Citrix NetScaler MPX User Manual

Download

About the NetScaler Gateway MPX Appliance

Model MPX Speciﬁcations

Front and Back Panel Components

Ports

Preparing for Installation

Unpacking the Model MPX Appliance

Preparing the Site and Rack

Cautions and Warnings

Install and Setup

Getting Ready to Install the Model MPX Appliance

Selecting a Location for the Appliance

Set t ing Up the Model MPX Appliance

Installing the Model MPX Appliance in a Rack

Connecting the Cables to the MPX Appliance

Turning on the Model MPX Appliance

Performing the Initial Conﬁguration of the MPX Appliance

Configuring the Model MPX Appliance

Configuring the MPX Appliance by Using the LCD Keyboard

Configuring Initial Settings by Using the Serial Console

Configuring Initial Settings by Using the Setup Wizard

Using DHCP f or Initial Access

Accessing an Appliance by Using SSH Keys and No Password

NetScaler Gateway Virtual Appliances

Introducing NetScaler Gateway VPX

NetScaler Gateway VPX Architecture

About XenCenter

NetScaler Gateway Appliances

Jun 05, 20 15

About vSphere

About Microsoft Hyper-V

System Requirements

Prerequisites f or Installing NetScaler Gateway VPX on XenServer or VMware ESX

Prerequisites f or Installing NetScaler Gateway VPX on Windows Server 2012 and Windows Server 2008 R2

Downloading the Virtual Image

To install NetScaler Gateway VPX by Using XenCenter

Installing NetScaler Gateway VPX by Using vSphere

Importing NetScaler Gateway VPX to VMware

Installing NetScaler Gateway VPX on Microsoft Server 2008 R2

Upgrading NetScaler Gateway VPX

Conﬁguring NetScaler Gateway VPX for the First Time

Deleting the NetScaler Gateway Virtual Image

Former Access Gateway Appliance

Model 2010 Specifications

Prerequisites f or Installing Access Gateway VPX Version 5.0 or 4.6

Set t ing Up the Model 2010 Appliance

Installing the Model 2010 Appliance in a Rack

Turning on the Model 2010 Appliance

Configuring the Model 2010 Appliance

Replacing the Secure Gateway with NetScaler Gateway

Migrating from the Secure Gateway to Net Scaler Gateway

About the NetScaler Gateway MPX Appliance

May 11, 20 15

The hardware platf orm (appliance) used for Net Scaler Gateway is the MPX t hat runs on the Net Scaler platf orm. This

appliance supports classic and nCore Net Scaler Gateway sof t ware deployments. The MPX appliance supports NetScaler

Gateway 10.1 and later, Access Gateway 10, Access Gateway 9.3, Enterprise Edition, and Access Gat eway 9.2, Enterprise

Edition.

Not e: NetScaler Gateway 10.5. NetScaler Gateway 10.1, and Access Gat eway 10 must run on an nCore version of the appliance. The f ollowing table shows the versions of the Net Scaler Gateway and Access Gateway soft ware that are supported on

the MPX appliance.

NetScaler Gateway version MPX support

9.2 Classic Yes

9.2 nCore

You must install a minimum of Build 55.5 to use nCore on a 9.2 appliance.

Yes

9.3 nCore Yes

10 nCore Yes

10.1 nCore and newer Yes

The preconﬁgured IP address of Net Scaler Gateway is 192.168.100.1 and the subnet mask is 255.255.0.0. To change the IP

address, you can use a serial cable and a terminal emulation program, or you can connect Net Scaler Gateway by using

network cables and the conﬁguration utility.

You can install the NetScaler Gateway appliances in the DMZ or the secure network. For more information about

deployment scenarios, see Deploying NetScaler Gateway.

For information about setting up the MPX appliance in a rack, see Installing the Model MPX Appliance in a Rack. This

sect ion discusses t he MPX speciﬁcations and how to install and conﬁgure the MPX appliance.

Model MPX Speciﬁcations

Jul 15, 20 13

The Model MPX is a single dual-core processor, 1U appliance that ships with 4 gigabytes (GB) of memory.

The f ollowing ﬁgure shows the f ront panel of the MPX.

Figure 1. MPX front panel

The MPX has t he f ollowing ports:

One RS232 serial console port.

Two 10/100/1000Base-T copper Ethernet management ports, numbered 0/1 and 0/2 f rom left to right. You can use

these ports to connect directly to the appliance t o enable system administration functions.

Four 10/100/1000Base-T copper Ethernet ports numbered 1/1, 1/2, 1/3, and 1/4 f rom left t o right.

Not e: The network port numbers on all appliances consist of two numbers separated by a forward slash. The f irst number is the port adapter slot number. The second number is t he int erface port number. Ports on appliances are numbered sequentially starting with 1. The f ollowing ﬁgure shows the back panel of t he MPX.

Figure 2. MPX back panel

The f ollowing components are visible on the back panel of the MPX:

A 4-GB removable CompactFlash card that is used to st ore the operating system.

A power switch that turns off power to t he MPX, as if you were to unplug the power supply. Press the switch for five

seconds to t urn off the power.

A removable hard disk drive t hat is used to st ore user data. Appliances shipped before February, 2012 store user data on

a hard disk drive. In appliances shipped aft er February, 2012, a solid-state drive replaces t he hard disk drive. Bot h types of

drive have the same functionality and support t he same software releases.

One USB port (not functional in this release; reserved for a future release).

A non-maskable interrupt (NMI) but ton that is used at the request of T echnical Support and produces a core dump on

the appliance. You must use a pen, pencil, or other pointed object to press this red button, which is recessed to prevent

unintentional activation.

A single 300 wat t , 110–220 volt power supply with fan. The power-supply f an is designed to turn on when the internal

temperature of the power supply reaches a certain value. You cannot see the fan turning on the back panel. You can see

the fixed part of the fan that holds the spinning motor.

Front and Back Panel Components

Nov 0 2, 20 12

The f ront panel of the appliance has an LCD display and various ports, including an RS232 serial console port, copper

Ethernet ports, and copper and ﬁber Small Form Fact or Pluggable (SFP) ports. The number, type, and location of ports vary

by hardware platform. T he back panel of the appliance provides access to the power supply, f an, CompactFlash card, and

hard disk drive.

Power Supply and Fan. Appliances are conﬁgured with either a single power supply or, f or higher capacity f ault-tolerant

models, a dual-power supply conﬁgurat ion. The power supply on the MPX appliance is conﬁgured with a single fan. Each

unit ships with a standard power cord that plugs into the appliance's power supply and an NEMA 5-15 plug on the ot her

end for connecting to the power outlet on the rack or in the wall.

CompactFlash Card. T he Compact Flash drive in all appliances contains the operating system for the unit . It is mounted as

/ﬂash.

Hard Disk Drive. The hard disk drive on all appliances contains logs and other data ﬁles. It is mounted as /var.

Ports

Jul 15, 20 13

Ports are used to connect t he appliance t o ext ernal devices. NetScaler Gateway appliances support RS232 serial ports,

10/100/1000Base-T copper Ethernet ports, 1-gigabit copper and ﬁber Small Form Fact or Pluggable (SFP) ports, and 10-

gigabit ﬁber SFP+ ports. All appliances have a combination of some or all of t hese ports. For details on the type and number

of ports available on your appliance, see the speciﬁc topic that describes your appliance.

RS232 Serial Console Port

The RS232 serial console port on the f ront of each appliance provides a direct connection between the appliance and a

workstation or laptop, allowing direct access t o the appliance for initial conﬁguration or troubleshooting.

All hardware platf orms ship with an appropriate serial cable that you can use to connect your workstation or laptop

comput er to the appliance. For instructions on connect ing your workstat ion or laptop to the appliance, see Setting Up the

Model MPX Appliance.

Copper Ethernet Ports

The copper Ethernet ports installed on many models of t he appliance are standard RJ45 ports.

The f ollowing two t ypes of copper Ethernet ports may be installed on your appliance:

10/100BASE-T port. This type of port has a maximum transmission speed of 100 megabits per second (Mbps). T he MPX

appliance has a single 10/100BASE-T port.

10/100/1000BASE-T port. T his type of port has a maximum t ransmission speed of 1 GB, which is 10 times f aster than the

other type of copper Ethernet port. The MPX has six copper Ethernet ports.

To connect any of these ports to your network, you plug one end of a standard Ethernet cable int o the port and plug the

other end into the appropriate network connector.

