IT Techy Minds -- We run and explore the IT

Start Learning Citrix NetScaler - Part 3- Setting up NetScaler

Hi Citrix Admins

We will now talk about how to set up NetScaler, licensing and High Availability.

Please download the NetScaler VPX from the Citrix website.

https://www.citrix.com/lp/try/netscaler-vpx-platinum.html?utm_campaign=WWWB0511NSTRDIYDR&utm_medium=Paid+Search+(SEM)&utm_source=sem-net-adc-em-en-sea-go&utm_term=Brand&utm_content=ns-do&ctm_programid=wwwb0511nstrdiydr&gclid=CjwKCAjw-dXaBRAEEiwAbwCi5tZ3OQHyD31vNggbt-jerIsQFwhq-wV2qSqT6cnwsTq0V9cgajCAhBoCpfQQAvD_BwE#/email

The link can change in the future, so search Google for "download Citrix NetScaler VPX"; the first result will be the download link from citrix.com.

The demo download works for 90 days with a Platinum trial license, which enables all the features and is a good fit for lab testing.

The first step is to configure the NSIP in order to access the NetScaler GUI, and then set up the SNIP or MIP, root password and NTP.

After we import the VPX appliance into vSphere vCenter and boot it, it will ask for the management IP address of the NS instance.

NetScaler 1: 10.2.1.11

Netmask: 255.255.255.0

Gateway: 10.2.1.1

Second instance:

NetScaler 2: 10.2.1.12

Netmask: 255.255.255.0

Gateway: 10.2.1.1

Once done with the IP, proceed to save the configuration.

Select option 4 and the NS configuration will start automatically.

Browse to 10.2.1.11 and 10.2.1.12 from a browser, or telnet via PuTTY, depending on how you want to configure and work.

Log in with the default credentials: nsroot and nsroot.

After login it will ask for the subnet IP details.

It is advisable to change the password from the default and select the time zone.

Perform the same on the other NetScaler node. We will move to the configuration section to perform further operations, but it will throw us back to the initial screen because we have not deployed licenses on the NS devices.

But there is a way out. Click the Skip button at the top right to reach the configuration section.

If you have many team members working on NS, set up groups and users to give team members different types of access.

Create groups --> set the type of access (operator, read-only, network or superuser).

Create users and make them members of groups accordingly.

As the last step, set up the NTP details.

 

Setting up NetScaler License:- To set up the license file we need to log in to Citrix.com and generate a license file corresponding to the NS appliance MAC address.

The file should be available on the NS at boot time so it can be read during boot; otherwise the appliance will be considered unlicensed.

Use this machine id in the Citrix portal for generating the license.

https://support.citrix.com/article/CTX130498 

https://support.citrix.com/article/CTX133147

Deploy the license files and reboot the appliance (this should be performed on both NS devices).

Setting up NS HA or Clustering:- It is important that both nodes run the same build and version to achieve this.

HA and clustering are two different things.

For clustering, we need a separate license; it works in Active-Active mode (both nodes share the load).

There can be a minimum of 2 and a maximum of 32 devices in cluster mode. All the configuration will replicate except SNIP or MIP.

There are 2 methods to configure the SNIP / MIP in the cluster, called Striped and Spotted.

Striped:- All the NS nodes share the same SNIP (Citrix doesn't recommend it, as it creates problems with ARP).

Spotted:- Each NS has a different SNIP; this is recommended by Citrix.

NetScaler HA:-

It is available with all versions and works in Active-Passive mode (the passive node becomes active in case of active node failure).

1. All the NetScaler configuration is synced to the secondary node.

2. Heartbeats every 200 ms over UDP port 3003

3. Both nodes sync over ports 3010 and 3008

4. Command propagation over ports 3008 and 3011

5. File sync over TCP / 22

Configuring HA is quite simple.

1. Log in to any of the NetScalers with nsroot --> System configuration --> High Availability

Both NS will show the node as primary, so do not worry.

Click on Add button -->

Enter the IP of the other node and the nsroot user name & password.

That's all. Sync will take some time, and the primary node configuration will replace the secondary's.

A force sync operation can be performed from the Action option in the window as needed.
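
The same setup steps typed at the NetScaler command line instead of the GUI, as an added example that is not part of the original post. The SNIP and NTP addresses, the group and user names, and the `<...>` password placeholders are constructed for illustration; the NSIPs are the ones used above.

```netscaler
# Added example: CLI equivalents of the GUI steps described in this post.
# Constructed values: SNIP 10.2.1.21, NTP server 10.2.1.5,
# group "ns-readonly", user "jdoe", and the <...> password placeholders.

# --- NetScaler 1 (NSIP 10.2.1.11), logged in as nsroot ---

# Subnet IP used to reach the backend servers
add ns ip 10.2.1.21 255.255.255.0 -type SNIP

# Replace the default nsroot / nsroot credential
set system user nsroot <new-nsroot-password>

# Group bound to a built-in command policy
# (read-only, operator, network or superuser), then a user as its member
add system group ns-readonly
bind system group ns-readonly -policyName read-only 100
add system user jdoe <jdoe-password>
bind system group ns-readonly -userName jdoe

# NTP
add ntp server 10.2.1.5
enable ntp sync

# HA: point this node at its peer
add ha node 1 10.2.1.12
save ns config

# --- NetScaler 2 (NSIP 10.2.1.12) ---
# Change the nsroot password here as well, then point back at node 1
add ha node 1 10.2.1.11
save ns config

# --- Verify on either node ---
# One node should report Primary and the other Secondary
show ha node
show system group ns-readonly
```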

Thanks for reading the article and keep visiting.

Thanks

Amit Kumar Gupta

CCA in XenApp/XenDesktop/XenServer,Google Cloud Architect, MCSE, ITIL, Vmware Certified

Microsoft certified - Planning for Security Incident response.

https://www.linkedin.com/in/amit-kumar-gupta-5321a527/ 

How to Mitigate Pass-the-Hash and Other Forms of Credential Theft

Hi visitors

Here is a very good presentation from the MS cybersecurity team on how to mitigate hash breaches in your organization.

It's important to view the whole video.

Very useful case studies on hash attacks.

 

https://technet.microsoft.com/en-us/security/dn785092

Thanks

Amit Kumar Gupta

CCA in XenApp/XenDesktop/XenServer,Google Cloud Architect, MCSE, ITIL, Vmware Certified.

https://www.linkedin.com/in/amit-kumar-gupta-5321a527/

Start Learning Citrix NetScaler - Part 2- Introduction Topology

Hello Visitors

Now that we have a better understanding of the basics, it is time to learn about the kinds of network topology that can be used with NS solutions.

1. Physical:- It depends on the network interfaces connected to the NetScaler.

One Arm:- It uses one network interface to connect to both client and server. It depends heavily on one network interface and can cause traffic choke-up depending on the network connection speed settings.

Two Arm:- 2 network interfaces are used to handle the connection.

One network interface connects to the client and another interface connects to the backend servers. NetScaler is placed between both interfaces. It is also called inline topology.

So the decision between one arm and two arm can be made based on the factors below.

1. Number of interfaces on the NS

2. Does your company policy allow the NetScaler network to expose the backend server network and the internet-facing network?

3. Two arm is more secure and the more commonly used one.

4. Two arm provides more bandwidth, as there is a separate network for each side.

5. One arm is limited to the bandwidth of one network.

 

Logical:-  

Single Subnet:- Here the VIP and SNIP or MIP are from the same subnet. If the client can connect to the VIP then it can directly connect to the backend server, if there are no additional firewall rules in the middle.

[Figure: example of one-arm single-subnet topology]

Two Arm - Single Subnet Topology - In this, the VIP is not used and NetScaler plays a bridge role between the client and backend server for connectivity.

Multi-Subnet Topology:-

One Arm-Multi Subnet Topology:-

One network card connects to multiple subnets. Clients connect to the VIP and the SNIP connects to the backend server, but both are from different networks, and the backend server network is not exposed to the client network.

Two Arm - Multi Subnet Topology:- It is the most used topology and more secure from the compliance point of view.

There are different network interfaces for client and backend server connections, the same as two arm, but with different subnets for the two interfaces.

 

So it's up to your environment and IP network design to choose which topology best fits your organization.

Thanks

Amit Kumar Gupta

CCA in XenApp/XenDesktop/XenServer,Google Cloud Architect, MCSE, ITIL, Vmware Certified.

https://www.linkedin.com/in/amit-kumar-gupta-5321a527/

 

 

Start Learning Citrix NetScaler - Part 2- Introduction Basics

Hello Visitors

There are a few basic facts which should be clarified at the start for a better understanding of NS.

  1. What is Service?
  2. What is Vserver?
  3. What is SNIP?
  4. What is VIP?
  5. What is MIP?
  6. What is NSIP?

Let's start.

1. Service:- The term Service is used in NS to configure the integration between NetScaler & the backend server for application delivery. A Service consists of an application or web server which runs outside NetScaler. It includes name, IP address, protocol and port.

  • A Service gets bound to a VServer.

Name - Name of the backend server (for identification, so it could be different, but better to keep it the same)

IP Address - IP address of the backend server

Protocol:- HTTP or HTTPS or TFTP or others

Ports:- TCP or UDP

2. VServer:- A VServer handles the direct connections coming to the VIP, between client machines and the backend load-balanced Service. The VIP is mapped to the VServer, which consists of name, IP address, protocol, and port. The VServer is hosted on NetScaler itself and can perform compression and traffic redirection tasks.

  • VIP is owned by NetScaler.
  • The client connects to VIP
  • VServer performs load balancing via Service mapped with VServer.

3. SNIP:- SNIP stands for subnet IP, which is assigned to NetScaler and used for connecting to backend services in particular subnets.

It helps avoid IP routing on the network side; each service subnet should have a SNIP assigned to NetScaler to connect the incoming traffic.

Example: you should have 5 SNIPs assigned to NS if you have services in 5 different subnets.

4. MIP:- MIP stands for mapped IP address and is used for traffic routing to any service subnet if a SNIP is not defined in NS. In other words, it is the default IP address for connecting to the backend server when a SNIP is not defined.

SNIP / MIP:- It originates connections to the backend server and doesn't listen for new connections.

VIP and SNIP or MIP are opposite to each other.

5. NSIP:- It stands for NetScaler IP and is used for connecting to the NetScaler interface for management purposes.
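
How Service, VServer, VIP and SNIP fit together at the NetScaler command line, as an added example that is not part of the original post. All object names and IP addresses are constructed for illustration (documentation address ranges).

```netscaler
# Added example; all names and addresses are constructed.
#   VIP  192.0.2.10    client-facing address owned by NetScaler
#   SNIP 198.51.100.5  NetScaler's address in the backend subnet
#   Backend web servers: 198.51.100.21 and 198.51.100.22

# Load balancing must be enabled before a VServer can be used
enable ns feature LB

# SNIP: source address NetScaler uses to open connections to the
# backend subnet; it originates connections and does not listen
add ns ip 198.51.100.5 255.255.255.0 -type SNIP

# Services: one per backend server (name, IP address, protocol, port)
add service svc_web01 198.51.100.21 HTTP 80
add service svc_web02 198.51.100.22 HTTP 80

# VServer: listens on the VIP that clients connect to
add lb vserver vs_web HTTP 192.0.2.10 80

# Bind the Services to the VServer so it load-balances across them
bind lb vserver vs_web svc_web01
bind lb vserver vs_web svc_web02

# Check the VServer state and the state of each bound Service
show lb vserver vs_web
save ns config
```

Clients only ever see 192.0.2.10; the backend servers see connections arriving from 198.51.100.5.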

Keep visiting for next article -- coming soon

Thanks

Amit Kumar Gupta

CCA in XenApp/XenDesktop/XenServer,Google Cloud Architect, MCSE, ITIL, Vmware Certified.

https://www.linkedin.com/in/amit-kumar-gupta-5321a527/

 

How to boost monitoring & analysis using desktop director and NMAS

Hi Citrix Admins

Many of us will be using desktop director, XenDesktop or XenApp and NetScaler devices.

The biggest challenge for IT admins is how to get network analysis for Citrix users.

It's possible to integrate all the tools together to get the ICA traffic report for the Citrix environment.

The image and some of the content are taken from the Citrix site.

Director can access:

  • Real-time data from the Broker Agent using a unified console integrated with Analytics, Performance Manager, and Network Inspector.
  • Analytics includes performance management for health and capacity assurance, and historical trending and network analysis, powered by NetScaler Insight Center or NetScaler MAS, to identify bottlenecks due to the network in your XenApp or XenDesktop environment.
  • Historical data stored in the Monitor database to access the Configuration Logging database.
  • ICA data from the NetScaler Gateway using NetScaler Insight Center or NetScaler MAS.
  • Gain visibility into end-user experience for virtual applications, desktops, and users for XenApp or XenDesktop.
  • Correlate network data with application data and real-time metrics for effective troubleshooting.
  • Integrate with XenDesktop 7 Director monitoring tool.
  • Personal vDisk data that allows for runtime monitoring showing base allocation and gives help-desk IT the ability to reset the Personal vDisk (to be used only as a last resort).

Director uses a troubleshooting dashboard that provides real-time and historical health monitoring of the XenApp or XenDesktop Site. This feature allows administrators to see failures in real time, providing a better idea of what the end users are experiencing.

Director integrates with NetScaler MAS for network analysis and performance management.

  1. Network analysis obtains HDX Insight reports from NetScaler MAS and provides an application and desktop view of the network. With this feature, the Director provides an advanced analytics view of ICA traffic in your deployment.
  2. Performance management provides historical retention and trend reporting. With the historical retention of data versus the real-time assessment, you can create Trend reports, including capacity and health trending.


We will see some more data in the Network tab of Desktop Director after implementing the integration.

The Network tab in the Trends page shows latency and bandwidth effects for applications, desktops, and users across your deployment.
The User Details page shows latency and bandwidth information specific to a particular user session.

Limitations

  1. The availability of this feature depends on your organization's license and your administrator permissions.
  2. ICA session Round Trip Time (RTT) shows data correctly for Citrix Receiver for Windows 3.4 or later and for Citrix Receiver for Mac 11.8 or later. For earlier versions of these Receivers, the data does not display correctly.
  3. In the Trends view, HDX connection logon data is not collected for VDAs earlier than version 7. For earlier VDAs, the chart data is displayed as 0.
  4. For deployments that already have an external hard disk with storage space less than 500 GB, you cannot add another hard disk.

How to integrate Desktop director with NMAS.

To enable network analysis, you must install and configure NetScaler Insight Center or NetScaler MAS in Director. Director requires NetScaler MAS Version 11.1 Build 49.16 or later. Insight Center and MAS are Virtual appliances that run on the Citrix XenServer. Using network analysis, Director communicates and gathers the information that is related to your deployment.

For more information, see the NetScaler Insight Center or NetScaler MAS documentation.

  1. On the server where Director is installed, locate the DirectorConfig command line tool in C:\inetpub\wwwroot\Director\tools, and run it with parameter /confignetscaler from a command prompt.
  2. When prompted, enter the NetScaler Insight Center or NetScaler MAS machine name (FQDN or IP address), enter the username, password, HTTP or HTTPS connection type, and choose NetScaler Insight or NetScaler MAS integration.
  3. To verify the changes, log off and log back on.

Keep visiting us.

Thanks

Amit Kumar Gupta

CCA in XenApp / XenDesktop/ XenServer, Google Cloud Architect, MCSE, ITIL, Vmware Certified.

https://www.linkedin.com/in/amit-kumar-gupta-5321a527/
