Notice of Change Announcement for NetScaler SD-WAN 4000-SE (Standard Edition)

Citrix Systems, Inc. announces End of Maintenance for NetScaler SD-WAN 4000-SE (Standard Edition) appliances.

The tables below explain the Citrix NetScaler SD-WAN life cycle management milestones as well as important information regarding dates and options during this period. The dates and milestones provided are in accordance with stated End of Life/End of Support policies for Citrix Systems, Inc.

Table 1. Milestones and Dates

| Milestone | Definition | Date |
| --- | --- | --- |
| Notice of Change (NSC) | The NSC date is the date on which Citrix announces the intent to initiate the lifecycle management process for a hardware platform. | May 15, 2018 |
| End of Sale (EOS) | The date on which Citrix will no longer offer the product. | June 15, 2018 |
| End of Maintenance (EOM) / End of Life (EOL) | The EOL milestone signals the point at which no support or maintenance is provided. Product information will be limited to the historical material available on MyCitrix.com or other online resources and is subject to removal beyond this date. | June 15, 2023 |

See the Citrix Product Lifecycle Milestones Definitions.

Products Affected

The products affected by this announcement and their replacements are listed in Table 2 (below). The products listed in the Product Replacement / Alternatives column represent the migration path for these discontinued platforms.

Table 2. Platforms affected by this announcement.

| Product Description | Replacement / Alternatives |
| --- | --- |
| NetScaler SD-WAN 4000-SE (Standard Edition) | 4100-SE (Standard Edition) |

Customer Actions

Citrix recommends that existing customers take steps to upgrade to the latest NetScaler SD-WAN platform so that they can take advantage of the upgraded features and performance. This will ensure the best transition of the product.

For More Information

For more information about the Citrix NetScaler SD-WAN, visit https://www.citrix.com/products/netscaler-sd-wan/ or contact your local Citrix sales representative / authorized Citrix business partner.

Netscaler VPX 1000 – Azure – Slowness getting through Netscaler.


With 12.0 builds, we changed the default yield behavior for PE vCPUs. In 12.0 builds, a vCPU does not yield to the hypervisor even when there is little or moderate traffic, which was not the case for 11.1 builds. That is why the VPX vCPU always shows 100% on the hypervisor. However, the vCPU allocated to the management core might not be at 100%.

NetScaler yields PE vCPUs to the hypervisor in sparse/moderate traffic cases. Since we observed Tx overflow/congestion, which is somewhat related to scheduling, we thought that not yielding the vCPU would help improve the situation.

– set ns vpxparam -cpuyield NO

Upgrade to 12.0.53.X+

How to Use the Authentication Feature of a NetScaler Appliance with a Load Balancing or Content Switching VServer on the Appliance

This article describes how to use the authentication feature of a NetScaler appliance with a Load Balancing or Content Switching virtual server on the appliance.

Requirements

To complete this task, the NetScaler appliance must have a license for the Load Balancing, Content Switching, and Authentication, Authorization, and Auditing (AAA – Application Traffic) features.

HA pair of SD-WAN SE/EE appliances running pre-9.3.4 versions may encounter a “file copy loop” when upgrading to version 9.3.4 and later

1. Disable the Secondary MCN

a. Go to Configuration > Virtual WAN > Enable/Disable/Purge Flows

b. Uncheck “Perform a diagnostic dump before doing the disable operation”

c. Disable Citrix Virtual WAN Service

2. Upgrade Primary MCN following correct procedure per our documentation:

3. Upgrade Secondary MCN using Local Change Management

4. Enable the Secondary MCN

a. Go to Configuration > Virtual WAN > Enable/Disable/Purge Flows

b. Enable Citrix Virtual WAN Service

This issue is fixed in version 9.3.4 and later versions.

Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway leading to arbitrary code execution and host compromise

This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:

• Citrix NetScaler ADC and NetScaler Gateway version 12.0 Build 57.24 and later

• Citrix NetScaler ADC and NetScaler Gateway version 11.1 Build 58.13 and later

• Citrix NetScaler ADC and NetScaler Gateway version 11.0 Build 71.24 and later

• Citrix NetScaler ADC and NetScaler Gateway version 10.5 Build 68.7 and later

Citrix NetScaler ADC and NetScaler Gateway version 10.1 are not planned to be updated as part of remediating this issue. Customers on version 10.1 should plan to move to a later version to receive the latest security updates.

These new versions can be downloaded from the following locations:

https://www.citrix.com/downloads/netscaler-adc.html

https://www.citrix.com/downloads/netscaler-gateway.html

Citrix strongly recommends that customers using affected versions of NetScaler ADC and NetScaler Gateway upgrade to a version of the appliance firmware that contains the fixes for this issue as soon as possible.
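
As an added example (not part of the Citrix bulletin), the following Python script checks an inventory of firmware banners against the fixed builds listed above. The banner shape `NS<release>: Build <build>`, the hostnames and the status labels are assumptions, and the sample inventory is constructed.

```python
import re

# Fixed builds per release branch, copied from the bulletin above.
FIXED_BUILDS = {
    (12, 0): (57, 24),
    (11, 1): (58, 13),
    (11, 0): (71, 24),
    (10, 5): (68, 7),
}
# Branch the bulletin says is not planned to be updated.
NO_FIX_BRANCHES = {(10, 1)}

# Assumed banner shape, e.g. "NetScaler NS12.0: Build 56.20.nc".
BANNER_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_banner(banner):
    """Return ((major, minor), (build, sub)) as ints, or None if unparsable."""
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    major, minor, build, sub = (int(g) for g in match.groups())
    return (major, minor), (build, sub)


def assess(banner):
    """Classify one appliance against the bulletin's fixed-build list."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unparsed"          # needs a manual look
    branch, build = parsed
    if branch in NO_FIX_BRANCHES:
        return "no-fix-planned"    # bulletin: move to a later version
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "not-listed"        # branch not covered by this bulletin
    # Integer tuples compare numerically, so build 68.10 is later than 68.7;
    # comparing the raw strings would get this wrong.
    return "fixed" if build >= fixed else "needs-upgrade"


def audit(inventory):
    """Map each host name to its status."""
    return {host: assess(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = {
    "adc-a": "NetScaler NS12.0: Build 56.20.nc",
    "adc-b": "NetScaler NS12.0: Build 57.24.nc",
    "adc-c": "NetScaler NS10.5: Build 68.10.nc",
    "adc-d": "NetScaler NS11.1: Build 58.9.nc",
    "gw-e": "NetScaler NS10.1: Build 135.8.nc",
    "gw-f": "NetScaler NS12.1: Build 48.13.nc",
    "gw-g": "firmware unknown",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `not-listed` or `unparsed` are outside what the bulletin states and need to be checked by hand.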

FAQ: XenMobile Server Support

This article contains answers to the frequently asked questions on XenMobile Server Support.

General

What is XenMobile Server Support?

How do I get to the support page on App Controller server?

In which version of App Controller is the Support feature available?

What are the browsers and platforms supported?

What ports need to be open for the support feature to work?

I am getting error “Unable to get the details from the server.” for NetScaler Gateway?

I am getting error “Failed to authenticate with the App Controller”?

I am getting error “Login Failed: Check XDM credentials or Database server is down.”?

How do I exit from the support page?

What if I have queries/suggestions regarding Support page?

Servers and Operations

What are the servers supported by the supportability framework?

How should I add App Controller HA pair in the Support Page?

How should I add XenMobile Device Manager Cluster Setup?

Can I add multiple servers for each server type?

Do I need to add the servers again in the next session/login?

What are the operations supported in the Support Page?

Can I perform more than one operation at a time?

Should all the three servers be in the same deployment of XenMobile Environment?

Connectivity Checks

Where/how are the connectivity checks done?

What does ‘Perform Connectivity Checks’ on NetScaler Gateway do?

What does ‘Perform Connectivity Checks’ on XenMobile Device Manager do?

I am unable to perform Connectivity Checks on App Controller?

Support Bundles

What information is collected in support bundles?

Can I collect support bundles for more than one server at a time?

Will I download multiple support bundles in this case?

Where do the support bundles get downloaded?

Are the generated support bundles permanently stored on the App Controller server?

Citrix Insight Services

What is “Citrix Insight Services” server?

What are the credentials to be used for uploading Support Bundles to Citrix Insight Services?

I do not have a “Citrix Insight Services” account. How do I upload the support bundle?

I do not have a SR number from “Citrix Insight Services”. Can I still upload support bundles?

General

  • Is it possible to install/configure a DNS server on the XenMobile appliance?
The DNS server should be installed on a Windows machine that is in the same network as your XenMobile. Since XenMobile is a Linux appliance, it is not possible.

  • Is it possible to configure internal (SQL and internal network) and external (APNs) on the DNS server?
All of the internal IP addresses and hostnames can be added on the DNS server as address records. The external URLs are already public and don't require separate entries on the DNS server. However, if you are using a proxy/firewall, the traffic should be open bidirectionally for communications. You can check out the following document for the same.
http://docs.citrix.com/en-us/xenmobile/server/system-requirements/ports.html

  • Can we add a static route to XenMobile?

    We can only add a static route on NetScaler; this is not possible for XenMobile. Can you please elaborate the exact requirement here so that .

Q: What is XenMobile Server Support?

A: XenMobile Server Support is an online platform that provides a one-stop location where administrators can perform various troubleshooting and instrumentation related tasks. It provides an easy way to collect troubleshooting information such as logs, configurations, and environment information, among other information.

Q: How do I get to the support page on App Controller server?

A: To access the XenMobile Server Support page, open a browser and log on to the App Controller admin ControlPoint. After you log on, edit the URL in the address bar to replace “main.html” with “support”. The URL should now look like https://<AppControllerServer>:4443/ControlPoint/support.

Q: In which version of App Controller is the Support feature available?

A: Support feature is available from App Controller 9.0 onwards.

Q: What are the browsers and platforms supported?

A: Support feature is supported on latest versions of Firefox, Chrome, Safari, IE10 and IE11. It is tested on Windows and Mac.

Q: What ports need to be open for the support feature to work?

A: Port 443 for SSL/HTTPS and port 22 for file transfer need to be open for the support feature to work.

Q: I am getting error “Unable to get the details from the server.” for NetScaler Gateway?

A: Ensure that the correct password for the server is entered in the support page. Passwords are not cached, and they need to be entered each time the page is refreshed or a new session is started.

Q: I am getting error “Failed to authenticate with the App Controller”?

A: Ensure that the correct password for the App Controller server is entered in the support page. Passwords are not cached, and they need to be entered each time the page is refreshed or a new session is started.

Q: I am getting error “Login Failed: Check XDM credentials or Database server is down.”?

A: Ensure that the correct password for the XenMobile Device Manager server is entered in the Support page. Passwords are not cached, and they need to be entered each time the page is refreshed or a new session is started.

Q: How do I exit from the support page?

A: Use the Exit button on the bottom right of the Support page. It will redirect to the ControlPoint Page.

Q: What if I have queries/suggestions regarding Support page?

A: Contact the Citrix Support Personnel for more information.

Servers and Operations

Q: What are the servers supported by the Supportability Framework?

A: Supportability Framework supports App Controller, XenMobile Device Manager, and NetScaler Gateway Server.

Q: How should I add App Controller HA pair in the Support Page?

A: App Controller Cluster deployments are currently not supported. You can provide each cluster node separately to collect respective support bundles.

Q: How should I add XenMobile Device Manager Cluster Setup?

A: You can add any one of the cluster nodes of the XenMobile Device Manager cluster. Operations are performed on all the nodes in the cluster.

Q: Can I add multiple servers for each server type?

A: Yes, you can add multiple servers under each server type.

Q: Do I need to add the servers again in the next session/login?

A: No, all servers added are persistent across sessions. However, passwords are not cached, and they need to be entered again.

Q: What are the operations supported in the Support Page?

A: The following operations are supported:
  • Perform Connectivity Checks
  • Collect Support Bundles and Download to Client
  • Collect Support Bundles and Upload to ‘Citrix Insight Services’

Q: Can I perform more than one operation at a time?

A: Yes, you can select all the operations or a combination of operations at a time.

Q: Should all the three servers be in the same deployment of XenMobile Environment?

A: Not necessarily. Any supported XenMobile server which is reachable from the App Controller can be added to the support page.

Connectivity Checks

Q: Where/how are the connectivity checks done?

A: Connectivity checks are initiated and controlled by the App Controller. However, actual Connectivity Checks happen from the NetScaler Gateway/XenMobile Device Manager Server to their associated backend servers.

Q: What does ‘Perform Connectivity Checks’ on NetScaler Gateway do?

A: ‘Perform Connectivity Checks’ on NetScaler Gateway does a reachability check for all the backend servers associated with NetScaler Gateway. The connectivity validation also involves performing server-specific protocol and port validation ensuring the validity of the backend servers.

Q: What does ‘Perform Connectivity Checks’ on XenMobile Device Manager do?

A: ‘Perform Connectivity Checks’ on XenMobile Device Manager does reachability checks for Apple Servers.

Q: I am unable to perform Connectivity Checks on App Controller?

A: Currently, ‘Perform Connectivity Checks’ is not supported on App Controller.

Support Bundles

Q: What information is collected in support bundles?

A: You receive the following information for each server:

XenMobile Device Manager Server Support bundle

  1. Logs
  2. Config files
    • Cluster_configuration
    • Ew-Config.properties
    • Pki.xml
    • Log4j
    • Push_services
    • Oscache
    • Server.xml
  3. Information collected as part of helper.jsp
    • Patches
    • Cluster Info
    • Thread Dump
    • Thread Dump V2
    • Push Service Status (if iOS)
  4. Server details (Windows)
    • OS Version
    • Number of cores (CPU)
    • Memory
    • Page file settings
    • Interface settings (speed, IPv4, IPv6 (enabled))
    • Disk space

App Controller Server Support bundle

  • Audit logs with information for customers to get an overall picture of what is happening in the system
  • Debug file with information required for DEV during debugging

NetScaler Server Support bundle

  • NetScaler System information
  • NetScaler Gateway logs
  • NetScaler Gateway database information
  • NetScaler Gateway core information
  • NetScaler Trace files

Q: Can I collect support bundles for more than one server at a time?

A: Yes, you can collect support bundles for multiple servers of same type/different type at the same time.

Q: Will I download multiple support bundles in this case?

A: No, all support bundles are compressed into one single file.

Q: Where do the support bundles get downloaded?

A: Support bundles get downloaded into the default “downloads” folder set by the browser.

Q: Are the generated support bundles permanently stored on the App Controller server?

A: No. At any point, only the last generated support bundle is present on the App Controller Server. All support bundles are cleaned up periodically, during Logoff, session expiry, or reboot of App Controller.

Citrix Insight Services

Q: What is “Citrix Insight Services” server?

A: Citrix Insight Services (formerly known as TaaS) is an initiative from Citrix focused on making the support of Citrix environment as easy as possible. Citrix has developed tools and online analysis capabilities to help collect environment information, analyze that information and receive tailored recommendations based on Citrix environment and configuration.

Q: What are the credentials to be used for uploading Support Bundles to Citrix Insight Services?

A: You need to use your My Account credentials for uploading Support bundles to Citrix Insight Services.

Q: I do not have a “Citrix Insight Services” account. How do I upload the support bundle?

Q: I do not have a SR number from “Citrix Insight Services”. Can I still upload support bundles?

A: Yes, the SR number is an optional parameter while uploading support bundles. However, if a case is already open with Citrix and you have an SR number, the support bundles uploaded with the SR number would be directly linked with the case.

FAQ: XenMobile 10 and NetScaler Gateway Integration

This article contains frequently asked questions about XenMobile 10 and NetScaler 10.5 Integration.

Q: What versions of NetScaler are supported with XenMobile 10 deployment wizard?

Q: Do I need to upgrade to NetScaler 10.5 to integrate with XenMobile 10?

Q: What is deployed by the new XenMobile 10 wizard?

Q: Why is the persistence type for MAM load balancing virtual server set to Custom Server ID?

Q: After running the XenMobile 10 wizard, why do I see a local DNS (A) record created with the XenMobile hostname?

Q: Is there a high-level communication flow diagram to understand how MDM and MAM traffic flows through the NetScaler?

Q. What versions of NetScaler are supported with XenMobile 10 deployment wizard?

A: NetScaler 10.5 build 54.9 or later is recommended with the XenMobile 10 deployment wizard. For a list of compatible NetScaler versions/builds with XenMobile 10, go to Citrix eDocs.

Q. Do I need to upgrade to NetScaler 10.5 to integrate with XenMobile 10?

A: No. Even though it is recommended to use the latest build of NetScaler 10.5, it is not required. You can still use NetScaler 10.1.

Check the XenMobile issues fixed in NetScaler, available on Citrix.com. This will help you decide whether or not to upgrade. For example, the NetScaler 10.5 (Main) Release Notes describe the overall fixes included in NetScaler 10.5 build 55.8.

Note: Some of these fixes are related to XenMobile.

When NetScaler Gateway is deployed with clientless access and Secure Browse is used with an HTTPS Proxy, the appliance fails if users close the connection when the proxy connection is still being established.

[From Build 55.8] [#526890, #531693, #532386]

Q. What is deployed by the new XenMobile 10 wizard?

A: The new XenMobile 10 wizard is very similar to the one introduced back with NetScaler 10.1 release for earlier releases of XenMobile. The following list provides a brief description of some of the new prompts.

When you launch the XenMobile 10 wizard, you will be prompted to select the settings/components you want to configure for XenMobile.

By default, Access through NetScaler Gateway and Load Balance XenMobile Servers are checked.


Next, there is a new prompt to configure a load balancing virtual server for MAM traffic. Follow these tips to properly deploy your XenMobile 10 solution.

  1. Selecting HTTPS communication to XenMobile Server (for MDM traffic): NetScaler will set the load balancing virtual servers to SSL Forward (also known as SSL Bridge) on ports 443 and 8443. In this configuration, the NetScaler will not terminate the SSL traffic to XenMobile Server. It will forward it to the XenMobile Server over secured ports 443 and 8443. Hence, make sure the defined XenMobile Server hostname (that is, the FQDN) can be reached externally. Otherwise, users will not be able to enroll successfully. Refer to article CTX200847, Second Profile Installation Fails when Enrolling iOS Devices.
  • You can choose the protocol for MDM load balancing virtual server
    • HTTPS- SSL bridge
    • HTTP- SSL offload
  • For the MAM traffic, the NetScaler will set the load balancing virtual server to SSL Offload listening on port 8443. The communication to the XenMobile Server is configured on port 8443.

[Image: Example of MAM Load Balancing virtual server.]

[Image: Example of MAM Service Group.]

  2. Selecting HTTP communication to XenMobile Server (MDM & MAM traffic): SSL Offload configuration would be used on NetScaler. In this configuration, the NetScaler will contact the XenMobile Server(s) via port 80 in the back-end.

Note: If you plan to use HTTP communication to XenMobile Server, you must allow port 80 traffic on XenMobile’s built-in firewall. By default, port 80 is not allowed. To allow port 80, navigate to the CLI console > Configuration Menu > Firewall. Set “y” to enable port 80.

[Image: Example of MDM Load Balancing virtual servers.]

[Image: Example of MAM Load Balancing virtual servers.]

[Image: Example of MDM/MAM (shared) service.]

Next, you need to select what Server Certificate to use for the load balancing virtual server for MAM.

This SSL server certificate can be either from a public or private CA. Ensure that the full SSL Root CA chain (that is, intermediate certificates) is bundled in the certificate file.

Q. Why is the persistence type for MAM load balancing virtual server set to Custom Server ID?

A: When XenMobile Server 10 is deployed in a multi-node cluster solution, NetScaler needs to maintain the MAM-traffic session by checking the server ID value of each node. This value is automatically obtained by NetScaler (from each node) when using the wizard.

Each XenMobile Server node has a unique server ID. To change the server ID value, you have to change the IP address of the XenMobile Server. After reboot, the system will generate a new value.

[Image: Example of XenMobile node service with Server ID value.]

You can manually gather this value from each XenMobile cluster node in the CLI console.

Select Clustering Menu > Show Cluster Status.

[Image: Example of MAM load balancing persistence type Custom Server ID.]

In the MAM load balancing virtual server, the NetScaler will set a timeout value of 2 mins along with an expression: HTTP.REQ.COOKIE.VALUE("ACNODEID").

This expression means that the NetScaler will check for this cookie value (provided by the client in the communication flow) and determine which node to direct the traffic to.

Q. After running the XenMobile 10 wizard, why do I see a local DNS (A) record created with the XenMobile hostname?

A: This value is vital to ensure the NetScaler Gateway virtual server contacts the MAM load balancing virtual server (internally) and decides which XenMobile Server node to contact. The DNS record value points to the MAM load balancing virtual server (listening on 8443).

This DNS record is not applicable for MDM traffic (for example, enrollment, application/policies push, and so on).

Q: Is there a high-level communication flow diagram to understand how MDM and MAM traffic flows through the NetScaler?

A: Yes. The following is a communication flow diagram for XenMobile Cluster environment.

[Image: communication flow diagram for XenMobile Cluster environment.]

MDM Traffic:
  1. Mobile device uses Secure Hub to enroll the device.
  2. NetScaler will intercept this communication using both LB vservers listening on port 443 and 8443.

    To balance the MDM traffic, NetScaler is using SSL Session ID as persistence.
  3. When the device is enrolled, one of the XenMobile Servers in the cluster pushes policies/apps along with the NetScaler Gateway URL to the mobile device.

MAM Traffic:
  1. If the user wants to access Web/SaaS/MDX apps from XenMobile Server, Secure Hub will communicate with the NetScaler Gateway vserver (port 443). Note that users will be prompted to enroll as an option if they bypass the enrollment process.
  2. When the user is authenticated on NetScaler Gateway, NetScaler will contact the internal LB vserver used to load balance MAM traffic sessions. To balance the MAM traffic, NetScaler looks for a cookie value called ACNODEID.

    The NetScaler will use the persistence of CustomServerID to identify which XenMobile Server node to contact based on the ACNODEID.

Additional Information

Click on the link to download XenMobile

XenMobile How Do I

NetScaler VPN Login Page and Management Page Down after upgrade to 12.0

Edit the customized httpd.conf file in ‘/nsconfig’ folder:

Go to line 166 and search for this line:

LoadModule php5_module /libexec/libphp5.so

Replace it with:

LoadModule php7_module /libexec/libphp7.so

If you do not need any customization then just delete the httpd.conf file from ‘/nsconfig’ and ‘/etc’ and reboot the NetScaler. After reboot, correct httpd.conf will be auto-generated on NetScaler.

Note: While editing the file on Secondary, make sure you have HA sync disabled. Otherwise changes will be reverted back as Primary will sync the wrong file content to your node.

FAQ: How to Verify Hardware Health Status on NetScaler MPX?

Q: How to verify hardware health status on NetScaler MPX?

A: Run the stat system -detail command to display the current health attributes of the different NetScaler hardware components.

For a list of health attributes and their recommended value ranges, refer to Citrix Documentation – Hardware Health Attributes.

Run the following commands to check on NetScaler (deprecated):

> shell

root@Netscaler# ns_hw_err.bash

WARNING: DO NOT run the ns_hw_err.bash script on a FIPS Netscaler. This script contains commands that can cause a FIPS Netscaler to hang or crash, requiring a power cycle to recover.

NOTE: The ns_hw_err.bash script was intended for Netscaler Tech Support use only. As such, it can sometimes report false positives that should be ignored. Examples of false positives are cavium card timeout recoveries and SMART Old-Age warnings. Both of these conditions are considered normal and are not indicative of a hardware failure, nor do they require an RMA.

In lieu of the script above, the RECOMMENDED method of performing a health check on a Netscaler is to generate a tech support file (from the GUI or by running show techsupport from the CLI) and upload the resulting support.tgz file (in /var/tmp/support) to https://cis.citrix.com for analysis. CIS will analyze the file and generate a report detailing the Netscaler’s health and providing suggestions for improvement.