SFP Port s

An SFP port can operate at speeds of up to 1 gigabit per second. The port accepts either a copper SFP t ransceiver for

operation as a copper Ethernet port or a ﬁber SFP t ransceiver for operation as a ﬁberoptic port.

The f ollowing tables list the maximum distance speciﬁcations for NetScaler Gateway pluggable media (1G SFP and XFP

transceivers). The1G Pluggable Media table has the following columns:

SKU: Citrix maintains multiple SKUs for the same part.

Description: The price list description of the part.

Transmit Wavelengt h: The nominal transmit wavelengt h.

Cable/Fiber Type: Fiber characteristics af fect the maximum t ransmit distance achievable. This is especially true with 10G

on multi-mode fiber (MMF), where various dispersion components become dominant.

Typical Reach: Maximum transmit distance.

Products: Some chassis are available with dif ferent media options. Use the appropriat e data sheet to confirm that your

particular chassis type supports the media.

1G Pluggable Media

The f ollowing table lists the maximum distance speciﬁcations for 1G transceivers.

Table 1. Copper 1G SFP Distance Specificat ions

SKU Description Transmitt er

Wavelength (nm)

Cable Type

Typical Reach (m)

Product s

EW3A0000235, EW3B0000235, EW3C0000235, EW3D0000235, EW3E0000235, EW3F0000235, EW3P0000143, EW3X0000235, EW3Z0000087

Citrix NetScaler 1G SFP Ethernet Copper (100m) - 4 Pack

n/a Category

5 (Cat-5) Copper Cable

100 m MPX

Table 2. Short Reach Fiber 1G SFP Distance Specifications

SKU Description Transmitt er

Wavelength (nm)

Fiber Type Typical

Reach (m)

Product s

EW3A0000234 , EW3B0000234, EW3C0000234 , EW3D0000234, EW3E0000234, EW3F0000234, EW3P0000142, EW3X0000234, EW3Z0000086

Citrix NetScaler 1G SFP Ethernet SX (300m) - 4 Pack

850nm (nominal)

50/125um MMF, 2000MHzkm (OM3)

550 m MPX

50/125um MMF, 500MHzkm (OM2)

550 m

50/125um MMF, 400MHzkm

550 m

62.5/125um MMF, 200MHzkm (OM1)

300 m

62.5/125um MMF, 160MHzkm

300 m

LED Port-Status Indicators

Not e: This section applies to the MPX appliance. The port LEDs show whether the link is established and trafﬁc is ﬂowing through the port. T he f ollowing table describes

the LED indicators f or each port. T here are two LED indicators for each port type.

Table 3. LED port-stat us indicators

Port T ype LED

Locat ion

LED Function

LED Color LED Indicates

10G SFP+ (10 Gbps)

Left Link/Activit y Off No link.

Solid Color Link is established but no traf f ic is passing through the

port.

Blinking green

Traff ic is passing through the port.

Right Speed Off No connection.

Solid green Traffic rate of 10 gigabits per second.

1G SFP (1 Gbps) Left Link/Act ivity Off No link.

Solid green Link is established but no traff ic is passing through the

port.

Blinking green

Traff ic is passing through the port.

Right Speed Off No connection.

Yellow Traff ic rate of 1 gigabit per second.

Ethernet (RJ4 5) Left Speed Off No connection, or a traf fic rate of 10 megabits per

second (Mbps).

Green Traff ic rate of 100 Mbps.

Yellow Traff ic rate of 1 gigabit per second.

Right Link/Activit y Off No link.

Solid green Link is established but no traff ic is passing through the

port.

Blinking green

Traff ic is passing through the port.

Management Left Speed Off No connection, or a traf fic rate of 10 Mbps.

(RJ4 5)

Green Traff ic rate of 100 Mbps.

Amber T raffic rate of 1 gigabit per second.

Right Link/Activit y Off No link.

Solid yellow Link is established but no t raf fic is passing through the

port.

Blinking yellow

Traff ic is passing through the port.

Plan

Jul 15, 20 13

Bef ore you install your new MPX appliance, carefully unpack the appliance and make sure that you received all of t he parts

according to the appliance you ordered. Next , verify that the locat ion where you will install t he appliance meets

temperature and power requirements. Also, verif y that t he server cabinet or ﬂoor-to-ceiling cabinet is securely bolted to the

ﬂoor and has sufﬁcient airﬂow.

Only trained and qualiﬁed personnel should install, maintain, or replace the appliance and should be sure to f ollow all

cautions and warnings.

Unpacking the Model MPX Appliance

Jul 15, 20 13

Your appliance comes with hardware accessories, such as cables, adapters, and rail kit, will vary depending on the hardware

platf orm you order. Unpack the box t hat contains your new appliance on a st urdy table with plenty of space and inspect

the contents.

Use the f ollowing list t o verify t hat you received everything that should be in the box:

The appliance you ordered.

One RJ-45 t o DB-9 adapter.

One 6 f t RJ-45/DB-9 cable.

One power cable.

One mount ing rail kit with all t he models.

In addition to the items included in the box with your new appliance, you will need the following it ems to complete t he installation and initial configuration process:

Ethernet cables for each addit ional Ethernet port that you will connect to your network.

One available Ethernet port on your network switch or hub for each Ethernet port you want t o connect t o your

network.

Not e: Transceiver modules are sold separately. Please contact your Citrix sales representative to order transceiver

modules for your appliance. Only transceivers supplied by Citrix are supported on the appliance.

A comput er to serve as a management workstation.

Preparing the Site and Rack

Jul 15, 20 13

The NetScaler Gateway appliance has speciﬁc site and rack requirements. You must make sure that adequate

environmental control and power density are available. Racks must be bolted to t he ground and have sufﬁcient airﬂow.

Preparing the site and rack are important steps in the installation process and will help ensure a smoot h installation.

Site Requirements

The appliance should be installed in a server room or server cabinet with the following f eatures:

Environment control. An air conditioner, preferably a dedicated comput er room air conditioner (CRAC), capable of

maintaining the cabinet or server room at a temperature of no more than 21°C/70° F at altitudes up to 2100 m/7000 ft,

or 15°C/60°F at higher altitudes, a humidit y level no greater than 45 percent, and a dust-f ree environment.

Power density. Wiring capable of handling at least 4000 W per rack unit in addition to power needs for the CRAC.

Rack Requirements

The rack on which you install your appliance should meet the f ollowing criteria:

Rack characterist ics. Racks should be either integrated into a purpose-designed server cabinet or be the f loor-to-ceiling

type, bolted down at bot h top and bottom to ensure stability. If you have a cabinet, you should install t he cabinet

perpendicular to a load-bearing wall for stability and suff icient airf low. If you have a server room, you should install your

racks in rows spaced at least 1 meter/3 f eet apart f or sufficient airflow. Your rack must give your IT personnel the ability

to access the front and back of each appliance and all power and network connect ions.

Power connections. At minimum, two standard power outlets per unit.

Network connections. At minimum, f our Ethernet connections per rack unit.

Space requirements. One empty rack unit.

Cautions and Warnings

May 03, 20 12

The installation instructions for the appliance provide instructions for carefully connecting the appliance to a power source.

Heed all cautions and warnings regarding safety practices when working with power sources and supplies. To help ensure

secure rack installation, sufﬁcient airﬂow, and appliance st ability, follow all prescribed precautions.

Important: Only trained and qualified personnel should install, maintain, or replace the appliance.

Power Supply Precautions

Remove all jewelry and other met al objects t hat might come into contact with power sources or wires bef ore installing

or repairing t he appliance. When you touch both a live power source or wire and ground, any metal objects can heat up

rapidly and may cause burns, set clothing on f ire, or fuse the metal object to an exposed terminal.

Never stack t he appliance on top of any ot her server or electronic equipment.

Do not block access to t he power socket or power socket s where your appliance is plugged in. In emergencies,

unplugging the appliance is the fallback disconnection met hod.

All appliances are designed to be installed on power systems that use TN earthing. Do not install your device on a power

system that uses either TT or IT earthing.

Ensure that t he appliance has a direct physical connection to the earth during normal use. When installing or repairing an

appliance, always ensure that the ground circuit is connected first and is disconnected last.

Ensure that a fuse or circuit breaker no larger than 120 VAC, 15 A U.S. (240 VAC, 16 A international) is used on all current-

carrying conductors on the power system to which your appliances are connected.

