
NetScaler Fundamentals

Learning Labs exercise guide


February 2013

Table of Contents
Overview
Lab Topology Diagram
How to login to the lab environment
Module 1 - Exercise 1: Initial Configuration
Module 2 - Exercise 1: Load Balancing
Module 3 - Exercise 1: Content Switching
Module 3 - Exercise 2: SSL Offload
Module 5 - Exercise 1: HTTP header modification
Module 5 - Exercise 2: HTTP to HTTPs redirection and URL body rewrite


Overview
Hands-on Training Module
This training module has the following details:
Objective: This lab provides hands on training on the core NetScaler functionality
Audience: Primary: Partners and customers

Lab Environment Details

Machine          Details
AD.training.lab  Domain controller, DHCP, DNS
NS10_HA1         Virtual instance of a NetScaler appliance (HA node)
NS10_HA2         Virtual instance of a NetScaler appliance (HA node)
Win7Client       Administrative workstation
Apache_MySQL_1   Linux server with Apache, PHP, MySQL
Apache_MySQL_2   Linux server with Apache, PHP, MySQL
Apache_MySQL_2   Linux server with Apache, PHP, MySQL
SQLServer        Microsoft SQL 2008 server and Microsoft Certificate Services
WebBlue          IIS server, PHP, WebGoat
WebGreen         IIS server, PHP, WebGoat
WebRed           IIS server, PHP, WebGoat


Lab Topology Diagram

NOTE: If prompted with a dialog to restart on any virtual machine, always select
Restart Later.

Required Lab Credentials

Below are the login credentials required to connect to the workshop system and
complete the lab exercises.

Machine          IP Address                                 Username                Password
AD.training.lab  192.168.10.11                              TRAINING\Administrator  Citrix123
NS10_HA1         NSIP: 192.168.10.220, SNIP: 192.168.10.90  nsroot                  nsroot
NS10_HA2         NSIP: 192.168.10.225, SNIP: 192.168.10.90  nsroot                  nsroot
Win7Client       DHCP assigned                              TRAINING\Administrator  Citrix123
Apache_MySQL_1   192.168.10.13                              root                    Citrix123
Apache_MySQL_2   192.168.10.14                              root                    Citrix123
Apache_MySQL_2   192.168.10.15                              root                    Citrix123
SQLServer        192.168.10.12                              TRAINING\Administrator  Citrix123
WebBlue          192.168.10.205                             TRAINING\Administrator  Citrix123
WebGreen         192.168.10.210                             TRAINING\Administrator  Citrix123
WebRed           192.168.10.215                             TRAINING\Administrator  Citrix123

How to log into the lab environment


The self-paced lab environment is hosted on a cloud-based Citrix XenServer.
Connecting to your server from the portal page is as easy as 1-2-3.

Step-by-step login instructions


Step Action
1. Once logged in at the self-paced portal, click the Start lab button to
launch a connection to published XenCenter.
2. When XenCenter loads, right-click the XenCenter node and select Add
3. On the Add New Server screen enter the XenServer IP address
provided on the portal and in the Password field enter the password
provided on the portal. The user name will always be root.

Module 1 - Exercise 1: Initial Configuration


Overview
In this exercise you will configure the NetScaler with a management IP address,
subnet IP and a DNS name server. Additionally you will configure licensing and
set up a high availability pair.

Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
Estimated time to complete this lab: 20 minutes.
Step Action
1. In XenCenter, go to the networking tab of each NetScaler and
confirm that the MAC address is correct since it determines licensing.
NS10_HA1: 06:e0:89:e0:b0:fd
NS10_HA2: 22:64:cc:9b:ea:aa
2. Go to the console tab of NS10_HA1 and NS10_HA2 virtual machines
and set the following Initial Network Address Configuration:
NS10_HA1:
IP Address: 192.168.10.220
Netmask: 255.255.255.0
Gateway: 192.168.10.1
Select option #4 to Save and quit.
NS10_HA2:
IP Address: 192.168.10.225
Netmask: 255.255.255.0
Gateway: 192.168.10.1
Select option #4 to Save and quit.
3. After the NetScaler VMs reboot, select the Win7Client VM and click
the Console tab.
4. Select the Send Ctrl+Alt+Del (Ctrl+Alt+Insert) button in the
lower left hand corner of XenCenter.
5. Login as
Username: training\administrator
Password: Citrix123
6. Open Internet Explorer and navigate to http://192.168.10.220 .
The NetScaler Configuration Utility is displayed.
7. Login as
Username: nsroot
Password: nsroot

8. On the bottom of the screen, select Setup Wizard
9. Click Next on the Introduction screen.
10. On the Network Config screen, enter the following:
Host Name: NS10_HA1
Subnet IP (SNIP): 192.168.10.90
Netmask: 255.255.255.0
Click Next.
11. On the Choose Application screen, click Next.
12. Click Finish on the Summary screen. Then click Exit to close the
setup wizard.
13. On the top right side of the screen, save your configuration by
clicking on the Save button.
Click Yes to confirm.
14. Open another tab in Internet Explorer and repeat steps 6-13 for
NS10_HA2 (192.168.10.225).
Host name: NS10_HA2
Subnet IP (SNIP): 192.168.10.90
Netmask: 255.255.255.0
15. On both nodes, use the CLI to copy the new license file to the
/nsconfig/license directory.
16. Select the NS10_HA1 virtual machine and click on the Console tab.
If you do not see the login: prompt, hit the enter key once or
twice.
Login as
Username: nsroot
Password: nsroot
17. At the NetScaler prompt, type shell.
18. You are now in the shell of NetScaler. Type the following command:
cp /var/license_backup/VPX_1000.lic /nsconfig/license/
Hit the Enter key.
19. Type exit to exit the shell.

20. Type reboot warm to reboot the NetScaler.
Type Y and hit the Enter key to confirm you want to restart
NetScaler.
The NetScaler now reboots.
21. Select the NS10_HA2 virtual machine in XenCenter and click on the
Console tab.
22. Repeat steps 16-20 on NS10_HA2.
23. Select the Win7Client VM again. Close out your browser. Open a
new instance of IE and browse to http://192.168.10.220.
24. Login as
Username: nsroot
Password: nsroot
25. Navigate to System>Licenses page and note all the licensed
features.
26. Navigate to System > Settings > Configure basic features
Enable all features except HTTP Compression, Content Filter,
Integrated Caching, and Application Firewall.
Click OK.
27. Next we will configure a DNS Name Server on the NetScaler for
name resolution. NetScaler can be configured as a DNS Name
server, but in this exercise we will point to an external DNS server.
Navigate to DNS > Name Servers. Click Add.

28. Enter IP address 192.168.10.11 (This is the lab Domain
Controller) and click Create. Click Close to close the Create
Name Server window.
29. Minimize your IE window and double-click on the Putty application
on your desktop.
30. Enter 192.168.10.220 in the Host Name field and click Open.
Click Yes on the security alert pop-up.
31. Login as
Username: nsroot
Password: nsroot
32. At the NetScaler prompt, run each of the following commands:
> show run
> sh ns ip (note the NSIP and SNIP)
> sh route
> sh ns feature
> sh ns mode
> sh ha node
> sh license
> show (tab complete to see all the available options)
> show ns (tab complete and check one or two options out)

33. Minimize the Putty window.
34. Bring up the NetScaler Configuration Utility of NS10_HA1 again
and navigate to System > High Availability
35. Click Add.
Enter the IP of the NS10_HA2 (192.168.10.225).
Enable the Login credentials for remote system are different
from self node
Username: nsroot
Password: nsroot
Click OK. Click OK on the Information pop-up window.
36. Click Refresh until Synchronization State is SUCCESS and save the
configuration.
37. Bring up the Putty window again. Run the following command (hit
enter a few times to get the CLI moving)
> sh ha node | more
38. Note: Sync state Enabled. The Master State is (Primary) on
NS10_HA1. If you run this command on NS10_HA2, the Master
State should show as (Secondary).
Failover is a feature that allows the secondary node to automatically
receive incoming requests in the event the primary node stops
functioning.
Manually failover to the secondary node by entering the following
commands:
> force ha failover
> sh ha node
Note: The Master State has changed. Force it back so NS10_HA1 is
primary. Confirm that the enabled features such as SSL Offload and
Load Balancing are enabled.
39. Run the following command:
> sh ns feature | more
Confirm that SSL Offloading and Load Balancing are enabled.
40. Close out the putty window.
END OF EXERCISE

Module 2 - Exercise 1: Load Balancing


Overview
You want to demonstrate NetScaler load balancing. You need to configure the
NetScaler to load balance the Red, Blue and Green web servers. A server is a
virtual representation of a physical server on the backend. It consists of a server
name and IP address. A service provides the connection between the NetScaler
appliance and the load balanced backend server. It consists of a server name, IP
address, port, and data type to be served. If you prefer to identify servers
by name rather than IP address, you can create server objects and then specify a
server's name instead of its IP address when you create a service. After you
create your services, you must create a virtual server to accept traffic for the
load balanced Web sites, applications, or servers. Once load balancing is
configured, users connect to the load-balanced Web site, application, or server
through the virtual server's IP address or FQDN. Create servers, services and
virtual servers with persistence and protocol aware monitors.

Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
4. IIS Web Server: (WebBlue)
5. IIS Web Server: (WebGreen)
6. IIS Web Server: (WebRed)
Estimated time to complete this lab: 20 minutes.

Step Action
1. In the NetScaler Configuration Utility of NS10_HA1, navigate to Load
Balancing > Servers.

2. Click Add.
Enter the following configuration:
Server Name: Blue_Server
IP Address: 192.168.10.205
3. Click Create.
Repeat steps 2-3 to create the following servers:
Red_Server 192.168.10.215
Green_Server 192.168.10.210
4. After creating the servers, click Close.
Once done, you should see the servers created as follows.
5. Navigate to Load Balancing > Services. Click Add.
6. Create service objects for the servers created in the steps 1-4.
Enter the following configuration:
Service Name: Blue_Service
Server: Blue_Server (192.168.10.205)
Protocol: HTTP
Port: 80
7. Click Create.
Repeat steps 5-6 to create services for the following:
Red_Service 192.168.10.215
Green_Service 192.168.10.210
8. Once you are done, click Close. You should see the following services:
9. Navigate to Load Balancing > Virtual Server. Click Add.

10. Create a virtual server with the following configuration:
Name: RBG1
Protocol: HTTP
IP address: 192.168.10.216
Port: 80
Bind all three services by checking the box next to each service.
Click Create.
11. Open another browser tab and browse to http://192.168.10.216 . Refresh
multiple times. The Red Blue and Green web servers should be load
balanced since no persistence is configured.
12. Go to Load Balancing > Services and disable two of the three services.
13. Test load balancing by browsing to http://192.168.10.216 again. You should
connect to the same server.
14. Re-Enable the services when done.
15. Go back to the NetScaler Configuration Utility and open the RBG1 virtual
server.
Select the Method and Persistence tab.
16. Configure the following:
Method: change from Least Connection (Default) to Round Robin.
Persistence: CookieInsert
Time-Out value: Change from 2 (Default) to 0

17. A DNS record was created for 192.168.10.216. Browse to
http://web1.training.lab and refresh multiple times. This time you will notice
that your session will persist to either the Red, Blue or Green server for the
duration of the session.
18. In the NetScaler Configuration Utility, navigate to Load Balancing >
Services.
Double-click the Blue_Service.
19. Select the http monitor from the list of available monitors on the left.
Click Add.
Select the tcp-default monitor from the list of configured monitors on the
right.
Click Remove.
The HTTP monitor expects a 200 OK response code to consider the service
state as UP.
Click OK.
Click OK on the warning as this only informs you that the default TCP
monitor cannot be unbound. Since we are selecting a new HTTP monitor,
the health-check is still performed.
20. Click Close and Save the configuration.
END OF EXERCISE

Module 3 - Exercise 1: Content Switching


Overview
You want to demonstrate NetScaler Content Switching. You need to configure
NetScaler with a Content Switching virtual server to achieve the following:
- HTTP requests to home.php should be switched to a load balancing virtual
  server with CookieInsert persistence and Round Robin load balancing.
- HTTP requests for blue.php, red.php, and green.php should be switched to
  their own respective servers.
- HTTP requests that meet no configured content switching policy should
  trigger the Default content switching policy and be switched to a load
  balancing virtual server with no persistence and Round Robin load
  balancing.
In order to achieve this objective, the following must be configured:
- Server, services and load balancing virtual servers for each web server
- The three services (Red, Blue, Green) are bound to non-directly
  addressable load balancing virtual servers
- Multiple content switching policies (e.g.
  HTTP.REQ.URL.CONTAINS("blue.php"))
- A content switching virtual server with bound policies.

Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
4. IIS Web Server: (WebBlue)
5. IIS Web Server: (WebGreen)
6. IIS Web Server: (WebRed)
Estimated time to complete this lab: 30 minutes.

Step Action
1. In the NetScaler Configuration Utility, navigate to Load Balancing >
Virtual Servers.
Delete the RBG1 virtual server.
2. Create a new virtual server with the following configuration:
Name: RBG_Default
Uncheck the Directly Addressable box.
Bind all services to this virtual server.

3. Select the Method and Persistence tab.
Configure the following:
Method: Round Robin
Persistence: None (No Persistence)
4. Create a new virtual server.
Configure the following:
Name: RBG_Home
Uncheck the Directly Addressable box.
Bind all services to this virtual server.
5. Configure the following:
Method: Round Robin
Persistence: CookieInsert
Time-out: 0
6. Create a new virtual server.
Configure the following:
Name: RBG_Red
Uncheck the Directly Addressable box.
Bind only the Red service to this virtual server.
7. Select the Method and Persistence tab.
Configure the following:
Method: Round Robin
Persistence: CookieInsert
Time-out: 0
8. Create a new virtual server.
Configure the following:
Name: RBG_Blue
Uncheck the Directly Addressable box.
Bind only the Blue service to this virtual server.
9. Select the Method and Persistence tab.
Configure the following:
Method: Round Robin
Persistence: CookieInsert
Time-out: 0
10. Create a new virtual server.
Configure the following:
Name: RBG_Green
Uncheck the Directly Addressable box.
Bind only the Green service to this virtual server.
11. Select the Method and Persistence tab.
Configure the following:
Method: Round Robin
Persistence: CookieInsert
Time-out: 0
12. You should have the following virtual servers configured:

13. Navigate to Content Switching > Policies.
Click Add.
14. Add a policy with the following configuration:
Name: Home_Policy
Click Configure.
15. In the Expression section type:
HTTP.REQ.URL.CONTAINS("home.php")
Click Create to close the Create Expression window.
16. Click Create to close the Create Content Switching Policy window.
17. Repeat steps 15-17 to create the following policies:
Name: Red_Policy
Expression: HTTP.REQ.URL.CONTAINS("red.php")
Name: Blue_Policy
Expression: HTTP.REQ.URL.CONTAINS("blue.php")
Name: Green_Policy
Expression: HTTP.REQ.URL.CONTAINS("green.php")

18. Navigate to Content Switching > Virtual Servers.
Click Add.
19. Configure the following:
Name: RBG_CSW
IP Address: 192.168.10.217
Protocol: HTTP
Port: 80
20. Note: The content switching virtual server's state is UP although no
policies have been bound. Browse to https://192.168.10.217 . The service
is unavailable when browsing to the address.
21. Open the RBG_CSW virtual server. Click Insert Policy
22. Select the Home_Policy.
23. Click the dropdown arrow under the GoTo Expression column and select
the blank option.
24. Select the dropdown arrow under the Target column and select
RBG_Home.
25. Double-click the text box under the Priority column and change the priority
to 120.
Hit the Enter key.
26. Bind the remaining content switching policies to the respective targets (i.e.
Red_Policy to RBG_Red etc). Configure the priorities in those policies
as indicated below.
27. A new DNS record was created for 192.168.10.217. Open another browser
tab and browse to http://web2.training.lab. Refresh multiple times. The Red
Blue and Green web servers should be load balanced in a round robin
manner. This is because your request hit the Default policy and was
switched to RBG_Default which has no persistence configured.
28. Change the request URL to http://web2.training.lab/home.php. Note:
Hitting refresh multiple times will keep you on the same server since your
request was sent to the RBG_Home virtual server which has CookieInsert
configured for persistence.
29. Change the request URL to http://web2.training.lab/red.php. Note: Your
request was sent to the RBG_Red virtual server.
Repeat the request with http://web2.training.lab/blue.php and
http://web2.training.lab/green.php
30. You can view the hit counts increase in the Content Switching > Policies
node or when you open the content switching virtual server.

END OF EXERCISE
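
An added model, not part of the lab guide, of how the RBG_CSW virtual server in this exercise picks a target: policies are tried in ascending priority number, the first match wins, and unmatched requests go to the default target. Only the priority 120 for Home_Policy comes from the guide; the other priorities and the sample URLs are constructed, and switch_exact_path is a hypothetical stricter variant that corresponds to matching the path alone, for example HTTP.REQ.URL.PATH.EQ("/home.php").

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CsPolicy:
    name: str       # content switching policy name from the lab
    needle: str     # argument of HTTP.REQ.URL.CONTAINS("...")
    target: str     # load balancing virtual server the policy switches to
    priority: int   # lower number is evaluated first


# Names, expressions and targets are the lab's. Only Home_Policy's priority
# (120) is stated in the guide; the other three priorities are constructed.
POLICIES = [
    CsPolicy("Red_Policy", "red.php", "RBG_Red", 90),
    CsPolicy("Blue_Policy", "blue.php", "RBG_Blue", 100),
    CsPolicy("Green_Policy", "green.php", "RBG_Green", 110),
    CsPolicy("Home_Policy", "home.php", "RBG_Home", 120),
]
DEFAULT_TARGET = "RBG_Default"


def switch_contains(url, policies=POLICIES, default=DEFAULT_TARGET):
    """Target chosen with the lab's expressions.

    HTTP.REQ.URL covers path and query string, and CONTAINS is a
    case-sensitive substring test, so the needle may match anywhere.
    """
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.needle in url:
            return policy.target
    return default


def switch_exact_path(url, policies=POLICIES, default=DEFAULT_TARGET):
    """Hypothetical stricter variant: compare the path only, exactly."""
    path = urlsplit(url).path
    for policy in sorted(policies, key=lambda p: p.priority):
        if path == "/" + policy.needle:
            return policy.target
    return default


# Constructed request URLs, as they would appear in the request line.
SAMPLE_URLS = [
    "/",                        # no policy matches: default target
    "/home.php",                # Home_Policy
    "/red.php",                 # Red_Policy
    "/home.php?next=red.php",   # query string also contains "red.php"
    "/notblue.php",             # different file whose name contains "blue.php"
    "/Home.php",                # different case: no CONTAINS match
]


def compare(urls=SAMPLE_URLS):
    """Return (url, target with CONTAINS, target with exact path) rows."""
    return [(u, switch_contains(u), switch_exact_path(u)) for u in urls]


if __name__ == "__main__":
    for url, loose, strict in compare():
        marker = "" if loose == strict else "   <-- differs"
        print(f"{url:26} CONTAINS={loose:12} PATH.EQ={strict:12}{marker}")
```

The rows that differ show requests that the substring policies send to a virtual server other than the one the path names, which matters here because the targets differ in persistence settings.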


Module 3 - Exercise 2: SSL Offload


Overview
You want to secure traffic to your web servers using SSL certificates. In this lab,
you will create a certificate and configure NetScaler to offload the SSL
transactions while load balancing the Red, Blue and Green Web servers. SSL
Offload is how the NetScaler appliance transparently accelerates SSL
transactions. All SSL processing is performed on the appliance instead of the
backend web server. This reduced workload allows the web server to serve web
pages much faster.

Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
4. Microsoft SQL Server 2008: (SQLServer)
5. IIS Web Server: (WebBlue)
6. IIS Web Server: (WebGreen)
7. IIS Web Server: (WebRed)
Estimated time to complete this lab: 40 minutes.

Step Action
1. Open the NetScaler Configuration Utility. Navigate to SSL > Create
CSR (Certificate Signing Request).

Configure the following:
File name: wildcard.req
Key File Name: (Browse > ns-root.key)
Format: PEM
Common name: *.training.lab
Fill all other required fields, but do not put a password.

3. Navigate to SSL > Manage Certificates / Keys / CSRs.
Select the wildcard.req file and click Download.
Save the file in C:\Users\administrator.TRAINING\Documents.
Click Close twice.

Open another tab in IE and browse to https://192.168.10.12/certsrv .
Login as
Username: Administrator
Password: Citrix123

Select Request a certificate

Select Advanced Cert Request.
Then select Submit a certificate request by using a base-64

7. Open the wildcard.req file with Notepad.exe and copy the contents.

Paste the contents into the Saved Request field.

Choose Web Server as the Certificate Template and click Submit.
Download a Base 64 encoded certificate (certnew.cer) to the
documents folder.

10. Using the NetScaler Configuration Utility, navigate to SSL > Manage
Certificates / Keys / CSRs.

11. Click Upload.
Browse to C:\Users\administrator.TRAINING\Documents .
Select the certnew.cer file and upload to the appliance.
Note: the file will be uploaded to the /nsconfig/ssl directory.

12. To install the certificate, navigate to SSL > Certificates > Install.

13. Configure the following:
Certificate-Key Pair Name: wildcard-cert
Certificate File Name: browse (Appliance) to certnew.cer
Private Key File Name: browse (Appliance) to ns-root.key
Click Install.
Then click Close.

14. Navigate to Content Switching > Virtual Servers.
Open the RBG_CSW virtual server and unbind all the content
switching policies.

15. Add a new virtual server.
Configure as follows:
Name: RBG_CSW_HTTPS
IP Address: 192.168.10.217
Protocol: SSL
Bind the CSW policies with priorities as shown below.

16. Note that the virtual server is in a down state since it has no
certificate bound.

17. Double-click the virtual server and select the SSL Settings tab.

18. Select the wildcard-cert and click Add. Click OK
Note: This binds the certificate to the virtual server. The state is now
UP.

19. Browse to https://web2.training.lab and confirm that you are
connecting using HTTPs and the NetScaler is offloading the SSL
transactions.

END OF EXERCISE

Module 5 - Exercise 1: HTTP header modification

Overview
In today's web, applications often require different responses or information sent
to backend servers as part of the HTTP requests/response. For example, when
the home page is requested, a different response is required depending upon the
user's location, or the language the browser accepts, or simply the type of
browser being used to connect to the site.
With the help of rewrite and responder, we can manipulate the parameters on
the request or response and based on certain conditions take a different action.
This is especially useful when you want to masquerade any information returned by
the server or simply redirect the client connection to a secure site.
In this module, we will explore different examples on how to use the rewrite and
responder feature to perform HTTP to HTTPs redirection, as well as changing
the body of the response to ensure all links are displayed with the correct secure
protocol. In addition, we will also configure a simple URL transformation to hide
the application path and also garble some of the parameters returned by the
backend server with the purpose to enhance application security.

Step-by-step guidance
The lab environment required for this exercise is as follows:
1. Linux Server 1 : Apache_MySQL_1 - (GENTOO_1)
2. Linux Server 2 : Apache_MySQL_2 - (GENTOO_2)
3. Linux Server 2 : Apache_MySQL_3 - (GENTOO_3)
4. NetScaler VPX: (NS10_HA1)
5. NetScaler VPX: (NS10_HA1)
6. Windows 7 workstation: (Win7Client)
Estimated time to complete this lab: 30 minutes.

Step Action
1. We will complete a simple load balancing configuration to be used in our
rewrite examples. In this lab, we will configure additional servers and
services for an Apache web server farm.
Open IE and browse to http://192.168.10.220
Navigate to Load Balancing -> Servers and configure the following:
Name: GENTOO_3
IP Address: 192.168.10.15
Click Create. Then click Close.
2. Create a service with the following configuration:
Name: GENTOO_3_HTTP_TCP_80
Monitor: TCP
3. Create a Loadbalanced vserver with the following configuration:
Name: HTTP_vserver
IP address: 192.168.10.218
Protocol: HTTP
Port: 80
4. Bind the service we created on step 2 to it.
5. Apache_MySQL_3 has been provisioned with a simple PHP page that
outputs all the server variables and headers included in the HTTP
request. This page is served as the default 404 not found HTML.
For this lab, we will use this server to visually inspect the information
the backend server received after the traffic is processed by the
NetScaler appliance.
In IE, browse to a non-existing URL on the new HTTP_vserver.
http://192.168.10.218/nonexistenturl/
Inspect the headers and variables to familiarize with the output.
6. First, we will start with a header insertion to include the CLIENT-IP
address in the HTTP request. This can be accomplished in two different
ways:
- Using the CLIENT-IP option in the Advanced Properties of the
  service.
- Using a rewrite rule to insert a new HTTP header.

7. We will start with option 1. Open the GENTOO_3_HTTP_TCP_80 service
and select the Advanced tab.
Under Settings, check the Client IP option.
Fill in the header name Client-IP.
8. Open a new browser instance and attempt your request again.
http://192.168.10.218/nonexistenturl/
You should be able to see the Client-IP being inserted in the request.
9. Now, we will attempt to use a rewrite policy to insert the same
information.
Remove the CLIENT-IP insertion configuration from the Settings
section of the Advanced tab.
10. Open a browser and navigate to the same URL to ensure the header is
not inserted.
http://192.168.10.218/nonexistenturl/
11. Next, create the rewrite action. Navigate to Rewrite > Actions.
Click on Add and configure the following:
Name: InsertClientIP
Type: INSERT_HTTP_HEADER
Header Name: Client-IP
String Expression: CLIENT.IP.SRC
Click Create.
Then click Close.
12. Next, we need to create a new policy and bind it to the rewrite action.
Navigate to the Rewrite > Policies.
Click on Add and configure the following:
Name: InsertClientIP_pol
Action: InsertClientIP
Expression: true
Click Create.
Then click Close.
13. Finally, we need to bind the policy to the HTTP_vserver.
Double-click the HTTP_vserver and select the Rewrite (Request) tab.
Bind the InsertClientIP_pol policy with the default priority.
Click OK to commit the changes.
NOTE: If the rewrite policy does not show up when attempting to bind,
close the Configure Virtual Server window and perform a Refresh. Then
attempt the binding again.

14. Select the IE tab in which you browsed to:
http://192.168.10.217/nonexistenturl
Refresh the window and verify that the client IP was inserted.
15. Next, we will create a Response Rewrite policy to obscure some of the
information sent by the backend server.
16. To visualize the request and response headers received, open a new IE
instance and display the ieHTTPHeaders. Note, the add-on is already
installed and enabled.
Navigate to Tools menu and select Display ieHTTPHeaders
17. Now, navigate to the IP Address of the virtual server.
http://192.168.10.218
You should see the request and response headers.
18. Take a closer look at the response headers. Since this backend server
runs Apache, it includes a Server header in its response. A common
practice is to masquerade this information and include a generic
response.
19. We will create a rewrite action to replace the HTTP header.
In the NetScaler Configuration Utility, navigate to Rewrite > Actions
and click on Add.
20. Configure the following settings:
Name: ReplaceServerHeader
Type: REPLACE
Expression to choose target: HTTP.RES.HEADER("Server")
String expression for replacement text: "MyWebServer" (include the
quotes)
Click Create.
Then click Close.
21. Next, create a rewrite policy. Since we need to perform the action on
every response, use a true expression. Navigate to Rewrite > Policies.
Click Add.
Configure the following settings:
Name: ReplaceServerHeader_pol
Action: ReplaceServerHeader
Expression: TRUE
Click Create.
Then click Close.
22. Navigate to Load Balancing > Virtual Servers.
Double-click on the HTTP_vserver and select the Policies tab.
Under the Policies tab, select the Rewrite tab.
Bind this rewrite policy to the HTTP_vserver.
Ensure you click the dropdown arrow and select the RESPONSE rewrite;
otherwise, the policy will not be listed.
Click OK.
23. Open a new browser instance and browse to http://192.168.10.218
24. Inspect the response headers. Verify the server header value was
replaced.

END OF EXERCISE

Summary
The key takeaways for this exercise are:

Key Takeaways
- Rewrite and responder can be used in conjunction to manipulate
  the data and enhance application security.
- Rewrite policies can modify data on the request and/or response.
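
An added check, not part of the lab guide, for the two results this exercise verifies by eye: the backend receives exactly one Client-IP header, and the response no longer carries the backend's own Server value. The raw messages, the client address 192.168.10.50 and the Apache version string are constructed samples; an INSERT_HTTP_HEADER action adds a header without removing one the client already sent, which is the case the request check flags.

```python
import ipaddress
import re

MASKED_SERVER = "MyWebServer"   # replacement text from ReplaceServerHeader
PRODUCT_VERSION = re.compile(r"[A-Za-z][\w.-]*/\d")   # e.g. "Apache/2"


def parse_headers(raw):
    """Return [(lower-cased name, value), ...] from a raw HTTP message."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:      # skip request/status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def header_values(raw, name):
    return [v for n, v in parse_headers(raw) if n == name.lower()]


def check_backend_request(raw, header="Client-IP"):
    """Findings for a request as the backend received it."""
    seen = header_values(raw, header)
    if not seen:
        return ["missing %s header" % header]
    findings = []
    if len(seen) > 1:
        findings.append("multiple %s headers: %s" % (header, ", ".join(seen)))
    for value in seen:
        try:
            ipaddress.ip_address(value)
        except ValueError:
            findings.append("%s is not an IP address: %r" % (header, value))
    return findings


def check_response(raw, expected=MASKED_SERVER):
    """Findings for a response as the client received it."""
    findings = []
    for value in header_values(raw, "Server"):
        if PRODUCT_VERSION.search(value):
            findings.append("Server header discloses product/version: " + value)
        elif value != expected:
            findings.append("Server header is not the masked value: " + value)
    return findings


# Constructed sample messages.
REQ_OK = ("GET /nonexistenturl/ HTTP/1.1\r\n"
          "Host: 192.168.10.218\r\n"
          "Client-IP: 192.168.10.50\r\n\r\n")
REQ_DUP = ("GET /nonexistenturl/ HTTP/1.1\r\n"
           "Host: 192.168.10.218\r\n"
           "Client-IP: 10.9.9.9\r\n"            # sent by the client itself
           "Client-IP: 192.168.10.50\r\n\r\n")  # inserted by the rewrite action
REQ_NONE = "GET /nonexistenturl/ HTTP/1.1\r\nHost: 192.168.10.218\r\n\r\n"
RES_BEFORE = ("HTTP/1.1 200 OK\r\n"
              "Server: Apache/2.2.22 (Gentoo)\r\n"
              "Content-Type: text/html\r\n\r\n<html></html>")
RES_AFTER = ("HTTP/1.1 200 OK\r\n"
             "Server: MyWebServer\r\n"
             "Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, result in [
        ("request, policy bound", check_backend_request(REQ_OK)),
        ("request, client sent its own header", check_backend_request(REQ_DUP)),
        ("request, policy not bound", check_backend_request(REQ_NONE)),
        ("response before rewrite", check_response(RES_BEFORE)),
        ("response after rewrite", check_response(RES_AFTER)),
    ]:
        print(label, "->", result or "ok")
```

Where the duplicate finding appears, a DELETE_HTTP_HEADER rewrite action for the same header name, bound so that it runs before the insert, leaves only the value the NetScaler adds.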


Module 5 - Exercise 2: HTTP to HTTPs redirection and URL body rewrite

Overview
Certain applications require specific requests to occur over a secure connection.
Leveraging the responder module, the NetScaler can issue a redirect to a secure
site, ensuring a seamless user experience. Additionally, the rewrite module can
be used to rewrite any HTML content containing any reference to an HTTP URI,
forcing the connecting client to navigate the site using HTTPs only. In this
exercise, we will configure a responder policy that redirects requests to an
alternate URL and continue to setup a rewrite policy that rewrites any HTTP
URIs to force secure browsing.
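
An added model, not part of the lab guide, of the redirect this exercise configures, showing the three outcomes a client can see depending on which virtual servers exist on the VIP and which of them have the redirect policy bound. The function names and the set-based description of the virtual servers are assumptions made for the example, and the Host value is modelled without a port.

```python
from urllib.parse import urlsplit


def redirect_target(hostname, path_and_query):
    """Value produced by the exercise's responder Target expression:
    "https://" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY
    """
    return "https://" + hostname + path_and_query


def follow(url, listeners, redirect_bound, max_hops=5):
    """Follow redirects as a browser would.

    listeners      -- schemes for which a virtual server exists on the VIP
    redirect_bound -- schemes whose virtual server has the redirect policy
                      bound (the policy expression is "true", so every
                      request to such a virtual server is redirected)
    Returns (outcome, list of Location values seen).
    """
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme not in listeners:
            return "no listener", hops          # nothing answers on that port
        if parts.scheme not in redirect_bound:
            return "served", hops               # request reaches the backend
        path_and_query = parts.path or "/"
        if parts.query:
            path_and_query += "?" + parts.query
        url = redirect_target(parts.netloc, path_and_query)
        hops.append(url)
    return "redirect loop", hops


START = "http://192.168.10.218/phpmyadmin"

# Only HTTP_vserver exists: the redirect is sent, but nothing listens on 443.
ONLY_HTTP = follow(START, listeners={"http"}, redirect_bound={"http"})

# An SSL virtual server is added on the same VIP; policy bound to HTTP only.
WITH_SSL = follow(START, listeners={"http", "https"}, redirect_bound={"http"})

# Same policy also bound to the SSL virtual server: every HTTPS request is
# redirected to itself, the loop the action's safety check warns about.
MISBOUND = follow(START, listeners={"http", "https"},
                  redirect_bound={"http", "https"})

if __name__ == "__main__":
    for label, (outcome, hops) in [("HTTP vserver only", ONLY_HTTP),
                                   ("HTTP + SSL vservers", WITH_SSL),
                                   ("policy on both", MISBOUND)]:
        print(f"{label:22} {outcome:14} redirects={len(hops)}")
```

Because the policy expression is simply true, the binding point is the only thing that keeps the redirect from looping: it belongs on the HTTP virtual server and not on the SSL one.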

Step-by-step guidance
The lab environment required for this exercise is as follows:
1. Linux Server 1 : Apache_MySQL_1 - (GENTOO_1)
2. Linux Server 2 : Apache_MySQL_2 - (GENTOO_2)
3. Linux Server 2 : Apache_MySQL_3 - (GENTOO_3)
4. Web Server Blue: (WebBlue)
5. Web Server Green: (WebGreen)
6. Web Server Red: (WebRed)
7. SQLServer
8. NetScaler VPX: (NS10_HA1)
9. NetScaler VPX: (NS10_HA1)
10. Windows 7 workstation: (Win7Client)
Estimated time to complete this lab: 40 minutes.

Ste
p
1.

Action

2.

The first step in securing an application is to ensure all requests occur


over an encrypted channel. For this example, we will use a pre-installed
web application (PHPMyAdmin) available on the Linux web server
(Apache_MySQL_3). Since this application lives in the /phpmyadmin
subdirectory, we will configure a responder action to redirect all request
to HTTPs.
In the NetScaler
Configuration Utility,
navigate to System >
Settings >
Configure Advanced
Features and enable
the Responder option.

3.

Navigate to Responder > Actions. Click Add.

Page 60

Step 4. Create a responder action that redirects to a secure URL.
Configure the following settings:
Name: RedirectToSecureSite
Type: Redirect
Target: "https://" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY

The target specified above ensures that any hostname is redirected
regardless of the host header.
Since this expression could potentially create a redirect loop, make sure
that you select the Bypass Safety Check option to allow the action to
be created.

Click Create.
Then click Close.


Step 5. Next, create a responder policy to trigger the action.
Navigate to Responder > Policies.
Click Add.
Configure the following settings:
Name: RedirectToSecureSite_pol
Action: RedirectToSecureSite
Expression: true
Since this will be bound to HTTP_vserver, use a true expression.
Click Create.
Then click Close.

Step 6. Navigate to Load Balancing > Virtual Servers.
Double-click the HTTP_vserver and select the Policies tab.
Under the Policies tab, select the Responder tab.
Select Insert Policy and bind this policy using the default priority.
Click OK.

Step 7. Open a browser instance and navigate to the VIP.
http://192.168.10.218
Use ieHTTPHeaders to verify the redirect is triggered.
Why is the page not displayed?

Step 8. Since we do not have a virtual server listening on port 443, the redirect
does not complete properly. Let's proceed to create a new SSL vserver.
Navigate to Load Balancing > Virtual Servers. Click Add.

Step 9. Create the vserver with the following configuration:
Name: HTTPs_vserver
IP Address: 192.168.10.218
Protocol: SSL
Port: 443
Ensure that you bind the same service: GENTOO_3_HTTP_TCP_80.


Step 10. Since this is an SSL vserver, we need to bind a server certificate.
Select the SSL Settings tab.
Select the wildcardcert and click Add to bind this certificate to the vserver.
Click Create to complete the configuration.
Click Close.

Step 11. Attempt to test the responder policy by navigating to the HTTP URL.
http://192.168.10.218/phpmyadmin
Since we are not using an FQDN, a warning is displayed.
Proceed to accept the warning. The default content should be displayed over a
secure channel. (https://...)


Step 12. To avoid this SSL warning, let's re-issue the request using the
FQDN that resolves to the VIP:
http://web3.training.lab/phpmyadmin
The redirect should complete without any warning message.

Step 13. This responder policy will redirect any request on port 80 to port 443;
however, some applications hardcode absolute URLs or require special
Host headers to serve content. This is especially troublesome when the
application is SSL offloaded, as it can leave all the links inaccessible
or cause the application to stop working.

Step 14. Attempt to log in to the phpMyAdmin application using the
following credentials:
Username: root
Password: Citrix123
Did the login request work?
You should see that a redirect diverts traffic directly to the
backend server, effectively bypassing the load balancer.

Step 15. In order to get through the initial login, we need to rewrite the
redirect that the backend server sends so that it includes the FQDN for
the VIP. To do this, we will use a Rewrite Response policy.
Observe the header trace captured. The Location header has
the wrong information.


Step 16. Proceed to create a Rewrite Action with the following configuration:
Name: ReplaceLocationHeader
Type: Replace
Expression to choose: HTTP.RES.HEADER("Location")
String expression for replacement: "https://web3.training.lab" + HTTP.RES.HEADER("Location").TYPECAST_HTTP_URL_T.PATH_AND_QUERY
The above expression looks for the Location header value in the
response and replaces the hardcoded IP address with the VIP FQDN.

Click Create.
Then click Close.


Step 17. Next, create the rewrite policy.
Navigate to Rewrite > Policies.
Configure the policy as follows:
Name: ReplaceRedirect_pol
Action: ReplaceLocationHeader
Click Create.
Then click Close.

Step 18. Bind the rewrite policy to the HTTPs_vserver load balanced
virtual server.
Make sure to select the Response queue, otherwise the policy will
not show up in the list.

Step 19. Attempt to log in to the application.
http://web3.training.lab/phpmyadmin/
Is the request redirected to HTTPs?
Does the application complete the login request?
After binding the previous policies, the application works as intended.
Navigate a few links to verify correct behavior. Observe the links
on the page.


Step 20. Close the ieHTTPHeaders window.
Click the home icon on the top left side of the phpMyAdmin site.
Once on the home page, scroll to the bottom of the page and hover
the mouse pointer over the "here" hyperlink.
There is one more problem with this configuration. Unfortunately,
some of the links are hardcoded by the application and the URL
includes the backend server IP.
Notice the IP in the URL in the screenshot to the right.
We need to configure a rewrite policy to modify the response body
and replace this static value with the correct FQDN.


Step 21. Let's configure another rewrite policy to adjust the body.
First, configure the rewrite action as follows:
Name: Rewrite_Body_HTTP_HTTPs
Type: REPLACE_ALL
Expression to choose: HTTP.RES.BODY(100000)
String expression: "https://web3.training.lab"
Pattern: http://192.168.10.15
Click Create.
Then click Close.

Note: Choose the response body as the target text reference. For
the body argument, use 100000 characters. This should be plenty
to catch all instances of the pattern to replace.

Step 22. Create the policy with the following configuration:
Name: Rewrite_Body_HTTP_HTTPs_pol
Action: Rewrite_Body_HTTP_HTTPs
Expression: true
The true expression will trigger the action on every instance that
matches the pattern.


Step 23. Next, bind the policy to the HTTPs_vserver response queue
using the default priority.
Make sure that you select NEXT for the Goto Expression on the
first policy, otherwise the policy with lower priority will not be
evaluated.

Step 24. Test the application one more time by refreshing the PHPMyAdmin
page. The URL should now be rewritten and the web application
is now correctly SSL offloaded through NetScaler.
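
A way to check the outcome of the Location rewrite (step 16) and the body rewrite (step 21) offline, as an added example that is not part of the original lab guide: the Python below models both rewrite actions and audits a response for backend references that remain. The sample response is constructed and the function names are hypothetical; the sample also places one link beyond the 100000-byte body window to show that it is left untouched.

```python
from urllib.parse import urlsplit

VIP_ORIGIN = "https://web3.training.lab"   # replacement used in steps 16 and 21
BACKEND_IP = "192.168.10.15"               # backend address from step 21
BACKEND_ORIGIN = "http://" + BACKEND_IP    # pattern from step 21
BODY_WINDOW = 100000                       # HTTP.RES.BODY(100000)

def rewrite_location(headers):
    """Model of step 16: VIP FQDN plus the original path and query."""
    out = dict(headers)
    loc = out.get("Location")
    if loc is not None:
        parts = urlsplit(loc)
        path_and_query = parts.path or "/"
        if parts.query:
            path_and_query += "?" + parts.query
        out["Location"] = VIP_ORIGIN + path_and_query
    return out

def rewrite_body(body):
    """Model of step 21: replace every match, but only in the first BODY_WINDOW bytes."""
    head, tail = body[:BODY_WINDOW], body[BODY_WINDOW:]
    return head.replace(BACKEND_ORIGIN.encode(), VIP_ORIGIN.encode()) + tail

def audit(headers, body):
    """List every place where the backend address is still visible to the client."""
    findings = []
    if BACKEND_IP in headers.get("Location", ""):
        findings.append("Location header")
    needle = BACKEND_IP.encode()
    offset = body.find(needle)
    while offset != -1:
        findings.append("body offset %d" % offset)
        offset = body.find(needle, offset + 1)
    return findings

# Constructed sample: a login redirect and a page with two hardcoded links,
# the second one placed after the 100000-byte window.
SAMPLE_HEADERS = {"Location": "http://192.168.10.15/phpmyadmin/index.php?token=abc"}
SAMPLE_BODY = (b'<a href="http://192.168.10.15/phpmyadmin/doc.html">here</a>'
               + b" " * BODY_WINDOW
               + b'<a href="http://192.168.10.15/phpmyadmin/late.html">late</a>')

if __name__ == "__main__":
    print("before:", audit(SAMPLE_HEADERS, SAMPLE_BODY))
    print("after: ", audit(rewrite_location(SAMPLE_HEADERS), rewrite_body(SAMPLE_BODY)))
```

Running the same audit against header traces and saved pages from the lab shows whether 100000 bytes really covers every page the application serves.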
END OF EXERCISE

Summary


Key Takeaways

Rewrite policies can be strung together to manipulate the
request or response data sequentially.

For some web apps, deeper knowledge of the application
logic is required to successfully configure the necessary
rewrite policies. Additional information can be obtained
from header/network traces and log analysis.


Revision History
Revision: 1.0
Change Description: Original Version
Updated By: Curtis Kegler
Date: February 2013

About Citrix
Citrix Systems, Inc. (NASDAQ:CTXS) is the leading provider of virtualization,
networking and software as a service technologies for more than 230,000 organizations
worldwide. Its Citrix Delivery Center, Citrix Cloud Center (C3) and Citrix Online
Services product families radically simplify computing for millions of users, delivering
applications as an on-demand service to any user, in any location on any device. Citrix
customers include the world's largest Internet companies, 99 percent of Fortune Global
500 enterprises, and hundreds of thousands of small businesses and prosumers
worldwide. Citrix partners with over 10,000 companies worldwide in more than 100
countries. Founded in 1989, annual revenue in 2008 was $1.6 billion.
http://www.citrix.com


© 2012 Citrix Systems, Inc. All rights reserved. Citrix, Citrix Delivery Center, Citrix
Cloud Center, XenApp, XenServer, NetScaler, XenDesktop, Citrix Repeater,
Citrix Receiver, Citrix Workflow Studio, GoToMyPC, GoToAssist, GoToMeeting,
GoToWebinar, GoView and HiDef Corporate are trademarks of Citrix Systems, Inc.
and/or one or more of its subsidiaries, and may be registered in the United States
Patent and Trademark Office and in other countries. All other trademarks and
registered trademarks are property of their respective owners.
