The NetScaler HowTo Guides enable administrators to get NetScaler up and running by providing instructions for common configuration scenarios and some not-so-common ones. The more than 50 guides cover everything from how to block security attacks like Heartbleed to how to configure quotas on CGNAT. By using the HowTo Guides you can get your NetScaler up and running quickly and tune it to your particular application needs without having to dig through lengthy documentation. Each guide covers a particular topic and gets right to the point. The guides are downloadable in PDF format for easy use on any device.
- How to synchronize GSLB configuration across sites on a NetScaler Load Balancer?
The NetScaler GSLB synchronization tool helps synchronize the GSLB running configuration across all sites with the click of one button. In this guide, learn all the extended options of the GSLB sync option, along with the prerequisites for synchronizing GSLB configuration from master to slave nodes.
- How to disable services without disrupting traffic by using TROFS monitor on a NetScaler load balancer?
When servers go into maintenance mode, existing connections may be affected if the transition is not handled well. NetScaler supports graceful shutdown of services, which can be triggered automatically by the use of TROFS monitors.
- How to enable TCP Fast Open in NetScaler?
TCP Fast Open (TFO) is a mechanism in the TCP connection establishment process that helps speed up the opening of connections and the flow of data. It allows data to be carried during the initial TCP connection handshake. This guide explains how to enable TCP Fast Open and when it should be enabled in NetScaler.
- How to enable Subscriber aware session termination in NetScaler?
In today’s environment, subscribers who access the internet through Large Scale NAT (LSN, also called Carrier Grade NAT or CGNAT) terminate connections and create new ones frequently. In such a dynamic environment, it is important for the CGNAT device to identify when a subscriber session is closed and free the resources allocated to that session. This guide provides information on how to enable subscriber-aware session termination in NetScaler.
- How to use DS-Lite in NetScaler?
For a successful migration to IPv6, service providers need to deploy IPv6 without impact on their network. DS-Lite is one such transition mechanism: it allows the service provider to deploy an IPv6-only infrastructure in their network, with IPv4 traffic tunneled through the IPv6 infrastructure. This guide covers the use case for DS-Lite and how to configure NetScaler as an AFTR in a DS-Lite environment.
- How to configure a NetScaler appliance for Nested Active Directory Group Extraction of LDAP
Some policies, such as authorization, session, and traffic policies, can be applied to a session on the basis of the user’s group membership (for example, to allow or deny access to a certain resource). The credentials of a user attempting to log on to NetScaler Gateway are sent to Active Directory for validation. If the user name and password are valid, Active Directory sends the user attributes to the NetScaler appliance. This guide explains how to configure the NetScaler appliance for Nested Active Directory Group Extraction.
- How to configure a NetScaler appliance for Active Directory Group Extraction by using LDAP
Some policies, such as authorization, session, and traffic policies, can be applied to a session on the basis of the user’s group membership (for example, to allow or deny access to a certain resource). The credentials of a user attempting to log on to NetScaler Gateway are sent to Active Directory for validation. If the user name and password are valid, Active Directory sends the user attributes to the NetScaler appliance. This guide explains how to configure the NetScaler appliance for Active Directory Group Extraction.
- How to enable the change password option for NetScaler Gateway users
This guide covers the use case in which NetScaler Gateway users want the option to change their own passwords without depending on administrators.
- How to disable authentication on an LDAP server and use it only for group extraction
If you want to use LDAP for group extraction but not for authentication, you can set the NetScaler appliance to disable authentication on the LDAP server. This guide shows how to do so.
- How to autoprovision a NetScaler VPX instance on OpenStack Nova
To support the on-demand consumption model of OpenStack clouds, NetScaler MAS supports on-demand autoprovisioning of NetScaler VPX instances on OpenStack Nova. This guide covers the configuration to be done on MAS and the commands to run on OpenStack.
- How to debug OpenStack Integration
When a NetScaler is integrated with OpenStack using MAS, many API calls are made between these components. If errors occur during these API calls, the MAS request/tasks option helps to debug the issue. This guide explains how to use the request/tasks option in MAS.
- How to autoprovision a NetScaler VPX on SDX for load balancing OpenStack workloads
To support the on-demand consumption model of OpenStack clouds, NetScaler MAS supports on-demand autoprovisioning of NetScaler VPX instances on SDX. This guide covers the configuration to be done on MAS and the commands to run on OpenStack.
