• Category Archives Netscaler
  • Load Balancing AD FS 2012 R2 3.0 and Web Application Proxy With Netscaler

    Recently I had to set up load balancing for Microsoft Active Directory Federation Services (ADFS) 3.0 environment. There is not a whole lot of information out there on load balancing of ADFS 3.0. Most of the guides and documentation that are out there today are based on ADFS 2.0

    The diagram below illustrates a typical ADFS deployment scenario utilizing hardware load balancers such as Netscaler or F5 appliances.

    image_thumb_12

    Why you need to do this.
    Server Name Indication (SNI) is a feature of SSL TLS and both Web Application Proxy and AD FS 2012 R2 use it to enable simpler deployment and remove networking prerequisites. Some client applications don’t support SNI but there is an easy way to workaround this using a fallback certificate. In this blog we will explain what SNI is, how it works and what to do if you have non-SNI capable clients.

    In this case the client (i.e. the Netscaler) does not support SNI for back end services. hence the requirements below. The proxy servers will only reply if the host header is present and will not respond directly via IP address. One of the main issues with the load balancing of the latest ADFS is that it doesn’t bind the certificate or service to the IP address.

    ADFS Server & Proxy Server Configuration
    On each of the ADFS servers and Web Application Proxy Servers for the ADFS services you will need to do the following.

      1. Open PowerShell
      2. Run the following command in the PowerShell Window
        1. netsh http show sslcert
      3. Review the output of the command and notate the following field

      1. Certificate Hash
      2. Application ID – Copy including brackets
    1.  Run the following command in the PowerShell Window
      1. netsh http add sslcert ipport=<IPAddress:port> certhash=<certhash> appid=<appid> certstorename=MY
        1. Fields
          1. IPAddress:port such as 0.0.0.0:443 for example
            1. note 0.0.0.0 will bind to all IP addresses on server. Can use specific IP
          2. certhash – copied from netsh http show sslcert
          3. appid – copied from netsh http show sslcert
        2. Note: On several of the systems that I ran the powershell command on I had to put single quotes around the appid before and after the brackets Without the bracket the error was “The Parameter is incorrect”
          1. Example of this would be below
            1. netsh http add sslcert ipport=<IPAddress:port> certhash=<certhash> appid='<appid>’ certstorename=MY

    Netscaler Configuration.
    You will need to create attach the monitor to either the services or service groups for ADFS 3.0 Servers & Proxy Servers. In my case all services & service groups were configured for SSL Bridge

    ADFS Monitor Configuration

    add lb monitor mon-https-ADFS3 HTTP-ECV -send “GET /federationmetadata/2007-06/federationmetadata.xml” -recv “adfs3.website.com/adfs/services/trust” -LRTM ENABLED -secure YES

    ADFS Proxy Monitor Configuration – Note the addition of the custom header. This is required for the proxy server configuration

    add lb monitor mon-https-ADFS3-PROXY HTTP-ECV -customHeaders “host: adfs3.website.comrn” -send “GET /federationmetadata/2007-06/federationmetadata.xml” -recv “adfs3.website.com/adfs/services/trust” -LRTM ENABLED -secure YES

    Replace website adfs3.website.com with your particular company website.

    You can find more information below at the following links

    ADFS is used in a variety of services and I hope you found this helpful. Now signing off.


  • How-to: Netscaler VPX Express Deployment

    The Netscaler VPX Express is a great tool to test and play with Netscalers at no cost to you. Great for home labs and even testing various things. It is pretty well featured. You can find out more about the Netscaler VPX Express here in a previous blog post where I touch on benefits and limitations. I have been asked several times for a How-to on deploying the Netscaler VPX Express, I will do further posts on basic Netscaler setup and features in future posts.

    Here are the basic steps for getting the Netscaler VPX Express up and running.

    1. Download the NetScaler VPX virtual appliance package using the link below. Packages are available for both XenServer and VMware.
    2. Import NetScaler VPX Express onto the virtualized server of your choice.
      1. If you don’t currently have XenServer, download a free version of XenServer.
      2. If you don’t currently have VMware ESX, evaluation versions can be downloaded from vmware.com.
    3. Get and activate your free NetScaler VPX Express license via the get license link below. 
      1. Please note you will need to get your license after you deploy the VPX to get information from the virtual machine to license it properly.
    4. Want more than one license? just click get license again.

    Click here for full details and how to steps.

    1. Where to get the Netscaler VPX Express 

    2. Import Netscaler VPX Express onto the virtualized server of your choice (steps below are for ESXi)

    Fat Client (ESXi)

    • Log in into your Hypervisor (ESXi) 
    • Click File -> Deploy OVF template

     

    • Browse to the Netscaler Download (please note the download is a ZIP file and will have to be extracted to see the OVF) -> Click Open
    • Click Next on Source Selection
    • Click Next on OVF Template Details 
    •  Change Name to desired Netscaler VPX Name -> Click Next
    •  Select Cluster you would like to deploy to -> Click Next
    •  Select Datastore where the VPX will be stored -> Click Next
    •  Click Next on Disk Format screen
    •  Click next on Network Mapping (please note the error in the screenshot) I plan on only having one NIC in my lab setup for VPX, if multiple NICs are required you may have to more portgroups created.
    •  Review Ready to Complete Screen for accuracy -> Click Next
    •  The VPX will deploy. This not take long as the VPX is very small.
    •  Upon completion, you should see the following screen. -> Click Close
    •  Before Powering ON the VPX, I will be removing the unnecessary Network Interface. Right click the VM and Click Edit Settings…
    •  Highlight the Network adapter that you would like to remove and click the Remove button
    •  The Network Adapter should now show in strikethrough as below -> Click OK at the bottom of the window
    •  Now you can power on the VPX and begin the configuration. Enter an IPv4 address and hit Enter
    •  Enter a Subnet Mask and hit Enter
    •  Enter Gateway IPv4 address.
    •  Review settings and hit 4 or Enter to accept the default to save and quit. Follow on screen prompts if changes need to be made.
    •  Now your netscaler is powered on and you should be able to login using the default credentials of nsroot/nsroot
    •  Follow the configuration wizard and click Step 2 to enter the Subnet IP address or SNIP
    •  Enter the SNIP IP address
    •  Click Step 3 Enter Host Name and DNS IP address and change Timezone if necessary. -> Click Done once complete

    • Click Final Step to enter Licensing and complete the configuration.
    •  Click “Yes I accept” to accept the End-User License Agreement
    •  Click the green link under Serial Number in the area I have blacked out in the screenshot below.
    •  Click continue on Host Name Warning

    •  Click in the field Host ID and enter the MAC address of the VPX. You can find this in VMware in the network adapter properties in the Edit Settings option of the VM.

    • Click Continue and you should go to the Next step.
    •  Click OK to go the license download page.
    •  Click Download to download the license.
    •  Return to your browser window with the Netscaler VPX – On the licensing selection, select Upload license file from the local computer
    •  Browse and locate the license file downloaded from MyCitrix
    •  If applied successfully, you should see the below screen. Reboot the appliance
    •  Log back into the Netscaler and verify the licenses in the Licensing section. It should appear as below (I have seen this take two reboots). If it does not come back successfully and shows all Xs, please check to make sure the MAC matches the Host ID you entered earlier.

    Congratulations you have successfully completed deploying the VPX Express.


  • SHA2 Certificates and Citrix Receiver Support

    Please be advised of a SSL certificate issue when updating or purchasing new SSL Certificates for your Citrix implementations. You will want to ensure that you purchase a SHA1 Cert and not a SHA2 cert which is currently being sold by Vendors for a cert set to expire in three (3) years or that expire during or after 2017. You will more than likely have to call your vendor and have them reissue a SHA1 cert that expires at the end of 2016 to ensure that you are functional until Citrix updates their Citrix Receivers to support SHA2 across all products.

