NS Admin Guide

Citrix NetScaler Administration Guide
Citrix® NetScaler® 9.2

Copyright and Trademark Notice
© CITRIX SYSTEMS, INC., 2010. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR
TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION,
TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC.
ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED
WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE
OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL.
CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR
APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT
TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS
OTHERWISE NOTED.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits
for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against
harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-
frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio
communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be
required to correct the interference at their own expense.
Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements
for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to
correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by
the NetScaler Request Switch™ 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by
using one or more of the following measures:
Move the NetScaler equipment to one side or the other of your equipment.
Move the NetScaler equipment farther away from your equipment.
Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your
equipment are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the
product.
BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, WANScaler, Citrix XenApp, and NetScaler
Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft,
PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft
Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun
and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks
or trademarks of their respective holders.
Software covered by the following third party copyrights may be included with this product and will also be subject to the software license
agreement: Copyright 1998 © Carnegie Mellon University. All rights reserved. Copyright © David L. Mills 1993, 1994. Copyright ©
1992, 1993, 1994, 1997 Henry Spencer. Copyright © Jean-loup Gailly and Mark Adler. Copyright © 1999, 2000 by Jef Poskanzer. All
rights reserved. Copyright © Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All
rights reserved. Copyright © 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright ©
1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright © UNIX System Laboratories, Inc. Copyright © 2001 Mark R V
Murray. Copyright 1995-1998 © Eric Young. Copyright © 1995,1996,1997,1998. Lars Fenneberg. Copyright © 1992. Livingston
Enterprises, Inc. Copyright © 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright ©
1991-2, RSA Data Security, Inc. Created 1991. Copyright © 1998 Juniper Networks, Inc. All rights reserved. Copyright © 2001, 2002
Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 1999-
2001© The Open LDAP Foundation. All Rights Reserved. Copyright © 1999 Andrzej Bialecki. All rights reserved. Copyright © 2000
The Apache Software Foundation. All rights reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights
Reserved. Copyright (c) 1997-2004 University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c)
2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt
Thomas. All rights reserved. Copyright © 2000 Jason L. Wright. Copyright © 2000 Theo de Raadt. Copyright © 2001 Patrik Lindergren.
All rights reserved.
Last Updated: June 2010
C ONTENTS
Contents
Preface
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i
New in This Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
Formatting Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
Related Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv
Getting Service and Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .v
Chapter 1 Citrix NetScaler Authentication and Authorization

Defining Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
Defining Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Command Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
Resetting the Default Administrator (nsroot) Password . . . . . . . . . . . . . . . . . . . . .11
Example of Authentication and Authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Configuring External User Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Configuring and Binding Authentication Policies . . . . . . . . . . . . . . . . . . . . . . .17
Configuring LDAP Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Configuring RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Configuring TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Configuring NT4 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Chapter 2 SNMP
Importing MIB Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Defining SNMP Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Configuring SNMP V1 and V2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Adding an SNMP Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Removing an SNMP Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Configuring SNMP Traps and Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
iv Citrix NetScaler Administration Guide
Configuring SNMP V3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

Salient Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
SNMPv3 Security Entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Configuring SNMP V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Chapter 3 Audit Server Logging

Configuring the Citrix NetScaler Audit Server Log . . . . . . . . . . . . . . . . . . . . . . . .50
Configuring Global Audit Server Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . .51
Configuring Audit Server Action and Policy . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Globally Binding the Audit Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Configuring Policy-Based Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Installing the Audit Server Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Installing Audit Server Files on the Linux Operating System . . . . . . . . . . . . . .56
Uninstalling Audit Server Files on the Linux Operating System. . . . . . . . . . . .56
Installing Audit Server Files on the FreeBSD Operating System . . . . . . . . . . .57
Uninstalling Audit Server Files on the FreeBSD Operating System . . . . . . . . .57
Installing Audit Server Files on the Windows Operating System . . . . . . . . . . .58
Uninstalling Audit Server Files on the Windows Operating System. . . . . . . . .58
Audit Server Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Configuring Audit Server Logging on a Server system. . . . . . . . . . . . . . . . . . . . . .60
Defining Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Defining Log Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Default Settings for the Log Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Adding the IP Addresses of the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Verifying Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Starting Audit Server Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Stopping Audit Server Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Sample Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Checklist for Configuring Audit Server Logging. . . . . . . . . . . . . . . . . . . . . . . .66
Configuring Audit Server Logging for a Commonly Used Deployment Scenario.67
Chapter 4 Web Server Logging

How Web Server Logging Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Configuring Web Server Logging Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Enabling or Disabling Web Server Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Modifying the Default Buffer Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Displaying Web Server Logging Information . . . . . . . . . . . . . . . . . . . . . . . . . .73
System Requirements for Web Server Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Contents v
Installing the NSWL files on the Logging System . . . . . . . . . . . . . . . . . . . . . . . . .75

Installing NSWL on a Solaris Operating System . . . . . . . . . . . . . . . . . . . . . . . .75
Installing NSWL on a Linux Operating System. . . . . . . . . . . . . . . . . . . . . . . . .76
Installing NSWL on a FreeBSD Operating System . . . . . . . . . . . . . . . . . . . . . .76
Installing NSWL on a MAC Operating System . . . . . . . . . . . . . . . . . . . . . . . . .77
Installing NSWL on a Windows Operating System. . . . . . . . . . . . . . . . . . . . . .78
Installing NSWL on an AIX Operating System . . . . . . . . . . . . . . . . . . . . . . . . .79
NSWL Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Configuring Web Server Logging on the Logging System . . . . . . . . . . . . . . . . . . .80
Modifying the Web Server Log Configuration File . . . . . . . . . . . . . . . . . . . . . .81
Defining Log Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Adding the IP Addresses of the NetScaler . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Verifying the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Starting Web Server Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Stopping Web Server Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Sample Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Log File Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Custom Log Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Apache Log Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Checklist for Configuring Web Server Logging . . . . . . . . . . . . . . . . . . . . . . . . . .100
Chapter 5 Advanced Configurations

Configuring Clock Synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Configuring Clock Synchronization Manually. . . . . . . . . . . . . . . . . . . . . . . . .102
Configuring Clock Synchronization Using the Configuration Utility or the CLI .
103
Path MTU Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
The NetScaler in Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
The NetScaler in End-Point Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Enabling or Disabling Path MTU Discovery . . . . . . . . . . . . . . . . . . . . . . . . . .107
Configuring TCP Window Scaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Configuring Selective Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Clearing the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Viewing the HTTP Band Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Configuring HTTP Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Configuring TCP Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Chapter 6 Reporting Tool

vi Citrix NetScaler Administration Guide
Using the Reporting Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119

Working with Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Working with Charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
How Data Collection Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
Stopping and Starting the Data Collection Utility . . . . . . . . . . . . . . . . . . . . . .131
Creating a Data Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
P REFACE
Preface
Before you begin to manage and monitor your Citrix NetScaler, take a few
minutes to review this chapter and learn about related documentation, other
support options, and ways to send us feedback.
In This Preface
About This Guide
New in This Release
Audience
Formatting Conventions
Related Documentation
Getting Service and Support
Documentation Feedback
About This Guide

The Citrix NetScaler Administration Guide provides a conceptual reference and
instructions for managing and monitoring the NetScaler by using built-in
features, such as command policies, SNMP, Audit server Logging, Web Server
Logging, and NTP.
This guide provides the following information:
• Chapter 1, “Citrix NetScaler Authentication and Authorization.” Configure
authentication and authorization to manage access to the NetScaler and
different parts of the NetScaler configuration.
• Chapter 2, “SNMP.” Learn how SNMP works with a NetScaler and how to
configure SNMP V1, V2, and V3 on the NetScaler.
• Chapter 3, “Audit Server Logging.” Configure the NetScaler audit server
log to log and monitor the NetScaler states and status information. Also,
learn how to configure audit server logging on a server system and for a
deployment scenario.
ii Citrix NetScaler Administration Guide
• Chapter 4, “Web Server Logging.” Configure Web server logging to

maintain a history of the page requests that originate from the NetScaler.
• Chapter 5, “Advanced Configurations.” Learn how to set advanced
NetScaler configurations, such as NTP, path MTU, HTTP and TCP
profiles.
• Chapter 6, “Reporting Tool.” Learn how to use the Reporting tool to
display performance statistics as reports with graphs that are based on
statistics collected by the nscollect utility.
New in This Release

NetScaler nCore Technology uses multiple CPU cores for packet handling and
greatly improves the performance of many NetScaler features. Release 9.2 adds
nCore support for many additional features, including load balancing and virtual
private networks (VPNs).
In Release 9.2, the following new features are supported:
• HTTP Band Statistics. The NetScaler now displays statistics associated
with HTTP request and response sizes. Also you can set the band size for
HTTP request or response size statistics. For more information, see
“Viewing the HTTP Band Statistics,” on page 110.
• HTTP and TCP Profiles. The NetScaler now supports HTTP and TCP
profiles, which are a collection of HTTP and TCP parameter settings,
respectively. HTTP and TCP profiles can be applied to any TCP, HTTP, or
SSL virtual server or service. You can use built-in HTTP and TCP profiles
or you can configure custom profiles. For more information, see
“Configuring HTTP Profiles,” on page 112 and “Configuring TCP
Profiles,” on page 114.
• Exporting and Importing Custom Reports. With the Reporting tool, you
can now export or import custom reports for the purpose of sharing reports
with other administrators. For more information, see “Exporting and
Importing Custom Reports,” on page 123.
• Exporting NetScaler Performance Statistics. You can also export chart data
to Excel in a comma-separated value (CSV) format by using the Reporting
tool. For more information, see “Exporting Chart Data to Excel,” on page
128.
• Options for Customizing and Viewing Charts that Display NetScaler
Performance Statistics. You now have new Reporting tool options for
customizing and viewing charts, which include changing the scale of the
left and right y-axes, changing the background color and text of a chart and
Preface iii
its plot area, zooming in or zooming out of a chart, viewing numeric data
for a graph, and scrolling through time in a chart. For more information, see
“Viewing a Chart,” on page 125.
For a summary of the new features and remaining unsupported features, see the
Citrix NetScaler 9.2 Release Notes.
Audience
This guide is intended for the following audience:
• system administrators
• network administrators
The concepts and tasks described in this guide require you to have a basic
understanding of network design, operation, and terminology.
This documentation uses the following formatting conventions.
Convention Meaning
Boldface Information that you type exactly as shown (user input);
elements in the user interface.
Italics Placeholders for information or parameters that you
provide. For example, FileName in a command means you
type the actual name of a file. Also, new terms, and words
referred to as words (which would otherwise be enclosed in
quotation marks).
Monospace System output or characters in a command line. User input
and placeholders also are formatted using monspace text.
[ brackets ] Optional items in command statements. For example, in
the following command, [-range
positiveInteger] means that you have the option of
entering a range, but it is not required:
add lb vserver name serviceType IPAddress
port [-range positiveInteger]
Do not type the brackets themselves.

iv Citrix NetScaler Administration Guide
Convention Meaning
| (vertical bar) A separator between options in braces or brackets in
command statements. For example, the following indicates
that you choose one of the following load balancing
methods:
lbMethod = ( ROUNDROBIN | LEASTCONNECTION |
LEASTRESPONSETIME | URLHASH | DOMAINHASH |
DESTINATIONIPHASH | SOURCEIPHASH |
SRCIPDESTIPHASH | LEASTBANDWIDTH |
LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH |
LRTM | CALLIDHASH | CUSTOMLOAD )
Related Documentation
A complete set of documentation is available on the Documentation tab of your
NetScaler and from http://support.citrix.com/. (Most of the documents require
Adobe Reader, available at http://adobe.com/.)
To view the documentation
1. From a Web browser, log on to the NetScaler.

2. Click the Documentation tab.
3. To view a short description of each document, hover your cursor over the
title. To open a document, click the title.
Getting Service and Support

Citrix offers a variety of resources for support with your Citrix environment,
including the following:
• The Knowledge Center is a self-service, Web-based technical support
database that contains thousands of technical solutions, including access to
the latest hotfixes, service packs, and security bulletins.
• Technical Support Programs for both software support and appliance
maintenance are available at a variety of support levels.
• The Subscription Advantage program is a one-year membership that gives
you an easy way to stay current with the latest product version upgrades
and enhancements.
• Citrix Education provides official training and certification programs on
virtually all Citrix products and technologies.
Preface v
For detailed information about Citrix services and support, see the Citrix Systems
Support Web site at
http://www.citrix.com/lang/English/support.asp.
You can also participate in and follow technical discussions offered by the experts
on various Citrix products at the following sites:
• http://community.citrix.com
• http://twitter.com/citrixsupport
Documentation Feedback
You are encouraged to provide feedback and suggestions so that we can enhance
the documentation. You can send email to the following alias or aliases, as
appropriate. In the subject line, specify “Documentation Feedback.” Be sure to
include the document name, page number, and product release version.
• For NetScaler documentation, send email to nsdocs_feedback@citrix.com.
• For Command Center documentation, send email to
ccdocs_feedback@citrix.com.
• For Access Gateway documentation, send email to
agdocs_feedback@citrix.com.
You can also provide feedback from the Knowledge Center at http://
support.citrix.com/.
To provide feedback from the Knowledge Center home page
1. Go to the Knowledge Center home page at http://support.citrix.com/.

2. On the Knowledge Center home page, under Products, expand NetScaler,
and then click the Netscaler release for which you want to provide
feedback..
3. On the Documentation tab, click the guide name, and then click Article
Feedback.
4. On the Documentation Feedback page, complete the form, and then click
Submit.
vi Citrix NetScaler Administration Guide
C HAPTER 1
Citrix NetScaler Authentication and

Authorization
NetScaler authentication and authorization functions are of two basic types.The

user and group functions allow you to define who has access to the NetScaler.
Command policies allow you to define what parts of the NetScaler configuration
a user or group is permitted to access and modify. In other words, command
policies regulate which commands, command groups, and other elements
NetScaler users and groups are permitted to use.
To configure authentication and authorization, you first define the users who have
access to the NetScaler. After you have defined the users, you can organize them
into groups. You then configure command policies to define the types of access,
and assign the policies to users and/or groups. You can also configure the
NetScaler appliance to authenticate its users by using an external authentication
server.
In This Chapter
Defining Users
Defining Groups
Command Policies
Resetting the Default Administrator (nsroot) Password
Example of Authentication and Authorization
Configuring External User Authentication
Defining Users
Once you have changed the default password, no user can access the NetScaler
until you create an account for that user. After you have defined your users by
creating accounts for them, you might have to change passwords or remove user
accounts.
2 Citrix NetScaler Administration Guide
Creating a User Account

To create a user account, you simply assign a user name and password. You use
the parameters described in the following table.
Parameter Specifies
User Name Name that the user enters to request
access.
Password Password that the user enters to request
access.
To create a user account, use either of the following procedures.
To add a user account using the configuration utility
1. In the navigation pane, expand System and click Users.

2. On the System Users page, Click Add.
3. In the Create System User dialog box, in the User Name text box, type a
name for the user (for example, johnd).
4. In the Password text box, type a password to assign to the user.
5. In the Confirm Password text box, again type the password that you have
typed in the Password text box.
6. Click Create and click Close.
To add a user account using the NetScaler command line
At the NetScaler command prompt, type:

add system user userName
Example
add system user johnd
Changing a User Password

The following table describes the parameter you set to change a user password on
the NetScaler.
Parameter Specifies
Password The password you assign for the user
account.
Chapter 1 Citrix NetScaler Authentication and Authorization 3
To change a user password, use either of the following procedures.
To change the user password using the configuration utility

2. On the System Users page, select the user account for which you want to
change the password (for example, johnd) and click Change Password.
3. In the Password text box, type the new password.
4. In the Confirm Password text box, type the new password again.
5. Click OK.
To change the user password using the NetScaler command line

set system user userName newpassword
Example
set system user johnd johnd1
Removing User Accounts

You can remove user accounts if the policy assigned to your account allows you
to do so, or if you log in to the nsroot account. The nsroot account cannot be
removed.
To remove a user account, use either of the following procedures.
To remove a user account using the configuration utility

2. On the System Users page, select the user account that you want to
remove. For example, johnd.
3. Click Remove. The Remove pop-up window appears.
4. Click Yes.
To remove a user using the NetScaler command line

rm system user userName
Example
rm system user johnd
Defining Groups
To define a group, you first create the group, then bind users to the group.
Adding Groups
The following table describes the parameter you set to create a group.
Parameter Specifies
Group Name Name for the group of NetScaler users.
Use either of the following procedures to add a group.
To add a group using the configuration utility
1. In the navigation pane, expand System and click Groups.

2. On the System Groups page, click Add.
3. In the Create System Group dialog box, in the Group Name text box,
type a name for the group (for example, Managers).
4. Click Create, and click Close.
To add a group using the NetScaler command line

add system group groupName
Example
add system group Managers
Binding a User to a Group

You can bind each user account to more than one group. Binding user accounts to
multiple groups may allow more flexibility when applying command policies.
The following table describes the parameter you set to bind a user to a group.
Parameter Specifies
User Name Name for the NetScaler user to be
bound to the group.
To bind a user to a group, use either of the following procedures.

To bind a user to a group using the configuration utility

2. On the System Groups page, select a group and click Open.
3. In the Configure System Group dialog box, under Members section,
select a user you want to bind to the group, from the Available Users list
and click Add.
To bind a user to a group using the NetScaler command line

bind system group groupName userName
Example
bind system group Managers johnd
Removing Groups
All the users and command policies that are currently bound to the group should
be unbound before removing a group.
To remove a group using the configuration utility

2. On the System Groups page, select the group that you want to remove. (for
example, Managers).
3. Click Remove.
4. In the Remove pop-up, click Yes.
To remove a group using the NetScaler command line

rm system group groupName
Example
rm system group Managers
Command Policies
Command policies regulate which commands, command groups, vservers, and
other elements NetScaler users and user groups are permitted to use.
The NetScaler provides a set of built-in command policies, and you can configure
custom policies. To apply the policies, you bind them to user and/or groups.
Here are the key points to keep in mind when defining and applying command
policies.
• No global command policies may be created on the NetScaler. Command
policies must be bound directly to NetScaler users and groups.
• Users or groups with no associated command policies are subject to the
default DENY -ALL command policy, and will therefore be unable to
execute any commands until the proper command policies are bound to
their accounts.
• All users inherit the policies of the groups to which they belong.
• You must assign a priority to a command policy when you bind it to a user
account or group account. This enables the NetScaler to determine which
policy has priority when two or more conflicting policies apply to the same
user or group.
• The following commands are available by default to any user and are
unaffected by any command policies you specify:
help cli, show cli attribute, clear cli prompt,

alias, unalias, batch, source, help, history, man,
quit, exit, whoami, config, set cli mode, unset cli
mode, show cli mode, set cli prompt, and show cli
prompt.
Built-in Command Policies

Four default command policies are available on the NetScaler. The following
table describes them.
Policy Name Allows

read-only Read-only access to all show commands except show
runningconfig, show ns.conf, and the show commands for the
NetScaler command group.
operator Read-only access and access to commands to enable and disable
services and servers or place them in ACCESSDOWN mode.
network Full access except to NetScaler commands, the shell command, and the
show ns.conf and sh runningconfig commands.
superuser Full access. Same privileges as the nsroot user.
Creating Custom Command Policies

Regular expression support is offered for users with the resources to maintain
more customized expressions and those deployments that require the flexibility
that regular expressions offer. For most users, the built-in command policies
should be sufficient. Users who need additional levels of control, but are
unfamiliar with regular expressions, may want to use only simple expressions,
such as those in the examples provided in this section, to maintain policy
readability.
When you use a regular expression to create a command policy, keep the
following in mind.
• When you use regular expressions to define commands that will be affected
by a command policy, you must enclose the commands in double quotes.
For example, if you want to create a command policy named allowShow
that includes all commands that begin with show, you should type the
following:
“^show .*$”
If you want to create a command policy that includes all commands that
begin with rm, you should type the following:
DENY “^rm .*$”
• Regular expressions used in command policies are case insensitive.

The following table gives examples of regular expressions:
Command Specification Matches these Commands

“^rm\s+.*$” All remove actions, because all remove actions begin
with the rm string, followed by a space and
additional parameters and flags.
“^show\s+.*$” All show commands, because all show actions begin
with the show string, followed by a space and
“^shell$” The shell command alone, but not combined with
any other parameters or flags.
“^add\s+vserver\s+.*$” All create a vserver actions, which consist of the add
vserver command followed by a space and additional
parameters and flags.
“^add\s+(lb\s+vserver)\s+ All create an lb vserver actions, which consist of the
.*” add lb vserver command followed by a space and
“^set\s+lb\s+.*$” All commands that configure load balancing settings
at the command group level.
The following table shows the command specifications for each of the built-in
command policies:
Policy Name Command Specification Regular Expression

read-only (^man.*)|(^show\s+(?!system)(?!ns ns.conf)(?!ns
runningConfig).*)|(^stat.*)
operator (^man.*)|(^show\s+(?!system)(?!ns ns.conf)(?!ns

runningConfig).*)|(^stat.*)|(^set.*-accessdown.*)|(^
(enable|disable) (server|service).*)
network ^(?!shell)\S+\s+(?!system)(?!ns ns.conf)(?!ns

runningConfig).*
superuser .*
The following table describes the parameters you set to create a command policy.
Parameter Specifies
User Name Name of the command policy.
Command Spec Rule expression that the policy uses to
pattern match.
Action The action the policy need to apply
when the command specification
pattern matches. Possible values:
ALLOW and DENY
To create a command policy, use either of the following procedures.
To create a command policy using the configuration utility
1. In the navigation pane, expand System and click Command Policies.

