With a large demand for responsive websites and availability of services, IT administrators are faced with an ever-rising need for services that are optimized for speed. NetScaler VPX is a software-based virtual appliance that provides users with the comprehensive NetScaler feature set. Implementing apps and cloud-based services is much easier with its increased service performance and integrated security features.
This book will give you an insight into all the new features that NetScaler VPX™ has to offer. Starting off with the basics, you will learn how to set NetScaler up and configure it in a virtual environment, including the new features available in version 11, such as Unified Gateway and portal theme customization. Next, the book will cover how to deploy NetScaler on Azure and Amazon, and you will also discover how to integrate it with an existing Citrix infrastructure. You will then venture into other topics such as load balancing Microsoft and Citrix solutions, configuring different forms of high availability, Global Server Load Balancing (GSLB), and network optimization. You will also learn how to troubleshoot and analyze data using NetScaler's extensive array of features.
Finally, you will discover how to protect web services using the application firewall and will get to grips with other features such as HTTP DoS protection and AAA.
Page count: 278
Year of publication: 2015
Copyright © 2015 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: October 2015
Production reference: 1161015
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78528-898-2
www.packtpub.com
Author: Marius Sandbu
Reviewer: Mikael Modin
Commissioning Editor: Priya Singh
Acquisition Editor: Harsha Bharwani
Content Development Editor: Riddhi Tuljapurkar
Technical Editor: Vivek Arora
Copy Editor: Puja Lalwani
Project Coordinator: Kinjal Bari
Proofreader: Safis Editing
Indexer: Tejal Soni
Graphics: Jason Monteiro
Production Coordinator: Manu Joseph
Cover Work: Manu Joseph
Marius Sandbu is an IT architect, advisor, and trainer. He has worked with Microsoft technology for over 10 years and has been awarded an MVP title from Microsoft for his dedication to the Microsoft community. He is also a board member of the local Microsoft technology user group and has spoken at many public events, including Microsoft and Citrix events. He has always had a strong interest in technology, and he also works as an instructor for Veeam and Citrix. Over the past few years, he has been awarded titles across different areas of technology, and he also had a role within Microsoft as an infrastructure ranger. He is a certified Microsoft trainer and has conducted different courses on System Center and Windows Server over the years. He is also an active blogger at https://msandbu.wordpress.com/.
I would like to thank my wife, Silje, for supporting me and always telling me to pursue my projects; love you!
Mikael Modin is a Citrix certified instructor and senior consultant at Wedel IT, with over 15 years of experience working with Citrix and Microsoft technologies.
He is also a board member of Citrix User Group Norway and is an engaging speaker at Citrix-related events.
You can follow him on Twitter at @mikael_modin or contact him at <[email protected]>.
Wedel IT is a consulting company based in Norway that specializes in virtualization technologies, primarily Citrix. The company was founded in 2010 and the employees are known for their expertise in the field and work with a range of customers both in the private and public sectors.
I would like to thank my coworkers, who keep my days interesting, and especially my wife and kids, who are always there for me with their love and support.
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.
Get notified! Find out when new books are published by following @PacktEnterprise on Twitter or the Packt Enterprise Facebook page.
NetScaler is becoming more essential in many environments and is often crucial because of many of the services it offers. This book, which is about implementing NetScaler VPX, covers all the basics on how to get started with NetScaler VPX in a virtual environment and how to deliver highly available services and remote access to a Citrix environment.
It starts off with an easy introduction on what the product is, what it can offer, and how to perform an initial setup both on an on-premises deployment and using public cloud offerings.
Later, it moves on to some of the more advanced features, such as remote access to a Citrix environment, the different VPN features, and optimizing network services.
It also covers high availability features, such as active/passive HA and clustering, and how to load balance many commonly used platforms such as Exchange, SQL, Lync, and other Citrix components. It shows you how to secure services using the application firewall and AAA.
Chapter 1, NetScaler VPX 11 – Basics and Setup, covers the initial setup of NetScaler VPX in a virtual environment and in public clouds, such as Azure and Amazon. It also describes the different deployment types, features, and settings and tells us what they can do.
Chapter 2, NetScaler Gateway, explains how to set up the NetScaler Gateway feature against a XenApp/XenDesktop environment. It also covers how to set up SSL-based VPN and how to use the Unified Gateway feature.
Chapter 3, Load Balancing, covers how to set up load balancing against generic web services as well as many of the most used platforms, such as Exchange, SharePoint, MSSQL, and other Citrix products.
Chapter 4, Mobilestream, explains how to set up and configure compression, caching, and frontend optimization on NetScaler in order to increase performance on websites.
Chapter 5, Optimizing NetScaler Traffic, explains the different features and techniques that we can use in order to optimize network traffic in a virtual environment, such as TCP profiles and HTTP/2.
Chapter 6, High Availability, explains the different high-availability features and how to configure them. It also covers a basic setup of GSLB.
Chapter 7, Security and Troubleshooting, covers the use of different security features in NetScaler, such as Application Firewall, HTTP DoS, and so on. It also gives you an overview of how to troubleshoot a NetScaler appliance.
Chapter 8, AAA Application Traffic, explains how to set up and configure the AAA feature in NetScaler and how to use it to provide secure authentication and authorization to web services.
You can download a trial version of the NetScaler virtual appliance from Citrix at https://secureportal.citrix.com/MyCitrix/login/EvalLand.aspx?downloadid=1857216&LandingFrom=1005.
You should also have a virtual environment running either VMware, Citrix XenServer, or Hyper-V. If you do not have a virtual environment, you can test it out on a client hypervisor.
For instance, if you are using Windows 8.1/10, you can use Client Hyper-V, which is a Windows feature that needs to be enabled from Programs and Features under Control Panel.
You can also use the VMware player, which is available at https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/6_0.
This book is intended for system administrators who are working with either Citrix or networking and who want to learn how to implement NetScaler VPX in a virtual environment for use with, for instance, remote access for Citrix environments and CVPN and to load balance different services.
In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "Start by typing shell, and then change the directory to /tmp with cd /tmp."
A block of code is set as follows:
Any command-line input or output is written as follows:
New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "At the bottom, choose Secure Access Only and click on OK."
Warnings or important notes appear in a box like this.
Tips and tricks appear like this.
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.
To send us general feedback, simply e-mail <[email protected]>, and mention the book's title in the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.
To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.
Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors and our ability to bring you valuable content.
If you have a problem with any aspect of this book, you can contact us at <[email protected]>, and we will do our best to address the problem.
Welcome to the first chapter of the second edition of this book. Throughout the course of this book, we will cover most of the different areas where NetScaler serves its purpose. The first chapter will cover a short introduction of what Citrix NetScaler is and some of its features. Throughout this book, we will focus on how to set up and deploy a NetScaler VPX in a virtualized environment. The book will mostly show you how to set up and deploy in Hyper-V, but the process is not that different for vSphere and XenServer. I will also provide a short description on the deployment of NetScaler on public cloud providers such as Amazon and Azure.
So to sum it up, here's what we will cover throughout this chapter:
NetScaler was an acquisition that Citrix made back in 2005, and it is one of the bestselling products in their portfolio today, pivotal in many large enterprises. Today, many of the largest IT organizations such as Microsoft, Google, and eBay, to mention a few, use NetScaler in front of their websites and services to ensure availability.
We can check the kind of frontend solution an organization uses in most cases on their website by using a free web tool from http://www.netcraft.com/. For example, for eBay go to http://searchdns.netcraft.com/?restriction=site+contains&host=ebay.com.
NetScaler can be defined as a network appliance whose primary role is delivering services to the end clients that connect to it. It does this using features such as load balancing, high availability, gateway solutions, and so on. The common term for this kind of appliance is Application Delivery Controller (ADC), because in many cases users reach their services through it, for example through a web service that NetScaler load balances. It also has many features to optimize network traffic, such as web caching, compression, and SSL offloading, to give a service optimal performance. In addition, it includes features such as an application firewall, URL rewriting, frontend optimization, global server load balancing, and the gateway function for XenApp/XenDesktop, to name a few. We will cover some of these features in greater detail in later chapters.
So, NetScaler's whole purpose is to ensure that a service or an application is delivered through different availability and performance features. The following diagram presents some of the different uses of NetScaler and shows how users can access their different applications and services:
As we can see in the diagram, we can ensure content is delivered to users in many ways. Also, there are features that allow us to bridge different infrastructures, such as public cloud providers. We will delve into some of the features in the rest of the chapters.
NetScaler includes a variety of features; some information about the different features and the product itself can be found in the Citrix eDocs available at http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html. eDocs is an ideal place for knowledge and support documentation about setup and configuration of the different features included in NetScaler.
NetScaler comes in three different flavors: MPX, SDX, and VPX.
The MPX is a physical appliance of NetScaler, which again comes in different models. As an example, the MPX 5550 is the starting platform that consists of an Intel CPU with 8 GB of RAM, and can handle up to 5,000 concurrent SSL VPN sessions and up to 175,000 HTTP requests every second. The MPX 5550 has a maximum throughput of 0.5 Gbps, but it can be upgraded to the 5650, which has 1 Gbps throughput. This only requires a change of license, as it still runs on the same hardware. A long list of different models that suit most business needs is available, depending on the number of users and the kind of service and bandwidth required. The largest physical appliance available is the MPX 21550, which has up to 50 Gbps of throughput.
One of the benefits of NetScaler is that if we need better performance or more bandwidth, we can in many cases just upgrade the platform license to the next edition. You can refer to the NetScaler datasheet to see which platforms can be upgraded and check the specifications of the different platforms at http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-data-sheet.pdf.
All of the MPX models come with special SSL chips, which are specifically used to handle encrypted traffic (SSL traffic). NetScaler uses an architecture called nCore, which allows it to intelligently load balance the SSL operations among the chips available on the hardware. This allows for faster handling of SSL traffic on the platform. Also, an important point to remember is that each platform has a limit to the number of SSL-based operations and throughput it can handle each second, which can be viewed in the datasheet mentioned earlier.
The SDX is a special platform available on many of the same models as the MPX, as it uses the same underlying hardware. The difference is that the SDX itself cannot perform load balancing or any other NetScaler function; it is just a virtualization platform that runs virtual NetScalers (VPX) on top of itself. By default, when purchasing an SDX, it ships with five VPXs. SDX runs a customized version of XenServer, and from there we can create multiple VPX instances, each of which has the full NetScaler feature set. This platform is better suited for multitenant environments; it is also suitable when we want to isolate traffic into separate instances with dedicated bandwidth, VLANs, and/or applications.
Also important to remember is that when we have an SDX, we can have multiple VPX instances running—all with different software versions.
The VPX is available for XenServer, KVM, VMware, and Hyper-V, or as an instance on the SDX platform. The VPX can also be deployed on public cloud providers such as Microsoft Azure or Amazon Web Services.
There is one notable difference between running a VPX in a regular virtual environment and as part of an SDX. On an SDX, the VPX has access to the onboard SSL chips and handles SSL traffic accordingly. In a regular virtual environment, the VPX's SSL capacity is limited, as it depends on the virtualization host's CPUs. General-purpose CPUs do not handle SSL operations as efficiently as dedicated SSL chips, so the VPX has a soft limit on how many SSL transactions it can handle per second. This can be seen in the NetScaler datasheet mentioned earlier.
Barry Schiffer has written an excellent article on NetScaler sizing and what model to choose, which I would recommend taking a look at if you are unsure of what to use. This article is available at http://www.barryschiffer.com/citrix-NetScaler-platform-sizing-guide/.
NetScaler also has different types of editions, and depending on the level, it will grant access to the different features. The three editions are Standard, Enterprise, and Platinum.
Standard is the most basic edition and contains most of the basic features, such as load balancing, SQL load balancing, NetScaler Gateway (formerly known as Access Gateway), network optimization, HTTP/URL rewrite, and more. The Enterprise edition gives us Global Server Load Balancing (GSLB), HTTP compression, AAA management, frontend optimization and surge protection. Lastly, the Platinum edition gives us CloudBridge, full NetScaler Insight Center functionality, application firewall, and more. An important point to note here is that on an SDX appliance, all the VPX appliances have Platinum edition features.
There is also a dedicated Gateway instance that only has the NetScaler Gateway feature available. This only comes in a VPX 50 instance, which basically means that it has a 50 Mbps bandwidth limit and can only be used for Gateway features such as ICA-proxy, SSL VPN, or VPN. It is also available as a physical unit, the NetScaler Gateway MPX 500, which has the same limitations but up to a 500 Mbps bandwidth and a higher number of concurrent users.
Now, many of these features may be unfamiliar to you, but these will be covered throughout the later chapters.
The complete feature set of NetScaler and its different editions can be found in the NetScaler datasheet available at http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-data-sheet.pdf?accessmode=direct.
The datasheet for NetScaler Gateway can be found here https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-netscaler-gateway-secure-remote-access-from-anywhere-on-any-device.pdf.
One of the things that I mentioned earlier was that in case we needed more bandwidth or better performance, we could just upgrade the license to another platform. The same goes for features as well; if we need features that are available in the Enterprise edition and we have only the Standard edition, we just have to buy a license upgrade to access those features. If, for example, we are in a situation where we need more bandwidth for a period of time, we can also purchase something called burst licenses. Burst licenses allow us to extend our bandwidth on the appliance, for example, for 90 days.
There is also a free edition of the VPX called VPX Express. The VPX Express has the same functionality as VPX standard, but it has a limit of 5 Mbps of throughput and is valid for one year at a time. It also gives you access to running up to five users with NetScaler Gateway, which we will go through in the next chapter.
Many may be familiar with the previous releases of NetScaler and some of its capabilities. Therefore, we decided to add what is new in version 11 of NetScaler OS. Version 11 was released in June 2015, and it introduced a bunch of new features and capabilities, including the following:
Most of these topics will be covered throughout this book. If you wish for more information about version 11, you can read the release document at https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS_11_55_20.html.
When we want to set up or deploy NetScaler, we need a license in place in order to access the features we want to use. An important point to note here is that three types of licenses are available for NetScaler:
If you do not have access to a regular license, you can download a trial version of the latest NetScaler VPX Platinum edition from Citrix, available at http://www.citrix.com/products/netscaler-application-delivery-controller/try.html.
If you want to download a platform license for NetScaler from https://www.citrix.com/, you need to enter the MAC address of the first NIC on your appliance in the Host ID field on the website.
If you are deploying a NetScaler Gateway VPX, and you want to download a platform license for it or generate universal licenses, both of these should be created with the hostname of the appliance instead of the MAC address. These licenses can be generated from the same website.
The MAC address can be found either via the CLI of the appliance or by using a hypervisor. We will look at CLI in detail in this chapter. To get hardware information from the CLI of the appliance, we have to first log in to the NetScaler System CLI, and then switch to the FreeBSD shell by typing shell and running the following command:
When using Hyper-V, run the following command from PowerShell on the host (or from the Virtual Machine Manager PowerShell):
If you are using VMware and have PowerCLI available, you can use a similar command as follows to get the same result:
This will give you the host ID/MAC address of the appliance, which needs to be entered on https://www.citrix.com/ to generate a platform license. We will cover installing the license a little later.
When thinking about the deployment of NetScaler, a couple of things need to be taken into consideration:
A common scenario is load balancing some sort of web service for external users. In such a scenario, a business might have a demilitarized zone (DMZ) and an intranet zone. One topology that can be used here is to place NetScaler with one interface in the DMZ and one interface in the intranet zone. This is known as a two-armed setup. It is important to note that a two-armed setup does not necessarily mean two NICs connected to different networks; it may also be multiple VLANs trunked to the same NIC. This is practical for load balancing internal resources as well, because the traffic does not need to flow back and forth through the firewall multiple times. The trade-off is that the appliance itself now spans both zones, so management access (the NSIP, and the management flags on any SNIP) should be reachable only from the intranet side.
In some cases, because of business requirements, you might have NetScaler attached to only one interface or one VLAN that resides in a single zone. This is known as a one-armed setup. Here, NetScaler is placed, for example, only in the DMZ, and routes are in place so that NetScaler can reach the backend services through the firewall. This topology keeps the firewall between NetScaler and the backend, which is why it is often preferred for security, at the cost of every backend connection traversing the firewall. We will cover a sample scenario later in this chapter.
Now that we have gone through the different editions, features, and licensing, let us begin with the initial setup of NetScaler.
Before setting up the VPX, we need to make sure that we have the following resources available in our virtual environment:
NetScaler VPX supports a maximum of eight virtual network interfaces, and as of now, it supports Windows Server Hyper-V 2008 R2 and Windows Server Hyper-V 2012 R2. It also supports XenServer 6.0, XenServer 6.1, and VMware vSphere from version 4.0 up to 5.5.
After downloading NetScaler from www.mycitrix.com/, we can import the virtual machine using the Hyper-V manager by selecting Import Virtual Machine… and browsing to the download location of NetScaler VPX.
After the appliance is imported, we should change the MAC address of the network adapter to static, as the license is based on the MAC address. Hyper-V manages MAC allocation for virtual machines, and in some scenarios, a virtual machine might generate a new MAC address. Therefore, it is important to set the MAC address as static.
This can be done by navigating to Virtual Machine | Network | Advanced Features, as shown in the following screenshot:
Note that the same applies for VMware and XenServer as well.
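As an added example (not code from the book), the following PowerShell does both of the preceding steps from the Hyper-V host: it pins the VPX's first adapter to a static MAC before first boot and prints that MAC in the form the Citrix licensing portal expects as the Host ID (12 hex digits, no separators). The VM name NetScaler-VPX is a placeholder, and the commented PowerCLI lines at the end assume an existing Connect-VIServer session.

```powershell
# Added example, not from the book. Run on the Hyper-V host while the VM is still
# powered off (the MAC of a running VM cannot be changed). VM name is assumed.
param(
    [string]$VmName    = 'NetScaler-VPX',   # assumed name
    [string]$StaticMac = ''                 # optional; 12 hex digits, e.g. 02AABBCCDDEE
)

# The first adapter in creation order is the one the VPX sees as interface 0/1,
# and it is the one whose MAC the platform license is bound to.
$adapter = Get-VMNetworkAdapter -VMName $VmName | Select-Object -First 1
if (-not $adapter) { throw "No network adapter found on VM '$VmName'" }

if ($adapter.DynamicMacAddressEnabled) {
    if (-not $StaticMac) {
        # A never-started VM has no MAC yet (Hyper-V reports all zeros); mint a locally
        # administered unicast MAC (first byte 0x02) rather than pinning a zero address.
        $StaticMac = if ($adapter.MacAddress -match '^0+$') {
            '02' + ((1..5 | ForEach-Object { '{0:X2}' -f (Get-Random -Maximum 256) }) -join '')
        } else {
            $adapter.MacAddress   # keep the MAC Hyper-V already handed out
        }
    }
    # Freeze it so it survives exports, imports and migrations; a new MAC would
    # invalidate the platform license.
    Set-VMNetworkAdapter -VMNetworkAdapter $adapter -StaticMacAddress $StaticMac
    $adapter = Get-VMNetworkAdapter -VMName $VmName | Select-Object -First 1
}

# Hyper-V stores the MAC as 12 hex digits without separators, which is already the
# Host ID format; normalise anyway because vSphere and the VPX shell print colons.
$hostId = ($adapter.MacAddress -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($hostId.Length -ne 12) { throw "Unexpected MAC format: $($adapter.MacAddress)" }

[pscustomobject]@{
    VM        = $VmName
    Adapter   = $adapter.Name
    StaticMac = -not $adapter.DynamicMacAddressEnabled
    HostId    = $hostId
}

# VMware equivalent with PowerCLI (assumes Connect-VIServer has already run):
#   $nic = Get-VM -Name $VmName | Get-NetworkAdapter | Select-Object -First 1
#   ($nic.MacAddress -replace ':', '').ToUpper()
```

Run it once before the first boot and keep the printed HostId with the license request; if StaticMac ever reads False afterwards, the adapter was recreated and the license will no longer match.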
After we are done changing the MAC address to static, we can boot the virtual appliance. The initial setup must be done from the appliance console, which we reach through the virtual machine console in the hypervisor. The first thing we need to enter is the NetScaler IP address (NSIP), which is used for management, then the subnet mask, and finally the default gateway. Then we press 4 to save the settings. After this is done, we can access the web GUI over HTTP at the NSIP we entered. The default username and password for the web administration GUI are nsroot and nsroot; treat these as a first-boot credential only, change the password before anything other than the management network can reach the NSIP, and switch the GUI to HTTPS only (Secure Access Only) as one of the first configuration steps. Prior to logging in, make sure that the deployment type is set to NetScaler ADC. The management interface is pure HTML 5 and can be used from any modern browser, such as Internet Explorer, Google Chrome, or Firefox.
We also have the option of using SSH, so we can use any SSH client, such as PuTTY, to perform management from the CLI as well.
When logging in to the web console for the first time after the initial setup, we are presented with a wizard that allows us to enter information, such as DNS, time zone, and SNIP, and to change password settings. Alternatively, we can click on skip these tasks and go straight to the configuration dashboard. For the purpose of this book, I am going to show you how to add different configurations using regular GUI and CLI instead of using the built-in wizard. An important point to note here is that the initial setup wizard will always pop up until we have added a platform license, subnet IP, and NetScaler IP.
You can restart the initial setup in the CLI by typing the following command:
When altering the configuration of NetScaler, the configurations are put into the running configuration file. If we do not save the configuration, the settings that we changed will be lost when we restart. Make sure to save the configuration using the CLI command save config, or by clicking on the Save button (represented as a floppy disk) in the GUI, after performing the changes to the configuration.
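As an added example (not the book's own commands), the following PowerShell performs the first-boot hardening that the defaults above call for, driving the appliance through its NITRO REST API, which NetScaler exposes on the NSIP: it replaces the nsroot password, adds a SNIP with management access disabled, restricts the NSIP to HTTPS and SSH, and saves the running configuration so it survives a reboot. The NSIP and SNIP values are placeholders; the script assumes PowerShell 7 or later for -SkipCertificateCheck, because the appliance ships with a self-signed certificate, and that only the management network can reach the NSIP while the factory password is still in place.

```powershell
# Added example, not from the book: first-boot hardening over the NITRO REST API.
# Assumptions: NSIP/SNIP below are placeholders; PowerShell 7+ (for -SkipCertificateCheck,
# needed because the appliance ships with a self-signed certificate); nothing but the
# management network can reach the NSIP while the factory password is still in place.
param(
    [string]$Nsip    = '192.168.1.10',
    [string]$Snip    = '192.168.1.11',
    [string]$Netmask = '255.255.255.0'
)

$base = "https://$Nsip/nitro/v1/config"

function Invoke-Nitro {
    param(
        [ValidateSet('Get', 'Post', 'Put')][string]$Method,
        [string]$Resource,
        [pscredential]$Cred,
        [hashtable]$Body
    )
    # NITRO accepts the credentials as headers on every call, so no session cookie is kept.
    $headers = @{
        'X-NITRO-USER' = $Cred.UserName
        'X-NITRO-PASS' = $Cred.GetNetworkCredential().Password
    }
    $json = if ($Body) { $Body | ConvertTo-Json -Depth 5 -Compress } else { $null }
    Invoke-RestMethod -Method $Method -Uri "$base/$Resource" -Headers $headers `
        -ContentType 'application/json' -Body $json -SkipCertificateCheck
}

# Factory credential, used exactly once: to replace itself.
$factory = [pscredential]::new('nsroot', (ConvertTo-SecureString 'nsroot' -AsPlainText -Force))
$newCred = Get-Credential -UserName 'nsroot' -Message 'New nsroot password'

# 1. Replace the default password before any other change (same as: set system user nsroot).
Invoke-Nitro -Method Put -Resource 'systemuser' -Cred $factory -Body @{
    systemuser = @{ username = 'nsroot'; password = $newCred.GetNetworkCredential().Password }
}

# 2. Add the SNIP for backend traffic with management access off, so only the NSIP
#    ever answers on GUI/SSH/SNMP (same as: add ns ip ... -type SNIP -mgmtAccess DISABLED).
Invoke-Nitro -Method Post -Resource 'nsip' -Cred $newCred -Body @{
    nsip = @{ ipaddress = $Snip; netmask = $Netmask; type = 'SNIP'; mgmtaccess = 'DISABLED' }
}

# 3. Restrict the NSIP itself: GUI over HTTPS only, no Telnet or FTP, SSH stays on
#    (same as: set ns ip <NSIP> -gui SECUREONLY -telnet DISABLED -ftp DISABLED).
Invoke-Nitro -Method Put -Resource 'nsip' -Cred $newCred -Body @{
    nsip = @{ ipaddress = $Nsip; gui = 'SECUREONLY'; telnet = 'DISABLED'; ftp = 'DISABLED'; ssh = 'ENABLED' }
}

# 4. Persist to ns.conf (same as: save ns config); the running config is lost on reboot otherwise.
Invoke-Nitro -Method Post -Resource 'nsconfig?action=save' -Cred $newCred -Body @{ nsconfig = @{} }

# Read back the management flags on both addresses to verify what was applied.
(Invoke-Nitro -Method Get -Resource 'nsip' -Cred $newCred).nsip |
    Where-Object { $_.ipaddress -in $Nsip, $Snip } |
    Select-Object ipaddress, type, gui, ssh, telnet, ftp, mgmtaccess
```

The -SkipCertificateCheck flag is tolerable only for this first contact on an isolated management network; replace the appliance's self-signed server certificate afterwards so the flag can be dropped and the NSIP can be validated properly.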
Microsoft and Citrix recently made NetScaler available as an appliance within Microsoft Azure, with a bring-your-own-license model, meaning that we can deploy a virtual appliance and use our own license there. However, we still need to pay Microsoft for the running instance and network traffic that is going out of Azure cloud. As of now, three versions are supported in Azure: VPX 10, VPX 200, and VPX 1000.
If we want to deploy a NetScaler VPX within Microsoft Azure, we have to use the current build available in the Microsoft Azure Marketplace. As of now, it is only available in the new management portal.
First, you need to have an active subscription in place for Microsoft Azure. Then, go to the new management portal at https://portal.azure.com.
Next, navigate to the marketplace, which can be found in the main menu, Browse | Marketplace.
Here, we type Citrix NetScaler, and it will appear in the list of options, as shown in the following screenshot:
From there, click on Create. Then enter the required information, such as the IP address that will be used for management, the username, and the password. The default here is nsroot with a custom password for that user. It is important to note that Microsoft Azure has its own DHCP service, which gives every virtual instance running in Azure an IP address. Before deploying the virtual instance, you should configure the NetScaler VPX to use a static IP address, so that it does not lose its license after a reboot or downtime: in Azure, a virtual appliance may be moved to another host and given another MAC address. To do so, navigate to Optional Configuration | Network | IP ADDRESSES. From here, you can enter a static private IP address, which allows the instance to retain that address across reboots. Note also that Azure automatically creates a virtual network with a private IP range of its own, so enter an IP address within that range and click on OK.
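As an added example (not from the book), the same change can be made after deployment with the Az PowerShell module instead of the portal: it switches the VPX's NIC to a static private address and also prints the NIC's MAC address, which is what the license request needs as the Host ID. The resource group, NIC name, and address are placeholders, and an authenticated Connect-AzAccount session is assumed.

```powershell
# Added example, not from the book. Placeholders below; requires the Az module and a
# Connect-AzAccount session with rights on the resource group.
param(
    [string]$ResourceGroup = 'rg-netscaler',
    [string]$NicName       = 'netscaler-vpx-nic',
    [string]$PrivateIp     = '10.0.0.10'
)

$nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name $NicName
if (-not $nic) { throw "NIC '$NicName' not found in '$ResourceGroup'" }

$ipcfg = $nic.IpConfigurations[0]   # the VPX management (NSIP) configuration

# The address must lie inside the subnet the NIC is attached to; Azure rejects it otherwise.
if ($ipcfg.PrivateIpAllocationMethod -ne 'Static' -or $ipcfg.PrivateIpAddress -ne $PrivateIp) {
    $ipcfg.PrivateIpAllocationMethod = 'Static'
    $ipcfg.PrivateIpAddress          = $PrivateIp
    # Pushes the change to Azure and returns the updated NIC object.
    $nic = Set-AzNetworkInterface -NetworkInterface $nic
}

# Report what Azure stored. MacAddress is only populated once the VM has been started,
# and Azure writes it with dashes, so strip separators to get the Host ID form.
[pscustomobject]@{
    Nic        = $nic.Name
    Allocation = $nic.IpConfigurations[0].PrivateIpAllocationMethod
    PrivateIp  = $nic.IpConfigurations[0].PrivateIpAddress
    HostId     = ($nic.MacAddress -replace '[^0-9A-Fa-f]', '').ToUpper()
}
```

Re-run it after the first boot to capture the Host ID; a blank HostId means the VM has not been started yet and no MAC has been assigned.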
