToInt transform action to the trns_remote_URL profile with a priority of
50.
a. Select the trns_remote_URL profile and click Edit.
b. Click the Insert button to add an action.
4.
c.
d.
5.
6.
7.
3.
Browse to http://10.0.0.80/international_red.php.
The same page loads as appeared when you typed http://10.0.0.80/dist_red.php.
The URL displays "international_red.php," but the content that is loading is the "dist_red.php"
page.
The server request is load-balanced and accesses the alternate pages, international_blue.php
and international_green.php, resulting in the dist_blue.php and dist_green.php content,
respectively.
4.
5.
1.
2.
3.
Browse to http://10.0.0.80/international_red.php.
You will receive a Server Error 404 - File or directory not found. You will correct this issue in
the next exercise using a responder to transform the URL.
Switch to the PuTTY command-line interface for NS_VPX_0 and log on using the nsroot
credentials, if necessary.
Enter the following command to add the trns_remote_URL transform profile:
add transform profile trns_remote_URL
3.
Enter the following command to configure the profile comment to display the dist_page.php
for requests to international_page.php:
set transform profile trns_remote_URL -type URL -comment "'Transform /dist_page.php (actual) to /international_page.php (display)'"
4.
5.
Enter the following command to configure the act_trns_DistToInt transform action to display
the dist_page.php for requests to international_page.php:
set transform action act_trns_DistToInt -priority 50 -reqUrlFrom "http://10.0.0.80/international_(.*)" -reqUrlInto "http://10.0.0.80/dist_$1" -resUrlFrom "http://10.0.0.80/dist_(.*)" -resUrlInto "http://10.0.0.80/international_$1"
6.
Enter the following command to create the trns_pol_remote transform policy to use the
trns_remote_URL profile:
add transform policy trns_pol_remote TRUE trns_remote_URL
7.
8.
3.
Browse to http://10.0.0.80/international_red.php.
The same page loads as expected.
The URL displays "international_red.php," but the content that is loading is the "dist_red.php"
page.
The server request is load-balanced and accesses the alternate international_blue.php and
international_green.php, resulting in the dist_blue.php and dist_green.php content,
respectively.
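How the two pattern pairs of the act_trns_DistToInt action map URLs in each direction, as an added example that is not part of the workbook. It is a Python model using the patterns from the command above; applying the response rule only to a Location value and to absolute href/src links is an assumption of the model, and the sample response is constructed.

```python
import re

# Patterns and templates copied from the act_trns_DistToInt action.
# "$1" in a template stands for the first capture group of the pattern.
REQ_URL_FROM = r"http://10.0.0.80/international_(.*)"
REQ_URL_INTO = "http://10.0.0.80/dist_$1"
RES_URL_FROM = r"http://10.0.0.80/dist_(.*)"
RES_URL_INTO = "http://10.0.0.80/international_$1"

# Note: read as regular expressions, the unescaped dots in "10.0.0.80" match
# any character, not only a literal ".".


def _apply(pattern, template, url):
    """Rewrite url if the whole URL matches pattern; otherwise return it unchanged."""
    match = re.fullmatch(pattern, url)
    if match is None:
        return url
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), template)


def transform_request_url(url):
    """Public URL requested by the client -> URL sent to the web server."""
    return _apply(REQ_URL_FROM, REQ_URL_INTO, url)


def transform_response_url(url):
    """Server-side URL in a response -> public URL shown to the client."""
    return _apply(RES_URL_FROM, RES_URL_INTO, url)


LINK = re.compile(r'(href|src)="([^"]*)"')


def rewrite_response(location, body):
    """Apply the response rule to a Location value and to links in an HTML body."""
    new_location = transform_response_url(location) if location else location
    new_body = LINK.sub(
        lambda m: '{}="{}"'.format(m.group(1), transform_response_url(m.group(2))),
        body,
    )
    return new_location, new_body


# Constructed sample response parts (not captured from the lab).
SAMPLE_LOCATION = "http://10.0.0.80/dist_blue.php"
SAMPLE_BODY = ('<a href="http://10.0.0.80/dist_green.php">green</a> '
               '<a href="/dist_red.php">red</a>')

if __name__ == "__main__":
    print(transform_request_url("http://10.0.0.80/international_red.php"))
    print(transform_request_url("http://10.0.0.80/home.php"))
    print(rewrite_response(SAMPLE_LOCATION, SAMPLE_BODY))
```

In this model the relative link /dist_red.php is left as it is, because the response pattern is written against the absolute URL.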
4.
5.
Module 11
Content Switching
11
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
Create a non-addressable "lb_vsrv_red" load-balancing virtual server for the WebRed web
server.
a. Navigate to Traffic Management > Load Balancing > Virtual Servers.
b. Click Add to display the Load Balancing Virtual Servers pane.
c. Type lb_vsrv_red in the Name field.
This virtual server is dedicated to iPhone users.
d.
e.
f.
2.
g. Click No Load Balancing Virtual Servers Service Binding in the Service section.
h. Click Click to select in the Select Service field.
i. Select the svc_red radio button and click OK.
j. Click Bind.
k. Click OK.
l. Click Done.
Create a non-addressable "lb_vsrv_blue" load-balancing virtual server for the WebBlue web
server.
a. Navigate to Traffic Management > Load Balancing > Virtual Servers.
b. Click Add to display the Load Balancing Virtual Servers pane.
c. Type lb_vsrv_blue in the Name field.
This virtual server is dedicated for Internet Explorer 6 users.
d.
e.
f.
3.
g. Click No Load Balancing Virtual Servers Service Binding in the Service section.
h. Click Click to select in the Select Service field.
i. Select the svc_blue radio button and click OK.
j. Click Bind.
k. Click OK.
l. Click Done.
Create a non-addressable "lb_vsrv_green" load-balancing virtual server for the WebGreen web
server.
a. Navigate to Traffic Management > Load Balancing > Virtual Servers.
b. Click Add to display the Load Balancing Virtual Servers pane.
c. Type lb_vsrv_green in the Name field.
This virtual server is dedicated for default users.
d.
e.
f.
g. Click No Load Balancing Virtual Servers Service Binding in the Service section.
h. Click Click to select in the Select Service field.
i. Select the svc_green radio button and click OK.
j. Click Bind.
k. Click OK.
l. Click Done.
All three load balancing servers will be in the Down state at this time.
Create a policy expression that will respond to requests from iPhone clients.
a. Navigate to AppExpert > Expressions > Advanced Expressions.
b. Click Add in the Advanced Expressions pane.
The Create Advanced Expression dialog box opens.
c.
Type iPhone in the Expression Name field and click Expression Editor on the top
right of the Expression field.
The Expression Editor dialog box opens.
d.
e.
f.
g.
h.
i.
j.
2.
Create a policy expression that responds to requests from Internet Explorer 6 clients.
a. Click Add in the Expressions pane. The Create Advanced Expression dialog box
opens.
b. Type IE6 in the Expression Name field and click Expression Editor to the right of
Expression.
The Expression Editor dialog box opens.
c.
d.
e.
f.
g.
h.
i.
2.
c.
d.
e.
f.
g.
h.
i.
j.
Create
a.
3.
2.
3.
Change the browser user agent to iPhone and test the results using the following steps:
1. Click Tools > Default User Agent > iPhone 3.0 in Firefox.
2. Click the browser Refresh button.
The Red server displays to iPhone mobile users using the iPhone Content
Switching policy.
d.
Change the browser user agent to Internet Explorer 6 and test the results using the
following steps:
1. Click Tools > iPhone 3.0 > Internet Explorer > Internet Explorer 6 in
Firefox.
2. Click the browser Refresh button.
The Blue server displays to legacy browser users (MSIE 6.0) using the IE6
Content Switching policy.
e.
Change the browser user agent back to the default using the following steps:
1. Click Tools > Internet Explorer 6 > Default User Agent.
2. Click the browser Refresh button.
The Green server displays again for all users of the default Content
Switching policy.
2.
Launch a PuTTY connection to NS_VPX_0 and log on using the nsroot credentials.
Enter the following command to create a policy expression to recognize iPhone users:
add policy expression iPhone "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"iPhone\")"
3.
Enter the following command to create a content-switching policy for the iPhone policy
expression:
add cs policy cs_pol_mobile -rule iPhone
4.
Enter the following command to create a policy expression to recognize Internet Explorer 6
users:
add policy expression IE6 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"MSIE 6.0\")"
5.
Enter the following command to create a content-switching policy for the IE6 policy
expression:
add cs policy cs_pol_legacy -rule IE6
6.
Create a non-addressable load-balancing virtual server for the Red server and bind it to the
svc_red service.
a.
b.
Enter the following command to bind the service to the load-balancing virtual server:
bind lb vserver lb_vsrv_red svc_red
This server will be dedicated to mobile users.
The load-balancing virtual server is being created without assigning a virtual
IP address or a port.
2. Create a non-addressable load-balancing virtual server for the Blue server and bind it to the
svc_blue service by entering the following commands:
a. Enter the following command to create the load-balancing virtual server:
add lb vserver lb_vsrv_blue HTTP
b. Enter the following command to bind the service to the load-balancing virtual server:
bind lb vserver lb_vsrv_blue svc_blue
This server will be dedicated to legacy browser users.
3. Create a non-addressable load-balancing virtual server for the Green server and bind it to the
svc_green service by entering the following commands:
a. Enter the following command to create the load-balancing virtual server:
add lb vserver lb_vsrv_green HTTP
b. Enter the following command to bind the service to the load-balancing virtual server:
bind lb vserver lb_vsrv_green svc_green
This server will be dedicated to default users.
4. Create a content-switching virtual server and bind the load-balancing virtual servers to the new
content-switching virtual server.
a. Enter the following command to create a content-switching virtual server:
add cs vserver cs_vsrv_rbg HTTP 10.0.0.84 80
b. Enter the following commands to bind the load-balancing virtual servers and the
corresponding policies to the content-switching virtual server:
bind cs vserver cs_vsrv_rbg -lbvserver lb_vsrv_green
Module 12: Optimizing Traffic
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
Click Create.
The Create Compression Policy dialog box closes.
Return to the Chrome browser and access the HTTP Compression > Policies node in the
configuration utility.
Click Refresh. View the number of hits and compression ratio for the cmp_pol_javascript
policy.
The hit count for cmp_pol_javascript policy should have increased.
If the hit count does not increment, the page may be displayed from the browser
cache. Clear the browser cache and then reload the page.
This section is provided as a reference. It covers the same configurations made using the
configuration utility. If you have completed the exercises using the configuration utility
steps, then you do not need to repeat them using the command-line interface commands.
1. Launch a PuTTY connection to NS_VPX_0 and log on using the nsroot credentials.
2. Enter the following command to ensure that the compression feature is enabled:
enable ns feature CMP
4. Enter the following command to create the compression policy cmp_pol_javascript to compress
JavaScript content in the server response:
add cmp policy cmp_pol_javascript -rule "HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"javascript\")" -resAction COMPRESS
5. Enter the following command to bind the compression policy to the lb_vsrv_rbg virtual server:
bind lb vserver lb_vsrv_rbg -policyName cmp_pol_javascript -type RESPONSE -Priority 100 -GotoPriorityExpression END
Enter the following command in PuTTY to view the policy hits and compression ratio:
show cmp policy cmp_pol_javascript
The hit count for cmp_pol_javascript policy should have increased.
If the hit count does not increment, the page may be displayed from the browser
cache. Clear the browser cache then reload the page.
Module 13: Clustering
AD.training.lab
NS_VPX_0
NS_VPX_1
NS_VPX_3
Win7Client
WebBlue
WebGreen
WebRed
In the lab environment, click the Play icon for the NS_VPX_1, NS_VPX_0, and NS_VPX_3
virtual machines to start them.
Log on to the configuration utility for NS_VPX_1 using the nsroot credentials.
a. Switch to the Win7Client virtual machine and log on using the CitrixAdmin
credentials.
b. Launch the Chrome browser and browse to http://10.0.0.110.
c. Log on to the NS_VPX_1 VM using the nsroot credentials.
Log on to VPX0 (10.0.0.100) with the nsroot credentials, navigate to System > Backup and
Restore, and back up the configuration.
a. Navigate to System > Cluster > Nodes.
b. Click the Discover NetScalers button.
c. Type 10.0.0.100 - 130 in the IP address range field.
d. Type 0/1 in the Backplane interface field.
e. Type nsroot in both User Name fields and both Password fields.
f. Click OK.
The search result should show the IP addresses for NS_VPX_0 and NS_VPX_3.
The NS_VPX_0 and NS_VPX_3 nodes are now added to the cluster instance.
a. From the cluster configuration utility at 10.0.0.150, navigate to Network > Linkset and
click Add.
b. Type LS/1 in the Linkset.
c. Click Add.
13. Add the available nodes to the linkset.
a. Click the + next to 0/0/1.
b. Click the + next to 1/0/1.
Copyright 2015 Citrix Systems, Inc.
In the lab environment, click Play for the NS_VPX_0, NS_VPX_1, and NS_VPX_3 virtual
machines to start them.
Add and configure the first node to the cluster with an IP address of 10.0.0.150, a backplane of
0/1, and a state of PASSIVE.
a. Switch to the NetScaler command-line interface (PuTTY) on NS_VPX_1.
b. Enter the following command to add the node to the cluster instance:
add cluster instance 1
c. Enter the following command to add node1 to the cluster instance with interface 0/1
as the backplane interface:
add cluster node 1 10.0.0.150 -state PASSIVE -backplane 0/1
a. From the Win7Client, open the PuTTY command-line interface to NS_VPX_1 and
log on using the nsroot credentials.
b. Enter the following command to add the cluster IP to the cluster:
add ns ip 10.0.0.150 255.255.255.255 -type CLIP
Open a new PuTTY session to NS_VPX_0 and log on using the nsroot credentials.
Enter the following command to add the node to the cluster:
join cluster -clip 10.0.0.150 -password nsroot
10. Open a new PuTTY session to NS_VPX_3 and log on using the nsroot credentials.
11. Enter the following command to add the node to the cluster:
join cluster -clip 10.0.0.150 -password nsroot
12. Enter the following command to save the NS_VPX_3 configuration:
save ns config
13. Enter the following commands to restart the system:
reboot -warm
reboot -warm
14. Verify that the nodes show as PASSIVE and that node1 is the CCO.
a. Return to the PuTTY command-line interface for the cluster IP at 10.0.0.150.
b. Enter the following command to verify that the nodes show as PASSIVE and that
Node ID 1 is the Configuration Coordinator:
show cluster node
15. Enter the following command to assign 10.0.0.61 as a spotted SNIP to node 1 with a subnet
mask of 255.255.255.0:
add ns ip 10.0.0.61 255.255.255.0 -type SNIP -ownerNode 1
16. Enter the following command to assign 10.30.0.62 as a spotted SNIP to node 2 with a subnet
mask of 255.255.255.0:
add ns ip 10.30.0.62 255.255.255.0 -type SNIP -ownerNode 2
17. Enter the following command to assign 10.0.0.63 as a spotted SNIP to node 3 with a subnet
mask of 255.255.255.0:
add ns ip 10.0.0.63 255.255.255.0 -type SNIP -ownerNode 3
18. Enter the following command to view and verify the cluster IP addresses:
show ip
19. Set the node state to ACTIVE on all the nodes in the cluster.
Enter the following command to identify the node that did not synchronize:
show cluster node
A node that did not synchronize with the cluster will show its Health status as NOT
UP.
b. Switch to the PuTTY command-line interface of the node that is not synchronized.
c. Enter the following command to remove the cluster instance, where n is the node
number:
rm cluster instance n
22. Enter the following command to verify that the mode for each node shows as ACTIVE:
show ip
23. Configure the cluster to use the link set traffic distribution method and bind the interfaces for
all three nodes in the cluster.
Since this lab environment is virtualized, you will use the link set deployment type,
because this type does not require any router or switch configuration.
c. Enter the following command to bind the interfaces connected to the link set:
bind linkset LS/1 -ifnum 0/0/1 1/0/1 2/0/1
AD.training.lab
NS_VPX_0
NS_VPX_1
NS_VPX_3
WebBlue
WebGreen
WebRed
Win7Client
Switch to the configuration utility on the cluster IP at http://10.0.0.150 and log on using the
nsroot credentials.
Enable the load-balancing feature for the cluster.
a. Navigate to System > Settings.
b. Click Configure Basic Features.
c. Select Load Balancing and click OK to enable the feature.
Add the "srv_blue" server to the cluster with an IP address of 10.29.0.205.
a. From the configuration utility on the cluster IP at http://10.0.0.150, navigate to Traffic
Management > Load Balancing > Servers and click Add.
b. Type srv_blue in the Server Name field.
c. Type 10.29.0.205 in the IP Address field.
d. Click Create.
Add the "srv_green" server to the cluster with an IP address of 10.0.0.210.
a. From the configuration utility on the cluster IP at http://10.0.0.150, navigate to Traffic
Management > Load Balancing > Servers and click Add.
b. Type srv_green in the Server Name field.
c. Type 10.0.0.210 in the IP Address field.
d. Click Create.
Add the "srv_red" server to the cluster with an IP address of 10.30.0.215.
a. From the configuration utility on the cluster IP at http://10.0.0.150, navigate to Traffic
Management > Load Balancing > Servers and click Add.
b. Type srv_red in the Server Name field.
c. Type 10.30.0.215 in the IP Address field.
d. Click Create.
Add the svc_blue service for HTTP to the cluster.
a. From the configuration utility on the cluster IP at http://10.0.0.150, navigate to Traffic
Management > Load Balancing > Services and click Add.
b. Type svc_blue in the Service Name field.
Add the Web_Blue, Web_Green, and Web_Red servers to the cluster and create the
corresponding services for HTTP.
a. Switch to the PuTTY command-line interface for the cluster IP at 10.0.0.150.
b. Log on to the NetScaler system using the nsroot credentials, if necessary.
c. Enter the following commands to add the servers:
add server srv_blue 10.29.0.205
add server srv_green 10.0.0.210
add server srv_red 10.30.0.215
d. Enter the following command to add the HTTP services for the servers:
add service svc_blue srv_blue HTTP 80
add service svc_green srv_green HTTP 80
add service svc_red srv_red HTTP 80
3. Create the lb_vsrv_rbg load-balancing virtual server for HTTP using the IP address 10.0.0.88,
then bind the svc_blue, svc_green, and svc_red services to it.
a. Enter the following command to create the HTTP load-balancing virtual server:
add lb vserver lb_vsrv_rbg HTTP 10.0.0.88 80 -lbMethod ROUNDROBIN
b. Enter the following commands to bind the HTTP load-balancing virtual server to the
HTTP services:
bind lb vserver lb_vsrv_rbg svc_blue
bind lb vserver lb_vsrv_rbg svc_green
bind lb vserver lb_vsrv_rbg svc_red
Module 14: Monitoring and Management
AD.training.lab
NS_VPX_0
Win7Client
Configure the Kiwi Syslog Daemon for UDP messages on port 514.
a. From the Win7Client VM desktop, navigate to Start > All Programs > Kiwi
Enterprises > Kiwi Syslog Daemon.
The Kiwi Syslog Service Manager opens.
Click Custom and then select INFORMATIONAL and any other log levels you want
to display.
Type 25 in the Number of Audit Messages to be shown field and then click Run at the
bottom of the page.
The viewer will update with the specified number of messages for the selected log
levels. In most cases, systems in the lab will only have INFORMATIONAL messages
to display.
e. Click Close.
The Audit Messages dialog box closes.
Select ns.log under File /var/log/ on the right side of the screen and then select any
historical log file from the drop-down menu.
Historical log files are maintained by default under /var/log and are in
ns.log.#.gz form.
f. Type SNIP in the Search field at the top left and then click Go to start the search.
Search for "lb vserver", "ns conf", or "enable feature" if time permits.
g. Select the Ext_Kiwi_policy policy, click Unbind, and then click Yes.
Click Done.
1. Configure the Kiwi Syslog Daemon for UDP messages on port 514.
a. Navigate to Start > All Programs > Kiwi Enterprises > Kiwi Syslog Daemon > Kiwi
Syslog Daemon.
The Kiwi Syslog Service Manager opens.
Open a PuTTY command-line session for NS_VPX_0 and log on using the nsroot credentials.
Enter the following command to create a Syslog Server named Ext_Kiwi on the NetScaler
system with the IP address 10.29.0.11 on port 514:
add audit syslogAction Ext_Kiwi 10.0.0.103 -serverPort 514 -logLevel ALL -logFacility LOCAL0 -tcp All
Enter the following command to bind the audit policy to the system global to enable
audit logging:
bind system global Ext_Kiwi_policy
AD.training.lab
NS_VPX_0
Win7Client
Switch to the configuration utility for NS_VPX_0 at http://10.0.0.100 and log on using the
nsroot credentials, if necessary.
Configure an SNMP manager with a management host of 10.0.0.103.
a. Navigate to System > SNMP > Managers.
b. Click Add.
The Add SNMP Manager dialog box opens.
g. Click Create.
Configure an SNMP alarm as type CONFIG-SAVE, verify that the alarm is enabled and then
save the NetScaler configuration.
a. Navigate to System > SNMP > Alarms.
b. Click the Alarm column heading to sort the alarms by name.
c. Select the CONFIG-SAVE alarm and click Edit.
The Configure SNMP Alarm dialog box opens.
g. Click the Floppy disk icon and then click Yes to save the configuration and trigger an
SNMP alert.
Configure the Kiwi Syslog Daemon to listen for SNMP traps on UDP port 162.
a. Maximize the Kiwi Syslog Service Manager window on the Win7Client desktop.
If the Kiwi Syslog Service Manager window is closed, click Start > All
Programs > Kiwi Enterprises > Kiwi Syslog Daemon.
The Kiwi Syslog Daemon opens.
3. View the SNMP traps in the Kiwi Syslog Daemon. The SNMP syslog will resemble the
following:
12-02-2008 16:22:43 Local7.Info 10.0.0.100
community=ctxtrainsnmp,
enterprise=1.3.6.1.4.1.5951.1.1.0.28,
enterprise_mib_name=netScalerConfigSave,
uptime=508021, agent_ip=10.0.0.103,
version=Ver2, nsUserName.0=nsroot,
sysIpAddress.0=10.0.0.100
Enter the following command to add the SNMP community with ALL permissions:
add snmp community ctxtrainsnmp ALL
2. Configure both a generic and specific SNMPv2 trap and attach each to the ctxtrainsnmp SNMP
community.
3. Configure an SNMP alarm of type CONFIG-SAVE, save the NetScaler configuration to trigger
an SNMP alert and then view the trap results.
a. Enter the following command in PuTTY to set an SNMP alarm:
set snmp alarm CONFIG-SAVE -state ENABLED
Configure the Kiwi Syslog Daemon to listen for SNMP traps on UDP port 162.
a. Return to the Kiwi Syslog Service Manager window on the Win7Client desktop.
If the Kiwi Syslog Service Manager window is closed, click Start > All
Programs > Kiwi Enterprises > Kiwi Syslog Daemon > Kiwi Syslog
Daemon.
The Kiwi Syslog Daemon opens.
a. Select Info from the Syslog Level drop-down menu in Kiwi Syslog Daemon and click
OK.
b. Click View and select Clear display.
3. Switch to the PuTTY command-line interface for NS_VPX_0 and configure an SNMP alarm to
trigger when the NetScaler configuration is saved.
a. Enter the following command in PuTTY (NS_VPX_0) to add the SNMP alarm:
set snmp alarm CONFIG-SAVE -state ENABLED
b. Enter the following command to save the NetScaler configuration and trigger an
alarm:
save ns config
4. View the SNMP traps in the Kiwi Syslog Daemon. The SNMP syslog will resemble the
following:
12-02-2008 16:22:43 Local7.Info 10.0.0.100
community=ctxtrainsnmp,
enterprise=1.3.6.1.4.1.5951.1.1.0.28,
enterprise_mib_name=netScalerConfigSave,
uptime=508021, agent_ip=10.0.0.103,
version=Ver2, nsUserName.0=nsroot,
sysIpAddress.0=10.0.0.100
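The following is an added example, not part of the Citrix workbook: a parser for the trap line shown above that extracts the key=value fields and flags netScalerConfigSave events that come from an unknown sender, carry a sysIpAddress.0 that differs from the sender, or name a user outside an expected list. The sample lines, the function names and both allow-lists are constructed for illustration, and the field layout is assumed to match the Kiwi output above.

```python
import re

# Header the syslog daemon writes before the trap body:
# date, time, facility.level, address the datagram arrived from.
HEADER = re.compile(r"^(\S+ \S+)\s+(\w+)\.(\w+)\s+(\S+)\s+(.*)$")

# Constructed sample input. The first line is the workbook's trap joined onto
# one line; the other three are made-up variations for the checks below.
BODY = ("community=ctxtrainsnmp, enterprise=1.3.6.1.4.1.5951.1.1.0.28, "
        "enterprise_mib_name=netScalerConfigSave, uptime=508021, "
        "agent_ip=10.0.0.103, version=Ver2, nsUserName.0={user}, "
        "sysIpAddress.0=10.0.0.100")
SAMPLE_LINES = [
    "12-02-2008 16:22:43 Local7.Info 10.0.0.100 " + BODY.format(user="nsroot"),
    "12-02-2008 16:40:10 Local7.Info 10.0.0.100 " + BODY.format(user="user1"),
    "12-02-2008 16:41:55 Local7.Info 10.0.0.250 " + BODY.format(user="nsroot"),
    "12-02-2008 16:42:00 Local0.Info 10.0.0.100 constructed non-trap message",
]


def parse_trap(line):
    """Return the trap as a dict, or None if the line is not a trap record."""
    match = HEADER.match(line.strip())
    if not match:
        return None
    timestamp, facility, level, sender, body = match.groups()
    fields = {}
    for token in re.split(r",\s*", body):
        key, sep, value = token.partition("=")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    if "enterprise_mib_name" not in fields:
        return None  # ordinary syslog message, not an SNMP trap
    return {"timestamp": timestamp, "facility": facility, "level": level,
            "sender": sender, "fields": fields}


def config_save_findings(lines, known_appliances, expected_admins):
    """List (timestamp, sender, user, reasons) for suspicious config saves."""
    findings = []
    for line in lines:
        trap = parse_trap(line)
        if trap is None:
            continue
        fields = trap["fields"]
        if fields["enterprise_mib_name"] != "netScalerConfigSave":
            continue
        reasons = []
        # SNMPv2c traps are UDP datagrams protected only by the community
        # string, so the sender address is worth checking as well.
        if trap["sender"] not in known_appliances:
            reasons.append("unknown sender")
        if fields.get("sysIpAddress.0") != trap["sender"]:
            reasons.append("sysIpAddress.0 differs from sender")
        if fields.get("nsUserName.0") not in expected_admins:
            reasons.append("unexpected user")
        if reasons:
            findings.append((trap["timestamp"], trap["sender"],
                             fields.get("nsUserName.0"), reasons))
    return findings


if __name__ == "__main__":
    # Hypothetical allow-lists for the lab addresses used on this page.
    for finding in config_save_findings(SAMPLE_LINES, {"10.0.0.100"}, {"nsroot"}):
        print(finding)
```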
Module 15: Troubleshooting Exercises
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
Run a batch script from the Win7Client desktop to break the NetScaler configuration.
a. Launch PuTTY from the Win7Client desktop.
b. Type 10.0.0.100 for NS_VPX_0 in the Host Name (or IP address) field and click
Open.
c. Type nsroot and press Enter.
d. Type nsroot at the Password prompt and press Enter.
e. Enter the following commands at the command prompt to run the script to break the
NetScaler configuration:
batch -filename /var/break.txt
y
The batch script saves and moves the current NetScaler configuration to a
different location, loads a bad configuration file, and then restarts the
NetScaler.
f. Verify that the NetScaler (NS_VPX_0) is restarting. If the script doesn't reboot the
NetScaler, reboot the NetScaler in the lab environment.
Where to Begin
Access the NetScaler (NS_VPX) and browse to the Load Balancing node. Check the settings for
the servers, services, and load balancing virtual servers.
Browse to the System node. Check the Basic and Advanced NetScaler settings.
Checkpoint
Checking the following items may help you troubleshoot this issue.
Are the Blue and Green servers configured, and does the state show as Up?
Are the services for the Blue and Green servers properly configured?
Is the load-balancing virtual server configured?
Are the Blue and Green services bound to the virtual server?
Are the required features enabled?
The issue is considered resolved when the following conditions have been met:
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
Where to Begin
Navigate to Traffic Management > Load Balancing > Virtual Servers and check the SSL settings
for the SSL load balancing virtual server.
Checkpoint
Checking the following items may help you troubleshoot this issue:
Are the proper services bound to the SSL Load Balancing virtual server?
Is the new server certificate installed on the SSL Load Balancing virtual server?
Is the new server certificate bound to the SSL Load Balancing virtual server?
The issue is considered resolved when the following conditions have been met:
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
Where to Begin
Use the Firefox browser to access the IE6 and iPhone user agents and verify the problem. Use the
Firefox Tools > Default User Agent menu to select the appropriate agent. Browse to
http://10.0.0.84/home.php to verify that a problem exists.
Navigate to Content Switching > Virtual Servers and verify that the settings for the virtual server
are correct and the correct policies are applied.
Checkpoint
Checking the following items may help you troubleshoot this issue:
The issue is considered resolved when you browse to http://10.0.0.84 and the following conditions
have been met:
The Blue home page appears when using Firefox with the Default User Agent set to IE6.
The Red home page appears when using Firefox with the Default User Agent set to iPhone.
The Green home page appears when using Firefox with the Default User Agent set to Default.
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
Where to Begin
Navigate to Responder and verify the actions and policies.
Checkpoint
Checking the following items may help you troubleshoot this issue:
The issue is considered resolved when the following conditions have been met:
You browse to http://10.0.0.80/private and the server returns the custom response: "Client:
x.x.x.x is not authorized to access URL: /private"
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
username: user1
password: Password1
Active Directory group membership: Remote Users
Where to Begin
Log on to the AD.training.lab virtual machine and examine the group membership for the user1
user.
Log on to the NS_VPX_0 (10.0.0.100) and browse to System > Groups to verify the group settings.
Checkpoint
Checking the following items may help you troubleshoot this issue:
The issue is considered resolved when the following conditions have been met:
You are able to log on to the NS_VPX_0 (10.0.0.100) configuration utility or command-line
interface as user1.
In the configuration utility, you are able to view the System settings.
In the command-line interface, you can run "show server" to view the NetScaler settings.
851 West Cypress Creek Road Fort Lauderdale, FL 33309 USA (954) 267 3000 www.citrix.com
Rheinweg 9 8200 Schaffhausen Switzerland +41 (0) 52 63577 00 www.citrix.com
Copyright 2015 Citrix Systems, Inc. All rights reserved.