- How do I add or update a NetScaler resource seamlessly, using a single NITRO API call
In large NetScaler deployments, to help simplify management operations and shorten automation scripts, administrators can use a single API call for both add and update operations. This guide explains how to use this NITRO API call.
- How do I perform multiple operations on my NetScaler appliance by using single NITRO API call
One of the most basic sets of API operations frequently used by administrators requires multiple NITRO API commands. This guide explains how to use a new API resource with which administrators can configure heterogeneous resources with a single API command.
- How do I upgrade a fleet of NetScaler appliances using NITRO API?
Administrators are trying to automate NetScaler configuration and monitoring so that they can upgrade their complete fleet of NetScaler appliances in one go. This guide explains how to use the API calls with which administrators can automate the upgrade or downgrade of NS devices.
- How do I perform complete SSL Certificate monitoring and management using NetScaler MAS
NetScaler Management and Analytics System allows you to manage and monitor all NetScaler SSL certificates from one single console. This guide includes details on how MAS helps with various SSL Certificate management scenarios.
- How do I Content Switch based on User-Agent
NetScaler can be configured to redirect clients to a specific set of servers based on each client's unique capabilities and needs. The User-Agent is used to identify and categorize different clients. This guide details the steps to configure on NetScaler to redirect clients based on User-Agent.
- How to scale GSLB deployment using parent-child topology in NetScaler load balancer
NetScaler supports a parent-child topology for large-scale GSLB deployments. It helps keep MEP traffic low, which otherwise grows exponentially with every new site added. This guide details the design of the parent-child topology and provides a sample configuration.
- How to connect to ADFS 3.0 from NetScaler ADC load balancer
Microsoft ADFS 3.0 requires clients to send the Server Name Indication (SNI) extension in the client hello. NetScaler now supports SNI on backend connections and can insert the server name configured on the SSL service. This guide details the use cases for SNI on the backend and gives a configuration example.
- How do I filter traffic using DNS lookup in NetScaler ADC load
Traditionally, Access Control Lists (ACLs) have provided a strong layer of security based on IP and port information. In today's layer 7 network world, IPs may not be fixed or known in advance. NetScaler allows adding ACLs with domain names, thus providing advanced security functionality.
- How do I easily redirect all HTTP traffic to HTTPS on NetScaler ADC Load Balancer (No policy needed)
Starting with 11.1, NetScaler makes it easier to configure redirection of HTTP traffic to HTTPS. There is no longer any need to add complex policies and bindings. A redirectFromPort parameter has been added to the LB virtual server for this purpose. This guide details the usage of this parameter along with a sample configuration.
- How do I disable client choices in NetScaler Gateway
Client choices are the logon choices received by a user who logs on to a NetScaler Gateway. These choices can be determined by creating a session policy and profile. NetScaler Gateway gives administrators an option to disable these client choices by modifying the session profile so that users are not directed to select a choice every time they log in to the Gateway.
- How to use SNIP for authentication (AAA) server communication
By default, authentication server communication on NetScaler uses the NetScaler IP (NSIP). So, apart from being used for management purposes, the NSIP is also used as the source IP for AAA protocol traffic. In some scenarios, however, the NSIP cannot be used, so NetScaler allows a subnet IP (SNIP) to be used instead of the NSIP as the source IP for traffic sent to the authentication server.
- How to configure ICA Proxy Connection Termination upon AAA Session Time Out
An AAA session is established once a user has been authenticated and logged in to the NetScaler Gateway. Administrators can configure AAA session timeouts via the NetScaler GUI and CLI. ICA connections are the sessions in XenApp/XenDesktop environments. NetScaler gives administrators an option to kill ICA connections the moment a user session times out.
- How to limit one session per user on NetScaler Gateway
Administrators can use a session policy or the global NetScaler Gateway settings to control whether or not intranet IP addresses are assigned during a user session. Administrators can define the IP address pool options to ensure that at any point in time a given user can only have one active session with NetScaler Gateway.
- How do I restrict an administrator's scope to specific applications using NetScaler MAS
In most enterprises, the application administrators have defined roles wherein they need to manage only a subset of the applications. This guide details how MAS can support role based access (RBA mechanism) settings.
- How do I monitor NetScaler MAS resource consumption
Administrators may want to proactively monitor MAS resource consumption to understand whether the usage numbers are well in control and as expected. This guide includes details on how MAS resource consumption can be monitored.
- How do I fetch bindings for all NetScaler entities of an entity type using a single NITRO API
Many enterprises use NITRO API scripts to programmatically interact with NetScaler. This guide describes a new API parameter with which administrators can fetch bindings for all NetScaler entities of an entity type in a single API call.
- How do I restrict an administrator's scope to specific instances using NetScaler MAS
In most enterprises, the network administrators have defined roles wherein they need to manage only a subset of the NetScaler instances. This guide details how MAS can support role based access (RBA mechanism) settings.
- How to use policy based TCP profile using AppQoE in NetScaler
There is sometimes a need to change the TCP profile based on the traffic going through the system. Policy based TCP profiles in NetScaler help allocate TCP profiles based on attributes of the traffic going through the system. This guide explains policy based TCP profiles in NetScaler with examples.
- How to use Port Control Protocol in NetScaler
Port Control Protocol, commonly referred to as PCP, enables applications and equipment to read/write explicit mappings between an external IP address, protocol and port, and an internal IP address, protocol and port. These explicit mappings allow inbound communication to reach hosts behind a NAT or firewall. This guide provides information on how to enable PCP in NetScaler.
- How to enable Connection Mirroring for RNAT traffic in NetScaler
Connection Mirroring / Session Synchronization enables NetScaler to duplicate connection and persistence information to a standby system in an HA pair. This guide explains the need for connection mirroring for RNAT and how to configure it in NetScaler.
- How to enable compact logging for CGNAT in NetScaler
Compact format is a technique for reducing log volume through a notational change that uses short operational codes for events and protocol names. This guide explains the compact logging use case and how to enable compact logging in NetScaler.
- How do I create a Placement policy
In a multi-tenant environment like an OpenStack cloud, there may be a requirement to allocate NetScaler resources based on subnet, HTTP request header, or any other property of a pool. A placement policy in the service package of MAS helps to fulfill this requirement. This guide helps to configure placement policies in MAS.
- How do I create a Service Package in NetScaler MAS
When different cloud tenants/applications try to consume NetScaler resources through OpenStack Cloud, SLAs defined in Service Packages are used by NetScaler MAS to allocate NetScaler resources. This guide helps to configure the Service Packages in NetScaler MAS.
- How to add OpenStack tenants to NetScaler MAS
In an OpenStack cloud, if an enterprise wants to provide LBaaS (using NetScaler) for selected tenants, it can add those tenants to NetScaler MAS, and only those tenants can be added to the Service Packages in MAS. This guide helps with the process of adding OpenStack tenants to MAS.
- How to assign a group of NetScaler instances to group of OpenStack tenants
Using NetScaler MAS, enterprises can offer scalable NetScaler resources to cloud tenants/applications. This guide helps with the process of creating a group of NetScaler instances and offering them to a single tenant or a group of tenants.
- How can ISPs log subscriber control plane information using NetScaler
With the surge in mobile data usage in recent years, a huge amount of control plane traffic flows through the ISP network and needs to be logged. This logging of data primarily helps ISPs in traffic analysis and mass surveillance. It adds value for service providers by helping them debug failures by identifying the events that led to a failure and, most importantly, helps identify subscribers who used their services. This guide explains how NetScaler can log subscriber information.
- How do I bind an SSL certificate to a vServer on NetScaler
An SSL certificate is an integral element of the SSL encryption and decryption process. This guide explains how to bind an SSL certificate to a vServer on NetScaler.
- How do I configure HTTP Public Key Pinning in NetScaler ADC Load Balancer
HTTP Public-Key-Pinning (HPKP) is a purpose-built HTTP extension that stores pins in browsers and prevents them from accepting a fraudulent certificate for the same host in the future. This guide elaborates on this functionality and how to configure it on NetScaler.
- How do I create a Certificate Signing Request (CSR) on NetScaler
Any web site that is to use SSL must generate a Certificate Signing Request (CSR), an electronic document that contains a public key and a company/domain name. This guide explains how to create a Certificate Signing Request (CSR) on NetScaler.
