http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

Jul 25, 2017

What is an admin connection?
An admin connection establishes a connection to the NetScaler IP (NSIP) address and allows administrators to configure and monitor the NetScaler appliance.

What are the types of admin connections?
There are two types of admin connections:
- SSH connection – Admin users use an SSH client to log on through the NetScaler IP (NSIP) address.
- NITRO API connection – Admin users use NITRO APIs to automate the logon process to the NetScaler appliance.
Note: Admin users can also log on through the NetScaler GUI, by using a browser to connect to the NSIP address. The GUI internally opens a NITRO API connection. Therefore, a GUI session is equivalent to a NITRO API connection, and FAQs related to NITRO API apply to GUI.

How many concurrent admin connections are allowed on a NetScaler appliance?
The appliance allows up to 20 concurrent admin connections.

Which login credentials are required for an admin logon?
Admin logon requires a user name and a password.
Note: An authentication key can be used instead of a password.

Which external authentication methods does a NetScaler appliance support?
The appliance supports the following external authentication methods:
- RADIUS
- LDAP
- TACACS
For more details, see External Authentication.

What is a client?
A client is a device (laptop or desktop) used by an admin user to open an admin connection.

What is a session token?
A session token is a unique identifier that the NetScaler appliance issues to a client that sends a NITRO API logon request. API clients can reuse the session token, if it has not expired, for subsequent API requests on new TCP connections. GUI clients internally open NITRO API connections and keep the session token active for the duration of the GUI session.

What is an active session on a NetScaler appliance?
A CLI session is considered active if the session has not expired and has an open SSH connection with a NetScaler appliance.
A NITRO API session is considered active if the session token timeout has not expired on the NetScaler appliance.

How does NetScaler enforce the concurrent connection limit?
Every time the NetScaler appliance receives an admin connection request (SSH or NITRO API), it checks the number of admin connections it has open. If the number is lower than 20, a new connection is opened.

Which counter reflects the number of admin connections on a NetScaler appliance?
The connection counter (nsconfigd_cur_clients) reflects the number of active connections. This counter is incremented when a client opens a new connection to the appliance, and is decremented when a connection is closed.

Which counter reflects the number of active tokens on the NetScaler appliance?
The configd_cur_tokens counter reflects the number of active tokens on the NetScaler appliance.

How does the NetScaler appliance handle errors on a connection?
The NetScaler appliance immediately closes the client (CLI, API, and GUI) connection if it encounters errors on a connection.

Does a CLI or GUI session on a connection to the management address count against the admin connection limit?
Yes, all CLI and GUI connections are TCP-based connections, and every TCP connection to the management address counts against the admin connection limit.

Does a NITRO session count against the admin connection limit?
A NITRO session counts against the admin connection limit if there is an open TCP connection using the session token issued by the NetScaler appliance.

What is the default timeout period for API, GUI, and CLI sessions on a NetScaler appliance?
The following table lists the default timeout period for API, GUI, and CLI sessions on the NetScaler appliance:

NetScaler Releases       CLI default timeout   API default timeout   GUI default timeout
                         period (min)          period (min)          period (min)
NetScaler 9.3            None                  30 Minutes            30 Minutes
NetScaler 10.1           None                  30 Minutes            30 Minutes
NetScaler 10.5 Onwards   15 Minutes            30 Minutes            15 Minutes

How can you set the CLI session timeout on a NetScaler appliance?
The CLI session timeout can be configured by executing the following command at the CLI prompt:
    set cli mode -timeout

How do you override the default timeout period when using the NITRO API?
You can override the default timeout period for a NITRO API by setting the timeout duration in the "timeout" field of the login object. If the session timeout is set to zero, the session token has an infinite timeout.
Note: An infinite timeout is not advisable, because sessions that do not time out continue to count against the admin connection count.

What happens if a user account is deleted from the NetScaler appliance after an admin session is created?
For internal system users, the NetScaler appliance closes the existing CLI or NITRO API session.


For external system users, the session remains active until it expires.

Can NITRO API clients use a single session token to open multiple admin connections on the NetScaler appliance?
Yes. Each such connection counts against the admin connection limit.

If management access is enabled for a MIP or SNIP address, do admin connections to that address count against the limit for the number of admin connections?
Yes, admin connections to a management address (MIP or SNIP) count against the admin connection limit on NetScaler ADC.

Can a NetScaler admin log on to the NetScaler appliance after the maximum connections limit is reached?
Yes. One additional admin connection is allowed after the maximum connection limit is reached.

Can NITRO API endpoints open multiple admin connections on the NetScaler appliance?
Yes, NITRO API endpoints can open multiple admin connections and exhaust the concurrent admin connection limit on a NetScaler appliance. In such situations, an additional SSH/CLI connection is allowed and the admin can force closure of old API sessions, or reduce the session timeout duration for the existing API sessions.

Can the same client open multiple API sessions on a NetScaler appliance?
Yes, a client can open multiple API sessions by repeatedly logging on. For example, the client might log back on after a reboot.
Note: Repeated client logons count against the admin connection limit on the NetScaler appliance.

Can API clients use the entire API session token limit?
Yes, API clients can use the entire API session token limit by repeatedly logging on without using a previously issued token.
Note: If a client's session timeout is zero, the token is valid forever. Repeated logons using new session tokens can count against the limit for API session tokens.

Do CLI sessions count against the API session token limit?
No, CLI sessions are not counted against the API session token limit.

Can admin users use telnet to open a CLI session?
No. Only an SSH client can open a CLI session.

What are the connection limit and API session limit applicable for various NetScaler releases?
The following table lists the maximum concurrent admin connection and active API session limits applicable for various NetScaler releases:

NetScaler Releases                               9.3    10.1             10.1              10.1
                                                        (Before 130.x)   (Before 130.10)   (From 130.10)
Maximum number of concurrent admin connections   20     20               20                20
Maximum number of active API sessions*           1000   20               1000              1000


Note*: API sessions are considered active if they have not timed out. For example, if 500 API sessions were created but 100 have expired, 400 API sessions are active. An API session need not open a TCP connection to the NetScaler appliance.
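The token behaviour described in this FAQ (a "timeout" field in the login object, token reuse, repeated logons consuming the session token limit) can be illustrated with a small client. This is an added example, not Citrix code: the /nitro/v1/config/login and /logout paths, the NITRO_AUTH_TOKEN cookie, the nsversion resource and a timeout in seconds follow the usual NITRO REST conventions and should be checked against the NITRO documentation for your release, while FakeAppliance, the nsip.example host and the credentials are constructed so the block runs offline.

```python
import json
import urllib.request


def http_transport(method, url, headers, body):
    """Default transport: one HTTPS request (certificate checked), JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class NitroSession:
    """One logon, a finite token timeout, token reuse, and an explicit logout."""

    def __init__(self, base_url, username, password, timeout_s=300,
                 transport=http_transport):
        # Per the FAQ, timeout 0 yields a token that never expires and keeps
        # counting against the limits, so this client refuses it outright.
        if timeout_s <= 0:
            raise ValueError("session timeout must be a positive number of seconds")
        self.base = base_url.rstrip("/") + "/nitro/v1/config"  # assumed path
        self._creds = {"username": username, "password": password}
        self.timeout_s = timeout_s
        self._send = transport
        self.token = None

    def _call(self, method, path, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.token:
            # Reuse the issued token instead of logging on again.
            headers["Cookie"] = "NITRO_AUTH_TOKEN=" + self.token
        body = json.dumps(payload).encode() if payload is not None else None
        return self._send(method, self.base + path, headers, body)

    def __enter__(self):
        login = dict(self._creds, timeout=self.timeout_s)
        self.token = self._call("POST", "/login", {"login": login})["sessionid"]
        return self

    def get(self, resource):
        return self._call("GET", "/" + resource)

    def __exit__(self, exc_type, exc, tb):
        # Log out even when the body raised, so the token is released now
        # rather than when its timeout runs out.
        try:
            self._call("POST", "/logout", {"logout": {}})
        finally:
            self.token = None
        return False


class FakeAppliance:
    """Constructed stand-in for the appliance: it only tracks issued tokens."""

    def __init__(self):
        self.tokens = {}   # token -> timeout requested at logon
        self.logins = 0

    def __call__(self, method, url, headers, body):
        data = json.loads(body) if body else {}
        if url.endswith("/login"):
            self.logins += 1
            token = "tok%d" % self.logins
            self.tokens[token] = data["login"]["timeout"]
            return {"errorcode": 0, "sessionid": token}
        token = headers.get("Cookie", "").partition("=")[2]
        if token not in self.tokens:
            return {"errorcode": -1}   # constructed "unknown session" reply
        if url.endswith("/logout"):
            del self.tokens[token]
        return {"errorcode": 0}


def poll_with_relogin(appliance, n):
    """Leaky client: a fresh logon per request and no logout."""
    for _ in range(n):
        s = NitroSession("https://nsip.example", "monitor", "constructed-pw",
                         transport=appliance)
        s.__enter__()
        s.get("nsversion")
    return len(appliance.tokens)       # tokens still active afterwards


def poll_with_reuse(appliance, n):
    """Same workload through one session that is closed when done."""
    with NitroSession("https://nsip.example", "monitor", "constructed-pw",
                      transport=appliance) as s:
        for _ in range(n):
            s.get("nsversion")
    return len(appliance.tokens)


if __name__ == "__main__":
    print("active tokens, relogin per request:", poll_with_relogin(FakeAppliance(), 25))
    print("active tokens, one reused session: ", poll_with_reuse(FakeAppliance(), 25))
```

Against a real appliance the leftover tokens from the first pattern stay active until their timeout expires, which is why the FAQ advises against an infinite timeout.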


Jul 25, 2017

What is SDX?
SDX is a true service delivery networking platform for enterprises and cloud datacenters. SDX features an advanced virtualization architecture that supports multiple NetScaler instances on a single hardware appliance.

When do I need SDX?
If you have multiple enterprise applications that have independent life cycle needs for L4–L7 networking services, or if you have a need to consolidate multiple underutilized load balancing appliances, you benefit from SDX.

What's unique about SDX?
SDX uniquely delivers key benefits from advancements in server hardware virtualization, hardware-assisted SSL acceleration, and the market-proven, award-winning NetScaler product line. The Management Service features an advanced control plane to unify provisioning, monitoring, and management in the most demanding multitenant environments, while providing full resource isolation for data separation and to meet service level agreement guarantees, such as availability, reliability, and performance.

How will I benefit from SDX?
SDX delivers isolated multitenancy with up to 40:1 consolidation. As a key pillar in Citrix's TriScale technology framework, SDX addresses the growing need to "scale in" within virtual data centers and cloud network infrastructures. The TriScale scale-in factor enables IT to provide the foundation for consolidating L4–L7 network services today, thereby simplifying the build-out of cloud-based services down the line, in accordance with business requirements.

Will I need to go outside my normal procurement procedure to purchase SDX?
SDX is a fully contained networking appliance, designed for network deployment. SDX is not designed to be managed through standard hypervisor management tools such as XenCenter.

How do I purchase an SDX?
An SDX order has three basic product components: SDX appliance SKU, SDX support contract SKU, and Add-On Instance Packs. SKUs are also available for platform conversion (MPX-to-SDX) and platform upgrade (SDX-to-SDX). SDX today is available in Platinum Edition only.

Is there SDX-specific documentation?
Yes, please visit http://support.citrix.com/proddocs/topic/netscaler/sdx-ag-wrapper-con.html.

Do NetScaler editions apply to NetScaler SDX?
The editions do not apply from a packaging perspective. NetScaler SDX appliances and the instance 5-packs are priced the same regardless of the edition. However, when provisioning new instances, the administrator is free to deploy the Standard, Enterprise, or Platinum edition of the NetScaler software.

How much memory can I assign to each instance?
There is no maximum limit to the memory that can be assigned to each instance. Minimum memory required per instance is 2GB.

Can we migrate the existing configuration (ns.conf) from the MPX platform to an SDX VPX instance?
Yes, but some configuration, such as RBA policies and SNMP community configuration, is deleted.

What NetScaler features do I get with SDX?
All NetScaler features are available on SDX.

Does SDX accelerate SSL in hardware like MPX does?
Yes. You can assign SSL cores to an instance during provisioning.

What changes to my network are required for me to deploy SDX?
SDX fits into your network environment through standard Ethernet interfaces. You must disable link aggregation control protocol (LACP) on any external switch ports connected to the appliance.

Is SDX interoperable with my routing and switching infrastructure?
Yes, although link aggregation control protocol (LACP) is currently not supported. However, SDX supports manual link aggregation.

Is SDX interoperable with my existing NetScaler deployment?
Yes, although standard VPX-to-MPX limitations apply. For example, high availability is supported only across homogeneous devices (you cannot pair a virtual device with a physical device), some configuration, such as RBA policies and SNMP configuration, is deleted, and license transfer is not supported.

Can I manage SDX from Command Center?
Yes. You can identify SDX appliances and provision and de-provision VPX instances by using Command Center.

How does SDX deliver multitenancy?
Each instance runs as a separate virtual machine with its own dedicated NetScaler kernel, CPU resources, memory resources, address space, and bandwidth allocation. Network I/O is done in a way that not only maintains aggregate system performance but also enables complete segregation of each tenant's data-plane and management-plane traffic.

Do I need to manage an SDX through XenCenter?
No. XenCenter is not supported. Use the Management Service to manage XenServer.

We are a VMware shop. We have no infrastructure available to support XenServer. Do you have a VMware variant of SDX?
No additional XenServer infrastructure is necessary. SDX is a fully contained networking appliance with its own control plane, and the virtualization layer is transparent to the deployment.

Why is the system health monitoring page not showing any data?
You have to install the supplemental pack before you can use this feature. For installation instructions for the supplemental pack, see http://support.citrix.com/article/CTX132877.

How do I verify that the supplemental pack installation was successful?
After installation, a pop-up window shows whether installation was successful or if there was an error.


Why is the VPX instance not reachable after interfaces on the appliance are modified?
When you provision a NetScaler VPX instance with L2VLAN configuration, physical interfaces on the SDX appliance are mapped to virtual interfaces on the VPX instance. If you remove an interface, you might change the mapping between the physical interfaces and VPX instances, and therefore you might lose connectivity to the VPX instance. For example:
1. You provision a VPX instance, by using the Management Service, with interfaces 10/1, 10/2, 10/7, and tag VLAN 512 to interface 10/2. When you log on to that VPX instance, you see that interfaces 10/1, 10/2, and 10/3 are configured.
2. If you later modify the instance and remove interface 10/1, you lose connectivity to the instance, because interface 10/2 is renamed to 10/1 in the VPX instance.

Are IPv6 addresses supported on the NetScaler SDX appliance?
Yes. All NetScaler-supported IPv6 functionality is available on the SDX appliance.

Where are link parameters, such as speed and duplex, configured?
Link parameters are configured from the Management Service.

Should the appliance be restarted if the platform license is upgraded?
No. You do not need to restart the appliance for the new license to apply.

Do I need to restart the appliance to upgrade the device-level firmware?
Yes, this upgrade is handled through the Management Service and requires that the appliance be restarted. This is the only time that the SDX appliance needs a complete restart.

Do I need to restart the appliance when I upgrade it by using a Pay-As-You-Grow license?
No. Upgrading the appliance upgrades the platform license. Restart the Management Service but not the instances running on the SDX appliance. Once upgraded, the Management Service detects the higher throughput available for the instances. If you decide to increase the bandwidth limit for an instance, restart that instance after modifying the bandwidth limit.

What happens to production instances if I remove my platform license?
There is no change to the production instances. However, you cannot add new instances.

How can we re-add a gadget to the Home page?
Click the << button in the top-right corner of the Home page. Then, type the name of the gadget, or press Enter for all gadgets. Click "Add to Dashboard".

Should member interfaces in manual link aggregation be part of the same VLAN?
Yes. Member interfaces in manual link aggregation should be part of the same VLAN.

How many VLANs are supported per interface with VLAN filtering enabled? What happens if I configure more?
With VLAN filtering enabled, 10G interfaces support up to 63 VLANs, and 1G interfaces support up to 31 VLANs. This is a hard limit based on the number of queues supported by the NIC. An error message appears if the limit is exceeded.

How many instances can be shared on a single NIC?
For a 10G interface, SDX supports up to 63 virtual functions per physical port, which translates to 63 instances per 10G NIC. For 1G interfaces, the maximum number of shared instances per NIC is 7.

Why is the XenServer password the same as the Management Service password?
The XenServer password and the Management Service password are the same to maintain administrative consistency. Changing the XenServer password causes the internal communication between the Management Service and XenServer to fail.

If I have separate management networks, do I need to manually add these networks to the Management Service?
No. Communication is over an external device.

Why can't I modify the default administrator profile?
The default administrator profile enables multiple administrative roles to exist on the SDX. You cannot change the password of the nsroot administrator profile, but you can create a new administrator profile and make it the default profile.

Why does Core usage show 50% when I'm not passing any traffic through my NetScaler instance?
CPU core usage shows, from the hypervisor perspective, the CPU utilization of one physical CPU, which has two hyperthreads: one for the packet engine and one for the management CPU. For example, assume a single instance with one dedicated core. Even if you are not passing any traffic through your appliance, PE CPU utilization will be 100%, and average core utilization will be 50%.

Will restarting the Management Service interrupt my production instances?
No. Your production instances will continue to pass traffic without interruption while the Management Service restarts. The same applies when you upgrade the Management Service.

Can I configure the Management Service to send syslog?
Syslog through the Management Service is currently not supported.

Am I required to upgrade all VPX instances if I upgrade the Management Service?
No, instance life cycles can be managed independently of one another and of the life cycle of the Management Service.

If my Management Service and VPX instances are on different networks, how can I manage the VPX instance through HTTPS?
The same way as if they are on the same network.

If my Management Service and VPX instances are on different networks, how can I manage the VPX instance through the Management Service?
If the Management Service and the VPX instance are in different networks but the instance can be reached from the Management Service, the Management Service shows the instance as UP. If an instance is UP, you can manage it from the Management Service. However, if communication between the two fails, the Management Service shows the instance as "Out of Service".

I forgot the IP address of my Management Service. What can I do?
Log on to XenServer, and then use the default IP address (169.254.0.10) to log on to the Management Service. At the shell prompt, type networkconfig to view or modify the IP address of the Management Service.

Can I specify VLANs on management interfaces?
VLANs on management interfaces are currently not supported.

How do I restart XenServer?
The only supported method for restarting XenServer is from the Management Service. It is equivalent to restarting the appliance.

How many instances can I provision on the SDX appliance? How much aggregate throughput can I expect?
This number is dependent on the hardware and the license that you purchased, as shown below:
- 11500, 13500, 14500, 16500, 18500, 20500: 5 to 20 instances. Throughput ranges from 8 to 42 Gbps.
- 17500, 19500, 21500: 5 to 20 instances. Throughput ranges from 20 to 50 Gbps.
- 17550, 19550, 20550, 21550: 5 to 40 instances. Throughput ranges from 20 to 50 Gbps.
- 8400, 8600: 2 to 5 instances. Throughput ranges from 4 to 6 Gbps.
Note: For more information, see the NetScaler datasheet at http://www.citrix.com/content/dam/citrix/en_us/documents/products/netscaler-data-sheet.pdf

Can I restrict functionality on the VPX instances?
Some functionality can be restricted by specifying the license (Standard, Enterprise, or Platinum) when you provision the instance.

How many SDX models are there, and how do they differ?
The NetScaler SDX appliance comes in the following variants:
- SDX 11500/13500/14500/16500/18500/20500: 8 to 42 Gbps, maximum 20 instances, 8x1G ports, 4x10G ports.
- SDX 17500/19500/21500: 20 to 50 Gbps, maximum 20 instances, 8x10G ports. Note: This platform is going EOS this year.
- SDX 17550/19550/20550/21550: 20 to 50 Gbps, maximum 40 instances, 8x10G ports.
- SDX 8400/8600: 4 to 6 Gbps, maximum 5 instances, (6x10/100/1000Base-T copper Ethernet ports + 6x1G SFP) and (6x10/100/1000Base-T copper Ethernet ports + 2x10G SFP+).

What is the minimum NetScaler software version required for SDX instances?
NetScaler VPX instances should run release 9.3 and later to be able to work on SDX.

How many physical interfaces will I need to use?
If you have a single management network, you'll need on average 1 or 2 physical NICs per instance. For 2 or more management networks (multiple VLANs for NetScaler IP addresses), you'll need a dedicated separate physical NIC for each management VLAN trunk. You can share physical NICs among multiple instances with L2 separation. Therefore, depending on your topology, you can offset the management VLAN trunk count with multiple instances sharing a physical NIC.

Can I upgrade my MPX to an SDX? What about my MPX FIPS platform?
A non-FIPS MPX platform that supports the SDX architecture can be converted to a similar class of SDX platform. The MPX platform must have a platinum license to be eligible for this upgrade. This is a one-way upgrade, and it wipes out the entire configuration on that MPX platform. For more information about this upgrade, see http://support.citrix.com/article/CTX129423.

How many SSL cards (cores) are supported on a NetScaler SDX appliance?
The number of SSL cards supported varies by the platform as follows:
- SDX 17500/19500/21500: 16 cards.
- SDX 11500/13500/14500/16500/18500/20500: 16 cards.
- SDX 17550/19550/20550/21550: 36 cards.

- SDX 8400/8600: 4 cards.
Note: Instances cannot share SSL cores. Any SSL cores that are allocated at the time of provisioning an instance are dedicated to that instance.

Can I apply my VPX license to SDX?
No. NetScaler SDX and NetScaler VPX have different licensing models. One license cannot be used for the other.

Why are the hardware sensors not displayed on the NetScaler SDX 17500/19500/21500 appliance?
The NetScaler SDX 17500/19500/21500 is built on the MPX 17500/19500/21500 hardware platform. These appliance configurations do not support monitoring of hardware components.

When I upgraded my MPX to an SDX, the LCD panel went dark. Is that expected?
Yes, that is normal behavior. SDX does not support the LCD panel.

What are RX and TX errors on the NetScaler SDX appliance?
RX and TX errors include cyclic redundancy check (CRC) errors and small or runt packet errors.

What happens if a hardware component is removed from the SDX appliance?
If a hardware component is physically removed from the appliance, it no longer appears in the Management Service user interface.

Do I need to restart my appliance after I reconfigure VLAN filtering?
No. However, you need to restart the VPX instances that are affected by this change. The Management Service restarts the affected instances if you select "Reboot associated Instances" in the Enable/Disable VLAN Filter dialog box.

What is the NMI button for on the SDX appliance?
The NMI button is not operational on the SDX appliance.

Jul 25, 2017

Information and Communication Technology (ICT) is about bringing the Internet user closer to the apps and data. The latest datacenter technologies have enabled the user, apps and data to be located anywhere. A user can access apps and data from the office or from home, or from a location such as an airport. The apps and data can be located either on the enterprise's premises, in a public or private cloud, or on a hybrid host. The result has been not only increased productivity, but also reduced costs of ownership and maintenance.

Service providers offer the core infrastructure needed for carrying the user's apps and data over the network. Because the core infrastructure serves millions of subscribers and a wide variety of apps and data, requirements for scale and protocol support are very high. The core infrastructure handles two major types of traffic: data plane and control plane. Each of these planes has its own scale and protocol-support requirements.

The data plane is the part of the core infrastructure that carries user apps and data from end to end, that is, between end-user equipment and the application server. The number of users accessing apps and data is in the thousands of millions, so throughput and IP-addressing requirements are very high. Every user in the network must be uniquely identifiable. Only then can the service provider control the traffic, monitor network usage, deliver user-specific services, and log information correctly. Many of today's client devices and application servers support IPv6 natively. The core infrastructure must not only support a mix of IPv4 and IPv6 clients and servers, but also provide the technologies for cross-communication between IPv4 and IPv6. Finally, a service provider is measured by the quality of service (directly related to end-user experience) and the availability of service without disruptions. The data plane should be resilient enough to provide both quality and availability at the same time.

The control-plane infrastructure manages user traffic and maintains the business and network operations services. The most important of the many protocols that run in this plane are Diameter, Radius, and SMPP. Diameter is a base protocol over which several other function-specific protocols have been developed. For example:
- Gx interface between the Policy and Charging Enforcement Function (PCEF) and the Policy and Charging Rules Function (PCRF)
- Gy interface between the Online Charging System (OCS) and the Cisco Packet Data Network Gateway (PGW)/Policy and Charging Enforcement Function (PCEF)

The volume of control plane traffic is in direct proportion to user activity. To manage the control plane traffic, service providers use several ADC functionalities, such as load balancing and content switching. They need fine-grained control of control plane traffic, which equals data-plane traffic in complexity.

Service providers must meet demanding service-level agreements (SLAs), and are scrutinized thoroughly by regulators for compliance. Adhering to requirements while managing the data and control plane traffic requires a service provider to keep its infrastructure nimble, within budget, easily upgradable, and flexible. As the most powerful and advanced ADCs in the market today, Citrix NetScaler products are a natural fit for the service-provider environment.

Jul 25, 2017

The NetScaler appliance supports Application Layer Gateways (ALGs) for the Point-to-Point Tunneling Protocol (PPTP). PPTP is a network protocol that enables secure transfer of data from a remote client to an enterprise server by creating a tunnel across TCP/IP-based data networks. PPTP encapsulates PPP packets into IP packets for transmission over the Internet. PPTP establishes a tunnel for each communicating PPTP network server (PNS)-PPTP Access Concentrator (PAC) pair. After the tunnel is set up, enhanced generic routing encapsulation (GRE) is used to exchange PPP packets. A call ID in the GRE header indicates the session to which a particular PPP packet belongs.

The NetScaler appliance recognizes PPTP packets that arrive on the default TCP port, 1723. The appliance parses PPTP control packets, translates the call ID, and assigns a NAT IP address. For two-way data communication between the client and server, the NetScaler appliance creates an LSN session entry based on the server call ID, and an LSN session based on the client call ID. The appliance then parses the GRE data packets and translates call IDs on the basis of the two LSN session entries.

For the PPTP protocol, the NetScaler also includes a timeout setting for idle PPTP LSN sessions. If a PPTP LSN session is idle for a time that exceeds the timeout setting, the NetScaler appliance removes the session.

Limitations
The following are the limitations of PPTP ALG on a NetScaler appliance:
- PPTP ALG is not supported for hairpin LSN flow.
- PPTP ALG is not supported with any RNAT configuration.
- PPTP ALG is not supported in NetScaler clusters.

Configuring PPTP ALG
Configuring PPTP ALG on the NetScaler appliance consists of the following tasks:
- Create an LSN configuration and enable PPTP ALG on it. In an LSN configuration, the LSN group includes the PPTP ALG setting. For instructions on creating an LSN configuration, see Configuration Steps for LSN.
- (Optional) Set the global timeout for idle PPTP LSN sessions.

To enable PPTP ALG for an LSN configuration by using the NetScaler command line
At the command prompt, type:
add lsn group <groupname> -clientname <string> [-pptp ( ENABLED | DISABLED )]
show lsn group <groupname>

To set the global timeout for idle PPTP LSN sessions by using the NetScaler command line
At the command prompt, type:
set appAlgParam -pptpGreIdleTimeout <positive_integer>
show appAlgParam

In the following sample LSN configuration, PPTP ALG is enabled for subscribers in the 192.0.2.0/24 network. The idle PPTP LSN session timeout is set to 200 seconds.

> add lsn client LSN-CLIENT-1
Done

> bind lsn client LSN-CLIENT-1 -network 192.0.2.0 -netmask 255.255.255.0
Done

> add lsn pool LSN-POOL-1
Done

> bind lsn pool LSN-POOL-1 203.0.113.3
Done

> add lsn group LSN-GROUP-1 -clientname LSN-CLIENT-1 -pptp ENABLED
Done

> bind lsn group LSN-GROUP-1 -poolname LSN-POOL-1
Done

> set appAlgParam -pptpGreIdleTimeout 200
Done
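The call-ID handling described in this section, as an added Python model (not NetScaler code and not part of the original page): it validates an enhanced GRE header per RFC 2637, maps the NAT-side call ID on a server-to-client packet back to the subscriber's own call ID, and drops sessions idle longer than the 200-second timeout from the sample. The class and function names, the subscriber addresses, and the choice to number NAT-side call IDs from 1 are assumptions.

```python
import struct
from typing import Dict, List, NamedTuple, Tuple

PPTP_GRE_PROTO = 0x880B            # enhanced GRE protocol type (RFC 2637)
K_BIT, S_BIT, A_BIT = 0x2000, 0x1000, 0x0080
VER_MASK = 0x0007


class GreInfo(NamedTuple):
    call_id: int       # peer's call ID carried in the low half of the key
    payload_len: int
    header_len: int    # 8, 12 or 16 depending on the S and A bits


def parse_enhanced_gre(pkt: bytes) -> GreInfo:
    """Validate an enhanced GRE header and return its call ID and lengths."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != PPTP_GRE_PROTO or (flags & VER_MASK) != 1 or not (flags & K_BIT):
        raise ValueError("not a PPTP enhanced GRE packet")
    header_len = 8 + (4 if flags & S_BIT else 0) + (4 if flags & A_BIT else 0)
    if len(pkt) < header_len + payload_len:
        raise ValueError("packet shorter than header plus payload length")
    return GreInfo(call_id, payload_len, header_len)


def build_gre(call_id: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed enhanced GRE data packet (S bit set, no ack)."""
    flags = K_BIT | S_BIT | 1
    return struct.pack("!HHHHI", flags, PPTP_GRE_PROTO,
                       len(payload), call_id, seq) + payload


class CallIdTable:
    """Hypothetical per-NAT-IP table of PPTP calls, keyed by NAT-side call ID."""

    def __init__(self, idle_timeout: int = 200):
        self.idle_timeout = idle_timeout
        self._next = 1
        # NAT-side call ID -> [subscriber IP, subscriber's call ID, last activity]
        self._sessions: Dict[int, List] = {}

    def add_call(self, subscriber_ip: str, client_call_id: int, now: float) -> int:
        """Record a call seen on the control channel; return the NAT-side ID."""
        if len(self._sessions) >= 0xFFFF:
            raise RuntimeError("no free call IDs on this NAT IP")
        while self._next in self._sessions:
            self._next = self._next % 0xFFFF + 1
        nat_id = self._next
        self._next = self._next % 0xFFFF + 1
        self._sessions[nat_id] = [subscriber_ip, client_call_id, now]
        return nat_id

    def expire(self, now: float) -> int:
        """Remove sessions idle for longer than the timeout; return the count."""
        stale = [k for k, v in self._sessions.items()
                 if now - v[2] > self.idle_timeout]
        for key in stale:
            del self._sessions[key]
        return len(stale)

    def inbound(self, pkt: bytes, now: float) -> Tuple[str, bytes]:
        """Translate a server-to-client GRE packet; return (subscriber, packet)."""
        self.expire(now)
        info = parse_enhanced_gre(pkt)
        entry = self._sessions.get(info.call_id)
        if entry is None:
            raise KeyError("no PPTP session for call ID %d" % info.call_id)
        entry[2] = now
        # Only the 16-bit call ID at offset 6 changes; the rest is untouched.
        return entry[0], pkt[:6] + struct.pack("!H", entry[1]) + pkt[8:]


if __name__ == "__main__":
    table = CallIdTable(idle_timeout=200)
    # Constructed case: two subscribers in 192.0.2.0/24 pick the same call ID.
    first = table.add_call("192.0.2.10", 7, now=0)
    second = table.add_call("192.0.2.11", 7, now=0)
    dest, out = table.inbound(build_gre(second, 1, b"\xff\x03\xc0\x21"), now=10)
    print(first, second, dest, parse_enhanced_gre(out).call_id)
```

Both subscribers chose call ID 7, so without the rewrite the GRE call ID alone could not tell their sessions apart behind one NAT IP address.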

Jul 25, 2017

Deterministic NAT allocation for DS-Lite LSN deployments is a type of NAT resource allocation in which the NetScaler appliance pre-allocates, from the LSN NAT IP pool and on the basis of the specified port block size, an LSN NAT IP address and a block of ports to each subscriber (subscriber behind B4 device).

Note: This feature is supported in release 11.0 build 64.x and later.

The appliance sequentially allocates NAT resources to these subscribers. It assigns the first block of ports on the beginning NAT IP address to the beginning subscriber IP address. The next range of ports is assigned to the next subscriber, and so on, until the NAT address does not have enough ports for the next subscriber. At that point, the first port block on the next NAT address is assigned to the subscriber, and so on.

The NetScaler appliance logs the allocated NAT IP address and the port block for a subscriber. For a connection, a subscriber can be identified by just its mapped NAT IP address and port block. For this reason, the NetScaler appliance does not log the creation or deletion of an LSN session.

A DS-Lite subscriber can have only one deterministic port block. If the entire block of ports is being used, the NetScaler appliance drops any new connection from the subscriber.

In this example, a deterministic DS-Lite configuration includes four subscribers with IP addresses 192.0.17.5, 192.0.17.6, 192.0.17.7, and 192.0.17.8. These IPv4 subscribers are behind a B4 device having the IPv6 address 2001:DB8::3:4. In this configuration, the port block size is set to 20480 and the LSN NAT IP address pool has IP addresses in the range 203.0.113.41-203.0.113.42.

The NetScaler appliance sequentially pre-allocates, from the LSN NAT IP pool and on the basis of the set port block size, an LSN NAT IP address and a block of ports to each subscriber. It assigns the first block of ports (1024-21503) on the beginning NAT IP address (203.0.113.41) to the beginning subscriber IP address (192.0.17.5). The next range of ports is assigned to the next subscriber, and so on, until the NAT address does not have enough ports for the next subscriber. At that point, the first port block on the next NAT IP address is assigned to the subscriber, and so on. The NetScaler logs the NAT IP address and the block of ports allocated for each subscriber. The NetScaler appliance does not log any LSN session created or deleted for these subscribers.

The following table lists the NAT IP address and blocks of ports allocated to each subscriber in this example:

| Subscriber IP address | Allocated NAT IP address | Allocated Block of Ports | IPv6 address of B4 |
|-----------------------|--------------------------|--------------------------|--------------------|
| 192.0.17.5            | 203.0.113.41             | 1024 - 21503             | 2001:DB8::3:4      |
| 192.0.17.6            | 203.0.113.41             | 21504 - 41983            | 2001:DB8::3:4      |
| 192.0.17.7            | 203.0.113.41             | 41984 - 62463            | 2001:DB8::3:4      |
| 192.0.17.8            | 203.0.113.42             | 1024 - 21503             | 2001:DB8::3:4      |
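The sequential allocation described above can be modelled in a few lines, which also shows how a NAT IP address and port seen in an external log map back to exactly one subscriber without any per-session log. This is an added example, not NetScaler code; the highest usable port (65535) and the function names are assumptions, while the first port (1024) and all addresses come from the example table.

```python
import ipaddress
from collections import namedtuple

FIRST_PORT = 1024    # first port of the first block in the example table
LAST_PORT = 65535    # assumption: highest port usable on a NAT IP address

Block = namedtuple("Block", "b4 subscriber nat_ip first_port last_port")

# Subscribers from the example, in allocation order: (B4 IPv6, subscriber IPv4).
SUBSCRIBERS = [
    ("2001:db8::3:4", "192.0.17.5"),
    ("2001:db8::3:4", "192.0.17.6"),
    ("2001:db8::3:4", "192.0.17.7"),
    ("2001:db8::3:4", "192.0.17.8"),
]


def allocate(subscribers, nat_first, nat_last, block_size):
    """Pre-allocate one port block per subscriber, in the order given."""
    if not 1 <= block_size <= LAST_PORT - FIRST_PORT + 1:
        raise ValueError("port block size does not fit on one NAT IP address")
    nat_ip = ipaddress.IPv4Address(nat_first)
    last_ip = ipaddress.IPv4Address(nat_last)
    start = FIRST_PORT
    seen = set()
    table = []
    for b4, sub in subscribers:
        # A subscriber is the pair (B4 device, IPv4 address): the same IPv4
        # address behind a different B4 device is a different subscriber.
        key = (ipaddress.IPv6Address(b4), ipaddress.IPv4Address(sub))
        if key in seen:
            raise ValueError("a subscriber can have only one deterministic port block")
        seen.add(key)
        if start + block_size - 1 > LAST_PORT:
            # Not enough ports left on this NAT IP: move to the next one.
            nat_ip += 1
            start = FIRST_PORT
        if nat_ip > last_ip:
            raise ValueError("NAT pool exhausted before subscriber %s" % sub)
        table.append(Block(str(key[0]), str(key[1]), str(nat_ip),
                           start, start + block_size - 1))
        start += block_size
    return table


def identify(table, nat_ip, port):
    """Map a NAT IP address and port back to (B4, subscriber), or None."""
    for block in table:
        if block.nat_ip == nat_ip and block.first_port <= port <= block.last_port:
            return block.b4, block.subscriber
    return None


if __name__ == "__main__":
    for row in allocate(SUBSCRIBERS, "203.0.113.41", "203.0.113.42", 20480):
        print(row)
```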

You need to configure deterministic NAT as part of the DS-Lite configuration. For instructions on configuring DS-Lite, see Configuring DS-Lite. While configuring DS-Lite, make sure that you:
- Set the NAT Type parameter to Deterministic when adding the LSN pool and the LSN group.
- Set the desired port block size parameter when adding the LSN group, unless you can accept the default value.

Consider the following points before configuring deterministic DS-Lite:
- The complete IP address of each subscriber must be specified in a separate add lsn client command, by setting the Network and Netmask parameters. (Set Netmask to 255.255.255.255.) Also, the IPv6 address of the B4 device specified in the Network6 parameter must be complete (/128 prefix). In other words, the Network and Network6 parameters do not accept addresses other than a /32 bit mask and a /128 prefix, respectively.
- The NetScaler appliance drops connections from subscribers that are not specified in any deterministic DS-Lite configuration but are behind B4 devices specified in a deterministic DS-Lite configuration.
- The NetScaler appliance recognizes subscribers having the same IPv4 address as different subscribers if they are behind different B4 devices. A combination of subscriber IPv4 address and B4 device defines a unique subscriber in the LSN client entity of a DS-Lite configuration.

The following configuration uses the settings listed in section Example: Deterministic DS-Lite.

> add lsn client LSN-DSLITE-CLIENT-10
Done

> bind lsn client LSN-DSLITE-CLIENT-10 -network 192.0.17.5 -netmask 255.255.255.255 -network6 2001:DB8::3:4/128
Done

> bind lsn client LSN-DSLITE-CLIENT-10 -network 192.0.17.6 -netmask 255.255.255.255 -network6 2001:DB8::3:4/128
Done

> bind lsn client LSN-DSLITE-CLIENT-10 -network 192.0.17.7 -netmask 255.255.255.255 -network6 2001:DB8::3:4/128
Done

> bind lsn client LSN-DSLITE-CLIENT-10 -network 192.0.17.8 -netmask 255.255.255.255 -network6 2001:DB8::3:4/128
Done

> add lsn pool LSN-DSLITE-POOL-10 -nattype DETERMINISTIC
Done

> bind lsn pool LSN-DSLITE-POOL-10 203.0.113.41-203.0.113.42
Done

> add lsn ip6profile LSN-DSLITE-PROFILE-10 -type DS-Lite -network6 2001:DB8::5:6
Done

> add lsn group LSN-DSLITE-GROUP-10 -clientname LSN-DSLITE-CLIENT-10 -nattype DETERMINISTIC -portblocksize 20480 -ip6profile
Done

> bind lsn group LSN-DSLITE-GROUP-10 -poolname LSN-DSLITE-POOL-10
Done


Jul 25, 2017

Using DS-Lite with Session Initiation Protocol (SIP) is complicated, because SIP messages contain IP addresses in the SIP headers as well as in the SIP body. When LSN is used with SIP, the SIP headers contain information about the caller and the receiver, and the device translates this information to hide it from the outside network. The SIP body contains the Session Description Protocol (SDP) information, which includes IP addresses and port numbers for transmission of the media. SIP ALG for DS-Lite is compliant with RFC 3261, RFC 3581, RFC 4566, and RFC 4475.

SIP ALG for DS-Lite has the following limitations:
- Only SDP payload is supported.
- The following are not supported:
  - Multicast IP addresses
  - Encrypted SDP
  - SIP TLS
  - FQDN translation
  - SIP layer authentication
  - Admin partitions
  - NetScaler Clusters
  - Multipart body
  - Line folding

You need to configure the SIP ALG as part of the LSN configuration. For instructions on configuring LSN, see Configuring DS-Lite. While configuring LSN, make sure that you:
- Set the following parameters while adding an LSN application profile:
  - IP Pooling = PAIRED
  - Address and Port Mapping = ENDPOINT-INDEPENDENT
  - Filtering = ENDPOINT-INDEPENDENT
- Create a SIP ALG profile and make sure that you define either the source port range or destination port range.
- Bind the SIP ALG profile to the LSN group.
- Enable SIP ALG in the LSN group.

To enable SIP ALG for an LSN configuration by using the NetScaler command line

At the command prompt, type:

add lsn group -clientname [-sipalg ( ENABLED | DISABLED )]
show lsn group

To enable SIP ALG for an LSN configuration by using the NetScaler command line

At the command prompt, type:

add lsn sipalgprofile [-dataSessionIdleTimeout ] [-sipSessionTimeout ] [-registrationTimeout ] [-sipsrcportrange ] [-sipdstportrange ] [-openRegisterPinhole ( ENABLED | DISABLED )] [-openContactPinhole ( ENABLED | DISABLED )] [-openViaPinhole ( ENABLED | DISABLED )] [-openRecordRoutePinhole ( ENABLED | DISABLED )] -sipTransportProtocol ( TCP | UDP ) [-openRoutePinhole ( ENABLED | DISABLED )] [-rport ( ENABLED | DISABLED )]
show lsn sipalgprofile

In the following sample DS-Lite configuration, SIP ALG is enabled for TCP traffic from B4 devices in the network 2001:DB8::3:0/96.

> add lsn client LSN-DSLITE-CLIENT-1
Done

> bind lsn client LSN-DSLITE-CLIENT-1 -network6 2001:DB8::3:0/96
Done

> add lsn pool LSN-DSLITE-POOL-1
Done

> bind lsn pool LSN-DSLITE-POOL-1 203.0.113.61 - 203.0.113.70
Done

> add lsn ip6profile LSN-DSLITE-PROFILE-1 -type DS-Lite -network6 2001:DB8::5:6
Done

> add lsn appsprofile LSN-DSLITE-APPS-PROFILE-1 TCP -ippooling PAIRED -mapping ENDPOINT-INDEPENDENT -filtering ENDPOINT-INDEP
Done

> add lsn sipalgprofile SIPALGPROFILE-1 -sipdstportrange 5060 -sipTransportProtocol TCP
Done

> add lsn group LSN-DSLITE-GROUP-1 -clientname LSN-DSLITE-CLIENT-1 -portblocksize 1024 -ip6profile LSN-DSLITE-PROFILE-1 -sipalg
Done

> bind lsn group LSN-DSLITE-GROUP-1 -poolname LSN-DSLITE-POOL-1
Done

> bind lsn group LSN-DSLITE-GROUP-1 -appsprofilename LSN-DSLITE-APPS-PROFILE-1
Done

> bind lsn group LSN-DSLITE-GROUP-1 -sipalgprofilename SIPALGPROFILE-1
Done


Jul 25, 2017

Because of the imminent exhaustion of IPv4 addresses, ISPs have started transitioning to IPv6 infrastructure. But during the transition, ISPs must continue to support IPv4 along with IPv6, because most of the public Internet still uses IPv4. Large scale NAT64 is an IPv6 transition solution for ISPs with IPv6 infrastructure to connect their IPv6-only subscribers to the IPv4 Internet. DNS64 is a solution for enabling discovery of IPv4-only domains by IPv6-only clients. DNS64 is used with large scale NAT64 to enable seamless communication between IPv6-only clients and IPv4-only servers. A NetScaler appliance implements large scale NAT64 and DNS64 and is compliant with RFCs 6145, 6146, 6147, 6052, 3022, 2373, 2765, and 2464.

The NAT64 architecture of an ISP using a NetScaler appliance consists of IPv6 subscribers accessing the IPv4 Internet through a NetScaler appliance deployed in the ISP’s core network. IPv6 subscribers are connected to the ISP core network through the ISP’s IPv6-only access network.

The large scale NAT64 functionality of a NetScaler appliance enables communication between IPv6 clients and IPv4 servers through IPv6-to-IPv4 packet translation, and vice versa, while maintaining session information on the NetScaler appliance. NetScaler DNS64 functionality represents IPv4-only domains to IPv6 subscribers by synthesizing DNS AAAA records for IPv4-only domains and sending them to the subscribers.

Large scale NAT64 has two main components: NAT64 prefix and NAT IPv4 pool. DNS64 has one main component, DNS64 prefix, which has the same value as NAT64 prefix.

Upon receiving an AAAA request from an IPv6-only subscriber for a domain name that is hosted on an IPv4-only web server on the Internet, the NetScaler DNS64 functionality synthesizes an AAAA record for the domain name and sends it to the subscriber. The AAAA record is synthesized by concatenating the DNS64 prefix (which is set to the NAT64 prefix) and the actual IPv4 address of the domain name. The subscriber now has an IPv6 destination address that corresponds to the desired domain name. The subscriber sends the request to the synthesized IPv6 address.

Upon receiving the IPv6 request, the large scale NetScaler NAT64 functionality translates the IPv6 request packet to an IPv4 request packet. Large scale NAT64 sets the IPv4 request’s destination address to the IPv4 address, which is extracted from the IPv6 request’s destination address by stripping the NAT64 prefix from the IPv6 address. The destination port is retained from the IPv6 request. Large scale NAT64 also sets the source IP address:source port of the IPv4 packet to the NAT IP address:NAT port selected from the configured NAT pool.

The appliance maintains a record of all active sessions that use the large scale NAT64 functionality. These sessions are called large scale NAT64 sessions. The appliance also maintains the mappings between subscriber IPv6 address and port, and NAT IPv4 address and port, for each large scale NAT64 session. These mappings are called large scale NAT64 mappings. From large scale NAT64 session entries and large scale NAT64 mapping entries, the NetScaler appliance recognizes a response packet (received from the Internet) as belonging to a particular NAT64 session. When the appliance receives an IPv4 response packet belonging to a particular NAT64 session, it uses the information stored in the NAT64 session to translate the IPv4 packet into an IPv6 packet, and then sends the IPv6 response packet to the subscriber.

Consider an example of a large scale NAT64 and DNS64 deployment consisting of NetScaler appliance NS-1 and two local DNS servers, DNS-1 and DNS-2, in an ISP’s core network, and IPv6 subscriber SUB-1. SUB-1 is connected to NS-1 through the ISP’s IPv6 access network. NS-1 includes large scale NAT64 and DNS64 configurations for enabling the communication between IPv6 subscriber SUB-1 and IPv4 hosts (internal and external).

Large scale NAT64 configuration includes a NAT64 prefix (2001:DB8:300::/96) and NAT IPv4 pool for translation of IPv6 requests to IPv4 requests and IPv4 responses to IPv6 responses.

DNS64 configuration includes a DNS load balancing virtual server LBVS-DNS64-1 (2001:DB8:9999::99) and a DNS64 prefix (2001:DB8:300::/96). LBVS-DNS64-1 represents local DNS servers DNS-1 and DNS-2 to the ISP's subscribers. The DNS64 prefix, which has the same value as the NAT64 prefix, is used for synthesizing DNS AAAA records from DNS A records received from DNS servers DNS-1 and DNS-2. NS-1 responds with a synthesized AAAA record to SUB-1 for a DNS request to resolve an IPv4 host.

Traffic flows between IPv6 subscriber SUB-1 and site www.example.com, which resides on an IPv4-only web server on the Internet, as follows:

1. IPv6 subscriber SUB-1 sends a DNS AAAA request for www.example.com to its designated DNS server (2001:DB8:9999::99).
2. DNS load balancing virtual server LBVS-DNS64-1 (2001:DB8:9999::99) on NetScaler appliance NS1 receives the AAAA request. LBVS-DNS64-1's load balancing algorithm selects DNS server DNS-1 and forwards the AAAA request to it.
3. DNS-1 returns an empty record or an error message, because there is no AAAA record available for www.example.com.
4. Because the DNS64 option is enabled on LBVS-DNS64-1 and the AAAA request from CL1 matches the condition specified in DNS64-Policy-1, NS1 sends a DNS A request to DNS-1 for the IPv4 address of www.example.com.
5. DNS-1 responds with the A record of 192.0.2.60 for www.example.com.
6. DNS64 module on NS1 synthesizes an AAAA record for www.example.com by concatenating the DNS64 Prefix (2001:DB8:300::/96) associated with LBVS-DNS64-1, and IPv4 address (192.0.2.60) for www.example.com = 2001:DB8:300::192.0.2.60
7. NS1 sends the synthesized AAAA record to IPv6 client CL1. NS1 also caches the A record into its memory. NS1 uses the cached A record to synthesize AAAA records for subsequent AAAA requests.

1. IPv6 subscriber SUB-1 sends a request to 2001:DB8:5001:30 (www.example.com). The IPv6 packet has:
   - Source IP address = 2001:DB8:5001:30
   - Source port = 2552
   - Destination IP address = 2001:DB8:300::192.0.2.60
   - Destination port = 80
2. IPv6 subscriber SUB-1 sends a request to 2001:DB8:5001:30 (www.example.com). The IPv6 packet has:
   - Source IP address = 2001:DB8:5001:30
   - Source port = 2552
   - Destination IP address = 2001:DB8:300::192.0.2.60
   - Destination port = 80
3. When NS-1 receives the IPv6 packet, the large scale NAT64 module creates a translated IPv4 request packet with:
   - Source IP address = One of the IPv4 addresses available in the configured NAT pool (203.0.113.61)
   - Source port = One of ports available with the allocated NAT IPv4 address (3002)
   - Destination IP address = IPv4 address extracted from the IPv6 request’s destination address by stripping the NAT64 prefix (2001:DB8:300::/96) from the IPv6 address (192.0.2.60)
   - Destination port = IPv6 request’s destination port (80)
4. The large scale NAT64 module also creates mapping and session entries for this large scale NAT64 flow. The session and mapping entries include the following information:
   - Source IP address of the IPv6 packet = 2001:DB8:5001:30
   - Source port of the IPv6 packet = 2552
   - NAT IP address = 203.0.113.61
   - NAT port = 3002
   NS-1 sends the resulting IPv4 packet to its destination on the Internet.
5. Upon receiving the request packet, the server for www.example.com processes the packet and sends a response packet to NS-1. The IPv4 response packet has:
   - Source IP address = 192.0.2.60
   - Source port = 80
   - Destination IP address = 203.0.113.61
   - Destination port = 3002
6. Upon receiving the IPv4 response packet, NS-1 examines the large scale NAT64 mapping and session entries and finds that the IPv4 response packet belongs to a large scale NAT64 session. The large scale NAT64 module creates a translated IPv6 response packet:
   - Source IP address = 2001:DB8:300::192.0.2.60
   - Source port = 80
   - Destination IP address = 2001:DB8:5001:30
   - Destination port = 2552
7. NS-1 sends the translated IPv6 response to client SUB-1.
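The DNS64 synthesis and the NAT64 request and response translation walked through above, as an added example that is not NetScaler code. It goes beyond the /96 case in the walkthrough by embedding the IPv4 address as RFC 6052 defines it for prefix lengths 32, 40, 48, 56, 64 and 96; the subscriber address 2001:db8:5001::30, the class and function names, and the simple port counter starting at 3002 are constructed assumptions.

```python
import ipaddress

PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)   # lengths defined by RFC 6052


def _parse_prefix(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in PREFIX_LENGTHS:
        raise ValueError("unsupported NAT64/DNS64 prefix length /%d" % net.prefixlen)
    return net


def synthesize_aaaa(prefix, ipv4):
    """DNS64: embed the IPv4 address of an A record in the prefix."""
    net = _parse_prefix(prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    base = int(net.network_address)
    if net.prefixlen == 96:
        return str(ipaddress.IPv6Address(base | v4))
    # Shorter prefixes split the IPv4 address around bits 64-71, which
    # RFC 6052 reserves and requires to be zero.
    hi_bits = 64 - net.prefixlen        # IPv4 bits placed before bit 64
    lo_bits = 32 - hi_bits              # IPv4 bits placed from bit 72 on
    hi = v4 >> lo_bits
    lo = v4 & ((1 << lo_bits) - 1)
    return str(ipaddress.IPv6Address(base | (hi << 64) | (lo << (56 - lo_bits))))


def extract_ipv4(prefix, ipv6):
    """NAT64: strip the prefix from a destination to recover the IPv4 address."""
    net = _parse_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError("%s is not inside %s" % (addr, net))
    a = int(addr)
    if net.prefixlen == 96:
        return str(ipaddress.IPv4Address(a & 0xFFFFFFFF))
    hi_bits = 64 - net.prefixlen
    lo_bits = 32 - hi_bits
    hi = (a >> 64) & ((1 << hi_bits) - 1)
    lo = (a >> (56 - lo_bits)) & ((1 << lo_bits) - 1)
    return str(ipaddress.IPv4Address((hi << lo_bits) | lo))


class Nat64:
    """Toy stateful translator with one NAT IP address (illustrative only)."""

    def __init__(self, prefix, nat_ip, first_port):
        self.prefix = prefix
        self.nat_ip = nat_ip
        self.next_port = first_port     # assumption: ports handed out in order
        self.mappings = {}              # (subscriber IPv6, port) -> NAT port
        self.sessions = {}              # NAT port -> (subscriber IPv6, port)

    def outbound(self, src6, sport, dst6, dport):
        """Translate an IPv6 request; returns (src4, sport4, dst4, dport)."""
        dst4 = extract_ipv4(self.prefix, dst6)
        key = (str(ipaddress.IPv6Address(src6)), sport)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.sessions[self.next_port] = key
            self.next_port += 1
        return (self.nat_ip, self.mappings[key], dst4, dport)

    def inbound(self, src4, sport, dst4, dport):
        """Translate an IPv4 response, or return None if no session matches."""
        key = self.sessions.get(dport) if dst4 == self.nat_ip else None
        if key is None:
            return None
        return (synthesize_aaaa(self.prefix, src4), sport, key[0], key[1])


if __name__ == "__main__":
    nat = Nat64("2001:db8:300::/96", "203.0.113.61", 3002)
    dst6 = synthesize_aaaa("2001:db8:300::/96", "192.0.2.60")
    print(nat.outbound("2001:db8:5001::30", 2552, dst6, 80))
    print(nat.inbound("192.0.2.60", 80, "203.0.113.61", 3002))
```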

Large scale NAT64 on a NetScaler appliance supports the standard LSN feature set. For more information on these LSN features, see http://docs.citrix.com/en-us/netscaler/11/solutions/netscaler-support-for-telecom-service-providers/lsnintroduction.html. Following are some of the large scale NAT64 features supported on NetScaler appliances:
- ALGs. Support of Application Layer Gateway (ALG) for SIP, RTSP, FTP, ICMP, and TFTP protocols.
- Deterministic/Fixed NAT. Support for pre-allocation of blocks of ports to subscribers to minimize logging.
- Mapping. Support of Endpoint-independent mapping (EIM), Address-dependent mapping (ADM), and Address-Port dependent mapping (APDM).
- Filtering. Support of Endpoint-Independent Filtering (EIF), Address-Dependent Filtering (ADF), and Address-Port-Dependent Filtering (APDF).
- Quotas. Configurable limits on number of ports, sessions per subscriber, and sessions per LSN group.
- Static Mapping. Support for manually defining a large scale NAT64 mapping.
- Hairpin Flow. Support for communication between subscribers or internal hosts using NAT IP addresses.
- 464XLAT connections. Support for communication between IPv4-only applications on IPv6 subscriber hosts and IPv4 hosts on the Internet through IPv6 network.
- Variable length NAT64 and DNS64 prefixes. The NetScaler appliance supports defining NAT64 and DNS64 prefixes of lengths of 32, 40, 48, 56, 64, and 96.
- Multiple NAT64 and DNS64 prefix. The NetScaler appliance supports multiple NAT64 and DNS64 prefixes.
- LSN Clients. Support for specifying or identifying subscribers for large scale NAT64 by using IPv6 prefixes and extended ACL6 rules.
- Logging. Support for logging NAT64 sessions for law enforcement. In addition, the following are also supported for logging:
  - Reliable SYSLOG. Support for sending SYSLOG messages over TCP to external log servers for a more reliable transport mechanism.
  - Load balancing of log servers. Support for load balancing of external log servers for preventing storage of redundant log messages.
  - Minimal Logging. Deterministic LSN configurations or Dynamic LSN configurations with port block significantly reduce the large scale NAT64 log volume.
  - Logging MSISDN information. Support for including subscribers' MSISDN information in large scale NAT64 logs to identify and track subscriber activity over the Internet.


Jul 25, 2017

Creating the required entities for stateful NAT64 configuration on the NetScaler appliance involves the following procedures:
- Add DNS services. DNS services are logical representations of DNS servers for which the NetScaler appliance acts as a DNS proxy server. For more information on setting optional parameters of a service, see "Load Balancing".
- Add DNS64 action and DNS64 policy and then bind the DNS64 action to the DNS64 policy. A DNS64 policy specifies conditions to be matched against traffic for DNS64 processing according to the settings in the associated DNS64 action. The DNS64 action specifies the mandatory DNS64 prefix and the optional exclude-rule and mapped-rule settings.
- Create a DNS load balancing virtual server and bind the DNS services and the DNS64 policy to it. The DNS load balancing virtual server acts as a DNS proxy server for DNS servers represented by the bound DNS services. Traffic arriving at the virtual server is matched against the bound DNS64 policy for DNS64 processing. For more information on setting optional parameters of a load balancing virtual server, see "Load Balancing".
  The command line interface has separate commands for these two tasks, but the NetScaler GUI combines them in a single dialog box.
- Enable caching of DNS records. Enable the global parameter for the NetScaler appliance to cache DNS records, which are obtained through DNS proxy operations. For more information on enabling caching of DNS records, see "Enabling Caching of DNS Records".

To create a service of type DNS by using the command line interface

At the command prompt, type:

add service …

To create a DNS64 action by using the command line interface

At the command prompt, type:

add dns action64 -Prefix [-mappedRule ] [-excludeRule ]

To create a DNS64 policy by using the command line interface

At the command prompt, type:

add dns policy64 -rule -action

To create a DNS load balancing virtual server by using the command line interface

At the command prompt, type:

add lb vserver DNS -dns64 (ENABLED | DISABLED) [-bypassAAAA ( YES | NO)] …

To bind the DNS services and the DNS64 policy to the DNS load balancing virtual server by using the command line interface

At the command prompt, type:

bind lb vserver ...
bind lb vserver -policyName -priority ...

> add service SVC-DNS-1 203.0.113.50 DNS 53
Done

> add service SVC-DNS-2 203.0.113.60 DNS 53
Done

> add dns Action64 DNS64-Action-1 -Prefix 2001:DB8:300::/96
Done

> add dns Policy64 DNS64-Policy-1 -rule "CLIENT.IPv6.SRC.IN_SUBNET(2001:DB8:5001::/64)" -action DNS64-Action-1
Done

> add lb vserver LBVS-DNS64-1 DNS 2001:DB8:9999::99 53 -dns64 ENABLED
Done

> bind lb vserver LBVS-DNS64-1 SVC-DNS-1
Done

> bind lb vserver LBVS-DNS64-1 SVC-DNS-2
Done

> bind lb vserver LBVS-DNS64-1 -policyname DNS64-Policy-1 -priority 2
Done


Jul 25, 2017

Using Large Scale NAT64 with Session Initiation Protocol (SIP) is complicated, because SIP messages contain IP addresses in the SIP headers as well as in the SIP body. When LSN is used with SIP, the SIP headers contain information about the caller and the receiver, and the device translates this information to hide it from the outside network. The SIP body contains the Session Description Protocol (SDP) information, which includes IP addresses and port numbers for transmission of the media. SIP ALG for large scale NAT64 is compliant with RFC 3261, RFC 3581, RFC 4566, and RFC 4475.

SIP ALG for large scale NAT64 has the following limitations:
- Only SDP payload is supported.
- The following are not supported:
  - Multicast IP addresses
  - Encrypted SDP
  - SIP TLS
  - FQDN translation
  - SIP layer authentication
  - Traffic Domains
  - Admin partitions
  - NetScaler Clusters
  - Multipart body
  - Line folding

You need to configure the SIP ALG as part of the LSN configuration. For instructions on configuring LSN, see Configuration Large Scale NAT64. While configuring LSN, make sure that you:
- Set the following parameters while adding an LSN application profile:
  - IP Pooling = PAIRED
  - Address and Port Mapping = ENDPOINT-INDEPENDENT
  - Filtering = ENDPOINT-INDEPENDENT
- Create a SIP ALG profile and make sure that you define either the source port range or destination port range.
- Bind the SIP ALG profile to the LSN group.
- Enable SIP ALG in the LSN group.

To enable SIP ALG for an LSN configuration by using the NetScaler command line

At the command prompt, type:

add lsn group -clientname [-sipalg ( ENABLED | DISABLED )]
show lsn group

To enable SIP ALG for an LSN configuration by using the NetScaler command line

At the command prompt, type:

add lsn sipalgprofile [-dataSessionIdleTimeout ] [-sipSessionTimeout ] [-registrationTimeout ] [-sipsrcportrange ] [-sipdstportrange ] [-openRegisterPinhole ( ENABLED | DISABLED )] [-openContactPinhole ( ENABLED | DISABLED )] [-openViaPinhole ( ENABLED | DISABLED )] [-openRecordRoutePinhole ( ENABLED | DISABLED )] -sipTransportProtocol ( TCP | UDP ) [-openRoutePinhole ( ENABLED | DISABLED )] [-rport ( ENABLED | DISABLED )]
show lsn sipalgprofile

In the following sample large scale NAT64 configuration, SIP ALG is enabled for TCP traffic from subscriber devices in the network 2001:DB8:1003::/96.

> add lsn client LSN-NAT64-CLIENT-9
Done

> bind lsn client LSN-NAT64-CLIENT-9 -network6 2001:DB8:1002::/96
Done

> add lsn pool LSN-NAT64-POOL-9
Done

> bind lsn pool LSN-NAT64-POOL-9 203.0.113.90
Done

> add lsn ip6profile LSN-NAT64-PROFILE-9 -type NAT64 -natprefix 2001:DB8:309::/96
Done

> add lsn appsprofile LSN-NAT64-APPS-PROFILE-9 TCP -ippooling PAIRED -mapping ENDPOINT-INDEPENDENT -filtering ENDPOINT-INDEP
Done

> add lsn sipalgprofile SIPALGPROFILE-9 -sipdstportrange 5060 -sipTransportProtocol TCP
Done

> add lsn group LSN-NAT64-GROUP-9 -clientname LSN-NAT64-CLIENT-9 -ip6profile LSN-NAT64-PROFILE-9 -sipalg ENABLED
Done

> bind lsn group LSN-NAT64-GROUP-9 -poolname LSN-NAT64-POOL-9
Done

> bind lsn group LSN-NAT64-GROUP-9 -appsprofilename LSN-NAT64-APPS-PROFILE-9
Done

> bind lsn group LSN-NAT64-GROUP-9 -sipalgprofilename SIPALGPROFILE-9
Done
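A sketch of the rewriting a SIP ALG has to perform for the reason given in this section and in the DS-Lite SIP ALG section earlier: the subscriber's address appears in the SIP headers and again in the SDP body, so both are rewritten and Content-Length is recomputed. This is an added example, not NetScaler code; the message, the subscriber address 2001:db8:1002::10, the NAT ports and the choice of Via and Contact as the rewritten headers are constructed assumptions, and only the pool address 203.0.113.90 comes from the sample configuration.

```python
import re

CRLF = "\r\n"
REWRITTEN_HEADERS = ("via", "contact")   # assumption: headers this sketch touches


def _header(headers, name):
    """Return the value of the first header called `name` (lower case), or ''."""
    for h in headers:
        key, _, value = h.partition(":")
        if key.strip().lower() == name:
            return value.strip()
    return ""


def rewrite_outbound(message, sub_ip, nat_ip, port_map):
    """Rewrite subscriber addresses in a cleartext SIP request carrying SDP.

    sub_ip   : subscriber IPv6 address exactly as written in the message
    nat_ip   : NAT IPv4 address that replaces it
    port_map : {subscriber port: NAT port} for signalling and media ports
    """
    head, sep, body = message.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no blank line between SIP headers and body")
    headers = head.split(CRLF)
    # Mirror two limitations listed above: no line folding, SDP payload only.
    if any(h[:1] in (" ", "\t") for h in headers[1:]):
        raise ValueError("line folding is not supported")
    ctype = _header(headers, "content-type").lower()
    if body and not ctype.startswith("application/sdp"):
        raise ValueError("only an SDP payload is supported")

    host = re.compile(r"\[" + re.escape(sub_ip) + r"\](?::(\d+))?")

    def swap(match):
        port = match.group(1)
        if port is None:
            return nat_ip
        return "%s:%d" % (nat_ip, port_map[int(port)])

    # SDP body: origin (o=) and connection (c=) addresses, media (m=) ports.
    sdp = []
    for line in body.split(CRLF):
        if line.startswith(("o=", "c=")):
            line = line.replace("IN IP6 " + sub_ip, "IN IP4 " + nat_ip)
        elif line.startswith("m="):
            fields = line.split(" ")
            fields[1] = str(port_map[int(fields[1])])
            line = " ".join(fields)
        sdp.append(line)
    new_body = CRLF.join(sdp)

    # Headers: rewrite addresses, then fix the length of the changed body.
    out = [headers[0]]
    for h in headers[1:]:
        name = h.partition(":")[0].strip().lower()
        if name in REWRITTEN_HEADERS:
            h = host.sub(swap, h)
        elif name == "content-length":
            h = "Content-Length: %d" % len(new_body.encode("utf-8"))
        out.append(h)
    return CRLF.join(out) + CRLF + CRLF + new_body


def sample_invite():
    """Constructed INVITE from a subscriber in 2001:DB8:1002::/96."""
    body = CRLF.join([
        "v=0",
        "o=alice 2890844526 2890844526 IN IP6 2001:db8:1002::10",
        "s=-",
        "c=IN IP6 2001:db8:1002::10",
        "t=0 0",
        "m=audio 49170 RTP/AVP 0",
    ]) + CRLF
    head = CRLF.join([
        "INVITE sip:bob@example.com SIP/2.0",
        "Via: SIP/2.0/TCP [2001:db8:1002::10]:5060;branch=z9hG4bKconstructed1",
        "Max-Forwards: 70",
        "From: <sip:alice@example.net>;tag=1",
        "To: <sip:bob@example.com>",
        "Call-ID: constructed-call-1",
        "CSeq: 1 INVITE",
        "Contact: <sip:alice@[2001:db8:1002::10]:5060;transport=tcp>",
        "Content-Type: application/sdp",
        "Content-Length: %d" % len(body),
    ])
    return head + CRLF + CRLF + body


if __name__ == "__main__":
    print(rewrite_outbound(sample_invite(), "2001:db8:1002::10",
                           "203.0.113.90", {5060: 1030, 49170: 1032}))
```

The rewrite only works on a message the device can read, which is consistent with SIP TLS and encrypted SDP being listed as unsupported.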


Jul 25, 2017

Mapping Address and Port using Translation (MAP-T) is an IPv6 transition solution for ISPs with IPv6 infrastructure to connect their IPv4 subscribers to the IPv4 Internet. MAP-T is built on stateless IPv4 and IPv6 address translation technologies. MAP-T is a mechanism that performs double translation (IPv4 to IPv6 and vice versa) on customer edge (CE) devices and border routers (in the ISP core network).

In a MAP-T deployment, the CE device implements a combination of stateful NAPT44 translation and stateless NAT46 translation. The CE device obtains the NAT-IP and the port-block to be used for translation through DHCPv6 or any other method. When an IPv4 packet from a subscriber device arrives at the CE device, the CE device performs NAPT44 and stores the NAPT44 binding information. After NAT44 translation, the packet is subjected to NAT46 translation and then forwarded to the border router (BR) device located in the ISP's core network.

The BR device receives the IPv6 packets from the CE device, extracts and validates the NAT-IP and port-block embedded in the IPv6 header, and forwards the IPv4 packet to the IPv4 Internet. When the BR receives an IPv4 packet from the Internet, it translates the IPv4 packet to an IPv6 packet and sends the IPv6 packet to the CE device.

MAP-T is stateless on a BR device, so it does not require the BR device to perform NAT on the traffic. Instead, NAT functionality is delegated to the CE devices. This delegation and the stateless functionality in BR devices allow the BR deployment to scale in proportion to the volume of traffic. The NetScaler appliance implements the BR functionality of a MAP-T solution as described by RFC 7599.

Configuring MAP-T on a NetScaler appliance consists of the following tasks:

Add a default mapping rule
Add a basic mapping rule
Bind an IPv4 NAT address range of CE devices to a basic mapping rule
Add a map domain and bind a basic mapping rule and default mapping rule to the domain

To add a default mapping rule by using the NetScaler command line

At the command prompt, type:

add MapDmr -BRIpv6Prefix ( | <*> )

show MapDmr

To add a basic mapping rule by using the NetScaler command line

At the command prompt, type:

add MapBmr -RuleIpv6Prefix | <*> [-psidoffset ] [-EAbitLength ] [-psidlength ]

show MapBmr


To bind an IPv4 NAT address range of CE devices to a basic mapping rule by using the NetScaler command line

At the command prompt, type:

bind MapBmr (-network [-netmask ])

show MapBmr

To add a map domain by using the NetScaler command line

At the command prompt, type:

add MapDomain -MapDmrName

show MapDomain

To bind a basic mapping rule to a map domain by using the NetScaler command line

At the command prompt, type:

bind MapDomain -MapBmrName

show MapDomain

> add mapdmr DMR-1 -BRIpv6Prefix 2002:db8::/64

Done

> add mapbmr BMR-1 -ruleIpv6Prefix 2002:db8:89ab::/48 -eAbitLength 16 -psidlength 8 -psidoffset 6

Done

> bind mapbmr BMR-1 -network 192.0.1.0 -netmask 255.255.255.0

Done

> add MapDomain MAP-DOMAIN-1 -mapdmrname DMR-1

Done

> bind MapDomain MAP-DOMAIN-1 -mapbmrname BMR-1

Done
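The BR-side check described above (extract and validate the NAT-IP and port-block embedded in the IPv6 source address), worked through for the BMR-1 values in this example. This is an added illustration, not NetScaler code: it follows the RFC 7597/7599 address format for the shared-IPv4-address case, and the class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BasicMappingRule:
    """Hypothetical container for the parameters given to BMR-1 above."""
    ipv6_prefix: ipaddress.IPv6Network   # -ruleIpv6Prefix
    ipv4_prefix: ipaddress.IPv4Network   # bind mapbmr -network / -netmask
    ea_bits: int                         # -eAbitLength
    psid_len: int                        # -psidlength
    psid_offset: int                     # -psidoffset

    def __post_init__(self):
        # Shared-address case only: EA bits = IPv4 suffix bits + PSID bits.
        if 32 - self.ipv4_prefix.prefixlen + self.psid_len != self.ea_bits:
            raise ValueError("EA bits must equal IPv4 suffix bits + PSID length")
        if self.ipv6_prefix.prefixlen + self.ea_bits > 64:
            raise ValueError("rule prefix + EA bits must not exceed 64 bits")
        if self.psid_offset + self.psid_len > 16:
            raise ValueError("PSID offset + PSID length must fit in a port")


BMR_1 = BasicMappingRule(
    ipaddress.IPv6Network("2002:db8:89ab::/48"),
    ipaddress.IPv4Network("192.0.1.0/255.255.255.0"),
    ea_bits=16, psid_len=8, psid_offset=6)


def ce_address(bmr, ipv4, psid):
    """MAP IPv6 address a CE derives from its public IPv4 address and PSID."""
    ipv4 = ipaddress.IPv4Address(ipv4)
    if ipv4 not in bmr.ipv4_prefix or not 0 <= psid < (1 << bmr.psid_len):
        raise ValueError("IPv4 address or PSID is outside the rule")
    suffix = int(ipv4) & int(bmr.ipv4_prefix.hostmask)
    ea = (suffix << bmr.psid_len) | psid
    shift = 128 - bmr.ipv6_prefix.prefixlen - bmr.ea_bits
    prefix = int(bmr.ipv6_prefix.network_address) | (ea << shift)
    # Interface ID: 16 zero bits | 32-bit IPv4 address | PSID padded to 16 bits
    return ipaddress.IPv6Address(prefix | (int(ipv4) << 16) | psid)


def decode_source(bmr, src6):
    """Recover (IPv4 address, PSID) from the EA bits and cross-check the IID."""
    src6 = ipaddress.IPv6Address(src6)
    if src6 not in bmr.ipv6_prefix:
        raise ValueError("source is outside the rule IPv6 prefix")
    shift = 128 - bmr.ipv6_prefix.prefixlen - bmr.ea_bits
    ea = (int(src6) >> shift) & ((1 << bmr.ea_bits) - 1)
    psid = ea & ((1 << bmr.psid_len) - 1)
    ipv4 = ipaddress.IPv4Address(
        int(bmr.ipv4_prefix.network_address) | (ea >> bmr.psid_len))
    if int(src6) & ((1 << 64) - 1) != (int(ipv4) << 16) | psid:
        raise ValueError("interface identifier does not match the EA bits")
    return ipv4, psid


def port_in_set(bmr, psid, port):
    """Port layout: A (psid_offset bits) | PSID (psid_len bits) | M (the rest)."""
    m_bits = 16 - bmr.psid_offset - bmr.psid_len
    if bmr.psid_offset > 0 and port >> (16 - bmr.psid_offset) == 0:
        return False  # A = 0 is excluded, which keeps the low ports unused
    return (port >> m_bits) & ((1 << bmr.psid_len) - 1) == psid


def validate_upstream(bmr, src6, sport):
    """Verdict for an IPv6 packet arriving from a CE, before NAT64 to IPv4."""
    try:
        ipv4, psid = decode_source(bmr, src6)
    except ValueError as exc:
        return f"drop: {exc}"
    if not port_in_set(bmr, psid, sport):
        return f"drop: port {sport} is not in the port set of PSID {psid:#x}"
    return f"accept: {ipv4}:{sport}"


if __name__ == "__main__":
    ce = ce_address(BMR_1, "192.0.1.18", 0x34)
    for port in (1232, 1236, 208):
        print(ce, port, validate_upstream(BMR_1, ce, port))
```

With a PSID offset of 6 and a PSID length of 8, each CE owns 63 blocks of 4 ports, so a source port outside those blocks, or an interface identifier that disagrees with the EA bits, marks a packet that did not come from the CE it claims to be.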


Jul 25, 2017

The number of subscribers in a telco network is increasing at an unprecedented rate, and managing them is becoming a challenge for service providers. Newer, faster, and smarter devices are placing high demand on the network and the subscriber management systems. It is no longer feasible to provide each subscriber the same standard of service, and the need for traffic processing on a per-subscriber basis is imperative.

The NetScaler appliance provides the intelligence to profile subscribers on the basis of their information stored in the Policy and Charging Rules Function (PCRF). When a mobile subscriber connects to the Internet, the packet gateway associates an IP address with the subscriber and forwards the data packet to the appliance. The appliance receives the subscriber information dynamically, or you can configure static subscribers. This information enables the NetScaler to apply its rich traffic management capabilities, such as content switching, integrated caching, rewrite, and responder, on a per-subscriber basis to manage the traffic.

Before you configure the NetScaler appliance to manage subscribers, you must allocate memory to the module that stores subscriber sessions. For dynamic subscribers, you must configure an interface through which the appliance receives session information. Static subscribers must be assigned IDs, and you can associate them with policies.

You can also do the following:

Subscriber policy enforcement and management.
Configure the appliance to uniquely identify a subscriber by using only the IPv6 prefix instead of the complete IPv6 address.
Use policies to optimize TCP traffic for both dynamic and static subscribers. These policies associate different TCP profiles with different types of users.
Manage idle sessions on a NetScaler appliance.
Enable logging to a log server.
Remove LSN sessions for deleted subscriber sessions.

Each subscriber session entry consumes 1 KB of memory. Storing 500,000 subscriber sessions at any point in time requires 500 MB of memory. T his value must be added to the minimum memory requirement, which is shown as part of the output of the “show extendedmemoryparam” command. In the following example, the output is for a NetScaler VPX instance with 3 packet engines and 8 GB memory. To store 500,000 subscriber sessions on this appliance, the configured memory must be 2058+500 MB (500,000 x 1 KB = 500 MB.)

The configured memory must be in multiples of 2 MB and must not exceed the maximum memory usage limit. The appliance must be restarted for the changes to take effect.


> show extendedmemoryparam

Extended Memory Global Configuration. This memory is utilized by LSN and Subscriber Session Store Modules:

Active Memory Usage: 0 MBytes

Configured Memory Limit: 0 MBytes

Minimum Memory Required: 2058 MBytes

Maximum Memory Usage Limit: 2606 MBytes

Done

> set extendedmemoryparam -memLimit 2558

Done

> show extendedmemoryparam

Extended Memory Global Configuration. This memory is utilized by LSN and Subscriber Session Store Modules:

Active Memory Usage: 2558 MBytes

Configured Memory Limit: 2558 MBytes

Minimum Memory Required: 2058 MBytes

Maximum Memory Usage Limit: 2606 MBytes

Done

The NetScaler appliance dynamically receives the subscriber information through any of the following types of interface:

Gx Interface
RADIUS Interface
RADIUS and Gx Interface


High availability (HA) is supported from release 11.0 build 63.x. In an HA setup, the subscriber sessions are continually synchronized on the secondary node. In the event of a failover, the subscriber information is still available on the secondary node.

Gx Interface

A Gx interface (as specified in 3GPP 29.212) is a standard interface based on the Diameter protocol that allows exchange of policy control and charging rules between a PCRF and a Policy and Charging Enforcement Function (PCEF) entity in a Telco network.

As soon as an IP-CAN session is established, the packet gateway forwards the subscriber ID, such as the MSISDN, and Framed-IP address information about the subscriber to the PCRF as a Diameter message. When the data packet arrives at the appliance from the packet gateway (PGW), the appliance uses the subscriber IP address to query the PCRF to get the subscriber information. This is also known as secondary PCEF functionality.

The Policy and Charging Control (PCC) rules received by the appliance over the Gx interface are stored on the appliance for the duration of the subscriber session, that is, until the PCRF sends a Re-Auth-Request (RAR) message with a Session-Release-Cause AVP or the subscriber session is terminated from the NetScaler command line or the configuration utility. If there are any updates to an existing subscriber, the PCRF sends the updates in an RAR message. A subscriber session is initiated when a subscriber logs on to the network, and terminated when the subscriber logs off.

The following illustration shows the high-level traffic flow. It assumes that the data plane traffic is HTTP. The appliance sends a Credit Control Request (CCR) over a Gx interface to the PCRF server and, in the credit control answer (CCA), receives the PCC rules and, optionally, other information, such as the Radio Access Technology (RAT) type, that applies to the particular subscriber. PCC rules include one or more policy (rule) names and other parameters. The appliance uses this information to retrieve the predefined rules stored on the appliance, and to direct the flow of traffic. It also stores this information in the subscriber policy and enforcement management system for the duration of the subscriber session. After a subscriber session is terminated, the appliance discards all the information about the subscriber.


The following example shows the commands for configuring a Gx interface. The commands are in boldface.

To set up a Gx interface, perform the following tasks:

1. Add a DIAMETER service for each Gx interface. For example:

> add service pcrf-svc1 203.0.113.1 DIAMETER 3868

> add service pcrf-svc2 203.0.113.2 DIAMETER 3868

2. Add a non-addressable DIAMETER load balancing virtual server and bind the services created in step 1 to this virtual server. For more than one service, specify a persistenceType and the persistAVPno so that specific sessions are handled by the same PCRF server. For example:

> add lb vserver vdiam DIAMETER 0.0.0.0 0 -persistenceType DIAMETER -persistAVPno 263

> bind lb vserver vdiam pcrf-svc1

> bind lb vserver vdiam pcrf-svc2

3. Configure the NetScaler Diameter identity and realm. Identity and realm are used as the Origin-Host and Origin-Realm AVPs in Diameter messages sent by the Gx client. For example:

> set ns diameter -identity netscaler.com -realm com

4. Configure the Gx interface to use the virtual server created in step 2 as the PCRF virtual server. Specify the PCRF realm to use as the Destination-Realm AVP in Diameter messages sent by the Gx client. For example:

> set subscriber gxInterface -vServer vdiam -pcrfRealm pcrf.com

5. Set the subscriber interface type to GxOnly. For example:

> set subscriber param -interfaceType GxOnly

6. To see the Gx interface configuration and status, type:

> show subscriber gxinterface


> show subscriber gxinterface

Gx Interface parameters:

PCRF Vserver: vdiam (UP)

Gx Client Identity...: netscaler.com

Gx Client Realm ..........: com

PCRF Realm: pcrf.com

Hold Packets On Subscriber Absence: YES

CCR Request Timeout: 10 Seconds

CCR Request Retry Attempts: 3

RevalidationTimeout: 1200 Seconds

NegativeTTL: 120 Seconds

ServicePath AVP code: 262099

ServicePath AVP VendorID: 3845

PCRF Connection State: Gx Connection Established with PCRF.

Done

ARGUMENTS

vServer

Name of the load balancing or content switching virtual server to which the Gx connections are established. The service type of the virtual server must be DIAMETER or SSL_DIAMETER. This parameter is mutually exclusive with the service parameter. Therefore, you cannot set both service and the virtual server in the Gx interface.

Service

Name of the DIAMETER or SSL_DIAMETER service corresponding to the PCRF to which the Gx connection is established. This parameter is mutually exclusive with the vserver parameter. Therefore, you cannot set both service and the virtual server in the Gx interface.

pcrfRealm

The realm of the PCRF to which the message is to be routed. This is the realm used in the Destination-Realm AVP by the NetScaler Gx client (as a Diameter node).


holdOnSubscriberAbsence

Set to Yes to hold packets until the subscriber session information is fetched from the PCRF server. If set to No, the default subscriber profile is applied until the subscriber session information is fetched from the PCRF server. If a default subscriber profile is not configured, an UNDEF is raised for expressions that use subscriber attributes.

requestTimeout

Time, in seconds, within which the Gx CCR request must complete. If the request does not complete within this time, the request is retransmitted for the number of times specified in the requestRetryAttempts parameter. If the request is not complete even after retransmitting, then the default subscriber profile is applied to this subscriber. If a default subscriber profile is not configured, an UNDEF is raised for expressions that use subscriber attributes. Zero disables the timeout.

Default value: 10

requestRetryAttempts

Specify the number of times a request must be retransmitted if the request does not complete within the value specified in the requestTimeout parameter.

Default value: 3

revalidationTimeout

Time, in seconds, after which the Gx CCR-U request is sent after any PCRF activity on a session. Any RAR or CCA message resets the timer. Zero value disables the idle timeout.

negativeTTL

Time, in seconds, after which the Gx CCR-I request is resent for sessions that have not been resolved by the PCRF because the server is down or there is no response or a failed response is received. Instead of polling the PCRF server constantly, a negative-TTL makes the appliance hold on to an unresolved session. For negative sessions, the appliance inherits the attributes from the default subscriber profile, if one is configured, and from the RADIUS accounting message, if one is received. Zero value disables the negative sessions. The appliance does not install negative sessions even if a subscriber session could not be fetched.

Default value: 600

servicePathAVP

The AVP code in which the PCRF sends the service path applicable to a subscriber.

servicePathVendorid

The vendor ID of the AVP in which the PCRF sends the service path applicable to a subscriber.

RADIUS Interface

With a RADIUS interface, the packet gateway forwards the subscriber information in a RADIUS Accounting Start message to the appliance through the RADIUS interface as soon as an IP-CAN session is established. A service of type RADIUSListener processes RADIUS Accounting messages. Add a shared secret for the RADIUS client. If a shared secret is not configured, the RADIUS message is silently dropped.

The following example shows the commands for configuring a RADIUS interface. The commands are in boldface.

To set up a RADIUS interface, perform the following tasks:

1. Create a RADIUS listener service at the NetScaler SNIP address where the RADIUS messages are received. For example:

> add service srad1 192.0.0.206 RADIUSLISTENER 1813

2. Configure the subscriber RADIUS interface to use this service. For example:

> set subscriber radiusInterface -listeningService srad1

3. Set the subscriber interface type to RadiusOnly. For example:

> set subscriber param -interfaceType RadiusOnly


4. Add a RADIUS client specifying a subnet and shared secret. For example:

> add radius client 192.0.2.0/24 -radkey client123

A subnet of 0.0.0.0/0 implies that it is the default shared secret for all clients.

To see the RADIUS interface configuration and status, type:

> show subscriber radiusInterface

RADIUS Interface parameters:

Radius Listener Service: srad1(UP)

Done

ARGUMENTS

ListeningService

Name of the RADIUS listening service that will process the RADIUS accounting requests.

svrState

The state of the RADIUS listening service.

The following illustration shows the high-level traffic flow.
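Why the shared secret matters for the RADIUS listener: an added example (not NetScaler code) that checks the RFC 2866 Request Authenticator of an Accounting-Request before any subscriber session would be installed. The packet is constructed; carrying the MSISDN in Calling-Station-Id and choosing the secret by longest-prefix match are assumptions, and the client table mirrors the add radius client example above.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
FRAMED_IP_ADDRESS, CALLING_STATION_ID, ACCT_STATUS_TYPE = 8, 31, 40
ACCT_START = 1

# Client table in the shape of "add radius client 192.0.2.0/24 -radkey client123".
CLIENTS = {ipaddress.ip_network("192.0.2.0/24"): b"client123"}


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_accounting_start(identifier, framed_ip, msisdn, secret):
    """Constructed sample of what a gateway holding `secret` would send."""
    attrs = (_attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
             + _attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
             + _attr(CALLING_STATION_ID, msisdn.encode("ascii")))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    return header + _authenticator(header, attrs, secret) + attrs


def secret_for(source_ip, clients=CLIENTS):
    """Most specific matching subnet wins; 0.0.0.0/0 would match every sender."""
    src = ipaddress.ip_address(source_ip)
    matches = [net for net in clients if src in net]
    return clients[max(matches, key=lambda n: n.prefixlen)] if matches else None


def parse_attributes(blob):
    attrs, i = {}, 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = blob[i], blob[i + 1]
        if a_len < 2 or i + a_len > len(blob):
            raise ValueError("bad attribute length")
        attrs[a_type] = blob[i + 2:i + a_len]
        i += a_len
    return attrs


def accept_accounting(packet, source_ip, clients=CLIENTS):
    """Return the session fields, or None when the message must be dropped."""
    secret = secret_for(source_ip, clients)
    if secret is None or len(packet) < 20:
        return None                      # no secret for this sender: drop
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        return None
    header, claimed, attrs = packet[:4], packet[4:20], packet[20:length]
    if not hmac.compare_digest(claimed, _authenticator(header, attrs, secret)):
        return None                      # wrong secret or modified in transit
    try:
        fields = parse_attributes(attrs)
    except ValueError:
        return None
    ip, status = fields.get(FRAMED_IP_ADDRESS, b""), fields.get(ACCT_STATUS_TYPE, b"")
    if len(ip) != 4 or len(status) != 4:
        return None
    return {
        "status": int.from_bytes(status, "big"),
        "framed_ip": str(ipaddress.IPv4Address(ip)),
        "subscriber_id": fields.get(CALLING_STATION_ID, b"").decode("ascii", "replace"),
    }


if __name__ == "__main__":
    good = build_accounting_start(7, "100.10.1.1", "30000000001", b"client123")
    forged = build_accounting_start(7, "100.10.1.1", "30000000001", b"guess")
    print(accept_accounting(good, "192.0.2.10"))     # session fields
    print(accept_accounting(forged, "192.0.2.10"))   # None
    print(accept_accounting(good, "198.51.100.7"))   # None, no client entry
```

The authenticator is the only thing that ties an Accounting Start to a known gateway, so a 0.0.0.0/0 client entry with a short key lets any host that learns or guesses the key install subscriber sessions.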

RADIUS and Gx Interface

With a RADIUS and Gx interface, as soon as an IP-CAN session is established, the packet gateway forwards the subscriber ID, such as the MSISDN, and Framed-IP address information about the subscriber to the appliance through the RADIUS interface. The appliance uses this subscriber ID to query the PCRF on the Gx interface to get the subscriber information. This is known as primary PCEF functionality.

The following example shows the commands for configuring a RADIUS and Gx interface.


set subscriber param -interfaceType RadiusandGx

add service pcrf-svc 203.0.113.1 DIAMETER 3868

add lb vserver vdiam DIAMETER 0.0.0.0 0 -persistenceType DIAMETER -persistAVPno 263

bind lb vserver vdiam pcrf-svc

set subscriber gxInterface -vServer vdiam -pcrfRealm testrealm1.net -holdOnSubscriberAbsence YES -revalidationTimeout 60 -negativeTTL 120

add service srad1 192.0.0.206 RADIUSLISTENER 1813

set subscriber radiusInterface -listeningService srad1

The following illustration shows the high-level traffic flow.

You can configure the subscribers manually on the NetScaler appliance by using the command line or the configuration utility. You create static subscribers by assigning a unique subscriber ID and optionally associating a policy with each subscriber. The following examples show the commands for configuring a static subscriber. In the following examples, subscriptionIdvalue specifies the international telephone number, and subscriptionIdType (E164 in this example) specifies the general format for international telephone numbers.


add subscriber profile 203.0.113.6 -subscriberRules policy1 policy2 -subscriptionIdType E164 -subscriptionIdvalue 98767543211

add subscriber profile 2002::a66:e8d3/64 -subscriberRules policy1 policy3 -subscriptionIdtype E164 -subscriptionIdvalue 98767543212

To view the configured subscriber profiles, type: > show subscriber profile

> show subscriber profile

1)

Subscriber IP: 2002::/64

Profile Attributes:

Active Rules: policy1, policy3

Subscriber Id Type: E164

Subscriber Id Value: 98767543212

2)

Subscriber IP: 203.0.113.6

Profile Attributes:

Active Rules: policy1, policy2

Subscriber Id Type: E164

Subscriber Id Value: 98767543211

Done

A default subscriber profile is used if the subscriber IP address is not found in the subscriber session store on the appliance. In the following example, a default subscriber profile is added with the subscriber rule policy1.


> add subscriber profile * -subscriberRules policy1

Use the following command to display all the static and dynamic subscriber sessions. > show subscriber sessions

> show subscriber sessions

1)

Subscriber IP: 2002::/64

Session Attributes:

Active Rules: policy1, policy3

Subscriber Id Type: E164

Subscriber Id Value: 98767543212

2)

Subscriber IP: *

Session Attributes:

Active Rules: policy1

3)

Subscriber IP: 203.0.113.6

Session Attributes:

Active Rules: policy1, policy2

Subscriber Id Type: E164

Subscriber Id Value: 98767543211

4)

Subscriber IP: 192.168.0.11

Session Attributes:

Idle TTL remaining: 361 Seconds


Active Rules: policy1

Subscriber Id Type: E164

Subscriber Id Value: 1234567811

Service Path: policy1

AVP(44): 34 44 32 42 42 38 41 43 2D 30 30 30 30 30 30 31 31

AVP(257): 00 01 C0 A8 0A 02

PCRF-Host: host.pcrf.com

AVP(280): 74 65 73 74 2E 63 6F 6D



Done

Use the following command to clear a single session or the complete session store. If you do not specify an IP address, the complete subscriber session store is cleared. > clear subscriber sessions

The NetScaler appliance uses the subscriber's IP address as the key to the subscriber policy enforcement and management system. You can add subscriber expressions to read the subscriber information available in the Subscriber Policy Enforcement & Management System. These expressions can be used with policy rules and actions that are configured for NetScaler features, such as integrated caching, rewrite, responder, and content switching.

The following commands are an example of adding a subscriber-based responder action and policy. The policy evaluates to true if the subscriber rule value is "pol1".

add responder action error_msg respondwith '"HTTP/1.1 403 OK\r\n\r\n" + "You are not authorized to access Internet"'

add responder policy no_internet_access "SUBSCRIBER.RULE_ACTIVE(\"pol1\")" error_msg

The following example shows the commands to add a subscriber-based rewrite action and policy. The action inserts an HTTP header "X-Nokia-MSISDN" by using the value of AVP(45) in the subscriber session.


> add rewrite action AddHDR-act insert_http_header X-Nokia-MSISDN "SUBSCRIBER.AVP(45).VALUE"

> add rewrite policy AddHDR-pol "HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).EQUALS_ANY(\"patset-test\")" AddHDR-act

In the following example, two policies are configured on the appliance. When the appliance checks the subscriber information and the subscriber rule is cache_enable, it performs caching. If the subscriber rule is cache_disable, the appliance does not perform caching.

> add cache policy nocachepol -rule "SUBSCRIBER.RULE_ACTIVE(\"cache_disable\")" -action NOCACHE

> add cache policy cachepol -rule "SUBSCRIBER.RULE_ACTIVE(\"cache_enable\")" -action CACHE -storeInGroup cg1

For a complete list of expressions starting with “SUBSCRIBER.” see the Policy Configuration Guide.

A telco user is generally identified by the IPv6 prefix rather than the complete IPv6 address. The NetScaler appliance now uses the prefix instead of the complete IPv6 address (/128) to identify a subscriber in the database (subscriber store). For communicating with the PCRF server (for example, in a CCR-I message), the appliance now uses the framed-IPv6-Prefix AVP instead of the complete IPv6 address. The default prefix length is /64, but you can configure the appliance to use a different value.

To configure the IPv6 prefix by using the command line

set subscriber param [-ipv6PrefixLookupList ...]

The first example command below sets a single prefix and the second example command sets multiple prefixes.

set subscriber param -ipv6PrefixLookupList 64

set subscriber param -ipv6PrefixLookupList 64 72 96

To configure the IPv6 prefix by using the configuration utility

1. Navigate to Traffic Management > Subscriber > Parameters.
2. In the details pane, under Settings, click Configure Subscriber Parameters and in IPv6 Prefix Lookup List, specify one or more prefixes.

Subscriber session cleanup on a NetScaler appliance is based on control plane events, such as a RADIUS Accounting Stop message, a Diameter RAR (session release) message, or a "clear subscriber session" command. In some deployments, the messages from a RADIUS client or a PCRF server might not reach the appliance. Additionally, during heavy traffic, the messages might be lost. A subscriber session that is idle for a long time continues to consume memory and IP resources on the NetScaler appliance. The idle session management feature provides configurable timers to identify idle sessions, and cleans up these sessions on the basis of the specified action. A session is considered idle if no traffic from this subscriber is received on the data plane or the control plane. You can specify an update, terminate (inform PCRF and then delete the session), or delete (without informing PCRF) action. The action is taken only after the session is idle for the time specified in the idle timeout parameter.

To configure the idle session timeout and the associated action by using the command line

set subscriber param [-idleTTL ] [-idleAction ]

set subscriber param -idleTTL 3600 -idleAction ccrTerminate

set subscriber param -idleTTL 3600 -idleAction ccrUpdate

set subscriber param -idleTTL 3600 -idleAction delete

To disable the idle session timeout, set the idle timeout to zero.

set subscriber param -idleTTL 0

To configure the idle session timeout and the associated action by using the configuration utility

1. Navigate to Traffic Management > Subscriber > Parameters.
2. In the details pane, under Settings, click Configure Subscriber Parameters and specify an Idle Time and Idle Action.

If you enable subscriber logging, you can track the RADIUS and Gx control plane messages specific to a subscriber, and use the historical data to analyze subscriber activities. Some of the key attributes are MSISDN and time stamp. The following attributes are also logged:

Session Event (Install, Update, Delete, Error)
Gx Message Type (CCR-I, CCR-U, CCR-T, RAR)
Radius Message Type (Start, Stop)
Subscriber IP
SubscriberID Type (MSISDN(E164), IMSI)
SubscriberID value

By using these logs, you can track users by IP address and, if available, MSISDN. You can enable subscriber session logging to a local or remote syslog or nslog server. The following example shows how to enable subscriber logging to a remote syslog server.


> add syslogAction sysact1 192.0.2.0 -loglevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL -subscriberlog enabled

From these logs, you can learn about any activity related to a user, such as the time when a session was updated, deleted, or created (installed). Additionally, error messages are also logged.

Examples

1. The following log entries are examples of RADIUSandGx session creation, session update, and session deletion.

09/30/2015:16:29:18 GMT Informational 0-PPE-0 : default SUBSCRIBER SESSION_EVENT 147 0 : Session Install, GX MsgType: CCR-I, RADIUS MsgType: Start, IP: 100.10.1.1, ID: E164 - 30000000001

09/30/2015:16:30:18 GMT Informational 0-PPE-0 : default SUBSCRIBER SESSION_EVENT 148 0 : Session Update, GX MsgType: CCR-U, IP: 100.10.1.1, ID: E164 - 30000000001

09/30/2015:17:27:56 GMT Informational 0-PPE-0 : default SUBSCRIBER SESSION_EVENT 185 0 : Session Delete, GX MsgType: CCR-T, RADIUS MsgType: Stop, IP: 100.10.1.1, ID: E164 - 30000000001

2. The following log entries are examples of failure messages, such as when a subscriber is not found on the PCRF server and when the appliance cannot connect to the PCRF server.

09/30/2015:16:44:15 GMT Error 0-PPE-0 : default SUBSCRIBER SESSION_FAILURE 169 0 : Failure Reason: PCRF failure response, GX MsgType: CCR-I, IP: 100.10.1.1

Sep 30 13:03:01 09/30/2015:16:49:08 GMT 0-PPE-0 : default SUBSCRIBER SESSION_FAILURE 176 0 : Failure Reason: Unable to connect to PCRF, GX MsgType: CCR-I, RADIUS MsgType: Start, IP: 100.10.1.1, ID: E164 30000000001
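An added example (not part of the Citrix documentation) that parses subscriber log entries in the format shown above and answers the usual investigation question: which subscriber ID held a given IP address at a given time. The log lines are constructed in that format, and the function names are assumptions.

```python
import re
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT (?:(?P<level>[A-Za-z]+) )?"
    r"\d+-PPE-\d+ : \S+ SUBSCRIBER (?P<kind>SESSION_EVENT|SESSION_FAILURE) "
    r"\d+ \d+ : (?P<body>.+)$")

# Constructed sample in the format of the entries above (not real traffic).
SAMPLE_LOG = """\
09/30/2015:16:29:18 GMT Informational 0-PPE-0 : default SUBSCRIBER SESSION_EVENT 147 0 : Session Install, GX MsgType: CCR-I, RADIUS MsgType: Start, IP: 100.10.1.1, ID: E164 - 30000000001
09/30/2015:16:30:18 GMT Informational 0-PPE-0 : default SUBSCRIBER SESSION_EVENT 148 0 : Session Update, GX MsgType: CCR-U, IP: 100.10.1.1, ID: E164 - 30000000001
09/30/2015:16:44:15 GMT Error 0-PPE-0 : default SUBSCRIBER SESSION_FAILURE 169 0 : Failure Reason: PCRF failure response, GX MsgType: CCR-I, IP: 100.10.1.9
09/30/2015:17:27:56 GMT Informational 0-PPE-0 : default SUBSCRIBER SESSION_EVENT 185 0 : Session Delete, GX MsgType: CCR-T, RADIUS MsgType: Stop, IP: 100.10.1.1, ID: E164 - 30000000001
09/30/2015:17:40:02 GMT Informational 0-PPE-0 : default SUBSCRIBER SESSION_EVENT 191 0 : Session Install, GX MsgType: CCR-I, RADIUS MsgType: Start, IP: 100.10.1.1, ID: E164 - 30000000002
""".splitlines()


def parse_ts(text):
    return datetime.strptime(text, "%m/%d/%Y:%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return one record per subscriber log line, or None for anything else."""
    m = LINE_RE.search(line)   # search() tolerates a syslog prefix before the timestamp
    if m is None:
        return None
    head, *pairs = m["body"].strip().split(", ")
    fields = dict(p.split(": ", 1) for p in pairs if ": " in p)
    sub_id = fields.get("ID")
    return {
        "time": parse_ts(m["ts"]),
        "kind": m["kind"],
        # "Session Install" -> "Install"; "Failure Reason: X" -> "X"
        "what": head.split(": ", 1)[1] if ": " in head else head.split(" ", 1)[-1],
        "gx": fields.get("GX MsgType"),
        "radius": fields.get("RADIUS MsgType"),
        "ip": fields.get("IP"),
        "id": sub_id.split(" - ", 1)[-1] if sub_id else None,
    }


def ip_leases(records):
    """Fold Install/Delete events into (ip, id, start, end); end None = still open."""
    open_by_ip, leases = {}, []
    events = (r for r in records if r["kind"] == "SESSION_EVENT")
    for r in sorted(events, key=lambda rec: rec["time"]):
        ip = r["ip"]
        if r["what"] in ("Install", "Delete") and ip in open_by_ip:
            sub_id, start = open_by_ip.pop(ip)
            # Closed by a Delete, or by a new Install whose Delete was never logged
            leases.append((ip, sub_id, start, r["time"]))
        if r["what"] == "Install":
            open_by_ip[ip] = (r["id"], r["time"])
    leases += [(ip, sid, start, None) for ip, (sid, start) in open_by_ip.items()]
    return leases


def who_held(leases, ip, when):
    """Subscriber ID that held `ip` at `when` (log timestamp format), else None."""
    moment = parse_ts(when)
    for lease_ip, sub_id, start, end in leases:
        if lease_ip == ip and start <= moment and (end is None or moment < end):
            return sub_id
    return None


def failures(records):
    return [(r["ip"], r["what"], r["gx"]) for r in records
            if r["kind"] == "SESSION_FAILURE"]


if __name__ == "__main__":
    records = [r for r in map(parse_line, SAMPLE_LOG) if r]
    leases = ip_leases(records)
    for t in ("09/30/2015:16:45:00", "09/30/2015:17:30:00", "09/30/2015:17:45:00"):
        print(t, "100.10.1.1 ->", who_held(leases, "100.10.1.1", t))
    print(failures(records))
```

Because the same IP address is handed to different subscribers over time, attribution needs the timestamp as well as the address, which is why the Install and Delete events have to be paired.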

In earlier releases, if a subscriber session is deleted when a RADIUS Accounting STOP or a PCRF-RAR message is received, or as a result of any other event, such as TTL expiry or flush, the corresponding LSN sessions of the subscriber are removed only after the configured LSN timeout period. LSN sessions that are kept open until this timeout expires continue to consume resources on the appliance.

From release 11.1, a new parameter (subscrSessionRemoval) is added. If this parameter is enabled, and the subscriber information is deleted from the subscriber database, LSN sessions corresponding to that subscriber are also removed. If this parameter is disabled, the subscriber sessions are timed out as specified by the LSN timeout settings.

To configure subscriber aware LSN session termination by using the NetScaler command line

At the command prompt, type:

set lsn parameter -subscrSessionRemoval ( ENABLED | DISABLED )


> set lsn parameter -subscrSessionRemoval ENABLED

Done

> sh lsn parameter

LSN Global Configuration:

Active Memory Usage: 0 MBytes

Configured Memory Limit: 0 MBytes

Maximum Memory Usage Limit: 912 MBytes

Session synchronization: ENABLED

Subscriber aware session removal: ENABLED

To configure subscriber aware LSN session termination by using the NetScaler GUI

1. Navigate to System > Large Scale NAT.
2. In Getting started, click Set LSN Parameter.
3. Set the Subscriber Aware Session Removal parameter.

If your deployment is not working as expected, use the following commands to troubleshoot:

show subscriber gxinterface

This command's output can include the following error messages (shown here with suggested responses):

"Gx Interface Not Configured": Use the set subscriber param command to configure the correct interface type.
"PCRF not configured-Configure a Diameter vServer or Service on GxInterface": Use the set subscriber gx interface command to assign a Diameter virtual server or service to this interface.
"PCRF is not ready-Check corresponding vserver/service for more details": Use the show LB vserver or show service command to check the state of the service.
"NetScaler is waiting for CEA from PCRF": Capability negotiation between the PCRF and NetScaler might be failing. This could be an intermittent state. If it persists, check the DIAMETER settings on your PCRF server.
"Memory is not configured to store subscriber sessions. Please use 'set extendedmemoryparam -memlimit <>'": Use the set extendedmemoryparam command to configure extended memory.

show subscriber radiusinterface

If "Not Configured" is the output of this command, use the set subscriber radiusinterface command to specify a RADIUSListener service.

If subscriber logging is enabled, you can get more detailed information from the log files.


Jul 25, 2017

With the huge increase in the data traffic passing through telco networks, it is no longer feasible for service providers to steer all the traffic through all the value added services (VAS). A service provider should be able to optimize usage of VAS and intelligently steer traffic to improve the user experience. For example, video optimization is not required for traffic that does not include a video. Moreover, if a subscriber is connected to a 4G network, content can be streamed in high definition (HD), and video optimization might not be needed. However, video optimization improves the experience for a user in a 3G network. Similarly, caching provides a faster and better user experience and can be enabled depending on the subscriber plan. Another example of VAS is parental control. If parents provide a mobile handset to a minor child, they would like some kind of control over the websites that their child visits.

To do the above and more, service providers must be able to provide value-added services on a per-subscriber basis. In other words, entities in the service provider network must be capable of extracting the subscriber information and intelligently steering the packet on the basis of this information.

Service chaining determines the set of services through which the traffic from a subscriber must pass before going to the Internet. Instead of sending all the traffic to all the services, the NetScaler intelligently routes all requests from a subscriber to a specific set of services on the basis of the policy defined for that subscriber.

The following figure shows the entities involved in service chaining. The values shown are configured in the procedure that follows the figure. A content switching virtual server on the NetScaler appliance directs requests to the value added services or skips them, depending on the defined rule, and then sends the packet out to the Internet after performing LSN.

To configure service chaining for the above deployment by using the NetScaler command line:

1. Add the appliance’s subnet IP (SNIP) addresses.

Example


add ns ip 192.168.10.1 255.255.255.0 -type snip
add ns ip 192.168.20.1 255.255.255.0 -type snip
add ns ip 192.168.30.1 255.255.255.0 -type snip
add ns ip 192.168.40.1 255.255.255.0 -type snip
add ns ip 192.168.50.1 255.255.255.0 -type snip
add ns ip 192.168.60.1 255.255.255.0 -type snip
add ns ip 100.1.1.1 255.0.0.0 -type snip
add ns ip 200.201.1.1 255.0.0.0 -type snip

2. Add the VLANs. VLANs help the appliance identify the source of the traffic. Bind the VLANs to the interfaces and subnet IP addresses. Add an ingress and an egress VLAN for each VAS.

Example

add vlan 10
add vlan 20
add vlan 30
add vlan 40
add vlan 50
add vlan 60
add vlan 100
add vlan 200
bind vlan 10 -ifnum 1/4 -tagged -IPAddress 192.168.10.1 255.255.255.0
bind vlan 20 -ifnum 1/4 -tagged -IPAddress 192.168.20.1 255.255.255.0
bind vlan 30 -ifnum 1/4 -tagged -IPAddress 192.168.30.1 255.255.255.0
bind vlan 40 -ifnum 1/4 -tagged -IPAddress 192.168.40.1 255.255.255.0
bind vlan 50 -ifnum 1/4 -tagged -IPAddress 192.168.50.1 255.255.255.0
bind vlan 60 -ifnum 1/4 -tagged -IPAddress 192.168.60.1 255.255.255.0
bind vlan 100 -ifnum 1/2 -tagged -IPAddress 100.1.1.1 255.0.0.0
bind vlan 200 -ifnum 1/3 -tagged -IPAddress 200.201.1.1 255.0.0.0

3. Specify the VLAN on which the subscriber traffic arrives on the appliance. Specify the service path AVP that tells the appliance where to look for the service path name within the subscriber session. For primary PCEF functionality, specify the interfaceType as RadiusAndGx.


Example

set ns param -servicePathIngressVLAN 100
set subscriber gxinterface -servicepathAVP 1001 1005 -servicepathVendorid 10415
set subscriber param -interfaceType RadiusAndGx

4. Configure a service and virtual server of type Diameter, and bind the service to the virtual server. Then, specify the PCRF realm and subscriber Gx interface parameters. For primary PCEF functionality, configure a RADIUS listener service and RADIUS interface.

Example

add service sd1 10.102.232.200 DIAMETER 3868
add lb vserver vdiam DIAMETER 0.0.0.0 0 -persistenceType DIAMETER -persistAVPno 263
bind lb vserver vdiam sd1
set ns diameter -identity netscaler.sc1.net -realm pcrf1.net
set subscriber gxInterface -vServer vdiam -pcrfRealm pcrf1.net -holdOnSubscriberAbsence YES -idleTTL 1200 -negativeTTL 120
add service srad1 10.102.232.236 RADIUSListener 1813
set subscriber radiusInterface -listeningService srad1

5. Add service functions to associate a VAS with an ingress VLAN. Add a service path to define the chain, that is, specify the VAS that the packet must be sent to and the order in which it must go to that VAS. The service path name is usually sent by the PCRF. However, the service path of the default subscriber profile (*) applies if any of the following is true:

PCRF does not have the subscriber information.
The subscriber information does not include this AVP.
The appliance is unable to query the PCRF. For example, the service representing the PCRF is DOWN.

The service path AVP that contains this name must be configured as part of the global configuration earlier. Bind the service function to the service path. The service index specifies the order in which the VAS is added to the chain. The highest number (255) indicates the beginning of the chain.

Example

add ns servicefunction SF1 -ingressVLAN 20
add ns servicefunction SF2 -ingressVLAN 40
add ns servicefunction SF3 -ingressVLAN 60
add ns servicepath pol1
bind ns servicepath pol1 -servicefunction SF1 -index 255
bind ns servicepath pol1 -servicefunction SF2 -index 254


bind ns servicepath pol1 -servicefunction SF3 -index 253
add ns servicepath pol2
bind ns servicepath pol2 -servicefunction SF2 -index 255
add ns servicepath pol3
bind ns servicepath pol3 -servicefunction SF1 -index 255
add subscriber profile * -subscriberrules default_path

6. Add the LSN configuration. That is, define the NAT pool and identify the clients for which the appliance must perform LSN.

Example

add lsn pool pool1
bind lsn pool pool1 200.201.1.1
add lsn client client1
bind lsn client client1 -network 100.0.0.0 -netmask 255.0.0.0
add lsn group group1 -clientname client1
bind lsn group group1 -poolname pool1

7. The appliance performs LSN by default. To override LSN, you must create a net profile with the overrideLsn parameter enabled and bind this profile to all the load balancing virtual servers that are configured for value added services (VASs).

Example

add netprofile np1
set netprofile np1 -overrideLsn ENABLED
set lb vserver vs1 -netprofile np1

8. Configure the VAS on the appliance. This includes creating the services and virtual servers and then binding the services to the virtual servers.

Example

add service vas1 192.168.10.2 ANY 80 -usip YES
add service vas2 192.168.30.2 ANY 80 -usip YES
add service vas3 192.168.50.2 ANY 80 -usip YES
add service sint 200.10.1.10 ANY 80 -usip YES
add lb vserver vs1 ANY -m MAC -l2Conn ON
add lb vserver vs2 ANY -m MAC -l2Conn ON


add lb vserver vs3 ANY -m MAC -l2Conn ON
add lb vserver vint ANY -m MAC -l2Conn ON
bind lb vserver vs1 vas1
bind lb vserver vs2 vas2
bind lb vserver vs3 vas3
bind lb vserver vint sint

9. Add the content switching (CS) configuration. This includes virtual servers, policies, and their associated actions. The traffic arrives at the CS virtual server and is then redirected to the appropriate load balancing virtual server. Define expressions that associate a virtual server with a service function.

Example

add cs vserver cs1 ANY * 80 -l2Conn ON
add cs action csact1 -targetLBVserver vs1
add cs action csact2 -targetLBVserver vs2
add cs action csact3 -targetLBVserver vs3
add cs action csactint -targetLBVserver vint
add cs policy cspol1 -rule "SUBSCRIBER.SERVICEPATH.IS_NEXT(\"SF1\") && SYS.VSERVER(\"vs1\").STATE.EQ(UP)" -action csact1
add cs policy cspol2 -rule "SUBSCRIBER.SERVICEPATH.IS_NEXT(\"SF2\") && SYS.VSERVER(\"vs2\").STATE.EQ(UP)" -action csact2
add cs policy cspol3 -rule "SUBSCRIBER.SERVICEPATH.IS_NEXT(\"SF3\") && SYS.VSERVER(\"vs3\").STATE.EQ(UP)" -action csact3
bind cs vserver cs1 -policyName cspol1 -priority 110
bind cs vserver cs1 -policyName cspol2 -priority 120
bind cs vserver cs1 -policyName cspol3 -priority 130
bind cs vserver cs1 -lbvserver vint

To configure service chaining on the appliance by using the NetScaler GUI

1. Navigate to System > Network > IPs and add the subnet IP addresses.
2. Navigate to System > Network > VLANs and add VLANs. Bind the VLANs to the interfaces and subnet IP addresses.
3. Navigate to Traffic Management > Service Chaining > Configure Service Path Ingress VLAN and specify an ingress VLAN.
4. Navigate to Traffic Management > Subscriber > Parameters > Configure Subscriber Parameters and specify the following:
Interface Type: Specify RadiusAndGx.


Configure a diameter virtual server, PCRF realm, and the subscriber GX interface parameters.
Specify the RADIUS interface parameters.
5. Navigate to Traffic Management > Service Chaining > Service Function and add service functions to associate a value-added service with an ingress VLAN.
6. Navigate to System > Network > Large Scale NAT. Click Pools and add a pool. Click Clients and add a client. Click Groups and add a group and specify the client. Edit the group and bind the pool to this group.
7. Navigate to System > Network > Net Profiles and add a net profile. Select Override LSN. Optionally, navigate to System > Network > Settings > Configure Layer 3 Parameters and verify that Override LSN is not selected.
8. Navigate to Traffic Management > Load Balancing > Virtual Servers and configure the virtual servers and value-added services on the appliance. Bind the services and the net profile to the virtual server.
9. Navigate to Traffic Management > Content Switching > Virtual Servers and configure a virtual server, policy, and action. Specify the target load balancing virtual server.
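The CLI procedure above spreads one chain across VLAN, service function and service path commands, so a mistyped VLAN or index is easy to miss. The following Python check is an added example, not Citrix code: it parses those commands from a constructed sample, resolves each path's order (highest index first) and reports inconsistencies. The function names and the simplified next-hop model are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the commands above, with three planted defects:
# VLAN 40 is never bound to an interface, pol2 references SF3 (never added),
# and pol2 uses index 255 twice.
SAMPLE_CONFIG = """\
set ns param -servicePathIngressVLAN 100
add vlan 20
add vlan 40
add vlan 100
bind vlan 20 -ifnum 1/4 -tagged -IPAddress 192.168.20.1 255.255.255.0
bind vlan 100 -ifnum 1/2 -tagged -IPAddress 100.1.1.1 255.0.0.0
add ns servicefunction SF1 -ingressVLAN 20
add ns servicefunction SF2 -ingressVLAN 40
add ns servicepath pol1
bind ns servicepath pol1 -servicefunction SF1 -index 255
bind ns servicepath pol1 -servicefunction SF2 -index 254
add ns servicepath pol2
bind ns servicepath pol2 -servicefunction SF2 -index 255
bind ns servicepath pol2 -servicefunction SF3 -index 255
"""

RX_SUBSCRIBER_VLAN = re.compile(r"^set ns param\b.*-servicePathIngressVLAN (\d+)", re.I)
RX_VLAN = re.compile(r"^add vlan (\d+)", re.I)
RX_VLAN_BIND = re.compile(r"^bind vlan (\d+)\b.*-ifnum \S+", re.I)
RX_SF = re.compile(r"^add ns servicefunction (\S+) -ingressVLAN (\d+)", re.I)
RX_PATH = re.compile(r"^add ns servicepath (\S+)", re.I)
RX_PATH_BIND = re.compile(
    r"^bind ns servicepath (\S+) -servicefunction (\S+) -index (\d+)", re.I)


def parse_config(text):
    """Collect the VLAN, service function and service path commands."""
    cfg = {"subscriber_vlan": None, "vlans": set(), "bound_vlans": set(),
           "functions": {}, "paths": defaultdict(list)}
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()  # tolerate a leading CLI prompt
        if m := RX_SUBSCRIBER_VLAN.match(line):
            cfg["subscriber_vlan"] = int(m.group(1))
        elif m := RX_VLAN.match(line):
            cfg["vlans"].add(int(m.group(1)))
        elif m := RX_VLAN_BIND.match(line):
            cfg["bound_vlans"].add(int(m.group(1)))
        elif m := RX_SF.match(line):
            cfg["functions"][m.group(1)] = int(m.group(2))
        elif m := RX_PATH_BIND.match(line):
            cfg["paths"][m.group(1)].append((int(m.group(3)), m.group(2)))
        elif m := RX_PATH.match(line):
            cfg["paths"][m.group(1)]  # register a path even if nothing is bound
    return cfg


def resolve_chains(cfg):
    """Order each path's service functions; the highest index starts the chain."""
    return {path: [sf for _, sf in sorted(binds, key=lambda b: -b[0])]
            for path, binds in cfg["paths"].items()}


def next_service_function(cfg, path, arrival_vlan):
    """Simplified model (assumption) of the IS_NEXT decision for one packet."""
    chain = resolve_chains(cfg)[path]
    if arrival_vlan == cfg["subscriber_vlan"]:
        return chain[0] if chain else None  # packet has visited no VAS yet
    for pos, sf in enumerate(chain):
        if cfg["functions"].get(sf) == arrival_vlan:
            # Packet came back from this VAS; None means the chain is done.
            return chain[pos + 1] if pos + 1 < len(chain) else None
    raise ValueError(f"VLAN {arrival_vlan} is not part of service path {path}")


def lint(cfg):
    """Return findings that would leave a chain broken or ambiguous."""
    findings = []
    for sf, vlan in sorted(cfg["functions"].items()):
        if vlan not in cfg["vlans"]:
            findings.append(f"{sf}: ingress VLAN {vlan} is not added")
        elif vlan not in cfg["bound_vlans"]:
            findings.append(f"{sf}: ingress VLAN {vlan} is not bound to an interface")
    for path, binds in sorted(cfg["paths"].items()):
        seen = set()
        for index, sf in binds:
            if sf not in cfg["functions"]:
                findings.append(f"{path}: service function {sf} is not defined")
            if index in seen:
                findings.append(f"{path}: index {index} is used more than once")
            if index > 255:
                findings.append(f"{path}: index {index} exceeds 255")
            seen.add(index)
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for path, chain in resolve_chains(cfg).items():
        print(path, "->", " -> ".join(chain))
    for finding in lint(cfg):
        print("FINDING:", finding)
```

Run it against a saved copy of the intended commands before applying them; an empty findings list only means the cross-references are consistent, not that the VAS nodes are reachable.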


Jul 25, 2017

Citrix provides a wide breadth of NetScaler models that can be loosely categorized by two factors:

Capacity, currently ranging from hundreds of Mbps for the low-end VPX appliance to 160 Gbps for the high-end 25000 MPX series appliance
Telco grade, with the availability of the T1000 series for Telco datacenters.

Your Citrix Sales or Support representative can help you select the appropriate hardware for your demo, trial, or production needs. The remainder of this section uses a NetScaler T1200 as reference hardware. Note that, putting aside superficial differences related to the number and notation of available interfaces* or well-documented limitations of NetScaler VPX**, the instructions should apply mostly verbatim regardless of the NetScaler model selected.

* For instance, the T1010 model only has 12x1GbE, typically marked as 1/1-1/12 rather than the 10/x notation used in this document.

** A NetScaler VPX instance typically doesn’t support LACP aggregation; it might also not support VLAN tagging.

After a serial cable is connected, you can log on to the NetScaler appliance with the following credentials:

Username: nsroot
Password: nsroot

Once logged in, configure the basic details of the NetScaler appliance as shown in the screen capture below.

> set ns config -IPAddress -netmask
> saveconfig
> reboot -warm

After you restart the appliance, you might use SSH for further configuration of the T1100 nodes.


The Lights Out Management (LOM) port on the front panel of the NetScaler appliance allows an operator to remotely monitor and manage the appliance independently of the operating system. An operator can change the IP address, power cycle the appliance, and perform a core dump by connecting to the NetScaler appliance through the LOM port. The default IP address of the LOM port is 192.168.1.3.

Figure. Initial Configuration of LOM Module

Set a static IP on your laptop and plug it directly into the LOM interface with a crossover cable or into a switch in the same broadcast domain as the LOM interface. For initial configuration, type the port’s default address: http://192.168.1.3 in a web browser and change the LOM port’s default IP address. Refer to Configuration Guides for further details.

The NetScaler TCP optimization for mobile networks is constantly evolving. The capabilities and tunings outlined in this document require a NetScaler Telco build. Here is an example showing the NetScaler Telco build.

> show ver
NetScaler NS11.0: Build 64.957.nc, Date: Aug 26 2016, 02:00:23

If the T1000 has not shipped with the appropriate build revision, contact NetScaler Customer Support.

Both the appliances should have the same software image.

A NetScaler appliance can be configured by using either the NetScaler CLI or the HTML5 GUI. However, this section provides only CLI-based instructions.


While the NetScaler CLI is accessible through the NetScaler serial console, an SSH client is normally recommended to allow for remote NetScaler configuration.


Jul 25, 2017

The stat command might be used to verify that TCP optimization is properly applied:

> stat lb vserver vsrv-wireless

Virtual Server Summary
                  vsvrIP   port   Protocol   State   Health   actSvcs
vsrv...eless           *      0        TCP      UP      100         1

               inactSvcs
vsrv...eless           0

Virtual Server Statistics
                                     Rate (/s)          Total
Vserver hits                                 0             10
Requests                                     0              0
Responses                                    0              0
Request bytes                                0           1580
Response bytes                               0      532594360
Total Packets rcvd                           0         216463
Total Packets sent                           0         369898
Current client connections                  --              0
Current Client Est connections              --              0
Current server connections                  --              0
Requests in surge queue                     --              0
Requests in vserver's surgeQ                --              0
Requests in service's surgeQs               --              0
Spill Over Threshold                        --              0
Spill Over Hits                             --              0
Labeled Connection                          --              0
Push Labeled Connection                     --              0
Deferred Request                             0              0
Invalid Request/Response                    --              0
Invalid Request/Response Dropped            --              0

Bound Service(s) Summary
                        IP   port   Type   State   Hits   Hits/s
svc-internet   192.168.2.2      0    TCP      UP     10      0/s

                   Req   Req/s   Rsp   Rsp/s   Throughp   ClntConn   SurgeQ
svc-internet         0     0/s     0     0/s          0          0        0

               SvrConn   ReuseP   MaxConn   ActvTran   SvrTTFB   Load
svc-internet         0        0         0          0         0      0

The Total counters should constantly increase for an operational system. In addition, the Rate counters should be nonzero.

The preceding output is from an operational yet idle lab system, explaining the zero rate.
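The check described above can be automated by comparing two captures of the statistics block taken some time apart. The following Python sketch is an added example, not Citrix tooling: both snapshots are constructed (the first reuses the idle lab values shown above), and the function names and the choice of which counters count as traffic counters are assumptions.

```python
import re

# Constructed snapshots in the layout of the "Virtual Server Statistics" block.
# T0 reuses the idle lab values shown above; T1 is invented for the example.
SNAPSHOT_T0 = """\
Virtual Server Statistics
                                  Rate (/s)          Total
Vserver hits                              0             10
Request bytes                             0           1580
Response bytes                            0      532594360
Total Packets rcvd                        0         216463
Total Packets sent                        0         369898
Current client connections               --              0

Bound Service(s) Summary
"""

SNAPSHOT_T1 = """\
Virtual Server Statistics
                                  Rate (/s)          Total
Vserver hits                              2             34
Request bytes                           316           5372
Response bytes                        40686      533001222
Total Packets rcvd                       52         216990
Total Packets sent                        0         369898
Current client connections               --              3
"""

# Counters expected to grow while traffic flows (assumed selection).
TRAFFIC_COUNTERS = ("Vserver hits", "Request bytes", "Response bytes",
                    "Total Packets rcvd", "Total Packets sent")

# A row is a label, two or more spaces, a rate ("--" when not reported), a total.
ROW = re.compile(r"^(?P<name>\S.*?)\s{2,}(?P<rate>--|\d+)\s+(?P<total>\d+)$")


def parse_vserver_stats(text):
    """Return {counter: (rate or None, total)} from one stat lb vserver output."""
    stats, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Virtual Server Statistics":
            in_section = True
        elif line.startswith("Bound Service"):
            break  # the per-service tables use a different layout
        elif in_section and (m := ROW.match(line)):
            rate = None if m["rate"] == "--" else int(m["rate"])
            stats[m["name"]] = (rate, int(m["total"]))
    return stats


def counter_problems(before, after, names=TRAFFIC_COUNTERS):
    """Classify traffic counters whose Total did not grow between snapshots."""
    problems = {}
    for name in names:
        if name not in before or name not in after:
            problems[name] = "missing"
        elif after[name][1] < before[name][1]:
            problems[name] = "reset"  # Total went backwards, e.g. after a restart
        elif after[name][1] == before[name][1]:
            problems[name] = "stalled"
    return problems


def is_idle(stats, names=TRAFFIC_COUNTERS):
    """True when every traffic counter present reports a zero rate."""
    return all(stats[n][0] == 0 for n in names if n in stats)


if __name__ == "__main__":
    t0, t1 = parse_vserver_stats(SNAPSHOT_T0), parse_vserver_stats(SNAPSHOT_T1)
    print("idle at T0:", is_idle(t0))
    print("problems T0 -> T1:", counter_problems(t0, t1))
```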


Jul 25, 2017

The NetScaler T1 models provide advanced features and a powerful policy configuration language that allow complex decisions to be evaluated at runtime. While it is not possible to evaluate all capabilities that are potentially unlocked by the T1000 features and policy configuration guide, the technical recipes consider implementation of various requirements brought in by Telco operators. Feel free to reuse the “recipes” as is or adapt them to your environment.

The NetScaler T1 model can be configured to limit the number of connections per unique subscriber IP. With the configuration below, N concurrent TCP connections per IP (CLIENT.IP.SRC) are allowed. For every connection attempt beyond the configured threshold, the T1 sends an RST. For a maximum of 2 concurrent connections per user:

> add stream selector streamSel_usrlimit CLIENT.IP.SRC

> add ns limitIdentifier limitId_usrlimit -threshold 2 -mode CONNECTION -selectorName streamSel_usrlimit

> add responder policy respPol_usrlimit "SYS.CHECK_LIMIT(\"limitId_usrlimit\")" RESET

> bind lb vserver vsrv-wireless -policyName respPol_usrlimit -priority 1 -gotoPriorityExpression END

Many operators are concerned about TCP connections being disrupted when the NetScaler T1 model is activated inline for TCP optimization or when it is disabled for maintenance purposes. To avoid breaking existing connections when the vserver is introduced, the following configuration needs to be applied before configuring or activating the vserver for TCP optimization:


> add ns acl acl-ingress ALLOW -vlan 100

> add forwardingSession fwd-ingress -aclname acl-ingress

> apply ns acls

Forwarding sessions are effective on top of routing (either static or dynamic or PBR) and create session entries for traffic that is routed (L3 mode). Existing connections continue to be handled by the forwarding session through their session entries, and once the vserver is introduced it captures only new TCP connections. ACLs can be configured to match only specific ports, like the vserver, in order to avoid creating sessions for unnecessary traffic, which consumes memory. Another option is to remove this configuration after the vserver is activated.

For maintenance purposes, the vserver should be disabled, and its state then appears as OUT OF SERVICE. When this happens, the vserver terminates all connections immediately by default. To make the vserver keep serving existing connections while not accepting new ones, apply the following configuration:

> set lb vserver vsrv-wireless -downStateFlush DISABLED

New connections go through the routing table, and corresponding session entries are created due to forwarding sessions.

Policy-based TCP profile selection allows operators to configure the TCP profile dynamically for clients coming from different traffic domains (for example, 3G or 4G). Some of the QoS metrics are different for these traffic domains, and to achieve better performance you need to change some of the TCP parameters dynamically. Consider a case where clients coming from 3G and 4G hit the same vserver and use the same TCP profile, which has a negative impact on some clients' performance. The AppQoE functionality can classify these clients and dynamically change the TCP profile on the vserver.


> enable feature AppQoE

> add ns tcpProfile nstcpprofile1 -WS ENABLED -SACK ENABLED -WSVal 8 -mss 1460 -maxBurst 30 -initialCwnd 16 -oooQSize 15000

> add ns tcpProfile nstcpprofile2 -WS ENABLED -SACK ENABLED -WSVal 8 -mss 1460 -maxBurst 15 -initialCwnd 16 -oooQSize 15000

> add appqoe action action_1 -priority HIGH -tcpprofile nstcpprofile1

> add appqoe action action_2 -priority HIGH -tcpprofile nstcpprofile2

> add appqoe policy appqoe_4G -rule "CLIENT.VLAN.ID.EQ(100)" -action action_1

> add appqoe policy appqoe_3G -rule "CLIENT.VLAN.ID.EQ(200)" -action action_2

> bind lb vserver vsrv-wireless -policyName appqoe_4G -priority 100

> bind lb vserver vsrv-wireless -policyName appqoe_3G -priority 110

The NetScaler T1 model can receive subscriber information dynamically through a Gx interface, a RADIUS interface, or both, and apply a different TCP profile on a per-subscriber basis.

> add appqoe action action_1 -priority HIGH -tcpprofile nstcpprofile1

> add appqoe action action_2 -priority HIGH -tcpprofile nstcpprofile2

> add appqoe policy appqoe_4G -rule "SUBSCRIBER.RULE_ACTIVE(\"3G\")" -action action_1

> add appqoe policy appqoe_3G -rule "SUBSCRIBER.RULE_ACTIVE(\"4G\")" -action action_2

For integration of the NetScaler T1 model with the operator control-plane network, see Telco Subscriber Management.

To upload a premium license file, follow these steps:

1. A valid license file should be installed on the NetScaler appliance. The license should support at least as many Gbps as the expected maximum Gi-LAN throughput. License files should be copied through an SCP client to the /nsconfig/license directory of the appliance, as shown in the screen capture below.

To upload a premium license

> shell ls /nsconfig/license/

CNS_V3000_SERVER_PLT_Retail.lic ssl

2. Do a warm restart to apply the new license, as shown in the screen capture below.

To warm boot the appliance

> reboot -warm

Are you sure you want to restart NetScaler (Y/N)? [N]:y

Done

Example

> show license

License status:

Video Optimization: YES

...

Model Number ID: 3000

License Type: Platinum License

1. Detecting Clear-text PD

2. Detecting Clear-text ABR

RISE Functionality

RISE Network Topologies

RISE Connection Modes

Installing the Cisco Nexus Switch and the NetScaler ADC

Accessing the Cisco Nexus Switch and the NetScaler ADC

Configuring RISE

Configuring High Availability

Jul 25, 2017

Note: This section applies to the MPX 8005/8015/8200/8400/8600/8800, MPX 9700/10500/12500/15500, MPX 15000, MPX 17000, MPX 11500/13500/14500/16500/18500/20500, MPX 11515/11520/11530/11540/11542, MPX 14000, MPX 17500/19500/21500, MPX 17550/19550/20550/21550, MPX 22040/22060/22080/22100/22120, MPX 24100/24150, MPX 25100T/25160T, and T1100 (Gen1), T1100 (16), T1120, T1300, and T1300-40G appliances.

A 10-Gigabit Small Form-Factor Pluggable (XFP or SFP+) is a compact optical transceiver that can operate at speeds of up to 10 gigabits per second. Autonegotiation is enabled by default on the XFP/10G SFP+ ports into which you insert your XFP/10G SFP+ transceiver. As soon as a link between the port and the network is established, the mode is matched on both ends of the cable and, for 10G SFP+ transceivers, the speed is also autonegotiated.

Note: An XFP transceiver is not hot-swappable on the NetScaler appliances. You must restart a NetScaler appliance after you insert an XFP transceiver. However, the 10G SFP+ transceiver is hot-swappable from release 9.3 build 57.5 and later on the NetScaler appliances that use the ixgbe (ix) interface.

The following platforms support 10G SFP+ transceivers:
- MPX 8005/8015/8200/8400/8600/8800
- MPX 9700/10500/12500/15500 10G and 10G FIPS
- MPX 11500/13500/14500/16500/18500/20500
- MPX 11515/11520/11530/11540/11542
- MPX 14000
- MPX 17500/19500/21500
- MPX 17550/19550/20550/21550
- MPX 22040/22060/22080/22100/22120
- MPX 24100/24150
- MPX 25100T/25160T
- T1100 (Gen1)
- T1100 (16)
- T1120
- T1300
- T1300-40G

The following platforms support XFP transceivers:
- MPX 15000
- MPX 17000

Caution: NetScaler appliances do not support XFP/10G SFP+ transceivers provided by vendors other than Citrix Systems. Attempting to install third-party XFP/10G SFP+ transceivers on your NetScaler appliance voids the warranty.

Insert the XFP/10G SFP+ transceivers into the XFP/10G SFP+ ports on the front panel of the appliance. Frequent installation and removal of transceivers shortens their life span. Follow the removal procedure carefully to avoid damaging the transceiver or the appliance.

Caution: Do not install the transceivers with the cables attached. Doing so can damage the cable, the connector, or the optical interface of the transceiver.

1. Remove the XFP/10G SFP+ transceiver carefully from its box. Danger: Do not look directly into fiber optic transceivers and cables. They emit laser beams that can damage your eyes.
2. Align the XFP/10G SFP+ transceiver to the front of the XFP/10G SFP+ transceiver port on the front panel of the appliance.
3. Hold the XFP/10G SFP+ transceiver between your thumb and index finger and insert it into the XFP/10G SFP+ transceiver port, pressing it in until you hear the transceiver snap into place.
4. Move the locking hinge to the DOWN position as shown in the following figure.
   Figure 1. Locking an XFP transceiver
5. Verify that the LED is green and blinks twice, which indicates that the transceiver is functioning correctly.
6. Do not remove the dust caps attached to the transceiver and cable until you are ready to insert the cable.

1. Disconnect the cable from the XFP/10G SFP+ transceiver. Replace the dust cap on the cable before putting it away. Danger: Do not look directly into fiber optic transceivers or cables. They emit laser beams that can damage your eyes.
2. Unlock the XFP/10G SFP+ transceiver by moving the locking hinge to the UP position.
3. Hold the XFP/10G SFP+ transceiver between your thumb and index finger and slowly pull it out of the port.
4. Replace the dust cap on the transceiver before putting it away.
5. Put the XFP/10G SFP+ transceiver into its original box or another appropriate container.

Jul 25, 2017

A NetScaler appliance has both a command line interface (CLI) and a graphical user interface (GUI). The GUI includes a configuration utility for configuring the appliance and a statistical utility, called Dashboard. For initial access, all appliances ship with the default NetScaler IP address (NSIP) of 192.168.100.1 and default subnet mask of 255.255.0.0. You can assign a new NSIP and an associated subnet mask during initial configuration.

If you encounter an IP address conflict when deploying multiple NetScaler units, check for the following possible causes:
- Did you select an NSIP that is an IP address already assigned to another device on your network?
- Did you assign the same NSIP to multiple NetScaler appliances?

The NSIP is reachable on all physical ports. The ports on a NetScaler are host ports, not switch ports.

The following table summarizes the available access methods.

Table 1. Methods for Accessing a NetScaler appliance

Access Method    Port        Default IP Address Required? (Y/N)
-------------    --------    ----------------------------------
CLI              Console     N
CLI and GUI      Ethernet    Y

Updated: 2013-09-04

You can access the CLI either locally, by connecting a workstation to the console port, or remotely, by connecting through secure shell (SSH) from any workstation on the same network.

The appliance has a console port for connecting to a computer workstation. To log on to the appliance, you need a serial crossover cable and a workstation with a terminal emulation program.

1. Connect the console port to a serial port on the workstation, as described in .
2. On the workstation, start HyperTerminal or any other terminal emulation program. If the logon prompt does not appear, you may need to press ENTER one or more times to display it.
3. Log on by using the administrator credentials. The command prompt (>) appears on the workstation monitor.

The SSH protocol is the preferred method for accessing an appliance remotely from any workstation on the same network. You can use either SSH version 1 (SSH1) or SSH version 2 (SSH2). If you do not have a working SSH client, you can download and install any of the following SSH client programs:

- PuTTY: Open Source software supported on multiple platforms. Available at: "http://www.chiark.greenend.org.uk/~sgtatham/putty/"
- Vandyke Software SecureCRT: Commercial software supported on the Windows platform. Available at: "http://www.vandyke.com/products/securecrt/"

These programs have been tested by the Citrix NetScaler team, which has verified that they work correctly with a NetScaler appliance. Other programs may also work correctly, but have not been tested. To verify that the SSH client is installed properly, use it to connect to any device on your network that accepts SSH connections.

1. On your workstation, start the SSH client.
2. For initial configuration, use the default NetScaler IP address (NSIP), which is 192.168.100.1. For subsequent access, use the NSIP that was assigned during initial configuration. Select either SSH1 or SSH2 as the protocol.
3. Log on by using the administrator credentials. For example:

login as: nsroot
Using keyboard-interactive authentication.
Password:
Last login: Tue Jun 16 10:37:28 2009 from 10.102.29.9
Done
>

Updated: 2014-06-30

Important: A certificate-key pair is required for HTTPS access to the NetScaler configuration utility. On a NetScaler ADC, a certificate-key pair is automatically bound to the internal services. On an MPX or SDX appliance, the default key size is 1024 bytes, and on a VPX instance, the default key size is 512 bytes. However, most browsers today do not accept a key that is less than 1024 bytes. As a result, HTTPS access to the VPX configuration utility is blocked. Additionally, if a license is not present on an MPX appliance when it starts, and you add a license later and restart the appliance, you might lose the certificate binding. Citrix recommends that you install a certificate-key pair of at least 1024 bytes on a NetScaler ADC for HTTPS access to the configuration utility, and that you install an appropriate license before starting the ADC.

The graphical user interface includes a configuration utility and a statistical utility, called Dashboard, either of which you access through a workstation connected to an Ethernet port on the appliance. The system requirements for the workstation running the GUI are as follows:
- For Windows-based workstations, a Pentium 166 MHz or faster processor.
- For Linux-based workstations, a Pentium platform running Linux kernel v2.2.12 or above, and glibc version 2.12-11 or later. A minimum of 32 MB RAM is required, and 48 MB RAM is recommended. The workstation should support 16-bit color mode, KDE and KWM window managers used in conjunction, with displays set to local hosts.
- For Solaris-based workstations, a Sun running either Solaris 2.6, Solaris 7, or Solaris 8.

Your workstation must have a supported web browser to access the configuration utility and Dashboard. The following browsers are supported.

Operating System    Browser              Versions
----------------    -----------------    ----------------
Windows 7           Internet Explorer    9, 10, and 11
                    Mozilla Firefox      3.6.25 and above
                    Google Chrome        Latest
Windows 64 bit      Internet Explorer    8, 9, 10, and 11
                    Google Chrome        Latest
MAC                 Mozilla Firefox      3.6.25 and above
                    Safari               5.1.3 and above
                    Google Chrome        Latest

Once you log on to the configuration utility, you can configure the appliance through a graphical interface that includes context-sensitive help.

To log on to the configuration utility

1. Open your web browser and enter the NetScaler IP (NSIP) as an HTTP address. If you have not yet set up the initial configuration, enter the default NSIP (http://192.168.100.1). The Citrix Logon page appears.
   Note: If you have two NetScaler appliances in a high availability setup, make sure that you do not access the GUI by entering the IP address of the secondary NetScaler. If you do so and use the GUI to configure the secondary NetScaler, your configuration changes will not be applied to the primary NetScaler.
2. In the User Name text box, type nsroot.
3. In the Password text box, type the administrative password you assigned to the nsroot account during initial configuration and click Login. The Configuration Utility page appears.

If you need to access the online help, select Help from the Help menu at the top right corner.

Dashboard, the statistical utility, is a browser-based application that displays charts and tables on which you can monitor the performance of a NetScaler.

To log on to Dashboard

1. Open your web browser and enter the NSIP as an HTTP address (http://<NSIP>). The Citrix Logon page appears.
2. In the User Name text box, type nsroot.
3. In the Password text box, type the administrative password you assigned to the nsroot account during initial configuration.

Jul 25, 2017

You can deploy two NetScaler appliances in a high availability configuration, where one unit actively accepts connections and manages servers while the secondary unit monitors the first. The NetScaler that is actively accepting connections and managing the servers is called a primary unit and the other one is called a secondary unit in a high availability configuration. If there is a failure in the primary unit, the secondary unit becomes the primary and begins actively accepting connections.

Each NetScaler in a high availability pair monitors the other by sending periodic messages, called heartbeat messages or health checks, to determine the health or state of the peer node. If a health check for a primary unit fails, the secondary unit retries the connection for a specific time period. For more information about high availability, see "High Availability." If a retry does not succeed by the end of the specified time period, the secondary unit takes over for the primary unit in a process called failover.

The following figures show two high availability configurations, one in one-arm mode and the other in two-arm mode.

Figure 1. High availability in one-arm mode

Figure 2. High availability in two-arm mode

In one-arm configuration, both NS1 and NS2 and servers S1, S2, and S3 are connected to the switch. In two-arm configuration, both NS1 and NS2 are connected to two switches. The servers S1, S2, and S3 are connected to the second switch. The traffic between client and the servers passes through either NS1 or NS2.

To set up a high availability environment, configure one NetScaler as primary and another as secondary. Perform the following tasks on each of the NetScalers:
- Add a node.
- Disable high availability monitoring for unused interfaces.

Updated: 2013-06-24

A node is a logical representation of a peer NetScaler appliance. It identifies the peer unit by ID and NSIP. An appliance uses these parameters to communicate with the peer and track its state. When you add a node, the primary and secondary units exchange heartbeat messages asynchronously. The node ID is an integer that must not be greater than 64.

At the command prompt, type the following commands to add a node and verify that the node has been added:

add HA node <id> <IPAddress>
show HA node <id>

Example

> add HA node 0 10.102.29.170
Done
> show HA node 0
1) Node ID: 0
   IP: 10.102.29.200 (NS200)
   Node State: UP
   Master State: Primary
   SSL Card Status: UP
   Hello Interval: 200 msecs
   Dead Interval: 3 secs
   Node in this Master State for: 1:0:41:50 (days:hrs:min:sec)

1. Navigate to System > High Availability.
2. Click Add on the Nodes tab.
3. On the Create HA Node page, in the Remote Node IP Address text box, type the NSIP Address (for example, 10.102.29.170) of the remote node.
4. Ensure that the Configure remote system to participate in High Availability setup check box is selected. Provide the login credentials of the remote node in the text boxes under Remote System Login Credentials.
5. Select the Turn off HA monitor on interfaces/channels that are down check box to disable the HA monitor on interfaces that are down.

Verify that the node you added appears in the list of nodes in the Nodes tab.

Updated: 2013-06-24

The high availability monitor is a virtual entity that monitors an interface. You must disable the monitor for interfaces that are not connected or being used for traffic. When the monitor is enabled on an interface whose status is DOWN, the state of the node becomes NOT UP. In a high availability configuration, a primary node entering a NOT UP state might cause a high availability failover. An interface is marked DOWN under the following conditions:
- The interface is not connected
- The interface is not working properly
- The cable connecting the interface is not working properly

At the command prompt, type the following commands to disable the high availability monitor for an unused interface and verify that it is disabled:

    set interface -haMonitor OFF
    show interface

Example

    > set interface 1/8 -haMonitor OFF
     Done
    > show interface 1/8
    Interface 1/8 (Gig Ethernet 10/100/1000 MBits) #2
        flags=0x4000
        MTU=1514, native vlan=1, MAC=00:d0:68:15:fd:3d, downtime 238h55m44s
        Requested: media AUTO, speed AUTO, duplex AUTO, fctl OFF, throughput 0
        RX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
        TX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
        NIC: InDisc(0) OutDisc(0) Fctls(0) Stalls(0) Hangs(0) Muted(0)
        Bandwidth thresholds are not set.

When the high availability monitor is disabled for an unused interface, the output of the show interface command for that interface does not include "HAMON."

1. Navigate to System > Network > Interfaces.
2. Select the interface for which the monitor must be disabled.
3. Click Open. The Modify Interface dialog box appears.
4. In HA Monitoring, select the OFF option.
5. Click OK.
6. Verify that, when the interface is selected, "HA Monitoring: OFF" appears in the details at the bottom of the page.
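The rule described above (a monitored interface that is DOWN puts the node in a NOT UP state and can trigger a failover) can be checked across all interfaces before HA is enabled. The following Python script is an added example, not Citrix code: it parses show interface output, reports interfaces that are down but still list HAMON, and prints the set interface command from this page for each. The sample output, the angle-bracketed flag list in which HAMON appears, and the uptime field are constructed assumptions.

```python
import re

# Constructed sample of `show interface` output, modelled on the 1/8 example
# on this page. Assumptions: HAMON appears inside an angle-bracketed flag list,
# and an interface that is up reports "uptime" instead of "downtime".
SAMPLE_OUTPUT = """\
1)  Interface 1/1 (Gig Ethernet 10/100/1000 MBits) #0
    flags=0xc020 <ENABLED, UP, UP, autoneg, HAMON, 802.1q>
    MTU=1514, native vlan=1, MAC=00:d0:68:15:fd:3b, uptime 238h55m40s
2)  Interface 1/7 (Gig Ethernet 10/100/1000 MBits) #1
    flags=0x4000 <ENABLED, DOWN, down, autoneg, HAMON, 802.1q>
    MTU=1514, native vlan=1, MAC=00:d0:68:15:fd:3c, downtime 238h55m44s
3)  Interface 1/8 (Gig Ethernet 10/100/1000 MBits) #2
    flags=0x4000 <ENABLED, DOWN, down, autoneg, 802.1q>
    MTU=1514, native vlan=1, MAC=00:d0:68:15:fd:3d, downtime 238h55m44s
"""

# Start of one interface record, with or without the "N)" list prefix.
HEADER = re.compile(r"^\s*(?:\d+\)\s+)?Interface\s+(\S+)\s+\(", re.MULTILINE)


def parse_interfaces(text):
    """Split the output into per-interface records.

    Each record carries the interface name, whether it reports downtime,
    and whether the HA monitor token (HAMON) is present.
    """
    matches = list(HEADER.finditer(text))
    records = []
    for i, match in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        block = text[match.start():end]
        records.append({
            "name": match.group(1),
            "down": re.search(r"\bdowntime\b", block) is not None,
            "ha_monitor": re.search(r"\bHAMON\b", block) is not None,
        })
    return records


def failover_risks(text):
    """Names of interfaces that are down while the HA monitor is still on."""
    return [r["name"] for r in parse_interfaces(text)
            if r["down"] and r["ha_monitor"]]


def remediation_commands(text):
    """One `set interface ... -haMonitor OFF` command per risky interface."""
    return [f"set interface {name} -haMonitor OFF"
            for name in failover_risks(text)]


if __name__ == "__main__":
    for record in parse_interfaces(SAMPLE_OUTPUT):
        state = "DOWN" if record["down"] else "UP"
        monitor = "ON" if record["ha_monitor"] else "OFF"
        print(f"{record['name']}: state={state} haMonitor={monitor}")
    for command in remediation_commands(SAMPLE_OUTPUT):
        print(command)
```

Review each reported interface before running the command: an interface that carries production traffic and is unexpectedly down is a fault to fix, not a monitor to disable.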


Jul 25, 2017

Configuration of system settings includes basic tasks such as configuring HTTP ports to enable connection keep-alive and server offload, setting the maximum number of connections for each server, and setting the maximum number of requests per connection. You can enable client IP address insertion for situations in which a proxy IP address is not suitable, and you can change the HTTP cookie version.

You can also configure a NetScaler appliance to open FTP connections on a controlled range of ports instead of ephemeral ports for data connections. This improves security, because opening all ports on the firewall is insecure. You can set the range anywhere from 1,024 to 64,000.

Before deployment, go through the verification checklists to verify your configuration.

To configure HTTP parameters and the FTP port range, use the NetScaler configuration utility. You can modify the types of HTTP parameters described in the following table.

Table 1. HTTP Parameters

Parameter Type: HTTP Port Information
Specifies: The web server HTTP ports used by your managed servers. If you specify the ports, the appliance performs request switching for any client request that has a destination port matching a specified port. Note: If an incoming client request is not destined for a service or a virtual server that is specifically configured on the appliance, the destination port in the request must match one of the globally configured HTTP ports. This allows the appliance to perform connection keep-alive and server off-load.

Parameter Type: Limits
Specifies: The maximum number of connections to each managed server, and the maximum number of requests sent over each connection. For example, if you set Max Connections to 500, and the appliance is managing three servers, it can open a maximum of 500 connections to each of the three servers. By default, the appliance can create an unlimited number of connections to any of the servers it manages. To specify an unlimited number of requests per connection, set Max Requests to 0. Note: If you are using the Apache HTTP server, you must set Max Connections equal to the value of the MaxClients parameter in the Apache httpd.conf file. Setting this parameter is optional for other web servers.

Parameter Type: Client IP Insertion
Specifies: Enable/disable insertion of the client's IP address into the HTTP request header. You can specify a name for the header field in the adjacent text box. When a web server managed by an appliance receives a mapped IP address or a subnet IP address, the server identifies it as the client's IP address. Some applications need the client's IP address for logging purposes or to dynamically determine the content to be served by the web server. You can enable insertion of the actual client IP address into the HTTP header request sent from the client to one, some, or all servers managed by the appliance. You can then access the inserted address through a minor modification to the server (using an Apache module, ISAPI interface, or NSAPI interface).

Parameter Type: Cookie Version
Specifies: The HTTP cookie version to use when COOKIEINSERT persistence is configured on a virtual server. The default, version 0, is the most common type on the Internet. Alternatively, you can specify version 1.

Parameter Type: Requests/Responses
Specifies: Options for handling certain types of requests, and enable/disable logging of HTTP error responses.

Parameter Type: Server Header Insertion
Specifies: Insert a server header in NetScaler-generated HTTP responses.

1. In the navigation pane, expand System, and then click Settings.
2. In the details pane, under Settings, click Change HTTP parameters.
3. In the Configure HTTP parameters dialog box, specify values for some or all of the parameters that appear under the headings listed in the table above.
4. Click OK.

1. In the navigation pane, expand System, and then click Settings.
2. In the details pane, under Settings, click Change global system settings.
3. Under FTP Port Range, in the Start Port and End Port text boxes, type the lowest and highest port numbers, respectively, for the range you want to specify (for example, 5000 and 6000).
4. Click OK.
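With Client IP Insertion enabled, the managed server sees the appliance's mapped or subnet IP address as the TCP peer and reads the real client address from the inserted header, so the server should honour that header only on connections that actually come from the appliance. The following Python code is an added example of that server-side check, not Citrix code; the header name X-Client-IP and the appliance addresses are assumptions.

```python
import ipaddress

# Assumption: the header name typed into the Client IP Insertion text box.
CLIENT_IP_HEADER = "X-Client-IP"

# Assumption: constructed mapped/subnet IP addresses that the appliance uses
# as the source of its connections to the managed servers.
APPLIANCE_SOURCE_IPS = frozenset(
    ipaddress.ip_address(addr) for addr in ("10.102.29.171", "10.102.29.172")
)


def resolve_client_ip(peer_addr, headers):
    """Return (client_ip, source) for one request.

    peer_addr: source address of the TCP connection as seen by the server.
    headers:   list of (name, value) pairs in arrival order, duplicates kept.
    source is "header" when the inserted header was honoured, else "peer".
    Raises ValueError when a connection from the appliance carries an
    ambiguous or malformed header, so the caller can reject the request.
    """
    peer = ipaddress.ip_address(peer_addr)

    # The connection did not come through the appliance, so whatever is in
    # the header was written by the client itself. Ignore it.
    if peer not in APPLIANCE_SOURCE_IPS:
        return str(peer), "peer"

    wanted = CLIENT_IP_HEADER.lower()
    values = [value.strip() for name, value in headers if name.lower() == wanted]

    # Insertion is not enabled for this server: only the appliance address
    # is known, and it must not be logged as if it were the client.
    if not values:
        return str(peer), "peer"

    # More than one occurrence means at least one value did not come from
    # the appliance. Refuse to guess which one is genuine.
    if len(values) > 1:
        raise ValueError(f"multiple {CLIENT_IP_HEADER} headers: {values!r}")

    # ip_address() raises ValueError for lists, host names and other junk.
    return str(ipaddress.ip_address(values[0])), "header"


if __name__ == "__main__":
    # Constructed requests: (TCP peer, headers).
    requests = [
        ("10.102.29.171", [("Host", "www.example.com"),
                           ("X-Client-IP", "203.0.113.7")]),
        ("198.51.100.9", [("X-Client-IP", "10.0.0.1")]),
        ("10.102.29.171", [("X-Client-IP", "10.0.0.1"),
                           ("x-client-ip", "203.0.113.7")]),
    ]
    for peer, hdrs in requests:
        try:
            print(peer, "->", resolve_client_ip(peer, hdrs))
        except ValueError as exc:
            print(peer, "-> rejected:", exc)
```

Log both the resolved address and the TCP peer, so that a request that bypassed the appliance is visible in the server logs.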


Jul 25, 2017

You can configure a NetScaler appliance to function as an Authoritative Domain Name Server (ADNS), DNS proxy server, End Resolver, or Forwarder. You can add DNS resource records such as SRV Records, AAAA Records, A Records, MX Records, NS Records, CNAME Records, PTR Records, and SOA Records. Also, the appliance can balance the load on external DNS servers.

A common practice is to configure an appliance as a forwarder. For this configuration, you need to add external name servers. After you have added the external servers, you should verify that your configuration is correct.

You can add, remove, enable, and disable external name servers. You can create a name server by specifying its IP address, or you can configure an existing virtual server as the name server.

When adding name servers, you can specify IP addresses or virtual IP addresses (VIPs). If you use IP addresses, the appliance load balances requests to the configured name servers in a round robin manner. If you use VIPs, you can specify any load balancing method.

At the command prompt, type the following commands to add a name server and verify the configuration:

    add dns nameServer
    show dns nameServer

Example

    > add dns nameServer 10.102.29.10
     Done
    > show dns nameServer 10.102.29.10
    1)  10.102.29.10 - State: DOWN
     Done
    >

1. Navigate to Traffic Management > DNS > Name Servers.
2. In the details pane, click Add.
3. In the Create Name Server dialog box, select IP Address.
4. In the IP Address text box, type the IP address of the name server (for example, 10.102.29.10). If you are adding an external name server, clear the Local check box.
5. Click Create, and then click Close.
6. Verify that the name server you added appears in the Name Servers pane.


Jul 25, 2017

To configure load balancing, you must first create services. Then, you create virtual servers and bind the services to the virtual servers. By default, the NetScaler appliance binds a monitor to each service. After binding the services, verify your configuration by making sure that all of the settings are correct.

Note: After you deploy the configuration, you can display statistics that show how the entities in the configuration are performing. Use the statistical utility or the stat lb vserver command.

Optionally, you can assign weights to a service. The load balancing method then uses the assigned weight to select a service. For getting started, however, you can limit optional tasks to configuring some basic persistence settings, for sessions that must maintain a connection to a particular server, and some basic configuration-protection settings.

The following flow chart illustrates the sequence of the configuration tasks.

Figure 1. Sequence of Tasks to Configure Load Balancing


Updated: 2013-06-05 Before configuring load balancing, make sure that the load balancing feature is enabled.


At the command prompt, type the following commands to enable load balancing and verify that it is enabled:

    enable feature lb
    show feature

Example

    > enable feature lb
     Done
    > show feature
            Feature               Acronym   Status
            -------               -------   ------
     1)     Web Logging           WL        OFF
     2)     Surge Protection      SP        OFF
     3)     Load Balancing        LB        ON
     .
     .
     .
     9)     SSL Offloading        SSL       ON
     .
     .
     .
     Done

1. In the navigation pane, expand System, and then click Settings.
2. In the details pane, under Modes and Features, click Change basic features.
3. In the Configure Basic Features dialog box, select the Load Balancing check box, and then click OK.
4. In the Enable/Disable Feature(s)? message, click Yes.

Updated: 2013-06-24 When you have identified the services you want to load balance, you can implement your initial load balancing configuration by creating the service objects, creating a load balancing virtual server, and binding the service objects to the virtual server.

At the command prompt, type the following commands to implement and verify the initial configuration:

    add service
    add lb vserver [ ]
    bind lb vserver
    show service bindings

Example

    > add service service-HTTP-1 10.102.29.5 HTTP 80
     Done
    > add lb vserver vserver-LB-1 HTTP 10.102.29.60 80
     Done
    > bind lb vserver vserver-LB-1 service-HTTP-1
     Done
    > show service bindings service-HTTP-1
            service-HTTP-1 (10.102.29.5:80) - State : DOWN
    1)      vserver-LB-1 (10.102.29.60:80) - State : DOWN
     Done

1. Navigate to Traffic Management > Load Balancing.
2. In the details pane, under Getting Started, click Load Balancing wizard, and follow the instructions to create a basic load balancing setup.
3. Return to the navigation pane, expand Load Balancing, and then click Virtual Servers.
4. Select the virtual server that you configured and verify that the parameters displayed at the bottom of the page are correctly configured.
5. Click Open.
6. Verify that each service is bound to the virtual server by confirming that the Active check box is selected for each service on the Services tab.


Installing NetScaler Virtual Appliances on VMware ESX
Jul 25, 2017

After you have installed and configured VMware ESX, you can use the VMware vSphere client to install virtual appliances on the VMware ESX server. The number of virtual appliances that you can install depends on the amount of memory available on the hardware that is running VMware ESX.

Note: By default, the NetScaler Virtual Appliance uses E1000 network interfaces.

To install NetScaler virtual appliances on VMware ESX by using VMware vSphere Client:
1. Start the VMware vSphere client on your workstation.
2. In the IP address / Name text box, type the IP address of the VMware ESX server that you want to connect to.
3. In the User Name and Password text boxes, type the administrator credentials, and then click Login.
4. On the File menu, click Deploy OVF Template.
5. In the Deploy OVF Template dialog box, in Deploy from file, browse to the location at which you saved the NetScaler virtual appliance setup files, select the .ovf file, and click Next.
6. Map the networks shown in the virtual appliance OVF template to the networks that you configured on the ESX host. Click Next to start installing a virtual appliance on VMware ESX. When installation is complete, a pop-up window informs you of the successful installation.
7. You are now ready to start the NetScaler virtual appliance. In the navigation pane, select the NetScaler virtual appliance that you have just installed and, from the right-click menu, select Power On. Click the Console tab to emulate a console port.
8. If you want to install another virtual appliance, repeat steps 4 through 6.


Prerequisites for Installing NetScaler VPX Virtual Appliances on Linux-KVM Platform
Jul 25, 2017

Hardware Requirements

The following table describes the minimum system requirements for Linux-KVM servers running NetScaler VPX.

Component: CPU
Requirement: 64-bit x86 processors with the hardware virtualization features included in the AMD-V and Intel VT-X processors. To test whether your CPU supports Linux host, enter the following command at the host Linux shell prompt:
egrep '^flags.*(vmx|svm)' /proc/cpuinfo
If the BIOS settings for the above extension are disabled, you must enable them in BIOS. Provide at least 2 CPU cores to Host Linux. There is no specific recommendation for processor speed, but the higher the speed, the better the performance of the VM application.

Component: Memory (RAM)
Requirement: Minimum 4 GB for the host Linux kernel. Add additional memory as required by the VMs.

Component: Hard Disk
Requirement: Calculate the space for Host Linux kernel and VM requirements. A single NetScaler VPX VM requires 20 GB of disk space.

Software Requirements

The Host kernel used must be a 64-bit Linux kernel, release 2.6.20 or later, with all virtualization tools. Citrix recommends newer kernels, such as 3.6.11-4 and later. Many Linux distributions, such as Red Hat, CentOS, and Fedora, have tested kernel versions and associated virtualization tools.

Guest VM Hardware Requirements

NetScaler VPX supports IDE and virtIO hard disk types. The Hard Disk Type has been configured in the XML file, which is a part of the NetScaler package.

Networking Requirements

NetScaler VPX supports virtIO para-virtualized, SR-IOV, and PCI Passthrough network interfaces. For more information about the supported network interfaces, see:
Provisioning the NetScaler Virtual Appliance by using the Virtual Machine Manager


Configuring NetScaler Virtual Appliances to use Single Root I/O Virtualization (SR-IOV) Network Interface
Configuring NetScaler Virtual Appliances to use PCI Passthrough Network Interface

Source Interface and Modes

The source device type can be either Bridge or MacVTap. In case of MacVTap, four modes are possible: VEPA, Bridge, Private and Pass-through. The following tables list the types of interfaces that you can use and the supported traffic types. For best performance by the NetScaler instance, make sure that the gro and lro capabilities are switched off on the source interfaces.

Table 1. Interface Types

Interface Type: Source: Bridge
Considerations: Linux Bridge. Ebtables and iptables settings on host Linux might filter the traffic on the bridge if you do not choose the correct setting or disable IPtable services.

Interface Type: Source: MacVTap, Mode: VEPA
Considerations: Better performance than a bridge. Interfaces from the same lower device can be shared across the VMs. Inter-VM communication using the same lower device is possible only if upstream or downstream switch supports VEPA mode.

Interface Type: Source: MacVTap, Mode: Private
Considerations: Better performance than a bridge. Interfaces from the same lower device can be shared across the VMs. Inter-VM communication using the same lower device is not possible.

Interface Type: Source: MacVTap, Mode: Bridge
Considerations: Better as compared to bridge. Interfaces out of same lower device can be shared across the VMs. Inter-VM communication using the same lower device is possible, if lower device link is UP.

Interface Type: Source: MacVTap, Mode: Pass-through
Considerations: Better as compared to bridge. Only one VM can use the lower device. Interfaces out of same lower device cannot be shared across the VMs.

Properties of Source Interfaces

Make sure that you switch off the generic-receive-offload (gro) and large-receive-offload (lro) capabilities of the source interfaces. To switch off the gro and lro capabilities, run the following commands at the host Linux shell prompt.

ethtool -K eth6 gro off
ethtool -K eth6 lro off

Example:

[root@localhost ~]# ethtool -K eth6
Offload parameters for eth6:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: on
[root@localhost ~]#

Example

If the host Linux bridge is used as a source device, as in the following example, gro and lro capabilities must be switched off on the vnet interfaces, which are the virtual interfaces connecting the host to the guest VMs.

[root@localhost ~]# brctl show eth6_br
bridge name     bridge id               STP enabled     interfaces
eth6_br         8000.00e0ed1861ae       no              eth6
                                                        vnet0
                                                        vnet2
[root@localhost ~]#

In the above example, the two virtual interfaces are derived from the eth6_br and are represented as vnet0 and vnet2. Run the following commands to switch off gro and lro capabilities on these interfaces.

ethtool -K vnet0 gro off
ethtool -K vnet2 gro off
ethtool -K vnet0 lro off
ethtool -K vnet2 lro off
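The check described above can be scripted so that no bridge member is missed. The script below is an added example, not part of the Citrix documentation: it lists the ethtool commands still needed for every interface of a bridge. The function names and the sample command output are constructed for illustration; it reads the current settings with ethtool -k (lowercase), which prints them without changing anything.

```shell
#!/bin/sh
# Added example: list the ethtool commands still needed to switch off gro and
# lro on every interface of a host bridge. The parsers read command output on
# stdin, so they can be checked offline against the constructed samples below.

# Constructed sample of `brctl show eth6_br` (layout as in the page's example).
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
eth6_br         8000.00e0ed1861ae       no              eth6
                                                        vnet0
                                                        vnet2'

# Constructed sample of `ethtool -k vnet0`: lro is still on.
SAMPLE_ETHTOOL_LRO_ON='Features for vnet0:
rx-checksumming: on
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: on'

# Constructed sample of `ethtool -k vnet2`: both off (lro fixed by the driver).
SAMPLE_ETHTOOL_OK='Features for vnet2:
rx-checksumming: on
generic-receive-offload: off
large-receive-offload: off [fixed]'

# Print the member interfaces of a bridge from `brctl show <bridge>` output.
bridge_members() {
    awk '
        NR == 1 { next }              # header row
        NF >= 4 { print $4; next }    # first member shares the row with the bridge
        NF == 1 { print $1 }          # further members sit on continuation rows
    '
}

# Print on, off or unknown for feature $1 from `ethtool -k <iface>` output.
offload_state() {
    awk -v feat="$1" -F': *' '
        $1 ~ ("^[ \t]*" feat "$") { split($2, word, " "); print word[1]; seen = 1; exit }
        END { if (!seen) print "unknown" }
    '
}

# Print the commands needed to bring interface $1 in line with the page's
# requirement. Empty output means gro and lro are already off.
offload_fixes() {
    iface=$1
    report=$(cat)
    for pair in gro:generic-receive-offload lro:large-receive-offload; do
        short=${pair%%:*}
        long=${pair#*:}
        state=$(printf '%s\n' "$report" | offload_state "$long")
        case $state in
            off) ;;
            on)  printf 'ethtool -K %s %s off\n' "$iface" "$short" ;;
            *)   printf '# %s: %s state not reported by ethtool\n' "$iface" "$short" ;;
        esac
    done
}

# Live use on the KVM host (not run here): audit_bridge eth6_br
audit_bridge() {
    for member in $(brctl show "$1" | bridge_members); do
        ethtool -k "$member" | offload_fixes "$member"
    done
}
```

Because libvirt creates vnet interfaces when a guest starts, run the audit again after every guest start or interface change.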

Promiscuous Mode

Promiscuous mode has to be enabled for the following features to work:
- L2 mode
- Multicast traffic processing
- Broadcast
- IPV6 traffic
- VMAC
- Dynamic routing

Use the following command to enable promiscuous mode.

[root@localhost ~]# ifconfig eth6 promisc
[root@localhost ~]# ifconfig eth6
eth6      Link encap:Ethernet  HWaddr 78:2b:cb:51:54:a3
          inet6 addr: fe80::7a2b:cbff:fe51:54a3/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:9000  Metric:1
          RX packets:142961 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2895843 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14330008 (14.3 MB)  TX bytes:1019416071 (1.0 GB)
[root@localhost ~]#

Module Required

For better network performance, make sure the vhost_net module is present in the Linux host. To check the existence of the vhost_net module, run the following command on the Linux host:

lsmod | grep "vhost_net"

If vhost_net is not yet running, enter the following command to run it:

modprobe vhost_net


Provisioning the NetScaler Virtual Appliance by using the Virtual Machine Manager
Jul 25, 2017

The Virtual Machine Manager is a desktop tool for managing VM Guests. It enables you to create new VM Guests and various types of storage, and manage virtual networks. You can access the graphical console of VM Guests with the built-in VNC viewer and view performance statistics, either locally or remotely. After installing your preferred Linux distribution, with KVM virtualization enabled, you can proceed with provisioning virtual machines.

Provisioning the NetScaler Virtual Appliance using the RAW Image

Using the Virtual Machine Manager, you can provision the NetScaler VPX using the RAW image.

To provision a NetScaler VPX by using Virtual Machine Manager:
1. Open the Virtual Machine Manager (Application > System Tools > Virtual Machine Manager) and enter the logon credentials in the Authenticate window.
2. Click the icon or right-click localhost (QEMU) to create a new NetScaler VPX instance.
3. In the Name text box, enter a name for the new VM (for example, NetScaler-VPX).
4. In the New VM window, under "Choose how you would like to install the operating system," select Import existing disk image, and then click Forward.
5. In the Provide the existing storage path field, navigate the path to the image. Choose the OS type as UNIX and Version as FreeBSD 6.x. Then, click Forward.
6. Under "Choose Memory and CPU settings," select the following settings, and then click Forward:
   - Memory (RAM): 2048 MB
   - CPUs: 2
7. Select the Customize configuration before install check box. Optionally, under "Advanced options," you can customize the MAC address. Make sure the Virt Type selected is kvm and the Architecture selected is x86_64. Click Finish.
8. Select a NIC and provide the following configuration:
   - Source device: ethX macvtap or Bridge
   - Device model: virtio
   - Source mode: Bridge
9. Click Apply, and then click Begin Installation.

After you have provisioned the NetScaler VPX on KVM, you can add additional interfaces.

Provisioning the NetScaler Virtual Appliance by using the QCOW2 Image

Using the Virtual Machine Manager, you can provision the NetScaler VPX using the QCOW2 image.

Note: You can also convert the NetScaler VPX RAW image to QCOW2 image and provision the NetScaler VPX. For instructions to convert the RAW image to QCOW2, see Converting the RAW Image Format to a QCOW2 Image Format.

To provision the NetScaler VPX using QCOW2 image:
1. Follow step 1 to step 8 in Provisioning the NetScaler Virtual Appliance by using the RAW Image. Note: Make sure that you select qcow2 image in step 5.
2. Select Disk 1 and click Advanced options. Select qcow2 from the Storage format drop-down list.
4. Click Apply, and then click Begin Installation.

After you have provisioned the NetScaler VPX on KVM, you can add additional interfaces.

Adding Additional Interfaces to NetScaler VPX by using Virtual Machine Manager
Updated: 2015-03-11

After you have provisioned the NetScaler VPX on KVM, you can add additional interfaces.

To add additional interfaces:
1. Shut down the NetScaler VPX instance running on the KVM.
2. Right-click the VPX instance and choose Open from the pop-up menu.
3. Click the icon in the header to view the virtual hardware details.
4. Click Add Hardware. In the Add New Virtual Hardware window, select Network from the navigation menu.
5. In Host Device field, select the physical interface type. The host device type can be either Bridge or MacVTap. In case of MacVTap, the four possible modes are VEPA, Bridge, Private and Pass-through.
   1. For Bridge
      1. Host device: Select the "Specify shared device name" option.
      2. Provide the Bridge name that is configured in the KVM host. Note: Make sure that you have configured a Linux bridge in the KVM host, bound the physical interface to the bridge, and put the bridge in the UP state.
      3. Device model: virtio.
      4. Click Finish.
   2. For MacVTap
      1. Host device: Select the physical interface from the menu.
      2. Device model: virtio.
      3. Click Finish. You can view the newly added NIC in the navigation pane.
      4. Select the newly added NIC and select the Source mode for this NIC. The available modes are VEPA, Bridge, Private, and Passthrough. For more details on the interface and modes, see Source Interface and Modes.
      5. Click Apply.
6. Start the NetScaler VPX VM.

Important
Limitation: Interface parameter configurations such as speed, duplex, and autonegotiation are not supported.

Converting the RAW Image Format to a QCOW2 Image Format

You can convert the NetScaler VPX RAW image to QCOW2 image and provision the NetScaler VPX.

To convert the RAW image to QCOW2 image, at the command prompt, enter the following command:

qemu-img convert -O qcow2 original-image.raw image-converted.qcow

For example:

qemu-img convert -O qcow2 NSVPX-KVM-11.1-12.5_nc.raw NSVPX-KVM-11.1-12.5_nc.qcow


Configuring NetScaler Virtual Appliances to use Single Root I/O Virtualization (SR-IOV) Network Interface
Jul 25, 2017

After you have installed and configured the NetScaler virtual appliance on Linux-KVM platform, you can use the Virtual Machine Manager to configure the virtual appliance to use SR-IOV network interfaces.

Limitations

The following features are not supported on an SR-IOV interface with an Intel 82599 10G NIC on KVM VPX:
- L2 mode switching.
- Admin partitioning [shared VLAN mode].
- High availability [active - active mode].
- Jumbo Frames.
- IPv6: You can configure only up to 30 unique IPv6 addresses in a VPX instance if you have at least one SR-IOV interface.
- VLAN configuration on Hypervisor for SRIOV VF interface through the "ip link" command is not supported.
- Interface parameter configurations such as speed, duplex, and autonegotiation are not supported.

Prerequisites

Make sure that you:
- Add the Intel 82599 Network Interface Card (NIC) to the KVM Host.
- Download and install the latest IXGBE driver from Intel.
- Blacklist the IXGBEVF driver on the KVM Host. Add the following entry in the /etc/modprobe.d/blacklist.conf file:
  blacklist ixgbevf
  IXGBE driver version 4.3.15 is recommended.
- Enable SR-IOV Virtual Functions (VFs) on the KVM Host. Do any one of the following:

Important
While you are creating the SR-IOV VFs, make sure that you do not assign MAC addresses to the VFs.

- If you are using a kernel version earlier than 3.8, add the following entry to the /etc/modprobe.d/ixgbe file and restart the KVM host:

options ixgbe max_vfs=<number_of_VFs>

- If you are using kernel version 3.8 or later, create VFs using the following command:

echo <number_of_VFs> > /sys/class/net/<device_name>/device/sriov_numvfs

Where:
* number_of_VFs – The number of Virtual Functions that you want to create.
* device_name – The interface name.

To make the VFs persistent, add the commands that you used to create the VFs to the rc.local file.

To configure NetScaler Virtual Appliances to use SR-IOV network interface by using Virtual Machine Manager:
1. Power off the NetScaler virtual machine.
2. Select the NetScaler VPX instance and click Open.
3. In the window, click the i icon.
4. Click Add Hardware.
5. In the Add New Virtual Hardware dialog box, do the following:
   a. Select PCI Host Device.
   b. In the Host Device section, select the VF you have created and click Finish.
6. Repeat Step 4 and 5 to add the VFs that you have created.
7. Power on the NetScaler virtual appliance.
8. Once the NetScaler virtual appliance powers on, you can use the following command to verify the configuration:

> show interface summary

The output should show all the interfaces that you configured:


Configuring Static LA/LACP on the SR-IOV Interface

Important
While you are creating the SR-IOV VFs, make sure that you do not assign MAC addresses to the VFs.

To use the SR-IOV Virtual Functions in link aggregation mode, you need to disable spoof checking for Virtual Functions that you have created. On the KVM host, use the following command to disable spoof checking:

ip link set <interface_name> vf <VF_id> spoofchk off

Where:
Interface_name – is the interface name.
VF_id – is the Virtual Function id.

For example:

Once you have disabled spoof checking for all the Virtual Functions that you have created, restart the NetScaler virtual machine and configure link aggregation. For detailed instructions, see Configure Link Aggregation.

Configuring VLAN on the SR-IOV Interface

You can configure VLAN on the SR-IOV Virtual Functions. For detailed instructions, see Configuring a VLAN.

Important
Make sure that the KVM host does not contain VLAN settings for the VF interface.
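The host-side rules in this topic (no MAC address assigned to a VF, no VLAN set on the host for a VF, spoof checking off for VFs used in link aggregation) can be checked from the output of ip link show for the physical function. The script below is an added example, not part of the Citrix documentation; the sample output and VF numbers are constructed. Reporting a VF outside link aggregation that has spoof checking off is an assumption of this example, made because spoof checking is the NIC's check on the source address of frames a VF sends.

```shell
#!/bin/sh
# Added example: audit SR-IOV VF settings on the KVM host against the rules in
# this topic. Reads `ip link show <PF>` output on stdin and prints one line per
# finding; no output means every VF passes.

# Constructed sample of `ip link show eth6`; all values are made up.
SAMPLE_IP_LINK='6: eth6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT qlen 1000
    link/ether 78:2b:cb:51:54:a3 brd ff:ff:ff:ff:ff:ff
    vf 0 MAC 00:00:00:00:00:00, spoof checking on, link-state auto
    vf 1 MAC 00:00:00:00:00:00, spoof checking off, link-state auto
    vf 2 MAC 52:54:00:12:34:56, vlan 100, spoof checking on, link-state auto
    vf 3 MAC 00:00:00:00:00:00, spoof checking off, link-state auto'

# $1: space-separated ids of the VFs that are link-aggregation members
#     (may be empty). Handles both "MAC <addr>" and "link/ether <addr>" rows.
vf_audit() {
    awk -v la=" $1 " '
        $1 == "vf" {
            id = $2; mac = ""; vlan = ""; spoof = "unknown"
            for (i = 3; i <= NF; i++) {
                tok = $i
                sub(/,$/, "", tok)          # fields are comma separated
                if (mac == "" && ($(i-1) == "MAC" || $(i-1) == "link/ether")) mac = tok
                if ($(i-1) == "vlan") vlan = tok
                if ($(i-2) == "spoof" && $(i-1) == "checking") spoof = tok
            }
            member = (index(la, " " id " ") > 0)

            # Rule: do not assign MAC addresses to the VFs.
            if (mac != "" && mac != "00:00:00:00:00:00")
                printf "vf %s: MAC %s is assigned on the host\n", id, mac

            # Rule: the KVM host must not contain VLAN settings for the VF.
            if (vlan != "")
                printf "vf %s: VLAN %s is set on the host\n", id, vlan

            # Rule: link aggregation needs spoof checking disabled.
            if (member && spoof != "off")
                printf "vf %s: spoof checking is %s; link aggregation needs it off\n", id, spoof

            # Assumption of this example: off is unexpected anywhere else.
            if (!member && spoof == "off")
                printf "vf %s: spoof checking is off but the VF is not a link-aggregation member\n", id
        }
    '
}

# Live use on the KVM host (not run here), with VFs 0 and 1 in a channel:
#   ip link show eth6 | vf_audit "0 1"
```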


Provisioning the NetScaler Virtual Appliance by using the virsh Program
Jul 25, 2017

The virsh program is a command line tool for managing VM Guests. Its functionality is similar to that of Virtual Machine Manager. It enables you to change a VM Guest's status (start, stop, pause, and so on), to set up new Guests and devices, and to edit existing configurations. The virsh program is also useful for scripting VM Guest management operations.

To provision NetScaler VPX by using the virsh program:
1. Use the tar command to untar the NetScaler VPX package. The NSVPX-KVM-*_nc.tgz package contains the following components:
   - The Domain XML file specifying VPX attributes [NSVPX-KVM-*_nc.xml]
   - Check sum of NS-VM Disk Image [Checksum.txt]
   - NS-VM Disk Image [NSVPX-KVM-*_nc.raw]
   Example:
   tar -xvzf NSVPX-KVM-10.1-117_nc.tgz
   NSVPX-KVM-10.1-117_nc.xml
   NSVPX-KVM-10.1-117_nc.raw
   checksum.txt
2. Copy the NSVPX-KVM-*_nc.xml XML file to a file named <DomainName>-NSVPX-KVM-*_nc.xml. The <DomainName> is also the name of the virtual machine.
   Example:
   cp NSVPX-KVM-10.1-117_nc.xml NetScaler-VPX-NSVPX-KVM-10.1-117_nc.xml
3. Edit the <DomainName>-NSVPX-KVM-*_nc.xml file to specify the following parameters:
   - name: Specify the name.
   - mac: Specify the MAC address. Note: The domain name and the MAC address have to be unique.
   - sourcefile: Specify the absolute disk-image source path. The file path has to be absolute. You can specify the path of the RAW image file or a QCOW2 image file.
   If you want to specify a RAW image file, specify the disk image source path as shown in the following example:
   Example: NetScaler-VPX
   Specify the absolute QCOW2 disk-image source path and define the driver type as qcow2, as shown in the following example:
   Example: NetScaler-VPX
4. Edit the <DomainName>-NSVPX-KVM-*_nc.xml file to configure the networking details:
   - source dev: specify the interface.
   - mode: specify the mode. The default interface is Macvtap Bridge.
   Example: Mode: MacVTap Bridge. Set target interface as ethx and mode as bridge. Model type as virtio.
   Here, eth0 is the physical interface attached to the VM.
5. Define the VM attributes in the <DomainName>-NSVPX-KVM-*_nc.xml file by using the following command:
   virsh define <DomainName>-NSVPX-KVM-*_nc.xml
   Example:
   virsh define NS-VPX-NSVPX-KVM-10.1-117_nc.xml
6. Start the VM by entering the following command:
   virsh start [ | ]
   Example:
   virsh start NetScaler-VPX
7. Connect to the Guest VM through the console:
   virsh console [ | | ]
   Example:
   virsh console NetScaler-VPX

Adding Additional Interfaces to NetScaler VPX using virsh Program
Updated: 2015-03-09

After you have provisioned the NetScaler VPX on KVM, you can add additional interfaces.

To add additional interfaces:
1. Shut down the NetScaler VPX instance running on the KVM.
2. Edit the <DomainName>-NSVPX-KVM-*_nc.xml file using the command:
   virsh edit [ | ]
3. In the <DomainName>-NSVPX-KVM-*_nc.xml file, append the following parameters:
   1. For MacVTap
      - Interface type: Specify the interface type as 'direct'.
      - Mac address: Specify the MAC address and make sure the MAC address is unique across the interfaces.
      - source dev: Specify the interface name.
      - mode: Specify the mode; the modes supported are Bridge, VEPA, Private, and Pass-through.
      - model type: Specify the model type as virtio.
      Example: Mode: MacVTap Pass-through. Set target interface as ethx, Mode as bridge, and model type as virtio.
      Here eth1 is the physical interface attached to the VM.
   2. For Bridge Mode
      Note: Make sure that you have configured a Linux bridge in the KVM host, bound the physical interface to the bridge, and put the bridge in the UP state.
      - Interface type: Specify the interface type as 'bridge'.
      - Mac address: Specify the MAC address and make sure the MAC address is unique across the interfaces.
      - source bridge: Specify the bridge name.
      - model type: Specify the model type as virtio.
      Example: Bridge Mode
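The parameters listed above map onto an interface element in the domain XML. The script below is an added example, not the XML shipped in the NetScaler package: it builds that element for the MacVTap and Bridge cases and refuses a MAC address that the domain already uses. The element and attribute names follow libvirt's domain XML format; the function names, MAC addresses, device names and the sample domain excerpt are constructed.

```shell
#!/bin/sh
# Added example: build the <interface> element to append with `virsh edit`.
# Element and attribute names follow libvirt's domain XML format; the MAC
# addresses, device names and the sample domain XML are constructed.

# Constructed excerpt of an existing domain definition (as from `virsh dumpxml`).
SAMPLE_DOMAIN_XML="<domain type='kvm'>
  <name>NetScaler-VPX</name>
  <devices>
    <interface type='direct'>
      <mac address='52:54:00:29:74:b3'/>
      <source dev='eth0' mode='bridge'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>"

# Succeed if MAC address $1 already appears in the domain XML read from stdin.
# The comparison ignores case.
mac_in_use() {
    wanted=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    tr 'A-F' 'a-f' | grep -q "<mac address='$wanted'"
}

# Print an <interface> element on stdout.
#   $1 kind:   macvtap | bridge
#   $2 MAC address of the new interface
#   $3 source: physical interface (macvtap) or bridge name (bridge)
#   $4 MacVTap mode: vepa | bridge | private | passthrough (macvtap only)
# The current domain XML is read from stdin to enforce MAC uniqueness.
# Returns 2 for invalid arguments and 3 for a duplicate MAC address.
vpx_interface_xml() {
    kind=$1
    mac=$2
    src=$3
    mode=${4:-}

    printf '%s' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' ||
        { echo "invalid MAC address: $mac" >&2; return 2; }
    # Restrict the name so it cannot break out of the XML attribute.
    printf '%s' "$src" | grep -Eq '^[A-Za-z0-9_.-]+$' ||
        { echo "invalid source name: $src" >&2; return 2; }
    if mac_in_use "$mac"; then
        echo "MAC $mac is already used by another interface" >&2
        return 3
    fi

    case $kind in
        macvtap)
            case $mode in
                vepa|bridge|private|passthrough) ;;
                *) echo "unsupported MacVTap mode: $mode" >&2; return 2 ;;
            esac
            itype=direct
            source_attr="dev='$src' mode='$mode'"
            ;;
        bridge)
            itype=bridge
            source_attr="bridge='$src'"
            ;;
        *)
            echo "unknown interface kind: $kind" >&2
            return 2
            ;;
    esac

    printf "<interface type='%s'>\n  <mac address='%s'/>\n  <source %s/>\n  <model type='virtio'/>\n</interface>\n" \
        "$itype" "$mac" "$source_attr"
}

# Live use on the KVM host (not run here):
#   virsh dumpxml NetScaler-VPX | vpx_interface_xml macvtap 52:54:00:aa:bb:01 eth1 passthrough
```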


Jul 25, 2017

Before attempting to create a NetScaler instance in AWS, make sure you have the following:

- An AWS account: to launch a NetScaler VPX AMI in an Amazon Web Services (AWS) Virtual Private Cloud (VPC). You can create an AWS account for free at www.aws.amazon.com.
- An AWS Identity and Access Management (IAM) user account: to securely control access to AWS services and resources for your users. You can create a NetScaler VPX standalone instance without creating an IAM user account; however, it’s mandatory for a NetScaler VPX HA deployment. For more information about how to create an IAM user account, see the topic Creating IAM Users (Console).
- AWS CLI: to use all of the functionality provided by the AWS Management Console from your terminal program. For more information, see the AWS CLI user guide.


Jul 25, 2017

You can deploy a Citrix NetScaler VPX instance in AWS by using the following options:

1. AWS web console
2. AWS CLI
3. Citrix-authored CloudFormation template
4. 1-Click launch

Before you start your deployment, refer to Prerequisites.

You can deploy a NetScaler VPX instance on AWS through the AWS web console. The deployment process includes the following steps:

1. Create a Virtual Private Cloud (VPC)
2. Add additional subnets
3. Create security groups
4. Add security rules
5. Add route tables
6. Create an internet gateway
7. Create a NetScaler VPX instance
8. Create and attach additional network interfaces
9. Attach elastic IPs to the management NIC

Log on to the AWS web console by using your credentials to complete the above steps.

Step 1: Create a VPC

A NetScaler VPX instance is deployed inside an AWS VPC. A VPC allows you to define a virtual network dedicated to your AWS account. For more information about AWS VPC, see Getting Started With Amazon VPC.

While creating a VPC for your NetScaler VPX instance, keep the following points in mind.

- Use the VPC with a Single Public Subnet Only option to create a new AWS VPC in an AWS availability zone.
- Citrix recommends that you create at least three subnets, of the following types:
  - One subnet for NetScaler management traffic. You place the NetScaler management IP (NSIP) on this subnet.
  - One or more subnets for client-access (user-to-NetScaler) traffic, through which clients connect to one or more virtual IP (VIP) addresses assigned to NetScaler load balancing virtual servers.
  - One or more subnets for the server-access (NetScaler-to-server) traffic, through which your servers connect to NetScaler-owned subnet IP (SNIP) addresses.

For more information about NetScaler load balancing and virtual servers, virtual IP addresses (VIPs), and subnet IP addresses (SNIPs), see:

All subnets should be in the same availability zone.

You can launch a NetScaler AMI in an AWS VPC with a single subnet. In this configuration, the management traffic, client-side traffic, and server-side traffic all use the same subnet, and high availability (HA) cannot be configured.

You can launch the NetScaler AMI into an AWS VPC with two subnets. In this configuration, one subnet is used for management traffic, and the other subnet is used for both client-side and server-side traffic. This topology supports NetScaler HA.

Step 2: Add subnets

When you used the VPC wizard, only one subnet was created. Depending on your requirement, you might want to create additional subnets. For more information about how to create additional subnets, see Adding a Subnet to Your VPC.

Step 3: Create security groups and security rules

To control inbound and outbound traffic, create security groups and add rules to the groups. For more information about how to create groups and add rules, see Security Groups for Your VPC.

For NetScaler VPX instances, the EC2 wizard gives default security groups, which are generated by AWS Marketplace and are based on settings recommended by Citrix Systems. However, you can create additional security groups based on your requirements.

Step 4: Add route tables

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table. For more information about how to create a route table, see Route Tables.

Step 5: Create an Internet Gateway

An Internet gateway serves two purposes: to provide a target in your VPC route tables for Internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

Create an Internet gateway for Internet traffic. For more information about how to create an Internet Gateway, see the section Attaching an Internet Gateway.

Step 6: Create a NetScaler VPX instance by using the AWS EC2 service

To create a NetScaler VPX instance by using the AWS EC2 service, complete the following steps.

1. From the AWS dashboard, go to Compute > EC2 > Launch Instance > AWS Marketplace. Before you click Launch Instance, make sure your region is correct by checking the note that appears below Launch Instance.
2. In the Search AWS Marketplace bar, search with the keyword NetScaler VPX.
3. Select the version (relicensed or BYOL) you want to deploy and then click Select. The Launch Instance wizard starts. Follow the wizard to create an instance. The wizard prompts you to:
   - Choose Instance Type
   - Configure Instance
   - Add Storage
   - Add Tags
   - Configure Security Group
   - Review

Step 7: Create and attach additional network interfaces

Create two additional network interfaces (eth1 and eth2) for VIP and SNIP. For more information about how to create additional network interfaces, see the Creating a Network Interface section.

After you’ve created the network interfaces, you need to attach them to the VPX instance. For more information about how to attach network interfaces, see the Attaching a Network Interface When Launching an Instance section.

Step 8: Allocate and associate elastic IPs

If you assign a public IP address to an EC2 instance, it remains assigned only until the instance is stopped, and then the address is released back to the pool. When you restart the instance, a new public IP address is assigned. In contrast, an elastic IP (EIP) address remains assigned until the address is disassociated from an instance.

Allocate and associate an elastic IP for the management NIC. For more information about how to allocate and associate elastic IP addresses, see the Allocating an Elastic IP Address and Associating an Elastic IP Address with a Running Instance sections.

These steps complete the procedure to create a NetScaler VPX instance on AWS. It can take a few minutes for the instance to be ready. Check that your instance has passed its status checks. You can view this information in the Status Checks column on the Instances page.

Step 9: Connect to the NetScaler instance

After you’ve created the VPX instance, you can connect to the instance by using the following options:

NetScaler GUI

The following are the default administrator credentials to access a NetScaler VPX instance:

- Username: nsroot
- Password: The default password for the nsroot account is set to the AWS instance-ID of the NetScaler VPX instance.

SSH client

From the AWS management console, select the NetScaler VPX instance and click Connect. Follow the instructions given on the Connect to Your Instance page.

For more information about how to deploy a NetScaler VPX on AWS, see this video: http://www.youtube.com/watch?v=STspuSgB9H4.

Updated: 2015-01-29

1-Click helps you launch an instance of NetScaler VPX on AWS with the default options, more quickly than the other launch methods. After the instance is launched on AWS, you can modify these options by using either the AWS CLI or the AWS GUI.

The default options include the following elastic network interfaces (ENIs) for the NetScaler instance:

- Management Interface: Associates a subnet for management-related traffic. You add the NetScaler management IP (NSIP) address to this subnet.
- Public Interface: Associates a subnet for the client-access (user-to-NetScaler) traffic. You add one or more virtual IP (VIP) addresses on this subnet.
- Private Interface: Associates a subnet for server-access (NetScaler-to-server) traffic. You add subnet IP (SNIP) addresses on this subnet.

Before you begin launching an instance of NetScaler VPX on AWS, consider the following points:

- For security reasons, none of the elastic IP addresses are attached to the ENIs of the NetScaler VPX instance launched by using 1-Click. This means that the NetScaler VPX instance (including the management IP address) is not reachable from outside the AWS Virtual Private Cloud (VPC). If your VPC uses a Virtual Gateway or other method to provide VPN access to the VPC, you can administer the instance by using the IP address of the network interface in the management subnet. If you do not have VPN access to your VPC, Citrix recommends that you set up a jump box instance within the VPC, and then use this as the source for accessing or managing other instances within the VPC. For instructions to create an SSH jump box, see http://s3.amazonaws.com/awsmp-usageinstructions/Creating_and_using_VPC.txt.
- Three default security policies are created. One policy is attached to each of the management, public, and private interfaces. The security policy for the management interface allows traffic from a set of ports. The security policies for the public and private interfaces block all the traffic to or from these interfaces. You can later modify these security groups to filter the desired traffic.
- High Availability configuration is not supported for a NetScaler VPX instance launched by using AWS 1-Click.

Before you begin launching an instance of NetScaler VPX on AWS, make sure that you have the following:

- An AWS account
- An AWS Virtual Private Cloud (VPC)
- Three subnets within the AWS VPC (one each for the management interface, public interface, and private interface of the NetScaler instance)
- An IAM key pair

For information about creating an AWS account, a VPC, subnets in a VPC, and an IAM key pair, see Launching NetScaler VPX for AWS by Using the Amazon GUI and CLI toolkit.


To launch an instance of NetScaler VPX on AWS by using 1-Click

1. Log on to the AWS marketplace (http://aws.amazon.com/marketplace) by using your Amazon AWS credentials.
2. In the search field, type NetScaler VPX to search for the NetScaler AMI, and click Go.
3. On the search result page, click the desired Citrix NetScaler VPX offering.
4. On the Citrix NetScaler VPX page, click Continue.
5. Click the 1-Click Launch tab. On the 1-Click Launch tab, specify values for the following fields:
   - Version
   - Region
   - EC2 Instance type
   - Key Pair
6. On the VPC Settings pane, click Setup.
7. On the VPC Settings page, specify values for the following fields, and then click Done:
   - VPC
   - Network Interface (Management subnet)
   - Network Interface (Private subnet)
   - Network Interface (Public subnet)
   Note: Make sure that the subnets attached to these ENIs are different from each other. Attaching the same subnet to more than one ENI might cause routing issues.
8. Click Accept Terms & Launch with 1-Click.

After a few minutes, the NetScaler instance is launched with three ENIs. You can now connect to the NSIP address (the IP address on the management ENI) of the instance by using the NetScaler CLI or NetScaler GUI and start configuring the NetScaler features, for example, load balancing.

- An AWS account
- An AWS Virtual Private Cloud (VPC)
- The AWS API toolkit (if creating a VPX instance with three or more ENIs)
- An IAM account

Use the AWS CLI to launch the NetScaler AMI in an AWS VPC. Use the ec2-run-instances command. For information about the ec2-run-instances command, see http://docs.amazonwebservices.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-RunInstances.html.

Following are Windows and Linux examples of running the command to launch a single NetScaler instance. The EC2 instance type is m3.large. It is configured with the following entities:

- NetScaler AMI named ami-bd2986d4.
- Three ENIs (named NSIP, CLIENT-SIDE, and SERVER-SIDE) associated with the three subnets (15fa057e, 1547ba7e, and 1547ba7e) within the VPC.
- A single IP address for the NSIP ENI.
- Multiple private IP addresses (for multiple VIPs) on the CLIENT-SIDE ENI.
- Multiple private IPs (for multiple SNIPs) on the SERVER-SIDE ENI.

On a Windows platform:

    C:\aws-vpc-config>ec2-run-instances ami-bd2986d4 -n 1 -t m1.large -k keyPairName -f access-secret-key-file -a :0:subnet-15fa057e:"NSIP":10.20.15.21 -a :1:subnet-1547ba7e:"CLIENT-SIDE":10.20.10.21::::"10.20.10.22,10.20.10.23,10.20.10.24,10.20.10.25,10.20.10.26,10.20.10.27,10.20.10.28,10.20.10.29,10.20.10.30" -a :2:subnet-cc47baa7:"SERVER-SIDE":10.20.1.21::::"10.20.1.22,10.20.1.23,10.20.1.24,10.20.1.25,10.20.1.26,10.20.1.27,10.20.1.28,10.20.1.29,10.20.1.30"

Note: The access-secret-key-file file contains the access and secret keys.

On a Linux platform:

    AWS PROMPT > ec2-run-instances ami-bd2986d4 -n 1 -t m1.large -k keyPairName -f access-secret-key-file -a :0:subnet-15fa057e:"NSIP":10.20.15.21 -a :1:subnet-1547ba7e:"CLIENT-SIDE":10.20.10.21::::10.20.10.22,10.20.10.23,10.20.10.24,10.20.10.25,10.20.10.26,10.20.10.27,10.20.10.28,10.20.10.29,10.20.10.30 -a :2:subnet-cc47baa7:"SERVER-SIDE":10.20.1.21::::10.20.1.22,10.20.1.23,10.20.1.24,10.20.1.25,10.20.1.26,10.20.1.27,10.20.1.28,10.20.1.29,10.20.1.30

Note: The access-secret-key-file file contains the access and secret keys.

The command returns the instance ID and the associated information. You can see the instance running within your AWS GUI Console.

Note: Make sure that the environment variable EC2_URL points to the region where you want to launch the VPX instance.

To access the EC2 instance

1. In a web browser, open the website at www.aws.amazon.com and log on with AWS credentials.
2. Click My Account/Console, and then click AWS Management Console.
3. On the Amazon Web Services page, click EC2.
4. On the Amazon EC2 Console Dashboard page, in the Navigation pane, click Instances and verify that all of the NetScaler VPX instances are configured with the IP addresses that you specified when you used the ec2-run-instances command.
   Note: The VPX instance or instances can take from five to ten minutes to start running.


The ec2-run-instances command does not allow associating an AWS elastic IP with an ENI. To associate one or more EIPs with an ENI: in the Navigation pane, in the NETWORK & SECURITY area, click Elastic IPs and associate EIPs with private IP addresses for any of the VIPs that need to be externally routable.

You must also associate the instance ENIs with appropriate security groups. Go to the Network Interfaces section, right-click the individual ENI, and select the Change Security Groups option. You can then associate a proper VPC security group.

Citrix also provides a CloudFormation template that can be used to automate NetScaler instance launch. The tool requires an existing VPC environment. It launches a NetScaler instance with three ENIs. Therefore, to use the CloudFormation template, make sure that you have the following:

1. AWS account
2. AWS VPC
3. Three subnets within the VPC
4. A security group to use for the NetScaler instance's ENIs

Refer to Creating an AWS Virtual Private Cloud (VPC) for information about how to configure subnets and security groups within a VPC. After configuring the required subnets and security groups, you can launch the NetScaler VPX AMI in AWS VPC.

The CloudFormation tool provides functionality to launch a single NetScaler VPX instance or, to create a high availability environment, a pair of NetScaler VPX instances.

Launching a single NetScaler VPX instance in AWS

1. In a web browser, open the website at www.aws.amazon.com and log on with AWS credentials.
2. Click My Account/Console, and then click AWS Management Console.
3. On the Amazon Web Services page, click Cloud Formation in the Deployment & Management section.
4. On the CloudFormation Stacks page, select the Region in which you plan to deploy the NetScaler VPX instance, and then click Create New Stack.
5. In the Create Stack dialog box, specify a value for Stack Name, select the Upload a Template File option, and then click Browse. Select the template for a standalone NetScaler VPX from the local drive, and then click Continue.

Note:

6. In the next pane, specify values for:
   - VpcID: An identifier to assign to the Virtual Private Cloud (VPC).
   - NsipSubnet: Subnet in which the NSIP is configured in the VPC
   - ServerSubnet: Subnet in which the server farm is configured in the VPC
   - ClientSubnet: SubnetId in which the client side is configured in the VPC
   - SecurityGroup: VPC Security group ID
   - VPXPrimary: Name of the primary VPX instance type
   - AccessKey: Access Key for IAM user account
   - SecretKey: Secret Key for IAM user account
   - TenancyType: Instance tenancy type, can be default or dedicated
   - NsIP: Private IP assigned to the NSIP ENI. The last octet of NSIP should be between 5 and 254.
   - ServerIP: Private IP assigned to the Server ENI. The last octet should be between 5 and 254.
   - ClientIP: Private IP assigned to the Client ENI. The last octet should be between 5 and 254.
   - KeyName: Name of an existing EC2 KeyPair to enable SSH access to the instances.
   Note: Make sure that the VPC, subnets, security groups, routes and gateway associations are already configured.

7. Click Continue.
8. Review the values in the Create Stack dialog box.
9. Click Continue to create a Stack.
10. Click Close to close the Create Stack dialog box.
11. The new stack that you created appears on the CloudFormation Stacks page.

Note:

- Currently, the CloudFormation utility does not provide the functionality to add secondary IP addresses. Use the AWS console, after deploying a NetScaler VPX instance, to add the secondary IP addresses to the ENIs.
- The CloudFormation scripts for the standalone and HA pair VPX instances have the latest AMIs for the five supported regions. You have to update the scripts to synchronize with the latest AMIs.
- The script automatically selects the correct AMI for the region in which the VPX instance is being deployed.
- By default, all the ENIs are attached to one security group. Use the AWS console to attach an ENI to a different security group.
- EIPs are automatically allocated and assigned to an instance. If the EIP limit exceeds the threshold for the region, the CloudFormation script fails and displays an error message.
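The constraints stated for the template parameters in step 6 (a last octet between 5 and 254, a TenancyType of default or dedicated) can be checked before the stack is created. The following is an added example, not part of the Citrix template or documentation; it also checks that each private IP lies inside its subnet and, borrowing the note from the 1-Click VPC Settings step, that the three subnets differ. The subnet-to-CIDR map, the subnet IDs and all sample values are assumptions constructed for the example.

```python
"""Pre-flight check for the standalone VPX template parameters (added example)."""
import ipaddress

# Parameter names come from step 6 of the procedure. The subnet-ID -> CIDR map
# is an assumption: it stands in for the CIDR the VPC console shows per subnet.
ENI_PARAMS = (
    ("NsIP", "NsipSubnet"),
    ("ServerIP", "ServerSubnet"),
    ("ClientIP", "ClientSubnet"),
)


def check_parameters(params, subnet_cidrs):
    """Return (parameter, problem) pairs; an empty list means the values pass."""
    problems = []

    tenancy = params.get("TenancyType")
    if tenancy not in ("default", "dedicated"):
        problems.append(("TenancyType", f"{tenancy!r} is not 'default' or 'dedicated'"))

    subnet_owner = {}  # subnet ID -> first parameter that used it
    for ip_key, subnet_key in ENI_PARAMS:
        subnet_id = params.get(subnet_key)
        if not subnet_id:
            problems.append((subnet_key, "missing"))
        elif subnet_id in subnet_owner:
            problems.append(
                (subnet_key, f"{subnet_id} is already used by {subnet_owner[subnet_id]}")
            )
        else:
            subnet_owner[subnet_id] = subnet_key

        try:
            ip = ipaddress.IPv4Address(params.get(ip_key, ""))
        except ipaddress.AddressValueError as exc:
            problems.append((ip_key, f"not an IPv4 address: {exc}"))
            continue

        # The page requires the last octet to be between 5 and 254.
        last_octet = ip.packed[-1]
        if not 5 <= last_octet <= 254:
            problems.append((ip_key, f"last octet {last_octet} is outside 5-254"))

        # The private IP must belong to the subnet its ENI is created in.
        cidr = subnet_cidrs.get(subnet_id)
        if cidr is None:
            problems.append((ip_key, f"no CIDR known for {subnet_id}"))
        elif ip not in ipaddress.ip_network(cidr):
            problems.append((ip_key, f"{ip} is not inside {subnet_id} ({cidr})"))
    return problems


# Constructed sample values (hypothetical subnet IDs and addresses).
SAMPLE_CIDRS = {
    "subnet-aaaa0001": "10.20.15.0/24",
    "subnet-aaaa0002": "10.20.1.0/24",
    "subnet-aaaa0003": "10.20.10.0/24",
}
SAMPLE_OK = {
    "TenancyType": "default",
    "NsipSubnet": "subnet-aaaa0001",
    "ServerSubnet": "subnet-aaaa0002",
    "ClientSubnet": "subnet-aaaa0003",
    "NsIP": "10.20.15.21",
    "ServerIP": "10.20.1.21",
    "ClientIP": "10.20.10.21",
}
# Same values with three mistakes: bad tenancy, NSIP octet below 5, and the
# client ENI pointed at the server subnet (so its IP is also out of range).
SAMPLE_BAD = dict(
    SAMPLE_OK, TenancyType="host", NsIP="10.20.15.4", ClientSubnet="subnet-aaaa0002"
)

if __name__ == "__main__":
    for name, problem in check_parameters(SAMPLE_BAD, SAMPLE_CIDRS):
        print(f"{name}: {problem}")
```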


Jul 25, 2017

You can attach additional IP addresses to an instance as follows:

1. Add a secondary IP address to an ENI.
2. Associate an EIP with the secondary IP address that you created.

To add a secondary IP address to the ENI

1. In a web browser, open the website at www.aws.amazon.com and log on with AWS credentials.
2. Click My Account/Console, and then click AWS Management Console.
3. On the Amazon Web Services page, click EC2.
4. On the Amazon EC2 Console's Dashboard page, in the Navigation pane, in NETWORK & SECURITY, click Network Interfaces.
5. In the Network Interfaces pane, right-click the ENI attached to the subnet, and then select the Manage Private IP Addresses option from the pop-up menu.
6. In the Manage Private IP Addresses dialog box, click Assign a secondary private IP address and either let AWS automatically assign an IP address or type an IP address in the auto-assign text field. Click Yes, Update.


Associating an EIP with the secondary IP

Complete the following steps to associate an EIP with a secondary IP address:

1. On the Amazon EC2 Console Dashboard page, in the Navigation pane, in NETWORK & SECURITY, click Elastic IPs.
2. In the Addresses pane, click Allocate New Address.
3. In the Allocate New Address dialog box, select VPC from the EIP used in drop-down list and click Yes, Allocate.
4. Select the newly allocated EIP, and click Associate Address.
5. In the Associate Address dialog box, select, from the Instance and the Private IP address drop-down lists, the instance and private address that you want to associate with the EIP. Then, click Yes, Associate.


Jul 25, 2017

A NetScaler instance can be used to load balance servers running in the same availability zone, or in:

- A different availability zone (AZ) in the same AWS VPC
- A different AWS region
- AWS EC2 in a VPC

To enable NetScaler to load balance servers running outside the AWS VPC that the NetScaler instance is in, configure the NetScaler to use EIPs to route traffic through the Internet gateway, as follows:

1. Configure a SNIP on the NetScaler by using the NetScaler CLI or the NetScaler GUI.
2. Enable traffic to be routed out of the AZ, by creating a public-facing subnet for the server-side traffic.
3. Add an Internet gateway route to the routing table, using the AWS GUI console.
4. Associate the routing table you just updated with the server-side subnet.
5. Associate an EIP with the server-side private IP address that is mapped to a NetScaler SNIP address.


Jul 25, 2017

You can upgrade the EC2 instance type, throughput, software edition, and the system software of a NetScaler VPX running on AWS. For certain types of upgrades, Citrix recommends using the High Availability Configuration method to minimize downtime.

Note:

- NetScaler software release 10.1.e-124.1308.e or later for a NetScaler VPX AMI (including both utility license and customer license) does not support the M1 and M2 instance families.
- Because of changes in NetScaler instance support, downgrading from 10.1.e-124 or a later release to 10.1.123.x or an earlier release is not supported.
- Most of the upgrades do not require the launch of a new AMI, and the upgrade can be done on the current NetScaler AMI instance. If you do want to upgrade to a new NetScaler AMI instance, use the high availability configuration method.

Updated: 2014-04-22

If your NetScaler VPX instances are running release 10.1.e-124.1308.e or later, you can change the EC2 instance type from the AWS console as follows:

1. Stop the VPX instance.
2. Change the EC2 instance type from the AWS console.
3. Start the instance.

You can also use the above procedure to change the EC2 instance type for a release earlier than 10.1.e-124.1308.e, unless you want to change the instance type to M3. In that case, you must first follow the standard NetScaler upgrade procedure, at , to upgrade the NetScaler software to 10.1.e-124 or a later release, and then follow the above steps.

Updated: 2014-04-22

To upgrade the software edition (for example, to upgrade from standard to platinum edition) or throughput (for example, to upgrade from 200 mbps to 1000 mbps), the method depends on the instance’s license.

Using a customer license (Bring-Your-Own-License)

If you are using a customer license, you can purchase and download the new license from the Citrix Licensing portal (MyCitrix), and then install the license on the VPX instance. For more information about downloading and installing a license from the MyCitrix portal, see the VPX Licensing Guide.

Using a utility license (Utility license with hourly fee)

AWS does not support direct upgrades for fee-based instances. To upgrade the software edition or throughput of a fee-based NetScaler VPX instance, launch a new AMI with the desired license and capacity and migrate the older instance configuration to the new instance. This can be achieved by using a NetScaler high availability configuration as described in “Upgrading to a New NetScaler AMI Instance by Using a NetScaler High Availability Configuration.”


Updated: 2014-04-22

If you need to upgrade a NetScaler instance running 10.1.e-124.1308.e or a later release, follow the standard NetScaler upgrade procedure at .

If you need to upgrade a NetScaler instance running a release older than 10.1.e-124.1308.e to 10.1.e-124.1308.e or a later release, first upgrade the system software, and then change the instance type to M3 as follows:

1. Stop the VPX instance.
2. Change the EC2 instance type from the AWS console.
3. Start the instance.

Updated: 2014-04-22

To use the high availability method of upgrading to a new NetScaler AMI instance, perform the following tasks:

- Create a new instance with the desired EC2 instance type, software edition, throughput, or software release from the AWS marketplace.
- Configure high availability between the old instance (to be upgraded) and the new instance. After high availability is configured between the old and the new instance, configuration from the old instance is synchronized to the new instance.
- Force an HA failover from the old instance to the new instance. As a result, the new instance becomes primary and starts receiving traffic.
- Stop, and reconfigure or remove the old instance from AWS.

Prerequisites and Points to Consider

- Make sure you understand how high availability works between two NetScaler VPX instances on AWS. For more information about high availability configuration between two NetScaler VPX instances on AWS, see High Availability.
- You must create the new instance in the same availability zone as the old instance, having the exact same security group and subnet.
- High availability setup requires access and secret keys associated with the user's AWS Identity and Access Management (IAM) account for both instances. If the correct key information is not used when creating VPX instances, the HA setup fails. For more information about creating an IAM account for a VPX instance, see Creating an IAM Account.
- You must use the EC2 console to create the new instance. You cannot use the AWS 1-Click launch, because it does not accept the access and secret keys as the input.
- The new instance should have only one ENI interface.

To upgrade a NetScaler VPX Instance by using a high availability configuration

1. Configure high availability between the old and the new instance.

   To configure high availability between two NetScaler VPX instances, at the NetScaler command prompt of each instance, type:

       add ha node <id> <IPAddress>
       save config

   Example

   At the NetScaler command prompt of the old instance, type:

       > add ha node 30 192.0.2.30
       Done

   At the NetScaler command prompt of the new instance, type:

       > add ha node 10 192.0.2.10
       Done

   Note the following:

   - In the HA setup, the old instance is the primary node and the new instance is the secondary node.
   - The NSIP IP address is not copied from the old instance to the new instance. Therefore, after the upgrade, your new instance has a different management IP address from the previous one.
   - The nsroot account password of the new instance is set to that of the old instance after HA synchronization.

   For more information about high availability configuration between two NetScaler VPX instances on AWS, see High Availability.

2. Force an HA failover.

   To force a failover in a high availability configuration, at the NetScaler command prompt of either of the instances, type:

       force HA failover

   As the result of forcing a failover, the ENIs of the old instance are migrated to the new instance and traffic flows through the new instance (the new primary node). The old instance (the new secondary node) restarts.

   If the following warning message appears, type N to abort the operation:

       [WARNING]:Force Failover may cause configuration loss, peer health not optimum. Reason(s):
       HA version mismatch
       HA heartbeats not seen on some interfaces
       Please confirm whether you want force-failover (Y/N)?

   The warning message appears because the system software of the two VPX instances is not HA compatible. As a result, the configuration of the old instance cannot be automatically synced to the new instance during a forced failover.

   Following is the workaround for this issue:

   1. At the NetScaler shell prompt of the old instance, type the following command to create a backup of the configuration file (ns.conf):

          cp /nsconfig/ns.conf /nsconfig/ns.conf.bkp

   2. Remove the following line from the backup configuration file (ns.conf.bkp):

          set ns config -IPAddress <IPAddress> -netmask <netmask>

      For example:

          set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0

   3. Copy the old instance’s backup configuration file (ns.conf.bkp) to the /nsconfig directory of the new instance.
   4. At the NetScaler shell prompt of the new instance, type the following command to load the old instance’s configuration file (ns.conf.bkp) on the new instance:

          batch -f /nsconfig/ns.conf.bkp

   5. Save the configuration on the new instance:

          save config

   6. At the NetScaler command prompt of either of the nodes, type the following command to force a failover, and then type Y for the warning message to confirm the force failover operation:

          force ha failover

      Example

          > force ha failover
          [WARNING]:Force Failover may cause configuration loss, peer health not optimum.
          Reason(s):
          HA version mismatch
          HA heartbeats not seen on some interfaces
          Please confirm whether you want force-failover (Y/N)? Y

3. Remove the HA configuration, so that the two instances are no longer in an HA configuration. First remove the HA configuration from the secondary node and then remove the HA configuration from the primary node.

   To remove an HA configuration between two NetScaler VPX instances, at the command prompt of each instance, type:

       remove ha node <id>
       save config

   For more information about high availability configuration between two NetScaler instances on AWS, see High Availability.

   Example

   At the NetScaler command prompt of the old instance (new secondary node), type:

       > remove ha node 30
       Done
       > save config
       Done

   At the NetScaler command prompt of the new instance (new primary node), type:

       > remove ha node 10
       Done
       > save config
       Done


Jul 25, 2017

Microsoft Azure Resource Manager (ARM) is a management framework that allows administrators to deploy, manage, and monitor Azure resources. Azure Resource Manager can handle these tasks as a group, rather than individually, in a single operation. The NetScaler VPX virtual appliance is available as an image in the Microsoft Azure Marketplace. When you deploy NetScaler VPX on Microsoft Azure Resource Manager (ARM), you can leverage the Azure cloud computing capabilities and use NetScaler load balancing and traffic management features for your business needs. You can deploy NetScaler VPX instances on Azure Resource Manager either as standalone instances or as high availability pairs in active-active or active-standby modes.

This document describes how NetScaler VPX works when deployed with Azure Resource Manager (ARM). For information about NetScaler VPX deployment and architecture in Azure cloud services, see the details provided in Deploying NetScaler VPX on Azure 10.5 release.

This document assumes that you are familiar with Azure terminology and network details. For information about Microsoft Azure services, see Microsoft Azure Documentation Center.

This document also assumes that you have basic knowledge of a NetScaler appliance. For detailed information about NetScaler appliances, see:
- NetScaler
- NetScaler Gateway

This document provides information about:
- Network Architecture
- How NetScaler VPX Works on Azure
- Traffic Flow through Port Address Translation
- Traffic Flow through Network Address Translation
- Port Usage Guidelines
- NetScaler VPX Licensing
- Limitations

For information about NetScaler Gateway configuration for Citrix XenApp and XenDesktop in Azure cloud, see http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-vpx-deployment-withxendesktop-and-xenapp-on-microsoft-azure.pdf.

The Citrix XenApp and XenDesktop NetScaler Gateway configuration is based on the Azure Service Management mode and not on the Azure Resource Management mode.

In ARM, a NetScaler VPX virtual machine (VM) resides in a virtual network. A virtual Network Interface Card (NIC) is created on each NetScaler VM. The network security group (NSG) configured in the virtual network is bound to the NIC, and together they control the traffic flowing into the VM and out of the VM. The NSG forwards the requests to the NetScaler VPX instance, and the VPX instance sends them to the servers. The response from a server follows the same path in reverse. The NSG can be configured to control a single VPX VM, or, with subnets and virtual networks, can control traffic in a deployment of multiple VPX VMs. The NIC contains network configuration details such as the virtual network, subnets, internal IP address, and Public IP address.

When working in ARM, you should know the following IP addresses, which are used to access the VMs:
- Public IP (PIP) address is the Internet-facing IP address configured directly on the virtual NIC of the NetScaler VM. This allows you to directly access a VM from the external network without the need to configure inbound and outbound rules on the NSG.
- NetScaler IP (NSIP) address is the internal IP address configured on the VM. It is non-routable.
- Virtual IP address (VIP) is configured by using the NSIP and a port number. Clients access NetScaler services through the PIP address, and when the request reaches the NIC of the NetScaler VPX VM or the Azure load balancer, the VIP gets translated to the internal IP (NSIP) and internal port number.
- Internal IP address is the private internal IP address of the VM from the virtual network's address space pool. This IP address cannot be reached from the external network. This IP address is dynamic by default unless you set it to static. Traffic from the Internet is routed to this address according to the rules created on the NSG. The NSG works with the NIC to selectively send the right type of traffic to the right port on the NIC, which depends on the services configured on the VM.

The following figure shows how traffic flows from a client to a server through a NetScaler VPX instance provisioned in ARM.


In an on-premises deployment, a NetScaler VPX instance requires at least three IP addresses:
- Management IP address, called the NetScaler IP (NSIP) address
- Subnet IP (SNIP) address for communicating with the server farm
- Virtual server IP (VIP) address for accepting client requests

In an Azure deployment, you can provision a NetScaler VPX instance on Azure in two ways:
- With a multi-NIC, multi-IP architecture
- With a single-IP architecture

VPX virtual appliances can be deployed on any instance type that has two or more cores and more than 2GB memory.

The following image illustrates how multiple IP addresses are used to perform the functions of NSIP, SNIP, and VIP, with a single NIC in a standalone deployment. According to your requirement, you can configure multiple NICs with different IP addresses.

For more information about NetScaler multi-NIC, multi-IP deployment on Azure, see the following links:
- Configuring Multiple IPs for a NetScaler VPX Appliance in Azure Resource Manager
- Configuring Multiple IP Addresses for a NetScaler VPX Instance in Standalone Mode
- Configuring Multiple Azure NICs and IP Addresses for NetScaler VPX Instances in HA Mode


The single IP mode is available only in Azure deployments. This mode is not available for a NetScaler VPX instance on your premises, on AWS, or in any other type of deployment.

In an Azure deployment, when you provision the NetScaler VPX instance as a virtual machine (VM), Azure assigns a Public IP address and an internal IP address (non-routable) to the NetScaler virtual machine. Inbound and outbound rules are defined on the NSG for the NetScaler instance, along with a public port and a private port for each rule defined. The NetScaler instance listens on the internal IP address and private port.

Any external request is received on the NetScaler VPX VM's virtual NIC. The NIC is bound to the NSG, which specifies the private IP and private port combination into which to translate the request's destination address and port (the Public IP address and port). ARM performs port address translation (PAT) to map the Public IP address and port to the internal IP address and private port of the NetScaler virtual machine, and forwards the traffic to the virtual machine.

The following figure shows how Azure performs port address translation to direct traffic to the NetScaler internal IP address and private port.


In this example, the Public IP address assigned to the VM is 140.x.x.x, and the internal IP address is 10.x.x.x. When the inbound and outbound rules are defined, public HTTP port 80 is defined as the port on which the client requests are received, and a corresponding private port, 10080, is defined as the port on which the NetScaler virtual machine listens. The client request is received on the Public IP address 140.x.x.x at port 80. Azure performs port address translation to map this address and port to internal IP address 10.x.x.x on private port 10080 and forwards the client request.

For information about port usage guidelines, see Port Usage Guidelines. For information about NSG and access control lists, see What is a Network Security Group?

You can also request a Public IP (PIP) address for your NetScaler virtual machine (instance level). If you use this direct PIP at the VM level, you need not define inbound and outbound rules to intercept the network traffic. The incoming request from the Internet is received on the VM directly. Azure performs network address translation (NAT) and forwards the traffic to the internal IP address of the NetScaler instance.

The following figure shows how Azure performs network address translation to map the NetScaler internal IP address.


In this example, the Public IP assigned to the NSG is 140.x.x.x and the internal IP address is 10.x.x.x. When the inbound and outbound rules are defined, public HTTP port 80 is defined as the port on which the client requests are received, and a corresponding private port, 10080, is defined as the port on which the NetScaler virtual machine listens. The client request is received on the Public IP address (140.x.x.x). Azure performs network address translation to map the PIP to the internal IP address 10.x.x.x on port 10080, and forwards the client request.

NetScaler VPX VMs in high availability are controlled by external or internal load balancers that have inbound rules defined on them to control the load balancing traffic. The external traffic is first intercepted by these load balancers and is diverted according to the configured load balancing rules, which rely on the backend pools, NAT rules, and health probes defined on the load balancers.

You can configure additional inbound and outbound rules on the NSG while creating the NetScaler virtual machine or after the virtual machine is provisioned. Each inbound and outbound rule is associated with a public port and a private port.

Before configuring NSG rules, note the following guidelines regarding the port numbers you can use:

1. The following ports are reserved by the NetScaler virtual machine. You cannot define these as private ports when using the Public IP address for requests from the Internet.
   Ports 21, 22, 80, 443, 8080, 67, 161, 179, 500, 520, 3003, 3008, 3009, 3010, 3011, 4001, 5061, 9000, 7000.
   However, if you want Internet-facing services such as the VIP to use a standard port (for example, port 443), you have to create a port mapping by using the NSG. The standard port is then mapped to a different port that is configured on the NetScaler for this VIP service. For example, a VIP service might be running on port 8443 on the NetScaler instance but be mapped to public port 443. So, when the user accesses port 443 through the Public IP, the request is actually directed to private port 8443.

2. The Public IP address does not support protocols in which port mapping is opened dynamically, such as passive FTP or ALG.

3. High availability does not work for traffic that uses a public IP address (PIP) associated with a VPX instance, instead of a PIP configured on the Azure load balancer. For more information about configuring NetScaler VPX HA in ARM, see Configuring NetScaler VPX in High Availability Mode in Azure Resource Manager and Configuring Multiple Azure NICs and IP Addresses for NetScaler VPX Instances in HA Mode.

4. In a NetScaler Gateway deployment, you need not configure a SNIP address, because the NSIP can be used as a SNIP when no SNIP is configured. You must configure the VIP address by using the NSIP address and some nonstandard port number. For call-back configuration on the backend server, the VIP port number has to be specified along with the VIP URL (for example, url:port).

In Azure Resource Manager, a NetScaler VPX instance is associated with two IP addresses - a public IP address (PIP) and an internal IP address. While the external traffic connects to the PIP, the internal IP address or the NSIP is non-routable. To configure VIP in VPX, use the internal IP address (NSIP) and any of the free ports available. Do not use the PIP to configure VIP.


For example, if NSIP of a NetScaler VPX instance is 10.1.0.3 and an available free port is 10022, then you can configure VIP by providing the 10.1.0.3:10022 (NSIP address+port) combination.
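The port usage guidelines and the NSIP+port rule for VIPs can be checked before any NSG or NAT rule is created. The following is an added example, not Citrix or Azure code: the mapping schema, the function names, and the PIP 203.0.113.10 are constructed for illustration, and the check that a public port maps to only one private port is an assumption that goes beyond the guidelines above.

```python
import ipaddress
from collections import Counter

# Ports the page lists as reserved by the NetScaler virtual machine; they
# cannot be the private port of an Internet-facing service.
RESERVED_PORTS = frozenset({
    21, 22, 80, 443, 8080, 67, 161, 179, 500, 520,
    3003, 3008, 3009, 3010, 3011, 4001, 5061, 9000, 7000,
})


def check_mappings(nsip, pip, mappings):
    """Return a list of findings for a planned set of VIP port mappings.

    Each mapping is a dict with the keys name, service ("TCP" or "UDP"),
    public_port, vip_ip and private_port. The schema is constructed for
    this example; it is not an Azure or NetScaler format.
    """
    nsip_addr = ipaddress.ip_address(nsip)
    pip_addr = ipaddress.ip_address(pip)
    findings = []

    for m in mappings:
        name = m["name"]
        for key in ("public_port", "private_port"):
            if not 1 <= m[key] <= 65535:
                findings.append(f"{name}: {key} {m[key]} is not a valid port")
        # The VIP must be configured on the NSIP plus a free port, never the PIP.
        vip = ipaddress.ip_address(m["vip_ip"])
        if vip == pip_addr:
            findings.append(f"{name}: VIP uses the PIP {pip}; configure it on the NSIP {nsip}")
        elif vip != nsip_addr:
            findings.append(f"{name}: VIP {vip} is not the NSIP {nsip}")
        if m["private_port"] in RESERVED_PORTS:
            findings.append(
                f"{name}: private port {m['private_port']} is reserved by the NetScaler VM")

    # From the page: no two NAT rules may share the same service and target port.
    targets = Counter((m["service"], m["private_port"]) for m in mappings)
    for (service, port), count in sorted(targets.items()):
        if count > 1:
            findings.append(f"{service} target port {port} is used by {count} rules")

    # Assumption of this example: one public port maps to one private port.
    publics = Counter((m["service"], m["public_port"]) for m in mappings)
    for (service, port), count in sorted(publics.items()):
        if count > 1:
            findings.append(f"{service} public port {port} is used by {count} rules")
    return findings


def translate(nsip, pip, mappings, dst_ip, service, dst_port):
    """Model port address translation: (PIP, public port) -> (NSIP, private port).

    Returns None when no rule matches, that is, the request is not forwarded.
    """
    if ipaddress.ip_address(dst_ip) != ipaddress.ip_address(pip):
        return None
    for m in mappings:
        if (m["service"], m["public_port"]) == (service, dst_port):
            return (nsip, m["private_port"])
    return None


# Constructed sample data. The NSIP and the 443->8443 and 80->10080 mappings
# follow the page's examples; the PIP is a documentation address.
NSIP = "10.1.0.3"
PIP = "203.0.113.10"
GOOD_PLAN = [
    {"name": "https-vip", "service": "TCP", "public_port": 443,
     "vip_ip": NSIP, "private_port": 8443},
    {"name": "http-vip", "service": "TCP", "public_port": 80,
     "vip_ip": NSIP, "private_port": 10080},
]
BAD_PLAN = [
    {"name": "https-vip", "service": "TCP", "public_port": 443,
     "vip_ip": NSIP, "private_port": 443},        # reserved private port
    {"name": "web-on-pip", "service": "TCP", "public_port": 8000,
     "vip_ip": PIP, "private_port": 10022},       # VIP bound to the PIP
    {"name": "dup-a", "service": "TCP", "public_port": 8443,
     "vip_ip": NSIP, "private_port": 8443},
    {"name": "dup-b", "service": "TCP", "public_port": 9443,
     "vip_ip": NSIP, "private_port": 8443},       # same service and target port
]

if __name__ == "__main__":
    for finding in check_mappings(NSIP, PIP, BAD_PLAN):
        print(finding)
    print(translate(NSIP, PIP, GOOD_PLAN, PIP, "TCP", 443))
```
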

A NetScaler VPX instance on Azure requires a license. The following licensing options are available for NetScaler VPX instances running on Azure.

Subscription based licensing: NetScaler VPX appliances are available as paid instances on Azure Marketplace. Subscription based licensing is a pay-as-you-go option. Users are charged hourly. The following VPX models and license types are available on Azure Marketplace.

VPX Model    License Type
VPX10        Standard, Enterprise, Platinum
VPX200       Standard, Enterprise, Platinum
VPX1000      Standard, Enterprise, Platinum
VPX3000      Standard, Enterprise, Platinum

Bring your own license (BYOL): If you bring your own license (BYOL), see the VPX Licensing Guide at http://support.citrix.com/article/CTX122426. You have to:
- Use the licensing portal within MyCitrix to generate a valid license.
- Upload the license to the instance.

NetScaler VPX Check-In/Check-Out licensing: For more information about Check-In/Check-Out licensing, see: http://docs.citrix.com/en-us/netscaler-mas/12/NetScaler-CICO0.html

Running the NetScaler VPX load balancing solution on ARM imposes the following limitations:

1. The Azure architecture does not accommodate support for the following NetScaler features:
   - Clustering
   - IPv6
   - Gratuitous ARP (GARP)
   - L2 Mode
   - Tagged VLAN
   - Dynamic Routing
   - Virtual MAC (VMAC)
   - USIP
   - CloudBridge Connector


2. If you expect that you might have to shut down and temporarily deallocate the NetScaler VPX virtual machine at any time, assign a static internal IP address while creating the virtual machine. If you do not assign a static internal IP address, Azure might assign the virtual machine a different IP address each time it restarts, and the virtual machine might become inaccessible.

3. In an Azure deployment, only the following NetScaler VPX models are supported: VPX 10, VPX 25, VPX 200, VPX 1000, and VPX 3000. For more information, see the NetScaler VPX Data Sheet. If you use a NetScaler VPX instance with a model number higher than VPX 3000, the network throughput might not be the same as specified by the instance's license. However, other features, such as SSL throughput and SSL transactions per second, might improve.

4. The "deployment ID" that is generated by Azure during virtual machine provisioning is not visible to the user in ARM. You cannot use the deployment ID to deploy a NetScaler VPX appliance on ARM.

5. Active-passive or active-standby HA mode is not supported for VPX configured with multiple NICs and multiple IP addresses.

6. The NetScaler VPX appliance supports 5 Mb/s throughput and standard edition features when it's initialized.

7. For a XenApp and XenDesktop deployment, a VPN virtual server on a NetScaler appliance can be configured in the following modes:
   - Basic mode, where the ICAOnly VPN virtual server parameter is set to ON. The Basic mode works fully on an unlicensed NetScaler VPX instance.
   - Smart-Access mode, where the ICAOnly VPN virtual server parameter is set to OFF. The Smart-Access mode works for only 5 AAA session users on an unlicensed NetScaler VPX instance.

To configure the Smart Control feature, you must apply a platinum license to the NetScaler VPX instance.


Jul 25, 2017

In a Microsoft Azure deployment, a high availability configuration of two NetScaler virtual machines is achieved by using the Azure load balancer, which distributes the client traffic across the virtual servers configured on both the NetScaler instances. Two types of Azure load balancers are available for high availability:
- Azure external load balancer: If the client traffic originates from the Internet, you have to deploy the external load balancer between the Internet and the NetScaler VPX instances to distribute client traffic.
- Azure internal load balancer: If the client traffic originates from within the virtual network, or is forwarded by a gateway or firewall within the virtual network, you have to deploy the internal load balancer to distribute client traffic.

To achieve high availability on Azure, you must add the two NetScaler VMs as a load balanced set and configure the NSG.

When two NetScaler VPX instances are configured in active-active mode, both instances must have the same configuration. The client traffic is distributed across the virtual servers in both the instances by the Azure load balancer. The VIP addresses in both the instances are different and should match the NSIP of that VPX instance.

The active-passive mode provides failover capability. In this mode, the VPX instances synchronize their configuration states. When the primary instance fails, the secondary instance takes over.

For information about high availability in NetScaler appliance, see http://docs.citrix.com/en-us/netscaler/11/system/high-availabilityintroduction.html

Note the following before you begin configuring the NetScaler instances in high availability mode in the Azure virtual network.
- The two NetScaler virtual machines that you want to add to a load balanced set should be provisioned in the same virtual network.
- A load balanced set applies only to a VM's default NIC. Therefore the VIP has to be configured on the VPX's default NIC.
- In an active-passive deployment, the Azure load balancer monitors both the primary and the secondary NetScaler VM by sending them TCP probes. These TCP probes are sent on port 9000.

1. Configure a resource group
2. Configure a network security group
3. Configure virtual network and its subnets
4. Configure a storage account
5. Configure an availability set
6. Configure a NetScaler VPX instance
7. Configure internal and external load balancers
8. Configure health probes
9. Configure backend pools
10. Configure NAT rules
11. Configure load balancing rules

After configuring all the resources, you can configure the VMs in high availability mode with either an external load balancer or with an internal load balancer.


This article provides procedures to configure resources specific to high availability mode. For procedures to configure the other resources, see Configuring NetScaler VPX in a Standalone Mode in Azure Resource Manager. You need to set up two NetScaler VPX instances for high availability mode. To set up a NetScaler VPX instance, see Configuring a NetScaler VPX Instance.

Create a load balancer to distribute traffic between the virtual machines that are part of the same virtual network. The load balancing features can load balance level 4 traffic and support only TCP and UDP traffic.

1. Click +New > Networking > Load Balancer.
2. In the Create load balancer pane, enter the following details:
   - Name of the load balancer
   - Scheme - select Internal to configure an internal load balancer
   - Virtual network - select the newly created virtual network from the drop-down list
   - Subnet - select the associated subnet
   - IP address assignment - select Static
   - Private IP address - assign a private IP address for the internal load balancer
   - Resource group - select the newly created resource group from the drop-down list
3. Click Create.


1. To create an external load balancer, follow the same steps as for creating an internal load balancer, with the following differences:
   - Scheme - select Public
   - Public IP address - assign a public IP address to the external load balancer
2. Click Create.


Create custom TCP or HTTP probes to monitor the health of the various server instances. When the VM fails to respond to the probe for three consecutive times, the Azure load balancer will not send the traffic to the nonresponsive VM.

1. Click All resources and search for the load balancer that you created by typing the name in the search box.
2. In the Settings pane, click Probes.


3. Click +Add and in the Add probe pane, enter the following details:
   - Name of the health probe
   - Protocol - select TCP
   - Port - type 9000
   - Set the Interval and Unhealthy threshold limits
4. Click OK.
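Before relying on the probe configured above, it helps to confirm that each NetScaler VM actually answers a TCP connection on port 9000 and to see how the unhealthy threshold plays out. The following is an added example, not Citrix or Azure code: the class and function names are constructed, the demo uses local sockets in place of real VPX nodes, and returning a VM to rotation on its first successful probe is an assumption of the example.

```python
import socket


def tcp_probe(host, port=9000, timeout=2.0):
    """Return True if a TCP connection to host:port completes.

    This mirrors what a TCP health probe needs from the VM: a completed
    handshake on the probe port (9000 in the procedure above).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class ProbeState:
    """Track one VM against the unhealthy threshold.

    After `unhealthy_threshold` consecutive failed probes (three in the
    text above) the VM stops receiving traffic. Returning to rotation on
    the first successful probe is an assumption of this example.
    """

    def __init__(self, name, unhealthy_threshold=3):
        self.name = name
        self.unhealthy_threshold = unhealthy_threshold
        self.consecutive_failures = 0
        self.in_rotation = True

    def record(self, probe_ok):
        """Record one probe result and return whether the VM is in rotation."""
        if probe_ok:
            self.consecutive_failures = 0
            self.in_rotation = True
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.unhealthy_threshold:
                self.in_rotation = False
        return self.in_rotation


def eligible_nodes(states):
    """Names of the VMs that would still receive traffic."""
    return [s.name for s in states if s.in_rotation]


def demo(rounds=3):
    """Constructed offline run on the loopback interface.

    A local listener stands in for a VPX node that answers the probe; a
    port that was bound and then released stands in for one that does not.
    Returns the list of eligible nodes after each probe round.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    up_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    down_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more, so connects are refused

    node_a = ProbeState("vpx-a")
    node_b = ProbeState("vpx-b")
    history = []
    try:
        for _ in range(rounds):
            node_a.record(tcp_probe("127.0.0.1", up_port, timeout=0.5))
            node_b.record(tcp_probe("127.0.0.1", down_port, timeout=0.5))
            history.append(eligible_nodes([node_a, node_b]))
    finally:
        listener.close()
    return history


if __name__ == "__main__":
    for round_number, nodes in enumerate(demo(), start=1):
        print(f"round {round_number}: traffic goes to {nodes}")
```

Against real instances, call `tcp_probe` with each VM's address from a host inside the virtual network, because the probe port is only reachable where the NSG allows it.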


Create backend pools, that is, a pool of IP addresses associated with the virtual machine Network Interface Cards (NIC) to which the load is distributed.

1. Click All resources and search for the load balancer that you have created by typing the name in the search box.
2. In the Settings pane, select Backend pools.
3. Click +Add and in the Add backend pool pane, enter the following details:
   - Name of the backend pool
   - Availability set - select the availability set created earlier
   - Virtual machines - select the NetScaler VPX instances that are in high availability deployment. Press to select multiple instances.
4. Click OK.


Create custom NAT rules on the load balancer to define the inbound traffic flowing through the front end IP address and distributed to the back end IP address. Make sure that no two NAT rules have the same combination of service and target port.

A front end IP address is the external IP address on the load balancer that faces the incoming traffic and a back end IP address is the VM facing IP address that receives the traffic from the load balancer.

1. Click All resources and search for the load balancer that you have created by typing the name in the search box.
2. In the Settings pane, select Inbound NAT rules.
3. Click +Add and in the Add inbound NAT rule pane, add a NAT rule for each type of request. You can add multiple NAT rules.
4. Enter the following details, and then click OK.
   - Name of the rule
   - Service - select the required service from the drop-down list
   - Port - type the correct port number
   - Target - select the NetScaler VPX that will be the target of this rule
   - Target port - the target port is automatically populated depending on the service selected

Citrix recommends TCP services for the NetScaler VPX VM on port 9000.


By creating a load balancer rule, you can define a combination of a front end IP address and port, and back end IP address and port associated with VMs. For example, create a rule so that all HTTP requests coming on the public IP will be forwarded to the availability set on their port 80.

1. Click All resources and search for the load balancer that you have created by typing the name in the search box.
2. In the Settings pane, select Load balancing rules.
3. Click +Add and in the Add load balancing rules pane, create load balancing rules for each type of incoming network traffic.
4. Enter the following details:
   - Name of the rule
   - Protocol - select the protocol
   - Port - type the port number based on the port selected
   - Backend pool - select the backend pool from the drop-down list
   - Probe - select the health probe from the drop-down list
5. Click OK.


If your client traffic originates from the Internet, you have to deploy the external load balancer to create a high availability configuration of NetScaler virtual machines in a load-balanced set.

The following figure shows how high availability is achieved in active-active mode by using the external load balancer. The two NetScaler VMs are in a load-balanced set that accepts client traffic from the Internet over port 15000. The Azure external load balancer load balances these client requests between the two virtual machines.


Before you begin configuring the load-balanced set through the Azure portal, do one of the following:
- For an active-passive deployment, configure the NetScaler virtual machines as primary and secondary nodes by using the following command: add ha node <id> <IPAddress>
- For an active-active deployment, configure the required services on the two NetScaler virtual machines.

If your client traffic originates from within the virtual network with a regional scope, you have to deploy the internal load balancer to achieve high availability of NetScaler virtual machines added to a load-balanced set.

The following figure shows how high availability is achieved in an active-active mode by using the internal load balancer. The two NetScaler virtual machines are in a load-balanced set that accepts client traffic from the Internet at port 15001. The Azure internal load balancer load balances these client requests between the two virtual machines.


Before you begin configuring the load-balanced set by using Azure PowerShell, do one of the following:
- For an active-passive deployment, configure the NetScaler virtual machines as primary and secondary nodes by using the following command: add ha node <id> <IPAddress>
- For an active-active deployment, configure the required services on the two NetScaler virtual machines.

You can configure the load-balanced set only by using Azure PowerShell.

You can access the NetScaler instance either through its graphical user interface (GUI) or through the command line interface (CLI). You can use the PIP to access the NetScaler virtual machine instance. To log on to the virtual machine, use your username and password specified while creating the virtual machine. You can change the password after you log on to the instance.

In a browser’s address field, type the virtual network public IP address provided by Azure during virtual machine provisioning, or type the PIP address.


Make sure you have created NSG inbound or outbound rules to allow access to the private port 80 or 443 when accessing the GUI by using the virtual network IP.

Use any command line access tool (for example, Putty). Specify either the virtual network public IP address provided by Azure during NetScaler VPX provisioning, or specify the PIP address. Use SSH protocol with port 22.

Make sure that you have created NSG inbound or outbound rules to allow access to private port 22 when accessing the CLI by using the virtual network IP.

For information about getting started with a NetScaler appliance, see http://docs.citrix.com/en-us/netscaler/11.html.


Configuring GSLB on NetScaler VPX Appliances Running on Azure

Jul 25, 2017

NetScaler appliances configured for global server load balancing (GSLB) provide disaster recovery and continuous availability of applications by protecting against points of failure in a wide area network (WAN). GSLB can balance the load across data centers by directing client requests to the closest or best performing data center, or to surviving data centers in case of an outage.

This section describes how to enable GSLB on VPX instances on two sites in a Microsoft Azure environment, by using Windows PowerShell commands.

Note: For more information about GSLB, see Global Server Load Balancing.

You can configure GSLB on NetScaler VPX instances on Azure in two steps:

1. Create a VPX instance with multiple NICs and multiple IP addresses, on each site.
2. Enable GSLB on the VPX instances.

Note: For more information about configuring multiple NICs and IP addresses, see:
Configuring Multiple IPs for a NetScaler VPX Appliance in Standalone Mode
Configuring Multiple Azure NICs and IPs in NetScaler VPX in an HA Mode

Use Case

This use case includes two sites - Site 1 and Site 2. Each site has a VM (VM1 and VM2) configured with multiple NICs, multiple IP addresses, and GSLB.

Figure. GSLB setup implemented across two sites - Site 1 and Site 2.

In this use case, each VM has three NICs - NIC 0/1, 1/1, and 1/2. Each NIC can have multiple private and public IP addresses. The NICs are configured for the following purposes.

NIC 0/1: to serve management traffic
NIC 1/1: to serve client-side traffic
NIC 1/2: to communicate with back-end servers

For information about the IP addresses configured on each NIC in this use case, see the IP Configuration Details section.

Parameters

Following are sample parameter settings for this use case. You can use different settings if you wish.

$location="West Central US"
$vnetName="NSVPX-vnet"
$RGName="multiIP-RG"
$prmStorageAccountName="multiipstorageaccnt"
$avSetName="MultiIP-avset"
$vmSize="Standard_DS3_V2"

Note: The minimum requirement for a VPX instance is 2 vCPUs and 2GB RAM.

$publisher="citrix"
$offer="netscalervpx111"
$sku="netscalerbyol"
$version="latest"
$vmNamePrefix="MultiIPVPX"
$nicNamePrefix="MultiipVPX"
$osDiskSuffix="osdiskdb"
$numberOfVMs=1
$ipAddressPrefix="10.0.0."
$ipAddressPrefix1="10.0.1."
$ipAddressPrefix2="10.0.2."
$pubIPName1="MultiIP-pip1"
$pubIPName2="MultiIP-pip2"
$IpConfigName1="IPConfig1"
$IPConfigName2="IPConfig-2"
$IPConfigName3="IPConfig-3"
$IPConfigName4="IPConfig-4"
$frontendSubnetName="default"
$backendSubnetName1="subnet_1"
$backendSubnetName2="subnet_2"
$suffixNumber=10

1. Create a Multi-NIC, Multi-IP VM by Using PowerShell Commands

Follow steps 1-10 to create VM1 with multiple NICs and multiple IP addresses, by using PowerShell commands:

1. Create Resource Group
2. Create Storage Account
3. Create Availability Set
4. Create Virtual Network
5. Create Public IP Address
6. Create NIC 1, 2, and 3
7. Create VM Config Object
8. Get Credentials and Set OS Properties for the VM
9. Add NICs
10. Specify OS Disk and Create VM

After you complete all the steps and commands to create VM1, repeat these steps to create VM2 with parameters specific to it.

Create Resource Group

New-AzureRMResourceGroup -Name $RGName -Location $location

Create Storage Account

$prmStorageAccount=New-AzureRMStorageAccount -Name $prmStorageAccountName -ResourceGroupName $RGName -Type Stan

Create Availability Set

$avSet=New-AzureRMAvailabilitySet -Name $avSetName -ResourceGroupName $RGName -Location $location

Create Virtual Network

1. Add subnets.

$subnet1=New-AzureRmVirtualNetworkSubnetConfig -Name $frontendSubnetName -AddressPrefix "10.0.0.0/24"
$subnet2=New-AzureRmVirtualNetworkSubnetConfig -Name $backendSubnetName1 -AddressPrefix "10.0.1.0/24"
$subnet3=New-AzureRmVirtualNetworkSubnetConfig -Name $backendSubnetName2 -AddressPrefix "10.0.2.0/24"

2. Add virtual network object.

$vnet=New-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $RGName -Location $location -AddressPrefix 10.0.0.0

3. Retrieve subnets.

$frontendSubnet=$vnet.Subnets|?{$_.Name -eq $frontendSubnetName}
$backendSubnet1=$vnet.Subnets|?{$_.Name -eq $backendSubnetName1}
$backendSubnet2=$vnet.Subnets|?{$_.Name -eq $backendSubnetName2}

Create Public IP Address

$pip1=New-AzureRmPublicIpAddress -Name $pubIPName1 -ResourceGroupName $RGName -Location $location -AllocationMethod D
$pip2=New-AzureRmPublicIpAddress -Name $pubIPName2 -ResourceGroupName $RGName -Location $location -AllocationMethod Dy

Create NIC 0/1

$nic1Name=$nicNamePrefix + $suffixNumber + "-Mgmnt"
$ipAddress1=$ipAddressPrefix + $suffixNumber
$IPConfig1=New-AzureRmNetworkInterfaceIpConfig -Name $IPConfigName1 -SubnetId $frontendSubnet.Id -PublicIpAddress $pip1 -P
$nic1=New-AzureRMNetworkInterface -Name $nic1Name -ResourceGroupName $RGName -Location $location -IpConfiguration $IpCo

Create NIC 1/1

$nic2Name=$nicNamePrefix + $suffixNumber + "-frontend"
$ipAddress2=$ipAddressPrefix1 + ($suffixNumber)
$ipAddress3=$ipAddressPrefix1 + ($suffixNumber + 1)
$IPConfig2=New-AzureRmNetworkInterfaceIpConfig -Name $IPConfigName2 -PublicIpAddress $pip2 -SubnetId $backendSubnet1.Id
$IPConfig3=New-AzureRmNetworkInterfaceIpConfig -Name $IPConfigName3 -SubnetId $backendSubnet1.Id -PrivateIpAddress $ipAd
$nic2=New-AzureRMNetworkInterface -Name $nic2Name -ResourceGroupName $RGName -Location $location -IpConfiguration $IpCon

Create NIC 1/2

$nic3Name=$nicNamePrefix + $suffixNumber + "-backend"
$ipAddress4=$ipAddressPrefix2 + ($suffixNumber)
$IPConfig4=New-AzureRmNetworkInterfaceIpConfig -Name $IPConfigName4 -SubnetId $backendSubnet2.Id -PrivateIpAddress $ipAd
$nic3=New-AzureRMNetworkInterface -Name $nic3Name -ResourceGroupName $RGName -Location $location -IpConfiguration $IpCo

Create VM Config Object

$vmName=$vmNamePrefix
$vmConfig=New-AzureRMVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avSet.Id

Get Credentials and Set OS Properties for the VM

$cred=Get-Credential -Message "Type the name and password for VPX login."
$vmConfig=Set-AzureRMVMOperatingSystem -VM $vmConfig -Linux -ComputerName $vmName -Credential $cred
$vmConfig=Set-AzureRMVMSourceImage -VM $vmConfig -PublisherName $publisher -Offer $offer -Skus $sku -Version $version

Add NICs

$vmConfig=Add-AzureRMVMNetworkInterface -VM $vmConfig -Id $nic1.Id -Primary
$vmConfig=Add-AzureRMVMNetworkInterface -VM $vmConfig -Id $nic2.Id
$vmConfig=Add-AzureRMVMNetworkInterface -VM $vmConfig -Id $nic3.Id

Specify OS Disk and Create VM

$osDiskName=$vmName + "-" + $osDiskSuffix
$osVhdUri=$prmStorageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $osDiskName + ".vhd"
$vmConfig=Set-AzureRMVMOSDisk -VM $vmConfig -Name $osDiskName -VhdUri $osVhdUri -CreateOption fromImage
Set-AzureRmVMPlan -VM $vmConfig -Publisher $publisher -Product $offer -Name $sku
New-AzureRMVM -VM $vmConfig -ResourceGroupName $RGName -Location $location

Note: Repeat steps 1-10 listed in "Create Multi-NIC VMs by Using PowerShell Commands" to create VM2 with parameters specific to VM2.
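An added example, not part of the Citrix documentation: one network security group per NIC for the VM built above, opening only the ports this use case relies on (SSH 22 for the CLI, ADNS 53 and HTTP 80 on the client-side NIC). The admin range, peer-site address, NSG names and the helper function are assumptions; TCP 3011 is NetScaler's default port for GSLB metric exchange (MEP) between sites and is not stated on this page.

```powershell
# Added example: per-NIC NSGs for the three-NIC VPX created in steps 1-10.
# Reuses $RGName, $location, $nic1, $nic2 and $nic3 from the commands above.

# Assumptions: constructed placeholder values, replace with your own.
$adminCidr  = "203.0.113.0/24"    # range administrators connect from
$peerSiteIp = "198.51.100.20"     # public IP of the other GSLB site
$nsgPrefix  = "MultiIP"           # hypothetical name prefix for the NSGs

# Hypothetical helper: one inbound allow rule per call.
# NSG rules match the NIC's private address, so every rule names the
# private IP from Table 1 as its destination, not the public IP.
function New-InboundAllow {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Priority,
        [Parameter(Mandatory)][string]$Protocol,     # Tcp, Udp or *
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][string]$Port
    )
    New-AzureRmNetworkSecurityRuleConfig -Name $Name -Access Allow -Direction Inbound `
        -Priority $Priority -Protocol $Protocol `
        -SourceAddressPrefix $Source -SourcePortRange "*" `
        -DestinationAddressPrefix $Destination -DestinationPortRange $Port
}

# NIC 0/1 (NSIP 10.0.0.10): SSH to the CLI from the admin range only.
# The default AllowVnetInBound rule still permits SSH from inside the VNet.
$mgmtRules = @(
    New-InboundAllow -Name "ssh-from-admins" -Priority 100 -Protocol Tcp `
        -Source $adminCidr -Destination "10.0.0.10" -Port "22"
)

# NIC 1/1: ADNS on the GSLB site IP, HTTP on the LB virtual server,
# and MEP only from the peer GSLB site.
$clientRules = @(
    New-InboundAllow -Name "adns-from-internet" -Priority 100 -Protocol Udp `
        -Source "Internet" -Destination "10.0.1.10" -Port "53"
    New-InboundAllow -Name "http-to-lb-vserver" -Priority 110 -Protocol Tcp `
        -Source "Internet" -Destination "10.0.1.11" -Port "80"
    New-InboundAllow -Name "mep-from-peer-site" -Priority 120 -Protocol Tcp `
        -Source $peerSiteIp -Destination "10.0.1.10" -Port "3011"
)

$mgmtNsg = New-AzureRmNetworkSecurityGroup -Name "$nsgPrefix-mgmt-nsg" `
    -ResourceGroupName $RGName -Location $location -SecurityRules $mgmtRules
$clientNsg = New-AzureRmNetworkSecurityGroup -Name "$nsgPrefix-client-nsg" `
    -ResourceGroupName $RGName -Location $location -SecurityRules $clientRules

# NIC 1/2 (SNIP 10.0.2.10): no custom rules. The default rules then allow
# inbound traffic from the VNet and deny everything from the Internet.
$backendNsg = New-AzureRmNetworkSecurityGroup -Name "$nsgPrefix-backend-nsg" `
    -ResourceGroupName $RGName -Location $location

# Attach each NSG to its NIC.
$pairs = @(
    @{ Nic = $nic1; Nsg = $mgmtNsg },
    @{ Nic = $nic2; Nsg = $clientNsg },
    @{ Nic = $nic3; Nsg = $backendNsg }
)
foreach ($p in $pairs) {
    $p.Nic.NetworkSecurityGroup = $p.Nsg
    Set-AzureRmNetworkInterface -NetworkInterface $p.Nic | Out-Null
}

# Review what each NIC now accepts, custom rules first, then Azure defaults.
foreach ($nsg in $mgmtNsg, $clientNsg, $backendNsg) {
    Write-Host "== $($nsg.Name)"
    @($nsg.SecurityRules) + @($nsg.DefaultSecurityRules) |
        Where-Object { $_.Direction -eq "Inbound" } |
        Sort-Object Priority |
        Format-Table Name, Priority, Access, Protocol, SourceAddressPrefix,
                     DestinationAddressPrefix, DestinationPortRange -AutoSize
}
```

For VM2, run the same block with the 20.0.x.x addresses from Table 2 and with the peer address set to the first site's public IP.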

IP Configuration Details

In this use case, the following IP addresses are used.

Table 1. IP addresses used in VM1

NIC   Private IP   Public IP (PIP)   Description
0/1   10.0.0.10    PIP1              Configured as NSIP (management IP)
1/1   10.0.1.10    PIP2              Configured as SNIP/GSLB Site IP
      10.0.1.11                      Configured as LB server IP. Public IP is not mandatory
1/2   10.0.2.10                      Configured as SNIP for sending monitor probes to services. Public IP is not mandatory

Table 2. IP addresses used in VM2

NIC   Internal IP   Public IP (PIP)   Description
0/1   20.0.0.10     PIP4              Configured as NSIP (management IP)
1/1   20.0.1.10     PIP5              Configured as SNIP/GSLB Site IP
      20.0.1.11                       Configured as LB server IP. Public IP is not mandatory
1/2   20.0.2.10                       Configured as SNIP for sending monitor probes to services. Public IP is not mandatory

Here are sample configurations for this use case, showing the IP addresses and initial LB configurations as created through the NetScaler CLI for VM1 and VM2.

Example: Configuration on VM1

add ns ip 10.0.1.10 255.255.255.0 -mgmtAccess ENABLED
add ns ip 10.0.2.10 255.255.255.0
add service svc1 10.0.1.10 ADNS 53
add lb vserver v1 HTTP 10.0.1.11 80
add service s1 10.0.2.120 http 80
add service s2 10.0.2.121 http 80
bind lb vs v1 s[1-2]

Example: Configuration on VM2

add ns ip 20.0.1.10 255.255.255.0 -mgmtAccess ENABLED
add ns ip 20.0.2.10 255.255.255.0
add service svc1 20.0.1.10 ADNS 53
add lb vserver v1 HTTP 20.0.1.11 80
add service s1 20.0.2.90 http 80
add service s2 20.0.2.91 http 80
bind lb vs v1 s[1-2]

2. Configure GSLB Sites and Other Necessary GSLB Settings

Perform the tasks described in the following topic to configure the two GSLB sites and other necessary settings:

Configuring Global Server Load Balancing (GSLB)

For more information, see this support article: http://support.citrix.com/article/CTX110348

Here is a sample GSLB configuration for this use case.

Example: GSLB Configuration on VM1 and VM2

enable ns feature LB GSLB
add gslb site site1 10.0.1.10 -publicIP PIP2
add gslb site site2 20.0.1.10 -publicIP PIP5
add gslb service site1_gslb_http_svc1 10.0.1.11 HTTP 80 -publicIP PIP3 -publicPort 80 -siteName site1
add gslb service site2_gslb_http_svc1 20.0.1.11 HTTP 80 -publicIP PIP6 -publicPort 80 -siteName site2
add gslb vserver gslb_http_vip1 HTTP
bind gslb vserver gslb_http_vip1 -serviceName site2_gslb_http_svc1
bind gslb vserver gslb_http_vip1 -serviceName site1_gslb_http_svc1
bind gslb vserver gslb_http_vip1 -domainName www.gslbindia.com -TTL 5

You've configured GSLB on NetScaler VPX instances running on Azure. For additional information about how to configure GSLB on NetScaler VPX instances, see the Configuring Citrix NetScaler GSLB in Microsoft Azure video.


Scenario

Jul 25, 2017

Important: NetScaler VPX instance on Oracle is in Limited Availability. If you’d like to participate, contact your local sales team or request a call at http://www.citrix.com/products/netscaler-adc/form/inquiry/.

This scenario illustrates how to deploy a NetScaler VPX standalone instance in Oracle Public Cloud (OPC). The user creates a standalone VPX instance with multiple NICs. The instance, which is configured as a load balancing virtual server, communicates with back-end servers (the server farm). For this configuration, you have to set up the required communication routes between the instance and the back-end servers, and between the instance and the external hosts on the public Internet.

Figure: A NetScaler LB vServer communicates with two back-end servers

You create three NICs. Each NIC can be configured with a pair of IP addresses (public and private). The NICs serve the following purposes.

NIC       Purpose                                     Associated with
NIC 1/1   Serves management traffic (NSIP)            Public IP address, Private IP address
NIC 1/2   Serves client-side traffic (VIP)            Public IP address, Private IP address
NIC 1/3   Communicates with back-end servers (SNIP)   Private IP address (Public IP is not mandatory)

The following public IP addresses are used in this example.

Entity             Public IP address
NSIP               192.168.30.2
VIP                192.168.10.2
SNIP               192.168.20.2
Back-end server1   192.168.20.10
Back-end server2   192.168.20.11

Note: Oracle assigns a static public IP address and a dynamic private IP. For more information, see Network Settings.

To create the required instances and set up the required security rules for this scenario, complete the following tasks:

1. From the Oracle Web Console, click Create Instance and click Private Images.

2. Select the required image and click Review and Create. The Create Instance wizard starts, displaying the default settings.

Note: If you click Create without going through the pages in the wizard, an image with the default settings is created. No SSH keys are associated with it. So make sure you enter the necessary details on each page of the wizard. While deploying a NetScaler VPX instance on Oracle Public Cloud, an SSH key pair is mandatory. However, the user won’t be able to use the key pair to log on to the VPX instance. The user must use nsroot as the user name and as the password to log on.

3. On the Shape page, select the shape that you want to use. The shape specifies the OCPU and memory resources to be allocated to the instance. Click the arrow next to the Review and Create tab on the upper right corner to go to the Instance page. In this scenario, you create an instance with 1 OCPU.

4. On the Instance page, select or enter the following, and then go to the next page:
High Availability Policy: Active
Name:
Label: default value
Description: None
Tags: None
SSH Keys: Add the SSH key that you created in the Prerequisites section.
Custom Attributes: None

5. On the Network page, clear the Shared Network check box and click Configure Interface.

6. In the Configure IP Network Interface window, click Create IP Network to create an IP network for the management IP (NSIP). Add an IP Address Prefix (192.168.30.0/24), a name, and a description. Click Create.

7. In the Configure IP Network Interface window, select the IP Network that you’ve just created, add a static IP address, and select an auto-generated public IP address. Make sure the Default Gateway check box is selected.

8. Similarly create IP networks for NIC 1/2 and NIC 1/3 as follows:
NIC 1/2
Name: IPConfig1 (for NIC 1/2)
IP Address Prefix: 192.168.10.0/24
NIC 1/3
Name: IPConfig2 (for NIC 1/3)
IP Address Prefix: 192.168.20.0/24

9. Configure IP Network Interface as follows:
NIC 1/2
Interface: eth1
IP Network: IPConfig1
Static IP Addresses: 192.168.10.2
Public IP Address: Auto Generated
NIC 1/3
Interface: eth2
IP Network: IPConfig2
Static IP Addresses: 192.168.20.2
Next, click the arrow to go to the Storage page.

Note: For NIC 1/2 and 1/3, do not select the Default Gateway check box.

8. On the Storage page, you can attach existing storage volumes to your instance, if required, or create storage volumes and attach them to the instance. In this example, select the default storage.

9. On the Review page, verify the information that you’ve entered, and then click Create.

10. Monitor the status of the instance. When the status is shown as "Running," the instance is ready. Follow the same steps to create two back-end servers.

11. From the Oracle web console, click IP Network > IP Address Prefix Sets > Create IP Network. Specify the name and the IP Address Prefix Set.

12. Create a security protocol with which to create security rules. You’ll create a security protocol for HTTP.

13. Create a security rule to allow external traffic to access the NetScaler Instance. You’ll create a rule to allow HTTP requests from external traffic to the NetScaler instance.


Now you can log on to your instance by using either GUI or SSH and complete the initial configuration. To find the Oracle-assigned NetScaler management IP address, in the Oracle web console, click Instances. To find the NetScaler management IP address pair, click the instance details icon for the instance that you created.

You can use SSH to log on to your instance as an nsroot user, by using the following command:

ssh -i ./ [email protected]

When prompted, type the password nsroot.

Next, configure the NetScaler-owned IP addresses and the NetScaler instance as a load balancing virtual server:

Configure the NetScaler-owned IP addresses by using the NetScaler GUI or the command “add ns ip.” For more information, see http://docs.citrix.com/en-us/netscaler/11-1/networking/ip-addressing/configuring-netscaler-owned-ip-addresses.html

Configure the NetScaler instance as a load balancing virtual server. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/load-balancing/load-balancing-setup.html.

Example: Here’s a sample LB configuration done by using the NetScaler CLI.

Sample LB Configuration

add ns ip 192.168.20.2 255.255.255.0
add lb vs v1 http 192.168.10.2 80
add service s[1-2] 192.168.20.[10-11] http 80
bind lb vs v1 s[1-2]
add vlan 10
bind vlan 10 -ifnum 1/3 -IPAddress 192.168.20.2 255.255.255.0

The above configuration is based on the following assumptions:

Entity             Private IP address
VIP                192.168.10.2
SNIP               192.168.20.2
Back-end server1   192.168.20.10
Back-end server2   192.168.20.11


http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.495

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.496

 / AppDNA Citrix App Layering Citrix Cloud Citrix Receiver CloudBridge CloudPortal Services Manager NetScaler

Yikes! 404 ... We feel your pain.

NetScaler Gateway

NetScaler SD-WAN T he page you are trying to view is not here. T he link might be misspelled or outdated. NetScaler Secure Web Gateway ShareFile Unidesk Some things to try: VDI-in-a-Box Go to Docs.citrix.com and search or navigate for the content XenAppClear and XenDesktop your browser cache and retry the link XenMobile Report the problem and we'll investigate XenServer Copy the address & use the Feedback link at the bottom of Docs.citrix.com to tell us about it Advanced Concepts Developer Legacy Documentation

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.497

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.498

 / AppDNA Citrix App Layering Citrix Cloud Citrix Receiver CloudBridge CloudPortal Services Manager NetScaler

Yikes! 404 ... We feel your pain.

NetScaler Gateway

NetScaler SD-WAN T he page you are trying to view is not here. T he link might be misspelled or outdated. NetScaler Secure Web Gateway ShareFile Unidesk Some things to try: VDI-in-a-Box Go to Docs.citrix.com and search or navigate for the content XenAppClear and XenDesktop your browser cache and retry the link XenMobile Report the problem and we'll investigate XenServer Copy the address & use the Feedback link at the bottom of Docs.citrix.com to tell us about it Advanced Concepts Developer Legacy Documentation

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.499

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.500

 / AppDNA Citrix App Layering Citrix Cloud Citrix Receiver CloudBridge CloudPortal Services Manager NetScaler

Yikes! 404 ... We feel your pain.

NetScaler Gateway

NetScaler SD-WAN T he page you are trying to view is not here. T he link might be misspelled or outdated. NetScaler Secure Web Gateway ShareFile Unidesk Some things to try: VDI-in-a-Box Go to Docs.citrix.com and search or navigate for the content XenAppClear and XenDesktop your browser cache and retry the link XenMobile Report the problem and we'll investigate XenServer Copy the address & use the Feedback link at the bottom of Docs.citrix.com to tell us about it Advanced Concepts Developer Legacy Documentation

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.501

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.502

 / AppDNA Citrix App Layering Citrix Cloud Citrix Receiver CloudBridge CloudPortal Services Manager NetScaler

Yikes! 404 ... We feel your pain.

NetScaler Gateway

NetScaler SD-WAN T he page you are trying to view is not here. T he link might be misspelled or outdated. NetScaler Secure Web Gateway ShareFile Unidesk Some things to try: VDI-in-a-Box Go to Docs.citrix.com and search or navigate for the content XenAppClear and XenDesktop your browser cache and retry the link XenMobile Report the problem and we'll investigate XenServer Copy the address & use the F eedback link at the bottom of Docs.citrix.com to tell us about it Advanced Concepts Developer Legacy Documentation

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.503

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.504

Citrix NetScaler MPX 11500, MPX 13500, MPX 14500, MPX 16500, MPX 18500, and MPX 20500

Jul 25, 2017

The Citrix NetScaler models MPX 11500/13500/14500/16500/18500/20500 are 2U appliances. Each model has two 6-core processors for a total of 12 physical cores (24 cores with hyper-threading), and 48 gigabytes (GB) of memory.

The following figure shows the front panel of the MPX 11500/13500/14500/16500/18500/20500 appliance.

Figure 1. Citrix NetScaler MPX 11500/13500/14500/16500/18500/20500 appliance, front panel

The MPX 11500/13500/14500/16500/18500/20500 appliances have the following ports:
10/100Base-T copper Ethernet Port (RJ45), also called LOM port. You can use this port to remotely monitor and manage the appliance independently of the NetScaler software. Note: The LEDs on the LOM port are not operational by design.
RS232 serial console port.
Two 10/100/1000Base-T copper Ethernet management ports (RJ45), numbered 0/1 and 0/2 from left to right. These ports are used to connect directly to the appliance for system administration functions.
Eight 1G SFP ports numbered 1/1, 1/2, 1/3, 1/4 from top to bottom in the first column, and 1/5, 1/6, 1/7, and 1/8 from top to bottom in the second column.
Four 10G SFP+ ports numbered 10/1 and 10/2 from top to bottom in the first column, and 10/3 and 10/4 from top to bottom in the second column.

The following figure shows the back panel of the MPX 11500/13500/14500/16500/18500/20500 appliance.

Figure 2. Citrix NetScaler MPX 11500/13500/14500/16500/18500/20500 appliance, back panel


The following components are visible on the back panel of the MPX 11500/13500/14500/16500/18500/20500 appliance:
160 GB removable solid-state drive that is used to store the NetScaler software.
USB port (reserved for a future release).
Power switch, which turns off power to the appliance, just as if you were to unplug the power supply. Press the switch for five seconds to turn off the power.
Non-maskable interrupt (NMI) Button that is used at the request of Technical Support and produces a core dump on the NetScaler. You must use a pen, pencil, or other pointed object to press this red button, which is recessed to prevent unintentional activation.
Two removable hard-disk drives that are used to store user data.
Disable alarm button. This button is functional only when the appliance has two power supplies. Press this button to stop the power alarm from sounding when you have plugged the appliance into only one power outlet or when one power supply is malfunctioning and you want to continue operating the appliance until it is repaired.
Dual power supplies, each rated at 650 watts, 110-220 volts.

For information about installing the rails, rack mounting the hardware, and connecting the cables, see "Installing the Hardware."

For information about performing initial configuration of your appliance, see "Initial Configuration."


Citrix NetScaler MPX 22040, MPX 22060, MPX 22080, MPX 22100, and MPX 22120

Jul 25, 2017

The Citrix NetScaler MPX 22040/22060/22080/22100/22120 are 2U appliances. Each model has two 8-core processors and 256 gigabytes (GB) of memory.

The MPX 22040/22060/22080/22100/22120 appliances are available in two port configurations:
Twelve 1G SFP ports and twenty-four 10G SFP+ ports (12x1G SFP + 24x10G SFP+)
Twenty-four 10G SFP+ ports (24x10G SFP+)

The following figure shows the front panel of the MPX 22040/22060/22080/22100/22120 (12x1G SFP + 24x10G SFP+) appliance.

Figure 1. Citrix NetScaler MPX 22040/22060/22080/22100/22120 (12x1G SFP + 24x10G SFP+), front panel

The following figure shows the front panel of the MPX 22040/22060/22080/22100/22120 (24x10G SFP+) appliance.

Figure 2. Citrix NetScaler MPX 22040/22060/22080/22100/22120 (24x10G SFP+), front panel

Depending on the model, the appliance has the following ports:
RS232 serial Console Port.
10/100Base-T copper Ethernet Port (RJ45), also called the LOM port. You can use this port to remotely monitor and manage the appliance independently of the NetScaler software.
Two 10/100/1000Base-T copper Ethernet Management Ports (RJ45), numbered 0/1 and 0/2 from left to right. These ports are used to connect directly to the appliance for system administration functions.


Network Ports:
MPX 22040/22060/22080/22100/22120 (12x1G SFP + 24x10G SFP+). Twelve copper or fiber 1G SFP ports and twenty-four 10G SFP+ ports.
MPX 22040/22060/22080/22100/22120 (24x10G SFP+). Twenty-four 10G SFP+ ports.

The following figure shows the back panel of the MPX 22040/22060/22080/22100/22120 appliances.

Figure 3. Citrix NetScaler MPX 22040/22060/22080/22100/22120, back panel

The following components are visible on the back panel of the MPX 22040/22060/22080/22100/22120 appliance:
Non-maskable interrupt (NMI) Button, used at the request of Technical Support to initiate a core dump. To press this red button, which is recessed to prevent unintentional activation, use a pen, pencil, or other pointed object. The NMI Button is also available remotely over the network in the LOM GUI, in the Remote Control menu.
System status LED, which indicates the status of the appliance, as described in LCD Display and LED Status Indicators. Note: On an MPX 22040/22060/22080/22100/22120 appliance running LOM firmware version 3.22, the system status LED indicates an error (continuously glows RED) even though the appliance is functioning properly.
Four power supplies, each rated at 750 watts, 100-240 volts. A minimum of two power supplies are required for proper operation. The extra power supplies act as backup. Each power supply has an LED that indicates the status of the power supply, as described in LCD Display and LED Status Indicators.
Power switch, which turns off power to the appliance. Press the switch for less than two seconds to turn off the power.
Two 256 GB removable solid-state drives. The leftmost solid-state drive stores the NetScaler software. The other solid-state drive stores user data.
Two 1TB removable hard disk drives that are used to store user data.

For information about installing the rails, rack mounting the hardware, and connecting the cables, see "Installing the Hardware."

For information about performing initial configuration of your appliance, see "Initial Configuration."


Citrix NetScaler MPX 14040–40S, MPX 14060–40S, MPX 14080–40S, MPX 14100–40S

Jul 25, 2017

The Citrix NetScaler MPX 14040-40S, MPX 14060-40S, MPX 14080-40S, MPX 14100-40S are 2U appliances. Each model has two 6-core processors, 64 gigabytes (GB) of memory, four 40G QSFP+ ports, and eight 10G SFP+ ports.

The front panel of the MPX 14040-40S, MPX 14060-40S, MPX 14080-40S, MPX 14100-40S has the following port configuration (4x40G QSFP+, 8x10G SFP+).

The NetScaler MPX 14040-40S, MPX 14060-40S, MPX 14080-40S, MPX 14100-40S appliances have the following ports:
RS232 serial Console Port.
10/100Base-T copper Ethernet Port (RJ45), also called the LOM port. You can use this port to remotely monitor and manage the appliance independently of the NetScaler software.
Two 10/100/1000Base-T copper Ethernet Management Ports (RJ45), numbered 0/1 and 0/2 from left to right. These ports are used to connect directly to the appliance for system administration functions.
Network Ports, four 40G QSFP+ ports and sixteen 10G SFP+ ports (4x40G QSFP+, 8x10G SFP+).

Note the following points regarding the network ports on 14000-40S appliances:
10G ports do not support 1G copper or 1G fiber transceivers.
40G ports do not support 10G and 1G transceivers.

The following figure shows the back panel of the MPX 14040-40S, MPX 14060-40S, MPX 14080-40S, MPX 14100-40S appliance.

Figure 1. Citrix NetScaler MPX 14040-40S, MPX 14060-40S, MPX 14080-40S, MPX 14100-40S, back panel.


The following components are visible on the back panel of the MPX 14040-40S, MPX 14060-40S, MPX 14080-40S, MPX 14100-40S appliance:
Two 300 GB removable solid-state drives. These appliances are redundant array of independent disks (RAID) devices. In a RAID configuration, the same data is stored on multiple drives to improve performance, increase storage capacity, lower the risk of data loss, and provide fault tolerance.
Power switch. This switch turns the power to the appliance on or off. Press the switch for less than two seconds to turn off the power.
Two power supplies. Each power supply is rated at 1000 watts, 100-240 volts. Each power supply has an LED that indicates the status of the power supply, as described in http://docs.citrix.com/en-us/netscaler/11-1/netscaler-hardware-installation/commonhardware-components.html.
Disable alarm button. This button is functional only when the appliance has two power supplies. Press this button to stop the power alarm from sounding when you have plugged the appliance into only one power outlet, or when one power supply is malfunctioning and you want to continue operating the appliance until it is repaired.
Non-maskable interrupt (NMI) button. This button is used at the request of Technical Support to initiate a core dump. To press this red button, which is recessed to prevent unintentional activation, use a pen, pencil, or other pointed object. The NMI Button is also available remotely over the network in the LOM GUI, in the Remote Control menu. For more information about lights out management port of the appliance, see http://docs.citrix.com/en-us/netscaler/11-1/netscaler-hardware-installation/netscaler-mpx-lights-outmanagement-port-lom.html.


Citrix NetScaler MPX 25100 40G, MPX 25160 40G

Jul 25, 2017

The Citrix NetScaler MPX 25100 40G, MPX 25160 40G are 2U appliances. Each model has two 10-core processors, 256 gigabytes (GB) of memory, four 40G QSFP+ ports, and sixteen 10G SFP+ ports (4x40G QSFP+ 16x10G SFP+).

The following figure shows the front panel of the MPX 25100 40G, MPX 25160 40G (4x40G QSFP+ 16x10G SFP+) appliance.

Figure 1. Citrix NetScaler MPX 25100 40G, MPX 25160 40G (4x40G QSFP+ + 16x10G SFP+), front panel

RS232 serial Console Port.
10/100Base-T copper Ethernet Port (RJ45), also called the LOM port. You can use this port to remotely monitor and manage the appliance independently of the NetScaler software.
Network Ports, four 40G QSFP+ ports and sixteen 10G SFP+ ports (4x40G QSFP+, 4x10G SFP+, 4X10G Base-T).

Note the following points regarding the network ports on MPX 25100 40G and MPX 25160 40G appliances:
10G ports do not support 1G copper or 1G fiber transceivers.
40G ports do not support 10G and 1G transceivers.

The following components are visible on the back panel of the MPX 25100 40G, MPX 25160 40G appliance:


Two 300 GB removable solid-state drives. These appliances are redundant array of independent disks (RAID) devices. In a RAID configuration, the same data is stored on multiple drives to improve performance, increase storage capacity, lower the risk of data loss, and provide fault tolerance.
Power switch. This switch turns the power to the appliance on or off. Press the switch for less than two seconds to turn off the power.
Two power supplies. Each power supply is rated at 1000 watts, 100-240 volts. Each power supply has an LED that indicates the status of the power supply, as described in http://docs.citrix.com/en-us/netscaler/10-1/ns-gen-hardware-wrapper-10-con/nshardware-common-components-ref.html.
Disable alarm button. This button is functional only when the appliance has two power supplies. Press this button to stop the power alarm from sounding when you have plugged the appliance into only one power outlet, or when one power supply is malfunctioning and you want to continue operating the appliance until it is repaired.
Non-maskable interrupt (NMI) button. This button is used at the request of Technical Support to initiate a core dump. To press this red button, which is recessed to prevent unintentional activation, use a pen, pencil, or other pointed object. The NMI Button is also available remotely over the network in the LOM GUI, in the Remote Control menu. For more information about lights out management port of the appliance, see http://docs.citrix.com/en-us/netscaler/10-1/ns-gen-hardware-wrapper-10con/ns-hardware-lom-intro-wrapper-con.html


Jul 25, 2017

The Citrix NetScaler T1200 is a 2U appliance, with a dual-core processor and 256 GB memory. The following figure shows the front panel of the T1200 appliance.

Figure 1. Citrix NetScaler T1200 front panel

The T1200 appliance has the following ports:
- 24 10GBASE-X SFP+ data plane ports
- 12 1000BASE-X SFP data plane ports
- Two 10/100/1000BASE-T, RJ45 management ports
- One 10/100BASE-T, RJ-45 LOM port

The following figure shows the back panel of the T1200 appliance.

Figure 2. Citrix NetScaler T1200 back panel

The following components are visible on the back panel of the T1200 appliance:


- System status LED, which indicates the status of the appliance, as described in LCD Display and LED Status Indicators.
- Four power supplies, each rated at 750 watts, 100-240 volts. A minimum of two power supplies are required for proper operation. The extra power supplies act as backup. Each power supply has an LED that indicates the status of the power supply, as described in LCD Display and LED Status Indicators.
- Power switch, which turns off power to the appliance. Press the switch for less than two seconds to turn off the power.
- Two 256 GB removable solid-state drives. The leftmost solid-state drive stores the NetScaler software. The other solid-state drive stores user data.
- Two 1 TB removable hard disk drives that are used to store user data.

For information about installing the rails, rack mounting the hardware, and connecting the cables, see "Installing the Hardware."

For information about performing initial configuration of your appliance, see "Initial Configuration."


Jul 25, 2017

The Citrix NetScaler T1300 is a 2U appliance, with a dual-core processor and 128 GB memory. The following figure shows the front panels of the T1300-10GE and T1300-40GE appliances.

Figure 1. Citrix NetScaler T1300-10GE and T1300-40GE front panels

The T1300 appliance has the following ports:
- Two 10/100/1000BASE-T, RJ45 management plane ports
- One 10/100BASE-T, RJ-45 LOM port
- 32 10GBASE-X SFP+ data plane ports (T1300-10GE)
- Four 40G QSFP+ data plane ports (T1300-40GE)


- 16 10GBASE-X SFP+ data plane ports (T1300-40GE)

The following figure shows the back panel of the T1300 appliance.

Figure 2. Citrix NetScaler T1300 back panel

The following components are visible on the back panel of the T1300 appliance:
- One 300 GB removable solid-state drive.
- Power switch, which turns power to the appliance on or off. Press the switch for less than two seconds to turn off the power.
- Two power supplies, each rated at 1000 watts, 100-240 volts.
- Disable alarm button, which is functional only when the appliance has two power supplies. Press this button to stop the power alarm from sounding when you have plugged the appliance into only one power outlet, or when one power supply is malfunctioning, and you want to continue operating the appliance until it is repaired.

For information about installing the rails, rack mounting the hardware, and connecting the cables, see "Installing the Hardware."

For information about performing initial configuration of your appliance, see "Initial Configuration."


Jul 25, 2017

The Citrix NetScaler T1310 is a 2U appliance. It has two 10-core processors and 256 GB memory. The T1310 appliance is available in the eight 40G QSFP+ ports (8x40G QSFP+) configuration.

Note: The T1310 appliance is not a RAID device.

The following figure shows the front panel of the T1310 appliance.

Figure 1. Citrix NetScaler T1310 front panel

The T1310 appliance has the following ports:
- RS232 serial Console Port.
- 10/100Base-T copper Ethernet Port (RJ45), also called the LOM port. You can use this port to remotely monitor and manage the appliance independently of the NetScaler software.
- Two 10/100/1000Base-T copper Ethernet Management Ports (RJ45), numbered 0/1 and 0/2 from left to right. These ports are used to connect directly to the appliance for system administration functions.
- Network Ports: eight 40G QSFP+ ports (8x40G QSFP+).

Note: 40G QSFP+ transceivers are sold separately. 40G ports do not support 10G and 1G transceivers. Contact your Citrix sales representative to order transceivers for your appliance.

The following figure shows the back panel of the T1310 appliance.

Figure 2. Citrix NetScaler T1310 back panel


The following components are visible on the back panel of the T1310 appliance:
- One 300 GB removable solid-state drive.
- Power switch, which turns power to the appliance on or off. Press the switch for less than two seconds to turn off the power.
- Two power supplies, each rated at 1000 watts, 100-240 volts. Each power supply has an LED that indicates the status of the power supply, as described in LCD Display and LED Status Indicators.
- Disable alarm button, which is functional only when the appliance has two power supplies. Press this button to stop the power alarm from sounding when you have plugged the appliance into only one power outlet, or when one power supply is malfunctioning, and you want to continue operating the appliance until it is repaired.
- Non-maskable interrupt (NMI) Button, used at the request of Technical Support to initiate a core dump. To press this red button, which is recessed to prevent unintentional activation, use a pen, pencil, or other pointed object. The NMI Button is also available remotely over the network in the LOM GUI, in the Remote Control menu. For more information on the Lights Out Management Port of the appliance, see Lights Out Management Port of the NetScaler MPX Appliance.

For information about installing the rails, rack mounting the hardware, and connecting the cables, see "Installing the Hardware."

For information about performing initial configuration of your appliance, see "Initial Configuration."


Jul 25, 2017

You can restore the BMC to its factory-default settings, including deleting the SSL Certificate and SSL key.

1. Navigate to Maintenance > Factory Default.
2. Click Restore.

At the shell prompt, type:

ipmitool raw 0x30 0x41 0x1


login: nsroot
Password: nsroot
Last login: Mon Apr 24 02:06:52 2017 from 10.102.29.9
Done
> save config
> shell
root@NSnnn# cp ns.conf.NS10.5 ns.conf
root@NSnnn# cd /var/nsinstall
root@NSnnn# mkdir 10.5nsinstall
root@NSnnn# cd 10.5nsinstall
root@NSnnn# mkdir build_57
root@NSnnn# cd build_57
root@NSnnn# ftp 10.102.1.1
ftp> mget build-10.5-57_nc.tgz
ftp> bye
root@NSnnn# tar -xzvf build-10.5-57_nc.tgz
root@NSnnn# ./installns
installns version (10.5-57) kernel (ns-10.5-57.gz)
...
...
...
Copying ns-10.5-57.gz to /flash/ns-10.5-57_nc.gz ...
Changing /flash/boot/loader.conf for ns-10.5-57 ...

Installation has completed.


Reboot NOW? [Y/N] Y


Creating an Authentication Profile

Jul 25, 2017

When you want the same authentication settings to be used by multiple traffic management virtual servers, you can create an authentication profile which specifies the authentication virtual server, the authentication host, the authentication domain, and authentication level. This authentication profile can be associated with the relevant traffic management virtual servers.

To configure an authentication profile by using the NetScaler CLI

1. Create the authentication profile and set the required parameters. For example, to create a profile with an authentication virtual server named "authVS":

ns-cli-prompt> add authentication authnProfile authProfile1 -authnVsName authVS -authenticationHost authnVS.example.com -authenticationDomain example.com -authenticationLevel 1

2. Bind the authentication profile to the relevant traffic management virtual servers. For example, to bind authProfile1 to a load balancing virtual server named "vserver1":

ns-cli-prompt> set lb vserver vserver1 -authnProfile authProfile1

To configure an authentication profile by using the NetScaler GUI

In the Configuration tab, navigate to Security > AAA - Application Traffic > Authentication Profile, and configure the authentication profile as required.


Configuring AAA Policies

Jul 25, 2017

After you set up your users and groups, you next configure authentication policies, authorization policies, and audit policies to define which users are allowed to access your intranet, which resources each user or group is allowed to access, and what level of detail AAA will preserve in the audit logs.

An authentication policy defines the type of authentication to apply when a user attempts to log on. If external authentication is used, the policy also specifies the external authentication server. Authorization policies specify the network resources that users and groups can access after they log on. Auditing policies define the audit log type and location.

You must bind each policy to put it into effect. You bind authentication policies to authentication virtual servers, authorization policies to one or more user accounts or groups, and auditing policies both globally and to one or more user accounts or groups.

When you bind a policy, you assign a priority to it. The priority determines the order in which the policies you define are evaluated. You can set the priority to any positive integer. In the NetScaler operating system, policy priorities work in reverse order: the higher the number, the lower the priority. For example, if you have three policies with priorities of 10, 100, and 1000, the policy assigned a priority of 10 is performed first, then the policy assigned a priority of 100, and finally the policy assigned a priority of 1000. The AAA feature implements only the first of each type of policy that a request matches, not any additional policies of that type that a request might also match, so policy priority is important for getting the results you intend.

You can leave yourself plenty of room to add other policies in any order, and still set them to evaluate in the order you want, by setting priorities with intervals of 50 or 100 between each policy when you bind the policies. You can then add additional policies at any time without having to reassign the priority of an existing policy.

For additional information about binding policies on the NetScaler, see the Citrix NetScaler Traffic Management Guide at "Traffic Management."


LDAP Authentication Policies
Jul 25, 2017

As with other types of authentication policies, a Lightweight Directory Access Protocol (LDAP) authentication policy consists of an expression and an action. After creating an authentication policy, you bind it to an authentication virtual server and assign a priority to it. When binding it, you also designate it as either a primary or a secondary policy.

In addition to standard authentication functions, LDAP can search other Active Directory (AD) servers for user accounts for users that do not exist locally. This function is called referral support or referral chasing.

Normally you configure the NetScaler ADC to use the IP address of the authentication server during authentication. With LDAP authentication servers, you can also configure the ADC to use the FQDN of the LDAP server instead of its IP address to authenticate users. Using an FQDN can simplify an otherwise much more complex AAA configuration in environments where the authentication server might be at any of several IP addresses, but always uses a single FQDN. To configure authentication by using a server's FQDN instead of its IP address, you follow the normal configuration process except when creating the authentication action. When creating the action, you use the serverName parameter instead of the serverIP parameter, and substitute the server's FQDN for its IP address.

Before you decide whether to configure the ADC to use the IP or the FQDN of your LDAP server to authenticate users, consider that configuring AAA to authenticate to an FQDN instead of an IP address adds an extra step to the authentication process. Each time the ADC authenticates a user, it must resolve the FQDN. If a great many users attempt to authenticate simultaneously, the resulting DNS lookups might slow the authentication process.

LDAP referral support is disabled by default and cannot be enabled globally. It must be explicitly enabled for each LDAP action. You must also make sure that the AD server accepts the same binddn credentials that are used with the referring (GC) server. To enable referral support, you configure an LDAP action to follow referrals, and specify the maximum number of referrals to follow.

If referral support is enabled, and the NetScaler ADC receives an LDAP_REFERRAL response to a request, AAA follows the referral to the Active Directory (AD) server contained in the referral and performs the update on that server. First, AAA looks up the referral server in DNS, and connects to that server. If the referral policy requires SSL/TLS, it connects via SSL/TLS. It then binds to the new server with the binddn credentials that it used with the previous server, and performs the operation which generated the referral. This feature is transparent to the user.

Note: These instructions assume that you are already familiar with the LDAP protocol and have already configured your chosen LDAP authentication server.

For more information about setting up authentication policies in general, see "Authentication Policies". For more information about NetScaler expressions, which are used in the policy rule, see the Citrix NetScaler Policy Configuration and Reference Guide at "Policies and Expressions."

To enable LDAP referral support by using the command line interface

At the command prompt, type the following commands:
set authentication ldapAction -followReferrals ON
set authentication ldapAction -maxLDAPReferrals

Example
> set authentication ldapAction ldapAction-1 -followReferrals ON
> set authentication ldapAction ldapAction-1 -maxLDAPReferrals 2

To enable LDAP referral support by using the configuration utility

Note: In the configuration utility, the term server is used instead of action, but refers to the same task.

1. Navigate to Security > AAA - Application Traffic > Policies > LDAP.
2. In the details pane, on the Servers tab, select the LDAP server that you want to configure, and then click Edit.
3. In the Configure Authentication Server dialog, scroll down to the Referrals check box, and select it.
4. In the Maximum Referral Level text box, type the maximum number of referrals to allow.
5. Click OK, and then click Close.


SAML Authentication Policies
Jul 25, 2017

For information on NetScaler as a SAML SP and IdP, see SAML Authentication.


Authorizing User Access to Application Resources
Jul 25, 2017

You can control the resources that an authenticated user can access within an application. To do this, associate an authorization policy with each of the users, either individually or by associating the policy with a group of users. The authorization policy must specify the following:

Rule. The resource to which access must be authorized. This can be specified by using basic or advanced expressions.
Action. Whether access to the resource must be allowed or denied.

For examples, see Sample Authorization Configurations.

By default, access to all resources within an application is DENIED to all users. However, you can change this default authorization action to ALLOW access to all users (by setting the session parameters in a session profile or by setting the global session parameters).

Warning
For optimum security, Citrix recommends that you do not change the default authorization action from DENY to ALLOW. Instead, create specific authorization policies for users who need access to specific resources.

To configure authorization by using the NetScaler CLI

1. Configure the authorization policy.
ns-cli-prompt > add authorization policy
2. Associate the policy with the appropriate user or group.
Bind the policy to a specific user.
ns-cli-prompt > bind aaa user -policy
Bind the policy to a specific group.
ns-cli-prompt > bind aaa group -policy

To configure authorization by using the NetScaler GUI (Configuration tab)

1. Create the authorization policy.
Navigate to Security > AAA - Application Traffic > Policies > Authorization, click Add and then define the policy as required.
2. Associate the policy with the appropriate user or group.
Navigate to Security > AAA - Application Traffic > Users or Groups, and edit the relevant user or group to associate it with the authorization policy.

Sample Authorization Configurations

Here are some example configurations to authorize user access to some application resources. Note that these are CLI commands. You can do similar configurations using the GUI, although you must not enclose the expression within quotes (").

Example 1: Allow "user1" access to URLs that have the suffix "gif"

> add authorization policy authzpol1 "HTTP.REQ.URL.SUFFIX.EQ(\"gif\")" ALLOW
> bind aaa user user1 -policy authzpol1

Example 2: Deny users of "group1" access to URLs that have the suffix "png"

> add authorization policy authzpol2 "HTTP.REQ.URL.SUFFIX.EQ(\"png\")" DENY
> bind aaa group group1 -policy authzpol2
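The priority rule from Configuring AAA Policies (lowest number evaluated first, only the first match applied) and the default DENY described above can be checked against a set of bindings before they are deployed. The following is an added example, not Citrix code: a simplified model that understands only the SUFFIX.EQ rule form used in the samples. The policy authzpol3, the priority values and all function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Only the rule form used in the page's samples is modelled here.
_SUFFIX_EQ = re.compile(r'^HTTP\.REQ\.URL\.SUFFIX\.EQ\("([^"]+)"\)$')


def url_suffix(url):
    """Return the file-name suffix of the URL path ('/a/logo.gif?x=1' -> 'gif')."""
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return last_segment.rsplit(".", 1)[1] if "." in last_segment else ""


def rule_matches(rule, url):
    """Evaluate a SUFFIX.EQ rule against a request URL."""
    match = _SUFFIX_EQ.match(rule)
    if match is None:
        raise ValueError("rule form not modelled: " + rule)
    return url_suffix(url) == match.group(1)


def evaluation_order(bindings):
    """Lower priority number first, as the page describes."""
    return sorted(bindings, key=lambda b: b["priority"])


def authorize(url, bindings, default_action="DENY"):
    """Return (action, policy) of the first matching policy, else the default."""
    for binding in evaluation_order(bindings):
        if rule_matches(binding["rule"], url):
            return binding["action"], binding["policy"]
    return default_action, None


def shadowed(bindings):
    """List (hidden policy, policy that hides it) pairs for identical rules."""
    first_by_rule, hidden = {}, []
    for binding in evaluation_order(bindings):
        earlier = first_by_rule.setdefault(binding["rule"], binding["policy"])
        if earlier != binding["policy"]:
            hidden.append((binding["policy"], earlier))
    return hidden


# authzpol1 is Example 1 from the page; authzpol3 and both priorities are
# constructed for this illustration.
USER1_BINDINGS = [
    {"policy": "authzpol1", "rule": 'HTTP.REQ.URL.SUFFIX.EQ("gif")',
     "action": "ALLOW", "priority": 100},
    {"policy": "authzpol3", "rule": 'HTTP.REQ.URL.SUFFIX.EQ("gif")',
     "action": "DENY", "priority": 10},
]

if __name__ == "__main__":
    for url in ("/images/logo.gif", "/images/logo.png"):
        print(url, authorize(url, USER1_BINDINGS))
    print("shadowed:", shadowed(USER1_BINDINGS))
```

With these bindings the ALLOW in authzpol1 never takes effect, because authzpol3 matches the same requests at a lower priority number; a request that matches no policy falls through to the default action.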


Auditing Authenticated Sessions
Jul 25, 2017

You can configure the NetScaler appliance to keep a log of all the events that are triggered in an authenticated session. Using this information, you can audit state and status information, to see the history for users in chronological order. To do this, define an audit policy that specifies the following:

Log type. The logs can be stored remotely (syslog) or locally on the NetScaler appliance (nslog).
Rule. The conditions on which the logs are stored.
Action. Details of the log server and other details for creating the log entries.

This audit policy can be configured at different levels: user-level, group-level, AAA virtual server, and global system level. The policies configured at the user-level have the highest priority.

Note
This topic details steps for using syslog. Make necessary changes to use nslog.

To configure syslog auditing by using the NetScaler CLI

1. Configure the audit server with the relevant log settings.
ns-cli-prompt > add audit syslogAction ...
2. Configure the audit policy by associating the audit server.
ns-cli-prompt > add audit syslogPolicy
3. Associate the audit policy with one of the following entities:
Bind the policy to a specific user.
ns-cli-prompt > bind aaa user -policy ...
Bind the policy to a specific group.
ns-cli-prompt > bind aaa group -policy ...
Bind the policy to an AAA virtual server.
ns-cli-prompt > bind authentication vserver -policy ...
Bind the policy globally to the NetScaler.
ns-cli-prompt > bind tm global -policyName ...

To configure syslog auditing by using the NetScaler GUI (Configuration tab)

1. Configure the audit server and policy.
Navigate to Security > AAA - Application Traffic > Policies > Auditing > Syslog, and configure the server and the policy in the relevant tabs.
2. Associate the policy with one of the following:
Bind the policy to a specific user. Navigate to Security > AAA - Application Traffic > Users, and associate the authorization policy with the relevant user.
Bind the policy to a specific group. Navigate to Security > AAA - Application Traffic > Groups, and associate the authorization policy with the relevant group.
Bind the policy to an AAA virtual server. Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the authorization policy with the relevant virtual server.
Bind the policy globally to the NetScaler. Navigate to Security > AAA - Application Traffic > Policies > Auditing > Syslog or Nslog, select the authorization policy, and click Action > Global Bindings to bind the policy globally.


Session Profiles
Jul 25, 2017

To customize your user sessions, you first create a session profile. The session profile allows you to override global settings for any of the session parameters.

Note: The terms “session profile” and “session action” mean the same thing.

To create a session profile by using the command line interface

At the command prompt, type the following commands to create a session profile and verify the configuration:
add tm sessionAction [-sessTimeout ] [-defaultAuthorizationAction ( ALLOW | DENY )] [-SSO ( ON | OFF )] [-ssoCredential ( PRIMARY | SECONDARY )] [-ssoDomain ] [-httpOnlyCookie ( YES | NO )] [-persistentCookie ( ENABLED | DISABLED )] [-persistentCookieValidity ]
show tm sessionAction

Example
> add tm sessionAction session-profile -sessTimeout 30 -defaultAuthorization ALLOW
Done
> show tm sessionAction session-profile
1) Name: session-profile
Authorization action : ALLOW
Session timeout: 30 minutes
Done

To modify a session profile by using the command line interface

At the command prompt, type the following commands to modify a session profile and verify the configuration:
set tm sessionAction [-sessTimeout ] [-defaultAuthorizationAction ( ALLOW | DENY )] [-SSO ( ON | OFF )] [-ssoCredential ( PRIMARY | SECONDARY )] [-ssoDomain ] [-httpOnlyCookie ( YES | NO )] [-persistentCookie ( ENABLED | DISABLED )] [-persistentCookieValidity ]
show tm sessionAction

Example
> set tm sessionAction session-profile -sessTimeout 30 -defaultAuthorization ALLOW
Done
> show tm sessionAction session-profile
1) Name: session-profile
Authorization action : ALLOW
Session timeout: 30 minutes
Done

To remove a session profile by using the command line interface

At the command prompt, type the following command to remove a session profile:
rm tm sessionAction

To configure session profiles by using the configuration utility

1. Navigate to Security > AAA - Application Traffic > Session.
2. Navigate to Security > AAA - Application Traffic > Policies > Session.
3. In the details pane, click the Profiles tab.
4. On the Profiles tab, do one of the following:
To create a new session profile, click Add.
To modify an existing session profile, select the profile, and then click Edit.
5. In the Create TM Session Profile or Configure TM Session Profile dialog, type or select values for the parameters.
Name*: actionname (Cannot be changed for a previously configured session action.)
Session Time-out: sesstimeout
Default Authorization Action: defaultAuthorizationAction
Single Signon to Web Applications: sso
Credential Index: ssocredential
Single Sign-on Domain: ssoDomain
HTTPOnly Cookie: httpOnlyCookie
Enable Persistent Cookie: persistentCookie
Persistent Cookie Validity: persistentCookieValidity
6. Click Create or OK. The session profile that you created appears in the Session Policies and Profiles pane.
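A configuration review for two settings this document singles out: a default authorization action of ALLOW (set in a session profile or in the global session parameters) and LDAP actions that follow referrals, where the bind DN credentials are reused against the referred server. This is an added example, not Citrix code; the sample lines, object names and finding codes are constructed, and -secType and set tm sessionParameter are NetScaler CLI items that do not appear on this page.

```python
import shlex
from collections import defaultdict

# Constructed sample in the form of saved CLI commands. Object names, the host
# name and the address are invented for this example.
SAMPLE_CONFIG = """\
add authentication ldapAction ldapAction-1 -serverName ldap.example.test -secType PLAINTEXT
set authentication ldapAction ldapAction-1 -followReferrals ON
set authentication ldapAction ldapAction-1 -maxLDAPReferrals 2
add authentication ldapAction ldapAction-2 -serverIP 192.0.2.10 -secType SSL -followReferrals ON
add tm sessionAction session-profile -sessTimeout 30 -defaultAuthorization ALLOW
add tm sessionAction strict-profile -sessTimeout 30 -defaultAuthorizationAction DENY
add tm sessionAction drifted-profile -defaultAuthorizationAction DENY
set tm sessionAction drifted-profile -defaultAuthorizationAction ALLOW
set tm sessionParameter -defaultAuthorizationAction DENY
"""

NAMED_KINDS = {("authentication", "ldapaction"), ("tm", "sessionaction")}
# Parameters the checks read. The page's own example abbreviates
# -defaultAuthorizationAction to -defaultAuthorization, so prefixes are accepted.
CHECKED_PARAMS = ("defaultauthorizationaction", "followreferrals", "sectype")


def canonical(param):
    """Map a (possibly abbreviated) parameter name to its full lower-case form."""
    key = param.lower()
    for full in CHECKED_PARAMS:
        if len(key) >= 4 and full.startswith(key):
            return full
    return key


def parse_objects(config_text):
    """Merge add/set commands into {(kind, name): {param: value}}; later lines win."""
    objects = defaultdict(dict)
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw.strip().lstrip("> "))
        except ValueError:  # unbalanced quotes: not a line this audit reads
            continue
        if len(tokens) < 3 or tokens[0].lower() not in ("add", "set"):
            continue
        group, kind = tokens[1].lower(), tokens[2].lower()
        if (group, kind) == ("tm", "sessionparameter"):
            name, rest = "(global)", tokens[3:]  # global settings carry no name
        elif (group, kind) in NAMED_KINDS and len(tokens) > 3:
            name, rest = tokens[3], tokens[4:]
        else:
            continue
        params = objects[(kind, name)]
        for flag, value in zip(rest, rest[1:]):
            if flag.startswith("-") and not value.startswith("-"):
                params[canonical(flag[1:])] = value
    return dict(objects)


def audit(config_text):
    """Return sorted (object name, finding code) pairs."""
    findings = []
    for (kind, name), params in parse_objects(config_text).items():
        if kind in ("sessionaction", "sessionparameter"):
            if params.get("defaultauthorizationaction", "").upper() == "ALLOW":
                findings.append((name, "DEFAULT_AUTHZ_ALLOW"))
        elif kind == "ldapaction":
            follows = params.get("followreferrals", "").upper() == "ON"
            # Flagged unless the audited lines explicitly select SSL or TLS.
            encrypted = params.get("sectype", "").upper() in ("SSL", "TLS")
            if follows and not encrypted:
                findings.append((name, "REFERRALS_WITHOUT_TLS"))
    return sorted(findings)


if __name__ == "__main__":
    for name, code in audit(SAMPLE_CONFIG):
        print(f"{code:24} {name}")
```

Merging add and set lines matters here: drifted-profile is created with DENY and only a later set command switches it to ALLOW, and ldapAction-1 has referrals enabled by a separate set command.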


Session Policies
Jul 25, 2017

After you create one or more session profiles, you create session policies and then bind the policies globally or to an authentication virtual server to put them into effect.

To create a session policy by using the command line interface

At the command prompt, type the following commands to create a session policy and verify the configuration:
add tm sessionPolicy
show tm sessionPolicy

Example
> add tm sessionPolicy session-pol "URL == /*.gif" session-profile
Done
> show tm sessionPolicy session-pol
1) Name: session-pol
Rule: URL == '/*.gif'
Action: session-profile
Done

To modify a session policy by using the command line interface

At the command prompt, type the following commands to modify a session policy and verify the configuration:
set tm sessionPolicy [-rule ] [-action ]
show tm sessionPolicy

Example
> set tm sessionPolicy session-pol -rule "URL == /*.gif" -action session-profile
Done
> show tm sessionPolicy session-pol
1) Name: session-pol
Rule: URL == '/*.gif'
Action: session-profile
Done

To globally bind a session policy by using the command line interface

At the command prompt, type the following commands to globally bind a session policy and verify the configuration:
bind tm global -policyName [-priority ]

Example
> bind tm global -policyName session-pol
Done
> show tm sessionPolicy session-pol
1) Name: session-pol
Rule: URL == '/*.gif'
Action: session-profile
Policy is bound to following entities
1) TM GLOBAL PRIORITY : 0
Done


To bind a session policy to an authentication virtual server by using the command line interface

At the command prompt, type the following command to bind a session policy to an authentication virtual server and verify the configuration:
bind authentication vserver -policy [-priority ]

Example
> bind authentication vserver auth-vserver-1 -policy Session-Pol-1 -priority 1000
Done

To unbind a session policy from an authentication virtual server by using the command line interface

At the command prompt, type the following commands to unbind a session policy from an authentication virtual server and verify the configuration:
unbind authentication vserver -policy

Example
> unbind authentication vserver auth-vserver-1 -policy Session-Pol-1
Done

To unbind a globally bound session policy by using the command line interface

At the command prompt, type the following commands to unbind a globally bound session policy:
unbind tm global -policyName

Example
> unbind tm global -policyName Session-Pol-1
Done

To remove a session policy by using the command line interface

First unbind the session policy from global, and then, at the command prompt, type the following commands to remove a session policy and verify the configuration:
rm tm sessionPolicy

Example
> rm tm sessionPolicy Session-Pol-1
Done

To configure and bind session policies by using the configuration utility

1. Navigate to Security > AAA - Application Traffic > Session.
2. Navigate to Security > AAA - Application Traffic > Policies > Session.
3. In the details pane, on the Policies tab, do one of the following:
To create a new session policy, click Add.
To modify an existing session policy, select the policy, and then click Edit.
4. In the Create Session Policy or Configure Session Policy dialog, type or select values for the parameters.
Name*: policyname (Cannot be changed for a previously configured session policy.)
Request Profile*: actionname
Expression*: rule (You enter expressions by first choosing the type of expression in the leftmost drop-down list beneath the Expression text area and then typing your expression directly into the expression text area, or by clicking Add to open the Add Expression dialog box and using the drop-down lists in it to construct your expression.)
5. Click Create or OK. The policy that you created appears in the details pane of the Session Policies and Profiles page.
6. To globally bind a session policy, in the details pane, select Global Bindings from the Action drop-down list, and fill in the dialog.
   1. Select the name of the session policy you want to globally bind.
   2. Click OK.
7. To bind a session policy to an authentication virtual server, in the navigation pane, click Virtual Servers, and add that policy to the policies list.
   1. In the details pane, select the virtual server, and then click Edit.
   2. In the Advanced selections to the right of the detail area, click Policies.
   3. Select a policy, or click the plus icon to add a policy.
   4. In the Priority column to the left, modify the default priority as needed to ensure that the policy is evaluated in the proper order.
   5. Click OK.
A message appears in the status bar, stating that the policy has been configured successfully.


Jul 25, 2017

After you create one or more form SSO and traffic profiles, you create traffic policies and then bind the policies, either globally or to a traffic management virtual server, to put them into effect.

At the command prompt, type:
add tm trafficPolicy

add tm trafficPolicy Traffic-Pol-1 "HTTP.REQ.HEADER(\"Cookie\").CONTAINS(\"login=true\")" Traffic-Prof-1

At the command prompt, type:
set tm trafficPolicy

set tm trafficPolicy Traffic-Pol-1 "HTTP.REQ.HEADER(\"Cookie\").CONTAINS(\"login=true\")" Traffic-Prof-1

At the command prompt, type:
bind tm global -policyName [-priority ]

bind tm global -policyName Traffic-Pol-1

At the command prompt, type one of the following commands:
bind lb vserver -policy [-priority ]
bind cs vserver -policy [-priority ]

bind authentication vserver auth-vserver-1 -policyName Traffic-Pol-1 -priority 1000

At the command prompt, type:
unbind tm global -policyName

unbind tm global -policyName Traffic-Pol-1


At the command prompt, type one of the following commands:
unbind lb vserver -policy
unbind cs vserver -policy

unbind authentication vserver auth-vserver-1 -policyName Traffic-Pol-1

First unbind the session policy from global, and then, at the command prompt, type:
rm tm trafficPolicy

rm tm trafficPolicy Traffic-Pol-1

1. Navigate to Security > AAA - Application Traffic > Traffic.
2. Navigate to Security > AAA - Application Traffic > Policies > Traffic.
3. In the details pane, do one of the following:
To create a new session policy, click Add.
To modify an existing session policy, select the policy, and then click Edit.
4. In the Create Traffic Policy or Configure Traffic Policy dialog, specify values for the parameters.
Name*: policyName (Cannot be changed for a previously configured session policy.)
Profile*: actionName
Expression: rule (You enter expressions by first choosing the type of expression in the leftmost drop-down list beneath the Expression text area and then typing your expression directly into the expression text area, or by clicking Add to open the Add Expression dialog box and using the drop-down lists in it to construct your expression.)
5. Click Create or OK. The policy that you created appears in the details pane of the Session Policies and Profiles page.


Jul 25, 2017

To enable and configure forms-based SSO, you first create an SSO profile.

Note: Forms-based single sign-on does not work if the form is customized to include JavaScript. In this feature, the terms “profile” and “action” mean the same thing.

At the command prompt, type:
add tm formSSOAction -actionURL -userField -passwdField -ssoSuccessRule [-nameValuePair ] [-responsesize ] [-nvtype ( STATIC | DYNAMIC )] [-submitMethod ( GET | POST )]
show tm formSSOAction []

add tm formSSOAction SSO-Prof-1 -actionURL "/logon.php" -userField "loginID" -passwdField "passwd" -nameValuePair "loginID passwd" -responsesize "9096" -ssoSuccessRule "HTTP.RES.HEADER(\"Set-Cookie\").CONTAINS(\"LogonID\")" -nvtype STATIC -submitMethod GET

At the command prompt, type:
set tm formSSOAction -actionURL -userField -passwdField -ssoSuccessRule [-nameValuePair ] [-responsesize ] [-nvtype ( STATIC | DYNAMIC )] [-submitMethod ( GET | POST )]

set tm formSSOAction SSO-Prof-1 -actionURL "/logon.php" -userField "loginID" -passwdField "passwd" -ssoSuccessRule "HTTP.RES.HEADER(\"Set-Cookie\").CONTAINS(\"LogonID\")" -nameValuePair "loginID passwd" -responsesize "9096" -nvtype STATIC -submitMethod GET

At the command prompt, type:
rm tm formSSOAction

rm tm formSSOAction SSO-Prof-1


1. Navigate to Security > AAA - Application Traffic > Policies > Traffic.
2. In the details pane, click the Form SSO Profiles tab.
3. On the Form SSO Profiles tab, do one of the following:
To create a new form SSO profile, click Add.
To modify an existing form SSO profile, select the profile, and then click Edit.
4. In the Create Form SSO Profile or Configure Form SSO Profile dialog, specify values for the parameters:
Name*: name (Cannot be changed for a previously configured session action.)
Action URL*: actionURL
User Name Field*: userField
Password Field*: passField
Expression*: ssoSuccessRule
Name Value Pair: nameValuePair
Response Size: responsesize
Extraction: nvtype
Submit Method: submitMethod
5. Click Create or OK, and then click Close. The form SSO profile that you created appears in the Traffic Policies, Profiles, and Form SSO Profiles pane.


Jul 25, 2017

This topic provides the detailed steps to configure Kerberos authentication on the NetScaler by using the CLI and the GUI.

Configuring Kerberos authentication on the NetScaler CLI

1. Enable the AAA feature to ensure the authentication of traffic on the appliance.

   ns-cli-prompt> enable ns feature AAA

2. Add the keytab file to the NetScaler appliance. A keytab file is necessary for decrypting the secret received from the client during Kerberos authentication. A single keytab file contains authentication details for all the services that are bound to the traffic management virtual server on the NetScaler. First generate the keytab file on the Active Directory server and then transfer it to the NetScaler appliance.

   1. Log on to the Active Directory server and add a user for Kerberos authentication. For example, to add a user named "Kerb-SVC-Account":

      net user Kerb-SVC-Account f [email protected] #4 56 /add

      Note: In the User Properties section, ensure that the "Change password at next logon" option is not selected and the "Password does not expire" option is selected.

   2. Map the HTTP service to the above user and export the keytab file. For example, run the following command on the Active Directory server:

      ktpass /out keytabfile /princ HTTP/[email protected] NEWACP.COM /pass f [email protected] #4 56 /mapuser newacp\dummy /ptype KRB5_NT_PRINCIPAL

      Note: You can map more than one service if authentication is required for more than one service. To map more services, repeat the above command for every service. You can give the same name or different names for the output file.

   3. Transfer the keytab file to the NetScaler by using the unix ftp command or any other file transfer utility of your choice.

   4. Log on to the NetScaler appliance, and run the ktutil utility to verify the keytab file. The keytab file has an entry for the HTTP service after it is imported. The ktutil interactions are as follows:

      [email protected]# ktutil
      ktutil: rkt /var/keytabfile
      ktutil: list
      slot KVNO Principal
      --------------------------------------------------------------------
      ktutil: wkt /etc/krb5.keytab
      ktutil: list
      slot KVNO Principal
      ---- ---- ---------------------------------------------------------------
      1 2 HTTP/[email protected]
      ktutil: quit

3. The NetScaler must obtain the IP address of the domain controller from the fully qualified domain name (FQDN). Therefore, Citrix recommends configuring the NetScaler with a DNS server.

   ns-cli-prompt> add dns nameserver <ip-address>

   Note: Alternatively, you can add static host entries or use any other means so that the NetScaler can resolve the FQDN of the domain controller to an IP address.

4. Configure the authentication action and then associate it with an authentication policy.

   1. Configure the negotiate action.

      ns-cli-prompt> add authentication negotiateAction <name> -domain <domainName> -domainUser <domainUsername> -domainUserPasswd <domainUserPassword>

   2. Configure the negotiate policy and associate the negotiate action with this policy.

      ns-cli-prompt> add authentication negotiatePolicy <name> <rule> <reqAction>

5. Create an authentication virtual server and associate the negotiate policy with it.

   1. Create an authentication virtual server.

      ns-cli-prompt> add authentication vserver <name> SSL <ipAddress> 443 -authenticationDomain <domainName>

   2. Bind the negotiate policy to the authentication virtual server.

      ns-cli-prompt> bind authentication vserver <name> -policy <negotiatePolicyName>

6. Associate the authentication virtual server with the traffic management (load balancing or content switching) virtual server.

   ns-cli-prompt> set lb vserver <name> -authn401 ON -authnVsName <string>

   Note: Similar configurations can also be done on the content switching virtual server.

7. Verify the configurations by doing the following:

   1. Access the traffic management virtual server, using the FQDN. For example, http://owa.newacp.com.

   2. View the details of the session on the NetScaler CLI.

      ns-cli-prompt> show aaa session

Configuring Kerberos authentication on the NetScaler GUI

1. Enable the AAA feature. Navigate to System > Settings, click Configure Basic Features and enable the AAA feature.
2. Add the keytab file as detailed in step 2 of the CLI procedure mentioned above.
3. Add a DNS server. Navigate to Traffic Management > DNS > Name Servers, and specify the IP address for the DNS server.
4. Configure the Negotiate action and policy. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy, and create a policy with Negotiate as the action type.
5. Bind the negotiate policy to the authentication virtual server. Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the Negotiate policy with the authentication virtual server.
6. Associate the authentication virtual server with the traffic management (load balancing or content switching) virtual server. Navigate to Traffic Management > Load Balancing > Virtual Servers, and specify the relevant authentication settings.
   Note: Similar configurations can also be done on the content switching virtual server.
7. Verify the configurations as detailed in step 7 of the CLI procedure mentioned above.
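The keytab check in step 2 of the CLI procedure can also be run offline before the file is copied to the appliance. The following is an added example, not Citrix code: it reads the standard version 0x0502 keytab layout, lists slot, KVNO and principal as ktutil does, and goes one step further by flagging DES and RC4 keys. The host name, realm, function names and sample keytab bytes are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Enctype numbers for DES and RC4 keys (AES keys are 17 and 18).
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    slot: int
    principal: str
    kvno: int
    enctype: int


class _Reader:
    """Big-endian cursor over one keytab record."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def num(self, fmt: str) -> int:
        (value,) = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return value

    def counted(self) -> bytes:
        n = self.num(">H")
        if self.pos + n > len(self.buf):
            raise ValueError("counted string runs past end of record")
        data = self.buf[self.pos:self.pos + n]
        self.pos += n
        return data


def parse_keytab(blob: bytes) -> list:
    """Return the entries of a version 0x0502 keytab without exposing key bytes."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                  # a negative size marks a deleted slot
            pos += -size
            continue
        if pos + size > len(blob):
            raise ValueError("truncated keytab record")
        r = _Reader(blob[pos:pos + size])
        pos += size
        n_comp = r.num(">H")           # component count excludes the realm
        realm = r.counted().decode()
        comps = [r.counted().decode() for _ in range(n_comp)]
        r.num(">I")                    # name type (1 = KRB5_NT_PRINCIPAL)
        r.num(">I")                    # timestamp
        kvno = r.num(">B")             # 8-bit key version
        enctype = r.num(">H")
        r.counted()                    # key material: skipped, never printed
        if len(r.buf) - r.pos >= 4:
            kvno = r.num(">I") or kvno  # optional 32-bit key version wins
        principal = "/".join(comps) + "@" + realm
        entries.append(KeytabEntry(len(entries) + 1, principal, kvno, enctype))
    return entries


def check_keytab(entries: list, service_fqdn: str, realm: str) -> list:
    """Findings for the HTTP principal that the virtual server's FQDN requires."""
    wanted = f"HTTP/{service_fqdn}@{realm}"
    matches = [e for e in entries if e.principal == wanted]
    if not matches:
        return [f"no entry for {wanted}"]
    return [
        f"slot {e.slot}: {e.principal} uses weak enctype {WEAK_ENCTYPES[e.enctype]}"
        for e in matches if e.enctype in WEAK_ENCTYPES
    ]


def _build_entry(realm: str, comps: list, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialize one record; used only to construct the sample below."""
    def counted(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    body += struct.pack(">H", enctype) + counted(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: one RC4 key and one AES256 key for the same principal,
# with all-zero key bytes.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _build_entry("EXAMPLE.COM", ["HTTP", "owa.example.com"], 2, 23, bytes(16))
    + _build_entry("EXAMPLE.COM", ["HTTP", "owa.example.com"], 2, 18, bytes(32))
)

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print(e.slot, e.kvno, e.principal, e.enctype)
    print(check_keytab(parsed, "owa.example.com", "EXAMPLE.COM"))
```
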


Jul 25, 2017

NetScaler appliances now support single sign-on (SSO) using the Kerberos 5 protocol. Users log on to a proxy, the Application Delivery Controller (ADC), which then provides access to protected resources.

The NetScaler Kerberos SSO implementation requires the user's password for SSO methods that rely on basic, NTLM, or forms-based authentication. The user's password is not required for Kerberos SSO, although if Kerberos SSO fails and the NetScaler appliance has the user's password, it uses the password to attempt NTLM SSO.

If the user's password is available, the KCD account is configured with a realm, and no delegated user information is present, the NetScaler Kerberos SSO engine impersonates the user to obtain access to authorized resources. Impersonation is also called unconstrained delegation.

The NetScaler Kerberos SSO engine can also be configured to use a delegated account to obtain access to protected resources on the user's behalf. This configuration requires delegated user credentials, a keytab, or a delegated user certificate and matching CA certificate. Configuration that uses a delegated account is called constrained delegation.


Jul 25, 2017

Security Assertion Markup Language (SAML) is an XML-based authentication mechanism that provides single sign-on capability and is defined by the OASIS Security Services Technical Committee.

Why SAML?

Consider a scenario in which a service provider (LargeProvider) hosts a number of applications for a customer (BigCompany). BigCompany has users that must seamlessly access these applications. In a traditional setup, LargeProvider would need to maintain a database of users of BigCompany. This raises some concerns for each of the following stakeholders:

- LargeProvider must ensure security of user data.
- BigCompany must validate the users and keep the user data up-to-date, not just in its own database, but also in the user database maintained by LargeProvider. For example, a user removed from the BigCompany database must also be removed from the LargeProvider database.
- A user has to log on individually to each of the hosted applications.

The SAML authentication mechanism provides an alternative approach. The following deployment diagram shows how SAML works.

The concerns raised by traditional authentication mechanisms are resolved as follows:

- LargeProvider does not have to maintain a database for BigCompany users. Freed from identity management, LargeProvider can concentrate on providing better services.
- BigCompany does not bear the burden of making sure the LargeProvider user database is kept in sync with its own user database.
- A user can log on once, to one application hosted on LargeProvider, and be automatically logged on to the other applications that are hosted there.

The NetScaler appliance can be deployed as a SAML Service Provider (SP) and a SAML Identity Provider (IdP). Read through the relevant topics to understand the configurations that must be performed on the NetScaler appliance.

The following table lists some articles that are specific to deployments where the NetScaler appliance is used as a SAML SP or a SAML IdP.


SAML SP      SAML IdP                                              Information Link
NetScaler    Citrix AppController Z3                               http://support.citrix.com/article/CTX133820
NetScaler    CloudGateway                                          http://support.citrix.com/article/CTX133558
NetScaler    Microsoft AD FS 2.0                                   http://support.citrix.com/article/CTX133919
NetScaler    Shibboleth                                            http://support.citrix.com/article/CTX200271
NetScaler    Shibboleth (With SAML single logout configuration)    http://support.citrix.com/article/CTX200392
Siteminder   NetScaler                                             http://support.citrix.com/article/CTX200177
ShareFile    NetScaler                                             http://support.citrix.com/article/CTX200323

Some information on other specific deployments:

- NetScaler as SAML SP on FIPS Device
- Configuring Office365 for Single Sign-on with NetScaler as SAML IdP


Jul 25, 2017

The SAML Service Provider (SP) is a SAML entity that is deployed by the service provider. When a user tries to access a protected application, the SP evaluates the client request. If the client is unauthenticated (does not have a valid NSC_TMAA or NSC_TMAS cookie), the SP redirects the request to the SAML Identity Provider (IdP). The SP also validates SAML assertions that are received from the IdP. When the NetScaler appliance is configured as an SP, all user requests are received by a traffic management virtual server (load balancing or content switching) that is associated with the relevant SAML action. The NetScaler appliance also supports POST and Redirect bindings during logout.

A NetScaler appliance can be used as a SAML SP in a deployment where the SAML IdP is configured either on the appliance or on any external SAML IdP.

When used as a SAML SP, a NetScaler appliance:

- Can extract the user information (attributes) from the SAML token. This information can then be used in the policies that are configured on the NetScaler. For example, if you want to extract the GroupMember and emailaddress attributes, in the SAMLAction, specify the Attribute2 parameter as GroupMember and the Attribute3 parameter as emailaddress.
  Note: Default attributes such as username, password, and logout URL must not be extracted in attributes 1 to 16, because they are implicitly parsed and stored in the session.
- Can extract attribute names of up to 127 bytes from an incoming SAML assertion. The previous limit was 63 bytes. Support introduced in NetScaler 11.0 Build 64.x.
- Supports post, redirect, and artifact bindings. Support for redirect and artifact bindings is introduced in NetScaler 11.0 Build 55.x.
  Note: Redirect binding should not be used for large amounts of data, that is, when the assertion after inflation or decoding is greater than 10K.
- Can decrypt assertions. Support introduced in NetScaler 11.0 Build 55.x.
- Can extract multi-valued attributes from a SAML assertion. These attributes are sent in nested XML tags such as: Value1 Value2
  When presented with the above XML, the NetScaler appliance can extract both Value1 and Value2 as values of a given attribute, as opposed to the old firmware that extracts only Value1.
  Note: Support introduced in NetScaler 11.0 Build 64.x.
- Can specify the validity of a SAML assertion. If the system time on the NetScaler SAML IdP and the peer SAML SP is not in sync, the messages might get invalidated by either party. To avoid such cases, you can now configure the time duration for which the assertions will be valid. This duration, called the "skew time," specifies the number of minutes for which the message should be accepted. The skew time can be configured on the SAML SP and the SAML IdP.
  Note: Support introduced in NetScaler 11.0 Build 64.x.
- Can send an additional attribute called 'ForceAuthn' in the authentication request to an external IdP (Identity Provider). By default, ForceAuthn is set to 'False'. It can be set to 'True' to suggest that the IdP force authentication despite an existing authentication context. Additionally, the NetScaler SP sends the authentication request in a query parameter when configured with artifact binding.

To configure the NetScaler appliance as a SAML SP by using the command line interface

1. Configure a SAML SP action.
   Example: The following command adds a SAML action that redirects unauthenticated user requests.

   > add authentication samlAction SamlSPAct1 -samlIdPCertName nssp -samlRedirectUrl http://auth1.example.com

2. Configure the SAML policy.
   Example: The following command defines a SAML policy that applies the above defined SAML action to all traffic.

   > add authentication samlPolicy SamlSPPol1 ns_true SamlSPAct1

3. Bind the SAML policy to the authentication virtual server.
   Example: The following command binds the SAML policy to an authentication virtual server named "av_saml".

   > bind authentication vserver av_saml -policy SamlSPPol1

4. Bind the authentication virtual server to the appropriate traffic management virtual server.
   Example: The following command adds a load balancing virtual server named "lb1_ssl" and associates the authentication virtual server named "av_saml" with the load balancing virtual server.

   > add lb vserver lb1_ssl SSL 10.217.28.224 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth1.example.com -Authentication ON -authnVsName av_saml

To configure a NetScaler appliance as a SAML SP by using the graphical user interface

1. Configure the SAML action and policy. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy, create a policy with SAML as the action type, and associate the required SAML action with the policy.
2. Associate the SAML policy with an authentication virtual server. Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the SAML policy with the authentication virtual server.
3. Associate the authentication server with the appropriate traffic management virtual server. Navigate to Traffic Management > Load Balancing (or Content Switching) > Virtual Servers, select the virtual server, and associate the authentication virtual server with it.
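The multi-valued attribute extraction and the skew time described in the SP capability list above can be seen on a concrete assertion. The following is an added example, not Citrix code and not a description of how the appliance is implemented: the assertion is constructed, the function names are this example's own, and the assertion's signature is assumed to have been verified before these functions are called.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR_VALUE_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}AttributeValue"

# Constructed sample assertion, valid from 10:00 to 10:05 UTC (signature omitted).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed1" Version="2.0" IssueInstant="2017-07-25T10:00:00Z">
  <saml:Conditions NotBefore="2017-07-25T10:00:00Z" NotOnOrAfter="2017-07-25T10:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="GroupMember">
      <saml:AttributeValue>Value1</saml:AttributeValue>
      <saml:AttributeValue>Value2</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="emailaddress">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse(xml_text: str) -> ET.Element:
    # Refuse DTDs so entity-expansion payloads never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in a SAML assertion")
    return ET.fromstring(xml_text)


def _timestamp(value: str) -> datetime:
    # SAML instants are UTC xs:dateTime values such as 2017-07-25T10:00:00Z.
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def extract_attributes(xml_text: str) -> dict:
    """Map each attribute name to every value it carries, in document order."""
    attrs = {}
    root = _parse(xml_text)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if not name:
            continue
        # iter() walks nested AttributeValue elements too, so a value wrapped
        # in an outer AttributeValue is still collected; empty wrappers are dropped.
        values = [(v.text or "").strip() for v in attr.iter(ATTR_VALUE_TAG)]
        attrs.setdefault(name, []).extend(v for v in values if v)
    return attrs


def within_validity(xml_text: str, now: datetime, skew_minutes: int = 0) -> bool:
    """True when `now` (timezone-aware) is inside the window widened by the skew."""
    cond = _parse(xml_text).find(".//saml:Conditions", SAML_NS)
    if cond is None:
        return False  # fail closed: this example requires an explicit window
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not not_before or not not_on_or_after:
        return False
    skew = timedelta(minutes=skew_minutes)
    return _timestamp(not_before) - skew <= now < _timestamp(not_on_or_after) + skew


if __name__ == "__main__":
    print(extract_attributes(SAMPLE_ASSERTION))
    # An SP whose clock runs two minutes past the assertion's expiry.
    sp_clock = datetime(2017, 7, 25, 10, 7, tzinfo=timezone.utc)
    print(within_validity(SAMPLE_ASSERTION, sp_clock, skew_minutes=0))
    print(within_validity(SAMPLE_ASSERTION, sp_clock, skew_minutes=5))
```

A skew time widens the acceptance window on both ends, so it should be kept as small as the clock drift between the SP and the IdP allows.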


Jul 25, 2017

The primary entity used for nFactor authentication is called a login schema. A login schema specifies an authentication schema XML file that defines the manner in which the login form will be rendered. Considering the interaction that the user must have when logging in to the application, you can create a single file for multiple factors or different files for different factors.

- Single file for multiple factors. The user is provided a single form in which to provide credentials for multiple authentication factors.
- Different files for different factors. The user is provided a different form for each authentication factor.

Next, you must associate the XML file(s) with login schema(s). You can also specify expressions to extract the user name and the password from the login form.

You can configure an authentication factor to be pass-through. This means that the user is not required to provide credentials explicitly and there is no login form for that factor. The credentials are either taken from the previous factor or the user name and/or password are dynamically extracted by using the username/password expressions that are configured for that login schema. You must set the login schema to "NOSCHEMA", instead of an XML file.

Now that the login schemas are configured, you must specify the manner in which they must be invoked. A login schema can be invoked by using either a login schema policy or an authentication policy label. The decision depends on the following:

Login schema policy.
- Specifies the condition on which the login form must be presented to the user.
- Must be bound to an authentication virtual server. In an authentication virtual server that has multiple login schema policies, the policy with the highest priority that evaluates to true is executed. That is, the login form associated with that policy is presented to the user.
- The login schema policy is only used to present the first login form.

Authentication policy label.
- Specifies a collection of authentication policies for a particular factor. Each policy label corresponds to a single factor.
- Specifies the login form that must be presented to the user.
- Must be bound as the next factor of an authentication policy or of another authentication policy label.
- Typically, a policy label includes authentication policies for a specific authentication mechanism. However, you can also have a policy label that has authentication policies for different authentication mechanisms.

To summarize, the configurations you must perform to set up nFactor authentication are as follows:
1. Create the authentication schema XML files.
2. Associate each XML file with a login schema.
3. Associate each login schema with a login schema policy or authentication policy label.
4. Bind login schema policy to an authentication virtual server.
5. Bind authentication policy label, as next factor, to an authentication policy.


Jul 25, 2017

Using admin partitions for your deployment provides the following benefits:
- Allows delegation of administrative ownership of an application to the customer.
- Reduces the cost of ADC ownership without compromising on performance and ease-of-use.
- Safeguards from unwarranted configuration changes. In a non-partitioned NetScaler, authorized users of other applications could intentionally or unintentionally change configurations that are required for your application. This could lead to undesirable behavior. This possibility is reduced in a partitioned NetScaler.
- Isolates traffic between different applications by the use of dedicated VLANs for each partition.
- Accelerates application deployments and allows them to scale.
- Allows application-level or localized management and reporting.

Let us analyze a couple of cases to understand the scenarios in which you can use admin partitions.

 


Jul 25, 2017

Only superusers are authorized to create and configure admin partitions. Unless specified otherwise, configurations to set up an admin partition must be done from the default partition.

By partitioning a NetScaler appliance, you are in effect creating multiple instances of a single NetScaler appliance. Each instance has its own configurations, and the traffic of each of these partitions is isolated from the others by assigning each partition a dedicated VLAN or a shared VLAN. A partitioned NetScaler has one default partition and the admin partitions that are created. To set up an admin partition, you must first create a partition with the relevant resources (memory, maximum bandwidth, and connections). Then, specify the users that can access the partition and the level of authorization for each of the users on the partition.

In a partitioned NetScaler appliance, a network administrator can create a partition with partition resources such as memory, bandwidth, and connection limit configured as unlimited. This is done by specifying Zero as the partition resource value, where Zero indicates the resource is unlimited on the partition and it can be consumed up to system limits. Partition resource configuration is useful when you migrate a traffic domain deployment to an administrative partition or if you do not know the resource allocation limit for a partition in a given deployment.

Resource limits for an administrative partition are as follows:

1. Partition memory. This is the maximum allocated memory for a partition. You must make sure to specify the values when creating a partition.
Note: From NetScaler 12.0 onwards, when you create a partition, you must set the memory limit as Zero, or, if a partition is already created with a specific memory limit, you can reduce the limit to any value or set the limit as Zero.
Parameter: maxMemLimit
Maximum memory is allocated in megabytes in a partition. A zero value indicates the memory is unlimited on the partition and it can consume up to the system limits.
Default value: 10

2. Partition bandwidth. Maximum allocated bandwidth for a partition. If you specify a limit, make sure it is within the appliance’s licensed throughput. Otherwise, you are not limiting the bandwidth that can be used by the partition. The specified limit is accountable for the bandwidth that the application requires. If the application bandwidth exceeds the specified limit, packets are dropped.
Note: From NetScaler 12.0 onwards, when you create a partition, you can set the partition bandwidth limit to Zero, or, if a partition is already created with a specific bandwidth, you can reduce the bandwidth or set the limit as Zero.
Parameter: maxBandwidth
Maximum bandwidth is allocated in Kbps in a partition. A zero value indicates the bandwidth is unrestricted. That is, the partition can consume up to the system limits.
Default value: 10240
Maximum value: 4294967295

3. Partition connection. Maximum number of concurrent connections that can be open in a partition. The value must accommodate the maximum simultaneous flow expected within the partition. The partition connections are accounted from the partition quota memory. Previously, the connections were accounted from the default partition quota memory. It is configured only on the client-side, not on the back-end server-side TCP connections. New connections cannot be established beyond this configured value.
Note: From NetScaler 12.0 onwards, you can create a partition with the number of open connections set to Zero, or, if you have already created a partition with a specific number of open connections, you can reduce the connection limit or set the limit as Zero.
Parameter: maxConnections
Maximum number of concurrent connections that can be open in the partition. A zero value indicates no limit on the number of open connections.
Default value: 1024
Minimum value: 0
Maximum value: 4294967295

On a partitioned NetScaler appliance, a PARTITION-RATE-LIMIT alarm can generate six SNMP traps for notification that a partition resource (such as connection or memory) has reached its limit or returned to normal. Previously, only three SNMP traps were available for rate limiting partition resources.

Note: To enable generation of the SNMP trap messages, you must enable the SNMP-RATE-LIMIT alarm on the appliance and then configure the destination device to which the appliance can send the trap messages.

The threshold and limit values for partition rate limiting are:
- Highest threshold = 80% (applicable for all partition rate limit traps)
- Lowest threshold = 60% (applicable for all partition rate limit traps)
- Memory limit = 95% (applicable only for partition memory traps)

The six new SNMP traps are:
- partitionCONNThresholdReached. Number of active connections for a partition exceeds its high threshold.
- partitionCONNThresholdNormal. Number of active connections is less than or equal to the configured normal threshold percentage.
- partitionBWThresholdReached. Partition’s bandwidth usage reaches the configured high threshold percentage.
- partitionMEMThresholdReached. Current memory usage of the partition exceeds its high threshold percentage.
- partitionMEMThresholdNormal. Current memory usage of the partition is less than or equal to the configured normal threshold percentage.
- partitionMEMLimitExceeded. Current memory usage of the partition exceeds its memory limit percentage.
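The thresholds above can be replayed offline to predict which traps a trap destination should receive, which is useful when testing alerting for partition resource exhaustion. The following Python sketch is an added example, not Citrix code; the hysteresis between the 80% and 60% thresholds, the re-arming of the memory-limit trap, and the treatment of a Zero (unlimited) limit as producing no traps are assumptions, and the function names are hypothetical.

```python
from collections import Counter

HIGH_PCT = 80        # highest threshold, all partition rate-limit traps
LOW_PCT = 60         # lowest threshold, all partition rate-limit traps
MEM_LIMIT_PCT = 95   # memory limit, partition memory traps only

# Trap names per resource as listed on the page (no "Normal" trap is listed for bandwidth).
TRAPS = {
    "conn": {"reached": "partitionCONNThresholdReached",
             "normal": "partitionCONNThresholdNormal"},
    "bw": {"reached": "partitionBWThresholdReached"},
    "mem": {"reached": "partitionMEMThresholdReached",
            "normal": "partitionMEMThresholdNormal",
            "limit": "partitionMEMLimitExceeded"},
}


def expected_traps(resource, limit, samples):
    """Return, in order, the traps expected for a series of usage samples.

    resource: "conn", "bw" or "mem"; limit: the configured partition limit;
    samples: usage values in the same unit as the limit.
    """
    if limit == 0:
        # Zero means unlimited. Assumption: no rate-limit traps are raised then.
        return []
    names = TRAPS[resource]
    above_high = False   # state for the Reached/Normal pair
    over_limit = False   # state for partitionMEMLimitExceeded
    traps = []
    for used in samples:
        scaled = used * 100  # integer math avoids float rounding at the boundaries
        # Page wording: bandwidth "reaches" the threshold, the others "exceed" it.
        if resource == "bw":
            crossed = scaled >= HIGH_PCT * limit
        else:
            crossed = scaled > HIGH_PCT * limit
        if not above_high and crossed:
            above_high = True
            traps.append(names["reached"])
        elif above_high and scaled <= LOW_PCT * limit:
            above_high = False
            if "normal" in names:
                traps.append(names["normal"])
        if "limit" in names:
            if scaled > MEM_LIMIT_PCT * limit:
                if not over_limit:
                    over_limit = True
                    traps.append(names["limit"])
            else:
                over_limit = False  # assumption: the trap re-arms at or below the limit
    return traps


def missing_traps(expected, received):
    """Expected traps that never reached the trap destination (multiset difference)."""
    return sorted((Counter(expected) - Counter(received)).elements())


# Constructed usage samples; the limits reuse the page's example partition
# (-maxBandwidth 200 -maxconn 50 -maxmemlimit 90).
MEM_SAMPLES_MB = [40, 75, 80, 88, 70, 50]
CONN_SAMPLES = [10, 40, 41, 35, 30, 45]
BW_SAMPLES_KBPS = [160, 100, 170]

if __name__ == "__main__":
    for resource, limit, samples in (("mem", 90, MEM_SAMPLES_MB),
                                     ("conn", 50, CONN_SAMPLES),
                                     ("bw", 200, BW_SAMPLES_KBPS)):
        print(resource, expected_traps(resource, limit, samples))
```

Comparing the output of `expected_traps` with what the trap receiver actually logged, through `missing_traps`, shows whether the alarm or the trap destination is misconfigured.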

To configure the PARTITION-RATE-LIMIT alarm in a specific partition and enable generation of the SNMP trap messages:
1. Enable PARTITION-Rate-Limit Alarm
2. Configure PARTITION-Rate-Limit Alarm
3. Configure PARTITION-Rate-Limit Trap Destination

At the command prompt, type the following commands:

enable snmp alarm

show snmp alarm

At the command prompt, type the following command:

set snmp alarm [-state ( ENABLED | DISABLED )] [-severity ] [-logging ( ENABLED | DISABLED )]

At the command prompt, type the following command:

set snmp trap [-version ] [-td ] [-destPort ] [-commun

Navigate to System > SNMP > Alarms, select the Rate-Limit-Threshold-Exceeded alarm, and configure the alarm parameters.

Navigate to System > SNMP > Trap, and specify the IP address of the destination device.

VLANs can be bound to a partition as a “Dedicated” VLAN or a “Shared” VLAN. Based on your deployment, you can bind a VLAN to a partition to isolate its network traffic from other partitions.

- Dedicated VLAN – A VLAN bound only to one partition, with the “Sharing” option disabled. It must be a tagged VLAN. For example, in a client-server deployment, for security reasons a system administrator creates a dedicated VLAN for each partition on the server side.
- Shared VLAN – A VLAN bound to (shared across) multiple partitions, with the “Sharing” option enabled. For example, in a client-server deployment, if the system administrator does not have control over the client side network, a VLAN is created and shared across multiple partitions.

Note: If a NetScaler Virtual Appliance is deployed on an ESX platform, you must enable the Promiscuous mode for shared VLANs with partition. Otherwise, if the traffic is through a dedicated VLAN, you must enable the VLAN with Portgroup properties of the virtual switch.

Citrix recommends that you bind a Dedicated or Shared VLAN to multiple partitions. You can bind only a tagged VLAN to a partition. If there are untagged VLANs, you must enable them as “Shared” VLANs and then bind them to other partitions. This ensures that you control traffic packets (for example, LACP, LLDP, and xSTP packets) handled in the default partition. If you have already bound an untagged VLAN for a partition in 11.0, see the “Deployment procedure for upgrading a sharable VLAN to NetScaler 11.1 software” procedure.

In a partitioned (multi-tenant) NetScaler appliance, a system administrator can isolate the traffic flowing to a particular partition or partitions by binding one or more VLANs to each partition. A VLAN can be dedicated to one partition or shared across multiple partitions.

To isolate the traffic flowing into a partition, create a VLAN and associate it with the partition. The VLAN is then visible only to the associated partition, and the traffic flowing through the VLAN is classified and processed only in the associated partition.

To implement a dedicated VLAN for a particular partition, do the following.
1. Add a VLAN (V1).
2. Bind a network interface to VLAN as a tagged network interface.
3. Create a partition (P1).
4. Bind partition (P1) to the dedicated VLAN (V1).

At the command prompt, type:

add vlan

Example

add vlan V1

At the command prompt, type:

bind vlan -ifnum -tagged

Example

bind vlan V1 -ifnum 1/8 -tagged

At the command prompt, type:

Add ns partition [-maxBandwidth ] [-maxConn ] [-maxMemLimit

Example

Add ns partition P1 -maxBandwidth 200 -maxconn 50 -maxmemlimit 90

Done

At the command prompt, type:

bind partition -vlan

Example

bind partition P1 -vlan V1

1. Navigate to Configuration > System > Network > VLANs and click Add to create a VLAN.
2. On the Create VLAN page, set the following parameters:
   1. VLAN ID
   2. Alias Name
   3. Maximum Transmission Unit
   4. Dynamic Routing
   5. IPv6 Dynamic Routing
   6. Partitions Sharing
3. In the Interface Bindings section, select one or more interfaces and bind them to the VLAN.
4. In the IP Bindings section, select one or more IP addresses and bind them to the VLAN.
5. Click OK and Done.

In a shared VLAN configuration, each partition has a MAC address, and traffic received on the shared VLAN is classified by MAC address. Using a Layer3 VLAN is recommended because it can restrict the subnet traffic.

Note: Shared VLAN in a partitioned appliance does not support dynamic routing protocol.

The following diagram shows how a VLAN (VLAN 10) is shared across two partitions.

To deploy a shared VLAN configuration, do the following:
1. Create a VLAN with the sharing option ‘enabled’, or enable the sharing option on an existing VLAN. By default, the option is ‘disabled’.
2. Bind partition interface to shared VLAN.
3. Create the partitions, each with its own PartitionMAC address.
4. Bind the partitions to the shared VLAN.

At the command prompt, type one of the following commands to add a new VLAN or set the sharing parameter of an existing VLAN:


add vlan [-sharing (ENABLED | DISABLED)]

set vlan [-sharing (ENABLED | DISABLED)]

Examples

add vlan V1 -sharing ENABLED

set vlan V1 -sharing ENABLED

At the command prompt, type:

bind partition -vlan

Example

bind partition P1 -vlan

At the command prompt, type:

Add ns partition [-maxBandwidth ] [-maxConn ] [-maxMemLimit

Example

Add ns partition P1 -maxBandwidth 200 -maxconn 50 -maxmemlimit 90 -partitionMAC

Done

At the command prompt, type:

set ns partition [-partitionMAC]

Example

set ns partition P1 -partitionMAC 22:33:44:55:66:77

At the command prompt, type:

bind partition -vlan

bind partition -vlan

Example

bind partition P1 -vlan V1

bind partition P2 -vlan V1

bind partition P3 -vlan V2

bind partition P4 -vlan V1

1. Navigate to Configuration > System > Network > VLANs and then select a VLAN profile and click Edit to set the partition sharing parameter.
2. On the Create VLAN page, select the Partitions Sharing checkbox.
3. Click OK and then Done.

In a partitioned NetScaler appliance, similar to configuring a VLAN, you can configure a VXLAN in the default partition. After configuring a VXLAN, you can bind it to an administrative partition. Alternatively, if a VXLAN is extending a VLAN that is bound to a partition, the appliance binds the VXLAN to the partition under the same broadcast domain. The same applies to unbinding: unbinding the VLAN unbinds the VXLAN from the partition. For more information about how VXLAN works in a NetScaler appliance, see http://docs.citrix.com/en-us/netscaler/11/networking/vxlans.html. Also, for more information on how VLAN works in a partitioned NetScaler appliance, see http://docs.citrix.com/en-us/netscaler/11-1/adminpartition/admin-partition-setup.html.

Remember the following points before you configure a VXLAN in a partitioned NetScaler appliance:
- When you extend a VLAN over VXLAN, make sure the VLAN is bound to the partition.
- Only a partition administrator must configure the IP and dynamic routing for the VXLAN in the administrative partition.
- A shared VXLAN is not supported in a partitioned appliance, so a VXLAN cannot be tagged to a shared VLAN, and you cannot make a VLAN a shared one when it is tagged to a VXLAN.
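The binding rules described above (dedicated versus shared VLANs, a partition MAC per partition on a shared VLAN, and the VXLAN restriction) can be checked against a planned configuration before it is applied, since a mistake here weakens traffic isolation between partitions. The following Python check is an added example, not part of the Citrix documentation; the data model, rule codes, numeric VLAN IDs, and sample plans are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Vlan:
    vid: int
    tagged: bool
    sharing: bool = False          # the VLAN "-sharing" option (DISABLED by default)
    vxlan: Optional[int] = None    # VXLAN extending this VLAN, if any


@dataclass
class Partition:
    name: str
    vlans: List[int] = field(default_factory=list)
    partition_mac: Optional[str] = None   # the "-partitionMAC" value


def validate(vlans, partitions):
    """Return a list of (rule_code, detail) findings; an empty list means the plan passes."""
    by_id = {v.vid: v for v in vlans}
    bound_to = defaultdict(list)
    findings = []
    for part in partitions:
        for vid in part.vlans:
            if vid in by_id:
                bound_to[vid].append(part)
            else:
                findings.append(("UNKNOWN_VLAN", f"{part.name} binds undefined VLAN {vid}"))
    for vid in sorted(bound_to):
        vlan, parts = by_id[vid], bound_to[vid]
        names = ", ".join(p.name for p in parts)
        if not vlan.sharing:
            # Dedicated VLAN: bound to exactly one partition, and tagged.
            if len(parts) > 1:
                findings.append(("DEDICATED_MULTI_BOUND",
                                 f"VLAN {vid} has sharing disabled but is bound to {names}"))
            if not vlan.tagged:
                findings.append(("UNTAGGED_NOT_SHARED",
                                 f"VLAN {vid} is untagged and must be enabled as Shared"))
            continue
        # Shared VLAN: no VXLAN, and traffic is classified by partition MAC.
        if vlan.vxlan is not None:
            findings.append(("VXLAN_ON_SHARED_VLAN",
                             f"VXLAN {vlan.vxlan} is tagged to shared VLAN {vid}"))
        owners = defaultdict(list)
        for part in parts:
            if part.partition_mac is None:
                findings.append(("MISSING_PARTITION_MAC",
                                 f"{part.name} is on shared VLAN {vid} without a partition MAC"))
            else:
                owners[part.partition_mac.lower()].append(part.name)
        for mac in sorted(owners):
            if len(owners[mac]) > 1:
                findings.append(("DUPLICATE_PARTITION_MAC",
                                 f"{', '.join(owners[mac])} share MAC {mac} on VLAN {vid}"))
    return findings


# Constructed plans. Only the MAC 22:33:44:55:66:77 and VXLAN 3000 come from the page's examples.
BAD_VLANS = [Vlan(10, tagged=True), Vlan(20, tagged=False),
             Vlan(30, tagged=True, sharing=True, vxlan=3000)]
BAD_PARTITIONS = [Partition("P1", [10, 30], "22:33:44:55:66:77"),
                  Partition("P2", [10, 40]),
                  Partition("P3", [20]),
                  Partition("P4", [30])]

GOOD_VLANS = [Vlan(10, tagged=True, sharing=True), Vlan(20, tagged=True)]
GOOD_PARTITIONS = [Partition("P1", [10], "22:33:44:55:66:77"),
                   Partition("P2", [10], "22:33:44:55:66:78"),
                   Partition("P3", [20])]

if __name__ == "__main__":
    for code, detail in validate(BAD_VLANS, BAD_PARTITIONS):
        print(f"{code}: {detail}")
    print("good plan findings:", validate(GOOD_VLANS, GOOD_PARTITIONS))
```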

Following are the supportable VXLAN configurations.

Case 1: Extending VLAN over a VXLAN in the same broadcast domain

Follow the steps given below to extend a VLAN over a VXLAN and vice versa within the same broadcast domain:

1. Add a VLAN in the default partition

Add vlan

2. Extend VLAN over a VXLAN within the same broadcast domain.

Add vxlan -vlan

3. Configure a peer vtep to carry all BUM (broadcast unknown multicast) traffic.
Note: The vtep address can be a multicast address.

add bridgetable -mac -vxlan -vtep [-vni ] [-deviceVlan ]

4. Bind IP addresses to VXLAN.

Bind vxlan [-srcIP ] [-IPAddress []]

5. Bind VLAN to an administrative partition.

Bind partition -vxlan

Example

Add vlan 3000

Add vxlan 3000 -vlan 10

Add bridgetable -mac 00:00:00:00:00:00 -vxlan 3000 -vtep 10.102.58.8 -vni 11

Bind vxlan 3000 -srcIP 10.102.101.15

Bind partition p1 -vlan 10

Follow the steps given below to bind a VXLAN to an administrative partition.

1. Add a VXLAN in the default partition.

add vxlan [-vlan ] [-port ]

2. Configure bridge table and vxlan settings in the partition.

add bridgetable -mac -vxlan -vtep [-vni ] [-deviceVlan ]

3. Bind partition to VXLAN.

Bind partition -vxlan [-vlan ] [-port ]

Example

Add vxlan 3000

add bridgetable -mac 00:00:00:00:00:00 -vxlan 3000 -vtep 10.102.58.8

Bind partition p1 -vxlan 3000

Follow the steps given below to set VXLAN and VLAN in the same broadcast domain.

1. Add a VLAN in the default partition.

Add vlan

2. Bind VLAN to a specific partition.

Bind partition -vxlan [-vlan ] [-port ]

3. Add a VXLAN to the default partition.

add vxlan [-vlan ] [-port ]

4. Configure the bridge table and vxlan settings in the partition.

add bridgetable -mac -vxlan -vtep [-vni ] [-deviceVlan ]

Example

Add vlan 3000

Bind partition p1 -vlan 3000

Add vxlan 3000

add bridgetable -mac 00:00:00:00:00:00 -vxlan 3000 -vtep 10.102.58.8

1. Add a VXLAN to the default partition.

add vxlan [-vlan ] [-port ]

2. Configure the bridge table and vxlan settings in the default partition for multicast tunnel.
Note: The vtep address can be a multicast address.

add bridgetable -mac -vxlan -vtep [-vni ] [-deviceVlan ]

3. Bind VXLAN to a partition.

Bind partition -vxlan [-vlan ] [-port ]

Example

Add vxlan 3000

add bridgetable -mac 00:00:00:00:00:00 -vxlan 3000 -vtep 225.0.0.2 -deviceVlan 30

Bind partition p1 -vxlan 3000

Configuring a VXLAN on a partitioned appliance consists of the following tasks.
1. Adding or Removing a VXLAN
2. Setting Ports for a VXLAN
3. Binding a VXLAN to a Partition

At the command prompt, type:


add vxlan [-vlan ] [-port ]

show vxlan

At the command prompt, type:

add vxlan 12345 -port 1234

At the command prompt, type:

bind partition p1 -vxlan 12345

On a partitioned NetScaler appliance, Virtual Router Redundancy Protocol (VRRP) is supported on non-shared VLANs only. This protocol is blocked on a shared VLAN (tagged or untagged) bound to a default or any administrative partition. To understand how VRRP works in an active-active configuration, see http://docs.citrix.com/en-us/netscaler/111/networking/interfaces/active-active-mode-using-vrrp.html.

For shared VLAN to work in a partitioned deployment on a NetScaler SDX platform, you must log on to a Storage Virtualization Manager (SVM) appliance and assign each partition's MAC (VMAC) to a NetScaler VPX appliance.

On the command prompt, do the following:

1. Create a partition and configure the NetScaler resources for that partition.
add ns partition [-maxBandwidth ] [-maxConn ] [-maxMemLimit ]
Note: Check the rate limiting content provided above for tips to update the maximum memory limit, maximum bandwidth, and maximum number of connections.

2. Associate the appropriate users with the partition.
bind system user -partitionName

3. Specify the level of authorization for each user by associating one of the following command policies: partition-operator, partition-read-only, partition-network, and partition-admin.
bind system user

4. Configure the VLAN through which traffic for this partition must be routed. You can use bridgegroups instead of VLANs to route the traffic.
Add the VLAN and bind the required interfaces to it.
add vlan
bind vlan -ifnum
Note: When a VLAN is bound to an admin partition, its IP address bindings are lost. To make sure that the VLAN continues to have the IP address, create the IP address on the admin partition and then bind it to that VLAN.
OR
Add the bridgegroup and bind the required VLANs to it.
add bridgegroup
bind bridgegroup -vlan

5. Bind the VLAN or bridgegroup to the partition.
bind ns partition -vlan
OR
bind ns partition -bridgegroup
Note: Use the show vlan or the show bridgegroup command to view the partitions associated with that VLAN or bridgegroup.

6. Verify the configurations of the partition.
show ns partition
Note: You can also use the stat ns partition command to view partition configurations.

7. Save the configuration.
save ns config

On the Configuration tab of the graphical user interface:
1. Navigate to System > Partition Administration, click Add and do the following:
   1. Create and configure the resources for the admin partition.
   2. Specify the VLANs or bridgegroups to be associated with the partition.
   3. Associate user(s) with the partition.
   Note: Make sure you bind users who are not yet associated with partition type command policies.
2. Navigate to System > User Administration, and to the partition user, bind the appropriate command policy. The command policy must be one of the partition- entries. The choice depends on the level of authorization you intend the user to have.
3. Save the configuration.

After creating a partition, inform the users that the NetScaler configurations they perform will be isolated from users who are not members of the partition. Make sure the relevant users, command policies, VLANs, and bridgegroups are available on the NetScaler appliance. For deployments that have a large NetScaler configuration and a large volume of traffic, Citrix advises that you increase the default values for the maximum memory limit, maximum bandwidth, and maximum number of connections.


Jul 25, 2017

Accessing a partitioned NetScaler is the same as accessing a non-partitioned NetScaler: through the NetScaler IP (NSIP) address or any other management IP address. As a user, after you provide your valid logon credentials, you are taken to the partition to which you are bound. Any configurations that you create are saved to that partition. If you are associated with more than one partition, you are taken to the first partition with which you were associated. If you want to configure entities on one of your other partitions, you must explicitly switch to that partition. After accessing the appropriate partition, configurations that you perform are saved to that partition and are specific to that partition.

NetScaler superusers and other non-partition users are taken to the default partition. Users of all the 512 partitions can log in simultaneously.

To access a partitioned NetScaler appliance over HTTPS by using the SNIP (with management access enabled), make sure that each partition has the certificate of its partition administrator. Within the partition, the partition admin must do the following:

1. Add the certificate to the NetScaler.
> add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key

2. Bind it to a service named "nskrpcs-<SNIP>-3009", where <SNIP> must be replaced with the SNIP address, in this case 100.10.10.1.
> bind ssl service nskrpcs-100.10.10.1-3009 -certkeyName ns-server-certificate

To configure in a NetScaler partition by using the command line interface
1. Log on to the NetScaler appliance.
2. Check if you are in the correct partition. The command prompt displays the name of the currently selected partition.
   If yes, skip to the next step.
   If no, get a list of the partitions with which you are associated and switch over to the appropriate partition.
   show system user
   switch ns partition
3. Now, you can perform the required configurations just as on a non-partitioned NetScaler.

To configure in a NetScaler partition by using the configuration utility
1. Log on to the NetScaler appliance.
2. Check if you are in the correct partition. The top bar of the graphical user interface displays the name of the currently selected partition.
   If yes, skip to the next step.
   If no, navigate to Configuration > System > Administrative Partitions > Partitions, right-click the partition to which you want to switch, and select Switch.
3. Now, you can perform the required configurations just as on a non-partitioned NetScaler.

When authenticating and authorizing users on a partitioned NetScaler appliance, a root administrator can assign a partition administrator to one or more partitions. The partition administrator can authorize users to that partition without affecting other partitions. These are partition users, and they are authorized to access only that partition using the SNIP address. Both the root administrator and the partition administrator can configure role based access (RBA) by authorizing users to access different applications.

Administrators and user roles can be described as follows:
- Root Administrator: Accesses the partitioned appliance through its NSIP address and can grant user access to one or more partitions. The administrator can also assign partition administrators to one or more partitions. The administrator can create a partition administrator from the default partition using a NSIP address or switch to a partition and then create a user and assign partition admin access using a SNIP address.
- Partition Administrator: Accesses the specified partition through a NSIP address assigned by the root administrator. The administrator can assign role-based access to partition users of that partition and also configure external server authentication using partition specific configuration.
- System User: Accesses partitions through the NSIP address. Has access to the partitions and resources specified by the root administrator.
- Partition User: Accesses a partition through a SNIP address. This user account is created by the partition administrator, and the user has access to resources only within the partition.

Following are some points to remember when providing role-based access in a partition.

1. NetScaler users accessing the NetScaler GUI through the NSIP address use the default partition authentication configuration to log on to the appliance.
2. Partition system users accessing the NetScaler GUI through the partition SNIP address use the partition-specific authentication configuration to log on to the appliance.
3. A partition user created in a partition cannot log in using the NSIP address.
4. A NetScaler user bound to a partition cannot log in using the partition SNIP address.
5. External users access a partition through an external server configuration, such as LDAP, RADIUS, or TACACS, added in the partition. The user must use the SNIP address to log on directly to the partition.

Consider a scenario where an enterprise organization, www.example.com, has multiple business units and a centralized administrator who manages all instances in their network. However, they want to provide exclusive user privileges and


environment for each business unit.

Following are the administrators and users managed by default partition authentication configuration and partition-specific configuration in a partitioned appliance.

John: Root Administrator
George: Partition Administrator
Adam: System User
Jane: Partition User

John is the root administrator of a partitioned NetScaler appliance. John manages all user accounts and administrative user accounts across partitions (for example, P1, P2, P3, P4, and P5) within the appliance. He provides granular role-based access to entities from the default partition of the appliance. John creates user accounts and assigns partition access to each account.

George, a network engineer within the organization, prefers to have role-based access to a few applications running on partition P2. Based on user management, John creates a partition administrator role for George and associates his user account with the partition-admin command policy in partition P2.

Adam, another network engineer, prefers to access an application running on P2. John creates a system user account for Adam and associates his user account with partition P2. Once his account is created, Adam can log on to the appliance to access the NetScaler Management interface through the NSIP address and can switch to partition P2 based on user/group binding.

Suppose Jane, another network engineer, wants to directly access an application running only on partition P2. George (partition administrator) can create a partition user account for her and associate her account with command policies for authorization privileges. Jane's user account, created within the partition, is now directly associated with P2. Jane can now access the NetScaler Management interface through the SNIP address and cannot switch to any other partition.
Note: If Jane's user account is created by a partition administrator in partition P2, she can access the NetScaler Management interface only through the SNIP address (created within the partition) and is not permitted to access the interface through the NSIP address. Similarly, if Adam's user account is created by a root administrator in the default partition and is bound to partition P2, he can access the NetScaler Management interface only through the NSIP address or a SNIP address created in the default partition (with management access enabled) and is not permitted to access the partition interface through a SNIP address created in the administrative partition.

Following are the configurations performed by a root administrator in a default partition.

Creating administrative partitions and system users - A root administrator creates administrative partitions and system users in the default partition of the appliance. The administrator then associates the users with different partitions. If you are bound to one or more partitions, you can switch from one partition to another based on user bindings. Also, your access to one or more bound partitions is authorized only by the root administrator.
Authorizing a system user as partition administrator for a specific partition - Once a user account is created, the root administrator switches to a specific partition and authorizes the user as the partition administrator. This is done by assigning the partition-admin command policy to the user account. Now, the user can access the partition as partition administrator and manage entities within the partition.

Following are the configurations performed by a partition administrator in an administrative partition.


Configuring SNIP address in an administrative partition - The partition administrator logs on to the partition and creates a SNIP address and provides management access to the address.
Creating and Binding a Partition System User with Partition Command Policy - The partition administrator creates partition users and defines the scope of user access. This is done by binding the user account to partition command policies.
Creating and Binding a Partition System User Groups with Partition Command Policy - The partition administrator creates partition user groups and defines the scope of user group access. This is done by binding the user group account to partition command policies.
Configuring External Server authentication for external users (optional) - This configuration is done for authenticating external TACACS users accessing the partition using SNIP address.

Following are the tasks performed in configuring role-based access for partition users in an Administrative Partition.

1. Creating an Administrative Partition - Before you create partition users in an administrative partition, you must first create the partition. As a root administrator, you can create a partition from the default partition using the configuration utility or a command line interface.
2. Switching user access from default partition to partition P2 - If you are a partition administrator accessing the appliance from the default partition, you can switch from the default partition to a specific partition (for example, partition P2) based on user binding.
3. Adding SNIP address to the Partition user account with Management access enabled - Once you have switched your access to an administrative partition, you must create a SNIP address and provide management access to the address.
4. Creating and Binding a Partition System User with Partition Command Policy - If you are a partition administrator, you can create partition users and define the scope of user access. This is done by binding the user account to partition command policies.
5. Creating and Binding Partition user group with Partition Command Policy - If you are a partition administrator, you can create partition user groups and define the scope of user access control. This is done by binding the user group account to partition command policies.
6. Configuring External Server authentication for external users (optional) - This configuration is done for authenticating external TACACS users accessing the partition using SNIP address.

The root administrator adds an administrative partition from the default partition and binds the partition with VLAN 2.

To create an administrative partition by using the command line interface:

At the command prompt, type:

add partition


Switching user access from default partition to bound admin partition

Now switch user access from default partition to partition Par1.

To switch a user account from default partition to an administrative partition by using the command line interface:

At the command prompt, type:

switch ns partition

Adding SNIP address to the Partition user account with Management access enabled

In the partition, create SNIP address with management access enabled.

To add SNIP address to the partition user account with management access enabled by using the command line interface:

At the command prompt, type:

> add ns ip -mgmtAccess enabled

Creating and Binding a Partition System User with Partition Command Policy

In partition, create a partition system user and bind the user with partition-admin command policies.

To create and bind a partition system user with partition command policy by using the command line interface:

At the command prompt, type:

> add system user

Done


Creating and Binding Partition user group with Partition Command Policy

In Partition Par1, create a partition system user group and bind the group with a partition command policy such as partition-admin, partition-read-only, partition-operator, or partition-network.

To create and bind a partition user group with partition command policy by using the command line interface:

> add system user group

> bind system user group -policyname

> bind system user group -username

Configuring External Server authentication for external users

In partition Par1, you can configure external server authentication to authenticate external TACACS users accessing the partition through SNIP address.

To configure external server authentication for external users by using the command line interface:

At the command prompt, type:

add authentication tacacsaction -serverip -tacacsSecret -authorization ON -accounting ON

add authentication policy -rule true -action

bind system global -priority 1

To configure a partition user account in an administrative partition, you must create a partition user or a partition user group and bind it to partition command policies. Also, you can configure the external server authentication for an external user.

To create a partition user account in a partition by using the NetScaler GUI

Navigate to System > User Administration, click Users to add a partition system user and bind the user to command policies


(partition-admin/partition-read-only/partition-operator/partition-network).

To create a partition user group account in a partition by using the NetScaler GUI

Navigate to System > User Administration, click Groups to add a partition system user group and bind the user group to command policies (partition-admin/partition-read-only/partition-operator/partition-network).

To configure External server authentication for external users by using the NetScaler GUI

Navigate to System > Authentication > Basic Actions and click TACACS to configure TACACS server for authenticating external users accessing the partition.

The following configuration shows how to create a partition user or a partition user group and bind it to partition command policies. It also shows how to configure external server authentication for authenticating an external user.

add partition Par1

switch ns partition Par1

> add ns ip 10.102.29.203 255.255.255.0 -mgmtAccess enabled

> add system user John Password

> bind system user Jane partition-read-only -priority 1

> add system group Retail

> bind system group Retail -policyname partition-network 1 (where 1 is the priority number)

> bind system group Retail -username Jane

> add authentication tacacsAction tacuser -serverip 10.102.29.200 -tacacsSecret Password -authorization ON -accounting ON

> add authentication policy polname -rule true -action tacacsAction

> bind system global polname -priority 1
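A consistency check for a partition configuration like the listing above, added here as an example (it is not Citrix code). It assumes the configuration is available as plain CLI commands in the forms this page uses; `audit_partition_config`, `split_args` and the finding texts are hypothetical names chosen for the example.

```python
import shlex

# Built-in partition command policies named on this page.
PARTITION_POLICIES = {"partition-admin", "partition-read-only",
                      "partition-operator", "partition-network"}

# The page's sample commands with prompts removed and dashes normalised.
SAMPLE = """\
add ns ip 10.102.29.203 255.255.255.0 -mgmtAccess enabled
add system user John Password
bind system user Jane partition-read-only -priority 1
add system group Retail
bind system group Retail -policyname partition-network 1
bind system group Retail -username Jane
add authentication tacacsAction tacuser -serverip 10.102.29.200 -tacacsSecret Password -authorization ON -accounting ON
add authentication policy polname -rule true -action tacacsAction
bind system global polname -priority 1
"""


def split_args(tokens):
    """Separate positional tokens from '-flag value' pairs (flag names lower-cased)."""
    positional, flags = [], {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and len(tok) > 1 and not tok[1].isdigit():
            flags[tok[1:].lower()] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
        else:
            positional.append(tok)
            i += 1
    return positional, flags


def audit_partition_config(text):
    """Return a sorted list of findings for a partition's CLI configuration."""
    commands = []
    for line in text.splitlines():
        tokens = shlex.split(line.strip().lstrip(">").strip())
        if len(tokens) >= 4:
            pos, flags = split_args(tokens[3:])
            if pos:
                commands.append((" ".join(tokens[:3]).lower(), pos, flags))

    # Pass 1: everything the configuration defines.
    users, groups, actions, auth_policies = set(), set(), set(), {}
    for key, pos, flags in commands:
        if key == "add system user":
            users.add(pos[0])
        elif key == "add system group":
            groups.add(pos[0])
        elif key == "add authentication tacacsaction":
            actions.add(pos[0])
        elif key == "add authentication policy":
            auth_policies[pos[0]] = flags.get("action", "")

    # Pass 2: every binding must point at something defined in pass 1.
    findings, granted, members = [], set(), {}
    for key, pos, flags in commands:
        name = pos[0]
        if key in ("bind system user", "bind system group"):
            kind = key.split()[-1]
            if name not in (users if kind == "user" else groups):
                findings.append(f"{kind} {name!r} is bound but never added")
            member = flags.get("username")
            if member is not None:
                members.setdefault(name, set()).add(member)
                if member not in users:
                    findings.append(
                        f"group {name!r} lists member {member!r}, who is never added")
                continue
            policy = flags.get("policyname") or (pos[1] if len(pos) > 1 else None)
            if policy is None:
                continue
            granted.add((kind, name))
            if policy not in PARTITION_POLICIES:
                findings.append(
                    f"{kind} {name!r} is bound to {policy!r}, not a built-in partition policy")
            elif policy == "partition-admin":
                findings.append(f"{kind} {name!r} holds partition-admin")
        elif key == "bind system global":
            action = auth_policies.get(name)
            if action is None:
                findings.append(f"authentication policy {name!r} is bound but never added")
            elif action not in actions:
                findings.append(
                    f"authentication policy {name!r} uses action {action!r}, which is never added")

    # Accounts that exist but have no authorization at all.
    for user in users:
        via_group = any(user in m and ("group", g) in granted for g, m in members.items())
        if ("user", user) not in granted and not via_group:
            findings.append(f"user {user!r} has no command policy, directly or through a group")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_partition_config(SAMPLE):
        print(finding)
```

Run on the listing as printed, it reports that Jane is bound (directly and through Retail) without being added in the listing, that John has no command policy, and that polname names an action other than tacuser.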


Commands to authorize a user account inside Administrative Partition | Command Policies available inside an Administrative Partition (built-in policies) | User Account access type
add system user | Partition-admin | SNIP (with management access enabled)
add system group | Partition-network | SNIP (with management access enabled)
add authentication, bind system global | Partition-read-only | SNIP (with management access enabled)
remove system user | Partition-admin | SNIP (with management access enabled)
remove system group | Partition-admin | SNIP (with management access enabled)
bind system cmdpolicy to system user, bind system cmdpolicy to system group | Partition-admin | SNIP (with management access enabled)


With Link Aggregation Control Protocol (LACP), you can combine multiple ports into a single, high-speed link (also called a channel). An LACP-enabled appliance exchanges LACP Data Units (LACPDU) over the channel.

There are three LACP configuration modes that you can enable in the default partition of a NetScaler appliance:

1. Active. A port in active mode sends LACPDUs. Link aggregation is formed if the other end of the Ethernet link is in the LACP active or passive mode.
2. Passive. A port in passive mode sends LACPDUs only when it receives LACPDUs. The link aggregation is formed if the other end of the Ethernet link is in the LACP active mode.
3. Disable. Link aggregation is not formed.

Note: By default, the link aggregation is disabled in the default partition of the appliance.

LACP exchanges LACPDUs between devices connected by an Ethernet link. These devices are typically referred to as an actor or partner. An LACPDU contains the following parameters:

LACP Mode. Active, passive or disable.
LACP timeout. The waiting period before timing out the partner or actor. Possible values: Long and Short. Default: Long.
Port Key. Distinguishes between the different channels. When key is 1, LA/1 is created. When key is 2, LA/2 is created. Possible values: Integer from 1 through 8. 4 through 8 is for cluster CLAG.
Port Priority. Minimum value: 1. Maximum value: 65535. Default: 32768.
System Priority. Used along with the system MAC to form the system ID, which uniquely identifies the system during LACP negotiation with the partner. The system priority can be set from 1 through 65535. The default value is 32768.
Interface. Supports 8 interfaces per channel on NetScaler 10.1 appliance and supports 16 interfaces per channel on NetScaler 10.5 and 11.0 appliances.

After exchanging LACPDUs, the actor and partner negotiate the settings and decide whether to add the ports to the aggregation.

To configure and verify LACP on a NetScaler appliance by using the command line

1. Enable LACP on each interface. At the command prompt, type:

set interface -lacpMode PASSIVE -lacpKey 1

When you enable LACP on an interface, the channels are dynamically created. Additionally, when you enable LACP on an interface and set lacpKey to 1, the interface is automatically bound to channel LA/1.

Note: When you bind an interface to a channel, the channel parameters take precedence over the interface parameters, so the interface parameters are ignored. If a channel was created dynamically by LACP, you cannot perform add, bind, unbind, or remove operations on the channel. A channel dynamically created by LACP is automatically deleted when you disable


LACP on all interfaces of the channel.

2. Set the system priority. At the command prompt, type:

set lacp -sysPriority

3. Verify that LACP is working as expected.

show interface
show channel
show LACP

Note: In some versions of Cisco IOS, running the switchport trunk native vlan command causes the Cisco switch to tag LACP PDUs. This causes the LACP channel between the Cisco switch and the NetScaler appliance to fail. However, this issue does not affect the static link aggregation channels configured in the above procedure.


Jul 25, 2017

When upgrading NetScaler appliances in a high availability setup to software release 11.1, be sure to upgrade the secondary appliance first, and then upgrade the primary appliance.

Note: If you encounter any issues during the upgrade, roll back to version 11.0 for services managed by the NetScaler appliance.

Any customization within the partitioned appliance might cause an unexpected behavior during or after the upgrade process. This might lead to a configuration loss. Therefore, be sure to back up the running configuration of each admin partition and default partition before you begin the upgrade.

The deployment described here is applicable when you have untagged VLANs passing through the port interface and bound to admin partitions.

There are two ways of implementing this deployment on a partitioned appliance.

1. Tagging a few VLANs before deploying NetScaler 11.1
2. Enabling VLANs as "Shared" after deploying NetScaler 11.1

1. Before you begin the upgrade on the secondary appliance, make a few VLANs tagged members of the port interface. For example:

> bind partition p1 -vlan 10
> unbind vlan 10 -ifnum 1/2
 Done
> bind vlan 10 -ifnum 1/2 -tagged
 Done

2. Access the secondary NetScaler appliance by entering its NSIP address in an SSH utility, such as PuTTY, and use the nsroot credentials to log on to the appliance.
3. From the command line interface of the appliance, type the "save configuration" command to save the existing configuration.
4. Switch to the shell prompt.

login as: username
Using keyboard-interactive authentication.
Password:
Last login: Wed Jun 24 14:59:16 2015 from 10.252.252.65
Done
shell
Copyright (c) 1992-20

5. Run the following command to change to the default installation directory:

cd /var/nsinstall

6. Run the following command to create a temporary subdirectory of the nsinstall directory:

# mkdir x.xnsinstall

Note: The text x.x is used to name the NetScaler version for future configurations. For example, the directory for the installation files of NetScaler 11.1 will be called 11.1nsinstall.


7. Change to the x.xnsinstall directory.
8. Download the installation package and documentation bundle, such as "ns-x.0-xx.x-doc.tgz", to the temporary directory created in Step 4.
Note: Some builds do not have a documentation bundle. Installing the documentation is optional.
9. Click the Documentation tab from the GUI to access the documentation.
10. Before you run the install script, the files must be extracted and placed on the appliance. Use the following command to uncompress the bundle downloaded from the Citrix website.

tar -zxvf ns-x.0-xx.x-doc.tgz

where
z = The file is a "gzipped" file
x = Extract files
v = Print the file names as they are extracted one by one
f = Use the following tar archive for the operation

11. Run the following command to install the downloaded software.

# ./installns

Note: If the appliance does not have sufficient disk space to install the new kernel files, the installation process performs an automatic cleanup of the flash drive.
12. After the installation process is completed, you are prompted to restart the appliance. Press y to restart the appliance.
13. Upgrade the secondary appliance to release 11.1, and then perform a force failover to make the secondary appliance primary.

> force failover

14. Access the new secondary appliance (formerly the primary) by entering its NSIP address in an SSH utility, such as PuTTY, and use the nsroot credentials to log on to the appliance.
15. Repeat steps 3 through 13 to upgrade the current secondary appliance to release 11.1.
16. After the installation process is complete, you are prompted to restart the appliance. Press y to restart the appliance.
17. From the command line interface of the secondary appliance, type the following command to save the running configuration:

save config

18. Run the "save config" command to make the secondary appliance the primary appliance.
19. Run the "force failover" command to make the secondary appliance the primary appliance.
20. Verify the appliance is now the primary appliance.
21. After upgrading both the primary and secondary appliances, enable the tagged VLANs as "Shared".

This is a preferred choice as you will not encounter a configuration loss during upgrade.

This scenario is about untagged VLANs and how to enable them as shared for a VLAN deployment when moving from an earlier release to release 11.1. This is the least preferred scenario as it involves configuration loss during the software upgrade.

1. Follow steps 2 to 20 of the previous procedure to upgrade the secondary appliance with NetScaler 11.1 software.
2. After you have upgraded the software on the secondary appliance, VLAN bindings to partitions are lost, and the configuration depends on the VLAN inside the partition during the upgrade process.
3. Now enable the untagged VLANs of any port interface as "Shared", bind the "Shared" VLAN to the partitions, and configure the VLAN inside each partition.
Note: Make sure you first enable the untagged VLANs as shared before you bind them to a partition.

unbind partition p1 -vlan 10
 Done
set vlan 10 -sharing enabled
 Done
bind partition p1 -vlan 10
 Done

4. From the command line interface of the appliance, type the "save config" command to save the configuration in all the affected partitions and the default partition.
5. If the appliance is not a primary appliance, run the "force failover" command to perform a force failover to ensure that the appliance is a primary appliance.
6. Upgrade the new secondary (formerly the primary) appliance with NetScaler 11.1 software and reboot it to synchronize its configuration from the primary appliance.
7. From the command line interface of the primary appliance, type the "save config" command to save the configuration in the primary appliance.
8. If the appliance is not a primary appliance, run the "force failover" command to perform a force failover to ensure that the appliance is a primary appliance.
9. Verify that the appliance is a primary appliance.
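A pre-upgrade check for the condition both procedures address, added here as an example (it is not Citrix code). It replays CLI commands in the forms this page uses and lists VLANs that are bound to an admin partition, still have an untagged interface member, and are not shared; treating exactly that combination as "affected" is this example's reading of the page, and `apply_commands` and `vlans_at_risk` are hypothetical names.

```python
import shlex

# Flags that take a value; anything else (for example -tagged) is a switch.
VALUE_FLAGS = {"-ifnum", "-vlan", "-sharing"}

# Constructed configuration, written in the command forms used on this page.
SAMPLE = """\
bind vlan 10 -ifnum 1/2
bind vlan 20 -ifnum 1/3 -tagged
bind vlan 30 -ifnum 1/4
set vlan 30 -sharing enabled
bind vlan 40 -ifnum 1/5
bind partition p1 -vlan 10
bind partition p1 -vlan 20
bind partition p2 -vlan 30
"""


def apply_commands(text):
    """Replay commands in order and return (members, shared, bound)."""
    members = {}   # vlan id -> {interface: True if tagged}
    shared = set() # vlan ids with sharing enabled
    bound = {}     # vlan id -> set of partition names
    for line in text.splitlines():
        tokens = shlex.split(line.strip().lstrip(">").strip())
        if len(tokens) < 3:
            continue  # blank lines and "Done" responses
        verb, entity, name = tokens[0].lower(), tokens[1].lower(), tokens[2]
        opts, rest, i = {}, tokens[3:], 0
        while i < len(rest):
            flag = rest[i].lower()
            if flag in VALUE_FLAGS:
                if i + 1 < len(rest):
                    opts[flag] = rest[i + 1]
                i += 2
            else:
                opts[flag] = True
                i += 1
        if entity == "vlan" and "-ifnum" in opts:
            ports = members.setdefault(name, {})
            if verb == "bind":
                ports[opts["-ifnum"]] = "-tagged" in opts
            elif verb == "unbind":
                ports.pop(opts["-ifnum"], None)
        elif entity == "vlan" and verb in ("add", "set") and "-sharing" in opts:
            if opts["-sharing"].lower() == "enabled":
                shared.add(name)
            else:
                shared.discard(name)
        elif entity == "partition" and "-vlan" in opts:
            partitions = bound.setdefault(opts["-vlan"], set())
            if verb == "bind":
                partitions.add(name)
            elif verb == "unbind":
                partitions.discard(name)
    return members, shared, bound


def vlans_at_risk(text):
    """Return {vlan: {"partitions": [...], "untagged": [...]}} for affected VLANs."""
    members, shared, bound = apply_commands(text)
    risk = {}
    for vlan, partitions in bound.items():
        untagged = sorted(port for port, tagged in members.get(vlan, {}).items()
                          if not tagged)
        if partitions and untagged and vlan not in shared:
            risk[vlan] = {"partitions": sorted(partitions), "untagged": untagged}
    return risk


if __name__ == "__main__":
    for vlan, detail in vlans_at_risk(SAMPLE).items():
        print(f"VLAN {vlan}: untagged on {detail['untagged']}, "
              f"bound to {detail['partitions']}")
```

Appending either remediation sequence from this page (re-binding the interface with -tagged, or unbinding the partition, enabling sharing and binding again) clears the finding for VLAN 10.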


Jul 25, 2017

On a partitioned NetScaler appliance, for enhanced data security, you can configure audit logging in an administrative partition by using advanced policies. For example, you might want to view logs (states and status information) of a specific partition that has multiple users accessing different sets of features on the basis of their levels of authorization in the partition.

1. The audit logs generated from the partition will be stored as a single log file (/var/log/ns.log).
2. You must configure the audit log server's (syslog or nslog) subnet address as the source IP address in the partition for sending the audit-log messages.
3. The default partition uses the NetScaler IP (NSIP) as the source IP address for the audit log messages by default.
4. You can display the audit-log message by using the "show audit messages" command.

For information on audit-log configuration, see http://docs.citrix.com/en-us/netscaler/11-1/system/auditlogging/configuring-audit-logging.html

Complete the following tasks to configure audit logging in an administrative partition.

1. Configure partition subnet IP address. An IPv4 SNIP address of an administrative partition.
2. Configure audit-log (syslog and nslog) action. An Audit action is a collection of information that specifies the messages to be logged and how to log the messages on the external log server.
3. Configure audit-log (syslog and nslog) policies. Audit-log policies define log messages for the source partition to the syslog or nslog server.
4. Bind audit-log policy to sysGlobal and nsGlobal entity. You must bind an audit-log policy to a system global entity.
5. Review audit-log statistics. Display the audit-log statistics and evaluate the configuration.

To configure the partition's subnet IP address by using the command line interface

At the command prompt, type:

add ns ip

To configure a syslog action by using the command line interface

At the command prompt, type:


add audit syslogAction [-serverPort ] -logLevel [-dateFormat (MMDDYYYY

To configure an nslog action by using the command line interface

At the command prompt, type:

add audit nslogAction [-serverPort ] -logLevel [-dateFormat (MMDDYYYY

To configure syslog audit-log policies by using the command line interface

At the command prompt, type:

add audit syslogpolicy syslog-pol1 true audit-action1

To configure nslog audit-log policies by using the command line interface

At the command prompt, type:

add audit nslogpolicy nslog-pol1 true audit-action1

To bind audit-log policy to syslogGlobal entity by using the command line interface

bind audit syslogglobal -policyName -priority -globalBindType SYSTEM_GLOBAL


To bind audit-log policy to nslogGlobal entity by using the command line interface

At the command prompt, type:

bind audit nslogglobal -policyName -priority -globalBindType SYSTEM_GLOBAL

To display audit-log statistics by using the command line interface

At the command prompt, type:

stat audit -detail

add ns ip 10.102.1.1 255.255.255.0

add audit syslogAction syslog_action1 10.102.1.2 -logLevel INFORMATIONAL -dateFormat MMDDYYYY -transport UDP

add audit syslogpolicy syslog-pol1 true syslog_action1

bind audit syslogglobal -policyName syslog-pol1 -priority 1 -globalBindType SYSTEM_GLOBAL
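A check of the dependency chain in the sample above, added here as an example (it is not Citrix code): the log server should sit in the subnet of a SNIP configured in the partition, each policy must name an action that exists, and each policy must be bound globally. It assumes the partition's configuration is available as CLI commands in the forms this page uses, and it reads the page's source-IP requirement as "a SNIP in the log server's subnet"; `check_partition_audit_logging` is a hypothetical name.

```python
import ipaddress
import shlex

# The page's sample commands for one partition.
SAMPLE = """\
add ns ip 10.102.1.1 255.255.255.0
add audit syslogAction syslog_action1 10.102.1.2 -logLevel INFORMATIONAL -dateFormat MMDDYYYY -transport UDP
add audit syslogpolicy syslog-pol1 true syslog_action1
bind audit syslogglobal -policyName syslog-pol1 -priority 1 -globalBindType SYSTEM_GLOBAL
"""


def check_partition_audit_logging(text):
    """Return a sorted list of findings for a partition's audit-log setup."""
    subnets = []    # networks of the SNIPs configured in the partition
    actions = {}    # action name -> server address (None if not an IP literal)
    policies = {}   # policy name -> action name
    bound = set()   # policy names bound globally
    for line in text.splitlines():
        tokens = shlex.split(line.strip().lstrip(">").strip())
        key, args = " ".join(tokens[:3]).lower(), tokens[3:]
        if key == "add ns ip" and len(args) >= 2:
            # strict=False: the SNIP is a host address inside the network.
            subnets.append(ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
        elif key in ("add audit syslogaction", "add audit nslogaction") and len(args) >= 2:
            try:
                actions[args[0]] = ipaddress.ip_address(args[1])
            except ValueError:
                actions[args[0]] = None  # server given by name; subnet check skipped
        elif key in ("add audit syslogpolicy", "add audit nslogpolicy") and len(args) >= 3:
            policies[args[0]] = args[2]  # name, rule, action
        elif key in ("bind audit syslogglobal", "bind audit nslogglobal"):
            flags = {a.lower(): b for a, b in zip(args, args[1:]) if a.startswith("-")}
            if "-policyname" in flags:
                bound.add(flags["-policyname"])

    findings = []
    if not subnets:
        findings.append("no SNIP (add ns ip) is configured in the partition")
    for name, server in actions.items():
        if server is not None and subnets and not any(server in net for net in subnets):
            findings.append(
                f"action {name!r}: server {server} is outside every configured SNIP subnet")
    for name, action in policies.items():
        if action not in actions:
            findings.append(f"policy {name!r} refers to action {action!r}, which is not defined")
        if name not in bound:
            findings.append(f"policy {name!r} is not bound globally, so it is never evaluated")
    for name in bound - set(policies):
        findings.append(f"global binding names policy {name!r}, which is not defined")
    return sorted(findings)


if __name__ == "__main__":
    print(check_partition_audit_logging(SAMPLE) or "audit logging chain is complete")
```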

When the SYSLOG or NSLOG server collects log information from all partitions, it is stored as log messages in the ns.log file. The log messages contain the following information:

Partition Name.
The IP address.
A time stamp.


The message type.
The predefined log levels (Critical, Error, Notice, Warning, Informational, Debug, Alert, and Emergency).
The message information.


Jul 25, 2017

You configure a stream identifier to specify parameters for collecting statistical data from requests identified by a given selector. An identifier specifies the selector to be used, the statistics collection interval, the sample count, and the field on which the records are to be sorted. T he NetScaler appliance includes the following built-in stream identifiers for common use cases. All the built-in identifiers specify a sample count of 1 and an interval of 1 minute. Additionally, they sort the data on the REQUESTS attribute. T hey differ only in being associated with different built-in selectors. Each built-in identifier is associated with a built-in selector of the same name (for example, the built in identifier Top_URL is associated with the built-in selector Top_URL). Following are the built-in identifiers: Top_URL Top_CLIENTS Top_URL_CLIENTS_LBVSERVER Top_URL_CLIENTS_CSVSERVER Top_MSSQL_QUERY_DB_LBVSERVER Top_MYSQL_QUERY_DB_LBVSERVER For more information about the built-in selectors, see "Configuring a Selector." Note: T he maximum length for storing string results of selectors (for example, HT T P.REQ.URL) is 60 characters. If the string (for example, URL) is 1000 characters long, of which 50 characters are enough to uniquely identify a string, use an expression to extract only the required 50 characters. You cannot modify a built-in identifier's configuration. However, you can create an identifier with a configuration of your choice.

At the command prompt, type the following commands to configure a stream identifier and verify the configuration:

add stream identifier [-interval ] [-SampleCount ] [-sort ]
show stream identifier

> add stream identifier myidentifier Top_URL -interval 10 -sampleCount 100
 Done

1. Navigate to AppExpert > Action Analytics > Stream Identifiers.
2. In the details pane, do one of the following:
   - To create a stream identifier, click Add.
   - To modify a stream identifier, select the identifier, and then click Open.
3. In the Configure Stream Identifier dialog box, set one or more of the following parameters:
   - Name
   - Selector
   - Interval
   - Sample Count
   - Sort
4. Click Create or OK, and then click Close.
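The 60-character limit in the note above matters most when many long URLs share a prefix, because distinct URLs can then end up in one record. The following Python example is added here and is not Citrix code: it models per-value request counting sorted on REQUESTS, assumes that a longer string result keeps only its first 60 characters, and uses constructed URLs and a hypothetical `last_segment` extractor in place of a NetScaler expression.

```python
from collections import Counter, defaultdict

MAX_SELECTOR_STRING = 60  # storage limit for selector string results, per the note

# Constructed sample data: a 68-character path prefix shared by every URL.
SAMPLE_PREFIX = "/portal/tenants/constructed-example-tenant-0001/workspace/documents/"
SAMPLE_URLS = (
    [SAMPLE_PREFIX + "login"] * 5
    + [SAMPLE_PREFIX + "report"] * 2
    + [SAMPLE_PREFIX + "help"]
)


def stored_key(value, limit=MAX_SELECTOR_STRING):
    """Assumption: a string result longer than the limit keeps its first `limit` characters."""
    return value[:limit]


def last_segment(url):
    """Hypothetical extractor standing in for an expression that keeps only the
    part of the URL that distinguishes one record from another."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def top_records(urls, extract=None, limit=MAX_SELECTOR_STRING):
    """Count requests per stored selector value and sort on REQUESTS, highest first."""
    counts = Counter()
    for url in urls:
        value = extract(url) if extract else url
        counts[stored_key(value, limit)] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def find_collisions(urls, extract=None, limit=MAX_SELECTOR_STRING):
    """Map each stored key to the distinct original URLs that were merged into it."""
    merged = defaultdict(set)
    for url in urls:
        value = extract(url) if extract else url
        merged[stored_key(value, limit)].add(url)
    return {key: sorted(group) for key, group in merged.items() if len(group) > 1}


if __name__ == "__main__":
    # Without extraction, all three URLs collapse into a single record.
    print("raw selector value:", top_records(SAMPLE_URLS))
    print("merged URLs:", find_collisions(SAMPLE_URLS))
    # With extraction, each URL keeps its own request count.
    print("extracted value:", top_records(SAMPLE_URLS, extract=last_segment))
```

Running `find_collisions` over URLs taken from your own access logs shows, before you rely on the statistics, whether the selector expression needs an extraction step.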


Jul 25, 2017

After you verify that the AppExpert application configuration is working correctly, you can configure the application and the deployment settings to suit your requirements.

When you import an application template and deployment file, the system automatically populates the target application with the available configuration settings (such as application units, application unit rules, policies, persistence settings, load balancing methods, profiles, and traffic settings). In this application, you can configure deployment settings such as public endpoints, services, and service groups for each traffic subset. If you want the AppExpert application to manage a traffic subset that is not included in the template, you can either add an application unit for a traffic subset or modify the existing application unit. After you customize the configuration, you can also specify the order of evaluation for each traffic subset that the application manages.

Configuring an AppExpert application consists of the following steps:

1. Configuring Public Endpoints
2. Configuring Application Units
3. Specifying the Order of Evaluation
4. Viewing Application Configuration using Visualizer

Also, you can configure the policies that the template provided. If the AppExpert application template does not include policies for a particular NetScaler feature, such as Rewrite or application firewall, you can configure your own policies.


Jul 25, 2017

If you did not specify a public endpoint when importing an AppExpert application, you can specify public endpoints after you create the application. You can configure one public endpoint of type HTTP and one public endpoint of type HTTPS for your AppExpert application. If endpoints are already configured for the application, you can dissociate endpoints from the AppExpert application and delete any endpoints that you no longer need. Note that when you dissociate a public endpoint from the AppExpert application, the endpoint is automatically unbound from the associated application unit, but it is not deleted from the system.

1. Navigate to AppExpert > Applications.
2. In the details pane, right-click the application for which you want to configure public endpoints, and then click Configure Public Endpoints.
3. In the Choose Public Endpoints dialog box for the application, do one of the following:
   - If the endpoints you want are listed in the dialog box, click the corresponding check boxes.
   - If you want to specify all the public endpoints, click Activate All.
   - If you want to dissociate endpoints from the AppExpert application, clear the corresponding check boxes.
   - If you want to create a new public endpoint, click Add. Then, in the Create public endpoint dialog box, configure endpoint settings, and then click OK.
     In the Create public endpoint dialog box, you can specify only the name, IP address, port, and protocol for the endpoint. You can specify additional endpoint settings after you create the public endpoint. To specify additional endpoint settings, after you create the endpoint, in the Choose Public Endpoints dialog box, click the endpoint, and then click Open. Then, in the Configure Public Endpoint dialog box, provide additional settings, and then click OK. For more information about the parameters in the Create public endpoint and Configure Public Endpoint dialog boxes, see "Content Switching."
   - If you want to modify a public endpoint, click the endpoint, and then click Open. Then, in the Configure Public Endpoint dialog box, modify settings for the endpoint, and then click OK.
     For more information about the parameters in the Configure Public Endpoint dialog box, see "Content Switching."
4. Click Close.


Configuring Application Unit Rules

Jul 25, 2017

You might want to configure an application unit rule to include or exclude certain types of traffic. When you configure the rule, you can also define the syntax of the expression.

To configure an application unit rule

1. In the navigation pane of the NetScaler configuration utility, expand AppExpert, and then click Applications.
2. In the details pane, right-click the application unit for which you want to modify the rule, and then click Open.
3. In the Configure Application Unit dialog box, do the following:
   1. To specify the format of the new expression, do one of the following:
      - To specify that you want to configure a classic expression in the Rule box, click Classic Syntax.
      - To specify that you want to configure an advanced expression in the Rule box, click Default Syntax.
   2. In the Rule box, configure the expression.
4. Click OK.


Specifying the Order of Evaluation of Application Units

Jul 25, 2017

Application unit rules are evaluated in the order in which they are placed in the configuration utility. The rule that is configured for the topmost application unit is always evaluated first, followed by the rule that is configured for the second topmost application unit, and so on. The default application unit is always evaluated last.

When a request matches the rule that is configured for an application unit, the request is processed by that application unit, and no further matching is performed. Therefore, the order of evaluation of application units becomes an important factor if the traffic subsets for two or more application units overlap. If they overlap, you must specify the order in which an incoming request is matched against the application unit rules.

To specify the order of evaluation of application units

1. Navigate to AppExpert > Applications, select an application and click Edit. In the Application Unit section, click the Pencil icon and then hover the cursor over the check box to the left of the name of the application unit. Click the icon that appears next to the check box and hold down the mouse to drag the application up or down to a new location in the priority list.
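Because the first matching rule wins, a broad rule placed above a narrower one keeps the narrower application unit, and any policies configured for it, from ever seeing traffic. The following Python example is added here and is not Citrix code: it models first-match evaluation with the default unit last and reports overlapped units; the unit names, path-prefix rules, and sample requests are constructed assumptions.

```python
from collections import namedtuple

# A unit is a name plus a rule. Plain Python predicates stand in for the
# rule expressions configured on the appliance (assumption).
Unit = namedtuple("Unit", ["name", "rule"])
DEFAULT_UNIT = "default"  # always evaluated last; takes whatever is left over


def prefix_rule(prefix):
    """Hypothetical rule: match requests whose path starts with `prefix`."""
    return lambda path: path.startswith(prefix)


# Constructed units with overlapping traffic subsets: every /app/admin
# request also satisfies the broader /app rule.
SITE = Unit("site", prefix_rule("/app"))
ADMIN = Unit("admin", prefix_rule("/app/admin"))
API = Unit("api", prefix_rule("/api"))

BROAD_FIRST = [SITE, ADMIN, API]   # broad rule on top: admin is shadowed
NARROW_FIRST = [ADMIN, SITE, API]  # narrow rule on top: admin gets its traffic

# Constructed sample requests.
SAMPLE_PATHS = [
    "/app/index.html",
    "/app/admin/users",
    "/app/admin/settings",
    "/api/v1/items",
    "/favicon.ico",
]


def evaluate(units, path):
    """Return the unit that processes the request: first match wins, default last."""
    for unit in units:
        if unit.rule(path):
            return unit.name
    return DEFAULT_UNIT


def overlap_report(units, paths):
    """Per unit: requests its rule matches, requests it handles, and who took the rest."""
    report = {u.name: {"matches": 0, "handles": 0, "lost_to": set()} for u in units}
    for path in paths:
        winner = evaluate(units, path)
        for unit in units:
            if not unit.rule(path):
                continue
            entry = report[unit.name]
            entry["matches"] += 1
            if unit.name == winner:
                entry["handles"] += 1
            else:
                entry["lost_to"].add(winner)
    return report


def shadowed_units(units, paths):
    """Units whose rule matches sample traffic but that never get to process any of it."""
    report = overlap_report(units, paths)
    return [name for name, e in report.items() if e["matches"] > 0 and e["handles"] == 0]


if __name__ == "__main__":
    for label, order in (("broad first", BROAD_FIRST), ("narrow first", NARROW_FIRST)):
        print(label, "->", {p: evaluate(order, p) for p in SAMPLE_PATHS})
        print("  shadowed:", shadowed_units(order, SAMPLE_PATHS))
```

A unit that appears in the shadowed list for representative traffic should be moved above the unit named in its `lost_to` set.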


Configuring Persistency Groups for Application Units

Jul 25, 2017

You can configure a persistency group for the application units in an AppExpert application. In the context of an AppExpert application, a persistency group is a group of application units that you can treat as a single entity for the purpose of applying common persistence settings. When the application is exported to an application template file, the persistency group settings are included, and they are automatically applied to the application units when you import the AppExpert application.

To configure a persistency group for an application by using the configuration utility

1. Navigate to AppExpert > Applications.
2. In the Applications View dialog box, click the name of the application for whose application units you want to configure a persistency group, and then click Configure Persistency Groups.
3. In the Configure Persistency Groups dialog box, do one of the following:
   - To add a persistency group, click Add.
   - To modify a persistency group, click Open.
4. In the Create Persistency Group or Configure Persistency Group dialog box, set the following parameters:
   - Group Name*: Name of the persistency group. For the NetScaler appliance to recognize the persistency group as part of the application's configuration, the name of the AppExpert application must be included in the name of the persistency group, as a prefix. Therefore, by default, the appliance displays the prefix in the Group Name box, and you cannot remove that prefix. Enter a name of your choice after the prefix.
   - Persistence: Type of persistence for the virtual server. If you select SOURCEIP, in the IPv4 Netmask box, enter a network mask that specifies the number of bits that the appliance must consider when creating persistence sessions. If you select COOKIEINSERT, in the Cookie Domain and Cookie Name boxes, specify a domain attribute to send in the Set-Cookie directive, and a name for the cookie, respectively.
   - Timeout: Time period for which a persistence session is in effect.
   - Backup Persistence: Type of backup persistence for the group.
   - Backup Timeout: Time period, in minutes, for which backup persistence is in effect.
   - Application Units: To add an application unit to the persistency group, in the Available Application Units box, click the application unit, and then click Add. To remove an application unit from the persistency group, in the Configured Application Units box, click the application unit, and then click Remove.
5. Click OK.


Setting Up a Custom NetScaler Application

Jul 25, 2017

If an AppExpert application template is not available for the Web application that you want to manage through the NetScaler appliance, or if available AppExpert application templates do not suit your requirements, you can create an AppExpert application without a template.

To create an AppExpert application without a template, you must first create an application and application units. Then, you configure public endpoints, services, and service groups. Finally, you configure the policies that determine how application traffic is evaluated and processed.

After you create the application and application units and configure policies, you must verify the configuration and test it to make sure that it is working correctly, just as you would when you configure an application by using a prebuilt AppExpert application template. Then, you must monitor the application to make sure that the application and its entities are working correctly.

This document includes the following details:

- Creating an Application
- Creating Application Units
- Configuring Public Endpoints for an AppExpert Application
- Configuring Public Endpoints for an Application Unit
- Configuring Services and Service Groups for an AppExpert Application
- Configuring Services and Service Groups for an Application Unit
- Configuring Policies

Creating an Application

Updated: 2013-08-30

When you create an AppExpert application, the appliance creates a container to which you can add application units. The default application unit is not created until you create the first application unit.

To create an AppExpert application

1. Navigate to AppExpert > Applications.
2. In the details pane, right-click Applications, and then click Add.
3. In the Create Application dialog box, in Name, enter a name for the application, and then click OK.

Creating Application Units

Updated: 2013-08-30

For each subset of traffic associated with your web application, you must create an application unit.

To create an application unit for the AppExpert application

1. Navigate to AppExpert > Applications.
2. In the details pane, right-click the application for which you want to add an application unit, and then click Add.
3. Click Create.


Configuring Public Endpoints for an AppExpert Application

Updated: 2013-08-30

After you have created all the application units that you require, you must configure one or more public endpoints to enable clients to access the web application through the NetScaler appliance.

To configure public endpoints for an AppExpert application

1. Navigate to AppExpert > Applications.
2. In the details pane, right-click the application for which you want to configure public endpoints, and then click Configure Public Endpoints.
3. In the Choose Public Endpoints dialog box for the application, do one of the following:
   - If the endpoints you want are listed in the dialog box, click the corresponding check boxes.
   - If you want to specify all the public endpoints, click Activate All.
   - If you want to dissociate endpoints from the AppExpert application, clear the corresponding check boxes.
   - If you want to create a new public endpoint, click Add. Then, in the Create public endpoint dialog box, configure endpoint settings, and then click OK. In the Create public endpoint dialog box, you can specify only the name, IP address, port, and protocol for the endpoint. You can specify additional endpoint settings after you create the public endpoint. To specify additional endpoint settings, after you create the endpoint, in the Choose Public Endpoints dialog box, click the endpoint, and then click Open. Then, in the Configure Public Endpoint dialog box, provide additional settings, and then click OK. For more information about the parameters in the Create public endpoint and Configure Public Endpoint dialog boxes, see "Content Switching."
   - If you want to modify a public endpoint, click the endpoint, and then click Open. Then, in the Configure Public Endpoint dialog box, modify settings for the endpoint, and then click OK. For more information about the parameters in the Configure Public Endpoint dialog box, see "Content Switching."
4. Click Close.

Configuring Public Endpoints for an Application Unit

Updated: 2013-08-30

For an application unit, you specify public endpoints in the same way as you would specify public endpoints for an application that is created from an AppExpert application template. For more information about specifying a subset of the endpoints for an application unit, see "Configuring Endpoints for an Application Unit."

To configure endpoints for an application unit

1. Navigate to AppExpert > Applications.
2. In the details pane, right-click the application unit for which you want to specify public endpoints, and then click Configure Public Endpoints.
3. In the Choose Public Endpoints dialog box for the application unit, do one of the following:
   - If you are specifying endpoints for the application unit for the first time, clear the check boxes that correspond to the endpoints that you do not want to be bound to the application unit.
   - If you want to specify endpoints that are listed in the dialog box but not currently bound to the application unit, click the corresponding check boxes.
4. Click OK.

Configuring Services and Service Groups for an AppExpert Application

Updated: 2013-08-30

Services and service groups are available for application units only after you configure the services and service groups for the AppExpert application. Therefore, you must configure services and service groups for the AppExpert application before you configure the services for the application units. All the services and service groups that you configure for an AppExpert application must use the same protocol (either HTTP or HTTPS). The procedure for configuring services and service groups for an AppExpert application that is not created from a template is the same as that for an application created from a template.

To configure a service or service group for the AppExpert application

1. Navigate to AppExpert > Applications.
2. In the details pane, right-click the application for which you want to configure services or service groups, and then click Configure Backend Services.
3. In the Configure Backend Services dialog box, do one of the following:
   - To configure services, click the Services tab.
   - To configure service groups, click the Service Groups tab.
4. On the Service or Service Groups tab, do one of the following:
   - If the services or service groups that you want are listed on the tab, click the corresponding check boxes.
   - If you want to specify all the services or service groups, click Activate All.
   - If you want to create a new service or service group, click Add. Then, in the Create Service dialog box or Create Service Group dialog box, configure settings for the service or service group, respectively, and then click Create.
   - If you want to modify a service, click the service, and then click Open. Then, in the Configure Service dialog box or Create Service Group dialog box, configure settings for the service or service group, respectively, and then click OK.

For information about the settings in the Create Service, Configure Service, and Create Service Group dialog boxes, see "Load Balancing."

Configuring Services and Service Groups for an Application Unit

Updated: 2013-08-30

After you configure services and service groups, you must configure services and service groups for each application unit. However, this step is not necessary if each backend service hosts all the content associated with the web application. You configure services and service groups for an application unit if the content associated with the application unit is hosted on only a subset of the backend servers.

To configure services or service groups for an application unit

1. Navigate to AppExpert > Applications.
2. In the details pane, right-click the application unit for which you want to configure a service or service group, and then click Configure Backend Services.
3. In the Configure Backend Services dialog box, do one of the following:
   - To configure services, click the Services tab.
   - To configure service groups, click the Service Groups tab.
4. In the Services or Service Groups tab, do one of the following:
   - Clear the check boxes that correspond to the services or service groups that you do not want configured for the application unit. Make sure that the check boxes that correspond to the services or service groups that you want configured for the application unit are selected. Then, in the Weight column, specify the weight that you want to assign to each configured service.
   - To specify all services or service groups, click Activate All.
5. On the Method and Persistence and Advanced tabs, specify the desired parameters.
6. Click OK.

Configuring Policies

Updated: 2013-08-30

The procedures for configuring policies for an AppExpert application that is created without using a template are the same as those for an AppExpert application that was created from a template. For more information, see "Configuring Policies for Application Units."


Creating and Managing Template Files

Jul 25, 2017

After you set up an AppExpert application and customize it to suit your requirements, you can create a template from the configuration and then share the template with other administrators. Or, you can create a template and then import the template to other NetScaler appliances that require a similar AppExpert application configuration. This simplifies and expedites the process of setting up similar applications on other appliances.

AppExpert application template files can be exported either to the template directory on the NetScaler appliance or to a folder on your local computer. You can then upload and download the templates to and from the NetScaler appliance and rename the templates that are stored in the AppExpert application templates directory on your appliance.

This document includes the following information:
Exporting an AppExpert Application to a Template File
Uploading and Download Template Files
Understanding Netscaler Application Templates and Deployment Files
Deleting an Application Template


Jul 25, 2017

You can configure NetScaler Gateway authorization policies for AAA users and groups to access a resource.

1. In the navigation pane of the NetScaler configuration utility, expand AppExpert, and then click Access Gateway Applications.
2. In the details pane, in the Authorization column, click the icon for the application, file share, intranet subnet, or resource for which you want to configure authorization policies for AAA users and groups.
3. Do one of the following:
   - If the AAA user or group for which you want to configure permissions is already in the Groups/Users tree, drag the user or group from the Groups/Users tree to the Users or Groups node in the tree. Then, right-click the user or group and click Allow.
   - If the AAA user or group for which you want to configure permissions is not configured on the appliance, in the tree, right-click Users or Groups, and then click Add. In the Create AAA Group or Create AAA User dialog box, fill in the values, click Create, and then click Close. The user or group is created with the permission set to Allow. To change the permission setting, right-click the group or user, and then click the permission setting.
4. Click Close.


Jul 25, 2017

For certain types of requests, or when certain criteria are met during policy evaluation, you might want to stall policy evaluation briefly, retrieve information from a server, and then perform a specific action that depends on the information that is retrieved. At other times, when you receive certain types of requests, you might want to update a database or the content hosted on a Web server. HTTP callouts enable you to perform all these tasks.

An HTTP callout is an HTTP or HTTPS request that the NetScaler appliance generates and sends to an external application when certain criteria are met during policy evaluation. The information that is retrieved from the server can be analyzed by default syntax policy expressions, and an appropriate action can be performed. You can configure HTTP callouts for HTTP content switching, TCP content switching, rewrite, responder, and for the token-based method of load balancing.

Before you configure an HTTP callout, you must set up an application on the server to which the callout will be sent. The application, which is called the HTTP callout agent, must be configured to respond to the HTTP callout request with the required information. The HTTP callout agent can also be a Web server that serves the data for which the NetScaler appliance sends the callout. You must make sure that the format of the response to an HTTP callout does not change from one invocation to another.

After you set up the HTTP callout agent, you configure the HTTP callout on the NetScaler appliance. Finally, to invoke the callout, you include the callout in a default syntax policy in the appropriate NetScaler feature and then bind the policy to the bind point at which you want the policy to be evaluated. After you have configured the HTTP callout, you must verify the configuration to make sure that the callout is working correctly.
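The following added example (not Citrix code) sketches an HTTP callout agent whose response has the same shape on every invocation, including the error paths, which is where formats usually drift. The query parameter `ip`, the body format `verdict=<WORD>`, the deny list, and the listening port are all assumptions made for illustration.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: documentation address ranges, not real hosts.
DENIED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def verdict(query: str) -> str:
    """Map the callout's query string to one of three fixed words."""
    values = parse_qs(query).get("ip", [])
    if len(values) != 1:          # parameter missing or repeated
        return "ERROR"
    try:
        address = ipaddress.ip_address(values[0])
    except ValueError:            # not an IPv4 or IPv6 literal
        return "ERROR"
    denied = any(address in network for network in DENIED_NETWORKS)
    return "DENY" if denied else "ALLOW"


def callout_body(query: str) -> bytes:
    """Return the response body: always one line, 'verdict=<WORD>' plus LF."""
    return ("verdict=%s\n" % verdict(query)).encode("ascii")


class CalloutAgent(BaseHTTPRequestHandler):
    """Hypothetical agent; answers every request in the same plain-text format."""

    def _reply(self, status: int, body: bytes) -> None:
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply(200, callout_body(urlsplit(self.path).query))

    def send_error(self, code, message=None, explain=None):
        # The base class would send an HTML error page here. Keeping the
        # callout format means the expression that parses the response on
        # the appliance sees the same shape for bad requests too.
        self._reply(code, b"verdict=ERROR\n")


if __name__ == "__main__":
    # Assumed listening address; bind to the interface the appliance reaches.
    HTTPServer(("127.0.0.1", 8080), CalloutAgent).serve_forever()
```

Whether a policy treats `ERROR` like `DENY` or like `ALLOW` is a decision to make explicitly when you write the policy that consumes the callout result.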


Jul 25, 2017

The NetScaler appliance does not check for the validity of the HTTP callout request. Therefore, before you configure HTTP callouts, you must know the format of an HTTP request. You must also know the format of an HTTP response, because configuring an HTTP callout involves configuring expressions that evaluate the response from the HTTP callout agent. This document includes the following details:

- Format of an HTTP Request
- Format of an HTTP Response

An HTTP request contains a series of lines that each end with a carriage return and a line feed, represented as either <CR><LF> or \r\n. The first line of a request (the message line) contains the HTTP method and target. For example, a message line for a GET request contains the keyword GET and a string that represents the object that is to be fetched, as shown in the following example:

GET /mysite/mydirectory/index.html HTTP/1.1\r\n

The rest of the request contains HTTP headers, including a required Host header and, if applicable, a message body. The request ends with a blank line (an extra <CR><LF> or \r\n). Following is an example of a request:

GET /mysite/index.html HTTP/1.1\r\n
Host: 10.101.101.10\r\n
Accept: */*\r\n
\r\n

An HTTP response contains a status message, response HTTP headers, and the requested object or, if the requested object cannot be served, an error message. Following is an example of a response:

HTTP/1.1 200 OK\r\n
Content-Length: 55\r\n
Content-Type: text/html\r\n
Last-Modified: Wed, 12 Aug 1998 15:03:50 GMT\r\n
Accept-Ranges: bytes\r\n
ETag: "04f97692cbd1:377"\r\n
Date: Thu, 19 Jun 2008 19:29:07 GMT\r\n
\r\n
<55-character response>
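Because the appliance sends a callout request without validating it, linting the request you intend to configure, and the response your agent returns, catches format mistakes before they surface as undefined policy results. The following Python check is an added example, not Citrix code; the name lint_message and the sample messages are assumptions constructed for illustration.

```python
import re

CRLF = b"\r\n"
# Method tokens are case-sensitive and the request-target contains no whitespace.
REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]")
STATUS_LINE = re.compile(rb"HTTP/1\.[01] \d{3}(?: [^\r\n]*)?")
# Header name is a token immediately followed by ':' (no space before the colon).
HEADER_LINE = re.compile(rb"([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*([^\r\n]*?)[ \t]*")


def lint_message(raw: bytes, kind: str) -> list:
    """Return the problems found in a raw HTTP/1.x 'request' or 'response'."""
    problems = []
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        problems.append("headers are not terminated by a blank line (CRLF CRLF)")
    stripped = head.replace(CRLF, b"")
    if b"\n" in stripped or b"\r" in stripped:
        problems.append("line ending other than CRLF in the start line or headers")
        return problems  # lines cannot be split reliably past this point

    lines = head.split(CRLF)
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return problems + ["empty message"]

    pattern = REQUEST_LINE if kind == "request" else STATUS_LINE
    if not pattern.fullmatch(lines[0]):
        problems.append(f"malformed {kind} line: {lines[0]!r}")

    headers = {}
    for line in lines[1:]:
        match = HEADER_LINE.fullmatch(line)
        if not match:
            problems.append(f"malformed header line: {line!r}")
            continue
        headers.setdefault(match.group(1).lower(), []).append(match.group(2))

    if kind == "request" and len(headers.get(b"host", [])) != 1:
        problems.append("request must carry exactly one Host header")

    lengths = headers.get(b"content-length", [])
    if b"transfer-encoding" in headers:
        pass  # chunked framing is not checked by this example
    elif lengths:
        if len(set(lengths)) != 1 or not lengths[0].isdigit():
            problems.append("Content-Length is not a single decimal number")
        elif int(lengths[0]) != len(body):
            problems.append(
                f"Content-Length {int(lengths[0])} does not match body length {len(body)}"
            )
    elif body and kind == "request":
        problems.append("request body present without Content-Length")
    return problems


# Constructed samples. GOOD_REQUEST follows the request format described above.
GOOD_REQUEST = (b"GET /mysite/index.html HTTP/1.1\r\n"
                b"Host: 10.101.101.10\r\n"
                b"Accept: */*\r\n"
                b"\r\n")
# Wrong-case method and no Host header.
BAD_REQUEST = b"Get /mysite/index.html HTTP/1.1\r\nAccept: */*\r\n\r\n"
# Bare LF line endings, as produced by many text editors.
LF_REQUEST = b"GET /mysite/index.html HTTP/1.1\nHost: 10.101.101.10\n\n"
RESPONSE_HEAD = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Length: 55\r\n"
                 b"Content-Type: text/html\r\n"
                 b"\r\n")
GOOD_RESPONSE = RESPONSE_HEAD + b"A" * 55
SHORT_RESPONSE = RESPONSE_HEAD + b"A" * 54

if __name__ == "__main__":
    for name, raw, kind in [("good request", GOOD_REQUEST, "request"),
                            ("bad request", BAD_REQUEST, "request"),
                            ("LF request", LF_REQUEST, "request"),
                            ("good response", GOOD_RESPONSE, "response"),
                            ("short response", SHORT_RESPONSE, "response")]:
        print(name, "->", lint_message(raw, kind) or "ok")
```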


Jul 25, 2017

After you configure an HTTP callout, you invoke the callout by including the SYS.HTTP_CALLOUT(<name>) expression in a default syntax policy rule. In this expression, <name> is the name of the HTTP callout that you want to invoke.

You can use default syntax expression operators with the callout expression to process the response and then perform an appropriate action. The return type of the response from the HTTP callout agent determines the set of operators that you can use on the response. If the part of the response that you want to analyze is text, you can use a text operator to analyze the response. For example, you can use the CONTAINS() operator to check whether the specified portion of the response contains a particular string, as in the following example:

SYS.HTTP_CALLOUT(mycallout).contains("Good IP address")

If you use the preceding expression in a responder policy, you can configure an appropriate responder action. Similarly, if the part of the response that you want to evaluate is a number, you can use a numeric operator such as GT(int). If the response contains a Boolean value, you can use a Boolean operator.

Note: An HTTP callout can invoke itself recursively. HTTP callout recursion can be avoided by combining the HTTP callout expression with a default syntax expression that prevents recursion. For information about how you can avoid HTTP callout recursion, see "Avoiding HTTP Callout Recursion."

You can also cascade HTTP callouts by configuring policies that each invoke a callout after evaluating previously generated callouts. In this scenario, after one policy invokes a callout, when the NetScaler appliance is parsing the callout before sending the callout to the callout server, a second set of policies can evaluate the callout and invoke additional callouts, which can in turn be evaluated by a third set of policies, and so on. Such an implementation is described in the following example.

First, you could configure an HTTP callout called myCallout1, and then configure a responder policy, Pol1, to invoke myCallout1. Then, you could configure a second HTTP callout, myCallout2, and a responder policy, Pol2. You configure Pol2 to evaluate myCallout1 and invoke myCallout2. You bind both responder policies globally.

To avoid HTTP callout recursion, myCallout1 is configured with a unique custom HTTP header called "Request1." Pol1 is configured to avoid HTTP callout recursion by using the default syntax expression, HTTP.REQ.HEADER(\"Request1\").EQ(\"Callout Request\").NOT. Pol2 uses the same default syntax expression, but excludes the .NOT operator so that the policy evaluates myCallout1 when the NetScaler appliance is parsing it. Note that myCallout2 identifies its own unique header called "Request2," and Pol2 includes a default syntax expression to prevent myCallout2 from invoking itself recursively.

Example

> add policy httpCallout myCallout1
Done
> set policy httpCallout myCallout1 -IPAddress 10.102.3.95 -port 80 -returnType TEXT -hostExpr "\"10.102.3.95\"" -urlStemExpr "\"/cgi-bin/check_clnt_from_database.pl\"" -headers Request1("Callout Request") -parameters cip(CLIENT.IP.SRC) -resultExpr "HTTP.RES.BODY(100)"
Done
> add responder policy Pol1 "HTTP.REQ.HEADER(\"Request1\").EQ(\"Callout Request\").NOT && SYS.HTTP_CALLOUT(myCallout1).CONTAINS(\"IP Matched\")" RESET
Done
> bind responder global Pol1 100 END -type OVERRIDE
Done
> add policy httpCallout myCallout2
Done
> set policy httpCallout myCallout2 -IPAddress 10.102.3.96 -port 80 -returnType TEXT -hostExpr "\"10.102.3.96\"" -urlStemExpr "\"/cgi-bin/check_clnt_location_from_database.pl\"" -headers Request2("Callout Request") -parameters cip(CLIENT.IP.SRC) -resultExpr "HTTP.RES.BODY(200)"
Done
> add responder policy Pol2 "HTTP.REQ.HEADER(\"Request2\").EQ(\"Callout Request\").NOT && HTTP.REQ.HEADER(\"Request1\").EQ(\"Callout Request\") && SYS.HTTP_CALLOUT(myCallout2).CONTAINS(\"APAC\")" RESET
Done
> bind responder global Pol2 110 END -type OVERRIDE
Done


Jul 25, 2017

Spam filtering is the ability to dynamically block emails that are not from a known or trusted source or that have inappropriate content. Spam filtering requires an associated business logic that indicates that a particular kind of message is spam. When the NetScaler appliance processes Outlook Web Access (OWA) messages based on the HTTP protocol, HTTP callouts can be used to filter spam.

You can use HTTP callouts to extract any portion of the incoming message and check with an external callout server that has been configured with rules that are meant for determining whether a message is legitimate or spam. In case of spam email, for security reasons, the NetScaler appliance does not notify the sender that the email is marked as spam.

The following example conducts a very basic check for various listed keywords in the email subject. These checks can be more complex in a production environment.

To implement this configuration, you must perform the following tasks:

1. Enable the responder feature on the NetScaler appliance.
2. Create an HTTP callout on the NetScaler appliance and configure it with details about the external server and other required parameters.
3. Create a responder policy to analyze the response, and then bind the policy globally.
4. Create a callout agent on the remote server.

Updated: 2013-08-30

The responder feature must be enabled before it can be used on the NetScaler appliance.

1. Make sure that the responder license is installed.
2. In the configuration utility, expand AppExpert, right-click Responder, and then click Enable Responder feature.

Updated: 2013-08-30

Create an HTTP callout, HTTP-Callout-4, with the parameter settings shown in the following table. For more information about creating an HTTP callout, see "Configuring an HTTP Callout."

Table 1. Parameters and Values for HTTP-Callout-4

Parameter | Value
Name | HTTP-Callout-4
Server to receive callout request |
  IP Address | 10.103.56.51
  Port | 80
Request to send to the server |
  Method | POST
  Host Expression | fffffff
  URL Stem Expression | "/cgi-bin/Callout/spam_filter.pl"
Headers |
  Name | Request
  Value-expression | Callout Request
Parameters |
  Name | Subject
  Value-expression | ("\"" + HTTP.REQ.BODY(1000).AFTER_STR("urn:schemas:httpmail:subject=").BEFORE_STR("\n").TO_LOWER + "\"")
Server Response |
  Return Type | BOOL
  Expression to extract data from the response | HTTP.RES.BODY(100).CONTAINS(\"Matched\")

Updated: 2013-08-30

Create a responder action, Action-Responder-4. Create the action with the parameter settings shown in the following table.

Table 2. Parameters and Values for Action-Responder-4

Parameter | Value
Name | Action-Responder-4
Type | Respond with
Target | "\"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\nContent-Length: 0\r\nMS-WebStorage: 6.5.6944\r\nCache-Control: no-cache\r\n\r\n\""

1. Navigate to AppExpert > Responder > Actions.
2. In the details pane, click Add.
3. In the Create Responder Action dialog box, in Name, type Action-Responder-4.
4. In Type, click Respond with.
5. In Target, type:
   "\"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\nContent-Length: 0\r\nMS-WebStorage: 6.5.6944\r\nCache-Control: no-cache\r\n\r\n\""
6. Click Create, and then click Close.

Updated: 2013-08-30

Create a responder policy, Policy-Responder-4, that will check the request body and, if the body contains the word "subject," invoke the HTTP callout to verify the email. Create the policy with the parameter settings shown in the following table. While you can create a responder policy in the Policies subnode and then bind it globally by using the Responder Policy Manager, this demonstration uses the Responder Policy Manager to create the responder policy and bind it globally.

Table 3. Parameters and Values for Policy-Responder-4

Parameter | Value
Name | Policy-Responder-4
Action | Action-Responder-4
Undefined-Result-Action | -Global undefined-result action-
Expression | "HTTP.REQ.BODY(1000).CONTAINS(\"urn:schemas:httpmail:subject\") && SYS.HTTP_CALLOUT(HTTP-Callout-4)"

1. Navigate to AppExpert > Responder.
2. In the details pane, under Policy Manager, click Responder policy manager.
3. In the Responder Policy Manager dialog box, click Override Global.
4. Click Insert Policy, and then, in the Policy Name column, click New Policy.
5. In the Create Responder Policy dialog box, do the following:
   1. In Name, type Policy-Responder-4.
   2. In Action, click Action-Responder-4.
   3. In Undefined-Result Action, click Global undefined-result action.
   4. In the Expression text box, type:
      "HTTP.REQ.BODY(1000).CONTAINS(\"urn:schemas:httpmail:subject\") && SYS.HTTP_CALLOUT(HTTP-Callout-4)"
   5. Click Create, and then click Close.
6. Click Apply Changes, and then click Close.

You will now need to create an HTTP callout agent on the remote callout server. The HTTP callout agent receives callout requests from the NetScaler appliance and responds accordingly. The callout agent is a script that is different for each deployment and must be written with server specifications in mind, such as the type of database and the scripting language supported.

The following pseudo-code provides instructions for creating a callout agent that checks a list of words that are generally understood to indicate spam mails. The agent can be implemented in any programming language of your choice. The pseudo-code is to be used only as a guideline for developing the callout agent. You can build additional functionality into the program.

1. Accept the email subject provided by the NetScaler appliance.
2. Connect to the database that contains all the terms against which the email subject is checked.
3. Check the words in the email subject against the spam word list.
4. Format the response as required by the HTTP callout.
5. Send the response to the NetScaler appliance.
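One way to implement the five steps above, as an added Python example (not Citrix code). It assumes the callout's POST parameters arrive as a form-encoded body, uses an in-memory SQLite table with a constructed word list in place of the deployment's database, and listens on 127.0.0.1:8080; all function and class names are hypothetical.

```python
import sqlite3
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

MAX_BODY = 4096  # assumption: largest callout body the agent will read
SPAM_WORDS = ("lottery", "free money", "act now")  # constructed word list


def open_wordlist():
    """Step 2: connect to the term database (in-memory SQLite stand-in)."""
    db = sqlite3.connect(":memory:", check_same_thread=False)
    db.execute("CREATE TABLE spam_terms (term TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO spam_terms VALUES (?)", [(w,) for w in SPAM_WORDS])
    return db


def subject_from_body(body: bytes) -> str:
    """Step 1: extract the Subject parameter from the form-encoded POST body.

    The callout's value-expression wraps the subject in double quotes and
    lower-cases it; the agent strips the quotes and lower-cases again rather
    than trusting the sender to have done so.
    """
    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    subject = fields.get("Subject", [""])[0]
    return subject.strip().strip('"').lower()


def is_spam(db, subject: str) -> bool:
    """Step 3: parameterized lookup; the subject is never spliced into SQL."""
    row = db.execute(
        "SELECT 1 FROM spam_terms WHERE instr(?, term) > 0 LIMIT 1", (subject,)
    ).fetchone()
    return row is not None


def verdict_body(spam: bool) -> bytes:
    """Step 4: fixed-format body for HTTP.RES.BODY(100).CONTAINS("Matched").

    The clean verdict must not contain the substring "Matched" (so not
    "Not Matched"), or every message would evaluate as spam.
    """
    return b"Matched\n" if spam else b"Clean\n"


class CalloutAgent(BaseHTTPRequestHandler):
    db = open_wordlist()

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if length < 0 or length > MAX_BODY:
            self.send_error(400)  # the error body does not contain "Matched"
            return
        subject = subject_from_body(self.rfile.read(length))
        body = verdict_body(is_spam(self.db, subject))
        # Step 5: same status line, headers and body layout on every invocation.
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CalloutAgent).serve_forever()
```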


Jul 25, 2017

Policy expressions for string matching operations on a large set of string patterns tend to become long and complex. Resources consumed by the evaluation of such complex expressions are significant in terms of processing cycles, memory, and configuration size. You can create simpler, less resource-intensive expressions by using pattern matching.

Depending on the type of patterns that you want to match, you can use one of the following features to implement pattern matching:

- A pattern set is an array of indexed patterns used for string matching during default syntax policy evaluation. Example of a pattern set: imagetypes {svg, bmp, png, gif, tiff, jpg}.
- A data set is a specialized form of pattern set. It is an array of patterns of types number (integer), IPv4 address, or IPv6 address.

In many cases, you can use either pattern sets or data sets. However, in cases where you want specific matches for numerical data or IPv4 and IPv6 addresses, you must use data sets.

Note: Pattern sets and data sets can be used only in default syntax policies.

To use pattern sets or data sets, first create the pattern set or data set and bind patterns to it. Then, when you configure a policy for comparing a string in a packet, use an appropriate operator and pass the name of the pattern set or data set as an argument.


Jul 25, 2017

To configure a data set, you must specify the strings that are to serve as patterns, and assign a type (number, IPv4 address, or IPv6 address) to each pattern. You can manually assign a unique index value to each of these patterns, or you can allow the index values to be assigned automatically.

Note: Data sets are case sensitive (unless you specify the expression to ignore case). Therefore, the string pattern "product1," for example, is not the same as the string pattern "Product1."

The rules applied for index values of data sets are the same as those applied for pattern sets. For information about index values, see "Configuring a Pattern Set."

At the command prompt, do the following:

1. Create a data set.
   add policy dataset <name> <type>
   Example:
   > add policy dataset sampledataset ipv4
2. Bind patterns to the data set.
   bind policy dataset <name> <value> [-index <positive_integer>]
   Example:
   > bind policy dataset sampledataset 10.102.29.1 -index 1
   Note: Repeat this step for all the patterns you want to bind to the data set.
3. Verify the configuration.
   show policy dataset

Navigate to AppExpert > Data Sets, click Add and specify the relevant details.


Jul 25, 2017

Default syntax policy expressions that take pattern sets or data sets as an argument can be used to perform string matching operations. The usage is as follows:

<text>.<operator>("<name>")

where,

<text> is the expression that identifies a string in a packet. Example: HTTP.REQ.HEADER("Host").
<operator> is one of the operators described in the following table.

Table 1. Operators for pattern sets and data sets

Operator | Description
.CONTAINS_ANY() | Returns true if the target text contains one or more of the patterns defined in the specified pattern set or data set.
.SUBSTR_ANY() | Returns the first string that matches any pattern defined in the specified pattern set or data set.
.BEFORE_STR_ANY() | Returns the text that is present before the first occurrence of any of the patterns defined in the specified pattern set or data set.
.AFTER_STR_ANY() | Returns the text that is present after the first occurrence of any of the patterns defined in the specified pattern set or data set.
.EQUALS_ANY() | Returns true if the target text exactly matches any of the patterns defined in the specified pattern set or data set.
.ENDSWITH_ANY() | Returns true if the target text ends with any of the patterns that are defined in the specified pattern set or data set.
.STARTSWITH_ANY() | Returns true if the target text starts with any of the patterns that are defined in the specified pattern set or data set.
.STARTSWITH_INDEX() | Evaluates whether the target text starts with any of the patterns that are defined in the specified pattern set or data set. If a match is found, the index of the matching pattern is returned. Otherwise, 0 is returned.
.ENDSWITH_INDEX() | Evaluates whether the target text ends with any of the patterns that are defined in the specified pattern set or data set. If a match is found, the index of the matching pattern is returned. Otherwise, 0 is returned.
.CONTAINS_INDEX() | Evaluates whether the target text contains any of the patterns that are defined in the specified pattern set or data set. If a match is found, the index of the matching pattern is returned. Otherwise, 0 is returned.
.EQUALS_INDEX() | Evaluates whether the target text exactly matches any of the patterns that are defined in the specified pattern set or data set. If an exact match is found, the index of the pattern is returned. Otherwise, 0 is returned.

<name> is the name of the pattern set or data set.

For sample usage, see "Sample Usage."


Jul 25, 2017

Variables are named objects that store information in the form of tokens. These tokens are used within and across different transactions on the NetScaler appliance for internal computation and policy processing. The NetScaler appliance supports creation of variables of the following types:

- Singleton variables. Can have a single value of one of the following types: ulong and text(max-size). The ulong type is an unsigned 64-bit integer, the text type is a sequence of bytes, and max-size is the maximum number of bytes in the sequence.
- Map variables. Maps hold values associated with keys: each key-value pair is called a map entry. The key for each entry is unique within the map. Maps are specified as follows: map(key_type, value_type, max-values), where:
  - key_type is the data type of the key. It is of type text(max-size).
  - value_type is the data type of the values of the map. It can be of type ulong or text(max-size).
  - max-values is the maximum number of entries that the map can contain. It is of type ulong.

Values for these variables are set using assignments, which must be invoked on policy actions.

Note: Variables are not yet supported in a high-availability setup or in a cluster.

A map variable or a singleton variable can have a global scope. Alternatively, the scope of a singleton variable can be limited to a single transaction.

- Global Scope Variable - A variable with global scope (the default) has only one instance, and that instance has the same value(s) across all cores of a NetScaler appliance and across all nodes of a cluster or HA configuration. Global variable values exist until they are explicitly deleted, until they expire, or until a standalone appliance is restarted or all nodes of a cluster or HA configuration are restarted.
- Transaction Scope Variable - A variable with transaction scope has a separate instance, with its own value, for each transaction processed by the NetScaler appliance. When the transaction processing is complete, the transaction variable value is deleted.

Note: Transaction scope variables are available in NetScaler release 10.5.e or later.


Jul 25, 20 17

You must first create a variable and then assign a value or specify the operation that must be performed on the variable. After performing these operations, you can use the assignment as a policy action. Note: Once configured, a variable's settings cannot be modified or reset. If the variable needs to be changed, the variable and all references to the variable (expressions and assignments) must be deleted. T he variable can then be re-added with new settings, and the references (expressions and assignments) can be re-added.

1. Create a variable.

    add ns variable -type [-scope global] [-ifFull ( undef | lru )] [-ifValueTooBig ( undef | truncate )] [-ifNoValue ( undef | init )] [-init ] [-expires ] [-comment ]

Note: Refer to the man page "man add ns variable" for description of the command parameters.

Example 1: Create a ulong variable named "my_counter" and initialize it to 1.

    add ns variable my_counter -type ulong -init 1

Example 2: Create a map named "user_privilege_map". The map will contain keys of maximum length 15 characters and text values of maximum length 10 characters, with a maximum of 10000 entries.

    add ns variable user_privilege_map -type map(text(15),text(10),10000)

Note: If the map contains 10000 unexpired entries, assignments for new keys reuse one of the least recently used entries. By default, an expression trying to get a value for a non-existent key will initialize an empty text value.

2. Assign the value or specify the operation to be performed on the variable. This is done by creating an assignment.

    add ns assignment -variable [-set | -add | -sub | -append | -clear] [-comment ]

Note: A variable is referenced by using the variable selector ($). Therefore, $variable1 is used to refer to text or ulong variables. Similarly, $variable2[keyexpression] is used to refer to map variables.

Example 1: Define an assignment named "inc_my_counter" that automatically adds 1 to the "my_counter" variable.

    add ns assignment inc_my_counter -variable $my_counter -add 1

Example 2: Define an assignment named "set_user_privilege" that adds to the "user_privilege_map" variable an entry for the client's IP address with the value returned by the "get_user_privilege" HTTP callout.

    add ns assignment set_user_privilege -variable $user_privilege_map[client.ip.src.typecast_text_t] -set sys.http.callout(get_user_privilege)

Note: If an entry for that key already exists, the value will be replaced. Otherwise a new entry for the key and value will be added. Based on the previous declaration for user_privilege_map, if the map already has 10000 entries, one of the least recently used entries will be reused for the new key and value.

3. Invoke the variable assignment in a policy.

There are two functions that can operate on map variables.

$name.valueExists(key-expression). Returns true if there is a value in the map selected by the key-expression. Otherwise returns false. This function will update the expiration and LRU information if the map entry exists, but will not create a new map entry if the value does not exist.

$name.valueCount. Returns the number of values currently held by the variable. This is the number of entries in a map. For a singleton variable, this is 0 if the variable is uninitialized or 1 otherwise.

Example: Invoke the assignment named "set_user_privilege" with a compression policy.

    > add cmp policy set_user_privilege_pol -rule $user_privilege_map.valueExists(client.ip.src.typecast_text_t).not -resAction set_user_privilege
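
A small Python model of the map-variable behaviour described above (LRU reuse when the map is full, -set replacing an existing entry, valueExists refreshing but never creating an entry, valueCount), added here as an illustration; it is not NetScaler code. The class and function names, the three-entry limit and the sample addresses are constructed, and the model assumes that a read which initializes a missing key takes a slot the same way an assignment does.

```python
from collections import OrderedDict


class NsMapVariable:
    """Toy model of a map variable created with -ifFull lru and -ifNoValue init.

    Expiry (-expires) and the key/value length limits are not modelled.
    """

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self._entries = OrderedDict()  # least recently used entry first

    def _store(self, key, value):
        """Insert or replace; returns the key whose entry was reused, if any."""
        if key in self._entries:
            self._entries[key] = value  # existing key: value is replaced
            self._entries.move_to_end(key)
            return None
        reused = None
        if len(self._entries) >= self.max_entries:
            reused, _ = self._entries.popitem(last=False)  # -ifFull lru
        self._entries[key] = value
        return reused

    def set(self, key, value):
        """Model of an assignment with -set on $map[key]."""
        return self._store(key, value)

    def value_exists(self, key):
        """Model of $map.valueExists(key): refreshes LRU, never creates."""
        if key in self._entries:
            self._entries.move_to_end(key)
            return True
        return False

    def get(self, key):
        """Model of reading $map[key]; a missing key is initialized to "".

        Assumption: this initialization takes a slot the same way -set does.
        """
        if key in self._entries:
            self._entries.move_to_end(key)
        else:
            self._store(key, "")
        return self._entries[key]

    @property
    def value_count(self):
        """Model of $map.valueCount."""
        return len(self._entries)


def apply_policy(var, client_ip, callout):
    """Model of set_user_privilege_pol: the assignment runs only when the
    rule $map.valueExists(client ip).not is true. Returns True if it ran."""
    if var.value_exists(client_ip):
        return False
    var.set(client_ip, callout(client_ip))
    return True


def demo():
    callout_log = []

    def get_user_privilege(ip):  # constructed stand-in for the HTTP callout
        callout_log.append(ip)
        return "admin" if ip == "192.0.2.10" else "guest"

    m = NsMapVariable(max_entries=3)  # 3 instead of 10000 to keep it small
    fired = [apply_policy(m, ip, get_user_privilege)
             for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12",
                        "192.0.2.10",   # repeat: entry exists, LRU refreshed
                        "192.0.2.13",   # map full: entry for .11 is reused
                        "192.0.2.11")]  # .11 was dropped, callout runs again
    admin_still_cached = m.value_exists("192.0.2.10")
    probe = m.value_exists("198.51.100.7")  # lookup only, creates nothing
    count_after_probe = m.value_count
    read_missing = m.get("198.51.100.7")    # read initializes an empty value
    return {
        "fired": fired,
        "callouts": callout_log,
        "admin_still_cached": admin_still_cached,
        "probe": probe,
        "count_after_probe": count_after_probe,
        "read_missing": read_missing,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

When the map is smaller than the set of active clients, the callout runs again for every key whose entry was reused, which is the case the valueExists(...).not rule in the policy covers.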

1. Navigate to AppExpert > NS Variables, to create a variable.
2. Navigate to AppExpert > NS Assignments, to assign value(s) to the variable.
3. Navigate to the appropriate feature area where you want to configure the assignment as an action.


Jul 25, 2017

Classic policies evaluate basic characteristics of traffic and other data. For example, classic policies can identify whether an HTTP request or response contains a particular type of header or URL.

Default syntax policies can perform the same type of evaluations as classic policies. In addition, default syntax policies enable you to analyze more data (for example, the body of an HTTP request) and to configure more operations in the policy rule (for example, transforming data in the body of a request into an HTTP header).

In addition to assigning a policy an action or profile, you bind the policy to a particular point in the processing associated with the NetScaler features. The bind point is one factor that determines when the policy will be evaluated.

This document includes the following details:

Benefits of Using Default Syntax Policies
Basic Components of a Classic or Default Syntax Policy
How Different NetScaler Features Use Policies
About Actions and Profiles
About Policy Bindings
About Evaluation Order of Policies
Order of Evaluation Based on Traffic Flow

Default syntax policies use a powerful expression language that is built on a class-object model, and they offer several options that enhance your ability to configure the behavior of various NetScaler features. With default syntax policies, you can do the following:

Perform fine-grained analyses of network traffic from layers 2 through 7.
Evaluate any part of the header or body of an HTTP or HTTPS request or response.
Bind policies to the multiple bind points that the default syntax policy infrastructure supports at the default, override, and virtual server levels.
Use goto expressions to transfer control to other policies and bind points, as determined by the result of expression evaluation.
Use special tools such as pattern sets, policy labels, rate limit identifiers, and HTTP callouts, which enable you to configure policies effectively for complex use cases.

Additionally, the configuration utility extends robust graphical user interface support for default syntax policies and expressions and enables users who have limited knowledge of networking protocols to configure policies quickly and easily. The configuration utility also includes a policy evaluation feature for default syntax policies. You can use this feature to evaluate a default syntax policy and test its behavior before you commit it, thus reducing the risk of configuration errors.

Updated: 2013-09-02

Following are a few characteristics of both classic and default syntax policies:

Name. Each policy has a unique name.


Rule. The rule is a logical expression that enables the NetScaler feature to evaluate a piece of traffic or another object. For example, a rule can enable the NetScaler to determine whether an HTTP request originated from a particular IP address, or whether a Cache-Control header in an HTTP request has the value "No-Cache." Default syntax policies can use all of the expressions that are available in a classic policy, with the exception of classic expressions for the SSL VPN client. In addition, default syntax policies enable you to configure more complex expressions.

Bindings. To ensure that the NetScaler can invoke a policy when it is needed, you associate the policy, or bind it, to one or more bind points. You can bind a policy globally or to a virtual server. For more information, see "About Policy Bindings."

An associated action. An action is a separate entity from a policy. Policy evaluation ultimately results in the NetScaler performing an action. For example, a policy in the integrated cache can identify HTTP requests for .gif or .jpeg files. An action that you associate with this policy determines that the responses to these types of requests are served from the cache. For some features, you configure actions as part of a more complex set of instructions known as a profile. For more information, see "Order of Evaluation Based on Traffic Flow."

Updated: 2013-09-30

The NetScaler supports a variety of features that rely on policies for operation. The following table summarizes how the NetScaler features use policies.

Table 1. NetScaler Feature, Policy Type, and Policy Usage

| Feature Name | Policy Type | How You Use Policies in the Feature |
|---|---|---|
| System | Classic | For the Authentication function, policies contain authentication schemes for different authentication methods. For example, you can configure LDAP and certificate-based authentication schemes. You also configure policies in the Auditing function. |
| DNS | Default | To determine how to perform DNS resolution for requests. |
| SSL | Classic and Default | To determine when to apply an encryption function and add certificate information to clear text. To provide end-to-end security, after a message is decrypted, the SSL feature re-encrypts clear text and uses SSL to communicate with Web servers. |
| Compression | Classic and Default | To determine what type of traffic is compressed. |
| Integrated Caching | Default | To determine whether HTTP responses are cacheable. |
| Responder | Default | To configure the behavior of the Responder function. |
| Protection Features | Classic | To configure the behavior of the Filter, SureConnect, and Priority Queuing functions. |
| Content Switching | Classic and Default | To determine what server or group of servers is responsible for serving responses, based on characteristics of an incoming request. Request characteristics include device type, language, cookies, HTTP method, content type, and associated cache server. |
| AAA - Traffic Management | Classic. Exceptions: Traffic policies support only default syntax policies. Authorization policies support both classic and default syntax policies. | To check for client-side security before users log in and establish a session. Traffic policies, which determine whether single sign-on (SSO) is required, use only the default syntax. Authorization policies authorize users and groups that access intranet resources through the appliance. |
| Cache Redirection | Classic | To determine whether responses are served from a cache or from an origin server. |
| Rewrite | Default | To identify HTTP data that you want to modify before serving. The policies provide rules for modifying the data. For example, you can modify HTTP data to redirect a request to a new home page, or a new server, or a selected server based on the address of the incoming request, or you can modify the data to mask server information in a response for security purposes. The URL Transformer function identifies URLs in HTTP transactions and text files for the purpose of evaluating whether a URL should be transformed. |
| Application Firewall | Classic and Default | To identify characteristics of traffic and data that should or should not be admitted through the firewall. |
| NetScaler Gateway, Clientless Access function | Default | To define rewrite rules for general Web access using the NetScaler Gateway. |
| NetScaler Gateway | Classic | To determine how the NetScaler Gateway performs authentication, authorization, auditing, and other functions. |

Updated: 2013-09-30

Policies do not themselves take action on data. Policies provide read-only logic for evaluating traffic. To enable a feature to perform an operation based on a policy evaluation, you configure actions or profiles and associate them with policies.

Note: Actions and profiles are specific to particular features. For information about assigning actions and profiles to features, see the documentation for the individual features.

Actions are steps that the NetScaler takes, depending on the evaluation of the expression in the policy. For example, if an expression in a policy matches a particular source IP address in a request, the action that is associated with this policy determines whether the connection is permitted. The types of actions that the NetScaler can take are feature specific. For example, in Rewrite, actions can replace text in a request, change the destination URL for a request, and so on. In Integrated Caching, actions determine whether HTTP responses are served from the cache or an origin server. In some NetScaler features actions are predefined, and in others they are configurable. In some cases (for example, Rewrite), you configure the actions using the same types of expressions that you use to configure the associated policy rule.

Some NetScaler features enable you to associate profiles, or both actions and profiles, with a policy. A profile is a collection of settings that enable the feature to perform a complex function. For example, in the application firewall, a profile for XML data can perform multiple screening operations, such as examining the data for illegal XML syntax or evidence of SQL injection.

The following table summarizes the use of actions and profiles in different NetScaler features. The table is not exhaustive. For more information about specific uses of actions and profiles for a feature, see the documentation for the feature.


Table 2. Use of Actions and Profiles in Different NetScaler Features

| Feature | Use of an Action | Use of a Profile |
|---|---|---|
| Application firewall | Synonymous with a profile | All application firewall features use profiles to define complex behaviors, including pattern-based learning. You add these profiles to policies. |
| NetScaler Gateway | The following features of the NetScaler Gateway use actions: Pre-Authentication. Uses Allow and Deny actions. You add these actions to a profile. Authorization. Uses Allow and Deny actions. You add these actions to a policy. TCP Compression. Uses various actions. You add these actions to a policy. | The following features use a profile: Pre-Authentication, Session, Traffic, Clientless Access. After configuring the profiles, you add them to policies. |
| Rewrite | You configure URL rewrite actions and add them to a policy. | Not used. |
| Integrated Caching | You configure caching and invalidation actions within a policy | Not used. |
| AAA - Traffic Management | You select an authentication type, set an authorization action of ALLOW or DENY, or set auditing to SYSLOG or NSLOG. | You can configure session profiles with a default timeout and authorization action. |
| Protection Features | You configure actions within policies for the following functions: Filter, Compression, Responder, SureConnect | Not used. |
| SSL | You configure actions within SSL policies | Not used. |
| System | The action is implied. For the Authentication function, it is either Allow or Deny. For Auditing, it is Auditing On or Auditing Off. | Not used. |
| DNS | The action is implied. It is either Drop Packets or the location of a DNS server. | Not used. |
| SSL Offload | The action is implied. It is based on a policy that you associate with an SSL virtual server or a service. | Not used. |
| Compression | Determine the type of compression to apply to the data | Not used. |
| Content Switching | The action is implied. If a request matches the policy, the request is directed to the virtual server associated with the policy. | Not used. |
| Cache Redirection | The action is implied. If a request matches the policy, the request is directed to the origin server. | Not used. |

Updated: 2013-09-30

A policy is associated with, or bound to, an entity that enables the policy to be invoked. For example, you can bind a policy to request-time evaluation that applies to all virtual servers. A collection of policies that are bound to a particular bind point constitutes a policy bank. Following is an overview of different types of bind points for a policy:

Request time global. A policy can be available to all components in a feature at request time.

Response time global. A policy can be available to all components in a feature at response time.

Request time, virtual server-specific. A policy can be bound to request-time processing for a particular virtual server. For example, you can bind a request-time policy to a cache redirection virtual server to ensure that particular requests are forwarded to a load balancing virtual server for the cache, and other requests are sent to a load balancing virtual server for the origin.

Response time, virtual server-specific. A policy can also be bound to response-time processing for a particular virtual server.

User-defined policy label. For default syntax policies, you can configure custom groupings of policies (policy banks) by defining a policy label and collecting a set of related policies under the policy label.

Other bind points. The availability of additional bind points depends on the type of policy (classic or default syntax), and specifics of the relevant NetScaler feature. For example, classic policies that you configure for the NetScaler Gateway have user and group bind points.


For additional information about default syntax policy bindings, see "Binding Policies That Use the Default Syntax" and "Configuring a Policy Bank for a Virtual Server." For additional information about classic policy bindings, see "Configuring a Classic Policy."

For classic policies, policy groups and policies within a group are evaluated in a particular order, depending on the following:

The bind point for the policy, for example, whether the policy is bound to request-time processing for a virtual server or global response-time processing. For example, at request time, the NetScaler evaluates all request-time classic policies before evaluating any virtual server-specific policies.

The priority level for the policy. For each point in the evaluation process, a priority level that is assigned to a policy determines the order of evaluation relative to other policies that share the same bind point. For example, when the NetScaler evaluates a bank of request-time, virtual server-specific policies, it starts with the policy that is assigned to the lowest priority value. In classic policies, priority levels must be unique across all bind points.

For default syntax policies, as with classic policies, the NetScaler selects a grouping, or bank, of policies at a particular point in overall processing. Following is the order of evaluation of the basic groupings, or banks, of default syntax policies:

1. Request-time global override
2. Request-time, virtual server-specific (one bind point per virtual server)
3. Request-time global default
4. Response-time global override
5. Response-time virtual server-specific
6. Response-time global default

However, within any of the preceding banks of policies, the order of evaluation is more flexible than in classic policies. Within a policy bank, you can point to the next policy to be evaluated regardless of the priority level, and you can invoke policy banks that belong to other bind points and user-defined policy banks.

As traffic flows through the NetScaler and is processed by various features, each feature performs policy evaluation. Whenever a policy matches the traffic, the NetScaler stores the action and continues processing until the data is about to leave the NetScaler. At that point, the NetScaler typically applies all matching actions. Integrated Caching, which only applies a final Cache or NoCache action, is an exception.

Some policies affect the outcome of other policies. Following are examples:

If a response is served from the integrated cache, some other NetScaler features do not process the response or the request that initiated it.
If the Content Filtering feature prevents a response from being served, no subsequent features evaluate the response.
If the application firewall rejects an incoming request, no other features can process it.


Jul 25, 2017

The names of identifiers in the named expression, HTTP callout, pattern set, and rate limiting features must begin with an ASCII alphabetic character or an underscore (_). The remaining characters can be ASCII alphanumeric characters or underscores (_).

The names of these identifiers must not begin with the following reserved words:

The words ALT, TRUE, or FALSE or the Q or S one-character identifier.
The special-syntax indicator RE (for regular expressions) or XP (for XPath expressions).
Expression prefixes, which currently are the following: CLIENT, EXTEND, HTTP, SERVER, SYS, TARGET, TEXT, URL, MYSQL, MSSQL.

Additionally, the names of these identifiers cannot be the same as the names of enumeration constants used in the policy infrastructure. For example, the name of an identifier cannot be IGNORECASE, YEAR, or LATIN2_CZECH_CS (a MySQL character set).

Note: The NetScaler appliance performs a case-insensitive comparison of identifiers with these words and enumeration constants. For example, names of the identifiers cannot begin with TRUE, True, or true.


NetScaler Gateway

NetScaler SD-WAN T he page you are trying to view is not here. T he link might be misspelled or outdated. NetScaler Secure Web Gateway ShareFile Unidesk Some things to try: VDI-in-a-Box Go to Docs.citrix.com and search or navigate for the content XenAppClear and XenDesktop your browser cache and retry the link XenMobile Report the problem and we'll investigate XenServer Copy the address & use the F eedback link at the bottom of Docs.citrix.com to tell us about it Advanced Concepts Developer Legacy Documentation

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.1002

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.1003

 / AppDNA Citrix App Layering Citrix Cloud Citrix Receiver CloudBridge CloudPortal Services Manager NetScaler

Yikes! 404 ... We feel your pain.

NetScaler Gateway

NetScaler SD-WAN T he page you are trying to view is not here. T he link might be misspelled or outdated. NetScaler Secure Web Gateway ShareFile Unidesk Some things to try: VDI-in-a-Box Go to Docs.citrix.com and search or navigate for the content XenAppClear and XenDesktop your browser cache and retry the link XenMobile Report the problem and we'll investigate XenServer Copy the address & use the F eedback link at the bottom of Docs.citrix.com to tell us about it Advanced Concepts Developer Legacy Documentation

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.1004

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.1005

 / AppDNA Citrix App Layering Citrix Cloud Citrix Receiver CloudBridge CloudPortal Services Manager NetScaler

Yikes! 404 ... We feel your pain.

NetScaler Gateway

NetScaler SD-WAN T he page you are trying to view is not here. T he link might be misspelled or outdated. NetScaler Secure Web Gateway ShareFile Unidesk Some things to try: VDI-in-a-Box Go to Docs.citrix.com and search or navigate for the content XenAppClear and XenDesktop your browser cache and retry the link XenMobile Report the problem and we'll investigate XenServer Copy the address & use the F eedback link at the bottom of Docs.citrix.com to tell us about it Advanced Concepts Developer Legacy Documentation

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.1006

http://docs.citrix.com

© 1999-2017 Citrix Systems, Inc. All rights reserved.

p.1007

Jul 25, 2017

You can configure a default syntax expression that contains Boolean or arithmetic operators and multiple atomic operations. The following compound expression contains a Boolean AND:

    http.req.hostname.eq("mycompany.com") && http.req.method.eq(post)

The following expression adds the value of two targets, and compares the result to a third value:

    http.req.url.length + http.req.cookie.length <= 500

A compound expression can contain any number of logical and arithmetic operators. The following expression evaluates the length of an HTTP request on the basis of its URL and cookie, evaluates text in the header, and performs a Boolean AND on these two results:

    http.req.url.length + http.req.cookie.length <= 500 && http.req.header.contains("some text")

You can use parentheses to control the order of evaluation in a compound expression.

This document includes the following details:

Booleans in Compound Expressions
Parentheses in Compound Expressions
Compound Operations for Strings
Compound Operations for Numbers

You configure compound expressions with the following operators:

&&. This operator is a logical AND. For the expression to evaluate to TRUE, all components that are joined by the AND must evaluate to TRUE. Following is an example:

    http.req.url.hostname.eq("myHost") && http.req.header("myHeader").exists

||. This operator is a logical OR. If any component of the expression that is joined by the OR evaluates to TRUE, the entire expression is TRUE.

!. Performs a logical NOT on the expression.

In some cases, the NetScaler configuration utility offers AND, NOT, and OR operators in the Add Expression dialog box. However, these are of limited use. Citrix recommends that you use the operators &&, ||, and ! to configure compound expressions that use Boolean logic.

You can use parentheses to control the order of evaluation of an expression. The following is an example:

    http.req.url.contains("myCompany.com") || (http.req.url.hostname.eq("myHost") && http.req.header("myHeader").exists)


The following is another example:

    (http.req.header("Content-Type").exists && http.req.header("Content-Type").eq("text/html")) || (http.req.header("Transfer-Encoding").exists || http.req.header("Content-Length").exists)

The following table describes operators that you can use to configure compound operations on string data.

Table 1. String-Based Operations for Compound Default Syntax Expressions

All string operations

Operations that produce a string value

str + str: Concatenates the value of the expression on the left of the operator with the value on the right. Following is an example: http.req.hostname + http.req.url.protocol

str + num: Concatenates the value of the expression on the left of the operator with a numeric value on the right. Following is an example: http.req.hostname + http.req.url.content_length

num + str: Concatenates the numeric value of the expression on the left side of the operator with a string value on the right. Following is an example: http.req.url.content_length + http.req.url.hostname

str + ip: Concatenates the string value of the expression on the left side of the operator with an IP address value on the right. Following is an example: http.req.hostname + 10.00.000.00

ip + str: Concatenates the IP address value of the expression on the left of the operator with a string value on the right. Following is an example: client.ip.dst + http.req.url.hostname

str1 ALT str2: Uses the string1 or string2 value that is derived from the expression on either side of the operator, as long as neither of these expressions is a compound expression. Following is an example: http.req.hostname alt client.ip.src

Operations on strings that produce a result of TRUE or FALSE


str == str: Evaluates whether the strings on either side of the operator are the same. Following is an example: http.req.header("myheader") == http.res.header("myheader")

str <= str: Evaluates whether the string on the left side of the operator is the same as the string on the right, or precedes it alphabetically.

str >= str: Evaluates whether the string on the left side of the operator is the same as the string on the right, or follows it alphabetically.

str < str: Evaluates whether the string on the left side of the operator precedes the string on the right alphabetically.

str > str: Evaluates whether the string on the left side of the operator follows the string on the right alphabetically.

str !!= str: Evaluates whether the strings on either side of the operator are different.

Logical operations on strings

bool && bool: This operator is a logical AND. When evaluating the components of the compound expression, all components that are joined by the AND must evaluate to TRUE. Following is an example: http.req.method.eq(GET) && http.req.url.query.contains("viewReport && my_pagelabel")

bool || bool: This operator is a logical OR. When evaluating the components of the compound expression, if any component of the expression that is joined by the OR evaluates to TRUE, the entire expression is TRUE. Following is an example: http.req.url.contains(".js") || http.res.header("Content-Type").contains("javascript")

!bool: Performs a logical NOT on the expression.

Updated: 2013-09-02

You can configure compound numeric expressions. For example, the following expression returns a numeric value that is the sum of an HTTP header length and a URL length:


    http.req.header.length + http.req.url.length

The following tables describe operators that you can use to configure compound expressions for numeric data.

Table 2. Arithmetic Operations on Numbers

Operator: Description

num + num: Add the value of the expression on the left of the operator to the value of the expression on the right. Following is an example: http.req.content_length + http.req.url.length

num - num: Subtract the value of the expression on the right of the operator from the value of the expression on the left.

num * num: Multiply the value of the expression on the left of the operator with the value of the expression on the right. Following is an example: client.interface.rxthroughput * 9

num / num: Divide the value of the expression on the left of the operator by the value of the expression on the right.

num % num: Calculate the modulo, or the numeric remainder on a division of the value of the expression on the left of the operator by the value of the expression on the right. For example, the values "15 mod 4" equals 3, and "12 mod 4" equals 0.

~number: Returns a number after applying a bitwise logical negation of the number. The following example assumes that numeric.expression returns 12 (binary 1100): ~numeric.expression. The result of applying the ~ operator is -11 (a binary 1110011, 32 bits total with all ones to the left). Note that all returned values of less than 32 bits before applying the operator implicitly have zeros to the left to make them 32 bits wide.

number ^ number: Compares two bit patterns of equal length and performs an XOR operation on each pair of corresponding bits in each number argument, returning 1 if the bits are different, and 0 if they are the same. Returns a number after applying a bitwise XOR to the integer argument and the current number value. If the values in the bitwise comparison are the same, the returned value is a 0. The following example assumes that numeric.expression1 returns 12 (binary 1100) and numeric.expression2 returns 10 (binary 1010): numeric.expression1 ^ numeric.expression2. The result of applying the ^ operator to the entire expression is 6 (binary 0110). Note that all returned values of less than 32 bits before applying the operator implicitly have zeros to the left to make them 32 bits wide.

number | number: Returns a number after applying a bitwise OR to the number values. If either value in the bitwise comparison is a 1, the returned value is a 1. The following example assumes that numeric.expression1 returns 12 (binary 1100) and numeric.expression2 returns 10 (binary 1010): numeric.expression1 | numeric.expression2. The result of applying the | operator to the entire expression is 14 (binary 1110). Note that all returned values of less than 32 bits before applying the operator implicitly have zeros to the left to make them 32 bits wide.

number & number: Compares two bit patterns of equal length and performs a bitwise AND operation on each pair of corresponding bits, returning 1 if both of the bits contain a value of 1, and 0 if either bit is 0. The following example assumes that numeric.expression1 returns 12 (binary 1100) and numeric.expression2 returns 10 (binary 1010): numeric.expression1 & numeric.expression2. The whole expression evaluates to 8 (binary 1000). Note that all returned values of less than 32 bits before applying the operator implicitly have zeros to the left to make them 32 bits wide.

num << num: Returns a number after a bitwise left shift of the number value by the right-side number argument number of bits. Note that the number of bits shifted is integer modulo 32. The following example assumes that numeric.expression1 returns 12 (binary 1100) and numeric.expression2 returns 3: numeric.expression1 << numeric.expression2. The result of applying the LSHIFT operator is 96 (a binary 1100000). Note that all returned values of less than 32 bits before applying the operator implicitly have zeros to the left to make them 32 bits wide.

num >> num: Returns a number after a bitwise right shift of the number value by the integer argument number of bits. Note that the number of bits shifted is integer modulo 32. The following example assumes that numeric.expression1 returns 12 (binary 1100) and numeric.expression2 returns 3: numeric.expression1 >> numeric.expression2. The result of applying the RSHIFT operator is 1 (a binary 0001). Note that all returned values of less than 32 bits before applying the operator implicitly have zeros to the left to make them 32 bits wide.

Table 3. Numeric Operators That Produce a Result of TRUE or FALSE

Operator: Description

num == num: Determine if the value of the expression on the left of the operator is equal to the value of the expression on the right.

num != num: Determine if the value of the expression on the left of the operator is not equal to the value of the expression on the right.

num > num: Determine if the value of the expression on the left of the operator is greater than the value of the expression on the right.

num < num: Determine if the value of the expression on the left of the operator is less than the value of the expression on the right.

num >= num: Determine if the value of the expression on the left of the operator is greater than or equal to the value of the expression on the right.

num <= num: Determine if the value of the expression on the left of the operator is less than or equal to the value of the expression on the right.

The NetScaler policy infrastructure supports the following numeric data types:

Integer (32 bits)
Unsigned long (64 bits)
Double (64 bits)

Simple expressions can return all of these data types. Therefore, you can create compound expressions that use arithmetic operators and logical operators to evaluate or return values of these data types. Additionally, you can use all of these values in policy expressions. Literal constants of type unsigned long can be specified by appending the string ul to the number. Literal constants of type double contain a period (.), an exponent, or both.

In compound expressions, the following standard arithmetic and logical operators can be used for the double and unsigned long data types:


+, -, *, and /
%, ~, ^, &, |, <<, and >> (do not apply to double)
==, !=, >, <, >=, and <=

All of these operators have the same meaning as in the C programming language.

In all cases of mixed operations between operands of type integer, unsigned long, and double, type promotion is performed so that the operation can be performed on operands of the same type. A type of lower precedence is automatically promoted to the type of the operand with the highest precedence involved in the operation. The order of precedence (higher to lower) is as follows:

Double
Unsigned long
Integer

Therefore, an operation that returns a numeric result returns a result of the highest type involved in the operation. For example, if the operands are of type integer and unsigned long, the integer operand is automatically converted to type unsigned long.

This type conversion is performed even in simple expressions in which the type of data identified by the expression prefix does not match the type of data that is passed as the argument to the function. To illustrate such an example, in the operation HTTP.REQ.CONTENT_LENGTH.DIV(3ul), the integer returned by the prefix HTTP.REQ.CONTENT_LENGTH is automatically converted to unsigned long (the type of the data passed as the argument to the DIV() function), and an unsigned long division is performed. Similarly, the argument can be promoted in an expression. For example, HTTP.REQ.HEADER("myHeader").TYPECAST_DOUBLE_AT.DIV(5) promotes the integer 5 to type double and performs double-precision division.

The following table describes the arithmetic and Boolean functions that can be used with the integer, unsigned long, and double data types. For information about expressions for casting data of one type to data of another type, see "Typecasting Data."
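The promotion rules above, modelled as an added Python example (not NetScaler code, and not verified against an appliance): both operands are promoted to the highest-ranked type before a binary operator is applied. The names Num, literal, convert and evaluate are hypothetical; wraparound when a negative integer is promoted to unsigned long is an assumption drawn from the statement that the operators behave as in C, and the unary ~ operator is not modelled.

```python
from dataclasses import dataclass

# Precedence order given on the page: double > unsigned long > integer.
RANK = {"integer": 0, "unsigned long": 1, "double": 2}
U64 = 1 << 64
COMPARISONS = ("==", "!=", ">", "<", ">=", "<=")


def wrap32(n: int) -> int:
    """Reduce to a signed 32-bit two's-complement value (assumed C int)."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


@dataclass(frozen=True)
class Num:
    kind: str      # "integer", "unsigned long" or "double"
    value: object  # int for the two integer kinds, float for double


def literal(text: str) -> Num:
    """Classify a literal the way the page describes: an 'ul' suffix means
    unsigned long; a period or an exponent means double; otherwise integer."""
    if text.endswith("ul"):
        return Num("unsigned long", int(text[:-2]) % U64)
    if "." in text or "e" in text.lower():
        return Num("double", float(text))
    return Num("integer", wrap32(int(text)))


def convert(n: Num, kind: str) -> Num:
    """Promote n to kind (promotion only ever moves up the RANK order)."""
    if n.kind == kind:
        return n
    if kind == "unsigned long":
        return Num(kind, n.value % U64)  # assumption: negatives wrap as in C
    return Num(kind, float(n.value))


def evaluate(left: Num, op: str, right: Num):
    """Apply a binary operator after promoting both operands.
    Returns a bool for comparisons and a Num otherwise."""
    kind = max(left.kind, right.kind, key=RANK.get)
    a, b = convert(left, kind).value, convert(right, kind).value
    if op in COMPARISONS:
        return {"==": a == b, "!=": a != b, ">": a > b,
                "<": a < b, ">=": a >= b, "<=": a <= b}[op]
    if kind == "double":
        if op not in ("+", "-", "*", "/"):
            raise TypeError(f"operator {op} does not apply to double")
        return Num(kind, a / b if op == "/" else {"+": a + b, "-": a - b, "*": a * b}[op])
    if op in ("<<", ">>"):
        if kind != "integer":
            raise NotImplementedError("the page states the shift rule for 32-bit values only")
        count = b % 32  # the number of bits shifted is taken modulo 32
        raw = a << count if op == "<<" else a >> count
    elif op in ("/", "%"):
        quotient = abs(a) // abs(b)  # C integer division truncates toward zero
        if (a < 0) != (b < 0):
            quotient = -quotient
        raw = quotient if op == "/" else a - b * quotient
    else:
        raw = {"+": a + b, "-": a - b, "*": a * b,
               "^": a ^ b, "|": a | b, "&": a & b}[op]
    return Num(kind, wrap32(raw) if kind == "integer" else raw % U64)


if __name__ == "__main__":
    # Constructed inputs: the same subtraction with and without an 'ul' operand.
    for rhs in ("10", "10ul", "10.0"):
        diff = evaluate(literal("5"), "-", literal(rhs))
        print(f"5 - {rhs} -> {diff}; < 0 is {evaluate(diff, '<', literal('0'))}")
```

Under these rules, once one operand is unsigned long a subtraction cannot produce a negative result, so a `< 0` comparison on it never matches; this matters for length and threshold checks.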


Jul 25, 2017

The policy infrastructure on the Citrix® NetScaler® appliance supports the ASCII and UTF-8 character sets. The default character set is ASCII. If the traffic for which you are configuring an expression consists of only ASCII characters, you need not specify the character set in the expression. However, you must specify the character set in every simple expression that is meant for UTF-8 traffic.

To specify the UTF-8 character set in a simple expression, you must include the SET_CHAR_SET() function, with specified as UTF_8, as shown in the following examples:

    HTTP.REQ.BODY(10).SET_CHAR_SET(UTF_8).CONTAINS("ß")
    HTTP.RES.BODY(100).SET_CHAR_SET(UTF_8).BEFORE_STR("Bücher").AFTER_STR("Wörterbuch")

In an expression, the SET_CHAR_SET() function must be introduced at the point in the expression after which data processing must be carried out in the specified character set. For example, in the expression HTTP.REQ.BODY(1000).AFTER_REGEX(re/following example/).BEFORE_REGEX(re/In the preceding example/).CONTAINS_ANY("Greek_alphabet"), if the strings stored in the pattern set "Greek_alphabet" are in UTF-8, you must include the SET_CHAR_SET(UTF_8) function immediately before the CONTAINS_ANY("") function, as follows:

    HTTP.REQ.BODY(1000).AFTER_REGEX(re/following example/).BEFORE_REGEX(re/In the preceding example/).SET_CHAR_SET(UTF_8).CONTAINS_ANY("Greek_alphabet")

The SET_CHAR_SET() function sets the character set for all further processing (that is, for all subsequent functions) in the expression unless it is overridden later in the expression by another SET_CHAR_SET() function that changes the character set. Therefore, if all the functions in a given simple expression are intended for UTF-8, you can include the SET_CHAR_SET(UTF_8) function immediately after functions that identify text (for example, the HEADER("") or BODY() functions). In the second example that follows the first paragraph above, if the ASCII arguments passed to the AFTER_REGEX() and BEFORE_REGEX() functions are changed to UTF-8 strings, you can include the SET_CHAR_SET(UTF_8) function immediately after the BODY(1000) function, as follows:

    HTTP.REQ.BODY(1000).SET_CHAR_SET(UTF_8).AFTER_REGEX(re/Bücher/).BEFORE_REGEX(re/Wörterbuch/).CONTAINS_ANY("Greek_alphabet")

The UTF-8 character set is a superset of the ASCII character set, so expressions configured for the ASCII character set continue to work as expected if you change the character set to UTF-8.

In a compound expression, if one subset of expressions is configured to work with data in the ASCII character set and the rest of the expressions are configured to work with data in the UTF-8 character set, the character set specified for each individual expression is considered when the expressions are evaluated individually. However, when processing the compound expression, just before processing the operators, the appliance promotes the character set of the returned ASCII values to UTF-8. For example, in the following compound expression, the first simple expression evaluates data in the ASCII character set while the second simple expression evaluates data in the UTF-8 character set:

    HTTP.REQ.HEADER("MyHeader") == HTTP.REQ.BODY(10).SET_CHAR_SET(UTF_8)

However, when processing the compound expression, just before evaluating the "is equal to" Boolean operator, the NetScaler appliance promotes the character set of the value returned by HTTP.REQ.HEADER("MyHeader") to UTF-8.

The first simple expression in the following example evaluates data in the ASCII character set. However, when the NetScaler appliance processes the compound expression, just before concatenating the results of the two simple expressions, the appliance promotes the character set of the value returned by HTTP.REQ.BODY(10) to UTF-8.

    HTTP.REQ.BODY(10) + HTTP.REQ.HEADER("MyHeader").SET_CHAR_SET(UTF_8)

Consequently, the compound expression returns data in the UTF-8 character set.

You can set the character set to UTF-8 on the basis of traffic characteristics. If you are not sure whether the character set of the traffic being evaluated is UTF-8, you can configure a compound expression in which the first expression checks for UTF-8 traffic and subsequent expressions set the character set to UTF-8. Following is an example of a compound expression that first checks the value of "charset" in the request's Content-Type header for "UTF-8" before checking whether the first 1000 bytes in the request contain the UTF-8 string Bücher:

    HTTP.REQ.HEADER("Content-Type").SET_TEXT_MODE(IGNORECASE).TYPECAST_NVLIST_T('=', '; ', '"').VALUE("charset").EQ("UTF-8") && HTTP.REQ.BODY(1000).SET_CHAR_SET(UTF_8).CONTAINS("Bücher")

If you are sure that the character set of the traffic being evaluated is UTF-8, the second expression in the example is sufficient.


During expression evaluation, even if the current character set is ASCII, character literals and string literals, which are enclosed in single quotation marks ('') and quotation marks (""), respectively, are considered to be literals in the UTF-8 character set. In a given expression, if a function is operating on character or string literals in the ASCII character set and you include a non-ASCII character in the literal, an error is returned.

When configuring an expression, you can enter values in octal and hexadecimal formats. However, each hexadecimal or octal byte is considered a UTF-8 byte. Invalid UTF-8 bytes result in errors regardless of whether the value is entered manually or pasted from the clipboard. For example, "\xce\x20" is an invalid UTF-8 character because "c8" cannot be followed by "20" (each byte in a multi-byte UTF-8 string must have the high bit set). Another example of an invalid UTF-8 character is "\xce \xa9," since the hexadecimal characters are separated by a white-space character.
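The two literal rules above (literals are always read as UTF-8, and every escaped byte must form valid UTF-8) can be checked before a literal is placed in a policy. The following is an added Python example, not Citrix code: it expands \xNN and octal escapes to bytes, validates the result as UTF-8, and reports whether the literal contains non-ASCII characters and therefore cannot be used by a function operating in the ASCII character set. The function names are hypothetical, and reading an octal escape as a backslash followed by exactly three octal digits is an assumption.

```python
import re

# One escaped byte: \xNN (two hex digits) or \NNN (three octal digits; the
# three-digit octal form is an assumption of this example).
_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\([0-7]{3})")


def literal_to_bytes(literal: str) -> bytes:
    """Expand escapes in an expression literal to the bytes they denote.
    Text outside escapes is encoded as UTF-8, since literals are always
    treated as UTF-8 during expression evaluation."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(literal):
        out += literal[pos:m.start()].encode("utf-8")
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            value = int(m.group(2), 8)
            if value > 0xFF:
                raise ValueError(f"octal escape {m.group(0)} does not fit in one byte")
            out.append(value)
        pos = m.end()
    out += literal[pos:].encode("utf-8")
    return bytes(out)


def check_literal(literal: str):
    """Return (ok, detail): the decoded text when the bytes are valid UTF-8,
    otherwise the reason and offset of the first invalid byte."""
    try:
        raw = literal_to_bytes(literal)
    except ValueError as exc:
        return False, str(exc)
    try:
        return True, raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        bad = raw[exc.start:exc.end].hex()
        return False, f"invalid UTF-8 at byte offset {exc.start} (0x{bad}): {exc.reason}"


def needs_utf8_charset(literal: str) -> bool:
    """True when a valid literal holds non-ASCII characters, so the function
    that consumes it must be evaluated after SET_CHAR_SET(UTF_8)."""
    ok, detail = check_literal(literal)
    if not ok:
        raise ValueError(detail)
    return any(ord(ch) > 0x7F for ch in detail)


if __name__ == "__main__":
    # Constructed samples; the first two are the invalid literals quoted above.
    for sample in (r"\xce\x20", r"\xce \xa9", r"\xce\xa9", r"\302\251", "Bücher", "abc"):
        print(repr(sample), check_literal(sample))
```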

Only the .XPATH and .XPATH_JSON functions always return UTF-8 strings. The following MYSQL routines determine at runtime which character set to return, depending on the data in the protocol:

MYSQL_CLIENT_T.USER
MYSQL_CLIENT_T.DATABASE
MYSQL_REQ_QUERY_T.COMMAND
MYSQL_REQ_QUERY_T.TEXT
MYSQL_REQ_QUERY_T.TEXT()
MYSQL_RES_ERROR_T.SQLSTATE
MYSQL_RES_ERROR_T.MESSAGE
MYSQL_RES_FIELD_T.CATALOG
MYSQL_RES_FIELD_T.DB
MYSQL_RES_FIELD_T.TABLE
MYSQL_RES_FIELD_T.ORIGINAL_TABLE
MYSQL_RES_FIELD_T.NAME
MYSQL_RES_FIELD_T.ORIGINAL_NAME
MYSQL_RES_OK_T.MESSAGE
MYSQL_RES_ROW_T.TEXT_ELEM()

When you set up a connection to the NetScaler appliance by using a terminal connection (by using PuTTY, for example), you must set the character set for transmission of data to UTF-8.


Jul 25, 2017

You can configure a default syntax expression of up to 1,499 characters in a policy. The user interface for default syntax expressions depends to some extent on the feature for which you are configuring the expression, and on whether you are configuring an expression for a policy or for another use.

When configuring expressions on the command line, you delimit the expression by using quotation marks ("..." or '...'). Within an expression, you escape additional quotation marks by using a backslash (\). For example, the following are standard methods for escaping quotation marks in an expression:

    "\"abc\""
    '\"abc\"'

You must also use a backslash to escape question marks and other backslashes on the command line. For example, the expression http.req.url.contains("\?") requires a backslash so that the question mark is parsed. Note that the backslash character will not appear on the command line after you type the question mark. On the other hand, if you escape a backslash (for example, in the expression 'http.req.url.contains("\\\\http")'), the escape characters are echoed on the command line.

To make an entry more readable, you can escape the quotation marks for an entire expression. At the start of the expression you enter the escape sequence "q" plus one of the following special characters: /{<|~$^+=&%@`?. You enter only the special character at the end of the expression, as follows:

    q@http.req.url.contains("sometext") && http.req.cookie.exists@
    q~http.req.url.contains("sometext") && http.req.cookie.exists~

Note that an expression that uses the { delimiter is closed with }.

For some features (for example, Integrated Caching and Responder), the policy configuration dialog box provides a secondary dialog box for configuring expressions. This dialog enables you to choose from drop-down lists that show the available choices at each point during expression configuration. You cannot use arithmetic operators when using these configuration dialogs, but most other default syntax expression features are available. To use arithmetic operators, write your expressions in free-form format.
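One way to apply the q-delimiter form above when policy commands are generated by a script, as an added Python example that is not Citrix tooling: it picks a delimiter that does not occur in the expression, closes { with }, and enforces the 1,499-character limit. The function names are hypothetical; the example assumes the limit counts the characters of the expression itself, and it leaves out the < delimiter because the page states a closing character only for {.

```python
# Delimiters listed on the page for the q-prefix form, minus '<' (see lead-in).
Q_DELIMITERS = "/{|~$^+=&%@`?"
MAX_EXPRESSION_CHARS = 1499  # limit stated on the page


def _closer(opener: str) -> str:
    """The page states that '{' is closed with '}'; other delimiters repeat."""
    return "}" if opener == "{" else opener


def q_quote(expression: str) -> str:
    """Wrap an expression as q<delim>...<delim>, choosing the first delimiter
    whose opening and closing characters do not occur in the expression."""
    if len(expression) > MAX_EXPRESSION_CHARS:
        raise ValueError(
            f"expression is {len(expression)} characters; limit is {MAX_EXPRESSION_CHARS}")
    for opener in Q_DELIMITERS:
        closer = _closer(opener)
        if opener not in expression and closer not in expression:
            return f"q{opener}{expression}{closer}"
    raise ValueError("every q-delimiter occurs in the expression; use backslash escaping")


def q_unquote(quoted: str) -> str:
    """Inverse of q_quote, used to confirm the wrapped text round-trips unchanged."""
    if len(quoted) < 3 or quoted[0] != "q" or quoted[1] not in Q_DELIMITERS:
        raise ValueError("not a q-delimited expression")
    opener, closer = quoted[1], _closer(quoted[1])
    if quoted[-1] != closer:
        raise ValueError(f"expected closing {closer!r}")
    body = quoted[2:-1]
    if opener in body or closer in body:
        raise ValueError("delimiter occurs inside the expression")
    return body


if __name__ == "__main__":
    # Constructed sample expressions built from functions shown on the page.
    for expr in ('http.req.url.contains("sometext") && http.req.cookie.exists',
                 'http.req.url.contains("/admin/")'):
        print(q_quote(expr))
```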

At the command prompt, type the following commands to configure a default syntax rule and verify the configuration:

1. add cache|dns|rewrite|cs policy policyName -rule expression featureSpecificParameters -action
2. show cache|dns|rewrite|cs policy policyName

Following is an example of configuring a caching policy:

Example

    > add cache policy pol-cache -rule http.req.content_length.le(5) -action INVAL
    Done
    > show cache policy pol-cache
    Name: pol-cache
    Rule: http.req.content_length.le(5)
    CacheAction: INVAL
    Invalidate groups: DEFAULT
    UndefAction: Use Global
    Hits: 0
    Undef Hits: 0
    Done

1. In the navigation pane, click the name of the feature where you want to configure a policy, for example, you can select Integrated Caching, Responder, DNS, Rewrite, or Content Switching, and then click Policies.
2. Click Add.
3. For most features, click in the Expression field. For Content Switching, click Configure.
4. Click the Prefix icon (the house) and select the first expression prefix from the drop-down list. For example, in Responder, the options are HTTP, SYS, and CLIENT. The next set of applicable options appear in a drop-down list.
5. Double-click the next option to select it, and then type a period (.). Again, a set of applicable options appears in another drop-down list.
6. Continue selecting options until an entry field (signalled by parentheses) appears. When you see an entry field, enter an appropriate value in the parentheses. For example, if you select GT (int) (greater-than, integer format), you specify an integer in the parentheses. Text strings are delimited by quotation marks. Following is an example:

    HTTP.REQ.BODY(1000).BETWEEN("this","that")

7. To insert an operator between two parts of a compound expression, click the Operators icon (the sigma), and select the operator type. Following is an example of a configured expression with a Boolean OR (signalled by double vertical bars, ||):

    HTTP.REQ.URL.EQ("www.mycompany.com")||HTTP.REQ.BODY(1000).BETWEEN("this","that")

8. To insert a named expression, click the down arrow next to the Add icon (the plus sign) and select a named expression.
9. To configure an expression using drop-down menus, and to insert built-in expressions, click the Add icon (the plus sign). The Add Expression dialog box works in a similar way to the main dialog box, but it provides drop-down lists for selecting options, and it provides text fields for data entry instead of parentheses. This dialog box also provides a Frequently Used Expressions drop-down list that inserts commonly used expressions. When you are done adding the expression, click OK.
10. When finished, click Create. A message in the status bar indicates that the policy expression is configured successfully.

1. In the navigation pane, click the name of the feature for which you want to configure a policy (for example, you can select Integrated Caching, Responder, DNS, Rewrite, or Content Switching), and then click Policies.
2. Select a policy and click Open.
3. To test the expression, click the Evaluate icon (the check mark).
4. In the expression evaluator dialog box, select the Flow Type that matches the expression.
5. In the HTTP Request Data or HTTP Response Data field, paste the HTTP request or response that you want to parse with the expression, and click Evaluate. Note that you must supply a complete HTTP request or response, and the header and body should be separated by a blank line. Some programs that trap HTTP headers do not also trap the response. If you are copying and pasting only the header, insert a blank line at the end of the header to form a complete HTTP request or response.

6. Click Close to close this dialog box.

WEEKDAY_STRING_SHORT

WEEKDAY_STRING

UNDEF

.WEEKDAY_STRING_SHORT

SYS.TIME.WEEKDAY.WEEKDAY_STRING_SHORT WEEKDAY

Sun Sat

.WEEKDAY_STRING SYS.TIME.WEEKDAY.WEEKDAY_STRING Sunday

WEEKDAY

Saturday

SYS.VSERVER(" ")
THROUGHPUT
SYS.VSERVER("vserver").THROUGHPUT
CONNECTIONS
SYS.VSERVER("vserver").CONNECTIONS
STATE

UP DOWN

OUT_OF_SERVICE

EQ() TRUE

FALSE

SYS.VSERVER("vserver").STATE
HEALTH

UP

SYS.VSERVER("vserver").HEALTH
RESPTIME
SYS.VSERVER("vserver").RESPTIME
SURGECOUNT
SYS.VSERVER("vserver").SURGECOUNT

LBvserver
add rewrite policy norewrite_pol sys.vserver("LBvserver").connections.gt(10000) norewrite

TP LBvserver
add rewrite action tp_header insert_http_header TP SYS.VSERVER("LBvserver").THROUGHPUT

add audit messageaction log_vserver_resptime_act INFORMATIONAL "\"NS Response Time to Servers:\" + sys.vserver(\"ssllb\").resptime + \" millisec\"" -logtoNewnslog YES -bypassSafetyCheck YES

http.req.header(““) exists

http.req.header("myHeader").exists

(http.req.header("Content-Type").exists && http.req.header("Content-Type").eq("text/html")) || (http.req.header("Transfer-Encoding").exists) || (http.req.header("Content-Length").exists)

http.res.body(1024).after_str("start_string").before_str("end_string").contains("https")

PROTOCOL CLIENT.IP.PROTOCOL.EQ(6) CLIENT.IP.PROTOCOL.EQ(6)

6 CLIENT.IP.PROTOCOL.EQ(TCP)

PROTOCOL

TCP

UDP

ICMP

AH

ESP

GRE

IPIP

ICMPv6

FRAGMENT

EQ()

NE()

CLIENT.IP.PROTOCOL.EQ(TCP)

ANY

CLIENT.IP.PROTOCOL

http.req.url.suffix.eq("jpeg") || http.req.url.suffix.eq("gif")

HTTP.REQ.URL.PATH VPN.BASEURL.PATH VPN.CLIENTLESS_BASEURL.PATH

HTTP.REQ.URL.PATH.GET()

http://www.mycompany.com/dir1/dir2/dir3/index.html?a=1

http.req.url.path.get(1)

http.req.url.path.get(2)

HTTP.REQ.URL.PATH.GET_REVERSE()

http://www.mycompany.com/dir1/dir2/dir3/index.html?a=1

http.req.url.path.get_reverse(0)

http.req.url.path.get_reverse(1)

client.ip.src.in_subnet(147.1.0.0/16)

add rewrite action URL1-rewrite-action replace "http.req.header(\"Host\")" "\"www.mycompany1.com\""
add rewrite policy URL1-rewrite-policy "http.req.header(\"Host\").contains(\"www.test1.com\") && client.ip.src.in_subnet(147.1.0.0/16)" URL1-rewrite-action
add rewrite action URL2-rewrite-action replace "http.req.header(\"Host\")" "\"www.mycompany2.com\""
add rewrite policy URL2-rewrite-policy "http.req.header(\"Host\").contains(\"www.test2.com\") && client.ip.src.in_subnet(10.202.0.0/16)" URL2-rewrite-action

CLIENT.IP.SRC

CLIENT.IP.DST

SERVER.IP.SRC

SERVER.IP.DST

.EQ(
)

client.ip.dst.eq(10.100.10.100)

.GET1. . .GET4

client.ip.src.get1 returns 10
client.ip.src.get2 returns 100
client.ip.src.get3 returns 200

.IN_SUBNET()

client.ip.dst.eq(10.100.10.100/18)

.SUBNET()

CLIENT.IP.SRC.SUBNET(24) returns 192.168.1.0 if the IP address represented by the prefix is 192.168.1.[0-255].

.IS_IPV6

client.ip.src.is_ipv6

.MATCHES()

.MATCHES_LOCATION()

client.ip.src.matches_location(\"Europe.GB.17.London.*.*\")

9901:0ab1:22a2:88a3:3333:4a4b:5555:6666
http://[9901:0ab1:22a2:88a3:3333:4a4b:5555:6666]/
http://[9901:0ab1:22a2:88a3:3333:4a4b:5555:6666]:8080/

client.ipv6.src + server.ip.dst

CLIENT.IPV6

CLIENT.IPV6.DST

CLIENT.IPV6.SRC
client.ipv6.src.in_subnet(2007::2008/64)
client.ipv6.src.get1.le(2008)

SERVER.IPV6

SERVER.IPV6.DST

SERVER.IPV6.SRC
server.ipv6.src.in_subnet(2007::2008/64)
server.ipv6.src.get1.le(2008)

.EQ( )

client.ipv6.dst.eq(ABCD:1234::ABCD)

.GET1. . .GET8

client.ipv6.dst.get5
client.ipv6.dst.get6 extracts 89AB.
client.ipv6.dst.get7

CLIENT.IPV6.SRC

.IN_SUBNET()

client.ipv6.dst.eq(1000:1001:CD10:0000:0000:89AB:4567:CDEF/60)

.IS_IPV4

.SUBNET()

CLIENT.IPV6.SRC.SUBNET(24)

client.ether.dstmac

client.ether.srcmac

.EQ(
)

.GET1. . .GET4

client.ether.dstmac.get2

client.interface.rxthroughput

client.interface.txthroughput

client.interface.rxtxthroughput

server.interface.rxthroughput

server.interface.txthroughput

server.interface.rxtxthroughput

server.vlan.id

client.vlan.id

Jul 25, 2017

When you want to perform string matching operations that are more complex than the operations that you perform with the CONTAINS("") or EQ("") operators, you use regular expressions. The policy infrastructure on the Citrix® NetScaler® appliance includes operators to which you can pass regular expressions as arguments for text matching. The names of the operators that work with regular expressions include the string REGEX. The regular expressions that you pass as arguments must conform to the regular expression syntax that is described in "http://www.pcre.org/pcre.txt". You can learn more about regular expressions at "http://www.regular-expressions.info/quickstart.html" and at "http://www.silverstones.com/thebat/Regex.html".

The target text for an operator that works with regular expressions can be either text or the value of an HTTP header. Following is the format of a default syntax expression that uses a regular expression operator to operate on text:

.(re)

The string represents the default syntax expression prefix that identifies a text string in a packet (for example, HTTP.REQ.URL). The string represents the regular expression operator. The regular expression always begins with the string re. A pair of matching delimiters, represented by , enclose the string , which represents the regular expression.

The following example expression checks whether the URL in an HTTP packet contains the string *.jpeg (where * is a wildcard) and returns a Boolean TRUE or FALSE to indicate the result. The regular expression is enclosed within a pair of slash marks (/), which act as delimiters.

http.req.url.regex_match(re/*.jpeg/)

Regular expression operators can be combined to define or refine the scope of a search. For example, .AFTER_REGEX(re/regex_pattern1/).BEFORE_REGEX(re/regex_pattern2/) specifies that the target for string matching is the text between the patterns regex_pattern1 and regex_pattern2. You can use a text operator on the scope that is defined by the regular expression operators. For example, you can use the CONTAINS("") operator to check whether the defined scope contains the string abc:

.AFTER_REGEX(re/regex_pattern1/).BEFORE_REGEX(re/regex_pattern2/).CONTAINS("abc")

Note: The process of evaluating a regular expression inherently takes more time than that for an operator such as CONTAINS("") or EQ(""), which work with simple string arguments. You should use regular expressions only if your requirement is beyond the scope of other operators.
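The scoping chain described above, modelled in Python as an added example (it is not NetScaler code and not part of the Citrix documentation). The Text class, the function names and the sample body are hypothetical and constructed here; the model assumes that an AFTER/BEFORE operator whose pattern does not match yields an empty scope, that BODY(n) exposes only the first n bytes, and that Python's re behaves like PCRE for these simple patterns.

```python
import re


class Text:
    """Minimal model of a policy text object (hypothetical, for illustration)."""

    def __init__(self, value: str):
        self.value = value

    def body(self, n: int) -> "Text":
        # Models BODY(n): later operators see only the first n bytes
        # (the sample is ASCII, so characters and bytes coincide).
        return Text(self.value[:n])

    def after_regex(self, pattern: str) -> "Text":
        # Scope becomes the text after the first match; assumed empty on no match.
        m = re.search(pattern, self.value)
        return Text(self.value[m.end():] if m else "")

    def before_regex(self, pattern: str) -> "Text":
        # Scope becomes the text before the first match; assumed empty on no match.
        m = re.search(pattern, self.value)
        return Text(self.value[:m.start()] if m else "")

    def after_str(self, s: str) -> "Text":
        # Literal counterpart of after_regex (AFTER_STR on the page).
        i = self.value.find(s)
        return Text(self.value[i + len(s):] if i >= 0 else "")

    def before_str(self, s: str) -> "Text":
        # Literal counterpart of before_regex (BEFORE_STR on the page).
        i = self.value.find(s)
        return Text(self.value[:i] if i >= 0 else "")

    def contains(self, needle: str) -> bool:
        return needle in self.value


# Constructed response body: one https link inside the marked region,
# one http link outside it.
SAMPLE_BODY = (
    "<html><body>\n"
    "<!-- links-start -->\n"
    '<a href="https://intranet.example/login">login</a>\n'
    "<!-- links-end -->\n"
    '<a href="http://static.example/logo.png">logo</a>\n'
    "</body></html>\n"
)

START_RE = r"<!--\s*links-start\s*-->"
END_RE = r"<!--\s*links-end\s*-->"
START_STR = "<!-- links-start -->"
END_STR = "<!-- links-end -->"


def scoped_contains(body, limit, start_re, end_re, needle):
    """BODY(limit).AFTER_REGEX(start).BEFORE_REGEX(end).CONTAINS(needle)"""
    scope = Text(body).body(limit).after_regex(start_re).before_regex(end_re)
    return scope.contains(needle)


def scoped_contains_literal(body, limit, start, end, needle):
    """BODY(limit).AFTER_STR(start).BEFORE_STR(end).CONTAINS(needle)"""
    scope = Text(body).body(limit).after_str(start).before_str(end)
    return scope.contains(needle)


if __name__ == "__main__":
    # Inside the scope: matched.
    print(scoped_contains(SAMPLE_BODY, 1024, START_RE, END_RE, "https"))
    # Present in the body but outside the scope: not matched.
    print(scoped_contains(SAMPLE_BODY, 1024, START_RE, END_RE, "logo.png"))
    # Body limit cuts off the end marker: the scope collapses, nothing matches.
    print(scoped_contains(SAMPLE_BODY, 60, START_RE, END_RE, "https"))
    # Fixed markers: the cheaper literal operators give the same answer.
    print(scoped_contains_literal(SAMPLE_BODY, 1024, START_STR, END_STR, "https"))
    # Marker written without spaces: only the regex form still finds the scope.
    compact = SAMPLE_BODY.replace(START_STR, "<!--links-start-->")
    print(scoped_contains_literal(compact, 1024, START_STR, END_STR, "https"))
    print(scoped_contains(compact, 1024, START_RE, END_RE, "https"))
```

When reviewing a policy built this way, check the body length limit against real message sizes: a delimiter that falls past the limit silently empties the scope, so the policy stops matching instead of raising an error.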

Jul 25, 2017

You can view classic policies by using either the configuration utility or the command line. You can view details such as the policy’s name, expression, and bindings.

At the command prompt, type the following commands to view a classic policy and its binding information:

show policy [policyName]

> show appfw policy GenericApplicationSSL_
Name: GenericApplicationSSL_
Rule: ns_only_get_adv
Profile: GenericApplicationSSL_Prof1
Hits: 0
Undef Hits: 0
Policy is bound to following entities
1) REQ VSERVER app_u_GenericApplicationSSLPortalPages PRIORITY : 100
Done

Note: If you omit the policy name, all policies are listed without the binding details.

1. In the navigation pane, expand the feature whose policies you want to view (for example, if you want to view application firewall policies, expand Application Firewall), and then click Policies.
2. In the details pane, do one or more of the following:
   To view details for a specific policy, click the policy. Details appear in the Details area of the configuration pane.
   To view bindings for a specific policy, click the policy, and then click Show Bindings.
   To view global bindings, click the policy, and then click Global Bindings. Note that you cannot bind a Content Switching, Cache Redirection, SureConnect, Priority Queuing, or NetScaler Gateway Authorization policy globally.

Jul 25, 2017

The Apache HTTP Server provides an engine known as mod_rewrite for rewriting HTTP request URLs. If you migrate the mod_rewrite rules from Apache to the NetScaler, you boost back-end server performance. In addition, because the NetScaler typically load balances multiple (sometimes thousands of) Web servers, after migrating the rules to the NetScaler you will have a single point of control for these rules.

Following are examples of mod_rewrite functions, and translations of these functions into Rewrite and Responder policies on the NetScaler. This document includes the following details:

Converting URL Variations into Canonical URLs
Converting Host Name Variations to Canonical Host Names
Moving a Document Root
Moving Home Directories to a New Web Server
Working with Structured Home Directories
Redirecting Invalid URLs to Other Web Servers
Rewriting a URL Based on Time
Redirecting to a New File Name (Invisible to the User)
Redirecting to New File Name (User-Visible URL)
Accommodating Browser Dependent Content
Blocking Access by Robots
Blocking Access to Inline Images
Creating Extensionless Links
Redirecting a Working URI to a New Format
Ensuring That a Secure Server Is Used for Selected Pages

On some Web servers you can have multiple URLs for a resource. Although the canonical URLs should be used and distributed, other URLs can exist as shortcuts or internal URLs. You can make sure that users see the canonical URL regardless of the URL used to make an initial request. In the following examples, the URL /~user is converted to /u/user.

Apache mod_rewrite solution for converting a URL

RewriteRule ^/~([^/]+)/?(.*) /u/$1/$2 [R]

NetScaler solution for converting a URL

add responder action act1 redirect '"/u/"+HTTP.REQ.URL.AFTER_STR("/~")' -bypassSafetyCheck yes
add responder policy pol1 'HTTP.REQ.URL.STARTSWITH("/~") && HTTP.REQ.URL.LENGTH.GT(2)' act1
bind responder global pol1 100
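A policy built from string operations rarely matches a regular expression on every input, so replay sample URLs through a model of both rules before moving a rule to the appliance. The following Python check is an added example, not Citrix code: it models the two canonical-URL rules above, assumes AFTER_STR returns the text after the first occurrence of its argument, and uses constructed sample URLs.

```python
import re

# Constructed sample request URLs (path plus optional query string).
SAMPLE_URLS = [
    "/~user/index.html",
    "/~user/docs/a.html?x=1",
    "/~user/",
    "/~user",
    "/~user?x=1",
    "/~/index.html",
    "/~",
    "/u/user/index.html",
]

# Pattern of the Apache rule: RewriteRule ^/~([^/]+)/?(.*) /u/$1/$2 [R]
APACHE_PATTERN = re.compile(r"^/~([^/]+)/?(.*)")


def apache_redirect(url):
    """Model of the mod_rewrite rule. The pattern is matched against the
    path only; with [R] the original query string is carried over."""
    path, sep, query = url.partition("?")
    match = APACHE_PATTERN.match(path)
    if match is None:
        return None  # rule does not fire, request is served as-is
    return "/u/{}/{}".format(match.group(1), match.group(2)) + sep + query


def netscaler_redirect(url):
    """Model of the responder policy and action. HTTP.REQ.URL includes the
    query string, and the policy fires on STARTSWITH("/~") && LENGTH.GT(2)."""
    if not (url.startswith("/~") and len(url) > 2):
        return None  # policy does not match
    # Assumed AFTER_STR semantics: text after the first occurrence of "/~".
    return "/u/" + url.split("/~", 1)[1]


def divergences(urls):
    """Return (url, apache_result, netscaler_result) for every sample on
    which the two models disagree."""
    found = []
    for url in urls:
        a, n = apache_redirect(url), netscaler_redirect(url)
        if a != n:
            found.append((url, a, n))
    return found


if __name__ == "__main__":
    for url, a, n in divergences(SAMPLE_URLS):
        print("{!r}: apache={!r} netscaler={!r}".format(url, a, n))
```

The differences it reports (a missing trailing slash, and a redirect for /~/ that Apache would not issue) are the kind to settle before the policy is bound globally.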

You can enforce the use of a particular host name for reaching a site. For example, you can enforce the use of www.example.com instead of example.com.

Apache mod_rewrite solution for enforcing a particular host name for sites running on a port other than 80

RewriteCond %{HTTP_HOST} !^www.example.com
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^/(.*) http://www.example.com:%{SERVER_PORT}/$1 [L,R]

Apache mod_rewrite solution for enforcing a particular host name for sites running on port 80

RewriteCond %{HTTP_HOST} !^www.example.com
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^/(.*) http://www.example.com/$1 [L,R]

NetScaler solution for enforcing a particular host name for sites running on a port other than 80

add responder action act1 redirect '"http://www.example.com:"+CLIENT.TCP.DSTPORT+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol1 '!HTTP.REQ.HOSTNAME.CONTAINS("www.example.com")&&!HTTP.REQ.HOSTNAME.EQ("")&&!HTTP.REQ.HOSTNAME.PORT.EQ(80)&&HTTP.REQ.HOSTNAM
bind responder global pol1 100 END

NetScaler solution for enforcing a particular host name for sites running on port 80

add responder action act1 redirect '"http://www.example.com"+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol1 '!HTTP.REQ.HOSTNAME.CONTAINS("www.example.com")&&!HTTP.REQ.HOSTNAME.EQ("")&&HTTP.REQ.HOSTNAME.PORT.EQ(80)&&HTTP.REQ.HOSTNAM
bind responder global pol1 100 END

Usually the document root of a Web server is based on the URL “/”. However, the document root can be any directory. You can redirect traffic to the document root if it changes from the top-level “/” directory to another directory. In the following examples, you change the document root from / to /e/www. The first two examples simply replace one string with another. The third example is more universal because, along with replacing the root directory, it preserves the rest of the URL (the path and query string), for example, redirecting /example/file.html to /e/www/example/file.html.

Apache mod_rewrite solution for moving the document root

RewriteEngine on
RewriteRule ^/$ /e/www/ [R]

NetScaler solution for moving the document root

add responder action act1 redirect '"/e/www/"' -bypassSafetyCheck yes
add responder policy pol1 'HTTP.REQ.URL.EQ("/")' act1
bind responder global pol1 100

NetScaler solution for moving the document root and appending path information to the request

add responder action act1 redirect '"/e/www"+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol1 '!HTTP.REQ.URL.STARTSWITH("/e/www/")' act1
bind responder global pol1 100 END

You may want to redirect requests that are sent to home directories on a Web server to a different Web server. For example, if a new Web server is replacing an old one over time, as you migrate home directories to the new location you need to redirect requests for the migrated home directories to the new Web server. In the following examples, the host name for the new Web server is newserver.

Apache mod_rewrite solution for redirecting to another Web server

RewriteRule ^/(.+) http://newserver/$1 [R,L]

NetScaler solution for redirecting to another Web server (method 1)

add responder action act1 redirect '"http://newserver"+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol1 'HTTP.REQ.URL.REGEX_MATCH(re#^/(.+)#)' act1
bind responder global pol1 100 END

NetScaler solution for redirecting to another Web server (method 2)

add responder action act1 redirect '"http://newserver"+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol1 'HTTP.REQ.URL.LENGTH.GT(1)' act1
bind responder global pol1 100 END

Typically, a site with thousands of users has a structured home directory layout. For example, each home directory may reside under a subdirectory that is named using the first character of the user name. For example, the home directory for jsmith (/~jsmith/anypath) might be /home/j/jsmith/.www/anypath, and the home directory for rvalveti (/~rvalveti/anypath) might be /home/r/rvalveti/.www/anypath. The following examples redirect requests to the home directory.

Apache mod_rewrite solution for structured home directories

RewriteRule ^/~(([a-z])[a-z0-9]+)(.*) /home/$2/$1/.www$3

NetScaler solution for structured home directories

add rewrite action act1 replace 'HTTP.REQ.URL' '"/home/"+HTTP.REQ.URL.AFTER_STR("~").PREFIX(1)+"/"+HTTP.REQ.URL.AFTER_STR("~").BEFORE_STR("/")+"/.www"+HTTP.RE
add rewrite policy pol1 'HTTP.REQ.URL.PATH.STARTSWITH("/~")' act1
bind rewrite global pol1 100

If a URL is not valid, it should be redirected to another Web server. For example, you should redirect to another Web server if a file that is named in a URL does not exist on the server that is named in the URL. On Apache, you can perform this check using mod_rewrite. On the NetScaler, an HTTP callout can check for a file on a server by running a script on the server. In the following NetScaler examples, a script named file_check.cgi processes the URL and uses this information to check for the presence of the target file on the server. The script returns TRUE or FALSE, and the NetScaler uses the value that the script returns to validate the policy. In addition to performing the redirection, the NetScaler can add custom headers or, as in the second NetScaler example, it can add text in the response body.

Apache mod_rewrite solution for redirection if a URL is wrong

RewriteCond /your/docroot/%{REQUEST_FILENAME} !-f
RewriteRule ^(.+) http://webserverB.com/$1 [R]

NetScaler solution for redirection if a URL is wrong (method 1)

add HTTPCallout Call
set policy httpCallout Call -IPAddress 10.102.59.101 -port 80 -hostExpr '"10.102.59.101"' -returnType BOOL -ResultExpr 'HTTP.RES.BODY(100).CONTAINS("True")' -urlStemExpr '"/c
add responder action act1 redirect '"http://webserverB.com"+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol1 '!HTTP.REQ.HEADER("Name").EXISTS && !SYS.HTTP_CALLOUT(call)' act1
bind responder global pol1 100

NetScaler solution for redirection if a URL is wrong (method 2)

add HTTPCallout Call
set policy httpCallout Call -IPAddress 10.102.59.101 -port 80 -hostExpr '"10.102.59.101"' -returnType BOOL -ResultExpr 'HTTP.RES.BODY(100).CONTAINS("True")' -urlStemExpr '"/c
add responder action act1 respondwith '"HTTP/1.1 302 Moved Temporarily\r\nLocation: http://webserverB.com"+HTTP.REQ.URL+"\r\n\r\nHTTPCallout Used"' -bypassSafetyCheck ye
add responder policy pol1 '!HTTP.REQ.HEADER("Name").EXISTS && !SYS.HTTP_CALLOUT(call)' act1
bind responder global pol1 100

You can rewrite a URL based on the time. The following examples change a request for example.html to example.day.html or example.night.html, depending on the time of day.

Apache mod_rewrite solution for rewriting a URL based on the time

RewriteCond %{TIME_HOUR}%{TIME_MIN} >0700
RewriteCond %{TIME_HOUR}%{TIME_MIN} <1900
RewriteRule ^example\.html$ example.day.html [L]
RewriteRule ^example\.html$ example.night.html

NetScaler solution for rewriting a URL based on the time

add rewrite action act1 insert_before 'HTTP.REQ.URL.PATH.SUFFIX(\'.\',0)' '"day."'
add rewrite action act2 insert_before 'HTTP.REQ.URL.PATH.SUFFIX(\'.\',0)' '"night."'
add rewrite policy pol1 'SYS.TIME.WITHIN(LOCAL 07h 00m,LOCAL 18h 59m)' act1
add rewrite policy pol2 'true' act2
bind rewrite global pol1 101
bind rewrite global pol2 102

If you rename a Web page, you can continue to support the old URL for backward compatibility while preventing users from recognizing that the page was renamed. In the first two of the following examples, the base directory is /~quux/. The third example accommodates any base directory and the presence of query strings in the URL.

Apache mod_rewrite solution for managing a file name change in a fixed location

RewriteEngine on
RewriteBase /~quux/
RewriteRule ^foo\.html$ bar.html

NetScaler solution for managing a file name change in a fixed location

add rewrite action act1 replace 'HTTP.REQ.URL.AFTER_STR("/~quux").SUBSTR("foo.html")' '"bar.html"'
add rewrite policy pol1 'HTTP.REQ.URL.ENDSWITH("/~quux/foo.html")' act1
bind rewrite global pol1 100

NetScaler solution for managing a file name change regardless of the base directory or query strings in the URL

add rewrite action act1 replace 'HTTP.REQ.URL.PATH.SUFFIX(\'/\',0)' '"bar.html"'
add rewrite policy pol1 'HTTP.REQ.URL.PATH.CONTAINS("foo.html")' act1
bind rewrite global pol1 100

If you rename a Web page, you may want to continue to support the old URL for backward compatibility and allow users to see that the page was renamed by changing the URL that is displayed in the browser. In the first two of the following examples, redirection occurs when the base directory is /~quux/. The third example accommodates any base directory and the presence of query strings in the URL.

Apache mod_rewrite solution for changing the file name and the URL displayed in the browser

RewriteEngine on
RewriteBase /~quux/
RewriteRule ^old\.html$ new.html [R]

NetScaler solution for changing the file name and the URL displayed in the browser

add responder action act1 redirect 'HTTP.REQ.URL.BEFORE_STR("old.html")+"new.html"' -bypassSafetyCheck yes
add responder policy pol1 'HTTP.REQ.URL.ENDSWITH("/~quux/old.html")' act1
bind responder global pol1 100

NetScaler solution for changing the file name and the URL displayed in the browser regardless of the base directory or query strings in the URL

add responder action act1 redirect 'HTTP.REQ.URL.PATH.BEFORE_STR("old.html")+"new.html"+HTTP.REQ.URL.AFTER_STR("old.html")' -bypassSafetyCheck yes
add responder policy pol1 'HTTP.REQ.URL.PATH.CONTAINS("old.html")' act1
bind responder global pol1 100

To accommodate browser-specific limitations—at least for important top-level pages—it is sometimes necessary to set restrictions on the browser type and version. For example, you might want to set a maximum version for the latest Netscape variants, a minimum version for Lynx browsers, and an average feature version for all others. The following examples act on the HTTP header "User-Agent", such that if this header begins with "Mozilla/3", the page MyPage.html is rewritten to MyPage.NS.html. If the browser is "Lynx" or "Mozilla" version 1 or 2, the URL becomes MyPage.20.html. All other browsers receive page MyPage.32.html.

Apache mod_rewrite solution for browser-specific settings

RewriteCond %{HTTP_USER_AGENT} ^Mozilla/3.*
RewriteRule ^MyPage\.html$ MyPage.NS.html [L]
RewriteCond %{HTTP_USER_AGENT} ^Lynx/.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/[12].*
RewriteRule ^MyPage\.html$ MyPage.20.html [L]
RewriteRule ^MyPage\.html$ MyPage.32.html [L]

NetScaler solution for browser-specific settings

add patset pat1
bind patset pat1 Mozilla/1
bind patset pat1 Mozilla/2
bind patset pat1 Lynx
bind patset pat1 Mozilla/3
add rewrite action act1 insert_before 'HTTP.REQ.URL.SUFFIX' '"NS."'
add rewrite action act2 insert_before 'HTTP.REQ.URL.SUFFIX' '"20."'
add rewrite action act3 insert_before 'HTTP.REQ.URL.SUFFIX' '"32."'
add rewrite policy pol1 'HTTP.REQ.HEADER("User-Agent").STARTSWITH_INDEX("pat1").EQ(4)' act1
add rewrite policy pol2 'HTTP.REQ.HEADER("User-Agent").STARTSWITH_INDEX("pat1").BETWEEN(1,3)' act2
add rewrite policy pol3 '!HTTP.REQ.HEADER("User-Agent").STARTSWITH_ANY("pat1")' act3
bind rewrite global pol1 101 END
bind rewrite global pol2 102 END
bind rewrite global pol3 103 END

You can block a robot from retrieving pages from a specific directory or a set of directories to ease up the traffic to and from these directories. You can restrict access based on the specific location or you can block requests based on information in User-Agent HTTP headers. In the following examples, the Web location to be blocked is /~quux/foo/arc/, the IP addresses to be blocked are 123.45.67.8 and 123.45.67.9, and the robot’s name is NameOfBadRobot.

Apache mod_rewrite solution for blocking a path and a User-Agent header

RewriteCond %{HTTP_USER_AGENT} ^NameOfBadRobot.*
RewriteCond %{REMOTE_ADDR} ^123\.45\.67\.[8-9]$
RewriteRule ^/~quux/foo/arc/.+ - [F]

NetScaler solution for blocking a path and a User-Agent header

add responder action act1 respondwith '"HTTP/1.1 403 Forbidden\r\n\r\n"'
add responder policy pol1 'HTTP.REQ.HEADER("User-Agent").STARTSWITH("NameOfBadRobot")&&(CLIENT.IP.SRC.EQ(123.45.67.8)||CLIENT.IP.SRC.EQ(123.45.67.9)) && HTTP.REQ
bind responder global pol1 100

If you find people frequently going to your server to copy inline graphics for their own use (and generating unnecessary traffic), you may want to restrict the browser’s ability to send an HTTP Referer header. In the following example, the graphics are located in http://www.quux-corp.de/~quux/.

Apache mod_rewrite solution for blocking access to an inline image

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.quux-corp.de/~quux/.*$
RewriteRule .*\.gif$ - [F]

NetScaler solution for blocking access to an inline image

add patset pat1
bind patset pat1 .gif
bind patset pat1 .jpeg
add responder action act1 respondwith '"HTTP/1.1 403 Forbidden\r\n\r\n"'
add responder policy pol1 '!HTTP.REQ.HEADER("Referer").EQ("") && !HTTP.REQ.HEADER("Referer").STARTSWITH("http://www.quux-corp.de/~quux/")&&HTTP.REQ.URL.ENDSWITH_
bind responder global pol1 100

To prevent users from knowing application or script details on the server side, you can hide file extensions from users. To do this, you may want to support extensionless links. You can achieve this behavior by using rewrite rules to add an extension to all requests, or to selectively add extensions to requests. The first two of the following examples show adding an extension to all request URLs. In the last example, one of two file extensions is added. Note that in the last example, the mod_rewrite module can easily find the file extension because this module resides on the Web server. In contrast, the NetScaler must invoke an HTTP callout to check the extension of the requested file on the Web server. Based on the callout response, the NetScaler adds the .html or .php extension to the request URL.

Note: In the second NetScaler example, an HTTP callout is used to query a script named file_check.cgi hosted on the server. This script checks whether the argument that is provided in the callout is a valid file name.

Apache mod_rewrite solution for adding a .php extension to all requests

RewriteRule ^/?([a-z]+)$ $1.php [L]

NetScaler policy for adding a .php extension to all requests

add rewrite action act1 insert_after 'HTTP.REQ.URL' '".php"'
add rewrite policy pol1 'HTTP.REQ.URL.PATH.REGEX_MATCH(re#^/([a-z]+)$#)' act1
bind rewrite global pol1 100

Apache mod_rewrite solution for adding either .html or .php extensions to requests

RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^/?([a-zA-Z0-9]+)$ $1.php [L]
RewriteCond %{REQUEST_FILENAME}.html -f
RewriteRule ^/?([a-zA-Z0-9]+)$ $1.html [L]

NetScaler policy for adding either .html or .php extensions to requests

add HTTPCallout Call_html
add HTTPCallout Call_php
set policy httpCallout Call_html -IPAddress 10.102.59.101 -port 80 -hostExpr '"10.102.59.101"' -returnType BOOL -ResultExpr 'HTTP.RES.BODY(100).CONTAINS("True")' -urlStemExp
set policy httpCallout Call_php -IPAddress 10.102.59.101 -port 80 -hostExpr '"10.102.59.101"' -returnType BOOL -ResultExpr 'HTTP.RES.BODY(100).CONTAINS("True")' -urlStemExpr
add patset pat1
bind patset pat1 .html
bind patset pat1 .php
bind patset pat1 .asp
bind patset pat1 .cgi
add rewrite action act1 insert_after 'HTTP.REQ.URL.PATH' '".html"'
add rewrite action act2 insert_after "HTTP.REQ.URL.PATH" '".php"'
add rewrite policy pol1 '!HTTP.REQ.URL.CONTAINS_ANY("pat1") && SYS.HTTP_CALLOUT(Call_html)' act1
add rewrite policy pol2 '!HTTP.REQ.URL.CONTAINS_ANY("pat1") && SYS.HTTP_CALLOUT(Call_php)' act2
bind rewrite global pol1 100 END
bind rewrite global pol2 101 END

Suppose that you have a set of working URLs that resemble the following:

/index.php?id=nnnn

To change these URLs to /nnnn and make sure that search engines update their indexes to the new URI format, you need to do the following:

Redirect the old URIs to the new ones so that search engines update their indexes.
Rewrite the new URI back to the old one so that the index.php script runs correctly.

To accomplish this, you can insert marker code into the query string (making sure that the marker code is not seen by visitors), and then remove the marker code for the index.php script. The following examples redirect from an old link to a new format only if a marker is not present in the query string. The link that uses the new format is rewritten back to the old format, and a marker is added to the query string.

Apache mod_rewrite solution

RewriteCond %{QUERY_STRING} !marker
RewriteCond %{QUERY_STRING} id=([-a-zA-Z0-9_+]+)
RewriteRule ^/?index\.php$ %1? [R,L]
RewriteRule ^/?([-a-zA-Z0-9_+]+)$ index.php?marker&id=$1 [L]

NetScaler solution

add responder action act_redirect redirect 'HTTP.REQ.URL.PATH.BEFORE_STR("index.php")+HTTP.REQ.URL.QUERY.VALUE("id")' -bypassSafetyCheck yes
add responder policy pol_redirect '!HTTP.REQ.URL.QUERY.CONTAINS("marker")&& HTTP.REQ.URL.QUERY.VALUE("id").REGEX_MATCH(re/[-a-zA-Z0-9_+]+/) && HTTP.REQ.URL.PATH
bind responder global pol_redirect 100 END
add rewrite action act1 replace 'HTTP.REQ.URL.PATH.SUFFIX(\'/\',0)' '"index.php?marker&id="+HTTP.REQ.URL.PATH.SUFFIX(\'/\',0)' -bypassSafetyCheck yes
add rewrite policy pol1 '!HTTP.REQ.URL.QUERY.CONTAINS("marker")' act1
bind rewrite global pol1 100 END

To make sure that only secure servers are used for selected Web pages, you can use the following Apache mod_rewrite code or NetScaler Responder policies.

Apache mod_rewrite solution

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/?(page1|page2|page3|page4|page5)$ https://www.example.com/$1 [R,L]

NetScaler solution using regular expressions

add responder action res_redirect redirect '"https://www.example.com"+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol_redirect '!CLIENT.TCP.DSTPORT.EQ(443)&&HTTP.REQ.URL.REGEX_MATCH(re/page[1-5]/)' res_redirect
bind responder global pol_redirect 100 END

NetScaler solution using pattern sets

add patset pat1
bind patset pat1 page1
bind patset pat1 page2
bind patset pat1 page3
bind patset pat1 page4
bind patset pat1 page5

add responder action res_redirect redirect '"https://www.example.com"+HTTP.REQ.URL' -bypassSafetyCheck yes
add responder policy pol_redirect '!CLIENT.TCP.DSTPORT.EQ(443)&&HTTP.REQ.URL.CONTAINS_ANY("pat1")' res_redirect
bind responder global pol_redirect 100 END

Jul 25, 2017

The rate limiting feature enables you to define the maximum load for a given network entity or virtual entity on the Citrix NetScaler appliance. The feature enables you to configure the appliance to monitor the rate of traffic associated with the entity and take preventive action, in real time, based on the traffic rate. This feature is particularly useful when the network is under attack from a hostile client that is sending the appliance a flood of requests. You can mitigate the risks that affect the availability of resources to clients, and you can improve the reliability of the network and the resources that the appliance manages.

You can monitor and control the rate of traffic that is associated with virtual and user-defined entities, including virtual servers, URLs, domains, and combinations of URLs and domains. You can throttle the rate of traffic if it is too high, base information caching on the traffic rate, and redirect traffic to a given load balancing virtual server if the traffic rate exceeds a predefined limit. You can apply rate-based monitoring to HTTP, TCP, and DNS requests.

To monitor the rate of traffic for a given scenario, you configure a rate limit identifier. A rate limit identifier specifies numeric thresholds such as the maximum number of requests or connections (of a particular type) that are permitted in a specified time period called a time slice. Optionally, you can configure filters, known as stream selectors, and associate them with rate limit identifiers when you configure the identifiers. After you configure the optional stream selector and the limit identifier, you must invoke the limit identifier from a default syntax policy. You can invoke identifiers from any feature in which the identifier may be useful, including rewrite, responder, DNS, and integrated caching.

You can globally enable and disable SNMP traps for rate limit identifiers. Each trap contains cumulative data for the rate limit identifier's configured data collection interval (time slice), unless you specified multiple traps to be generated per time slice. For more information about configuring SNMP traps and managers, see "SNMP."
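To see how a selector, a threshold and a time slice interact, the following Python model replays constructed requests against a limit of 2 requests per 3000 ms, keyed on a cookie value and the client's /24 subnet (the values used by this page's myLimitIdentifier and reqCookieStreamSelector configuration). It is an added example, not the appliance's implementation: it assumes a plain per-slice counter with slices aligned to multiples of the time slice, and the class, function and field names are hypothetical.

```python
import ipaddress


def cookie_and_subnet_selector(request):
    """Model of the two selector expressions http.req.cookie.value("mycookie")
    and client.ip.src.subnet(24). The pair of values identifies one stream."""
    subnet = ipaddress.ip_network(request["src_ip"] + "/24", strict=False)
    return (request["cookies"].get("mycookie", ""), str(subnet.network_address))


class LimitIdentifier:
    """Simplified rate limit identifier: one request counter per stream,
    restarted whenever a request falls into a new time slice (assumption)."""

    def __init__(self, threshold, time_slice_ms, selector):
        self.threshold = threshold
        self.time_slice_ms = time_slice_ms
        self.selector = selector
        self._streams = {}  # stream key -> [slice index, requests seen]

    def check_limit(self, request, now_ms):
        """Count the request and return True once the stream has exceeded
        the threshold in the current time slice, which is the condition the
        page's policies test with sys.check_limit(...)."""
        key = self.selector(request)
        current_slice = now_ms // self.time_slice_ms
        state = self._streams.get(key)
        if state is None or state[0] != current_slice:
            state = [current_slice, 0]
            self._streams[key] = state
        state[1] += 1
        return state[1] > self.threshold


# Constructed traffic: (arrival time in ms, source IP, value of "mycookie").
SAMPLE_REQUESTS = [
    (0,    "192.0.2.10",   "A"),  # 1st request in stream (A, 192.0.2.0)
    (500,  "192.0.2.77",   "A"),  # same /24 and cookie: same stream, 2nd
    (900,  "192.0.2.10",   "A"),  # 3rd in the slice: over the threshold
    (1000, "198.51.100.5", "A"),  # different subnet: separate stream
    (1200, "192.0.2.10",   "B"),  # different cookie: separate stream
    (2900, "192.0.2.77",   "A"),  # still inside the first slice: over
    (3100, "192.0.2.10",   "A"),  # new time slice: counter restarts
]


def replay(requests, limiter):
    """Return the check_limit verdict for each request, in order."""
    verdicts = []
    for now_ms, src_ip, cookie in requests:
        request = {"src_ip": src_ip, "cookies": {"mycookie": cookie}}
        verdicts.append(limiter.check_limit(request, now_ms))
    return verdicts


def demo():
    limiter = LimitIdentifier(threshold=2, time_slice_ms=3000,
                              selector=cookie_and_subnet_selector)
    return replay(SAMPLE_REQUESTS, limiter)


if __name__ == "__main__":
    for (now_ms, src_ip, cookie), over in zip(SAMPLE_REQUESTS, demo()):
        print(now_ms, src_ip, cookie, "LIMIT EXCEEDED" if over else "ok")
```

Because the selector groups by /24 subnet, two different hosts behind the same subnet that present the same cookie share one counter, so a selector that is too coarse can throttle well-behaved clients along with a noisy one.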

sh limitsession myLimitSession

“No session exists”

add stream selector ipStreamSelector http.req.url "client.ip.src"
add ns limitIdentifier ipLimitIdentifier -threshold 4 -timeSlice 1000 -mode request_rate -limitType smooth -selectorName ipStreamSelector
add responder action myWebSiteRedirectAction redirect "\"http://www.mycompany.com/\""
add responder policy ipLimitResponderPolicy "http.req.url.contains(\"myasp.asp\") && sys.check_limit(\"ipLimitIdentifier\")" myWebSiteRedirectAction
bind responder global ipLimitResponderPolicy 100 END -type default

add stream selector cacheStreamSelector http.req.url
add ns limitidentifier cacheRateLimitIdentifier -threshold 5 -timeSlice 2000 -selectorName cacheStreamSelector
add cache policy cacheRateLimitPolicy -rule "http.req.method.eq(get) && sys.check_limit(\"cacheRateLimitIdentifier\")" -action cache
bind cache global cacheRateLimitPolicy -priority 10

add stream selector reqCookieStreamSelector "http.req.cookie.value(\"mycookie\")" "client.ip.src.subnet(24)"
add ns limitIdentifier myLimitIdentifier -Threshold 2 -timeSlice 3000 -selectorName reqCookieStreamSelector
add responder action sendRedirectUrl redirect '\"http://www.mycompany.com\" + http.req.url' -bypassSafetyCheck YES
add responder policy rateLimitCookiePolicy "http.req.url.contains(\"www.yourcompany.com\") && sys.check_limit(\"myLimitIdentifier\")" sendRedirectUrl

add stream selector dropDNSStreamSelector client.udp.dns.domain client.ip.src
add ns limitIdentifier dropDNSRateIdentifier -timeslice 20000 -mode request_rate -selectorName dropDNSStreamSelector -maxBandwidth 1 -trapsintimeslice 20
add dns policy dnsDropOnClientRatePolicy "sys.check_limit(\"dropDNSRateIdentifier\")" -drop yes

add stream selector ipv6_sel "CLIENT.IPv6.src.subnet(32)" CLIENT.IPv6.dst Q.URL
add ns limitIdentifier ipv6_id -timeSlice 20000 -selectorName ipv6_sel
add lb vserver ipv6_vip HTTP 3ffe::209 80 -persistenceType NONE -cltTimeout 180
add responder action redirect_page redirect "\"http://redirectpage.com/\""
add responder policy ipv6_resp_pol "SYS.CHECK_LIMIT(\"ipv6_id\")" redirect_page
bind responder global ipv6_resp_pol 5 END -type DEFAULT

add stream selector DNSSelector1 client.udp.dns.domain
add ns limitIdentifier DNSLimitIdentifier1 -threshold 5 -timeSlice 1000 -selectorName DNSSelector1
add dns policy DNSLimitPolicy1 "client.ip.src.matches_location(\"Europe.GB.17.London.*.*\") && sys.check_limit(\"DNSLimitIdentifier1\")" -preferredLocation "North America.US.TX.Dallas.*.*"
bind dns global DNSLimitPolicy1 5

add stream selector LDNSSelector1 client.udp.dns.domain client.ip.src
add ns limitIdentifier LDNSLimitIdentifier1 -threshold 5 -timeSlice 1000 -selectorName LDNSSelector1
add dns policy LDNSPolicy1 "client.udp.dns.domain.contains(\".\") && sys.check_limit(\"LDNSLimitIdentifier1\")" -drop YES
bind dns global LDNSPolicy1 6

show gslb vserver gvip
gvip - HTTP State: UP
Last state change was at Mon Sep 8 11:50:48 2008 (+711 ms)
Time since last state change: 1 days, 02:55:08.830
Configured Method: STATICPROXIMITY BackupMethod: ROUNDROBIN
No. of Bound Services : 3 (Total) 3 (Active)
Persistence: NONE Persistence ID: 100
Disable Primary Vserver on Down: DISABLED Site Persistence: NONE
Backup Session Timeout: 0
Empty Down Response: DISABLED
Multi IP Response: DISABLED Dynamic Weights: DISABLED
Cname Flag: DISABLED
Effective State Considered: NONE
1) site11_svc(10.100.00.00: 80)- HTTP State: UP Weight: 1
Dynamic Weight: 0 Cumulative Weight: 1
Effective State: UP
Threshold : BELOW

Location: Europe.GB.17.London.UK-East.ISP-UK
2) site12_svc(10.101.00.100: 80)- HTTP State: UP Weight: 1
Dynamic Weight: 0 Cumulative Weight: 1
Effective State: UP
Threshold : BELOW
Location: North America.US.TX.Dallas.US-East.ISP-US
3) site13_svc(10.102.00.200: 80)- HTTP State: UP Weight: 1
Dynamic Weight: 0 Cumulative Weight: 1
Effective State: UP
Threshold : BELOW
Location: North America.US.NJ.Salem.US-Mid.ISP-US
1) www.gslbindia.com TTL: 5 secn Cookie Timeout: 0 min Site domain TTL: 3600 sec
Done


add responder action act404Error respondWith '"HTTP/1.1 404 Not Found\r\n\r\n" + "HTTP.REQ.URL.HTTP_URL_SAFE" + " does not exist on the web server."'
Done
> show responder action
1) Name: act404Error
Operation: respondwith
Target: "HTTP/1.1 404 Not Found

" + "HTTP.REQ.URL.HTTP_URL_SAFE" + " does not exist on the web server."
BypassSafetyCheck : NO
Hits: 0 Undef Hits: 0
Action Reference Count: 0
Done


set responder action act404Error -target '"HTTP/1.1 404 Not Found\r\n\r\n" + "HTTP.REQ.URL.HTTP_URL_SAFE" + " does not exist on the web server."'
Done
> show responder action
1) Name: act404Error
Operation: respondwith
Target: "HTTP/1.1 404 Not Found

" + "HTTP.REQ.URL.HTTP_URL_SAFE" + " does not exist on the web server."
BypassSafetyCheck : NO
Hits: 0 Undef Hits: 0
Action Reference Count: 0
Done

rm responder action act404Error
Done
> show responder action
Done




> bind responder global poliError 100
Done
> show responder global
1) Global bindpoint: REQ_DEFAULT
Number of bound policies: 1
Done


> bind lb vserver vs-loadbal -policyName policyTwo -priority 100
Done
> show lb vserver
1) vs-loadbal (10.102.29.20:80) - HTTP Type: ADDRESS
State: OUT OF SERVICE
Last state change was at Wed Aug 19 09:05:47 2009 (+211 ms)
Time since last state change: 2 days, 00:58:03.260
Effective State: DOWN
Client Idle Timeout: 180 sec
Down state flush: ENABLED
Disable Primary Vserver On Down : DISABLED
Port Rewrite : DISABLED
No. of Bound Services : 0 (Total) 0 (Active)
Configured Method: LEASTCONNECTION
Mode: IP
Persistence: NONE
Vserver IP and Port insertion: OFF
Push: DISABLED Push VServer:
Push Multi Clients: NO
Push Label Rule: none
2) vs-cont-sw (0.0.0.0:0) - TCP Type: ADDRESS
State: DOWN
Last state change was at Wed Aug 19 10:03:46 2009 (+213 ms)
Time since last state change: 2 days, 00:00:04.260
Effective State: DOWN
Client Idle Timeout: 9000 sec
Down state flush: ENABLED
Disable Primary Vserver On Down : DISABLED
No. of Bound Services : 0 (Total) 0 (Active)
Configured Method: LEASTCONNECTION
Mode: IP
Persistence: NONE
Connection Failover: DISABLED
Done


> add responder action act_resp-dm-redirect RESPONDWITH "DIAMETER.NEW_REDIRECT(\"aaa://host.example.com\")"
> add responder policy pol_resp-dm-redirect "diameter.req.avp(264).value.eq(\"host1.example.net\")" act_resp-dm-redirect
> bind lb vserver vs1 -policyName pol_resp-dm-redirect -priority 10 -type REQUEST
Done


add responder action sorry_page respondwith q{"HTTP/1.0 200 OK" + "\r\n\r\n" + "Sorry, this page is not available" + "\r\n"}


Jul 25, 2017

Enable the rewrite feature on the NetScaler appliance if you want to rewrite the HTTP or TCP requests or responses. If the feature is enabled, NetScaler takes rewrite action according to the specified policies. For more information, see "How Rewrite Works."

At the command prompt, type the following commands to enable the rewrite feature and verify the configuration:
enable ns feature REWRITE
show ns feature
Example
> enable ns feature REWRITE
Done
> show ns feature
      Feature              Acronym    Status
      -------              -------    ------
 1)   Web Logging          WL         OFF
 2)   Surge Protection     SP         ON
 .
 .
 19)  Rewrite              REWRITE    ON
 .
 .
 24)  NetScaler Push       push       OFF
Done

1. In the navigation pane, click System, and then click Settings.
2. In the details pane, under Modes and Features, click Configure basic features.
3. In the Configure Basic Features dialog box, select the Rewrite check box, and then click OK.
4. In the Enable/Disable Feature(s) dialog box, click Yes. A message appears in the status bar, stating that the selected feature was enabled.


Jul 25, 2017

After creating a rewrite policy, you must bind it to put it into effect. You can bind your policy to Global if you want to apply it to all traffic that passes through your NetScaler, or you can bind your policy to a specific virtual server or bind point to direct only that virtual server or bind point’s incoming traffic to that policy. If an incoming request matches a rewrite policy, the action associated with that policy is carried out.

Rewrite policies for evaluating HTTP requests and responses can be bound to virtual servers of type HTTP or SSL, or they can be bound to the REQ_OVERRIDE, REQ_DEFAULT, RES_OVERRIDE, and RES_DEFAULT bind points. Rewrite policies for TCP rewrite can be bound only to virtual servers of type TCP or SSL_TCP, or to the OTHERTCP_REQ_OVERRIDE, OTHERTCP_REQ_DEFAULT, OTHERTCP_RES_OVERRIDE, and OTHERTCP_RES_DEFAULT bind points.

Note: The term OTHERTCP is used in the context of the NetScaler appliance to refer to all TCP or SSL_TCP requests and responses that you want to treat as a raw stream of bytes regardless of the protocols that the TCP packets encapsulate.

When you bind a policy, you assign it a priority. The priority determines the order in which the policies you define are evaluated. You can set the priority to any positive integer. In the NetScaler operating system, policy priorities work in reverse order - the higher the number, the lower the priority. For example, if you have three policies with priorities of 10, 100, and 1000, the policy assigned a priority of 10 is applied first, then the policy assigned a priority of 100, and finally the policy assigned an order of 1000.

Unlike most other features in the NetScaler operating system, the rewrite feature continues to evaluate and implement policies after a request matches a policy. However, the effect of a particular action policy on a request or response will often be different depending on whether it is performed before or after another action. Priority is important to get the results you intended.

You can leave yourself plenty of room to add other policies in any order, and still set them to evaluate in the order you want, by setting priorities with intervals of 50 or 100 between each policy when you bind it. If you do this, you can add additional policies at any time without having to reassign the priority of an existing policy.

When binding a rewrite policy, you also have the option of assigning a goto expression (gotoPriorityExpression) to the policy. A goto expression can be any positive integer that matches the priority assigned to a different policy that has a higher priority than the policy that contains the goto expression. If you assign a goto expression to a policy, and a request or response matches the policy, the NetScaler will immediately go to the policy whose priority matches the goto expression. It will skip over any policies with priority numbers that are lower than that of the current policy, but higher than the priority number of the goto expression, and not evaluate those policies. For more information about binding policies on the NetScaler, see "Binding a Rewrite Policy."

At the command prompt, type the following commands to globally bind a rewrite policy and verify the configuration:
bind rewrite global [] [-type ] [-invoke ( ) ]
show rewrite global
Example


> bind rewrite global policyNew 10
Done
> show rewrite global
1) Global bindpoint: RES_DEFAULT
Number of bound policies: 1
2) Global bindpoint: REQ_OVERRIDE
Number of bound policies: 1
Done

At the command prompt, type the following commands to bind rewrite policy to a specific virtual server and verify the configuration:
bind lb vserver @ (@ [-weight ]) | @ | (-policyName @ [-priority ] [-gotoPriorityExpression ] [-type ( REQUEST | RESPONSE )] [-invoke ( ) ] )
show lb vserver
Example
> bind lb vserver lbvip -policyName ns_cmp_msapp -priority 50
Done
> show lb vserver lbvip
lbvip (8.7.6.6:80) - HTTP Type: ADDRESS
State: DOWN
Last state change was at Wed Jul 15 05:54:24 2009 (+226 ms)
Time since last state change: 28 days, 01:57:26.350
Effective State: DOWN
Client Idle Timeout: 180 sec
Down state flush: ENABLED
Disable Primary Vserver On Down : DISABLED
Port Rewrite : DISABLED
No. of Bound Services : 0 (Total) 0 (Active)
Configured Method: LEASTCONNECTION
Mode: IP
Persistence: NONE
Vserver IP and Port insertion: OFF
Push: DISABLED Push VServer:
Push Multi Clients: NO
Push Label Rule: none
1) Policy : ns_cmp_msapp Priority:50
2) Policy : cf-pol Priority:1 Inherited
Done


1. Navigate to AppExpert > Rewrite > Policies.
2. In the details pane, select the rewrite policy you want to globally bind, and then click Policy Manager.
3. In the Rewrite Policy Manager dialog box, in the Bind Points menu, do one of the following:
   1. If you want to configure bindings for HTTP rewrite policies, click HTTP, and then click either Request or Response, depending on whether you want to configure request-based rewrite policies or response-based rewrite policies.
   2. If you want to configure bindings for TCP rewrite policies, click TCP, and then click either Client or Server, depending on whether you want to configure client-side TCP rewrite policies or server-side TCP rewrite policies.
4. Click the bind point to which you want to bind the rewrite policy. The Rewrite Policy Manager dialog box displays all the rewrite policies that are bound to the selected bind point.
5. Click Insert Policy to insert a new row and display a drop-down list with all available, unbound rewrite policies.
6. Click the policy you want to bind to the bind point. The policy is inserted into the list of rewrite policies bound to the bind point.
7. In the Priority column, you can change the priority to any positive integer. For more information about this parameter, see priority in "Parameters for binding a rewrite policy."
8. If you want to skip over policies and go directly to a specific policy in the event that the current policy is matched, change the value in the Goto Expression column to equal the priority of the next policy to be applied. For more information about this parameter, see gotoPriorityExpression in "Parameters for binding a rewrite policy."
9. To modify a policy, click the policy, and then click Modify Policy.
10. To unbind a policy, click the policy, and then click Unbind Policy.
11. To modify an action, in the Action column, click the action you want to modify, and then click Modify Action.
12. To modify an invoke label, in the Invoke column, click the invoke label you want to modify, and then click Modify Invoke Label.
13. To regenerate the priorities of all the policies that are bound to the bind point you are currently configuring, click Regenerate Priorities. The policies retain their existing priorities relative to the other policies, but the priorities are renumbered in multiples of ten.
14. Click Apply Changes.
15. Click Close. A message appears in the status bar, stating that the Policy has been configured successfully.

1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
2. In the details pane list of virtual servers, select the virtual server to which you want to bind the rewrite policy, and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, select the Policies tab. All policies configured on your NetScaler appear on the list.
4. Select the check box next to the name of the policy you want to bind to this virtual server.
5. Click OK. A message appears in the status bar, stating that the Policy has been configured successfully.


Jul 25, 2017

Example Inc. wants to modify the HTTP Server: header so that unauthorized users and malicious code cannot use the header to identify the software that the HTTP server uses. To modify the HTTP Server: header, you would create a rewrite action and a rewrite policy with the values in the following tables.

Action Name: Action-Rewrite-Server_Mask
Type of Rewrite Action: REPLACE
Expression to choose target reference: HTTP.RES.HEADER("Server")
String expression for replacement text: "Web Server 1.0"

Policy Name: Policy-Rewrite-Server_Mask
Action Name: Action-Rewrite-Server_Mask
Undefined Action: NOREWRITE
Expression: HTTP.RES.IS_VALID

You would then globally bind the rewrite policy, assigning a priority of 100 and setting the Goto Priority Expression of the policy to END. The HTTP Server: header is now modified to read “Web Server 1.0,” masking the actual HTTP server software used by the Example Inc. Web site.


Jul 25, 2017

Example Inc. wants to hide its actual server room configuration from users to improve security on its Web servers. To do this, you would create a rewrite action with the values as shown in the following tables. For request headers, the action in the table modifies www.example.com to web.hq.example.net. For response headers, the action does the opposite, translating web.hq.example.net to www.example.com.

Action Name: Action-Rewrite-Request_Server_Replace
Type of Rewrite Action: REPLACE
Expression to choose target reference: HTTP.REQ.HOSTNAME.SERVER
String expression for replacement text: "Web.hq.example.net"

Action Name: Action-Rewrite-Response_Server_Replace
Type of Rewrite Action: REPLACE
Expression to choose target reference: HTTP.RES.HEADER("Server")
String expression for replacement text: "www.example.com"

Next, you would create rewrite policies using the values shown in the following tables. The first policy checks incoming requests to see if they are valid, and if they are, it performs the Action-Rewrite-Request_Server_Replace action. The second policy checks responses to see if they originate at the server web.hq.example.net. If they do, it performs the Action-Rewrite-Response_Server_Replace action.

Policy Name: Policy-RewriteRequest_Server_Replace
Action Name: Action-Rewrite-Request_Server_Replace
Undefined Action: NOREWRITE
Expression: HTTP.REQ.HOSTNAME.SERVER.EQ("www.example.com")

Policy Name: Policy-RewriteResponse_Server_Replace
Action Name: Action-Rewrite-Response_Server_Replace
Undefined Action: NOREWRITE
Expression: HTTP.RES.HEADER("Server").EQ("web.hq.example.net")

Finally, you would bind the rewrite policies, assigning each a priority of 500 because they are in different policy banks and therefore will not conflict. You should set the goto expression to NEXT for both bindings. All instances of www.example.com in the request headers are now changed to web.hq.example.net, and all instances of web.hq.example.net in response headers are now changed to www.example.com.


Jul 25, 2017

Example Inc. wants to redirect query requests to the appropriate server, as shown here.

Request:
GET /query.cgi?server=5
Host: www.example.com
Redirect URL: http://web-5.example.com/

To implement this redirection, you would first create a rewrite action with the values in the following table.

Action Name: Action-RewriteReplace_Hostheader
Type of Rewrite Action: REPLACE
Expression to choose target reference: HTTP.REQ.HEADER("Host").BEFORE_STR(".example.com")
String expression for replacement text: "web-" + HTTP.REQ.URL.QUERY.VALUE("server")

You would then create a rewrite policy with the values in the following table.

Policy Name: Policy-RewriteReplace_Hostheader
Action Name: Action-RewriteReplace_Hostheader
Undefined Action: NOREWRITE
Expression: HTTP.REQ.HEADER("Host").EQ("www.example.com")

Finally, you would bind the rewrite policy, assigning it a priority of 900. Because this policy should be the last policy applied to a request that matches its criteria, you set the goto expression to END. Incoming requests to any URL that begins with http://www.example.com/query.cgi?server= are redirected to the server number in the query.


Jul 25, 2017

New Company, Inc. recently acquired a smaller competitor, Purchased Company, and wants to redirect the home page for Purchased Company to a new page on its own Web site, as shown here.

Old URL: http://www.purchasedcompany.com/*
New URL: http://www.newcompany.com/products/page.htm

To redirect requests to the Purchased Company home page, you would create rewrite actions with the values in the following table.

Action Name: Action-Rewrite-Replace_URL
Type of Rewrite Action: REPLACE
Expression to choose target reference: HTTP.REQ.URL.PATH_AND_QUERY
String expression for replacement text: "/products/page.htm"

Action Name: Action-RewriteReplace_Host
Type of Rewrite Action: REPLACE
Expression to choose target reference: HTTP.REQ.HOSTNAME
String expression for replacement text: "www.newcompany.com"

You would then create rewrite policies with the values in the following table.

Policy Name: PolicyRewriteReplaceNone
Action Name: Action-RewriteReplace-None
Undefined Action: NOREWRITE
Expression: !HTTP.REQ.HOSTNAME.SERVER.EQ("www.purchasedcompany.com")

Policy Name: PolicyRewriteReplaceHost
Action Name: Action-RewriteReplace_Host
Undefined Action: NOREWRITE
Expression: HTTP.REQ.HOSTNAME.SERVER.EQ("www.purchasedcompany.com")

Policy Name: PolicyRewriteReplaceURL
Action Name: Action-RewriteReplace_URL
Undefined Action: NOREWRITE
Expression: HTTP.REQ.IS_VALID

Finally, you would bind the rewrite policies globally, assigning the first a priority of 100, the second a priority of 200, and the third a priority of 300. These policies should be the last policies applied to a request that matches the criteria. For this reason, set the goto expression to END for the first and third policies, and to 300 for the second policy. This ensures that all remaining requests are processed correctly. Requests to the acquired company's old Web site are now redirected to the correct page on the New Company home page.
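The priority and goto behaviour described in the binding section, applied to the three Purchased Company bindings above, can be traced with a small model. This is an added example, not Citrix code: the class and function names are hypothetical, and it assumes that rules are tested against the request as received, that a numeric goto must name a later priority bound in the same bank, and that Action-RewriteReplace-None changes nothing.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    host: str
    path_and_query: str


@dataclass(frozen=True)
class Binding:
    policy: str
    priority: int                                   # lower number is evaluated first
    rule: Callable[[Request], bool]
    action: Optional[Callable[[Request], Request]]  # None: nothing is rewritten
    goto: str                                       # "NEXT", "END" or a priority number


def evaluate(bank: List[Binding], original: Request) -> Tuple[Request, List[str]]:
    """Walk one policy bank; return the rewritten request and the policies that matched."""
    ordered = sorted(bank, key=lambda b: b.priority)
    priorities = [b.priority for b in ordered]
    if len(set(priorities)) != len(priorities):
        raise ValueError("two bindings in one bank share a priority")
    result, matched, i = original, [], 0
    while i < len(ordered):
        b = ordered[i]
        if not b.rule(original):        # assumption: rules see the request as received
            i += 1
            continue
        matched.append(b.policy)
        if b.action is not None:
            result = b.action(result)
        if b.goto == "END":             # stop evaluating this bank
            break
        if b.goto == "NEXT":            # continue with the next priority
            i += 1
            continue
        target = int(b.goto)            # numeric goto: jump, skipping what lies between
        if target <= b.priority or target not in priorities:
            raise ValueError(f"{b.policy}: goto {target} is not a later bound priority")
        i = priorities.index(target)
    return result, matched


OLD_HOST = "www.purchasedcompany.com"


def is_old_host(r: Request) -> bool:
    return r.host.lower() == OLD_HOST


# The three global bindings from the example: priorities 100/200/300, goto END/300/END.
BANK = [
    Binding("PolicyRewriteReplaceNone", 100, lambda r: not is_old_host(r), None, "END"),
    Binding("PolicyRewriteReplaceHost", 200, is_old_host,
            lambda r: replace(r, host="www.newcompany.com"), "300"),
    Binding("PolicyRewriteReplaceURL", 300, lambda r: True,   # stands in for IS_VALID
            lambda r: replace(r, path_and_query="/products/page.htm"), "END"),
]


def with_goto(bank: List[Binding], policy: str, goto: str) -> List[Binding]:
    """Copy of the bank with one binding's goto expression changed (for what-if checks)."""
    return [replace(b, goto=goto) if b.policy == policy else b for b in bank]


if __name__ == "__main__":
    for req in (Request(OLD_HOST, "/index.html?x=1"), Request("www.example.org", "/a")):
        print(req, "->", evaluate(BANK, req))
    # Misbinding: NEXT instead of END on the first policy lets unrelated hosts
    # fall through to priority 300 and have their URL rewritten.
    loose = with_goto(BANK, "PolicyRewriteReplaceNone", "NEXT")
    print(evaluate(loose, Request("www.example.org", "/a")))
```

The what-if at the end shows why the first binding ends evaluation: with NEXT in its place, every request for another host reaches the always-true policy at priority 300.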


Jul 25, 2017

The URL transformation feature provides a method for modifying all URLs in designated requests from an external version seen by outside users to an internal URL seen only by your Web servers and IT staff. You can redirect user requests seamlessly, without exposing your network structure to users. You can also modify complex internal URLs that users may find difficult to remember into simpler, more easily remembered external URLs.

Note: Before you can use the URL transformation feature, you must enable the Rewrite feature. To enable the Rewrite feature, see Enabling the Rewrite Feature.

To begin configuring URL transformation, you create profiles, each describing a specific transformation. Within each profile, you create one or more actions that describe the transformation in detail. Next, you create policies, each of which identifies a type of HTTP request to transform, and you associate each policy with an appropriate profile. Finally, you globally bind each policy to put it into effect.


Jul 25, 2017

After you create a URL transformation profile, you next create a URL transformation policy to select the requests and responses that the NetScaler should transform by using the profile. URL transformation considers each request and the response to it as a single unit, so URL transformation policies are evaluated only when a request is received. If a policy matches, the NetScaler transforms both the request and the response.

Note: The URL transformation and rewrite features cannot both operate on the same HTTP header during request processing. Because of this, if you want to apply a URL transformation to a request, you must make sure that none of the HTTP headers it will modify are manipulated by any rewrite action.

You must create a new policy. On the command line, an existing policy can only be removed.

At the NetScaler command prompt, type the following commands to configure a URL transformation policy and verify the configuration:

    add transform policy
    show transform policy

Example

    > add transform policy polsearch HTTP.REQ.URL.SUFFIX.EQ("Searching") prosearching
     Done
    > show transform policy polsearch
    1) Name: polsearch
       Rule: HTTP.REQ.URL.SUFFIX.EQ("Searching")
       Profile: prosearching
       Priority: 0
       Hits: 0
     Done

At the NetScaler command prompt, type the following command to remove a URL transformation policy:

    rm transform policy

Example

    > rm transform policy polsearch
     Done

1. In the navigation pane, expand Rewrite, expand URL Transformation, and then click Policies.
2. In the details pane, do one of the following:
   To create a new policy, click Add.
   To modify an existing policy, select the policy, and then click Open.
3. In the Create URL Transformation Policy or Configure URL Transformation Policy dialog box, type or select values for the parameters. The contents of the dialog box correspond to the parameters described in "Parameters for configuring URL transformation policies" as follows (asterisk indicates a required parameter):
   Name*: name (Cannot be changed for a previously configured policy.)
   Profile*: profileName
   Expression: rule


If you want help with creating an expression for a new policy, hold down the Control key and press the space bar while your cursor is in the Expression text box. To create the expression, you can type it directly as described below, or you can use the Add Expression dialog box as described in To add an expression by using the Add Expression dialog box.

1. Click Prefix, and choose the prefix for your expression. Your choices are:
   HTTP: The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol.
   SYS: The protected Web site(s). Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
   CLIENT: The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
   SERVER: The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.
   URL: The URL of the request. Choose this if you want to examine some aspect of the URL to which the request was sent.
   TEXT: Any text string in the request. Choose this if you want to examine a text string in the request.
   TARGET: The target of the request. Choose this if you want to examine some aspect of the request target.
   After you choose a prefix, the NetScaler displays a two-part prompt window that displays the possible next choices at the top, and a brief explanation of what the selected choice means at the bottom. The choices depend on which prefix you chose.
2. Select your next term. If you chose HTTP as your prefix, your choices are REQ, which specifies HTTP requests, and RES, which specifies HTTP responses. If you chose another prefix, your choices are more varied. For help on a specific choice, click that choice once to display information about it in the lower prompt window. When you are certain which choice you want, double-click it to insert it into the Expression window.
3. Type a period, and then continue selecting terms from the list boxes that appear to the right of the previous list box. You type the appropriate text strings or numbers in the text boxes that appear to prompt you to enter a value, until your expression is finished.
4. Click Create or OK, depending on whether you are creating a new policy or modifying an existing policy.
5. Click Close. A message appears in the status bar, stating that the Policy has been configured successfully.

1. In the Create Responder Action or Configure Responder Action dialog box, click Add.
2. In the Add Expression dialog box, in the first list box choose the first term for your expression.
   HTTP: The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol.
   SYS: The protected Web site(s). Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
   CLIENT: The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
   SERVER: The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.
   URL: The URL of the request. Choose this if you want to examine some aspect of the URL to which the request was sent.
   TEXT: Any text string in the request. Choose this if you want to examine a text string in the request.
   TARGET: The target of the request. Choose this if you want to examine some aspect of the request target.
   When you make your choice, the rightmost list box lists appropriate terms for the next part of your expression.
3. In the second list box, choose the second term for your expression. The choices depend upon which choice you made in the previous step, and are appropriate to the context. After you make your second choice, the Help window below the Construct Expression window (which was blank) displays help describing the purpose and use of the term you just chose.
4. Continue choosing terms from the list boxes that appear to the right of the previous list box, or typing strings or numbers in the text boxes that appear to prompt you to enter a value, until your expression is finished.


Jul 25, 2017

To get started with an AppExpert application, you must first obtain an application template and import the template to a NetScaler appliance. After the AppExpert application is set up, you must verify that the application is working correctly. If required, you can customize the configuration to suit your requirements. Periodically, you can verify and monitor the configuration by viewing the hit counters for various application components. You can also configure authentication, authorization, and auditing (AAA) policies for the application.

The process of setting up an application can be done in two ways:

1. Using a prebuilt application template.
2. Creating a custom application without using a template.

If you prefer to set up the application by using a prebuilt application template, do the following:

1. Download an application template.
2. Import template files to the NetScaler appliance.
3. Verify application setup.
4. Configure application and deployment settings.
5. Export the configuration to new template files (optional).
6. Import the template files to other NetScaler appliances that require a similar AppExpert application configuration.

Citrix NetScaler's video tutorials help you understand NetScaler features in an easy and simple way. Watch the video at http://www.youtube.com/watch?v=aqayflvCR_0 to learn how to set up an application using an AppExpert application template.


Jul 25, 2017

After you set up an AppExpert application and customize it to suit your requirements, you can create a template from the configuration and then share the template with other administrators. Or, you can create a template and then import the template to other NetScaler appliances that require a similar AppExpert application configuration. This simplifies and expedites the process of setting up similar applications on other appliances.

AppExpert application template files can be exported either to the template directory on the NetScaler appliance or to a folder on your local computer. You can then upload and download the templates to and from the NetScaler appliance and rename the templates that are stored in the AppExpert application templates directory on your appliance.

This document includes the following information:

- Exporting an AppExpert Application to a Template File
- Uploading and Download Template Files
- Understanding NetScaler Application Templates and Deployment Files
- Deleting an Application Template


Jul 25, 2017

Template files can be uploaded from your local computer to the NetScaler appliance or downloaded from the appliance to your local computer. On the appliance, AppExpert application templates are always stored in the AppExpert application templates directory, which is /nsconfig/nstemplates/applications/.

1. Navigate to AppExpert > Templates.
2. In the details pane, click Manage Templates.
3. In the Manage Application Templates dialog box, click Application Templates, and then click Upload.
4. In the Upload Application Template dialog box, browse to the directory in which the template file is stored, click the template file, and then click Select.

The template file is uploaded to the AppExpert application template directory on the appliance.

1. Navigate to AppExpert > Templates.
2. In the details pane, click Manage Templates.
3. In the Manage Application Templates dialog box, click the AppExpert application template that you want to download, and click Download.
4. In the Download Application Template dialog box, browse to the location to which you want to save the file, and then click Save.


Jul 25, 2017

When you export a NetScaler application, the following two files are automatically created:

- NetScaler application template file. Contains application-configuration information such as application units, rules, and configured policies.
- Deployment file. Contains deployment-specific information such as public endpoints, services, associated IP addresses, and configured variables.

In a template file or deployment file, each unit of application-configuration information is encapsulated in a specific XML element that is meant for that unit type. For example, each public endpoint and associated endpoint details are encapsulated within the and tags, and all the endpoint elements are encapsulated within the and tags.

Note: After you export a NetScaler application, you can add elements, remove elements, and modify existing elements before importing the application to a NetScaler appliance.

Following is an example of a template file that was created from a NetScaler application called "SharePoint_Team_Site":

Following is the deployment file associated with the "SharePoint_Team_Site" application in the preceding example:

SharePoint_Team_Site 1 1 Ed An application for managing a SharePoint team site with images, reports, and, XML content. This template includes variables 9 3 38 10.111.111.1 80 HTTP 10.102.29.5 80 HTTP .


. .
. . .
body_size Evaluation Scope 10000 . . . . . .



Jul 25, 2017

For a network resource that you add to Other Resources, you must configure a classic expression that identifies the subset of traffic associated with the resource. For more information about configuring a classic expression, see the .

1. In the navigation pane of the NetScaler configuration utility, expand AppExpert, and then click Access Gateway Applications.
2. In the details pane, do one of the following:
   - To add a resource, click Other Resources, and then click Add.
   - To modify a resource, click a resource, and then click Open.
3. In the Create Resource or Configure Resource dialog box, do the following:
   1. In the Name box, type a name for the resource you are adding. This parameter cannot be changed for an existing resource.
   2. In the Rule box, type the rule that will identify the subset of traffic that is associated with the resource you are adding. Alternatively, click Configure, and then create the rule in the Create Expression dialog box.
   3. Click Create or OK, and then click Close.


Configuring Clientless Access Policies

Jul 25, 2017

Clientless access, when configured for a resource on the NetScaler appliance, allows end-users to access the resource without using the NetScaler Gateway client software. Users can use web browsers to access resources such as Outlook Web Access. You configure clientless access for a resource by configuring a clientless access policy that is associated with a clientless access profile.

To configure a clientless access policy for a resource in the NetScaler Gateway Applications node

1. In the navigation pane of the NetScaler configuration utility, expand AppExpert, and then click Access Gateway Applications.
2. In the details pane, in the Clientless Access column, click the icon for the application, file share, intranet subnet, or resource for which you want to configure a clientless access policy.
3. In the Configure Clientless Access Policies dialog box, do the following:
   - To specify an existing clientless access policy, click Insert Policy, and then, in the Policy Name column, click the name of the policy.
   - To configure a new clientless access policy, click Insert Policy, and then, in the Policy Name column, click New Policy. In the Create Clientless Access Policy dialog box, in the Name box, after the underscore (_), type a name for the policy. Then, in Profile, either select an existing profile or click New to configure a new profile. You can also select an existing profile and then click Modify to modify the profile. For more information about configuring a clientless access policy or profile, see NetScaler Gateway, Enterprise Edition at http://edocs.citrix.com/.
   - To modify a policy that you have inserted, in the Policy Name column, click the policy name, and then click Modify Policy.
   - To modify only the associated profile, in the Profile column, click the name of the profile, and then click Modify Profile.
   - To specify a new priority value for a policy, in the Priority column, double-click the assigned priority, and then enter the value you want.
   - To unbind a policy, click the policy, and then click Unbind Policy.
4. Click Apply Changes, and then click Close.


Configuring TCP Compression Policies

Jul 25, 2017

You can configure TCP compression policies for an application to increase the performance of the application. TCP compression reduces network latency, reduces bandwidth requirements, and increases the speed of transmission. When configuring a TCP compression policy, you associate a compression action with the policy. The compression action specifies either Compress, GZIP, Deflate, or NoCompress as the compression type. For more information about the compression policies, and compression actions, see NetScaler Gateway, Enterprise Edition at http://edocs.citrix.com/.

To configure a TCP compression policy for a resource in the NetScaler Gateway Applications node

1. In the navigation pane of the NetScaler configuration utility, expand AppExpert, and then click Access Gateway Applications.
2. In the details pane, in the TCP Compression column, click the icon for the application, file share, intranet subnet, or resource for which you want to configure a TCP compression policy.
3. In the Configure TCP Compression Policies dialog box, do the following:
   - To specify an existing TCP compression policy, click Insert Policy, and then, in the Policy Name column, click the name of the policy.
   - To create a new TCP compression policy, click Insert Policy, and then, in the Policy Name column, click New Policy. In the Create TCP Compression Policy dialog box, in the Policy Name box, after the underscore ("_"), type a name for the policy. Then, in Action, either select an existing action or click New and configure a new action. You can also click View to view the configured compression type. For more information about configuring a TCP compression policy or action, see NetScaler Gateway, Enterprise Edition at http://edocs.citrix.com/.
   - To modify a policy that you have inserted, in the Policy Name column, click the policy name, and then click Modify Policy.
   - To regenerate the priorities assigned to the policies, click Regenerate Priorities.
   - To specify a new priority value for a policy, in the Priority column, double-click the assigned priority, and then enter the value you want.
   - To unbind a policy, click the policy, and then click Unbind Policy.
4. Click Apply Changes, and then click Close.


Configuring URL Set

Jul 25, 2017

You can perform the following tasks to configure a URL set and restrict URLs on a NetScaler platform:

1. Import a URL set (download and encrypt it). Importing a URL set into a NetScaler appliance downloads the URL file, adds the file to the appliance, and then encrypts the file. Until you add the URL set to the system, it is not visible to the user. You can download a set in the following ways:
   1. Download a URL set once from a specific URL. HTTP and HTTPS are supported for the file download.
   2. Download a URL set using FTP.
   3. Download a URL set periodically, using a scheduler that periodically downloads or imports URL sets, for example, the IWF URL set. The time interval is set in seconds, for example, http://10.29.102.200/urls.txt -interval 3600.

   Sample URL set without metadata: http://10.102.145.135/top10k

   Sample URL set with metadata: http://10.102.145.135/blacklists/audio-video/categorized_av

   The imported URL set is further categorized into different categories and category groups in the database. This is valid only if categories exist in the metadata of the URL set file.

   Note: You might have URL patterns without metadata.

   Once you have downloaded the file, it is pushed into the appliance, and at this point you can update, delete, or display file properties. After the file is pushed into the appliance, you can modify the entries by adding further rows as it remains static. The imported set is then stored in an encrypted file format on the NetScaler directory. The imported list contains millions of URL entries. Otherwise, the appliance returns an error message saying that the value exceeds the limit. If the imported URL set has blacklisted entries with metadata, the metadata is detected by the appliance when it is imported.

   Once you import a URL set and add it into the appliance, the URL set is available for advanced policies to identify the correct URL set during incoming URL evaluation.

   HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).URLSET_MATCHES_ANY()

2. Updating a URL set on the NetScaler appliance. Once you have pushed the file into the appliance, you can manually update a URL file by using the command line interface.
3. Exporting a URL set. If you prefer a backup of the URL set, you can export the list of URL patterns and save a copy of it to a destination URL. Before you export, check whether the URL set is marked as private. If it is marked private, the URL set cannot be exported.
4. Removing a URL set. If you want to delete a URL set of blacklisted entries, you can use the remove command to delete the URL set from the NetScaler appliance.
5. Displaying a URL set. You can display the properties of a URL set by using the show command. Example:

    > show urlset
    Name: top100
    PatternCount: 100
    Delimiter:
    RowSeparator:
    Interval: 0
    Done

To import a URL set with metadata by using the command line interface

At the command prompt, type:

    import urlset [-overwrite] [-delimiter ] [-rowSeparator ] [-url] [-interval ]

Where:

- delimiter is the CSV file record delimiter, with a default value of 44.
- rowSeparator is the CSV file row separator, with a default value of 10.
- interval is the time interval, in seconds, rounded to the nearest 15 minutes, at which the URL set is updated.
- CanaryURL is a URL used for testing when the contents of the URL set are kept confidential.

To show a URL set by using the command line interface

At the command prompt, type:

    show urlset

To export a URL set by using the command line interface

At the command prompt, type:

    export urlset

To add a URL set by using the command line interface

At the command prompt, type:

    add urlset

To update a URL set by using the command line interface

At the command prompt, type:

    update urlset

To remove a URL set by using the command line interface

At the command prompt, type:

    remove urlset

Example

    import policy urlset top-1k -url http://10.78.79.80/alytra/top-1k.csv -delimiter "," -rowSeparator "\n" -interval 10 -privateSet -overw

    add policy urlset top1k

    update policy urlset top1k

    sh policy urlset

    sh policy urlset top1k

    export policy urlset urlset1 -url http://www.example.com/PUT_file_1

    import policy urlset top10k -url http://10.102.145.135/top10k -private

    add policy urlset top10k

    update policy urlset top10k

    show policy urlset top10k

To import a URL set by using the NetScaler GUI

Navigate to AppExpert > URL Sets, click Import to download the URL set.

To add a URL set by using the NetScaler GUI

Navigate to AppExpert > URL Sets, click Add to create a URL set file for the downloaded URL set.

To edit a URL set by using the NetScaler GUI

Navigate to AppExpert > URL Sets, select a URL set and click Edit to modify.

To update a URL set by using the NetScaler GUI

Navigate to AppExpert > URL Sets, select a URL set and click Update URL Set to update URL set with the latest modifications made to the file.

To export a URL set by using the NetScaler GUI

Navigate to AppExpert > URL Sets, select a URL set and click Export URL Set to export the URL patterns in a set to a destination URL and save it in that location.
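Added example (not part of the Citrix documentation): a pre-import check for a URL set file that uses the import command's delimiter and rowSeparator ASCII codes and reports rows that would not line up with the hostname-plus-URL string built by HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL). The sample feed, the function names, and the model of URLSET_MATCHES_ANY as an exact match on a lower-cased, port-less hostname are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample feed (not from the page): field 1 is the URL pattern,
# field 2 is metadata (a category). It holds one entry with a scheme,
# one case-variant duplicate and one blank row.
SAMPLE_FEED = (
    "bad.example.test/login,phishing\n"
    "http://media.example.test/stream,audio-video\n"
    "BAD.example.test/login,phishing\n"
    "\n"
    "files.example.test/,malware\n"
)

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def normalize(pattern):
    """Reduce a string to hostname + URL, the form that
    HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL) produces for a request.
    Assumption: hostname is lower-cased and carries no port; the path and
    query keep their case. Returns "" when no hostname can be found."""
    text = pattern.strip()
    if not _SCHEME.match(text):
        text = "//" + text  # make urlsplit read the leading label as the host
    parts = urlsplit(text)
    host = parts.hostname or ""  # urlsplit lower-cases and drops the port
    if not host:
        return ""
    url = parts.path or "/"
    if parts.query:
        url += "?" + parts.query
    return host + url


def load_urlset(text, delimiter=44, row_separator=10):
    """Parse a feed with the import command's conventions: delimiter and
    rowSeparator are ASCII codes (defaults 44 and 10, as on the page).
    Returns ({normalized pattern: metadata fields}, report counters)."""
    report = {"rows": 0, "blank": 0, "rewritten": 0,
              "duplicate": 0, "rejected": 0}
    entries = {}
    rows = text.split(chr(row_separator))
    if rows and rows[-1] == "":
        rows.pop()  # a trailing row separator is not an extra row
    for row in rows:
        report["rows"] += 1
        fields = [f.strip() for f in row.rstrip("\r").split(chr(delimiter))]
        if not fields[0]:
            report["blank"] += 1
            continue
        try:
            key = normalize(fields[0])
        except ValueError:  # malformed host, e.g. an unclosed IPv6 literal
            key = ""
        if not key:
            report["rejected"] += 1
            continue
        if key != fields[0]:
            report["rewritten"] += 1  # scheme, port or upper-case host removed
        if key in entries:
            report["duplicate"] += 1
            continue
        entries[key] = fields[1:]  # empty list when the row has no metadata
    return entries, report


def is_listed(entries, host_header, url):
    """Model URLSET_MATCHES_ANY as exact membership of hostname + URL."""
    return normalize(host_header + url) in entries


if __name__ == "__main__":
    urlset, summary = load_urlset(SAMPLE_FEED)
    print(summary)
    for key, meta in urlset.items():
        print(key, meta)
    print(is_listed(urlset, "Bad.Example.Test:8080", "/login"))
```

A non-zero "rewritten" count marks rows to correct in the source file before running import policy urlset.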


Exporting Performance Data of Web Pages to AppFlow Collector

Jul 25, 2017

The EdgeSight Monitoring application provides web page monitoring data with which you can monitor the performance of various Web applications served in a NetScaler environment. You can now export this data to AppFlow collectors to get an in-depth analysis of the web page applications. AppFlow, which is based on the IPFIX standard, provides more specific information about web application performance than does EdgeSight monitoring alone.

You can configure both load balancing and content switching virtual servers to export EdgeSight Monitoring data to AppFlow collectors. Before configuring a virtual server for AppFlow export, associate an AppFlow action with the EdgeSight Monitoring responder policy.

The following web page performance data is exported to AppFlow:

- Page Load Time. Elapsed time, in milliseconds, from when the browser starts to receive the first byte of a response until the user starts to interact with the page. At this stage, all the page content might not be loaded.
- Page Render Time. Elapsed time, in milliseconds, from when the browser receives the first byte of response until either all page content has been rendered or the page load action has timed out.
- Time Spent on the Page. Time spent by users on a page. Represents the period of time from one page request to the next one.

AppFlow transmits the performance data by using the Internet Protocol Flow Information eXport (IPFIX) format, which is an open Internet Engineering Task Force (IETF) standard defined in RFC 5101. The AppFlow templates use the following enterprise-specific Information Elements (EIEs) to export the information:

- Client Load End Time. Time at which the browser received the last byte of a response to load all the objects of the page such as images, scripts, and stylesheets.
- Client Load Start Time. Time at which the browser receives the first byte of the response to load any objects of the page such as images, scripts, and stylesheets.
- Client Render End Time. Time at which browser finished rendering the entire page, including the embedded objects.
- Client Render Start Time. Time at which the browser started rendering the page.

This topic includes the following details:

- Prerequisites for Exporting Performance Data of Web Pages to AppFlow Collectors
- Associating an AppFlow Action with the EdgeSight Monitoring Responder Policy

Prerequisites for Exporting Performance Data of Web Pages to AppFlow Collectors

Updated: 2013-09-13

Before associating the AppFlow action with the AppFlow policy, verify that the following prerequisites have been met:

The AppFlow feature has been enabled and configured. For instructions, see "Configuring the AppFlow feature".
The Responder feature has been enabled. For instructions, see "Enabling a Responder Feature".
The EdgeSight Monitoring feature has been enabled. For instructions, see "Enabling an Application for EdgeSight Monitoring."
EdgeSight Monitoring has been enabled on the load balancing or content switching virtual servers bound to the services of applications for which you want to collect the performance data. For instructions, see "Enabling an Application for EdgeSight Monitoring."

Associating an AppFlow Action with the EdgeSight Monitoring Responder Policy

Updated: 2013-10-31

To export the web page performance data to the AppFlow collector, you must associate an AppFlow action with the EdgeSight Monitoring responder policy. An AppFlow action specifies which set of collectors receive the traffic.

To associate an AppFlow action with the EdgeSight Monitoring Responder policy by using the command line interface

At the command prompt, type:

set responder policy -appflowAction

Example

set responder policy pol -appflowAction actn

To associate an AppFlow action with the EdgeSight Monitoring Responder policy by using the configuration utility

1. Navigate to AppExpert > Responder > Policies.
2. In the details pane, select an EdgeSight Monitoring responder policy, and then click Open.
3. In the Configure Responder Policy dialog box, in the AppFlow Action drop-down list, select the AppFlow action associated with the collectors to which you want to send the web-page performance data.
4. Click OK.

Configuring a Virtual Server to Export EdgeSight Statistics to AppFlow Collectors

To export EdgeSight statistics information from a virtual server to the AppFlow collector, you must associate an AppFlow action with the virtual server.

To associate an AppFlow action with a Load Balancing or Content Switching virtual server by using the configuration utility

1. Navigate to Traffic Management > Load Balancing > Virtual Servers or Traffic Management > Content Switching > Virtual Servers.
2. In the details pane, select a virtual server, or multiple virtual servers, and then click Enable EdgeSight Monitoring.
3. In the Enable EdgeSight Monitoring dialog box, select the Export EdgeSight statistics to Appflow check box.
4. From the Appflow Action drop-down list, select the AppFlow action. The AppFlow action defines the list of AppFlow collectors to which it exports EdgeSight Monitoring statistics. If you have selected multiple load balancing virtual servers, the same AppFlow action is associated with the responder policies bound to them. You can later change the AppFlow action configured for each of the selected load balancing virtual servers individually, if required.
5. Click OK.
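A collector that receives this export has to decode IPFIX template sets before it can read any record, and the enterprise-specific Information Elements change the field layout: the top bit of the element ID is set and a 4-byte enterprise number follows the field length. The sketch below is an added example, not Citrix code; the enterprise number (the RFC 5612 documentation value) and the element IDs in the sample are constructed placeholders, so take the real ones from the templates your appliance sends.

```python
"""Decode IPFIX template sets, including enterprise-specific field specifiers."""
import struct

IPFIX_VERSION = 10        # version number carried in every IPFIX message header
TEMPLATE_SET_ID = 2       # set ID reserved for template sets
EXAMPLE_PEN = 32473       # documentation enterprise number (RFC 5612), not Citrix's

# Constructed mapping for this example only: the element IDs are placeholders;
# read the real IDs from the templates your appliance exports.
EXAMPLE_EIE_NAMES = {
    1: "Client Load Start Time",
    2: "Client Load End Time",
    3: "Client Render Start Time",
    4: "Client Render End Time",
}


def parse_template_set(msg, pos, end):
    """Parse template records in msg[pos:end] into {template_id: [fields]}."""
    templates = {}
    while pos + 4 <= end:
        template_id, field_count = struct.unpack_from("!HH", msg, pos)
        if template_id < 256:          # IDs below 256 are reserved: treat as padding
            break
        pos += 4
        fields = []
        for _ in range(field_count):
            if pos + 4 > end:
                raise ValueError("field specifier runs past end of set")
            element_id, length = struct.unpack_from("!HH", msg, pos)
            pos += 4
            enterprise = None
            if element_id & 0x8000:    # enterprise bit: a 4-byte enterprise number follows
                if pos + 4 > end:
                    raise ValueError("enterprise number runs past end of set")
                (enterprise,) = struct.unpack_from("!I", msg, pos)
                pos += 4
                element_id &= 0x7FFF
            fields.append((enterprise, element_id, length))
        templates[template_id] = fields
    return templates


def parse_templates(msg):
    """Return every template in one IPFIX message, validating all length fields."""
    if len(msg) < 16:
        raise ValueError("message shorter than the 16-byte IPFIX header")
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != IPFIX_VERSION:
        raise ValueError("not an IPFIX message (version %d)" % version)
    if length < 16 or length > len(msg):
        raise ValueError("header length does not match the data received")
    templates = {}
    pos = 16
    while pos < length:
        if pos + 4 > length:
            raise ValueError("truncated set header")
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        if set_len < 4 or pos + set_len > length:
            raise ValueError("set length out of bounds")
        if set_id == TEMPLATE_SET_ID:
            templates.update(parse_template_set(msg, pos + 4, pos + set_len))
        pos += set_len
    return templates


def enterprise_fields(templates):
    """List (template_id, enterprise_number, element_id, length) for EIE fields."""
    return [(tid, pen, eid, length)
            for tid, fields in sorted(templates.items())
            for pen, eid, length in fields if pen is not None]


def build_sample():
    """Constructed message: template 256 with two IANA fields and four EIEs."""
    fields = struct.pack("!HH", 8, 4) + struct.pack("!HH", 12, 4)   # IPv4 src, dst
    for element_id in sorted(EXAMPLE_EIE_NAMES):
        fields += struct.pack("!HHI", 0x8000 | element_id, 8, EXAMPLE_PEN)
    record = struct.pack("!HH", 256, 6) + fields
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(record)) + record
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(template_set), 0, 0, 1)
    return header + template_set


if __name__ == "__main__":
    for tid, pen, eid, length in enterprise_fields(parse_templates(build_sample())):
        print(tid, pen, EXAMPLE_EIE_NAMES.get(eid, "unknown"), length)
```

Every length field is checked against the bytes actually received, so a truncated or malformed export raises ValueError instead of being decoded past its end.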


Introduction

Jul 25, 2017

The Citrix NetScaler Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to web sites that access sensitive business or customer information. It does so by filtering both requests and responses, examining them for evidence of malicious activity, and blocking those that exhibit such activity. Your site is protected not only from common types of attacks, but also from new, as yet unknown attacks. In addition to protecting web servers and web sites from unauthorized access and misuse by hackers and malicious programs, the application firewall provides protection against security vulnerabilities in legacy CGI code or scripts, other web frameworks, web server software, and the underlying operating systems.

The NetScaler Application Firewall is available as a stand-alone appliance, or as a feature on a Citrix NetScaler application delivery controller (ADC) or Citrix NetScaler virtual appliance (VPX). In the application firewall documentation, the term NetScaler ADC refers to the platform on which the application firewall is running, regardless of whether that platform is a dedicated firewall appliance, a NetScaler ADC on which other features have also been configured, or a NetScaler VPX.

To use the application firewall, you must create at least one security configuration to block connections that violate the rules that you set for your protected web sites. The number of security configurations that you might want to create depends on the complexity of your web site. In some cases, a single configuration is sufficient. In other cases, particularly those that include interactive web sites, web sites that access database servers, online stores with shopping carts, you might need several different configurations to best protect sensitive data without wasting significant effort on content that is not vulnerable to certain types of attacks.

You can often leave the defaults for the global settings, which affect all security configurations, unchanged. However, you can change the global settings if they conflict with other parts of your configuration or you prefer to customize them.


Jul 25, 2017

Before you can create an application firewall security configuration, you must make sure that the application firewall feature is enabled. If you are configuring a dedicated Citrix Application Firewall ADC or are upgrading an existing Citrix NetScaler ADC or VPX, the feature is already enabled. You do not have to perform either of the procedures described here. If you have a new NetScaler ADC or VPX, you need to enable the application firewall feature before you configure it. If you are upgrading a NetScaler ADC or VPX from a previous version of the NetScaler operating system to the current version, you might need to enable the application firewall feature before you configure it. Note: If you are upgrading a NetScaler ADC or VPX from a previous version, you might also need to update the licenses on your ADC or VPX before you can enable the application firewall. Check with your Citrix representative or reseller to obtain the correct license. You can enable the application firewall by using the command line or the configuration utility.

At the command prompt, type the following command:

enable ns feature AppFW

1. Navigate to System > Settings.
2. In the details pane, click Configure Basic Features.
3. In the Configure Basic Features dialog box, check the Application Firewall check box.
4. Click OK.


Jul 25, 2017

If you want to bind a profile to a bind point other than Global, you must manually configure the binding. Also, certain security checks require that you either manually enter the necessary exceptions or enable the learning feature to generate the exceptions that your Web sites and Web services need. Some of these tasks cannot be performed by using the application firewall wizard. If you are familiar with how the application firewall works and prefer manual configuration, you can manually configure a signatures object and a profile, associate the signatures object with the profile, create a policy with a rule that matches the web traffic that you want to configure, and associate the policy with the profile. You then bind the policy to Global, or to a bind point, to put it into effect, and you have created a complete security configuration. For manual configuration, you can use the configuration utility (a graphical interface) or the command line. Citrix recommends that you use the configuration utility. Not all configuration tasks can be performed at the command line. Certain tasks, such as enabling signatures and reviewing learned data, must be done in the configuration utility. Most other tasks are easier to perform in the configuration utility.

When you use the configuration utility (GUI) or the command line interface (CLI) to manually configure the application firewall, the configuration is saved in the /nsconfig/ns.conf file. You can use the commands in that file to replicate the configuration on another appliance. You can cut and paste the commands into the CLI one by one, or you can save multiple commands in a text file in the /var/tmp folder and run them as a batch file. Following is an example of running a batch file containing commands copied from the /nsconfig/ns.conf file of a different appliance:

> batch -f /var/tmp/appfw_add.txt

Import commands are not saved in the ns.conf file. Before running commands from the ns.conf file to replicate the configuration on another appliance, you must import all the objects used in the configuration (for example, signatures, error page, WSDL, and Schema) to the appliance on which you will replicate the configuration. The add command to add an application firewall profile saved in an ns.conf file might include the name of an imported object, but such a command might fail when executed on another appliance if the referenced object does not exist on that appliance.
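One way to check a batch file before running it on the target appliance is to list the imported objects that its profile commands reference and compare them with what already exists there. This is an added example, not part of the Citrix documentation: it assumes that the -signatures, -HTMLErrorObject and -XMLErrorObject profile parameters carry the object names, and the profile names, error page names and target inventory in the sample are constructed.

```python
"""Pre-check a batch file of ns.conf commands for objects that must be imported first."""
import shlex

# Assumption for this example: these application firewall profile parameters
# name an imported object. Extend the map for other object types (WSDL, schema).
OBJECT_OPTIONS = {
    "-signatures": "signatures",
    "-htmlerrorobject": "HTML error page",
    "-xmlerrorobject": "XML error page",
}
PROFILE_COMMANDS = (["add", "appfw", "profile"], ["set", "appfw", "profile"])


def referenced_objects(batch_text):
    """Return (line_no, profile, kind, name) for each object a profile refers to."""
    refs = []
    for line_no, raw in enumerate(batch_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)      # honours the quoting used in ns.conf
        except ValueError:
            # Unbalanced quotes: report the line rather than silently skipping it.
            refs.append((line_no, None, "unparseable line", line))
            continue
        if len(tokens) < 4 or [t.lower() for t in tokens[:3]] not in PROFILE_COMMANDS:
            continue
        profile = tokens[3]
        for i in range(4, len(tokens) - 1):
            kind = OBJECT_OPTIONS.get(tokens[i].lower())
            if kind is not None:
                refs.append((line_no, profile, kind, tokens[i + 1]))
    return refs


def missing_imports(batch_text, present_on_target):
    """Return the references whose (kind, name) is absent from the target appliance."""
    return [ref for ref in referenced_objects(batch_text)
            if (ref[2], ref[3]) not in present_on_target]


# Constructed sample: commands as they might be copied from another appliance.
SAMPLE_BATCH = "\n".join([
    "add appfw profile pr_store -defaults advanced -signatures MySignatures"
    " -HTMLErrorObject store_err",
    "add appfw profile pr_api -defaults basic -XMLErrorObject api_err",
    r'add appfw policy pl_store "HTTP.REQ.URL.STARTSWITH(\"/store\")" pr_store',
    "bind appfw global pl_store 10",
])
# Constructed inventory of objects already imported on the target appliance.
SAMPLE_TARGET = {("signatures", "MySignatures")}

if __name__ == "__main__":
    for line_no, profile, kind, name in missing_imports(SAMPLE_BATCH, SAMPLE_TARGET):
        print("line %d: profile %s needs %s %r imported first"
              % (line_no, profile, kind, name))
```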


Jul 25, 2017

You should update your signatures objects frequently to ensure that your application firewall is providing protection against current threats. You should regularly update both the default application firewall signatures and any signatures that you import from a supported vulnerability scanning tool. Citrix regularly updates the default signatures for the application firewall. You can update the default signatures manually or automatically. In either case, ask your Citrix representative or Citrix reseller for the URL to access the updates. You can enable automatic updates of the Citrix native format signatures in the "Engine Settings" and "Signature Auto Update Settings" dialog boxes. Most makers of vulnerability scanning tools regularly update the tools. Most web sites also change frequently. You should update your tool and rescan your web sites regularly, exporting the resulting signatures to a file and importing them into your application firewall configuration.

When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.

The following applies to merging a third-party signature object with a user-defined signature object with native rules and user-added rules: When version 0 signatures are merged with a new imported file, the resultant signatures remain at version 0. This means that all native (or built-in) rules in the imported file are ignored after the merge. This ensures that the version 0 signatures are maintained as is after a merge. To include the native rules in the imported file in the merge, first update the existing signatures from version 0 before the merge. This means that you need to abandon the version 0 nature of the existing signatures.

At the command prompt, type the following commands:

update appfw signatures [-mergedefault]
save ns config

The following example updates the signatures object named MySignatures from the default signatures object, merging new signatures in the default signatures object with the existing signatures. This command does not overwrite any user-created signatures or signatures imported from another source, such as an approved vulnerability scanning tool.

update appfw signatures MySignatures -mergedefault
save ns config

Updated: 2014-10-06 Citrix regularly updates the signatures for the Application Firewall. You should regularly update the signatures on your Application Firewall to ensure that your Application Firewall is using the most current list. Ask your Citrix representative or Citrix reseller for the URL to access the updates.

At the command prompt, type the following commands:

update appfw signatures [-mergeDefault]
save ns config

1. Navigate to Security > Application Firewall > Signatures.
2. In the details pane, select the signatures object that you want to update.
3. In the Action drop-down list, select Merge.
4. In the Update Signatures Object dialog box, choose one of the following options.
   Import from URL — Choose this option if you download signature updates from a web URL.
   Import from Local File — Choose this option if you import signature updates from a file on your local hard drive, network hard drive, or other storage device.
5. In the text area, type the URL, or type or browse to the local file.
6. Click Update. The update file is imported, and the Update Signatures dialog box changes to a format nearly identical to that of the Modify Signatures Object dialog box. The Update Signatures Object dialog box displays all branches with new or modified signature rules, SQL injection or cross-site scripting patterns, and XPath injection patterns if there are any.
7. Review and configure the new and modified signatures.
8. When you are finished, click OK, and then click Close.

Updated: 2014-01-17 Note: Before you update a signatures object from a file, you must create the file by exporting signatures from the vulnerability scanning tool.

1. Navigate to Security > Application Firewall > Signatures.
2. In the details pane, select the signatures object that you want to update, and then click Merge.
3. In the Update Signatures Object dialog box, on the External Format tab, Import section, choose one of the following options.
   Import from URL — Choose this option if you download signature updates from a Web URL.
   Import from Local File — Choose this option if you import signature updates from a file on your local or a network hard drive or other storage device.
4. In the text area, type the URL, or browse or type the path to the local file.
5. In the XSLT section, choose one of the following options.
   Use Built-in XSLT File — Choose this option if you want to use a built-in XSLT file.
   Use Local XSLT File — Choose this option to use an XSLT file on your local computer.
   Reference XSLT from URL — Choose this option to import an XSLT file from a web URL.
6. If you chose Use Built-in XSLT File, in the Built-In XSLT drop-down list select the file that you want to use from the following options:
   Cenzic
   Deep_Security_for_Web_Apps
   Hewlett_Packard_Enterprise_WebInspect
   IBM-AppScan-Enterprise
   IBM-AppScan-Standard
   Qualys
   Whitehat
7. Click Update. The update file is imported, and the Update Signatures dialog box changes to a format nearly identical to that of the Modify Signatures Object dialog box, which is described in "Configuring or Modifying a Signatures Object." The Update Signatures Object dialog box displays all branches with new or modified signature rules, SQL injection or cross-site scripting patterns, and XPath injection patterns if there are any.
8. Review and configure the new and modified signatures.
9. When you are finished, click OK, and then click Close.


Jul 25, 2017

When using the signature editor to perform an import and merge operation from the NetScaler GUI, you can now see the new, updated, duplicate, and invalid rules. The signature editor displays the following four new rows:

1. New Rules
2. Updated Rules
3. Duplicate Rules
4. Invalid Rules

The output of the New Rules Only and Updated Rules Only filters also appears in the Category filter pane of the Edit window in the signature editor. You need to import the files from the GUI to see the corresponding links for new, duplicate, invalid, and updated rules. For example, you can use the GUI to import the following signature file: http://10.217.30.16/testsite/signatures/sig-3100000.xml.

To import signature rules:

1. In the NetScaler web GUI, go to Configuration > Security > Application Firewall > Signatures. In the Signatures window, click Add. Then select File Format > Native, Import From > URL and, in the URL field, add the above link. For example: http://10.217.30.16/testsite/signatures/sig-3100000.xml.

2. After you click Open, the signature file opens and you can see links for New Rule and Invalid Rules.

3. If you import a 3rd party signature rule from the following site, for example, http://10.217.30.16/FFC/sig_validation/trendmicro_sample2.xml as shown below, you can see 90 new Rules and 9 duplicate Rules in the imported .xml file.


Jul 25, 2017

Many web applications have web forms that use SQL to communicate with relational database servers. Malicious code or a hacker can use an insecure web form to send SQL commands to the web server. The application firewall HTML SQL Injection check provides special defenses against injection of unauthorized SQL code that might break security. If the application firewall detects unauthorized SQL code in a user request, it either transforms the request, to render the SQL code inactive, or blocks the request. The application firewall examines the request payload for injected SQL code in three locations: 1) POST body, 2) headers, and 3) cookies.

A default set of keywords and special characters provides known keywords and special characters that are commonly used to launch SQL attacks. You can add new patterns, and you can edit the default set to customize the SQL check inspection.

The application firewall offers various action options for implementing SQL Injection protection. In addition to the Block, Log, Stats and Learn actions, the application firewall profile also offers the option to transform SQL special characters to render an attack harmless.

In addition to actions, there are several parameters that can be configured for SQL injection processing. You can check for SQL wildcard characters. You can change the SQL Injection type and select one of the 4 options (SQLKeyword, SQLSplChar, SQLSplCharANDKeyword, SQLSplCharORKeyword) to indicate how to evaluate the SQL keywords and SQL special characters when processing the payload. The SQL Comments Handling parameter gives you an option to specify the type of comments that need to be inspected or exempted during SQL Injection detection.

You can deploy relaxations to avoid false positives. The application firewall learning engine can provide recommendations for configuring relaxation rules.

The following options are available for configuring an optimized SQL Injection protection for your application:

Block— If you enable block, the block action is triggered only if the input matches the SQL injection type specification. For example, if SQLSplCharANDKeyword is configured as the SQL injection type, a request is not blocked if it contains no key words, even if SQL special characters are detected in the input. Such a request is blocked if the SQL injection type is set to either SQLSplChar, or SQLSplCharORKeyword.

Log— If you enable the log feature, the SQL Injection check generates log messages indicating the actions that it takes. If block is disabled, a separate log message is generated for each input field in which the SQL violation was detected. However, only one message is generated when the request is blocked. Similarly, one log message per request is generated for the transform operation, even when SQL special characters are transformed in multiple fields. You can monitor the logs to determine whether responses to legitimate requests are getting blocked. A large increase in the number of log messages can indicate attempts to launch an attack.

Stats— If enabled, the stats feature gathers statistics about violations and logs. An unexpected surge in the stats counter might indicate that your application is under attack. If legitimate requests are getting blocked, you might have to revisit the configuration to see if you need to configure new relaxation rules or modify the existing ones.

Learn— If you are not sure which SQL relaxation rules might be ideally suited for your application, you can use the learn feature to generate recommendations based on the learned data. The application firewall learning engine monitors the traffic and provides SQL learning recommendations based on the observed values. To get optimal benefit without compromising performance, you might want to enable the learn option for a short time to get a representative sample of the rules, and then deploy the rules and disable learning.

Transform SQL special characters— The application firewall considers three characters, Single straight quote ('), Backslash (\), and Semicolon (;) as special characters for SQL security check processing. The SQL Transformation feature modifies the SQL Injection code in an HTML request to ensure that the request is rendered harmless. The modified HTML request is then sent to the server. All default transformation rules are specified in the /netscaler/default_custom_settings.xml file.

The transform operation renders the SQL code inactive by making the following changes to the request:

Single straight quote (') to double straight quote (").
Backslash (\) to double backslash (\\).
Semicolon (;) is dropped completely.

These three characters (special strings) are necessary to issue commands to an SQL server. Unless an SQL command is prefaced with a special string, most SQL servers ignore that command. Therefore, the changes that the application firewall performs when transformation is enabled prevent an attacker from injecting active SQL. After these changes are made, the request can safely be forwarded to your protected web site. When web forms on your protected web site can legitimately contain SQL special strings, but the web forms do not rely on the special strings to operate correctly, you can disable blocking and enable transformation to prevent blocking of legitimate web form data without reducing the protection that the application firewall provides to your protected web sites.

The transform operation works independently of the SQL Injection Type setting. If transform is enabled and the SQL Injection type is specified as SQL keyword, SQL special characters are transformed even if the request does not contain any keywords.


You normally enable either transformation or blocking, but not both. If the block action is enabled, it takes precedence over the transform action. If you have blocking enabled, enabling transformation is redundant.

Check for SQL Wildcard Characters— Wild card characters can be used to broaden the selections of a structured query language (SQL-SELECT) statement. These wild card operators can be used in conjunction with LIKE and NOT LIKE operators to compare a value to similar values. The percent (%), and underscore (_) characters are frequently used as wild cards. The percent sign is analogous to the asterisk (*) wildcard character used with MS-DOS and matches zero, one, or multiple characters in a field. The underscore is similar to the MS-DOS question mark (?) wildcard character. It matches a single number or character in an expression.

For example, you can use the following query to do a string search to find all customers whose names contain the D character.

    SELECT * from customer WHERE name like "%D%"

The following example combines the operators to find any salary values that have 0 in the second and third place.

    SELECT * from customer WHERE salary like '_00%'

Different DBMS vendors have extended the wildcard characters by adding extra operators. The NetScaler application firewall can protect against attacks that are launched by injecting these wildcard characters. The 5 default Wildcard characters are percent (%), underscore (_), caret (^), opening square bracket ([), and closing square bracket (]). This protection applies to both HTML and XML profiles.

The default wildcard chars are a list of literals specified in the *Default Signatures:

    % _ ^ [ ]

Wildcard characters in an attack can be PCRE, like [^A-F]. The application firewall also supports PCRE wildcards, but the literal wildcard chars above are sufficient to block most attacks.

The SQL wildcard character check is different from the SQL special character check. This option must be used with caution to avoid false positives.

Check Request Containing SQL Injection Type— The application firewall provides 4 options to implement the desired level of strictness for SQL Injection inspection, based on the individual need of the application. The request is checked against the injection type specification for detecting SQL violations. The 4 SQL injection type options are:

SQL Special Character and Keyword— Both an SQL keyword and an SQL special character must be present in the input to trigger SQL violation. This least restrictive setting is also the default setting.

SQL Special Character— At least one of the special characters must be present in the input to trigger SQL violation.

SQL key word— At least one of the specified SQL keywords must be present in the input to trigger an SQL violation. Do not select this option without due consideration. To avoid false positives, make sure that none of the keywords are expected in the inputs.

SQL Special Character or Keyword— Either the key word or the special character string must be present in the input to trigger the security check violation.

If you configure the application firewall to check for inputs that contain an SQL special character, the application firewall skips web form fields that do not contain any special characters. Since most SQL servers do not process SQL commands that are not preceded by a special character, enabling this option can significantly reduce the load on the application firewall and speed up processing without placing your protected web sites at risk.

SQL comments handling— By default, the application firewall checks all SQL comments for injected SQL commands. Many SQL servers ignore anything in a comment, however, even if preceded by an SQL special character. For faster processing, if your SQL server ignores comments, you can configure the application firewall to skip comments when examining requests for injected SQL. The SQL comments handling options are:

ANSI— Skip ANSI-format SQL comments, which are normally used by UNIX-based SQL databases. For example:

-- (Two Hyphens) - This is a comment that begins with two hyphens and ends with end of line.
{} - Braces (Braces enclose the comment. The { precedes the comment, and the } follows it. Braces can delimit single- or multiple-line comments, but comments cannot be nested)
/* */ : C style comments (Does not allow nested comments). Please note /*! */ MySQL Server supports some variants of C-style comments. These enable you to write code that includes MySQL extensions, but is still portable, by using comments of the following form: /*! MySQL-specific code */ .
# : Mysql comments : This is a comment that begins with # character and ends with end of the line

Nested— Skip nested SQL comments, which are normally used by Microsoft SQL Server. For example: -- (Two Hyphens), and /* */ (Allows nested comments)

ANSI/Nested— Skip comments that adhere to both the ANSI and nested SQL comment standards. Comments that match only the ANSI standard, or only the nested standard, are still checked for injected SQL.

Check all Comments— Check the entire request for injected SQL without skipping anything. This is the default setting.

In most cases, you should not choose the Nested or the ANSI/Nested option unless your back-end database runs on Microsoft SQL Server. Most other types of SQL server software do not recognize nested comments. If nested comments appear in a request directed to another type of SQL server, they might indicate an attempt to breach security on that server.

Check Request headers— Enable this option if, in addition to examining the input in the form fields, you want to examine the request headers for HTML SQL Injection attacks. If you use the configuration utility, you can enable this parameter in the Advanced Settings -> Profile Settings pane of the application firewall profile.

If you enable the Check Request header flag, you might have to configure a relaxation rule for the User-Agent header. The presence of the SQL keyword like and the SQL special character semicolon (;) might trigger a false positive and block requests that contain this header.

If you enable both request header checking and transformation, any SQL special characters found in headers are also transformed. The Accept, Accept-Charset, Accept-Encoding, Accept-Language, Expect, and User-Agent headers normally contain semicolons (;). Enabling both Request header checking and transformation simultaneously might cause errors.
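The following Python model is an added example, not Citrix code: it applies the four SQL injection type rules, the transform operation, and the block-over-transform precedence described above to sample values, including the User-Agent and Accept header cases. The keyword subset, whole-word matching, the handling of a non-violating value when both block and transform are on, the sample values, and all function names are assumptions of this sketch.

```python
import re

# The three SQL special characters named on this page.
SPECIAL_CHARS = ("'", "\\", ";")
# Constructed subset for illustration; the default set has more than 100 keywords.
KEYWORDS = ("select", "union", "insert", "delete", "drop", "like")
INJECTION_TYPES = ("SQLKeyword", "SQLSplChar",
                   "SQLSplCharANDKeyword", "SQLSplCharORKeyword")

# Constructed sample inputs (a form value and two request headers).
SAMPLE_NAME = "O'Brien"
SAMPLE_ACCEPT = "text/html,application/xml;q=0.9"
SAMPLE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
             "AppleWebKit/537.36 (KHTML, like Gecko)")


def has_special_char(value):
    return any(ch in value for ch in SPECIAL_CHARS)


def has_keyword(value):
    # Assumption: keywords match as whole words, case-insensitively.
    words = set(re.findall(r"[a-z_]+", value.lower()))
    return any(kw in words for kw in KEYWORDS)


def is_violation(value, injection_type):
    # Evaluate one field, header or cookie value against the injection type.
    if injection_type not in INJECTION_TYPES:
        raise ValueError("unknown injection type: " + injection_type)
    spl, kw = has_special_char(value), has_keyword(value)
    return {
        "SQLKeyword": kw,
        "SQLSplChar": spl,
        "SQLSplCharANDKeyword": spl and kw,
        "SQLSplCharORKeyword": spl or kw,
    }[injection_type]


def transform(value):
    # Backslash is doubled, single quote becomes double quote, semicolon is dropped.
    return value.replace("\\", "\\\\").replace("'", '"').replace(";", "")


def process(value, injection_type, block=False, transform_on=False):
    # Returns (decision, value forwarded to the server or None).
    if block and is_violation(value, injection_type):
        return ("blocked", None)  # block takes precedence over transform
    if transform_on and has_special_char(value):
        # Transform works independently of the injection type setting.
        # Assumption: a non-violating value is still transformed when
        # block is also enabled.
        return ("transformed", transform(value))
    return ("forwarded", value)
```

Running the sample User-Agent through `is_violation` with SQLSplCharANDKeyword shows why that header usually needs a relaxation rule, and running the sample Accept header through `process` with transformation on shows the semicolon being stripped from the q-value.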

The application firewall gives you an option to exempt a specific form field, header, or Cookie from SQL Injection inspection check. You can completely bypass the inspection for one or more of these fields by configuring relaxation rules for the SQL Injection check. The application firewall allows you to implement tighter security by fine tuning the relaxation rules. An application might require the flexibility to allow specific patterns, but configuring a relaxation rule to bypass the security inspection might make the application vulnerable to attacks, because the target field is exempted from inspection for any SQL attack patterns. SQL fine grained relaxation provides the option to allow specific patterns and block the rest. For example, the application firewall currently has a default set of more than 100 SQL keywords. Because hackers can use these keywords in SQL Injection attacks, the applica