NTP status displays “No association ID” error message on Secondary NetScaler

On the Secondary NetScaler, the error “No association ID” is displayed when the “show ntp status” command is executed.

Primary NetScaler Appliance:

=======================

> show ntp status

remote refid st t when poll reach delay offset jitter

=======================================================

adljj.john.com .LOCL. 1 u 9 64 7 0.293 -212012 2.175


Secondary NetScaler Appliance:

===========================

> show ntp status

No association ID’s returned

Done

Log Analysis:

==============

1) From the logs, we found that NTP was configured after the upgrade and that, at that time, the secondary device's interface was down.

2) We can see that the interface was down in the interval 10:01 – 11:18 A.M. In that interval, none of the commands were propagated, so the NTP configuration was missing from the secondary.

3) As per the current design, even after the secondary comes up and the NTP configuration is synchronized through HA synchronization, the NTP daemon must be restarted manually to get the NTP status on the secondary. This is a current limitation of NetScaler.

4) Hence, an enhancement request was raised to address this limitation.

5) The limitation was fixed in the following versions: 12.1 50.x, 12.0 60.x, 11.1 60.x

Logs from Primary:

—————————–

var/log/ns.log

ns.log.0:649:Apr 23 10:15:59 <local0.info> X.X.X.X 2018:01:15:59 GMT NetScaler-Internal-TDC-01 0-PPE-1 : default GUI CMD_EXECUTED 136 0 : User nsroot – Remote_ip X.X.X.20 – Command “add ntp server X.X.X.3 -minpoll 6 -maxpoll 10 -devno 32833536” – Status “Success”

ns.log.0:651:Apr 23 10:15:59 <local0.info> X.X.X.X 04/23/2018:01:15:59 GMT NetScaler-Internal-TDC-01 0-PPE-1 : default GUI CMD_EXECUTED 137 0 : User nsroot – Remote_ip X.X.X.20 – Command “unset ntp server X.X.X.3 -autokey” – Status “Success”

Logs from secondary:

——————————–

var/log/ns.log

Apr 23 10:00:34 <local0.info> X.X.X.25 04/23/2018:01:00:34 GMT NetScaler-Internal-TDC-02 0-PPE-1 : default CLI CMD_EXECUTED 131 0 : User nsroot – Remote_ip 127.0.0.1 – Command “logout” – Status “Success”

Apr 23 10:01:13 <local0.notice> X.X.X.25 04/23/2018:01:01:13 GMT NetScaler-Internal-TDC-02 0-PPE-0 : default EVENT DEVICEDOWN 79 0 : Device “interface(0/1)” – State DOWN

Apr 23 10:01:13 <local0.notice> X.X.X.25 04/23/2018:01:01:13 GMT NetScaler-Internal-TDC-02 0-PPE-1 : default EVENT DEVICEDOWN 132 0 : Device “interface(0/1)” – State DOWN

Apr 23 11:18:15 <local0.notice> X.X.X.25 04/23/2018:02:18:15 GMT NetScaler-Internal-TDC-02 0-PPE-1 : default EVENT DEVICEUP 133 0 : Device “interface(0/1)” – State UP

Apr 23 11:18:15 <local0.notice> X.X.X.25 04/23/2018:02:18:15 GMT NetScaler-Internal-TDC-02 0-PPE-0 : default EVENT DEVICEUP 80 0 : Device “interface(0/1)” – State UP

Apr 23 11:18:29 <local0.info> X.X.X.25 04/23/2018:02:18:29 GMT NetScaler-Internal-TDC-02 0-PPE-1 : default AAA Message 134 0 : “rba authentication : user nsroot response_len-0 cmdPolicyLen-0, partitionLen-0 PromptLen-0 timeout 805307268 authPolicyLen-0 authActionLen-0 ssh_pubkey_len
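To check an HA pair for exactly this failure, it helps to correlate the primary's CMD_EXECUTED entries with the secondary's DEVICEDOWN/DEVICEUP events. The Python below is an added example and not part of the Citrix article: it parses constructed ns.log lines modelled on the excerpts above (the year is assumed to be 2018, since syslog timestamps omit it) and lists the commands the primary executed while the secondary's interface 0/1 was down, i.e. the configuration that was never propagated.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the article's ns.log excerpts (not real devices).
PRIMARY_LOG = """\
Apr 23 10:15:59 <local0.info> X.X.X.X 04/23/2018:01:15:59 GMT NetScaler-Internal-TDC-01 0-PPE-1 : default GUI CMD_EXECUTED 136 0 : User nsroot - Remote_ip X.X.X.20 - Command "add ntp server X.X.X.3 -minpoll 6 -maxpoll 10" - Status "Success"
Apr 23 10:15:59 <local0.info> X.X.X.X 04/23/2018:01:15:59 GMT NetScaler-Internal-TDC-01 0-PPE-1 : default GUI CMD_EXECUTED 137 0 : User nsroot - Remote_ip X.X.X.20 - Command "unset ntp server X.X.X.3 -autokey" - Status "Success"
Apr 23 11:30:02 <local0.info> X.X.X.X 04/23/2018:02:30:02 GMT NetScaler-Internal-TDC-01 0-PPE-1 : default GUI CMD_EXECUTED 140 0 : User nsroot - Remote_ip X.X.X.20 - Command "add lb vserver v1 HTTP 10.0.0.1 80" - Status "Success"
"""
SECONDARY_LOG = """\
Apr 23 10:01:13 <local0.notice> X.X.X.25 04/23/2018:01:01:13 GMT NetScaler-Internal-TDC-02 0-PPE-0 : default EVENT DEVICEDOWN 79 0 : Device "interface(0/1)" - State DOWN
Apr 23 10:01:13 <local0.notice> X.X.X.25 04/23/2018:01:01:13 GMT NetScaler-Internal-TDC-02 0-PPE-1 : default EVENT DEVICEDOWN 132 0 : Device "interface(0/1)" - State DOWN
Apr 23 11:18:15 <local0.notice> X.X.X.25 04/23/2018:02:18:15 GMT NetScaler-Internal-TDC-02 0-PPE-1 : default EVENT DEVICEUP 133 0 : Device "interface(0/1)" - State UP
Apr 23 11:18:15 <local0.notice> X.X.X.25 04/23/2018:02:18:15 GMT NetScaler-Internal-TDC-02 0-PPE-0 : default EVENT DEVICEUP 80 0 : Device "interface(0/1)" - State UP
"""

# syslog prefix has no year; the caller supplies it (assumed 2018 here).
SYSLOG_TS = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ')
# Straight and curly quotes are both accepted: copied-out logs often carry curly ones.
CMD_RE = re.compile(r'CMD_EXECUTED .*?Command ["\u201c](?P<cmd>.*?)["\u201d]')
DEV_RE = re.compile(r'EVENT DEVICE(?:DOWN|UP) .*?Device ["\u201c](?P<dev>.*?)["\u201d] .*?State (?P<state>UP|DOWN)')


def _stamp(line, year):
    m = SYSLOG_TS.match(line)
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S") if m else None


def parse_commands(text, year=2018):
    """(timestamp, command) for every CMD_EXECUTED audit line."""
    out = []
    for line in text.splitlines():
        ts, m = _stamp(line, year), CMD_RE.search(line)
        if ts and m:
            out.append((ts, m.group("cmd")))
    return out


def parse_device_states(text, device, year=2018):
    """(timestamp, 'UP'|'DOWN') for every DEVICEUP/DEVICEDOWN event of `device`."""
    out = []
    for line in text.splitlines():
        ts, m = _stamp(line, year), DEV_RE.search(line)
        if ts and m and m.group("dev") == device:
            out.append((ts, m.group("state")))
    return out


def down_windows(states):
    """Pair each DOWN with the next UP. Duplicate events from different packet
    engines (PPE-0, PPE-1) collapse into one window; a DOWN with no UP is open-ended."""
    windows, start = [], None
    for ts, state in sorted(states):
        if state == "DOWN" and start is None:
            start = ts
        elif state == "UP" and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def commands_during_outage(primary_log, secondary_log, device="interface(0/1)", year=2018):
    """Commands the primary executed while the secondary's `device` was down:
    these are the ones HA propagation could not deliver."""
    windows = down_windows(parse_device_states(secondary_log, device, year))
    return [cmd for ts, cmd in parse_commands(primary_log, year)
            if any(s <= ts and (e is None or ts < e) for s, e in windows)]


if __name__ == "__main__":
    for cmd in commands_during_outage(PRIMARY_LOG, SECONDARY_LOG):
        print("not propagated:", cmd)
```

On a live pair, feed it the relevant portion of /var/log/ns.log from each node and set `year` to match the rotated file; anything it lists is configuration worth verifying on the secondary after HA synchronization, and for NTP specifically the daemon restart described above is still needed.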

Related:

The following error occurred during an authentication attempt for user:domain.comabc with realm:

At the StoreFront server, open a command line and run the following command:

>set u

The output includes two variables, USERDOMAIN and USERDNSDOMAIN, which look like this:

USERDNSDOMAIN=DOMAIN.COM

USERDOMAIN=DOMAIN

Open the NetScaler Gateway virtual server's session profile.

Go to the Published Applications tab and look for the SSO Domain field.

As per the error, it would be domain.com.

Change it to domain and save the configuration on the NetScaler.

Also confirm that StoreFront either has “Any” domain selected or has both “domain.com” and “domain” added as trusted domains.

Related:

FAQ: Time-Out with Password Caching on XenMobile

Question:

What are the expected time-out behaviours with the Enable Password Caching setting on XenMobile Server?

Answer:

Enable Password Cache: false

  • Secure PIN authentication on XenMobile Apps after INACTIVITY_TIMER expires.
  • Active Directory password authentication on Secure Hub when session times out on NetScaler Gateway.

Enable Password Cache: true

  • Secure PIN authentication on XenMobile Apps after INACTIVITY_TIMER expires.
  • Secure PIN authentication on Secure Hub when SESSION times out on NetScaler Gateway. You will be prompted for Active Directory password only if it is changed on Active Directory.


Functionality of ENABLE_PASSWORD_CACHING (needs to be set from XenMobile Client Properties)

This key lets you allow the users’ Active Directory password to be cached locally on the mobile device. When you set this key to true, users are prompted to set a Citrix PIN or passcode. The ENABLE_PASSCODE_AUTH key must be set to true when you set this key to true.

Default value: false


Question:

Is there any particular order for the timeout values?

Answer:

The timeouts must be configured in a particular order. The following article lists the timeout information; you can increase the timeout values, but ensure that they follow the order described there:

https://support.citrix.com/article/CTX224958

Related:

TCP Connections Intermittently Dropped on NetScaler Because of TCP Small Window Attack Protection

The customer reported intermittent connection drops, which were traced to the TCP small window attack protection feature on the NetScaler.

Trace analysis

In the non-working trace we see the following:

The ACK is dropped after the initial SYN and SYN-ACK; the retransmitted packet seen here is the ACK.


The counter also matches the time of the issue: May 18 01:53:49 2016

nsconmsg -K /var/nslog/newnslog -g tcp_cur_SW

reltime:mili second between two records Wed May 18 01:53:07 2016

Index rtime totalcount-val delta rate/sec symbol-name&device-no&time
135 0 1258237 1 0 tcp_err_SW_init_pktdrop Wed May 18 01:53:07 2016
136 7000 136 1 0 tcp_cur_SW_pcbs Wed May 18 01:53:14 2016
137 7000 1258239 2 0 tcp_err_SW_init_pktdrop Wed May 18 01:53:21 2016
138 0 132 -4 0 tcp_cur_SW_pcbs Wed May 18 01:53:21 2016
140 0 1258241 2 0 tcp_err_SW_init_pktdrop Wed May 18 01:53:49 2016
141 7000 134 4 0 tcp_cur_SW_pcbs Wed May 18 01:53:56 2016
142 0 1258247 6 0 tcp_err_SW_init_pktdrop Wed May 18 01:53:56 2016
143 7000 1258248 1 0 tcp_err_SW_init_pktdrop Wed May 18 01:54:03 2016
144 0 133 -1 0 tcp_cur_SW_pcbs Wed May 18 01:54:03 2016
145 14000 134 1 0 tcp_cur_SW_pcbs Wed May 18 01:54:17 2016
146 7000 130 -4 0 tcp_cur_SW_pcbs Wed May 18 01:54:24 2016
147 7000 133 3 0 tcp_cur_SW_pcbs Wed May 18 01:54:31 2016
148 7000 132 -1 0 tcp_cur_SW_pcbs Wed May 18 01:54:38 2016
149 7000 131 -1 0 tcp_cur_SW_pcbs Wed May 18 01:54:45 2016
150 7000 129 -2 0 tcp_cur_SW_pcbs Wed May 18 01:54:52 2016
151 14000 130 1 0 tcp_cur_SW_pcbs Wed May 18 01:55:06 2016
152 14000 129 -1 0 tcp_cur_SW_pcbs Wed May 18 01:55:20 2016
153 7000 130 1 0 tcp_cur_SW_pcbs Wed May 18 01:55:27 2016
154 7000 129 -1 0 tcp_cur_SW_pcbs Wed May 18 01:55:34 2016
155 7000 130 1 0 tcp_cur_SW_pcbs Wed May 18 01:55:41 2016
156 7000 128 -2 0 tcp_cur_SW_pcbs Wed May 18 01:55:48 2016
157 7000 129 1 0 tcp_cur_SW_pcbs Wed May 18 01:55:55 2016

NetScaler TCP Small Window Protection

This is a protection feature on the NetScaler that is invoked when the NetScaler receives a packet with a window size less than the negotiated MSS value. The NetScaler silently drops the final ACK packet, so the session is not established and no packet is sent to the backend server.

More Information

If a client with an Initial Sequence Number (ISN) advertises a window size in the final ACK that is less than the MSS, that client's ISN is put into a hash table and marked as malicious. Before marking it as malicious, the NetScaler sends keep-alives to the client to give it a chance to open up the window or send a packet with a higher window size.

Further, if the NetScaler receives a connection request with an ISN matching an entry in the hash table, from the same or a different client, the final ACK of that handshake is silently dropped.

On the NetScaler, the following two counters increment when TCP small window packets are received and silently dropped:

tcp_cur_SW_pcbs

tcp_err_SW_init_pktdrop
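The nsconmsg output above is awkward to read by eye, and the question a practitioner actually wants answered is whether the drop counter moved at the moment users complained. The Python below is an added example, not from the article: it parses the data rows of `nsconmsg -K /var/nslog/newnslog -g tcp_cur_SW`, sums the tcp_err_SW_init_pktdrop increments within a window around the reported issue time, and reports the latest tcp_cur_SW_pcbs value. The embedded rows are an excerpt of the article's own output; the 30-second window is an assumption.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple

# Excerpt of the nsconmsg output shown in the article (first rows only).
NSCONMSG_OUTPUT = """\
reltime:mili second between two records Wed May 18 01:53:07 2016
 Index rtime totalcount-val delta rate/sec symbol-name&device-no&time
135 0 1258237 1 0 tcp_err_SW_init_pktdrop Wed May 18 01:53:07 2016
136 7000 136 1 0 tcp_cur_SW_pcbs Wed May 18 01:53:14 2016
137 7000 1258239 2 0 tcp_err_SW_init_pktdrop Wed May 18 01:53:21 2016
138 0 132 -4 0 tcp_cur_SW_pcbs Wed May 18 01:53:21 2016
140 0 1258241 2 0 tcp_err_SW_init_pktdrop Wed May 18 01:53:49 2016
141 7000 134 4 0 tcp_cur_SW_pcbs Wed May 18 01:53:56 2016
142 0 1258247 6 0 tcp_err_SW_init_pktdrop Wed May 18 01:53:56 2016
143 7000 1258248 1 0 tcp_err_SW_init_pktdrop Wed May 18 01:54:03 2016
144 0 133 -1 0 tcp_cur_SW_pcbs Wed May 18 01:54:03 2016
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # "Wed May 18 01:53:07 2016"


class Record(NamedTuple):
    index: int
    total: int
    delta: int
    symbol: str
    when: datetime


# index rtime totalcount-val delta rate/sec symbol-name  <weekday month day hh:mm:ss year>
RECORD_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<rtime>\d+)\s+(?P<total>-?\d+)\s+(?P<delta>-?\d+)\s+(?P<rate>-?\d+)\s+"
    r"(?P<symbol>\S+)\s+(?P<when>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$"
)


def parse_nsconmsg(text):
    """Parse the data rows of `nsconmsg -g <counter>`; header lines do not match and are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append(Record(int(m["idx"]), int(m["total"]), int(m["delta"]),
                                  m["symbol"], datetime.strptime(m["when"], TIME_FMT)))
    return records


def drops_near(records, issue_time, window_s=30, symbol="tcp_err_SW_init_pktdrop"):
    """Sum the increments of `symbol` within +/- window_s seconds of `issue_time`
    (given in nsconmsg's own time format). A non-zero sum at the time of the
    complaint is the correlation the article's analysis relies on."""
    centre = datetime.strptime(issue_time, TIME_FMT)
    lo, hi = centre - timedelta(seconds=window_s), centre + timedelta(seconds=window_s)
    hits = [r for r in records if r.symbol == symbol and lo <= r.when <= hi]
    return {"dropped": sum(r.delta for r in hits), "samples": len(hits)}


def current_small_window_pcbs(records):
    """Latest tcp_cur_SW_pcbs value: how many connections are currently flagged."""
    vals = [r for r in records if r.symbol == "tcp_cur_SW_pcbs"]
    return vals[-1].total if vals else 0


if __name__ == "__main__":
    recs = parse_nsconmsg(NSCONMSG_OUTPUT)
    print(drops_near(recs, "Wed May 18 01:53:49 2016"))   # drops around the reported time
    print(current_small_window_pcbs(recs))
```

Run it against the full `nsconmsg` output saved to a file; a window that sums to zero around the complaint time means the small window protection is not the cause and the trace should be read for something else before nsapimgr is touched.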

Procedure to disable TCP small window protection on NetScaler

The small window protection can be disabled with the following nsapimgr command:

root@ns# nsapimgr_wr.sh -ys small_window_protection=0

Number of PEs running: 1

Changing Connection startup small window protection from 1 to 0 … Done.

Note: nsapimgr commands are developer-specific and must be run only under the advice of Citrix Support. Contact Citrix Support before applying any nsapimgr commands.

Related:

NetScaler GSLB Static Proximity Does Not Work After Upgrading to 11.0/11.1 Firmware

To resolve this issue delete the nslocation.* files from the /var/netscaler/locdb/ directory and then re-run the configuration to add the location file.

root@NS-Cumulus1# cd /var/netscaler/locdb/

root@NS-Cumulus1# ls

GeoIPCountryWhois.csv GeoLite2-City-Locations-en.csv IP2LOCATION-LITE-DB1.CSV nslocation.ck nslocation.db

root@NS-Cumulus1# rm nslocation.*

> add locationfile /var/netscaler/locdb/GeoIPCountryWhois.csv -format geoip-country

Related:

How to Deploy NetScaler Appliances in a High Availability Setup in Two Arm Mode having Multiple Subnets with VLAN IDs

This article contains information about deploying NetScaler appliances in a high availability setup in two arm mode having multiple subnets with VLAN IDs.

Requirements

  • Both the NetScaler appliances must be on the same NetScaler software release version and have the same hardware platform.
  • Configure the appliances in a high availability setup. Ensure that both the appliances are communicating to each other. Refer to CTX116748 – How to Set Up a High Availability Pair on NetScaler.

Background

In this scenario, the NetScaler appliance must communicate with four VLANs, 200, 201, 202, and 400, and the mode of communication must be two arm mode.

The IP range for communication of VLAN 200, 201, 202, and 400 are 192.168.200.0/24,192.168.300.0/24,192.168.400.0/24, and 172.17.154.0/24 respectively:

  • Internal VLAN200 / 192.168.200.x
  • Internal VLAN201 / 192.168.300.x
  • Internal VLAN202 / 192.168.400.x
  • DMZ VLAN400 / 172.17.154.x

Related:

How to Configure RDP Proxy on NetScaler Gateway 11.0 to 12.1

  • Create an RDP listener on port 3389 using VPN virtual server IP (RDP feature needs to be enabled).

    Navigate to Configuration > NetScaler Gateway > Policies > RDP and click Add to create a new Server Profile.

    RDP IP is the NetScaler Gateway VIP, and RDP Port is the desired port for RDP connections to the NetScaler Gateway virtual server.

    Specify a Pre-Shared Key and take note of it; it will be used in Step 2.

    NOTE: As of NetScaler 12.1, there is a new feature called RDPRedirection which adds support for RDPProxy with Connection Broker. If you enable this and use SSO without a Connection Broker, then the RDP Connection will fail. For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12-1/rdp-proxy/rdp-redirection.html


  • Related:

    New SSL Features Included in NetScaler 12.0.56.20 Release

    What new SSL features are included in NetScaler 12.0 56.20?

    ECC for VPX backend

    NetScaler VPX now includes support for Elliptic Curve Cryptography on backend connections. This allows the NetScaler to support ECC connections to backend servers:

    ECC on Services

      ECDHE Cipher Enhancement on VPX Backend

      ECDHE ciphers are now supported on VPX backend.

      • ECDHE suites can give improved performance and better security.
      • RFC 4492 allows ECDHE ciphers to be used with TLS1.0, TLS1.1, and TLS1.2.
      • The new set of ciphers supported on VPX backend are:

      ECDHE on VPX backend

      4K server cert and DHE for VPX backend

      NetScaler VPX now supports backend cert key sizes up to 4K, including DHE:

      4k support

      ChaCha20-Poly1305 Support on VPX and CPX

      ChaCha20-Poly1305 is a new Authenticated Encryption with Associated Data (AEAD) cipher in TLS (RFC 7905).

      • ChaCha20 – Stream Cipher – 96 bit Nonce and 256 bit Key
      • Poly1305 – Authenticator – 256 bit ‘One-time’ Key
      • Both primitives designed for higher performance when done in Software (CPU)

      Benefits/Use Cases

      • Better Performance/Faster Encryption
        • On devices that don’t have specialized AES acceleration (AES-NI on x86)
        • e.g. non-x86 platforms such as Android devices, wearables, etc. with ARM processors. Improves user experience, battery life, etc.
      • Better Security
        • Reduces side-channel attacks (by design) such as Lucky13 (CBC mode) or attacks on other stream ciphers such as the RC4 stream cipher
      • Wide deployment on various Clients
        • Chrome browsers on Android devices moved to TLS1.2 + ChaCha-Poly in 2014.

      DTLS BE for MPX and VPX

      DTLS for backend (i.e. DTLS client on NS) is now supported. This requirement is currently for “Double hop for framehawk and UDP audio” feature of NetScaler Gateway.

      • Use Case: VDA solution to provide secure access to Desktop in StoreFront via end-to-end DTLS.
      • It is similar to TLS except that it works over UDP instead of TCP
      • 3 supported ciphers:
        • TLS_RSA_WITH_AES_256_CBC_SHA
        • TLS_RSA_WITH_AES_128_CBC_SHA
        • TLS_RSA_WITH_3DES_EDE_CBC_SHA

      Hybrid ECC on 14xxx MPX-FIPS platform – Hybrid-ECC feature is now available on the N3-FIPS platform (ECDHE-RSA2K)

      • Hybrid ECDH Approach (CPU + Card processing)
      • Offload ECC operations to software/CPU (to configured CPU quota)
      • Additional ECC operations done on card
      • RSA Operations done on card
      • Hybrid ECC Feature – Disabled by default
      • Enable by configuring “Software Crypto acceleration CPU threshold” SSL Parameter
      • E.g. “set ssl parameter -softwareCryptoThreshold 90”

      New DoD CA chain support

      The appliance now supports the new Department of Defense CA chain, used with CAC smart card authentication.

      SSL Certificate Classification

      When installing a certificate-key pair, the NetScaler is able to determine which certificate type/s these certificates should be classified as. Any certificate (whether it be Server, Client, Root, or Intermediate) that is installed with a private key can be classified and bound to a virtual server or service as both a server and client certificate. This means that the NetScaler is now able to classify certificates as more than one type.

      Unknown Certificates bucket in the GUI – a new GUI enhancement allows users to see certificate-key pairs that could not be classified as Server, Client, Root, or Intermediate. These are classified as Unidentified in the CLI and can be seen in the Unknown Certificates bucket through the GUI:

      Unknown Certificates

    Related:


    FAQ: NetScaler Surge Queue

    Q: What is NetScaler Surge queue?

    A: A Surge queue is a path in the NetScaler appliance through which all client connections are sent, irrespective of the condition of the target service, such as service being loaded or service has reached the maximum connections state. When the number of requests to the servers is low, the connections are not observed in the Surge queue because the connections are sent to the servers quickly and the Surge queue build up is not observed.

    Q: When a connection is in the surge queue, is there a way to change the number of retries before giving up on the connection (default is 7)?

    A: No, this is as per design and it is not recommended to change the number of retries.

    Q: What is the total maximum interval of 7 attempts of retransmit before NetScaler gives up on a connection? How long does the 7 retries take in total?

    A: When a SYN gets no response, the retransmit interval is doubled, and it keeps doubling for every SYN without a response.

    If you were to capture an nstrace for analysis then you can see the following retry pattern interval – 1 second, 2 seconds, 4 seconds, 8 seconds, 16 seconds, 32 seconds, 64 seconds and then a RST is sent. This works as per exponential back off algorithm.

    Q: How many connections can NetScaler surge queue handle?

    A: The surge queue is essentially a list of memory buffers, so there is no hard limit; it can keep building as long as there is memory in the connection pool (NSB/PCB). To date, no failover or crash-grade issues have been observed with the surge queue.

    Related:

    ShareFile Connector SSO to Network Shares and SharePoint using Kerberos (KCD)

    Summary of items

    1. Configure SharePoint for KCD
    2. Create an additional “Internal Content Switch” on the NetScaler
    3. Configure SplitDNS to resolve to the new Internal Content Switch
    4. StorageZone Controller IIS changes
    5. AD Delegation
    6. Web Browsers configs

    1. Configure SharePoint for KCD

    SharePoint config steps:

    1. On the Central Administration page, on the Quick Launch click Security, and in the General Security section click Specify authentication providers.
    2. On the Authentication Providers page, select the zone for which you want to change authentication settings.
    3. On the Edit Authentication page, and in the Authentication Type section ensure this is set to Windows (selected by default).
    4. In the IIS Authentication Settings section, select Negotiate (Kerberos).

      NOTE: If you select Negotiate (Kerberos) you must perform additional steps to configure authentication (below).
    5. Click Save.

    Set the SPN to the service account for SharePoint config steps:

    NOTE: This is a standard SharePoint requirement which references the service account used during the installation of SharePoint itself. The service account used below is usually the one with which SharePoint was initially installed.

    1. From any server, open CMD (elevate with account with the appropriate SharePoint rights)
    2. Type the following:

      SetSPN -S HTTP/SharePoint domainserviceaccountname

      SetSPN -S HTTP/SharePoint.citrix.lab domainserviceaccountname

    2. Create an additional “Internal Content Switch” on the NetScaler

    Before creating this, you should have run the wizard to create an External Content Switch, because external and internal traffic need to be split. The main reason is to have AAA configured for Connectors externally but not for internal use, especially if you would like to enable Web Access to Connectors and have seamless SSO in all web browsers.

    NOTE: AAA requires a NetScaler Enterprise license to use.

    External Content Switch (usually created by the inbuilt ShareFile wizard on the NS).

    NOTE: If Web Access to Connectors is required, then additional configuration is needed in addition to the wizard. Please see this article, in the section “Configure NetScaler for restricted zones or web access to Connectors”.

    The External config would typically have:

    • 1 x Content Switch, with Policies, Responders, Callouts.
    • 3 x LBVIPs
      • ShareFile Data LBVIP.
      • Connectors LBVIP with AAA enabled.
      • OPTIONS LBVIP.

    Internal Content Switch (in this scenario, created manually)

    The internal config would typically have:

    • 1 x Content Switch, with Policies, Responders, Callouts.
    • 2 x LBVIPs
      • ShareFile Data LBVIP.
      • Connectors LBVIP (No AAA enabled).
      • No OPTIONS LBVIP required (even if SSO to “Web Access to Connectors” is needed).

    Create the Internal Content Switch config steps:

    Create the Virtual Servers (one for ShareFile Data and another for Connectors)

    1. Log onto the NetScaler and browse to:

      +Traffic Management

      +Load Balancing

      Virtual Servers
    2. Click Add to create the ShareFile Data LBVIP:

      Name: _SF_SZ_LB_INT

      Protocol: SSL or HTTP

      IP Address Type: Non Addressable
    3. Click OK.
    4. Click on the “No Load Balancing Virtual Server Binding”
    5. On the Select Server option click the arrow next to Click to select field
    6. Select the appropriate StorageZone Controller node(s) and click Bind
    7. Select the Certificate and click Bind, click Continue
    8. Click on the +Method option, change the Load Balancing Method to Token
    9. Add the expression REQ.URL.QUERY.VALUE(“uploadid”), click OK
    10. Click on the +Persistence option, and change the Persistence field to SSLSESSION
    11. Click OK
    12. Click Add to create the ShareFile Connector LBVIP:

      Name: _SF_CIF_SP_LB_INT

      Protocol: SSL or HTTP

      IP Address Type: Non Addressable
    13. Click OK
    14. Click on the “No Load Balancing Virtual Server Binding”
    15. On the Select Server option click the arrow next to Click to select field
    16. Select the appropriate StorageZone Controller node(s) and click Bind
    17. Select the Certificate and click Bind, click Continue
    18. Click on the +Method option, change the Load Balancing Method to LEASTCONNECTION
    19. Click on the +Persistence option, and change the Persistence field to COOKIEINSERT
    20. Click OK

    Create the HTTP Callouts

    1. Browse to :

      +AppExpert

      HTTP Callouts
    2. Click Add to create the first callout:

      Name: _SF_CALLOUT_INT

      Server to receive callout request:

      Virtual Server and choose _SF_SZ_LB_INT

      Request to send to the server:

      Request Type: Attribute-Based

      Method: GET

      Host Expression: FQDN of the internal SSL certificate, in quotes, e.g. “sz.company.com”

      URLStemExpression: “/validate.ashx?RequestURI=” + HTTP.REQ.URL.BEFORE_STR(“&h”).HTTP_URL_SAFE.B64ENCODE + “&h=”+ HTTP.REQ.URL.QUERY.VALUE(“h”)

      Parameter:

      Scheme: HTTP

      ServerResponse

      ReturnType: BOOL

      Expression to extract data from the response: HTTP.RES.STATUS.EQ(200).NOT
    3. Click Create.
    4. Click Add to create the second callout (note: this is the same as the first except for the Name and URL Stem Expression):

      Name: _SF_CALLOUT_INT_Y

      Server to receive callout request:

      Virtual Server and choose _SF_SZ_LB_INT

      Request to send to the server:

      Request Type: Attribute-Based

      Method: GET

      Host Expression: FQDN of the internal SSL certificate, in quotes, e.g. “sz.company.com”

      URL Stem Expression: “/validate.ashx?RequestURI=” + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + “&h=”

      Parameter:

      Scheme: HTTP

      Server Response

      Return Type: BOOL

      Expression to extract data from the response: HTTP.RES.STATUS.EQ(200).NOT
    5. Click Create.

    Create the Responder policy

    1. Browse to :

      +AppExpert

      +Responder

      Policies
    2. Click Add to create the responder:

      Name: _SF_RESPONDERPOL_INT

      Action: DROP

      Expression: HTTP.REQ.URL.CONTAINS(“&h=”) && HTTP.REQ.URL.CONTAINS(“/crossdomain.xml”).NOT && HTTP.REQ.URL.CONTAINS(“/validate.ashx?requri”).NOT && SYS.HTTP_CALLOUT(_SF_CALLOUT_INT) || HTTP.REQ.URL.CONTAINS(“&h=”).NOT && HTTP.REQ.URL.CONTAINS(“/crossdomain.xml”).NOT && HTTP.REQ.URL.CONTAINS(“/validate.ashx?requri”).NOT && SYS.HTTP_CALLOUT(_SF_CALLOUT_INT_Y)
    3. Click Create:

      Bind the Responder policy


      +Traffic Management

      +Load Balancing

      Virtual Servers
    4. Open _SF_SZ_LB_INT
    5. Click on the +Policies option
    6. Click Add Binding, Select the policy _SF_RESPONDERPOL_INT
    7. Click Bind, then Close.
    8. Click Done to complete.
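To see what the responder policy and the two callouts do together, the Python below models them. It is an added example and not part of the Citrix article or of ShareFile: `build_callout` reproduces the two URL Stem Expressions, `should_drop` evaluates the _SF_RESPONDERPOL_INT expression (whose two `||` branches share the same exemptions and differ only in which callout they use), `validate_status` stands in for SYS.HTTP_CALLOUT against the StorageZone Controller's validate.ashx, and `fake_validate` is a constructed toy that accepts a single token. NetScaler's HTTP_URL_SAFE.B64ENCODE is assumed to be equivalent to URL-safe base64.

```python
import base64
from urllib.parse import parse_qs, urlsplit


def b64_url_safe(s):
    # Assumption: HTTP_URL_SAFE.B64ENCODE behaves like Python's URL-safe base64.
    return base64.urlsafe_b64encode(s.encode()).decode()


def build_callout(url):
    """Return (callout name, URL stem sent to _SF_SZ_LB_INT) for a request URL.
    With '&h=' present: the URL before '&h' is encoded and the h token passed
    separately (_SF_CALLOUT_INT); otherwise the whole URL is encoded and h is
    empty (_SF_CALLOUT_INT_Y). Mirrors the article's two URL Stem Expressions."""
    if "&h=" in url:
        before_h = url.split("&h", 1)[0]                        # HTTP.REQ.URL.BEFORE_STR("&h")
        h = parse_qs(urlsplit(url).query).get("h", [""])[0]     # HTTP.REQ.URL.QUERY.VALUE("h")
        return "_SF_CALLOUT_INT", f"/validate.ashx?RequestURI={b64_url_safe(before_h)}&h={h}"
    return "_SF_CALLOUT_INT_Y", f"/validate.ashx?RequestURI={b64_url_safe(url)}&h="


def should_drop(url, validate_status):
    """Evaluate _SF_RESPONDERPOL_INT (action DROP) for `url`.
    `validate_status(stem)` plays SYS.HTTP_CALLOUT and returns the HTTP status that
    validate.ashx answered with; the callout's return expression
    HTTP.RES.STATUS.EQ(200).NOT turns anything but 200 into a DROP."""
    # The .NOT clauses exempt crossdomain.xml and the validate request itself
    # (the article's expression matches the literal lowercase "requri").
    if "/crossdomain.xml" in url or "/validate.ashx?requri" in url:
        return False
    _, stem = build_callout(url)
    return validate_status(stem) != 200


# Constructed stand-in for the StorageZone Controller's validate.ashx. The real
# endpoint applies the StorageZone's own validation; this toy accepts one token
# and only Connector paths, which is enough to exercise the policy logic.
VALID_TOKEN = "good-token"


def fake_validate(stem):
    q = parse_qs(urlsplit(stem).query)
    request_uri = base64.urlsafe_b64decode(q["RequestURI"][0]).decode()
    token = q.get("h", [""])[0]
    ok = token == VALID_TOKEN and request_uri.startswith(("/cifs/", "/sp/"))
    return 200 if ok else 403


if __name__ == "__main__":
    for u in ["/cifs/list?path=docs&h=good-token", "/cifs/list?path=docs&h=bad",
              "/sp/site?x=1", "/crossdomain.xml"]:
        print(u, "->", "DROP" if should_drop(u, fake_validate) else "forward")
```

The model makes the gate visible: every Connector request that is not exempt is forwarded to the StorageZone Controller only after validate.ashx has accepted it, and a request with no `h` token goes through the second callout, where the empty token is for the SZC to judge.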

    Create the Content Switch policies

    +Traffic Management

    +Content Switching

    Policies

    1. Click Add.

      Name: _SF_SZ_CSPOL_INT

      Expression: HTTP.REQ.HOSTNAME.CONTAINS(“sz.company.com”) && HTTP.REQ.URL.CONTAINS(“/cifs/”).NOT && HTTP.REQ.URL.CONTAINS(“/sp/”).NOT

      Note: DON’T FORGET TO CHANGE TO THE CORRECT EXTERNAL FQDN
    2. Click Create and then Add.

      Name: _SF_CIF_SP_CSPOL_INT

      Expression: HTTP.REQ.HOSTNAME.CONTAINS(“sz.company.com”) && (HTTP.REQ.URL.CONTAINS(“/cifs/”) || HTTP.REQ.URL.CONTAINS(“/sp/”))

      NOTE: Don’t forget to change to the correct external FQDN.
    3. Click Create.

    Create the Content Switch vServer

    +Traffic Management

    +Content Switching

    Virtual Server

    1. Click Add to create the Content Switch vServer:

      Name: _SF_CS_ShareFile_INT

      Protocol: SSL

      IP Address: Internal IP of DNS name

      Port:443
    2. Click OK
    3. Under Content Switching Policy Binding click on the No Content Switching Bound option:

      Select Policy:_SF_SZ_CSPOL_INT

      Target Load Balancing Virtual Server: _SF_SZ_LB_INT

      Click Bind

      Select Policy:_SF_CIF_SP_CSPOL_INT

      Target Load Balancing Virtual Server: _SF_CIF_SP_LB_INT

      Click Bind
    4. Click OK
    5. Click on the +Certificates option, add a certificate by clicking the No Server Certificate option
    6. Select the Certificate and click Bind, click Continue.

    3. Configure SplitDNS to resolve to the new Internal Content Switch

    This is important as you need to direct traffic internally to the NetScaler for internal clients. Create a Host A entry for the StorageZone FQDN to point to the IP of the Internal Content Switch created in section 2.

    1. Log into the Domain Controller and open dsa.msc.
    2. Browse to Forward Lookup Zones to find the one which correlates to the StorageZone FQDN (sz.company.com)
    3. Add a New Host (A or AAAA)… and enter the FQDN for the StorageZone.
    4. Enter the IP, this should be the one of the Internal Content Switch created in section 2.
    5. To test, open CMD from another desktop/server, run ipconfig /flushdns and ping the StorageZone FQDN. Does it resolve to the correct IP?

    4. StorageZone Controller IIS changes

    Config steps:

    1. Log onto the StorageZone Controller(s) and open IIS.
    2. Click on the Default web site then to the SP virtual directory.
    3. Click on Authentication, then ensure Anonymous and Windows Authentication are Enabled.
    4. Right-click on the WindowsAuthentication option and select Providers
    5. Highlight Negotiate and Move Up to the top of the list. Click
    6. Ensure Basic Authentication is set to Disabled.
    7. Click on the CIFS virtual directory, then on Authentication.
    8. Ensure Anonymous and Windows Authentication are Enabled.
    9. Right-click on the WindowsAuthentication option and select Providers.
    10. Highlight Negotiate and Move Up to the top of the list. Click
    11. Ensure Basic Authentication is Disabled.

      NOTE: If Using port 80 on your StorageZone Controller for Load Balancing communication, see section 5 of this article.
    12. Then right-click the Default Web Site and select Edit Bindings.
    13. Add a new binding on port 80, assign the IP address and insert a host header (which is the fqdn of storagezone).

      NOTE: Editing the existing binding on port 80 will upset the NTLM path configured within the NetScaler IdP article on page 14.
    14. On the StorageZone Controller, run CMD, then type:

      setspn -a http/sz.company.com SZCServer1

      setspn -a http/"fqdn of storagezone" "hostname of storagezone controller"

      where “fqdn of storagezone” = sz.company.com

      and “hostname of storagezone controller” = SZCServer1

    5. AD DELEGATION

    Changes need to be actioned on the SZC AD object(s), and all the servers used for Network Shares and SharePoint need to be added. Config steps shown in this procedure.

    NOTE:

    • Ensure that any File servers hosting any Network Shares, are added to the delegation as CIFS.
    • Ensure any SharePoint servers that need to be accessed, are also entered as HTTP.

    6. Browsers

    Config steps:

    Internet Explorer

    1. Open Internet Options, Security, Local Intranet, Sites, Advanced then enter the following:

      ShareFile site – subdomain.sharefile.com

      FQDN StorageZone – sz.company.com

      FQDN of AAAVIP – aaavip.company.com

      Note: If this is locked down, configure via GPO which will be actioned on the User Configuration.
    2. Open GPMC and select the GPO controlling the behavior of IE.
    3. Browse to Computer Configuration/Administrative Templates/System/Group Policy, enable the policy Configure user group policy loopback processing mode and select Replace.
    4. Then browse to User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page and edit the Site to Zone Assignment List as follows:


      NOTE: The number in the Value field denotes the number of the zone. MS breaks them down as follows:

      1 – Intranet zone – sites on your local network.

      2 – Trusted Sites zone – sites that have been added to your trusted sites.

      3 – Internet zone – sites that are on the Internet.

      4 – Restricted Sites zone – sites that have been specifically added to your restricted sites.

    5. For external IE browsers, extra configuration is required as follows:

      Click on the Internet/Custom Level and ensure that:

      Miscellaneous/Access data sources across domains is Enabled.

      User Authentication/Log on/Prompt for Username and Password is selected.
    6. Click OK twice.

    Firefox

    1. Launch Firefox. In the Address Bar, instead of typing a URL, enter:

      about:config
    2. This will open the configuration interface. You may need to agree to a security warning in order to proceed.
    3. Double-click the line labeled automatic-ntlm-auth.trusted-uris and enter the following:

      ShareFile site – subdomain.sharefile.com

      FQDN StorageZone – sz.company.com

      FQDN of AAAVIP – aaavip.company.com

      NOTE: Separate individual URLs with commas, but do not put spaces between them, for example:

      subdomain.sharefile.com,sz.company.com
    4. Click OK when you’re finished.
    5. Double-click the line labeled negotiate-auth.trusted-uris. Enter the same information you entered in the previous step, with the URLs separated by commas and with no spaces. Click OK.

    Chrome

    This should work. CORS should be enabled by default in Chrome, but you can also add the plugin to Chrome from here.

    Opera

    This should work.

    Related: