Citrix Systems Network Router NETSCALER 9.3 User's Manual
Contents
1. 085 159 To configure a Web interface site for LAN users using HTTPS by using the configuration Utih sorinsce isie eine ee dea EENE EEEE TERENE dae eee 159 To configure a Web interface site for LAN users using HTTPS by using the COMMANG INE srs ariera EEEE REEERE tees nd cia EERE teens atk 161 Configuring a Web Interface Site for Remote Users Using AGEE 163 To configure a Web interface site for remote users using AGEE by using the configuration utility 0 cee cece cece ee eee eee eee EA TENARO RETN nena 164 To configure a Web interface site for remote users using AGEE by using the comman Mesec eaea SEGA dnd nde ua dada bina oad amend aden ei oas 165 Contents T PODPIOW miann nn a a meena a a a A E TR EE R 167 How AppFlow WolhkSiiie ccceitadt a Ena EE A detache a DAA an E A Ea EE EE a 168 OEE e A TE T E TTET EE AAT 169 Templates e aeneae e r tens oh a Pat DA E coe nen eas 169 Configuring the AppFlow Feature ccccee cece eee erent eee eee en een nee nn nn 170 Enabling or Disabling the AppFlow Feature cee eee cece een teen eens 171 To enable or disable the AppFlow feature by using the NetScaler command JING a oaadetiaesendieie seed ian eed tote eaede dies Sade A seeds 171 To enable the AppFlow feature by using the configuration utility 171 Specifying a Collector ccc sss eve es sie deta dee ne de nade ae Sew eee oe eee 171 To specify a collector by using the NetScaler co2. gt show ns tcpParam ICP Parameters Window Scaling status Window Scaling factor SACK status MaxBurst setting Tini INC INO 132 tial cwnd setting Receive Buffer Delayed ACK Timer 4 ENABLED ENABLED 6 MSS g 4 NSS 8190 bytes z 200 mi lilisee Citrix NetScaler Administration Guide Down Service Reset status DISABLED Nagle s Algorithm DISABLED Limited Persist Probes ENABLED Maximum out of order packets to queue 64 Done To enable SACK by using the Configuration Utility 1 In the navigation pane expand System and click Settings 2 In the details pane under Settings click Change TCP Parameters 3 In the Configure TCP Parameters dialog box under TCP select the Selective Acknowledgment check box and then click OK A message appears in the status bar stating that SACK has been configured successfully Clearing the Configuration You have the following three options for clearing your NetScaler configuration Basic level Clearing your configuration at the basic level clears all settings except the following NSIP MIP s and SNIP s Network settings Default Gateway VLAN RHI NTP and DNS settings HA node definitions Feature and mode settings Default administrator password nsroot Extended level Clearing your configuration at the extended level clears all settings except the following NSIP MIP s and S
3. Seta report as the default report for viewing whenever you log on Add or remove counters Print reports Refresh reports to view the latest performance data Using Built in Reports The Reporting tool provides built in reports for frequently viewed data Built in reports are available for the following seven functional groups System Network SSL Compression Integrated Cache Access Gateway and Application Firewall By default the built in reports are displayed for the last day However you can view the reports for the last hour last week last month or last year Note You cannot save changes to built in reports but you can save a modified built in report as a custom report To display a built in report 1 In the left pane of the Reporting tool under Built in Reports expand a group for example SSL 2 Click a report for example SSL gt All Backend Ciphers Creating and Deleting Reports You can create your own custom reports and save them with user defined names for reuse You can plot different counters for different groups based on your requirements You can create up to 256 custom reports You can either create a new report or save a built in report as a custom report By default a newly created custom report contains one chart named System Overview which displays the CPU Usage counter plotted for the last day You can customize the interval and set the data source and time zone from the report t
4. AppFlow Parameters templateRefresh The refresh interval in seconds at which to export the template data Because data transport is in the UDP protocol the templates must be resent at regular intervals Minimum value 60 Maximum value 3600 Default 600 appnameRefresh Interval at which Appnames are sent to the configured collectors in seconds Minimum value 60 Maximum value 3600 Default 600 flowRecordinterval Interval at which flow records are sent to the configured collectors in seconds Minimum value 60 Maximum value 3600 Default 600 udpPmtu The maximum length of the UDP datagram Default 1472 httpUrl The http URL received by the NetScaler appliance from the client Possible values ENABLED DISABLED Default DISABLED 181 Chapter 7 182 AppFlow httpCookie Include the cookie that was in the HTTP request received by the NetScaler appliance from the client Possible values ENABLED DISABLED Default DISABLED httpReferer Include the Web page that was last visited by the client Possible values ENABLED DISABLED Default DISABLED httpMethod Include the method that was specified in the HTTP request received by the NetScaler appliance from the client Possible values ENABLED DISABLED Default DISABLED httpHost Include the host identified in the HTTP request received by the NetScaler appliance from the client Possible values ENABLED DISABLED Default DISABLED httpUserAgent Include
5. _ Se ee ee ee ee 0 et nee tee ae oy ee ee eae ee Application specificflow information captured by AppFlow As shown in the figure the network flow identifiers for each leg of a transaction depend on the direction of the traffic The different flows that form a flow record are Flow1 lt Client IP Client Port VIP IP VIP port Protocol gt Flow2 lt NS MIP SNIP NS port Server IP Server Port Protocol gt Flow3 lt Server IP Server Port NS MIP SNIP NS Port Protocol gt Flow4 lt VIP IP VIP port Client IP Client Port Protocol gt Citrix NetScaler Administration Guide To help the collector link all four flows in a transaction AppFlow adds a custom transactionID element to each flow For application level content switching such as HTTP it is possible for a single client TCP connection to be load balanced to different backend TCP connections for each request AppFlow provides a set of records for each transaction Flow Records AppFlow records contain standard NetFlow or IPFIX information such as time stamps for the beginning and end of a flow packet count and byte count AppFlow records also contain application level information such as HTTP URLs HTTP request methods and response status codes server response time and latency IPFIX flow records are based on templates that need to be sent before sending flow records Templates AppFlow defines a set of templates one for each type of flow Each templ
6. Date format t URL suffix x Host name v 108 Citrix NetScaler Administration Guide Example LogFileNameFormat Ex smSd y t log This command creates the first file name as Exmmddyy log then every hour creates a file with file name Exmmddyy log 0 Exmmddyy log 1 Exmm ddyy log n Example Loginterval size LogFileSize 100 LogFileNameFormat Ex smsdsy t A Caution The date format t specified in the LogFilenameFormat command overrides the log interval property for that filter To prevent a new file being created every day instead of when the specified log file size is reached do not use t in the LogFilenameFormat LogExclude prevents logging of transactions with the specified file extensions Example LogExclude html This command creates a log file that excludes log transactions for html files LogTime specifies log time as either GMT or LOCAL The defaults are e NCSA log file format LOCAL e W3C log file format GMT Understanding the NCSA and W3C Log Formats The NetScaler supports the following standard log file formats NCSA Common Log Format W3C Extended Log Format NCSA Common Log Format If the log file format is NCSA the log file displays log information in the following format Client TPVaddress User Name Date ram TimeZone Method Object HELP version HELP Status ode BytesSent To use the NCSA Common log format enter NCSA in the LogFormat argument in
7. The NetScaler provides a set of condition entities called SNMP alarms When the condition in any SNMP alarm is met the NetScaler generates SNMP trap messages that 48 Citrix NetScaler Administration Guide are sent to the configured trap listeners For example when the LOGIN FAILURE alarm is enabled a trap message is generated and sent to the trap listener whenever there is a login failure on the NetScaler appliance To configure the NetScaler to generate traps you need to enable and configure alarms Then you specify trap listeners to which the NetScaler will send the generated trap messages Enabling or Disabling an SNMP Alarm The NetScaler generates traps only for SNMP alarms that are enabled Some alarms are enabled by default but you can disable them When you enable an SNMP alarm the NetScaler generates corresponding trap messages when some events occur Some NetScaler alarms are enabled by default To enable or disable an SNMP alarm by using the command line At the NetScaler command prompt type the following commands to set the parameters and verify the configuration enable snmp alarm lt alarm name gt sh snmp alarm lt alarm name gt Example gt enable snmp alarm LOGIN FAILURE Done gt show snmp alarm LOGIN FAILURE Alarm Alarm Threshold Normal Threshold Time State Severity Logging 1 LOGIN FAILURE N A N A N A E To enable or disable an SNMP alarm by using the con
8. for example C audserver win 9 3 51 5 etc c lt root directory extracted from the Windows NSLOG server package zip file gt samples for example C audserver win 9 3 51 5 samples Ata command prompt run the following command from the lt root directory extracted from the Windows NSLOG server package zip file gt bin path audserver install f lt directorypath gt auditlog conf lt directorypath gt Specifies the path to the configuration file auditlog conf By default log conf is under lt root directory extracted from Windows NSLOG server package zip file gt samples directory But you can copy auditlog conf to your desired directory 85 Chapter 3 Audit Logging To uninstall the NSLOG server on a Windows operating system At a command prompt run the following from the lt root directory extracted from Windows NSLOG server package zip file gt bin path audserver remove NSLOG Server Command Options The following table describes the commands that you can use to configure audit server 86 options Table 3 2 Audit Server Options Audit server commands Specifies audserver help The available Audit Server options audserver addns f lt path to configuration file gt The system that gathers the log transaction data You are prompted to enter the IP address of the NetScaler appliance Enter the valid user name and password audserver verify f lt path t
9. mss The maximum number of octets to allow in a TCP data segment To specify the MSS value in a TCP profile by using the NetScaler configuration utility 1 In the navigation pane expand System and then click Profiles 2 In the details pane do one of the following 145 Chapter 5 Advanced Configurations e To create a TCP profile click Add e To specify the MSS in an existing TCP profile click the name of the profile and then click Open 3 In the Create TCP Profile or Configure TCP Profile dialog box specify values for the following parameters which correspond to the parameters described in Parameters for specifying the MSS value in a TCP profile as shown e Name name cannot be changed for an existing TCP profile e MSS mss A required parameter 4 Click Create or OK Configuring the NetScaler to Learn the MSS Value from Bound Services 146 If you set the global TCP parameter learnVsvrMSS to ENABLED the NetScaler appliance learns the most frequently used MSS value for each configured virtual server When a client connects to a virtual server the appliance advertises to the client the MSS value that is optimum for that virtual server The optimum value is the MSS of the service or subset of bound services that are most frequently selected during load balancing Consequently each virtual server configuration uses its own MSS value This enhancement enables the appliance to optimize the consump
10. cece cece eee tee ete e eee eee e eee eee net e eae 105 To stop Web server logging started as a background process on the Solaris or Linux operating SySteMS 00 cc eect eee tenet detent ne tnn eee n ees 105 To stop Web server logging started as a service on the Windows operating system PE E A S bent Pie S ae a ig eerie dba A A T S a 105 Citrix NetScaler Administration Guide Customizing Logging on the NSWL Client System 00 cee eee eee eee eee ees 105 Creating FIETSE inpe Ee E ERENER atiatc TEETER cade teeneia cobs 106 EE AE EEA EE ONS A A E E E 106 Toscr ate a fior eei tes a er a N E Bee daa awe ees 107 To create a filter for a virtual server 6 eect eee ee eens 107 Specifying Log Properties esse rror ssoi porrak aAa KEEA KOKIRI RA TH AAA EA KA 107 Understanding the NCSA and W3C Log Formats seseeeunenneunanne ernennen 109 NCSA Common Log Fornat s eirres c innana i a A e AAA 109 W3C Extended Log Format 00 c enana ia eaa EE E 110 EMES onia aaea ewes eae aids Gee A dae la E ea ed aA 111 DIRECIIVES e ere aa aaa Bee iis seed aera d RA AETA AAA pee 111 Fields icare te bas haces Mace ot Rl eet AE oes dele a tates 112 Goia e E kode Mao thie talagho ne latadiades hee aes Blades 112 Creating a Custom Log Format 00 iiare a Ea e eee ee AA 114 Creating a Custom Log Format by Using the NSWL Library 114 Creating a Custom Log Format Manually cece cece eee ee
11. 10 Done Parameters for configuring an SNMP manager IPAddress Can be any of the following IPv4 address of the SNMP manager IPv4 network address The NetScaler appliance accepts and responds to SNMP queries from any device on this network Associated host name of an SNMP manager that has an IPv4 address If you specify a host name you must add a DNS name server that resolves the host name of the SNMP manager to its IP address 56 Citrix NetScaler Administration Guide Note The NetScaler appliance does not support host names for SNMP managers that have IPv6 addresses netmask Subnet of management stations Used to grant access from entire subnets to the NetScaler appliance domainResolveRetry The duration in seconds for which the NetScaler appliance waits to send the next DNS query to resolve the host name of the SNMP manager if the last query failed If last query succeeds the NetScaler waits for the TTL time Minimum value 5 Maximum value 20940 Default value 5 To add an SNMP manager by using the configuration utility 1 2 3 In the navigation pane expand System expand SNMP and then click Managers In the details pane click Add In the Create SNMP Manager dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring an SNMP manager as shown e IP Address I PAddress e Netmask netmask A required paramet
12. 3 Continue choosing terms from the list boxes that appear to the right of the previous list box or typing strings or numbers in the text boxes that appear to prompt you to enter a value until your expression is finished For more information about the PI expressions language and creating expressions for AppFlow policies see the Citrix NetScaler Policy Configuration and Reference Guide For a link to the guide see the Documentation Library Binding an AppFlow Policy To put a policy into effect you must bind it either globally so that it applies to all traffic that flows through the NetScaler or to a specific virtual server so that the policy applies only to the traffic related to that virtual server When you bind a policy you assign it a priority The priority determines the order in which the policies you define are evaluated You can set the priority to any positive integer In the NetScaler operating system policy priorities work in reverse order the higher the number the lower the priority For example if you have three policies with priorities of 10 100 and 1000 the policy assigned a priority of 10 is performed first then the policy assigned a priority of 100 and finally the policy assigned an order of 1000 You can leave yourself plenty of room to add other policies in any order and still set them to evaluate in the order you want by setting priorities with intervals of 50 or 100 between each policy when you globally
13. Appliance A complete set of Citrix NetScaler documentation is available on the Documentation tab of your NetScaler appliance and at http support citrix com PDF version and at http edocs citrix com HTML version The PDF version of the documents require Adobe Reader available at http adobe com 18 To view the documentation 1 From a Web browser log on to the NetScaler Appliance 2 Click the Documentation tab 3 To view a short description of each document hover the mouse pointer over the title To open a document click the title Citrix NetScaler Administration Guide Getting Service and Support Citrix offers a variety of resources for support with your Citrix environment including the following The Knowledge Center is a self service Web based technical support database that contains thousands of technical solutions including access to the latest hotfixes service packs and security bulletins Technical Support Programs for both software support and appliance maintenance are available at a variety of support levels The Subscription Advantage program is a one year membership that gives you an easy way to stay current with the latest product version upgrades and enhancements Citrix Education provides official training and certification programs on virtually all Citrix products and technologies For more information about Citrix services and support see the Citrix Systems Support
14. Clem TER DETLORT EO 22 gixtl ace Colleetor l and 3 Done gt show appflow policy 174 Citrix NetScaler Administration Guide 1 Name apfl pol myPolicy5 iese O Undef Hits 0 Active Yes me apfl pol myPolicyl0 a DESE ndef Hits 0 re a TESS ndef Hits 0 ae EALWee Wes 4 Name apfl pol myPolicy50 Aaviess 0 Undef Hits 0 Active No 5 Name apfl pol tcp dsprt mies 0 Under Isliliesis 0 Active No Done To modify or remove an AppFlow policy by using the NetScaler command line To modify an AppFlow policy type the set appflow policy command the name of the policy and the parameters to be changed with their new values To remove an AppFlow policy type the rm appflow policy command and the name of the policy Parameters for configuring an AppFlow policy name A name for the policy or the name of the existing policy you want to modify The name can begin with a letter number or the underscore symbol and can consist of from one to 127 letters numbers and the hyphen period pound space at sign equals colon and underscore _ symbols rule The expression that defines the rule for this policy The expression can be a simple expression or a complex expression that contains several expressions in structured relationship to one another Expressions are written in the NetScaler Policy Infrastructure PI language For more information about PI
15. Figure 8 2 Chart Toolbar A Customize D Counters Export Working with Reports 184 You can plot and monitor statistics for the various functional groups configured on the NetScaler over a specified time interval Reports enable you to troubleshoot or analyze the behavior of your appliance There are two types of reports built in reports and custom reports Report content for built in or custom reports can be viewed in a graphical format or a tabular format The graphical view consists of line area and bar charts that can display up to 32 sets of data counters The tabular view displays the data in columns and rows This view is useful for debugging error counters The default report that is displayed in the Reporting tool is CPU vs Memory Usage and HTTP Requests Rate You can change the default report view by displaying the report you want as your default view and then clicking Default Report Reports can be generated for the last hour last day last week last month last year or you can customize the duration You can do the following with reports Citrix NetScaler Administration Guide Toggle between a tabular view of data and a graphical view of data Change the graphical display type such as bar chart or line chart Customize charts in a report Export the chart as an Excel comma separated value CSV file View the charts in detail by zooming in zooming out or using a drag and drop operation scrolling
16. O Citrix C US Sun ONE directory formerly iPlanet ou People dc citrix dc com The following table lists examples of the bind distinguished name DN Table 1 7 Examples of Bind Distinguished Name LDAP server Bind DN Microsoft Active Directory CN Administrator CN Users DC citrix DC local Novell eDirectory cn admin dc citrix dc net IBM Directory Server LDAP_dn 39 Chapter 1 40 Authentication and Authorization LDAP server Bind DN Lotus Domino CN Notes Administrator O Citrix C US Sun ONE directory formerly iPlanet uid admin ou Administrators ou TopologyManagement o NetscapeRoot To configure LDAP authentication by using the configuration utility 1 an wo KR W N In the navigation pane expand System and then click Authentication On the Policies tab click Add In Name type a name for the policy In Authentication Type select LDAP Next to Server click New In Name type the name of the server Under Server in IP Address and Port type the IP address and port number of the LDAP server Under Connection Settings provide the following information In Base DN location of users type the base DN under which users are located Base DN is usually derived from the Bind DN by removing the user name and specifying the group where in which are located Examples of syntax for base DN are ou users dc ace dc c
17. and the hyphen period pound space at sign equals colon and underscore _ symbols Cannot be changed for existing policies action The action the policy applies when the command specification pattern matches Possible values ALLOW DENY cmdspec Rule expression that the policy uses for pattern matching Citrix NetScaler Administration Guide To configure a command policy by using the configuration utility 1 2 In the navigation pane expand System and then click Command Policies In the details pane do one of the following e To create a command policy click Add e To modify an existing command policy select the command policy and then click Open Inthe Create Command Policy or Configure Command Policy dialog box specify values for the parameters which correspond to the parameters described in Parameters for configuring a command policy as shown e Policy Name policyname Cannot be changed for an existing policy e Action action e Command Spec cmdspec You can type a complete expression directly into the text area or you can click Add or Regex Tokens for assistance The Add icon opens the Add Command dialog box in which you can select a NetScaler entity and then select an operation to perform on the entity The Regex Tokens icon displays regular expression tokens which you can add to your expression by selecting them A required parameter Click Create
18. for transfer of data When you run NSLOG or a SYSLOG server it connects to the NetScaler appliance The NetScaler appliance then starts sending all the log information to the SYSLOG or NSLOG server and the server can filter the log entries before storing them in a log file An NSLOG or SYSLOG server can receive log information from more than one NetScaler appliance and a NetScaler appliance can send log information to more than one SYSLOG server or NSLOG server The log information that a SYSLOG or NSLOG server collects from a NetScaler appliance is stored in a log file in the form of messages These messages typically contain the following information The IP address of a NetScaler appliance that generated the log message A time stamp The message type The predefined log levels Critical Error Notice Warning Informational Debug Alert and Emergency The message information 71 Chapter 3 72 Audit Logging To configure audit logging you first configure the audit modules on the NetScaler that involves creating audit policies and specifying the NSLOG server or SYSLOG server information You then install and configure the SYSLOG or the NSLOG server on the underlying FreeBSD OS of the NetScaler appliance or on a remote system Note Because SYSLOG is an industry standard for logging program messages and because various vendors provide support this documentation does not include SYSLOG server configuration
19. name Name The name for a TCP profile A TCP profile name can be from 1 to 127 characters and must begin with a letter a number or the underscore symbol _ Other characters allowed after the first character in a name are the hyphen period pound sign space at sign and equals sign WS Window Scaling Enable or disable window scaling Possible values ENABLED DISABLED Default DISABLED WSVal Factor The factor used to calculate the new window size Possible values 0 to 8 Default 4 maxBurst Maximum Burst Limit The maximum number of TCP segments allowed in a burst Minimum value 2 Maximum value 10 Default 6 initialCwnd Initial Congestion Window Size The initial maximum upper limit on the number of TCP packets that can be outstanding on the TCP link to the server Minimum value 2 Maximum value 6 Default 4 delayedAck TCP Delayed ACK Time out msec The time out for TCP delayed ACK in milliseconds Minimum value 10 Maximum value 200 Default 300 oooQSize Maximum ooo Packet Queue Size The maximum size of out of order packets queue Minimum value 0 0 means infinite Maximum value 512 Default 64 maxPktPerMss Maximum Packets Per MSS The maximum number of TCP packets allowed per maximum segment size MSS Minimum value 0 Maximum value 1460 Default 0 Means that no maximum is set 140 Citrix NetScaler Administration Guide pktPerRetx Maximum Packets pe
20. type pkg_delete NSweblog Installing NSWL Client on a Mac OS Operating System Copy the installation files from the NetScaler product CD or download them from ftp netscaler com Log on to the Mac OS operating system as an administrator Use the following procedure to install the NSWL executable and the other files on the system To install the NSWL client package on a Mac OS operating system 1 At a command prompt copy the NSweblog tgz file into a temporary directory with the following command cp lt path_to_cd gt Utilities weblog macos NSweblog tgz tmp 2 Change to the temporary directory cd tmp 3 To install the package use the pkg_add command pkg_add NSweblog tgz This command extracts the files and installs them in the following directories e usr local netscaler etc e usr local netscaler bin e usr local netscaler samples 4 To verify that the package is installed use the following command pkg_info grep NSweblog 100 Citrix NetScaler Administration Guide To uninstall the NSWL client package on a Mac OS operating system At a command prompt type pkg_delete NSweblog Installing NSWL Client on a Windows Operating System Before installing the NSWL client you have to copy the NSWL client package from the NetScaler product CD or download it from www citrix com The NSWL client package has the following name format Weblog_ lt release number gt lt build number gt zip for example Weblog_9
21. 19 NetScaler Documentation Feedback 2 00 cece cece eee e ee cette eee eeeeeeeeeees 19 1 Authentication and Authorization cccceceeeee cess cess eee rene eee eee eeeeae eae eaeeaeaas 21 Configuring Users and GroupS cee eee eect eee e eee nee n ene nne eens 22 Configuring User ACCOUNTS 0 c cece eet e ee teen eee nnrir arrun nurnrnaru 22 To create a user account by using the NetScaler command line 22 To modify or remove a user account by using the NetScaler command line 23 Parameters for configuring a user ACCOUNL 66 cece cette eee eee eens 23 To configure a user account by using the configuration utility 24 Configuring User GroupS 0 0c c eee e eee cette tenet eee runur nne etnies 24 To create a user group by using the NetScaler command line 24 To modify or remove a user group by using the NetScaler command line 25 To bind a user to a group by using the NetScaler command line 25 To unbind a user from a group by using the NetScaler command line 25 Parameters for configuring a user group ee cece eee eee e eee e eee e eens 26 To configure a user group by using the configuration utility 26 Configuring Command PolicieS 6 c cece cece eee eee eee eee eee e ee runerne 27 Built in Command Policies 0020 c cece cece cee cence eee e eee ee
22. 2 In the details pane click Add 3 In the Create AppFlow Collector dialog box specify values for the following parameters which correspond to parameters described in Parameters for specifying a collector as shown e Name name cannot be changed for an existing collector e IP Address ipaddress cannot be changed for an existing collector e Port port cannot be changed for an existing collector A required parameter 4 To remove a collector from the list select the collector and then click Remove 5 Click Create and then click Close Configuring an AppFlow Action 172 An Appflow action is a set collectors to which the flow records are sent if the associated Apflow policy matches To configure an AppFlow action by using the NetScaler command line At the NetScaler command prompt type the following commands to configure an Appflow action and verify the configuration add appflow action lt name gt collectors lt string gt comment lt string gt show appflow action Example gt add appflow action apfl act Collectors Collector lime olleg Done gt show appflow action Name apfl act collec Collectors collecter sess O Action Reference Coun Name apfl act collec Collectors collector ieee Action Reference Coun Name apfl act collec Citrix NetScaler Administration Guide Collikaciwoie ieiacl 3 ter 3 toiesik 1 2 COr 2 zana 2 collecter 3 1 E e iLSeua
23. 3 51 5 zip Within the package are separate installation packages for each supported platforms To download NSWL client package from www Citrix com 1 OS be Te ON From any system open www citrix com in the Web browser In the menu bar click Log In Enter your login credentials and then click Log In In the menu bar click Downloads Search to the page of the desired release number and build On the desired page under Weblog Clients click Download to download a file having the format Weblog lt release number gt lt build number gt zip to your local system for example Weblog 9 3 51 5 zip To install the NSWL client on a Windows system 1 On the system where you have downloaded the NSWL client package Weblog lt release number gt lt build number gt zip for example Weblog 9 3 51 5 zip extract nswl win lt release number gt lt build number gt zip for example nswl_ win 9 3 51 5 zip from the package Copy the extracted file nswl_win lt release number gt lt build number gt zip for example nswl_win 9 3 51 5 zip to a Windows system on which you want to install the NSWL client On the Windows system unzip the nswl_ lt release number gt lt build number gt zip file for example nswl_win 9 3 51 5 zip The following directories are extracted a lt root directory extracted from the Windows NSWL client package zip file gt bin for example C nswl win 9 3 51 5 bin 101 Cha
24. AppFlow Parameters 180 You can set AppFlow parameters to customize the exporting of data to the collectors To set the AppFlow Parameters by using the NetScaler Command Line At the NetScaler command prompt type the following commands to set the AppFlow parameters and verify the settings Citrix NetScaler Administration Guide set appflowParam templateRefresh lt secs gt appnameRefresh lt secs gt flowRecordInterval lt secs gt udpPmtu lt positive_integer gt httpUrl ENABLED DISABLED httpCookie ENABLED DISABLED httpReferer ENABLED DISABLED httpMethod ENABLED DISABLED httpHost ENABLED DISABLED httpUserAgent ENABLED DISABLED clientTrafficOnly YES NO show appflowParam Example gt set appflowParam templateRefresh 240 udpPmtu 128 httpUrl enabled Done gt show appflowparam AppFlow parameters IPFIX template refresh interval 600 seconds IPFIX UDP Path MTU 1472 bytes HTTP URL logging DISABLED HTTP cookie logging DISABLED HTTP referer logging DISABLED HTTP method logging ENABLED P P HTTP host logging ENABLED HTTP user agent logging ENABLE Log only client side traffic NO Done To return AppFlow parameters to their default values by using the NetScaler command line Type the unset appflowParam command and the names of the parameters to be returned to the default values
25. Citrix Systems Inc Linux is a registered trademark of Linus Torvalds Internet Explorer Microsoft PowerPoint Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation NetScape is a registered trademark of Netscape Communications Corporation Red Hat is a trademark of Red Hat Inc Sun and Sun Microsystems are registered trademarks of Sun Microsystems Inc Other brand and product names may be registered trademarks or trademarks of their respective holders Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement Copyright 1998 Carnegie Mellon University All rights reserved Copyright David L Mills 1993 1994 Copyright 1992 1993 1994 1997 Henry Spencer Copyright Jean loup Gailly and Mark Adler Copyright 1999 2000 by Jef Poskanzer All rights reserved Copyright Markus Friedl Theo de Raadt Niels Provos Dug Song Aaron Campbell Damien Miller Kevin Steves All rights reserved Copyright 1982 1985 1986 1988 1991 1993 Regents of the University of California All rights reserved Copyright 1995 Tatu Ylonen Espoo Finland All rights reserved Copyright UNIX System Laboratories Inc Copyright 2001 Mark R V Murray Copyright 1995 1998 Eric Young Copyright 1995 1996 1997 1998 Lars Fenneberg Copyright 1992 Livingston Enterprises Inc Copyright
26. Default ENABLED dropinvalReqs Drop invalid HTTP requests Drop requests or responses in which either the header or the body is invalid Possible values ENABLED DISABLED Default DISABLED markHttpO9Inval Mark HTTP 0 9 requests as invalid Mark all 0 9 requests as invalid Possible values ENABLED DISABLED Default DISABLED markConnReaInval Mark CONNECT requests as invalid Mark all CONNECT requests as invalid Possible values ENABLED DISABLED Default DISABLED cmpOnPush Compression on PUSH packet Compress PUSH packets sent by the virtual server to which this profile is bound Possible values ENABLED DISABLED Default DISABLED 137 Chapter5 Advanced Configurations To add an HTTP profile by using the configuration utility 1 In the navigation pane expand System and then click Profiles 2 In the details pane on the HTTP Profiles tab click Add 3 In the Create HTTP Profile dialog box set the following parameters e Name e Max Connection in reusepool e Connection Multiplexing e Drop invalid HTTP requests e Mark HTTP O 9 requests as invalid e Mark CONNECT requests as invalid e Compression on PUSH packet A required parameter 4 Click Create A message appears in the status bar stating that the HTTP profile has been configured successfully Configuring TCP Profiles A Transmission Control Protocol TCP profile is a collection of TCP parameter settings that can be applied to virtual servers
27. Log Format on page 118 Values within brackets show the range of values that appear For example 1 31 in the d description in the following table shows d ranges from 1 to 31 Table 4 12 Time Format Definition Argument Specifies The same as a The abbreviated name of the week day for the locale A The full name of the week day for the locale b The abbreviated name of the month for the locale B The full name of the month for the locale C The century number the year divided by 100 and truncated to an integer as a decimal number 1 99 single digits are preceded by a 0 d The day of month 1 31 single digits are preceded by 0 e The day of month 1 31 single digits are preceded by a blank h The abbreviated name of the month for the locale H The hour 24 hour clock 0 23 single digits are preceded by a 0 l The hour 12 hour clock 1 12 single digits are preceded by a 0 j The number of the day in the year 1 366 single digits are preceded by 0 k The hour 24 hour clock 0 23 single digits are preceded by a blank 121 Chapter4 Web Server Logging Argument Specifies l The hour 12 hour clock 1 12 single digits are preceded by a blank m The number of the month in the year 1 12 single digits are preceded by a 0 M The minute 00 59 leading 0 is permitted but not require
28. On the Chart tab under Category click Plot type and then click the graph type you want to display for the chart If you want to display the graph is 3D select the Use 3D check box To refocus a chart with detailed data 1 In the left pane of the Reporting tool select a report 2 In the right pane on the report toolbar click Zoom In and do one or both of the following e To refocus the chart to display data for a specific time window drag and drop the cursor from the start time to the end time For example you can view data for a one hour period on a certain day e To refocus the chart to display data for a data point simply click once on chart where you want to zoom in and get more detailed information 189 Chapter8 Reporting Tool 3 Once you have the desired range of time for which you want to view detailed data on the report toolbar click Tabular View Tabular view displays the data in numeric form in rows and columns To view numeric data for a graph 1 In the left pane of the Reporting tool select a report 2 In the right pane on the report toolbar click Tabular View To return to the graphical view click Graphical View Note You can also view the numeric data in the graphical view by hovering your cursor over the notches in the gridlines To scroll through time in a chart 1 In the left pane of the Reporting tool select a report 2 In the right pane on the report toolbar click Scroll and then
