CNS 205 5I en StudentExerciseWorkbook Skytap v05

Citrix NetScaler 10.
5 Essentials
and Networking
Citrix Course CNS-205-5I
Exercise Workbook
Copyright 2015 Citrix Systems, Inc.
Citrix NetScaler 10.5 Essentials

and Networking
Exercise Workbook
April 2015
Version 5.0
Table of Contents
Module 1: Getting Started ............................................................................ 21
Module 1: Getting Started Exercises ..................................................................................... 23
Exercise 1-1: Performing an Initial Configuration ............................................................... 23
Before You Begin ............................................................................................................. 23
Exercise 1-1: Step-by-Step (Configuration Utility) .............................................................. 23
Performing an Initial Configuration (Configuration Utility) .................................................... 23
Before You Begin ............................................................................................................. 25
Exercise 1-1: Step-by-Step (Command-Line Interface) ..................................................... 25
Performing an Initial Configuration (Command-Line Interface) ........................................... 25
Exercise 1-2: Performing Basic Administration ................................................................. 28
Before You Begin ............................................................................................................. 28
Enabling and Disabling Features (Configuration Utility) ...................................................... 28
Viewing the Running and Saved Configurations (Configuration Utility) ............................... 29
Identifying the NetScaler Product Type (Configuration Utility) ............................................ 30
Performing a Configuration Backup (Configuration Utility) ................................................. 30
Enabling and Disabling Features (Command-Line Interface) .............................................. 31
Viewing the Running and Saved Configurations (Command-Line Interface) ....................... 31
Identifying the NetScaler Product Type (Command-Line Interface) .................................... 32
Performing a Configuration Backup (Command-Line Interface) ......................................... 32
Exercise 1-3: Upgrading a NetScaler System .................................................................. 33
Before You Begin ............................................................................................................. 33
Upgrading the NetScaler System ...................................................................................... 34
Verifying the NetScaler Upgrade (Configuration Utility) ...................................................... 35
Upgrading the NetScaler System (Command-Line Interface) ............................................ 35
Verifying the NetScaler Upgrade (Command-Line Interface) .............................................. 36
Module 2: Basic Networking ........................................................................ 37

Module 2: Basic Networking Exercises ................................................................................ 39
Exercise 2-1: Configuring Basic Networking ..................................................................... 39
Before You Begin ............................................................................................................. 39
Adding a VLAN (Configuration Utility) ................................................................................ 39
Adding a Static Route (Configuration Utility) ...................................................................... 40
Validating Task Configurations (Configuration Utility) ......................................................... 40
Configuring the NetScaler Interface (Command-Line Interface) ......................................... 43
Validating Task Configurations (Command-Line Interface) ................................................. 43
Module 3: High Availability ............................................................................ 47

Module 3: High Availability Exercises .................................................................................... 49
Exercise 3-1: Configuring High Availability ......................................................................... 49
Before You Begin ............................................................................................................. 49
Exercise 3-1: Step by Step (Configuration Utility) .............................................................. 49
Configuring NS_VPX_1 and NS_VPX_3 (Configuration Utility) ........................................... 49
Configuring High Availability on NS_VPX_1 and NS_VPX_3 (Configuration Utility) ............. 50
Testing the High-Availability Configuration (Configuration Utility) ........................................ 51
Removing High Availability from NS_VPX_1 and NS_VPX_3 (Configuration Utility) ............ 52
Exercise 3-1: Step by Step (Command-Line Interface) ...................................................... 53
Configuring NS_VPX_1 and NS_VPX_3 ............................................................................ 53
Configuring High Availability on NS_VPX_1 and NS_VPX_3 (Command-Line Interface) ..... 54
Testing the High-Availability Configuration (Command-Line Interface) ............................... 55
Removing High Availability from NS_VPX_1 and NS_VPX_3 (Command-Line Interface) .... 57
Module 4: Securing NetScaler ...................................................................... 59

Module 4: Securing NetScaler Exercises .............................................................................. 61
Exercise 4-1: Enabling External Authentication ................................................................. 61
Before You Begin ............................................................................................................. 61
Creating a New Administrator Account (Configuration Utility) ............................................ 62
Examining Command Policies (Configuration Utility) .......................................................... 62
Enabling LDAP Authentication (Configuration Utility) .......................................................... 63
Creating a New Administrator Account (Command-Line Interface) .................................... 65
Examining Command Policies (Command-Line Interface) ................................................. 66
Enabling LDAP Authentication (Command-Line Interface) ................................................. 66
Module 5: Basic Load Balancing .................................................................. 69

Module 5: Basic Load Balancing Exercises .......................................................................... 71
Exercise 5-1: Configuring Load Balancing ........................................................................ 71
Before You Begin ............................................................................................................. 71
Creating Servers (Configuration Utility) .............................................................................. 71
Creating Services (Configuration Utility) ............................................................................. 72
Creating a Load-Balancing Virtual Server (Configuration Utility) ......................................... 73
Testing Load Balancing (Configuration Utility) .................................................................... 74
Resetting Persistence to None (Configuration Utility) ........................................................ 75
Procedure for Configuring Servers, Services, and Virtual Servers (Command-Line
Interface) ........................................................................................................................... 75
Testing Load Balancing (Command-Line Interface) ........................................................... 76
Exercise 5-2: Configuring a Load-Balancing HTTP-ECV Monitor (Command-Line
Interface) ........................................................................................................................... 77
Before You Begin ............................................................................................................. 77
6

Creating a Load-Balancing HTTP-ECV Monitor (Configuration Utility) ................................ 78
Testing the Load-Balancing HTTP-ECV Monitor (Configuration Utility) .............................. 79
Creating a Load-Balancing HTTP-ECV Monitor (Command-Line Interface) ....................... 80
Testing the Load-Balancing HTTP-ECV Monitor (Command-Line Interface) ...................... 81
Exercise 5-3: Configuring Data Stream Load Balancing and Monitoring .......................... 83
Before You Begin ............................................................................................................. 83
Configuring Data Stream Load Balancing (Configuration Utility) ........................................ 83
Configuring a MySQL Monitor (Configuration Utility) .......................................................... 85
Configuring Data Stream Load Balancing (Command-Line Interface) ................................ 87
Configuring a MySQL Monitor (Command-Line Interface) ................................................. 88
Exercise 5-4: Configuring RADIUS Load Balancing ........................................................... 89
Before You Begin ............................................................................................................. 89
Creating RADIUS Service Groups (Configuration Utility) .................................................... 89
Creating RADIUS Load-Balancing Virtual Servers (Configuration Utility) ............................ 91
Testing RADIUS Persistency (Configuration Utility) ............................................................ 92
Creating RADIUS Service Groups (Command-Line Interface) ............................................ 94
Creating RADIUS Load-Balancing Virtual Servers (Command-Line Interface) .................... 94
Testing RADIUS Persistency (Command-Line Interface) .................................................... 95
Module 6: SSL Offload ................................................................................. 97

Module 6: SSL Offload Exercises .......................................................................................... 99
Exercise 6-1: Configuring SSL Certificates and SSL Offload ............................................. 99
Before You Begin ............................................................................................................. 99
Creating an RSA Key File (Configuration Utility) ................................................................. 99
Creating a Certificate Request (Configuration Utility) ....................................................... 100
Creating a Certificate (Configuration Utility) ..................................................................... 100
Configuring a Certificate-Key Pair (Configuration Utility) ................................................... 101
Creating an SSL Offload Virtual Server (Configuration Utility) ........................................... 102
Testing SSL Offload (Configuration Utility) ....................................................................... 103
Exercise 6-1: Step-by-Step (Command-Line Interface) ................................................... 103
Configuring a Self-Signed Certificate (Command-Line Interface) ..................................... 103
Configuring SSL Offload (Command-Line Interface) ........................................................ 104
Testing SSL Offload (Command-Line Interface) .............................................................. 105
Module 7: Global Server Load Balancing ................................................... 107

Module 7: Global Server Load Balancing Exercises ............................................................ 109
Exercise 7-1: Configuring Global Server Load-Balancing (GSLB) .................................... 109
Before You Begin ........................................................................................................... 109
Exercise 7-1: Step-by-Step (Configuration Utility) ............................................................ 110

Enabling Global Server Load Balancing on the Frankfurt NetScaler (Configuration Utility) 110
Configuring the GSLB Sites on the Frankfurt NetScaler (Configuration Utility) ................. 110
Configuring GSLB Services on the Frankfurt NetScaler (Configuration Utility) .................. 111
Adding and Binding the GSLB Virtual Server to the Frankfurt NetScaler (Configuration
Utility) .............................................................................................................................. 112
Exercise 7-1: Step-by-Step (Command-line Interface) .................................................... 112
Enabling Global Server Load Balancing on the Frankfurt NetScaler (Command-Line
Interface) ......................................................................................................................... 113
Configuring the GSLB Sites on the Frankfurt NetScaler (Command-Line Interface) ......... 113
Configuring GSLB Services on the Frankfurt NetScaler (Command-Line Interface) ......... 114
Adding and Binding the GSLB Virtual Server to the Frankfurt NetScaler (Command-Line
Interface) ......................................................................................................................... 114
Exercise 7-2: Configuring Additional NetScaler Systems for Global Server Load Balancing
(GSLB) ............................................................................................................................ 115
Before You Begin ........................................................................................................... 115
Enable Global Server Load Balancing on the Tokyo NetScaler (Configuration Utility) ....... 116
Configuring the GSLB Sites on the Tokyo NetScaler (Configuration Utility) ...................... 117
Synchronize GSLB Settings (Configuration Utility) ........................................................... 117
Enabling Global Server Load Balancing on the Tokyo NetScaler (Command-Line
Interface) ......................................................................................................................... 118
Configuring the GSLB Sites on the Tokyo NetScaler (Command-Line Interface) ............. 118
Synchronize GSLB Settings (Command-Line Interface) ................................................... 118
Exercise 7-3: Configuring DNS to Test a Global Server Load-Balancing (GSLB)
Configuration .................................................................................................................. 119
Before You Begin ........................................................................................................... 119
Configuring DNS Settings (Configuration Utility) .............................................................. 120
Configuring Local DNS Settings to Test the GSLB Configuration (Configuration Utility) ... 121
Testing the GSLB Configuration (Configuration Utility) ..................................................... 122
Return DNS Settings to Default (Configuration Utility) ...................................................... 123
Configuring DNS Settings (Command-Line Interface) ...................................................... 124
Verifying the Configuration (Command-Line Interface) ..................................................... 125
Configuring Local DNS Settings to Test the GSLB Configuration (Command-Line
Interface) ......................................................................................................................... 125
Testing the GSLB Configuration (Command-Line Interface) ............................................ 126
Return DNS Settings to Default (Command-Line Interface) ............................................. 127
GSLB Troubleshooting Tips ............................................................................................ 128
Unable to Resolve www.gslbdomain.com ....................................................................... 128
Load Balancing between NetScaler Systems Not Occurring ........................................... 128
Other Issues ................................................................................................................... 128
Module 8: AppExpert Classic Policy Engine ............................................... 129

8
Module 8: AppExpert Classic Policy Engine Exercises ........................................................ 131

Exercise 8-1: Configuring Content Filtering Using Classic Policies .................................. 131
Before You Begin ........................................................................................................... 131
Configuring a Policy Expression (Configuration Utility) ..................................................... 131
Configuring Content Filters (Configuration Utility) ............................................................. 132
Testing Content Filtering (Configuration Utility) ................................................................ 133
Removing a Content Filter Policy (Configuration Utility) ................................................... 134
Configuring a Policy Expression (Command-Line Interface) ............................................. 134
Testing Content Filtering (Command-Line Interface) ........................................................ 135
Removing a Content Filter Policy (Command-Line Interface) ........................................... 136
Module 10: Rewrite, Responder, and URL Transform ................................ 137

Module 10: Rewrite, Responder, and URL Transform Exercises ......................................... 139
Exercise 10-1: Configuring Rewrite, Responder, and URL Transformation ...................... 139
Before You Begin ........................................................................................................... 139
Exercise 10-1: Step-by-Step (Configuration Utility) .......................................................... 139
Viewing the Default Web Page (Configuration Utility) ....................................................... 139
Using Rewrite to Modify a URL (Configuration Utility) ...................................................... 140
Exercise 10-1: Step-by-Step (Command-Line Interface) ................................................. 141
Viewing the Default Web Page (Command-Line Interface) .............................................. 141
Using Rewrite to Modify a URL (Command-Line Interface) .............................................. 141
Exercise 10-2: Removing HTTP Headers ........................................................................ 142
Before You Begin ........................................................................................................... 142
Viewing the Default Header Information (Configuration Utility) ......................................... 143
Using Rewrite to Remove Header Information (Configuration Utility) ................................ 143
Verifying the Header Information (Configuration Utility) .................................................... 144
Viewing the Default Header Information (Command-Line Interface) ................................. 145
Using Rewrite to Remove Header Information (Command-Line Interface) ....................... 145
Verifying the Header Information (Command-Line Interface) ............................................ 146
Exercise 10-3: Inserting HTTP Headers .......................................................................... 147
Before You Begin ........................................................................................................... 147
Using Rewrite to Insert Header Information (Configuration Utility) .................................... 147
Verifying the Header Information (Configuration Utility) .................................................... 149
Using Rewrite to Insert Header Information (Command-Line Interface) ........................... 150
Verifying the Header Information (Command-Line Interface) ............................................ 151
Exercise 10-4: Configuring Responder to Redirect to HTTPS ......................................... 151
Before You Begin ........................................................................................................... 151
Configuring Responder to Use SSL (Configuration Utility) ............................................... 152
Testing the Redirect to SSL Policy (Configuration Utility) ................................................. 154

Configuring Responder to Use SSL (Command-Line Interface) ....................................... 155
Testing the Redirect to SSL Policy (Command-Line Interface) ........................................ 156
Exercise 10-5: Configuring Responder to Redirect Using String Maps ............................ 156
Before You Begin ........................................................................................................... 157
Configuring Responder to Redirect Using String Maps (Configuration Utility) .................. 157
Testing the String Map (Configuration Utility) ................................................................... 159
Configuring Responder to Redirect Using String Maps (Command-Line Interface) .......... 160
Testing the String Map (Command-Line Interface) .......................................................... 161
Exercise 10-6: Adding a Custom Response .................................................................. 161
Before You Begin ........................................................................................................... 161
Using Responder to Display a Custom Response (Configuration Utility) .......................... 162
Testing the Responder Policy (Configuration Utility) ........................................................ 163
Using Responder to Display a Custom Response (Command-Line Interface) ................. 164
Testing the Responder Policy (Command-Line Interface) ................................................ 164
Exercise 10-7: Adding URL Transformations .................................................................. 165
Before You Begin ........................................................................................................... 165
Previewing Pages for URL Transformation (Configuration Utility) ..................................... 166
Using Responder to Transform URLs (Configuration Utility) ............................................. 166
Testing the URL Transform Policy (Configuration Utility) .................................................. 168
Previewing Pages for URL Transformation (Command-Line Interface) ............................. 168
Using Responder to Transform URLs (Command Line Interface) .................................... 169
Testing the URL Transform Policy (Command-Line Interface) ......................................... 170
Module 11: Content Switching ................................................................... 171

Module 11: Content Switching Exercises ............................................................................ 173
Exercise 11-1: Configuring Content Switching ................................................................ 173
Before You Begin ........................................................................................................... 173
Verifying Content-Switching Feature is Enabled (Configuration Utility) ............................. 173
Creating Non-Addressable Load-Balancing Virtual Servers (Configuration Utility) ............ 174
Creating Policy Expressions (Configuration Utility) ........................................................... 176
Creating Content-Switching Policies (Configuration Utility) .............................................. 177
Creating the Content-Switching Virtual Server (Configuration Utility) ................................ 178
Testing the Content-Switching Configuration (Configuration Utility) ................................. 179
Creating Policies and Policy Expressions (Command-Line Interface) ............................... 180
Configuring Content Switching (Command-Line Interface) .............................................. 180
Testing the Content-Switching Configuration (Command-Line Interface) ......................... 182
10
Module 12: Optimizing Traffic ..................................................................... 183

Module 12: Optimizing Traffic Exercises ............................................................................. 185
Exercise 12-1: Configuring Compression Policies ........................................................... 185
Before You Begin ........................................................................................................... 185
Adding Compression Policies (Configuration Utility) ......................................................... 185
Verifying Compression for Services (Configuration Utility) ................................................ 186
Testing Compression (Configuration Utility) ..................................................................... 187
Configuring Compression Policies (Command-Line Interface) ......................................... 188
Testing Compression (Command-Line Interface) ............................................................. 189
Module 13: Clustering ................................................................................ 191

Module 13: Clustering Exercises ......................................................................................... 193
Exercise 13-1: Configuring the Initial Cluster Setup ......................................................... 193
Before You Begin ........................................................................................................... 193
Configuring the Initial Cluster Setup (Configuration Utility) ............................................... 193
Exercise 13-1: Step-by-Step (Command-line Interface) .................................................. 196
Configuring the Initial Cluster Setup ................................................................................ 196
Exercise 13-2: Configuring Load Balancing on a Cluster ................................................ 200
Before You Begin ........................................................................................................... 200
Configuring Load Balancing on a Cluster (Configuration Utility) ....................................... 201
Exercise 13-2: Step-by-Step (Command-line Interface) .................................................. 203
Configuring Load Balancing on a Cluster (Command-Line Interface) ............................... 204
Module 14: Monitoring and Management ................................................... 207

Module 14: Monitoring and Management Exercises ........................................................... 209
Exercise 14-1: Auditing and Logging .............................................................................. 209
Before You Begin ........................................................................................................... 209
Configuring the Kiwi Syslog Daemon (Configuration Utility) ............................................. 209
Creating a Syslog Policy and Syslog Server (Configuration Utility) ................................... 210
Viewing Recent Audit Messages (Configuration Utility) .................................................... 211
Viewing Historical Audit Messages (Configuration Utility) ................................................. 211
Viewing Audit Messages on the Remote Syslog Server (Configuration Utility) .................. 212
Disabling Syslog Audit Messages (Configuration Utility) ................................................... 212
Configuring the Kiwi Syslog Daemon (Command-Line Interface) ..................................... 212
Configuring and Viewing the Syslog (Command-Line Interface) ...................................... 213
Exercise 14-2: Monitoring ............................................................................................... 214
Before You Begin ........................................................................................................... 214
Configuring SNMP Settings (Configuration Utility) ........................................................... 215
11
Configuring the Kiwi Syslog Daemon and Viewing SNMP Alerts (Configuration Utility) .... 216
Exercise 14-2: Step-by-Step (Command-Line-Interface) ................................................. 217
Configuring SNMP Settings (Command-Line Interface) ................................................... 217
Configuring the Kiwi Syslog Daemon and Viewing SNMP Alerts (Command-Line
Interface) ......................................................................................................................... 218
Module 15: Troubleshooting Exercises ....................................................... 221

Module 15: Troubleshooting Exercises ............................................................................... 223
Exercise 15: Troubleshooting .......................................................................................... 223
Before You Begin ........................................................................................................... 223
Preparing the NetScaler for the Troubleshooting Lab ...................................................... 223
Exercise 15-1: Troubleshooting Scenario 1 ..................................................................... 224
Where to Begin ............................................................................................................... 224
Checkpoint ..................................................................................................................... 224
Before You Begin ........................................................................................................... 225
Where to Begin ............................................................................................................... 225
Checkpoint ..................................................................................................................... 225
Before You Begin ........................................................................................................... 226
Where to Begin ............................................................................................................... 226
Checkpoint ..................................................................................................................... 226
Before You Begin ........................................................................................................... 227
Where to Begin ............................................................................................................... 227
Checkpoint ..................................................................................................................... 227
Before You Begin ........................................................................................................... 228
Where to Begin ............................................................................................................... 228
Checkpoint ..................................................................................................................... 228
12
Credits
Role
Contributors
Instructional Designers:
Jeremy Boehl, Karen Bridgewater, Dustin Clark,

Orlando Martinez, Christopher Rudolph
Technical Specialist:
Nataniel De Leon
Graphic Artists:
Tyler Fromma
Manager:
Leslie Keelan
Editors:
Ben Goodman, Kathryn Morris
Translation Coordinator:
Yashica Burgess
Subject Matter Experts:
Gregg Anderson, Simon Barnes, Paul Blitz,

Terry Chou, Colin Christy, Mahasweta Dey,
Abhishek Gautam, Roland Geldner, Bino Gopal,
Dave Gunn, Todd Hurst, David Jimenez,
Henrik Johansson, Curtis Kegler, Henny
Louwers, Archana Maheshwari, Anton Mayers,
Sandeep Mehta, Mike Nelson, Johannes Norz,
Ronan O'Brien, Gary Pentecost, Senthil
Periasamy, Craig Pickford, Rhonda Rowland,
Marissa Schmidt, Gregory Screve, Muthukumar
Shunmugiah, Mark Simmons, Erin Smith, John
Smith, Jessy Strebel, Richard Todd, Steve
Vernon, Lena Yarovaya, Derek Yee, Sharin
Yeoh, Sreedhar Yengalasetti, Tony Zhang
Notices
Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or
use of this publication. Citrix specifically disclaims any expressed or implied warranties,
merchantability, or fitness for any particular purpose. Citrix reserves the right to make any changes
in specifications and other information contained in this publication without prior notice and
without obligation to notify any person or entity of such revisions or changes.
Copyright 2015 Citrix Systems, Inc. All Rights Reserved.
No part of this publication may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or information storage and retrieval
systems, for any purpose other than the purchasers personal use, without express written
permission of:
Citrix Systems, Inc.
851 West Cypress Creek Road
Fort Lauderdale, FL 33309
USA
http://www.citrix.com
The following marks are service marks, trademarks or registered trademarks of their respective
owners in the United States and other countries.
Mark
Owner
Adobe, Flash, Acrobat
Adobe Systems Incorporated
Citrix, Citrix Access Gateway, Citrix

Education, EdgeSight, NetScaler, MyCitrix,
XenDesktop , TriScale, Xen, XenCenter,
Cloud Gateway, Citrix Application Firewall,
XenServer
Citrix Systems, Inc.
DSA
Digital Service Advisers, LLC
FreeBSD
Free BSD Foundation
Google Chrome
Google, Inc.
OpenView
Hewlett-Packard Company
Intel
Intel Corporation
WhatsUp
Ipswitch, Inc.
Mark
Owner
Kerberos
Kerberos, LLC
Linux
Linus Torvalds
Active Directory, Internet Explorer,

Microsoft, SQL Server, Windows, Windows
Server, Excel, PowerPoint, Word, Office,
MGSoft, Lync Server, Exchange, SharePoint,
MSN Messenger
Microsoft Corporation
Firefox
Mozilla Corporation
UNIX
The Open Group
OpenSSL
The Open SSL Software Foundation, Inc.
Java, JavaScript, Oracle
Oracle Corporation
Pearson VUE
Pearson Education, Inc.
PCI
PCI Security Standards Council, LLC
RSA
RSA Data Security, Inc.
SAP
SAP, Inc.
Secureauth
Secureauth Corporation
Shibboleth
University Corporation for Advanced Internet

Development
SolarWinds
SolarWinds Worldwide, LLC
Splunk
Splunk, Inc.
SSH
SSH Communications Security Corporation
Thawte
Symantec Corporation
Toolwire
Toolwire
VeriSign
Verisign, Inc.
Wireshark
Wireshark Foundation, Inc.
Other product and company names mentioned herein might be the service marks, trademarks or
registered trademarks of their respective owners in the United States and other countries.
Lab Overview
Lab Diagram
Lab IP Addresses
Below is a list of the IP addresses used:
Name
Address
Virtual Machines
NS_VPX_0
10.0.0.100
NS_VPX_1
10.0.0.110
NS_VPX_2
10.30.0.120
NS_VPX_3
10.0.0.130
WebBlue
10.29.0.205
WebGreen
10.0.0.210
WebRed
10.30.0.215
Win7Client
10.0.0.103
AD.training.lab
10.29.0.11
LAMP 1
10.29.0.13
LAMP 2
10.29.0.14
Virtual IP Addresses
testsrv
10.0.0.224 (Port 80)
lb_vsrv_rbg
10.0.0.80 (Port 80)
lb_vsrv_mysql
10.0.0.18 (Port 80)
lb_vsrv_radius_auth
10.0.0.80 (Port 1812)
lb_vsrv_radius_acct
10.0.0.80 (Port 1813)
ssl_vsrv_rbg
10.0.0.81 (Port 443)
lb_vsrv_redirecttossl
10.0.0.83 (Port 80)
cs_vsrv_rbg
10.0.0.84 (Port 80)
Name
Address
Cluster IP
10.0.0.150
Ext_Kiwi
10.0.0.103 (Port 514)
Global Server Load Balancing IPs

site_FRK
10.0.0.93
site_TOK
10.0.0.94
gslb_svc_FRK
10.0.0.66
gslb_svc_TOK
10.0.0.76
DNS Name Server
10.29.0.11
Subnet IP Addresses
NS_VPX_0
10.30.0.90
NS_VPX_1
10.0.0.91
NS_VPX_2
10.30.0.92
NS_VPX_3
10.0.0.93
Cluster Node 1
10.0.0.61
Cluster Node 2
10.30.0.62
Cluster Node 3
10.0.0.63
Module 1
Getting Started
22
Module 1: Getting Started Exercises

Exercise 1-1: Performing an Initial Configuration
This exercise will demonstrate how to complete an initial configuration on a NetScaler system,
including how to set the date and time using a network time protocol server.
Before You Begin

Use the URL provided to you by Citrix to access the Citrix lab environment and then use
the following information to navigate the environment:
To start a virtual machine (VM), click the Play icon above the VM in the
environment. The word "Running" will appear above the VM and the Play icon will be
replaced by a Pause icon.
To suspend a VM, click the Pause icon.
To access the graphical user interface of a VM, click the display for the VM in the lab
environment.
To return to the lab environment so you can access a different VM, move the mouse
to the top of the VM window to display the hidden drop-down menu and then select
All VMs.
To view the logon credentials that can be used with a VM, select the Key icon from
the hidden drop-down menu at the top of the VM.
To begin this lab, start the following virtual machines:
AD.training.lab
NS_VPX_0
Win7Client
Estimated time to complete this exercise: 5 minutes
Exercise 1-1: Step-by-Step (Configuration Utility)

This exercise provides step-by-step instructions for completing "Exercise 1-1: Performing an Initial
Configuration" using the configuration utility.
Performing an Initial Configuration (Configuration Utility)

In the Win7Client virtual machine, use an HTTP connection to the NS_VPX_0 (10.0.0.100)
configuration utility logged on as the nsroot user for this task.
Module 1: Getting Started
23
1.
2.
3.
4.
Log on to the Win7Client virtual machine using the Training\CitrixAdmin account and
Password1 for the credentials.
a. Click the Win7Client VM on the lab environment screen to access the graphical user
interface (GUI).
b. Move the mouse to the top of the VM window to display the hidden drop-down menu
and then click the Ctrl-Alt-Del button to send the command to the VM.
c. Log on using Training\CitrixAdmin and Password1 credentials.
Log on to the NetScaler configuration utility in the Chrome web browser using the
nsroot/nsroot credentials.
a. Launch a Google Chrome browser window from the Win7Client desktop.
b. Type http://10.0.0.100 in the address bar and press Enter.
c. Type nsroot in the User Name field, type nsroot in the Password field, and then
click Login.
The initial configuration wizard for your NetScaler virtual appliance appears.
a. Click Subnet IP Address.
b. Type 10.30.0.90 in the Subnet IP Address field.
c. Verify that the Netmask is set to 255.255.255.0.
d. Click the + sign to the right of Subnet IP Address and add SNIP 10.0.0.90 then
click Create.
e. Click Done.
f. Click Host Name, DNS IP Address, and TimeZone.
g. Type 10.29.0.11 in the DNS IP Address field.
h. Select your current time zone from the Time Zone drop-down list.
i. Click Done.
j. Click Licenses.
k. Verify that Upload license files from a local computer is selected.
l. Click Browse.
m. Select the NetScaler_VPX1_PLT_Citrix_Education_Expires_20180109.lic file.
n. Click Open.
o. Click Reboot. When the device is done rebooting, log on again using the
nsroot/nsroot credentials.
nsroot
Add a network time protocol (NTP) server to the NetScaler using 10.29.0.11 as the server
address.
a. Select System > NTP Servers on the left.
b. Click Add in the NTP Servers pane.
The Create NTP Server window appears.
24
c.
Type 10.29.0.11 in the NTP Server field and then click Create.
The Create NTP Server window closes.
d.
e.
f.
g.
Click Action in the NTP Servers pane and select NTP Synchronization.
Select the ENABLED radio button and then click OK.
Click the Floppy Disk icon in the upper-right corner of the configuration utility
window to save the NetScaler configuration.
Click Yes to confirm saving the running configuration.
Before You Begin

To begin this lab, ensure that the following virtual machines are started:
AD.training.lab
NS_VPX_0
Win7Client
Exercise 1-1: Step-by-Step (Command-Line Interface)

This exercise provides step-by-step instructions for completing "Exercise 1-1: Performing an Initial
Configuration" using the command-line interface.
Performing an Initial Configuration (Command-Line

Interface)
In the Win7Client virtual machine, use an SSH connection (PuTTY) to the NS_VPX_0 (10.0.0.100)
command-line interface logged on as the nsroot user for this task.
1.
Connect to the NetScaler system from the command-line interface using PuTTY and open the
NS_VPX_0 saved session. Log on using the nsroot credentials.
a. Log on to the Win7Client virtual machine using the Training\CitrixAdmin account
and Password1 for the credentials.
1. Click the Win7Client VM on the lab environment screen to access the
graphical user interface (GUI).
2. Move the mouse to the top of the VM window to display the hidden
drop-down menu and then click the Ctrl+Alt+Del button to send the
command to the VM.
3. Log on using Training\CitrixAdmin and Password1 credentials.
b. Launch the PuTTY command-line interface application from the Win7Client desktop.
25
This lab environment uses PuTTY as the SSH client. Other SSH clients may be
used to connect to the command-line interface, but their configuration and
operation are not covered in this course.
2.
c. Select NS_VPX_0 from the Saved Sessions pane and click Open.
d. Type nsroot at the logon prompt and press Enter.
e. Type nsroot at the Password prompt and press Enter.
Configure the NetScaler to your local time zone.
a. Enter the following command to configure the time zone:
config ns
The Review Configuration Parameters menu appears.
b.
Type 4 and press Enter to set the time zone.

The Time Zone Selector menu appears.
c.
d.
e.
f.
g.
h.
3.
Press Enter to select No on the Select local or UTC message.

Use the Up arrow and Down arrow keys to select the appropriate region and then
press Enter.
Use the Up arrow and Down arrow keys to select the appropriate country or region
and then press Enter.
Use the Up arrow and Down arrow keys to select the appropriate time zone and then
press Enter.
Press Enter to confirm your selection.
Type 7 and press Enter to apply the changes and to exit the Review Configuration
Parameters menu.
add
Set up a network time protocol (NTP) server on the NetScaler using 10.29.0.11 as a server,
enable NTP synchronization, and save the NetScaler configuration.
a. Enter the following command to add a NTP server to the NetScaler:
add ntp server 10.29.0.11
b.
Enter the following command to enable NTP server synchronization:

enable ntp sync
c.
Enter the following command to save the NetScaler running configuration:

save ns config
26
Shorter forms of this command are also accepted.

save config
save ns c
save c
4.
Add SNIP for the backend network.

a. Enter the following command to add the SNIP:
add ns ip 10.30.0.90 255.255.255.0 -type SNIP
5.
Add the DNS name server and enable it.

a. Enter the following command to add the DNS name server:
add dns nameServer 10.29.0.11 -state ENABLED
6.
Examine the features available without a license on a NetScaler.

a. Enter the following command to view the list of unlicensed NetScaler features:
show license
7.
b. Review the list to determine which features are available without a license.
Use WinSCP to install a license on a NetScaler.
a. On the Win7Client desktop, double-click the WinSCP icon.
b. Select NS_VPX_0 and click Login.
c. Type nsroot in the Username field and click OK.
d. Type nsroot in the Password field and click OK.
e. In the left pane of the WinSCP window, double-click the uppermost folder, doubleclick Desktop, and then double-click the NetScaler License folder. The location is
C:\Users\administrator.TRAINING\Desktop\NetScaler License
f. In the right pane of the WinSCP window, double-click the uppermost folder, doubleclick nsconfig, and then double-click license. The location is /flash/nsconfig/license
g. Click and drag the NetScaler_VPX1_PLT_Citrix_Education_Expires_20180109.lic
from the left pane to the right pane.
h. Click Copy when the Copy window appears.
The license is copied to the NetScaler file system.
8.
i. Close the WinSCP window and click OK to confirm ending the session.
Examine the features available with a license on a NetScaler.
27
a.
Enter the following command in PuTTY to view the list of licensed NetScaler features:
show license
Exercise 1-2: Performing Basic Administration

This exercise will demonstrate how to complete basic administration tasks, such as enabling
features and adding NetScaler administration accounts, compare the running and saved
configurations, and perform a backup of the NetScaler system.
Before You Begin

AD.training.lab
NS_VPX_0
Win7Client

This exercise provides step-by-step instructions for completing "Exercise 1-2: Performing Basic
Administration" using the configuration utility.
Enabling and Disabling Features (Configuration Utility)

In the Win7Client virtual machine, use an HTTP connection to the NS_VPX_0 configuration utility
logged on as the nsroot user for this task.
1.
Enable the SSL Offloading, HTTP Compression, Load Balancing, Content Switching, Content
Filter, and Rewrite features.
a. Navigate to System > Settings in the left pane.
b. Click Configure Basic Features on the right.
The Configure Basic Features dialog opens.
c.
28
Select the following features:

Load Balancing
Content Filter
Rewrite
HTTP Compression
2.
3.
Content Switching
Click OK.
the Responder feature.
Navigate to System > Settings.
Click Configure Advanced Features on the right. The Configure Advanced Features
dialog opens.
c. Select the following feature:
Responder
d. Click OK.
Save the NetScaler configuration.
a. Click the Floppy Disk icon on the top-right corner of the configuration utility.
b. Click Yes to confirm.
d.
Enable
a.
b.
Viewing the Running and Saved Configurations

(Configuration Utility)
1.
Review the current saved NetScaler configuration.

a. Navigate to System > Diagnostics.
b. Click Saved configuration in the Diagnostics pane.
The Saved Configuration dialog is displayed.
c.
Review the configuration data and click Close.

The Saved Configuration dialog box closes.
2.
Review the current running NetScaler configuration.

a. Click Running configuration in the Diagnostics pane and review the configuration
data in the Running Configuration dialog box.
The Running Configuration dialog box is displayed.
b.
Click Close.
The Running Configuration dialog box closes.
c.
Click Saved v/s running in the Diagnostics pane.

The Information dialog box is displayed.
This dialog box indicates that the saved configuration and the running configuration
are identical.
d.
Click OK.
29
Identifying the NetScaler Product Type (Configuration

Utility)
1.
Identify the NetScaler product type.

a. Click the System node on the left.
b. Note the Platform information in the Hardware Information section on the right.
In this example, the NetScaler Platform is NetScaler Virtual Appliance 450010.
Performing a Configuration Backup (Configuration Utility)

1.
Access the NetScaler shell from the command-line interface.

b. Click Command line interface in the Utilities section.
The Command Line Interface box opens.
c.
2.
In the Command field near the bottom of the screen, type shell and then click Go
to access the NetScaler shell.
Create an archive file of the NetScaler configuration.
a. In the Command field, type tar cvzf /var/tmp/backup.tgz
/flash/nsconfig and then click Go to create a backup file of the NetScaler
configuration.
An archive of the nsconfig directory named backup.tgz is created in the /var/tmp
directory. This archive will serve as a backup for the NetScaler configuration.
3.
30
b. Click Close.
Copy the newly-created backup of the NetScaler configuration from /var/tmp/backup.tgz to
your desktop using WinSCP.
a. Launch WinSCP on your Win7Client desktop.
b. Double-click the NS_VPX_0 in the Saved sessions pane to start the session. The
window may be hidden by other open windows. Minimize other windows to view it.
c. Type nsroot in the Username field and click OK.
d. Type nsroot in the Password field and click OK.
e. In the right pane, double-click the folder icon at the top to navigate up one level to
/root.
f.
Navigate to var > tmp and drag the backup.tgz file from the right pane to the left
pane.
The Copy dialog box opens.
g.
h.
Click Copy.
Close the WinSCP application and then click OK in the Confirm message.

This exercise provides step-by-step instructions for completing "Exercise 1-2: Performing Basic
Administration" using the command-line interface.
Enabling and Disabling Features (Command-Line Interface)

1.
Enable the SSL Offloading, Compression Control, Load Balancing, Content Switching, Content
Filtering, Rewrite, and Responder features.
a. Enter the following command in PuTTY to view the NetScaler features:
show ns feature
b.
Enter the following command to enable the NetScaler features:

enable ns feature SSL CMP LB CS CF rewrite responder
This command enables SSL Offload, Compression, Load Balancing, Content Switching,
Content Filtering, Rewrite, and Responder.
2.
Enter the following command to save the NetScaler configuration:

save ns config
Viewing the Running and Saved Configurations

(Command-Line Interface)
In the Win7Client virtual machine, use an SSH connection (PuTTY) to the NS_VPX_0 commandline interface logged on as the nsroot user for this task.
1.
2.
Access the command-line interface for NS_VPX_0 using PuTTY and log on using the nsroot
credentials.
View the current running configuration.
31
a.
Enter the following command to view the running configuration:

show ns runningconfig
b.
Enter the following command to view a summary of the current NetScaler

configuration:
show ns config
3.
View the current saved configuration.

a. Enter the following command to view the saved configuration:
show ns.conf
This is the current saved configuration. Any changes not saved in this file will
be discarded at restart.
Identifying the NetScaler Product Type (Command-Line

Interface)
1.
Identify the NetScaler product type.

a. Enter the following command to display the NetScaler hardware information:
show ns hardware
The results will be similar to the following information:
Platform: NetScaler Virtual Appliance 450000
Manufactured on: 2/17/2009
CPU: 2261MHZ
Host Id: 06e089e0b0fd
Serial no: HE2H91SCZ6
Encoded serial no: 98310000cb254307ee78
Performing a Configuration Backup (Command-Line

Interface)
32
1.
Create an archive of the nsconfig directory.

a. Enter the following command in PuTTY to access the NetScaler BSD shell:
shell
b.
Enter the following command to create an archive of the NetScaler configuration:

tar cvzf /var/tmp/backup.tgz /flash/nsconfig
An archive of the nsconfig directory named backup.tgz is created in the /var/tmp
directory. This archive will serve as a backup for the NetScaler configuration.
c.
Enter the following command to return to the NetScaler PuTTY command-line

interface:
exit
2.
Copy the newly created backup of the NetScaler configuration from /var/tmp/backup.tgz to
your Win7Client desktop using WinSCP.
a. Launch WinSCP from the Win7Client desktop.
b. Double-click the NS_VPX_0 in the saved sessions pane.
c. Type nsroot in the Username field, and press Enter.
d. Type nsroot in the Password field and press Enter.
e. In the right pane, double-click the folder icon at the top of the pane to navigate up
one level to /<root>.
f. Navigate to var > tmp and drag the backup.tgz file from the right pane to the left
pane.
The Copy dialog box opens.
g.
h.
Click Copy.
Close the WinSCP window and click OK to confirm.
Exercise 1-3: Upgrading a NetScaler System

This exercise demonstrates how to upgrade a NetScaler system.
Before You Begin

AD.training.lab
NS_VPX_0
Win7Client
33

This exercise provides step-by-step instructions for completing "Exercise 1-3 Upgrading a NetScaler
System" using the configuration utility.
Upgrading the NetScaler System

1.
Note the version of the NetScaler system displayed above the toolbar.
The version shows NS 10.5 51.10.nc.
2.
Launch the NetScaler system upgrade wizard tool.

a. Select the System node in the left pane and then select the Upgrade Wizard button.
The Upgrade Wizard window appears.
3.
4.
Upgrade the NetScaler to build version 52.11.nc using the upgrade files in the
/var/nsinstall/build_10.5_52_11_nc directory.
a. Click Next on the Introduction screen and then select Appliance next to File
Location.
b. To the right of the File Path field, click Browse.
c. Scroll down, double click the nsinstall folder and then double-click the build-10.552.11_nc folder.
d. Select the NS10.5 Build 52.11.nc file and click Select.
e. Click Next and then click Next on the Manage Licenses screen.
Finish the NetScaler upgrade process.
a. On the Clean-up/Reboot screen, select the box next to Automatically move files to
create space in flash.
b. Click Yes to confirm the deletion of all unused kernels on the flash.
c. Select Reboot after successful installation, click Next and then click Finish.
The NetScaler will restart upon successful completion of the upgrade process.
When the NetScaler restarts, the browser will lose its connection. Wait for the
NetScaler to restart and then click the Refresh icon in the Chrome browser
window (on the Win7Client) to access the log on screen for the NetScaler.
34
Verifying the NetScaler Upgrade (Configuration Utility)

1.
Verify that the NetScaler has been upgraded to build version 52.11.
a. Log on to the NetScaler configuration utility using the nsroot credentials.
b. Verify that NS10.5 52.11.nc. is displayed above the toolbar.

This exercise provides step-by-step instructions for completing "Exercise 1-3: Upgrading a NetScaler
System" using the command-line interface.
Upgrading the NetScaler System (Command-Line

Interface)
1.
Use the PuTTY command-line to view the current NetScaler version and save the
configuration.
a. Enter the following command to view the NetScaler version:
show ns version
The NetScaler version shows as 10.5 Build 51.10.nc
b.
Enter the following command in PuTTY to save the NetScaler configuration, so you
can return to the current configuration if the upgrade fails:
save ns config
2.
Upgrade the NetScaler system to build version 52.11.

a. Enter the following command in PuTTY to access the BSD shell:
shell
b.
Enter the following command in PuTTY to change to the /var/nsinstall/build-10.552.11_nc directory:

cd /var/nsinstall/build-10.5-52.11_nc/
35
c.
Enter the following command in PuTTY to extract the new build file:
tar xvzf build-10.5-52.11_nc.tgz
d.
Wait for the extraction to complete.

Enter the following command to start the NetScaler upgrade script:
installns
e.
f.
Enter Y when prompted to restart NS_VPX_0 after the installation has completed.
Click OK in the message to acknowledge that PuTTY was unexpectedly closed and
then wait for NS_VPX_0 to restart.
Verifying the NetScaler Upgrade (Command-Line Interface)

1.
Verify that the NetScaler has been upgraded to build version 52.11.
a. After the NetScaler has restarted, log on to the PuTTY command-line interface for
NS_VPX_0 with the nsroot credentials.
b. Enter the following command to verify that the NetScaler has been updated to version
NS10.5: Build 52.11.nc:
show version
36
Module 2
Basic Networking
38
Module 2: Basic Networking Exercises

Exercise 2-1: Configuring Basic Networking
This exercise will demonstrate how to enable an internal network interface, add a subnet IP
address, add a VLAN, and a static route to a NetScaler system.
Before You Begin

AD.training.lab
NS_VPX_0
WebBlue
WebGreen
WebRed
Win7Client

This exercise provides step-by-step instructions for completing "Exercise 2-1 Configuring Basic
Networking" using the configuration utility.
Adding a VLAN (Configuration Utility)

In the Win7Client virtual machine logged on as Training\CitrixAdmin, use an HTTP connection to
the NS_VPX_0 configuration utility (10.0.0.100) logged on as the nsroot user for this task.
1.
Add a VLAN to the NetScaler using 2 as the ID and bind it to 10.30.0.90.

a. Navigate to System > Network > VLANs and click Add.
b. Type 2 in the VLAN ID field.
c. Select the 1/1 interface in the Interface Bindings tab.
d. Click the IP Bindings tab and select the 10.30.0.90 IP address.
e. Click Create.
Module 2: Basic Networking
39
Adding a Static Route (Configuration Utility)

1.
Add a static route to the NetScaler using 10.29.0.0 as the Network, 255.255.255.0 as the
Netmask, and 10.30.0.254 as the Gateway.
a. Navigate to System > Network > Routes and click Add.
b. Type 10.29.0.0 in the Network field.
c. Type 255.255.255.0 in the Netmask field.
d. Type 10.30.0.254 in the Gateway field.
e. Click Create.
Validating Task Configurations (Configuration Utility)

1.
Ping the Gateway IP address, 10.30.0.254.

b. Select Ping under Utilities.
The Ping window appears.
c.
Type 10.30.0.254 in the Host Name field, type 4 in the Count field, and then
click Run.
Valid results will look similar to the following output:
40
> ping 10.30.0.254

PING 10.30.0.254 (10.30.0.254): 56 data bytes
64 bytes from 10.30.0.254: icmp_seq=0 ttl=255 time=0.959
ms
ms
ms
ms
^C--- 10.30.0.254 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss
roundtrip min/avg/max/stddev = 0.412/0.881/1.721/0.533 ms
Done
2.
d. Click Close when the ping finishes.

Ping the WebBlue, WebGreen, and WebRed servers to verify that the NetScaler system has
connectivity to these backend servers.
a. Select Ping under Utilities.
The Ping window appears.
b.
Type 10.29.0.205 in the Host Name field, type 4 in the Count field, and then
click Run.
41
> ping 10.29.0.205

PING 10.29.0.205 (10.29.0.205): 56 data bytes
ms
ms
ms
ms
roundtrip min/avg/max/stddev = 0.412/0.881/1.721/0.533 ms
Done
3.
c. Repeat Steps a and b for the 10.0.0.210 and 10.30.0.215 IP addresses.

d. Click Close when the pings finish.
View the routes that have been set on the NetScaler and their current state.
a. Navigate to Network > Routes.
All listed routes should be UP.
4.
Save the configuration if the pings are successful.

If the pings do not work, check your configuration settings within the configuration utility or
the command-line interface.
a.
Click the Floppy Disk icon in the upper-right corner of the configuration utility
window and then click Yes to confirm the saving of the configuration.

This section provides step-by-step instructions for completing "Exercise 2-1: Configuring Basic
Networking" using the command-line interface.
42
Configuring the NetScaler Interface (Command-Line

Interface)
1.
Enter the following command to enable the 1/1 interface on the NetScaler:
enable interface 1/1
2.
Enter the following command to add a SNIP address to the NetScaler system using 10.30.0.90
as the IP Address and 255.255.255.0 as the Netmask with Management Access enabled:
add ns ip 10.30.0.90 255.255.255.0 -type SNIP mgmtAccess ENABLED
3.
Enter the following command to create a back-end VLAN with an ID of 2:

add vlan 2
4.
Enter the following command to bind VLAN 2 to 1/1:

bind vlan 2 -ifnum 1/1 -IPAddress 10.30.0.90 255.255.255.0
5.
Enter the following command to add the network route for the back-end network:
add route 10.29.0.0 255.255.255.0 10.30.0.254
Validating Task Configurations (Command-Line Interface)

1.
Enter the following command to ping the Gateway IP address on the back-end network:
ping 10.30.0.254
43
> ping 10.30.0.254

PING 10.30.0.254 (10.30.0.254): 56 data bytes
64 bytes from 10.30.0.254: icmp_seq=0 ttl=255 time=0.959 ms
round-trip min/avg/max/stddev = 0.412/0.881/1.721/0.533 ms
Done
Press Ctrl + C to stop the ping.
2.
Enter the following command to view the routing table:

show route
3.
Enter the following command to ping the WebBlue, WebGreen, and WebRed servers to verify
that the NetScaler device has connectivity to the backend:
ping 10.29.0.205
ping 10.0.0.210
ping 10.30.0.215
Press Ctrl + C to stop the ping.
44
> ping 10.29.0.205

PING 10.29.0.205 (10.29.0.205): 56 data bytes
64 bytes from 10.29.0.205 icmp_seq=1 ttl=128 time=0.384 ms
round-trip min/avg/max/stddev = 0.384/0.410/0.446/0.023 ms
Done
4.
Enter the following command to save the configuration if the ping is successful.
If the pings do not work, check your configuration settings within the configuration utility and
the command-line interface.
save ns config
45
46
Module 3
High Availability
48
Module 3: High Availability Exercises

Exercise 3-1: Configuring High Availability
This exercise will demonstrate how to create a high-availability pair, how to test the pair for
redundancy, and how to properly break a high-availability pair.
Before You Begin

AD.training.lab
Win7Client

Do not save the running configuration on NS_VPX_1 or NS_VPX_3 during this exercise.
Exercise 3-1: Step by Step (Configuration Utility)

This exercise provides step-by-step instructions for completing "Exercise 3-1: Configuring High
Availability" using the configuration utility.
Configuring NS_VPX_1 and NS_VPX_3 (Configuration

Utility)
In the Win7Client virtual machine, use an HTTP connection to the NS_VPX_1 (10.0.0.110) and
NS_VPX_3 (10.0.0.130) configuration utilities logged on as the nsroot user for this task.
1.
2.
3.
Start NS_VPX_1 and NS_VPX_3 in the lab environment.

a. Locate the NS_VPX_1 virtual machine in the lab environment and click the Play
button for the VM to start it.
b. Locate the NS_VPX_3 virtual machine in the lab environment and click the Play
button for the VM to start it.
Click the display for Win7Client virtual machine in the lab environment to access the console
of the VM.
Open the configuration utility for both NetScalers using the Chrome browser and log on using
the nsroot credentials.
Module 3: High Availability
49
a.
b.
c.
d.
Open a Chrome browser from the Win7Client desktop, type http://10.0.0.110

in the address field and press Enter to access NS_VPX_1.
Log on to NS_VPX_1 using the nsroot credentials.
Open another tab in the Chrome browser window, type http://10.0.0.130 in
the address field and press Enter to access NS_VPX_3.
Log on to NS_VPX_3 using the nsroot credentials.
The NetScalers can now be accessed using the tabs in the Chrome browser.
4.
Verify that high availability monitoring is active on NS_VPX_1 and NS_VPX_3.

a. On NS_VPX_1 (10.0.0.110), navigate to System > Network > Interfaces.
b. In the Interfaces pane on NS_VPX_1, scroll to the right to verify that HA monitoring
is enabled on interfaces 0/1.
In the lab environment, ON will not be displayed in the HA Monitoring
column even though it is ON. This step appears here as a best practice for
implementation in an actual environment.
c.
d.
On NS_VPX_3 (the 10.0.0.130 tab), navigate to System > Network > Interfaces.
In the Interfaces pane on NS_VPX_3, scroll to the right to verify that HA Monitoring
is enabled on interfaces 0/1.
In the lab environment, ON will not be displayed in the HA Monitoring
column even though it is ON. This step appears here as a best practice for
implementation in an actual environment.
Configuring High Availability on NS_VPX_1 and NS_VPX_3

1.
2.
50
Configure NS_VPX_3 to stay secondary during the election process for High Availability.
a. On NS_VPX_3, navigate to System > High Availability.
b. Click 0 in the ID column and then click Edit.
c. Select STAY SECONDARY (Remain in Listen Mode) in the High Availability Status
drop-down menu.
d. Click OK. The Node State should now display as Staysecondary.
Configure NS_VPX_1 and NS_VPX_3 to function as a high availability pair. Set NS_VPX_3 as
the remote node on NS_VPX_1 and specify both nodes to use the nsroot logon credentials.
a.
b.
On NS_VPX_1, navigate to System > High Availability.

Click Add in the High Availability pane.
The Create HA Node dialog box opens.
c.
3.
4.
Type 10.0.0.130 in the Remote Node IP Address field, verify that Configure
remote system to participate in High Availability setup, Turn off HA Monitor on
interfaces/channels that are down are all selected.
d. In the Remote System Login Credential fields, enter the nsroot credentials and then
click Create.
Refresh the NetScaler system configurations and verify that NS_VPX_3 is setup as the
Secondary node on NS_VPX_1.
b. On NS_VPX_1, click the Refresh button in the upper-right corner of the
configuration utility window.
c. On NS_VPX_1, verify that 10.0.0.110 appears as Primary and 10.0.0.130 appears as
Secondary in the Master State column.
d. On NS_VPX_3, navigate to System > High Availability.
e. On NS_VPX_3, click the Refresh button in the upper-right corner of the
configuration utility window.
f. On NS_VPX_3, verify that 10.0.0.110 appears as Primary and 10.0.0.130 appears as
Secondary in the Master State column.
Enable the NS_VPX_3 Node State to actively participate in High Availability.
b. Click ID 0 in the High Availability pane and click Edit.
c. Select ENABLED (Actively Participate in HA) in the High Availability Status dropdown list.
d. Click OK.
Testing the High-Availability Configuration (Configuration

Utility)
In the Win7Client virtual machine, use an HTTP connection to the NS_VPX_1 and NS_VPX_3
configuration utilities logged on as the nsroot user for this task.
1.
Verify the current state of the high availability pair.

a. On NS_VPX_1, navigate to System > Network > IPs.
b. On NS_VPX_1, compare the system-owned IP addresses on both NS_VPX_1 and 2.
Notice which system retained its original SNIP address and which system
configuration is overwritten by the high-availability configuration. The IP Address
shows as 10.0.0.110.
51
c.
d.
2.
3.
On NS_VPX_3, navigate to NetworkIPs.

On NS_VPX_3, compare the system-owned IP addresses on both NS_VPX_1 and 2.
Notice which system retained its original SNIP address and which system
configuration is overwritten by the high-availability configuration. The IP Address
shows as 10.0.0.130.
Test the high-availability configuration by forcing a failover on NS_VPX_1.
a. On NS_VPX_1, navigate to System High Availability.
b. On NS_VPX_1, click Action > Force Failover.
c. Click Yes to confirm the force failover and then click OK.
d. On NS_VPX_1, click the Refresh button in the upper-right corner of the
configuration utility. The master state of NS_VPX_1 is now Secondary.
e. On NS_VPX_3, navigate to System High Availability.
f. On NS_VPX_3, click the Refresh button in the upper-right corner of the
configuration utility. The master state of NS_VPX_3 is now Primary.
Test the high-availability configuration by forcing a failover on NS_VPX_3.
a. On NS_VPX_3, right-click Node ID 1 and click Force Failover.
b. Click Yes to confirm the force failover and then click OK.
c. On NS_VPX_3, click the Refresh button in the upper-right corner of the
configuration utility. The master state of NS_VPX_3 is now Secondary again.
d. On NS_VPX_1, click the Refresh button in the upper-right corner of the
configuration utility. The master state of NS_VPX_1 is Primary again.
Removing High Availability from NS_VPX_1 and NS_VPX_3

1.
Verify the current high-availability status on NS_VPX_1.

a. On NS_VPX_1, navigate to System High Availability.
b. Verify that the Node ID 0 master state is Primary and the Node State for both nodes
is Up.
If NS_VPX_1 is not listed as the Primary node, use the force high-availability
failover command to promote NS_VPX_1 as the primary node.
2.
52
Remove the secondary node from the high-availability configuration on NS_VPX_1.

a. On NS_VPX_1, select Node ID 1 from the High-Availability pane and click Delete.
b. Click Yes to confirm the removal of the node.
3.
4.
Remove high availability Node ID 1 from NS_VPX_3.

a. On NS_VPX2, navigate to System High Availability.
b. Select Node ID 1 in the High-Availability pane and click Delete.
c. Click Yes to confirm the removal of the node.
Shut down the NS_VPX_1 and NS_VPX_3 virtual machines.
a. Select All VMs from the drop-down menu at the top of the Win7Client window.
b. Click the Pause icon for the NS_VPX_1 VM to shut it down.
c. Click the Pause icon for the NS_VPX_3 VM to shut it down.
Exercise 3-1: Step by Step (Command-Line Interface)

This exercise provides step-by-step instructions for completing "Exercise 3-1: Configuring High
Availability" using the command-line interface.
Configuring NS_VPX_1 and NS_VPX_3

In the Win7Client virtual machine, use an SSH connection (PuTTY) to the NS_VPX_1 and
NS_VPX_3 command-line interfaces logged on as the nsroot user for this task.
1.
2.
Start NS_VPX_1 and NSP_VPX_3 in the lab environment.

a. Click the NS_VPX_1 virtual machine in the lab environment and then click the Play
button to start it.
b. Click the NS_VPX_3 virtual machine in the lab environment and then click the Play
button to start it.
Prepare NS_VPX_1 (10.0.0.110) and NS_VPX_3 (10.0.0.130) for high availability configuration.
a. Open the command-line interface program (PuTTY) from the Win7Client desktop.
b. Select the NS_VPX_1 saved session and click Open.
c. Log on to the PuTTY session using the nsroot credentials.
d. Open another command-line interface window (PuTTY) from the Win7Client
desktop.
e. Select the NS_VPX_3 saved session and click Open.
f. Log on to the PuTTY session using the nsroot credentials.
Be very cognizant of the NetScaler window you are working in at any given
time.
53
g.
On NS_VPX_1 (10.0.0.110), enter the following command to identify the critical

interfaces:
show node
The show node command lists high-availability nodes on the current system only.
However, it also identifies which critical interfaces are in use. Notice which interfaces
are listed as critical interfaces. Do not disable these interfaces.
h.
On NS_VPX_1, enter the following command to view the interfaces on the system:
show interface
Notice which interfaces are in an Up state versus a Down state. Interfaces in an Up
state should correspond to the critical interfaces in the previous step.
i.
On NS_VPX_3 (10.0.0.130), enter the following command to identify the critical

interfaces:
show node
The show node command lists high-availability nodes on the current system only.
However, it also identifies which critical interfaces are in use. Notice which interfaces
are listed as critical interfaces. Do not disable these interfaces.
j.
On NS_VPX_3, enter the following command to view the interfaces on the system:
show interface
Notice which interfaces are in an Up state versus a Down state. Interfaces in an Up
state should correspond to the critical interfaces.
Configuring High Availability on NS_VPX_1 and NS_VPX_3

1.
Configure NS_VPX_1 and NS_VPX_3 as a high-availability pair.

a. On NS_VPX_3 (10.0.0.130), enter the following command to set the HA node status
to stay secondary:
set ha node -haStatus STAYSECONDARY
54
b.
On NS_VPX_1 (10.0.0.110), enter the following command to add NS_VPX_3 as a

high-availability node on NS_VPX_1:
add ha node 1 10.0.0.130 -INC ENABLED
c.
On NS_VPX_1, enter the following command to sync the high-availability

configuration with NS_VPX_3:
set ha node -haSync ENABLED
d.
On NS_VPX_3, add NS_VPX_1 as a high-availability node on NS_VPX_3 by entering

the following command:
add ha node 1 10.0.0.110 -INC ENABLED
e.
On NS_VPX_1, enter the following command to view the status of the node and note
the Master State of each node:
show ha node
The Master State for NS_VPX_1 should show as Primary and NS_VPX_3 should show
as Secondary.
f.
On NS_VPX_3, enter the following command to view the status of the node and note
the Master State of each node:
show ha node
The Master State for NS_VPX_1 should show as Primary and NS_VPX_3 should show
as Secondary.
g.
On NS_VPX_3, enter the following command to set the HA node status to

ENABLED:
set ha node -haStatus ENABLED
Testing the High-Availability Configuration (Command-Line

Interface)
1.
Use the following procedure to test the high-availability configuration:

a. On NS_VPX_1 (10.0.0.110), enter the following command to verify the status of the
system IP addresses:
show ns ip
55
Compare which IP addresses are the same and which are different on each system.
Also note which subnet IPs of the system are preserved and which subnet IPs of the
system are overwritten.
b.
On NS_VPX_3 (10.0.0.130), enter the following command to verify the status of the
system IP addresses:
show ns ip
c.
On NS_VPX_1, enter the following command to verify the status of the nodes:
show ha node
NS_VPX_1 (10.0.0.110) should be the Primary node.
d.
On NS_VPX_3, enter the following command to verify the status of the nodes:
show ha node
NS_VPX_1 (10.0.0.110) should be the Primary node.
e.
On NS_VPX_1, enter the following commands to force a failover:

force ha failover
y
f.
On NS_VPX_1, enter the following command to view the node status:

show ha node
NS_VPX_3 (10.0.0.130) becomes the Primary node.
g.

show ha node
NS_VPX_3 is the Primary node.
h.
On NS_VPX_3, enter the following commands to force a failover:

force ha failover
y
i.

show ha node
NS_VPX_1 is the Primary node again.
56
j.

show ha node
NS_VPX_1 is the Primary node again.
Removing High Availability from NS_VPX_1 and NS_VPX_3

1.
Verify the current high availability status.

a. On NS_VPX_1, enter the following command to verify that the node status is Up and
that NS_VPX_1 is the primary node:
show ha node
If NS_VPX_1 is not listed as the Primary node, use the force high availability
failover command to promote NS_VPX_1 as the Primary node.
2.
On NS_VPX_1, enter the following command to remove the secondary node from the high
availability configuration:
rm ha node 1
3.
On NS_VPX_3, enter the following command to remove the secondary node from the high
availability configuration:
rm ha node 1
4.
On NS_VPX_1, enter the following command to verify the high availability status:
show ha node
5.
On NS_VPX_3, enter the following command to verify the high availability status:
show ha node
6.
7.
Close the PuTTY sessions for NS_VPX_1 and NS_VPX_3. Click OK in the PuTTY Exit
Confirmation messages.
c. Click the Pause icon for the NS_VPX_3 VM to shut it down.
57
58
Module 4
Securing NetScaler
60
Module 4: Securing NetScaler Exercises

Exercise 4-1: Enabling External Authentication
This exercise will demonstrate how to configure the NetScaler system to use an LDAP server to
authenticate system users.
Before You Begin

AD.training.lab
NS_VPX_0
Win7Client
To complete this exercise, you need to have the following information:

Active Directory architecture
Active Directory
Value
AD Domain Controller
10.29.0.11
AD Domain Name: Base DN
DC=Training,DC=LAB
Administrator BindDN
CitrixAdmin@training.lab
Administrator Password
Password1
Server Login Name Attribute (case sensitive)
samAccountName
Groups and User Credentials
Group
User
Password
Policy
Domain Admins
citrixadmin
Password1
Superuser
Remote Users
user1
Password1
Show Only
Module 4: Securing NetScaler
61

This section provides step-by-step instructions for completing "Exercise 4-1: Enabling External
Authentication" using the configuration utility.
Creating a New Administrator Account (Configuration

Utility)
1.
Create a new administrator account called "testuser" with read-only permissions.

a. Navigate to System > User Administration > Users.
b. Click Add in the System Users pane.
The Create System User dialog box opens.
c.
d.
e.
Type testuser in the User Name field and then type Password1 in the Password
and Confirm Password fields.
Click Insert and then select read-only in the Command Policies pane.
Click Insert and then click Create.
The Create System User dialog box closes.
2.
f.
g.
Test the
a.
b.
c.
Click the Floppy Disk icon and then click Yes to save the current configuration.
Click Logout to log off from of the current session.
new administrator account by attempting to enable a feature.
Log on to the configuration utility with the testuser and Password1 credentials.
Navigate to System > Settings.
Click Configure Basic Features on the right.
The Configure Basic Features dialog box opens.
d.
e.
f.
g.
Select a feature to enable and click OK. The user only has read-only permissions, so
the change should not work.
Click OK in the Error message that indicates that testuser does not have permission to
enable features.
Click Close.
Click Logout to log off from the current session.
Examining Command Policies (Configuration Utility)

62
1.
2.
3.
Enter 10.0.0.100 in the address field of the Chrome browser to access the NS_VPX_0
configuration utility.
Log on using the nsroot credentials.
Examine the expression for the superuser policy.
a. Navigate toSystem > User Administration > Command Policies in the left pane.
b. Select the superuser policy in the Command Policies section and click Edit.
Note the policy allows any command to be permitted using the .* expression.
4.
c. Click Close.
Create a new policy called show_only that only allows the "show" command using the string
(^show\s+.*) as the command.
a. Click Add in the Command Policies section.
b. Type show_only in the Policy Name field.
c. Select ALLOW from the Action drop-down list.
d. Click inside the Command Spec field, clear any existing text, and then type
(^show\s+.*)
e. Click Create.
Enabling LDAP Authentication (Configuration Utility)

1.
Grant superuser access to the Domain Admins Active Directory group.

a. Navigate to System > User Administration > Groups in the left pane.
b. Click Add.
c. Type Domain Admins in the Group Name field.
Group names must correspond to the group in the directory service and are case
sensitive.
2.
d. Click Insert below Command Policies.

e. Select superuser to make it active and bind the group to the command policy.
f. Click Insert.
g. Click Create.
Grant show-only access to the Remote Users Active Directory group.
a. Click Add.
b. Type Remote Users in the Group Name field.
sensitive.
63
3.
4.
5.
64
c. Click Insert below Command Policies.

d. Select show_only to make it active and to bind the group to the command policy.
e. Click Insert.
f. Click Create.
Create an "auth_ldap_srv" entry for the LDAP server with 10.29.0.11 as the IP address and 389
as the port.
a. Navigate to System > Authentication > LDAP in the left pane.
b. Select the Servers tab and then click Add.
c. Complete the Create Authentication Server form as follows:
Name: auth_ldap_srv
Select the Server IP radio button.
IP Address: 10.29.0.11
Security Type: PLAINTEXT
Port: 389
Base DN: dc=training,dc=lab
Administrator Bind DN: CitrixAdmin@training.lab
Select BindDN Password.
Administrator Password: Password1
Confirm Administrator Password: Password1
Server Logon Name Attribute: samAccountName
Group Attribute: memberOf
Sub Attribute Name: CN
d. Click Create.
Create an "auth_ldap_policy" authentication policy for the LDAP server with an expression of
True.
a. Select the Policies tab and click Add.
b. Type auth_ldap_policy in the Name field and verify that auth_ldap_srv is
specified in the Server field.
c. Type ns_true in the Expression field.
d. Click Create.
Bind the auth_ldap_policy globally.
a. Right-click the auth_ldap_policy and then click Global Bindings.
b. Click Click to select under Select Policy.
c. Select the auth_ldap_policy radio button and then click OK
d. Click Bind and then click Done.
e. Click the Floppy Disk icon to save the NetScaler configuration.
6.
f. Click Yes in the Confirm dialog box.

Add a load balancing virtual server called testsrv with an IP address of 10.29.0.224 to verify
that an Active Directory Domain Admin user has superuser access.
a. Click Logout to log out of the current NetScaler session.
b. Type citrixadmin in the User Name field, type Password1 in the Password
field, and then click Login.
If an error message appears, click OK and then log on with the nsroot
credentials to complete this exercise.
c.
d.
e.
f.
Navigate to Traffic Management > Load Balancing > Servers and click Add.
Type testsrv in the Server Name field.
Type 10.29.0.224 in the IP Address field.
Click OK then click OK then click Done.
The CitrixAdmin user was allowed to add the server.
g.
h.
Click the Floppy Disk icon in the upper-right corner of the configuration utility.
Click Yes to confirm saving the configuration.

This section provides step-by-step instructions for completing "Exercise 4-1: Enabling External
Authentication" using the command-line interface.
Creating a New Administrator Account (Command-Line

Interface)
Use an SSH connection (PuTTY) to the NS_VPX_0 command-line interface logged on as the
nsroot user for this task.
1.
2.
Launch a PuTTY session to NS_VPX_0 (10.0.0.100) and log on using the nsroot credentials.
Create a new system account with read-only permissions on the NetScaler system:
a. Enter the following command in PuTTY to create a new system user:
add system user testuser Password1
b.
Enter the following command to view the available command policies:

show system cmdPolicy
65
These command policies can be used to control the permissions allowed for
delegated administration.
c.
Enter the following command to configure the testuser with read-only permissions
and a priority of 1:
bind system user testuser read-only 1
d.
Enter the following command to save the configuration:

save ns config
Examining Command Policies (Command-Line Interface)

1.
2.
Launch a PuTTY session to NS_VPX_0 and log on using the nsroot credentials.
Enter the following command to show the system command policies:
show system cmdPolicy
3.
Enter the following command to examine the expression for the superuser policy :
show system cmdPolicy superuser
Note the policy allows any command to be permitted using the .* expression.
4.
Enter the following command to create a new policy named show_only that only allows the
show command using the string (^show\s+.*) as the command spec:
add system cmdPolicy show_only ALLOW "(^show\s+.*)"
Enabling LDAP Authentication (Command-Line Interface)

1.
Enter the following commands to add the Active Directory groups, Domain Admins and
Remote Users to the NetScaler system:
add system group "Domain Admins"
add system group "Remote Users"
66
sensitive.
2.
Enter the following command to grant superuser access to the Domain Admins Active
Directory group:
bind system group "Domain Admins" -policyName superuser 1
3.
Enter the following command to grant show-only access to the Remote Users Active Directory
group:
bind system group "Remote Users" -policyName show_only 10
4.
Enter the following command to create an "auth_ldap_srv" entry for the LDAP server with
10.29.0.11 as the IP address and 389 as the port:
add authentication ldapAction auth_ldap_srv
-serverIP 10.29.0.11 -ldapBase "DC=Training,DC=Lab"
-ldapBindDn CitrixAdmin@training.lab
-ldapBindDnPassword Password1
-ldapLoginName samAccountName -groupAttrName memberOf
-subAttributeName CN
5.
Enter the following command to create an "auth_ldap_policy" authentication policy for the
LDAP server with an expression of ns_true:
add authentication ldapPolicy auth_ldap_policy ns_true
auth_ldap_srv
6.
Enter the following command to bind the auth_ldap_policy globally:

bind system global auth_ldap_policy -priority 100
7.
Enter the following command to save the running configuration:

save ns config
67
68
Module 5
Basic Load
Balancing
70
Module 5: Basic Load Balancing Exercises

Exercise 5-1: Configuring Load Balancing
This exercise will demonstrate how to add servers, services, and a load balancing virtual server to a
NetScaler, and then configure all of those items to work together for load balancing.
Before You Begin

AD.training.lab
NS_VPX_0
WebBlue
WebGreen
WebRed
Win7Client
Estimated time to complete: 20 minutes

This exercise provides step-by-step instructions for completing "Exercise 5-1: Configuring Load
Balancing" using the configuration utility.
Creating Servers (Configuration Utility)

1.
2.
Log on to the NS_VPX_0 (10.0.0.100) configuration utility with the nsroot credentials.
Create the "srv_red" server with 10.30.0.215 for the IP address.
a. Navigate to Traffic Management > Load Balancing > Servers.
b. Click Add in the Servers pane.
The Create Server dialog box opens.
c.
3.
Type srv_red in the Server Name field and then type 10.30.0.215 in the IP
Address field.
d. Click Create.
Create the "srv_green" server with 10.0.0.210 for the IP address.
Module 5: Basic Load Balancing
71
a.
Click Add in the Servers pane.

b.
4.
Type srv_green in the Server Name field and then type 10.0.0.210 in the IP
Address field.
c. Click Create.
Create the "srv_blue" server with 10.29.0.205 for the IP address.
a. Click Add in the Servers pane.
b.
c.
Type srv_blue in the Server Name field and then type 10.29.0.205 in the IP
Address field.
Click Create.
Creating Services (Configuration Utility)

1.
Create an HTTP service called "svc_red" that will be associated with the WebRed web server.
a. Navigate to Traffic Management > Load Balancing > Services.
b. Click Add in the Services pane.
The Load Balancing Service dialog box opens.
c.
d.
e.
f.
2.
Type svc_red in the Service Name field.

Select the Existing Server radio button.
Select srv_red from the Server menu.
Verify that HTTP is selected from the Protocol menu and 80 is entered in the Port
field.
g. Click OK and then click Done.
Create an HTTP service called "svc_blue" that will be associated with the WebBlue web server.
a. Click Add in the Services pane.
The Create Service dialog box opens.
b.
c.
d.
e.
f.
72
Type svc_blue in the Service Name field.

Select srv_blue from the Server menu.
field.
Click OK and then click Done.
3.
Create an HTTP service called "svc_green" that will be associated with the WebGreen web
server.
a. Click Add in the Services pane.
The Create Service dialog box opens.
b.
c.
d.
e.
4.
Type svc_green in the Service Name field.

Select srv_green from the Server menu.
field.
f. Click OK and then click Done.
Verify that all services display the state as Up in the Services tab.
Creating a Load-Balancing Virtual Server (Configuration

Utility)
1.
Begin the configuration of a "lb_vsrv_rbg" load-balancing virtual server that will be associated
with the red, blue, and green services.
a. Navigate to Traffic Management > Load Balancing > Virtual Servers.
b. Click Add in the Load Balancing Virtual Servers pane.
c. Type lb_vsrv_rbg in the Name field.
d. Verify that HTTP is selected from the Protocol drop-down menu and that 80 is
entered in the Port field.
e. Type 10.0.0.80 in the IP Address field.
f. Click OK.
g. Click the No Load Balancing Virtual Server Service Binding option below Service to
bind the Services.
h. Click the Click to select in the Select Service field.
i. Select the svc_red radio button.
j. Click OK and then click Bind.
k. Click the 1 Load Balancing Virtual Server Service Binding option below Service to
bind the Services.
l. Click Add Binding.
m. Click the Click to select in the Select Service field.
n. Select the svc_blue radio button.
o. Click OK and then click Bind.
73
p.
q.
r.
s.
t.
u.
v.
w.
Click Add Binding.

Click the Click to select in the Select Service field.
Select the svc_green radio button.
Click OK and then click Bind.
Click Close and then click OK.
Click Method under Advanced on the right.
Select ROUNDROBIN from the Load Balancing Method drop-down menu.
You may need to click Refresh on the top-right before the State shows as Up.
2.
Save the running configuration.

a. Click the Floppy Disk icon and then click Yes to confirm saving the running
configuration.
Testing Load Balancing (Configuration Utility)

1.
Test the load-balancing configuration.

a. Open a new browser tab and browse to http://10.0.0.80/home.php.
b. Refresh the browser several times to verify load-balancing activity.
With the round-robin method specified, the page should refresh and rotate through
the Red, Blue, and Green home pages.
2.
3.
Change the persistence of the load-balancing virtual server to COOKIEINSERT.

a. Switch back to the NetScaler configuration utility (10.0.0.100).
b. Navigate to Traffic Management > Load Balancing > Virtual Servers.
c. Double-click the lb_vsrv_rbg virtual server to open its configuration window.
d. Click Persistence under Advanced on the right.
e. Select COOKIEINSERT from the Persistence drop-down menu.
f. Click OK and then Done.
Test the updated load balancing configuration.
a. Switch back to the 10.0.0.80 browser window and refresh the browser several times to
verify the effects of load balancing with persistence.
With cookie-insert persistence enabled, you are directed to the same server until the
cookie expires (2 minutes).
74
Resetting Persistence to None (Configuration Utility)

1.
Reset the lb_vsrv_rbg load-balancing virtual server persistence to none.

a. Switch back to the NetScaler configuration utility (10.0.0.100).
c. Double-click the lb_vsrv_rbg virtual server to open its configuration window.
d. Click the Edit icon (pencil) to the right of the Persistence field.
e. Select NONE from the Persistence drop-down menu.
Time-out and version settings are left as the default values.
2.

Save the running configuration.
a. Click the Floppy Disk icon and click Yes to confirm saving the running configuration.

This exercise provides step-by-step instructions for completing "Exercise 5-1: Configuring Load
Balancing" using the command-line interface.
Procedure for Configuring Servers, Services, and Virtual

Servers (Command-Line Interface)
1.
2.
Launch a PuTTY session to NS_VPX_0 (10.0.0.100) and log on using the nsroot credentials.
Configure the WebRed, WebBlue, and WebGreen web servers as load-balancing servers on the
NetScaler.
a. Enter the following commands to create the Red, Blue, and Green web servers:
add server srv_blue 10.29.0.205
add server srv_green 10.0.0.210
add server srv_red 10.30.0.215
75
3.
Create the svc_red, svc_blue, and svc_green HTTP services that will be associated with the web
servers.
a. Enter the following commands to create HTTP services for Red, Blue, and Green web
servers:
add service svc_blue srv_blue HTTP 80
add service svc_green srv_green HTTP 80
add service svc_red srv_red HTTP 80
4.
Create the lb_vsrv_rbg load-balancing virtual server that will be associated with the WebRed,
WebBlue, and WebGreen web servers using RoundRobin for the load balancing method.
a. Enter the following command to create the load-balancing virtual server
add lb vserver lb_vsrv_rbg HTTP 10.0.0.80 80 lbMethod ROUNDROBIN
b.
Bind the services to the load-balancing virtual server using the following commands:
bind lb vserver lb_vsrv_rbg svc_blue
bind lb vserver lb_vsrv_rbg svc_green
bind lb vserver lb_vsrv_rbg svc_red
Testing Load Balancing (Command-Line Interface)

1.
Test the load balancing configuration.

a. Open a Firefox browser from the Win7Client desktop and browse to
http://10.0.0.80/home.php
b. Refresh the browser several times to verify load-balancing activity.
With the round-robin method specified, the page should refresh and rotate through
the Red, Blue, and Green home pages.
If the page doesn't rotate between the Red, Blue and Green home pages, clear
the browser cache by clicking Tools > Options > Privacy > clear your recent
history > Clear now. Click OK to close the Options window.
2.
76
c. Close the Firefox window.

Change the persistence of the load-balancing virtual server to COOKIEINSERT.
a.
Enter the following command in the PuTTY session to set the persistence for the
existing load-balancing virtual server to COOKIEINSERT:
set lb vserver lb_vsrv_rbg -persistenceType COOKIEINSERT
3.
Test the updated load balancing configuration.

a. Open a new Firefox window and browse to http://10.0.0.80/home.php.
b. Refresh the browser several times to verify the effects of load balancing with
persistence.
With cookie-insert persistence enabled, you are directed to the same page each time
until the cookie expires; the page does not load balance to each available server. By
default, the cookie-insert persistence is set to 2 minutes.
4.
c. Close the Firefox window.

Change the persistence of the load-balancing virtual server to NONE.
a. Enter the following command to set persistence for the existing load balancing virtual
server to NONE:
set lb vserver lb_vsrv_rbg -persistenceType NONE
b.

save ns config
Exercise 5-2: Configuring a Load-Balancing HTTP-ECV

Monitor (Command-Line Interface)
This exercise will demonstrate how to monitor the status of a specific HTTP service bound to a
load-balancing virtual server.
Before You Begin

AD.training.lab
NS_VPX_0
Win7Client
WebBlue
WebGreen
WebRed
Estimated time to complete this lab: 20 minutes

77

This section provides step-by-step instructions for completing "Exercise 5-2: Configuring a LoadBalancing HTTP-ECV Monitor" using the configuration utility.
Creating a Load-Balancing HTTP-ECV Monitor

1.
2.
Switch to the NS_VPX_0 configuration utility on the Win7Client virtual machine.

Create a load-balancing HTTP-ECV monitor named "mon_RBG_HTTPECV." Configure the
monitor to use a send string of "GET /home.php" and a receive string of "serverinfo".
a. Navigate to Traffic Management > Load Balancing > Monitors.
b. Click Add.
c. Type the following information in the Standard Parameters tab and leave all other
values in their default state.
Name: mon_RBG_HTTPECV
Type: HTTP-ECV
Down Time: 5 and Second
d. Click the Special Parameters tab and type the following values in the specified fields:
Send String: GET /home.php
Receive String: serverinfo
e. Click Create.
The Receive String parameter is a string value and should be set to a string or phrase
which appears on the web site in the first 24 KB of the response. For this exercise, you
specify "serverinfo". Other valid strings include "Viewing this page" and "this page
indicates." String matches are case sensitive.
3.
78
Bind the load-balancing HTTP-ECV monitor to the service .

a. Navigate to Load Balancing > Services.
b. Select the svc_red service and click Edit.
c. Click 1 Service to LB Monitor Binding in the Monitors section.
d. Click Add Binding
e. Click Click to select in the Select Monitor field.
f. Select the mon_RBG_HTTPECV monitor from the Monitors list and click OK.
g. Click Bind and then click Close.
h. Click Done.
Testing the Load-Balancing HTTP-ECV Monitor

Use the Win7Client virtual machine logged on as the CitrixAdmin user for this task.
1.
Open a new browser tab and browse to http://10.0.0.80/home.php. Refresh the page
several times.
The page load balances between the RED, BLUE, and GREEN servers while the
monitor status shows as UP.
2.
Ensure
a.
b.
c.
d.
that the red service for the mon_RBG_HTTPECV monitor is successfully responding.
Switch to the configuration utility for NS_VPX_0.
Navigate to Traffic Management > Load Balancing > Services.
Select the svc_red service and click Edit
Click 1 Service to Load Balancing Monitor Binding in the Monitors section at the
bottom of the screen.
e. Note the information for the configured monitor.
The monitor details display the response status "Success - Pattern found in
response."
3.
f. Click Close and then click Done.

Change the monitor string to use the invalid string "bad string".
a. Navigate to Traffic Management > Load Balancing > Monitors.
b. Select the mon_RBG_HTTPECV monitor and click Edit.
c. Click the Special Parameters tab.
d. Change the Receive String field to bad string.
For this step, setting the Receive string, -recv, to a string not found on the
page creates a failed status. Any string not found on the page could be used.
4.
e. Click OK.
Clear the cache before the next test to avoid issues with the browser caching the server
response. Close additional instances, if more than one browser window is open.
a. Open the Firefox browser from the Win7Client desktop.
b. In the Firefox browser, navigate to Tools > Options > Privacy
c. Click clear your recent history on the Privacy page.
d. Click Clear Now to clear the cache and then click OK to close the Options dialog box.
79
If you are using another browser, the steps required to clear the cache will
differ.
5.
In the browser window, browse to http://10.0.0.80/home.php. Refresh the page

several times.
The red server home.php page will not load while the monitor reports the service as
DOWN. Load balancing may, or may not, function with the ECV monitor failing.
6.
7.
8.
Ensure
a.
b.
c.
Ensure
a.
b.
c.
d.
that the monitor status for the mon_RBG_HTTPECV monitor is Enabled.

Navigate to Traffic Management > Load Balancing > Monitors.
Verify that the mon_RBG_HTTPECV monitor status is Enabled.
that the red service for the mon_RBG_HTTPECV monitor is no longer responding.
Select the svc_red service and click Edit
Click 1 Service to Load Balancing Monitor Binding in the Monitors section.
Note the information for the configured monitor. The service state shows as DOWN
and the monitor response shows "Failure - Pattern not found in response."
Remove the mon_RBG_HTTPECV monitor from the load balancing virtual server.
a. Select the mon_RBG_HTTPECV monitor and click Unbind.
b. Click Yes to confirm.
c. Click Close.
d. Click Done.
e. Click Refresh. The State of the svc_red service should now show as Up.

This section provides step-by-step instructions for completing "Exercise 5-2: Configuring a LoadBalancing HTTP-ECV Monitor" using the command-line interface.
Creating a Load-Balancing HTTP-ECV Monitor (CommandLine Interface)

80
1.
Enter the following command in the PuTTY session to create a load-balancing HTTP-ECV
monitor named "mon_RBG_HTTPECV" and configure the monitor to use a send string of
"GET /home.php" and a receive string of "serverinfo":
add lb monitor mon_RBG_HTTPECV HTTP-ECV -send "GET /home.php" recv "serverinfo"
-interval 5 SEC -downTime 5 SEC
The Receive parameter (-recv) uses a string value and should be set to a string or
phrase which appears on the website in the first 24 KB of the response. For this
exercise, specify "serverinfo". Other valid strings include "Viewing this page" and "This
page indicates". String matches are case sensitive.
2.
Enter the following command to bind the load-balancing HTTP-ECV monitor to the service:
bind service svc_red -monitorName mon_RBG_HTTPECV
Testing the Load-Balancing HTTP-ECV Monitor

1.
Open a Firefox browser on the Win7Client desktop and browse to

http://10.0.0.80/home.php. Refresh the page several times.
The page load-balances between the RED, BLUE, and GREEN servers while the
monitor status is UP.
2.
3.
Switch to the PuTTY command-line interface for NS_VPX_0.

Enter the following command to verify that the monitor status for the mon_RBG_HTTPECV
monitor is enabled:
show lb monitor mon_RBG_HTTPECV
4.
Enter the following command to ensure that the red service for the mon_RBG_HTTPECV
monitor is successfully responding:
show service svc_red
The monitor details display the response status "Success - Pattern found in response".
81
5.
Enter the following command to change the monitor string to the invalid string "bad string":
set lb monitor mon_RBG_HTTPECV HTTP-ECV -recv "bad string"
For this step, set the Receive parameter (-recv) to a string not found on the page; this
creates a failed status. Any string not found on the page could be used.
6.
Clear the cache before the next test to avoid issues with the browser caching the server
response. Close additional instances if more than one browser window is open.
b. In the Firefox browser, navigate to Tools > Options > Privacy tab.
c. Click clear your recent history on the Privacy page.
d. Click Clear Now to clear the cache and then click OK to close the Options dialog box.
If you are using another browser, the steps required to clear the cache will
differ.
7.
In the Firefox browser, browse to http://10.0.0.80/home.php. Refresh the page

several times.
The RED server home.php page will not load while the monitor reports the service as
DOWN.
8.
Enter the following command to ensure that the monitor state for the mon_RBG_HTTPECV
monitor is Enabled:
show lb monitor mon_RBG_HTTPECV
9.
Enter the following command to ensure that the red service for the mon_RBG_HTTPECV
monitor is no longer responding:
The service state shows as DOWN and the monitor response shows "Failure - Pattern not
found in response."
10. Enter the following command to unbind the mon_RBG_HTTPECV monitor from the scv_red
service:
unbind service svc_red -monitorName mon_RBG_HTTPECV
11. Enter the following command to verify svc_red is now bound to the tcp-default monitor and
the state is UP:
82
Exercise 5-3: Configuring Data Stream Load Balancing and

Monitoring
This lab demonstrates the process for creating servers, services, a load-balancing virtual server, and
a MYSQL-ECV monitor for MySQL servers.
Before You Begin

AD.training.lab
NS_VPX_0
LAMP_1
LAMP_2
Win7Client

This section provides step-by-step instructions for completing "Exercise 5-3: Configuring Data
Stream Load Balancing and Monitoring" using the configuration utility.
Configuring Data Stream Load Balancing (Configuration

Utility)
1.
From the lab environnment screen, click the Play icon for the LAMP_1 and LAMP_2 virtual
machines.
To access the lab environment screen, click the All VMs option in the drop-down
menu at the top of the VM.
2.
Switch to the configuration utility for NS_VPX_0 in the Win7Client and add the netscalersql
database user.
a. Navigate to System > User Administration > Database Users and click Add.
b. Type netscalersql in the User Name field.
c. Type netscaler in the Password field.
d. Type netscaler in the Confirm Password field.
83
3.
4.
5.
6.
7.
84
e. Click Create.
Create the lamp_1 server with the IP address 10.29.0.13.
a. Navigate to Traffic Management > Load Balancing > Servers and click Add.
b. Type lamp_1 in the Server Name field.
c. Type 10.29.0.13 in the IP Address field.
d. Click Create.
Create the lamp_2 server with the IP address 10.29.0.14.
a. Navigate to Traffic Management > Load Balancing > Servers and then click Add.
b. Type lamp_2 in the Server Name field.
d. Click Create.
Create the svc_mysql_lamp1 service for the lamp_1 server using MYSQL as the protocol and
3306 as the port.
a. Navigate to Traffic Management > Load Balancing > Services and click Add.
b. Type svc_mysql_lamp1 in the Service Name field.
c. Select the Existing Server Radio button.
d. Select lamp_1 from the Server drop-down menu.
e. Select MYSQL from the Protocol drop-down menu.
f. Type 3306 in the Port field.
g. Click OK and then click in the field below Monitors.
h. Click Add Binding then in the field Click to select and check the radio button next to
ping then click OK.
i. Click Bind, then click Close then Done.
Create the svc_mysql_lamp2 service for the lamp_2 server using MYSQL as the protocol and
3306 as the port.
a. Navigate to Traffic Management > Load Balancing > Services and click Add.
b. Type svc_mysql_lamp2 in the Service Name field.
c. Select the Existing Server Radio button.
d. Select lamp_2 from the Server drop-down menu.
e. Select MYSQL from the Protocol drop-down menu.
g. Click OK and then click in the field below Monitors.
h. Click Add Binding then in the field Click to select and check the radio button next to
ping then click OK.
i. Click Bind, then click Close then Done.
Create the lb_vsrv_mysql virtual server with the IP address 10.0.0.18 on port 3306.
a. Navigate to Traffic Management > Load Balancing > Virtual Servers and click Add.
8.
9.
b. Type lb_vsrv_mysql in the Name field.

c. Select MYSQL from the Protocol drop-down menu.
d. Type 10.0.0.18 in the IP Address field.
e. Type 3306 in the Port field.
f. Click OK
Bind the MYSQL services to the virtual load-balancing server.
a. Click No Load Balancing Virtual Server Service Binding in the Service section.
b. Click Click to select in the Select Service field and select the svc_mysql_lamp1 radio
button.
c. Click OK then click Bind.
d. Click 1 Load Balancing Virtual Server Service Binding in the Service aection.
e. Click Add Binding.
f. Click Click to select in the Select Service field and select the svc_mysql_lamp2 radio
button.
g. Click OK and then click Bind
h. Click Close and then click OK to confirm service settings10.
i. Click Done.
Test the MYSQL load-balancing server.
a. On the Win7Client desktop, double-click the HeidiSQL icon.
b. Verify that MYSQLTest is selected in the left pane, the Hostname/IP is set to
10.0.0.18, the Port is set to 3306 and then click Open.
The MYSQLTest session is configured to connect to imdb table in the database on the
lb_vsrv_mysql load-balancing virtual server.
c.
d.
Type netscalersql in the Username field, type netscaler in the Password

field, and then click Login.A HeidiSQL session opens that is connected to the imdb
database.
Select the Query tab and type the following command in the Query field.
select * from actors where actors.last_name = "Tazova"
e. Click the Play button on the task bar. The query should return one record.
10. Close the HeidiSQL window and click No in the Confirm box.
Configuring a MySQL Monitor (Configuration Utility)

1.
Create the mon_mysql_ecv monitor to monitor the imdb database for queries for actors with a
last name of Tazova.
85
a.
b.
c.
d.
Navigate to Traffic Management > Load Balancing > Monitors and click Add.
Type mon_mysql_ecv in the Name field.
Select MYSQL-ECV from the Type drop-down menu.
Click the Special Parameters tab and type the following values in the specified fields:
User Name: netscalersql
Database: imdb
Query: select * from actors where actors.last_name = "Tazova"
Expression: MYSQL.RES.ATLEAST_ROWS_COUNT(1)
Verify that the expression is correct before continuing to the next step.
2.
3.
e. Click Create.
Bind the mon_mysql_ecv monitor to the MYSQL services.
a. Navigate to Traffic Management > Load Balancing > Services.
b. Select the svc_mysql_lamp1 service and click Edit
c. Click 1 Service to Load Balancing Monitor Binding in the Monitors section.
d. Click Add Binding and then click Click to select in the Select Monitor field.
e. Select the mon_mysql_ecv monitor, click OK and then click Bind.
f. Click Close and then click Done.
g. Select the svc_mysql_lamp2 service and click Edit.
h. Click 1 Service to Load Balancing Monitor Binding in the Monitors section.
i. Click Add Binding then click Click to select in the Select Monitor field.
j. Select the mon_mysql_ecv monitor, click OK, and then click Bind.
k. Click Close and then click Done.
Verify that the MYSQL-ECV monitor is working.
a. Select the svc_mysql_lamp1 service and then click Edit.
b. Click 1 Service to Load Balancing Monitor Binding in the Monitors section.
c. Highlight mon_mysql_ecv in the Configured pane. The Last Response should show
Success - Pattern found in response.
d. Click Xon the top right to close the Monitors window and then click Done.

This section provides step-by-step instructions for completing "Exercise 5-3: Configuring Data
Stream Load Balancing and Monitoring" using the command-line interface.
86
Configuring Data Stream Load Balancing (Command-Line

Interface)
1.
2.
3.
Start the LAMP_1 and LAMP_2 virtual machines in the lab environment.
a. Move the mouse pointer to the top of the Win7Client VM and click All VMs in the
drop-down menu to display the lab environment.
b. Select LAMP_1 and then click Play.
c. Select LAMP_2 and then click Play.
d. Select the Win7Client virtual machine in the lab environment to access its desktop.
From the Win7Client desktop, launch a PuTTY session to NS_VPX_0 (10.0.0.100) and log on
using the nsroot credentials.
Enter the following command at the PuTTY command line for NS_VPX_0 to add the
netscalersql database:
add db user netscalersql -password netscaler
4.
Enter the following command to create the LAMP_1 server with the IP address 10.29.0.13:
add server lamp_1 10.29.0.13
5.
Enter the following command to create the LAMP_2 server with the IP address 10.29.0.14:
add server lamp_2 10.29.0.14
6.
Enter the following command to create the svc_mysql_lamp1 service for the LAMP_1 server
using MYSQL as the protocol and 3306 as the port:
add service svc_mysql_lamp1 lamp_1 MYSQL 3306
7.
Enter the following command to create the svc_mysql_lamp2 service for the LAMP_2 server
using MYSQL as the protocol and 3306 as the port:
add service svc_mysql_lamp2 lamp_2 MYSQL 3306
8.
Enter the following command to create the lb_vsrv_mysql virtual server with the IP address
10.0.0.18 on port 3306:
add lb vserver lb_vsrv_mysql MYSQL 10.0.0.18 3306
9.
Enter the following commands to bind the MYSQL services to the virtual load-balancing
server:
bind lb vserver lb_vsrv_mysql svc_mysql_lamp1
bind lb vserver lb_vsrv_mysql svc_mysql_lamp2
87
10. Test the MYSQL load-balancing server.

a. On the Win7Client desktop, double-click the HeidiSQL icon.
b. Verify that MYSQLTest is selected in the left pane, the Hostname/IP is set to
10.0.0.18, the Port is set to 3306 and then click Open.
The MYSQLTest session is configured to connect to imdb table in the database on the
lb_vsrv_mysql load-balancing virtual server.
c.
d.
Type netscalersql in the Username field, type netscaler in the Password

field, and then click Login.A HeidiSQL session opens connected to the imdb database.
Select the Query tab and type the following command in the Query field.
select * from actors where actors.last_name = "Tazova"
e. Click the Play button on the task bar. The query should return one record.
11. Close the HeidiSQL window and click No in the Confirm box.
Configuring a MySQL Monitor (Command-Line Interface)

1.
Enter the following command in PuTTY to create the mon_mysql_ecv monitor to monitor the
imdb database for queries for actors with a last name of Tazova:
add lb monitor mon_mysql_ecv MYSQL-ECV
-userName netscalersql -database imdb
-sqlQuery "select * from actors where
actors.last_name = \"Tazova\""
-evalRule "MYSQL.RES.ATLEAST_ROWS_COUNT(1)"
2.
Enter the following commands to bind the mon_mysql_ecv monitor to the MYSQL services:
bind service svc_mysql_lamp1 -monitorName mon_mysql_ecv
bind service svc_mysql_lamp2 -monitorName mon_mysql_ecv
3.
Enter the following command to verify that the MYSQL-ECV monitor is working:
show service svc_mysql_lamp1
4.
88
The Last Response should show Success - Pattern found in response.

Shut down the LAMP_1 and LAMP_2 virtual machines.
a. Move the mouse pointer to the top of the Win7Client window and select All VMs to
return to the lab environment screen.
b. Select the LAMP_1 virtual machine and click the Pause icon.
c. Select the LAMP_2 virtual machine and click the Pause icon.
Exercise 5-4: Configuring RADIUS Load Balancing

This lab demonstrates the process for creating servers, services, and a load-balancing virtual server
for RADIUS Protocol. The steps for configuring load balancing using the configuration utility and
the command-line interface are provided.
Before You Begin

AD.training.lab
NS_VPX_0
WebBlue
WebGreen
WebRed
Win7Client

This section provides step-by-step instructions for completing "Exercise 5-4: Configuring RADIUS
Load Balancing" using the configuration utility.
Creating RADIUS Service Groups (Configuration Utility)

1.
2.
Create
a.
b.
c.
a load balancing service group called radius_rbg_auth with a protocol set to RADIUS.
Navigate to Traffic Management > Load Balancing > Service Groups.
Click Add. The Create Service Group dialog box opens.
Type radius_rbg_auth in the Service Group Name field and select RADIUS from
the Protocol drop-down menu.
d. Click OK.
Configure WebRed, WebBlue, and WebGreen as specified members and add a ping monitor to
the new RADIUS service group.
a. Click Members under Advanced on the right.
b. Click No Service Group Member in the Service Group Members section.
c. Select the Server Based radio button.
d. Select srv_blue from the Server Name drop-down menu.
89
3.
90
e. Type 1812 in the Port field.

f. Click Create.
g. Click 1 Service Group Member in the Service Group Members section.
h. Click Add.
i. Select the Server Based radio button.
j. Select srv_green from the Server Name drop-down menu.
k. Type 1812 in the Port field.
l. Click Create.
m. Click Add.
n. Select the Server Based radio button.
o. Select srv_red from the Server Name drop-down menu.
p. Type 1812 in the Port field.
q. Click Create.
r. Click Close.
s. Select Monitors under Advanced on the right.
t. Click No Service Group to Monitor Binding.
u. Click Click to select in the Select Monitor field.
v. Select the ping radio button.
w. Click OK.
x. Click State to enable the monitor.
y. Click Bind.
z. Click Done.
Create a RADIUS service group called radius_rbg_acct.
a. Navigate to Traffic Management > Load Balancing > Service Groups.
b. Click Add. The Create Service Group dialog box opens.
c. Type radius_rbg_acct in the Service Group Name field and select RADIUS from
the Protocol drop-down menu.
d. Click OK.
e. Click Members under Advanced on the right.
f. Click No Service Group Member in the Service Group Members section.
g. Select the Server Based radio button.
h. Select srv_blue from the Server Name drop-down menu.
i. Type 1813 in the Port field.
j. Click Create.
k. Click 1 Service Group Member in the Service Group Members section.
l. Click Add.
4.
m. Select the Server Based radio button.

n. Select srv_green from the Server Name drop-down menu.
o. Type 1813 in the Port field.
p. Click Create.
q. Click Add.
r. Select the Server Based radio button.
s. Select srv_red from the Server Name drop-down menu.
t. Type 1813 in the Port field.
u. Click Create.
v. Click Close.
w. Click Monitors under Advanced on the right.
x. Click No Service Group to Monitor Binding.
y. Click Click to select in the Select Monitor field.
z. Select the ping radio button.
aa. Click OK.
ab. Select State to enable the monitor.
ac. Click Bind.
ad. Click Done.
Click the Refresh icon and verify that both service groups are ENABLED and UP.
Creating RADIUS Load-Balancing Virtual Servers

1.
2.
Create a RADIUS load balancing virtual server called lb_vsrv_radius_auth with an IP address
of 10.0.0.80 on port 1812.
b. Click Add.
c. Type lb_vsrv_radius_auth in the Name field.
d. Select RADIUS in the Protocol drop-down menu.
e. Type 10.0.0.80 in the IP Address field and type 1812 in the Port field.
f. Click OK and then click OK again.
Bind the radius_rbg_auth service group to the new virtual server using Token for the loadbalancing method and CLIENT.UDP.RADIUS.USERNAME for the rule.
a. Click Service Group under Advanced on the right.
91
b.
3.
4.
Click No Load Balancing Virtual Server Service Group Binding in the Service
Group section.
c. Click Click to select in the Select Service Group Name field.
d. Click the radius_rbg_auth radio button to bind the service group to the virtual server.
e. Click OK and then click Bind.
f. Click Method under Advanced on the right.
g. Select TOKEN in the Load Balancing Method drop-down menu.
h. Delete None from the Expression window and then type
CLIENT.UDP.RADIUS.USERNAME in the Expression window.
i. Click OK.
j. Click the Persistence under Advanced on the right.
k. Click RULE in the Persistence drop-down menu.
l. Verify that CLIENT.UDP.RADIUS.USERNAME appears in the Expression window.
m. Click OK.
n. Click Done.
Create a RADIUS load balancing virtual server called lb_vsrv_radius_acct with an IP address of
10.0.0.80 and a port of 1813.
b. Click Add.
c. Type lb_vsrv_radius_acct in the Name field.
d. Select RADIUS in the Protocol drop-down menu.
g. Click OK and then click OK again.
h. Click Service Group under Advanced on the right.
i. Click No Load Balancing Virtual Server ServiceGroup Binding in the Service Group
section.
j. Click Click to select in the Select Service Group Name field.
k. Click the radius_rbg_acct radio button to bind it to the virtual server.
l. Click OK and click Bind.
m. Click Done.
Verify that the Radius authentication and accounting virtual servers are UP.
Testing RADIUS Persistency (Configuration Utility)

92
1.
2.
3.
4.
5.
Launch the RADIUS test client and log on to the client.

a. Click Start > All Programs > RadiusNT > Radius test client to launch the RADIUS
test client (Web page) from the Win7Client desktop. This action launches a web
browser to http://localhost:8020.
b. Log on with the following credentials:
Username: student
Password: Password1
Add a new RADIUS server using 10.0.0.80 as the server address.
a. Click Add next to RADIUS servers (above the red Welcome line) to add a new
RADIUS Server.
b. Type 10.0.0.80 in the Server Address field and type Password1 in the Shared
secret field.
c. Type 1812 in the Auth Port field and 1813 in the Acct port field.
d. Click Continue.
Set up the RADIUS server authentication settings.
a. Click Radlogin (above the red line) and select 10.0.0.80 in the RADIUS Server dropdown menu.
b. Select Authentication from the Profile drop-down menu.
c. Type student in the Login field and type Password1 in the Password field.
d. Click Continue to initiate a RADIUS authentication request to the virtual server. The
response status should indicate Good.
e. Click Continue multiple times to submit additional requests.
View the RADIUS persistence sessions that were created with the RADIUS authentication
requests.
a. In the NetScaler configuration utility (10.0.0.100) , select the Traffic Management
node and then select Virtual Server persistence sessions in the right pane. The
Persistence sessions from the RADIUS authentication requests are displayed.
b. Click Close.
Close the RADIUS test client window.

This section provides step-by-step instructions for completing "Exercise 5-4: Configuring RADIUS
Load Balancing" using the command-line interface.
93
Creating RADIUS Service Groups (Command-Line

Interface)
1.
Enter the following command in PuTTY to create a RADIUS service group called
radius_rbg_auth:
add serviceGroup radius_rbg_auth RADIUS
2.
Enter the following commands to configure WebRed, WebBlue, and WebGreen as specified
members of the new RADIUS service group:
bind serviceGroup radius_rbg_auth srv_blue 1812
bind serviceGroup radius_rbg_auth srv_green 1812
bind serviceGroup radius_rbg_auth srv_red 1812
3.
Enter the following command to create a RADIUS service group called radius_rbg_acct:
add serviceGroup radius_rbg_acct RADIUS
4.
Enter the following commands to bind the service group to the WebBlue, WebGreen, and
WebRed servers:
bind serviceGroup radius_rbg_acct srv_blue 1813
bind serviceGroup radius_rbg_acct srv_green 1813
bind serviceGroup radius_rbg_acct srv_red 1813
5.
Enter the following commands to verify that both service groups are ENABLED and Up:
show serviceGroup radius_rbg_acct
show serviceGroup radius_rbg_auth
Creating RADIUS Load-Balancing Virtual Servers

94
1.
Enter the following command in PuTTY to create a RADIUS load-balancing virtual server
called lb_vsrv_radius_auth with an IP address of 10.0.0.80 on port 1812 using Token for the
load-balancing method and client.udp.radius.username for the rule:
add lb vserver lb_vsrv_radius_auth RADIUS 10.0.0.80 1812
-persistenceType RULE -lbMethod TOKEN
-rule client.udp.radius.username
2.
Enter the following command to bind the radius_rbg_auth service group to the new virtual
server:
bind lb vserver lb_vsrv_radius_auth radius_rbg_auth
3.
Enter the following command to create a RADIUS load-balancing virtual server called
lb_vsrv_radius_acct with an IP address of 10.0.0.80 on port 1813 using Token for the loadbalancing method and client.udp.radius.username for the rule:
add lb vserver lb_vsrv_radius_acct RADIUS 10.0.0.80 1813
-persistenceType RULE -lbMethod TOKEN
-rule client.udp.radius.username
4.
Enter the following command to bind the radius_rbg_acct service group to the new virtual
server:
bind lb vserver lb_vsrv_radius_acct radius_rbg_acct
5.
Enter the following commands to verify that the Radius authentication and accounting virtual
servers are Up:
show lb vserver lb_vsrv_radius_acct
show lb vserver lb_vsrv_radius_auth
Testing RADIUS Persistency (Command-Line Interface)

1.
2.
Launch the RADIUS test client and log on to the client.

a. From the Win7Client desktop, navigate to Start > All Programs > RadiusNT >
Radius test client. This action launches a Web browser to http://localhost:8020.
b. Log on with the following credentials:
Username: student
Password: Password1
Add a new RADIUS server using 10.0.0.80 as the server address.
a. Click (Add) next to RADIUS servers (above the red Welcome line), to add a new
RADIUS Server.
95
3.
b. Type 10.0.0.80 in the Server address field.

c. Type Password1 in the Shared secret field.
d. Type 1812 in the Auth port field and 1813 in the Acct port field.
e. Click Continue.
Set up the RADIUS server authentication settings.
a. Click Radlogin (above the red RADIUS server line) and select 10.0.0.80 from the
RADIUS Server drop-down menu.
b. Select Authentication from the Profile drop-down menu.
c. Type student in the Login field and type Password1 in the Password field.
d. Click Continue to initiate a RADIUS authentication request to the virtual server. The
response status should indicate Good.
RADIUS Test fails with Timeout response. Did removing the 10.30.0.0, or 10.29.0.0 route
break this or did the removal of the 10.30.0.254 SNIP break it? It used to work. Did I type
something incorrect.
e.
4.
Click Continue multiple times to submit additional requests. Verify that the Response
status is still Good.
f. Close the RADIUS test client window.
View the RADIUS persistence sessions that were created with the RADIUS authentication
requests.
a. Switch to the PuTTY command-line interface for NS_VPX_0.
b. Enter the following command to view the persistence sessions:
show persistentSessions lb_vsrv_radius_auth
Persistence sessions from the RADIUS authentication requests are displayed.
96
Module 6
SSL Offload
98
Module 6: SSL Offload Exercises

Exercise 6-1: Configuring SSL Certificates and SSL Offload
This exercise demonstrates the use of SSL certificates with a NetScaler system and how to configure
SSL Offload.
Before You Begin

AD.training.lab
NS_VPX_0
WebBlue
WebGreen
WebRed
Win7Client

This exercise provides step-by-step instructions for completing "Exercise 6-1: Configuring SSL
Certificates and SSL Offload" using the configuration utility.
Creating an RSA Key File (Configuration Utility)

1.
Use the NetScaler certificate tools to create an RSA key file called TestKey.pem with a key size
of 2048 and DES3 as the encoding algorithm.
a. Navigate to Traffic Management > SSL and then click Create RSA Key under SSL
Keys.
b. Type TestKey.pem in the Key Filename field and then type 2048 in the Key Size
field.
c. Select F4 as the Public Exponent Value and verify that PEM is selected as the Key
Format.
d. Select DES3 as the PEM Encoding Algorithm and type Password1 in the PEM
Passphrase and Confirm PEM Passphrase fields.
Module 6: SSL Offload
99
In a production environment, specify a secure passphrase.
e.
Click OK.
Creating a Certificate Request (Configuration Utility)

1.
Use the NetScaler certificate tools to create a certificate request named TestCSR.csr using
TestKey.pem as the key file and the MillennialGadgets.com company information.
a. Navigate to Traffic Management > SSL and then click Create Certificate Signing
Request (CSR) under SSL Certificates.
b. Type TestCSR.csr in the Request File Name field.
c. To the right of the Key Filename field, select Appliance from the Browse drop-down
list.
d. Select TestKey.pem from the current directory and click Open.
e. Type Password1 in the PEM Passphrase field.
f. Provide the following information in the corresponding Distinguished Name Fields:
State or Province Name: California
Organization Name: MillennialGadgets.com
Common Name: MillennialGadgets.com
g. Type Password1 in the Challenge Password field.
This password does not have to be same as the PEM passphrase. However,
outside of the lab environment, it is recommended that you specify a secure
passphrase.
h.
i.
Type MillennialGadgets.com in the Company Name field.

Click OK.
The Create Certificate Request dialog box closes.
Creating a Certificate (Configuration Utility)

1.
100
Use the NetScaler certificate tools to create a self-signed certificate named TestCert.cert with a
validity period of 1825 days.
a.
2.
3.
Navigate to Traffic Management > SSL and then click Create Certificate under SSL
Certificates.
b. Type TestCert.cert in the Certificate File Name field.
c. Verify that PEM is selected as the Certificate Format, and then select Server as the
Certificate Type.
d. Click Browse next to the Certificate Request File Name field, select TestCSR.csr in the
displayed directory and then click Open.
e. Type 1825 in the Validity Period field.
Use the NetScaler certificate tools to continue creating a self-signed certificate named
TestCert.cert using ns-root.cert and ns-root.key as the CA certificate file and CA key file.
a. Click Browse next to the CA Certificate File Name field, select ns-root.cert in the
current directory and click Open.
b. Verify that PEM is selected as the CA Certificate File format.
c. Click Browse next to the CA Key File Name field, select ns-root.key in the current
directory and then click Open.
d. Verify that PEM is selected as the CA Key File Format.
e. Type Password1 in the PEM Passphrase field.
Use the NetScaler certificate tools to complete creating a self-signed certificate named
TestCert.cert using ns-root.srl as the CA serial number file.
a. Click Browse next to the CA Serial File Number field, select ns-root.srl in the
displayed directory and click Open.
b. Click OK.
Configuring a Certificate-Key Pair (Configuration Utility)

1.
2.
Create
a.
b.
c.
a certificate-key pair on the NetScaler system using the new certificate and key.
Navigate to Traffic Management > SSL > Certificates and then click Install.
Type TestCertKey in the Certificate-Key Pair Name field.
Click Browse next to Certificate File Name field, select TestCert.cert in the displayed
directory, and click Open.
d. Click Browse next to the Key File Name field and select TestKey.pem in the displayed
directory and click Open.
e. Verify that PEM is selected as the Certificate Format and type Password1 in the
Password field
f. Click Install to create the certificate-key pair.
Verify that TestCertKey is displayed in the SSL Certificates pane and the status is shown as
Valid.
101
Creating an SSL Offload Virtual Server (Configuration Utility)

1.
2.
102
Begin configuration of an "ssl_vsrv_rbg" SSL-offload virtual server with an IP address of

10.0.0.81 and ROUND ROBIN as the load balancing method.
a. Navigate to Traffic Management > Load Balancing > Virtual Servers and click Add.
b. Type ssl_vsrv_rbg in the Name field and select SSL as the protocol.
c. Type 10.0.0.81 in the IP Address field and verify that 443 appears in the Port
field.
d. Click OK
e. Click No Load Balancing Virtual Server Service Binding in the Service section.
f. Click Click to select under Select Service
g. Select the svc_red radio button and click OK.
h. Click Bind.
i. Click 1 Load Balancing Virtual Server Service Binding.
j. Click Add Binding.
k. Click Click to select under Select Service.
l. Select the svc_blue radio button and click OK.
m. Click Bind.
n. Click Add Binding.
o. Click Click to select under Select Service.
p. Select the svc_green radio button and click OK.
q. Click Bind, click Close and then click OK.
r. Click Method under Advanced on the right.
s. Select ROUNDROBIN in the Load Balancing Method drop-down list.
t. Click OK.
Complete the configuration of the ssl_vsrv_rbg SSL-offload virtual server by adding the
TestCertKey to the virtual server. Create the virtual server.
a. Click SSL Certificate from the Advanced section on the right.
b. Click No Server Certificate under Certificates.
c. Click Click to select under Select Server Certificate.
d. Select the TestCertKey radio button from the list of available certificates.
e. Click OK and Bind.
f. Click Done.
g. Click the Refresh icon and then verify that the SSL virtual server (ssl_vsrv_rbg)
displays the State as Up.
3.
Click the Floppy Disk icon in the upper-right corner of the configuration utility to save the
running configuration and then click Yes to confirm.
Testing SSL Offload (Configuration Utility)

1.
Open a secure connection to the virtual server and test the SSL offload configuration.
a. Open an Internet Explorer browser window and browse to
https://10.0.0.81/home.php.
b. Select Continue to this web site (not recommended).
This certificate error is displayed within the browser because the test certificate
was not created by a trusted certificate authority and a root certificate was not
installed. Disregard these errors for this lab exercise.
c.
Refresh the web site multiple times.

The site is now secured with SSL. The web page load-balances between the Red, Blue,
and Green web servers based on the services bound to the SSL-offload virtual server.
d.
Close Internet Explorer.

This exercise provides step-by-step instructions for completing "Exercise 6-1: Configuring SSL
Certificates and SSL Offload" using the command-line interface.
Configuring a Self-Signed Certificate (Command-Line

Interface)
1.
Create an RSA Key called TestKey.pem with a key size of 2048 and DES3 as the encoding
algorithm.
a. Enter the following command in PuTTY to create the RSA key file:
create ssl rsakey TestKey.pem 2048 -exponent F4 keyform PEM -des3 -password Password1
2.
Create a certificate request called TestCSR.csr using TestKey.pem as the key file and the
MillennialGadgets.com company information.
103
a.
Enter the following command to create the certificate request:

create ssl certreq TestCSR.csr -keyFile TestKey.pem keyForm PEM
-PEMPassPhrase Password1 -countryName US stateName California organizationName MillennialGadgets.com
-commonName MillennialGadgets.com challengePassword Password1
3.
Create a self-signed certificate named TestCert.cert with a validity period of 1825 days.
a. Enter the following command to create the SSL certificate:
create ssl cert TestCert.cert TestCSR.csr SRVR_CERT
-CAcert /nsconfig/ssl/ns-root.cert
-CAkey /nsconfig/ssl/ns-root.key CAserial /nsconfig/ssl/ns-root.srl
4.
Create the Certificate Key Pair by using the created RSA Key and Certificate.
a. Enter the following command to create the certkey:
add ssl certkey TestCertKey -cert TestCert.cert key TestKey.pem
-password Password1
b.
Enter the following command to view the certkey:

show ssl certkey
5.

a. Enter the following command to save the configuration:
save ns config
Configuring SSL Offload (Command-Line Interface)

1.
Create an SSL virtual server called ssl_vsrv_rbg, bind the certificate key-pair to the virtual
server and then bind the services to the virtual server.
a. Enter the following command in PuTTYto create the SSL virtual server:
add lb vserver ssl_vsrv_rbg SSL 10.0.0.81 443
104
b.
Enter the following command to bind the certificate-key pair to the SSL virtual server:
bind ssl vserver ssl_vsrv_rbg -certkeyName TestCertKey
c.
Enter the following commands to bind services to the SSL virtual server:
bind lb vserver ssl_vsrv_rbg svc_blue
bind lb vserver ssl_vsrv_rbg svc_green
bind lb vserver ssl_vsrv_rbg svc_red
d.

save ns config
Testing SSL Offload (Command-Line Interface)

1.
Open a secure connection to the virtual server and test the SSL offload configuration.
a. Open a Firefox browser window and browse to https://10.0.0.81/home.php.
b. Click I Understand the Risks, click Add Exception and then click Confirm Security
Exception to continue to the web site.
A certificate error will be displayed within the browser because the test
certificate was not created by a trusted certificate authority and a root
certificate was not installed. Disregard these errors for this lab exercise.
c.
Refresh the web site multiple times.

The site is now secured with SSL. The web page load-balances between the Red, Blue,
and Green web servers based on the services bound to the SSL-offload virtual server.
105
106
Module 7
Global Server Load

Balancing
108
Module 7: Global Server Load Balancing

Exercises
Exercise 7-1: Configuring Global Server Load-Balancing
(GSLB)
This exercise will demonstrate how to configure two NetScaler systems located in different locations
for global server load balancing (GSLB).
You must begin configuring the GSLB pair by setting up the first NetScaler at the Frankfurt site.
Before You Begin

AD.training.lab
NS_VPX_1
NS_VPX_2
Web_Blue
Web_Green
Web_Red
Win7Client
Information required for this lab:
Variable
Frankfurt
Tokyo
NSIP
10.0.0.110
10.30.0.120
SNIP
10.0.0.91
10.30.0.92
SNIP (Site IP)
10.0.0.93
10.30.0.93
VIP1
10.0.0.66
10.30.0.76
VIP2
10.0.0.68
10.30.0.78
Variable
IP Address
DNS Name Server
10.29.0.11
109

This section provides step-by-step instructions for completing "Exercise 7-1: Configuring Global
Server Load Balancing" using the configuration utility.
Enabling Global Server Load Balancing on the Frankfurt

NetScaler (Configuration Utility)
1.
Enable the GSLB feature on the NS_VPX_1 (Frankfurt) system.

a. Open a browser connection to http://10.0.0.110 (Frankfurt) and log on with
b. Navigate to System > Settings.
c. Click Configure Advanced Features.
d. Select Global Server Load Balancing and click OK.
If you received the error, "All commands failed (19)", click OK to close the
error message and then click Close to close the Configure Advanced Features
screen. The feature has been enabled, despite the message.
Configuring the GSLB Sites on the Frankfurt NetScaler

1.
2.
110
Add a "site_FRK" (10.0.0.93) GSLB site to the Frankfurt NetScaler.

a. Navigate to Traffic Management > GSLB > Sites and then click Add.
b. Type site_FRK in the Name field.
c. Select LOCAL in Type drop-down menu.
d. Type 10.0.0.93 in the Site IP Address field.
e. Click Create.
Add a "site_TOK" (10.30.0.93) GSLB site to the Frankfurt NetScaler.
a. Click Add.
b. Type site_TOK in the Name field and 10.30.0.93 in the Site IP Address field.
c.
d.
Select REMOTE in Type drop-down menu.

