616: Accelerate Your NetScaler Skills
Hands-on Lab Exercise Guide
Joshua Travers & Steven Barnes
Americas Technical Readiness Cloud Networking
Table of Contents
Overview (page 3)
Scenario (page 5)
Exercise 1: Initial NetScaler Setup and Basic Load Balancing (page 6)
Exercise 2: NetScaler Configuration SNIP, VIP (page 10)
Exercise 3: Define Server Load-Balancing Properties, Virtual Server, and Services (page 17)
Exercise 4: Verify Load-Balancing Service is Active on Web Servers (page 23)
Exercise 5: Content Switching (page 25)
Exercise 6: Bonus Content Switching Policy (page 30)
Exercise 7: URL Transformation using the Rewrite Feature (page 33)
Exercise 8: Bonus URL Transformation Policy (page 38)
Exercise 9: Web Application Firewall (page 40)
Exercise 10: High Availability (page 60)
Exercise 11: Clustering (page 63)
Exercise 12: Global Server Load Balancing (page 71)
Exercise 13: Bonus Configure GSLB for WebGoat (page 91)
Exercise 14: Admin Partitions (page 92)
Exercise 15: Bonus Admin Partitions (page 101)
Exercise 16: Data Stream (page 101)
Exercise 17: AAA for Traffic Management (page 111)
Exercise 18: AAA SAML Assertion (page 128)
NetScaler Command Line Reference (CLI) (page 142)
  Load Balancing (page 142)
  Content Switching (page 142)
  URL transformation (page 142)
  Application Firewall (page 143)
  Clustering (page 143)
  LDAP (page 144)
  SSL Certificate (page 144)
Overview
Hands-on Training Module
Objective
This lab will cover and practice a wide range of core features that Citrix NetScaler offers. This lab is
designed to allow the student to pick and choose the exercises of choice.
Prerequisites
Basic NetScaler or ADC familiarity is desired.
Audience
Citrix Partners, Customers, Sales Engineers, Consultants, Technical Support.
Lab Environment Details
The system diagram of the lab is shown below:
The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All
Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed
from the Student Desktop.
Lab Guide Conventions
This symbol indicates particular attention must be paid to this step
Special note to offer advice or background information
reboot Text the student enters or an item they select is printed like this
VMDemo Filename mentioned in text or lines added to files during editing
Start Bold text indicates reference to a button or object
Focuses attention on a particular part of the screen (R:255 G:20 B:147)
Shows where to click or select an item on a screen shot (R:255 G:102 B:0)
List of Virtual Machines Used
VM Name                IP Address       Description / OS
NetScaler-A            192.168.10.15    Citrix NetScaler VPX
NetScaler-B            192.168.10.17    Citrix NetScaler VPX
Site1-WebServerA       192.168.10.115   Linux WebServer
Site1-WebServerB       192.168.10.116   Linux WebServer
Site1-AD.Training.lab  192.168.10.11    Windows 2012 Server
Site1-SQLServer-OLTP   192.168.10.12    Windows 2012 Server with SQL Server 2012
Site1-SQLServer-DW     192.168.10.13    Windows 2012 Server with SQL Server 2012
Required Lab Credentials
The credentials required to connect to the environment and complete the lab exercises.
VM Name                UserName                  Password
NetScaler-A            nsroot                    nsroot
NetScaler-B            nsroot                    nsroot
Site1-AD.Training.lab  Training/Administrator    Citrix123
Scenario
This lab is designed to cover a wide spectrum of the vast NetScaler feature set. We will touch on several core features and common use cases found in NetScaler deployments. You will see how NetScaler is managed and optimized, and cover topics including initial tune-up, networking and licensing. In addition, you'll get hands-on with load balancing, content switching, URL transform with Rewrite, SSL offload and more.
Exercise 1
Initial NetScaler Setup and Basic Load Balancing
Overview
Before configuration, the NetScaler needs to be properly licensed. Licenses are allocated based on the MAC
address of the appliance (known as the host ID) and can be downloaded from the link below. For this lab, we
have already downloaded the proper licenses and placed them in C:\Licenses on the Student Desktop.
https://www.citrix.com/account/toolbox/manage-licenses/single-allocation.html
Throughout this lab we will use two NetScalers, identified as NetScaler-A (192.168.10.15)
and NetScaler-B (192.168.10.17).
Step by step guidance
Step Action
1. Begin the licensing lab by verifying the host ID of NetScaler-A (192.168.10.15). You will use this
information to allocate the license file.
a. Create an SSH connection to NetScaler-A (192.168.10.15) by opening PuTTY and
connecting to the NetScaler.
b. Log in using nsroot/nsroot.
c. Enter the CLI command 'shell', then run the command 'lmutil lmhostid -ether'.
d. Take note of the FLEXnet host ID of this NetScaler; we will need to match this ID to the license
file in the steps below.
2. Log in to NetScaler-A (192.168.10.15) by navigating to http://192.168.10.15 in your web browser.
Username: nsroot
Password: nsroot
3. Verify that the network configuration matches the screenshot below and continue.
4. Upload the license file "06e089e0b0f1.lic". If you are not going through the wizard, license configuration can be
found at System > Licenses > Update in the GUI.
a. Select the 4th item, labeled Licensing. Select "Upload files from a local computer". You will find
the licenses in the folder C:\Licenses.
There is a total of 4 licenses in C:\Licenses; you will select the one that matches
the host ID of this NetScaler. When troubleshooting a licensing problem, the host ID and the date usually need
to be verified: a wrong host ID or an incongruent time is the typical cause. Open each license file with Notepad,
check the date and host ID, and note which file belongs to which host. Find the license files that go with the host
ID identified earlier and upload them to the NetScaler.
5. Once the license has been uploaded to the NetScaler, click Reboot. (Due to the licensing change,
the NetScaler requires a reboot in order for the license to take effect.)
6. After the NetScaler has rebooted, verify the licenses by logging in and going to
System > Licenses. Since you have uploaded a Platinum license, all features should show a
green check.
Exercise Summary
In this exercise you successfully licensed a NetScaler with a Platinum license.
Exercise 2
NetScaler Configuration SNIP, VIP
Overview
NetScaler has 3 different types of IP addresses you will be working with.
NSIP: NetScaler IP, the management IP for GUI access, SSH, Telnet, SNMP, etc.
  o The NSIP is set during OVA installation of NetScaler 1000V. It is configured as
    192.168.10.15 in this pod.
SNIP: Subnet IP
  o Used for back-end service communication and health monitoring
VIP: Load balancer virtual server IP
  o Clients use this IP address to access the load-balanced service
Step by step guidance
Step Action
1. In the main configurations screen, browse to Configuration > System > Network >
IPs.
2. Add a SNIP (Subnet IP address) in the IPs screen by clicking Add, entering the fields
below, and clicking Create once completed. You will perform this on NetScaler-A.
IP Address: 192.168.10.16
Netmask: 255.255.255.0
Type: Subnet IP
3. Verify the SNIP (Subnet IP address) is enabled and showing green.
4. The next step is to configure the Virtual IP. The VIP is used as the Load Balancing Virtual Server IP address, and it will be referenced in the Load Balancing section in subsequent steps.
Click Add again, and fill out the form as indicated below:
IP Address: 192.168.10.125
Netmask: 255.255.255.0
IP Type: Virtual IP
Alternatively, VIP addresses can be configured directly as part of the LB vserver configuration. In this lab we define it by adding it under the IPs options.
5. After this step, we have three IP addresses configured on the NetScaler, as depicted in the figure below.
The VIP is used as the Load Balancing Virtual Server IP address and will be referenced in the
Load Balancing section in subsequent steps.
Exercise Summary
In this exercise you have successfully configured the 3 mandatory IP addresses that Citrix
NetScaler needs.
Exercise 3
Define Server Load-Balancing Properties, Virtual Server, and Services
Overview
When deployed in front of application servers, the NetScaler load balancer ensures optimal distribution
of traffic through the way it directs client requests.
Administrators can segment application traffic according to information in the body of an HTTP or
TCP request, and on the basis of L4-L7 header information such as URL, application data type, or
cookie.
Numerous load balancing algorithms and extensive server health checks improve application
availability by ensuring that client requests are directed to the appropriate servers.
There are three things we will be setting up under the "Load Balancing" section in the navigation
pane in the same order:
Servers
Services
Virtual Server
Step by step guidance
Step Action
1. Enable the Load Balancing feature in Configuration > System > Settings. Click on
Configure basic features under “Modes and Features”.
2. Select Load Balancing and then click OK.
3. Browse to the "Configure modes" option and ensure the settings match the screenshot.
4. All of the Load Balancing configuration is done from the Configuration > Traffic
Management > Load Balancing screen.
5. Set up two web servers in the Servers tab. Click Add to add a new web server with a
user-defined name and the IP address 192.168.10.115, then click Create. Similarly, add the
second server using its own IP address, 192.168.10.116.
6. After configuring Web-Server-1 you will have to click Create. Repeat the step for the
second server, Web-Server-2.
7. Once the Servers are set up, add them as back-end Services. Configure them from the
Configuration > Traffic Management > Load Balancing > Services tab:
Add Service: set the name to Web-Service1 and select Web-Server-1 (added
in the previous step) from the Existing Server option. Set the protocol to
HTTP and the port to 80. Make sure you add the "http-ecv" monitor and click "Create".
Repeat the same steps for Web-Service2.
8. Now you will create the LB Virtual Server and bind the services to this Virtual Server IP.
In the Configuration > Traffic Management > Load Balancing > Virtual Servers
screen, select Add and configure the name and Virtual IP address (VIP) along with the
Protocol and Services; then set the LB Method (for example, Round Robin) in the Method and
Persistence screen. 192.168.10.125 is the IP for the LB VIP.
9. Set the persistence to COOKIEINSERT and the Time-out (mins) field to 1.
10. After configuring, click OK.
11. After all setup is complete, save the running configuration by clicking the
"Save" icon in the upper right-hand corner of your NetScaler GUI.
Exercise Summary
In this exercise you have successfully configured Servers, Services, and Virtual Server all for
Server Load Balancing in Citrix NetScaler.
Exercise 4
Verify Load-Balancing Service is Active on Web Servers
Overview
In this exercise you will verify that the configuration on the NetScaler is successful and
confirm that the load balancing method is performing as configured.
Step by step guidance
Step Action
1. From your web browser, navigate to http://192.168.10.125.
2. The client request is handled by the NetScaler and load balanced to one of the 2 web servers. Now, wait 1
minute, then refresh or open a new tab and navigate back to http://192.168.10.125. This
time Web Server B is accessed, because Round Robin was selected as the load
balancing method and COOKIEINSERT persistence is set to a 1-minute timeout. Requests are alternately
forwarded to each web server.
Note: Make sure to wait 1 minute before accessing the web server again to allow the
COOKIEINSERT persistence to time out.
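As an added illustration (not part of the lab guide), a small Python model of what step 2 observes: Round Robin alternates between the two services, while a fresh COOKIEINSERT cookie pins a client to its server until the 1-minute timeout passes. The server names, cookie name and cookie format are assumptions made for the simulation; a real NetScaler encodes the service in an NSC_ cookie rather than in plain text.

```python
import time
from itertools import cycle

# Constructed lab values from Exercises 3 and 4: the two services behind the
# 192.168.10.125 VIP, Round Robin, COOKIEINSERT persistence with a 1-minute timeout.
SERVERS = ["Web-Server-1", "Web-Server-2"]
PERSIST_SECONDS = 60
# Assumed cookie name for this simulation; a real NetScaler names the inserted
# persistence cookie NSC_<name derived from the vserver> and encodes the
# service in its value rather than the plain "server|expiry" used here.
COOKIE_NAME = "NSC_WebVip"


class CookieInsertLB:
    """Toy model of an LB vserver: Round Robin plus COOKIEINSERT persistence."""

    def __init__(self, servers, timeout, clock=time.time):
        self._rr = cycle(servers)
        self._servers = set(servers)
        self._timeout = timeout
        self._clock = clock  # injectable so the timeout can be exercised without sleeping

    def handle(self, request_cookies):
        """Serve one request: return (chosen server, cookies to set on the response)."""
        now = self._clock()
        cookie = request_cookies.get(COOKIE_NAME)
        if cookie:
            server, _, expires = cookie.partition("|")
            try:
                fresh = float(expires) > now
            except ValueError:
                fresh = False  # malformed cookie: treat as absent
            # A cookie naming a bound service that has not expired overrides the LB
            # method: the client sticks to the server it saw before. A cookie naming
            # an unknown server is ignored, so a tampered value cannot steer traffic
            # anywhere the vserver does not already send it.
            if server in self._servers and fresh:
                return server, {}
        # No usable cookie: Round Robin picks the next server and a fresh
        # persistence cookie is inserted. The expiry stored here stands in for the
        # browser discarding the cookie once its Expires attribute has passed.
        server = next(self._rr)
        return server, {COOKIE_NAME: f"{server}|{now + self._timeout:.0f}"}


def simulate_client(request_times, keep_cookies=True):
    """Replay requests at the given timestamps (seconds) and return the server each hit.

    keep_cookies=False models a client that never returns the cookie, so every
    request is a fresh Round Robin decision.
    """
    now = [0.0]
    lb = CookieInsertLB(SERVERS, PERSIST_SECONDS, clock=lambda: now[0])
    jar, served = {}, []
    for t in request_times:
        now[0] = float(t)
        server, new_cookies = lb.handle(jar if keep_cookies else {})
        jar.update(new_cookies)
        served.append(server)
    return served


if __name__ == "__main__":
    # Requests at 0 s, 10 s and 70 s: the first two stick to the same server,
    # the third lands on the other one after the 1-minute timeout.
    print(simulate_client([0, 10, 70]))
    print(simulate_client([0, 10, 20], keep_cookies=False))
```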
3. From the NetScaler GUI, go to the Dashboard to monitor live sessions and NetScaler application
state.
Exercise Summary
In this exercise you have become familiar with the Citrix NetScaler, configured basic load balancing
services, and configured monitoring services in NetScaler.
Exercise 5
Content Switching
Overview
In this section, we will create a Content Switching Virtual Server that takes requests and directs
them to the appropriate web server. The policy that will be created looks for '/urlX' within the URL
and directs the request to Web server A. Requests without '/urlX' are directed to Web server
B.
Step by step guidance
Step Action
1. Start by enabling the Content Switching feature for NetScaler-A by going to Traffic
Management, Content Switching, right-clicking, and selecting Enable Feature.
2. Create a Content Switching Virtual server by going to Content Switching > Virtual
Servers and clicking Add. Configure the "WebSwitch" Content Switching Virtual Server
with the Name/Protocol/IP/Port as below. Finally, click OK and Done.
3. Create two Load Balancing Virtual Servers under Load Balancing > Virtual Servers
by clicking Add.
Configure WebVip1 and WebVip2 as HTTP with Web-Service1 and Web-Service2
assigned respectively. Be sure to select 'Non Addressable' as the IP Address Type.
These virtual servers will be used by the content switching virtual server as the
means to direct traffic to each individual server. We select Non Addressable so that
we are able to assign a server to the content switch without consuming an IP
address on the network behind the NetScaler.
4. Here is a summary of your Load Balancing Virtual Servers thus far. Please note they may
initially show red, indicating down. Refresh the screen to show the up state.
5. Create a Content Switching Policy by going to Content Switching > Policies and
clicking Add. Configure the name as urlswitch and the URL as /url*, create the policy
by clicking Create, and then close.
6. Insert the new content switching policy into the Content Switching Virtual Server that you created
earlier in this lab.
To do this, navigate to Traffic Management > Content Switching > Virtual Servers.
Click on WebSwitch and click Edit. Expand the CS Policy Binding section and select the
urlswitch policy. Select WebVip1 as the Load Balancing Virtual Server.
7. Expand Default Load Balancing Virtual Server and select the WebVip2 virtual server. You
now have 1 CS policy bound to WebVip1, and WebVip2 is set as the default load
balancing virtual server.
8. Test the Content Switching by going to http://192.168.10.125/url1,
http://192.168.10.125/url2, and http://192.168.10.125:81/
You can verify that the content switching policy urlswitch directs requests containing /urlX
to WebVip1. Not specifying /urlX directs you to WebVip2, which is the
default.
Exercise Summary
In this exercise you have configured Content switching based on URL and tested that it works.
Exercise 6
Bonus Content Switching Policy
Overview
In this section, we will unbind the urlswitch policy and create a new policy that detects languages
via the HTTP header set by the browser. We will redirect requests accordingly.
Step by step guidance
Step Action
1. Begin by unbinding the original urlswitch policy from Content Switching > Virtual
Servers: open the WebSwitch virtual server, expand the Content Switching
Policy section, and click Unbind. Click Close to finish.
2. In order to add the new policy, click on "No Content Policy" in the Content Switching
Virtual Server page. Then click the + icon beside "Select Policy". We will need to switch
back to "default syntax". To do this, click OK to close the dialog box, reopen
the WebSwitch vServer and expand the CS Policy Binding section. Select Add Binding,
then select the + icon beside Policy. Once changed back to default syntax, you can
verify it by checking that the dialog shows "Switch to Classic Syntax".
3. Navigate back to the top, give the policy the name Language, and select
Expression.
4. Configure the new policy, Language, to detect the English language within the HTTP
request header: HTTP.REQ.HEADER("Accept-Language").CONTAINS("en").
5. Set the target of this policy to WebVip1, accept any messages about GoTo Expressions
if you encounter them here, and configure the Priority to 10. Verify the configuration
and continue by clicking OK.
Save your configuration by clicking the save disk at the top right of the web GUI.
6. Test this content switching policy by heading to http://192.168.10.125:81 in Internet
Explorer and setting your language to anything but English in the browser. You can find
this under Tools, Internet Options, and Languages. Once you switch from English you
will be sent to WebVip2 instead of WebVip1, and the name of the server will change
from 'Web Server – A' to 'Web Server – B'.
Exercise Summary
In this exercise you have become familiar with Citrix NetScaler content switching functionality,
configured a basic Content Switching virtual server and policies, and configured an advanced content
switching policy that detects the language field of an HTTP header.
Exercise 7
URL Transformation using the Rewrite Feature
Overview
In this section, we will create a URL Transformation Profile that takes requests and directs them to
the appropriate web server. The profile that will be created looks for '/url1' within the URL and
directs the request to '/url2', all while being transparent to the user.
Step by step guidance
Step Action
1. Start by enabling the Rewrite Feature by going to AppExpert, Rewrite and right clicking
to Enable Feature.
2. Create a new URL Transformation Profile named “Ferrysburg” by going to AppExpert,
Rewrite, URL Transformation, Profiles and clicking Add. Fill in the Name field with
“Ferrysburg” and click Create.
3. Open the Ferrysburg profile by selecting it and clicking Edit, or by double-clicking. Add a
new URL Transformation Action by clicking 'Insert' at the bottom of the dialog window.
4. Configure the new URL Transformation Action "actFerrysburg". The URL Transformation
Action is used to take requests for url1 and respond via url2. The configuration for
actFerrysburg is below.
5. Click Insert if you have not already, verify that the action is enabled by the green
checkbox under Enabled, and click OK to close the dialog.
6. Create a new URL Transformation Policy by heading to AppExpert, Rewrite, URL
Transformation, Policies and clicking Add. This new policy will be used to check whether the
URL contains "url1" and fire the URL Transformation Action that was added earlier.
Add "Ferrysburg" for the name, attach the Ferrysburg profile under the Profile drop-down,
and add the expression: HTTP.REQ.URL.PATH.GET(1).CONTAINS("url1").
Finally click Create and Close.
7. Bind the new policy under the Default Global bind point. Open the Policy
Manager by clicking Policy Manager, select Default Global and click Continue.
Select the Ferrysburg policy at Priority 100. Finally click Bind followed by Done.
Verify the policy is active and bound by checking for the green checkmark under
Active.
8. Verify the Ferrysburg URL Transformation Policy is active by directing your web browser
to http://192.168.10.125/url1. If the policy is active and working correctly, you will see a
response for URL2 from either Web-Server A or B. You may have to close and re-open the
browser.
Exercise 8
Bonus URL Transformation Policy
Overview
You will create a URL Transformation policy yourself. This policy will be used to transform a
Request URL named "SpringLake" and respond with "/url3". This configuration is used to cloak or
change the external view of the internal web server. The configuration for the bonus lab is below.
Step by step guidance
Step Action
1.
2. You can verify the configuration by visiting http://192.168.10.125/SpringLake. If
you see URL3, the policy has been configured correctly!
Be sure to save your configuration by clicking the save disk at the top right of the web
GUI.
Exercise Summary
In this exercise you have become familiar with Citrix NetScaler rewrite functionality, configuring URL
Transformation policies to transparently rewrite a request, and configuring URL policies that
transparently rewrite a request to hide the internal architecture of the web servers.
Exercise 9
Web Application Firewall
Overview
In this lab, we will begin working with the Application Firewall feature of NetScaler. We will test the
security functionality of the AppFirewall through a web service called WebGoat that is served by
both web servers in the environment.
Step by step guidance
Step Action
1. Start by enabling the highly available WebGoat servers by creating a new Load
Balancing Virtual Server.
First, create two new WebGoat services, one for each server. Do this by going to
Traffic Management, Load Balancing, Services, and adding "webgoat-service"
and "webgoat-service1". The Protocol will be HTTP, and the Server
fields and Ports will be web-server1 port 8080 and web-server2 port 8080
respectively. Add a tcp monitor to each service and click Done.
2. Create a new "WebGoat-VIP" Load Balancing Virtual Server by going to Traffic
Management, Load Balancing, Virtual Servers, and clicking Add. Configure the
Name, IP Address, Port, and Services according to the image below.
3. Go to the Method and Persistence tab and choose Round Robin as the LB Method.
Under the Persistence section choose COOKIEINSERT, Time-out '0'. Finally click OK.
4. Test the new WebGoat-VIP by going to http://192.168.10.125:8080/WebGoat/attack; the
username is "guest" and the password is "guest".
5. NetScaler Application Firewall is able to use security signatures from security
vendors such as Snort. These signatures are attached to the policies that are created
within this section. To begin, go to Security, Application Firewall, and
Signatures. To download the latest signatures from Snort, click on *Default Signatures,
select Action, and finally Update Version. Agree to the update by selecting Yes. The
latest security signatures will be downloaded.
Note: Application Firewall is not yet enabled; however, you can still update the signatures.
We will enable it in subsequent steps.
Next we will need to define our own version of the *Default Signatures. To do this,
select *Default Signatures and click Add.
6. The Add Signatures Object dialog opens and we will create a name, AppFWSignatures,
and verify the signatures that are being imported. Here we could select to block or not
block various signatures. For the purposes of this lab, we will leave the defaults selected.
After glancing over the signatures, select OK.
7. Define an application firewall profile.
Begin by enabling the Application Firewall feature. Do this by right clicking on Security,
Application Firewall and clicking Enable Feature.
8. Add an AppFW profile by going to Security, Application Firewall, Profiles and clicking
Add. Fill in the Profile name “AppFWProfile”, select Web 2.0 Application, and choose
Basic Defaults. Click on Create and close the dialog.
9. Configure the newly created AppFWProfile by double-clicking on it. Go to the Security
Checks tab. In the Start URL row, unselect Block and select Log and Stat. In the Credit Card
row select Log and Stat; in the HTML SQL Injection row select Block, Log and
Stat.
10. Open the Credit Card check by double-clicking on it and change the status of each card
to Protected. After protecting each card, move to the General tab and select X-Out.
Click OK twice to back out of all dialog boxes.
11. Next, we will attach the AppFWSignatures to this profile. To do this, move to the
Settings tab and scroll to the Common Settings section. Select
AppFWSignatures under the Signatures drop-down. Finally click OK and close the
dialog.
12. Now create an AppFirewall policy by going to Security, Application
Firewall, Policies, Firewall and clicking Add. Configure the Policy Name, Profile, and
Expression as below. This step creates a policy for AppFirewall called AppFWPolicy
that links the recently created profile and adds an expression that decides whether the policy fires. The
expression used is "HTTP.REQ.IS_VALID", which will trigger the AppFWProfile if the
incoming connection is a valid HTTP request. Click Create, then Close when
complete.
13. Now we have an Application Firewall policy but it is not bound; meaning it is not enabled.
You will need to enable the policy through the policy manager. Go to the policy
manager by clicking Action and Policy Manager.
14. Insert the AppFWPolicy into the Default Global bind point. Do this by clicking the Default
Global bind point, selecting Bind Policy, and choosing the AppFWPolicy. Finally
click Bind and then Close once complete.
Note: Binding the policy to the Default Global bind point will enable the policy on all
Virtual Servers that are available within the NetScaler. You are also able to bind policies
to other specific bind points such as Content Switching Virtual Servers, or even Load
Balancing Virtual Servers, as in the image below.
Verify that the policy is enabled via the green check under Active.
15. Test the new Application Firewall policy via the WebGoat URL that was configured earlier.
You can enable and disable the Application Firewall feature to test WebGoat security
vulnerabilities with Application Firewall enabled or disabled. You can do this by
right-clicking on Application Firewall under Security, Application Firewall and selecting
Disable Feature or Enable Feature, as in step 4 above.
This makes for a quick way to see the before and after of protecting.
16. Be sure to reset WebGoat each time with the "restart this lesson" link.
To test with WebGoat, remember a couple of keys. Practice before a demo. Restart the
lesson after each exploit to reset WebGoat, or it may not 'work' on subsequent tries. The
NetScaler needs to see the cookies and the entire activity, so when you enable the
Web Application Firewall feature, open a fresh browser. A stale browser may not get the
same effect, and in real life people are not turning the WAF feature on and off like this.
IMPORTANT: Never try the attacks you learn here in the real world. Many a newbie
has experienced disgrace by playing around and starting some undesirable
consequences. Keep the hacks to just WebGoat, or within a Contract and detailed
Statement of Work. Ethical Hacking, etc… etc…
No surprises.
Go back and turn the NetScaler Web Application Firewall off. You need to establish a
baseline, and if the WAF is on, it will block by redirecting you to the root of Tomcat. We
have it configured to do this when an exploit happens, so be careful not to follow a red
herring. Go ahead and turn the WAF feature off until you have a hack working, then
turn it on, open a fresh browser, and start with WAF on to try it again.
17. If you leave the WAF on, success will redirect you to the TomCat Root like this:
It says "It Works" but it is not what you are looking for. NetScaler redirected you to the
root because the Redirect Rule in the WAF Profile is configured to do just that.
When WebGoat works, you stay within WebGoat and it congratulates you. Also,
WebGoat is a tutorial. On the first screen it tells you the answers are hidden at the top
right under the solution link. Why not use that and cut/paste where helpful?
18. Begin: To start the WebGoat Application, scroll down and click on start WebGoat:
You can see already your Application Firewall policy is taking hits:
19. For SQL injection go to Injection Flaws, String SQL Injection:
We are modifying the SELECT string, shown under the text field for convenience: after
the match criteria you sneak in an "or always true" condition so that the WHERE clause
matches every row and all of the data comes back. The Solution for this lesson shows the
example Erwin' OR '1'='1 (the outer ticks are implied for you).
Note the "* Congratulations.", and all the 'credit card examples'. They are probably not
real credit card numbers; NetScaler uses a validation algorithm to decide when to take
action for information leakage prevention and DLP, so it does not x-out the fake numbers.
We will turn the NetScaler WAF on and see it protect next.
20. Turn the WAF back on:
Try again (close and reopen your browser, log in as guest / guest, Start WebGoat, set up
accordingly).
*** "It works" is true, but you were redirected, per the configuration, for trying to hack.
21. Let's check the logs:
On the NetScaler GUI, you can open a viewer under System, Auditing, by selecting
Syslog Messages.
One could use the CLI and grep through the /var/log directory, but the tool is right there
with a pull-down menu. Set the module to APPFW and have a look.
22. Let's stop blocking and keep playing with it. (You should be thinking to click on
WebGoat's Restart Lesson link.)
Under WebApplicationFirewall in the NetScaler GUI, select the Profile and the Security
Checks tab.
Uncheck Block.
Let's try "Transform" to neutralize the SQL tick. Double-click HTML SQL Injection (the
line in the above screenshot where we unchecked Block can be double-clicked).
Check Transform Special Characters. Go back to WebGoat, restart the lesson,
and try again.
23. Let's check the logs. Security – Application Firewall – Policies – Firewall – Auditing –
Syslog messages.
Gotcha! On a sniffer trace, you would see that the Erwin part now has double quotes and
not single quotes. Above, the WebGoat screenshot even calls it out: Erwin" OR "1"="1.
The double quote (") and the single quote (') mean different things to SQL.
24. OK, let's stop transforming and let you back into the site. By now you are used to
going into the App Firewall Profile that our globally bound policy is set to.
On the Security Checks tab, double-click HTML SQL Injection.
On the General tab, deselect Transform.
Click OK on both windows, and let's go back and run WebGoat again. (I know, you are
thinking "Restart the Lesson".)
This time, I got in:
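As an added example (not part of the lab guide, and not NetScaler or WebGoat code), the following Python script rebuilds the String SQL Injection lesson's query offline against an in-memory SQLite table: the concatenated query that WebGoat deliberately uses, the parameterised form an application should use instead, and a string-level model of what the WAF's Transform Special Characters option did to the request in the trace above. The table, its rows and the function names are constructed for this example; the payload is the one from the lesson's Solution page.

```python
"""Added example (not from the lab guide): the String SQL Injection lesson's query
built the vulnerable way and the safe way, plus a string-level model of the
Application Firewall 'Transform Special Characters' option. Table, rows and
function names are constructed for this example."""
import sqlite3

# Constructed sample data modelled on WebGoat's user_data table (values invented).
SAMPLE_ROWS = [
    (101, "Joe", "Snow", "987654321"),
    (102, "Dave", "Erwin", "123456789"),
    (103, "Jane", "Plane", "555555555"),
]

# The payload shown on the lesson's Solution page (outer ticks supplied by the query).
PAYLOAD = "Erwin' OR '1'='1"


def make_db():
    """In-memory SQLite stand-in for WebGoat's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (userid INTEGER, first_name TEXT, "
        "last_name TEXT, cc_number TEXT)"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, last_name):
    """What the lesson does: the input is pasted into the SQL text, so the
    quote in the payload closes the literal and OR '1'='1' matches every row."""
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, last_name):
    """Parameterised form: the value travels separately from the SQL text,
    so quotes inside it are data, never syntax."""
    return conn.execute(
        "SELECT * FROM user_data WHERE last_name = ?", (last_name,)
    ).fetchall()


def transform_special_characters(value):
    """Model of the WAF transform seen in the lab's syslog and trace: single
    ticks become double ticks, so the request reaches SQL Server as
    Erwin" OR "1"="1, which is no longer a string-literal comparison there."""
    return value.replace("'", '"')


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", len(lookup_vulnerable(db, PAYLOAD)), "rows")  # every row
    print("parameterised:", len(lookup_safe(db, PAYLOAD)), "rows")    # no match
    print("transformed payload:", transform_special_characters(PAYLOAD))
```

The transform is a backend-dependent mitigation: SQL Server reads double-quoted tokens as identifiers, which is why the transformed request no longer matched in the lab, whereas SQLite falls back to treating an unknown double-quoted identifier as a string literal. The parameterised query behaves the same on every backend, which is why the WAF is best treated as a second layer in front of code that already binds its parameters.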
Exercise 10
High Availability
Overview
In this lab, we will create a highly available pair of NetScalers by utilizing NetScaler-B and the
already configured NetScaler-A.
Step by step guidance
1. We will first need to activate the license on NetScaler-B. Follow the same procedure as in the
Licensing Lab, but use 192.168.10.17 as the NetScaler IP Address and the
appropriate license for NetScaler-B ("06e089e0b0f2.lic").
Refer to the Licensing Lab for detailed licensing instructions. Below you will see the
appropriate configuration for NetScaler-B.
2. We will also have to set the NetScaler Subnet IP (SNIP). We will use 192.168.10.18.
3. Enable High Availability by heading to System, High Availability on NetScaler-A
(192.168.10.15). Click the Add button, specify the Remote Node IP Address
(192.168.10.17) as below and click OK.
4. In a few moments, as you refresh the high availability node (by clicking the refresh
button in the top right corner of the screen), you will see the synchronization state move
from In Progress to Success.
Note: Node configuration options. Opening the nodes listed in this section of the high
availability configuration allows you to select advanced HA options. One to point out
is HA Failsafe mode.
5. To enable management access control via a subnet IP you will head to System, Network, and IPs. Here
you will select the subnet IP 192.168.10.16. Click Open and select Enable Management Access control…
within the Application Access Controls section of the dialog window. Click OK.
Be sure to save your configuration by clicking the save disk at the top right of the web GUI.
To test high availability try turning off the primary node and watching as the secondary node takes over.
Additionally, you can select force failover from within the GUI.
Exercise Summary
In this exercise you have gotten familiar with the Citrix NetScaler High Availability functionality and
configuring a pair of highly available NetScalers, utilizing NetScaler-A, and NetScaler-B.
Exercise 11
Clustering
Overview
In this lab, we will create a clustered active/active pair of NetScalers by utilizing NetScaler-A and
NetScaler-B.
Step by step guidance
1. Before we start to configure clustering, we will need to disable high availability. To do
this, head to System, High Availability on NetScaler-A. Select the secondary node and
click Delete. Accept the prompt to remove the selected node and remove the HA node
from the remote system.
2. Next, save the configuration on NetScaler-A. To do this, go to System and click
the save icon.
You must also save the configuration on NetScaler-B. To do this, go to System and click
the save icon.
3. Navigate to NetScaler-A. We will first create a cluster node by heading to System,
Cluster, Nodes and clicking Add. A prompt stating that a cluster instance must be
present will pop up. Add this instance by clicking Yes.
Next, we will configure the cluster IP address for the cluster. Configure the cluster as
below using 192.168.10.130, and be sure to select backplane interface 1/1. Continue by
clicking Create.
Note: The screenshot below shows the Instance ID, not the Node ID.
4. A prompt will ask you to reboot before the changes take effect. Select No, so that
we are able to make one configuration change before the reboot.
Double-click the cluster node 192.168.10.15 and change the State to PASSIVE,
verify the configuration and continue.
Head to System and click Reboot. Be sure to select Save configuration and click OK.
5. Join the NetScaler to the Cluster
After the NetScaler-A reboots, login to the newly created Cluster Management IP at
http://192.168.10.130. Here we will select continue on the configuration page, as we
will set this up later.
6. We will add NetScaler-B to the cluster by heading to System, Cluster, Nodes, and
clicking Add. Configure this node with the NetScaler-B information below.
Both the cluster node and configuration coordinator credentials are the standard
NetScaler credentials you have been using for this lab. Once you click Create you will
be asked to reboot this node, accept the prompt and wait for the NetScaler-B to join
the cluster.
7. Verify that both nodes are in the PASSIVE admin state and INACTIVE operational
state. Also, verify the backplane configuration.
Note: You will have to wait a few moments while NS-B reboots. During this time, click
the refresh button next to save to refresh the view.
8. Define NetScaler Subnet IP Addresses
Here we will need to recreate a Subnet IP address for the NetScaler appliance cluster.
We will head to System, Network, IPs, and click Add. Fill out IP, Netmask, and Owner
for the 192.168.10.16 SNIPs. Be sure Subnet IP is selected as the IP Type for each IP
Address and Owner Node is ALL_NODES.
9. Configuring the Cluster State to Active
Configure the state of each cluster node to ACTIVE by heading to System, Cluster,
and selecting each node. Configure the state of each to ACTIVE.
10. Verify that both the admin and operational state of each node in the cluster is
ACTIVE.
Note: you may have to refresh your view to see the new state.
11. Define a Linkset
Create a Linkset by heading to System, Network, and Linkset. Click Add and configure
the Linkset name LS/1 and add interfaces 1/1/1 and 0/1/1 to the configured column of
the dialog. Click Create.
12. Define NetScaler cluster configuration
Head to System, Settings and select Configure Modes. Configure the modes as below.
13. Define NetScaler cluster load balanced virtual server
In this step, we will configure a simple load balanced virtual server to test the cluster
configuration. Below is the final configuration of the load balanced server. You will
configure this server exactly the same way you configured the load balancing virtual server
at the beginning of this lab. You will need to recreate the Web-Services. You can do this by
clicking the '+' icon when binding services to the VIP.
Note: You can use the CLI reference at the bottom of this document to create the load
balanced virtual server.
Exercise Summary
In this exercise you have become familiar with the Citrix NetScaler Clustering functionality: you
configured a pair of clustered NetScalers utilizing NetScaler-A and NetScaler-B, configured a
linkset of interfaces, and created a load balanced virtual server to test the clustered NetScaler
instances.
Exercise 12
Global Server Load Balancing
Overview
In this lab, we will create a simple Global Server Load Balance environment by utilizing both
NetScalers within this lab.
Step by step guidance
1. Before we start to configure GSLB, we will need to disable clustering. To do this head to
System, Cluster, Nodes on Cluster IP (192.168.10.130). Select the node that is not the
local node, in this case 192.168.10.17, and click Remove. Fill out the credentials and click
OK to remove the node. Repeat this step on the local node after the secondary node
has been removed. Accept any warnings that appear in this step and be sure to close the
Create Cluster Node dialog box if it appears.
2. Log in to NetScaler-A and configure the Subnet IP Address and Netmask. Verify the
configuration of the NSIP and continue. Verify that the correct licenses are applied to this
appliance and continue. Finally, select Done. Repeat the process on NetScaler-B; the
configuration is below.
3. Next, we will configure the modes of both appliances. Configure the modes by heading to
System, Settings. Select Configure Modes and be sure that the modes are configured
as below.
Next, we will need to enable GSLB on both NetScalers. To do so we will first need to enable
Load Balancing by heading to System, Settings, and clicking Configure Basic
Features. From here, we will select Load Balancing. Do this for both
NetScaler-A and NetScaler-B.
Next, we will need to enable Global Server Load Balancing by clicking on Configure
Advanced Features. Here we will be sure to select Global Server Load Balancing.
Leave the other options as they are configured now.
4. Enable management to be accessed on the subnet IP addresses. Head to System,
Network, IPs, and click on the Subnet IP that is listed. Click on Open and select Enable
Management Access…
5. Define GSLB Sites
While logged in to NetScaler-A, configure a GSLB Site for both NetScalers, NS-A and
NS-B. Be sure to select the Type as either Remote or Local depending on which
NetScaler you are currently configuring. To do so, head to Traffic Management, GSLB,
Sites. The remaining configuration can be found in the two images below (the pictures are
provided for NetScaler-A).
Repeat this step on the second NetScaler.
After both NetScalers have had their sites configured, you are able to see the Remote Site
Metric MEP Status as Active. Verify the configurations on each NetScaler. You may need
to click the Refresh button to see this result.
6. Define Load Balancing Service for NetScaler-A
While logged in to NetScaler-B, define a Load Balance Server to utilize within the GSLB
configurations that will occur in the next step. To do so head to Traffic Management,
Load Balancing, Servers and click Add. Configure the WebServer Name and IP
Address.
7. Define GSLB Configuration on NetScaler-B
While logged in to NetScaler-B, begin to configure GSLB by heading to Traffic
Management, GSLB. Select GSLB, Virtual Servers.
Add the Virtual Server and define the Domain Name as www.webserver.com. Verify the
additional settings.
8. Verify the default GSLB parameters and continue.
Add the Domain binding from the menu on the right.
Use www.webserver.com as the Domain Name.
9. Under the GSLB Services click on the Add button to begin to configure a service under
local site.
Create a new Virtual Server for this Service by clicking the Virtual Server icon next to
the drop-down list.
Under the Create Virtual Server dialog, define the WebVIP Name, IP Address as
192.168.10.125 and port as 80. Select Add under Services to create a new service for
this Virtual Server.
10. Define the new service's name as WebService, be sure that WebServer is the Server
selected and the port and protocol are 80 and HTTP, and finally ensure the TCP default monitor
is bound.
11. Configure the Load Balancing Method as Round Robin, and Persistence as
COOKIEINSERT with Time-out set to 1 min under the Method and Persistence tabs.
Finally click Done.
Verify the service configuration for NS-B and click Done.
Verify the configuration under NS-B.
12. Create the Remote Service for NS-A. Configure the Service IP as 192.168.10.126 and the
Port as 80.
Bind the GSLB services to the GSLB Virtual Server www.webserver.com.
13. Define Load Balancing Server for NetScaler-A
While logged in to NS-A, define a Load Balance Server to utilize within the GSLB
configurations that will occur in the next step. To do so head to Traffic Management,
Load Balancing, Servers and click Add. Configure the WebServer Name and IP
Address. Click Create and then Close.
14. Define GSLB Configuration on NetScaler-A
While logged in to NetScaler-A, begin to configure GSLB by heading to Traffic
Management, GSLB. Select Virtual Servers, click Add, and define the Domain Name as
www.webserver.com. Verify the additional configuration below.
Add the Domain binding from the right side menu.
Use www.webserver.com for the Domain Name.
15. Accept the default GSLB Parameters and begin to configure the GSLB sites. Click on
the Services and Configure the Service IP as 192.168.10.125 and Port as 80. Click
Create.
16. Add a new service for NS-A. Configure the Service IP and Port as 192.168.10.126 and
80 and click on the new virtual server icon.
17. Configure the WebVIP's name, IP Address, and port as below. Click on the Add button
under Services to create a new Service.
Configure the WebService1's name; verify the Server configuration; configure
the Protocol and Port; finally ensure the default TCP monitor is bound and click Done.
18. Configure the Load Balancing Method as Round Robin, and Persistence to
COOKIEINSERT with Time-out set to 1 min under the Method and Persistence tab.
Finally click Done.
Verify the Service configuration and click Done.
Bind the GSLB Services to the GSLB Virtual Server www.webserver.com.
19. Define ADNS Service
Log in to NetScaler-B (192.168.10.17) and create an ADNS service so that we can test our
GSLB configuration from the client machine. To do this, head to Traffic Management, Load
Balancing, Services and click Add. Configure the Service Name as DNS, the Server as
192.168.10.135, the Protocol as ADNS, and the Port as 53.
20. Configure the Client's DNS
Configure the newly created DNS server on the client machine. To do this, head to the
Windows Control Panel, Network and Sharing Center, click Change adapter settings, right-
click Local Area Connection, head to Properties, click Internet Protocol Version 4, and
finally click Properties. Configure the preferred DNS server as 192.168.10.135.
21. Verify the GSLB Configuration using the GSLB Visualizer
Head to the main GSLB page by going to Traffic Management, GSLB. Open the GSLB
Visualizer by clicking GSLB Visualizer under Getting Started.
View the GSLB configuration.
22. Verify GSLB Connectivity using Ping and a Web Browser
Open the Windows Command prompt and run ping www.webserver.com. You should
see pings from either server 125 or 126. Wait a few moments and try again. You should
see the GSLB Round Robin LB method change your DNS resolution to the other server.
Test your GSLB configuration via Internet Explorer. Open an internet explorer window and
head to www.webserver.com.
Exercise Summary
In this exercise you have become familiar with the Citrix NetScaler GSLB functionality by
configuring a pair of NetScalers, NetScaler-A and NetScaler-B, for Global Server Load Balancing.
Exercise 13
Bonus Configure GSLB for WebGoat
Overview
In this exercise you will Configure GSLB for WebGoat using the www.webgoat.com GSLB Domain
Step by step guidance
1. Configure GSLB for WebGoat using the www.webgoat.com GSLB Domain. Remember
that WebGoat is running on port 8080. The GSLB Visualizer should look like this when
you are finished.
Exercise 14
Admin Partitions
Overview
The NetScaler ADC provides an infrastructure called admin partitions that can be used to logically
partition a NetScaler ADC.
Each admin partition:
Has its own NetScaler configurations.
Has its own administrators and users. Only users associated with the partition or the system
superuser can access and update its configurations.
Uses a subset of NetScaler system resources such as bandwidth, connection pools, and
memory.
Handles traffic that is specific to that partition.
Step by step guidance
1. Create users for Admin Partitions
Navigate to the Configuration, System, User Administration, and select Users.
Click on Add
2. Add 2 users with user names Admin-A, and Admin-B. Set both passwords to
password1. You can also add the CLI Prompt as shown below. Click Save to save the
user creation, and Done to finish.
3. Create the Admin Partitions
Navigate to Configuration, System, Partition Administration, Partitions, and click Add.
Add the Partition with the configuration settings below, and click Continue.
Click Continue on Network Isolation to accept No VLAN or Bridgegroup.
4. Bind user Admin-A to the Company-A partition, by expanding Users, and click on
Insert. Click Save and Done to complete
5. Create a second Partition, Company-B, by repeating the same steps as for Company-A.
Remember to bind the Admin-B user to the Company-B partition.
After you have created the 2 partitions, we will configure them independently
with their own settings. To do this, let's first switch to the Company-A partition. Navigate to
the partition menu at the top of the screen and select Company-A.
Click Yes to confirm the submission.
6. Navigate to Configuration, System, Settings, and select Configure Modes.
Select only Use Source IP and MAC Based Forwarding, and click OK.
7. Now select Configure Basic Features.
Select SSL Offload and Load Balancing, and click OK.
Navigate to Configuration, Traffic Management, and expand it. Note that Load Balancing
and SSL Offload are enabled and Content Switching is not.
8. Navigate back up to the Partitions menu and switch to partition Company-B; click Yes
again to confirm the submission.
Navigate to Configuration, System, Settings, and select Configure Modes.
Note that the modes configured by default differ from the ones we selected in the Company-A
partition. Let's leave these at their defaults.
9. Now select Configure Basic Features.
This time, since we are in the Company-B partition, we will select SSL Offload and
Content Switching. Click OK.
Exercise Summary
In this exercise you have created 2 users for the purpose of owning partitions, created 2
independent partitions and bound independent users to these partitions, and configured the
partitions independently from each other with different settings.
Exercise 15
Bonus Admin Partitions
Overview
In this exercise, create a third user and partition. Configure this partition with the following settings:
5120 kbps Minimum Bandwidth
Use Source IP only
SSL offload, Load Balancing, and Content switching
Exercise 16
Data Stream
Overview
The demo environment consists of 2 SQL Server instances replicating an OLTP (Online Transaction Processing) and DW (Data Warehouse) database setup. Many organizations use this type of setup to capture and process data efficiently: the OLTP database is used primarily for transactional SQL statements (creates, updates, inserts), and the DW database stores the data in a proper schema so that SQL queries can access it quickly. It is extremely important for organizations to be able to understand their data, considering that their data is one of the most valuable assets for understanding their customers. Microsoft has released many features to help DBAs (Database Administrators) with this scenario, but these features are typically structured in a tiered licensing model, which can be expensive and complex to deploy. The Citrix NetScaler DataStream feature is included in all editions of NetScaler. DataStream can improve database performance by intelligently understanding the SQL transactions and switching the content dynamically to the appropriate database. At the same time, by default it manipulates the TDS protocol to enable SQL server-side multiplexing, reducing SQL Server overhead and increasing transaction speed.
Step by step guidance
1. Log on to NetScaler-A (192.168.10.15)
Navigate to System -> User Administration -> Database Users
Add the user that was created on the SQL Server instances to create the databases.
Username: dsu
Password: Password1
2. Add 2 Servers
Navigate to Traffic Management -> Load Balancing -> Servers
Add your MS SQL Servers (Server Name & IP Address)
Server Name: MSSQL_OLTP
IP Address: 192.168.10.12
Server Name: MSSQL_DW
IP Address: 192.168.10.13
3. Add a Monitor
Navigate to Traffic Management -> Load Balancing -> Monitors
Add a Monitor (Name = MSSQL_mon1, Type = MSSQL-ECV)
Switch to the 'Special Parameters' tab
Input a User Name (must match the SQL Server database username)
Input Database ('ns')
Input Query (select * from test)
Expression (MSSQL.RES.ATLEAST_ROWS_COUNT(0))
Select the appropriate SQL Server Protocol Version from the drop-down
Click Create
You have now created a monitor that connects to the SQL Server instances, runs the query against the ns
database and expects at least 0 rows back, so the probe succeeds whenever the query executes.
4. Add the SQL Server Services
Navigate to Traffic Management -> Load Balancing -> Services
Add your 2 MS SQL Server Services (Server Name, IP Address, Protocol, and Port)
Name: MSSQL_Srvc1
IP Address: 192.168.10.12
Port: 1433
Protocol: MSSQL
Name: MSSQL_Srvc2
IP Address: 192.168.10.13
Port: 1433
Protocol: MSSQL
5. Bind the monitor created in the previous step to both services just created
6. Add load balancing virtual servers & bind each to a service
Navigate to Traffic Management -> Load Balancing -> Virtual Servers
Add Name (MSSQL_LB_OLTP)
Protocol (MSSQL)
IP address (select 'Non Addressable')
Bind the LB Virtual Server to the Service representing the first SQL Server instance
Repeat the process and bind the second LB Virtual Server (MSSQL_LB_DW) to the Service representing
the second SQL Server instance
We selected 'Non Addressable' to demonstrate the conservation of IPv4 addresses. The
Load Balancing Virtual Servers will show an IP of 0.0.0.0. This works because
users will access the VIP of the CS server, and all communication with the
Load Balancing virtual servers is internal.
We are also leaving the default Load Balancing 'Method' as 'Least Connection'
7. Add a content switching Action to NetScaler
Navigate to Traffic Management -> Content Switching -> Actions
Click Add
Input a Name (in our example we are using 'writes')
Select a Target LB Virtual Server from the drop-down (in our example we selected
MSSQL_LB_OLTP)
Click 'Create'
Add another 'Action'
Input a 'Name' (in our example we are using 'reads')
Select a 'Target LB Virtual Server' from the drop-down (in our example we selected
MSSQL_LB_DW)
Click Create
You should now have 2 actions (writes & reads, bound to the 2 LB vservers)
8. Add content switching policies to NetScaler
Navigate to Traffic Management -> Content Switching -> Content Switching Policies
Click Add
Input a 'Name' (in our example we chose 'MSSQL_CS_Reads')
Select an 'Action' from the drop-down (select the reads action)
Under Expression input: MSSQL.REQ.QUERY.COMMAND.CONTAINS("select")
Click Create
Add another Policy
Input a 'Name' (in our example we chose 'MSSQL_CS_Writes')
Select an 'Action' from the drop-down (select the writes action)
Under Expression input: MSSQL.REQ.QUERY.COMMAND.CONTAINS("create")||
MSSQL.REQ.QUERY.COMMAND.CONTAINS("insert")
Click Create
The purpose of creating these policies is to enable NetScaler to identify what is a write
transaction and what is a read transaction from the content of the SQL query.
9. Create a Content Switching Virtual Server
Navigate to Traffic Management -> Content Switching -> Virtual Servers
Click Add
Input a 'Name' (in our example we chose MSSQL_CVS1)
Select 'MSSQL' from the 'Protocol' drop-down
Select 'IP Address' from the 'IP Address Type' drop-down
Input an 'IP Address' of 192.168.10.150 (this is the IP address that users will connect to via
a DB client such as SQL Server Management Studio)
Input a port (the SQL Server default port is 1433)
Click Continue
Bind the 2 policies created in the previous step to the Content Switching Virtual Server. You
will have to assign each binding a priority; 100 and 110 will work.
You have now configured a Content Switching Virtual Server that has the 2 Load
Balancing Virtual Servers bound via the Actions we also created.
10. How to demonstrate Content Switching using SQL queries via SQL Server Management Studio:
Add all 3 instances to SSMS (SQL Server Management Studio) using the database user created and added to NetScaler:
the first instance, the second instance, and the Content Switching Virtual Server.
Ignore any warning such as the one shown below.
1. Launch a new query
2. Right-click the Content Switching Virtual Server and select 'New Query'
3. To test the 'reads' policy use the following query:
select * from GIM_DW.dbo.CLIENT WHERE
CLIENT_HOUSEHOLD_INCOME>='30000'
This query is designed to select those entries in the database whose average household
income is at least $30,000.
11. Launch a new query
Right-click the Content Switching Virtual Server and select 'New Query'
To test the 'writes' policy use the following query:
CREATE DATABASE NEW_TEST_DB
This query is designed to create a database on the appropriate server. The database
name is 'NEW_TEST_DB'.
To demonstrate that it is working as expected, navigate to the GIM_OLTP database and
expand the database catalog. You will note that the new database now exists in this
instance, because that is where the writes policy is bound to.
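As an added example (not from the lab guide, and not NetScaler code), the following Python script models the DataStream pieces configured in steps 3 through 9 so their behaviour can be checked offline: the MSSQL-ECV monitor's pass/fail rule, and the two content switching policies with their priorities and target LB vservers. The policy expressions, names and priorities are the ones from the exercise; the SQLite stand-in for the ns database, the sample queries and the helper names are constructed. One assumption is labelled in the code: MSSQL.REQ.QUERY.COMMAND is treated as the query's leading keyword, compared case-insensitively.

```python
"""Added example (not from the lab guide): offline model of the DataStream
monitor and content switching policies configured in this exercise.
Policy expressions, names and priorities are from the exercise; the SQLite
stand-in, sample queries and helper names are constructed."""
import re
import sqlite3

# The two Content Switching policies and the Actions they select.
# NetScaler evaluates the lower priority number first (100 before 110).
POLICIES = [
    # (priority, policy name, keywords tested by MSSQL.REQ.QUERY.COMMAND.CONTAINS(...), action)
    (100, "MSSQL_CS_Reads", ("select",), "reads"),
    (110, "MSSQL_CS_Writes", ("create", "insert"), "writes"),
]
# Action -> target LB vserver, as created in step 7.
ACTION_TARGET = {"reads": "MSSQL_LB_DW", "writes": "MSSQL_LB_OLTP"}


def query_command(sql):
    """Leading keyword of the query. Assumption: this is what
    MSSQL.REQ.QUERY.COMMAND exposes; the match is done case-insensitively here."""
    m = re.match(r"\s*([A-Za-z]+)", sql)
    return m.group(1).lower() if m else ""


def switch(sql):
    """Return the LB vserver the CS vserver would send this query to, or None
    when no bound policy matches (the exercise binds no default vserver,
    so such a query is not routed to either database)."""
    cmd = query_command(sql)
    for _prio, _name, keywords, action in sorted(POLICIES):
        if any(k in cmd for k in keywords):
            return ACTION_TARGET[action]
    return None


def monitor_probe(conn, query="select * from test", min_rows=0):
    """MSSQL-ECV monitor as configured: the probe passes when the query runs
    and returns at least min_rows rows. With ATLEAST_ROWS_COUNT(0) that means
    'the login, database and table all work', not 'there is data'."""
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error:
        return False
    return len(rows) >= min_rows


def healthy_db():
    """Constructed stand-in for the ns database with an empty test table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER)")
    return conn


def broken_db():
    """Constructed stand-in with no test table: the probe query fails, so the
    service would be marked DOWN."""
    return sqlite3.connect(":memory:")


if __name__ == "__main__":
    for q in ("select * from GIM_DW.dbo.CLIENT WHERE CLIENT_HOUSEHOLD_INCOME>='30000'",
              "CREATE DATABASE NEW_TEST_DB",
              "UPDATE GIM_OLTP.dbo.CLIENT SET CLIENT_HOUSEHOLD_INCOME = 0"):
        print(f"{query_command(q):>8} -> {switch(q)}")
    print("healthy probe:", monitor_probe(healthy_db()))
    print("broken probe:", monitor_probe(broken_db()))
```

The last sample query is the practitioner's caveat: the writes expression in step 8 lists only create and insert, so an UPDATE or DELETE (which the overview counts among transactional statements) matches neither policy and has no target. Extending the writes expression to those commands, or binding a default LB vserver to the CS vserver, closes that gap; the reads-before-writes priority order only matters for a query whose leading keyword satisfies both.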
Exercise Summary
In this exercise you have familiarized yourself with DataStream for MS SQL Server: you created and
configured database load balancing and content switching, and worked with MS SQL Server
database tools.
Exercise 17
AAA for Traffic Management
Overview
The AAA feature supports authentication, authorization, and auditing for all application traffic. To use AAA, you must configure authentication virtual servers to handle the authentication process and traffic management virtual servers to handle the traffic to web applications that require authentication.
Step by step guidance
1. Create a test user in Active Directory to be used as our user for the AAA-TM exercise.
From your desktop, launch a remote desktop connection to 192.168.10.11. The Remote Desktop client can be found in Programs -> Accessories -> Remote Desktop Connection.
Log in with:
Username: Training\administrator Password: Citrix123
2. Navigate to Administrative Tools, and select AD Users and Computers.
Highlight Users as shown above.
Right-click and select New – User.
3. Fill out the fields for the new user (in our example we are using the username "aaauser"). Click Next.
Provide a password (in our example we are using the password
"Password1" to comply with the domain restrictions). Select Password never expires and click Next and then Finish.
4. Add DNS entries for the FQDNs used in this exercise
While still logged in via remote desktop to the Active Directory machine, navigate to Administrative Tools, and select DNS (double-click).
5. Select "Forward Lookup Zones" from the left-hand menu pane, then double-click the Training.lab zone.
Right-click in the white space and select "New Host (A or AAAA)".
6. Add a host entry for the load balancing VIP.
Hostname: WebServer
IP Address: 192.168.10.125
7. Add a second host entry for the AAA VIP (click ok and done once complete)
Hostname: aaavs
IP Address: 192.168.10.175
8. We are also going to add 2 additional DNS entries for the SAML exercise later in this lab.
Note: You will not be able to access the IPs or hosts below until the SAML exercise.
o Hostname: aaasp
o IP Address: 192.168.10.176
o Hostname: aaaidp
o IP Address: 192.168.10.177
NOTE: To verify the DNS entries are correct, using a command prompt (run as
administrator) on your machine, perform a ping test on both FQDNs that were just
created in DNS. If the ping test is unsuccessful, type the following commands to flush the
DNS cache on the machine. Once the cache is flushed, retry the ping test.
ipconfig /flushdns
ipconfig /registerdns
9. Create an LDAP policy on NetScaler using Active Directory. While logged on to NetScaler-A, navigate to Security – AAA-Application Traffic – Policies – Authentication – Basic Policies – LDAP.
Select the Servers tab, and click Add.
Fill out the fields using the following values.
Name: AD IP Address: 192.168.10.11 (be sure to select Server IP) Server Type: AD Port: 389
10. Under Connection Settings use the following values
Base DN: DC=training,DC=lab Administrator DN: [email protected] Bind DN Password: (box is checked) Administrator Password: Citrix123
Click the Retrieve Attributes button to test that the connection succeeds.
11. Scroll down to Other Settings. Under Server Logon Name Attribute select the following value.
Server Logon Name Attribute: sAMAccountName
Click Create to finish.
You have now successfully created a directory server for authentication. The next step is to create a policy.
12. Now select the Policies tab, and click Add.
13. Create the LDAP policy using the values from the screenshot below (expression ns_true).
Click Create to finish.
14. Create an SSL test certificate
Navigate to Traffic Management – SSL. Highlight SSL, and select Create and Install a Server Test Certificate from the right-hand side menu options.
15. Provide the following values for the certificate. Screenshot below, and click OK once finished
You have now created and installed a Server Test Certificate. We will bind this Certificate to our AAA vServer that we create in subsequent sections.
16. Create an AAA virtual server
Navigate to Security – AAA-Application Traffic – Virtual Servers, and click Add.
Provide the Basic Settings using the following values and click OK when finished.
Name: AAA-vs IP Address: 192.168.10.175 Protocol: SSL Port: 443 Authentication Domain: Training.lab
17. The next step is to bind the server certificate. You will see the Certificate menu appear once you click OK from the previous step.
Click on No Server Certificate to launch the Server Certificate Binding wizard
18. Select the AAA certificate and click OK, then Bind to complete.
Click Continue on Advanced Authentication Policies.
Click on the + icon to bind a Basic Authentication Policy
19. Bind the LDAP policy, selecting Primary as the Type. Click Continue.
Bind the LDAP policy created in previous steps, leaving the priority at 100. Click Bind to finish.
Finally click Continue at the bottom of the Authentication Virtual Server screen, and then Done to complete. After clicking the Refresh button, your AAA vServer should show green, representing an Up state.
20. Bind the AAA vServer to the Load Balancing vServer created in earlier steps. If the config has been erased, refer to the CLI reference at the end of this guide to restore the Load Balancing section.
Navigate to Traffic Management – Load Balancing – Virtual Servers, and edit the Web-Vip vServer. Select the Authentication option on the right-hand side menu
21. Provide the values for the Authentication option as shown below, and click OK when finished.
Finally click Done. You have now bound the AAA vServer to your load-balanced vServer. The purpose of this is to authenticate users against LDAP before they can access the backend web servers.
22. Testing the AAA-TM vServer.
To test using a web browser, navigate to the FQDN (http://WebServer.training.lab) of the load balancing Virtual IP Address.
Scroll down and click "Advanced" on the browser's certificate warning.
Click Proceed at the bottom.
Now you should be able to log in with the aaauser created in earlier steps.
Once authenticated you will be directed to the web server page.
Exercise Summary
In this exercise you successfully created a user in Active Directory; DNS entries for the FQDNs of the AAA vServers and the web server; an LDAP server and policy in NetScaler; and an AAA vServer that was bound to the WebServer load balancing VIP.
Exercise 18
AAA SAML Assertion
Overview
At a glance, SAML 2.0 is a set of open standards that leverage XML to transport authentication and authorization data between trusted endpoints. The most widely adopted use case is web single sign-on (SSO). SAML 2.0 addresses the authentication challenges of the internet, as opposed to an intranet. In this lab you leverage NetScaler as both endpoints of a SAML assertion to complete an authentication process.
Step by step guidance
1. Create a SAML policy
Navigate to Security – AAA Application Traffic – Policies – Authentication – Basic Policies – SAML
Select the “Servers” tab, and click Add
Fill out the following parameters in the appropriate fields, and click OK when finished.
o Name: saml-sp
o IDP Certificate Name: Select the AAA certificate created earlier
o Redirect URL: https://aaaidp.training.lab/saml/login
o Signing Certificate Name: Select the AAA certificate created earlier
o Issuer Name: aaaidp.training.lab
o Authentication Class Types: Password
o SAML Binding: Post
2. Select Policies, and click Add
3. Fill out the parameters in their appropriate fields, and click Create once finished.
o Name: saml-pol
o Server: Select the server we just created in previous steps
o Expression: ns_true
4. Create a SAML IdP policy
Navigate to Security – AAA Application Traffic – Policies – Authentication – Basic Policies – SAML IDP
Select Profiles and click Add
Fill out the parameters in their appropriate fields, and click Create once finished
o Name: sam-idp-prof
o Assertion Consumer Service Url (ACS): http://webserver.training.lab/samlauth
o SP Certificate Name: Select the AAA certificate created earlier
o IDP Certificate Name: Select the AAA certificate created earlier
o Issuer Name: aaaidp.training.lab
o Audience: http://webserver.training.lab
5. Select Policies, and click Add
Fill out the parameters in their appropriate fields, and click create once finished
o Name: saml-idp-pol
o Action: Select the profile we just created
o Expression: HTTP.REQ.URL.CONTAINS("saml")
6. Creating the Service Provider (SP) and Identity Provider (IdP) AAA vServers
Navigate to Security – AAA-Application Traffic – Virtual Servers, and select Add
Provide the Basic Settings for the SP (Service Provider) AAA vServer, and click OK once complete
o Name: aaasp.training.lab
o IP Address: 192.168.10.176
o Authentication Domain: Training.lab
7. Bind the AAA Server Certificate created in earlier steps, click continue once complete
Click continue not selecting any Advanced Authentication Policies.
8. Select the + icon on Basic Authentication Policies
Choose SAML as the policy, and Primary as the type, and click Continue
9. Bind the saml-pol policy we created as the SP policy in earlier steps. Click Bind to continue.
Click Continue and Done to complete.
10. Click Add again to create the IdP AAA vserver
Provide the Basic Settings for the IdP (Identity Provider) AAA vServer, and click OK once complete
o Name: aaaidp.training.lab
o IP Address: 192.168.10.177
o Authentication Domain: Training.lab
11. Bind the AAA Server Certificate created in earlier steps, click continue once complete
12. Click continue not selecting any Advanced Authentication Policies.
Select the + icon on Basic Authentication Policies
13. First, let's bind the SAMLIDP policy. Choose SAMLIDP for the policy and Primary for the type
14. Next, bind the sam-idp-pol profile created in earlier steps. Click Bind to continue
15. Clicking the + icon again on Basic Authentication Policies, we will now bind the LDAP policy created earlier.
Select LDAP as the policy and Primary as the type. Click continue once complete.
Bind the LDAP policy created earlier and click Bind to continue.
Click Continue, and Done to complete.
NOTE: You may have to click the Refresh button to get the vServers to display green.
16. Binding the SP AAA vServer to the Load Balancing WebServer
Navigate to Traffic Management – Load Balancing – Virtual Servers, and edit the existing Web-Vip virtual server.
Locate the Authentication tab. If an authentication vServer is already bound from the previous AAA exercise, we will override it now. Select the edit icon on the Authentication settings, and add the following:
Select Form Based Authentication
Authentication FQDN: aaasp.training.lab
Authentication Virtual Server: Select aaasp.training.lab
Click OK, and Done, to complete.
17. Testing the SAML assertion flow
In your web browser navigate to http://webserver.training.lab, and note that it redirects you to https://aaaidp.training.lab/saml/login. Click on Advanced to proceed.
Click on Proceed to aaaidp.training.lab (unsafe). The warning appears because we are using a test certificate for lab purposes.
You are now directed to the AAA IdP vServer for authentication. Log in with the AAA user credentials created in earlier steps.
o Username: aaauser
o Password: Password1
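As an added example (not part of the lab guide), the checks the SP side must perform on a SAML Response before trusting it, using the Issuer, Audience and ACS URL values configured in the profiles above. The sample response is constructed inline and unsigned, so signature verification (done on NetScaler with the bound IDP certificate) is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Expected values, copied from the lab's IdP profile (sam-idp-prof) and SP server (saml-sp).
SP_EXPECTED = {"issuer": "aaaidp.training.lab",
               "audience": "http://webserver.training.lab",
               "acs_url": "http://webserver.training.lab/samlauth"}
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2015-05-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_sample_response(issuer, audience, destination, not_before, not_on_or_after):
    """Constructed, unsigned SAML Response used only to exercise the checks below."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" Destination="{destination}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>aaauser</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def validate_response(xml_text, expected, now_str):
    """Return the names of the checks that fail; an empty list means the response passes
    the Destination, Issuer, validity-window and Audience checks an SP performs."""
    now = parse_ts(now_str)
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected["acs_url"]:   # must be our own ACS URL
        problems.append("destination")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no-assertion"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != expected["issuer"]:
        problems.append("issuer")                          # only the configured IdP may issue
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["no-conditions"]
    if now < parse_ts(cond.get("NotBefore")):
        problems.append("not-yet-valid")
    if now >= parse_ts(cond.get("NotOnOrAfter")):
        problems.append("expired")                         # replayed/stale assertions
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append("audience")                        # assertion meant for another SP
    return problems
```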
Exercise Summary
In this section you successfully configured NetScaler as a Service Provider (SP) endpoint in a SAML 2.0 assertion, configured NetScaler as an Identity Provider (IdP) endpoint in a SAML 2.0 assertion, and completed a successful SP-initiated assertion flow using NetScaler as both endpoints.
NetScaler Command Line Reference (CLI)
SNIP: add ns ip 192.168.10.16 255.255.255.0 -vServer DISABLED -gui DISABLED -mgmtAccess ENABLED
VIP: add ns ip 192.168.10.125 255.255.255.0 -type VIP -mgmtAccess ENABLED
Load Balancing
NS A
enable ns feature LB
add ns ip 192.168.10.125 255.255.255.0 -type VIP
add server web-server1 192.168.10.115
add server web-server2 192.168.10.116
add service web-service web-server1 HTTP 80
add service web-service1 web-server2 HTTP 80
add lb vserver Web-VIP HTTP 192.168.10.125 80 -persistenceType COOKIEINSERT -timeout 1 -lbMethod ROUNDROBIN -cltTimeout 180
bind lb vserver Web-VIP web-service
bind lb vserver Web-VIP web-service1
Content Switching
NS A
enable ns feature cs
add cs vserver WebSwitch HTTP 192.168.10.125 81
add lb vserver WebVip1 HTTP 0.0.0.0 0
bind lb vserver WebVip1 Web-Service1
add lb vserver WebVip2 HTTP 0.0.0.0 0
bind lb vserver WebVip2 Web-service2
add cs policy urlswitch -url "/url1*"
bind cs vserver WebSwitch -policyName urlswitch -targetLBVserver WebVip1
bind cs vserver WebSwitch -lbvserver WebVip2
URL transformation
NS A
en ns feature rewrite
add transform profile Ferrysburg -type URL
add transform action actFerrysburg Ferrysburg 1000
set transform action actFerrysburg -priority 1000 -reqUrlFrom '192.168.10.125/url1' -reqUrlInto '192.168.10.125/url2' -resUrlFrom '192.168.10.125/url2' -resUrlInto '192.168.10.125/url1' -state ENABLED -comment 'URL transformation for Ferrysburg MI.'
add transform policy Ferrysburg "HTTP.REQ.URL.PATH.GET(1).CONTAINS(\"url1\")" Ferrysburg
bind transform global Ferrysburg 100
show transform profile Ferrysburg
Application Firewall
NS A
add service webgoat-service web-server1 HTTP 8080
add service webgoat-service1 web-server2 HTTP 8080
add lb vserver WebGoat-VIP HTTP 192.168.10.125 8080 -persistenceType COOKIEINSERT -timeout 0 -lbMethod ROUNDROBIN
bind lb vserver WebGoat-VIP webgoat-service
bind lb vserver WebGoat-VIP webgoat-service1
en ns feature appfw
add appfw profile AppFWProfile -defaults basic
set appfw profile AppFWProfile -type HTML XML
set appfw profile AppFWProfile -creditCardAction log stats
set appfw profile AppFWProfile -creditCard amex dinersclub discover jcb mastercard visa
set appfw profile AppFWProfile -creditCardXOut on
set appfw profile AppFWProfile -creditCardMaxAllowed 1
add appfw policy AppFWPolicy "HTTP.REQ.IS_VALID" AppFWProfile
bind appfw global AppFWPolicy 100
Clustering
NS A & NS B
add cluster instance 1
add cluster node 1 192.168.10.15 -state PASSIVE -backplane 0/1/1
enable cluster instance 1
save ns config
reboot -warm
add ns ip 192.168.10.130 255.255.255.0 -type CLIP
show cluster instance
show cluster node
***logout and log into the Cluster IP.
add cluster node 2 192.168.10.17 -state PASSIVE -backplane 1/1/1
show cluster node *expect unknown for now.
save ns config
***logout and log into the Node 2 NSIP: 192.168.10.17
join cluster -clip 192.168.10.130 -password nsroot
save ns config
reboot -warm
***logout and log into the Cluster IP (CLIP).
show cluster node
add ns ip 192.168.10.16 255.255.255.0 -type SNIP -ownerNode 1
add ns ip 192.168.10.18 255.255.255.0 -type SNIP -ownerNode 2
---Node 1 already had this SNIP, so it may take some tweaking.
sh ip
set cluster node 1 -state ACTIVE
set cluster node 2 -state ACTIVE
show cluster node (both nodes should now be ACTIVE)
**if a node stalls, do a rm cluster and a join cluster again.
sh ip
Add the link set. CLAG and ECMP are also options, but the all-virtual lab is easiest with a LinkSet.
From the CLIP: add linkset LS/1
bind linkset LS/1 -ifnum 1/1/1
bind linkset LS/1 -ifnum 2/1/1
show linkset LS/1
save ns config
LDAP
NS A
add authentication ldapAction AD -serverIP 192.168.10.11 -ldapBase "DC=training,DC=lab" -ldapBindDn [email protected] -ldapBindDnPassword Citrix123 -ldapLoginName sAMAccountName
add authentication ldapPolicy LDAP ns_true AD
SSL Certificate
NS A
To generate a server test certificate by using the configuration utility
1. In the navigation pane, click SSL.
2. Under SSL Certificates, click Create and install a Server Test
Certificate.
3. In the Create and install a Server Test Certificate dialog box, specify
values for the following parameters:
o Certificate File Name—name of the server test certificate
o Fully Qualified Domain Name—the domain for which you want to secure the
connection
o Country—the name of the country or region
4. Click OK.
AAA Vserver
add authentication vserver AAA-vs SSL 192.168.10.175 443 -AuthenticationDomain training.lab
bind authentication vserver AAA-vs -policy LDAP -priority 100
bind ssl vserver AAA-vs -certkeyName AAA
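The Content Switching lines above bind Web-Service1 and Web-service2, while the Load Balancing lines define web-service and web-service1. An added example (not part of the lab guide) that reads the reference's own lines and reports every bind that names an object no earlier add created; it compares names case-sensitively, which is how it assumes NetScaler treats entity names.

```python
import shlex

# Constructed sample: the Load Balancing and Content Switching lines of the CLI reference.
SAMPLE_CONFIG = """
add server web-server1 192.168.10.115
add server web-server2 192.168.10.116
add service web-service web-server1 HTTP 80
add service web-service1 web-server2 HTTP 80
add lb vserver Web-VIP HTTP 192.168.10.125 80 -persistenceType COOKIEINSERT -timeout 1 -lbMethod ROUNDROBIN -cltTimeout 180
bind lb vserver Web-VIP web-service
bind lb vserver Web-VIP web-service1
add cs vserver WebSwitch HTTP 192.168.10.125 81
add lb vserver WebVip1 HTTP 0.0.0.0 0
bind lb vserver WebVip1 Web-Service1
add lb vserver WebVip2 HTTP 0.0.0.0 0
bind lb vserver WebVip2 Web-service2
add cs policy urlswitch -url "/url1*"
bind cs vserver WebSwitch -policyName urlswitch -targetLBVserver WebVip1
bind cs vserver WebSwitch -lbvserver WebVip2
"""

def option_value(tokens, flag):
    """Value following option `flag` (option names are matched case-insensitively), or None."""
    lowered = [t.lower() for t in tokens]
    return tokens[lowered.index(flag.lower()) + 1] if flag.lower() in lowered else None

def find_dangling_references(config_text):
    """Return (command, referrer, missing_name) for each line that references an entity
    no earlier 'add' line defined. Entity names are compared case-sensitively, so
    Web-Service1 and web-service1 are treated as different objects."""
    defined = {"server": set(), "service": set(), "lb": set(), "cs": set(), "policy": set()}
    dangling = []
    for line in config_text.strip().splitlines():
        t = shlex.split(line)
        if t[:2] == ["add", "server"]:
            defined["server"].add(t[2])
        elif t[:2] == ["add", "service"]:
            defined["service"].add(t[2])
            if t[3] not in defined["server"]:
                dangling.append(("add service", t[2], t[3]))
        elif t[:3] == ["add", "lb", "vserver"] or t[:3] == ["add", "cs", "vserver"]:
            defined[t[1]].add(t[3])
        elif t[:3] == ["add", "cs", "policy"]:
            defined["policy"].add(t[3])
        elif t[:3] == ["bind", "lb", "vserver"]:
            for kind, name in (("lb", t[3]), ("service", t[4])):
                if name not in defined[kind]:
                    dangling.append(("bind lb vserver", t[3], name))
        elif t[:3] == ["bind", "cs", "vserver"]:
            refs = [("cs", t[3]), ("policy", option_value(t, "-policyName")),
                    ("lb", option_value(t, "-targetLBVserver")), ("lb", option_value(t, "-lbvserver"))]
            for kind, name in refs:
                if name is not None and name not in defined[kind]:
                    dangling.append(("bind cs vserver", t[3], name))
    return dangling
```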
Revision: Change Description Updated By Date
1.0 Original version Joshua Travers May 2015
About Citrix
Citrix Systems, Inc. designs, develops and markets technology solutions that enable information
technology (IT) services. The Enterprise division and the Online Services division constitute its two
segments. Its revenues are derived from sales of Enterprise division products, which include its
Desktop Solutions, Datacenter and Cloud Solutions, Cloud-based Data Solutions and related
technical services and from its Online Services division's Web collaboration, remote access and
support services. It markets and licenses its products directly to enterprise customers, over the
Web, and through systems integrators (SIs) in addition to indirectly through value-added resellers
(VARs), value-added distributors (VADs) and original equipment manufacturers (OEMs). In July
2012, the Company acquired Bytemobile, provider of data and video optimization solutions for
mobile network operators.
http://www.citrix.com