Always unplug any appliance before performing repairs or upgrades.

Do not overload the wiring in your server cabinet or on your server room rack.

During thunderstorms, or anticipated thunderstorms located in the vicinity of the building where your appliance is

located, avoid performing any repairs or upgrades until the danger of lightning has passed.

Never touch a power supply when the power cord is plugged in. As long as the power cord is plugged in, line voltages are

present in the power supply even when the power switch is off.

Ensure the st ability of your appliance by installing it as f ollows:

If t he appliance is the only unit in the rack, mount it at the bottom of the rack.

When mounting the appliance in a partially filled rack, load the rack f rom the bott om to t he t op with the heaviest

server at t he bot t om of the rack.

If t he rack has stabilizing devices available, install them before mounting or servicing the appliance in the rack.

When you dispose of an old appliance or any components, follow any local and national laws on disposal of elect ronic

wast e.

To prevent possible explosions, replace expired batteries with the same model or a manufacturer-recommended

substitute and follow t he manufacturer’s instructions on battery replacement.

Never remove a power supply cover or any sealed part that has a label that reads: Hazardous voltage, current, and

energy levels are present inside any component that has t his label attached. There are no user-serviceable parts inside

these components. If you suspect a problem wit h none of these parts, contact Citrix Technical Support.

Appliance Precautions

Det ermine the placement of each component in the rack before you install the rail.

Install the heaviest appliance on the bottom of the rack first, and then work up. Equipment should be mount ed into a

rack so that a hazardous condit ion does not arise due to uneven mechanical loading.

Allow the power supply units and hot plug hard drives to cool before touching t hem.

To maintain proper cooling, always keep the rack's front door, panels, and appliance components closed.

Install the equipment near a socket outlet f or easy access.

If installed in a closed or multi-unit rack assembly, the ambient operating temperature of the rack environment may be

great er than the ambient temperature of the room. Therefore, consideration should be given to installing the equipment

in an environment compatible with the manuf acturer's maximum rated ambient t emperature (Tmra).

Clearance Precaut ions

Mount equipment into a rack with airflow suff icient f or safe operation.

Leave enough clearance in front of t he rack to open the f ront door completely (25 inches).

Leave approximately 30 inches of clearance behind t he rack to allow for suff icient airf low and ease in servicing.

This product is for installation only in Restricted Access Locations (RALs) such as dedicated equipment rooms and service

closets.

Rack Precautions

Ensure that t he leveling jackets on the bot tom of the rack are f ully extended to the floor with the f ull weight of the

rack resting on them.

In a single rack installation, attach a stabilizer to t he rack.

In multiple rack installations, couple (att ach) the racks together.

Always make sure the rack is stable before ext ending a component f rom t he rack.

Ext end only one component at a time. Extending two or more simultaneously may cause the rack to become unstable.

Install and Setup

Jul 15, 20 13

When you receive your MPX appliance, you unpack t he appliance and prepare t he site and rack. After you determine that

the location where you will install your appliance meets the environmental standards and the server rack is in place

according to the instructions, you install t he hardware. After you mount t he appliance, you connect it to the network, to a

power source, and to the console terminal that you use f or the initial conﬁguration of NetScaler Gateway. After you t urn

on the appliance, you perform the init ial conﬁguration, and assign management and network IP addresses. Be sure to

observe the cautions and warnings listed with the installation inst ructions.

Getting Ready to Install the Model MPX Appliance

Jul 15, 20 13

To install the Model MPX appliance, verif y that t he contents of the box match the packing list . If an item on the packing

list is missing from the box, contact Citrix Customer Care.

Bef ore installing NetScaler Gateway, collect materials for the init ial conﬁguration and for the connect ion to your network.

For initial configuration, use one of t he following setups:

A cross-over cable and Windows-based computer

Two network cables, a network switch, and a Windows-based computer

A serial cable and a computer with terminal emulation sof t ware

For a connection to a local area network, use the f ollowing items:

One network cable to connect NetScaler Gateway inside a firewall or to a server load balancer

Two network cables to connect NetScaler Gateway locat ed in t he DMZ to the Internet and secure network

Citrix recommends that you use a pre-installation checklist for the Model MPX. For more information, see the NetScaler

Gateway Pre-Installation Checklist . You can use the checklist to collect t he following network inf ormation for appliances

that are locat ed in t he secure network and in the DMZ:

The NetScaler Gateway internal IP address and subnet mask.

The NetScaler Gateway ext ernal IP address and subnet mask.

The NetScaler Gateway fully qualif ied domain name (FQDN) for network address translation (NAT).

The IP address of the default gat eway device.

The port to be used for connections. The def ault is 443.

If connecting NetScaler Gateway to a server load balancer, you need the f ollowing information:

The NetScaler Gateway IP address and subnet mask.

The set t ings of the server load balancer as t he def ault gateway device (if required). See the load balancer

manufact urer’s documentat ion for more information.

The FQDN of t he server load balancer to be used as the ext ernal public address of NetScaler Gateway.

The port to be used for connections. The def ault is 443.

Not e: NetScaler Gateway requires t he use of st atic IP addresses and does not support Dynamic Host Configuration Protocol (DHCP).

Selecting a Location for the Appliance

Jul 15, 20 13

When selecting where to put the Net Scaler Gateway appliance, consider the f ollowing:

Leave enough clearance in front of t he rack so that you can access the LCD and various ports on the f ront panel of the

appliance.

Leave approximately 30 inches of clearance in the back of t he rack to allow for sufficient airflow and easy servicing.

Install the Net Scaler Gateway appliance in a restricted area, such as a dedicated lab or service closet.

Ground the rack t o ensure that a reliable ground is maintained at all t imes.

Leave enough clearance in front of t he rack to enable you to open the front bezel complet ely.

Setting Up the Model MPX Appliance

Jul 15, 20 13

The f ollowing procedure describes how t o set up the Net Scaler Gateway Model MPX appliance for the ﬁrst t ime.

To physically connect the NetScaler Gateway appliance

1. Install NetScaler Gateway in a rack if it is rack-mounted.

2. Connect the power cord to t he AC power receptacle.

3. Connect either the serial cable to a Windows-based computer, a cross-over cable to a Windows-based comput er, or an

RJ-45 network cable to a network switch and Net Scaler Gateway.

4. Configure the T CP/IP set t ings by following the instructions in Configuring Initial Settings by Using the Serial Console.

Installing the Model MPX Appliance in a Rack

Jul 15, 20 13

Most appliances can be installed in standard server racks. The appliances ship with a set of rails, which you must install

before you mount the appliance. The only tool you will need to install an appliance is a Phillips screwdriver.

Caution: If you are installing the appliance as t he only unit in the rack, mount it at the bottom. If the rack contains other units, make sure that t he heaviest unit is at the bottom. If the rack has st abilizing devices available, install t hem before mounting the appliance. The MPX appliance requires one rack unit . Each unit ships with a mounting rail kit t hat contains two rail assemblies, one f or

the left side and the other for the right side of the appliance, as well as screws to attach the rails. You must install the

assemblies before mounting the appliance in the rack.

To mount t he appliance, you must ﬁrst install the rails and then install the appliance in the rack.

Perform the following t asks to install the rails:

Remove the inner rails f rom t he rail assembly.

Attach the inner rails t o the appliance.

Adjust t he lengt h of the rack rails.

Install the rack rails on the server cabinet or rack.

The f ollowing ﬁgure illustrates t he steps to attach the inner rails to the appliance, at t ach the outer rails t o the rack, and

then slide the appliance out of the rack to ensure that it is locked in place.

Figure 1. Rack mounting the appliance

To remove the inner rails from the rail assembly

1. Place t he rail assembly on a flat surface.

2. Slide out the inner rail toward the f ront of the assembly.

3. Depress the locking tabs until t he inner rail comes all t he way out of the rail assembly, as shown in the following f igure.

Figure 2. Removing inner rails

4. Repeat st eps 1 through 3 to remove the second inner rail.

To attach the inner rails to the appliance

1. Position the right inner rail behind the ear bracket on the right side of the appliance.

2. Align the holes on the rail with the corresponding holes on the side of the appliance.

3. At t ach the rail to the appliance with screws, as shown in the following f igure.

Figure 3. Attaching inner rails

4. Repeat st eps 1 through 3 to install t he left inner rail on the left side of the appliance.

To install the rack rails

1. Position the rack rails at t he desired locat ion in the rack, keeping the sliding rail guide f acing inward.

2. Snap the tool-less rails to t he rack.

Not e: Make sure that bot h rack rails are at same height and that the rail guides are f acing inward.

