Citrix NetScaler Administration Guide Citrix® NetScaler® 9.
Copyright and Trademark Notice © CITRIX SYSTEMS, INC., 2012. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
All rights reserved. Copyright © 2000 Jason L. Wright. Copyright © 2000 Theo de Raadt. Copyright © 2001 Patrik Lindergren. All rights reserved.
Preface

Learn about the Citrix® NetScaler® collection of documentation, including information about support options and ways to send us feedback.

In This Preface:
• Formatting Conventions for NetScaler Documentation
• Documentation Available on the NetScaler Appliance
• Getting Service and Support
• NetScaler Documentation Feedback

For information about new features and enhancements for this release, see the Citrix NetScaler 9.3 Release Notes at http://support.citrix.com/article/CTX128669.
Convention / Meaning

you have the option of entering a range, but it is not required:
    add lb vserver [ -range ]
Do not type the brackets themselves.

| (vertical bar): A separator between options in braces or brackets in command statements.
Getting Service and Support

Citrix® offers a variety of resources for support with your Citrix environment, including the following:
• The Knowledge Center is a self-service, Web-based technical support database that contains thousands of technical solutions, including access to the latest hotfixes, service packs, and security bulletins.
• Technical Support Programs for both software support and appliance maintenance are available at a variety of support levels.
Chapter 1 Authentication and Authorization

Topics:
• Configuring Users and Groups
• Configuring Command Policies
• Resetting the Default Administrator (nsroot) Password
• Example of a User Scenario
• Configuring External User Authentication

To configure Citrix® NetScaler® authentication and authorization, you must first define the users who have access to the NetScaler appliance, and then you can organize these users into groups.
Configuring Users and Groups

You must define your users by configuring accounts for them. To simplify the management of user accounts, you can organize them into groups. You can also customize the NetScaler command-line prompt for a user. Prompts can be defined in a user’s configuration, in a user-group configuration, and in the global configuration. The prompt displayed for a given user is determined by the following order of precedence:
1.
    > show system user
    1) User name: nsroot
    2) User name: user1
    3) User name: johnd
       Prompt String: user-%u-at%T Prompt Inherited From: User
     Done

To modify or remove a user account by using the NetScaler command line
• To modify a user's password, type the set system user command and the parameters to be changed, with their new values.
• To remove a user account, type the rm system user command.
To configure a user account by using the configuration utility
1. In the navigation pane, expand System and click Users.
2. In the details pane, do one of the following:
   • To create a user account, click Add.
   • To modify an existing user account, select the user, and then click Open.
3. In the Create System User or Configure System User dialog box, set the following parameters:
   • User Name* (Cannot be changed for an existing user.
To modify or remove a user group by using the NetScaler command line
• To modify a user group, type the set system group command and the parameters to be changed, with their new values.
• To remove a user group, type rm system group .
• unbind system group -userName
• show system group

Parameters for configuring a user group

groupName (Group Name)
    A name for the group you are creating. The name can begin with a letter, number, or the underscore symbol, and can consist of from 1 to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. (Cannot be changed for existing groups.
   • Group Name* (Required for a new group. Cannot be changed for an existing group.)
   • CLI Prompt
   • CLI Idle Session Timeout (Secs)
   * A required parameter
4. Under Members, select users from the Available Users list and click Add to move them to the Configured Users list.
5. Click Create or OK, and then click Close. A message appears in the status bar, stating that the group has been configured successfully.
Table 1-1. Built-in Command Policies

Policy name | Allows
read-only | Read-only access to all show commands except show runningconfig, show ns.conf, and the show commands for the NetScaler command group.
operator | Read-only access and access to commands to enable and disable services and servers or place them in ACCESSDOWN mode.
network | Full access, except to the set and unset SSL commands, sh ns.conf, sh runningconfig, and sh gslb runningconfig commands.
Table 1-2. Examples of Regular Expressions for Command Policies

Command specification | Matches these commands
"^rm\s+.*$" | All remove actions, because all remove actions begin with the rm string, followed by a space and additional parameters and flags.
"^show\s+.*$" | All show commands, because all show actions begin with the show string, followed by a space and additional parameters and flags.
To create a command policy by using the NetScaler command line

At the NetScaler command prompt, type the following commands to create a command policy and verify the configuration:
• add system cmdPolicy
• sh system cmdPolicy

Example
    > add system cmdPolicy read_all ALLOW (^show\s+(! system)(!ns ns.conf)(!ns runningConfig).*)| (^stat.
To configure a command policy by using the configuration utility
1. In the navigation pane, expand System, and then click Command Policies.
2. In the details pane, do one of the following:
   • To create a command policy, click Add.
   • To modify an existing command policy, select the command policy, and then click Open.
3.
To bind command policies to a user by using the NetScaler command line

At the NetScaler command prompt, type the following commands to bind a command policy to a user and verify the configuration:
• bind system user -policyName
• sh system user

Example
    > bind system user user1 -policyName read_all 1
     Done
    > sh system user user1
    User name: user1
    Command Policy: read_all Priority:1
     Done

To unbind command policies from
4. In the Priority column to the left, modify the default priority as needed to ensure that the policy is evaluated in the proper order.
5. Click OK. A message appears in the status bar, stating that the user has been configured successfully.
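The following is an added example, not part of the Citrix guide: a small offline check of how binding priority changes the outcome when command specifications overlap. It uses the two regular expressions from Table 1-2; the policy names, the third pattern, the priorities, and the evaluation rules (lowest priority number first, first match decides, no match means denied) are assumptions made for this sketch.

```python
import re
from typing import NamedTuple


class Binding(NamedTuple):
    policy: str    # policy name (constructed for this example)
    action: str    # "ALLOW" or "DENY"
    spec: str      # command specification (regular expression)
    priority: int  # binding priority


# Constructed bindings for one user. The first and last patterns are the
# Table 1-2 examples; "allow_system" is a made-up, deliberately broad policy.
BINDINGS = [
    Binding("allow_show", "ALLOW", r"^show\s+.*$", 5),
    Binding("allow_system", "ALLOW", r"^\S+\s+system\s+.*$", 3),
    Binding("deny_rm", "DENY", r"^rm\s+.*$", 1),
]


def evaluate(command, bindings):
    """Return (action, policy) for a command line.

    Assumed rules: bindings are tried in ascending priority number, the
    first matching specification decides, and an unmatched command is denied.
    """
    for b in sorted(bindings, key=lambda b: b.priority):
        if re.search(b.spec, command):
            return b.action, b.policy
    return "DENY", None


def review(bindings, must_allow, must_deny):
    """List every command whose decision differs from the intended one."""
    problems = []
    for expected, commands in (("ALLOW", must_allow), ("DENY", must_deny)):
        for cmd in commands:
            action, policy = evaluate(cmd, bindings)
            if action != expected:
                problems.append((cmd, "expected " + expected, policy))
    return problems


def with_priority(bindings, policy, priority):
    """Copy of the bindings with one policy rebound at another priority."""
    return [b._replace(priority=priority) if b.policy == policy else b
            for b in bindings]


if __name__ == "__main__":
    allow = ["show system user", "show lb vserver"]
    deny = ["rm system user johnd", "set lb vserver v1"]
    print("as bound:", review(BINDINGS, allow, deny))
    # Rebinding the DENY policy behind the broad ALLOW policy lets rm through.
    print("deny_rm at 9:", review(with_priority(BINDINGS, "deny_rm", 9), allow, deny))
```

Running the review before changing a binding shows which overlapping ALLOW policy would take over if a DENY policy is given a higher priority number.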
To bind command policies to a group by using the configuration utility
1. In the navigation pane, expand System, and then click Groups.
2. In the details pane, select the group to which you want to bind a command policy, and then click Open.
3. In the Configure System Group dialog box, under Command Policies, all the command policies configured on your NetScaler appear on the list.
    Type '?' for a list of commands, 'help' for more detailed help.
    ok
3. Type boot -s and press the ENTER key to start the NetScaler in single user mode. After the NetScaler boots, it displays the following message:
    Enter full path name of shell or RETURN for /bin/sh:
4. Press the ENTER key to display the # prompt, and type the following commands to mount the file systems:
    fsck /dev/ad0s1a
    mount /dev/ad0s1a /flash
5.
Table 1-4. Sample Values for Creating Entities

Field | Value | Note
NetScaler host name | ns01.example.net | N/A
User accounts | johnd, mariar, and michaelb | John Doe, IT manager, Maria Ramirez, IT administrator and Michael Baldrock, IT administrator.
Groups | Managers and SysOps | All managers and all IT administrators.
4. Use the procedure described in Binding Command Policies to Users and Groups on page 31 to bind the read_all command policy to the SysOps group, with priority value 1.
5. Use the procedure described in Binding Command Policies to Users and Groups on page 31 to bind the modify_lb command policy to user michaelb, with priority value 5.
authentication policies are bound to the system, users are authenticated by the onboard system.

Note: User accounts must be configured on the NetScaler appliance before users can be externally authenticated. You must first create an onboard system user for all users who will access the appliance, so that you can bind command policies to the user accounts.
Table 1-5. User Attribute Fields for LDAP Servers

LDAP server | User attribute | Case sensitive?
Microsoft Active Directory Server | sAMAccountName | No
Novell eDirectory | cn | Yes
IBM Directory Server | uid | Yes
Lotus Domino | CN | Yes
Sun ONE directory (formerly iPlanet) | uid or cn | Yes

The following table lists examples of the base distinguished name (DN).

Table 1-6.
LDAP server | Bind DN
Lotus Domino | CN=Notes Administrator, O=Citrix, C=US
Sun ONE directory (formerly iPlanet) | uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot

To configure LDAP authentication by using the configuration utility
1. In the navigation pane, expand System, and then click Authentication.
2. On the Policies tab, click Add.
3. In Name, type a name for the policy.
4. In Authentication Type, select LDAP. Next to Server, click New.
8. To retrieve additional LDAP settings automatically, click Retrieve Attributes. The fields under Other Settings then populate automatically. If you do not want to do this, skip to Step 12.
9. Under Other Settings, in Server Logon Name Attribute, type the attribute under which the NetScaler should look for user logon names for the LDAP server that you are configuring. The default is samAccountName.
10.
Configuring RADIUS Authentication

You can configure the NetScaler appliance to authenticate user access with one or more RADIUS servers. If you are using RSA SecurID, SafeWord, or Gemalto Protiva products, use a RADIUS server. Your configuration might require using a network access server IP address (NAS IP) or a network access server identifier (NAS ID).
• Password Authentication Protocol
• Challenge-Handshake Authentication Protocol (CHAP)
• Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP Version 1 and Version 2)

If your deployment of the NetScaler is configured to use RADIUS authentication and your RADIUS server is configured to use Password Authentication Protocol, you can strengthen user authentication by assigning a strong shared secret to the RADIUS server.
5. In Group Attribute Type, type the value, and click OK twice.

Configuring TACACS+ Authentication

You can configure a TACACS+ server for authentication. Similar to RADIUS authentication, TACACS+ uses a secret key, an IP address, and the port number. The default port number is 49. To configure the NetScaler to use a TACACS+ server, provide the server IP address and the TACACS+ secret.
name and password of the person who is authorized to administer the domain. These parameters are necessary because the NetScaler joins the domain to communicate authentication data. NT4 authentication supports NTLMv1 and NTLMv2 authentication protocols only.

To configure NT4 authentication by using the configuration utility
1. In the navigation pane, expand System, and then click Authentication.
2. On the Policies tab, click Add.
3. In Name, type a name for the policy.
2. On the Policies tab, click Global Bindings.
3. In the Bind/Unbind Authentication Policies dialog box, in Policy Name, select the policy, click Unbind Policy and then click OK.
Chapter 2 SNMP

Topics:
• Importing MIB Files to the SNMP Manager and Trap Listener
• Configuring the NetScaler to Generate SNMPv1 and SNMPv2 Traps
• Configuring the NetScaler for SNMP v1 and v2 Queries
• Configuring SNMP Alarms for Rate Limiting
• Configuring the NetScaler for SNMPv3 Queries

You can use Simple Network Management Protocol (SNMP) to configure the SNMP agent on the Citrix® NetScaler® appliance to generate asynchronous events, which are called traps.
Importing MIB Files to the SNMP Manager and Trap Listener

You must download the following files to SNMP managers and trap listeners before you start monitoring a NetScaler appliance.
• NS-MIB-smiv1.mib. This file is used by SNMPv1 managers and trap listeners.
• NS-MIB-smiv2.mib. This file is used by SNMPv2 and SNMPv3 managers and SNMPv2 trap listeners.

The MIB files include the following:
• A subset of standard MIB-2 groups. Provides the MIB-2 groups SYSTEM, IF, ICMP, UDP, and SNMP.
are sent to the configured trap listeners. For example, when the LOGIN-FAILURE alarm is enabled, a trap message is generated and sent to the trap listener whenever there is a login failure on the NetScaler appliance.

To configure the NetScaler to generate traps, you need to enable and configure alarms. Then, you specify trap listeners to which the NetScaler will send the generated trap messages.
Configuring Alarms

The NetScaler provides a set of condition entities called SNMP alarms. When the condition set for an SNMP alarm is met, the NetScaler generates SNMP trap messages that are sent to the configured trap listeners. For example, when the LOGIN-FAILURE alarm is enabled, a trap message is generated and sent to the trap listener whenever there is a login failure on the NetScaler appliance. You can assign a severity level to an SNMP alarm.
To configure SNMP alarms by using the configuration utility
1. In the navigation pane, expand System, expand SNMP, and then click Alarms.
2. In the details pane, select an alarm (for example, Login-Failure), and then click Open.
3. In the Configure SNMP Alarm dialog box, specify values for the following parameters, which correspond to parameters described in "Parameters for configuring SNMP alarms" as shown:
   • Severity—severity
   • Logging—logging
4. Click OK.
• show snmp trap

Example
    add snmp trap specific 10.102.29.3 -version V2 -destPort 80 -communityName com1 -severity Major
     Done
    > show snmp trap
    Type      DestinationIP  DestinationPort  Version  SourceIP      Min-Severity  Community
    --------------------------------------------------------------
    generic   10.102.29.9    162              V2       NetScaler IP  N/A           public
    specific  10.102.29.9    162              V2       NetScaler IP                public
    specific  10.102.29.3    80               V2       NetScaler IP  Major         com1
     Done

Parameters for configuring SNMP traps

trapClass
    The trap type.
2. In the details pane, do one of the following:
   • To create a new trap, click Add.
   • To modify an existing trap, select the trap, and then click Open.
3. In the Create SNMP Trap Destination or Configure SNMP Trap dialog box, set the following parameters:
   • Type*—trapClass
   • Version—version
   • Destination IP Address*—trapDestination
   • Destination Port—destPort
   • Source IP Address—srcIP
   • Minimum Severity—severity
   • Community Name—communityName
   *A required parameter
4.
Parameters for unconditional SNMP trap logging

SnmpTrapLogging (SNMP Trap Logging)
    Enable the NetScaler appliance to log any SNMP trap messages (for those respective SNMP alarms in which logging is enabled) even when no trap listeners are configured. Possible Values: ENABLED, DISABLED. Default: DISABLED.

To enable or disable unconditional SNMP trap logging by using the configuration utility
1. In the navigation pane, expand System, and then click SNMP.
2.
the SNMP manager to its IP address. You can add up to a maximum of five host-name based SNMP managers.

If you do not configure at least one SNMP manager, the NetScaler appliance accepts and responds to SNMP queries from all IP addresses on the network. If you configure one or more SNMP managers, the appliance accepts and responds only to SNMP queries from those specific IP addresses.
    Netmask: 255.255.255.255
     Done

To add an SNMP manager by specifying its host name, using the NetScaler command line

Important: If you specify the SNMP manager’s host name instead of its IP address, you must configure a DNS name server to resolve the host name to the SNMP manager’s IP address. For more information, see the instructions for adding a name server in the Citrix NetScaler Traffic Management Guide. For a link to the guide, see the Documentation Library.
Note: The NetScaler appliance does not support host names for SNMP managers that have IPv6 addresses.

netmask
    Subnet of management stations. Used to grant access from entire subnets to the NetScaler appliance.

domainResolveRetry
    The duration, in seconds, for which the NetScaler appliance waits to send the next DNS query to resolve the host name of the SNMP manager if the last query failed. If the last query succeeds, the NetScaler waits for the TTL time. Minimum value: 5.
Specifying an SNMP Community

You can create strings called community strings and associate them with the following SNMP query types on the NetScaler:
• GET
• GET NEXT
• ALL
• GET BULK

You can associate one or more community strings with each query type.
2. In the details pane, click Add.
3. In the Create SNMP Community dialog box, specify values for the following parameters, which correspond to parameters described in "Parameters for configuring an SNMP community string" as shown:
   • Community String*—communityName
   • Permission*—permissions
   *A required parameter
4. Click Create, and then click Close. A message appears in the status bar, stating that the SNMP community string has been configured successfully.
To configure an SNMP alarm for the throughput rate by using the NetScaler command line

At the NetScaler command prompt, type the following commands to configure the SNMP alarm and verify the configuration:
• set snmp alarm PF-RL-RATE-THRESHOLD [-thresholdValue [-normalValue ]] [-state ( ENABLED | DISABLED )] [-severity ] [-logging ( ENABLED | DISABLED )]
• show snmp alarm PF-RL-RATE-THRESHOLD

Example
    > set snmp alarm PF-RL-RATE-THRESHOLD thresho
• show snmp alarm PF-RL-PPS-THRESHOLD

Example
    > set snmp alarm PF-RL-PPS-THRESHOLD -thresholdValue 70 -normalValue 50
     Done
    > show snmp alarm PF-RL-PPS-THRESHOLD
    Alarm Threshold Severity Alarm Threshold Time State Logging Normal
    ----- ----------------------------------------------------- --------
    1) PF-RL-PPS-THRESHOLD 70 50 N/A ENABLED ENABLED
     Done

To modify or remove the threshold values by using the NetScaler command line
• To modify the threshold values, type the s
logging
    Log the alarm. Possible values: ENABLED, DISABLED. Default value: ENABLED.

To configure an SNMP alarm for throughput or PPS by using the configuration utility
1. In the navigation pane, expand System, expand SNMP, and then click Alarms.
2. In the details pane, do one of the following:
   • Select PF-RL-RATE-THRESHOLD to configure the SNMP alarm for throughput rate.
   • Select PF-RL-PPS-THRESHOLD to configure the SNMP alarm for packets per second.
3. Click Open.
4.
Parameters for configuring an SNMP alarm for dropped packets

state
    The current state of the alarm. Possible values: ENABLED, DISABLED. Default: ENABLED.

severity
    The severity level of the alarm. Possible values: Critical, Major, Minor, Warning, Informational. Default: SNMP_SEV_UNKNOWN.

logging
    Log the alarm. Possible values: ENABLED, DISABLED. Default value: ENABLED.

To configure an SNMP alarm for dropped packets by using the configuration utility
1.
   • Data integrity: To protect messages from being modified during transmission through the network.
   • Data origin verification: To authenticate the user who sent the message request.
   • Message timeliness: To protect against message delays or replays.
   • Data confidentiality: To protect the content of messages from being disclosed to unauthorized entities or individuals.
• View-Based Access Control Model.
To set the engine ID by using the NetScaler command line

At a NetScaler command prompt, type the following commands to set the parameters and verify the configuration:
• set snmp engineId
• show snmp engineId

Example
    > set snmp engineId 8000173f0300c095f80c68
     Done
    > show snmp engineId
    EngineID: 8000173f0300c095f80c68
     Done

Parameters for setting the engine ID

EngineID
    Engine ID of the SNMP agent.

To set the engine ID by using configuration utility
1.
Parameters for configuring an SNMP view

name
    Name of the SNMP view.

subtree
    Subtree of the MIB.

type
    Whether the subtree needs to be included or excluded.

To configure an SNMP view by using the configuration utility
1. In the navigation pane, expand System, expand SNMP, and then click Views.
2. In the details pane, click Add.
3.
    1) Name: edocs_group2
       SecurityLevel: authPriv
       ReadViewName: edocs_read_view
       StorageType: volatile
       Status: active
     Done

Parameters for configuring an SNMP group

name
    Name of the SNMP view.

securityLevel
    The security level of the group. Possible values: noAuthNoPriv, authNoPriv, authPriv

readViewName
    SNMP view to be associated with this group.

To configure an SNMP group by using the configuration utility
1.
• show snmp user

Example
    > add snmp user edocs_user -group edocs_group
     Done
    > show snmp user edocs_user
    1) Name: edocs_user
       Group: edocs_group
       EngineID: 123abc456abc788
       StorageType: volatile
       Status: active
     Done
    >

Parameters for configuring an SNMP user

name
    The name of the SNMP user.

group
    Specifies the SNMP group name to which the SNMP user will belong.

authType
    The authentication type. Possible values: MD5, SHA.

authPasswd
    Enter an authentication password.
   *A required parameter
4. Click Create or OK, and then click Close. A message appears in the status bar, stating that the SNMP user has been configured successfully.
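The following is an added example, not part of the Citrix guide: an offline review of the SNMP lines in a saved configuration against two points this chapter makes, that with no SNMP manager configured the appliance answers queries from all IP addresses, and that SNMPv3 groups carry a security level of noAuthNoPriv, authNoPriv, or authPriv. The sample configuration is constructed, and the argument order assumed for add snmp manager, add snmp community, and add snmp group is an assumption where the page does not show it.

```python
import ipaddress
import shlex


def parse_snmp(config_text):
    """Collect managers, communities, groups and users from 'add snmp' lines."""
    cfg = {"manager": [], "community": [], "group": {}, "user": {}}
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: not a line this sketch understands
        if tok[:2] != ["add", "snmp"] or len(tok) < 4:
            continue
        kind, name, rest = tok[2], tok[3], tok[4:]
        opts, positional, i = {}, [], 0
        while i < len(rest):
            if rest[i].startswith("-") and i + 1 < len(rest):
                opts[rest[i][1:].lower()] = rest[i + 1]
                i += 2
            else:
                positional.append(rest[i])
                i += 1
        if kind == "manager":
            # Assumed default when -netmask is absent: a single host.
            cfg["manager"].append((name, opts.get("netmask", "255.255.255.255")))
        elif kind == "community":
            cfg["community"].append(name)
        elif kind == "group" and positional:
            cfg["group"][name] = positional[0]  # securityLevel
        elif kind == "user":
            cfg["user"][name] = opts.get("group")
    return cfg


def audit(cfg):
    """Return (code, detail) findings for the parsed SNMP configuration."""
    findings = []
    if cfg["community"] and not cfg["manager"]:
        findings.append(("OPEN_QUERY_SOURCE",
                         "communities defined but no SNMP manager configured"))
    for addr, mask in cfg["manager"]:
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # host-name based manager, nothing to measure
        if net.num_addresses > 1:
            findings.append(("MANAGER_SUBNET",
                             f"{net} ({net.num_addresses} addresses)"))
    weak = {g: lvl for g, lvl in cfg["group"].items() if lvl.lower() != "authpriv"}
    for user, group in sorted(cfg["user"].items()):
        if group in weak:
            findings.append(("V3_WEAK_LEVEL", f"{user} in {group} ({weak[group]})"))
    return findings


# Constructed sample configuration (names partly reused from this chapter).
SAMPLE = """\
add snmp community public ALL
add snmp trap specific 10.102.29.3 -version V2 -destPort 80 -communityName com1 -severity Major
add snmp group edocs_group2 authPriv -readViewName edocs_read_view
add snmp group legacy_group noAuthNoPriv -readViewName edocs_read_view
add snmp user edocs_user -group edocs_group2
add snmp user legacy_user -group legacy_group
"""
SAMPLE_WITH_MANAGER = SAMPLE + "add snmp manager 10.102.29.5 -netmask 255.255.255.0\n"

if __name__ == "__main__":
    for label, text in (("no manager", SAMPLE), ("subnet manager", SAMPLE_WITH_MANAGER)):
        print(label)
        for code, detail in audit(parse_snmp(text)):
            print(f"  {code}: {detail}")
```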
Chapter 3 Audit Logging

Topics:
• Configuring the NetScaler Appliance for Audit Logging
• Installing and Configuring the NSLOG Server
• Running the NSLOG Server
• Customizing Logging on the NSLOG Server
• Default Settings for the Log Properties
• Sample Configuration File (audit.conf)

Auditing is a methodical examination or review of a condition or situation.
To configure audit logging, you first configure the audit modules on the NetScaler, which involves creating audit policies and specifying the NSLOG server or SYSLOG server information. You then install and configure the SYSLOG or the NSLOG server on the underlying FreeBSD OS of the NetScaler appliance or on a remote system.
Configuring the NetScaler Appliance for Audit Logging

Policies define the SYSLOG or NSLOG protocol, and server actions define what logs are sent where. For server actions, you specify the system information, which runs the SYSLOG or the NSLOG server.
    UserDefinedLogging: No AppFlow export: DISABLED
     Done

To configure an NSLOG server action by using the command line

At the NetScaler command prompt, type the following commands to set the parameters and verify the configuration:
• add audit nslogAction [-serverPort ] -logLevel [-dateFormat ( MMDDYYYY | DDMMYYYY )]
• show audit nslogAction []

Example
    > add audit nslogAction nslog-action1 10.102.1.
• ERROR
• WARNING
• NOTICE
• INFORMATION
• DEBUG

dateFormat
    Format of the date stamp. Possible values: MMDDYYYY, DDMMYYYY.

logFacility
    The Facility value (RFC 3164) assigned to the log message. Uses numerical codes 0 to 7 to indicate the type of message originating from the NetScaler (for example, NS and VPN). Possible values: LOCAL0 to LOCAL7. Default: LOCAL0.

timeZone
    Time zone for the time stamp. Possible values: GMT and Local. Default: Local.

tcp
    Log TCP events.
INFORMATION
    Log actions taken by the NetScaler. This level is useful for troubleshooting problems.

DEBUG
    Log extensive, detailed information to help developers troubleshoot problems.

To configure an auditing server action
1. In the navigation pane, expand System, expand Auditing, and then click Policies.
2. In the details pane, on the Servers tab, do one of the following:
   • To create a new server action, click Add.
• add audit syslogPolicy
• show audit syslogPolicy []

Example
    > add audit syslogpolicy syslog-pol1 ns_true audit-action1
     Done
    > show audit syslogpolicy syslog-pol1
    1) Name: syslog-pol1 Rule: ns_true Action: audit-action1
     Done

To configure an NSLOG policy by using the command line

At the NetScaler command prompt, type the following commands to set the parameters and verify the configuration:
• add audit nslogPolicy
• sh
To configure an audit server policy
1. In the navigation pane, expand System, expand Auditing, and then click Policies.
2. In the details pane, on the Policies tab, do one of the following:
   • To create a new policy, click Add.
   • To modify an existing policy, select the policy, and then click Open.
3.
priority
    A numeric value that indicates when this policy is evaluated relative to others. A lower priority is evaluated before a higher one.

To globally bind the audit policy
1. In the navigation pane, expand System, expand Auditing, and then click Policies.
2. In the details pane, on the Policies tab, click Global Bindings.
3. In the Bind/Unbind Auditing Global Policies dialog box, click Insert Policy.
4.
To modify or remove an audit message action by using the NetScaler command line
• To modify an audit message action, type the set audit messageaction command, the name of the action, and the parameters to be changed, with their new values.
• To remove an audit message action, type the rm audit messageaction command and the name of the action.

Example
> add audit messageaction log-act1 CRITICAL '"Client:"+CLIENT.IP.SRC+" accessed "+HTTP.REQ.
Citrix NetScaler Administration Guide To configure an audit message action by using the configuration utility 1. In the navigation pane, expand System, expand Auditing, and then click Message Actions. 2. In the details pane, do one of the following: • To create a new audit message action, click Add. • To modify an existing audit message action, select the action, and then click Open. 3.
Table 3-1. Supported Platforms for the NSLOG Server

Operating system / Software requirements

Windows
• Windows XP Professional
• Windows Server 2003
• Windows 2000/NT

Linux
• Red Hat Enterprise Linux AS release 4 (Nahant) - Linux version 2.6.9-5.EL
• Red Hat 3.4.3-9.EL4 - Linux version 2.6.9-5.ELsmp
• Red Hat Linux 3.2.2-5 - Linux version 2.4.20-8

FreeBSD
FreeBSD 4.
• /usr/local/netscaler/etc
• /usr/local/netscaler/bin
• /usr/local/netscaler/samples

To uninstall the NSLOG server package on a Linux operating system
1. At a command prompt, type the following command to uninstall the audit server logging feature:
   rpm -e NSauditserver
2. For more information about the NSauditserver RPM file, use the following command:
   rpm -qpi *.rpm
3. To view the installed audit server files, use the following command:
   rpm -qpl *.rpm *.
Chapter 3 Audit Logging To install the NSLOG server package on a FreeBSD operating system 1. On the system to which you have downloaded the NSLOG package AuditServer_-.zip (for example, AuditServer_9.3-51.5.zip), extract the FreeBSD NSLOG server package audserver_bsd--.tgz (for example, audserver_bsd-9.3-51.5.tgz) from the package. 2. Copy the FreeBSD NSLOG server package audserver_bsd-.
Citrix NetScaler Administration Guide (for example, AuditServer_9.3-51.5.zip). This package contains NSLOG installation packages for all supported platforms. To download NSLOG package from www.Citrix.com 1. In a web browser, go to www.citrix.com. 2. In the menu bar, click Log In. 3. Enter your login credentials, and then click Log In. 4. In the menu bar, click Downloads. 5. Search to find the page that provides the appropriate release number and build. 6.
To uninstall the NSLOG server on a Windows operating system
At a command prompt, run the following from the \bin path:
audserver -remove

NSLOG Server Command Options
The following table describes the commands that you can use to configure audit server options.

Table 3-2. Audit Server Options

Audit server commands / Specifies

audserver -help
   The available Audit Server options.
Audit server commands / Specifies

audserver -startservice
   Start the audit server logging service, when you enter this command at a command prompt. (Windows Only) You can also start audit server logging from Start > Control Panel > Services.
   Note: Audit server logging starts by using the configuration settings in the configuration file, for example, auditlog.conf file specified in the audit server install option.

audserver -stopservice
   Stop audit server logging.
You are prompted to enter the information for the following parameters:
NSIP: Specifies the IP address of the NetScaler appliance, for example, 10.102.29.1.
Userid: Specifies the user name, for example, nsroot.
Password: Specifies the password, for example, nsroot.
audserver -stopservice

Customizing Logging on the NSLOG Server
You can customize logging on the NSLOG server by making additional modifications to the NSLOG server configuration file (log.conf). Use a text editor to modify the log.conf configuration file on the server system.

To customize logging, use the configuration file to define filters and log properties.
• Log filters. Filter log information from a NetScaler appliance or a set of NetScaler appliances.
filterName is a required parameter if you are defining a filter with other optional parameters, such as IP address, or the combination of IP address and Netmask.

Specifying Log Properties
Log properties associated with the filter are applied to all the log entries present in the filter. The log property definition starts with the key word BEGIN and ends with END as illustrated in the following example:

BEGIN
logFilenameFormat ...
logDirectory ...
logInterval ...
• Date (%{format}t)
• % creates directory with NSIP

The directory separator depends on the operating system. In Windows, use the directory separator \.
Example:
LogDirectory dir1\dir2\dir3
In the other operating systems (Linux, FreeBSD, Mac, etc.), use the directory separator /.

• LogInterval specifies the interval at which new log files are created. Use one of the following values:
   • Hourly: A file is created every hour. Default value.
Example 1
Filter f1 IP 192.168.10.1
This creates a log file for NSIP 192.168.10.1 with the default values of the log in effect.

Example 2
Filter f1 IP 192.168.10.1
begin f1
logFilenameFormat logfiles.log
end f1
This creates a log file for NSIP 192.168.10.1. Since the log file name format is specified, the default values of the other log properties are in effect.

Sample Configuration File (audit.
Chapter 4 Web Server Logging

Topics:
• Configuring the NetScaler Appliance for Web Server Logging
• Installing and Configuring the Client System for Web Server Logging
• Running the NSWL Client
• Customizing Logging on the NSWL Client System
• Sample Configuration File
• Arguments for Defining a Custom Log Format
• Time Format Definition

You can use the Web server logging feature to send logs of HTTP and HTTPS requests to a client system for storage and retrieval.
Configuring the NetScaler Appliance for Web Server Logging
On the NetScaler appliance you need to enable the Web Server Logging feature, and you can modify the size of the buffer that stores the logged information before sending the logged information to the NetScaler Web Logging (NSWL) client.

Enabling or Disabling Web Server Logging
Web server logging is enabled by default.
Citrix NetScaler Administration Guide Done To enable or disable Web server logging by using the configuration utility 1. In the navigation pane, expand System, and then select Settings. 2. In the details pane, under Modes and Features, click Change advanced features. 3. In the Configure Advanced Features dialog box, select the Web Logging check box to enable the Web logging feature, or clear the check box to disable the feature. 4. Click OK. 5. In the Enable/Disable Feature(s) dialog box, click Yes.
Chapter 4 Web Server Logging To modify the buffer size by using the configuration utility 1. In the navigation pane, expand System, and then click Settings. 2. In the details pane, under Settings, click Change global system settings. 3. In the Configure Global Settings dialog box, under Web Logging, enter a value in the Buffer_Size (in MBytes) text box (for example, 32). 4. Click OK.
Citrix NetScaler Administration Guide Operating system Version FreeBSD FreeBSD 6.3 or later The following table describes the minimum hardware specifications for the platform running the NSWL client. Table 4-2. Minimum Hardware Specification for Platforms Running the NSWL Client Operating system Hardware requirements For Windows / Linux / FreeBSD • Processor- Intel x86 ~501 megahertz (MHz) • RAM - 512 megabytes (MB) • Controller - SCSI For Solaris 2.
   cd /tmp
3. Extract the files from the *.tar file with the following command:
   tar xvf NSweblog.tar
   A directory NSweblog is created in the temporary directory, and the files are extracted to the NSweblog directory.
4. Install the package with the following command:
   pkgadd -d
   The list of available packages appears. In the following example, one NSweblog package is shown:
   1 NSweblog NetScaler Weblogging (SunOS,sparc) 7.0
5. You are prompted to select the packages.
   cp /Utilities/weblog/Linux/NSweblog.rpm /tmp
2. To install the NSWL executable, use the following command:
   rpm -i NSweblog.rpm
   This command extracts the files and installs them in the following directories.
Chapter 4 Web Server Logging This command extracts the files and installs them in the following directories. • /usr/local/netscaler/etc • /usr/local/netscaler/bin • /usr/local/netscaler/samples 4.
To uninstall the NSWL client package on a Mac OS operating system
At a command prompt, type:
pkg_delete NSweblog

Installing NSWL Client on a Windows Operating System
Before installing the NSWL client, you have to copy the NSWL client package from the NetScaler product CD or download it from www.citrix.com. The NSWL client package has the following name format: Weblog_-.zip (for example, Weblog_9.3-51.5.zip).
   b. \etc (for example, C:\nswl_win-9.3-51.5\etc)
   c. <root directory extracted from the Windows NSWL client package zip file>\samples (for example, C:\nswl_win-9.3-51.5\samples)
4. At a command prompt, run the following command from the \bin path:
   nswl -install -f \log.
rpm -e NSweblog

To get more information about the NSweblog RPM file
At a command prompt, type:
rpm -qpi *.rpm

To view the installed Web server logging files
At a command prompt, type:
rpm -qpl *.rpm

NSWL Client Command Options
The following table describes the commands that you can use to configure the NSWL client.

Table 4-3. NSWL Command Options

NSWL command / Specifies

nswl -help
   The available NSWL help options.
NSWL command / Specifies

   install option. You can also start NSWL client from Start > Control Panel > Services.

nswl -stopservice (Windows only)
   Stops the NSWL client.

nswl -remove
   Remove the NSWL client service from the registry.
Verifying the NSWL Configuration File
To make sure that logging works correctly, check the NSWL configuration file (log.conf) on the client system for syntax errors.

To verify the configuration in the NSWL configuration file
At the client system command prompt, type:
nswl -verify -f \log.conf
<directorypath>: Specifies the path to the configuration file (log.conf).
To customize logging, use the configuration file to define filters and log properties.
• Log filters. Filter log information based on the host IP address, domain name, and host name of the Web servers.
• Log properties. Each filter has an associated set of log properties. Log properties define how to store the filtered log information.

Creating Filters
You can use the default filter definition located in the configuration file ( log.
To create a filter
To create a filter, enter the following command in the log.conf file:
• filter | [IP ] | [IP ] | [ON | OFF]
• filter | [IP6 ip/] [ON | OFF]

To create a filter for a virtual server
To create a filter for a virtual server, enter the following command in the log.
Entries in the definition can include the following:
• LogFormat specifies the Web server logging feature that supports NCSA, W3C Extended, and custom log file formats. By default, the logformat property is w3c. To override, enter custom or NCSA in the configuration file, for example:
  LogFormat NCSA
  Note: For the NCSA and custom log formats, local time is used to time stamp transactions and for file rotation.
Example
LogFileNameFormat Ex%{%m%d%y}t.log
This command creates the first file name as Exmmddyy.log, then every hour creates a file with file name: Exmmddyy.log.0, Exmmddyy.log.1,..., Exmmddyy.log.n.

Example
LogInterval size
LogFileSize 100
LogFileNameFormat Ex%{%m%d%y}t

Caution: The date format %t specified in the LogFilenameFormat command overrides the log interval property for that filter.
Table 4-5. NCSA Common Log Format

Argument / Specifies

Client_IP_address
   The IP address of the client computer.
User Name
   The user name.
Date
   The date of the transaction.
Time
   The time when the transaction was completed.
Time Zone
   The time zone (Greenwich Mean Time or local time).
Method
   The request method (for example, GET, POST).
Object
   The URL.
HTTP_version
   The version of HTTP used by the client.
HTTP_StatusCode
   The status code in the response.
2001-06-12 12:34:23 GET /sports/football.html
2001-06-12 12:34:30 GET /sports/football.html

Entries
Entries consist of a sequence of fields relating to a single HTTP transaction. Fields are separated by white space; Citrix recommends the use of tab characters. If a field in a particular entry is not used, a dash (-) marks the omitted field.

Directives
Directives record information about the logging process. Lines beginning with the pound sign (#) contain directives.
12:45:52 GET /sports/football.html
12:57:34 GET /sports/football.html

Fields
The Fields directive lists a sequence of field identifiers that specify the information recorded in each entry. Field identifiers may have one of the following forms:
• identifier: Relates to the transaction as a whole.
• prefix-identifier: Relates to information transfer between parties defined by the value prefix.
Table 4-8. W3C Extended Log Format Identifiers (No Prefix Required)

Identifier / Description

date
   The date on which the transaction was done.
time
   The time when the transaction is done.
time-taken
   The time taken (in seconds) for the transaction to complete.
bytes
   The number of bytes transferred.
cached
   Records whether a cache hit has occurred. A zero indicates a cache miss.
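The following parser is an added example, not code from the guide or from the NSWL client. It reads a W3C Extended log the way the sections above describe it: `#` lines are directives, the `#Fields` directive names the columns for the entries that follow, and a dash marks an omitted field. The function names and the sample log are constructed for illustration; the prefix set is the one defined by the W3C Extended Log File Format.

```python
from typing import Dict, List, Optional, Tuple

# Prefixes from the W3C Extended Log File Format: c=client, s=server, r=remote,
# the directional pairs, and x for application-specific fields.
W3C_PREFIXES = {"c", "s", "r", "cs", "sc", "sr", "rs", "x"}
# Identifiers the guide lists as needing no prefix (Table 4-8).
NO_PREFIX_IDS = {"date", "time", "time-taken", "bytes", "cached"}

# Constructed sample log; the GET entries mirror the ones shown in the guide.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time cs-method cs-uri time-taken cached
2001-06-12 12:34:23 GET /sports/football.html 0.012 0
2001-06-12 12:34:30 GET /sports/football.html - 1
#Fields: time cs-method cs-uri
12:45:52 GET /sports/football.html
12:57:34 GET /sports/football.html unexpected-extra-value
"""


def split_field_id(field: str) -> Tuple[Optional[str], str]:
    """Return (prefix, identifier); prefix is None for whole-transaction fields."""
    if field in NO_PREFIX_IDS:
        # 'time-taken' contains a hyphen but is not prefix 'time' + 'taken'.
        return None, field
    prefix, sep, ident = field.partition("-")
    if sep and ident and prefix in W3C_PREFIXES:
        return prefix, ident
    # Any other form is returned unsplit rather than guessed at.
    return None, field


def parse_w3c_log(
    lines: List[str],
) -> Tuple[List[Dict[str, Optional[str]]], List[Tuple[int, str]]]:
    """Parse entries under the most recent #Fields directive.

    Returns (records, rejected). An entry whose column count does not match
    the active #Fields list is rejected instead of being silently misaligned,
    which is what happens when a logged value contains unexpected whitespace.
    """
    fields: Optional[List[str]] = None
    records: List[Dict[str, Optional[str]]] = []
    rejected: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            if name.strip().lower() == "fields":
                fields = value.split()  # a later #Fields replaces the earlier one
            continue
        if fields is None:
            rejected.append((lineno, "entry before any #Fields directive"))
            continue
        # Tabs are the recommended separator; fall back to any white space.
        values = line.split("\t") if "\t" in line else line.split()
        if len(values) != len(fields):
            rejected.append(
                (lineno, f"expected {len(fields)} fields, got {len(values)}")
            )
            continue
        records.append(
            {f: (None if v == "-" else v) for f, v in zip(fields, values)}
        )
    return records, rejected


if __name__ == "__main__":
    recs, bad = parse_w3c_log(SAMPLE_LOG.splitlines())
    for rec in recs:
        print(rec)
    for lineno, reason in bad:
        print(f"line {lineno} rejected: {reason}")
```
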
Field / Description

User Name
   The user name.
Service Name
   The service name, which is always HTTP.
Server IP
   The server IP address.
Server Port
   The server port number.
Method
   The request method (for example, GET, POST).
Url Stem
   The URL stem.
Url Query
   The query portion of the URL.
Http Status
   The status code in the response.
Bytes Sent
   The number of bytes sent to the server (request size, including HTTP headers).
• Solaris: The libnswl.a library located in /usr/local/netscaler/bin.

To create the custom log format by using the NSWL Library
1. Add the following two C functions defined by the system in a C source file:
   ns_userDefFieldName(): This function returns the string that must be added as a custom field name in the log record.
   ns_userDefFieldVal(): This function implements the custom field value, then returns it as a string that must be added at the end of the log record.
If the %v (Host name) or %x (URL suffix) format specifier is present in a log file name format string, the following characters in the file name are replaced by an underscore symbol in the log configuration file name:
"*./:<>?\|
Characters whose ASCII values lie in the range of 0-31 are replaced by the following: %. For example, the character with ASCII value 22 is replaced by %16.
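The replacement rule above matters because %v and %x come from the client's request, so an unsanitized value could steer where a log file is written. The sketch below is an added example, not NSWL code: it expands a log file name format and applies the substitutions the guide lists. The function names are hypothetical, only the %{format}t, %v and %x specifiers are handled, and the control-character encoding ("%" followed by two hexadecimal digits) is an assumption inferred from the guide's own example of ASCII value 22 becoming %16.

```python
import re
from datetime import datetime

# Characters the guide lists as replaced by an underscore in the file name.
UNDERSCORE_CHARS = set('"*./:<>?\\|')

# %{strftime-format}t, or the request-derived specifiers %v and %x.
_TOKEN = re.compile(r"%\{([^}]*)\}t|%([vx])")


def sanitize_component(value: str) -> str:
    """Apply the guide's substitutions to a request-derived value."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch in UNDERSCORE_CHARS:
            out.append("_")
        elif code < 32:
            # Assumption: '%' + two hex digits (guide example: 22 -> %16).
            out.append("%%%02X" % code)
        else:
            out.append(ch)
    return "".join(out)


def expand_log_filename(
    fmt: str, when: datetime, host: str = "", url_suffix: str = ""
) -> str:
    """Expand a LogFileNameFormat-style string for one transaction.

    Literal text from the configuration file is kept as written; only the
    values substituted for %v and %x are sanitized, because they are the
    parts an HTTP client controls.
    """

    def _replace(match: "re.Match[str]") -> str:
        if match.group(1) is not None:
            return when.strftime(match.group(1))
        raw = host if match.group(2) == "v" else url_suffix
        return sanitize_component(raw)

    return _TOKEN.sub(_replace, fmt)


if __name__ == "__main__":
    ts = datetime(2011, 2, 22, 16, 50, 44)  # constructed timestamp
    # The guide's own format string.
    print(expand_log_filename("Ex%{%m%d%y}t.log", ts))
    # Constructed Host values, including one that tries to leave the log directory.
    for host in ("www.netscaler.com:8080", "../../etc/passwd", "a\x16b"):
        print(repr(host), "->", expand_log_filename("%v_%{%Y%m%d}t.log", ts, host=host))
```
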
logFilenameFormat Ex%{%y%m%d}t.log
end default

##########
# netscaler caches example
# CACHE_F filter covers all the transaction with HOST name www.netscaler.com and the listed server ip's
##########
#Filter CACHE_F HOST www.netscaler.com IP 192.168.100.89 192.168.100.95 192.168.100.52 192.168.100.53 ON

##########
# netscaler origin server example
# Not interested in Origin server to Cache traffic transaction logging
##########
#Filter ORIGIN_SERVERS IP 192.168.100.
##########
# W3C Format logging, new file on reaching 20MB and the log file path name is
# atadisk6/netscaler/log/server's ip/Exmmyydd.log with log record timestamp as LOCAL.
Argument / Specifies

%b
   The bytes received, excluding the HTTP headers (request size).
%d
   A user-defined field.
%g
   The Greenwich Mean Time offset (for example, -0800 for Pacific Standard Time).
%h
   The remote host.
%H
   The request protocol.
%{Foobar}i
   The contents of the Foobar: header line(s) in the request sent to the server. The system supports the User-Agent, Referer and cookie headers.
Argument / Specifies

%r
   The first line of the request.
%s
   For requests that were redirected internally, this is the status of the original request.
%t
   The time, in common log format (standard English time format).
%{format}t
   The time, in the form given by format, which must be in the strftime(3) format. For format descriptions, see Time Format Definition on page 121.
%T
   The time taken to serve the request, in seconds.
Time Format Definition
The following table lists the characters that you can enter as the format part of the %{format}t string described in the Custom Log Format table of Arguments for Defining a Custom Log Format on page 118. Values within brackets ([ ]) show the range of values that appear. For example, [1,31] in the %d description in the following table shows %d ranges from 1 to 31.

Table 4-12. Time Format Definition

Argument / Specifies

%%
   The same as %.
Argument / Specifies

%l
   The hour (12-hour clock) [1,12]; single digits are preceded by a blank.
%m
   The number of the month in the year [1,12]; single digits are preceded by a 0.
%M
   The minute [00,59]; leading 0 is permitted but not required.
%n
   Inserts a new line.
%p
   The equivalent of either a.m. or p.m. for the locale.
%r
   The appropriate time representation in 12-hour clock format with %p.
Citrix NetScaler Administration Guide The difference between %U and %W (and also between modified conversions %OU and %OW) is the day considered to be the first day of the week. Week number 1 is the first week in January (starting with a Sunday for %U, or a Monday for %W). Week number 0 contains the days before the first Sunday or Monday in January for %U and %W.
Chapter 5 Advanced Configurations

Topics:
• Configuring Clock Synchronization
• Viewing the System Date and Time
• Configuring TCP Window Scaling
• Configuring Selective Acknowledgment

You can configure network time protocol to synchronize a Citrix® NetScaler® appliance's local clock with the other servers on the network. If you enable path maximum transmission unit (PMTU) discovery, the NetScaler can use it to determine the maximum transmission unit of any Internet channel.
Chapter 5 Advanced Configurations Configuring Clock Synchronization You can configure your NetScaler appliance to synchronize its local clock with a Network Time Protocol (NTP) server. This ensures that its clock has the same date and time settings as the other servers on your network. You can configure clock synchronization on your appliance by adding NTP server entries to the ntp.conf file from either the configuration utility or the NetScaler command line, or by manually modifying the ntp.
To modify or remove NTP servers by using the NetScaler command line
• To modify settings for an NTP server, type the set ntp server ( | ) command and the parameters to be changed, with their new values.
• To remove an NTP server, type rm ntp server ( | )

Parameters for configuring an NTP server
serverIP
IP address of the NTP server.

serverName
Domain name of the NTP server.
Chapter 5 Advanced Configurations Starting or Stopping the NTP Daemon When you enable NTP synchronization, the NetScaler starts the NTP daemon and uses the NTP server entries in the ntp.conf file to synchronize its local time setting. If you do not want to synchronize your NetScaler time with the other servers in the network, you can disable NTP synchronization, which stops the NTP daemon (NTPD).
6. If the /nsconfig directory does not contain a file named rc.netscaler, create the file.
7. Add the following entry to /nsconfig/rc.netscaler:
   /usr/sbin/ntpd -c /nsconfig/ntp.conf -l /var/log/ntpd.log &
   This entry starts the ntpd service, checks the ntp.conf file, and logs messages in the /var/log directory. This process runs every time the NetScaler is restarted.
8. Reboot the NetScaler to enable clock synchronization.
IST-Asia/Colombo
System Time: Tue Feb 22 16:50:44 2011
Last Config Changed Time: Tue Feb 22 16:48:02 2011
Last Config Saved Time: Tue Feb 22 16:48:19 2011
 Done

To view the system date and time by using the configuration utility
1. In the navigation pane, click System.
2. In the details pane, select the System Information tab.
3. Under System Information, view the system date and time.
• Do not configure window scaling unless you clearly know why you want to change the window size.
• Both hosts in the TCP connection send a window scale option during connection establishment. If only one side of a connection sets this option, window scaling is not used for the connection.
• Each connection for the same session is an independent Window Scaling session.
Chapter 5 Advanced Configurations To configure window scaling by using the configuration utility 1. In the navigation pane, expand System, and then click Settings. 2. In the details pane, under Settings, click Configure TCP Parameters. 3. In the Configure TCP Parameters dialog box, under TCP, select the Windows Scaling check box to enable window scaling. 4. In the Factor text box, type a windows scaling factor (for example, 6). For possible values, see “Parameters for configuring window scaling.” 5.
 Done
Down Service Reset status : DISABLED
Nagle's Algorithm : DISABLED
Limited Persist Probes : ENABLED
Maximum out-of-order packets to queue: 64

To enable SACK by using the Configuration Utility
1. In the navigation pane, expand System, and click Settings.
2. In the details pane, under Settings, click Change TCP Parameters.
3. In the Configure TCP Parameters dialog box, under TCP, select the Selective Acknowledgment check box, and then click OK.
clear ns config < ( basic | advanced | full )>

Example
> clear ns config basic
Are you sure you want to clear the configuration(Y/N)? [N]:Y
 Done

Parameters for clearing a configuration
level
A level representing the extent to which to clear the configuration. Possible values: basic, extended, full.

To clear a configuration by using the configuration utility
1. In the navigation pane, expand System, and then click Diagnostics.
2.
Example
show protocol httpBand -type REQUEST
show protocol httpBand -type RESPONSE

To view HTTP request and response size statistics by using the configuration utility
1. In the navigation pane, expand System, and then click Settings.
2. In the details pane, under Settings, click HTTP data band statistics.
3. In the HTTP Data Band Statistics dialog box, view the HTTP request and HTTP response size statistics on the Request and Response tabs, respectively.
To modify the band range by using the configuration utility
1. In the navigation pane, expand System, and then click Settings.
2. In the details pane, under Settings, click HTTP data band Statistics. Do one or both of the following:
   • To modify the band range of HTTP request statistics, click the Request tab, and then click Configure.
• add ns httpProfile name -maxReusePool -dropInvalReqs ( ENABLED | DISABLED ) -markHttp09Inval ( ENABLED | DISABLED ) -markConnReqInval ( ENABLED | DISABLED ) -cmpOnPush ( ENABLED | DISABLED ) -conMultiplex ( ENABLED | DISABLED )
• sh ns httpProfile

Example
add ns httpProfile http_profile1 -maxReusePool 30 -dropInvalReqs ENABLED -markHttp09Inval ENABLED -markConnReqInval ENABLED -cmpOnPush ENABLED -conMultiplex DISABLED

Parameters for adding an HTTP profile
name
Chapter 5 Advanced Configurations To add an HTTP profile by using the configuration utility 1. In the navigation pane, expand System, and then click Profiles. 2. In the details pane, on the HTTP Profiles tab, click Add. 3. In the Create HTTP Profile dialog box, set the following parameters: • Name* • Max Connection in reusepool • Connection Multiplexing • Drop invalid HTTP requests • Mark HTTP/0.9 requests as invalid • Mark CONNECT requests as invalid • Compression on PUSH packet * A required parameter.
Citrix NetScaler Administration Guide Built-in profile Description nstcp_default_tcp_lan This profile is useful for back-end server connections, where these servers reside on the same LAN as the NetScaler appliance. nstcp_default_tcp_lfp_thin_stream This profile is similar to the nstcp_default_tcp_lfp profile; however, the settings are tuned for small size packet flows.
• add ns tcpProfile name -WS (ENABLED | DISABLED ) -SACK (ENABLED | DISABLED ) -WSVal -nagle (ENABLED | DISABLED ) -ackOnPush (ENABLED | DISABLED ) -maxBurst value -initialCwnd -delayedAck -oooQSize -maxPktPerMss -pktPerRetx -minRTO -slowStartIncr
• sh ns tcpProfile

Example
add ns tcpProfile tcp_profile1 -WS ENABLED -SACK ENABLED -WSVal 4 -nagle DISABLED -ackOnPush ENABLED -maxBurst 10 -initialCwnd 6 -delayedAck 2
Citrix NetScaler Administration Guide pktPerRetx (Maximum Packets per Retransmission) The maximum limit on the number of packets that should be retransmitted on receiving a partial ACK. Minimum value: 1. Maximum value: 100. Default: 1. minRTO (Minimum RTO (in millisec)) The minimum round trip to origin (RTO) time, in milliseconds. Minimum value: 10. Maximum value: 64,000. Default: 1,000.
Chapter 5 Advanced Configurations • Use Nagle's Algorithm • Immediate ACK on Receiving Packet with PUSH * A required parameter. 4. Click Create. A message appears in the status bar, stating that the TCP profile has been configured successfully. Specifying a TCP Buffer Size You can set the TCP buffer size, both globally and for individual virtual servers and services, through TCP profiles.
Example
> set ns tcpProfile profile1 -bufferSize 12000
 Done
> show ns tcpProfile profile1
Name : profile1
Window Scaling status : DISABLED
Window Scaling factor : 4
. . .
Chapter 5 Advanced Configurations Parameters for setting the TCP buffer size in a TCP profile name Name of the TCP profile. Maximum length: 127 characters. bufferSize TCP buffer size in bytes. Maximum value: 4194304. Minimum value: 8190. Default: 8190. To set the TCP buffer size in a TCP profile by using the NetScaler configuration utility 1. In the navigation pane, expand System, and then click Profiles. 2.
Citrix NetScaler Administration Guide the appliance learns the optimum MSS value. The appliance uses the learned MSS value until the appliance is restarted. If the appliance is restarted, the appliance defaults to the MSS value specified in the virtual server's TCP profile until it learns the MSS value again. Specifying the MSS Value in a TCP Profile If you know the optimal MSS value for a given virtual server, you can specify the MSS in a TCP profile and bind the profile to the virtual server.
Chapter 5 Advanced Configurations • To create a TCP profile, click Add. • To specify the MSS in an existing TCP profile, click the name of the profile, and then click Open. 3. In the Create TCP Profile or Configure TCP Profile dialog box, specify values for the following parameters, which correspond to the parameters described in "Parameters for specifying the MSS value in a TCP profile" as shown: • Name*—name (cannot be changed for an existing TCP profile) • MSS*—mss * A required parameter 4.
Citrix NetScaler Administration Guide Done > Parameters for configuring the NetScaler to learn the MSS for a virtual server learnVsvrMSS Enable or disable MSS learning for virtual servers. Possible values: ENABLED, DISABLED. Default: DISABLED. To configure the NetScaler to learn the MSS for a virtual server by using the NetScaler configuration utility 1. In the navigation pane, expand System, and then click Settings. 2. In the details pane, click Change TCP parameters. 3.
Chapter 6 Web Interface

Topics:
• How Web Interface Works
• Prerequisites
• Installing the Web Interface
• Configuring the Web Interface

The Web Interface on Citrix® NetScaler® appliances is based on Java Server Pages (JSP) technology and provides access to Citrix® XenApp™ and Citrix® XenDesktop® applications. Users access resources through a standard Web browser or by using the Citrix XenApp plug-in. The Web Interface runs as a service on port 8080 on the NetScaler appliance.
Chapter 6 Web Interface How Web Interface Works The following figure illustrates a basic Web interface session. Figure 6-1. A Basic Web Interface Session Following is a typical set of interactions among a user device, a NetScaler running the Web interface, and a server farm. 1. A user authenticates to the Web interface through a Web browser or by using the XenApp plug-in. 2.
Citrix NetScaler Administration Guide edocs.citrix.com/. For more information about XenDesktop, see the XenDesktop farms documentation at http://edocs.citrix.com/. w Conceptual knowledge of the Web interface. For more information about Web interface running on a server, see the Web interface documentation at http:// edocs.citrix.com/. Installing the Web Interface To install the Web interface, you need to install the following files: w Web interface tar file.
Chapter 6 Web Interface Parameters for installing the Web interface and JRE tar files Web Interface tar file path Complete path to the Web interface tar file. JRE tar file path Complete path to the JRE tar file. To install the Web interface and JRE tar files by using the configuration utility 1. In the navigation pane, click Web Interface. 2. In the details pane, under Getting Started, click Install Web Interface. 3.
Citrix NetScaler Administration Guide HTTPS:/// Parameters for configuring Web interface sites Site Type Type of site. Possible values: XenApp/XenDesktop Web Site (configures the Web interface site for access by a Web browser); XenApp/XenDesktop Services Site (configures the Web interface site for access by the XenApp plug-in). Default: XenApp/ XenDesktop Web Site. Site Path Path to the Web interface site. This parameter is required.
Chapter 6 Web Interface Port Port on which the virtual server listens for client connections. Possible values: from 0 through 65535. Gateway Direct Mode The Web interface is accessed through a configured Access Gateway. Authentication Point Authentication point to be used for the site. Possible values: Web interface, AccessGateway. Default: AccessGateway. Access Gateway URL URL of the Access Gateway. Add DNS Entry Specifies whether to add DNS address record to resolve the specified Access Gateway URL.
Citrix NetScaler Administration Guide XML Service Addresses Comma-separated IP addresses or host names of either XenApp or XenDesktop servers providing XML services. XML Service Port Port number to use for contacting the XML service. Default: 80. Transport Transport protocol to use for the XML service. Possible values: HTTP, HTTPS. Default: HTTP. Load balance Specifies whether to use all the XML servers (load balance mode) or only one (failover mode).
Chapter 6 Web Interface Figure 6-2. A Web Interface Site Configured for LAN Users Using HTTP To configure a Web interface site for LAN users using HTTP by using the configuration utility 1. In the navigation pane, click Web Interface. 2. In the details pane, click Web Interface Wizard. 3. On the wizard Introduction page, click Next. 4.
5.
To configure a Web interface site for LAN users using HTTP by using the command line

1. Add a Web interface site. Set Direct or Alternate or Translated for the defaultAccessMethod parameter. At the NetScaler command prompt, type:

add wi site -siteType ( XenAppWeb | XenAppServices ) -publishedResourceType ( Online | Offline | DualMode ) -kioskMode ( ON | OFF )

Example

add wi site WINS1 -siteType XenAppWeb -publishedResourceType Online -kioskMode ON

2.
Configuring a Web Interface Site for LAN Users Using HTTPS

In this scenario, user accounts and the Web interface setup are on the same enterprise LAN. Users access the Web interface by using an SSL-based (HTTPS) vserver. The Web interface exposes its own login page for authentication. SSL offloading is done by this vserver on the NetScaler. The vserver IP address is used to access the Web interface instead of the NetScaler IP address (NSIP).
• Site Path* (You cannot change the name of an existing Web interface site.)
• Site Type
• Published Resource Type
• Kiosk Mode
• • • •

* A required parameter.

5.
10. In the Create XenApp/XenDesktop Farm or Configure XenApp/XenDesktop Farm dialog box, specify values for the following parameters, which correspond to parameters described in Parameters for configuring Web interface sites on page 153 as shown:

• Name* (You cannot change the name of an existing XenApp or XenDesktop farm.)
• XML Service Addresses*
• XML Service Port
• Transport
• Load Balance

* A required parameter.

11. Click Next, and then click Finish.
12.
4. Add an HTTPS vserver. At the NetScaler command prompt, type:

add lb vserver

Example

add lb vserver HTTPS_WI SSL 10.102.29.3 443

For more information, see “Adding an SSL-Based Virtual Server” in the “Secure Sockets Layer (SSL) Acceleration” chapter of the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX128670.

5. Bind the Web interface service to the HTTPS vserver.
For more information, see “Configuring a Rewrite Action” in the “Rewrite” chapter of the Citrix NetScaler AppExpert Guide at http://support.citrix.com/article/CTX128682.

9. Create a rewrite policy and bind the rewrite action to it. At the NetScaler command prompt, type:

add rewrite policy

Example

add rewrite policy rewrite_location "HTTP.RES.STATUS == 302 && HTTP.RES.HEADER(\"Location\").Value(0).
Figure 6-4. A Web Interface Site Configured for Remote Users Using AGEE

To configure a Web interface site for remote users using AGEE by using the configuration utility

1. In the navigation pane, click Web Interface.
2. In the details pane, click Web Interface Wizard.
3. On the wizard Introduction page, click Next.
4.
• Authentication Point
• Access Gateway URL
• Add DNS Entry
• Trust SSL Certificate
• STA Server URL
• STA Server URL (2)
• Session Reliability
• Use two STA Servers

6. Click Next.
7. On the wizard's Configure XenApp/XenDesktop Farm page, do one of the following:
   • To add a XenApp or XenDesktop farm, click Add.
   • To modify an existing XenApp or XenDesktop farm, select the farm, and then click Open.
8.
Example

add wi site WINS1 https://ag.mycompany.com http://ag.staserver.com -sessionReliability OFF -authenticationPoint AccessGateway -siteType XenAppWeb -publishedResourceType Online -kioskMode ON

2. Bind XenApp or XenDesktop farms to the Web interface site. At the NetScaler command prompt, type:

bind wi site -xmlPort -transport ( HTTP | HTTPS ) -loadBalance ( ON | OFF )

Example

bind wi site WINS1 XA1 10.102.46.
Chapter 7 AppFlow

Topics:
• How AppFlow Works
• Configuring the AppFlow Feature

The Citrix® NetScaler® appliance is a central point of control for all application traffic in the data center. It collects flow and user-session level information valuable for application performance monitoring, analytics, and business intelligence applications.
How AppFlow Works

In the most common deployment scenario, inbound traffic flows to a Virtual IP address (VIP) on the NetScaler appliance and is load balanced to a server. Outbound traffic flows from the server to a mapped or subnet IP address on the NetScaler and from the VIP to the client. A flow is a unidirectional collection of IP packets identified by the following five-tuple: sourceIP, sourcePort, destIP, destPort, and protocol.
To help the collector link all four flows in a transaction, AppFlow adds a custom transactionID element to each flow. For application-level content switching, such as HTTP, it is possible for a single client TCP connection to be load balanced to different backend TCP connections for each request. AppFlow provides a set of records for each transaction.
httpRequestSize
An unsigned 32-bit number indicating the request payload size.

httpRequestURL
The HTTP URL requested by the client.

httpUserAgent
The source of incoming requests to the Web server.

httpResponseStatus
An unsigned 32-bit number indicating the response status code.

httpResponseSize
An unsigned 32-bit number indicating the response size.

httpResponseTimeToFirstByte
An unsigned 32-bit number indicating the time taken to receive the first byte of the response.
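The linking step described in How AppFlow Works, as an added example (not code from Citrix or from this guide): it groups flow records by transactionID, reports transactions for which fewer than four flows arrived, and shows why the five-tuple alone cannot separate two requests sent on one client connection. It assumes the collector has already decoded each record into a dictionary keyed by the element names used in this chapter; the addresses, ports, transactionID values, and the choice of which flow carries which HTTP element are constructed for illustration.

```python
from collections import defaultdict

FIVE_TUPLE = ("sourceIP", "sourcePort", "destIP", "destPort", "protocol")

# Constructed sample: two HTTP requests on ONE client connection to the VIP
# that were load balanced to two different servers. All values are made up.
CLIENT, VIP, SNIP = "198.51.100.7", "10.0.0.10", "10.0.0.2"

def flow(txn, src, sport, dst, dport, **http):
    """Build one decoded flow record (assumed shape: a flat dict)."""
    rec = dict(transactionID=txn, sourceIP=src, sourcePort=sport,
               destIP=dst, destPort=dport, protocol=6)
    rec.update(http)
    return rec

SAMPLE = [
    flow(1001, CLIENT, 51000, VIP, 80, httpRequestURL="/login"),
    flow(1001, SNIP, 4001, "10.0.1.11", 8080),
    flow(1001, "10.0.1.11", 8080, SNIP, 4001, httpResponseStatus=200),
    flow(1001, VIP, 80, CLIENT, 51000),
    flow(1002, CLIENT, 51000, VIP, 80, httpRequestURL="/report"),
    flow(1002, SNIP, 4002, "10.0.1.12", 8080),
    flow(1002, "10.0.1.12", 8080, SNIP, 4002, httpResponseStatus=500),
    # The VIP-to-client flow of transaction 1002 never reached the collector.
]

def five_tuple(rec):
    return tuple(rec[k] for k in FIVE_TUPLE)

def link_by_transaction(records):
    """Group flow records by transactionID and merge their HTTP elements."""
    txns = defaultdict(lambda: {"flows": [], "http": {}})
    for rec in records:
        entry = txns[rec["transactionID"]]
        entry["flows"].append(five_tuple(rec))
        entry["http"].update(
            {k: v for k, v in rec.items() if k.startswith("http")})
    return dict(txns)

def incomplete(txns, expected_flows=4):
    """transactionIDs for which fewer than the four flows were received."""
    return sorted(t for t, e in txns.items() if len(e["flows"]) < expected_flows)

def ambiguous_five_tuples(records):
    """Five-tuples shared by more than one transaction."""
    seen = defaultdict(set)
    for rec in records:
        seen[five_tuple(rec)].add(rec["transactionID"])
    return {ft: sorted(ids) for ft, ids in seen.items() if len(ids) > 1}
```

In the sample, the client-to-VIP five-tuple belongs to both transactions, so only transactionID ties each request to the server that answered it.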
Enabling or Disabling the AppFlow Feature

To be able to use the AppFlow feature, you must first enable it.

To enable or disable the AppFlow feature by using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

• enable ns feature appflow
• disable ns feature appflow

To enable the AppFlow feature by using the configuration utility

1. In the navigation pane, expand System, and then click Settings.
2.
To remove a collector by using the NetScaler command line

At the NetScaler command prompt, type:

rm appflowCollector

Parameters for specifying a collector

name
Name of the collector to which to export data. Maximum characters: 255.

ipaddress
The IPv4 address of the collector.

port
The UDP port on which the collector is listening. Default port: 4739.

To specify a collector by using the configuration utility

1. In the navigation pane, expand AppFlow, and then click Collectors.
2.
Example

> add appflow action apfl-act-collector-1-and-3 -collectors collector-1 collecter-3
 Done
> show appflow action
1) Name: apfl-act-collector-1
   Collectors: collecter-1
   Hits: 0
   Action Reference Count: 2
2) Name: apfl-act-collector-2-and-3
   Collectors: collector-2, collecter-3
   Hits: 0
   Action Reference Count: 1
3) Name: apfl-act-collector-1-and-3
   Collectors: collector-1, collecter-3
   Hits: 0
   Action Reference Count: 1
 Done

To modify or remove an AppFlow action by
To configure an AppFlow action by using the configuration utility

1. In the navigation pane, expand AppFlow, and then click Actions.
2. In the details pane, do one of the following:
   • To create a new action, click Add.
   • To modify an existing action, select the action, and then click Open.
3. In the Add AppFlow Action or Configure AppFlow Action dialog box, type a name for the new action or the name of an existing action, respectively.
1) Name: apfl-pol-myPolicy5
   Hits: 0
   Undef Hits: 0
   Active: Yes
2) Name: apfl-pol-myPolicy10
   Hits: 0
   Undef Hits: 0
   Active: Yes
3) Name: apfl-pol-myPOL30
   Hits: 0
   Undef Hits: 0
   Active: Yes
4) Name: apfl-pol-myPolicy50
   Hits: 0
   Undef Hits: 0
   Active: No
5) Name: apfl-pol-tcp-dsprt
   Hits: 0
   Undef Hits: 0
   Active: No
 Done

To modify or remove an AppFlow policy by using the NetScaler command line

• To modify an AppFlow policy, type the set appflow policy command, the name
comment
Any comments that you may want to associate with the policy. Maximum length: 255 characters. To include spaces in a comment that you type on the NetScaler command line, enclose the entire comment inside quotation marks. The quotation marks do not become part of the comment. They are not required if you use the configuration utility.

To configure an AppFlow policy by using the configuration utility

1. In the navigation pane, expand AppFlow, and then click Policies.
2.
CLIENT
The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.

When you make your choice, the rightmost list box lists appropriate terms for the next part of your expression.

2. In the second list box, choose the second term for your expression. The choices depend upon which choice you made in the previous step, and are appropriate to the context.
To bind an AppFlow policy to a specific virtual server by using the NetScaler command line

At the NetScaler command prompt, type the following command to bind an AppFlow policy to a specific virtual server and verify the configuration:

bind lb vserver -policyname -priority

Parameters for binding an AppFlow policy

name
The name of the virtual server to which you are binding the AppFlow policy.
5. Click one of the policies on the list. That policy is inserted into the list of globally bound AppFlow policies.
6. Click Apply Changes.
7. Click Close. A message appears in the status bar, stating that the configuration has been successfully implemented.

To bind an AppFlow policy to a specific virtual server by using the configuration utility

1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2.
For example, expand Content Switching to enable AppFlow for a content switching virtual server, and then click Virtual Servers.
2. In the details pane, do one of the following:
   • To enable AppFlow for a new virtual server, click Add.
   • To enable AppFlow for an existing virtual server, select the virtual server, and then click Open.
3. In the Create Virtual Server (feature_name) dialog box or the Configure Virtual Server (feature_name) dialog box, select the AppFlow Logging check box.
4.
• set appflowParam [-templateRefresh ] [-appnameRefresh ] [-flowRecordInterval ] [-udpPmtu ] [-httpUrl ( ENABLED | DISABLED )] [-httpCookie ( ENABLED | DISABLED )] [-httpReferer ( ENABLED | DISABLED )] [-httpMethod ( ENABLED | DISABLED )] [-httpHost ( ENABLED | DISABLED )] [-httpUserAgent ( ENABLED | DISABLED )] [-clientTrafficOnly ( YES | NO )]
• show appflowParam

Example

> set appflowParam -templateRefresh 240 -udpPmtu 128 -httpUrl en
httpCookie
Include the cookie that was in the HTTP request received by the NetScaler appliance from the client. Possible values: ENABLED, DISABLED. Default: DISABLED.

httpReferer
Include the Web page that was last visited by the client. Possible values: ENABLED, DISABLED. Default: DISABLED.

httpMethod
Include the method that was specified in the HTTP request received by the NetScaler appliance from the client. Possible values: ENABLED, DISABLED. Default: DISABLED.
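Cookies, referers, and URLs can carry session identifiers, so it is worth knowing which of these fields an appliance exports to its collectors. The following added example (not part of this guide or of any Citrix tool) replays the set appflowParam commands found in a text file of CLI commands and reports the effective state of each HTTP field. The sample input is constructed, and treating an unset flag as DISABLED is an assumption for the parameters whose default is not listed above.

```python
import shlex

# Flags from the "set appflowParam" syntax in this chapter. The first three
# can carry session identifiers or user-supplied data.
SENSITIVE = ("httpCookie", "httpReferer", "httpUrl")
HTTP_FLAGS = SENSITIVE + ("httpMethod", "httpHost", "httpUserAgent")

# Constructed sample of CLI commands (not taken from a real appliance).
SAMPLE_CONFIG = """\
enable ns feature appflow
set appflowParam -templateRefresh 240 -udpPmtu 128 -httpUrl enabled
set appflowParam -httpCookie ENABLED -httpMethod ENABLED
set appflowParam -httpCookie DISABLED -clientTrafficOnly YES
"""

def effective_http_fields(config_text):
    """Replay every 'set appflowParam' line in order; later lines win.

    Flags that are never set are reported as DISABLED (assumed default).
    """
    state = {flag: "DISABLED" for flag in HTTP_FLAGS}
    by_lower = {flag.lower(): flag for flag in HTTP_FLAGS}
    for line in config_text.splitlines():
        try:
            tokens = shlex.split(line)
        except ValueError:          # unbalanced quotes on an unrelated line
            continue
        if [t.lower() for t in tokens[:2]] != ["set", "appflowparam"]:
            continue
        args = tokens[2:]
        # Walk adjacent (flag, value) pairs; flag names are case-insensitive.
        for name, value in zip(args, args[1:]):
            if not name.startswith("-"):
                continue
            flag = by_lower.get(name[1:].lower())
            if flag:
                state[flag] = value.upper()
    return state

def exported_sensitive_fields(config_text):
    """Sensitive HTTP fields that end up ENABLED after all commands run."""
    state = effective_http_fields(config_text)
    return [f for f in SENSITIVE if state[f] == "ENABLED"]

if __name__ == "__main__":
    print(exported_sensitive_fields(SAMPLE_CONFIG))
```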
Chapter 8 Reporting Tool

Topics:
• Using the Reporting Tool
• Stopping and Starting the Data Collection Utility

Use the Citrix® NetScaler® Reporting tool to view NetScaler performance statistics data as reports. Statistics data are collected by the nscollect utility and are stored in a database. When you want to view certain performance data over a period of time, the Reporting tool pulls out specified data from the database and displays them in charts. Reports are a collection of charts.
Using the Reporting Tool

The Reporting tool is a Web-based interface accessed from the Citrix® NetScaler® appliance. Use the Reporting tool to display the performance statistics data as reports containing graphs. In addition to using the built-in reports, you can create custom reports, which you can modify at any time. Reports can have between one and four charts. You can create up to 256 custom reports.

To invoke the Reporting tool

1.
• Toggle between a tabular view of data and a graphical view of data.
• Change the graphical display type, such as bar chart or line chart.
• Customize charts in a report.
• Export the chart as an Excel comma-separated value (CSV) file.
• View the charts in detail by zooming in, zooming out, or using a drag-and-drop operation (scrolling).
• Set a report as the default report for viewing whenever you log on.
• Add or remove counters.
• Print reports.
1. In the Reporting tool, on the report toolbar, click Create, or if you want to create a new custom report based on an existing report, open the existing report, and then click Save As.
2. In the Report Name box, type a name for the custom report.
3. Do one of the following:
   • To add the report to an existing folder, in Create in or Save in, click the down arrow to choose an existing folder, and then click OK.
Time interval    Displays
Last Month       Statistics data collected for the last month (31 days).
Last Year        Statistics data collected for the last year (365 days).
Custom           Statistics data collected for a time period that you are prompted to specify.

To modify the time interval

1. In the left pane of the Reporting tool, click a report.
2. On the report toolbar, click Duration, and then click a time interval.
Note: When you export the file, it is exported in a .gz file format.

Working with Charts

Use charts to plot and monitor counters or groups of counters. You can include up to four charts in one report. In each chart, you can plot up to 32 counters. The charts can use different graphical formats (for example, area and bar).
6. Under Counters, in Available, click the counter name(s) that you want to plot, and then click the > button.
7. If you selected System entities statistics in step 4, on the Entities tab, under Available, click the entity instance name(s) you want to plot, and then click the > button.
8. Click OK.

Viewing a Chart

You can specify the graphical formats of the plotted counters in a chart.
3. Once you have the desired range of time for which you want to view detailed data, on the report toolbar, click Tabular View. Tabular view displays the data in numeric form in rows and columns.

To view numeric data for a graph

1. In the left pane of the Reporting tool, select a report.
2. In the right pane, on the report toolbar, click Tabular View. To return to the graphical view, click Graphical View.
example, if CPU usage and Memory usage are displayed in first and second order at the bottom of the chart, CPU usage is equal to Data Set 1 and Memory usage is equal to Data Set 2.
• To plot each data set in its own hidden y-axis, click Multiple Axes, and then click Enable.

To change the background color, edge color, and gridlines for a plot area of a chart

1. In the left pane of the Reporting tool, select a report.
2.
To export chart data to Excel

1. In the left pane of the Reporting tool, select a report.
2. In the right pane, under the chart with the data you want to export to Excel, click Export.

Deleting a Chart

If you do not want to use a chart, you can remove it from the report. You can permanently remove charts from custom reports only. If you delete a chart from a built-in report and want to retain the changes, you need to save the report as a custom report.

To delete a chart

1.
8. Click OK.
9. On the report toolbar, click Duration, and then click Last Week.

Stopping and Starting the Data Collection Utility

The performance data is stored in different data sources on the Citrix® NetScaler® appliance. The default data source is /var/log/db/default. You can create up to 32 data sources. The data collection utility nscollect retrieves data from the NetScaler and updates the data source. This utility runs automatically when you start the NetScaler.
Entity name                  Limit
ACL6                         50
Priority Queuing Policies    100
RNAT IP Addresses            100
SureConnect Policies         100
Services                     250
Service Groups               100
System CPU                   8
VLAN                         25
VPN Virtual Servers          5

The nscollect utility retrieves n number of entity counters and creates the entity database. If the first n counters change in the subsequent fetch, the database stores more than n entries for that entity type. However, you need to delete the unused entity counters manually.
/netscaler/nscollect start

To start nscollect on the remote system

At a NetScaler command prompt, type the following:

/netscaler/nscollect start -U NS_IP:UserName:Password -ds DataSourceName

Example

/netscaler/nscollect start -U 10.102.29.