Archive
#Citrix #NetScaler Traffic Domains ins and outs – via @barryschiffer
Another great blog post by Barry!!! Keep up the great work!!
Citrix NetScaler Traffic Domains are a way of segmenting network traffic for different applications or even tenants. You are able to use a traffic domain to create fully isolated network environments on a single NetScaler instance. An instance is a single appliance or a HA setup of two appliances.
Citrix NetScaler Traffic Domains were introduced with NetScaler 10.0. At first NetScaler Traffic Domains started as a somewhat hidden feature which you could only configure by CLI. As of version 10.1 Traffic Domains are fully configurable in the NetScaler GUI which makes it a lot simpler to use.
In a way NetScaler Traffic Domains could compete with the NetScaler SDX platform. With Traffic Domains we segment networks on a single NetScaler instance instead of the SDX where we create a virtual appliance per network segment.
A downside of using NetScaler Traffic Domains is the fact that some features are only supported for usage inside of Traffic Domain 0. Traffic Domain 0 is the default Traffic Domain, all services run inside Traffic Domain 0 unless explicitly specified.
An example of non supported features are NetScaler Management and NetScaler Gateway. For a complete list of supported features follow this link.
For non supported features for which you need isolation you have two options, NetScaler SDX or additional NetScaler appliances (virtual or physical).
My expectations are that we will see more and more features being supported on NetScaler Traffic Domains. An amazing feature would be to enable management functionality on Traffic Domains where you would only be able to manage or create services assigned to that Traffic Domain. This would be especially useful for multi-tenancy or multi management in situations where for example one team manages Mobility and one team managing a web application.
A few use cases Citrix describes for NetScaler Traffic Domains:
- Use of duplicate IP addresses
- Use of duplicate NetScaler entities
- Multi Tenancy
A use case I’m actually using NetScaler Traffic Domains for is the ability to deliver services in a DMZ as well as an internal network.
Internal Network services like Microsoft Exchange Client Access Services and Microsoft App-V are heavy on traffic and I don’t like those services traversing the firewall in the DMZ. This also works great combined with Direct Server Return (DSR) which is blocked by most firewalls. Check out more on DSR combined with App-V on this article by Ingmar Verheij.
Penetration testing tips for your NetScaler – via @neilspellings – #Citrix, #NetScaler
This is a really good blog post by Neil! Keep up the good work! 😉
When working on Netscaler implementation projects, most of which tend to be internet-facing, one aspect that most organisations always perform is a penetration test. Having been through a number of these over the years, I thought it would be a good idea to share my experiences and some of the common aspects that get highlighted, to enable you to “pass first time” without having any remedial actions to work through and costly re-tests to perform.
The Netscaler has a number of IPs (NSIP, SNIP/MIP, Access Gateway VIPs etc) so what should you test against? The answer may well depend on corporate policy, but I usually test the internet-facing Access Gateway VIP and the management interface (NSIP). I also usually include StoreFront in any internal tests as this is an integral component of the overall solution, but I won’t cover StoreFront in this post.
Of course technically “bad guys” can only reach internet-facing IP addresses (as permissioned by your external firewall) but I recommend including internal-facing IPs for any DMZ-hosts to understand your exposure should another DMZ host get compromised (as your attacker can now potentially access internal IPs so the external firewall rules no longer protect you)
- Remove unnecessary management tools (telnet and FTP are considered insecure so should alwaysbe disabled). Also remove SNMP if your Netscalers are not being monitored or managed by an external monitoring service.
- Ensure that “Secure access only” is selected to force SSL access to the GUI
- Ensure that management applications are only available on an internal IP (NSIP or SNIP). Open the IP properties for the IP addresses that won’t be used for management and untick “Enable management access”
- Change the default nsroot password to something long (obvious you’d think but you’d be amazed how many Netscalers I’ve seen that I can just log straight into using the default credentials!)
- If you have set up integrated AD authentication via LDAP for administrative access to the GUI, ensure that you have protected access using a filter group, otherwise anyone with a valid AD account will be able to access your Netscaler GUI (although they won’t be able to make any changes, it’s still not a good idea them having this access!)
- If you are using…
Continue reading here!
//Richard
Under the Covers of a Distributed Virtual Computing Platform – Built For Scale and Agility – via @dlink7, #Nutanix
I must say that Dwayne did a great job with this blog post series!! It goes into expelling the Nutanix Distributed File System (NDFS) that I must say is the most amazing enterprise product out there if you need a truly scalable and agile Compute and Storage platform! I advise you to read this series!!
