NetScaler VPX Upgrade
- Login to MyCitrix and Select Downloads
- Select NetScaler Gateway / Product Software
- Select the Versions required
- Download the nCore-Appliance Software (nCore)
- Login to NetScaler
- Select Configuration / Save Running State
- Select Configuration / System / Backup and Restore
- Select Upgrade Wizard, follow the prompts and select the downloaded file.
- Check the AAA parameters with show aaa parameter
- Set the AAA user limit: set aaa parameter -maxAAAUsers 300
** To upgrade VPX, download the NetScaler ADC Firmware (Old location) – http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-1-map/ns-rn-upgrade-ns-sw-10-1-con.html
NetScaler Backup and Restore
- Login to Netscaler via SSH and run [save ns config]
- WinSCP into the NetScaler and back up the following directories and files under /nsconfig and /var:
  - /nsconfig/: ssl/*, license/*, fips/*
  - /var/: netscaler/ssl/*, wi/java_home/jre/lib/security/cacerts/*, wi/java_home/lib/security/cacerts/*
- Back up the NetScaler using the configuration utility: navigate to System > Backup and Restore.
Apache server-status enabled
The remote web server discloses sensitive information about its status, when the URL ‘/server-status’ is requested. The server returns information such as current hosts and requests being processed, the number of idle servers, and CPU utilization. This information may be used by an attacker to craft further attacks.
Apache /server-status displays information about your Apache status. If you are not using this feature, disable it.
Possible sensitive information disclosure.
Disable this functionality if not required. Comment out the <Location /server-status> section in httpd.conf.
*** The following article must be followed to ensure the customizations on the NetScaler are retained after the appliance has been rebooted: http://support.citrix.com/article/CTX122271
Edit /etc/httpd.conf and comment out the highlighted 5 lines:

```apache
# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your-domain.com" to match your domain to enable.
#
#<Location /server-status>
#    SetHandler server-status
#    Order deny,allow
#    Deny from all
#    Allow from all
#</Location>
```

Copy httpd.conf to /var and create /flash/nsconfig/nsbefore.sh:

```sh
#!/bin/bash
# Stop the running Apache instance, restore the hardened config kept in /var
# (which survives a reboot, unlike the /etc copy) and start httpd with it
killall -9 httpd
cp /var/httpd.conf /etc/httpd.conf
/bin/httpd -f /etc/httpd.conf
```

Then run save ns config.
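An added example, not from the page or from Citrix, that audits an httpd.conf text for an active /server-status block and applies the comment-out fix described above; the sample configuration fragment is constructed.

```python
import re

# Constructed sample of the relevant httpd.conf region (not the page's file):
# the block as shipped, which exposes /server-status to anyone who can reach the port.
SAMPLE_CONF = """\
# Allow server status reports, with the URL of http://servername/server-status
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from all
</Location>
"""

LOC_OPEN = re.compile(r"<Location\s+/server-status\s*>", re.I)
LOC_CLOSE = re.compile(r"</Location\s*>", re.I)


def server_status_state(conf_text):
    """Audit: 'disabled' if no active <Location /server-status> sets the handler,
    'open' if it is active with 'Allow from all', otherwise 'restricted'."""
    inside = handler = allow_all = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # commented-out lines never count
            continue
        if LOC_OPEN.match(line):
            inside, handler, allow_all = True, False, False
        elif inside and LOC_CLOSE.match(line):
            if handler:
                return "open" if allow_all else "restricted"
            inside = False
        elif inside:
            handler = handler or bool(re.match(r"SetHandler\s+server-status", line, re.I))
            allow_all = allow_all or bool(re.match(r"Allow\s+from\s+all$", line, re.I))
    return "disabled"


def comment_out_server_status(conf_text):
    """Remediate: prefix every line of an active <Location /server-status> block
    with '#', leaving the rest of the file (and already-commented blocks) untouched."""
    out, inside = [], False
    for raw in conf_text.splitlines():
        if not inside and LOC_OPEN.match(raw.strip()):
            inside = True
        closing = inside and LOC_CLOSE.match(raw.strip())
        out.append("#" + raw if inside else raw)
        if closing:
            inside = False
    return "\n".join(out) + "\n"
```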
Virtual DMZ with Multi-WAN
Research on how to create a virtual DMZ with Multi-WAN (multiple Internet connections) for inbound and outbound traffic.
The theory is that a user will hit a URL such as https://access.* which has multiple A records pointing to public IP addresses provided by different Internet Service Providers, NATed on the datacenter router and forwarded to a virtual VIF. Set up a subdomain with an HTML forwarder to a Dynamic DNS name or public IP address.
- Subdomain HTML
- Domain name Round Robin with public IP address for each Internet connection
- ZoneEdit Failover – http://www.zoneedit.com/failover.html
- Cisco 1841
- Vyatta or pfSense configure Multi-WAN
- Vyatta – http://www.vyatta.com/download/docdl?whence=
- PfSense Multi-WAN – http://securite-ti.com/pfSense_Web_Proxy_with_multi-WAN_links.pdf
- PfSense UTM – http://www.smallnetbuilder.com/security/security-howto/31451-build-your-own-utm-with-pfsense-part-2?start=3
- Dynamic DNS
- Active/Active NetScaler GSLB with Proximity and Site Roaming – http://support.citrix.com/servlet/KbServlet/download/28997-102-681498/XD%20-%20High%20Availability%20-%20Implementation%20Guide%20v2-2.pdf
- NetScaler XenDesktop Site Roaming redirects a user’s virtual desktop request to an appropriate site.
- Preferred Site – http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-override-static-proxim-by-using-preferred-locations-con.html
- AAGEE vServer for Multi-Tenancy customer1.*** customer2.**
- http://pimpmyvdisk.com/?p=411
- Error: 401- Unauthorized: Access is denied due to invalid credentials – http://support.citrix.com/article/CTX126883
- How to Enable Connection Proxy Persistence when Using Web Interface on a NetScaler Appliance with the GSLB Feature – http://support.citrix.com/article/CTX130248
- Citrix NetScaler Global Server Load Balancing Primer: Theory and Implementation – http://support.citrix.com/article/CTX123976
- IP, VM NICs and Switch Configuration Requirements
- Data Replication – Synchronous
- VM Replication – Asynchronous
- Data Backup (email/file)
- Data Archiving Cloud
Reference Active/Active Design
Securing Citrix NetScaler Access Gateway AAGEE and Web Interface
A few steps to secure Citrix NetScaler Access Gateway AAGEE and Web Interface and to reduce HTML / SQL injection attempts and brute-force password scripts.
- Set up Web Interface in HA and enable automatic updates with a variance of 30 mins for reboots. This should ensure all critical Microsoft updates are installed on your DMZ Windows servers and Internet-facing servers straight away.
- Implement Endpoint Analysis
- Implement CAPTCHA
- Implement Visual Keyboard
- Implement Drop down select for PIN (Log me in style)
- Put a 30 delay before allowing a retry after an incorrect password
- Implement 2Factor authentication
- Google Authenticator – http://support.citrix.com/article/CTX132808
- Setup Double Hop DMZ
- .NET / Java SSL Visual Keyboard WIP
Here is a fantastic article on NetScaler VPX Sizing : – http://www.kraftkennedy.com/blog/bid/102021/Citrix-NetScaler-VPX-Sizing
By the time I need to renew my NetScaler certificates I always forget how to do it. Plus most of the time it's a last minute rushed change. So here are the basic steps:
- Backup the Netscaler Config
```sh
pscp -v -p -pw <password> nsroot@<IP Address>:/nsconfig/* "c:\SSL_BACKUP\"
```
- Save Running Config
- Save Config – Configuration/System/Diagnostics/Technical Support Tools/Generate support file
- Extract the private and public keys from the PFX file provided by your Certificate Authority using the openssl command:

```sh
# Leaf certificate(s) only, no keys
openssl pkcs12 -in xxxx.pfx -out xxxx.crt -nokeys -clcerts
# Private key as a passphrase-protected PEM
openssl pkcs12 -in xxxx.pfx -clcerts -out privatekey.pem
# Strip the passphrase; xxxx.key is now unencrypted, so restrict its permissions and remove it after upload
openssl rsa -in privatekey.pem -out xxxx.key
```
- Connect to the NetScaler Management Interface via your Browser and select Configurations/SSL/Certificates
- Right click on Certificate and select Update, locate your Certificate.crt file & Private.Key file by selecting Browse Local > enter password if Certificate has a password otherwise leave it blank and click OK and Overwrite existing file.
- Check the Expiry date has been updated
- Upload the Intermediate Certificate Authority and link it to all corresponding keys.
- Verify the SSL certificate by using the SSL Certificate Verification Tool – https://ssl-tools.verisign.com/#certChecker
- Make sure the DR NetScaler with the same URL is updated as well. Test the DR NetScaler by changing the IP address of that URL in your local hosts file to the IP address of the DR NetScaler.
When we had a new load of users connecting into our XenDesktop environment via NetScaler AAGEE, some of the users were getting the following error: The connection to "VDI Pool Name" failed with status (1030)
After a lot of troubleshooting, we identified that the NetScaler Global Authentication Settings were incorrectly configured and did not match the Access Gateway license number.
This could have been caused by the fact that 10 AAGEE licenses were loaded initially and then 105 licenses were uploaded at a later date, but the Maximum Number of Users was not changed/increased. 10 is the default value.
Virtual Networking from End-to-End
Virtualization is radically changing datacenter architectures. And it’s not just servers and applications that are getting virtualized. Traditional networking services are now being virtualized to make the virtual infrastructure more efficient, more secure and easier to manage.
The vNetworkstack solution transforms the router, load balancer, network firewall, application acceleration, VPN and intrusion prevention into software that runs on virtualized servers, which can be integrated on the same physical machine or logically provisioned on demand to provide an end-to-end L2-L7 software networking stack.
Citrix and Vyatta have joined together to offer the industry’s first end-to-end L2-L7 virtualized networking services and application delivery stack.