The Netscaler ADC is an application switch that handles traffic from layer 4 to 7 of the OSI 7 layer model.
The appliances handle features such as:
- Availability
- Acceleration
- Security
Availability
Load balance services such as: Web, DNS, LDAP, App-V, Exchange, SQL
Session Persistence (Sticky sessions)
Content switching. For example: Present content in different languages or from different devices
Traffic Domains: Create multiple isolated environments
GSLB (Global Server Load Balancing) - Routes clients to the datacenter closest to the connection endpoint to ensure availability
Surge Protection: Ensure that connections occur at the rate that servers can handle traffic
Priority queuing: Filter HTTP traffic and ensure users get access to the high priority services
Acceleration
PRR - Proportional Rate Recovery: Reduce web latency caused by packet loss. Leverage TCP Fast Open (TFO) to enable fast and safe data exchange between client and server during the initial TCP handshake
App Compress - HTTP response compression. Compress text within HTML, XML, plain text, CSS, Microsoft documents
App Cache - In memory storage on the Netscaler appliance that serves web content to users without round trip to an origin server.
Security
Protect web apps from application layer attacks
Allows legitimate client requests & blocks malicious requests
Built in Denial of Service defences
Protect against legitimate searches in app traffic
Built in Firewall - Protect against app layer attacks such as Buffer overflow, SQL injections, cross-site scripting. Also offers identity theft protection
Front -End / TCP Optimisation
Reduce the number of requests
Reduce the number of bytes in a page response
Simplify - Optimise the content from server to client browser:
Image Optimisation
Optimise style sheets + JavaScript
Multipath TCP
Tune traffic with BIC, CUBIC and Westwood TCP congestion control, and Nile or West Nile TCP performance for things such as 3G
Platforms:
MPX - 200-500Gbps - Ultra high performance for the likes of Ecommerce (Physical)
SDX - up to 200Gbps - Up to 115 ADC instances - Consolidate multiple Netscalers. This runs a XenServer OS (Physical)
VPX - 10Mbps-100Gbps - Good for SMBs or businesses with a smaller NS footprint and lower throughput requirements (Virtual appliance)
CPX - Docker container appliance
ADC in the Cloud (AWS & Azure) - Good for hybrid or public cloud deployments (depending on authentication infrastructure location and resource location)
Boot OS
BSD
Kernel OS
ADC Kernel (BSD hands over to ADC Kernel after boot)
Config
As with most network appliances, the configuration runs in memory until it is committed to disk.
Changes to a Netscaler configuration are saved to the ns.conf file. You can view the configuration by typing: show ns config
If you wish to view the size of consumed storage on the appliance, go to the shell from the CLI with: shell. Then type: df -h
To view the configuration within running memory: show runningconfig
To save (commit) the running config to file: save ns config
When you browse via the CLI to the /nsconfig directory, you will see the ns.conf file. You may also see ns.conf.0 etc. This is because Netscaler creates a backup of the previous file when the configuration is saved, so you can restore a previous configuration
Other locations in the shell would be:
/License (License files stored here)
/SSL (SSL Certs stored here)
/Monitors (Monitor config files stored here)
Console Timeout
If you find the console timeout annoying and would like to change it:
set system parameter -timeout <insert number>. Then save the config: save ns c
Change NSIP
set ns config -ipaddress x.x.x.x
To add an IP
add ns ip x.x.x.x x.x.x.x -type <type> (Specify the IP, mask, and then the type, e.g. SNIP)
Change System Root Password
set system user nsroot -pass gdfgdfjgdsfjgd
Run the initial Netscaler configuration again
configns
Save config
save ns config, save c
Use Source IP
This is not recommended. If you really need the application server to know the client IP, it is best to use the insert-client-IP-into-header option instead.
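With USIP the server sees the real client address as the TCP peer, so its replies must be routed back through the appliance; with header insertion the peer is the Netscaler SNIP and the client address travels in a header. The backend then has to decide when that header can be believed. The snippet below is an added example of that check on the application side; it is not Netscaler code. The SNIP range, the header name (Netscaler lets you pick it) and the assumption that the appliance appends to an existing header are all constructed for the example.

```python
import ipaddress

# Constructed for this example: the subnet holding the Netscaler SNIP(s) the
# backend accepts proxied traffic from. Replace with the real SNIP range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/29")]

# Assumed header name; the name used for client-IP insertion is configurable.
CLIENT_IP_HEADER = "X-Forwarded-For"


def is_trusted_proxy(peer_ip: str) -> bool:
    """True if the TCP peer is one of the load balancer addresses we trust."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, headers: dict, header_name: str = CLIENT_IP_HEADER) -> str:
    """Return the address the application should log, audit and rate-limit on.

    peer_ip is the source address of the TCP connection as the server sees it.
    With client-IP insertion that is the Netscaler SNIP and the real client
    address is carried in the inserted header. The header is honoured only
    when the peer is a trusted proxy: a client that reaches the server
    directly could otherwise supply any value it likes and spoof its source.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip
    raw = headers.get(header_name)
    if not raw:
        return peer_ip
    # If proxies upstream of the Netscaler added their own entries, the
    # right-most value is the one written by the trusted hop (assumption:
    # the appliance appends to, rather than replaces, an existing header).
    # Only that last value is trusted; anything to its left is client-supplied.
    last = raw.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return peer_ip  # malformed value: fall back to the TCP peer, never trust it
```

Usage: call client_ip() with the connection's remote address and the parsed request headers; anything that looks up the "client IP" (access logs, lockouts, per-IP limits) should go through this one function rather than reading the header directly.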
Routing Supported
RIP - Routing Information Protocol
OSPF - Open Shortest Path First
BGP - Border Gateway Protocol
RIPng for IPv6 - Routing Information Protocol Next Generation for IPv6
OSPF version 3 for IPv6
IS-IS
Jumbo Frames
Enable per interface - set interface <interface id> -mtu <size>
Verify with: sh int
Access Control List
Filter IP addresses
Block DDoS
Extended ACLs are more powerful and provide parameters for actions. You can filter on things like source IP, source port and protocol, and specify the action: allow a packet, deny a packet or bridge a packet
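To make the extended ACL behaviour concrete, here is an added Python model of the evaluation (not Netscaler code): rules carry a priority, the first matching rule in priority order decides, and a packet that matches nothing is passed. That default-allow, and the rule set restricting management access to the NSIP, are assumptions constructed for the example; on the appliance, remember that ACL entries do not take effect until they are applied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ALLOW, DENY, BRIDGE = "ALLOW", "DENY", "BRIDGE"


@dataclass
class ExtendedAcl:
    """One extended ACL entry. None in a field means 'match anything'."""
    name: str
    action: str
    priority: int                               # lower value is checked first
    src_net: Optional[str] = None               # CIDR
    dst_net: Optional[str] = None               # CIDR
    protocol: Optional[str] = None              # "TCP", "UDP", "ICMP"
    src_port: Optional[Tuple[int, int]] = None  # inclusive range
    dst_port: Optional[Tuple[int, int]] = None  # inclusive range

    def matches(self, pkt: dict) -> bool:
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        if self.src_net and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.src_port and not self.src_port[0] <= pkt.get("sport", 0) <= self.src_port[1]:
            return False
        if self.dst_port and not self.dst_port[0] <= pkt.get("dport", 0) <= self.dst_port[1]:
            return False
        return True


def evaluate(rules, pkt: dict, default: str = ALLOW):
    """The first rule, in priority order, that matches decides the action.

    default=ALLOW models packets that no ACL matches being passed (assumption),
    which is why a catch-all DENY with a high priority number is the usual
    last entry for a sensitive destination such as the management address.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, None


# Constructed rule set: the NSIP is reachable for SSH/HTTPS only from the
# admin subnet; everything else aimed at the NSIP is dropped; one L2 segment
# is bridged through untouched.
NSIP = "10.0.0.10/32"
RULES = [
    ExtendedAcl("mgmt-ssh-from-admin", ALLOW, 10, src_net="10.10.0.0/24",
                dst_net=NSIP, protocol="TCP", dst_port=(22, 22)),
    ExtendedAcl("mgmt-https-from-admin", ALLOW, 20, src_net="10.10.0.0/24",
                dst_net=NSIP, protocol="TCP", dst_port=(443, 443)),
    ExtendedAcl("mgmt-deny-others", DENY, 100, dst_net=NSIP),
    ExtendedAcl("bridge-l2-segment", BRIDGE, 200, src_net="192.168.50.0/24"),
]


def decide(pkt: dict):
    """Evaluate one packet against the constructed rule set."""
    return evaluate(RULES, pkt)
```

The ordering matters: if the DENY entry were given a lower priority number than the admin ALLOW entries it would shadow them, and the admin subnet would lose management access too.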
NAT
INAT - Inbound NAT - Replaces the destination IP address in packets with private IP of server
RNAT - Reverse NAT - Replaces the source IP from servers with public IP address.
Netscaler High Availability
UDP Port 3003 - Heartbeat
TCP 3010 or 3008 (secure) HA synchronisation port
TCP 3011 or 3009(secure) propagation port
When a Netscaler fails over it will update the ARP table of the connected router via a Gratuitous ARP (GARP)
HA Failsafe Node
If both nodes in the HA pair are down, they will automatically demote their status to Secondary. Both appliances are then secondary, which can cause issues. Enable fail-safe mode so that one of the appliances remains primary in such a scenario.
HA without GARP
Some routers do not support GARP, so use Virtual MACs (VMACs) so that MACs are floated and shared by the nodes
When Upgrading
Upgrade secondary node first
Configure HA Pair
Secondary node - Stay secondary (remain in listening mode)
Primary node - Add IP of secondary via Create HA Node
Secondary - Enable (Actively participate in HA)
Test failover
Always make sure you logon to the active node
Create a SNIP and enable management features on it. Use this IP to manage the NS pair. It will always use the active primary
Show HA status
command: show ha node
Show Netscaler IP information
show ns ip
Failover (Force)
force ha failover -force
Load balancing monitors
Usual ping or http connection. To run more advanced checks use:
ECV - Extended Content Verification - e.g. HTTP-ECV, or MYSQL-ECV to run a SQL query
or
EAV - Extended Application Monitor - To run DNS, FTP or Citrix advanced service checks
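The difference between a plain connection check and an ECV monitor is easiest to see on a sequence of probe replies. Below is an added Python illustration (not Netscaler's monitor code) of an HTTP-ECV style probe together with the usual "N consecutive failures marks the service DOWN" logic; the probe replies, the retry count and the expected string are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EcvMonitor:
    """ECV probe: send a request, require a given string in the reply."""
    send: str
    recv: str
    retries: int = 3   # consecutive failed probes before the service is marked DOWN (assumed)


def tcp_probe_ok(monitor: EcvMonitor, response: Optional[bytes]) -> bool:
    """What a plain TCP/HTTP connect check learns: only that something answered."""
    return response is not None


def ecv_probe_ok(monitor: EcvMonitor, response: Optional[bytes]) -> bool:
    """ECV succeeds only if a reply arrived AND it carries the expected content."""
    return response is not None and monitor.recv.encode() in response


@dataclass
class ServiceHealth:
    name: str
    state: str = "UP"
    consecutive_failures: int = 0

    def record(self, ok: bool, retries: int) -> str:
        """Apply one probe result and return the resulting service state."""
        if ok:
            self.consecutive_failures = 0
            self.state = "UP"
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= retries:
                self.state = "DOWN"
        return self.state


# Constructed probe replies for one service, in order. None means no reply (timeout).
RESPONSES: List[Optional[bytes]] = [
    b"HTTP/1.1 200 OK\r\n\r\nstatus=healthy",
    b"HTTP/1.1 200 OK\r\n\r\nstatus=healthy",
    b"HTTP/1.1 200 OK\r\n\r\nMAINTENANCE PAGE",         # TCP answers, app is not serving
    b"HTTP/1.1 503 Service Unavailable\r\n\r\ndb down",
    b"HTTP/1.1 503 Service Unavailable\r\n\r\ndb down",
    None,                                                 # timeout
    b"HTTP/1.1 200 OK\r\n\r\nstatus=healthy",            # recovered
]

# The match runs over the whole reply, so pick a string that cannot appear in
# a status line ("OK" would match "HTTP/1.1 200 OK" and hide a broken app).
HTTP_ECV = EcvMonitor(send="GET /health HTTP/1.1\r\nHost: app\r\n\r\n",
                      recv="status=healthy", retries=3)


def state_trace(checker) -> List[str]:
    """Run the constructed replies through a checker and return the state after each."""
    svc = ServiceHealth("web1")
    return [svc.record(checker(HTTP_ECV, r), HTTP_ECV.retries) for r in RESPONSES]
```

Run state_trace(tcp_probe_ok) and state_trace(ecv_probe_ok) side by side: the connect-only check never takes the service out of rotation, because the single timeout is below the retry count, while the ECV check marks it DOWN on the third application-level failure and brings it back on the first good reply.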
Persistence
Ensure that the connection goes to the same server and sticks (Sticky session).
Can use: source IP (the same client IP determines the server)
HTTP cookie insert - cookie header
ssl session ID
URL
Netscaler builds a persistence table that can be accessed via CLI
Best practice is to use cookie insert for HTTP & SSL and use Source IP for others
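Why cookie insert is preferred for HTTP/SSL and source IP for the rest shows up as soon as several clients share one address. The following is an added Python model of the two persistence types (not Netscaler code): a source-IP table with an idle timeout, and a cookie whose value names the server. The server pool, timeout, cookie name and the plain-text cookie value are constructed assumptions; the appliance uses its own cookie name and format.

```python
import itertools
from typing import Dict, Optional, Tuple

SERVERS = ["web1", "web2", "web3"]   # constructed pool behind the vserver


class PersistenceTable:
    """Source-IP persistence: client key -> server, expiring after an idle timeout."""

    def __init__(self, timeout_s: float, clock):
        self.timeout_s = timeout_s
        self.clock = clock            # injectable clock so the example is deterministic
        self.entries: Dict[str, Tuple[str, float]] = {}   # key -> (server, expires_at)

    def lookup(self, key: str) -> Optional[str]:
        entry = self.entries.get(key)
        if entry is None:
            return None
        server, expires_at = entry
        if self.clock() >= expires_at:
            del self.entries[key]     # stale: the client is load balanced afresh
            return None
        self.entries[key] = (server, self.clock() + self.timeout_s)   # refresh on hit
        return server

    def record(self, key: str, server: str) -> None:
        self.entries[key] = (server, self.clock() + self.timeout_s)


class LbVserver:
    """Round-robin vserver with either SOURCEIP or COOKIEINSERT persistence."""

    COOKIE = "NSC_persist"   # assumed cookie name for the example

    def __init__(self, persistence: str, timeout_s: float, clock):
        self.persistence = persistence
        self.table = PersistenceTable(timeout_s, clock)
        self._rr = itertools.cycle(SERVERS)

    def handle(self, src_ip: str, cookies: Dict[str, str]) -> Tuple[str, Optional[str]]:
        """Return (server chosen, cookie value to set or None)."""
        if self.persistence == "SOURCEIP":
            server = self.table.lookup(src_ip)
            if server is None:
                server = next(self._rr)
                self.table.record(src_ip, server)
            return server, None
        if self.persistence == "COOKIEINSERT":
            wanted = cookies.get(self.COOKIE)
            if wanted in SERVERS:     # honour only a value naming a real pool member
                return wanted, None
            server = next(self._rr)
            return server, server     # client is told to send this back on later requests
        raise ValueError("unsupported persistence type: " + self.persistence)


def two_clients_behind_one_nat(persistence: str):
    """Two browsers share a NAT address; each keeps its own cookie jar."""
    now = [0.0]
    vs = LbVserver(persistence, timeout_s=120, clock=lambda: now[0])
    jars = [{}, {}]
    servers = []
    for _ in range(2):                # two requests per client, interleaved
        for jar in jars:
            server, set_cookie = vs.handle("198.51.100.7", jar)
            if set_cookie:
                jar[LbVserver.COOKIE] = set_cookie
            servers.append(server)
    return servers


def source_ip_expiry():
    """Same client: sticky within the timeout, re-balanced once the entry has aged out."""
    now = [0.0]
    vs = LbVserver("SOURCEIP", timeout_s=120, clock=lambda: now[0])
    first, _ = vs.handle("203.0.113.9", {})
    now[0] = 60
    second, _ = vs.handle("203.0.113.9", {})   # within timeout, refreshes the entry
    now[0] = 60 + 121
    third, _ = vs.handle("203.0.113.9", {})    # idle longer than 120 s: new decision
    return first, second, third
```

With SOURCEIP both browsers behind the NAT are pinned to the same server, which defeats the balancing for everyone behind that address; with COOKIEINSERT each browser is tracked individually. The cookie value is client-controlled, which is why the example accepts only values that name a real pool member.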
LB Protection
If the load balancer fails, you can redirect traffic to an alternative URL, or configure a backup LB vserver and stateful connection failover
Spillover can occur when:
The number of connections hits the max threshold
Bandwidth of incoming connections exceeds threshold
The percentage of weighted UP services drops below the threshold
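The three spillover triggers above correspond to three ways of measuring a vserver's load. As an added example (not Netscaler code), the Python below models a primary vserver with one spillover method and threshold, and decides whether a new connection stays on the primary, goes to the backup vserver, or is answered with a redirect URL. The method names, thresholds, the "refuse when there is nowhere to spill to" rule and the service weights are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Service:
    name: str
    weight: int
    up: bool


@dataclass
class PrimaryVserver:
    """Primary LB vserver with its spillover method and threshold."""
    services: List[Service]
    active_connections: int
    inbound_kbps: float
    so_method: str              # "CONNECTION", "BANDWIDTH" or "HEALTH"
    so_threshold: float         # connections, kbps, or percent depending on method
    backup_vserver: Optional[str] = None
    redirect_url: Optional[str] = None

    def health_percent(self) -> float:
        """Share of the total service weight that is currently UP."""
        total = sum(s.weight for s in self.services)
        if total == 0:
            return 0.0
        return 100.0 * sum(s.weight for s in self.services if s.up) / total

    def spillover_triggered(self) -> bool:
        if self.so_method == "CONNECTION":
            return self.active_connections >= self.so_threshold
        if self.so_method == "BANDWIDTH":
            return self.inbound_kbps >= self.so_threshold
        if self.so_method == "HEALTH":
            return self.health_percent() < self.so_threshold
        raise ValueError("unknown spillover method: " + self.so_method)

    def route(self) -> str:
        """Where a new connection goes: the primary, the backup vserver, or a redirect."""
        if not self.spillover_triggered():
            return "primary"
        if self.backup_vserver:
            return "backup:" + self.backup_vserver
        if self.redirect_url:
            return "redirect:" + self.redirect_url
        return "refused"   # assumed: nothing to spill to, so the connection is not accepted


# Constructed pool: 100 weight in total, 70 of it UP.
SERVICES = [Service("web1", 50, True), Service("web2", 30, False), Service("web3", 20, True)]


def example_routes() -> dict:
    """Each of the three trigger types, once below and once past its threshold."""
    return {
        "connections_ok": PrimaryVserver(SERVICES, 800, 50_000, "CONNECTION", 1000, "vs_backup").route(),
        "connections_spill": PrimaryVserver(SERVICES, 1000, 50_000, "CONNECTION", 1000, "vs_backup").route(),
        "bandwidth_redirect": PrimaryVserver(SERVICES, 10, 120_000, "BANDWIDTH", 100_000,
                                             None, "https://status.example/busy").route(),
        "health_spill": PrimaryVserver(SERVICES, 10, 100, "HEALTH", 75, "vs_backup").route(),
        "health_ok": PrimaryVserver(SERVICES, 10, 100, "HEALTH", 60, "vs_backup").route(),
        "no_fallback": PrimaryVserver(SERVICES, 1000, 100, "CONNECTION", 1000).route(),
    }
```

Note that the HEALTH method is weight-aware: with web2 (weight 30) down the vserver is at 70% health, so a 75% threshold spills over while a 60% threshold does not, even though in both cases exactly one of three services is down.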