Under the Covers of a Distributed Virtual Computing Platform – Part 1: Built For Scale and Agility
Lots of talk in the industry about how had software defined storage first and who was using what components. I don’t want to go down that rat hole since it’s all marketing and it won’t help you at the end of the day to enable your business. I want to really get into the nitty gritty of the Nutanix Distributed Files System(NDFS). NDFS has been in production for over a year and half with good success, take read of the article on the Wall Street Journal.
Below are core services and components that make NDFS tick. There are actually over 13 services, for example our replication is distributed across all the nodes to provide speed and low impact on the system. The replication service is called Cerebro which we will get to in this series.
This isn’t some home grown science experiment, the engineers that wrote the code come from Google, Facebook, Yahoo where this components where invented. It’s important to realize that all components are replaceable or future proofed if you will. The services\libraries provide the API’s so as newest innovations happen in the community, Nutanix is positioned to take advantage.
All the services mentioned above run on multiple nodes in cluster a master-less fashion to provide availability. The nodes talk over 10 GbE and are able to scale in a linear fashion. There is no performance degradation as you add nodes. Other vendors have to use InfiniBand because they don’t share the metadata cross all of the nodes. Those vendors end up putting a full copy of the metadata on each node, this eventually will cause them to hit a performance cliff and the scaling stops. Each Nutanix node acts a storage controller allowing you to do things like have a datastore of 10,000 VM’s without any performance impact… continue reading part 1 here.
Under the Covers of a Distributed Virtual Computing Platform – Part 2: ZZ Top
In case you missed Part 1 – Part 1: Built For Scale and Agility
No it’s not Billy Gibbons, Dusty Hill, or drummer Frank Beard. It’s Zeus and Zookeeper providing the strong blues that allow the Nutanix Distributed File System to maintain it’s configuration across the entire cluster. Read more…
#Netscaler Insight and Integration with #XenDesktop Director – via @msandbu
Great blog post by Marius! 🙂
This is another one of Citrix hidden gems, Netscaler Insight. This product has been available from Citrix some time now, but with the latest update in became alot more useful. Insight is an virtual applance from Citrix which gathers AppFlow data and statistics from Netscaler to show performance data, kinda like old Edgesight. (NOTE: In order to use this functionality against Netscaler it requires atleast Netscaler Enterprise or Platinum)
Insight has two specific functions, called Web Insight and HDX insight.
Web Insight shows traffic related to web-traffic, for instance how many users, what ip-adresses, what kind of content etc.
HDX Insight is related to Access Gateway functionality of Citrix to show for instance how many users have accessed the solution, what kind of applications have they used, what kind of latency did the clients have to the netscaler etc.
You can download this VPX from mycitrix under Netscaler downloads, important to note as of now it is only supported on Vmware and XenServer (They haven’t mentioned any support coming for Hyper-V but I’m guessing its coming.
The setup is pretty simple like a regular Netscaler we need to define an IP-address and subnet mask (Note that the VPX does not require an license since it will only gather data from Netscaler appliances that have a platform license and it does not work on regular Netscaler gateways)
After we have setup the Insight VPX we can access it via web-gui, the username and password here is the same as Netscaler nsroot & nsroot
After this is setup we need to enable the insight features, we can start by setting up HDX insight, here we need to define a expression that allows all Gateway traffic to be gathered.
Here we just need to enable VPN equals true. We can also add mulitple Netscalers here, if you have a cluster or HA setup we need to add both nodes.
After we have added the node, just choose configure on the node and choose VPN from the list and choose expression true.
#Citrix #AppController 2.5 Implementation Tips – #CloudGateway, #BYOD
Great blog post by Matthew Brooks!
AppController is a component of the Citrix CloudGateway Enterprise suite that orchestrates access to Enterprise Cloud applications. Those applications may take many forms including Mobile Applications, Software-as-a-Service hosted in public clouds, and Web links. Below I provided some tips to help with the implementation of AppController 2.5 (which is the latest version as of the publishing of this blog).
System Related
Including settings such as the Hostname, SSL certificates, and Restore.
TIPs:
- Take a hypervisor level snapshot after the initial installation so that you can easily return to that base level if configuration or integrations efforts go awry.
- The hostname cannot contain special characters in the AppController certificate signing request.
- The hostname must match SSL certificate.
- The system cert must be chained to its CA/(s).
Active Directory Related
Including settings such as the Server (Domain Controller), Base DN, and Service Account credentials.