2. On the Command Policies page, click Add.
3. In the Create Command Policy dialog box, in the Policy Name text box,
type a name for the command policy (for example, read_all).
4. In the Action list, select the action (for example, Allow).
5. In the Command Spec text box, enter a command, such as
“(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)”
(you can use the Policy Components to expedite entry).
6. Click Create.
To create a command policy using the NetScaler command line

add system cmdPolicy policyname action cmdspec
Example
add system cmdPolicy read_all ALLOW (^show\s+(?!system)(?!ns
ns.conf)(?!ns runningConfig).*)|(^stat.*)
Binding Command Policies to Users and Groups

Once you have defined your command policies, you must bind them to the
appropriate user accounts and groups.
When you bind a policy, you must assign it a priority so that the NetScaler can
determine which command policy to follow when two or more applicable
command policies are in conflict.
The order in which command policies are evaluated is:
• Command policies bound directly to users and the corresponding groups
are evaluated based on the priority number. A command policy with a lower
priority number is evaluated before one with a higher priority number.
Therefore, any privileges the lower-numbered command policy explicitly
grants or denies are not overridden by a higher-numbered command policy.
• When two command policies one bound to an user account and other bound
to a group have the same priority number then the command policy bound
directly to the user account is evaluated first.
Binding Command Policies to a user

The following table describes the parameters you set to bind command policies to
a user.
Parameter Specifies
User Name The user account
Policy Name Name of the command policy bind to
the user.
To bind a policy to a user, use either of the following procedures.
To bind command policies to a user using the configuration utility

2. On the System Users page, select a user (for example, johnd)
3. Click Open.
4. In the Configure System User dialog box, under Command Policies, in
the Active column, select one or more check boxes for policies to bind to
this user.
5. In the Priority list box, for each active policy, enter a priority number for
the policy (for example, 1), or adjust the number.
6. Click OK.
To bind command policies to a user using the NetScaler command line

bind system user userName policyName priority
Example
bind system user johnd johnd_pol 1
Binding Command Policies to a Group

The following table describes the parameters you set to bind a policy to a
group.
Parameter Specifies
Group Name Name of the group.
Policy Name Name of the command policy to bind to
the user group.
To bind command policies to a group, use either of the following procedures
To bind command policies to a group using the configuration utility

2. On the System Groups page, select a group (for example, Managers)
3. Click Open.
4. In the Configure System Group dialog box, under Command Policies, in
the Active column, select one or more check boxes for policies to bind to
this group.
5. In the Priority list box, for each active policy, enter a priority number for
the policy (for example, 2), or adjust the number.
6. Click OK.
To bind command policies to a group using the NetScaler command line

bind system group groupName -policyName policyName priority
Example
bind system group Managers -policyName Managers_pol 2
Removing Command Policies

The built-in command policies cannot be removed. If your user account is
assigned the right to remove a command policy, you can use either of the
following procedures to remove command policies.
To remove a command policy using the configuration utility

2. On the Command Policies page, select the command policy to be removed
(for example, Managers_pol).
3. Click Remove.
4. In the Remove pop-up window, click Yes.
To remove a comand policy using the NetScaler command line

rm system cmdPolicy PolicyName
Example
rm system cmdPolicy Managers_pol
Resetting the Default Administrator (nsroot) Password

The nsroot account provides complete access to all features of the NetScaler.
Therefore, to preserve security, the nsroot account should be used only when
necessary, and only individuals whose duties require full access should know the
nsroot account password. Also for security, it is advisable to change the nsroot
password frequently. If you lose the password, you can reset it as described here.
To reset the nsroot password, you must boot the NetScaler into single user mode,
mount the file systems in read/write mode, and remove the set NetScaler user
nsroot entry from the ns.conf file. This process does not actually recover your
nsroot password, but it does allow you to reset it to the default setting, nsroot.
You can then choose a new password.
Use the following procedure.
To reset the nsroot password
1. Connect a computer to the NetScaler serial port and log on.
Note: You cannot log on via ssh to perform this procedure; you must connect
directly to the NetScaler.
As the operating system starts, it displays the following message:

Hit [Enter] to boot immediately, or any other key
for command prompt.
Booting [kernel] in # seconds.
2. Press CTRL+C.
The following message appears:
Type ‘?’ for a list of commands, ‘help’ for more
detailed help.
ok
3. Type boot -s, and press the Enter key to start the NetScaler in single user
mode.
After the NetScaler boots, it displays the following message:
Enter full pathname of shell or RETURN for /bin/sh:
4. Press the Enter key to display the # prompt, and type the following
commands to mount the file systems:
fsck /dev/ad0s1a
mount /dev/ad0s1a /flash
5. Using a text editor of your choice, edit the /flash/nsconfig/
ns.conf file and remove the set system user nsroot entry.
6. Save the file and exit the text editor.
7. Type reboot and press the Enter key to reboot the NetScaler.
When the NetScaler completes rebooting, it prompts for username and
password.
8. Log on as nsroot, with the password nsroot.
Once logged in to the NetScaler, you will be required to enter a new nsroot
user password.
9. Follow the prompts to change the password.
10. Exit the config ns menu.
Example of Authentication and Authorization

The following example shows how to create a complete set of user accounts,
groups, and command policies and bind each policy to the appropriate groups and
users. The company, Example Manufacturing, Inc., has three users who will
access the NetScaler:
• John Doe. The IT manager. John needs to be able to see all parts of the
NetScaler configuration but does not need to modify anything.
• Maria Ramirez. The lead IT administrator. Maria needs to be able to see
and modify all parts of the NetScaler configuration except for NetScaler
commands (which local policy dictates must be performed while logged on
as nsroot).
• Michael Baldrock. The IT administrator in charge of load balancing.
Michael needs to be able to see all parts of the NetScaler configuration, but
needs to modify only the load balancing functions.
The following table shows the breakdown of network information, user account
names, group names, and command policies for the sample company:
Field Value Note

NetScaler ns01.example.net
hostname
User accounts johnd John Doe, IT manager
mariar Maria Ramirez, IT administrator
michaelb Michael Baldrock, IT administrator
Groups Managers All managers
SysOps All IT administrators
Command read_all Allow complete read-only access
Policies modify_lb Allow modify access to load balancing
modify_all Allow nearly complete modify access
The following description walks you through the process of creating a complete
set of user accounts, groups, and command policies on the NetScaler
ns01.example.net.
The description includes procedures for binding the appropriate user accounts and
groups to one another, and binding appropriate command policies to the user
accounts and groups.
This example illustrates how you can use prioritization to grant precise access
and privileges to each user in the IT department.
The example assumes that initial installation and configuration have already been
performed on the NetScaler.
To create johnd, mariar, and michaelb user accounts

2. On the System Users page, Click Add.
3. In the Create System User dialog box, in the User Name text box, type
johnd.
4. In the Password text box, type a password to assign to the user.
5. In the Confirm Password text box, again type the password that you have
typed in the Password text box.
6. Click Create.
7. Repeat steps 2–6 to create user accounts and passwords for Maria
Ramirez and Michael Baldrock.
To create groups Managers and SysOps

2. On the System Groups page, click Add.
3. In the Create System Group dialog box, in the Group Name text box,
type Managers.
4. Click Create, and click Close.
5. Repeat steps 1–4 to create a group named SysOps.
To bind users to a group

2. On System Groups page, select the Managers group and click Open.
3. In the Configure System Group dialog box, under Members, select johnd
in the Available Users list.
4. Click Add to move johnd to the Configured Users list.
5. Click OK, and click Close.
6. Repeat steps 1–4 to bind users mariar and michaelb to the group SysOps.
To add command policies

2. On the Command Policies page, click Add.
3. In the Create Command Policy dialog box, in the Policy Name text box,
type read_all.
4. In the Action list, select Allow.
5. In the Command Spec text box, enter “(^show\s+(?!system)(?!ns
ns.conf)(?!ns runningConfig).*)|(^stat.*)” (you can use the Policy
Components to expedite entry).
6. Click Create.
7. Repeat steps 1–6, to create a command policy named modify_lb with
action as Allow and the command spec “^set\s+lb\s+.*$”
8. Repeat steps 1–6, to create a command policy named modify_all with
action as Allow and the command spec “^\S+\s+(?!system).*”
To bind a command policy to a group

2. On the System Groups page, select the Managers group.
3. Click Open.
4. In the Configure System Group dialog box, under Command Policies, in
the Active column, select the read_all policy and change the Priority list
box to 1.
5. Click OK.
6. Repeat steps 1–5 to bind the read_all command policy to the SysOps
group, also assigning it a priority of 1.
To bind a command policy to a user

2. On the System Users page, select the michaelb user account.
3. Click Open.
4. In the Configure System User dialog box, under Command Policies, in
the Active column, select the modify_lb policy and change the Priority list
box to 5.
5. Click OK.
The configuration you've just created results in the following:
• John Doe, the IT manager, has read-only access to the entire NetScaler, but
cannot make modifications.
• Maria Ramirez, the IT lead, has near-complete access to all areas of the
NetScaler configuration, having to log on only to perform NetScaler-level
commands.
• Michael Baldrock, the IT administrator responsible for load balancing, has
read-only access to the NetScaler configuration, and can modify the
configuration options for load balancing.
As mentioned earlier, the set of command policies that applies to a specific user is
a combination of command policies applied directly to the user's account and
command policies applied to the group(s) of which the user is a member.
Each time a user enters a command, the operating system searches the command
policies for that user until it finds a policy with an explicit ALLOW or DENY
action that matches the command. When it finds a match, the operating system
stops its command policy search and allows or denies access to the command.
If the operating system finds no matching command policy, it denies the user
access to the command, in accordance with the NetScaler’s default deny policy.
Note: When placing a user into multiple groups, take care not to cause
unintended user command restrictions or privileges. To avoid these conflicts,
when organizing your users in groups, it's good to bear in mind the NetScaler's
command policy search procedure and policy ordering rules.
Configuring External User Authentication

External user authentication is the process of authenticating the users of the
Citrix® NetScaler® appliance by using an external authentication server. To
configure external user authentication, you must create authentication policies.
An authentication policy is comprised of an expression and an action.
Authentication policies use NetScaler classic expressions, which are described in
detail in the Citrix NetScaler Policy Configuration and Reference Guide at http://
support.citrix.com/article/ctx123868.
After creating an authentication policy, you bind it to system global entity and
assign a priority to it. You can create simple server configurations by binding a
single authentication policy to the system global entity. Or, you can configure a
cascade of authentication servers by binding multiple policies to the system
global entity. If no authentication policies are bound to the system, users are
authenticated by the onboard system.
The NetScaler supports configuring of LDAP, RADIUS, TACACS+, and NT4
authentication servers. You configure these depending on the requirements for
your environment.
Note: User accounts must be configured on the NetScaler before users can be
externally authenticated. You must first create an onboard system user for all
users who will access the NetScaler in order to bind command policies to the user
accounts. Regardless of the authentication source, users cannot log on if they are
not granted sufficient command authorization through command policies bound
to their user accounts or to a group of which they are a member.
Configuring and Binding Authentication Policies

You can configure one or many authentication policies, depending on your
authentication needs. Authentication policies can be of the following types:
• LDAP. Authenticate to an external LDAP authentication server.
• RADIUS. Authenticate to an external RADIUS authentication server.
• TACACS+. Authenticate to an external Terminal Access Controller
Access-Control System (TACACS+) authentication server.
• NT4. Authenticate to an external Windows NT 4.0 server.
• LOCAL. Authenticate to the NetScaler appliance by using a password,
without reference to an external authentication server.
To configure and bind authentication policies, use the following parameters.
Parameter Specifies
Name A name for the policy you are creating.
The name can begin with a letter,
number, or the underscore symbol, and
can consist of up to 127 characters
including letters, numbers, hyphen (-),
period (.) pound (#), space ( ), at sign
(@), equal sign (=), colon (:), and
underscore (_) symbols. (Names cannot
be changed for existing policies.)
Authentication Type Type of authentication. Possible Values:
LDAP, RADIUS, TACACS+, NT4,
LOCAL. Default: LOCAL.
Rule A NetScaler classic expression that
defines which requests to authenticate.
For a complete description of NetScaler
classic expressions, see the Citrix
NetScaler Policy Configuration and
Reference Guide at http://
support.citrix.com/article/ctx123868.
Parameter Specifies
Action An action with parameters specific to
authentication servers.
Priority The priority assigned to this
authentication policy.
To create an authentication policy by using the configuration utility
1. In the navigation pane, expand System, and then click Authentication.

2. On the Policies tab, click Add.
3. In Name, type a name for the policy.
4. In Authentication Type, select the authentication type.
5. Next to Server, click New.
6. Configure the settings for your authentication type and click Create.
7. In the Create Authentication Policy dialog box, next to Named
Expressions, select True value, click Add Expression, click Create, and
then click Close.
To modify an authentication policy by using the configuration utility
You can modify configured authentication policies, such as changing the IP

address of the authentication server or modifying the expression.
2. On the Policies tab, click Open.
3. In the Configure Authentication Policy dialog box, make the changes and
click Close.
When the authentication policies are configured, bind the policy to the system
global entity.
To bind an authentication policy globally by using the configuration utility

2. On the Policies tab, click Global Bindings.
3. Under Details, click Insert Policy.
4. Under Policy Name, select the policy and click OK.
To unbind a global authentication policy by using the configuration utility

2. On the Policies tab, click Global Bindings.

3. In the Bind/Unbind Authentication Policies dialog box, in Policy Name,
select the policy, click Unbind Policy and then click OK.
Configuring LDAP Authentication

You can configure the NetScaler to authenticate user access with one or more
LDAP servers. LDAP authorization requires identical group names in Active
Directory, on the LDAP server, and on the NetScaler. The characters and case
must also be the same.
By default, LDAP authentication is secure by using SSL/TLS protocol. There are
two types of secure LDAP connections. In the first type, the LDAP server accepts
the SSL/TLS connection on a port separate from the port used to accept clear
LDAP connections. After users establish the SSL/TLS connection, LDAP traffic
can be sent over the connection. The second type allows both unsecure and secure
LDAP connections and is handled by a single port on the server. In this scenario,
to create a secure connection, the client first establishes a clear LDAP connection.
Then the LDAP command StartTLS is sent to the server over the connection. If
the LDAP server supports StartTLS, the connection is converted to a secure
LDAP connection by using TLS.
The port numbers for LDAP connections are:
• 389 for unsecured LDAP connections
• 636 for secure LDAP connections
• 3268 for Microsoft unsecure LDAP connections
• 3269 for Microsoft secure LDAP connections
LDAP connections that use the StartTLS command use port number 389. If port
numbers 389 or 3268 are configured on the NetScaler, it tries to use StartTLS to
make the connection. If any other port number is used, connection attempts are
made using SSL/TLS. If StartTLS or SSL/TLS cannot be used, the connection
fails.
When configuring the LDAP server, the letter case must match on the server and
on the NetScaler. If the root directory of the LDAP server is specified, all of the
subdirectories are also searched to find the user attribute. In large directories, this
can affect performance. For this reason, Citrix recommends that you use a
specific organizational unit (OU).
The following table contains examples of user attribute fields for LDAP servers.
LDAP Server User Attribute Case Sensitive Case Sensitive
Microsoft Active Directory Server sAMAccountName No
LDAP Server User Attribute Case Sensitive Case Sensitive

Novell eDirectory cn Yes
IBM Directory Server uid Yes
Lotus Domino CN Yes
Sun ONE directory (formerly iPlanet) uid or cn Yes
This table contains examples of the base distinguished name (DN).

LDAP Server Base DN
Microsoft Active Directory DC=citrix, DC=local
Novell eDirectory dc=citrix, dc=net
IBM Directory Server cn=users
Lotus Domino OU=City, O=Citrix, C=US
Sun ONE directory (formerly iPlanet) ou=People, dc=citrix, dc=com
This table contains examples of the bind distinguished name (DN).

LDAP Server Bind DN
Microsoft Active Directory CN=Administrator, CN=Users, DC=citrix,
DC=local
Novell eDirectory cn=admin, dc=citrix, dc=net
IBM Directory Server LDAP_dn
Lotus Domino CN=Notes Administrator, O=Citrix, C=US
Sun ONE directory (formerly iPlanet) uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot
To configure LDAP authentication by using the configuration utility

4. In Authentication Type, select LDAP. Next to Server, click New.
5. In Name, type the name of the server.
6. Under Server, in IP Address and Port, type the IP address and port
number of the LDAP server.
7. Under Connection Settings, complete the following:
• In Base DN (location of users), type the base DN under which users

are located.
Base DN is usually derived from the Bind DN by removing the user

name and specifying the group where users are located. Examples of
syntax for base DN are:
ou=users,dc=ace,dc=com
cn=Users,dc=ace,dc=com
• In Administrator Bind DN, type the administrator bind DN for
queries to the LDAP directory.
Examples for syntax of bind DN are:

domain/user name
ou=administrator,dc=ace,dc=com
user@domain.name (for Active Directory)
cn=Administrator,cn=Users,dc=ace,dc=com
For Active Directory, the group name specified as cn=groupname

is required. The group name that is defined in the NetScaler must be
identical to the group name that is defined on the LDAP server. For
other LDAP directories, the group name either is not required or, if
required, is specified as ou=groupname.
The NetScaler binds to the LDAP server using the administrator

credentials and then searches for the user. After locating the user, the
NetScaler unbinds the administrator credentials and rebinds with the
user credentials.
• In Administrator Password and Confirm Administrator
Password, type the administrator password for the LDAP server.
8. To retrieve additional LDAP settings automatically, click Retrieve
Attributes. When you click Retrieve Attributes, the fields under Other
Settings populate automatically. If you don't want to do this, skip to Step
12.
9. Under Other Settings, in Server Logon Name Attribute, type the
attribute under which the NetScaler should look for user logon names for
the LDAP server that you are configuring. The default is
samAccountName.
10. In Group Attribute, leave the default memberOf for Active Directory or
change it to that of the LDAP server type you are using. This attribute
enables the NetScaler to obtain the groups associated with a user during
authorization.
11. In Security Type, select the security type.
Note: If you select PLAINTEXT or TLS for security, use port number
389. If you select SSL, use port number 636.
12. To allow users to change their LDAP password, select Allow Password
Change.
Note: If you select PLAINTEXT as the security type, allowing users to

change thei passwords is not supported.
13. Click Create.

Expressions, select the expression, click Add Expression, click Create,
and click Close.
After the LDAP server settings are configured on the NetScaler, bind the policy to
the system global entity. For more information about binding authentication
policies globally, see “Configuring and Binding Authentication Policies” earlier
in this guide.
Determining Attributes in your LDAP Directory

If you need help determining your LDAP directory attributes, you can easily look
them up with the free LDAP browser from Softerra.
You can download the LDAP browser from the Softerra LDAP Administrator
Web site at http://www.ldapbrowser.com. After the browser is installed, set the
following attributes:
• The host name or IP address of your LDAP server.
• The port of your LDAP server. The default is 389.
• The base DN field can be left blank.
• The information provided by the LDAP browser can help you
determine the base DN needed for the Authentication tab.
• The Anonymous Bind check determines if the LDAP server requires
user credentials to connect to it. If the LDAP server requires
credentials, leave the check box cleared.
After completing the settings, the LDAP browser displays the profile name in the
left pane and connects to the LDAP server.
Configuring RADIUS Authentication

You can configure the NetScaler to authenticate user access with one or more
RADIUS servers. If you are using RSA SecurID, SafeWord, or Gemalto Protiva
products, each of these is configured using a RADIUS server.
Your configuration might require using a network access server IP address (NAS
IP) or a network access server identifier (NAS ID). When configuring your
NetScaler to use a RADIUS authentication server, use the following guidelines:
• If you enable use of the NAS IP, the appliance sends its configured IP
address to the RADIUS server, rather than the source IP address used
in establishing the RADIUS connection.
• If you configure the NAS ID, the appliance sends the identifier to the
RADIUS server. If you do not configure the NAS ID, the appliance
sends its host name to the RADIUS server.
• When the NAS IP is enabled, the appliance ignores any NAS ID that
is configured using the NAS IP to communicate with the RADIUS
server.
To configure RADIUS authentication by using the configuration utility

4. In Authentication Type, select RADIUS.
6. In Name, type a name for the server.
7. Under Server, in IP Address, type the IP address of the RADIUS server.
8. In Port, type the port. The default is 1812.
9. Under Details, in Secret Key and Confirm Secret Key, type the RADIUS
server secret.
10. In NAS ID, type the identifier number and click Create.
and click Close.
After the RADIUS server settings are configured on the NetScaler, bind the
policy to the system global entity.For more information about binding
authentication policies globally, see “Configuring and Binding Authentication
Policies” earlier in this guide.
Choosing RADIUS Authentication Protocols

The NetScaler supports implementations of RADIUS that are configured to use
several protocols for user authentication, including:
• Password Authentication Protocol
• Challenge-Handshake Authentication Protocol (CHAP)
• Microsoft Challenge-Handshake Authentication Protocol
(MS-CHAP Version 1 and Version 2)
If your deployment of the NetScaler is configured to use RADIUS authentication
and your RADIUS server is configured to use Password Authentication Protocol,
you can strengthen user authentication by assigning a strong shared secret to the
RADIUS server. Strong RADIUS shared secrets consist of random sequences of
uppercase and lowercase letters, numbers, and punctuation and are at least 22
characters long. If possible, use a random character generation program to
determine RADIUS shared secrets.
To further protect RADIUS traffic, assign a different shared secret to each
NetScaler appliance or virtual server. When you define clients on the RADIUS
server, you can also assign a separate shared secret to each client. If you do this,
you must configure separately each NetScaler policy that uses RADIUS
authentication.
Shared secrets are configured on the NetScaler when a RADIUS policy is created.
Configuring IP Address Extraction

You can configure the NetScaler to extract the IP address from a RADIUS server.
When a user authenticates with the RADIUS server, the server returns a framed
IP address that is assigned to the user. The following are components for IP
address extraction:
• Allows a remote RADIUS server to supply an IP address from the internal
network for a user logged on to the NetScaler.
• Allows configuration for any RADIUS attribute using the type ipaddress,
including those that are vendor encoded.
When configuring the RADIUS server for IP address extraction, you configure
the vendor identifier and the attribute type.
The vendor identifier enables the RADIUS server to assign an IP address to the
client from a pool of IP addresses that are configured on the RADIUS server. The
vendor ID and attributes are used to make the association between the RADIUS
client and the RADIUS server. The vendor ID is the attribute in the RADIUS
response that provides the IP address of the internal network. A value of zero
indicates that the attribute is not vendor encoded. The attribute type is the remote
IP address attribute in a RADIUS response. The minimum value is one and the
maximum value is 255.
A common configuration is to extract the RADIUS attribute framed IP address.
The vendor ID is set to zero or is not specified. The attribute type is set to eight.
To configure IP address extraction by using the configuration utility