- How do I generate a trace for a specific Admin Partition
While managing an application, the admin may need to take a packet trace on NetScaler for troubleshooting. If the NetScaler has admin partitions, it is important that the trace can be taken within a partition, so that it does not capture any packets that do not belong to that partition. This guide helps a user generate such a partition-specific trace.
- How do I monitor and manage changes on NetScaler using Command Center
Changes made on NetScaler can be easily monitored and managed using the Change Management feature in Command Center. By following the steps in this guide, users can track any unwanted changes to their NetScaler configuration and take the necessary measures to restore the desired state/configuration.
- How do I optimize Syslog Maintenance on Citrix Command Center
Command Center (CC) can act as a syslog server. Syslog messages consume a lot of storage space and may lead to storage space issues on CC if it is not configured optimally. This guide helps the user optimally configure Command Center as a syslog server, making syslog maintenance on Command Center a smooth activity.
- How do I select TCP congestion control algorithm in NetScaler
For its first 20 years, the internet carried simple applications over simpler networks with less heterogeneity and lower speeds. As applications became much more diverse and demanding, networks became complex, and the TCP congestion control that had worked earlier gradually became unsuitable. Congestion control methods had to be adapted to the new, complex networks and evolved gradually over time. This guide covers the TCP congestion control algorithms supported by NetScaler and how to select the right algorithm for your network.
- How do I setup RSA keys on NetScaler
RSA is one of the widely used public-key cryptosystems for encrypted data exchange. This guide covers the advantages and disadvantages of using RSA keys and how to set up RSA keys in NetScaler.
- How do I suppress Command Center alarm actions
Alarm triggers are an important alerting feature, widely used by Command Center users to receive important notifications. However, receiving alarm-trigger notifications during a maintenance activity can be annoying and overwhelming. By following the simple steps in this guide, users can configure alarm triggers that notify them only during necessary/appropriate time periods.
- How do I upgrade NetScaler using Command Center
Upgrading NetScaler via Command Center is a simple process. By following the steps in this guide, users can upgrade all their NetScaler ADC device deployments in one go and can also keep a close eye on the execution status/logs.
- How do I upload different types of certificates on NetScaler
There are many well-recognized Certificate Authorities (CAs) that can issue certificates, and the certificates they issue are often not in the same format. This guide explains how to upload different types of certificates on NetScaler.
- How to create your own TCP Profile in NetScaler
A TCP Profile is a collection of TCP parameters like TCP Flavor, TCP timers, Window parameters, Buffer parameters, Multipath TCP and other related parameters which offers flexibility and ease of configuration. This article throws light on how to create your own TCP Profile in NetScaler.
- How to handle certificate expiry on NetScaler
An SSL certificate is valid for a specific period of time. A typical deployment includes multiple virtual servers that process SSL transactions, and the certificates bound to them can expire at different times. This guide speaks about handling certificate expiry on NetScaler.
- Generic NetScaler FAQs
This guide details how to upgrade NetScaler, where to find the latest release notes, details about Safe Harbor builds, and where to find security updates for NetScaler.
- How do I block FREAK on NetScaler
The FREAK attack exploits an SSL/TLS vulnerability that allows intruders to intercept HTTPS communication between a client and a server and force them to use weak encryption. This guide explains how to block FREAK attacks on NetScaler. It also gives information on the versions of the NetScaler Service Delivery Appliance Service VM (SVM) in which the vulnerabilities are removed.
- How do I block Heartbleed on NetScaler
Heartbleed is a bug identified in OpenSSL’s implementation of the TLS heartbeat extension that allows intruders to read information from the server’s memory, thereby revealing potential user data that was assumed to be safe under TLS. This article describes how Heartbleed works and provides information on how NetScaler is immune to the Heartbleed vulnerability.
- How do I block POODLE on NetScaler
Using the POODLE attack, an intruder can force a website to downgrade from TLS 1.0 to SSL 3.0 by negotiating to use SSL 3.0. The attack then exploits a flaw that was discovered in SSL 3.0 to intercept the data in transit. This article describes how the POODLE/POODLE2 attack can be defended against by using NetScaler.
- How do I configure EPA for Registry Check
Configure End Point Analysis on NetScaler Gateway to check a device's registry before allowing it access to the internal network.
