
Citrix NetScaler 11.0 Advanced Implementation
Citrix Course CNS-301-3I


Exercise Workbook
2 © Copyright 2016 Citrix Systems, Inc.
Citrix NetScaler 11.0 Advanced
Implementation
Exercise Workbook
August 2016
Version 3.2
Table of Contents
Module 1: Advanced Troubleshooting .......................................................... 15
Lab Overview ........................................................................................................................ 17
Lab Overview .................................................................................................................... 17
Lab Approach ................................................................................................................... 17
Lab Infrastructure .............................................................................................................. 18
Advanced Troubleshooting Exercises ................................................................................... 19
Exercise 1-1: Troubleshooting a NetScaler Configuration ................................................. 19
Before You Begin ............................................................................................................ 19
Exercise Details ................................................................................................................ 19
Summary .......................................................................................................................... 20
Exercise 1-2: Creating NetScaler Objects ......................................................................... 21
Before You Begin ............................................................................................................. 21
Exercise Details ................................................................................................................ 21
Summary .......................................................................................................................... 21
Creating NetScaler Objects for AFWeb ............................................................................. 22
Creating NetScaler Objects for AFWeb (Command-Line Interface) .................................... 23
Exercise 1-3: Creating NetScaler Objects for WebGoat .................................................... 24
Before You Begin ............................................................................................................. 24
Exercise Details ................................................................................................................ 24
Summary .......................................................................................................................... 24
Creating NetScaler Objects for WebGoat .......................................................................... 24
Creating NetScaler Objects for WebGoat (Command-Line Interface) ................................ 26

Module 2: Profiles and Policies ..................................................................... 27


Policies and Profiles Exercises .............................................................................................. 29
Exercise 2-1: Creating Basic and Advanced Profiles ......................................................... 29
Before You Begin ............................................................................................................. 29
Exercise Details ................................................................................................................ 29
Summary .......................................................................................................................... 29
Enabling the Application Firewall Feature .......................................................................... 30
Creating a Basic Application Firewall Profile for AFWeb .................................................... 30
Creating an Advanced Application Firewall Profile for AFWeb ........................................... 30
Configuring the Error Page for AFWeb .............................................................................. 31
Exercise 2-2: Configuring Application Firewall Policies ...................................................... 31
Before You Begin ............................................................................................................. 31
Exercise Details ................................................................................................................ 31
Summary .......................................................................................................................... 32
Creating an Application Firewall Policy for AFWeb ............................................................ 32
Testing Application Firewall Policies .................................................................................. 32



Module 3: Attacks and Protections .............................................................. 35
Attacks and Protections Exercises ........................................................................................ 37
Exercise 3-1: Buffer Overflow Protection ........................................................................... 37
Before You Begin ............................................................................................................. 37
Exercise Details ................................................................................................................ 37
Summary .......................................................................................................................... 37
Demonstrating a Buffer Overflow Attack ........................................................................... 38
Demonstrating Buffer Overflow Protection ........................................................................ 38
Exercise 3-2: SQL Injection Exploits and Protection .......................................................... 39
Before You Begin ............................................................................................................. 39
Exercise Details ................................................................................................................ 39
Summary .......................................................................................................................... 40
Demonstrating a SQL Injection Attack .............................................................................. 40
Demonstrating SQL Injection Protection ........................................................................... 41
Exercise 3-3: Cross-Site Scripting Attacks and Protections .............................................. 41
Before You Begin ............................................................................................................. 41
Exercise Details ................................................................................................................ 42
Summary .......................................................................................................................... 42
Demonstrating a Cross-Site Scripting Attack .................................................................... 42
Demonstrating Cross-Site Scripting Protection ................................................................. 43
Exercise 3-4: Cookie Consistency Protection ................................................................... 44
Before You Begin ............................................................................................................. 44
Exercise Details ................................................................................................................ 44
Summary .......................................................................................................................... 45
Demonstrating Cookie Tampering ..................................................................................... 45
Configuring and Demonstrating the Cookie Consistency Security Check .......................... 46
Exercise 3-5: Configuring Form Field Consistency Protection ........................................... 47
Before You Begin ............................................................................................................. 47
Exercise Details ................................................................................................................ 47
Summary .......................................................................................................................... 48
Configuring Paros for Use as a Proxy ............................................................................... 48
Demonstrating a Form Field Manipulation Attack .............................................................. 49
Demonstrating Form Field Consistency Protection ............................................................ 49
Exercise 3-6: Configuring Start URL Security Checks ....................................................... 51
Before You Begin ............................................................................................................. 51
Exercise Details ................................................................................................................ 51
Summary .......................................................................................................................... 51
Demonstrating Start URLs for AFWeb .............................................................................. 52
Exercise 3-7: Demonstrating Safe Objects ........................................................................ 53
Exercise Details ................................................................................................................ 53
Exercise Details ................................................................................................................ 53
Summary .......................................................................................................................... 53
Demonstrating Safe Objects ............................................................................................. 54
Exercise 3-8: Configuring Credit Card Protection .............................................................. 56
Before You Begin ............................................................................................................. 56
Exercise Details ................................................................................................................ 56
Summary .......................................................................................................................... 57



Demonstrating Credit Card Vulnerability ............................................................................ 57
Demonstrating Credit Card Protection .............................................................................. 57
Exercise 3-9: Learning ...................................................................................................... 58
Before You Begin ............................................................................................................. 58
Exercise Details ................................................................................................................ 58
Summary .......................................................................................................................... 59
Configuring Learning ......................................................................................................... 59
Generating and Deploying Learned Data .......................................................................... 60

Module 4: Application Firewall Troubleshooting ............................................ 61


Application Firewall Troubleshooting Exercises ..................................................................... 63
Exercise 4-1: Viewing NetScaler Log Files ........................................................................ 63
Before you Begin .............................................................................................................. 63
Exercise Details ................................................................................................................ 63
Summary .......................................................................................................................... 64
Viewing NetScaler Log Files Using the Configuration Utility ............................................... 64
Viewing the NetScaler Log Files Using the Command-Line Interface ................................ 65
Exercise 4-2: Capturing and Viewing NS Trace Files ......................................................... 66
Before You Begin ............................................................................................................. 66
Exercise Details ................................................................................................................ 67
Summary .......................................................................................................................... 67
Capturing a Network Trace 1 (Good Session) ................................................................... 67
Capturing a Network Trace 2 (App Firewall blocked Session) ........................................... 68
Disabling the Application Firewall Feature ......................................................................... 69

Module 5: Authentication, Authorization and Auditing ................................... 71


Authentication, Authorization, and Auditing Exercises ........................................................... 73
Exercise 5-1: Enabling External Authentication ................................................................. 73
Before You Begin ............................................................................................................. 73
Exercise Details ................................................................................................................ 74
Summary .......................................................................................................................... 74
Enabling LDAP Authentication .......................................................................................... 74
Enabling LDAP Authentication (Command-Line Interface) ................................................. 76
Exercise 5-2: Configuring AAA for Traffic Management ..................................................... 78
Before You Begin ............................................................................................................. 78
Exercise Details ................................................................................................................ 78
Summary .......................................................................................................................... 78
Configure an Authentication Virtual Server ........................................................................ 78
Configure an Authentication Virtual Server (Command-Line Interface) ............................... 79
Create Authorization Policies ............................................................................................ 80
Create Authorization Policies (Command-Line Interface) ................................................... 82

Module 6: AppExpert Rate Limiting, HTTP Service Callout and Policy-based Logging ........ 85



HTTP Service Callout Exercises ............................................................................................ 87
Exercise 6-1: Configuring HTTP Callouts .......................................................................... 87
Before You Begin ............................................................................................................. 87
Exercise Parameters ......................................................................................................... 87
Exercise Details ................................................................................................................ 87
Configuration Testing and Troubleshooting ....................................................................... 88
Configuring HTTP Callouts ................................................................................................ 88
Configuring HTTP Callouts (Command-Line Interface) ...................................................... 90
Exercise 6-2: Configuring Rate Limiting ............................................................................ 92
Before You Begin ............................................................................................................. 92
Exercise Details ................................................................................................................ 92
Configuration Testing ........................................................................................................ 93
Configuring Rate Limiting .................................................................................................. 93
Configuring Rate Limiting (Command-Line Interface) ........................................................ 94

Module 7: Command Center ........................................................................ 97


Command Center Exercises ................................................................................................. 99
Exercise 7-1: Installing Command Center ......................................................................... 99
Before You Begin ............................................................................................................. 99
Exercise Details ................................................................................................................ 99
Summary .......................................................................................................................... 99
Installing Command Center ............................................................................................... 99
Exercise 7-2: Creating Device Profiles and Discovering NetScaler Devices ..................... 100
Before You Begin ........................................................................................................... 100
Exercise Details .............................................................................................................. 101
Summary ........................................................................................................................ 101
Creating a Device Profile ................................................................................................. 101
Adding a NetScaler Device to Command Center ............................................................ 101
Viewing Device Properties ............................................................................................... 102
Exercise 7-3: Configuring Tasks ..................................................................................... 103
Before You Begin ........................................................................................................... 103
Exercise Details .............................................................................................................. 103
Summary ........................................................................................................................ 103
Executing a Built in Task ................................................................................................. 104
Create a Custom Task .................................................................................................... 104
Execute a Custom Task .................................................................................................. 105
Exercise 7-4: Monitoring ................................................................................................. 106
Before You Begin ........................................................................................................... 106
Exercise Details .............................................................................................................. 106
Summary ........................................................................................................................ 107
Monitoring NetScaler Changes from Command Center .................................................. 107
Exercise 7-5: Managing Faults ........................................................................................ 107
Before You Begin ........................................................................................................... 108
Exercise Details .............................................................................................................. 108
Summary ........................................................................................................................ 108
Managing Faults ............................................................................................................. 108



Module 8: Insight Center ............................................................................ 111
Insight Center Exercises ..................................................................................................... 113
Exercise 8-1: Configuring Insight Center ......................................................................... 113
Before You Begin ........................................................................................................... 113
Exercise Details .............................................................................................................. 113
Summary ........................................................................................................................ 113
Performing an Insight Center Initial Configuration ............................................................ 114
Configuring Data Collection ............................................................................................ 114
Generating Traffic and Viewing Insight Center Reports ................................................... 115

Module 9: NetScaler Web Logging ............................................................. 117


NetScaler Web Logging Exercises ...................................................................................... 119
Exercise 9-1: Installing and Configuring NetScaler Web Logging .................................... 119
Before You Begin ........................................................................................................... 119
Exercise Details .............................................................................................................. 119
Configuring the NSWL Client .......................................................................................... 121
Running the NSWL Client with Default Filters .................................................................. 121
Configuring Web Logging Filters ..................................................................................... 123
Running the NSWL Client as a Service ........................................................................... 123

Module 10: Appendix A: Troubleshooting Common Issues ........................ 125


Troubleshooting Common Issues ....................................................................................... 127
Common Issues .............................................................................................................. 127
High Availability ............................................................................................................... 127
Configuration Synchronization Failure ............................................................................. 127
File Synchronization Failure ............................................................................................. 128
Unexpected Failover ....................................................................................................... 129
Load Balancing ............................................................................................................... 129
Uneven Load Balancing .................................................................................................. 129
Service/Virtual Server Flapping ........................................................................................ 130
SSL Offloading ................................................................................................................ 131
Access to SSL VIP Address Failing ................................................................................. 131
Certificate-Related Warnings Occurring .......................................................................... 132
Intermediate Certificate Not Being Properly Linked ......................................................... 132
Browser Warning Showing an Insecure Web Page ......................................................... 133
Certificates Expiring ........................................................................................................ 133
Content Switching .......................................................................................................... 133
Global Server Load Balancing ......................................................................................... 133
Networking ..................................................................................................................... 134
Duplex Mismatch or Misconfigured Interface Settings ..................................................... 134
Inaccessible Content ...................................................................................................... 135
Caching .......................................................................................................................... 136

Module 11: NetScaler Practicum ................................................................ 139



Practice Exercises .............................................................................................................. 141
Practice Exercises .......................................................................................................... 141
Requirements: Part I ....................................................................................................... 141
Requirements: Part II ...................................................................................................... 142
Requirements: Part III ...................................................................................................... 142



Citrix Hands-on Labs
What are Hands-on Labs?
Hands-on Labs from Citrix Education allows you to revisit, relearn, and master the lab exercises
covered during the course. This offer gives you 25 days of unlimited lab access to continue your
learning experience outside of the classroom.

Claim introductory pricing of $500 for 25 days of access. Contact your Citrix Education
representative or purchase online here.

Why Hands-on Labs?

• Practice outside of the classroom: You'll receive a fresh set of labs, giving you the opportunity to recreate and master each step in the lab exercises.
• Test before implementing: Whether you're migrating to a new version of a product or have discovered a product feature you previously didn't know about, you can test it out in a safe sandbox environment before putting it into live production.
• 25 days of access: Get unlimited access to the labs for 25 days after you launch, giving you plenty of time to sharpen your skills.
• Certification exam preparation: Get ready for your Citrix certification exam by practicing test materials covered by lab exercises.
Credits
Role Name
Instructional Designers: Jeremy Boehl, Dustin Clark, Nathaniel De Leon,
Anton Mayers, Christopher Rudolph

Graphic Artists: Benjamin Abraham, Veronica Fuentes, Tyler Fromma

Manager: Leslie Keelan

Editor: Christopher Rudolph

Subject Matter Experts: Jeff Apsley, Justin Aspley, Arvind Bangari, Paul
Blitz, Mark Borrow, Erik Brandsberg, Colin
Christy, John Daniels, John Dell, Greg Dolan,
Stefan Drege, Seema Vaibhav Dubey, Abhishek
Gautam, Roland Geldner, Bino Gopal,
DeeLayna Hurst, Todd Hurst, Faisal Jahan,
Vamsi Korrapati, Prakash Mana, James Nagy,
Ronan O’Brien, Lokaraj Pedapalli, Glenn Porter,
Ram Prasad, Patrick Quinlan, Prabhu Rampur,
Kumaresan Rangasamy, Anoop Reddy, Guy
Rosefelt, Rhonda Rowland, Jacob Salassi,
Kawaljit Singh, Prakash Sinha, Erin Smith, Sam
Spence, Thilak Subburam, Raghu Varma
Tirumalaraju, Bjarne Traeholt, Chad Tripod,
Abhilash Verma, Gregor Visconty, Kit Wetzler,
Don Williams, Lena Yarovaya, Tony Zhang
Notices
Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or
use of this publication. Citrix specifically disclaims any expressed or implied warranties,
merchantability, or fitness for any particular purpose. Citrix reserves the right to make any changes
in specifications and other information contained in this publication without prior notice and
without obligation to notify any person or entity of such revisions or changes.
© Copyright 2016 Citrix Systems, Inc. All Rights Reserved.
No part of this publication may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or information storage and retrieval
systems, for any purpose other than the purchaser’s personal use, without express written
permission of:
Citrix Systems, Inc. 851 West Cypress Creek Road Fort Lauderdale, FL 33309 http://www.citrix.com
The following marks are service marks, trademarks or registered trademarks of their respective
owners in the United States and other countries.

Mark | Owner
Active Directory®, Microsoft®, Microsoft Internet Explorer®, Windows®, Win32™ | Microsoft Corporation
ActivePerl® | ActiveState Software, Inc.
American Express® | American Express Company
Apache™ | The Apache Software Foundation
Citrix®, Citrix NetScaler Gateway™, Citrix Application Firewall™, Citrix Authorized Learning Center™, Citrix Certified Administrator™, Citrix Certified Enterprise Administrator™, Citrix Certified Integration Architect™, EdgeSight®, ICA®, NetScaler®, MyCitrix™ | Citrix Systems, Inc.
Diners Club® | Diners Club International Ltd.
Discover® | Discover Financial Services
Firefox® | Mozilla Corporation
FreeBSD® | FreeBSD Foundation
Google™ | Google Inc.
Intel®, Pentium® | Intel Corporation
Java® | Sun Microsystems, Inc.
JCB® | JCB International Co., Ltd.
Linux® | Linus Torvalds
LiveHTTPHeaders® | Mozdev Community Organization, Inc.
MasterCard® | MasterCard Worldwide
Microsoft®, .NET™, Active Directory®, Internet Explorer®, SQL Server®, Windows® | Microsoft Corporation
Pearson VUE® | Pearson Education, Inc.
PuTTY® | Simon Tatham
Secure Shell®, SSH® | SSH Communications Security Corp.
UNIX® | The Open Group
Visa® | Visa Inc.
WinSCP® | Martin Prikryl, GNU General Public License, Free Software Foundation, Inc.

Other product and company names mentioned herein might be the service marks, trademarks or
registered trademarks of their respective owners in the United States and other countries.
Module 1: Advanced Troubleshooting

Lab Overview
Lab Overview
This book contains exercises to accompany the courseware content. This section provides an
overview of the hosted lab environment used with the lab exercises in this course.

Lab Approach
Each exercise presented here begins with an introduction to the exercise, followed by detailed step-
by-step instructions. The introduction comprises the following sections:
• Scenario: describes the end goal.
• Before You Begin: lists exercise dependencies.
• Exercise Details: lists the high-level tasks that will be performed in the lab.

These tasks are designed to contain enough information to allow you to attempt the
exercise without the step-by-step instructions. We encourage you to attempt to
perform the exercise using these tasks and resorting to the step-by-step instructions for
more information or if you have difficulty completing the exercise.

• Summary: reviews the main points of the exercise.

Revisit this summary after the exercise is completed.

• Login information: Use the following usernames and passwords throughout the labs:
• Citrixadmin/Password1 for Windows machines.
• root/public for Command Center machine.
• nsroot/nsroot for NetScaler and Insight Center machines.


Lab Infrastructure

Advanced Troubleshooting Exercises
Exercise 1-1: Troubleshooting a NetScaler Configuration
Company XYZ has recently rolled out a NetScaler system into their pre-production environment
for testing and is experiencing three separate issues while accessing content that is delivered
through the system. As the NetScaler administrator, you have been tasked with troubleshooting the
three issues detailed below:
1. Some services are showing as down even though their respective servers are healthy.
2. The vserver lb_TS_MAIN is down, yet the effective state shows as up.
3. The configured load balancing method for vserver lb_TS_MAIN is Least Connections, but
requests are not being load balanced according to the Least Connections algorithm.

Before You Begin

Before you begin, you must access the lab environment with XenCenter and ensure that all virtual
machines are started. To access the environment and start the virtual machines:
1. Launch XenCenter, right-click each virtual machine and click Start.

To start a single virtual machine, right-click the virtual machine and click Start.

To complete this exercise, you need to have:
• The nsroot logon credentials for your NetScaler system.
• Access to the Configuration Utility or the command-line interface.
• Access to a web browser.
• The Live HTTP Headers browser extension.
• All virtual machines started.
Estimated time to complete this exercise: 45 minutes

Exercise Details
Troubleshoot the following NetScaler configuration issues:

For all exercises, unless otherwise directed, use the Student Desktop virtual machine
logged on with the CitrixUser/Password1 credentials.

1. Using the Student Desktop virtual machine (CitrixUser/Password1), log in to the Configuration
Utility:
a. Open Firefox and navigate to http://netscaler.training.lab/.
b. Type nsroot in the User Name field.
c. Type nsroot in the Password field.
d. Click Login.
2. Log in to the Command Line Interface:
a. Open putty.exe from the desktop.
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open and click Yes on the Security Alert if needed.
d. Type nsroot as the username and nsroot as the password.
• Issue 1: Some services are down despite their servers being healthy.
1. Use the Configuration Utility or command-line interface to access your NetScaler system.
2. Determine which services are down and make a note.
3. Determine why the services are down and note the cause.
4. Determine possible solutions and add them to a note.
5. Perform configuration changes to resolve the issue.
6. Verify that the state of all services is UP.
• Issue 2: The vserver lb_TS_MAIN is down, yet the effective state shows as up.
1. Note why the lb_TS_MAIN state is DOWN.
2. Note why the lb_TS_MAIN effective state is UP.
3. Note the difference between the state and effective state of a virtual server.
• Issue 3: The configured load balancing method for vserver lb_TS_MAIN is Least Connections,
but requests are not being load balanced according to the Least Connections algorithm.
1. Verify that the requests to the lb vserver lb_TS_MAIN are not being load-balanced.
2. Determine and note why the requests are not being load-balanced.
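Each of the three symptoms above can be read off the output of two CLI commands, show service and show lb vserver. The following script is an added example for this workbook, not Citrix code: it parses that output and flags a service that is DOWN together with its monitor's last response, a virtual server whose State is DOWN while its Effective State is UP (which NetScaler reports when a backup virtual server or redirect URL is still answering clients), and a Configured Method that differs from the Current Method (NetScaler prints the reason for the difference on the same line). The sample output embedded in the script is constructed and only approximates real NetScaler output; the names lb_TS_BACKUP, svc_ts1_http, svc_ts2_http and the monitor responses are assumptions, not values from the lab. Capture the real output on the lab appliance and feed that in.

```python
"""Triage the three Exercise 1-1 symptoms from NetScaler CLI output.

Added example, not Citrix code. SAMPLE_LB_VSERVER and SAMPLE_SERVICE are
constructed here and only approximate what `show lb vserver` and
`show service` print on the appliance.
"""
import re

SAMPLE_LB_VSERVER = """\
1)\tlb_TS_MAIN (192.168.30.20:80) - HTTP\tType: ADDRESS
\tState: DOWN
\tEffective State: UP
\tBackup: lb_TS_BACKUP
\tConfigured Method: LEASTCONNECTION
\tCurrent Method: Round Robin, Reason: Bound service's state changed to UP
2)\tlb_TS_BACKUP (0.0.0.0:0) - HTTP\tType: ADDRESS
\tState: UP
\tEffective State: UP
\tConfigured Method: LEASTCONNECTION
\tCurrent Method: LEASTCONNECTION
"""

SAMPLE_SERVICE = """\
1)\tsvc_ts1_http (192.168.20.11:80) - HTTP
\tState: DOWN
\tMonitor Name: http\tState: DOWN\tWeight: 1
\t\tProbes: 40\tFailed [Total: 40 Current: 40]
\t\tLast response: Failure - HTTP response code 404 received
2)\tsvc_ts2_http (192.168.20.12:80) - HTTP
\tState: UP
\tMonitor Name: tcp-default\tState: UP\tWeight: 1
\t\tProbes: 40\tFailed [Total: 0 Current: 0]
\t\tLast response: Success - TCP syn+ack received.
"""

ENTRY = re.compile(r"^\d+\)\t(\S+)", re.MULTILINE)


def _field(block, key):
    """Value of an entry-level '<tab>Key: value' line, or None if absent."""
    m = re.search(r"^\t" + re.escape(key) + r":\s*([^\n]*)", block, re.MULTILINE)
    return m.group(1).strip() if m else None


def _split_entries(text):
    """Yield (name, text) for each numbered entry in a show command's output."""
    starts = list(ENTRY.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        yield m.group(1), text[m.start():end]


def _norm(method):
    # 'Round Robin' and 'ROUNDROBIN' name the same algorithm.
    return re.sub(r"[^A-Z]", "", method.upper()) if method else None


def parse_lb_vservers(text):
    out = {}
    for name, block in _split_entries(text):
        current = _field(block, "Current Method") or ""
        method, _, reason = current.partition(", Reason:")
        out[name] = {
            "state": _field(block, "State"),
            "effective_state": _field(block, "Effective State"),
            "backup": _field(block, "Backup"),
            "redirect_url": _field(block, "Redirect URL"),
            "configured_method": _norm(_field(block, "Configured Method")),
            "current_method": _norm(method),
            "method_reason": reason.strip() or None,
        }
    return out


def parse_services(text):
    out = {}
    for name, block in _split_entries(text):
        mon = re.search(r"Monitor Name:\s*(\S+)\tState:\s*(\S+)", block)
        resp = re.search(r"Last response:\s*([^\n]*)", block)
        out[name] = {
            "state": _field(block, "State"),
            "monitor": mon.group(1) if mon else None,
            "monitor_state": mon.group(2) if mon else None,
            "last_response": resp.group(1).strip() if resp else None,
        }
    return out


def triage(vservers, services):
    """One finding per symptom: services first, then virtual servers."""
    findings = []
    for name, s in services.items():
        if s["state"] == "DOWN":                                     # issue 1
            findings.append(f"{name}: DOWN because monitor {s['monitor']} "
                            f"failed: {s['last_response']}")
    for name, v in vservers.items():
        if v["state"] == "DOWN" and v["effective_state"] == "UP":     # issue 2
            via = v["backup"] or v["redirect_url"] or "unknown fallback"
            findings.append(f"{name}: DOWN but effective state UP; "
                            f"clients are still served via {via}")
        if v["configured_method"] and v["current_method"] \
                and v["configured_method"] != v["current_method"]:   # issue 3
            findings.append(f"{name}: configured {v['configured_method']} but "
                            f"currently {v['current_method']} ({v['method_reason']})")
    return findings


if __name__ == "__main__":
    for line in triage(parse_lb_vservers(SAMPLE_LB_VSERVER),
                       parse_services(SAMPLE_SERVICE)):
        print(line)
```

The state/effective-state finding is the one worth a second look from a security standpoint: a virtual server that is DOWN yet effectively UP is still accepting client traffic, so whatever the backup or redirect target is must carry the same protections as the primary.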

Summary
In this exercise you learned some of the strategies for troubleshooting common NetScaler
configuration issues. Helpful keys to a successful implementation of a NetScaler system include the
following:
1. Configure only the features or nodes that are required for your implementation.
2. Configure features or nodes one at a time.
3. Test your configuration thoroughly to ensure that the NetScaler system delivers content as
expected.

Exercise 1-2: Creating NetScaler Objects


Create the server, service and load balancing virtual server objects necessary for the remaining
Application Firewall exercises in this course.

Before You Begin


To complete this exercise, you need to have:
• The NetScaler IP (NSIP) address assigned to you.
• The NetScaler nsroot logon credentials for your system.
• Access to the Configuration Utility or the command-line interface.
• The AFWeb server IP address.
• The AFWeb VIP address assigned to you.
Estimated time to complete this exercise: 15 minutes

Exercise Details
Complete the following steps:
1. Create the AFWeb objects:
a. Create a server object for AFWeb using the AFWeb IP address 192.168.20.110:
srv_afweb.
b. Create a service object for AFWeb, which supports HTTP traffic over port 80:
svc_afweb_http.
c. Create a load balancing virtual server object for AFWeb, which supports HTTP traffic
over port 80 using the IP address 192.168.30.30 named lb_vsrv_afweb.
d. Bind the service to the load-balancing virtual server.
2. Test the virtual server:
a. Launch a web browser.
b. Browse to http://afweb.training.lab/.

Summary
This exercise sets several key requirements needed by all other lab exercises. For this lab
environment, proxy settings must be removed from the web browser. The server, service and virtual
server objects are created, which are required to access the test application AFWeb.

Creating NetScaler Objects for AFWeb
Use the following procedure to create NetScaler objects for AFWeb:
1. Go to Traffic Management > Load Balancing > Servers and click Add.
2. Create the AFWeb server:
a. In the Server Name field, type srv_afweb.
b. In the IP Address field, type 192.168.20.110.
c. Click Create.
3. Verify that the server is Enabled in the Server pane.
4. Go to Traffic Management > Load Balancing > Services and click Add.
5. Create the AFWeb service:
a. In the Service Name field, type svc_afweb_http.
b. Select Existing Server radio button.
c. In the Server drop-down list box, select srv_afweb (192.168.20.110).
d. In the Protocol drop-down list box, make sure HTTP is selected.
e. In the Port field, make sure 80 is defined.
f. Click OK and then click Done.
6. Verify that the service is Up in the Services pane.
7. Go to Traffic Management > Load Balancing > Virtual Servers and click Add.
8. Create the AFWeb virtual server:
a. In the Name field, type lb_vsrv_afweb.
b. In the Protocol drop-down box, make sure HTTP is selected.
c. In the IP Address field, type 192.168.30.30.
d. In the Port field, make sure 80 is defined.
e. Click OK.
f. Click No Load Balancing Virtual Server Service Binding under Services and Service
Groups.
g. Click Click to select under Select Service.
h. Click the svc_afweb_http check box, click Select and then click Bind.
i. Click Continue and then click Done.
9. Verify that the virtual server is enabled and Up in the Load Balancing Virtual Servers pane.
10. Click the Save icon on the upper right menu bar to save the configuration and confirm.
11. Open a new browser window and browse to http://afweb.training.lab/
a. The AFWeb website should display.

A DNS entry for AFWeb has already been created for you.

Creating NetScaler Objects for AFWeb (Command-Line Interface)
Use the following procedure to create NetScaler objects for AFWeb. This is for reference only. If an
object is created using the GUI you cannot create it using the CLI unless it is first deleted.
1. Log in to the command-line interface:
a. Open putty.exe from the student desktop.
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open.
d. Type nsroot as the username and nsroot as the password.
2. Create the AFWeb server.
add server srv_afweb 192.168.20.110
3. Create the AFWeb service.
add service svc_afweb_http srv_afweb HTTP 80
4. Create the AFWeb virtual server.
add lb vserver lb_vsrv_afweb HTTP 192.168.30.30 80
5. Bind the AFWeb virtual server to the AFWeb service.
bind lb vserver lb_vsrv_afweb svc_afweb_http
6. Save the NetScaler configuration.
save ns config
7. Open a new browser window and browse to http://afweb.training.lab/
a. The AFWeb website should display.

A DNS entry for AFWeb has already been created for you.

Exercise 1-3: Creating NetScaler Objects for WebGoat
Create the server, service, and load-balancing virtual server objects necessary for the HTTP callout
exercises in this course.

Before You Begin


To complete this exercise, you need to have:
• The NetScaler IP (NSIP) address assigned to you.
• The NetScaler nsroot logon credentials for your system.
• Access to the Configuration Utility or the command-line interface.
• The WebGoat server IP addresses.
• A VIP address to be used for the WebGoat load balancing virtual server.
Estimated time to complete this exercise: 10 minutes

Exercise Details
Complete the following steps:
• Create WebGoat objects:
• Create a server object for WebGoat using 192.168.20.9: srv_webgoat.
• Create a service object for WebGoat for HTTP traffic over port 80: svc_webgoat_http.
• Create a load balancing virtual server object for WebGoat, which supports HTTP traffic
over port 80. Use 192.168.30.35 for the virtual IP address. Virtual server: lb_vsrv_webgoat.
• Bind the service to the load balancing virtual server.
• Test the newly created load balancing virtual server by browsing to http://webgoat.net/WebGoat/attack.

Summary
This exercise creates entities needed in later lab exercises as part of an initial environment
configuration. This section uses existing skills to create and configure load-balancing virtual servers
and services.

Creating NetScaler Objects for WebGoat


Use the following procedure to create NetScaler objects for Webgoat:
1. Ensure that the WebGoat virtual machine is started.
2. Switch to the Student Desktop machine and log in to the Configuration Utility if necessary.

3. Go to Traffic Management > Load Balancing > Servers and click Add.
4. Create the WebGoat server:
a. In the Server Name field, type srv_webgoat.
b. In the IP Address field, type 192.168.20.9.
c. Click Create.
5. Verify that the server is Enabled in the Server pane.
6. Go to Traffic Management > Load Balancing > Services and click Add.
7. Create the WebGoat service:
a. In the Service Name field, type svc_webgoat_http.
b. Click the Existing Server radio button and in the Server drop-down list box, select
srv_webgoat (192.168.20.9).
c. In the Protocol drop-down list box, make sure HTTP is selected.
d. In the Port field, type 80.
e. Click OK and then click Done.
8. Verify that the service is Up in the Services pane.
9. Go to Traffic Management > Load Balancing > Virtual Servers.
10. Click Add.
11. Create the WebGoat virtual server:
a. In the Name field, type lb_vsrv_webgoat.
b. In the Protocol drop-down list box, make sure HTTP is selected.
c. In the IP Address field, type 192.168.30.35.
d. In the Port field, make sure 80 is defined.
e. Click OK.
f. Click No Load Balancing Virtual Server Service Binding under the Services and
Service Groups field.
g. Click Click to select under Select Service.
h. Click the svc_webgoat_http check box, click Select and then click Bind.
i. Click Continue then click Done.
12. Verify that the virtual server is Up in the Load Balancing Virtual Servers pane. Click the
NetScaler Refresh button if it is down.
13. Click the Save icon to save the NetScaler configuration and confirm.
14. Open a new browser window and browse to the case sensitive URL
http://webgoat.net/WebGoat/attack
a. Enter webgoat for the user name and webgoat for the password.
b. The WebGoat website should display.

A host file entry for WebGoat.net has already been created for you. Note the
capital "W" and "G" in the URL.

Creating NetScaler Objects for WebGoat (Command-Line Interface)
Use the following procedure to create NetScaler objects for WebGoat. This is for reference only. If
an object is created using the GUI you cannot create it using the CLI unless it is first deleted.
1. In XenCenter, select the WebGoat virtual machine and click Start.
2. Log on to the command-line interface.
3. Create the WebGoat server.
add server srv_webgoat 192.168.20.9
4. Create the WebGoat service.
add service svc_webgoat_http srv_webgoat HTTP 80
5. Create the WebGoat virtual server.
add lb vserver lb_vsrv_webgoat HTTP 192.168.30.35 80
6. Bind the WebGoat virtual server to the WebGoat service.
bind lb vserver lb_vsrv_webgoat svc_webgoat_http
7. Save the NetScaler configuration.
save ns config
8. Open a new browser window and browse to the case sensitive URL
http://webgoat.net/WebGoat/attack
a. The WebGoat website should display.

A host file entry for WebGoat.net has already been created for you. Note the
capital "W" and "G" in the URL.
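The CLI reference procedures in Exercises 1-2 and 1-3 can also be driven from NetScaler's NITRO REST API, which is useful when the same objects have to be created on several appliances. The script below is an added example for this workbook, not Citrix's own tooling; it builds the same server, service, virtual server and binding objects for AFWeb and WebGoat and then saves the configuration. Assumptions not stated in the workbook: NITRO v1 reachable over HTTPS on the lab NSIP (192.168.30.105), the JSON resource names shown (server, service, lbvserver, lbvserver_service_binding, nsconfig) and PUT for the binding call, and credentials supplied in the NS_USER and NS_PASS environment variables. The certificate check is switched off only in the main block because the lab appliance uses a self-signed certificate; leave it on anywhere else, and change the nsroot/nsroot lab default on any appliance that is not disposable.

```python
"""Create the AFWeb and WebGoat load balancing objects via NITRO.

Added example for this workbook, not Citrix code. Resource names and
the PUT-for-bindings convention are assumptions based on NITRO v1.
"""
import json
import os
import ssl
import urllib.request

NSIP = "192.168.30.105"   # lab NSIP from the workbook


def server_payload(name, ip):
    return {"server": {"name": name, "ipaddress": ip}}


def service_payload(name, server, port=80, servicetype="HTTP"):
    return {"service": {"name": name, "servername": server,
                        "servicetype": servicetype, "port": port}}


def lbvserver_payload(name, vip, port=80, servicetype="HTTP"):
    return {"lbvserver": {"name": name, "servicetype": servicetype,
                          "ipv46": vip, "port": port}}


def binding_payload(vserver, service):
    return {"lbvserver_service_binding": {"name": vserver,
                                          "servicename": service}}


def plan(app, server_ip, vip, port=80):
    """Ordered (method, resource, body) calls that mirror the CLI steps."""
    srv, svc, vs = f"srv_{app}", f"svc_{app}_http", f"lb_vsrv_{app}"
    return [
        ("POST", "server", server_payload(srv, server_ip)),
        ("POST", "service", service_payload(svc, srv, port)),
        ("POST", "lbvserver", lbvserver_payload(vs, vip, port)),
        ("PUT", "lbvserver_service_binding", binding_payload(vs, svc)),
    ]


SAVE = ("POST", "nsconfig?action=save", {"nsconfig": {}})   # 'save ns config'


def send_calls(calls, nsip=NSIP, verify=True):
    """Send each call; credentials come from the environment, never the script."""
    user, password = os.environ["NS_USER"], os.environ["NS_PASS"]
    ctx = ssl.create_default_context()
    if not verify:                 # lab only: self-signed certificate on the NSIP
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    for method, resource, body in calls:
        req = urllib.request.Request(
            f"https://{nsip}/nitro/v1/config/{resource}",
            data=json.dumps(body).encode(), method=method,
            headers={"Content-Type": "application/json",
                     "X-NITRO-USER": user, "X-NITRO-PASS": password})
        with urllib.request.urlopen(req, context=ctx) as resp:
            print(method, resource, resp.status)


if __name__ == "__main__":
    calls = (plan("afweb", "192.168.20.110", "192.168.30.30")
             + plan("webgoat", "192.168.20.9", "192.168.30.35")
             + [SAVE])
    send_calls(calls, verify=False)
```

As with the CLI, an object that already exists from the GUI steps makes the corresponding POST fail, so delete it first or skip that call.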

Module 2
Profiles and Policies
Policies and Profiles Exercises
Exercise 2-1: Creating Basic and Advanced Profiles
Create the Application Firewall profiles for the AFWeb web sites and set the initial profile settings.

Before You Begin


To complete this exercise, you need to have completed the configuration of the AFWeb load-
balancing virtual server.
Estimated time to complete this exercise: 10 minutes

Exercise Details
Complete the following tasks:
1. Create an Application Firewall profile for AFWeb: AFWeb_Basic. Create the profile with the
Basic default settings.
2. Create an Application Firewall profile for AFWeb: AFWeb_Adv. Create the profile with the
Advanced default settings.
3. Modify the AFWeb_Basic profile. Configure the error page to be the blocked page in AFWeb.
Set the error page URL to http://afweb.training.lab/blocked.htm.

Summary
An Application Firewall profile is a collection of settings (such as security checks, relaxations and
an error page) that determine the Application Firewall protections applied to a site or group of
sites. When creating a new profile, the profile options are to create a Basic profile or an Advanced
profile. These options determine the default settings for the profile. The default options include
which security checks are enabled for blocking by default, whether learning is used, and whether
certain default relaxations are already configured.
The advanced profile includes different default settings than the basic profile. The primary
differences are that the advanced profile includes learning enabled by default, and most security
checks are enabled for blocking by default. When looking specifically at the start URL security
check, the advanced profile does not include default allowed start URLs, and URL closure is
enabled by default.
Any Application Firewall profile may be fully configured or customized to work with the
application. The selection of the advanced profile versus the basic profile options at the time of
profile creation only determines the default profile settings.

The error page is set as part of the initial profile configuration so that when the profile is applied
against the application, the user knows that the profile is blocking the action.

Enabling the Application Firewall Feature


Reminder: Use the ICA file to access the StudentDesktop virtual machine. Access
http://netscaler.training.lab and log in with the nsroot/nsroot credentials for this task and other
tasks unless directed otherwise.
Use the following procedure to enable the Application Firewall feature:
1. Expand the Security node.
2. Right-click Application Firewall and select Enable feature.

A yellow exclamation mark shows that the feature is not enabled.

3. Click the Save icon on the upper right menu bar to save the configuration. Changes to the
configuration affect the running configuration only, unless they are saved. Any unsaved
changes are lost following a restart.
4. Click Yes to save the running configuration.

Creating a Basic Application Firewall Profile for AFWeb


Use the following procedure to create a basic Application Firewall profile for AFWeb:
1. Go to Security > Application Firewall > Profiles.
2. Click Add to create a new profile.
3. Create an Application Firewall profile:
a. Set the Profile Name to AFWeb_Basic.
b. Verify that the Profile Type is set to Web Application (HTML).
c. Verify that the Defaults radio button is set to Basic.
d. Click OK.

Creating an Advanced Application Firewall Profile for AFWeb
Use the following procedure to create an advanced Application Firewall profile for AFWeb:
1. Create an Application Firewall profile:
a. Click Add to create a new profile.

b. Set Profile Name to AFWeb_Adv.
c. Verify that the Profile type is set to Web Application (HTML).
d. Set Defaults to Advanced.
e. Click OK.
The Advanced profile is created to show the differences in default profiles. The Basic profile
will be used in the following labs.

Configuring the Error Page for AFWeb


Use the following procedure to configure the AFWeb error page using the Configuration Utility:
1. Select the AFWeb_Basic profile and click Edit.
2. Click the Profile Settings node on the right.
3. Set the Redirect URL to /blocked.htm.
4. Click OK, then click Done.
5. Click the Save icon on the upper right menu bar to save the configuration and confirm.

Exercise 2-2: Configuring Application Firewall Policies


Create policies to identify the AFWeb web site and associate the appropriate profile to it.

Before You Begin


To complete this exercise, you need to have completed the creation of the Application Firewall
profile for AFWeb.
Estimated time to complete this exercise: 10 minutes

Exercise Details
Complete the following tasks:
1. Create an Application Firewall policy for AFWeb: pol_af_afweb.
a. Create a new Application Firewall policy.
b. Set the policy action to the profile for AFWeb: AFWeb_Basic.
c. Set the policy expression to TRUE.
d. Bind the policy to the load-balancing virtual server lb_vsrv_afweb with a priority of
100.
2. Test the Application Firewall policies.

a. Browse to the AFWeb site. Verify that you receive the blocked page instead of the
default home page.
b. Verify that the policy is being applied by checking the hit count within the NetScaler
Configuration Utility (GUI).
c. Prepare for the following labs by disabling the start URL check protection for the
AFWeb profile.

Summary
Application Firewall policies determine which traffic the profile settings are applied to, and
therefore when the profile protections take effect.

Creating an Application Firewall Policy for AFWeb


Use the following procedure to create an Application Firewall policy for AFWeb:
1. Go to Security > Application Firewall > Policies > Firewall.
2. Click Add to create a new policy.
3. Create an Application Firewall policy:
a. In the Name field, type pol_af_afweb.
b. In the Profile drop-down box, select AFWeb_Basic.
c. In the Expression box, type TRUE.
4. Click Create.
5. Go to Traffic Management > Load Balancing > Virtual Servers.
6. Select the lb_vsrv_afweb virtual server and click Edit.
7. Click the Policies node on the right pane.
8. Click To add, please click on the + icon under Policies. Select App Firewall from the Choose
Policy drop-down menu.
9. Select Request from the Choose Type drop-down list, then click Continue.
10. Click Click to select under Select Policy and select the pol_af_afweb radio button.
11. Click Select.
12. Click Bind.
13. Click Done to close the Load Balancing Virtual Server dialog box.
14. Click the Save icon on the upper right menu bar to save the configuration and confirm.

Testing Application Firewall Policies


Use the following procedure to test the AFWeb policy:

1. Open a new browser tab and go to http://afweb.training.lab to view the AFWeb
site. Verify that you have received the BLOCKED page instead of the default home page.
2. Switch to the Configuration Utility.
3. Go to Security > Application Firewall > Policies > Firewall.
4. View the policies in the right pane. Note the value in the Hits column for each policy. If
configured properly, then the hits will increase when you access a web site that matches the
rule in the policy. Click Refresh if necessary.
5. Disable Start URL protection in preparation of the following labs:
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Deselect Block for the Start URL Security Check.
e. Click OK, then click Save & Close to apply the change, then click Done.
f. Open a new browser tab and go to http://afweb.training.lab. You are now
permitted access to the AFWeb homepage.

Module 3
Attacks and Protections
Attacks and Protections Exercises
Exercise 3-1: Buffer Overflow Protection
This exercise demonstrates a Buffer Overflow exploit and protection using the AFWeb site.
Begin by disabling the Application Firewall protection for AFWeb and viewing the Buffer Overflow
demonstration link. Then, enable the Application Firewall protection and observe the default
behavior.

Before You Begin


Before you begin, you must access the lab environment and ensure that all virtual machines are
started.
To complete this exercise, you need to have:
• Access to the AFWeb site.
• Completed the configuration of the load balancing virtual server AFWeb.
• Created the AFWeb_Basic profile and the corresponding policy.
Estimated time to complete this exercise: 10 minutes

Exercise Details
Complete the following tasks:
1. Demonstrate a buffer overflow attack.
a. Disable protection for AFWeb. Modify the profile to disable the buffer overflow
security check.
b. Browse to the AFWeb Buffer Overflow page.
2. Demonstrate buffer overflow protection.
a. Enable protection for AFWeb. Modify the profile to enable blocking for the Buffer
Overflow security check.
b. Return to AFWeb and attempt to access the buffer overflow demonstration link.
Observe the default protection behavior.

Summary
The Application Firewall Buffer Overflow check blocks requests whose URL length, cookie length or
header length exceeds the configured threshold.
The thresholds can be lowered to stop a buffer overflow exploit from reaching the server and
disclosing sensitive information, or raised to allow legitimate long requests that the defaults
would otherwise block.

Demonstrating a Buffer Overflow Attack


Use the following procedure to demonstrate a buffer overflow attack:
1. Log in to the Configuration Utility using the Student Desktop virtual machine.
a. Open a browser window and navigate to http://NetScaler.training.lab.
b. Type nsroot in the User Name field.
c. Type nsroot in the Password field.
d. Click Login.
2. Disable the buffer overflow security check for AFWeb:
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Select Buffer Overflow and clear the Block check box.
e. Click OK, click Save & Close, then click Done to close the Profile and apply the
changes.
3. Open a new browser tab and navigate to http://afweb.training.lab.
4. Click the Buffer Overflow Demonstration link. The page will display a "successful" message
(because the behavior is not blocked). Note the URL length for the Buffer Overflow
Demonstration page.

Demonstrating Buffer Overflow Protection


Use the following procedure to demonstrate buffer overflow protection:
1. Switch to the NetScaler Configuration Utility.
2. Enable the buffer overflow security check for AFWeb:
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Select Buffer Overflow and select the Block check box.
e. Click OK, click Save & Close, then click Done to close the Profile and apply the
changes.
3. Switch to the AFWeb tab and navigate to http://afweb.training.lab.

4. Click the Buffer Overflow Demonstration link. The request will result in a redirect to
/blocked.htm (because the Application Firewall blocked the request).
5. Return to the Configuration Utility and view the log message.
a. Go to System > Auditing.
b. Click Syslog messages on the right pane.
c. Click Module under Filter By on the right pane.
d. Select APPFW from the Module drop-down list then click Apply.
e. Observe the log messages generated by the Application Firewall.
6. Click Back to close the Syslog Viewer.
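The Syslog Viewer filter used in step 5 is fine for one request, but across the Module 3 exercises it pays to summarise the APPFW messages instead of reading them one by one, in particular to spot checks that are only logging. The script below is an added example for this workbook, not Citrix code. The log lines embedded in it are constructed for the example and only approximate the real message layout; the regular expression keys on the parts that are stable across checks (the APPFW_<CHECK> token, client IP, host, URL and the trailing verdict such as <blocked>, <not blocked> or <transformed>). The client IPs, message IDs and page names in the sample are assumptions. Tune the expression against /var/log/ns.log on the appliance before relying on it.

```python
"""Summarise Application Firewall syslog entries (Module = APPFW).

Added example, not Citrix code. SAMPLE_LOG is constructed and only
approximates the real NetScaler log format.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Aug 10 10:15:32 192.168.30.105 08/10/2016:10:15:32 GMT ns 0-PPE-0 : default APPFW APPFW_BUFFEROVERFLOW 2045 0 :  192.168.30.50 12-PPE0 - afweb.training.lab http://afweb.training.lab/bufferoverflow.htm?data=AAAA Buffer overflow check failed for url: URL length(1240) exceeds the configured maximum(1024) <blocked>
Aug 10 10:18:07 192.168.30.105 08/10/2016:10:18:07 GMT ns 0-PPE-0 : default APPFW APPFW_SQL 2051 0 :  192.168.30.50 13-PPE0 - afweb.training.lab http://afweb.training.lab/sqlinjection.htm Field Name: lookup Value: john' OR '1=1' OR 'mary SQL Keyword check failed for field lookup="'" <blocked>
Aug 10 10:21:44 192.168.30.105 08/10/2016:10:21:44 GMT ns 0-PPE-0 : default APPFW APPFW_XSS 2058 0 :  192.168.30.50 14-PPE0 - afweb.training.lab http://afweb.training.lab/xss.htm Cross-site script check failed for field username="<script>" <not blocked>
Aug 10 10:22:10 192.168.30.105 08/10/2016:10:22:10 GMT ns 0-PPE-0 : default APPFW APPFW_XSS 2059 0 :  192.168.30.51 15-PPE0 - afweb.training.lab http://afweb.training.lab/xss.htm Cross-site script check failed for field username="<script>" <transformed>
"""

# check token, client IP, two tokens we do not need, host, URL, free text, verdict
LINE = re.compile(
    r"APPFW (?P<check>APPFW_\w+) \d+ \d+ :\s+(?P<client>\S+) \S+ \S+ "
    r"(?P<host>\S+) (?P<url>\S+) (?P<detail>.*) <(?P<verdict>[^<>]+)>$"
)


def parse(text):
    """Return one dict per line that matches the APPFW layout."""
    events = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarise(events):
    """Counts per (check, verdict) and per client, plus checks in log-only mode.

    A 'not blocked' verdict means the check matched but its Block action is
    off, so the request reached the server; that is what to look for after
    clearing a Block check box in these exercises.
    """
    per_check = Counter((e["check"], e["verdict"]) for e in events)
    per_client = Counter(e["client"] for e in events)
    log_only = sorted({e["check"] for e in events if e["verdict"] == "not blocked"})
    return {"per_check": per_check, "per_client": per_client, "log_only": log_only}


if __name__ == "__main__":
    s = summarise(parse(SAMPLE_LOG))
    for (check, verdict), n in sorted(s["per_check"].items()):
        print(f"{check:24} {verdict:12} {n}")
    for client, n in s["per_client"].most_common():
        print(f"{client:16} {n} event(s)")
    if s["log_only"]:
        print("checks in log-only mode (Block is off):", ", ".join(s["log_only"]))
```

The per-client count is the same data a SOC would use to decide whether a burst of APPFW events is one tester working through the lab pages or a scanner walking the whole site.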

Exercise 3-2: SQL Injection Exploits and Protection


This exercise demonstrates an SQL injection attack and the Application Firewall protection against
the attack. Begin by disabling the SQL injection protection for AFWeb and running various SQL
injection attacks against the site. Then enable the SQL injection protection and view the results
when a SQL injection attack is attempted.

Before You Begin


To complete this exercise, you need to have:
• Access to AFWeb.
Estimated time to complete this exercise: 10 minutes

Exercise Details
Complete the following tasks:
1. Demonstrate a SQL injection attack.
a. Disable the SQL injection protection for AFWeb.
b. Browse to AFWeb site and click the SQL Injection link.
c. Enter various SQL injection attacks in the Lookup Value field and click Submit.
d. Observe the results for each value.
2. Demonstrate SQL injection protection.
a. Enable SQL injection protection for AFWeb.
b. Return to the AFWeb SQL Injection page.
c. Enter various SQL injection attacks in the Lookup Value field and click Submit.
d. Observe the results for each value.
e. Modify the SQL Injection security check to restrict checks to fields containing SQL
special characters.
f. Return to the AFWeb SQL Injection page.
g. Enter the following values in the Lookup Value field and click Submit:
• 1001' OR '1=1
• select '
h. Observe the results for each value.

Summary
SQL Injection attacks can lead to the exposure of sensitive information regarding the structure of
databases and the information contained within the databases themselves. Application Firewall
protection against SQL injection attacks can prevent SQL keywords from being submitted to the
server and exploiting this vulnerability. The SQL injection security check may be modified to enable
relaxations to permit the use of SQL keywords with fields that do not pose a risk for SQL Injection
attacks.
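To see why the lookup values above return more than one record, the following Python script reproduces the demonstration page's behaviour in miniature. It is an added example for this workbook, not AFWeb's code: a query built by string concatenation next to its parameterised fix, plus a small detector that mirrors what the HTML SQL Injection check looks for (an SQL keyword together with an SQL special character, or a bare keyword when the check is not restricted to fields containing special characters). The in-memory SQLite table and its rows are constructed for the example; the inputs are the benign value john and the john' OR '1=1' OR 'mary payload from the procedure.

```python
"""Exercise 3-2 in miniature: vulnerable lookup, parameterised lookup, and a
detector approximating the HTML SQL Injection check.

Added example, not AFWeb or Citrix code. Table contents are constructed.
"""
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1001, "john", "4111-xxxx-1111"),
                      (1002, "mary", "5500-xxxx-0004"),
                      (1003, "sam", "3400-xxxx-0009")])
    return conn


def lookup_vulnerable(conn, value):
    """User input is spliced into the statement, so a quote ends the literal
    and everything after it is parsed as SQL."""
    sql = f"SELECT id, name, card FROM customers WHERE name = '{value}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, value):
    """Bound parameter: the quote in the input is data, never SQL."""
    return conn.execute("SELECT id, name, card FROM customers WHERE name = ?",
                        (value,)).fetchall()


SQL_KEYWORDS = re.compile(r"\b(select|union|insert|update|delete|drop|or|and)\b", re.I)
SQL_SPECIAL = re.compile(r"['\";]|--|/\*")


def looks_like_sqli(value, only_fields_with_special_chars=True):
    """Approximation of the check. By default a field is flagged only when a
    keyword appears together with a special character; with the flag off a
    bare keyword is enough, which is why 'john and mary' becomes a false
    positive in that mode."""
    has_keyword = bool(SQL_KEYWORDS.search(value))
    has_special = bool(SQL_SPECIAL.search(value))
    return has_keyword and (has_special or not only_fields_with_special_chars)


if __name__ == "__main__":
    conn = make_db()
    for value in ("john", "john' OR '1=1' OR 'mary"):
        print(repr(value), "flagged" if looks_like_sqli(value) else "clean")
        print("  vulnerable:", lookup_vulnerable(conn, value))
        print("  safe:      ", lookup_safe(conn, value))
```

The vulnerable query returns every row for the payload because the statement becomes WHERE name = 'john' OR '1=1' OR 'mary', and SQLite treats the text '1=1' as true. The Application Firewall check stops the payload at the edge; the bound parameter is the fix that makes the check a second layer rather than the only one.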

Demonstrating a SQL Injection Attack


Use the following procedure to demonstrate a SQL injection attack:
1. Log in to the Configuration Utility.
2. Disable the SQL Injection security check for AFWeb:
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Select HTML SQL Injection and uncheck Block if checked.
e. Click OK, click Save & Close, then click Done to close the Profile and apply the
changes.
3. Open Firefox or Chrome and browse to http://afweb.training.lab.
4. Click the SQL Injection Demonstration link.
5. Enter each of the following values in the Lookup Value field and click Submit:
• 1001' OR '1=1'
• john' OR '1=1' OR 'mary
• select '
6. Observe the results. Note that none of the queries are blocked.

Demonstrating SQL Injection Protection
Use the following procedure to demonstrate SQL injection protection:
1. Return to the Configuration Utility.
2. Re-enable Block for the SQL Injection security check for AFWeb.
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Select HTML SQL Injection and check Block.
e. Click OK, click Save & Close, then click Done to close the Profile and apply the
changes.
3. Browse to http://afweb.training.lab.
4. Click the SQL Injection Demonstration link.
5. Enter each of the following values in the Lookup Value field and click Submit:
• 1001' OR '1=1'
• john' OR '1=1' OR 'mary
• select '
6. Observe the results. Note that each query is blocked.
7. Return to the Configuration Utility and view the log message.
a. Go to System > Auditing.
b. Click Syslog messages
c. Click Module under Filter By on the right pane.
d. Select APPFW from the Module drop-down list then click Apply.
e. Observe the log messages generated by the Application Firewall.
8. Click Back to close the Syslog Viewer.

Exercise 3-3: Cross-Site Scripting Attacks and Protections


This exercise demonstrates a cross-site scripting attack and the Application Firewall protection
against the attack. Begin by disabling the cross-site scripting protection for AFWeb and
demonstrating a cross-site scripting attack against the unprotected site. Then enable the cross-site
scripting protection for AFWeb and view the results when a cross-site scripting attack is attempted.

Before You Begin


To complete this exercise, you need to have:
• Access to the AFWeb site.

Estimated time to complete this exercise: 10 minutes

Exercise Details
Complete the following tasks:
1. Demonstrate a cross-site scripting attack.
a. Disable cross-site scripting protection for the AFWeb site.
b. Browse to AFWeb Cross-Site Scripting page.
c. Enter the following text in the text field and click Submit:
Joe <script>alert("This is a cross-site script!")</script>
d. Observe the results.
2. Demonstrate cross-site scripting protection.
a. Re-enable cross-site scripting protection for AFWeb.
b. Repeat the cross-site scripting attack.
3. Customize cross-site scripting protection.
a. Modify the cross-site scripting security check for AFWeb to transform cross-site
scripts.
b. Repeat the cross-site scripting attack.
c. Observe the results.

Summary
Cross-site scripting vulnerabilities, in mild cases, can lead to the defacing of a site; in more severe
cases, they let an attacker run script in other users' browsers and harvest session cookies,
credentials, and other identifying information. With the HTML Cross-Site Scripting check enabled, the
Application Firewall blocks requests that carry script, or, with the transform action, neutralizes the
script and lets the request through.

Demonstrating a Cross-Site Scripting Attack


Use the following procedure to demonstrate a cross-site scripting attack:
1. Log in to the Configuration Utility.
2. Disable cross-site scripting protection for AFWeb.
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Select HTML Cross-Site Scripting and clear the Block check box if checked.
e. Click OK, click Save & Close, then click Done to close the Profile and apply the
changes.
3. Browse to http://afweb.training.lab.
4. Click the Cross-Site Scripting (XSS) Demonstration link.
5. Enter the following information into the Enter your user name field and click Submit:
Joe <script>alert("This is a cross-site script!")</script>

</script> should be typed literally, including the angle brackets

6. Observe the results when cross-site scripting protection is disabled.

Demonstrating Cross-Site Scripting Protection


Use the following procedure to re-enable the cross-site scripting security check and to demonstrate
the default protection behavior:
1. Return to the Configuration Utility.
2. Enable cross-site scripting protection for AFWeb.
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Select HTML Cross-Site Scripting and check Block.
e. Click OK, click Save & Close, then click Done to close the Profile and apply the
changes.
3. Browse to http://afweb.training.lab.
4. Click the Cross-Site Scripting (XSS) Demonstration link.
5. Enter the following information into the Enter your user name field:
Joe <script>alert("This is a cross-site script!")</script>
6. Click Submit.
7. Observe the results when cross-site scripting protection is enabled. The page is blocked.
8. Return to the Configuration Utility.
9. Disable cross-site scripting blocking for AFWeb and enable Transform cross-site scripts:
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Select HTML Cross-Site Scripting and click the Action Settings button.
e. Clear the Block check box, and select Transform cross-site scripts.
f. Click OK to close the HTML Cross-Site Scripting Settings dialog box.
g. Click OK, click Save & Close, then click Done to close the Profile and apply the
changes.
10. Return to the AFWeb Cross-Site Scripting Demonstration page.
11. Enter the following information into the text field and click Submit:
Joe <script>alert("This is a cross-site script!")</script>
12. Observe the results. Notice the page was displayed but the script was not executed.
13. In Firefox, go to Tools > Web Developer > Page Source. Note that the angle brackets of the
script tags have been rewritten as the HTML character entities &lt; and &gt;, so the browser
displays the script as text instead of executing it.
14. Return to the Configuration Utility.
15. View the log message:
a. Go to System > Auditing.
b. Click Syslog messages.
c. Click Module under Filter By on the right pane.
d. Select APPFW from the Module drop-down list then click Apply.
e. Observe the log messages generated by the Application Firewall.
16. Click Back to close the Syslog Viewer.
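Added example, not from the workbook or the product: a Python model of the two actions used in this exercise. Block rejects a field carrying the lab payload; transform rewrites the angle brackets as character entities, and an HTML parser standing in for the browser confirms that no script element survives in the rendered page. The signature list and the page template are the example's own.

```python
import re
from html.parser import HTMLParser

LAB_PAYLOAD = 'Joe <script>alert("This is a cross-site script!")</script>'

# A small signature set: any HTML tag, an on* event-handler attribute, or a
# javascript: URL.  The product's signature base is far larger; this is an
# illustration of the check, not its rule set.
XSS_PATTERNS = [
    re.compile(r"<\s*/?\s*[a-z][a-z0-9]*[^>]*>", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]


def is_xss(value):
    return any(p.search(value) for p in XSS_PATTERNS)


def transform(value):
    # The transform action rewrites the angle brackets as HTML character
    # entities, so the text survives but no tag can form.
    return value.replace("<", "&lt;").replace(">", "&gt;")


def check_field(value, action):
    """Apply the HTML Cross-Site Scripting check to one form field.

    action is "block" (reject the request) or "transform" (neutralise the
    field and let the request through).  Returns (allowed, value).
    """
    if not is_xss(value):
        return True, value
    if action == "block":
        return False, None
    return True, transform(value)


def render(user_name):
    # Constructed stand-in for the AFWeb page that echoes the submitted name.
    return "<html><body><p>Hello, %s</p></body></html>" % user_name


class TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def script_tags(document):
    # What a browser would see: the start tags that actually parse out of the page.
    parser = TagCollector()
    parser.feed(document)
    return [t for t in parser.tags if t == "script"]
```

Viewing the page source in step 13 shows the same thing the parser does here: the submitted text is still present, but it is no longer markup.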

Exercise 3-4: Cookie Consistency Protection


This exercise demonstrates a cookie tampering attack and the Application Firewall protection
against this attack. Begin by disabling the cookie consistency protection and perform the cookie
tampering attack. Then re-enable the cookie consistency security check, attempt the attack again,
and observe the results.

Before You Begin


To complete this exercise, you need to have:
• Access to the AFWeb site.
Estimated time to complete this exercise: 10 minutes

Exercise Details
Complete the following tasks:
1. Demonstrate cookie tampering.
a. Disable cookie consistency protection for AFWeb (disabled by default).
b. Browse to the AFWeb Cookie Consistency page.
c. Enter your name in the text field and click Submit to create a browser cookie.
d. Click Modify to modify the cookie on the client side.
e. Observe the results.
2. Demonstrate cookie consistency protection.
a. Enable cookie consistency protection for AFWeb.
b. Return to the AFWeb Cookie Consistency page.
c. Enter your name in the text field and click Submit to create a browser cookie.
d. Click Modify to modify the cookie on the client side.
e. Observe the results.

Summary
By default, with the cookie consistency protection enabled, Application Firewall prevents the client-
side modification of the cookie and can therefore prevent these types of cookie tampering attacks.
Altered cookies are deleted, which results in browsers being redirected to the launch page.
Relaxations for the cookie consistency security check may be required if there are cookies that are
allowed to be modified on the client-side, such as cookies that store user preferences.

Demonstrating Cookie Tampering


Use the following procedure to perform a cookie tampering attack against AFWeb:
1. Log in to the Configuration Utility.
2. Ensure that Cookie Consistency protection is disabled in the AFWeb_Basic profile.
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Select Cookie Consistency and ensure that the Block check box is clear.
e. Click OK, click Save & Close, then click Done to close the Profile and apply the
changes.
3. Clear cookies in Firefox. Go to Tools > Options.
a. Select Privacy and click remove individual cookies.
b. Click Remove All and then Close.
c. Close the browser tab to close Firefox Options.
4. Browse to http://afweb.training.lab.
5. Click the Cookie Consistency Demonstration link.
6. Type your name in the What is your Name? field and click Submit. The web server sets a
cookie indicating your name.
7. Click Modify to modify the cookie on the client side. The modified cookie is displayed. Your
name has been changed to Modified by Client!.

Configuring and Demonstrating the Cookie Consistency Security Check

Use the following procedure to enable the cookie consistency security check and repeat the cookie
tampering attack against AFWeb:
1. Log on to the Configuration Utility.
2. Enable Cookie Consistency protection in the AFWeb_Basic profile.
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Select Cookie Consistency and check Block, Log, and Stats.
e. Click OK, click Save & Close, then click Done to close the Profile and apply the
changes.
3. Switch to Firefox and clear all cookies.
a. Go to Tools > Options.
b. Select Privacy and click remove individual cookies.
c. Click Remove All and then Close.

Deleting the cookies will also log you out of your NetScaler session, requiring
you to log in again. This behavior is expected, as NetScaler uses cookies.

d. Close the browser tab to close Firefox Options.


4. Browse to http://afweb.training.lab.
5. Click the Cookie Consistency Demonstration link.
6. Enter your name in the What is your Name? field and click Submit. The web server sets a
cookie indicating your name.
7. Click Modify to modify the cookie on the client side. The modified cookie is blocked and you
are returned to the initial page with the field asking What is your Name?.
8. View the log message:
a. Go to System > Auditing.
b. Click Syslog messages.
c. Click Module under Filter By on the right pane.
d. Select APPFW from the Module drop-down list then click Apply.
e. Observe the log messages generated by the Application Firewall.
9. Click Back to close the Syslog Viewer.
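Added example (the workbook contains no code, and this is not the product's implementation): a simplified cookie consistency check in Python. It records the cookies the server sets for each client session and flags a later request whose cookie differs, as happens when Modify rewrites the cookie to Modified by Client!, while a relaxation lets a named cookie change freely. The opaque session id and the cookie parsing are the example's own simplification of the Application Firewall's session tracking.

```python
LAB_TAMPERED_VALUE = "Modified by Client!"


def parse_cookie_header(header):
    """'name=Alice; sid=42' -> {'name': 'Alice', 'sid': '42'}"""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def parse_set_cookie(header):
    """'name=Alice; Path=/' -> ('name', 'Alice'); attributes are ignored."""
    pair = header.split(";", 1)[0]
    name, value = pair.split("=", 1)
    return name.strip(), value.strip()


class CookieConsistency:
    """Remember which cookies the server set for each client session and
    reject requests whose cookies no longer match.  Sessions are keyed by
    an opaque session id standing in for the Application Firewall's own
    session cookie (a simplification made for this example)."""

    def __init__(self, relaxations=()):
        self.expected = {}                    # session id -> {cookie name: value}
        self.relaxations = set(relaxations)   # cookies the client may change

    def observe_response(self, session_id, set_cookie_headers):
        known = self.expected.setdefault(session_id, {})
        for header in set_cookie_headers:
            name, value = parse_set_cookie(header)
            known[name] = value

    def check_request(self, session_id, cookie_header):
        """Return the list of violations; an empty list means the request passes."""
        known = self.expected.get(session_id, {})
        violations = []
        for name, value in parse_cookie_header(cookie_header).items():
            if name in self.relaxations:
                continue
            if name not in known:
                violations.append("cookie %s was not set by the server" % name)
            elif known[name] != value:
                violations.append("cookie %s changed from %r to %r"
                                  % (name, known[name], value))
        return violations
```

The relaxation branch is the case the Summary mentions: a preference cookie the application expects the browser to rewrite must be relaxed, or every legitimate change is logged and blocked.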

Exercise 3-5: Configuring Form Field Consistency Protection
This exercise demonstrates a Form Field manipulation attack and how the Application Firewall
Form Field consistency security check protects against the attack.
Begin this exercise with the Form Field consistency security check for AFWeb already disabled.
Demonstrate a Form Field consistency exploit by modifying the field value. Then enable the Form
Field consistency security check and repeat the attack; observe how the Application Firewall
protects against the attack.

Before You Begin


To complete this exercise, you need to have:
• Access to the AFWeb site.
• Access to Paros.
Estimated time to complete this exercise: 20 minutes

Exercise Details
Complete the following tasks:
1. Demonstrate a Form Field manipulation attack.
a. Configure Paros as a proxy server.
b. Verify that the Form Field consistency security check is disabled for AFWeb.
c. Browse to the AFWeb Form Field Consistency page.
d. Use Paros to modify the Form Field data and submit a different account: submit an
existing account, then use Paros to modify the trapped page before the account is submitted
so that a different account type can be requested.
2. Demonstrate Form Field consistency protection.
a. Restore the Application Firewall protection for AFWeb by enabling the Form Field
Consistency security check.
b. Repeat the Form Field manipulation attack using Paros.
c. Observe the Application Firewall protection against Form Field manipulation.

Summary
Form Field manipulation can be performed during the request or the response. With the Form
Field Consistency security check enabled, Application Firewall can prevent manipulation of Form
Field data.

Configuring Paros for Use as a Proxy


For this lab, you will need to configure the Firefox web browser to use Paros as a proxy in
order to capture requests prior to beginning the attack and protection demonstrations.

Use the following procedure to configure Firefox and Paros for this exercise:
1. Launch Firefox.
2. Go to Tools > Options within Firefox.
3. Click Advanced.
4. Select the Network tab and click Settings.
5. Set the following information in the Connection Settings window:
a. Select Manual proxy configuration.
b. Set HTTP Proxy and port to 127.0.0.1 and 8085.
c. Set SSL Proxy and port to 127.0.0.1 and 8085.
d. Clear the field for No Proxy for: so that it is blank.
e. Click OK to apply the settings.
f. Close the browser tab to close Firefox Options.
6. Launch Paros 3.2.13 using the shortcut on the desktop.

If you receive an error message when launching Paros, select Fix it and then retry.

7. Go to Tools > Options within Paros.
8. Select Local proxy in the Options window.
a. Verify that the address is set to localhost.
b. Verify that the port is set to 8085.
c. The Paros local proxy settings must match the settings configured in Firefox in Step 5.
9. Click OK to close the Options window.
10. Resize the Paros window and arrange the windows so that you can access both the Firefox
browser and the Paros window while the configuration is tested.
11. Click the Trap tab in Paros.
12. In Firefox, browse to http://afweb.training.lab.
13. Return to Paros and verify that the request to AFWeb is displayed in the bottom pane.
14. Keep Paros and AFWeb open and arrange the screen so that you can see both windows
simultaneously.

Demonstrating a Form Field Manipulation Attack


Use the following procedure to perform a Form Field manipulation attack against AFWeb.
1. Ensure that Paros is running.
2. In Firefox, browse to http://afweb.training.lab.
3. Click the Form Field Demonstration link.
4. Switch to Paros Proxy.
5. Select the Trap tab and check Trap Response in Paros.
6. Type an email address in the Enter your email address field, select Standard Checking from
the Choose an account type drop-down list box, and click Submit.
7. Return to Paros and view the response page code. In the body section of the trapped response,
replace all instances of the string Standard Checking with No Fee Checking.
8. Uncheck Trap Response and click Continue.
9. Return to Firefox.
10. Select No Fee Checking from the Choose an account type drop-down list box and click
Submit.
11. Notice that the Form Field tampering attack was successful.

Demonstrating Form Field Consistency Protection


Use the following procedure to enable the Form Field Consistency security check to block a Form
Field manipulation attack.
1. Return to the Configuration Utility.
2. Enable the Form Field Consistency security check for AFWeb.
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Click Form Field Consistency and select the Block, Log, and Stats check boxes.
e. Click OK, click Save & Close, then click Done to close the Profile and apply the
changes.
3. Ensure that Paros is running.
4. In Firefox, browse to http://afweb.training.lab.
5. Click the Form Field Demonstration link.
6. Switch to Paros Proxy.
7. Select the Trap tab and select the Trap Response check box in Paros.
8. Type an email address in the Enter your email address field and select Standard Checking
from the Choose an account type: drop-down list box. Click Submit.
9. Return to Paros and view the response page code. In the body section of the trapped response,
replace all instances of the string Standard Checking with No Fee Checking.
10. Clear the Trap Response check box and click Continue.
11. Return to Firefox.
12. Select No Fee Checking from the Choose an account type drop-down list box and click
Submit.
13. Observe how the Application Firewall blocks a Form Field manipulation attack.
14. Return to the Configuration Utility and view the log message.
a. Go to System > Auditing.
b. Click Syslog messages.
c. Click Module under Filter By on the right pane.
d. Select APPFW from the Module drop-down list then click Apply.
e. Observe the log messages generated by the Application Firewall.
15. Click Back to close the Syslog Viewer.
16. Disable the proxy setting in Firefox:
a. Go to Tools > Options > Advanced.
b. Click the Network tab.
c. Click Settings.
d. Select No Proxy.
e. Click OK and close the Firefox Options window.
17. Close Paros.
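Added example, not lab or product code: a Python model of Form Field Consistency. The server's form (a constructed stand-in for the AFWeb account page) is recorded as it leaves the server, before any proxy can edit it, so the option injected into the response by the Paros edit above is not among the offered values and the submission is rejected. Hidden-field changes and fields the form never contained are rejected the same way.

```python
from html.parser import HTMLParser

# Constructed stand-in for the AFWeb account form as the server sends it.
# The lab's attack edits this response in the proxy so the browser offers
# "No Fee Checking", an option the server never presented.
SERVER_FORM = """
<form action="/account" method="post">
  <input type="hidden" name="form_id" value="open-account">
  <input type="text" name="email">
  <select name="account_type">
    <option value="Standard Checking">Standard Checking</option>
    <option value="Premium Checking">Premium Checking</option>
  </select>
  <input type="submit" value="Submit">
</form>
"""


class FormRecorder(HTMLParser):
    """Record every field the server offered: hidden values, select
    options, and the set of field names."""

    def __init__(self):
        super().__init__()
        self.fields = {}       # name -> {"hidden": value} | {"options": [...]} | {}
        self._select = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            entry = self.fields.setdefault(a["name"], {})
            if a.get("type") == "hidden":
                entry["hidden"] = a.get("value", "")
        elif tag == "select" and a.get("name"):
            self._select = a["name"]
            self.fields.setdefault(self._select, {})["options"] = []
        elif tag == "option" and self._select:
            self.fields[self._select]["options"].append(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None


def record_form(html):
    rec = FormRecorder()
    rec.feed(html)
    return rec.fields


def check_submission(recorded, posted):
    """Form Field Consistency: compare the POSTed fields with what the
    server offered.  Returns violations; an empty list means the request passes."""
    violations = []
    for name, value in posted.items():
        if name not in recorded:
            violations.append("field %s was not in the form" % name)
            continue
        spec = recorded[name]
        if "hidden" in spec and spec["hidden"] != value:
            violations.append("hidden field %s changed to %r" % (name, value))
        if "options" in spec and value not in spec["options"]:
            violations.append("field %s submitted %r, not an offered option" % (name, value))
    return violations
```

The free-text email field carries no constraint here: the check is about the shape of the form, and the content of free-text fields is left to the other security checks.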

Exercise 3-6: Configuring Start URL Security Checks
This exercise demonstrates how to configure and use start URL and deny URL security checks to
allow and prevent access to specific sites or parts of sites.
Begin by enabling the Block action for the start URL security check with only the site root
allowed, then browse to other pages and observe which requests are blocked. Finally, configure
additional start URLs to permit access to the allowed areas of the site; deny URLs are the
complementary control for restricting access to sensitive areas of the site.

Before You Begin


To complete this exercise, you need to have:
• Completed the configuration of the load balancing virtual server AFWeb.
• Created the AFWeb_Basic profile and the corresponding policy.
Estimated time to complete this exercise: 10 minutes

Exercise Details
Complete the following tasks:
1. Configure Start URLs for AFWeb:
a. Browse to the AFWeb site.
b. Modify the AFWeb profile and update the Start URLs to allow access to the AFWeb
site and to the links on the page.
c. Create a Start URL to allow access to the Start URL Demonstration page.
d. Test to verify that the AFWeb site and the Start URL Demonstration page are now
allowed.

Summary
Start and deny URLs allow administrators to define a list of allowed URLs and a list of prohibited
URLs (or patterns). These lists give administrators granular control over access to various sites
within the application.
Depending on the requirements of the application, an administrator may need to configure start
URLs to allow access to the necessary parts of the web site and to configure deny URLs to prevent
access to sensitive areas of the web site. Used together, start URL and deny URL settings can be
used to provide protection against forceful browsing and parameter manipulation attacks. These
settings prevent violations due to poor administrative configuration of a site by controlling which
areas of a site a user may or may not access.
The basic profile includes a default start URL setting that allows common web extensions and web
server settings. The advanced profile settings, which do not include any default start URLs, will be
explored in later exercises.
Both basic and advanced profiles include a list of available deny URL regular expressions by default,
but the deny URLs are not enabled.

Demonstrating Start URLs for AFWeb


Use the following procedure to configure start URLs for AFWeb:
1. Go to Security > Application Firewall > Profiles.
2. Select the AFWeb_Basic profile and click Edit.
3. Click the Security Checks node on the right pane.
4. Select the Start URL security check and click the Action Settings button.
5. Enable the Block action for the Start URL security check then click OK.
6. Select the Relaxation Rules node then highlight Start URL on the left and click the Edit Icon
to the right.
7. Click Add.
8. Create a Start URL for the AFWeb site: ^http://afweb\.training\.lab/$
9. Select the Enabled check box and click Create for the Start URL Relaxation Rule.
10. Click Close and then click Done.
11. Browse to http://afweb.training.lab.
12. Attempt to view the Start URL demo page: click the Use Start URLs to allow this page link. The
page is blocked; note the URL of the page that is displayed: http://afweb.training.lab/blocked.htm.
13. Test other links on the AFWeb site.
• What is different between these URLs and the Start URL demo page?
• Why are the Start URL demo and the Buffer Overflow pages blocked?
14. Go to Security > Application Firewall > Profiles.
a. Select the AFWeb_Basic profile and click Edit.
b. Click the Relaxation Rules node on the right pane.
c. Select Start URL and click Edit.
15. Create a new Start URL to allow the Start URL demo page. Using the existing Start URLs as an
example, create a regular expression to allow the .demo extension or to specifically allow the
allow.demo page:
a. Click Add, type ^[^?]+[.]demo$ and click Create.
b. Click Add, type /allow[.]demo and click Create.
c. Click Add, type ^http://afweb\.training\.lab/allow\.demo$ and click
Create.
d. Click Close. Click Done to save the profile changes.
16. Browse to http://afweb.training.lab. Click the Use Start URLs to allow this page.
Verify that the page is now allowed.
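Added example, not part of the workbook: evaluating the four Start URL relaxations entered above against requests in Python. It answers the questions in step 13 (the home page matches the first rule, the .demo page matches none of the defaults) and shows why the anchored, host-specific form is the safest: the unanchored /allow[.]demo also admits other hosts, deeper paths, and query strings. The deny URL is a constructed illustration, and Python's re stands in for the appliance's regex engine, which is equivalent for these patterns.

```python
import re

# The four Start URL relaxations entered in this exercise, in order.
LAB_START_URLS = [
    r"^http://afweb\.training\.lab/$",
    r"^[^?]+[.]demo$",
    r"/allow[.]demo",
    r"^http://afweb\.training\.lab/allow\.demo$",
]

# A constructed deny URL for illustration; the profile's default deny list
# is not reproduced here.
EXAMPLE_DENY_URLS = [r"^[^?]*/admin/"]


def evaluate(url, start_urls, deny_urls=()):
    """Return (allowed, reason).  A deny URL match wins outright; otherwise
    the request must match at least one start URL.  Patterns are searched,
    not anchored, so an unanchored relaxation matches anywhere in the URL."""
    for pattern in deny_urls:
        if re.search(pattern, url):
            return False, "deny URL " + pattern
    for pattern in start_urls:
        if re.search(pattern, url):
            return True, "start URL " + pattern
    return False, "no start URL matched"


def first_match(url, start_urls):
    """Which relaxation admitted the request; None when it was blocked."""
    allowed, reason = evaluate(url, start_urls)
    return reason[len("start URL "):] if allowed else None
```

Reading the reason string in the log is the quickest way to find which relaxation let a surprising request through.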

Exercise 3-7: Demonstrating Safe Objects


This exercise demonstrates the configuration of safe objects (custom objects defined by regular
expressions), and the configuration of the Application Firewall protections for each safe object. Safe
objects allow administrators to identify additional information that needs to be protected, as well as
to control the type of protection that is applied against the object.
Begin this exercise by viewing the safe objects demonstration page within AFWeb and then define
safe objects for the data that is displayed. Next, test the safe object security check and view
protection options for block, X-Out and Remove.

Before You Begin
To complete this exercise, you need to have:
• Access to the AFWeb site.
Estimated time to complete this exercise: 15 minutes

Exercise Details
Complete the following tasks:
1. Browse to the AFWeb Safe Objects Demonstration page.
2. Enable and configure the safe object security check for AFWeb.
a. Define a safe object that matches the US Phone Number format displayed.
b. Define a safe object that matches the US SSN format displayed.
3. Test the safe object effects on the demo site using the following protection settings:
a. X-Out and Statistics enabled.
b. Remove enabled.
c. Block enabled.

Summary
The definition of safe objects allows administrators to extend the protection capabilities of the
Application Firewall to meet custom requirements. The safe objects security check allows
Application Firewall administrators to define custom patterns that the Application Firewall should
protect. The administrators can then customize the protection action that is taken, such as Block,
X-Out or Remove. The safe objects security check functions as a collection of custom security
checks because the protection options can be configured independently for each safe object.

Demonstrating Safe Objects


Use the following procedure to demonstrate safe objects:
1. Browse to http://afweb.training.lab.
2. Click the Safe Object Demonstration link. View the data that is presented for US Social
Security Numbers and US Phone Numbers.
3. Open the AFWeb_Basic profile from the Configuration Utility:
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Relaxation Rules node on the right pane.
d. Select Safe Object and click Edit.
4. Click Add.
5. Create a Safe Object for US Social Security Numbers:
a. Ensure that Enabled is selected.
b. Set Safe Object Name to US SSN.
c. Check Log, X-Out, and Stats under Actions. Leave the other Actions unchecked.
d. Create a regular expression that matches the Social Security Number format displayed
in the AFWeb > Safe Object Demonstration Page.

\d{3}-\d{2}-\d{4}
e. Set the Maximum Match Length based on the US SSN format: 11.
6. Click Create.
7. Create a Safe Object for US Phone Numbers:
a. Click Add.
b. Check Enabled.
c. Set Safe Object Name to US Phone Numbers.
d. Check Log, X-Out, and Stats under Actions. Leave the other Actions unchecked.
e. Create a regular expression that matches the phone number format displayed in the
AFWeb > Safe Object Demonstration Page.

\d{3}-\d{3}-\d{4}
f. Set the Maximum Match Length based on the phone number format: 12.
8. Click Create and then click Close to close the Relaxation Rules window.
9. Click Done to close the profile.

10. Browse to http://afweb.training.lab.
11. Click the Safe Object Demonstration link. View the results and the effects of the protection.
Note that the numbers have been replaced by X's.

Refresh or clear the browser cache if necessary.

12. Open the AFWeb_Basic profile from the Configuration Utility:
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Relaxation Rules node.
d. Select Safe Object and click Edit.
13. Select the US SSN Safe Object check. Click Edit.
a. Uncheck X-Out.
b. Check Remove.
14. Click OK to close the Safe Object and then Close to close the Safe Object Rules window.
15. Click Done to close the profile.
16. Browse to http://afweb.training.lab.
17. Click the Safe Object Demonstration link. View the results and the effects of the protection.
Note that the Social Security numbers have been removed.
18. Open the AFWeb_Basic profile from the Configuration Utility:
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Relaxation Rules node.
d. Select Safe Object and click Edit.
19. Select the US SSN Safe Object check. Click Edit.
a. Uncheck Remove.
b. Check Block.
20. Click OK to close the Safe Object and then Close to close the Safe Object Rules window.
21. Click Done to close the profile.
22. Browse to http://afweb.training.lab.
23. Click the Safe Object Demonstration link. View the results and the effects of the protection.
Note that the TCP connection was reset and the page was not displayed.
24. View the log message from the Configuration Utility:
a. Go to System > Auditing.
b. Click Syslog messages.
c. Click Module under Filter By on the right pane, select APPFW from the Module drop-down list,
then click Apply.
d. Observe the log messages generated by the Application Firewall.
25. Click Back to close the Syslog Viewer.

Exercise 3-8: Configuring Credit Card Protection


This exercise demonstrates the Application Firewall protection to prevent the unnecessary exposure
of credit card numbers when a numeric string matching a credit card number format is displayed.
Begin by exploiting previous vulnerabilities in AFWeb to expose credit card numbers. Then, enable
the Application Firewall protection for credit card numbers for AFWeb and view the various
protection methods available for hiding credit card numbers.

Before You Begin


To complete this exercise, you need to have:
• Access to AFWeb site.
Estimated time to complete this exercise: 10 minutes

Exercise Details
Complete the following tasks:
1. Demonstrate credit card data vulnerability.
a. Disable credit card protection for AFWeb.
b. Browse to the AFWeb site and click the Credit Card Demonstration link.
c. Observe the data displayed.
2. Demonstrate credit card data protection.
a. Enable credit card protection for AFWeb.
• Disable Blocking.
• Enable X-Out.
• Enable Statistics.
• Enable Log.
b. Refresh the AFWeb Credit Card page.
c. Observe the data displayed.

Summary
The Application Firewall has pre-defined protections for securing credit card numbers for multiple
credit card companies. These pre-defined protections allow the Application Firewall security check
to identify valid credit card numbers that meet a specific card vendor's format and checksum. Once
the security check is enabled for a given card type (or for all card types), an administrator may
configure the response of the Application Firewall to block access to the page containing the
numbers, X out the credit card numbers, or remove the credit card numbers from the display.

Demonstrating Credit Card Vulnerability


Use the following procedure to demonstrate credit card vulnerability:
1. Log in to the Configuration Utility.
2. Modify the AFWeb_Basic profile:
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Select Credit Card and ensure Block is unchecked.
e. Click OK, click Save & Close, then click Done to close the Profile and apply the
changes.
3. Browse to http://afweb.training.lab.
4. Click the Credit Card Demonstration link. Note the credit card numbers displayed.

Demonstrating Credit Card Protection


Use the following procedure to demonstrate credit card protection:
1. Open the AFWeb_Basic profile from the Configuration Utility:
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Select Credit Card and click the Action Settings button.
2. Select Visa under Protected Credit Card.
3. Under Actions, select Log, X-Out, and Stats. Ensure the Maximum credit cards allowed per
page is set to 0.
4. Click OK.
5. Click OK, click Save & Close, then click Done to close the Profile and apply the changes.
6. Browse to http://afweb.training.lab.

7. Click the Credit Card Demonstration link. Notice that the credit card numbers have been X-ed
out.
Numbers that are not X-ed out are not valid credit card numbers (due to bad checksums or
other format inconsistencies).
8. View the log message:
a. Go to System > Auditing.
b. Click Syslog messages.
c. Click Module under Filter By on the right pane.
d. Select APPFW from the Module drop-down list then click Apply.
e. Observe the log messages generated by the Application Firewall.
9. Click Back to close the Syslog Viewer.
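Added example serving both Exercise 3-7 and this exercise (not workbook or product code): a Python model of the three response-side actions. Safe objects use the lab's regular expressions and maximum match lengths; the credit card check applies the Luhn checksum to numbers in an assumed Visa format (a leading 4 followed by 12 or 15 more digits), so a number with a bad checksum is left alone, as step 7 describes, and a number of another card type is ignored when only Visa is protected. The sample body and the masking style (every digit of a safe object match, all but the last four digits of a card) are the example's own choices.

```python
import re
from dataclasses import dataclass


@dataclass
class SafeObject:
    name: str
    pattern: str
    max_match_length: int
    action: str            # "xout", "remove" or "block"


# The two safe objects from Exercise 3-7, with the lab's regexes and lengths.
LAB_SAFE_OBJECTS = [
    SafeObject("US SSN", r"\d{3}-\d{2}-\d{4}", 11, "xout"),
    SafeObject("US Phone Numbers", r"\d{3}-\d{3}-\d{4}", 12, "xout"),
]

# Constructed response body; the card numbers are the usual test numbers.
SAMPLE_BODY = ("Customer SSN 123-45-6789, phone 555-123-4567\n"
               "Visa 4111111111111111 (valid)\n"
               "Visa 4111111111111112 (bad checksum)\n"
               "MasterCard 5555555555554444 (not a protected card type)\n")


def apply_safe_objects(body, safe_objects):
    """Return the rewritten body, or None when a safe object with the block
    action matched (the lab shows this as a reset connection and no page)."""
    for so in safe_objects:
        # Matches longer than the configured maximum are ignored: the length
        # bounds how much text a loose regular expression may swallow.
        hits = [m for m in re.finditer(so.pattern, body)
                if len(m.group()) <= so.max_match_length]
        if not hits:
            continue
        if so.action == "block":
            return None
        for m in reversed(hits):        # right to left keeps earlier offsets valid
            repl = re.sub(r"\d", "X", m.group()) if so.action == "xout" else ""
            body = body[:m.start()] + repl + body[m.end():]
    return body


def luhn_ok(number):
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Assumed Visa format: leading 4, then 12 or 15 more digits, not embedded in
# a longer digit run.
VISA = re.compile(r"(?<!\d)4\d{12}(?:\d{3})?(?!\d)")


def apply_credit_card_check(body, action, max_cards_per_page=0):
    """Mask, remove or block Luhn-valid Visa numbers.  With the lab's setting
    of 0 cards per page, a single number is enough to trigger the action."""
    cards = [m for m in VISA.finditer(body) if luhn_ok(m.group())]
    if len(cards) <= max_cards_per_page:
        return body
    if action == "block":
        return None
    for m in reversed(cards):
        number = m.group()
        # This example keeps the final group of four digits readable when masking.
        repl = ("X" * (len(number) - 4) + number[-4:]) if action == "xout" else ""
        body = body[:m.start()] + repl + body[m.end():]
    return body
```

Running the safe object pass and the credit card pass over the same body reproduces the three results seen in the exercises: X's in place of the numbers, the numbers gone, or no page at all.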

Exercise 3-9: Learning


This exercise demonstrates the learning capabilities of Application Firewall using start URLs.
For this exercise, begin by deleting all configured allowed start URLs for AFWeb (which will block
all requests to AFWeb by default). Then, configure the learning settings for start URLs. Finally,
several start URLs will be deployed based on the learned rules.

Before You Begin


To complete this exercise, you will need to have:
• Access to the AFWeb site.
Estimated time to complete this exercise: 20 minutes

Exercise Details
Complete the following tasks:
1. Delete existing start URLs for the AFWeb profile.
2. Configure the learning thresholds for start URLs:
a. Minimum number of sessions for learning: 1
b. Percentage of sessions URL has been seen: 0
3. Modify the start URL security check:
a. Disable Blocking.
b. Verify that Learning is enabled.
4. Generate and deploy learned rules:
a. Close all open internet browser instances and open a new instance. Clear the cache.
Browse to the AFWeb site.
b. Return to the NetScaler Configuration Utility. Open the AFWeb profile and view the
learned rules generated from a single link.
c. Return to the browser and click on each of the AFWeb links.
d. Return to the AFWeb profile and view the learned rules on the Simple tab. Explore
the generalized results. Vary the number of generalized rules to generate from 8, 5 and
3.
Compare your start URLs for the AFWeb profiles against the rule included in the exercise.

Summary
Learning allows an administrator to gather information about the type of requests being made to an
application and to determine the frequency of the request. An administrator can use the learning
results to identify behavior that should be prevented using Application Firewall, as well as behavior
that should be allowed and may require a relaxation for a specific security check.
In this module, learning features are demonstrated for the start URL security check only. However,
learning is available for multiple security checks and suggested rules may be viewed, edited, and
deployed as necessary.

Configuring Learning
Use the following procedure to configure the Learning settings for the Start URL. The learning
thresholds will be set to low values to accommodate the abbreviated test by a single user.
1. Log in to the Configuration Utility.
2. Modify the AFWeb_Basic profile:
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Security Checks node on the right pane.
d. Select Start URL, deselect Block and check Learn.
e. Click OK then click Save & Close.
3. Click the Relaxation Rules node on the right pane.
4. Click Edit on the Start URL Relaxation Rule.
5. Under the Start URL Relaxation Rules tab, select each Start URL entry in turn and click
Delete to remove them one at a time.
6. Click Yes.
7. Click Close.
8. Click the Learned Rules node on the right pane and ensure Start URL is selected, then click
Settings.

9. Ensure that the Start URLs learning thresholds are configured as follows:
• Minimum number of sessions for learning : 1
• Percentage of sessions URL has been seen : 0
10. Click OK.
11. Click Edit. Ensure that there are no entries in the learned rule list then click Close.
12. If there are learned rules present, click the Remove All Learned Data button to remove all
rules.
13. Click OK, click Save & Close, then click Done to close the Profile and apply the changes.

Generating and Deploying Learned Data


Use the following procedure to access AFWeb and to generate rules from learned data.
1. Close all open instances of Firefox. Open Firefox and clear the cached data. Go to Tools >
Options. Click the Advanced node, then click the Network tab and click Clear Now next to
Cached Web Content.
2. In Firefox, browse to http://afweb.training.lab.
3. Click on each link on the AFWeb home page.
4. Log in to the Configuration Utility.
5. View the Learned rules:
a. Go to Security > Application Firewall > Profiles.
b. Select AFWeb_Basic and click Edit.
c. Click the Learned Rules node.
d. Select Start URL and click Edit.
6. Examine the rules in the list.
7. Click Close.
8. Click Visualizer.
9. Examine the contents of the visualizer.
10. Click X to close the Visualizer.
11. Click Edit, select all of the learned rules in the list and click Deploy.
12. Click Yes to deploy the Learned Rules.
13. Click Close.
14. Notice that the Learned Rules have been deployed.
15. Click OK, click Save & Close, then click Done to close the Profile and apply the changes.

60 Module 3: Attacks and Protections © Copyright 2016 Citrix Systems, Inc.


4
Module 4

Application Firewall
Troubleshooting
62 © Copyright 2016 Citrix Systems, Inc.
Application Firewall Troubleshooting
Exercises
Exercise 4-1: Viewing NetScaler Log Files
View the NetScaler syslog file (ns.log) using both the Configuration Utility and the command-line
interface. Filter the log file for Application Firewall events. View the contents of the log file and
determine how to use the log for troubleshooting Application Firewall configuration issues.

Before You Begin


Before you begin, you must access the lab environment and ensure that all virtual machines are
started.
To access the environment and start the virtual machines, complete the following steps:
To complete this exercise, you need to have:
• Access to the Configuration Utility and command-line interface.
• Access to the AFWeb site.
• The completed configurations of the Application Firewall profile, policy and basic security
checks.
Estimated time to complete this exercise: 15 minutes

Exercise Details
Complete the following tasks:
1. View NetScaler log files using the Configuration Utility:
a. Log in to the Configuration Utility.
b. Go to System > Auditing. Click Recent audit messages, then click Run and look
for any Application Firewall related events.
c. Click Close, then click Close again to exit.
d. Go to System > Auditing. Use the Syslog viewer to view historical audit messages.
e. View the current log file and look for Application Firewall-related messages.
f. Use the Filter Messages option and filter the log for AppFW, block and AFWeb.
Observe the results for each filter option.
g. View a previous log file by selecting the Attack/Protections day of the lab.
2. View NetScaler log files using the command-line interface:
a. Log in to the command-line interface using PuTTY.
b. Go to the NetScaler shell and then browse to the /var/log directory.
c. Use more to view the contents of the complete ns.log file; filter using grep on topics
such as appfw and blocked. (Use grep -i string for a case-insensitive search.)
d. Use tail to view most recent contents of the ns.log file. Filter the results using grep
with appfw and blocked.
e. Use the tail -f command and use the log file to monitor live activity.

Summary
The NetScaler log file (ns.log) records any changes to the NetScaler configuration as well as various
alert messages. The NetScaler log may be viewed using tools in both the Configuration Utility and
in the command-line interface.

Viewing NetScaler Log Files Using the Configuration Utility


Use the following procedure to view NetScaler Log files:
1. Go to System > Auditing.
2. Click Recent audit messages. This view shows the most recent messages in the audit log.
Depending on your most recent activity, it may or may not display information related to the
Application Firewall (AppFw) features. If no Application Firewall events are displayed, enter
80 in the Number of Audit Messages to be shown field and click Run.
3. Click Close, then Close again to close the Audit Messages window.
4. Go to System > Auditing.
5. Click Syslog messages to view the Historical Audit Messages.
6. View the current log file (default) within the Syslog Viewer. This log file is /var/log/ns.log.
7. Click Module under Filter By on the right pane.
8. Select APPFW from the Module drop-down list then click Apply.
9. Use the Filter By section to filter the log display:
a. Select the Search field in the left pane.
b. Set the search string to .demo and click Go to filter the results. Examine the results.
c. Set the search string to US SSN and click Go to filter. Examine the results.
10. Click Clear on the right pane to the right of Filter By to restore the full log view under Syslog
Viewer.
11. View a previous log file. Within the Choose Log section:
a. Leave Log Directory set to the default value: /var/log.
b. Click below the File field and choose ns.log.1.gz.

The NetScaler syslog file (ns.log) rolls over periodically. Previous logs may be viewed
using this method.

Viewing the NetScaler Log Files Using the Command-Line Interface

Use the following procedure to view the NetScaler log files:
1. Log in to the command-line interface:
a. Open PuTTY from the student desktop.
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open.
d. Type nsroot as the username and nsroot as the password.
2. Go to the NetScaler shell:
shell
3. Go to the /var/log directory and display the results:
cd /var/log
ls
4. View the contents of the ns.log file; use grep to filter output:
more /var/log/ns.log
more /var/log/ns.log | grep appfw -i
more /var/log/ns.log | grep blocked -i

If you do not have any Application Firewall events in the current ns.log file, then use zcat to
view past log files without having to decompress them. Specify a ns.log.#.gz from an
appropriate date and time period. Replace the # with the number of the file.

zcat /var/log/ns.log.#.gz
zcat /var/log/ns.log.#.gz | grep APPFW
zcat /var/log/ns.log.#.gz | grep blocked -i

grep filters the output and returns only the lines from the log file containing the specified
string. Using the -i parameter with grep results in a case-insensitive search; it is not
required, but it may be useful.
Filtering the log using grep at the command line returns log entries with the search string
appearing anywhere in the log event, not just in the Messages field.

5. Use the tail command to view most recent logged events:
tail /var/log/ns.log
tail /var/log/ns.log | grep appfw -i
tail /var/log/ns.log | grep blocked -i
6. Use the tail command and zcat to filter an archived syslog file (optional):
zcat /var/log/ns.log.#.gz | grep APPFW
7. Use the log file to monitor live activity:
tail -f /var/log/ns.log | grep appfw -i
Or filter specifically for blocked events:
tail -f /var/log/ns.log | grep block -i
The -f option for the tail command keeps the file open and continues to output new events to
the screen.
8. Open Firefox and browse to http://afweb.training.lab.
9. Click the SQL Injection Demonstration link.
10. Enter 1001' OR '1=1 in the Lookup Value field and click Submit.
11. View the resulting APPFW SQL message in the shell session.
12. Exit the NetScaler shell:
exit
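The grep pipelines above answer one question at a time (is there an APPFW event? was it blocked?). The following Python script is an added example, not part of the Citrix workbook or of NetScaler, that applies the same case-insensitive filtering to a set of constructed ns.log lines and then groups the Application Firewall events by security check, client address and outcome, which is the view an administrator needs before deciding whether a block was a true positive or needs a relaxation rule. The sample lines approximate the APPFW syslog layout (check name, message id, client IP, profile, URL, message, blocked/not blocked); the exact column layout, the AFWeb_Basic profile lines and the 192.168.20.50 client are constructed for this sample.

```python
"""Added example, not from the Citrix workbook: triage Application Firewall
events in ns.log the way the grep pipeline in the exercise does, but with the
result grouped so the administrator can see which check fired, from which
client, against which URL, and whether the request was actually blocked.

SAMPLE_LOG is constructed to approximate NetScaler's APPFW syslog layout
(... APPFW <check> <id> <severity> : <client ip> <id>-PPE0 - <profile> <url>
<message> <blocked|not blocked>); the exact column layout is an assumption.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Aug 10 10:15:30 <local0.info> 192.168.30.105 08/10/2016:10:15:30 GMT ns 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 100 0 : SPCBId 1 - ClientIP 192.168.30.30
Aug 10 10:15:32 <local0.info> 192.168.30.105 08/10/2016:10:15:32 GMT ns 0-PPE-0 : default APPFW APPFW_SQL 101 0 : 192.168.30.30 101-PPE0 - AFWeb_Basic http://afweb.training.lab/sqlinjection.demo Field lookup SQL Keyword check failed <blocked>
Aug 10 10:15:40 <local0.info> 192.168.30.105 08/10/2016:10:15:40 GMT ns 0-PPE-0 : default APPFW APPFW_STARTURL 102 0 : 192.168.30.30 102-PPE0 - AFWeb_Basic http://afweb.training.lab/secret.demo Disallow Illegal URL <blocked>
Aug 10 10:15:41 <local0.info> 192.168.30.105 08/10/2016:10:15:41 GMT ns 0-PPE-0 : default APPFW APPFW_STARTURL 103 0 : 192.168.30.30 103-PPE0 - AFWeb_Basic http://afweb.training.lab/allow.demo Disallow Illegal URL <not blocked>
Aug 10 10:15:55 <local0.info> 192.168.30.105 08/10/2016:10:15:55 GMT ns 0-PPE-0 : default APPFW APPFW_SQL 104 0 : 192.168.20.50 104-PPE0 - AFWeb_Basic http://afweb.training.lab/sqlinjection.demo Field lookup SQL Keyword check failed <blocked>
"""

APPFW_RE = re.compile(
    r"APPFW (?P<check>APPFW_\w+) (?P<msgid>\d+) (?P<severity>\d+) : "
    r"(?P<client>\d+\.\d+\.\d+\.\d+) \S+ - (?P<profile>\S+) (?P<url>\S+) "
    r"(?P<message>.*?) <(?P<outcome>blocked|not blocked)>$")


def grep_i(lines, needle):
    """Same selection as 'grep -i needle': the needle may sit anywhere in the line."""
    return [line for line in lines if needle.lower() in line.lower()]


def parse_appfw(line):
    """Return the fields of one APPFW event, or None for any other log line."""
    match = APPFW_RE.search(line)
    return match.groupdict() if match else None


def triage(log_text):
    """Summarise APPFW activity: counts of blocked events per check and per
    client, and the URLs that a check flagged but did not block (the entries
    to review before adding a relaxation or re-enabling Block)."""
    lines = log_text.splitlines()
    events = [event for event in map(parse_appfw, lines) if event]
    blocked = [event for event in events if event["outcome"] == "blocked"]
    return {
        "appfw_lines": len(grep_i(lines, "appfw")),
        "blocked": len(blocked),
        "by_check": dict(Counter(event["check"] for event in blocked)),
        "by_client": dict(Counter(event["client"] for event in blocked)),
        "flagged_not_blocked": sorted({event["url"] for event in events
                                       if event["outcome"] == "not blocked"}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run this against a real appliance, replace SAMPLE_LOG with the contents of /var/log/ns.log (or the output of zcat on an archived ns.log.#.gz) and adjust APPFW_RE if the column layout of your firmware differs; the grep_i count should then agree with "grep -ci appfw" on the same file.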

Exercise 4-2: Capturing and Viewing NS Trace Files


This exercise demonstrates how to generate an nstrace file in PCAP format using the Configuration
Utility.
Begin by generating a trace of a successful connection to the AFWeb site. Next re-enable the
content filtering policy and specify the request action to reset the connection. Then, generate a
second trace capturing a connection reset when attempting to access the AFWeb site. Finally,
compare both traces and observe the effect of the session reset on the session.

Before You Begin


To complete this exercise, you need to have:
• Access to the AFWeb site.
• Access to Wireshark on the hosted client workstation.
Estimated time to complete this exercise: 15 minutes

Exercise Details
Complete the following tasks:
1. Capture a network trace of a good session:
a. Delete any existing trace files on the system.
b. Generate a new trace of a successful connection to the AFWeb site. Capture the trace
in PCAP format (tcpdump ON).
2. Capture a network trace of a reset session:
a. Configure a content filtering policy (cf_pol_filterbyip) that will RESET the connection
(as opposed to DROP). This policy will affect all traffic from the IP address of the
hosted client workstation.
b. Generate a new trace of the reset when attempting to access the AFWeb site.
3. Download and view the trace files:
a. Download the trace files to the hosted client workstation (C:\).
b. Open each trace file in Wireshark. Compare the trace files and the results when
filtering the files using the following values:
• tcp
• http
• ip.addr== ip_address
Replace ip_address with the AFWeb server back-end IP address, and with your
assigned VIP address.
c. Observe how the reset session is captured within the trace.

Summary
The NetScaler system can generate trace files in either tcpdump format or nstrace format. The
tcpdump format is suitable for viewing with a third-party tool, such as Wireshark.
This exercise demonstrates some basic procedures for generating a trace file and then using it to
inspect the packets within a session for diagnostic or troubleshooting purposes.

Capturing a Network Trace 1 (Good Session)


Use the following procedure to generate a network trace file of a successful connection to AFWeb:
1. Go to System > Diagnostics.
2. Under Technical Support Tools, click Start new trace.
3. Trace a client session:
a. In the Packet size field, enter 0.

b. In the Filter expression field, enter connection.SRCIP.EQ(192.168.30.30).
c. Check the box next to Trace filtered connection's peer traffic.
d. Select all options in the Capturing Mode section.
e. Click Start.
4. Open Firefox and browse to http://afweb.training.lab.
5. Click the SQL Injection Demonstration link.
6. Type test in the Lookup Value field and click Submit.
7. Return to the Configuration Utility and click OK.
8. Download the trace file:
a. Select nstrace1.pcap and click Download.
b. Click Close to exit the trace.
9. Minimize all windows and double click nstrace1.pcap in the Download folder.
10. In Wireshark type http in the Filter: field and hit Enter on your keyboard.
11. View the contents of the trace. Notice the trace shows traffic all the way from the client to the
web server.

Capturing a Network Trace 2 (App Firewall Blocked Session)

Use the following procedure to generate a network trace file of a connection to AFWeb that is
blocked by the Application Firewall:
1. Log on to the Configuration Utility.
2. Go to System > Diagnostics.
3. Under Technical Support Tools, click Start new trace.
4. Trace a client session:
a. In the Packet size field, enter 0.
b. In the Filter expression field, enter connection.SRCIP.EQ(192.168.30.30).
c. Check the box next to Trace filtered connection's peer traffic.
d. Click Start.
5. Open Firefox and browse to http://afweb.training.lab.
6. Click the SQL Injection Demonstration link.
7. Type 1001' or '1=1 in the Lookup Value field and click Submit.
8. Return to the Configuration Utility and click OK.
9. Download the trace file:
a. Select the nstrace1.pcap and click Download.
b. Click Close.
10. Browse to the location that the file was downloaded to and double click nstrace1.pcap.

11. In Wireshark type http.response.code == 302 in the Filter: field and click Apply.
12. View the redirect to the /blocked.htm page.
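The two traces above are compared by eye in Wireshark with the http, tcp and http.response.code == 302 filters. The Python script below is an added example, not part of the Citrix workbook or of NetScaler, that reads a tcpdump-format capture directly and reports the same two things a reviewer looks for: TCP resets sent by the virtual server (what the cf_pol_filterbyip RESET action produces) and HTTP 302 responses with their Location target (what an Application Firewall block produces). The three captures are constructed in memory with struct so the script runs offline; 192.168.30.40 is an assumed VIP address, 192.168.30.30 is the client address from the exercise, and IP/TCP checksums are left at zero, which Wireshark would flag but this parser ignores.

```python
"""Added example, not from the Citrix workbook: pull the two things the
exercise looks for in Wireshark out of a tcpdump-format nstrace without
Wireshark, the TCP reset produced by cf_pol_filterbyip's RESET action and the
302 redirect to /blocked.htm produced by an Application Firewall block.

The three captures are constructed in memory (Ethernet/IPv4/TCP with IP and TCP
checksums left at zero, which this parser never validates). 192.168.30.40 is
an assumed VIP address; 192.168.30.30 is the client address from the exercise.
"""
import struct

ETH_IPV4 = 0x0800
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10
CLIENT, VIP = "192.168.30.30", "192.168.30.40"


def build_pcap(packets):
    """Wrap (src, dst, sport, dport, flags, payload) tuples in pcap framing."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for n, (src, dst, sport, dport, flags, payload) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000 + n, 2000 + n, 0x50,
                          flags, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), n, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4) + ip + tcp
        out += struct.pack("<IIII", 1470000000 + n, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (src, dst, sport, dport, flags, payload) for each TCP/IPv4 record."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a microsecond-resolution pcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                       # IP protocol field: 6 = TCP
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_offset = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[13], tcp[data_offset:]


def summarize(data, vip):
    """Counts equivalent to the Wireshark filters tcp.flags.reset == 1 (sent by
    the VIP) and http.response.code == N, plus any redirect targets seen."""
    result = {"rst_from_vip": 0, "status_codes": {}, "redirects": []}
    for src, dst, sport, dport, flags, payload in parse_pcap(data):
        if flags & RST and src == vip:
            result["rst_from_vip"] += 1
        if payload.startswith(b"HTTP/1."):
            head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
            code = int(head[0].split()[1])
            result["status_codes"][code] = result["status_codes"].get(code, 0) + 1
            for line in head[1:]:
                name, _, value = line.partition(b":")
                if code in (301, 302, 303, 307, 308) and name.strip().lower() == b"location":
                    result["redirects"].append(value.strip().decode())
    return result


# Constructed captures: a normal session, a session the Application Firewall
# answered with a redirect, and a session the content filter reset.
REQUEST = b"GET /sqlinjection.demo HTTP/1.1\r\nHost: afweb.training.lab\r\n\r\n"
GOOD_SESSION = build_pcap([
    (CLIENT, VIP, 50000, 80, SYN, b""),
    (VIP, CLIENT, 80, 50000, SYN | ACK, b""),
    (CLIENT, VIP, 50000, 80, PSH | ACK, REQUEST),
    (VIP, CLIENT, 80, 50000, PSH | ACK, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
])
BLOCKED_SESSION = build_pcap([
    (CLIENT, VIP, 50001, 80, SYN, b""),
    (VIP, CLIENT, 80, 50001, SYN | ACK, b""),
    (CLIENT, VIP, 50001, 80, PSH | ACK, REQUEST),
    (VIP, CLIENT, 80, 50001, PSH | ACK,
     b"HTTP/1.1 302 Found\r\nLocation: /blocked.htm\r\nContent-Length: 0\r\n\r\n"),
])
RESET_SESSION = build_pcap([
    (CLIENT, VIP, 50002, 80, SYN, b""),
    (VIP, CLIENT, 80, 50002, RST | ACK, b""),
])

if __name__ == "__main__":
    for name, capture in [("good", GOOD_SESSION), ("blocked", BLOCKED_SESSION),
                          ("reset", RESET_SESSION)]:
        print(name, summarize(capture, VIP))
```

To use this on a downloaded nstrace1.pcap, read the file in binary mode and pass the bytes to summarize together with your assigned VIP; a reset session shows rst_from_vip greater than zero and no HTTP response at all, while an Application Firewall block shows a 302 with /blocked.htm as its target and no reset.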

Disabling the Application Firewall Feature


To avoid conflicts with later lab exercises, disable the Application Firewall feature before
continuing. Use the following procedure to disable the Application Firewall feature:
1. Open the Configuration Utility.
2. Expand the Security node.
3. Right click the Application Firewall node and select Disable Feature.
4. Click Save on the upper right menu bar to save the configuration.


Module 5
Authentication, Authorization and Auditing

Authentication, Authorization, and Auditing Exercises
Exercise 5-1: Enabling External Authentication
This configuration uses the LDAP authentication policy created earlier. Note that external
authentication for the NetScaler system accounts is not required in order to configure the
authentication server in this exercise; what is required is a correctly configured LDAP policy.
The lab begins with an exercise that allows NetScaler system accounts to authenticate against
Active Directory. This exercise demonstrates how to configure external authentication and verify
that it works before configuring the authentication virtual server.

Before You Begin


Access the lab environment and ensure that all virtual machines are started.
To complete this exercise, you need to have the following information:
Lab Active Directory architecture:

  Active Directory                     Value
  AD Domain Controller                 192.168.20.11:389
  AD Domain Name: Base DN              DC=training,DC=lab
  Administrator BindDN                 LDAPUser@training.lab / Password1
  LDAP Login Name (case sensitive)     sAMAccountName

Groups and User Credentials:

  Group          User                  Password
  NSAdmins       NetScaler Admin       Password1
  NSOperators    NetScaler Operator    Password1
  Contractors    contractor            Password1

Estimated time to complete this exercise: 25 minutes

Exercise Details
Configure LDAP authentication and group extraction on the NetScaler system:
1. Create local groups on the NetScaler system that correspond to the groups in the directory
service.
2. Bind groups to the command policies.
3. Create the authentication action for LDAP.
4. Create the authentication policy for LDAP.
5. Bind the policy to System Global.
6. Save the NetScaler configuration.
7. Test external authentication.

Summary
During the initial configuration, external authentication for the NetScaler system accounts was
configured, allowing the testing and verification of LDAP authentication and group extraction.

Enabling LDAP Authentication


Use the following procedure to configure LDAP authentication and group extraction on the
NetScaler system:
1. From the StudentDesktop virtual machine, go to System > User Administration > Groups.
2. Create the NSAdmins group:
a. Click Add.
b. Type NSAdmins in the Group Name field.

Group names must correspond to the group in the directory service and are
case sensitive.

c. Under Command Policies select Insert.


d. Select the check box that corresponds to superuser and click Insert.
e. Click Create.
3. Create the NSOperators group:
a. Click Add.
b. Type NSOperators in the Group Name field.
c. Under Command Policies select Insert.
d. Select the check box that corresponds to operator and click Insert.

e. Click Create.
4. Create the LDAP Authentication Server.
a. Go to System > Authentication > LDAP.
b. Click the Servers tab and click Add.
c. In the Name field type auth_ldap_srv.
d. Click the Server IP option.
e. In the IP Address field type 192.168.20.11, the Port field should contain 389.
f. In the Base DN (location of users) field type dc=training,dc=lab.
g. In the Administrator Bind DN field type ldapuser@training.lab.
h. Check the BindDN Password box to enter the password.
i. In the Administrator Password and Confirm Administrator Password fields type
Password1.
j. In the Server Logon Name Attribute drop-down menu, select sAMAccountName.
k. In the Group Attribute drop-down menu, select memberOf.
l. In the Sub Attribute Name drop-down menu, select cn.
m. Click More and under Nested Group Extraction select Enabled.
n. In the Group Name Identifier drop-down menu, select sAMAccountName.
o. In the Group Search Attribute drop-down menu, select sAMAccountName.
p. Click Create.
5. Create the LDAP Authentication Policy.
a. Go to System > Authentication > LDAP.
b. Click the Policies tab and click Add.
c. In the Name field type auth_ldap_policy.
d. In the Server drop-down list box, select auth_ldap_srv.
e. In the Expression field, click the drop down for the Saved Policy Expressions and
select ns_true from the list.
f. Click Create.
6. Bind the LDAP Policy:
a. Click the Policies tab and click Global Bindings.
b. Click in the field below Select Policy and select the option next to auth_ldap_policy.
c. Click Select then enter a Priority value of 100.
d. Click Bind then click Done.
7. Test the nsadmin account.
a. Open putty.exe from the student desktop.
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open then click Yes if you get any pop up.

d. Type nsadmin for the username and Password1 for the password.
e. Type shell at the command prompt. Because the nsadmin account is mapped to the
superuser command policy, the shell command is successful.
f. Type exit to exit the shell.
g. Type exit to exit the session.
8. Test the nsoperator account.
a. Open putty.exe from the student desktop.
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open.
d. Type nsoperator for the username and Password1 for the password.
e. Type shell at the command prompt. Because the Operator Command Policy does
not allow shell access, the nsoperator account is denied access.
f. Type disable service svc_green. The Operator Command Policy does allow
servers and services to be enabled or disabled.
g. Type exit to exit the session.
h. Type y to save the configuration.
9. Click the Save icon on the upper right menu bar to save the configuration and confirm.

Enabling LDAP Authentication (Command-Line Interface)


An administrator can use the following procedure to enable LDAP Authentication for System users.
1. Log in to the command-line interface:
a. Open putty.exe from the student desktop.
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open.
d. Type nsroot as the username and nsroot as the password.
2. Create the LDAP Authentication server (all one line).
add authentication ldapAction auth_ldap_srv -serverIP 192.168.20.11 -ldapBase "dc=training,dc=lab" -ldapBindDn ldapuser@training.lab -ldapBindDnPassword Password1 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 2 -groupNameIdentifier sAMAccountName -groupSearchAttribute sAMAccountName

3. Create the LDAP Authentication policy.
add authentication ldapPolicy auth_ldap_policy ns_true auth_ldap_srv
4. Bind the LDAP Authentication policy.
bind system global auth_ldap_policy -priority 100
5. Create the NSAdmins Group.
add system group NSAdmins
6. Bind the NSAdmins Group to the Superuser Command Policy.
bind system group NSAdmins -policyName superuser 100
7. Create the NSOperators Group.
add system group NSOperators
8. Bind the NSOperators Group to the Operator Command Policy.
bind system group NSOperators -policyName operator 100
9. Test the nsadmin account:
a. Open putty.exe from the student desktop.
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open.
d. Type nsadmin for the username and Password1 for the password.
e. Type shell at the command prompt. Because the nsadmin account is mapped to the
superuser command policy, the shell command is successful.
f. Type exit to exit the shell.
g. Type exit to exit the session.
10. Test the nsoperator account:
a. Open putty.exe from the student desktop.
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open.
d. Type nsoperator for the username and Password1 for the password.
e. Type shell at the command prompt. Because the Operator Command Policy does
not allow shell access, nsoperator account is denied access.
f. Type disable service svc_green. The Operator Command Policy does allow
servers and services to be enabled or disabled.
g. Type exit to exit the session.

11. Save the NetScaler configuration.
save config
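The ldapAction above is where the security decision is actually made: -ldapLoginName selects the user, -groupAttrName and -subAttributeName turn memberOf values into group names, -nestedGroupExtraction and -maxNestingLevel decide how far up the group hierarchy the appliance looks, and the resulting names are matched case-sensitively against the NetScaler system groups bound to command policies. The Python script below is an added example, not part of the Citrix workbook or of NetScaler, that walks through that extraction against a constructed directory. The nsoperator -> Helpdesk -> NSOperators nesting in the sample is constructed to show the effect of the nesting level (in the lab directory nsoperator is a direct member), and the level counting used (level 1 = direct memberOf groups, level 2 = their parents) is an assumption about how -maxNestingLevel is applied.

```python
"""Added example, not from the Citrix workbook: how the LDAP action's group
extraction settings (memberOf / CN / nested extraction / maxNestingLevel) turn
a directory user into NetScaler system groups and a command policy.

The directory below is constructed; the only nesting it contains is
nsoperator -> Helpdesk -> NSOperators, which the lab's real directory does not
have (there nsoperator is a direct member). The level counting used here
(level 1 = direct memberOf groups, level 2 = their parents) is an assumption
about how -maxNestingLevel is applied.
"""

BASE_DN = "DC=training,DC=lab"


def dn(cn):
    return f"CN={cn},CN=Users,{BASE_DN}"


# Constructed directory entries: DN -> the attributes the exercise relies on.
DIRECTORY = {
    dn("NetScaler Admin"):    {"sAMAccountName": "nsadmin",
                               "memberOf": [dn("NSAdmins")]},
    dn("NetScaler Operator"): {"sAMAccountName": "nsoperator",
                               "memberOf": [dn("Helpdesk")]},
    dn("Helpdesk"):           {"sAMAccountName": "Helpdesk",
                               "memberOf": [dn("NSOperators")]},
    dn("NSOperators"):        {"sAMAccountName": "NSOperators",
                               "memberOf": [dn("Tier2")]},
    dn("Tier2"):              {"sAMAccountName": "Tier2", "memberOf": []},
    dn("NSAdmins"):           {"sAMAccountName": "NSAdmins", "memberOf": []},
}

# NetScaler side, as bound in the exercise: system group -> command policy.
SYSTEM_GROUPS = {"NSAdmins": "superuser", "NSOperators": "operator"}


def find_user(login_name, login_attr="sAMAccountName"):
    """-ldapLoginName: locate the user entry by the login attribute."""
    for entry_dn, attrs in DIRECTORY.items():
        if attrs.get(login_attr) == login_name:
            return entry_dn
    return None


def sub_attribute(group_dn, sub_attr="CN"):
    """-subAttributeName CN: the group name is the CN component of its DN."""
    first = group_dn.split(",", 1)[0]
    name, _, value = first.partition("=")
    return value if name.upper() == sub_attr.upper() else None


def extract_groups(login_name, nested=True, max_nesting_level=2):
    """-groupAttrName memberOf, followed up through parent groups when
    -nestedGroupExtraction ON, to at most max_nesting_level levels."""
    user_dn = find_user(login_name)
    if user_dn is None:
        return set()
    groups, frontier, level = set(), list(DIRECTORY[user_dn]["memberOf"]), 1
    while frontier and level <= (max_nesting_level if nested else 1):
        next_frontier = []
        for group_dn in frontier:
            name = sub_attribute(group_dn)
            if name is None or name in groups:
                continue
            groups.add(name)
            next_frontier.extend(DIRECTORY.get(group_dn, {}).get("memberOf", []))
        frontier, level = next_frontier, level + 1
    return groups


def command_policy(login_name, **kwargs):
    """System group names are matched case-sensitively against the extracted
    groups; a user with no matching group gets no command policy at all."""
    for group in extract_groups(login_name, **kwargs):
        if group in SYSTEM_GROUPS:
            return SYSTEM_GROUPS[group]
    return None


if __name__ == "__main__":
    for user in ("nsadmin", "nsoperator"):
        for level in (1, 2, 3):
            print(user, level, sorted(extract_groups(user, max_nesting_level=level)),
                  command_policy(user, max_nesting_level=level))
```

The point to take from running it: with the exercise's -maxNestingLevel 2 the nested operator is mapped to the operator policy, with level 1 the same account gets no policy and is therefore refused, and a system group created as "nsoperators" would never match "NSOperators" because the comparison is case-sensitive.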

Exercise 5-2: Configuring AAA for Traffic Management


This exercise shows how to configure NetScaler AAA to provide authentication and authorization
services for web servers. The NetScaler system requires users to authenticate with Active Directory
through the NetScaler system before accessing the AFWeb site. The configuration is updated to
include allowed and denied authorization policies to control which parts of the site the
authenticated users can access.

Before You Begin


To complete this exercise, you need to have:
• A test SSL certificate.
• A browser with proxy disabled (Firefox by default).
• Contractor credentials: contractor / Password1.
Estimated time to complete this exercise: 20 minutes

Exercise Details
Complete the following tasks:
1. Configure an authentication virtual server that authenticates to the AFWeb site.
2. Configure authorization policies for the AFWeb site.

Summary
The authentication virtual server supports Active Directory authentication for the AFWeb site
which does not implement any authentication on its own. The NetScaler system was configured to
perform authentication on behalf of this application using the AAA features.

Configure an Authentication Virtual Server


Configure an authentication virtual server that authenticates to the AFWeb site:
1. Log on to the Configuration Utility.
2. Go to Security > AAA - Application Traffic. Right click AAA - Application Traffic and click
Enable Feature.

3. Go to Security > AAA - Application Traffic > Virtual Servers.
4. Create an authentication virtual server named auth_vsrv_afweb.
a. Click Add.
b. In the Name field, type auth_vsrv_afweb.
c. In the IP Address field, type 192.168.30.30.
d. In the Authentication Domain field, type afweb.training.lab.
e. Click OK to continue.
f. Click No Server Certificate.
g. Click in the field below Select Server Certificate and select the option next to ns_plat
and click Select then click Bind. The certificate was previously added to the base lab
configuration.
h. Click Continue then click Continue.
i. Click in the field below Basic Authentication Policies to add a policy. In the Choose Policy
drop-down list, select LDAP and click Continue. Click in the field below Select Policy,
select the option next to auth_ldap_policy, click Select, then click Bind. This is the
authentication policy created in the previous exercise.
j. Click Done.
5. Go to Traffic Management > Load Balancing > Virtual Servers.
6. Enable Authentication for the AFWeb lb vserver:
a. Select the Virtual Server lb_vsrv_afweb and click Edit.
b. Click the Authentication node on the right pane.
c. In the left pane under the Authentication field, click the option next to 401 Based
Authentication.
d. In the Authentication Virtual Server drop down, select auth_vsrv_afweb.
e. Click OK, then click Done.
7. Click Save on the upper right menu bar to save the configuration.
8. Test the authentication configuration:
a. Open Internet Explorer and browse to http://afweb.training.lab/.
b. Type contractor in the User Name field and Password1 in the Password field.
Note that upon successful authentication, access to the AFWeb site is granted.

Configure an Authentication Virtual Server (Command-Line Interface)

Configure an authentication virtual server that authenticates to the AFWeb site:
1. Log in to the command-line interface.
2. Enable the AAA for Application Traffic feature.
enable ns feature AAA
3. Create the Authentication virtual server.
add authentication vserver auth_vsrv_afweb SSL 192.168.30.30 443 -AuthenticationDomain afweb.training.lab
4. Bind the LDAP Authentication policy to the Authentication virtual server.
bind authentication vserver auth_vsrv_afweb -policy auth_ldap_policy -priority 100
5. Bind an SSL Certificate to the Authentication virtual server.
bind ssl vserver auth_vsrv_afweb -certkeyName ns_plat
6. Enable Authentication for the AFWeb lb vserver.
set lb vserver lb_vsrv_afweb -Authn401 ON -authnVsName auth_vsrv_afweb
7. Save the NetScaler configuration.
save config
8. Test the authentication configuration:
a. Open Internet Explorer and browse to http://afweb.training.lab.
b. Type contractor in the User Name field and Password1 in the Password field.
Note that upon successful authentication, access to the AFWeb site is granted.
c. Close Internet Explorer.

Create Authorization Policies


Use the following procedure to configure Authorization Policies for the AFWeb site. The
authentication virtual server authenticates domain accounts on behalf of the web site, which does
not implement authentication of its own. The authorization policies are used to restrict access to
the web site to certain accounts only.
1. Log in to the Configuration Utility.
2. Go to Security > AAA - Application Traffic.
3. Click Change global settings.
4. In the Default Authorization Action drop down menu, select DENY. Then click OK.
5. Go to Security > AAA - Application > Policies > Authorization.
6. Create an Authorization Policy:

a. Click Add.
b. In the Name field enter contractor_auth_pol.
c. Ensure that Action is set to ALLOW.
d. Click Switch to Classic Syntax, click OK on pop-up.
e. Click Expression Editor and configure the expression as follows and click Done after
each entry:

REQ.HTTP.URL == /

f. Click Expression Editor and configure the expression as follows:

REQ.HTTP.URL == /allow.demo

g. Click Expression Editor and configure the expression as follows:

REQ.HTTP.URL == /*.css

h. Click Expression Editor and configure the expression as follows:

REQ.HTTP.URL == /*.png

i. Click Create. The expression should display as the following:

REQ.HTTP.URL == / || REQ.HTTP.URL == /allow.demo || REQ.HTTP.URL == '/*.css' || REQ.HTTP.URL == '/*.png'

You may need to manually edit the "&&" characters in the expression to "||".

7. Go to Security > AAA - Application > Groups.


8. Add a group named Contractors and configure it to use the Authorization policy:
a. Click Add.
b. In the Group Name field, enter Contractors then click OK.
c. Click the Authorization Policies node on the right pane.
d. Click No Authorization Policy on the left pane to add the policy.
e. Click in the field below Select Policy and select the option next to
contractor_auth_pol.
f. Click Select, in the Priority field enter 100 then click Bind and then click Done.
9. Test the authorization policies:
a. Open Internet Explorer and browse to http://afweb.training.lab.
b. Type contractor in the User Name field and Password1 in the Password field.

c. Click the Use Start URLs to allow this page link. Notice access is allowed due to the
Authorization policy.
d. Click the Credit Card Demonstration link. Notice access is denied because it is not
allowed by an Authorization policy.
10. Disable authentication server settings on the LB Vserver:
a. Go to Traffic Management > Load Balancing > Virtual Servers.
b. Select the Virtual Server lb_vsrv_afweb and click Edit.
c. Click the Edit icon to the right of the Authentication field.
d. Check the option next to None.
e. Click OK then click Done.
11. Unbind the global LDAP policy.
a. Go to System > Authentication > LDAP.
b. Select auth_ldap_policy.
c. Click Global Bindings.
d. Select the policy and click Unbind.
e. Click Yes to confirm.
f. Click Done.
12. Click the Save icon on the upper right menu bar to save the configuration.

Create Authorization Policies (Command-Line Interface)


Use the following procedure to configure Authorization Policies for the AFWeb site. The
authentication virtual server authenticates domain accounts on behalf of the web site, which does
not implement authentication of its own. The authorization policies are used to restrict access to
the web site to certain accounts only.
1. Log in to the command-line interface.
2. Set the Default Authorization Action to DENY.
set tm sessionParameter -defaultAuthorizationAction DENY
3. Create an Authorization Policy.
add authorization policy contractor_auth_pol "REQ.HTTP.URL == / || REQ.HTTP.URL == /allow.demo || REQ.HTTP.URL == /*.css || REQ.HTTP.URL == /*.png"
4. Add a group named Contractors.
add aaa group Contractors

5. Bind the Contractors group to the contractor_auth_pol Authorization policy.
bind aaa group Contractors -policy contractor_auth_pol -priority 100
6. Test the authorization policies:
a. Open Internet Explorer and browse to http://afweb.training.lab.
b. Type contractor in the User Name field and Password1 in the Password field.
c. Click the Use Start URLs to allow this page link. Notice access is allowed due to the
Authorization policy.
d. Click the Credit Card Demonstration link. Notice access is denied because it is not
allowed by an Authorization policy.
7. Disable authentication server settings on the Load Balancing virtual server.
set lb vserver lb_vsrv_afweb -Authentication OFF
8. Unbind the global LDAP policy.
unbind system global auth_ldap_policy
9. Save the NetScaler configuration.
save config
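Both the Configuration Utility and command-line procedures above build the same authorization decision: the default action is DENY, contractor_auth_pol allows four URL patterns, and the policy is bound only to the Contractors group, so everything not listed (the Credit Card Demonstration page in the test) is refused. The Python script below is an added example, not part of the Citrix workbook or of NetScaler, that evaluates that decision for a few requests so the default-deny behaviour can be seen before binding the policy to a real group. It approximates classic-syntax URL matching by treating '*' as matching any run of characters and everything else literally, and it ignores the query string; both points are assumptions, as is the /creditcard.demo path used for the denied page and the "visitor" account that belongs to no group.

```python
"""Added example, not from the Citrix workbook: the authorization decision the
exercise configures, with the default authorization action set to DENY and the
contractor_auth_pol URL terms bound to the Contractors group.

Classic-syntax URL matching is approximated here: '*' is taken to match any run
of characters and everything else is literal; the query string is ignored. Both
points are assumptions, as is the /creditcard.demo path used for the denied page
and the "visitor" account that belongs to no group.
"""
import re

# set tm sessionParameter -defaultAuthorizationAction DENY
DEFAULT_AUTHORIZATION_ACTION = "DENY"

# contractor_auth_pol: action ALLOW, four REQ.HTTP.URL == terms joined with ||.
CONTRACTOR_AUTH_POL = ("ALLOW", ["/", "/allow.demo", "/*.css", "/*.png"])

# bind aaa group Contractors -policy contractor_auth_pol -priority 100
GROUP_POLICIES = {"Contractors": [(100, CONTRACTOR_AUTH_POL)]}

# AAA users and the groups extracted for them (constructed).
USER_GROUPS = {"contractor": ["Contractors"], "visitor": []}


def url_term_matches(pattern, path):
    """One REQ.HTTP.URL == <pattern> term; '*' is the only wildcard (assumption)."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, path) is not None


def policy_hits(policy, path):
    """A policy whose terms are joined with || hits when any term matches."""
    _, patterns = policy
    return any(url_term_matches(pattern, path) for pattern in patterns)


def authorize(user, url):
    """Return ALLOW or DENY for a request, evaluating the policies bound to the
    user's groups in priority order (lowest number first) and falling back to
    the default authorization action when nothing matches."""
    path = url.split("?", 1)[0]
    for group in USER_GROUPS.get(user, []):
        for _, policy in sorted(GROUP_POLICIES.get(group, []), key=lambda b: b[0]):
            if policy_hits(policy, path):
                return policy[0]
    return DEFAULT_AUTHORIZATION_ACTION


if __name__ == "__main__":
    for user, url in [("contractor", "/"), ("contractor", "/allow.demo"),
                      ("contractor", "/styles/site.css?v=2"),
                      ("contractor", "/creditcard.demo"), ("visitor", "/allow.demo")]:
        print(f"{user:10} {url:25} {authorize(user, url)}")
```

Two things the run makes visible that the procedure text does not: a pattern without a wildcard is an exact match (so /allow.demo.bak is still denied), and a user outside the Contractors group is denied even the front page, because with the default set to DENY only an explicit ALLOW lets anything through.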


Module 6
AppExpert Rate Limiting, HTTP Service Callout and Policy-based Logging

HTTP Service Callout Exercises
Exercise 6-1: Configuring HTTP Callouts
This exercise demonstrates the configuration of an HTTP callout. Users accessing the WebGoat
web site are redirected to the AFWeb blocked page as part of the demonstration.

Before You Begin


Estimated time to completion: 20 minutes

Exercise Parameters
The following table lists the exercise parameters and settings.

  Parameter                                Setting
  HTTP Callout Policy Name                 blackout
  HTTP Callout Server IP                   192.168.20.111
  Callout URL Stem                         /check_client.pl
  HTTP Callout Headers                     Callout: "negate"
  Parameters                               cip CLIENT.IP.SRC
  HTTP Callout Server Result Expression    HTTP.RES.Body(1000)
  Responder Policy Action                  blacklist_act
  Responder Policy                         rs_pol_blacklistredirect

Exercise Details
Complete the following tasks:
1. Enable the Responder feature.
2. Create an HTTP callout policy.
3. Configure the HTTP callout policy.

4. Create a responder policy action to redirect a blacklisted page to the block page.
5. Create a responder policy that performs the HTTP callout action.
6. Bind the policy to the WebGoat virtual server.
7. Save the NetScaler configuration.
8. Test the configuration.

Configuration Testing and Troubleshooting


To test the configuration:
1. Open a web browser and browse to the http://webgoat.net web site.
2. Verify that you are redirected to the AFWeb blocked page (due to the HTTP callout policy).
If the client IP address matches the list of blacklisted IP addresses maintained on the callout server,
then the callout server returns the string "IP Matched" to the NetScaler system. If the policy
expression evaluates to true, then the responder policy performs the specified action, which
redirects the request to the AFWeb blocked page.
To troubleshoot configuration issues during this exercise:
• Check if the responder policy is reporting any hits.
• Verify that the policy is bound to the proper virtual server if there are no hits.
• Verify that the Responder feature is enabled.
• Verify that the "IP Matched" string in the policy expression is capitalized exactly as the callout server returns it; CONTAINS is case-sensitive.
• View syslog to determine if the responder policy is evaluating to true or false.
• Verify the settings from the beginning of this exercise and look for any errors or discrepancies.

Configuring HTTP Callouts


Use the following procedure to redirect users to the AFWeb blocked page using HTTP Callout.

The responder feature must be enabled before starting this exercise.

1. Go to AppExpert > Responder.


2. Right click Responder and select Enable Feature.
3. Go to AppExpert > Http Callouts.
4. Create an HTTP Callout to initiate a request to the blacklist server:
a. Click Add.
b. In the Name field, type blackout.
c. Select the option next to IP Address and enter 192.168.20.111.

d. In the Port field, enter 80.
e. Under the Request to send to the server section, verify that Attribute-Based is
selected under Request Type.
f. Ensure that the Method drop-down box displays GET.
g. In the Host Expression field, type "blacklist.afweb.training.lab".

The quotes are required.

h. In the URL Stem Expression field, type "/check_client.pl".

The quotes are required.

i. Click Insert under the Headers section, enter callout in the Name field and
"negate" in the Value expression field.

The quotes are required.

j. Click Insert.
k. Click Insert under the Parameters section, enter cip in the Name field and
CLIENT.IP.SRC in the Value expression field.
l. Click Insert.
m. In the Server Response section, select TEXT from the Return Type drop-down list
box.
n. In the Expression to extract data from the response field, enter
HTTP.RES.BODY(1000).
o. Click Create.
5. Go to AppExpert > Responder > Actions.
6. Create a new Responder action with the following properties:
a. Click Add.
b. In the Name field, enter blacklist_act.
c. In the Type drop-down list, select Redirect.
d. In the Expression field, enter
"http://afweb.training.lab/blocked.htm".

The quotes are required.

e. Click Create.
7. Go to AppExpert > Responder > Policies.
8. Create a Responder Policy with the following properties:
a. Click Add.
b. In the Name field, enter rs_pol_blacklistredirect.
c. In the Action drop down menu, select blacklist_act
d. In the Expression field, enter
HTTP.REQ.HEADER("host").CONTAINS("webgoat.net") &&
SYS.HTTP_CALLOUT(blackout).CONTAINS("IP Matched").
e. Click Create.
9. Go to AppExpert > Responder and click Responder Policy Manager.
10. Click the drop down below Bind Point and select Load Balancing Virtual Server, then click
the drop down under Virtual Server and select lb_vsrv_webgoat then click Continue.
11. Click in the field below Select Policy and select the option next to rs_pol_blacklistredirect.
12. Click Select, then click Bind and Done.
13. Open Internet Explorer and go to http://webgoat.net/WebGoat/attack. Verify that you
are redirected to the AFWeb blocked page (per the responder policy and its HTTP callout).
14. Go to AppExpert > Responder and click Responder Policy Manager.
15. Click the drop down below Bind Point and select Load Balancing Virtual Server, then click
the drop down under Virtual Server and select lb_vsrv_webgoat then click Continue.
16. Select rs_pol_blacklistredirect and click Unbind.
17. Click Yes to Confirm then click Done.
18. Click Save on the upper right menu bar to save the configuration.

Configuring HTTP Callouts (Command-Line Interface)


An administrator can use the following procedure to redirect users to the AFWeb blocked page
using HTTP Callout.

The responder feature must be enabled before starting this exercise.

1. Log on to the command-line interface:


a. Open putty.exe from the student desktop.
b. Type 192.168.30.105 in Host Name (or IP address) field.
c. Click Open.
d. Type nsroot as the username and nsroot as the password.

2. Enable the Responder feature.
enable ns feature RESPONDER
3. Create the HTTP callout.
add policy httpCallout blackout
4. Set the IP address and port of the HTTP callout server (the host serving the blacklist).
set policy httpCallout blackout -IPAddress 192.168.20.111 -port 80

5. Set the expression that generates the Host header of the request to the callout server. The lab uses
the callout server's host name, not its IP address.
set policy httpCallout blackout -hostExpr "\"blacklist.afweb.training.lab\""
6. Set the expression that generates the URL stem, the literal string /check_client.pl.
set policy httpCallout blackout -urlStemExpr "\"/check_client.pl\""
7. Specify the cip parameter and the callout header to insert into the HTTP callout request. The cip
parameter carries the client IP address so that the callout server can compare it with its list of
blacklisted IP addresses.
set policy httpCallout blackout -parameters cip(CLIENT.IP.SRC) -headers callout("negate")
8. Set the return type of the result from the HTTP callout server.
set policy httpCallout blackout -returnType TEXT
9. Specify how the NetScaler extracts the result from the callout server's response (the first 1000
bytes of the body).
set policy httpCallout blackout -resultExpr "HTTP.RES.BODY(1000)"
10. Create a responder action that redirects a blacklisted client to the AFWeb blocked page.
add responder action BLACKLIST_ACT redirect "\"http://afweb.training.lab/blocked.htm\""
11. Create a responder policy that performs the HTTP callout; when the expression evaluates to
true, the policy performs the BLACKLIST_ACT action.
add responder policy rs_pol_blacklistredirect "HTTP.REQ.HEADER(\"host\").CONTAINS(\"webgoat.net\") && SYS.HTTP_CALLOUT(blackout).CONTAINS(\"IP Matched\")" BLACKLIST_ACT

12. Bind the policy to the WebGoat virtual server.
bind lb vserver lb_vsrv_webgoat -policyName rs_pol_blacklistredirect -priority 100
13. Open Internet Explorer and browse to http://webgoat.net/WebGoat/attack. Verify that
you are redirected to the AFWeb blocked page (per the responder policy and its HTTP callout).
14. After verifying the redirection to the AFWeb blocked page, unbind the responder policy from the
virtual server.
unbind lb vserver lb_vsrv_webgoat -policyName rs_pol_blacklistredirect
15. Save the NetScaler configuration.
save ns config
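The exchange that the callout configured above produces, as an added example that is not part of the workbook and not the lab's check_client.pl (whose source is not shown): a Python stand-in for the blacklist server that answers GET /check_client.pl?cip=<ip> with "IP Matched" or a string that does not contain it, and the check the responder expression applies to that body. The blacklist contents, the Host header check, and ignoring the callout: negate header are this example's assumptions.

```python
"""Stand-in for the lab's blacklist callout server and the body check the
responder policy applies to its reply.  Added example, not workbook code."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed sample blacklist of single hosts and CIDR ranges (assumption;
# the real list on 192.168.20.111 is not shown in the workbook).
BLACKLIST = [ipaddress.ip_network(n) for n in ("192.168.10.50/32", "203.0.113.0/24")]

EXPECTED_HOST = "blacklist.afweb.training.lab"   # the callout's hostExpr
MATCHED = b"IP Matched"                          # the string the responder policy looks for
NOT_LISTED = b"IP Not Listed"                    # must not contain the substring "IP Matched"


def is_blacklisted(cip: str) -> bool:
    """True if the address from the cip parameter falls inside BLACKLIST.
    Unparseable input counts as not listed instead of raising, so a malformed
    request cannot produce an error page that a loose CONTAINS() might match."""
    try:
        addr = ipaddress.ip_address(cip)
    except ValueError:
        return False
    return any(addr in net for net in BLACKLIST)


def check_client(path: str, headers: dict) -> tuple:
    """Answer the request that callout 'blackout' generates:
    GET /check_client.pl?cip=<CLIENT.IP.SRC> with Host: blacklist.afweb.training.lab
    and callout: negate.  Returns (status, body)."""
    parts = urlsplit(path)
    if parts.path != "/check_client.pl":
        return 404, b"not found"
    hdrs = {k.lower(): v for k, v in headers.items()}
    if hdrs.get("host", "").split(":")[0] != EXPECTED_HOST:
        return 400, b"unexpected host"
    # The lab also sends 'callout: negate'; what the real check_client.pl does
    # with it is not on the page, so this stand-in ignores it (assumption).
    cip = parse_qs(parts.query).get("cip", [""])[0]
    return 200, MATCHED if is_blacklisted(cip) else NOT_LISTED


def policy_matches(body: bytes) -> bool:
    """What SYS.HTTP_CALLOUT(blackout).CONTAINS("IP Matched") evaluates: a
    case-sensitive substring search over HTTP.RES.BODY(1000), the first 1000 bytes."""
    return MATCHED in body[:1000]


class Handler(BaseHTTPRequestHandler):
    """Minimal HTTP front end so the stand-in can be used as a callout target."""

    def do_GET(self):
        status, body = check_client(self.path, dict(self.headers))
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):   # silence per-request logging
        pass


if __name__ == "__main__":
    # Try: curl -H 'Host: blacklist.afweb.training.lab' -H 'callout: negate' \
    #        'http://127.0.0.1:8080/check_client.pl?cip=203.0.113.7'   (prints IP Matched)
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Two points the stand-in makes explicit: the responder decision is a substring search over the first 1000 bytes of whatever the callout server returns, so the non-matching reply (and any error page) must be chosen so that it can never contain "IP Matched"; and the callout travels over plain HTTP to port 80, so a callout server that is unreachable or tampered with cannot produce a true result, which means this blacklist fails open rather than closed.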

Exercise 6-2: Configuring Rate Limiting


This lab demonstrates the process for creating URL-based rate-limiting policies. This lab will use
the Responder feature to send a 404 error message if more than three requests from the same
source IP for the same URL are seen within 15 seconds. The Expression in the Responder policy
will target the Rate Limit to the /home.php page and the Responder Policy will be bound to the
Load Balancing Vserver lb_TS. These thresholds are intentionally low for the purpose of this lab.
Thresholds in production environments would be considerably higher. The steps for configuring
the limit selector, limit identifier, responder action and responder policy using the Configuration
Utility or command-line interface are provided.

Before You Begin


To complete this exercise, you need to have:
• Access to the Configuration Utility or command-line interface.
• A load balancing vserver lb_TS with a Virtual IP of 192.168.30.21 bound to svc_red, svc_blue,
svc_green.
Estimated time to completion: 15 minutes

Exercise Details
Complete the following tasks:
1. Create a Limit Selector to identify the source IP address and the URL.
2. Create a Limit Identifier to set a limit of 3 requests in a 15 second time slice.
3. Create a Responder action to send a 404 Page Not Found response.

4. Create a Responder policy to send the 404 if the Rate Limit is triggered and the request is for
the /home.php page.
5. Bind the policy to the Load Balancing virtual server lb_TS.
6. Save the NetScaler configuration.
7. Test the configuration.

Configuration Testing
To test the configuration:
1. Open a web browser and browse to http://192.168.30.21/home.php.
2. Verify that you receive a 404 Page Not Found response after exceeding the rate limit within the
specified time slice.

Configuring Rate Limiting


Use the following procedure to send an error message if the Rate Limit is exceeded.

The responder feature must be enabled before starting this exercise.

1. Log in to the Configuration Utility.


2. Launch Firefox and browse to http://192.168.30.21/home.php.
3. Reload the page several times in quick succession.
Expected result: The page displays and load balances between the Blue, Red and Green page
content.
4. Go to AppExpert > Rate Limiting > Selectors and click Add.
5. Create a Limit Selector:
a. In the Name field, type limitsel.
b. Click Insert and in the Expression field, type CLIENT.IP.SRC and click Insert.
c. Click Insert and in the Expression field, type HTTP.REQ.URL and click Insert.
d. Click Create.
6. Go to AppExpert > Rate Limiting > Limit Identifiers and click Add.
7. Create a Limit Identifier:
a. In the Name field, type limitid.
b. In the Selector drop-down box, select limitsel.
c. In the Threshold field, type 3.
d. In the Time Slice (msec) field, type 15000.

e. Click Create.
8. Go to AppExpert > Responder > Actions and click Add.
9. Create a Responder action:
a. In the Name field, type rs_act_404.
b. In the Type drop-down box, select Respond with.
c. In the Expression field, type "HTTP/1.1 404 Not Found\r\n\r\n".

The quotes are required.

d. Click Create.
10. Go to AppExpert > Responder > Policies and click Add.
11. Create a Responder policy to apply the Rate Limit.
a. In the Name field, type rs_pol_ratelimit_404.
b. In the Action drop-down box, select rs_act_404.
c. In the Expression box, type HTTP.REQ.URL.EQ("/home.php") &&
SYS.CHECK_LIMIT("limitid").
d. Click Create.
12. Go to AppExpert > Responder and click Responder Policy Manager.
13. Click the drop down below Bind Point and select Load Balancing Virtual Server, in the
Virtual Server drop down menu select lb_TS and click Continue.
14. Click in the field below Select Policy, select the option next to rs_pol_ratelimit_404.
15. Click Select, then click Bind and Done.
16. Click the Save button in the upper right hand corner to save the configuration.
17. Launch Firefox and browse to http://192.168.30.21/home.php.
18. Reload the page in quick succession by hitting the reload button multiple times.
Expected result: After the third quick reload, a 404 Not Found error is displayed. The browser may
instead show a blank page, because the responder action sends only a status line and no body.
19. Go to AppExpert > Responder > Policies and verify the hits for rs_pol_ratelimit_404 have
increased.

Configuring Rate Limiting (Command-Line Interface)


Use the following procedure to send a 404 Not Found error message if the Rate Limit is exceeded.

The responder feature must be enabled before starting this exercise.

1. Create the Limit Selector that identifies the source IP address and the URL.
add stream selector limitSel HTTP.REQ.URL CLIENT.IP.SRC
2. Create the Limit Identifier that allows 3 requests in a 15 second time slice.
add ns limitIdentifier limitid -threshold 3 -timeSlice 15000 -selectorName limitSel

3. Create the Responder action that sends a 404 Not Found response.
add responder action rs_act_404 respondwith "\"HTTP/1.1 404 Not Found\r\n\r\n\""
4. Create a Responder policy that sends the 404 response when the URL is /home.php and the
rate limit is exceeded.
add responder policy rs_pol_ratelimit_404 'http.req.url.eq("/home.php") && sys.check_limit("limitid")' rs_act_404
5. Bind the Responder policy to the load balancing virtual server lb_TS.
bind lb vserver lb_TS -policyName rs_pol_ratelimit_404 -priority 100
6. Save the NetScaler configuration.
save ns config
7. Launch Internet Explorer and browse to http://192.168.30.21/home.php.
8. Reload the page in quick succession by hitting the reload button multiple times.
Expected result: After the third quick reload, a 404 page not found error is displayed.
9. Show the policy and verify that the Hits counter has incremented.
show responder policy rs_pol_ratelimit_404
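The limit selector, limit identifier and responder policy from this exercise modelled in Python, as an added example (not NetScaler code and not from the workbook): requests are counted per (client IP, URL) key, the fourth request for /home.php inside one 15 second slice gets the 404, and other URLs and other clients keep their own buckets. The fixed-window bookkeeping and the sample traffic are this example's assumptions.

```python
"""Model of limitsel / limitid / rs_pol_ratelimit_404 from Exercise 6-2.
Added example, not NetScaler or workbook code."""
import time

NOT_FOUND = b"HTTP/1.1 404 Not Found\r\n\r\n"   # rs_act_404: status line only, no body


class LimitIdentifier:
    """Request counter keyed by the limit selector fields, modelling limitid
    (threshold 3, timeSlice 15000 ms) over limitsel (CLIENT.IP.SRC, HTTP.REQ.URL).
    A simple fixed window is used here; NetScaler's own bucket bookkeeping is
    not described in the workbook (assumption)."""

    def __init__(self, threshold=3, time_slice_ms=15000, clock=time.monotonic):
        self.threshold = threshold
        self.time_slice = time_slice_ms / 1000.0
        self.clock = clock            # injectable so windows can be replayed
        self._windows = {}            # (client_ip, url) -> (window_start, count)

    def check_limit(self, client_ip: str, url: str) -> bool:
        """Models SYS.CHECK_LIMIT("limitid"): count the request in its
        (client_ip, url) bucket and return True once the bucket exceeds
        `threshold` requests within the current time slice."""
        key = (client_ip, url)
        now = self.clock()
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.time_slice:      # slice expired: start afresh
            start, count = now, 0
        count += 1
        self._windows[key] = (start, count)
        return count > self.threshold


def responder_policy(client_ip: str, url: str, limiter: LimitIdentifier):
    """rs_pol_ratelimit_404: HTTP.REQ.URL.EQ("/home.php") && SYS.CHECK_LIMIT("limitid").
    Returns the 404 response when the policy fires, None to let the request through."""
    if url == "/home.php" and limiter.check_limit(client_ip, url):
        return NOT_FOUND
    return None


# Constructed sample traffic: (seconds, client IP, URL).
SAMPLE = [
    (0.0, "192.168.30.10", "/home.php"),    # 1st request: allowed
    (0.5, "192.168.30.10", "/home.php"),    # 2nd: allowed
    (1.0, "192.168.30.10", "/home.php"),    # 3rd: allowed (threshold is 3)
    (1.5, "192.168.30.10", "/home.php"),    # 4th in the same slice: 404
    (2.0, "192.168.30.10", "/other.php"),   # other URL: separate bucket, allowed
    (2.5, "192.168.30.11", "/home.php"),    # other client: separate bucket, allowed
    (16.0, "192.168.30.10", "/home.php"),   # new 15 s slice: allowed again
]


def simulate(requests, threshold=3, time_slice_ms=15000):
    """Replay (seconds, client_ip, url) tuples through the policy and return
    'pass' or '404' for each request, in order."""
    now = [0.0]
    limiter = LimitIdentifier(threshold, time_slice_ms, clock=lambda: now[0])
    outcomes = []
    for t, ip, url in requests:
        now[0] = t
        outcomes.append("404" if responder_policy(ip, url, limiter) else "pass")
    return outcomes


if __name__ == "__main__":
    for req, outcome in zip(SAMPLE, simulate(SAMPLE)):
        print(f"{req[0]:5.1f}s {req[1]} {req[2]:<12} {outcome}")
```

Because the selector keys on CLIENT.IP.SRC, every client behind one NAT or forward proxy shares a single bucket and is throttled together; a selector that keyed on a client-supplied header instead would be trivially evaded, since the client controls that value.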

Module 7: Command Center
Command Center Exercises
Exercise 7-1: Installing Command Center
Command Center is used to manage multiple NetScalers and NetScaler Gateway devices. In this
exercise you will install Command Center to run as a service on the Windows client.

Before You Begin


To complete this exercise, you need to have:
• Logged on to the AD.training.lab virtual machine using the CitrixAdmin/Password1
credentials.
• The Command Center installation file downloaded from MyCitrix. The file is found in the
Downloads folder.
Estimated time to complete this exercise: 10 minutes

Exercise Details
Follow the prompts to install Command Center, selecting Evaluation as the type of installation.

Summary
This exercise demonstrates the process to install Command Center, start the service and log on to
the Command Center utility.

Installing Command Center


Use the following procedure to install Command Center. Prerequisites for the installation, such as
the database setup and initial database creation, are already configured.
1. On the AD.training.lab virtual machine, browse to the Downloads folder.
2. Right click the CC_Setup_5.2_43_19.exe and select Run as administrator.
3. Click Yes if you receive a UAC prompt.
4. Click Next.
5. Select the option next to I accept the terms of the License Agreement and click Next.
6. Accept the default install location and click Next.
7. Select the option next to Evaluation and click Next.



8. Click Install.
9. Click Done.

In Local Services on the DC, start the Citrix Command Center and PostgresForCommandCenter
services if they are not running.

10. From the DC or StudentDesktop, open a new tab in Internet Explorer and browse to
https://ad.training.lab:8443/.

Click Continue if you receive a browser certificate error.

11. Enter root in the User Name field and public in the Password field.
12. Click Login.
13. Click Cancel or Skip to proceed.
14. In the Change Command Center User Password window enter public in the Current
Password field and in the New Password and Confirm New Password fields, enter
Password1 then click Save.

Citrix recommends changing the default password for production implementations.

Choose a strong password to secure access to the systems managed by Command Center and
prevent unauthorized access to the environment. The default root/public credentials are publicly
documented, and a Command Center login can drive every managed NetScaler with the credentials
stored in its device profile, so it amounts to administrative access to each managed appliance.

15. Click Back or Cancel to go to the Command Center Home window.

Exercise 7-2: Creating Device Profiles and Discovering NetScaler Devices
This exercise demonstrates the configuration and use of Citrix Command Center 5.2 for managing
NetScaler appliances. You will create a Device Profile and add your NetScaler to it to familiarize
yourself with the Command Center interface.
Typically, Command Center is used to manage multiple NetScalers or NetScaler Gateway devices.
Device profiles define connection and SNMP properties used by Command Center to connect to
and manage NetScaler devices.
Since all NetScalers in this classroom share a single subnet, your instance of Command Center is
able to interact with other NetScalers than your own. For this reason, it is important to follow the
naming scheme outlined in this exercise.

Before You Begin


To complete this exercise, you need to have:



• Installed Command Center.
• Your student/NetScaler number (for naming purposes).
• Your NetScaler NSIP address.
Estimated time to complete this exercise: 10 minutes

Exercise Details
This exercise demonstrates creating a Device Profile. Your NetScaler is then added to the
Command Center inventory using the discovery process and the settings contained in the Device
Profile.
1. Create a Device Profile named NSLab.
2. Configure Device Profile settings, such as SSH credentials and SNMP community.
3. Add your assigned NetScaler as a device.
4. Verify that your NetScaler has been properly discovered.

Summary
Command Center uses Device Profiles for network management.

Creating a Device Profile


Use the following procedure to create a Device Profile within Command Center.
1. From the StudentDesktop virtual machine, click the Citrix Network tab, go to Device Profiles,
and click Add.
2. Create a Device Profile:
a. In the Name field, type NSLab.
b. In the Device Family drop down menu select NetScaler.
c. In the User Name field, type nsroot.
d. In the Password field, type nsroot.
e. In the Community field, type CCenter.
f. Click Create.

Adding a NetScaler Device to Command Center


Use the following procedure to discover your assigned NetScaler using the NSLab Device
Profile.
1. Open the Command Center console.



2. Click the Citrix Network tab.
3. Go to Device Inventory > NetScaler and click Add.
4. Add your NetScaler to Command Center:
a. In the Devices field, enter 192.168.30.105.
b. In the Device Profile drop-down list box, select NSLab.
c. Click Continue.
d. Click Done once the discovery process completes.
5. Click Discovery Status and wait until the Status reflects Completed.

This step will take a moment to complete.

Viewing Device Properties


Use the following procedure to view device properties and various device management options
available.
1. Open the Command Center console.
2. Click the Citrix Network tab.
3. Go to Device Inventory > NetScaler.
4. Select the check box next to 192.168.30.105 and click Details.
5. Within Command Center, view the following details within the Device Properties screen:
• Configuration - note options available and the configuration files that have been archived.
• License & Modes - view features licensed, unlicensed and feature status and device modes
• Expand Device Properties by clicking More (upper right in pane).
6. Return to Citrix Network > Device Inventory > NetScaler.
7. Right click 192.168.30.105 and select Invoke CLI.
8. In the User Name field, type nsroot, in the Password field, type nsroot, and click Login.
9. In the Command field, type set ns hostname NetScaler_1, and click Send.
10. Click Close.
11. Right click 192.168.30.105 and select Rediscover.
12. Click Yes.
13. Click the Administration tab.
14. Under Settings, click Server Settings.
15. In the Device Label drop-down list box, select Host Name, and click OK.
16. Click the Citrix Network tab.
17. Go to Device Inventory > NetScaler.



18. Notice the NetScaler now displays by host name.

Exercise 7-3: Configuring Tasks


This exercise demonstrates the configuration and use of Citrix Command Center 5.2 for managing
NetScaler appliances. You will schedule configuration tasks within Command Center, as well as
create and use custom configuration tasks.
Configuration tasks allow you to carry out operations across multiple NetScalers simultaneously.
While Command Center does not offer every capability of the NetScaler Configuration Utility, it
has numerous built-in tasks along with the ability to create custom tasks. Tasks are operations that
can be executed on demand or scheduled for a specified time; they include upgrades and filter
policy creation.

Before You Begin


To complete this exercise, you need to have:
• Completed the previous exercises.
• Created an SSL certificate.
Estimated time to complete this exercise: 20 minutes

This lab uses objects created in previous exercises. If you used a personalized naming
convention, you will have to adjust the directions accordingly.

Exercise Details
Complete the following tasks:
1. Schedule a built-in task: the explicit creation of a new content filtering policy.
2. Create a custom task: the creation of a customized SSL virtual server.
3. Run the custom task.

Summary
This exercise demonstrates configuring tasks. You will first schedule a built-in task for immediate
execution. Then you will create a new custom task and execute it as well.



Executing a Built-in Task
This exercise demonstrates how to execute and schedule tasks with Command Center. Use the
following procedure to configure, from Command Center, a content filter policy that is used in a
later lab exercise.
1. Open the Command Center console.
2. Click the Configuration tab.
3. Go to Configuration > Built-in Tasks.
4. Select ConfigureFilterPolicy and click Execute.
5. Under Available Devices, select NetScaler_1, click the right arrow button, and click Next.
6. Configure the User Input screen:
a. In the Policy Name field, type cf_pol_filterbyip.
b. In the Expression field, type "REQ.IP.SOURCEIP == 216.58.218.174".

The quotation marks are required.

c. In the Action Name field, type RESET.


d. In the Priority field, type 100.
e. In the Comments field, type Block Bad IP.
7. Click Next.
8. Click the Preview button and verify the command syntax.
9. Click Close then Finish and OK to close the window.
10. Click Execution Log and ensure status reflects Success.

It may take a minute for the status to be completed.

Create a Custom Task


Use the following procedure to create a custom task:
1. Open the Command Center console.
2. Click the Configuration tab.
3. Go to Configuration > Custom Tasks, and click Add.
4. Ensure the option next to Define New Commands is selected and click Next.
5. In the Task Name field, enter CreateSSLVServer.
6. In the Device Family drop-down list box, select NetScaler.



7. Click Add Command.
8. In the Command field, enter add lb vserver $vsrv_name$ SSL $vip$ 443 and click
OK.
9. Click Add Command.
10. In the Command field, enter bind lb vserver $vsrv_name$ $svc$ and click OK.
11. Click Add Command.
12. In the Command field, enter bind ssl vserver $vsrv_name$ -certkeyName
$certkey$ and click OK.
13. Click Add Task Variable:
a. In the Variable Name field, enter vsrv_name.
b. In the Prompt field, enter Vserver Name.
c. Click OK.
14. Click Add Task Variable:
a. In the Variable Name field, enter vip.
b. In the Type drop-down list box, select IP Address Field.
c. In the Prompt field, enter Virtual IP Address.
d. Click OK.
15. Click Add Task Variable:
a. In the Variable Name field, enter svc.
b. In the Type dropdown box, select Choice.
c. In the Prompt field, enter Select Service.
d. In the Possible Values field, enter svc_blue,svc_red.
e. Click OK.
16. Click Add Task Variable:
a. In the Variable Name field, enter certkey.
b. In the Type dropdown box, select Text Field.
c. In the Prompt field, enter Certificate.
d. Click OK.
17. Click OK.

Execute a Custom Task


Use the following procedure to execute the custom task:
1. Select the CreateSSLVServer check box and click Execute.
2. Select NetScaler_1, click the right arrow button, and click Next.
3. Complete the User Input screen:



a. In the Vserver Name field, enter lb_vsrv_rbg_https.
b. In the Virtual IP Address field, enter 192.168.30.25.
c. In the Select Service dropdown box, select svc_red.
d. In the Certificate field, enter ns_plat.
e. In the Comments field, enter New SSL vserver.
f. Click Next.
4. Click Preview, verify the commands, and click Close.
5. Click Finish and OK to close the Execute Task window.
6. Click Execution Log and verify the task status reflects Success.

It may take a minute for the status to be completed.

7. Click the Monitoring tab.


8. Go to NetScaler > Virtual Servers.
9. Verify that lb_vsrv_rbg_https is present and its State shows Up. It may take a few minutes
for the view to refresh.
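The three $variable$ commands of the CreateSSLVServer task rendered in Python, as an added example that is not Command Center code and not from the workbook. The task's text-field values are substituted straight into NetScaler CLI commands, so the example validates each value against the type the task declares (IP Address Field, Choice, Text Field) before substituting; whether and how Command Center itself validates these is not described in the workbook, and the name alphabet used for text fields is this example's own conservative choice.

```python
"""Render the CreateSSLVServer custom task with validated inputs.
Added example, not Command Center or workbook code."""
import ipaddress
import re

# The three commands defined in the task, as entered in the exercise.
COMMANDS = [
    "add lb vserver $vsrv_name$ SSL $vip$ 443",
    "bind lb vserver $vsrv_name$ $svc$",
    "bind ssl vserver $vsrv_name$ -certkeyName $certkey$",
]

# Task variables with the types the exercise assigns them: (type, allowed choices).
VARIABLES = {
    "vsrv_name": ("text", None),
    "vip": ("ip", None),
    "svc": ("choice", ("svc_blue", "svc_red")),
    "certkey": ("text", None),
}

# The values entered on the User Input screen in the exercise.
LAB_VALUES = {"vsrv_name": "lb_vsrv_rbg_https", "vip": "192.168.30.25",
              "svc": "svc_red", "certkey": "ns_plat"}

# A text value lands in a CLI command unquoted, so restrict it to a conservative
# object-name alphabet (assumption; narrower than NetScaler's own naming rules).
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,126}$")
PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def validate_inputs(variables, values):
    """Return a list of problems; an empty list means every value is acceptable."""
    problems = []
    for name, (kind, choices) in variables.items():
        if name not in values:
            problems.append(f"{name}: missing")
            continue
        value = values[name]
        if kind == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{name}: not an IP address: {value!r}")
        elif kind == "choice":
            if value not in choices:
                problems.append(f"{name}: {value!r} is not one of {choices}")
        elif kind == "text":
            if not NAME_RE.match(value):
                problems.append(f"{name}: {value!r} is not a plain object name")
        else:
            problems.append(f"{name}: unknown type {kind!r}")
    for extra in sorted(set(values) - set(variables)):
        problems.append(f"{extra}: not a declared task variable")
    return problems


def _substitute(cmd, variables, values):
    """Replace each $name$ in one command; an undeclared placeholder is an error."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise ValueError(f"undeclared placeholder ${name}$ in {cmd!r}")
        return values[name]
    return PLACEHOLDER.sub(sub, cmd)


def render_task(commands, variables, values):
    """Validate the inputs, then return the fully substituted command list.
    Raises ValueError instead of emitting a command built from a bad value."""
    problems = validate_inputs(variables, values)
    if problems:
        raise ValueError("; ".join(problems))
    return [_substitute(cmd, variables, values) for cmd in commands]


if __name__ == "__main__":
    for line in render_task(COMMANDS, VARIABLES, LAB_VALUES):
        print(line)
```

Running the block prints the same three commands the Preview button shows for the lab values; a certkey such as "ns_plat -cipherName x" or a VIP of 192.168.30.256 is refused before anything reaches the appliance.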

Exercise 7-4: Monitoring


This exercise demonstrates how to use the Monitoring features within Command Center. You will
disable a service, which will take down a vserver, directly from the NetScaler Configuration Utility
and observe its effect from Command Center.
Command Center polls each device at a regular interval, so changes are not observed instantly. The
interval can be customized to fit your needs.

Before You Begin


To complete this exercise, you need to have:
• Completed the previous exercises.
• A working virtual server that can be taken off-line.
Estimated time to complete this exercise: 10 minutes

Exercise Details
Complete the following tasks:
1. Disable a service.



2. Observe the effect from Command Center.

Summary
Command Center is a powerful monitoring tool. It provides a central location from which a large
number of NetScaler devices can be observed.

Monitoring NetScaler Changes from Command Center


Use the following procedure to monitor NetScaler virtual servers and services.
1. Open the Command Center console.
2. Click the Monitoring tab.
3. Go to NetScaler > Virtual Servers.
4. Ensure that all Vservers reflect a state of UP.
5. Go to NetScaler > Services.
6. Verify that all of the Services reflect a state of UP.
7. From the NetScaler Configuration Utility on the StudentDesktop virtual machine, go to
Traffic Management > Load Balancing > Services.
8. Select svc_green, click Action, and select Disable then OK.
9. Return to the Command Center console.
10. Click the Monitoring tab.
11. Go to NetScaler > Services.
12. Click Action then Poll then click OK.
13. Click Refresh, and verify the state of svc_green is showing as Down.
14. Select the svc_green check box, then right click and click Enable.
15. In the Annotation field, type Maintenance done and click OK.
16. Close the Operation Status window.
17. Click Refresh and ensure that svc_green reflects a status of UP.

Exercise 7-5: Managing Faults


This exercise demonstrates some of the basic fault management capabilities of Command Center.
Alarms are picked or assigned on a user account basis. Both picked alarms and the assigned alarms
are visible to the user. Picked alarms may be viewed and annotated by any Command Center users.
Assigned alarms are only available for updates by the assigned user until unassigned.



Before You Begin
To complete this exercise, you need to have:
• Completed the previous exercises.
• Alarm messages in the Fault Management queue.
Estimated time to complete this exercise: 10 minutes

Exercise Details
Complete the following tasks:
1. Observe the Fault Management interface.
2. Pick an Alarm.
3. Assign an Alarm.
4. Clear the Alarms by restoring the disabled service.

Summary
Command Center is a useful management tool. It allows assignment of alarms to administrator
accounts directly from the monitoring interface.

Managing Faults
Use the following procedure to manage faults.
1. Open the Command Center console.
2. Click the Fault tab.
3. Go to SNMP > Alarms.
4. Select the Entityup svc_green Alarm.
5. Click Action and select Pickup.
6. In the Annotation field, type Working issue, and click Pickup.
7. Click My Assignments and notice the Alarm.
8. Click the Monitoring tab.
9. Go to NetScaler > Services.
10. Select svc_green, right click and click Enable.
11. In the Annotation field, type Maintenance done and click OK.
12. Close the Operation Status window.
13. Ensure that svc_green reflects a status of UP.



14. Click the Fault tab.
15. Go to SNMP > My Assignments.
16. Notice the event now shows as clear.

Module 8: Insight Center
Insight Center Exercises
Exercise 8-1: Configuring Insight Center
This exercise demonstrates how to configure Insight Center to monitor HDX traffic.

Before You Begin


To complete this exercise, you need to have:
• The NetScaler IP (NSIP) address assigned to you.
• The NetScaler nsroot login credentials for your system.
• Access to the Configuration Utility.
• The IP Address of your assigned Insight center.
• The virtual server lb_vsrv_webgoat created.

Exercise Details
Complete the following steps:
• Configure Insight Center. The web address for your Insight Center host is
http://insight.training.lab.
• Add your NetScaler to the Insight Server Inventory.
• Enable Insight monitoring for the load balancing virtual server lb_vsrv_webgoat.
• From the Configuration Utility, verify that the AppFlow policies have been created and
bound to lb_vsrv_webgoat.
• Generate traffic and View the Web Insight reporting:
• Browse to http://www.webgoat.net and click through the application to generate traffic.
• View the reports that are generated in the Insight Center Dashboard.

Summary
This module demonstrates the functionality and reporting capabilities of NetScaler Insight. This
module is focused on the Web Insight reporting of Insight Center.
Estimated time to complete this exercise: 20 minutes



Performing an Insight Center Initial Configuration
1. Configure Insight Center to monitor the NetScaler appliance.
a. From the StudentDesktop virtual machine, open Firefox and browse to
http://insight.training.lab.
b. Type nsroot in the User Name field and nsroot in the Password field, then click
Login. The NetScaler Insight Center Welcome screen appears.
c. Click Get Started.
d. Type the following values in the NetScaler Insight Center Inventory Setup screen.
• NetScaler IP address: 192.168.30.105.
• User name: nsroot
• Password: nsroot
e. Click Add. The Application List is populated with the load-balancing virtual servers
from the NetScaler.
2. Configure the time zone.
a. Click the Configuration tab and select the System node.
b. Click Change Time Zone.
c. Select UTC-0400 EDT America/New_York and click OK.
3. Add an NTP server.
a. Click NTP Servers under the System node and click Add.
b. Type 192.168.20.11, and click Create.
c. Select the 192.168.20.11 NTP server and select NTP Synchronization.
d. Select Enable NTP Sync and click OK.

Configuring Data Collection


In the StudentDesktop virtual machine, use an HTTP connection to the Insight Center
configuration utility logged on as the nsroot user for this task.
1. Enable AppFlow on the WebGoat virtual server.
a. Click the Configuration tab and click Inventory.
b. Click the 192.168.30.105 link.
c. Ensure Load Balancing is selected from the View drop-down list.
d. Right-click the 192.168.30.35 virtual server and select Enable AppFlow.

You can enable data collection on a virtual server only if the operational state
is UP.

e. In the Expression box, type TRUE, and click OK.


2. Verify that AppFlow is enabled on the NetScaler.
a. Switch to the NetScaler configuration utility and log on using the nsroot credentials.
b. Click the Configuration tab and go to System > Settings.
c. Click Configure Advanced Features.
d. Ensure that the AppFlow feature is enabled and click Close.
3. Verify that policies were bound correctly to the Webgoat Virtual Server.
a. Click the Configuration tab and go to Traffic Management > Load Balancing >
Virtual Servers.
b. Double-click the lb_vsrv_webgoat virtual server and verify that AppFlow Logging is
enabled.
c. In the Policies node, verify that an App Flow policy is listed.
d. Click the App Flow policy.
e. Verify that the af_policy_lb_vsrv_webgoat_192.168.20.16 policy is bound to the virtual
server.
4. Inspect the AppFlow policy.
a. Select the af_policy_lb_vsrv_webgoat_192.168.20.16 policy and click Edit Action to
display the Appflow af_action_lb_vsrv_webgoat_192.168.20.16 action.
b. Verify that the AppFlow collector on the NetScaler Insight Center appliance is in the
Collectors field.
c. Click OK then click Close then Done.

Generating Traffic and Viewing Insight Center Reports


Use the StudentDesktop virtual machine logged on as the CitrixAdmin user for this task.
1. Generate traffic.
a. Open Internet Explorer and browse to
http://webgoat.net/WebGoat/attack. Note the capital "W" and "G".
b. Type webgoat for the username and webgoat for the password.
c. Start WebGoat and click through the links of the WebGoat site to generate traffic.
2. View Web Insight data.
a. Switch to Insight Center and click the Dashboard tab.
b. Go to Web Insight > Clients. The graph should indicate user activity and the users
logged on through the Gateway.
c. Select the other nodes under Web Insight to view the available information.


Module 9: NetScaler Web Logging
NetScaler Web Logging Exercises
Exercise 9-1: Installing and Configuring NetScaler Web
Logging
This module demonstrates the installation and configuration of the NetScaler web logging
component.
Prior to the start of class, the NSWL files for Windows were downloaded to the StudentDesktop
machine. Please note that the files must be downloaded from Citrix or the NetScaler FTP site (same
as the NetScaler build); they are not available from the NetScaler system itself. The version of the
NSWL client must match the version of the NetScaler operating system in use.

For best results, clear cached data/private data between web logging tests. This will ensure
there is traffic between the client and the NetScaler system that is logged and will prevent
the web browser from using cached data.

Before You Begin


To complete this exercise, you need to have:
• The location of the NSWL files.
• Access to the Windows command prompt.
• A text editor, such as Notepad, to view and edit the log.conf files.
• Windows Explorer to copy and rename log files.
• Services Management Console: Services.msc.
• Regedit.
• Configured AFWeb and WebGoat virtual servers.
Estimated time to complete this exercise: 30 minutes

Exercise Details
Complete the following tasks:
1. Install and configure the NSWL client.
a. Go to the NSWL BIN directory using the command prompt.
b. Verify the NSWL configuration.
Expected result: you should receive an error since NSWL has not yet been configured.
c. Add the NSIP address to the NSWL log file.

d. Verify the NSWL configuration once more.
Expected result: you should receive a correct confirmation message this time.
e. Make a backup copy of the log.conf file (with the configured NSIP address) for later
use.
2. Run the NSWL client with the default filter.
a. Enable web logging on the NetScaler system.
b. Launch the NSWL client in standalone mode. The NSWL client uses the default filter
format W3C.
c. Test web logging by generating some web traffic.
d. Stop the NSWL client.
e. View the log files generated.
f. Rename the transaction log file for later use.
g. Change the NSWL log format to NCSA.
h. Re-launch the NSWL client in standalone mode.
i. Generate more web traffic and then stop the NSWL client.
j. Rename the second transaction log file and compare it to the first to see the difference
between W3C and NCSA logging.
3. Configure the specific filters.
a. Create a new log folder and edit the log.conf file to use it.
b. Add some new filters to log.conf:
• For the AFWeb virtual server
• For the WebGoat virtual server
c. Save and close log.conf.
d. Run the NSWL client as a standalone process with a debug level of 3.
e. Generate some web traffic from a fresh browser.
f. Close the browser and stop the NSWL client.
g. Inspect the log files that are generated.
4. Run the NSWL client as a service.
a. Create a backup of the current log.conf file, separate from the initial default backup.
b. Revert to the initial default configuration by replacing the log.conf file with the initial
backup.
c. Install the NSWL client as a service on Windows.
d. View NSWL service registry.
e. Verify that NSWL was installed as a service from services.msc.
f. Start the NSWL service.
g. Generate some web traffic from a fresh browser.

h. Stop the NSWL service.
i. View the transaction and debug log files.
j. Uninstall NSWL as a service.

Configuring the NSWL Client


The NetScaler Web Logging Binaries have already been extracted to the C:\NSWL directory. Use
the following steps to configure the NSWL client.
1. From the StudentDesktop virtual machine, go to Start, type Run in the Search field, click on
Run, then type cmd.
2. Enter the following command in the command prompt to go to the NSWL BIN directory:
cd c:\nswl\bin
3. Enter the following command to verify the NSWL configuration:
nswl -verify -f c:\nswl\etc\log.conf
Expected result: You should receive the error "Netscaler IP not found in the configuration
file!" since NSWL has not yet been configured.
4. Enter the following command to add the NSIP address to the NSWL log file:
nswl -addns -f c:\nswl\etc\log.conf
5. At the prompt NSIP:, enter 192.168.30.105.
6. At the prompt userid:, enter nsroot.
7. At the prompt password:, enter nsroot.
8. Enter the following command to verify the NSWL configuration once more.
nswl -verify -f c:\nswl\etc\log.conf
Expected result: You should receive a correct confirmation message this time.
9. Make a backup copy of the log.conf file (with the configured NSIP address) for later use.
• Open Windows Explorer and browse to c:\NSWL\etc\.
• Make a copy of log.conf.
• Name the copy default.log.conf.

Running the NSWL Client with Default Filters


Use the following procedure to run the NSWL client with default filters:
1. On the hosted client, go to Start > Command Prompt.

2. Enter the following command in the command prompt to go to the NSWL BIN directory:
cd c:\nswl\bin
3. Launch the NSWL client in standalone mode.
nswl -start -f c:\nswl\etc\log.conf -d 1

The NSWL client uses the default filter format W3C.


Keep the command prompt open to keep the NSWL client running.
4. Open a browser window and browse to http://afweb.training.lab and reload the
page several times.
5. Wait for the C:\NSWL\bin\Ex<date>.log log file to increase in size.
6. Stop the NSWL client. Enter CTRL+C to interrupt the process.
7. View the log files generated in the C:\NSWL\BIN\ directory:
• Debug Log files: nswl.log-<date/time>
With debug level 1, minimal information is logged.
• Transaction Log files: Ex<date>.log
Log file is in W3C format since this is the format specified in the default filter.
Log files can be viewed in Notepad.
8. Rename the Transaction log file to Test1_default_w3c.log. The NSWL client will
increment the file the next time it restarts and will not overwrite the content.

This step is included to ensure specific files can be compared between tests.

9. Change the NSWL log format to NCSA:


a. Open the C:\nswl\etc\log.conf file with Wordpad.
b. Change the logFormat value in the begin default section of the log.conf file to NCSA.
c. Save the log.conf file.
10. Re-launch NSWL client in standalone mode. The NSWL client now uses the NCSA filter.
nswl -start -f c:\nswl\etc\log.conf -d 1
11. Open a browser window and browse to http://afweb.training.lab and reload the
page several times.
12. From the command prompt, enter CTRL+C to interrupt the NSWL client process.
13. Rename the new C:\NSWL\bin\Ex<date>.log log file to
Test2_default_ncsa.log.
14. Compare the two transaction log files to see the difference between W3C and NCSA logging.

Configuring Web Logging Filters
Use the following procedure to configure web logging filters:
1. Create a new log folder called C:\NSWL\LOGS\ and edit the log.conf file to use it:
a. Open the C:\nswl\etc\log.conf file with Wordpad.
b. In the begin default section of the log.conf file, change the logFilenameFormat value to:
C:\nswl\Logs\Default_%{%y%m%d}t.log
2. Add a new filter to log.conf for the AFWeb virtual server. Below the end default section of the
log.conf file, enter the following:
Filter afweb HOST afweb.training.lab ON

Begin afweb
logFormat NCSA
logInterval daily
logFileSizeLimit 100
logExclude .gif .jpg .css
logFilenameFormat C:\NSWL\LOGS\afweb_%{%y%m%d}t.log
end afweb
3. Save and close log.conf.
4. Enter the following command to run the NSWL client as a standalone process with a debug
level of 3:
nswl -start -f C:\NSWL\etc\log.conf -d 3
5. Open Firefox and browse to http://afweb.training.lab and reload the page several
times.
6. Wait for the C:\nswl\Logs\afweb_<date>.log file to increase in size.
7. Close Firefox, then enter CTRL+C in the command prompt to stop the NSWL client.
8. Inspect the log files that were generated. Notice:
• Only the Troubleshooting log files were generated in the C:\nswl\Bin\ directory.
• Debug log files were generated with debug level 3.
• Two separate log files were created in the C:\nswl\Logs\ directory, one for the afweb
filter named afweb_<date>.log and one for all other traffic Default_<date>.log
based on the default filter.
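To see what the two transaction log formats compared earlier (Test1_default_w3c.log and Test2_default_ncsa.log) actually carry, and what the logExclude line in the afweb filter drops, here is an added Python example; it is not part of NSWL or this course. The sample log lines are constructed, and the #Fields list is an assumption about what NSWL writes for logFormat W3C.

```python
"""Parse NSWL transaction logs written in W3C and NCSA format.

Added example for this workbook; not part of the NSWL tooling. The two
samples below are constructed to resemble the Test1_default_w3c.log and
Test2_default_ncsa.log files the exercise compares; the exact #Fields list
NSWL writes depends on the logFormat configured in log.conf (assumption).
"""
import re
import shlex
from datetime import datetime

# Constructed W3C sample (default filter, logFormat W3C).
W3C_SAMPLE = """\
#Version: 1.0
#Software: Netscaler Web Logging(NSWL)
#Date: 2016/08/17 21:28:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes cs(User-Agent)
2016-08-17 21:28:01 192.168.10.21 GET /index.html 200 4130 "Mozilla/5.0"
2016-08-17 21:28:02 192.168.10.21 GET /logo.gif 200 812 "Mozilla/5.0"
2016-08-17 21:28:03 192.168.10.22 GET /admin 403 215 "curl/7.47"
"""

# Constructed NCSA sample for the same three requests (logFormat NCSA).
NCSA_SAMPLE = """\
192.168.10.21 - - [17/Aug/2016:21:28:01 -0400] "GET /index.html HTTP/1.1" 200 4130
192.168.10.21 - - [17/Aug/2016:21:28:02 -0400] "GET /logo.gif HTTP/1.1" 200 812
192.168.10.22 - - [17/Aug/2016:21:28:03 -0400] "GET /admin HTTP/1.1" 403 215
"""

# NCSA common log format: client ident user [timestamp] "request" status bytes
NCSA_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_w3c(text):
    """Return one dict per request, named by the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith('#'):
            if line.startswith('#Fields:'):
                fields = line[len('#Fields:'):].split()
            continue  # #Version, #Software and #Date carry no requests
        if fields is None:
            raise ValueError('data line before #Fields directive')
        row = dict(zip(fields, shlex.split(line)))  # keeps quoted columns intact
        records.append({
            'time': datetime.strptime(row['date'] + ' ' + row['time'],
                                      '%Y-%m-%d %H:%M:%S'),
            'client': row['c-ip'],
            'method': row['cs-method'],
            'path': row['cs-uri-stem'],
            'status': int(row['sc-status']),
            'bytes': int(row['sc-bytes']),
            'user_agent': row.get('cs(User-Agent)'),
        })
    return records


def parse_ncsa(text):
    """Return the same record shape from NCSA common log lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = NCSA_RE.match(line)
        if m is None:
            raise ValueError('not an NCSA common log line: ' + line)
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        records.append({
            'time': ts.replace(tzinfo=None),
            'client': m['client'],
            'method': m['method'],
            'path': m['path'],
            'status': int(m['status']),
            'bytes': 0 if m['bytes'] == '-' else int(m['bytes']),
            'user_agent': None,  # the NCSA common format has no User-Agent column
        })
    return records


def request_keys(records):
    """Project records onto the fields both formats carry, for comparison.

    Time is left out on purpose: W3C logs are conventionally written in GMT
    while NCSA lines carry a local offset, so timestamps need separate care.
    """
    return [(r['client'], r['method'], r['path'], r['status'], r['bytes'])
            for r in records]


def apply_log_exclude(records, suffixes=('.gif', '.jpg', '.css')):
    """Approximate the log.conf logExclude directive: drop requests whose URI
    ends with one of the listed extensions, as the afweb filter does."""
    suffixes = tuple(s.lower() for s in suffixes)
    return [r for r in records if not r['path'].lower().endswith(suffixes)]
```

Running the two parsers over real Test1 and Test2 files shows which columns (User-Agent, Referer, service name) are lost when switching the default filter from W3C to NCSA.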

Running the NSWL Client as a Service


Use the following procedure to install and run NSWL as a Windows service.
1. On the hosted client, open a command prompt.

2. Enter the following command in the command prompt to go to the NSWL BIN directory:
cd c:\nswl\bin
3. Enter the following command to install the NSWL client as a service on Windows:
nswl -install -f C:\NSWL\etc\log.conf

Verify the command returns a message confirming the NetScaler Web Logging service was
installed.
4. View the NSWL service registry key:
a. From the StudentDesktop virtual machine, go to Start, type Run in the Search field,
click on Run, then type regedit.
b. Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nswlsvc\
c. View the ImagePath value: C:\nswl\bin\nswl.exe -log -f C:\NSWL\etc\log.conf
The registry key shows the location of the nswl.exe and log.conf files as configured during the
service install process (nswl -install). Use the registry key to verify the configuration and
to troubleshoot NSWL if there are issues starting the service.

Modifying the registry key directly is not recommended. If changes are required,
remove and re-install NSWL as a service with the corrected values.

5. Close the Registry editor.


6. From the StudentDesktop virtual machine, go to Start, type Run in the Search field, click on
Run, then type services.msc.
7. View the NetScaler Weblogging Service status from services console. Expected result: The
NetScaler Weblogging Service was successfully installed as a service and now appears in the
Windows Services list.
8. Return to the command prompt.
9. Enter the following command to start the NSWL service:
nswl -startservice
When running as a service, the NSWL client can be started/stopped from either the command
prompt window or the Services management console. The command prompt need not stay
open to keep the service running, unlike in stand-alone mode.


Module 10: Appendix A: Troubleshooting Common Issues
Troubleshooting Common Issues
Common Issues
Common issues encountered during NetScaler operations include:
• High availability
• Load balancing
• SSL offloading
• Networking
• Global server load balancing
• Content Switching

High Availability
High-availability issues include:
• Configuration synchronization failure
• File synchronization failure
• Unexpected failover

Configuration Synchronization Failure


Synchronization failure can be a result of connectivity issues, duplex mismatches, packet drops, or
the /netscaler/nsnetsvc process not running. Perform the following tasks if synchronization between
the primary and secondary node fails:
• Verify that the primary and secondary nodes can communicate with each other. Management
and heartbeat messages are sent through layer 2 protocols. Layer 2 connectivity between the
two high-availability nodes must allow the heartbeat to be received within 3 seconds.
• Ensure that any configured ACLs permit communication between the pair.
• Enter the following command to check the inetd.conf file to ensure the /netscaler/nsnetsvc process
is not disabled:
ns# more /etc/inetd.conf
Ensure the nsnetsvc stream tcp nowait root /netscaler/nsnetsvc nsnetsvc line is not
commented out.
• Enter the following command in the shell to check the ns_com_cfg.conf file on the secondary
node, and ensure that the /tmp directory has write permissions. For example:
ls -ld /tmp
drwxrwxrwt 4 root wheel 512 Aug 17 21:28 /tmp
• Verify that the two nodes are not running different versions of the NetScaler operating system.

File Synchronization Failure


Both nodes in a high-availability pair may need a set of common configuration or certificate files,
depending on the deployment needs. If so, files may need to be manually synchronized. For
example, if SSL offload is enabled, then SSL certificates must be copied to the same location
(directory) on both nodes. Similar examples include vsr.html (for SureConnect), any manually
customized files, or any other batch files containing configuration commands.
Enter the following command in the command-line interface to manually synchronize files between
nodes in a high-availability pair:
sync ha files mode

The following table lists available arguments.

Argument    Description
mode        Specifies the sync mode. Possible values include:
            • all
            • bookmarks
            • ssl
            • htmlinjection
            • imports

The following table lists paths corresponding to synchronization mode.

Mode            Path
all             /nsconfig/ssl/
                /var/vpn/bookmarks/
                /nsconfig/htmlinjection/
ssl             /nsconfig/ssl/
bookmarks       /var/vpn/bookmarks/
htmlinjection   /nsconfig/htmlinjection/

Unexpected Failover
If the NetScaler systems are failing over unexpectedly, then enter the following command in
command-line interface to view current events that may be causing the failover.

root@ns# nsconmsg -d event

Possible causes include:


• An interface is down.
• An SSL acceleration card is down.
• The primary node has failed.

Load Balancing
Load-balancing issues include:
• Uneven load balancing
• Service/virtual IP address flapping

Uneven Load Balancing


The following table lists items to check when looking to explain and diagnose uneven load
balancing.

Item: Slow Start
Description: The NetScaler system performs a slow start to avoid overloading physical servers.
During the slow start phase, the NetScaler system distributes requests by round robin, regardless
of the actual load balancing method configured on the virtual server. However, it does honor the
configured weight on bindings even during round robin. A slow start occurs in any of the following
conditions:
• The load balancing method changes
• A new server is bound to a virtual server
• An existing server binding is removed from a virtual server
• A server changes its status from DOWN to UP
A constant slow start indicates service flapping.

Item: Persistence
Description: When enabled, persistence may create uneven loading because the NetScaler system
must direct requests from a specific client to a specific server. Only unique or expired clients get
balanced according to the load balancing method.

Item: Inconsistent Server Performance
Description: Performance across a set of servers is seldom consistent. Therefore, some servers serve
requests faster and, based on the load balancing method configured, will likely cause an uneven
balance. The degree of imbalance increases as the degree of inconsistency between the servers
increases.

Item: Service Weights
Description: Service weights can result in uneven load balancing. The services with less weight
serve fewer requests.

Service/Virtual Server Flapping


A service flaps most likely because its monitors are failing.

Enter the following command in the command-line interface to obtain detailed monitoring and status
information:
show service service
In most cases, assume that the monitor is failing legitimately and troubleshoot the issue on the
servers themselves. It is also possible that the monitor configuration is causing service flapping by
monitoring too frequently or for the wrong response. The configuration should then be inspected
for any issues.
A virtual server goes down when all of the bound services go down, so a virtual server that flaps is
likely the result of services that are flapping. Follow the advice for service flapping to determine
why the virtual server is flapping.

SSL Offloading
SSL offloading issues include:
• Access to the SSL VIP address failing
• Certificate-related warnings occurring
• Intermediate cert not being properly linked
• Browser warning showing an insecure web page

Access to SSL VIP Address Failing


This issue typically occurs when the certkey (certificate-key pair entity on the NetScaler system) is
not bound. Enter the following command in the command-line interface to show this state:
show ssl vserver vserver_name
The following table lists the available arguments.

Argument Description
vserver_name Specifies the name of the SSL virtual server

Enter the following command in the command-line interface to resolve the issue:

bind ssl certKey (vserver_name | service_name) certkey_name

The following table lists available arguments.

Argument        Description
vserver_name    Specifies the name of the SSL virtual server to which the
                certificate-key pair needs to be bound
service_name    Specifies the name of the SSL service to which the
                certificate-key pair needs to be bound. Use the add service
                command to create this service.
certkey_name    Specifies the object name for the certificate-key pair

Certificate-Related Warnings Occurring


Potential causes of this issue include:
• The certkey domain does not match the domain in the browser address bar.
• The site is accessed by IP address.
• The certificate is expired.
• The intermediate certificate is not installed or is not bound to the certkey.
The first two causes can be resolved by using the correct domain in the browser address bar. The
third cause requires installation of an updated valid cert. The fourth cause requires a linked
intermediate certificate.

The fourth cause can also be resolved by the end user accepting the cert when accessing an
internal site. This option is not a good practice with test certificates, as those certificates
can be used on public sites. Once the certificate is accepted, the end user will never be
prompted and may not be aware they are trusting a site with an invalid certificate.

Intermediate Certificate Not Being Properly Linked


Certain server certificates might be issued by a CA that is not in the browser's trusted store by
default. In that case, an intermediate certificate that establishes the chain of trust needs to be
added to the NetScaler system and linked to the certkey. When the certificate is presented to the
end user, the intermediate certificate is also provided, and trust is established. The intermediate
certificate needs to be added and then linked to the certkey in question.

Browser Warning Showing an Insecure Web Page
This commonly occurs with static content like images that are served up on an SSL encrypted page;
this is not a problem and either the images can be provided securely or the user can ignore the
warnings.

Certificates Expiring
The NetScaler system can alert on certificate expiry and new certificates can be uploaded and
bound to the SSL virtual server by unbinding the old cert and binding the new one.

Content Switching
The following table lists content-switching issues.

Issue: Traffic not hitting the intended load balancing virtual IP address
Resolution: Make sure that content switching is enabled, the policies are configured, and the
load-balancing virtual server is bound with a policy to the content switching virtual server.

Issue: Policy not being matched properly
Resolution: Use the policy evaluator tool to ensure the policy matches the expected content.

Issue: No content being served
Resolution: Make sure the back-end resources are available for the load-balancing virtual server
and that the services are passing health checks.

Global Server Load Balancing


The following table lists global-server load-balancing issues.

Issue: Metric Exchange Protocol (MEP) not being formed
Description: First, make sure that MEP is enabled on both IP addresses and that they are pointing
to the correct ones on each site. Then check that communication between the sites for the MEP IP
addresses is working and that there are no firewalls or ACLs blocking the traffic.

Issue: Remote site not coming up
Description: When this issue occurs, make sure that the load balancing virtual server on the remote
site is passing all its health checks and that the other site is either reachable by MEP or by direct
health checks from the working site.

Issue: DNS not working
Description: If the NetScaler system is resolving DNS queries (ADNS mode), then make sure that the
entry for that domain is present. If so, then make sure it is accepting DNS queries on the ADNS
service and that it is up. If the NetScaler system is operating as a DNS proxy, then make sure that
the back-end DNS servers are responding and that the virtual server and services are up.

Networking
Networking issues include:
• Duplex mismatch or misconfigured interface settings
• Unresponsive system
• Inaccessible content
Several common issues can be checked and discarded early in the troubleshooting process,
including a slow NetScaler system due to a duplex mismatch, an unresponsive system and
inaccessible content.

The NetScaler system always draws power when it is plugged in. Therefore, an occasional
simple reboot does not clear severe console hang conditions. Completely remove the
power from the units (unplug them from the outlets) for 30 seconds and then power them
back on.

Duplex Mismatch or Misconfigured Interface Settings


If the duplex setting on the NetScaler system does not match the setting on the switch or router on
which it is connected, the NetScaler system may be slow to respond to requests. To investigate this
issue, click View console messages in the Diagnostics pane of the System node.
IP address conflicts or a duplex mismatch alert should be checked. Interfaces can be configured in
the Interfaces screen of the Network node.
Enter the following command in the command-line interface to correctly set the interface:

set interface id -speed speed -duplex duplex_mode

The following table lists available arguments.

Argument              Description
id                    Specifies the interface ID, for example 1/1 or 1/5
-speed speed          Specifies the network speed, which can be set to Auto,
                      10, 100 or 1000
-duplex duplex_mode   Specifies the duplex mode, which can be Auto, Full or
                      Half

Enter the following command to obtain detailed interface statistics and switch port settings:

sh interface n/n

The following table lists available arguments.

Argument Description
n/n Specifies the appropriate interface

Incorrect interface settings usually result in an interface that will not come up. It is
important to ensure that the configuration on the NetScaler interface closely resembles the
configuration on the corresponding switch/router interface. Ensure that speed, duplex, and
flow control settings match.

Inaccessible Content
If content located behind the NetScaler system is inaccessible, the following items should be
verified:
• Have configuration changes been made to servers or network devices?
• Have configuration changes been made to server, service, or virtual server objects?
• Can the site be accessed directly (in other words, bypassing the NetScaler system)?
• Can the server and port be accessed using Telnet?

Caching
The following table lists cache issues.

Issue: Incorrect content being cached
Description: Improper configuration of the Integrated Caching feature may cause users to see
incorrect content served from the cache. Enter the following command in the command-line
interface to determine whether a particular object is in the cache:
show cache object -url url -host hostname
Enter this command after making an initial request for the object (for example, using a web
browser) to give the NetScaler system a chance to cache the object. If the object is not in the
cache, the NetScaler system reports "ERROR: No such resource."
To determine if an object served from the cache does not match the object served from the back-end
Web server(s), compare the HTTP responses from:
• A client with a connection through the NetScaler system
• A client with a connection not through the NetScaler system
If the responses differ, the responses received from clients passing through the NetScaler system
are erroneous and the issue requires troubleshooting.
Verify if there are any cache selectors configured that could serve the same object for different
VIP addresses.

Issue: Expired content being served
Description: Proper expiry headers are not being provided; check the content on the servers and
the invalidation parameters.

Issue: Cache expiry causing traffic surge to the back-end
Description: Decrease the timeouts for the cached content or create different content groups that
expire at different times so all the content is not expiring at the same time. Enable the prefetch
option.


Module 11: NetScaler Practicum
Practice Exercises
Company XYZ has purchased a NetScaler appliance as their Application Delivery Controller. As an
administrator you are required to configure the NetScaler to meet the requirements in each of the
scenarios below.

Requirements: Part I
Configure the NetScaler System to meet the below mentioned requirements. Make a note and test
the configuration when prompted.
1. By default, access to the NetScaler is not secured. Configure your NetScaler such that access to
the NetScaler system should be secured. Both the management access as well as the
communication between two systems in an HA pair should be secured by encrypting the traffic
using SSL capabilities. Verify that the NetScaler system can be accessed only in a secured way.
2. Create a complete set of user accounts, groups, and command policies. Then bind each policy
with the appropriate groups and users. Assume that initial installation and configuration have
already been performed on the NetScaler. The company has three users who will access the
system:

John Berry       The IT manager. John needs to see all parts of the NetScaler
                 configuration, but does not need to modify anything.
Maria Johnson    The lead IT administrator. Maria needs to be able to see and
                 modify all parts of the NetScaler configuration.
Michael George   The IT administrator in charge of load balancing. Michael needs
                 to be able to see most parts of the NetScaler configuration, but
                 only needs to modify the load balancing functions.

3. Create two vservers, one with HTTP services on Red and Blue servers and one with HTTP
services on the Green server. Specify the second vserver as the backup vserver for the first.
Verify the configuration by disabling the primary vserver and connecting to your chosen VIP.

Requirements: Part II
Configure the NetScaler System to meet the below mentioned requirements. Make a note and test
the configuration when prompted.
1. Consider the following scenario and perform the following tasks. Each online customer is given
a Student ID that indicates their gender (M/F) followed by a dash, followed by the year that
they entered the school (YYYY), followed by a dash and followed by a random five digit
number. Example IDs:
• F-2005-12345
• -1998-44444
• Write the narrowest regular expression possible for the Student ID. Assume that the
university was founded in 1950.
• Assume that the dashes are optional. Write a regular expression that will match this ID
number.
2. A security breach occurred where the cell phone number of the CEO (123-555-4567) was
released on the AFWeb "Safe Object" web page. Ensure that all instances of phone numbers are
removed from the web page before being sent. However, ensure that no other information is
blocked.
3. The CEO of the company Company M'Ore has been blocked by other Application Firewalls
because of SQL injection. Using the SQL Injection page on AFWeb, set up the form so that it
allows you to enter the lookup values of Jon Williams-Smith and Company M'Ore, but will
block Jon' or '1=1.
4. The Application Firewall can be fingerprinted by its session cookie. Rename the cookie to mask
the Application Firewall.
5. The web application needs to accept email addresses in the format Name <name@domain> in
the form field on the www.afweb.net XSS Demonstration page. However, the customer does
not feel safe enough to allow a relaxation on the file for XSS. Configure the Application
Firewall to allow email addresses in the field and to prevent XSS attacks.
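An added Python example (not the course's answer key) for checking candidate patterns from tasks 1 through 3 above before putting them into Application Firewall rules. It assumes student-ID years run from 1950 through 2016, that phone numbers take the NNN-NNN-NNNN form of the CEO example, and it models the SQL injection check as a simplified special-character-AND-keyword rule rather than the real engine.

```python
"""Offline checks for the Part II pattern-matching tasks.

Added example, not the course answer key. Assumptions: student-ID years run
from the founding year 1950 through 2016 (this workbook's year); phone numbers
take the NNN-NNN-NNNN form of the CEO example; the SQL injection model is a
simplified "special character AND keyword" rule, not the NetScaler
Application Firewall engine itself.
"""
import re

# Task 1a: one gender letter, dash, a year 1950..2016, dash, five digits.
YEAR = r'(?:19[5-9]\d|200\d|201[0-6])'
STUDENT_ID = re.compile(r'^[MF]-' + YEAR + r'-\d{5}$')
# Task 1b: the same ID with each dash optional.
STUDENT_ID_LOOSE = re.compile(r'^[MF]-?' + YEAR + r'-?\d{5}$')
# Task 2: the phone-number shape to strip from the Safe Object page (assumed format).
PHONE = re.compile(r'\b\d{3}-\d{3}-\d{4}\b')
# Task 3: simplified model of the "SQL special character AND keyword" idea.
SQL_SPECIAL = re.compile(r"['\";]|--")
SQL_KEYWORD = re.compile(
    r'\b(?:or|and|select|union|insert|update|delete|drop|exec)\b', re.IGNORECASE)


def is_student_id(value, dashes_optional=False):
    """True when value is a well-formed Student ID under the chosen rule."""
    pattern = STUDENT_ID_LOOSE if dashes_optional else STUDENT_ID
    return pattern.fullmatch(value) is not None


def mask_phone_numbers(text, mask='XXX-XXX-XXXX'):
    """Replace every phone number and nothing else; other digit runs survive."""
    return PHONE.sub(mask, text)


def sql_injection_suspected(value):
    """Flag input only when a special character AND an SQL keyword both occur.

    "Company M'Ore" has an apostrophe but no keyword, so it passes;
    "Jon' or '1=1" has both, so it is blocked.
    """
    return bool(SQL_SPECIAL.search(value)) and bool(SQL_KEYWORD.search(value))
```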

Requirements: Part III


Configure the NetScaler System to meet the below mentioned requirements. Make a note and test
the configuration when prompted.
1. Create a note for the configuration details of the NetScaler system assigned to you:
• The build running
• The Serial number of the NetScaler
• The port settings (speed, duplex, flow control, monitoring)
• List the routes that have been used to reach servers on other subnets
• List the enabled features and modes on the NetScaler system
• Is the Layer 2 mode enabled?

• Describe two scenarios that would call for a) enabling Layer 2 mode and b) disabling it
• Is the MAC-based forwarding feature enabled?
• Describe two scenarios that would call for a) enabling MAC-based forwarding and b)
disabling it
• Have the default settings of the surge protection feature been changed?
• Describe scenarios that would call for changing the default surge protection behavior

Citrix Hands-on Labs
What are Hands-on Labs?
Hands-on Labs from Citrix Education allow you to revisit, relearn, and master the lab exercises
covered during the course. This offer gives you 25 days of unlimited lab access to continue your
learning experience outside of the classroom.

Claim introductory pricing of $500 for 25 days of access. Contact your Citrix Education
representative or purchase online here.

Why Hands-on Labs?

Practice outside of the classroom: You'll receive a fresh set of labs, giving you the opportunity to
recreate and master each step in the lab exercises.

Test before implementing: Whether you're migrating to a new version of a product or have
discovered a product feature you previously didn't know about, you can test it out in a safe
sandbox environment before putting it into live production.

25 days of access: Get unlimited access to the labs for 25 days after you launch, giving you
plenty of time to sharpen your skills.

Certification exam preparation: Get ready for your Citrix certification exam by practicing test
materials covered by lab exercises.

851 West Cypress Creek Road Fort Lauderdale, FL 33309 USA (954) 267 3000 www.citrix.com
Rheinweg 9 8200 Schaffhausen Switzerland +41 (0) 52 63577 00 www.citrix.com
© Copyright 2016 Citrix Systems, Inc. All rights reserved.