2. On the Policies tab, click Open.
3. In the Configure Authentication Policy dialog box, next to Server, click
Modify.
4. Under Details, in Group Vendor Identifier, type the value.
5. In Group Attribute Type, type the value, and click OK twice.
Configuring TACACS+ Authentication

You can configure a TACACS+ server for authentication. Similar to RADIUS
authentication, TACACS+ uses a secret key, an IP address, and the port number.
The default port number is 49. To configure the NetScaler to use a TACACS+
server, provide the server IP address and the TACACS+ secret. The port needs to
be specified only when the server port number in use is something other than the
default port number of 49.
To configure TACACS+ authentication by using the configuration utility

4. In Authentication Type, select TACACS.
6. In Name, type a name for the server.
7. Under Server, type the IP address and port number of the TACACS+
server.
8. Under TACACS server information, in TACACS Key and Confirm

TACACS key, type the key.
9. In Authorization, select ON and click Create.
and click Close.
After the TACACS+ server settings are configured on the NetScaler, bind the
policy to the system global entity. For more information about binding
Configuring NT4 Authentication

You can configure the NetScaler to use Windows NT LAN Manager (NTLM)
authentication to authenticate users against the user database on a Windows NT
4.0 domain controller. A Windows NT 4.0 domain controller maintains domain
user accounts in a database on the Windows NT 4.0 server. A domain user
account includes a user name and password and other information about the user.
When a user logs on to the NetScaler, the user enters the user name and password
maintained in the domain user account on the Windows NT 4.0 server. The
NetScaler connects to the Windows NT 4.0 server and passes these credentials to
the server. The server authenticates the user. If you need to configure the
NetScaler to authenticate clients against a Windows NT 4.0 primary or backup
domain controller, you need to specify the server IP address, the domain name,
the domain administrator user name and password of the person who is
authorized to administer the domain. These parameters are necessary because the
NetScaler joins the domain to communicate authentication data.
NT4 authentication supports NTLMv1 and NTLMv2 authentication protocols
only.
To configure NT4 authentication by using the configuration utility

4. In Authentication Type, select NT4.
6. In Server, type the name of the server.
7. Complete the settings as they are configured on your Windows NT 4.0
server and click Create.

and click Close.
When the settings for Windows NT 4.0 authentication are configured, bind the
policy to the system global entity. For more information about binding
C HAPTER 2
SNMP
The NetScaler supports Simple Network Management Protocol (SNMP)

functionality, as illustrated in the following diagram. This diagram shows a
network with a NetScaler that has SNMP enabled and configured. In the diagram,
each SNMP network management application uses SNMP to communicate with
the SNMP agent on the NetScaler. The SNMP agent searches its management
information base (MIB) to collect the data requested by the network management
application, and provides the information to the application.
NetScaler Supporting SNMP

The SNMP agent on the NetScaler supports SNMP version 1 (SNMPv1), SNMP
version 2 (SNMPv2), and SNMP version 3 (SNMPv3). The SNMP agent handles
queries, such as SNMPv2 Get-Bulk, from the SNMP manager. The SNMP agent
also sends out traps compliant with SNMPv2. It also supports SNMPv2
data-types, such as counter64.
In This Chapter
Importing MIB Files
Defining SNMP Managers
Configuring SNMP V1 and V2
Configuring SNMP V3
Importing MIB Files

SNMPv1 managers (programs on computers that request SNMP information
from the NetScaler) use the NS-MIB-smiv1.mib file when processing SNMP
queries. SNMPv2 and SNMPv3 managers use the NS-MIB-smiv2.mib file.
The NetScaler supports enterprise-specific MIBs. They are:
• A subset of standard MIB-2 groups. Provides the MIB-2 groups
SYSTEM, IF, ICMP, UDP, and SNMP.
• A NetScaler enterprise MIB. Provides NetScaler-specific configuration
and statistics.
Before you start configuring SNMP, you must import the appropriate SNMP MIB
files to the network management application, as follows:
• If the HP OpenView SNMP manager is installed on your computer, copy
the NS-MIB-smiv2.mib file from the NetScaler Product CD, /Utilities/
SNMP/HP_OpenView directory, or download it from the FTP site
ftp.netscaler.com.
• If the WhatsUpGold SNMP manager is installed on your computer, copy
the traps.txt and mib.txt files from the NetScaler Product CD, /Utilities/
SNMP/WhatsUpGold directory, or download it from the FTP site
ftp.netscaler.com.
Note: For information about the user name and password used to connect to the
FTP site, contact the NetScaler product support group.
Chapter 2 SNMP 31
Defining SNMP Managers

You need to configure the management application, which complies with SNMP
version1, SNMP version 2, or SNMP version 3, to access the NetScaler. You can
add upto a maximum of 100 SNMP manager or networks.
Note: If you do not configure at least one SNMP manager, the NetScaler
accepts and responds to SNMP queries from all IPs on the network. If you
configure one or more SNMP managers, it accepts and responds only to SNMP
queries from those specific IPs.
Adding an SNMP Manager

The following table describes the parameters you set to add an SNMP Manager:
Parameter Specifies
IP Address IP/Network address of the management
station.
Netmask Subnet of management stations. Used to
grant access from entire subnets to the
NetScaler.
To add an SNMP manager, use either of the following procedures:
To add an SNMP manager using the configuration utility
1. In the navigation pane, expand System, click SNMP, and click Managers.
2. In the Add SNMP Manager dialog box, click Add.
3. In the Create Manager dialog box, in the IP Address text box, type the IP
address of the computer running the management application (for example,
10.102.29.5).
4. Click Add.
To add an SNMP manager using the NetScaler command line

add snmp manager IPaddress
Example
add snmp manager 10.102.29.5
Removing SNMP Managers

When you remove a SNMP manager from the NetScaler, that manager can no
longer query the NetScaler.
Note: If there is no SNMP manager configured on the NetScaler, network

management applications from any host computer can access the NetScaler.
To remove an SNMP manager, use either of the following procedures:
To remove an SNMP manager using the configuration utility
1. In the navigation pane, expand System, click SNMP, and then click
Managers.
2. On the SNMP Managers page, select the manager which you want to
remove.
3. Click Remove.
4. In the Remove dialog box, click Yes.
To remove an SNMP manager using the NetScaler command line

rm snmp manager IPAddress
Example
rm snmp manager 10.102.29.5
Configuring SNMP V1 and V2

Before you can use SNMP in the NetScaler, you must configure the NetScaler to
allow the appropriate SNMP managers to access it. You must also provide the
SNMP manager with the required NetScaler-specific information. The
configuration process consists of the following tasks:
• Set the SNMP community, which defines access privileges (Read
operation).
• Set traps and alarms to send SNMP trap notifications to the SNMP manager
for any asynchronous events generated by the agent to indicate the state of
the NetScaler.
Chapter 2 SNMP 33
Adding an SNMP Community

You add an SNMP community string to grant access to an SNMP network
management application to manage the NetScaler. The community also
defines the specific management tasks that you can perform.
The following table describes the parameters you set to add an SNMP
community:
Parameter Specifies
Community Name SNMP community string.
Permissions Access privileges. Possible
values: GET, GET NEXT, GET
BULK, ALL.
To add an SNMP community string
Community.
2. On the SNMP Community page, click Add.
3. In the Add SNMP Community dialog box, in the Community String text
box, type a name for the community to be added (for example, Com_All).
4. In Permission, select the ALL option.
5. Click Create.
Removing an SNMP Community

When you remove a community string, no SNMP managers can use this
community string to manage or access the NetScaler.
To remove a community string, use either of the following procedures:
To remove an SNMP community string
Community.
2. On the SNMP Community page, select the community that you want to
remove (for example, Com_All).
3. Click Remove.
Configuring SNMP Traps and Alarms

In addition to providing information in response to specific requests, the
NetScaler can display an alarm, or notification message, in a window on a
designated computer or computers whenever a particular type of event occurs.
This type of notification is called an SNMP trap, and it helps administrators
monitor the NetScaler and respond promptly to any issues.s
SNMP traps are asynchronous events generated by the agent to indicate the state
of the NetScaler. The trap listener receives traps on the trap destination port. If
this port is not configured correctly, the traps do not reach the SNMP manager.
You can configure the NetScaler to send traps to the SNMP manager when
specific events generate alarms at specific severity levels. There are 5 severity
levels: Critical, Major, Minor, Warning, and Informational.
You can configure the NetScaler to send SNMP traps with source IP other than
the NSIP. You can set the source IP of an SNMP trap to either a MIP or a SNIP.
The NetScaler supports four types of generic SNMP traps and 65 types of
enterprise-specific traps. You can specify maximum of 20 IP addresses as
destinations for either type. If more than 10 authentication traps messages are
generated within 20 seconds, no traps messages will be generated for the next 60
seconds.
The following table describes the generic traps that the NetScaler supports.
Generic trap Indicates

authenticationFailure An SNMP management application without access
privileges has attempted to access the NetScaler.
coldStart An SNMP entity configured as an agent has reinitialized
itself. Its configuration may have been altered.
linkUp The sending protocol entity recognizes that one of the
communication links represented in the agent's
configuration has come up.
linkDown The sending protocol entity recognizes a failure in one of
the communication links represented in the agent's
configuration.
The following table describes the specific SNMP traps that the NetScaler
supports.
Specific trap Indicates

averageCpuUtilization Average CPU usage in the multi-processor
NetScaler has exceeded the high threshold.
Chapter 2 SNMP 35

averageCpuUtilizationNormal Average CPU usage in the multi-processor
NetScaler has come back to normal after
exceeding the predefined threshold.
changeToPrimary The NetScaler has become the primary node in a
High Availability configuration.
changeToSecondary The NetScaler has become the secondary node in
a High Availability configuration.
cpuUtilization CPU utilization has exceeded the threshold.
cpuUtilizationNormal CPU utilization has returned to normal after
exceeding the threshold and generating a
cpuUtilization trap.
diskUsageHigh Disk usage has exceeded the threshold.
diskUsageNormal Disk usage has returned to normal.
entityup State of the interface, vserver, or physical service
has changed to UP.
entitydown State of the interface, vserver, or physical service
has changed to DOWN.
fanSpeedLow A fan speed has fallen below an alarm threshold.
Note: Fan speed varies from 4000 through

6500 on all platforms. An alarm threshold of
25% of the minimum is recommended.
fanSpeedNormal A fan speed has returned to normal.

interfaceThroughputLow Interface throughput has fallen below an alarm
threshold.
interfaceThroughputNormal Interface throughput has returned to normal.
maxClients Number of clients for a service has reached the
maximum allowed for that service.
maxClientsNormal Number of clients for a service has fallen below
70% of maximum number allowed for that
service, after causing a maxClient trap.
memoryUtilization Memory utilization has exceeded the predefined
threshold.
memoryUtilizationNormal Memory utilization has returned to normal after a
memoryUtilization trap.
monRespTimeoutAboveThresh Response time for a monitor probe has exceeded
the configured threshold.

monRespTimeoutBelowThresh Response time for a monitor probe is below the
threshold, indicating that response time has
returned to normal.
netscalerLoginFailure A user 's atempt to log in to the NetScaler has
failed.
NetScalerConfigChange Your NetScaler configuration has changed.
Note: This trap is not generated when the

configuration is restored from the ns.conf file.
netScalerConfigSave The NetScaler configuration has been saved.

serviceRequestRate Request rate on a service has exceeded the
threshold.
serviceRequestRateNormal Request rate on a service has returned to normal.
serviceRxBytesRate Request bytes/s of a service has exceeded a
threshold value.
serviceRxBytesRateNormal Request bytes/s of a service has returned to
normal.
serviceTxBytesRate Response bytes/s of a service exceeded a
threshold value.
serviceTxBytesRateNormal Response bytes/s of a service has returned to
normal.
serviceSynfloodRate The number of unacknowledged syns for a
service has exceeded a threshold value.
serviceSynfloodNormal The number of unacknowledged syns for a
service has returned to normal.
sslCertificateExpiry A SSL certificate is due to expire.
svcGrpMemberRequestRate Request rate on a service group member has
exceeded a threshold value.
svcGrpMemberRequestRateNormal Request rate on a service group member has
returned to normal.
svcGrpMemberRxBytesRate Request bytes per second of a service group has
svcGrpMemberRxBytesRateNormal Request bytes per second of a service group has
returned to normal.
svcGrpMemberTxBytesRate Response bytes per second of a service group has
Chapter 2 SNMP 37

svcGrpMemberTxBytesRateNormal Response bytes per second of a service group has
returned to normal.
svcGrpMemberSynfloodRate Number of unacknowledged SYN packets for a
service group has exceeded a threshold value.
svcGrpMemberSynfloodNormal Number of unacknowledged SYN packets for a
service group has returned to normal.
svcGrpMemberMaxClients Number of clients has reached the maxClients
value for a service group member.
svcGrpMemberMaxClientsNormal Number of clients has fallen below 70% of
maxClients value for a service group member.
synflood Rate at which unacknowledged SYN packets are
received has exceeded the threshold.
synfloodNormal Rate at which unacknowledged SYN packets are
received has returned to normal.
temperatureHigh Temperature has gone high. The temperature is
measured in degree centigrade (0C).
temperatureNormal Temperature has returned to normal.
vServerRequestRate Request rate on a vserver has exceeded the
predefined threshold.
vServerRequestRateNormal Request rate on a vserver has returned to normal.
vserverRxBytesRate Request bytes/s of a vserver has exceeded the
threshold value.
vserverRxBytesRateNormal Request bytes/s of a vServer has returned to
normal.
vserverTxBytesRate Response bytes/s of a vserver has exceeded a
threshold value.
vserverTxBytesRateNormal Response bytes/s of a vServer has returned to
normal.
vserverSynfloodRate Number of unacknowledged syns for a vserver
has exceeded a threshold value.
vserverSynfloodNormal Number of unacknowledged syns for a vserver
has returned to normal.
voltageLow A voltage has fallen below the threshold value.
voltageNormal A voltage has returned to normal.

voltageHigh A voltage has exceeded the threshold value.
Note: The three traps voltageLow,

voltageNormal, and voltageHigh are based on
v33main and v33stby (mV). The normal value
ranges from 2970mV through 3630mV.
haVersionMismatch OS versions of the NetScalers in a High

Availability configuration do not match.
haSyncFailure Configuration synchronization has failed on
secondary node.
haNoHeartbeats High Availability heartbeats are not received by
the primary node from the secondary.
haBadSecState State of the secondary node has changed to
DOWN, UNKNOWN, or STAY SECONDARY .
powerSupplyFailed Power supply has failed.
powerSupplyNormal The power supply has returned to service.
interfaceBWUseHigh Bandwidth usage of any of the interfaces of the
NetScaler has exceeded the threshold value.
interfaceBWUseNormal Bandwidth usage of any of the interfaces of the
NetScaler has returned to normal
aggregateBWUseHigh Aggregate bandwidth usage of the NetScaler has
exceeded the threshold value.
aggregateBWUseNormal Aggregate bandwidth usage of the NetScaler has
returned to normal.
Note: SNMP manager to listen for traps with this community name. The default
community name is “public”.
The following table describes the parameters you set to add an SNMP trap:
Parameter Specifies
Trap Class The Trap type. Possible values: generic
and specific.
Version SNMP version of the trap PDU to be
sent.
Chapter 2 SNMP 39
Parameter Specifies
IP address of the trap destination.
Destination IP Address
Destination Port Destination port of the trap. Default:
162. Minimum value: 1
Source IP Address Source IP of the traps.
Severity Minimum severity of the alarm
resulting in this trap. Default:
Informational (any alarm).
Community Name The community string. Default: public.
To add an SNMP Trap, use either of the following procedures:
To add an SNMP Trap using the configuration utility
1. In the navigation pane, expand System, click SNMP, and click Traps.
2. On the Traps page, click Add.
3. In Version, select an SNMP Version (for example, V1).
4. In the Destination IP Address text box, type the IP address that is to
receive the trap (for example, 10.102.29.3).
5. In the Destination Port text box, type the destination port (for example,
163).
6. In the Source IP text box, type the source IP address of the trap (for
example, 10.102.29.54).
7. In Minimum Severity, select a severity option (for example, Major).
8. In the Community Name text box, type the name of the SNMP string that
you want to include in the trap (for example, com1).
9. Click Add.
To add an SNMP Trap using the NetScaler command line

add snmp trap trapClass trapDestination -version ( V1 | V2 )
-destPort port -communityName string -srcIP ip_addr -severity
severity
Example
add snmp trap specific 10.102.29.3 -version V2
-destPort 163 -communityName com1 -srcIP 10.102.29.54 -severity
Major
Removing an SNMP Trap

When you remove a trap, trap messages are no longer sent to the destination
specified.
To remove an SNMP trap, use either of the following procedures:
To remove an SNMP trap
1. In the navigation pane, expand System, click SNMP, and then click Traps.
2. On the SNMP Traps page, select the trap that you want to remove.
3. Click Remove.
Configuring SNMP Alarms

The NetScaler generates traps only for SNMP alarms that are enabled. Some
alarms are enabled by default, but you can disable them. You can assign severity
levels to alarms.
Enabling or Disabling an SNMP Alarm

When you enable a SNMP alarm, the NetScaler will generate corresponding trap
messages when some events occur. Some NetScaler alarms are enabled by
default.
To enable or disable an SNMP alarm
1. In the navigation pane, expand System, expand SNMP, and click Alarms.
2. On the SNMP Alarms page, select an alarm (for example, Login-Failure).
3. To enable a disabled alarm, click Enable, or, to disable an enabled alarm,
click Disable.
Setting the Severity of SNMP Alarms

There are 5 levels of severity for alarms: Critical, Major, Minor, Warning, and
Informational. A trap is sent only when the severity of the alarm matches the
severity configured in the trap. The following table describes the parameter you
set to configure the severity of SNMP alarm:
Parameter Specifies
Severity Severity level of this alarm. Possible
values: Critical, Major, Minor, Warning,
Informational. Default: Informational.
Chapter 2 SNMP 41
To set the severity of SNMP alarm
1. In the navigation pane, expand System, expand SNMP, and click Alarms.
2. Click Open.
3. In the Configure SNMP Alarm dialog box, in Severity, select a severity
option (for example, Major).
4. Click Ok.
Logging of SNMP Traps

The logging of trap messages is enabled by default. For alarms that need
threshold values, however, the logging state is unknown. Once thresholds are
configured, logging is automatically enabled.
If logging of an alarm has been disabled, you can enable it by setting the
parameter in the following table:
Parameter Specifies
Logging Enable logging of SNMP trap messages
by Syslog. Possible values: ENABLED
and DISABLED.
The following procedure includes examples for enabling or modifying the

logging of trap messages for the alarm LOGIN-FAILURE. When this alarm is
enabled, a trap message is generated and sent to the trap destination whenever
there is a login failure on the NetScaler. This message is logged.
To enable or disable logging of SNMP traps using configuration utility
1. In the navigation pane, expand System, expand SNMP, and then click
Alarms.
2. Click Open.
3. In the Configure SNMP Alarm dialog box, in Logging, select ENABLED
to enable the logging of SNMP trap messages generated or select
DISABLED to disable logging of SNMP trap messages.
4. Click Ok.
To enable or disable logging of SNMP traps using the NetScaler command

line

set snmp alarm AlarmType -logging Status
Example
set snmp alarm LOGIN-FAILURE -logging ENABLED
or
set snmp alarm LOGIN-FAILURE -logging DISABLED
Configuring SNMP V3
Simple Network Management Protocol Version 3 (SNMPv3) is based on the
basic structure and architecture of SNMPv1 and SNMPv2. However, SNMPv3
enhances the basic architecture to incorporate administration and security
capabilities such as authentication, access control, data integrity check, data
origin verification, message timeliness check, and data confidentiality.
Salient Features
SNMPv3 provides security features such as message-level security and access
control. To implement these features, SNMPv3 introduces the user-based security
model (USM) and the view-based access control model (VACM).
User-based Security Model

The user-based security model (USM) provides message-level security. It enables
you to configure users and security parameters at the agent and the manager to
ensure:
• Data integrity: To protect messages from being modified during
transmission through the network.
• Data origin verification: To authenticate the user who sent the message
request.
• Message timeliness: To protect against message delays or replays.
• Data confidentiality: To protect the content of messages from being
disclosed to unauthorized entities or individuals.
View-Based Access Control Model

View-based access control model (VACM) enables you to configure access rights
to a specific subtree of the MIB based on various parameters, such as security
level, security model, user name, and view type. It enables you to configure
agents to provide different levels of access to the MIB to different managers.
Chapter 2 SNMP 43
SNMPv3 Security Entities

The Citrix NetScaler supports the following entities that enable you to implement
the security features of SNMPv3:
• SNMP Engines
• SNMP Views
• SNMP Groups
• SNMP Users
SNMP Engines
SNMP engines are service providers that reside in the SNMP agent. They provide
services such as sending or receiving and authenticating messages. SNMP
engines are uniquely identified using engine IDs.
SNMP Views
SNMP views restrict user access to specific portions of the MIB. SNMP views
are used to implement access control.
SNMP Groups
SNMP groups are logical aggregations of SNMP users.They are used to
implement access control and to define the security levels. You can configure an
SNMP group to set access rights for users assigned to that group, thereby
restricting the users to specific views.
SNMP Users
SNMP users are the SNMP managers that the agents allow to access the MIBs.
Each SNMP user is assigned to an SNMP group.
These entities function together to implement the SNMPv3 security features.
Views are created to allow access to subtrees of the MIB. Then, groups are
created with the required security level and access to the defined views. Finally,
users are created and assigned to the groups.
Note: The view, group, and user configuration are synchronized and propagated
to the secondary node in an HA pair. However, the engineID is neither propagated
nor synchronized as it is unique to each NetScaler.
Configuring SNMP V3
To implement message authentication and access control, you need to:
• Set the Engine ID

