NetScaler Master Class (October 2015)

2015-10-Master Class October – FINAL


NetScaler VPX Upgrade


  1. Log in to MyCitrix and select Downloads
  2. Select NetScaler Gateway / Product Software
  3. Select the version required
  4. Download the nCore appliance software (nCore build)
  5. Log in to the NetScaler
  6. Select Configuration / Save Running State
  7. Select Configuration / System / Backup and Restore and take a backup before touching the firmware
  8. Select Upgrade Wizard, follow the prompts and select the downloaded file
  9. After the reboot, check the AAA user limit with: show aaa parameter
  10. If MaxAAAUsers is lower than the licensed user count, raise it, e.g.: set aaa parameter -maxAAAUsers 300

** To upgrade a VPX, download the NetScaler ADC firmware (old location): http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-1-map/ns-rn-upgrade-ns-sw-10-1-con.html

NetScaler Backup and Restore


Reference :http://support.citrix.com/proddocs/topic/ns-system-10-1-map/ns-system-backup1-tsk.html

  1. Log in to the NetScaler via SSH and run: save ns config
  2. WinSCP into the NetScaler and back up the following directories, sub-directories and files under /nsconfig and /var (the ssl directories contain private keys, so the copy must be stored with the same care as the appliance itself):
  3. /nsconfig/
     ssl/*
     license/*
     fips/*
     /var/
     netscaler/ssl/*
     wi/java_home/jre/lib/security/cacerts/*
     wi/java_home/lib/security/cacerts/*
  4. Alternatively, back up the NetScaler with the configuration utility: navigate to System > Backup and Restore.
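The same backup set, scripted. This is an added example and not code from the original post or from Citrix: it saves the running config over SSH, copies the listed paths (plus /nsconfig/ns.conf, the running configuration file, which the list above implies) to a staging directory, and archives them root-only with a checksum. The NSIP, the nsroot SSH login and the availability of scp, tar and sha256sum on the admin host are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pull the NetScaler backup set listed above
# over SSH into a permission-restricted tar archive and record its checksum.
# Assumptions: nsroot SSH access to the NSIP; scp, tar and sha256sum on the admin host.
set -eu

# Paths from the post, plus nsconfig/ns.conf (the running configuration). The ssl
# directories hold private keys, so the resulting archive is itself a secret.
NS_BACKUP_PATHS="nsconfig/ns.conf nsconfig/ssl nsconfig/license nsconfig/fips \
var/netscaler/ssl var/wi/java_home/jre/lib/security/cacerts var/wi/java_home/lib/security/cacerts"

# Print the subset of NS_BACKUP_PATHS that actually exists under a root directory
# (a local copy of the appliance tree); not every appliance has fips or Web Interface.
existing_backup_paths() {   # $1 = root dir
    root=$1
    for p in $NS_BACKUP_PATHS; do
        [ -e "$root/$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Archive those paths with mode 600 and print the archive's sha256.
archive_backup() {          # $1 = root dir, $2 = absolute path of output .tgz
    root=$1; out=$2
    paths=$(existing_backup_paths "$root")
    [ -n "$paths" ] || { echo "nothing to back up under $root" >&2; return 1; }
    umask 077
    # shellcheck disable=SC2086  (word splitting on $paths is intended)
    (cd "$root" && tar czf "$out" $paths)
    chmod 600 "$out"
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$out"; else shasum -a 256 "$out"; fi | cut -d' ' -f1
}

# Full run against a live appliance (not executed by the test): save the running
# config first, then copy each path to a staging directory and archive it.
netscaler_backup() {        # $1 = NSIP, $2 = absolute local staging dir
    nsip=$1; stage=$2
    ssh "nsroot@$nsip" 'save ns config'
    for p in $NS_BACKUP_PATHS; do
        mkdir -p "$stage/$(dirname "$p")"
        scp -rq "nsroot@$nsip:/$p" "$stage/$(dirname "$p")/" 2>/dev/null || true
    done
    archive_backup "$stage" "$stage/netscaler-$nsip-$(date +%Y%m%d-%H%M).tgz"
}
```

Keep the printed checksum with the change record so a restore can be verified against it, and encrypt the archive (for example with gpg) before it leaves the admin host.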

Netscaler Vulnerability


Apache server-status enabled

The remote web server discloses sensitive information about its status, when the URL ‘/server-status’ is requested. The server returns information such as current hosts and requests being processed, the number of idle servers, and CPU utilization. This information may be used by an attacker to craft further attacks.

Description

Apache /server-status displays information about your Apache status. If you are not using this feature, disable it.

Impact

Possible sensitive information disclosure.

Recommendation

Disable this functionality if not required. Comment out the <Location /server-status> section from httpd.conf.

Reference :- http://www.acunetix.com/vulnerabilities/apache-server-status-enab/

*** The following article must be followed to ensure the customizations on the NetScaler are retained after the appliance has been rebooted: http://support.citrix.com/article/CTX122271

Solution

Edit /etc/httpd.conf and comment out the following five lines (the Allow from all directive is what exposes the handler to every client, so leaving the block uncommented keeps the finding open):

# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your-domain.com" to match your domain to enable.
#
#<Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from all
#</Location>

Copy the edited httpd.conf to /var, because /etc is rebuilt from the flash image on reboot and the change would otherwise be lost.

Create /flash/nsconfig/nsbefore.sh (the boot hook from CTX122271; /nsconfig is the same directory) so the hardened file is put back and httpd restarted with it on every boot. The NetScaler shell is FreeBSD sh, so the script must use #!/bin/sh rather than bash:

#!/bin/sh
# Reinstall the hardened httpd.conf and restart the management httpd with it.
if [ -f /var/httpd.conf ]; then
    cp /var/httpd.conf /etc/httpd.conf
fi
killall -9 httpd
/bin/httpd -f /etc/httpd.conf

Make it executable (chmod +x /flash/nsconfig/nsbefore.sh), then:

save ns config

After the next reboot, request https://<NSIP>/server-status; it must no longer return the status page.
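The edit above can be applied and verified without hand-editing, which matters because it has to survive every reboot and upgrade. This is an added example, not code from the original post or from Citrix; it assumes the httpd.conf layout shown above (a <Location /server-status> block) and, for the install step, the /var and /flash/nsconfig paths the post uses.

```shell
#!/bin/sh
# Added example (not part of the original post): apply and verify the httpd.conf fix
# without hand-editing, so it can be re-run safely after a reboot or upgrade.
# Assumes the <Location /server-status> block layout shown in the post.
set -eu

# Comment out every line from <Location /server-status> to the matching </Location>.
# Lines that are already comments are left alone, so running it twice is harmless.
disable_server_status() {   # $1 = httpd.conf path (rewritten in place)
    conf=$1
    awk '
        /^[[:space:]]*<Location[[:space:]]+\/server-status>/ { inblk = 1 }
        inblk && $0 !~ /^[[:space:]]*#/                      { $0 = "#" $0 }
        inblk && /<\/Location>/                              { inblk = 0 }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 when no active (uncommented) server-status handler or Location remains.
server_status_disabled() {  # $1 = httpd.conf path
    ! grep -Eq '^[[:space:]]*(SetHandler[[:space:]]+server-status|<Location[[:space:]]+/server-status>)' "$1"
}

# On the appliance (not run by the test): harden, persist to /var, install the boot hook.
install_fix() {
    disable_server_status /etc/httpd.conf
    server_status_disabled /etc/httpd.conf || { echo "server-status still active" >&2; return 1; }
    cp /etc/httpd.conf /var/httpd.conf
    cat > /flash/nsconfig/nsbefore.sh <<'EOF'
#!/bin/sh
if [ -f /var/httpd.conf ]; then cp /var/httpd.conf /etc/httpd.conf; fi
killall -9 httpd
/bin/httpd -f /etc/httpd.conf
EOF
    chmod +x /flash/nsconfig/nsbefore.sh
}
```

Run server_status_disabled against /etc/httpd.conf as a post-reboot check; if it fails, nsbefore.sh did not run or /var/httpd.conf was overwritten by the upgrade.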


Virtual DMZ with Multi-WAN for NetScaler AAGEE Multi-Tenant (above your pay grade)

Virtual DMZ with Multi-WAN

Research on how to create a virtual DMZ with Multi-WAN (multiple Internet connections) for inbound and outbound traffic.

The theory is that a user hits a URL such as https://access.* which has multiple A records pointing at public IP addresses provided by different Internet service providers, NATed on the datacenter router and forwarded to a virtual VIF. A subdomain with an HTML forwarder redirects to a dynamic DNS name or public IP address. The forwarder page itself must be served over HTTPS and redirect to an https:// URL: an http:// hop in front of the gateway login is a plaintext step that can be intercepted or rewritten.

  1. Subdomain HTML forwarder (meta refresh plus a script fallback, all three targets pointing at the same absolute https:// URL; DOMAIN.com is the placeholder used on this page)
  2. <!DOCTYPE HTML>
     <html lang="en-US">
     <head>
     <meta charset="UTF-8">
     <meta http-equiv="refresh" content="1;url=https://DOMAIN.com">
     <script type="text/javascript">
     window.location.href = "https://DOMAIN.com";
     </script>
     <title>Page Redirection</title>
     </head>
     <body>
     <!-- Note: don't tell people to `click` the link, just tell them that it is a link. -->
     If you are not redirected automatically, follow the <a href="https://DOMAIN.com">link to example</a>
     </body>
     </html>
    
  3. Domain name Round Robin with public IP address for each Internet connection
  4. ZoneEdit Failover – http://www.zoneedit.com/failover.html
  5. Cisco 1841
  6. Vyatta or pfSense configure Multi-WAN
  7. Active/Active NetScaler GSLB with Proximity and Site Roaming – http://support.citrix.com/servlet/KbServlet/download/28997-102-681498/XD%20-%20High%20Availability%20-%20Implementation%20Guide%20v2-2.pdf
  8. AAGEE vServer for Multi-Tenancy customer1.*** customer2.**
  9. IP, VM NICs and Switch Configuration Requirements
  10. Data Replication – Synchronous
  11. VM Replication – Asynchronous
  12. Data Backup (email/file)
  13. Data Archiving Cloud

 

Reference Active/Active Design

Securing Citrix NetScaler Access Gateway AAGGE and Web Interface


A few steps to secure the Citrix NetScaler Access Gateway (AAGEE) and Web Interface and reduce HTML/SQL injection attempts and brute-force password scripts.

  1. Set up Web Interface in HA and enable automatic updates with a 30-minute variance between the reboots of the two nodes. This ensures all critical Microsoft updates are installed on your DMZ Windows servers and Internet-facing servers straight away without both nodes rebooting at once.
  2. Implement Endpoint Analysis
  3. Implement CAPTCHA
  4. Implement a visual keyboard, as used by online banking sites:
    1. https://online.westpac.com.au/esis/Login/SrvPage?referrer=http%3A%2F%2Fwww.westpac.com.au%2FHomepageAlternative%2F
    2. https://www.ingdirect.com.au/client/index.aspx
  5. Implement a drop-down select for the PIN (LogMeIn style)
  6. Enforce a 30 second delay before a retry after an incorrect password
  7. Implement two-factor authentication
  8. Set up a double-hop DMZ
  9. .NET / Java SSL visual keyboard (WIP)


Netscaler SSL Certificate Renewal and Install

By the time I need to renew my NetScaler certificates I always forget how to do it, plus most of the time it is a last-minute rushed change. So here are the basic steps:

  1. Back up the NetScaler config (note that -pw puts the password in your command history; key-based authentication avoids that):
     pscp -v -p -pw <password> nsroot@<IP Address>:/nsconfig/* "c:\SSL_BACKUP\"
  2. Save the running config
  3. Save the config: Configuration/System/Diagnostics/Technical Support Tools/Generate support file
  4. Extract the public certificate and the private key from the PFX file provided by your Certificate Authority with openssl. The second command uses -nocerts so that privatekey.pem holds only the key; the third strips the passphrase, so the resulting .key is plaintext and must be handled as a secret (NetScaler also accepts a passphrase-protected key, which is the safer option):
     openssl pkcs12 -in xxxx.pfx -out xxxx.crt -nokeys -clcerts
     openssl pkcs12 -in xxxx.pfx -nocerts -out privatekey.pem
     openssl rsa -in privatekey.pem -out xxxx.key
  5. Connect to the NetScaler management interface in your browser and select Configuration/SSL/Certificates
  6. Right-click the certificate and select Update, locate your certificate .crt and private .key files with Browse Local, enter the password if the key has one (otherwise leave it blank), click OK and overwrite the existing file
  7. Check that the expiry date has been updated
  8. Upload the intermediate Certificate Authority certificate and link it to all corresponding certkeys
  9. Verify the certificate chain with an SSL certificate checker, e.g. https://ssl-tools.verisign.com/#certChecker
  10. Make sure the DR NetScaler serving the same URL is updated as well. Test the DR NetScaler by pointing that URL at the DR NetScaler's IP address in your local hosts file.
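The PFX handling in steps 4 to 8, scripted with the two checks that catch most failed renewals (a key that does not belong to the certificate, and a certificate that is already near expiry). This is an added example, not code from the original post or from Citrix. It assumes openssl on the admin host, nsroot SSH access to the NSIP, and that the certkey name passed in already exists on the appliance; the CLI commands used (update ssl certKey, add ssl certKey, link ssl certKey, save ns config) are standard NetScaler CLI.

```shell
#!/bin/sh
# Added example (not from the original post): unpack the CA-supplied PFX, prove the key
# belongs to the certificate, check remaining lifetime, then push it to the NetScaler.
# Assumes openssl on the admin host and nsroot SSH access; names are placeholders.
set -eu

# Split a PFX into leaf cert, key and intermediate chain. The key is written without a
# passphrase (-nodes), so the output directory is created private (umask 077).
extract_pfx() {             # $1 = pfx, $2 = pfx password, $3 = output dir
    pfx=$1; pw=$2; out=$3
    umask 077
    mkdir -p "$out"
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -clcerts -nokeys -out "$out/cert.crt"
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes  -out "$out/key.pem"
    # a PFX with no intermediates yields an empty chain.pem; that is not an error here
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -cacerts  -nokeys -out "$out/chain.pem" || :
}

# 0 if the private key's public half equals the certificate's public key (RSA or EC).
key_matches_cert() {        # $1 = cert, $2 = key
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# 0 if the certificate will still be valid $2 days from now.
cert_valid_for_days() {     # $1 = cert, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Upload and swap the files into an existing certkey pair, link the chain if the PFX
# carried one, then save. Not run by the test.
push_to_netscaler() {       # $1 = NSIP, $2 = dir from extract_pfx, $3 = existing certkey name
    nsip=$1; dir=$2; name=$3
    key_matches_cert "$dir/cert.crt" "$dir/key.pem" || { echo "key/cert mismatch" >&2; return 1; }
    cert_valid_for_days "$dir/cert.crt" 30 || { echo "new cert expires within 30 days" >&2; return 1; }
    scp -q "$dir/cert.crt" "$dir/key.pem" "$dir/chain.pem" "nsroot@$nsip:/nsconfig/ssl/"
    ssh "nsroot@$nsip" "update ssl certKey $name -cert cert.crt -key key.pem"
    if [ -s "$dir/chain.pem" ]; then
        ssh "nsroot@$nsip" "add ssl certKey ${name}_chain -cert chain.pem"
        ssh "nsroot@$nsip" "link ssl certKey $name ${name}_chain"
    fi
    ssh "nsroot@$nsip" "save ns config"
}
```

Run the same push against the DR NetScaler (step 10) with its NSIP; the key and expiry checks are what make it safe to do in a hurry.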

NetScaler 1030 Error

When we had a new load of users connecting into our XenDesktop environment via NetScaler AAGEE, some of the users were getting the following error: The connection to "VDI Pool Name" failed with status (1030)

After a lot of troubleshooting, we identified that the NetScaler Global Authentication Settings were incorrectly configured and did not match the Access Gateway licence count.

(screenshot: Global Authentication Settings, Maximum Number of Users)

This could have been caused by the fact that a 10-user AAGEE licence was loaded initially and 105 licences were uploaded at a later date, but the Maximum Number of Users was not changed/increased; 10 is a default value. That field is the maxAAAUsers setting on the CLI (show aaa parameter / set aaa parameter -maxAAAUsers <n>), the same check listed at the end of the VPX upgrade steps above, so it is worth re-checking after every licence change or upgrade.
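A scripted version of that check, covering both the post-upgrade step in the VPX upgrade section and the root cause of the 1030 error here. This is an added example, not code from the original post or from Citrix. It assumes that "show aaa parameter" prints a "MaxAAAUsers: <n>" field (the label as seen in 10.x output; treat it as an assumption on other releases), that the licensed user count is known to the operator, and nsroot SSH access to the NSIP. The sample output in the test is constructed, not captured from an appliance.

```shell
#!/bin/sh
# Added example (not from the original post): confirm after an upgrade or licence change
# that the AAA user limit covers the Gateway licence, the misconfiguration behind the
# 1030 error above. Assumes "show aaa parameter" prints "MaxAAAUsers: <n>" (label from
# 10.x output; an assumption for other releases).
set -eu

# Extract MaxAAAUsers from "show aaa parameter" output read on stdin; prints nothing
# if the field is absent.
max_aaa_users() {
    sed -n 's/.*MaxAAAUsers:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# 0 if the configured limit covers the licensed user count; otherwise print the
# corrective CLI command and return 1.
check_aaa_limit() {         # $1 = configured MaxAAAUsers, $2 = licensed users
    if [ "$1" -ge "$2" ]; then
        return 0
    fi
    printf 'set aaa parameter -maxAAAUsers %s\n' "$2"
    return 1
}

# Live check against an appliance (not run by the test). A missing field is treated
# as 0 so the fix command is always printed rather than silently passing.
audit_netscaler() {         # $1 = NSIP, $2 = licensed users (from the licence file)
    cur=$(ssh "nsroot@$1" 'show aaa parameter' | max_aaa_users)
    check_aaa_limit "${cur:-0}" "$2"
}
```

When check_aaa_limit fails, run the printed command on the appliance followed by save ns config; a limit below the licence count is what turns extra licensed users into 1030 failures.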

vNetworkstack

Virtual Networking from End-to-End

Virtualization is radically changing datacenter architectures. And it’s not just servers and applications that are getting virtualized. Traditional networking services are now being virtualized to make the virtual infrastructure more efficient, more secure and easier to manage.

The vNetworkstack solution transforms router, load balancer, network firewall, application acceleration, VPN and intrusion prevention into software that runs on virtualized servers, which can be integrated on the same physical machine or logically provisioned on demand to provide an end-to-end L2-L7 software networking stack.

Citrix and Vyatta have joined together to offer the industry’s first end-to-end L2-L7 virtualized networking services and application delivery stack.

http://www.vnetworkstack.com


Hypervisor