29. Preriozrirtys 100 Parameters for binding the audit policies globally policyName The name of the NSLOG or SYSLOG policy 78 Citrix NetScaler Administration Guide priority A numeric value that indicates when this policy is evaluated relative to others A lower priority is evaluated before a higher one To globally bind the audit policy 1 In the navigation pane expand System expand Auditing and then click Policies 2 In the details pane on the Policies tab click Global Bindings 3 In the Bind Unbind Auditing Global Policies dialog box click Insert Policy 4 Select the policy from the drop down list that appears under Policy Name and then click OK A message appears in the status bar stating that the auditing policy has been globally bound Configuring Policy Based Logging You can configure policy based logging for rewrite and responder policies Audit messages are then logged in a defined format when the rule in a policy evaluates to TRUE To configure policy based logging you configure an audit message action that uses default syntax expressions to specify the format of the audit messages and associate the action with a policy The policy can be bound either globally or to a load balancing or content switching virtual server You can use audit message actions to log messages at various log levels either in syslog format only or in both syslog and newnslog formats Pre Requisites User Configurable Log
30. Processor Intel x86 501 megahertz MHz e RAM 512 megabytes MB e Controller SCSI For Solaris 2 6 e Processor UltraSPARC Ili 400 MHz e RAM 512 MB e Controller SCSI If the NSWL client system cannot process the log transaction because of a CPU limitation the Web log buffer overruns and the logging process reinitiates A Caution Reinitiation of logging can result in loss of log transactions To temporarily solve a NSWL client system bottleneck caused by a CPU limitation you can tune the Web server logging buffer size on the NetScaler appliance To solve the problem you need a client system that can handle the site s throughput Installing NSWL Client on a Solaris Operating System Copy the installation files from the NetScaler product CD or download them from ftp netscaler com Log on to the Solaris system as an adminstrator Use the following procedure to install the NSWL executable and the other files on the system To install the NSWL client package on a Solaris operating system 1 At a command prompt copy the NSweblog tar file into a temporary directory using the command cp lt path_to_cd gt Utilities weblog Solaris NSweblog tar tmp 2 Change to the temporary directory 97 Chapter 4 Web Server Logging cd tmp 3 Extract the files from the tar file with the following command tar xvf NSweblog tar A directory NSweblog is created in the temporary directory and the files are ex
31. System expand Web Interface and then click Sites To configure a Web interface site for LAN users using HTTPS by using the command line 1 Add a Web interface site Set Direct or Alternate or Translated for the defaultAccessMethod parameter At the NetScaler command prompt type add wi site lt sitePath gt siteType XenAppWeb XenAppServices publishedResourceType Online Offline DualMode kioskMode ON OFF Example add wi site WINS1 siteType XenAppWeb publishedResourceTyp Online kioskMode ON Bind XenApp or XenDesktop farms to the Web interface site At the NetScaler command prompt type bind wi site lt sitePath gt lt farmName gt lt xmlServerAddresses gt xmlPort lt value gt transport HTTP HTTPS loadBalance ON OFF Example bind wi sirce WINSL XAL 10 102 466 x lt miPork J0 transbort MILIE LoadBalance OFF bind wi site WINS1 XD1 10 102 46 50 xmlPort 80 transport HTTP LoadBalance OFF Create a service that is a logical representation of the Web interface service running on the NetScaler appliance At the NetScaler command prompt type add service lt name gt lt PAddress gt lt serviceType gt lt port gt Example eci geryice WIL Looplecel Service 127 0 0 1 Hm B080 For more information see the Load Balancing chapter of the Citrix NetScaler Traffic Management Guide at http support citrix com article CTX128670 161 Chapter 6 162 Web Interfac
32. To configure a Web interface site for remote users using AGEE by using the configuration utility 1 In the navigation pane click Web Interface 2 In the details pane click Web Interface Wizard 3 On the wizard Introduction page click Next 4 On the wizard Configure Web Interface Site page specify the values for the following parameters which correspond to parameters described in Parameters for configuring Web interface sites on page 153 as shown e Site Path You cannot change the name of an existing Web interface site e Site Type e Published Resource Type e Kiosk Mode A required parameter 5 Select Gateway Direct Mode and specify values for the following parameters which correspond to parameters described in Parameters for configuring Web interface sites on page 153 as shown 164 Citrix NetScaler Administration Guide e Authentication Point e Access Gateway URL e Add DNS Entry e Trust SSL Certificate e STA Server URL e STA Server URL 2 e Session Reliability e Use two STA Servers 6 Click Next 7 On the wizard s Configure XenApp XenDesktop Farm page do one of the following e To add a XenApp or XenDesktop farm click Add e To modify an existing XenApp or XenDesktop farm select the farm and then click Open 8 In the Create XenApp XenDesktop Farm or Configure XenApp XenDesktop Farm dialog box specify values for the following parameters which correspond to parameters described in Parameters for co
33. Web server logging by using the configuration utility 95 Contents Modifying the Default Buffer Size 1 0 2 eect ete arenneren runnner 95 To modify the buffer size by using the NetScaler command line 95 Parameter for modifying the buffer size 0 ccc nett teen ees 95 To modify the buffer size by using the configuration utility 05 96 Installing and Configuring the Client System for Web Server Logging 5 96 Installing NSWL Client on a Solaris Operating System 0 cece eee eee 97 To install the NSWL client package on a Solaris operating system 97 To uninstall the NSWL client package on a Solaris operating system 98 Installing NSWL Client on a Linux Operating System 2 cece eee eee eee 98 To install the NSWL client package on a Linux operating system 98 To uninstall the NSWL client package on a Linux operating system 99 To get more information about the NSweblog RPM file sees 99 To view the installed Web server logging files 0 cece eens eee eee eee 99 Installing NSWL Client on a FreeBSD Operating System cee e ee eee 99 To install the NSWL client package on a FreeBSD operating system 99 To uninstall the NSWL client package on a FreeBSD operating system 100 Installing NSWL Client on a Mac OS Operating System 6 cec
34. Web site at http www citrix com lang English support asp You can also participate in and follow technical discussions offered by the experts on various Citrix products at the following sites http community citrix com http twitter com citrixsupport http forums citrix com support NetScaler Documentation Feedback You are encouraged to provide feedback and suggestions so that we can enhance the documentation You can send an email to nsdocs_feedback citrix com In the subject line specify Documentation Feedback Please include the title of the guide and the page number in the email message You can also provide feedback through the Knowledge Center at http support citrix com To provide feedback at the Knowledge Center home page 1 Go to the Knowledge Center home page at http support citrix com 2 On the Knowledge Center home page under Products expand NetScaler and then click the NetScaler release for which you want to provide feedback 3 On the Documentation tab click the guide name and then click Article Feedback 4 On the Documentation Feedback page complete the form and then click Submit 19 20 Preface Chapter 1 Authentication and Authorization Topics Configuring Users and Groups Configuring Command Policies Resetting the Default Administrator nsroot Password Example of a User Scenario Configuring External User Authentication To configure Citrix NetSc
35. Ys ciated tones dite detenat ada aiid doa ede deat Ganads da did eae Se dee etnias 142 Examipless2s cicada es Bi eee ee a aa ee Pied ee Sie 143 To set the TCP buffer size in the global TCP profile by using the NetScaler COMMANA NING 4 sews E A cde AE E T TT TTT 143 Example enaa aa a a aa Laveen eee aaa A 143 Parameters for setting the TCP buffer size in a TCP profile 00005 144 To set the TCP buffer size in a TCP profile by using the NetScaler configuration tility ena a a a a a a aa a a aes Sead N aao 144 Optimizing the TCP Maximum Segment Size for a Virtual Server Configuration 144 xii Citrix NetScaler Administration Guide Specifying the MSS Value in a TCP Profile ccc cece cence eee eee ee 145 To specify the MSS value in a TCP profile by using the NetScaler command JING EPET E EE E T cnnanaddarsastaddactedeateacnscdemad ba 145 Parameters for specifying the MSS value in a TCP profile aaaea 145 To specify the MSS value in a TCP profile by using the NetScaler configuration CE a A oe taal O a a a a r a a apa aay 145 Configuring the NetScaler to Learn the MSS Value from Bound Services 146 To configure the NetScaler to learn the MSS for a virtual server by using the NetScaler command line 0 0 cece eee eee eee nent en eeen need 146 Parameters for configuring the NetScaler to learn the MSS for a virtual server pe bdadeitind i atte an bei bint hkacd uaaet eo tain ang dns lo ein c
36. a command line interface Used for examples of command line procedures Also used to distinguish interface terms such as names of directories and files from ordinary text lt angle brackets gt A term enclosed in angle brackets is a variable placeholder to be replaced with an appropriate value Do not enter the angle brackets brackets Optional items in command statements For example in the following command range lt positivelnteger gt means that 17 Preface Convention Meaning you have the option of entering a range but it is not required add Ib vserver lt name gt lt serviceType gt lt IPAddress gt lt port gt range lt positivelnteger gt Do not type the brackets themselves vertical bar A separator between options in braces or brackets in command statements For example the following indicates that you choose one of the following load balancing methods lt lbMethod gt ROUNDROBIN LEASTCONNECTION LEASTRESPONSETIME URLHASH DOMAINHASH DESTINATIONIPHASH SOURCEIPHASH SRCIPDESTIPHASH LEASTBANDWIDTH LEASTPACKETS TOKEN SRCIPSRCPORTHASH LRTM CALLIDHASH CUSTOMLOAD ellipsis You can repeat the previous item or items in command statements For example route lt DeviceName gt means you can type additional lt DeviceNames gt separated by commas Documentation Available on the NetScaler
37. a database on the Windows NT 4 0 server A domain user account includes a user name and password and other information about the user When a user logs on to the NetScaler the user enters the user name and password maintained in the domain user account on the Windows NT 4 0 server The NetScaler connects to the Windows NT 4 0 server and passes these credentials to the server The server authenticates the user If you need to configure the NetScaler to authenticate clients against a Windows NT 4 0 primary or backup domain controller you need to specify the server IP address the domain name and the domain administrator user Citrix NetScaler Administration Guide name and password of the person who is authorized to administer the domain These parameters are necessary because the NetScaler joins the domain to communicate authentication data NT4 authentication supports NTLMv1 and NTLMv2 authentication protocols only To configure NT4 authentication by using the configuration utility 1 In the navigation pane expand System and then click Authentication On the Policies tab click Add In Name type a name for the policy In Authentication Type select NT4 Next to Server click New In Server type the name of the server i re ew Complete the settings as they are configured on your Windows NT 4 0 server and click Create 8 In the Create Authentication Policy dialog box next to Named Expressions select the expression click Add Exp
38. action select the action and then click Open 3 In the Add AppFlow Action or Configure AppFlow Action dialog box type a name for the new action or the name of an existing action respectively For allowed characters see Parameters for configuring an AppFlow action 4 Do one of the following to associate collectors with the action e If the collectors that you want are listed click the corresponding check boxes e If you want to specify all the collectors click Activate All e If you want to specify a new collector click Add 5 Click Create or OK depending on whether you are creating a new action or modifying an existing action 6 Click Close A message appears in the status bar stating that the configuration has been successfully implemented Configuring an AppFlow Policy After you configure an AppFlow action you must next configure an AppFlow policy An AppFlow policy is based on a rule which consists of one or more expressions Note For creating and managing AppFlow policies the configuration utility provides assistance that is not available at the NetScaler command line To configure an AppFlow policy by using the NetScaler command line At the NetScaler command prompt type the following command to add an AppFlow policy and verify the configuration add appflow policy lt name gt lt expression gt lt action gt show appflow policy lt name gt Example gt add appflow policy apfl pol tcp dsprt
39. alarm by using the command line At the NetScaler command prompt type the following commands to configure an SNMP alarm and verify the configuration set snmp alarm lt alarm Name gt thresholdValue lt positive_integer gt normalValue lt positive_integer gt time lt secs gt state ENABLED DISABLED severity lt severity gt logging ENABLED DISABLED sh snmp alarm lt alarm Name gt Parameters for configuring SNMP alarms severity Severity level of this alarm Possible values Critical Major Minor Warning Informational Default Informational logging Enable logging of SNMP trap messages by Syslog Possible values ENABLED and DISABLED Citrix NetScaler Administration Guide To configure SNMP alarms by using the configuration utility 1 In the navigation pane expand System expand SNMP and then click Alarms 2 In the details pane select an alarm for example Login Failure and then click Open 3 In the Configure SNMP Alarm dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring SNMP alarms as shown e Severity severity e Logging logging 4 Click OK A message appears in the status bar stating that the alarm has been configured successfully Configuring Traps After configuring the alarms you need to specify the trap listener to which the NetScaler appliance sends the trap messages Apart from spec
40. and XenDesktop servers Offline allows streaming of applications to the client DualMode allows both modes Default Online Kiosk Mode Specifies whether user settings should be persistent or last only for the lifetime of the session When Kiosk mode is enabled user settings do not persist from one session to another Possible values ON OFF Default value OFF Direct Mode The Web interface is accessed through an HTTP or an HTTPS loopback load balancing virtual server Virtual Server Lists existing loopback load balancing virtual servers and an option to create a new one Protocol The type of services to which the virtual server distributes requests Possible values HTTP HTTPS Default HTTP IP Address IP address of the virtual server Can be an IPv4 or IPv6 address 153 Chapter6 Web Interface Port Port on which the virtual server listens for client connections Possible values from 0 through 65535 Gateway Direct Mode The Web interface is accessed through a configured Access Gateway Authentication Point Authentication point to be used for the site Possible values Web interface AccessGateway Default AccessGateway Access Gateway URL URL of the Access Gateway Add DNS Entry Specifies whether to add DNS address record to resolve the specified Access Gateway URL Possible values ON OFF Default ON Trust SSL Certificate Specifies whether the Web interface site trusts certificates sign
41. and services A TCP profile can be reused on multiple virtual servers or services You can use built in TCP profiles or configure custom profiles The following table describes the built in TCP profiles Table 5 2 Built in TCP Profiles Built in profile Description nstcp_default_tcp_lfp This profile is useful for long fat pipe networks WAN on the client side Long fat pipe networks have long delay high bandwidth lines with minimal packet drops nstcp_default_tcp_Inp This profile is useful for long narrow pipe networks WAN on the client side Long narrow pipe networks have considerable packet loss once in a while 138 Citrix NetScaler Administration Guide Built in profile Description nstcp_default_tcp_lan This profile is useful for back end server connections where these servers reside on the same LAN as the NetScaler appliance nstcp_default_tcp_lfp_thin_stream This profile is similar to the nstcp_default_tcp_lfp profile however the settings are tuned for small size packet flows nstcp_default_tcp_Inp_thin_stream This profile is similar to the nstcp_default_tcp_Inp profile however the settings are tuned for small size packet flows nstcp_default_tcp_lan_thin_stream This profile is similar to the nstcp_default_tcp_lan profile however the settings are tuned to small size packet flows nstcp_default_tcp_interactive_stream This profile is simil
42. can use Simple Network Management Protocol SNMP to configure the SNMP agent on the Citrix NetScaler appliance to generate asynchronous events which are called traps The traps are generated whenever there are abnormal conditions on the NetScaler The traps are then sent to a remote device called a trap listener which signals the abnormal condition on the NetScaler appliance Or you can query the SNMP agent for System specific information from a remote device called an SNMP manager The agent then searches the management information base MIB for the data requested and sends the data to the SNMP manager The SNMP agent on the NetScaler can generate traps compliant with SNMPv1 and SNMPv2 only For querying the SNMP agent supports SNMP version 1 SNMPv1 SNMP version 2 SNMPv2 and SNMP version 3 SNMPv3 The following figure illustrates a network with a NetScaler that has SNMP enabled and configured In the figure each SNMP network management application uses SNMP to communicate with the SNMP agent on the NetScaler The SNMP agent searches its management information base MIB to collect the data requested by the SNMP Manager and provides the information to the application Figure 2 1 NetScaler Supporting SNMP Telnet serial port or SSH access to CLI or web GUI access ae SNMP T gt network management l SE application Internet HUB or Switch SNMP agent with MIB II 47 Chapter2 SNMP Impor
43. cddha edanieeadaiganiheat needa Genthagaewaentinen seg heies 63 Configuring the NetScaler for SNMPv3 QueriesS 0 cece cece eee e eee e ete 63 Setting the Engine lD erer sche beaded nye dana ele cue eda Oa wale TEETER 64 To set the engine ID by using the NetScaler command line 65 65 Parameters for setting the engine ID cece cence eects 65 To set the engine ID by using configuration utility 0 eee eee eee eee 65 Configuring a ViOWs e seecde bins ped goes AA DIAAN AEA AEN AETA Ss 65 To add an SNMP view by using the NetScaler command line 65 Parameters for configuring an SNMP view 0 cece eee eee eee ee eee ees 66 To configure an SNMP view by using the configuration utility 66 CONTGUIING aA GOUD rrera ne tiga urrera RAE nE TARARE ERTEAN AAA EA ated ie 66 To add an SNMP group by using the NetScaler command line 66 Parameters for configuring an SNMP group 0 ce cece eee eee eens 67 To configure an SNMP group by using the configuration utility 67 Configuring USER c3 cick d bash disddeiineiesddeigeadaaiged aiadaid araaidanas EAE A 67 To configure a user by using the NetScaler command line 265 67 Parameters for configuring an SNMP user 0c cece eee eee eens 68 To configure an SNMP user by using the configuration utility 68 3 Audit Logging
44. change the time interval for a built in report you can save the report as a custom report The new interval applies to all charts in the report The following table describes the time interval options Table 8 1 Time Intervals Time interval Displays Statistics data collected for the last hour Last Hour a Statistics data collected for the last day Last Day 24 hours ha Statistics data collected for the last Last Week week 7 days 186 Citrix NetScaler Administration Guide Time interval Displays E Statistics data collected for the last Last Month month 31 days a Statistics data collected for the last year Last Year A209 Cay Statistics data collected for a time iod that ted t ify Guten period that you are prompted to specify To modify the time interval 1 In the left pane of the Reporting tool click a report 2 On the report toolbar click Duration and then click a time interval Setting the Data Source and Time Zone You can retrieve data from different data sources to display them in the reports You can also define the time zone for the reports and apply the currently displayed report s time selection to all the reports including the built in reports To set the data source and time zone 1 In the Reporting tool on the report toolbar click Settings 2 In the Settings dialog box in Data Source select the data source from which you want to retri
45. click Sites 157 Chapter6 Web Interface To configure a Web interface site for LAN users using HTTP by using the command line 1 Add a Web interface site Set Direct or Alternate or Translated for the defaultAccessMethod parameter At the NetScaler command prompt type add wi site lt sitePath gt siteType XenAppWeb XenAppServices publishedResourceType Online Offline DualMode kioskMode ON OFF Example add wi site WINS1 siteType XenAppWeb publishedResourceTyp Online kioskMode ON 2 Bind XenApp or XenDesktop farms to the Web interface site At the NetScaler command prompt type bind wi site lt sitePath gt lt farmName gt lt xmlServerAddresses gt xmlPort lt value gt transport HTTP HTTPS loadBalance ON OFF Example binc wi sirce WINSL XAL LO LOZ 46 6 xmlPort 80 transport MIIE LoadBalance OFF bind wi site WINS1 XD1 10 102 46 50 xmlPort 80 transport HTTP LoadBalance OFF 3 Create a service that is a logical representation of the Web interface service running on the NetScaler appliance At the NetScaler command prompt type add service lt name gt lt IP address gt lt serviceType gt lt port gt Example ece service Ti LoOoDoeck Service 127 Oh Orel MITE H0OG0 For more information see the Load Balancing chapter of the Citrix NetScaler Traffic Management Guide at http support citrix com article CTX128670 4 Add an HTTP vserver At the NetScaler command pr
46. compare the bytes received rate and the bytes transmitted rate between two interfaces for the last Week ccc ec ee eee e ee ete eee teen eee eee anees 192 Stopping and Starting the Data Collection Utility 0 eens 193 10 StOp ASCOME Ch reiua aiie ea E i ial adem deo aE E etek ae 194 To start nscollect on the local sySteM 0 ec cc eee eee ete eet eee e eens 194 To start nscollect on the remote system ccc ee cece eee eee en eee ees 195 Examples rahne Vil Gees diet a dha DAA ace ae aai ca Blake ERIN a 195 XV Contents xvi Preface Learn about the Citrix NetScaler collection of documentation including information about support options and ways to send us feedback In This Preface Formatting Conventions for NetScaler Documentation Documentation Available on the NetScaler Appliance Getting Service and Support NetScaler Documentation Feedback For information about new features and enhancements for this release see the Citrix NetScaler 9 3 Release Notes at http support citrix com article CTX128669 Formatting Conventions for NetScaler Documentation The NetScaler documentation uses the following formatting conventions Table 1 Formatting Conventions Convention Meaning Boldface In text paragraphs or steps ina procedure information that you type exactly as shown user input or an element in the user interface Monospace Text that appears in
47. create up to 32 data sources The data collection utility nscollect retrieves data from the NetScaler and updates the data source This utility runs automatically when you start the NetScaler It creates a database for global counters at var log db lt DataSourceName gt The entity specific databases are created based on the entities configured on the NetScaler A specific folder is created for each entity type in var log db lt DataSourceName EntityNameDB gt Before creating a database for an entity nscollect allocates a unique number to the entity and creates the database based on that number It retrieves all the counters available for a group However there is a limit on the number of different entities that nscollect can retrieve as described in the following table Table 8 2 Limits on Entity Numbers Retrieved by nscollect Entity name Limit Content Switching Virtual Servers 100 Cache Redirection Virtual Servers 50 DOS Policies 100 GSLB Domains 100 GSLB Services 100 GSLB Sites 32 GSLB Virtual Servers 100 Interfaces 8 LB Virtual Servers 100 ACLs 100 193 Chapter8 Reporting Tool Entity name Limit ACL6 50 Priority Queuing Policies 100 RNAT IP Addresses 100 SureConnect Policies 100 Services 250 Service Groups 100 System CPU 8 VLAN 25 VPN Virtual Servers 5 The nscollect utility retrieves n number of entity counters and creates
48. fields are shown in the following table Table 4 10 W3C Extended Log File Format Allows Log Fields Field Description Date The date on which the transaction is done Time The time when the transaction is done Client IP The IP address of the client 113 Chapter 4 Web Server Logging Field Description User Name The user name Service Name The service name which is always HTTP Server IP The server IP address Server Port The server port number Method The request method for example GET POST Url Stem The URL stem Url Query The query portion of the URL Http Status The status code in the response Bytes Sent The number of bytes sent to the server request size including HTTP headers Bytes Received The number of bytes received from the server response size including HTTP headers Time Taken The time taken for transaction to complete in seconds Protocol Version The version number of HTTP being used by the client User Agent The User Agent field in the HTTP protocol Cookie The Cookie field of the HTTP protocol Referer The Referer field of the HTTP protocol Creating a Custom Log Format You can customize the display format of the log file data manually or by using the NSWL library By using the custom log format you can derive most of the log formats 114 that Apache curren
49. group edocs group2 authPriv readViewName edocs read view Done gt show snmp group edocs group2 authPriv Citrix NetScaler Administration Guide 1 Name edocs group2 SecurityLevel authPriv ReadViewName docs read view StorageType volatile Status active Done Parameters for configuring an SNMP group name Name of the SNMP view securityLevel The security level of the group Possible values noAuthNoPriv authNoPriv authPriv readViewName SNMP view to be associated with this group To configure an SNMP group by using the configuration utility 1 In the navigation pane expand System expand SNMP and then click Groups 2 In the details pane click Add 3 In the Create SNMP Group or Configure SNMP Group dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring an SNMP group as shown e Name name e Security Level securityLevel e Read View Name readViewName A required parameter 4 Click Create or OK and then click Close A message appears in the status bar stating that the SNMP group has been configured successfully Configuring a User SNMP users are the SNMP managers that the agents allow to access the MIBs Each SNMP user is assigned to an SNMP group You need to configure users at the agent and assign each user to a group To configure a user by using the NetScaler command line At a NetScaler command prompt type t
50. gt sh ntp server INNIS Servers YZ NEL Minimum Poll Interval 6 64secs Maximum Poll Interval 9 512secs ND Servers 10 102 29 3 Minimum Poll Interval 6 64secs Maximum Poll Interval 11 2048secs 126 Citrix NetScaler Administration Guide To modify or remove NTP servers by using the NetScaler command line To modify settings for an NTP server type the set ntp server lt serverIP gt lt serverName gt command and the parameters to be changed with their new values To remove an NTP server type rm ntp server lt serverlP gt lt serverName gt Parameters for configuring an NTP server server IP IP address of the NTP server serverName Domain name of the NTP server minpoll Minimum number of seconds after which the NTP server must poll the NTP messages expressed as a power of 2 Minimum value 4 2 4 16 seconds Maximum value 17 2 17 131072 seconds Default 6 2 6 64 seconds maxpoll Maximum number of seconds after which the NTP server must poll the NTP messages expressed as a power of 2 Minimum value 4 2 4 16 seconds Maximum value 17 2 17 131072 seconds Default 10 2 10 1024 seconds To configure an NTP server by using the configuration utility 1 In the navigation pane expand System and then click NTP Servers 2 In the details pane do one of the following e To add anew NTP server click Add e To modify settings for an existing NTP server select the NTP server and th
51. logged Possible values ALL NONE or one or more of the following EMERGENCY ALERT CRITICAL Citrix NetScaler Administration Guide ERROR WARNING NOTICE INFORMATION DEBUG dateFormat Format of the date stamp Possible values MMDDYYYY DDMMYYYY logFacility The Facility value RFC 3164 assigned to the log message Uses numerical codes 0 to 7 to indicate the type of message originating from the NetScaler for example NS and VPN Possible values LOCALO to LOCAL7 Default LOCALO timeZone Time zone for the time stamp Possible values GMT and Local Default Local tcp Log TCP events Possible values NONE ALL acl Log ACL events Possible values ENABLED DISABLED userDefinedAuditlog Enable user configurable log messages Possible values YES NO appflowExport Export log messages to the AppFlow collectors Possible values ENABLED DISABLED Default DISABLED Log levels defined EMERGENCY Log errors indicating that the NetScaler is experiencing a critical problem that may make it unusable ALERT Log problems that are not critical to current operations but that indicate a need for immediate corrective action to prevent a critical problem CRITICAL Log critical conditions which do not restrict current operations but may escalate to a larger problem ERROR Log messages related to failed NetScaler operations WARNING Log issues that may result in critical errors NOTICE Log even
52. name johnd Prompt String user u at T Prompt Inherited From User Group name Managers Done To unbind a user from a group by using the NetScaler command line At the NetScaler command prompt type the following commands to unbind a user account and verify the configuration 25 Chapter 1 26 Authentication and Authorization unbind system group lt groupName gt userName lt userName gt e show system group lt groupName gt Parameters for configuring a user group groupName Group Name A name for the group you are creating The name can begin with a letter number or the underscore symbol and can consist of from 1 to 31 letters numbers and the hyphen period pound space at sign equals colon and underscore _ symbols Cannot be changed for existing groups userName The name that was assigned to a previously configured user promptString CLI Prompt A name for the NetScaler command line prompt for all the users that are part of this group The name can consist of letters numbers the hyphen period pound space at sign equals colon underscore _ symbols and the following variables u Is replaced by the user name h Is replaced by the host name of the NetScaler appliance t Is replaced by the current time in 12 hour format T Is replaced by the current time in 24 hour format d Is replaced by the current da
53. or OK and then click Close A message appears in the status bar stating that the command policy has been configured successfully Binding Command Policies to Users and Groups Once you have defined your command policies you must bind them to the appropriate user accounts and groups When you bind a policy you must assign it a priority so that the NetScaler appliance can determine which command policy to follow when two or more applicable command policies are in conflict Command policies are evaluated in the following order Command policies bound directly to users and the corresponding groups are evaluated according to priority number A command policy with a lower priority number is evaluated before one with a higher priority number Therefore any privileges the lower numbered command policy explicitly grants or denies are not overridden by a higher numbered command policy When two command policies one bound to a user account and other to a group have the same priority number the command policy bound directly to the user account is evaluated first 31 Chapter 1 32 Authentication and Authorization To bind command policies to a user by using the NetScaler command line At the NetScaler command prompt type the following commands to bind a command policy to a user and verify the configuration bind system user lt userName gt policyName lt policyName gt lt priority gt e sh system user lt userNa
54. see the Citrix NetScaler Policy Configuration and Reference Guide at http support citrix com article CTX128673 action The name of the action associated with the policy 175 Chapter 7 176 AppFlow comment Any comments that you may want to associate with the policy Maximum length 255 characters To include spaces in a comment that you type on the NetScaler command line enclose the entire comment inside quotation marks The quotation marks do not become part of the comment They are not required if you use the configuration utility To configure an AppFlow policy by using the configuration utility 1 2 In the navigation pane expand AppFlow and then click Policies In the details pane do one of the following e To create a new policy click Add e To modify an existing policy select the policy and then click Open In the Create AppFlow Policy or Configure AppFlow Policy dialog box type or select values for the following parameters which correspond to parameters described in Parameters for configuring an AppFlow policy as shown e Name name e Action action e Expression rule You can add the expression in any of three ways 1 You can click Add and choose an existing expression in the Frequently Used Expressions drop down list 2 You can type the expression directly into the supplied text box For brief help and prompts while the cursor is in the text box hold down the CTRL key while y
55. server prefix used by proxies rs Remote server to server prefix used by proxies x Application specific identifier Examples The following examples are defined identifiers that use prefixes cs method The method in the request sent by the client to the server sc Referer The Referer field in the reply c ip The IP address of the client Identifiers The following table describes the W3C Extended log format identifiers that do not require a prefix Citrix NetScaler Administration Guide Table 4 8 W3C Extended Log Format Identifiers No Prefix Required Identifier Description date The date on which the transaction was done time The time when the transaction is done time taken The time taken in seconds for the transaction to complete bytes The number of bytes transferred cached Records whether a cache hit has occurred A zero indicates a cache miss The following table describes the W3C Extended log format identifiers that require a prefix Table 4 9 W3C Extended Log Format Identifiers Requires a Prefix Identifier Description IP The IP address and the port number dns The DNS name status The status code comment The comment returned with status code method The method url The URL url stem The stem portion of the URL url query The query portion of the URL The W3C Extended Log file format allows you to choose log fields These
56. size The size range to which most requests responses belong Contribution of HTTP pages in a certain size range to the overall HTTP traffic To view HTTP request and response size statistics by using the NetScaler command line At the NetScaler command prompt type show protocol httpBand type REQUEST RESPONSE 134 Citrix NetScaler Administration Guide Example show protocol httpBand type R show protocol httpBand type R To view HTTP request and response size statistics by using the configuration utility 1 In the navigation pane expand System and then click Settings 2 In the details pane under Settings click HTTP data band statistics 3 In the HTTP Data Band Statistics dialog box view the HTTP request and HTTP response size statistics on the Request and Response tabs respectively You can also modify the band range for HTTP request or response size statistics To modify the band range by using the NetScaler command line At the NetScaler command prompt type set protocol httpBand reqBandSize lt value gt respBandSize lt value gt Example set protocol httpBand regBandSize 300 respBandSize 2048 Parameters for modifying the band range for HTTP request or response size statistics reqBandSize Band size for HTTP request band statistics in bytes Minimum value 50 Maximum value 2147483647 Default 100 respBandSize Band size for HTTP response band statistics in
57. step 4 on the Entities tab under Available click the entity instance name s you want to plot and then click the gt button 8 Click OK Viewing a Chart You can specify the graphical formats of the plotted counters in a chart Charts can be viewed as line charts spline charts step line charts scatter charts area charts bar charts stacked area charts and stacked bar charts You can also zoom in zoom out or scroll inside the plot area of a chart You can zoom in or out for all data sources for 1 hour 1 day 1 week 1 month 1 year and 3 years Other options for customizing the view of a chart include customizing the axes of the charts changing the background and edge color of the plot area customizing the color and size of the grids and customizing the display of each data set counter in a chart Data set numbers such as Data Set 1 correspond to the order in which the counters in your graph are displayed at the bottom of the chart For example if CPU usage and Memory usage are displayed in first and second order at the bottom of the chart CPU usage is equal to Data Set 1 and Memory usage is equal to Data Set 2 Whenever you modify a built in report you need to save the report as a custom report to retain your changes To change the graph type of a chart 1 In the left pane of the Reporting tool select a report 2 In the right pane under the chart you want to view on the chart toolbar click Customize 3
