
Basic Administration for Citrix NetScaler 9.2
CNS-203-3I
Exercise Workbook
July 2011
Version 3.0

Table of Contents
Module 1: Lab Overview
Lab Overview
Module 2: Exercises for Introducing and Deploying Citrix NetScaler
Exercise 2-1: Performing an Initial Configuration
Exercise 2-1: Step by Step (Command-line Interface)
Performing an Initial Configuration
Exercise 2-2: Performing Basic Administration
Exercise 2-2: Step by Step (Configuration Utility)
Enabling and Disabling Features
Creating a New Administrator Account
Viewing the Running and Saved Configurations
Performing a Configuration Backup
Exercise 2-2: Step by Step (Command-line Interface)
Enabling and Disabling Features
Creating a New Administrator Account
Viewing the Running and Saved Configurations
Performing a Configuration Backup
Module 3: Exercises for Networking
Exercise 3-1: Configuring Basic Networking
Exercise 3-1: Step-by-Step (Configuration Utility)
Identifying the NetScaler Hardware Platform
Enabling an Internal Network Interface
Adding a Subnet IP to the NetScaler
Adding a VLAN
Adding a Static Route
Enabling USNIP Mode
Validating Task Configurations
Exercise 3-1: Step-by-Step (Command-line Interface)
Identifying the NetScaler Product Type
Configuring the NetScaler Interface
Validating Task Configurations
Module 4: Exercises for Configuring High Availability
Exercise 4-1: Configuring High Availability
Exercise 4-1: Step-by-Step (Configuration Utility)
Configuring NetScaler A and NetScaler B
Configuring High Availability on NetScaler A and B
Testing the High-Availability Configuration
Removing the High-Availability Configuration on NetScaler A and B
Restoring Settings
Exercise 4-1: Step-by-Step (Command-line Interface)
Configuring NetScaler A and NetScaler B
Configuring High Availability on NetScaler A and B
Testing the High-Availability Configuration
Removing the High-Availability Configuration
Restoring Settings
Module 5: Exercises for Securing the NetScaler System
Exercise: Enabling External Authentication
Exercise 5-1: Step-by-Step (Configuration Utility)
Enabling LDAP Authentication
Module 6: Exercises for Configuring Load Balancing
Exercise 6-1: Configuring Load Balancing
Exercise 6-1: Step-by-Step (Configuration Utility)
Creating Servers
Creating Services
Creating Load-Balancing Virtual Servers
Testing Load Balancing
Resetting Persistence to None
Exercise 6-1: Step-by-Step (Command-line Interface)
Procedure for Configuring Servers, Services, and Virtual Servers
Testing Load Balancing
Exercise 6-2: Configuring a Load-Balancing HTTP-ECV Monitor
Exercise 6-2: Step-by-Step (Configuration Utility)
Creating a Load-Balancing HTTP-ECV Monitor
Testing the Load-Balancing HTTP-ECV Monitor
Exercise 6-2: Step-by-Step (Command-line Interface)
Creating a Load-Balancing HTTP-ECV Monitor
Testing the Load-Balancing HTTP-ECV Monitor
Exercise 6-3: Configuring RADIUS Load Balancing
Exercise 6-3: Step-by-Step (Configuration Utility)
Creating RADIUS Service Groups
Creating RADIUS Load-Balancing Virtual Servers
Testing RADIUS Persistency
Exercise 6-4: Configuring RTSP Load Balancing (Optional)
Exercise 6-4: Step-by-Step (Configuration Utility)
Creating Servers
Creating Services
Creating a Load-Balancing Virtual Server
Testing RTSP Load Balancing (Configuration Utility)
Exercise 6-4: Step-by-Step (Command-line Interface)
Configuring Advanced Load Balancing
Testing RTSP Load Balancing
Module 7: Exercises for Configuring SSL Offload
Exercise 7-1: Configuring SSL Offload
Exercise 7-1: Step-by-Step (Configuration Utility)
Creating an RSA Key File
Creating a Certificate Request
Procedure for Creating a Certificate
Configuring a Certificate-Key Pair
Creating an SSL Offload Virtual Server
Testing SSL Offload
Exercise 7-1: Step-by-Step (Command-line Interface)
Configuring a Self-Signed Certificate
Configuring SSL Offload
Testing SSL Offload
Module 8: Exercises for Configuring Global Server Load Balancing
Exercise 8-1: Configuring GSLB
Exercise 8-1: Step-by-Step (Configuration Utility)
Enabling GSLB (Germany and Japan)
Verifying the Base Services Are Up (Germany and Japan)
Configuring and Testing Load-Balancing Virtual Servers (Germany and Japan)
Configuring the GSLB Sites (Germany and Japan)
Configuring Load-Balancing Servers (Germany and Japan)
Configuring GSLB Services (Germany and Japan)
Adding and Binding the GSLB Virtual Server (Germany and Japan)
Verifying the Configuration (Germany and Japan)
Configuring DNS Settings (Germany)
Configuring Local DNS Settings to Test the GSLB Configuration
Testing the GSLB Configuration
Exercise 8-1: Step-by-Step (Command-line Interface)
Enabling GSLB (Germany and Japan)
Verifying the Base Services and Load-Balancing Virtual Servers (Germany and Japan)
Configuring the GSLB Sites (Germany and Japan)
Configuring GSLB Services (Germany and Japan)
Adding and Binding the GSLB Virtual Server (Germany and Japan)
Configuring DNS Settings (Germany)
Verifying the Configuration (Germany and Japan)
Configuring Local DNS Settings to Test the GSLB Configuration
Testing the GSLB Configuration
GSLB Troubleshooting Tips
Module 9: Exercises for Configuring AppExpert Classic Policies
Exercise 9-1: Configuring Content Filtering Using Classic Policies
Exercise 9-1: Step-by-Step (Configuration Utility)
Configuring a Policy Expression
Using the Expression Evaluator
Configuring Content Filters
Testing Content Filtering
Removing Content Filters
Exercise 9-1: Step-by-Step (Command-line Interface)
Configuring a Policy Expression
Configuring Content Filters
Testing Content Filtering
Removing Content Filters
Exercise 9-2: Configuring Compression Policies
Exercise 9-2: Step-by-Step (Configuration Utility)
Adding Compression Policies
Adding Compound Compression Policies
Enabling Compression on Services
Testing Compression
Exercise 9-2: Step-by-Step (Command-line Interface)
Configuring Compression Policies
Testing Compression
Module 10: Exercises for Configuring Rewrite, Responder, and URL Transformation
Exercise 10-1: Configuring Rewrite, Responder, and URL Transformation
Exercise 10-1: Step-by-Step (Configuration Utility)
Enabling the Rewrite Feature
Configuring a Rewrite Action
Configuring a Rewrite Policy
Creating Policy Bindings
Testing the Rewrite Policy
Exercise 10-1: Step-by-Step (Command-line Interface)
Configuring Rewrite
Testing the Rewrite Policy
Exercise 10-2: Removing Server Data
Exercise 10-2: Step-by-Step (Configuration Utility)
Viewing the Default Header Information
Configuring a Rewrite Action
Configuring a Rewrite Policy
Creating Policy Bindings
Viewing the Default Header Information
Exercise 10-2: Step-by-Step (Command-line Interface)
Viewing the Default Header Information
Configuring Rewrite
Viewing the Default Header Information
Exercise 10-3: Inserting Server Data
Exercise 10-3: Step-by-Step (Configuration Utility)
Configuring a Rewrite Action
Configuring a Rewrite Policy
Creating Policy Bindings
Viewing the Default Header Information
Exercise 10-3: Step-by-Step (Command-line Interface)
Configuring a Rewrite Policy
Viewing the Default Header Information
Exercise 10-4: Configuring Responder
Exercise 10-4: Step-by-Step (Configuration Utility)
Enabling the Responder Feature
Configuring a Responder Action
Configuring a Responder Policy
Creating Policy Bindings
Testing the Responder Policy
Exercise 10-4: Step-by-Step (Command-line Interface)
Enabling the Responder Feature
Configuring a Responder Action
Testing the Responder Policy
Exercise 10-5: Adding a Custom Response
Exercise 10-5: Step-by-Step (Configuration Utility)
Configuring a Responder Action
Configuring a Responder Policy
Creating Policy Bindings
Testing the Responder Policy
Exercise 10-5: Step-by-Step (Command-line Interface)
Configuring a Responder Action
Testing the Responder Policy
Exercise 10-6: Adding URL Transforms
Exercise 10-6: Step-by-Step (Configuration Utility)
Creating a URL Transform Profile
Configuring a URL Transform Action
Creating a URL Transformation Policy
Testing the URL Transform Policy
Exercise 10-6: Step-by-Step (Command-line Interface)
Configuring a Responder Action
Testing the URL Transform Policy
Module 11: Exercises for Configuring Content Switching
Exercise 11-1: Configuring Content Switching
Exercise 11-1: Step-by-Step (Configuration Utility)
Verifying Content-Switching Feature Enablement
Creating Non-Addressable Load-Balancing Virtual Servers
Creating Policy Expressions
Creating Content-Switching Policies
Creating the Content-Switching Virtual Server
Testing the Content-Switching Configuration
Exercise 11-1: Step-by-Step (Command-line Interface)
Configuring Content Switching
Testing the Content-Switching Configuration
Module 12: Exercises for Configuring Traffic Optimization
Exercise 12-1: Integrated Caching
Exercise 12-1: Step-by-Step (Configuration Utility)
Configuring Global Cache Parameters (Configuration Utility)
Creating Content Groups (Configuration Utility)
Creating Caching Policies (Configuration Utility)
Creating an Invalidation Cache Policy (Configuration Utility)
Binding Policies (Configuration Utility)
Enabling the Caching Feature (Configuration Utility)
Testing Caching Configuration (Configuration Utility)
Testing a Caching Configuration with Invalidation (Configuration Utility)
Disabling Integrated Caching (Configuration Utility)
Exercise 12-1: Step-by-Step (Command-line Interface)
Configuring Global Cache Parameters (Command-line Interface)
Configuring Integrated Caching (Command-line Interface)
Configuring Invalidation Cache Policies (Command-line Interface)
Testing the Caching Configuration (Command-line Interface)
Testing the Caching Configuration with Invalidation (Command-line Interface)
Disabling Integrated Caching (Command-line Interface)
Module 13: Exercises for Management
Exercise 13-1: Auditing and Logging
Exercise 13-1: Step-by-Step (Configuration Utility)
Configuring the Kiwi Syslog Daemon
Creating a Syslog Policy and Syslog Server
Viewing Recent Audit Messages
Viewing Historical Audit Messages
Viewing Audit Messages on the Remote Syslog Server
Disabling Syslog Audit Messages
Exercise 13-1: Step-by-Step (Command-line Interface)
Configuring the Kiwi Syslog Daemon
Configuring and Viewing the Syslog
Exercise 13-2: Monitoring
Exercise 13-2: Step-by-Step (Configuration Utility)
Configuring an SNMP Manager
Configuring an SNMP Community
Configuring an SNMP Trap
Configuring an SNMP Alarm
Verifying the SNMP Configuration
Configuring the Kiwi Syslog Daemon and Viewing SNMP Alerts
Exercise 13-2: Step-by-Step (Command-line Interface)
Configuring SNMP Settings
Configuring the Kiwi Syslog Daemon and Viewing SNMP Alerts
Notices
Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or
use of this publication. Citrix specifically disclaims any expressed or implied warranties,
merchantability, or fitness for any particular purpose. Citrix reserves the right to make any changes
in specifications and other information contained in this publication without prior notice and
without obligation to notify any person or entity of such revisions or changes.
Copyright 2011 Citrix Systems, Inc. All Rights Reserved.
No part of this publication may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or information storage and retrieval
systems, for any purpose other than the purchaser's personal use, without express written
permission of:
Citrix Systems, Inc.
831 West Cypress Creek Road
Fort Lauderdale, FL 33309
http://www.citrix.com
The following marks are service marks, trademarks or registered trademarks of their respective
owners in the United States and other countries.
Mark | Owner
Active Directory, Microsoft, Microsoft Internet Explorer, Windows, Win32 | Microsoft Corporation
ActivePerl | ActiveState Software, Inc.
American Express | American Express Company
Apache | The Apache Software Foundation
Citrix, Citrix Access Gateway, Citrix Application Firewall, Citrix Authorized Learning Center, Citrix Certified Administrator, Citrix Certified Enterprise Administrator, Citrix Certified Integration Architect, EdgeSight, ICA, NetScaler, MyCitrix | Citrix Systems, Inc.
Diners Club | Diners Club International Ltd.
Discover | Discover Financial Services
Firefox | Mozilla Corporation
FreeBSD | FreeBSD Foundation
Google | Google Inc.
Intel, Pentium | Intel Corporation
Java | Sun Microsystems, Inc.
JCB | JCB International Co., Ltd.
Linux | Linus Torvalds
LiveHTTPHeaders | Mozdev Community Organization, Inc.
MasterCard | MasterCard Worldwide
Microsoft, .NET, Active Directory, Internet Explorer, SQL Server, Windows | Microsoft Corporation
Pearson VUE | Pearson Education, Inc.
PuTTY | Simon Tatham
Secure Shell, SSH | SSH Communications Security Corp.
UNIX | The Open Group
Visa | Visa Inc.
WinSCP | Martin Prikryl, GNU General Public License, Free Software Foundation, Inc.
Other product and company names mentioned herein might be the service marks, trademarks or
registered trademarks of their respective owners in the United States and other countries.
Credits
Instructional Designers: Erin Shatara, Hung Ha, Rachel White, Todd Hurst, Rhonda Rowland, Dustin Clark
Graphic Artist: Nathan Jackson
Manager: Mike Young
Editor: Karla Stagray
Translation Coordinator: Francine Chiaverini
Subject Matter Experts: Arvind Bangari, Mark Borrow, Erik Brandsberg,
Colin Christy, John Daniels, John Dell, Greg
Dolan, Stefan Drege, Seema Vaibhav Dubey,
Abhishek Gautam, Bino Gopal, DeeLayna
Hurst, Faisal Jahan, Vamsi Korrapati, Prakash
Mana, James Nagy, Ronan O'Brien, Lokaraj
Pedapalli, Ram Prasad, Patrick Quinlan, Prabhu
Rampur, Kumaresan Rangasamy, Anoop Reddy,
Guy Rosefelt, Jacob Salassi, Erin Shatara,
Prakash Sinha, Sam Spence, Thilak Subburam,
Raghu Varma Tirumalaraju, Chad Tripod,
Abhilash Verma, Gregor Visconty, Kit Wetzler,
Don Williams, Lena Yarovaya
Module 1: Lab Overview
Lab Overview
This book contains exercises to accompany the courseware content. This section provides an
overview of the hosted lab environment used with the lab exercises in this course.
NetScaler Configuration
For this course, each student has been provided a hosted client workstation and an assigned
NetScaler system. The NetScaler systems have two interfaces connected to a front-end environment
facing the hosted client and a back-end environment facing the back-end resources.
The assigned NetScaler is provided in an initial state with an assigned NetScaler IP (NSIP) on the
front-end (public) network. Students will configure an assigned Subnet IP (SNIP) on the back-end
(private) network. The NetScaler systems are configured with USNIP mode and, therefore, a
Mapped IP (MIP) address is not required.
Each student may be provided with unique information for their NetScaler systems. The NSIP and
SNIP addresses are fixed IP Addresses on each NetScaler system.
In addition to these fixed IP addresses, students have been provided with up to four additional IP
addresses which can be used as virtual IP addresses or subnet IP addresses as the labs require.
To prevent IP address conflicts within the lab, use only the assigned IP addresses.
Lab Approach
Each exercise presented here begins with an introduction to the exercise, followed by detailed step-
by-step instructions. The introduction comprises the following sections:
- Scenario: describes the end goal
- Before You Begin: lists exercise dependencies
- Exercise Details: lists the high-level tasks that will be performed in the lab
These tasks are designed to contain enough information to allow you to attempt the
exercise without the step-by-step instructions. We encourage you to attempt the
exercise using these tasks, resorting to the step-by-step instructions for more
information or if you have difficulty completing the exercise.
- Summary: reviews the main points of the exercise
Revisit this summary after the exercise is completed.
Module 2: Exercises for Introducing and Deploying Citrix NetScaler
Exercise 2-1: Performing an Initial Configuration
Overview
This exercise demonstrates the process of connecting to the NetScaler system using the command-
line interface.
For most of the exercises in this course, the command-line interface commands are
provided as a reference. Students may choose to perform exercises using the
Configuration Utility or the command-line interface.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you will need:
- The NetScaler IP address assigned to you.
- The nsroot logon credentials (nsroot/nsroot).
- Access to the command-line interface with PuTTY or an alternate SSH client.
Estimated time to complete this exercise: 3 minutes
Scenario
MillennialGadgets.com sells electronics, including cell phones, game consoles and MP3 players, to
Echo Boomers, also known as Millennials. The company has obtained a NetScaler system with a
Platinum Edition license. The NetScaler system needs initial configuration to ready it for basic
administration.
Exercise Details
During this exercise, complete the following tasks:
- Connect and log on to the command-line interface using the following settings:
- Set the default session timeout for the connection to 28800 seconds (8 hours).
- Set the date and time.
- Save the NetScaler running configuration.
Exercise 2-1: Step by Step (Command-line Interface)
This exercise provides step-by-step instructions for completing 'Exercise 2-1: Performing an Initial
Configuration' using the command-line interface.
Performing an Initial Configuration
Use the following procedure to log on, change the session timeout setting, date, and time, and to
save the running configuration on the NetScaler system from the command-line interface.
1. Launch the PuTTY.exe command-line interface on your desktop.
This lab environment uses PuTTY as the SSH client. Other SSH clients may be used to
connect to the command-line interface, but their configuration and operation are not
covered in this course.
2. Type NSIP in the Host Name field.
Replace NSIP with the NetScaler IP address (NSIP) found in the Student Reference text file on
the desktop. The NSIP address is unique to each system.
3. Verify that 22 appears in the Port field.
4. Verify that SSH is selected as the Connection type.
5. Click Open.
6. Click Yes in the PuTTY Security Alert dialog box.
7. Log on using the nsroot/nsroot credentials.
8. Set the session timeout for the connection by entering the following command:
set cli mode -timeout 28800
9. Configure the time zone by entering the following command:
config ns
The Review Configuration Parameters menu appears.
10. Type 4 and press Enter to set the time zone.
The Time Zone Selector menu appears.
11. Use the up and down arrow keys to browse to the appropriate region and press Enter.
12. Browse to the appropriate country or region and press Enter.
13. Browse to your local time zone and press Enter.
14. Press Enter to confirm your selection.
15. Type 6 and press Enter to apply the changes and to exit the Review Configuration Parameters
menu.
16. Access the BSD shell by entering the following command:
shell
17. View the current date and time by entering the following command:
date
18. Set the current date and time by entering the following command:
date yyyymmddhhmm
Replace yyyymmddhhmm with the current year, month, day, hour and minute.
19. Log off the BSD shell by entering the following command:
exit
20. Save the NetScaler running configuration by entering the following command:
save ns config
Shorter forms of this command are also accepted.
save config
save ns c
save c
21. Log off the NetScaler system by entering the following command:
exit
Exercise 2-2: Performing Basic Administration
Overview
This exercise demonstrates several basic administrative tasks used for managing the NetScaler
system. These tasks include:
- Upgrading the NetScaler system from Standard Edition to Platinum Edition
- Enabling features
- Creating an account
- Viewing and comparing the running and saved configurations
- Creating a backup of the NetScaler configuration
Steps for performing these tasks are provided using both the Configuration Utility and the
command-line interface.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you will need:
- Access to the Configuration Utility or to the command-line interface.
- Access to the WinSCP3 application.
Estimated time to complete this exercise: 23 minutes
Scenario
MillennialGadgets.com has decided to upgrade its NetScaler system to Platinum Edition to take
advantage of the additional features. MillennialGadgets.com has also hired an additional network
administrator for whom an account needs to be created.
Exercise Details
During this exercise, complete the following tasks using either the Configuration Utility or the
command-line interface:
- Enable the following features on the NetScaler system:
- SSL Offload
- Compression
- Load Balancing
- Content Switching
- Content Filtering
Ensure that the Integrated Caching feature is disabled. If Integrated Caching is enabled
before configuration, it caches everything and can affect the expected results for lab
exercises during the course.
- Create a new user account with read-only permissions
- User: testuser
- Password: Password1
- Compare the saved and running configurations. Update the saved configuration with the
current settings.
- Create a backup of the NetScaler configuration.
Exercise 2-2: Step by Step (Configuration Utility)
This exercise provides step-by-step instructions for completing 'Exercise 2-2: Performing Basic
Administration' using the Configuration Utility.
Enabling and Disabling Features
Use the following procedure to enable the required features on the NetScaler system.
1. Launch a web browser window to access the Configuration Utility.
2. Type http://NSIP in the address field and press Enter.
Replace NSIP with the NetScaler IP address (NSIP) for your NetScaler system.
The NetScaler logon page is displayed.
3. Type nsroot in the User Name field.
4. Type nsroot in the Password field.
5. Select Configuration in the Start in field.
6. Click Login.
The Configuration Utility opens.
If a Warning - Security dialog box appears, click Run to run the application.
7. Click Close to close the Setup Wizard, if it appears.
8. Expand the System node.
9. Select Settings in the System node.
10. Click Configure basic features in the Settings node.
The Configure Basic Features dialog box opens.
11. Select the following features:
- SSL Offloading
- Compression
- Load Balancing
- Content Switching
- Content Filtering
12. Verify that Integrated Caching is not selected.
13. Click OK.
14. Click Yes to proceed with enabling or disabling the features.
Creating a New Administrator Account
Use the following procedure to create a new administrator user account.
1. Select Users in the System node of the Configuration Utility.
2. Click Add in the System Users pane.
The Create System User dialog box opens.
3. Type testuser in the User Name field.
4. Type Password1 in the Password field.
5. Re-type Password1 in the Confirm Password field.
6. Select read-only in the Command Policies pane under Active.
7. Click OK.
8. Click Close.
The Create System User dialog box closes.
9. Click Save to save the current configuration and click Logout to log off from the current
session.
10. Log on to the Configuration Utility with the testuser/Password1 credentials.
11. Click Close to close the Setup Wizard, if it appears.
12. Expand the System node.
13. Select Settings in the System node.
14. Click Configure basic features in the Settings node.
The Configure Basic Features dialog box opens.
15. Select a feature to enable and click OK.
16. Click Yes to enable the feature.
17. Verify that the chosen feature cannot be enabled with read-only access and click OK.
18. Click Close.
19. Click Logout to log off from the current session.
Viewing the Running and Saved Configurations
Use the following procedure to view and compare the saved and running configurations.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Click Close to close the Setup Wizard, if it appears.
3. Expand the System node.
4. Select Diagnostics in the System node.
5. Click Saved configuration in the Diagnostics pane.
The Saved Configuration dialog box opens.
6. Review the configuration data and click Close.
The Saved Configuration dialog box closes.
7. Click Running configuration and review the configuration data in the Running Configuration
dialog box.
The Running Configuration dialog box displays.
The running configuration includes the changes made in the previous exercises.
8. Click Close.
The Running Configuration dialog box closes.
9. Click Saved v/s running.
The Information dialog box opens.
This dialog box shows that the settings between the saved configuration and the running
configuration are identical.
10. Click OK.
Performing a Configuration Backup
Use the following procedure to create a backup of the NetScaler configuration.
1. Select Diagnostics in the System node of the Configuration Utility.
2. Click Command line interface in the Diagnostics pane.
The Command Line Interface dialog box opens.
3. Type the following command in the Command field and click Go to enter the NetScaler BSD
shell.
shell
4. Type the following command in the Command field and click Go to create a backup of the
nsconfig directory.
tar cvzf /var/tmp/backup.tgz /flash/nsconfig
This step creates a backup named backup.tgz in the /var/tmp directory.
5. Click Close.
6. Launch WinSCP3 on your desktop to perform a secure copy.
7. Select Session in the left pane.
8. Type NSIP in the Host Name field.
Replace NSIP with the NetScaler IP address (NSIP) for your NetScaler system.
9. Verify that 22 appears in the Port number field.
10. Type nsroot in the User name field.
11. Type nsroot in the Password field.
12. Click Login.
13. Click Yes, if a warning dialog box appears, to continue connecting and adding a host key to
the cache.
14. Double-click the folder in the right pane to navigate up one level from /root.
15. Double-click the var > tmp folder.
16. Drag the backup.tgz file from the right pane to a local folder (the current folder) in the left
pane.
The Copy dialog box opens.
17. Click Copy.
18. Close WinSCP3.
19. Click OK to confirm the termination of the WinSCP3 session.
Exercise 2-2: Step by Step (Command-line Interface)
This exercise provides step-by-step instructions for completing 'Exercise 2-2: Performing Basic
Administration' using the command-line interface.
This section is provided as a reference. It covers the same configurations made using the
Configuration Utility. If you have completed the lab exercises using the Configuration
Utility steps, then you do not need to repeat them using the command-line interface
commands.
Enabling and Disabling Features
Use the following commands to enable and disable features on the NetScaler system.
1. Open the command-line interface (PuTTY) using the NSIP and the nsroot credentials.
Replace NSIP with the NetScaler IP address (NSIP) for your NetScaler system.
2. View the NetScaler features by entering the following command:
show ns feature
3. Enable the NetScaler features by entering the following command:
enable ns feature SSL CMP LB CS CF
This command enables SSL Offload, Compression, Load Balancing, Content Switching and
Content Filtering.
4. Disable the Integrated Caching feature by entering the following command:
disable ns feature IC
Creating a New Administrator Account
Use the following commands to create a new administrator account on the NetScaler system.
1. Create a new system user by entering the following command:
add system user testuser Password1
2. View the available command policies by entering the following command:
show system cmdPolicy
These command policies can be used to control the permissions allowed for delegated
administration.
3. Configure the testuser as a NetScaler User (read-only) by entering the following command:
bind system user testuser read-only 1
4. Save the configuration by entering the following command:
save ns config
5. Log off from the current session by entering the following command:
logout
6. Log on to PuTTY using the NSIP and the testuser/Password1 credentials.
Replace NSIP with the NetScaler IP address (NSIP) for your NetScaler system.
7. Enable a basic feature by entering the following command:
enable ns feature rewrite
8. Verify that the command is not authorized when issued by a user with read-only access.
9. Log off from the current session by entering the following command:
logout
Viewing the Running and Saved Configurations
Use the following commands to view the running and saved configurations.
1. Log on to the command-line interface using the NSIP and the nsroot credentials.
Replace NSIP with the NetScaler IP address (NSIP) for your NetScaler system.
2. View the running configuration by entering the following command:
show ns runningconfig
3. View a summary of the current NetScaler configuration by entering the following command:
show ns config
4. To view the saved configuration, go to the BSD shell by entering the following command:
shell
5. Browse to the nsconfig directory by entering the following command:
cd /nsconfig
6. View the saved configuration in the ns.conf file by entering the following command:
more /nsconfig/ns.conf
This is the current saved configuration. Any changes not saved in this file will be
discarded at restart.
7. Use the down arrow key to view the information, and then exit the BSD shell back to the
command-line interface by entering the following command:
exit
8. Save the running configuration by entering the following command:
save ns config
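The account and saved-versus-running checks in this section can also be made offline against text copies of the two configurations. The following Python code is an added example, not part of the Citrix workbook; it assumes one CLI command per line, and the sample text, the PLACEHOLDER_HASH token, the auditor account and all function names are constructed for illustration.

```python
import shlex

# Constructed sample: saved configuration (ns.conf) taken before the latest changes.
SAVED = """\
# constructed sample, not real appliance output
enable ns feature SSL CMP LB CS CF
add system user testuser PLACEHOLDER_HASH
"""

# Constructed sample: running configuration. "auditor" is a hypothetical second account.
RUNNING = """\
# constructed sample, not real appliance output
enable ns feature SSL CMP LB CS CF
add system user testuser PLACEHOLDER_HASH
add system user auditor PLACEHOLDER_HASH
bind system user testuser read-only 1
"""


def parse_commands(text):
    """Split a configuration into token lists, skipping blank and comment lines."""
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            commands.append(shlex.split(line))
    return commands


def user_policies(text):
    """Map each system user to the (command policy, priority) pairs bound to it."""
    users = {}
    for tokens in parse_commands(text):
        verb = [t.lower() for t in tokens[:3]]
        if verb == ["add", "system", "user"] and len(tokens) >= 4:
            users.setdefault(tokens[3], [])
        elif verb == ["bind", "system", "user"] and len(tokens) >= 6:
            priority = int(tokens[5]) if tokens[5].isdigit() else None
            users.setdefault(tokens[3], []).append((tokens[4], priority))
    return users


def users_without_policy(text):
    """Accounts that exist but have no command policy bound to them."""
    return sorted(user for user, bound in user_policies(text).items() if not bound)


def unsaved_commands(running, saved):
    """Commands in the running configuration that are missing from the saved one."""
    saved_set = {tuple(tokens) for tokens in parse_commands(saved)}
    return [" ".join(t) for t in parse_commands(running) if tuple(t) not in saved_set]


if __name__ == "__main__":
    for user, bound in sorted(user_policies(RUNNING).items()):
        print(user, bound or "NO COMMAND POLICY BOUND")
    print("Discarded at restart unless saved:")
    for command in unsaved_commands(RUNNING, SAVED):
        print("  " + command)
```
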
Performing a Configuration Backup
Use the following commands to create a backup of the NetScaler configuration.
1. Access the BSD shell by entering the following command from the command-line interface:
shell
2. Create a backup of the nsconfig directory and all of its files by entering the following
command:
tar cvzf /var/tmp/backup.tgz /flash/nsconfig
A backup of the nsconfig directory named backup.tgz is created in the /var/tmp directory.
3. Perform a secure copy with WinSCP3 using the NSIP as the Host Name with the nsroot
credentials.
4. Double-click the folder in the right pane to navigate up one level from /root.
5. Double-click the var > tmp folder.
6. Drag the file backup.tgz from the right pane (the current folder) to a local folder in the left
pane.
The Copy dialog box opens.
7. Click Copy.
8. Close WinSCP3.
9. Click OK to confirm the termination of the WinSCP3 session.
10. Exit the FreeBSD shell by entering the following command:
exit
11. Close the command-line interface.
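Once backup.tgz has been copied to the workstation, it can be checked before it is relied on as a backup. The following Python code is an added example, not part of the Citrix workbook: it decompresses the whole archive to catch a truncated transfer, confirms that ns.conf is present and non-empty, and returns a SHA-256 digest for comparison with one taken at the source. The function names and the small stand-in archive are constructed, and the member path flash/nsconfig/ns.conf assumes tar stored the path without its leading slash.

```python
import hashlib
import io
import os
import tarfile
import tempfile
import zlib


def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def read_members(path):
    """Decompress the whole archive and return {member name: size} for regular files."""
    sizes = {}
    with tarfile.open(path, "r:gz") as archive:
        for member in archive:
            if member.isfile():
                # Reading the data forces full decompression of this member.
                sizes[member.name] = len(archive.extractfile(member).read())
    return sizes


def verify_backup(path, expected_sha256=None):
    """Return the archive's SHA-256, or raise ValueError describing what is wrong."""
    actual = sha256_of(path)
    if expected_sha256 is not None and actual != expected_sha256.lower():
        raise ValueError("digest mismatch: the file differs from the source copy")
    try:
        sizes = read_members(path)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        raise ValueError(f"archive is truncated or corrupt: {exc}") from exc
    conf = [name for name in sizes if name.endswith("nsconfig/ns.conf")]
    if not conf:
        raise ValueError("ns.conf is not in the archive")
    if sizes[conf[0]] == 0:
        raise ValueError("ns.conf is empty")
    return actual


def build_demo_backup(directory):
    """Constructed stand-in for backup.tgz so the example runs without an appliance."""
    path = os.path.join(directory, "backup.tgz")
    content = b"# constructed sample\nenable ns feature SSL CMP LB CS CF\n" * 20
    info = tarfile.TarInfo("flash/nsconfig/ns.conf")
    info.size = len(content)
    with tarfile.open(path, "w:gz") as archive:
        archive.addfile(info, io.BytesIO(content))
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as directory:
        backup = build_demo_backup(directory)
        print("members:", read_members(backup))
        print("sha256 :", verify_backup(backup))
```
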
Module 3: Exercises for Networking
Exercise 3-1: Configuring Basic Networking
Overview
This exercise demonstrates the process of connecting the NetScaler system to the internal network
resources using both the Configuration Utility and the command-line interface.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you will need:
- The NetScaler IP (NSIP) address assigned to you.
- The nsroot logon credentials for your system.
- Backend route configuration details include:
- Network IP address
- Netmask
- Gateway IP address
This information can be found in the Student Reference text file located on the desktop.
- Access to the Configuration Utility and the command-line interface:
- Web browser with Java
- PuTTY or alternate SSH client
Estimated time to complete this exercise: 23 minutes
Scenario
MillennialGadgets.com would like to segment the HTTP traffic to their new web servers on a
different VLAN than the existing network.
Exercise Details
During this exercise, complete the following tasks:
- Identify the NetScaler hardware platform.
- Enable an interface to connect to the internal network.
- Add a SNIP to the NetScaler.
- Configure a VLAN:
- Bind the VLAN to the SNIP address.
- Bind the VLAN to the internal interface.
- Add one static route.
- Enable USNIP mode.
Exercise 3-1: Step-by-Step (Configuration Utility)
This exercise provides step-by-step instructions for completing 'Exercise 3-1 Configuring Basic
Networking' using the Configuration Utility.
Identifying the NetScaler Hardware Platform
Use the following procedure to identify the NetScaler hardware platform.
1. Open a web browser and enter the NSIP.
Replace NSIP with the NSIP for your NetScaler system.
2. Select Configuration in the Start in field.
3. Log on to the Configuration Utility using the nsroot credentials.
4. Click Run in the dialog box and then click Close in the Setup Wizard.
5. Select the System node.
6. Note the Platform number in the System Information tab under Hardware Information.
Example: 7000v1
In this example, the NetScaler model is 7000.
Network Interfaces
This table identifies the network interfaces which will be used in this exercise for the NetScaler
7000 hardware.
Interface | Description
1/1 - 1/6 | Fast Ethernet (100 Mbps) interfaces: disconnected and unused.
1/7 | Gigabit Ethernet (1000 Mbps): connected to the front-end network. Enabled by default to allow connection to the NetScaler system from the hosted client. DO NOT DISABLE.
1/8 | Gigabit Ethernet (1000 Mbps): connected to the back-end network. Disabled by default. This interface and the back-end network settings will be configured by the student in this exercise.
Enabling an Internal Network Interface
Use the following procedure to enable an internal network interface in the Configuration Utility.
1. Expand the Network node in the Configuration Utility.
2. Select Interfaces in the Network node.
3. Select Interface 1/8 in the Interfaces pane.
4. Click Enable at the bottom of the screen.
Adding a Subnet IP to the NetScaler
Use the following procedure to add a SNIP to the NetScaler system.
1. Expand the Network node.
2. Select IPs in the Network node.
3. Click Add at the bottom of the screen in the IPs pane.
4. Type SNIP in the IP address field.
Replace SNIP with the SNIP assigned to your system.
5. Type the Netmask address in the Netmask field.
6. Select the following features:
- Subnet IP
- Enable Management Access control to support the below listed applications
Leave all other default settings.
7. Click Create.
8. Click Close.
Adding a VLAN
Use the following procedure to add a VLAN for the back-end network.
1. Expand the Network node.
2. Select VLANs in the Network node.
3. Click Add in the VLANs pane.
4. Type 2 in the VLAN Id field.
5. Select Active next to SNIP in the IPs field to bind VLAN Id 2 to the specified address.
Replace SNIP with the SNIP assigned to your system.
6. Select Active for Interface 1/8 to bind the VLAN to that interface.
7. Click Create.
8. Click Close.
Adding a Static Route
Use the following procedure to add a static route for the back-end network to the NetScaler system.
1. Expand the Network node.
2. Select Routes in the Network node.
3. Click Add in the Routes pane.
4. Type 10.30.0.0 in the Network field.
5. Type 255.255.0.0 in the Netmask field.
6. Type 10.30.0.1 in the Gateway IP field.
Keep the other default settings.
7. Click Create.
8. Type 10.29.0.0 in the Network field.
9. Click Create.
10. Click Close.
Enabling USNIP Mode
Use the following procedure to enable USNIP mode.
1. Expand the System node.
2. Select Settings in the System node.
3. Click Configure modes in the Settings pane.
4. Select Layer 3 Mode (IP Forwarding) and Use Subnet IP.
5. Click OK.
6. Click Yes to enable the mode.
Validating Task Configurations
Use the following procedure to validate the previous exercise tasks.
1. Log on to the command-line interface using the NSIP as the Host Name and the nsroot
credentials.
Replace NSIP with the NSIP for your NetScaler system.
2. Use the IP addresses listed in the Student Reference text file, which is located on the desktop,
to ping the backend resources by entering the following commands:
ping RedIP
ping BlueIP
ping GreenIP
Press Ctrl + C to stop the ping.
Valid results will look similar to the following output:
> ping 10.29.0.90
PING 10.29.0.90 (10.29.0.90): 56 data bytes
64 bytes from 10.29.0.90: icmp_seq=0 ttl=128 time=0.446 ms
64 bytes from 10.29.0.90: icmp_seq=1 ttl=128 time=0.384 ms
64 bytes from 10.29.0.90: icmp_seq=2 ttl=128 time=0.405 ms
64 bytes from 10.29.0.90: icmp_seq=3 ttl=128 time=0.403 ms
^C--- 10.29.0.90 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.384/0.410/0.446/0.023 ms
Done
3. Show the routing table by entering the following command:
show route
4. Using the IP listed in the Student Reference file, ping the Gateway IP address of a resource on
the back-end network by entering the following command:
ping GatewayIP
Valid results will look similar to the following output:
> ping 10.30.0.1
PING 10.30.0.1 (10.30.0.1): 56 data bytes
64 bytes from 10.30.0.1: icmp_seq=0 ttl=255 time=0.959 ms
64 bytes from 10.30.0.1: icmp_seq=1 ttl=255 time=0.412 ms
64 bytes from 10.30.0.1: icmp_seq=2 ttl=255 time=0.430 ms
64 bytes from 10.30.0.1: icmp_seq=3 ttl=255 time=1.721 ms
^C--- 10.30.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.412/0.881/1.721/0.533 ms
Done
5. Save the configuration if the ping is successful by entering the following command:
save config
If the pings do not work, check your configuration settings within the Configuration Utility
and the command-line interface.
Exercise 3-1: Step-by-Step (Command-line Interface)
This section provides step-by-step instructions for completing 'Exercise 3-1: Configuring Basic
Networking' using the command-line interface.
Identifying the NetScaler Product Type
Use the following procedure to identify the NetScaler product type.
1. Log on to the command-line interface (PuTTY) using the NSIP as the Host Name and the
nsroot credentials.
2. Access the BSD shell by entering the following command:
shell
3. Identify the NetScaler hardware platform by entering the following command:
sysctl -a | grep netscaler
The results will be similar to the following information:
debug.netscaler_panic: A
netscaler.developer: 0
netscaler.recovery: 0
netscaler.sysid: 9040030
netscaler.serial: 977723bc61374ba9f34d
netscaler.descr: 7000 v1 6*EZ+2*EM
netscaler.pitbossexitcode: -559039810
In this example, the netscaler.descr identifies the NetScaler platform, which is a 7000 model.
4. Exit the BSD shell by entering the following command:
exit
Configuring the NetScaler Interface
Use the following procedure to configure the NetScaler interface.
1. Enable an interface by entering the following command at the command-line interface:
enable interface 1/8
2. Add a SNIP address to the NetScaler system by entering the following command:
add ns ip SNIP1 netmask -type SNIP -mgmtAccess ENABLED
Replace SNIP1 and netmask with the SNIP address and netmask assigned to your system.
3. Create a back-end VLAN entity by entering the following command:
add vlan 2
4. Bind the VLAN to the interface and the SNIP address by entering the following command:
bind vlan 2 -ifnum 1/8 -IPAddress SNIP1 netmask
Replace SNIP1 and netmask with the SNIP address and netmask assigned to your system.
5. Add the network route for the back-end network by entering the following command:
add route 10.29.0.0 255.255.0.0 10.30.0.1
6. Enable layer 3 mode and USNIP mode by entering the following command:
enable ns mode L3 USNIP
Validating Task Configurations
Use the following procedure to validate the previous exercise tasks.
1. Log on to the command-line interface.
2. Use the IP addresses listed in the Student Reference text file, which is located on the desktop,
to ping the backend resources by entering the following commands:
ping RedIP
ping BlueIP
ping GreenIP
Press Ctrl + C to stop the ping.
Valid results will look similar to the following output:
> ping 10.29.0.90
PING 10.29.0.90 (10.29.0.90): 56 data bytes
64 bytes from 10.29.0.90: icmp_seq=0 ttl=128 time=0.446 ms
64 bytes from 10.29.0.90: icmp_seq=1 ttl=128 time=0.384 ms
64 bytes from 10.29.0.90: icmp_seq=2 ttl=128 time=0.405 ms
64 bytes from 10.29.0.90: icmp_seq=3 ttl=128 time=0.403 ms
^C--- 10.29.0.90 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.384/0.410/0.446/0.023 ms
Done
3. Show the routing table by entering the following command:
show route
4. Using the IP listed in the Student Reference file, ping the Gateway IP address of a resource on
the back-end network by entering the following command:
ping GatewayIP
Valid results look similar to the following output:
> ping 10.30.0.1
PING 10.30.0.1 (10.30.0.1): 56 data bytes
64 bytes from 10.30.0.1: icmp_seq=0 ttl=255 time=0.959 ms
64 bytes from 10.30.0.1: icmp_seq=1 ttl=255 time=0.412 ms
64 bytes from 10.30.0.1: icmp_seq=2 ttl=255 time=0.430 ms
64 bytes from 10.30.0.1: icmp_seq=3 ttl=255 time=1.721 ms
^C--- 10.30.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.412/0.881/1.721/0.533 ms
Done
5. Save the configuration if the ping is successful by entering the following command:
save config
If the pings do not work, check your configuration settings within the Configuration Utility
and the command-line interface.
Module 4
Exercises for Configuring High Availability
Exercise 4-1: Configuring High Availability
Overview
This exercise demonstrates the process of configuring high availability.
Attempt this exercise first on your own before relying on the step-by-step instructions on the
following pages.
Before You Begin
To complete this lab, you will need access to the Configuration Utility or the command-line
interface.
Students will work in pairs for this lab; both NetScaler systems will be configured. Students should
identify which system is NetScaler A and which system is NetScaler B. Each student should identify
the following information for each NetScaler system.
NetScaler A:
- NetScaler IP: NSIPA
- Subnet IP: SNIPA
- nsroot password: nsroot
NetScaler B:
- NetScaler IP: NSIPB
- Subnet IP: SNIPB
- nsroot password: nsroot
Estimated time to complete this exercise: 23 minutes
Scenario
MillennialGadgets.com wants to ensure redundancy in case its primary NetScaler system becomes
unavailable. The company has decided to deploy a secondary system.
Exercise Details
During this exercise, complete the following tasks using either the Configuration Utility or the
command-line interface:
- Save the configuration prior to starting this lab. Do not save the configuration again until the
lab is complete.
- Set the same nsroot password on NetScaler A and on NetScaler B.
- Disable all unused interfaces. Be careful not to disable any active interfaces.
- Turn off high-availability monitoring for all unused interfaces. Turn on high availability
monitoring for all enabled interfaces.
- Configure NetScaler A and NetScaler B in a high-availability pair.
- Test the configuration using the force failover option.
- Remove the high-availability configuration from each system and return the systems to a
standalone configuration.
- Restart the systems to revert back to the last saved configuration (to restore system IP
addresses on the secondary NetScaler).
- All system-owned IP addresses return to their original configuration at the start of this lab.
- Passwords for the nsroot account return to their value at the start of this lab.
Exercise 4-1: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 4-1: Configuring High
Availability' using the Configuration Utility.
Students should only save the NetScaler configuration when indicated by the lab exercises. This step
is added to help ensure a successful return of the systems to a standalone configuration at the end
of this lab.
Configuring NetScaler A and NetScaler B
Use the following procedure to configure NetScaler A and NetScaler B.
1. Open two web browser windows.
2. Designate one system as NetScaler A and one system as NetScaler B.
3. Log on to the Configuration Utility in one browser window using the NSIPA address and the
nsroot credentials. This will be known as NetScaler A.
Replace NSIPA with the NetScaler IP address (NSIP) for your NetScaler system.
4. Log on to the Configuration Utility in the other browser window using the NSIPB address and
the nsroot credentials. This will be known as NetScaler B.
Replace NSIPB with the NetScaler IP address (NSIP) for your partner's NetScaler system.
5. NetScaler A and B: Click the Configuration tab > Applet Client and then click Save on the
upper-right menu bar to save the NetScaler configuration. If a Warning - Security dialog box
appears, click Run to run the application.
This step saves the configuration before proceeding. Do not save the configuration again
during this exercise until instructed to do so.
6. Click Yes to verify the saving of the configuration.
7. NetScaler A and B: Expand the System node.
8. NetScaler A and B: Select Users in the System node.
9. NetScaler A and B: Select the nsroot user account in the right pane.
10. NetScaler A and B: Click Change Password. The Change Password dialog box opens.
11. NetScaler A and B: Type nsroot in the Password and Confirm Password fields.
NetScaler systems that belong to a high-availability pair should have the nsroot accounts
set to the same password. For this lab, use the default password nsroot as specified.
However, in a production environment use a secure password instead of the default value.
12. NetScaler A and B: Click OK.
The Change Password dialog box closes.
13. NetScaler A and B: Expand the Network node.
14. NetScaler A and B: Click Interfaces in the Network node.
15. NetScaler A and B: Confirm that all unused interfaces are disabled. Only disable the interfaces
that are in a DOWN state.
To disable: Select one or more of the target interfaces and click Disable in the interfaces pane.
Do not disable any interfaces in an UP state because these interfaces are in use.
For this exercise, only interfaces 1/1-1/6 should be disabled.
16. NetScaler A and B: Confirm that all active interfaces are enabled.
Interfaces 1/7 and 1/8 should be listed as ENABLED and in an UP state.
17. NetScaler A and B: Enable high availability monitoring (HAMON) on the active interfaces.
To enable: Select the enabled interfaces (1/7 and 1/8) and click Open. Select ON in the HA
Monitoring field and click OK.
18. NetScaler A and B: Disable high-availability monitoring (HAMON) on the disabled interfaces.
To disable: Select the disabled interfaces (1/1 - 1/6) and click Open. Select OFF in the HA
Monitoring field and click OK.
Configuring High Availability on NetScaler A and B
Use the following procedure to configure NetScaler A and B. Slightly different settings are required
on each NetScaler system.
1. NetScaler A and B: Expand the System node.
2. NetScaler A and B: Select High Availability in the System pane.
3. NetScaler A and B: Click Add in the right pane.
The High Availability Setup dialog box opens.
4. NetScaler A: Type NSIPB in the Remote Node IP Address field.
Replace NSIPB with the NetScaler IP address (NSIP) for your partner's NetScaler system.
5. NetScaler B: Type NSIPA in the Remote Node IP Address field.
Replace NSIPA with the NetScaler IP address (NSIP) for your NetScaler system.
6. Disable the Configure remote system to participate in High Availability option.
Using this option will allow you to configure HA from the primary system. This setting is
being disabled in the lab because HA is being configured on both systems.
7. NetScaler A and B: Click OK.
The High Availability Setup dialog box closes.
8. NetScaler A and B: Click Refresh All.
9. NetScaler A and B: Click Yes to verify the refresh.
10. Verify that NSIPA appears on NetScaler B and that NSIPB appears on NetScaler A.
Testing the High-Availability Configuration
Use the following procedure to test the high-availability configuration and to observe failover.
In this exercise, the system that is configured first is the primary system.
1. NetScaler A and B: Expand the Network node.
2. NetScaler A and B: Select IPs in the Network node.
3. Compare the system-owned IP addresses on both NetScaler A and B. Notice which system
retained its original SNIP address and which system configuration is overwritten by the high-
availability configuration.
The system that is configured first will have the primary state (NetScaler A).
4. NetScaler A and B: Expand the System node.
5. NetScaler A and B: Select High Availability in the System node.
6. NetScaler A and B: Click Refresh All on the upper-menu bar.
7. NetScaler A and B: Click Yes to verify the refresh.
8. NetScaler A and B: Verify that the node state on both nodes is UP.
- The Master State of NetScaler A is primary.
- The Master State of NetScaler B is secondary.
9. NetScaler A: Right-click Node ID 1.
10. Click Force Failover.
11. Click Yes to confirm the force failover and then click OK twice.
12. NetScaler A and B: Click Refresh All.
13. NetScaler A and B: Click Yes to verify the refresh.
14. NetScaler A and B: Verify the master state of both nodes.
- The Master State of NetScaler A is now secondary.
- The Master State of NetScaler B is now primary.
15. NetScaler B: Select Node ID 1.
16. Click Force Failover.
17. Click Yes to confirm the force failover and then click OK twice.
18. NetScaler A and B: Click Refresh All.
19. NetScaler A and B: Click Yes to verify the refresh.
20. NetScaler A and B: Verify the master state of both nodes.
- The Master State of NetScaler A is primary again.
- The Master State of NetScaler B is secondary again.
Removing the High-Availability Configuration on NetScaler A and B
Use the following procedure to remove the high-availability configuration for NetScaler A and B.
1. NetScaler A: Expand the System node.
2. NetScaler A: Select High Availability in the System node.
3. NetScaler A: Select Node ID 1 in the right pane.
4. NetScaler A: Click Remove.
5. NetScaler A: Click Yes to confirm the removal when prompted.
6. NetScaler A: Click Yes to remove high availability from the remote system.
Restoring Settings
Use the following procedure to restore the NetScaler systems to their original state at the beginning
of this lab. This procedure is necessary for subsequent lab exercises.
1. NetScaler A and B: Expand the Network node.
2. NetScaler A and B: Select IPs in the Network node and verify that the Subnet IP on both
NetScaler systems is the same.
Although the high-availability node is removed, any shared system IP addresses (such as
the SNIP, MIP or VIPs) are still present on both systems and will result in an IP address
conflict between NetScaler A and B. Therefore, the SNIP on NetScaler B (secondary
NetScaler) must be restored to its original state to avoid an IP address conflict with the
back-end SNIP during later lab exercises. To reset the SNIP address, you will reboot the
NetScaler systems in Step 4 without saving the changes you made to the configuration.
3. NetScaler A and B: Select the System node.
4. NetScaler A and B: Click Reboot.
This step restarts the NetScaler system and completely restores the system to its state prior to
the start of this exercise.
5. NetScaler A and B: Click Yes to verify the restart.
6. NetScaler A and B: Open a web browser window and log on to the Configuration Utility.
7. NetScaler A and B: Expand the Network node.
8. NetScaler A and B: Select IPs in the Network node.
9. NetScaler A and B: Verify the NetScaler IP and Subnet IP Addresses have been restored to
their original values.
Exercise 4-1: Step-by-Step (Command-Line Interface)
This section provides step-by-step instructions for completing 'Exercise 4-1 Configuring High
Availability' using the command-line interface.
This section is provided as a reference. If you have completed the lab exercises using the
Configuration Utility steps, you do not need to repeat them using the command-line
interface commands.
Configuring NetScaler A and NetScaler B
Use the following procedure to prepare the NetScaler systems for the high-availability
configuration.
1. Open a command-line interface window (PuTTY).
2. Log on to NetScaler A using the nsroot credentials.
3. Open another command-line interface window.
4. Log on to NetScaler B using the nsroot credentials.
5. NetScaler A and B: Save the configuration before proceeding by entering the following
command:
save ns config
Do not save the configuration again during this lab until instructed to do so.
6. NetScaler A and B: Set the system password by entering the following command:
set system user nsroot nsroot
NetScaler systems that belong to a high-availability pair should have the nsroot accounts
set to the same password. For this lab use the default password nsroot as specified.
However, in a production environment use a secure password instead of the default value.
7. NetScaler A and B: Identify critical interfaces by entering the following command:
show node
The show node command lists high-availability nodes on the current system only. However, it
also identifies which critical interfaces are in use.
Notice which interfaces are listed as critical interfaces. Do not disable these interfaces.
8. NetScaler A and B: View the interfaces on the system by entering the following command:
show interface
Notice which interfaces are in an UP state versus a DOWN state. Interfaces in an UP state
should correspond to the critical interfaces in the previous step.
9. Disable each unused interface (in a DOWN state) by entering the following command:
disable interface INT
For this lab, replace INT with the appropriate value (1/1 - 1/6).
Do not disable the critical interfaces (1/7 and 1/8) identified above.
10. Enable high-availability monitoring on the appropriate interfaces by entering the following
command:
set interface INT -hamonitor On
Replace INT with the active interface values (1/7 and 1/8).
11. Disable high-availability monitoring on the appropriate interfaces by entering the following
command:
set interface INT -hamonitor Off
Replace INT with the disabled interface values (1/1 - 1/6).
Configuring High Availability on NetScaler A and B
Use the following procedure to configure NetScaler A and NetScaler B as a high availability pair.
1. NetScaler A: Add NetScaler B as a high-availability node on NetScaler A by entering the
following command:
add ha node 2 NSIPB
Replace NSIPB with the NetScaler IP address (NSIP) for NetScaler B.
2. NetScaler B: Add NetScaler A as a high-availability node on NetScaler B by entering the
following command:
add ha node 1 NSIPA
Replace NSIPA with the NetScaler IP address (NSIP) for NetScaler A.
3. NetScaler A and B: Verify the status of the nodes by entering the following command:
show ha node
The Node State should be listed as UP on both nodes.
Testing the High-Availability Configuration
Use the following procedure to test the high-availability configuration.
1. NetScaler A and B: Verify the status of the system IP addresses by entering the following
command:
show ns ip
Note which IP addresses are the same and which are different on each system. Also note which
subnet IPs of the system are preserved and which subnet IPs of the system are overwritten.
2. NetScaler A and B: Verify the status of the nodes by entering the following command:
show ha node
3. Identify which system is primary and which system is secondary.
The system that is configured first is primary (NetScaler A).
4. NetScaler A: Force a failover by entering the following command:
force ha failover
5. NetScaler A: Type y and press Enter to confirm failover.
6. NetScaler A and B: View the node status by entering the following command:
show ha node
NetScaler B becomes primary.
7. Primary NetScaler (NetScaler B): Force a failover by entering the following command:
force ha failover
8. NetScaler B: Type y and press Enter to confirm failover.
9. NetScaler A and B: View the node status by entering the following command:
show ha node
NetScaler A is primary again.
Removing the High-Availability Configuration
Use the following command-line interface commands to remove the high-availability configuration
and to return the NetScaler systems to a standalone configuration.
1. NetScaler A: Remove NetScaler B as a high-availability node by entering the following
command:
rm ha node 2
2. NetScaler B: Remove NetScaler A as a high-availability node by entering the following
command:
rm ha node 1
3. NetScaler A and B: Verify the status of the nodes by entering the following command:
show ha node
Only Node 0 (current system) should be displayed.
4. NetScaler A and B: View the system IP address by entering the following command:
show ns ip
Although the high-availability node is removed, any system IP addresses (such as SNIP,
MIP or VIPs) are still present on both systems and will result in an IP address conflict
between NetScaler A and B. Therefore, the SNIP on NetScaler B (secondary NetScaler)
must be restored to its original state to avoid an IP address conflict with the back-end
SNIP during later lab exercises. To reset the SNIP address, you will reboot the NetScaler
systems without saving changes you made to the configuration.
Restoring Settings
Use the following procedure to restore the NetScaler systems to their original state. This procedure
is necessary for subsequent lab exercises.
1. NetScaler A and B: Restart each NetScaler system by entering the following command:
reboot
Restarting a NetScaler system returns it to the last saved configuration.
2. Type y and press Enter to confirm the restart request when prompted.
The system will take a few moments to revert back to the last saved configuration.
3. NetScaler A and B: Log on to the command-line interface.
4. NetScaler A and B: View the IP addresses by entering the following command:
show ns ip
Verify that both NetScaler systems have their original NSIP and SNIP assigned.
Module 5
Exercises for Securing the NetScaler System
Exercise: Enabling External Authentication
Overview
This configuration uses an LDAP authentication policy that was previously created. Please note that
external authentication for NetScaler system accounts is not required to configure the
authentication server in this exercise. The proper LDAP policies are required. The lab begins with
an exercise to allow NetScaler system authentications to use Active Directory. This exercise
demonstrates the process of configuring external authentication and verifying that external
authentication is properly configured before configuring the authentication virtual server.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you need to have the following information:
Lab Active Directory architecture
Active Directory                    Value
AD Domain Controller                10.29.0.20:389
AD Domain Name: Base DN             DC=Backend,DC=EDULab,DC=Citrix,DC=com
Administrator BindDN                trainADUser@Backend.EDULab.Citrix.com / Password1
LDAP Logon Name (case sensitive)    samAccountName
Groups and User Credentials
Group                   User            Password     Policy
Training_NSAdmins       nstraining      Password1    Superuser
Training_NSOperators    nsinstructor    Password1    Operator
Estimated time to complete this exercise: 13 minutes
Scenario
MillennialGadgets.com has initially configured their NetScaler system accounts for external
authentication. The company needs to test and verify LDAP authentication and group extraction.
Exercise Details
Configure LDAP authentication and group extraction on the NetScaler system:
1. Create local groups on the NetScaler system that correspond to the groups in the directory
service.
2. Bind groups to the command policies.
3. Create the authentication action for LDAP.
4. Create the authentication policy for LDAP.
5. Bind the policy to System Global.
6. Save the NetScaler configuration.
7. Test external authentication.
Exercise 5-1: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 5-1: Enabling External
Authentication' using the Configuration Utility.
Students should only save the NetScaler configuration when indicated by the lab exercises. This step
is added to help ensure a successful return of the systems to a standalone configuration at the end
of this lab.
Enabling LDAP Authentication
Use the following procedure to configure LDAP authentication and group extraction on the
NetScaler system:
1. Open a web browser and log on to the Configuration Utility using the NSIP and the nsroot
credentials.
Replace NSIP with the NSIP for your NetScaler system.
If a Warning - Security dialog box appears, click Run to run the application.
2. Go to System > Groups.
3. Click Add, type Training_NSAdmins in the Group Name field, select nstraining, and click
Add.
Group names must correspond to the group in the directory service and are case sensitive.
4. Select superuser in the Command Policies field to make it active, bind the group to the
command policy, and then click Create.
Notice the Details pane that lists the commands that the selected command policies allow.
5. Type Training_NSOperators in the Group Name field, select nsinstructor, and click
Add.
6. Select nstraining in the Configured Users field and click Remove.
7. Select operator in the Command Policies field, deselect superuser, and then click Create.
8. Click Close to close the Create System Group dialog box.
9. Go to System > Authentication and click the Servers tab.
10. Click Add and type auth_ldap_srv in the Name field.
11. Select LDAP from the Authentication Type field.
12. Type 10.29.0.20 in the IP Address field and verify that 389 is specified as the port number.
13. Type DC=Backend,DC=EDULab,DC=Citrix,DC=com in the Base DN field.
14. Type trainADUser@Backend.EDULab.Citrix.com in the Administrator Bind DN
field.
15. Type Password1 in the Administrator Password and Confirm Administrator Password fields.
16. Verify that samAccountName is specified in the Server Logon Name Attribute field and then
click Create.
17. Click Close to close the Create Authentication Server dialog box.
Refer to the Before you Begin section for these LDAP server details.
18. Go to System > Authentication and click the Policies tab.
19. Click Add and type auth_ldap_policy in the Name field.
20. Select LDAP in the Authentication Type field and verify that auth_ldap_srv is specified in the
Server field.
21. Select True value from the drop-down menu to the left of the Add Expression button and then
click Add Expression.
22. Verify that ns_true appears in the Expression field and click Create.
23. Click Close to close the Create Authentication policy field.
24. Right-click the auth_ldap_policy and then click Global Bindings.
25. Click Insert Policy, select auth_ldap_policy, and then click OK to bind the policy to System
Global.
26. Click Save to save the NetScaler configuration and then click Yes in the Save Config dialog
box.
27. Open a command-line interface and use the NSIP as the Host Name.
Replace NSIP with the NSIP for your NetScaler system.
28. Click Yes in the PuTTY Security Alert dialog box, if one appears.
29. Log on using the trainNSAdmin, Password1 credentials.
30. Type add server testsrv 10.29.0.90 and press Enter. The trainNSAdmin was allowed
to add the server because of the superuser command policy.
31. Close the command-line interface.
32. Open a command-line interface and use the NSIP as the Host Name.
33. Log on using the trainNSOperator, Password1 credentials.
34. Type disable server testsrv and press Enter. The trainNSOperator was allowed to
disable the server because of the operator command policy.
35. Close the command-line interface.
36. Open a command-line interface and use the NSIP as the Host Name.
Replace NSIP with the NSIP for your NetScaler system.
37. Log on using the trainADUser, Password1 credentials.
38. Type show server testsrv and press Enter. The trainADUser was not allowed to show
details about the testsrv server.
The trainADUser can log in successfully but is unable to run any command because the
account is not a member of the designated groups. Attempting to execute commands returns a
not authorized message. This behavior is the same as logging into the command-line interface
with a local NetScaler account with no bound command policies.
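The following Python model is an added illustration of the behavior tested in steps 27 to 38, not code from the workbook or from Citrix: groups are extracted from the directory entry, matched case-sensitively against the local groups, and the command policies bound to those groups decide each command. The memberOf values, the caseMismatchUser account, the 10.29.0.91 address, and the simplified operator command spec are assumptions constructed for the example.

```python
import re

# Local groups from the exercise and the command policy bound to each.
# Names are compared exactly: the exercise notes that they are case sensitive.
LOCAL_GROUP_POLICIES = {
    "Training_NSAdmins": ["superuser"],
    "Training_NSOperators": ["operator"],
}

# policy name -> (priority, action, command regex).
# Assumption: simplified stand-ins for the built-in policies, wide enough to
# cover the commands used in the exercise. The lower priority number wins.
COMMAND_POLICIES = {
    "superuser": (1, "ALLOW", r".*"),
    "operator": (2, "ALLOW",
                 r"(show|stat)\b.*|(enable|disable)\s+(server|service)\b.*"),
}

# Constructed directory entries (memberOf values are invented for this example).
BASE = "DC=Backend,DC=EDULab,DC=Citrix,DC=com"
DIRECTORY = {
    "trainNSAdmin": ["CN=Training_NSAdmins,OU=Groups," + BASE],
    "trainNSOperator": ["CN=Training_NSOperators,OU=Groups," + BASE],
    "trainADUser": ["CN=Domain Users,CN=Users," + BASE],
    # Same group, wrong case: extraction succeeds, the local match does not.
    "caseMismatchUser": ["CN=training_nsadmins,OU=Groups," + BASE],
}

CN_RDN = re.compile(r"^\s*CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def extract_groups(member_of):
    """Return the CN of each memberOf DN, in order, with DN escapes removed."""
    groups = []
    for dn in member_of:
        match = CN_RDN.match(dn)
        if match:
            groups.append(re.sub(r"\\(.)", r"\1", match.group(1)).strip())
    return groups


def effective_policies(groups):
    """Command policies inherited through groups that exist locally."""
    names = set()
    for group in groups:
        # Exact dictionary lookup, so the comparison is case sensitive.
        names.update(LOCAL_GROUP_POLICIES.get(group, []))
    return sorted(names, key=lambda name: COMMAND_POLICIES[name][0])


def authorize(username, command, directory=DIRECTORY):
    """True if the first matching policy allows the command; default is deny."""
    groups = extract_groups(directory.get(username, []))
    for name in effective_policies(groups):
        _priority, action, spec = COMMAND_POLICIES[name]
        if re.fullmatch(spec, command.strip()):
            return action == "ALLOW"
    return False  # no bound policy matched: "not authorized"


if __name__ == "__main__":
    for user, cmd in [
        ("trainNSAdmin", "add server testsrv 10.29.0.90"),
        ("trainNSOperator", "disable server testsrv"),
        ("trainNSOperator", "add server web2 10.29.0.91"),
        ("trainADUser", "show server testsrv"),
        ("caseMismatchUser", "show server testsrv"),
    ]:
        verdict = "allowed" if authorize(user, cmd) else "not authorized"
        print(f"{user:17} {cmd:32} {verdict}")
```

The last two accounts authenticate but inherit no command policy, so every command falls through to the default deny.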
Module 6
Exercises for Configuring Load Balancing
Exercise 6-1: Configuring Load Balancing
Overview
This exercise demonstrates the process for creating servers, services, and load-balancing virtual
servers. Steps for configuring load balancing using both the Configuration Utility and the
command-line interface are provided.
Attempt this exercise on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you will need:
- Access to the Configuration Utility or the command-line interface.
- IP addresses for the Red (RedIP), Blue (BlueIP), and Green (GreenIP) web servers.
This information can be found in the Student Reference text file located on the desktop.
- The IP address to configure a virtual IP address for a load-balancing virtual server (VIP1).
Replace VIP1 with the first VIP assigned to your system.
Estimated time to complete: 20 minutes
Scenario
MillennialGadgets.com needs to configure load balancing on the NetScaler system so that it can
replace its legacy layer-4 load balancer.
The goals of this exercise are to:
- Create three servers.
- Create three HTTP services.
- Create a load-balancing virtual server, using the round robin load-balancing method.
- Bind the virtual server to the three HTTP services.
- Verify that load balancing is occurring.
Although the default load-balancing method is least connections, round-robin allows for
easier verification that load balancing is occurring in the lab environment.
Exercise Details
Complete the following tasks:
- Create the following three server entities on the NetScaler system for the Red, Blue, and Green
Web servers:
- srv_red
- srv_blue
- srv_green
- Create the following three services on the NetScaler system for the Red, Blue, and Green Web
servers, specifying HTTP as the service type and 80 as the port:
- svc_red
- svc_blue
- svc_green
- Create a load-balancing virtual server (lb_vsrv_rbg) that load balances the Red, Blue, and
Green Web servers.
Testing the Configuration
After you have created the load-balancing virtual server, perform the following tasks:
- Test the configuration using the http://VIP1/home.php web site. Each Red, Blue, and Green
Web server hosts multiple sites.
Replace VIP1 with the first VIP assigned to your system.
- Configure the load-balancing virtual server to use round-robin as the load-balancing method.
Test the configuration and ensure that content is being delivered from the Red, Blue, and
Green Web servers.
- Modify the load-balancing virtual server to use cookie-based persistence. Test the configuration
to ensure that persistence has taken effect and that content is being delivered from the same
server (until the cookie expires).
- Reset the persistence method to NONE upon completion of testing.
Exercise 6-1: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 6-1: Configuring Load
Balancing' using the Configuration Utility.
Creating Servers
Use the following procedure to create three servers.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Expand the Load Balancing node.
3. Click the Servers node.
4. Click Add in the Servers pane.
The Create Server dialog box opens.
5. Type srv_red in the Server Name field.
6. Type RedIP in the IP Address/Domain Name field.
Replace RedIP with the IP address of the Red Server.
7. Click Create.
8. Type srv_blue in the Server Name field.
9. Type BlueIP in the IP Address/Domain Name field.
Replace BlueIP with the IP address of the Blue Server.
10. Click Create.
11. Type srv_green in the Server Name field.
12. Type GreenIP in the IP Address/Domain Name field.
Replace GreenIP with the IP address of the Green Server.
13. Click Create.
14. Click Close.
The Create Server dialog box closes.
Creating Services
Use the following procedure to create services.
1. Click Services in the Load Balancing node.
2. Click Add in the Services pane.
The Create Service dialog box opens.
3. Type svc_red in the Service Name field.
4. Select srv_red from the Server list.
5. Select HTTP from the Protocol list (default value).
6. Type 80 in the Port field.
7. Click Create.
8. Type svc_blue in the Service Name field.
9. Select srv_blue from the Server list.
10. Select HTTP from the Protocol drop-down list.
11. Type 80 in the Port field.
12. Click Create.
13. Type svc_green in the Service Name field.
14. Select srv_green from the Server field.
15. Select HTTP from the Protocol drop-down list.
16. Type 80 in the Port field.
17. Click Create.
18. Click Close.
The Create Service dialog box closes.
19. Verify all services display the state listed as UP in the Services pane.
Creating Load-Balancing Virtual Servers
Use the following procedure to add a virtual server.
1. Click Virtual Servers in the Load Balancing node.
2. Click Add in the Load Balancing Virtual Servers pane.
The Create Virtual Server (Load Balancing) dialog box opens.
3. Type lb_vsrv_rbg in the Name field.
4. Type VIP1 in the IP Address field.
Replace VIP1 with the first VIP address assigned to your system.
5. Select HTTP from the Protocol drop-down list.
6. Type 80 in the Port field.
7. Check the Active box for the following services on the Services tab:
- svc_red
- svc_blue
- svc_green
This action binds the selected services to the LB virtual server.
8. Select the Method and Persistence tab.
9. Select Round Robin from the LB Method drop-down list.
10. Click Create.
11. Click Close.
The Create Virtual Server (Load Balancing) dialog box closes.
12. Verify that the load-balancing virtual server lb_vsrv_rbg state is displayed as UP.
13. Click Save to save the NetScaler configuration.
14. Click Yes to confirm.
Testing Load Balancing
Use the following procedure to test the load balancing configuration.
1. Launch a Web browser.
2. Type http://VIP1/home.php in the address bar and press Enter.
Replace VIP1 with the first VIP address assigned to your system.
3. Refresh the browser several times to verify load-balancing activity.
With the round-robin method specified, the page should refresh and rotate through the Red,
Blue, and Green home pages.
4. Select Virtual Servers in the Load Balancing node in the Configuration Utility.
5. Select lb_vsrv_rbg.
6. Click Open.
7. Select the Method and Persistence tab.
8. Select COOKIEINSERT from the Persistence drop-down list.
Time-out and version settings are left as the default values.
9. Click OK.
10. Refresh the Web browser several times to verify the effects of load balancing with persistence.
With cookie persistence enabled, you are directed to the same page each time until the cookie
expires; the page does not load-balance to each available server.
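The two results observed in this test can be reproduced with a small Python model, added here as an illustration and not taken from the workbook or from NetScaler code. It goes slightly beyond the lab by also covering cookie expiry and a persisted service that goes DOWN; the cookie name, the timeout value, and the cookie format are assumptions, and the real appliance uses its own cookie name and encoding.

```python
COOKIE = "lab_persist"  # assumed cookie name for this model only


class LBVirtualServer:
    """Round-robin virtual server with optional cookie-insert persistence."""

    def __init__(self, name, services, persistence="NONE", timeout=120):
        self.name = name
        self.services = list(services)            # bound services, in bind order
        self.state = {svc: "UP" for svc in self.services}
        self.persistence = persistence            # "NONE" or "COOKIEINSERT"
        self.timeout = timeout                    # seconds; assumed value
        self.cursor = 0                           # next round-robin position

    def round_robin(self):
        """Return the next service in rotation, skipping services that are DOWN."""
        for _ in range(len(self.services)):
            svc = self.services[self.cursor % len(self.services)]
            self.cursor += 1
            if self.state[svc] == "UP":
                return svc
        raise RuntimeError("no bound service is UP")

    def handle(self, cookies, now):
        """Pick a service for one request.

        Returns (service, cookies_to_set). A persistence cookie is honored only
        while it is unexpired and the service it names is still UP.
        """
        if self.persistence == "COOKIEINSERT":
            entry = cookies.get(COOKIE)
            if entry:
                svc, expires = entry
                if now < expires and self.state.get(svc) == "UP":
                    return svc, {}
            svc = self.round_robin()
            return svc, {COOKIE: (svc, now + self.timeout)}
        return self.round_robin(), {}


def lab_vserver(persistence="NONE", timeout=120):
    """The virtual server built in this exercise, bound to the three services."""
    return LBVirtualServer(
        "lb_vsrv_rbg", ["svc_red", "svc_blue", "svc_green"], persistence, timeout
    )


def browse(vserver, refreshes, step=1, jar=None):
    """Simulate one browser refreshing the page every `step` seconds.

    `jar` is the browser's cookie store; pass the same dict again to continue
    a session. Returns the service that answered each refresh.
    """
    jar = {} if jar is None else jar
    served = []
    for i in range(refreshes):
        svc, set_cookies = vserver.handle(jar, now=i * step)
        jar.update(set_cookies)
        served.append(svc)
    return served


if __name__ == "__main__":
    print("NONE:        ", browse(lab_vserver(), 6))
    print("COOKIEINSERT:", browse(lab_vserver("COOKIEINSERT"), 6, step=10))
    print("with expiry: ", browse(lab_vserver("COOKIEINSERT"), 4, step=70))
```

A second browser with an empty cookie jar is still load-balanced normally, which is why persistence has to be tested from a single browser session.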
Resetting Persistence to None
Use the following procedure to reset the persistence setting for later exercises.
1. Click Virtual Servers in the Load Balancing node.
2. Select lb_vsrv_rbg in the Load Balancing Virtual Servers pane.
3. Click Open.
4. Select the Method and Persistence tab.
5. Select NONE from the Persistence drop-down list.
Time-out and version settings are left as the default values.
6. Click OK.
7. Select Save to save the NetScaler configuration.
8. Click Yes to confirm.
Exercise 6-1: Step-by-Step (Command-Line Interface)
This section provides step-by-step instructions for completing 'Exercise 6-1: Configuring Load
Balancing' using the command-line interface.
This section is provided as a reference. If you have completed the exercises using the
Configuration Utility steps, you do not need to repeat them using the command-line
interface commands.
Procedure for Configuring Servers, Services, and Virtual Servers
Use the procedure in the following table to configure servers, services and load-balancing virtual
servers using the command-line interface.
1. Log on to the command-line interface (PuTTY) using the nsroot credentials.
2. Create Red, Blue, and Green servers by entering the following commands:
add server srv_red RedIP
add server srv_blue BlueIP
add server srv_green GreenIP
Replace RedIP, BlueIP, and GreenIP with the corresponding IP address from the Student
Reference file.
3. Create HTTP services for Red, Blue, and Green servers by entering the following commands:
add service svc_red srv_red HTTP 80
add service svc_blue srv_blue HTTP 80
add service svc_green srv_green HTTP 80
4. Create the load-balancing virtual server by entering the following command:
add lb vserver lb_vsrv_rbg HTTP VIP1 80 -lbmethod ROUNDROBIN
Replace VIP1 with the first VIP address assigned to your system.
5. Bind the services to the load-balancing virtual server by entering the following commands:
bind lb vserver lb_vsrv_rbg svc_red
bind lb vserver lb_vsrv_rbg svc_blue
bind lb vserver lb_vsrv_rbg svc_green
Testing Load Balancing
Use the following procedure to test load balancing using the command-line interface.
1. Launch a Web browser.
2. Type http://VIP1/home.php and press Enter.
Replace VIP1 with the first VIP address assigned to your system.
3. Refresh the page multiple times and observe the results. Pages should switch between the Red,
Blue, and Green servers in a round-robin fashion.
4. Set persistence for the existing load-balancing virtual server to COOKIEINSERT by entering
the following command:
set lb vserver lb_vsrv_rbg -persistenceType COOKIEINSERT
5. Close the Web browser and open a new instance.
6. Type http://VIP1/home.php and press Enter.
Replace VIP1 with the first VIP address assigned to your system.
7. Refresh the browser several times to verify the effects of load balancing with persistence.
With cookie persistence enabled, you are directed to the same page each time until the cookie
expires; the page does not load balance to each available server.
8. Set persistence for the existing load balancing virtual server to NONE by entering the following
command:
set lb vserver lb_vsrv_rbg -persistenceType NONE
9. Save the configuration by entering the following command:
save ns config
Exercise 6-2: Configuring a Load-Balancing HTTP-ECV Monitor
Overview
This lab demonstrates the process for creating and testing a load-balancing HTTP-ECV monitor.
The steps for configuring and testing an HTTP-ECV using the Configuration Utility or command-
line interface are provided.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this lab, you will need:
- Access to the Configuration Utility or the command-line interface
- Your nsroot/nsroot log on credentials
Estimated time to complete this lab: 20 minutes
Scenario
MillennialGadgets.com wants to monitor the status of a specific HTTP service bound to a load-
balancing virtual server. This monitoring will help the company determine the health of load-
balanced servers in preparation for unexpected changes in traffic volumes.
Exercise Details
During this exercise, complete the following tasks using either the Configuration Utility or the
command-line interface:
- Create a load-balancing HTTP-ECV monitor that monitors requests to the home.php page of
the Red server. The monitor verifies that the service (web page) is available by making sure that
the page content includes a specific string ('serverinfo').
- Bind the load balancing HTTP-ECV monitor to the svc_red service.
- Test the monitor.
- Test the load balancing HTTP-ECV monitor.
- Display the monitor status.
- Display the service status.
- Test the configuration with a failed HTTP-ECV monitor, by configuring the monitor to
look for an invalid string such as 'bad string'.
- Clear the cache for the web browser.
- Test the configuration in a web browser to verify the web site does not load.
- Display the monitor status and verify it is DOWN.
- Display the service status and verify it is DOWN.
- Unbind the load balancing HTTP-ECV monitor from the svc_red service.
Exercise 6-2: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 6-2: Configuring a Load-
Balancing HTTP-ECV Monitor' using the Configuration Utility.
Creating a Load-Balancing HTTP-ECV Monitor
Use the following procedure to create a load-balancing HTTP-ECV monitor in the Configuration
Utility.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Expand the Load Balancing node.
3. Select the Monitors node.
4. Click Add.
The Create Monitor dialog box opens.
5. Type mon_RBG_HTTPECV in the Name field.
6. Select HTTP-ECV in the Type drop-down list.
7. Click the Special Parameters tab.
8. Type GET /home.php in the Send String field under the Special Parameters section.
9. Type serverinfo in the Receive String field under the Special Parameters section.
The Receive field takes a string value and should be set to a string or phrase which appears on
the Web site, anywhere in the first 24 KB of the response. String matches are case sensitive.
10. Select the Standard Parameters tab.
11. Set Down Time to 3 seconds.
12. Click Create.
The mon_RBG_HTTPECV monitor is created.
13. Click Close.
The Create Monitor dialog box closes.
14. Select Services in the Load Balancing node.
15. Select the svc_red service.
16. Click Open.
The Configure Services dialog box opens.
17. Select mon_RBG_HTTPECV at the bottom of the available Monitors list.
18. Click Add.
19. Click OK.
The Configure Services dialog box closes.
Testing the Load-Balancing HTTP-ECV Monitor
Use the following procedure to test the load balancing HTTP-ECV monitor in the Configuration
Utility.
1. Type the following text in a web browser and press Enter.
http://VIP1/home.php
Replace VIP1 with the first VIP address assigned to your system.
The monitor reports the service is UP. As a result the page load-balances between the red,
blue, and green servers.
2. Return to the Configuration Utility. View the Monitors section in the Load Balancing node.
Verify that the mon_RBG_HTTPECV monitor is in an enabled state.
The monitor reports the service is UP. As a result the page load-balances between the
Red, Blue, and Green servers.
3. Click Services under the Load Balancing node.
Verify that the svc_red service is up.
4. Click Monitors in the Load Balancing node.
5. Select the mon_RBG_HTTPECV monitor.
6. Click Open.
The Configure Monitor dialog box opens.
7. Select the Special Parameters tab.
8. Type bad string in the Receive String field under Special Parameters.
For this step, set the receive parameter to a string not found on the page. This step creates a
failed status. Any string not found on the page could be used.
9. Click OK.
The Configure Monitor dialog box closes.
10. Clear the cache before the next test to avoid issues with the browser caching the server
response. Close additional instances if more than one browser window is open.
Firefox:
a. Open a new Firefox instance, not just a new tab.
b. Click Tools > Clear Private Data. The Clear Private Data dialog box appears.
Internet Explorer (prevent caching):
a. Open a new Internet Explorer instance.
b. Click Tools > Internet Options. The Internet Options dialog box opens.
c. Click Settings in the General tab under Browsing history. The Temporary Internet Files
and History Settings dialog box opens.
d. Select Every time I visit the webpage under the text Check for newer versions of stored
pages.
e. Click OK.
f. Click OK.
Internet Explorer (clear cache):
a. Click Tools > Internet Options.
b. In the General tab, under Browsing history, click Delete.
c. Click Delete files next to Temporary Internet Files.
d. Click Close.
e. Click OK.
11. Type the following text in a web browser and press Enter to repeat the test.
http://VIP1/home.php
Replace VIP1 with the first VIP address assigned to your system.
The monitor should report the service is DOWN. As a result the page will not load
balance to the Red server. Content from the Blue and Green servers will be displayed.
12. Go back to the Configuration Utility and view the Services node in the Load Balancing node.
13. Click REFRESH ALL in the Services pane.
14. Verify that the state of svc_red is DOWN.
15. Select svc_red and click OPEN.
16. Select mon_RBG_HTTPECV in the Configured list on the Monitors tab and view the monitor
status.
The monitor details display the response status 'Failure - Pattern not found in response'.
17. Select the mon_RBG_HTTPECV monitor and click Remove to remove the custom monitor
from svc_red.
18. Select the TCP monitor and click Add.
19. Click OK.
Verify that the svc_red returns to an UP state.
Exercise 6-2: Step-by-Step (Command-Line Interface)
This section provides step-by-step instructions for completing 'Exercise 6-2: Configuring a Load-
Balancing HTTP-ECV Monitor' using the command-line interface.
Creating a Load-Balancing HTTP-ECV Monitor
Use the following procedure to create a load-balancing HTTP-ECV monitor in the command-line
interface.
1. Log on to the command-line interface (PuTTY) using the nsroot credentials.
2. Create a load-balancing HTTP-ECV monitor by entering the following command:
add lb monitor mon_RBG_HTTPECV HTTP-ECV -send "GET /home.php" -recv serverinfo -interval 5 SEC -downTime 5 SEC
The receive parameter (-recv) takes a string value and should be set to a string or phrase which
appears on the website, anywhere in the first 24 KB of the response. For this exercise, specify
'serverinfo'. Other valid strings include:
- 'Viewing this page'
- 'this page indicates'
String matches are case sensitive.
3. Bind the load-balancing HTTP-ECV monitor by entering the following command:
bind lb monitor mon_RBG_HTTPECV svc_red
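The content check that this monitor performs can be reproduced outside the appliance when troubleshooting a service that reports 'Pattern not found in response'. The following is an added example, not Citrix code: the local test server, its page content, the /late.php path, the HTTP/1.0 request line, and the choice to count headers toward the 24 KB window are all assumptions made for the demonstration.

```python
"""Added example: an HTTP-ECV-style content check against a local test backend."""
import http.server
import socket
import threading

ECV_WINDOW = 24 * 1024  # workbook: the string must appear in the first 24 KB

# Constructed stand-in for the Red server's home.php (not the lab's real page).
PAGE = (b"<html><body><h1>Red</h1>"
        b"<div id='serverinfo'>Viewing this page</div></body></html>")


class _Handler(http.server.BaseHTTPRequestHandler):
    # /late.php is a constructed page whose marker sits past the 24 KB window.
    pages = {"/home.php": PAGE,
             "/late.php": b"x" * ECV_WINDOW + b"serverinfo"}

    def do_GET(self):
        body = self.pages.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_backend():
    """Start the constructed backend on a free loopback port."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def ecv_probe(host, port, send, recv, timeout=2.0):
    """Send the monitor's send string and search the first 24 KB for recv.

    Returns (state, detail). The match is a plain, case-sensitive byte search,
    as the workbook describes. The 'probe error' detail is this script's own
    wording, not an appliance status string.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # Assumption: the send string is completed into an HTTP/1.0 request.
            sock.sendall(send.encode() + b" HTTP/1.0\r\n\r\n")
            data = b""
            while len(data) < ECV_WINDOW:
                chunk = sock.recv(ECV_WINDOW - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return "DOWN", f"probe error: {exc}"
    if recv.encode() in data:
        return "UP", "Success - Pattern found in response"
    return "DOWN", "Failure - Pattern not found in response"


if __name__ == "__main__":
    backend = start_backend()
    port = backend.server_address[1]
    checks = [("GET /home.php", "serverinfo"),   # string used in the exercise
              ("GET /home.php", "bad string"),   # forced failure from the exercise
              ("GET /home.php", "ServerInfo"),   # wrong case: no match
              ("GET /late.php", "serverinfo")]   # marker beyond the 24 KB window
    for send, recv in checks:
        print(send, repr(recv), "->", ecv_probe("127.0.0.1", port, send, recv))
    backend.shutdown()
```

A marker placed near the bottom of a large page, or typed with different capitalization, marks a healthy service DOWN, so choose a receive string that appears early in the response and copy it exactly.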
Testing the Load-Balancing HTTP-ECV Monitor
1. Type the following text in a web browser and press Enter.
http://VIP1/home.php
Replace VIP1 with the first VIP address assigned to your system.
The monitor reports the service is UP. As a result the page load-balances between the
RED, BLUE, and GREEN servers.
2. Display the monitor status by entering the following command:
show lb monitor mon_RBG_HTTPECV
3. Display the service status by entering the following command:
show service svc_red
The monitor details display the response status 'Success - Pattern found in response'.
4. Change the monitor string to an invalid string by entering the following command:
set lb monitor mon_RBG_HTTPECV HTTP-ECV -recv "bad string"
For this step, set the receive parameter (-recv) to a string not found on the page; this creates a
failed status. Any string not found on the page could be used.
5. Clear the cache before the next test to avoid issues with the browser caching the server
response. Close additional instances if more than one browser window is open.
Firefox:
a. Open a new Firefox instance, not just a new tab.
b. Click Tools > Clear Private Data.
Internet Explorer (prevent caching):
a. Open a new Internet Explorer instance.
b. Click Tools > Internet Options. The Internet Options dialog box opens.
c. Click Settings in the General tab under Browsing history. The Temporary Internet Files
and History Settings dialog box opens.
d. Select Every time I visit the webpage under the text Check for newer versions of stored
pages.
e. Click OK.
f. Click OK.
Internet Explorer (clear cache):
a. Click Tools > Internet Options.
b. In the General tab, under Browsing history, click Delete.
c. Click Delete files next to Temporary Internet Files. The Delete Files dialog box opens.
d. Click Yes.
e. Click Close.
f. Click OK.
6. Type the following text in a web browser and press Enter to repeat the test.
http://VIP1/home.php
Replace VIP1 with the first VIP address assigned to your system.
The RED server home.php page will not load while the monitor reports the service as
DOWN.
7. Display the monitor status by entering the following command:
show lb monitor mon_RBG_HTTPECV
8. Display the service status by entering the following command:
show service svc_red
The state shows as DOWN.
9. Unbind the load-balancing HTTP-ECV monitor from the svc_red service by entering the following command:
unbind lb monitor mon_RBG_HTTPECV svc_red
10. Verify svc_red is now bound to the tcp-default monitor by entering the following command:
sh service svc_red
Exercise 6-3: Configuring RADIUS Load Balancing
Overview
This lab demonstrates the process for creating servers, services, and a load-balancing virtual server
for RADIUS Protocol. The steps for configuring load balancing using the Configuration Utility are
provided.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this lab, you will need:
- Access to the Configuration Utility
- Your nsroot/nsroot log on credentials
- IP addresses for the Radius servers:
- RedIP
- BlueIP
- GreenIP
This information can be found in the Student Reference text file located on the desktop.
RADIUS is running on the colors web servers used during the other exercises.
- The IP address for the load balancing virtual server: VIP1
Replace VIP1 with the first VIP assigned to your system.
You can reuse the same VIP for multiple virtual servers as long as you use different port
information.
Estimated time to complete this lab: 13 minutes
Scenario
MillennialGadgets.com is considering a RADIUS implementation in conjunction with their current
NetScaler system. The company needs to determine how to configure load-balancing servers and
services for RADIUS protocol.
Exercise Details
In this exercise, you will configure RADIUS load balancing service groups on the NetScaler system.
Complete the following tasks using the Configuration Utility or command-line interface:
- Configure the following service groups:
- radius_rbg_auth on port 1812 using srv_red, srv_blue, and srv_green as servers
- radius_rbg_acct on port 1813 using srv_red, srv_blue, and srv_green as servers
- Create two new load balancing virtual servers pointing to the radius_rbg_auth and
radius_rbg_acct service groups using the virtual IP address: VIP1
Replace VIP1 with the first VIP assigned to your system.
- Test RADIUS authentication.
Exercise 6-3: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 6-3: Configuring RADIUS
Load Balancing' using the Configuration Utility.
Creating RADIUS Service Groups
Use the following procedure to configure RADIUS service groups.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Expand the Load Balancing node.
3. Select Service Groups.
4. Click Add.
The Create Service Group dialog box opens.
5. Type radius_rbg_auth in the Service Group Name field.
6. Select RADIUS from the Protocol drop-down list.
7. Type 1812 in the Port field.
8. Click Server Based and add the srv_red, srv_blue, and srv_green servers to the Configured
Members list.
9. Select the Monitors tab and add the ping monitor to the Configured Monitors list.
10. Click Create.
The service group appears in the list.
11. Click Close.
The Create Service Group dialog box closes.
12. Click Add.
The Create Service Group dialog box opens.
13. Type radius_rbg_acct in the Service Group Name field.
14. Select RADIUS from the Protocol drop-down list.
15. Type 1813 in the Port field.
16. Select Server Based and add the srv_red, srv_blue, and srv_green servers to the Configured
Member list.
17. Select the Monitors tab and add the ping monitor to the Configured Monitors list.
18. Click Create.
The service group appears in the list.
19. Click Close.
The Create Service Group dialog box closes.
20. Verify that both groups are ENABLED and UP.
Creating RADIUS Load-Balancing Virtual Servers
Use the following procedure to create RADIUS load-balancing virtual servers.
1. Select Virtual Servers in the expanded Load Balancing node.
2. Click Add.
The Create Virtual Server (Load Balancing) dialog box opens.
3. Type lb_vsrv_radius_auth in the Name field.
4. Type VIP1 in the IP Address field.
Replace VIP1 with the first VIP assigned to your system.
5. Select RADIUS from the Protocol drop-down list.
6. Type 1812 in the Port field.
7. Select the Service Groups tab and select Active next to the radius_rbg_auth service group to
bind it to the virtual server.
8. Click the Method and Persistence tab, select Token from the LB Method drop-down list, and
set Rule to CLIENT.UDP.RADIUS.USERNAME.
9. Set the Persistence drop-down list to Rule and configure the same rule:
CLIENT.UDP.RADIUS.USERNAME.
10. Click Create.
11. Type lb_vsrv_radius_acct in the Name field.
12. Select RADIUS from the Protocol drop-down list.
13. Type 1813 in the Port field.
14. Select the Service Groups tab and select Active next to the radius_rbg_acct service group to
bind it to the virtual server.
15. Deselect radius_rbg_auth.
16. Click Create.
17. Click Close.
The Create Virtual Server (Load Balancing) dialog box closes.
18. Verify that the Radius authentication and accounting virtual servers are up.
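The rule CLIENT.UDP.RADIUS.USERNAME keys both the Token method and the Rule persistence on the User-Name attribute of each RADIUS request. The following added example (not NetScaler code) parses that attribute from a constructed Access-Request and shows why requests for one user keep reaching the same member. The CRC32 token hash, the session table, and the TokenVserver class are assumptions for illustration; the appliance's own hash is not described in this workbook.

```python
"""Added example: token load balancing and rule persistence keyed on User-Name."""
import struct
import zlib

USER_NAME = 1        # RADIUS attribute type 1, User-Name (RFC 2865)
NAS_IP_ADDRESS = 4   # RADIUS attribute type 4, NAS-IP-Address (RFC 2865)
ACCESS_REQUEST = 1   # RADIUS packet code 1
HEADER_LEN = 20      # code, identifier, length, 16-byte authenticator


def build_request(ident, attributes, code=ACCESS_REQUEST):
    """Build a constructed RADIUS packet from (type, value-bytes) pairs."""
    body = b"".join(bytes([atype, len(value) + 2]) + value
                    for atype, value in attributes)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return header + bytes(16) + body  # zeroed authenticator: demo only


def radius_username(packet):
    """Return the User-Name value, or None when the attribute is absent."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match the datagram")
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == USER_NAME:
            return packet[pos + 2:pos + alen].decode("utf-8", "replace")
        pos += alen
    return None


class TokenVserver:
    """Hypothetical model of a virtual server using a User-Name token rule."""

    def __init__(self, members):
        self.members = list(members)
        self.up = set(members)   # members whose monitor currently passes
        self.sessions = {}       # persistence table: username -> member

    def _by_token(self, token):
        candidates = [m for m in self.members if m in self.up]
        if not candidates:
            raise RuntimeError("no member is UP")
        # Assumption: CRC32 stands in for the appliance's token hash.
        return candidates[zlib.crc32(token.encode()) % len(candidates)]

    def route(self, packet):
        user = radius_username(packet)
        if user is None:
            raise ValueError("no User-Name attribute to evaluate the rule on")
        member = self.sessions.get(user)
        if member not in self.up:  # no session yet, or its member went DOWN
            member = self._by_token(user)
            self.sessions[user] = member
        return member


if __name__ == "__main__":
    vs = TokenVserver(["srv_red", "srv_blue", "srv_green"])
    for ident in range(1, 4):
        pkt = build_request(ident, [(NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
                                    (USER_NAME, b"Student02")])
        print(ident, radius_username(pkt), "->", vs.route(pkt))
    print("persistence sessions:", vs.sessions)
```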
Testing RADIUS Persistency
Use the following procedure to test RADIUS Persistency.
1. Launch the RADIUS test client (Web page): Start > Programs > RadiusNT > Radius test
client.
This action launches a Web browser: http://localhost:8020
2. Log on with the following credentials:
Username: student
Password: Password1
3. Click Add, next to RADIUS Servers to add a new RADIUS Server.
4. Set Server address to VIP1.
5. Set Shared secret to Password1.
6. Set Auth Port to 1812.
7. Set Acct Port to 1813.
8. Click Continue.
9. Click Radlogin.
10. Set RADIUS Server to VIP1. (The RADIUS Server just added to the test client utility.)
11. Set Profile to Authentication.
12. Set Login to your student username. (For example: Student02.)
13. Set Password to Password1.
14. Click CONTINUE to initiate a radius authentication request to the virtual server. The response
should indicate GOOD. Click CONTINUE multiple times to submit additional requests.
15. On the NetScaler system Configuration Utility, select the Load Balancing node. Click Virtual
Server persistence sessions in the right-hand pane (under Monitor Sessions).
Persistence sessions display.
Exercise 6-4: Configuring RTSP Load Balancing (Optional)
Overview
This lab demonstrates the process for creating servers, services, and a load-balancing virtual server
for Real Time Streaming Protocol (RTSP). The steps for configuring load balancing using the
Configuration Utility or command-line interface are provided.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this lab, you will need:
- Access to the Configuration Utility or the command-line interface
- Your nsroot/nsroot log on credentials
- The IP address for the RTSP server 1 (RTSP1_IP) and the IP address for the RTSP server 2
(RTSP2_IP).
This information can be found in the Student Reference text file located on the desktop.
- The IP address for the load balancing virtual server: VIP2
Replace VIP2 with the second VIP assigned to your system.
Estimated time to complete this lab: 13 minutes
Scenario
MillennialGadgets.com is also considering an RTSP implementation in conjunction with their
current NetScaler system. The company needs to determine how to configure load-balancing
servers and services for RTSP.
Exercise Details
In this exercise, you will configure RTSP load-balancing services on the NetScaler system. Complete
the following tasks using the Configuration Utility or command-line interface:
- Configure the following servers:
- srv_RTSP1 on port 554 using RTSP1_IP as the IP address
- srv_RTSP2 on port 554 using RTSP2_IP as the IP address
- Configure the following services:
- svc_RTSP1 on port 554 using srv_RTSP1 as the server
- svc_RTSP2 on port 554 using srv_RTSP2 as the server
- Create a new load-balancing virtual server pointing to the RTSP1 and RTSP2 servers on port
554 using the virtual IP address: VIP2
Replace VIP2 with the second VIP assigned to your system.
- Bind the load-balancing virtual server lb_vsrv_RTSP to the services svc_RTSP1 and svc_RTSP2.
- Test streaming.
- Remove the RTSP load-balancing virtual server (lb_vsrv_RTSP) when this exercise is complete.
Exercise 6-4: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 6-4: Configuring RTSP
Load Balancing (Optional)' using the Configuration Utility.
Creating Servers
Use the following procedure to configure load-balancing servers on the NetScaler system using the
Configuration Utility.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Expand the Load Balancing node.
3. Select Servers.
4. Click Add.
The Create Server dialog box opens.
5. Type srv_RTSP1 in the Server Name field.
6. Type 10.29.0.94 in the IP Address/Domain Name field.
7. Click Create.
The server appears in the Servers list.
8. Type srv_RTSP2 in the Server Name field.
9. Type 10.29.0.95 in the IP Address field.
10. Click Create.
The server appears in the Servers list.
11. Click Close.
The Create Server dialog box closes.
Creating Services
Use the following procedure to configure load balancing services on the NetScaler system using the
Configuration Utility.
1. Expand the Load Balancing node.
2. Select the Services node.
3. Click Add.
The Create Service dialog box appears.
4. Type svc_RTSP1 in the Service Name field.
5. Select the srv_RTSP1 in the Server drop-down list.
6. Select RTSP in the Protocol field.
7. Type 554 in the Port field.
8. Click Create.
The service svc_RTSP1 appears in the service list.
9. Type svc_RTSP2 in the Service Name field.
10. Select the srv_RTSP2 in the Server field.
11. Verify that 554 appears in the Port field.
12. Click Create.
The service svc_RTSP2 appears in the service list.
13. Click Close.
The Create Service dialog box closes and the two new services are listed.
Creating a Load-Balancing Virtual Server
Use the following procedure to configure a load balancing virtual server on the NetScaler system
using the Configuration Utility.
1. Select Virtual Servers in the expanded Load Balancing node.
2. Click Add.
The Create Virtual Server (Load Balancing) dialog box opens.
3. Type lb_vsrv_RTSP in the Name field.
4. Select RTSP from the protocol list.
5. Type VIP2 in the IP Address field.
Replace VIP2 with the second VIP assigned to your system.
6. Type 554 in the Port field.
7. Select Active next to the svc_RTSP1 and svc_RTSP2 services to bind the services to the virtual
server.
8. Click Create.
9. Click Close.
The Create Virtual Server (Load Balancing) dialog box closes.
Testing RTSP Load Balancing (Configuration Utility)
Use the following procedure to test RTSP load balancing with a sample streaming video.
1. Type the following text in a Web browser and press Enter to start streaming a video.
mms://VIP2/RTSPlab
The URL is prefixed by mms://, not http://.
No sound will be available. There may be some latency with the display of the video.
Replace VIP2 with the second VIP assigned to your system.
2. Click Pause and Play.
The video responds as intended.
3. Close the media player and the Web browser used to launch the content.
Exercise 6-4: Step-by-Step (Command-Line Interface)
This section provides step-by-step instructions for completing 'Exercise 6-4: Configuring RTSP
Load Balancing (Optional)' using the command-line interface.
Configuring Advanced Load Balancing
Use the following procedure to configure load balancing for real-time streaming protocol on the
NetScaler system using the command-line interface.
1. Log on to the command-line interface using the nsroot credentials.
2. Add a service named svc_RTSP1 by entering the following command:
add service svc_RTSP1 10.29.0.94 RTSP 554
3. Add a service named svc_RTSP2 by entering the following command:
add service svc_RTSP2 10.29.0.95 RTSP 554
4. Create a new load-balancing virtual server pointing to the RTSP servers by entering the
following command:
add lb vserver lb_vsrv_RTSP RTSP VIP2 554
Replace VIP2 with your assigned virtual IP address for VIP2.
5. Bind the services to the load-balancing virtual server by entering the following commands:
bind lb vserver lb_vsrv_RTSP svc_RTSP1
bind lb vserver lb_vsrv_RTSP svc_RTSP2
Testing RTSP Load Balancing
Use the following procedure to test RTSP load balancing with a sample streaming video.
1. Type the following text in a Web browser and press Enter to start streaming a video.
mms://VIP2/RTSPlab
Replace VIP2 with your assigned virtual IP address for VIP2.
The URL is prefixed by mms://, not http://.
No sound will be available. There may be some latency with the display of the video.
2. Click Pause and Play.
The video responds as intended.
3. Close the media player and the Web browser used to launch the content.
Module 7
Exercises for Configuring SSL Offload
Exercise 7-1: Configuring SSL Offload
Overview
This exercise demonstrates the process to create and to configure an SSL offload on the NetScaler
system. Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you will need:
- Access to the Configuration Utility or the command-line interface
- IP addresses for the Red, Blue and Green Web servers
- Virtual IP address 3
- Access to a Web browser
Estimated time to complete: 20 minutes
Scenario
MillennialGadgets.com is now accepting credit cards for online payments and thus has the need for
secured communications. MillennialGadgets.com wants to implement SSL offload on the NetScaler
system to reduce the CPU load on its Web servers.
The goals of this exercise are to:
1. Generate a self-signed certificate on the NetScaler system.
2. Create an SSL offload virtual server with HTTP services.
3. Verify SSL offloading by accessing the Web site using HTTPS.
Exercise Details
During this lab, complete the following tasks:
- Generate a self-signed certificate on the NetScaler system.
- Create an RSA key file (TestKey.pem).
- Create a certificate request file (TestCSR.csr).
- Create a self-signed certificate file (TestCert.cert).
- Create a certificate-key pair (TestCertKey) linking the certificate file and the private key file
together and add it to the NetScaler configuration.
- Create an SSL offload virtual server. The SSL virtual server load balances the HTTP services
previously created for the red, blue, and green Web servers.
- The load-balancing virtual server supports SSL offload capabilities by accepting HTTPS
(443) connections.
- The services bound to the load-balancing virtual server are still HTTP (80).
After configuring SSL offload, perform the following tasks to test the configuration:
- Open a Web browser and go to the https://VIP3/home.php Web site.
- Verify that a successful HTTPS connection to the Web site can be established.
The Citrix NetScaler system has a built-in Certificate Authority (CA) tools suite. As a result, the
NetScaler system can be used to create self-signed certificates. Because these certificates are signed
by the NetScaler system itself, and not by an actual CA, you should not use them in a production
environment, but only for testing purposes. If you attempt to use a self-signed certificate in a
production environment, users will receive a 'certificate invalid' warning each time the virtual
server is accessed.
Exercise 7-1: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 7-1: Configuring SSL
Offload' using the Configuration Utility.
Creating an RSA Key File
Use the following procedure to use the NetScaler certificate tools to create an RSA key file.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Select the SSL node.
3. Click Create RSA Key in the SSL pane.
The Create RSA Key dialog box opens.
4. Type TestKey.pem in the Key Filename field.
5. Type 1024 in the Key Size field.
6. Select F4 as the public exponent value.
7. Select PEM as the key format.
8. Select DES3 as the PEM encoding algorithm.
9. Type Password1 in the PEM Passphrase field.
Outside of the lab environment, specify a secure passphrase.
10. Re-type Password1 in the Verify Passphrase field.
11. Click Create.
12. Click Close.
The Create RSA Key dialog box closes.
Creating a Certificate Request
Use the following procedure to use the NetScaler certificate tools to create a certificate request.
1. Select the SSL node.
2. Click Create Certificate Request in the SSL pane.
The Create Certificate Request dialog box opens.
3. Type TestCSR.csr in the Request File Name field.
4. Click Browse next to the Key File Name field.
5. Select TestKey.pem from the /nsconfig/ssl/ directory.
6. Type Password1 in the PEM Passphrase field.
7. Provide the following information under Distinguished Name Fields:
- Common Name: MillennialGadgets.com
- Organization Name: MillennialGadgets.com
- Country Name: US
- State/Province Name: California
8. Type Password1 in the Challenge Password field.
This password does not have to be same as the PEM passphrase. However, outside of the
lab environment, it is recommended that you specify a secure passphrase.
9. Type MillennialGadgets.com in the Company Name field.
10. Click Create.
11. Click Close.
The Create Certificate Request dialog box closes.
Procedure for Creating a Certificate
Use the following procedure to use the NetScaler certificate tools to create a self-signed certificate.
1. Select the SSL node.
2. Click Create Certificate in the SSL pane.
The Create Certificate dialog box opens.
3. Type TestCert.cert in the Certificate File Name field.
4. Select PEM as the certificate format.
5. Select Server as the certificate type.
6. Click Browse next to the Certificate Request File Name field.
7. Select TestCSR.csr from the SSL directory and click Select.
8. Type 30 in the Validity Period field.
9. Click Browse next to the CA Certificate File Name field.
10. Select ns-root.cert in the SSL directory.
11. Select PEM as the CA certificate file format.
12. Click Browse next to the CA Key File Name field.
13. Select ns-root.key in the SSL directory and click Select.
14. Select PEM as the CA key file format.
15. Type Password1 in the PEM Passphrase field.
16. Click Browse next to the CA Serial Number File field.
17. Select ns-root.srl in the SSL directory and click Select.
18. Click Create.
19. Click Close.
The Create Certificate dialog box closes.
Configuring a Certificate-Key Pair
Use the following procedure to create a certificate-key pair on the NetScaler system.
1. Expand the SSL node.
2. Click Certificates.
3. Click Add in SSL Certificates pane.
The Install Certificate dialog box opens.
4. Type TestCertKey in the Certificate-Key Pair Name field.
5. Select Appliance from the drop-down list.
6. Select TestCert.cert in the /nsconfig/ssl/ directory.
7. Click Browse next to the Private Key File Name field.
8. Select TestKey.pem in the /nsconfig/ssl/ directory.
9. Type Password1 in the Password field.
10. Select PEM as the certificate format.
11. Click Install to create the certificate-key pair.
12. Click Close.
The Install Certificate dialog box closes.
13. Verify that TestCertKey is displayed in the SSL Certificates pane and the status is shown as
VALID.
Creating an SSL Offload Virtual Server
Use the following procedure to create the SSL-offload virtual server.
1. Expand the SSL Offload node.
2. Click Virtual Servers in the SSL Offload pane.
3. Click Add in the SSL Offload Virtual Servers pane.
The Create Virtual Server (SSL Offload) dialog box opens.
4. Type ssl_vsrv_rbg in the Name field.
5. Type VIP3 in the IP Address field.
Replace VIP3 with the VIP3 IP address located in the Student Reference file.
6. Select SSL as the protocol.
7. Type 443 in the Port field.
8. Check the Active box for the following services on the Services tab:
- svc_red
- svc_blue
- svc_green
9. Click the SSL Settings tab.
10. Select TestCertKey from the list of available certificates.
11. Click Add to move the certificate to the list of configured certificates.
12. Click Create.
13. Click Close.
The Create Virtual Server (SSL Offload) dialog box closes.
14. Verify the SSL virtual server (ssl_vsrv_rbg) displays the State as UP.
Testing SSL Offload
Use the following procedure to test the SSL offload configuration.
1. Launch a Web browser.
2. Type https://VIP3/home.php and press Enter.
Replace VIP3 with the VIP3 IP address located in the Student Reference file.
3. Click Continue to this website (not recommended) to continue to the Web site.
A certificate error will be displayed within Internet Explorer because the test certificate
was not created by a trusted certificate authority and a root certificate was not installed.
Disregard these errors for this lab exercise.
4. Refresh the Web site multiple times.
The site is now secured with SSL. The web page load-balances between the Red, Blue, and
Green Web servers based on the services bound to the SSL-offload virtual server.
Exercise 7-1: Step-by-Step (Command-Line Interface)
This section provides step-by-step instructions for completing 'Exercise 7-1: Configuring SSL
Offload' using the command-line interface.
This section is provided as a reference. It covers the same configurations made using the
Configuration Utility. If you have completed the lab exercises using the Configuration
Utility steps, then you do not need to repeat them using the command-line interface
commands.
Configuring a Self-Signed Certificate
Use the following procedure to create and configure a self-signed certificate using the
command-line interface.
1. Log on to the command-line interface using the nsroot credentials.
2. Create the RSA key file by entering the following command:
create ssl rsakey TestKey.pem 1024 -exponent F4 -keyform PEM -des3 -password Password1
3. Type Password1 and press Enter when prompted to verify the PEM passphrase.
4. Create the certificate request by entering the following command:
create ssl certreq TestCSR.csr -keyFile TestKey.pem -keyForm PEM
5. Provide the following information when prompted:
- Country Name: US
- State/Province Name: California
- Organization Name: MillennialGadgets.com
- Common Name: MillennialGadgets.com
- Challenge Password: Password1
Other fields are not required and may be left blank.
6. Enter Password1 as the PEM passphrase and press Enter when prompted.
7. Create the SSL certificate by entering the following command:
create ssl cert TestCert.cert TestCSR.csr SRVR_CERT -CAcert /nsconfig/ssl/ns-root.cert -CAkey /nsconfig/ssl/ns-root.key -CAserial /nsconfig/ssl/ns-root.srl
8. Create the certkey by entering the following command:
add ssl certkey TestCertKey -cert TestCert.cert -key TestKey.pem -password Password1
9. View the certkey by entering the following command:
show ssl certkey
10. Save the configuration by entering the following command:
save ns config
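The lab values typed above (a 1024-bit key, Password1 on the command line, signing by the appliance's ns-root CA) are the settings worth catching before a saved command script is reused outside the lab. The following Python check is an added example, not part of the workbook or any Citrix tool; the function names, the 2048-bit floor and the short weak-passphrase list are assumptions of this example.

```python
import shlex

MIN_RSA_BITS = 2048  # assumption of this example: floor for keys outside the lab
WEAK_PASSPHRASES = {"password1", "password", "nsroot"}  # assumption: sample list

# The key and certificate commands from the procedure above, one per entry.
LAB_COMMANDS = [
    "create ssl rsakey TestKey.pem 1024 -exponent F4 -keyform PEM -des3 -password Password1",
    "create ssl certreq TestCSR.csr -keyFile TestKey.pem -keyForm PEM",
    "create ssl cert TestCert.cert TestCSR.csr SRVR_CERT"
    " -CAcert /nsconfig/ssl/ns-root.cert -CAkey /nsconfig/ssl/ns-root.key"
    " -CAserial /nsconfig/ssl/ns-root.srl",
    "add ssl certkey TestCertKey -cert TestCert.cert -key TestKey.pem -password Password1",
]


def parse_options(tokens):
    """Map each '-name' token (lowercased, dash stripped) to its value or None."""
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            opts[tok[1:].lower()] = None if nxt is None or nxt.startswith("-") else nxt
    return opts


def audit_ssl_commands(lines):
    """Return (line_number, rule, detail) findings for lab-only SSL settings."""
    findings = []
    for number, line in enumerate(lines, start=1):
        tokens = shlex.split(line)
        verb = " ".join(tokens[:3]).lower()
        opts = parse_options(tokens[3:])
        target = tokens[3] if len(tokens) > 3 else "?"

        if verb == "create ssl rsakey":
            bits = tokens[4] if len(tokens) > 4 else ""
            if bits.isdigit() and int(bits) < MIN_RSA_BITS:
                findings.append((number, "weak-key-size", f"{target}: {bits}-bit RSA key"))
            if "des" not in opts and "des3" not in opts:
                findings.append((number, "unencrypted-key",
                                 f"{target}: no PEM encryption requested"))

        if verb in ("create ssl rsakey", "add ssl certkey") and opts.get("password"):
            # Report the exposure without echoing the passphrase itself.
            findings.append((number, "passphrase-in-command",
                             f"{target}: passphrase appears in the command text"))
            if opts["password"].lower() in WEAK_PASSPHRASES:
                findings.append((number, "weak-passphrase",
                                 f"{target}: passphrase is a well-known value"))

        if verb == "create ssl cert" and "ns-root" in (opts.get("cacert") or ""):
            findings.append((number, "appliance-ca",
                             f"{target}: signed by the built-in ns-root CA, not a trusted CA"))
    return findings


if __name__ == "__main__":
    for number, rule, detail in audit_ssl_commands(LAB_COMMANDS):
        print(f"line {number}: {rule}: {detail}")
```
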
Configuring SSL Offload
Use the following procedure to configure SSL offload using the command-line interface.
1. Create the SSL virtual server by entering the following command:
add lb vserver ssl_vsrv_rbg SSL VIP3 443
Replace VIP3 with the VIP3 IP address located in the Student Reference file.
2. Bind the certificate-key pair to the SSL virtual server by entering the following command:
bind ssl vserver ssl_vsrv_rbg -certkeyName TestCertKey
3. Bind services to the SSL virtual server by entering the following commands:
bind lb vserver ssl_vsrv_rbg svc_red
bind lb vserver ssl_vsrv_rbg svc_blue
bind lb vserver ssl_vsrv_rbg svc_green
4. Save the configuration by entering the following command:
save ns config
Testing SSL Offload
Use the following procedure to test the SSL offload configuration.
1. Launch a Web browser.
2. Type https://VIP3/home.php and press Enter.
Replace VIP3 with the VIP3 IP address located in the Student Reference file.
3. Accept any confirmation requests to continue to the web site.
A certificate error will be displayed within Internet Explorer because the test certificate
was not created by a trusted certificate authority and a root certificate was not installed.
Disregard these errors for this lab exercise.
4. Refresh the Web site multiple times.
The site is now secured with SSL. The web page load-balances between the Red, Blue and
Green Web servers based on the services bound to the SSL-offload virtual server.
Module 8
Exercises for Configuring Global Server Load Balancing
Exercise 8-1: Configuring GSLB
Overview
This lab demonstrates the process for configuring and testing a global server load-balancing (GSLB)
setup. The steps for configuring and testing the necessary objects using the Configuration Utility
and command-line interface are provided.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this lab, you will need:
- Access to the Configuration Utility or the command-line interface.
- Your nsroot/nsroot logon credentials.
- Services pointing to the IP addresses for the Red, Blue, and Green servers.
- A partner whose NetScaler system has a different NSIP address.
Students will work in pairs for this lab; both NetScaler systems will be configured. Students should
identify which system is NetScaler Germany and which system is NetScaler Japan. Each student
should identify the following information for each NetScaler system.
Japan NetScaler:
- NetScaler IP
- Subnet IP
- nsroot password: nsroot
Germany NetScaler:
- NetScaler IP
- Subnet IP
- nsroot password: nsroot
Variable     Description            Assigned value
VIP4_GER     Virtual IP 4 for GER
SNIP1_GER    Subnet IP 1 for GER
VIP4_JPN     Virtual IP 4 for JPN
SNIP1_JPN    Subnet IP 1 for JPN
VIP3_GER     Virtual IP 3 for GER
VIP3_JPN     Virtual IP 3 for JPN
Estimated time to complete this lab: 30 minutes
Scenario
These NetScaler systems must be configured for two GSLB sites and will be used to load balance
requests between sites.
Exercise Details: Configuration Utility
Complete the following tasks using the Configuration Utility:
- On both the German and Japanese NetScaler systems:
  - Enable the GSLB feature and LB feature.
  - Save the NetScaler configuration.
  - Set the same password on both NetScaler systems. Use nsroot/nsroot.
- For the German NetScaler:
  - Verify the following services are set up:
    - svc_red with an IP address of RedIP
    - svc_blue with an IP address of BlueIP
    - svc_green with an IP address of GreenIP
  - Configure a load-balancing virtual server:
    - Add a round-robin load-balancing virtual server lb_vsrv_GER using port 80 and using
      VIP4_GER as the virtual IP address.
    - Bind lb_vsrv_GER to svc_green.
  - Configure the GSLB sites.
    - Add site_GER using the SNIP1_GER address.
    - Add site_JPN using the SNIP1_JPN address.
  - Configure the GSLB services.
    - Add a server object srv_GER using VIP4_GER as the IP address.
    - Add a server object srv_JPN using VIP4_JPN as the IP address.
    - Add a GSLB service gslb_svc_GER on port 80 using srv_GER and a site name of
      site_GER.
    - Add a GSLB service gslb_svc_JPN on port 80 using srv_JPN as the IP address and a
      site name of site_JPN.
  - Add and bind the GSLB services to the GSLB virtual server.
  - Create an authoritative DNS Service using VIP3_GER.
- For the Japanese NetScaler system:
  - Verify the following services are set up:
    - svc_red with an IP address of RedIP
    - svc_blue with an IP address of BlueIP
    - svc_green with an IP address of GreenIP
  - Configure a load-balancing virtual server:
    - Add a round-robin load-balancing virtual server lb_vsrv_JPN using port 80 and using
      VIP4_JPN as the virtual IP address.
    - Bind lb_vsrv_JPN to svc_red.
  - Configure the GSLB sites.
    - Add site_GER using the SNIP1_GER address.
    - Add site_JPN using the SNIP1_JPN address.
  - Configure the GSLB services.
    - Add a server object srv_GER using VIP4_GER as the IP address.
    - Add a server object srv_JPN using VIP4_JPN as the IP address.
    - Add a GSLB service gslb_svc_JPN on port 80 using srv_JPN as the IP address and a
      site name of site_JPN.
    - Add a GSLB service gslb_svc_GER on port 80 using srv_GER as the IP address and a
      site name of site_GER.
  - Add and bind the GSLB services to the GSLB virtual server.
  - Create an authoritative DNS Service using VIP3_JPN.
- Verify the configuration.
- Configure the DNS local settings on your network connection to point to the ADNS service.
- Test the GSLB configuration using the command-line interface.
- Restore DNS settings to the original state.
For this lab, students will work on two NetScaler systems. This lab lists the steps for
configuring both the Germany and Japan NetScaler systems. Only perform steps labeled
for NetScaler Germany on the Germany NetScaler system and those for NetScaler Japan
on the Japan NetScaler system.
Exercise 8-1: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 8-1: Configuring GSLB'
using the Configuration Utility.
Enabling GSLB (Germany and Japan)
Use the following procedure to enable GSLB on both NetScalers Germany and Japan.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Expand the System node.
3. Click Settings.
4. Click Configure advanced features.
The Configure Advanced Features dialog box appears.
5. Select Global Server Load Balancing.
6. Click OK.
The Enable/Disable Features dialog box appears.
7. Click Yes.
8. Click Save and then click Yes to save the NetScaler configuration.
9. Click Users under the System node.
10. Select nsroot.
11. Click Change Password.
The Change Password dialog box opens.
12. Type nsroot in the Password and Confirm Password fields.
The nsroot account password must be the same for NetScalers Germany and Japan.
For purposes of this lab, leave the password on both systems set to the default password
of nsroot. In a production environment, use secure passwords.
13. Click OK.
The Change Password dialog box closes.
Verifying the Base Services Are Up (Germany and Japan)
Use the following procedure to verify the base services are UP on NetScaler Germany and Japan.
1. Expand the Load Balancing node.
2. Click Services.
3. Verify that the services svc_red, svc_blue, and svc_green are UP.
Configuring and Testing Load-Balancing Virtual Servers (Germany and Japan)
Use the following procedure to configure and test the load-balancing virtual servers on NetScaler
Germany and Japan.
At the end of this procedure, one load-balancing virtual server (lb_vsrv_GER) will be configured on
NetScaler Germany and one (lb_vsrv_JPN) will be configured on NetScaler Japan.
1. Click Virtual Servers under the Load Balancing node.
2. Click Add.
The Create Virtual Server (Load Balancing) dialog box appears.
3. Type lb_vsrv_GER in the Name field on NetScaler Germany.
Type lb_vsrv_JPN in the Name field on NetScaler Japan.
4. Type VIP4_GER in the IP Address field on NetScaler Germany.
Type VIP4_JPN in the IP Address field on NetScaler Japan.
Replace VIP4_GER and VIP4_JPN with the corresponding VIP4 IP address located in the
Student Reference file on the indicated NetScaler system.
5. Verify that HTTP is selected in the Protocol field and type 80 in the Port field.
6. Select svc_green in the Active column on the Services tab on NetScaler Germany.
Select svc_red in the Active column on the Services tab on NetScaler Japan.
7. Click the Method and Persistence tab.
8. Select Round Robin under LB Method.
9. Click Create.
The load-balancing virtual server is created.
10. Click Close.
The Create Virtual Server (Load Balancing) dialog box closes.
11. Type the following text into a web browser and press Enter to test the load-balancing virtual
server configuration.
- For Germany:
http://VIP4_GER/remote.php
- For Japan:
http://VIP4_JPN/remote.php
Replace VIP4 with the VIP4 IP address located in the Student Reference file on the indicated
NetScaler system.
Configuring the GSLB Sites (Germany and Japan)
Use the following procedure to configure GSLB sites on NetScalers Germany and Japan. Both GSLB
Sites will be created on both NetScaler systems.
1. Expand the GSLB node.
2. Click Sites.
3. Click Add.
The Create GSLB Site dialog box opens.
4. Type site_GER in the Name field.
5. Type SNIP1_GER in the Site IP Address field.
The NetScaler system automatically identifies the site as local or remote based on the IP
address, therefore the Site Type does not have to be explicitly specified.
Replace SNIP1_GER with the SNIP address located in the Student Reference file on the
Germany NetScaler system.
6. Click Create.
The GSLB site site_GER is created.
7. Type site_JPN in the Name field.
8. Type SNIP1_JPN in the Site IP Address field.
The NetScaler system automatically identifies the site as local or remote based on the IP
address, therefore the Site Type does not have to be explicitly specified.
Replace SNIP1_JPN with the SNIP address located in the Student Reference file on the Japan
NetScaler system.
9. Click Create.
The GSLB site site_JPN is created.
10. Click Close.
The Create GSLB Site dialog box closes.
11. Expand the Network node.
12. Click IPs.
Note the IP addresses that are enabled.
13. Expand the GSLB node.
14. Click Sites.
15. Verify site_GER and site_JPN are Enabled and that the Metric Exchange Status (ME Status) is
Active for the remote site on each NetScaler.
The Metric Exchange Status should be Enabled and the Site Metric MEP Status should be
ACTIVE for the remote site on both NetScaler systems, if the GSLB sites were configured
properly. A refresh may be required.
Configuring Load-Balancing Servers (Germany and Japan)
Technically, only one NetScaler system needs to be configured for ADNS.
Use the following procedure to configure both load-balancing servers on NetScalers Germany and
Japan.
1. Expand the Load Balancing node.
2. Click Servers.
3. Click Add.
The Create Server dialog box opens.
4. Type srv_GER in the Server Name field.
5. Type VIP4_GER in the IP Address field.
Replace VIP4_GER with the VIP4 IP address located in the Student Reference file on the
Germany NetScaler system.
6. Click Create.
The server srv_GER is created.
7. Type srv_JPN in the Server Name field.
8. Type VIP4_JPN in the IP Address field.
Replace VIP4_JPN with the VIP4 IP address located in the Student Reference file on the
Japan NetScaler system.
9. Click Create.
The server srv_JPN is created.
10. Click Close.
Configuring GSLB Services (Germany and Japan)
Use the following procedure to configure both GSLB services on NetScalers Germany and Japan.
1. Expand the GSLB node.
2. Click Services.
3. Click Add.
The Create GSLB Service dialog box opens.
4. Type gslb_svc_GER in the Service Name field.
5. Select site_GER in the Site Name field.
6. Select srv_GER in the Server Name field.
7. Verify that HTTP is selected in the Service Type field and type 80 in the Port field.
8. Click Create.
The GSLB service gslb_svc_GER is created.
9. Type gslb_svc_JPN in the Service Name field.
10. Select site_JPN in the Site Name field.
11. Select srv_JPN in the Server Name field.
12. Verify that HTTP is selected in the Service Type field and type 80 in the Port field.
13. Click Create.
The GSLB service gslb_svc_JPN is created.
14. Click Close.
The Create GSLB Service dialog box closes.
15. Verify gslb_svc_GER and gslb_svc_JPN are UP.
Both services are created on both NetScaler systems. It may take a moment for both of the
services to change to UP status.
16. Select Sites in the GSLB node.
17. Verify site_GER and site_JPN are enabled.
Adding and Binding the GSLB Virtual Server (Germany and Japan)
Use the following procedure to add and to bind both GSLB virtual servers on NetScalers Germany
and Japan.
1. Click Virtual Servers in the GSLB node.
2. Click Add.
The Create GSLB Virtual Server dialog box opens.
3. Type GSLB_vsrv_global in the Name field.
4. Verify HTTP is selected in the Service Type field.
5. Select gslb_svc_GER and gslb_svc_JPN in the Active column on the Services tab.
6. Click the Method and Persistence tab.
7. Select Round Robin in the Choose Method drop down.
8. Click Create.
The GSLB virtual server GSLB_vsrv_global is created.
9. Click Close.
The Create GSLB Virtual Servers dialog box closes.
Verifying the Configuration (Germany and Japan)
Use the following procedure to verify the configuration on NetScalers Germany and Japan.
1. Click Sites under the GSLB node.
2. Verify site_GER and site_JPN appear in the site list and are enabled.
3. Click Virtual Servers under the GSLB node.
4. Verify GSLB_vsrv_global appears in the virtual server list and is UP.
5. Click Services under the GSLB node.
6. Verify gslb_svc_GER and gslb_svc_JPN appear in the service list of both NetScaler systems
and are UP.
Configuring DNS Settings (Germany)
Use the following procedure to configure DNS settings on NetScaler Germany.
Technically, only one NetScaler system needs to be configured as an ADNS server.
1. Click Virtual Servers under the GSLB node.
2. Select GSLB_vsrv_global.
3. Click Open.
The Configure GSLB Virtual Server dialog box opens.
4. Click the Domains tab.
5. Click Add.
The Create GSLB Domain dialog box opens.
6. Type www.gslbdomain.com in the Domain Name field.
7. Click Create.
The domain www.gslbdomain.com is created and the Create GSLB Domain dialog box closes.
8. Click OK.
The Configure GSLB Virtual Server dialog box closes.
9. Expand the DNS node.
10. Click Name Servers.
11. Click Add.
The Create Name Server dialog box opens.
12. Configure ADNS:
Type VIP5_GER in the IP Address field on the NetScaler Germany.
Replace VIP5_GER with the VIP3 IP address located in the Student Reference text file on the
NetScaler Germany system.
13. Select Local.
14. Click Create.
The name server is created.
15. Click Close.
The Create Name Server dialog box closes.
Configuring Local DNS Settings to Test the GSLB Configuration
Use the following procedure to configure local DNS settings on one of the hosted workstations to
test the GSLB configuration.
This procedure must be carried out to test GSLB. However, either NetScaler system can be
used as an ADNS.
1. Click Start > Settings > Control Panel to open the Control Panel dialog box on the hosted
workstation.
2. Double-click Network Connections to open the Network Connections dialog box.
3. Right-click Local Area Connection.
If there is more than one interface, the DNS settings will be updated on all of the interfaces.
4. Select Properties to open the Local Area Connection Properties dialog box.
5. Highlight Internet Protocol (TCP/IP).
6. Click Properties to open the Internet Protocol (TCP/IP) Properties dialog box.
7. Write down the existing DNS settings, if any exist.
These will be used later to reset the DNS settings to the original state.
8. Select Use the following DNS server addresses.
9. Set the Preferred DNS Server to VIP5_GER.
Replace VIP5_GER with the VIP3 IP address located in the Student Reference text file on the
NetScaler Germany system.
It is recommended to use only one NetScaler as a DNS.
10. Click OK.
11. Click Close to close the Local Area Connection Properties dialog box.
Testing the GSLB Configuration
Use the following procedure to test the GSLB configuration.
1. Click Start > Run.
2. Type the following text and click OK to open the Command Prompt.
cmd
3. Type the following command in the Command Prompt and press Enter to ping the web site.
ping www.gslbdomain.com
4. Repeat the ping by repeating step 3 five more times.
Expected result: The server IP address of the response changes with some of the pings.
If the responses do not alternate between Germany and Japan, try flushing the DNS with the
command ipconfig /flushdns.
5. Disable the proxy server, if required.
If using Internet Explorer to test GSLB, you may need to perform the following tasks to
disable the proxy server setting before the results will appear as expected.
1. Close all open web browser instances, including the NetScaler Configuration Utility. Open
a new instance of Internet Explorer.
2. Click Tools.
3. Click Internet Options.
4. Click Connections.
5. Click LAN settings.
6. Uncheck Use a proxy server for your LAN under Proxy server.
7. Click OK.
8. Click OK.
6. Open a web browser (Internet Explorer), type the following text in the address bar, and press
Enter.
http://www.gslbdomain.com/remote.php
Either the Red Japan (remote.php) screen on NetScaler Japan or the Green Germany
(remote.php) screen on NetScaler Germany appears.
7. Open a second web browser (Firefox), type the following text in the address bar, and press
Enter.
http://www.gslbdomain.com/remote.php
The alternate remote.php screen will load in the new browser.
If ping responses are giving alternating IP addresses as expected, but the content in the
web browsers is not reflecting load balancing between the Germany and Japan NetScalers,
close all open web browsers. Repeat the test with only one web browser and close and
open the browser between each test.
8. Expand the GSLB node and click Virtual Servers (for the NetScaler Germany only).
9. Select GSLB_vsrv_global.
10. Click Open.
The Configure GSLB Virtual Server dialog box opens.
11. Click the Advanced tab.
12. Select Send all "active" service IPs' in response (MIR).
13. Click OK.
The Configure GSLB Virtual Server dialog box closes.
14. Use the following command in the Command Prompt of the hosted workstation to view two
IP addresses.
nslookup www.gslbdomain.com
The GSLB virtual server now returns two IP addresses instead of one IP address.
Exercise 8-1: Step-by-Step (Command-Line Interface)
This section provides step-by-step instructions for completing 'Exercise 8-1: Configuring GSLB'
using the command-line interface.
Enabling GSLB (Germany and Japan)
Use the following procedure to enable GSLB on NetScalers Germany and Japan.
1. Log on to the command-line interface using the nsroot credentials.
2. Enable the GSLB feature by entering the following command:
enable ns feature GSLB
3. Save the running NetScaler configuration by entering the following command:
save ns config
4. Set the nsroot password on both systems by entering the following command:
set system user nsroot nsroot
The password must be the same for NetScalers Germany and Japan. For purposes of this lab,
leave the password on both systems set to the default password of nsroot. In a production
environment, use secure passwords.
Verifying the Base Services and Load-Balancing Virtual Servers (Germany and Japan)
Use the following procedure to verify the base services are UP and to configure and test the
load-balancing virtual servers on NetScalers Germany and Japan.
At the end of this procedure, one load-balancing virtual server (lb_vsrv_GER) will be configured on
NetScaler Germany and one (lb_vsrv_JPN) will be configured on NetScaler Japan.
1. Verify that the svc_red and svc_green services are UP by entering the following
commands:
show service svc_red
show service svc_green
2. Add the load-balancing virtual server by entering the following command:
- On NetScaler Germany:
add lb vserver lb_vsrv_GER HTTP VIP4_GER 80 -lbMethod ROUNDROBIN
- On NetScaler Japan:
add lb vserver lb_vsrv_JPN HTTP VIP4_JPN 80 -lbMethod ROUNDROBIN
Replace VIP4_* with the VIP4 IP address located in the Student Reference file on the
indicated NetScaler system.
3. Bind the load-balancing virtual server by entering the following command:
- On NetScaler Germany:
bind lb vserver lb_vsrv_GER svc_green
- On NetScaler Japan:
bind lb vserver lb_vsrv_JPN svc_red
4. Type the following text into a web browser and press Enter to test the load-balancing virtual
server configuration.
- For Germany:
http://VIP4_GER/remote.php
- For Japan:
http://VIP4_JPN/remote.php
Replace VIP4_* with the VIP4 IP address located in the Student Reference file on the
indicated NetScaler system.
Configuring the GSLB Sites (Germany and Japan)
Use the following procedure to configure both GSLB sites on NetScalers Germany and Japan.
1. Add a GSLB site by entering the following command:
add gslb site site_GER SNIP1_GER
Replace SNIP1_GER with the SNIP1 IP address located in the Student Reference text file on
the NetScaler Germany system.
2. Add a GSLB site by entering the following command:
add gslb site site_JPN SNIP1_JPN
Replace SNIP1_JPN with the SNIP1 IP address located in the Student Reference text file on
the NetScaler Japan system.
The NetScaler automatically identifies the site as local or remote based on the IP address.
3. Display the NetScaler IP address by entering the following command:
show ns ip
4. Display the GSLB site by entering the following command:
show gslb site
Verify that the Metric Exchange is ENABLED and the Site Metric MEP status is ACTIVE on
the Remote site on each NetScaler system: site_JPN on the Germany NetScaler and site_GER
on the Japan NetScaler.
Configuring GSLB Services (Germany and Japan)
Use the following procedure to configure both GSLB services on NetScalers Germany and Japan.
1. Add a GSLB service by entering the following command:
add gslb service gslb_svc_GER VIP4_GER HTTP 80 -siteName site_GER
This command will create a server object for VIP4_GER named by its IP.
2. Add a second GSLB service by entering the following command:
add gslb service gslb_svc_JPN VIP4_JPN HTTP 80 -siteName site_JPN
This command will create a server object for VIP4_JPN named by its IP.
3. Display the GSLB site by entering the following commands:
show gslb site
show gslb site site_GER
show gslb site site_JPN
Verify that the correct service is bound to each site.
4. Display the GSLB service by entering the following command:
show gslb service
Verify that the Effective State of both services is UP on both NetScaler systems.
Adding and Binding the GSLB Virtual Server (Germany and Japan)
Use the following procedure to add and bind both GSLB virtual servers on NetScalers Germany and
Japan.
1. Add a GSLB virtual server by entering the following command:
add gslb vserver GSLB_vsrv_global HTTP -lbMethod ROUNDROBIN
The LB method is being set to Round Robin for purposes of the lab demonstration only.
A production implementation of GSLB would not be based on round robin.
2. Bind the GSLB virtual server by entering the following command:
bind gslb vserver GSLB_vsrv_global -service gslb_svc_GER
3. Bind the GSLB virtual server by entering the following command:
bind gslb vserver GSLB_vsrv_global -service gslb_svc_JPN
4. Display the GSLB virtual server by entering the following command:
show gslb vserver
Verify that the GSLB virtual server State is listed as UP.
5. Display the GSLB virtual server GSLB_vsrv_global by entering the following command:
show gslb vserver GSLB_vsrv_global
Verify that both GSLB services are bound to the GSLB virtual server and that the State on each
service is listed as UP.
Configuring DNS Settings (Germany)
Use the following procedure to configure DNS settings on NetScaler Germany.
Technically, only one NetScaler system needs to be configured for ADNS.
1. Bind the domain alias to the GSLB virtual server by entering the following command:
bind gslb vserver GSLB_vsrv_global -domainName www.gslbdomain.com
2. Create an authoritative DNS service by entering the following command only on NetScaler
Germany:
add dns nameserver VIP5_GER -local
Replace VIP5_GER with the VIP3 IP address located in the Student Reference file on the
Germany NetScaler system.
3. Ping the domain name from the NetScaler command-line interface and verify results by
entering the following command:
ping www.gslbdomain.com
Press CTRL+C to stop the ping response, and then repeat the ping test.
If GSLB is configured correctly on both systems at this point, the ping response should
alternate between the VIP4 addresses of the Germany and the Japan NetScaler systems during
alternating tests.
Be aware that pinging the address from multiple locations at once can hide the round-
robin load-balancing behavior, since subsequent requests can end up load balanced
(correctly) back to the first server.
Verifying the Configuration (Germany and Japan)
Use the following procedure to verify the configuration on NetScalers Germany and Japan.
1. Display the GSLB site by entering the following command:
show gslb site
2. Display the GSLB virtual server GSLB_vsrv_global by entering the following command:
show gslb vserver GSLB_vsrv_global
3. Display the GSLB service gslb_svc_GER by entering the following command:
show gslb service gslb_svc_GER
4. Display the GSLB service gslb_svc_JPN by entering the following command:
show gslb service gslb_svc_JPN
Configuring Local DNS Settings to Test the GSLB Configuration
Use the following procedure to configure local DNS settings to test the GSLB configuration.
1. Click Start > Settings > Control Panel to open the Control Panel dialog box on the hosted
workstation.
2. Double-click Network Connections to open the Network Connections dialog box.
3. Right-click the first Local Area Connection.
If there is more than one interface, the DNS settings will need to be updated on all of the
interfaces.
4. Select Properties to open the Local Area Connection Properties dialog box.
5. Highlight Internet Protocol (TCP/IP).
6. Click Properties to open the Internet Protocol (TCP/IP) Properties dialog box.
7. Select Use the following DNS server addresses.
8. Set the Preferred DNS Server to VIP5_GER.
It is recommended to use only one NetScaler system as a DNS.
Replace VIP5_GER with the VIP3 IP address located in the Student Reference file on the
Germany NetScaler system.
9. Click OK.
10. Click Close to close the Local Area Connection Properties dialog box.
Testing the GSLB Configuration
Use the following procedure to test the GSLB configuration.
1. Click Start > Run.
2. Type the following text and click OK to open the Command Prompt.
cmd
3. Type the following command in the Command Prompt and press Enter to ping the web site.
ping www.gslbdomain.com
4. Repeat the ping by repeating steps 3 and 4 five more times.
Expected result: The server IP address of the response changes with some of the pings.
If the responses do not alternate between Germany and Japan, try flushing the DNS with the
command ipconfig /flushdns.
5. Disable the proxy server, if required.
If using Internet Explorer to test GSLB, you may need to perform the following tasks to
disable the proxy server setting before the results will appear as expected.
1. Close all open web browser instances, including the NetScaler Configuration Utility. Open
a new instance of Internet Explorer.
2. Click Tools.
3. Click Internet Options.
4. Click Connections.
5. Click LAN settings.
6. Uncheck Use a proxy server for your LAN under Proxy server.
7. Click OK.
8. Click OK.
6. Open a web browser (Internet Explorer), type the following text in the address bar, and press
Enter.
http://www.gslbdomain.com/remote.php
Either the Red Japan (remote.php) screen on NetScaler Japan or the Green Germany
(remote.php) screen on NetScaler Germany appears.
7. Open a second web browser (Firefox), type the following text in the address bar, and press
Enter.
http://www.gslbdomain.com/remote.php
The alternate remote.php screen will load in the new browser.
If ping responses are giving alternating IP addresses as expected, but the content in the
web browsers is not reflecting load balancing between the Germany and Japan NetScaler
systems, close all open web browsers. Repeat the test with only one web browser and close
and open the browser between each test.
8. Enable Multiple IP Response (MIR) on NetScaler Germany by entering the following command
in the NetScaler command-line interface:
set gslb vserver GSLB_vsrv_global -MIR ENABLED
9. Type the following text in the Command Prompt of the hosted workstation and press Enter.
nslookup www.gslbdomain.com
The GSLB virtual server now returns two IP addresses instead of one IP address.
GSLB Troubleshooting Tips
If the procedure for testing the GSLB configuration does not behave as expected, then use the
following tips to troubleshoot the lab configuration.
Unable to Resolve www.gslbdomain.com
- Make sure you are pointing to the correct DNS server. For this lab, you should point to one of
the ADNS IP addresses on either the Germany or the Japan NetScaler system.
- Make sure that you set the DNS setting on the right network connection, if multiple networks
are present. Follow up with your instructor if required.
- Make sure your web browser does not have a proxy server configured.
- Make sure you are not connecting from a workstation behind a firewall that is blocking UDP
port 53 (DNS).
Load Balancing between NetScaler Systems Not Occurring
- If the issue is at the browser test, make sure that you clear the cache between test runs. For best
results, close and re-open the browser between each test.
- If the issue is at the ping response from the workstation and only 1 IP address is being
returned, make sure that the GSLB sites, services, and virtual servers appear as UP. Verify MEP
status is UP/Active.
- If multiple browser instances are open, this can also affect the results. Close all open browsers
and start from a fresh session. Close and open browsers between tests.
- Conduct tests from only one hosted workstation at a time.
- Make sure the GSLB and load balancing (LB) features are ENABLED on both NetScaler
systems.
- Verify on the NetScaler system that the resolution is alternating between GSLB services.
Example: From the command-line interface on a given NetScaler system ping
www.gslbdomain.com. Stop and re-ping. Verify you receive the two expected IP addresses.
Other Issues
- Re-verify that the right IP addresses are used for the load balancing virtual server, GSLB
services, and GSLB virtual server. Be sure sites, virtual servers, services, and domains are bound
appropriately.
- Verify MEP is working and that both sites and services appear up on both NetScaler systems.
The GUI may be easier than the command-line interface for quick verification of configured
settings.
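The following model is an added example, not part of the workbook or of NetScaler: it shows why the ping test needs ipconfig /flushdns to reveal round robin, what MIR changes, and why a DOWN service leaves a single address. The IP addresses are constructed placeholders for VIP4_GER and VIP4_JPN, and the 30-second TTL and the order of the MIR answer are assumptions.

```python
"""Model of the lab's GSLB virtual server and a caching client resolver."""
from typing import Dict, List, Optional

VIP4_GER = "192.0.2.10"      # constructed placeholder for the Germany VIP4
VIP4_JPN = "198.51.100.10"   # constructed placeholder for the Japan VIP4


class GslbVserver:
    """Round-robin GSLB virtual server with optional Multiple IP Response."""

    def __init__(self, services: Dict[str, str], mir: bool = False) -> None:
        self.services = dict(services)                  # service name -> IP
        self.state = {name: "UP" for name in services}  # effective state
        self.mir = mir
        self._turn = 0

    def answer(self) -> List[str]:
        """Return the A records for one DNS query; only UP services count."""
        up = [ip for name, ip in self.services.items() if self.state[name] == "UP"]
        if not up:
            return []
        start = self._turn % len(up)
        self._turn += 1
        rotated = up[start:] + up[:start]
        # Assumption: with MIR the selected service comes first, the rest follow.
        return rotated if self.mir else rotated[:1]


class CachingClient:
    """Workstation resolver that reuses an answer until its TTL expires."""

    def __init__(self, server: GslbVserver, ttl: int = 30) -> None:
        self.server = server
        self.ttl = ttl                                   # assumed TTL in seconds
        self._cached: Optional[List[str]] = None
        self._expires = 0

    def lookup(self, now: int) -> List[str]:
        if self._cached is None or now >= self._expires:
            self._cached = self.server.answer()
            self._expires = now + self.ttl
        return self._cached

    def flushdns(self) -> None:
        """Counterpart of `ipconfig /flushdns` on the hosted workstation."""
        self._cached = None


def lab_vserver(mir: bool = False) -> GslbVserver:
    """GSLB_vsrv_global with both lab services bound."""
    return GslbVserver({"gslb_svc_GER": VIP4_GER, "gslb_svc_JPN": VIP4_JPN}, mir=mir)


def ping_series(client: CachingClient, times: int, flush_between: bool) -> List[Optional[str]]:
    """Address used by `times` consecutive pings, issued one second apart."""
    seen: List[Optional[str]] = []
    for second in range(times):
        if flush_between:
            client.flushdns()
        records = client.lookup(now=second)
        seen.append(records[0] if records else None)
    return seen


if __name__ == "__main__":
    print("cached :", ping_series(CachingClient(lab_vserver()), 4, flush_between=False))
    print("flushed:", ping_series(CachingClient(lab_vserver()), 4, flush_between=True))
    print("MIR    :", lab_vserver(mir=True).answer())
    degraded = lab_vserver()
    degraded.state["gslb_svc_JPN"] = "DOWN"
    print("JPN down:", [degraded.answer() for _ in range(3)])
```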
Module 9
Exercises for Configuring AppExpert Classic Policies
Exercise 9-1: Configuring Content Filtering Using Classic Policies
Overview
This exercise demonstrates the process for configuring a content-filtering policy.
Content filtering allows you to prevent unwanted requests from reaching a protected server, by
comparing the request against filters based on HTTP URLs or headers. Content filtering allows you
to specify the action to take for requests matching the filter rules. The content filter can be
configured to DROP or RESET the request or to return an error code in the response. You have
control over which content to filter and how it is filtered.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you will need:
- Access to the Configuration Utility or the command-line interface
- The IP address used to configure the load-balancing virtual server in the load-balancing
exercise: VIP1.
- A web browser
Estimated time to complete this exercise: 13 minutes
Scenario
The MillennialGadgets.com web site has become popular enough that it is experiencing attacks such
as Code Red and Nimda. Content filtering can be used to block these types of attacks.
You wish to quarantine a specific page by dropping all requests to the page's URL. This can be
done as a temporary measure and can be undone at a later time.
For the purpose of this exercise, content filtering will be used to block access to a specific page
(red.php) based on a URL matching policy. The configuration will be undone at the end of the
exercise.
Exercise Details
During this exercise, complete the following tasks:
- Enable the Content Filtering feature.
- Create a policy expression that matches a request URL to the red.php page.
- Create a content filter policy that drops requests to the red.php URL.
- Bind the content filter policy to the global object.
- Test the content filter policy:
- Verify that content filtering is being applied by browsing to the http://VIP1/red.php web
site.
- Verify that content filtering is not being applied by browsing to the http://VIP1/home.php
web site.
- Unbind the content filter policy.
The policy needs to be unbound at the end of this exercise to prevent it from affecting
subsequent exercises.
- Remove the content filter policy.
Exercise 9-1: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 9-1: Configuring Content
Filtering Using Classic Policies' using the Configuration Utility.
Configuring a Policy Expression
Use the following procedure to create a policy expression.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Expand the AppExpert node and the Expressions subnode.
3. Click the Classic Expressions node.
4. Click Add in the Classic Expressions pane.
The Create Policy Expression dialog box opens.
5. Type red_url in the Expression Name field.
6. Click Add.
The Add Expression dialog box opens.
7. Select General from the Expression Type list.
8. Select REQ from the Flow Type list.
9. Select HTTP from the Protocol list.
10. Select URL from the Qualifier list.
11. Select == from the Operator list.
12. Type /red.php in the Value field.
13. Click OK.
The Add Expression dialog box closes, and the REQ.HTTP.URL == /red.php expression is
displayed as follows in the Create Policy Expression dialog box.
14. Click Create.
This creates the policy expression.
15. Click Close to close the Create Policy Expression dialog box.
Using the Expression Evaluator
Use the following procedure to test the Expression Evaluator.
1. Select the AppExpert node and launch the Advanced Expression Evaluator in the right-hand
pane (under Tools).
2. Add an expression in the expression field:
HTTP.REQ.HEADER("host").CONTAINS("www")
3. Click the Sample button and select GET Request.
4. Click Evaluate.
5. Notice the evaluator result is true.
6. Close the Advanced Expression Evaluator.
Configuring Content Filters
Use the following procedure to configure the content filter policy.
1. Expand the Protection Features node.
2. Click the Filter node.
3. Click Add in the Filter Policies pane.
The Create Filter Policy dialog box opens.
4. Type cf_red_url in the Filter Name field.
5. Verify that Request Action is selected and select Drop from the Request Action list.
6. Select red_url from the drop-down list to the left of the Add Expression button.
7. Click Add Expression to add the selected expression.
8. Click Create.
This creates the content filtering policy.
9. Click Close.
The Create Filter Policy dialog box closes.
10. Click Global Bindings.
The Bind/Unbind Filter Policy(s) to Global dialog box opens.
11. Click Insert Policy and select the cf_red_url policy.
12. Click OK.
The Bind/Unbind Filter Policy dialog box closes.
Testing Content Filtering
Use the following procedure to test content filtering.
1. Launch a web browser.
2. Type http://VIP1/red.php in the address bar and press Enter.
Replace VIP1 with the VIP1 IP address located in the Student Reference text file.
3. Refresh the browser multiple times.
With this content filter policy configured, attempts to browse to red.php are dropped. Access
to other URLs, such as http://VIP1/blue.php, is not affected and continues to work as
expected.
4. View the filter policy in the Configuration Utility after clicking Refresh.
Notice the number of hits displayed.
5. Type http://VIP1/home.php in the address bar and press Enter. Refresh the browser multiple
times.
Verify this time the content is returned and load balances across the servers Red, Blue, and
Green successfully.
6. View the filter policy in the configuration utility.
Notice that the number of hits displayed has not changed, since the new URL requests did not
match the filter criteria.
Removing Content Filters
Use the following procedure to remove the configured content filter policy.
1. Expand the Protection Features node.
2. Click the Filter node.
3. Select the cf_red_url policy on the Policies tab in the Filter Policies and Actions pane.
4. Select Remove.
5. Click Yes to verify the removal.
A message is displayed stating that bound policies cannot be removed.
6. Click OK to close the message.
7. Click Global Bindings.
The Bind/Unbind Filter Policy(s) dialog box opens.
8. Select the cf_red_url policy and click Unbind Policy.
9. Click OK.
The Bind/Unbind Filter Policy(s) dialog box closes.
10. Select the cf_red_url policy on the Policies tab in the Filter Policies and Actions pane.
11. Select Remove.
12. Click Yes to confirm the removal of the policy.
Exercise 9-1: Step-by-Step (Command-Line Interface)
This section provides step-by-step instructions for completing 'Exercise 9-1: Configuring Content
Filtering Using Classic Policies' using the command-line interface.
This section is provided as a reference. It covers the same configurations made using the
Configuration Utility. If you have completed the exercises using the Configuration Utility
steps, then you do not need to repeat them using the command-line interface commands.
Configuring a Policy Expression
Use the following command-line interface commands to create the policy expression.
1. Log on to the command-line interface using the nsroot credentials.
2. Create the named policy expression red_url by entering the following command:
add policy expression red_url "REQ.HTTP.URL == /red.php"
Configuring Content Filters
Use the following command-line interface commands to configure and remove the content filtering
policy.
1. Create the policy using the existing named expression red_url by entering the following
command:
add filter policy cf_red_url -rule red_url -reqAction DROP
Or type the following command and press Enter to create the policy using an in-line
expression.
add filter policy cf_red_url -rule "REQ.HTTP.URL == /red.php" -reqAction DROP
2. Bind the content filter policy by entering the following command.
bind filter global cf_red_url
Testing Content Filtering
Use the following procedure to test content filtering.
1. Launch a web browser.
2. Type http://VIP1/red.php in the address bar and press Enter.
3. Refresh the browser multiple times.
With this content filter policy configured, attempts to browse to red.php are dropped. Access
to other URLs, such as http://VIP1/home.php, is not affected and continues to work as
expected.
4. Log on to the Configuration Utility, expand the Protection Feature node, and select the Filter
node.
Notice the number of hits displayed for the cf_red_url filter policy.
5. Type http://VIP1/blue.php in the address bar and press Enter. Refresh the browser multiple
times.
Verify this time the content is returned and load balances across the servers Red, Blue, and
Green successfully.
6. View the filter policy in the Configuration Utility.
Notice that the number of hits displayed has not changed, since the new URL requests did not
match the filter criteria.
Removing Content Filters
Use the following procedure to remove the configured content filter policy.
1. Unbind the content filter policy by entering the following command:
unbind filter global cf_red_url
2. Remove the content filter policy by entering the following command:
remove filter policy cf_red_url
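The replay below is an added example, not NetScaler code and not part of the workbook: it tracks the commands of this exercise to show which filter policies are actually enforced at each point, since a policy that exists but is not bound filters nothing, and a bound policy cannot be removed. The FilterConfig class and replay helper are hypothetical names, and only the five command forms used in this exercise are understood.

```python
"""Replay the Exercise 9-1 content-filter commands and track enforcement."""
import shlex
from typing import Dict, Iterable, List


class FilterConfig:
    def __init__(self) -> None:
        self.expressions: Dict[str, str] = {}           # named expression -> rule text
        self.policies: Dict[str, Dict[str, str]] = {}   # policy name -> rule and action
        self.bound: List[str] = []                      # policies bound globally
        self.errors: List[str] = []

    def run(self, command: str) -> None:
        tok = shlex.split(command)    # a quoted rule stays one token
        if len(tok) < 4:
            self.errors.append(f"unsupported command: {command}")
            return
        verb, name, rest = tok[:3], tok[3], tok[4:]
        if verb == ["add", "policy", "expression"] and rest:
            self.expressions[name] = rest[0]
        elif verb == ["add", "filter", "policy"]:
            opts = dict(zip(rest[0::2], rest[1::2]))
            rule = opts.get("-rule", "")
            self.policies[name] = {
                "rule": self.expressions.get(rule, rule),  # resolve a named expression
                "reqAction": opts.get("-reqAction", ""),
            }
        elif verb == ["bind", "filter", "global"]:
            if name not in self.policies:
                self.errors.append(f"bind: no such policy {name}")
            elif name not in self.bound:
                self.bound.append(name)
        elif verb == ["unbind", "filter", "global"]:
            if name in self.bound:
                self.bound.remove(name)
            else:
                self.errors.append(f"unbind: {name} is not bound")
        elif verb == ["remove", "filter", "policy"]:
            if name in self.bound:
                # Mirrors the message in the removal procedure: unbind first.
                self.errors.append(f"remove: {name} is bound and cannot be removed")
            else:
                self.policies.pop(name, None)
        else:
            self.errors.append(f"unsupported command: {command}")

    def enforced(self) -> Dict[str, Dict[str, str]]:
        """Bound policies with the rule and action they apply."""
        return {name: self.policies[name] for name in self.bound}

    def unbound(self) -> List[str]:
        """Policies that exist but are not bound, so they filter nothing."""
        return [name for name in self.policies if name not in self.bound]


def replay(commands: Iterable[str]) -> FilterConfig:
    cfg = FilterConfig()
    for command in commands:
        cfg.run(command)
    return cfg


# Commands from this exercise, in the order they are entered.
LAB_SETUP = [
    'add policy expression red_url "REQ.HTTP.URL == /red.php"',
    "add filter policy cf_red_url -rule red_url -reqAction DROP",
    "bind filter global cf_red_url",
]

if __name__ == "__main__":
    cfg = replay(LAB_SETUP)
    print("enforced:", cfg.enforced())
    cfg.run("remove filter policy cf_red_url")      # attempted before unbinding
    print("errors  :", cfg.errors)
    cfg.run("unbind filter global cf_red_url")
    print("unbound :", cfg.unbound())
    cfg.run("remove filter policy cf_red_url")
    print("policies:", cfg.policies)
```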
Exercise 9-2: Configuring Compression Policies
Overview
This exercise demonstrates the basics of configuring compression policies on the NetScaler system.
Compression policies are used to control which responses are compressed and which responses are
not compressed.
Steps for configuring compression using both the Configuration Utility and the command-line
interface are provided. Attempt this exercise on your own before relying on the step-by-step
instructions.
Before You Begin
To complete this exercise, you will need:
- Access to the Configuration Utility or the command-line interface.
- The IP address used to configure the load-balancing virtual server in the load-balancing
exercise: VIP1.
- Firefox Web browser with the Live HTTP Header add-on.
- Firefox Web browser and the User Agent Switcher add-on, used to simulate different agent
headers for testing purposes.
Estimated time to complete this exercise: 20 minutes
Scenario
MillennialGadgets.com web users are complaining about site response time. Also, the IT budget is
shrinking, and bandwidth costs are too high. Instead of expanding its bandwidth budget, the
administrator decides to implement the NetScaler compression feature. To avoid compressed
javascript issues, implement a precautionary policy not to compress content requested by legacy
browsers.
Exercise Details
During this exercise, complete the following tasks:
- Verify that the compression feature is enabled.
- Create a compression policy that does not compress responses from the sites that contain java
for legacy browser (IE 6.0).
- Create a compression policy that compresses responses that contain text.
- Bind the compression policies to the global object.
- Enable compression on the following services:
- svc_red
- svc_blue
- svc_green
- Test the configuration by viewing the current statistics for the compression policies, which
displays the hits per policy.
Exercise 9-2: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 9-2: Configuring
Compression Policies' using the Configuration Utility.
Adding Compression Policies
Use the following procedure to create a generic compression policy.
The NetScaler system includes some preformatted policies, including ns_content_type.
This policy is a duplicate of the one created here.
1. Launch the Configuration Utility using the nsroot credentials.
2. Expand the HTTP Compression node.
3. Click the Policies node.
4. Click Add in the HTTP Compression Policies pane.
The Create Compression Policy dialog box opens.
5. Type cmp_cmp_txt in the Policy Name field.
6. Select COMPRESS from the Response Action list.
7. Click Add under Expression.
The Add Expression dialog box opens.
8. Select General from the Expression Type list.
9. Select RES from the Flow Type list.
10. Select HTTP from the Protocol list.
11. Select HEADER from the Qualifier list.
12. Select CONTAINS from the Operator list.
13. Type text in the Value field.
14. Type Content-Type in the Header Name field.
15. Click OK and then click Close.
The Add Expression dialog box closes.
The expression should display as:
RES.HTTP.HEADER Content-Type CONTAINS text
16. Click Create in the Create Compression Policy dialog box.
This creates the policy.
17. Click Close.
The Create Compression Policy dialog box closes.
Adding Compound Compression Policies
Use the following procedure to create a compound compression policy.
1. Click Add in the HTTP Compression Policies pane.
The Create Compression Policy dialog box opens.
2. Type cmp_nocmp_java in the Policy Name field.
3. Select NOCOMPRESS from the Response Action list.
4. Add an expression that recognizes responses that include javascript:
1. Click Add under Expression.
2. Select General from the Expression Type list.
3. Select RES from the Flow Type list.
4. Select HTTP from the Protocol list.
5. Select HEADER from the Qualifier list.
6. Select CONTAINS from the Operator list.
7. Type javascript in the Value field.
8. Type Content-Type in the Header Name field.
9. Click OK and then click Close in the Add Expression window.
The expression should display as:
RES.HTTP.HEADER Content-Type CONTAINS javascript
5. Add an expression that recognizes requests coming from legacy browsers:
1. Click Add under Expression.
2. Select General from the Expression Type list.
3. Select REQ from the Flow Type list.
4. Select HTTP from the Protocol list.
5. Select HEADER from the Qualifier list.
6. Select CONTAINS from the Operator list.
7. Type "MSIE 6.0" in the Value field.
8. Type User-Agent in the Header Name field.
9. Click OK and then click Close in the Add Expression window.
The expression should display as:
REQ.HTTP.HEADER User-Agent CONTAINS "MSIE 6.0"
6. Select Match All Expressions from the Expression Behavior list.
This policy requires that a Response Header contain javascript AND that the user-agent
(browser) making the request matches MSIE 6.0 in order to NOT COMPRESS javascript.
7. Click Create in the Create Compression Policy dialog box.
This creates the policy.
8. Click Close in the Create Compression policy dialog box.
The dialog box closes.
9. Click Global Bindings.
The Bind/Unbind Compression Policies to Global dialog box opens.
10. Insert the following policies:
- cmp_cmp_txt
- cmp_nocmp_java
11. Ensure that the cmp_nocmp_java policy has a lower priority number than the cmp_cmp_txt
policy.
12. Click Apply Changes and Close.
The Bind/Unbind Compression Policies to Global dialog box closes.
Enabling Compression on Services
Use the following procedure to enable compression on all the services.
1. Expand the Load Balancing node.
2. Select the Services node.
3. Select svc_red in the Services pane.
4. Click Open.
The Configure Service dialog box opens.
5. Select the Advanced tab.
6. Verify that Compression is selected under Settings in the Advanced tab.
7. Click OK.
The Configure Service dialog box closes.
8. Select svc_blue in the Services pane.
9. Click Open.
The Configure Service dialog box opens.
10. Select the Advanced Tab.
11. Verify that Compression is selected under Settings in the Advanced tab.
12. Click OK.
The Configure Service dialog box closes.
13. Select svc_green in the Services pane.
14. Click Open.
The Configure Service dialog box opens.
15. Select the Advanced tab.
16. Verify that Compression is selected under Settings in the Advanced tab.
17. Click OK.
The Configure Service dialog box closes.
Testing Compression
Use the following procedure to test the compression policy configured in the prior procedures of
this exercise.
1. Expand the HTTP Compression node.
2. Click the Policies node.
3. View the statistics reported for the following compression policies on the Policy tab, taking
note of the number of hits for:
- cmp_cmp_txt
- cmp_nocmp_java
4. Launch a Firefox browser.
5. Open Live HTTP Headers in Firefox. Click Tools > Live HTTP headers. Click Clear if header
information is displayed in the screen.
Live HTTP Headers will display the header information of any pages visited by Firefox
while it is open.
6. Set the User Agent Switcher to default. Click Tools > Default User Agent > Default User
Agent.
7. Type http://VIP1/home.php in the address bar and press Enter.
Replace VIP1 with the VIP1 IP address located in the Student Reference text file.
8. View the header information for the page within Live HTTP Headers.
a. Scroll to the top and look for the header information for the home.php page.
b. Note that the Content-Type header is text/html. This object should match the
cmp_cmp_txt policy.
c. Note that the Content-Encoding header is gzip. This indicates the response was
compressed.
Multiple pages or content types are retrieved. Live HTTP Headers will display information
for each of the parts. Scroll to the section indicated.
9. Return to the Policies node in the Configuration Utility and click Refresh.
10. View the updated stats for each policy. The hit count for cmp_cmp_txt should have increased.
You may have to clear your browser's web cache in between refreshes to see policy hits.
11. Set the User Agent Tool in Firefox to IE6 and refresh the browser:
a. Click Tools > Default User Agent > IE6 in Firefox.
b. Click Refresh.
12. Click Clear in the Live HTTP Headers window.
13. Type the following text in a web browser and press Enter.
http://VIP1/
The call to home page actually loads multiple pages including a javascript page:
common.js.
14. View the header information for the page within Live HTTP Headers.
a. Scroll to the top and look for the header information for either common.js or
externaljs.js.
b. Note that the User-Agent header includes MSIE 6.0 due to the User Agent Switcher add-
on.
c. Note that the Content-Type header is text/javascript. This object should match the
cmp_cmp_txt policy AND the cmp_nocmp_java policy.
d. Note that a Content-Encoding header is not included in the header list. This indicates the
response was not compressed.
The cmp_nocmp_java policy has a higher priority than the cmp_cmp_txt policy and ensures
that the JavaScript content is not compressed for the IE 6.0 browser.
Multiple pages or content types are retrieved. Live HTTP Headers will display information
for each of the parts. Scroll to the section indicated.
15. Return to the Policies node and click Refresh.
View the updated statistics for each policy. The hit count for cmp_nocmp_java should have
increased.
Exercise 9-2: Step-by-Step (Command-Line Interface)
This section provides step-by-step instructions for completing 'Exercise 9-2: Configuring
Compression Policies' using the command-line interface.
This section is provided as a reference. It covers the same configurations made using the
Configuration Utility. If you have completed the exercises using the Configuration Utility
steps, then you do not need to repeat them using the command-line interface commands.
Configuring Compression Policies
Use the following procedure to configure and bind the compression policy.
The NetScaler system includes some predefined policies, including ns_content_type. This
policy is a duplicate of the one created here.
1. Log on to the command-line interface using the nsroot credentials.
2. Verify that the compression feature is enabled by entering the following command:
show ns feature
enable ns feature CMP
3. Create the compression policy to compress text by entering the following command:
add cmp policy cmp_cmp_txt -rule "RES.HTTP.HEADER Content-Type CONTAINS text" -resAction COMPRESS
4. Bind the compression policy by entering the following command:
bind cmp global cmp_cmp_txt -priority 30
5. Create the compression policy to not compress java for IE 6.0 browsers by entering the
following command:
add cmp policy cmp_nocmp_java -rule "RES.HTTP.HEADER Content-Type CONTAINS javascript && REQ.HTTP.HEADER User-Agent CONTAINS 'MSIE 6.0'" -resAction NOCOMPRESS
6. Bind the compression policy by entering the following command:
bind cmp global cmp_nocmp_java -priority 20
7. Enable compression on the svc_red service by entering the following command:
set service svc_red -CMP yes
8. Enable compression on the svc_blue service by entering the following command:
set service svc_blue -CMP yes
9. Enable compression on the svc_green service by entering the following command:
set service svc_green -CMP yes
Testing Compression
Use the procedure in the following table to test the configuration and to observe compression.
1. View the compression statistics by entering the following command:
stat cmp
2. View the policy details by entering the following command:
show cmp policy
3. Take note of the initial hits for the following policies:
- cmp_nocmp_java
- cmp_cmp_txt
4. Launch a Firefox browser.
5. Open Live HTTP Headers in Firefox. Click Tools > Live HTTP headers. Click Clear if header
information is displayed in the screen.
6. Set the User Agent Switcher to default. Click Tools > Default User Agent > Default User
Agent.
7. Type http://VIP1/home.php in the address bar and press Enter.
Replace VIP1 with the VIP1 IP address located in the Student Reference text file.
8. View the header information for the page within Live HTTP Headers.
a. Scroll to the top and look for the header information for the home.php page.
b. Note that the Content-Type header is text/html. This object should match the
cmp_cmp_txt policy.
c. Note that the Content-Encoding header is gzip. This indicates the response was
compressed.
Multiple pages or content types are retrieved. Live HTTP Headers will display information
for each of the parts. Scroll to the section indicated.
9. View the policy hits:
show cmp policy
Home.php triggers the cmp_cmp_txt policy. The request is compressed.
10. Set the User Agent Switcher to IE6. Click Tools > Default User Agent > IE6.
11. Click Clear in the Live HTTP Headers window.
12. Type http://VIP1/ in the address bar and press Enter.
The call to the home page actually loads multiple pages including a javascript page.
13. View the header information for the page within Live HTTP Headers.
a. Scroll to the top and look for the header information for either common.js or
externaljs.js.
b. Note that the User-Agent header includes MSIE 6.0 due to the User Agent Switcher add-
on.
c. Note that the Content-Type header is text/javascript. This object should match the
cmp_cmp_txt policy AND the cmp_nocmp_java policy.
d. Note that a Content-Encoding header is not included in the header list. This indicates the
response was not compressed.
The cmp_nocmp_java policy has a higher priority than the cmp_cmp_txt policy and ensures
that the JavaScript content is not compressed for the IE 6.0 browser.
Multiple pages or content types are retrieved. Live HTTP Headers will display information
for each of the parts. Scroll to the section indicated.
14. View the policy details by entering the following command:
show cmp policy
The cmp_nocmp_java policy was triggered. In loading the page, a JavaScript page was briefly
loaded. The response to that specific request is not compressed.
Module 10
Exercises for Configuring Rewrite, Responder, and URL Transformation
Exercise 10-1: Configuring Rewrite, Responder, and URL Transformation
Overview
This lab demonstrates the process for verifying and creating the base configuration necessary before
configuring responder or rewrite policies. The steps for the initial configuration using the
Configuration Utility and command-line interface are provided.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you must have:
- Access to the Configuration Utility or the command-line interface.
- Your nsroot/nsroot log on credentials.
- Access to the Red, Blue, and Green (RBG) web servers.
Ensure integrated caching is disabled prior to starting the exercise. Integrated caching
operations are performed before rewrite actions and could result in unexpected and
undesirable results for this lab.
- A virtual IP address VIP1 configured to load balance the Red, Blue, and Green web servers.
Estimated time to complete: 10 minutes
Scenario
You are an administrator of a NetScaler system for MillennialGadgets.com. You are configuring a
NetScaler system to perform basic rewrite functions.
In this exercise, you will configure the rewrite feature. You will use the Configuration Utility or
command-line interface to:
- Enable the rewrite feature.
- Create a rewrite action rw_act_SendToHome that replaces a default request URL ("/") with
("/home.php").
- Create a rewrite policy req_pol_SendToHome that uses the rw_act_SendToHome action and an
expression that identifies requests with a URL that contains a "/".
- Bind the policy, req_pol_SendToHome, to the Global Request Override policy bank. Configure
the policy with a priority of 10 and configure the policy to evaluate the next expression.
- Test the configuration by navigating to http://VIP1/ and verifying the result is correct.
Exercise 10-1: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 10-1: Configuring Rewrite,
Responder, and URL Transformation' using the Configuration Utility.
Enabling the Rewrite Feature
Use the following procedure to enable the rewrite feature in the Configuration Utility.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Expand the System node.
3. Select Settings.
4. Click the Configure basic features link.
The Configure Basic Features dialog box opens.
5. Select Rewrite to enable the rewrite feature if the feature is not already enabled.
6. Click OK.
7. Click Save and Yes to save the running configuration.
Configuring a Rewrite Action
Use the following procedure to configure a rewrite action in the Configuration Utility.
1. Expand the Rewrite node.
2. Select Actions.
3. Click Add.
The Create Rewrite Action dialog box opens.
4. Type rw_act_SendToHome in the Name field.
5. Select REPLACE in the Type drop-down list.
6. Type HTTP.REQ.URL.PATH in the Expression to choose target text reference field.
7. Type "/home.php" in the String expression for replacement text field.
Quotes are required in this step.
8. Verify that the Bypass Safety Check field is not selected.
9. Click Create.
10. Click Close.
The Create Rewrite Action dialog box closes.
Configuring a Rewrite Policy
Use the following procedure to configure a rewrite policy in the Configuration Utility.
1. Select Policies in the Rewrite node.
2. Click Add.
The Create Rewrite Policy dialog box opens.
3. Type req_pol_SendToHome in the Name field.
4. Select rw_act_SendToHome in the Action drop-down list.
5. Verify Global undefined-result action is selected in the Undefined Action drop-down list.
6. Type HTTP.REQ.URL.PATH.EQ("/") in the Expression box.
7. Click Create.
8. Click Close.
The Create Rewrite Policy dialog box closes.
The policy is not yet active.
Creating Policy Bindings
Use the following procedure to create policy bindings in the Configuration Utility.
1. Click Policy Manager.
The Rewrite Policy Manager opens.
The Policy Manager may be accessed at the bottom of the Rewrite Policies pane or by
selecting the Rewrite node.
2. Verify the bind point Override Global under Request is selected.
This is the default Bind Point. The appropriate bind point must be selected before
inserting or binding a policy.
3. Click Insert Policy.
4. Double-click req_pol_SendToHome.
5. Expand the Goto Expression field for req_pol_SendToHome.
6. Double-click NEXT in the Goto Expression field.
7. Click Apply Changes.
8. Click Close.
9. Click Save and Yes to save the NetScaler Configuration.
Testing the Rewrite Policy
Use the following procedure to test the rewrite policy in a web browser.
1. Launch a web browser.
2. Browse to http://VIP1 and press Enter.
Replace VIP1 with the VIP1 IP address from the Student Reference file.
VIP1 was configured to load balance the Red, Blue, and Green servers in earlier exercises.
Expected result: The RBG home.php content displays without having to manually add
"/home.php" to the URL. After redirection, the client-side URL still shows the original path
only. The redirection URL does not appear.
A different page (index.php) will load when you browse to http://VIP1/ alone if the policy
is disabled (inactive).
Exercise 10-1: Step-by-Step (Command-Line Interface)
This section provides step-by-step instructions for completing 'Exercise 10-1: Configuring Rewrite,
Responder, and URL Transformation' using the command-line interface.
Configuring Rewrite
Use the following procedure to configure the rewrite action and policy in the command-line
interface.
1. Log on to the command-line interface using the nsroot credentials.
2. Enable the Rewrite feature by entering the following command:
enable ns feature rewrite
3. Add a rewrite action that replaces the request URL path with /home.php by entering the
following command:
add rewrite action rw_act_SendToHome REPLACE HTTP.REQ.URL.PATH "\"/home.php\""
4. Add a rewrite policy using the rw_act_SendToHome action by entering the following
command:
add rewrite policy req_pol_SendToHome 'HTTP.REQ.URL.PATH.EQ("/")' rw_act_SendToHome
The policy is not yet active.
5. Globally bind the rewrite policy by entering the following command:
bind rewrite global req_pol_SendToHome 10 NEXT -type REQ_OVERRIDE
6. Save the NetScaler configuration by entering the following command:
save ns config
Testing the Rewrite Policy
Use the following procedure to test the rewrite policy in a web browser.
1. Launch a web browser.
2. Browse to http://VIP1 and press Enter.
Replace VIP1 with the VIP1 IP address from the Student Reference file.
VIP1 was configured to load balance the Red, Blue, and Green servers in earlier exercises.
Expected result: The RBG home.php content displays without having to manually add
"/home.php" to the URL. After redirection, the client-side URL still shows the original path
only. The redirection URL does not appear.
A different page (index.php) will load when you browse to http://VIP1/ alone if the policy
is disabled (inactive).
Exercise 10-2: Removing Server Data
Overview
This lab demonstrates the process for removing server data using a rewrite policy. The steps for
configuring a rewrite policy using the Configuration Utility and command-line interface are
provided.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you must have:
- Access to the Configuration Utility or the command-line interface.
- Your nsroot/nsroot log on credentials.
- Access to the Red, the Blue, and the Green (RBG) web servers.
Ensure integrated caching is disabled prior to starting the exercise. Integrated caching
operations are performed before rewrite actions and could result in unexpected and
undesirable results for this lab.
- A virtual IP address VIP1 configured to load balance the Red, Blue, and Green web servers.
- The Mozilla Firefox browser.
- The LiveHTTPHeaders add-on for Mozilla Firefox.
Other programs exist for both Firefox and Internet Explorer, but they are not discussed in
this lab.
Estimated time to complete: 13 minutes
Scenario
You are an administrator of a NetScaler system for MillennialGadgets.com. You are configuring a
NetScaler system to perform basic rewrite functions for the default web site. You recently learned
that removing the server header information is a recommended security best practice. You plan to
configure a rewrite policy which modifies the server response and removes the HTTP header
identifying the web server hosting the web site.
Exercise Details
In this exercise, you will configure the rewrite feature. You will use the Configuration Utility or
command-line interface to:
- View header information using the Firefox web browser and the LiveHTTPHeaders add-on.
- Create a rewrite action rw_act_RemoveSrvID to remove the server header.
- Create a rewrite policy res_pol_RemoveSrvID using the rw_act_RemoveSrvID rewrite action.
- Bind the res_pol_RemoveSrvID policy to the Global Response Override policy bank and
configure the policy with a priority of 10 and a policy evaluation of NEXT.
- Test the configuration.
Exercise 10-2: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 10-2: Removing Server
Data' using the Configuration Utility.
Viewing the Default Header Information
Use the following procedure to view the default header information using Firefox and
LiveHTTPHeaders.
1. Launch Mozilla Firefox.
2. Go to Tools > Live HTTP headers.
3. Select the Headers tab.
4. Select Capture.
5. Click Clear to clear any existing text.
6. Browse to the RBG virtual server by navigating to http://VIP1 in a Firefox browser and
pressing Enter.
Replace VIP1 with the VIP1 IP address located in the Student Reference text file.
7. View the Header information as it displays in the LiveHTTPHeader dialog box.
Verify the Server header is displayed: Server: Apache/2.2.8 (Win32) PHP/3.2.6
Configuring a Rewrite Action
Use the following procedure to configure a rewrite action to remove the server header in the
Configuration Utility.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Select Actions in the Rewrite node.
3. Click Add.
The Create Rewrite Action dialog box opens.
4. Type rw_act_RemoveSrvID in the Name field.
5. Select DELETE_HTTP_HEADER in the Type drop-down list.
6. Type Server in the Header Name field.
7. Verify that Bypass Safety Check is not selected.
8. Click Create.
9. Click Close.
The Create Rewrite Action dialog box closes.
Configuring a Rewrite Policy
Use the following procedure to configure a rewrite policy to remove the server header in the
Configuration Utility.
1. Select Policies in the Rewrite node.
2. Click Add.
The Create Rewrite Policy dialog box opens.
3. Type res_pol_RemoveSrvID in the Name field.
4. Select rw_act_RemoveSrvID in the Action drop-down list.
5. Verify Global undefined-result action is selected in the Undefined Action drop-down list.
6. Type HTTP.RES.IS_VALID in the Expression box.
7. Click Create.
8. Click Close.
The Create Rewrite Policy dialog box closes.
Creating Policy Bindings
Use the following procedure to create policy bindings in the Configuration Utility.
1. Click Policy Manager.
The Rewrite Policy Manager displays.
2. Click the Response tab and verify that Override Global bind point is selected.
3. Click Insert Policy.
4. Double-click res_pol_RemoveSrvID.
5. Expand the Goto Expression drop-down list.
6. Double-click NEXT in the Goto Expression field.
7. Click Apply Changes.
8. Click Close.
The Bind/Unbind Rewrite Policy dialog box closes.
9. Click Save and Yes to save the NetScaler configuration.
Viewing the Default Header Information
Use the following procedure to view the default header information using Firefox and
LiveHTTPHeaders.
Do not replace the server header with strings or phrases such as "Hack this" or "Try to
Hack Me Now". Potential legal implications with such a statement may exist because you
could be granting permission to hackers to attempt to violate your security. As always,
consult the appropriate security experts within your organization for guidelines and
requirements for your environment.
1. Launch Mozilla Firefox.
2. Go to Tools > Live HTTP headers.
3. Select the Headers tab in LiveHTTPHeaders.
4. Click Clear to clear any existing text.
5. Open a Firefox browser and browse to: http://VIP1.
Replace VIP1 with the VIP1 IP address located in the Student Reference text file.
6. View the Header information as it displays in the LiveHTTPHeader dialog box. Verify the
Server header and details about the web server are no longer displayed in the header lists.
Exercise 10-2: Step-by-Step (Command-Line Interface)
This section provides step-by-step instructions for completing 'Exercise 10-2: Removing Server
Data' using the command-line interface.
Viewing the Default Header Information
Use the following procedure to view the default header information using Firefox and
LiveHTTPHeaders.
1. Launch Mozilla Firefox.
2. Go to Tools > Live HTTP headers.
3. Select the Headers tab.
4. Select Capture.
5. Click Clear to clear any existing text.
6. Browse to the RBG virtual server by navigating to http://VIP1 in a Firefox browser and
pressing Enter.
Replace VIP1 with the VIP1 IP address located in the Student Reference text file.
7. View the Header information as it displays in the LiveHTTPHeader dialog box.
Verify the Server header is displayed: Server: Apache/2.2.8 (Win32) PHP/3.2.6
Configuring Rewrite
Use the following procedure to configure a rewrite action and policy to remove the server header in
the command-line interface.
1. Log on to the command-line interface using the nsroot credentials.
2. Add a rewrite action to remove the Server ID by entering the following command:
add rewrite action rw_act_RemoveSrvID DELETE_HTTP_HEADER Server
3. Add a rewrite policy to remove the Server ID by entering the following command:
add rewrite policy res_pol_RemoveSrvID 'HTTP.RES.IS_VALID' rw_act_RemoveSrvID
4. Bind the res_pol_RemoveSrvID globally by entering the following command:
bind rewrite global res_pol_RemoveSrvID 10 NEXT -type RES_OVERRIDE
Viewing the Default Header Information
Use the following procedure to view the default header information using Firefox and
LiveHTTPHeaders.
Do not replace the server header with strings or phrases such as "Hack this" or "Try to
Hack Me Now". Potential legal implications with such a statement may exist because you
could be granting permission to hackers to attempt to violate your security. As always,
consult the appropriate security experts within your organization for guidelines and
requirements for your environment.
1. Launch Mozilla Firefox.
2. Go to Tools > Live HTTP headers.
3. Select the Headers tab in LiveHTTPHeaders.
4. Click Clear to clear any existing text.
5. Open a Firefox browser and browse to: http://VIP1.
Replace VIP1 with the VIP1 IP address located in the Student Reference text file.
6. View the Header information as it displays in the LiveHTTPHeader dialog box. Verify the
Server header and details about the web server are no longer displayed in the header lists.
Exercise 10-3: Inserting Server Data
Overview
This lab demonstrates the process for inserting server data using a rewrite policy. The steps for
configuring a rewrite policy using the Configuration Utility and command-line interface are
provided.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you must have:
- Access to the Configuration Utility or the command-line interface.
- Your nsroot/nsroot log on credentials.
- Access to the Red, Blue, and Green (RBG) web servers.
Ensure integrated caching is disabled prior to starting the exercise. Integrated caching
operations are performed before rewrite actions and could result in unexpected and
undesirable results for this lab.
- A virtual IP address VIP1 configured to load balance the Red, Blue, and Green web servers.
- The Mozilla Firefox browser.
- The LiveHTTPHeaders add-on for Mozilla Firefox.
Other programs exist for both Firefox and Internet Explorer, but they are not discussed in
this lab.
Estimated time to complete: 13 minutes
Scenario
You are an administrator of a NetScaler system for MillennialGadgets.com. You are configuring a
NetScaler system to perform basic rewrite functions for the default web site. You recently
configured a policy to remove server header information as it is a recommended security best
practice. You plan to add a rewrite policy to insert new server information, as well as a policy that
will insert a "No-Cache" header into the response.
Exercise Details
In this exercise, you will configure the rewrite feature. You will use the Configuration Utility or
command-line interface to:
- Open LiveHTTPHeaders.
- Create a rewrite action rw_act_NewSrvID to add "Unspecified" as the server information in the header.
- Create a rewrite policy res_pol_NewSrvID that uses the rw_act_NewSrvID action.
- Create a rewrite action rw_act_NoCache to add a no-cache header.
- Create a rewrite policy res_pol_NoCache that uses the rw_act_NoCache action.
- Test the configuration.
Exercise 10-3: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 10-3: Inserting Server Data'
using the Configuration Utility.
Configuring a Rewrite Action
Use the following procedure to configure rewrite actions to insert new HTTP header information in
the Configuration Utility.
1. Select Actions in the Rewrite node.
2. Click Add.
The Create Rewrite Action dialog box opens.
3. Type rw_act_NewSrvID in the Name field.
4. Select INSERT_HTTP_HEADER in the Type drop-down list.
5. Type Server in the Header Name field.
6. Type Unspecified in the string expression for the header value.
7. Verify that Bypass Safety Check is not selected.
8. Click Create.
9. Type rw_act_NoCache in the Name field.
10. Select INSERT_HTTP_HEADER in the Type drop-down list.
11. Type Cache-Control in the Header Name field.
12. Type no-cache as the string expression for the header value.
13. Click Create.
14. Click Close.
The Create Rewrite Action dialog box closes.
Configuring a Rewrite Policy
Use the following procedure to configure rewrite policies to add to the server header.
1. Select Policies in the Rewrite node.
2. Click Add.
The Create Rewrite Policy dialog box opens.
3. Type res_pol_NewSrvID in the Name field.
4. Select rw_act_NewSrvID in the Action drop-down list.
5. Verify that Global undefined-result action is selected in the Undefined-Result Action field.
6. Type HTTP.RES.IS_VALID in the Expression box.
7. Click Create.
8. Type res_pol_NoCache in the Name field.
9. Select rw_act_NoCache in the Action drop-down list.
10. Click Create.
11. Click Close.
The Create Rewrite Policy dialog box closes.
Creating Policy Bindings
Use the following procedure to create policy bindings in the Configuration Utility.
1. Click Policy Manager.
The Rewrite Policy Manager dialog box opens.
2. Click the Response tab.
3. Verify that Override Global is selected under the Response Bind Points.
4. Click Insert Policy.
5. Double-click res_pol_NoCache.
6. Verify that END is displayed in the Goto Expression field.
7. Click Insert Policy.
8. Double-click res_pol_NewSrvID.
9. Expand the Goto Expression field.
10. Double-click NEXT in the Goto Expression drop-down list.
11. Click the res_pol_RemoveSrvID priority block and drag it to the top of the list.
The policy priority may be assigned by directly editing the priority field or by manually
arranging the list as demonstrated. If you do not order the policies, res_pol_RemoveSrvID
will not be evaluated. Evaluation will end at res_pol_NoCache.
12. Click Regenerate Priorities.
Priorities are reassigned to the policies to maintain the order and to allow space between
priorities, for example res_pol_RemoveSrvID (100), res_pol_NewSrvID (110), and
res_pol_NoCache (120).
13. Click Yes.
14. Click Apply Changes.
15. Click Close.
The Rewrite Policy Manager dialog box closes.
16. Click Save and Yes to save the NetScaler configuration.
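The effect of policy order and Goto expressions in the procedure above can be reproduced with a small model. The following Python is an added example, not Citrix code or part of this workbook: it is a simplified model of a response policy bank (policies walked in ascending priority, evaluation stopping after a matching policy whose Goto expression is END), and the priorities of the unordered bank and the sample response headers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

Headers = List[Tuple[str, str]]  # ordered (name, value) pairs, as on the wire


@dataclass(frozen=True)
class Binding:
    """One policy bound to a bank: priority, rule, action and goto expression."""
    priority: int
    policy: str
    rule: Callable[[Headers], bool]       # stands in for the policy expression
    action: Callable[[Headers], Headers]  # stands in for the rewrite action
    goto: str                             # "NEXT" or "END"


def delete_header(name: str) -> Callable[[Headers], Headers]:
    """Model of a DELETE_HTTP_HEADER action: drop every header with this name."""
    return lambda hdrs: [(n, v) for n, v in hdrs if n.lower() != name.lower()]


def insert_header(name: str, value: str) -> Callable[[Headers], Headers]:
    """Model of an INSERT_HTTP_HEADER action: append a new header."""
    return lambda hdrs: hdrs + [(name, value)]


def is_valid(_hdrs: Headers) -> bool:
    """Stands in for HTTP.RES.IS_VALID; always true for the sample response."""
    return True


def evaluate(bank: List[Binding], response: Headers):
    """Walk the bank in ascending priority and apply the collected actions.

    Evaluation stops after a matching policy whose goto is END.
    Returns (rewritten headers, names of the policies that were evaluated).
    """
    evaluated, actions = [], []
    for b in sorted(bank, key=lambda b: b.priority):
        evaluated.append(b.policy)
        if b.rule(response):
            actions.append(b.action)
            if b.goto == "END":
                break
    out = list(response)
    for act in actions:
        out = act(out)
    return out, evaluated


def make_bank(remove_prio: int, new_prio: int, nocache_prio: int) -> List[Binding]:
    """The three response policies from Exercises 10-2 and 10-3 with the lab's Goto values."""
    return [
        Binding(remove_prio, "res_pol_RemoveSrvID", is_valid,
                delete_header("Server"), "NEXT"),
        Binding(new_prio, "res_pol_NewSrvID", is_valid,
                insert_header("Server", "Unspecified"), "NEXT"),
        Binding(nocache_prio, "res_pol_NoCache", is_valid,
                insert_header("Cache-Control", "no-cache"), "END"),
    ]


def server_values(headers: Headers) -> List[str]:
    """All Server header values present in a header list."""
    return [v for n, v in headers if n.lower() == "server"]


# Constructed sample response; the Server value is the one the lab displays.
SAMPLE = [("Content-Type", "text/html"),
          ("Server", "Apache/2.2.8 (Win32) PHP/3.2.6")]

# Assumed priorities for the bank before it is reordered: res_pol_NoCache (END)
# sits ahead of the other two policies, so evaluation never reaches them.
UNORDERED = make_bank(remove_prio=10, new_prio=20, nocache_prio=5)

# Priorities after Regenerate Priorities, as quoted in the lab note.
ORDERED = make_bank(remove_prio=100, new_prio=110, nocache_prio=120)

if __name__ == "__main__":
    for label, bank in (("unordered", UNORDERED), ("ordered", ORDERED)):
        headers, seen = evaluate(bank, SAMPLE)
        print(label, "evaluated:", seen)
        for name, value in headers:
            print(f"  {name}: {value}")
```

In the unordered bank the original Server banner still reaches the client, which is why the header check in the next procedure is worth running after any change to priorities or Goto expressions.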
Viewing the Default Header Information
Use the following procedure to view the default header information using Firefox and
LiveHTTPHeaders.
Do not replace the server header with strings or phrases such as "Hack this" or "Try to
Hack Me Now". Potential legal implications with such a statement may exist because you
could be granting permission to hackers to attempt to violate your security. As always,
consult the appropriate security experts within your organization for guidelines and
requirements for your environment.
1. Launch Mozilla Firefox.
2. Go to Tools > Live HTTP headers.
3. Select the Headers tab in LiveHTTPHeaders.
4. Click Clear to clear any existing text.
5. Open a Firefox browser, browse to http://VIP1, and press Enter.
Replace VIP1 with the VIP1 IP address located in the Student Reference text file.
6. View the Header information as it displays in the LiveHTTPHeader dialog box.
Verify the new header information is displayed:
- Server: Unspecified
- Cache-Control: no-cache
Exercise 10-3: Step-by-Step (Command-Line Interface)
This section provides step-by-step instructions for completing 'Exercise 10-3: Inserting Server Data'
using the command-line interface.
Configuring a Rewrite Policy
Use the following procedure to configure a rewrite policy to insert new server header information
in the command-line interface.
1. Add a rewrite action to insert an HTTP header for the Server value by entering the following
command:
add rewrite action rw_act_NewSrvID INSERT_HTTP_HEADER "Server" "\"Unspecified\""
2. Add a rewrite policy using the rw_act_NewSrvID action by entering the following command:
add rewrite policy res_pol_NewSrvID 'HTTP.RES.IS_VALID' rw_act_NewSrvID
3. Bind the rewrite policy res_pol_NewSrvID globally by entering the following command:
bind rewrite global res_pol_NewSrvID 20 NEXT -type RES_OVERRIDE
4. Add a rewrite action to insert "no-cache" in the cache-control of the HTTP Header by entering
the following command:
add rewrite action rw_act_NoCache INSERT_HTTP_HEADER "Cache-Control" "\"no-cache\""
5. Add a rewrite policy using the rw_act_NoCache action by entering the following command:
add rewrite policy res_pol_NoCache 'HTTP.RES.IS_VALID' rw_act_NoCache
6. Bind the res_pol_NoCache policy globally by entering the following command:
bind rewrite global res_pol_NoCache 30 NEXT -type RES_OVERRIDE
Viewing the Default Header Information
Use the following procedure to view the default header information using Firefox and
LiveHTTPHeaders.
Do not replace the server header with strings or phrases such as "Hack this" or "Try to
Hack Me Now". Potential legal implications with such a statement may exist because you
could be granting permission to hackers to attempt to violate your security. As always,
consult the appropriate security experts within your organization for guidelines and
requirements for your environment.
1. Launch Mozilla Firefox.
2. Go to Tools > Live HTTP headers.
3. Select the Headers tab in LiveHTTPHeaders.
4. Click Clear to clear any existing text.
5. Open a Firefox browser, browse to http://VIP1, and press Enter.
Replace VIP1 with the VIP1 IP address located in the Student Reference text file.
6. View the Header information as it displays in the LiveHTTPHeader dialog box.
Verify the new header information is displayed:
- Server: Unspecified
- Cache-Control: no-cache
Exercise 10-4: Configuring Responder
Overview
This lab demonstrates the process for configuring a responder policy. The steps for configuring a
responder policy using the Configuration Utility and command-line interface are provided. Attempt
this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you must have:
- Access to the Configuration Utility or the command-line interface.
- Your nsroot/nsroot log on credentials.
- Access to the Red, Blue, and Green (RBG) web servers.
Ensure integrated caching is disabled prior to starting the exercise. Integrated caching
operations are performed before rewrite actions and could result in unexpected and
undesirable results for this lab.
- A virtual IP address VIP1 configured to load balance the Red, Blue, and Green web servers.
- The Mozilla Firefox browser.
- The LiveHTTPHeaders add-on for Mozilla Firefox.
Other programs exist for both Firefox and Internet Explorer, but they are not discussed in
this lab.
Estimated time to complete: 10 minutes
Scenario
You are an administrator of a NetScaler system for MillennialGadgets.com. You are configuring a
NetScaler system to perform basic responder functions. The responder policy will redirect any URL
ending with a "/" (not specifying a specific target) to an appropriate valid directory, such as
/home.php.
Exercise Details
In this exercise, you will configure the responder feature. You will use the Configuration Utility or
command-line interface to:
- Enable the responder feature.
- Create a responder action rs_act_RedirectToHome that redirects the requests to /home.php.
For this exercise, the Redirect action will be used.
- Create a responder policy rs_pol_RedirectToHome that uses the rs_act_RedirectToHome
action.
- Bind the rs_pol_RedirectToHome responder policy to the Responder Global Default policy
bank. Configure the policy with a priority of 10 and specify the GoTo Expression to END.
Exercise 10-4: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 10-4: Configuring
Responder' using the Configuration Utility.
Enabling the Responder Feature
Use the following procedure to enable the responder feature in the Configuration Utility.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Expand the System node.
3. Select Settings.
4. Click the Configure advanced features link.
The Configure Advanced Features dialog box opens.
5. Select Responder to enable the responder feature.
6. Click OK.
The enable/disable feature prompt appears.
7. Click Yes.
The Configure Advanced Features dialog box closes.
8. Click Save to save the NetScaler configuration.
9. Click Yes to save the configuration.
Configuring a Responder Action
Use the following procedure to configure a responder action to redirect any URL ending in a
forward slash (/) in the Configuration Utility.
1. Expand the Responder node.
2. Select Actions.
3. Click Add.
The Create Responder Action dialog box opens.
4. Type rs_act_RedirectToHome in the Name field.
5. Select Redirect in the Type drop-down list.
6. Type /home.php in the Target field and leave Bypass Safety Check deselected.
7. Click Create.
8. Click Close.
The Create Responder Action dialog box closes.
Configuring a Responder Policy
Use the following procedure to configure a responder policy in the Configuration Utility.
1. Select Policies in the Responder node.
2. Click Add.
The Create Responder Policy dialog box opens.
3. Type rs_pol_RedirectToHome in the Name field.
4. Select rs_act_RedirectToHome in the Action drop-down list.
5. Verify that Global undefined-result action is selected in the Undefined-Result Action drop-down
list.
6. Type HTTP.REQ.URL.PATH.EQ("/") in the expression field.
7. Click Create.
8. Click Close.
The Create Responder Policy dialog box closes.
Creating Policy Bindings
Use the following procedure to create policy bindings in the Configuration Utility.
1. Click Policy Manager.
The Responder Policy Manager displays.
2. Select Default Global under the Bind Points.
3. Click Insert Policy.
4. Double-click rs_pol_RedirectToHome.
5. Click Apply Changes.
6. Click Close.
The Bind/Unbind Responder Policy dialog box closes.
7. Click Save and Yes to save the NetScaler configuration.
Testing the Responder Policy
Open a web browser and browse to http://VIP1.
Expected result: The RBG web site displays without the user having to manually add "/home.php"
to the URL. Responder Redirect action results in the client-side URL being changed, reflecting the
redirection. The HTTP response code in the header information will also indicate that URL
redirection has occurred.
If the responder policy is disabled but the rewrite policy is still enabled, then users will still
successfully reach the home.php page due to the rewrite request policy.
Responder actions occur before URL rewrite actions. RespondWith actions bypass
NetScaler processing.
Exercise 10-4: Step-by-Step (Command-line Interface)
This section provides step-by-step instructions for completing 'Exercise 10-4: Configuring
Responder' using the command-line interface.
Enabling the Responder Feature
Use the following procedure to enable the responder feature in the command-line interface.
1. Log on to the command-line interface using the nsroot credentials.
2. Type the following command and press Enter to enable the responder feature.
enable ns feature responder
3. Type the following command and press Enter to save the configuration.
save ns config
Configuring a Responder Action
Use the following procedure to configure a responder action to redirect any URL ending in a
forward slash (/) in the command-line interface.
1. Add a responder action redirecting to home.php by entering the following command:
add responder action rs_act_RedirectToHome REDIRECT "\"/home.php\""
2. Add a responder policy using the rs_act_RedirectToHome action by entering the following
command:
add responder policy rs_pol_RedirectToHome 'HTTP.REQ.URL.PATH.EQ("/")' rs_act_RedirectToHome
3. Bind the rs_pol_RedirectToHome policy globally by entering the following command:
bind responder global rs_pol_RedirectToHome 10 END -type Default
4. Save the NetScaler configuration by entering the following command:
save ns config
Testing the Responder Policy
Open a web browser and browse to http://VIP1.
Expected result: The RBG web site displays without the user having to manually add "/home.php"
to the URL. Responder Redirect action results in the client-side URL being changed, reflecting the
redirection. The HTTP response code in the header information will also indicate that URL
redirection has occurred.
If the responder policy is disabled but the rewrite policy is still enabled, then users will still
successfully reach the home.php page due to the rewrite request policy.
Responder actions occur before URL rewrite actions. RespondWith actions bypass
NetScaler processing.
Exercise 10-5: Adding a Custom Response
Overview
This lab demonstrates the process for adding a custom response. The steps for configuring a
responder policy using the Configuration Utility and command-line interface are provided. Attempt
this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you must have:
- Access to the Configuration Utility or the command-line interface.
- Your nsroot/nsroot log on credentials.
- Access to the Red, Blue, and Green (RBG) web servers.
Ensure integrated caching is disabled prior to starting the exercise. Integrated caching
operations are performed before rewrite actions and could result in unexpected and
undesirable results for this lab.
- A virtual IP address VIP1 configured to load balance the Red, Blue, and Green web servers.
- The Mozilla Firefox browser.
- The LiveHTTPHeaders add-on for Mozilla Firefox.
Other programs exist for both Firefox and Internet Explorer, but they are not discussed in
this lab.
Estimated time to complete: 10 minutes
Scenario
You are an administrator of a NetScaler system for MillennialGadgets.com. You are configuring a
NetScaler system to perform basic responder functions.
You plan to configure a responder policy to provide a custom response when users try to access a
specific URL. For this scenario, you assume that an attempt to access a specific directory ("Private")
on the Red, Blue, and Green web servers should not be allowed. The responder policy will be
configured to detect access to this directory (or web site) and to provide the user with a custom
response when access is attempted.
Exercise Details
In this exercise, you will configure the responder feature. You will use the Configuration Utility or
command-line interface to:
- Create a responder action rs_act_RespondWithCustom which defines a custom response that
returns an HTTP 200 (OK) message and displays info back to the user.
- Create a responder policy rs_pol_RespondWithCustom that provides a custom response
(rs_act_RespondWithCustom) if a request is made to a URL containing the string "private".
- Bind the rs_pol_RespondWithCustom responder policy to the Responder Global Default policy
bank. Configure the policy with a priority of 20 and specify the GoTo Expression to END.
- Test the configuration.
Exercise 10-5: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 10-5: Adding a Custom
Response' using the Configuration Utility.
Configuring a Responder Action
Use the following procedure to configure a responder action to return a custom response. The
response is being formatted to be viewed as a success and to provide some custom data to the user
for the purposes of this exercise. Configure the responder action with the Configuration Utility.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Select Actions under the Responder node.
3. Click Add.
The Create Responder Action dialog box opens.
4. Type rs_act_RespondWithCustom in the Name field.
5. Select Respond with in the Type drop-down list.
6. Type the following text in the Target field.
"http/1.1 200 OK\r\n\r\n" + "Client: " + CLIENT.IP.SRC + " is not authorized to access URL: " + HTTP.REQ.URL.HTTP_URL_SAFE
This string needs to be entered as listed, including quotes where specified.
7. Leave Bypass Safety Check deselected.
8. Click Create.
9. Click Close.
The Create Responder Action dialog box closes.
Configuring a Responder Policy
Use the following procedure to configure a responder policy in the Configuration Utility.
1. Select Policies in the Responder node.
2. Click Add.
The Create Responder Policy dialog box opens.
3. Type rs_pol_RespondWithCustom in the Name field.
4. Select rs_act_RespondWithCustom in the Action drop-down list.
5. Verify that Global undefined-result action is selected in the Undefined-Result Action drop-down list.
6. Type HTTP.REQ.URL.PATH.CONTAINS("private") in the expression field.
7. Click Create.
8. Click Close.
The Create Responder Policy dialog box closes.
Creating Policy Bindings
Use the following procedure to create policy bindings in the Configuration Utility.
1. Click Policy Manager.
The Responder Policy Manager dialog box opens.
2. Verify Default Global is selected under Bind Points.
3. Click Insert Policy.
4. Double-Click rs_pol_RespondWithCustom.
5. Click and drag the rs_pol_RespondWithCustom entry below the previous policy:
rs_pol_RedirectToHome.
6. Click Regenerate Priorities.
An information prompt opens.
7. Click Yes.
The Regenerate Priorities function readjusts the policy priorities to 100 and 110. The
RespondWithCustom policy still has a lower priority (higher value) and is set to 110.
8. Verify the Goto Expression is set to END.
9. Click Apply Changes.
10. Click Close.
The Responder Policy Manager dialog box closes.
11. Click Save and Yes to save the NetScaler configuration.
Testing the Responder Policy
Use the following procedure to test the responder policy in a web browser.
1. Open a Firefox browser, browse to http://VIP1/private, and press Enter.
An attempt to browse to /private results in the NetScaler system returning the custom response
text. The "not authorized" message configured in the policy action appears.
2. Open Live HTTP headers and refresh the page.
3. Verify that the HTTP response code HTTP/1.x 200 OK was properly generated.
This responder value indicates a successful response to the client browser.
4. Open a Firefox browser, browse to http://VIP1, and press Enter.
The page loads as expected. The previously configured responder policy allows redirection to
home.php for a successful page load.
Exercise 10-5: Step-by-Step (Command-line Interface)
This section provides step-by-step instructions for completing 'Exercise 10-5: Adding a Custom
Response' using the command-line interface.
Configuring a Responder Action
Use the following procedure to configure and bind a responder policy that returns a custom
response in the command-line interface.
1. Log on to the command-line interface using the nsroot credentials.
2. Add a responder action that returns the custom response by entering the following command:
add responder action rs_act_RespondWithCustom respondwith q{"http/1.1 200 OK\r\n\r\n" + "Client: " + CLIENT.IP.SRC + " is not authorized to access URL: " + HTTP.REQ.URL.HTTP_URL_SAFE}
3. Add a responder policy using the rs_act_RespondWithCustom action by entering the following
command:
add responder policy rs_pol_RespondWithCustom 'HTTP.REQ.URL.PATH.Contains("private")' rs_act_RespondWithCustom
4. Bind the rs_pol_RespondWithCustom policy globally by entering the following command:
bind responder global rs_pol_RespondWithCustom 20 END -type Default
5. Save the NetScaler configuration by entering the following command:
save ns config
Testing the Responder Policy
Use the following procedure to test the responder policy in a web browser.
1. Open a Firefox browser, browse to http://VIP1/private, and press Enter.
An attempt to browse to /private results in the NetScaler system returning the custom response
text. The "not authorized" message configured in the policy action appears.
2. Open Live HTTP headers and refresh the page.
3. Verify that the HTTP response code HTTP/1.x 200 OK was properly generated.
This responder value indicates a successful response to the client browser.
4. Open a Firefox browser, browse to http://VIP1, and press Enter.
The page loads as expected. The previously configured responder policy allows redirection to
home.php for a successful page load.
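The two responder policies from Exercises 10-4 and 10-5 can be checked offline with the added model below, which is not NetScaler or workbook code. It assumes a redirect status of 302, approximates HTTP_URL_SAFE with percent-encoding, and compares the workbook's expression with an assumed ignore-case variant (SET_TEXT_MODE(IGNORECASE)) on constructed request URLs.

```python
"""Offline model of the responder policies bound in Exercises 10-4 and 10-5.

Added illustration, not NetScaler code: each rule mirrors one policy
expression from the workbook so policy coverage can be checked against
sample request URLs.
"""
from urllib.parse import quote


def path_is_root(path):
    # HTTP.REQ.URL.PATH.EQ("/")
    return path == "/"


def path_contains_private(path):
    # HTTP.REQ.URL.PATH.CONTAINS("private"): case-sensitive substring match
    return "private" in path


def path_contains_private_nocase(path):
    # Assumed variant, not in the workbook:
    # HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).CONTAINS("private")
    return "private" in path.lower()


def redirect_home(client_ip, url):
    # Responder REDIRECT action: the client is told to fetch /home.php.
    return 302, {"Location": "/home.php"}, ""


def respond_custom(client_ip, url):
    # RespondWith action. HTTP_URL_SAFE is approximated by percent-encoding
    # characters that are unsafe in a URL before they are echoed back.
    safe_url = quote(url, safe="/?=&")
    return 200, {}, f"Client: {client_ip} is not authorized to access URL: {safe_url}"


def build_bank(private_rule):
    """Global default bank as (priority, policy name, rule, action)."""
    bank = [
        (20, "rs_pol_RespondWithCustom", private_rule, respond_custom),
        (10, "rs_pol_RedirectToHome", path_is_root, redirect_home),
    ]
    return sorted(bank, key=lambda entry: entry[0])  # lowest number first


def evaluate(bank, client_ip, url):
    """Return (policy, status, headers, body); policy is None when nothing
    matches and the request continues to the load-balanced servers."""
    path = url.split("?", 1)[0]  # PATH excludes the query string
    for _priority, name, rule, action in bank:
        if rule(path):
            status, headers, body = action(client_ip, url)
            return name, status, headers, body  # GoTo END: stop evaluating
    return None, None, {}, ""


# Constructed sample requests, not captured traffic.
SAMPLE_URLS = [
    "/",
    "/home.php",
    "/private/report.html",
    "/Private/report.html",
    "/docs/private-notes.txt",
    "/home.php?next=/private",
]


def coverage(private_rule, client_ip="203.0.113.5"):
    """Map each sample URL to the policy that answers it (or None)."""
    bank = build_bank(private_rule)
    return {url: evaluate(bank, client_ip, url)[0] for url in SAMPLE_URLS}


if __name__ == "__main__":
    as_written = coverage(path_contains_private)
    ignore_case = coverage(path_contains_private_nocase)
    for url in SAMPLE_URLS:
        print(f"{url:26} as written: {as_written[url]!s:26} ignore-case: {ignore_case[url]}")
```

The scenario names the directory "Private" while the expression matches the lowercase string, so the two columns differ for that spelling. CONTAINS matches anywhere in the path, which is why /docs/private-notes.txt also receives the custom response.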
Exercise 10-6: Adding URL Transforms
Overview
This lab demonstrates the process for using the URL Transform feature. The steps for configuring a
responder policy using the Configuration Utility and command-line interface are provided.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you must have:
- Access to the Configuration Utility or the command-line interface.
- Your nsroot/nsroot log on credentials.
- Access to the Red, Blue, and Green (RBG) web servers.
Ensure integrated caching is disabled prior to starting the exercise. Integrated caching
operations are performed before rewrite actions and could result in unexpected and
undesirable results for this lab.
- A virtual IP address VIP1 configured to load balance the Red, Blue, and Green web servers.
- The Mozilla Firefox browser.
Estimated time to complete: 13 minutes
Scenario
You are an administrator of a NetScaler system for MillennialGadgets.com. You are configuring a
NetScaler system to perform URL Transform on a web site that your company recently acquired.
By transforming the acquired company's URL into a sub-URL of your company, you remove the
need for an expensive content migration.
The URL Transform policy will be configured to detect URL requests to a sub-URL of your choice
and will transfer those requests to the acquired company's web servers. The responses will be
transformed back to the sub-URL so the user sees the desired URL.
For the purpose of this lab, the distance pages (dist_) are used to simulate the acquired webpage
(international_).
Exercise Details
In this exercise, you will configure the URL Transform feature. You will use the Configuration
Utility or command-line interface to:
- Create a URL Transform Policy named trns_pol_remote which always evaluates true.
- Create a URL Transform Profile trns_remote_URL.
- Configure a transform action for this profile which changes requests for /international to
/dist.
- Test the configuration.
Exercise 10-6: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 10-6: Adding URL
Transforms' using the Configuration Utility.
Creating a URL Transform Profile
Use the following procedure to create a URL Transform Profile named trns_remote_URL.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Expand the URL Transformation subnode under the Rewrite node.
3. Select the Profiles subnode.
4. Click Add on the URL Transformation Profile pane.
The Create URL Transformation Profile dialog box displays.
5. Type trns_remote_URL in the Name field.
6. Type "Transform /international_page.php (req/display) to
/dist_page.php (actual)" in the Comment field.
7. Click Create.
8. Click Close.
The dialog box closes.
Configuring a URL Transform Action
Use the following procedure to create a URL Transform Action to transform URL requests for
/international to /dist.
1. Double-click trns_remote_URL.
The Configure URL Transformation Profile dialog box displays.
2. Click Add.
The Create URL Transformation Action dialog box displays.
3. Type act_trns_DistToInt in the Name field.
4. Check the Enabled checkbox.
5. Type 50 in the Priority field.
6. Type http://VIP1/international_(.*) in the Request URL From field.
Replace VIP1 with the VIP1 IP address located in the Student Reference file.
7. Type http://VIP1/dist_$1 in the Request URL Into field.
Replace VIP1 with the VIP1 IP address located in the Student Reference file.
8. Type http://VIP1/dist_(.*) in the Response URL From field.
Replace VIP1 with the VIP1 IP address located in the Student Reference file.
9. Type http://VIP1/international_$1 in the Response URL Into field.
If there were more than one variable part of the URL, the variable $1 would increment to
$2, $3, etc.
Replace VIP1 with the VIP1 IP address located in the Student Reference file.
10. Click Create and then click Close.
11. Click OK to confirm.
The dialog box closes.
Creating a URL Transformation Policy
Use the procedure in the following table to create and bind a URL Transform Policy.
1. Click the Policies subnode under URL Transformation.
2. Click Add.
The Create URL Transformation Policy dialog box displays.
3. Type trns_pol_remote in the Name field.
4. Select trns_remote_URL in the Profile drop-down list.
5. Type TRUE in the Expression field.
The TRUE expression always evaluates to true.
6. Click Create.
7. Click Close.
The dialog box closes.
8. Click Global Bindings.
The Bind/Unbind URL Transformation Policies dialog box displays.
9. Insert the trns_pol_remote policy.
Only one URL Transform Policy can be active at a time. To have multiple different
transformations active simultaneously, add more URL Transform Actions to the profile.
10. Click OK.
The dialog box closes.
Testing the URL Transform Policy
Use the following procedure to test the URL transform policy in a web browser.
1. Open a web browser, browse to http://VIP1/dist_red.php, and press Enter.
Replace VIP1 with the VIP1 IP address located in the Student Reference text file.
Expected Result: The dist_red.php page should display normally (Japan). The dist_blue.php
(US) and dist_green.php (Germany) pages may be tested as well.
2. Browse to http://VIP1/international_red.php and press Enter.
The same page loads as expected.
The URL displays "international_red.php", but the content that is loading is the "dist_red.php"
page.
Attempts to load balance and access the alternate pages international_blue.php and
international_green.php result in the dist_blue.php and dist_green.php content respectively.
Exercise 10-6: Step-by-Step (Command-line Interface)
This section provides step-by-step instructions for completing 'Exercise 10-6: Adding URL
Transforms' using the command-line interface.
Configuring a Responder Action
Use the following procedure to configure and bind a URL transformation policy in the
command-line interface.
1. Log on to the command-line interface using the nsroot credentials.
2. Add a transform profile by entering the following command:
add transform profile trns_remote_URL
3. Set the comment field and type for the profile by entering the following command:
set transform profile trns_remote_URL -type URL -comment 'Transform /dist_page.php (actual) to /international_page.php (display)'
4. Add a transform action by entering the following command:
add transform action act_trns_DistToInt trns_remote_URL 50
5. Configure the transform action by entering the following command:
The following is one command and should be entered on a single line. Replace VIP1 with
the VIP1 IP address located in the Student Reference file.
set transform action act_trns_DistToInt -priority 50 -reqUrlFrom "http://VIP1/international_(.*)" -reqUrlInto "http://VIP1/dist_$1" -resUrlFrom "http://VIP1/dist_(.*)" -resUrlInto "http://VIP1/international_$1"
The transform action name is case-sensitive in this command.
6. Create a transform policy by entering the following command:
add transform policy trns_pol_remote TRUE trns_remote_URL
7. Bind the trns_pol_remote policy globally by entering the following command:
bind transform global trns_pol_remote 50
8. Save the NetScaler configuration by entering the following command:
save ns config
Testing the URL Transform Policy
Use the following procedure to test the URL transform policy in a web browser.
1. Open a web browser, browse to http://VIP1/dist_red.php, and press Enter.
Replace VIP1 with the VIP1 IP address located in the Student Reference text file.
Expected Result: The dist_red.php page should display normally (Japan). The dist_blue.php
(US) and dist_green.php (Germany) pages may be tested as well.
2. Browse to http://VIP1/international_red.php and press Enter.
The same page loads as expected.
The URL displays "international_red.php", but the content that is loading is the "dist_red.php"
page.
Attempts to load balance and access the alternate pages international_blue.php and
international_green.php result in the dist_blue.php and dist_green.php content respectively.
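The request and response mappings configured on act_trns_DistToInt can be traced with the added model below, which is not NetScaler or workbook code. It assumes the patterns must match the whole URL, uses 192.0.2.10 as a constructed stand-in for VIP1, and applies the response mapping to a Location header and a list of links.

```python
"""Offline model of the act_trns_DistToInt URL transformation (Exercise 10-6).

Added illustration: it applies the four URL fields from the workbook to
constructed URLs to show what the web servers receive and what the user sees.
"""
import re

VIP1 = "192.0.2.10"  # constructed placeholder for the lab's VIP1 address

# The four fields set on the transform action in the workbook.
ACTION = {
    "reqUrlFrom": f"http://{VIP1}/international_(.*)",
    "reqUrlInto": f"http://{VIP1}/dist_$1",
    "resUrlFrom": f"http://{VIP1}/dist_(.*)",
    "resUrlInto": f"http://{VIP1}/international_$1",
}


def _rewrite(pattern, template, url):
    """Rewrite url when the pattern matches the whole URL (assumed anchoring).

    $1, $2, ... in the template are replaced by the captured groups.
    """
    match = re.fullmatch(pattern, url)
    if match is None:
        return url  # no match: the URL passes through unchanged
    return re.sub(r"\$(\d+)", lambda ref: match.group(int(ref.group(1))), template)


def transform_request(url):
    """Display URL requested by the user -> URL sent to the web servers."""
    return _rewrite(ACTION["reqUrlFrom"], ACTION["reqUrlInto"], url)


def transform_response_url(url):
    """URL found in a server response -> URL shown to the user."""
    return _rewrite(ACTION["resUrlFrom"], ACTION["resUrlInto"], url)


def simulate_exchange(display_url, response_headers, response_links):
    """Follow one request and its response through the action."""
    headers = dict(response_headers)
    if "Location" in headers:
        headers["Location"] = transform_response_url(headers["Location"])
    return {
        "backend_url": transform_request(display_url),
        "headers": headers,
        "links": [transform_response_url(link) for link in response_links],
    }


if __name__ == "__main__":
    # Constructed exchange: the user asks for the display URL and the server
    # answers with a redirect and two absolute links.
    result = simulate_exchange(
        f"http://{VIP1}/international_red.php",
        {"Location": f"http://{VIP1}/dist_blue.php?lang=en"},
        [f"http://{VIP1}/dist_green.php", f"http://{VIP1}/home.php"],
    )
    print(result)
    # A direct request for the real page is not rewritten and is still served,
    # as step 1 of the test procedure shows.
    print(transform_request(f"http://{VIP1}/dist_red.php"))
```

The transform changes what is displayed, not what is reachable: the dist_ URLs remain directly accessible unless another policy restricts them.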
Module 11
Exercises for Configuring Content Switching
Exercise 11-1: Configuring Content Switching
Overview
This exercise demonstrates the process of configuring content switching on the NetScaler system.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise you will need:
- Access to the NetScaler Configuration Utility or the command-line interface.
- Content Switching and Load Balancing features enabled.
- Server and service objects for the Red, Blue, and Green Web servers created on the system.
- svc_red
- svc_blue
- svc_green
- An IP address to configure a virtual IP address for the content-switching virtual server: VIP6.
- The Firefox Web browser and the User Agent Switcher add-on, which are used to easily
simulate tests with different agent headers.
Estimated time to complete this exercise: 20 minutes
Scenario
MillennialGadgets.com needs to accommodate mobile and legacy users. The company decides to
host a customized Web site for mobile support on one of its Web servers, as well as an older Web
site for legacy users to avoid browser compatibility issues.
The purpose of this exercise is to configure content switching, such that requests coming from
iPhones are routed to the Red Web server and requests coming from Internet Explorer 6.0 browsers
are routed to the Blue Web server. All other requests are routed to the Green Web server.
Exercise Details
During this exercise, complete the following tasks:
- Create the following three load-balancing virtual servers:
- lb_vsrv_red bound to the svc_red
- lb_vsrv_blue bound to the svc_blue
- lb_vsrv_green bound to the svc_green
All three load-balancing virtual servers are not-directly addressable, meaning virtual IP
addresses are not assigned to them.
- Create the following two policy expressions:
- remote_users
- IE6
- Create the following two content-switching policies:
- cs_pol_mobile
- cs_pol_legacy_browser
Both policies are rule-based policies.
- Create the following content-switching virtual server:
- cs_vsrv_rbg
- Bind the following load-balancing virtual servers to the content-switching virtual server:
- lb_vsrv_red
- lb_vsrv_blue
- lb_vsrv_green
- Test the configuration.
Exercise 11-1: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 11-1: Configuring Content
Switching' using the Configuration Utility.
Verifying Content-Switching Feature Enablement
Use the following procedure to verify enablement of the content-switching feature.
1. Launch the Configuration Utility using the nsroot credentials.
2. Expand the System node.
3. Select the Settings node.
4. Click Configure basic features.
The Configure Basic Features dialog box opens.
5. Verify that the Load Balancing and Content Switching features are selected and click Close.
The Configure Basic Features dialog box closes.
Creating Non-Addressable Load-Balancing Virtual Servers
Use the following procedure to create three non-addressable load balancing virtual servers.
1. Expand the Load Balancing node.
2. Select the Virtual Servers node.
3. Click Add in the Load Balancing Virtual Servers pane.
The Create Virtual Server (Load Balancing) dialog box opens.
4. Type lb_vsrv_red in the Name field. This virtual server is dedicated to iPhone users.
5. Select HTTP in the Protocol drop-down list.
6. Clear Directly Addressable. Click Yes to confirm the change.
This action disables the IP address and Port fields. This load-balancing virtual server has no
VIP address assigned.
7. Check the Active field for svc_red on the Services tab.
8. Click Create. This step binds the service to the vserver.
9. Type lb_vsrv_blue in the Name field. This virtual server is dedicated to Internet Explorer
users.
10. Clear the Active field for svc_red on the Services tab.
11. Check the Active field for svc_blue on the Services tab.
12. Click Create.
13. Type lb_vsrv_green in the Name Field. This virtual server is dedicated to default users.
14. Clear the Active field for svc_blue on the Services tab.
15. Check the Active field for svc_green on the Services tab.
16. Click Create. This step binds the service to the vserver.
17. Click Close.
The Create Virtual Server (Load Balancing) dialog box closes.
Creating Policy Expressions
Use the following procedure to create the policy expressions to match "iPhone" and "IE6" users.
1. Expand the AppExpert node.
2. Expand the Expressions node.
3. Select the Classic Expressions node.
4. Click Add in the Classic Expressions pane.
The Create Policy Expression dialog box opens.
5. Type iPhone in the Expression Name field.
6. Click Add under Expression.
The Add Expression dialog box opens.
7. Select General from the Expression Type drop-down list.
8. Select REQ from the Flow Type drop-down list.
9. Select HTTP from the Protocol drop-down list.
10. Select HEADER from the Qualifier drop-down list.
11. Select CONTAINS from the Operator drop-down list.
12. Type iPhone in the Value field.
13. Type User-Agent in the Header Name field.
14. Click OK.
The Add Expression dialog box closes.
15. Click Create.
The iPhone expression is created.
16. Click Close.
The Create Policy Expression dialog box closes.
17. Click Add in the Classic Expressions pane.
The Create Policy Expression dialog box opens.
18. Type IE6 in the Expression Name field.
19. Click Add under Expression.
The Add Expression dialog box opens.
20. Select General from the Expression Type drop-down list.
21. Select REQ from the Flow Type drop-down list.
22. Select HTTP from the Protocol drop-down list.
23. Select HEADER from the Qualifier drop-down list.
24. Select CONTAINS from the Operator drop-down list.
25. Type MSIE 6.0 in the Value field.
The header value must be enclosed in quotes due to the space in the value. If double
quotes are used, they will be converted to single quotes by the system. (This is illustrated
in the command-line interface section.)
26. Type User-Agent in the Header Name field.
27. Click OK.
The Add Expression dialog box closes.
28. Verify the expression is displayed as: REQ.HTTP.HEADER User-Agent CONTAINS "MSIE 6.0"
This alternate form is also correct: REQ.HTTP.HEADER User-Agent CONTAINS 'MSIE 6.0'
29. Click Create.
This step creates the IE6 expression.
30. Click Close.
The Create Policy Expression dialog box closes.
Creating Content-Switching Policies
Use the following procedure to create the content-switching policies.
1. Expand the Content Switching node.
2. Select the Policies node.
3. Click Add in the Content Switching Policies pane.
The Create Content Switching Policy dialog box opens.
4. Type cs_pol_mobile in the Name field.
5. Click Configure.
The Create Expression dialog box opens.
6. Select iPhone from the General Named Expressions drop-down list.
7. Click Add Expression.
The iPhone expression is added under Expressions.
8. Click Create.
The Create Expression dialog box closes.
9. Click Create.
This step creates the cs_pol_mobile policy.
10. Click Close.
The Create Content Switching Policy dialog box closes.
11. Click Add.
The Create Content Switching Policy dialog box opens.
12. Type cs_pol_legacy_browser in the Name field.
13. Click Configure.
The Create Expression dialog box opens.
14. Select IE6 from the General Named Expressions list.
15. Click Add Expression.
16. Click Create.
The Create Expression dialog box closes.
17. Click Create.
This step creates the second policy cs_pol_legacy_browser.
18. Click Close.
The Create Content Switching Policy dialog box closes.
Creating the Content-Switching Virtual Server
Use the following procedure to create and to configure the content-switching virtual server.
1. Expand the Content Switching node.
2. Select the Virtual Servers node.
3. Click Add in the Content Switching Virtual Servers pane.
The Create Virtual Server (Content Switching) dialog box opens.
4. Type cs_vsrv_rbg in the Name field.
5. Type VIP6 in the IP Address field.
6. Verify the Protocol is set to HTTP.
7. Type 80 in the Port field.
8. Click Insert Policy and select cs_pol_mobile to bind the mobile policy to the content
switching virtual server.
9. Click the Target cell for cs_pol_mobile and select lb_vsrv_red.
10. Click Insert Policy and select cs_pol_legacy_browser to bind the legacy policy to the content-
switching virtual server.
11. Click the Target cell for cs_pol_legacy_browser and select lb_vsrv_blue.
12. Click Insert Policy and select (Default) to bind the default policy to the content switching
virtual server.
13. Click the Target cell for (Default) and select lb_vsrv_green.
14. Click Create.
This creates the virtual server.
15. Click Close.
The Create Virtual Server (Content Switching) dialog box closes.
16. Click Save and verify that you want to save the running configuration.
Testing the Content-Switching Configuration
Use the following procedure to test the configuration and to observe content-switching behavior.
1. Launch a Firefox web browser with the User Agent Switcher add-on installed. Type the
following text in the browser and press Enter.
http://VIP6/home.php
The Green server displays for all other users (Firefox, IE 7.0, or any other agent) as the default
policy.
2. Change the web browser's user agent to iPhone and refresh the browser.
1. Click Tools > Default User Agent > iPhone in Firefox.
2. Click Refresh.
The Red server displays only to mobile users (iPhone).
3. Change the web browser's user agent to IE6 and refresh the browser.
1. Click Tools > iPhone > IE6 in Firefox.
2. Click Refresh.
The Blue server displays only to legacy browser users (MSIE 6.0).
Exercise 11-1: Step-by-Step (Command-line Interface)
This section provides step-by-step instructions for completing 'Exercise 11-1: Configuring Content
Switching' using the command-line interface.
This section is provided as a reference. It covers the same configurations made using the
Configuration Utility. If you have completed the exercises using the Configuration Utility
steps, then you do not need to repeat them using the command-line interface commands.
Configuring Content Switching
Use the following command-line interface commands to configure and test content switching.
1. Launch the command-line interface using the nsroot credentials.
2. Verify that the load balancing and content switching features are enabled by entering the
following command:
enable ns feature cs lb
3. Create a non-addressable load-balancing virtual server for the Red server and bind it to the
svc_red service by entering the following commands:
add lb vserver lb_vsrv_red HTTP
bind lb vserver lb_vsrv_red svc_red
This server will be dedicated to mobile users.
The load-balancing virtual server is being created without assigning a virtual IP address or
a port.
4. Create a non-addressable load-balancing virtual server for the Blue server and bind it to the
svc_blue service by entering the following commands:
add lb vserver lb_vsrv_blue HTTP
bind lb vserver lb_vsrv_blue svc_blue
This server will be dedicated to legacy browser users.
5. Create a non-addressable load-balancing virtual server for the Green server and bind it to the
svc_green service by entering the following commands:
add lb vserver lb_vsrv_green HTTP
bind lb vserver lb_vsrv_green svc_green
This server will be dedicated to default users.
6. Create a policy expression and content-switching policy to recognize iPhone users by entering
the following commands:
add policy expression remote_users "REQ.HTTP.HEADER User-Agent CONTAINS iPhone"
add cs policy cs_pol_mobile -rule remote_users
7. Create a policy expression and content-switching policy to recognize Internet Explorer 6 users
by entering the following commands:
add policy expression IE6 "REQ.HTTP.HEADER User-Agent CONTAINS \"MSIE 6.0\""
add cs policy cs_pol_legacy_browser -rule IE6
8. Create a content-switching virtual server by entering the following command:
add cs vserver cs_vsrv_rbg HTTP VIP6 80
9. Bind the load-balancing virtual servers and the corresponding policies to the content-switching
virtual server by entering the following commands:
bind cs vserver cs_vsrv_rbg lb_vsrv_green
bind cs vserver cs_vsrv_rbg lb_vsrv_red -policyName cs_pol_mobile
bind cs vserver cs_vsrv_rbg lb_vsrv_blue -policyName cs_pol_legacy_browser
10. Save the configuration by entering the following command:
save ns config
Testing the Content-Switching Configuration
Use the following procedure to test the configuration and to observe content-switching behavior.
1. Launch a Firefox web browser with the User Agent Switcher add-on installed. Type the
following text in the browser and press Enter.
http://VIP6/home.php
The Green server displays for all other users (Firefox, IE 7.0, or any other agent) as the default
policy.
2. Change the web browser's user agent to iPhone and refresh the browser.
1. Click Tools > Default User Agent > iPhone in Firefox.
2. Click Refresh.
The Red server displays only to mobile users (iPhone).
3. Change the web browser's user agent to IE6 and refresh the browser.
1. Click Tools > iPhone > IE6 in Firefox.
2. Click Refresh.
The Blue server displays only to legacy browser users (MSIE 6.0).
Module 12
Exercises for Configuring Traffic Optimization
Exercise 12-1: Integrated Caching
Overview
This lab demonstrates the basics of configuring integrated caching and creating policies where
specific data is cached and identifies how the data is managed using cache, no cache, and
invalidation actions.
This lab is divided into three exercises. Step-by-step procedures for completing this lab using the
Configuration Utility and command-line interface are provided.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this lab, you will need:
- Access to the Configuration Utility or the command-line interface.
- Your nsroot log on credentials.
- Services for the Red, Blue, and Green servers for HTTP and port 80.
- A virtual IP (VIP1) for the load-balancing virtual server for all three services.
- Removal of the content filter policy configured in Lab 9. The policy to drop red.php conflicts
with settings in this lab.
Estimated time to complete this lab: 20 minutes
Scenario
MillenialGadgets.com has recently suffered severe lag time due to heavy server traffic. The company
wants to reduce their server response time by caching frequently served web content through the
NetScaler system.
The goal of this exercise is to configure an integrated-caching solution and then test those results in
terms of caching, no-caching, and caching invalidation.
Exercise Details
This lab consists of three exercises to configure integrated caching and to test the results.
During this lab, complete the following tasks:
- Enable the integrated caching feature.
- Set the integrated caching parameters.
- Set the cache memory size to 512 MB.
- Set the VIA header string to Served from Cache.
- Create cache content groups.
- cache_cg_colorpage
- cache_cg_image
- Create four caching policies.
- cache_pol_blue
Defines the policy to cache the color HTML pages from the server. Configure to use the
cache_cg_colorpage content group.
- cache_pol_nocache
Defines the policy to not cache. Use the TRUE expression to apply the policy for all
content.
- cache_pol_image
Defines the policy to cache when png files are requested from the server. Configure to use
the cache_cg_image content group.
- cache_inval_color
Defines the policy to invalidate the cache when the red.php page is requested from the
server. Configure to use the cache_cg_colorpage content group.
- Bind the cache policies to Request / Default Global policy bank.
- cache_inval_color
Highest Priority (70)
- cache_pol_image
Middle Priority (80)
- cache_pol_colorpage
Middle Priority (90)
- cache_pol_nocache
Lowest Priority (100)
Use the LB VServer created in the Load Balancing lab (lb_vsrv_rbg) for testing. Use the Virtual IP
address assigned to the LB VServer for testing. This IP address is VIP1.
After you have configured integrated caching, perform the following tasks to test the configuration:
- Enable the integrated caching feature.
- Observe caching: Browse to http://VIP1/blue.php and refresh the screen.
- View the cache object.
- View the cache policy.
- Observe image caching: Browse to http://VIP1/media.php, click download multiple times.
- Observe no-caching: Browse to http://VIP1/home.php and refresh the screen.
- Observe cache invalidation.
- Browse to http://VIP1/blue.php.
- Observe caching and note the server from where the content originated (identified by the
background color of the page).
- Browse to http://VIP1/red.php.
- Browse to http://VIP1/blue.php and refresh the screen.
- Observe that the content has originated from a different server; a new page is cached for
subsequent refreshes.
- Disable integrated caching.
Exercise 12-1: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 12-1: Integrated Caching'
using the configuration utility.
Configuring Global Cache Parameters (Configuration Utility)
Use the following procedure to enable the Integrated Caching feature and to set the global
parameters.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Select the Integrated Caching node.
3. Click Change cache settings in the Integrated Caching pane.
The Cache Global Settings dialog box displays.
4. Type 512 in the Memory Usage Limit (MB) field.
5. Type Served from Cache in the Via Header field.
This string is used for this lab to identify cached content served by the NetScaler system.
The default string identifies the system as a NetScaler system and may include version
information. In a production environment, you should modify this string and not identify
the specific device type in use for security purposes.
6. Click OK.
This closes the dialog box.
Creating Content Groups (Configuration Utility)
Use the following procedure to configure two cache content groups.
1. Click Content Groups in the Integrated Caching node.
2. Click Add in the Cache Content Groups pane.
3. Type cache_cg_colorpage in the Name field.
4. Type 600 in the Expire content after field.
This sets the cache duration to 10 minutes for this content group.
5. Select the Memory tab.
6. Type 10 in the Maximum memory allocated field.
This limits the cache memory to 10 MB for this content group.
7. Click Create.
This creates the content group.
8. Type cache_cg_image in the Name field.
9. Click Create.
This creates the content group.
10. Click Close.
This closes the dialog box.
Creating Caching Policies (Configuration Utility)
Use the following procedure to configure cache policies.
1. Click Policies in the Integrated Caching node.
2. Click Add in the Cache Policies pane.
3. Type cache_pol_blue in the Name field.
4. Select cache_cg_colorpage from the Store in Group list.
5. Type HTTP.REQ.URL.CONTAINS("blue") in the expression box.
6. Click Create.
This creates the policy.
7. Type cache_pol_image in the Name field.
8. Select cache_cg_image from the Store in Group list.
9. Type HTTP.REQ.URL.CONTAINS(".png") in the expression box.
10. Click Create.
This creates the policy.
11. Type cache_pol_nocache in the Name field.
12. Select NOCACHE from the Action list.
13. Type True in the expression box.
14. Click Create.
This creates the policy.
15. Click Close.
This closes the dialog box.
Creating an Invalidation Cache Policy (Configuration Utility)
Use the following procedure to configure an invalidation cache policy.
1. Click Add in the Cache Policies pane.
The dialog box may be pre-populated with entries from a previous entry.
2. Type cache_inval_color in the Name field.
3. Select INVAL from the Action list.
4. Select cache_cg_colorpage from the Invalidate all objects in the following groups list.
5. Click Add.
6. Type HTTP.REQ.URL.CONTAINS("red") in the Expression box.
7. Click Create.
This creates the policy.
8. Click Close.
This closes the dialog box.
Binding Policies (Configuration Utility)
Use the following procedure to bind the policies.
1. Click Policy Manager.
The Cache Policy Manager dialog box opens.
2. Select Default Global under Bind Points on the Request tab.
3. Click Insert Policy.
4. Double-click cache_pol_nocache in the Policy Name list and set the Priority to 100.
5. Click Insert Policy.
6. Select cache_pol_blue in the Policy Name list and set the Priority to 90.
7. Click Insert Policy.
8. Select cache_pol_image in the Policy Name list and set the Priority to 80.
9. Click Insert Policy.
10. Select cache_inval_color in the Policy Name list and set the Priority to 70.
11. Click Apply Changes.
12. Click Close.
This closes the dialog box.
Enabling the Caching Feature (Configuration Utility)
Use the following procedure to enable the caching feature.
The feature is enabled after configuration to prevent ongoing traffic from being cached
mid-configuration.
1. Expand the System node.
2. Select Settings.
3. Click the Change basic features link.
The Configure Basic Features dialog box opens.
4. Select Integrated Caching to enable the caching feature.
5. Click OK.
The Enable/Disable Feature prompt appears.
6. Click Yes to enable the feature.
7. Click Save.
Click Yes to save the running configuration.
Testing Caching Configuration (Configuration Utility)
Use the following procedure to test the policy configuration.
1. Launch a browser.
2. Browse to http://VIP1/blue.php. Refresh the browser several times.
Expected result: After the first page loads, subsequent requests are served from cache; the page
background color (which indicates the host server) does not change.
3. Expand the Integrated Caching node in the Configuration Utility.
4. Click Cache Objects in the Integrated Caching node to view the contents of cache on the
NetScaler system.
5. Click Content Groups in the Integrated Caching node and note the number of 304 hits (cache)
compared to Non-304 hits.
6. Click Policies in the Integrated Caching node and view the hits for each policy.
7. View the headers using IEHTTPHeaders for IE or LiveHttpHeaders for Firefox and view the
header string applied by the VIA header parameter setting.
This step is optional.
8. Browse to http://VIP1/media.php. Click Download several times.
Expected result: After the image loads once, subsequent requests are served from cache.
9. Click Cache Objects in the Integrated Caching node of the Configuration Utility and view the
contents of cache on the NetScaler system. Verify the .PNG file appears in the cache objects
list.
Testing a Caching Configuration with Invalidation (Configuration Utility)
Use the following procedure to test a caching configuration with invalidation.
1. Browse to http://VIP1/blue.php and press Enter.
Refresh the browser several times. Blue.php is cached.
2. Browse to http://VIP1/red.php and press Enter.
Refresh the browser several times. Red.php matches the invalidation cache policy
(cache_inval_color).
3. Browse to http://VIP1/blue.php and press Enter.
Refresh the browser several times. Blue.php is first served from a new server, and the results
are cached. You can identify which server is hosting the blue.php page by looking at the
background color.
Disabling Integrated Caching (Configuration Utility)
Use the following procedure to disable integrated caching.
1. Click System > Settings > Configure basic features in the Configuration Utility.
The Configure Basic Features dialog box appears.
2. Clear Integrated Caching.
3. Click OK and Yes.
The Configure Basic Features dialog box closes.
Exercise 12-1: Step-by-Step (Command-line Interface)
This section provides step-by-step instructions for completing 'Exercise 12-1: Integrated Caching'
using the command-line interface.
Configuring Global Cache Parameters (Command-line Interface)
Use the following procedure to enable the Integrated Caching feature and to set the global
parameters.
1. Connect to the command-line interface using the nsroot credentials.
2. Verify the Integrated Caching feature is disabled using the following command:
show ns feature
During this exercise, warnings that the integrated caching feature is disabled will be
displayed as various integrated cache settings are configured. This feature may be
configured without the feature being enabled. The warnings within the command-line
interface are to remind you to enable the feature before testing.
It is a best practice to not enable integrated caching until it is configured.
3. View default caching global parameters by entering the following command:
show cache parameter
Note default values for memory limit, VIA string and other parameter values.
4. Set the caching global parameter for cache size by entering the following command:
set cache parameter -memLimit 512
5. Set the caching global parameter for the VIA string by entering the following command:
set cache parameter -via "Served from Cache"
This string is used for this lab to identify cached content served by the NetScaler system.
The default string identifies the system as a NetScaler system and may include version
information. In a production environment, you should modify this string and not identify
the specific device type in use for security purposes.
Configuring Integrated Caching (Command-line Interface)
Use the following procedure to configure a cache content group and the cache policies.
1. Create a cache content group by entering the following command:
add cache contentGroup cache_cg_colorpage -relExpiry 600 -memLimit 10
The cache duration is set to 10 minutes, and the cache memory limit is set to 10 MB for the
content group.
2. Create a cache policy to cache blue.php to the cache content group by entering the following
command:
add cache policy cache_pol_blue -rule 'HTTP.REQ.URL.CONTAINS("blue")' -action CACHE -storeInGroup cache_cg_colorpage
3. Create a cache content group by entering the following command:
add cache contentGroup cache_cg_image -relExpiry 600 -memLimit 10
The cache duration is set to 10 minutes, and the cache memory limit is set to 10 MB for the
content group.
4. Create a cache policy to cache blue.php to the cache content group by entering the following
command:
add cache policy cache_pol_image -rule 'HTTP.REQ.URL.CONTAINS(".png")' -action CACHE -storeInGroup cache_cg_image
5. Create a cache policy to prevent caching of all content by entering the following command:
add cache policy cache_pol_nocache -rule true -action NOCACHE
6. Bind the cache policies to global by entering the following commands:
bind cache global cache_pol_image -priority 80 -gotoPriorityExpression END -type REQ_DEFAULT
bind cache global cache_pol_blue -priority 90 -gotoPriorityExpression END -type REQ_DEFAULT
bind cache global cache_pol_nocache -priority 100 -gotoPriorityExpression END -type REQ_DEFAULT
The Blue policy cache_pol_blue is bound with a higher priority than the cache_pol_nocache
policy.
7. Enable the Integrated Caching feature by entering the following command:
enable ns feature IC
The feature is enabled after configuration to prevent ongoing traffic from being cached
mid-configuration.
Configuring Invalidation Cache Policies (Command-line Interface)
Use the following procedure to create and to bind cache invalidation policies.
1. Create an invalidation cache policy for the red.php page by entering the following command:
add cache policy cache_pol_invalcolor -rule 'HTTP.REQ.URL.CONTAINS("red")' -action INVAL -invalGroups cache_cg_colorpage
2. Bind the cache policy to global by entering the following command:
bind cache global cache_pol_invalcolor -priority 70 -gotoPriorityExpression END -type REQ_DEFAULT
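The following added example (not part of the workbook) models how the four bound policies are selected for a request: the lowest priority number is evaluated first, and with -gotoPriorityExpression END the first matching policy decides the action. It assumes CONTAINS is a case-sensitive substring test on the request URL, ignores the 600-second expiry, and uses constructed URLs such as /credits.php to show how broadly a short substring rule like "red" matches.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CachePolicy:
    name: str
    priority: int                 # lower number is evaluated first
    rule: Callable[[str], bool]   # stands in for the policy expression
    action: str                   # CACHE, NOCACHE or INVAL
    group: Optional[str] = None   # content group stored in or invalidated


# The four bindings from the exercise (REQ_DEFAULT, goto END on each).
# Assumption: CONTAINS behaves as a case-sensitive substring test on the URL.
POLICIES: List[CachePolicy] = [
    CachePolicy("cache_pol_nocache", 100, lambda url: True, "NOCACHE"),
    CachePolicy("cache_pol_blue", 90, lambda url: "blue" in url,
                "CACHE", "cache_cg_colorpage"),
    CachePolicy("cache_pol_image", 80, lambda url: ".png" in url,
                "CACHE", "cache_cg_image"),
    CachePolicy("cache_pol_invalcolor", 70, lambda url: "red" in url,
                "INVAL", "cache_cg_colorpage"),
]


def evaluate(url: str,
             policies: List[CachePolicy] = POLICIES) -> Optional[CachePolicy]:
    """Return the first policy, in ascending priority order, whose rule matches."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.rule(url):
            return policy
    return None


class CacheSim:
    """Toy cache keyed by content group and URL (no expiry, no memory limit)."""

    def __init__(self, policies: List[CachePolicy] = POLICIES) -> None:
        self.policies = policies
        self.store: Dict[str, Dict[str, str]] = {}

    def request(self, url: str, origin_body: str) -> Tuple[str, str]:
        """Process one request; return (matching policy name, outcome)."""
        policy = evaluate(url, self.policies)
        if policy is None or policy.action == "NOCACHE":
            return (policy.name if policy else "", "origin")
        if policy.action == "INVAL":
            # Flush every object in the group; the request itself goes to origin.
            self.store.pop(policy.group, None)
            return (policy.name, "invalidated")
        group = self.store.setdefault(policy.group, {})
        if url in group:
            return (policy.name, "cache-hit")
        group[url] = origin_body
        return (policy.name, "cache-miss-stored")


def walkthrough() -> List[Tuple[str, str, str]]:
    """Replay the lab's test sequence plus three constructed edge-case URLs."""
    sim = CacheSim()
    steps = [
        ("/blue.php", "served by Green"),        # first load is stored
        ("/blue.php", "served by Red"),          # refresh is a cache hit
        ("/home.php", "served by Blue"),         # only the TRUE rule matches
        ("/red.php", "served by Red"),           # flushes cache_cg_colorpage
        ("/blue.php", "served by Blue"),         # stored again after the flush
        ("/images/blueprint.png", "png bytes"),  # "blue" and ".png": 80 wins
        ("/credits.php", "credits page"),        # constructed: contains "red"
        ("/blue.php", "served by Green"),        # flushed by /credits.php
    ]
    return [(url,) + sim.request(url, body) for url, body in steps]


if __name__ == "__main__":
    for row in walkthrough():
        print("%-24s %-22s %s" % row)
```

Any URL that merely contains the substring "red" flushes the whole colorpage group, so a production rule would match the exact path rather than a fragment.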
Testing the Caching Configuration (Command-line Interface)
Use the following procedure to test the policy configuration.
1. Verify initial load balancing behavior by opening Firefox and browsing to
http://VIP1/green.php.
Refresh the browser several times.
Expected Result: The Green.php page loads. Since none of the caching policies will match this
URL, the page should load balance between the Red, Green, and Blue Servers. The page
background and server information section (lower half) will load balance between the RBG
servers.
2. Navigate to http://VIP1/blue.php. Refresh the browser several times.
Expected result: After the first page loads, subsequent requests are served from cache; the page
background color (which indicates the host server) does not change.
3. View header information in LiveHTTPHeaders. Verify the VIA header displays the string
configured on the NetScaler system.
4. View the contents by entering the following command:
show cache objects
5. View the content groups by entering the following command:
show cache contentgroup cache_cg_colorpage
6. Browse to http://VIP1/media.php. Click Download several times.
Expected result: After the image loads the first time, subsequent requests are served from cache.
7. View the contents of cache on the NetScaler system by entering the following command:
show cache object
8. View the cache policy by entering the following command:
show cache policy
The details are displayed for all cache policies. Note the values of hits for each cache policy.
Testing the Caching Configuration with Invalidation (Command-line Interface)
Use the following procedure to test the caching configuration with invalidation.
1. Browse to http://VIP1/red.php.
Red.php matches the invalidation cache policy (cache_inval_color).
2. View the cache object by entering the following command:
show cache object
Blue.php should be listed as cached within the content group.
3. View the cache policy by entering the following command:
show cache policy
The details are displayed for all cache policies. Note the values of hits for each cache policy.
Disabling Integrated Caching (Command-line Interface)
Disable integrated caching by entering the following command:
disable ns feature IC
Module 13
Exercises for Management
Exercise 13-1: Auditing and Logging
Overview
This exercise demonstrates the process of configuring a syslog server and policy to send syslog audit
messages to an external syslog server using both the Configuration Utility and the command-line
interface. This exercise also demonstrates how to view the recent and historical audit messages on
the NetScaler system and syslog daemon.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise, you will need:
- The IP address of the hosted workstation where the Syslog/SNMP manager resides. For the lab,
this will be the IP address on the hosted workstation which faces the NetScaler system.
This information can be found in the Student Reference text file located on the desktop.
- Access to the Configuration Utility.
- Access to the command-line interface.
- Access to the Kiwi Syslog Daemon.
Estimated time to complete this exercise: 20 minutes
Scenario
MillenialGadgets.com wants to deploy a separate syslog server to record long-term audit data.
Configuration changes were made a month ago that caused site problems, and the information was
not saved. In the future, MillenialGadgets.com would like to capture this data for historic and
troubleshooting purposes.
Exercise Details
During this exercise, complete the following tasks:
- Configure the Kiwi Syslog Daemon.
- Create a syslog policy and syslog server.
- Create a specific syslog audit message and run the save config command.
- View recent audit messages on the NetScaler system.
- View historical audit messages on the NetScaler system.
- View the Audit messages on the remote syslog server.
Exercise 13-1: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 13-1: Auditing and
Logging' using the Configuration Utility.
Configuring the Kiwi Syslog Daemon
Use the following procedure to configure the Kiwi Syslog Daemon.
1. Click Start > Programs > Kiwi Enterprises > Kiwi Syslog Daemon > Kiwi Syslog Daemon.
The Kiwi Syslog Daemon opens.
2. Click File.
3. Select Setup.
4. Expand the Inputs node.
5. Click UDP.
6. Check Listen for UDP Syslog messages.
Verify that the UDP Port is set to 514.
Leave all other default settings.
7. Click OK.
Creating a Syslog Policy and Syslog Server
Use the following procedure to configure a syslog policy and syslog server.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Expand the System node.
3. Expand Auditing in the System pane.
4. Click Policies in the Auditing pane.
5. Click the Policies tab in the Auditing Policies and Servers pane.
6. Click Add.
7. Type Ext_Kiwi in the Name field.
Verify that the Auditing Type is set to Syslog.
8. Click New.
9. Type Ext_Kiwi in the Name field.
10. Enter the Syslog Manager IP in the IP address field.
Leave the Port field blank as the NetScaler will default to UDP port 514.
The Syslog Manager IP is located in the Student Reference text file.
11. Select All in the Log Levels field.
Verify that Log Facility is set to LOCAL0.
12. Click Create.
This step creates the Ext_Kiwi server object.
13. Choose Ext_Kiwi in the Server field.
14. Click Create.
This step creates the syslog policy.
15. Click Close.
16. Click Global Bindings in the Auditing Policies and Servers pane.
17. Click Insert Policy and select Ext_Kiwi from the Policy Name drop-down list.
18. Click OK.
19. Click Save above the Auditing Policies and Servers pane.
The Save Config dialog box opens.
20. Click Yes.
By saving the running config, a syslog audit message is generated. Syslog messages are sent to
the Syslog Server (Kiwi) running on the workstation IP. This message will be searchable in an
upcoming task.
Viewing Recent Audit Messages
Use the following procedure to view recent audit messages.
1. Expand the System node.
2. Select Auditing in the System pane.
3. Select Recent audit messages in the Auditing pane.
The Audit Messages dialog box opens.
4. Select one or more log levels to display.
5. Set the number of audit messages to be shown.
6. Click Refresh.
The viewer will update with the specified number of messages for the selected log levels. In
most cases, systems in the lab will only have INFORMATIONAL messages to display.
7. Click Close.
The Audit Messages dialog box closes.
Viewing Historical Audit Messages
Use the following procedure to view historical audit.
1. Expand the System node.
2. Select Auditing in the System pane.
3. Select Syslog messages in the Auditing pane.
The Syslog Viewer dialog box opens.
4. Click the Severity drop-down list or other drop-down lists to sort the log messages.
5. Select a historical log file from the Log Files list.
Historical log files are maintained by default under /var/log and are in ns.log.#.gz form.
6. Click View.
The Syslog Viewer updates and displays messages from the historical log.
7. Enter a search string under Filter Log.
Possible values for search string include: lb vserver, ns conf, or enable feature.
8. Click Go to view the search results.
9. Click Close.
The Syslog Viewer dialog box closes.
Viewing Audit Messages on the Remote Syslog Server
Use the following procedure to view audit messages on the remote syslog server.
1. Launch Kiwi Syslog Daemon.
2. The syslog messages from the NetScaler will display in the Display 00 (Default) syslog window.
The systems in the lab will only have INFORMATIONAL messages to display.
Disabling Syslog Audit Messages
Use the following procedure to disable logging of Syslog Audit Messages to the Syslog Server
(Kiwi).
1. Log on to the Configuration Utility.
2. Expand the System node.
3. Expand Auditing in the System pane.
4. Select Policies in the Auditing pane.
5. Click Global Bindings in the Auditing Policies and Servers pane.
The Bind/Unbind Auditing Policies to Global dialog box opens.
6. Select the Ext_Kiwi policy.
7. Click Unbind Policy.
8. Click OK.
The Bind/Unbind Auditing Policies to Global dialog box closes.
Exercise 13-1: Step-by-Step (Command-line Interface)
This section provides step-by-step instructions for completing 'Exercise 13-1: Auditing and
Logging' using the command-line interface.
Configuring the Kiwi Syslog Daemon
Use the following procedure to configure the Kiwi Syslog Daemon.
1. Click Start > Programs > Kiwi Enterprises > Kiwi Syslog Daemon > Kiwi Syslog Daemon.
The Kiwi Syslog Daemon opens.
2. Click File.
3. Select Setup.
4. Expand the Inputs node.
5. Click UDP.
6. Check Listen for UDP Syslog messages.
Verify that the UDP Port is set to 514.
Leave all other default settings.
7. Click OK.
Configuring and Viewing the Syslog
Use the following procedure to add and configure the four Configuration Utility tasks:
- Create a Syslog Server on the NetScaler system.
- Create a Syslog Policy on the NetScaler system.
- Run the Save Config command.
- View recent audit messages.
1. Log on to the command-line interface using the nsroot credentials.
2. Add a syslog server and a syslog policy by entering the following command:
add audit syslogAction Ext_Kiwi workstationIP -serverPort 514 -loglevel ALL -logFacility LOCAL0 -tcp All
3. Add a syslog policy on the NetScaler system by entering the following command:
add audit syslogPolicy Ext_Kiwi_policy ns_true Ext_Kiwi
4. Bind the audit policy to the system global to enable audit logging by entering the following
command:
bind system global Ext_Kiwi_policy
5. Save the configuration by entering the following command:
save config
6. Show recent audit messages by entering the following command:
sh audit messages
The results will look like the following text.
NS_Dev_3_10010> sh audit messages
1) 10/07/2008:22:30:44 GMT edulabvpn1
Informational : UI CMD_EXECUTED 96357 : User
nsroot - Remote_ip 0.0.0.0 - Command "save ns
config" - Status "Success"
2) 10/07/2008:22:30:44 GMT edulabvpn1
Informational : TCP CONN_TERMINATE 96358 : Source
192.168.1.3:80 - Destination 192.168.1.21:40284 -
Start Time 10/07/2008:22:30:44 GMT -
End Time 10/07/2008:22:30:44 GMT - Total_bytes_send 0
- Total_bytes_recv 1
3) 10/07/2008:22:30:45 GMT edulabvpn1
Informational : TCP CONN_TERMINATE 96359 : Source
192.168.1.4:80 - Destination 192.168.1.21:17855 -
Start Time 10/07/2008:22:30:45 GMT -
End Time 10/07/2008:22:30:45 GMT - Total_bytes_send 0
- Total_bytes_recv 1
Notice the save ns config command that was run in the previous step.
7. Verify syslog audit messages are received by Kiwi Syslog Daemon.
8. Disable syslog audit logging before continuing to next lab exercise.
unbind system global Ext_Kiwi_policy
This stops syslog audit messages from being sent from the NetScaler to the SyslogManagerIP.
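The following added example (not part of the workbook) parses output in the format of the sample above and pulls out the configuration commands an administrator ran, including any that unbind a policy from system global as the last step does. Records 1 to 3 are the workbook's sample; records 4 and 5 are constructed. The MM/DD/YYYY date order, the read-only verb list, and the function names are assumptions of this example.

```python
import re
from datetime import datetime
from typing import Dict, List

# Records 1-3 are the sample output shown above; 4 and 5 are constructed.
SAMPLE = '''NS_Dev_3_10010> sh audit messages
1) 10/07/2008:22:30:44 GMT edulabvpn1
Informational : UI CMD_EXECUTED 96357 : User
nsroot - Remote_ip 0.0.0.0 - Command "save ns
config" - Status "Success"
2) 10/07/2008:22:30:44 GMT edulabvpn1
Informational : TCP CONN_TERMINATE 96358 : Source
192.168.1.3:80 - Destination 192.168.1.21:40284 -
Start Time 10/07/2008:22:30:44 GMT -
End Time 10/07/2008:22:30:44 GMT - Total_bytes_send 0
- Total_bytes_recv 1
3) 10/07/2008:22:30:45 GMT edulabvpn1
Informational : TCP CONN_TERMINATE 96359 : Source
192.168.1.4:80 - Destination 192.168.1.21:17855 -
Start Time 10/07/2008:22:30:45 GMT -
End Time 10/07/2008:22:30:45 GMT - Total_bytes_send 0
- Total_bytes_recv 1
4) 10/07/2008:22:31:02 GMT edulabvpn1
Informational : UI CMD_EXECUTED 96360 : User
nsroot - Remote_ip 192.168.1.21 - Command "show ns feature" - Status "Success"
5) 10/07/2008:22:31:10 GMT edulabvpn1
Informational : UI CMD_EXECUTED 96361 : User
nsroot - Remote_ip 192.168.1.21 - Command "unbind system
global Ext_Kiwi_policy" - Status "Success"
'''

RECORD_START = re.compile(r"^\s*\d+\)\s")
HEADER = re.compile(
    r"^(?P<seq>\d+)\)\s+(?P<ts>\d\d/\d\d/\d{4}:\d\d:\d\d:\d\d)\s+GMT\s+"
    r"(?P<host>\S+)\s+(?P<level>\w+)\s*:\s*(?P<module>\S+)\s+"
    r"(?P<event>\S+)\s+(?P<id>\d+)\s*:\s*(?P<body>.*)$")
CMD = re.compile(
    r'User (?P<user>\S+) - Remote_ip (?P<remote_ip>\S+) - '
    r'Command "(?P<command>.*)" - Status "(?P<status>[^"]*)"')
READ_ONLY_VERBS = {"show", "sh", "stat"}   # assumed list of non-changing verbs


def split_records(text: str) -> List[str]:
    """Re-join wrapped lines so that each numbered record is one string."""
    records: List[List[str]] = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append([line.strip()])
        elif records and line.strip():
            records[-1].append(line.strip())   # continuation of a wrapped record
        # lines before the first record (the CLI prompt) are ignored
    return [re.sub(r"\s+", " ", " ".join(parts)) for parts in records]


def parse_records(text: str) -> List[Dict[str, object]]:
    """Parse each record header; add command fields for CMD_EXECUTED events."""
    parsed: List[Dict[str, object]] = []
    for raw in split_records(text):
        m = HEADER.match(raw)
        if not m:
            continue
        rec: Dict[str, object] = m.groupdict()
        rec["seq"] = int(m.group("seq"))
        # Assumption: the timestamp is MM/DD/YYYY:HH:MM:SS in GMT.
        rec["time"] = datetime.strptime(m.group("ts"), "%m/%d/%Y:%H:%M:%S")
        if rec["event"] == "CMD_EXECUTED":
            c = CMD.search(m.group("body"))
            if c:
                rec.update(c.groupdict())
        parsed.append(rec)
    return parsed


def config_changes(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Executed commands whose first word is not a read-only verb."""
    return [r for r in records
            if r.get("command")
            and str(r["command"]).split()[0].lower() not in READ_ONLY_VERBS]


def global_unbinds(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Successful 'unbind system global' commands, worth reviewing when the
    unbound policy is the one that forwards audit messages off the box."""
    return [r for r in config_changes(records)
            if re.match(r"unbind\s+system\s+global\b", str(r["command"]))
            and r.get("status") == "Success"]


if __name__ == "__main__":
    for r in config_changes(parse_records(SAMPLE)):
        print(r["time"], r["user"], r["remote_ip"], r["command"], r["status"])
```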
Exercise 13-2: Monitoring
Overview
This exercise demonstrates the process for configuring SNMP settings on the NetScaler system
using both the Configuration Utility and the command-line interface.
Attempt this exercise first on your own before relying on the step-by-step instructions.
Before You Begin
To complete this exercise you will need:
- Access to the Configuration Utility or the command-line interface.
- The IP address of the SNMP manager.
This information can be found in the Student Reference text file located on the desktop.
Estimated time to complete this exercise: 20 minutes
Scenario
MillenialGadgets.com wants to configure SNMP monitoring to track bandwidth utilization of the
web servers to measure the effectiveness of compression.
Exercise Details
During this lab, complete the following tasks:
- Configure SNMP settings.
- SNMP manager
- SNMP community
- Configure SNMP traps.
- Enable a V2 generic trap using the SNMP destination IP address.
- Enable a V2 specific trap using the SNMP destination IP address.
- Configure one or more SNMP alarms.
- Enable an alarm for CONFIG-SAVE.
After you have completed the SNMP configuration above, perform the following tasks to test
SNMP.
- Use the command-line interface or the Configuration Utility to monitor the SNMP alerts.
- Trigger an SNMP alert by saving the configuration.
- Configure the Kiwi Syslog Daemon to capture and view SNMP.
Exercise 13-2: Step-by-Step (Configuration Utility)
This section provides step-by-step instructions for completing 'Exercise 13-2: Monitoring' using the
Configuration Utility.
Configuring an SNMP Manager
Use the following procedure to configure an SNMP manager.
1. Log on to the Configuration Utility using the nsroot credentials.
2. Expand the System node.
3. Expand SNMP in the System pane.
4. Select Managers.
5. Click Add in the SNMP Managers pane.
The Add SNMP Manager dialog box opens.
6. Select Management Host.
7. Type the SNMP Manager IP in the IP Address field.
The SNMP Manager IP address is located in the Student Reference text file.
8. Click Create.
9. Click Close.
The Add SNMP Manager dialog box closes.
Configuring an SNMP Community
Use the following procedure to configure a specific SNMP community name.
1. Select Community in the SNMP node.
2. Click Add in the SNMP Community pane.
The Create SNMP Community dialog box opens.
3. Type ctxtrainsnmp in the Community String field.
4. Select ALL from the permission drop-down list.
5. Click Create.
6. Click Close.
Configuring an SNMP Trap
Use the following procedure to configure a specific SNMP trap and a generic SNMP trap.
1. Select Traps in the SNMP node.
2. Click Add in the SNMP Traps pane.
The Create SNMP Trap Destination dialog box opens.
3. Select Specific in the Type field.
4. Select V2 in the Version field.
5. Type the SNMP IP in the Destination IP address field.
6. Leave the Source IP Address field blank.
The NSIP address is used by default.
7. Type ctxtrainsnmp in the Community Name field.
The community name must match the community string specified when configuring the
SNMP community in this lab.
8. Click Create.
9. Select Generic in the Type field.
10. Select V2 in the Version field.
11. Verify that Community Name is set to ctxtrainsnmp.
The community name must match the community string specified when configuring the
SNMP community in this lab.
12. Click Create.
13. Click Close.
The Create SNMP Community dialog box closes.
Configuring an SNMP Alarm
Use the following procedure to configure an SNMP alarm.
1. Select Alarms in the SNMP node.
2. Select the CONFIG-SAVE alarm.
3. Click Open.
The Configure SNMP Alarm dialog box opens.
4. Verify Enabled is selected.
5. Click OK.
The dialog box closes.
Verifying the SNMP Configuration
Use the following procedure to verify the SNMP configuration.
1. Select the Monitoring tab from the menu along the top menu bar.
2. Select SNMP from the Select Group drop-down list.
3. View the current SNMP statistics being reported. View the total for Trap messages sent.
4. Launch a separate Web browser and connect to the Configuration Utility.
5. Click Save to save the NetScaler configuration.
6. Click Yes to verify the save configuration.
7. Return to the SNMP Statistics page in the NetScaler Monitoring Utility.
a. Click Refresh.
b. Verify that the number of Trap messages sent has increased.
Configuring the Kiwi Syslog Daemon and Viewing SNMP Alerts
Use the following procedure to view SNMP alerts using an SNMP manager.
1. Click Start > Programs > Kiwi Enterprises > Kiwi Syslog Daemon > Kiwi Syslog Daemon.
The Kiwi Syslog Daemon opens.
2. Click File.
3. Select Setup.
4. Expand the Inputs node and click UDP.
5. Clear the check box Listen for UDP Syslog messages.
6. Click SNMP in the Inputs node.
7. Check Listen for SNMP Traps.
8. Enter 162 in the UDP Port field.
9. Select Info from the Syslog Level list.
10. Click Apply.
11. Click OK.
12. Click View.
13. Select Clear display.
14. Click System > Settings > SNMP > Alarms in the Configuration Utility.
15. Select the CONFIG-SAVE alarm.
16. Click Open.
The Configure SNMP Alarm dialog box opens.
17. Verify that Enabled is selected.
18. Click OK.
The dialog box closes.
19. Save the running configuration to send an SNMP trap.
20. View the SNMP traps in the Kiwi Syslog Daemon. The SNMP syslog will look like the
following:
12-02-2008 16:22:43 Local7.Info 172.30.108.5
community=ctxtrainsnmp,
enterprise=1.3.6.1.4.1.5951.1.1.0.28,
enterprise_mib_name=netScalerConfigSave,
uptime=508021, agent_ip=172.29.1.108,
version=Ver2, nsUserName.0=nsroot,
sysIpAddress.0=172.30.108.5
Exercise 13-2: Step-by-Step (Command-Line Interface)
This section provides step-by-step instructions for completing 'Exercise 13-2: Monitoring' using the
command-line interface.
Configuring SNMP Settings
Use the following command-line interface commands to configure an SNMP manager, community,
traps and alarm.
1. Log on to the command-line interface using the nsroot credentials.
2. Configure the SNMP manager by entering the following command:
add snmp manager workstationIP
3. Configure the SNMP community by entering the following command:
add snmp community ctxtrainsnmp ALL
4. Configure the SNMP traps by entering the following commands:
- Specific trap:
add snmp trap specific workstationIP -version V2
-communityName ctxtrainsnmp
- Generic trap:
add snmp trap generic workstationIP -version V2
-communityName ctxtrainsnmp
5. Configure an SNMP alarm by entering the following command:
set snmp alarm CONFIG-SAVE -state ENABLED
6. Save the configuration to trigger an SNMP alert by entering the following command:
save ns config
7. View the SNMP results by entering the following command:
stat snmp
Configuring the Kiwi Syslog Daemon and Viewing SNMP Alerts
Use the procedure in the following table to view SNMP alerts using an SNMP manager.
1. Click Start > Programs > Kiwi Enterprises > Kiwi Syslog Daemon > Kiwi Syslog Daemon.
The Kiwi Syslog Daemon opens.
2. Click File.
3. Select Setup.
4. Expand the Inputs node and click UDP.
5. Clear the check box Listen for UDP Syslog messages.
6. Click SNMP in the Inputs node.
7. Check Listen for SNMP Traps.
8. Enter 162 in the UDP Port field.
9. Select Info from the Syslog Level list.
10. Click Apply.
11. Click OK.
12. Click View.
13. Select Clear display.
14. In the command-line interface, configure an SNMP alarm again by entering the following
command:
set snmp alarm CONFIG-SAVE -state ENABLED
15. Save the configuration to send an SNMP trap by entering the following command:
save ns config
16. View the SNMP traps in the Kiwi Syslog Daemon. The SNMP syslog will look like the
following:
12-02-2008 16:22:43 Local7.Info 172.30.108.5
community=ctxtrainsnmp,
enterprise=1.3.6.1.4.1.5951.1.1.0.28,
enterprise_mib_name=netScalerConfigSave,
uptime=508021, agent_ip=172.29.1.108,
version=Ver2, nsUserName.0=nsroot,
sysIpAddress.0=172.30.108.5
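The trap record shown in the last step of both procedures can be checked by a script instead of by eye. The Python below is an added example, not part of the Citrix workbook: it assumes Kiwi writes records in the layout shown above, and the function names, the second log record, and the expected host, community and user values are constructed for illustration. Because SNMP V2 traps are unauthenticated and carry the community string in cleartext, the check verifies the sending host as well as the community.

```python
import re

# Trap OID for netScalerConfigSave, as shown in the workbook's sample output.
CONFIG_SAVE_OID = "1.3.6.1.4.1.5951.1.1.0.28"
# A record starts with "date time priority host"; any other line continues it.
RECORD_START = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s*(.*)$")

# Constructed sample log: record 1 is the workbook's sample as printed (wrapped);
# record 2 is invented (different host, community and user) to produce findings.
SAMPLE_LOG = """\
12-02-2008 16:22:43 Local7.Info 172.30.108.5
community=ctxtrainsnmp,
enterprise=1.3.6.1.4.1.5951.1.1.0.28,
enterprise_mib_name=netScalerConfigSave,
uptime=508021, agent_ip=172.29.1.108,
version=Ver2, nsUserName.0=nsroot,
sysIpAddress.0=172.30.108.5
12-02-2008 23:41:07 Local7.Info 192.0.2.77 community=public, enterprise=1.3.6.1.4.1.5951.1.1.0.28, enterprise_mib_name=netScalerConfigSave, uptime=1200, agent_ip=192.0.2.77, version=Ver2, nsUserName.0=tempadmin, sysIpAddress.0=192.0.2.77
"""

def parse_records(text):
    """Group wrapped lines into records and split 'key=value,' pairs into a dict."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line.strip())
        if m:
            records.append({"time": m.group(1), "host": m.group(3), "body": m.group(4)})
        elif records and line.strip():
            records[-1]["body"] += " " + line.strip()
    for rec in records:
        pairs = (p.strip().partition("=") for p in rec.pop("body").split(","))
        rec["fields"] = {k: v for k, _, v in pairs if k}
    return records

def config_save_findings(text, allowed_hosts, community, admins):
    """Return one entry per netScalerConfigSave trap, with reasons it looks wrong."""
    out = []
    for rec in parse_records(text):
        f, user = rec["fields"], rec["fields"].get("nsUserName.0")
        if f.get("enterprise") != CONFIG_SAVE_OID:
            continue
        checks = [(rec["host"] in allowed_hosts, "trap from unexpected host"),
                  (f.get("community") == community, "community string mismatch"),
                  (user in admins, "save by unexpected user")]
        reasons = [msg for ok, msg in checks if not ok]
        out.append({"time": rec["time"], "host": rec["host"], "user": user, "reasons": reasons})
    return out

if __name__ == "__main__":
    print(*config_save_findings(SAMPLE_LOG, {"172.30.108.5"}, "ctxtrainsnmp", {"nsroot"}), sep="\n")
```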
831 West Cypress Creek Road Fort Lauderdale, FL 33309 USA (934) 267 3000 www.citrix.com
Rheinweg 9 8200 Schaffhausen Switzerland +41 (0) 32 63377 00 www.citrix.com
Copyright 2011 Citrix Systems, Inc. All rights reserved.
