NetScaler

From Network Security Wiki


This page is under construction.

Basics

  • A NetScaler is deployed in front of a server farm and functions as a transparent proxy between client and server, without requiring any client-side configuration.
#ship
#show connectiontable
#config ns
OR
#set ns config -Ipaddress <IP> -netmask <mask>
#add ns ip <IP> <subnet mask> -mgmtAccess [Enabled|Disabled] -type MIP
  • Adding Virtual Server automatically creates a VIP
  • VLAN tagging does not propagate in NS HA Pairs
  • Can create null routes to prevent routing loops
  • Two interfaces should not be plugged into the same port or VLAN unless link aggregation is used
  • No IP-to-interface mapping => floating IP configuration
  • Why? In HA, when the Primary fails, the Secondary takes over with no loss of service.
  • When the backend application expects requests for a specific hostname, or redirects you to that hostname, the NetScaler should be configured as below:
- Configure the VIP for the same Hostname
- Use URL Transformation to achieve the same

LB Methods

Least Connection = Service with the fewest active connections
Round Robin = Rotates through the list of services
Least Response Time (LRTM) = Fewest active connections and lowest average response time
Least Bandwidth = Service serving the least amount of traffic, measured in Mbps
Least Packets = Service that has received the fewest packets
Source IP Hash
Destination IP Hash

Persistence Methods

SOURCE IP =
COOKIE Insert = Connections having same HTTP Cookie inserted by Set-Cookie directive from server belong to same persistence session.
SSL Session = Connections having same SSL session ID
RULE = All connection matching a user defined rule
URL Passive = Requests having the same server ID (hexadecimal of server IP & port) of the service to which the request is to be forwarded
Dest IP =
SRC IP DST IP =
CALL ID = Same Caller ID in SIP Header


NetScaler Topology Diagram

[Image: Netscaler ZenDesktop.png]

  • StoreFront and License server can be installed in the same server to save lab resources.
SNIP:x.x.x.79
VIP:(NS Gateway) :x.x.x.87

NS IP address details

[Image: Netscaler Zendesktop 2.png]

Integrating with SAML Server

You need to have a SAML Server to achieve below setups:


NetScaler as SP

[Image: SAML Server.png]

IP Address Scheme

IP Address      Role              Hostname
10.107.88.70    SAML Server       saml.testlab.com
10.107.88.69    Netscaler VIP     aaavip.testlab.com
10.107.88.79    Netscaler SNIP    samlvip.testlab.com
10.107.88.93    Backend Server
10.107.88.80    LDAP Server       ad.testlab.com

Configuration

add ns ip 10.107.88.78 255.255.255.224 -type NSIP -vServer DISABLED -mgmtAccess ENABLED -dynamicRouting ENABLED
add ns ip 10.107.88.67 255.255.255.224 -type VIP -snmp DISABLED
add ns ip 10.107.88.87 255.255.255.224 -vServer DISABLED -gui DISABLED -ssh DISABLED -mgmtAccess ENABLED
add service Server3 Ubuntu_Server HTTP 8083 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add service Server4 Ubuntu_Server HTTP 8084 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add service Server1 Ubuntu_Server HTTP 8081 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add service Server2 Ubuntu_Server HTTP 8082 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
add ssl certKey web.testlab.com -cert web.testlab.com.CER
add ssl certKey sf.testlab.com -cert sf.testlab.com.cer -key sf.testlab.com.key -passcrypt "gScQiu+ULgg="
add ssl certKey testlab-root -cert root.cer -passcrypt "gScQiu+ULgg="
add ssl certKey IDP-Cert -cert idp.crt
add authentication samlIdPProfile SAML-IDP-Profile -samlIdPCertName sf.testlab.com -assertionConsumerServiceURL "https://saml.testlab.com/simplesaml/"
add lb vserver Saml-Test-Srv SSL 10.107.88.79 443 -persistenceType SOURCEIP -cltTimeout 180 -AuthenticationHost aaavip.testlab.com -Authentication ON -authnVsName Saml-vServer
add authentication vserver Saml-vServer SSL 10.107.88.69 443
set ns encryptionParams -method AES256 -keyValue 4bd351ed61dbec30ef34ffeafc8d94acdd35e3336fa0b881780f72b293ec33c89ea91201302a0649da1970d4e5fcb5c50a83c0f95c28a29e9b57c9619dd6259b4c55debd1eff2f6ce714fe5974675220 -encrypted -encryptmethod ENCMTHD_3
bind lb vserver Saml-Test-Srv Server3
add dns nameServer 10.107.88.80
add lb monitor STAMONNHOP-webServer CITRIX-STA-SERVICE-NHOP -LRTM DISABLED -interval 2 MIN -resptimeout 4 -downTime 5 -destIP 10.107.88.93 -destPort 8083
add authentication samlAction Saml-vServer -samlIdPCertName sf.testlab.com -samlSigningCertName sf.testlab.com -samlRedirectUrl "https://saml.testlab.com/simplesaml/saml2/idp/SSOService.php" -samlUserField sAMAccountName -samlRejectUnsignedAssertion OFF -samlIssuerName testlab-AD-CA -Attribute1 sAMAccountName -logoutURL "https://saml.testlab.com/simplesaml/saml2/idp/SingleLogoutService.php" -skewTime 30
add authentication samlPolicy Saml-Policy ns_true Saml-vServer
bind authentication vserver Saml-vServer -policy Saml-Policy -priority 100
bind ssl vserver Saml-Test-Srv -certkeyName sf.testlab.com
bind ssl vserver Saml-Test-Srv -certkeyName testlab-root -CA -ocspCheck Optional
bind ssl vserver Saml-vServer -certkeyName sf.testlab.com
set ns param -timezone "GMT+05:30-IST-Asia/Kolkata"
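A static check over configuration lines of this shape, added as an example (not NetScaler tooling). It parses the CLI syntax into options and flags three settings a reviewer would question in the dump above: management access enabled on an IP that is not the NSIP, -samlRejectUnsignedAssertion OFF, and an optional OCSP check on a CA binding. The sample input is a constructed subset of the lines above; the assumed default IP type (SNIP) is an assumption.

```python
"""Static audit of NetScaler CLI configuration lines. Added example, not
NetScaler tooling; SAMPLE_CONFIG is a constructed subset of the page's
configuration and the SNIP default for 'add ns ip' is an assumption."""
import shlex
from dataclasses import dataclass

SAMPLE_CONFIG = """
add ns ip 10.107.88.78 255.255.255.224 -type NSIP -vServer DISABLED -mgmtAccess ENABLED -dynamicRouting ENABLED
add ns ip 10.107.88.87 255.255.255.224 -vServer DISABLED -gui DISABLED -ssh DISABLED -mgmtAccess ENABLED
add authentication samlAction Saml-vServer -samlIdPCertName sf.testlab.com -samlSigningCertName sf.testlab.com -samlRedirectUrl "https://saml.testlab.com/simplesaml/saml2/idp/SSOService.php" -samlUserField sAMAccountName -samlRejectUnsignedAssertion OFF -samlIssuerName testlab-AD-CA -skewTime 30
bind ssl vserver Saml-Test-Srv -certkeyName testlab-root -CA -ocspCheck Optional
bind ssl vserver Saml-Test-Srv -certkeyName sf.testlab.com
"""


@dataclass
class Finding:
    line: int
    message: str


def parse_line(line):
    """Split one CLI line into positional words and an {option: value} map.
    Options are the '-name' tokens (keys lower-cased, as the CLI is
    case-insensitive); a '-name' followed by another option or by nothing
    is a bare flag and is recorded as True."""
    tokens = shlex.split(line)
    positional, opts = [], {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and not tok[1:].isdigit():
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("-"):
                opts[tok[1:].lower()] = nxt
                i += 2
            else:
                opts[tok[1:].lower()] = True
                i += 1
        else:
            positional.append(tok)
            i += 1
    return positional, opts


def _opt(opts, name, default=""):
    return str(opts.get(name, default)).upper()


def audit_config(text):
    findings = []
    lines = [l for l in text.splitlines() if l.strip()]
    for n, raw in enumerate(lines, start=1):
        pos, opts = parse_line(raw)
        cmd = " ".join(pos[:3]).lower()
        if cmd == "add ns ip":
            ip_type = _opt(opts, "type", "SNIP")   # assumed default when -type is absent
            if ip_type != "NSIP" and _opt(opts, "mgmtaccess") == "ENABLED":
                findings.append(Finding(n, f"{pos[3]}: management access enabled on a {ip_type}; "
                                           "keep administrative access on the NSIP only"))
        elif cmd == "add authentication samlaction":
            if _opt(opts, "samlrejectunsignedassertion") == "OFF":
                findings.append(Finding(n, f"{pos[3]}: unsigned SAML assertions are accepted; "
                                           "set -samlRejectUnsignedAssertion ON"))
        elif cmd == "bind ssl vserver":
            if opts.get("ca") is True and _opt(opts, "ocspcheck") == "OPTIONAL":
                findings.append(Finding(n, f"{pos[3]}: OCSP check on the CA binding is optional; "
                                           "a missing OCSP response will not fail validation"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line}: {f.message}")
```

The same parser can be pointed at a full `show ns runningConfig` dump; the three checks are a starting set, and each finding names the object so it can be traced back to the originating line.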

Screenshots

This section is under construction.


Logs

This section is under construction.

Packet Captures

This section is under construction.

NetScaler as IDP

This section is under construction.


Troubleshooting

  • For Netscaler:
> set syslogParams -logLevel ALL


API Calls

Reboot Netscaler
curl -s -k -X POST -H 'Content-Type:application/vnd.com.citrix.netscaler.reboot+json' --basic --user nsroot:pwd@123 -d '{"reboot":{"warm":true}}' http://10.107.88.78/nitro/v1/config/reboot/
Last Boot time
curl -s -k -X GET -H 'Content-Type:application/json'  --basic --user nsroot:pwd@123 http://10.107.88.78/nitro/v1/stat/system?attrs=starttime
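The two calls above, as an added Python example (not Citrix code). It assembles the same NITRO requests but passes the credentials in the X-NITRO-USER / X-NITRO-PASS headers instead of on the command line, and records a warning when the base URL is plain http, since the curl lines above send the nsroot password in cleartext. The appliance address and credentials are those quoted above; the client class and its method names are this example's own.

```python
"""Builds the NITRO reboot and start-time requests shown above. Added
example, not Citrix code; NitroClient and its methods are this example's
own names, and the address/credentials are the page's sample values."""
import json
from dataclasses import dataclass
from typing import Optional
from urllib import request
from urllib.parse import urlsplit


@dataclass
class NitroRequest:
    method: str
    url: str
    headers: dict
    body: Optional[bytes]
    warnings: list


class NitroClient:
    def __init__(self, base_url, user, password):
        self.base_url = base_url.rstrip("/")
        self.user, self.password = user, password

    def _build(self, method, path, content_type="application/json", payload=None):
        url = f"{self.base_url}/nitro/v1/{path.lstrip('/')}"
        # NITRO accepts the credentials in these headers, which keeps them out of
        # shell history and process listings (unlike --user on the curl command line)
        headers = {"Content-Type": content_type,
                   "X-NITRO-USER": self.user,
                   "X-NITRO-PASS": self.password}
        body = json.dumps(payload).encode() if payload is not None else None
        warnings = []
        if urlsplit(url).scheme != "https":
            warnings.append("plain http: credentials and commands are sent in cleartext")
        return NitroRequest(method, url, headers, body, warnings)

    def reboot(self, warm=True):
        # same resource and media type as the POST shown above
        return self._build("POST", "config/reboot/",
                           "application/vnd.com.citrix.netscaler.reboot+json",
                           {"reboot": {"warm": warm}})

    def last_boot_time(self):
        return self._build("GET", "stat/system?attrs=starttime")

    def send(self, req, timeout=10):
        """Transmit a built request; not exercised offline."""
        r = request.Request(req.url, data=req.body, headers=req.headers, method=req.method)
        with request.urlopen(r, timeout=timeout) as resp:
            return json.loads(resp.read().decode())


if __name__ == "__main__":
    client = NitroClient("http://10.107.88.78", "nsroot", "pwd@123")
    for req in (client.reboot(), client.last_boot_time()):
        print(req.method, req.url, req.body, req.warnings)
```

Switching the base URL to https://10.107.88.78 removes the warning; the request builder is separated from send() so the exact method, URL, headers and body can be inspected or logged before anything reaches the appliance.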