    Microsoft has announced a new policy for Certificate Authorities (CAs) that deprecates the use of the SHA1 algorithm in SSL and code signing certificates, in favor of SHA2. The policy affects CAs who are members of the Windows Root Certificate Program who issue publicly trusted certificates.  It will allow CAs to continue to issue SSL and code signing certificates until January 1 2016, and thereafter issue SHA2 certificates only.

    The following Citrix Receiver models do not support SHA2 as of 2/25/2014 – This mostly affects the mobile receiver.

    • Linux 13.0
    • IOS 5.8.3
    • Android 3.4.13
    • HTML 5 1.2
    • Playbook 1.0
    • Blackberry 2.2 / BlackBerry 1.0 Tech Preview

     The following Citrix Receiver models do support SHA2 as of 2/25/2014

    • Windows 4.1 (std)
    • Windows 3.4 (ent)
    • Windows 8/RT (1.4)
    • Windows Phone 8 (1.1)
    • Mac 11.8.2 

    Please see the Citrix Receiver Feature Matrix for an updated list

    For more information on the deprecation of SHA1 from Microsoft, please visit the following link from Microsoft.

    You can view the algorithm of the Certificate by viewing the Certificate and looking at the Details tab.


  • Citrix Netscaler VPX Express (free but powerful)

    An often overlooked resource (free) for small environments or for deployments with low requirements is the use of the Netscaler VPX Express. This is a very powerful device, and the VPX express gives you the features of a Standard Edition VPX express platform but has a few limitations.

    Use Cases:

    • Load Balancing a small XenDesktop or XenApp Farm
    • Load Balancing Citrix PVS tftp
    • Load Balancing AD request
    • Load Balancing DNS
    • Load Balancing just about any web site or service…
    • Unlimited ICA Proxy connections to XenDesktop/XenApp (still bound by 5 Mpbs throughput)
    • Remote access to Citrix XenDesktop and Citrix XenApp (Access Gateway)
    • Load Balancing a VMware View deployment (more to come on this one…)
    • Full VPN tunnel for up to 5 concurrent users
    • Clientless access to Web Sites or File Shares
    • External access to Exchange or other web sites and file shares.

    Benefits:

    • Netscaler Standard Edition Features
      • Load Balancing
      • Access Gateway
      • Content Switching
      • Web Logging
      • Content Filtering
      • URL Rewrite
    • Pay as you grow – VPX has all the same features and is only limited by licensing, can pay for a higher edition to expose new features and increase your total throughput
    • Netscaler includes 5 free Access Gateway Enterprise Edition concurrent licenses (what does that give me…?)
      • Full VPN Tunnel
      • EndPoint Analaysis
      • Policy Based SmartAccess
      • Clientless access to Web Sites and File Shares

    I think you get the idea, so what are the major limitations of the Netscaler VPX Express? This sounds too good to be true..

    • License only last one year.. (bummer), “but wait there’s more..” but its free and you can just request another license for the next year
    • 5 Mbps throughput (this applies to all traffic and can be upgraded with a simple license purchase)
    • No SSL offload (this is try of any VPX Netscaler) The Netscaler physical appliances offer SSL offload to dedicated hardware for encryption/decryption. This improved the performance of the box as the CPU doesn’t have to handle the SSL encryption/decryption.

    This is only the tip of the iceberg for what the Netscaler can do and the free ones main limitation is the bandwidth which can be upgraded with a license purchase. You can also deploy as many of these appliances as you need to handle the workload, each pair would have the 5 Mpbs limitation. It may not sound like much bandwidth but that is per second.

    Test it out, deploy the VPX Express yourself and see what your workload throughput is by putting it through the Netscaler and you may be surprised, maybe the VPX Express will be right for you… The Netscaler VPX Express is easy to deploy and can run on VMware vSphere, Hyper-V and XenServer, there are appliances for each of these hypervisors.