- How do I configure EPA for Symantec Antivirus Check
Configure End Point Analysis on NetScaler Gateway to check for antivirus on the device before allowing it access to the internal network.
- How do I configure EPA for Windows Update Check
Configure End Point Analysis on NetScaler Gateway to check a device's Windows updates before allowing it access to the internal network.
- How do I configure Framehawk support on NetScaler Gateway
Configure Framehawk on NetScaler Gateway to get the best user experience with XenApp and XenDesktop even on lossy networks.
- How do I configure GSLB for NetScaler Gateway
The guide details how GSLB for NetScaler Gateway ensures that the organization’s internal network is always available to end users from anywhere in the world.
- How do I configure HDX Insight
This guide details how HDX Insight enables an administrator to find the underlying network issue when there is a slowdown in ICA user sessions.
- How do I configure L4 load balancing on NetScaler
This guide helps with configuring L4 load balancing on NetScaler.
- How do I configure Split Tunnel on Gateway
The guide details how to configure the split tunnel feature on NetScaler Gateway that can be used to direct traffic that is bound for the Internet away from the VPN tunnel to the data center, thus saving resources on the VPN.
- How do I configure Unified Gateway for common Enterprise Applications
The guide explains how to configure the Unified Gateway to do AAA and single sign-on for common enterprise applications like SharePoint and Exchange.
- How do I configure Unified Gateway
The guide elaborates the steps involved in setting up Unified Gateway to unify remote access for all enterprise, web, cloud, SaaS and Citrix applications into a single end-to-end solution.
- How do I customize Unified Gateway Portal
The guide details how an administrator can customize the look and feel, color, logo and labels on the NetScaler Unified Gateway portal.
- How do I do HSTS on NetScaler
HSTS is used to protect websites against various attacks such as SSL strip, cookie hijacking and downgrade attacks. This article explains how various attacks can be executed using man-in-the-middle spoofs and how HSTS works to defend against them. The article also provides information on how HSTS can be enabled in NetScaler.
- How do I load balance DNS traffic (DNS proxy) on NetScaler
This guide will help to configure a basic DNS load balancing setup on NetScaler.
- How do I load balance FTP on NetScaler
This guide helps to configure an FTP load balancer on NetScaler.
- How do I only use FIPS-accepted ciphers on NetScaler
This guide helps to use FIPS-approved ciphers on NetScaler.
- How do I remove legacy ciphers on NetScaler
This article describes good practices for selecting ciphers, namely avoiding legacy ciphers with vulnerabilities, and gives instructions on how to remove these legacy ciphers from NetScaler.
- How do I remove RC4 ciphers in NetScaler
RC4 is an encryption algorithm that has a vulnerability in its initial stages. The first few bytes of output reveal information about the key, which allows an intruder to gain access to sensitive information. The article explains how to remove RC4 ciphers in NetScaler.
- How do I setup a DH Key on NetScaler
Diffie-Hellman key exchange is a method for sharing a secret between two entities that have no prior knowledge of each other. It can be used for encrypted communication in order to exchange sensitive information over a public channel. This article provides information on how to set up a Diffie-Hellman key on NetScaler.
- How do I setup cookie based persistence on NetScaler
This guide will help to configure cookie based persistence on NetScaler.
- How do I setup secure access to NetScaler Management GUI
The NetScaler GUI can be accessed through the NSIP or a SNIP. This guide will help to secure this access.
- How do I setup SSL profile on NetScaler
An SSL profile is a collection of SSL parameter settings that offers ease of configuration and flexibility. This article explains how to set up an SSL profile on NetScaler.
- How do I setup TLS_FALLBACK_SCSV on NetScaler
The guide explains how NetScaler protects the server against the POODLE attack by preventing the protocol downgrade attack.
- How do I setup URL hash based load balancing on NetScaler
This guide helps with configuring URL hash based load balancing on NetScaler.
- How do I upload PFX certificates on NetScaler
PFX is a format for storing a server certificate or any intermediate certificate along with a private key in one encrypted file. This article explains how to upload PFX certificates on NetScaler.
- How do I use HTTPS-ECV health check monitor on NetScaler
This guide helps the admin with adding an HTTPS-ECV monitor (HTTP-ECV monitor with secure option enabled) during the creation of the service.
