Table of Contents
Overview
Lab Topology Diagram
How to login to the lab environment
Module 1 - Exercise 1: Initial Configuration
Module 2 - Exercise 1: Load Balancing
Module 3 - Exercise 1: Content Switching
Module 3 - Exercise 2: SSL Offload
Module 5 - Exercise 1: HTTP header modification
Module 5 - Exercise 2: HTTP to HTTPs redirection and URL body rewrite
Overview
Hands-on Training Module
This training module has the following details:
Objective
Audience
Details

Lab Topology Diagram
NOTE: If prompted with a dialog to restart on any virtual machine, always select Restart Later.

Virtual machine    Role                                                          IP Address                                  Username                Password
Domain controller  Domain controller, DHCP, DNS                                  192.168.10.11                               TRAINING\Administrator  Citrix123
NS10_HA1           Virtual instance of a NetScaler appliance (HA node)           NSIP: 192.168.10.220, SNIP: 192.168.10.90   nsroot                  nsroot
NS10_HA2           Virtual instance of a NetScaler appliance (HA node)           NSIP: 192.168.10.225, SNIP: 192.168.10.90   nsroot                  nsroot
Win7Client         Administrative workstation                                    DHCP assigned                               TRAINING\Administrator  Citrix123
Apache_MySQL_1     Linux server with Apache, PHP, MySQL                          192.168.10.13                               root                    Citrix123
Apache_MySQL_2     Linux server with Apache, PHP, MySQL                          192.168.10.14                               root                    Citrix123
Apache_MySQL_3     Linux server with Apache, PHP, MySQL                          192.168.10.15                               root                    Citrix123
SQLServer          Microsoft SQL 2008 server and Microsoft Certificate Services  192.168.10.12                               TRAINING\Administrator  Citrix123
WebBlue            IIS server, PHP, WebGoat                                      192.168.10.205                              TRAINING\Administrator  Citrix123
WebGreen           IIS server, PHP, WebGoat                                      192.168.10.210                              TRAINING\Administrator  Citrix123
WebRed             IIS server, PHP, WebGoat                                      192.168.10.215                              TRAINING\Administrator  Citrix123

The SNIP 192.168.10.90 is shared by the HA pair and is the source address the backend servers see for traffic from the NetScaler. nsroot/nsroot is the NetScaler factory default account; it is acceptable in this isolated lab, but on any appliance reachable outside a lab the password must be changed, and the Configuration Utility reached over HTTPS, before the NSIP is exposed.

How to login to the lab environment
Once logged in at the self-paced portal, click the Start lab button to launch a connection to published XenCenter.
Step 3. On the Add New Server screen enter the XenServer IP address provided on the portal and in the Password field enter the password provided on the portal. The user name will always be root.
Module 1 - Exercise 1: Initial Configuration
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
Estimated time to complete this lab: 20 minutes.
Step 1. In XenCenter, go to the networking tab of each NetScaler and confirm that the MAC address is correct, since it determines licensing.
NS10_HA1: 06:e0:89:e0:b0:fd
NS10_HA2: 22:64:cc:9b:ea:aa
Step 2. Go to the console tab of the NS10_HA1 and NS10_HA2 virtual machines and set the following Initial Network Address Configuration:
NS10_HA1:
IP Address: 192.168.10.220
Netmask: 255.255.255.0
Gateway: 192.168.10.1
NS10_HA2:
IP Address: 192.168.10.225
Netmask: 255.255.255.0
Gateway: 192.168.10.1
Step 3. After the NetScaler VMs reboot, select the Win7Client VM and click the Console tab.
Step 4. Select the Send Ctrl+Alt+Del (Ctrl+Alt+Insert) button in the lower left hand corner of XenCenter.
Step 5. Login as
Username: training\administrator
Password: Citrix123
Step 6. Open Internet Explorer and navigate to http://192.168.10.220 . The NetScaler Configuration Utility is displayed.
Step 7. Login as
Username: nsroot
Password: nsroot
Step 8. On the bottom of the screen, select Setup Wizard.
Steps 9-12. Click Next. On the Choose Application screen, click Next. Click Finish on the Summary screen. Then click Exit to close the Setup Wizard.
Step 13. On the top right side of the screen, save your configuration by clicking on the Save button.
Steps 14-16.
Netmask: 255.255.255.0
Step 17. On both nodes, use the CLI to copy the new license file to the /nsconfig/license directory. Select the NS10_HA1 virtual machine and click on the Console tab. If you do not see the login: prompt, hit the Enter key once or twice.
Login as
Username: nsroot
Password: nsroot
At the NetScaler prompt, type shell.
Step 18. You are now in the shell of the NetScaler. Type the following command and hit the Enter key:
cp /var/license_backup/VPX_1000.lic /nsconfig/license/
Steps 19-25. Type reboot warm to reboot the NetScaler. Type Y and hit the Enter key to confirm you want to restart the NetScaler.
Step 26. Navigate to System > Settings > Configure basic features. Enable all features except HTTP Compression, Content Filter, Integrated Caching, and Application Firewall. Click OK.
Step 27. Next we will configure a DNS Name Server on the NetScaler for name resolution. NetScaler can be configured as a DNS Name server, but in this exercise we will point to an external DNS server. Navigate to DNS > Name Servers. Click Add.
Steps 28-32. Login as
Username: nsroot
Password: nsroot
Steps 33-35. Click Add. Enter the IP of NS10_HA2 (192.168.10.225). Enable "Login credentials for remote system are different from self node".
Username: nsroot
Password: nsroot
Steps 36-38. Bring up the PuTTY window again. Run the following command (hit Enter a few times to get the CLI moving):
Steps 39-40. Run the following command:
> sh ns feature | more
Confirm that SSL Offloading and Load Balancing are enabled. Close out the PuTTY window.
END OF EXERCISE
Module 2 - Exercise 1: Load Balancing
Step-by-step guidance
The lab environment required for this exercise is as follows:
Step 2. Click Add. Enter the following configuration:
Server Name: Blue_Server
IP Address: 192.168.10.205
Step 3. Click Create.
Step 4. Repeat steps 2-3 to create the following servers:
Red_Server 192.168.10.215
Green_Server 192.168.10.210
Step 5. Create service objects for the servers created in steps 1-4.
Step 6. Enter the following configuration:
Service Name: Blue_Service
Server: Blue_Server (192.168.10.205)
Protocol: HTTP
Port: 80
Step 7. Click Create.
Step 8. Repeat steps 5-6 to create services for the following:
Red_Service 192.168.10.215
Green_Service 192.168.10.210
Step 9. Once you are done, click Close. You should see the following services:
Step 10. Click Create.
Step 11. Open another browser tab and browse to http://192.168.10.216 . Refresh multiple times. The Red, Blue and Green web servers should be load balanced since no persistence is configured.
Step 12. Go to Load Balancing > Services and disable two of the three services.
Steps 13-19. Click Remove. The HTTP monitor expects a 200 OK response code to consider the service state as UP. Click OK. Click OK on the warning, as this only informs you that the default TCP monitor cannot be unbound. Since we are selecting a new HTTP monitor, the health check is still performed.
Step 20. Click Close and Save the configuration.
END OF EXERCISE
Summary
Server, services and load balancing virtual servers for each web server
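Added example, not from the Citrix lab guide: a model of the HTTP monitor bound in steps 13-19 and of the round-robin distribution seen in step 11. The three probe answers are constructed; the service names are the ones created in steps 5-8. It shows why the default TCP monitor is swapped out: a backend that answers on the port but returns a 500 would still be marked UP by TCP.

```python
"""Added example, not from the Citrix lab guide: a model of the HTTP monitor
used in steps 13-19 and of the round-robin distribution seen in step 11.
The three probe answers below are constructed; the service names are the
ones created in steps 5-8."""
from itertools import cycle

# Constructed monitor probe answers (status line + headers), one per service.
PROBES = {
    "Blue_Service": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n\r\n",
    "Green_Service": "HTTP/1.1 500 Internal Server Error\r\n\r\n",
    "Red_Service": "",  # TCP port closed: no answer at all
}


def http_monitor(raw_response: str) -> str:
    """Mimic the HTTP monitor: the service is UP only on a 200 status line."""
    status_line = raw_response.split("\r\n", 1)[0]
    parts = status_line.split(" ")
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return "DOWN"
    return "UP" if parts[1] == "200" else "DOWN"


def tcp_monitor(raw_response: str) -> str:
    """The default TCP monitor only needs the port to answer; the 500 above
    still counts as UP, which is why the exercise swaps it for HTTP."""
    return "UP" if raw_response else "DOWN"


def service_states(probes, monitor=http_monitor, disabled=()):
    """State of each service: administratively disabled, else monitor result."""
    return {
        name: "OUT OF SERVICE" if name in disabled else monitor(answer)
        for name, answer in probes.items()
    }


def round_robin(states, requests):
    """Distribute `requests` requests over UP services with no persistence.
    Returns the empty list when nothing is UP (the vserver itself goes DOWN)."""
    up = [name for name, state in states.items() if state == "UP"]
    if not up:
        return []
    ring = cycle(up)
    return [next(ring) for _ in range(requests)]


if __name__ == "__main__":
    states = service_states(PROBES)
    print(states)
    print(round_robin(states, 4))
```

Disabling two of the three services in step 12 is the `disabled=` case: every remaining request lands on the one service left UP.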
Module 3 - Exercise 1: Content Switching
Step-by-step guidance
The lab environment required for this exercise is as follows:
Step 14. Click Add. Add a policy with the following configuration:
Name: Home_Policy
Click Configure.
Steps 15-18. Create the remaining policies in the same way:
Name: Blue_Policy
Expression: HTTP.REQ.URL.CONTAINS("blue.php")
Name: Green_Policy
Expression: HTTP.REQ.URL.CONTAINS("green.php")
Step 19. Click Add. Configure the following:
Name: RBG_CSW
IP Address: 192.168.10.217
Protocol: HTTP
Port: 80
Step 20. Note: The content switching virtual server's state is UP although no policies have been bound. Browse to http://192.168.10.217 . The service is unavailable when browsing to the address.
Step 21. Open the RBG_CSW virtual server. Click Insert Policy.
Step 23. Click the dropdown arrow under the GoTo Expression column and select the blank option.
Step 24. Select the dropdown arrow under the Target column and select RBG_Home.
Step 25. Double-click the text box under the Priority column and change the priority to 120.
Step 27. A new DNS record was created for 192.168.10.217. Open another browser tab and browse to http://web2.training.lab . Refresh multiple times. The Red, Blue and Green web servers should be load balanced in a round robin manner. This is because your request hit the Default policy and was switched to RBG_Default, which has no persistence configured.
Step 28. Change the request URL to http://web2.training.lab/home.php . Note: Hitting refresh multiple times will keep you on the same server since your request was sent to the RBG_Home virtual server, which has CookieInsert configured for persistence.
Step 30. You can view the hit counts increase in the Content Switching > Policies node or when you open the content switching virtual server.
END OF EXERCISE
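Added example, not from the Citrix lab guide: a model of how RBG_CSW picks a target from its bound policies. Each policy expression is reduced to what HTTP.REQ.URL.CONTAINS("...") does, a case-sensitive substring test over the path and the query string, evaluated in ascending priority with the blank GoTo of step 23 stopping at the first match. Assumptions: Home_Policy matches "home.php", the Blue and Green targets are named RBG_Blue and RBG_Green, and Blue/Green sit at priorities 100 and 110 (the page names only RBG_Home and RBG_Default and gives only Home_Policy's priority).

```python
"""Added example, not from the Citrix lab guide: content switching policy
evaluation for RBG_CSW. Assumed: Home_Policy expression "home.php", target
names RBG_Blue/RBG_Green, priorities 100/110 for Blue/Green."""
from dataclasses import dataclass, field


@dataclass
class CSPolicy:
    name: str
    needle: str      # argument of HTTP.REQ.URL.CONTAINS(...)
    target: str      # load balancing vserver to switch to
    priority: int    # lower number is evaluated first


@dataclass
class CSVserver:
    default_target: str
    policies: list
    hits: dict = field(default_factory=dict)   # per-policy hit counts (step 30)
    path_only: bool = False                     # match on path, ignore query

    def select(self, url: str) -> str:
        """Evaluate bound policies in ascending priority. With the blank GoTo
        expression of step 23 the first match ends evaluation; no match goes
        to the default LB vserver. CONTAINS is case-sensitive."""
        haystack = url.split("?", 1)[0] if self.path_only else url
        for pol in sorted(self.policies, key=lambda p: p.priority):
            if pol.needle in haystack:
                self.hits[pol.name] = self.hits.get(pol.name, 0) + 1
                return pol.target
        self.hits["(default)"] = self.hits.get("(default)", 0) + 1
        return self.default_target


def rbg_csw() -> CSVserver:
    """RBG_CSW as bound in the exercise (Home_Policy moved to priority 120)."""
    return CSVserver(
        default_target="RBG_Default",
        policies=[
            CSPolicy("Blue_Policy", "blue.php", "RBG_Blue", 100),
            CSPolicy("Green_Policy", "green.php", "RBG_Green", 110),
            CSPolicy("Home_Policy", "home.php", "RBG_Home", 120),
        ],
    )


if __name__ == "__main__":
    cs = rbg_csw()
    for url in ("/", "/blue.php", "/home.php", "/home.php?next=blue.php"):
        print(url, "->", cs.select(url))
    print(cs.hits)
```

The last request in the demo is the check worth running against any CONTAINS-based policy: because HTTP.REQ.URL includes the query string, /home.php?next=blue.php is switched to the Blue vserver, not RBG_Home. Matching on the path alone (`path_only=True` here; HTTP.REQ.URL.PATH in NetScaler syntax) closes that.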
Module 3 - Exercise 2: SSL Offload
Step-by-step guidance
The lab environment required for this exercise is as follows:
Step 1. Open the NetScaler Configuration Utility. Navigate to SSL > Create CSR (Certificate Signing Request).
Step 3. Select the wildcard.req file and click Download.
Steps 11-12. Click Upload. Browse to C:\Users\administrator.TRAINING\Documents . Select the certnew.cer file and upload it to the appliance.
Step 13. Click Install. Then click Close.
Step 14. Navigate to Content Switching > Virtual Servers. Open the RBG_CSW virtual server and unbind all the content switching policies.
Steps 15-16. Note that the virtual server is in a DOWN state since it has no certificate bound.
Step 17. Double-click the virtual server and select the SSL Settings tab.
Step 18. Note: This binds the certificate to the virtual server. The state is now UP.
END OF EXERCISE
Module 5 - Exercise 1: HTTP header modification
Step-by-step guidance
The lab environment required for this exercise is as follows:
Step 1. We will complete a simple load balancing configuration to be used in our rewrite examples. In this lab, we will configure additional servers and services for an Apache web server farm. Open IE and browse to http://192.168.10.220 . Navigate to Load Balancing -> Servers and configure the following:
Name: GENTOO_3
IP Address: 192.168.10.15
Steps 2-4. Create the service for this server with the following:
Protocol: HTTP
Port: 80
Step 5. Apache_MySQL_3 has been provisioned with a simple PHP page that outputs all the server variables and headers included in the HTTP request. This page is served as the default 404 Not Found HTML. For this lab, we will use this server to visually inspect the information the backend server received after the traffic is processed by the NetScaler appliance (it is a lab diagnostic only; a page that echoes every request header back to the caller does not belong on a production host). In IE, browse to a nonexistent URL on the new HTTP_vserver:
http://192.168.10.218/nonexistenturl/
Step 10. Open a browser and navigate to the same URL to confirm that the header is not yet inserted.
http://192.168.10.218/nonexistenturl/
Step 11. Next, create the rewrite action. Navigate to Rewrite > Actions. Click on Add and configure the following:
Name: InserClientIP
Type: INSERT_HTTP_HEADER
Header Name: Client-IP
String Expression: CLIENT.IP.SRC
Click Create. Then click Close.
Step 15. Next, we will create a Response Rewrite policy to obscure some of the information sent by the backend server.
Step 16. To visualize the request and response headers received, open a new IE instance and display the ieHTTPHeaders. Note, the add-on is already installed and enabled. Navigate to the Tools menu and select Display ieHTTPHeaders.
Steps 17-20. Click Create. Then click Close.
Step 21. Next, create a rewrite policy. Since we need to perform the action on every response, use a true expression. Navigate to Rewrite > Policies. Click Add. Configure the following settings:
Name: ReplaceServerHeader_pol
Action: ReplaceServerHeader
Expression: TRUE
Click Create.
END OF EXERCISE
Summary
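Added example, not from the Citrix lab guide: the two rewrites of this exercise as plain functions, the Client-IP insertion on the request (step 11) and the Server header replacement on the response (steps 15-21), together with the check a backend should make before it trusts the inserted header. The header lists are constructed; 192.168.10.90 is the shared SNIP from the topology table; the replacement value "WebServer" and the step of dropping a client-supplied Client-IP before inserting ours are assumptions, since the page shows neither.

```python
"""Added example, not from the Citrix lab guide: model of the request and
response rewrites in this exercise. Assumed: replacement value "WebServer",
and stripping a client-sent Client-IP before the insert."""
from ipaddress import ip_address

NETSCALER_SNIPS = {"192.168.10.90"}   # addresses the backend sees as its TCP peer


def insert_client_ip(headers, client_ip):
    """INSERT_HTTP_HEADER Client-IP CLIENT.IP.SRC. INSERT adds a header
    without removing an existing one, so a client that sends its own
    Client-IP would otherwise leave two copies in the request; the assumed
    extra step here drops the client's copy first. Invalid addresses raise."""
    kept = [(name, value) for name, value in headers if name.lower() != "client-ip"]
    return kept + [("Client-IP", str(ip_address(client_ip)))]


def replace_server_header(headers, new_value="WebServer"):
    """REPLACE on HTTP.RES.HEADER("Server"): the first Server header gets the
    new value, duplicates are dropped, responses without one are untouched."""
    out, replaced = [], False
    for name, value in headers:
        if name.lower() != "server":
            out.append((name, value))
        elif not replaced:
            out.append(("Server", new_value))
            replaced = True
    return out


def client_ip_seen_by_backend(headers, peer_ip, trusted=NETSCALER_SNIPS):
    """What the backend's logging or rate limiting should use: Client-IP only
    when the connection really came from a NetScaler SNIP, else the peer IP.
    A request that reaches the backend directly cannot forge its source."""
    if peer_ip in trusted:
        for name, value in headers:
            if name.lower() == "client-ip":
                return value
    return peer_ip


if __name__ == "__main__":
    request = [("Host", "web3.training.lab"), ("Client-IP", "10.9.9.9")]  # spoof attempt
    print(insert_client_ip(request, "192.168.10.50"))
    print(replace_server_header([("Server", "Apache/2.2.22 (Gentoo)")]))
    print(client_ip_seen_by_backend([("Client-IP", "10.9.9.9")], "192.168.10.77"))
```

The last call is the case the exercise's PHP dump page makes visible: a client that talks to 192.168.10.15 directly, bypassing the VIP, can put anything in Client-IP, so the backend must key its trust on the TCP peer rather than on the header's presence.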
Module 5 - Exercise 2: HTTP to HTTPs redirection and URL body rewrite
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. Linux Server 1 : Apache_MySQL_1 - (GENTOO_1)
2. Linux Server 2 : Apache_MySQL_2 - (GENTOO_2)
3. Linux Server 3 : Apache_MySQL_3 - (GENTOO_3)
4. Web Server Blue: (WebBlue)
5. Web Server Green: (WebGreen)
6. Web Server Red: (WebRed)
7. SQLServer
8. NetScaler VPX: (NS10_HA1)
9. NetScaler VPX: (NS10_HA2)
10. Windows 7 workstation: (Win7Client)
Estimated time to complete this lab: 40 minutes.
Step 4. Create a responder action that redirects to a secure URL. Configure the following settings:
Name: RedirectToSecureSite
Type: Redirect
Target: "https://" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY
Click Create. Then click Close.
Step 5. Next, create a responder policy to trigger the action. Navigate to Responder > Policies. Click Add. Configure the following settings:
Name: RedirectToSecureSite_pol
Action: RedirectToSecureSite
Expression: true
Since this will be bound to HTTP_vserver, use a true expression.
Click Create. Then click Close.
Step 6. Navigate to Load Balancing > Virtual Servers. Double-click the HTTP_vserver and select the Policies tab. Under the Policies tab, select the Responder tab. Select Insert Policy and bind this policy using the default priority. Click OK.
Step 7. Open a browser instance and navigate to the VIP: http://192.168.10.218 . Use the ieHTTPHeaders to verify the redirect is triggered. Why is the page not displayed?
Steps 8-9. Since we do not have a virtual server listening on port 443, the redirect does not complete properly. Let's proceed to create a new SSL vserver. Navigate to Load Balancing -> Virtual Servers. Click Add. Create the vserver with the following configuration:
Name: HTTPs_vserver
IP Address: 192.168.10.218
Protocol: SSL
Port: 443
Ensure that you bind the same service: GENTOO_3_HTTP_TCP_80. This is SSL offload: only the client-to-VIP leg is encrypted, and the NetScaler still talks to GENTOO_3 in plain HTTP on port 80.
Step 10. Since this is an SSL vserver, we need to bind a server certificate. Select the SSL Settings tab. Select the wildcardcert and click Add to bind this certificate to the vserver. Click Create to complete the configuration.
Step 11. Click Close. Attempt to test the responder policy by navigating to the HTTP URL: http://192.168.10.218/phpmyadmin . Since we are not using an FQDN, a certificate warning is displayed. Proceed to accept the warning. The default content should be displayed over a secure channel (https://...).
Step 12. To avoid this certificate warning, let's re-issue the request using the FQDN that resolves to the VIP: http://web3.training.lab/phpmyadmin . The redirect should complete without any warning message.
Step 15. In order to get through the initial login, we need to rewrite the redirect the backend server is sending so that it carries the FQDN for the VIP. To do this, we will use a Rewrite Response policy. Observe the header trace captured. The Location header has the wrong information.
Step 16. Proceed to create a Rewrite Action with the following configuration:
Name: ReplaceLocationHeader
Type: Replace
Expression to choose: HTTP.RES.HEADER("Location")
String expression for replacement: "https://web3.training.lab" + HTTP.RES.HEADER("Location").TYPECAST_HTTP_URL_T.PATH_AND_QUERY
The above expression takes the Location header value in the response, keeps only its path and query, and replaces the hardcoded backend IP address with the VIP FQDN.
Click Create. Then click Close.
Step 17. Next, create the rewrite policy. Navigate to Rewrite > Policies. Configure the policy as follows:
Name: ReplaceRedirect_pol
Action: ReplaceLocationHeader
Use an expression that is true only for responses that carry the header, for example HTTP.RES.HEADER("Location").EXISTS, so the action is not attempted on responses without one.
Click Create. Then click Close.
Step 18. Bind the rewrite policy to the HTTPs_vserver load balanced virtual server. Ensure that you select the Response queue, otherwise the policy will not show up in the list.
Step 20. Close the ieHTTPHeaders window. Click the home icon on the top left side of the phpMyAdmin site. Once on the home page, scroll to the bottom of the page and hover the mouse pointer over the "here" hyperlink. There is one more problem with this configuration. Unfortunately, some of the links are hardcoded by the application and the URL includes the backend server IP. Notice the IP in the URL in the screenshot to the right. We need to configure a rewrite policy to modify the response body and replace this static value with the correct FQDN.
Step 21. Let's configure another rewrite policy to adjust the body. First, configure the rewrite action as follows:
Name: Rewrite_Body_HTTP_HTTPs
Type: REPLACE_ALL
Expression to choose: HTTP.RES.BODY(100000)
String expression: "https://web3.training.lab"
Pattern: http://192.168.10.15
Only the first 100000 bytes of each response are in scope for HTTP.RES.BODY(100000), so a link further down a larger page is not rewritten.
Click Create. Then click Close.
Steps 22-24. Next, bind the policy to the HTTPs_vserver response queue using the default priority. Make sure that you select NEXT for the Goto Expression on the first policy, otherwise the policy with the lower precedence (the higher priority number) will not be evaluated. Test the application one more time by refreshing the phpMyAdmin page. The URL should now be rewritten and the web application is correctly SSL offloaded through NetScaler.
END OF EXERCISE
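Added example, not from the Citrix lab guide: the responder redirect (step 4), the Location rewrite (step 16) and the body rewrite (step 21) of this exercise as functions, each with the boundary case it has. The FQDN, VIP and backend address are the lab's; the set of hostnames the VIP is allowed to redirect to, the assumption that ReplaceRedirect_pol fires only when a Location header exists, and the sample responses are constructed.

```python
"""Added example, not from the Citrix lab guide: the three fixes of this
exercise modelled in Python. Assumed: ALLOWED_HOSTS, and that the Location
rewrite policy only matches responses carrying a Location header."""
from urllib.parse import urlsplit

FQDN = "web3.training.lab"
VIP = "192.168.10.218"
BACKEND_URL = "http://192.168.10.15"       # Pattern of Rewrite_Body_HTTP_HTTPs
BODY_WINDOW = 100000                       # HTTP.RES.BODY(100000)
ALLOWED_HOSTS = {FQDN, VIP}                # assumption: names this VIP serves


def redirect_to_https(host, path_and_query):
    """RedirectToSecureSite: "https://" + HTTP.REQ.HOSTNAME + PATH_AND_QUERY.
    The Host header is client-supplied and is copied into Location verbatim,
    so this version only builds the redirect for names the VIP owns and
    returns None otherwise (the lab's policy redirects unconditionally)."""
    if host.lower() not in ALLOWED_HOSTS:
        return None
    return "https://" + host + path_and_query


def fix_location(location):
    """ReplaceLocationHeader: keep PATH_AND_QUERY of whatever the backend
    sent (absolute with its own IP, or relative) and put the FQDN in front."""
    parts = urlsplit(location)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return "https://" + FQDN + path


def fix_body(body: bytes) -> bytes:
    """Rewrite_Body_HTTP_HTTPs: REPLACE_ALL of the backend URL inside
    HTTP.RES.BODY(100000). Only the first 100000 bytes are in scope, so a
    link after that point, or one straddling the boundary, is left as is."""
    head, tail = body[:BODY_WINDOW], body[BODY_WINDOW:]
    return head.replace(BACKEND_URL.encode(), b"https://" + FQDN.encode()) + tail


def apply_response_queue(headers, body, first_goto="NEXT"):
    """Response-side evaluation of steps 22-24: ReplaceRedirect_pol first,
    Rewrite_Body_HTTP_HTTPs second. When the first policy matches and its
    GoTo is blank (END), the second is never evaluated."""
    first_matched = any(name.lower() == "location" for name, _ in headers)
    new_headers = [
        (name, fix_location(value) if name.lower() == "location" else value)
        for name, value in headers
    ]
    if first_matched and first_goto != "NEXT":
        return new_headers, body
    return new_headers, fix_body(body)


if __name__ == "__main__":
    print(redirect_to_https(FQDN, "/phpmyadmin"))
    print(fix_location("http://192.168.10.15/phpmyadmin/index.php?token=abc"))
    print(apply_response_queue([("Location", "http://192.168.10.15/p")],
                               b'<a href="http://192.168.10.15/">here</a>'))
```

`fix_body` on a page longer than 100000 bytes shows the limit named in step 21, and `apply_response_queue(..., first_goto="")` reproduces the failure step 24 warns about: the Location header is fixed but the body still points at the backend IP.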
Summary
Key Takeaways
Revision History
Revision  Change Description  Updated By     Date
1.0       Original Version    Curtis Kegler  February 2013
About Citrix
Citrix Systems, Inc. (NASDAQ:CTXS) is the leading provider of virtualization, networking and software as a service technologies for more than 230,000 organizations worldwide. Its Citrix Delivery Center, Citrix Cloud Center (C3) and Citrix Online Services product families radically simplify computing for millions of users, delivering applications as an on-demand service to any user, in any location on any device. Citrix customers include the world's largest Internet companies, 99 percent of Fortune Global 500 enterprises, and hundreds of thousands of small businesses and prosumers worldwide. Citrix partners with over 10,000 companies worldwide in more than 100 countries. Founded in 1989, annual revenue in 2008 was $1.6 billion.
http://www.citrix.com
2012 Citrix Systems, Inc. All rights reserved. Citrix, Citrix Delivery Center, Citrix
Cloud Center, XenApp, XenServer, NetScaler, XenDesktop, Citrix Repeater,
Citrix Receiver, Citrix Workflow Studio, GoToMyPC, GoToAssist, GoToMeeting,
GoToWebinar, GoView and HiDef Corporate are trademarks of Citrix Systems, Inc.
and/or one or more of its subsidiaries, and may be registered in the United States
Patent and Trademark Office and in other countries. All other trademarks and
registered trademarks are property of their respective owners.