Click Create.
The site_TOK Site Metric MEP Status will show as Down until site_TOK is
configured on a remote GSLB site.
Configuring GSLB Services on the Frankfurt NetScaler

1.
2.
3.
Create a "gslb_svc_FRK" GSLB service on the Frankfurt NetScaler and configure the service to
communicate over HTTP on port 80.
a. Navigate to Traffic Management > GSLB > Services and then click Add.
b. Type gslb_svc_FRK in the Service Name field and select site_FRK from the Site
Name drop-down menu.
c. Select LOCAL from the Site Type drop down menu.
d. Verify that HTTP is selected as the Service Type and 80 appears in the Port field.
e. Select Virtual Servers radio button and then select lb_vsrv_FRK from the Virtual
Server drop-down menu.
Create a "gslb_svc_TOK" GSLB service on the Frankfurt NetScaler and configure the service to
communicate over HTTP on port 80.
a. Click Add
b. Type gslb_svc_TOK in the Service Name field, select site_TOK from the Site
Name drop-down menu.
c. Select Remote from the Site Type drop down menu.
d. Verify that HTTP is selected as the Service Type and 80 appears in the Port field.
e. Select New Server and type 10.30.0.78 in the Server IP field. This is the SNIP for
site_TOK on NS_VPX_2.
f. Click OK.
g. Click Done.
Verify that the state for gslb_svc_FRK service shows as UP.
The gslb_svc_TOK service will show as DOWN until the remote GSLB service is
configured.
111
Adding and Binding the GSLB Virtual Server to the

Frankfurt NetScaler (Configuration Utility)
1.
2.
3.
Begin configuration of a "GSLB_vsrv_global" HTTP GSLB virtual server on the Frankfurt

NetScaler. Bind the new virtual server to the gslb_svc_FRK and gslb_svc_TOK GSLB services.
a. Navigate to Traffic Management > GSLB > Virtual Servers and click Add.
b. Type GSLB_vsrv_global in the Name field and verify that HTTP is selected for
the Service Type.
c. Click OK.
d. Click Service under Advanced on the right.
e. Click No GSLB Virtual Server to GSLBService Binding under the GSLB Virtual
Server to GSLB Service Binding section.
f. Click Click to select under Select Service.
g. Select the gslb_svc_FRK radio button.
h. Click OK and then click Bind.
i. Click 1 GSLB Virtual Server to GSLBService Binding under the GSLB Virtual Server
to GSLB Service Binding section.
k. Click Click to select under Select Service.
l. Select the gslb_svc_TOK radio button.
m. Click OK and click Bind.
n. Click Close.
Complete the configuration by setting the GSLB_vsrv_global virtual server for round-robin
load balancing. Create the new GSLB virtual server.
a. Click the Edit icon (pencil) in the Method section of the screen and select
ROUNDROBIN in the Choose Method drop-down menu.
b. Click OK and then click Done.
Verify that the GSLB_vsrv_global virtual server shows as UP after creating it.
The health for the GSLB_vsrv_global virtual server will show as 50 percent until an
additional NetScaler system is configured.
Exercise 7-1: Step-by-Step (Command-line Interface)

This section provides step-by-step instructions for completing "Exercise 7-1: Configuring Global
Server Load Balancing" using the command-line interface.
112
Enabling Global Server Load Balancing on the Frankfurt

NetScaler (Command-Line Interface)
1.
2.
3.
4.
Start NS_VPX_1 and NS_VPX_2 in the lab environment.

a. Move the mouse pointer to the top of the Win7Client VM and select All VMs to
return to the lab environment.
b. Click the NS_VPX_1 virtual machine and then click the Play icon.
c. Click the NS_VPX_2 virtual machine and then click the Play icon.
d. Click the Win7Client display in the lab environment to access the Win7Client
desktop.
Launch PuTTY from the Win7Client desktop.
Log on to the Frankfurt NetScaler (NS_VPX_1) PuTTY command-line interface using the
nsroot credentials.
Enter the following command to enable the GSLB feature:
enable ns feature GSLB
Configuring the GSLB Sites on the Frankfurt NetScaler

From the Win7Client, use an SSH connection (PuTTY) to the NS_VPX_1 command-line interface
1.
Add the "site_FRK" and "site_TOK" GSLB sites to the Frankfurt NetScaler.
a. Enter the following command to add the Frankfurt GSLB site:
add gslb site site_FRK 10.0.0.93
b.
Enter the following command to add the Tokyo GSLB site:

add gslb site site_TOK 10.30.0.93
2.
Enter the following command to display the NetScaler IP address:

show ns ip
3.
Enter the following command to display the GSLB site:

show gslb site
The site_FRK will appear as LOCAL and site_TOK will appear as REMOTE.
113
Configuring GSLB Services on the Frankfurt NetScaler

1.
Enter the following command to add the gslb_svc_FRK service to the Frankfurt NetScaler:
add gslb service gslb_svc_FRK srv_FRK HTTP 80 publicIP 10.0.0.68
-publicPort 80 -siteName site_FRK
2.
Enter the following command to add the gslb_svc_TOK service:

add gslb service gslb_svc_TOK srv_TOK HTTP 80 publicIP 10.30.0.78
-publicPort 80 -siteName site_TOK
3.
Enter the following commands to display the GSLB site:

show gslb site
show gslb site site_FRK
show gslb site site_TOK
The gslb_svc_TOK state will show as DOWN because the Tokyo NetScaler has not been
configured yet.
Adding and Binding the GSLB Virtual Server to the

Frankfurt NetScaler (Command-Line Interface)
1.
Enter the following command to add the GSLB virtual server GSLB_vsrv_global of type HTTP
using round robin for the load-balancing method:
add gslb vserver GSLB_vsrv_global HTTP -lbMethod ROUNDROBIN
The LB method is being set to Round Robin for purposes of the lab demonstration
only. A production implementation of GSLB would not be based on round robin.
2.
114
Bind the Frankfurt and Tokyo GSLB services to the GSLB virtual server.
a.
Enter the following command to bind the Frankfurt GSLB service to the GSLB virtual
server:
bind gslb vserver GSLB_vsrv_global serviceName gslb_svc_FRK
b.
Enter the following command to bind the Tokyo GSLB service to the GSLB virtual
server:
bind gslb vserver GSLB_vsrv_global serviceName gslb_svc_TOK
3.
Enter the following command to display the GSLB virtual server:

show gslb vserver
Verify that the GSLB virtual server State shows as Up.
4.
Enter the following command to display the GSLB virtual server GSLB_vsrv_global:
show gslb vserver GSLB_vsrv_global
Exercise 7-2: Configuring Additional NetScaler Systems for

Global Server Load Balancing (GSLB)
This exercise will demonstrate how to configure GSLB on the second NetScaler at the Tokyo site.
Before You Begin

AD.training.lab
NS_VPX_1
NS_VPX_2
Web_Blue
Web_Green
Web_Red
Win7Client
115
Variable
Frankfurt
Tokyo
NSIP
10.0.0.110
10.30.0.120
SNIP
10.0.0.91
10.30.0.92
SNIP (Site IP)
10.0.0.93
10.30.0.93
VIP1
10.0.0.66
10.30.0.76
VIP2
10.0.0.68
10.30.0.78
Variable
IP Address
DNS Name Server
10.29.0.11

This section provides step-by-step instructions for completing "Exercise 7-2: Configuring Additional
NetScaler Systems for Global Server Load Balancing" using the configuration utility.
Enable Global Server Load Balancing on the Tokyo

NetScaler (Configuration Utility)
1.
2.
Open a Chrome browser connection to http://10.30.0.120 (Tokyo) and log on using

Enable the GSLB feature on the NS_VPX_2 (Tokyo) system.
a. Navigate to System > Settings.
b. Click Configure Advanced Features.
c. Select Global Server Load Balancing and click OK.
If you received the error, "All commands failed (19)", click OK to close the
error message and then click Close to close the Configure Advanced Features
screen. The feature has been enabled, despite the message.
116
Configuring the GSLB Sites on the Tokyo NetScaler

1.
Add a "site_FRK" (10.0.0.93) GSLB site to the Frankfurt NetScaler.

a. Navigate to Traffic Management > GSLB > Sites and click Add.
b. Type site_FRK in the Name field and 10.0.0.93 in the Site IP Address field.
c. Select REMOTE in Type drop-down menu.
d. Click Create.
You may need to refresh the view for the Site Metric MEP Status to show as
Enabled.
2.
Add a "site_TOK" (10.30.0.93) GSLB site to the Frankfurt NetScaler.

a. Click Add
b. Type site_TOK in the Name field and 10.30.0.93 in the Site IP Address field.
c. Select LOCAL in Type drop-down menu.
d. Click Create.
Synchronize GSLB Settings (Configuration Utility)

1.
Synchronize the GSLB settings from the Frankfurt NetScaler to the Tokyo NetScaler.
a. Switch to the Frankfurt NetScaler (10.0.0.110).
b. Navigate to Traffic Management > GSLB and click Synchronize configuration on
remote sites.
The Synchronize GSLB Configuration window appears.
c.
d.
Select Force Sync from the Synchronization Option and then select site_TOK from
the GSLB Site Name drop-down menu.
Click OK.

This section provides step-by-step instructions for completing "Exercise 7-2: Configuring Additional
NetScaler Systems for Global Server Load Balancing" using the command-line interface.
117
Enabling Global Server Load Balancing on the Tokyo

NetScaler (Command-Line Interface)
1.
2.
Log on to the PuTTY command-line interface for Tokyo NetScaler (NS_VPX_2) using the
nsroot credentials.
Enter the following command to enable the GSLB feature:
enable ns feature gslb
Configuring the GSLB Sites on the Tokyo NetScaler

1.
Add the "site_FRK" and "site_TOK" GSLB sites to the Tokyo NetScaler.
a. Enter the following command to add the Frankfurt GSLB site:
add gslb site site_FRK 10.0.0.93
b.
Enter the following command to add the Tokyo GSLB site:

add gslb site site_TOK 10.30.0.93
2.
Enter the following command to display the NetScaler IP address:

show ns ip
3.

show gslb site
Synchronize GSLB Settings (Command-Line Interface)

1.
Synchronize the GSLB settings from the Frankfurt NetScaler to the Tokyo NetScaler.
a. In the PuTTY command-line interface for the Frankfurt NetScaler (NS_VPX_1), enter
the following command to save the configuration:
save ns config
118
b.
In the PuTTY command-line interface for the Frankfurt NetScaler (NS_VPX_1), enter
the following commands to force sync the local GSLB configuration to the remote
GSLB site:
sync gslb config -forceSync site_TOK
y
An automated script will sync all settings from the local site to the remote site.
c.
Save the NetScaler configuration on both Frankfurt and Tokyo NetScalers.

1. On NS_VPX_1 (10.0.0.110), enter the following command to save the
Frankfurt NetScaler configuration:
save ns config
2.
On NS_VPX_2 (10.30.0.120), enter the following command to save the

Tokyo NetScaler configuration:
save ns config
Exercise 7-3: Configuring DNS to Test a Global Server

Load-Balancing (GSLB) Configuration
This exercise will demonstrate how to test the GSLB configuration using DNS.
Before You Begin

AD.training.lab
NS_VPX_1
NS_VPX_2
Web_Blue
Web_Green
Web_Red
Win7Client
Variable
Frankfurt
Tokyo
NSIP
10.0.0.110
10.30.0.120
119
Variable
Frankfurt
Tokyo
SNIP
10.0.0.91
10.30.0.92
SNIP (Site IP)
10.0.0.93
10.30.0.93
VIP1
10.0.0.66
10.30.0.76
VIP2
10.0.0.68
10.30.0.78
Variable
IP Address
DNS Name Server
10.29.0.11

This section provides step-by-step instructions for completing "Exercise 7-3: Configuring DNS to
Test a Global Server Load-Balancing (GSLB) Configuration" using the configuration utility.
Configuring DNS Settings (Configuration Utility)

Configuring ADNS is only necessary on one NetScaler.
1.
2.
120
Switch to the Frankfurt NetScaler (10.0.0.110) configuration utility.

Bind the "www.gslbdomain.com" domain alias to the GSLB_vsrv_global virtual server on the
Frankfurt NetScaler.
a. Navigate to Traffic Management > GSLB > Virtual Servers.
b. Select the GSLB_vsrv_global virtual server and click Edit.
c. Click Domains under Advanced on the right.
d. Click No GSLB Virtual Server Domain Binding under domains.
e. Type www.gslbdomain.com in the Domain Name field.
f. Click Bind and then click Done.
3.
4.
Create an authoritative DNS service using the 10.0.0.66 LB VS IP address on the Frankfurt
NetScaler.
a. Navigate to Traffic Management > DNS > Name Servers and click Add.
b. Select the DNS Virtual Server radio button then click the DNS Virtual Server drop
down menu and select lb_vsrv_dns virtual server.
c. The Protocol should state UDP.
d. Click Create.
Switch to the Frankfurt NetScaler command-line interface and ping the www.gslbdomain.com
domain to verify the DNS setup.
a. Launch a PuTTY session from the Win7Client desktop and open the NS_VPX_1 saved
session.
b. Log on to the NS_VPX_1 command-line interface using the nsroot credentials.
c. Enter the following command to ping the www.gslbdomain.com domain several times:
ping www.gslbdomain.com
Note the IP address, then press CTRL+C to stop the ping.
If GSLB is configured correctly on both systems, the ping response should alternate between
the VIP addresses of the Frankfurt and Tokyo NetScaler systems during alternating tests.
Be aware that pinging the address from multiple locations at once can hide the roundrobin load-balancing behavior, since subsequent requests can be load balanced
(correctly) back to the first server.
5.
Enable
a.
b.
c.
d.
e.
f.
Multiple IP Response (MIR) on the Frankfurt NetScaler.

Navigate to Traffic Management > GSLB > Virtual Servers.
Select GSLB_vsrv_global and click Edit.
Click the Edit icon (pencil) for the Basic Settings
Select Send all "active" service IP's in response (MIR) and click OK.
Click Done
Configuring Local DNS Settings to Test the GSLB

Configuration (Configuration Utility)
1.
Open the Local Area Network settings for the Win7Client virtual machine.
121
a.
2.
Click Start > Control Panel on the Win7Client to open the Control Panel dialog box
on the hosted workstation.
b. Click Network and Sharing Center, and then click Local Area Connection.
c. Click Properties to open the Local Area Connection Properties dialog box.
Configure the local DNS settings to use the 10.0.0.66 LB virtual server.
a. Highlight Internet Protocol Version 4 (TCP/IPv4).
b. Click Properties to open the Internet Protocol (TCP/IP) Properties dialog box.
c. Select Use the following DNS server addresses.
d. Set the Preferred DNS Server to 10.0.0.66.
It is recommended to use only one NetScaler system as a DNS.
3.
Close the Local Area Network settings.

a. Click OK to save the settings.
b. Click Close and then click Close again.
c. Close the Network and Sharing Center window.
Testing the GSLB Configuration (Configuration Utility)

1.
Ping the www.gslbdomain.com domain using a Windows command prompt.

a. Click Start, type cmd, and then press Enter to open a command prompt.
b. Ping the www.gslbdomain.com domain using the following command:
2.
Repeat the ping 5 more times.

Expected result: The server IP address of the response changes with some of the pings.
If the responses do not alternate between Frankfurt and Tokyo, try flushing the DNS with the
command: ipconfig /flushdns.
3.
4.
Open the Google Chrome browser and browse to

http://www.gslbdomain.com/remote.php to view the global load-balancing server.
Either the Red Tokyo (remote.php) screen on NetScaler Tokyo or the Green Frankfurt
(remote.php) screen on NetScaler Frankfurt appears.
Open Firefox and browse to http://www.gslbdomain.com/remote.php to view the
global load-balancing server.
The alternate remote.php screen will load in the new browser.
122
If ping responses are displaying alternating IP addresses as expected, but the content
in the web browsers is not reflecting load balancing between the Frankfurt and Tokyo
NetScaler systems, close all open web browsers. Repeat the test with only one web
browser and close and open the browser between each test.
5.
Switch back to the command prompt on the Win7Client virtual machine and perform an
nslookup on the www.gslbdomain.com domain.
a. Switch to the Win7Client command prompt.
b. Perform an nslookup using the following command:
nslookup www.gslbdomain.com
The GSLB virtual server returns two IP addresses, 10.0.0.68 and 10.30.0.78.
Return DNS Settings to Default (Configuration Utility)

1.
2.
a. Click Start > Control Panel to open the Control Panel dialog box on the hosted
workstation.
b. Click Network and Internet, click Network and Sharing Center, and then click Local
Area Connection.
3.
4.

123
c.
\Click the Pause icon for the NS_VPX_2 VM to shut it down.

This section provides step-by-step instructions for completing "Exercise 7-3: Configuring DNS to
Test a Global Server Load-Balancing (GSLB) Configuration" using the command-line interface.
Configuring DNS Settings (Command-Line Interface)

Configuring ADNS is only necessary on one NetScaler.
1.
In the PuTTY command-line interface for the Frankfurt NetScaler (NS_VPX_1), enter the
following command to bind the domain alias www.gslbdomain.com to the GSLB virtual server:
bind gslb vserver GSLB_vsrv_global domainName www.gslbdomain.com
2.
Enter the following command to create an authoritative DNS service on the Frankfurt
NetScaler:
add dns nameserver lb_vsrv_dns -state ENABLED
3.
Enter the following command to ping the domain name from the NetScaler command-line
interface and verify the results:
Note the IP address and then press CTRL+C to stop the ping.
4.
Enter the following command to repeat the ping to domain name from the PuTTY commandline interface and verify that the other site is responding to the ping:
Note the IP address then press CTRL+C to stop the ping.
If GSLB is configured correctly on both systems, the ping response should alternate between
the VIP addresses of the Frankfurt and the Tokyo NetScaler systems during alternating tests.
124
Be aware that pinging the address from multiple locations at once can hide the roundrobin load-balancing behavior, since subsequent requests can get load balanced
(correctly) back to the first server.
5.
Enable Multiple IP Response (MIR) on the Frankfurt NetScaler.

a. Enter the following command on NS_VPX_1 (10.0.0.110) to enable MIR:
set gslb vserver GSLB_vsrv_global -MIR ENABLED
Verifying the Configuration (Command-Line Interface)

Perform these steps on both the Frankfurt and Tokyo NetScalers.
1.

show gslb site
2.
Enter the following command to display the GSLB virtual server GSLB_vsrv_global:
show gslb vserver gslb_vsrv_global
3.
Enter the following command to display the GSLB service gslb_svc_FRK:

show gslb service gslb_svc_FRK
4.
Enter the following command to display the GSLB service gslb_svc_TOK:

show gslb service gslb_svc_TOK
Configuring Local DNS Settings to Test the GSLB

Configuration (Command-Line Interface)
1.
2.
workstation.
b. Click Network and Sharing Center, and then click Local Area Connection 2.
Configure the local DNS settings to use the 10.0.0.66.
125
a.
b.
c.
d.
Highlight Internet Protocol Version 4 (TCP/IPv4).

Click Properties to open the Internet Protocol (TCP/IP) Properties dialog box.
Select Use the following DNS server addresses.
Set the Preferred DNS Server to 10.0.0.66.
3.

Testing the GSLB Configuration (Command-Line Interface)

1.
Ping the www.gslbdomain.com domain using a Windows command prompt.

a. Click Start, type cmd, and press Enter to open a command prompt.
b. Ping the www.gslbdomain.com domain by entering the following command:
2.
Repeat the ping 5 more times.

Expected result: The server IP address of the response changes with some of the pings.
If the responses do not alternate between Frankfurt and Tokyo, try flushing the DNS with the
command: ipconfig /flushdns.
3.
4.
Open the Chrome browser and browse to http://www.gslbdomain.com/remote.php

to view the global load-balancing server. Either the Red Tokyo (remote.php) screen for
NetScaler Tokyo or the Green Frankfurt (remote.php) screen for NetScaler Frankfurt appears.
Open Firefox and browse to http://www.gslbdomain.com/remote.php to view the
global load-balancing server.
The alternate remote.php screen will load in the new browser.
If ping responses are displaying alternating IP addresses as expected, but the content
in the web browsers is not reflecting load balancing between the Frankfurt and Tokyo
NetScaler systems, close all open web browsers. Repeat the test with only one web
browser and close and open the browser between each test.
5.
126
Switch back to the command prompt on the Win7Client virtual machine and perform an
nslookup on the www.gslbdomain.com domain.
a.
b.
Switch to the Win7Client command prompt.

Enter the following command to perform an nslookup:
nslookup www.gslbdomain.com
The GSLB virtual server returns two IP addresses, 10.0.0.68 and 10.30.0.78.
Return DNS Settings to Default (Command-Line Interface)

1.
2.
workstation.
b. Click Network and Internet, click Network and Sharing Center, and then click Local
Area Connection.
3.
4.

Shut down NS_VPX_1 and NS_VPX_2 in the lab environment.
a. Move the mouse pointer to the top of the Win7Client VM and click All VMs to
return to the lab environment screen.
b. Select the NS_VPX_1 virtual machine and click the Pause icon.
c. Select the NS_VPX_2 virtual machine and click the Pause icon.
127
GSLB Troubleshooting Tips

If the procedure for testing the GSLB configuration does not produce the expected results, use the
following tips to troubleshoot the lab configuration.
Unable to Resolve www.gslbdomain.com
Ensure that you are pointing to the correct DNS server. For this lab, you should point to one
of the ADNS IP addresses on either the Frankfurt or Tokyo NetScaler systems.
Ensure that you set the DNS setting on the correct network connection if multiple networks
are present. Consult with your instructor if required.
Ensure that your web browser does not have a proxy server configured.
Ensure that you are not connecting from a workstation behind a firewall that is blocking UDP
port 53 (DNS).
Load Balancing between NetScaler Systems Not Occurring
If the issue exists during the browser test, clear the cache between test runs. For best results,
close and re-open the browser between each test.
If the issue is at the ping response from the workstation and only 1 IP address is being
returned, verify that the GSLB sites, services, and virtual servers appear as UP and that MEP
status shows as UP/Active.
Multiple browser instances can also affect the results. Close all open browsers and start from a
fresh session. Close and open browsers between tests.
Conduct tests from only one hosted workstation at a time.
Ensure that the GSLB and load-balancing (LB) features are ENABLED on both NetScaler
systems.
Verify on the NetScaler system that the resolution is alternating between GSLB services.
Example: From the command-line interface on a given NetScaler system, ping
www.gslbdomain.com; stop and re-ping. Verify that you receive the two expected IP addresses.
Other Issues
128
Verify that the correct IP addresses are used for the load-balancing virtual server, GSLB
services, and GSLB virtual server. Confirm that sites, virtual servers, services, and domains are
bound appropriately.
Verify that MEP is functioning and that both sites and services show as UP on both NetScaler
systems. Using the configuration utility instead of the command-line interface may be easier to
quickly verify the configured settings.
Module 8
AppExpert Classic
Policy Engine
130
Module 8: AppExpert Classic Policy Engine

Exercises
Exercise 8-1: Configuring Content Filtering Using Classic
Policies
This exercise demonstrates the process for configuring a content-filtering policy.
Content filtering allows you to prevent unwanted requests from reaching a protected server, by
comparing the request against filters based on HTTP URLs or headers. Content filtering allows you
to specify the action to take for requests matching the filter rules. The content filter can be
configured to DROP or RESET the request or to return an error code in the response. You have
control over which content to filter and how it is filtered.
Before You Begin

AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client

This section provides step-by-step instructions for completing "Exercise 8-1: Configuring Content
Filtering Using Classic Policies" using the configuration utility.
Configuring a Policy Expression (Configuration Utility)

1.
Create an expression named red_url for URL requests that contain "/red.php".
a. Navigate to AppExpert > Expressions > Classic Expressions and then click Add.
The Create Policy Expression dialog box opens.
131
b.
c.
Type red_url in the Expression Name field.

Click Expression Editor at the top-right of the Expressions section.
The Add Expression dialog box opens.
2.
3.
Create the expression.

a. Select General in the Select Expression Type drop-down menu.
b. Select REQ in the Flow Type drop-down menu.
c. Select HTTP in the Protoco1 drop-down menu.
d. Select URL in the Qualifier drop-down menu.
e. Select = = in the Operator drop-down menu.
f. Type /red.php in the Value field.
g. Click Done.
Complete the policy expression.
a. Verify that the Expression field contains the following expression:
REQ.HTTP.URL == /red.php
b.
Type the following text in the Comments field:

Drop client request for red.php
c.
Click Create.
Configuring Content Filters (Configuration Utility)

1.
Create the cf_red_url content filter policy using the red_url policy expression.
a. Navigate to Security > Protection Features > Filter and then click Add.
The Create Filter Policy dialog box opens.
b.
c.
d.
e.
Type cf_red_url in the Filter Name field.

Select red_url from the Saved Policy Expressions drop-down list.
Select the Request Action radio button and select DROP from the Request Action list.
Click Create.
If a message appears stating that "Feature CF is disabled", click Yes to enable
the Content Filtering feature.
2.
132
Bind the cf_red_url policy globally.

a.
Select the cf_red_url policy, click Action and then click Global Bindings.
The Filter Global Filter Policy Binding dialog box opens.
b.
c.
d.
e.
f.
g.
Click Click to select in the Select Policy field.

Select the cf_red_url radio button.
Click OK.
Click Bind.
Click Done.
Verify that the Hits column shows 0 for the policy.
Testing Content Filtering (Configuration Utility)

Use the Win7Client virtual machine logged on as CitrixAdmin for this task.
1.
Verify that the red.php page does not load.

The pages are being load-balanced, so the server that presents the page may differ in
color from the content on the page.
a.
Open another tab in the browser and browse to http://10.0.0.80/red.php.

The browser will display a "The connection was reset" page and the red content will
not load.
2.
Verify that the blue.php and green.php pages are loading.

a. Open another tab in the browser and browse to http://10.0.0.80/blue.php.
The page should display blue content.
b.
Open another tab in the browser and browse to

http://10.0.0.80/green.php.
The page should display green content.
3.
View the filter policy in the configuration utility.

a. Switch to the configuration utility for NS_VPX_0 (10.0.0.100).
b. Navigate to Security > Protection Features > Filter and click the Refresh icon.
c. Note the number of hits for the cf_red_url policy.
The number of hits should have increased.
You can also switch the policy action from "Drop" to "Reset" to see the difference.
133
Removing a Content Filter Policy (Configuration Utility)

The policy will be unbound so it doesn't impact other exercises.
1.
Unbind
a.
b.
c.
d.
e.
f.
the cf_red_url content filter policy.

Navigate to Security > Protection Features > Filter.
Select the cf_red_url filter.
Click Action and then click Global Bindings.
Select the cf_red_url policy and click Unbind.
Click Yes to confirm.
Click Done.

This section provides step-by-step instructions for completing "Exercise 8-1: Configuring Content
Filtering Using Classic Policies" using the command-line interface.
Configuring a Policy Expression (Command-Line Interface)

1.
2.
3.
Launch the PuTTY command-line interface application from the Win7Client desktop.
Select NS_VPX_0 from the saved sessions and then log on to PuTTY using the nsroot
credentials.
Enter the following command to create the red_url policy expression:
add policy expression red_url "REQ.HTTP.URL == /red.php"
4.
Enter the following command to create the cf_red_url filter using the red_url policy with a
request action of DROP:
add filter policy cf_red_url -rule red_url -reqAction DROP
5.
Enter the following command to bind the content filter policy:

bind filter global cf_red_url
134
6.
Enter the following command to view the filter.

show filter policy cf_red_url
The command displays the details for the filter. Note the number of hits for the filter.
Testing Content Filtering (Command-Line Interface)

1.
Verify that the red.php page does not load from the red server.
a.
Open the Firefox browser from the Win7Client desktop and browse to
http://10.0.0.80/red.php.
The browser will display a "The connection was reset" page and the red content will
not load.
2.
Verify that the blue.php and green.php pages are loading.

a. Open another tab in Firefox and browse to http://10.0.0.80/blue.php.
The page should display blue content.
b.
Open another tab in Firefox and browse to http://10.0.0.80/green.php.

The page should display green content.
3.
View the filter policy in the configuration utility.

a. Switch to the PuTTY command-line interface for NS_VPX_0.
b. Enter the following command to view the details for the cf_red_url filter.
show filter policy cf_red_url
c.
Note the number of hits for the cf_red_url policy.

The number of hits should have increased.
You can also switch the policy action from "Drop" to "Reset" to see the difference.
135
Removing a Content Filter Policy (Command-Line Interface)

The policy will be unbound so it doesn't impact other exercises.
1.
Enter the following command to unbind the content filter policy:

unbind filter global cf_red_url
136
Module 10
Rewrite, Responder,
and URL Transform
10
138
Module 10: Rewrite, Responder, and URL

Transform Exercises
Exercise 10-1: Configuring Rewrite, Responder, and URL
Transformation
This exercise will demonstrate how to create a rewrite rule that appends home.php to the URL
when a request is sent to the web server.
Before You Begin

To begin this exercise, ensure that the following virtual machines are started:
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client

This section provides step-by-step instructions for completing "Exercise 10-1: Configuring Rewrite"
using the configuration utility.
Viewing the Default Web Page (Configuration Utility)

Use the Win7Client virtual machine and log on as the CitrixAdmin user for this task.
1.
2.
Launch Firefox from the Win7Client desktop.

Browse to the RBG virtual server by navigating to http://10.0.0.80.
Note that the index page is displayed for one of the RBG servers.
3.
Browse to the RBG virtual server home page by navigating to http://10.0.0.80/home.php.

Note that the home page is displayed for one of the RBG servers.
Module 10: Rewrite, Responder, and URL Transform
139
Using Rewrite to Modify a URL (Configuration Utility)

1.
2.
3.
Switch to the configuration utility for NS_VPX_0 at http://10.0.0.100 and log on using the
nsroot credentials if necessary.
Add the rw_act_SendToHome rewrite action to replace an unspecified URL path with
"/home.php."
a. Navigate to AppExpert > Rewrite > Actions and then click Add.
b. Type rw_act_SendToHome in the Name field.
c. Select REPLACE from the Type drop-down menu.
d. Type HTTP.REQ.URL.PATH in the Expression to choose target location field.
e. Type "/home.php" in the Expression to Replace with field.
f. Click Create.
Add the req_pol_SendToHome rewrite policy using the rw_act_SendToHome action that
matches the forward slash (/) character.
a. Navigate to Rewrite > Policies and then click Add.
b. Type req_pol_SendToHome in the Name field.
c. Select rw_act_SendToHome from the Action drop-down menu.
d. Type HTTP.REQ.URL.PATH.EQ("/") in the Expression field.
Verify that the expression is typed correctly before moving on.
4.
5.
6.
7.
140
e. Click Create.
Globally bind the rewrite policy.
a. Click the Policy Manager button in the AppExpert > Rewrite > Rewrite Policies
screen.
b. Select Override Global from the Bind Point drop-down menu.
c. Click Continue.
d. Click Click to select in the Select Policy field.
e. Select the req_pol_SendToHome radio button and then click OK.
f. Click Bind.
g. Click Done.
Click the Floppy Disk icon to save the NetScaler configuration and then click Yes to confirm
the save.
Switch to the Firefox browser on the Win7Client desktop.
Browse to http://10.0.0.80/ to verify the rewrite policy.
The home.php page for one of the RGB servers is displayed without having to specify it in the
URL.
8.
Unbind the req_pol_SendToHome policy so it doesn't impact future exercises.

a. Switch to the Chrome browser containing the configuration utility for NS_VPX_0 at
http://10.0.0.100.
b. Navigate to AppExpert > Rewrite > Policies.
c. Click the Policy Manager button.
d. Click Continue.
e. Select the req_pol_SendToHome policy and click Unbind.
f. Click Yes.
g. Click Done.

This section provides step-by-step instructions for completing "Exercise 10-1: Configuring Rewrite,
Responder, and URL Transformation" using the command-line interface.
Viewing the Default Web Page (Command-Line Interface)

Use the Win7Client virtual machine and log on as the CitrixAdmin user for this task.
1.
Open Firefox and browse to the RBG virtual server by navigating to http://10.0.0.80.
Note that the index page is displayed for one of the Red, Blue, or Green (RBG) servers.
2.
Browse to the RBG virtual server home page by navigating to http://10.0.0.80/home.php.

Note that the home page is displayed for one of the RBG servers.
Using Rewrite to Modify a URL (Command-Line Interface)

1.
2.
Log on to the PuTTY command-line interface for NS_VPX_0 using the nsroot credentials.
Enter the following command to add the rw_act_SendToHome rewrite action to replace the
URL path "/home.php":
add rewrite action rw_act_SendToHome REPLACE HTTP.REQ.URL.PATH
'"/home.php"'
141
3.
Enter the following command to add the req_pol_SendToHome rewrite policy using the
re_act_SendToHome action:
add rewrite policy req_pol_SendToHome
'HTTP.REQ.URL.PATH.EQ("/")' rw_act_SendToHome
The policy is not yet active.
4.
Enter the following command to globally bind the rewrite policy:

bind rewrite global req_pol_SendToHome 10 NEXT type REQ_OVERRIDE
5.

save ns config
6.
7.
Switch to the Firefox browser and browse to http://10.0.0.80 to verify that the rewrite
policy is working correctly. The "home.php" page for one of the RBG servers is displayed
without having to specify it in the URL.
Enter the following command in PuTTY to unbind the rewrite policy so it doesn't impact
future exercises:
unbind rewrite global req_pol_SendToHome
Exercise 10-2: Removing HTTP Headers

This exercise demonstrates how to configure a rewrite policy that modifies the server response and
removes the HTTP header that identifies the web server hosting the web site.
Before You Begin

AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
142

This section provides step-by-step instructions for completing "Exercise 10-2: Removing HTTP
Headers" using the configuration utility.
Viewing the Default Header Information (Configuration

Utility)
1.
2.

Open the HttpFox add-on in the Firefox browser.
a. Select Tools > Web Developer > HttpFox > Toggle HttpFox.
The HttpFox window appears at the bottom of the browser.
3.
b. Click Start in the HttpFox window.

