Posts tagged netscaler
If your management GUI is not able to use SSL, or you need to fix the ssl_error_no_cypher_overlap error with the NetScaler VPX:
Access your NetScaler via http://yournsip/
Go to “Load Balancing” -> Services -> Internal Services
Open up the nshttps-127.0.0.1-443 service
Click over to the SSL Settings tab and click on the Ciphers button
Remove all ciphers and add “DEFAULT” under the “Configured Ciphers Group”
Do the same exact procedure for the nsrpcs-127.0.0.1-3008
Once done, hit the Save button and try to connect to your NSIP over HTTPS
Want to know which policy is being hit on the NetScaler? In real time!!
- From the command line of the NetScaler type
- issue the command
nsconmsg -d current -g pol_hits
- Want to check for a specific policy? Just add the “grep” command
nsconmsg -d current -g pol_hits | grep "Citrix"
where “Citrix” is the Policy you are looking to trace
When I went to kick off a user from my production NetScaler, this is the message that popped up:
No more logged in? Really? Citrix? Really? lolz for all!!
If you have ever needed to troubleshoot login issues with the NetScaler, you know that you have to drop down to the command line interface (shell) in order to trace the aaad.debug log.
But what if you need to give your helpdesk access to the same logs so that they can troubleshoot login issues? Well, that requires that you give them shell access.
But, as per Citrix, “If a user goes to the shell, that user is already a root user”, and we sure wouldn’t want our helpdesk techs having root access to our NetScalers. So how do we give them enough access to troubleshoot without giving them root? We can create a “Command Policy”.
A “Command Policy” is what tells the NetScaler what a user can and can’t do. For example, the command policy for “superuser” is “ALLOW .*” (that’s a period and an asterisk, which in a regular expression matches any sequence of characters), meaning a user with the superuser command policy can execute any command.
Now to create the command policy for the Helpdesk
- Log in to our NetScaler using a superuser account
- Under the System Folder, select “Command Policies”
- Click the “Add” button and name your new policy “HelpDesk”, make sure that the “Action” is set to “Allow” and enter the following expression under “Command Spec”
^shell (cat (/tmp/|/var/log/)[a-zA-Z]*\.(log|debug)|ls (/tmp|/var/log))$
Now we have to assign our new policy to our Helpdesk group. Since my NetScaler is “LDAP enabled” for logging in, all I have to do is create a group, assign my new policy, and done. (If your NetScaler is not LDAP enabled, then you will have to go and create users manually and assign them to the group we are going to create below.)
- Under the same “System” folder, Select “Groups”
- Click the “Add” button and name your new group “NetScaler-HelpDesk” (It has to match exactly what your helpdesk group is called in LDAP, in my case I have a group called “NetScaler-HelpDesk”)
- Under the “command policies” window, pick your newly created “HelpDesk” Policy, then hit the “Create” and then the “Close” button
- Now fire up PuTTY and try to log in with one of your HelpDesk user IDs; you will see that you can only trace “log” or “debug” files and only in the “/var/log” and “/tmp” directories
That’s all there is to it. Now your Helpdesk can troubleshoot NetScaler login issues while you concentrate on fixing other things
When using the Citrix NetScalers, you can find yourself logging in to the management GUI a few times a week to do some sort of maintenance task or just to monitor what’s going on. I don’t know about everyone else, but to me it is pretty annoying having to remember a different password for every appliance that I have running, so here is how to use LDAP to log in to the management GUI of the NetScalers.
- Log in to the NetScaler GUI with local root credentials (preferably nsroot)
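To dry-run the HelpDesk command spec above before binding it to a group, here is an added Python example (not from the original post and not Citrix code) that checks candidate commands against the regex; it assumes Python’s re engine is close enough to the NetScaler command-policy matcher for this purpose, and the sample commands are constructed.

```python
import re

# Command spec from the post, entered as the HelpDesk policy's "Command Spec" (Action: Allow).
HELPDESK_SPEC = r"^shell (cat (/tmp/|/var/log/)[a-zA-Z]*\.(log|debug)|ls (/tmp|/var/log))$"

# Assumption: Python's re engine behaves like the NetScaler command-policy
# matcher for this anchored pattern, so we can dry-run it before deployment.
_SPEC_RE = re.compile(HELPDESK_SPEC)


def allowed_by_spec(command, spec_re=_SPEC_RE):
    """True if the Allow policy matches this exact command line (anchored by ^ and $)."""
    return spec_re.match(command) is not None


def dry_run(commands, spec_re=_SPEC_RE):
    """Map each candidate command to ALLOW or DENY for review before binding the policy."""
    return {cmd: ("ALLOW" if allowed_by_spec(cmd, spec_re) else "DENY") for cmd in commands}


# Constructed sample commands a helpdesk user might type over SSH.
SAMPLE_COMMANDS = [
    "shell cat /tmp/aaad.debug",            # the login-troubleshooting log: ALLOW
    "shell cat /var/log/ns.log",            # ALLOW
    "shell ls /var/log",                    # ALLOW
    "shell cat /etc/passwd",                # outside /tmp and /var/log: DENY
    "shell cat /var/log/../../etc/passwd",  # '.' and '/' are not in [a-zA-Z]: DENY
    "shell cat /tmp/aaad.debug; id",        # anything after the file name fails the $ anchor: DENY
    "shell ls /var/log/",                   # trailing slash is not in the ls branch: DENY
    "shell",                                # a bare shell would be root: DENY
    "show ns ip",                           # not a shell command, not matched by this spec: DENY
]

if __name__ == "__main__":
    for cmd, verdict in dry_run(SAMPLE_COMMANDS).items():
        print(f"{verdict:5} {cmd}")
```

The traversal and chained-command cases show why the character class and the $ anchor matter: loosening either would widen what the helpdesk can read or run.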
- Expand the “System” Folder and click on “Authentication”
- Click on the “Servers” tab and click the “Add” button
- Enter your Authentication server settings and Click “Create” then “Close”
- Now click on the “Policies” tab and click the “Add” button
- Enter a simple expression of “ns_true” (you must choose “Advanced Free-form” from the dropdown) and click “Create” then “Close”
- Right click your Newly created LDAP Authentication Policy and choose “Global Bindings”
- Click the “Insert Policy” button and from the drop down pick your LDAP authentication policy.
- Click OK and once you return to the Authentication Screen, you should see a green check mark under the column “Globally Bound?”
Now we have to let the NetScaler know who’s going to be logging in, and in order to do that we must create either a user account or a group, so let’s create a group called “NetScaler-Admins”
- In “Active Directory Users and Computers” make sure that there is a group called “NetScaler-Admins”
- In the Netscaler gui, expand the “System” folder and pick “Groups”
- Click “Add” and type in a name for the group, the name must be exactly the same as the group in AD so we call this group “NetScaler-Admins”
- Assign the privileges that you want to give this group, in this case “superuser” and click the “Create” Button then the “Close” button
- That’s all there is to it. Now have someone who is a member of the AD group “NetScaler-Admins” attempt to log in to the NetScaler GUI with their AD credentials, and it should let them right in
If you find that the login is not working, PuTTY into the NetScaler and tail the /tmp/aaad.debug log; a lot of times the issue is as simple as not being a member of the correct AD group, or the LDAP policy/server config not being set up correctly.
Also, these same procedures can be done for individual user accounts as well, so if your user in LDAP is jsmith, then create the user jsmith under the “Users” page instead (the password won’t matter, just make it hard enough that no one will be able to guess it)
I have production NetScalers, but I also wanted to have a NetScaler on my desktop that I could quickly jump into, make changes, and not worry about breaking something.
Citrix offers a NetScaler image for ESX; the problem is that the image won’t work / load correctly in VMware Desktop 7, but with a few steps you can have NetScaler running on VMware Desktop in no time.
Before I begin, I’m assuming that you have VMWare Desktop 7 already Installed, and that you have a login to Citrix.com, also, I’m working with NSVPX-ESX-9.2-50.4
- Go to Citrix.com and download the NetScaler VPX for ESX (if you don’t see any downloads, you must log in first)
- Unzip the file using your favorite utility, Once done you should be left with 3 files (.vmdk, .mf, and .ovf)
- Create another folder where your “Converted” VM will go
- Open up the command prompt (Start -> Run -> CMD) and CD over to the OVFtool folder (for me located at C:\Program Files\VMware\VMware OVF Tool)
- Run this command
ovftool.exe "D:\NSVPX-ESX-9.2-50.4_cl\NSVPX-ESX-9.2-50.4_cl.ovf" "D:\NSVPX-ESX-9.2-50.4_cl_converted\NSVPX-ESX-9.2-50.4_cl.vmx"
- Now that the command completed, look in your “converted” folder and you should see 2 files (.vmx, .vmdk)
- Using your favorite editor, open up the .VMX file and find the line that reads
guestos = "solaris10"
Replace that line with
guestos = "other-64"
- Save the .VMX file, and Move your newly created “converted” folder to wherever it is that you keep your VM machines
- Open VMware Desktop 7, click on File -> Open, find your “converted” folder and select the .VMX file (it’s probably the only file you can see in the folder)
- Now click the green Start button and off you go; you should end up at a prompt asking you for the NetScaler’s IPv4 address.
- Make sure to set up your IP based on the type of networking you have set up for your VM: if you are using bridged, pick an IP from your router’s range; if using NAT, assign a 192.168.26.x IP (VMware’s default range for NAT) and forward port 80 to that IP; if using host-only, you don’t need to forward port 80, but make sure you know which IP range it uses
- Set up your IPs any way you want, point your browser over to “http://ipyouchosetouse” and enjoy using your NetScaler on VMware Desktop 7
If you have a Citrix NetScaler and you need to manage it, you have to connect to the NetScaler IP (NSIP) with a browser. But if you try to connect to it via HTTPS, either with IE or Firefox, you will get an “Invalid Certificate” error.
Trying to follow the instructions in the Citrix Article (CTX122521) “How to Replace the Default Certificate of a NetScaler Appliance with a Trusted CA Certificate that Matches the Hostname of the Appliance” is just too cumbersome, and I knew there had to be an easier way to do it via the GUI, and there is:
Before we start I am assuming you already have a certificate installed in the NetScaler, either a cert that matches the host name of the NetScaler or a Wild Card cert
If you don’t know how to install a certificate on the NetScalers, I suggest you read these articles:
– How to Generate and Install a Public SSL Certificate on a NetScaler Appliance (CTX109260)
– How to Transfer Certificates from IIS to the NetScaler (CTX109031)
- Log into your NetScaler using an account with “superuser” powers (nsroot, etc)
- Expand the “Load Balancing” Tab and click on “Services”
- On the right side under services click the “Internal Services” tab
- Highlight the “nshttps-127.0.0.1-443” service and click the “Open” button
- In the “Configure Service” window, click the “SSL Settings” tab
- Under the “Configured” certificates you will see the default “ns-server-certificate”, highlight it and click the “Remove” button
- Under the “Available” certificates, highlight the certificate you want to use and click the “Add” button (in my case, the “Pinchii Wildcard SSL Cert” from Godaddy)
- Hit “Ok” and close out of that window
- Repeat the same procedure for “nsrpcs-127.0.0.1-3008” and “nsrpcs-127.0.0.1-3009” as these are the “services” used when you configure the NetScalers using the “Web Start Client” Java App
- Hit “Save” and then “Refresh All” to save your new configuration to the NetScalers
That’s it. The next time you log in to your NetScalers over an HTTPS connection you will have a valid SSL cert and you should have no warnings or problems with IE or Firefox