To install the appliance in a rack

1. Align the inner rails, attached to the appliance, with the rack rails.

2. Slide t he appliance into the rack rails, keeping the pressure even on both sides.

3. Verify that the appliance is locked in place by pulling it all the way out f rom t he rack.

Connecting the Cables to the MPX Appliance

Nov 18 , 20 13

When the Net Scaler Gateway appliance is securely mounted on the rack, you are ready to connect t he cables. Ethernet cables and console cables are connected first . Connect the power cable last.

Connect ing the Ethernet Cables

Ethernet cables connect your appliance to the network. The type of cable you need depends on the type of port used to connect t o the network. Use a category 5e or category 6 Ethernet cable with a st andard RJ-45 connector on the 10/100/1000BASE-T port or 1-gigabit SFP copper transceiver. Use a fiber-optic cable with an LC duplex connector with SFP transceivers. The type of connector at the other end of t he fiber-optic cable depends on the port of the device t hat you are connect ing to.

To connect an Ethernet cable to a 10/100/1000BASE-T port or 1-gigabit SFP copper transceiver

1. Insert the RJ-45 connector on one end of your Ethernet cable into an appropriate port on the f ront panel of the

appliance as shown in the f ollowing figure.

Figure 1. Inserting an Ethernet cable

2. Insert the RJ-45 connector on the other end into the target device, such as a router or switch.

3. Verify that the LED glows amber when the connection is established.

To connect the Ethernet cable to an SFP ﬁber transceiver

1. Remove the dust caps from the transceiver and cable.

2. Insert the LC connect or on one end of the f iber-optic cable into the appropriate port on the f ront panel of the

appliance.

3. Insert the connect or on the other end into t he t arget device, such as a router or switch.

4. Verify t hat the LED glows amber when the connection is established.

Connect ing the Console Cable

You can use the console cable to connect your appliance to a comput er or terminal from which you will conﬁgure the

appliance. Alternatively, you can use a computer connected to t he net work. Before connecting t he console cable, you can

accept the following default sett ings:

Computer or terminal supports VT 100 terminal emulation

9600 baud

8 data bits

1 stop bit

Parity set t o none

Flow control set to none

Connect one end of the console cable to the RS232 serial port on the appliance and the other end to t he computer or

terminal.

To connect the console cable to a computer or terminal

1. Insert the DB-9 connector at the end of the cable into the console port t hat is located on the front panel of the

appliance, as shown in the following figure.

Figure 2. Inserting a console cable

Not e: To use a cable with an RJ-45 converter, insert the optional converter provided into the console port and att ach

the cable to it.

2. Insert the RJ-45 connector at the other end of t he cable int o the serial port of the computer or terminal.

Connect ing the Power Cable

The MPX 5500 appliances has one power cable. A separate ground cable is not required because grounding is provided by the three-prong plug.

To connect the appliance to the power source

1. Connect one end of the power cable to the power outlet on the back panel of the appliance, next to t he power supply

and fan, as shown in the f ollowing figure.

Figure 3. Inserting a power cable

2. Connect the ot her end of t he power cable to a st andard 110V/220V power outlet.

3. If a second power supply is provided, repeat st eps 1 and 2 to connect the second power supply.

Turning on the Model MPX Appliance

Jul 15, 20 13

After you install t he NetScaler Gateway appliance in a rack and connect the cables, you are ready to t urn on the appliance. Bef ore you turn on the appliance, verif y that you connect ed the power cable properly. When two power supplies are present, make sure the second cable is connect ed to an outlet for a dif ferent circuit t han the f irst.

1. Verify that you are connect ed to the appliance through a console or Ethernet port. This step will ensure that you can

configure the appliance aft er you turn it on.

2. Press the ON/OFF toggle power switch on the back panel of the appliance, as shown in the following f igure.

Figure 1. Power switch on back panel

3. Verify that the LCD on the front panel is backlit and the start message appears, as shown in the f ollowing figure.

Figure 2. LCD startup screen

Caution: Be aware of the locat ion of t he emergency power of f (EPO) switch so t hat you can quickly turn off power to

the appliance if an elect rical accident occurs. (T he EPO can be located anywhere, including on the rack, the data center,

or the lab.)

Performing the Initial Conﬁguration of the MPX Appliance

Feb 20 , 2014

After you have installed the MPX appliance in a rack, you are ready to perform the initial conﬁguration. When the init ial

conﬁguration is complet e, you can then conﬁgure NetScaler Gateway to work in your network.

To perform the init ial conﬁguration, you can use the LCD keypad on the front panel of the appliance, the serial console, or

the Set up Wizard. You can access the Set up Wizard from any computer that is on the same network as the new Net Scaler

Gateway appliance. However, because t his method uses the default IP address for Net Scaler Gateway, you must install and

conﬁgure one appliance at a time.

If you want to conﬁgure a new NetScaler Gateway appliance from a remot e network, or if you want to install multiple

appliances and then conﬁgure them without using the console port, you can use Dynamic Host Conﬁguration Protocol

(DHCP) to assign each new appliance an IP address at which you can access the appliance for remote conﬁguration.

When you ﬁnish installing and conﬁguring the initial settings on the NetScaler Gateway 10.1 appliance by using the

command-line interface, when you log on to t he conﬁguration utility f or the ﬁrst time, the First-time conﬁguration appears

if the f ollowing is true:

You did not install a license on t he appliance.

You did not configure a subnet or mapped IP address.

You left the default IP address of the appliances as 192.168.100.1.

For more information about the ﬁrst time conﬁguration, see Conﬁguring NetScaler Gateway with the First Time Use

Conﬁguration.

You can also use the Set up Wizard to conﬁgure the NetScaler Gateway appliance. For more information about available

wizards, see Conﬁguring the Net Scaler Gateway by Using Wizards.

Conﬁguring the Model MPX Appliance

Jul 15, 20 13

You can perform the initial conﬁguration of NetScaler Gateway by using a serial console, the Setup Wizard in the

conﬁguration utility, or Dynamic Host Conﬁguration Protocol (DHCP). You can also perform the initial conﬁguration by using

the LCD keypad on the front panel of t he appliance.

You can access the Setup Wizard from any computer that is on the same network as the new Net Scaler Gateway

appliance. However, because this method uses the default IP address for Net Scaler Gateway, you must install and

conﬁgure one appliance at a time. If you want t o conﬁgure a new appliance from a remote network, or if you want to

install multiple appliances and then conﬁgure them wit hout using the console port, you can use DHCP to assign each new

NetScaler Gateway appliance a unique IP address at which you can access the appliance f or remot e conﬁguration.

Conﬁguring the MPX Appliance by Using the LCD Keyboard

Jul 15, 20 13

When you f irst install t he MPX appliance, you can configure the init ial settings by using the LCD keypad on the f ront panel of t he appliance. T he keypad interacts with the LCD display module, which also appears on the f ront panel of t hese appliances. Not e: You can use the LCD keypad for initial configuration on a new appliance with the default configuration. The configuration file (ns.conf) should contain the following command and default values: set ns conﬁg -IPAddress 192.168.100.1 -net mask 255.255.0.0

The f unctions of the diff erent keys are explained in the f ollowing table.

Table 1. LCD Key Funct ions

Key Function

< Moves t he cursor one digit to the left.

> Moves t he cursor one digit to the right.

^ Increments the digit under the cursor.

v Decrements t he digit under the cursor.

. Processes the information or terminates t he configuration, if none of the values is changed. This key is also

known as the ENT ER key.

You are prompted to enter the subnet mask, NetScaler Gateway IP address, and default gateway, in that order. The subnet

mask is associated with both the NetScaler Gateway IP address and default gat eway IP address. The NetScaler Gateway

IP address is the IP address of t he appliance. T he def ault gateway is the IP address f or the router, which handles external

IP trafﬁc that NetScaler Gateway cannot otherwise route. T he NetScaler Gateway IP address and the default gateway

should be on the same subnet.

If you enter a valid value for the subnet mask, such as 255.255.255.224 , you are prompted to enter the IP address. Similarly,

if you enter a valid value for the IP address, you are prompted to enter the gateway address. If the value you entered is

invalid, the following error message appears for three seconds, where xxx.xxx.xxx.xxx is the IP address you entered,

followed by a request t o reenter the value.

Invalid addr!

xxx.xxx.xxx.xxx

If you press the ENT ER (.) key without changing any of the digits, the sof tware interprets this keystroke as a user exit request. T he f ollowing message appears for three seconds.

Exiting menu...

xxx.xxx.xxx.xxx

If all of t he values you enter are valid, when you press the ENT ER (.) key, the f ollowing message appears.

Values accepted,

Rebooting...

The subnet mask, NetScaler Gateway IP address, and gateway values are saved in the conf iguration file.

Conﬁguring Initial Settings by Using the Serial Console

Jul 11, 20 13

When you ﬁrst install t he appliance, you can conﬁgure the init ial settings by using the serial console. With the serial console,

you can change the system IP address, create a mapped IP address, conﬁgure advanced network settings, and change the

time zone.

Not e: To locat e the serial console port on your appliance, see Ports.

1. Connect the console cable into your appliance. For more information, see Connecting the Cables to the MPX Appliance.

2. Run the terminal emulation program on your computer to connect t o the appliance.

For Microsof t Windows, you can use HyperTerminal.

Not e: HyperTerminal is not automatically installed on Windows 2000 Server, Windows Server 2003, or Windows Server

2008. T o install HyperTerminal, use Add or Remove Programs in Control Panel.

For Apple Macintosh OS X, you can use the T erminal program or the shell-based telnet client.

Not e: Mac OS X is based on the FreeBSD UNIX platf orm. Most st andard UNIX shell programs are available from t he

OSX command line.

For UNIX-based workstat ions, you can use the shell-based telnet client or any supported terminal emulation program.

3. Press ENTER. The terminal screen displays the logon prompt.

Not e: You might have to press ENT ER t wo or three times, depending on the terminal program you are using.

4. Log on to the appliance by using the administrator credentials.

The default user name and password is nsroot.

5. At the command prompt, type config ns to run the configurat ion script .

6. T o complete t he initial configuration of your appliance, follow t he prompts.

Not e: To prevent an attacker from breaching your ability to send packets to the appliance, choose a non-routable IP

address on your organization's LAN as your appliance IP address.

Instead of step 5 and 6, you can directly enter the commands for the init ial configuration. Log on to the appliance and at the command prompt, type:

set ns config - ipaddress <IPAddress> -netmask <Netmask>

add ns ip <IPAddress> <Netmask> -type <Type>

add route <Network> <Netmask> <Gateway>

set system user nsroot <Password>

save ns config

reboot

Example

set ns config - ipaddress 10.102.29.60 - netmask 255.255.255.0

add ns ip 10.102.29.61 255.255.255.0 -type snip

add route 0.0.0.0 0.0.0.0 10.102.29.1

set system user nsroot administrator

save ns config

reboot

The initial configurat ion of your appliance is complete. T o continue configuring the appliance, see NetScaler Gateway. Not e: For information about deploying a high availability pair, see Conf iguring High Availability on NetScaler Gateway.

Conﬁguring Initial Settings by Using the Setup Wizard

Jul 15, 20 13

To configure the NetScaler Gateway appliance by using the Setup Wizard in the conf iguration utility, you need a computer that is configured on the same network as t he appliance. You also need a minimum of Java Runtime Environment (JRE) version 1.6. You can use the Setup Wizard to configure the f ollowing initial sett ings on the appliance:

System IP address and subnet mask

Mapped IP address and subnet mask

Host name

Def ault gateway

Licenses

Important: Before running the Set up Wizard, you should download your licenses from the Citrix web site and put them in a location on your computer or another device where you can access them from your web browser during configuration. Not e: When you finish installing and configuring the initial sett ings on the NetScaler Gateway appliance by using the command-line interface, when you log on to t he configuration utilit y for the f irst t ime, the First-time configuration appears if the f ollowing conditions are not met:

You did not install a license on t he appliance.

You did not configure a subnet or mapped IP address.

If t he default IP address of the appliances is 192.168.100.1.

For more information about the ﬁrst time conﬁguration, see Conﬁguring NetScaler Gateway with the First Time Use

Conﬁguration.

To run the Setup Wizard

1. In a Web browser, type http://192.168.100.1

Not e: NetScaler Gateway is preconfigured with a default IP address of 192.168.100.1 and associated subnet mask of

255.255.0.0.

2. In User Name and Password, type the administrator credentials and then click Login.

The default user name and password is nsroot.

3. In the conf iguration utility, in the navigation pane, click System.

4. In the details pane, click Set up Wizard.

5. In the Set up Wizard, click Next , and then follow the instructions in the wizard.

Not e: On the Choose Application page, click Skip this step. The Choose Application page is used primarily for appliances

that are licensed to use NetScaler feat ures.

Not e: To prevent an attacker from breaching your ability to send packets to the appliance, choose a non-routable IP address on your organization's LAN as your appliance IP address. The initial configurat ion of your appliance is complete. T o continue configuring the appliance, see NetScaler Gateway 10.1 ,

Access Gateway 10, or Access Gateway 9.3, Enterprise Edition.

Not e: For information about deploying a high availability pair, see Conf iguring High Availability on NetScaler Gateway.

Using DHCP for Initial Access

Jul 15, 20 13

For the init ial conﬁguration of a NetScaler Gateway appliance, Dynamic Host Conﬁguration Protocol (DHCP) can eliminate

dependency on the console by providing an IP address at which you can access the appliance to conﬁgure it remotely. You

can also use DHCP af t er the initial conﬁguration if, for example, you want to move an appliance to a different subnet.

To use DHCP, you must ﬁrst specify t he NetScaler Gateway vendor class identiﬁer on a DHCP server. Optionally, you can

also specify the pool of IP addresses from which your appliance can acquire an IP address. If a pool is not speciﬁed, the

address is acquired from t he general pool.

A new NetScaler Gateway appliance does not have a conﬁguration ﬁle. When you connect a NetScaler Gateway appliance

without a conﬁguration ﬁle t o the network, it s DHCP client automatically polls t he DHCP server for an IP address. If you

have speciﬁed the vendor class identiﬁer on the DHCP server, the server returns an address. You can also enable the DHCP

client on a previously conﬁgured Net Scaler Gateway appliance.

Prerequisites

To use DHCP, you must:

1. Not e the syst em ID (sysid) on the serial number sticker on the back panel of t he appliance.

2. Set up a DHCP server and configure it with the vendor class identifier.

To conﬁgure a Linux or UNIX DHCP server for NetScaler Gateway

1. Specify "citrix-NS" as t he vendor class identifier for the appliance by adding the following configuration to the server's

dhcpd.conf file:

subclass "citrix-1" "citrix-NS"{

vendor-option-space auto;

option auto.key "citrix-NS";

Not e: The location of the dhcpd.conf f ile can be diff erent in dif ferent versions and flavors of the Linux/UNIX-based

operating system (for example, in FreeBSD 6.3 t he f ile is present in the /etc/ folder). For the location, see the dhcpd man

page of t he DHCP server.

2. If you do not want Net Scaler Gateway to use IP addresses f rom the general pool, specify a pool of addresses f or the

appliance. For example, adding the following configuration to the dhcpd.conf f ile specifies a pool of IP addresses ranging

from 10.102.33.246 to 10.102.33.249.

pool {

allow members of "citrix-1";

range 10.102.33.246 10.102.33.249;

option subnet-mask 255.255.255.0;

}

3. T erminate t he DHCP process and restart it to reflect the change to t he configuration file. At the shell command prompt,

type:

killall dhcpd

dhcpd&

Implementing an Initial NetScaler Gateway Conﬁguration from a Remote Computer

When a new NetScaler Gateway (or any appliance that does not have a conﬁguration ﬁle) starts, it automatically polls the

DHCP server for an IP address and provides the DHCP server with its sysid. The DHCP server includes this sysid with the IP

address t hat it assigns t o the appliance in the server's dhcpd.leases ﬁle. To ﬁnd the IP address currently assigned to your

NetScaler Gateway, look in the dhcpd.leases ﬁle for the last entry with the sysid of your appliance in the uid or client-

hostname ﬁeld. Verify that the binding stat e in this entry is active. If the binding stat e is not active but free, the IP address

is not yet associated with the appliance.

You can use this address to connect t o Net Scaler Gateway and remot ely conﬁgure the initial sett ings. For example, you can

change the IP address, subnet mask, and gateway set tings that were f etched from the DHCP server. After completing the

initial conﬁguration, you can manually return the DHCP IP address to the server pool. Alternatively, restarting the appliance

automatically releases t he DHCP IP address back to the server pool. A restart also saves the NetScaler Gateway

conﬁguration ﬁle.

Example

The f ollowing code example shows an entry in a DHCP server’s dhcpd.leases ﬁle. This entry veriﬁes the binding stat e of the

appliance with a sysid of 4 5eae1a8157e89b9314f.

lease 10.102.33.248 {

starts 3 2009/08/19 00:40:37;

ends 3 2009/08/19 06:40:37;

cltt 3 2009/08/19 00:40:37;

binding state active;

next binding state free;

hardware ethernet 00:d0:68:11:f4:d6;

uid "45eae1a8157e89b9314f";

client-hostname "45eae1a8157e89b9314f";

In the preceding example, the binding stat e is ACTIVE and the IP address assigned to the Net Scaler is 10.102.33.248.

The f ollowing table describes DHCP-related command-line interface commands that you might want t o use when

conﬁguring a new Net Scaler Gateway.

Table 1. Command-line interf ace commands f or using DHCP with a new NetScaler Gateway

Task At the command

prompt , type:

To verif y the DHCP fet ched details, such as IP address, subnet mask, and gateway on the

appliance.

> sh dhcpParams

To release the DHCP IP address and return it t o the IP address pool on the DHCP server

when the appliance conﬁguration is complet e.

> release dhcpIP

Using DHCP When a Conﬁguration File Is Present

If you need to move a NetScaler Gateway appliance to a different subnet, such as from a testing environment to a

production environment, you can use DHCP to access a NetScaler Gateway t hat already has a conﬁguration ﬁle. Bef ore

moving the appliance, enable its DHCP client and save the conﬁguration. As a result , when the appliance restarts, it

automatically polls the DHCP server for an IP address. If you did not enable the DHCP client and save the conﬁgurat ion

before shutt ing down the appliance, you will need to connect t o the appliance through the console and dynamically run

the DHCP client on the appliance. The DHCP server will t hen provide an IP address, a gateway, and a subnet mask. You can

use the IP address to access the appliance and conﬁgure the other settings remotely.

If t he DHCP client is enabled in the conﬁguration ﬁle, you should disable it and then save t he conﬁguration ﬁle. If the DHCP

client is enabled, the appliance will poll the DHCP server again for an IP address when it rest arts.

The f ollowing table lists the command-line interface commands associated with each task.

Table 2. Command-line interf ace commands f or using DHCP with a previously conf igured NetScaler Gateway

Task At the command prompt , type:

To dynamically run the DHCP client to fetch an IP address from the

DHCP server

> set dhcpParams dhcpClient on

To conﬁgure the DHCP client t o run when the appliance restarts > set dhcpParams dhcpClient on

> save conﬁg

To prevent the DHCP client f rom running when the appliance restarts > set dhcpParams dhcpClient off

> save conﬁg

Not e: This is required only if t he ON setting was saved.

The initial conﬁgurat ion of your appliance is complet e.

Accessing an Appliance by Using SSH Keys and No Password

Apr 16, 20 13

In a setup where you have a large number of appliances in a network, you need to store and look up passwords for each

appliance bef ore you can log on to t he appliance. You can set up Secure Shell (SSH) access with public key encryption on

the appliances so that you are not prompted for the password. To do this, generate t he public/private key on the Linux

client and then copy the public key t o the appliance.

To generate the public/private key on a Linux client

1. Change the directory to /root/.ssh.

2. Generate the public and private key pair. At the command prompt, type [root@localhost .ssh]# ssh-keygen -t rsa

3. Press Enter when prompted for a file name to save the key.

4. Press Enter when prompted for a passphrase.

To copy the public key (id_rsa.pub) to the remote appliance

1. Log on to the remote appliance f rom t he Linux client.

2. Change the directory to /nsconfig/ssh. At t he command prompt, type: cd /nsconfig/ssh

3. Change to binary mode and copy t he public key to t his direct ory. At the command prompt, type:

bin

put id_rsa.pub

To set up SSH access with public key encrypt ion on the appliance

1. Open a connection to t he appliance using a t elnet/SSH client, such as PuT T Y.

2. Log on to the appliance using the administrator credentials.

3. At the shell prompt, change the directory to /nsconfig/ssh.

4. Append the public key to the authorized_keys file and change permissions. At the command prompt, type:

cat id_rsa.pub >> authorized_keys

chmod 755 authorized_keys

5. Remove the public key (optional). At t he command prompt, type rm id_rsa.pub

6. At the prompt type t he f ollowing command to complete the conf iguration:

cp authorized_keys /root/.ssh/authorized_keys2

7. Change the directory to /nsconfig. At the prompt type:

cd /nsconﬁg

8. T o prevent your changes from being lost if t he appliance is restarted, add the following line to the rc.netscaler file:

cp /nsconfig/ssh/authorized_keys /root/.ssh/authorized_keys2

Important: If t he /nsconfig directory does not contain a rc.netscaler file, you must creat e one.

To verif y SSH access with public key encryption on the appliance

On the Linux client, verify that you can connect to t he remote appliance using SSH, without entering the password.

At the prompt, type:

ssh nsroot@<NSIPaddress>

You should not receive a prompt for a password.

Example

ssh nsroot@10.102.96.50

NetScaler Gateway Virtual Appliances

Jul 18 , 20 13

Citrix NetScaler Gateway VPX is a virt ual appliance that delivers the same features and functionality as t he physical

appliance. You can deploy NetScaler Gateway VPX as a virtual workload on your own hardware, in addition to or as an

alternative to using a physical appliance.

Like the NetScaler Gateway physical appliance, NetScaler Gateway VPX is a secure applicat ion access solution that

provides administrators granular application-level control while empowering users with access from anywhere. It gives IT

administrators a single point of control to manage access and act ions based on both the user and the endpoint device,

providing better risk, security, and compliance management.

NetScaler Gateway VPX supports the following versions:

NetScaler Gateway 10.1

Access Gateway 10

Access Gateway 9.3, Enterprise Edition

Access Gateway 5.0

You can inst all t he soft ware on your hypervisor of choice and receive the same granular conﬁguration as with the physical

appliance. User connections work the same as with the virt ual appliance and you can use the same settings that you

conﬁgure on the physical appliance.

In This Section

This section of eDocs contains inf ormation about installing, setting up, and conﬁguring the basic settings for NetScaler

Gateway VPX.

Introducing Net Scaler

Gateway VPX

Contains information about the NetScaler Gateway VPX archit ecture and hypervisor

management tools.

System Requirements

for Net Scaler Gateway

VPX

Contains information about speciﬁc hardware, virt ual computer, and operating system

requirements for the hypervisor management consoles and virt ual appliances.

Downloading the

Virtual Image for

NetScaler Gateway

VPX

Contains information about downloading and installing NetScaler Gateway VPX on Citrix

XenServer, VMware ESX, or Microsoft Hyper-V. It also includes information about upgrading

NetScaler Gateway VPX f or 10.1, 10, or 9.3 .

Conﬁguring Net Scaler

Gateway VPX for the

First T ime

Contains instructions for conﬁguring basic settings for NetScaler Gateway VPX for the ﬁrst

time.

Introducing NetScaler Gateway VPX

Jul 18 , 20 13

NetScaler Gateway VPX is a virtual NetScaler Gateway appliance that is hosted on a hypervisor, such as Citrix XenServer.

NetScaler Gateway VPX supports all the features and functionalit y of the physical NetScaler Gateway appliance.

You install the Net Scaler Gateway VPX into your network where it functions as if you installed the physical appliance.

NetScaler Gateway 10.1, and Access Gateway VPX 9.3 or 10 are virtual machine images that you can install and run on any

hardware device that support the f ollowing minimum versions:

XenServer 5 Update 3

VMware ESX Version 3.5

VMware ESXi Version 3.5

Windows Server 2008 R2 with Hyper-V role

Access Gateway VPX 5.0 is supported on the f ollowing hypervisors:

XenServer Version 5.5 and Version 5.6

VMware ESX Version 4.1 and Version 4.1

VMware ESXi Version 4.0 and Version 4.1

For more information about XenServer, see the XenServer documentation. For more information about VMware ESX or

vSphere, or Microsoft Hyper-V, see the manuf act urer's documentation.

Each supported hypervisor also has management software that you use to install and manage virtual appliances. The

soft ware includes:

XenCenter that is the management console for XenServer

vSphere that is the management console for VMware ESX and ESXi

Hyper-V Manager that is the management console for Windows Server 2008 R with the Hyper-V role enabled

These requirements are for the NetScaler Gateway virt ual appliance and are in addit ion to t he hypervisor requirements.

Bef ore you begin installing NetScaler Gateway VPX, do the following:

Obtain the NetScaler Gateway license f iles from t he Citrix web site.

Install XenServer, VMware ESX, VMware ESXi, or Microsof t Hyper-V on hardware that meets the minimum requirements.

Install XenCenter or vSphere on a management computer (or server) that meets the minimum system requirements. For

details about the hardware requirements, see Prerequisit es for Installing NetScaler Gateway VPX on XenServer or

VMware ESX.

This section discusses the Net Scaler Gateway VPX architecture and the management consoles you can use to install and

manage the virt ual appliance.

NetScaler Gateway VPX Architecture

Jul 18 , 20 13

NetScaler Gateway VPX runs on a server virtualization platform that off ers the same functionalit y as t he physical

appliance.

The f ollowing ﬁgureshows the architecture of NetScaler Gateway VPX:

The solution architect ure has the f ollowing components:

Hardware or physical layer:

Physical hardware components, including memory, CPU, network cards, and disk drives.

Hypervisor:

The hypervisor is a thin layer of sof t ware that runs on top of the hardware. The XenServer hypervisor, for example, gives

each virtual machine a dedicated view of the hardware.

Virtual computer:

The operating system hosted on the hypervisor that appears to the user as a separate physical machine. The machine,

however, shares physical resources with other virtual machines. The virtual machine is port able because it is abstracted f rom

the physical hardware.

For example, you install NetScaler Gateway VPX on the hypervisor. The virtual appliance then uses drivers to access storage

and network resources. NetScaler Gateway VPX appears to users as an independent Net Scaler Gateway appliance with its

own network identity, user authorization and authentication capabilities, conﬁguration, and data. T he virtual computers

use the paravirtualizat ion technique, which presents a sof tware interface to virt ual computers that is similar but not

identical to t hat of t he underlying hardware. T his technique enables the virt ual computers and the hypervisor to work

together to achieve high performance f or I/O and for CPU and memory virtualization.

About XenCenter

Jul 18 , 20 13

XenCenter is a graphical virtualizat ion-management interface for XenServer that enables you to manage servers, resource

pools, and shared storage, and to deploy, manage, and monitor virtual machines f rom your Windows-based desktop

comput er.

You use XenCenter to install NetScaler Gateway VPX on XenServer.

For more information about XenCenter, see t he XenServer documentat ion.

Example of a NetScaler Gateway VPX Setup on XenServer

A Net Scaler Gateway VPX setup provides secure remote access t o applications and data.

The f ollowing ﬁgure shows how you can use NetScaler Gateway VPX with XenServer to deliver secure virtual application

access.

As shown in the preceding ﬁgure, NetScaler Gateway VPX, when deployed in front of application servers, act s as a secure

entry point in the internal network for authenticated users.

About vSphere

Jul 18 , 20 13

vSphere is t he management tool that you need to install to use and manage VMware ESX and VMware ESXi.

You use vSphere to install the virt ual image ﬁle (.ova) for Net Scaler Gateway on VMware. You also use vSphere to conﬁgure

the basic settings of t he virtual appliance. For details, see Conﬁguring NetScaler Gateway VPX for the First Time.

For more information about vSphere, see the vSphere documentat ion.

About Microsoft Hyper-V

Jul 18 , 20 13

The NetScaler Gateway VPX set up for the Microsof t Hyper-V platform requires Windows Server 2008 R2 with the Hyper-V

role installed. Like all virt ualization systems, Hyper-V enables you to create a virtualized computing environment that results

in better usage of your hardware resources.

Hyper-V is a type 1 hypervisor that comes preinstalled with Windows Server 2008 R2. It needs to be enabled as a role on the

Windows Server.

For more information about Hyper-V, see the Microsof t web site.

Not e: Only Access Gateway VPX Versions 9.3 and 10 and NetScaler Gateway 10.1 support Microsoft Hyper-V.

System Requirements for NetScaler Gateway VPX

Jul 18 , 20 13

NetScaler Gateway VPX has speciﬁc hardware, virtual computer, and operating syst em requirements for the hypervisor

management consoles. These requirements diff er depending on the version of NetScaler Gateway VPX t hat you install.

This section contains the speciﬁcations for installing NetScaler Gateway VPX on XenServer, VMware ESX or ESXi, and

Microsoft Hyper-V.

Prerequisites for Installing NetScaler Gateway VPX on XenServer or VMware ESX

Jul 18 , 20 13

NetScaler Gateway VPX is supported on the following minimum versions of XenServer and VMware hypervisors:

XenServer 5 with Update 3

VMWare ESX or ESXi 3.5

The f ollowing table describes t he minimum speciﬁcations for the hardware on which the hypervisor—XenServer, VMware

ESX, or VMware ESXi—runs Access Gateway VPX Versions 9.3 or 10, and NetScaler Gateway VPX 10.1.

For VMware system requirements, see the VMware web site.

Minimum requirements for the physical host server include:

Table 1. Minimum Hardware Requirements f or t he Hypervisor Host

CPU Two or more 64-bit x86 CPUs with virt ual assist enabled.

RAM At least 4 gigabytes (GB).

Disk space Locally attached storage (PATA, SATA, SCSI) with minimum of 20 GB of disk space.

Network One 1 Gbps network adapter required; Recommended: Two network adapters of 1 Gbps each.

For NetScaler Gateway VPX installed on VMware, the network adapter should be E1000.

Import ant Notes

To run NetScaler Gateway VPX, you must enable hardware support f or virtualizat ion on the XenServer or VMware ESX

host. Make sure that t he BIOS option for virtualizat ion support is enabled. Consult your BIOS documentation for more

details.

XenServer inst allation creates a 4-GB partition for the XenServer host control domain; the remaining space is available

for Net Scaler Gateway VPX and other virtual machines.

XenServer and VMware must provide adequate virt ual computing resources to the NetScaler Gateway VPX as listed in the

following table.

Table 2. Virtual Computing Resources of NetScaler Gateway VPX

Memory 2 GB for NetScaler Gateway VPX

Virtual CPU (VCPU) Two VCPUs minimum f or NetScaler Gateway VPX

Virtual Network Interfaces For NetScaler Gateway, two virtual network interfaces

Minimum storage requirement 12 GB

Import ant Note

If t he virtual appliance is installed on ESX 3.5 or ESXi 3.5, you can install a maximum of 4 virtual network interfaces. If the

virtual appliance is installed on ESX 4.0, the maximum is 10.

XenCenter System Requirements

XenCenter is a Windows-based application. The application cannot run on the same computer as the XenServer host. The following table describes the syst em requirements for XenCenter.

Table 3. System Requirements f or XenCent er Inst allation

Operating system Windows XP, Windows Server 2003, Windows Vista, or Windows 7

.NET Framework Version 2.0, 3.0, 3.5, or 4

CPU 750 MHz minimum, 1 GHz or faster recommended

RAM 1 GB minimum, 2 GB recommended

Network 100 Mbps or faster network adapter

Prerequisites for Installing NetScaler Gateway VPX on Windows Server 2012 and Windows Server 2008 R2

Dec 23, 20 13

You can inst all Access Gateway VPX 9.3 or 10, and NetScaler Gateway VPX 10.1 on Windows Server 2008 R2 or Windows

Server 2012 with Hyper-V enabled.

Bef ore you begin installing a virtual appliance, do the following:

Enable the Hyper-V role. For more information about this task for Windows Server 2008 R2, see Hyper-V Installation on

the Microsoft website. For more information for Windows Server 2012, see Install the Hyper-V Role and Configure a

Virtual Machine on the Microsoft website.

Download the VPX setup files.

Obtain NetScaler Gateway VPX license f iles.

Windows Server 2008 R2 Hardware Requirements

The f ollowing table describes t he minimum system requirements f or Windows Server 2008 R2.

For more information about Windows Server 2008 R2 system requirements, see Windows Server 2008 System

Requirements.