• Configure Views
• Configure Groups
• Configure Users
Setting the Engine ID

An SNMP engine ID uniquely identifies an SNMP engine. The NetScaler has an
unique engineID based on the MAC address of one of its interfaces. It is not
necessary to override this engineID. However, if you want to change this engine
ID, you can reset it.
The following table describes the parameter you set to configure the Engine ID:
Parameter Specifies
EngineID Engine ID of the SNMP agent.
To set the engine ID, use either of the following procedures.
To set the engine ID using configuration utility
1. In the navigation pane, expand System, expand SNMP, and click Users.
2. On the SNMP Users page, click Configure Engine ID.
3. In the Configure Engine ID dialog box, in the Engine ID text box, type an
engine ID (for example, 8000173f0300c095f80c68).
4. Click OK.
To set the engine ID using the NetScaler command line

set snmp engineId Value
Example
set snmp engineId 8000173f0300c095f80c68
Adding an SNMP View

You can use SNMP views to implement access control.
Chapter 2 SNMP 45
The following table describes the parameters you set to add an SNMP view:
Parameter Specifies
Name Name of the SNMP view.
Subtree Subtree of the MIB.
To add an SNMP view, use either of the following procedures.
To add an SNMP view using the configuration utility
1. In the Navigation Pane, expand System, expand SNMP, and click View.
2. On the SNMP View page, click Add.
3. In the Add SNMP View dialog box, in the Name text box, type a name for
the SNMP view you want to add (for example, View1).
4. In the Subtree text box, type the subtree of the MIB.
5. Click Create.
To add an SNMP view using the NetScaler command line

add snmp view Value
Example
add snmp view View1
Adding an SNMP Group

You need to configure an SNMP group to set access rights for users assigned to
that group.
The following table describes the parameters you set to add an SNMP group:
Parameter Specifies
Name Name of the SNMP view.
Read View SNMP view to be associated with this
group.
To add a SNMP group, use either of the following procedures:

To add an SNMP group using the configuration utility
1. In the navigation pane, expand System, expand SNMP, and click Group.
2. On the SNMP Groups page, click Add.
3. In the Add SNMP Group dialog box, in the Name text box, type a name
for the SNMP group you want to add (for example, Group1).
To add an SNMP group using the NetScaler command line

add snmp group group name
Example
add snmp group Group1
Adding an SNMP User

You need to configure users at the agent, and assign each user to a group.
The following table describes the parameters you set to add an SNMP user:
Parameter Specifies
Name Name of the SNMP user.
Read View SNMP view to be associated with this
user.
To add a SNMP user, use either of the following procedures:
To add an SNMP user using the configuration utility
1. In the navigation pane, expand System, click SNMP, and then click Users.
2. On the SNMP Users page, click Add.
3. In the Add SNMP User dialog box, in the Name text box, type a name for
the SNMP user you want to add (for example, User1).
4. In Group Name, select the configured SNMP group that you want the user
to be part of.
To add an SNMP user using the NetScaler command line

Chapter 2 SNMP 47
add snmp user user name
Example
add snmp user User1
Note: The view, group, and user configurations are synchronized and
propagated to the secondary node in an HA pair. However, the engineID is neither
propagated nor synchronized, because it is unique to each NetScaler.
C HAPTER 3
Audit Server Logging
Auditing is a methodical examination or review of a condition or situation. The

Audit Server Logging feature enables you to log the Citrix NetScaler states and
status information collected by various modules in the kernel and in the user-level
daemons. The audit server collects and stores the events history in a
chronological order, so that you can review to troubleshoot problems or errors
and fix them.
When you configure audit server logging, you set up a log file to capture the
NetScaler status information in the form of messages. These messages typically
contain the following information:
• The source module that generates the message
• A time stamp
• The message type
• The predefined log levels (Critical, Error, Notice, Warning, Informational,
Debug, Alert, and Emergency)
• The message information
To enable audit server logging, you must configure the auditing parameters on the
NetScaler, set up and install the executable files on a computer from where you
want to run the audit tool, and configure the parameters in the configuration file
by defining the filters and filter parameters.The filters determine the type of
information in the log files and the location at which to store the files.
In This Chapter
Configuring the Citrix NetScaler Audit Server Log
Installing the Audit Server Files
Configuring Audit Server Logging on a Server system
Configuring Audit Server Logging for a Commonly Used Deployment Scenario
Configuring the Citrix NetScaler Audit Server Log

You can configure the log settings in the Citrix NetScaler through the NetScaler
configuration utility or the command-line interface (CLI). You can also define the
format of rewrite policy logs based on a policy.
The Citrix NetScaler log the following information related to TCP connections:
• Source port
• Destination port
• Source IP
• Destination IP
• Number of bytes transmitted and received
• Time period for which the connection is open
Note: You can enable TCP logging on individual load balancing vservers. You
must bind the audit log policy to a specific load balancing vserver that you want
to log.
To configure audit server logging, you must set the following parameters.
Parameter Specifies
Auditing Type Type of audit to perform. Possible values: SYSLOG
and NSLOG.
IP Address IP address of the auditing server. Default: 0.0.0.0.
Port Port to use to communicate. Default: 3023.
Log Levels Severity levels of messages to be logged. Possible
values: ALL, NONE, or one or more of the following:
• EMERGENCY
• ALERT
• CRITICAL
• ERROR
• WARNING
• NOTICE
• INFORMATION
• DEBUG
For more information about these settings, see
the table, “Log Levels,” on page 51.
Date Format Format of the date stamp. Possible Values:
MMDDYYYY and DDMMYYYY.
Chapter 3 Audit Server Logging 51
Parameter Specifies
Log Facility Log facility, as defined in RFC3164. Uses numerical
codes 0 to 7 to indicate the type of message originating
from the NetScaler (for example, NS and VPN).
Possible values: LOCAL0 to LOCAL7. Default:
LOCAL0.
Time Zone Time zone for the time stamp. Possible values: GMT
and Local. Default: Local.
TCP Logging Enable or disable logging of TCP events.
The following table describes the severity levels that you can set to specify when
logging is to occur.
Log Levels
Level Specifies
EMERGENCY Log errors indicating that the NetScaler is experiencing a
critical problem that may make it unusable.
ALERT Log problems that are not critical to current operations but
that indicate a need for immediate corrective action to prevent
a critical problem.
CRITICAL Log critical conditions, which do not restrict current
operations but may escalate to a larger problem.
ERROR Log messages related to failed NetScaler operations.
WARNING Log issues that may result in critical errors.
NOTICE Log the events specified by the INFORMATION setting, but
in greater detail.
INFORMATION Log all actions taken by the NetScaler. This level is useful for
troubleshooting problems.
DEBUG Log extensive, detailed information to help developers
troubleshoot problems.
Configuring Global Audit Server Parameters

The global audit server parameters provide detailed control of the information to
be logged, and you can specify the location at which the messages are stored. To
configure the parameters, use the following procedure.
To configure global auditing parameters
1. In the navigation pane, expand System, and then click the Auditing node.
2. In the details pane, under Settings, click Change global auditing settings.
3. In the Configure Auditing Parameters dialog box, in the Auditing Type

drop-down list, select NSLOG.
4. Under Server, in the IP Address and Port text boxes, type the IP of the
server for which you want to configure logging, and the port number to use,
for example, 10.102.29.1, and 3023. The default port number is 3023.
5. Under Log Levels, either select the ALL check box or select specific
log-level check boxes.
Note: Selecting NONE disables all log levels. Use this option when you
want to reset log levels.
6. In the Log Facility drop-down list, select a log facility option.

7. Select a Date Format option and a Time Zone option.
8. Click OK.
Configuring Audit Server Action and Policy

You can configure audit server actions for different servers and for different log
levels.
To configure an auditing action
1. In the navigation pane, expand System, expand Auditing, and click

Policies.
2. In the details pane, on the Servers tab, click Add.
For descriptions of the parameters in this dialog box, see the table, “Log
Levels,” on page 51.
3. In the Create Auditing Server dialog box, in the Name text box, type a
name for the auditing server, and in the Auditing Type drop-down list,
select NSLOG.
4. In the IP Address and Port text boxes, type the IP address and the port
number of the auditing server. The default port is 3023.
5. Under Log Levels, select the ALL check box or select specific log-level
check boxes.
6. In the Log Facility drop-down list, select a log facility.
7. In TCP Logging, click the NONE or ALL option.
8. Select a Date Format option and a Time Zone option for the time stamp.
To configure an audit server policy
1. In the navigation pane, expand System, expand Auditing, and then select
Policies.
2. In the details pane, on the Policies tab, click Add.
3. In the Create Auditing Policy dialog box, in the Name text box, type a
name for the policy (for example, nspol1).
4. In the Auditing Type drop-down list, select NSLOG.
5. In the Server drop-down list, select the server for which the policy applies.
6. Click Create, and click Close. The policy appears on the Policies page.
Globally Binding the Audit Policies

You must globally bind the audit log policies to enable logging of all Citrix
NetScaler System events. By defining the priority level, you can set the
evaluation order of the audit server logging. Priority 0 is the highest and is
evaluated first. The higher the priority number, the lower is the priority of
evaluation.
To globally bind the audit policy
1. In the navigation pane, expand System, expand Auditing, and then click
Policies.
2. In the details pane, on the Policies tab, click Global Bindings.
3. In the Bind/Unbind Auditing Global Policies dialog box, in the Active
column, select the check box next to the policy that you want to bind. (To
unbind a policy, clear the check box.)
4. In the Priority list box, enter or adjust the priority (for example, click the
down arrow until 0 appears).
5. Click OK.
Configuring Policy-Based Logging

With policy-based logging, audit messages are logged in a defined format when
the rule in a rewrite policy evaluates to TRUE. To do this, you must configure an
audit message action and associate it with a rewrite policy. The format of audit
messages can be defined only with advanced expressions in an audit message
action. Audit message actions can be used to log messages at various log levels
either only in syslog format or in both syslog and newnslog formats.
Creating an Audit Message Action

The following table describes the parameters used to create an audit message
action.
Parameter Specifies
Name A name for the audit message action you are creating. The
name can begin with a letter, number, or the underscore
(name) symbol, and can consist of up to 127 characters including
letters, numbers, hyphen (-), period (.) pound (#), space ( ),
at sign (@), equal sign (=), colon (:), and underscore (_)
symbols. (Names cannot be changed for existing audit
message action.)
Log Level The log level for the message action. Possible values:
EMERGENCY, ALERT, CRITICAL, ERROR, WARNING,
(logLevel) NOTICE, INFORMATIONAL, DEBUG, and NONE
Log Message The advanced expression that defines the format of the log
message. For a complete description of NetScaler advanced
(stringBuilderExpr) expressions, see the Citrix NetScaler Policy Configuration
and Reference Guide.
Bypass Safety Check Whether to bypass the safety check and allow unsafe
expressions.
(bypassSafetyCheck )
Log in newnslog Whether the messages to be logged in newnslog format in

addition to being logged in syslog format. By default, log
(logtoNewnslog) messages are written only in the syslog format.
To create an audit message action by using the configuration utility
1. In the navigation pane, expand System, expand Auditing, and then click
Message Actions.
2. In the details pane, click Add.
3. In the Create Audit Message Action dialog box, in the Name text box,
type a name (for example, logmsg1).
4. Under Log Level, select a log level option (for example, NOTICE).
5. Under Log Message, create an advanced expression (for example, '"Client
"+CLIENT.IP.SRC+" requested URL"+HTTP.REQ.URL").
6. To bypass the safety check and allow unsafe expressions, select the Bypass
Safety Check check box. By default, safety checks are not performed.
7. To enable logging messages in the newnslog format, select the Log in
newnslog check box. By default, messages are not logged in newnslog.
To create an audit message action by using the NetScaler command line

add audit messageaction name logLevel stringBuilderExpr

-logtoNewnslog ( YES | NO ) -bypassSafetyCheck ( YES | NO )
Example
add audit messageaction logmsg1 NOTICE '"Client "+CLIENT.IP.SRC+"
requested URL "+HTTP.REQ.URL" -logtoNewnslog YES -bypassSafetyCheck
YES
Binding Audit Message Action to Rewrite Policy

After you have created an audit message action, you need to bind it to a rewrite
policy. For more information about binding log message actions to a rewrite
policy, see the "Rewrite" chapter in the Citrix NetScaler Application Security
Guide.
Installing the Audit Server Files

This section describes the steps to install the audit server logging executable files
on various operating systems.
Copy the installation files from the product CD or download them from the site
ftp.netscaler.com. Run the installations from the root user account.
The following table lists the minimum system requirements for configuring
external audit server logging for Windows, Linux, and FreeBSD:
Operating System Software Requirements

Windows • Windows XP Professional - Version 2002
• Windows 2003 server
• Windows 2000/NT
Linux • Red Hat Enterprise Linux AS release 4 (Nahant) - Linux
version 2.6.9-5.EL
• Red Hat 3.4.3-9.EL4 - Linux version 2.6.9-5.ELsmp
• Red Hat Linux 3.2.2-5 - Linux version 2.4.20-8
FreeBSD FreeBSD 4.9
Hardware Requirements
For Windows / Linux / • Processor - Intel x86 ~501MHz
FreeBSD • RAM - 512 MB
• Controller - SCSI
Installing Audit Server Files on the Linux

Operating System
The following section describes the procedure to install the audit server
executable and other files on a system that runs Red Hat Linux.
To install on a Linux operating system
1. At a command prompt, type the following command to copy the

NSauditserver.rpm file to a temporary directory:
cp <path_to_cd>/Utilities/auditserver/Linux/NSauditserver.rpm
/tmp
2. Type the following command to install the NSauditserver.rpm file:

rpm -i NSauditserver.rpm
This command extracts the files and installs them in:

• /usr/local/netscaler/etc
• /usr/local/netscaler/bin
• /usr/local/netscaler/samples
Uninstalling Audit Server Files on the Linux

Operating System
This section describes the procedure to uninstall audit server logging on a server
that runs on the Linux operating system.
To uninstall audit server logging
At a command prompt, type the following command to uninstall the audit server
logging feature:
rpm -e NSauditserver
For more information about the NSauditserver RPM file, use the following
command:
rpm -qpi *.rpm
To view the installed audit server files use the following command:
rpm -qpl *.rpm
*.rpm: Specifies the file name.

Installing Audit Server Files on the FreeBSD

Operating System
This section describes the procedure to install the audit server executable and
other files on the FreeBSD 4.4 operating system.
To install on a FreeBSD operating system
1. Copy the NSauditserver.tgz file to a <target directory> using the

command:
cp <path_to_cd>/Utilities/auditserver/Freebsd/
NSauditserver.tgz /<target directory>
<path_to_cd>: Specifies the system path to the CD drive where the CD

device is mounted.
<target directory>: Specifies the path to the directory to which the
file should be copied.
2. Change to the <target directory>:
cd /<target directory>
3. Use the following command to install the package:

pkg_add NSauditserver.tgz
This command extracts the files and installs them in:

4. At a command prompt, type the following command to check whether the
package is installed:
pkg_info | grep NSauditserver
Uninstalling Audit Server Files on the FreeBSD

Operating System
that runs on the FreeBSD operating system.
At a command prompt, type the following command to uninstall the audit server
logging package:
pkg_delete NSauditserver
Installing Audit Server Files on the Windows

Operating System
This section describes the procedure to install the audit server executable and
other files on the Windows operating system.
To install on a Windows operating system
1. Extract the audserver.exe file from the NSauditserver.zip

compressed file into a temporary directory. When the files are extracted, the
following directories are created:
• \NS\BIN
• \NS\ETC
• \NS\SAMPLES
2. To install audit server logging as a service, run the following command
from \NS\BIN directory:
audserver -install -f <directorypath> \auditlog.conf
<directorypath>: Specifies the path where the auditlog.conf

file is available.
Uninstalling Audit Server Files on the Windows

Operating System
that runs on the Windows operating system.
1. At a command prompt, change to the following directory:

cd \NS\BIN
2. Type the following command to uninstall the audit server logging feature:
audserver -remove
Note: To uninstall the audit server logging application, uninstall the

auditserver service and remove the directory.
Audit Server Options

The following table describes the options you can use with the audserver
command to configure audit server options:
Audit Server Options
Audit Server Commands Specifies
audserver -help Lists all the available Audit Server options
audserver -addns -f Specifies the system that gathers the log transaction
<path to configuration data.
file>
On execution of the command, you are prompted to
enter the IP address of the system.
Enter the Userid and Password of the system.
Note: Userid and password must be valid.
audserver -verify -f Checks for syntax or semantic errors in the
<path to configuration configuration file, for example, auditlog.conf file.
file>
audserver -start -f Starts audit server logging based on the configuration
<path to configuration settings in the configuration file, for example,
file> auditlog.conf file.
Linux only:
To start the audit server as a background process, type
& at the end of the command.
audserver -stop Linux only:
Stops audit server logging when audit server is started
as a background process. Alternatively, use the Ctrl+C
key to stop audit server logging.
audserver -install -f Windows Only:
<path to configuration
Installs the audit server logging client as a service on
file>
Windows.
audserver -startservice Windows Only
Starts the audit server logging service, when you enter
this command at a command prompt.
You can also start audit server logging from Start >
Control Panel > Services option.
Note: Audit server logging starts by using the
configuration settings in the configuration file, for
example, auditlog.conf file specified in the audit server
install option.
audserver -stopservice Windows Only
audserver -remove Removes the audit server logging service from the
registry.
Run the audserver command from the directory in which the audit server
executable is present:
• On Windows: \ns\bin
• On Solaris and Linux: \usr\local\netscaler\bin
The audit server configuration files are present in the following directories:
• On Windows: \ns\etc
• On Linux: \usr\local\netscaler\etc
The audit server executable is started as ./auditserver in Linux and FreeBSD.
Configuring Audit Server Logging on a Server system

Use the following process to configure audit server logging on the server
computer, which can be running Windows, Linux, or FreeBSD.
1. Install audit server logging as described in “Installing the Audit Server
Files,” on page 55.
2. Using a text editor, make the following changes in the auditlog.conf file:
A. Add the IP address of the audit server in the MYIP field.
B. Define the log filters and log properties.
C. Add the IP address of the Citrix NetScaler System.
D. Verify the configuration.
3. Start audit server logging.
Note: You can configure the NetScaler to log integrated cache transactions
using the audit server logging feature.
Defining Filters
Define filters in the configuration file (for example, auditlog.conf) to
configure each Citrix NetScaler to log web transactions handled by the logging
server.
Define log properties for each filter. The filter applies these log properties to the
transactions that match the filter definition.
Note: A transaction is not recorded if a filter definition does not exist for a log
transaction.
Defining Default Filters

To define the default filter, you can either use the filter in the sample
configuration auditlog.conf file or modify it.
Note: For consolidated logging, if a log transaction occurs for which there is no
filter definition, the default filter is used (if it is enabled.) The only way you can
configure consolidated logging of all the Citrix NetScaler Systems is by defining
the default filter.
Creating Filters
To create a filter, type the following command in the auditlog.conf file:
filter <filterName> [IP <ip>] [NETMASK <mask>] [ON | OFF]
<filterName>, specify the name of the filter. (maximum of 64 alphanumeric

characters)
<ip>, specify the IP addresses
<mask>, specify the subnet mask to be used on a subnet.
Specify ON to enable the filter to log transactions, or specify OFF to disable the
filter. If no argument is specified, the filter is ON.
Examples
filter F1 IP 192.168.100.151 ON
To apply the filter F2 to IP addresses 192.250.100.1 to 192.250.100.254:

filter F2 IP 192.250.100.0 NETMASK 255.255.255.0 ON
Note: filterName is a required parameter if you are defining a filter with

other optional parameters such as IP address, or the combination of IP address
and Netmask.
Defining Log Properties

Log properties associated with the filter are applied to all the log entries present
in the filter. The log property definition starts with the key word BEGIN and ends
with END as illustrated in the following example:
BEGIN <filtername>
logFilenameFormat ...
logDirectory ...
logInterval ...
logFileSize ....
END
Entries in the definition can include the following:

• LogInterval specifies the interval at which new log files are created.
Use one of the following values:
• Hourly - every hour
• Daily - every day at midnight
• Weekly - every Sunday at midnight
• Monthly- the first day of the month at midnight
• None - only once, when audit server logging starts.
• Size - only when the log file size limit is reached.
By default the LogInterval property is set to Hourly.
Example:
LogInterval Hourly
• LogFileSizeLimit specifies the maximum size (in MB) of the log file.
A new file is created when the limit is reached.
Note that you can override the loginterval property by assigning
size as its value.
The default LogFileSizeLimit is 10 MB.
Example:
LogFileSizeLimit 35
• LogFilenameFormat specifies the file name format of the log file. The
name of the file can be of the following types:
• Static: A constant string that specifies the absolute path and the file
name.
• Dynamic: An expression that includes the following format

specifiers:
• Date (%{format}t)
• % creates filename with NSIP
Note: For more information, see “Checklist for Configuring Audit Server
Logging,” on page 66.
Example:
LogFileNameFormat Ex%{%m%d%y}t.log
This creates the first file name as Exmmddyy.log. New files are named:
Exmmddyy.log.0, Exmmddyy.log.1, and so on. In the following
example, the new files are crated when the file size reaches 100MB.
Example:
LogInterval size
LogFileSize 100
LogFileNameFormat Ex%{%m%d%y}t
Caution: The date format %t specified in the LogFilenameFormat

parameter overrides the log interval property for that filter. To prevent a
new file being created every day instead of when the specified log file size
is reached, do not use %t in the LogFilenameFormat parameter.
• logDirectory specifies the directory name format of the log file. The
name of the file can be either of the following:
• Static: Is a constant string that specifies the absolute path and
filename.
• Dynamic: Is an expression containing the following format
specifiers:
• % creates directory with NSIP
The directory separator depends on the operating system. In Windows, use
the directory separator \.
Example:
LogDirectory dir1\dir2\dir3
In the other operating systems (Linux, FreeBsd, Mac, etc.), use the
directory separator /.
Example:
LogDirectory dir1/dir2/dir3
Note: For more information, see “Checklist for Configuring Audit Server
Logging,” on page 66.
Default Settings for the Log Properties

