Hands-on Lab Exercise Guide

Transcription

1 616: Accelerate Your NetScaler Skills Hands-on Lab Exercise Guide Joshua Travers & Steven Barnes Americas Technical Readiness Cloud Networking

2 Table of Contents Table of Contents... 1 Overview... 3 Scenario... 5 Exercise Initial NetScaler Setup and Basic Load Balancing... 6 Exercise NetScaler Configuration SNIP, VIP...10 Exercise Define Server Load-Balancing Properties, Virtual Server, and Services...17 Exercise Verify Load-Balancing Service is Active on Web Servers...23 Exercise Content Switching...25 Exercise Bonus Content Switching Policy...30 Exercise URL Transformation using the Rewrite Feature...33 Exercise Bonus URL Transformation Policy...38 Exercise Web Application Firewall...40 Exercise High Availability...60 Exercise Clustering...63 Exercise Global Server Load Balancing...71 Exercise Bonus Configure GSLB for WebGoat...91 Exercise Admin Partitions...92 Exercise Bonus Admin Partitions Exercise Data Stream Exercise

3 AAA for Traffic Management Exercise AAA SAML Assertion NetScaler Command Line Reference (CLI) Load Balancing 142 Content Switching 142 URL transformation 142 Application Firewall 143 Clustering 143 LDAP 144 SSL Certificate 144 2

4 Overview Hands-on Training Module Objective This lab will cover and practice a wide range of core features that Citrix NetScaler offers. This lab is designed to allow the student to pick and choose the exercises of choice. Prerequisites Basic NetScaler or ADC familiarity is desired. Audience Citrix Partners, Customers, Sales Engineers, Consultants, Technical Support. Lab Environment Details Describe the lab environment. The system diagram of the lab is shown below: 3

5 The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All windows applications such as XenCenter, (the XenServer GUI management tool), are accessed from the Student Desktop. Lab Guide Conventions This symbol indicates particular attention must be paid to this step Special note to offer advice or background information reboot VMDemo Start Text the student enters or an item they select is printed like this Filename mentioned in text or lines added to files during editing Bold text indicates reference to a button or object Focuses attention on a particular part of the screen (R:255 G:20 B:147) Shows where to click or select an item on a screen shot (R:255 G:102 B:0) List of Virtual Machines Used VM Name IP Address Description / OS NetScaler-A Citrix NetScaler VPX NetScaler-B Citrix NetScaler VPX Site1-WebServerA Linux WebServer Site1-WebServerB Linux WebServer Site1- AD.Training.lab Windows 2012 Server Site1-SQLServer- OLTP Windows 2012 Server with SQL Server 2012 Site1-SQLServer- DW Windows 2012 Server with SQL Server 2012 Required Lab Credentials The credentials required to connect to the environment and complete the lab exercises. VM Name UserName Password NetScaler-A nsroot nsroot NetScaler-B nsroot nsroot Site1- AD.Training.lab Traininig/Administrator Citrix123 4

6 Scenario This lab is designed to cover a wide spectrum of the vast NetScaler feature set. We will touch on several core features and common use cases found in NetScaler deployments. You will see how NetScaler is managed and optimized, and cover topics including initial tune-up, networking and licensing. In addition, you'll get hands-on with load balancing, content switching, URL transform with Rewrite, SSL offload and more. 5

7 Exercise 1 Initial NetScaler Setup and Basic Load Balancing Overview Before configuration, the NetScaler needs to be properly licensed. Licenses are allocated based on the MAC address of the appliance (known as the host ID), and can be downloaded at the link below. For this lab, we have already downloaded the proper licenses and placed them on in C:\Licenses on the Student Desktop. Through out this lab we will use 2 NetScalers. The NetScalers are identified as: NetScaler A ( ) & NetScaler B ( ) 6

8 by step guidance Step 1. Begin the licensing lab by verifying the host id of the NetScaler-A ( ). You will use this information for allocating the license file. a. You will need to create an SSH connection to the NetScaler-A ( ) by opening Putty and connecting to the NetScaler b. Login using nsroot/nsroot c. Enter the CLI command shell and the command lmutil lmhostid ether. d. Take note of the FLEXnet host ID of this NetScaler we will need to reference this ID to the license file in the steps below. 7

9 2. Login to the NetScaler-A ( ) navigating to in your web browser Username: nsroot Password: nsroot 3. Verify that the network configuration matches the screenshot below and continue. 8

10 4. Upload the licenses file 06e089e0b0f1.lic. If not going through the wizard, license configuration can be found at System > Licenses > Update in the GUI. a. Select the 4 th Item labeled Licensing. Select Upload files from a local computer You will find the licenses in a folder located C:\Licenses This license folder is found in C:\Licenses. There is a total of 4 licenses, you will select the one matched to the HostID of this NetScaler. Often when troubleshooting the process of a license, the host and a date need to be verified. Wrong Host and incongruent time tends to be the issue. Open the license file with notepad and check the date and host ID and note which goes to which. Find the license files that go with the host ID identified earlier and upload them to the NetScaler. 5. Once the license has been uploaded to the NetScaler click, Reboot. (Due to the licensing change the NetScaler requires a reboot in order for the license to take effect. 9

11 6. After the NetScaler has rebooted you are able to verify the licenses by logging in and going to System > Licenses. Since you have uploaded a Platinum License, all features should have a green check as well due to the Platinum license. Exercise Summary In this exercise you successfully licensed a NetScaler with a Platinum license. Exercise 2 NetScaler Configuration SNIP, VIP Overview NetScaler has 3 different types of IP addresses you will be working with. NSIP: NetScaler IP, Management IP for GUI access, SSH, Telnet, SNMP etc. 10

12 o NS IP is set during OVA installation of NetScaler 1000V. It is configured as in this pod. SNIP: Subnet IP o Backend service, and health monitoring VIP: Load balancer server virtual IP o Client use this IP address to access load-balanced service 11

13 by step guidance Step 1. In the main configurations screen, browse to Configuration > System > Network > IPs. 12

14 2. Add a SNIP, Subnet IP address in IPs screen by selecting the add button and entering in the below fields and click Create once completed. You will perform this on NetScaler - A IP Address: Netmask: Type: Subnet IP 13

15 3. Verify the SNIP, Subnet IP Address is enabled and showing green. 14

16 4. Next Step is to configure the Virtual IP. VIP is used for Load Balancing Virtual Server IP addresses, and needs to be configured in the Load Balancing section in subsequent steps. Click on Add again, and fill out the form as indicated below: IP Address: Netmask: IP Type: Virtual IP Alternatively, VIP IP Addresses can be directly configured as part of LB vserver configuration. In this lab we will define it by adding it in the IPs Options. 15

17 5. After this step, we have three IP addresses configured on NetScaler as depicted in the figure below VIP is used for Load Balancing Virtual Server IP address, and needs to be configured in Load Balancing Section in subsequent steps. Exercise Summary In this exercise you have successfully configured the 3 mandatory IP addresses that Citrix NetScaler needs. 16

18 Exercise 3 Define Server Load-Balancing Properties, Virtual Server, and Services Overview When deployed in front of application servers, NetScaler load balancer ensures optimal distribution of traffic by the way in which it directs client requests. Administrators can segment application traffic according to information in the body of an HTTP or TCP request, and on the basis of L4-L7 header information such as URL, application data type, or cookie. Numerous load balancing algorithms and extensive server health checks improve application availability by ensuring that client requests are directed to the appropriate servers. There are three things we will be setting up under the "Load Balancing" section in the navigation pane in the same order: Servers Services Virtual Server Step by step guidance Step 1. Enable the Load Balancing feature in Configuration > System > Settings. Click on Configure basic features under Modes and Features. 2. Select Load Balancing and then click OK. 17

19 3. Browse to Configure modes option and ensure the settings match with the screenshot 4. All the Load Balancing Configuration is done from the Configurations > Traffic Management > Load Balancing screen. 5. Set up two web servers in Servers tab. Click on Add tab to add new web server with user-defined name and IP address as and Click Create. Similarly add second server using its own IP address

20 6. After configuring the Web-Server-1 you will have to click Create. Repeat the step for the second Web-Server-2 19

21 7. Once Servers are setup, add them as a back-end Service. Configure it from Configurations > Traffic Management > Load Balancing > Services tab: Add Service: Configure name to Web-Service1 and select the Web-Server-1 added in the previous step from the Existing Server option. Change protocol to HTTP and Port 80. Make sure you add the http-ecv monitor and click Create. Repeat same steps for Web-Service2 20

22 8. Now you will create LB Virtual Server and bind services to this Virtual Server IP. In Configurations > Traffic Management > Load Balancing > Virtual Servers screen, Select Add and configure name and Virtual IP address (VIP) along with Protocol, Services and LB Method (example Round Robin) in Method and Persistence screen, in the options available is the IP for the LB VIP. 21

23 9. Set the persistence to COOKIEINSERT and Time-out(mins)* field to After configuring, you will need click OK. 11. After all setup is complete, go ahead and Save the running configuration by click on "Save" icon in the upper right hand corner of your NetScaler GUI. Exercise Summary In this exercise you have successfully configured Servers, Services, and Virtual Server all for Server Load Balancing in Citrix NetScaler. 22

24 Exercise 4 Verify Load-Balancing Service is Active on Web Servers Overview In this exercise you will be verifying that the configuration on the NetScaler is successful and identify the load balancing method is performing as configured. Step by step guidance Step 1. From your web browser navigate to ( 2. Client request is handled by and load balanced to one of the 2 web servers. Now, wait 1 min, and refresh or open a new tab and navigate back to This time Web Server B is accessed because of round robin mechanism selected in load balancing method, and COOKIEINSERT is set to 1min timeout. Requests are alternately forward to each web server. Note: Make sure to wait 1 min before accessing webserver again to allow for the COOKIEINSERT persistence to timeout. 23

25 3. From NetScaler GUI go to Dashboard to monitor live sessions and NetScaler application state. Exercise Summary In this exercise you have gotten familiar the Citrix NetScaler, configured basic load balancing services, and configured monitoring services in NetScaler. 24

26 Exercise 5 Content Switching Overview In this section, we will create a Content Switching Virtual Server that takes requests and directs them to the appropriate web server. The policy that will be created looks for /urlx within the URL and directs the request to the Web server A. Requests without /urlx are redirected to Web server B. Step by step guidance Step 1. Start by enabling the Content Switching Feature for NetScaler - A by going to Traffic Management, Content Switching and right clicking to Enable Feature. 25

27 2. Create a Content Switching Virtual server by going to Content Switching > Virtual Servers and clicking Add. Configure the "WebSwitch" Content Switching Virtual Server with the Name/Protocol/IP/Port as below. Finally, click OK and Done. 26

28 3. Create two Load Balancing Virtual Servers under Load Balancing > Virtual Servers and clicking Add. Configure WebVip1 and WebVip2 as HTTP with the Web-service1 and Web-service2 assigned respectively. Be sure to select Non Addressable in the IP Address Type. These virtual servers will be utilized in the content switching virtual server as a method to direct traffic to each individual server. We select non addressable so that we are able to assign a server to the content switch while not consuming an IP address on the network behind the NetScaler. 27

29 4. Here is a summary of your Load Balancing Virtual servers thus far. Please note it may initial show red indicating down. Refresh the screen to show the up state. 5. Create a Content Switching Policy by going to Content Switching > Policies and clicking Add. Configure the name and URL as urlswitch and /url* and create the policy by clicking Create and then close. 6. Insert a new content switching policy in Content Switching Virtual Server that you created in step 1 of this lab. To do this navigate to Traffic Management > Content Switching, Virtual Servers. Click on WebSwitch and click Edit. Expand the CS Policy Binding section and select urlswitch policy. Select the Webvip1 as the Load Balancing Virtual Server 28

30 7. Expand Default Load Balancing Virtual Server and select the webvip2 virtual server. You now have 1 CS policy bound to webvip1 and webvip2 is set to the default load balancing virtual server. 8. Test the Content Switching by going to and You are able to verify that content switching policy urlswitch directs the requests into this to the WebVip1. Not specifying the /urlx directs you to WebVip2, which would be the (Default) policy. Exercise Summary In this exercise you have configured Content switching based on URL and tested that it works. 29

31 Exercise 6 Bonus Content Switching Policy Overview In this section, we will unbind the urlswitch policy and create a new policy that detects languages via the HTTP header set by the browser. We will redirect requests accordingly. Step by step guidance Step 1. Begin by unbinding the original urlswitch policy from the Content Switching >Virtual Servers by opening the WebSwitch, virtual server and expanding the Content Switching Policy and clicking Unbind. Click Close finish. 2. In order to add the new policy, click on No Content Policy in the Content Switching Virtual Server page. Then click the + icon beside Select Policy. We will need to switch back to default syntax. To do this we will click on OK to close the dialog box, reopen the WebSwitch vserver and expanding the CS Policy Binding. Select Add Binding then selecting the + icon beside Policy. Once changed back to default syntax you can verify by identifying it shows Switch to Classic Syntax. 30

32 3. Navigate back top and provide the policy with the name Language and select Expression 4. Configure the new policy, language, to detect the English language within the HTTP request header: HTTP.REQ.HEADER("Accept-Language").CONTAINS("en"). 5. Set the target of this policy to WebVip1, accept any messages about GoTo Expressions if you encounter them here, and configure the Priority to 10. Verify the configuration and continue by clicking OK. Save your configuration by clicking the save disk at the top right of the web GUI. 31

33 6. Test this content switching policy by heading to in Internet Explorer and set your language to anything but English in the browser. You can find this under Tools, Internet Options, and Languages. Once you switch from English you will be sent to WebVip2 instead of WebVip1 and the name of the server will be changed from 'Web Server A ' to 'Web Server B'. Exercise Summary In this exercise you have gotten familiar with Citrix NetScaler content switching functionality. Configured basic Content Switching virtual server and policies. And Configured advanced content switching virtual server to detect the language field of a http header. 32

34 Exercise 7 URL Transformation using the Rewrite Feature Overview In this section, we will create a URL Transformation Profile that takes requests and directs them to the appropriate web server. The profile that will be created looks for /url1 within the URL and directs the request to '/url2' all while being transparent to the user. Step by step guidance Step 1. Start by enabling the Rewrite Feature by going to AppExpert, Rewrite and right clicking to Enable Feature. 2. Create a new URL Transformation Profile named Ferrysburg by going to AppExpert, Rewrite, URL Transformation, Profiles and clicking Add. Fill in the Name field with Ferrysburg and click Create. 33

35 3. Open the Ferrysburg profile by selecting it and clicking Edit, or double clicking. Add a new URL Transformation by clicking Insert at the bottom of the dialog window. 4. Configure the new URL Transformation actferrysburg. URL Transformation is used to take requests from url1 and respond via url2. The configuration for actferrysburg is below. 34

36 5. Click Insert if you have not already, verify that the action is enabled by the green checkbox under enabled and click OK to close the dialog. 6. Create a new URL Transformation Policy by heading to AppExpert, Rewrite, URL Transformation, Policies and clicking add. This new policy will be used to check if the URL contains "url1" and fire the URL Transformation that was added in step 2. Add Ferrysburg for the name, attach the Ferrysburg Profile under the Profile drop down, and add the expression: HTTP.REQ.URL.PATH.GET(1).CONTAINS( url1 ). Finally click Create and Close. 35

37 7. Bind the new policy under the Default Global bind point. You will need to open the Policy Manager and select Default Global, finally insert the newly created policy. Open and bind the policy by clicking Policy Manager. Select Default Global and click Continue. Select the Ferrysburg policy at Priority 100. Finally click Bind followed by Done. Verify the policy is active and bound by checking for the green checkmark under Active. 36

38 8. Verify the Ferrysburg URL Transformation Policy is active by directing your web browser to You will see a response from URL2 from either Web-Server A or B, if the policy is active and working correctly. You may have to close re-open the browser. 37

39 Exercise 8 Bonus URL Transformation Policy Overview You will create a URL Transformation policy yourself. This policy will be used to transform the Request URL named SpringLake and Respond with /url3. This configuration is used to cloak or change the external view from the internal webserver. The configurations for the bonus lab is below. Step by step guidance Step 1. 38

40 2. You are able to verify the configuration by visiting If you see URL3 the policy has been configured correctly! Be sure to save your configuration by clicking the save disk at the top right of the web GUI Exercise Summary In this exercise you have gotten familiar with Citrix NetScaler rewrite functionality. Configuring URL Transformation policies to transparently rewrite a request. And configuring URL policies to transparently rewrite a request hiding the internal architecture of the web servers. 39

41 Exercise 9 Web Application Firewall Overview In this lab, we will begin working with the Application Firewall feature of NetScaler. We will test the security functionality of the AppFirewall through a web service called WebGoat that is served via both webservers in the environment. Step by step guidance Step 1. Start by enabling the highly available WebGoat servers by creating a new Load Balancing Virtual Server. First, create two new WebGoat services for both servers. Do this by going to Traffic Management, Load Balancing, Services, and adding the webgoatservice and webgoat-service1. The Protocol will be HTTP and the Server fields and Ports will be web-server1 port 8080 and web-server2 port 8080 respectively. Add a tcp monitor to the service and click Done. 40

42 2. Create a new WebGoat-VIP Load Balancing Virtual Server by going to Traffic Management, Load Balancing, Virtual Servers, and clicking Add. Configure in the Name, IP Address, Port, and Services according to the image below. 3. Go to the Method and Persistence tab and choose Round Robin as the LB Method. Under the Persistence section choose COOKIEINSERT, Time-out 0. Finally click ok. 41

43 4. Test the new WebGoat-VIP by going to the username is guest and the password is guest. 5. NetScaler Application Firewall is able to utilize security signatures from various security vendors such as Snort. These signatures are attached within policies that are created within this section. To begin we will head to Security, Application Firewall, and Signatures. To download the latest signatures from Snort click on *Default Signatures, select, and finally Update Version. Agree to the update by selecting Yes. The latest security signatures will be downloaded. Note: If Application Firewall is yet enabled, however you can still update the signatures. We will enable it in subsequent steps. 1. Next we will need to define our own version of the *Default Signatures. To do this select *Default Signatures and click Add. 42

44 6. The Add Signatures Object dialog opens and we will create a name, AppFWSignatures, and verify the signatures that are being imported. Here we could select to block or not block various signatures. For the purposes of this lab, we will leave the defaults selected. After glancing over the signatures, select OK. 7. Define an application firewall profile. Begin by enabling the Application Firewall feature. Do this by right clicking on Security, Application Firewall and clicking Enable Feature. 43

45 8. Add an AppFW profile by going to Security, Application Firewall, Profiles and clicking Add. Fill in the Profile name AppFWProfile, select Web 2.0 Application, and choose Basic Defaults. Click on Create and close the dialog. 44

46 9. Configure the newly created AppFWProfile by double clicking on it. Head to the Security Checks tab. Under the Start URL unselect Block and select Log and Stat. Credit Card row select Log and Stat, under the HTML SQL Injection row select Block Log and Stat. 10. Open the Credit Card profile by double clicking on it and change the status of each card to Protected. After protecting each card, move to the General tab and select X-Out. Click OK twice to back out of all dialog boxes. 45

47 11. Next, we will attach the AppFWSignatures to this profile. To do this we will move to the Settings tab and scroll to the Common Settings field. Here we will select AppFWSignatures under the Signatures drop down. Finally click OK and close the dialog. 12. Now you will need to create an AppFirewall policy by going to Security, Application Firewall, Policies, Firewall and clicking Add. Configure the Policy Name, Profile, and Expression as below. This step creates a policy for AppFirewall called AppFWPolicy that links the recently created profile and adds an expression to fire the policy or not. The expression used is HTTP.REQ.IS_VALID which will trigger the AppFWProfile if the incoming connection is a HTTP Request and it is valid. Click Create and Close was complete. 46

48 13. Now we have an Application Firewall policy but it is not bound; meaning it is not enabled. You will need to enable the policy through the policy manager. Go to the policy manager by clicking and Policy Manager. 47

49 14. Insert the AppFWPolicy into the Default Global policy. Do this by clicking the Default Global bind point, selecting to Bind the Policy, by choosing the AppFWPolicy. Finally click Bind and then close once complete. Note: Binding the policy to the Default Global bind point will enable the policy on all Virtual Servers that are available within the NetScaler. You are also able to bind policies to other specific bind points such as Content Switching Virtual Servers, or even Load Balancing Virtual Servers like in the image below. 1. Verify that the policy is enabled via the green check under Active. 48

50 15. Test the new Application Firewall policy via the WebGoat url that was configured earlier. You can enable and disable the Application Firewall feature to test WebGoat security vulnerabilities with Application Firewall enabled or disabled. You can do this by right clicking on Application Firewall under Security, Application Firewall and selecting Disable Feature or Enable Feature, like in step 4 above: This makes for a quick way to see before and after protecting. 49

51 16. Be sure to reset WebGoat each time with the "restart this lesson" link. To test with WebGoat, remember a couple keys. Practice before a demo. Restart the lesson after each exploit to reset WebGoat, or it may not work on subsequent tries. The NetScaler needs to see the cookies and entire activity, so when you enable the WebApplicationFirewall feature, open a fresh browser. A stale browser may not get the same effect, and in real life people are not turning the WAF feature on and off like this. IMPORTANT: Never try the attacks you learn here in the real world. Many a newbie has experienced disgrace by playing around and starting some undesirable consequences. Keep the hacks to just WebGoat, or within a Contract and detailed Statement of Work. Ethical Hacking, etc etc No surprises. Go back and turn the NetScaler WebApplicationFirewall off. You need to establish a baseline, and if the WAF is on, it will block by redirecting you to the root of TomCat. We have it configured to do this when an exploit happens, so be careful not to follow a red herring. Go ahead on and turn the WAF Feature off until you have a hack working, then turn it on, and open a fresh browser, and start with WAF on to try it again 50

52 17. If you leave the WAF on, success will redirect you to the TomCat Root like this: It says "It Works" but it is not what you are looking for. NetScaler redirected you to the root because the Redirect Rule in the WAF Profile is configured to do just that. When WebGoat works, you stay within WebGoat and it congratulates you. Also, WebGoat is a tutorial. On the first screen it tells you the answers are hidden at the top right under the solution link. Why not use that and cut/paste where helpful? 51

53 18. Begin: To start the WebGoat Application, scroll down and click on start WebGoat: You can see already your Application Firewall policy is taking hits: 52

54 19. For SQL injection go to Injection Flaws, String SQL Injection: We are modifying the select string, shown under the text field for convenience, and after the match criteria you sneak in "or is true" to match everything, and get all of the data back. The Solution for this lesson shows the example Erwin' OR '1'='1 (the outer ticks are implied for you). Note the * Congratulations., and all the 'credit card examples'. They may well not be real credit card numbers, and the NetScaler will use an algorithm to take action on for information leakage prevention and DLP. It does not x-out the fake numbers. We will turn the NetScaler on and see it protect next. 53

55 20. Turn the WAF back on: Try Again (close and open your browser, login guest / guest, Start WebGoat... set up accordingly), *** Well, It works is true, but you were redirected per configuration for trying to hack. 54

56 21. Let s check the logs: On the NetScaler GUI, you can open a viewer under System, on Auditing, by selecting Syslog Messages. One could use CLI and view the /var/log directory with a grep, but the tool is right there with a pull down menu. Set the module to APPFW and have a look. 55

57 22. Let s stop blocking and keep playing with it. (You should be thinking to click on WebGoat's Restart Lesson Link). Under WebApplicationFirewall in the NetScaler GUI, select the Profile and the Security Checks Tab. Uncheck block. Let s try "Transform" to neutralize the SQL tick. Double click on HTML SQL Injection, the line in the above screen shot where we unchecked can be double clicked on. Check the Transform Special Characters.Go back to WebGoat, Restart the Lesson, and try again. 56

58 23. Let s check the logs. Security Application Firewall Policies Firewall Auditing Syslog messages. Gotcha! On a Sniffer Trace, you would see the Erwin part has double quotes now and not single quotes. Above, the WebGoat screen shot even calls it out. Erwin OR 1 = 1. The double tic ( ) and single tic ( ) are different to SQL. 57

59 Ok, Let s stop transforming and let you back into the site. By now you are used to going into the App Firewall Profile that our Globally Bound Policy is set to. On the Security Checks Tab, you can double click HTML SQL Injection. On the General Tab, you can deselect transform. Click 'OK' on both windows, and lets go back and Run WebGoat again. (I know you are thinking Restart the Lesson). This time, I got in: 58

60 59

61 Exercise 10 High Availability Overview In this lab, we will create a highly available pair of NetScalers by utilizing NetScaler-B and the already configured NetScaler-A Step by step guidance Step 1. We will need to activate its license. You will follow the same procedure as in the Licensing Lab, but you will use as the NetScaler IP Address and the appropriate licenses for the NetScaler B ( 06e089e0b0f2.lic ) Refer to the Licensing Lab for detailed licensing instructions. Below you will see the appropriate configurations for the NetScaler B. 2. We will also have to set the NetScaler Subnet IP, (SNIP). We will use

62 3. Enable High Availability by heading to System, High Availability on the NetScaler A ( ). Click on Add button, specify the Remote Node IP Address ( ) as below and click OK. 4. In a few moments as you refresh the high availability node (by clicking refresh symbol button in the top right corner of the screen) you will see the synchronization state move from in progress to success. Note: Node configuration options. Opening nodes listed in this section of the high availability configuration allows you to select advanced HA options. One to point out would be HA Failsafe mode. 61

63 5. To enable management access control via a subnet IP you will head to System, Network, and IPs. Here you will select the subnet IP Click Open and select Enable Management Access control within the Application Access Controls section of the dialog window. Click OK. Be sure to save your configuration by clicking the save disk at the top right of the web GUI. To test high availability try turning off the primary node and watching as the secondary node takes over. Additionally, you can select force failover from within the GUI. Exercise Summary In this exercise you have gotten familiar with the Citrix NetScaler High Availability functionality and configuring a pair of highly available NetScalers, utilizing NetScaler-A, and NetScaler-B. 62

64 Exercise 11 Clustering Overview In this lab, we will create a clustered active/active pair of NetScalers by utilizing NetScaler-A and NetScaler-B. Step by step guidance Step 1. Before we start to configure clustering, we will need to disable high availability. To do this head to NetScaler-A System, High Availability. Select the secondary node and click delete. Accept the prompt to remove the selected node and remove the HA node from the remote system. 2. First, save the configuration on the NetScaler-A. To do this, go to System and click on the save icon. You also must save the configuration on NetScaler-B. To do this, go to System and click on the save icon. 63

65 3. Navigate to NetScaler-A. We will fist create a cluster node by heading to System, Cluster, Nodes and clicking Add. A prompt requesting that a cluster instance must be present will popup. Add this instance by clicking yes. Next, we will configure the cluster IP address for the cluster. Configure the cluster as below using ( ) be sure to select backplane interface 1/1. Continue by clicking create. Note: The below screenshot represent the Instance ID, not Node ID. 64

66 4. A prompt will ask you to reboot before the changes take effect you will select No so that we are able to make one configuration change before the reboot. Double click on the cluster node and change the State to PASSIVE, verify the configuration and continue. Head to System and click Reboot. Be sure to select Save configuration and click OK. 65

67 5. Join the NetScaler to the Cluster After the NetScaler-A reboots, login to the newly created Cluster Management IP at Here we will select continue on the configuration page, as we will set this up later. 6. We will add NetScaler-B to the cluster by heading to System, Cluster, Nodes, and clicking Add. Configure this node with the NetScaler-B information below. Both the cluster node and configuration coordinator credentials are the standard NetScaler credentials you have been using for this lab. Once you click Create you will be asked to reboot this node, accept the prompt and wait for the NetScaler-B to join the cluster. 66

68 7. Verify that both nodes are in the PASSIVE admin state and INACTIVE operational state. Also, verify the backplane configuration. Note: You will have to wait a few moments while NS-B reboots. During this time, click the refresh button next to save to refresh the view. 8. Define NetScaler Subnet IP Addresses Here we will need to recreate a Subnet IP address for the NetScaler appliance cluster. We will head to System, Network, IPs, and click Add. Fill out IP, Netmask, and Owner for the SNIPs. Be sure Subnet IP is selected as the IP Type for each IP Address and Owner Node is ALL_NODES. 67

69 9. Configuring the Cluster State to Active Configure the state of each cluster node to ACTIVE by heading to System, Cluster, and selecting each node. Configure the state of each to ACTIVE. 10. Verify that both the admin and operational state of each node in the cluster is ACTIVE. Note: you may have to refresh your view to see the new state. 11. Define a Linkset Create a Linkset by heading to System, Network, and Linkset. Click Add and configure the Linkset name LS/1 and add interfaces 1/1/1 and 0/1/1 to the configured column of the dialog. Click Create. 68

70 12. Define NetScaler cluster configuration Head to System, Settings and select Configure Modes. Configure the modes as below. 13. Define NetScaler cluster load balanced virtual server In this step, we will configure a simple load balanced server to test the cluster configuration. Below is the final configuration of the load balanced server. You will configure this server the exact same way you configured the load balance virtual server in the beginning of this lab. You will to recreate the Web-Services. You can do this by clicking the + icon, when binding services to the VIP. Note: You can use the CLI reference at the bottom of this document to create the load balanced virtual server. 69

71 Exercise Summary In this exercise you have gotten familiar with the Citrix NetScaler Clustering functionality. Configuring a pair of clustered NetScalers utilizing NetScaler-A, and NetScaler-B. Configured a linkset of interfaces. And created a load balanced virtual server to test the clustered NetScaler instances. 70

72 Exercise 12 Global Server Load Balancing Overview In this lab, we will create a simple Global Server Load Balance environment by utilizing both NetScalers within this lab. Step by step guidance Step 1. Before we start to configure GSLB, we will need to disable clustering. To do this head to System, Cluster, Nodes on Cluster IP ( ). Select the node that is not the local node, in this case , and click Remove. Fill out the credentials and click OK to remove the node. Repeat this step on the local node after the secondary node has been removed. Accept any warnings that appear in this step and be sure to close the Create Cluster Node dialog box if it appears. 71

73 2. Login to NetScaler-A and configure the Subnet IP Address and Netmask Verify the configuration of the NSIP and continue. Verify that the correct licenses are applied to this appliance and continue. Finally, select done. Repeat the process on the NetSclaer-B, the configuration is below. 72

74 3. Next, we will configure the modes of both appliances. Configure the modes by heading to System, Settings. Select Configure Modes and be sure that the modes are configured as below. Next, we will need to enable GSLB on both NetScalers. To do so we will need to enable Load Balancing by heading to System, Settings, and clicking Configure Basic Features. From here, we will select Load Balancing. You should do it for both NetScaler-A and NetScaler-B Next, we will need to enable Global Server Load Balancing by clicking on Configure Advanced Features. Here we will be sure to select Global Server Load Balancing. Leave the other options as they are configured now. 73

75 4. Enable management to be accessed on the subnet IP addresses. Head to System, Network, IPs, and click on the Subnet IP that is listed. Click on Open and select Enable Management Access 74

76 5. Define GSLB Sites While logged into the NetScaler-A, Configure a GSLB Site for both NetScalers, NS-A and NS-B. Be sure to select the Type as either Remote or Local depending on which NetScaler you are currently configuring. To do so head to Traffic Management, GSLB, Sites. The remaining configuration can be found in the two images below (the pictures are provided for NetScaler-A). Repeat Step 1 on the second NetScaler. After both NetScalers have had their sites configured, you are able to see the Remote Site Metric MEP Status as Active. Verify the configurations on each NetScaler. It might require to click Refresh button to see this result. 75

77 6. Define Load Balancing Service for NetScaler-A While logged in to NetScaler-B, define a Load Balance Server to utilize within the GSLB configurations that will occur in the next step. To do so head to Traffic Management, Load Balancing, Servers and click Add. Configure the WebServer Name and IP Address. 76

78 7. Define GSLB Configuration on NetScaler-B While logged in to NetScaler-B begin to configure GSLB by heading to Traffic Management, GSLB. Select the GSLB, Virtual Servers Add the Virtual Server and define the Domain Name as Verify the additional settings. 77

79 8. Verify the default GSLB parameters and continue. Add the Domain binding from the menu on the right. Use as the Domain Name 78

80 9. Under the GSLB Services click on the Add button to begin to configure a service under local site. Create a new Virtual Server for this Service by clicking the Virtual Server icon next to the drop-down list. Under the Create Virtual Server dialog, define the WebVIP Name, IP Address as and port as 80. Select Add under Services to create a new service for this Virtual Server. 79

81 10. Define the new service s name as WebService, be sure that WebServer is the Server selected and the port and protocol are 80 and HTTP, finally ensure TCP default monitor is bound. 80

82 11. Configure the Load Balancing Method as Round Robin, and Persistence as COOKIEINSERT with Time-out set to 1 min under the Method and Persistence tabs. Finally click done. Verify the service configuration for NS-B and click Done. Verify the configuration under NS-B 81

83 12. Create the Remote Service for NS-A. Configure the Service IP as and the Port as 80. Bind the GSLB services to the GSLB Virtual Server 82

84 13. Define Load Balancing Server for NetScaler-A While logged in to NS-A, define a Load Balance Server to utilize within the GSLB configurations that will occur in the next step. To do so head to Traffic Management, Load Balancing, Servers and click Add. Configure the WebServer Name and IP Address. Click Create and then Close. 83

85 14. Define GSLB Configuration on NetScaler-A While logged in to NetScaler-A begin to configure GSLB by heading to Traffic Management, GSLB. Select Virtual Servers. Add, and define the Domain Name as Verify the additional configuration below. Add the Domain binding from the right side menu Use for the Domain Name 84

86 15. Accept the default GSLB Parameters and begin to configure the GSLB sites. Click on the Services and Configure the Service IP as and Port as 80. Click Create. 16. Add a new service for NS-A. Configure the Service IP and Port as and 80 and click on the new virtual server icon. 85

87 17. Configure the WebVIP s name, IP Address, and port as below. Click on the Add button under Services to create a new Service. Configure the WebService1 s name; verify the Server configuration; and configure the Protocol and Port, finally ensure the default TCP monitor is bound and click done. 86

88 18. Configure the Load Balancing Method as Round Robin, and Persistence to COOKIEINSERT with Time-out set to 1min under the Method and Persistence tab. Finally click done. Verify the Service configuration and click done. Bind the GSLB Services to the GSLB Virtual Server 87

89 19. Define ADNS Service Login to NetScaler B ( ) and create an ADNS service so that we can test our GSLB configurations on the client machine. To do this head to Traffic Management, Load Balancing, Services and click Add. Configure the Service Name as DNS, the Server as , the Protocol as ADNS, and the Port as Configure the Client s DNS Configure the newly created DNS Server on the client machine. To do this head to the Windows control panel, network and sharing center, click change adapter settings, right click on local area connection, head to properties, click on internet protocol version 4, and finally click properties. Configure the preferred DNS server as

90 21. Verify the GSLB Configuration using the GSLB Vizualizer Head to the main GSLB page by going to Traffic Management, GSLB. Open the GSLB Visualizer by clicking GSLB Visualizer under Getting Started. View the GSLB configuration. 89

91 22. Verify GSLB Connectivity using Ping and a Web Browser Open the Windows Command prompt and run ping You should see pings from either server 125 or 126. Wait a few moments and try again. You should see the GSLB Round Robin LB method change your DNS resolution to the other server. Test your GSLB configuration via Internet Explorer. Open an internet explorer window and head to Exercise Summary In this exercise you have gotten familiar with the Citrix NetScaler GSLB functionality. Configuring a pair of NetScalers utilizing NetScaler-A and NetScaler-B via Global Server Load Balancing. 90

92 Exercise 13 Bonus Configure GSLB for WebGoat Overview In this exercise you will Configure GSLB for WebGoat using the GSLB Domain Step by step guidance Step 1. Configure GSLB for WebGoat using the GSLB Domain. Remember that WebGoat is running on port The GSLB Visualizer should look like this when you are finished. 91

93 Exercise 14 Admin Partitions Overview The NetScaler ADC provides an infrastructure called admin partitions that can be used to logically partition a NetScaler ADC. Each admin partition: Has its own NetScaler configurations. Has its own administrators and users. Only users associated with a partition or system superuser can access and update the configurations. Uses a subset of NetScaler system resources such as bandwidth, connection pools, and memory. Handles traffic that is specific for that partition Step by step guidance Step 1. Create users for Admin Partitions Navigate to the Configuration, System, User Administration, and select Users. Click on Add 92

94 2. Add 2 users with user names Admin-A, and Admin-B. Set both passwords to password1. You can also add the CLI Prompt as shown below. Click Save to save the user creation, and Done to finish. 93

95 3. Create the Admin Partitions Navigate to Configuration, System, Partition Administration, Partitions, and click Add Add the Partition with the configuration settings below, and click Continue Click continue on the Network Isolation, to accept No VLAN, or Bridgegroup 94

96 4. Bind user Admin-A to the Company-A partition, by expanding Users, and click on Insert. Click Save and Done to complete 95

97 5. Create a second Partition, Company-B by repeating the same steps as Company-A. Reminder to bind the Admin-B user to the Company-B partition. After you have created 2 partitions. Now we will configure these partitions independently with their own settings. To do this lets first switch to the Company-A Partition. Navigate to the partition menu on the top of the screen. And select Company-A Click yes to confirm the submission 96

98 6. Navigate to Configuration, System, Settings, and select Configure Modes Select only User Source IP, and MAC Based Forwarding, click OK 97

99 7. Now select Configure Basic Features Select SSL Offload, and Load Balancing, click OK Navigate to Configuration, Traffic Management, and expand. Note that Load Balancing, and SSL Offload are enabled and Content Switching is not. 98

100 8. Navigate back up to the Partitions menu and switch to Partition Company-B, click Yes again to confirm the submission. Navigate to Configuration, System, Settings, and select Configure Modes. Note the different modes configured by default from the ones we selected in Company-A partition. Let s leave theses default. 99

101 9. Now Select Configure Basic Features This time considering we are in the Company-B partition we will select SSL Offload, and Content Switching. Click OK Exercise Summary In this exercise you have created 2 users for the purpose of owing partitions. Created 2 independent partitions and bound independent users to these partitions. And configured the partitions independently from each other with different settings. 100

102 Exercise 15 Bonus Admin Partitions Overview In this exercise Create a third user, and partition. Configure this partition with the following settings: 5120 kbps Minimum Bandwidth Use Source IP only SSL offload, Load Balancing, and Content switching Exercise 16 Data Stream Overview The demo environment consists of 2 SQL Server instances replicating an OLTP (Online Transactional Processing) and DW (Data Warehouse) database setup. Many organizations use this type of setup to capture and process data efficiently where the OLTP database is used primarily for transactional SQL transactions. (Creates, updates, inserts) and the DW database is used to store the data in a proper schema in order for the SQL transactions to be access quickly. It is extremely important for organizations to be able understand their data. Considering their data is one of the most valuable assets to understand their customers. With many features released by Microsoft to help DBA s (Database Administrators) with this scenario, these features are typically structured in a tiered licensing model, which can be expensive and complex to deploy. Citrix NetScaler DataStream feature is included in all editions of NetScaler. DataStream can improve database performance by intelligently understanding the SQL transactions and switching the content dynamically to the appropriate database. At the same by default it manipulates the TDS protocol to enable SQL server side multiplexing, reducing SQL server overhead and increasing speed of transaction time. 101

103 by step guidance Step 1. Log onto the NetScaler-A ( ) Navigate to System-> User Administration -> Database Users Add the user you created the on the SQL server instances to create the databases. Username: dsu Password: Password1 2. Add 2 Servers Navigate to Traffic Management Load Balancing Servers Add your MS SQL Server (Server Name & IP Address) Server Name: MSSQL_OLTP IP Address: Server Name: MSSQL_DW IP Address:

104 3. Add a Monitor Navigate to Traffic Management Load Balancing Monitors Add a Monitor (Name = MSSQL_mon1, Type = MSSQL-ECV, ) Switch tabs Special Parameters Input a User Name (name must match SQL Server db username) Input Database ( ns ) Input Query (select * from test) Expression (MSSQL.RES.ATLEAST_ROWS_COUNT(0)) Select the appropriate SQL Server Protocol Version from the drop down Click Create You have now created a monitor that will check with the SQL Server instances on the ns database and query it expecting 0 rows returned. 103

105 4. Add the SQL Server Services Navigate to Traffic Management Load Balancing Services Add your 2 MS SQL Server Services (Server Name, IP Address, Protocol, and port) Name: MSSQL_Srvc1 IP Address: Port: 1433 Protocol: MSSQL Name: MSSQL_Srvc2 IP Address: Port: 1433 Protocol: MSSQL 5. Bind the monitor created in the previous step both services just created 104

106 6. Add a load balancing virtual servers & bind to a service Navigate to Traffic Management Load Balancing Virtual Servers Add Name (MSSQL_LB_OLTP) Protocol (MSSQL ) IP address (select Non Addressable ) Bind the LB Virtual Server to Service representing the first SQL Server instance Repeat the process and bind the second LB Virtual Server to the Service representing the second SQL Server Instance We selected Non Addressable to demonstrate the conservation of IPv4 addresses. The Load Balancing Virtual Servers will represent an IP of This is done because users will access the VIP of the CS server and all communication is done internally to the Load Balancing servers. We are also leaving the default Load Balancing Method as Least Connection 105

107 7. Add a content switch to NetScaler Navigate to Traffic Management Content Switching s Click Add Input a Name (our example we are using writes ) Select a Target LB server from the drop down (our example we selected MSSQL_LB_OLTP) Click Create Add another Input a Name (our example we are using reads ) Select a Target LB Virtual Server form the drop down ( our example we selected MSSQL_LB_DW) Click create You now should have 2 actions (writes & reads bound to the 2 lb vservers) 106

108 8. Add a content switching policy to NetScaler Navigate to Traffic Management Content Switching Content Switching Policies Click Add Input a Name (our example we choose ( MSSQL_CS_Reads ) Select an form the drop down (select reads action) Under Expression input : MSSQL.REQ.QUERY.COMMAND.CONTAINS( select ) Click create Add another Policy Input a Name (our eample we choose ( MSSQL_CS_Writes ) Select an from the drop down ( select writes action) Under Expression input: MSSQL.REQ.QUERY.COMMAND.CONTAINS( create ) MSSQL.REQ.QUERY.COMMAND.CONTAINS( insert ) Click create The purpose of creating these policies is to enable NetScaler to identify what is a write transaction and what is a read transaction in the content of the SQL query. 107

109 9. Create a Content Switching Virtual Server Navigate to Traffic Management Content Switching Virtual Servers Click Add Input a Name (Our example we chose MSSQL_CVS1) Select MSSQL from the Protocol drop down Select IP Address from the IP Address Type drop down Input a IP Address (This is the IP Address that users will connect to via DB Client such as SQL Management Studio) Input a port (SQL Server default port is 1433) Click Continue Bind the 2 policies created in previous step to the Content Switching Virtual Server. You will have to assign each binding a priority. 100, 110 will work. You now have configured a Content Switching Virtual Server that has the 2 Load Balancing Virtual Servers bound via the s we also created. 108

110 10. How to Demonstrate Content Switching using SQL Queries via Microsoft Management Studio: Add all 3 instances to SSMS (SQL Server Management Studio) using the database user created and added to NetScaler First, Second Instance, and the Content Switching Virtual Server. ignore any warning such as 1. Launch a new query 2. Right Click on the Content Switching Virtual Server, and select New Query 3. To test the reads Policy use the following query: select * from GIM_DW.dbo.CLIENT WHERE CLIENT_HOUSEHOLD_INCOME>='30000' This query is desgined to select those entries in the database that average house hold income is greater than $30,

111 11. Launch a new query Right Click on the Content Switching Virtual Server, and select New Query To test the writes policy use the following query: CREATE DATABASE NEW_TEST_DB This query is designed to create a database on the appropriate server. The database name is NEW_TEST_DB To demonstrate its working as expected, navigate to the GIM_OLTP database and expand the database catalog. You will note that the new database now exist in this instance because that is where the writes policy is bound too. Exercise Summary In this exercise you have familiarized yourself with Data Stream for MS SQL Server. Created and configured database load balancing and content switching. And worked with MS SQL Server database tools. 110

112 Exercise 17 AAA for Traffic Management Overview The AAA feature supports authentication, authorization, and auditing for all application traffic. To use AAA, you must configure authentication virtual servers to handle the authentication process and traffic management virtual servers to handle the traffic to web applications that require authentication. Step by step guidance Step 1. Creating a test user in Active Directory to be used as our user for the AAA -TM exercise. From your desktop launch a remote desktop connection to , the Remote Desktop client can be found in Programs Accessories Remote Desktop Connection Login with: Username: Training\administrator Password: Citrix

113 2. Navigate to Administrator Tools, and select AD Users and Computers Highlight on Users as shown above Right click and select New User 112

114 3. Fill out fields for new user. (In our example we are using the username of aaauser. Click next. Provide a password (In our example we are using the password of Password1 to comply to domain restrictions) Select Password never expires and click Next and then Finish. 113

115 4. Adding DNS entries for the FQDN s used in this exercise While still logged in via remote desktop to the Active Directory machine navigate to Administrator Tools, and select DNS (double click) 114

116 5. Select Forward Lookup Zones from the left hand menu pane, then double click the Training.lab zone Right click on the white space and select New Host (A or AAAA) 115

117 6. Add a host entry for the load balancing VIP. Hostname: WebServer IP Address: Add a second host entry for the AAA VIP (click ok and done once complete) Hostname: aaavs IP Address:

118 8. We are also going to add 2 additional DNS entries for the SAML exercise later on in this lab. Note: You will not be able access the below IP s or hosts until the SAML exercise o Hostname: aaasp o IP Address: o Hostname: aaaidp o IP Address: NOTE: To verify the DNS entries are correct, using command prompt (run as administrator) on your machine, perform a ping test on both FQDNs that were just created in DNS. If the ping test is unsuccessful type the following commands to flush the DNS cache on the machine. Once the cache is flushed, retry the ping test. ipconfig /flushdns ipconfig /registerdns 117

119 9. Creating a LDAP policy on NetScaler using Active Directory While logged on to NetScaler A, navigate to Security AAA-Application Traffic Policies Authentication Basic Policies LDAP Select the Servers tab, and click Add Fill out the fields using the following values. Name: AD IP Address: (be sure to select Server IP) Server Type: AD Port: Under Connection Settings use the following values Base DN: DC=training,DC=lab Administrator DN: [email protected] Bind DN Password:(box is checked) Administrator Password: Citrix123 Click the Retrieve Attributes button to test the connection is successful. 118

120 11. Scroll down to Other Settings. Under Server Logon Name Attribute select the following value. Server Logon Name Attribute: samaccountname Click create to finish. You know have successfully created a Directory Server for authentication. The next step is to create a policy. 12. Now Select the Policies tab, and click Add 119

121 13. Create the LDAP policy using the following values from the screenshot below. (ns_true) Click create to finish. 14. Create a SSL test certificate Navigate to Traffic Management SSL. High light SSL, and select Create and Install a Server Test Certificate from the righ hand side menu options. 120

122 15. Provide the following values for the certificate. Screenshot below, and click OK once finished You have now created and installed a Server Test Certificate. We will bind this Certificate to our AAA vserver that we create in subsequent sections. 121

123 16. Creating a AAA virtual Server Navigate to Security AAA-Application Traffic Virtual Servers, and click Add Provide the Basic Settings using the following values and click Ok when finished. Name: AAA-vs IP Address: Protocol: SSL Port: 443 Authentication Domain: Training.lab 122

124 17. Next step is to create the Server Certificate. You will see the Certificate menu appear once you click OK from the previous step. Click on No Server Certificate to launch the Server Certificate Binding Wizard 18. Select AAA certificate and click OK, then Bind to complete. Click Continue on Advanced Authentication Policies. Click on the + icon to bind a Basic Authentication Policy 123

125 19. Bind the LDAP policy. And select primary as the Type. Click Continue. Bind the LDAP policy created in previous steps. And Leave the priority at 100. Click Bind to finish. Finally click Continue at the bottom of the Authentication Virtual Server screen, and then Done to complete. After hitting the refresh button Your AAA vserver should show green representing an Up State. 124

126 20. Bind the AAA vserver to the Load Balancing vserver created in earlier steps. If config is erased please reference the CLI reference to restore the config for the Load Balancing section. Navigate to Traffic Management Load Balancing Virtual Servers, and edit the Web- Vip vserver. Seelct the Authentication option on the righ hand side menu 21. Provide the values for the Authentication option as shown below, click OK when finished. Finally click Done. You know have bound the AAA vserver to your load balanced vserver. The purpose of this is to authenticate users against LDAP to access the backend WebServers. 125

127 22. Testing the AAA-TM vserver. To test using a web browser navigate to the FQDN ( of the load balancing Virtual IP Address. Scroll down and click Advanced on the web browser. Click proceed at the bottom. Now you should be able to login with the aaauser created in earlier steps. Once authenticated you will be directed to the Webserver page. 126

128 Exercise Summary In this exercise you successful created a user in Active Directory. Multiple DNS entries for the FQDN,AAA vservers, and web server. A LDAP policy and Server in NetScaler. And a AAA vserver that was bound to the WebServer load balancing VIP. 127

129 Exercise 18 AAA SAML Assertion Overview At a glance SAML 2.0 is a set of open standards leveraging XML to transport authentication and authorization data between trusted endpoints. The most adopted use case is web single sign on or SSO. SAML 2.0 addresses the authentication challenges over the internet opposed to an intranet. In this lab you leverage NetScaler as both enpoints in a SAML assertion to complete an authentication process. Step by step guidance Step 128

130 1. Create a SAML policy Navigate to Security AAA Application Traffic Policies Authentication Basic Policies SAML Select the Servers tab, and click Add Fill out the following parameters in the appropriate fields, and click OK when finished. o o o o o o o Name: saml-sp IDP Certificate Name : Select the AAA certificate created earlier Redirect URL: Signing Certificate Name: Select the AAA certificate created earlier Issuer Name: aaaidp.training.lab Authentication Class Types: Password SAML Binding: Post 129

131 2. Select Policies, and click Add 3. Fill out the parameters in their appropriate fields, and click create once finished. o o o Name: saml-pol Server: Select the server we just created in previous steps Expression: ns_true 130

132 4. Create a SAML IdP policy Navigate to Security AAA Application Traffic Policies Authentication Basic Policies SAML IDP Select Profiles and click add Fill out the parameters in their appropriate fields, and click create once finished o o o o o o Name: sam-idp-prof Assertion Consumer Service Url (ACS): SP Certificate Name: Select the AAA created earlier IDP Certificate Name: Select the AAA again created earlier Issuer Name: aaaidp.training.lab Audience: 131

133 5. Select Policies, and click Add Fill out the parameters in their appropriate fields, and click create once finished o o o Name: saml-idp-pol : select the profile we just created. Expression: HTTP.REQ.URL.CONTAINS("saml") 132

134 6. Creating the Service Provider (SP) and Identity Provider (IdP) AAA vservers Security AAA Application Traffic Virtual Servers, and select Add Provide the Basic Settings for the SP (Service Provider) AAA vserver, and click OK once complete o Name: aaasp.training.lab o IP Address: o Authentication Domain: Training.lab 133

135 7. Bind the AAA Server Certificate created in earlier steps, click continue once complete Click continue not selecting any Advanced Authentication Policies. 134

136 8. Select the + icon on Basic Authentication Policies Choose SAML as the policy, and Primary as the type, and click Continue 9. Bind the saml-pol policy we created as the SP policy in earlier steps. Click Bind to continue/ Click continue and Done to complete. 135

137 10. Click Add again to create the IdP AAA vserver Provide the Basic Settings for the IdP (Identity Provider) AAA vserver, and click OK once complete o Name: aaaidp.training.lab o IP Address: o Authentication Domain: Training.lab 136

138 11. Bind the AAA Server Certificate created in earlier steps, click continue once complete 12. Click continue not selecting any Advanced Authentication Policies. Select the + icon on Basic Authentication Policies 137

139 13. First lets bind the SAMLIDP policy. Choose SAMLIDP for the policy and Primary for the type 14. Next, bind the sam-idp-pol created in earlier steps. Click Bind to continue 138

140 15. Clicking the + icon again on Basic Authentication Policies, we will now bind the LDAP policy created earlier. Select LDAP as the policy and Primary as the type. Click continue once complete. Bind the LDAP policy created earlier and click Bind to continue. Click Continue, and Done to complete. NOTE: You may have to click the Refresh button to get the vservers to display green. 139

141 16. Binding the SP AAA vserver to the Load Balancing WebServer Navigate to Traffic Management Load Balancing Virtual Servers, and edit the existing Web-Vip virtual server. Locate the Authentication tab. If there is already an authentication vserver bound from previous AAA exercise we will override it now. Select the edit icon on the Authentication settings, and add in the following: Select Form Based-Authentication Authentication FQDN: aaasp.training.lab Authenticaiton Virtual Server: Select aaasp.training.lab Click OK, and Done, to complete. 140

142 17. Testing the SAML assertion flow In your web browser navigate to and note that it will redirect you to Click on Advanced to proceed. Click on Proceed to aaaidp.training.lab (unsafe). This is because we are using a test certificate for lab purposes. You are now directed to the AAA idp vserver for authentication. Login in with your AAA user credentials created in earlier steps. o o Username: aaauser Password: Password1 141

143 Exercise Summary In this section you successfully configured NetScaler as a Service Provider (SP) endpoint in a SAML 2.0 assertion. Configured NetScaler as an Identity Provider (IdP) endpoint in a SAML 2.0 assertion. And Completed a successful SP initiated assertion flow using NetScaler as both endpoints. NetScaler Command Line Reference (CLI) SNIP: add ns ip vserver DISABLED -gui DISABLED -mgmtaccess ENABLED VIP: add ns ip type VIP -mgmtaccess ENABLED Load Balancing NS A enable ns feature LB add ns ip type VIP add server web-server add server web-server add service web-service web-server1 HTTP 80 add service web-service1 web-server2 HTTP 80 add lb vserver Web-VIP HTTP persistencetype COOKIEINSERT -timeout 1 -lbmethod ROUNDROBIN -clttimeout 180 bind lb vserver Web-VIP web-service bind lb vserver Web-VIP web-service1 Content Switching NS A enable ns feature cs add cs vserver WebSwitch HTTP add lb vserver WebVip1 HTTP bind lb vserver WebVip1 Web-Service1 add lb vserver WebVip2 HTTP bind lb vserver WebVip2 Web-service2 add cs policy urlswitch -url "/url1*" bind cs vserver WebSwitch -policyname urlswitch -targetlbvserver WebVip1 bind cs vserver WebSwitch -lbvserver WebVip2 URL transformation NS A en ns feature rewrite 142

144 add transform profile Ferrysburg -type URL add transform action actferrysburg Ferrysburg 1000 set transform action actferrysburg -priority requrlfrom ' /url1' -requrlinto ' /url2' -resurlfrom ' /url2' -resurlinto ' /url1' -state ENABLED -comment 'URL transformation for Ferrysburg MI.' add transform policy Ferrysburg "HTTP.REQ.URL.PATH.GET(1).CONTAINS(\"url1\")" Ferrysburg bind transform global Ferrysburg 100 show transform profile Ferrysburg Application Firewall NS A add service webgoat-service web-server1 HTTP 8080 add service webgoat-service1 web-server2 HTTP 8080 add lb vserver WebGoat-VIP HTTP persistencetype COOKIEINSERT -timeout 0 - lbmethod ROUNDROBIN bind lb vserver WebGoat-VIP webgoat-service bind lb vserver WebGoat-VIP webgoat-service1 en ns feature appfw add appfw profile AppFWProfile -defaults basic set appfw profile AppFWProfile -type HTML XML set appfw profile AppFWProfile -creditcard log stats set appfw profile AppFWProfile -creditcard amex dinersclub discover jcb mastercard visa set appfw profile AppFWProfile -creditcardxout on set appfw profile AppFWProfile -creditcardmaxallowed 1 add appfw policy AppFWPolicy "HTTP.REQ.IS_VALID" AppFWProfile bind appfw global AppFWPolicy 100 Clustering NS A & NS B add cluster instance 1 add cluster node state PASSIVE -backplane 0/1/1 enable cluster instance 1 save ns config reboot warm add ns ip type CLIP show cluster instance show cluster node ***logout and log into the Cluster IP. add cluster node state PASSIVE -backplane 1/1/1 show cluster node *expect unknown for now. save ns config ***logout and log into the Node 2 NSIP: join cluster -clip password nsroot save ns config reboot -warm ***logout and log into the Cluster IP (CLIP). show cluster node add ns ip type SNIP -ownernode 1 add ns ip type SNIP -ownernode 2 ---Node 1 already had this SNIP, so it may take some tweaking. sh ip set cluster node 1 -state ACTIVE set cluster node 2 -state ACTIVE show cluster node -should both be active. 143

145 **if a node stalls, do a rm cluster and a join cluster again. sh ip Add the link set. We can do CLAG and ECMP as options, but the all virtual lab is easiest with LinkSet. From the CLIP: add linkset LS/1 bind linkset LS/1 -ifnum 1/1/1 bind linkset LS/1 -ifnum 2/1/1 show linkset LS/1 save ns config LDAP NS A add authentication ldap AD -serverip ldapbase "DC=training,DC=lab" -ldapbinddn [email protected] -ldapbinddnpassword Citrix123 -ldaploginname samaccountname add authentication ldappolicy LDAP ns_true AD SSL Certificate NS A To generate a server test certificate by using the configuration utility 1. In the navigation pane, click SSL. 2. Under SSL Certificates, click Create and install a Server Test Certificate. 3. In the Create and install a Server Test Certificate dialog box, specify values for the following parameters: o o o 4. Click OK. AAA Vserver Certificate File Name name of the server test certificate Fully Qualified Domain Name the domain for which you want to secure the connection Country the name of the country or region add authentication vserver AAA-vs SSL AuthenticationDomain training.lab bind authentication vserver AAA-vs -policy LDAP -priority 100 bind ssl vserver AAA-vs -certkeyname AAA 144

146 Revision: Change Description Updated By Date 1.0 Original version Joshua Travers May 2015 About Citrix Citrix Systems, Inc. designs, develops and markets technology solutions that enable information technology (IT) services. The Enterprise division and the Online Services division constitute its two segments. Its revenues are derived from sales of Enterprise division products, which include its Desktop Solutions, Datacenter and Cloud Solutions, Cloud-based Data Solutions and related technical services and from its Online Services division's Web collaboration, remote access and support services. It markets and licenses its products directly to enterprise customers, over the Web, and through systems integrators (Sis) in addition to indirectly through value-added resellers (VARs), value-added distributors (VADs) and original equipment manufacturers (OEMs). In July 2012, the Company acquired Bytemobile, provider of data and video optimization solutions for mobile network operators