How To Configure NetScaler for Exchange 2013

Basic Principles and Design Choices

When we talk about load balancing Exchange CAS, it is mostly about load-balancing HTTPS traffic. While the other types of traffic (SIP, SMTP, IMAP4 and so on) are also important, they are not nearly as big in terms of volume and not nearly as complex. That is why most of this article is about load balancing HTTPS traffic.

In our design, we followed both Microsoft and Citrix recommendations. Microsoft has a good but rather theoretical article (Load Balancing in Exchange 2013) on Exchange 2013 CAS load balancing. Drawing on our experience of working with both NetScaler and Exchange, we decided on the following:

  1. We use a single namespace with a Layer 7 proxy and no session affinity.
  2. All the idle timeouts on the NetScaler must be at least 1.5 times longer than on Exchange server.
  3. As described in the article above, we created custom monitors for all the Exchange web apps and bound them to their respective back-end entities (service groups). That allows us to adhere to the Microsoft-recommended health-per-protocol principle.
  4. Exchange 2013 load balancing does not require any connection persistence.

Preparing Exchange CAS Servers

Configuring an Exchange CAS server correctly is a vast task, but here we are only interested in the parts related to load balancing. In Exchange 2013 there are no CAS arrays anymore, so there is no need to create one. The only thing to do is to configure the TCP/IP idle timeout. The default value is two hours; set it to 20 minutes. This is done through the registry. By default this parameter does not exist in the registry, so we need to add it:

    Name: KeepAliveTime
    Path: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Data Type: REG_DWORD
    Value: 0x124F80 (1,200,000 milliseconds)

General Architecture of the SSL Content Switch

Below is the load-balancing architecture as seen by Microsoft:

[Figure 1: Exchange 2013 CAS load-balancing architecture as described by Microsoft (image not included)]

The basic idea is that a Layer 7 proxy gives us an independent logical entry point for each Exchange web app, which in turn allows us to switch each of them on and off independently based on its individual health rather than the overall health of the server. Now, let us see how this general architecture can be translated into a NetScaler configuration.

First thing that comes to mind is that some web apps can be grouped together to avoid excessive complexity. We grouped together OWA and ECP. Also, our testing indicates that Outlook Anywhere (RPC) and EWS need to be grouped together in order to avoid transient Outlook errors. In addition, we are not implementing MAPI at this point. It can be easily added later. Finally, we need a catchall default entity for cases when URL does not match anything. The general diagram is presented in Figure 2.

As you can see, the user connects to the Content Switch first. The Content Switch directs the user’s request to the appropriate LB Virtual Server based on the URL. Finally, a Service Group is bound to each Virtual Server. It is important to note that, since all the Exchange web apps live on the same server and the same TCP port, all five Virtual Servers and all five Service Groups are nearly identical to each other; they differ only in their monitors.

[Figure 2: Content Switch, LB Virtual Servers and Service Groups for Exchange on NetScaler (image not included)]

Implementing Exchange Web Load-Balancing

Creating Health Monitors

Starting with Exchange 2013, we can check individual Exchange app’s health by running a simple HTTP query with the URL https://<server>/<app>/healthcheck.htm. If the app is healthy, the code 200 is returned. NetScaler allows us to easily create Monitors.

Figure 3 and Figure 4 show how to create Monitor for OWA. Make sure to do the following:

  1. Select type HTTP-ECV.
  2. Uncheck LRTM.
  3. Check Secure.
  4. Specify Send String: “GET /owa/healthcheck.htm”
  5. Specify Return String: “200”.

[Figure 3 and Figure 4: creating the OWA HTTP-ECV monitor in the GUI (images not included)]

To create Monitors for all the other apps, repeat the same steps with the app-appropriate URLs. Alternatively, you can create all the monitors more efficiently by running the following commands in the NetScaler CLI:

    add lb monitor https-ecv-mail-owa HTTP-ECV -send "GET /owa/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
    add lb monitor https-ecv-mail-ecp HTTP-ECV -send "GET /ecp/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
    add lb monitor https-ecv-mail-ews HTTP-ECV -send "GET /EWS/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
    add lb monitor https-ecv-mail-msa HTTP-ECV -send "GET /Microsoft-Server-ActiveSync/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
    add lb monitor https-ecv-mail-oab HTTP-ECV -send "GET /OAB/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
    add lb monitor https-ecv-mail-rpc HTTP-ECV -send "GET /Rpc/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
    add lb monitor https-ecv-mail-mapi HTTP-ECV -send "GET /MAPI/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES
    add lb monitor https-ecv-mail-autodisc HTTP-ECV -send "GET /AutoDiscover/healthcheck.htm" -recv 200 -LRTM DISABLED -secure YES

Simply copy and paste them into the NetScaler CLI.

Creating Service Groups

First, before even creating Service Groups, we need to create Servers. That is easy enough: just specify a name and the IP address of a CAS server (see Figure 5). Create one Server object for each CAS server you have. We created two, CAS1 and CAS2.

[Figure 5: creating a Server object for a CAS server (image not included)]

Example: Creating OWA Service Group Using GUI

The next step is to create Service Groups in accordance with Figure 2. Again, let us look at OWA as an example. When adding a new Service Group using GUI, make sure you do the following:

  1. Select SSL as Protocol (Figure 6).
  2. Add all CAS servers by a) selecting Server Based; b) selecting the server from the list; c) specifying port 443 and d) clicking Add (Figure 6).
  3. Add OWA and ECP monitors on the Monitors tab (Figure 7).
  4. Enter 1800 as both the client and server timeouts on the Advanced tab (Figure 8).
  5. Enable the client IP address in the header by a) clicking on Override Global; b) clicking on Client IP and c) entering “X-Forwarded-For” as the Header (Figure 8). This lets you see client IP addresses (instead of the NetScaler IP address) in the Exchange logs.

Of course, creating all the Service Groups this way can be tedious, especially if you have more than one Exchange access point. In addition, as noted above, the Service Groups are almost identical (except for the Monitors). It makes sense to automate this.

[Figures 6 to 8: OWA Service Group creation, Monitors tab and Advanced tab in the GUI (images not included)]

Creating All the Service Groups Using CLI

First, run the following to create Service Group objects:

    add serviceGroup mail_owa SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 1800 -svrTimeout 1800 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED
    add serviceGroup mail_as SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 1800 -svrTimeout 1800 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED
    add serviceGroup mail_rpc SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 1800 -svrTimeout 1800 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED
    add serviceGroup mail_autodisc SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 1800 -svrTimeout 1800 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED
    add serviceGroup mail_oab SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 1800 -svrTimeout 1800 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED
    add serviceGroup mail_d SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 1800 -svrTimeout 1800 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED

Here is the convention used:

  • “_owa” – OWA and ECP;
  • “_as” – ActiveSync;
  • “_rpc” – Outlook Anywhere and EWS;
  • “_autodisc” – Autodiscover;
  • “_oab” – OAB;
  • “_d” – Catch all.

Then, run the following to bind all CAS servers to all Service Groups:

    bind serviceGroup mail_owa CAS1 443 -CustomServerID "\"None\""
    bind serviceGroup mail_owa CAS2 443 -CustomServerID "\"None\""
    bind serviceGroup mail_as CAS1 443 -CustomServerID "\"None\""
    bind serviceGroup mail_as CAS2 443 -CustomServerID "\"None\""
    bind serviceGroup mail_rpc CAS1 443 -CustomServerID "\"None\""
    bind serviceGroup mail_rpc CAS2 443 -CustomServerID "\"None\""
    bind serviceGroup mail_autodisc CAS1 443 -CustomServerID "\"None\""
    bind serviceGroup mail_autodisc CAS2 443 -CustomServerID "\"None\""
    bind serviceGroup mail_oab CAS1 443 -CustomServerID "\"None\""
    bind serviceGroup mail_oab CAS2 443 -CustomServerID "\"None\""
    bind serviceGroup mail_d CAS1 443 -CustomServerID "\"None\""
    bind serviceGroup mail_d CAS2 443 -CustomServerID "\"None\""

And finally, bind all the monitors to their respective Service Groups:

    bind serviceGroup mail_owa -monitorName https-ecv-mail-owa
    bind serviceGroup mail_owa -monitorName https-ecv-mail-ecp
    bind serviceGroup mail_as -monitorName https-ecv-mail-msa
    bind serviceGroup mail_rpc -monitorName https-ecv-mail-ews
    bind serviceGroup mail_rpc -monitorName https-ecv-mail-rpc
    bind serviceGroup mail_oab -monitorName https-ecv-mail-oab
    bind serviceGroup mail_autodisc -monitorName https-ecv-mail-autodisc
    bind serviceGroup mail_d -monitorName tcp

Note: We are using the default TCP Monitor for the catch-all Service Group.

Creating LB Virtual Servers

Additional consideration: by default, all the NetScaler HTTP and SSL Virtual Servers have caching enabled. Our experience indicates that caching causes problems for some Exchange clients. Based on Microsoft’s recommendation, we disabled caching by applying “NoCache” policy.

Example: Creating OWA LB Virtual Server Using GUI

When creating the OWA LB Virtual Server, make sure you do the following:

  1. Select HTTP Protocol (Figure 9).
  2. Uncheck Directly Addressable checkbox (Figure 9).
  3. On the Service Groups tab, check the checkbox next to the “mail_owa” Service Group (Figure 10).
  4. On the Policies tab, click on Cache (Request) and bind the “_noCacheRest” policy by clicking on Insert Policy and selecting the policy name from the drop-down list (Figure 11).
  5. Do not change anything on the Methods and Persistence tab as we do not need any persistence (Figure 12).
  6. On the Advanced Tab, enter “1800” in the Client Timeout field (Figure 13).

[Figures 9 to 13: OWA LB Virtual Server settings, Service Groups tab, Policies tab, Methods and Persistence tab, Advanced tab (images not included)]

Creating All the LB Virtual Servers Using CLI

First, create the LB Virtual Servers:

    add lb vserver mail.citrix.com_443_owa HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 1800
    add lb vserver mail.citrix.com_443_as HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 1800
    add lb vserver mail.citrix.com_443_rpc HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 1800
    add lb vserver mail.citrix.com_443_autodisc HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 1800
    add lb vserver mail.citrix.com_443_oab HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 1800
    add lb vserver mail.citrix.com_443_d HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 1800

Second, disable caching:

    bind lb vserver mail.citrix.com_443_owa -policyName _noCacheRest -priority 100 -gotoPriorityExpression END -type REQUEST
    bind lb vserver mail.citrix.com_443_as -policyName _noCacheRest -priority 100 -gotoPriorityExpression END -type REQUEST
    bind lb vserver mail.citrix.com_443_rpc -policyName _noCacheRest -priority 100 -gotoPriorityExpression END -type REQUEST
    bind lb vserver mail.citrix.com_443_autodisc -policyName _noCacheRest -priority 100 -gotoPriorityExpression END -type REQUEST
    bind lb vserver mail.citrix.com_443_oab -policyName _noCacheRest -priority 100 -gotoPriorityExpression END -type REQUEST
    bind lb vserver mail.citrix.com_443_d -policyName _noCacheRest -priority 100 -gotoPriorityExpression END -type REQUEST

Finally, bind the Service Groups to their respective LB Virtual Servers:

    bind lb vserver mail.citrix.com_443_owa mail_owa
    bind lb vserver mail.citrix.com_443_as mail_as
    bind lb vserver mail.citrix.com_443_rpc mail_rpc
    bind lb vserver mail.citrix.com_443_autodisc mail_autodisc
    bind lb vserver mail.citrix.com_443_oab mail_oab
    bind lb vserver mail.citrix.com_443_d mail_d

Additionally, if you are using XenMobile NetScaler Connector (XNC), you need to bind XNC responder policies to the ActiveSync virtual server:

    bind lb vserver mail.citrix.com_443_as -policyName <POLICY_W_DEVICEID> -priority 90 -gotoPriorityExpression END -type REQUEST
    bind lb vserver mail.citrix.com_443_as -policyName <POLICY_WO_DEVICEID> -priority 100 -gotoPriorityExpression END -type REQUEST

Creating the Content Switch

Exchange Content Switch exists for the sole purpose of directing HTTPS traffic to the appropriate LB Virtual Server based on the URL. That behavior is determined by the Content Switch Policies.

Creating Content Switch Policies

Without diving too much into theory, a Content Switch Policy is just a logical expression that is bound to the Content Switch and associated with an LB Virtual Server.

[Figure 14: creating the OWA Content Switch Policy in the GUI (image not included)]

Using GUI to create the OWA Content Switch Policy is shown on Figure 14. You can see that the expression is true if the URL starts with either “/owa” or “/ecp”. All the policies are shown in Table 1.

Table 1. Content Switch Policies (Exchange apps – Policy Name – Expression):

  • OWA & ECP – mail_owa:
    HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/owa") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/ecp")
  • ActiveSync – mail_as:
    HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/Microsoft-Server-ActiveSync")
  • Outlook Anywhere & EWS – mail_rpc:
    HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/Rpc") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/EWS")
  • Autodiscover – mail_autodisc:
    HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/Autodiscover")
  • OAB – mail_oab:
    HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/OAB")

To create all the policies, run the following in the CLI:

    add cs policy mail_owa -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/ecp\")"
    add cs policy mail_as -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Microsoft-Server-ActiveSync\")"
    add cs policy mail_rpc -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Rpc\") || HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/EWS\")"
    add cs policy mail_autodisc -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Autodiscover\")"
    add cs policy mail_oab -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/OAB\")"

(Inside the CLI's double-quoted -rule string, the embedded double quotes are escaped with a backslash.)
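The expressions in Table 1 are case-insensitive prefix matches on HTTP.REQ.URL (path plus query string) with no path-segment boundary, and a request matching none of them goes to the catch-all LB Virtual Server. The following Python model is an added example, not part of the article or of NetScaler; it shows how a few request lines are routed, using the bind priorities from the Content Switch binding commands later in this article (NetScaler evaluates the lowest priority number first).

```python
"""Model of the article's Content Switch routing for Exchange 2013.
Added example (not NetScaler code). Mirrors the semantics of
HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(...) and the catch-all."""

# policy name -> URL prefixes, exactly as in Table 1
POLICIES = {
    "mail_owa":      ["/owa", "/ecp"],
    "mail_as":       ["/Microsoft-Server-ActiveSync"],
    "mail_rpc":      ["/Rpc", "/EWS"],
    "mail_autodisc": ["/Autodiscover"],
    "mail_oab":      ["/OAB"],
}
# bind priorities from the "bind cs vserver" commands; lowest number is evaluated first
PRIORITY = {"mail_as": 80, "mail_rpc": 90, "mail_owa": 100, "mail_oab": 105, "mail_autodisc": 110}
DEFAULT_LB = "mail_d"  # catch-all LB Virtual Server bound with -lbvserver


def starts_with_ignorecase(url, prefix):
    """SET_TEXT_MODE(IGNORECASE).STARTSWITH: plain prefix test, no segment boundary."""
    return url[:len(prefix)].lower() == prefix.lower()


def request_url(raw_request_line):
    """HTTP.REQ.URL is the request-target of the request line, including any query string."""
    return raw_request_line.split(" ", 2)[1]


def route(raw_request_line):
    """Return the name of the policy (and hence the LB entity) that handles the request."""
    url = request_url(raw_request_line)
    for name in sorted(POLICIES, key=PRIORITY.__getitem__):
        if any(starts_with_ignorecase(url, p) for p in POLICIES[name]):
            return name
    return DEFAULT_LB


def lb_vserver(policy_name, fqdn="mail.citrix.com"):
    """Map a policy/service-group suffix to the article's LB Virtual Server naming."""
    return f"{fqdn}_443_{policy_name[len('mail_'):]}"


if __name__ == "__main__":
    # constructed request lines illustrating the edge cases
    for req in ("GET /OWA/auth/logon.aspx HTTP/1.1",        # case-insensitive match
                "POST /ews/Exchange.asmx HTTP/1.1",          # EWS shares the rpc entity
                "GET /mapi/emsmdb/?MailboxId=x HTTP/1.1",    # MAPI not implemented: catch-all
                "GET / HTTP/1.1",                            # root: catch-all
                "GET /owahealth HTTP/1.1"):                  # no segment boundary: still owa
        policy = route(req)
        print(f"{req:45} -> {policy:14} ({lb_vserver(policy)})")
```

Note the last case: because STARTSWITH has no path-segment boundary, any path beginning with "/owa" is sent to the OWA entity, which is harmless here because every entity fronts the same CAS servers.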

Creating the Content Switch

Lastly, we need to create the content switch and bind all the policies. Do the following:

  1. Open Create Virtual Server (Content Switching) dialog box.
  2. Specify Name, Protocol (SSL), IP Address and Port (443) – Figure 15.
  3. On the Advanced tab, enter “1800” in the Client Time-out field – Figure 16
  4. On the SSL Settings tab select the right certificate.
  5. Click Create.

[Figures 15 and 16: Content Switch virtual server creation and Advanced tab (images not included)]

In order to automate creating the Content Switch, run the following in the CLI instead:

    add cs vserver mail.citrix.com_cs_443 SSL <ip_address> 443 -cltTimeout 1800
    bind ssl vserver mail.citrix.com_cs_443 -certkeyName <cert_name>

Replace <ip_address> and <cert_name> with your own IP address and certificate-key name.

At this point, the Content Switch is created but it is “empty”. Now you need to bind the Content Switch Policies and associate them with LB Virtual Servers.

Binding Content Switch Policies

To bind the policies, open the Content Switch properties and click on CSV – Figure 17. To bind each policy, you need to a) click Insert Policy; b) select the policy name from the dropdown list; and c) select LB Virtual Server name from the Target dropdown list. The last policy you bind should be “(Default)”. That is not really a policy. You are just binding the catchall LB Virtual server.

[Figure 17: Content Switch policy bindings after completion (image not included)]

Figure 17 is a good example of what it should look like after you are done.

To perform the same operations in CLI, run the following:

    bind cs vserver mail.citrix.com_cs_443 -policyName mail_as -targetLBVserver mail.citrix.com_443_as -priority 80
    bind cs vserver mail.citrix.com_cs_443 -policyName mail_rpc -targetLBVserver mail.citrix.com_443_rpc -priority 90
    bind cs vserver mail.citrix.com_cs_443 -policyName mail_owa -targetLBVserver mail.citrix.com_443_owa -priority 100
    bind cs vserver mail.citrix.com_cs_443 -policyName mail_oab -targetLBVserver mail.citrix.com_443_oab -priority 105
    bind cs vserver mail.citrix.com_cs_443 -policyName mail_autodisc -targetLBVserver mail.citrix.com_443_autodisc -priority 110
    bind cs vserver mail.citrix.com_cs_443 -lbvserver mail.citrix.com_443_d
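The CLI batches in this article differ only in entity names, monitors and the list of CAS servers, which is why automating them makes sense. The following Python generator is an added example, not the article's or Citrix's tooling: it emits the complete batch (monitors, servers, service groups, LB virtual servers, content switch, policies and bindings) for any number of CAS servers, following the naming conventions above. The sample FQDN, VIP, certificate-key name and CAS addresses in the main block are constructed placeholders.

```python
"""Generate the NetScaler CLI batch from this article for N CAS servers.
Added example, not Citrix tooling. Names follow the article: mail_<app>
service groups, https-ecv-mail-<app> monitors, <fqdn>_443_<app> LB vservers."""

# service-group suffix -> (monitor suffixes, URL prefixes, CS bind priority)
# The catch-all "d" entity has no prefixes, no priority and uses the built-in tcp monitor.
APPS = {
    "owa":      (["owa", "ecp"], ["/owa", "/ecp"],               100),
    "as":       (["msa"],        ["/Microsoft-Server-ActiveSync"], 80),
    "rpc":      (["ews", "rpc"], ["/Rpc", "/EWS"],                 90),
    "autodisc": (["autodisc"],   ["/Autodiscover"],               110),
    "oab":      (["oab"],        ["/OAB"],                        105),
    "d":        ([],             [],                              None),
}
# monitor suffix -> app path probed with /healthcheck.htm (article's monitor list)
HEALTH_PATHS = {
    "owa": "/owa", "ecp": "/ecp", "ews": "/EWS", "msa": "/Microsoft-Server-ActiveSync",
    "oab": "/OAB", "rpc": "/Rpc", "mapi": "/MAPI", "autodisc": "/AutoDiscover",
}
IDLE = 1800  # seconds; at least 1.5x the 20-minute KeepAliveTime set on the CAS servers


def monitor_cmds():
    return [f'add lb monitor https-ecv-mail-{m} HTTP-ECV -send "GET {p}/healthcheck.htm" '
            f'-recv 200 -LRTM DISABLED -secure YES' for m, p in HEALTH_PATHS.items()]


def servicegroup_cmds(cas_servers):
    cmds = []
    for app, (mons, _, _) in APPS.items():
        sg = f"mail_{app}"
        cmds.append(f"add serviceGroup {sg} SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For "
                    f"-usip NO -useproxyport YES -cltTimeout {IDLE} -svrTimeout {IDLE} "
                    f"-CKA NO -TCPB NO -CMP YES -appflowLog DISABLED")
        cmds += [f"bind serviceGroup {sg} {srv} 443" for srv in cas_servers]
        # health-per-protocol: each group gets its own app monitors; catch-all gets plain tcp
        monitors = [f"https-ecv-mail-{m}" for m in mons] or ["tcp"]
        cmds += [f"bind serviceGroup {sg} -monitorName {m}" for m in monitors]
    return cmds


def vserver_cmds(fqdn):
    cmds = []
    for app in APPS:
        vs = f"{fqdn}_443_{app}"
        cmds.append(f"add lb vserver {vs} HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout {IDLE}")
        cmds.append(f"bind lb vserver {vs} -policyName _noCacheRest -priority 100 "
                    f"-gotoPriorityExpression END -type REQUEST")  # disable caching
        cmds.append(f"bind lb vserver {vs} mail_{app}")
    return cmds


def cs_cmds(fqdn, vip, certkey):
    cs = f"{fqdn}_cs_443"
    cmds = [f"add cs vserver {cs} SSL {vip} 443 -cltTimeout {IDLE}",
            f"bind ssl vserver {cs} -certkeyName {certkey}"]
    for app, (_, prefixes, prio) in APPS.items():
        if not prefixes:  # catch-all: bound as the default LB vserver, no policy
            cmds.append(f"bind cs vserver {cs} -lbvserver {fqdn}_443_{app}")
            continue
        # embedded double quotes inside the -rule string are escaped as \" for the CLI
        rule = " || ".join(f'HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\\"{p}\\")'
                           for p in prefixes)
        cmds.append(f'add cs policy mail_{app} -rule "{rule}"')
        cmds.append(f"bind cs vserver {cs} -policyName mail_{app} "
                    f"-targetLBVserver {fqdn}_443_{app} -priority {prio}")
    return cmds


def generate(fqdn, vip, certkey, cas_servers):
    """cas_servers: {server name: IP address}. Returns the full command list in apply order."""
    cmds = monitor_cmds()
    cmds += [f"add server {name} {ip}" for name, ip in cas_servers.items()]
    cmds += servicegroup_cmds(list(cas_servers))
    cmds += vserver_cmds(fqdn)
    cmds += cs_cmds(fqdn, vip, certkey)
    return cmds


if __name__ == "__main__":
    # constructed placeholder values; substitute your own FQDN, VIP, certkey and CAS servers
    print("\n".join(generate("mail.example.com", "192.0.2.10", "mail_certkey",
                             {"CAS1": "10.0.0.11", "CAS2": "10.0.0.12", "CAS3": "10.0.0.13"})))
```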

Load Balancing Other Types of CAS Traffic

Load balancing the other types of traffic is simple: we create a TCP LB Virtual Server for each of the following ports:

  1. 25 (default SMTP)
  2. 80 (HTTP)
  3. 110 (POP3)
  4. 143 (IMAP4)
  5. 587 (client SMTP)
  6. 993 (IMAP4-S)
  7. 995 (POP3-S)
  8. 5060 (Unified Messaging TCP)
  9. 5061 (Unified Messaging TLS)

Other things to pay attention to:

  1. There is no persistence on these LB Virtual Servers.
  2. All the idle timeouts are set to 1800 sec.
  3. Port 80 LB Virtual Server is in fact just a redirect to HTTPS.

“Connection Interrupted” error message displayed while logging off ICA session

Follow the steps below to identify the driver causing the problem.

1) On the VDA on where the issue is happening, open the command prompt with administrator privileges.

2) Run the command fltmc to see all the filter drivers loaded on the VDA.

3) Disable the filter drivers one by one using sc config "Drivername" start= disabled (note the space after the equals sign).

4) When you disable the TDI driver that is causing the issue, the “Connection Interrupted” message should no longer appear.

Note: If you are not able to identify the driver causing the issue, follow the workaround below to resolve the issue temporarily and contact Citrix Support for further assistance.

Workaround

There is a registry-key-based workaround available along with a private binary “picasvc2.exe” for XenApp and XenDesktop 7.12 and 7.13. Please contact Technical Support and request the private fix for XenApp and XenDesktop versions 7.12 and 7.13 (reference number: LC6761). In XenDesktop 7.14, users can apply the registry workaround directly without requesting a private binary.

Navigate to the DWORD value named “CleanupSessionListenersCancelDelay” under HKLM\SOFTWARE\Citrix\Portica. The “CleanupSessionListenersCancelDelay” value is always positive (REG_DWORD, i.e. UInt32). The possible values are:

  • Zero means no delay which is the default
  • A non-zero value means that cancelling the listeners is delayed by the specified number of milliseconds
  • A value of 0xFFFFFFFF (UInt32 maximum) means that the listeners are never cancelled

Configure the Value to 5000 (Decimal).

NOTE: If you are unable to identify the driver causing the issue, you may get around it by configuring the registry key workaround above, which fixes the issue. The registry-based workaround works only for disconnect/logoff/restart operations performed via the Start menu within Windows. Other logoff/disconnect operations triggered from Director, Studio or a DDC policy take a different code path and are not covered, and we do NOT intend to make additional changes.

Before applying the above workaround, you may also check whether the following updates are installed on the VDA:

  • 2680464 (v1.0) nlasvc.dll Net_NLA http://support.microsoft.com/kb/2680464 Location detection feature in DirectAccess is disabled intermittently in Windows 7 or in Windows Server 2008 R2
  • 2964643 (v1.0) ncsi.dll Net_NLA http://support.microsoft.com/kb/2964643 Third-party VPN client stops Internet connectivity in Windows 7 SP1 or Windows Server 2008 R2 SP1
  • 3023557 (v1.0) afd.sys Net_Protocol http://support.microsoft.com/kb/3023557 WSAEINVAL error when many applications make WCF calls to connect to web in Windows 7 SP1 or Windows Server 2008 R2 SP
  • 2870437 (v1.0) tdx.sys Net_Protocol http://support.microsoft.com/kb/2870437 Error message when you try to connect to a SQL Server 2012 AlwaysOn failover cluster instance by using the AlwaysOn listener in Windows 7 SP1 or Windows Server 2008 R2 SP1
  • 2974617 (v1.0) ndis.sys Net_Protocol http://support.microsoft.com/kb/2974617 Network connectivity is lost when many users run applications on a remote server in Windows 7 or Windows Server 2008 R2
  • 2896146 netiohlp.dll Net_Protocol http://support.microsoft.com/kb/2896146 Packet loss occurs when MTU is below 576 and PMTU discovery is enabled on your Windows 7 SP1 or Windows Server 2008 R2 SP1
  • 3125574 Win2008R2_16_04B_rollup_KB http://support.microsoft.com/kb/3125574 Convenience roll-up update for Windows 7 SP1 and Windows Server 2008 R2 SP1
  • 3216523 Win2008R2_17_03C_rollup_KB http://support.microsoft.com/kb/3216523 March 2017 Preview of the Quality Rollup for the .NET Framework 3.5.1, 4.5.2, and 4.6 on Windows 7 and Windows Server 2008 R2 SP1 (KB 3216523): March 21, 2017
  • 4015552 Win2008R2_17_04C_rollup_KB http://support.microsoft.com/kb/4015552 April 18, 2017 – KB4015552 (Preview of Monthly Rollup)

General Information on NetScaler SDX LOM

This article provides general information on Lights Out Management (LOM) on the NetScaler SDX appliance: how to configure it, its initial settings, and the commands used to troubleshoot it.

Background

All NetScaler SDX appliances ship with a LOM. The LOM has its own CPU, memory and NIC and is designed to provide supervisor functions such as fan control, power supply monitoring, temperature monitoring, and so on. The LOM is controlled by a BMC chip (an ARM-based CPU unrelated to the main Intel-based CPU that runs NetScaler).
The LOM firmware is not written by Citrix. It connects to the various hardware sensors over a serial bus called the SMBus (System Management Bus, also known as I2C; http://en.wikipedia.org/wiki/SMBus). The BMC/LOM chip is always powered up and runs its own copy of Linux. This functionality is also known as the Intelligent Platform Management Interface (IPMI).

Summary of the LOM Module

The following is a summary of the LOM module:

  • It is a device within the NetScaler appliance that has its own CPU, memory and network interface.
  • It is segregated from the NetScaler OS and stack.
  • It only shares power (NetScaler appliance does not need to be turned on, just plugged in).
  • It runs a web server that provides console access and reboot functionality among other features.

Initial Configuration

The default username and password for the LOM module are nsroot/nsroot. There is no console access to the LOM module. Take care of the following:

  • The LOM module will boot with the default IP address of 192.168.1.3.
  • The LOM module will not have a default gateway assigned.
  • Log on to the LOM module (see the connection options below) to perform the initial configuration, which includes:
    • Change the default IP and set a default gateway.
    • Change the password.
    • Set the time.

How to connect to the LOM module

Connect in one of the following ways:

  1. Use a crossover cable to connect a laptop or other device directly to the LOM interface.
  2. Use a switch in the same broadcast domain as the LOM interface.

[Image: connecting to the LOM interface (image not included)]

The following are the initial configuration steps for the LOM module:

  1. Set a static IP address of 192.168.1.10 on your laptop or workstation and connect it in one of the following ways:
    • Directly into the LOM interface with a crossover cable, or
    • Into a switch in the same broadcast domain as the LOM interface.
  2. Enter the IP address 192.168.1.3 into your browser; you should see the LOM logon page.
  3. After the new IP address is configured, access the LOM with the new IP address.

Supported LOM features

There are a lot of features built into the LOM. Currently only the following LOM features are supported:

  • Configuring the LOM IP address, mask and gateway or DHCP.
  • Power cycling the appliance.
  • Using Non-Maskable Interrupt (NMI) button only when Citrix Technical Support requests.
  • Resetting the LOM device

Troubleshooting the LOM

The following ipmitool commands are used:

  • Command to print the sensor list

    ipmitool sensor list

  • Command to print the sensor data repository information

    ipmitool sdr list

  • Command to print the sensor event log

    ipmitool sel list

  • Command to print LOM IP and details on SDX (XenServer root)

    ipmitool lan print 1

    Set in Progress         : Set Complete
    Auth Type Support       : MD2 MD5 OEM
    Auth Type Enable        : Callback : MD2 MD5 OEM
                            : User     : MD2 MD5 OEM
                            : Operator : MD2 MD5 OEM
                            : Admin    : MD2 MD5 OEM
                            : OEM      :
    IP Address Source       : Static Address
    IP Address              : 10.217.147.231
    Subnet Mask             : 255.255.254.0
    MAC Address             : 00:25:90:9d:00:8e
    SNMP Community String   : AMI
    IP Header               : TTL=0x00 Flags=0x00 Precedence=0x00 TOS=0x00
    BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
    Gratituous ARP Intrvl   : 0.0 seconds
    Default Gateway IP      : 10.217.146.1
    Default Gateway MAC     : 00:00:00:00:00:00
    Backup Gateway IP       : 0.0.0.0
    Backup Gateway MAC      : 00:00:00:00:00:00
    802.1q VLAN ID          : Disabled
    802.1q VLAN Priority    : 0
    RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,0
    Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                            :     X=Cipher Suite Unused
                            :     c=CALLBACK
                            :     u=USER
                            :     o=OPERATOR
                            :     a=ADMIN
                            :     O=OEM
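The ipmitool lan print output above is the quickest way to confirm that the initial LOM configuration described earlier (a non-default IP address and a default gateway) has actually been applied. The following Python script is an added example, not Citrix tooling: it parses that output format, including the continuation lines that carry no key, and reports the settings still at factory state. The sample output embedded below is constructed from the listing above.

```python
"""Parse `ipmitool lan print 1` output and check the LOM settings this article
says must be changed from factory state. Added example, not Citrix tooling."""

# constructed sample, abbreviated from the listing in the article
SAMPLE = """\
Set in Progress         : Set Complete
Auth Type Support       : MD2 MD5 OEM
Auth Type Enable        : Callback : MD2 MD5 OEM
                        : User     : MD2 MD5 OEM
                        : Operator : MD2 MD5 OEM
IP Address Source       : Static Address
IP Address              : 10.217.147.231
Subnet Mask             : 255.255.254.0
MAC Address             : 00:25:90:9d:00:8e
Default Gateway IP      : 10.217.146.1
802.1q VLAN ID          : Disabled
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12,0
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
"""

FACTORY_IP = "192.168.1.3"  # LOM boots with this address out of the box (see above)


def parse_lan_print(text):
    """Return {setting: value}. Lines whose key column is blank continue the previous setting."""
    settings, last_key = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if key:
            settings[key] = value
            last_key = key
        elif last_key is not None:
            settings[last_key] += "\n" + value
    return settings


def check_lom(settings):
    """Return a list of findings; empty means the initial configuration has been done."""
    findings = []
    source = settings.get("IP Address Source", "")
    if source not in ("Static Address", "DHCP Address"):
        findings.append(f"unexpected IP address source: {source!r}")
    if settings.get("IP Address") == FACTORY_IP:
        findings.append(f"LOM still on factory default IP {FACTORY_IP}")
    if settings.get("Default Gateway IP", "0.0.0.0") == "0.0.0.0":
        findings.append("no default gateway set")  # LOM ships without one
    return findings


if __name__ == "__main__":
    # on the SDX itself this would be: subprocess.run(["ipmitool", "lan", "print", "1"], ...)
    parsed = parse_lan_print(SAMPLE)
    print(f"LOM at {parsed.get('IP Address')} via {parsed.get('Default Gateway IP')}")
    for finding in check_lom(parsed) or ["initial configuration looks complete"]:
        print(" -", finding)
```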

Configuring the LOM port for SDX appliances

To configure the LOM port for SDX appliances (XenServer root), complete the following steps:

  1. Log on to the XenServer as the root user, or switch to root (su -).

  2. Run the following command to load the ipmi drivers.

    modprobe ipmi_devintf ; modprobe ipmi_si

  3. Run the following command to start the IPMI tool shell.

    ipmitool shell

  4. Run the following command to configure the LOM module.

    lan set 1 ipaddr <ip>

    lan set 1 netmask <mask>

    lan set 1 defgw ipaddr <ip>

  5. Load the ipmi drivers in dom0.

    sudo modprobe ipmi_devintf

    sudo modprobe ipmi_msghandler

    sudo modprobe ipmi_si

The BMC can be restored to factory defaults including deleting the SSL Certificate and SSL key with the following command.

ipmitool raw 0x30 0x41 0x1

High CPU Usage on NetScaler VPX Reported on VMware ESXi Version 6.0

https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS-12-0-51-24.html

Two new commands to control CPU usage behavior have been introduced.

set ns vpxparam and show ns vpxparam control the CPU-usage behavior of VPX instances in VMware ESX and Citrix XenServer environments:

1. set ns vpxparam -cpuyield (YES | NO | DEFAULT)

Allow each VM to use CPU resources that have been allocated to another VM but are not being used.

Set ns vpxparam parameters:

-cpuyield: Release, or do not release, allocated but unused CPU resources.

YES: Allow allocated but unused CPU resources to be used by another VM.

NO: Reserve all CPU resources for the VM to which they have been allocated. With this option the hypervisor reports a higher CPU usage percentage for the VPX.

DEFAULT: NO

Note: On all NetScaler VPX platforms, the vCPU usage on the host system will be 100 percent. Type the set ns vpxparam -cpuyield YES command to override this usage.

2. show ns vpxparam

Display the current vpxparam settings.

EPA for device certificate check fails on NetScaler

If a device certificate check is required, the user performing the EPA scan needs admin rights on the client.

Workaround:

It is rare for users to have admin rights on their systems, so the workaround is to install the full NetScaler Gateway plug-in, which can access the local certificate store.

Because the EPA scan alone does not install the Gateway plug-in, install the plug-in manually so that it can check the certificates in the store and the EPA check passes.

If there are multiple client machines, use GPO to push the gateway plugin to multiple machines.

https://docs.citrix.com/en-us/netscaler-gateway/12/vpn-user-config/ng-plugin-select-type/ng-connect-ng-plugin-deploy-from-active-directory-tsk.html