58. the SNMP alarm for PPS and verify the configuration set snmp alarm PF RL PPS THRESHOLD thresholdValue lt positive_integer gt normalValue lt positive_integer gt state ENABLED DISABLED severity lt severity gt logging ENABLED DISABLED Citrix NetScaler Administration Guide show snmp alarm PF RL PPS THRESHOLD Example gt set snmp alarm PF RL PPS THRESHOLD thresholdValue 70 normalValue 50 Done gt show snmp alarm PF RL PPS THRESHOLD Alarm Alarm Threshold Normal Threshold Time State Severity Logging ESHOLD N A To modify or remove the threshold values by using the NetScaler command line To modify the threshold values type the set snmp alarm PF RL PPS THRESHOLD command and the parameters to be changed with their new values To remove the threshold values type the unset snmp alarm PF RL PPS THRESHOLD command followed by the thresholdValue parameter but do not specify any value for the parameter Note The normal threshold value is automatically unset when you unset the high threshold value Parameters for configuring an SNMP alarm for throughput or PPS thresholdValue The high threshold value which triggers EVENT ALERTSTARTED Minimum value 1 normalValue The normal threshold value which triggers EVENT ALERTENDED state The current state of the alarm Possible values ENABLED DISABLED Default ENABLED severity The sev
59. the client application through which the HTTP request was received by the NetScaler appliance Possible values ENABLED DISABLED Default DISABLED clientTrafficOnly Generate AppFlow records only for the traffic from the client Possible values YES NO Default NO To set the AppFlow parameters by using the configuration utility 1 In the navigation pane click AppFlow 2 On the AppFlow landing page under Settings click Change AppFlow Settings 3 In the Configure AppFlow Settings dialog box specify values for the following parameters which correspond to parameters described in AppFlow Parameters as shown e Template Refresh Interval templateRefresh e AppName Refresh Interval appnameRefresh e Flow Record Export Interval flowRecordinterval e HTTP URL httpUrl e HTTP Cookie httpCookie e HTTP Referer httpReferer e HTTP Method httpMethod e HTTP Host httpHost e HTTP User Agent httpUserAgent e Template Refresh Interval templateRefresh e UDP Maximum Transmission Unit udpPmtu 4 Click OK and then click Close Chapter 8 Reporting Tool Topics Use the Citrix NetScaler Reporting tool to view NetScaler performance statistics data as reports Statistics data are Using the Reporting Tool collected by the nscollect utility and are stored in a database f When you want to view certain performance data over a Stopping and Starting the period of time the Reporting tool pulls out specified da
60. the other servers on your network You can configure clock synchronization on your appliance by adding NTP server entries to the ntp conf file from either the configuration utility or the NetScaler command line or by manually modifying the ntp conf file and then starting the NTP daemon NTPD The clock synchronization configuration does not change if the appliance is restarted upgraded or downgraded However the configuration does not get propagated to the secondary NetScaler in a high availability setup Note If you do not have a local NTP server you can find a list of public open access NTP servers at the official NTP site http Awww ntp org under Public Time Servers List Before configuring your NetScaler to use a public NTP server be sure to read the Rules of Engagement page link included on all Public Time Servers pages Setting Up Clock Synchronization by Using the CLI or the Configuration Utility To configure clock synchronization from the configuration utility or from the CLI you add NTP servers and then enable NTP synchronization To add an NTP server by using the NetScaler command line At the NetScaler command prompt type the following commands to add an NTP server and verify the configuration add ntp server lt serverlP gt lt serverName gt minpoll lt positive_integer gt maxpoll lt positive_integer gt show ntp server Example gt add ntp server 10 102 29 30 minpoll 6 maxpoll iil Done
61. to a specific subtree of the MIB based on various parameters such as security level security model user name and view type It enables you to configure agents to provide different levels of access to the MIB to different managers The Citrix NetScaler supports the following entities that enable you to implement the security features of SNMPv3 SNMP Engines SNMP Views SNMP Groups SNMP Users These entities function together to implement the SNMPv3 security features Views are created to allow access to subtrees of the MIB Then groups are created with the required security level and access to the defined views Finally users are created and assigned to the groups Note The view group and user configuration are synchronized and propagated to the secondary node in a high availability HA pair However the engine ID is neither propagated nor synchronized as it is unique to each NetScaler appliance To implement message authentication and access control you need to Set the Engine ID Configure Views Configure Groups Configure Users Setting the Engine ID 64 SNMP engines are service providers that reside in the SNMP agent They provide services such as sending receiving and authenticating messages SNMP engines are uniquely identified using engine IDs The NetScaler has a unique enginelD based on the MAC address of one of its interfaces It is not necessary to override the enginelD However if you want
62. to access the WINS1 site Figure 6 3 A Web Interface Site Configured for LAN Users Using HTTPS Client C1 3e NetScaler NS1 XenDesktop Farm To configure a Web interface site for LAN users using HTTPS by using the configuration utility 1 In the navigation pane click Web Interface In the details pane click Web Interface Wizard On the wizard Introduction page click Next A WwW N On the wizard Configure Web Interface Site page specify the values for the following parameters which correspond to parameters described in Parameters for configuring Web interface sites on page 153 as shown 159 Chapter 6 160 Web Interface e Site Path You cannot change the name of an existing Web interface site e Site Type e Published Resource Type e Kiosk Mode A required parameter Select Direct Mode and specify values for the following parameters which correspond to parameters described in Parameters for configuring Web interface sites on page 153 as shown e Virtual Server e Protocol select HTTPS e IP Address e Port Note When you create the HTTPS vserver by using the configuration utility the configuration utility automatically creates a service which logically represents the Web interface service running on the NetScaler appliance and binds the service to the HTTPS virtual server For more information about services and virtual servers see the Citrix NetScaler Traffic Management Gu
63. to change the engine ID you can reset it Citrix NetScaler Administration Guide To set the engine ID by using the NetScaler command line At a NetScaler command prompt type the following commands to set the parameters and verify the configuration set snmp engineld lt enginelD gt show snmp engineld Example gt set snmp engineld 8000173f 0300c095f80c68 Done gt show snmp engineld EngineID 8000173 0300c095f 80c68 Done Parameters for setting the engine ID EnginelD Engine ID of the SNMP agent To set the engine ID by using configuration utility 1 In the navigation pane expand System expand SNMP and then click Users 2 In the details pane click Configure Engine ID 3 In the Configure Engine ID dialog box in the Engine ID text box type an engine ID for example 8000173f0300c095f80c68 4 Click OK A message appears in the status bar stating that the engine ID has been modified successfully Configuring a View SNMP views restrict user access to specific portions of the MIB SNMP views are used to implement access control To add an SNMP view by using the NetScaler command line At a NetScaler command prompt type the following commands to set the parameters and verify the configuration add snmp view lt name gt lt subtree gt type included excluded sh snmp view lt name gt Example add snmp view Viewl type included 65 Chapter 2 SNMP Parameters for
64. to one another and binding appropriate command policies to the user accounts and groups This example illustrates how you can use prioritization to grant precise access and privileges to each user in the IT department The example assumes that initial installation and configuration have already been performed on the NetScaler Configuration steps 1 Use the procedure described in Configuring User Accounts on page 22 to create user accounts johnd mariar and michaelb 2 Use the procedure described in Configuring User Groups on page 24 to create user groups Managers and SysOps and then bind the users mariar and michaelb to the SysOps group and the user johnd to the Managers group 3 Use the procedure described in Creating Custom Command Policies on page 28 to create the following command policies e read_all with action Allow and command spec show s system ns ns conf ns runningConfig stat e modify_lb with action as Allow and the command spec set s Ib s e modify_all with action as Allow and the command spec S s system 36 Citrix NetScaler Administration Guide 4 Use the procedure described in Binding Command Policies to Users and Groups on page 31 to bind the read_all command policy to the SysOps group with priority value 1 5 Use the procedure described in Binding Command Policies to Users and Groups on page 31 to bind the modify_lb command policy to user michaelb with p
65. 02 1 loglevel INFORMATIONAL dateformat MMDDYYYY Done gt show audit syslogaction audit actionl 1 Name audit actionl Server IP 10 102 1 1 Porte SIA Loglevel INFORMATIONAL Date Format MMDDYYYY Time Zone GMT TIME Facility LOCALO Tcp Logging NONE ACL Logging DISABLED 73 Chapter 3 74 Audit Logging UserDefinedLogging No AppFlow export DISABLED Done To configure an NSLOG server action by using the command line At the NetScaler command prompt type the following commands to set the parameters and verify the configuration add audit nslogAction lt name gt lt serverIP gt serverPort lt port gt logLevel lt logLevel gt dateFormat MMDDYYYY DDMMYYYY show audit nslogAction lt name gt Example gt aco aucit nelogAcriom nelo act omi 1O 1021 3 serverport 520 loglevel INFORMATIONAL dateFormat MMDDYYYY Done gt show nslogAction nslog actionl 19 Name nslog actionl Server mes MO OA IS Ports 520 Loglevel INFORMATIONAL Date Format MMDDYYYY Time Zone GMT TIME Facility LOCALO Tcp Logging NONE ACL Logging DISABLED UserDefinedLogging No AppFlow export DISABLED Parameters for configuring auditing servers name The name of the SYSLOG server action or NSLOG server action serverIP IP address of the auditing server serverPort Port through which to communicate logLevel Severity levels of messages to be
66. 1992 1993 1994 1995 The Regents of the University of Michigan and Merit Network Inc Copyright 1991 2 RSA Data Security Inc Created 1991 Copyright 1998 Juniper Networks Inc All rights reserved Copyright 2001 2002 Networks Associates Technology Inc All rights reserved Copyright c 2002 Networks Associates Technology Inc Copyright 1999 2001 The Open LDAP Foundation All Rights Reserved Copyright 1999 Andrzej Bialecki All rights reserved Copyright 2000 The Apache Software Foundation All rights reserved Copyright C 2001 2003 Robert A van Engelen Genivia inc All Rights Reserved Copyright c 1997 2004 University of Cambridge All rights reserved Copyright c 1995 David Greenman Copyright c 2001 Jonathan Lemon All rights reserved Copyright c 1997 1998 1999 Bill Paul All rights reserved Copyright c 1994 1997 Matt Thomas All rights reserved Copyright 2000 Jason L Wright Copyright 2000 Theo de Raadt Copyright 2001 Patrik Lindergren All rights reserved Last Updated March 2012 Document code May 21 2012 05 40 33 Contents Pretas ereeg ona eset cals detention cpio negra ies wiy teenie dae se cee E E E G 17 Formatting Conventions for NetScaler Documentation 2002 0eeeeeeeeeeeees 17 Documentation Available on the NetScaler Appliance 2 0eeceeee ee ee eens 18 Getting Service and Support 02 0 cece cece cece e eee rnrn rnrn eeneeeeeeaees
67. 64 1 6 0 07 02 tbz install wi package wi ftp username password 10 102 29 15 var nswi 1 1l tgz jre file var diablo jrefreebsd6 amd64 1 6 0 07 02 tbz 151 Chapter6 Web Interface Parameters for installing the Web interface and JRE tar files Web Interface tar file path Complete path to the Web interface tar file JRE tar file path Complete path to the JRE tar file To install the Web interface and JRE tar files by using the configuration utility 1 2 3 In the navigation pane click Web Interface In the details pane under Getting Started click Install Web Interface In the Install Web Interface dialog box in the Web Interface tar file path text box type the complete path to the Web interface tar file You can also use the browse button to locate the file on your local system or the NetScaler hard drive In the JRE tar file path text box type the complete path to the JRE tar file You can also use the browse button to locate the file on your local system or the NetScaler hard drive Click Install Configuring the Web Interface To configure the Web interface you create a Web interface site and bind one or more XenApp or XenDesktop farms to it You then configure the Web interface to work behind an HTTP or an HTTPS virtual server or Citrix Access Gateway The following access methods are available for setting up Web interface sites 152 Direct Mode You create an HTTP or an HTTPS vi
68. 77 To globally bind an AppFlow policy by using the NetScaler command line 177 To bind an AppFlow policy to a specific virtual server by using the NetScaler commend Denaren eeste Seales Pek eta eel nadie ed eee ane 178 Parameters for binding an AppFlow policy 2 0 0ceeeeeeeeeeeees 178 To globally bind an AppFlow policy by using the configuration utility 178 To bind an AppFlow policy to a specific virtual server by using the configuration utility 00 eee aAA AEAN AAAA AAEE ARS 179 Enabling AppFlow for Virtual Servers 2 0 eccce cece eee eee eee eeeeeeeaees 179 To enable AppFlow for a virtual server by using the NetScaler command line P ose E TE TAEAE E E aa ihe E E E EE 179 xiv Citrix NetScaler Administration Guide To enable AppFlow for a virtual server by using the configuration utility 179 Enabling AppFlow for a Service 02 0 cccce cece cece eee teen teen eeeeaees 180 To enable AppFlow for a service by using the NetScaler command line 180 To enable AppFlow for a service by using the configuration utility 180 Setting the AppFlow Parameters 2 0cece cece cece cece e eee e eset eeeeeeeees 180 To set the AppFlow Parameters by using the NetScaler Command Line 180 To return AppFlow parameters to their default values by using the NetScaler commend INC eave retines eas pee ian ad ce eine ete ew ted 181 AppFlow Parameters 02202cc
69. CITRIX Citrix NetScaler Administration Guide Citrix NetScaler 9 3 Copyright and Trademark Notice CITRIX SYSTEMS INC 2012 ALL RIGHTS RESERVED NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK SUCH AS TRANSLATION TRANSFORMATION OR ADAPTATION WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS INC ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT S DESCRIBED IN THIS MANUAL CITRIX SYSTEMS INC OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT S DESCRIBED IN THIS DOCUMENT INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE COMPANIES NAMES AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED The following information is for FCC compliance of Class A devices This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to part 15 of the FCC rules These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruction manual may cause harmful interferenc
70. EQ URL bypassSafetyCheck YES Done gt show audit messageaction log actl iL Name log actl LOGMSGSicies VOLLeme s VSHEICIINGE LE SRC accessed HTTP REQ URL Loglevel CRITICAL Log2Newnslog NO BypassSafetyCheck YE Aicss 0 Undef Hits 0 Action Reference Count Parameters for configuring an audit message action name The name of the audit message action The name can begin with a letter number or the underscore symbol and can consist of up to 127 characters including letters numbers and hyphen period pound space at sign equal sign colon and underscore _ symbols logLevel The log level for the message action Possible values EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL DEBUG NONE stringBuilderExpr The expression that defines the format of the log message For a complete description of NetScaler expressions see the Citrix NetScaler Policy Configuration and Reference Guide For a link to the guide see the Documentation Library bypassSafetyCheck Bypass the safety check and allow unsafe expressions Possible values YES NO Default NO logtoNewnslog Log messages in newnslog format in addition to logging them in syslog format Possible values YES NO Default NO Citrix NetScaler Administration Guide To configure an audit message action by using the configuration utility 1 In the navigation pane expand System expand Auditing an
71. Guide A required parameter Click Create or OK and then click Close A message appears in the status bar stating that the SNMP user has been configured successfully 69 Chapter2 SNMP 70 Chapter 3 Audit Logging Topics Configuring the NetScaler Appliance for Audit Logging Installing and Configuring the NSLOG Server Running the NSLOG Server Customizing Logging on the NSLOG Server Default Settings for the Log Properties Sample Configuration File audit conf Auditing is a methodical examination or review of a condition or situation The Audit Logging feature enables you to log the Citrix NetScaler states and status information collected by various modules in the kernel and in the user level daemons For audit logging you have the options to configure SYSLOG the native NSLOG protocol or both SYSLOG is a standard protocol for logging It has two components the SYSLOG auditing module which runs on the NetScaler appliance and the SYSLOG server which can run on the underlying FreeBSD operating system OS of the NetScaler appliance or on a remote system SYSLOG uses user data protocol UDP for the transfer of data Similarly the native NSLOG protocol has two components the NSLOG auditing module which runs on the NetScaler appliance and the NSLOG server which can run on the underlying FreeBSD OS of the NetScaler appliance or ona remote system NSLOG uses transmission control protocol TCP
72. Kel s Collectors collector l collecter 3 Tessa Action Reference Count To modify or remove an AppFlow action by using the NetScaler command line To modify an AppFlow action type the set appflow action command the name of the action and the parameters to be changed with their new values To remove an AppFlow action type the rm appflow action command and the name of the action Parameters for configuring an AppFlow action name A name for your new action or the name of the existing action you want to modify The name can begin with a letter number or the underscore symbol and can consist of from one to 127 letters numbers and the hyphen period pound space at sign equals colon and underscore _ symbols collectors The name of a set of configured collectors comment Any comments that you may want to associate with the policy Maximum length 255 characters To include spaces in a comment that you type on the NetScaler command line enclose the entire comment inside quotation marks The quotation marks do not become part of the comment They are not required if you use the configuration utility 173 Chapter 7 AppFlow To configure an AppFlow action by using the configuration utility 1 In the navigation pane expand AppFlow and then click Actions 2 In the details pane do one of the following e To create a new action click Add e To modify an existing
73. L RATE PKTS DROPPED state ENABLED DISABLED severity lt severity gt logging ENABLED DISABLED To configure an SNMP alarm for packets dropped because of excessive PPS by using the NetScaler command line At the NetScaler command prompt type set snmp alarm PF RL PPS PKTS DROPPED state ENABLED DISABLED severity lt severity gt logging ENABLED DISABLED Citrix NetScaler Administration Guide Parameters for configuring an SNMP alarm for dropped packets state The current state of the alarm Possible values ENABLED DISABLED Default ENABLED severity The severity level of the alarm Possible values Critical Major Minor Warning Informational Default SNMP_SEV_UNKNOWN logging Log the alarm Possible values ENABLED DISABLED Default value ENABLED To configure an SNMP alarm for dropped packets by using the configuration utility 1 In the navigation pane expand System expand SNMP and then click Alarms 2 In the details pane do one of the following e Select PF RL RATE PKTS DROPPED to configure an SNMP alarm for packets dropped because of excessive throughput e Select PF RL PPS PKTS DROPPED to configure an SNMP alarm for packets dropped because of excessive PPS 3 Click Open 4 In the Configure SNMP Alarm dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring an SNMP alarm for dropped packets as
74. Messages userDefinedAuditlog option is enabled for when configuring the audit action server to which you want to send the logs in a defined format For more information about enabling policy based logging on a audit action server see Binding the Audit Policies Globally on page 78 The related audit policy is bound to system global For more information about binding audit policies to system global see Binding the Audit Policies Globally on page 78 Configuring an Audit Message Action You can configure audit message actions to log messages at various log levels either in syslog format only or in both syslog and newnslog formats Audit message actions use expressions to specify the format of the audit messages To create an audit message action by using the NetScaler command line At the NetScaler command prompt type add audit messageaction lt name gt lt logLevel gt lt stringBuilderExpr gt logtoNewnslog YES NO bypassSafetyCheck YES NO 79 80 Chapter 3 Audit Logging To modify or remove an audit message action by using the NetScaler command line To modify an audit message action type the set audit messageaction command the name of the action and the parameters to be changed with their new values To remove an audit message action type the rm audit messageaction command and the name of the action Example gt add audit messageaction log actl CRITICAL Given CllEN lee SRCE waecesiseda aE TTP R
75. NIP s Network settings Default Gateway VLAN RHI NTP and DNS settings HA node definitions Feature and mode settings revert to their default values Full level Clearing your configuration at the full level returns all settings to their factory default values However the NSIP and default gateway are not changed because changing them could cause the NetScaler to lose network connectivity To clear a configuration by using the NetScaler command line At the NetScaler command prompt type the following command 133 Chapter5 Advanced Configurations clear ns config lt basic advanced full gt Example gt clear ns config basic Are you sure you want to clear the configuration Y N N Y Done Parameters for clearing a configuration level A level representing the extent to which to clear the configuration Possible values basic extended full To clear a configuration by using the configuration utility 1 In the navigation pane expand System and then click Diagnostics 2 In the details pane under Maintenance click Clear Configuration 3 In the Clear Configuration dialog box for Configuration Level select an option for example basic 4 Click Run A message appears in the status bar stating that the configuration has been refreshed successfully Viewing the HTTP Band Statistics You can view HTTP band statistics to obtain useful information such as Average request response band
76. RADIUS authentication and your RADIUS server is configured to use Password Authentication Protocol you can strengthen user authentication by assigning a strong shared secret to the RADIUS server Strong RADIUS shared secrets consist of random sequences of uppercase and lowercase letters numbers and punctuation and are at least 22 characters long If possible use a random character generation program to determine RADIUS shared secrets To further protect RADIUS traffic assign a different shared secret to each NetScaler appliance or virtual server When you define clients on the RADIUS server you can also assign a separate shared secret to each client If you do this you must configure separately each NetScaler policy that uses RADIUS authentication Shared secrets are configured on the NetScaler when a RADIUS policy is created Configuring IP address extraction You can configure the NetScaler to extract the IP address from a RADIUS server When a user authenticates with the RADIUS server the server returns a framed IP address that is assigned to the user The following are attributes for IP address extraction Allows a remote RADIUS server to supply an IP address from the internal network for a user logged on to the NetScaler Allows configuration for any RADIUS attribute using the type ipaddress including those that are vendor encoded When configuring the RADIUS server for IP address extraction you configure the vendor identif
77. SA logiInterval Daily logFileSizeLimit 20 logFilenameFormat datadisk5 netscaler log v NS m d OW Co LOG logtime GMT end CACHE F 117 Chapter 4 Web Server Logging i i i i i i i i i FEAE E EEEE W3C Format logging new file on reaching 20MB and the log file path name is atadisk6 netscaler log server s ip Exmmyydd log with log record timestamp as LOCAL HEREREHE EH begin IMAGE SERVER logFormat W3C logIinterval Size logFileSizeLimit 20 logFilenameFormat datadisk6 netscaler log A logtime LOCAL end IMAGE SERVER tat E EEEE a Ex Sm dSy t Virtual Host by Name firm can filter out the logging based on the host name by EAE E EEEE E Piltcer YHostT 7 IP 10 101 215 NEMMASK 255 255 295 0 begin VHOST F logFormat W3C logInterval Daily logFileSizeLimit 10 logFilenameFormat ns prod vhost v Ex smsd y t end VHOST F H eHeHeHHEHL END FILTER CONFIGURATION H 4 444 Arguments for Defining a Custom Log Format The following table describes the data that you can use as the Log Format argument string 118 Table 4 11 Custom Log Format Argument Specifies a The remote IPv4 address A The local IPv4 address ab The remote IPv6 address A6 The local IPv6 address B The bytes sent excluding the HTTP headers response size Citrix NetScaler A
78. Scaler command prompt type bind ssl vserver lt vserverName gt certkeyName lt certificate KeyPairName gt Example bined sel veesrver HITES WI CertkeyNemna SSl Cerrkey i For more information see Binding an SSL Certificate Key Pair to the Virtual Server in the Secure Sockets Layer SSL Acceleration chapter of the Citrix NetScaler Traffic Management Guide at http support citrix com article CTX128670 Add a rewrite action At the NetScaler command prompt type add rewrite action lt name gt lt type gt lt target gt lt stringBuilderExpr gt pattern lt expression gt Example add rewrite action Replace RETE tO HTTPS INSERT AFTER VISHUMEI ISUDYS ISheyAID IIR C WIG aLOin Wellies 0 Wiesner AL Mey Citrix NetScaler Administration Guide For more information see Configuring a Rewrite Action in the Rewrite chapter of the Citrix NetScaler AppExpert Guide at http support citrix com article CTX128682 9 Create a rewrite policy and bind the rewrite action to it At the NetScaler command prompt type add rewrite policy lt name gt lt expression gt lt rewriteAction gt Example Ede rewire POliley rewire locacion VRARI RAS o STATUS 5027 ME HTTP RES HEADER Location Value 0 startswith http IRS LEGS EMME ico Ines For more information see Configuring a Rewrite Policy in the Rewrite chapter of the C
79. Server Logging feature and you can modify the size of the buffer that stores the logged information before sending the logged information to the NetScaler Web Logging NSWL client Enabling or Disabling Web Server Logging Web server logging is enabled by default To enable or disable Web server logging by using the NetScaler command line At the NetScaler command prompt type the following relevant commands to add or remove Web server logging and verify the configuration enable ns feature WL disable ns feature WL sh ns feature Example gt enable ns feature WL Done sh ns feature Feature Acronym SIECICUS 1 Web Logging WL ON 2 Surge Protection SE ON 24 NetScaler Push push OFF Done gt gt disable ns feature WL Done sh ns feature Fearne Acronym Status 1 Web Logging WL OFF 2 Surge Protection SP ON 24 NetScaler Push push OFF 94 Citrix NetScaler Administration Guide Done To enable or disable Web server logging by using the configuration utility 1 In the navigation pane expand System and then select Settings 2 In the details pane under Modes and Features click Change advanced features 3 In the Configure Advanced Features dialog box select the Web Logging check box to enable the Web logging feature or clear the check box to disable the feature 4 Click OK 5 In the Enable Disable Feature s dialog box click Yes A message appears in the status bar stating that the feat
80. a TACACS server provide the server IP address and the TACACS secret The port needs to be specified only when the server port number in use is something other than the default port number of 49 To configure TACACS authentication by using the configuration utility 1 In the navigation pane expand System and then click Authentication On the Policies tab click Add In Name type a name for the policy In Authentication Type select TACACS In Name type a name for the server 2 3 4 5 Next to Server click New 6 7 Under Server type the IP address and port number of the TACACS server 8 Under TACACS server information in TACACS Key and Confirm TACACS key type the key 9 In Authorization select ON and click Create 10 In the Create Authentication Policy dialog box next to Named Expressions select the expression click Add Expression click Create and click Close After the TACACS server settings are configured on the NetScaler bind the policy to the system global entity For more information about binding authentication policies globally see Binding the Authentication Policies to the System Global Entity on page 45 Configuring NT4 Authentication 44 You can configure the NetScaler appliance to use Windows NT LAN Manager NTLM authentication to authenticate users against the user database on a Windows NT 4 0 domain controller A Windows NT 4 0 domain controller maintains domain user accounts in
81. ae Ale Zhe 147 To configure the NetScaler to learn the MSS for a virtual server by using the NetScaler configuration utility 0 0 cece cece eee eee een eee eee e eee 147 6 Webinterface ccia a a R Tete a atsaynsaa ne tases a a a 149 How Web Interface Wokou sero ccna ee ae eae ene eves CET nes One er aa 150 Prerequisites ig ncuiteaiiadwanedialatitaghileddadceiidelhat ciietduhvenhiaaeied bob SAA 150 Installing the Web Interface ce cece een eect eee eee tenner e eee nn nent nee e anes 151 To install the Web interface and JRE tar files by using the NetScaler command line EA ais Set MERA ied ta Bok Sait MAREN Sate A iat cst Fe Raa ee eda At ates Pal 151 Parameters for installing the Web interface and JRE tar files 08 152 To install the Web interface and JRE tar files by using the configuration utility 152 Configuring the Web Interface 00 ccc ce eect eee t netted teen eben need 152 Parameters for configuring Web interface siteS 00 2 cece eect e eee eee ees 153 Configuring a Web Interface Site for LAN Users Using HTTP 0065 155 To configure a Web interface site for LAN users using HTTP by using the configuration utility 00 cece NE ENEE iA NEEE AAEE CENAA 156 To configure a Web interface site for LAN users using HTTP by using the comman MNEs miaa ETE ETERA hide EE EATE ada ate eaenids oe ea had 158 Configuring a Web Interface Site for LAN Users Using HTTPS
82. aler authentication and authorization you must first define the users who have access to the NetScaler appliance and then you can organize these users into groups After configuring users and groups you need to configure command policies to define types of access and assign the policies to users and or groups You must log on as an administrator to configure users groups and command policies The default NetScaler administrator user name is nsroot After logging on as the default administrator you should change the password for the nsroot account Once you have changed the password no user can access the NetScaler appliance until you create an account for that user If you forget the administrator password after changing it from the default you can reset it to nsroot 21 Chapter 1 Authentication and Authorization Configuring Users and Groups You must define your users by configuring accounts for them To simplify the management of user accounts you can organize them into groups You can also customize the NetScaler command line prompt for a user Prompts can be defined in a user s configuration in a user group configuration and in the global configuration The prompt displayed for a given user is determined by the following order of precedence 1 Display the prompt as defined in the user s configuration 2 Display the prompt as defined in the group configuration for the user s group 3 Display the prompt as defin
83. ame gt lt VirtualServer IP address gt Example In the following example you specify an IP address of 192 168 100 0 and netmask of 255 255 255 0 The fi lter applies to IP addresses 192 168 100 1 through 192 168 100 254 Filter Fl HOST www netscaler Filter F2 HOST www netscaler ON Filter F3 HOST www netscaler LQZ LOD LOO L52 ON Piltesr 4 I 192 168 LOO 151 atlkesie 25 T 192 LES L00 LSL OHE Filter F6 HOST www netscaler HOST www abcxyz com IP 192 1 COMERON Com IP 192 168 i100 i Sil Com IP 192 169 100 Loi HOST www netscaler com com HOST www xyz com 68 100 200 ON Pailliew Wy Ie 192 250 100 0 NEUMASIK 255 255 255 60 Filter F8 HOST www xyz com I 2D gt 2955255 0 One P 192 250 100 0 NETMASK For creating filters for servers having IPv6 addresses Pilte r9 2002338 LI2 ON Filter F10 HOST www abcd com g Log Properties LES Z2OOZS sts ON Log properties are applied to all log entries associated with the filter The log property definition begins with the keyword BEGIN and ends with END as illustrated in the following example BEGIN lt filtername gt HOCIMOMENE 6 55 logFilenameFormat logInterval LOCGPAIMSSLAS 555 4 log BOLUS 5 456 logTime END 107 Chapter4 Web Server Logging Entries in the definition can include the following LogFormat specifies the Web server logging feature that supports NCSA W3C Extended and custom lo
84. anager with the required NetScaler specific information You can add up to a maximum of 100 SNMP managers or networks For an IPv4 SNMP manager you can specify a host name instead of the manager s IP address If you do so you must add a DNS name server that resolves the host name of Citrix NetScaler Administration Guide the SNMP manager to its IP address You can add up to a maximum of five host name based SNMP managers If you do not configure at least one SNMP manager the NetScaler appliance accepts and responds to SNMP queries from all IP addresses on the network If you configure one or more SNMP managers the appliance accepts and responds only to SNMP queries from those specific IP addresses If you remove an SNMP manager from the NetScaler configuration that manager can no longer query the NetScaler To add an SNMP manager by using the NetScaler command line At the NetScaler command prompt type the following commands to set the parameters and verify the configuration add snmp manager lt PAddress gt netmask lt netmask gt show snmp manager Example gt add snmp manager 10 102 29 10 Done gt show snmp manager all 1 102 295 2555255 25952299 Done To add an SNMP manager by specifying its IP address using the NetScaler command line At the NetScaler command prompt type the following commands to set the parameters and verify the configuration add snmp manager lt PAddress gt
85. ar to the nstcp_default_tcp_lan profile however it has a reduced delayed ACK timer and ACK on PUSH packet settings nstcp_internal_apps This profile is useful for internal applications on the NetScaler appliance for example GSLB sitesyncing This contains tuned window scaling and SACK options for the desired applications This profile should not be bound to applications other than internal applications nstcp_defualt_profile This profile represents the default global TCP settings on the NetScaler appliance To add a TCP profile by using the NetScaler command line At the NetScaler command prompt type the following commands to add a TCP profile and verify the configuration 139 Chapter5 Advanced Configurations add ns tcpProfile name WS ENABLED DISABLED SACK ENABLED DISABLED WSVal lt value gt nagle ENABLED DISABLED ackOnPush ENABLED DISABLED maxBurst value initialCwnd lt value gt delayedAck lt value gt oooQSize lt value gt maxPktPerMss lt value gt pktPerRetx lt value gt minRTO lt value gt slowStartIncr lt value gt sh ns tcpProfile Example Sickel me tTOpProrile veo Prorilal WS MNABID SNC ENABLED WSVal 4 nagle DISABLED ackOnPush ENABLED maxBurst 10 initialCwnd 6 delayedAck 200 oooQSize 100 maxPktPerMss 0 pktPerRetx 3 minRTO 200 slowStartIncr 3 Parameters for creating a TCP profile
