Thursday, 15 December 2016

Load Balancing Traffic on a Citrix NetScaler

Load balancing improves server fault tolerance and end-user response time. This chapter lists the basic and a few advanced settings that you can configure.

In This Chapter
How Load Balancing Works

Configuring Load Balancing

How Load Balancing Works
The load balancing feature distributes client requests across multiple servers to optimize resource utilization. In a real-world scenario with a limited number of servers providing service to a large number of clients, a server can become overloaded and degrade server performance. A NetScaler uses load balancing criteria to prevent bottlenecks by forwarding each client request to the server best suited to handle the request when it arrives.

To configure load balancing, you define a virtual server (vserver) to proxy multiple servers in a server farm and balance the load among them. When a client initiates a connection to the server, the vserver terminates the client connection and initiates a new connection with the selected server to perform load balancing. The load balancing feature provides traffic management from Layer 4 (TCP and UDP) through Layer 7 (FTP, HTTP, and HTTPS).

The NetScaler uses a number of algorithms, called load balancing methods, to determine how to distribute the load among the servers. The default load balancing method is the Least Connections method.

The entities that you must configure in a typical load balancing setup are:
• Vserver. An entity that is represented by an IP address, a port, and a protocol. The vserver IP address (VIP) is usually a public IP address. The client sends connection requests to this IP address. The vserver represents a bank of servers.

• Service. An entity that is represented by an IP address, a port, and a protocol. A service is a logical representation of a server or an application running on a server. The services are bound to the vservers.

• Server object. An entity that is represented by an IP address. The server object is created when you create a service. The IP address of the service is taken as the name of the server object. You can also create a server object and then create services by using the server object.

• Monitor. An entity that tracks the health of the services. The NetScaler periodically probes the servers using the monitor bound to each service. If a server does not respond within a specified response timeout, and the specified number of probes fails, the service is marked DOWN. The NetScaler then performs load balancing among the remaining services.

To configure load balancing, you must first create services. Then, you must create vservers and bind services to the vservers. By default, the NetScaler binds a monitor to each service. You can also assign weights to a service. The load balancing method uses the assigned weight to select a service.

Understanding Persistence
You must configure persistence on a vserver if you want to maintain the states of connections on the servers represented by that vserver (for example, connections used in e-commerce). The NetScaler then uses the configured load balancing method for the initial selection of a server, but forwards to that same server all subsequent requests from the same client.

If persistence is configured, it overrides the load balancing methods once the server has been selected. If the configured persistence applies to a service that is down, the NetScaler uses the load balancing methods to select a new service, and the new service becomes persistent for subsequent requests from the client. If the selected service is in an Out Of Service state, it continues to serve the outstanding requests but does not accept new requests or connections. After the shutdown period elapses, no new requests or connections are directed to the service and the existing connections are closed.

If the configured persistence cannot be maintained because of lack of resources on a NetScaler, the load balancing methods are used for server selection. Persistence is maintained for a configured period of time, depending on the persistence type. Some persistence types are specific to certain vservers.

persistence on the group, the client requests are directed to the same selected server regardless of which vserver in the group receives the client request. When the configured time for persistence elapses, any vserver in the group can be selected for incoming client requests.
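
The selection behaviour described above (Least Connections for the first request, persistence for later ones, reselection when the persistent service is DOWN or the persistence period has elapsed) can be modelled in a few lines. This is an added illustration, not NetScaler code: the service names, client addresses, the 120-second timeout, the weight scaling and the fixed expiry are modelling assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    state: str = "UP"      # "UP" or "DOWN", as a monitor would set it
    weight: int = 1
    active: int = 0        # active connections (never closed in this model)


@dataclass
class VServer:
    services: list
    persist_timeout: float = 120.0                 # seconds, constructed value
    table: dict = field(default_factory=dict)      # client IP -> (service, expiry)

    def _least_connections(self):
        up = [s for s in self.services if s.state == "UP"]
        if not up:
            raise RuntimeError("no service is UP")
        # Fewest active connections wins. Dividing by the weight is a
        # modelling assumption; ties go to the first bound service.
        return min(up, key=lambda s: s.active / s.weight)

    def select(self, client_ip, now):
        """Return (service name, reason) for one request at time `now`."""
        entry = self.table.get(client_ip)
        if entry and now < entry[1] and entry[0].state == "UP":
            svc, reason = entry[0], "persistence"
        else:
            # No entry, entry expired, or persistent service is DOWN:
            # fall back to the method; the new service becomes persistent.
            svc, reason = self._least_connections(), "load-balancing method"
            self.table[client_ip] = (svc, now + self.persist_timeout)
        svc.active += 1
        return svc.name, reason


def demo():
    """Replay a constructed request sequence and return the decisions."""
    vs = VServer([Service("svc-a"), Service("svc-b"), Service("svc-c")])
    log = [
        vs.select("198.51.100.7", now=0),   # first request from client 1
        vs.select("203.0.113.9", now=1),    # first request from client 2
        vs.select("198.51.100.7", now=2),   # client 1 again
        vs.select("198.51.100.7", now=3),   # sticks although svc-a is busiest
    ]
    vs.services[0].state = "DOWN"           # monitor marks svc-a DOWN
    log.append(vs.select("198.51.100.7", now=4))     # reselected
    log.append(vs.select("198.51.100.7", now=5))     # new service persists
    log.append(vs.select("198.51.100.7", now=125))   # persistence has expired
    return log


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```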

Thursday, 13 October 2016

Configuring SNMP Alarms

This section includes procedures for configuring SNMP alarms. It covers the following topics:
• Enabling an SNMP Alarm
• Setting the Severity of the SNMP Alarm

Enabling an SNMP Alarm
After you enable an SNMP alarm, the NetScaler generates trap messages when certain events occur. Some alarms are enabled by default.

To enable an alarm using the configuration utility
1. In the navigation pane, expand System, expand SNMP, and click Alarms. The Alarms page appears in the details pane.
2. On the Alarms page, select a disabled SNMP alarm that you want to enable, for example, LOGIN-FAILURE.
3. Click Enable.
To enable alarms using the NetScaler command line
At a NetScaler command prompt, type:
set snmp alarm LOGIN-FAILURE -state ENABLED

Setting the Severity of an SNMP Alarm
There are five severity types (tags): Critical, Major, Minor, Warning, and Informational. A trap is sent only when the severity of the alarm matches the severity specified for the trap.

To set the severity of the alarm using the configuration utility
1. In the navigation pane, expand System, expand SNMP, and click Alarms. The SNMP Alarms page appears in the details pane.
2. Select the alarm for which you want to set the severity, for example, LOGIN-FAILURE.
3. Click Open. The Configure SNMP Alarm dialog box appears.
4. In Severity, select a severity option, for example, Major.
5. Click OK.
To set the severity of the alarm using the NetScaler command line
At a NetScaler command prompt, type:
set snmp alarm LOGIN-FAILURE -severity Major

Disabling an SNMP Alarm
If you disable an SNMP alarm, the NetScaler will not generate trap messages when corresponding events occur. For example, if you disable the Login-Failure SNMP alarm, the NetScaler will not generate a trap message when a login failure occurs.

To disable an SNMP alarm using the configuration utility
1. In the navigation pane, expand System, click SNMP, and click Alarms. The Alarms page appears in the details pane.
2. In the Alarms page, select an SNMP alarm that you want to disable, for example, LOGIN-FAILURE.
3. Click Disable.
To disable an SNMP alarm using the NetScaler command line
At a NetScaler command prompt, type:
set snmp alarm LOGIN-FAILURE -state DISABLED

Configuring Syslog

You can customize logging of NetScaler and Access Gateway Enterprise Edition access events for the needs of your site. You can direct these logs either to files on the NetScaler or to external log servers. The NetScaler uses the Audit Server Logging feature for logging the states and status information collected by different modules in the kernel and by user-level daemons. For more information about the Audit Server Logging feature, see the “Audit Server Logging” chapter in Citrix NetScaler Administration Guide.

Syslog is used to monitor a NetScaler and log connections, statistics, and so on. You can customize the two logging functions for system events messaging and syslog. The NetScaler’s internal event message generator passes log entries to the syslog server. The syslog server accepts these log entries and logs them.

Friday, 7 October 2016

Adding a Name Server

You can add, remove, enable, and disable external name servers. You can create a name server by specifying its IP address, or you can configure an existing vserver as the name server.

When adding name servers, you can specify IP addresses or virtual IP addresses (VIPs). If you use IP addresses, the NetScaler load balances requests to the configured name servers in a round robin manner. If you use VIPs, you can specify any load balancing method. Use either of the following procedures to add a name server. (The examples use an IP address. For information about using a VIP, see the “Domain Name System” chapter in Citrix NetScaler Traffic Management Guide.)

To add a name server using the configuration utility
1. In the navigation pane, expand DNS and click Name Servers. The Name Servers page appears in the details pane.
2. Click Add. The Create Name Server dialog box appears.
3. Select the IP Address radio button.
4. In the IP Address text box, type the IP address of the name server, for example, 10.102.29.10. When you are adding an external name server, clear the Local check box.
5. Click Create, and click Close. The name server that you added appears in the Name Servers page.

To add a name server using the NetScaler command line
At a NetScaler command prompt, type:
add dns nameServer 10.102.29.10

Verifying the Configuration
To verify the configuration, you need to view the properties of the name servers. These properties (state, effective state, and so on) can be used as a basis for troubleshooting any fault in the configuration. Use either of the following procedures to view the properties of a name server.

To view the properties of a name server using the configuration utility
1. In the navigation pane, expand DNS and click Name Servers. The Name Servers page appears in the details pane. The details of the available Name Servers appear on this page.
2. Verify that the configured name server (for example 10.102.29.10) appears.
3. Select the IP address or VIP that you assigned and, in the Details section, verify that the parameters displayed are correctly configured.

To view the properties of a name server using the NetScaler command line
At a NetScaler command prompt, type:
show dns nameServer

Configuring SNMP
The Simple Network Management Protocol (SNMP) network management application queries the SNMP agent on the NetScaler. The agent searches the management information base (MIB) for data requested by the network management application and sends the data to the application.

To configure SNMP monitoring of a NetScaler, you set up traps and alarms. SNMP traps are asynchronous events that the agent generates to signal abnormal conditions. For example, if you want to be informed when CPU utilization is above 90 percent, you can enable traps and set up an alarm for that condition. The following conceptual diagram illustrates a network with a NetScaler that has SNMP enabled and configured.

The SNMP agent on a NetScaler supports SNMP version 1 (SNMPv1), SNMP version 2 (SNMPv2), and SNMP version 3 (SNMPv3). Because it operates in bilingual mode, the agent can handle SNMPv2 queries, such as Get-Bulk, and SNMPv1 queries. The SNMP agent also sends traps compliant with SNMPv2 and supports SNMPv2 data types, such as counter64. SNMPv1 managers (programs on other servers that request SNMP information from the NetScaler) use the NS-MIB-smiv1.mib file when processing SNMP queries. SNMPv2 managers use the NS-MIB-smiv2.mib file.

The NetScaler supports the following enterprise-specific MIBs:
• A subset of standard MIB-2 groups. Provides MIB-2 groups SYSTEM, IF, ICMP, UDP, and SNMP.
• A system enterprise MIB. Provides system-specific configuration and statistics.

Note: Procedures in this section include IP addresses and other settings as examples that you can use in your initial configuration.

Adding SNMP Managers
You can configure a workstation running a management application that complies with SNMP version 1, 2, or 3 to access a NetScaler. Such a workstation is called an SNMP manager. If you do not configure an SNMP manager, the NetScaler accepts and responds to SNMP queries from all IP addresses on the network. If you configure one or more SNMP managers, the NetScaler accepts and responds to SNMP queries from only those specific IP addresses. When specifying the IP address of an SNMP manager, you can use the netmask parameter to grant access from entire subnets. You can add a maximum of 100 SNMP managers or networks.

To add an SNMP manager using the configuration utility
1. In the navigation pane, expand System, expand SNMP, and click Managers. The Managers page appears on the details pane.
2. Click Add. The Add SNMP Manager dialog box appears.
3. In the IP Address text box, type the IP address, for example, 10.102.29.5.
4. Click Create and click Close.

To add an SNMP manager using the NetScaler command line
At a NetScaler command prompt, type:
add snmp manager 10.102.29.5 -netmask 255.255.255.255

Adding SNMP Traps
You can use either of the procedures described in this section to set the NetScaler to send traps to a specified destination.

To add an SNMP trap using the configuration utility
1. In the navigation pane, expand System, expand SNMP, and click Traps. The Traps page appears in the details pane.
2. Click Add. The Add SNMP Trap Destination dialog box appears.
3. In the Destination IP Address text box, type the IP address, for example, 10.102.29.3.
4. Click Create and click Close.

To add an SNMP trap using the NetScaler command line
At a NetScaler command prompt, type:
add snmp trap specific 10.102.29.3
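
The SNMP settings above have two defaults worth checking after any change: with no manager configured the NetScaler answers queries from all IP addresses, and a disabled alarm (see Disabling an SNMP Alarm) produces no trap. The following added example, which is not Citrix code, audits a list of CLI commands of the form shown on this page. The sample configuration is constructed, and the 256-address threshold and the /32 default for an omitted netmask are assumptions.

```python
import ipaddress
import shlex

# Constructed sample: CLI commands of the kind shown on this page.
SAMPLE_CONFIG = """\
add snmp manager 10.102.29.5 -netmask 255.255.255.255
add snmp manager 10.102.0.0 -netmask 255.255.0.0
add snmp trap specific 10.102.29.3
set snmp alarm LOGIN-FAILURE -state DISABLED
set snmp alarm LOGIN-FAILURE -severity Major
"""


def _options(tokens):
    """Turn ['-netmask', '255.0.0.0'] into {'netmask': '255.0.0.0'}."""
    opts = {}
    it = iter(tokens)
    for tok in it:
        # Pasted commands often carry an en or em dash instead of '-'.
        if len(tok) > 1 and tok[0] in "-\u2013\u2014":
            opts[tok[1:].lower()] = next(it, "")
    return opts


def parse(config_text):
    """Collect SNMP managers, trap destinations and alarm settings."""
    managers, traps, alarms = [], [], {}
    for line in config_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        head = tuple(t.lower() for t in tok[:3])
        if head == ("add", "snmp", "manager"):
            # Assumption: an omitted netmask means a single host.
            mask = _options(tok[4:]).get("netmask", "255.255.255.255")
            managers.append(
                ipaddress.ip_network(f"{tok[3]}/{mask}", strict=False))
        elif head == ("add", "snmp", "trap") and len(tok) >= 5:
            traps.append((tok[3].lower(), tok[4]))
        elif head == ("set", "snmp", "alarm"):
            # Later commands for the same alarm override earlier ones.
            alarms.setdefault(tok[3].upper(), {}).update(_options(tok[4:]))
    return managers, traps, alarms


def audit(config_text, required_alarms=("LOGIN-FAILURE",), max_hosts=256):
    """Return a list of findings; an empty list means nothing was flagged."""
    managers, traps, alarms = parse(config_text)
    findings = []
    if not managers:
        findings.append("no SNMP manager configured: "
                        "queries are answered from all IP addresses")
    for net in managers:
        if net.num_addresses > max_hosts:
            findings.append(
                f"manager {net} grants access to {net.num_addresses} addresses")
    if not traps:
        findings.append("no trap destination configured")
    for name in required_alarms:
        state = alarms.get(name, {}).get("state", "").upper()
        if state == "DISABLED":
            findings.append(
                f"alarm {name} is DISABLED: no trap when the event occurs")
        elif not state:
            findings.append(
                f"alarm {name} has no explicit -state; confirm its default")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```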

Friday, 30 September 2016

Configuring Virtual LANs

The NetScaler supports (Layer 2) port and IEEE 802.1Q tagged virtual LANs (VLANs). VLAN configurations are useful when you need to restrict traffic to certain groups of stations. You can configure a network interface to belong to multiple VLANs using IEEE 802.1Q tagging.

You can bind your configured VLANs to IP subnets. The NetScaler (if it is configured as the default router for the hosts on the subnets) then performs IP forwarding between these VLANs. A NetScaler supports the following types of VLANs.

• Default VLAN. By default, the network interfaces on a NetScaler are included in a single, port-based VLAN as untagged network interfaces. This default VLAN has a VID of 1 and exists permanently. It cannot be deleted, and its VID cannot be changed.

• Port-Based VLANs. A set of network interfaces that share a common, exclusive, Layer 2 broadcast domain define the membership of a port-based VLAN. You can configure multiple port-based VLANs.

• Tagged VLAN. A network interface can be a tagged or untagged member of a VLAN. Each network interface is an untagged member of only one VLAN (its native VLAN). The untagged network interface forwards the frames for the native VLAN as untagged frames. A tagged network interface can be a part of more than one VLAN. When you configure tagging, be sure that both ends of the link have matching VLAN settings. You can use the configuration utility to define a tagged VLAN (nsvlan) that can have any ports bound as tagged members of the VLAN. Configuring this VLAN requires a reboot of the NetScaler and therefore must be done during initial network configuration.

Note: The VLAN configuration is neither synchronized nor propagated. You must perform the configuration on each unit in a high availability (HA) pair independently. The best practice is to set the VLAN ID for an NSIP to 1.

Creating a VLAN
You can implement VLANs in the following environments:
• Single subnet
• Multiple subnets
• Single LAN
• VLANs (no tagging)
• VLANs (802.1q tagging)
You can use either of the following procedures to create a VLAN.

To create a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs. The VLANs page appears in the details pane.
2. Click Add. The Add VLAN dialog box appears.
3. In the VLAN Id text box, type the ID of the VLAN, for example, 2.
4. Click Create and click Close. The VLAN you added appears in the VLANs page.

To create a VLAN using the NetScaler command line
At a NetScaler command prompt, type:
add vlan 2

For more information about VLANs, see the Citrix NetScaler Networking Guide. When you create VLANs that have only untagged network interfaces as their members, the total number of possible VLANs is limited to the number of network interfaces available on the NetScaler. If more IP subnets are required with a VLAN configuration, 802.1q tagging must be used.

Binding a Network Interface to a VLAN
You can use either of the following procedures to bind a network interface to a VLAN.

To bind a network interface to a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs. The VLANs page appears in the details pane.
2. Select the VLAN to which you want to bind the interface, for example, 2.
3. Click Open. The Modify VLAN dialog box appears.
4. Under Interfaces, select the Active check box corresponding to the network interface that you want to bind to the VLAN, for example, 1/8.
5. Click OK.

To bind a network interface to a VLAN using the NetScaler command line
At a NetScaler command prompt, type:
bind vlan 2 -ifnum 1/8

Verifying the Configuration
Viewing the configuration enables you to troubleshoot any problem in the configuration.

Viewing the Properties of VLANs
You can view properties such as VLAN ID, members, and tagging of the configured VLANs. You can use either of the following procedures to view the properties of the VLANs.

To view the properties of VLANs using the configuration utility
1. In the navigation pane, expand Network and click VLANs. The VLANs page appears in the details pane. The details of the available VLANs appear on this page.
2. Verify that the configured VLAN (with ID 2 if you used the example in the previous procedure) appears.
3. Select the configured VLAN and, in the Details section, verify that the parameters displayed are correctly configured.

To view the properties of VLANs using the NetScaler command line
At a NetScaler command prompt, type:
show vlan

Viewing the Statistics of a VLAN
You can view statistics such as packets received, bytes received, packets sent, and bytes sent of configured VLANs. You can use the statistics to monitor a VLAN and debug problems. You can use either of the following procedures to view the statistics of a VLAN.

To view the statistics of a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs. The VLANs page appears in the details pane.
2. Select the VLAN whose statistics you want to view, for example, 2.
3. Click Statistics. The VLAN Statistics dialog box appears.

To view the statistics of a VLAN using the NetScaler command line
At a NetScaler command prompt, type:
stat vlan 2

Thursday, 29 September 2016

Citrix NetScaler Authentication and Authorization

NetScaler authentication and authorization functions are of two basic types. The users and groups functions allow you to define who has access to the NetScaler. Command policies allow you to define what parts of the NetScaler configuration a user or group is permitted to access and modify. In other words, command policies regulate which commands, command groups, and other elements NetScaler users and groups are permitted to use.

To configure authentication and authorization, you first define the users who have access to the NetScaler. After you have defined the users, you can organize them into groups. You then configure command policies to define the types of access, and assign the policies to users and/or groups.

In This Chapter

Defining Users
Defining Groups
Command Policies

Defining Users


Once you have changed the default password, no user can access the NetScaler until you create an account for that user. After you have defined your users by creating accounts for them, you might have to change passwords or remove user accounts.

Creating a User Account

To create a user account, you simply assign a user name and password. You use the parameters described in the following table.

Parameter : User Name
Specifies : Name that the user enters to request access.

Parameter : Password
Specifies : Password that the user enters to request access.

To create a user account, use either of the following procedures.

To add a user account using the configuration utility

1. In the navigation pane, expand System and click Users.
2. On the System Users page, click Add.
3. In the Create System User dialog box, in the User Name text box, type a name for the user (for example, johnd).
4. In the Password text box, type a password to assign to the user.
5. In the Confirm Password text box, again type the password that you have typed in the Password text box.
6. Click Create and click Close.

To add a user account using the NetScaler command line

At the NetScaler command prompt, type:
add system user userName

Example
add system user johnd

Changing a User Password

The following table describes the parameter you set to change a user password on the NetScaler.

Parameter : Password
Specifies : The password you assign for the user account.

To change a user password, use either of the following procedures.

To change the user password using the configuration utility

1. In the navigation pane, expand System and click Users.
2. On the System Users page, select the user account for which you want to change the password (for example, johnd) and click Change Password.
3. In the Password text box, type the new password.
4. In the Confirm Password text box, type the new password again.
5. Click OK.

To change the user password using the NetScaler command line

At the NetScaler command prompt, type:
set system user userName newpassword

Example
set system user johnd johnd1

Removing User Accounts

You can remove user accounts if the policy assigned to your account allows you to do so, or if you log in to the nsroot account. The nsroot account cannot be removed.

To remove a user account, use either of the following procedures.

To remove a user account using the configuration utility

1. In the navigation pane, expand System and click Users.
2. On the System Users page, select the user account that you want to remove (for example, johnd).
3. Click Remove. The Remove pop-up window appears.
4. Click Yes.

To remove a user using the NetScaler command line

At the NetScaler command prompt, type:
rm system user userName

Example
rm system user johnd

Defining Groups


To define a group, you first create the group, then bind users to the group.

Adding Groups

The following table describes the parameter you set to create a group.

Parameter : Group Name
Specifies : Name for the group of NetScaler users.

Use either of the following procedures to add a group.

To add a group using the configuration utility

1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, click Add.
3. In the Create System Group dialog box, in the Group Name text box, type a name for the group (for example, Managers).
4. Click Create, and click Close.

To add a group using the NetScaler command line

At the NetScaler command prompt, type:
add system group groupName

Example
add system group Managers

Binding a User to a Group

You can bind each user account to more than one group. Binding user accounts to multiple groups may allow more flexibility when applying command policies. The following table describes the parameter you set to bind a user to a group.

Parameter : User name
Specifies : Name for the NetScaler user to be bound to the group.

To bind a user to a group, use either of the following procedures.

To bind a user to a group using the configuration utility

1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, select a group and click Open.
3. In the Configure System Group dialog box, under the Members section, select the user you want to bind to the group from the Available Users list, and click Add.

To bind a user to a group using the NetScaler command line

At the NetScaler command prompt, type:
bind system group groupName userName

Example
bind system group Managers johnd

Removing Groups

All the users and command policies that are currently bound to the group should be unbound before removing a group.

To remove a group using the configuration utility

1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, select the group that you want to remove (for example, Managers).
3. Click Remove.
4. In the Remove pop-up, click Yes.

To remove a group using the NetScaler command line
rm system group groupName

Example
rm system group Managers

Command Policies


Command policies regulate which commands, command groups, vservers, and other elements NetScaler users and user groups are permitted to use. The NetScaler provides a set of built-in command policies, and you can configure custom policies. To apply the policies, you bind them to users and/or groups.

Here are the key points to keep in mind when defining and applying command policies.

• No global command policies may be created on the NetScaler. Command policies must be bound directly to NetScaler users and groups.

• Users or groups with no associated command policies are subject to the default DENY-ALL command policy, and will therefore be unable to execute any commands until the proper command policies are bound to their accounts.

• All users inherit the policies of the groups to which they belong.

• You must assign a priority to a command policy when you bind it to a user account or group account. This enables the NetScaler to determine which policy has priority when two or more conflicting policies apply to the same user or group.

• The following commands are available by default to any user and are unaffected by any command policies you specify:

help cli, show cli attribute, clear cli prompt, alias, unalias, batch, source, help, history, man, quit, exit, whoami, config, set cli mode, unset cli mode, show cli mode, set cli prompt, and show cli prompt.

Built-in Command Policies

Four default command policies are available on the NetScaler. The following table describes them.

Policy Name : read-only
Allows : Read-only access to all show commands except show runningconfig, show ns.conf, and the show commands for the NetScaler command group.

Policy Name : operator
Allows : Read-only access and access to commands to enable and disable services and servers or place them in ACCESSDOWN mode.

Policy Name : network
Allows : Full access except to NetScaler commands, the shell command, and the show ns.conf and sh runningconfig commands.

Policy Name : superuser
Allows : Full access. Same privileges as the nsroot user.

Creating Custom Command Policies

Regular expression support is offered for users with the resources to maintain more customized expressions and those deployments that require the flexibility that regular expressions offer. For most users, the built-in command policies should be sufficient. Users who need additional levels of control, but are unfamiliar with regular expressions, may want to use only simple expressions, such as those in the examples provided in this section, to maintain policy readability.

When you use a regular expression to create a command policy, keep the following in mind.

• When you use regular expressions to define commands that will be affected by a command policy, you must enclose the commands in double quotes. For example, if you want to create a command policy named allowShow that includes all commands that begin with show, you should type the following:
"^show .*$"

If you want to create a command policy that includes all commands that begin with rm, you should type the following:
DENY "^rm .*$"

• Regular expressions used in command policies are case insensitive.

The following table gives examples of regular expressions:

Command Specification : "^rm\s+.*$"
Matches these Commands : All remove actions, because all remove actions begin with the rm string, followed by a space and additional parameters and flags.

Command Specification : "^show\s+.*$"
Matches these Commands : All show commands, because all show actions begin with the show string, followed by a space and additional parameters and flags.

Command Specification : "^shell$"
Matches these Commands : The shell command alone, but not combined with any other parameters or flags.

Command Specification : "^add\s+vserver\s+.*$"
Matches these Commands : All create a vserver actions, which consist of the add vserver command followed by a space and additional parameters and flags.

Command Specification : "^add\s+(lb\s+vserver)\s+.*"
Matches these Commands : All create an lb vserver actions, which consist of the add lb vserver command followed by a space and additional parameters and flags.

Command Specification : "^set\s+lb\s+.*$"
Matches these Commands : All commands that configure load balancing settings at the command group level.
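
Before binding custom policies, it helps to check offline which rule would decide each command. The following added example (not NetScaler code) applies the key points above: always-available commands, inheritance from groups, priority between conflicting policies, case-insensitive matching and the default DENY-ALL. The bindings and priorities are constructed, Python's re module stands in for the appliance's regular expression engine, and treating the lower priority number as the winner is an assumption.

```python
import re

# Commands the page lists as available to every user, whatever is bound.
ALWAYS_AVAILABLE = (
    "help cli", "show cli attribute", "clear cli prompt", "alias", "unalias",
    "batch", "source", "help", "history", "man", "quit", "exit", "whoami",
    "config", "set cli mode", "unset cli mode", "show cli mode",
    "set cli prompt", "show cli prompt",
)

# Constructed bindings: (priority, action, command specification).
USER_BINDINGS = {
    "johnd": [
        (10, "DENY", r"^rm\s+.*$"),
        (15, "DENY", r"^show\s+ns\.conf$"),
        (20, "DENY", r"^shell$"),
    ],
}
GROUP_BINDINGS = {
    "Managers": [
        (30, "ALLOW", r"^show\s+.*$"),
        (40, "ALLOW", r"^set\s+lb\s+.*$"),
        (50, "ALLOW", r"^add\s+(lb\s+vserver)\s+.*"),
    ],
}
MEMBERS = {"Managers": ["johnd"]}


def effective_bindings(user, user_bindings, group_bindings, members):
    """A user's own bindings plus those inherited from each of their groups."""
    out = list(user_bindings.get(user, []))
    for group, users in members.items():
        if user in users:
            out.extend(group_bindings.get(group, []))
    return out


def decide(command, bindings):
    """Return (action, deciding rule) for one CLI command."""
    cmd = command.strip()
    words = " ".join(cmd.lower().split())
    for phrase in ALWAYS_AVAILABLE:
        if words == phrase or words.startswith(phrase + " "):
            return "ALLOW", "always available"
    # Assumption: the binding with the lowest priority number is tried first.
    for priority, action, spec in sorted(bindings, key=lambda b: b[0]):
        if re.search(spec, cmd, re.IGNORECASE):   # specs are case insensitive
            return action, f"priority {priority}: {spec}"
    return "DENY", "default DENY-ALL"


def review(user, commands):
    """Map each command to the decision for `user` under the sample bindings."""
    bindings = effective_bindings(user, USER_BINDINGS, GROUP_BINDINGS, MEMBERS)
    return {c: decide(c, bindings) for c in commands}


if __name__ == "__main__":
    sample = ["show vlan", "SHOW VLAN", "show ns.conf", "rm system user johnd",
              "shell", "stat vlan 2", "show cli mode", "add vlan 2"]
    for cmd, (action, rule) in review("johnd", sample).items():
        print(f"{action:5} {cmd!r:28} <- {rule}")
```

The deciding rule is returned along with the action so that a review shows when a command is refused only by the default DENY-ALL rather than by the specification written for it, as happens for shell followed by arguments under "^shell$".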

Thursday, 22 September 2016

Configuring Modes of Packet Forwarding

A NetScaler can use the following modes to forward the packets it receives:
• Layer 2 (L2) Mode
• Layer 3 (L3) Mode
• MAC-Based Forwarding Mode

Enabling and Disabling Layer 2 Mode
Layer 2 mode controls the Layer 2 forwarding (bridging) function. You can use this mode to configure a NetScaler to behave as a Layer 2 device and bridge the packets that are not destined for it. When this mode is enabled, packets are not forwarded to any of the MAC addresses, because the packets can arrive on any interface of the NetScaler and each interface has its own MAC address.

With Layer 2 mode disabled (which is the default), a NetScaler drops packets that are not destined for one of its MAC addresses. If another Layer 2 device is installed in parallel with a NetScaler, Layer 2 mode must be disabled to prevent bridging (Layer 2) loops. You can use either of the following procedures to enable Layer 2 mode.

To enable Layer 2 mode using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Select the Layer 2 Mode check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To enable Layer 2 mode using the NetScaler command line
At a NetScaler command prompt, type:
enable ns mode l2

You can use either of the following procedures to disable Layer 2 mode.

To disable Layer 2 mode using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Clear the Layer 2 Mode check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To disable Layer 2 mode using the NetScaler command line
At a NetScaler command prompt, type:
disable ns mode l2

Enabling and Disabling Layer 3 Mode
Layer 3 mode controls the Layer 3 forwarding function. You can use this mode to configure a NetScaler to look at its routing table and forward packets that are not destined for it. With Layer 3 mode enabled (which is the default), a NetScaler performs route table lookups and forwards all packets that are not destined for any NetScaler-owned IP address. If you disable Layer 3 mode, the NetScaler drops these packets. You can use either of the following procedures to enable Layer 3 mode.

To enable Layer 3 mode using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Select the Layer 3 Mode (IP Forwarding) check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To enable Layer 3 mode using the NetScaler command line
At a NetScaler command prompt, type:
enable ns mode l3

You can use either of the following procedures to disable Layer 3 mode.

To disable Layer 3 mode using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Clear the Layer 3 Mode (IP Forwarding) check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To disable Layer 3 mode using the NetScaler command line
At a NetScaler command prompt, type:
disable ns mode l3

Enabling and Disabling MAC-Based Forwarding Mode
You can use MAC-based forwarding to process traffic more efficiently and avoid multiple-route or ARP lookups when forwarding packets, because the NetScaler remembers the MAC address of the source. To avoid multiple lookups, the NetScaler caches the source MAC address of every connection for which it performs an ARP lookup, and it returns the data to the same MAC address.
MAC-based forwarding is useful when you use VPN devices, because the NetScaler ensures that all traffic flowing through a particular VPN passes through the same VPN device.

When MAC-based forwarding is enabled, a NetScaler caches the MAC address of:
• The source (a transmitting device such as a router, firewall, or VPN device) of the inbound connection.
• The server that responds to the requests.

When a server responds through a NetScaler, the NetScaler sets the destination MAC address of the response packet to the cached address, ensuring that the traffic flows in a symmetric manner, and then forwards the response to the client. The process bypasses the route table lookup and ARP lookup functions. However, when a NetScaler initiates a connection, it uses the route and ARP tables for the lookup function. To enable MAC-based forwarding, use either of the following procedures.


To enable MAC-based forwarding using the configuration utility

1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Select the MAC Based Forwarding check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To enable MAC-based forwarding using the NetScaler command line
At a NetScaler command prompt, type:
enable ns mode mbf

Some deployments require the incoming and outgoing paths to flow through different routers. In these situations, MAC-based forwarding breaks the topology design. For a global server load balancing (GSLB) site that requires the incoming and outgoing paths to flow through different routers, you must disable MAC-based forwarding and use the NetScaler unit’s default router as the outgoing router.
With MAC-based forwarding disabled and Layer 2 or Layer 3 connectivity enabled, a route table can specify separate routers for outgoing and incoming connections. To disable MAC-based forwarding, use either of the following procedures.

To disable MAC-based forwarding using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Clear the MAC Based Forwarding check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To disable MAC-based forwarding using the NetScaler command line
At a NetScaler command prompt, type:
disable ns mode mbf
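
The forwarding choice described in this section, for both the enabled and the disabled case, can be followed in a small model. This is an added example, not NetScaler code: the class, the function names, and every IP and MAC address are constructed for illustration.

```python
# Toy model of the forwarding choice; every address and MAC below is constructed.
import ipaddress

class ForwardingModel:
    def __init__(self, mbf, routes, arp):
        self.mbf = mbf                  # True models "enable ns mode mbf"
        self.routes = routes            # {ip_network: next-hop IP}
        self.arp = arp                  # {next-hop IP: MAC}
        self.mac_cache = {}             # {(client_ip, client_port): source MAC}

    def _route_and_arp(self, ip):
        """Longest-prefix route lookup followed by an ARP lookup."""
        addr = ipaddress.ip_address(ip)
        hits = [(net, hop) for net, hop in self.routes.items() if addr in net]
        next_hop = max(hits, key=lambda h: h[0].prefixlen)[1]
        return self.arp[next_hop]

    def inbound(self, flow, src_mac):
        """An inbound packet arrives; with MBF on, remember which device sent it."""
        if self.mbf:
            self.mac_cache.setdefault(flow, src_mac)

    def response_mac(self, flow):
        """Destination MAC for the response travelling back toward the client."""
        if self.mbf and flow in self.mac_cache:
            return self.mac_cache[flow]         # cached MAC, no route/ARP lookup
        return self._route_and_arp(flow[0])     # route table decides the exit

    def initiated_mac(self, dst_ip):
        """Connections the appliance itself opens always use route and ARP tables."""
        return self._route_and_arp(dst_ip)

VPN_A, VPN_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
DEFAULT_ROUTER = "02:00:00:00:00:01"
ROUTES = {ipaddress.ip_network("0.0.0.0/0"): "10.0.0.1"}
ARP = {"10.0.0.1": DEFAULT_ROUTER}

def return_path(mbf):
    """Send two flows in through different VPN devices; report where replies go."""
    ns = ForwardingModel(mbf, ROUTES, ARP)
    flows = {("198.51.100.7", 40001): VPN_A, ("203.0.113.9", 40002): VPN_B}
    for flow, mac in flows.items():
        ns.inbound(flow, mac)
    return [ns.response_mac(flow) for flow in flows]

if __name__ == "__main__":
    print("mbf on :", return_path(True))    # replies return through the ingress device
    print("mbf off:", return_path(False))   # replies follow the route table
```

With the mode on, each reply leaves through the device it arrived from; with it off, both replies go to the default router, which is the behaviour the GSLB topology above depends on.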

Monday, 25 July 2016

Configuring Global Settings

Once you have installed and performed initial configuration, you can configure a number of connection parameters, customizing your NetScaler to match the needs of your network and managed servers.

Configuring HTTP Traffic Ports

This option identifies Web server HTTP ports used by your managed servers and allows the NetScaler to perform request switching for any client request that has a destination port matching a configured port.

The following procedure includes HTTP port 8080 as an example of a port that can be added on the NetScaler. If your managed servers accept HTTP connections on port 8080, clients need to send requests to this port.

To configure HTTP traffic ports

1. In the left pane, expand System and click Settings. The Settings page appears in the right pane.
2. Under Settings, click Change HTTP Parameters. The Configure HTTP Parameters dialog box appears.
3. In HTTP Port Information, in the HTTP Port text box, type the port number, for example, 8080.
4. Click Add, and then click OK. The Configure HTTP Parameters dialog box appears.

Setting the Maximum Connections to Each Server

You can specify a maximum number of connections that a NetScaler is allowed to make to each managed server. For example, if you enter 500 and there are three servers managed by the NetScaler, it will open a maximum of 500 connections to each of these three servers. By default, the NetScaler can create an unlimited number of connections to any of the servers it manages.

To set maximum connections to each server

1. In the left pane, expand System, and click Settings. The Settings page appears in the right pane.
2. Under Settings, click Change HTTP Parameters. The Configure HTTP Parameters dialog box appears.
3. Under Limits, in the Max Connections text box, type the maximum number of connections, for example, 500.
4. Click OK.

Setting the Maximum Requests per Connection

You can set a maximum number of requests that a NetScaler is allowed to send to a managed server over each connection. To specify an unlimited number of requests, set this value to 0.

To set the maximum requests per connection

1. In the left pane, expand System, and click Settings. The Settings page appears in the right pane.
2. Under Settings, click Change HTTP Parameters. The Configure HTTP Parameters dialog box appears.
3. Under Limits, in the Max Requests text box, type the maximum number of requests, for example, 500.
4. Click OK.

Configuring Client IP Address Insertion

When a Web server managed by a NetScaler receives a mapped IP address, the server identifies this mapped IP address as the client’s IP address. Some applications need the client’s IP address for logging purposes or to dynamically determine the content to be served by the web server.

You can enable insertion of the actual client IP address into the header of the HTTP request that is forwarded from the client to one, some, or all servers attached to a NetScaler. You can then access the inserted address through a minor modification to the server (using an Apache module, ISAPI interface, or NSAPI interface).

To enable client IP Address insertion

1. In the left pane, expand System, then click Settings. The Settings page appears in the right pane.
2. Under Global Settings, click HTTP Parameters. The Configure HTTP Parameters dialog box appears.
3. Under Client IP Insertion, select Client IP.
4. Click OK.
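
On the server side, the inserted address should be used only when the request actually arrived from the NetScaler, because a client that reaches the server directly can send the same header itself. The following is an added example, not from the original page or from Citrix: the header name `Client-IP`, the mapped IP `10.0.0.5`, and the function name are assumptions to replace with your own configuration.

```python
# Added example: choose which address to log for a request behind a NetScaler.
import ipaddress

# Assumptions (not from the page): the inserted header's name and the
# appliance's mapped IP address. Both values here are constructed.
CIP_HEADER = "Client-IP"
TRUSTED_PEERS = {ipaddress.ip_address("10.0.0.5")}

def client_address(peer_ip, headers):
    """Return the inserted client IP if the request came through the appliance,
    otherwise the TCP peer address.

    headers is a list of (name, value) pairs so duplicate headers stay visible.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PEERS:
        return str(peer)      # direct connection: the header is client-supplied
    values = [v.strip() for n, v in headers if n.lower() == CIP_HEADER.lower()]
    if len(values) != 1:
        return str(peer)      # missing or duplicated header: do not guess
    try:
        return str(ipaddress.ip_address(values[0]))
    except ValueError:
        return str(peer)      # value is not one well-formed IP address

# Constructed sample requests: (TCP peer, header list).
SAMPLES = [
    ("10.0.0.5",   [("Host", "app.example"), ("Client-IP", "198.51.100.7")]),
    ("192.0.2.44", [("Host", "app.example"), ("Client-IP", "198.51.100.7")]),
    ("10.0.0.5",   [("Client-IP", "198.51.100.7"), ("Client-IP", "203.0.113.9")]),
    ("10.0.0.5",   [("Client-IP", "not-an-address")]),
]

def resolve_samples():
    """Resolve every sample request to the address that would be logged."""
    return [client_address(peer, hdrs) for peer, hdrs in SAMPLES]

if __name__ == "__main__":
    for (peer, _), logged in zip(SAMPLES, resolve_samples()):
        print(f"peer={peer:<12} logged={logged}")
```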

Setting HTTP Cookie Version

A NetScaler sends its own cookie when COOKIEINSERT persistence is configured on a virtual server. The NetScaler can send either a version 0 or a version 1 HTTP cookie. By default, it uses HTTP cookie version 0, which is the most common type on the Internet. In the following example, you set the HTTP cookie to version 1.

To set HTTP cookie version 1

1. In the left pane, expand System, then click Settings. The Settings page appears in the right pane.
2. Under Settings, click Change HTTP Parameters. The Configure HTTP Parameters dialog box appears.
3. Under Cookie Version, select Version 1.
4. Click OK.

Setting FTP Port Range

A NetScaler can be configured to open FTP connections on a controlled range of ports instead of ephemeral ports for data connections. This improves security, because opening all ports on the firewall is insecure. You can set the range anywhere from 1024 to 64000.

To set FTP port range

1. In the left pane, expand System, and click Settings. The Settings page appears in the right pane.
2. Under Settings, click Change HTTP Parameters. The Configure Global Settings dialog box appears.
3. Under FTP Port Range, in the Start Port and End Port text boxes, type the lowest and highest port number, respectively, in the range you are specifying, for example, 5000 and 6000.
4. Click OK.