View the header information for the server that is hosting the RBG web page.
a. Browse to the RBG virtual server by navigating to the http://10.0.0.80 index
page.
b. Select any item in the Started column that does not have (Cache) in the Result
column.
c. View the header information in the Response Header pane.
Verify that the Server is displayed as: Microsoft-IIS/7.5.
Using Rewrite to Remove Header Information

1.
2.
3.
Switch to the configuration utility for NS_VPX_0 and log on using the nsroot credentials, if
necessary.
Add the rw_act_RemoveSrvID rewrite action to remove the Server ID from the header.
a. Navigate to AppExpert > Rewrite > Actions and then click Add.
b. Type rw_act_RemoveSrvID in the Name field.
c. Select DELETE_HTTP_HEADER from the Type drop-down menu.
d. Type Server in the Header Name field.
e. Click Create.
Add a "res_pol_RemoveSrvID" rewrite policy to remove the Server ID with an IS_VALID
HTTP response.
143
4.
a. Click the Policies node and then click Add.

b. Type res_pol_RemoveSrvID in the Name field.
c. Select rw_act_RemoveSrvID in the Action field.
d. Type HTTP.RES.IS_VALID in the Expression field.
e. Click Create.
Bind the res_pol_RemoveSrvID globally.
a. Click the Policy Manager button on the Rewrite Policies screen.
b. Verify that Override Global is selected under Bind Points.
c. Select Response from the Connection Type drop-down menu.
d. Click Continue.
e. Click Add Binding.
f. Click Click to select under Select Policy.
g. Select the res_pol_RemoveSrvID radio button and then click OK.
h. Click Bind.
i. Click Done.
Verifying the Header Information (Configuration Utility)

Do not replace the server header with strings or phrases such as "Hack this" or "Try to
hack me now." Potential legal implications with such a statement may exist because you
could be granting permission to hackers to attempt to violate your security. As always,
consult the appropriate security experts within your organization for guidelines and
requirements for your environment.
1.
2.

Open the HttpFox add-on in the Firefox browser.
a. Select Tools > Web Developer > HttpFox > Toggle HttpFox.
The HttpFox window appears at the bottom of the browser.
3.
4.
144
b. Click Start in the HttpFox window.

Verify that the Header information for the server is not displayed.
page.
b. Select one of the items in the Started column that does not include (Cache) in the
Result column.
c. View the Header information in the Response Header pane to verify that Server does
not appear.
Unbind the res_pol_RemoveSrvID policy so it doesn't impact future exercises.
a.
b.
c.
d.
e.
Switch to the configuration utility for NS_VPX_0 and log on using the nsroot
credentials, if necessary.
Navigate to AppExpert > Rewrite > Policies and then click the Policy Manager
button.
Select Response from the Connection Type drop-down menu and then click
Continue.
Select the res_pol_RemoveSrvID and click Unbind.
Click Yes and then click Done.

This section provides step-by-step instructions for completing "Exercise 10-2: Removing HTTP
Headers" using the command-line interface.
Viewing the Default Header Information (Command-Line

Interface)
1.
2.
Switch to the Firefox browser from the Win7Client desktop.

Click Start in the HttpFox window at the bottom of the Firefox window.
You may need to size the HttpFox window in order to see the information in the field
below the Start, Stop, and Clear buttons.
3.
View the header information for the server that is hosting the RBG web page.
page.
b. Select one of the items below Started in HttpFox that does not say (Cache) in the
Result column in HttpFox.
c. View the header information in the Response header pane.
Verify that the Server header is displayed as Microsoft-IIS/7.5.
Using Rewrite to Remove Header Information (CommandLine Interface)

145
1.
2.
Switch to the NS_VPX_0 command-line interface (PuTTY) and log on using the nsroot
Enter the following command to add the rw_act_RemoveSrvID rewrite action to remove the
Server ID from the header:
add rewrite action rw_act_RemoveSrvID delete_http_header
Server
3.
Enter the following command to add the res_pol_RemoveSrvID rewrite policy to remove the
Server ID:
add rewrite policy res_pol_RemoveSrvID 'HTTP.RES.IS_VALID'
rw_act_RemoveSrvID
4.
Enter the following command to bind the res_pol_RemoveSrvID globally:

bind rewrite global res_pol_RemoveSrvID 10 NEXT type RES_OVERRIDE
Verifying the Header Information (Command-Line Interface)

1.
2.
3.

Click Clear in the HttpFox window at the bottom of the Firefox window.
Verify that the Header information for the server is not displayed.
page.
b. Select one of the items in the top box which does not say (Cache) in the HttpFox
Result column.
c. View the Header information in the Response header pane.
Verify that the Server entry is not displayed.
4.
Enter the following command in PuTTY (10.0.0.100) to unbind the res_pol_RemoveSrvID

policy so it doesn't impact future exercises:
unbind rewrite global res_pol_RemoveSrvID
146
Exercise 10-3: Inserting HTTP Headers

This exercise demonstrates how to add a rewrite policy to insert information into the HTTP
headers.
Before You Begin

To begin this exercise, ensure the following virtual machines are started:
AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client

This section provides step-by-step instructions for completing "Exercise 10-3: Inserting HTTP
Headers" using the configuration utility.
Using Rewrite to Insert Header Information (Configuration

Utility)
1.
2.
Log on to the NetScaler system and add a rewrite action.

a. Switch to the configuration utility for NS_VPX_0 (10.0.0.100) and log on using the
nsroot credentials if necessary.
b. Navigate to AppExpert > Rewrite > Actions and then click Add.
Complete the rw_act_NewSrvID rewrite action to insert the string "Unspecified" for the HTTP
Server Header value.
a. Type rw_act_NewSrvID in the Name field.
b. Select INSERT_HTTP_HEADER from the Type drop-down menu.
c. Type Server in the Header Name field.
d. Type "Unspecified" in the Expression to Replace with field.
e. Click Create.
147
3.
4.
5.
6.
7.
148
Add the res_pol_NewSrvID rewrite policy using the rw_act_NewSrvID action with an http
IS_VALID response.
a. Select the Policies node and click Add.
b. Type res_pol_NewSrvID in the Name field.
c. Select rw_act_NewSrvID from the Action drop-down menu.
e. Click Create.
Bind the res_pol_NewSrvID rewrite policy globally.
a. Click the Policy Manager button in the Rewrite Policies screen.
b. Verify that Override Global is selected in the Bind Point field and select Response
from the Connection Type drop-down menu.
c. Click Continue.
d. Click Add Binding.
e. Click Click to select under Select Policy.
f. Select the res_pol_NewSrvID radio button and click OK.
g. Click Bind.
h. Click Done.
Add the rw_act_NoCache rewrite action to insert "no-cache" in the cache-control of the HTTP
Header.
a. Select the Actions node and click Add.
b. Type rw_act_NoCache in the Name field.
c. Select INSERT_HTTP_HEADER from the Type drop-down menu.
d. Type Cache-Control in the Header Name field.
e. Type "no-cache" in the Expression to Replace with field.
f. Click Create.
Add the res_pol_NoCache rewrite policy using the rw_act_NoCache action.
a. Click the Policies node and then click Add.
b. Type res_pol_NoCache in the Name field.
c. Select rw_act_NoCache from the Action drop-down menu.
e. Click Create.
Bind the res_pol_NoCache policy globally.
a. Click the Policy Manager button.
b. Verify that Override Global is selected in the Bind Point field.
c. Select Response from the Connection Type drop-down menu.
d. Click Continue.
e.
f.
g.
h.
i.
Click Add Binding.

Click Click to select under Select Policy.
Select the res_pol_NoCache radio button and click OK.
Click Bind.
Click Done.
Verifying the Header Information (Configuration Utility)

1.
2.
3.

Click Clear in the HttpFox window at the bottom of the Firefox window.
Browse to the RBG server and verify that the Server header includes "Unspecified" and that the
Cache-control header includes "no-cache".
page.
b. Select one of the items in Started column that does not say (Cache) in the Result
column.
c. View the Header information in the Response Header pane.
The Server header value displays "Unspecified" and the Cache-Control header
value displays "no-cache".
4.
5.
Unbind the res_pol_NewSrvID policy so it doesn't impact future exercises.

a. Switch to the configuration utility for NS_VPX_0 and log on using the nsroot
b. Navigate to AppExpert > Rewrite > Policies and then click the Policy Manager
button.
c. Select Response from the Connection Type drop-down menu and then click
Continue.
d. Select the res_pol_NewSrvID policy and click Unbind.
Unbind the res_pol_NoCache policy so it doesn't impact future exercises.
a. Select the res_pol_NoCache and click Unbind.
b. Click Yes and then click Done.
149

This section provides step-by-step instructions for completing "Exercise 10-3: Inserting HTTP
Headers" using the command-line interface.
Using Rewrite to Insert Header Information (Command-Line

Interface)
1.
Enter the following command in PuTTY to add the rw_act_NewSrvID rewrite action to insert
the HTTP header "Unspecified" for the Server value:
add rewrite action rw_act_NewSrvID insert_http_header "Server"
"\"Unspecified\""
2.
Enter the following command to add the res_pol_NewSrvID rewrite policy using the
rw_act_NewSrvID action:
add rewrite policy res_pol_NewSrvID 'HTTP.RES.IS_VALID'
rw_act_NewSrvID
3.
Enter the following command to bind the rewrite policy res_pol_NewSrvID globally:
bind rewrite global res_pol_NewSrvID 20 NEXT -type RES_OVERRIDE
4.
Enter the following command to add the rw_act_NoCache rewrite action to insert the string
"no-cache" in the cache-control of the HTTP Header:
add rewrite action rw_act_NoCache insert_http_header "CacheControl" "\"no-cache\""
5.
Enter the following command to add the res_pol_NoCache rewrite policy using the
rw_act_NoCache action:
add rewrite policy res_pol_NoCache 'HTTP.RES.IS_VALID'
rw_act_NoCache
6.
Enter the following command to bind the res_pol_NoCache policy globally:

bind rewrite global res_pol_NoCache 30 NEXT -type RES_OVERRIDE
150
Verifying the Header Information (Command-Line Interface)

1.
2.
3.

Click Clear in the HttpFox window at the bottom of the browser.
Browse to the RBG server and verify that the Server header shows "Unspecified" and that the
Cache-control header shows "no-cache".
page.
b. Select one of the items below Started in the HttpFox window that does not say
(Cache) in the HttpFox Result column.
c. View the Header information in the Response header pane.
The Server header value includes "Unspecified" and the Cache-Control header
value includes "no-cache".
4.
Unbind the res_pol_NewSrvID and res_pol_NoCache policies so they don't impact future
exercises.
a. Enter the following command in PuTTY to unbind the res_pol_NewSrvID policy:
unbind rewrite global res_pol_NewSrvID
b.
Enter the following command in PuTTY to unbind the res_pol_NoCache policy:

unbind rewrite global res_pol_NoCache
Exercise 10-4: Configuring Responder to Redirect to

HTTPS
This exercise will demonstrate how to create a responder policy that will redirect an HTTP request
to an HTTPS request.
Before You Begin

AD.training.lab
151
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client

This section provides step-by-step instructions for completing "Exercise 10-4: Configuring
Responder to Redirect to HTTPS" using the configuration utility.
Configuring Responder to Use SSL (Configuration Utility)

1.
152
Create a load-balancing virtual server for the Red, Blue, and Green servers named
lb_vsrv_redirecttossl with the IP address 10.0.0.81 on the standard HTTP port.
a. Navigate to Traffic Management > Load Balancing > Virtual Servers and then click
Add.
b. Type lb_vsrv_redirecttossl in the Name field.
c. Verify that HTTP is selected for the Protocol and 80 as the value for the Port.
e. Click OK.
f. Click No Load Balancing Virtual Server Service Binding in the Service section.
g. Click Click to select in the Select Service field.
h. Select the svc_red radio button and then click OK.
i. Click Bind.
j. Click 1 Load Balancing Virtual Server Service Binding in the Service section.
k. Click Add Binding.
l. Click Click to select in the Select Service field.
m. Select the svc_blue radio button and then click OK.
n. Click Bind and then click Close.
o. Click 2 Load Balancing Virtual Server Service Binding in the Service section.
p. Click Add Binding.
q. Click Click to select in the Select Service field.
r. Select the svc_green radio button and then click OK.
s.
t.
Click Bind and then click Close.

The load-balancing virtual server is created and the status should be UP.
If the lb_vsrv_redirecttossl is down, click the Refresh icon to refresh the
display.
2.
Create a Responder action to redirect any URL, including path and query, from HTTP to
HTTPS.
a. Navigate to AppExpert > Responder > Actions and then click Add.
b. Type rs_act_sendtossl in the Name field.
c. Select Redirect from the Type drop-down menu.
d. Type the following text in the Expression field.
"https://" + HTTP.REQ.HOSTNAME +
HTTP.REQ.URL.PATH_AND_QUERY
Add a space before and after the + symbols in the expression.
e.
Click Create.
The following error appears: "Input expression is unsafe."
3.
f.
Enable
a.
b.
Click OK to close the error.

Bypass Safety Check for the responder action.
Select the Bypass Safety Check option below the Expression field.
Click Create.
The action is created without an error.
4.
Modify the rs_act_sendtossl action to convert unsafe URL characters to safe URL characters.
a. Select the rs_act_sendtossl action and click Edit.
b. Modify the Target expression as follows:
"https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE +
HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE
5.
c.
d.
Create
a.
Deselect the Bypass Safety Check option below the Expression field.
Click OK.
a policy named rs_pol_sendtossl for for the rs_act_sendtossl action.
Navigate to AppExpert > Responder > Policies and click Add.
153
b.
c.
d.
e.
Type rs_pol_sendtossl in the Name field.

Select rs_act_sendtossl from the Action drop-down menu.
Verify that -Global undefined-result action- is selected for the Undefined-Result
Action.
Type the following text in the Expression field.
!CLIENT.SSL.IS_SSL
6.
7.
f. Click Create.
Bind the rs_pol_sendtossl policy to the lb_vsrv_redirecttossl virtual server.
a. Click the Policy Manager button in the Responder Policies screen.
b. Select Load Balancing Virtual Server from the Bind Point drop-down menu.
c. Verify that HTTP is selected under Protocol.
d. Select lb_vsrv_redirecttossl from the Virtual Server drop-down list and then click
Continue.
e. Click Click to select in the Select Policy field.
f. Select the rs_pol_sendtossl radio button and click OK.
g. Click Bind and then click Done.
a. Click the Floppy Disk icon to save the configuration.
b. Click Yes to confirm saving the configuration.
Testing the Redirect to SSL Policy (Configuration Utility)

1.
2.
3.

Browse to the lb_vsrv_redirecttossl virtual server and verify that the page is redirected to an
SSL connection.
a. Browse to http://10.0.0.81/.The page is redirected to https://10.0.0.81/.
If the page is not redirected, close the browser and then repeat Steps 1 and 2.
b.
c.
Verify that the first entry in the Started column pane contains 302 in the Result field
and the Type and URL fields identify the redirected change.
Browse to http://10.0.0.81/blue.php?demo=value1&demo2=value2.
The URL and query will be redirected to an HTTPS connection.
154
4.
Unbind the rs_pol_sendtossl policy from the lb_vsrv_redirecttossl virtual server so it doesn't
impact future exercises.
a. Switch to the Chrome browser containing the configuration utility for NS_VPX_0 at
http://10.0.0.100.
c. Double-click the lb_vsrv_redirecttossl virtual server.
d. Select 1 Responder Policy under the Policies section.
e. Select the rs_pol_sendtossl policy and click Unbind.
f. Click Yes and then click Close.
g. Click Done.

Responder to Redirect to HTTPS" using the command-line interface.
Configuring Responder to Use SSL (Command-Line

Interface)
1.
Enter the following command in PuTTY to create a load-balancing virtual server for the Red,
Blue, and Green servers named lb_vsrv_redirecttossl with the IP address 10.0.0.81 on the
standard HTTP port:
add lb vserver lb_vsrv_redirecttossl HTTP 10.0.0.81 80
2.
Enter the following commands to bind the svc_red, svc_blue, and svc_green services to the
virtual server:
bind lb vserver lb_vsrv_redirecttossl svc_red
bind lb vserver lb_vsrv_redirecttossl svc_blue
bind lb vserver lb_vsrv_redirecttossl svc_green
3.
Enter the following command to create a Responder action to redirect any URL, including path
and query, from HTTP to HTTPS:
add responder action rs_act_sendtossl redirect '"https://" +
HTTP.REQ.HOSTNAME.HTTP_URL_SAFE +
HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE'
155
4.
Enter the following command to create a policy named rs_pol_sendtossl for the
rs_act_sendtossl action:
add responder policy rs_pol_sendtossl '!CLIENT.SSL.IS_SSL'
rs_act_sendtossl
5.
Enter the following command to bind the rs_pol_sendtossl policy to the lb_vsrv_redirecttossl
virtual server:
bind lb vserver lb_vsrv_redirecttossl policyName rs_pol_sendtossl -priority 10
6.

save ns config
Testing the Redirect to SSL Policy (Command-Line

Interface)
1.
2.
3.
4.

Browse to the lb_vsrv_redirecttossl virtual server and verify that the page is redirected to an
SSL connection.
a. Browse to http://10.0.0.81/.The page should be redirected to https://10.0.0.81.
b. Select the entry under the Result column containing 302 and verify that the http: entry
was redirected to https.
c. Browse to http://10.0.0.81/blue.php?demo=value1&demo2=value2.
Verify that the URL and query were redirected to an HTTPS connection.
Enter the following command in PuTTY to unbind the rs_pol_sendtossl policy from the
lb_vsrv_redirecttossl virtual server so it doesn't impact future exercises:
unbind lb vserver lb_vsrv_redirecttossl policyName rs_pol_sendtossl -type REQUEST
Exercise 10-5: Configuring Responder to Redirect Using

String Maps
This exercise demonstrates how to create a custom response to a URL request to a restricted page
or directory.
156
Before You Begin

AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client

Responder to Redirect Using String Maps" using the configuration utility.
Configuring Responder to Redirect Using String Maps

1.
Create a string map named search_redirects.

a. Navigate to AppExpert > String Maps and click Add.
The Create String Map window appears.
2.
3.
4.
b. Type search_redirects in the Name field.

Add a string map to redirect /google to http://www.google.com.
a. Click Insert.
b. Type /google in the Key field.
c. Type http://www.google.com in the Value field.
d. Click Insert.
Add a string map to redirect /yahoo to http://www.yahoo.com.
a. Click Insert.
b. Type /yahoo in the Key field.
c. Type http://www.yahoo.com in the Value field.
d. Click Insert.
Add a string map to redirect /bing to http://www.bing.com.
157
5.
6.
a. Click Insert.
b. Type /bing in the Key field.
c. Type http://www.bing.com in the Value field.
d. Click Insert.
Click Create in the String Map window.
Add the search_stringmap_act responder action for the string map.
a. Navigate to Responder > Actions and click Add.
b. Type search_stringmap_act in the Name field.
c. Select Redirect from the Type drop-down menu.
d. Type the following string in the Expression field:
HTTP.REQ.URL.MAP_STRING("search_redirects").HTTP_URL_SAFE
Verify that the string appears correctly in the Expression field before
proceeding to the next step.
7.
e. Click Create.
Add the search_stringmap_pol responder policy for the string map action.
a. Navigate to Responder > Policies and click Add.
b. Type search_stringmap_pol in the Name field.
c. Select search_stringmap_act from the Action drop-down menu.
d. Verify that Global undefined-result action is selected in the Undefined-Result Action
field.
e. Type the following string in the Expression field:
HTTP.REQ.URL.IS_STRINGMAP_KEY("search_redirects")
8.
158
f. Click Create.
Bind the search_stringmap_pol policy to the lb_vsrv_rbg virtual server.
b. Select Load Balancing Virtual Server from the Bind Point drop-down menu.
c. Verify that HTTP is selected in the Protocol field.
d. Verify that lb_vsrv_rbg is selected in the Virtual Server field.
e. Click Continue.
f. Click Click to select in the Select Policy field.
9.
g. Select the search_stringmap_pol radio button and click OK.

h. Click Bind and then click Done.
a. Click the Floppy Disk icon.
b. Click Yes to confirm saving the changes.
Testing the String Map (Configuration Utility)

1.
2.
3.
4.

Test the string map responder policy by browsing to the mapped strings.
a. Browse to http://10.0.0.80/google.
b. Look at the URL column for the first entry in HttpFox and verify that a 302 Result is
listed and the page is redirected to http://www.google.com.
c. Browse to http://10.0.0.80/yahoo.
d. Look at the URL column for the first entry in HttpFox and verify that a 302 Result is
listed and the page is redirected to http://www.yahoo.com.
e. Browse to http://10.0.0.80/bing.
f. Look at the URL column for the first entry in HttpFox and verify that a 302 Result is
listed and the page is redirected to http://www.bing.com.
Unbind the search_stringmap_pol policy so it doesn't impact future exercises.
a. Switch to the browser containing the configuration utility for NS_VPX_0 at
http://10.0.0.100.
b. Navigate to AppExpert > Responder > Policies and then click Policy Manager.
c. Select Load Balancing Virtual Server from the Bind Point drop-down menu.
d. Click Continue.
e. Select the search_stringmap_pol policy and then click Unbind.
f. Click Yes and then click Done.

Responder to Redirect Using String Maps" using the command-line interface.
159
Configuring Responder to Redirect Using String Maps

1.
Enter the following command in PuTTY to create a string map policy named search_redirects:
add policy stringmap search_redirects
2.
Enter the following command to bind the string map policy using the key /yahoo and the value
http://www.yahoo.com:
bind policy stringmap search_redirects "/yahoo"
"http://www.yahoo.com"
3.
Enter the following command to bind the string map policy using the key /google and the
value http://www.google.com:
bind policy stringmap search_redirects "/google"
"http://www.google.com"
4.
Enter the following command to bind the string map policy using the key /bing and the value
http://www.bing.com:
bind policy stringmap search_redirects "/bing"
"http://www.bing.com"
5.
Enter the following command to create the search_stringmap_act responder action:

add responder action search_stringmap_act redirect
"HTTP.REQ.URL.MAP_STRING(\"search_redirects\").HTTP_URL_SAFE"
6.
Enter the following command to create the search_stringmap_pol responder policy for the
search_stringmap_act responder action:
add responder policy search_stringmap_pol
"HTTP.REQ.URL.IS_STRINGMAP_KEY(\"search_redirects\")"
search_stringmap_act
7.
Enter the following command to bind the search_stringmap_pol responder policy to the
lb_vsrv_rbg virtual server:
bind lb vserver lb_vsrv_rbg -policyName search_stringmap_pol
-priority 100 -gotoPriorityExpression END
8.

save ns config
160
Testing the String Map (Command-Line Interface)

1.
2.
3.
4.

Test the string map responder policy by browsing to the mapped strings.
a. Browse to http://10.0.0.80/google.
b. Look at the URL column for the first entry in HttpFox and verify that a 302 Result is
listed and the page is redirected to http://www.google.com.
c. Browse to http://10.0.0.80/yahoo.
d. Look at the URL column for the first entry in HttpFox and verify that a 302 Result is
listed and the page is redirected to http://www.yahoo.com.
e. Browse to http://10.0.0.80/bing.
f. Look at the URL column for the first entry in HttpFox and verify that a 302 Result is
listed and the page is redirected to http://www.bing.com.
Enter the following command in PuTTY to unbind the search_stringmap_pol responder policy
so it doesn't impact future exercises:
unbind lb vserver lb_vsrv_rbg -policyName search_stringmap_pol
Exercise 10-6: Adding a Custom Response

This exercise demonstrates how to create a custom response to a URL request to a restricted page
or directory.
Before You Begin

AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
161

This section provides step-by-step instructions for completing "Exercise 10-6: Adding a Custom
Response" using the configuration utility.
Using Responder to Display a Custom Response

1.
2.
Switch to the Chrome browser with the configuration utility for NS_VPX_0.
Add a "rs_act_RespondWithCustom" custom responder action.
a. Navigate to AppExpert > Responder > Actions and click Add.
b. Type rs_act_RespondWithCustom in the Name field.
c. Select Respond with in the Type drop-down menu.
d. Type the following text in the Expression field:
"http/1.1 200 OK\r\n\r\n" + "Client: " + CLIENT.IP.SRC +
" is not authorized to
access URL:" + HTTP.REQ.URL.HTTP_URL_SAFE
proceeding to the next step. A space should appear before and after each +
symbol in the expression.
3.
e. Click Create.
Add the rs_pol_RespondWithCustom responder policy using the rs_act_RespondWithCustom
action for any URL that contains "private."
a. Click the Policies node and click Add.
b. Type rs_pol_RespondWithCustom in the Name field.
c. Select rs_act_RespondWithCustom from the Action drop-down menu.
d. Type HTTP.REQ.URL.PATH.CONTAINS("private") in the Expression field.
4.
162
e. Click Create.
Bind the rs_pol_RespondWithCustom policy globally.
b. Select Default Global from the Bind Point drop-down menu.
5.
c. Click Continue
d. Select the rs_pol_RespondWithCustom radio button and click OK.
e. Click Bind.
f. Click Done.
a. Click the Floppy Disk icon.
b. Click Yes to confirm saving the changes.
Testing the Responder Policy (Configuration Utility)

1.
2.
3.

Browse to http://10.0.0.80/private to test the responder policy.
An attempt to browse to /private results in the NetScaler system returning the custom response
text: Client: x.x.x.x is not authorized to access URL: /private
4.
Use the HttpFox add-on to verify that the proper response code was generated.
a. Refresh the page and verify that the HTTP response code HTTP/1.x 200 OK was
properly generated.
This responder value in the Response Header indicates a successful response to the
client browser.
b.
Browse to http://10.0.0.80/.
The page loads as expected. The Responder policy allows redirection for a successful
page load.
5.
6.
Close the Firefox browser window.

Unbind the res_pol_RespondWithCustom policy so it doesn't impact future exercises.
b. Navigate to AppExpert > Responder > Policies and then click the Policy Manager
button.
c. Select Default Global from the Bind Point drop-down menu and then click Continue.
d. Select the rs_pol_RespondWithCustom and click Unbind.
e. Click Yes and then click Done.
163

This section provides step-by-step instructions for completing "Exercise 10-6: Adding a Custom
Response" using the command-line interface.
Using Responder to Display a Custom Response

In the Win7Client virtual machine, use an SSH connection (PuTTY) to the NS_VPX_0 commandline interface (PuTTY) logged on as the nsroot user for this task.
1.
2.
Use the PuTTY command-line interface for NS_VPX_0 and log on using the nsroot
Enter the following command to add the rs_act_RespondWithCustom custom responder action
for unauthorized requests:
add responder action rs_act_RespondWithCustom respondwith
("http/1.1 200 OK\r\n\r\n"
+ "Client: " + CLIENT.IP.SRC + " is not authorized to access
URL: "
+ HTTP.REQ.URL.HTTP_URL_SAFE)
3.
Enter the following command to add the rs_pol_RespondWithCustom responder policy for
requests in the URL that contains "private":
add responder policy rs_pol_RespondWithCustom
'HTTP.REQ.URL.PATH.Contains("private")'
rs_act_RespondWithCustom
4.
Enter the following command to bind the rs_pol_RespondWithCustom policy globally:

bind responder global rs_pol_RespondWithCustom 20 END type Default
5.

save ns config
Testing the Responder Policy (Command-Line Interface)

1.
2.
3.
164

Browse to http://10.0.0.80/private to test the responder policy.
An attempt to browse to /private results in the NetScaler system returning the custom response
text: Client: x.x.x.x is not authorized to access URL: /private
4.
Use the HttpFox add-on to verify that the proper response code was generated.
a. Refresh the page and verify that the HTTP response code HTTP/1.x 200 OK was
properly generated.
This responder value in the Response Header indicates a successful response to the
client browser.
b.
Browse to http://10.0.0.80/.
The page loads as expected. The Responder policy allows redirection for a successful
page load.
5.
Enter the following command in PuTTY to unbind the rs_pol_RespondWithCustom policy so

it doesn't impact future exercises:
unbind responder global rs_pol_RespondWithCustom -type Default
Exercise 10-7: Adding URL Transformations

This exercise demonstrates how to transform URL requests to expired web pages into URLs of
current pages.
Before You Begin

AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client

This section provides step-by-step instructions for completing "Exercise 10-7: Adding URL
Transforms" using the configuration utility.
165
Previewing Pages for URL Transformation (Configuration

Utility)
1.
2.

Browse to http://10.0.0.80/dist_red.php.
The http://10.0.0.80/dist_red.php page should display normally (Japan). The
http://10.0.0.80/dist_blue.php (US) and http://10.0.0.80/dist_green.php (Germany) pages may
be tested as well.
3.
Browse to http://10.0.0.80/international_red.php.
You will receive a Server Error 404 - File or directory not found. You will correct this issue in
the next exercise using a responder to transform the URL.
4.
Close the Firefox browser.
Using Responder to Transform URLs (Configuration Utility)

1.
2.
Switch to the configuration utility for NS_VPX_0 and log on using the nsroot credentials, if
necessary.
Add the trns_remote_URL transform profile to transform requests for "/dist_page.php" into
"/international_page.php".
a. Navigate to AppExpert > Rewrite > URL Transformation > Profiles.
b. Click Add.
c. Type trns_remote_URL in the Name field.
d. Type the following text in the Comments field.
"Transform /dist_page.php (actual) to
/international_page.php (display)"
3.
166
e. Click Create.
Add the act_trns_DistToInt transform action to the trns_remote_URL profile with a priority of
50.
a. Select the trns_remote_URL profile and click Edit.
b. Click the Insert button to add an action.
4.
c. Type act_trns_DistToInt in the Name field.

d. Type 50 in the Priority field.
e. Select Enabled below the Priority field.
Set the actions for the act_trns_DistToInt transform to change requests for "/dist*" into
"/international*".
a. Type the following text in the Request URL From field:
http://10.0.0.80/international_(.*)
b.
Type the following text in the Request URL Into field:

http://10.0.0.80/dist_$1
c.
Type the following text in the Response URL From field:

http://10.0.0.80/dist_(.*)
d.
Type the following text in the Response URL Into field:

http://10.0.0.80/international_$1
5.
6.
7.
e. Click Insert and then click OK.

Create a transform policy by entering the following command:
a. Navigate to Rewrite > URL Transformation > Policies and click Add.
b. Type trns_pol_remote in the Name field.
c. Select trns_remote_URL from the Profile drop-down menu.
d. Type TRUE in the Expression field.
e. Click Create.
Bind the trns_pol_Remote policy globally.
a. Click the Policy Manager button in the URL Transformation Policies screen.
b. Select Override Global from the Bind Point drop-down menu.
c. Click Continue
d. Click Click to select in the Select Policy field.
e. Select the trns_pol_remote radio button and click OK.
f. Click Bind and then click Done.
a. Click the Floppy Disk icon in the upper-right corner of the configuration utility.
b. Click Yes to confirm saving the configuration.
167
Testing the URL Transform Policy (Configuration Utility)

1.
2.
Open the Firefox browser from the Win7Client desktop.

The http://10.0.0.80/dist_red.php page should display normally (Japan). The
http://10.0.0.80/dist_blue.php (US) and http://10.0.0.80/dist_green.php (Germany) pages may
be tested as well.
3.
The same page loads as appeared when you typed http://10.0.0.80/dist_red.php.
The URL displays "international_red.php," but the content that is loading is the "dist_red.php"
page.
The server request is load-balanced and accesses the alternate pages, international_blue.php
and international_green.php, resulting in the dist_blue.php and dist_green.php content,
respectively.
4.
5.

Unbind the trns_pol_Remote policy so it doesn't impact future exercises.
b. Navigate to AppExpert > URL Transformation > Policies and then click the Policy
Manager button.
c. Select Request from the Connection Type drop-down menu and then click Continue.
d. Select the trns_pol_Remote policy and click Unbind.
e. Click Yes and then click Done.

This section provides step-by-step instructions for completing "Exercise 10-7: Adding URL
Transforms" using the command-line interface.
Previewing Pages for URL Transformation (Command-Line

Interface)
168
1.
2.
Open the Firefox browser from the Win7Client desktop.

The dist_red.php page should display normally (Japan). The dist_blue.php (US) and
dist_green.php (Germany) pages may be tested as well.
3.
You will receive a Server Error 404 - File or directory not found. You will correct this issue in
the next exercise using a responder to transform the URL.
Using Responder to Transform URLs (Command Line

Interface)
1.
2.
Switch to the PuTTY command-line interface for NS_VPX_0 and log on using the nsroot
Enter the following command to add the trns_remote_URL transform profile:
add transform profile trns_remote_URL
3.
Enter the following command to configure the profile comment to display the dist_page.php
for requests to international_page.php:
set transform profile trns_remote_URL -type URL -comment
"'Transform /dist_page.php (actual) to /international_page.php
(display)'"
4.
Enter the following command to add the act_trns_DistToInt transform action:

add transform action act_trns_DistToInt trns_remote_URL 50
5.
Enter the following command to configure the act_trns_DistToInt transform action to display
the dist_page.php for requests to international_page.php:
set transform action act_trns_DistToInt -priority 50 reqUrlFrom
"http://10.0.0.80/international_(.*)" reqUrlInto "http://10.0.0.80/dist_$1"
-resUrlFrom "http://10.0.0.80/dist_(.*)" resUrlInto "http://10.0.0.80/international_$1"
169
The transform action name is case-sensitive.
6.
Enter the following command to create the trns_pol_remote transform policy to use the
trns_remote_URL profile:
add transform policy trns_pol_remote TRUE trns_remote_URL
7.
Enter the following command to bind the trns_pol_Remote policy globally:

bind transform global trns_pol_remote 50
8.

save ns config
Testing the URL Transform Policy (Command-Line

Interface)
1.
2.

The dist_red.php page should display normally (Japan). The dist_blue.php (US) and
dist_green.php (Germany) pages may be tested as well.
3.
The same page loads as expected.
The URL displays "international_red.php," but the content that is loading is the "dist_red.php"
page.
The server request is load-balanced and accesses the alternate international_blue.php and
international_green.php, resulting in the dist_blue.php and dist_green.php content,
respectively.
4.
5.

Enter the following command in PuTTY to unbind the trns_pol_remote policy so it doesn't
impact future exercises:
unbind transform global trns_pol_remote -type REQ_DEFAULT
170
Module 11
Content Switching
11
172
Module 11: Content Switching Exercises

Exercise 11-1: Configuring Content Switching
This exercise demonstrates how to configure content switching on a NetScaler system, including
creating non-addressable virtual servers, content switching virtual servers, and using policies and
expressions to switch content at the servers.
Before You Begin

AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
Estimated time for complete this exercise: 20 minutes

This exercise provides step-by-step instructions for completing "Exercise 11-1: Configuring Content
Switching" using the configuration utility.
Verifying Content-Switching Feature is Enabled

1.
Verify the content-switching feature is enabled.

a. Open the Chrome browser, access the configuration utility for NS_VPX_0 and log on
using the nsroot credentials.
b. Navigate to System > Settings.
c. Click Configure Basic Features in the Settings pane. The Configure Basic Features
dialog box opens.
d. Verify that the Load Balancing and Content Switching features are selected and then
click Close.
Module 11: Content Switching
173
The Configure Basic Features dialog box closes.
Creating Non-Addressable Load-Balancing Virtual Servers

1.
Create a non-addressable "lb_vsrv_red" load-balancing virtual server for the WebRed web
server.
b. Click Add to display the Load Balancing Virtual Servers pane.
c. Type lb_vsrv_red in the Name field.
This virtual server is dedicated to iPhone users.
d.
e.
f.
Verify that HTTP is selected in the Protocol field.

Select Non Addressable from the IP Address Type drop-down menu.
Click OK.
This action disables the IP address and Port fields. No VIP address is assigned to this
2.
g. Click No Load Balancing Virtual Servers Service Binding in the Service section.
h. Click Click to select in the Select Service field.
i. Select the svc_red radio button and click OK.
j. Click Bind.
k. Click OK.
l. Click Done.
Create a non-addressable "lb_vsrv_blue" load-balancing virtual server for the WebBlue web
server.
c. Type lb_vsrv_blue in the Name field.
This virtual server is dedicated for Internet Explorer 6 users.
d.
174
e.
f.

Click OK.
3.
g. Click No Load Balancing Virtual Servers Service Binding in the Service section.
h. Click Click to select in the Select Service field.
i. Select the svc_blue radio button and click OK.
j. Click Bind.
k. Click OK.
l. Click Done.
Create a non-addressable "lb_vsrv_green" load-balancing virtual server for the WebGreen web
server.
c. Type lb_vsrv_green in the Name field.
This virtual server is dedicated for default users.
d.
e.
f.

Click OK.
g.
h.
i.
j.
k.
l.
Click No Load Balancing Virtual Servers Service Binding in the Service section.
Click Click to select in the Select Service field.
Select the svc_green radio button and click OK.
Click Bind.
Click OK.
Click Done.
All three load balancing servers will be in the Down state at this time.
175
Creating Policy Expressions (Configuration Utility)

1.
Create a policy expression that will respond to requests from iPhone clients.
a. Navigate to AppExpert > Expressions > Advanced Expressions.
b. Click Add in the Advanced Expressions pane.
The Create Advanced Expression dialog box opens.
c.
Type iPhone in the Expression Name field and click Expression Editor on the top
right of the Expression field.
The Expression Editor dialog box opens.
d.
e.
f.
g.
h.
i.
j.
Select HTTP as the protocol in the first drop-down menu.

Select REQ as the flow type in the second drop-down menu.
Select HEADER(String) as the qualifier in the third drop-down menu.
Type User-Agent in the parameter field for the HEADER(String).
Select CONTAINS(String) as the operator in the fourth drop-down menu.
Type iPhone in the parameter field for the CONTAINS(String).
Click Done and then click Create.
The iPhone expression is created and the Create Advanced Expression dialog box
closes.
2.
Create a policy expression that responds to requests from Internet Explorer 6 clients.
a. Click Add in the Expressions pane. The Create Advanced Expression dialog box
opens.
b. Type IE6 in the Expression Name field and click Expression Editor to the right of
Expression.
The Expression Editor dialog box opens.
c.
d.
e.
f.
g.
h.
i.
Select HTTP as the protocol in the first drop-down menu.

Select REQ as the flow type in the second drop-down menu.
Select HEADER(String) as the qualifier in the third drop-down menu.
Type User-Agent in the parameter field for the HEADER(String).
Select CONTAINS(String) as the operator in the fourth drop-down menu.
Type MSIE 6.0 in the parameter field for the CONTAINS(String).
Click Done and then click Create.
The IE6 expression is created and the Create Advanced Expression dialog box closes.
176
Creating Content-Switching Policies (Configuration Utility)

1.
Create a content-switching policy expression for iPhone clients.

a. Navigate to Traffic Management > Content Switching > Policies.
b. Click Add in the Content Switching Policies pane.
The Create Content Switching Policy dialog box opens.
2.
c.
d.
e.
f.
g.
h.
i.
j.
Create
a.
Type cs_pol_mobile in the Name field.

Click the + sign to the right of the Action field.
Type lb_vsrv_red_action in the Name field.
Select lb_vsrv_red from the Target Load Balancing Virtual Server drop-down menu.
Click Create.
Click the Saved Policy Expressions button above the Expression field.
Select iPhone from the Saved Policy Expressions drop-down list.
Click Create.
a content-switching policy expression for Internet Explorer 6 clients.
Click Add in the Content Switching Policies pane.
The Create Content Switching Policy dialog box opens.
3.
b. Type cs_pol_legacy in the Name field.

c. Click the + sign to the right of the Action field.
d. Type lb_vsrv_blue_action in the Name field.
e. Select lb_vsrv_blue from the Target Load Balancing Virtual Server drop-down menu.
f. Click Create.
g. Click the Saved Policy Expressions button above the Expression field.
h. Select IE6 from the Saved Policy Expressions drop-down list.
i. Click Create.
a. Click the Floppy Disk icon in the upper-right corner of the configuration utility
window.
b. Click Yes to confirm saving.
177
Creating the Content-Switching Virtual Server

1.
Create a content-switching virtual server called cs_vsrv_rbg with an IP address of 10.0.0.84.

a. Navigate to Traffic Management > Content Switching > Virtual Servers.
b. Click Add in the Content Switching Virtual Servers pane.
The Content Switching Virtual Server dialog box opens.
2.
3.
178
c. Type cs_vsrv_rbg in the Name field.

d. Verify that the Protocol is set to HTTP.
f. Verify that the port is set to 80.
g. Click OK
Bind the cs_pol_mobile and cs_pol_legacy policy to the content-switching virtual server.
a. Click No Content Switching Policy Bound to open the Policy Binding dialog box.
b. Click Click to select in the Select Policy field.
c. Select the cs_pol_mobile radio button and then click OK.
d. Type 100 in the Priority field.
e. In the Goto Expression drop down menu select END then click Bind.
f. Click 1 Content Switching Policy to open the Content Switching Virtual Server
Content Switching Policy Binding dialog box.
g. Click Add Binding.
h. Click Click to select in the Select Policy field.
i. Select the cs_pol_legacy radio button and then click OK.
j. In the Goto Expression drop down menu select END then click Bind.
k. Click Close. Verify that 2 Content Switching Policies appears in the CS Policy
Binding section.
Set up the default user policy and bind it to the content switching virtual server.
a. Click No Default Load Balancing Virtual Server Bound in the CS Policy Binding
section.
b. Select the lb_vsrv_green virtual server from the Default Load Balancing Virtual Server
Name field.
c. Click Create and then click Done.
d. Click the Floppy Disk icon in the upper-right corner of the configuration utility
window.
e. Click Yes to confirm saving the configuration.
Testing the Content-Switching Configuration (Configuration

Utility)
1.
Test the configuration to observe the content-switching behavior.

b. Browse to http://10.0.0.84/home.php.
The Green server displays for all users (Firefox, IE 7.0, or any other agent) using the
default Content Switching policy.
c.
Change the browser user agent to iPhone and test the results using the following steps:
1. Click Tools > Default User Agent > iPhone 3.0 in Firefox.
2. Click the browser Refresh button.
The Red server displays to iPhone mobile users using the iPhone Content
Switching policy.
d.
Change the browser user agent to Internet Explorer 6 and test the results using the
following steps:
1. Click Tools > iPhone 3.0 > Internet Explorer > Internet Explorer 6 in
Firefox.
The Blue server displays to legacy browser users (MSIE 6.0) using the IE6
Content Switching policy.
e.
Change the browser user agent back to the default using the following steps:
1. Click Tools > Internet Explorer 6 > Default User Agent.
The Green server displays again for all users of the default Content
Switching policy.
2.
f. Close the Firefox browser.

Unbind the content-switching policies from the content switching vserver using the following
steps:
b. Navigate to Traffic Management > Content Switching > Virtual Server.
c. Select cs_vsrv_rbg and click Edit.
d. Select 2 Content Switching Policies in the CS Policy Binding section.
e. Select cs_pol_mobile, click Unbind and then click Yes.
f. Select cs_pol_legacy, click Unbind and then click Yes.
g. Click Close and then click Done.
179

This exercise provides step-by-step instructions for completing "Exercise 11-1: Configuring Content
Switching" using the command-line interface.
Creating Policies and Policy Expressions (Command-Line

Interface)
1.
2.
Launch a PuTTY connection to NS_VPX_0 and log on using the nsroot credentials.
Enter the following command to create a policy expression to recognize iPhone users:
add policy expression iPhone "HTTP.REQ.HEADER(\"UserAgent\").CONTAINS(\"iPhone\")"
3.
Enter the following command to create a content-switching policy for the iPhone policy
expression:
add cs policy cs_pol_mobile -rule iPhone
4.
Enter the following command to create a policy expression to recognize Internet Explorer 6
users:
add policy expression IE6 "HTTP.REQ.HEADER(\"UserAgent\").CONTAINS(\"MSIE 6.0\")"
5.
Enter the following command to create a content-switching policy for the IE6 policy
expression:
add cs policy cs_pol_legacy -rule IE6
6.

save ns config
Configuring Content Switching (Command-Line Interface)

1.
180
Create a non-addressable load-balancing virtual server for the Red server and bind it to the
svc_red service.
a.
Enter the following command to create the load-balancing virtual server:

add lb vserver lb_vsrv_red HTTP
b.
Enter the following command to bind the service to the load-balancing virtual server:
bind lb vserver lb_vsrv_red svc_red
This server will be dedicated to mobile users.
The load-balancing virtual server is being created without assigning a virtual
IP address or a port.
2.
Create a non-addressable load-balancing virtual server for the Blue server and bind it to the
svc_blue service by entering the following commands:
a. Enter the following command to create the load-balancing virtual server:
add lb vserver lb_vsrv_blue HTTP
b.
bind lb vserver lb_vsrv_blue svc_blue
This server will be dedicated to legacy browser users.
3.
Create a non-addressable load-balancing virtual server for the Green server and bind it to the
svc_green service by entering the following commands:
a. Enter the following command to create the load-balancing virtual server:
add lb vserver lb_vsrv_green HTTP
b.
bind lb vserver lb_vsrv_green svc_green
This server will be dedicated to default users.
4.
Create a content-switching virtual server and bind the load-balancing virtual servers to the new
content-switching virtual server.
a. Enter the following command to create a content-switching virtual server:
add cs vserver cs_vsrv_rbg HTTP 10.0.0.84 80
b.
Enter the following commands to bind the load-balancing virtual servers and the
corresponding policies to the content-switching virtual server:
bind cs vserver cs_vsrv_rbg -lbvserver lb_vsrv_green
181
bind cs vserver cs_vsrv_rbg -policyName cs_pol_mobile

-targetLBVserver lb_vsrv_red -priority 100
bind cs vserver cs_vsrv_rbg -policyName cs_pol_legacy
-targetLBVserver lb_vsrv_blue -priority 110
c.

save ns config
Testing the Content-Switching Configuration (CommandLine Interface)

1.
2.
Test the configuration and to observe content-switching behavior.

a. Open a new Firefox browser window and browse to
http://10.0.0.84/home.php. The Green server displays for all other users
(Firefox, IE 7.0, or any other agent) as the default policy.
b. Change the browser user agent to iPhone by clicking Tools > Default User Agent >
iPhone 3.0 in Firefox, then click the Refresh button. The Red server displays to
mobile users (iPhone).
c. Change the browser user agent to Internet Explorer 6 by clicking Tools > iPhone 3.0
> Internet Explorer > Internet Explorer 6 in Firefox, then click the Refresh button.
The Blue server displays to legacy browser users (MSIE 6.0).
d. Change the browser user agent to the default by clicking Tools > Internet Explorer 6
> Default User Agent.
Enter the following command in PuTTY to unbind the content-switching policies from the
content switching vserver:
unbind csverser cs_vsrv_rbg -policyName cs_pol_mobile
unbind csverser cs_vsrv_rbg -policyName cs_pol_legacy
182
Module 12
Optimizing Traffic
12
184
Module 12: Optimizing Traffic Exercises

Exercise 12-1: Configuring Compression Policies
This exercise demonstrates the basics of configuring compression policies on the NetScaler system.
Compression policies are used to control which responses are compressed and which responses are
not compressed.
Before You Begin

AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
Estimated time for complete this exercise: 20 minutes

Compression Policies" using the configuration utility.
Adding Compression Policies (Configuration Utility)

1.
2.
Disable server-side compression.

a. Navigate to Optimization > HTTP Compression.
b. Click Change compression settings under Settings in the right pane.
c. Deselect Allow Server-side compression and click OK.
Create a compression policy called cmp_pol_javascript that will compress javascript content in
the server response.
a. Navigate to HTTP Compression > Policies and click Add.
The Create Compression Policy dialog box opens.
Module 12: Optimizing Traffic
185
3.
4.
b. Type cmp_pol_javascript in the Policy Name field.

c. Select COMPRESS from the Response Action drop-down menu.
d. Click Switch to Default Syntax near the bottom of the screen.
e. Click Expression Editor at the top-right of the Expression field.
Complete the policy expression to compress javascript content.
a. Select HTTP from the first drop-down list.
b. Select RES from the second drop-down list.
c. Select HEADER(String) from third drop-down list.
d. Type Content-Type in the parameter field for the HEADER(String).
e. Select CONTAINS(String) from the fourth drop-down list.
f. Type javascript in the parameter field for the CONTAINS(String).
Complete the compression policy.
a. Click Done.
The expression should read HTTP.RES.HEADER("ContentType").CONTAINS("javascript").
b.
Click Create.
The Create Compression Policy dialog box closes.
5.
Bind the policy to the lb_vsrv_rbg virtual server.

a. Click the Policy Manager button.
b. Select Load Balancing Virtual Server from the Bind Point drop-down list.
c. Select Response from the Connection Type drop-down list.
d. Select lb_vsrv_rbg from the Virtual Server drop-down list.
e. Click Continue.
f. Click Click to select in the Select Policy field.
g. Select the cmp_pol_javascript radio button and click OK.
h. Click Bind and then click Done.
Verifying Compression for Services (Configuration Utility)

In the Win7Client virtual machine, use an HTTP connection to NS_VPX_0 (10.0.0.100)
configuration utility logged on as the nsroot user.
1.
186
Enable
a.
b.
c.
d.
compression on the svc_red service.

Select svc_red in the Services tab and click Edit.
Verify that Compression is set to YES under Settings.
Click Done.
2.
3.
Verify that compression is enabled on the svc_blue service.

a. Select svc_blue in the Services tab and click Edit.
b. Verify that Compression is set to YES under Settings.
c. Click Done.
Verify that compression is enabled on the svc_green service.
a. Select svc_green in the Services pane and click Open.
b. Verify that Compression is set to YES under Settings.
c. Click Done.
Testing Compression (Configuration Utility)

1.
2.
Test the compression policy.

a. Navigate to Optimization > HTTP Compression > Policies.
b. View the statistics reported for the cmp_pol_javascript policy and note the number of
hits.
Open the jspage.php page on the lb_vsrv_rbg virtual server.
a. Launch the Internet Explorer browser from the Win7Client desktop.
b. Browse to http://10.0.0.80/jspage.php.
The opens a page with javascript content.
3.
4.
Return to the Chrome browser and access the HTTP Compression > Policies node in the
configuration utility
Click Refresh. View the number of hits and compression ratio for the cmp_pol_javascript
policy.
The hit count for cmp_pol_javascript policy should have increased.
If the hit count does not increment, the page may be displayed from the browser
cache. Clear the browser cache and then reload the page.

Compression Policies" using the command-line interface.
187
This section is provided as a reference. It covers the same configurations made using the
configuration utility. If you have completed the exercises using the configuration utility
steps, then you do not need to repeat them using the command-line interface commands.
Configuring Compression Policies (Command-Line

Interface)
The NetScaler system includes some predefined policies, including ns_content_type. This
policy is a duplicate of the one created here.
1.
2.
Launch a PuTTY connection to NS_VPX_0 and log on using the nsroot credentials.
Enter the following command to ensure that the compression feature is enabled:
enable ns feature CMP
3.
Enter the following command to disable Server-side compression:

set cmp parameter ServerCmp OFF
4.
Enter the following command to create the compression policy cmp_pol_javascript to compress
javascript content in the server response:
add cmp policy cmp_pol_javascript rule "HTTP.RES.HEADER(\"Content-Type\").CONTAINS
(\"javascript\")" -resAction COMPRESS
5.
Enter the following command to bind the compression policy to the lb_vsrv_rbg virtual server:
bind lb vserver lb_vsrv_rbg -policyName cmp_pol_javascript type RESPONSE
-Priority 100 -GotoPriorityExpression END
6.
Enter the following command to enable compression on the svc_red service:

set service svc_red -CMP yes
7.
Enter the following command to enable compression on the svc_blue service:

set service svc_blue -CMP yes
8.
Enter the following command to enable compression on the svc_green service:

set service svc_green -CMP yes
188
Testing Compression (Command-Line Interface)

1.
Enter the following command in PuTTY to view the compression statistics:

stat cmp
2.
Enter the following command to view the policy details:

show cmp policy cmp_pol_javascript
3.
4.
Take note of the number of hits for the policy.

Open the jspage.php on the lb_vsrv_rbg virtual server.
a. Launch the Firefox browser from the Win7Client desktop.
b. Browse to http://10.0.0.80/jspage.php.
A page with javascript content opens.
5.
Enter the following command in PuTTY to view the policy hits and compression ratio:
show cmp policy cmp_pol_javascript
The hit count for cmp_pol_javascript policy should have increased.
If the hit count does not increment, the page may be displayed from the browser
cache. Clear the browser cache then reload the page.
189
190
Module 13
Clustering
13
192
Module 13: Clustering Exercises

Exercise 13-1: Configuring the Initial Cluster Setup
This exercise will demonstrate how to create a cluster instance and add nodes to the cluster.
Before You Begin

AD.training.lab
NS_VPX_0
NS_VPX_1
NS_VPX_3
Win7Client
WebBlue
WebGreen
WebRed

This section provides step-by-step instructions for completing "Exercise 13-1: Configuring the
Initial Cluster Setup" using the configuration utility.
Configuring the Initial Cluster Setup (Configuration Utility)

In the Win7Client virtual machine, use an HTTP connection to the NS_VPX_0 (10.0.0.100),
NS_VPX_1 (10.0.0.110) , and NS_VPX_3 (10.0.0.130) configuration utilities logged on as the nsroot
user for this task.
1.
2.
In the lab environment, click the Play icon for the NS_VPX_1, NS_VPX_0, and NS_VPX_3
virtual machines to start them.
Log on to the configuration utility for NS_VPX_1 using the nsroot credentials.
a. Switch to the Win7Client virtual machine and log on using the CitrixAdmin
credentials.
b. Launch the Chrome browser and browse to http://10.0.0.110.
c. Log on to the NS_VPX_1 VM using the nsroot credentials.
Module 13: Clustering
193
3.
Open the Cluster Configuration page.

a. Navigate to System > Cluster.
If the Welcome! page appears, scroll to the bottom of the page and click
Continue.
4.
5.
6.
b. Click Manage cluster in the right pane.

Configure the cluster instance with an ID of 1, an IP address of 10.0.0.150, and a backplane
interface of 0/1.
a. Type 1 in the Cluster instance id field. (Default)
b. Type 10.0.0.150 in the Cluster IP address field.
c. Select 0/1 from the Backplane interface drop-down menu.
d. Click Create and then click Yes to restart the system.
Log on to the cluster IP address to enable USNIP mode.
a. Open a new Chrome window or tab and browse to http://10.0.0.150.
b. Log on to the NetScaler cluster using the nsroot credentials.
c. Click Continue on the Welcome screen.
d. Navigate to System > Settings and click Configure Modes in the right pane.
e. Verify that Use Subnet IP is selected and click OK.
Add NS_VPX_0 and NS_VPX_3 to the cluster on backplane interface 0/1.
These steps must be performed using the configuration utility for the cluster
(10.0.0.150) or the changes will not be replicated to other nodes in the cluster.
BACKUP VPX0 (10.0.0.100) BEFORE ADDING IT TO THE CLUSTER AND
RESTORE IT AFTER THIS MODULE.
7.
Log into VPX0 10.0.0.100 with nsroot credentials and go to System, Backup and Restore and
backup the config.
a. Navigate to System > Cluster > Nodes.
b. Click the Discover NetScalers button.
c. Type 10.0.0.100 - 130 in the IP address range field.
d. Type 0/1 in the Backplane interface field.
e. Type nsroot in both User Name fields and both Password fields.
f. Click OK.
The search result should show the IP addresses for NS_VPX_0 and NS_VPX_3.
8.
194
Complete adding the nodes to the cluster on NS_VPX_0 and NS_VPX_3.

a. Select both IP addresses in the Discover NetScaler screen and click OK.
b. Click Yes to confirm the restarting of the NS_VPX_0 and NS_VPX_3.
The NS_VPX_0 and NS_VPX_3 nodes are now added to the cluster instance.
9.
Assign 10.0.0.61 as a spotted SNIP to node 0 with a subnet mask of 255.255.255.0.

a. From the cluster configuration utility at 10.0.0.150, navigate to Network > IPs and
click Add.
b. Type 10.0.0.61 in the IP Address field.
d. Select Subnet IP from the IP Type drop-down menu.
e. Select 0 from the Owner Node drop-down menu.
f. Click Create.
10. Assign 10.0.0.62 as a spotted SNIP to node 1 with a subnet mask of 255.255.255.0.
click Add.
f. Click Create.
11. Assign 10.0.0.63 as a spotted SNIP to node 2 with a subnet mask of 255.255.255.0.
click Add.
f. Click Create.
12. Create the LS/1 linkset to the cluster.
Since this lab environment is virtualized, you will use the "link set" deployment type.
This does not require any router or switch configuration.
a.
From the cluster configuration utility at 10.0.0.150, navigate to Network > Linkset and
click Add.
b. Type LS/1 in the Linkset.
c. Click Add.
13. Add the available nodes to the linkset.
a. Click the + next to 0/0/1.
b. Click the + next to 1/0/1.
195
c.
d.
Click the + next to 2/0/1.

Click Create.

This section provides step-by-step instructions for completing "Exercise 13-1: Configuring the
Initial Cluster Setup" using the command-line interface.
Configuring the Initial Cluster Setup

In the Win7Client virtual machine, use an SSH connection (PuTTY) to the NS_VPX_0, 1, and 3
command-line interfaces logged on as the nsroot user for this task.
1.
2.
In the lab environment, click Play for the NS_VPX_0, NS_VPX_1, and NS_VPX_3 virtual
machines to start them.
Add and configure the first node to the cluster with an IP address of 10.0.0.150, a backplane of
0/1, and a state of PASSIVE.
a. Switch to the NetScaler command-line interface (PuTTY) on NS_VPX_1.
b. Enter the following command to add the node to the cluster instance:
add cluster instance 1
c.
Enter the following command to add node1 to the cluster instance with interface 0/1
as the backplane interface:
add cluster node 1 10.0.0.150 -state PASSIVE backplane 0/1
d.
Enter the following command to enable the cluster instance:

enable cluster instance 1
e.

save ns config
f.
Enter the following commands to restart the system:

reboot -warm
y
Wait for the NetScaler system to restart.
3.
196
Add the 10.0.0.150 cluster IP to the cluster using a netmask of 255.255.255.255.

a.
b.
From the Win7Client, open to the PuTTY command-line interface to NS_VPX_1 and
log on using the nsroot credentials.
Enter the following command to add the cluster IP to the cluster:
add ns ip 10.0.0.150 255.255.255.255 -type CLIP
c.
Enter the following commands to verify the cluster instance:

show cluster instance
show cluster node
4.
Log on to the cluster IP address to enable USNIP mode.

a. Open a new PuTTy and type 10.0.0.150 in the Host Name field to access the cluster.
b. Log on to the NetScaler cluster using the nsroot credentials.
If a PuTTY Security Alert appears, click Yes to add the security key to the
PuTTY cache.
c.
Enter the following command to enable USNIP mode:

enable ns mode usnip
5.
Add NS_VPX_0 and NS_VPX_3 to the cluster.

These commands must be performed on the cluster IP (10.0.0.150) or the changes will
not be replicated to other nodes in the cluster.
a.
Enter the following commands in PuTTY (10.0.0.150) to add NS_VPX_0 and

NS_VPX_3 to the cluster:
add cluster node 2 10.0.0.100 -state PASSIVE backplane 2/0/1
add cluster node 3 10.0.0.130 -state PASSIVE backplane 3/0/1
b.

save ns config
6.
7.
Open a new PuTTy session to NS_VPX_0 and log on using the nsroot credentials.
Enter the following command to add the node to the cluster:
join cluster -clip 10.0.0.150 -password nsroot
197
8.
Enter the following command to save the NS_VPX_0configuration:

save ns config
9.

reboot -warm
y
10. Open a new PuTTy session to NS_VPX_3 and log on using the nsroot credentials.
11. Enter the following command to add the node to the cluster:
12. Enter the following command to save the NS_VPX_3 configuration:
save ns config
13. Enter the following commands to restart the system:
reboot -warm
reboot -warm
14. Verify that the nodes show as PASSIVE and that node1 is the CCO.
a. Return to the PuTTY command-line interface for the cluster IP at 10.0.0.150.
b. Enter the following command to verify that the nodes show as PASSIVE and that
Node ID 1 is the Configuration Coordinator:
show cluster node
15. Enter the following command to assign 10.0.0.61 as a spotted SNIP to node 1 with a subnet
mask of 255.255.255.0:
add ns ip 10.0.0.61 255.255.255.0 -type SNIP -ownerNode 1
mask of 255.255.255.0:
mask of 255.255.255.0:
18. Enter the following command to view and verify the cluster IP addresses:
show ip
19. Set the node state to ACTIVE on all the nodes in the cluster.
198
a.
Enter the following command to set an ACTIVE state on node 1:

set cluster node 1 -state ACTIVE
b.

c.

20. Enter the following command to verify the cluster nodes:

show cluster node
Nodes that successfully synchronize will show their Health status as UP.
21. Remove a node from the cluster and rejoin it to the cluster, if any node shows as DOWN.
This is an optional step. If all nodes synchronized successfully, proceed to the next
step. Perform the following steps ONLY if any of the nodes are not synchronized with
the cluster.
a.
Enter the following command to identify the node that did not synchronize:
show cluster node
A node that did not synchronize with the cluster will show its Health status as NOT
UP.
b.
c.
Switch the PuTTY command-line interface of the node that is not synchronized.
Enter the following command to remove the cluster instance, where n is the node
number:
rm cluster instance n
d.
Enter the following command to rejoin the node to the cluster:

e.

save ns config
f.

reboot -warm
y
199
22. Enter the following command to verify that the mode for each node shows as ACTIVE:
show ip
23. Configure the cluster to use the link set traffic distribution method and bind the interfaces for
all three nodes in the cluster.
Since this lab environment is virtualized, you will use the link set deployment type,
because type this does not require any router or switch configuration.
a.
b.
Switch to the PuTTY command-line interface for the cluster IP at 10.0.0.150.

Enter the following command to create the link set definition:
add linkset LS/1
c.
Enter the following command to bind the interfaces connected to the link set:
bind linkset LS/1 -ifnum 0/0/1 1/0/1 2/0/1
d.
Enter the following command to verify the link set binding:

show linkset LS/1
Exercise 13-2: Configuring Load Balancing on a Cluster

This exercise will demonstrate how to configure load balancing on a cluster.
Before You Begin

AD.training.lab
NS_VPX_0
NS_VPX_1
NS_VPX_3
WebBlue
WebGreen
WebRed
Win7Client
200

This section provides step-by-step instructions for completing "Exercise 13-2: Configuring Load
Balancing on a Cluster" using the configuration utility.
Configuring Load Balancing on a Cluster (Configuration

Utility)
In the Win7Client virtual machine, use an HTTP connection to the NS_VPX_1, NS_VPX_0, and
NS_VPX_3 configuration utilities logged on as the nsroot user for this task.
1.
2.
3.
4.
5.
6.
Switch to the configuration utility on the cluster IP at http://10.0.0.150 and log on using the
nsroot credentials.
Enable the load-balancing feature for the cluster.
a. Navigate to System > Settings.
b. Click Configure Basic Features.
c. Select Load Balancing and click OK to enable the feature.
Add the "srv_blue" server to the cluster with an IP address of 10.29.0.205.
a. From the configuration utility on the cluster IP at http://10.0.0.150, navigate to Traffic
Management > Load Balancing > Servers and click Add.
b. Type srv_blue in the Server Name field.
d. Click Create.
Add the "srv_green" server to the cluster with an IP address of 10.0.0.210.
b. Type srv_green. in the Server Name field.
d. Click Create.
Add the "srv_red" server to the cluster with an IP address of 10.30.0.215.
b. Type srv_red in the Server Name field.
d. Click Create.
Add the svc_blue service for HTTP to the cluster.
Management > Load Balancing > Services and click Add.
b. Type svc_blue in the Service Name field.
201
c. Select the Existing Server radio button.

d. Select srv_blue (10.29.0.205) from the Server drop-down menu.
e. Verify that HTTP is selected from the Protocol drop-down menu.
f. Verify that the Port field is set to 80.
g. Click OK.
h. Click Done.
7. Add the svc_green service for HTTP to the cluster.
b. Type svc_green in the Service Name field.
d. Select srv_green (10.0.0.210) from the Server drop-down menu.
g. Click OK.
h. Click Done.
8. Add the svc_red service for HTTP to the cluster.
b. Type svc_red in the Service Name field.
d. Select srv_red (10.30.0.215) from the Server drop-down menu.
g. Click OK.
h. Click Done.
9. Create the "lb_vsrv_rbg" load-balancing virtual server on the cluster for HTTP using the IP
address 10.0.0.88.
a. From the configuration utility on the cluster IP at http://10.0.0.150, navigate to Load
Balancing > Virtual Servers and click Add.
b. Type lb_vsrv_rbg in the Name field.
c. Verify that HTTP is selected from the Protocol drop-down menu.
e. Verify that the Port field is set to 80.
f. Click OK.
10. Bind the "svc_blue", "svc_green", and "svc_red" services to the lb_vsrv_rbg virtual server.
a. Click No Load Balancing Virtual Server Service Binding under Service.
202
b. Click Click to select in the Select Service field.

c. Select the svc_blue radio button and click OK.
d. Click Bind.
e. Click 1 Load Balancing Virtual Server Service Binding.
f. Click Add Binding.
g. Click Click to select in the Select Service field.
h. Select the svc_red radio button and click OK.
i. Click Bind.
k. Click Click to select in the Select Service field.
l. Select the svc_green radio button and click OK.
m. Click Bind.
n. Click Close and click OK.
11. Configure the virtual server to use the Round Robin load balancing method.
a. Click the + symbole next to Method in the Advanced section on the right.
b. Select ROUNDROBIN from the Load Balancing Method drop-down menu.
c. Click OK and then click Done.
The virtual server is created and the state should be Up.
12. Test load balancing by browsing to the "lb_vsrv_rbg" IP address.
a. Open a Firefox browser window from the Win7Client desktop.
b. Browse to http://10.0.0.88/home.php.
The Citrix Home page will appear displaying one of the color pages.
If you receive a message stating that the connection was reset, click Try Again.
c.
Refresh the web page several times.

The web page should cycle through the three different color pages.
d.

This section provides step-by-step instructions for completing "Exercise 13-2: Configuring Load
Balancing on a Cluster" using the command-line interface.
203
Configuring Load Balancing on a Cluster (Command-Line

Interface)
In the Win7Client virtual machine, use an SSH connection (PuTTY) to the NS_VPX_1, 2, and 3
command-line interfaces logged on as the nsroot user for this task.
1.
Add the Web_Blue, Web_Green, and Web_Red servers to the cluster and create the
corresponding services for HTTP.
a. Switch to the PuTTY command-line interface for the cluster IP at 10.0.0.150.
b. Log on to the NetScaler system using the nsroot credentials, if necessary.
c. Enter the following commands to add the servers:
add server srv_blue 10.29.0.205
add server srv_green 10.0.0.210
add server srv_red 10.30.0.215
d.
Enter the following command to add the HTTP services for the servers:
add service svc_blue srv_blue HTTP 80
add service svc_green srv_green HTTP 80
add service svc_red srv_red HTTP 80
2.
Enable the load balancing feature using the following command:

enable ns feature lb
3.
Create the lb_vsrv_rbg load-balancing virtual server for HTTP using the IP address 10.0.0.88,
then bind the svc_blue, svc_green, and svc_red services to it.
a. Enter the following command to create the HTTP load-balancing virtual server:
add lb vserver lb_vsrv_rbg HTTP 10.0.0.88 80 lbMethod ROUNDROBIN
b.
Enter the following commands to bind the HTTP load-balancing virtual server to the
HTTP services:
bind lb vserver lb_vsrv_rbg svc_blue
bind lb vserver lb_vsrv_rbg svc_green
bind lb vserver lb_vsrv_rbg svc_red
4.
204
Test load balancing by browsing to the "lb_vsrv_rbg" IP address.

a.
b.
Open a Firefox browser from the Win7Client desktop.

Browse to http://10.0.0.88/home.php.
The Citrix Home page will appear displaying one of the color pages.
If you receive a message stating that the connection was reset, click Try Again.
c.
Refresh the web page several times.

The web page should cycle through the three different color pages.
d.
205
206
Module 14
Monitoring and
Management
14
208
Module 14: Monitoring and Management

Exercises
Exercise 14-1: Auditing and Logging
This exercise demonstrates how to configure a syslog server and view syslog messages on the
NetScaler.
Before You Begin

AD.training.lab
NS_VPX_0
Win7Client

This exercise provides step-by-step instructions for completing "Exercise 14-1: Auditing and
Logging" using the configuration utility.
Configuring the Kiwi Syslog Daemon (Configuration Utility)

1.
Configure the Kiwi Syslog Daemon for UDP messages on port 514.
a. From the Win7Client VM desktop, navigate to Start > All Programs > Kiwi
Enterprises > Kiwi Syslog Daemon.
The Kiwi Syslog Service Manager opens.
b.
c.
d.
e.
f.
Click File and select Setup.

Expand the Inputs node on the bottom left side of the window and click UDP.
Verify that Listen for UDP Syslog messages is selected and that the UDP Port is set
to 514.
Leave all other settings at their default values.
Click OK.
209
Creating a Syslog Policy and Syslog Server (Configuration

Utility)
Use an HTTP connection to the NS_VPX_0 (10.0.0.100) configuration utility logged on as the
1.
2.
3.
Open the Chrome browser from the Win7Client desktop.

Browse to http://10.0.0.100 and log on using the nsroot credentials.
Configure a syslog policy and syslog server using 10.0.0.103 for the IP address.
a. Navigate to System > Auditing > Syslog.
b. Click on the Servers tab then click Add.
c. Type Ext_Kiwi in the Name field.
d. Enter 10.0.0.103 in the IP Address field.
e. Select the ALL radio button in the Log Levels field.
f. Verify that the Log Facility field is set to LOCAL0.
g. Click Create.
This step creates the Ext_Kiwi server object.
h.
i.
j.
k.
Click the Policies tab, then click Add.

In the Name field enter Ext_Kiwi_policy.
Verify that Ext_Kiwi is selected in the Server field in the Create Auditing Policy
dialog box.
Click Create.
This step creates the syslog policy.
4.
Bind the syslog policy Globally.

a. Click Action and then Global Bindings.
b. Click Click to select under the Select Policy field.
c. Select the Ext_Kiwi_policy radio button and click OK.
d. Click Bind and Done.
e. Click the Floppy disk icon in the upper-right corner of the configuration utility to
save the running configuration.
f. Click Yes to confirm saving the configuration.
By saving the running configuration, a syslog audit message is generated. Syslog
messages are sent to the Kiwi Syslog Server running on the Win7Client. This message
will be search-able in an upcoming task.
210
Viewing Recent Audit Messages (Configuration Utility)

1.
View recent audit messages.

a. Navigate to System > Auditing.
b. Click Recent audit messages under the Audit Messages heading on the left.
The Audit Messages dialog box opens.
c.
d.
Click Custom and then select INFORMATIONAL and any other log levels you want
to display.
Type 25 in the Number of Audit Messages to be shown field and then click Run at the
bottom of the page.
The viewer will update with the specified number of messages for the selected log
levels. In most cases, systems in the lab will only have INFORMATIONAL messages
to display.
e.
Click Close.
The Audit Messages dialog box closes.
Viewing Historical Audit Messages (Configuration Utility)

1.
View historical audit messages.

a. Navigate to System > Auditing.
b. Select Syslog messages under the Audit Messages heading on the right.
The Syslog Viewer dialog box opens.
c.
Select ns.log under File /var/log/ on the right side of the screen and then select any
historical log file from the drop-down menu.
Historical log files are maintained by default under /var/log and are in
ns.log.#.gz form.
d.
e.
Click Severity on the right side of the screen.

Select ERR and INFO from the Severity drop-down menu and then click Apply.
The Syslog Viewer updates and displays messages from the historical log.
f.
Type SNIP in the Search field at the top left and then click Go to start the search.
211
Search for "lb vserver", "ns conf", or "enable feature" if time permits.
g.
Click Back at the top left to close the Syslog Viewer.
Viewing Audit Messages on the Remote Syslog Server

Use the Win7Client vitual machine logged on as the CitrixAdmin user for this task.
1.
View audit messages on the remote syslog server.

a. Switch to the Kiwi Syslog Daemon window.
b. View the syslog messages from the NetScaler in the Display 00 (Default) Kiwi Syslog
window.
The systems in the lab will only have INFORMATIONAL messages to display.
Disabling Syslog Audit Messages (Configuration Utility)

1.
Disable logging of Syslog Audit Messages to the Kiwi Syslog Server.

a. Switch to the configuration utility for NS_VPX_0 (10.0.0.100).
b. Navigate to System > Auditing > Syslog.
c. Click Action and then click Global Bindings in the Syslog pane.
The System Global Auditing Syslog Policy Binding dialog box opens.
d.
e.
Select the Ext_Kiwi_policy policy, click Unbind, and then click Yes.
Click Done.

This exercise provides step-by-step instructions for completing "Exercise 14-1: Auditing and
Logging" using the command-line interface.
Configuring the Kiwi Syslog Daemon (Command-Line

Interface)
212
1.
Configure the Kiwi Syslog Daemon for UDP messages on port 514.
a. Navigate to Start > All Programs > Kiwi Enterprises > Kiwi Syslog Daemon > Kiwi
Syslog Daemon.
The Kiwi Syslog Service Manager opens.
b.
c.
d.
e.
Click File and select Setup.

Click UDP in the Inputs node in the left pane.
Verify that Listen for UDP Syslog messages is selected and that the UDP Port is set
to 514. Leave all other settings at their defaults.
Click OK.
Configuring and Viewing the Syslog (Command-Line

Interface)
1.
2.
Open a PuTTY command-line for NS_VPX_0 and log on using the nsroot credentials.
Enter the following command to create a Syslog Server named Ext_Kiwi on the NetScaler
system with the IP address 10.29.0.11 on port 514:
add audit syslogAction Ext_Kiwi 10.0.0.103 -serverPort 514 loglevel ALL
-logFacility LOCAL0 -tcp All
3.
Create a Syslog Policy named Ext_Kiwi_policy on the NetScaler system.

a. Enter the following command to add a syslog policy on the NetScaler system:
add audit syslogPolicy Ext_Kiwi_policy ns_true Ext_Kiwi
b.
Enter the following command to bind the audit policy to the system global to enable
audit logging:
bind system global Ext_Kiwi_policy
c.
Enter the following command to save the running configuration:

save ns config
4.
View the recent audit messages in PuTTY.

a. Enter the following command to show recent audit messages:
show audit messages -numOfMesgs 20
The results will look like the following text:
213
NS_VPX_0> show audit messages

1) 10/07/2008:22:30:44 GMT edulabvpn1
Informational : UI CMD_EXECUTED 96357 : User
nsroot - Remote_ip 0.0.0.0 - Command "save ns
config" - Status "Success"
2) 10/07/2008:22:30:44 GMT edulabvpn1
Informational : TCP CONN_TERMINATE 96358 : Source
192.168.1.3:80 - Destination 192.168.1.21:40284 Start Time 10/07/2008:22:30:44 GMT End Time 10/07/2008:22:30:44 GMT - Total_bytes_send 0
- Total_bytes_recv 1
3) 10/07/2008:22:30:45 GMT edulabvpn1
Informational : TCP CONN_TERMINATE 96359 : Source
192.168.1.4:80 - Destination 192.168.1.21:17855 Start Time 10/07/2008:22:30:45 GMT End Time 10/07/2008:22:30:45 GMT - Total_bytes_send 0
- Total_bytes_recv 1
5.
b. Verify syslog audit messages are received by Kiwi Syslog Daemon.

Enter the following command in PuTTY to disable syslog audit logging before continuing to
next lab exercise:
unbind system global Ext_Kiwi_policy
This stops syslog audit messages from being sent from the NetScaler to the
SyslogManagerIP.
Exercise 14-2: Monitoring

This exercise demonstrates how to configure SNMP monitoring on the NetScaler.
Before You Begin

AD.training.lab
NS_VPX_0
Win7Client

214

This section provides step-by-step instructions for completing "Exercise 14-2: Monitoring" using the
configuration utility.
Configuring SNMP Settings (Configuration Utility)

1.
2.
Switch to the configuration utility for NS_VPX_0 at http://10.0.0.100 and log on using the
nsroot credentials, if necessary.
Configure an SNMP manager with a management host of 10.0.0.103.
a. Navigate to System > SNMP > Managers.
b. Click Add.
The Add SNMP Manager dialog box opens.
3.
c. Select the Management Network radio button.

e. Click Create.
Configure an SNMP community named "ctxtrainsnmp" with permissions set to ALL.
a. Navigate to System > SNMP > Community.
b. Click Add.
The Create SNMP Community dialog box opens.
4.
c. Type ctxtrainsnmp in the Community String field.

d. Select ALL from the Permission drop-down menu.
e. Click Create.
Configure a specific SNMPv2 trap for the destination IP address 10.0.0.103. Associate the trap
with the ctxtrainsnmp SNMP community.
a. Navigate to System > SNMP > Traps and click Add.
The Create SNMP Trap Destination dialog box opens.
b.
c.
d.
e.
Select the Specific radio button.

Verify that the V2 radio button is selected in the Version field.
Type 10.0.0.103 in the Destination IP address field. This is the SNMP IP Address.
Leave the Source IP Address field blank.
The NSIP address is used by default.
215
f.
Type ctxtrainsnmp in the Community Name field.

The community name must match the community string specified when you
configured the SNMP community in this lab.
5.
g. Click Create.
Configure an SNMP alarm as type CONFIG-SAVE, verify that the alarm is enabled and then
save the NetScaler configuration.
a. Navigate to System > SNMP > Alarms.
b. Click the Alarm column heading to sort the alarms by name.
c. Select the CONFIG-SAVE alarm and click Edit.
The Configure SNMP Alarm dialog box opens.
d.
e.
f.
Verify that Enabled is selected in the Logging field.

Verify that Enabled is selected in the State field.
Click OK.
The Configure SNMP Alarm dialog box closes.
g.
Click the Floppy disk icon and then click Yes to save the configuration and trigger an
SNMP alert.
Configuring the Kiwi Syslog Daemon and Viewing SNMP

Alerts (Configuration Utility)
1.
Configure the Kiwi Syslog Daemon to listen for SNMP traps on UDP port 162.
a. Maximize the Kiwi Syslog Service Manager window on the Win7Client desktop.
If the Kiwi Syslog Service Manager window is closed, click Start > All
Programs > Kiwi Enterprises > Kiwi Syslog Daemon.
The Kiwi Syslog Daemon opens.
b.
c.
d.
2.
216
Click File and click Setup.

Select SNMP from the Inputs node on the left.
Select the Listen for SNMP Traps option and verify that 162 appears in the UDP
Port field.
Prepare the listener for SNMP informational traps. Clear any previously captured data and
send an SNMP trap.
a. Select Info from the Syslog Level drop-down menu and click OK.
b. Click View and select Clear display.
c.
d.
Switch to the NetScaler configuration utility for NS_VPX_0 (10.0.0.100).

Click the Floppy Disk icon and then click Yes to save the running configuration and
send an SNMP trap.
Click OK if a message appears stating that the configuration hasn't changed.
3.
View the SNMP traps in the Kiwi Syslog Daemon. The SNMP syslog will resemble the
following:
12-02-2008 16:22:43 Local7.Info 10.0.0.100
community=ctxtrainsnmp,
enterprise=1.3.6.1.4.1.5951.1.1.0.28,
enterprise_mib_name=netScalerConfigSave,
uptime=508021, agent_ip=10.0.0.103,
version=Ver2, nsUserName.0=nsroot,
sysIpAddress.0=10.0.0.100
4.
Close the Kiwi Syslog Service Manager.
Exercise 14-2: Step-by-Step (Command-Line-Interface)

This section provides step-by-step instructions for completing "Exercise 14-2: Monitoring" using the
command-line interface.
Configuring SNMP Settings (Command-Line Interface)

1.
Configure an SMNP manager with a 10.0.0.103 IP address and create a "ctxtrainsnmp"

community with permissions set to ALL.
a. Enter the following command to add the SNMP manager:
add snmp manager 10.0.0.103
b.
Enter the following command to add the SNMP community with ALL permissions:
add snmp community ctxtrainsnmp ALL
2.
Configure both a generic and specific SNMPv2 trap and attach each to the ctxtrainsnmp SNMP
community.
217
a.
Enter the following command to configure the specific SNMP trap:

add snmp trap specific 10.0.0.103 -version V2 communityName ctxtrainsnmp
b.
Enter the following command to configure the generic SNMP trap:

add snmp trap generic 10.0.0.103 -version V2 communityName ctxtrainsnmp
3.
Configure an SNMP alarm of type CONFIG-SAVE, save the NetScaler configuration to trigger
an SNMP alert and then view the trap results.
a. Enter the following command in PuTTY to set an SNMP alarm:
set snmp alarm CONFIG-SAVE -state ENABLED
b.

save ns config
c.
Enter the following command to view the SNMP results:

stat snmp
Configuring the Kiwi Syslog Daemon and Viewing SNMP

Alerts (Command-Line Interface)
1.
Configure the Kiwi Syslog Daemon to listen for SNMP traps on UDP port 162.
a. Return to the Kiwi Syslog Service Manager window on the Win7Client desktop.
If the Kiwi Syslog Service Manager window is closed, click Start > All
Programs > Kiwi Enterprises > Kiwi Syslog Daemon > Kiwi Syslog
Daemon.
The Kiwi Syslog Daemon opens.
b.
c.
d.
2.
218
Click File and click Setup.

Select SNMP from the Inputs node on the left.
Select the Listen for SNMP Traps option and verify that 162 appears in the UDP
Port field.
Prepare the listener for SNMP informational traps and clear any previously captured data.
a.
3.
Select Info from the Syslog Level drop-down menu in Kiwi Syslog Daemon and click
OK.
b. Click View and select Clear display.
Switch to the PuTTY command-line interface for NS_VPX_0 and configure an SNMP alarm to
trigger when the NetScaler configuration is saved.
a. Enter the following command in PuTTY (NS_VPX_0) to add the SNMP alarm:
set snmp alarm CONFIG-SAVE -state ENABLED
b.
Enter the following command to save the NetScaler configuration and trigger an
alarm:
save ns config
4.
View the SNMP traps in the Kiwi Syslog Daemon. The SNMP syslog will resemble the
following:
12-02-2008 16:22:43 Local7.Info 10.0.0.100
community=ctxtrainsnmp,
enterprise=1.3.6.1.4.1.5951.1.1.0.28,
enterprise_mib_name=netScalerConfigSave,
uptime=508021, agent_ip=10.0.0.103,
version=Ver2, nsUserName.0=nsroot,
sysIpAddress.0=10.0.0.100
5.
Close the Kiwi Syslog Service Manager.
219
220
Module 15
Troubleshooting
Exercises
15
222
Module 15: Troubleshooting Exercises

Exercise 15: Troubleshooting
The following scenarios are based on the lab exercises that you performed during the past week.
Each troubleshooting scenario presents a problem that you need to resolve. There are checkpoints
in each lab to help you determine the solution.
You will be working on the NS_VPX_0 virtual machine. To start the troubleshooting lab, you will
run a script that will introduce the wrong configuration for the NetScaler.
Before You Begin

AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client
Preparing the NetScaler for the Troubleshooting Lab

1.
Run a batch script from the Win7Client desktop to break the NetScaler configuration.
a. Launch PuTTY from the Win7Client desktop.
b. Type 10.0.0.100 for NS_VPX_0 in the Host Name (or IP address) field and click
Open.
c. Type nsroot and press Enter.
d. Type nsroot at the Password prompt and press Enter.
e. Enter the following commands at the command prompt to run the script to break the
NetScaler configuration:
batch -filename /var/break.txt
y
223
The batch script saves and moves the current NetScaler configuration to a
different location, loads a bad configuration file, and then restarts the
NetScaler.
f.
Verify that the NetScaler (NS_VPX_0 is restarting. If the script doesn't reboot the
NetScaler, reboot the NetScaler in the lab environment.
Exercise 15-1: Troubleshooting Scenario 1

You have configured a virtual server that uses the round-robin method of load balancing. The load
balancing virtual server on http://10.0.0.80 is configured to serve the Blue, Green, and Red home
pages. During some internal tests, you find that only the Red home page is being displayed by the
server. You refresh the page, clear the cache, and try a different browser, so you think the problem
is on the server side.
The web site needs to go live tomorrow and you need to find out why load balancing is not
working.
Where to Begin
Access the NetScaler (NS_VPX)) and browse to the Load Balancing node. Check the settings for
the servers, services, and load balancing virtual servers.
Browse to the System node. Check the Basic and Advanced NetScaler settings.
Checkpoint
Checking the following items may help you troubleshoot this issue.
Are the Blue and Green servers configured, and does the state show as Up?
Are the services for the Blue and Green servers properly configured?
Is the load-balancing virtual server configured?
Are the Blue and Green services bound to the virtual server?
Are the required features enabled?
The issue is considered resolved when the following conditions have been met:
224
One of the color pages appears when you browse to http://10.0.0.80.

The web page cycles through the Blue, Green, and Red home pages when the browser is
refreshed.
Before You Begin

AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client

You have configured a virtual server for SSL Offload. The page was working until you installed a
new server certificate. You followed the procedures to create a certificate request and then
downloaded the server certificate. However, the SSL virtual server at https://10.0.0.81/home.php is
not responding.
The old certificate expires today and customers will need access to the secure web site. You need to
determine why SSL offload is not working and then fix the problem.
Where to Begin
Navigate to Traffic Management > Load Balancing > Virtual Servers and check the SSL settings
for the SSL load balancing virtual server.
Checkpoint
Checking the following items may help you troubleshoot this issue:
Are the proper services bound to the SSL Load Balancing virtual server?
Is the new server certificate installed on the SSL Load Balancing virtual server?
Is the new server certificate bound to the SSL Load Balancing virtual server?
You use Firefox to browse to https://10.0.0.81/home.php and the page loads.

The page cycles through the Blue, Green, and Red home pages when the browser is refreshed.
225
Before You Begin

AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client

The company home page at http://10.0.0.84/home.php that includes content for most browsers. In
order to accommodate users on legacy browsers and users on iPhones, you have configured the
NetScaler to switch content requested from IE6 and iPhones to different servers. IE6 users should
be directed to the Blue server and iPhone users should be directed to the Red server.
The NetScaler was restarted after updates were applied. Shortly after that, you receive complaints
from iPhone users that they are not able to view the proper content.
Where to Begin
Use the Firefox browser to access the IE6 and iPhone user agents and verify the problem. Use the
Firefox Tools > Default User Agent menu to select the appropriate agent. Browse to
http://10.0.0.84/home.php to verify that a problem exists.
Navigate to Content Switching > Virtual Servers and verify that the settings for the virtual server
are correct and the correct policies are applied.
Checkpoint
Is the content switching virtual server Up?

Are the appropriate policies bound to the server?
Do the policies have the correct targets?
The issue is considered resolved when you browse to http://10.0.0.84 and the following conditions
have been met:
226
The Blue home page appears when using Firefox with the Default User Agent set to IE6.
The Red home page appears when using Firefox with the Default User Agent set to iPhone.
The Green home page appears when using Firefox with the Default User Agent set to Default.
Before You Begin

AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client

The web administrators need to update certain information on the web site and they want to be
able to deny access to the pages while they are being updated. The hidden pages will contain the
string "private" and the administrators have asked you to configure the NetScaler to deny access to
these pages with a custom response.
They created a responder action, a policy, and bound the policy globally. However, during tests the
server does not return the custom response "Client: x.x.x.x is not authorized to access URL:
/private" and instead returns an error 404 - File or directory not found.
Where to Begin
Navigate to Responder and verify the actions and policies.
Checkpoint
Does the policy have the correct action applied to it?

Does the policy contain the correct expression?
Is the policy bound globally?
You browse to http://10.0.0.80/private and the server returns the custom response: "Client:
x.x.x.x is not authorized to access URL: /private"
227
Before You Begin

AD.training.lab
NS_VPX_0
Web_Blue
Web_Green
Web_Red
Win7Client

A Windows application connects to the NetScaler using a Windows Active Directory user
credential. The application needs to be able to view certain NetScaler settings for reporting
purposes. You decide to test the user credentials and log on to the NetScaler at http://10.0.0.100.
You are able to log on successfully, but you receive an error and are not able to view any settings.
You verify that the user has the following Active Directory group membership:
username: user1
password: Password1
Active Directory group membership: Remote Users
Where to Begin
Log on to the AD.training.lab virtual machine and examine the group membership for the user1
user.
Log on to the NS_VPX_0 (10.0.0.100) and browse to System > Groups to verify the group settings.
Checkpoint
Is user1 a member of the appropriate group?

Is the group added to the NetScaler?
Are the appropriate policies bound to the group?
228
You are able to log on to the NS_VPX_0 (10.0.0.100) configuration utility or command-line
interface as user1.
In the configuration utility, you are able to view the System settings.
In the command-line interface, you can run "show server" to view the NetScaler settings.
229
230
231
851 West Cypress Creek Road Fort Lauderdale, FL 33309 USA (954) 267 3000 www.citrix.com
Rheinweg 9 8200 Schaffhausen Switzerland +41 (0) 52 63577 00 www.citrix.com
Copyright 2015 Citrix Systems, Inc. All rights reserved.

CNS 205 5I en StudentExerciseWorkbook Skytap v05

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

CNS 205 5I en StudentExerciseWorkbook Skytap v05

Încărcat de

Drepturi de autor:

Formate disponibile

Citrix NetScaler 10.

Copyright 2015 Citrix Systems, Inc.

Citrix NetScaler 10.5 Essentials

Copyright 2015 Citrix Systems, Inc.

Module 2: Basic Networking ........................................................................ 37

Module 3: High Availability ............................................................................ 47

Module 4: Securing NetScaler ...................................................................... 59

Module 5: Basic Load Balancing .................................................................. 69

Copyright 2015 Citrix Systems, Inc.

Exercise 5-2: Step-by-Step (Configuration Utility) .............................................................. 78

Module 6: SSL Offload ................................................................................. 97

Module 7: Global Server Load Balancing ................................................... 107

Exercise 7-1: Step-by-Step (Configuration Utility) ............................................................ 110

Module 8: AppExpert Classic Policy Engine ............................................... 129

Copyright 2015 Citrix Systems, Inc.

Module 8: AppExpert Classic Policy Engine Exercises ........................................................ 131

Module 10: Rewrite, Responder, and URL Transform ................................ 137

Exercise 10-4: Step-by-Step (Command-Line Interface) ................................................. 155

Module 11: Content Switching ................................................................... 171

Copyright 2015 Citrix Systems, Inc.

Module 12: Optimizing Traffic ..................................................................... 183

Module 13: Clustering ................................................................................ 191

Module 14: Monitoring and Management ................................................... 207

Module 15: Troubleshooting Exercises ....................................................... 221

Copyright 2015 Citrix Systems, Inc.

Jeremy Boehl, Karen Bridgewater, Dustin Clark,

Ben Goodman, Kathryn Morris

Subject Matter Experts:

Gregg Anderson, Simon Barnes, Paul Blitz,

Adobe, Flash, Acrobat

Adobe Systems Incorporated

Citrix, Citrix Access Gateway, Citrix

Citrix Systems, Inc.

Digital Service Advisers, LLC

Free BSD Foundation

Active Directory, Internet Explorer,

The Open Group

The Open SSL Software Foundation, Inc.

Java, JavaScript, Oracle

Pearson Education, Inc.

PCI Security Standards Council, LLC

RSA Data Security, Inc.

University Corporation for Advanced Internet

SolarWinds Worldwide, LLC

SSH Communications Security Corporation

Wireshark Foundation, Inc.

10.0.0.224 (Port 80)

10.0.0.80 (Port 80)

10.0.0.18 (Port 80)

10.0.0.80 (Port 1812)

10.0.0.80 (Port 1813)

10.0.0.81 (Port 443)

10.0.0.83 (Port 80)

10.0.0.84 (Port 80)

10.0.0.103 (Port 514)

Global Server Load Balancing IPs

DNS Name Server

Copyright 2015 Citrix Systems, Inc.

Module 1: Getting Started Exercises

Before You Begin

Estimated time to complete this exercise: 5 minutes

Exercise 1-1: Step-by-Step (Configuration Utility)

Performing an Initial Configuration (Configuration Utility)

Module 1: Getting Started