As the NetScaler Tipster has tweeted well in excess of 250 posts I figured it was time to collate the best of them and include them in one Citrix blog post. Below you will find a selection of posts in sections in a close to random order!

Thanks to all my followers for the favourites, retweets, questions and providing great tweets too. There’s still plenty more to come from the Citrix Tipsters. For now, enjoy!

@NStipster Blogs

@NStipster Series: NetScaler Insight Center Part 1 “Preparing for your implementation” | Citrix Blogs
@NStipster Series: NetScaler Insight Center Part 2 “Getting some data into Insight” | Citrix Blogs
@NStipster Series: NetScaler Insight Center Part 3 “Tips, Troubleshooting and Upgrade” | Citrix Blogs
Welcome the Tipsters! | Citrix Blogs

Citrix Blogs

Older blog but full of great LB and persistence related info

External Blogs

@AdamInTheCloud: Citrix StoreFront Beacons Explained <useful info for NS Gateway deployments
@archynet: Side by Side Feature Comparison Matrix of Citrix Storefront 2.1 vs Web Interface via @AdamInTheCloud
@dokanovic: NetScaler VPX as Secure Gateway replacement <thorough & excellent guide
Nice blog from @IngmarVerheij Import #NetScaler on Windows Server 2012R2 / 8.1
@IngmarVerheij: New article: @Citrix @NetScaler: DSR, a poor man’s load balancing solution
@KBaggerman: I wrote a new blog: Explaining the NetScaler Policy and Packet Engine #Citrix #NetScaler #Packet #Policy
@marcus_jaeger: Find out how Citrix NetScaler 1000V is taking #CiscoCloud network services to the next level: #NetScaler
Great blog from @neilspellings on using diff usernames in 2-factor auth on NSGW
@neilspellings: From the architect: Troubleshooting AD auth on #NetScaler GW – a real world example <Great tips from Neil
Great blog update on the new NetScaler hardware offerings from @NetScalerTaylor
@SoftLayer: KnowledgeLayer Overview: URL Redirection NetScaler VPX <love the always up monitor & fake service
@stuart_carroll: @swivelsecure integration with @Citrix @NetScaler 10.1 using rewrite and responder

NetScaler Datasheet

Updated #Citrix #NetScaler datasheet – The world’s most advanced cloud network platform! #NetScaler via @netscaler

NetScaler Command Line Tips

> add rewrite action act1 insert_http_header MyHeader HTTP.REQ.BODY(HTTP.REQ.CONTENT_LENGTH)
> stat lb vserver [<name>] [-clearstats ( basic | full )]  <<<<basic = vserver level, full = vserver, service(s) and policy counters
> add rewrite action act1 INSERT_HTTP_HEADER "ServerBW" 'SERVER.TCP.BANDWIDTH'
> add rewrite policy pol1 "sys.vserver(\"vip1\").is_dynamic_limit_reached" drop
  http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-lb-protect-configure-spillover-select-expr-for-pol-con.html
> add policy expression p1 HTTP.REQ.CONTENT_LENGTH.IS_DOUBLE_AT
> add rewrite policy pol1 SERVER.IP.DST.IS_IPV6 norewrite

NetScaler free ports: CLI # nsapimgr -d freeports; listening ports: sockstat -l, netstat -anp tcp, ps -aux. <<<Grep -i is useful here, look for “listen”.

