Netscaler VPX 1000 – Azure – Slowness getting through Netscaler.


With 12.0 builds, the default yield behavior for PE vCPUs has changed: a PE vCPU no longer yields to the hypervisor, even when traffic is light or moderate, which was not the case in 11.1 builds. That is why the VPX vCPU always shows 100% on the hypervisor. The vCPU allocated to the management core, however, might not show 100%.

Previously, NetScaler yielded PE vCPUs to the hypervisor in sparse or moderate traffic cases. Since the Tx overflow/congestion we observed is related to scheduling, we expected that not yielding the vCPU would improve the situation.

– set ns vpxparam -cpuyield NO

Upgrade to 12.0.53.X+


Netscaler GSLB is answering queries for Vserver that are Down.


When the GSLB vserver is down, with all the corresponding gslb services in the down state, the DNS query response can have the IP addresses of the down GSLB services. This is by design/expected behavior.

However, you can configure the GSLB virtual server to send an empty down response (enable EDR on GSLB Vserver). When this option is set, a DNS response from a GSLB virtual server that is in a DOWN state does not contain IP address records, and this prevents clients from attempting to connect to GSLB sites that are down.


https://docs.citrix.com/en-us/netscaler/10-1/ns-tmg-wrapper-10-con/netscaler-gslb-gen-wrapper-10-con/ns-gslb-protct-setup-against-fail-con.html

Configuring a GSLB Virtual Server to Respond with an Empty Address Record When DOWN

A DNS response can contain either the IP address of the requested domain or an answer stating that the IP address for the domain is not known by the DNS server, in which case the query is forwarded to another name server. These are the only possible responses to a DNS query.

When a GSLB virtual server is disabled or in a DOWN state, the response to a DNS query for the GSLB domain bound to that virtual server contains the IP addresses of all the services bound to the virtual server. However, you can configure the GSLB virtual server to send an empty down response (EDR) in this case. When this option is set, a DNS response from a GSLB virtual server that is in a DOWN state does not contain IP address records, but the response code is still successful. This prevents clients from attempting to connect to GSLB sites that are down.

Note: You must configure this setting for each virtual server to which you want it to apply.

To configure a GSLB virtual server for empty down responses by using the command line interface

At the command prompt, type:

set gslb vserver <name> -EDR (ENABLED | DISABLED)

Example

> set gslb vserver vserver-GSLB-1 -EDR ENABLED
 Done

To set a GSLB virtual server for empty down responses by using the configuration utility

  1. Navigate to Traffic Management > GSLB > Virtual Servers.
  2. In the GSLB Virtual Servers pane, select the GSLB virtual server for which you want to configure empty down responses (for example, vserver-GSLB-1).
  3. Click Open.
  4. On the Advanced tab, under When this VServer is “Down,” select the Do not send any service’s IP address in response (EDR) check box.
  5. Click OK.
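As an added example (not Citrix code), the following Python builds minimal DNS responses for an A query and classifies them the way a resolver or client sees them, separating the EDR case (NOERROR with an empty answer section) from NXDOMAIN and from a normal answer with address records. The packets and the 192.0.2.x addresses are constructed.

```python
"""Classify DNS responses: a normal answer, an NXDOMAIN, or the GSLB
empty-down response (EDR), which is a NOERROR reply with no A records.
Added example, not Citrix code; packets are constructed inline."""
import struct


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end


def build_response(qname: str, rcode: int, a_records) -> bytes:
    """Build a minimal DNS response to an A query (constructed test input)."""
    # QR=1, RD=1, RA=1; rcode in the low 4 bits (0 = NOERROR, 3 = NXDOMAIN)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(a_records), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for ip in a_records:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4)  # name ptr, A, IN, TTL, RDLEN
        answers += bytes(int(o) for o in ip.split("."))
    return header + question + answers


def classify_response(msg: bytes) -> dict:
    """Return rcode, the A records found, and a verdict: 'answer', 'nxdomain' or 'edr'."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        _name, off = _decode_name(msg, off)
        off += 4                                    # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _name, off = _decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    if rcode == 3:
        verdict = "nxdomain"
    elif rcode == 0 and not ips:
        verdict = "edr"     # successful rcode, empty answer: GSLB vserver DOWN with EDR enabled
    else:
        verdict = "answer"
    return {"rcode": rcode, "ips": ips, "verdict": verdict}
```

Without EDR the DOWN vserver would fall into the "answer" branch with the addresses of the down services, which is exactly what a client should not receive.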


How to Use the Authentication Feature of a NetScaler Appliance with a Load Balancing or Content Switching VServer on the Appliance

This article describes how to use the authentication feature of a NetScaler appliance with a Load Balancing or Content Switching virtual server on the appliance.

Requirements

To complete this task, the NetScaler appliance must be licensed for the Load Balancing, Content Switching, and Authentication, Authorization, and Auditing (AAA – Application Traffic) features.


StoreFront Loopback Feature

Citrix recommends that you modify the hosts file on your StoreFront servers to ensure that Receiver for Web always talks to the local StoreFront server instead of the load balancer. In StoreFront 3.0, we leverage a new feature in the .NET Framework 4.5 to implement loopback communication between Receiver for Web and the rest of StoreFront Services.

This is configurable using the PowerShell cmdlet Set-DSLoopback, whose syntax is:

    Set-DSLoopback [-SiteId] <Int64> [-VirtualPath] <String> [-Loopback] <String> [[-LoopbackPortUsingHttp] <Int32>]



The valid values for Loopback are:

  • On – This is the default value for new Receiver for Web sites. Receiver for Web uses the scheme (HTTPS or HTTP) and port number from the base URL but replaces the host part with the loopback IP address to communicate with StoreFront Services. This works for a single-server deployment and for deployments with a non-SSL-terminating load balancer.

  • OnUsingHttp – Receiver for Web uses HTTP and the loopback IP address to communicate with StoreFront Services. If you are using an SSL-terminating load balancer, you should select this value. You have to also specify the HTTP port if it is not the default port 80.

  • Off – This turns off loopback, and Receiver for Web uses the StoreFront base URL to communicate with StoreFront Services. If you perform an in-place upgrade, this is the default value, to avoid disruption to your existing deployment.

For example, if you are using an SSL-terminating load balancer, your IIS is configured to use port 81 for HTTP, and the path of your Receiver for Web site is /Citrix/StoreWeb, you can run the following command to configure the Receiver for Web site:

    Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp -LoopbackPortUsingHttp 81


Switch off loopback if you want to use a web proxy tool such as Fiddler to capture the network traffic between Receiver for Web and StoreFront Services.

Delegating Authentication to the Backend Providers

StoreFront 2.x always communicates with Active Directory to authenticate users. This requires that the domain hosting the StoreFront servers has at least a one-way external trust to the domain hosting the backend XenApp/XenDesktop farms/sites. This may not be possible in some deployments. StoreFront 3.0 adds the capability to delegate authentication to the XenApp/XenDesktop farms/sites. This can be enabled by running the following PowerShell commands. Replace the store and authentication virtual paths appropriately.

    ## set some variables relevant to your deployment
    $SiteId = 1
    $StoreVirtualPath = "/Citrix/Store"
    $AuthenticationVirtualPath = "/Citrix/Authentication"

    # change auth service to use XML Service auth instead of domain auth
    Set-DSXmlServiceAuthentication -SiteId $SiteId -VirtualPath $AuthenticationVirtualPath

    # point the authentication service at the store's "Default" farm set
    $fs = @(Get-DSFarmSets -IISSiteId $SiteId -VirtualPath $StoreVirtualPath) | where { $_.Name -eq "Default" }
    Update-DSFarmSet -IISSiteId $SiteId -VirtualPath $AuthenticationVirtualPath -Farmset $fs

Note: From StoreFront 3.5 and newer, you can enable loopback in the StoreFront Console.


Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway leading to arbitrary code execution and host compromise

This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:

• Citrix NetScaler ADC and NetScaler Gateway version 12.0 Build 57.24 and later

• Citrix NetScaler ADC and NetScaler Gateway version 11.1 Build 58.13 and later

• Citrix NetScaler ADC and NetScaler Gateway version 11.0 Build 71.24 and later

• Citrix NetScaler ADC and NetScaler Gateway version 10.5 Build 68.7 and later

Citrix NetScaler ADC and NetScaler Gateway version 10.1 are not planned to be updated as part of remediating this issue. Customers on version 10.1 should plan to move to a later version to receive the latest security updates.

These new versions can be downloaded from the following locations:

https://www.citrix.com/downloads/netscaler-adc.html

https://www.citrix.com/downloads/netscaler-gateway.html

Citrix strongly recommends that customers using affected versions of NetScaler ADC and NetScaler Gateway upgrade to a version of the appliance firmware that contains the fixes for this issue as soon as possible.


FAQ: XenMobile 10 and NetScaler Gateway Integration

This article contains frequently asked questions about XenMobile 10 and NetScaler 10.5 Integration.

Q: What versions of NetScaler are supported with XenMobile 10 deployment wizard?

Q: Do I need to upgrade to NetScaler 10.5 to integrate with XenMobile 10?

Q: What is deployed by the new XenMobile 10 wizard?

Q: Why is the persistence type for MAM load balancing virtual server set to Custom Server ID?

Q: After running the XenMobile 10 wizard, why do I see a local DNS (A) record created with the XenMobile hostname?

Q: Is there a high-level communication flow diagram to understand how MDM and MAM traffic flows through the NetScaler?

Q: What versions of NetScaler are supported with XenMobile 10 deployment wizard?

A: NetScaler 10.5 build 54.9 or later is recommended for the XenMobile 10 deployment wizard. For a list of NetScaler versions/builds compatible with XenMobile 10, go to Citrix eDocs.


Q: Do I need to upgrade to NetScaler 10.5 to integrate with XenMobile 10?

A: No. Even though it is recommended to use the latest build of NetScaler 10.5, it is not required. You can still use NetScaler 10.1.

Be sure to check the XenMobile issues fixed in NetScaler, available on Citrix.com; this will help you decide whether or not to upgrade. For example, the NetScaler 10.5 (Main) Release Notes describe the overall fixes included in NetScaler 10.5 build 55.8.

Note: Some of these fixes are related to XenMobile.

When NetScaler Gateway is deployed with clientless access and Secure Browse is used with an HTTPS Proxy, the appliance fails if users close the connection when the proxy connection is still being established.

[From Build 55.8] [#526890, #531693, #532386]

Q: What is deployed by the new XenMobile 10 wizard?

A: The new XenMobile 10 wizard is very similar to the one introduced with the NetScaler 10.1 release for earlier releases of XenMobile. The following list provides a brief description of some of the new prompts.

When you launch the XenMobile 10 wizard, you will be prompted to select the settings/components you want to configure for XenMobile.

By default, Access through NetScaler Gateway and Load Balance XenMobile Servers are checked.

Next, there is a new prompt to configure a load balancing virtual server for MAM traffic. Follow these tips to properly deploy your XenMobile 10 solution.

  1. Selecting HTTPS communication to XenMobile Server (for MDM traffic): NetScaler will set the load balancing virtual servers to SSL Forward (also known as SSL Bridge) on ports 443 and 8443. In this configuration, the NetScaler does not terminate the SSL traffic to XenMobile Server; it forwards it to the XenMobile Server over secured ports 443 and 8443. Hence, make sure the defined XenMobile Server hostname (i.e., FQDN) can be reached externally. Otherwise, users will not be able to enroll successfully. Refer to this article: (CTX200847) Second Profile Installation Fails when Enrolling iOS Devices.
  • You can choose the protocol for the MDM load balancing virtual server:
    • HTTPS: SSL bridge
    • HTTP: SSL offload
  • For the MAM traffic, the NetScaler will set the load balancing virtual server to SSL Offload listening on port 8443. The communication to the XenMobile Server is configured on port 8443.

Example of MAM Load Balancing virtual server.


Example of MAM Service Group.

  2. Selecting HTTP communication to XenMobile Server (MDM & MAM traffic): SSL Offload configuration is used on NetScaler. In this configuration, the NetScaler contacts the XenMobile Server(s) via port 80 on the back end.

Note: If you plan to use HTTP communication to XenMobile Server, you must allow port 80 traffic on XenMobile’s built-in firewall. By default, port 80 is not allowed. To allow port 80, navigate to the CLI console > Configuration Menu > Firewall. Set “y” to enable port 80.


Example of MDM Load Balancing virtual servers.


Example of MAM Load Balancing virtual servers.


Example of MDM/MAM (shared) service.


Next, you need to select what Server Certificate to use for the load balancing virtual server for MAM.

This SSL server certificate can be either from a public or a private CA. Ensure that the full SSL Root CA chain (that is, the intermediate certificates) is bundled in the certificate file.

Q: Why is the persistence type for MAM load balancing virtual server set to Custom Server ID?

A: When XenMobile Server 10 is deployed in a multi-node cluster solution, NetScaler needs to maintain the MAM-traffic session by checking the server ID value of each node. This value is automatically obtained by NetScaler (from each node) when using the wizard.

Each XenMobile Server node has a unique server ID. To change the server ID value, you have to change the IP address of the XenMobile Server. After reboot, the system will generate a new value.

Example of XenMobile node service with Server ID value.

You can manually gather this value from each XenMobile cluster node in the CLI console.

Select Clustering Menu > Show Cluster Status.


Example of MAM load balancing persistence type Custom Server ID.


In the MAM load balancing virtual server, the NetScaler will set a timeout value of 2 mins along with the expression HTTP.REQ.COOKIE.VALUE("ACNODEID").

This expression means that the NetScaler checks for this cookie value (provided by the client in the communication flow) to determine the node to which the traffic should be directed.

Q: After running the XenMobile 10 wizard, why do I see a local DNS (A) record created with the XenMobile hostname?

A: This value is vital to ensure that the NetScaler Gateway virtual server contacts the MAM load balancing virtual server (internally) and decides which XenMobile Server node to contact. The DNS record points to the MAM load balancing virtual server (listening on 8443).

This DNS record is not applicable for MDM traffic (for example, enrollment, application/policies push, and so on).

Q: Is there a high-level communication flow diagram to understand how MDM and MAM traffic flows through the NetScaler?

A: Yes. The following is a communication flow diagram for a XenMobile cluster environment.

MDM Traffic:
  1. The mobile device uses Secure Hub to enroll the device.
  2. NetScaler intercepts this communication using both LB vservers, listening on ports 443 and 8443.

    To balance the MDM traffic, NetScaler uses SSL Session ID as persistence.
  3. When the device is enrolled, one of the XenMobile Servers in the cluster pushes policies/apps along with the NetScaler Gateway URL to the mobile device.

MAM Traffic:
  1. If the user wants to access Web/SaaS/MDX apps from XenMobile Server, Secure Hub communicates with the NetScaler Gateway vserver (port 443). Note that users will be prompted to enroll as an option if they bypass the enrollment process.
  2. When the user is authenticated on NetScaler Gateway, NetScaler contacts the internal LB vserver used to load balance MAM traffic sessions. To balance the MAM traffic, NetScaler looks for the cookie value called ACNODEID.

    The NetScaler will use the persistence of CustomServerID to identify which XenMobile Server node to contact based on the ACNODEID.
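As an added example (not Citrix code), the following Python models the persistence decision described for the MAM load balancing virtual server and in the MAM traffic flow above: persistence type Custom Server ID, the HTTP.REQ.COOKIE.VALUE("ACNODEID") rule and the 2-minute timeout. The two XenMobile nodes, their server IDs and the sample requests are constructed, and the `now` parameter stands in for the appliance clock.

```python
"""Model of the MAM LB persistence the XenMobile 10 wizard configures on
NetScaler: Custom Server ID persistence keyed on the ACNODEID cookie with a
2-minute timeout. Added example, not Citrix code; services, server IDs and
requests are constructed."""

PERSISTENCE_TIMEOUT_S = 2 * 60      # the 2-minute timeout set by the wizard
COOKIE_NAME = "ACNODEID"            # cookie named in the persistence rule


def cookie_value(request: str, name: str = COOKIE_NAME):
    """Mimic HTTP.REQ.COOKIE.VALUE(name) on raw request headers; None if absent."""
    headers = request.split("\r\n\r\n", 1)[0]
    for line in headers.split("\r\n"):
        if line.lower().startswith("cookie:"):
            for part in line.split(":", 1)[1].split(";"):
                key, _, value = part.strip().partition("=")
                if key == name:
                    return value
    return None


class MamLoadBalancer:
    """Internal MAM LB vserver with Custom Server ID persistence."""

    def __init__(self, services):
        # services: {"ip:port": server_id}; each XenMobile node's server ID is unique
        self.services = dict(services)
        self.down = set()               # services currently DOWN
        self.sessions = {}              # server ID -> (service, last_seen)
        self._rr = 0                    # round-robin cursor for the fallback

    def _up(self):
        return [svc for svc in self.services if svc not in self.down]

    def _lb_method(self):
        """Fallback when persistence cannot decide: plain round robin here."""
        up = self._up()
        if not up:
            return None
        svc = up[self._rr % len(up)]
        self._rr += 1
        return svc

    def select(self, request: str, now: float):
        """Return (service, reason) for a request arriving at time `now` (seconds)."""
        # Drop persistence entries idle for longer than the timeout.
        self.sessions = {k: v for k, v in self.sessions.items()
                         if now - v[1] <= PERSISTENCE_TIMEOUT_S}
        node_id = cookie_value(request)
        if node_id is None:
            return self._lb_method(), "no ACNODEID cookie: load balancing method"
        entry = self.sessions.get(node_id)
        if entry and entry[0] not in self.down:
            self.sessions[node_id] = (entry[0], now)
            return entry[0], "existing persistence session"
        for svc in self._up():
            if self.services[svc] == node_id:
                self.sessions[node_id] = (svc, now)
                return svc, "ACNODEID matched the service's server ID"
        return self._lb_method(), "no UP service with this server ID: load balancing method"

    def has_session(self, node_id: str) -> bool:
        return node_id in self.sessions
```

A request carrying an ACNODEID that matches no UP node (for example after that node's IP, and therefore its server ID, changed) falls back to the load balancing method instead of being dropped.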



Re: Is it possible to rerun a policy action?

Hmm – good point.

Yes, you can define a workflow which will only run a clone action. And it will work.

However, my personal favorite is scripted cloning

– easy to configure

– easy to change

– much more flexibility

– you can use much more mminfo parameters to select your save sets precisely

– you can specify a storage node (load balancing)

– you can add other criteria as a specific retention date

– and it is valid for all NW versions 😉

Then schedule such a script via cron/task scheduler. Done.

We have used this method for years.


How to Configure the GSLB Static Proximity Feature in a NetScaler Appliance

This article contains information about configuring and troubleshooting the static Global Server Load Balancing (GSLB) feature on a NetScaler appliance.

Background

GSLB

A NetScaler appliance with the GSLB feature directs DNS requests to the GSLB site with the best performance. When a client sends a DNS request, the appliance identifies the site with the best performance and sends the IP address of the site to the client. The appliance decides by using the Metric Exchange Protocol (MEP), GSLB policies, and GSLB methods supported by the appliance. The GSLB methods are algorithms that control how the appliance load balances the client requests across the distributed data centers.

You can configure the GSLB feature based on the round trip time (RTT), static proximity, or a combination of the two.

Static Proximity

The static proximity feature uses an IP address-based static location database. This database contains IP address ranges (GeoIP data) and the information about the location to which each range belongs. When a user visits the website, the GeoIP lookup can determine information such as country, region, city, and longitude/latitude. The database used to implement the static proximity method usually contains information about all the GSLB sites. The appliance uses this database to determine the proximity between the Local DNS (LDNS) of the client and the GSLB sites, and sends the IP address of the site that is closest to the client.

Note: In the static GSLB database the locations consist of an IP address range and up to six qualifiers for this range.

In order to use the static proximity feature, you have to upload the database to the appliance. A custom database is stored in ns.conf; a static third-party database or the appliance's own database is stored in the /var/netscaler/locdb directory by default.

Static Proximity When Using a NetScaler Appliance

A client sends a request for a domain to access an application by using resources such as the internet, email, or VPN. The client requests www.example.com by using the browser. The information for this website is stored at two different data centers, Site A and Site B. If the IP address for the domain is not found in the local cache, the browser sends a request to the client's LDNS server.

If the LDNS server does not have an IP address for a requested domain, then it sends a query to a NetScaler appliance that is configured as the authoritative DNS server for the domain.

When the appliance receives the request from the client's LDNS, the appliance uses the static database to determine whether the IP address and location information of the client exist.

The appliance then sends the IP address of the nearest data center to the client and the client browser displays the web page.
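As an added example (not NetScaler code), the following Python walks through the static proximity decision just described: the client's LDNS IP is looked up in a location database of IP ranges with up to six qualifiers, and the GSLB site whose location shares the most leading qualifiers with the LDNS is returned. The line format, the qualifier order (continent, country, region, city, ISP, organization) and the scoring rule are assumptions, and the database, sites and 192.0.2.x/198.51.100.x/203.0.113.x addresses are constructed.

```python
"""Static proximity decision for GSLB. Added example, not NetScaler code:
the database format, qualifier order and scoring rule are assumptions and
all data below is constructed."""
import ipaddress

# Constructed static location database: start-IP end-IP q1 q2 q3 q4 q5 q6
LOCATION_DB = """\
# start          end              continent country region city      isp        org
192.0.2.0        192.0.2.127      NA        US      CA     SanJose   ExampleISP ExampleOrg
192.0.2.128      192.0.2.255      NA        US      NY     NewYork   ExampleISP ExampleOrg
198.51.100.0     198.51.100.255   EU        DE      BE     Berlin    ExampleISP ExampleOrg
203.0.113.0      203.0.113.255    AS        IN      KA     Bangalore ExampleISP ExampleOrg
"""

# Constructed GSLB sites: name -> (site IP returned to the client, location qualifiers)
GSLB_SITES = {
    "SiteA": ("192.0.2.10", ("NA", "US", "CA", "SanJose")),
    "SiteB": ("198.51.100.10", ("EU", "DE", "BE", "Berlin")),
}


def parse_location_db(text):
    """Parse 'start end q1..q6' lines into (start_int, end_int, qualifiers) tuples."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 3 or len(fields) > 8:
            raise ValueError(f"line {lineno}: expected an IP range and 1-6 qualifiers")
        start = int(ipaddress.IPv4Address(fields[0]))
        end = int(ipaddress.IPv4Address(fields[1]))
        if end < start:
            raise ValueError(f"line {lineno}: range end precedes start")
        entries.append((start, end, tuple(fields[2:])))
    return entries


def lookup_location(entries, ip):
    """Qualifiers of the range containing `ip`, or None if the IP is not in the database."""
    n = int(ipaddress.IPv4Address(ip))
    for start, end, quals in entries:
        if start <= n <= end:
            return quals
    return None


def proximity_score(ldns_quals, site_quals):
    """Number of leading qualifiers the LDNS location and the site location share."""
    score = 0
    for a, b in zip(ldns_quals, site_quals):
        if a != b:
            break
        score += 1
    return score


def choose_site(entries, ldns_ip, sites):
    """(site name, site IP, score) for the closest site, or None when static
    proximity cannot decide (LDNS not in the database, or nothing in common),
    in which case the appliance would fall back to another GSLB method."""
    quals = lookup_location(entries, ldns_ip)
    if quals is None:
        return None
    best_name, best_ip, best_score = None, None, 0
    for name, (ip, site_quals) in sites.items():
        score = proximity_score(quals, site_quals)
        if score > best_score:          # ties keep the first site seen
            best_name, best_ip, best_score = name, ip, score
    if best_name is None:
        return None
    return best_name, best_ip, best_score
```

The two None cases matter operationally: an LDNS outside the database, or one that matches no site at all, must be handled by a backup method rather than by answering with an arbitrary site.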


FAQ: How to Verify Hardware Health Status on NetScaler MPX?

Q: How to verify hardware health status on NetScaler MPX?

A: Run the stat system -detail command to display the current health attributes of the different NetScaler hardware components.

For a list of health attributes and their recommended value ranges, refer to Citrix Documentation – Hardware Health Attributes.

Run the following commands to check on NetScaler (deprecated):

> shell

root@Netscaler# ns_hw_err.bash

WARNING: DO NOT run the ns_hw_err.bash script on a FIPS Netscaler. This script contains commands that can cause a FIPS Netscaler to hang or crash, requiring a power cycle to recover.

NOTE: The ns_hw_err.bash script was intended for Netscaler Tech Support use only. As such, it can sometimes report false positives that should be ignored. Examples of false positives are cavium card timeout recoveries and SMART Old-Age warnings. Both of these conditions are considered normal and are not indicative of a hardware failure, nor do they require an RMA.

In lieu of the script above, the recommended method of performing a health check on a NetScaler is to generate a tech support file (from the GUI or by running show techsupport from the CLI) and upload the resulting support.tgz file (in /var/tmp/support) to https://cis.citrix.com for analysis. CIS will analyze the file and generate a report detailing the NetScaler's health, along with suggestions for improvement.


How to Configure a Web Interface Site on a NetScaler Appliance by Using the Web Interface Wizard

If Web Interface is not installed on the NetScaler appliance, refer to CTX130153 – How to Install Web Interface on NetScaler to install it.

From NetScaler GUI

To configure a Web Interface site on a NetScaler appliance, complete any of the following procedures, as required:

Configuring a Web Interface Site in Direct Mode

To configure the Web Interface site on a NetScaler appliance in Direct Mode, complete the following procedure:

  1. Run the following command from the command line interface to verify if you have the Web Interface license for the NetScaler appliance:

    show license | grep -i interface

    The following is a sample output of the preceding command:

    Web Interface on NS: YES

  2. If the Web Interface license is available for the NetScaler appliance, expand the System node.

  3. Expand the Web Interface node.

  4. Select the Sites node.

  5. Click Add.

    The Web Interface Wizard is displayed.


  6. In the Site Path field, specify the path of the site. The site path is the URL appended to the IP address in the HTTP Request that is used to reach the Web Interface site.

    Note: If the Web Interface site is hosted on a UNIX platform, then the site path is case sensitive.


  7. Select one of the following options from the Site Type list:

    • XenApp/XenDesktop Web Site: This option is configured for browser access with the XenApp plugin or XenApp plugin Web.

    • XenApp/XenDesktop Service Site: This option is configured for use with the XenApp plugin or PNAgent.


  8. Select Online from the Published Resource Type list. This setting reflects the type of published resources in the XenApp/XenDesktop farm.


  9. Select the Kiosk Mode option if you do not want to save the user customizations.


  10. Select the Direct Mode option for access without a gateway. If the site is in the Direct mode, no CAG authentication occurs at the Web Interface site.


  11. You can either create a Virtual Server (VServer) or select an existing VServer. To create a VServer, specify the details as shown in the following screen shot:


    • In the IP Address field, specify the IP address of the VServer.

    • In the Port field, specify the port number.

      Note: If you are using an existing VServer, ensure that the service you bind to the VServer is a loopback to the NetScaler appliance or NetScaler IP address.

  12. Click Next. The Create XenApp/XenDesktop Farm Window is displayed.

  13. Type the XML service addresses in the XML Service Addresses field.

  14. Type the port number for the XML service in the XML Service Port field.

  15. Click Create, as shown in the following screen shot:


  16. Click Next, and review the settings.

  17. Click Finish.

Configuring the Web Interface Site in Gateway Direct Mode

To configure the Web Interface site on a NetScaler appliance in the Gateway Direct Mode, complete the following procedure:

  1. Run the following command from the command line interface to verify if you have the Web Interface license for the NetScaler appliance.

    show license | grep interface

    The following is a sample output of the preceding command:

    Web Interface on NS: YES

  2. If the Web Interface license is available for the NetScaler appliance, expand the System node.

  3. Expand the Web Interface node.

  4. Select the Sites node.

  5. Click Add.

    The Web Interface Wizard is displayed.

  6. In the Site Path field, specify the path of the site. The site path is the URL appended to the IP address in the HTTP Request that is used to reach the Web Interface site.

    Note: If the Web Interface site is hosted on a UNIX platform, then the site path is case sensitive.

  7. Select one of the following options from the Site Type list:

    • XenApp/XenDesktop Web Site: This option is configured for browser access with the XenApp plugin or XenApp plugin Web.

    • XenApp/XenDesktop Service Site: This option is configured for use with the XenApp plugin or PNAgent.

  8. Select Online, Offline, or Dualmode from the Published Resource Type list. This setting should reflect the type of published resources in the farm.

  9. Select the Kiosk Mode option if you do not want to save the user customizations.

  10. Select the Gateway Direct option for Default Access Method.


  11. Select the NetScaler Gateway option for Authentication Point.

  12. Add the NetScaler Gateway URL. You can retrieve this URL from the SSL certificate bound to the NetScaler Gateway VServer.


  13. Click Settings to create a session policy for use with the VServer, as shown in the following screen shot:


  14. In the Settings dialog box, specify the following details:

    • In the Name field, specify a name for the session policy.

    • Select ON from the ICA Proxy list.

    • In the Web Interface field, specify the address of the Web Interface. This field should always have the value 127.0.0.1:8080/<site path>.

    • Select NORMAL from the Web Interface Portal Mode list.

    • In the Single Sign-on Domain field, specify a domain name.

    • Ensure that the Single Sign-on to Web Applications option is selected.

      The following is a sample screen shot for your reference:


  15. Click OK.

  16. Select the Add DNS Entry option.

  17. Select the Trust SSL certificate option.

    The SSL certificate is imported from the VServer to the Apache Tomcat Java KeyStore. The SSL certificate with .PEM format is not supported for importing. For the SSL certificate to be imported successfully, an SSL certificate with the .PEM format should be split into separate certificate and private key files and bound to a VServer before initiating the Web Interface Wizard, as shown in the following screen shot:


    Add STA URL if it does not exist.


  18. Click Next.

    The Create XenApp/XenDesktop Farm window is displayed.

  19. Type the XML service addresses separated by commas in the XML Service Addresses field.

  20. Type the port number for the XML service in the XML Service Port field.


  21. Click Create.

  22. Click Next, and review the settings.

  23. Click Finish.

From NetScaler CLI

To configure the Web Interface site on a NetScaler appliance, run the following command from the command line interface:

add wi site <sitePath> [<agURL> [<staURL>] [-sessionReliability ( ON | OFF ) [-useTwoTickets ( ON | OFF ) [-secondSTAURL <string>]]] [-authenticationPoint ( WebInterface | AccessGateway )]] [-siteType (XenAppWeb | XenAppServices )] [-publishedResourceType <publishedResourceType>] [-kioskMode ( ON | OFF )]

Also see: https://docs.citrix.com/en-us/netscaler/10-5/ns-solutions-con/ns-ag-wi-wrapper-con/ns-ag-wi-config-wi-con/ns-ag-wi-config-wi-site-for-lan-users-using-http-tsk.html

Please Note: The NetScaler Session Profile > Client Experience > Plugin Type setting must be set to “Java”, or you will receive a 401 error after logging in. You can also receive a 401 error for other reasons; refer to CTX138849 and CTX139390.

Refer to Citrix Documentation for additional information.