The following is an example of the default filter with default settings for the log
properties:
begin default
logInterval Hourly
logFileSizeLimit 10
logFilenameFormat auditlog%{%y%m%d}t.log
end default
Following are two examples of defining the default filters:

Example 1:
Filter f1 IP 192.168.10.1
This creates a log file for NSIP 192.168.10.1 with the default values of the
log in effect.
Example 2:
Filter f1 IP 192.168.10.1
begin f1
logFilenameFormat logfiles.log
end f1
This creates a log file for NSIP 192.168.10.1. Since the log file name format
is specified, the default values of the other log properties are in effect.
Adding the IP Addresses of the System

In the configuration file, add the IP addresses of the system that performs the
audit server logging and the Citrix NetScaler Systems whose events must be
logged.
To add the IP addresses
1. At a command prompt, type the following command:

audserver -addns -f <directorypath>\auditlog.conf
<directorypath> specifies the path to the configuration file (for

example auditlog.conf.)
You are prompted to enter the information for the following parameters:
NSIP specifies the IP address of the Citrix NetScaler System, for example,
10.102.29.1.
Userid specifies the username, for example, nsroot
Password specifies the password, for example, nsroot.
If you add multiple NetScaler IP addresses (NSIP), and later you do not want to
log all of Citrix NetScaler System event details, you can delete the NSIPs
manually by removing the NSIP statement at the end of the auditlog.conf file. For
an HA setup, you must add both primary and secondary Citrix Netscaler IPs to
auditlog.conf using the audserver command. Before adding the IP address,
make sure the username and password exist on the system.
Verifying Configuration
Check the configuration file (auditlog.conf) for syntax correctness to enable
logging to start and function correctly.
To verify configuration, at a command prompt, type the following command:
audserver -verify -f <directorypath>\auditlog.conf
<directorypath> specifies the path where the configuration file

(auditlog.conf)resides.
Starting Audit Server Logging

To start audit server logging, enter the following command at a command prompt:
audserver -start -f directorypath\auditlog.conf
<directorypath>: Specifies the path to the configuration file

(auditlog.conf.)
Stopping Audit Server Logging

To stop audit server logging that starts as a background process in FreeBSD or
Linux, use the following command:
audserver -stop
To stop audit server logging that starts as a service in Windows, use the following
command:
audserver -stopservice
Sample Configuration File

Following is a sample configuration file:
##############################
# This is the Auditserver configuration file
# Only the default filter is active
# Remove leading # to activate other filters
##############################
MYIP <NSAuditserverIP>
MYPORT 3023
# Filter filter_nsip IP <Specify the NetScaler IP address to
filter on > ON
# begin filter_nsip
# logInterval Hourly
# logFileSizeLimit 10
# logDirectory logdir\%A\
# logFilenameFormat nsip%{%d%m%Y}t.log
# end filter_nsip
Filter default
begin default
logInterval Hourly
logFileSizeLimit 10
end default
Checklist for Configuring Audit Server Logging

Use the following checklist when you configure audit server logging, and to
troubleshoot problems:
1. Verify that the Citrix NetScaler System username and password are valid.
2. If there is a firewall between the NetScaler and logging machine, make sure
the RPC 3010/3011 port is open.
3. Verify that the Citrix NetScaler is accessible from the log machine by doing
the following:
• Ping the Citrix NetScaler IP address.
• Use FTP and Telnet to access the NetScaler.
4. Verify that the IP address of the system is present in the configuration file
(auditlog.conf).
5. Verify that the Audit Server IP address is entered in the MYIP field in the
auditlog.conf file.
Configuring Audit Server Logging for a Commonly Used

Deployment Scenario
This section describes how to configure the audit server logging feature for a
commonly used deployment scenario, which lets you log all NOTICE events of
Citrix NetScaler System. The procedures describe how to create an action and a
policy, and how to bind the policy globally. The following diagram illustrates a
typical deployment topology for audit server logging:
Audit Server Logging Topology

The following table lists the parameters that need to be set on Citrix NetScaler
System to configure audit server logging. The table includes sample values.
Parameters for Audit Server Logging Configuration
Parameter Value
Name audit1
Auditing Type NSLOG
IP Address 10.102.1.1
Port 3024
Log Level NOTICE
TCP Logging ALL
Date Format DDMMYYYY
Log Facility LOCAL0
Time Zone Local
To create an audit server action

Policies.
2. On the Auditing page, select the Servers tab and click Add.
3. In the Create Auditing Server dialog box, in the Name text box, type
audit1, and in the Auditing Type drop-down list, select NSLOG.
4. In the IP Address text box, type 10.102.1.1, and in the Port text box, type
3024.
5. Under Log Levels, select the NOTICE check box, and select the
DDMMYYYY Date format option.
6. In the Log Facility drop-down list, select LOCAL0, in TCP Logging,
select the ALL option, and in Time Zone, select the Local option.
The following procedure explains how to create a policy for the audit server
action audit1.
To configure audit server policy

Policies.
2. On the Policies page, click Add.
3. In the Create Auditing Policy dialog box, in the Name text box, type a
name for the policy (for example, auditpol1).
4. In the Auditing Type drop-down list, select NSLOG, in the Server
drop-down list, select audit1.
5. Click Create, and click Close. The policy appears on the Policies page.
In the following procedure, you globally bind the audit log policy auditpol1 and
set the priority to 0.
To globally bind the audit log policy

Policies.
2. On the Policies page, on the Policies tab, and click Global Bindings.
3. In the Bind/Unbind Auditing Global Policies dialog box, in the Active
column, select the check box next to auditpol1, and in the Priority list box,
set the priority as 1.
4. Click OK.
To install and configure the audit server tool on a Windows Server
1. Extract the files from NSauditserver.zip. The following directories are

created:
• \NS\BIN
• \NS\ETC
• \NS\SAMPLES
Note: The BIN directory contains the executable audserver.exe and the
ETC directory contains the auditlog.conf file.
2. Check the version of the audit server executable using the following
command at a command prompt:
audserver -version
The output appears in the following format:

Version: Netscaler Auditing Server (audserver)
NS<Release_version>:<Build_Version>, Date: <Date>,
<Time>(release) [Windows NT/2000]
3. Type the following command at a command prompt:

audserver -addns -f ../etc/auditlog.conf
The system prompts for inputs for the following parameters:

NSIP
Userid
Password
4. Enter the following values:

NSIP: 10.102.10.1
Userid: nsroot
Password: nsroot
5. Edit the auditlog.conf file located at \NS\ETC by changing the values for
the following parameters as shown:
MYIP 10.102.1.1
MYPORT 3024
Filter default
begin default
logInterval Hourly
logFileSizeLimit 10
end default
6. Verify the configuration using the following command at a command

prompt:
audserver -verify -f ../etc/auditlog.conf
A debug file is created and the following output appears:

Debug log file is ./nsaudit.log-<ddmmyyhhmm> & Log level is 1
Configuration file is correct
7. Start audit server by typing the following command at a command prompt:

audserver -start -f …/etc/auditlog.conf
The following output appears:

Debug log file is ./nsaudit.log-<ddmmyyhhmm> & Log level is 1
Configuration file is correct
Logging starts and the information is logged in the

auditlog%{%y%m%d}t.log file in the \NS\BIN directory.
8. To stop audit server, at the command prompt, press Ctrl+C. The following
output appears:
NSAUDIT:quitting on 2 signal!
C HAPTER 4
Web Server Logging
Web server logging is the process of maintaining a history of page requests that
originate from Citrix NetScaler System.
In This Chapter
How Web Server Logging Works
Configuring Web Server Logging Parameters
System Requirements for Web Server Logging
Installing the NSWL files on the Logging System
Configuring Web Server Logging on the Logging System
Checklist for Configuring Web Server Logging
How Web Server Logging Works

With the Web server logging feature enabled, the NetScaler collects log
transaction data from the servers and stores it in the system buffer. The default
size of the buffer is 16 MB.
Note: For more information about modifying the buffer size, see “Modifying
the Default Buffer Size,” on page 72 in this chapter.
You must configure filters to allow logging based on a domain name or a server
IP address. If the server uses the load balancing, content switching, or cache
redirection feature of the system, you can also configure web server logging to
log transactions based on the virtual IP address.
The system can store log file data in the following three formats:
• W3C Extended log file format
• NCSA Common log file standard format
• Custom log format
The log format that you can use depends on the requirements to troubleshoot a
problem. Custom log formats let you define only those parameters to log that you
specify.
Configuring Web Server Logging Parameters

You can set parameters to enable web server logging and to modify the size of the
buffer that stores the logged information. You can display these settings at any
time.
Enabling or Disabling Web Server Logging

Use either of the following procedures to enable or disable web server logging.
To enable or disable web server logging using Configuration Utility
1. In the navigation pane, expand System, and click Settings.

2. In the Settings page, click advanced features.
3. In the Configure Advanced Features dialog box, to enable Web server
logging, select the Web Logging check box. To disable Web server
logging, clear the check box.
4. Click OK.
5. In the Enable/Disable Feature(s) dialog box, click Yes.
To enable or disable web server logging using NetScaler command line
enable ns feature WL
or
disable ns feature WL
Modifying the Default Buffer Size

You can change the default buffer size of 16MB for Web server logging to suit
your requirements. To activate your modification, you must disable and reenable
Web server logging. The following table describes the parameter you set.
Parameter for Modifying Buffer Size
Parameter Specifies
Buffer Size Buffer size (in megabytes) allocated for
log transaction data in the appliance.
Chapter 4 Web Server Logging 73
To configure the buffer size using Configuration Utitlity
1. In the navigation pane, expand System, and click Settings.

2. On the Settings, under Settings, click Change global system settings.
3. In the Configure Global Settings dialog box, in the Web Logging section,
enter a value in the Buffer_Size (in MBytes) text box (for example, 32).
4. Click OK.
To configure the buffer size using the NetScaler command line

set weblogparam -b Size
Example
set weblogparam -b 32
Note: To activate the new buffer size, you must disable and reenable web server
logging, as described in “Enabling or Disabling Web Server Logging,” on page
72.
Displaying Web Server Logging Information

To see whether web server logging is enabled or disabled using the
configuration utility
In the navigation pane, expand System and click Settings. On the Settings page,
under Modes and Settings, click Change advanced features. In Configure
Advanced Features dialog box, check to see whether the Web Logging check
box is selected.
To see whether web server logging is enabled or disabled using the

NetScaler command line

show ns info
To display the buffer size for log transactions using the Configuration Utility
In the navigation pane, expand System and click Settings. On the Settings page,
under Settings, click Change global system settings. In Configure Global
Settings dialog box, under Web Logging, the Buffer_Size (in MBytes) text box
displays the buffer size.
To display the buffer size for log transactions using the NetScaler command
line

show weblogparam
System Requirements for Web Server Logging

The default web server log buffer size of 16 MB can handle up to 10,000
transactions per second on the logging system that meets the requirements shown
in the following table:
Hardware and Software Requirements for Web Server Logging
Operating System Software Requirements
Windows • Windows XP Professional - Version 2002
• Windows 2003 server
• Windows 2000/NT
MAC RELEASE_PPC Power Macintosh powerpc - Darwin
Kernel Version 8.6.0
Linux • Red Hat Enterprise Linux AS release 4 (Nahant) - Linux
version 2.6.9-5.EL
• Red Hat 3.4.3-9.EL4 - Linux version 2.6.9-5.ELsmp
• Red Hat Linux 3.2.2-5 - Linux version 2.4.20-8
Solaris Sun Microsystems 5.9 - sun4u Sun Ultra 5/10 UPA/PCI
FreeBSD FreeBSD 4.9
Hardware Requirements
For Windows / Linux / • Processor - Intel x86 ~501MHz
FreeBSD • RAM - 512 MB
For Solaris 2.6 • Processor - UltraSPARC-IIi 400 MHz
• RAM - 512 MB
If the logging system cannot process the log transaction because a CPU
limitation, the Web log buffer overruns and the logging process reinitiates.
Caution: Reinitiation of logging can result in loss of log transactions.
To temporarily solve a logger client bottleneck caused by a CPU limitation, you

can tune the Web server logging buffer size. To solve the problem, you need a
logger client that can handle the site’s throughput.
Installing the NSWL files on the Logging System

This section describes the steps to install the NetScaler Web Server Logging
executable files (NSWL) on various operating systems (logging systems).
Copy the installation files from the product CD or download them from
ftp.netscaler.com. Run the installations from a root user account. In the
procedures described in the following subsections, <path_to_cd> defines the
system path to the drive where the CD device is mounted.
Installing NSWL on a Solaris Operating System

Use the following procedure to install the nswl executable and other files on a
computer running the Solaris operating system.
To install NSWL on a Solaris operating system
1. Copy the NSweblog.tar file into a temporary directory using the

command:
cp <path_to_cd>/Utilities/weblog/Solaris/NSweblog.tar /tmp
2. Change to the temporary directory:

cd /tmp
3. Extract the files from the *.tar file with the following command:
tar xvf NSweblog.tar
A directory NSweblog is created in the temporary directory, and the files

are extracted to the NSweblog directory.
4. Install the package with the following command:
pkgadd -d .
The list of available packages appears. In the following example, one

NSweblog package is shown:
1 NSweblog NetScaler Weblogging
(SunOS,sparc) 7.0
5. You are prompted to select the packages. Select the package number of the
NSweblog to be installed.
After you select the package number and press Enter, the files are extracted
and installed in the following directories. (The dot indicates the current
directory.)
6. To verify that the package is installed, enter the following command:
pkginfo | grep NSweblog
Note: To uninstall web server logging, use the command: pkgrm NSweblog
Installing NSWL on a Linux Operating System

Use the following procedure to install the nswl executable and the other files on
a computer running the Red Hat™ Linux® operating system.
To install NSWL on a Linux operating system
1. Copy the NSweblog.rpm file into a temporary directory:

cp <path_to_cd>/Utilities/weblog/Linux/NSweblog.rpm /tmp
2. To install the nswl executable, use the following command:

rpm -i NSweblog.rpm
This command extracts the files and installs them in the following
directories. (The dot indicates the current directory.)
• /usr/local/netscaler/samples.
To uninstall web server logging, use the following command.
rpm -e NSweblog
To get more information on the NSweblog RPM file, use the following command.
rpm -qpi *.rpm.
To view the installed web server logging files, use the following command (*.rpm
is the file name).
rpm -qpl *.rpm
Installing NSWL on a FreeBSD Operating System

a computer running the FreeBSD 4.4 operating system.
To install NSWL on a FreeBSD operating system
1. At a command prompt, copy the NSweblog.tgz file into a temporary

directory:
cp <path_to_cd>/Utilities/weblog/Freebsd/NSweblog.tgz /tmp

cd /tmp
3. Install the package using the following command:

pkg_add NSweblog.tgz
4. To verify that the package is installed, use the following command:
pkg_info | grep NSweblog
Note: To uninstall the web server logging package, enter the command:
pkg_delete NSweblog
Installing NSWL on a MAC Operating System

a computer running the MAC operating system.
To install NSWL on a MAC operating system
1. At a command prompt, copy the NSweblog.tgz file into a temporary

directory with the following command:
cp <path_to_cd>/Utilities/weblog/macos/NSweblog.tgz /tmp

cd /tmp
3. To install the package, use the pkg_add command:

pkg_add NSweblog.tgz
4. To verify that the package is installed, use the following command:
pkg_info | grep NSweblog
Note: To uninstall the web server logging package, enter the command
pkg_delete NSweblog
Installing NSWL on a Windows Operating System

a computer running the Windows operating system.
To install NSWL on a Windows operating system
1. Copy the NSweblog.exe file (winzip executable) into a temporary directory.

2. The extracted files are installed in the following directories. (The dot
indicates the current directory.)
• \NS\BIN
• \NS\ETC
• \NS\SAMPLES
3. To install web server logging as a service, at a command prompt, run the
following command from the \NS\BIN path:
nswl -install -f <directorypath> \log.conf
<directorypath> specifies the path where the log.conf file is available.

4. To uninstall the web server logging, run the following command from the
\NS\BIN folder:
nswl -remove
Note: To uninstall the web server logging, run the nswl -remove command
from the \NS\BIN folder:
Installing NSWL on an AIX Operating System

a computer running the AIX operating system.
To install NSWL on an AIX operating system
1. Copy the NSweblog.rpm file into a temporary directory:

cp <path_to_cd>/Utilities/weblog/AIX/NSweblog.rpm /tmp
2. To install the nswl executable, use the following command:

rpm -i NSweblog.rpm
• /usr/local/netscaler/samples.
To uninstall web server logging, use the following command.
rpm -e NSweblog
To get more information on the NSweblog RPM file, use the following command.
rpm -qpi *.rpm.
To view the installed web server logging files, use the following command (*.rpm
is the file name).
rpm -qpl *.rpm
NSWL Options
The following table describes the options that you can use with the nswl
executable.
nswl Command Specifies

nswl -help Display all available nswl options
nswl -addns -f <path to The system that gathers the log transaction data.
configuration file>
You are prompted to enter the IP address of the system.
Enter a valid username and password.
nswl -verify -f <path to Check for syntax or semantic errors in the configuration file
configuration file> (for example, log.conf).
nswl Command Specifies

nswl -start -f <path to Start web server logging based on the settings in the
configuration file> configuration file (for example, log.conf).
For Solaris and Linux: To start web server logging as a
background process, use and at the end of the command.
nswl -stop Solaris and Linux only
Stop web server logging, if nswl was started as a
background process; otherwise, use CTRL+C to stop web
server logging.
nswl -install -f <path to Installs the web server logging client as a service in
configuration file> Windows.
(Windows only)
nswl -startservice Start web server logging , using the settings in the
(Windows only) configuration file (for example, log.conf) specified in the
nswl install option.
Web server logging can also be started from Start > Control
Panel > Services.
nswl -stopservice Stop Web server logging.
(Windows only)
nswl -remove Remove the web server logging service from the registry.
Run the following commands from the directory in which the nswl executable is
located:
• Windows: \ns\bin
• Solaris and Linux: \usr\local\netscaler\bin
The web server logging configuration files are located in the following directory
path:
• Windows: \ns\etc
• Solaris and Linux: \usr\local\netscaler\etc
The nswl executable is started as .\nswl in Linux and Solaris.
Configuring Web Server Logging on the Logging System

Following are the steps to configure web server logging:
1. Install web server logging.
2. Modify the web server log configuration file, log.conf.
3. Define log properties
4. Add the IP addresses of the Citrix NetScaler System to the log.conf file.
5. Verify the configuration.
6. Start web server logging
Note: You can configure the Citrix NetScaler System to log integrated cache
transactions, using the web server logging feature.
Modifying the Web Server Log Configuration

File
To modify the web server logging settings, use a text editor to modify the log.conf
configuration file.
Defining Filters
Log filters let you filter the host IP address, domain name, and hostname of the
Web servers. You must do the following to define filters:
• Define filters in the configuration file (log.conf) for each server whose
web transactions are logged.
• Define log properties for each filter. The filter applies these log properties
to transactions that match the filter.
Note: If a filter does not exist for a log transaction, the transaction is not
recorded unless the default filter is defined.
Defining Default Filters

You can use the default filter definition present in the sample configuration file,
log.conf, or you can modify it.
Note: Consolidated logging, which logs transactions for which no filter is

defined, uses the default filter if it is enabled. Consolidated logging of all servers
can be done by defining only the default filter.
Creating Filters
To create a filter, enter the following command in the log.conf file:
Filter <filterName> [HOST name] | [IP ip] | [IP ip 2...ip n] | [IP
ip NETMASK mask] [ON | OFF]
or
Filter <filterName> [HOST name] | [IP6 ip[/prefix length]] [ON |
OFF]
The following table lists the parameters that can be set using the filter command:
Parameter Specifies
filterName Name of the filter (maximum 64 alphanumeric characters.)
HOST name Host name of the server for which the transactions are being
logged.
IP ip IP address of the server for which transactions are to be
logged (for example, if the server has multiple domains that
have one IP address.)
IP ip 2...ip n: Multiple IP addresses (for example, if the server domain has
multiple IP addresses.)
ip6 ip IPv6 address of the server for which transactions are to be
logged.
IP ip NETMASK mask IP addresses and netmask combination to be used on a subnet.
ON | OFF Enable or disable the filter to log transactions. If no argument
is selected, the filter is enabled (ON).
Example
In the following example, you specify an IP address of 192.168.100.0 and

netmask of 255.255.255.0. The filter applies to IP addresses 192.168.100.1
through 192.168.100.254.
Filter F1 HOST www.netscaler.com ON
Filter F2 HOST www.netscaler.com IP 192.168.100.151 ON
Filter F3 HOST www.netscaler.com IP 192.168.100.151 192.165.100.152
ON
Filter F4 IP 192.168.100.151
Filter F5 IP 192.168.100.151 HOST www.netscaler.com OFF
Filter F6 HOST www.netscaler.com HOST www.xyz.com HOST
www.abcxyz.com IP 192.168.100.200 ON
Filter F7 IP 192.250.100.0 NETMASK 255.255.255.0
Filter F8 HOST www.xyz.com IP 192.250.100.0 NETMASK 255.255.255.0
OFF
For creating filters for servers having IPv6 addresses.