Support Articles

CTX113357 NetScaler Hardware/Software Compatibility – Supported Upgrade/Downgrade Paths – Citrix Knowledge Center
CTX114999 Troubleshoot Auth with Aaad.debug – #Citrix KC <updated w/ examples & my fave UNIX cmd tee for stdout & log
CTX118657 How to Add Drop-Down Menu with Domain Names on Logon Page for NetScaler Gateway – Citrix Knowledge Center
CTX118716 NetScaler System Limits from 8.0 to 10.1. My favourite stat? 10 million persistent sessions per packet engine on 10.1!
CTX120804 One I use myself, great for managing NetScaler from the CLI: How to Access NetScaler by using SSH keys
CTX121840 NetScaler Software Release Dates – Citrix KC < Useful to find out how old the build you’re on is!
CTX123736 Customized Logon Page for each NetScaler Gateway vServer redirecting Users Based on Each FQDN – Citrix KC
CTX124629 LLB with RNAT -avoid asymmetric routing for return traffic. Many of these older articles still work on newer releases
CTX130962 Speaking of TCP profiles, here’s a good article with some blurb about the different settings and profiles included
CTX131024 Convert classic expressions to advanced PI? nspepi tool. Article says 9.3 works fine on 10.1
CTX131681 Updated – Case Study: Using NetScaler Appliance to Avoid Layer 7 DDoS Attacks
CTX132802 NS Gateway, LDAP profile attributes retrieved via the client itself, not the appliance! ldapsearch an option to source from NS.
CTX136023 How to Add a SSL Certificate Bundle on the NetScaler Appliance: #NetScaler <order of certs important via @marcus_jaeger
Need to know more about Micro-VPNs on NetScaler? These two links should help http://support.citrix.com/article/CTX136914 /blogs/2013/09/13/myth-buster-netscaler-gateway-microvpns-multiple-tunnels/
CTX137259 Cisco DAC Cables Supported on a NetScaler Appliance – Citrix Knowledge Center
CTX137664 Citrix NetScaler 10.1 Syslog Message Reference: #NetScaler via @marcus_jaeger
CTX137970 Updated – How to Upgrade the LOM Firmware for a NetScaler Appliances via @citrixsupport
CTX138202 Filter Expressions for Wireshark When Using #NetScaler – Citrix KC Focus on nstrace format – very useful
CTX138858 Signature Auto Update Feature of Application Firewall – Citrix Knowledge Center
CTX138979 How to change the IP address of the NetScaler Insight Center VM /mps/networkconfig from the CLI
CTX139133 Kerberos SSO on NS 10.1.120.13 onwards, lots of under-the-hood improvements. Great new detailed Implementation Guide
CTX139206 Updated – Changing NSIP of VPX Instance in SDX via @citrixsupport
CTX139211 How to Customize the Logon Page of a NetScaler Gateway 10.1 Appliance – Citrix Knowledge Center
CTX139242 Adaptive Features of Citrix NetScaler Application Firewall – Citrix Knowledge Center
CTX139319 How To Configure NS Gateway with StoreFront and AppController – Citrix KC <Very comprehensive article!
CTX139337 Access Gateway Universal License issue with NS 10.0 77.5nc and 10.1 119.7nc – Citrix Knowledge Center via @citrixsupport
CTX139420 #Citrix #NetScaler Quick Start Guide #MPX 22040/22060/22080/22100/22120 – Release 10.1 – Knowledge Center
CTX139485 – Resource Requirements for  Multi-PE Configuration for NetScaler VPX – Citrix KC <Thx @marcus_jaeger
CTX140290 – How to Configure Read-Only Access for Users to the NetScaler Management Console – Citrix Knowledge Center
CTX140293 New Article: How to Create a Customized Error Page with Variables for AppFirewall Feature <very useful
CTX140321 – Power Supply Temperature 1 is Incorrectly Reported as 255C in System Statistics Output – Citrix KC

NetScaler in eDocs

NetScaler announces support for QSFP+ for 40G interfaces #Cisco Can be found in #Citrix #NetScaler eDocs (Table 12) via @netscaler
LB not only client IP insertion, we can insert the LB Vserver IP and port into a HTTP Header. Use case backup Vserver.
Ciphers supported on the NetScaler
NetScaler 10.1 virtual appliance is supported on Microsoft Hyper-V Server 2008 R2 and Microsoft Hyper-V Server 2012
Had fun in class with HTML body rewrites, have to remove Accept-Encoding header on request for it to work though
Ever wonder about NS TCP Parameters you can tweak? Here’s a guide
#NetScaler eDocs quick start guide for #MPX platforms via @netscaler @citrix
Use a AAA-TM Vserver on the LB Vserver LDAP, RADIUS, Kerberos, NTLM, Forms & more supported.
Backing up and restoring an NS – not the same as techsupport file – new-ish v useful feature
IP tunnels using GRE Also NS to Cloud using CloudBridge Connector

