Channel: NetScaler – JGSpiers.com

NetScaler Enhanced Authentication Feedback


Enhanced Authentication Feedback, introduced in v10.1, is a NetScaler option (disabled by default) that gives the end user more information about why an authentication attempt failed. By default, when a user authenticates to NetScaler Gateway, for example, and fails, the Incorrect user name or password message is the only reason NetScaler will give.

The real reason could be entirely different: a disabled account, an expired password and restricted logon hours are just some of the reasons a failure can occur. This is why the Enhanced Authentication Feedback option could prove useful to you and the end user. It may reduce support calls and make it easier for the support team to resolve authentication failures, because they get a more granular reason for the failure.

On the other hand, enabling this option introduces a security risk: once enabled, it becomes easier for an attacker to tell, for example, whether a user account exists (user enumeration). It is important to highlight this.

To enable it, via the CLI run the command set aaa parameter -enableEnhancedAuthFeedback ENABLED, or via the GUI navigate to NetScaler Gateway -> Global Settings -> Change authentication AAA settings -> Enable Enhanced Authentication Feedback.


Error codes and a list of supported reasons are given below:

  • 4001 – Invalid credentials. Catch-all error from previous versions. (Incorrect credentials. Try again.)
  • 4002 – Login not permitted. Catch-all error from previous version. (You do not have permission to log on at this time.)
  • 4003 – Server timeout. (Cannot connect to server. Try connecting again in a few minutes.)
  • 4004 – System error. (Cannot connect. Try connecting again.)
  • 4005 – Socket error talking to authentication server. (Cannot connect. Try connecting again.)
  • 4006 – Bad (format) user passed to nsaaad. (Incorrect user name.)
  • 4007 – Bad (format) password passed to nsaaad. (Incorrect password.)
  • 4008 – Password mismatch (when entering new password). (Passwords do not match.)
  • 4009 – User not found. (User not found.)
  • 4010 – Restricted login hours. (You do not have permission to log on at this time.)
  • 4011 – Account disabled. (Your account is disabled.)
  • 4012 – Password expired. (Your password has expired.)
  • 4013 – No dial-in permission (RADIUS specific). (You do not have permission to log on.)
  • 4014 – Error changing password. (Could not change your password.)
  • 4015 – Account locked. (Your account is temporarily locked.)
  • 4016 – User password complexity requirement not met when changing password. (Could not update your password. The password must meet the length, complexity, and history requirements of the domain.)

User not found.


Account disabled.

How can I change the response codes returned by NetScaler?

Remember the point highlighted above: with Enhanced Authentication Feedback enabled, NetScaler will out of the box return a User not found response if you enter a user name that LDAP cannot find in Active Directory. This is a security concern, because it confirms which accounts exist. The responses can, however, be changed.

Note: Citrix do not support or assist with this configuration. Perform this modification at your own risk. If you do proceed, make sure to always take a backup before changing a live environment.

Open up WinSCP or similar, browse to and edit the following file:

  • NSv11+ – /var/netscaler/logon/themes/default/resources/en.xml
  • NSv10.5 – /netscaler/ns_gui/vpn/resources/en.xml


Edit the en.xml file and look for the section shown below.

Change any of the values, then save en.xml.

Now, as an example, my modified User not found text contains some new information!
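If you would rather not hand-edit the strings, the rewrite can be scripted. The following is an added example, not code from the original post or from Citrix: it takes an en.xml-style resource file and replaces the messages for the codes that disclose account state (4009 user not found, 4010 restricted hours, 4011 disabled, 4012 expired, 4015 locked) with the generic 4001 message, so those failures all look the same to an unauthenticated client. The `<String id="errorcode_NNNN">` layout of the sample is an assumption used for illustration; check the element and attribute names in your own en.xml before running this against a backup copy.

```python
"""Rewrite account-state-disclosing Enhanced Authentication Feedback strings.

Added example, not from the page. The XML layout below is a constructed
stand-in for the en.xml resource file; adjust code_from_id() and the element
name if your file uses different ids.
"""
import xml.etree.ElementTree as ET

# User-facing text from the page's error code table (subset).
FEEDBACK_MESSAGES = {
    4001: "Incorrect credentials. Try again.",
    4002: "You do not have permission to log on at this time.",
    4009: "User not found.",
    4010: "You do not have permission to log on at this time.",
    4011: "Your account is disabled.",
    4012: "Your password has expired.",
    4015: "Your account is temporarily locked.",
}

# Codes whose message tells an unauthenticated client something about the
# account itself (existence, lock, disabled state, expiry).
ACCOUNT_STATE_CODES = {4009, 4010, 4011, 4012, 4015}
GENERIC_MESSAGE = FEEDBACK_MESSAGES[4001]

# Constructed sample in an assumed en.xml-like shape: one <String> per error code.
SAMPLE_EN_XML = """<Resources>
  <String id="errorcode_4001">Incorrect credentials. Try again.</String>
  <String id="errorcode_4009">User not found.</String>
  <String id="errorcode_4011">Your account is disabled.</String>
  <String id="errorcode_4012">Your password has expired.</String>
</Resources>
"""


def code_from_id(string_id):
    """Extract the numeric error code from an id like 'errorcode_4009' (assumed naming)."""
    prefix = "errorcode_"
    if not string_id.startswith(prefix):
        return None
    try:
        return int(string_id[len(prefix):])
    except ValueError:
        return None


def harden_feedback_xml(xml_text, keep_codes=frozenset()):
    """Return (new_xml_text, sorted list of codes rewritten).

    Every account-state code not listed in keep_codes gets the generic 4001
    message. keep_codes lets you deliberately retain one message (for example
    4012, expired password) if the helpdesk benefit outweighs the disclosure.
    """
    root = ET.fromstring(xml_text)
    changed = []
    for elem in root.iter("String"):
        code = code_from_id(elem.get("id", ""))
        if code in ACCOUNT_STATE_CODES and code not in keep_codes:
            if elem.text != GENERIC_MESSAGE:
                elem.text = GENERIC_MESSAGE
                changed.append(code)
    return ET.tostring(root, encoding="unicode"), sorted(changed)


def message_for(xml_text, code):
    """Look up the message currently configured for an error code."""
    root = ET.fromstring(xml_text)
    for elem in root.iter("String"):
        if code_from_id(elem.get("id", "")) == code:
            return elem.text
    return None


if __name__ == "__main__":
    hardened, changed = harden_feedback_xml(SAMPLE_EN_XML)
    print("rewrote codes:", changed)
    print(hardened)
```

Run it against a copy of en.xml, diff the result against the original, and only then copy it into place; the page's own note about backing up before touching a live appliance applies here as much as to manual edits.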

 


NetScaler 401 Unauthorized Access


Error: 401 – Unauthorized: Access is denied due to invalid credentials. This error appeared after authenticating to NetScaler Gateway, just as users were being passed through to Citrix Web Interface v5.4.


Looking at the Web Interface server's event logs, the message below appeared. It indicated a name-resolution problem between Citrix Web Interface and the NetScaler Gateway vServer; as a result the Web Interface server could not contact the NetScaler Authentication Service.

It turned out to be a DNS resolution error: the Citrix Web Interface servers could not resolve the NetScaler authentication service (callback URL). The fix was simply to adjust the relevant DNS settings.

NetScaler Compression


NetScaler can perform compression on data to reduce the size of the data in transit without any loss to that data. Compression advantages include reduced bandwidth, reduced stress on backend web servers and the quicker serving of content to users.

Compression can be enabled for HTTP and SSL services only.

Data that is compressible:

  • HTML, XML, CSS.
  • Microsoft Word, Excel, PowerPoint.
  • Plain or rich text documents.

Quantum size: The minimum size an object must be to be compressed (default 56 KB). This setting exists to prevent the NetScaler wasting resources compressing content that is already very small to begin with.

Change Quantum size: Navigate to Optimization -> HTTP Compression -> Change compression settings -> Quantum size.

Note: Other settings, such as the compression level, can be configured by navigating to Optimization -> HTTP Compression -> Change compression settings -> Compression Level:

  • Optimal – Corresponds to a GZIP level of 5-7 (default option).
  • Best Speed – Corresponds to a GZIP level of 1.
  • Best Compression – Corresponds to a GZIP level of 9.

Compression can be enabled at a global level or against individual services.

Enable compression globally: Navigate to System -> Settings -> Configure Basic Features -> HTTP Compression.


Enable compression per service: Navigate to Traffic Management -> Virtual Servers and Services -> Services -> edit existing service -> tick Compression under Settings.


Note: If you configured services before enabling compression globally, you must enable compression individually on each of those services. Services created afterwards will have compression enabled by default.

Compression Policies contain actions that dictate whether compression applies and, if so, which compression algorithm is used. Policies can be applied globally or to a vServer.

Compression Actions:

  • COMPRESS – Compresses data using GZIP or DEFLATE algorithm (depending on which algorithm the web browser supports).
  • NOCOMPRESS – Does not compress data.
  • GZIP – Uses the GZIP algorithm to compress data on browsers that support this algorithm.
  • DEFLATE – Uses the DEFLATE algorithm to compress data on browsers that support this algorithm.

To configure a policy, navigate to Optimization -> HTTP Compression -> Policies -> Add.


A number of built-in policies already exist which can be viewed by clicking on the Show built-in Compression Policies link. These policies are activated globally when you enable compression.


Now create a policy with the Response Action set to COMPRESS and an expression specifying that the User-Agent header contains Mozilla/5.0, as shown below.
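To make the decision logic behind the actions, the quantum size and the user-agent expression concrete, here is an added example (not NetScaler code and not from the original post) that models them: the policy expression matches on the User-Agent header, COMPRESS picks gzip or deflate from what the client's Accept-Encoding header allows, GZIP and DEFLATE only compress when the client supports that specific algorithm, NOCOMPRESS never compresses, and anything smaller than the quantum size is passed through untouched. The 56 KB quantum is the page's stated default; the sample headers and body are constructed.

```python
"""Model of the NetScaler compression decisions described above.

Added example, not NetScaler code. It mirrors the behaviour the text
describes; real appliances also consult built-in policies and other settings.
"""
import gzip
import zlib

QUANTUM_BYTES = 56 * 1024  # page's stated default quantum size


def client_encodings(headers):
    """Parse Accept-Encoding into a set of lower-case tokens (q-values ignored)."""
    raw = headers.get("Accept-Encoding", "")
    return {part.split(";")[0].strip().lower() for part in raw.split(",") if part.strip()}


def policy_matches(headers):
    """Equivalent of HTTP.REQ.HEADER("User-Agent").CONTAINS("Mozilla/5.0")."""
    return "Mozilla/5.0" in headers.get("User-Agent", "")


def choose_encoding(action, headers):
    """Return 'gzip', 'deflate' or None according to the action and client support."""
    accepted = client_encodings(headers)
    if action == "NOCOMPRESS":
        return None
    if action == "GZIP":
        return "gzip" if "gzip" in accepted else None
    if action == "DEFLATE":
        return "deflate" if "deflate" in accepted else None
    if action == "COMPRESS":
        # Prefer gzip, fall back to deflate, otherwise send the body as-is.
        for enc in ("gzip", "deflate"):
            if enc in accepted:
                return enc
        return None
    raise ValueError(f"unknown compression action: {action}")


def apply_policy(action, headers, body, quantum=QUANTUM_BYTES):
    """Return (encoding_used, body_bytes).

    Compression happens only when the policy expression matches, the body is
    at least the quantum size, and the client accepts the chosen algorithm.
    """
    if not policy_matches(headers) or len(body) < quantum:
        return None, body
    enc = choose_encoding(action, headers)
    if enc == "gzip":
        return "gzip", gzip.compress(body)
    if enc == "deflate":
        return "deflate", zlib.compress(body)
    return None, body


def decompress(encoding, data):
    """Undo apply_policy() so a caller can verify the round trip."""
    if encoding == "gzip":
        return gzip.decompress(data)
    if encoding == "deflate":
        return zlib.decompress(data)
    return data


if __name__ == "__main__":
    # Constructed request headers and a body larger than the quantum.
    firefox = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/60.0",
               "Accept-Encoding": "gzip, deflate, br"}
    page = b"<html>" + b"<p>hello</p>" * 6000 + b"</html>"
    enc, out = apply_policy("COMPRESS", firefox, page)
    print(enc, len(page), "->", len(out))
```

When you verify a policy from a client, send the same two headers the model keys on (User-Agent and Accept-Encoding) and look for Content-Encoding in the response; a request without Accept-Encoding should come back uncompressed regardless of the action.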


To find out which user agent your browser sends, there are websites such as https://msdn.microsoft.com/en-gb/library/ms537503(v=vs.85).aspx.


Next bind the policy to a vServer by navigating to Traffic Management -> Virtual Servers. Click the desired vServer and select Edit.


Under Policies click Add.


Under Choose Policy select Compression and under Choose Type select Request. Click Continue.


Under Select Policy click Click to select.


Choose the policy we just created and click Select.


Click Bind.


Click Done.


Save the running configuration.


Now using your web browser visit the web page that is served through the Load Balanced vServer. This vServer will be the one we enabled the compression policy against.


Now, on the Dashboard pane of your NetScaler, select Compression Policy from the dropdown. We can see that the ns_adv_cmp_mozilla_50 policy has received hits.

Next switch to Compression. You can see some compression statistics.

Then, back over in Optimization -> HTTP Compression -> Policies, the created policy also shows compression statistics.

Citrix Command Center – Could not find a valid Java virtual machine to load


When you attempt to uninstall or change the installation of Citrix Command Center you might get the below message:

“Could not find a valid Java virtual machine to load. You may need to reinstall a supported Java virtual machine.”


To fix this, add the Java JRE bin folder location to the Path system environment variable.

Within the Citrix Command Center server, launch computer properties and click the Advanced tab -> Environment Variables…


Highlight the Path system variable and click Edit.

Append the Java JRE bin folder location to the end of the value field as shown below and click OK.

The JRE bin folder location may vary depending on where you installed Command Center. The default location on this server is C:\Program Files (x86)\Citrix\Citrix Command Center\jre\bin\.

Now you can launch the uninstall wizard etc.

Citrix Command Center service fails to start


Windows could not start the Citrix Command Center service on Local Computer. Error 1067: The process terminated unexpectedly.

Error occurred during initialization of VM. NoClassDefFoundError. These are some of the messages that were shown, seemingly at random, when I noticed Command Center was offline and tried to start the service.


The logs showed some Java errors.

I then compared the Java JRE lib directory with a backup directory and noticed that there were five more items in the backup directory than in live, all of them .jar files.

The _jrebkup/lib directory contained more files than the live folder.


The next step was to copy the missing files across to the live lib directory.

After the copy had completed, the Citrix Command Center service started.

NetScaler Integrated Caching


Citrix NetScaler comes with a caching feature named Integrated Caching, which caches frequently accessed data to take stress off backend servers and deliver content to users faster by eliminating trips to the backend.

The cached data is stored in RAM on the NetScaler appliance or SSD on MPX appliances. Integrated Caching is shipped with NetScaler Platinum or as an add-on license if using NetScaler Enterprise licenses.

To enable Integrated Caching, navigate to System -> Settings -> Configure Basic Features -> Integrated Caching, or via the CLI run the command enable ns feature ic.


Next you need to allocate an amount of memory to store caching objects. You can allocate up to half of the NetScaler’s memory to cache however Citrix recommend allocating less than half. To configure memory allocation, navigate to Optimization -> Integrated Caching -> Change cache settings -> Memory Usage Limit (MB).


The caching policies themselves are made up of three settings:

  1. Actions – Cache, do not cache etc.
  2. Store in group – Store content in which content group.
  3. Expression – The rule which needs to be matched before the policy is actioned.

Note: A Content Group contains settings such as when the cached content is set to expire and to not cache objects of a certain size.

To create a Content Group navigate to Optimization -> Integrated Caching -> Content Groups -> Add.


To create a cache policy navigate to Optimization -> Integrated Caching -> Policies -> Add.


Notice I used an expression of HTTP.REQ.HOSTNAME.CONTAINS("storefront.citrixpro.co.uk"), which will cache all objects where the URL hostname contains storefront.citrixpro.co.uk.

To bind the policy to a vServer, navigate to Traffic Management -> Load Balancing -> Virtual Servers.


Edit an existing Virtual Server and under Policies click Add.


Under Choose Policy select Cache and under Choose Type select Request. Click Continue.


Click Click to select under Select Policy.


Choose the recently created policy and click Select.


Now click Bind.


Click Done.


You can also bind cache policies to LB vServers by navigating to Optimization -> Integrated Caching -> Cache Policy Manager.


Now when users hit the LB vServer all cacheable content will be cached. We can navigate to Dashboard -> Integrated Cache and Cache Policies to view statistics and see the new cache policy being hit.


You can also browse to Optimization -> Integrated Caching -> View Cache Objects.


Click Continue.


Here you can get details on specific cached objects, expire or flush objects.


Clicking the Details button shows information such as the Content Group that stores the cached object.


When creating a Content Group consider the following settings:

  • Do not cache – if size is less than – This prevents objects that are too small in size from being cached.
  • Do not cache – if size exceeds – This prevents NetScaler caching objects that are too large and unwanted within the cache memory.
  • Do not cache – if hits are less than – Do not cache objects if the number of request hits (user hits) against them is less than the number specified. This prevents using cache space for objects that are not accessed often.
  • Maximum memory usage limit – Sets a limit on the amount of NetScaler appliance memory that the content group can use.
  • Prefetch – NetScaler will attempt to refresh cached objects that are about to go stale.
  • Flash Cache – When multiple users request the same content, NetScaler will send one request to the backend server and that single response is used for all users.
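The interaction between the cache policy expression and the content group's admission settings is easier to see in code. The following is an added example (not NetScaler code and not from the original post) that models it: the policy's HTTP.REQ.HOSTNAME.CONTAINS(...) expression decides whether a request is even considered, and the content group's size, minimum-hits and memory-limit settings decide whether the response is stored. The group name, limits, hostnames and bodies are constructed for illustration.

```python
"""Admission model for an Integrated Caching policy plus content group.

Added example, not NetScaler code. It mirrors the rules the text describes
(expression match, then the content group's do-not-cache and memory limits);
real appliances also honour HTTP cache-control semantics and expiry settings.
"""
from dataclasses import dataclass, field


@dataclass
class ContentGroup:
    name: str
    min_size: int = 0            # "Do not cache - if size is less than" (bytes)
    max_size: int = 1 << 20      # "Do not cache - if size exceeds" (bytes)
    min_hits: int = 0            # "Do not cache - if hits are less than"
    memory_limit: int = 8 << 20  # "Maximum memory usage limit" (bytes)
    used: int = 0
    store: dict = field(default_factory=dict)
    hits: dict = field(default_factory=dict)

    def admit(self, key, size):
        """Apply the group's do-not-cache rules; return the refusal reason or None."""
        self.hits[key] = self.hits.get(key, 0) + 1
        if size < self.min_size:
            return "too small"
        if size > self.max_size:
            return "too large"
        if self.hits[key] < self.min_hits:
            return "not enough hits"
        if self.used + size > self.memory_limit:
            return "memory limit"
        return None

    def put(self, key, size, body):
        """Store the object if admitted; return the refusal reason or None."""
        reason = self.admit(key, size)
        if reason is None and key not in self.store:
            self.store[key] = body
            self.used += size
        return reason


def hostname_contains(request, needle):
    """HTTP.REQ.HOSTNAME.CONTAINS(needle): substring match on the Host header, port excluded."""
    host = request.get("Host", "").split(":")[0]
    return needle in host


def handle(request, response_body, group, needle="storefront.citrixpro.co.uk"):
    """Return 'HIT', 'MISS' or 'BYPASS' for one request/response pair."""
    if not hostname_contains(request, needle):
        return "BYPASS"                      # policy expression did not match
    key = request["Host"].split(":")[0] + request.get("Path", "/")
    if key in group.store:
        return "HIT"                         # served from cache memory
    group.put(key, len(response_body), response_body)
    return "MISS"                            # fetched from backend, maybe stored


if __name__ == "__main__":
    # Constructed content group and requests.
    group = ContentGroup("StoreFront", min_size=10, max_size=500_000, min_hits=2)
    req = {"Host": "storefront.citrixpro.co.uk", "Path": "/Citrix/StoreWeb/"}
    body = b"<html>" * 50
    for _ in range(3):
        print(handle(req, body, group))      # MISS, MISS, HIT with min_hits=2
    print(handle({"Host": "intranet.example.internal", "Path": "/"}, body, group))
```

Note how a minimum hit count delays admission rather than preventing it: the object is counted on each miss and is stored only once it has been requested often enough, which is exactly why a freshly bound policy shows hits before the cache shows stored objects.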

You can flush and expire cached objects on a per-content-group basis on demand by navigating to Optimization -> Integrated Caching -> Content Groups.


Select a Content Group and select Action -> Invalidate.


Now select Flush or Expire and click OK.


 

 

 

Controlling application and desktop access


There are multiple ways available to hide or show applications and desktops from users based on their username, group membership, connection method, etc.

Below is a list of some of the common methods you can use to control resource access.

Users and Groups

To assign a resource based on the user or group membership, edit your Delivery Group and under the Users section add a user group or username(s).


Connection Type

Again when editing a Delivery Group under the Access Policy section you can allow connections that do not come through NetScaler Gateway, do come through NetScaler Gateway or both.


Limit Visibility

To limit the visibility of an application to some users, locate the desired application and right-click, Properties.


Click Limit Visibility -> Limit Visibility for this application to the users listed below.


Per store via description

You can hide or show applications and desktops completely from stores based on the description of the resource. This cannot be done from the GUI so instead use PowerShell.

Log on to your primary StoreFront server and browse to C:\Program Files\Citrix\Receiver StoreFront\Scripts and copy the ImportModules.ps1 file.


Now browse to C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ and create a new folder called ImportModules. Now copy the ImportModules.ps1 file to this folder.


Launch PowerShell as an administrator.


Run command Import-Module ImportModules.ps1.


Now in my scenario I have two stores, XenApp and CitrixPro.


Before continuing we need to find out the IIS Site ID for the web site hosting our Citrix store virtual directories. The Site ID in most cases will be 1. Launch IIS and then highlight the site which stores the Citrix virtual directories (in most cases Default Web Site).


Right-click the site, Manage Website -> Advanced Settings…


Next take note of the ID number and then close IIS.


I want to show only desktop resources in store CitrixPro and applications in store XenApp. The filtering of resource is done based on the description an application or desktop has been given. To make things easy, I am assigning a description of App to my applications only, and not giving any description to the desktops, however I could do if I wanted to get more granular with extra stores.

Using Citrix Studio, open the properties of an application and under Identification enter KEYWORDS: App then click OK.


Return to PowerShell and run the command Set-DSResourceFilterKeyword -SiteID 1 -VirtualPath "/Citrix/CitrixPro" -ExcludeKeywords @("App")


Now run the command Set-DSResourceFilterKeyword -SiteID 1 -VirtualPath "/Citrix/XenApp" -ExcludeKeywords @("App")


Browse to the CitrixPro Receiver for Web site and only the desktop resource appears.


Over on the XenApp Receiver for Web site, only the applications appear.

Per application or desktop

You can set Citrix stores to only show applications or desktops.

Launch PowerShell on your StoreFront server and import the required modules using the same method found above.

Run the command Set-DSResourceFilterType -SiteID 1 -VirtualPath "/Citrix/XenApp" -IncludeTypes @("Applications")

Next run the command Set-DSResourceFilterType -SiteID 1 -VirtualPath "/Citrix/CitrixPro" -IncludeTypes @("Desktops")


Now depending on which store you visit, you will either see Desktops or Applications.


Based on NetScaler Gateway connection

You can limit Delivery Groups to certain NetScaler Gateway addresses. To do this firstly edit the Delivery Group and browse to the Access Policy section.

Click Add.

Specify the URL for your NetScaler Gateway and click OK.


Uncheck All connections not through NetScaler Gateway if you wish. Click OK.


Now when using a different NetScaler Gateway URL the resources will not appear.


 

NetScaler NTP Synchronization


Here is a brief insight on how to configure and troubleshoot NTP synchronization on NetScaler.

To add an NTP server to NetScaler navigate to System -> NTP Servers -> Add.

Open PuTTY and type shell, then date – this confirms the current date and time on the NetScaler device.

Type ntpdate -q ntpservername/ip – this queries the specified NTP server. If NTP communication (UDP 123) is blocked by a firewall you will get a message such as "No server suitable for synchronization found".


If you find that your NetScaler is out of sync with one of your configured NTP servers (because of a large time offset), run the following commands:

ps axfu | grep ntp (you won't get any results if you have no servers configured under NTP in NetScaler)

kill 7943 (this is the process ID found above)

ntpdate ntpservername/ip

/usr/sbin/ntpd -c /nsconfig/ntp.conf -l /var/log/ntpd.log

ps axfu | grep ntp (this confirms NTP is back up and running)

Typing date confirms the date and time is now in sync with the NTP server.

You can refer to the ntpd.log file found under /var/log to view logged NTP information.



Customizing themes Citrix NetScaler 11


New in NetScaler v11 is the ability to easily customise a theme from within the NetScaler GUI. I will show you how simple the customisation process can be for you to bring in a more targeted theme for your business.

We are all aware of the default Green Bubbles theme and X1 theme new in NS11.


Let's have a look at first customising the X1 theme to our liking. Navigate to NetScaler Gateway -> Portal Themes -> Add.

Enter a name for your new theme and under Template Theme select X1. Click OK.

The following page shows some of the attributes we can modify, but we aren't interested in these for now as they only relate to Clientless Access.

If you click on the Help Legend link you are presented with a graphical page showing what each section is named. This is to aid you when choosing what you want to edit.

The Common Attributes section is where we want to focus our time. The settings below are all configurable and relate to the NetScaler Gateway logon page.

Clicking Help Legend again gives insight into each component.

So first I want to specify a Header Logo. This file is a .JPG from my local machine and will be uploaded to NetScaler. Click OK.

Now click OK if your language is English.

To the right of our screen we have a number of different sections of NetScaler Gateway that we can modify, such as the EPA Page, Login Page and Home Page.

If we click to select the Login Page there are additional parts we can edit, such as the Page Title and Form Title.

I've gone and edited the Page Title and Password Field2 Title. The Password Field2 Title will be named Token Key as this is my 2-factor RADIUS token system. Click OK.

Now click Click to bind and view configured theme.

Select a NetScaler Gateway (pre-production) and click Preview. The theme is bound to the NetScaler Gateway and a new browser popup appears showing the newly edited theme.

The new theme appears with the small adjustments I have made. Good start, now we can continue.

Go back to Portal Themes and edit the CustomTheme.

Let's change the Form Background Color to white, which can easily be done from the canvas.

Change the Background Image.

Select the desired background image.

Now let's change the opacity of the Form Background Color. This is performed using the slider to your right above rgba(255, 255, 255, 0.9). The 0.9 value is the opacity value. Opacity relates to how transparent we want the color to be. The value ranges from 0.0 to 1.0.

We can also change the Form Font Color: as the Form Background Color is white, we need something a little darker to display.

The same goes for the Button Color, Hover Color and Form Title Font Color. I've changed these to black.

Now our NetScaler Gateway logon page looks a little bit better. Not the perfect picture, but better.

Let's have a look at customising the GreenBubble theme. Navigate to NetScaler Gateway -> Themes -> Add -> specify a name and choose GreenBubble as the theme -> OK.

Now, notice the Common Attributes are a little different from what we had when customising the X1 theme. New configurable items appear, such as Button Hover Image and Button Image.

Clicking Help Legend shows the Green Bubbles theme and each labelled section.

I've chosen the same customisations I used on the X1 theme. Make your desired customisations and click OK.

Bind the theme to a NetScaler Gateway vServer (pre-production) and click Preview.

The theme displays, a little different from X1 in layout and look. Notice the Log On button is different.

I've only gone and stolen the X1 logon button and uploaded it to my customised NetScaler Green Bubbles theme.

Now the Log On button looks a bit different; a little bit of improvement needed, but you get the idea.

And that is that. Please note your custom theme files are stored on NetScaler /var/netscaler/logon/themes/.  You will find the custom CSS files, and any uploaded images used for background etc.

Good luck!

 

 

SmartControl and SmartAccess


Both SmartAccess and SmartControl are similar in practice: one is implemented at the Delivery Controller level with Citrix policies (SmartAccess), the other at the NetScaler Gateway level (SmartControl). SmartControl was introduced in NetScaler v11.

SmartAccess and SmartControl can be used to block or allow certain components such as printer access, audio redirection, client device drive redirection and so on. SmartAccess policies can be applied based on the connecting user’s IP address, Delivery Group, Client Name, Delivery Group Type and many more conditions that can be found within Citrix Studio policies.

SmartAccess policies can be applied to internal connections through the use of Citrix policies that are enforced by DDCs when connecting to a resource. You can also use the “Access Control” object when assigning SmartAccess policies. Using this object allows you to enforce the policy to all connections coming through the NetScaler Gateway or certain vServers/Session Policies.

On the other hand, SmartControl is implemented directly on the NetScaler so that restrictions are enforced at the network layer, before the user even connects to a backend resource. SmartControl is implemented using ICA policies attached to a NetScaler Gateway vServer, or bound globally.

Take for example a user who has access to redirected printers when connecting to XenApp/XenDesktop resources within the corporate LAN, but for whom printer redirection is blocked once they connect remotely through NetScaler Gateway. This can be achieved with either SmartAccess or SmartControl. A Citrix SmartAccess policy may be defined locally on the DDCs that allows printer redirection from the local client device to the VDA, while NetScaler may have SmartControl implemented via an ICA Policy which restricts client printer redirection for anyone coming through the NetScaler.

Another example is client drive redirection is allowed when users route through NetScaler Gateway only if the machine has an approved anti-virus installed. EPA scans run before authentication takes place using pre-authentication policies which confirm if the machine has an appropriate anti-virus. If the machine does not, an ICA policy will be applied to the session which blocks client drive redirection.

What can be blocked with SmartControl on the NetScaler?

Connect Client LPT Ports – Not normally used these days however blocks LPT port redirection used for printers.

Client Audio Redirection – Redirect audio from VDA to client device.

Local Remote Data Sharing – Allows or disallows data sharing using Receiver HTML5.

Client Clipboard Redirection – Redirects client clipboard contents to VDA.

Client COM Port Redirection – Redirect COM (serial) ports from client to VDA.

Client Drive Redirection – Redirect client drives from client to VDA.

Client Printer Redirection – Redirects client printers from client to VDA.

Multistream – Allow or disable multistream.

Client USB Drive Redirection – Redirect USB drives from client to desktop VDA only.


Configure ICA policy for SmartControl

Firstly take a look at my local client machine. I have a printer installed named HP OfficeJet Pro which by default does redirect to my Citrix session as shown by the from DESKTOP001.


Here's the Citrix default policy allowing client printer redirection.

To use SmartControl we have to disable ICA Only on the vServer (NetScaler Gateway) we are using. In other words, the NetScaler Gateway vServer needs to be in SmartAccess mode, which allows us to make use of ICA policies. Universal licenses are used here. You cannot bind an ICA Policy to a NetScaler Gateway vServer until it is operating in SmartAccess mode.

Whilst the NetScaler Gateway vServer is in SmartAccess mode, the Session Policy I am using is configured for ICA proxy only, no client choices.

The Session Profile also has a simple ns_true expression to match all incoming connections.

To create an ICA Policy, Action and Profile, navigate to NetScaler Gateway -> Policies -> ICA -> Add.

Specify a name for your policy, then click on the + sign beneath Action.

Specify a name for the action and then click the + sign beneath ICA Access Profile.

Configure the ICA Access Profile to block printer redirection by specifying Disabled. Click Create.

Click Create.

Click on Expression Editor.

Here I am using an expression so that this ICA Policy applies if the connecting client IP matches 192.168.0.45. Click Done.

Click Create.

The policy is ready to be applied to a resource.

Next navigate to NetScaler Gateway -> Virtual Servers and edit the NS Gateway vServer.

Click on the + symbol beside Policies.

Choose ICA under Choose Policy.

Click Continue.

Click +.

Select the BlockPrinters_Policy and click Select.

Click Bind.

Click Done.

Now when a user logs in from that IP address, printer redirection is blocked: even though the default Citrix policy allows redirection, SmartControl is enforcing the restriction.

And back on the NetScaler you can see the ICA Policy has taken a hit.

Next unbind the ICA Policy.

Click Unbind.

Click Yes.

Click Done.

To use the Access Control object for policy assignment within Citrix Studio you need to run the command Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true.

Once done, within Citrix Studio navigate to Policies and click Create Policy.

Specify printer redirection as Prohibited and click OK.

Click Assign next to Access Control.

Here we can specify the NetScaler Gateway vServer and Session Policy that we want these policy settings to apply to. If you have multiple NS Gateways and Session Policies, this is a way to achieve granularity. If you want this policy to apply to all NetScaler Gateway connections, specify * under both NetScaler Gateway farm name and Access Condition. If not, use the names given within NetScaler for your NetScaler Gateway and Session Policy.

 

Click Next.

Click Finish.

At this stage when a user logs on from the NetScaler Gateway printer redirection will be prohibited as a result of SmartAccess and the Access control object.

The next example uses preauthentication policies to determine if a client has an appropriate anti-virus installed. If so, printer redirection is allowed. If not, printer redirection is disabled.

Navigate to NetScaler Gateway -> Policies -> Preauthentication -> Preauthentication Profiles -> Add.

Specify a name such as Antivirus_No, with action ALLOW and the Default EPA Group as NotTrusted. This profile will be used for non-trusted computers. Click Create.

Create another profile, this time for trusted devices, with a group name such as Trusted. Click Create.

Below are the two created profiles.

Click on the Preauthentication Policies tab -> Add.

Specify a name for computers holding anti-virus, select the Antivirus_Yes action and create an expression that matches the anti-virus you want to be present on the machine. Click Create.

Create another policy, only this time for non-compliant computers. I am using an ns_true expression so all computers that do not have the desired anti-virus installed will match this policy. Click Create.

And now we have two policies ready to go: one for compliant computers and another for non-compliant Windows computers.

Navigate back to NetScaler Gateway -> Policies -> ICA -> Access Profiles -> Add.

The first profile we are creating is for compliant PCs. I am allowing client printer, drive and USB drive redirection by specifying a value of Default. Click Create.

The second profile is for non-compliant computers, which will receive no redirection. Click Create.

Two new profiles ready to go.

Click on ICA Action -> Add.

Specify a name for compliant computers and choose the compliant ICA Access Profile. Click Create.

Do the same for the non-compliant machines and choose the non-compliant ICA Access Profile. Click Create.

Now two ICA Actions are ready.

Click on the ICA Policies tab and click Add.

Speficy a name for the compliant policy. Choose the compliant Action and within the expression type HTTP.REQ.USER.IS_MEMBER_OF(“Trusted”). If you remember, the Trusted group name was specified within the Preauthentication profile we created earlier for compliant users. This means when a machine connects with anti-virus installed, it is processed by the compliant pre-authentication policy, the user is assigned to the Trusted EPA Group which in turn uses the compliant ICA Policy which looks for members of the Trusted group. Understand? Click Create.53-min

Create a policy for non-compliant machines, choosing the non-compliant Action and an expression which triggers the ICA Policy when members are a member of group NotTrusted. Click Create.54-min

The two ICA Policies are ready to be assigned to our NS Gateway vServer.55-min

Edit the NetScaler Gateway vServer, click to add a policy, choose ICA as the policy type and click Continue.56-min

Click the + symbol beneath Select Policy.57-minSelect the compliant ICA Policy and click Select. 58-min

Click Bind.59-min

Do the same for the non-compliant ICA Policy and then click Close.60-min

Click to add another policy and specify Preauthentication as the policy type. Click Continue.61-min

Click the + symbol beneath Select Policy.62-min

Choose the compliant pre-authentication policy first. We want this policy to have a lower priority so that it is always processed first on compliant and non-compliant machines. Click Select.63-min

Click Bind.64-min

Do the same for the non-compliant preauthentication policy. Notice I have altered the priorities slightly however the compliant policy has a lower priority meaning it will be processed first. Non-compliant machines will fail this policy then move on to the non-compliant policy where it will succeed. Click Close.65-min

Click Save.66-min

Using a non-compliant machines, I logged on, and the non-compliant ICA Policy was processed as you can see by looking at the hit counter.67-min

No printer redirection has taken place.68-min

Logging on with a compliant machine that has corporate approved anti-virus installed results in the compliant ICA Policy being applied.69-min

And sure enough the printer has been redirected.70-min

 

 

 

Adding StoreFront applications and desktops to Clientless Access on NetScaler Unified Gateway


Did you know it is possible to access XenApp/XenDesktop applications and desktops straight from the Clientless Access portal when using NetScaler? This eliminates the need for users to click and open "Virtual App and Desktop Access" (part of Client Choices), since the resources are instead integrated right into the Clientless Access section.

You need at least StoreFront 3.0 to do this, and NetScaler v11 Unified Gateway will be used to perform this integration.

Firstly, log on to your StoreFront server and open the web.config file, located by default in C:\inetpub\wwwroot\YourStoreName\YourStoreNameWeb.

Look for the following text (located towards the bottom of web.config):

"X-Frame-Options" value="deny"

"Content-Security-Policy" value="frame-ancestors 'none'"

As you can see there are three instances of the same value.

Change each value to:

"X-Frame-Options" value="allow"

"Content-Security-Policy" value="frame-ancestors 'self'"

At this stage use the Propagate Changes feature within StoreFront to push this change to web.config on any other StoreFront servers within the StoreFront Server Group.

Frame-ancestors is the predecessor to X-Frame-Options, and the value of 'self' is pretty much the same as the value of Allow set by X-Frame-Options. Not all browsers support frame-ancestors, though, such as Internet Explorer. X-Frame-Options has been deprecated in Firefox and Chrome, so frame-ancestors must be set to 'self' if using those browsers. If your users do not use Firefox/Chrome you only need to set the X-Frame-Options value to Allow.
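As an added example (not part of the original post and not StoreFront code), the Python below audits the customHeaders blocks of a constructed web.config fragment, applies the change described above, and checks that frame-ancestors is never widened beyond 'self' or an explicit https origin. The three location paths and the fragment itself are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment modelled on the three customHeaders blocks
# the post describes; it is not copied from a real StoreFront server.
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="Authentication">
    <system.webServer><httpProtocol><customHeaders>
      <add name="X-Frame-Options" value="deny" />
      <add name="Content-Security-Policy" value="frame-ancestors 'none'" />
    </customHeaders></httpProtocol></system.webServer>
  </location>
  <location path="Receiver">
    <system.webServer><httpProtocol><customHeaders>
      <add name="X-Frame-Options" value="deny" />
      <add name="Content-Security-Policy" value="frame-ancestors 'none'" />
    </customHeaders></httpProtocol></system.webServer>
  </location>
  <location path="Resources">
    <system.webServer><httpProtocol><customHeaders>
      <add name="X-Frame-Options" value="deny" />
      <add name="Content-Security-Policy" value="frame-ancestors 'none'" />
    </customHeaders></httpProtocol></system.webServer>
  </location>
</configuration>
"""


def frame_ancestors(csp_value):
    """Return the source list of the frame-ancestors directive ([] if absent)."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return []


def set_frame_ancestors(csp_value, sources):
    """Replace (or add) the frame-ancestors directive, keeping any other directives."""
    kept = [d.strip() for d in csp_value.split(";")
            if d.strip() and not d.strip().lower().startswith("frame-ancestors")]
    kept.append("frame-ancestors " + " ".join(sources))
    return "; ".join(kept)


def audit(xml_text):
    """One (location path, X-Frame-Options, frame-ancestors sources) per customHeaders block."""
    findings = []
    for loc in ET.fromstring(xml_text).iter("location"):
        headers = {a.get("name"): a.get("value") for a in loc.iter("add")}
        if "X-Frame-Options" in headers or "Content-Security-Policy" in headers:
            findings.append((loc.get("path"),
                             headers.get("X-Frame-Options"),
                             frame_ancestors(headers.get("Content-Security-Policy", ""))))
    return findings


def framing_is_restricted(sources):
    """True if only 'none', 'self' or explicit https origins may frame the store.

    A missing directive, a wildcard or an http: origin would let an arbitrary
    page embed Receiver for Web, which is the clickjacking exposure the
    original deny / 'none' values exist to prevent.
    """
    if not sources:
        return False
    return all(s in ("'none'", "'self'") or (s.startswith("https://") and "*" not in s)
               for s in sources)


def allow_gateway_framing(xml_text):
    """Apply the post's change: X-Frame-Options -> allow, frame-ancestors -> 'self'."""
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        if add.get("name") == "X-Frame-Options":
            add.set("value", "allow")
        elif add.get("name") == "Content-Security-Policy":
            add.set("value", set_frame_ancestors(add.get("value", ""), ["'self'"]))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, xfo, fa in audit(SAMPLE_WEB_CONFIG):
        print(f"before {path}: X-Frame-Options={xfo} frame-ancestors={fa}")
    for path, xfo, fa in audit(allow_gateway_framing(SAMPLE_WEB_CONFIG)):
        print(f"after  {path}: X-Frame-Options={xfo} frame-ancestors={fa} "
              f"restricted={framing_is_restricted(fa)}")
```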

Navigate to your NetScaler Gateway Session Profile and change the Web Interface Portal Mode to Normal, then save the configuration. If you have multiple Session Policies, which is normal with NetScaler Unified Gateway, change each one that applies.

Now the next time your users log on to NetScaler Unified Gateway and click Clientless Access -> Applications, you will see the internal StoreFront resources.

Make sure Single Sign-on to Web Applications is enabled within the Session Profile.

If you don't, you will get the below "Cannot complete your request" error when trying to access Receiver for Web from Clientless Access.

Creating Citrix Unified Gateway


NetScaler Unified Gateway can help in the common situation where a user has to remember too many different URLs to access web, SaaS and enterprise applications, file shares and so on. Unified Gateway provides a user with a single URL to access all of these systems, whether they are on-premises or in the cloud. Authentication is simplified too: rather than authenticating to different URLs, you authenticate once and Unified Gateway performs SSO to any backend application.

The Unified Gateway makes use of Content Switching Virtual Servers, giving you the ability to direct different users to different backend resources and to be granular about permissions/authorisation to resources.

Within NetScaler, click on Unified Gateway -> Get Started to start the Unified Gateway wizard. This wizard makes it easier for you to deploy Unified Gateway successfully.

Click Continue.

For your Unified Gateway Virtual Server enter:

  • Name for UG vServer.
  • Unified Gateway IP Address (VIP).
  • Port (likely 443).

Click Continue.

Select an existing certificate for Unified Gateway which matches the URL users will use as the single point of access for all their applications. If you do not have a certificate yet, generate and install one on the NetScaler. Click Continue.

Specify your primary authentication method, which will likely be LDAP, and click Continue. If you need a secondary authentication method such as RADIUS, you have the option to choose one here.

Specify the portal theme you wish to use and click Continue.

At this stage you can add applications and XenApp/XenDesktop to be available from Unified Gateway. If integrating a XenApp/XenDesktop farm with Unified Gateway you can add a connection to StoreFront, Web Interface or Web Interface on NetScaler. I will show adding StoreFront. Click Continue.

Enter details such as the StoreFront URL, IP, Site Path, Protocol etc. and click Continue. You can make use of the Test Connection button, which checks whether the required ports to StoreFront are open and a connection can be made.

Under Configure specify XenApp, XenDesktop or both. I am using XenDesktop, so will show that.

Enter the DDC IP address and the port. If Load Balancing is being used you have the option to specify so. Click Continue.

Click Done.

Click Continue.

Upon logging on to Unified Gateway you have the option for Virtual App and Desktop Access. Click this.

You are now directed to the internal StoreFront page and can launch Desktops or Applications. If you want to integrate StoreFront with the Clientless Access portal see http://www.jgspiers.com/adding-storefront-applications-desktops-to-clientless-access-netscaler-unified-gateway/.

If you click on the Unified Gateway wizard again you will see your existing configuration. From here you can edit specific settings and add more applications. You have the option to add Intranet Applications, Clientless Access applications such as SharePoint and OWA, SaaS applications or Preconfigured applications on the NetScaler. Choose Intranet Application.

Specify a name for the application and the backend URL. Click Continue. My web application is Active Directory Certificate Services web enrolment, which allows certain users and administrators to request internal certificates.

Click Done.

Click Continue.

Click Done.

The application now shows in the Web Apps section.

Certificate Services successfully loads.

What happened when we created the Intranet Application using the wizard is shown below: really, all that happened was that a bookmark was created. You can create bookmarks as normal within NetScaler Gateway -> Resources -> Bookmarks and attach them as Published Applications against the NetScaler Gateway Unified vServer; however, the Unified Gateway wizard provides an easy way to automate some of these steps. Bookmarks can also be applied to AAA Groups and Users in the event you only want certain people seeing certain bookmarks.

If you want to disable different parts of the Clientless Access portal, create a new theme.

Make an adjustment such as disabling the personal file shares section.

Bind the theme to the Unified Gateway Virtual Server.

And now you no longer have access to personal file shares.

NetScaler set CLI prompt


Setting the CLI prompt on NetScaler can be used to provide warning messages to users, such as "Authorised users only", or you could set a message of "Use of this account to perform configurations is prohibited, please log off" if, for example, you did not want anyone using the default nsroot account to make changes via the CLI.

To set a CLI prompt navigate to System -> Users and edit an existing user. Note that CLI prompts can also be set against Groups when you want a group of users to receive the prompt. I'll use the nsroot account in this example.

Click the edit icon.

Enter a custom CLI prompt message and then click Continue. This message can include the current date, time, NetScaler hostname, username etc. using a mixture of variables, such as %d for the current date.

Click Save.

Click Done.

The next time someone authenticates to the CLI using the nsroot account the warning will be displayed. Notice the date is also displayed, which is the result of defining %d within the CLI prompt message.

NetScaler backup and restore


There are multiple ways to perform backups and restores on NetScaler. Usually you perform those backups for disaster recovery in case the NetScaler becomes corrupt, or before performing an upgrade of NetScaler. You can manually back up and restore NetScaler configurations using the GUI or CLI, or you can use Citrix Command Center and NetScaler MAS to perform automatic backups and manual restores.

Backup and restore using GUI and CLI.

Navigate to System -> Backup and Restore -> Backup.

Specify a name for the backup and choose either a Full or Basic backup.

Basic: Backs up configuration files only. These are the files that change most often, so you should consider frequently taking a basic backup of the NetScaler. Folders and files that are backed up include /nsconfig/, /var/, /netscaler/ and ns.conf.

Full: Backs up the same data as a basic backup but captures additional files that are less frequently updated. Folders and files that are backed up include /nsconfig/, /var/, certificates and license files.

For a full list of what is backed up see http://support.citrix.com/article/CTX200418.

Click Backup.

After a few moments the backup file will appear as below.

Clicking on the Action button allows you to download the backup file to local disk or perform a restore using this backup file.

Backups are stored in /var/ns_sys_backup/ on NetScaler.

To perform a backup using the CLI, run command create system backup "backupname" -level Basic/Full

You can specify Full or Basic and write a comment using the -comment switch.

The new backups are now within the backup directory.

The backups also show within the GUI.

Run show system backup using the CLI to get a list of backups on NetScaler.

To restore NetScaler to a previous backup, run command restore system backup "backupname".

Now run reboot -warm; this performs a warm reboot of the NetScaler, at which stage the restore will execute.

You can also restore via the GUI. By default a backup is performed on the NetScaler before a restore. You can skip the backup by checking the Skip Backup box. Click Restore.

Navigate to System -> Reboot.

Check Warm reboot and click OK.

Backup and restore using Citrix Command Center.

Citrix Command Center downloads NetScaler configuration, licence files and SSL certificate files from each discovered NetScaler and stores these files in the CCC database. As a NetScaler device is discovered or a rediscovery takes place, backups of the discovered/rediscovered device are also performed. By default backups are performed every 12 hours and a maximum of 50 backups are stored within the database.

To edit the backup schedule and frequency, navigate to Administration -> Inventory Settings.

As you can see below, the archive interval is every 12 hours and the number of previous backups to retain is 50. You also have a check box to enable archiving once a Save Config trap is received by Citrix Command Center from the NetScaler appliance.

To view backups of a NetScaler appliance, navigate to Citrix Network, click on your NetScaler and click Details.

A new window pops up and at the bottom you will get a list of all the current backups. The date, time and comments columns give additional information, such as that the backup was created at the scheduled time.

Select a backup file and click Download -> OK to save a backup to your local machine.

To perform a manual backup, click Backup Config -> OK.

After a few moments you will see the newly created backup. Notice the comment indicates the user requested this backup, which is correct.

To restore a NetScaler using a backup created with Citrix Command Center, select a backup file of your choice and select Restore Configuration.

Click OK. The restore takes place and you will have to restart NetScaler using the GUI or CLI.

Backup and restore using NetScaler MAS (Management and Analytics System).

NetScaler MAS is the newest platform to automate, manage, orchestrate and monitor appliances such as the NetScaler. It is seen as the replacement for both Citrix Command Center and NetScaler Insight Center. As a result it can perform many of the functions you were familiar with on CCC/NSIC. Navigate to System -> Instances Backup Settings.

For any instance added to NetScaler MAS, a backup is by default taken every 12 hours and a single copy is kept. You have the option to password protect all backups using a password of your choice. You also have the option to modify the backup interval. From what I believe, the maximum number of backup files to retain is 3; however, this is not something I can confirm at this stage.

To view or create a backup of an instance, navigate to Infrastructure -> Instances, select your NetScaler and then click View Backup.

As yet, no automatic backups have been performed. To create one click Back Up.

Specify whether to password protect the file. If you had specified a global password under System -> Instances Backup Settings you would have the option to use that. Click Continue.

The new backup has been successfully created.

To restore, check the backup file and click Restore -> Yes.

Specify the backup password you used when creating the backup and click OK.

You get a nice GUI view of the restore progress, plus the NetScaler is automatically restarted for you.

Note: Do not modify backup file names or modify the contents of the backup, as it will invalidate the backup file and cause restores to fail.

nFactor authentication with NetScaler Gateway


nFactor authentication with NetScaler provides a way to configure flexible multi-factor authentication based on factors such as who is connecting, where users are connecting from, or whether users fail an authentication step. This allows NetScaler to provide authentication for many different use cases and scenarios, giving secure access to backend applications and desktops.

nFactor is supported on NetScaler 11.0 build 62.x and onwards for Traffic Management use cases, but 11.1 saw nFactor support added for NetScaler Gateway. With nFactor you can configure any number of authentication factors for connecting users based on location, corporate devices, non-corporate devices and so on. Take an example where users are connecting from non-corporate devices. For this you may like users to receive three factors of authentication. For corporate devices connecting in, let's apply only two factors. If a device has a corporate certificate, extract the username from the certificate and only ask for the password. If the user device does not have a corporate certificate, ask for username, password and a token code.

Another example scenario could be around users from different domains connecting to NetScaler Gateway. Using a domains drop-down box, the selected domain can determine how many factors of authentication a user will receive. Authentication portals can also be designed based on the user, so for example contractor users can be shown a different logon page than company employees.

nFactor supports local authentication, RADIUS, LDAP, OAuth, TACACS, Certificates, SAML, Negotiate and Web.

What do you need to get nFactor working?

An AAA vServer (a NetScaler Enterprise or Platinum license supports AAA).

Authentication Profile – The Authentication Profile is bound to a NetScaler Gateway vServer and links it to the AAA vServer.

Login Schema – These are XML files that make up the GUI display presented to users logging on. It is possible to present multiple GUI logon screens to users using a multi-factor approach. A number of these files are located in /nsconfig/loginschema/LoginSchema by default. Additional files can be downloaded from Citrix.

Advanced Authentication Policies – Advanced Authentication Policies are composed of policy expressions and actions. An action can be an LDAP server, a RADIUS server etc. This means that if the policy expression (e.g. true) is matched, the action is applied to the user. For simplicity, we could bind an Advanced Authentication Policy with an LDAP action to an AAA vServer, and this would present the connecting user (if the expression is matched) with an LDAP authentication factor. nFactor can only use Advanced Authentication Policies, not Basic.

Basic Authentication Policies – Also composed of policy expressions and actions such as LDAP, Certificate or RADIUS. These Basic Policies contain the server/profile/action entries that are normally associated with an Advanced Authentication Policy for nFactor use. It is not a requirement to actually create a Basic Policy (the policy section). Navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Basic Policies -> LDAP -> Servers -> Add as an example of creating an LDAP server entry, which is then used within Advanced Authentication Policies for nFactor.

Policy Labels – Treat these as the secondary/user-defined factors of authentication. You can have any number of Policy Labels/secondary factors of authentication. An Advanced Authentication Policy links to a Policy Label, which defines the next factor of authentication. Policy Labels are associated with a Login Schema. Multiple Authentication Policies can be bound to a Policy Label, each with its own priority.

Note on Login Schemas – There is a bug where no schema files exist in NSv11.1 build 47.14. This seems to be resolved in build 48.10. If you do not have schema files you can manually copy them from a working NetScaler version or download schema files from Citrix. Login Schema files can be modified: take a copy of an existing schema file, place the file in the /nsconfig/loginschema/ directory and edit it using a basic text editor. Citrix recommend using this directory to store modified login schema files so that changes are preserved even after reboots.

Another option is to modify the file within the NetScaler GUI by selecting a schema file and clicking on Edit.

Make the required modifications and click Save.

Sample Scenario

User devices with a corporate Smart Card certificate are granted authentication to NetScaler Gateway. Users who do not have a corporate-issued Smart Card certificate are prompted for two-factor LDAP & RADIUS authentication.

To get started we will create an AAA vServer. Navigate to Security -> AAA – Application Traffic -> Virtual Servers -> Add.

Enter a name, IP address and authentication domain. Click OK.

Click on No Server Certificate.

Click on Click to select.

Select a certificate. This can be any certificate, as at no time will we be addressing this AAA vServer via a FQDN. Click Select.

Click Bind.

Click No CA Certificate. Since we are doing certificate-based authentication, the NetScaler needs to trust the certificate being presented by the client, and as such we need to add the Root CA certificate to achieve this.

Click Click to select.

Specify the Root CA Cert. If you haven't yet imported your domain's Root Certificate to NetScaler then you should click the + symbol. After selecting the Root CA Certificate, click Select.

Click Bind.

Now click Continue.

Click Continue.

Click Done.

Navigate to Security -> Login Schema -> Profiles -> Add.

Enter an appropriate name and select the dual authentication Login Schema file. You can use the built-in dual authentication file or download the login-2passwd.xml file, which I am using. Click Select to the right after highlighting the Login Schema file.

You can leave the User Credential Index and Password Credential Index blank since LDAP will be used as the last authentication factor for users who fail certificate authentication. If it were one of the first authentication factors and you wanted to carry through these authentication values for SSO on to StoreFront, for example, you could assign a number (1-16) for each value and then configure a Traffic Policy for NetScaler Gateway. Click Create.

Click on the Policies tab, click Add.

Enter a name, select the profile just created and enter an expression value of true. Click Create.

Navigate to Security -> Policies -> Basic Policies -> LDAP -> Servers -> Add. Create a connection to your LDAP server if you have not already done so.

Next navigate to Security -> Policies -> Basic Policies -> RADIUS -> Servers -> Add. Create a connection to your RADIUS server.

Navigate to Security -> Policies -> Basic Policies -> CERT -> Profiles -> Add.

Set Two Factor to OFF and choose SubjectAltName:PrincipalName under User Name Field. Click OK.

Navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> Policy -> Add.

Enter a name, specify LDAP as the Action Type and choose the LDAP action you just created under Action. Enter true under Expression and click Create.

Create another Advanced Authentication Policy for certificate authentication, choosing CERT as the Action Type, the certificate action you just created and true under Expression. Click Create.

Create a final, third Advanced Authentication Policy for RADIUS. Click Create.

Now you will have a total of three Advanced Authentication Policies.

Navigate to Security -> Policies -> Authentication -> Advanced Policies -> PolicyLabel -> Add.

Indicate via the name that this Policy Label is for RADIUS. Select the dual authentication Login Schema created earlier and click Continue.

Click Click to select.

Select the RADIUS Authentication Policy and click Select.

Change the Goto Expression to END and click Bind.

Click Done.

Back within the properties of the AAA vServer, click on No Authentication Policy.

Click Click to select.

Select the Certificate Authentication Policy. Click Select.

Change the priority to 1 and keep the Goto Expression as NEXT. Click Bind.

Click Add Binding.

Select Click to select.

Select the LDAP Authentication Policy. Click Select.

Change the priority to 2, keep the Goto Expression as NEXT and under Select Next Factor click on Click to select.

Select the RADIUS Authentication Policy Label. There will only be one for you to choose. Click Select.

Now click Bind.

Finally, your Authentication Policies should be configured as below.

The last binding we need to do is to bind the dual authentication Login Schema to the AAA vServer. Navigate to Login Schemas and click No Login Schemas.

Select Click to select.

Select the two-factor authentication Login Schema you created earlier and click Select.

Click Bind.

We next need to create an Authentication Profile. This profile links to the AAA vServer we just created and will be attached to our NetScaler Gateway vServer. Navigate to Security -> AAA – Application Traffic -> Authentication Profile -> Add.

Enter an appropriate name, choose any Authentication Host URL (it doesn't matter what this is), select the AAA vServer you created under Authentication Virtual Server, enter an Authentication Domain and click Create.

Navigate to the NetScaler Gateway vServer, find SSL Parameters and click to edit.

Check Client Authentication, choose type Optional and click OK. This is a requirement since we are performing certificate authentication. You do not need to enable Client Certificate Authentication on the AAA vServer as well.

Find Authentication Profile, select the profile you just created and click OK. Save your NetScaler running configuration.

Now when we navigate to the NetScaler Gateway vServer URL, if we have a Smart Card-issued certificate we will be prompted to choose a certificate to present for authentication. Click OK.

Passthrough to NetScaler Gateway is complete.

Let's delete the certificate.

Once again, when navigating to NetScaler Gateway, certificate authentication fails and we are presented with two-factor LDAP/RADIUS authentication.
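To make the cascade built above checkable without an appliance, here is an added example (not NetScaler code and not from the original post) that models how the bindings are evaluated: priority order, the Goto Expression (NEXT or END) on failure, and the Next Factor policy label on success. The policy and label names are assumed, every policy expression is taken as true like in the post, and the per-session result of each CERT/LDAP/RADIUS action is constructed input.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Binding:
    """One advanced authentication policy bound to a factor (vServer or policy label)."""
    policy: str                        # policy name (assumed for the example)
    action: str                        # action type the policy invokes: CERT, LDAP or RADIUS
    priority: int                      # lower number is evaluated first
    goto: str = "NEXT"                 # Goto Expression applied when the action fails
    next_factor: Optional[str] = None  # policy label to run after success, if any
    rule: Callable[[dict], bool] = field(default=lambda client: True)  # 'true' in the post


@dataclass
class Outcome:
    success: bool
    factors_passed: List[str]


# The bindings the post creates. Names are assumptions, the structure is the post's.
AAA_VSERVER: List[Binding] = [
    Binding("Pol_CERT", "CERT", priority=1, goto="NEXT"),
    Binding("Pol_LDAP", "LDAP", priority=2, goto="NEXT", next_factor="PL_RADIUS"),
]
POLICY_LABELS: Dict[str, List[Binding]] = {
    "PL_RADIUS": [Binding("Pol_RADIUS", "RADIUS", priority=100, goto="END")],
}


def run_factor(bindings, client, passed):
    """Evaluate one factor's bindings in priority order.

    client maps an action type to whether that action would succeed for this
    session (constructed input standing in for the real CERT/LDAP/RADIUS
    checks). A successful action either hands off to its Next Factor label
    or, with no next factor, completes authentication. A failed action moves
    on to the next binding on NEXT and stops the whole flow on END.
    """
    for b in sorted(bindings, key=lambda x: x.priority):
        if not b.rule(client):
            continue                                   # expression did not match
        if client.get(b.action, False):
            passed.append(b.action)
            if b.next_factor is None:
                return True                            # final factor: authenticated
            return run_factor(POLICY_LABELS[b.next_factor], client, passed)
        if b.goto == "END":
            return False
    return False                                       # no binding succeeded


def authenticate(client):
    passed: List[str] = []
    return Outcome(run_factor(AAA_VSERVER, client, passed), passed)


if __name__ == "__main__":
    # A valid corporate certificate is sufficient on its own; LDAP/RADIUS are never consulted.
    print(authenticate({"CERT": True, "LDAP": False, "RADIUS": False}))
    # No certificate: CERT fails with NEXT, LDAP succeeds and hands off to the RADIUS label.
    print(authenticate({"CERT": False, "LDAP": True, "RADIUS": True}))
    # Wrong token: the RADIUS label ends the flow with a failure.
    print(authenticate({"CERT": False, "LDAP": True, "RADIUS": False}))
```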



Citrix NetScaler Management and Analytics System


NetScaler MAS (Management and Analytics System) is deemed to be the successor of Citrix Command Center and NetScaler Insight Center. MAS provides automation, monitoring, reporting and deep analytics of networking products such as NetScaler and SD-WAN.

Citrix Command Center – http://www.jgspiers.com/citrix-command-center-setup-configure-monitor/

NetScaler Insight Center – http://www.jgspiers.com/netscaler-insight-center/

The first release of NetScaler MAS was version 11.1 build 47.14, followed by 48.10. The current version at the time of this writing is 11.1 build 49.16.

If you are already familiar with NSIC and CCC, you will find that MAS can do just about everything they do, but with the benefit of using only one unified console. NetScaler MAS brings the following abilities to the table:

  • Manage NetScaler ADC (VPX, MPX, SDX), NetScaler CPX, NetScaler Gateway and NetScaler SD-WAN (only the WAN Optimization edition at present) appliances.
  • Certificate Management, allowing you to install new certificates and receive alerts when certificates are near their expiry date.
  • Configure appliances remotely, allowing you to perform actions such as upgrading the device firmware and running configuration commands across single or multiple devices with the use of Configuration Jobs.
  • Web, HDX, Gateway and Security Insight, which was a big part of NetScaler Insight Center. These features allow you to get an insight into HDX and Web sessions, authentication failures and statistics, and reports on the security of your NetScaler appliances.

Analytics data collection based on NetScaler appliance license:

HDX Insight: Standard = No HDX Insight. Enterprise = 1 hour (real time). Platinum = Historical.

Web Insight: Standard/Enterprise & Platinum.

Gateway Insight: Standard/Enterprise & Platinum.

NMAS Hardware and Software Requirements

8GB RAM.

4vCPU (8vCPU recommended for better performance).

120GB disk space (500GB recommended for better performance).

1 vNIC.

100Mbps or 1Gbps network throughput.

ESXi – version 4.1 or later

XenServer – version 5.6 or later

Hyper-V – 2012 or later

NetScaler v11 build 65.x and above for Gateway Insight to work.

♣ Migrate NSIC to MAS
♣ Install MAS (ESXi)
♣ Configure MAS Network Settings
♣ Add NetScaler Instance
♣ Change Network Settings, Password & Hostname
♣ Enable MAS GUI HTTPS
♣ Upgrade MAS
♣ Configure MAS Backups
♣ Configure NetScaler Instance Backups
♣ External LDAP Authentication
♣ MAS User Account Lockout
♣ MAS User Password Complexity
♣ Create Tenants
♣ NTP Configuration
♣ Configuring Cipher Groups
♣ Email Notifications
♣ Generate Tech Support File
♣ Upload Geo Database File
♣ Create Datacentre
♣ Configure NMAS for High Availability
♣ Viewing Web Insight
♣ Viewing HDX Insight
♣ Viewing Gateway Insight
♣ Analytics Network Reporting
♣ SSL Certificates Dashboard
♣ NetScaler Configuration Auditing
♣ Configuration Audit Templates
♣ NetScaler Configuration Advice
♣ NetScaler Severity Based Events
♣ NetScaler Instance Actions
♣ Upload MAS License (Virtual Server Packs)
♣ Choose Virtual Servers to manage (v11.1.49.16)
♣ Create Rules Based On Events
♣ Change Event Severity
♣ Install SSL Certificate On Remote Instance
♣ Create Configuration Jobs
♣ Upgrade Remote NetScaler
♣ Create Thresholds
♣ Integrate MAS with Citrix Director

You can migrate NSIC (NetScaler Insight Center) to MAS, allowing you to retain all configurations previously made without having to start from scratch again. This is currently only supported for standalone deployments. To migrate NSIC to MAS you must be running NSIC 11.1 build 47.14 or later and have downloaded at a minimum the NetScaler MAS 11.1.49.16.tgz image file.

To initiate a migration, move the downloaded image file to the /var/mps/mps_images directory on NSIC using SCP.

Log on to the NSIC shell using a program such as PuTTY and extract the image file using the commands cd /var/mps/mps_images/ and tar -zxvf build-mas-11.1-49.16.tgz.

Finally, run the command ./installmas.

You should make sure that you reconfigure the Virtual Machine CPU, RAM and disk size as recommended for MAS by Citrix. The system requirements for MAS can be found towards the top of this page.

You can download and install MAS for Hyper-V, ESX and XenServer platforms as a virtual appliance. The average MAS image file size is 335MB for Hyper-V and ESX, and 1.3GB for XenServer.

Once downloaded, within vSphere Client click File -> Deploy OVF Template…

Browse for the downloaded NMAS OVF image and click Next.

Click Next. Note the disk will be thin provisioned.

Choose a name and location for the virtual machine. Click Next. Follow through the remaining steps until the virtual machine creation is complete.

Once NMAS is powered on for the first time you will be asked to perform some initial network configuration. Enter 1, 2, 3, 4, 5 sequentially, inserting the host name, IP address, Gateway address etc. as you go along.

The end result should look like below.

Press 7 and then press Enter to save and quit.

Select option 1 to deploy the NetScaler MAS Server. Type yes to confirm this is a standalone deployment. You can type no if you want to configure HA. You can configure a multi-server deployment later down the line.

Type yes and press Enter to restart NMAS.

Once NMAS is back online, you can browse to the NMAS GUI using the IP you specified during the initial network configuration step. The default credentials are:

Username – nsroot

Password – nsroot

Click Enable or Skip on the CUEIP. This can be enabled or disabled at a later stage.

Click Get Started.

Select Single Server Deployment and click Next.

Click New.

Using the Instance Type dropdown box, select to add a NetScaler or SD-WAN appliance. I am going to show adding a NetScaler.

Enter an IP address and choose the NetScaler Profile. Click OK.

You can edit and create new NetScaler Profiles. The default ns_nsroot_profile contains the username nsroot and password nsroot. You need to change the password and/or username to match an account with superadmin permissions on your NetScaler.

After completing the Add Instance wizard your NetScaler will show as below. Click Finish.

Click on the System tab and click Setup Wizard Settings.

This section allows you to re-configure any IP address settings, the Time Zone and Host Name. Click on NetScaler MAS Network.

You can enter an Alternative DNS IP address and change the default NMAS nsroot password by selecting Change Password. Click Done.

After clicking System Settings you can specify the Host Name, specify whether communication with instance(s) is over HTTPS or HTTP and change the Time Zone. Notice a check box for Secure Access Only; this means you will only be able to access the NMAS GUI over HTTPS. By default this is unchecked. Check this box and click Done.

You’ll get a warning saying you cannot enable Secure Access Only unless you are already connected with HTTPS.

Enter the HTTPS URL for NMAS and log on, then click System -> Setup Wizard Settings -> System Settings -> tick Secure Access Only -> Done.

Secure Access Only will now show as Enabled. After enabling HTTPS (Secure Access Only) any HTTP requests will automatically be redirected to HTTPS. Click Done.

Click Install SSL Certificate.

Locate and insert the NetScaler MAS certificate, which you can generate using an internal Certificate Services environment. Click OK.

Click Yes to restart NMAS.

Now the new certificate is presented when navigating to NMAS.

Navigate back to the Settings tab and click View SSL Certificate.

The certificate we have just installed will show as below.

To reboot the NMAS server, click on Reboot NetScaler MAS under System Administration.

Click Yes.

To upgrade MAS to the latest version, download the upgrade package from the Citrix website.

Then navigate to System -> Upgrade NetScaler MAS -> browse for the downloaded MAS upgrade package and click OK.

Click Yes.

The upgrade takes place.

MAS reboots to complete the upgrade.

When MAS has rebooted we see the latest version has been installed as shown below.

By clicking Change System Settings you can specify settings such as Secure Access Only and Session Timeout. Set the Session Timeout to 5 minutes for NMAS sessions to end automatically after 5 minutes.

Under System -> SSL Settings you can enable/disable Protocols and choose Cipher Suites. By default all Cipher Suites are enabled on NMAS.

Click Configure User Experience Improvement Settings.

Enable or disable CUXIP. You will remember that at the very start of our NMAS installation, when logging on to the GUI for the first time, we were asked if we wanted to enable CUXIP. Click OK.

Click System Prune Settings under System -> Policy Administration.

By default events, audit logs and task logs are pruned every 15 days from the NMAS system. Click OK.

Click Configure System Backup Settings. Here you can configure the number of NetScaler MAS server backups to retain, encryption settings if desired and the option to transfer backups to an external location such as an FTP server. By default NMAS backups occur every night at 12:30AM. You can keep a maximum of 30 backups.

NetScaler MAS also backs up your NetScaler VPX, SDX, SD-WAN instances etc. Here you can choose to password protect those backup files and specify backup intervals. You can retain up to 3 instance backups on NMAS. You can also create on demand backups and restores straight from the NMAS console. See http://www.jgspiers.com/netscaler-backup-restore/ for more information on NetScaler ADC backups and restores.

To configure external authentication to NMAS using LDAP, click System -> Authentication -> LDAP -> Add.

Configure your LDAP server parameters. Notice the Enable Change Password option. This feature is available for NetScaler Gateway/Unified Gateway when using Secure LDAP. Using NMAS, you also have to use LDAPS to get this to work. If you use standard LDAP and have this checked, users are still prompted to change their expired passwords; however, they won’t succeed, as I will show.

Here’s an example of the password change feature using plain LDAP. See http://www.jgspiers.com/configuring-ldaps-citrix-netscaler/ for information on configuring LDAPS on NetScaler Gateway to allow the changing of passwords when they have expired.

When users try to change their password using non-secure LDAP they won’t succeed. If capturing authentication logs on NMAS you will get a Server is unwilling to perform error. Instead, use LDAPS or, if you have to use standard LDAP, do not check the Enable Change Password box.

When passwords are changed and secure LDAP is used, a more promising Password modified success, authenticated message will be generated.

Now that we have configured LDAP for external authentication, click Authentication -> Authentication Configuration.

Choose EXTERNAL under Server Type, click Insert.

Tick the newly created LDAP object and click OK.

You can leave Enable fallback local authentication enabled or disable it based on your preference. This allows local authentication to be used in the event LDAP is unavailable, for example. Click OK.

Click User Administration -> Groups -> Add.

Type a group name as available in Active Directory. Assign the admin permission and click Next.

Click Finish.

Now log on using a domain user who is a member of the IT Admins domain group.

That user will be granted admin permissions to NMAS.

Navigate back to System -> User Administration -> Users -> Add.

Create a user name, password, assign groups and enable external authentication if the user is part of Active Directory. Click Create and you have a new NMAS user.

To enable account lockouts on logon failures to NMAS, navigate to System -> User Administration -> User Lockout Configuration.

Check Enable User Lockout. As a minimum you must set 3 or more invalid login attempts. Specify a User Lockout Interval in seconds and click OK.

The next time a user enters their password wrong to NMAS 3 times, they will be locked out for the defined amount of time as shown below.

To configure password complexity for NMAS accounts, navigate to System -> User Administration -> Password Policy.

Check Enable Password Complexity and then enter a Minimum Password Length value. Click OK.

The next time you try to create a user or change a password for an NMAS user without meeting the complexity requirements, an error message will appear as below.
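To make the two local-account settings above concrete, here is an added illustration (my own code, not anything shipped with NetScaler MAS) of the lockout and password-length behaviour as a small state machine. The exact lockout semantics are assumptions: the failure counter resets on a successful login or once the interval has elapsed, and attempts made while locked are refused without extending the lock.

```python
"""Local-account hardening as NMAS applies it under User Administration:
lockout after N invalid logins for a fixed interval, plus a minimum
password length. Added illustration, not NetScaler MAS code; the lockout
semantics (reset on success or after the interval, no lock extension) are
assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    enabled: bool = True
    max_attempts: int = 3        # NMAS insists on 3 or more invalid attempts
    interval_seconds: int = 300  # the "User Lockout Interval"

    def __post_init__(self) -> None:
        if self.enabled and self.max_attempts < 3:
            raise ValueError("invalid login attempts must be 3 or more")


@dataclass
class PasswordPolicy:
    enabled: bool = True
    min_length: int = 12

    def check(self, password: str) -> Optional[str]:
        """Return an error message, or None when the password is acceptable."""
        if self.enabled and len(password) < self.min_length:
            return "password must be at least %d characters" % self.min_length
        return None


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Interval elapsed: clear the lock and start counting afresh.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record(self, user: str, credentials_valid: bool, now: float) -> str:
        """Record one login outcome and return 'ok', 'denied' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"          # even a correct password is refused
        if credentials_valid:
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if self.policy.enabled and count >= self.policy.max_attempts:
            self.locked_until[user] = now + self.policy.interval_seconds
            return "locked"
        return "denied"


def simulate() -> List[str]:
    """Constructed scenario: three wrong passwords, a correct one during the
    lock, then a correct one after the 60 second interval has passed."""
    tracker = LockoutTracker(LockoutPolicy(max_attempts=3, interval_seconds=60))
    t = 1000.0
    return [
        tracker.record("alice", False, t),       # denied
        tracker.record("alice", False, t + 1),   # denied
        tracker.record("alice", False, t + 2),   # locked: third failure
        tracker.record("alice", True, t + 30),   # locked: still inside the interval
        tracker.record("alice", True, t + 70),   # ok: interval elapsed, lock cleared
    ]


if __name__ == "__main__":
    print(simulate())
    print(PasswordPolicy(min_length=12).check("short"))
```

The point the simulation makes is the one the screenshot shows: once the third failure lands, even the right password is refused until the interval runs out, which is what stops an online guessing loop from simply continuing.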

Tenants (multi-tenancy) give you a way to provide access to external or outside parties, tenants simply put. Doing so allows tenants to add and manage their own network instances, including monitoring them and creating their own users and groups. Click Tenants -> Add. For example, you may host a NetScaler VPX for a 3rd party but they have full control for management. Using NMAS, creating a tenant for that 3rd party will allow them to manage their own NetScaler device through NMAS. They only see and manage their own instances; in other words, tenants are only able to see their own instances and not others.

Provide a tenant name (for example a domain name or company name) and the username/password. Click Create.

As you can see below, the new root tenant account is visible under Users.

When editing the properties of the root account, notice that it is a member of a newly created group, external_admin_group.

When creating tenants, two groups are created by default for admin and read-only permission.

As an example, logging on using the external/root tenant account and viewing Groups, only the two tenant groups are visible and nothing else.

Under System -> Events you can view MAS-related events such as user logons and the system state.

Under System -> NTP Servers click Add.

Specify the details for your internal or external NTP server and click Create.

Click Yes.

Click NTP Synchronization.

Check Enable NTP Synchronization -> OK.

Click Yes. NMAS will restart.

To create a more secure Cipher Group to use with NMAS rather than the default, click System -> Cipher Groups -> Add.

Specify a name, description (mandatory), move secure Cipher Suites to the right and then click Create.

To attach the Cipher Group to NMAS, navigate to System -> SSL Settings and under Cipher Suites use the dropdown to select the newly created Cipher Group. Click OK.

Click Yes.

NMAS restarts to apply the new Cipher Group.

As an example, a secure HTTPS connection to the NMAS GUI shows the below secure Cipher Suite in use, which has been negotiated by my browser and the NMAS server.

To enable email notifications for alerts on certificate expiration, SNMP traps etc., click System -> Notifications -> Email -> Add.

Enter your SMTP server details. Click Create.

Click the Email Distribution List tab -> Add.

Enter a name and the email address that you want the alerts to go to, including the from address. Click Create. You can now create rules which send an email alert once triggered. Rules are explained later.

You can also send notifications via SMS using an SMS server.

To send SNMP Traps received by NMAS to another location, click on SNMP -> Trap Destinations -> Add to add a new destination.

Take a look at the NetScaler you added to NMAS. During discovery, Trap destinations are configured pointing to the NMAS server as shown below.

Back over on NMAS, navigate to System -> Diagnostics -> Task Log to view the status of completed or running tasks. A running task could be the discovery and adding of a NetScaler device to NMAS, manual backups, certificate installation etc.

To generate a Technical Support File for Citrix or for analysis through CIS, navigate to System -> Diagnostics -> Technical Support -> Generate Technical Support File or use the command show techsupport via CLI.

Specify a collection duration and click OK.

Click Download to download the generated file to your local computer, then upload it to CIS. For more information on CIS see http://www.jgspiers.com/citrix-insight-services/

Navigate to Configure ICA Session Timeout.

Here you can specify a time limit after which inactive ICA sessions will be timed out. Click OK.

Click Configure Database Settings. By default, database indexing is enabled, which allows for efficient database querying. You can also enable Database Cleanup, which runs in the event that the regular cleanup job is prevented due to heavy load on NMAS. Click OK.

Click Configure Database Cache Settings. Here you can reset the database cache or disable database caching in the event you want all queries to be submitted against the SQL server for any reason. Click OK.

Click Configure Data Record Settings. Here you can enable or disable certain logs. You can also specify data persistency values and show certain Web Insight reports on the dashboard.

Navigate to System -> Analytics Settings -> Database Summarization. Here you can see the default minute, hourly and daily data persistency values for Gateway, Web, Security, HDX Insight and WAN Optimization.

Navigate to System -> Advanced Settings -> SSL Certificate Files. Here you can view SSL certificates and SSL keys currently uploaded to NMAS. You also have the ability to upload, delete or download certificates.

To upload a Geo Database File navigate to System -> Advanced Settings -> Geo Database Files -> Upload. You can download a Geo Database File from http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz. This is the free Open Source version. Using a Geo Location database allows you to map connecting IPs to cities, which in NMAS will be defined as a datacentre. Gathering location information helps determine if issues such as slow access to NetScaler hosted resources are coming from a certain location.

The GeoLiteCity.dat database file is uploading.

And now the upload is complete. Later I will show how to add datacentres and how to view where users are connecting from.

Navigate to System -> Advanced Settings -> Backup Files. Here you can back up the NMAS server. Click Back Up.

Choose to password protect the file and then click Continue.

The backup is complete and the file can be used to restore NMAS. You can also download the file, or transfer it externally to a server such as FTP.

Back to Geo Locations. To enable Geo data collection, navigate to the Infrastructure tab and click Instances. Navigate to your NetScaler device, click Action -> Enable/Disable Insight.

Check Enable Geo data collection for Web and HDX Insight. You will receive the Success! message. Click the back button.

Click Data Centers.

Specify a name, and other IP information etc. as shown below. You map the IP address information to Country and Region. If you route internal connections through NetScaler and collect HDX Insight data via NMAS, this provides a way to group those connections by region. Take another example where you have a mobile workforce that use Verizon 4G LTE on Androids and connect through NetScaler; you’ll be able to tell these users apart just by grouping them into a location by using the Verizon mobile public IP address scope. Click Create.
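The grouping that Data Centers gives you is just longest-prefix matching of client IPs against the scopes you define, followed by aggregation per location. As an added illustration (my own code, not NMAS’s), the example below does exactly that over a handful of constructed HDX Insight style samples; the data center names and CIDR ranges are made up, and the "Verizon" entry is a placeholder range, not Verizon’s real allocation.

```python
"""Grouping client connections by the IP scopes defined as Data Centers,
then summarising a latency metric per location. Added illustration, not
NMAS code: data center names and CIDR ranges are constructed (the
"Verizon" entry is a placeholder, not a real allocation) and the RTT
samples are made up.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# name -> CIDR scopes, as you would enter them under Infrastructure -> Data Centers
DATA_CENTERS: Dict[str, List[str]] = {
    "UK-London": ["203.0.113.0/24"],                  # constructed, TEST-NET-3
    "UK-London-Guest-WiFi": ["203.0.113.128/25"],     # narrower scope inside the /24
    "Mobile-Verizon-placeholder": ["192.0.2.0/24"],   # placeholder, not a real range
}

# Constructed HDX Insight style samples: (client IP, ICA RTT in ms)
SAMPLES: List[Tuple[str, int]] = [
    ("203.0.113.10", 40),
    ("203.0.113.200", 95),    # falls in the /25 guest scope, not the /24
    ("192.0.2.5", 180),
    ("10.9.8.7", 20),         # matches no scope
]


def build_index(data_centers: Dict[str, List[str]]):
    """Flatten scopes into (network, location) pairs, most specific prefix
    first, so an overlapping narrower scope wins over a broader one."""
    index = []
    for name, cidrs in data_centers.items():
        for cidr in cidrs:
            index.append((ipaddress.ip_network(cidr, strict=True), name))
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def locate(ip: str, index) -> str:
    """Location name for a client IP, or 'Unknown' when no scope matches."""
    addr = ipaddress.ip_address(ip)
    for net, name in index:
        if addr.version == net.version and addr in net:
            return name
    return "Unknown"


def summarise(samples, index) -> Dict[str, Tuple[int, float]]:
    """location -> (connection count, average RTT in ms)"""
    buckets = defaultdict(list)
    for ip, rtt in samples:
        buckets[locate(ip, index)].append(rtt)
    return {loc: (len(v), sum(v) / len(v)) for loc, v in buckets.items()}


def slowest_location(summary: Dict[str, Tuple[int, float]]) -> str:
    """The location with the highest average RTT, i.e. the one to look at first."""
    return max(summary, key=lambda loc: summary[loc][1])


if __name__ == "__main__":
    index = build_index(DATA_CENTERS)
    summary = summarise(SAMPLES, index)
    for location, (count, avg_rtt) in summary.items():
        print("%-28s %2d connections  avg RTT %.0f ms" % (location, count, avg_rtt))
    print("slowest:", slowest_location(summary))
```

The "Unknown" bucket is worth keeping rather than dropping: connections that land there are scopes you have not defined yet, and a large unknown bucket usually means the Data Center list is out of date.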

The next time a user connects using an IP from the UK data center location, it will appear in the World map. You can group locations by RTT, WAN latency etc., giving you an overview of how each location is performing.

MAS high availability requires both NetScaler MAS servers to be running the same software. If you are load balancing client requests to NMAS using NetScaler (recommended), the NetScaler version must be v11 or later. Citrix also recommend placing both nodes within the same subnet.

To deploy a secondary NMAS server for high availability, deploy the second NMAS server and, after configuring the IP address, host name etc., specify 1. NetScaler MAS Server to deploy a NMAS server. When asked if this is a MAS standalone deployment, type no and press Enter. Then type no when asked if this is the first server node. Press Enter.

Type the first NetScaler MAS node’s IP address. Enter the password of an NMAS administrator account such as nsroot and press Enter.

Type yes to restart the NMAS server and press Enter.

Log on to the first NMAS server and click on the System tab. Notice a new Deployment menu is available. Click this. You will see the two NMAS server IPs in the list of Server Nodes. These nodes should be accompanied by an orange circle symbol. Click Deploy to deploy the NMAS high availability deployment configuration.

Click Yes. At this stage both NetScaler MAS nodes will be restarted.

It will take around 8-10 minutes for the highly available deployment to complete.

Once the deployment is complete, you can log back on to NMAS and each MAS node will be online. Click on the first node.

A new screen appears showing which instances are being managed by the 192.168.0.180 node.

If the first node goes offline, the second node takes over the management of any instances that were being managed by the first node. Note that MAS high availability is active-active. Heartbeats are sent between nodes to determine health.

If we log on to the managed NetScaler instance and look at traps, for example, you will notice it is configured to send traps to 192.168.0.181.

If we simulate a failure of 192.168.0.181, the traps dynamically change back to MAS node one, which is 192.168.0.180.

As another example of failover, the below AppFlow Policies have dynamically altered to include the second MAS node IP address.

To degrade a MAS configuration from high availability to single node, navigate to System -> Deployment -> Break HA.

Click Yes. Both nodes will restart and the high availability deployment will break.

To view Web, HDX and Gateway analytics, click on the Analytics tab and then click Instances. Here you can see the NetScaler instance I have added to NMAS, plus the hits and bandwidth consumed within the past hour.

You can click on the instance name, which gives you further analytics information such as the browsers used to access the NetScaler. This could be helpful in the situation where users are complaining about slowness and every one of them is using the same browser. Maybe the browser isn’t compatible with the NetScaler hosted application, for example.

Click on Applications under Web Insight. This shows any vServer hosted applications including the hits, bandwidth, response time etc.

If response time is high on a particular vServer, for example a web application vServer, you can click the vServer for further statistics. If server processing time is high, there may be an issue with the servers hosting the application, such as overloading. If client network latency is high, then you know the problem lies on the client network. This type of insight is invaluable when troubleshooting issues.

If server processing time is high, which server is the culprit? You can sort the processing time by server, so you will immediately be able to identify if a certain server has a fault. Click on Servers then sort by server processing time, located to the right of your screen.

Click on Clients to get a view of the connecting clients, including the client IP addresses and how many clients connected over a certain time frame.

On the HDX Insight section, analytics for HDX traffic to XenApp & XenDesktop is shown. Below you can see ICA RTT (screen lag time), WAN latency, DC latency and bandwidth, including connecting users. This is the same sort of information you will be familiar with when using NetScaler Insight Center.

If you click on an individual user, you can see each HDX session, active or terminated, that the user made within the selected time frame. Other information includes several latency statistics and bandwidth consumed during the session. You can also get bandwidth information from individual virtual channels such as audio, printer mapping and client drive mapping.

Clicking the Desktops section shows latency metrics and any past or present connections to Desktop sessions.

Over on Gateway Insight you can see statistics on failed logons, EPA failures, Application Launch failures and Single Sign-On failures. You can see what browsers and Operating Systems were used during authentication. You can see active user sessions, licenses consumed, terminated sessions, bandwidth used by all or specific Gateways etc.

To use Gateway Insight you must be running NetScaler v11 build 65.x and above. To enable Gateway Insight, enable AppFlow by ticking HTTP within the Enable AppFlow box as shown below.

To enable EPA scan logging you must enable AAA Username logging using either your NetScaler CLI or GUI. To use the GUI, navigate to Configuration -> System -> AppFlow -> Settings -> Change AppFlow Settings.

Select AAA Username -> OK.

Now navigate to NetScaler MAS and click Analytics -> Gateway Insight. On the main overview page you will see statistics for EPA/SSO/Authentication and Application Launch, plus some other pieces.

Under the User Logon Activity section you get a view of the number of users who have authenticated to NetScaler Gateway over the selected period of time.

Click on the Authentication tab to get a list of user authentication failures; which gateway was used, client IP address and timestamp information is also included.

If you click on an individual user, MAS brings all authentication failures for that user into view, including failure reasons etc.

Clicking on Terminated Sessions and Active Sessions towards the bottom of the page gives you a list of Active and Terminated Sessions for that particular specified time frame.

Click on Gateways. Here you can see current Active Sessions to any NetScaler Gateway/Unified Gateway, the number of sessions, Operating Systems used, bandwidth consumed and so on. If you have multiple Gateways, you can click on one to get specific details such as authentication failures against this Gateway, total number of sessions etc.

Navigate to Analytics -> Network Reporting -> NetScaler. This section allows you to generate a number of reports against instances such as:

Client – Server connections to a Load Balanced vServer.

TCP Established Server – Active Server Connections over a specified timeframe.

IP Bytes Usage for transmitted IP bytes received and sent per second.

Resource Utilization usage for memory and CPU.

And more.

Click on the Infrastructure tab. This section gives you an overview of the environment such as how many certificates, NetScalers, Virtual Servers, Applications and SD-WAN appliances have been configured within NMAS.

If you scroll down the page you will come to the Events by Severity section. This graphic shows any clear, minor or major events that have occurred on any of your configured instances in the last 5 minutes, hour, day, week or month. In this example during the past day my NetScaler has encountered a number of minor and major events. Directly below you can also see the health and up time for the appliance over the past day.

Scroll down further and you will come across models, versions, certificate expiry, NetScaler Config saved status and configuration drift. This is helpful because, if you for example have expiring certificates or NetScaler configurations that are not saved, you will be alerted.

Click on Dashboard -> SSL Certificates. This shows a nice dashboard with the certificates, key strength, self-signed vs CA-signed and so on.

If you click on to one of the sections on the dashboard such as Self Signed, you will be directed to a view containing the self-signed certificates for easy viewing and management.

Navigate to Infrastructure -> Configuration Audit. From here, you can see a report for Configuration Saved, Not Saved and Configuration Drift. If you click on one of the sections, i.e. Config Saved, you are brought to the below screen. From here you see a list of your instances that have their configuration saved.

If you select an instance and click Action, you have the option to poll now, run configuration differences between points in time, and download the configuration locally.

If you click on the Running Configuration button, you get a list of all configuration entries currently running. The same goes for the Saved Configuration button.

Audit Templates can be used to make sure certain configurations exist on your NetScaler appliances. Say, for example, you want to make sure all appliances have the optimal cache settings configured or have certain SNIPs or NTP servers configured: the Audit Template runs every 12 hours and, if the NetScaler appliance does not have the configuration the template is looking for, the appliance is flagged as being different from the template.

To get started, navigate to Infrastructure -> Configuration Audit -> Audit Templates -> Add. In this example, I’ll use an Audit Template to make sure certain DNS name servers are configured on my appliance.

Enter a template name, description (optional) and click Add Instances.

Add the NetScaler instance(s) or Instance Groups and click OK.

Now under Template Commands enter the commands you want the template to check are present in ns.conf and click OK.

The audit template is ready to go. As previously mentioned, audits run every 12 hours. We can however force an audit.

Navigate to Infrastructure -> Configuration Audit and click on Config Saved.

Select the instance you have configured auditing for, click Action -> Poll Now.

Click Yes to begin a poll of ns.conf.

Navigate back to Infrastructure -> Configuration Audit. After a few moments (if the DNS name server/command is not present in ns.conf) a Diff Exists alert will show in red. Click on Diff Exists.

Here we can see the appliance and that a difference exists between the template and running configuration. Click on Diff Exists again.

Now we can see that the template CheckforDNS has failed and the NetScaler appliance has a different configuration from what the template is looking for. Click Diff Exists.

Finally you are shown the configuration the template is looking for and the running configuration, which is blank because no such name server has been configured or it has been removed/lost. You also get a view of the corrective configuration, i.e. the command to run to correct the configuration. Clicking Export all the corrective commands exports the commands to a TXT file. You could then run the commands via CLI to correct the configuration or use Configuration Jobs straight from NMAS to correct multiple instances.
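Both the Audit Template check and the Config Saved / Not Saved report boil down to comparing normalised NetScaler CLI lines. As an added illustration (my own code, not anything NMAS runs), the example below does the template check against a constructed ns.conf excerpt using the DNS name server commands from this walkthrough, and then produces the running-vs-saved drift diff for the same appliance. Both configuration excerpts are constructed and use documentation addresses.

```python
"""Audit Template style check of an ns.conf, plus the running-vs-saved
comparison behind the Config Saved / Not Saved / Configuration Drift report.
Added illustration, not NMAS code. Both configuration excerpts are
constructed; the template commands follow the DNS name server example.
"""
import difflib
from typing import Dict, List, Set

# What the template expects to find in ns.conf (one NetScaler CLI command per line).
TEMPLATE_COMMANDS: List[str] = [
    "add dns nameServer 192.0.2.53",
    "add dns nameServer 192.0.2.54",
]

# Constructed running configuration: only one of the two name servers present,
# and an NTP server that was added after the last 'save ns config'.
RUNNING_CONF = """\
set ns config -IPAddress 192.168.0.10 -netmask 255.255.255.0
add ns ip 192.168.0.11 255.255.255.0 -type SNIP
add dns nameServer   192.0.2.53
add ntp server 192.0.2.123
"""

# Constructed saved ns.conf: the NTP server was never saved.
SAVED_CONF = """\
set ns config -IPAddress 192.168.0.10 -netmask 255.255.255.0
add ns ip 192.168.0.11 255.255.255.0 -type SNIP
add dns nameServer 192.0.2.53
"""


def normalise(line: str) -> str:
    """Collapse whitespace so spacing differences do not cause false diffs."""
    return " ".join(line.split())


def parse_conf(text: str) -> List[str]:
    """Normalised command lines, with blank lines and '#' comments dropped."""
    return [normalise(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def audit(template_commands: List[str], conf_text: str) -> Dict[str, object]:
    """Template commands missing from the configuration. The list of missing
    commands is also the corrective set NMAS lets you export."""
    present: Set[str] = set(parse_conf(conf_text))
    missing = [c for c in template_commands if normalise(c) not in present]
    return {"diff_exists": bool(missing), "missing": missing}


def config_saved(running: str, saved: str) -> bool:
    """True when the running configuration matches the saved ns.conf."""
    return parse_conf(running) == parse_conf(saved)


def drift(running: str, saved: str) -> List[str]:
    """Unified diff lines (file headers removed) from saved to running."""
    return [l for l in difflib.unified_diff(parse_conf(saved), parse_conf(running),
                                            fromfile="saved", tofile="running",
                                            lineterm="")
            if not l.startswith(("---", "+++"))]


if __name__ == "__main__":
    result = audit(TEMPLATE_COMMANDS, RUNNING_CONF)
    print("Diff Exists:", result["diff_exists"])
    print("corrective commands:")
    for cmd in result["missing"]:
        print("   ", cmd)
    print("config saved:", config_saved(RUNNING_CONF, SAVED_CONF))
    print("\n".join(drift(RUNNING_CONF, SAVED_CONF)))
```

Normalising whitespace before comparing matters more than it looks: a template command typed with an extra space would otherwise report a difference on every poll, and an unsaved change that only differs in spacing is not a real drift.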

Navigate to Infrastructure -> Configuration Audit -> Configuration Advice. NMAS has the ability to scan your instance and give you a list of best practice recommendations to configure on the NetScaler. What’s even better is you can deploy most recommendations straight from the NMAS console. You can upload a configuration file or select and scan a managed instance. Click Select Device, choose your instance and click Get Configuration.

NMAS analyzes the configuration.

Once complete, a list of recommendations will be displayed.

Check a recommendation such as the one I have below.

Enter some required user information.

To the right of the screen is a small icon. Click this, then choose Apply Now.

The recommendation has been applied to the remote appliance.

Over on the remote appliance we can see the new user has been created successfully.

Notice that the user wasn’t added to any groups, and remember there was no field to select a group over on NMAS. With this in mind, be aware that you may have to perform some final configuration on an applied recommendation.

Navigate to Infrastructure -> Events -> Reports and click on an instance that is reporting events by severity. You may need to adjust the time period to 1 month, for example. From there you can see a list of events logged such as configuration changes, if the NetScaler went down, SNMP authentication from devices etc. Select an event and click Details.

This view gives you an easy-to-read view of the event and what happened during this event.

Navigate to Infrastructure -> Instances and click the subgroup that applies to you, i.e. NetScaler VPX. In here you will find any discovered NetScaler VPX appliances. If we select the appliance, we can click View Backup.

No backup exists. This is because this NetScaler was only recently discovered and automatic backups take place at 12:30am. To take a manual backup, simply select Back Up.

Enter a password to protect the file if desired and click Continue.

After a few moments the backup will complete. From here you can download the file or perform a restore.

Navigate back to the Infrastructure -> Instances section and select one of your NetScaler instances. Click Action. Notice the different actions you can perform on an instance such as ping, view events, reboot and Enable/Disable Insight.

You can also replicate the configuration of one device to another.

Navigate to Infrastructure -> Licenses -> Settings. Here you can upload a license to NMAS. By default MAS can monitor up to 30 virtual servers within discovered instances. If you want to go beyond that, you will need to purchase licenses known as “virtual server packs” that come in 100, 200 and 1000 license packs etc.

By clicking System Licenses you can see the virtual server limit of 30 and the actual number of managed virtual servers.

Introduced with the 11.1.49.16 version of NetScaler MAS is the ability to choose which Virtual Servers you want to manage. This is great in the situation where you only want to manage up to 30 without having to buy additional server packs for Virtual Servers that you don’t care so much about managing. To pick and choose, navigate to Infrastructure -> Licenses -> System Licenses -> Modify licensed Virtual Servers.

Select a Virtual Server and click Mark Unlicensed.

If you click on Event Messages you can get a list of clear, minor and major events logged by your NetScaler, SDX and SD-WAN (WAN Op edition) instances.

Click on Rules. Here we can create a rule based on an incoming event. Click Add.

We will create a rule that sends an email based on a certain type of received critical event.

Under Category choose entitydown and sslCertificateExpiry. At the bottom of the page, click Add Action.

Set the Action Type to Send e-mail Action and choose your pre-created email distribution list. You can choose to repeat the email notifications and the frequency they are repeated. Click OK.

The new rule is created.

The new rule can be triggered if the device is rebooted or goes offline.

Click on Event Settings. Here you can alter the severity settings for any event category. Choose an event category and click Configure Severity.

Use the Severity dropdown box to choose a severity other than Major.
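The interplay between Rules and Event Settings is easy to get wrong: a severity override is applied to the event before any rule looks at it, so downgrading a category can silently stop an email you expected. The added example below (my own code, not NMAS’s) evaluates a rule like the one created above over a few constructed events and shows that effect. The events, the cpuUsage category, the distribution list name and the rule’s severity threshold are constructed; only entitydown and sslCertificateExpiry come from the walkthrough.

```python
"""Event rule evaluation in the style of Infrastructure -> Events -> Rules:
per-category severity overrides (Event Settings) are applied first, then
rules match on category and a minimum severity, producing email actions for
a distribution list. Added illustration, not NMAS code. Events, the cpuUsage
category, the distribution list name and the severity threshold are
constructed; only entitydown and sslCertificateExpiry come from the text.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Set

SEVERITY_RANK = {"Clear": 0, "Minor": 1, "Major": 2, "Critical": 3}


@dataclass(frozen=True)
class Event:
    category: str
    severity: str
    source: str       # instance name or IP
    message: str


@dataclass(frozen=True)
class Rule:
    name: str
    categories: Set[str]
    min_severity: str           # assumed threshold; the GUI rule matches on category
    distribution_list: str      # pre-created under Notifications -> Email Distribution List


def apply_severity_overrides(event: Event, overrides: Dict[str, str]) -> Event:
    """Event Settings -> Configure Severity: rewrite the severity for a category."""
    if event.category in overrides:
        return replace(event, severity=overrides[event.category])
    return event


def evaluate(events: List[Event], rules: List[Rule],
             overrides: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one email action per (event, matching rule) pair."""
    actions = []
    for raw in events:
        ev = apply_severity_overrides(raw, overrides)
        for rule in rules:
            if ev.category not in rule.categories:
                continue
            if SEVERITY_RANK[ev.severity] < SEVERITY_RANK[rule.min_severity]:
                continue
            actions.append({
                "rule": rule.name,
                "to": rule.distribution_list,
                "subject": "[%s] %s on %s" % (ev.severity, ev.category, ev.source),
                "body": ev.message,
            })
    return actions


# Constructed inputs
RULES = [Rule("critical-to-netops", {"entitydown", "sslCertificateExpiry"},
              "Major", "netops-alerts")]
OVERRIDES = {"sslCertificateExpiry": "Minor"}   # downgraded under Event Settings
EVENTS = [
    Event("entitydown", "Major", "ns-vpx-01", "vserver lb_web is DOWN"),
    Event("sslCertificateExpiry", "Major", "ns-vpx-01",
          "certificate GatewayCert expires in 7 days"),
    Event("cpuUsage", "Major", "ns-vpx-01", "CPU usage 92%"),
]


def demo() -> List[Dict[str, str]]:
    """Actions produced with the override in place: only entitydown gets through."""
    return evaluate(EVENTS, RULES, OVERRIDES)


if __name__ == "__main__":
    for action in demo():
        print(action["to"], "<-", action["subject"])
    print("without the override:", len(evaluate(EVENTS, RULES, {})), "actions")
```

Run as written it emails only the entitydown event: the certificate expiry event is a category the rule matches, but the Event Settings override has already lowered it to Minor, so it never reaches the distribution list. That is the case to check whenever an expected certificate-expiry email does not arrive.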

Navigate to SSL Certificates -> Install.197-min

We can use this wizard to install a certificate on a remote NetScaler instance. Complete the below fields.198-min

After the below fields have been completed such as the Certificate Name, Certificate File, Key File, click OK.199-min

If everything was correct we should now have a new GatewayCert certificate installed on the remote NetScaler appliance.200-min

Navigating to SSystem -> Diagnostics -> Task Log you can see the InstallSSLCert task completed.201-min

Drill in to the task to see the actual different steps (commands) used to complete the certificate install.202-min

To create configuration jobs to automate tasks on NetScaler appliances navigate to Infrastructure -> Configuration Jobs -> Create Job.

Here’s a look at the different deployment types we can use. Jobs are able to run on NetScaler, NetScaler SDX and NetScaler SD-WAN WO.

Using an Inbuilt Template shows one possible configuration job (NSConfigureSyslogServer) to configure Syslog on the NetScaler.

By selecting Instance as the Configuration Source you can extract commands run on the selected source instance over a defined period of time and use these commands to create a configuration job. As you can see, over the past day 2 commands have been run. Click (hold click) and drag the 2 commands item to the middle white canvas. Doing this allows you to replicate configuration easily from one NetScaler to another.

Now we can see the actual commands. If they are the commands we need, we can make a configuration job out of them.

If you choose File as the configuration source, you can upload a file containing commands to be used for a configuration job.

Selecting Record and Play as the configuration source lets you run GUI actions manually on the NetScaler with NMAS recording those commands. This is a handy feature! Select a source instance and click Record.

NMAS is attempting to authenticate with the NetScaler instance using whichever profile you have attached to the NetScaler Instance.

If for any reason the NetScaler profile contains a wrong username or password for the appliance, you may get this message as well as the instance becoming down/unmanaged by NMAS.

Once authentication is done a popup window will appear showing the NetScaler GUI. From here you can make any configuration changes that you like.

Since I am simple, let’s just create a new user (superadmin).

Now navigate back to NMAS and click Stop.

NMAS will retrieve a list of the commands run on the NetScaler appliance. I only configured one user but you can run and capture multiple/advanced configurations.

Once complete, 2 commands from instanceip appears as shown below. Drag this item on to the white canvas.

The commands appear as below, showing what was involved to create the user.

Once happy, click Next.

Now since we have to run this job on an instance, we need to add one. Click Add Instances. If you do not want to run a job right now you can click Save & Exit and pick up where you left off at a later stage.

Select an instance or instance group and click OK.

Click Next.

Click Next.

Specify to Ignore error and continue, Stop further execution or Rollback successful commands upon command failure.

Specify an execution time, now or later.

If you click later, you can run the job daily, or on a specific day of the month or week.

If you have selected this job to run on multiple instances, specify whether to execute the jobs in parallel or in sequence. Now, click Finish.

You will be directed to the Jobs screen and shown the progress of the job.

The job is complete once you get the Completed message under Execution Summary. You can download a report of the job or email it. Click Download.

The file downloads as a PDF and is displayed as below, showing the commands run and the instance they ran on.

Back on the NMAS console, you can execute the job again or view the execution history.

The execution history shows below with some important yet brief information on the job. Notice the Download Report and Email Report options are here, giving you the option to perform these actions at any time.

If you click Execute Again you will receive a warning that the job will perform the same commands against the same instance. Click Yes if you want to proceed.

Starting with NetScaler MAS version 11.1 build 49.16 you can edit completed Configuration Jobs, add or remove commands and run them again against the same or different NetScaler Instances or Instance Groups. Simply select a completed job and click Edit.

Make any desired changes and continue on with the wizard until complete.

To upgrade a NetScaler appliance straight from NMAS, navigate to Infrastructure -> Configuration Jobs -> Maintenance Tasks. Highlight the UpgradeNetScaler built-in task and click Execute. Notice there are other tasks to configure HA pairs etc.

Click Add Instances.

Select the instance you want to upgrade and click OK.

Insert the NetScaler upgrade file (in .tgz format) and click OK.

The upgrade image will start to upload to the NetScaler appliance. Once complete you are returned to the NMAS screen. You have to view the Task Logs to check the status of the upgrade.

If we navigate to Task Logs you can see the task is In Progress.

Drilling in to the Task Command Log shows that NetScaler build 11.1 47.14 is installing.

After a few moments, and a few refreshes, the install should return “Completed”.

The UpgradeNetScaler task reports complete and the appliance has been upgraded. I have used this method on production NetScaler devices and have not had any issue with upgrades so far. Using NMAS to upgrade the NetScaler could not be easier!

To create thresholds to receive alerts based on certain factors exceeding limits navigate to System -> Analytics Settings -> Thresholds -> Add.

Enter a name. Select Traffic Type (HDX/Web) and then the entity, such as Desktops, Applications or Licenses in use for HDX. Check Enable Alert, Notify through Email and select your email distribution list. Select a metric such as DC latency (ms), select a comparator such as equals to or greater than, and finally enter a value.

For this threshold an email will be sent if DC latency for Desktops is greater than 5ms for the duration of 1 hour. Click Create.

The new threshold shows as created below.

Integrating MAS with Citrix Director allows you to view HDX Insight data, trends and historical analytics data straight from the Director dashboard. You will need Director 7.11 and a Platinum XenApp or XenDesktop license. Other points to note are:

  • Citrix Receiver 11.8 for Mac and Citrix Receiver 3.4 and later versions are required to display accurate ICA RTT metrics.
  • NetScaler MAS 11.1.49.16 or later is required.
  • VDAs running v7 or later are required.

To integrate MAS with Director, firstly open CMD (as administrator) and run command cd c:\inetpub\wwwroot\citrix\director\tools. Next run DirectorConfig /confignetscaler. Enter the IP of your MAS server. Enter MAS credentials and complete the other prompts. Eventually you should see a Director configuration completed! message.

Troubleshooting NMAS

This document should still largely apply to MAS: http://docs.citrix.com/en-us/netscaler-insight/11-0/ni-troubleshoot-tips-ref.html

When you have enabled AppFlow against your NetScaler Gateway or Load Balanced vServer etc. and you cannot see any Insight traffic, make sure firewall rules are in place to allow UDP 4739 from the NetScaler NSIP to the NMAS IP. You can check if MAS is receiving any AppFlow traffic by performing the following steps:

Launch PuTTY, and connect to your NetScaler Insight Center IP.

Type shell. Press enter.

Type command tcpdump -i 1 src NSIP and dst port 4739 where NSIP = your NetScaler IP.

If you still do not see NetScaler AppFlow data, connect to your NetScaler appliance with PuTTY.

Run command disable feature appflow followed by enable feature appflow.

Review the MAS PuTTY screen to see if traffic is appearing. If not, review firewall configuration.

Example output showing AppFlow traffic between NetScaler MAS and NetScaler VPX.

Azure Multi-Factor Authentication with NetScaler Unified Gateway


Azure Multi Factor Authentication (previously PhoneFactor) is a multi-factor authentication technology that can be used with IIS, VPNs, OWA, ADFS, Office 365 and NetScaler, to name a few, using either the LDAP or RADIUS protocols from the Azure cloud or on-premise. MFA has the ability to verify a user's identity by calling their phone, texting their phone or using an app for verification. Using a phone for the second factor lets you make use of something everyone will likely already have, without additional bits of hardware, whilst making it a great deal harder for attackers to break into accounts.

MFA can be deployed on-premise using the cloud service for second factor authentication, which I will show today, or fully served from the Azure public cloud. Azure Multi-Factor Authentication is available free of charge for Office 365 users and Azure administrators to protect logons to the Azure management portal. MFA itself can be purchased as a standalone license which contains the most features and is bundled with Azure Active Directory Premium or the Enterprise Mobility Suite.

Two deployment methods for MFA:

  • On premise – Use on-premise if your users are located on-premise in Active Directory and you want to use MFA for on-premise VPN, NetScaler Gateway, Remote Desktop Gateway etc.
  • Azure cloud – Use cloud if your users are in Azure Active Directory and you only have to protect services in the cloud.

MFA System Requirements:

  • 200MB hard disk space.
  • 1GB RAM or more.
  • Windows Server 2008 or greater server OS
  • Windows 7 or greater client OS
  • .NET 4.0.
  • IIS 7.0 or greater if installing MFA User Portal or web service SDK.
  • ASP.NET & IIS 6 metabase compatibility IIS 7.0+ features if installing MFA User Portal.
  • Port 443 outbound to https://pfd.phonefactor.net, https://pfd2.phonefactor.net and https://css.phonefactor.net.

♣ Download MFA
♣ Install MFA
♣ Configure MFA for two-factor with NetScaler
♣ Configure NetScaler for two-factor with MFA
♣ MFA Secure LDAP
♣ Add Second MFA Server
♣ NetScaler MFA vServer Configuration
♣ Deploying the MFA User Portal
♣ One Time Bypass
♣ Deploying the MFA Mobile App

Downloading MFA

You can download the MFA software for an on-premise install either via service settings or by clicking Manage on an MFA Authentication Provider. To download via service settings in the Azure portal, navigate to your Active Directory instance and click Try it now under Get Azure AD Premium if you do not already have a license and want to trial the software.

Click Try Azure Active Directory Premium Now. Click the tick icon. Now click on Microsoft Azure Active Directory Premium. Click Enable directory features. Click Manage service settings. Click Go to the portal. Click Downloads. Click Download.

Alternatively, to download MFA by managing an Azure MFA Authentication Provider, navigate to Active Directory -> Multi-Factor Auth Providers -> Create a new multi-factor authentication provider if you do not currently have one created. Enter a name and choose your usage model. License usage can be either per enabled user or per authentication. Link the Authentication Provider to a directory if you use Azure to manage user accounts. Otherwise, select Do not link a directory -> Create. Now click Manage. Click Downloads. The installation media is 121MB in size.

Installing MFA

On the designated on-premise MFA server launch the installation media. For Server 2012 R2, KB2919355 is a prerequisite. KB2919442 should be installed before installing KB2919355. Once installed click OK. Download update KB2919355 if required. Back over on the install wizard click Install to install the Visual C++ software. Agree to the license terms and click Install. Click Close. Agree to the license terms and click Install. Click Close. Specify an installation folder for MFA or accept the default location. Click Next. Click Finish.

Shortly after clicking Finish the MFA configuration wizard appears. Click Next. To subscribe to MFA you need to enter activation credentials that can be generated from the Azure MFA portal. Navigate back to the downloads section for MFA and click Generate New Activation Credentials. Take a copy of the email and password. Passwords expire after 10 minutes, however new credentials can be generated. Enter the credentials (email/password) in to the MFA configuration wizard and click Next.

Use the existing default group or create a new one. Servers in the same group replicate and perform failover, which I will show later. Click Next. Select Enable replication between servers if you are going to have multiple MFA on-premise servers for redundancy, which I will. Keep the default boxes checked to enable secure communications between MFA servers and click Next. For replication the requirements are that MFA servers are placed in a PhoneFactor Admins Active Directory Security Group and certificates are present on the boxes. Keep the default boxes checked and click Next. Click Next. Certificates will be generated for secure communication between MFA servers. This is an example of the certificate created on one of the servers. Since NetScaler is not in the list we have to select some sort of deployment option to continue. Select Terminal Services -> Next. Click Next. Click Finish. The MFA server will now restart.

Configuring MFA for two-factor with NetScaler

Once the MFA server has restarted launch the MFA administration console. Navigate to Windows Authentication and delete the Terminal Services server we added since we don’t actually need it. Click Yes. Navigate to LDAP Authentication, click Add. Enter your NetScaler NSIP (NetScaler IP) and a name. When load balancing through NetScaler we insert the SNIP here. By default Require Multi-Factor Authentication user match is checked and for security reasons should be left enabled. If you disable this, any user not configured within MFA can potentially authenticate to NetScaler without providing two-factor authentication. If you leave this enabled, users must be imported in to MFA so the user match check can pass.

Next browse to Directory Integration. Uncheck Include trusted domains to increase performance if you have multiple domain trusts but won’t be importing users from those domains. For LDAP we must specify a specific LDAP configuration. Click on Edit. Enter details as below. The Bind username should match the account used in your NetScaler Gateway LDAP authentication policy. Multiple Active Directory servers can be specified by separating them with semicolons. Once the required information is entered click on Test. You should get a success message. Click OK.

Click on the Synchronization tab. Click to enable synchronization with Active Directory. You can click Add to add items you want to keep synchronized, for example a Security Group. As members are added to the Security Group they are added as MFA users, providing automation, and if their mobile phone number or user account details change those details are updated in the MFA database. You can also choose Remove users no longer in Active Directory, which is a good idea to keep the MFA users list clean. You can specify the synchronization interval as below.

Click on Company Settings. Here we can specify which type of secondary factor to use. For now I will select text message so that when users successfully enter LDAP credentials to the NetScaler they will need to respond to a one time password text message. Secondary factors can be changed for individual or groups of users, so even though you are selecting the second factor here this doesn’t mean one setting for all.

Click on Users. We need to add users to MFA so that they can use multi-factor authentication. It is also required to add the service account used in your NetScaler LDAP policy to make bind connections to LDAP. Click on Import from LDAP. Here you can browse the directory structure and select multiple users to import. I am going to import one user account by highlighting the user and clicking Import. If you click on the Method Defaults tab you can choose which second factor of authentication that user should be prompted for, otherwise the default factor you chose earlier applies. The mobile number from Active Directory is read and displayed in MFA.

To test multi-factor authentication click on the Test button. Enter an MFA username and password. Click Test. You should receive a text message; reply with the OTP. If all is good you will receive a success message.

Now because NetScaler (the LDAP client) uses a bind account for LDAP we need to import it to MFA. You can use the search function, another way to locate and import users in to MFA. Notice that this bind account is disabled and must remain disabled.

Configuring NetScaler for two-factor with MFA

The NetScaler needs some configuration before multi-factor authentication will work. Modify the existing LDAP authentication policy. Enter the MFA server IP address (or load balanced address) and increase the time-out to something reasonable, giving users time to reply to the text message or other form of authentication. Make sure the LDAP bind DN matches the user account specified within MFA and the LDAP configuration. The next time you authenticate to NetScaler Gateway using an MFA configured user account you will receive a text message like below; respond and shortly after you should gain access to NetScaler Gateway.

MFA Secure LDAP

To enable Secure LDAP you need to import a certificate on all MFA servers and select that certificate through the MFA console. The NetScaler also has to trust the certificate. I am going to use a self-signed certificate generated from ADCS. Navigate to LDAP Authentication and click Browse beside SSL certificate. Select the computer certificate that matches the MFA server FQDN. Click OK.

Adding a Second MFA Server

To add a second MFA server to an MFA server group launch the installation media on the second MFA server, run through the configuration and join to an existing group as below. Once complete all configuration should replicate to the second MFA server. You can now see both servers as below, including which server is the master and which one is the slave.
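The NetScaler side of the MFA integration described in this section (the LDAP action pointed at MFA with a longer time-out, Secure LDAP on 636, and a load balanced vServer across both MFA servers with TCP 636 monitoring) as NetScaler CLI. This is an added example, not commands from the post; the server names, addresses, Gateway vServer name gw_vsrv, base DN and bind DN are assumptions.

```nscli
# Assumed values: MFA servers MF01 192.0.2.41 and MF02 192.0.2.42, LB VIP 192.0.2.40,
# Gateway vServer gw_vsrv, example.local directory. Replace with your own.

# LB vServer in front of both MFA servers, LDAPS passed through on TCP 636.
# The default TCP monitor probes port 636, so a stopped MFA server is marked DOWN
# and authentication requests are sent only to the remaining server.
add server MF01 192.0.2.41
add server MF02 192.0.2.42
add service svc_MF01_636 MF01 TCP 636
add service svc_MF02_636 MF02 TCP 636
add lb vserver vs_MFA_LDAPS TCP 192.0.2.40 636
bind lb vserver vs_MFA_LDAPS svc_MF01_636
bind lb vserver vs_MFA_LDAPS svc_MF02_636

# Gateway LDAP action pointed at the LB VIP instead of a domain controller.
# -secType SSL  : Secure LDAP; NetScaler must trust the certificate on the MFA servers.
# -authTimeout  : raised from the 3 second default so the user has time to answer the text/call.
# The bind DN must be the same (disabled) account that was imported into MFA.
add authentication ldapAction ldap_mfa -serverIP 192.0.2.40 -serverPort 636 -secType SSL -authTimeout 60 -ldapBase "DC=example,DC=local" -ldapBindDn "CN=svc_ldap,OU=Service Accounts,DC=example,DC=local" -ldapBindDnPassword "REPLACE_ME" -ldapLoginName sAMAccountName
add authentication ldapPolicy pol_ldap_mfa ns_true ldap_mfa
bind vpn vserver gw_vsrv -policy pol_ldap_mfa -priority 100

# Because the LDAP traffic now leaves via the LB vServer, the MFA servers see a SNIP
# as the client address; that SNIP is what must be registered under LDAP Authentication
# in the MFA console (with Require Multi-Factor Authentication user match left enabled).
show lb vserver vs_MFA_LDAPS
```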
Keep in mind that servers participating in replication must either have a certificate generated for replication and/or be members of the PhoneFactor Admins Active Directory group.

To promote a slave server to master simply right-click the slave and select Promote to Master. If an MFA server goes offline your slave server will still accept LDAP authentication requests, so authentication will not be affected. If you need to use the MFA administration console you launch the console via the slave MFA server. The slave server tries to contact the master (now offline) MFA server. After realising that contact cannot be made to the master you are presented with the option of promoting the slave to master. Keep in mind the warning that comes with promoting a slave to master. Click Yes. Click Yes again. Now the slave server has been promoted to master. MF01 shows as Not Connected as it is offline. Authentication requests should be directed fully to MF02.

NetScaler MFA vServer Configuration

You can use a Load Balanced vServer on NetScaler to load balance authentication across both MFA servers and provide high availability with back-end service monitoring. As you can see MF01 is marked as down because the TCP 636 probes are failing since the server is offline. Once MF01 is back online the probes succeed and the service state is marked UP.

Deploying the MFA User Portal

You can deploy an MFA User Portal allowing users to enrol for MFA themselves and manage aspects of their account. The portal runs on IIS within a Windows Server OS and is configurable within the MFA administration console. Review the software prerequisites for the MFA User Portal at the top of this guide. The MFA User Portal can be installed on an MFA server itself or on separate server(s).

To deploy the MFA User Portal on an existing MFA server simply launch the console, navigate to User Portal and click Install User Portal… Click Next. Click Next. This step creates an Active Directory user account and adds that account to the PhoneFactor Admins group. Click Next. Choose the default Site, Virtual Directory name and Application Pool or choose your own. Click Next. Click Close.

Launching the User Portal over HTTP gives a 403.4 – Forbidden error because we need to configure and enable an HTTPS binding against the site. Make sure an HTTPS binding exists for the site and a certificate is installed that matches the MFA User Portal URL. Now we can browse to the MFA User Portal over HTTPS.

Navigate back to the MFA Administration Console. There are a number of different options you can configure, such as allowing users to select a method of secondary authentication when they log on to the User Portal. By default, Automatically trigger user’s default method is selected, which results in the user being challenged with the default secondary authentication method when they log on to the User Portal. In our case, this is text message verification. You can allow users to select their own method of secondary authentication so that when they log on to the User Portal options are given based on allowed authentication methods. Tick Allow user enrollment so that users can log on to the User Portal and enrol themselves for multi-factor authentication.

As a user logs on to the User Portal for the first time with text message verification selected as default and they do not have a phone number associated with their account, they are prompted to specify one and to authenticate using a text message to confirm the phone number they enter is owned by them. Enter a phone number and click Text Me Now to Authenticate. Next you will be asked for a number of security questions. Security questions are used as a fallback if you fail authentication to the User Portal. Again, security questions can be turned on or off. The user must specify answers to four security questions by default. Click Continue when ready. You can use the drop down on any of the four questions to change them.

Once security questions have been answered you are brought to the welcome screen. Your account is now configured to use multi-factor authentication. The message below changes based on which multi-factor authentication method the user is using, i.e. text message/phone call. Click on the Change Phone icon if you want to change your mobile number. Click on Change Security Questions if you want to change any of your security questions.

If you fail secondary authentication when logging on to the User Portal you are given the choice to log on by correctly answering your security questions. This can be turned off by unticking Use security questions for fallback in the MFA console. You can also specify how many questions a user must correctly answer (minimum 1, maximum 4). You can add, edit, remove and change the order of questions by using the Security Questions tab within the MFA console.

On the Trusted IPs tab click Add. You can add single IPs, ranges or subnets, meaning that IPs connecting to the User Portal are not challenged by a secondary authentication method as they are trusted. Instead these users only need to enter their Active Directory credentials.

One Time Bypass

You can allow users to initiate One-Time Bypass by checking Allow users to initiate One-Time Bypass. Now users, within the User Portal, can initiate a one-time multi-factor authentication bypass and specify the number of seconds the bypass is valid for. If the user signs in to NetScaler Gateway, for example, within the next 300 seconds they will not be challenged with a second factor of authentication.

Deploying the MFA Mobile App

Another authentication method which I have not talked about is achieved by using the MFA mobile app. Using the app you can simply tap an authenticate button or enter a PIN along with tapping the button.

MFA mobile app system requirements:

  • MFA v6.0+ used in your environment.
  • MFA Mobile App web service installed on IIS 7 or higher and internet facing.
  • ASP.NET v4.0.30319 installed, registered and set to allowed.
  • IIS6 Metabase Compatibility IIS feature installed.
  • MFA Mobile App web service accessible via public URL and secured with SSL certificate.
  • The Mobile App portal must be able to communicate with the web service SDK using SSL meaning it must trust the certificate issued to the SDK server.

The MFA web service SDK must also be installed on your MFA server(s) to ensure communication between MFA servers and the Mobile Web app service is possible.

MFA web service SDK system requirements:

  • Basic Authentication for Web Service SDK
  • IIS6 Metabase Compatibility IIS feature installed.
  • Web service SDK must be installed on IIS 7+ and secured with SSL certificate.

To get started install the Web Service SDK on all participating MFA servers. Launch the MFA console, navigate to Web Service SDK -> Install Web Service SDK. Click Next if you are happy with the default settings. Click Close.

You must secure the SDK Web Service with an SSL certificate. This can be an internally issued certificate. The Web Portal front-end server must trust this certificate as both services will communicate over HTTPS. Both of my MFA servers that have the SDK Web Service installed will use an existing computer certificate matching the FQDN of each respective server name.

On one of the MFA servers navigate to C:\Program Files\Multi-Factor Authentication Server and copy MultiFactorAuthenticationMobileAppWebServiceSetup64.msi. This file must be copied to your Mobile App Web Service server. Launch the Mobile App installation media from the Mobile App Web Service server. Click Yes to download the Visual C++ 64-bit media. Download and run the installer. Click Close. You will have to run the Mobile Web App installer again. Click Yes to download the Visual C++ 32-bit media. Click Close. Now the installation wizard allows you to configure IIS settings. You will want to trim the virtual directory name as users may have to type it in as part of the URL when configuring the Microsoft Authenticator app. Trim the Virtual Directory to something simple. Click Next. Click Close.

On the Web App Service server, navigate to C:\inetpub\wwwroot\AWS and edit web.config. Look for the section containing SDK_AUTHENTICATION_USERNAME and SDK_AUTHENTICATION_PASSWORD. These fields should be completed with the username and password of an Active Directory service account used to communicate back to the SDK web service. Insert DOMAIN\username and password as below inside the quotation marks. Next find the section containing PfWsSdk. Remove https://www.contoso.com/, replacing it with the server name hosting your Web Service SDK. This may be a load balanced address if you have this configuration. Now save web.config. Secure the Web App Service with a public certificate. Make sure you can browse to the publicly accessible URL without any certificate warnings.

Now on your MFA server navigate to the MFA console and under User Portal -> Allow users to select method you can select Mobile app, which allows users to enrol their mobile phone for mobile app authentication. Mobile app authentication can also be made a mandatory authentication method by changing the secondary authentication default in Company Settings or within the user's own properties. Users can also select their own authentication method within the User Portal. Select Allow users to activate mobile app. You can limit the number of devices a user can activate using Device limit. In the MFA console, navigate to Mobile App. Complete the Mobile App Web Service URL and specify an Account Name. Account Names are those that appear within the user's Authenticator application to make identification between different accounts easier.

The next time a user logs on to the User Portal they can activate their own mobile app. Navigate to Activate Mobile App -> Generate Activation Code. You can now add the MFA account to your mobile either by manually typing the activation code and URL (notice why it was important to shorten the virtual directory name) or by scanning the QR code. Activation codes expire after 10 minutes. Completing either method adds the company MFA account to your app. Next time you sign in to NetScaler Gateway and your method is mobile app authentication, the Authenticator app pushes a notification to your phone asking you to approve or deny the sign-in. Click Approve and authentication to NetScaler Gateway will be granted. Note that push notifications must be allowed on your phone.

As previously mentioned you can also secure mobile app authentication with a PIN. Edit a user's account using the MFA console and select PIN using the dropdown box. Clicking Generate provides you with a 4-digit PIN. Select User must change PIN and click Apply. You can generate your own PIN for users. You can also generate and assign PINs to multiple user accounts at once. Now as the user logs in and clicks Approve they must enter the 4-digit PIN. Once that PIN is entered correctly you are prompted to change your PIN to something different. Going forward this will be the PIN you use for authentication. PIN settings including minimum length can be changed in the MFA console by navigating to Company Settings.

Get an A+ rating score on NetScaler 11.1


Whilst this guide specifically uses NetScaler v11.1 many of the tweaks that secure the NetScaler configuration can be applied to prior versions. This guide shows how to obtain an A+ rating score from SSL Labs for your NetScaler Gateway vServer.

When we build a NetScaler Gateway vServer with default settings and run it through SSL Labs we get a “C” score. Some of the reasons for the grade of C are that SSLv3 is enabled, which is prone to various vulnerabilities, and that Secure Renegotiation is not available. Certificates issued to the NetScaler Gateway vServer should be SHA2-issued certificates, including the intermediate certificate. That is not covered here, however it does affect the score, and if you are getting a grade worse than C that may be why.

Firstly, on the NetScaler you want to replace the default ciphers offered by the NetScaler Gateway vServer with more secure cipher suites. Navigate to the NetScaler and browse to Traffic Management -> SSL -> Cipher Groups -> Add. Specify a name for the Cipher Group. Click Add. Move all secure cipher suites to the right. I’m selecting all TLS 1.2 suites. You can look on the internet for a list of secure cipher suites available today. Save the new Cipher Group.

Navigate to your NetScaler Gateway vServer and click edit on SSL Ciphers. Click the minus symbol beside DEFAULT. Now click on Cipher Groups. Use the dropdown to select the newly created Cipher Group and click OK. Secure_Cipher_Group is the only group you should now see in the list. If Default is still showing in the list go in and remove it again.

Next click edit on SSL Parameters. You want to disable SSL protocols such as SSLv3, so uncheck insecure protocols. I’m leaving TLSv1.2 as the only available protocol; NetScaler Gateway will use this protocol only when negotiating a secure connection with an end-user's browser. Click OK. Click Done. Now SSL Labs is reporting as A-. Still some work to do. Notice that the NetScaler Gateway is no longer subject to possible attacks such as POODLE. Secure Renegotiation is still an issue though, so we will tackle that next.

Navigate back to the NetScaler Gateway. Under SSL Profile nothing will be selected by default. Click + and add the default SSL Profile. Now click the edit button. Change Deny SSL Renegotiation to NONSECURE. Save your configuration. Still A-, but the Secure Renegotiation warning is gone. Let’s tackle Forward Secrecy next.

Navigate back to the Cipher Group you created earlier. You want to move all ECDHE Cipher Suites to the top so that the NetScaler Gateway will offer these first when negotiating. The ECDHE (Elliptic Curve Ephemeral Diffie-Hellman) ciphers provide Forward Secrecy. Click OK. Now SSL Labs reports A. Getting there.

To get that A+ rating all that is left to do is to implement a rewrite action to insert a Strict-Transport-Security header in to the response headers. Navigate to AppExpert -> Rewrite -> Actions -> Add. Supply a name, choose INSERT_HTTP_HEADER under Type and under Header Name type Strict-Transport-Security. Under Expression enter “max-age=157680000”. Click Create. Now navigate to Policies -> Add. Supply a name, specify the action we just created and enter true under Expression. Click Create. Next navigate to the NetScaler Gateway vServer, under Policies click +. Choose Rewrite and Response. Click Continue. Select the Insert-HTS-Header Policy. Click Bind. And there you have it. A+ on the NetScaler Gateway.
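The same hardening steps expressed as NetScaler CLI, as an added example rather than commands from the post. The Gateway vServer name gw_vsrv and the individual cipher names bound to Secure_Cipher_Group are assumptions; the HSTS max-age is the value used above.

```nscli
# gw_vsrv is an assumed Gateway vServer name; replace with your own.

# 1. Cipher group: ECDHE suites bound first so they are preferred (Forward Secrecy),
#    TLS 1.2 suites only. Cipher names are those used by NetScaler 11.x.
add ssl cipher Secure_Cipher_Group
bind ssl cipher Secure_Cipher_Group -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher Secure_Cipher_Group -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
bind ssl cipher Secure_Cipher_Group -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 3
bind ssl cipher Secure_Cipher_Group -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 4
bind ssl cipher Secure_Cipher_Group -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 5
bind ssl cipher Secure_Cipher_Group -cipherName TLS1.2-AES128-GCM-SHA256 -cipherPriority 6

# 2. Replace DEFAULT with the new group on the Gateway vServer
unbind ssl vserver gw_vsrv -cipherName DEFAULT
bind ssl vserver gw_vsrv -cipherName Secure_Cipher_Group

# 3. Protocols: TLS 1.2 only (removes the SSLv3/POODLE exposure).
#    If SSL default profiles are enabled on the appliance, protocol and cipher
#    settings belong on the SSL profile instead of the vServer.
set ssl vserver gw_vsrv -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED

# 4. Secure Renegotiation. The post sets Deny SSL Renegotiation on the SSL profile
#    bound to the vServer; the global parameter shown here is the equivalent for
#    vServers that have no profile bound.
set ssl parameter -denySSLReneg NONSECURE

# 5. HSTS header inserted into responses by a rewrite policy bound as RESPONSE
#    on the Gateway vServer (max-age 157680000 seconds, as in the post).
enable ns feature rewrite
add rewrite action Insert-HTS-Header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy Insert-HTS-Header-Pol true Insert-HTS-Header
bind vpn vserver gw_vsrv -policy Insert-HTS-Header-Pol -priority 100 -gotoPriorityExpression END -type RESPONSE

# Verify protocols, ciphers and policy bindings before re-running the SSL Labs test
show ssl vserver gw_vsrv
show vpn vserver gw_vsrv
```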

NetScaler Load Balance multiple ports on same vServer


Ever used a Load Balancing Virtual Server configured for two different services that utilise the same port? I have. How about when you want to send multiple or a range of ports through the same vServer? This is also possible and easy to implement.

As a result, I’ve produced this quick post just to show how it is possible.

When you are creating a Load Balancing Virtual Server, choose ANY under Protocol or you can choose TCP/HTTP etc. if for example you are working with multiple ports using the same protocol. Under Port type *. Continue on with the creation of the LB vServer.

When you have the Load Balancing Virtual Server configured how you like, click on the edit icon next to Basic Settings. The requirement is to create a listen policy so the Load Balancing Virtual Server only listens on the specific ports that you specify. Use an expression such as CLIENT.TCP.DSTPORT.EQ(8080) || CLIENT.TCP.DSTPORT.EQ(80). You can add as many ports as you like. Click Continue. Now the Virtual Server will only listen and answer on ports 8080 and 80.

If you have a range of ports you can use an expression such as CLIENT.TCP.DSTPORT.BETWEEN(8080, 8090).
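Because the vServer above is created with port `*`, the listen policy is the only thing that limits which ports it answers on, so it is worth knowing exactly which ports an expression admits before binding it. The following Python is an added example, not code from the post or from Citrix: a small evaluator for the subset of the NetScaler policy language the post uses (`CLIENT.TCP.DSTPORT.EQ(n)` and `CLIENT.TCP.DSTPORT.BETWEEN(lo, hi)` joined by `||`). It assumes `BETWEEN` is inclusive of both ends and rejects any other operator rather than guessing.

```python
import re

# Only the two operators the post uses are supported. BETWEEN is assumed to be
# inclusive of both bounds; anything else raises rather than being guessed at.
_EQ = re.compile(r"CLIENT\.TCP\.DSTPORT\.EQ\((\d+)\)")
_BETWEEN = re.compile(r"CLIENT\.TCP\.DSTPORT\.BETWEEN\((\d+)\s*,\s*(\d+)\)")


def allowed_ports(policy):
    """Return the set of TCP destination ports a listen policy admits.
    Raises ValueError for any term outside the EQ/BETWEEN-joined-by-|| subset,
    for an empty BETWEEN range, and for ports outside 1-65535."""
    ports = set()
    for term in policy.split("||"):
        term = term.strip()
        m = _EQ.fullmatch(term)
        if m:
            ports.add(int(m.group(1)))
            continue
        m = _BETWEEN.fullmatch(term)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"empty range in {term!r}")
            ports.update(range(lo, hi + 1))
            continue
        raise ValueError(f"unsupported listen policy term: {term!r}")
    out_of_range = sorted(p for p in ports if not 1 <= p <= 65535)
    if out_of_range:
        raise ValueError(f"port(s) out of range: {out_of_range}")
    return ports


def vserver_answers(policy, dst_port):
    """Would a vServer with this listen policy answer a SYN to dst_port?"""
    return dst_port in allowed_ports(policy)


def policy_is_valid(policy):
    """True when the policy parses and every port it names is a real port."""
    try:
        allowed_ports(policy)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the two expressions from the post.
    two_ports = "CLIENT.TCP.DSTPORT.EQ(8080) || CLIENT.TCP.DSTPORT.EQ(80)"
    port_range = "CLIENT.TCP.DSTPORT.BETWEEN(8080, 8090)"
    print(sorted(allowed_ports(two_ports)))          # [80, 8080]
    print(len(allowed_ports(port_range)))             # 11
    print(vserver_answers(two_ports, 443))            # False
```

Running the intended policy through `allowed_ports` before binding it makes the exposed port set explicit, which is easy to lose track of once several `||` terms and ranges are combined on one `*`-port vServer.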

Load Balancing Citrix Delivery Controllers with NetScaler


To Load Balance via NetScaler you need an Enterprise ADC license at minimum. This post will show how to load balance the Delivery Controllers and ensure their services are health monitored by using NetScaler built-in monitoring. The Delivery Controllers will use HTTPS for communication.

If you have not already enabled Load Balancing, right-click Load Balancing within NetScaler and choose Enable.

First create server objects for each of your Delivery Controllers. Navigate to Traffic Management -> Load Balancing -> Servers -> Add.

Enter a name and the IP of your Delivery Controller. Click Create. Do the same for your remaining Delivery Controllers.

Now each server object will go into a Service Group. Navigate to Traffic Management -> Load Balancing -> Service Groups -> Add. Specify a name and choose SSL as the protocol. You can configure HTTP/80, but I like to secure the XML broker communication, and it is recommended for security. Click OK.

Click on No Service Group Member to bind members to this Service Group. Click “Click to select”. Select your Delivery Controller server objects and click Select. Now enter 443 as the port. Click Create. Click OK.

Expand Monitors. Click on No Service Group to Monitor Binding. Click on the + symbol. Enter a name and under Type choose CITRIX-XD-DDC. Towards the bottom of the Standard Parameters tab check Secure. Click on the Special Parameters tab. Here you can validate credentials against your Delivery Controllers. This is an added monitoring capability that confirms the Delivery Controllers are actually serving requests, rather than relying on the standard monitor probe alone. Click Create. Click Done. The new Service Group shows as UP.

A load balanced certificate needs to be installed on your Delivery Controllers, and additional work is needed to bind that SSL certificate to the Citrix Broker Service. If the Delivery Controllers have IIS, you use IIS to do the certificate-to-HTTPS binding; however, most Delivery Controller installs are on a dedicated machine that does not run IIS. See http://www.jgspiers.com/securing-ddc-xml-broker-communication-over-https/

Now we create the Load Balanced vServer. Navigate to Traffic Management -> Load Balancing -> Virtual Servers -> Add. Specify a name, set the protocol as SSL and enter an IP. Click OK. Click No Load Balancing Virtual Server ServiceGroup Binding to bind the Service Group to this Virtual Server. Click “Click to select”. Select the Service Group, click Select, then click Bind. Click Continue.

Click No Server Certificate. Click “Click to select”. Select the Load Balanced certificate that is also installed on the Delivery Controllers. In my case, it matches the URL of ddclb.jgspiers.com. Click Select. Click Bind.

Expand Persistence. Choose SOURCEIP and click OK. Expand Method. Choose ROUNDROBIN and click OK. Click Done. The Virtual Server reports UP and is ready to be used. Within StoreFront make sure you specify the Load Balanced FQDN against your stores.
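The GUI steps above are easier to review, repeat and diff when expressed as the equivalent NetScaler CLI. The following Python is an added example, not code from the post or from Citrix: it generates that CLI for a list of Delivery Controllers, keeping the security-relevant choices the post makes (an SSL service group on 443, a CITRIX-XD-DDC monitor with Secure ticked, SOURCEIP persistence), and includes a small check that flags the weaker HTTP/insecure-monitor variants the post steers away from. The command syntax is my rendering of the GUI settings and should be checked against the NetScaler version in use; the server names, IP addresses and the `ddclb_cert` certkey name are constructed placeholders.

```python
import ipaddress


def ddc_lb_config(vserver, vip, ddcs, certkey, sg="SG_DDC", monitor="MON_DDC"):
    """Emit the NetScaler CLI equivalent of the GUI steps: server objects, an SSL
    service group on 443, a secure CITRIX-XD-DDC monitor, and an SSL LB vServer
    with SOURCEIP persistence and ROUNDROBIN. Inputs are validated first.
    Command syntax is assumed from the GUI settings; verify on your appliance."""
    ipaddress.ip_address(vip)  # ValueError on a malformed VIP
    if not ddcs:
        raise ValueError("at least one Delivery Controller is required")
    cmds = []
    for name, ip in ddcs:
        ipaddress.ip_address(ip)
        cmds.append(f"add server {name} {ip}")
    cmds.append(f"add serviceGroup {sg} SSL")
    for name, _ in ddcs:
        cmds.append(f"bind serviceGroup {sg} {name} 443")
    # "Secure" on the Standard Parameters tab becomes -secure YES
    cmds.append(f"add lb monitor {monitor} CITRIX-XD-DDC -secure YES")
    cmds.append(f"bind serviceGroup {sg} -monitorName {monitor}")
    cmds.append(f"add lb vserver {vserver} SSL {vip} 443 "
                "-persistenceType SOURCEIP -lbMethod ROUNDROBIN")
    cmds.append(f"bind lb vserver {vserver} {sg}")
    cmds.append(f"bind ssl vserver {vserver} -certkeyName {certkey}")
    return cmds


def insecure_findings(cmds):
    """Flag the weaker choices the post steers away from: an HTTP service group
    or vServer (XML broker traffic in the clear) and a DDC monitor that probes
    without -secure YES."""
    findings = []
    for c in cmds:
        parts = c.split()
        if parts[:2] == ["add", "serviceGroup"] and parts[3].upper() == "HTTP":
            findings.append(f"service group {parts[2]} uses HTTP")
        if parts[:3] == ["add", "lb", "vserver"] and parts[4].upper() == "HTTP":
            findings.append(f"vserver {parts[3]} uses HTTP")
        if (parts[:3] == ["add", "lb", "monitor"] and parts[4] == "CITRIX-XD-DDC"
                and "-secure YES" not in c):
            findings.append(f"monitor {parts[3]} is not secure")
    return findings


if __name__ == "__main__":
    # Constructed placeholders, not values from the post.
    ddcs = [("DDC01", "10.0.0.11"), ("DDC02", "10.0.0.12")]
    cfg = ddc_lb_config("LB_DDC", "10.0.0.100", ddcs, "ddclb_cert")
    print("\n".join(cfg))
    print("findings:", insecure_findings(cfg))  # []
```

Run the generated lines through `insecure_findings` before applying them: it catches the HTTP/80 service group alternative the post mentions, and a monitor created without Secure, which would probe the broker over plain HTTP even though the service group itself is SSL.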
