Citrix Netscaler Installation and Configuration Guide - Volume 1
Appendix G
The following tables define the abbreviations and symbols that are displayed in
the R row and the S row of the port information screen.

Port Abbreviations and Symbols for R Row

    Abbreviation/Symbol    Description
    [glyph]                Indicates receive flow control regardless of speed rate or duplex mode.
    [glyph]                Indicates transmit flow control regardless of speed rate or duplex mode.
    [glyph]                Indicates receive and transmit flow control regardless of speed rate or duplex mode.
    [glyph]                Indicates a speed rate of 10 megabits per second, half duplex mode, and flow control OFF.
    [glyph]                Indicates a speed rate of 100 megabits per second, half duplex mode, and flow control OFF.
    [glyph]                Indicates a speed rate of 1 gigabit per second, half duplex mode, and flow control OFF.

Port Abbreviations and Symbols for S Row

    Abbreviation/Symbol    Description
    [glyph]                Indicates the port is disabled.
    [glyph]                Indicates receive speed is approximately 10% of line speed.
    [glyph]                Indicates receive speed is 50% of line speed.
    [glyph]                Indicates receive speed is 75% of line speed.
    [glyph]                Indicates receive speed is 100% of line speed.

(The symbol glyphs in the Abbreviation/Symbol column did not survive extraction
of this page; only the characters f, g and # are legible, and their row
assignment could not be recovered.)
APPENDIX H
Configuring Secure Access
By default, management access and communication between two NetScaler systems
are not secure. This means that the following traffic travels in clear text:
configuration propagation and synchronization between the two nodes of an HA
pair, MEP (Metric Exchange Protocol) traffic between sites in a GSLB setup, and
access to the Configuration Utility from a Web browser. Anyone who can observe
the management network can therefore read the configuration being exchanged. To
secure these communication paths, encrypt the traffic using the system's SSL
capabilities.
To enable secure communications between two nodes, run the set rpcNode command
with the secure option set to YES. Secure communications between two nodes are
supported by a set of internally created services.
The secure internal services are:
nsrpcs
This service provides transparent SSL offload on port 3008, with port 3010 as
the clear-text port, and secures management access and command synchronization
to the system. It is created for the NSIP address and for every management IP
address (MIP and SNIP). Therefore, when a MIP or SNIP is added, a corresponding
nsrpcs service is also added.
nshttps
This service provides transparent SSL offload on port 443, with port 80 as the
clear-text port, and secures access to the Configuration Utility and the
Statistical Utility. It is created for the NSIP and for all SNIPs and MIPs.
Therefore, when a SNIP or MIP is added, a corresponding nshttps service is also
added. Once this service is enabled, you can access the Configuration Utility
and the Statistical Utility at https://<NSIP/MIP/SNIP>.
nskrpcs
This service secures command propagation in an HA setup and communication
between GSLB sites using MEP. Therefore, when a GSLB local site is added, a
corresponding nskrpcs service is created. The nskrpcs service corresponding to
the NSIP, nskrpcs-127.0.0.1-3009, is preconfigured on the system.
The following table lists the system entities and their corresponding internal
services:

    Entity            Internal Service
    NSIP              nsrpcs, nskrpcs, nshttps
    MIP               nsrpcs, nshttps
    SNIP              nsrpcs, nshttps
    GSLB local site   nskrpcs

You cannot delete internal services or their corresponding servers. They are
deleted automatically when the corresponding system entity is deleted; for
example, when you delete a MIP or a SNIP, the internal service corresponding to
it is deleted. You also cannot change the parameters of an internal service,
except for its SSL-related parameters, and you cannot bind monitors or vservers
to internal services. If you attempt any of these tasks, the system responds
with an "Operation not permitted" error.
To view the internal services, run the show service command with the -internal
option. In the following output no certificate key has been bound yet, so the
two SSL services are DOWN with the reason "Certkey not bound":

> sh service -internal
1) nsrpcs-127.0.0.1-3008 (10.102.29.50:3008) - SSL_TCP
    State: DOWN[Certkey not bound]    Server Name: ns-internal-127.0.0.1
    Clear Text Port: 3010
    Max Conn: 0    Max Req: 0    Max Bandwidth: 0 kbits
    Use Source IP: YES
    Client Keepalive(CKA): NO
    Access Down Service: NO
    TCP Buffering(TCPB): NO
    HTTP Compression(CMP): NO
    Idle timeout: Client: 9000 sec    Server: 9000 sec
    Client IP: DISABLED
    Server ID : 0    Monitor Threshold : 0
2) nshttps-127.0.0.1-443 (10.102.29.50:443) - SSL
    State: DOWN[Certkey not bound]    Server Name: ns-internal-127.0.0.1
    Clear Text Port: 80
    Max Conn: 0    Max Req: 0    Max Bandwidth: 0 kbits
    Use Source IP: YES
    Client Keepalive(CKA): NO
    Access Down Service: NO
    TCP Buffering(TCPB): NO
    HTTP Compression(CMP): NO
    Idle timeout: Client: 180 sec    Server: 360 sec
    Client IP: DISABLED
    Server ID : 0    Monitor Threshold : 0
3) nskrpcs-127.0.0.1-3009 (10.102.29.50:3009) - RPCSVRS
    State: UP    Server Name: ns-internal-127.0.0.1
    Max Conn: 0    Max Req: 0    Max Bandwidth: 0 kbits
    Use Source IP: NO
    Client Keepalive(CKA): NO
    Access Down Service: NO
    TCP Buffering(TCPB): NO
    HTTP Compression(CMP): NO
    Idle timeout: Client: 360 sec    Server: 360 sec
    Client IP: DISABLED
    Server ID : 0    Monitor Threshold : 0
Done
As mentioned in the previous section, to enable secure communications you run
the set rpcNode command. Once it has been executed, the communications are
handled by the secure services.
This is illustrated by the following sample configuration, in which secure
communication is enabled for a system with NSIP 10.102.29.50. The rpcNode
password was set to PASSWORD; show rpcNode displays it in its stored, obfuscated
form rather than in clear text.

> set rpcNode 10.102.29.50 -secure YES
Done
> sh rpcNode
1) IPAddress: 10.102.29.50    Password: ..ee0e237340e81007
    Retry: 1    SrcIP: 10.102.29.50
    Secure: YES
Done

Note: In an HA setup, the secure mode can be enabled for both nodes from a
single node.
Configuring SSL Parameters for Internal Services
The internal services support basic SSL configuration tasks such as binding
certificates and changing ciphers. As with any SSL service, the internal
services have a default certificate key, ns-server-certificate, bound to them.
Once a certificate key with this name is added to the system, it is
automatically bound to all the internal services, and when new internal services
are added, the default certificate key is bound to them. The
ns-server-certificate certificate key is reserved and cannot be deleted.
You can bind a certificate key of your choice, or update the default certificate
key with different certificate and key files. However, you cannot delete the
default certificate key; you can only update it with the update ssl certkey
command. Because browsers do not trust the default certificate (see the note at
the end of this appendix), use a certificate issued by your own PKI for the
internal services that administrators reach from a browser.
On a fresh system, the default certificate key is added when the system starts
up. On an upgraded system, however, you must run the add ssl certkey command to
create it; until you do, the SSL internal services remain DOWN with the reason
"Certkey not bound". Once created, the certificate key is automatically bound to
the internal services.
This is illustrated in the following sample configuration:
1. Run the sh ssl service command to view the SSL settings and the ciphers
bound to the internal service nsrpcs. No certificate key is listed yet.
> sh ssl service nsrpcs-127.0.0.1-3008
Advanced SSL configuration for Front-end SSL Service nsrpcs-127.0.0.1-3008:
    DH: DISABLED
    Ephemeral RSA: ENABLED    Refresh Count: 0
    Session Reuse: ENABLED    Timeout: 120 seconds
    Cipher Redirect: DISABLED
    SSLv2 Redirect: DISABLED
    ClientAuth: DISABLED
    SSL Redirect: DISABLED
    Non FIPS Ciphers: DISABLED
    SSLv2: DISABLED    SSLv3: ENABLED    TLSv1: ENABLED
1)  Cipher Name: DEFAULT
    Description: Predefined Cipher Alias
Done
2. Run the add ssl certkey command to add the default certificate.
> add ssl certkey ns-server-certificate -cert ns-server.cert -key ns-server.key
Done
Note: If the certificate key is not named ns-server-certificate, you must bind
it to the internal services yourself.
3. Run the sh ssl service command again to verify that the default certificate
is now bound to the internal service nsrpcs.
> sh ssl service nsrpcs-127.0.0.1-3008
Advanced SSL configuration for Front-end SSL Service nsrpcs-127.0.0.1-3008:
    DH: DISABLED
    Ephemeral RSA: ENABLED    Refresh Count: 0
    Session Reuse: ENABLED    Timeout: 120 seconds
    Cipher Redirect: DISABLED
    SSLv2 Redirect: DISABLED
    ClientAuth: DISABLED
    SSL Redirect: DISABLED
    Non FIPS Ciphers: DISABLED
    SSLv2: DISABLED    SSLv3: ENABLED    TLSv1: ENABLED
1)  CertKey Name: ns-server-certificate    Server Certificate
1)  Cipher Name: DEFAULT
    Description: Predefined Cipher Alias
Done
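The following script is an added example, not code from the Citrix guide. It parses listings in the shape of the show service -internal, show ssl service and show rpcNode output shown in this appendix and reports the conditions a reviewer would act on: SSL internal services DOWN because no certkey is bound, SSLv2 or SSLv3 enabled, the default ns-server-certificate still bound, non-FIPS ciphers enabled, and rpcNode not yet secure. The sample listings embedded in it are constructed to match the layout above (tab-separated fields), with rpcNode left at Secure: NO so that the check fires; the severity labels and the parsing approach are the example's own choices, not NetScaler behaviour.

```python
"""Audit NetScaler internal-service and rpcNode state from CLI output.

Added example; not part of the Citrix guide. Parses text shaped like the
`show service -internal`, `show ssl service <name>` and `show rpcNode`
listings in Appendix H and reports findings.
"""
import re

# Constructed samples in the appendix's layout (tab-separated fields), not
# captured from a real appliance. rpcNode is left at Secure: NO on purpose.
SHOW_SERVICE = """\
1) nsrpcs-127.0.0.1-3008 (10.102.29.50:3008) - SSL_TCP
\tState: DOWN[Certkey not bound]\tServer Name: ns-internal-127.0.0.1
\tClear Text Port: 3010
\tUse Source IP: YES
2) nshttps-127.0.0.1-443 (10.102.29.50:443) - SSL
\tState: DOWN[Certkey not bound]\tServer Name: ns-internal-127.0.0.1
\tClear Text Port: 80
3) nskrpcs-127.0.0.1-3009 (10.102.29.50:3009) - RPCSVRS
\tState: UP\tServer Name: ns-internal-127.0.0.1
Done
"""
SHOW_SSL_SERVICE = """\
Advanced SSL configuration for Front-end SSL Service nsrpcs-127.0.0.1-3008:
\tDH: DISABLED
\tSession Reuse: ENABLED\tTimeout: 120 seconds
\tClientAuth: DISABLED
\tNon FIPS Ciphers: DISABLED
\tSSLv2: DISABLED\tSSLv3: ENABLED\tTLSv1: ENABLED
1)\tCertKey Name: ns-server-certificate\tServer Certificate
1)\tCipher Name: DEFAULT
\tDescription: Predefined Cipher Alias
Done
"""
SHOW_RPCNODE = """\
1)\tIPAddress: 10.102.29.50\tPassword: ..ee0e237340e81007
\tRetry: 1\tSrcIP: 10.102.29.50
\tSecure: NO
Done
"""

ENTRY_RE = re.compile(r"^(\d+)\)\s+(\S+)\s+\((\S+):(\d+)\)\s+-\s+(\S+)$")
SSL_HDR_RE = re.compile(r"^Advanced SSL configuration for Front-end SSL Service (\S+):$")
NODE_RE = re.compile(r"^\d+\)")


def parse_fields(line):
    """Return {key: value} for every 'Key: Value' token on a tab-separated line."""
    fields = {}
    for token in line.strip().split("\t"):
        if ": " in token:
            key, value = token.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_internal_services(text):
    """Parse `show service -internal` into one dict per service."""
    services, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"name": m.group(2), "ip": m.group(3),
                       "port": int(m.group(4)), "type": m.group(5)}
            services.append(current)
        elif current is not None:
            current.update(parse_fields(line))
    return services


def parse_ssl_services(text):
    """Parse one or more `show ssl service` listings into {name: settings}."""
    configs, current = {}, None
    for line in text.splitlines():
        m = SSL_HDR_RE.match(line)
        if m:
            current = configs.setdefault(m.group(1), {"ciphers": []})
        elif current is not None:
            fields = parse_fields(line)
            if "Cipher Name" in fields:          # several cipher rows may follow
                current["ciphers"].append(fields.pop("Cipher Name"))
            current.update(fields)
    return configs


def parse_rpc_nodes(text):
    """Parse `show rpcNode` into one dict per node."""
    nodes, current = [], None
    for line in text.splitlines():
        if NODE_RE.match(line):
            current = parse_fields(line)
            nodes.append(current)
        elif current is not None:
            current.update(parse_fields(line))
    return nodes


def audit(services, ssl_configs, rpc_nodes):
    """Return (severity, message) findings; severities are this example's own."""
    findings = []
    for svc in services:
        state = svc.get("State", "")
        if state.startswith("DOWN"):
            findings.append(("HIGH", f"{svc['name']}: {state}; secure access on "
                                     f"port {svc['port']} is not being served"))
        if "Clear Text Port" in svc:
            findings.append(("INFO", f"{svc['name']}: clear-text port "
                                     f"{svc['Clear Text Port']} exists beside "
                                     f"{svc['port']}; limit who can reach this address"))
    for name, cfg in ssl_configs.items():
        if cfg.get("SSLv2") == "ENABLED":
            findings.append(("HIGH", f"{name}: SSLv2 enabled"))
        if cfg.get("SSLv3") == "ENABLED":
            findings.append(("MEDIUM", f"{name}: SSLv3 enabled; obsolete (RFC 7568)"))
        if cfg.get("Non FIPS Ciphers") == "ENABLED":
            findings.append(("MEDIUM", f"{name}: non-FIPS ciphers enabled"))
        if cfg.get("CertKey Name") == "ns-server-certificate":
            findings.append(("MEDIUM", f"{name}: bound to the default "
                                       "ns-server-certificate; use a CA-issued certkey"))
    for node in rpc_nodes:
        if node.get("Secure") != "YES":
            ip = node.get("IPAddress", "?")
            findings.append(("HIGH", f"rpcNode {ip}: Secure is {node.get('Secure', 'unset')}; "
                                     f"run set rpcNode {ip} -secure YES"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_internal_services(SHOW_SERVICE),
                                   parse_ssl_services(SHOW_SSL_SERVICE),
                                   parse_rpc_nodes(SHOW_RPCNODE)):
        print(f"[{severity}] {message}")
```

Run it as-is to see the seven findings for the constructed samples; to audit a real appliance, paste the three listings captured from its CLI into the three string constants. The clear-text port entries are reported at INFO only because they are part of the service definition, not a misconfiguration by themselves.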
As mentioned earlier, the internal services are SSL services and support all the
configuration tasks that other SSL services support. For details, refer to the
"Secure Sockets Layer (SSL) Acceleration" chapter in Volume 1 of the ICG. Note
that the sample output above shows SSLv3 enabled alongside TLSv1; disable SSLv3
on each internal service (the -ssl3 parameter of set ssl service) unless a
legacy peer still requires it. Enabling the secure option encrypts the
management and RPC traffic, but the clear-text port listed for each service
remains part of its definition, so also restrict which networks can reach the
NSIP and the management SNIPs and MIPs.
Note: While connecting to either the Configuration Utility or the Statistical
Utility using the NSIP or MIP in secure mode, a server certificate-related
warning appears twice, because the browser does not trust the default
ns-server-certificate.
APPENDIX I
FIPS Approved Algorithms and Ciphers
The FIPS approved algorithms are:
Key-exchange algorithms
RSA
Cipher algorithms
AES
DES
3DES
Note: RC4 (ARC4) is not a FIPS approved algorithm and is disabled on an SSL
virtual server when a FIPS certificate-key pair is bound to it.
An SSL virtual server is marked UP only when the default (FIPS) ciphers are
configured. To enable other ciphers on an SSL virtual server, use the following
command:
set ssl vserver <vServerName> [-nonfipscipher (ENABLE | DISABLE)]
The following are the FIPS approved ciphers supported by the system:
SSL3-DES-CBC3-SHA
SSL3-DES-CBC-SHA
TLS1-AES-256-CBC-SHA
TLS1-AES-128-CBC-SHA
SSL3-RC4-SHA is the only non-FIPS approved cipher supported by the system. You
can create cipher groups only from the FIPS approved ciphers and SSL3-RC4-SHA.
Note: This list reflects the FIPS status at the time of writing. Single DES
(SSL3-DES-CBC-SHA) was withdrawn as a FIPS standard in 2005 and 3DES has since
been deprecated by NIST, so prefer the AES ciphers wherever the peer supports
them.
APPENDIX J
Resetting a Locked HSM
As mentioned in the previous section, the HSM is locked after three unsuccessful
login attempts. This is a security measure intended to prevent unauthorized
access attempts and changes to the HSM settings. Once the card is locked, you
can no longer log on to the HSM or alter its configuration, and the HSM ceases
to be operational.
To avoid this situation, you are strongly advised to follow these directions:
1. Use the save configuration command to save the configuration
after initializing the HSM.
2. Store the passwords in a secure location.
3. Store the SO (security officer) password in a secure location. You will
need it to initialize the HSM, and you must specify it as the old SO password
when reinitializing the HSM.
Despite these precautions, if your HSM does get locked, you need to reset it
before you can use it again. Use the reset fips command to reset the HSM. This
command clears the HSM, erasing all data on the card, and resets the SO password
and the User password to their default values, sopin123 and userpin123
respectively. Because these defaults are published, change them immediately
afterwards.
The usage of the command is as follows:
reset fips
Warning: Do not use this command as an alternative to the set fips -initHSM
command, or when you have forgotten the passwords. This command must be used
only on a locked HSM.
After executing the reset fips command, use the set fips -initHSM command to
change the default passwords, supplying sopin123 as the old SO password. Then
use the save configuration command to save the running configuration.
In the following example, the HSM gets locked after three unsuccessful login
attempts (each attempt supplies an incorrect old SO password). The reset fips
command is then used to reset the card. Finally, the set fips -initHSM command
is used to change the default SO and User passwords, and the change is saved
using the save configuration command.
> set fips -initHSM Level-2 newsopin123 newsopin123 newuserpin123 -hsmLabel NSFIPS
This command will erase all data on the FIPS card. You must save the
configuration (saveconfig) after executing this command. Do you want to
continue?(Y/N) y
ERROR: Internal Error
> set fips -initHSM Level-2 newsopin1234 newsopin1234 newuserpin123 -hsmLabel NSFIPS
This command will erase all data on the FIPS card. You must save the
configuration (saveconfig) after executing this command. Do you want to
continue?(Y/N) y
ERROR: Internal Error
> set fips -initHSM Level-2 newsopin12345 newsopin12345 newuserpin12345 -hsmLabel NSFIPS
This command will erase all data on the FIPS card. You must save the
configuration (saveconfig) after executing this command. Do you want to
continue?(Y/N) y
ERROR: FIPS card locked due to three unsuccessful login attempts
> reset fips
Done
> set fips -initHSM Level-2 fipssopin123 sopin123 fipsuserpin123 -hsmLabel NSFIPS
This command will erase all data on the FIPS card. You must save the
configuration (saveconfig) after executing this command. Do you want to
continue?(Y/N) y
Done
> saveconfig
NetScaler saved the configuration
Done
>
Index
A
Access Gateway
alerts 5
accessdown on services
enabling, 209
ACLs
applying, 102
configuring, 95
managing, 102
modifying, 104
action
respondwith 708
actions
modifying 671
URL Rewriting 671
removing 671
URL Rewriting 671
SSL 401
actions, content filtering 508
active standby mode
concepts, 602
add, HTTP DoS 531
add, IP address 551, 583
add, service 532
adding
name server, 290
static ARP entries, 54
adding IPv6
addresses, 648
vserver, 650
address resolution protocol (ARP)
controlling, 49
advantages, SYN cookies 519
advertising
networks, 618
advertising routes
BGP, 614
OSPF, 609
RIP, 604
alerts
Knowledge Center 5
anycast
IPv6 address types, 645
Apache format, log files 555, 564
applying
ACLs, 102
applying rules
classify frames, 82
architecture
load balancing, 112
argument string, log format 562
ARP entries
viewing properties, 56
assigning
service weights, 184
audit log, parameters 568
audit policy, global binding 572
audit server action, configuring 571
audit server executable, options 577
audit server files, installing 572
audit server logging
deployment scenario 586
installing on Linux 574
audit server logging, configuring 568
audit server logging, how it works 567
audit server logging, starting 584
audit server logging, stopping 584
audit server logging, system requirements 572
audit server policy, configuring 571
auditing 567
audserver
command 577
B
backup persistence
configuring, 178
backup router
configuring, 625
backup vserver
configuring, 339
bandwidth-based spillover
configuring, 190
base threshold 522
basic configuration
load balancing, 113, 114
basic content switching
configuring, 319
basic load balancing setup
configuring, 114
basic network configuration
concepts, 41
basic SSL offloading
configuring virtual server 354
BGP
advertising routes, 614
disabling, 614
enabling, 613
using, 612
viewing settings, 615
BGP instance
creating, 614
modifying, 615
bind policy, priority queuing 528
bind, HTTP DoS policy 532
bind, monitor 532
binding
HTTP services 356
metrics to metric tables, 255
monitors to services, 225
URL Rewrite policies 665
vserver to work load manager, 260
binding policies
vservers, 325
binding to channel
network interface, 74
binding to service
monitors, 225
binding to service group
IP addresses, 268
monitor, 269
binding to VLANs
IP address, 90
network interfaces, 90
binding to vserver
service group, 267
services, 121
bridge table
configuring, 107
modifying, 107
verifying, 108
viewing properties, 108
viewing statistics, 109
buffer size
configure 539
TCP buffering 460
built-in policies
compression 478
C
cache redirection
configuring on services, 222
configuring, 197
content switching vserver, 344
calculating
response time for monitors, 146
call ID hash method
configuring, 156
case sensitivity
setting, 335, 338
certificate authority
obtaining certificate 361
changing ACL
source IP and destination port, 598
source IP, 595
changing source IP
ACL, 595
changing source IP and destination port
ACL, 598
channel
configuring manually, 73
modifying, 75
unbinding a network interface, 76
viewing properties, 80
checklist, audit server logging 585
checklist, web server logging 565
Citrix NetScaler
9010 749, 758
Citrix NetScaler against failure
protecting, 339
Citrix Netscaler system
IPv6, 646
neighbor discovery, 652
Citrix Presentation Server component
monitoring, 246
classify frames
applying rules, 82
egress rules, 83
ingress rules, 82
classifying
IPv6 address types, 644
clearing
network interface statistics, 71
clearing ACLs
extended, 103
simple, 98
CLI
web server logging 538
client IP address
insertion, 213
client keep-alive
basic topology 451
configuration 451
configure service 453, 454
configured parameters 452
configuring, 212
definition 449
disable mode 453
enable mode 453
entities configured 452
entity model 450
how it works 450
client traffic
managing, 195
command, audit server 577
comparing
IPv4 and IPv6 headers, 642
compressible content 462
compression
basic topology 465
configuration steps 465
configure service 466, 469
configure service parameters 466
configured entities 465
definition 461
enable feature 466
enabling on service, 210
entity model 463
how it works 462
supported MIME types 462
compression actions
built-in 475
COMPRESS 474
create 475
definition 474
DEFLATE 474
DELTA 474
GZIP 474
NOCOMPRESS 474
compression policies
built-in 478
configured parameters 479, 480
user-defined 479
compression policy
create 479
definition 478
concepts
active standby mode, 602
BGP, 612
connection failover, 191
dynamic routing, 602
ICMP for IPv6, 641
IPv6 addresses scheme, 642
IPv6, 639
link aggregation, 73
link load balancing, 619
load balancing, 111
neighbor discovery of IPv6, 645
neighbor discovery, 641
NSSA support, 612
OSPF, 607
RNAT, 591
route health injection, 616
VLAN support, 654
configuration file, sample 585
configuration file, verifying 584
configuration, verifying 551
configure
buffer size 539
content filtering 509
logging parameters 538
configure audit server
server computer 578
configure, audit server action 571
configure, audit server logging 568
configure, audit server policy 571
configure, DoS protection 531
configure, global audit server parameters 570
configure, priority queuing 526
configure, surge protection 521
configure, web server logging 546
Configuring 386, 387
basic High Availability 9
configuring
ACL based RNAT, 595
ACLs, 95
backup vserver, 339
basic content switching, 319
basic load balancing setup, 114
BGP, 614
body insertion 692
bridge tables, 107
content switching, 317
HA command propagation 18
HA dead Intervals 16
HA hello Intervals 16
HA synchronization 17
link load balancing, 622
load balancing setup, 323
metrics, 253
network interfaces, 67
OSPF, 608
packet forwarding modes, 56
persistence, 171
postbody files 695
prebody files 694
rewrite actions 663
RIP, 604
RNAT, 293
route maps, 616
services for load balancing, 206
spillover, 341
SSL 387, 394, 395, 396, 398, 399
static ARP, 53
system to advertise host routes, 614
URL for redirection, 342
URL Rewriting 662
VLANs, 81
VMAC, 95
configuring ACLs
extended, 100
simple, 96
configuring BGP
HA setup active-standby mode, 616
configuring channel
link aggregate channel protocol (LACP), 78
manually, 73
configuring connection failover
high availability, 193
configuring content switching
how content switching works, 317
configuring IP address
system-owned, 41
types, 42
configuring load balancing
deployment scenario, 654
SASP, 257
configuring load balancing methods
call ID hash method, 156
custom load method, 167
destination IP hash method, 154
domain hash method, 154
hash methods, 151
least bandwidth method, 156
least connection method, 134
least packets method, 160
least response time method, 141
LRTM using monitors, 146
round robin method, 139
source IP destination IP hash method, 155
source IP hash method, 155
source IP source port hash method, 155
token method, 164
URL hash method, 153
weighted round robin, 140
configuring metrics
load assessments, 253
configuring monitors
inline, 247
load, 252
user, 248
configuring persistence
backup persistence, 178
vserver groups, 179
configuring persistence types
cookie based persistence, 174
destination IP persistence, 177
rule based persistence, 175
Server-ID based persistence, 177
source and destination IP based persistence, 178
Source IP persistence, 173
SSL session IDs persistence, 175
URL passive, 176
configuring RNAT
link load balancing, 629
configuring router
backup, 625
configuring spillover
bandwidth-based spillover, 190
connection-based spillover, 189
dynamic spillover, 190
configuring VLANs
802.1q tagging, 89
HA setup, 85
multiple subnets, 87
single subnet, 85
untagged 88
configuring VMAC 22
connection failover
concepts, 191
configuring, 191, 193
disabling, 194
connection-based spillover
configuring, 189
connections
proxying, 62
content filter policy, creating 510
content filter policy, globally binding 511
content filter policy, removing 511
content filtering 508
enabling 509
content filtering, actions 508
content filtering, configuring 509
content filtering, disabling 510
content filtering, how it works 508
content switching
configuring, 317
enabling, 321
topology, 320
content switching configuration
verifying, 327
content switching policies
creating, 323
modifying, 331
removing, 334
viewing, 328
content switching policy
managing, 331
content switching setup
customizing, 334
content switching vserver
enabling and disabling, 330
content switching vservers
creating, 322
removing, 330
unbinding content switching policies, 329
viewing properties, 327
content switching, DoS protection 530
controlling
address resolution protocol (ARP), 49
PING response, 50
route learning, 606
cookie based persistence
configuring, 174
create policies
compression 479
create policy, priority queuing 527
create, compression actions 475
create, content filter policy 510
create, filters 579
create, rules 508
creating
content switching policies, 323
content switching vservers, 322
filter action 510
filter actions 687
filter policies 689
HTTP based services 354
IPv6 routes, 651
link aggregate channels, 73
metric tables, 254
monitors, 224
range of vservers and services, 264
rewrite policies 664
servers, 119
service groups, 266
services, 116
SSL virtual server 355
VLANs, 84
vservers, 120
work load manager, 259
creating ACLs
extended, 100
simple, 96
creating IP address
GSLB site, 47
mapped, 46
NetScaler system, 42
subnet, 44
virtual server, 46
CRL
configuring 386
CS vserver state dependency on the state of target LB
vservers
setting, 338
custom format, log files 555, 560
custom load method
configuring, 167
CustomLog Format
Define 560
Defining Manually 561
Time Format Definition 563
custom log format, defining 560
customizing
content switching setup, 334
load balancing configuration, 131
monitors, 247
customizing, W3C format 556
D
default buffer size
web server logging 539
default log filter, defining 546
default settings, log properties 550
default weights, priority queuing 528
define 548
define, custom log format 560
define, filters 579
define, log properties 580
defining
log properties 548
defining log filter
virtual servers 548
delayed cleanup of vserver connections
enabling, 345
Denial of Service 517
deployment scenario
configuring load balancing, 654
load balancing DNS servers, 285
load balancing domain-name based services, 287
load balancing FTP servers, 282
load balancing in direct server return mode, 295
load balancing in inline mode, 309
load balancing in one-arm mode, 299, 307
load balancing SIP servers, 292
load balancing, 295
deployment scenario, audit server logging 586
deployment scenarios
URL Rewriting 673
describing
spillover parameters, 188, 341
destination IP
routing persistence, 620
destination IP address
selecting, 63
destination IP based persistence
configuring, 177
destination IP hash method
configuring, 154
direct server return mode
configuring, 295
directing requests
priority based, 198
Web page, 199, 207
disable feature
compression 467
disable mode
client keep-alive 453
TCP buffering 459
disable surge protection, service 522
disable, content filtering 510
disable, surge protection 521
disabling
BGP, 614
connection failover, 194
HA command propagation 19
HA synchronization 17
discovered neighbors
viewing, 652
DNS servers
load balancing, 285
monitoring, 287
DNS service
monitoring, 242
domain hash method
configuring, 154
domain-name based service
load balancing, 287
DoS protection, configuring 531
DoS protection, content switching 530
DoS protection, memory 530
DoS protection, performance 530
DoS protection, priority queuing 530
DoS protection, SSL 530
DoS protection, surge protection 530
downstateflush
enabling on service, 208
enabling on vserver, 200
dynamic routing
concepts, 602
enabling and disabling, 603
dynamic routing protocols
viewing routes, 619
dynamic spillover
configuring, 190
E
egress rules
applying, 83
enable
responder 708
enable feature
compression 466
content filtering 509
enable mode
client keep-alive 453
TCP buffering 459
enable, HTTP DoS 531
enable, priority queuing 526
enable, surge protection 521
enabling
accessdown on services, 209
BGP, 613
content switching, 321
delayed cleanup of vserver connections, 345
HA command propagation 19
HA synchronization 17
HTML Injection 686
load balancing, 115
OSPF, 608
RHI, 617
RIP, 603
SNIP mode, 45
URL Rewriting 662
use source IP address, 216
web server logging 538
enabling and disabling
content switching vserver, 330
dynamic routing, 603
extended ACLs, 103
IP addresses 52
IPv6, 647
layer 2 mode, 57
layer 3 mode, 58
link aggregate channels, 78
MBF mode, 59
monitors, 229
network interfaces, 70
path MTU behavior, 633
servers, 126
service group, 274
services, 128
use source IP mode (USIP), 64
vservers, 130
enabling BGP
non-NSIP network, 613
enabling downstateflush
services, 208
vservers, 200
enabling on service
compression, 210
TCP buffering, 210
entity model
work load manager, 259
entry time-out
session, 621
event
undefined 709
extended ACLs
clearing, 103
configuring, 100
creating, 100
enabling and disabling, 103
removing, 102
resetting priorities, 104
verifying, 106
viewing properties, 106
viewing statistics, 107
F
f 583
filter
content 707
filter action
creating 510
filter policies
binding 690
FilterName 580
Filters
Creating 547, 579
Defining 546, 579
filters, creating 579
filters, defining 579
FIS 30
FIS, unbind interfaces 32
FIS, binding interfaces 31
FIS, remove 33
FIS, unbinding interfaces 33
FIS,verify configuration 32
force HA failover 20
force HA synchronization 18
forwarding
packets, 83
FTP monitors
configuring, 284
FTP servers
load balancing, 282
FTP service
monitoring, 235
G
global audit server parameters, configuring 570
global binding, audit policy 572
global binding, content filter policy 511
GSLB site IP address
creating, 47
H
HA setup
configuring VLANs, 85
HA setup active standby mode
OSPF, 612
HA setup active-standby mode
configuring BGP, 616
hash methods
configuring, 151
High Availability
adding node 10
basic configuration 9
configuring command propagation 18
configuring state of a node 37
configuring synchronization 17
configuring VMAC 22
dead Intervals 16
disabling a node 13, 14
disabling HA monitor 11
enabling a node 15
FIS 30
force failover 20
force synchronization 18
health checks 37
hello Intervals 16
INC 27
modifying configuration 13
removing a node 15
requirements 8
route monitors 34
High availability
binding route monitor 34
configuring connection failover, 193
troubleshooting 37, 39
host header
modifying, 657
how content switching works
configuring content switching, 317
how it works
HTML Injection 685
SSL 351
URL Rewriting 661
HTML Injection
body insertion 697
configuring for commonly used applications 700
configuring header insertion 686
example 674, 675, 676, 677, 678, 679, 681, 682
delete header 675
home page redirection 682
inserting client IP address 674
keyword redirection 681
mask server type 677
migrate rewrite module rules 679
query redirection 681
redirect URLs 678
tagging connections 676
internal variables 692
HTTP DoS policy, binding 532
HTTP DoS, adding 531
HTTP DoS, enabling 531
HTTP redirection
configuring, 201
I
ICMP for IPv6
concepts, 641
idle client connections
setting time-out, 205, 219
setting timeout, 348
idle server connections
setting time-out, 220
implementing
RNAT with link load balancing, 621
INC 27
adding node 29
disabling HA monitor 29
route monitors 34
ingress rules
applying, 82
inline mode
configuring, 309
inline monitors
configuring, 247
inserting
client IP address in requests, 213
IP address and port, 203, 346
VIP, 658
install, how to
audit server files 572
installing
NSWL on FreeBSD 542
NSWL on Linux 542
NSWL on MAC operating system 543
NSWL on Solaris 541
NSWL on Windows 544
installing audit server logging
FreeBSD 575
Windows 576
installing, NSWL 540
IP address
binding to VLANs, 90
enabling and disabling, 52
managing, 51
modifying, 47
removing, 51
viewing properties, 53
IP address and port
inserting, 203, 346
IP address types
configuring, 42
IP address, adding 551, 583
IPv4 and IPv6 headers
comparing, 642
IPv6
Citrix Netscaler system, 646
enabling and disabling, 647
multicast listener discovery, 641
neighbor discovery, 642
support, 639
IPv6 address scheme
concepts, 642
IPv6 address types
anycast, 645
classifying, 644
multicast, 644
unicast, 644
IPv6 addresses
adding, 648
viewing, 649
IPv6 route
creating, 651
removing, 651
viewing, 652
IPv6 statistics
viewing, 653
IPv6 vserver
adding, 650
K
Knowledge Center
alerts 5
L
LACP
viewing properties, 80
large scale deployment
managing, 263
layer 2 mode
enabling and disabling, 57
layer 3 mode
enabling and disabling, 58
Layer 7 Denial of Service Protection 529
LB configuration
modifying, 125
LB method
load balancing DSR mode, 298, 313
LCD
display
out of service 773
power on 772
start-up 772
LDAP service
monitoring, 243
learning
router, 653
learning routes
OSPF, 611
least bandwidth method
configuring, 156
least connection method
configuring, 134
least packets method
configuring, 160
least response time method
configuring, 141
LED
12000 764, 766
9010 system 750, 752, 755
limiting propagations
RIP, 605
link aggregate channel
binding an interface, 74
creating, 73
enabling and disabling, 78
removing, 77
verifying, 80
link aggregate channel protocol (LACP)
configuring, 78
link aggregation
concepts, 73
link load balancing
concepts, 619
configuring, 622
RNAT, 629
listen to RIP advertisements
configuring 605
listen-only mode
configuring, 610
load balancing
architecture, 112
basic configuration, 113, 114
common protocols, 281
concepts, 111
deployment scenarios, 295
enabling, 115
redirection mode, 182
sessionless vservers, 195
SIP in inline DSR mode, 240
SIP in one-arm DSR mode, 239
spillover, 188
SSL 426
SSL servers, 284
topology, 114
troubleshooting problems, 315
verifying configuration, 123
load balancing configuration
customizing, 131
protecting, 185
viewing, 328
load balancing DSR mode
enabling MAC-based forwarding, 297, 312
LB method and redirection mode, 298, 313
USIP mode, 298, 314
load balancing policy
routing, 621
load balancing setup
configuring, 323
load balancing using SASP
configuring, 257
load monitors
configuring, 252
log file format
types 537
log files, Apache format 564
log filter, creating 547
log filter, defining 546
log format, argument string 562
log messages, severity levels 569
log properties 548, 580
log properties, default settings 550
log properties, defining 580
logging parameters
configure 538
logging, TCP 568
LRTM using monitors
configuring, 146
M
MAC-based forwarding
enabling, 297, 312
maintaining
client connections, 212
managing
ACLs, 102
client traffic, 195
content switching policy, 331
IP addresses, 51
large scale deployment, 263
monitors, 229
network interfaces, 69
rewrite actions 666
servers, 125
service groups, 272
services, 127
static routes, 650
VLANs, 92
vservers, 129
work load manager, 262
managing and monitoring
servers, 206
mapped IP address
creating, 46
maximum bandwidth usage
setting, 221
maximum entries
session, 621
maximum number of client connections
setting, 217
maximum number of requests
setting, 218
MBF mode
enabling and disabling, 59
measuring
application performance 700
memory usage limit
TCP buffering 461
metric table
creating, 254
unbinding, 256
metric tables
removing, 255
viewing properties, 256
metrics
binding to metric tables, 255
configuring, 253
MIB xvi
MIP as NAT IP address
using, 592
modes
RNAT, 592
modifying
ACLs, 104
BGP instance, 615
bridge tables, 107
channels, 75
content switching policies, 331
host header, 657
IP addresses, 47
LB configuration, 125
monitors, 226
service groups, 270
VLANs, 91
work load manager, 261
modifying, HA configuration 13
monitor
enabling and disabling, 229
managing, 229
modifying, 226
removing, 230
monitor, binding 532
monitoring
Citrix Presentation Server component, 246
DNS servers, 287
routers, 620
services, 223
monitoring services
DNS, 242
FTP, 235, 284
LDAP, 243
MySQL, 244
NNTP, 245
POP3, 245
RADIUS, 241
SIP, 235
SMTP, 246
SNMP, 244
SSL, 233
monitors
binding to a service group, 269
binding to services, 225
configuring, 223
creating, 224
customizing, 247
unbinding from service, 230
viewing, 231
multicast
IPv6 address, 644
multicast listener discovery
IPv6, 641
multiple subnets
configuring VLAN, 87
MySQL service
monitoring, 244
N
name server
adding, 290
NAT statistics
viewing, 600
NCSA Common format, log files 555
neighbor discovery
Citrix Netscaler system, 652
concepts, 641
IPv6, 642
neighbor discovery entries
removing, 652
neighbor discovery of IPv6
concepts, 645
NetScaler
safety information 737
NetScaler system IP address
creating, 42
network interface
binding to VLAN, 90
clearing statistics, 71
configuring, 67
enabling and disabling, 70
managing, 69
resetting, 70
unbinding from a VLAN, 92
verifying, 71
viewing properties, 72
viewing statistics, 72
networks
advertising, 618
nfiguration 13
NNTP service
monitoring, 245
non-NSIP network
enabling BGP, 613
NOOP 709
NSSA support
concepts, 612
NSWL
installing 540
NSWL, options 545
O
one-arm mode
configuring, 299, 307
options
NSWL 545
options, audit server executable 577
OSPF
advertising routes, 609
concepts, 607
configuring, 608
enabling, 608
in a HA setup active standby mode, 612
learning routes, 611
listen-only, 610
viewing settings, 612
P
packet forwarding modes
configuring, 56
packets
forwarding, 83
parameters, audit log 568
parameters, set 547
path MTU behavior
enabling and disabling, 633
persistence
configuring, 171
persistence groups
configuring, 179
PING response
controlling, 50
policies
compression 478
managing 672
URL Rewriting 672
removing 672
URL Rewriting 672
POP3 service
monitoring, 245
ports
10010 752, 755
15000 763, 765
7000 system 748, 757, 759, 761
9010 750
ports and protocols
rewriting, 346
potential for, DoS attack 517
precedence of evaluation
setting, 336
priority levels, policy queuing 525
priority queuing 525
configuring, 198
priority queuing, binding policy 528
priority queuing, configuring 526
priority queuing, creating policy 527
priority queuing, enabling 526
priority queuing, priority levels 525
priority queuing, verifying configuration 528
product alerts 5
protecting
Citrix NetScaler against failure, 339
load balancing configuration, 185
traffic surge, 206
protocols
load balancing, 281
proxying
connections, 62
R
RADIUS service
monitoring, 241
range of vservers and services
creating, 264
redirecting
client requests, 185
HTTP requests to cache, 197
requests to cache, 222
redirecting requests
cache, 344
redirection mode
configuring, 182
load balancing DSR mode, 298, 313
remove
basic configuration 769
extended configuration 769
full configuration 769
route monitor 36
VMAC 26
remove, content filter policy 511
removing
content switching policies, 334
content switching vservers, 330
extended ACLs, 102
IP Addresses, 51
IPv6 routes, 651
link aggregate channels, 77
metric tables, 255
monitors, 230
neighbor discovery entries, 652
server, 126
service groups, 272
service, 127
simple ACLs, 98
static ARP entries, 55
VLANs, 93
vserver, 130
work load manager, 262
renumbering
extended ACLs, 104
requesting
NAT statistics, 600
resetting
network interfaces, 70
responder
bypassing safety checks 716
configuring policies 711
configuring redirect actions 715
enable 708
how it works 707
managing actions 716
managing policies 718
modifying actions 717
removing actions 718
removing policies 719
verifying configuration 713
respondwith action 708, 710
configure 708, 710
response time
calculating, 146
rewriting
ports and protocols, 346
rewriting ports and protocols
HTTP redirection, 201
RHI
enabling, 617
VIP, 618
RIP
configuring, 604
enabling, 603
RIP settings
viewing, 602
RIP to advertise routes
configuring, 604
RNAT
concepts, 591
configuring, 293
modes, 592
RNAT modes
USIP, USNIP, LLB, 600
RNAT with link load balancing
implementing, 621
round robin method
configuring, 139
route health injection
concepts, 616
route learning
configuring 606
route maps
configuring, 616
route monitor
remove 36
verifying configuration 34
route monitor, binding to HA node 34
router advertisement learning
enabling, 653
routers
monitoring, 620
routing
load balancing policy, 621
routing persistence
destination IP, 620
rule based persistence
configuring, 175
rules, creating 508
S
safety check
bypassing 667
URL Rewriting 667
safety information 737
sample configuration file 585
NSWL 552
selecting
destination IP address, 63
source IP address, 63
server
creating, 119
enabling and disabling, 126
managing, 125
removing, 126
server IDs
setting, 215
server parameters
usage, 119
Server-IDs based persistence
configuring, 177
servers
managing and monitoring 206
service
binding to vservers, 121
creating, 116
enabling and disabling, 128
managing, 127
removing, 127
unbinding from a vserver, 129
viewing bindings, 125
viewing properties, 124
viewing statistics, 124
service group
binding an IP address, 268
binding to a vserver, 267
configuring, 266
creating, 266
enabling and disabling, 274
managing, 272
modifying, 270
removing, 272
unbinding a member, 273
unbinding from a vserver, 273
unbinding monitors, 274
viewing properties, 275
viewing statistics, 276
service parameters
usage, 116
service weight
configuring, 184
service, adding 532
service, configure
client keep-alive 453, 454
compression 466, 469
parameters 466
TCP buffering 458, 460
session
entry time-out, 621
maximum entries, 621
sessionless vservers
configuring, 195
set threshold, surge protection 522
setting
case sensitivity, 335, 338
CS vserver state dependency on the state of target LB vservers, 338
expiry time (TTL), 97
maximum bandwidth usage, 221
maximum number of client connections, 217
maximum number of requests, 218
precedence of evaluation, 336
server IDs, 215
SIP parameters, 294
threshold value for monitors, 218
undefined actions 672
URL Rewriting 672
setting idle time-out
client connections, 205, 219
server connections, 220
setting timeout
idle client connections, 348
setting up
connection failover, 191, 193
monitors, 223
service groups, 266
severity level, log messages 569
simple ACL
removing, 98
verifying, 99
viewing properties, 99
viewing statistics, 99
simple ACL rules
creating, 96
simple ACLs
configuring, 96
single subnet
configuring VLANs, 85
SIP
working, 237
SIP in inline DSR mode
concepts, 240
SIP in one-arm DSR mode
concepts, 239
SIP parameters
configuring, 294
SIP servers
load balancing, 292
SIP service
monitoring, 235
SMTP service
monitoring, 246
SNIP mode
enabling, 45
SNMP xv
SNMP service
monitoring, 244
source and destination IP persistence
configuring, 178
source and destination IPs based on ACL
changing, 595
source IP address
selecting, 63
source IP destination IP hash method
configuring, 155
source IP hash method
configuring, 155
source IP persistence
configuring, 173
source IP source port hash method
configuring, 155
Specification
7000 model 747, 756
specification
10010 system 752
12000 system 754
15000 MPX appliance 763, 765
9010 system 749, 758
specifying files
HTML Injection 696
spillover
configuring, 188, 341
SSL
actions 401
certificate key pair 357
certificate revocation lists 386
client authentication 381, 382, 401
configurations 411, 414, 421, 423, 426, 428
configuring 399
configuring SSL offloading 352
CRL 389, 390
customizing configuration 392
deployment scenarios 426
enabling 353
insertion 403
managing certificates 360
outlook web access 402
overview 351
policies 409
server authentication 385
verifying configuration 359
virtual server 359
SSL Acceleration
Exporting Certificates and Keys
IIS 5 on Windows 2000 366
Sun iPlanet 367
SSL certificate
exporting 364
self signed 371
SSL certificates
chain 373
client certificates 381
converting 381
exporting 364, 365, 366, 367, 369
global site certificates 376
importing 378
managing 375
server 375
SSL servers
load balancing, 284
SSL service
monitoring, 233
SSL session IDs based persistence
configuring, 175
SSL, DoS protection 530
start, audit server logging 584
start, web server logging 552
state, SYN cookie 518
static ARP
configuring, 53
static ARP entry
adding, 54
removing, 55
static routes
managing, 650
stop, audit server logging 584
stop, web server logging 552
subnet IP address
creating, 44
supported MIME types
compression 462
sure connect
configuring, 199, 207
surge protection 519
configuring, 206
surge protection, configuring 521
surge protection, disabling 521
surge protection, enabling 521
surge protection, setting threshold 522
SYN cookies 518
system requirements, audit server logging 572
system-owned IP address
configuring, 41
T
tagged network interface
configuring, 91
TCP buffering
basic topology 457
buffer size 460
configuration steps 457
configure parameters 460
configure service 458, 460
configured parameters 458
definition 454
enabling on service, 210
entities configured 458
entity model 456
how it works 455
memory usage limit 461
TCP logging 568
threshold value for monitors
setting, 218
threshold, configuration 524
throttle 523
throttle rate, aggressive 523
throttle rate, normal 523
time format definition 563
token method
configuring, 164
topology
content switching, 320
load balancing, 114
troubleshooting
load balancing problems, 315
TTL
configuring, 97
types of, log file formats 537
U
unbind, how to
content filter policy 512
unbinding
metric tables, 256
monitors from service groups, 274
monitors, 230
service groups, 267, 273
work load manager, 262
unbinding content switching policies
content switching vservers, 329
unbinding from a vserver
service group, 273
services, 129
unbinding from service
monitors, 230
unbinding from service group
member, 273
monitors, 274
unbinding IP addresses
VLANs, 93
unbinding network interface
channel, 76
VLAN, 92
undefined actions
setting 672
URL Rewriting 672
undefined event 709
configure 709
NOOP 709
RESET 709
URL Rewriting 662
understanding
basic LB topology, 114, 320
LB entity model 115, 321
SIP in inline DSR mode, 240
SIP in one-arm DSR mode, 239
unicast
IPv6 address types, 644
uninstalling audit server
on Linux 574
uninstalling audit server logging
on FreeBSD 575
on Windows 576
unique NAT IP address
configuring, 593
untagged VLANs
configuring, 88
URL for redirection
configuring, 342
URL hash method
configuring, 153
URL passive persistence
configuring, 176
URL redirection
configuring, 185
URL Rewrite
configuring actions 663
URL Rewriting
binding policies 665
configuring 662
creating policies 664
deployment scenarios 673
enabling 662
how it works 661
managing actions 666
managing policies 672
modifying actions 671
removing actions 671
removing policies 672
undefined events 662
use source IP address
enabling, 216
use source IP mode (USIP)
enabling and disabling, 64
user monitors
configuring, 248
user-defined policies
compression 479
using
MIP as NAT IP address, 592
unique NAT IP address, 593
USIP, USNIP, LLB
RNAT modes, 600
V
verify
route monitor 34
VMAC configuration 25
verify cache redirection configuration
using CLI 472, 473
verify configuration, priority queuing 528
verify, compression configuration
configuration utility 473
statistical utility 471
using SNMP 471
verify, configuration 551
verify, configuration file 584
verifying
bridge tables, 108
configuration 666
URL Rewriting 666
content switching configuration, 327
extended ACLs, 106
link aggregate channels, 80
load balancing configuration, 123
network interfaces, 71
simple ACLs, 99
VLANs, 94
verifying configuration
HTML Injection 690
viewing
content switching policies, 328
discovered neighbors, 652
filter actions 691
filter policies 691
IPv6 addresses, 649
load balancing configuration, 328
monitors, 231
service bindings, 125
virtual server 692
vserver properties, 123
work load manager, 263
viewing properties
ARP entries, 56
bridge tables, 108
channels, 80
content switching vservers, 327
extended ACLs, 106
IP addresses, 53
LACP, 80
metric tables, 256
network interfaces, 72
service group, 275
service, 124
simple ACLs, 99
VLANs, 94
vserver, 123
viewing routes
dynamic routing protocols, 619
IPv6, 652
viewing settings
BGP, 615
OSPF, 612
RIP, 602
viewing statistics
bridge table, 109
extended ACL, 107
IPv6, 653
network interface, 72
service group, 276
service, 124
simple ACL, 99
VLANs, 94
vserver, 123
VIP
inserting, 658
RHI, 618
virtual server IP address
creating, 46
virtual servers
defining log filter 548
VLAN support
concepts, 654
VLANs
configuring, 81
creating, 84
managing, 92
removing, 93
unbinding IP address, 93
verifying, 94
viewing properties, 94
viewing statistics, 94
VMAC
adding 23
binding interfaces 24
configuring, 95
remove 26
unbinding interfaces 26
verify configuration 23, 25
vserver
creating, 120
managing, 129
removing, 130
viewing statistics, 123
vserver parameters
usage, 120, 322
vservers
binding policies, 325
binding to work load manager, 260
viewing properties, 123
W
W3C Extended log format
Customizing W3C Format 556
Directives 557
Entries 556
Fields 557
Identifiers 558
W3C format, customize 556
W3C format, log files 555, 556
web server logging 537
configure 546
enabling 538
hardware configuration 540
how it works 537
software configuration 540
web server logging, checklist 565
web server logging, starting 552
web server logging, stopping 552
weighted queuing 528
weighted round robin
configuring, 140
work load manager
creating, 259
entity model, 259
managing, 262
modifying, 261
removing, 262
unbinding, 262
viewing, 263
working
SIP, 237