  • Goodbye Cisco ACE, Hello Citrix Netscaler

    Lately I have spent a fair amount of my time implementing and configuring Citrix Netscaler devices, the more I use these the more I am excited about this technology, apparently Cisco agrees with me.

    Cisco confirmed this week that it will not develop further generations of its ACE load-balancing products based on a review of data center trends and growth market opportunities. ACE, which is embodied in modules for Cisco 7600 routers and Catalyst 6500 switch and a standalone appliance, was not a growing product line for Cisco.

    ACE is an application delivery controller (ADC). ADCs are vital to virtualized data centers and cloud environments as more VM workloads are added and movde around within and between data centers, and within the cloud. Multiple active paths between switches need to balance traffic loads to ensure application uptime and performance, and reduce latency and congestion

    Cisco has announced a partnership with Citrix to use Netscalers as part of the solution stack. Cisco and Citrix have a long history of working together and many plans laid out for the future.

    The companies also plan to integrate Cisco’s collaboration products with Citrix’s CloudGateway and Xen Desktop virtualization offerings; and Cisco’s ONE programming environment, Unified Computing and Nexus data center switches with Citrix’s CloudPlatform orchestration engine and XenServer products.

    Ok so what does this mean to you if your an ACE customer and now your hardware is EOL, Citrix and Cisco have developed the ACE Migration Program or AMP to help you with the transition.

    In phase one of our networking partnership, Cisco sales teams will now recommend Citrix NetScaler ADC for Cisco Unified Data Center Architecture and Solutions. This will enable our mutual customers to deliver any application or service with the best possible performance, security and availability. Additionally, Citrix is developing a suite of migration tools, reference documents and services to ensure seamless integration of Citrix NetScaler into Cisco Cloud Network Services architectures.
    To fully support customers during this transition phase, Citrix is offering a new ACE Migration Program (AMP) to all global customers. The special program provides Cisco ACE customers with the industry’s most generous product discounts for next-generation ADC solutions, as well as custom NetScaler implementation services provided by world-class Citrix Consulting Services. Citrix is making it easy for ACE customers to migrate to the industry’s best ADC solution, NetScaler. Between now and December 31, 2012, qualified Cisco ACE customers will receive:
    • 20% discount on the MSRP of any NetScaler MPX and multi-tenant NetScaler SDX appliance.
    • 20% discount on the MSRP of a standard 3-day NetScaler Implementation Service provided by world-class Citrix Consulting Services.

    Note: Existing volume license programs apply to the discounted manufacturer suggested retail price (MSRP), if applicable.
    Information on the ACE Migration Program, as well as for materials and resources pertaining to the Cisco and Citrix NetScaler partnership, please visit the Citrix “Welcome to NetScaler” site at www.citrix.com/netscaler/cisco.

    More about the future relationship between Cisco and Citrix

    Cisco and Citrix believe the IT industry is on the verge of the next major architectural transition:  the mobile-cloud era. To help enterprise and service provider customers capture the market transition and transform their business models, Cisco and Citrix will collaborate to unify best-of-breed technologies into innovative solutions for the mobile-cloud era.

    The expanded partnership will include a significant investment in people and resources to drive market-leading technology innovation, solution integration and validation, customer support, and joint go-to-market investment on a global basis.

    • Cloud Networking
    • Cloud Orchestration
    • Mobile Workstyles
    • PertnerShip Momentum

     Expect a few more blogs around the Citrix Netscalers coming up soon. I hope you find this article useful, if you have any comments please leave them below.


  • Citrix Netscaler 10

    Citrix systems recently announced the release of Citrix Netscaler 10. I am excited about several of the new features that Netscaler has to offer. This major release has over 160 new features.

    Triscale is perhaps the most compelling and interesting feature announced in Netscaler 10 allowed you to scale up and out at will. Netscalers have thus far been a HA Active/Passive configuration and done well but can now work as a cluster. It introduces the 3 key factors around scalability which addresses all your needs immaterial of what nature of business you have and what is your deployment model.