Filter F9 2002::8/112 ON
Filter F10 HOST www.abcd.com IP6 2002::8 ON
Defining Filters for Virtual Servers

If the server hosts multiple Web sites and each Web site has its own domain name,
and each domain is associated with a virtual server, you can configure Web server
logging to create a separate log directory for each Web site.
To define a filter for a virtual server, use the following command:
Filter <filterName> <IP>
<filterName>: Specifies the name of the filter

<IP>: Specifies the IP address of the virtual server
Defining Log Properties

Log properties associated with the filter are applied to all log entries associated
with the filter.
Log property definition begins with the keyword BEGIN and ends with END.
Example
BEGIN <filtername>
logFormat ...
logFilenameFormat ...
logInterval ...
logFileSize ....
logExclude ....
END
LogFormat specifies the web server logging feature that supports NCSA, W3C
Extended, and custom log file formats. For more information, see “Log File
Formats,” on page 90 in this chapter.
By default, the logformat property is w3c. To override, enter custom or
NCSA in the configuration file, for example:
LogFormat NCSA
Note: For the NCSA and Custom log formats, local time is used to time stamp
transactions and for file rotation.
LogInterval specifies the intervals at which log files are created. The default
property is Daily. If the LogInterval value is specified as:
• Hourly: A file is created every hour
• Daily: A file is created every day at midnight
• Weekly: A file is created every Sunday at midnight

• Monthly: A file is created on the first day of the month at midnight
• None: A file is created only once, when web server logging starts
Example
LogInterval Hourly
LogFileSizeLimit specifies the maximum size of the log file in MB. It can
be used with any log interval (weekly, monthly, and so on.) A file is created when
the maximum file size limit is reached or when the defined log interval time
elapses.
To override this behavior, specify the size as the loginterval property so that a file
is created only when the log file size limit is reached.
The default LogFileSizeLimit is 10 MB.
Example
LogFileSizeLimit 35
LogFilenameFormat specifies the file name format of the log file. The name
of the file can be of the following types:
• Static: Specifies a constant string that contains the absolute path and file
name.
• Dynamic: Specifies an expression containing the following format:
• Server IP address (%A)
• URL suffix (%x)
• Host name (%v)
Note: For more information, see “Log File Formats,” on page 90 in this chapter.
Example
LogFileNameFormat Ex%{%m%d%y}t.log
This command creates the first file name as Exmmddyy.log, then every hour
creates a file with file name: Exmmddyy.log.0, Exmmddyy.log.1,...,
Exmmddyy.log.n.
Example
LogInterval size
LogFileSize 100
LogFileNameFormat Ex%{%m%d%y}t
Caution: The date format %t specified in the LogFilenameFormat

command overrides the log interval property for that filter. To prevent a new file
being created every day instead of when the specified log file size is reached, do
not use %t in the LogFilenameFormat.
LogExclude prevents logging of transactions with the specified file extensions.
Example
LogExclude .html
This command creates a log file that excludes log transactions for *.html files.
LogTime specifies log time as either GMT or LOCAL.
The defaults are:
• NCSA log file format: LOCAL
• W3C log file format: GMT.
Default Settings for the Log Properties

The following default settings apply to the filter:
• LogFormat: W3C Extended
• LogInterval: Daily
• LogFileSize: 10
• LogFileNameFormat: Ex%{%m%d%y}t
• LogTime (logTime): GMT
Example 1
Filter f1 IP 192.168.10.1
This creates a log file for server 192.168.10.1
Example 2
Filter f1 IP 192.168.10.1
begin f1
logFilenameFormat c:\logfiles.log
end f1
This command creates a log file for server 192.168.10.1. Only the log file name
format is specified, and the rest of the default values for the log properties remain
same.
Adding the IP Addresses of the NetScaler

In the configuration file, add the IP addresses of the NetScaler that performs web
server logging.
To add the IP addresses
1. At a command prompt, enter the following command:

nswl -addns -f <directorypath>\log.conf

(log.conf).
2. The following information appears:
NSIP:
Username:
Password:
Enter the following:

• NSIP: Specify the IP address of the system
• Username: Specify the username to log on
• Password: Specify the password
If you add multiple NetScaler IP addresses (NSIP), and later you do not want to
log all of Citrix NetScaler System log details, you can delete the NSIPs manually
by removing the NSIP statement at the end of the log.conf file. During a failover
setup, you must add both primary and secondary Netscaler IPs to log.conf
using the command. Before adding the IP address, make sure the username and
password exist on the system.
Verifying the Configuration

Check the configuration file (log.conf) for syntax errors to make sure that
logging works correctly.
To verify the configuration, enter the following command:
nswl -verify -f <directorypath>\log.conf

(log.conf).
Starting Web Server Logging

To start web server logging, type the following command:
nswl -start -f <directorypath>\log.conf

(log.conf).
Stopping Web Server Logging

To stop web server logging started as a background process in Solaris or Linux,
use the following command:
nswl -stop
To stop web server logging started as a service in Windows, use the following
command:
nswl -stopservice
Sample Configuration File

Following is a sample configuration file:
##########
# This is the NSWL configuration file
# Only the default filter is active
# Remove leading # to activate other filters
##########
##########
# Default filter (default on)
# W3C Format logging, new file is created every hour or on reaching
10MB file size,
# and the file name is Exyymmdd.log
##########
Filter default
begin default
logFormat W3C
logInterval Hourly
logFileSizeLimit 10
logFilenameFormat Ex%{%y%m%d}t.log
end default
##########
# netscaler caches example

# CACHE_F filter covers all the transaction with HOST name
www.netscaler.com and the listed server ip's
##########
#Filter CACHE_F HOST www.netscaler.com IP 192.168.100.89
192.168.100.95 192.168.100.52 192.168.100.53 ON
##########
# netscaler origin server example

# Not interested in Origin server to Cache traffic transaction
logging
##########
#Filter ORIGIN_SERVERS IP 192.168.100.64 192.168.100.65
192.168.100.66 192.168.100.67 192.168.100.225 192.168.100.226
192.168.
100.227 192.168.100.228 OFF
##########
# netscaler image server example

# all the image server logging.
##########
#Filter IMAGE_SERVER HOST www.netscaler.images.com IP
192.168.100.71 192.168.100.72 192.168.100.169 192.168.100.170
192.168.10
0.171 ON
##########
# NCSA Format logging, new file is created every day midnight or on
reaching 20MB file size,
# and the file name is /datadisk5/netscaler/log/NS<hostname>/
Nsmmddyy.log.
# Exclude objects that ends with .gif .jpg .jar.
##########
#begin ORIGIN_SERVERS
# logFormat NCSA
# logInterval Daily
# logFilenameFormat /datadisk5/ORGIN/log/%v/
NS%{%m%d%y}t.log
# logExclude .gif .jpg .jar

#end ORIGIN_SERVERS
##########
# NCSA Format logging, new file is created every day midnight or on
reaching 20MB file size,
Nsmmddyy.log with log record timestamp as GMT.
##########
#begin CACHE_F
# logFormat NCSA
# logInterval Daily
# logFilenameFormat /datadisk5/netscaler/log/%v/
NS%{%m%d%y}t.log
# logtime GMT
#end CACHE_F
##########
# W3C Format logging, new file on reaching 20MB and the log file
path name is
# atadisk6/netscaler/log/server's ip/Exmmyydd.log with log record
timestamp as LOCAL.
##########
#begin IMAGE_SERVER
# logFormat W3C
# logInterval Size
# logFilenameFormat /datadisk6/netscaler/log/%AEx%{%m%d%y}t
# logtime LOCAL
#end IMAGE_SERVER
##########
# Virtual Host by Name firm, can filter out the logging based on the
host name by,
##########
#Filter VHOST_F IP 10.101.2.151 NETMASK 255.255.255.0

#begin VHOST_F
# logFormat W3C
# logInterval Daily
logFilenameFormat /ns/prod/vhost/%v/Ex%{%m%d%y}t
#end VHOST_F
########## END FILTER CONFIGURATION ##########
Log File Formats

The NetScaler supports the following log file formats:
• NCSA Common Log Format
• W3C Extended Log Format
• Custom Log Format
• Apache Log Format
NCSA Common Log Format

If the log file format is NCSA, the log file displays log information in the
following format:
Client_IP_address –User_Name [Date:Time –TimeZone] “Method Object
HTTP_version” HTTP_StatusCode BytesSent
To use the NCSA Common log format, enter NCSA in the LogFormat argument in
the log.conf file.
The following table describes the NCSA Common log format.
Client _IP_address Specifies the IP address of the client computer

User Name Specifies the user name
Date Specifies the date of the transaction
Time Specifies the time when the transaction was completed
Time Zone Specifies the time zone (Greenwich Mean Time or local
time)
Method Specifies the request method (for example; GET, POST)
Object Specifies the URL

HTTP_version Specifies the version of HTTP used by the client
HTTP_StatusCode Specifies the status code in the response
Bytes Sent Specifies the number of bytes sent from the server
W3C Extended Log Format

An extended log file contains a sequence of lines containing ASCII characters
terminated by either a Line Feed (LF) or the sequence Carriage Return Line Feed
(CRLF.) Log file generators must follow the line termination convention for the
platform on which they are run.
Log analyzers must accept either LF or CRLF form. Each line may contain either
a directive or an entry.
If you want to use the W3C Extended log format, enter W3C as the Log-Format
argument in the log.conf file.
Customizing W3C Format

By default, the standard W3C log format is defined internally as the custom log
format, shown as follows:
%{%Y-%m-%d%H:%M:%S}t %a %u %S %A %p %m %U %q %s %j %J %T %H
%+{user-agent}i %+{cookie} i%+{referer}i
For a description of the meaning of this each custom format, see “Custom Log
Format,” on page 95 in this chapter. You can also change the order or remove
some fields in this W3C log format. For example:
logFormat W3C %{%Y-%m-%d%H:%M:%S}t %m %U
W3C log entries are created with the following format:

#Version: 1.0
#Fields: date time cs-method cs-uri
#Date: 12-Jun-2001 12:34
2001-06-12 12:34:23 GET /sports/football.html
2001-06-12 12:34:30 GET /sports/football.html
Entries
Entries consist of a sequence of fields relating to a single HTTP transaction.
Fields are separated by white space; Citrix recommends the use of tab characters.
If a field in a particular entry is not used, a dash “-” marks the omitted field.
Directives
Directives record information about the logging process. Lines beginning with
the # character contain directives.
The following table describes the directives.
Directive Description
Version: <integer>.<integer> Displays the version of the extended log file format
used. This document defines version 1.0.
Fields: [<specifier>...] Identifies the fields recorded in the log.
Software: <string> Identifies the software that generated the log.
Start-Date: <date> <time> Displays the date and time at which the log was
started.
End-Date: <date> <time> Displays the date and time at which logging finished.
Date: <date> <time> Displays the date and time when the entry was
added.
Remark: <text> Displays comments. Analysis tools ignore data
recorded in this field.
Note: The Version and Fields directives are required. They precede all
other entries in the log file.
Example
The following sample log file shows the W3C Extended log format:
#Version: 1.0
#Fields: time cs-method cs-uri
#Date: 12-Jan-1996 00:00:00
00:34:23 GET /sports/football.html
Fields
The Fields directive lists a sequence of field identifiers that specify the
information recorded in each entry. Field identifiers may have one of the
following forms:
• identifier: Relates to the transaction as a whole.

• prefix-identifier: Relates to information transfer between parties defined
by the value prefix.
• prefix (header): Specifies the value of the HTTP header field header for
transfer between parties defined by the value prefix. Fields specified in this
manner always have the type <string>.
The following table describes defined prefixes.
Prefix Specifies
c Client.
s Server.
r Remote.
cs Client to server.
sc Server to client.
sr Server to remote server (prefix used by proxies).
rs Remote server to server (prefix used by proxies).
x Application-specific identifier.
Examples
The following examples are defined identifiers that use prefixes:

cs-method : Specifies the method in the request sent by the client to the server
sc(Referer): Specifies the Referer field in the reply
c-ip: Specifies the IP address of the client
Identifiers
The following table describes the W3C Extended log format identifiers that do
not require a prefix.
Identifier Description
date Specifies the date on which the transaction was done.
time Specifies the time when the transaction is done.
time-taken Specifies the time taken (in seconds) for the transaction to complete.
bytes Specifies the number of bytes transferred.
cached Records whether a cache hit has occurred. A zero indicates a cache miss.
The following table describes the W3C Extended log format identifiers that
require a prefix.
Identifier Description
IP Specifies the IP address and the port number.
dns Specifies the DNS name.
status Specifies the status code.
comment Specifies the comment returned with status code.
method Specifies the method.
url Specifies the URL.
url-stem Specifies the stem portion of the URL.
url-query Specifies the query portion of the URL.
The W3C Extended Log file format allows you to choose log fields. These fields
are shown in the following table:
Field Description
Date Specifies the date on which the transaction is done.
Time Specifies the time when the transaction is done.
Client IP Specifies the IP address of the client.
User Name Specifies the user name.
Service Name Specifies the service name, which is always HTTP.
Server IP Specifies the server IP address.
Server Port Specifies the server port number
Method Specifies the request method (for example; GET, POST).
Url Stem Specifies the URL stem.
Url Query Specifies the query portion of the URL.
Http Status Specifies the status code in the response.
Bytes Sent Specifies the number of bytes sent to the server (request size,
including HTTP headers).
Bytes Received Specifies the number of bytes received from the server (response
size, including HTTP headers).
Time Taken Specifies the time taken for transaction to complete, in seconds.
Protocol Version Specifies the version number of HTTP being used by the client.
User Agent Specifies the User-Agent field in the HTTP protocol.
Cookie Specifies the Cookie field of the HTTP protocol.
Referer Specifies the Referer field of the HTTP protocol.
Custom Log Format

You can customize the display format of the log file data as described in the
following subsections:
Using the NSWL Library to Define a Custom Log Format

Use one of the following NSWL libraries depending on whether the nswl
executable has been installed on a Windows or Solaris host computer:
• Windows: The nswl.lib library located in \ns\bin directory on the
system manager host computer.
• Solaris: The libnswl.a library located in /usr/local/
netscaler/bin
To define the custom log format
1. Add the following two C functions defined by the system in a source file:
ns_userDefFieldName(): This function returns the string that must
be added as a custom field name in the log file.
ns_userDefFieldVal(): This function implements the custom field
value, then returns it as a string that must be added at the end of the log
record.
2. Compile the file into an object file.
3. Link the object file with the NSWL library (and optionally, with third party
libraries) to form a new nswl executable.
4. Add a %d string at the end of the logFormat string in the log.conf
file.
Example
If you want to add a digital signature at the end of each record, follow the steps in
the preceding section and define the filter in the log.conf file as described
below.
##########
# A new file is created every midnight or on reaching 20MB file
size,
Nsmmddyy.log and create digital
#signature field for each record.
BEGIN CACHE_F
logFormat custom "%a - "%{user-agent}i" [%d/%B/%Y %T -%g] "%x"
%s %b%{referrer}i "%{user-agent}i" "%{cookie}i" %d "
logInterval Daily
logFileSizeLimit20
logFilenameFormat/datadisk5/netscaler/log/%v/NS%{%m%d%y}t.log
END CACHE_F
Manually Defining a Custom Log Format

To customize the format in which log file data should appear, specify a character
string (described in the following table) as the argument of the LogFormat log
property definition. For example:
LogFormat Custom ""%a - "%{user-agent}i"
%[%d/%m/%Y]t %U %s %b %T"
• The string can contain the “c” type control characters \n and \t to
represent new lines and tabs.
• Use the <Esc> key with literal quotes and backslashes.
The characteristics of the request are logged by placing % directives in the format
string, which are replaced in the log file by the values.
If the %v (Host name) or %x (URL suffix) format specifier is present in a log
filename format string, the following characters in the filename are replaced by
an underscore symbol in the log configuration filename:
", *, ., /, :, <, >, ? \, |
Characters whose ASCII values lie in the range of 0-31 are replaced by the
following:
%<ASCII value of character in hexadecimal>.
For example, the character with ASCII value 22 is replaced by %16.
Caution: If the %v format specifier is present in a log filename format string, a

separate file is opened for each virtual host. To ensure continuous logging, the
maximum number of files that a process can have open should be sufficiently
large. See your operating system documentation for a procedure to change the
number of files that can be opened.
The following table describes the data that you can use as the LogFormat
argument string:
%a Specifies the remote IPv4 address

%A Specifies the local IPv4 address
%a6 Specifies the remote IPv6 address
%A6 Specifies the local IPv6 address
%B Specifies the bytes sent, excluding the HTTP headers (response size)
%b Specifies the bytes received, excluding the HTTP headers (request size)
%d Specifies a user-defined field
%g Specifies the Greenwich Mean Time offset
(for example, -0800 for Pacific Standard Time)
%h Specifies the remote host
%H Specifies the request protocol
%{Foobar}i Specifies the contents of the Foobar: header line(s) in the request sent to
the server. The system supports the User-Agent, Referer and cookie
headers. The + after the % in this format informs the logging client to
use the + as a word separator.
%j Specifies the bytes received, including headers (request size)
%J Specifies the bytes sent, including headers (response size)
%l Specifies the remote log name (from identd, if supplied)
%m Specifies the request method
%M Specifies the time taken to serve the request (in microseconds)
%{Foobar}o Specifies the contents of Foobar: header line(s) in the reply. We support
the USER-AGENT, Referer, and cookie headers.
%p Specifies the canonical port of the server serving the request
%q Specifies the query string [prefixed with a question mark (?) if a query
string exists]
%r Specifies the first line of the request
%s For requests that were redirected internally, this is the status of the
original request
%t Specifies the time, in common log format (standard English time
format)
%{format}t Specifies the time, in the form given by format, must be in strftime(3)
format. The next table describes what you can enter as the format.
%T Specifies the time taken to serve the request, in seconds
%u Specifies the remote user (from auth; may be bogus if return status (%s)
is 401)
%U Specifies the URL path requested
%v Specifies the canonical name of the server serving the request
%V This is the virtual server IPv4 address in the system, if load balancing,
content switching, and/or cache redirection is used.
%V6 This is the virtual server IPv6 address in the system, if load balancing,
content switching, and/or cache redirection is used.
For example, if you define the log format as %+{user-agent}i, and if the
user agent value is Citrix Netscaler system Web Client, then the information is
logged as Citrix Netscaler system +Web+Client. An alternative is to use the
double quote (for example, “%{user-agent}i”, then it logs it as “Citrix
Netscaler system Web Client.” Do not use the <Esc> key on strings from %..
.r, %. . .i and, %. . .o. This complies with the requirements of the
Common Log Format. Note that clients can insert control characters into the log.
Therefore, you should take care when working with raw log files.
Time Format Definition

The following table lists the characters that you can enter as the format part of the
%{format}t string (described in the table in the preceding section). Values
within brackets ([ ]) show the range of values that appear. For example, [1,31] in
the %d description in the following table shows %d ranges from 1 to 31.
%% Specifies the same as %.

%a Specifies the abbreviated name of the week day for the locale.
%A Specifies the full name of the week day for the locale.
%b Specifies the abbreviated name of the month for the locale.
%B Specifies the full name of the month for the locale.
%C Specifies the century number (the year divided by 100 and truncated to an integer
as a decimal number [1,99]); single digits are preceded by a 0.
%d Specifies the day of month [1,31]; single digits are preceded by 0.

%e Specifies the day of month [1,31]; single digits are preceded by a blank.
%h Specifies the abbreviated name of the month for the locale.
%H Specifies the hour (24-hour clock) [0,23]; single digits are preceded by a 0.
%I Specifies the hour (12-hour clock) [1,12]; single digits are preceded by a 0.
%j Specifies the number of the day in the year [1,366]; single digits are preceded by 0.
%k Specifies the hour (24-hour clock) [0,23]; single digits are preceded by a blank.
%l Specifies the hour (12-hour clock) [1,12]; single digits are preceded by a blank.
%m Specifies the number of the month in the year [1,12]; single digits are preceded by
a 0.
%M Specifies the minute [00,59]; leading 0 is permitted but not required.
%n Inserts a new line.
%p Specifies the equivalent of either a.m. or p.m. for the locale.
%r Specifies the appropriate time representation in 12-hour clock format with %p.
%S Specifies the seconds [00,61]; the range of values is [00,61] rather than [00,59] to
allow for the occasional leap second and for the double leap second.
%t Inserts a tab.
%u Specifies the day of the week as a decimal number [1,7].
1 represents Sunday, 2 represents Tuesday and so on.
%U Specifies the number of the week in the year as a decimal number [00,53], with
Sunday as the first day of week 1.
%w Specifies the day of the week as a decimal number [0,6].
0 represents Sunday.
%W Specifies the number of the week in the year as a decimal number [00,53].
Monday is the first day of week 1.
%y Specifies the number of the year within the century [00,99].
For example, 5 would be the fifth year of that century.
%Y Specifies the year, including the century (for example, 1993).
Note: If you specify a conversion that does not correspond to any of the ones
described in the preceding table, or to any of the modified conversion
specifications listed in the next paragraph, the behavior is undefined and returns
0.
The difference between %U and %W (and also between modified conversions %OU
and %OW) is the day considered to be the first day of the week. Week number 1 is
the first week in January (starting with a Sunday for %U, or a Monday for %W).
Week number 0 contains the days before the first Sunday or Monday in January
for %U and %W.
Apache Log Formats

You can derive from the custom logs most of the log formats that Apache
currently supports. The custom log formats that match Apache log formats are:
NCSA/combined: LogFormat custom %h %l %u [%t] "%r" %s %B
"%{referer}i" "%{user-agent}i"
NCSA/Common: LogFormat custom %h %l %u [%t] "%r" %s %B
Referer Log: LogFormat custom "%{referer}i" -> %U
Useragent: LogFormat custom %{user-agent}i
Similarly, you can derive the other server log formats from the custom formats.
Checklist for Configuring Web Server Logging

Use the following checklist when you configure web server logging or need to
troubleshoot problems:
1. Make sure that the Citrix NetScaler system user name and password are
valid.
2. Make sure that the Netscaler is accessible from the logging system by doing
the following:
• Ping the Netscaler IP address
• Use FTP and Telnet to access the system
3. Verify that the IP address of the NetScaler is present in the configuration
file (log.conf)
C HAPTER 5
Advanced Configurations
You can configure network time protocol to synchronize the NetScaler's local
clock with the other servers on the network. If you enable path maximum
transmission unit (MTU) discovery, the NetScaler can use it to determine the
maximum transmission unit of any Internet channel. For more efficient data
transfer, you can configure TCP window scaling and selective acknowledgement.
You can clear any basic or extended configuration on your NetScaler. You can
view statistics associated with HTTP request and response sizes. For applying a
specific HTTP and TCP settings to vservers and services, you can configure
HTTP and TCP profiles.
In This Chapter
Configuring Clock Synchronization
Path MTU Discovery
Configuring TCP Window Scaling
Configuring Selective Acknowledgement
Clearing the Configuration
Viewing the HTTP Band Statistics
Configuring HTTP Profiles
Configuring TCP Profiles
Configuring Clock Synchronization

You can configure your NetScaler to synchronize its local clock with a Network
Time Protocol (NTP) server. This ensures that its clock has the same date and
time settings as the other servers on your network.
You can configure clock synchronization on your NetScaler either by manually
modifying the ntp.conf file and then starting the NTP daemon (ntpd), or by
adding NTP server entries in the ntp.conf file from the configuration utility or the
NetScaler command line.
Configuring Clock Synchronization Manually

You can configure clock synchronization manually by logging on to the
NetScaler and editing the ntp.conf file.
To enable clock synchronization on your NetScaler by modifying the

ntp.conf file
1. Log on to the NetScaler command line.