TIPs:
- The AppController only supports integration with a single domain. Multiple domains require multiple AppControllers. The NetScaler Access Gateway may be configured to allow users to access a single fully qualified domain name, yet be directed to their respective domain AppController through the use of Global Groups. See CTX116169 for more informationhttp://support.citrix.com/article/CTX116169
- All user accounts must have a first name, last name, and email address configured or they will receive an authorization error when attempting to launch applications. The bind Administrator account must also have email address configured or directory integration will fail.
- Only LDAP (TCP 389) may be configured through the wizard that must be completed initially. Thereafter LDAPS (TCP 636) may be configured through the full administration menu.
- If the server name domain name is a load balanced DNS entry the initial import may work, yet subsequent bind attempts will fail. Alternatively you may use the IP address of an LDAPS load balancer on a Netscaler with specific domain controllers configured as services. See CTX135092 for more information http://support.citrix.com/article/CTX135092
Network Related
Including settings such as the IP address, @Workweb and NTP server.
TIPs:
- Use IP private addresses as system addresses if possible. When Trust Settings are configured for NetScaler Access Gateway it does not allow SSO to public addresses. If public addresses must be used the NetScaler may be configured with an SSL Bridge to access the AppController. See NetScaler Traffic Management document for more information.
- NTP must be configured or SAML authentication may fail for SaaS sites if the time difference is significant.
- When Trust Settings are configured for NetScaler Access…
Continue reading here!
//Richard
SSO to StoreFront not working in CVPN mode – #Citrix, #NetScaler, #StoreFront
Single Sign-On from Access Gateway to StoreFront not working in CVPN mode
There is yet another “thing” to have in mind when setting up Access Gateway and StoreFront in CVPN mode!
It’s been an interesting day (or days/weeks/months I must admit) with some “issues” with a NetScaler ADC, Access Gateway with CVPN profiles and StoreFront 1.2. And one thing that we have been struggling with was Single Sign-On to StoreFront when we had the AG configured for CVPN access. And it was just this environment where I’ve seen this issue!!
After a lot of troubleshooting the Citrix guys came up with an explanation on why SSO from AG doesn’t work in this specific environment! And it’s not an obvious one to find I must say… but I now understand why it doesn’t work!
So let’s explain the design reason for why it doesn’t work (so bear with me, solution at the end!!)…
The following picture tries to give a VERY rough picture of how it could look like, clients on the Internet on the left, then a NetScaler ADC with the Access Gateway feature enabled and a vServer configured. This AG vServer has session policies and profiles for ICA proxy (old traditional ICA proxy policy) and the little newer CVPN mode. And YES; I’ve left out a lot of stuff like AD etc. to simplify this picture A LOT…
The overall idea and config is that AG authenticates the user and then shall do SSO to StoreFront. The CVPN policy have been created according to all best practices etc. (Citrix CloudGateway Express 2.0 – Implementation Guide).
But SSO still doesn’t work!! If you login through a browser when having the CVPN policy linked to the vServer you’ll see that authentication works perfectly but then when it tries to passthrough the authentication to StoreFront it fails.
This picture just shows the login to the NetScaler ADC Access Gateway vServer:
#Citrix #GSLB blog post – GeoLite City as NetScaler location database
This was a good blog post! And I really like GSLB, of course there may be functionalities that you’d like to advance etc but it’s great! And this post addresses one topic of it;
You may know this problem: Your boss made you build several data centers around the globe with a bunch of NetScalers in the mix to load balance services across the various locations using GSLB (Global Server Load Balancing). But when it comes to configuring a static proximity geo IP database to help with that not too easy to understand dynamic proximity feature you notice most of these databases are commercial and you are out of budget. Luckily though, there are several free versions of geo IP databases out there, which reportedly work quite well. Before using one of those, you should carefully review the license terms. Some aren’t necessarily free for commercial use…
Moreover, these free versions are very popular, well maintained and were frequently updated (I say were because with the assignment of the last IP block by RIPE earlier in 2012 there shouldn’t be too many changes to the databases anymore) . So it’s fair to say that many of our clients who are using these databases are very satisfied with them.
Why is a database with IP addresses and address blocks necessary for such a setup? GSLB responds to DNS requests for a domain name with an IP address of a member service. Which service IP is returned is dependent on the load-balancing algorithm used, for example least connection, simple round robin or more commonly used, proximity to the client (or the clients local DNS to be precise). For proximity based GSLB, when a client sends a DNS request, the system determines the best suitable site…
Continue reading here!
//Richard
The IT Melting Pot! 