    • Scale UP – on demand growth up to 5x on single hardware
    • Scale IN – consolidation of 40 appliances in single unit
    • Scale Out – capacity scale by adding nodes up to 32x


    The Clustering technology which enables Scale Out factor by 32x is just wonderful as it works seamlessly on all hardware and software NetScaler appliances. NetScaler 10 introduces this biggest infrastructure change where you can Cluster NetScaler nodes together to drive through any kind of performance and scalability requirement. It focuses on how easily you can transition from multiple nodes working in isolation to logical Cluster of nodes without any physical hardware requirement. It also has a simplified extension model where you can keep adding nodes based on your scale requirements without disrupting the production traffic. It helps reduce the power usage and rack space consumption from Datacenter/Cloud point of view and can be huge for a large deployment.
    Here are quick facts on Cluster:

    • Cluster of NetScaler nodes
    • Can be formed with 2 to 32 nodes
    • Single system image for end user
    • Built on NetScaler nCore architecture
    • No Chassis or new hardware required
    • Dynamic changes permitted

    Cluster Benefits:

    • Provides linear scalability
    • Higher Throughput
    • Configuration Scalability
    • In-built Fault Tolerance
    • Active-active Support
    • Active-standby Support

    Let us get to other functional and usability enhancements in NetScaler 10.

    Traffic Management Enhancements:

    • TCP Westwood support
    • Dynamic TCP receive buffer size
    • Advance policy support for SSL
    • Ability to flush Surge Queue
    • Rule Based Persistence for TCP/SSL_TCP
    • TXT record support in DNS
    • DBS Auto-scaling
    • Responder action for Timeout
    • Better Entity Scalability
    • String based custom server id persistence
    • Preferred backup list for GSLB Proximity
    • Rewriting NX domain responses
    • Slow Start fine tuning at Vserver layer
    • Multiple firewall LB vserver support
    • NetScaler Based persistent ETag
    • NetScaler tracing enhancements
    • Set-cookie header logging for Weblogs
    • Custom Client-IP header logging for Weblogs
    • Multiple Binding for Content Switching Policies
    • SIP Expression Support
      • Content Switching
      • Rewrite
      • Responder
      • Rate Limiting

    Lots of new features and capabilities, increasing the overall value of NetScaler solution. TCP Westwood can act really well in wireless environments. Entity scalability is critical for the larger deployments with huge number of entities around. SIP expression support makes us SIP aware at layer 7 and you can do all kind of layer 7 processing for SIP traffic… technically acting as a SIP firewall :)

    DataStream Enhancements:

    • Responder for DataStream
    • Rate Limiting for DataStream
    • Token LB for DataStream
    • AppFlow for DataStream
    • Logaction for DataStream
    • Caching for DataStream

    DataStream was the biggest innovation in ADC world recently and was introduced with previous release in NetScaler. Now with NetScaler 10 you have all the layer 7 feature modules supporting Database traffic, which add value to HTTP/TCP flows today. So it is completely integrated into the system with advance policy support. The advantages from DataStream Caching and AppFlow would be huge and a real game changer…
    AAA Enhancements:

    • SAML 2.0 Consumer Support
      • Service Provider Initiated
      • Identity Provider Initiated
    • NTLMv2 Session Support
    • NTLMv2 Signing Support

    NetScaler has the strong AAA module and adding further support for NTLMv2 protocol helps with seamless integration into the Microsoft environment. The real game changer here is SAML which is becoming standard authentication and SSO protocol for the Cloud services and deployments. Having SAML 2.0 consumer support is excellent because it enables us to work with various Identity providers. Along with providing other ADC services in Cloud, SAML support will make us de-facto choice for Cloud deployments.
    XA/XD (WIonNS) Enhancements:

    • Client Plugin Download options
    • Login Page Customization
    • Mobile Receiver client support
    • Handling Case sensitivity
    • Multiple Client Access Methods
    • Address Translation

    In order to ease up XenApp/XenDesktop deployments, one of the major step was to have the capacity to host Web Interface on NetScaler. It has huge benefits and to further increase the value proposition multiple enhancements are done to this module.
    Visibility Enhancements:

    • Action Analytics
    • AppFlow
      • New HTTP Export Parameters
      • Support for MySQL and MSSQL
      • EdgeSight record templates

    Visibility became the mainstream focus for us in last release where AppFlow was launched. AppFlow made it possible to see the statistics all the way from layer 2 to layer 7 which was not possible with older standards. As we get deeper into Cloud deployment and even within Enterprise, Visibility requirements are becoming more important and this release enhances the core AppFlow standard to add end to end application visibility.
    NetScaler 10 brings out another exciting feature called “Action Analytics” which is a runtime analytic engine generating all kind of visibility into the applications. It brings in the on-board analytic ability which can be fed back into the policy evaluation cycle. Think of the use case of Caching responses for only Top 10 URLs flowing through the system at any point in time…
    AppExpert Enhancements:

    • Ability to import Responder page
    • Support for HTML5 content parsing
    • New advance expression support

    AppExpert layer has been driving many exciting features in last many releases. This release addresses both functional and usability features for AppExpert.
    Optimization Enhancements:

    • Dynamic Cache Memory
    • Multi Part byte range support
    • Metadata optimization
    • Seek streaming

    NetScaler 10 adds substantial functional features to the optimization layer and brings out the benefits of Cache engine. With these core architectural enhancements the Cache engine can store more objects, process responses faster and handle multi part HTTP requests.
    Application Firewall Enhancements:

    • CEF Logging
    • CSRF learning
    • Click to Rule AppFw
    • Sessionless security
    • AppFw policy manager
    • Signatures for Response side checks

    On Security front as well the AppFw module comes with bunch of exciting enhancements. Click to Rule could be very handy and useful while you want to relax the protection rules. CEF logging can help integration with 3rd party security products. Sessionless security helps with reducing memory usage significantly on the NetScaler platform while resulting into better security.
    Networking Enhancements:

    • Network Profiles
    • Logical grouping of IPs
    • IPv6 Support
      • SNMP
      • LLB
      • PBR
      • DSR
      • RNAT
      • Route with VLAN as nexthop
      • Extension Header parsing
      • IS-IS Routing
      • Monitoring gateway health
      • ACL Enhancements
        • Increased Extended ACL              
        • Better ACL Flush support
        • Rename support for extended ACL and ACL6

    Networking infrastructure bucket has several useful enhancements and specifically the IPv6 support has come through a long way. This is a blockbuster release reducing IPv6 parity with IPv4 features and bringing them on same ground. Network Profile as a feature will be loved by everyone as it helps in several use cases. ACL enhancements are again very useful and would apply to most of the use cases.
    Other Security Focused Enhancements:

    • Configurable SYN cookie protection
    • Runtime detection of SYN attack
    • Protection against TLS Reneg attack
    • Adaptive request timeout for HTTP DoS

    Security has remained our focus and with every release NetScaler adds value to the core protection layer. With NetScaler 10 we have introduced better SYN attack protection ability with runtime detection engine. TLS renegotiation MITM attack was under heavy focus last year and we have core protection added with multiple options as well. NetScaler 10 also addresses the popular Slowloris and Slowpost kind of attacks which troubled many Application and Web deployments worldwide.
    Manageability Enhancements:

    • Lightweight GUI
    • Most pages moved to HTML
    • Pagination support on UI
    • Easy user navigation support
    • Load Balancing Templates
    • Deployment Wizard for BR LB
    • NITRO Enhancements
      • Exception handling
      • Accept header support
      • Content-Type header support
      • HTTP Error code utilization
      • Login auth token support
      • Authentication using HTTP headers
      • Allow warning in NITRO responses
      • Cluster support with NITRO

    Links:
    Netscaler 10 Documentation