Thursday, 15 December 2016

Load Balancing Traffic on a Citrix NetScaler

Load balancing improves server fault tolerance and end-user response time. This chapter lists the basic and a few advanced settings that you can configure.

In This Chapter
How Load Balancing Works

Configuring Load Balancing

How Load Balancing Works
The load balancing feature distributes client requests across multiple servers to optimize resource utilization. In a real-world scenario with a limited number of servers providing service to a large number of clients, a server can become overloaded and degrade server performance. A NetScaler uses load balancing criteria to prevent bottlenecks by forwarding each client request to the server best suited to handle the request when it arrives.

To configure load balancing, you define a virtual server (vserver) to proxy multiple servers in a server farm and balance the load among them. When a client initiates a connection to the server, the vserver terminates the client connection and initiates a new connection with the selected server to perform load balancing. The load balancing feature provides traffic management from Layer 4 (TCP and UDP) through Layer 7 (FTP, HTTP, and HTTPS).

The NetScaler uses a number of algorithms, called load balancing methods, to determine how to distribute the load among the servers. The default load balancing method is the Least Connections method.

The entities that you must configure in a typical load balancing setup are:
• Vserver. An entity that is represented by an IP address, a port, and a protocol. The vserver IP address (VIP) is usually a public IP address. The client sends connection requests to this IP address. The vserver represents a bank of servers.

• Service. An entity that is represented by an IP address, a port, and a protocol. A service is a logical representation of a server or an application running on a server. The services are bound to the vservers.

• Server object. An entity that is represented by an IP address. The server object is created when you create a service. The IP address of the service is taken as the name of the server object. You can also create a server object and then create services by using the server object.

• Monitor. An entity that tracks the health of the services. The NetScaler periodically probes the servers using the monitor bound to each service. If a server does not respond within a specified response timeout, and the specified number of probes fails, the service is marked DOWN. The NetScaler then performs load balancing among the remaining services.

To configure load balancing, you must first create services. Then, you must create vservers and bind services to the vservers. By default, the NetScaler binds a monitor to each service. You can also assign weights to a service. The load balancing method uses the assigned weight to select a service.

Understanding Persistence
You must configure persistence on a vserver if you want to maintain the states of connections on the servers represented by that vserver (for example, connections used in e-commerce). The NetScaler then uses the configured load balancing method for the initial selection of a server, but forwards to that same server all subsequent requests from the same client.

If persistence is configured, it overrides the load balancing methods once the server has been selected. If the configured persistence applies to a service that is down, the NetScaler uses the load balancing methods to select a new service, and the new service becomes persistent for subsequent requests from the client. If the selected service is in an Out Of Service state, it continues to serve the outstanding requests but does not accept new requests or connections. After the shutdown period elapses, no new requests or connections are directed to the service and the existing connections are closed.

If the configured persistence cannot be maintained because of lack of resources on a NetScaler, the load balancing methods are used for server selection. Persistence is maintained for a configured period of time, depending on the persistence type. Some persistence types are specific to certain vservers.

persistence on the group, the client requests are directed to the same selected server regardless of which vserver in the group receives the client request. When the configured time for persistence elapses, any vserver in the group can be selected for incoming client requests.
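The selection rules described in this section (monitor probes marking a service DOWN, Least Connections for the first request, persistence for later requests, and reselection when the persistent service is DOWN) can be traced in a small model. This is an added example, not NetScaler code; the service names, the probe count of 3, the 120-second timeout, and the choice to restart the persistence timer on every request are assumptions.

```python
class VServer:
    """Toy model of one load balancing vserver and its bound services."""

    def __init__(self, services, persistence_timeout, retries=3):
        # Every service starts UP with no failed probes and no connections.
        self.state = {n: {"up": True, "failed": 0, "active": 0} for n in services}
        self.persistence_timeout = persistence_timeout
        self.retries = retries          # failed probes needed to mark DOWN
        self.sessions = {}              # client -> (service, expiry time)

    def probe(self, service, responded):
        """Record one monitor probe; DOWN after `retries` consecutive failures."""
        s = self.state[service]
        s["failed"] = 0 if responded else s["failed"] + 1
        s["up"] = s["failed"] < self.retries

    def _least_connections(self):
        up = [n for n, s in self.state.items() if s["up"]]
        if not up:
            raise RuntimeError("no service is UP")
        # Fewest active connections wins; the name breaks ties deterministically.
        return min(up, key=lambda n: (self.state[n]["active"], n))

    def select(self, client, now):
        """Pick the service for one new connection from `client` at time `now`."""
        entry = self.sessions.get(client)
        if entry and entry[1] > now and self.state[entry[0]]["up"]:
            chosen = entry[0]                    # persistence overrides the method
        else:
            chosen = self._least_connections()   # first request, expiry, or DOWN
        # Assumption: the persistence timer restarts on every request.
        self.sessions[client] = (chosen, now + self.persistence_timeout)
        self.state[chosen]["active"] += 1        # connections stay open in this model
        return chosen


def run_demo():
    vs = VServer(["svc1", "svc2", "svc3"], persistence_timeout=120)
    picks = [
        vs.select("clientA", now=0),    # all idle: svc1
        vs.select("clientB", now=1),    # svc1 has one connection: svc2
        vs.select("clientA", now=10),   # persistent: svc1, although svc3 is idle
    ]
    for _ in range(3):                  # three failed probes mark svc1 DOWN
        vs.probe("svc1", responded=False)
    picks.append(vs.select("clientA", now=20))   # reselected: svc3
    vs.probe("svc1", responded=True)             # svc1 is UP again
    picks.append(vs.select("clientA", now=30))   # stays on svc3 (new persistence)
    picks.append(vs.select("clientA", now=200))  # persistence expired: svc2
    return picks


if __name__ == "__main__":
    print(run_demo())
```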

Thursday, 13 October 2016

Configuring SNMP Alarms


This section includes procedures for configuring SNMP alarms. It covers the following topics:
• Enabling an SNMP Alarm
• Setting the Severity of the SNMP Alarm

Enabling an SNMP Alarm
After you enable an SNMP alarm, the NetScaler generates trap messages when certain events occur. Some alarms are enabled by default.

To enable an alarm using the configuration utility
1. In the navigation pane, expand System, expand SNMP, and click Alarms. The Alarms page appears in the details pane.
2. On the Alarms page, select a disabled SNMP alarm that you want to enable, for example, LOGIN-FAILURE.
3. Click Enable.
To enable alarms using the NetScaler command line
At a NetScaler command prompt, type:
set snmp alarm LOGIN-FAILURE -state ENABLED

Setting the Severity of an SNMP Alarm
There are five severity types (tags): Critical, Major, Minor, Warning, and Informational. A trap is sent only when the severity of the alarm matches the severity specified for the trap.

To set the severity of the alarm using the configuration utility
1. In the navigation pane, expand System, expand SNMP, and click Alarms. The SNMP Alarms page appears in the details pane.
2. Select the alarm for which you want to set the severity, for example, LOGIN-FAILURE.
3. Click Open. The Configure SNMP Alarm dialog box appears.
4. In Severity, select a severity option, for example, Major.
5. Click OK.
To set the severity of the alarm using the NetScaler command line
At a NetScaler command prompt, type:
set snmp alarm LOGIN-FAILURE -severity Major

Disabling an SNMP Alarm
If you disable an SNMP alarm, the NetScaler will not generate trap messages when corresponding events occur. For example, if you disable the Login-Failure SNMP alarm, the NetScaler will not generate a trap message when a login failure occurs.

To disable an SNMP alarm using the configuration utility
1. In the navigation pane, expand System, click SNMP, and click Alarms. The Alarms page appears in the details pane.
2. In the Alarms page, select an SNMP alarm that you want to disable, for example, LOGIN-FAILURE.
3. Click Disable.
To disable an SNMP alarm using the NetScaler command line
At a NetScaler command prompt, type:
set snmp alarm LOGIN-FAILURE -state DISABLED

Configuring Syslog

You can customize logging of NetScaler and Access Gateway Enterprise Edition access events for the needs of your site. You can direct these logs either to files on the NetScaler or to external log servers. The NetScaler uses the Audit Server Logging feature for logging the states and status information collected by different modules in the kernel and by user-level daemons. For more information about the Audit Server Logging feature, see the “Audit Server Logging” chapter in Citrix NetScaler Administration Guide.

Syslog is used to monitor a NetScaler and log connections, statistics, and so on. You can customize the two logging functions for system events messaging and syslog. The NetScaler’s internal event message generator passes log entries to the syslog server. The syslog server accepts these log entries and logs them.

Friday, 7 October 2016

Adding a Name Server

You can add, remove, enable, and disable external name servers. You can create a name server by specifying its IP address, or you can configure an existing vserver as the name server.

When adding name servers, you can specify IP addresses or virtual IP addresses (VIPs). If you use IP addresses, the NetScaler load balances requests to the configured name servers in a round robin manner. If you use VIPs, you can specify any load balancing method. Use either of the following procedures to add a name server. (The examples use an IP address. For information about using a VIP, see the “Domain Name System” chapter in Citrix NetScaler Traffic Management Guide.)

To add a name server using the configuration utility
1. In the navigation pane, expand DNS and click Name Servers. The Name Servers page appears in the details pane.
2. Click Add. The Create Name Server dialog box appears.
3. Select the IP Address radio button.
4. In the IP Address text box, type the IP address of the name server, for example, 10.102.29.10. When you are adding an external name server, clear the Local check box.
5. Click Create, and click Close. The name server that you added appears in the Name Servers page.

To add a name server using the NetScaler command line
At a NetScaler command prompt, type:
add dns nameServer 10.102.29.10

Verifying the Configuration
To verify the configuration, you need to view the properties of the name servers. These properties (state, effective state, and so on) can be used as a basis for troubleshooting any fault in the configuration. Use either of the following procedures to view the properties of a name server.

To view the properties of a name server using the configuration utility
1. In the navigation pane, expand DNS and click Name Servers. The Name Servers page appears in the details pane. The details of the available Name Servers appear on this page.
2. Verify that the configured name server (for example 10.102.29.10) appears.
3. Select the IP address or VIP that you assigned and, in the Details section, verify that the parameters displayed are correctly configured.

To view the properties of a name server using the NetScaler command line
At a NetScaler command prompt, type:
show dns nameServer

Configuring SNMP
The Simple Network Management Protocol (SNMP) network management application queries the SNMP agent on the NetScaler. The agent searches the management information base (MIB) for data requested by the network management application and sends the data to the application.

To configure SNMP monitoring of a NetScaler, you set up traps and alarms. SNMP traps are asynchronous events that the agent generates to signal abnormal conditions. For example, if you want to be informed when CPU utilization is above 90 percent, you can enable traps and set up an alarm for that condition. The following conceptual diagram illustrates a network with a NetScaler that has SNMP enabled and configured.

The SNMP agent on a NetScaler supports SNMP version 1 (SNMPv1), SNMP version 2 (SNMPv2), and SNMP version 3 (SNMPv3). Because it operates in bilingual mode, the agent can handle SNMPv2 queries, such as Get-Bulk, and SNMPv1 queries. The SNMP agent also sends traps compliant with SNMPv2 and supports SNMPv2 data types, such as counter64. SNMPv1 managers (programs on other servers that request SNMP information from the NetScaler) use the NS-MIB-smiv1.mib file when processing SNMP queries. SNMPv2 managers use the NS-MIB-smiv2.mib file.

The NetScaler supports the following enterprise-specific MIBs:
• A subset of standard MIB-2 groups. Provides MIB-2 groups SYSTEM, IF, ICMP, UDP, and SNMP.
• A system enterprise MIB. Provides system-specific configuration and statistics.

Note: Procedures in this section include IP addresses and other settings as examples that you can use in your initial configuration.

Adding SNMP Managers
You can configure a workstation running a management application that complies with SNMP version 1, 2, or 3 to access a NetScaler. Such a workstation is called an SNMP manager. If you do not configure an SNMP manager, the NetScaler accepts and responds to SNMP queries from all IP addresses on the network. If you configure one or more SNMP managers, the NetScaler accepts and responds to SNMP queries from only those specific IP addresses. When specifying the IP address of an SNMP manager, you can use the netmask parameter to grant access from entire subnets. You can add a maximum of 100 SNMP managers or networks.

To add an SNMP manager using the configuration utility
1. In the navigation pane, expand System, expand SNMP, and click Managers. The Managers page appears on the details pane.
2. Click Add. The Add SNMP Manager dialog box appears.
3. In the IP Address text box, type the IP address, for example, 10.102.29.5.
4. Click Create and click Close.

To add an SNMP manager using the NetScaler command line
At a NetScaler command prompt, type:
add snmp manager 10.102.29.5 -netmask 255.255.255.255

Adding SNMP Traps
You can use either of the procedures described in this section to set the NetScaler to send traps to a specified destination.

To add an SNMP trap using the configuration utility
1. In the navigation pane, expand System, expand SNMP, and click Traps. The Traps page appears in the details pane.
2. Click Add. The Add SNMP Trap Destination dialog box appears.
3. In the Destination IP Address text box, type the IP address, for example, 10.102.29.3.
4. Click Create and click Close.

To add an SNMP trap using the NetScaler command line
At a NetScaler command prompt, type:
add snmp trap specific 10.102.29.3
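The manager access rule above (no managers configured means queries from any address are answered), together with the trap destination and the LOGIN-FAILURE alarm state, can be checked offline against a list of configuration commands. This is an added example, not Citrix tooling; it assumes the input uses the command syntax shown on this page, that an omitted -netmask means a single host, and that /24 is the narrowest prefix worth flagging. The sample configuration is constructed.

```python
import ipaddress

# Constructed sample: commands in the syntax used on this page.
SAMPLE_CONFIG = """\
add snmp manager 10.102.29.5 -netmask 255.255.255.255
add snmp manager 10.102.0.0 -netmask 255.255.0.0
add snmp trap specific 10.102.29.3
set snmp alarm LOGIN-FAILURE -state DISABLED
set snmp alarm LOGIN-FAILURE -severity Major
"""


def _options(tokens):
    """Turn ['-state', 'ENABLED', ...] into {'state': 'ENABLED', ...}."""
    return {tokens[i].lstrip("-").lower(): tokens[i + 1]
            for i in range(0, len(tokens) - 1, 2) if tokens[i].startswith("-")}


def parse_snmp(config_text):
    """Collect SNMP managers, trap destinations and alarm settings."""
    cfg = {"managers": [], "traps": [], "alarms": {}}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 4 or t[1].lower() != "snmp":
            continue
        verb, kind = t[0].lower(), t[2].lower()
        if verb == "add" and kind == "manager":
            # Assumption: a missing -netmask means one host.
            mask = _options(t[4:]).get("netmask", "255.255.255.255")
            cfg["managers"].append(
                ipaddress.ip_network(f"{t[3]}/{mask}", strict=False))
        elif verb == "add" and kind == "trap" and len(t) >= 5:
            cfg["traps"].append((t[3].lower(), t[4]))
        elif verb == "set" and kind == "alarm":
            # Later set commands for the same alarm override earlier ones.
            cfg["alarms"].setdefault(t[3].upper(), {}).update(_options(t[4:]))
    return cfg


def query_accepted(cfg, source_ip):
    """Page rule: with no managers configured, every source is answered."""
    if not cfg["managers"]:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in cfg["managers"])


def audit(cfg, min_prefix=24, required_alarms=("LOGIN-FAILURE",)):
    """Return human-readable findings for the parsed SNMP configuration."""
    findings = []
    if not cfg["managers"]:
        findings.append("no SNMP manager configured: queries accepted from any address")
    for net in cfg["managers"]:
        if net.prefixlen < min_prefix:
            findings.append(f"manager entry {net} covers {net.num_addresses} addresses")
    if not cfg["traps"]:
        findings.append("no trap destination configured")
    for name in required_alarms:
        state = cfg["alarms"].get(name, {}).get("state", "").upper()
        if state != "ENABLED":
            findings.append(f"alarm {name} is not explicitly ENABLED")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_snmp(SAMPLE_CONFIG)):
        print(finding)
```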

Friday, 30 September 2016

Configuring Virtual LANs

The NetScaler supports (Layer 2) port and IEEE 802.1Q tagged virtual LANs (VLANs). VLAN configurations are useful when you need to restrict traffic to certain groups of stations. You can configure a network interface to belong to multiple VLANs using IEEE 802.1Q tagging.

You can bind your configured VLANs to IP subnets. The NetScaler (if it is configured as the default router for the hosts on the subnets) then performs IP forwarding between these VLANs. A NetScaler supports the following types of VLANs.

• Default VLAN. By default, the network interfaces on a NetScaler are included in a single, port-based VLAN as untagged network interfaces. This default VLAN has a VID of 1 and exists permanently. It cannot be deleted, and its VID cannot be changed.

• Port-Based VLANs. A set of network interfaces that share a common, exclusive, Layer 2 broadcast domain define the membership of a port-based VLAN. You can configure multiple port-based VLANs.

• Tagged VLAN. A network interface can be a tagged or untagged member of a VLAN. Each network interface is an untagged member of only one VLAN (its native VLAN). The untagged network interface forwards the frames for the native VLAN as untagged frames. A tagged network interface can be a part of more than one VLAN. When you configure tagging, be sure that both ends of the link have matching VLAN settings. You can use the configuration utility to define a tagged VLAN (nsvlan) that can have any ports bound as tagged members of the VLAN. Configuring this VLAN requires a reboot of the NetScaler and therefore must be done during initial network configuration.

Note: The VLAN configuration is neither synchronized nor propagated. You must perform the configuration on each unit in a high availability (HA) pair independently. The best practice is to set the VLAN ID for an NSIP to 1.

Creating a VLAN
You can implement VLANs in the following environments:
• Single subnet
• Multiple subnets
• Single LAN
• VLANs (no tagging)
• VLANs (802.1q tagging)
You can use either of the following procedures to create a VLAN.

To create a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs. The VLANs page appears in the details pane.
2. Click Add. The Add VLAN dialog box appears.
3. In the VLAN Id text box, type the ID of the VLAN, for example, 2.
4. Click Create and click Close. The VLAN you added appears in the VLANs page.

To create a VLAN using the NetScaler command line
At a NetScaler command prompt, type:
add vlan 2

For more information about VLANs, see the Citrix NetScaler Networking Guide. When you create VLANs that have only untagged network interfaces as their members, the total number of possible VLANs is limited to the number of network interfaces available on the NetScaler. If more IP subnets are required with a VLAN configuration, 802.1q tagging must be used.

Binding a Network Interface to a VLAN
You can use either of the following procedures to bind a network interface to a VLAN.

To bind a network interface to a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs. The VLANs page appears in the details pane.
2. Select the VLAN to which you want to bind the interface, for example, 2.
3. Click Open. The Modify VLAN dialog box appears.
4. Under Interfaces, select the Active check box corresponding to the network interface that you want to bind to the VLAN, for example, 1/8.
5. Click OK.

To bind a network interface to a VLAN using the NetScaler command line
At a NetScaler command prompt, type:
bind vlan 2 -ifnum 1/8

Verifying the Configuration
Viewing the configuration enables you to troubleshoot any problem in the configuration.

Viewing the Properties of VLANs
You can view properties such as VLAN ID, members, and tagging of the configured VLANs. You can use either of the following procedures to view the properties of the VLANs.

To view the properties of VLANs using the configuration utility
1. In the navigation pane, expand Network and click VLANs. The VLANs page appears in the details pane. The details of the available VLANs appear on this page.
2. Verify that the configured VLAN (with ID 2 if you used the example in the previous procedure) appears.
3. Select the configured VLAN and, in the Details section, verify that the parameters displayed are correctly configured.

To view the properties of VLANs using the NetScaler command line
At a NetScaler command prompt, type:
show vlan

Viewing the Statistics of a VLAN
You can view statistics such as packets received, bytes received, packets sent, and bytes sent of configured VLANs. You can use the statistics to monitor a VLAN and debug problems. You can use either of the following procedures to view the statistics of a VLAN.

To view the statistics of a VLAN using the configuration utility
1. In the navigation pane, expand Network and click VLANs. The VLANs page appears in the details pane.
2. Select the VLAN whose statistics you want to view, for example, 2.
3. Click Statistics. The VLAN Statistics dialog box appears.

To view the statistics of a VLAN using the NetScaler command line
At a NetScaler command prompt, type:
stat vlan 2

Thursday, 29 September 2016

Citrix NetScaler Authentication and Authorization



NetScaler authentication and authorization functions are of two basic types. The users and groups functions allow you to define who has access to the NetScaler. Command policies allow you to define what parts of the NetScaler configuration a user or group is permitted to access and modify. In other words, command policies regulate which commands, command groups, and other elements NetScaler users and groups are permitted to use.

To configure authentication and authorization, you first define the users who have access to the NetScaler. After you have defined the users, you can organize them into groups. You then configure command policies to define the types of access, and assign the policies to users and/or groups.

In This Chapter

Defining Users
Defining Groups
Command Policies

Defining Users


Once you have changed the default password, no user can access the NetScaler until you create an account for that user. After you have defined your users by creating accounts for them, you might have to change passwords or remove user accounts.

Creating a User Account

To create a user account, you simply assign a user name and password. You use the parameters described in the following table.

Parameter: Specifies
• User Name: Name that the user enters to request access.
• Password: Password that the user enters to request access.

To create a user account, use either of the following procedures.

To add a user account using the configuration utility

1. In the navigation pane, expand System and click Users.
2. On the System Users page, click Add.
3. In the Create System User dialog box, in the User Name text box, type a name for the user (for example, johnd).
4. In the Password text box, type a password to assign to the user.
5. In the Confirm Password text box, again type the password that you have typed in the Password text box.
6. Click Create and click Close.

To add a user account using the NetScaler command line

At the NetScaler command prompt, type:
add system user userName

Example
add system user johnd

Changing a User Password

The following table describes the parameter you set to change a user password on the NetScaler.

Parameter: Specifies
• Password: The password you assign for the user account.

To change a user password, use either of the following procedures.

To change the user password using the configuration utility

1. In the navigation pane, expand System and click Users.
2. On the System Users page, select the user account for which you want to change the password (for example, johnd) and click Change Password.
3. In the Password text box, type the new password.
4. In the Confirm Password text box, type the new password again.
5. Click OK.

To change the user password using the NetScaler command line

At the NetScaler command prompt, type:

set system user userName newpassword

Example
set system user johnd johnd1

Removing User Accounts

You can remove user accounts if the policy assigned to your account allows you to do so, or if you log in to the nsroot account. The nsroot account cannot be removed.

To remove a user account, use either of the following procedures.

To remove a user account using the configuration utility

1. In the navigation pane, expand System and click Users.
2. On the System Users page, select the user account that you want to remove (for example, johnd).
3. Click Remove. The Remove pop-up window appears.
4. Click Yes.

To remove a user using the NetScaler command line

At the NetScaler command prompt, type:
rm system user userName

Example
rm system user johnd

Defining Groups


To define a group, you first create the group, then bind users to the group.

Adding Groups

The following table describes the parameter you set to create a group.

Parameter: Specifies
• Group Name: Name for the group of NetScaler users.

Use either of the following procedures to add a group.

To add a group using the configuration utility

1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, click Add.
3. In the Create System Group dialog box, in the Group Name text box, type a name for the group (for example, Managers).
4. Click Create, and click Close.

To add a group using the NetScaler command line

At the NetScaler command prompt, type:
add system group groupName

Example
add system group Managers

Binding a User to a Group

You can bind each user account to more than one group. Binding user accounts to multiple groups may allow more flexibility when applying command policies. The following table describes the parameter you set to bind a user to a group.

Parameter: Specifies
• User name: Name for the NetScaler user to be bound to the group.

To bind a user to a group, use either of the following procedures.

To bind a user to a group using the configuration utility

1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, select a group and click Open.
3. In the Configure System Group dialog box, under Members section, select a user you want to bind to the group, from the Available Users list and click Add.

To bind a user to a group using the NetScaler command line

At the NetScaler command prompt, type:
bind system group groupName userName

Example
bind system group Managers johnd

Removing Groups

All the users and command policies that are currently bound to the group should be unbound before removing a group.

To remove a group using the configuration utility

1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, select the group that you want to remove (for example, Managers).
3. Click Remove.
4. In the Remove pop-up, click Yes.

To remove a group using the NetScaler command line
rm system group groupName

Example
rm system group Managers

Command Policies


Command policies regulate which commands, command groups, vservers, and other elements NetScaler users and user groups are permitted to use. The NetScaler provides a set of built-in command policies, and you can configure custom policies. To apply the policies, you bind them to users and/or groups.

Here are the key points to keep in mind when defining and applying command policies.

• No global command policies may be created on the NetScaler. Command policies must be bound directly to NetScaler users and groups.

• Users or groups with no associated command policies are subject to the default DENY-ALL command policy, and will therefore be unable to execute any commands until the proper command policies are bound to their accounts.

• All users inherit the policies of the groups to which they belong.

• You must assign a priority to a command policy when you bind it to a user account or group account. This enables the NetScaler to determine which policy has priority when two or more conflicting policies apply to the same user or group.

• The following commands are available by default to any user and are unaffected by any command policies you specify:

help cli, show cli attribute, clear cli prompt, alias, unalias, batch, source, help, history, man, quit, exit, whoami, config, set cli mode, unset cli mode, show cli mode, set cli prompt, and show cli prompt.

Built-in Command Policies

Four default command policies are available on the NetScaler. The following table describes them.

Policy Name: Allows
• read-only: Read-only access to all show commands except show runningconfig, show ns.conf, and the show commands for the NetScaler command group.
• operator: Read-only access and access to commands to enable and disable services and servers or place them in ACCESSDOWN mode.
• network: Full access except to NetScaler commands, the shell command, and the show ns.conf and sh runningconfig commands.
• superuser: Full access. Same privileges as the nsroot user.

Creating Custom Command Policies

Regular expression support is offered for users with the resources to maintain more customized expressions and those deployments that require the flexibility that regular expressions offer. For most users, the built-in command policies should be sufficient. Users who need additional levels of control, but are unfamiliar with regular expressions, may want to use only simple expressions, such as those in the examples provided in this section, to maintain policy readability.

When you use a regular expression to create a command policy, keep the following in mind.

• When you use regular expressions to define commands that will be affected by a command policy, you must enclose the commands in double quotes. For example, if you want to create a command policy named allowShow that includes all commands that begin with show, you should type the following:
"^show .*$"

If you want to create a command policy that includes all commands that begin with rm, you should type the following:
DENY "^rm .*$"

• Regular expressions used in command policies are case insensitive.

The following table gives examples of regular expressions:

Command Specification: Matches these Commands
• "^rm\s+.*$": All remove actions, because all remove actions begin with the rm string, followed by a space and additional parameters and flags.
• "^show\s+.*$": All show commands, because all show actions begin with the show string, followed by a space and additional parameters and flags.
• "^shell$": The shell command alone, but not combined with any other parameters or flags.
• "^add\s+vserver\s+.*$": All create a vserver actions, which consist of the add vserver command followed by a space and additional parameters and flags.
• "^add\s+(lb\s+vserver)\s+.*": All create an lb vserver actions, which consist of the add lb vserver command followed by a space and additional parameters and flags.
• "^set\s+lb\s+.*$": All commands that configure load balancing settings at the command group level.
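Before binding a custom policy, it helps to run its expressions against the commands you expect it to allow or deny. The following added example (not Citrix code) models the rules from this section: group inheritance, priority, case-insensitive matching, the always-available commands, and the default DENY-ALL. It assumes the lowest priority number is evaluated first and that the first matching binding decides; the catch-all ALLOW binding, the probe commands, and the address 10.102.29.50 are constructed.

```python
import re
from collections import namedtuple

# Commands the page lists as available to every user regardless of policy.
ALWAYS_AVAILABLE = (
    "help cli", "show cli attribute", "clear cli prompt", "alias", "unalias",
    "batch", "source", "help", "history", "man", "quit", "exit", "whoami",
    "config", "set cli mode", "unset cli mode", "show cli mode",
    "set cli prompt", "show cli prompt",
)

# priority: assumption, lowest number is evaluated first
# action:   "ALLOW" or "DENY"
# cmdspec:  regular expression of the command policy
Binding = namedtuple("Binding", "priority action cmdspec")


def effective_bindings(user, user_bindings, group_bindings, memberships):
    """A user's own bindings plus those inherited from every group."""
    found = list(user_bindings.get(user, []))
    for group in memberships.get(user, []):
        found.extend(group_bindings.get(group, []))
    return sorted(found, key=lambda b: b.priority)


def decide(command, bindings):
    """Return (action, reason) for one command line."""
    cmd = command.strip()
    low = cmd.lower()
    if any(low == a or low.startswith(a + " ") for a in ALWAYS_AVAILABLE):
        return "ALLOW", "always available"
    for b in sorted(bindings, key=lambda b: b.priority):
        if re.search(b.cmdspec, cmd, re.IGNORECASE):   # case insensitive
            return b.action, b.cmdspec
    return "DENY", "default DENY-ALL"                  # nothing matched


def allowed(commands, bindings):
    return [c for c in commands if decide(c, bindings)[0] == "ALLOW"]


def harden(bindings):
    """Swap the exact-match shell rule for one that also covers arguments."""
    return [Binding(b.priority, b.action, r"^shell(\s+.*)?$")
            if b.cmdspec == r"^shell$" else b for b in bindings]


# Constructed sample: johnd inherits the Managers bindings.
MEMBERSHIPS = {"johnd": ["Managers"]}
GROUP_BINDINGS = {"Managers": [
    Binding(10, "DENY", r"^shell$"),
    Binding(20, "DENY", r"^rm\s+.*$"),
    Binding(100, "ALLOW", r".*"),      # constructed catch-all, not from the page
]}
USER_BINDINGS = {"johnd": [Binding(5, "DENY", r"^add\s+(lb\s+vserver)\s+.*")]}

PROBES = ["show vlan", "add vlan 2", "add lb vserver v1 HTTP 10.102.29.50 80",
          "rm vlan 2", "RM VLAN 2", "shell", "shell ls", "whoami"]

if __name__ == "__main__":
    johnd = effective_bindings("johnd", USER_BINDINGS, GROUP_BINDINGS, MEMBERSHIPS)
    for cmd in PROBES:
        print(f"{cmd!r:45} {decide(cmd, johnd)}")
    # "^shell$" leaves "shell ls" to the catch-all; the widened rule closes that.
    print("allowed after hardening:", allowed(PROBES, harden(johnd)))
```

In the sample, a DENY on "^shell$" placed ahead of a broad ALLOW still lets a shell command with arguments through, which is the behaviour the table describes for that expression.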

Thursday, 22 September 2016

Configuring Modes of Packet Forwarding

A NetScaler can use the following modes to forward the packets it receives:
• Layer 2 (L2) Mode
• Layer 3 (L3) Mode
• MAC-Based Forwarding Mode

Enabling and Disabling Layer 2 Mode
Layer 2 mode controls the Layer 2 forwarding (bridging) function. You can use this mode to configure a NetScaler to behave as a Layer 2 device and bridge the packets that are not destined for it. When this mode is enabled, packets are not forwarded to any of the MAC addresses, because the packets can arrive on any interface of the NetScaler and each interface has its own MAC address.

With Layer 2 mode disabled (which is the default), a NetScaler drops packets that are not destined for one of its MAC addresses. If another Layer 2 device is installed in parallel with a NetScaler, Layer 2 mode must be disabled to prevent bridging (Layer 2) loops. You can use either of the following procedures to enable Layer 2 mode.

To enable Layer 2 mode using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Select the Layer 2 Mode check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To enable Layer 2 mode using the NetScaler command line
At a NetScaler command prompt, type:
enable ns mode l2

You can use either of the following procedures to disable Layer 2 mode.

To disable Layer 2 mode using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Clear the Layer 2 Mode check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To disable Layer 2 mode using the NetScaler command line
At a NetScaler command prompt, type:

Enabling and Disabling Layer 3 Mode
Layer 3 mode controls the Layer 3 forwarding function. You can use this mode to configure a NetScaler to look at its routing table and forward packets that are not destined for it. With Layer 3 mode enabled (which is the default), a NetScaler performs route table lookups and forwards all packets that are not destined for any NetScaler-owned IP address. If you disable Layer 3 mode, the NetScaler drops these packets. You can use either of the following procedures to enable Layer 3 mode.

To enable Layer 3 mode using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Select the Layer 3 Mode (IP Forwarding) check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To enable Layer 3 mode using the NetScaler command line
At a NetScaler command prompt, type:
enable ns mode l3

You can use either of the following procedures to disable Layer 3 mode.

To disable Layer 3 mode using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Clear the Layer 3 Mode (IP Forwarding) check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To disable Layer 3 mode using the NetScaler command line
At a NetScaler command prompt, type:
disable ns mode l3

Enabling and Disabling MAC-Based Forwarding Mode
You can use MAC-based forwarding to process traffic more efficiently and avoid multiple-route or ARP lookups when forwarding packets, because the NetScaler remembers the MAC address of the source. To avoid multiple lookups, the NetScaler caches the source MAC address of every connection for which it performs an ARP lookup, and it returns the data to the same MAC address.
MAC-based forwarding is useful when you use VPN devices, because the NetScaler ensures that all traffic flowing through a particular VPN passes through the same VPN device.

When MAC-based forwarding is enabled, a NetScaler caches the MAC address of:
• The source (a transmitting device such as a router, firewall, or VPN device) of the inbound connection.
• The server that responds to the requests.

When a server responds through a NetScaler, the NetScaler sets the destination MAC address of the response packet to the cached address, ensuring that the traffic flows in a symmetric manner, and then forwards the response to the client. The process bypasses the route table lookup and ARP lookup functions. However, when a NetScaler initiates a connection, it uses the route and ARP tables for the lookup function. To enable MAC-based forwarding, use either of the following procedures.


To enable MAC-based forwarding using the configuration utility

1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Select the MAC Based Forwarding check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To enable MAC-based forwarding using the NetScaler command line
At a NetScaler command prompt, type: enable ns mode mbf

Some deployments require the incoming and outgoing paths to flow through different routers. In these situations, MAC-based forwarding breaks the topology design. For a global server load balancing (GSLB) site that requires the incoming and outgoing paths to flow through different routers, you must disable MAC-based forwarding and use the NetScaler unit’s default router as the outgoing router.
With MAC-based forwarding disabled and Layer 2 or Layer 3 connectivity enabled, a route table can specify separate routers for outgoing and incoming connections. To disable MAC-based forwarding, use either of the following procedures.

To disable MAC-based forwarding using the configuration utility
1. In the navigation pane, expand System and click Settings. The Settings page appears in the details pane.
2. In the Modes and Features group, click Change modes. The Configure Modes dialog box appears.
3. Clear the MAC Based Forwarding check box.
4. Click OK. The Enable/Disable Feature(s)? message appears.
5. Click Yes.

To disable MAC-based forwarding using the NetScaler command line
At a NetScaler command prompt, type: disable ns mode mbf

Monday, 25 July 2016

Configuring Global Settings


Once you have installed and performed initial configuration, you can configure a number of connection parameters, customizing your NetScaler to match the needs of your network and managed servers.

Configuring HTTP Traffic Ports

This option identifies Web server HTTP ports used by your managed servers and allows the NetScaler to perform request switching for any client request that has a destination port matching a configured port.

The following procedure includes HTTP port 8080 as an example of a port that can be added on the NetScaler. If your managed servers accept HTTP connections on port 8080, clients need to send requests to this port.

To configure HTTP traffic ports

1. In the left pane, expand System and click Settings. The Settings page appears in the right pane.
2. Under Settings, click Change HTTP Parameters. The Configure HTTP Parameters dialog box appears.
3. In HTTP Port Information, in the HTTP Port text box, type the port number, for example, 8080.
4. Click Add, and then click OK. The Configure HTTP Parameters dialog box appears.

Setting the Maximum Connections to Each Server

You can specify a maximum number of connections that a NetScaler is allowed to make to each managed server. For example, if you enter 500 and there are three servers managed by the NetScaler, it will open a maximum of 500 connections to each of these three servers. By default, the NetScaler can create an unlimited number of connections to any of the servers it manages.

To set maximum connections to each server

1. In the left pane, expand System, and click Settings. The Settings page appears in the right pane.
2. Under Settings, click Change HTTP Parameters. The Configure HTTP Parameters dialog box appears.
3. Under Limits, in the Max Connections text box, type the maximum number of connections, for example, 500.
4. Click OK.

Setting the Maximum Requests per Connection

You can set a maximum number of requests that a NetScaler is allowed to send to a managed server over each connection. To specify an unlimited number of requests, set this value to 0.

To set the maximum requests per connection

1. In the left pane, expand System, and click Settings. The Settings page appears in the right pane.
2. Under Settings, click Change HTTP Parameters. The Configure HTTP Parameters dialog box appears.
3. Under Limits, in the Max Requests text box, type the maximum number of requests, for example, 500.
4. Click OK.

Configuring Client IP Address Insertion

When a Web server managed by a NetScaler receives a mapped IP address, the server identifies this mapped IP address as the client’s IP address. Some applications need the client’s IP address for logging purposes or to dynamically determine the content to be served by the web server.

You can enable insertion of the actual client IP address into the HTTP header request sent from the client to one, some, or all servers attached to a NetScaler. You can then access the inserted address through a minor modification to the server (using an Apache module, ISAPI interface, or NSAPI interface).

To enable client IP Address insertion

1. In the left pane, expand System, then click Settings. The Settings page appears in the right pane.
2. Under Global Settings click HTTP Parameters. The Configure HTTP Parameters dialog box appears.
3. Under Client IP Insertion, select Client IP.
4. Click OK.

Setting HTTP Cookie Version

A NetScaler sends its own cookie when COOKIEINSERT persistence is configured on a virtual server. The NetScaler can send either a version 0 or a version 1 HTTP cookie. By default, it uses HTTP cookie version 0, which is the most common type on the Internet. In the following example, you set the HTTP cookie to version 1.

To set HTTP cookie version 1

1. In the left pane, expand System, then click Settings. The Settings page appears in the right pane.
2. Under Settings, click Change HTTP Parameters. The Configure HTTP Parameters dialog box appears.
3. Under Cookie Version, select Version 1.
4. Click OK.

Setting FTP Port Range

A NetScaler can be configured to open FTP connections on a controlled range of ports instead of ephemeral ports for data connections. This improves security, because opening all ports on the firewall is insecure. You can set the range anywhere from 1024 to 64000.

To set FTP port range

1. In the left pane, expand System, and click Settings. The Settings page appears in the right pane.
2. Under Settings, click Change HTTP Parameters. The Configure Global Settings dialog box appears.
3. Under FTP Port Range, in the Start Port and End Port text boxes, type the lowest and highest port number, respectively, in the range you are specifying, for example, 5000 and 6000.
4. Click OK.

Saturday, 23 July 2016

Load Balancing Works



The load balancing feature distributes client requests across multiple servers to optimize resource utilization. In a real-world scenario with a limited number of servers providing service to a large number of clients, a server can become overloaded and degrade server performance. A NetScaler uses load balancing criteria to prevent bottlenecks by forwarding each client request to the server best suited to handle the request when it arrives.

To configure load balancing, you define a virtual server (vserver) to proxy multiple servers in a server farm and balance the load among them. When a client initiates a connection to the server, the vserver terminates the client connection and initiates a new connection with the selected server to perform load balancing. The load balancing feature provides traffic management from Layer 4 (TCP and UDP) through Layer 7 (FTP, HTTP, and HTTPS).

The NetScaler uses a number of algorithms, called load balancing methods, to determine how to distribute the load among the servers. The default load balancing method is the Least Connections method.

A typical load balancing deployment consists of the entities described in the following figure.



The entities that you must configure in a typical load balancing setup are:


• Vserver. An entity that is represented by an IP address, a port, and a protocol. The vserver IP address (VIP) is usually a public IP address. The client sends connection requests to this IP address. The vserver represents a bank of servers.

• Service. An entity that is represented by an IP address, a port, and a protocol. A service is a logical representation of a server or an application running on a server. The services are bound to the vservers. 

• Server object. An entity that is represented by an IP address. The server object is created when you create a service. The IP address of the service is taken as the name of the server object. You can also create a server object and then create services by using the server object.

• Monitor. An entity that tracks the health of the services. The NetScaler periodically probes the servers using the monitor bound to each service. If a server does not respond within a specified response timeout, and the specified number of probes fails, the service is marked DOWN. The NetScaler then performs load balancing among the remaining services.

To configure load balancing, you must first create services. Then, you must create vservers and bind services to the vservers. By default, the NetScaler binds a monitor to each service. You can also assign weights to a service. The load balancing method uses the assigned weight to select a service. You need to perform these tasks in the sequence illustrated in the following flow chart.


Understanding Persistence


You must configure persistence on a vserver if you want to maintain the states of connections on the servers represented by that vserver (for example, connections used in e-commerce). The NetScaler then uses the configured load balancing method for the initial selection of a server, but forwards to that same server all subsequent requests from the same client.

If persistence is configured, it overrides the load balancing methods once the server has been selected. If the configured persistence applies to a service that is down, the NetScaler uses the load balancing methods to select a new service, and the new service becomes persistent for subsequent requests from the client. If the selected service is in an Out Of Service state, it continues to serve the outstanding requests but does not accept new requests or connections. After the shutdown period elapses, no new requests or connections are directed to the service and the existing connections are closed. The following table lists the types of persistence that you can configure.

Persistence Type: Source IP, SSL Session ID, Custom Server ID, Rule, DESTIP, SRCIPDESTIP
Persistent Connections: 250 K

Persistence Type: CookieInsert, URL passive
Persistent Connections: Memory limit. In case of CookieInsert, if time out is not 0, any number of connections is allowed until limited by memory.

If the configured persistence cannot be maintained because of lack of resources on a NetScaler, the load balancing methods are used for server selection. Persistence is maintained for a configured period of time, depending on the persistence type. Some persistence types are specific to certain vservers.

You can also specify persistence for a group of vservers. When you enable persistence on the group, the client requests are directed to the same selected server regardless of which vserver in the group receives the client request. When the configured time for persistence elapses, any vserver in the group can be selected for incoming client requests.

Understanding Persistence Based on Cookies


When you enable persistence based on cookies, the NetScaler adds an HTTP cookie into the Set-Cookie header field of the HTTP response. The cookie contains information about the service to which the HTTP requests must be sent. The client stores the cookie and includes it in all subsequent requests, and the NetScaler uses it to select the service for those requests. You can use this type of persistence on vservers of type HTTP or HTTPS.

The NetScaler inserts the cookie NSC_XXXX= ServiceIP ServicePort where

• NSC_XXXX is the vserver ID that is derived from the vserver name.
• ServiceIP is the hexadecimal value of the IP address of the service.
• ServicePort is the hexadecimal value of the port of the service.

The NetScaler encrypts ServiceIP and ServicePort when it inserts a cookie, and decrypts them when it receives a cookie.

By default, the NetScaler sends HTTP cookie version 0, in compliance with the Netscape specification. It can also send version 1, in compliance with RFC 2109.

You can configure a timeout value for persistence that is based on HTTP cookies. Note the following:

• If HTTP cookie version 0 is used, the NetScaler inserts the absolute Coordinated Universal Time (GMT) of the cookie’s expiration (the expires attribute of the HTTP cookie), calculated as the sum of the current GMT time on a NetScaler, and the timeout value.
• If an HTTP cookie version 1 is used, the NetScaler inserts a relative expiration time (Max-Age attribute of the HTTP cookie). In this case, the client software calculates the actual expiration time.

If you set the timeout value to 0, the NetScaler does not specify the expiration time, regardless of the HTTP cookie version used. The expiration time then depends on the client software, and such cookies are not valid if that software is shut down. This persistence type does not consume any system resources. Therefore, it can accommodate an unlimited number of persistent clients.

Understanding Persistence Based on Server IDs in URLs


The NetScaler can maintain persistence based on the server IDs in the URLs. In a technique called URL passive persistence, the NetScaler extracts the server ID from the server response and embeds it in the URL query of the client request. The server ID is an IP address and port specified as a hexadecimal number. The NetScaler extracts the server ID from subsequent client requests and uses it to select the server.

URL passive persistence requires configuring either a payload expression or a policy infrastructure expression specifying the location of the server ID in the client requests. For more information about expressions, see the “Policies and Expressions” chapter in the Citrix NetScaler Policy Configuration and Reference Guide.

Example: Payload Expression

The expression URLQUERY contains sid= configures the system to extract the server ID from the URL query of a client request, after matching the token sid=. Thus, a request with the URL http://www.citrix.com/index.asp?&sid=c0a864100050 is directed to the server with the IP address 10.102.29.10 and port 80.

The timeout value does not affect this type of persistence, which is maintained as long as the server ID can be extracted from the client requests. This persistence type does not consume any system resources, so it can accommodate an unlimited number of persistent clients.
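The server ID format described above, as an added Python example (not Citrix code): it extracts the token after sid= from request URLs, decodes it, and reports IDs that name no service bound to the vserver, which is useful when reviewing access logs. The layout of 8 hex digits of IPv4 address followed by 4 hex digits of port is an assumption read off the length of the sample value; BOUND_SERVICES, the function names and the sample URLs are constructed for illustration.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Assumed layout, read off the 12-digit sample on this page:
# 8 hex digits of IPv4 address followed by 4 hex digits of port.
SID_TOKEN = re.compile(r"(?:^|&)sid=([0-9A-Fa-f]{12})(?=&|$)")

# Constructed inventory of services bound to the vserver (hypothetical).
BOUND_SERVICES = {("10.102.29.10", 80), ("10.102.29.11", 80)}


def encode_server_id(ip: str, port: int) -> str:
    """Hex server ID for an IPv4 service under the assumed layout."""
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    return f"{int(ipaddress.IPv4Address(ip)):08x}{port:04x}"


def decode_server_id(sid: str) -> tuple[str, int]:
    """Inverse of encode_server_id; rejects anything but 12 hex digits."""
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", sid):
        raise ValueError("server ID must be exactly 12 hex digits")
    return str(ipaddress.IPv4Address(int(sid[:8], 16))), int(sid[8:], 16)


def server_id_from_url(url: str) -> tuple[str, int] | None:
    """Decode the token that follows sid= in the URL query, if present."""
    match = SID_TOKEN.search(urlsplit(url).query)
    return decode_server_id(match.group(1)) if match else None


def audit_urls(urls, bound=BOUND_SERVICES):
    """Return (url, target) pairs whose server ID names no bound service."""
    findings = []
    for url in urls:
        target = server_id_from_url(url)
        if target is not None and target not in bound:
            findings.append((url, target))
    return findings


# Constructed request URLs. Under the assumed layout the page's sample value
# c0a864100050 decodes to 192.168.100.16:80, so it is reported as unbound;
# 10.102.29.10:80 encodes as 0a661d0a0050.
SAMPLE_URLS = [
    "http://www.citrix.com/index.asp?&sid=0a661d0a0050",
    "http://www.citrix.com/index.asp?&sid=c0a864100050",
    "http://www.citrix.com/index.asp?page=2",
]

if __name__ == "__main__":
    for url, (ip, port) in audit_urls(SAMPLE_URLS):
        print(f"unbound server ID {ip}:{port} in {url}")
```

Because the server ID travels in the query string in clear hexadecimal, it is supplied by the client on every request, so values that decode to an address outside the bound services are worth flagging.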

Understanding URL Redirection


You can configure a redirect URL to communicate the status of the NetScaler in the event that a vserver of type HTTP or HTTPS is down or disabled. This URL can be a local or remote link. The NetScaler uses HTTP 302 redirect.

Redirects can be absolute URLs or relative URLs. If the configured redirect URL contains an absolute URL, the HTTP redirect is sent to the configured location, regardless of the URL specified in the incoming HTTP request. If the configured redirect URL contains only the domain name (relative URL), the HTTP redirect is sent to a location after appending the incoming URL to the domain configured in the redirect URL.

Understanding Backup Vservers


If the primary vserver is marked down or disabled, the NetScaler can direct the connections or client requests to a backup vserver that forwards the client traffic to the services. The NetScaler can also send a notification message to the client regarding the site outage or maintenance. The backup vserver is a proxy and is transparent to the client.

You can configure a backup vserver when you create a vserver or when you change the optional parameters of an existing vserver. You can also configure a backup vserver for an existing backup vserver, thus creating cascaded backup vservers. The maximum depth of cascading backup vservers is 10. The NetScaler searches for a backup vserver that is up and accesses that vserver to deliver the content.

You can configure URL redirection on the primary for use when the primary and the backup vservers are down or have reached their thresholds for handling requests.

Friday, 22 July 2016

Path Maximum Transmission Unit Discovery



Path maximum transmission unit (PMTU) discovery is a method for dynamically learning the maximum transmission unit of any Internet channel. The discovered PMTU is used by the TCP or UDP layer to create packets of an optimum size for that channel. This avoids fragmentation overhead on the routers in the path, and reassembly overhead on the receiving server.

PMTU discovery is an operational mode in the NetScaler. This mode enables the NetScaler to interoperate with other routers participating in PMTU discovery. In a typical topology, the NetScaler is deployed in front of the servers it manages, and either manages connections from clients on behalf of these servers (transparent mode), or manages connections with the servers and clients independently (endpoint mode).

The NetScaler in Transparent Mode


In transparent mode, if a managed server sets the DF bit and sends a datagram, and Path MTU is smaller than the size of the datagram, the NetScaler receives an ICMP error. When the NetScaler is operating in MIP mode, it adjusts the MTU to the MIP and updates the MTU database so that the lower MTU is used for subsequent connections. All packets subsequently sent via that connection have the DF bit unset.

In USIP mode, when an ICMP error message is received, the NetScaler translates it and sends it to the managed server. The managed server updates the MTU for that destination, and subsequent datagrams are sent with the lowered MTU. The MTU value for that client is also updated in the NetScaler. All new connections then use the lowered MTU.

The NetScaler in End-Point Mode


In end-point mode, the NetScaler separately manages connections to the servers it manages and connections to the clients that contact those servers.

For client connections, the NetScaler uses a Maximum Segment Size (MSS) of 1460 bytes. If the network contains a router that fragments the packet into multiple datagrams because of MTU mismatches, the router sends an ICMP error to the NetScaler. The NetScaler does not pass the error to the servers it manages, but parses it and determines an MTU appropriate for that particular client. The NetScaler then updates the MTU database with the lower MTU. Thereafter, it uses the new MTU value for all new connections to that client.
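The end-point mode handling described above, as an added Python sketch (not NetScaler code): it parses an ICMP "fragmentation needed" error (type 3, code 4, with the next-hop MTU field of RFC 1191) and lowers a per-client MTU table. The MtuTable class, the 576-byte floor, the build_frag_needed helper and the documentation-range addresses are assumptions constructed for illustration.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH, CODE_FRAG_NEEDED = 3, 4
DEFAULT_MTU = 1500  # 1460-byte MSS + 20-byte IP header + 20-byte TCP header
MIN_MTU = 576       # assumed floor: smaller reported values are clamped to it


class MtuTable:
    """Per-client path MTU database (hypothetical model)."""

    def __init__(self):
        self._mtu = {}

    def mtu_for(self, client: str) -> int:
        return self._mtu.get(client, DEFAULT_MTU)

    def mss_for(self, client: str) -> int:
        return self.mtu_for(client) - 40

    def handle_icmp(self, icmp: bytes):
        """Return the client whose MTU was lowered, or None if ignored."""
        if len(icmp) < 8 + 20:  # ICMP header + embedded IPv4 header
            return None
        icmp_type, code, _cksum, _unused, next_hop_mtu = struct.unpack(
            "!BBHHH", icmp[:8])
        if (icmp_type, code) != (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED):
            return None
        inner = icmp[8:]
        if inner[0] >> 4 != 4:  # embedded packet must be IPv4
            return None
        # The embedded header is the datagram we sent, so its destination
        # address is the client the lower MTU applies to.
        client = str(ipaddress.IPv4Address(inner[16:20]))
        new_mtu = max(next_hop_mtu, MIN_MTU)
        if new_mtu >= self.mtu_for(client):  # only ever lower the value
            return None
        self._mtu[client] = new_mtu
        return client


def build_frag_needed(our_ip: str, client_ip: str, next_hop_mtu: int) -> bytes:
    """Constructed ICMP error for the demo (checksums left at zero)."""
    inner_ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000,  # 0x4000 = DF bit set
        64, 6, 0,
        ipaddress.IPv4Address(our_ip).packed,
        ipaddress.IPv4Address(client_ip).packed)
    inner_tcp = struct.pack("!HHI", 80, 51000, 1)  # first 8 bytes of TCP
    header = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED,
                         0, 0, next_hop_mtu)
    return header + inner_ip + inner_tcp


if __name__ == "__main__":
    table = MtuTable()
    msg = build_frag_needed("203.0.113.10", "198.51.100.7", 1400)
    print(table.handle_icmp(msg), table.mtu_for("198.51.100.7"),
          table.mss_for("198.51.100.7"))
```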

Enabling or Disabling PMTU Discovery


The NetScaler does not participate in PMTU Discovery by default.

To enable or disable PMTU discovery using the configuration utility

1. In the Navigation Pane, expand System, and then click Settings.
2. On the Settings page, under Modes & Features click Change modes.
3. In the Configure Modes dialog box, select the Path MTU Discovery check box to enable this feature, or clear the check box to disable it, and click OK.

To enable or disable PMTU discovery using the NetScaler command line

At the NetScaler command prompt, type:
enable ns mode PMTUD
or
disable ns mode PMTUD

Configuring TCP Window Scaling


The TCP window scaling option increases the TCP receive window size beyond its maximum value of 65,535 bytes. This TCP option is defined in RFC 1323. The window scaling option is required for efficient transfer of data over long fat networks (LFNs).

A TCP window determines the amount of outstanding (unacknowledged by the recipient) data a sender can send on a particular connection before receiving any acknowledgment from the receiver. The main purpose of the window is flow control.

The window size field in the TCP header is 16 bits, which limits the ability of the sender to advertise a window size larger than 65535 (2^16 - 1). The TCP window scale extension expands the definition of the TCP window to 30 bits by using a scale factor to carry this value in the 16-bit window field of the TCP header. In the NetScaler, the window scale expands the definition of the TCP window to 24 bits. The scale factor is carried in the new TCP window scale field. This field is sent only in a SYN packet (a segment with the SYN bit on).

The new window size is calculated by the receiver by left shifting the bits of the received window size by the scale factor value, which is equivalent to:
(2^scale factor) * received window size

Before configuring window scaling, make sure that:

• You do not set a high value for the Scale Factor, because this could have adverse effects on the NetScaler and the network.
• You have enabled SACK (selective acknowledgement).
• You do not configure window scaling unless you clearly know why you want to change the window size.
• Both hosts in the TCP connection send a window scale option during connection establishment. If only one side of a connection sets this option, window scaling will not be used for the connection.
• Each connection for the same session (such as the TCP session between the client and the NetScaler and the TCP session between the NetScaler and the server having the same request/response) is an independent window scaling session. It is possible to have window scaling between the client and a Citrix NetScaler and not between the Citrix NetScaler and a server.
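The checklist above, worked through on constructed SYN option bytes (an added Python example, not NetScaler code): it parses the MSS, window scale and SACK-permitted options and applies the multiplication by 2^scale factor only when both sides of a leg sent the option. Option kinds 2, 3 and 4 and the cap of 14 on the shift count follow the TCP RFCs; the function names, sample bytes and shift values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

MAX_SHIFT = 14  # RFC 1323 caps the shift count, giving the 30-bit window


@dataclass
class SynOptions:
    mss: Optional[int] = None
    wscale: Optional[int] = None  # None means the option was not sent
    sack_permitted: bool = False


def parse_syn_options(raw: bytes) -> SynOptions:
    """Walk the kind/length/value options area of a SYN or SYN-ACK."""
    opts, i = SynOptions(), 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP padding is a single byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:    # maximum segment size
            opts.mss = int.from_bytes(body, "big")
        elif kind == 3 and length == 3:  # window scale shift count
            opts.wscale = min(body[0], MAX_SHIFT)
        elif kind == 4 and length == 2:  # SACK permitted
            opts.sack_permitted = True
        i += length
    return opts


def scaling_in_use(syn: SynOptions, syn_ack: SynOptions) -> bool:
    """Scaling applies only if both SYN and SYN-ACK carried the option."""
    return syn.wscale is not None and syn_ack.wscale is not None


def effective_window(window_field: int, sender: SynOptions,
                     peer: SynOptions) -> int:
    """Bytes the 16-bit window field from `sender` actually advertises."""
    if not 0 <= window_field <= 0xFFFF:
        raise ValueError("window field is 16 bits")
    shift = sender.wscale if scaling_in_use(sender, peer) else 0
    return window_field << shift  # same as window_field * 2**shift


def describe_leg(syn_raw: bytes, syn_ack_raw: bytes) -> dict:
    """Summarise one TCP leg; each leg negotiates independently."""
    syn, syn_ack = parse_syn_options(syn_raw), parse_syn_options(syn_ack_raw)
    return {
        "scaling": scaling_in_use(syn, syn_ack),
        "sack": syn.sack_permitted and syn_ack.sack_permitted,
        "max_window_from_initiator": effective_window(0xFFFF, syn, syn_ack),
        "max_window_from_responder": effective_window(0xFFFF, syn_ack, syn),
    }


# Constructed option bytes: MSS 1460, NOP, window scale, SACK permitted.
CLIENT_SYN = bytes.fromhex("020405b4" "01" "030304" "0402")      # shift 4
NS_SYN_ACK = bytes.fromhex("020405b4" "01" "030308" "0402")      # shift 8
NS_SYN_TO_SERVER = bytes.fromhex("020405b4" "01" "030308" "0402")
SERVER_SYN_ACK = bytes.fromhex("020405b4")                       # MSS only

if __name__ == "__main__":
    print("client leg:", describe_leg(CLIENT_SYN, NS_SYN_ACK))
    print("server leg:", describe_leg(NS_SYN_TO_SERVER, SERVER_SYN_ACK))
```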

Wednesday, 20 July 2016

The Load Balancing Visualizer



The Load Balancing Visualizer is a tool that you can use to view and modify the load balancing configuration in graphical format. Following is an example of the Visualizer display.



You can use the visualizer to view the following:

a. The services and service groups that are bound to a virtual server.
b. The monitors that are bound to each service.
c. The policies that are bound to the virtual server.
d. The policy labels, if configured.
e. Configuration details of any displayed element.
f. Load balancing virtual server statistics.
g. Statistical information such as the number of requests received per second by the virtual server and the number of hits per second for rewrite, responder, and cache policies.
h. A comparative list of all the parameters whose values either differ or are not defined across service containers.

You can also use the Visualizer to add and bind new objects, modify existing ones, and enable or disable objects. Most configuration elements displayed in the Visualizer appear under the same names as in other parts of the configuration utility. However, unlike the rest of the configuration utility, the Visualizer groups services that have the same configuration details and monitor bindings into an entity called a service container.

A service container is a set of similar services and service groups that are bound to a single load balancing virtual server. Next to the service container is a number that shows the number of services in the group. The services in the container have the same properties, with the exception of the name, IP address, and port, and their monitor bindings should have the same weight and binding state. When you bind a new service to a virtual server, it is placed into an existing container if its configuration and monitor bindings match those of other services; otherwise, it is placed in its own container.

The service container display can help you troubleshoot your configuration if something is not functioning as you expect. More than one container for a particular virtual server is an indication that something is wrong with the configuration of that virtual server and its services. To correct the problem, you must first identify the container that has the desired configuration. You can do so by using the Service Attributes Diff feature, described below. After you identify the container, you right-click the container and click Apply Configuration.

The following procedures provide only basic steps for using the Visualizer. Because the Visualizer duplicates functionality in other areas of the Load Balancing feature, other methods of viewing or configuring all of the settings that can be configured in the Visualizer are provided throughout the Load Balancing documentation.

To view load balancing virtual server properties by using the Visualizer


1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.

2. In the details pane, select the virtual server that you want to view, and then click Visualizer.

3. In the Load Balancing Visualizer dialog box, you can adjust the viewable area as follows:

• Click the Zoom In and Zoom Out icons to increase or decrease the size of the viewed objects. You can click and drag the viewable area if an item that you want to see disappears from view after zooming in.
• Click the Best Fit icon to optimize the viewing area.
• Click the Save Image icon to save the graph as an image file.
• Click the image, hold down the mouse button, and drag the image to pan the view.
• In the Search in text field, begin typing the name of the item you are looking for. The item’s location is then highlighted. To restrict the search, click the drop-down menu and select the type of element that you want to search for.

To view configuration details for services, service groups, and monitors by using the Visualizer


1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.

2. In the details pane, select the virtual server that you want to view, and then click Visualizer.

3. In the Load Balancing Visualizer dialog box, to view configuration details for entities that are bound to this virtual server, you can do the following:

• To view a summary of bound services, position the cursor over the virtual server icon.
• To view services in a service container, click the icon for a service group, click the Related Tasks tab, click Show Member Services, and then click the service group name. To view additional details about the services click Open.
• To view common properties of services in a service group, click the icon for the service group, click the Related Tasks tab, and view the Details section of the tab.
• To view a comparative list of the parameters whose values either differ or are not defined across service containers, click the icon for a container, click the Related Tasks tab, and then click Service Attributes Diff. To view monitor binding details for the services in a container, in the Service Attributes Diff dialog box, in the Group column for the container, click Details.
• To view the details for a monitor, position the cursor over the icon or click the icon for the monitor. For additional details, click the icon, click the Related Tasks tab, and then click View Monitor.
• To view binding details of a monitor, click the connecting line between the monitor and its related service.

To view configuration details for policies and policy labels by using the Visualizer in the configuration utility


1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.

2. In the details pane, select the virtual server that you want to view, and then click Visualizer.

3. In the Load Balancing Visualizer dialog box, to view configuration details for entities that are bound to this virtual server, you can do the following:

• To view policies that are bound to this virtual server, select one or more policy icons in the tool bar at the top of the dialog box. For example, you can select Compression, Filter, Rewrite, and Responder. If policy labels are configured, they appear in the main view area.
• For bound policies that appear in the view pane of the Visualizer, to view a policy’s expression and actions, position the cursor over the policy icon. To view binding details, position the cursor over the line that connects the policy to the virtual server. To view these details, click the policy. The details of the policy appear in the details pane.

To view statistical information by using the Visualizer


1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.

2. In the details pane, select the virtual server that you want to view, and then click Visualizer.

3. In the Load Balancing Visualizer dialog box, to view statistical information, you can do the following:

• To view detailed statistics for the load balancing virtual server, click the icon for the virtual server, click the Related Tasks tab, and then click Statistics.
• To view the number of requests received per second at a given point in time by the load balancing virtual server and the number of hits per second at a given point in time for rewrite, responder, and cache policies, click Show Stats. The statistical information is displayed on the respective nodes in the Visualizer. This information is not updated in real time and has to be refreshed manually. To refresh this information, click Refresh Stats.

To save configuration properties for any entity by using the Visualizer


1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.

2. In the details pane, select the virtual server that you want to view, and then click Visualizer.

3. To copy configuration details for an element to a document or spreadsheet, click the icon for that element, and then click Related Tasks.

4. In the Related Tasks tab, click Copy Properties and then paste the information into a document.

To bind a resource to a load balancing configuration by using the Visualizer


1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.

2. In the details pane, select the virtual server for which you want to configure bindings (for example, Vserver-LB-1), and then click Visualizer.

3. In the Load Balancing Visualizer dialog box, click the Available Resources tab, select a resource type in the drop-down menu, and do one or more of the following:

• To bind a new monitor to a service, select Monitors, click a particular monitor, and then drag it to the service container icon. Use CONTROL + click to select multiple monitors and drag them to the service.
• To bind a service or service group, select Services or Service Groups, respectively, click a particular service or service group, and then drag it to the virtual server icon. To bind multiple services or service groups at one time, press CONTROL + click to select multiple services and drag them over the virtual server.
• To bind a policy, select one of the policy groups, click a particular policy, and then drag it to a virtual server. To bind multiple policies (classic policies only) at one time, press CONTROL + click to select multiple policies and drag them over the virtual server. For details on classic and advanced policies, see the Citrix NetScaler Policy Configuration and Reference Guide. For a link to the guide, see the Documentation Library.

To unbind a resource by using the Visualizer


1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.

2. In the details pane, select the virtual server from which you want to unbind a service, policy, or monitor (for example, Vserver-LB-1), and then click Visualizer.

3. In the Load Balancing Visualizer dialog box, on the Visualizer image, click the connecting line between the resources that you want to unbind, and then click Unbind. For example, to unbind a monitor, you would click the link between the monitor and its bound service and click Unbind.

4. In the Unbind dialog box, click Yes.

To modify a resource in a load balancing configuration by using the Visualizer


1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.

2. In the details pane, select the virtual server that you want to configure (for example, Vserver-LB-1), and then click Visualizer.

3. In the Load Balancing Visualizer dialog box, on the Visualizer image, double-click the resource that you want to modify.

4. In the modify dialog box, enter new settings for the resource.

To add, remove, or disable a resource in a load balancing configuration by using the Visualizer


1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.

2. In the details pane, select the virtual server that you want to configure (for example, Vserver-LB-1), and then click Visualizer.

3. In the Load Balancing Visualizer dialog box, right-click the icon for the resource that you want to add, remove, or disable, and then select the corresponding option from the menu.