86. at which logging finished Date lt date gt lt time gt Displays the date and time when the entry was added Remark lt text gt Displays comments Analysis tools ignore data recorded in this field Note The Version and Fields directives are required They precede all other entries in the log file Example The following sample log file shows the log entries in W3C Extended log format Version 1 0 Fields time cs method cs uri Date 12 Jan 1996 00 00 00 00 34 23 GET sports football html 12 21 16 GET sports football html 111 Chapter 4 112 Web Server Logging 12345852 GET SPOrTtS TOOwoaIl s Imr 12357 3934 GET soorcs coool I a mrm Fields The Fields directive lists a sequence of field identifiers that specify the information recorded in each entry Field identifiers may have one of the following forms identifier Relates to the transaction as a whole prefix identifier Relates to information transfer between parties defined by the value prefix prefix header Specifies the value of the HTTP header field header for transfer between parties defined by the value prefix Fields specified in this manner always have the type lt string gt The following table describes defined prefixes Table 4 7 Prefix Descriptions Prefix Specifies c Client s Server r Remote cs Client to server sc Server to client sr Server to remote
87. ata over long fat networks LFNs A TCP window determines the amount of outstanding unacknowledged by the recipient data a sender can send on a particular connection before receiving any acknowledgment from the receiver The main purpose of the window is flow control The window size field in the TCP header is 16 bits which limits the ability of the sender to advertise a window size larger than 65535 2 16 1 The TCP window scale extension expands the definition of the TCP window by applying a scale factor to the value in the 16 bit window size field of the TCP header Although RFC 1323 describes expanding the definition to up to 30 bits NetScaler window scaling expands the definition of the TCP window to up to 24 bits The scale factor is carried in the new TCP window scale field This field is sent only in a SYN packet a segment with the SYN bit on To fit a larger window size value into the 16 bit field the sender right shifts the value by the number of bit positions specified by the scale factor The receiver left shifts the value by the same number of positions Therefore the actual window size is equivalent to 2 lt scale factor gt lt received window size gt Before configuring window scaling make sure that You do not set a high value for the scale factor because this could have adverse effects on the NetScaler and the network You have enabled selective acknowledgement SACK 130 Citrix NetScale
88. ate contains a set of standard Information Elements IEs and Enterprise specific Information Elements EIEs IPFIX templates define the order and sizes of the Information Elements IE in the flow record The templates are sent to the collectors at regular intervals as described in RFC 5101 A template can include the following EIEs transactionlD An unsigned 32 bit number identifying an application level transaction For HTTP this corresponds to a request and response pair All flow records that correspond to this request and response pair have the same transaction ID In the most common case there are four uniflow records that correspond to this transaction If the NetScaler generates the response by itself served from the integrated cache or by a security policy there may be only two flow records for this transaction connectionID An unsigned 32 bit number identifying a layer 4 connection TCP or UDP The NetScaler flows are usually bidirectional with two separate flow records for each direction of the flow This information element can be used to link the two flows For the NetScaler connectionID is an identifier for the connection data structure to track the progress of a connection In an HTTP transaction for instance a given connectionID may have multiple transactionID elements corresponding to multiple requests that were made on that connection tcpRTT The round trip time in milliseconds as measured on the TCP connectio
89. b Interface Works e Prerequisites Installing the Web Interface Configuring the Web Interface The Web Interface on Citrix NetScaler appliances is based on Java Server Pages JSP technology and provides access to Citrix XenApp and Citrix XenDesktop applications Users access resources through a standard Web browser or by using the Citrix XenApp plug in The Web Interface runs as a service on port 8080 on the NetScaler appliance To create Web Interface sites Java is executed on Apache Tomcat Web server version 6 0 26 on the NetScaler appliance The Web Interface sites provide user access to the XenApp and XenDesktop resources which include applications content and desktops Note This feature is supported only on NetScaler nCore builds The Web Interface installation includes installing the Web Interface tar file and JRE tar file on the NetScaler appliance To configure the Web Interface you create a Web Interface site and bind one or more XenApp or XenDesktop farms to it 149 Chapter6 Web Interface How Web Interface Works The following figure illustrates a basic Web interface session Figure 6 1 A Basic Web Interface Session Web Web Interface on browser NetScaler SS es z _ i Citrix XML Service Citrix servers User device HTML page Resource set Server farm Following is a typical set of interactions among a user device a NetScaler running the Web interface and a se
90. be longer than 63 characters timeout CLI Idle Session Timeout Secs Time out value in seconds for inactive CLI sessions for a system user If a user s CLI session is idle for a time that exceeds the time out value the NetScaler appliance terminates the connection 23 Chapter 1 Authentication and Authorization To configure a user account by using the configuration utility 1 In the navigation pane expand System and click Users 2 In the details pane do one of the following e To create a user account click Add e To modify an existing user account select the user and then click Open 3 In the Create System User or Configure System User dialog box set the following parameters e User Name Cannot be changed for an existing user e Password e Confirm Password e CLI Prompt e CLI Idle Session Timeout Secs A required parameter 4 Click Create or OK and then click Close A message appears in the status bar stating that the user has been configured successfully Configuring User Groups After configuring a user group you can easily grant the same access rights to everyone in the group To configure a group you create the group and bind users to the group You can bind each user account to more than one group Binding user accounts to multiple groups may allow more flexibility when applying command policies To create a user group by using the NetScaler command line At the NetScaler command prompt type th
91. bind it You can then add additional policies at any time without having to change the priority of an existing policy For additional information about binding policies on the NetScaler see the Citrix NetScaler Traffic Management Guide at http support citrix com article CTX128670 To globally bind an AppFlow policy by using the NetScaler command line At the NetScaler command prompt type the following command to globally bind an AppFlow policy and verify the configuration bind appflow global lt policyName gt lt priority gt lt gotoPriorityExpression type lt type gt invoke lt labelType gt lt labelName gt show appflow global 177 Chapter 7 178 AppFlow To bind an AppFlow policy to a specific virtual server by using the NetScaler command line At the NetScaler command prompt type the following command to bind an appflow policy to a specific virtual server and verify the configuration bind lb vserver lt name gt policyname lt policy_name gt priority lt priority gt Parameters for binding an AppFlow policy name The name of the virtual server to which you are binding the AppFlow policy policyname The name of the AppFlow policy that you want to bind priority A number specifying the priority assigned to this policy The lower the number the higher the priority The priority determines the order in which policies are evaluated allowing the NetScaler to evaluate the most specific policy fir
92. bind wi site lt sitePath gt lt farmName gt lt xmlServerAddresses gt xmlPort lt value gt transport HTTP HTTPS loadBalance ON OFF Example bind wi site WINS1 XAL 10 102 46 6 xmlPort 80 transport HTTP LoadBalance OFF bind wi site WINS1 XD1 10 102 46 50 xmlPort 80 transport HTTP LoadBalance OFF Chapter 7 AppFlow Topics How AppFlow Works Configuring the AppFlow Feature The Citrix NetScaler appliance is a central point of control for all application traffic in the data center It collects flow and user session level information valuable for application performance monitoring analytics and business intelligence applications AppFlow transmits the information by using the Internet Protocol Flow Information eXport IPFIX format which is an open Internet Engineering Task Force IETF standard defined in RFC 5101 IPFIX the standardized version of Cisco s NetFlow is widely used to monitor network flow information AppFlow defines new Information Elements to represent application level information Using UDP as the transport protocol AppFlow transmits the collected data called flow records to one or more IPv4 collectors The collectors aggregate the flow records and generate real time or historical reports AppFlow provides visibility at the transaction level for HTTP SSL TCP and SSL_TCP flows You can sample and filter the flow types that you want to monitor AppFlow use actions and po
93. bytes Minimum value 50 Maximum value 2147483647 Default 1024 135 Chapter5 Advanced Configurations To modify the band range by using the configuration utility 1 In the navigation pane expand System and then click Settings 2 In the details pane under Settings click HTTP data band Statistics Do one or both of the following e To modify the band range of HTTP request statistics click the Request tab click the Request tab and then click Configure In Change HTTP Request Band Size dialog box enter a value for example 300 in Request Data Band Size text field and then click OK e To modify the band range of HTTP response statistics click the Response tab and then click Configure In Change HTTP Response Band Size dialog box enter a value for example 2048 in Response Data Band Size text field and then click OK 3 Click Close Configuring HTTP Profiles An HTTP profile is a collection of HTTP parameter settings that can be applied to virtual servers and services An HTTP profile can be reused on multiple virtual servers or services You can use built in HTTP profiles or configure custom profiles The following table describes the built in HTTP profiles Table 5 1 Built in HTTP Profiles Built in profile Description nshttp_default_strict_validation Settings for deployments that require strict validation of HTTP requests and responses nshttp_default_profile The default global HTTP settings fo
94. caler Administration Guide Example gt set ns tcpProfile profilel bufferSize 12000 Done gt show ns tcpProfile profilel Name profilel Window Scaling status DISABLE Window Scaling factor 4 TCP Buffer Size 12000 bytes Reference count 0 To set the TCP buffer size in the global TCP profile by using the NetScaler command line At the NetScaler command prompt type the following commands to set the TCP buffer size in the global TCP profile and verify the configuration set ns tcpProfile nstcp_default profile bufferSize lt positive integer gt show ns tcpProfile nstcp default profile Example gt SOG ng wee nerca Cerewilge prorile bufferSize 12000 Done gt show ns tcpProfile nstcp default_profile Name 5 nstToo Ceiault prorile Window Scaling status DISABLE Window Scaling factor 4 TCP Buffer Size 12000 bytes Reference count 200 143 Chapter5 Advanced Configurations Parameters for setting the TCP buffer size in a TCP profile name Name of the TCP profile Maximum length 127 characters bufferSize TCP buffer size in bytes Maximum value 4194304 Minimum value 8190 Default 8190 To set the TCP buffer size in a TCP profile by using the NetScaler configuration utility 1 In the navigation pane expand System and then click Profiles 2 In the details pane click the TCP Profiles tab and then do one of the following e To create a custom entity level TCP profile click Ad
95. ce by using an HTTP vserver The Web interface exposes its own login page for authentication The vserver IP address is used to access the Web interface The following figure illustrates the Web interface running on the NetScaler appliance NS1 A Web interface site WINS1 is created and a XenApp farm XA1 and a XenDesktop farm XD1 are bound to it An HTTP vserver HTTP_WI is also created Client C1 uses the IP address of the HTTP_WI vserver to access the WINS1 site 155 Chapter6 Web Interface Figure 6 2 A Web Interface Site Configured for LAN Users Using HTTP Son Client C1 NetScaler NS1 a XenDesktop Farm To configure a Web interface site for LAN users using HTTP by using the configuration utility 1 In the navigation pane click Web Interface 2 In the details pane click Web Interface Wizard 3 On the wizard Introduction page click Next 4 On the wizard Configure Web Interface Site page specify the values for the following parameters which correspond to parameters described in Parameters for configuring Web interface sites on page 153 as shown e Site Path You cannot change the name of an existing Web interface site e Site Type e Published Resource Type e Kiosk Mode A required parameter 156 5 Citrix NetScaler Administration Guide Select Direct Mode and specify values for the following parameters which correspond to parameters described in Parameters for configuring Web interface sites o
96. cedure and policy ordering rules Configuring External User Authentication External user authentication is the process of authenticating the users of the Citrix NetScaler appliance by using an external authentication server The NetScaler supports LDAP RADIUS TACACS and NT4 authentication servers To configure external user authentication you must create authentication policies You can configure one or many authentication policies depending on your authentication needs An authentication policy consists of an expression and an action Authentication policies use NetScaler classic expressions which are described in detail in the Citrix NetScaler Policy Configuration and Reference Guide at http support citrix com article CTX128673 After creating an authentication policy you bind it to the system global entity and assign a priority to it You can create simple server configurations by binding a single authentication policy to the system global entity Or you can configure a cascade of authentication servers by binding multiple policies to the system global entity If no 37 Chapter 1 Authentication and Authorization authentication policies are bound to the system users are authenticated by the onboard system Note User accounts must be configured on the NetScaler appliance before users can be externally authenticated You must first create an onboard system user for all users who will access the appliance so that you can bi
97. cee ee eee e ennnen eee teen eee eeeeeeaeeees 181 To set the AppFlow parameters by using the configuration utility 182 8 Reporting Tolesni e e EE TEES 183 Using the Reporting Tool 02 cece cece EErEE EIEEE ARER eee RA RI TARTEA AATE 184 To invoke the Reporting tool cece cece eect e eee eee eee n nett eee e anes 184 Working with Repone n oceni derar eann K ra E AEA A een eee AA RANEE 184 Using Built in Reports is ecs reisinin aw ta rie br ton Ri eed T A 185 Creating and Deleting Reports 0 ccc ee eee cece eee eee eee teen eens 185 Modifying the Time Interval 2 cc ce eee e eee ene eee ee nent enn eens 186 Setting the Data Source and Time Zone 00 c cece cece eee eee nent e eens 187 Exporting and Importing Custom Reports 0 eece cece cece eect ees 187 Working with Ghamts 2 pot scepeaiewa ceviuaie sins oe eee ea ade ee ee ae ers herbs 188 Adding a Chart erreren ba oeketrenp aiden dare EO EAE A Seadtihuntl aces 188 Modifying a Chal noesa a h peace aah cea edd ag ead AA EEEa aA ee 188 Viewing a Chat 2 2 aiiwin cee bine caddie ta r R hain E E A gence euihart 189 Deleting a Gharts 4 ees es dete ds pace es eis seid cakes bet 192 Examples chins s ctenet E E a ig thane ating EE a ENEN eae 192 To display the trend report for CPU usage and memory usage for the last week bah irs Wace ped ae alate dearayosciaa h doa get ad Saas aoa Bacon A A det Barbour somnee 192 To
98. ch filter has an associated set of log properties Log properties define how to store the filtered log information Creating Filters You can use the default filter definition located in the configuration file audit log conf or you can modify the filter or create a new filter You can create more than one log filter Note For consolidated logging if a log transaction occurs for which there is no filter definition the default filter is used if it is enabled The only way you can configure consolidated logging of all the Citrix NetScaler appliances is by defining the default filter To create a filter At the command prompt type the following command in the configuration file auditlog conf filter lt filterName gt IP lt ip gt NETMASK lt mask gt ON OFF lt filterName gt Specify the name of the filter maximum of 64 alphanumeric characters lt ip gt Specify the IP addresses lt mask gt Specify the subnet mask to be used on a subnet Specify ON to enable the filter to log transactions or specify OFF to disable the filter If no argument is specified the filter is ON Examples filter Fl IP 192 168 100 151 ON To apply the filter F2 to IP addresses 192 250 100 1 to 192 250 100 254 filter F2 IP 192 250 100 0 NETMASK 255 255 255 0 ON 89 Chapter3 Audit Logging filterName is a required parameter if you are defining a filter with other optional parameters such as IP address or the combinati
99. ciate any community string to a query type then the SNMP agent responds to all SNMP queries of that type To specify an SNMP community by using the NetScaler command line At the NetScaler command prompt type the following commands to set the parameters and verify the configuration add snmp community lt communityName gt lt permissions gt sh snmp community Example gt add snmp community com all Done gt show snmp community com Community com Permissions ALL Done Parameters for configuring an SNMP community string communityName SNMP community string permissions Access privileges Possible values GET GET NEXT GET BULK ALL To configure an SNMP community string by using the configuration utility 1 In the navigation pane expand System expand SNMP and then click Community Citrix NetScaler Administration Guide 2 In the details pane click Add 3 In the Create SNMP Community dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring an SNMP community string as shown e Community String communityName e Permission permissions A required parameter 4 Click Create and then click Close A message appears in the status bar stating that the SNMP community string has been configured successfully To remove an SNMP community string by using the configuration utility 1 In the navigation pane expand System clic
100. cies to a group by using the NetScaler command line At the NetScaler command prompt type the following commands to bind a command policy to a user group and verify the configuration bind system group lt groupName gt policyName lt policyName gt lt priority gt sh system group lt groupName gt Example gt bind system group Managers policyName read all 1 Done gt sh system group Managers Group name Managers User name johnd Command policy read all Pyeakoreslic we IL To unbind command policies from a group by using the NetScaler command line At the NetScaler command prompt type the following commands to unbind a command policy from a user group and verify the configuration unbind system group lt groupName gt policyName lt policyName gt sh system group lt groupName gt Parameters for binding a command policy to a group groupName The name of an existing user group policyName The name of an existing command policy priority The priority assigned to this command policy 33 Chapter 1 Authentication and Authorization To bind command policies to a group by using the configuration utility 1 In the navigation pane expand System and then click Groups 2 In the details pane select the group to which you want to bind a command policy and then click Open 3 In the Configure System Group dialog box under Command Policies all the command policies configured on your NetSca
101. click inside the chart and drag the cursor in the direction for which you want to see data for a new time period For example if you want to view data in the past click and drag to the left To change the background color and text color of a chart 1 In the left pane of the Reporting tool select a report 2 In the right pane under the chart for which you want to customize the axes click Customize 3 On the Chart tab under Category click one or more of the following e To change the background color click Background Color and then select the options for color transparency and effects e To change the text color click Text Color and then select the options for color transparency and effects To customize the axes of a chart 1 In the left pane of the Reporting tool select a report 2 In the right pane under the chart for which you want to customize the axes click Customize 3 On the Chart tab under Category click one or more of the following e To change the scale of the left y axis click Left Y Axis and then select the scale you want e To change the scale of the right y axis click Right Y Axis in Data set to plot select the date set and then select the scale you want Note The data set numbers such as Data Set 1 correspond to the order in which the counters in your graph are displayed at the bottom of the chart For 190 Citrix NetScaler Administration Guide example if CPU usage and Mem
102. configuration utility 45 To unbind a global authentication policy by using the configuration utility 45 Di SNMP secotceais snes nace icats E alg tek aA aces tan eet 47 Importing MIB Files to the SNMP Manager and Trap Listener ceeeee eee eee 48 To import the MIB files to the SNMP manager and trap listener 48 Configuring the NetScaler to Generate SNMPv1 and SNMPv2 Traps 48 Enabling or Disabling an SNMP Alarm 0 0 0 cece eee eee eee tener ene e renee 49 To enable or disable an SNMP alarm by using the command line 49 To enable or disable an SNMP alarm by using the configuration utility 49 Configuring AlarMS rese 2 cece cence AEEA AEPA A NANAS AAAA KA a AENA a 50 To configure an SNMP alarm by using the command line 0e eee 50 Parameters for configuring SNMP alarms 0 ce eee eener 50 To configure SNMP alarms by using the configuration utility 51 vi Citrix NetScaler Administration Guide Configuring Taps e sessed ey tas hes fea tee a ee 51 To add an SNMP trap by using the NetScaler command line 51 Parameters for configuring SNMP traps cece cece eee eee eter eens 52 To configure SNMP Traps by using the configuration utility 52 Enabling Unconditional SNMP Trap Logging cece eee eee eee eee eens 53 To enable or disable uncondi
103. configure Web server logging to create a separate log directory for each Web site The following table displays the parameters for creating a filter Table 4 4 Parameters for Creating a Filter Parameter Specifies filterName Name of the filter maximum 64 alphanumeric characters HOST name Host name of the server for which the transactions are being logged IP ip IP address of the server for which transactions are to be logged for example if the server has multiple domains that have one IP address IP ip 2 ip n Multiple IP addresses for example if the server domain has multiple IP addresses ip6 ip IPv6 address of the server for which transactions are to be logged IP ip NETMASK mask IP addresses and netmask combination to be used on a subnet ON OFF Enable or disable the filter to log transactions If no argument is selected the filter is enabled ON 106 To create a filter To create a filter enter the following command in the log conf file filter lt filterName gt lt HOST name gt IP lt ip gt IP lt ip 2 ip n gt lt IP ip NETMASK mask gt ON OFF filter lt filterName gt lt HOST name gt IP6 ip lt prefix length gt ON OFF Citrix NetScaler Administration Guide To create a filter for a virtual server To create a filter for a virtual server enter the following command in the log conf file filter Specifyin lt filterN
104. configuring an SNMP view name Name of the SNMP view subtree Subtree of the MIB type Whether the subtree needs to be included or excluded To configure an SNMP view by using the configuration utility 1 In the navigation pane expand System expand SNMP and then click Views 2 In the details pane click Add 3 In the Create SNMP View or Configure SNMP View dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring an SNMP view as shown e Name name e Subtree subtree e Type type A required parameter 4 Click Create or OK and then click Close A message appears in the status bar stating that the SNMP view has been configured successfully Configuring a Group 66 SNMP groups are logical aggregations of SNMP users They are used to implement access control and to define the security levels You can configure an SNMP group to set access rights for users assigned to that group thereby restricting the users to specific views You need to configure an SNMP group to set access rights for users assigned to that group To add an SNMP group by using the NetScaler command line At a NetScaler command prompt type the following commands to set the parameters and verify the configuration add snmp group lt name gt lt securityLevel gt readViewName lt string gt show snmp group lt name gt lt securityLevel gt Example add snmp
105. cs by using the NetScaler command ING 3555 haere Sh pase wadeindeeaad epee densaedd E E AAE ERAT 134 To view HTTP request and response size statistics by using the configuration utility EE E duttelee AiG A dik dee e CoG Meee da genre as etbbue A gata A T apie lee 135 To modify the band range by using the NetScaler command line 135 Parameters for modifying the band range for HTTP request or response size SlaliStiCS 2ctapiiaciavedetaimdaed Gedadedadilvepeeinelait Gabi di dea eneebariedand Aa 135 To modify the band range by using the configuration utility ee 136 Configuring HTTP Profiles mesas niiae a cece cence teen eee eee nner EA TE EAE ES 136 To add an HTTP profile by using the NetScaler command line 005 136 Parameters for adding an HTTP profile cece cece cence aneneen 137 To add an HTTP profile by using the configuration utility cece eee 138 Configuring TCP Profiles 22 0024 cceageceas Maeda sae aad eae Wenge eda sae ERDERA 138 To add a TCP profile by using the NetScaler command line ee eee 139 Parameters for creating a TCP profile 0 c cece cece e eee eee nennen 140 To add a TCP profile by using the configuration utility 0 cece eee eee eee 141 Specifying a TCP Buffer Size uian verir eect tenet EECA EERS Y 142 To set the TCP buffer size in an entity level TCP profile by using the NetScaler COMMANG NING
106. d n Inserts a new line p The equivalent of either a m or p m for the locale r The appropriate time representation in 12 hour clock format with p S The seconds 00 61 the range of values is 00 61 rather than 00 59 to allow for the occasional leap second and for the double leap second t Inserts a tab u The day of the week as a decimal number 1 7 1 represents Sunday 2 represents Tuesday and so on U The number of the week in the year as a decimal number 00 53 with Sunday as the first day of week 1 W The day of the week as a decimal number 0 6 0 represents Sunday W Specifies the number of the week in the year as a decimal number 00 53 Monday is the first day of week 1 y The number of the year within the century 00 99 For example 5 would be the fifth year of that century Y The year including the century for example 1993 Note If you specify a conversion that does not correspond to any of the ones described in the preceding table or to any of the modified conversion specifications listed in the next paragraph the behavior is undefined and returns 0 122 Citrix NetScaler Administration Guide The difference between U and W and also between modified conversions OU and OW is the day considered to be the first day of the week Week number 1 is the first week in January starting with a Sunday for U or a Monday for W Week numb
107. d and in the Create TCP Profile dialog box type a name for the new profile e To set the TCP buffer size for an existing TCP profile click the name of the TCP profile and then click Open If you want to set the TCP buffer size in the global TCP profile click nstcp_default_profile 3 In the Create TCP Profile or Configure TCP Profile dialog box in the TCP Buffer Size Bytes box type the number of bytes to specify as the minimum TCP buffer size 4 Click Create or OK Optimizing the TCP Maximum Segment Size for a Virtual Server Configuration You can specify the Maximum Segment Size MSS that the Citrix NetScaler appliance advertises to a client when the client initiates a connection to a virtual server on the appliance You can configure the MSS for the virtual servers configured on the appliance in two ways You can set the MSS for each virtual server to a value of your choice in a TCP profile You can set the learnVsvrMSS global TCP parameter to ENABLED to enable MSS learning for all the virtual servers configured on the appliance If you know the optimal MSS value for a given virtual server you can specify the MSS in a TCP profile and bind the profile to the virtual server When a client initiates a connection with the virtual server the NetScaler appliance advertises the specified MSS value to the client However if the appliance is also configured to learn the optimum MSS value from bound services as d
108. d server ip s HEHEHE HHT HE Pailicew CAC P GOST vini o netscaler Com Te 192 168 100 89 192 168 100 95 192 1660 100 52 192 196 190753 ON EEEE EHEH netscaler origin server exampl Not interested in Origin server to Cache traffic transaction logging EERE HHT HE Dallie we OIIGIIN SIRWAGRYS ILE 102 os OO gt A OZ 1S 100 6s IQA LS MOO GS TOYZ SS 100 67 192166 OO 225 192 168 100 226 LIZ LGS 100 227 192 168 1007229 Om HEEHE HHT HE netscaler image server exampl all the image server logging ERER HHT HE Filter IMAGE SERVER HOST www netscaler images com IP 192 168 100 Hil 192168 100 72 192 16S OO 169 192 168 100 170 1923163 ALG Orn ON HEEHE HEHEHE NCSA Format logging new file is created every day midnight or on reaching 20MB file size and the file name is datadisk5 netscaler log NS lt hostname gt Nsmmddyy log Exclude objects that ends with gif jpg jar EERE HEH begin ORIGIN SERVERS logFormat NCSA logInterval Daily logFileSizeLimit 40 logFilenameFormat datadisk5 ORGIN log v NS 3m d sy t log logExclude oG a JOG o JEE end ORIGIN_SERVERS HEEHE HHT H NCSA Format logging new file is created every day midnight or on reaching 20MB file size and the file name is datadisk5 netscaler log NS lt hostname gt Nsmmddyy log with log record timestamp as GMT EERE HHT HE begin CACHE F logFormat NC
109. d then click Message Actions 2 In the details pane do one of the following e To create a new audit message action click Add e To modify an existing audit message action select the action and then click Open 3 In the Create Message Action or Configure Message Action dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring an audit message action as shown e Name name e Log Level logLevel e Log Message stringBuilderExpr e Bypass Safety Check bypassSafetyCheck To specify YES select the check box e Log in newnslog logtoNewnslog To specify YES select the check box A required parameter 4 Click Create or OK and then click Close The audit message action that you configured appears in the details pane Binding Audit Message Action to a Policy After you have created an audit message action you must bind it to a rewrite or responder policy For more information about binding log message actions to a rewrite or responder policy see the Rewrite or the Responder chapter of the Citrix NetScaler Application Security Guide For a link to the guide see the Documentation Library Installing and Configuring the NSLOG Server During installation the NSLOG server executable file auditserver is installed along with other files The auditserver executable file includes options for performing several actions on the NSLOG server inc
110. directorypath gt log conf lt directorypath gt Specifies the path to the configuration file log conf 2 At the next prompt enter the following information e NSIP Specify the IP address of the NetScaler appliance e User name Specify the user name of the NetScaler appliance e Password Specify the password Note If you add multiple NetScaler IP addresses NSIP and later you do not want to log all of NetScaler system log details you can delete the NSIPs manually by removing the NSIP statement at the end of the log conf file During a failover setup you must add both primary and secondary NetScaler IP addresses to the log conf by using the command Before adding the IP address make sure the user name and password exist on the NetScaler appliances Citrix NetScaler Administration Guide Verifying the NSWL Configuration File To make sure that logging works correctly check the NSWL configuration file log conf on the client system for syntax errors To verify the configuration in the NSWL configuration file At the client system command prompt type nswl verify f lt directorypath gt log conf lt directorypath gt Specifies the path to the configuration file log conf Running the NSWL Client To start Web server logging At the client system command prompt type nswl start f lt directorypath gt log conf lt directorypath gt Specifies the path to the configuration file log conf To stop Web
111. dministration Guide Argument Specifies b The bytes received excluding the HTTP headers request size d A user defined field g The Greenwich Mean Time offset for example 0800 for Pacific Standard Time h The remote host H The request protocol Foobar i The contents of the Foobar header line s in the request sent to the server The system supports the User Agent Referer and cookie headers The after the in this format informs the logging client to use the as a word separator j The bytes received including headers request size J The bytes sent including headers response size l The remote log name from identd if supplied m The request method M The time taken to serve the request i n microseconds Foobar o The contents of Foobar header line s in the reply USER AGENT Referer and cookie headers are supported p The canonical port of the server serving the request q The query string prefixed with a question mark if a query string exists 119 Chapter4 Web Server Logging Argument Specifies r The first line of the request S For requests that were redirected internally this is the status of the original request t The time in common log format standard English time format format t The time in the form given by format m
112. e Add an HTTPS vserver At the NetScaler command prompt type add Ib vserver lt virtualServerName gt lt protocol gt lt IPAddress gt lt port gt Example ecko lo veerver BITES WL SSilb 10 10229 9 Aas For more information see Adding an SSL Based Virtual Server in the Secure Sockets Layer SSL Acceleration chapter of the Citrix NetScaler Traffic Management Guide at http support citrix com article CTX128670 Bind the Web interface service to the HTTPS vserver At the NetScaler command prompt type bind lb vserver lt virtualServerName gt lt serviceName gt Example bind lb vserver HTTPS WI WI Loopback Service For more information see Binding Services to the Virtual Server in the Secure Sockets Layer SSL Acceleration chapter of the Citrix NetScaler Traffic Management Guide at http support citrix com article CTX128670 Create an SSL certificate key pair At the NetScaler command prompt type add ssl certkey lt certificate KeyPairName gt cert lt certificateFileName gt key lt privateKeyFileName gt Example add ssl certkey SSL Certkey 1 cert nsconfig ssl testl cer key nsconfig ssl testl For more information see Adding a Certificate Key Pair in the Secure Sockets Layer SSL Acceleration chapter of the Citrix NetScaler Traffic Management Guide at http support citrix com article CTX128670 Bind the SSL certificate key pair to the HTTPS vserver At the Net
113. e NSWL client including running and stopping the NSWL client In addition you use the nswl executable to configure the NSWL client with the IP addresses of the NetScaler appliances from which the NSWL client will start collecting logs Configuration settings are applied in the NSWL client configuration file log conf Then you start the NSWL client by executing the nswl executable The NSWL client configuration is based on the settings in the configuration file You can further customize logging on the NSWL client system by making additional modifications to the NSLOG server configuration file auditlog conf The following table lists the operating systems on which the NSWL client is supported Table 4 1 Supported Platforms for the NSWL Client Operating system Version Windows Windows XP Professional Windows Server 2003 Windows 2000 NT Windows Server 2008 Windows Server 2008 R2 Mac OS Mac OS 8 6 or later Linux RedHat Linux 4 or later SUSE Linux Enterprise 9 3 or later Solaris Solaris Sun OS 5 6 or later Citrix NetScaler Administration Guide Operating system Version FreeBSD FreeBSD 6 3 or later The following table describes the minimum hardware specifications for the platform running the NSWL client Table 4 2 Minimum Hardware Specification for Platforms Running the NSWL Client Operating system Hardware requirements For Windows Linux FreeBSD e
114. e eee eens 115 Creating Apache Log Formats 0 ccc ce eee ee eee teen eee teen eee enes 116 Sample Configuration File 0 0 cece cence eee eee ENEE EEFT b enn enn een nee ed 116 Arguments for Defining a Custom Log Format 0 ccc cece cece eee eee eects 118 Time Format Deninitlon ves hess4 see a oe deeded E EEE deans 121 9 Advanced Configurations sie Gveree a O EE rE a teenie 125 Configuring Clock Synchronization 00 c cece cence eee teen teen ee ten eee ne ened 126 Setting Up Clock Synchronization by Using the CLI or the Configuration Utility 126 To add an NTP server by using the NetScaler command line 126 To modify or remove NTP servers by using the NetScaler command line 127 Parameters for configuring an NTP Server 0 ceeceeee eee eee e ee aees 127 To configure an NTP server by using the configuration utility 127 Starting or Stopping the NTP Daemon 00 cece eee eee e eee eee e eee eee enee 128 To enable or disable NTP synchronization by using the NetScaler command ING Sg dees tot cetera E ce ee Ste At a tele tos tes te le ea 128 To enable or disable NTP synchronization by using the configuration utility 128 Configuring Clock Synchronization Manually 00 cee cece cece eee eee eens 128 To enable clock synchronization on your NetScaler by modifying the NP CONTIG v cxy an Geis ea a a eos ayes ML faced adhe wlth
115. e eee ees 100 To install the NSWL client package on a Mac OS operating system 100 To uninstall the NSWL client package on a Mac OS operating system 101 Installing NSWL Client on a Windows Operating System e cece eee 101 To download NSWL client package from www Citrix cOM eee eee es 101 To install the NSWL client on a Windows system 00 cece eee eens 101 To uninstall the NSWL client on a Windows system 0 cee eee ee ees 102 Installing NSWL Client on an AIX Operating System 0 cece eee eee ees 102 To install the NSWL client package on an AIX operating system 102 To uninstall the NSWL client package on an AIX operating system 102 To get more information about the NSweblog RPM file 0 00 103 To view the installed Web server logging fileS 00 cece eeee eee tees 103 NSWL Client Command Options 02 0c cece cee eee eee eee eee rnrn rnrn 103 Adding the IP Addresses of the NetScaler Appliance 2 0 0e eee eens 104 To add the NSIP address of the NetScaler appliance 2 2 05 104 Verifying the NSWL Configuration File 0 cece eee eee eee e eee 105 To verify the configuration in the NSWL configuration file 0 105 Running the NSWL Client 2 0 0 cece eect nent nee tenet nee nne etn e tans 105 To start Web server lOgQing
116. e following commands to create a user group and verify the configuration add system group lt groupName gt promptString lt string gt timeout lt secs gt show system group Example gt add system group Managers promptString Group Managers at h Done gt show system group 1 Group name groupl 2 Group name Managers Prompt String Group Managers at h Done 24 Citrix NetScaler Administration Guide To modify or remove a user group by using the NetScaler command line To modify a user group type the set system group lt groupName gt command and the parameters to be changed with their new values To remove a user group type rm system group lt groupName gt To bind a user to a group by using the NetScaler command line At the NetScaler command prompt type the following commands to bind a user account to a group and verify the configuration bind system group lt groupName gt userName lt userName gt show system group lt groupName gt Example gt bind system group Managers userName userl Done gt bind system group Managers userName johnd Done gt show system group Managers Group name Managers Prompt String Group Managers at h User name userl User name johnd Done gt show system user userl User name userl Prompt String Group Managers at sh Prompt Inherited From Group Group name Managers Done gt show system user johnd User
117. e log file The name of the file can be either of the following e Static Is a constant string that specifies the absolute path and file name e Dynamic Is an expression containing the following format specifiers 90 Citrix NetScaler Administration Guide Date format t creates directory with NSIP The directory separator depends on the operating system In Windows use the directory separator Example ILyYOC Dalinacieoiey Clavell oliiie2 olare3 In the other operating systems Linux FreeBsd Mac etc use the directory separator Loginterval specifies the interval at which new log files are created Use one of the following values e Hourly A file is created every hour Default value e Daily A file is created very day at midnight e Weekly A file is created every Sunday at midnight e Monthly A file is created on the first day of the month at midnight e None A file is created only once when audit server logging starts e Size A file is created only when the log file size limit is reached Example LogInterval Hourly LogFileSizeLimit specifies the maximum size in MB of the log file A new file is created when the limit is reached Note that you can override the loginterval property by assigning size as its value The default LogFileSizeLimit is 10 MB Example LogFileSizeLimit 35 Default Settings for the Log Properties The following is an example of the default filter with de
118. e server side connection However for optimum results make sure that the values specified for a virtual server and the services bound to it have the same value The buffer size that you specify is used only when the connection is associated with endpoint application functions such as SSL and compression You set the TCP buffer size in a custom entity level TCP profile by setting the bufferSize parameter for the profile To apply the buffer size setting specified in a custom entity level profile you bind the profile to the virtual server or service You set the global TCP buffer size by setting the bufferSize parameter in the global TCP profile nstcp default profile You do not bind nstcp default profile to an entity The settings in nstcp default profile are automatically applied globally Note A high TCP buffer value could limit the number of connections that can be made to the NetScaler appliance Additionally the global TCP parameter recvBuffSize which was set by the use of the set ns tcpParam command has been deprecated You can now specify the buffer size only through TCP profiles To set the TCP buffer size in an entity level TCP profile by using the NetScaler command line At the NetScaler command prompt type the following commands to set the TCP buffer size in a TCP profile and verify the configuration set ns tcpProfile lt name gt bufferSize lt positive integer gt show ns tcpProfile lt name gt 142 Citrix NetS
119. e the user name and password exist on the system Verifying the NSLOG Server Configuration File Check the configuration file audit log conf_ for syntax correctness to enable logging to start and function correctly To verify configuration at a command prompt type the following command audserver verify f lt directorypath gt auditlog conf lt directorypath gt Specifies the path to the configuration file audit log conf Running the NSLOG Server To start audit server logging Type the following command at a command prompt audserver start f lt directorypath gt auditlog conf lt directorypath gt Specifies the path to the configuration file audit log conf To stop audit server logging that starts as a background process in FreeBSD or Linux Type the following command audserver stop To stop audit server logging that starts as a service in Windows Type the following command 88 Citrix NetScaler Administration Guide audserver stopservice Customizing Logging on the NSLOG Server You can customize logging on the NSLOG server by making additional modifications to the NSLOG server configuration file log conf Use a text editor to modify the log conf configuration file on the server system To customize logging use the configuration file to define filters and log properties Log filters Filter log information from a NetScaler appliance or a set of NetScaler appliances Log properties Ea
120. e to radio communications Operation of this equipment in a residential area is likely to cause harmful interference in which case users will be required to correct the interference at their own expense Modifying the equipment without Citrix written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices In that event your right to use the equipment may be limited by FCC regulations and you may be required to correct any interference to radio or television communications at your own expense You can determine whether your equipment is causing interference by turning it off If the interference stops it was probably caused by the NetScaler appliance If the NetScaler equipment causes interference try to correct the interference by using one or more of the following measures Move the NetScaler equipment to one side or the other of your equipment Move the NetScaler equipment farther away from your equipment Plug the NetScaler equipment into an outlet on a different circuit from your equipment Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses Modifications to this product not authorized by Citrix Systems Inc could void the FCC approval and negate your authority to operate the product BroadCom is a registered trademark of BroadCom Corporation Fast Ramp NetScaler and NetScaler Request Switch are trademarks of
121. ecutable use the following command rpm i NSweblog rpm This command extracts the files and installs them in the following directories e usr local netscaler etc e usr local netscaler bin e usr local netscaler samples To uninstall the NSWL client package on an AIX operating system At a command prompt type 102 rpm e NSweblog Citrix NetScaler Administration Guide To get more information about the NSweblog RPM file At a command prompt type rpm qpi rpm To view the installed Web server logging files At a command prompt type rpm qpl rpm NSWL Client Command Options The following table describes the commands that you can use to configure the NSWL client Table 4 3 NSWL Command Options NSWL command Specifies nswl help The available NSWL help options nswl addns f lt path to configuration file gt The system that gathers the log transaction data You are prompted to enter the IP address of the NetScaler appliance Enter a valid user name and password nswl verify f lt path to configuration file gt Check for syntax or semantic errors in the configuration file for example log conf nswl start f lt path to configuration file gt Start the NSWL client based on the settings in the configuration file for example log conf For Solaris and Linux To start Web server logging as a background process type the ampersand sign amp at the end of the co
122. ed by a non trusted CA Possible values ON OFF Default ON STA Server URL URL of the Secure Ticket Authority STA server STA Server URL 2 URL of the second STA server Session Reliability Specifies whether to use session reliability through the Access Gateway Possible values ON OFF Default OFF Use Two STA Servers Specifies whether the Web interface requests tickets from two separate gateway Secure Ticket Authorities when a resource is accessed Possible values ON OFF Default OFF Name Name of a XenApp or XenDesktop farm Any name can be used as a logical representation of a XenApp or XenDesktop farm The name must not exceed 127 characters 154 Citrix NetScaler Administration Guide XML Service Addresses Commaz separated IP addresses or host names of either XenApp or XenDesktop servers providing XML services XML Service Port Port number to use for contacting the XML service Default 80 Transport Transport protocol to use for the XML service Possible values HTTP HTTPS Default HTTP Load balance Specifies whether to use all the XML servers load balance mode or only one failover mode Possible values ON load balance mode OFF failover mode Default ON Configuring a Web Interface Site for LAN Users Using HTTP In this scenario user and the Web interface setup are on the same enterprise LAN The enterprise has both a XenApp and a XenDesktop farm Users access the Web interfa
123. ed in the system global configuration You can now specify a time out value for inactive CLI sessions for a system user If a user s CLI session is idle for a time that exceeds the time out value the NetScaler appliance terminates the connection The timeout can be defined in a user s configuration in a user group configuration and in the global configuration The time out for inactive CLI sessions for a user is determined by the following order of precedence 1 Time out value as defined in the user s configuration 2 Time out value as defined in the group configuration for the user s group 3 Time out value as defined in the system global configuration Configuring User Accounts 22 To configure user accounts you simply specify user names and passwords You can change passwords and remove user accounts at any time To create a user account by using the NetScaler command line At the NetScaler command prompt type the following command to create a user account and verify the configuration add system user lt userName gt promptString lt string gt timeout lt secs gt show system user Example gt add system user userl Enter password Confirm password Done gt add system user johnd promptString user Su at T Enter password Confirm password Done Citrix NetScaler Administration Guide gt show system user 1 User name nsroot 2 User name userl 3 User name johnd Prompt St
124. eeeeeeaes 27 Creating Custom Command Policies 00200 cece eect e eee eee eee teeters 28 To create a command policy by using the NetScaler command line 30 To modify or remove a command policy by using the NetScaler command line PEE E scant outer a E E can ene sana ee anaes NT E soa 30 Parameters for configuring a command policy cee eee eee eee eee ees 30 To configure a command policy by using the configuration utility 31 Binding Command Policies to Users and GroupS 02 0eeeeeee eee tease 31 To bind command policies to a user by using the NetScaler command line 32 To unbind command policies from a user by using the NetScaler command a EE E chpaustaparteen addoalsadamoedetsenaadenand ta hidumiddondads 32 Contents Parameters for binding a command policy to a USer 22 02e cece eee eee 32 To bind command policies to a user by using the configuration utility 32 To bind command policies to a group by using the NetScaler command line EE E Qua deeantegt det Bel E E ated dea beac E E deans TE TE 33 To unbind command policies from a group by using the NetScaler command ING oie sons a a boca dens ated Shine pena ons Ganado as SEER E EIS ay 33 Parameters for binding a command policy to a group 220eeee eee 33 To bind command policies to a group by using the configuration utility 34 Resetting the Default Administrator nsroot PaSSwo
125. en click Open 3 In the Create NTP Server or Configure NTP Server dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring an NTP server as shown e NTP Server serverlP or serverName Cannot be changed for an existing NTP server e Minimum Poll minpoll e Maximum Poll maxpoll A required parameter 4 Click Create or OK and then click Close A message appears in the status bar stating that the NTP server has been configured successfully 127 Chapter 5 Advanced Configurations Starting or Stopping the NTP Daemon When you enable NTP synchronization the NetScaler starts the NTP daemon and uses the NTP server entries in the ntp conf file to synchronize its local time setting If you do not want to synchronize your NetScaler time with the other servers in the network you can disable NTP synchronization which stops the NTP daemon NTPD To enable or disable NTP synchronization by using the NetScaler command line At the NetScaler command prompt type one of the following commands enable ntp sync disable ntp sync To enable or disable NTP synchronization by using the configuration utility 1 In the navigation pane expand System and then click NTP Servers 2 On the NTP Servers page click NTP Synchronization ON or NTP Synchronization OFF Configuring Clock Synchronization Manually 128 You can configure clock synchr
126. eport the System Overview chart appears with the CPU Usage counter plotted for the last one day To plot a different group of statistics or select a different counter see Modifying a Chart on page 188 Note If you add charts to a built in report and you want to retain the report you must save the report as a custom report Use the following procedure to add a chart to a report To add a chart to a report 1 In the left pane of the Reporting tool click a report 2 Under the chart where you want to add the new chart click the Add icon Modifying a Chart You can modify a chart by changing the functional group for which the statistics are displayed and by selecting different counters To modify a chart 1 In the left pane of the Reporting tool click a report Under the chart that you want to modify click Counters In the dialog box that appears in the Title box type a name for the chart mw ON Next to Plot chart for do one of the following e To plot counters for global counters such as Integrated Cache and Compression click System global statistics e To plot entity counters for entity types such as Load Balancing and GSLB click System entities statistics 5 In Select group click the desired entity 188 Citrix NetScaler Administration Guide 6 Under Counters in Available click the counter name s that you want to plot and then click the gt button 7 If you selected System entities statistics in
127. er In the Create SNMP Manager dialog box do one of the following e To specify the host name of an SNMP manager select Management Host and set the following parameters Host Name IPAddress Resolve Retry secs domainResolveRetry Important If you specify the SNMP manager s host name instead of its IPv4 address you must configure a DNS name server to resolve the host name to the SNMP manager s IP address For more information see the instructions for adding a name server in the Citrix NetScaler Traffic Management Guide For a link to the guide see the Documentation Library e To specify the IPv4 address of an SNMP manager select Management Network and set the following parameters IP Address IPAddress Netmask netmask Click Create and then click Close A message appears in the status bar stating that the SNMP manager has been configured successfully 57 Chapter 2 SNMP Specifying an SNMP Community 58 You can create strings called community strings and associate them with the following SNMP query types on the NetScaler GET GET NEXT e ALL GET BULK You can associate one or more community strings to each query types For example when you associate two community strings such as abc and bcd to the query type GET NEXT the SNMP agent on the NetScaler appliance considers only those GET NEXT SNMP query packets that contain abc or bcd as the community string If you don t asso
128. er 0 contains the days before the first Sunday or Monday in January for U and W 123 Chapter4 Web Server Logging 124 Chapter 5 Advanced Configurations Topics Configuring Clock Synchronization Viewing the System Date and Time Configuring TCP Window Scaling Configuring Selective Acknowledgment Clearing the Configuration Viewing the HTTP Band Statistics Configuring HTTP Profiles Configuring TCP Profiles Specifying a TCP Buffer Size Optimizing the TCP Maximum Segment Size for a Virtual Server Configuration You can configure network time protocol to synchronize a Citrix NetScaler appliance s local clock with the other servers on the network If you enable path maximum transmission unit PMTU discovery the NetScaler can use it to determine the maximum transmission unit of any Internet channel For more efficient data transfer you can configure TCP window scaling and selective acknowledgment You can clear any basic or extended configuration on your NetScaler You can view statistics associated with HTTP request and response sizes For applying a specific HTTP and TCP settings to vservers and services you can configure HTTP and TCP profiles 125 Chapter5 Advanced Configurations Configuring Clock Synchronization You can configure your NetScaler appliance to synchronize its local clock with a Network Time Protocol NTP server This ensures that its clock has the same date and time settings as
129. erity level of the alarm Possible values Critical Major Minor Warning Informational Default SNMP_SEV_UNKNOWN 61 Chapter 2 SNMP logging Log the alarm Possible values ENABLED DISABLED Default value ENABLED To configure an SNMP alarm for throughput or PPS by using the configuration utility 1 In the navigation pane expand System expand SNMP and then click Alarms 2 In the details pane do one of the following e Select PF RL RATE THRESHOLD to configure the SNMP alarm for throughput rate e Select PF RL PPS THRESHOLD to configure the SNMP alarm for packets per second 3 Click Open 4 In the Configure SNMP Alarm dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring an SNMP alarm for throughput or PPS as shown e Alarm Threshold thresholdValue e Alarm Threshold thresholdValue e Normal Threshold normalValue e Severity severity e Logging logging 5 Select the Enable check box to enable the alarm 6 Click OK and then click Close Configuring SNMP Alarm for Dropped Packets 62 You can configure an alarm for packets dropped as a result of exceeding the throughput limit and an alarm for packets dropped as a result of exceeding the PPS limit To configure an SNMP alarm for packets dropped because of excessive throughput by using the NetScaler command line At the NetScaler command prompt type set snmp alarm PF R
130. ersion V1 V2 destPort lt port gt communityName lt string gt srcIP lt ip_addr gt severity lt severity gt 51 Chapter 2 52 SNMP show snmp trap Example Bickel Sins Kika SxsCiiese 10 l02Z 29 3 wersilom WZ destPort 80 communityName coml severity Major Done gt show snmp trap Type DestinationIP DestinationPort Version SourcelIP Min Severity Community generic LO 102 29 v2 NetScaler IP specific 10 102 29 9 v2 NetScaler IP specific MOLOTO ES v2 NetScaler IP Done Parameters for configuring SNMP traps trapClass The trap type Possible values generic and specific version SNMP version of the trap PDU to be sent trapDestination IPv4 address of the trap listener destPort Destination port of the trap Default 162 Minimum value 1 scrIP Source IP of the traps severity Specify the severity level of trap messages All generated trap messages of the severity level up to the specified severity level will be sent to the trap listener Possible values Critical Major Minor Warning and Informational Default Informational communityName The community string Default public To configure SNMP Traps by using the configuration utility 1 In the navigation pane expand System expand SNMP and then click Traps Citrix NetScaler Administration Guide 2 In the details pane do one of the following e To create a new trap click Add e To modify an existing trap select
131. erval Daily logFileSizeLimit 20 logFilenameFormat datadisk5 netscaler log ZSv NS SmSsd y t log BND CACHE FP Creating a Custom Log Format Manually To customize the format in which log file data should appear specify a character string as the argument of the LogFormat log property definition For more information see Arguments for Defining a Custom Log Format on page 118 The following is an example where character strings are used to create a log format LogFormat Custom a S user agent i d m SY t SU s Sb plu The string can contain the c type control characters n and t to represent new lines and tabs Use the lt Esc gt key with literal quotes and backslashes The characteristics of the request are logged by placing directives in the format string which are replaced in the log file by the values 115 Chapter 4 Web Server Logging If the v Host name or x URL suffix format specifier is present in a log file name format string the following characters in the file name are replaced by an underscore symbol in the log configuration file name elf r lt gt 2 Characters whose ASCII values lie in the range of 0 31 are replaced by the following lt ASCII value of character in hexadecimal gt For example the character with ASCII value 22 is replaced by 16 A Caution Ifthe v format specifier is present in a log file name format string a separate file is opened fo
132. escribed in the following section the learned MSS value takes precedence and the value specified in the TCP profile is used only until 144 Citrix NetScaler Administration Guide the appliance learns the optimum MSS value The appliance uses the learned MSS value until the appliance is restarted If the appliance is restarted the appliance defaults to the MSS value specified in the virtual server s TCP profile until it learns the MSS value again Specifying the MSS Value in a TCP Profile If you know the optimal MSS value for a given virtual server you can specify the MSS in a TCP profile and bind the profile to the virtual server When a client initiates a connection with the virtual server the NetScaler appliance advertises the specified MSS value to the client To specify the MSS value in a TCP profile by using the NetScaler command line At the NetScaler command prompt type the following commands to specify the MSS value in a TCP profile and verify the configuration add ns tcpProfile lt name gt mss lt positive integer gt show ns tcpProfile gt ecl ims iecorico icsIkS CES Pror 086 1000 Done gt Show ng TCP ronrile TED Orori Name 3 EED icone il Window Scaling status DISABLED Window Scaling factor 4 SACK status DISABLED MSS 1000 MaxBurst setting 5 6 MSs Initial cwnd setting 4 MSS Done gt Parameters for specifying the MSS value in a TCP profile name The name of the TCP profile
133. eve the counter information 3 Do one or both of the following e If you want the tool to remember the time period for which a chart is plotted select the Remember time selection for charts check box e If you want the reports to use the time settings of your NetScaler appliance select the Use Appliance s time zone check box Exporting and Importing Custom Reports You can share reports with other NetScaler administrators by exporting reports You can also import reports To export or import custom reports 1 In the left pane of the Reporting tool next to Custom Reports click the Click to manage custom reports icon 2 Select the check box that corresponds with the report you want to export or import and then click Export or Import 187 Chapter8 Reporting Tool Note When you export the file it is exported in a gz file format Working with Charts Use charts to plot and monitor counters or groups of counters You can include up to four charts in one report In each chart you can plot up to 32 counters The charts can use different graphical formats for example area and bar You can move the charts up or down within the report customize the colors and visual display for each counter in a chart and delete a chart when you do not want to monitor it In all report charts the horizontal axis represents time and the vertical axis represents the value of the counter Adding a Chart When you add a chart to a r
134. fault settings for the log properties begin default logInterval Hourly logFileSizeLimit 10 logFilenameFormat auditlogs sysmsd t log end default Following are two examples of defining the default filters 91 Chapter 3 Audit Logging Example 1 alice il 12 192168 10 i This creates a log file for NSI 192 168 10 1 with the default values of the log in effect Example 2 pileet ie We 192 166 10 i begin f1 logFilenameFormat logfiles log end f1 This creates a log file for NSIP 192 168 10 1 Since the log file name format is specified the default values of the other log properties are in effect Sample Configuration File audit conf 92 Following is a sample configuration file HERE TE EHH HH HEE EE EE EEE EEE EH EH This is the Auditserver configuration file Only the default filter is active Remove leading to activate other filters HERE AE EH HE HH HH HH HH HE EE EE EE EE EE MYIP lt NSAuditserverIP gt MYPORT 3023 4 Piler filter neip IP lt Specity the NetScaler IP acdrese to filter on gt ON begim filter imiSaljo logInterval Hourly 4 logFileSizeLimit 10 4 logDirectory logdir A logFilenameFormat nsip S SdsmSY t log end filter nsip Filter default begin default logInterval Hourly logFileSizeLimit 10 logFilenameFormat auditlog y msd t log end default Chapter 4 Web Server Logging Topics Configuring the NetScaler Appliance for Web Server Logging Installing a
135. figuration utility 1 In the navigation pane expand System expand SNMP and then click Alarms 2 In the details pane select an alarm for example Login Failure and do one of the following e To enable an alarm click Enable e To disable an alarm click Disable A message appears in the status bar stating that the alarm is enabled or disabled successfully 49 Chapter 2 SNMP Configuring Alarms 50 The NetScaler provides a set of condition entities called SNMP alarms When the condition set for an SNMP alarm is met the NetScaler generates SNMP traps messages that are sent to the configured trap listeners For example when the LOGIN FAILURE alarm is enabled a trap message is generated and sent to the trap listener whenever there is a login failure on the NetScaler appliance You can assign an SNMP alarm with a severity level When you do this the corresponding trap messages are assigned that severity level The following are the severity levels defined in the NetScaler in decreasing order of severity Critical Major Minor Warning Informational For example if you set a Warning severity level for the SNMP alarm named LOGIN FAILURE the trap messages generated when there is a login failure will be assigned with the Warning severity level You can also configure an SNMP alarm to log the corresponding trap messages generated whenever the condition on that alarm is met To configure an SNMP
136. g file formats By default the logformat property is w3c To override enter custom or NCSA in the configuration file for example LogFormat NCSA Note For the NCSA and custom log formats local time is used to time stamp transactions and for file rotation Loginterval specifies the intervals at which new log files are created Use one of the following values e Hourly A file is created every hour e Daily A file is created every day at midnight Default value e Weekly A file is created every Sunday at midnight e Monthly A file is created on the first day of the month at midnight e None A file is created only once when Web server logging starts Example LogInterval Daily LogFileSizeLimit specifies the maximum size of the log file in MB It can be used with any log interval weekly monthly and so on A file is created when the maximum file size limit is reached or when the defined log interval time elapses To override this behavior specify the size as the loginterval property so that a file is created only when the log file size limit is reached The default LogFileSizeLimit is 10 MB Example LogFileSizeLimit 35 LogFilenameFormat specifies the file name format of the log file The name of the file can be of the following types e Static Specifies a constant string that contains the absolute path and file name e Dynamic Specifies an expression containing the following format Server IP address A
137. gin with rm type the following A rm Regular expressions used in command policies are not case sensitive The following table lists examples of regular expressions 28 Citrix NetScaler Administration Guide Table 1 2 Examples of Regular Expressions for Command Policies Command specification Matches these commands rm s All remove actions because all remove actions begin with the rm string followed by a space and additional parameters and flags Ashow s All show commands because all show actions begin with the show string followed by a space and additional parameters and flags shell The shell command alone but not combined with any other parameters or flags add s yserver s All create vserver actions which consist of the add vserver command followed by a space and additional parameters and flags add s lb s vserver s All create lb vserver actions which consist of the add lb vserver command followed by a space and additional parameters and flags The following table shows the command specifications for each of the built in command policies Table 1 3 Expressions Used in the Built in Command Policies Policy name Command specification regular expression read only man show s system ns ns conf ns runningConfig stat operator man show s syste
138. hange the system date and time you must use the shell interface to the underlying FreeBSD OS However to view the system date and time you can use the NetScaler command line or the configuration utility To view the system date and time by using the NetScaler command line At the NetScaler command prompt type show ns config Example gt show ns config NeieS allers IPs i0 102 29 170 mask 255 255 2550 Number of MappedIP s 6 Node Standalone Global configuration settings EME pore S e Max connections 0 Max requests per connection 0 D 0 Client IP insertion Cookie version Persistence Cookie Secure Flag ENABLED Min Path MTU 576 Path MTU entry timeout 10 FTP Port Range 0 CR Port Range 0 Timezone GMT 05 30 129 Chapter5 Advanced Configurations IST Asia Colombo System Time Tue Feb 22 16 50 44 2011 Last Config Changed Time Tue Feb 22 Teale 02 ZOLI Last Config Saved Time Tue Feb 22 Baca LS ZOLL Done To view the system date and time by using the configuration utility 1 In the navigation pane click System 2 In the details pane select the System Information tab 3 Under System Information view the system date and time Configuring TCP Window Scaling The TCP window scaling option which is defined in RFC 1323 increases the TCP receive window size beyond its maximum value of 65 535 bytes This option is required for efficient transfer of d
139. he FreeBSD NSLOG server package was copied run the following command to install the package pkg_add audserver_bsd lt release number gt lt build number gt tgz Example pkg_add audserver_bsd 9 3 51 5 tgz The following directories are extracted e lt root directory extracted from the FreeBSD NSLOG server package tgz file gt netscaler bin for example var auditserver netscaler bin e lt root directory extracted from the FreeBSD NSLOG server package tgz file gt netscaler etc for example var auditserver netscaler etc e lt root directory extracted from the FreeBSD NSLOG server package tgz file gt netscaler samples for example var auditserver samples 4 At a command prompt type the following command to verify that the package is installed pkg_info grep NSaudserver To uninstall the NSLOG server package on a FreeBSD operating system At a command prompt type pkg_delete NSaudserver Installing NSLOG Server Files on the Windows Operating System Before you can install the NSLOG server you have to copy the NSLOG package from the NetScaler product CD or download it from www citrix com The NSLOG package has the following name format AuditServer lt release number gt lt build number gt zip 84 Citrix NetScaler Administration Guide for example AuditServer 9 3 51 5 zip This package contains NSLOG installation packages for all supported platforms To download NSLOG package from www Citrix co
140. he NetScaler configuration but does not need to modify anything Maria Ramiez The lead IT administrator Maria needs to be able to see and modify all parts of the NetScaler configuration except for NetScaler commands which local policy dictates must be performed while logged on as nsroot Michael Baldrock The IT administrator in charge of load balancing Michael needs to be able to see all parts of the NetScaler configuration but needs to modify only the load balancing functions The following table shows the breakdown of network information user account names group names and command policies for the sample company 35 Chapter 1 Authentication and Authorization Table 1 4 Sample Values for Creating Entities Field Value Note NetScaler host name ns01 example net N A User accounts johnd mariar and John Doe IT manager michaelb Maria Ramirez IT administrator and Michael Baldrock IT administrator Groups Managers and SysOps All managers and all IT administrators Command Policies read_all modify_lb and Allow complete read only modify_all access Allow modify access to load balancing and Allow complete modify access The following description walks you through the process of creating a complete set of user accounts groups and command policies on the NetScaler appliance named ns01 example net The description includes procedures for binding the appropriate user accounts and groups
141. he following commands to set the parameters and verify the configuration add snmp user lt name gt group lt string gt authType MD5 SHA authPasswd privType DES AES privPasswd 67 Chapter 2 68 SNMP show snmp user lt name gt Example gt add snmp user edocs user group edocs group Done gt show snmp user edocs user 1 Name edocs_user Group edocs group EngineID 123abc456abc788 StorageType volatile Status active Done gt Parameters for configuring an SNMP user name The name of the SNMP user group Specifyes the SNMP group name to which the SNMP user will belong authType The authentication type Possible values MD5 SHA authPasswd Enter an authentication password privType The encryption type Possible values DES AES privPasswd The encryption password Maximum Length 31 To configure an SNMP user by using the configuration utility 1 In the navigation pane expand System expand SNMP and then click Users 2 In the details pane click Add 3 In the Create SNMP User or Configure SNMP User dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring an SNMP user as shown e Name name e Group Name group e Authentication Type authType e Authentication Password authPasswd e Privacy Type privlype e Privacy password privPasswd Citrix NetScaler Administration
142. ide at http support citrix com article CTX128670 Click Next On the wizard s Specify a server Certificate page you create or specify an existing SSL certificate key pair The SSL certificate key pair is automatically bound to the HTTPS vserver For more information see Binding an SSL Certificate Key Pair to the Virtual Server in the Secure Sockets Layer SSL Acceleration chapter of the Citrix NetScaler Traffic Management Guide at http support citrix com article CTX128670 Click Next On the wizard s Configure XenApp XenDesktop Farm page do one of the following e To add a XenApp or XenDesktop farm click Add e To modify an existing XenApp or XenDesktop farm select the farm and then click Open 10 Citrix NetScaler Administration Guide In the Create XenApp XenDesktop Farm or Configure XenApp XenDesktop Farm dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring Web interface sites on page 153 as shown e Name You cannot change the name of an existing XenApp or XenDesktop farm e XML Service Addresses e XML Service Port e Transport e Load Balance A required parameter Click Next and then click Finish Verify that the Web interface site you configured is correct by selecting the site and viewing the Details section at the bottom of the pane To view the Web interface site in the navigation pane expand
143. ier and the attribute type The vendor identifier enables the RADIUS server to assign an IP address to the client from a pool of IP addresses that are configured on the RADIUS server The vendor ID and attributes are used to make the association between the RADIUS client and the RADIUS server The vendor ID is the attribute in the RADIUS response that provides the IP address of the internal network A value of zero indicates that the attribute is not vendor encoded The attribute type is the remote IP address attribute in a RADIUS response The minimum value is one and the maximum value is 255 A common configuration is to extract the RADIUS attribute framed IP address The vendor ID is set to zero or is not specified The attribute type is set to eight To configure IP address extraction by using the configuration utility 1 In the navigation pane expand System and then click Authentication 2 On the Policies tab click Open 3 In the Configure Authentication Policy dialog box next to Server click Modify 4 Under Details in Group Vendor Identifier type the value 43 Chapter 1 Authentication and Authorization 5 In Group Attribute Type type the value and click OK twice Configuring TACACS Authentication You can configure a TACACS server for authentication Similar to RADIUS authentication TACACS uses a secret key an IP address and the port number The default port number is 49 To configure the NetScaler to use
144. ifying parameters such as IP address and the destination port of the trap listener you can specify the type of trap either generic or specific and the SNMP version You can configure a maximum of 20 trap listeners for receiving either generic or specific traps You can also configure the NetScaler to send SNMP trap messages with a source IP other than the NetScaler IP address NSIP to a particular trap listener You can set the source IP to either a mapped IP address MIP or a subnet IP address SNIP configured on the NetScaler appliance You can also configure the NetScaler to send trap messages to a trap listener on the basis of a severity level For example if you set the severity level as Minor for a trap listener all trap messages of the severity level equal to or greater than Minor Minor Major and Critical are sent to the trap listener If you have defined a community string for the trap listener you must also specify a community string for each trap that is to be sent to the listener A trap listener for which a community string has been defined accepts only trap messages that include a community string matching the community string defined in the trap listener Other trap messages are dropped To add an SNMP trap by using the NetScaler command line At the NetScaler command prompt type the following commands to set the parameters and verify the configuration add snmp trap lt trapClass gt lt trapDestination gt v
145. imum ooo Packet Queue Size e Maximum Packets Per MSS e Maximum Packets per Retransmission e Minimum RTO in millisec e Slow Start Increment e Selective Acknowledgement 141 Chapter5 Advanced Configurations e Use Nagle s Algorithm e Immediate ACK on Receiving Packet with PUSH A required parameter 4 Click Create A message appears in the status bar stating that the TCP profile has been configured successfully Specifying a TCP Buffer Size You can set the TCP buffer size both globally and for individual virtual servers and services through TCP profiles The value that you set is the minimum value that is advertised by the NetScaler appliance and this buffer size is reserved when a client initiates a connection that is associated with an endpoint application function such as compression or SSL The managed application can request a larger buffer but if it requests a smaller buffer the request is not honored and the specified buffer size is used If the TCP buffer size is set both at the global level and at the entity level virtual server or service level the buffer specified at the entity level takes precedence If the buffer size that you specify for a service is not the same as the buffer size that you specify for the virtual server to which the service is bound the NetScaler appliance uses the buffer size specified for the virtual server for the client side connection and the buffer size specified for the service for th
146. information The NSLOG server has its own configuration file auditlog conf You can customize logging on the NSLOG server system by making additional modifications to the configuration file auditlog conf Citrix NetScaler Administration Guide Configuring the NetScaler Appliance for Audit Logging Policies define the SYSLOG or NSLOG protocol and server actions define what logs are sent where For server actions you specify the system information which runs the SYSLOG or the NSLOG server The Citrix NetScaler logs the following information related to TCP connections Source port Destination port Source IP Destination IP Number of bytes transmitted and received Time period for which the connection is open Note You can enable TCP logging on individual load balancing vservers You must bind the audit log policy to a specific load balancing vserver that you want to log Configuring Audit Servers You can configure audit server actions for different servers and for different log levels To configure a SYSLOG server action by using the command line At the NetScaler command prompt type the following commands to set the parameters and verify the configuration add audit syslogAction lt name gt lt serverIP gt serverPort lt port gt logLevel lt logLevel gt dateFormat MMDDYYYY DDMMYYYY show audit syslogAction lt name gt Example gt ace awdit syslogactiom euciicoactioml 110 1
147. ing tool under Built in Reports expand System 2 Click the report CPU vs Memory Usage and HTTP Requests Rate 3 In the right pane on the report toolbar click Duration and then click Last Week To compare the bytes received rate and the bytes transmitted rate between two interfaces for the last week 1 In the right pane on the report toolbar click Create 2 In the Report Name box type a name for the custom report for example Custom Interfaces and then click OK The report is created with the default System Overview chart which displays the CPU Usage counter plotted for the last hour 3 Under System Overview on the chart toolbar click Counters 4 In the counter selection pane in Title type a name for the chart for example Interfaces bytes data 5 In Plot chart for click System entities statistics and then in Select Group select Interface 6 On the Entities tab click the interface name s you want to plot for example 1 1 and 1 2 and then click the gt button 7 On the Counters tab click Bytes received Rate and Bytes transmitted Rate and then click the gt button 192 Citrix NetScaler Administration Guide 8 Click OK 9 On the report toolbar click Duration and then click Last Week Stopping and Starting the Data Collection Utility The performance data is stored in different data sources on the Citrix NetScaler appliance The default data source is var log db default You can
148. itrix NetScaler AppExpert Guide at http support citrix com article CTX128682 10 Bind the rewrite policy to the HTTPS vserver At the NetScaler command prompt type bind lb vserver lt VserverName gt policyname lt rewritePolicyName gt priority lt value gt type response Example bind lb vserver HTTPS WI policyname rewrite location priority 10 type response For more information see Binding a Rewrite Policy in the Rewrite chapter of the Citrix NetScaler AppExpert Guide at http support citrix com article CTX128682 Configuring a Web Interface Site for Remote Users Using AGEE In this scenario user accounts and the Web interface setup are on different networks Users access a Web interface site by using Access Gateway Enterprise Edition AGEE URL SmartAccess is automatically enabled The following figure illustrates the Web interface running on the NetScaler appliance NS1 A Web interface site WINS1 is created and a XenApp farm XA1 and a XenDesktop XD1 are bound to it An AGEE VPN vserver AGEE_WI is also configured The client uses the AGEE URL of the AGEE_WI to access the WINS1 site For more information about configuring AGEE see the AGEE documentation at http edocs citrix com 163 Chapter6 Web Interface Figure 6 4 A Web Interface Site Configured for Remote Users Using AGEE m Client C1 E Internet 2 wW i eS NetScaler NS 1 H XenApp Farm XenDesktop Farm
149. k SNMP and then click Community 2 In the details pane select the community that you want to remove for example Com_All and then click Remove Configuring SNMP Alarms for Rate Limiting Citrix NetScaler appliances such as the NetScaler MPX 10500 12500 and 15500 are rate limited The maximum throughput Mbps and packets per second PPS are determined by the license purchased for the appliance For rate limited platforms you can configure SNMP traps to send notifications when throughput and PPS approach their limits and when they return to normal Throughput and PPS are monitored every seven seconds You can configure traps with high threshold and normal threshold values which are expressed as a percentage of the licensed limits The appliance then generates a trap when throughput or PPS exceeds the high threshold and a second trap when the monitored parameter falls to the normal threshold In addition to sending the traps to the configured destination device the NetScaler logs the events associated with the traps in the var log ns log file as EVENT ALERTSTARTED and EVENT ALERTENDED Exceeding the throughput limit can result in packet loss You can configure SNMP alarms to report packet loss For more information about SNMP alarms and traps see Configuring the NetScaler to Generate SNMPv1 and SNMPv2 Traps on page 48 Configuring an SNMP Alarm for Throughput or PPS To monitor both throughput and PPS you must configure se
150. ler appear on the list Select the check box next to the name of the policy you want to bind to this group 4 In the Priority column to the left modify the default priority as needed to ensure that the policy is evaluated in the proper order 5 Click OK A message appears in the status bar stating that the group has been configured successfully Resetting the Default Administrator nsroot Password The nsroot account provides complete access to all features of the Citrix NetScaler appliance Therefore to preserve security the nsroot account should be used only when necessary and only individuals whose duties require full access should know the password for the nsroot account Frequently changing the nsroot password is advisable If you lose the password you can reset it to the default and then change it To reset the nsroot password you must boot the NetScaler into single user mode mount the file systems in read write mode and remove the set NetScaler user nsroot entry from the ns conf file You can then reboot log on with the default password and choose a new password To reset the nsroot password 34 1 Connect a computer to the NetScaler serial port and log on Note You cannot log on by using ssh to perform this procedure you must connect directly to the NetScaler appliance As the operating system starts it displays the following message Hit Enter to boot immediately or any other key for command prom
151. licies to send records for a selected flow to specific set of collectors An AppFlow action specifies which set of collectors will receive the AppFlow records Policies which are based on Advanced expressions can be configured to select flows for which flow records will be sent to the collectors specified by the associated AppFlow action To limit the types of flows you can enable AppFlow for a virtual server AppFlow can also provide statistics for the virtual server You can also enable AppFlow for a specific service representing an application server and monitor the traffic to that application server Note This feature is supported only on NetScaler nCore builds 167 Chapter 7 AppFlow How AppFlow Works 168 In the most common deployment scenario inbound traffic flows to a Virtual IP address VIP on the NetScaler appliance and is load balanced to a server Outbound traffic flows from the server to a mapped or subnet IP address on the NetScaler and from the VIP to the client A flow is a unidirectional collection of IP packets identified by the following five tuples sourcelP sourcePort destIP destPort and protocol The following figure describes how the AppFlow feature works Figure 7 1 NetScaler Flow Sequence Server Client Citrix NetScaler Flow 2 NS MIP SNIP to Server IP Flow 1 Clientto Virtual IP a A a a Flow 3 MIP SNI Flow 4 Virtual IP to Client a Oe ee ee ee ee
152. luding running and stopping the NSLOG server In addition you use the auditserver executable to configure the NSLOG server with the IP addresses of the NetScaler appliances from which the NSLOG server will start collecting logs Configuration settings are applied in the NSLOG server configuration file auditlog conf Then you start the NSLOG server by executing the auditserver executable The NSLOG server configuration is based on the settings in the configuration file You can further customize logging on the NSLOG server system by making additional modifications to the NSLOG server configuration file auditlog conf The following table lists the operating systems on which the NSLOG server is supported 81 Chapter3 Audit Logging Table 3 1 Supported Platforms for the NSLOG Server Operating system Software requirements Windows Windows XP Professional Windows Server 2003 Windows 2000 NT Linux Red Hat Enterprise Linux AS release 4 Nahant Linux version 2 6 9 5 EL Red Hat 3 4 3 9 EL4 Linux version 2 6 9 5 ELsmp Red Hat Linux 3 2 2 5 Linux version 2 4 20 8 FreeBSD FreeBSD 4 9 The minimum hardware specifications for the platform running the NSLOG server are as follows Processor Intel x86 501 megahertz MHz RAM 512 megabytes MB Controller SCSI Installing NSLOG Server on the Linux Operating System Copy the installation files from the NetScaler
153. m 1 an wo KR W N In a web browser go to www citrix com In the menu bar click Log In Enter your login credentials and then click Log In In the menu bar click Downloads Search to find the page that provides the appropriate release number and build On that page under Audit Servers click Download to download the NSLOG package having the format AuditServer lt release number gt lt build number gt zip to your local system for example AuditServer 9 3 51 5 zip To install NSLOG server on a Windows operating system 1 On the system where you have downloaded the NSLOG package AuditServer lt release number gt lt build number gt zip for example AuditServer 9 3 51 5 zip extract audserver win lt release number gt lt build number gt zip for example audserver win 9 3 51 5 zip from the package Copy the extracted file audserver lt release number gt lt build number gt zip for example audserver win 9 3 51 5 zip to a Windows system on which you want to install the NSLOG server Unzip the audserver lt release number gt lt build number gt zip file for example audserver win 9 3 51 5 zip The following directories are extracted a lt root directory extracted from the Windows NSLOG server package zip file gt bin for example C audserver win 9 3 51 5 bin b lt root directory extracted from the Windows NSLOG server package zip file gt etc
154. m ns ns conf ns runningConfig stat set accessdown enable disable server service network shell S s system ns ns conf ns runningConfig superuser 29 Chapter 1 30 Authentication and Authorization To create a command policy by using the NetScaler command line At the NetScaler command prompt type the following commands to create a command policy and verify the configuration add system cmdPolicy lt policyname gt lt action gt lt cmdspec gt sh system cmdPolicy Example gt add system cmdPolicy read all ALLOW show s system Tns ns conf ns runningConfig stata Done gt sh system cmdPolicy Command policy operator Command policy read only Command policy network Command policy superuser Command policy allow portaladmin Command policy read_all To modify or remove a command policy by using the NetScaler command line To modify a command policy type the set system cmdPolicy lt PolicyName gt command and the parameters to be changed with their new values To remove a command policy type rm system cmdPolicy lt PolicyName gt Note The built in command policies cannot be removed Parameters for configuring a command policy policyname A name for the command policy you are creating The name can begin with a letter number or the underscore symbol and can consist of from one to 31 letters numbers
155. me gt Example gt bind system user useri policyName read all 1 Done gt sh system user userl User name userl Command Policy read_all Prioritys i To unbind command policies from a user by using the NetScaler command line At the NetScaler command prompt type the following commands to unbind a command policy from a user and verify the configuration unbind system user lt userName gt policyName lt policyName gt sh system user lt userName gt Parameters for binding a command policy to a user userName The name of an existing user account policyName The name of an existing command policy priority The priority assigned to this policy To bind command policies to a user by using the configuration utility 1 In the navigation pane expand System and then click Users 2 In the details pane select the user to which you want to bind a command policy and then click Open 3 In the Configure System User dialog box under Command Policies all of the command policies configured on your NetScaler appear on the list Select the check box next to the name of the policy you want to bind to this user Citrix NetScaler Administration Guide 4 In the Priority column to the left modify the default priority as needed to ensure that the policy is evaluated in the proper order 5 Click OK A message appears in the status bar stating that the user has been configured successfully To bind command poli
156. mmand nswl stop Solaris and Linux only Stop the NSWL client if it was started as a background process otherwise use CTRL C to stop Web server logging nswl install f lt path to configuration file gt Windows only Install the NSWL client as a service in Windows nswl startservice Windows only Start the NSWL client by using the settings in the configuration file for example log conf specified in the nswl 103 Chapter 4 Web Server Logging NSWL command Specifies install option You can also start NSWL client from Start gt Control Panel gt Services nswl stopservice Windows only Stops the NSWL client nswl remove Remove the NSWL client service from the registry Run the following commands from the directory in which the NSWL executable is located Windows ns bin Solaris and Linux usr local netscaler bin The Web server logging configuration files are located in the following directory path Windows ns etc Solaris and Linux usr local netscaler etc The NSWL executable is started as nswl in Linux and Solaris Adding the IP Addresses of the NetScaler Appliance 104 In the NSWL client configuration file log conf add the NetScaler IP address NSIP from which the NSWL client will start collecting logs To add the NSIP address of the NetScaler appliance 1 At the client system command prompt type nswl addns f lt
157. mmand line 5 171 To remove a collector by using the NetScaler command line 172 Parameters for specifying a Collector cc eee eee eee eee nee e teen eee 172 To specify a collector by using the configuration utility ee 172 Configuring an AppFlow Action 000 cece cece eee ene e eee e eee teen eee eens 172 To configure an AppFlow action by using the NetScaler command line 172 To modify or remove an AppFlow action by using the NetScaler command line CS chee abs Erte tele ali Riek dni MOON Tach ath ica anid g ehetlares tl eaten tage ntscan TT 173 Parameters for configuring an AppFlow action 0c ece cece eee ees 173 To configure an AppFlow action by using the configuration utility 174 Configuring an AppFlow Policy cece eee eee cece eee eee e teen teen nena 174 To configure an AppFlow policy by using the NetScaler command line 174 To modify or remove an AppF low policy by using the NetScaler command line piedativnn beanbag ie sedan thie decid a hae tenna shel ae eae tibet aha a aa 175 Parameters for configuring an AppFlow policy eccee eee eee ee eees 175 To configure an AppFlow policy by using the configuration utility 176 To add an expression by using the Add Expression dialog box 176 Binding an AppFlow Policy 0c cece eee cece eee eter n ee ee nee en eee nneeenne es 1
158. n This can be used as a metric to determine the client or server latency on the network httpRequestMethod An 8 bit number indicating the HTTP method used in the transaction An options template with the number to method mapping is sent along with the template 169 Chapter 7 AppFlow httpRequestSize An unsigned 32 bit number indicating the request payload size httpRequestURL The HTTP URL requested by the client httpUserAgent The source of incoming requests to the Web server httpResponseStatus An unsigned 32 bit number indicating the response status code httpResponseSize An unsigned 32 bit number indicating the response size httpResponseTimeToFirstByte An unsigned 32 bit number indicating the time taken to receive the first byte of the response httpResponseTimeToLastByte An unsigned 32 bit number indicating the time taken to receive the last byte of the response flowF lags An unsigned 64 bit flag used to indicate different flow conditions Configuring the AppFlow Feature 170 You configure AppFlow in the same manner as most other policy based features First you enable the AppFlow feature Then you specify the collectors to which the flow records are sent After that you define actions which are sets of configured collectors Then you configure one or more policies and associate a action to each policy The policy tells the NetScaler appliance to select requests the flow records of which are sent to the as
159. n page 153 as shown e Virtual Server e Protocol select HTTPS e IP Address e Port Note When you create the HTTPS vserver by using the configuration utility the configuration utility automatically creates a service which logically represents the Web interface service running on the NetScaler appliance and binds the service to the HTTPS virtual server For more information about services and virtual servers see the Citrix NetScaler Traffic Management Guide at http support citrix com article CTX128670 Click Next On the wizard s Configure XenApp XenDesktop Farm page do one of the following e To add a XenApp or XenDesktop farm click Add e To modify an existing XenApp or XenDesktop farm select the farm and then click Open In the Create XenApp XenDesktop Farm or Configure XenApp XenDesktop Farm dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring Web interface sites on page 153 as shown e Name You cannot change the name of an existing XenApp or XenDesktop farm e XML Service Addresses e XML Service Port e Transport e Load Balance A required parameter Click Next and then click Finish Verify that the Web interface site you configured is correct by selecting the site and viewing the Details section at the bottom of the pane To view the Web interface site in the navigation pane expand System expand Web Interface and then
160. n utility 1 In the navigation pane expand Load Balancing and then click Virtual Servers 2 On the Load Balancing Virtual Servers page select the virtual server to which you want to bind the AppFlow policy and then click Open 3 In the Configure Virtual Server Load Balancing dialog box select the Policies tab to display the policies bound to that particular virtual server 4 Click Insert Policy to insert a new row and display a drop down list of all unbound AppFlow policies 5 From the drop down list that appears under Policy Name select the policy that you want to bind to this virtual server 6 Click OK and then click Close A message appears in the status bar stating that the configuration has been successfully implemented Enabling AppFlow for Virtual Servers If you want to monitor only the traffic through certain virtual servers enable AppFlow specifically for those virtual servers You can enable AppFlow for load balancing content switching cache redirection SSL VPN GSLB and authentication virtual servers To enable AppFlow for a virtual server by using the NetScaler command line At the NetScaler command prompt type set lt feature_name gt vserver lt vServerName gt lt protocol gt lt IPAddress gt lt port gt appflowLog ENABLED Example SeERCSmySenver Sener OS run Ps iO O AeA ealeGsles Ole appflowLog ENABLED To enable AppFlow for a virtual server by using the configuration u
161. nd Configuring the Client System for Web Server Logging Running the NSWL Client Customizing Logging on the NSWL Client System Sample Configuration File Arguments for Defining a Custom Log Format Time Format Definition You can use the Web server logging feature to send logs of HTTP and HTTPS requests to a client system for storage and retrieval This feature has two components the Web log server which runs on the Citrix NetScaler appliance and the NetScaler Web Logging NSWL client which runs on the client system When you run the client it connects to the NetScaler The NetScaler buffers the HTTP and HTTPS request log entries before sending them to the NSWL client and the client can filter the entries before storing them You can log HTTP and HTTPS requests for all of your Web servers on one NSWL client system To configure Web server logging you first enable the Web logging feature on the NetScaler and configure the size of the buffer for temporarily storing the log entries Then you install NSWL on the client system You then add the NetScaler IP address NSIP to the NSWL configuration file You are now ready to start the NSWL client to begin logging You can customize Web server logging by making additional modifications to the NSWL configuration file log conf 93 Chapter4 Web Server Logging Configuring the NetScaler Appliance for Web Server Logging On the NetScaler appliance you need to enable the Web
162. nd command policies to the user accounts Regardless of the authentication source users cannot log on if they are not granted sufficient command authorization through command policies bound to their user accounts or to a group of which they are a member Configuring LDAP Authentication You can configure the NetScaler to authenticate user access with one or more LDAP servers LDAP authorization requires identical group names in Active Directory on the LDAP server and on the NetScaler The characters and case must also be the same By default LDAP authentication is secured by using SSL TLS protocol There are two types of secure LDAP connections In the first type the LDAP server accepts the SSL TLS connection on a port separate from the port used to accept clear LDAP connections After users establish the SSL TLS connection LDAP traffic can be sent over the connection The second type allows both unsecure and secure LDAP connections and is handled by a single port on the server In this scenario to create a secure connection the client first establishes a clear LDAP connection Then the LDAP command StartTLS is sent to the server over the connection If the LDAP server supports StartTLS the connection is converted to a secure LDAP connection by using TLS The port numbers for LDAP connections are 389 for unsecured LDAP connections 636 for secure LDAP connections 3268 for Microsoft unsecure LDAP connections 3269 for Microsoft
163. netmask lt netmask gt show snmp manager Example gt add snmp manager 10 102 29 10 Done gt show snmp manager all 10 102 29 5 255 299 259 40 Done S Eckl Smmijo memecese WO LOZ629 15 10 102 29 30 Done gt show snmp manager i IP Address 10 102 29 10 Netmask ZOO 299 5299 cB 2 IP Address 10 102 29 5 15 Netmask ZOO 5299 5299 c 290 3 IP Address 10 102 29 30 55 Chapter2 SNMP Netmask 255 255 255 2255 Done To add an SNMP manager by specifying its host name using the NetScaler command line Important If you specify the SNMP manager s host name instead of its IP address you must configure a DNS name server to resolve the host name to the SNMP manager s IP address For more information see the instructions for adding a name server in the Citrix NetScaler Traffic Management Guide For a link to the guide see the Documentation Library At the NetScaler command prompt type the following commands to set the parameters and verify the configuration add snmp manager lt PAddress gt domainResolveRetry lt integer gt show snmp manager Example gt add nameserver 10 103 128 15 Done gt show nameserver 1 LO sLOS 128 15 Sitares Ue Done gt add snmp manager engwiki eng example net domainResolveRetry 10 Done gt show snmp manager als Hostname abc com Unresolved IP Resolve Retry 7 2 Hostname engwiki eng example net 10 217 3 249 Resolve Retry
164. nfiguring Web interface sites on page 153 as shown e Name You cannot change the name of an existing XenApp or XenDesktop farm e XML Service Addresses e XML Service Port e Transport e Load Balance A required parameter 9 Click Next and then click Finish 10 Verify that the Web interface site you configured is correct by selecting the site and viewing the Details section at the bottom of the pane To view the Web interface site in the navigation pane expand System expand Web Interface and then click Sites To configure a Web interface site for remote users using AGEE by using the command line 1 Add a Web interface site Set GatewayDirect or GatewayAlternate or GatewayTranslated for the defaultAccessMethod parameter At the NetScaler command prompt type add wi site lt sitePath gt lt agURL gt lt staURL gt sessionReliability ON OFF useTwoTickets ON OFF secondSTAURL lt string gt authenticationPoint WebInterface AccessGateway siteType XenAppWeb XenAppServices publishedResourceType Online Offline DualMode kioskMode ON OFF 165 Chapter 6 166 Web Interface Example add wi site WINS1 https ag mycompany com http ag staserver com sessionReliability OFF authenticationPoint AccessGateway siteType XenAppWeb publishedResourceTyp Online kioskMode ON Bind XenApp or XenDesktop farms to the Web interface site At the NetScaler command prompt type
165. ning of this each custom format see Arguments for Defining a Custom Log Format on page 118 You can also change the order or remove some fields in this W3C log format For example logFormat W3C SY Sm Sd SH M SS t Sm U W3C log entries are created with the following format Version 1 0 Fields date time cs method cs uri Date 12 Jun 2001 12 34 Citrix NetScaler Administration Guide ZOOUS VCS A234 73 CET eports soot alleles tems 2001 06 12 23 4 33 ONGHA eports o tO ales menm Entries Entries consist of a sequence of fields relating to a single HTTP transaction Fields are separated by white space Citrix recommends the use of tab characters If a field in a particular entry is not used a dash marks the omitted field Directives Directives record information about the logging process Lines beginning with the pound sign contain directives The following table describes the directives Table 4 6 Directive Descriptions Directive Description Version lt integer gt lt integer gt Displays the version of the extended log file format used This document defines version 1 0 Fields lt specifier gt Identifies the fields recorded in the log Software lt string gt Identifies the software that generated the log Start Date lt date gt lt time gt Displays the date and time at which the log was started End Date lt date gt lt time gt Displays the date and time
166. o configuration file gt Check for syntax or semantic errors in the configuration file for example auditlog conf audserver start f lt path to configuration file gt Start audit server logging based on the settings in the configuration file auditlog conf Linux only To start the audit server as a background process type the ampersand sign amp at the end of the command audserver stop Linux only Stops audit server logging when audit server is started as a background process Alternatively use the Ctrl C key to stop audit server logging audserver install f lt path to configuration file gt Windows only Installs the audit server logging client as a service on Windows Citrix NetScaler Administration Guide Audit server commands Specifies audserver startservice Start the audit server logging service when you enter this command at a Windows Only command prompt You can also start audit server logging from Start gt Control Panel gt Services Note Audit server logging starts by using the configuration settings in the configuration file for example auditlog conf file specified in the audit server install option audserver stopservice Stop audit server logging Windows Only audserver remove Removes the audit server logging service from the registry Run the audserver command from the directory in which the audit server exec
167. of the Web interface For more information about Web interface running on a server see the Web interface documentation at http edocs citrix com Installing the Web Interface To install the Web interface you need to install the following files Web interface tar file A setup file for installing the Web interface on the NetScaler This tar file also includes Apache Tomcat Web server version 6 0 26 The file name has the following format nswi lt version number gt tgz for example nswi 1 1 tgz JRE tar file This is Diablo Latte JRE version 1 6 0 7 for 64 bit FreeBSD 6 x amd64 platform To download the JRE tarball see the FreeBSD Foundation Web site at http www freebsdfoundation org downloads java shtml Copy the tar files to a local workstation or to the var directory of the NetScaler appliance These files install all the Web interface components and JRE on the NetScaler hard drive and configure automatic startup of the Tomcat Web server with Web interface at the NetScaler appliance startup time Both tar files are internally expanded in the var wi directory on the hard drive To install the Web interface and JRE tar files by using the NetScaler command line At the NetScaler command prompt type install wi package wi lt URL gt jre lt URL gt Example install wi package wi sftp username password 10 102 29 12 var nswi 1 1l tgz jre ftp username password 10 102 29 14 tmp diablojre freebsd6 amd
168. ogging To configure an audit server policy 1 2 In the navigation pane expand System expand Auditing and then click Policies In the details pane on the Policies tab do one of the following e To create a new policy click Add e To modify an existing policy select the policy and then click Open In the Create Auditing Policy or Configure Auditing Policy dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring auditing policies as shown e Name name e Server action A required parameter Click Create or OK and then click Close A message appears in the status bar stating that the auditing policy has been configured successfully Binding the Audit Policies Globally You must globally bind the audit log policies to enable logging of all Citrix NetScaler system events By defining the priority level you can set the evaluation order of the audit server logging Priority 0 is the highest and is evaluated first The higher the priority number the lower is the priority of evaluation To configure a SYSLOG policy by using the command line bind system global lt policyName gt priority lt positive_integer gt sh system global Example gt bind system global nslog poll priority 20 Done gt sh system global Policy Name nslog poll Priority 20 Policy Name syslog poll Priority 50 Policy Name nslogpol9
169. olicy name Allows read only Read only access to all show commands except show runningconfig show ns conf and the show commands for the NetScaler command group operator Read only access and access to commands to enable and disable services and servers or place them in ACCESSDOWN mode network Full access except to the set and unset SSL commands sh ns conf sh runningconfig and sh gslb runningconfig commands superuser Full access Same privileges as the nsroot user Creating Custom Command Policies Regular expression support is offered for users with the resources to maintain more customized expressions and for those deployments that require the flexibility that regular expressions offer For most users the built in command policies are sufficient Users who need additional levels of control but are unfamiliar with regular expressions may want to use only simple expressions such as those in the examples provided in this section to maintain policy readability When you use a regular expression to create a command policy keep the following in mind When you use regular expressions to define commands that will be affected by a command policy you must enclose the commands in double quotation marks For example to create a command policy that includes all commands that begin with show type the following Ashow S To create a command policy that includes all commands that be
170. om cn Users dc ace dc com In Administrator Bind DN type the administrator bind DN for queries to the LDAP directory Examples for syntax of bind DN are domain user name ou administrator dc ace dc com user domain name for Active Directory cn Administrator cn Users dc ace dc com For Active Directory the group name specified as cn groupname is required The group name that is defined in the NetScaler must be identical to the group name that is defined on the LDAP server For other LDAP directories the group name either is not required or if required is specified as ou groupname The NetScaler binds to the LDAP server using the administrator credentials and then searches for the user After locating the user the NetScaler unbinds the administrator credentials and rebinds with the user credentials In Administrator Password and Confirm Administrator Password type the administrator password for the LDAP server Citrix NetScaler Administration Guide 8 To retrieve additional LDAP settings automatically click Retrieve Attributes The fields under Other Settings then populate automatically If you do not want to do this skip to Step 12 9 Under Other Settings in Server Logon Name Attribute type the attribute under which the NetScaler should look for user logon names for the LDAP server that you are configuring The default is samAccountName 10 In Group Attribute leave the default memberOf for Active Directory o
171. ompt type add Ib vserver lt virtualServerName gt lt protocol gt lt IPAddress gt lt port gt Example ede lo veerver RITE Wi HITITE LO 102 2955 G0 For more information see the Load Balancing chapter of the Citrix NetScaler Traffic Management Guide at http support citrix com article CTX128670 5 Bind the Web interface service to the HTTP vserver At the NetScaler command prompt type bind lb vserver lt virtualServerName gt lt serviceName gt Example bind lb vserver HTTP WI WI Loopback Service For more information see the Load Balancing chapter of the Citrix NetScaler Traffic Management Guide at http support citrix com article CTX128670 158 Citrix NetScaler Administration Guide Configuring a Web Interface Site for LAN Users Using HTTPS In this scenario user accounts and the Web interface setup are on the same enterprise LAN Users access the Web interface by using an SSL based HTTPS vserver The Web interface exposes its own login page for authentication SSL offloading is done by this vserver on the NetScaler The vserver IP address is used to access the Web interface instead of the NetScaler IP address NSIP The following figure illustrates the Web interface running on the NetScaler appliance NS1 A Web interface site WINS1 is created and a XenApp farm XA1 and a XenDesktop farm XD1 are bound to it An HTTPS vserver HTTPS_WI is also created Client C1 uses the IP address of the HTTPS_WI vserver
172. on by using the configuration utility 1 In the navigation pane expand System and then click Authentication On the Policies tab click Add In Name type a name for the policy In Authentication Type select RADIUS Next to Server click New In Name type a name for the server Under Server in IP Address type the IP address of the RADIUS server In Port type the port The default is 1812 SO eS SE ON Under Details in Secret Key and Confirm Secret Key type the RADIUS server secret _ a In NAS ID type the identifier number and then click Create Inthe Create Authentication Policy dialog box next to Named Expressions select the expression click Add Expression click Create and click Close After the RADIUS server settings are configured on the NetScaler bind the policy to the system global entity For more information about binding authentication policies globally see Binding the Authentication Policies to the System Global Entity on page 45 Choosing RADIUS authentication protocols The NetScaler appliance supports implementations of RADIUS that are configured to use any of several protocols for user authentication including Citrix NetScaler Administration Guide Password Authentication Protocol Challenge Handshake Authentication Protocol CHAP Microsoft Challenge Handshake Authentication Protocol MS CHAP Version 1 and Version 2 If your deployment of the NetScaler is configured to use
173. on of IP address and Netmask Specifying Log Properties Log properties associated with the filter are applied to all the log entries present in the filter The log property definition starts with the key word BEGIN and ends with END as illustrated in the following example BEGIN lt filtername gt logFilenameFormat INCXeDLIEEXCIOIAW aoo loginterval logFileSizeLimit END Entries in the definition can include the following LogFilenameFormat specifies the file name format of the log file The name of the file can be of the following types e Static A constant string that specifies the absolute path and the file name e Dynamic An expression that includes the following format specifiers Date format t creates file name with NSIP Example LogFileNameFormat Ex S Smsd y t log This creates the first file name as Exmmddyy log New files are named Exmmddyy log 0 Exmmddyy 1log 1 and so on In the following example the new files are crated when the file size reaches 100MB Example LogIinterval size LogFileSize 100 LogFileNameFormat Ex smsdsy t A Caution The date format t specified in the LogFilenameFormat parameter overrides the log interval property for that filter To prevent a new file being created every day instead of when the specified log file size is reached do not use t in the LogFilenameFormat parameter logDirectory specifies the directory name format of th
174. onization manually by logging on to the NetScaler and editing the ntp conf file To enable clock synchronization on your NetScaler by modifying the ntp conf file 1 Log on to the NetScaler command line 2 Switch to the shell prompt 3 Copy the etc ntp conf file to nsconfig ntp conf unless the nsconfig directory already contains an ntp conf file 4 Check the nsconfig ntp conf file for the following entries and if they are present remove them restrict localhost restrict 127 0 0 2 5 Add the IP address for the desired NTP server to the nsconfig ntp conf file beneath the file s server and restrict entries Note For security reasons there should be a corresponding restrict entry for each server entry Citrix NetScaler Administration Guide 6 If the nsconfig directory does not contain a file named rc netscaler create the file 7 Add the following entry to nsconfig rc netscaler usr sbin ntpd c nsconfig ntp conf l var log ntpd log amp This entry starts the ntpd service checks the ntp conf file and logs messages in the var log directory This process runs every time the NetScaler is restarted 8 Reboot the NetScaler to enable clock synchronization Note If you want to start the time synchronization process without restarting the NetScaler run the following command from the shell prompt usr sbin ntpd c nsconfig ntp conf l var log ntpd log amp Viewing the System Date and Time To c
175. oolbar Within a report you can use the chart toolbars to add modify or delete charts as described in Working with Charts on page 188 By default newly created custom reports contain one chart named System Overview that displays a CPU Usage counter plotted for the last day To create a custom report 185 Chapter8 Reporting Tool 1 In the Reporting tool on the report toolbar click Create or if you want to create a new custom report based on an existing report open the existing report and then click Save As 2 In Report Name box type a name for the custom report 3 Do one of the following e To add the report to an existing folder in Create in or Save in click the down arrow to choose an existing folder and then click OK e To create a new folder to store the report click the Click to add folder icon in Folder Name type the name of the folder and in Create in specify where you want the new folder to reside in the hierarchy and then click OK Note You can create up to 128 folders To delete a custom report 1 In the left pane of the Reporting tool next to Custom Reports click the Click to manage custom reports icon 2 Select the check box that corresponds with the report you want to delete and then click Delete Note When you delete a folder all the contents of that folder are deleted Modifying the Time Interval By default built in reports display data for the last day However if you want to
176. ory usage are displayed in first and second order at the bottom of the chart CPU usage is equal to Data Set 1 and Memory usage is equal to Data Set 2 e To plot each data set in its own hidden y axis click Multiple Axes and then click Enable To change the background color edge color and gridlines for a plot area of a chart 1 In the left pane of the Reporting tool select a report 2 In the right pane under the chart for which you want to customize the plot area click Customize 3 On the Plot Area tab under Category click one or more of the following e To change the background color and edge color of the chart click Background Color and Edge Color and then select the options for color transparency and effects e To change the horizontal or vertical grids of the chart click Horizontal Grids or Vertical Grids and then select the options for displaying the grids grid width grid color transparency and effects To change the color and graph type of a data set 1 In the left pane of the Reporting tool select a report 2 In the right pane under the chart for which you want to customize the display of the data set counters click Customize 3 On the Data Set tab in Select Data Set select the data set counter for which you want to customize the graphical display Note The data set numbers such as Data Set 1 correspond to the order in which the counters in your graph are displayed at the bottom of the cha
177. other entities that users and user groups are permitted to use The Citrix NetScaler appliance provides a set of built in command policies and you can configure custom policies To apply the policies you bind them to users and or groups Here are the key points to keep in mind when defining and applying command policies You cannot create global command policies Command policies must be bound directly to NetScaler users and groups Users or groups with no associated command policies are subject to the default DENY ALL command policy and are therefore unable to execute any configuration commands until the proper command policies are bound to their accounts All users inherit the policies of the groups to which they belong You must assign a priority to a command policy when you bind it to a user account or group account This enables the NetScaler to determine which policy has priority when two or more conflicting policies apply to the same user or group The following commands are available by default to any user and are unaffected by any command you specify help cli show cli attribute clear cli prompt alias unalias help history quit exit whoami config set cli mode unset cli mode show cli mode set cli prompt and show cli prompt Built in Command Policies The following table describes the built in policies 27 Chapter 1 Authentication and Authorization Table 1 1 Built in Command Policies P
178. ou press the Space bar 3 You can use the Add Expression dialog box as described in To add an expression by using the Add Expression dialog box e Comments comment Click Create or OK depending on whether you are creating a new policy or modifying an existing policy Click Close A message appears in the status bar stating that the configuration has been successfully implemented To add an expression by using the Add Expression dialog box 1 In the Add Expression dialog box in the first list box choose the first term for your expression HTTP The HTTP protocol Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol SYS The protected Web site s Choose this if you want to examine some aspect of the request that pertains to the recipient of the request Citrix NetScaler Administration Guide CLIENT The computer that sent the request Choose this if you want to examine some aspect of the sender of the request When you make your choice the rightmost list box lists appropriate terms for the next part of your expression 2 In the second list box choose the second term for your expression The choices depend upon which choice you made in the previous step and are appropriate to the context After you make your second choice the Help window below the Construct Expression window which was blank displays help describing the purpose and use of the term you just chose
179. pace ace a ethical cae 128 Viewing the System Date and TiMe 0 cece eee eee eee e eee een eee e anes 129 To view the system date and time by using the NetScaler command line 129 To view the system date and time by using the configuration utility 130 Configuring TCP Window Scaling 0 cece cece eee eee eee eee e eee nurnrnaru 130 xi Contents To configure window scaling by using the NetScaler command line 131 Parameters for configuring window sCaling ceeeeee seen eee ee eee neees 131 To configure window scaling by using the configuration utility 8 132 Configuring Selective Acknowledgment 0c ecee eee e eee tent eee teen tenn need 132 To enable Selective Acknowledgment SACK by using the NetScaler command E E E si aa caceaGeeian se adhesin 04 oe aed soo dees SE A EE ees 132 To enable SACK by using the Configuration Utility 0 eee eee 133 Clearing the Configuration 00 cece cece cence ee EA EE o SETAE Y 133 To clear a configuration by using the NetScaler command line 133 Parameters for clearing a configuration 00 cece cece eee ete eee eee e eens 134 To clear a configuration by using the configuration utility cece eee eee 134 Viewing the HTTP Band Statistics 0 ccc cece eee eee teen eee eee ee eens 134 To view HTTP request and response size statisti
180. parate alarms 59 Chapter 2 60 SNMP To configure an SNMP alarm for the throughput rate by using the NetScaler command line At the NetScaler command prompt type the following commands to configure the SNMP alarm and verify the configuration set snmp alarm PF RL RATE THRESHOLD thresholdValue lt positive_integer gt normalValue lt positive_integer gt state ENABLED DISABLED severity lt severity gt logging ENABLED DISABLED show snmp alarm PF RL RATE THRESHOLD Example gt set snmp alarm PF RL RATE THRESHOLD thresholdValue 70 normalValue 50 Done gt show snmp alarm PF RL RATE THRESHOLD Alarm Alarm Threshold Normal Threshold Time State Severity Logging E SHOLD 70 N A DISABLE ED To modify or remove the threshold values by using the NetScaler command line To modify the threshold values type the set snmp alarm PF RL RATE THRESHOLD command and the parameters to be changed with their new values To remove the threshold values type the unset snmp alarm PF RL RATE THRESHOLD command followed by the thresholdValue parameter but do not specify any value for the parameter Note The normal threshold value is automatically unset when you unset the high threshold value To configure an SNMP alarm for PPS by using the NetScaler command line At the NetScaler command prompt type the following commands to configure
181. product CD or download them from ftp netscaler com Log on to the Linux system as an administrator Use the following procedure to install the NSLOG server executable files on the system To install the NSLOG server package on a Linux operating system 1 At a Linux command prompt type the following command to copy the NSauditserver rpm file to a temporary directory cp lt path_to_cd gt Utilities auditserver Linux NSauditserver rpm tmp 2 Type the following command to install the NSauditserver rpn file rpm i NSauditserver rpm This command extracts the files and installs them in the following directories 82 Citrix NetScaler Administration Guide e usr local netscaler etc e usr local netscaler bin e usr local netscaler samples To uninstall the NSLOG server package on a Linux operating system 1 At a command prompt type the following command to uninstall the audit server logging feature rpm e NSauditserver 2 For more information about the NSauditserver RPM file use the following command rpm qpi rpm 3 To view the installed audit server files use the following command rpm qpl rpm rpm Specifies the file name Installing NSLOG Server on the FreeBSD Operating System Before you can install the NSLOG server you have to copy the NSLOG package from the NetScaler product CD or download it from www citrix com The NSLOG package has the following name format AuditServer lt release number gt lt b
182. prompt type the following commands to set the parameters and verify the configuration 76 Citrix NetScaler Administration Guide add audit syslogPolicy lt name gt lt rule gt lt action gt show audit syslogPolicy lt name gt Example gt ece adit siysilocolicy syslog ng viue eibkelaic actionl Done gt show audit syslogpolicy syslog poll 1 Name syslog poll RULES ng true AMOrLons EuL ECTO Done To configure an NSLOG policy by using the command line At the NetScaler command prompt type the following commands to set the parameters and verify the configuration add audit nslogPolicy lt name gt lt rule gt lt action gt show audit nslogPolicy lt name gt Example gt ade audit msilogPolicy mslog jpOlll ng trus nalog actionl Done gt show audit nslogPolicy nslog poll Name nslog poll Rules ne True Action nslog actionl Parameters for configuring audit policies name The name of NSLOG policy or SYSLOG policy rule The name of the rule or expression that the policy will use It currently supports only the rule ns_true This parameter is only for the command line In the configuration utility ns_true is internally assigned as a rule for the SYSLOG or the NSLOG policy action SYSLOG server action or the NSLOG server action NSLOG server action is bind to a NSLOG audit policy and SYSLOG server action is bind to a SYSLOG audit policy 77 Chapter3 Audit L
183. pt Booting kernel in seconds 2 Press CTRL C The following message appears Citrix NetScaler Administration Guide Type for a list of commands help for more detailed help ok Type boot s and press the ENTER key to start the NetScaler in single user mode After the NetScaler boots it displays the following message Enter full path name of shell or RETURN for bin sh Press the ENTER key to display the prompt and type the following commands to mount the file systems fsck dev adOs1a mount dev ad0s1a flash Using a text editor of your choice edit the flash nsconfig ns conf file and remove the set system user nsroot entry Save the file and exit the text editor Type reboot and press the ENTER key to reboot the NetScaler When the NetScaler completes rebooting it prompts for the user name and password Log on with the nsroot user credentials Once logged on to the NetScaler you will be required to enter a new nsroot user password Follow the prompts to change the password Exit the config ns menu Example of a User Scenario The following example shows how to create a complete set of user accounts groups and command policies and bind each policy to the appropriate groups and users The company Example Manufacturing Inc has three users who can access the Citrix NetScaler appliance John Doe The IT manager John needs to be able to see all parts of t
184. pter4 Web Server Logging b lt root directory extracted from the Windows NSWL client package zip file gt etc for example C nswl win 9 3 51 5 etc c lt root directory extracted from the Windows NSWL client package zip file gt samples for example C nswl win 9 3 51 5 samples 4 At a command prompt run the following command from the lt root directory extracted from the Windows NSWL client package zip file gt bin path nswl install f lt directorypath gt log conf lt directorypath gt Specifies the path to the configuration file log conf By default log conf isin the lt root directory extracted from the Windows NSWL client package zip file gt samples directory But you can copy log conf to your desired directory To uninstall the NSWL client on a Windows system At a command prompt run the following from the lt root directory extracted from the Windows NSWL client package zip file gt bin path nswl remove Installing NSWL Client on an AIX Operating System Copy the installation files from the NetScaler product CD or download them from ftp netscaler com Log on to the AIX system as an administrator Use the following procedure to install the NSWL executable and the other files on the system To install the NSWL client package on an AIX operating system 1 Copy the NSweblog rpm file into a temporary directory cp lt path_to_cd gt Utilities weblog AIX NSweblog rpm tmp 2 To install the NSWL ex
185. r Administration Guide You do not configure window scaling unless you clearly know why you want to change the window size Both hosts in the TCP connection send a window scale option during connection establishment If only one side of a connection sets this option windows scaling is not used for the connection Each connection for same session is an independent Window Scaling session For example when a client s request and the server s response flow through the NetScaler appliance it is possible to have window scaling between the client and the appliance without window scaling between the appliance and the server By default window scaling is not enabled To configure window scaling by using the NetScaler command line At the NetScaler command prompt type the following command to configure window scaling and verify the configuration set ns tcpParam WS ENABLED DISABLED WSVal lt positive_integer gt show ns tcpParam Example gt set ns tcpParam WS ED WSVal 6 Done gt Sly iis CEPE ren TCP Parameters Window Scaling status Window Scaling factor SAC Ker sie cis WE isin RIO la msLiLilsLeees 1000 INCI Silene Seek inaeieeumieimes Z Parameters for configuring window scaling WSVal Factor used to calculate new window size Possible values 0 to 8 Default 4 WS Enables or disables window scaling 131 Chapter5 Advanced Configurations To configu
186. r Retransmission The maximum limit on the number of packets that should be retransmitted on receiving a partial ACK Minimum value 1 Maximum value 100 Default 1 minRTO Minimum RTO in millisec The minimum round trip to origin RTO time in milliseconds Minimum value 10 Maximum value 64 000 Default 1 000 slowStartincr Slow Start Increment The multiplier that determines the rate at which slow start increases the size of the TCP transmission window after each acknowledgement of successful transmission Minimum value 1 Maximum value 100 Default 2 SACK Selective Acknowledgement Enable or disable selective acknowledgement SACK Possible values ENABLED DISABLED Default DISABLED nagle Use Nagle s Algorithm Enable or disable the Nagle algorithm on TCP connections Possible values ENABLED DISABLED Default DISABLED ackOnPush Immediate ACK on Receiving Packet with PUSH Send immediate positive acknowledgement ACK on receipt of TCP packets when doing Web 2 0 PUSH Possible values ENABLED DISABLED Default ENABLED To add a TCP profile by using the configuration utility 1 In the navigation pane expand System and then click Profiles 2 In the details pane on the TCP Profiles tab click Add 3 In the Create TCP Profiles dialog box set the following parameters e Name e Window Scaling e Factor e Maximum Burst Limit e Initial Congestion Window Size e TCP Delayed ACK Time out msec e Max
187. r change it to that of the LDAP server type you are using This attribute enables the NetScaler to obtain the groups associated with a user during authorization 11 In Security Type select the security type If you select PLAINTEXT or TLS for security use port number 389 If you select SSL use port number 636 12 To allow users to change their LDAP password select Allow Password Change If you select PLAINTEXT as the security type allowing users to change their passwords is not supported 13 Click Create 14 In the Create Authentication Policy dialog box next to Named Expressions select the expression click Add Expression click Create and click Close After the LDAP server settings are configured on the NetScaler bind the policy to the system global entity For more information about binding authentication policies globally see Binding the Authentication Policies to the System Global Entity on page 45 Determining attributes in the LDAP directory If you need help determining your LDAP directory attributes you can easily look them up with the free LDAP browser from Softerra You can download the LDAP browser from the Softerra LDAP Administrator Web site at http www ldapbrowser com After the browser is installed set the following attributes The host name or IP address of your LDAP server The port of your LDAP server The default is 389 The base DN field can be left blank The information provided b
188. r each virtual host To ensure continuous logging the maximum number of files that a process can have open should be sufficiently large See your operating system documentation for a procedure to change the number of files that can be opened Creating Apache Log Formats You can derive from the custom logs most of the log formats that Apache currently supports The custom log formats that match Apache log formats are NCSA combined LogFormat custom h l u t r s B referer i user agent i NCSA Common LogFormat custom h l u t r s B Referer Log LogFormat custom freferer i gt U Useragent LogFormat custom f user agent i Similarly you can derive the other server log formats from the custom formats Sample Configuration File 116 Following is a sample configuration file HEREREE EH This is the NSWL configuration file Only the default filter is active Remove leading to activate other filters HEPERE HET HEEERE HEH Default filter default on W3C Format logging new file is created every hour or on reaching 10MB file size and the file name is Exyymmdd log HEREREH EH Filter default begin default logFormat W3C logInterval Hourly logFileSizeLimit 10 Citrix NetScaler Administration Guide logFilenameFormat Ex Sysmsd t log end default HEPEEE EET netscaler caches example CACHE F filter covers all the transaction with HOST name www netscaler com and the liste
189. r the NetScaler appliance To add an HTTP profile by using the NetScaler command line At the NetScaler command prompt type 136 Citrix NetScaler Administration Guide add ns httpProfile name maxReusePool lt value gt dropInvalReqs ENABLED DISABLED markHttp09Inval ENABLED DISABLED markConnRealInval ENABLED DISABLED cmpOnPush ENABLED DISABLED conMultiplex ENABLED DISABLED sh ns httpProfile Example add ns httpProfile http profilel maxReuse dropInvalReqs ENABLED markHttp09Inval ENABLE markConnReqInval ED cmpOnPush ENABLE conMultiplex DISABLED Parameters for adding an HTTP profile name Name The name for an HTTP profile Can be from 1 to 127 characters and must begin with a letter a number or the underscore symbol _ Additional characters allowed after the first character are the hyphen period pound sign space at sign and equals sign maxReusePool Max Connection in reusepool The maximum allowed number of connections from the NetScaler appliance to a particular server in the reuse pool This setting is helpful for optimal memory utilization and for reducing the idle connections to the server just after a peak in the number of connections conMultiplex Connection Multiplexing Reuse existing server connections for multiple client connections Possible values ENABLED DISABLED
190. rd 00 cece cece ee eee ees 34 To reset the nsroot paSSword 0200 cece cece eee cece eee eee eee eeeeeeeeeees 34 Example of a User Scenario 2 00 0 cece cece cece eee e eee e eee eeeeeneeaees 35 Configuration Steps sdi ety teed tee saan eleva dete sean dee a 36 Configuring External User Authentication 00 cece cece eee eee e eee eee tees 37 Configuring LDAP Authentication 0 0 2 0 ccc cece eee ener renee een eee enenees 38 To configure LDAP authentication by using the configuration utility 40 Determining attributes in the LDAP directory 0 cece eee eee ees 41 Configuring RADIUS Authentication 0 cc cece cece cnet nee eee ene eens 42 To configure RADIUS authentication by using the configuration utility 42 Choosing RADIUS authentication protocols 0 ccc eee eee eee eens 42 Configuring IP address extraction 0 cece eect eee tenet nent eee e tees 43 Configuring TACACS Authentication 0 0 c cece eect eee ee eee eens 44 To configure TACACS authentication by using the configuration utility 44 Configuring NT4 Authentication 00 cece cece eee eee eee eee eee eens 44 To configure NT4 authentication by using the configuration utility 45 Binding the Authentication Policies to the System Global Entity 45 To bind an authentication policy globally by using the
191. re window scaling by using the configuration utility 1 In the navigation pane expand System and then click Settings 2 In the details pane under Settings click Configure TCP Parameters 3 In the Configure TCP Parameters dialog box under TCP select the Windows Scaling check box to enable window scaling 4 In the Factor text box type a windows scaling factor for example 6 For possible values see Parameters for configuring window scaling 5 Click OK A message appears in the status bar stating that window scaling has been configured successfully Configuring Selective Acknowledgment NetScaler appliances support Selective Acknowledgment SACK as defined in RFC 2018 Using SACK the data receiver either a NetScaler or a client notifies the sender about all the segments that have been received successfully As a result the sender either a NetScaler or a client needs to retransmit only those segments that were lost during transmission This improves the performance of data transmission SACK is important in long fat networks LFNs By default SACK is disabled To enable Selective Acknowledgment SACK by using the NetScaler command line At the NetScaler command prompt type the following commands to enable Selective Acknowledgment SACK and verify the configuration set ns tcpParam SACK ENABLED DISABLED show ns tcpParam Example gt set ns tcpParam SACK ENABLE Done
192. ression click Create and click Close When the settings for Windows NT 4 0 authentication are configured bind the policy to the system global entity For more information about binding authentication policies globally see Binding the Authentication Policies to the System Global Entity on page 45 Binding the Authentication Policies to the System Global Entity When the authentication policies are configured bind the policies to the system global entity To bind an authentication policy globally by using the configuration utility 1 In the navigation pane expand System and then click Authentication On the Policies tab click Global Bindings Under Details click Insert Policy a ier Under Policy Name select the policy and click OK To unbind a global authentication policy by using the configuration utility 1 In the navigation pane expand System and then click Authentication 45 Chapter 1 46 Authentication and Authorization 2 On the Policies tab click Global Bindings 3 In the Bind Unbind Authentication Policies dialog box in Policy Name select the policy click Unbind Policy and then click OK Chapter 2 SNMP Topics Importing MIB Files to the SNMP Manager and Trap Listener Configuring the NetScaler to Generate SNMPv1 and SNMPv2 Traps Configuring the NetScaler for SNMP v1 and v2 Queries Configuring SNMP Alarms for Rate Limiting Configuring the NetScaler for SNMPv3 Queries You
193. ring User o dat 6T Prompt Inherited From User Done To modify or remove a user account by using the NetScaler command line To modify a user s password type the set system user lt userName gt command and the parameters to be changed with their new values To remove a user account type the rm system user lt userName gt command Parameters for configuring a user account userName User Name A name for the user The name can begin with a letter number or the underscore symbol and can consist of from 1 to 31 letters numbers and the hyphen period pound space at sign equals colon and underscore _ symbols password Password A password that the user uses to log on promptString CLI Prompt A name for the user s NetScaler command line prompt The name can consist of letters numbers the hyphen period pound space at sign equals colon underscore _ symbols and the following variables u Is replaced by the user name h Is replaced by the host name of the NetScaler appliance t Is replaced by the current time in 12 hour format T Is replaced by the current time in 24 hour format d Is replaced by the current date s ls replaced by the state of the NetScaler appliance A maximum of 63 characters are allowed for this parameter A variable for example u is counted as two characters The resulting prompt can
194. riority value 5 The configuration you just created results in the following John Doe the IT manager has read only access to the entire NetScaler configuration but he cannot make modifications Maria Ramirez the IT lead has near complete access to all areas of the NetScaler configuration having to log on only to perform NetScaler level commands Michael Baldrock the IT administrator responsible for load balancing has read only access to the NetScaler configuration and can modify the configuration options for load balancing The set of command policies that applies to a specific user is a combination of command policies applied directly to the user s account and command policies applied to the group s of which the user is a member Each time a user enters a command the operating system searches the command policies for that user until it finds a policy with an ALLOW or DENY action that matches the command When it finds a match the operating system stops its command policy search and allows or denies access to the command If the operating system finds no matching command policy it denies the user access to the command in accordance with the NetScaler appliance s default deny policy Note When placing a user into multiple groups take care not to cause unintended user command restrictions or privileges To avoid these conflicts when organizing your users in groups bear in mind the NetScaler command policy search pro
195. rs are configured Possible Values ENABLED DISABLED Default DISABLED To enable or disable unconditional SNMP trap logging by using the configuration utility 1 In the navigation pane expand System and then click SNMP 2 In the details pane under Settings click Configure SNMP Options 3 In the Configure SNMP Options dialog box select the SNMP Trap Logging check box 4 Click OK Configuring the NetScaler for SNMP v1 and v2 Queries You can query the NetScaler SNMP agent for system specific information from a remote device called SNMP managers The agent then searches the management information base MIB for the data requested and sends the data to the SNMP manager The following types of SNMP v1 and v2 queries are supported by the SNMP agent GET GET NEXT ALL GET BULK You can create strings called community strings and associate each of these to query types You can associate one or more community strings to each query type Community string are passwords and used to authenticate SNMP queries from SNMP managers For example if you associate two community strings such as abc and bcd to the query type GET NEXT the SNMP agent on the NetScaler appliance considers only those GET NEXT SNMP query packets that contain abc or bcd as the community string Specifying an SNMP Manager 54 You must configure the NetScaler appliance to allow the appropriate SNMP managers to query it You must also provide the SNMP m
196. rt For example if CPU usage and Memory usage are displayed in first and second order at the bottom of the chart CPU usage is equal to Data Set 1 and Memory usage is equal to Data Set 2 4 Under Category do one of more of the following e To change the background color click Color and then select the options for color transparency and effects e To change the graph type click Plot type and then select the graph type you want to display for the data set If you want to display the graph as 3D select the Use 3D check box Exporting Chart Data to Excel For further data analysis you can export charts to Excel in a comma separated value CSV format 191 Chapter8 Reporting Tool To export chart data to Excel 1 In the left pane of the Reporting tool select a report 2 In the right pane under the chart with the data you want to export to Excel click Export Deleting a Chart If you do not want to use a chart you can remove it from the report You can permanently remove charts from custom reports only If you delete a chart from a built in report and want to retain the changes you need to save the report as a custom report To delete a chart 1 In the left pane of the Reporting tool select a report 2 In the right pane under the chart that you want to delete click the Delete icon Examples To display the trend report for CPU usage and memory usage for the last week 1 In the left pane of the Report
197. rtual server on the NetScaler appliance and bind the Web interface service running on port 8080 of the NetScaler appliance to the virtual server Clients on the LAN use the virtual server IP address to access the Web interface When using this access method the URL format for the Web interface site is as follows lt HTTP or HTTPS gt lt HTTP or HTTPS vserver IP address gt lt vserver port number gt lt Web Interface site path gt Gateway Direct Mode You associate the Web interface site with Access Gateway Remote clients use the Access Gateway URL to access the Web interface site With this access method the URL format for the Web interface site is as follows Citrix NetScaler Administration Guide HTTPS lt Access Gateway URL gt lt Web Interface site path gt Parameters for configuring Web interface sites Site Type Type of site Possible values XenApp XenDesktop Web Site configures the Web interface site for access by a Web browser XenApp XenDesktop Services Site configures the Web interface site for access by the XenApp plug in Default XenApp XenDesktop Web Site Site Path Path to the Web interface site This parameter is required Type a site path or select one of the following Citrix XenApp Citrix DesktopWeb Citrix PNAgent Published Resource Type Method for accessing the published XenApp and XenDesktop resources Possible values Online allows applications to be launched on the XenApp
198. rver farm 1 A user authenticates to the Web interface through a Web browser or by using the XenApp plug in 2 The Web interface reads the user s credentials and forwards the information to the Citrix XML Service running on servers in the server farm 3 The Citrix XML Service on the designated server retrieves from the servers a list of resources that the user can access These resources constitute the user s resource set and are retrieved from the Independent Management Architecture IMA system 4 The Citrix XML Service then returns the user s resource set to the Web interface running on the NetScaler The user clicks an icon that represents a resource on the HTML page The Web interface queries the Citrix XML Service for the least busy server The Citrix XML Service returns the address of this server to the Web interface The Web interface sends the connection information to the Web browser eo ON DBD VI The Web browser initiates a session with the server Prerequisites The following prerequisites are required before you begin installing and configuring the Web interface XenApp or XenDesktop farms are set up and running in your environment For more information about XenApp see the XenApp documentation at http 150 Citrix NetScaler Administration Guide edocs citrix com For more information about XenDesktop see the XenDesktop farms documentation at http edocs citrix com Conceptual knowledge
