SPO-007: NetScaler Fundamentals
Self-Paced Learning Labs exercise guide
April 2013

Table of Contents

Overview
  Hands-on Training Module
  Your lab desktop
  Required Lab Credentials
Lab Environment Architecture
Exercise 1: DataStream Load Balancing
Exercise 2: DataStream Content Switching
Exercise 3: Application Visibility
Exercise 4: Policy Enhancements
Exercise 5: Miscellaneous Labs
Bonus Exercise 7: Web Interface on NetScaler

Overview

Hands-on Training Module

Objective:
- Provide hands-on experience configuring the new features in NetScaler 9.3.
- Provide access to the surrounding infrastructure against which the new features are used.
Audience: Primary: Citrix Partners and NetScaler Administrators.

Your lab desktop

When all the servers are started, select the “Win7Client” VM and click on the “Console” tab. Click the “Switch to Remote Desktop” button. If it says “Switch to Default Desktop”, it is already using Remote Desktop and you can leave it as is. It may prompt you to log in once it switches to Remote Desktop; if so, use the training\administrator credentials below.

All of the lab exercises should be completed from within the Win7Client. You will get the best experience if you go to console-fullscreen in XenCenter on the Win7Client VM. You can toggle this by pressing Ctrl+Alt on your keyboard when at the console.

Required Lab Credentials

Below you will find the login credentials required to log in to the Win7Client and execute the lab exercises. Passwords are case sensitive.
Domain/Machine   Username        Password    Description
Training.lab     Administrator   Citrix123   Domain Administrator. Use to log on to the Win7 client, and to the servers if required.
Training.lab     kerberos        Citrix1     Account used for Kerberos authentication.
XenCenter        admin           *           Used to open XenCenter, where all your servers and the NetScaler VPX are running.
NetScaler        nsroot          nsroot      NetScaler admin account.

* Supplied after logging into the training.citrixsynergy.net portal.

Lab Environment Architecture

This section describes the lab environment and the virtual machines that are used.

VM Name         IP Address          Description
AD              192.168.10.11       Windows Server 2008 R2. Domain controller for training.lab, DNS, Kerberos authentication.
Win7Client      192.168.10.13       Windows 7. Client from which all the lab work should be done. The landing VM is only for XenCenter access and to launch the client RDP session.
XenApp          192.168.10.60       XenApp server with some published applications.
SERVER1,2,3     192.168.10.50-52    Windows Server 2008 R2. Runs IIS web server with PHP and a MySQL database server.
NetScaler VPX   192.168.10.20       NetScaler VPX, running 9.3 build 51.5 nCore.

Exercise 1: DataStream Load Balancing

Overview

In this exercise you will see MySQL load balancing working for yourself, and explore each part of the configuration carefully. To save time, this is preconfigured. In the next exercise, we will configure MySQL content switching, thereby exposing the MySQL component in the advanced policy engine, and gain a practical understanding of the benefits NetScaler DataStream can bring.

Step-by-step guide

Estimated time to complete this lab: 15 minutes.

1. Log in to the Win7Client VM as outlined in the “Your lab desktop” section above.
2. Firefox should open automatically and bring you to the NetScaler configuration. Log into the NetScaler Configuration Utility using nsroot as the username and password.
3. Expand the Load Balancing node, click on Virtual Servers, and note that there is a MySQL VServer. Open the MySQL VServer and note the services bound to it, and their state (all should be UP). Open one service from this window.
4. Click ONCE on (i.e. select) the configured monitor and look below the line to see the monitor status. Note the “Last Response” value. Close the Service and VServer windows.
5. Click on “Monitors” under the Load Balancing node.
6. Double-click the pre-configured MySQL monitor and select the Special Parameters tab. Note the values used to verify whether the MySQL server is deemed to be “Up”. What is it checking for?
7. Delete the rule completely, and type in Mysql followed by a period “.”. The advanced policy builder context menu will pop up; the first one may take a second or two.
8. Note that you only have “Response” as an option, as we are checking the health of a service based upon the response to the query above.
9. Double-click “RES” and enter another period “.”. You will see how the policy builder guides you in creating an expression. If you click ONCE on the menu items (or use the arrow keys on your keyboard) you can view the properties of each item.
10. Now that we’ve explored the monitor, we are going to close without saving and continue. Do NOT click the OK button on the Configure Monitor window.
11. Click on “Database Users” under the System node to see the pre-configured database user (nsroot, password: citrix). Without this, MySQL load balancing and MySQL content switching are not possible. It is also not possible to create a SQL monitor with a username that does not exist in this list.
12. Click on the Virtual Servers node under Load Balancing, and click “Refresh” in the top menu bar (next to the breadcrumb trail, not the browser refresh) to double-check that your VServer is still at 100% health before continuing to the next step (in case any inadvertent changes were made to the monitor).
13. Double-click on the MySQL VServer to open its properties. Unbind the Training-DB service and click OK.
14. Open a new tab in Firefox and enter the following IP in the address bar: 192.168.10.50
15. Click the link indicating the MySQL Lab.
16. Click the link labeled “Click here to receive Load Balanced…”.
17. Refresh the browser page. Note that at each refresh, the SQL request is sent to a different back-end DB, which pulls different data from the database. While this has little practical use, it demonstrates that the requests are hitting different back-end databases. The web application on 192.168.10.50, however, is not aware that it is getting data from multiple back-end DB servers. It has only one connection open to the NetScaler VIP, which then distributes (load balances) the connections.

Summary

Key Takeaways

The key takeaways for this exercise are:
- Configuration of the feature, taking into account the SQL-aware health check and configuration of the DB user on the NetScaler appliance. Without the DB user configured, it is not possible to set up a monitor.
- The DB user is stored on the appliance and used by the monitor to log in to every back end, so in a real deployment give it a dedicated, least-privileged account rather than a privileged one.

Exercise 2: DataStream Content Switching

Overview

In this exercise you will add to the existing configuration to configure MySQL content switching, so that the correct SQL query is sent to the correct back-end DB server. You will create three non-directly-addressable VServers and bind one service to each. Next, you will create three Content Switching policies, and lastly a Content Switching VServer; you will bind the policies, set the targets (including a default target for unmatched queries), and test.

Step-by-step guide

Estimated time to complete this lab: 15 minutes.

1. All the necessary services are already configured, so under the Load Balancing node, click on Virtual Servers.
2. Click Add. Choose MySQL as the protocol type. DESELECT the “Directly Addressable” checkbox. The IP and port should be greyed out. (This VServer will not directly receive any requests; they will come from the CS VServer, therefore we don’t need to assign it an IP or port.)
3. Enter “Training” as the name, and select the “Training-DB” service. Click “Create”. The VServer has been created, but the dialog window remains open so we can add more VServers.
4. Type “Sales” in the name box, deselect “Training-DB” and select “Sales-DB”. Click Create.
5. Type “Support” in the name box, deselect “Sales-DB” and select “Support-DB”. Click Create.
6. Now click Close, and verify that there are three VServers, all UP, all with an IP address of 0.0.0.0.
7. Right-click the Content Switching node and choose “Enable Feature”. (It should no longer have a yellow exclamation mark next to the Content Switching menu item.) Click on “Policies” under the Content Switching node, and click Add.
8. Click Configure. Enter training-pol as the expression name and put the following into the Expression box:
   MYSQL.REQ.QUERY.TEXT.CONTAINS("training")
   Click Create for the expression, and Create again to write the policy.
9. The policy will be created, but the dialog box remains open. Replace the word training with sales in the policy name and the expression (no need to click on Configure). Click Create.
10. Replace the word sales with support in the policy name and the expression (no need to click on Configure). Click Create.
11. Click Close, and verify that you have three policies.
12. Click on the Virtual Servers node under Content Switching, and click “Add”.
13. Select MySQL as the protocol and input 3306 for the port, 192.168.10.35 as the IP address, and MySQL-CS as the name. Do not click Create yet!
14. Click Insert Policy, and choose (Default).
15. Click the little green arrow under the Target column and choose MySQL-Roundrobin. This is the VServer which will receive requests that do not match any other policy. We must configure this so that any requests which do not match a policy have somewhere to go.
16. Click Insert Policy once more, choose the Training policy, and then select Training from the Target column.
17. Acknowledge the confirmation prompt. Click Yes.
18. Do the same for Sales and Support. The priority numbers are not important in this example. Click Create.
19. Now click Close.
20. Open a new tab in Firefox, and enter the following IP in the address bar: 192.168.10.50
21. Click the link indicating the MySQL Lab. Enter the IP address of your Content Switching VServer (192.168.10.35) into the IP address box at the top of the page. Training is selected by default; now click “Submit”. The SQL statement and server IP are now prepared. Click the link at the bottom of the page indicating the IP of your Content Switching VServer. Confirm that users from the training department are selected.
22. Click the link at the bottom of the page to change the MySQL parameters. Select the Sales radio button, click Submit, and click the link at the bottom of the page again. Confirm that you see Sales users now.
23. Do the same for Support.
24. Go back to the NetScaler configuration. Open your Content Switching VServer and confirm that you see policy hits on your MySQL content switching policies.

END OF EXERCISE

Summary

Key Takeaways

The key takeaways for this exercise are:
- Using the advanced policy engine to create CS MySQL policies.
- Creating and demonstrating MySQL content switching, and confirming the same via the policy hits in the CS VServer GUI.

If you’re finished early…
- Run “show cs vserver MySQL-CS” and view the policy hits.
- Take a trace of your MySQL transactions and open it in Wireshark. WinSCP and Wireshark are installed on your workstation.
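The routing decision the MySQL-CS VServer makes in this exercise, as an added Python example (not part of the original guide and not a Citrix tool): the three CONTAINS policies are evaluated lowest priority number first, the first match selects the target, and a query that matches none goes to the (Default) target MySQL-Roundrobin. It also shows the caveat behind “the priority numbers are not important in this example”: CONTAINS is a plain substring test over the query text, string literals and comments included, so a query aimed at the sales data that merely mentions “training” in a comment is routed to Training-DB, and once two policies can match one query the priority order decides. The function names, the priorities 100/110/120 and the sample queries are the example’s own assumptions; the expressions and target names are the lab’s.

```python
"""Model of the MySQL content switching decision from Exercise 2.

Added example, not NetScaler code: it mimics how the MySQL-CS VServer
chooses a target. Each policy is (name, priority, substring, target).
Policies are evaluated lowest priority number first; the first match
wins, and a query that matches nothing goes to the default target.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class CsPolicy:
    name: str
    priority: int
    needle: str        # argument of MYSQL.REQ.QUERY.TEXT.CONTAINS(...)
    target: str        # LB vserver bound as the policy's target


# The three policies created in steps 8-11 of the lab. The priorities are
# this example's assumption (the lab says they do not matter for its queries).
LAB_POLICIES = [
    CsPolicy("training-pol", 100, "training", "Training"),
    CsPolicy("sales-pol", 110, "sales", "Sales"),
    CsPolicy("support-pol", 120, "support", "Support"),
]
DEFAULT_TARGET = "MySQL-Roundrobin"     # bound as (Default) in step 15


def contains(query_text: str, needle: str) -> bool:
    """MYSQL.REQ.QUERY.TEXT.CONTAINS is a case-sensitive substring test over
    the raw query text (literals and comments included); model exactly that."""
    return needle in query_text


def choose_target(query_text: str, policies: List[CsPolicy],
                  default: str = DEFAULT_TARGET) -> str:
    """Return the LB vserver the CS vserver would send this query to."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if contains(query_text, pol.needle):
            return pol.target
    return default


def matching_policies(query_text: str, policies: List[CsPolicy]) -> List[str]:
    """Names of every policy whose expression is true for the query.
    More than one name here means the priority order is deciding."""
    return [p.name for p in policies if contains(query_text, p.needle)]


if __name__ == "__main__":
    # Constructed queries in the spirit of the lab's web page (not captured).
    samples = [
        "SELECT * FROM users WHERE dept = 'training'",
        "SELECT * FROM users WHERE dept = 'sales'",
        "SELECT * FROM users",                                   # no match
        "SELECT * FROM users WHERE dept = 'sales' /* training export */",
    ]
    for q in samples:
        print(f"{choose_target(q, LAB_POLICIES):18} <- {q}  "
              f"matches={matching_policies(q, LAB_POLICIES)}")
```

Run it as a script to see the four constructed queries routed. The last one matches two policies and goes wherever the lower priority number points; routing it reliably would need a stricter expression than a bare CONTAINS on the whole query text.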
Traces can be taken from the Configuration Utility under the System Diagnostics node.
- When creating a MySQL Content Switching policy, explore the AppExpert Policy Builder sub-menus. These are Request only. Why?
- Explore the MySQL ECV monitor AppExpert expression builder. These expressions are Response only. Why?

Exercise 3: Application Visibility

Overview

In this exercise you will enable the AppFlow feature, configure the basic parameters for AppFlow, add an AppFlow collector, action and policy to the NetScaler configuration, generate traffic resulting in AppFlow records, and view some of the AppFlow content in third-party AppFlow software.

Step-by-step guide

Estimated time to complete this lab: 10 minutes.

1. In the Configuration Utility, expand System, expand AppFlow, click on Collectors, and click on Add.
2. Enter “collector” as the name, “192.168.10.13” as the IP, and change the default port to 2055. Leave the Net Profile option blank. Click Create, and click Close.
3. Click on Actions under the AppFlow node and click on Add.
4. Select the collector you’ve just added, and give the action a name, e.g. AppFlowAct. Click Create, then Close.
5. Click on Policies under the AppFlow node. Click on Add and give it a name, e.g. AppFlowPol. Choose your recently added action from the dropdown. Enter the following for the expression:
   HTTP.REQ.IS_VALID
6. Click Create.
7. Expand Load Balancing in the NetScaler GUI and select Virtual Servers.
8. Open the www.training.lab virtual server, and select the Policies tab. Click the two angle brackets beside Filter (>>) and choose AppFlow.
9. Click Insert Policy, select your recently added AppFlow policy from the dropdown, and click OK.
10. Now click on Start - All Programs - SolarWinds Real-Time NetFlow Analyzer. If there is nothing under “Interface”, generate some traffic by going to www.training.lab in your web browser. Hit refresh several times.
11. Now you should see your NSIP appear under Interface in the SolarWinds analyzer. Expand the NSIP in SolarWinds, select Interface1, and click “Start Flow Capture”. Click Yes to overwrite the existing file, if prompted.
12. Back in your browser, enter www.training.lab and hit refresh several more times (approx. 10-15).
13. In SolarWinds, expand the node below “Citrix” to see VServers. This gives a breakdown of clients, user agents, requests, etc.

END OF EXERCISE

Summary

Key Takeaways

The key takeaways for this exercise are:
- Understanding AppFlow in general, and how to configure it on the NetScaler appliance.
- AppFlow records are exported as IPFIX over UDP, neither encrypted nor authenticated, and they carry client IPs, URLs and user agents. This lab sends them to the client workstation for convenience; in a real deployment, point the collector at a trusted management network.

If you’re finished early…
1. Verify that the appliance is sending AppFlow records by connecting to the CLI, dropping into the shell, and searching for packets in a network dump. To do this, run the following command from the shell:
   nstcpdump.sh | grep win7client.training.lab | grep UDP
2. Bind the two other HTTP services (Red-Svc & Blue-Svc) to your www.training.lab VServer, make several more GET requests, and view the additional information in SolarWinds.

Exercise 4: Policy Enhancements

Overview

In this exercise you will explore different enhancements and new features (as well as old ones!) in the Advanced Policy Expression Builder, and see how easy it is to configure complex operations using the policy engine. Create these from the CLI using copy and paste, confirm that they work, and then take a look at the config in the Configuration Utility if you have time. CLI, shell, and policy configuration commands are shown on their own lines.

Step-by-step guide – Log Responder Action

Estimated time to complete this lab: 5 minutes.

1. You will now add a responder log action, log it into the newnslog, create the responder action and policy, and verify that it works. Expand System, and click on Auditing in the left-hand menu. Click on Change Global Auditing Settings in the right-hand pane.
2. Check the “User Configurable Log Messages” checkbox, then click OK.
3. Click on Message Actions.
4. Click Add, and give the action a name, e.g. Log-Responder-Action. Choose Informational as the type.
5. Enter the following into the Log Message window:
   "Request from "+CLIENT.IP.SRC+" was redirected to europa.eu, and used this browser: "+HTTP.REQ.HEADER("User-Agent").HTTP_HEADER_SAFE
6. Check the “Log in newnslog” checkbox, click Create and then Close.
7. Now we’ll configure a responder action and policy. Go to the Responder feature, expand it, click on Actions and click Add.
8. Give the action a name, e.g. europa. Choose Redirect as the type. Enter "http://europa.eu/" in the Target box (including the double quotes), and click Create and then Close.
9. Click on Policies under the Responder node, and click on Add. Give it a name, e.g. Redirect-europa, choose the action you’ve just added from the dropdown (europa), and choose the log action configured earlier (Log-Responder-Action). Enter the following as the expression:
   TRUE
10. This means it will always trigger. Click Create and then Close.
11. Bind the policy to your HTTP VServer. To do this, expand the Load Balancing node, click on Virtual Servers, open the www.training.lab VServer, select the Policies tab, and click on Responder.
12. Click “Insert Policy”, select the responder policy you have just added, and click OK.
13. To get access to the logs, establish an SSH session to the NetScaler. On the desktop, double-click on PuTTY. Select NetScaler and click on Open. Log in with nsroot/nsroot. Once logged in, use the following commands to inspect the syslog:
   > shell
   # tail -f /var/log/ns.log
14. In Firefox, open a new tab, enter www.training.lab, and verify that you are redirected.
15. Go back to the PuTTY session and examine the log file to see the log entry.
16. UNBIND the policy when finished with this lab.
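What this responder policy does to one request, and the reason the lab’s log expression passes the User-Agent through HTTP_HEADER_SAFE rather than using it raw, as an added Python example (not part of the original guide and not Citrix code). The User-Agent is chosen by the client; copied into an audit log verbatim, a CR/LF inside it would end the real log line early and append a forged second line. The `header_safe` function below is this example’s own stand-in for that idea, not a copy of the NetScaler operator; the redirect target, the message text and the sample requests are the lab’s or constructed for the example.

```python
"""Added example (Python, not NetScaler code) of what the responder
policy in this lab does to one request, and why the audit message wraps
the User-Agent in HTTP_HEADER_SAFE.

The policy expression is TRUE, so every request to the vserver gets a
302 to http://europa.eu/ and one audit line. The sanitiser below is
this example's own stand-in for the NetScaler operator, not a copy of it.
"""
import re
from typing import Dict, Tuple

REDIRECT_TARGET = "http://europa.eu/"            # target of the "europa" action

# ASCII control characters (CR, LF, NUL, ESC, ...) and DEL never belong in a log line.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def header_safe(value: str) -> str:
    """Escape control characters so the value occupies exactly one log line."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_message(client_ip: str, headers: Dict[str, str]) -> str:
    """Same shape as the lab's message action:
    "Request from "+CLIENT.IP.SRC+" was redirected to europa.eu, and used
    this browser: "+HTTP.REQ.HEADER("User-Agent").HTTP_HEADER_SAFE
    (header names are matched case-sensitively here for brevity)."""
    user_agent = header_safe(headers.get("User-Agent", ""))
    return (f"Request from {client_ip} was redirected to europa.eu, "
            f"and used this browser: {user_agent}")


def respond(client_ip: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Responder policy with expression TRUE, the redirect action and the
    bound log action: returns (status, response headers, audit line)."""
    # Expression TRUE exempts nothing, which is why the lab says to unbind
    # the policy afterwards: nothing else on this vserver stays reachable.
    return 302, {"Location": REDIRECT_TARGET}, log_message(client_ip, headers)


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    benign = {"Host": "www.training.lab",
              "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0"}
    hostile = {"Host": "www.training.lab",
               "User-Agent": "curl/7.29\r\nRequest from 192.168.10.11 was redirected to "
                             "europa.eu, and used this browser: admin-console"}
    for hdrs in (benign, hostile):
        status, resp, line = respond("192.168.10.13", hdrs)
        print(status, resp["Location"])
        print(line)
        assert "\n" not in line        # the forged line stays inside the real one
```

Run it as a script: the second request carries a User-Agent with an embedded CR/LF and a fake audit message, and still produces exactly one log line, with the control characters shown escaped.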
END OF EXERCISE

Step-by-step guide – Cookie Encryption

Estimated time to complete this lab: 10 minutes.

1. You will now encrypt a cookie value, and verify that it is encrypted by viewing the encrypted content via the HTTP headers in your browser tool, and comparing it against what the web server sees. Connect to the load balanced VServer http://www.training.lab/ and click on the link for the Cookie Encryption lab.
2. Now we will add TWO actions, one to encrypt and one to decrypt. Expand the Rewrite node and click on Actions. Click on Add. Put the word “Encrypt” in the action name to avoid confusion later on. Choose REPLACE as the type of action. Enter the following as the expression to choose the target text reference:
   HTTP.RES.SET_COOKIE.COOKIE("CreteCookie").VALUE(0)
   Enter the following as the expression for the replacement text:
   HTTP.RES.SET_COOKIE.COOKIE("CreteCookie").VALUE(0).ENCRYPT
   Tick the Bypass Safety Check tickbox. Note that we encrypt the response and decrypt the request. Please ask a member of staff if you want this clarified.
3. Now configure the Decrypt action in a similar fashion. Click on Add again and put the word “Decrypt” in the action name. Choose REPLACE as the type of action. Enter the following as the expression to choose the target text reference:
   HTTP.REQ.COOKIE.VALUE("CreteCookie")
   Enter the following as the expression for the replacement text:
   HTTP.REQ.COOKIE.VALUE("CreteCookie").DECRYPT
   Tick the Bypass Safety Check tickbox.
4. Now we will create policies which call the rewrite actions. Navigate to Policies under the Rewrite node, and click Add. Put the word “Encrypt_pol” in the policy name to avoid confusion later on. Enter the following for the expression:
   HTTP.RES.HEADER("Set-Cookie").CONTAINS("CreteCookie")
   and choose the Encrypt action, then click OK.
5. Likewise for the Decrypt policy. Enter the following for the expression:
   HTTP.REQ.HEADER("Cookie").CONTAINS("CreteCookie")
   and choose the Decrypt action.
6. Lastly we will bind the policies to our VServer before testing the feature. We will use the Policy Manager to do this.
7. Click on HTTP, Request, LB Virtual Server, select www.training.lab, Insert Policy, choose the DECRYPT policy, and click Apply. Do not close.
8. Now click on the Response flow under HTTP. Click Insert Policy, and choose your ENCRYPT policy. Click Apply Changes and close the window.
9. Open a NEW Firefox window, not a tab. In the address bar, access the virtual server URL: http://www.training.lab/ Select the Cookie Encryption lab link. A simple form should be displayed. NOTE: The form will display the cookie name and content as read by the web server. (It’s a session cookie which only lives as long as your browser is open.)
10. In Firefox, launch the HTTPFox add-on.
11. Click on Start.
12. In the HTML form, enter ‘CreteCookie’ (case sensitive) for the cookie name (to relate to the rewrite policies above) and anything you want in the value field. Click Add Cookie in the form window.
13. The form should now display the cookie and the value.
14. However, when you view your HTTP headers (HTTPFox) in the browser, you will see that the cookie content has been encrypted as far as the client is concerned, but the web server sees the plaintext. To verify this, click on the Cookies tab in HTTPFox.

END OF EXERCISE

Exercise 5: Miscellaneous Labs

Overview

In the first sub-exercise, you will learn how to disable a service gracefully. In the second sub-exercise, you will look at how we can decide not to use a health check to keep a service in the “up” state.

Step-by-step guide – Disable a service gracefully

In this lab, we are going to run an RDP session to a client through a NetScaler VServer. We will “gracefully” disable the single service that is bound to the VServer while still connected with the RDP client, and note that the session does not terminate.

Estimated time to complete this lab: 5 minutes.

1. Drill down to Virtual Servers under the Load Balancing node in the Configuration Utility. You will see that the RDP virtual server is DOWN.
2. This is because the service is set to disabled. Let’s re-enable the service. In the Load Balancing section, select Services.
3. Right-click on the Red-RDP service and click Enable. Click YES at the prompt.
4. Verify the service is now UP.
5. Click on Virtual Servers under Load Balancing and make sure the RDP-VServer is now UP.
6. Open an RDP client on your workstation and enter the IP address 192.168.10.35. Log in with user ID training\administrator and password Citrix123. A shortcut for the RDP client should be on the desktop. NOTE: You might receive a warning stating that the identity of the remote computer cannot be verified. Click YES on the warning.
7. Minimize the RDP session so you can see your NetScaler configuration. Navigate to Load Balancing -> Services. Right-click on the Red-RDP service, choose Disable, and select the Graceful checkbox. Put 300 in the “Wait Time” box and click OK.
8. Ensure that the service is highlighted, and look at the properties at the bottom of the window. The current state now reads: GOING OUT OF SERVICE.
9. As soon as you close your RDP session, the service will transition to Out of Service, as this was the only connection flowing through this virtual server. The difference between graceful and non-graceful is that with graceful, the service goes into the Out of Service state as soon as there are no connections. Non-graceful will complete the countdown regardless of the fact that there are no more open connections.
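Returning to the Cookie Encryption lab above: the encrypt-on-response, decrypt-on-request pattern as an added Python example (not part of the original guide and not Citrix code). It shows why the two rewrite actions sit on opposite flows, and the property a practitioner should expect from an encrypted cookie that the lab does not spell out: a value the client has edited must be detected and dropped, not decrypted into garbage and handed to the web server. The cipher here is the example’s own construction (HMAC-SHA256 in counter mode as a keystream, encrypt-then-MAC with a second HMAC) chosen so it runs with the standard library alone; it is not how NetScaler’s ENCRYPT and DECRYPT operators work internally, and a production gateway should use a real AEAD such as AES-GCM. The cookie name is the lab’s; the key, nonce length, tag length, function names and sample values are the example’s assumptions.

```python
"""Added example (Python, not NetScaler code): the encrypt-on-response,
decrypt-on-request pattern from the Cookie Encryption lab as two gateway
functions. Outbound, the value of CreteCookie in Set-Cookie is replaced
by ciphertext; inbound, the ciphertext in Cookie is replaced by the
plaintext, so the client only ever holds the encrypted form and the web
server only ever sees the plaintext. The cipher is this example's own
stand-in (HMAC-SHA256 keystream, encrypt-then-MAC); use AES-GCM in
production. The MAC is what catches a client who edits the cookie."""
import base64
import hashlib
import hmac
import os
from typing import Optional

COOKIE_NAME = "CreteCookie"      # the name the lab's rewrite policies look for
NONCE_LEN = 12
TAG_LEN = 16


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64d(token: str) -> bytes:
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def encrypt_value(key: bytes, plaintext: str, nonce: Optional[bytes] = None) -> str:
    """Cookie-safe token: base64url(nonce || ciphertext || tag)."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    pt = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_subkey(key, b"enc"), nonce, len(pt))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return _b64e(nonce + ct + tag)


def decrypt_value(key: bytes, token: str) -> Optional[str]:
    """Inverse of encrypt_value; None if the token was altered or is foreign."""
    try:
        raw = _b64d(token)
    except (ValueError, TypeError):
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # authenticate before decrypting
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))
    return pt.decode("utf-8", errors="replace")


def rewrite_set_cookie(key: bytes, set_cookie: str) -> str:
    """Response flow (the Encrypt action): Set-Cookie header in, header out
    with the CreteCookie value replaced by its token; other cookies untouched."""
    name, sep, rest = set_cookie.partition("=")
    if not sep or name.strip() != COOKIE_NAME:
        return set_cookie
    value, semi, attrs = rest.partition(";")
    return f"{name}={encrypt_value(key, value)}{semi}{attrs}"


def rewrite_cookie(key: bytes, cookie: str) -> str:
    """Request flow (the Decrypt action): Cookie header in, header out with
    the token replaced by the plaintext. A value that fails authentication
    is removed rather than forwarded to the server."""
    kept = []
    for part in (p.strip() for p in cookie.split(";")):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if sep and name == COOKIE_NAME:
            plain = decrypt_value(key, value)
            if plain is None:
                continue
            part = f"{name}={plain}"
        kept.append(part)
    return "; ".join(kept)


def flip_ciphertext_byte(token: str, offset: int = 0) -> str:
    """What a client who edits the encrypted cookie sends back: the same
    token with one ciphertext byte changed."""
    raw = bytearray(_b64d(token))
    raw[NONCE_LEN + offset] ^= 0x01
    return _b64e(bytes(raw))


if __name__ == "__main__":
    key = os.urandom(32)                        # the gateway's secret
    out = rewrite_set_cookie(key, "CreteCookie=lab-user-42; Path=/")
    token = out[len("CreteCookie="):out.index(";")]
    print("client stores :", out)
    print("server sees   :", rewrite_cookie(key, f"CreteCookie={token}; other=1"))
    print("after tamper  :", rewrite_cookie(key, f"CreteCookie={flip_ciphertext_byte(token)}; other=1"))
```

Run it as a script to see the three views the lab compares in HTTPFox: the token the browser stores, the plaintext the server receives, and what the server receives when the stored token has been modified (the cookie is simply absent). Without the tag, a stream cipher like this one would be malleable: flipping a ciphertext byte flips the same plaintext byte, which is exactly what the MAC check prevents.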
END OF EXERCISE

Step-by-step guide – Skip a service health check

This lab will demonstrate how

Estimated time to complete this lab: 5 minutes.

1. Enable the Red-RDP service.
2. Open the Red-RDP service and note the monitor that is bound.
3. Deselect the “Enable Health Monitoring” checkbox.
4. Enter 192.168.10.123 in the Server box (a non-existent server) and click OK.
5. Note that the service remains UP, even though there is no such server.
6. You can verify this by attempting to RDP to the VServer once more: 192.168.10.35. The connection will time out.

END OF EXERCISE

Bonus Exercise 7: Web Interface on NetScaler

Overview

In this exercise you will use the wizard to add a WI site. WI on NS is already installed on your NetScaler. There is a XenApp server in your environment configured with one published application. We will run through the wizard to create a WI site on the NetScaler, which AGEE will utilize.

The following components have been pre-configured on your appliance:
- SSL VPN and SSL certificate with LDAP authentication.
- Default session policy bound to SSL VPN.
- XenApp server with published applications.

Step-by-step guide – XenApp Web Interface on NetScaler

Estimated time to complete this lab: 5 minutes.

1. Locate the Web Interface on NetScaler wizard in the Configuration Utility and start it.
2. In the Install Web Interface section, select to browse locally and navigate to the c:\temp\tools directory. Provide the following parameters:
   Web Interface Tar File Path: c:\temp\Tool\nswi-1.5.tgz
   JRE Tar File Path: C:\temp\Tools\diablo-latte-freebsd6-amd64-1.6.0_07-b02.tar.bz2
   Maximum number of sites: 3
   Click Next.
3. Wait until the packages are installed and click OK to continue.
4. In the Configure Web Interface section, leave all the fields at their defaults, except the Default Access Method. Select Gateway Direct.
5. Click “Next” and configure the following entries, leaving everything else at the wizard defaults. Under “Access Method” choose Gateway Direct mode.
6. Ensure that the Access Gateway VServer (vpn.training.lab) is selected from the dropdown, “Add DNS Entry” and “Trust SSL certificate” are selected, and the STA Server URL is http://192.168.10.60. Click Next.
7. In the Configure Access Methods section, leave the default entry: Gateway Direct. Click on Next to continue.
8. In the Configure XenApp/XenDesktop farm section, click “Add” to configure your XML Service addresses.
9. Enter FARM as the XenApp farm name, 192.168.10.60 as the XML Service address, and click “Create”.
10. Click “Next”, review the summary, and click Finish.
11. Web Interface on NetScaler is now installed and configured. Click on Exit.

END OF EXERCISE

Revision History

Revision   Change Description   Updated By      Date
1.0        Original Version     Rónán O'Brien   Oct/2012
1.1        Update for v10       David Jimenez   Apr/2013

About Citrix

Citrix Systems, Inc. (NASDAQ:CTXS) is the leading provider of virtualization, networking and software as a service technologies for more than 230,000 organizations worldwide. Its Citrix Delivery Center, Citrix Cloud Center (C3) and Citrix Online Services product families radically simplify computing for millions of users, delivering applications as an on-demand service to any user, in any location on any device. Citrix customers include the world’s largest Internet companies, 99 percent of Fortune Global 500 enterprises, and hundreds of thousands of small businesses and prosumers worldwide. Citrix partners with over 10,000 companies worldwide in more than 100 countries. Founded in 1989, annual revenue in 2008 was $1.6 billion. http://www.citrix.com

© 2013 Citrix Systems, Inc. All rights reserved.

Citrix®, Citrix Delivery Center™, Citrix Cloud Center™, XenApp™, XenServer™, NetScaler®, XenDesktop™, Citrix Repeater™, Citrix Receiver™, Citrix Workflow Studio™, GoToMyPC®, GoToAssist®, GoToMeeting®, GoToWebinar®, GoView™ and HiDef Corporate™ are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners.