Partner Workshop Support: NetScaler ADC Fundamentals
David Jimenez, Senior Technical Readiness Specialist

Agenda
Day 1 (NetScaler Fundamental Concepts)
• Module 1 – Core Configuration (Lab)
• Module 2 – Traffic Management (Lab)
• Module 3 – SSL (Lab)
Day 2 (NetScaler Intermediate Concepts)
• Module 4 – Optimization (Slides)
• Module 5 – Rewrite and Responder (Labs)
• Module 6 – DataStream (Labs)
• Module 7 – SDX (Slides)
• Module 8 – Troubleshooting (Slides)
© 2012 Citrix | Confidential – Do Not Distribute

Core Configuration

Hardware and Components

NetScaler Hardware
• MPX 5500
• VPX
• MPX 7500 and MPX 9500
• MPX 10500/12500/15000/15500
• MPX 17000/17500/19500/21500
• SDX

Differences Between MPX and VPX
• Three main differences exist between MPX and VPX:
ᵒ System capacity
ᵒ Performance
ᵒ Tagged VLAN configuration
• NetScaler VPX system capacity:
ᵒ No hardware SSL acceleration
ᵒ Processing is not offloaded to dedicated silicon

When to Use Which?
NetScaler Appliances (MPX)
• Gig+ performance
• High volume SSL offload
• >100 SSL VPN CCUs
• FIPS requirements
• Physical device security
NetScaler VPX
• Labs/test environments
• Development environments
• "Datacenter-in-a-box"
• CPU-intensive workloads
• Frequently moved apps
• Fast/remote deployment

NetScaler SDX
• Instances, not partitions
• Complete CPU isolation
• Complete memory isolation
• Version independence
• High availability independence
• Lifecycle independence

Architecture

Overview of the NetScaler Architecture
• The NetScaler design is based on a layered model between the NetScaler kernel and the BSD operating system
• The NetScaler kernel operates below the BSD kernel and controls:
ᵒ Timeslicing for BSD
ᵒ Network access
ᵒ SNMP and syslog processing
ᵒ SSL offload
• BSD manages:
ᵒ The boot process
ᵒ Filesystem access
ᵒ Long-term logging

Initial Setup

Networking Concepts

Network Topologies: One-Armed
[Figure: one-armed topology; numbered flow 1. User request, 2. User request, 3. Response, 4. Response between the Public/Front VLAN and the Private/Server VLAN]
• One-armed topologies have several benefits:
ᵒ Simple: one physical interface and no risk of bridge loops
ᵒ May make use of one or many VLANs with 802.1q tagging
ᵒ Can make use of link aggregation to satisfy bandwidth requirements
ᵒ Very few failure modes, easing HA failure analysis
• If you are able to, one-armed topologies are the preferred method of deploying NetScaler in most environments, and are what we will use today

Network Topologies: Two-Armed
[Figure: two-armed topology; Public/Front VLAN on one side and Private/Server VLAN on the other, with the same numbered flow 1. User request, 2. User request, 3. Response, 4. Response]
• Two-armed topologies work in situations where one-armed does not:
ᵒ Allows layer 3 style deployments with split subnets (as shown)
ᵒ Allows layer 2 style deployments with one subnet on both sides
ᵒ Supports transparent compression and SSL offload
ᵒ Supports USIP (Use Source IP) processing without server changes
• The most common implementation of two-armed topologies is when a NetScaler is replacing another legacy two-armed device in a network

NetScaler Owned IP Addresses
• The NetScaler uses a set of IP addresses to communicate with other devices
• These IP addresses also enable NetScaler to abstract backend servers and multiplex connections
• IP addresses owned by NetScaler are:
ᵒ NSIP: NetScaler IP address
ᵒ MIP: Mapped IP address
ᵒ SNIP: Subnet IP address
ᵒ VIP: Virtual IP address / vserver IP address
ᵒ GSLB site IP address

NetScaler Owned IP Addresses
• NetScaler IP Address (NSIP)
ᵒ Unique IP address of the NetScaler system
ᵒ Commonly referred to as the management IP address
ᵒ The NetScaler can be accessed via this IP address
ᵒ The NetScaler can possess only a single NetScaler IP address
ᵒ Added when configuring the NetScaler for the first time
ᵒ Reboot the NetScaler system after modifying this IP address
ᵒ The NetScaler IP address is mandatory configuration

NetScaler Owned IP Addresses
• Mapped IP Address (MIP)
ᵒ Mapped IP addresses (MIP) are used for server-side connections (communicating with servers) and Reverse NAT
ᵒ The Mapped IP address is NOT the IP address of the NetScaler system
ᵒ Refer to the "Using Mapped IP Addresses" section of the documentation for more details on managing MIPs

NetScaler Owned IP Addresses
• Subnet IP Address (SNIP)
ᵒ This allows the user to access a NetScaler system from an external host that resides on another subnet
ᵒ When a SNIP address is added, a corresponding route entry is made in the route table
ᵒ Only one such entry is made per subnet, and the route entry corresponds to the first IP address added in the subnet
ᵒ Unlike NSIP and MIP, it is not mandatory to specify the Subnet IP address (SNIP) during the initial configuration of the NetScaler system

NetScaler Owned IP Addresses
• Virtual Server IP Address (VIP)
ᵒ The Virtual Server IP address (VIP) is the IP address associated with a vserver
ᵒ This is the normal method for configuring explicit services
ᵒ Like SNIP, it is not mandatory to specify the Virtual Server IP address during the initial configuration of the NetScaler
ᵒ ARP and ICMP attributes on this IP address allow users to host the same vserver on multiple NetScaler systems that reside on the same broadcast domain

NetScaler Owned IP Addresses
• GSLB Site IP Address
ᵒ Use the add GSLB site command to add this IP address
ᵒ This address is used for GSLB local site configuration
• Cluster IP Address (CLIP)
ᵒ Use the add CLIP command to add this IP address
ᵒ This address is used for cluster configuration

NetScaler System Networking Overview
• The NetScaler system is fundamentally a TCP proxy at layer 4 that reuses connections to the server
• This reuse is done by proxying, at layer 3, the IP address of the client that the server sees

Client IP Address to Virtual IP Address
[Figure: the client (client IP) connects to the Citrix NetScaler VIP; the NetScaler connects to the backend server (server IP) from its MIP/SNIP]

NetScaler Networking
[Figure, left panel: typical network endpoint device with NIC 1 (MAC 1, IP address 1) and NIC 2 (MAC 2, IP address 2) on Subnet B; each data interface (MAC) sends and receives for a bound IP address]
[Figure, right panel: Citrix NetScaler with NIC 1 (MAC 1) and NIC 2 (MAC 2) on Subnet A, holding IP address 1 … IP address n; each data interface (MAC) can send and receive for all IP addresses]

NetScaler Modes
• Layer-3 mode
• Layer-2 mode
• MAC-based forwarding
• USIP

Routing Traffic Using Layer 3 Mode
Layer 3 mode:
• Is enabled by default
• Is used to make traffic routing decisions

Routing Traffic Using Layer 2 Mode
• The NetScaler system forwards data that is not addressed to its MAC address when running in Layer 2 mode
• The exceptions to this forwarding behavior are:
ᵒ Broadcasts received on an interface associated with a VLAN
ᵒ ICMP and UDP traffic that exceeds the value set for packet rate filters
Note: L2 mode should be avoided

MAC-Based Forwarding Mode
[Figure: VIP vserver-LB-1 (IP address 10.102.29.13) behind Router 1 (MAC address 00:01::e6:ff0d:69, IP address 10.10.1.2) and Router 2 (MAC address 00:01::e6:ff0d:67, IP address 10.10.1.1); Server 1 with service-ANY-1 and Server 2 (MAC address 00:01::e6:ff0d:68) with service-ANY-2, both at IP address 10.10.1.1; IP and MAC addresses are cached]

Sending a Client IP Address to Servers and Use Source IP Mode
• The NetScaler system supports the insertion of a custom HTTP header carrying the original IP address of the client, which can be extracted for logging or by applications that need it
• Use Source IP (USIP) mode:
ᵒ Is OFF by default
ᵒ Must have surge protection disabled
ᵒ Should be avoided

Reverse Network Address Translation
• Reverse Network Address Translation (RNAT) allows server-side addresses to be translated to the MIP or a SNIP address of the NetScaler system when servers send data through the system
• File Transfer Protocol (FTP) is supported by RNAT

RNAT Example
Client (200.200.200.1) on the Internet; NetScaler MIP address 100.100.100.1; backend server (192.168.1.1) on the private network.

Packet                                    | Source IP address | Destination IP address
Packet generated by the backend server    | 192.168.1.1       | 200.200.200.1
Packet received by the client after RNAT  | 100.100.100.1     | 200.200.200.1
Response packet from client               | 200.200.200.1     | 100.100.100.1
Packet received by the server after RNAT  | 200.200.200.1     | 192.168.1.1

Command Line Basics

GUI / CLI
• Access the GUI by going to the NSIP
• Access the CLI through an SSH client (PuTTY)
• Access the file system through an SFTP client (WinSCP)

Key CLI Commands
• > show run
• > show route
• > show ns feature
• > show ns mode
• > show ha node
• > show license

Running Config, Saved Config
• ns.conf is loaded on startup
• Changes are reflected in the running config
• Changes must be committed to the saved config

CLI Configuration Toolset
• On-board command line interface: NSCLI
ᵒ Default shell for the nsroot user
ᵒ Command "hierarchy":
• Basic commands at the top (service, vserver, vlan, system, tunnel, vpn...)
• Remaining commands in functional sub-groups (lb, ssl, cs, cr, dos, snmp...)
• Verb-object style
ᵒ Commands are stored in /nsconfig/ns.conf via the save config command
• FreeBSD shell

Command Line Interfaces
• > NSCLI, e.g., train_73>
• # FreeBSD, e.g., root@ns#
ᵒ To get here from the NSCLI: > shell
• Use this command to move to the FreeBSD command prompt, where FreeBSD commands may be entered
• Press the <Control> + <D> keys or type "exit" to return to the Citrix NetScaler system CLI prompt

CLI Look and Feel
• Command abbreviation
ᵒ The first few letters of a CLI command are sufficient to invoke it, provided they are unique. For example, enter sh for the command show
• Command completion
ᵒ Entering a partial command followed by a question mark displays all commands matching the partial command. For example, entering sh? displays shell, show and shutdown (on successive lines)
• Command help
ᵒ Help displays a syntax description of any CLI command
• Command history
ᵒ History displays up to the last 100 previous commands

NSCLI - Command Abbreviation
• Command abbreviation
ᵒ Group name is (usually) optional
ᵒ <action> and <entity> can be shortened to the shortest unique prefix
ᵒ Spaces between <action>, <cmdgroup> and <entity> are optional
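The three abbreviation rules above, implemented as an added example (not part of the deck and not NetScaler's own parser) over a small constructed subset of the command hierarchy; the ACTIONS, GROUPS and ENTITIES lists are assumptions chosen to reproduce the slide's cases:

```python
"""Resolve NSCLI-style abbreviated commands against a small command table.

Added example, not NetScaler's parser: ACTIONS/GROUPS/ENTITIES are a constructed
subset of the real hierarchy, enough to show the rules on the slide (shortest
unique prefix, optional group name, optional spaces between parts)."""

ACTIONS = ["add", "show", "shell", "shutdown", "set", "save", "rm"]
GROUPS = ["lb", "cs", "ssl", "policy", "ns"]         # group name is usually optional
ENTITIES = ["vserver", "server", "service", "expression", "monitor", "node", "config", "ip"]
STANDALONE = {"shell", "shutdown"}                  # actions that take no group or entity


def matches(prefix, words):
    """All words the prefix could stand for (what `sh?` lists for the actions)."""
    return sorted(w for w in words if w.startswith(prefix))


def resolve(cmd):
    """Return the sorted list of full commands an abbreviated line could mean.

    One result means the abbreviation is unique; several mean it is ambiguous and
    the group name (or more letters) is needed, as with `shlbv` versus `shcsv`."""
    compact = "".join(cmd.split())        # spaces between the parts are optional
    found = set()
    for i in range(1, len(compact) + 1):
        rest = compact[i:]
        for action in matches(compact[:i], ACTIONS):
            if action in STANDALONE:
                if not rest:
                    found.add(action)
                continue
            if not rest:
                continue                  # add/show/set/save need an entity
            # form 1: <action><entity> with the group name omitted
            for entity in matches(rest, ENTITIES):
                found.add(f"{action} {entity}")
            # form 2: <action><group><entity>
            for j in range(1, len(rest)):
                for group in matches(rest[:j], GROUPS):
                    for entity in matches(rest[j:], ENTITIES):
                        found.add(f"{action} {group} {entity}")
    return sorted(found)


if __name__ == "__main__":
    for line in ("add policy expression", "add exp", "ae", "shlbv", "shcsv", "shs", "sh"):
        print(f"{line!r:24} -> {resolve(line)}")
    print("sh? ->", matches("sh", ACTIONS))
```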
• Example 1:
  > add policy expression
  > add expression
  > add exp
  > ae
• Example 2:
  > show lb vservers
  > shlbv (group name needed, as "shcsv" also exists)

CLI - Look and Feel
• CLI navigation
ᵒ Familiar file system access through the BSD shell
ᵒ <Tab> key: command completion
ᵒ <?> key: help, matching commands with the same prefix
ᵒ <Ctrl>+<a> keys: move the cursor to the beginning of the line
ᵒ <Ctrl>+<e> keys: move the cursor to the end of the line
ᵒ <Ctrl>+<u> keys: clear the entire line, regardless of cursor position

CLI - Additional Features
• NSCLI can indicate the location of a syntax error with carets:
  > add vserver vs1 htto 10.101.4.99 80
                    ^^^^
  ERROR: invalid argument value [serviceType, htto]
  > add server s1
                 ^
  ERROR: required argument missing
  Usage: add server <name> <IPAddress> [-state ( ENABLED | DISABLED )]

CLI - Additional Features
• Built-in help and man:
ᵒ > help <commandName>: full usage of a specific command
ᵒ > help <groupName>: brief usage of a group of commands
ᵒ > help -all: brief usage of all NSCLI commands
ᵒ > man <command>: full syntax and description of a command
• NetScaler help is ALWAYS correct (it is driven by the NSCLI parser)

CLI - MAN Pages
• Additional syntax beyond the help statements
• Issued from the CLI:
ᵒ > man add system user

NSCLI - Show Example
> show interface 1/1
Interface 1/1 (NIC 1/dc1) Digital 21143-xD Fast Ethernet
   flags=0xc000 <ENABLED, UP, autoneg, HAMON, 802.1q>
   MTU=1514, native vlan=1, MAC=00:c0:95:ca:68:61, uptime 152h06m52s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl NONE
   Actual: media UTP, speed 100, duplex FULL, fctl NONE
   RX: Pkts(17286791) Bytes(1045065936) Errs(0) Drops(279372)
   TX: Pkts(2968184) Bytes(377036331) Errs(0) Drops(1)
   NIC: InDisc(0) OutDisc(0) Fctls(0) Hangs(0)
Done
CLI - Example Commands
> show info
> set ns config -httpport 80
> show runningconfig
> add ns ip 10.0.100.43 255.255.255.0   (add a subnet IP on a directly attached network)
> set rnat 10.0.100.0                   (enable RNAT for a private network)
> show route                            (show routes)
> shell                                 (access the FreeBSD prompt)
> batch -fileName lb.txt -outFile error.log   (execute all the lines in lb.txt as CLI commands and capture the output in error.log)
> reboot
> quit

Licensing

NetScaler Offerings
Packaged for broad adoption for all users:
• Standard Edition: comprehensive L4-7 load balancing that optimizes expensive server and network resources to reduce cost
• Enterprise Edition: web application delivery solution providing advanced traffic management and powerful application acceleration
• Platinum Edition: web application delivery solution designed to deliver mission-critical applications with web application firewall security, fastest performance, and lowest cost

NetScaler Licensing
Appliance licensing:
• One license per appliance (physical or virtual)
• Ability to upgrade throughput via a license within each physical MPX/SDX appliance
• The license file determines the available features and system performance limits to enable on the appliance

License Files
• Licenses are activated and downloaded to the appliance from MyCitrix, a self-service portal
• There is no central license server; the license file is hosted on the NetScaler appliance
• NetScaler MPX: license file
• NetScaler VPX: license file
• NetScaler SDX: license file + instance license files

NetScaler Feature Matrix

NetScaler – Platform Availability
Model | MPX Standard | MPX Enterprise | MPX Platinum | SDX
5500  | YES | YES | YES | NO
7500  | YES | YES | YES | NO
9500  | YES | YES | YES | NO
9700  | YES | YES | YES | NO
10500 | YES | YES | YES | NO
11500 | YES | YES | YES | YES
12500 | YES | YES | YES | NO
13500 | YES | YES | YES | YES
14500 | YES | YES | YES | YES
15500 | YES | YES | YES | NO
16500 | YES | YES | YES | YES
17500 | YES | YES | YES | YES
17550 | YES | YES | YES | YES
18500 | YES | YES | YES | YES
19500 | YES | YES | YES | YES
19550 | YES | YES | YES | YES
20550 | YES | YES | YES | YES
21500 | YES | YES | YES | YES
21550 | YES | YES | YES | YES

NetScaler Accessories Availability
[Table: availability of power supply AC, power supply DC, rail kit (standard), rail kit tool-less 24 inch, rail adaptor (round hole), rail adaptor (2 post rack), short rail kit, hard disk drive, solid state HDD, flash card HDD+FC, SFP fiber SR 4-pack, SFP fiber LR single, SFP copper, 10G SFP+ SR (300m) single and 10G SFP+ LR (10km) single, by platform (MPX5500, MPX7500-9500, MPX10500-15500, MPX17500-21550); the per-cell Available / Not available values are not recoverable from this extraction]

Software License Option Availability
NetScaler software license options (via software license; new per-unit license pricing):
Option                                              | Standard        | Enterprise      | Platinum
AppCompress                                         | Additional Cost | Included        | Included
GSLB                                                | Additional Cost | Included        | Included
Application Firewall                                | N/A             | Additional Cost | Included
AppCache (MPX 5500/7500, 7000 series)               | N/A             | Additional Cost | Included
AppCache (excluding MPX 5500/7500, 7000 series)     | N/A             | Additional Cost | Included
EdgeSight for NetScaler                             | N/A             | Additional Cost | Included

NetScaler Cloud Bridge Offering
NetScaler Cloud Bridge pricing:
Product                | HTTP throughput | Branch Repeater VPX license entitlements
Cloud Bridge VPX 10    | 10 Mbps         | 1 Branch Repeater VPX 10
Cloud Bridge VPX 200   | 200 Mbps        | 4 Branch Repeater VPX 45
Cloud Bridge MPX 7500  | 500 Mbps        | 10 Branch Repeater VPX 45

NetScaler Cloud Bridge Feature Comparisons
[Table: product features compared for NetScaler and CloudBridge; the per-product marks are not recoverable from this extraction]
• L4-7 traffic management (NS-S TM functionality)
• Global server load balancing
• Site-to-site WAN optimization (via inclusion of BRVPX)
• Secure, transparent L2/3 bridge
• Access Gateway (SSL VPN)
• Content compression (user-facing)
• Content caching (user-facing)
• Web application firewall
• EdgeSight for NetScaler

NetScaler VPX Availability
• 5 VPX appliances available
• VPX Express*: 1 Mbps (free)
• VPX10: 10 Mbps
• VPX200: 200 Mbps
• VPX1000: 1 Gbps
• VPX3000: 3 Gbps
• All platform licenses are available in all models (Standard, Enterprise, Platinum)
*Not available in Service Provider Licensing

NetScaler MPX FIPS Pricing
Model           | Standard Edition | Enterprise Edition | Platinum Edition
NS 9010 FIPS    | N/A | YES | YES
MPX 9700 FIPS   | YES | YES | YES
MPX 10500 FIPS  | YES | YES | YES
MPX 12500 FIPS  | YES | YES | YES
MPX 15500 FIPS  | YES | YES | YES

Citrix Application Firewall Availability
Application Firewall platform   | Appliance | Throughput
App Firewall 5500 Platform      | MPX 5500  | 500 Mbps
App Firewall 7500 Platform      | MPX 7500  | 1 Gbps
App Firewall 9500 Platform      | MPX 9500  | 2 Gbps
App Firewall 10500 Platform     | MPX 10500 | 3 Gbps
App Firewall 12500 Platform     | MPX 12500 | 5 Gbps

NetScaler Upgrades

NetScaler - Platform Upgrade Availability (MPX)
The following MPX upgrades are available via software license in Standard, Enterprise and Platinum editions:
• MPX 7500 to MPX 9500
• MPX 10500 to MPX 12500
• MPX 10500 to MPX 15500
• MPX 11500 to MPX 13500
• MPX 11500 to MPX 14500
• MPX 11500 to MPX 16500
• MPX 11500 to MPX 18500
• MPX 11500 to MPX 20500
• MPX 12500 to MPX 15500
• MPX 13500 to MPX 14500
• MPX 13500 to MPX 16500
• MPX 13500 to MPX 18500
• MPX 13500 to MPX 20500
• MPX 14500 to MPX 16500
• MPX 14500 to MPX 18500
• MPX 14500 to MPX 20500
• MPX 16500 to MPX 18500
• MPX 16500 to MPX 20500
• MPX 17500 to MPX 19500
• MPX 17500 to MPX 21500
• MPX 17550 to MPX 19550
• MPX 17550 to MPX 20550
• MPX 17550 to MPX 21550
• MPX 18500 to MPX 20500
• MPX 19500 to MPX 21500
• MPX 19550 to MPX 20550
• MPX 19550 to MPX 21550
• MPX 20550 to MPX 21550

NetScaler - Platform Upgrade Availability (SDX)
The following SDX upgrades are available via software license (Platinum):
• SDX 11500 to SDX 13500
• SDX 13500 to SDX 14500
• SDX 14500 to SDX 16500
• SDX 16500 to SDX 18500
• SDX 18500 to SDX 20500
• SDX 17500 to SDX 19500
• SDX 19500 to SDX 21500
• SDX 17550 to SDX 19550
• SDX 19550 to SDX 20550
• SDX 20550 to SDX 21550
Note: NetScaler SDX with clustering is not available at this time

NetScaler – MPX to SDX Platform Conversion
OS and license update* available for:
• MPX 11500 to SDX 11500
• MPX 13500 to SDX 13500
• MPX 14500 to SDX 14500
• MPX 16500 to SDX 16550
• MPX 17500 to SDX 17500
• MPX 17550 to SDX 17550
• MPX 18500 to SDX 18500
• MPX 19500 to SDX 19500
• MPX 19550 to SDX 19550
• MPX 20500 to SDX 20500
• MPX 20550 to SDX 20550
• MPX 21500 to SDX 21500
• MPX 21550 to SDX 21550
*Requires an update kit
Citrix Application Firewall – Edition Upgrades
Application Firewall platform upgrades (via software license, as a license upgrade):
• MPX 7500 to MPX 9500: throughput upgrade from 1 Gbps to 2 Gbps
• MPX 10500 to MPX 12500: throughput upgrade from 3 Gbps to 5 Gbps

Citrix Application Firewall - "Pay-as-you-grow" Platform and "Burst Pack" Upgrade Availability
Model     | Upgrade charge to MPX 15500 | Upgrade charge to MPX 19500 | Upgrade charge to MPX 21500
MPX 10500 | Available | ----      | ----
MPX 12500 | Available | ----      | ----
MPX 17500 | ----      | Available | Available
MPX 19500 | ----      | ----      | Available
MPX 21500 | ----      | ----      | ----

Model     | Burst license to MPX 15500 | Burst license to MPX 19500 | Burst license to MPX 21500
MPX 10500 | Available | ---- | ----
MPX 12500 | Available | ---- | ----
MPX 17500 | ----      | ---- | Available
MPX 19500 | ----      | ---- | Available
MPX 21500 | ----      | ---- | ----

Citrix Volume Licensing
Commercial: EASY
• SMB customers
• No customer discounts
• Advisor Rewards eligible
Commercial: ELA
• Medium to large businesses
• Customer discounts based on initial purchase
• Advisor Rewards eligible
• ELA 7 requires AVP, GEO VP and Finance Controller approval
Public Sector
• Education: academic and non-profit institutions
• GSA: federal, state, and local government entities inside the United States
• GELA: other government programs, outside the United States

NetScaler - "Burst Pack" Upgrade Pricing
Upgrade                   | Throughput
MPX 7500 to MPX 9500      | 1 Gb to 3 Gb
MPX 10500 to MPX 15500    | 5 Gb to 15 Gb
MPX 11500 to MPX 18500    | 5 Gb to 30 Gb
MPX 12500 to MPX 15500    | 8 Gb to 15 Gb
MPX 13500 to MPX 18500    | 12 Gb to 30 Gb
MPX 14500 to MPX 18500    | 16 Gb to 30 Gb
MPX 16500 to MPX 18500    | 20 Gb to 30 Gb
MPX 17500 to MPX 21500    | 20 Gb to 50 Gb
MPX 17550 to MPX 21550    | 20 Gb to 50 Gb
MPX 19500 to MPX 21500    | 35 Gb to 50 Gb
MPX 19550 to MPX 21550    | 30 Gb to 50 Gb
MPX 20550 to MPX 21550    | 40 Gb to 50 Gb
VPX100 to VPX3000         | 1 Gb to 3 Gb
Notes:
• A 90-day license used to accommodate above-average traffic conditions and reassess permanent capacity requirements
• Licenses are purchased in quantities of one
• For Burst Licenses, use a web key obtained via email to generate the Burst License via http://www.mycitrix.com
• There is no associated maintenance

NetScaler - "Burst Pack" Upgrade Availability
NetScaler Burst 90-Day with Cluster:
Upgrade                   | STD | ENT | PLT
MPX 7500 to MPX 9500      | YES | YES | YES
MPX 10500 to MPX 15500    | YES | YES | YES
MPX 12500 to MPX 15500    | YES | YES | YES
MPX 11500 to MPX 18500    | YES | YES | YES
MPX 13500 to MPX 18500    | YES | YES | YES
MPX 14500 to MPX 18500    | YES | YES | YES
MPX 16500 to MPX 18500    | YES | YES | YES
MPX 11500 to MPX 20500    | YES | YES | YES
MPX 13500 to MPX 20500    | YES | YES | YES
MPX 14500 to MPX 20500    | YES | YES | YES
MPX 16500 to MPX 20500    | YES | YES | YES
MPX 18500 to MPX 20500    | YES | YES | YES
MPX 17500 to MPX 21500    | YES | YES | YES
MPX 19500 to MPX 21500    | YES | YES | YES
MPX 17550 to MPX 21550    | YES | YES | YES
MPX 19550 to MPX 21550    | N/A | N/A | YES
MPX 20550 to MPX 21550    | N/A | N/A | YES
SDX 17500 to SDX 21500    | YES | YES | YES
SDX 19500 to SDX 21500    | N/A | N/A | YES
VPX 1000 to VPX 3000      | N/A | N/A | YES
SDX 11500 to SDX 20500    | N/A | N/A | YES
[Table continues with SDX 11500 to SDX 18500, SDX 13500 to SDX 18500, SDX 14500 to SDX 18500, SDX 16500 to SDX 18500, SDX 13500 to SDX 20500, SDX 14500 to SDX 20500, SDX 16500 to SDX 20500, SDX 18500 to SDX 20500, SDX 17550 to SDX 21550, SDX 19550 to SDX 21550 and SDX 20550 to SDX 22550; the STD/ENT/PLT values for these rows are not recoverable from this extraction]

High Availability

High Availability Topics
• High availability concepts
• Typical configurations
• Node and interface configuration
• Managing HA
• Failover do's and don'ts
• Replacing a failed node
• Software upgrade
• Monitoring HA
HA - Concepts
• NetScaler High Availability (HA) is a base functionality
ᵒ Does not need to be enabled
ᵒ Does need to be configured
• A NetScaler HA pair is a single logical unit for traffic handling
ᵒ Active – Standby topology
ᵒ Two nodes: Primary and Secondary
ᵒ Separate NSIP and interface configurations
ᵒ Co-managed pool of MIPs, VIPs, SNIPs
• "Monitored" interfaces and hardware
ᵒ Local health check

HA - Concepts
• Negotiation
ᵒ Who is in charge?
• Propagation
ᵒ Commands sent from Primary to Secondary
• Synchronization
ᵒ Configuration synchronized between Primary and Secondary

HA - Design Considerations
• By default, management and heartbeat are sent via L2
• Distance between nodes is not a limitation
• L2 connectivity between the two HA nodes must allow the heartbeat to be received within 3 seconds by default

HA - Typical Configuration
Note: the Mapped IP is shared between the failover pair (single logical unit)

HA - Configuration Process
• Starting with two new systems
ᵒ NS-A and NS-B
• Setup overview
ᵒ Set up NS-A
• Basic IP and HA configuration, no traffic features
• Connect NS-A to the network
ᵒ Set up NS-B
• Basic IP and HA configuration, no traffic features
• Connect NS-B to the network
ᵒ Verify HA status
• NS-A primary, NS-B secondary
ᵒ Configure traffic handling features on the primary
• The secondary will be synchronized automatically

HA - Node and Interface Setup
• On each Citrix NetScaler in the pair, create a node ID pointing to the other Citrix NetScaler
ᵒ The node ID must be a unique integer
ᵒ The node ID does not set any precedence for primary
ᵒ Command: add node <ID> <IP>
• Node creation example
ᵒ Assume NS-A at NSIP 10.10.1.4, NS-B at NSIP 10.10.1.8
ᵒ On NS-A: add node 2 10.10.1.8
ᵒ On NS-B: add node 1 10.10.1.4
• Interface management (automatic)
ᵒ Disable all unused interfaces
ᵒ Command: disable interface <int>, where <int> is, e.g., 1/3

HA - GUI
[Screenshot: HA node configuration in the GUI]

HA - Completing Setup
• Verify negotiation
ᵒ NS-A primary, NS-B secondary
• Enter the "rest" of the configuration ON THE PRIMARY
ᵒ Servers, services, VIPs, monitors, etc.
• "save config" on the primary
• Verify propagation of the configuration ON THE SECONDARY
ᵒ > show runningconfig
• Reboot both systems, one at a time
ᵒ Verify correct failover functionality

HA - Show Node Information
> show node
1) Node ID: 0
   IP: 10.102.1.172
   Master State: Primary
   Node State: UP
   Sync state: SUCCESS.
   Enabled Interfaces: <list of interfaces>
   HA monitor ON Interfaces: <list of interfaces>
   Disabled Interfaces: <list of interfaces>
   Interfaces causing Partial Failure: <list of interfaces>
   SSL card status: UP/DOWN

HA - Managing Configurations
• "set node" command
ᵒ > set node [-hastatus ( ENABLE | STAYSECONDARY | DISABLE )] [-hasync ( ENABLE | DISABLE )]
ᵒ STAYSECONDARY: holds the node secondary, even if the primary goes down
ᵒ DISABLE: holds the node secondary and does not synchronize to the primary's configuration
• "force failover" command
ᵒ > force failover
• Executed from either NetScaler in the HA pair

HA - Force Synchronization
> force ns synch
• Will not work when:
ᵒ Executed on a standalone system
ᵒ HA is disabled
ᵒ HA synchronization is disabled
• Issued on either node, Primary or Secondary

HA - Failover Do's and Don'ts
• Do not connect two NetScaler systems by a cross-over cable
ᵒ Risk of bridge loop
• Be sure all unused interfaces are disabled
ᵒ > disable interface <x/y>
• nsroot password synchronization
ᵒ Both nodes need the same password for the nsroot account
ᵒ Not required for the root or nsmaint accounts
HA - Failover Do's and Don'ts
• Ancillary files: synchronization
ᵒ Configuration files in the NetScaler file system must be present in the same location on both nodes of the HA pair
• Use "scp" for secure file transfer:
ᵒ A typical command might look something like this:
  # scp myfile.txt nsroot@192.168.100.200:/var/tmp/myfile.txt
• It is not recommended to run HA with different versions
ᵒ For upgrade testing, keep the NetScaler with the older build powered off during the test period. To fail over, power off the *newer* NetScaler and power on the *older* Citrix NetScaler

HA - Replacing a Failed Node
• Cleanup
ᵒ Issue "save config" on the working primary unit
ᵒ Recover any debug information from the defective unit
ᵒ Remove the defective unit from the network
• Configure the replacement offline
ᵒ Configure the replacement unit as in the initial HA setup
• Add the working primary as a node
ᵒ Force the replacement unit to stay secondary
• Connect the replacement
ᵒ Verify secondary status
ᵒ Populate all environmental files from the primary
ᵒ Verify configuration synchronization
• Release the replacement unit from the forced secondary state

HA - Upgrade Procedure
Perform a "rolling upgrade":
• Open two telnet or SSH sessions side by side
• Follow the upgrade procedure to upgrade the Secondary
• On the Primary, "force failover"
• Verify that the failover was successful and the former Secondary is now Primary
• Upgrade the former Primary

HA - Improper VLAN Sync.
• Ensure that the NetScaler's VLAN configuration is done after configuring the Citrix NetScaler with the High Availability setup
• For NetScaler systems in a High Availability setup, synchronization does not work properly when only one Citrix NetScaler system has a VLAN configuration

HA - Retrieving Lost Configuration
• If the primary NetScaler system is unable to send the configuration to the secondary NetScaler system because of any network error, the secondary NetScaler may not have an accurate configuration and may not behave correctly if failover occurs
• In this situation, you can retrieve the original primary system's configuration from a back-up copy present on the NetScaler's disk

HA - Retrieving Lost Configuration
• NetScaler saves the last four copies of the ns.conf file in the /nsconfig directory
• These are named ns.conf.0, ns.conf.1, and so on
• The ns.conf.0 file contains the latest configuration

HA - Connection Failover / Mirroring
• Connection failover allows a TCP connection, established through a primary node, to remain active after failover
• By default, the two Citrix NetScaler systems that comprise an HA pair do not exchange any information pertaining to existing packet flows
ᵒ i.e., TCP sessions on the primary are lost during failover
• Connection failover ensures that the new primary maintains the relationship between incoming packets belonging to previously established connections after failover

Backups and Upgrades

Code Upgrade Overview
• Code upgrades are done by uploading a compressed tar file, extracting it, then running an install script
• Through the GUI this is handled behind the scenes, but it can be done manually as well
• Downgrades are handled the same way, but risk having parts of the configuration dropped because of additional configuration directives
• In some cases, old boot files will need to be removed manually via the BSD shell, as indicated by an error on the install

Code Upgrade Instructions
• To start the upgrade process through the GUI, go to the Diagnostics tab under System and select the "Upgrade Wizard" button
• Next, point to the upgrade file (.tgz) located locally or on the appliance

Code Upgrade Instructions
• Next, select the correct license to apply

Code Upgrade Instructions
• Then upgrade the documentation file if available, proceed to apply the upgrade, and reboot

LAB – Module 1 – Exercise 1
To begin the lab, browse to: http://training.mycitrixcloud.net/geoilt
Enter your business email and this session code: NETSCALER-WORKSHOP

Work better. Live better.
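To close the HA material above with something operational: an added example (not from the deck, and not NetScaler code) that parses "show node" output and flags the conditions the failover do's and don'ts warn about. The sample outputs are constructed to follow the fields on the "HA - Show Node Information" slide, not captured from an appliance; the interface names and IP addresses in them are assumptions.

```python
"""Parse NetScaler `show node` output and report HA conditions worth alerting on.

Added example, not NetScaler code. The samples are constructed to follow the
fields on the "HA - Show Node Information" slide; real output may carry extra
fields, which the parser simply keeps as additional keys."""
import re

# Constructed sample: a healthy pair, node 0 primary and node 1 secondary.
SAMPLE_HEALTHY = """\
> show node
1) Node ID: 0
   IP: 10.102.1.172
   Master State: Primary
   Node State: UP
   Sync state: SUCCESS.
   Enabled Interfaces: 1/1 1/2
   HA monitor ON Interfaces: 1/1 1/2
   Disabled Interfaces: 1/3 1/4
   Interfaces causing Partial Failure: None
   SSL card status: UP
2) Node ID: 1
   IP: 10.102.1.173
   Master State: Secondary
   Node State: UP
   Sync state: SUCCESS.
   Enabled Interfaces: 1/1 1/2
   HA monitor ON Interfaces: 1/1 1/2
   Disabled Interfaces: 1/3 1/4
   Interfaces causing Partial Failure: None
   SSL card status: UP
"""

# Constructed sample: same pair, but the secondary has lost sync, has a failed
# monitored interface, a down SSL card, and an enabled interface HA does not watch.
_PRIMARY, _SECONDARY = SAMPLE_HEALTHY.split("2) Node ID: 1")
SAMPLE_DEGRADED = _PRIMARY + "2) Node ID: 1" + (
    _SECONDARY.replace("Sync state: SUCCESS.", "Sync state: FAILED.")
    .replace("HA monitor ON Interfaces: 1/1 1/2", "HA monitor ON Interfaces: 1/1")
    .replace("Interfaces causing Partial Failure: None", "Interfaces causing Partial Failure: 1/2")
    .replace("SSL card status: UP", "SSL card status: DOWN"))

NODE_HEADER = re.compile(r"^\s*\d+\)\s*Node ID:\s*(\d+)\s*$")


def parse_show_node(text):
    """Return one dict of 'Field: value' entries per node listed in the output."""
    nodes = []
    for line in text.splitlines():
        header = NODE_HEADER.match(line)
        if header:
            nodes.append({"Node ID": header.group(1)})
        elif nodes and ":" in line:
            key, _, value = line.partition(":")
            nodes[-1][key.strip()] = value.strip().rstrip(".")   # "SUCCESS." -> "SUCCESS"
    return nodes


def ha_findings(nodes):
    """List human-readable problems; an empty list means the pair looks healthy."""
    findings = []
    primaries = [n for n in nodes if n.get("Master State") == "Primary"]
    if len(primaries) != 1:   # split brain (two primaries) or no primary at all
        findings.append(f"expected exactly one Primary, found {len(primaries)}")
    for n in nodes:
        tag = f"node {n['Node ID']} ({n.get('IP', '?')})"
        if n.get("Node State") != "UP":
            findings.append(f"{tag}: node state {n.get('Node State')}")
        if n.get("Sync state") != "SUCCESS":   # secondary may not have the primary's config
            findings.append(f"{tag}: sync state {n.get('Sync state')}")
        partial = n.get("Interfaces causing Partial Failure", "None")
        if partial not in ("", "None"):
            findings.append(f"{tag}: partial failure on interfaces {partial}")
        if n.get("SSL card status") not in (None, "UP", "N/A"):
            findings.append(f"{tag}: SSL card status {n['SSL card status']}")
        # An interface that is enabled but not HA-monitored can fail without
        # triggering failover; the slides say to disable every unused interface.
        enabled = set(n.get("Enabled Interfaces", "").split())
        monitored = set(n.get("HA monitor ON Interfaces", "").split())
        unmonitored = sorted(enabled - monitored)
        if unmonitored:
            findings.append(f"{tag}: enabled but not HA-monitored: {' '.join(unmonitored)}")
    return findings


def ha_pair_healthy(text):
    """True when `show node` output shows one primary and no findings."""
    return not ha_findings(parse_show_node(text))


if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED)):
        print(name, ha_findings(parse_show_node(sample)) or "OK")
```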