CNS 301 3I en StudentExerciseWorkbook
Advanced Implementation
Claim introductory pricing of $500 for 25 days of access. Contact your Citrix Education representative or purchase online here.
Practice outside of the classroom: You'll receive a fresh set of labs, giving you the opportunity to recreate and master each step in the lab exercises.
25 days of access: Get unlimited access to the labs for 25 days after you launch, giving you plenty of time to sharpen your skills.
Certification exam preparation: Get ready for your Citrix certification exam by practicing test materials covered by lab exercises.
Credits
Instructional Designers: Jeremy Boehl, Dustin Clark, Nathaniel De Leon, Anton Mayers, Christopher Rudolph
Subject Matter Experts: Jeff Apsley, Justin Aspley, Arvind Bangari, Paul Blitz, Mark Borrow, Erik Brandsberg, Colin Christy, John Daniels, John Dell, Greg Dolan, Stefan Drege, Seema Vaibhav Dubey, Abhishek Gautam, Roland Geldner, Bino Gopal, DeeLayna Hurst, Todd Hurst, Faisal Jahan, Vamsi Korrapati, Prakash Mana, James Nagy, Ronan O’Brien, Lokaraj Pedapalli, Glenn Porter, Ram Prasad, Patrick Quinlan, Prabhu Rampur, Kumaresan Rangasamy, Anoop Reddy, Guy Rosefelt, Rhonda Rowland, Jacob Salassi, Kawaljit Singh, Prakash Sinha, Erin Smith, Sam Spence, Thilak Subburam, Raghu Varma Tirumalaraju, Bjarne Traeholt, Chad Tripod, Abhilash Verma, Gregor Visconty, Kit Wetzler, Don Williams, Lena Yarovaya, Tony Zhang
Notices
Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or
use of this publication. Citrix specifically disclaims any expressed or implied warranties,
merchantability, or fitness for any particular purpose. Citrix reserves the right to make any changes
in specifications and other information contained in this publication without prior notice and
without obligation to notify any person or entity of such revisions or changes.
© Copyright 2016 Citrix Systems, Inc. All Rights Reserved.
No part of this publication may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or information storage and retrieval
systems, for any purpose other than the purchaser’s personal use, without express written
permission of:
Citrix Systems, Inc. 851 West Cypress Creek Road Fort Lauderdale, FL 33309 http://www.citrix.com
The following marks are service marks, trademarks or registered trademarks of their respective
owners in the United States and other countries.
Marks: Active Directory®, Microsoft®, Microsoft Internet Explorer®, Windows®, Win32™. Owner: Microsoft Corporation.
Other product and company names mentioned herein might be the service marks, trademarks or
registered trademarks of their respective owners in the United States and other countries.
Module 1
Advanced Troubleshooting
Lab Overview
This book contains exercises to accompany the courseware content. This section provides an
overview of the hosted lab environment used with the lab exercises in this course.
Lab Approach
Each exercise presented here begins with an introduction to the exercise, followed by detailed step-by-step instructions. The introduction comprises the following sections:
• Scenario: describes the end goal.
• Before You Begin: lists exercise dependencies.
• Exercise Details: lists the high-level tasks that will be performed in the lab.
These tasks are designed to contain enough information to allow you to attempt the
exercise without the step-by-step instructions. We encourage you to attempt to
perform the exercise using these tasks and resorting to the step-by-step instructions for
more information or if you have difficulty completing the exercise.
• Login information: Use the following usernames and passwords throughout the labs:
• Citrixadmin/Password1 for Windows machines.
• root/public for Command Center machine.
• nsroot/nsroot for NetScaler and Insight Center machines.
To start a single virtual machine, right click the virtual machine and click start.
Exercise Details
Troubleshoot the following NetScaler configuration issues:
1. Using the Student Desktop virtual machine (CitrixUser/Password1), log in to the Configuration
Utility:
a. Open Firefox and Navigate to http://netscaler.training.lab/.
b. Type nsroot in the User Name field.
c. Type nsroot in the Password field.
d. Click Login.
2. Log in to the Command Line Interface:
a. Open putty.exe from the desktop.
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open and click Yes on the Security Alert if needed.
d. Type nsroot as the username and nsroot as the password.
• Issue 1: Some services are down despite their servers being healthy.
1. Use the Configuration Utility or command-line interface to access your NetScaler system.
2. Determine which services are down and make a note.
3. Determine why the services are down and note the cause.
4. Determine possible solutions and add them to a note.
5. Perform configuration changes to resolve the issue.
6. Verify that the state of all services is UP.
• Issue 2: The vserver lb_TS_MAIN is down, yet the effective state shows as up.
1. Note why the lb_TS_MAIN state is DOWN.
2. Note why the lb_TS_MAIN effective state is UP.
3. Note the difference between the state and effective state of a virtual server.
• Issue 3: The configured load balancing method for vserver lb_TS_MAIN is Least Connections,
but requests are not being load balanced according to the Least Connections algorithm.
1. Verify that the requests to the lb vserver lb_TS_MAIN are not being load-balanced.
2. Determine and note why the requests are not being load-balanced.
Summary
In this exercise you learned some of the strategies for troubleshooting common NetScaler
configuration issues. Helpful keys to a successful implementation of a NetScaler system include the
following:
1. Perform configurations only of features or nodes that are required for your implementation.
2. Perform configurations of features or nodes one at a time.
Exercise Details
Complete the following steps:
1. Create the AFWeb objects:
a. Create a server object for AFWeb using the AFWeb IP address 192.168.20.110:
srv_afweb.
b. Create a service object for AFWeb, which supports HTTP traffic over port 80:
svc_afweb_http.
c. Create a load balancing virtual server object for AFWeb, which supports HTTP traffic
over port 80 using the IP address 192.168.30.30 named lb_vsrv_afweb.
d. Bind the service to the load-balancing virtual server.
2. Test the virtual server:
a. Launch a web browser.
b. Browse to http://afweb.training.lab/.
Summary
This exercise sets several key requirements needed by all other lab exercises. For this lab
environment, proxy settings must be removed from the web browser. The server, service and virtual
server objects are created, which are required to access the test application AFWeb.
A DNS entry for AFWeb has already been created for you.
Exercise Details
Complete the following steps:
• Create WebGoat objects:
• Create a server object for WebGoat using 192.168.20.9: srv_webgoat.
• Create a service object for WebGoat for HTTP traffic over port 80: svc_webgoat_http.
• Create a load balancing virtual server object for WebGoat, which supports HTTP traffic
over port 80. Use 192.168.30.35 for the virtual IP address. Virtual server: lb_vsrv_webgoat.
• Bind the service to the load balancing virtual server.
• Test the newly created load balancing virtual server by browsing to http://www.webgoat.net.
Summary
This exercise creates entities needed in later lab exercises as part of an initial environment
configuration. This section uses existing skills to create and configure load-balancing virtual servers
and services.
A host file entry for WebGoat.net has already been created for you. Note the
capital "W" and "G" in the URL.
Exercise Details
Complete the following tasks:
1. Create an Application Firewall profile for AFWeb: AFWeb_Basic. Create the profile with the
Basic default settings.
2. Create an Application Firewall profile for AFWeb: AFWeb_Adv. Create the profile with the
Advanced default settings.
3. Modify the AFWeb_Basic profile. Configure the error page to be the blocked page in AFWeb.
Set the error page URL to http://afweb.training.lab/blocked.htm.
Summary
An Application Firewall profile is a collection of settings (such as security checks, relaxations and
an error page) that determine the Application Firewall protections applied to a site or group of
sites. When creating a new profile, the profile options are to create a Basic profile or an Advanced
profile. These options determine the default settings for the profile. The default options include
which security checks are enabled for blocking by default, whether learning is used, and whether
certain default relaxations are already configured.
The advanced profile includes different default settings than the basic profile. The primary
differences are that the advanced profile includes learning enabled by default, and most security
checks are enabled for blocking by default. When looking specifically at the start URL security
check, the advanced profile does not include default allowed start URLs, and URL closure is
enabled by default.
Any Application Firewall profile may be fully configured or customized to work with the
application. The selection of the advanced profile versus the basic profile options at the time of
profile creation only determines the default profile settings.
3. Click the Save icon on the upper right menu bar to save the configuration. Changes to the
configuration affect the running configuration only, unless they are saved. Any unsaved
changes are lost following a restart.
4. Click Yes to save the running configuration.
Exercise Details
Complete the following tasks:
1. Create an Application Firewall policy for AFWeb: pol_af_afweb.
a. Create a new Application Firewall policy.
b. Set the policy action to the profile for AFWeb: AFWeb_Basic.
c. Set the policy expression to TRUE.
d. Bind the policy to the load-balancing virtual server lb_vsrv_afweb with a priority of
100.
2. Test the Application Firewall policies.
Summary
The Application Firewall policies determine which traffic the profile settings will be applied against.
The policies determine when the profile protections are applied.
Module 3
Attacks and Protections
Attacks and Protections Exercises
Exercise 3-1: Buffer Overflow Protection
This exercise demonstrates a Buffer Overflow exploit and protection using the AFWeb site.
Begin by disabling the Application Firewall protection for AFWeb and viewing the Buffer Overflow
demonstration link. Then, enable the Application Firewall protection and observe the default
behavior.
Exercise Details
Complete the following tasks:
1. Demonstrate a buffer overflow attack.
a. Disable protection for AFWeb. Modify the profile to disable the buffer overflow
security check.
b. Browse to the AFWeb Buffer Overflow page.
2. Demonstrate buffer overflow protection.
a. Enable protection for AFWeb. Modify the profile to enable blocking for the Buffer
Overflow security check.
b. Return to AFWeb and attempt to access the buffer overflow demonstration link.
Observe the default protection behavior.
Summary
The Application Firewall protection against Buffer Overflow exploits blocks data when thresholds
for the URL length, cookie length or header length exceed the specified limit.
Exercise Details
Complete the following tasks:
1. Demonstrate a SQL injection attack.
a. Disable the SQL injection protection for AFWeb.
b. Browse to AFWeb site and click the SQL Injection link.
c. Enter various SQL injection attacks in the Lookup Value field and click Submit:
d. Observe the results for each value.
2. Demonstrate SQL injection protection.
a. Enable SQL injection protection for AFWeb.
b. Return to the AFWeb SQL Injection page.
c. Enter various SQL injection attacks in the Comments field and click Submit:
d. Observe the results for each value.
Summary
SQL Injection attacks can lead to the exposure of sensitive information regarding the structure of
databases and the information contained within the databases themselves. Application Firewall
protection against SQL injection attacks can prevent SQL keywords from being submitted to the
server and exploiting this vulnerability. The SQL injection security check may be modified to enable
relaxations to permit the use of SQL keywords with fields that do not pose a risk for SQL Injection
attacks.
Exercise Details
Complete the following tasks:
1. Demonstrate a cross-site scripting attack.
a. Disable cross-site scripting protection for the AFWeb site.
b. Browse to AFWeb Cross-Site Scripting page.
c. Enter the following text in the text field and click Submit.
Summary
Cross-site scripting vulnerabilities, in mild cases, can lead to the defacing of a site; in more severe
cases, they can allow a rogue user to gather information (such as credentials, passwords, and other
identifying information) from users. Application Firewall protection prevents cross-site scripts from
being submitted.
Exercise Details
Complete the following tasks:
Summary
By default, with the cookie consistency protection enabled, Application Firewall prevents the client-
side modification of the cookie and can therefore prevent these types of cookie tampering attacks.
Altered cookies are deleted, which results in browsers being redirected to the launch page.
Relaxations for the cookie consistency security check may be required if there are cookies that are
allowed to be modified on the client-side, such as cookies that store user preferences.
Deleting the cookies will also log you out of your NetScaler session, requiring
you to log in again. This behavior is expected, as NetScaler uses cookies.
Exercise Details
Complete the following tasks:
1. Demonstrate a Form Field manipulation attack.
a. Configure Paros as a proxy server.
b. Verify that the Form Field consistency security check is disabled for AFWeb.
c. Browse to the AFWeb Form Field Consistency page.
d. Use Paros to modify the Form Field data and submit a different account.
1. Submit an existing account.
2. Use Paros to modify the request prior to account submission to request a
different account instead.
2. Demonstrate Form Field consistency protection.
a. Restore the Application Firewall protection for AFWeb by enabling the Form Field
Consistency security check.
b. Repeat the Form Field manipulation attack using Paros.
c. Observe the Application Firewall protection against Form Field manipulation.
Summary
Form Field manipulation can be performed during the request or the response. With the Form
Field Consistency security check enabled, Application Firewall can prevent manipulation of Form
Field data.
Use the following procedure to configure Firefox and Paros for this exercise:
1. Launch Firefox.
2. Go to Tools > Options within Firefox.
3. Click Advanced.
4. Select the Network tab and click Settings.
5. Set the following information in the Connection Settings window:
a. Select Manual proxy configuration.
b. Set HTTP Proxy and port to 127.0.0.1 and 8085.
c. Set SSL Proxy and port to 127.0.0.1 and 8085.
d. Clear the field for No Proxy for: so that it is blank.
e. Click OK to apply the settings.
f. Close the browser tab to close Firefox Options.
6. Launch Paros 3.2.13 using the shortcut on the desktop.
If you receive an error message when launching Paros, select Fix it and then retry.
Exercise Details
Complete the following tasks:
1. Configure Start URLs for AFWeb:
a. Browse to the AFWeb site.
b. Modify the AFWeb profile and update the Start URLs to allow access to the AFWeb
site and to the links on the page.
c. Create a Start URL to allow access to the Start URL Demonstration page.
d. Test to verify that the AFWeb site and the Start URL Demonstration page are now
allowed.
Summary
Start and deny URLs allow administrators to define a list of allowed URLs and a list of prohibited
URLs (or patterns). These lists give administrators granular control over access to various sites
within the application.
Depending on the requirements of the application, an administrator may need to configure start
URLs to allow access to the necessary parts of the web site and to configure deny URLs to prevent
access to sensitive areas of the web site. Used together, start URL and deny URL settings can be
used to provide protection against forceful browsing, and parameter manipulation attacks. These
settings prevent violations due to poor administrative configuration of a site by controlling which
areas of a site a user may or may not access.
Exercise Details
To complete this exercise, you need to have:
• Access to the AFWeb site.
Estimated time to complete this exercise: 15 minutes
Exercise Details
Complete the following tasks:
1. Browse to the AFWeb Safe Objects Demonstration page.
2. Enable and configure the safe object security check for AFWeb.
a. Define a safe object that matches the US Phone Number format displayed.
b. Define a safe object that matches the US SSN format displayed.
3. Test the safe object effects on the demo site using the following protection settings:
a. X-Out and Statistics enabled.
b. Remove enabled.
c. Block enabled.
Summary
The definition of safe objects allows administrators to extend the protection capabilities of the
Application Firewall to meet custom requirements. The safe objects security check allows
Application Firewall administrators to define custom patterns that the Application Firewall should
protect. The administrators can then customize the protection action that is taken, such as Block,
\d{3}-\d{2}-\d{4}
e. Set the Maximum Match Length based on the US SSN format: 11.
6. Click Create.
7. Create a Safe Object for US Phone Numbers:
a. Click Add.
b. Check Enabled.
c. Set Safe Object Name to US Phone Numbers.
d. Check Log, X-Out, and Stats under Actions. Leave the other Actions unchecked.
e. Create a regular expression that matches the phone number format displayed in the
AFWeb > Safe Object Demonstration Page.
\d{3}-\d{3}-\d{4}
f. Set the Maximum Match Length based on the phone number format: 12.
8. Click Create and then click Close to close the Relaxation Rules window.
9. Click Done to close the profile.
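The safe object settings configured in this exercise, illustrated as added Python code (not NetScaler code and not part of this workbook): the two regular expressions and maximum match lengths from the steps above, applied with the X-Out, Remove and Block settings from task 3. The SafeObject model, the x_out helper and the sample response body are assumptions constructed for this illustration and do not describe how the Application Firewall implements the check.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SafeObject:
    """Constructed model of one safe object relaxation rule (assumption)."""
    name: str
    pattern: str            # regular expression, as entered in the rule
    max_match_length: int   # matches longer than this are not treated as the object


# The two safe objects defined in the exercise, with their maximum match lengths.
SAFE_OBJECTS = (
    SafeObject("US SSN", r"\d{3}-\d{2}-\d{4}", 11),
    SafeObject("US Phone Numbers", r"\d{3}-\d{3}-\d{4}", 12),
)


@dataclass
class Outcome:
    body: str                                   # response body after the action
    blocked: bool = False                       # True when Block fired
    stats: dict = field(default_factory=dict)   # hit count per safe object
    log: list = field(default_factory=list)     # one entry per match


def x_out(text):
    """Replace letters and digits with X; separators stay so the layout survives."""
    return "".join("X" if ch.isalnum() else ch for ch in text)


def apply_safe_objects(body, action, safe_objects=SAFE_OBJECTS):
    """Apply one of the exercise's protection settings to a response body.

    action is "xout", "remove" or "block". Log and Stats are always on,
    matching the checkboxes set in the exercise.
    """
    if action not in ("xout", "remove", "block"):
        raise ValueError(f"unknown action {action!r}")
    out = Outcome(body)
    for obj in safe_objects:
        def handle(match):
            text = match.group(0)
            # For the fixed-length patterns above this never triggers; it matters
            # for variable-length patterns, where over-long matches are ignored.
            if len(text) > obj.max_match_length:
                return text
            out.stats[obj.name] = out.stats.get(obj.name, 0) + 1
            out.log.append(f"{obj.name}: match of {len(text)} characters")
            if action == "block":
                out.blocked = True
                return text     # body is irrelevant once the response is blocked
            if action == "remove":
                return ""       # strip the matched data from the response
            return x_out(text)  # mask the matched data in place
        out.body = re.sub(obj.pattern, handle, out.body)
    if out.blocked:
        out.body = ""           # a blocked response is not delivered to the client
    return out


# Constructed sample of what the Safe Object Demonstration page might return.
SAMPLE_BODY = "Employee SSN: 123-45-6789, contact: 555-867-5309, ext: 12-3456-78"

if __name__ == "__main__":
    for setting in ("xout", "remove", "block"):
        result = apply_safe_objects(SAMPLE_BODY, setting)
        print(setting, result.blocked, result.stats, repr(result.body))
```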
Exercise Details
Complete the following tasks:
1. Demonstrate credit card data vulnerability.
a. Disable credit card protection for AFWeb.
b. Browse to the AFWeb site and click the Credit Card Demonstration link.
c. Observe the data displayed.
2. Demonstrate credit card data protection.
a. Enable credit card protection for AFWeb.
• Disable Blocking.
• Enable X-Out.
• Enable Statistics.
• Enable Log.
b. Refresh the AFWeb Credit Card page.
c. Observe the data displayed.
Exercise Details
Complete the following tasks:
1. Delete existing start URLs for the AFWeb profile.
2. Configure the learning settings for start URLs. Set the learning thresholds for start URLs to:
a. Minimum # of sessions for learning: 1
b. % of Sessions URL has been seen: 0
c. Modify the start URL security check:
d. Disable Blocking.
e. Verify that Learning is enabled.
3. Generate and deploy learned rules
Summary
Learning allows an administrator to gather information about the type of requests being made to an
application and to determine the frequency of the request. An administrator can use the learning
results to identify behavior that should be prevented using Application Firewall, as well as behavior
that should be allowed and may require a relaxation for a specific security check.
In this module, learning features are demonstrated for the start URL security check only. However,
learning is available for multiple security checks and suggested rules may be viewed, edited, and
deployed as necessary.
Configuring Learning
Use the following procedure to configure the Learning settings for the Start URL. The learning
thresholds will be set to low values to accommodate the abbreviated test by a single user.
1. Log in to the Configuration Utility.
2. Modify the AFWeb_Basic profile:
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Select Start URL, deselect Block and check Learn.
e. Click OK then click Save & Close.
3. Click the Relaxation Rules node on the right pane.
4. Click Edit on the Start URL Relaxation Rule.
5. Under the Start URL Relaxation Rules tab, select each of the Start URL entries and click
Delete and remove them one at a time.
6. Click Yes.
7. Click Close.
8. Click the Learned Rules node on the right pane and ensure Start URL is selected, then click
Settings.
Module 4
Application Firewall Troubleshooting
Application Firewall Troubleshooting Exercises
Exercise 4-1: Viewing NetScaler Log Files
View the NetScaler syslog file (ns.log) using both the Configuration Utility and the command-line
interface. Filter the log file for Application Firewall events. View the contents of the log file and
determine how to use the log for troubleshooting Application Firewall configuration issues.
Exercise Details
Complete the following tasks:
1. View NetScaler log files using the Configuration Utility:
a. Log in to the Configuration Utility.
b. Go to System > Auditing. Click Recent audit messages, then click Run and look
for any Application Firewall-related events.
c. Click Close, then click Close again to exit.
d. Go to System > Auditing. Use the Syslog viewer to view historical audit messages.
e. View the current log file and look for Application Firewall-related messages.
f. Use the Filter Messages option and filter the log for AppFW, block and AFWeb.
Observe the results for each filter option.
g. View a previous log file by selecting the Attack/Protections day of the lab.
2. View NetScaler log files using the command-line interface:
a. Log in to command-line interface using Putty.
Summary
The NetScaler log file (ns.log) records any changes to the NetScaler configuration as well as various
alert messages. The NetScaler log may be viewed using tools in both the Configuration Utility and
in the command-line interface.
If you do not have any Application Firewall events in the current ns.log file, use zcat to
view past log files without having to decompress them. Specify an ns.log.#.gz from an
appropriate date and time period. Replace the # with the number of the file.
zcat /var/log/ns.log.#.gz
zcat /var/log/ns.log.#.gz | grep APPFW
zcat /var/log/ns.log.#.gz | grep blocked -i
grep filters the output and returns only the lines from the log file containing the specified
string. Using the -i parameter with grep makes the search case-insensitive; it is not
required, but it may be useful.
Filtering the log with grep on the command line returns log entries in which the search string
appears anywhere in the log event, not just in the Messages field.
Summary
The NetScaler system can generate trace files in either tcpdump format or nstrace format. The
tcpdump format is suitable for viewing with a third-party tool, such as Wireshark.
This exercise demonstrates some basic procedures for generating a trace file and then using it to
inspect the packets within a session for diagnostic or troubleshooting purposes.
Module 5
Authentication, Authorization and Auditing
Authentication, Authorization, and Auditing Exercises
Exercise 5-1: Enabling External Authentication
This configuration uses the LDAP authentication policy that was previously created. Note that
external authentication for NetScaler system accounts is not required in order to configure the
authentication server in this exercise; the proper LDAP policies are what is required. The lab begins
with an exercise that allows NetScaler system authentication to use Active Directory. This exercise
demonstrates the process of configuring external authentication and verifying that external
authentication is properly configured before configuring the authentication virtual server.
Exercise Details
Configure LDAP authentication and group extraction on the NetScaler system:
1. Create local groups on the NetScaler system that correspond to the groups in the directory
service.
2. Bind groups to the command policies.
3. Create the authentication action for LDAP.
4. Create the authentication policy for LDAP.
5. Bind the policy to System Global.
6. Save the NetScaler configuration.
7. Test external authentication.
Summary
During the initial configuration, external authentication for the NetScaler system accounts was
configured, allowing the testing and verification of LDAP authentication and group extraction.
Group names must correspond to the group in the directory service and are
case sensitive.
e. Click Create.
4. Create the LDAP Authentication Server.
a. Go to System > Authentication > LDAP.
b. Click the Servers tab and click Add.
c. In the Name field type auth_ldap_srv.
d. Click the Server IP option.
e. In the IP Address field type 192.168.20.11, the Port field should contain 389.
f. In the Base DN (location of users) field type dc=training,dc=lab.
g. In the Administrator Bind DN field type ldapuser@training.lab.
h. Check the BindDN Password box to enter the password.
i. In the Administrator Password and Confirm Administrator Password fields type
Password1.
j. In the Server Logon Name Attribute drop-down menu, select sAMAccountName.
k. In the Group Attribute drop-down menu, select memberOf.
l. In the Sub Attribute Name drop-down menu, select cn.
m. Click More and under Nested Group Extraction select Enabled.
n. In the Group Name Identifier drop-down menu, select sAMAccountName.
o. In the Group Search Attribute drop-down menu, select sAMAccountName.
p. Click Create.
5. Create the LDAP Authentication Policy.
a. Go to System > Authentication > LDAP.
b. Click the Policies tab and click Add.
c. In the Name field type auth_ldap_policy.
d. In the Server drop-down list box, select auth_ldap_srv.
e. In the Expression field, click the drop down for the Saved Policy Expressions and
select ns_true from the list.
f. Click Create.
6. Bind the LDAP Policy:
a. Click the Policies tab and click Global Bindings.
b. Click in the field below Select Policy and select the option next to auth_ldap_policy.
c. Click Select then enter a Priority value of 100.
d. Click Bind then click Done.
7. Test the nsadmin account.
a. Open putty.exe from the student desktop.
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open then click Yes if you get any pop up.
d. Type nsadmin for the username and Password1 for the password.
e. Type shell at the command prompt. Because the nsadmin account is mapped to the
superuser command policy, the shell command is successful.
f. Type exit to exit the shell.
g. Type exit to exit the session.
8. Test the nsoperator account.
a. Open putty.exe from the student desktop.
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open.
d. Type nsoperator for the username and Password1 for the password.
e. Type shell at the command prompt. Because the Operator Command Policy does
not allow shell access, the nsoperator account is denied access.
f. Type disable service svc_green. The Operator Command Policy does allow
servers and services to be enabled or disabled.
g. Type exit to exit the session.
h. Type y to save the configuration.
9. Click the Save icon on the upper right menu bar to save the configuration and confirm.
3. Create the LDAP Authentication policy.
add authentication ldapPolicy auth_ldap_policy ns_true auth_ldap_srv
4. Bind the LDAP Authentication policy.
bind system global auth_ldap_policy -priority 100
5. Create the NSAdmins Group.
add system group NSAdmins
6. Bind the NSAdmins Group to the Superuser Command Policy.
bind system group NSAdmins -policyName superuser 100
7. Create the NSOperators Group.
add system group NSOperators
8. Bind the NSOperators Group to the Operator Command Policy.
bind system group NSOperators -policyName operator 100
9. Test the nsadmin account:
a. Open putty.exe from the student desktop.
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open.
d. Type nsadmin for the username and Password1 for the password.
e. Type shell at the command prompt. Because the nsadmin account is mapped to the
superuser command policy, the shell command is successful.
f. Type exit to exit the shell.
g. Type exit to exit the session.
10. Test the nsoperator account:
a. Open putty.exe from the student desktop
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open.
d. Type nsoperator for the username and Password1 for the password.
e. Type shell at the command prompt. Because the Operator Command Policy does
not allow shell access, the nsoperator account is denied access.
f. Type disable service svc_green. The Operator Command Policy does allow
servers and services to be enabled or disabled.
g. Type exit to exit the session.
11. Save the NetScaler configuration.
save config
Exercise Details
Complete the following tasks:
1. Configure an authentication virtual server that authenticates to the AFWeb site.
2. Configure authorization policies for the AFWeb site.
Summary
The authentication virtual server supports Active Directory authentication for the AFWeb site
which does not implement any authentication on its own. The NetScaler system was configured to
perform authentication on behalf of this application using the AAA features.
3. Go to Security > AAA - Application Traffic > Virtual Servers.
4. Create an authentication virtual server named auth_vsrv_afweb.
a. Click Add.
b. In the Name field, type auth_vsrv_afweb.
c. In the IP Address field, type 192.168.30.30.
d. In the Authentication Domain field, type afweb.training.lab.
e. Click OK to continue.
f. Click No Server Certificate.
g. Click in the field below Select Server Certificate and select the option next to ns_plat
and click Select then click Bind. The certificate was previously added to the base lab
configuration.
h. Click Continue then click Continue.
i. Click in the field below Basic Authentication Policies to add the policy, in the drop
down list under Choose Policy select LDAP click Continue, then click in the field
below Select Policy, select the option next to auth_ldap_policy then click Select then
click Bind. This was the authentication policy we created in the last lab.
j. Click Done.
5. Go to Traffic Management > Load Balancing > Virtual Servers.
6. Enable Authentication for the AFWeb lb vserver:
a. Select the Virtual Server lb_vsrv_afweb and click Edit.
b. Click the Authentication node on the right pane.
c. In the left pane under the Authentication field, click the option next to 401 Based
Authentication.
d. In the Authentication Virtual Server drop down, select auth_vsrv_afweb.
e. Click OK, then click Done.
7. Click Save on the upper right menu bar to save the configuration.
8. Test the authentication configuration:
a. Open Internet Explorer and browse to the http://afweb.training.lab/.
b. Type contractor in the User Name field and Password1 in the Password field.
Note that upon successful authentication, access to the AFWeb site is granted.
2. Enable the AAA for Application Traffic feature.
enable ns feature AAA
3. Create the Authentication virtual server.
add authentication vserver auth_vsrv_afweb SSL 192.168.30.30 443 -AuthenticationDomain afweb.training.lab
4. Bind the LDAP Authentication policy to the Authentication virtual server.
bind authentication vserver auth_vsrv_afweb -policy auth_ldap_policy -priority 100
5. Bind an SSL Certificate to the Authentication virtual server.
bind ssl vserver auth_vsrv_afweb -certkeyName ns_plat
6. Enable Authentication for the AFWeb lb vserver.
set lb vserver lb_vsrv_afweb -Authn401 ON -authnVsName auth_vsrv_afweb
7. Save the NetScaler configuration.
save config
a. Click Add.
b. In the Name field enter contractor_auth_pol.
c. Ensure that Action is set to ALLOW.
d. Click Switch to Classic Syntax, click OK on pop-up.
e. Click Expression Editor and configure the expression as follows and click Done after
each entry:
REQ.HTTP.URL == /
REQ.HTTP.URL == /allow.demo
REQ.HTTP.URL == /*.css
REQ.HTTP.URL == /*.png
You may need to manually edit the "&&" characters in the expression to "||".
c. Click the Use Start URLs to allow this page link. Notice access is allowed due to the
Authorization policy.
d. Click the Credit Card Demonstration link. Notice access is denied because it is not
allowed by an Authorization policy.
10. Disable authentication server settings on the LB Vserver:
a. Go to Traffic Management > Load Balancing > Virtual Servers.
b. Select the Virtual Server lb_vsrv_afweb and click Edit.
c. Click the Edit icon to the right of the Authentication field.
d. Check the option next to None.
e. Click OK then click Done.
11. Unbind the global LDAP policy.
a. Go to System > Authentication > LDAP.
b. Select auth_ldap_policy.
c. Click Global Bindings.
d. Select the policy and click Unbind.
e. Click Yes to confirm.
f. Click Done.
12. Click the Save icon on the upper right menu bar to save the configuration.
5. Bind the Contractors group to the contractor_auth_pol Authorization policy.
bind aaa group Contractors -policy contractor_auth_pol -priority 100
6. Test the authorization policies:
a. Open Internet Explorer and browse to http://afweb.training.lab.
b. Type contractor in the User Name field and Password1 in the Password field.
c. Click the Use Start URLs to allow this page link . Notice access is allowed due to the
Authorization policy.
d. Click the Credit Card Demonstration link. Notice access is denied because it is not
allowed by an Authorization policy.
7. Disable authentication server settings on the Load Balancing virtual server.
set lb vserver lb_vsrv_afweb -Authentication OFF
8. Unbind the global LDAP policy.
unbind system global auth_ldap_policy
9. Save the NetScaler configuration.
save config
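The behaviour tested in this exercise, modelled in Python as an added example (this is not Citrix code and is not part of the lab): a 401-based challenge on lb_vsrv_afweb, Basic credentials checked against a stand-in for the LDAP directory behind auth_ldap_policy, and the classic REQ.HTTP.URL == expressions of contractor_auth_pol evaluated for the Contractors group with the default DENY for anything not allowed. The user table, the interpretation of the classic "*" as a shell-style wildcard, and the credit card page URL /creditcard.demo are assumptions.

```python
"""Model of the lab's 401-based authentication plus authorization policy.

Added example (not Citrix code): what lb_vsrv_afweb does once -Authn401 ON
points at auth_vsrv_afweb and contractor_auth_pol is bound to the
Contractors group.  Credentials, group membership and the policy list are
constructed lab data.
"""
import base64
import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the LDAP directory behind auth_ldap_policy:
# user -> (password, groups)
LDAP_USERS: Dict[str, Tuple[str, List[str]]] = {
    "contractor": ("Password1", ["Contractors"]),
}

# Classic authorization policies bound per AAA group:
# (policy name, action, classic "REQ.HTTP.URL == <pattern>" patterns).
# Only ALLOW rules exist in the lab; anything unmatched hits the default DENY.
GROUP_POLICIES: Dict[str, List[Tuple[str, str, List[str]]]] = {
    "Contractors": [
        ("contractor_auth_pol", "ALLOW", ["/", "/allow.demo", "/*.css", "/*.png"]),
    ],
}


def classic_url_match(pattern: str, url: str) -> bool:
    """Approximate classic 'REQ.HTTP.URL == <pattern>', treating '*' as a
    shell-style wildcard (assumption; it matches the lab's /*.css usage).
    The query string is not part of the compared URL."""
    path = url.split("?", 1)[0]
    return fnmatch.fnmatchcase(path, pattern)


def authenticate_basic(headers: Dict[str, str]) -> Optional[str]:
    """Return the user name when the Authorization: Basic header carries
    valid credentials, otherwise None (which triggers the 401 challenge)."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    entry = LDAP_USERS.get(user)
    if entry is None or entry[0] != password:
        return None
    return user


def authorize(user: str, url: str) -> Tuple[bool, str]:
    """Evaluate the authorization policies bound to the user's groups.
    The first matching policy wins; no match means the default DENY."""
    for group in LDAP_USERS[user][1]:
        for name, action, patterns in GROUP_POLICIES.get(group, []):
            if any(classic_url_match(p, url) for p in patterns):
                return action == "ALLOW", name
    return False, "default"


def handle_request(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Return (status, detail) the way lb_vsrv_afweb would answer."""
    user = authenticate_basic(headers)
    if user is None:
        # 401-based authentication: challenge rather than redirect to a form
        return 401, 'WWW-Authenticate: Basic realm="afweb.training.lab"'
    allowed, policy = authorize(user, url)
    if not allowed:
        return 403, f"denied by {policy} policy"
    return 200, f"allowed by {policy}"


def basic_header(user: str, password: str) -> Dict[str, str]:
    """Build the Authorization header a browser sends after the challenge."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    creds = basic_header("contractor", "Password1")
    print("/", handle_request("/", {}))
    for path in ["/", "/allow.demo", "/theme/site.css", "/creditcard.demo"]:
        print(path, handle_request(path, creds))
```

Running the block shows the sequence from step 6: the unauthenticated request is challenged, the start page and allow.demo are allowed by contractor_auth_pol, and the credit card page is denied because no policy allows it.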
Module 6: AppExpert Rate Limiting, HTTP Service Callout and Policy-based Logging
HTTP Service Callout Exercises
Exercise 6-1: Configuring HTTP Callouts
This exercise demonstrates the configuration of an HTTP callout. Users accessing the WebGoat
web site are redirected to the AFWeb blocked page as part of the demonstration.
Exercise Parameters
The following table lists the exercise parameters and settings.
Parameter Setting
HTTP Callout Policy Name blackout
Exercise Details
Complete the following tasks:
1. Enable the Responder feature.
2. Create an HTTP callout policy.
3. Configure the HTTP callout policy.
4. Create a responder policy action to redirect a blacklisted page to the block page.
5. Create a responder policy that performs the HTTP callout action.
6. Bind the policy to the WebGoat virtual server.
7. Save the NetScaler configuration.
8. Test the configuration.
d. In the Port field, enter 80.
e. Under the Request to send to the server section, verify that Attribute-Based is
selected under Request Type.
f. Ensure that the Method drop-down box displays GET.
g. In the Host Expression field, type "blacklist.afweb.training.lab".
i. Click Insert under the Headers section, enter callout in the Name field and
"negate" in the Value expression field.
j. Click Insert.
k. Click Insert under the Parameters section, enter cip in the Name field and
CLIENT.IP.SRC in the Value expression field.
l. Click Insert.
m. In the Server Response section, select TEXT from the Return Type drop-down list
box.
n. In the Expression to extract data from the response field, enter
HTTP.RES.BODY(1000).
o. Click Create.
5. Go to AppExpert > Responder > Actions.
6. Create a new Responder action with the following properties:
a. Click Add.
b. In the Name field, enter blacklist_act.
c. In the Type drop-down list, select Redirect.
d. In the Expression field, enter
"http://afweb.training.lab/blocked.htm".
e. Click Create.
7. Go to AppExpert > Responder > Policies.
8. Create a Responder Policy with the following properties:
a. Click Add.
b. In the Name field, enter rs_pol_blacklistredirect.
c. In the Action drop down menu, select blacklist_act
d. In the Expression field, enter
HTTP.REQ.HEADER("host").CONTAINS("webgoat.net") &&
SYS.HTTP_CALLOUT(blackout).CONTAINS("IP Matched").
e. Click Create.
9. Go to AppExpert > Responder and click Responder Policy Manager.
10. Click the drop down below Bind Point and select Load Balancing Virtual Server, then click
the drop down under Virtual Server and select lb_vsrv_webgoat then click Continue.
11. Click in the field below Select Policy and select the option next to rs_pol_blacklistredirect.
12. Click Select, then click Bind and Done.
13. Open Internet Explorer and go to http://webgoat.net/WebGoat/attack. Verify that you are redirected to the AFWeb Blocked page (per the HTTP Callout policy).
14. Go to AppExpert > Responder and click Responder Policy Manager.
15. Click the drop down below Bind Point and select Load Balancing Virtual Server, then click
the drop down under Virtual Server and select lb_vsrv_webgoat then click Continue.
16. Select rs_pol_blacklistredirect and click Unbind.
17. Click Yes to Confirm then click Done.
18. Click Save on the upper right menu bar to save the configuration.
2. Enable Responder feature.
enable ns feature RESPONDER
3. Create the HTTP Callout policy.
add policy httpCallout blackout
4. Set IP Address and Port of HTTPCallout server (hosting the blacklist).
5. Set the expression that supplies the Host header of the request sent to the callout server.
set policy httpCallout blackout -hostExpr "\"blacklist.afweb.training.lab\""
6. Set the expression that generates the URL stem, the literal string /check_client.pl.
set policy httpCallout blackout -urlStemExpr "\"/check_client.pl\""
7. Specify the cip parameter and the callout header to insert into the HTTP callout request. The cip parameter carries the client IP address (CLIENT.IP.SRC) to the HTTP callout server, which checks it against the list of blacklisted IP addresses.
set policy httpCallout blackout -parameters cip(CLIENT.IP.SRC) -headers callout("negate")
8. Set the return type (return value) of the result from the HTTPCallout server.
set policy httpCallout blackout -returnType TEXT
9. Specify how the NetScaler should extract the response from the HTTP Callout server.
set policy httpCallout blackout -resultExpr "HTTP.RES.BODY(1000)"
10. Create a responder policy action to redirect a blacklisted page to the AFWeb blocked page.
add responder action BLACKLIST_ACT redirect "\"http://afweb.training.lab/blocked.htm\""
11. Create a responder policy that performs the HTTP callout; when the expression evaluates to true, the policy performs the BLACKLIST_ACT action. The string literals inside the expression are escaped as \" on the command line.
add responder policy rs_pol_blacklistredirect "HTTP.REQ.HEADER(\"host\").CONTAINS(\"webgoat.net\") && SYS.HTTP_CALLOUT(blackout).CONTAINS(\"IP Matched\")" BLACKLIST_ACT
12. Bind policy to the WebGoat vserver.
bind lb vserver lb_vsrv_webgoat -policyName rs_pol_blacklistredirect -priority 100
13. Open Internet Explorer and browse to http://webgoat.net/WebGoat/attack. Verify that you are redirected to the AFWeb Blocked page (per the HTTP Callout policy).
14. After verifying the redirection to the AFWeb blocked page, unbind the responder policy from the WebGoat vserver.
unbind lb vserver lb_vsrv_webgoat -policyName rs_pol_blacklistredirect
15. Save the NetScaler configuration.
save ns config
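The exercise configures the NetScaler side of the callout but never shows what the service at blacklist.afweb.training.lab does with the request. The following Python program is an added example (not Citrix code and not the lab's check_client.pl): a stand-in callout server that answers GET /check_client.pl?cip=<client IP> with a TEXT body containing "IP Matched" for blacklisted clients, plus the responder policy's CONTAINS check as the NetScaler evaluates it. The blacklist contents, the negative reply "No Match", the client addresses in the test, and the treatment of the callout header as a marker of NetScaler-originated requests are assumptions.

```python
"""Stand-in for the blacklist service behind the 'blackout' HTTP callout.

Added example, not Citrix code: the lab configures the callout to send
GET /check_client.pl?cip=<CLIENT.IP.SRC> with the header 'callout: negate'
to blacklist.afweb.training.lab:80 and to search the first 1000 bytes of
the TEXT reply for "IP Matched".  The blacklist contents, the negative
reply "No Match" and the use of the callout header as a request marker are
assumptions; the page does not show the script's source.
"""
import ipaddress
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Constructed blacklist: clients in these networks are sent to blocked.htm.
BLACKLIST: List = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "10.0.0.5/32")]

MATCHED = "IP Matched"
# Deliberately not a superstring of MATCHED: CONTAINS("IP Matched") would
# otherwise also fire on the negative answer.
NOT_MATCHED = "No Match"


def check_client(path: str, headers: Dict[str, str], blacklist=BLACKLIST) -> str:
    """Body of the reply to one callout request.

    Malformed or missing cip values and requests without the callout marker
    are answered "No Match": a broken callout then fails open (the responder
    policy does not fire) rather than blocking every client."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if hdrs.get("callout", "").strip().lower() != "negate":
        return NOT_MATCHED
    query = parse_qs(urlparse(path).query)
    try:
        cip = ipaddress.ip_address(query.get("cip", [""])[0])
    except ValueError:
        return NOT_MATCHED
    return MATCHED if any(cip in net for net in blacklist) else NOT_MATCHED


def responder_policy_fires(host_header: str, callout_body: str) -> bool:
    """rs_pol_blacklistredirect as the NetScaler evaluates it:
    HTTP.REQ.HEADER("host").CONTAINS("webgoat.net") &&
    SYS.HTTP_CALLOUT(blackout).CONTAINS("IP Matched"),
    with the callout result limited to HTTP.RES.BODY(1000)."""
    return "webgoat.net" in host_header and MATCHED in callout_body[:1000]


class CalloutHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end so check_client can answer real callouts."""

    def do_GET(self) -> None:
        if urlparse(self.path).path != "/check_client.pl":
            self.send_error(404)
            return
        body = check_client(self.path, dict(self.headers.items())).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Port 80 matches the callout definition in the lab; pass another port
    # as the first argument when not running as a privileged user.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    HTTPServer(("0.0.0.0", port), CalloutHandler).serve_forever()
```

Two details matter when writing a real callout target: the match string must not be a substring of the negative answer, because the policy only does a CONTAINS test on the first 1000 bytes, and the server should decide explicitly whether a broken request fails open (no redirect) or closed (every client redirected).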
Exercise Details
Complete the following tasks:
1. Create a Limit Selector to identify the source IP address and the URL.
2. Create a Limit Identifier to set a limit of 3 requests in a 15 second time slice.
3. Create a Responder action to send a 404 Page Not Found response.
4. Create a Responder policy to send the 404 if the Rate Limit is triggered and the request is for
the /home.php page.
5. Bind the policy to the Load Balancing virtual server lb_TS.
6. Save the NetScaler configuration.
7. Test the configuration.
Configuration Testing
To test the configuration:
1. Open a web browser and browse to http://192.168.30.21/home.php.
2. Verify that you receive a 404 Page Not Found response after exceeding the rate limit within the
specified time slice.
e. Click Create.
8. Go to AppExpert > Responder > Actions and click Add.
9. Create a Responder action:
a. In the Name field, type rs_act_404.
b. In the Type drop-down box, select Respond with.
c. In the Expression field, type "HTTP/1.1 404 Not Found\r\n\r\n".
d. Click Create.
10. Go to AppExpert > Responder > Policies and click Add.
11. Create a Responder policy to apply the Rate Limit.
a. In the Name field, type rs_pol_ratelimit_404.
b. In the Action drop-down box, select rs_act_404.
c. In the Expression box, type HTTP.REQ.URL.EQ("/home.php") &&
SYS.CHECK_LIMIT("limitid").
d. Click Create.
12. Go to AppExpert > Responder and click Responder Policy Manager.
13. Click the drop down below Bind Point and select Load Balancing Virtual Server, in the
Virtual Server drop down menu select lb_TS and click Continue.
14. Click in the field below Select Policy, select the option next to rs_pol_ratelimit_404.
15. Click Select, then click Bind and Done.
16. Click the Save button in the upper right hand corner to save the configuration.
17. Launch Firefox and browse to http://192.168.30.21/home.php.
18. Reload the page in quick succession by hitting the reload button multiple times.
Expected result: after the third quick reload, a 404 Page Not Found error is displayed. Because the responder action sends only the status line with no body, the browser may show a blank page instead of an error page.
19. Go to AppExpert > Responder > Policies and verify the hits for rs_pol_ratelimit_404 have
increased.
1. Create the Limit Selector to specify the source IP and the URL.
add stream selector limitSel HTTP.REQ.URL CLIENT.IP.SRC
2. Create the Limit Identifier to specify a limit of 3 requests in a 15 second time slice.
3. Create the Responder action to send a 404 Page Not Found response.
add responder action rs_act_404 respondwith "\"HTTP/1.1 404 Not Found\r\n\r\n\""
4. Create a Responder Policy to send a 404 response if the Rate Limit is exceeded and the url is
/home.php.
add responder policy rs_pol_ratelimit_404 'http.req.url.eq("/home.php") && sys.check_limit("limitid")' rs_act_404
5. Bind the Responder policy to the LB Vserver lb_TS.
bind lb vserver lb_TS -policyName rs_pol_ratelimit_404 -priority 100
6. Save the NetScaler configuration.
save ns config
7. Launch Internet Explorer and browse to http://192.168.30.21/home.php .
8. Reload the page in quick succession by hitting the reload button multiple times.
Expected result: After the third quick reload, a 404 page not found error is displayed.
9. Show the policy and verify that the Hits counter has incremented.
show responder policy rs_pol_ratelimit_404
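A model of the rate limit built in this exercise, as an added Python example (not Citrix code and not part of the lab): the limitSel selector keys the count on (HTTP.REQ.URL, CLIENT.IP.SRC), the limitid identifier allows 3 requests per 15 second time slice per key, and rs_pol_ratelimit_404 returns the bare 404 status line when /home.php exceeds that rate. The fixed-window counting and the client address 192.168.10.50 are assumptions; the page shows neither the identifier's counting algorithm nor the add ns limitIdentifier command.

```python
"""Model of the rate limit configured in this exercise.

Added example, not Citrix code: limitSel keys the count on
(HTTP.REQ.URL, CLIENT.IP.SRC), the 'limitid' identifier allows 3 requests
per 15 second time slice per key, and rs_pol_ratelimit_404 answers with the
bare status line "HTTP/1.1 404 Not Found" when the request is for /home.php
and SYS.CHECK_LIMIT("limitid") is true.  The fixed-window counting and the
client address 192.168.10.50 are assumptions.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

RESPONSE_404 = "HTTP/1.1 404 Not Found\r\n\r\n"


class LimitIdentifier:
    """Request-rate limiter keyed by the selector's values (a model of
    limitid: threshold 3, time slice 15000 ms)."""

    def __init__(self, threshold: int = 3, timeslice_ms: int = 15000,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.threshold = threshold
        self.timeslice = timeslice_ms / 1000.0
        self.clock = clock
        # key -> (start of the current time slice, requests seen in it)
        self._windows: Dict[Tuple[str, ...], Tuple[float, int]] = {}

    def check_limit(self, key: Tuple[str, ...]) -> bool:
        """Count this request and return True once the count in the current
        time slice exceeds the threshold (SYS.CHECK_LIMIT semantics)."""
        now = self.clock()
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.timeslice:
            start, count = now, 0  # the slice expired; start a fresh one
        count += 1
        self._windows[key] = (start, count)
        return count > self.threshold


def limit_selector(url: str, client_ip: str) -> Tuple[str, str]:
    """limitSel: HTTP.REQ.URL CLIENT.IP.SRC"""
    return (url, client_ip)


def responder(limiter: LimitIdentifier, url: str, client_ip: str) -> Optional[str]:
    """rs_pol_ratelimit_404: return the respondwith payload when the policy
    fires, None when the request is forwarded to the back end."""
    # URL test first, as in the expression, so in this model other pages
    # never count against the identifier.
    if url == "/home.php" and limiter.check_limit(limit_selector(url, client_ip)):
        return RESPONSE_404
    return None


def simulate(reloads: int, gap_s: float = 0.5) -> List[Optional[str]]:
    """Reload /home.php from one client 'reloads' times, gap_s apart,
    using a fake clock so the run is deterministic."""
    now = [0.0]
    limiter = LimitIdentifier(clock=lambda: now[0])
    results: List[Optional[str]] = []
    for _ in range(reloads):
        results.append(responder(limiter, "/home.php", "192.168.10.50"))
        now[0] += gap_s
    return results


if __name__ == "__main__":
    for i, r in enumerate(simulate(5), 1):
        print(f"request {i}: {'404 sent' if r else 'forwarded'}")
```

The simulation reproduces the expected result of step 8: the first three requests within a slice are forwarded and the fourth receives the 404, while the same client reloading 16 seconds apart is never limited. Because the selector includes CLIENT.IP.SRC, a second client keeps its own counter; a selector on the URL alone would let one client exhaust the page for everyone.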
Module 7: Command Center
Command Center Exercises
Exercise 7-1: Installing Command Center
Command Center is used to manage multiple NetScalers and NetScaler Gateway devices. In this
exercise you will install Command Center to run as a service on the Windows client.
Exercise Details
Follow the prompts to install Command Center. Select Evaluation as the type of installation.
Summary
This exercise demonstrates the process to install Command Center, start the service and log on to
the Command Center utility.
Go into the Local Services on the DC and start the Citrix Command Center and the
PostgresForCommand Center Services if they are not running.
10. From the DC or StudentDesktop, open a new tab in Internet Explorer and browse to
https://ad.training.lab:8443/.
11. Enter root in the User Name field and public in the Password field.
12. Click Login.
13. Click Cancel or Skip to proceed.
14. In the Change Command Center User Password window enter public in the Current
Password field and in the New Password and Confirm New Password fields, enter
Password1 then click Save.
Exercise Details
This exercise demonstrates creating a Device Profile. Your NetScaler is then added to the
Command Center inventory using the discovery process and the settings contained in the Device
Profile.
1. Create a Device Profile named NSLab.
2. Configure Device Profile settings, such as SSH credentials and SNMP community.
3. Add your assigned NetScaler as a device.
4. Verify that your NetScaler has been properly discovered.
Summary
Command Center uses Device Profiles for network management.
This lab uses objects created in previous exercises. If you used a personalized naming
convention, you will have to adjust the directions accordingly.
Exercise Details
Complete the following tasks:
1. Schedule a built-in task: the explicit creation of a new content filtering policy.
2. Create a custom task: the creation of a customized SSL virtual server.
3. Run the custom task.
Summary
This exercise demonstrates configuring tasks. You will first schedule a built-in task for immediate
execution. Then you will create a new custom task and execute it as well.
Exercise Details
Complete the following tasks:
1. Disable a service.
Summary
Command Center is a powerful monitoring tool. It provides a central location from which a large
number of NetScaler devices can be observed.
Exercise Details
Complete the following tasks:
1. Observe the Fault Management interface.
2. Pick an Alarm.
3. Assign an Alarm.
4. Clear the Alarms by restoring the disabled service.
Summary
Command Center is a useful management tool. It allows assignment of alarms to administrator
accounts directly from the monitoring interface.
Managing Faults
Use the following procedure to configure Fault Management.
1. Open the Command Center console.
2. Click the Fault tab.
3. Go to SNMP > Alarms.
4. Select the Entityup svc_green Alarm.
5. Click Action and select Pickup.
6. In the Annotation field, type Working issue, and click Pickup.
7. Click My Assignments and notice the Alarm.
8. Click the Monitoring tab.
9. Go to NetScaler > Services.
10. Select svc_green, right click and click Enable.
11. In the Annotation field, type Maintenance done and click OK.
12. Close the Operation Status window.
13. Ensure that svc_green reflects a status of UP.
Module 8: Insight Center
Insight Center Exercises
Exercise 8-1: Configuring Insight Center
This exercise demonstrates how to configure Insight Center to monitor HDX traffic.
Exercise Details
Complete the following steps:
• Configure Insight Center. The web address for your Insight Center host is
http://insight.training.lab.
• Add your NetScaler to the Insight Server Inventory.
• Enable Insight Monitoring for the LB Vserver lb_vs_webgoat.
• From the Configuration Utility, verify that the AppFlow policies have been created and
bound to lb_vs_webgoat.
• Generate traffic and View the Web Insight reporting:
• Browse to http://www.webgoat.net and click through the application to generate traffic.
• View the reports that are generated in the Insight Center Dashboard.
Summary
This module demonstrates the functionality and reporting capabilities of NetScaler Insight. This
module is focused on the Web Insight reporting of Insight Center.
Estimated time to complete this exercise: 20 minutes
You can enable data collection on a virtual server only if the operational state
is UP.
Module 9: NetScaler Web Logging
NetScaler Web Logging Exercises
Exercise 9-1: Installing and Configuring NetScaler Web
Logging
This exercise demonstrates the installation and configuration of the NetScaler Web Logging (NSWL) component.
Prior to the start of class, the NSWL files for Windows were downloaded to the StudentDesktop machine. Note that the files must be downloaded from Citrix or the NetScaler FTP site (the same location as the NetScaler build); they are not available from the NetScaler system itself. The version of the NSWL client must match the version of the NetScaler operating system in use.
For best results, clear cached data/private data between web logging tests. This will ensure
there is traffic between the client and the NetScaler system that is logged and will prevent
the web browser from using cached data.
Exercise Details
Complete the following tasks:
1. Install and configure the NSWL client.
a. Go to the NSWL BIN directory using the command prompt.
b. Verify the NSWL configuration.
Expected result: you should receive an error since NSWL has not yet been configured.
c. Add the NSIP address to the NSWL log file.
d. Verify the NSWL configuration once more.
Expected result: you should receive a correct confirmation message this time.
e. Make a backup copy of the log.conf file (with the configured NSIP address) for later
use.
2. Run the NSWL client with the default filter.
a. Enable web logging on the NetScaler system.
b. Launch the NSWL client in standalone mode. The NSWL client uses the default filter
format W3C.
c. Test web logging by generating some web traffic.
d. Stop the NSWL client.
e. View the log files generated.
f. Rename the transaction log file for later use.
g. Change the NSWL log format to NCSA.
h. Re-launch the NSWL client in standalone mode.
i. Generate more web traffic and then stop the NSWL client.
j. Rename the second transaction log file and compare it to the first to see the difference
between W3C and NCSA logging.
3. Configure the specific filters.
a. Create a new log folder and edit the log.conf file to use it.
b. Add some new filters to log.conf:
• For the AFWeb virtual server
• For the WebGoat virtual server
c. Save and close log.conf.
d. Run the NSWL client as a standalone process with a debug level of 3.
e. Generate some web traffic from a fresh browser.
f. Close the browser and stop the NSWL client.
g. Inspect the log files that are generated.
4. Run the NSWL client as a service.
a. Create a backup of the current log.conf file from the initial default backup.
b. Revert to the initial default configuration by replacing the log.conf file with the initial
backup.
c. Install the NSWL client as a service on Windows.
d. View NSWL service registry.
e. Verify that NSWL was installed as a service from services.msc.
f. Start the NSWL service.
g. Generate some web traffic from a fresh browser.
h. Stop the NSWL service.
i. View the transaction and debug log files.
j. Uninstall NSWL as a service.
2. Enter the following command in the command prompt to go to the NSWL BIN directory:
cd c:\nswl\bin
3. Launch the NSWL client in standalone mode.
nswl -start -f c:\nswl\etc\log.conf -d 1
This step is included to ensure specific files can be compared between tests.
Configuring Web Logging Filters
Use the following procedure to configure web logging filters:
1. Create a new log folder called C:\NSWL\LOGS\ and edit the log.conf file to use it:
a. Open the C:\nswl\etc\log.conf file with Wordpad.
b. Change the logFilenameFormat value in the begin default section of the log.conf file
to C:\nswl\Logs\Default_%{%y%m%d}t.log .
2. Add a new filter to log.conf for the AFWeb virtual server. Below the end default section of the
log.conf file, enter the following:
Filter afweb HOST afweb.training.lab ON
Begin afweb
logFormat NCSA
logInterval daily
logFileSizeLimit 100
logExclude .gif .jpg .css
logFilenameFormat C:\NSWL\LOGS\afweb_%{%y%m%d}t.log
end afweb
3. Save and close log.conf.
4. Enter the following command to run the NSWL client as a standalone process with a debug
level of 3:
nswl -start -f C:\NSWL\etc\log.conf -d 3
5. Open Firefox and browse to http://afweb.training.lab and reload the page several
times.
6. Wait for the C:\nswl\Logs\afweb_<date>.log file to increase in size.
7. Close Firefox and press CTRL + C to stop the NSWL client.
8. Inspect the log files that were generated. Notice:
• Only the Troubleshooting log files were generated in the C:\nswl\Bin\ directory.
• Debug log files were generated with debug level 3.
• Two separate log files were created in the C:\nswl\Logs\ directory, one for the afweb
filter named afweb_<date>.log and one for all other traffic Default_<date>.log
based on the default filter.
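The filter syntax above is the part of log.conf that decides which requests are written and to which file. The following Python program is an added example (not Citrix code and not part of the NSWL distribution): it parses the Filter and Begin/end blocks of the exercise configuration, selects the filter for a request by Host header, applies logExclude, and expands the %{...}t date token in logFilenameFormat. The request samples are constructed, the default section is only partially reproduced from the exercise, and the assumptions are that a HOST filter matches the Host header exactly (case-insensitively), that filters are tried in file order before the default section, and that logExclude compares the URL's file extension.

```python
"""Parse NSWL log.conf filters and decide where a request is logged.

Added example, not Citrix code.  The sample configuration is the afweb
filter from the exercise plus a partial default section; request samples
are constructed.  Assumptions: a HOST filter matches the Host header
exactly (case-insensitively), filters are tried in file order before the
default section, and logExclude compares the URL's file extension.
"""
import os
import re
import time
from typing import Dict, Optional

LOG_CONF = r"""
Begin default
logFilenameFormat C:\nswl\Logs\Default_%{%y%m%d}t.log
end default
Filter afweb HOST afweb.training.lab ON
Begin afweb
logFormat NCSA
logInterval daily
logFileSizeLimit 100
logExclude .gif .jpg .css
logFilenameFormat C:\NSWL\LOGS\afweb_%{%y%m%d}t.log
end afweb
"""

FILTER_RE = re.compile(r"^Filter\s+(\S+)\s+HOST\s+(\S+)\s+(ON|OFF)$", re.I)


def parse_log_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {filter name: settings}: the HOST value and ON/OFF state from
    the Filter line plus every key/value line of the Begin/end block."""
    filters: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FILTER_RE.match(line)
        if m:
            name, host, state = m.groups()
            filters.setdefault(name, {}).update(host=host, state=state.upper())
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "begin":
            current = value.strip()
            filters.setdefault(current, {})
        elif key.lower() == "end":
            current = None
        elif current is not None:
            filters[current][key] = value.strip()
    return filters


def select_filter(filters: Dict[str, Dict[str, str]], host: str) -> Optional[str]:
    """First enabled HOST filter matching the request's host, else default."""
    for name, cfg in filters.items():
        if (name != "default" and cfg.get("state") == "ON"
                and cfg.get("host", "").lower() == host.lower()):
            return name
    return "default" if "default" in filters else None


def log_target(filters: Dict[str, Dict[str, str]], host: str, url: str) -> Optional[str]:
    """Name of the filter that writes this request, or None when the
    selected filter's logExclude drops it."""
    name = select_filter(filters, host)
    if name is None:
        return None
    excluded = {e.lower() for e in filters[name].get("logExclude", "").split()}
    ext = os.path.splitext(url.split("?", 1)[0])[1].lower()
    return None if ext in excluded else name


def expand_filename(fmt: str, when: time.struct_time) -> str:
    """Expand the %{<strftime format>}t token used in logFilenameFormat."""
    return re.sub(r"%\{([^}]*)\}t", lambda m: time.strftime(m.group(1), when), fmt)


def logfile_on(filters: Dict[str, Dict[str, str]], name: str, date: str) -> str:
    """Log file the named filter writes on a YYYY-MM-DD date."""
    return expand_filename(filters[name]["logFilenameFormat"],
                           time.strptime(date, "%Y-%m-%d"))


if __name__ == "__main__":
    conf = parse_log_conf(LOG_CONF)
    today = time.strftime("%Y-%m-%d")
    for host, url in [("afweb.training.lab", "/index.html"),
                      ("afweb.training.lab", "/theme/site.css"),
                      ("webgoat.net", "/WebGoat/attack")]:
        target = log_target(conf, host, url)
        print(f"{host}{url} -> {logfile_on(conf, target, today) if target else 'not logged'}")
```

The run shows why step 8 finds two files: afweb.training.lab requests land in afweb_<date>.log, everything else (WebGoat here) in Default_<date>.log, and the .css request from afweb is not written at all because of logExclude. When web logs feed an incident investigation, review logExclude lists with that in mind: excluded extensions are invisible to later analysis.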
2. Enter the following command in the command prompt to go to the NSWL BIN directory:
cd c:\nswl\bin
3. Enter the following command to install the NSWL client as a service on Windows:
nswl -install -f C:\NSWL\etc\log.conf
Verify the command returns a message confirming the NetScaler Web Logging service was
installed.
4. View NSWL service registry:
a. From the StudentDesktop virtual machine, go to Start, type Run in the Search field,
click on Run, then type regedit.
b. Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nswlsvc\
c. View the ImagePath value: C:\nswl\bin\nswl.exe -log -f C:\NSWL\etc\log.conf
The registry key shows the location of the nswl.exe and log.conf files as configured during the
service install process (nswl -install). Use the registry key to verify the configuration and
to troubleshoot NSWL if there are issues starting the service.
Modifying the registry key directly is not recommended. If changes are required,
remove and re-install NSWL as a service with the corrected values.
Module 10: Appendix A: Troubleshooting Common Issues
Troubleshooting Common Issues
Common Issues
Common issues encountered during NetScaler operations include:
• High availability
• Load balancing
• SSL offloading
• Networking
• Global server load balancing
• Content Switching
High Availability
High-availability issues include:
• Configuration synchronization failure
• File synchronization failure
• Unexpected failover
Ensure that the /tmp directory has write permissions. For example:
drwxrwxrwt 4 root wheel 512 Aug 17 21:28 /tmp
• Verify that the two nodes are not running different versions of the NetScaler operating system.
Argument   Description
mode       Specifies the sync mode. Possible values: all, bookmarks, ssl, htmlinjection, imports
Mode            Path
all             /nsconfig/ssl/, /var/vpn/bookmarks/, /nsconfig/htmlinjection/
ssl             /nsconfig/ssl/
bookmarks       /var/vpn/bookmarks/
htmlinjection   /nsconfig/htmlinjection/
Unexpected Failover
If the NetScaler systems are failing over unexpectedly, enter the following command in the command-line interface to view current events that may be causing the failover.
Load Balancing
Load-balancing issues include:
• Uneven load balancing
• Service/virtual IP address flapping
Slow Start
The NetScaler system performs a slow start to avoid overloading physical servers. During the slow start phase, the NetScaler system distributes requests by round robin, regardless of the load balancing method configured on the virtual server; it does, however, honor the weights configured on the bindings. A slow start occurs under any of the following conditions:
• The load balancing method changes
• A new server is bound to a virtual server
• An existing server binding is removed from a virtual server
• A server changes its status from DOWN to UP
A constant (repeatedly recurring) slow start indicates service flapping.
Enter the following command in the command-line interface to obtain detailed monitoring and status information:
show service service
In most cases, assume that the monitor is failing legitimately and troubleshoot the issue on the servers themselves. It is also possible that the monitor configuration is causing service flapping by probing too frequently or checking for the wrong response; inspect the monitor configuration for such issues.
A virtual server goes down when all of the bound services go down, so a virtual server that flaps is
likely the result of services that are flapping. Follow the advice for service flapping to determine
why the virtual server is flapping.
SSL Offloading
SSL offloading issues include:
• Access to the SSL VIP address failing
• Certificate-related warnings occurring
• Intermediate cert not being properly linked
• Browser warning showing an insecure web page
Argument       Description
vserver_name   Specifies the name of the SSL virtual server
Enter the following command in the command-line interface to resolve the issue:
Argument       Description
vserver_name   Specifies the name of the SSL virtual server to which the certificate-key pair needs to be bound
The fourth cause can also be worked around by the end user accepting the certificate when accessing an internal site. This is not good practice, and it is especially risky with test certificates, because those certificates can also be used on public sites: once the certificate is accepted, the end user is never prompted again and may not be aware they are trusting a site with an invalid certificate.
Browser Warning Showing an Insecure Web Page
This commonly occurs when static content such as images is served over plain HTTP on an SSL-encrypted page (mixed content). The fix is to serve the images securely as well; telling users to ignore the warning is poor practice, and current browsers increasingly block mixed content rather than only warn about it.
Certificates Expiring
The NetScaler system can alert on certificate expiry and new certificates can be uploaded and
bound to the SSL virtual server by unbinding the old cert and binding the new one.
Content Switching
Content-switching issues and resolutions:
Issue: Traffic not hitting the intended load balancing virtual IP address
Resolution: Make sure that content switching is enabled, the policies are configured, and the load-balancing virtual server is bound with a policy to the content switching virtual server.
Issue: Policy not being matched properly
Resolution: Use the policy evaluator tool to ensure the policy matches the expected content.
Issue: No content being served
Resolution: Make sure the back-end resources are available for the load-balancing virtual server and that the services are passing health checks.
Global Server Load Balancing
Global server load balancing issues and resolutions:
Issue: Metric Exchange Protocol (MEP) not being formed
Resolution: First, make sure that MEP is enabled on both site IP addresses and that they point to the correct addresses on each site. Then check that communication between the sites for the MEP IP addresses is working and that there are no firewalls or ACLs blocking the traffic.
Issue: Remote site not coming up
Resolution: Make sure that the load balancing virtual server on the remote site is passing all its health checks and that the other site is either reachable by MEP or by direct health checks from the working site.
Networking
Networking issues include:
• Duplex mismatch or misconfigured interface settings
• Unresponsive system
• Inaccessible content
Several common issues can be checked and ruled out early in the troubleshooting process: a slow NetScaler system due to a duplex mismatch, an unresponsive system, and inaccessible content.
The NetScaler system always draws power when it is plugged in. Therefore, an occasional
simple reboot does not clear severe console hang conditions. Completely remove the
power from the units (unplug them from the outlets) for 30 seconds and then power them
back on.
set interface id -speed speed -duplex duplex_mode
Argument   Description
id         Specifies the interface ID, for example 1/1 or 1/5
Enter the following command to obtain detailed interface statistics and switch port settings:
sh interface n/n
Argument   Description
n/n        Specifies the appropriate interface
Incorrect interface settings usually result in an interface that will not come up. It is
important to ensure that the configuration on the NetScaler interface closely resembles the
configuration on the corresponding switch/router interface. Ensure that speed, duplex, and
flow control settings match.
Inaccessible Content
If content located behind the NetScaler system is inaccessible, the following items should be
verified:
• Have configuration changes been made to servers or network devices?
• Have configuration changes been made to server, service, or virtual server objects?
• Can the site be accessed directly (in other words, bypassing the NetScaler system)?
• Can the server and port be accessed using Telnet?
Caching
The following table lists cache issues.
Issue Description
Incorrect content being cached Improper configuration of the Integrated Caching feature may cause users to see incorrect content served from the cache. Use the command-line interface to determine whether a particular object is in the cache.
Expired content being served Proper expiry headers are not being provided; check the content on the servers and the invalidation parameters.
Cache expiry causing traffic surge to the back end Decrease the timeouts for the cached content, or create different content groups that expire at different times so that all of the content does not expire at once. Enable the prefetch option.
Module 11: NetScaler Practicum
Practice Exercises
Company XYZ has purchased a NetScaler appliance as its Application Delivery Controller. As the
administrator, you are required to configure the NetScaler to meet the requirements of each of the
scenarios below.
Requirements: Part I
Configure the NetScaler system to meet the following requirements. Make a note of the
configuration and test it when prompted.
1. By default, access to the NetScaler is not secured. Configure the NetScaler so that both
management access and the communication between the two nodes of an HA pair are protected
by encrypting the traffic with SSL. Verify that the NetScaler system can be accessed only in a
secured way.
2. Create a complete set of user accounts, groups, and command policies, then bind each policy to
the appropriate groups and users. Assume that the initial installation and configuration have
already been performed on the NetScaler. The company has three users who will access the
system:
John Berry: The IT manager. John needs to see all parts of the NetScaler configuration but does
not need to modify anything.
Maria Johnson: The lead IT administrator. Maria needs to be able to see and modify all parts of
the NetScaler configuration.
3. Create two vservers, one with HTTP services on the Red and Blue servers and one with an HTTP
service on the Green server. Specify the second vserver as the backup vserver for the first.
Verify the configuration by disabling the primary vserver and connecting to your chosen VIP.
Requirements: Part II
Configure the NetScaler system to meet the following requirements. Make a note of the
configuration and test it when prompted.
1. Consider the following scenario and perform the tasks that follow. Each online customer is given
a Student ID consisting of their gender (M/F), a dash, the year they entered the school (YYYY),
a dash, and a random five-digit number. Example IDs:
• F-2005-12345
• -1998-44444
• Write the narrowest regular expression possible for the Student ID. Assume that the
university was founded in 1950.
• Assume that the dashes are optional. Write a regular expression that will match this ID
number.
2. A security breach occurred in which the cell phone number of the CEO (123-555-4567) was
released on the AFWeb "Safe Object" web page. Ensure that all instances of phone numbers are
removed from the web page before it is sent, but that no other information is blocked.
3. The CEO of the company Company M'Ore has been blocked by other application firewalls
because of SQL injection checks. Using the SQL Injection page on AFWeb, set up the form so that
it allows you to enter the lookup values Jon Williams-Smith and Company M'Ore, but blocks
Jon' or '1=1.
4. The Application Firewall can be fingerprinted by its session cookie. Rename the cookie to mask
the Application Firewall.
5. The web application needs to accept email addresses in the format Name <name@domain> in
the form field on the www.afweb.net XSS Demonstration page. However, the customer is not
comfortable with adding an XSS relaxation for the field. Configure the Application Firewall to
allow email addresses in the field while still preventing XSS attacks.
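Item 1 asks for two patterns; the block below is an added example (not from the workbook and not Citrix code) that writes them out and checks them against the workbook's valid example plus constructed near misses. The Application Firewall uses PCRE, and Python's re module accepts the constructs used here, so a pattern can be tested locally before it is pasted into a field format or policy expression. The year range assumes the school was founded in 1950 and takes the workbook's 2016 date as the latest possible entry year.

```python
import re

# Fields of the ID: gender, dash, entry year, dash, five random digits.
# Year range: founded in 1950, workbook dated 2016, so the narrowest
# alternation covers 1950-2016 and nothing else.
YEAR = r"(?:19[5-9][0-9]|200[0-9]|201[0-6])"

# Narrowest pattern with the dashes required.
STUDENT_ID_STRICT = re.compile(r"^[MF]-" + YEAR + r"-[0-9]{5}$")

# Same fields with each dash optional ("-?" matches zero or one dash).
STUDENT_ID_OPTIONAL_DASH = re.compile(r"^[MF]-?" + YEAR + r"-?[0-9]{5}$")


def is_student_id(value, dashes_optional=False):
    """True if value is exactly one Student ID with nothing before or after."""
    pattern = STUDENT_ID_OPTIONAL_DASH if dashes_optional else STUDENT_ID_STRICT
    # fullmatch rather than match/search: "$" on its own still accepts a
    # trailing newline, and a firewall should not accept "F-2005-12345\n".
    return pattern.fullmatch(value) is not None


# Constructed inputs: the workbook's valid example plus near misses that a
# looser pattern such as [MF]-\d{4}-\d{5} would wrongly accept.
CASES = {
    "F-2005-12345": True,
    "M-1950-00000": True,    # founding year is the lower bound
    "F-2016-99999": True,    # latest year in range
    "F-1949-12345": False,   # before the school existed
    "F-2017-12345": False,   # after the workbook's date
    "X-2005-12345": False,   # gender must be M or F
    "F-2005-1234": False,    # only four random digits
    "f-2005-12345": False,   # lower-case gender is not in the spec
    "F-2005-12345 ": False,  # trailing space
}


def check_all(dashes_optional=False):
    """Return the inputs whose verdict differs from the expected one."""
    return [value for value, expected in CASES.items()
            if is_student_id(value, dashes_optional) != expected]


if __name__ == "__main__":
    print("strict mismatches:", check_all())
    print("optional-dash mismatches:", check_all(dashes_optional=True))
```

Each "-?" is independent, so the optional-dash pattern accepts an ID with both dashes, neither, or only one of them; tighten it with an alternation over the two complete forms if a mixed ID should be rejected.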
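Items 2, 3 and 5 each turn on a decision the Application Firewall makes about a field or a response body. The model below is an added example, not from the workbook and not NetScaler code: it reproduces those decisions in plain Python so the expected allow/block verdicts can be reasoned about before the profile is edited. The special-character and keyword lists are an assumed small subset of the appliance's, the four mode names are the values the profile's SQL injection type setting accepts, the phone format and the AFWeb lookup values come from the exercise text, and the email pattern is one reading of Name <name@domain>.

```python
import re

# Item 2: Safe Object. The pattern names the CEO's phone-number format; the
# X-out action overwrites each match with X characters of the same length
# (12 for 123-555-4567, hence a 12-character maximum match length) and
# touches nothing else in the response body.
PHONE_RE = re.compile(r"\b[0-9]{3}-[0-9]{3}-[0-9]{4}\b")


def xout_phone_numbers(body):
    """Mask every phone-number match in a response body, leaving the rest intact."""
    return PHONE_RE.sub(lambda m: "X" * len(m.group(0)), body)


# Item 3: SQL injection. Assumed subset of the appliance's lists: characters
# that open a SQL string or end a statement, and a few keywords matched as
# whole words, case-insensitively.
SQL_SPECIAL_CHARS = set("';\\")
SQL_KEYWORDS = ("select", "union", "insert", "update", "delete", "drop", "or", "and")
SQL_KEYWORD_RE = re.compile(r"\b(?:" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def sql_injection_verdict(value, injection_type="SQLSplCharANDKeyword"):
    """Allow or block a field value under one of the four SQL injection modes.

    SQLSplCharANDKeyword blocks only when a special character and a keyword
    appear together, which lets a name with an apostrophe through while still
    catching a quoted OR clause.
    """
    has_special = any(ch in SQL_SPECIAL_CHARS for ch in value)
    has_keyword = SQL_KEYWORD_RE.search(value) is not None
    rules = {
        "SQLSplChar": has_special,
        "SQLKeyword": has_keyword,
        "SQLSplCharORKeyword": has_special or has_keyword,
        "SQLSplCharANDKeyword": has_special and has_keyword,
    }
    return "block" if rules[injection_type] else "allow"


# Item 5: field format for "Name <name@domain>". Describing the one shape the
# field may take is narrower than an XSS relaxation: the only angle brackets
# it admits are the pair around the address, and the anchors leave no room
# for a tag before or after it.
EMAIL_FIELD_RE = re.compile(
    r"^[A-Za-z][A-Za-z .'-]{0,62} "
    r"<[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}>$"
)


def email_field_verdict(value):
    """Allow only a display name followed by one bracketed address."""
    return "allow" if EMAIL_FIELD_RE.fullmatch(value) else "block"


if __name__ == "__main__":
    print(xout_phone_numbers("Call the CEO on 123-555-4567 today"))
    for lookup in ("Jon Williams-Smith", "Company M'Ore", "Jon' or '1=1"):
        print(lookup, "->", sql_injection_verdict(lookup))
    print(email_field_verdict("Jane Doe <jane@example.com>"))
```

The same inputs under SQLSplCharORKeyword show why the CEO keeps getting blocked elsewhere: the apostrophe alone is enough in that mode, and only the AND mode separates a legitimate name from the quoted OR clause.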
• Describe two scenarios that would call for (a) enabling Layer 2 mode and (b) disabling it.
• Is the MAC-based forwarding feature enabled?
• Describe two scenarios that would call for (a) enabling MAC-based forwarding and (b)
disabling it.
• Have the default settings of the surge protection feature been changed?
• Describe scenarios that would call for changing the default surge protection behavior.
Citrix Hands-on Labs
What are Hands-on Labs?
Hands-on Labs from Citrix Education allows you to revisit, relearn, and master the lab exercises
covered during the course. This offer gives you 25 days of unlimited lab access to continue your
learning experience outside of the classroom.
851 West Cypress Creek Road Fort Lauderdale, FL 33309 USA (954) 267 3000 www.citrix.com
Rheinweg 9 8200 Schaffhausen Switzerland +41 (0) 52 63577 00 www.citrix.com