NetScaler Tips

  • TCP profile nstcp_default_XA_XD_profile great for use with NSGateway. Optimize TCP for ICA proto with SACK, Nagles algo & Westwood etc.
  • 10.1 UI shows max ICA users as 0? CLI = unlimited? Non functionality affecting display bug fixed in 10.1.120.13. ICA users unlimited in 10.1
  • Native StoreFront LB monitor in 10.1 build 120.13 no longer requires a hostname for the parameters. Making it even easier to LB StoreFront!
  • Add multiple SSL certs from 1 PEM file? Certificate bundle option. Certs in order: server, key, inter1, inter2 and so on. Max 9 certs.
  • One for the @xdtipster Integrate NS Insight into XD7 Director. CLI C:\inetpub\wwwroot\Director\tools\directorconfig.exe /confignetscaler
  • For PVS types: TFTP is available natively in 10.1 to LB the PVS bootstrap file. No need for complex USIP, DSR configurations. Really easy.
  • Want to encrypt NetScaler Gateway EPA result in the nsepa.txt logfile? Global setting: >set VPN parameter -encryptCsecExp ENABLED
  • Enable CEF Logging on NetScaler 10.0+ App Firewall Engine settings to get more comprehensive logs!
  • Prefer the old school UI on NetScaler 10? Switch the URL in your browser from /menu/neo to /menu/guia!
  • Also other  expressions Client.TCP.Bandwidth Client.TCP.SmoothRtt Server.TCP.SmoothRtt T averaged out with ‘Smoothing’ algo
  • New feats: NS SDX SVM support for AAA; support long user name/password up to 127 chars; Transparent Cache (Content Accelerator)
  • Highlights from 10.1.122.11: SDX and also RAID support on 22000 platform! Enhancements to NetScaler Insight Center and general NS bugfixes!
  • Backup and Restore functionality in #NetScaler UI, 10.1.121.10
  • Re Wireshark versions, driver is the nstrace format. This changed in 10.0 with Clustering & again enhanced in 10.1 requiring new WS support.
  • Highlights NS GW 10.1.120.1316.e Enhanced XM simplified setup, New ShareFile wizard, Kerberos CD, Proxy support in Traffic Policies
  • Highlights NS GW 10.1.120.1316.e Device Certificate support, Mac Client Cert support via plug-in, Win81 full plug-in, beta plug-in Mavericks
  • New option in #NetScaler 10.1 LB Vserver Health Threshold. Set a percentage of services to be up, below which the Vserver goes down.
  • LDP.exe on DCs to chk TLS. Make sure FW allow TLS 389 to NSG. TLS radio button in auth prof. Aaad.debug when testing logon.
  • A diff tip for NSCLI use ‘set ns hostname’. ‘set cli prompt %u@%h-%T’ example result nsroot@vpx-10:56>!

NetScaler Exams

Networking certifications CCP-N CCA-N, Releasing late 2013 #NetScaler
New NetScaler exams available 1Y0-250 NS10 Apps and Desktops. 1Y0-350 NS10 Essentials & Networking.
There’s a new @CitrixEducation Adv NetScaler course CNS-301 available. Details here. @mrjlturn3r @netscaler

NetScaler Builds

9.3 gets some bugfix love with new build 64.4 maintenance release  release notes here
New 9.3 build 65.8 Release notes <<22k platform supported & 8800 now w/ 10Gbps throughput
NetScaler 10.0 gets some bugfix love with new build 78.6 – Citrix Release notes here
New release of NetScaler 10.1 build 120.13 DNS64, 8192 service groups, new XA/XD wizard, Management Pack for Microsoft SCOM2012
NetScaler 10.1 Build 121.10 – Support for 22000 hardware and ECDHE cipher support; Kerberos improvements
Slight delay after Thanksgiving but finally here, latest 10.1 MR build 122.11  Release notes
NetScaler 10.1 build 123.9 Release Notes  Couple HDX Insight changes and bugfixes
NetScaler firmware release 10.1.124.13  Support for new 115xx appliances. Release notes
BOOOOOOM. Advanced EPA on NS GW, powered by OPSWAT. We listened and we delivered! 10.1.120.1316.e as part of XM 8.6
New 10.1.e build released, 121.1013.e  Same bug fixes as 120.10 MR
Command Center 5.2 – Beta – Citrix via @marcus_jaeger
NetScaler SDK at for latest release. API docs and WSDL available too via @netscaler

NetScaler in the News

Multipath TCP in the news currently. NetScaler 10.1 supports this exciting new enhancement to TCP

@Citrix & @PaloAltoNtwks Deliver Consolidated, Multi-tenant Network Security & #ADC Services on #NetScaler #SDX via @netscaler


OpenSSL Commands

PEM to P7B # openssl crl2pkcs7 -nocrl -certfile crt.cer -out crt.p7b -certfile CA.cer
Decrypt private key # openssl rsa -in private.key -out decrypt.key
PEM to PFX # openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.cer -certfile CA.cer
PFX to PEM # openssl pkcs12 -in cr.pfx -out cert.cer -nodes
Convert PEM to DER # openssl x509 -outform der -in cert.pem -out cert.der
Decode a CSR # openssl req -in server.csr -noout -text
P7B to PFX, step 1 # openssl pkcs7 -print_certs -in crt.p7b -out crt.cer
P7B to PFX, step 2 # openssl pkcs12 -export -in crt.cer -inkey private.key -out cert.pfx -certfile CA.cer
DER to PEM # openssl x509 -inform der -in cert.cer -out cert.pem
P7B to PEM # openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

Non-NetScaler related tips

Non-NS tip: hard to beat the flexibility of Cygwin on Windows for *nix utilities OpenSSL, SSH, SFTP, crypt utils