2. Switch to the shell prompt.
3. Copy the /etc/ntp.conf file to /nsconfig/ntp.conf.
4. Copy the ntp.conf file from the /etc directory to the /nsconfig
directory. If it already exists in the /nsconfig directory, be sure to
remove the following entries from the ntp.conf file:
restrict localhost
restrict 127.0.0.2
These entries are required only if you want to run the device as a time
server, and this feature is not supported on the NetScaler.
5. Edit /nsconfig/ntp.conf and add the IP address for the desired NTP
server under the file’s server and restrict entries.
Note: For security reasons, it is recommended to include a corresponding

restrict entry for each server entry.
6. Create a file and name it rc.netscaler in the /nsconfig directory, if

the file does not already exist in the directory.
7. Edit /nsconfig/rc.netscaler, and add the following entry.
/usr/sbin/ntpd -c /nsconfig/ntp.conf -l /var/log/

ntpd.log &
This entry starts the ntpd service, checks the ntp.conf file, and logs
messages in the /var/log directory. This process runs every time the
NetScaler is restarted.
8. Reboot the NetScaler to enable clock synchronization.
Chapter 5 Advanced Configurations 103
Note: If you want to start the time synchronization process without restarting
the NetScaler, run the following command from the shell prompt:
/usr/sbin/ntpd -c /nsconfig/ntp.conf -l /var/log/

ntpd.log &
If you do not have a local NTP server, you can find a list of public, open access
NTP servers at the official NTP site at http://www.ntp.org.
Configuring Clock Synchronization Using the

Configuration Utility or the CLI
You can configure clock synchronization on your NetScaler by adding NTP
servers from the configuration utility or from the command-line interface (CLI)
and then enabling NTP synchronization. The clock synchronization configuration
persists on restart, upgrade, or downgrade of the NetScaler. However, the
configuration does not get propagated to the secondary NetScaler in a High
Availability (HA) setup.
Adding NTP Server Entries

You must add NTP server entries to the ntp.conf file so that your NetScaler can
synchronize the clock with the clock settings of the other servers on the network.
The following table describes the parameters you need to set to add NTP servers.
Parameters Specifies
NTP Server Name or IP address of the NTP server.
Minimum Poll Minimum number of seconds after which the NTP server must
Interval poll the NTP messages. Must be a power of 2. Minimum value: 4
(2^4=16 seconds), Default: 6 (2^6=64 seconds). Maximum value:
17 (2^17=131072 seconds).
Maximum Poll Maximum number of seconds after which the NTP server must
Interval poll the NTP messages. Must be a power of 2. Minimum value: 4
(2^4=16 seconds), Default: 10 (2^10=1024 seconds). Maximum
value: 17 (2^17=131072 seconds).
To add NTP servers by using the configuration utility
1. In the navigation pane, expand System, and then click NTP Servers.
2. In the details pane, click Add.
3. In the Create NTP Server dialog box, in the NTP Server text box, type
either the IP address or the name of the NTP server (for example, 1.2.3.4).
4. In the Minimum Poll Interval text box, type the minimum time interval
after which you want the NTP server to poll the NTP messages (for
example, 5).
5. In the Maximum Poll Interval text box, type the maximum time interval
after which you want the NTP server to poll the NTP messages (for
example, 11).
6. Click Create, and then click Close.
To add NTP servers by using the NetScaler command line

add ntp server serverIP | serverName -minpoll positive integer
-maxpoll positive integer
Example
add ntp server 1.2.3.4 -minpoll 5 -maxpoll 11
Modifying NTP Server Entries

You can modify the minimum and maximum polling intervals of the NTP servers.
To modify NTP polling by using the configuration utility
2. In the details pane, click the NTP server that you want to modify, and then
click Open.
3. In the Configure NTP Server dialog box, in the Minimum Poll Interval
text box, change the minimum time interval after which you want the NTP
server to poll the NTP messages (for example, 7).
4. In the Maximum Poll Interval text box, change the maximum time
interval after which you want the NTP server to poll the NTP messages (for
example, 9).
5. Click OK.
To modify NTP servers using the NetScaler command line

set ntp server serverIP | serverName -minpoll positive integer
-maxpoll positive integer
Example
set ntp server 1.2.3.4 -minpoll 7 -maxpoll 9
Removing NTP Server Entries

You can remove the NTP servers from the ntp.conf file if you do not want to use
these servers.
To remove NTP servers using the configuration utility
2. In the details pane, click the NTP server that you want to remove, and then
click Remove.
3. In the remove message box, click Yes.
To remove NTP servers using the NetScaler command line

rm ntp server serverIP | serverName
Example
rm ntp server 1.2.3.4
Displaying NTP Server Entries

You can display the details of the NTP servers that you have added to the ntp.conf
file.
To display NTP servers by using the configuration utility
2. In the details pane, you can view all the NTP servers that you have added.
To view NTP servers by using the NetScaler command line

show ntp server
Enabling or Disabling NTP Synchronization

When you enable NTP synchronization, the NetScaler uses the NTP server
entries in the ntp.conf file to synchronize its local time setting. If you do not want
to synchronize your NetScaler time with the other servers in the network, you can
disable NTP synchronization.
To enable or disable NTP synchronization by using the configuration utility
2. In the details pane, click NTP Synchronization.
To enable or disable NTP synchronization by using the NetScaler command

line

enable ntp sync
or
disable ntp sync
Path MTU Discovery

Path maximum transmission unit (MTU) discovery is a method for dynamically
learning the maximum transmission unit of any Internet channel. The discovered
path MTU is used by the TCP or UDP layer to create packets of an optimum size
for that channel. This avoids fragmentation overhead on the routers in the path,
and reassembly overhead on the receiving server.
Path MTU discovery is an operational mode on the NetScaler. This mode enables
the NetScaler to interoperate with other routers participating in path MTU
discovery. In a typical topology, the NetScaler is deployed in front of the servers
and it manages, and it either manages connections from clients on behalf of these
servers (transparent mode), or it manages connections with the servers and clients
independently (end-point mode).
The NetScaler in Transparent Mode

In transparent mode, if a NetScaler-managed server sends a datagram, and the
path MTU is smaller than the size of the datagram, the NetScaler receives an
ICMP error. When the NetScaler is operating in MIP mode, it adjusts the MTU to
the MIP and updates the MTU database so that the lower MTU is used for all
subsequent connections.
Note: This affects all clients using that MIP—not just the client that generated
the ICMP error.
In USIP mode, when an ICMP error message is received, the NetScaler translates
it and sends it to the managed server. The managed server updates the MTU for
that destination, and subsequent datagrams are sent with the lowered MTU. The
MTU value for that client is also updated on the NetScaler. All new connections
then use the lower MTU.
The NetScaler in End-Point Mode

In end-point mode, the NetScaler separately manages connections to the servers
and connections to the clients that contact those servers.
For client connections, the NetScaler uses an Maximum Segment Size (MSS) of
1460 and 1440 bytes for IPv4 packets and IPv6 packets, respectively. Whenever a
router sends an ICMP error to the NetScaler because of an MTU mismatch, the
NetScaler does not pass the error to the servers it manages; instead, it parses the
error and determines an MTU appropriate for that particular client. The NetScaler
then updates the MTU database with the lower MTU. Thereafter, the NetScaler
uses the new MTU value for all new connections to that client.
Enabling or Disabling Path MTU Discovery

The NetScaler does not participate in path MTU discovery by default.
To enable or disable path MTU discovery by using configuration utility
1. In the navigation pane, expand System, and then click Settings.

2. In the details pane, under Modes and Features, click Change modes.
3. In the Configure Modes dialog box, do one of the following:
• To enable this feature, select the Path MTU Discovery check box.
• To disable this feature, clear the Path MTU Discovery check box.
To enable or disable path MTU discovery by using the NetScaler command

line

enable ns mode PMTUD
or
disable ns mode PMTUD
Configuring TCP Window Scaling

The TCP window scaling option increases the TCP receive window size beyond
its maximum value of 65,535 bytes. This TCP option is defined in RFC 1323. The
window scaling option is required for efficient transfer of data over long fat
networks (LFNs).
A TCP window determines the amount of outstanding (unacknowledged by the
recipient) data that can be sent on a particular connection before receiving any
acknowledgment from the receiver. The main purpose of the window is flow
control.
The window size field in the TCP header is 16 bits, which limits the ability of the
sender to advertise a window size larger than 65,535 (2^16 - 1). The TCP window
scale extension expands the definition of the TCP window to 30 bits by using a
scale factor to carry this value in the 16-bit window field of the TCP header. On
the NetScaler, the window scale expands the definition of the TCP window to 24
bits. The scale factor is carried in the new TCP window scale field. This field is
sent only in a SYN packet (a segment with the SYN bit on).
The new window size is calculated by the receiver.
[right shifting the bits of the received window size by the scale-factor value]
which is equivalent to
[(2^scale factor) * received window size]
Before configuring window scaling, make sure that:
• You do not set a high value for the scale factor, because this could have
adverse effects on the NetScaler and the network.
• You have enabled SACK (selective acknowledgement).
• You do not configure window scaling unless you clearly know why you
want to change the window size.
• Both hosts in the TCP connection send a window scale option during
connection establishment. If only one side of a connection sets this option,
windows scaling will not be used for the connection.
• Each connection for same session (such as the same request/response for
TCP sessions between client and NetScaler and NetScaler and server) is an
independent window scaling session. It is possible to have window scaling
between a client and the NetScaler and not between the NetScaler and a
server.
By default, window scaling is not enabled. The following table describes the
parameters used to configure window scaling.
Window scaling factor Factor used to calculate new window size. Possible values: 0 to 8.
Default: 4.
To configure window scaling, use either of the following procedures:
To configure window scaling by using the configuration utility

2. In the details pane, under Settings, click Configure TCP Parameters.
3. In the Configure TCP Parameters dialog box, under TCP, select the
Windows Scaling check box.
4. In the Factor text box, type a windows scaling factor (for example, 5).
5. Click OK.
To configure Window Scaling by using the NetScaler command line

set ns tcpParam -WS value -WSVal value
Example
set ns tcpParam -WS ENABLED -WSVal 5
Configuring Selective Acknowledgement

The NetScaler supports Selective Acknowledgement (SACK), as defined in RFC
2018. By using SACK, the data receiver (either a NetScaler or a client) notifies
the sender about all the segments that have been received successfully. As a
result, the sender (either a NetScaler or a client) needs to retransmit only those
segments that were lost during transmission. This improves the performance of
data transmission. SACK is important in long fat networks (LFNs).
By default, SACK is disabled. Use either of the following procedures to enable it.
To enable SACK by using the configuration utility

2. In the details pane, under Settings, click Configure TCP Parameters.
3. In the Configure TCP Parameters dialog box, select the Selective
Acknowledgement check box, and click OK.
To enable SACK by using the NetScaler command line

set ns tcpParam - SACK ENABLED
Clearing the Configuration

You have the following three options for clearing your NetScaler configuration.
Basic level: Clearing your configuration at the basic level clears all settings
except the following:
• NSIP, MIP(s), and SNIP(s)
• Network settings (Default Gateway, VLAN, RHI, NTP, and DNS settings)
• HA node definitions
• Feature and mode settings
• Default administrator password (nsroot)
Extended level: Clearing your configuration at the extended level clears all
settings except the following:
• NSIP, MIP(s), and SNIP(s)
• Network settings (Default Gateway, VLAN, RHI, NTP, and DNS settings)
• HA node definitions
Feature and mode settings revert to their default values.
Full level: Clearing your configuration at the full level returns all settings to their
factory default values. However, the NSIP and default gateway are not changed,
because changing them could cause the NetScaler to lose network connectivity.
To clear a configuration, use either of the following procedures:
To clear a configuration by using the configuration utility
1. In the navigation pane, expand System, and then click Diagnostics.

2. In the details pane, under Maintenance, click Clear Configuration.
3. In the Clear Configuration dialog box, for Configuration Level, select an
option (for example, basic).
4. Click Run.
To clear configuration by using the NetScaler command line

clear ns config (basic | advanced | full)
Example
clear ns config basic
Viewing the HTTP Band Statistics

You can view HTTP band statistics to obtain useful information such as:
• Average request/response band size.
• The size range to which most requests/responses belong.
• Contribution of HTTP pages, in a certain size range, to the overall HTTP

traffic.
To view HTTP request and response size statistics by using the

configuration utility

2. In the details pane, under Settings, click HTTP data band Statistics.
HTTP Data Band Statistics dialog box is displayed.
3. View the HTTP request and HTTP response size statistics on the Request
and Response tabs, respectively.
To view HTTP request and response size statistics by using the NetScaler
command line

show protocol httpBand –type REQUEST | RESPONSE
Example
show protocol httpBand –type REQUEST
show protocol httpBand –type RESPONSE
You can also modify the band range for HTTP request or response size statistics.
The following table describes the parameters used to modify the band range for
HTTP request or response size statistics.
Request Data Band Band size for HTTP request band statistics, in bytes. Minimum
Size value: 50. Maximum value: 2147483647. Default: 100.
(reqBandSize)
Response Data Band Band size for HTTP response band statistics, in bytes. Minimum
Size value: 50. Maximum value: 2147483647. Default: 1024.
(respBandSize)
To modify the band range by using the configuration utility

2. In the details pane, under Settings, click HTTP data band Statistics.
3. For modifying the band range of HTTP Request Statistics, click the
Request tab and then click Configure. In Change HTTP Request Band
Size dialog box, enter a value (for example, 300) in Request Data Band
Size text field and click Ok.
4. For modifying the band range of HTTP Response Statistics, click the
Response tab and then click Configure. In Change HTTP Response
Band Size dialog box, enter a value (for example, 2048) in Response Data
Band Size text field and click Ok.
5. Click Close.
To modify the band range by using the NetScaler command line

set protocol httpBand reqBandSize value respBandSize value
Example
set protocol httpBand reqBandSize 300 respBandSize 2048
Configuring HTTP Profiles

An HTTP profile is a collection of HTTP parameter settings that can be applied to
vservers and services. An HTTP profile can be reused on multiple vservers or
services.
You can use built-in HTTP profiles or configure custom profiles. The following
table describes the built-in HTTP profiles.
Profile Description
nshttp_default_strict_validation This profile is useful for deployments
where strict validation of HTTP
requests and responses is required.
nshttp_default_profile This profile represents the default
global HTTP settings on the NetScaler
appliance.
Adding an HTTP Profile

The following table describes the parameters used to create an HTTP profile.
Parameter Specifies
Name The name for an HTTP profile. An
HTTP profile name can be from 1 to
(name) 127 characters and must begin with a
letter, a number, or the underscore
symbol (_). Other characters allowed
after the first character in a name are the
hyphen (-), period (.), pound sign (#),
space ( ), at sign (@), and equals sign
(=).
Parameter Specifies
Max Connection in reusepool A maximum limit on the number of
connections, from the NetScaler to a
(maxReusePool) particular server, in the reuse pool. This
setting is helpful for optimal memory
utilization and for reducing the idle
connections to the server just after the
peak time.
Connection Multiplexing When this option is enabled, the
NetScaler appliance reuse the server
(conMultiplex) connections for multiple client
connections.
Possible values: ENABLED,
DISABLED. Default: ENABLED.
Drop invalid HTTP requests Drop the invalid request or responses,
either based on the header or body.
(dropInvalReqs) Possible values: ENABLED,
DISABLED. Default: DISABLED.
Mark HTTP/0.9 requests as invalid Mark the 0.9 requests as invalid or not.
(markHttp09Inval) DISABLED. Default: DISABLED.
Mark CONNECT requests as invalid Mark the CONNECT requests invalid
or not. Possible values: ENABLED,
(markConnReqInval) DISABLED. Default: DISABLED.
Compression on PUSH packet Use compression on PUSH for the
HTTP VIP. Possible values:
(cmpOnPush) ENABLED, DISABLED. Default:
DISABLED.
To add an HTTP profile by using the configuration utility
1. In the navigation pane, expand System, and then click Profiles.

2. In the details pane, on the HTTP Profiles tab, specify the desired settings,
and then click Create.
To add an HTTP profile by using the NetScaler command line

add ns httpProfile name -maxReusePool value -dropInvalReqs (
ENABLED | DISABLED ) -markHttp09Inval ( ENABLED | DISABLED )
-markConnReqInval ( ENABLED | DISABLED ) -cmpOnPush ( ENABLED |
DISABLED ) -conMultiplex ( ENABLED | DISABLED )
Example
add ns httpProfile http_profile1 -maxReusePool 30 -dropInvalReqs
ENABLED -markHttp09Inval ENABLED -markConnReqInval ENABLED
-cmpOnPush ENABLED -conMultiplex DISABLED
Verifying the HTTP Profile Configuration

To verify the HTTP profile configuration, you should display and examine the
HTTP profiles.
To verify HTTP profiles by using the configuration utility

2. In the details pane, on the HTTP Profiles tab, examine the settings.
To verify HTTP Profiles by using the NetScaler command line

sh ns httpProfile
Configuring TCP Profiles

A TCP profile is a collection of TCP parameter settings that can be applied to
vservers and services. A TCP profile can be reused on multiple vservers or
services.
You can use built-in TCP profiles or configure custom profiles. The following
table describes the built-in TCP profiles.
Profile Description
nstcp_default_tcp_lfp This profile is useful for long fat pipe
networks (WAN) on the client side.
Long fat pipe networks have long delay,
high bandwidth lines with minimal
packet drops.
nstcp_default_tcp_lnp This profile is useful for long narrow
pipe networks (WAN) on the client side.
Long narrow pipe networks have
considerable packet loss once in a
while.
nstcp_default_tcp_lan This profile is useful for back-end
server connections, where these servers
reside on the same LAN as the
NetScaler appliance.
nstcp_default_tcp_lfp_thin_stream This profile is similar to the
nstcp_default_tcp_lfp profile but the
settings are tuned for small size packet
flows.
nstcp_default_tcp_lnp_thin_stream This profile is similar to the
nstcp_default_tcp_lnp profile but the
settings are tuned for small size packet
flows.
Profile Description
nstcp_default_tcp_lan_thin_stream This is similar to the
nstcp_default_tcp_lan profile but the
settings are tuned to small size packet
flows.
nstcp_default_tcp_interactive_stream This is similar to the
nstcp_default_tcp_lan profile but with
reduced delayed ACK timer and ACK
on PUSH packet settings.
nstcp_internal_apps This profile is useful for internal
applications on the NetScaler (for
example, GSLB sitesyncing). This
contains tuned window scaling and
SACK options for the desired
applications. This profile should not be
bound to other than the internal
applications.
nstcp_defualt_profile This profile represents the default
global TCP settings on the NetScaler
appliance.
Adding a TCP Profile

The following table describes the parameters used to create a TCP profile.
Parameter Specifies
Name The name for a TCP profile. A TCP
profile name can be from 1 to 127
(name) characters and must begin with a letter,
a number, or the underscore symbol (_).
Other characters allowed after the first
character in a name are the hyphen (-),
period (.), pound sign (#), space ( ), at
sign (@), and equals sign (=).
Window Scaling Enable or disable window scaling.
(WS) DISABLED. Default: DISABLED.
Factor The factor used to calculate the new
window size. Possible values: 0 to 8.
(WSVal) Default: 4.
Maximum Burst Limit The maximum number of TCP
segments allowed in a burst. Minimum
(maxBurst) value: 2. Maximum value: 10. Default:
6.
Initial Congestion Window Size The initial maximum upper limit on the
number of TCP packets that can be
(initialCwnd) outstanding on the TCP link to the
server. Minimum value: 2. Maximum
value: 6. Default: 4.
Parameter Specifies
TCP Delayed ACK Time-out (msec) The time-out for TCP delayed ACK, in
milliseconds. Minimum value: 10.
(delayedAck) Maximum value: 200. Default: 300.
Maximum ooo Packet Queue Size The maximum size of out-of-order
packets queue. Minimum value: 0 (0
(oooQSize) means infinite). Maximum value: 512.
Default: 64.
Maximum Packets Per MSS The maximum number of TCP packets
allowed per maximum segment size
(maxPktPerMss) (MSS). Minimum value: 0. Maximum
value: 1460. Default: 0 (Means that no
maximum is set.)
Maximum Packets per Retransmission The maximum limit on the number of
packets that should be re-transmitted on
(pktPerRetx) receiving a partial ACK. Minimum
value: 1. Maximum value: 100. Default:
1.
Minimum RTO (in millisec) The minimum round trip to Origin
(RTO) time, in milliseconds. Minimum
(minRTO) value: 10. Maximum value: 64,000.
Default: 1,000.
Slow start Increment The multiplier that determines the rate
at which slow start increases the size of
(slowStartIncr) the TCP transmission window after
each acknowledgement of successful
transmission. Minimum value: 1.
Maximum value: 100. Default: 2.
Selective Acknowledgement Enable or disable selective
acknowledgement (SACK). Possible
(SACK) values: ENABLED, DISABLED.
Default: DISABLED.
Use Nagle's Algorithm Enable or disable the Nagle algorithm
on TCP connections. Possible values:
(nagle) ENABLED, DISABLED. Default:
DISABLED.
Immediate ACK on Receiving Packet with Send immediate positive
PUSH acknowledgement (ACK) on receipt of
TCP packets when doing Web 2.0
(ackOnPush) PUSH. Possible values: ENABLED,
DISABLED. Default: ENABLED.
To add a TCP profile by using the configuration utility