199. secure LDAP connections LDAP connections that use the StartTLS command use port number 389 If port numbers 389 or 3268 are configured on the NetScaler it tries to use StartTLS to make the connection If any other port number is used connection attempts use SSL TLS If StartTLS or SSL TLS cannot be used the connection fails When configuring the LDAP server the case of the alphabetic characters must match that on the server and on the NetScaler If the root directory of the LDAP server is specified all of the subdirectories are also searched to find the user attribute In large directories this can affect performance For this reason Citrix recommends that you use a specific organizational unit OU The following table lists examples of user attribute fields for LDAP servers 38 Citrix NetScaler Administration Guide Table 1 5 User Attribute Fields for LDAP Servers LDAP server User attribute Case sensitive Microsoft Active Directory Server sAMAccountName No Novell eDirectory cn Yes IBM Directory Server uid Yes Lotus Domino CN Yes Sun ONE directory uid or cn Yes formerly iPlanet The following table lists examples of the base distinguished name DN Table 1 6 Examples of Base Distinguished Name LDAP server Base DN Microsoft Active Directory DC citrix DC local Novell eDirectory dc citrix dc net IBM Directory Server cn users Lotus Domino OU City
200. server logging started as a background process on the Solaris or Linux operating systems At the command prompt type nswl stop To stop Web server logging started as a service on the Windows operating system At the command prompt type nswl stopservice Customizing Logging on the NSWL Client System You can customize logging on the NSWL client system by making additional modifications to the NSWL client configuration file log conf Use a text editor to modify the log conf configuration file on the client system 105 Chapter4 Web Server Logging To customize logging use the configuration file to define filters and log properties Log filters Filter log information based on the host IP address domain name and host name of the Web servers Log properties Each filter has an associated set of log properties Log properties define how to store the filtered log information Creating Filters You can use the default filter definition located in the configuration file log conf or you can modify the filter or create a new filter You can create more than one log filter Note Consolidated logging which logs transactions for which no filter is defined uses the default filter if it is enabled Consolidated logging of all servers can be done by defining only the default filter If the server hosts multiple Web sites and each Web site has its own domain name and each domain is associated with a virtual server you can
201. shown e Severity severity e Logging logging 5 Select the Enable check box to enable the alarm 6 Click OK and then click Close Configuring the NetScaler for SNMPv3 Queries Simple Network Management Protocol Version 3 SNMPv3 is based on the basic structure and architecture of SNMPv1 and SNMPv2 However SNMPv3 enhances the basic architecture to incorporate administration and security capabilities such as authentication access control data integrity check data origin verification message timeliness check and data confidentiality To implement message level security and access control SNMPv3 introduces the user based security model USM and the view based access control model VACM User Based Security Model The user based security model USM provides message level security It enables you to configure users and security parameters for the SNMP agent and the SNMP manager USM offers the following features 63 Chapter 2 SNMP e Data integrity To protect messages from being modified during transmission through the network e Data origin verification To authenticate the user who sent the message request e Message timeliness To protect against message delays or replays e Data confidentiality To protect the content of messages from being disclosed to unauthorized entities or individuals View Based Access Control Model The view based access control model VACM enables you to configure access rights
202. sociated action Finally you bind each policy either globally or to a specific vservers to put it into effect You can further set AppFlow parameters to specify the template refresh interval and to enable the exporting of httpURL httpCookie and httpReferer information On each collector you must specify the NetScaler IP address as the address of the exporter Note For information about configuring the NetScaler as an exporter on the collector see the documentation for the specific collector The configuration utility provides tools that help users define the policies and actions that determine exactly how the NetScaler appliance export records for a particular flow to a set of collectors action The NetScaler command line provides a corresponding set of CLI based commands for experienced users who prefer a command line Citrix NetScaler Administration Guide Enabling or Disabling the AppFlow Feature To be able to use the AppFlow feature you must first enable it To enable or disable the AppFlow feature by using the NetScaler command line At the NetScaler command prompt type one of the following commands enable ns feature appflow disable ns feature appflow To enable the AppFlow feature by using the configuration utility 1 In the navigation pane expand System and then click Settings 2 In the details pane under Modes and Features click Configure advanced features 3 In the Configure Advanced Features dialog box selec
203. sorei a to ones Ravage tava leak hoe aa Sea ee Bannon uae detention 71 Configuring the NetScaler Appliance for Audit Logging cceeeeee eee eee eens 73 Configuring Audit Servers ccc cece cece eee nee n ee ee nee e teen tenn ne een ented 73 To configure a SYSLOG server action by using the command line 73 To configure an NSLOG server action by using the command line 74 Parameters for configuring auditing Servers 0 cece eee e ee eens 74 Log levels defined poraa prora arn A TAEA EA KAUAA seeders 75 To configure an auditing server action ccs cece cece e eee eee ee 76 Configuring Audit Polas rren 0 cece cece nee AASA eee n teen n nee 76 To configure a SYSLOG policy by using the command line 5 76 To configure an NSLOG policy by using the command line 5255 77 Parameters for configuring audit policies 00 cee cece e eee eee eens 77 To configure an audit server pOlicy cece eee eee eee eee e eee eee e eae 78 Binding the Audit Policies Globally 0 cece cece eect e eee ene ene eet ne eens 78 To configure a SYSLOG policy by using the command line 5 78 Parameters for binding the audit policies globally 0 cece eee eens 78 viii Citrix NetScaler Administration Guide To globally bind the audit policy n 0 cece eee ete eeee eee eee eee e eee 79 Configuring Polic
204. sses of the NetScaler appliance 2 2 0e 0e 87 Verifying the NSLOG Server Configuration File 00 cece eee eee eee e eens 88 Running the NSLOG Servel cece cece eee eee eee eee tebe ene ete eee ne eens 88 To start audit server lOQGiNG 6 cee eee e cee e eee tenet eee e eee eee ne eens 88 To stop audit server logging that starts as a background process in FreeBSD or LINUX A oxo bate c tea E E L E E E E E E aaa E TE E EET TE 88 To stop audit server logging that starts as a service in Windows 65 88 Customizing Logging on the NSLOG Server 0 cece ee eee eee eee eee ee eens 89 Creating FINGIS sca tice ced tee eke id Adega aie peed tase ASARAN A 89 To create a filleri ctes veate ended meine ae es deena Oe ein eae A eee Ld 89 Specifying Log Properes arria a aaa APE eeb eae AEA REETA 90 Default Settings for the Log Properties sssssassrrssressrrerrererrsirrrsarsrnarerne 91 Sample Configuration File audit conf 0 0 cece cece e eee eee eee eee tener eens 92 4 Web Server Logging lt cccciccdseeckwininecis caraaeeoiae a E a E a A SA a AAE A 93 Configuring the NetScaler Appliance for Web Server Logging 0 e eeeeeeeees 94 Enabling or Disabling Web Server Logging c cece eee eee eee eee ee eees 94 To enable or disable Web server logging by using the NetScaler command E EEEE EE PEIE ALLEI E ESTE TE SE E TEE NE TS 94 To enable or disable
205. st and more general policies in descending order finishing with the most general policy gotoPriorityExpression The priority of the next policy that should be evaluated if this policy matches If set to END this parameter halts the policy evaluation process after evaluation of the current policy If you are careful to assign your policy priorities in the right order you can use this parameter to skip over policies in the event that the current policy matches and go directly to a specific policy type Bind point specifying where to bind the policy invoke Invoke flag labelType Type of policy label invocation labelName Name of the label to invoke if the current policy rule evaluates to TRUE To globally bind an AppFlow policy by using the configuration utility 1 In the navigation pane expand AppFlow 2 On the AppFlow page click Policy Manager 3 In the AppFlow Policy Manager dialog box in the Bind Points menu select Default Global 4 Click Insert Policy to insert a new row and display a drop down list of all unbound AppFlow policies Citrix NetScaler Administration Guide 5 Click one of the policies on the list That policy is inserted into the list of globally bound AppFlow policies 6 Click Apply Changes 7 Click Close A message appears in the status bar stating that the configuration has been successfully implemented To bind an AppFlow policy to a specific virtual server by using the configuratio
206. t the AppFlow check box and then click OK 4 In the Enable Disable Feature s dialog box click Yes Specifying a Collector A collector receives flow records generated by the NetScaler appliance To be able to send flow records you must specify at least one collector You can specify up to four However you cannot export the same data to multiple collectors You can remove unused collectors To specify a collector by using the NetScaler command line At the NetScaler command prompt type the following commands to add a collector and verify the configuration add appflowCollector lt name gt IPAddress lt ipaddress gt port lt port_number gt show appflowCollector lt name gt Example gt add appflowCollector colll IPAddress 10 102 29 251 port SOOC Done gt show appflowCollector colll 1 Collector name colll Collectou wr A addres Se m LORM02Zm2Z9e Zam Collector UDP port 8000 171 Chapter 7 AppFlow To remove a collector by using the NetScaler command line At the NetScaler command prompt type rm appflowCollector lt name gt Parameters for specifying a collector name Name of the collector to which to export data Maximum characters 255 ipaddress The IPv4 address of the collector port The UDP port on which the collector is listening Default port 4739 To specify a collector by using the configuration utility 1 In the navigation pane expand AppFlow and then click Collectors
207. ta Data Collection Utility from the database and displays them in charts Reports are a collection of charts The Reporting tool provides built in reports as well as the option to create custom reports In areport you can modify the charts and add new charts You can also modify the operation of the data collection utility nscollect and stop or start its operation 183 Chapter 8 Reporting Tool Using the Reporting Tool The Reporting tool is a Web based interface accessed from the Citrix NetScaler appliance Use the Reporting tool to display the performance statistics data as reports containing graphs In addition to using the built in reports you can create custom reports which you can modify at any time Reports can have between one and four charts You can create up to 256 custom reports To invoke the Reporting tool 1 Use the Web browser of your choice to connect to the IP address of the NetScaler for example http 10 102 29 170 The Web Logon screen appears In the User Name text box type the user name assigned to the NetScaler In the Password text box type the password KR WwW N In the Start in drop down box select Reporting 5 Click Login The following screen shots show the report toolbar and the chart toolbar which are frequently referenced in this documentation Figure 8 1 Report Toolbar SY Duration A Zoomin AZoom out Scroll ge Reset Create fSave bSave As Delete 4 Settings
208. talls them in the following directories e usr local netscaler etc e usr local netscaler bin e usr local netscaler samples To uninstall the NSWL client package on a Linux operating system At a command prompt type rpm e NSweblog To get more information about the NSweblog RPM file At a command prompt type rpm qpi rpm To view the installed Web server logging files At a command prompt type rpm qpl rpm Installing NSWL Client on a FreeBSD Operating System Copy the installation files from the NetScaler product CD or download them from ftp netscaler com Log on to the FreeBSD system as an administrator Use the following procedure to install the NSWL executable and the other files on the system To install the NSWL client package on a FreeBSD operating system 1 At a command prompt copy the NSweblog tgz file into a temporary directory cp lt path_to_cd gt Utilities weblog Freebsd NSweblog tgz tmp 2 Change to the temporary directory cd tmp 3 Install the package using the following command pkg_add NSweblog tgz 99 Chapter4 Web Server Logging This command extracts the files and installs them in the following directories e usr local netscaler etc e usr local netscaler bin e usr local netscaler samples 4 To verify that the package is installed use the following command pkg_info grep NSweblog To uninstall the NSWL client package on a FreeBSD operating system At a command prompt
209. te s ls replaced by the state of the NetScaler appliance A maximum of 63 characters are allowed for this parameter A variable for example u is counted as two characters The resulting prompt can be longer than 63 characters timeout CLI Idle Session Timeout Secs Time out value in seconds for inactive CLI sessions for all the users that are part of this group If a user s CLI session is idle for a time that exceeds the time out value the NetScaler appliance terminates the connection To configure a user group by using the configuration utility 1 In the navigation pane expand System and then click Groups 2 In the details pane do one of the following e To create a new user group click Add e To modify an existing user group select the group and then click Open 3 In the Create System Group or Configure System Group dialog box set the following parameters Citrix NetScaler Administration Guide e Group Name Required for a new group Cannot be changed for an existing group e CLI Prompt e CLI Idle Session Timeout Secs A required parameter Under Members select users from the Available Users list and click Add to move them to the Configured Users list Click Create or OK and then click Close A message appears in the status bar stating that the group has been configured successfully Configuring Command Policies Command policies regulate which commands command groups vservers and
210. the log conf file The following table describes the NCSA Common log format 109 Chapter 4 110 Web Server Logging Table 4 5 NCSA Common Log Format Argument Specifies Client _IP_address The IP address of the client computer User Name The user name Date The date of the transaction Time The time when the transaction was completed Time Zone The time zone Greenwich Mean Time or local time Method The request method for example GET POST Object The URL HTTP_version The version of HTTP used by the client HTTP_StatusCode The status code in the response Bytes Sent The number of bytes sent from the server W3C Extended Log Format An extended log file contains a sequence of lines containing ASCII characters terminated by either a Line Feed LF or the sequence Carriage Return Line Feed CRLF Log file generators must follow the line termination convention for the platform on which they are run Log analyzers must accept either LF or CRLF form Each line may contain either a directive or an entry If you want to use the W3C Extended log format enter W3C as the Log Format argument in the log conf file By default the standard W3C log format is defined internally as the custom log format shown as follows 6 SY Sm SdSH M SS t ta Su 6S SA Sp Sm SU SQ SS z user agent i cookie i referer i oe eh oe I ole am ae ait For a description of the mea
211. the entity database If the first n counters change in the subsequent fetch the database stores more than n entries for that entity type However you need to delete the unused entity counters manually Note The Reporting tool supports only numerical counters By default nscollect retrieves data at every 5 minute interval Data is maintained in 5 minute granularity for one day hourly for the last 30 days and daily for three years When you start the NetScaler the nscollect utility automatically starts However if data is not updated accurately or there is corrupted data displayed in the reports you can stop and then restart the utility You may also want to stop nscollect to back up the databases or to create a new data source To stop nscollect At a NetScaler command prompt type the following netscaler nscollect stop You can start nscollect on either the local system or a remote system To start nscollect on the local system At a NetScaler command prompt type the following 194 Citrix NetScaler Administration Guide netscaler nscollect start To start nscollect on the remote system At a NetScaler command prompt type the following netscaler nscollect start U NS_ P UserName Password ds DataSourceName Example netscaler nscollect start U O10229 170s ne roots naroon es Cerewet 195
212. the trap and then click Open 3 In the Create SNMP Trap Destination or Configure SNMP Trap dialog box set the following parameters e Type trapClass e Version version e Destination IP Address trapDestination e Destination Port destPort e Source IP Address srclP e Minimum Severity severity e Community Name communityName A required parameter 4 Click Create or OK and then click Close A message appears in the status bar stating that the trap has been configured successfully Enabling Unconditional SNMP Trap Logging By default the NetScaler appliance logs any SNMP trap messages for SNMP alarms in which logging is enabled when at least one trap listener is specified on the NetScaler appliance However you can specify that SNMP trap messages be logged even when no trap listeners are configured To enable or disable unconditional SNMP trap logging by using the NetScaler command line At a NetScaler command prompt type set snmp option snmpTrapLogging ENABLED DISABLED show snmp option Example gt set snmp option snmpset Done gt show snmp option Snmpset DISABLE SnmpTrapLogging ENABLED Done z 53 Chapter 2 SNMP Parameters for unconditional SNMP trap logging SnmpTrapLogging SNMP Trap Logging Enable the NetScaler appliance to log any SNMP traps messages for those respective SNMP alarms in which logging is enabled even when no trap listene
213. tility 1 In the navigation pane expand the feature node for which you want to enable AppFlow and then click Virtual Servers 179 Chapter 7 AppFlow For example expand Content Switching to enable AppFlow for a content switching virtual server and then click Virtual Servers In the details pane do one of the following e To enable AppFlow for a new virtual server click Add e To enable AppFlow for an existing virtual server select the virtual server and then click Open In the Create Virtual Server feature_name dialog box or the Configure Virtual Server feature_name dialog box select the AppFlow Logging check box Click Create or OK and then click Close Enabling AppFlow for a Service You can enable AppFlow for services that are to be bound to the load balancing virtual servers To enable AppFlow for a service by using the NetScaler command line At the NetScaler command prompt type set service lt name gt appflowLog ENABLED To enable AppFlow for a service by using the configuration utility 1 2 In the navigation pane expand Load Balancing and then click Services In the details pane do one of the following e To enable AppFlow for a new service click Add e To enable AppFlow for an existing service select the service and then click Open In the Create Service or the Configure Service dialog box select the AppFlow Logging check box Click OK and then click Close Setting the
214. ting MIB Files to the SNMP Manager and Trap Listener You must download the following files to SNMP managers and trap listeners before you start monitoring a NetScaler appliance NS MIB smiv1 mib This file is used by SNMPv1 managers and trap listeners NS MIB smiv2 mib This file is used by SNMPv2 and SNMPv3 managers and SNMPv2 trap listeners The MIB files include the following A subset of standard MIB 2 groups Provides the MIB 2 groups SYSTEM IF ICMP UDP and SNMP A NetScaler enterprise MIB Provides NetScaler specific configuration and statistics To import the MIB files to the SNMP manager and trap listener Logon to the Downloads page of NetScaler appliance GUI Under SNMP Files do one of the following a If your SNMP management application is other than WhatsUpGold download the following files to your SNMP management application NS MIB smiv2 mib NS MIB smiv1 mib b If you are using the WhatsUpGold SNMP management application download only the following files to the SNMP management application mib txt traps txt Configuring the NetScaler to Generate SNMPv and SNMPv2 Traps You can configure the NetScaler to generate asynchronous events which are called traps The traps are generated whenever there are abnormal conditions on the NetScaler The traps are sent to a remote device called a trap listener This helps administrators monitor the NetScaler and respond promptly to any issues
215. tion of system resources The default value of the LearnVsvrMSS parameter is DISABLED When enabled MSS learning is applicable only to virtual servers of type TCP HTTP and FTP To configure the NetScaler to learn the MSS for a virtual server by using the NetScaler command line At the NetScaler command prompt type the following commands to configure the NetScaler to learn the MSS for a virtual server and verify the configuration set ns tcpParam learnVsvrMSS ENABLED DISABLED show ns tcpParam Example gt set ns tcpParam learnVsvrMSS ENABLED Done gt show ns tcpParam TCP Parameters Window Scaling status DISABLED Window Scaling factor me SACK status DISABLED Learn MSS for VServer ENABLED Citrix NetScaler Administration Guide Done gt Parameters for configuring the NetScaler to learn the MSS for a virtual server learnVsvrMSS Enable or disable MSS learning for virtual servers Possible values ENABLED DISABLED Default DISABLED To configure the NetScaler to learn the MSS for a virtual server by using the NetScaler configuration utility 1 In the navigation pane expand System and then click Settings 2 In the details pane click Change TCP parameters 3 In the Configure TCP Parameters dialog box select the Learn MSS check box 147 Chapter5 Advanced Configurations 148 Chapter 6 Web Interface Topics How We
216. tional SNMP trap logging by using the NetScaler COMMANGE MING Ja deanna EE ESANA RTI AN SEAIA EEVEE 53 Parameters for unconditional SNMP trap logging cece eee e eee ees 54 To enable or disable unconditional SNMP trap logging by using the CONIQUHAtION ya oeiia arean os vonadi de dates noes GaGa nad daw E VETERE ae vere 54 Configuring the NetScaler for SNMP v1 and v2 QuerieS 0 00eeceeee eee ee eee 54 Specifying an SNMP Managel 0 c cece cece ee eee eee eee en eee tne eee en ees 54 To add an SNMP manager by using the NetScaler command line 55 To add an SNMP manager by specifying its IP address using the NetScaler COMMANG NINO xe ro Erener nt Er erT AARETE AA cis Hhewher RAEV ERAAN aia 55 To add an SNMP manager by specifying its host name using the NetScaler command IMNE s arsaa alee tag deta A AA be desta ANEAN A TARET NAAA 56 Parameters for configuring an SNMP manager 2 0eeeeee eee eee ees 56 To add an SNMP manager by using the configuration utility 57 Specifying an SNMP Commuhity 000 cece eee eee e eee eee eet eee enn eee 58 To specify an SNMP community by using the NetScaler command line 58 Parameters for configuring an SNMP community string e eee 58 To configure an SNMP community string by using the configuration utility 58 To remove an SNMP community string by using the configuration utility 59 Config
217. tly supports Creating a Custom Log Format by Using the NSWL Library Use one of the following NSWL libraries depending on whether the NSWL executable has been installed on a Windows or Solaris host computer Windows The nswl lib library located in ns bin directory on the system manager host computer Citrix NetScaler Administration Guide Solaris The libnswl a library located in usr local netscaler bin To create the custom log format by using the NSWL Library 1 Add the following two C functions defined by the system in a C source file ns_userDefFieldName This function returns the string that must be added as a custom field name in the log record ns_userDefFieldVal This function implements the custom field value then returns it as a string that must be added at the end of the log record 2 Compile the file into an object file 3 Link the object file with the NSWL library and optionally with third party libraries to form a new NSWL executable 4 Adda d string at the end of the logFormat string in the configuration file log conf Example EERE HEHE HH A new file is created every midnight or on reaching 20MB file size and the file name is datadisk5 netscaler log NS lt hostname gt Nsmmddyy log and create digital signature field for each record BEGIN CACHE F logFormat custom Sa S user agent i d SB SY ST g Sx Ss Sb referrer i S user agent i S cookie i d logInt
218. tracted to the NSweblog directory 4 Install the package with the following command pkgadd d The list of available packages appears In the following example one NSweblog package is shown 1 NSweblog NetScaler Weblogging SunOS sparc 7 0 5 You are prompted to select the packages Select the package number of the NSweblog to be installed After you select the package number and press Enter the files are extracted and installed in the following directories e usr local netscaler etc e usr local netscaler bin e usr local netscaler samples 6 At a command prompt type the following command to check whether the package is installed pkginfo grep NSweblog To uninstall the NSWL client package on a Solaris operating system At a command prompt type pkgrm NSweblog Installing NSWL Client on a Linux Operating System 98 Copy the installation files from the NetScaler product CD or download them from ftp netscaler com Log on to the Linux system as an administrator Use the following procedure to install the NSWL executable and the other files on the system To install the NSWL client package on a Linux operating system 1 At a command prompt copy the NSweblog rpm file into a temporary directory Citrix NetScaler Administration Guide cp lt path_to_cd gt Utilities weblog Linux NSweblog rpm tmp 2 To install the NSWL executable use the following command rpm i NSweblog rpm This command extracts the files and ins
219. ts specified by the INFORMATION setting but in greater detail 75 Chapter3 Audit Logging INFORMATION Log actions taken by the NetScaler This level is useful for troubleshooting problems DEBUG Log extensive detailed information to help developers troubleshoot problems To configure an auditing server action 1 In the navigation pane expand System expand Auditing and then click Policies 2 In the details pane on the Servers tab do one of the following e To create a new server action click Add e To modify an existing server action select the server and then click Open 3 In the Create Auditing Server or Configure Auditing Server dialog box specify values for the following parameters which correspond to parameters described in Parameters for configuring auditing servers as shown e Name name e IP Address serverIP e Port serverPort e Log Levels logLevel e Log Facility logFacility e Date format dateFormat e Time Zone timeZone e TCP Logging tcp e ACL Logging acl e User Configurable Log Messages userDefinedAuditlog e AppFlow Export appflowExport A required parameter 4 Click Create or OK and then click Close A message appears in the status bar stating that the auditing server has been configured successfully Configuring Audit Policies The audit policies define the SYSLOG or NSLOG protocol To configure a SYSLOG policy by using the command line At the NetScaler command
220. uild number gt zip for example AuditServer 9 3 51 5 zip This package contains NSLOG installation packages for all supported platforms Note NSLOG server is not supported on the underlying FreeBSD OS of the NetScaler appliance To download NSLOG package from www Citrix com 1 In a web browser go to www citrix com In the menu bar click Log In Enter your login credentials and then click Log In 2 3 4 In the menu bar click Downloads 5 Search to find the page that provides the appropriate release number and build 6 On that page under Audit Servers click Download to download the NSLOG package having the format AuditServer lt release number gt lt build number gt zip to your local system for example AuditServer 9 3 51 5 zip 83 Chapter3 Audit Logging To install the NSLOG server package on a FreeBSD operating system 1 On the system to which you have downloaded the NSLOG package AuditServer lt release number gt lt build number gt zip for example AuditServer 9 3 51 5 zip extract the FreeBSD NSLOG server package audserver bsd lt release number gt lt build number gt tgz for example audserver bsd 9 3 51 5 tgz from the package 2 Copy the FreeBSD NSLOG server package audserver bsd lt release number gt lt build number gt tgz for example audserver bsd 9 3 51 5 tgz toa directory on a system running FreeBSD OS 3 At a command prompt for the directory into which t
221. ure has been enabled or disabled Modifying the Default Buffer Size You can change the default buffer size of 16 megabytes MB for Web server logging to suit your requirements To activate your modification you must disable and reenable Web server logging To modify the buffer size by using the NetScaler command line At the NetScaler command prompt type the following commands to modify the buffer size and verify the configuration set weblogparam bufferSizeMB lt size gt sh weblogparam Example gt set weblogparam bufferSizeMB 32 gt sh weblogparam Web Logging parameters Log buffer size 32MB Parameter for modifying the buffer size Buffer Size Memory in megabytes allocated for buffering the HTTP and HTTPS request log entries before sending them to the NSWL client 95 Chapter 4 Web Server Logging To modify the buffer size by using the configuration utility 1 In the navigation pane expand System and then click Settings 2 In the details pane under Settings click Change global system settings 3 In the Configure Global Settings dialog box under Web Logging enter a value in the Buffer_Size in MBytes text box for example 32 4 Click OK Installing and Configuring the Client System for Web Server Logging 96 During installation the NSWL client executable file nswl is installed along with other files The nswl executable file includes options for performing several actions on th
222. uring SNMP Alarms for Rate Limiting 00 ccc e eee e eee eee een eens 59 Configuring an SNMP Alarm for Throughput or PPS 0 0e e cence eee ees 59 To configure an SNMP alarm for the throughput rate by using the NetScaler command IME ae ede le ee hedges Seda AAA a dated ee Seated fee eee AAEN 60 To modify or remove the threshold values by using the NetScaler command JING ibeet aed lowkaiwedlsaadiawedeatadiadeopiadiaiwannd oenel dent sadds sageiddadiates 60 To modify or remove the threshold values by using the NetScaler command AE ea RQ ce PRO cdl ten th ek tea ae Cale gah OR ae ake LOE acl he a Ch heen ee 61 Parameters for configuring an SNMP alarm for throughput or PPS 61 To configure an SNMP alarm for throughput or PPS by using the configuration UIT 22 cur adediideaee ee hideorda eset lauadiaoes E deeds ERATEN AEE ales 62 Configuring SNMP Alarm for Dropped Packets 2 0eceeeeeeeeeeeeeeees 62 To configure an SNMP alarm for packets dropped because of excessive throughput by using the NetScaler command line eee e eee eee eee 62 vii Contents To configure an SNMP alarm for packets dropped because of excessive PPS by using the NetScaler command line cece eect e eee eee tee eens 62 Parameters for configuring an SNMP alarm for dropped packets 63 To configure an SNMP alarm for dropped packets by using the configuration UCHR Yeo cst E lading cht
223. ust be in the strftime 3 format For format descriptions see Time Format Definition on page 121 T The time taken to serve the request in seconds u The remote user from auth may be bogus if return status s is 401 U The URL path requested V The canonical name of the server serving the request V This is the virtual server IPv4 address in the system if load balancing content switching and or cache redirection is used V6 This is the virtual server IPv6 address in the system if load balancing content switching and or cache redirection is used For example if you define the log format as user agent i and if the user agent value is Citrix NetScaler system Web Client then the information is logged as Citrix NetScaler system Web Client An alternative is to use double quotation marks For example f user agent i logs it as Citrix NetScaler system Web Client Do not use the lt Esc gt key on strings from r iand o This complies with the requirements of the Common Log Format Note that clients can insert control characters into the log Therefore you should take care when working with raw log files 120 Citrix NetScaler Administration Guide Time Format Definition The following table lists the characters that you can enter as the format part of the format t string described in the Custom Log Format table of Arguments for Defining a Custom
224. utable is present On Windows ns bin On Solaris and Linux usr local netscaler bin The audit server configuration files are present in the following directories On Windows ns etc On Linux usr local netscaler etc The audit server executable is started as auditserver in Linux and FreeBSD Adding the NetScaler Appliance IP Addresses on the NSLOG Server In the configuration file auditlog conf add the IP addresses of the NetScaler appliances whose events must be logged To add the IP addresses of the NetScaler appliance At a command prompt type the following command audserver addns f lt directorypath gt auditlog conf lt directorypath gt Specifies the path to the configuration file auditlog conf 87 Chapter3 Audit Logging You are prompted to enter the information for the following parameters NSIP Specifies the IP address of the NetScaler appliance for example 10 102 29 1 Userid Specifies the user name for example nsroot Password Specifies the password for example nsroot If you add multiple NetScaler IP addresses NSIP and later you do not want to log all of the NetScaler appliance event details you can delete the NSIPs manually by removing the NSIP statement at the end of the auditlog conf file For a high availability HA setup you must add both primary and secondary NetScaler IP addresses to auditlog conf by using the audserver command Before adding the IP address make sur
225. y Based LOgQing 00s ecee cece eee e eee ee nett teen teen eee es 79 Pre ReEqQuISILES wii neater ehidekn cea a a a a A eesle nl a 79 Configuring an Audit Message ACtiOn ccc cee eect e eee eee e eee aeees 79 Binding Audit Message Action to a Policy cece cece e eee tenes 81 Installing and Configuring the NSLOG Server 0 cce cece eect eee e eee ee eens 81 Installing NSLOG Server on the Linux Operating System cee eee 82 To install the NSLOG server package on a Linux operating system 82 To uninstall the NSLOG server package on a Linux operating system 83 Installing NSLOG Server on the FreeBSD Operating System e sees 83 To download NSLOG package from Www Citrix cOM 0 6 cee cece eee eee 83 To install the NSLOG server package on a FreeBSD operating system 84 To uninstall the NSLOG server package on a FreeBSD operating system 84 Installing NSLOG Server Files on the Windows Operating System 84 To download NSLOG package from Www Citrix cOM 0 cee cece eee eee 85 To install NSLOG server on a Windows operating system 0265 85 To uninstall the NSLOG server on a Windows operating system 86 NSLOG Server Command Options 0 0cc cece cece cence eee e tent eeeeeaes 86 Adding the NetScaler Appliance IP Addresses on the NSLOG Server 87 To add the IP addre
226. y the LDAP browser can help you determine the base DN needed for the Authentication tab The Anonymous Bind check determines whether the LDAP server requires user credentials for the browser to connect to it If the LDAP server requires credentials leave the check box cleared After completing the settings the LDAP browser displays the profile name in the left pane and connects to the LDAP server 41 Chapter 1 Authentication and Authorization Configuring RADIUS Authentication 42 You can configure the NetScaler appliance to authenticate user access with one or more RADIUS servers If you are using RSA SecurlD SafeWord or Gemalto Protiva products use a RADIUS server Your configuration might require using a network access server IP address NAS IP or a network access server identifier NAS ID When configuring your NetScaler to use a RADIUS authentication server use the following guidelines If you enable use of the NAS IP the appliance sends its configured IP address to the RADIUS server rather than the source IP address used in establishing the RADIUS connection If you configure the NAS ID the appliance sends the identifier to the RADIUS server If you do not configure the NAS ID the appliance sends its host name to the RADIUS server When the NAS IP is enabled the appliance ignores any NAS ID that was configured by using the NAS IP to communicate with the RADIUS server To configure RADIUS authenticati
Download Pdf Manuals
Related Search