- How to accommodate hairpinning behaviour in NetScaler
Hairpinning is a special scenario with respect to CGNAT. It allows the packets which arrive at the NAT from a private network to be translated and looped back to the private network without needing to go through the public network. This guide explains the concept of hairpinning and how it is handled in NetScaler.
- How to configure CGNAT Deterministic NAT on NetScaler
Deterministic NAT is a type of configuration under carrier-grade NAT (CGNAT) in which there is a pre-determined mapping between the subscriber IP and the NAT IP. Such a configuration helps reduce the log volume and the cost associated with logging infrastructure needs. This guide explains how Deterministic NAT can be configured using NetScaler.
- How to configure CGNAT EIM and EIF on NetScaler
Endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF) are features under carrier-grade NAT (CGNAT). EIM & EIF allow private users to have a stable external (NAT) IP address and Port (for a period of time) that external users can use to connect. This guide explains the concept of EIM and EIF and how it can be configured using NetScaler.
- How to configure CGNAT Static NAT on NetScaler
Static NAT is a feature in CGNAT which allows a user to opt for creating a static mapping between a subscriber IP/port and a NAT IP/port. Such a configuration enables Internet hosts to reach a particular internal service by ensuring that traffic from a specific subscriber IP address and port always gets the same NAT IP address and port. This guide explains the concept of Static NAT and how it can be configured using NetScaler.
- How to configure End to end SSL on NS
This guide explains the concept of end-to-end SSL and how to configure it using NetScaler.
- How to configure healthcheck monitors on NetScaler
This guide helps a user configure healthcheck monitors on NetScaler. Monitors check the availability of the backend servers and thus help in making effective real time routing decisions related to the traffic flowing through the NetScaler.
- How to configure PFS on NS v3
Perfect Forward Secrecy (PFS) ensures protection of current SSL communications even if the session key of a web server is compromised at a later time. This guide explains the concept of PFS and how to configure it on NetScaler.
- How to configure Quotas in CGNAT on NetScaler
Port Quotas/Session Quotas are features related to carrier-grade NAT (CGNAT). They help limit the number of NAT ports/sessions per subscriber to ensure fair distribution of resources among users. This guide explains how to configure such quotas on NetScaler.
- How to configure SNI on NS
Server Name Indication (SNI) is an extension of the TLS protocol that enables a webserver to host multiple DNS hostnames on a single IP address. This guide explains the concept of SNI and how to configure SNI on NetScaler.
- How to disable SSL v2 on NS v3
This guide helps a user with the configuration to disable SSL version 2 on NetScaler.
- How to do rate limiting of Diameter messages using NetScaler
This guide helps to configure a rate limit identifier that measures the rate of incoming traffic and drops packets that exceed the maximum allowed rate within a particular time interval.
- How to enable SSL Client Auth on NetScaler
SSL Client authentication lets you authenticate the users who are trying to gain access to resources protected over SSL. This guide explains how to configure SSL Client Authentication on NetScaler.
- How to enable syslog over TCP in NetScaler
When significant events are logged, the syslog messages need to be transported over a reliable channel so that they are stored safely on a server. This necessity paved the way for syslog over TCP. This article provides information on how to enable syslog over TCP in NetScaler.
- How to log MSISDN in LSN logging
To track subscriber activity, the MSISDN, which is the primary key for uniquely identifying a subscriber in a UMTS/GSM network, needs to be logged for every subscriber session. This article explains how to enable logging of the MSISDN in LSN logs in NetScaler for tracking user session activities.
- How to Setup ECC on NS
Elliptic Curve Cryptography (ECC) is an asymmetric public key cryptography method based on elliptic curves over finite fields. It is especially useful in a mobile (wireless) environment or in an interactive voice response environment. This guide explains how to configure ECC on NetScaler.
- How to Setup Self Signed Cert on NS v3
A Self-signed SSL Certificate (mostly used for test purposes) is needed to be able to test NetScaler’s SSL Offloading feature internally (in a non-production environment). This guide helps you to set up the self-signed certificate on NetScaler.
- What is SSL profile on NetScaler
An SSL profile contains ciphers, ECC curves and SSL parameters, which give a myriad of combinations and options. This article explains the different types of SSL profiles and provides information on the list of parameters present in these profiles.