2. In the details pane, on the TCP Profiles tab, specify the desired settings,
and then click Create.
To add a TCP profile by using the NetScaler command line

add ns tcpProfile name -WS ( ENABLED | DISABLED ) -SACK ( ENABLED |
DISABLED ) -WSVal value -nagle ( ENABLED | DISABLED ) -ackOnPush (
ENABLED | DISABLED ) -maxBurst value -initialCwnd value -delayedAck
value -oooQSize value -maxPktPerMss value -pktPerRetx value -minRTO
value -slowStartIncr value
Example
add ns tcpProfile tcp_profile1 -WS ENABLED -SACK ENABLED -WSVal 4
-nagle DISABLED -ackOnPush ENABLED -maxBurst 10 -initialCwnd 6
-delayedAck 200 -oooQSize 100 -maxPktPerMss 0 -pktPerRetx 3 -minRTO
200 -slowStartIncr 3
Verifying the TCP Profile Configuration

To verify the TCP profile configuration, you should display and examine the TCP
profiles.
To verify TCP profiles by using the configuration utility

2. In the details pane, on the TCP Profiles tab, examine the settings.
To verify TCP profiles by using the NetScaler command line

sh ns tcpProfile
C HAPTER 6
Reporting Tool
Use the Citrix NetScaler Reporting tool to view NetScaler performance statistics
data as reports. Statistics data are collected by the nscollect utility and are stored
in a database. When you want to view certain performance data over a period of
time, the Reporting tool pulls out specified data from the database and displays
them in charts.
Reports are a collection of charts. The Reporting tool provides built-in reports as
well as the option to create custom reports. In a report, you can modify the charts
and add new charts. You can also modify the operation of the data collection
utility, nscollect, and stop or start its operation.
In This Chapter
Using the Reporting Tool
How Data Collection Works
Using the Reporting Tool

The Reporting tool is a Web-based interface accessed from the NetScaler. Use the
Reporting tool to display the performance statistics data as reports containing
graphs. In addition to using the built-in reports, you can create custom reports that
you can modify at any time. Reports can have between one and four charts. You
can create up to 256 custom reports.
To invoke the Reporting tool
1. Use the Web browser of your choice to connect to the IP address of the
NetScaler (for example, http://10.102.29.170/).
The Web Logon screen appears.
2. In the User Name text box, type the user name assigned to the NetScaler.
3. In the Password text box, type the password.
4. In the Start in drop-down box, select Reporting.
5. Click Login.
The following screen shots show the report toolbar and the chart toolbar, which
are frequently referenced in this documentation.
Report toolbar
Chart toolbar
Working with Reports

You can plot and monitor statistics for the various functional groups configured
on the NetScaler over a specified time interval. Reports enable you to
troubleshoot or analyze the behavior of your appliance. There are two types of
reports: built-in reports and custom reports. Report content for built-in or custom
reports can be viewed in a graphical format or a tabular format. The graphical
view consists of line, area, and bar charts that can display up to 32 sets of data
(counters). The tabular view displays the data in columns and rows. This view is
useful for debugging error counters.
The default report that is displayed in the Reporting tool is CPU vs. Memory
Usage and HTTP Requests Rate. You can change the default report view by
displaying the report you want as your default view, and then clicking Default
Report.
Reports can be generated for the last hour, last day, last week, last month, last
year, or you can customize the duration.
You can do the following with reports:
• Toggle between a tabular view of data and a graphical view of data.
• Change the graphical display type, such as bar chart or line chart.
• Customize charts in a report.
• Export the chart as an Excel comma-separated value (CSV) file.
• View the charts in detail by zooming in, zooming out, or using a
drag-and-drop operation (scrolling).
• Set a report as the default report for viewing whenever you log on.
• Add or remove counters.
• Print reports.
• Refresh reports to view the latest performance data.
Chapter 6 Reporting Tool 121
Using Built-in Reports

The Reporting tool provides built-in reports for frequently viewed data. Built-in
reports are available for the following seven functional groups: System, Network,
SSL, Compression, Integrated Cache, Access Gateway, and Application Firewall.
By default, the built-in reports are displayed for the last day. However, you can
view the reports for the last hour, last week, last month, or last year.
Note: You cannot save changes to built-in reports, but you can save a modified
built-in report as a custom report.
To display a built-in report
1. In the left pane of the Reporting tool, under Built-in Reports, expand a
group (for example, SSL).
2. Click a report (for example, SSL > All Backend Ciphers).
Creating and Deleting Reports

You can create your own custom reports and save them with user-defined names
for reuse. You can plot different counters for different groups based on your
requirements. You can create up to 256 custom reports.
You can either create a new report or save a built-in report as a custom report. By
default, a newly created custom report contains one chart named System
Overview, which displays the CPU Usage counter plotted for the last day. You
can customize the interval and set the data source and time zone from the report
toolbar. Within a report, you can use the chart toolbars to add, modify, or delete
charts, as described in “Working with Charts,” on page 123.
By default, newly created custom reports contain one chart named System
Overview that displays a CPU Usage counter plotted for the last day.
To create a custom report
1. In the Reporting tool, on the report toolbar, click Create, or if you want to
create a new custom report based on an existing report, open the existing
report, and then click Save As.
2. In Report Name box, type a name for the custom report.
3. Do one of the following:
• To add the report to an existing folder, in Create in or Save in, click
the down arrow to choose an existing folder, and then click OK.
• To create a new folder to store the report, click the Click to add
folder icon, in Folder Name, type the name of the folder, and in
Create in, specify where you want the new folder to reside in the
hierarchy, and then click OK.
Note: You can create up to 128 folders.
To delete a custom report
1. In the left pane of the Reporting tool, next to Custom Reports, click the
Click to manage custom reports icon.
2. Select the check box that corresponds with the report you want to delete,
and then click Delete.
Note: When you delete a folder, all the contents of that folder are deleted.
Modifying the Time Interval

By default, built-in reports display data for the last day. However, if you want to
change the time interval for a built-in report, you can save the report as a custom
report. The new interval applies to all charts in the report. The following table
describes the time-interval options.
Time intervals
Time interval Displays
Last Hour Statistics data collected for the last hour.
Last Day Statistics data collected for the last day (24 hours).
Last Week Statistics data collected for the last week (7 days).
Last Month Statistics data collected for the last month (31 days).
Last Year Statistics data collected for the last year (365 days).
Custom Statistics data collected for a time period that you are
prompted to specify.
To modify the time interval
1. In the left pane of the Reporting tool, click a report.

2. On the report toolbar, click Duration, and then click a time interval.
Setting the Data Source and Time Zone

You can retrieve data from different data sources to display them in the reports.
For information about data sources, see “How Data Collection Works,” on page
129. You can also define the time zone for the reports and apply the currently
displayed report's time selection to all the reports, including the built-in reports.
To set the data source and time zone
1. In the Reporting tool, on the report toolbar, click Settings.

2. In the Settings dialog box, in Data Source, select the data source from
which you want to retrieve the counter information.
3. Do one or both of the following:
• If you want the tool to remember the time period for which a chart is
plotted, select the Remember time selection for charts check box.
• If you want the reports to use the time settings of your NetScaler
appliance, select the Use Appliance’s time zone check box.
Exporting and Importing Custom Reports

You can share reports with other NetScaler administrators by exporting reports.
You can also import reports.
To export or import custom reports
1. In the left pane of the Reporting tool, next to Custom Reports, click the
Click to manage custom reports icon.
2. Select the check box that corresponds with the report you want to export or
import, and then click Export or Import.
Note: When you export the file, it is exported in a .gz file format.
Working with Charts

Use charts to plot and monitor counters or groups of counters. You can include up
to four charts in one report. In each chart, you can plot up to 32 counters. The
charts can use different graphical formats (for example, area and bar). You can
move the charts up or down within the report, customize the colors and visual
display for each counter in a chart, and delete a chart when you do not want to
monitor it.
In all report charts, the horizontal axis represents time and the vertical axis
represents the value of the counter.
Adding a Chart
When you add a chart to a report, the System Overview chart appears with the
CPU Usage counter plotted for the last day. To plot a different group of statistics
or select a different counter, see “Modifying a Chart,” on page 124.
Note: If you add charts to a built-in report, and you want to retain the report,
you must save the report as a custom report.
Use the following procedure to add a chart to a report.
To add a chart to a report
2. Under the chart where you want to add the new chart, click the Add
icon.
Modifying a Chart
You can modify a chart by changing the functional group for which the statistics
are displayed and by selecting different counters.
To modify a chart
2. Under the chart that you want to modify, click Counters.

3. In the dialog box that appears, in the Title box, type a name for the chart.
4. Next to Plot chart for, do one of the following:
• To plot counters for global counters, such as Integrated Cache and
Compression, click System global statistics.
• To plot entity counters for entity types, such as Load Balancing and
GSLB, click System entities statistics.
5. In Select group, click the desired entity.
6. Under Counters, in Available, click the counter name(s) that you want to
plot, and then click the > button.
7. If you selected System entities statistics in step 4, on the Entities tab ,
under Available, click the entity instance name(s) you want to plot, and
then click the > button.
8. Click OK.
Viewing a Chart
You can specify the graphical formats of the plotted counters in a chart. Charts
can be viewed as line charts, spline charts, step-line charts, scatter charts, area
charts, bar charts, stacked area charts, and stacked bar charts. You can also zoom
in, zoom out, or scroll inside the plot area of a chart. You can zoom in or out for
all data sources for 1 hour, 1 day, 1 week, 1 month, 1 year, and 3 years.
Other options for customizing the view of a chart include customizing the axes of
the charts, changing the background and edge color of the plot area, customizing
the color and size of the grids, and customizing the display of each data set
(counter) in a chart.
Data set numbers, such as Data Set 1, correspond to the order in which the
counters in your graph are displayed at the bottom of the chart. For example, if
CPU usage and Memory usage are displayed in first and second order at the
bottom of the chart, CPU usage is equal to Data Set 1 and Memory usage is
equal to Data Set 2.
Note: Whenever you modify a built-in report, you need to save the report as a
custom report to retain your changes.
To change the graph type of a chart
1. In the left pane of the Reporting tool, select a report.

2. In the right pane, under the chart you want to view, on the chart toolbar,
click Customize.
3. On the Chart tab, under Category, click Plot type, and then click the graph
type you want to display for the chart. If you want to display the graph is
3D, select the Use 3D check box.
To refocus a chart with detailed data

2. In the right pane, on the report toolbar, click Zoom In, and do one or both
of the following:
• To refocus the chart to display data for a specific time window, drag
and drop the cursor from the start time to the end time. For example,
you can view data for a one-hour period on a certain day.
• To refocus the chart to display data for a data point, simply click once
on chart where you want to zoom in and get more detailed
information.
3. Once you have the desired range of time for which you want to view
detailed data, on the report toolbar, click Tabular View. Tabular view
display the data in numeric form in rows and columns.
To view numeric data for a graph

2. In the right pane, on the report toolbar, click Tabular View. To return to the
graphical view, click Graphical View.
Note: You can also view the numeric data in the graphical view by
hovering your cursor over the notches in the gridlines.
To scroll through time in a chart

2. In the right pane, on the report toolbar, click Scroll, and then click inside
the chart and drag the cursor in the direction for which you want to see data
for a new time period. For example, if you want to view data in the past,
click and drag to the left.
To change the background color and text color of a chart

2. In the right pane, under the chart for which you want to customize the axes,
click Customize.
3. On the Chart tab, under Category, click one or more of the following:
• To change the background color, click Background Color, and then
select the options for color, transparency, and effects.
• To change the text color, click Text Color, and then select the options
for color, transparency, and effects.
To customize the axes of a chart

2. In the right pane, under the chart for which you want to customize the axes,
click Customize.
3. On the Chart tab, under Category, click one or more of the following:
• To change the scale of the left y-axis, click Left Y-Axis, and then
select the scale you want.
• To change the scale of the right y-axis, click Right Y-Axis, in Data
set to plot, select the date set, and then select the scale you want.
Note: The data set numbers, such as Data Set 1, correspond to the
order in which the counters in your graph are displayed at the bottom
of the chart. For example, if CPU usage and Memory usage are
displayed in first and second order at the bottom of the chart, CPU
usage is equal to Data Set 1 and Memory usage is equal to Data Set
2.
• To plot each data set in its own hidden y-axis, click Multiple Axes,
and then click Enable.
To change the background color, edge color, and gridlines for a plot area of
a chart

2. In the right pane, under the chart for which you want to customize the plot
area, click Customize.
3. On the Plot Area tab, under Category, click one or more of the following:
• To change the background color and edge color of the chart, click
Background Color and Edge Color, and then select the options for
color, transparency, and effects.
• To change the horizontal or vertical grids of the chart, click
Horizontal Grids or Vertical Grids, and then select the options for
displaying the grids, grid width, grid color, transparency, and effects.
To change the color and graph type of a data set

2. In the right pane, under the chart for which you want to customize the
display of the data set (counters), click Customize.
3. On the Data Set tab, in Select Data Set, select the data set (counter) for
which you want to customize the graphical display.
Note: The data set numbers, such as Data Set 1, correspond to the order
in which the counters in your graph are displayed at the bottom of the chart.
For example, if CPU usage and Memory usage are displayed in first and
second order at the bottom of the chart, CPU usage is equal to Data Set 1
and Memory usage is equal to Data Set 2.
4. Under Category, do one of more of the following:

• To change the background color, click Color, and then select the
options for color, transparency, and effects.
• To change the graph type, click Plot type, and then select the graph
type you want to display for the data set. If you want to display the
graph as 3D, select the Use 3D check box.
Exporting Chart Data to Excel

For further data analysis, you can export charts to Excel in a comma-separated
value (CSV) format.
To export chart data to Excel

2. In the right pane, under the chart with the data you want to export to Excel,
click Export.
Deleting a Chart
If you do not want to use a chart, you can remove it from the report. You can
permanently remove charts from custom reports only. If you delete a chart from a
built-in report and want to retain the changes, you need to save the report as a
custom report.
To delete a chart

2. In the right pane, under the chart that you want to delete, click the
Delete icon.
Examples
To display the trend report for CPU usage and memory usage for the last
week
1. In the left pane of the Reporting tool, under Built-in Reports, expand
System.
2. Click the report CPU vs. Memory Usage and HTTP Requests Rate.
3. In the right pane, on the report toolbar, click Duration, and then click Last
Week.
To compare bytes the received rate and the bytes transmitted rate between
two interfaces for the last week
1. In the right pane, on the report toolbar, click Create.

2. In the Report Name box, type a name for the custom report (for example,
Custom_Interfaces), and then click OK.
The report is created with the default System Overview chart, which
displays the CPU Usage counter plotted for the last hour.
3. Under System Overview, on the chart toolbar, click Counters.

4. In the counter selection pane, in Title, type a name for the chart (for
example, Interfaces bytes data).
5. In Plot chart for, click System entities statistics, and then in Select
Group, select Interface.
6. On the Entities tab, click the interface name(s) you want to plot (for
example, 1/1 and 1/2), and then click the > button.
7. On the Counters tab, click Bytes received (Rate) and Bytes transmitted
(Rate), and then click the > button.
8. Click OK.
9. On the report toolbar, click Duration, and then click Last Week.
How Data Collection Works

The performance data is stored in different data sources in the NetScaler. The
default data source is /var/log/db/default. You can create up to 32 data sources.
The data collection utility nscollect retrieves data from the NetScaler and updates
the data source. This utility runs automatically when you start the NetScaler. It
creates a database for global counters at /var/log/db/<DataSourceName>. The
entity-specific databases are created based on the entities configured on the
NetScaler. A specific folder is created for each entity type in
/var/log/db/<DataSourceName>/<EntityNameDB>.
Before creating a database for an entity, nscollect allocates a unique number to
the entity and creates the database based on that number. It retrieves all the
counters available for a group. However, there is a limit on the number of
different entities that nscollect can retrieve, as described in the table “Limits on
entity numbers retrieved by nscollect,” on page 130.
The nscollect utility retrieves n number of entity counters and creates the entity
database. If the first n counters change in the subsequent fetch, the database stores
more than n entries for that entity type. However, you need to delete the unused
entity counters manually.
Note: The Reporting tool supports only numerical counters.
Limits on entity numbers retrieved by nscollect

Entity Name Limit
Content Switching Virtual Servers 100
Cache Redirection Virtual Servers 50
DOS Policies 100
GSLB Domains 100
GSLB Services 100
GSLB Sites 32
GSLB Virtual Servers 100
Interfaces 8
LB Virtual Servers 100
ACLs 100
ACL6 50
Priority Queuing Policies 100
RNAT IP Addresses 100
SureConnect Policies 100
Services 250
Service Groups 100
Limits on entity numbers retrieved by nscollect

Entity Name Limit
System CPU 8
VLAN 25
VPN Virtual Servers 5
By default, nscollect retrieves data at every 5-minute interval. Data is maintained

in 5-minute granularity for one day, hourly for the last 30 days, and daily for three
years.
The nscollect utility can also import data from the newnslog file (within the same
release or across releases) to the data source. For more information about
importing from newnslog files, see “Creating a Data Source,” on page 132.
Stopping and Starting the Data Collection Utility

When you start the NetScaler, the nscollect utility automatically starts. However,
if data is not updated accurately or corrupted data is displayed in the reports, you
can stop and then restart the utility. You may also want to stop nscollect to back
up the databases or to create a new data source.
To stop nscollect
At a NetScaler command prompt, type the following:

/netscaler/nscollect stop
You can start nscollect on either the local system or a remote system.
To start nscollect on the local system

/netscaler/nscollect start
To start nscollect on the remote system

/netscaler/nscollect start -U <NS_IP:UserName:Password> -ds
<DataSourceName>
Example
/netscaler/nscollect start -U 10.102.29.170:nsroot:nsroot -ds
default
Creating a Data Source

The nscollect utility can import data from the newnslog files (within the same
release or across releases) to the data source. When you set nscollect to import
data from a newnslog file, it imports the data at 5-minute intervals by default.
However, you can set nscollect to import data from a newnslog file for a specific
duration. Before importing data from the file, you can clean the data source.
You must clean the data source before importing data from multiple files if you
import the data in any order other than that in which the newnslog files were
created (that is, using the incremental method in temporal order).
Use one of the following procedures to import data from newnslog files.
To import data from a file at the default time interval
At a NetScaler command prompt, type the following command:

/netscaler/nscollect import -file <FileName> -ds <DataSourceName>
Example
/netscaler/nscollect import -file newnslog.24 -ds default
To import data from a file for a specific duration

-starttime <MMDDYYYYHHMM> -endtime <MMDDYYYYHHMM>
Example
/netscaler/nscollect import -file newnslog.3 -ds default -starttime
112220080735 -endtime 112320080735
To clean the data source and import data

-clean
Example
/netscaler/nscollect import -file newnslog.15 -ds default -clean

NS Admin Guide

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

NS Admin Guide

Încărcat de

Drepturi de autor:

Formate disponibile

Citrix NetScaler Administration Guide

Citrix® NetScaler® 9.2

Chapter 1 Citrix NetScaler Authentication and Authorization

Configuring SNMP V3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

Chapter 3 Audit Server Logging

Chapter 4 Web Server Logging

Installing the NSWL files on the Logging System . . . . . . . . . . . . . . . . . . . . . . . . .75

Chapter 5 Advanced Configurations

Chapter 6 Reporting Tool

Using the Reporting Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119

About This Guide

• Chapter 4, “Web Server Logging.” Configure Web server logging to

New in This Release

Do not type the brackets themselves.

To view the documentation

1. From a Web browser, log on to the NetScaler.

Getting Service and Support

To provide feedback from the Knowledge Center home page

1. Go to the Knowledge Center home page at http://support.citrix.com/.

Citrix NetScaler Authentication and

NetScaler authentication and authorization functions are of two basic types.The

Creating a User Account

To create a user account, use either of the following procedures.

To add a user account using the configuration utility

1. In the navigation pane, expand System and click Users.

To add a user account using the NetScaler command line

At the NetScaler command prompt, type:

Changing a User Password

To change a user password, use either of the following procedures.

To change the user password using the configuration utility

1. In the navigation pane, expand System and click Users.

To change the user password using the NetScaler command line

At the NetScaler command prompt, type:

Removing User Accounts

To remove a user account using the configuration utility

1. In the navigation pane, expand System and click Users.

To remove a user using the NetScaler command line

At the NetScaler command prompt, type:

Use either of the following procedures to add a group.

To add a group using the configuration utility

1. In the navigation pane, expand System and click Groups.

To add a group using the NetScaler command line

At the NetScaler command prompt, type:

add system group Managers

Binding a User to a Group

To bind a user to a group, use either of the following procedures.

To bind a user to a group using the configuration utility

1. In the navigation pane, expand System and click Groups.

To bind a user to a group using the NetScaler command line

At the NetScaler command prompt, type:

To remove a group using the configuration utility

1. In the navigation pane, expand System and click Groups.

To remove a group using the NetScaler command line

help cli, show cli attribute, clear cli prompt,

Built-in Command Policies

Policy Name Allows

Creating Custom Command Policies

• Regular expressions used in command policies are case insensitive.

Command Specification Matches these Commands

Policy Name Command Specification Regular Expression

operator (^man.*)|(^show\s+(?!system)(?!ns ns.conf)(?!ns

network ^(?!shell)\S+\s+(?!system)(?!ns ns.conf)(?!ns