For information about installing Windows Server 2008 R2, see Installing Windows Server 2008 R2 in the Microsof t Technet

Library.

The f ollowing table lists the virtual computing resources for each NetScaler Gateway VPX running on Hyper-V.

Table 1. Minimum Virtual Computing Resources Required for Running NetScaler Gat eway VPX

Component Requirement

RAM 4 GB

Virtual CPU 2

Disk space 20 GB

Virtual Network Interfaces 1

Downloading the Virtual Image for NetScaler Gateway VPX

Aug 26, 20 13

The virt ual image contains the package that you need in order to install NetScaler Gateway VPX on XenServer, VMware, or

Hyper-V.

For the XenServer installation, the virtual image is a ﬁle with the ﬁle name ext ension of .xva.

For the VMware installation, the virtual image is a ﬁle with the ﬁle name ext ension of .ova.

For the Hyper-V installation on Microsoft Server 2008 R2, the virt ual image is a ﬁle name with the ﬁle name ext ension of

.vhd.

You can get t he virtual image from the Citrix web site after you purchase NetScaler Gateway VPX.

To download NetScaler Gateway VPX

1. Go to t he Citrix web site.

2. Click My Account and log on.

3. Click Downloads.

4. Under Find Downloads, select NetScaler Gateway.

5. In Select Download Type, select Virtual Appliances and then click Find.

6. On the NetScaler Gateway page, expand NetScaler Gateway or Access Gateway.

7. Click the appliance sof tware version you want t o download.

8. On the appliance soft ware page for the version you want to download, select the virtual appliance and then click

Download.

9. Follow the instructions on your screen to download the sof tware.

To install NetScaler Gateway VPX by Using XenCenter

May 11, 20 15

To install NetScaler Gateway VPX on XenServer, you must ﬁrst install XenServer on a computer with adequate hardware

resources. To perform the Net Scaler Gateway VPX installation, you use XenCenter, which you must install on a remote

comput er that can connect to t he XenServer host t hrough the network. After you install Net Scaler Gateway VPX, you can

create virtual hardware components on XenServer. You can then use XenCenter to allocate the components to NetScaler

Gateway VPX.

To use the virt ual image of the NetScaler Gateway sof tware, you need to obtain the exported virtual image ﬁle (.xva) and

use XenCenter to import it to XenServer.

After you have installed and conﬁgured XenServer and XenCenter, you can use XenCenter to install NetScaler Gateway VPX

on XenServer. Each instance of NetScaler Gateway VPX is a virtual NetScaler Gateway appliance running the same ﬁrmware

as a physical appliance.

You can inst all XenCenter on any Windows-based computer in your network. You can download XenCenter from t he

XenServer download page on My Citrix. When you go to the download page, select your version of XenServer and then

select the XenCenter Windows Management Console for your version to download and install XenCenter.

1. Click Start > All Programs > Citrix XenCenter.

2. In the navigation pane, click the name of the XenServer on which you want t o install NetScaler Gateway VPX.

3. On the File menu, click Import.

4. In the Import dialog box, in Import f ile name, browse to the location to which you saved the NetScaler Gateway VPX

.xva image f ile, click Open and then click Next .

5. On the Home server page, select the XenServer on which you want to install Net Scaler Gateway VPX and then click

Next .

6. On the Storage page, select t he local storage repository in which to place the NetScaler Gateway VPX and then click

Import t o begin the import process.

7. On the Network page, click Add t o add one or more virt ual network interfaces and then click Next .

Not e: NetScaler Gateway VPX requires two net work int erfaces— one f or the public (Internet) network and the second

for the internal network.

Caution: You must att ach at least one network interface. If you do not attach a network interface, the virtual appliance

automatically restarts and enters recovery mode. Subsequent logon att empts will fail. You will then need to delete the

virtual appliance and reinstall it.

8. Click Finish to complete t he import process.

Not e: You can click the Logs tab to view the st atus of the import process.

When importing the Net Scaler Gateway virtual image is complete, you can then conﬁgure the basic sett ings for the

appliance. For more information, see Conﬁguring NetScaler Gateway VPX for the First Time.

Installing NetScaler Gateway VPX by Using vSphere

May 11, 20 15

To install NetScaler Gateway VPX on VMware ESX or VMware ESXi, you must ﬁrst install VMware on a comput er with

adequate hardware resources. To perform the Net Scaler Gateway VPX installation, you use vSphere, which you must install

on a remote computer that can connect to t he VMware host through the network. After you install Net Scaler Gateway

VPX, you can create virtual hardware components on VMware and then use vSphere to allocate t hem to Net Scaler

Gateway VPX.

To use the virt ual image of the NetScaler Gateway sof tware, you need to obtain the exported virtual image ﬁle (.ova) and

import it to VMware by using vSphere.

After you install and conﬁgure VMware ESX and vSphere, you can use vSphere to install NetScaler Gateway VPX on

VMware. Each instance of NetScaler Gateway VPX is a virt ual NetScaler Gateway appliance running the same ﬁrmware as a

physical appliance. NetScaler Gateway VPX and Access Gat eway VPX Versions 10 and 9.3 support the VMware hypervisor

and vSphere management tool.

Caution: During installation, you must att ach at least one network interface. If you do not attach a network interface, the virtual appliance will automatically restart and enter recovery mode. Subsequent logon attempts will f ail. You will then need to delete the virt ual appliance and reinstall it.

To import the virtual image ﬁle to the vSphere Client

Make sure that the VMware computer or server is running.

1. Open the VMware vSphere Client. Click St art > VMware > VMware Vsphere Client.

2. Log on with your vSphere credentials.

3. Click File and then click Deploy OVF T emplate. T he Deploy OVF Wizard opens.

4. In Source, select Deploy from file, browse to t he .ova file on your computer, select the file and then click Next .

5. In OVF T emplate Details, click Next.

6. In Name and Locat ion, type a name for the template, such as Citrix Access Gateway and then click Next.

7. In Ready to Complete, confirm the deployment set t ings, such as the host and cluster name, datast ore, and network

mapping and then click Finish.

Expand the IP address and the virtual appliance appears. If you want t o install another Net Scaler Gateway VPX image ﬁle,

repeat St eps 3 through 7.

To turn on the virtual appliance

In the navigation pane, right-click the Citrix Net Scaler Gateway VPX virt ual image, click Power and then click Power On.

Installing NetScaler Gateway VPX on Microsoft Server 2008 R2

Jul 18 , 20 13

To install the Net Scaler Gateway virtual appliance on Microsoft Windows Server 2008 R2, you must ﬁrst install Windows

Server 2008 R2, with the Hyper-V role enabled, on a computer with adequate system resources. While installing the Hyper-V

role, make sure you specify the network adapters on the server that Hyper-V will use t o create the virtual networks. You

can reserve some network adapters for the host . You can use Hyper-V Manager to perform the NetScaler Gateway VPX

installation.

Not e: This functionality is only available in NetScaler Gateway 10.1 and Access Gateway Versions 9.3 and 10. NetScaler Gateway VPX f or Hyper-V is delivered in virtual hard disk (VHD) format. It includes the default conﬁguration for

elements, such as CPU, network interfaces, and hard-disk size, and format.

After you install NetScaler Gateway VPX, you can conﬁgure the net work adapters on NetScaler Gateway VPX and add

virtual network adapters. Next, you assign the Net Scaler Gateway IP address, subnet mask, and default gateway, and then

you complete t he basic conﬁgurat ion of t he virtual appliance.

After you enable the Hyper-V role on Microsof t Server 2008 R2 and extract ed the VPX ﬁles, you can use Hyper-V Manager

to install NetScaler Gateway VPX. After you import the virtual appliance, you need to conﬁgure the virtual network

adapters by associating them to the virtual networks created by Hyper-V.

You can configure a maximum of eight virtual network adapters. Even if the physical network adapter is down, the virtual appliance assumes that t he virtual network adapter is up, because it can still communicate with the ot her virtual appliances on the same host (server). Not e: You cannot change any settings while the virt ual appliance is running. Shut down the virt ual appliance and then make changes.

To install NetScaler Gateway VPX by using Hyper-V Manager

1. To st art Hyper-V Manager, click Start, point to Administrative Tools, and then click Hyper-V Managers.

2. In the navigation pane, under Hyper-V Manager, select the server on which you want t o install NetScaler Gateway VPX.

3. On the Action menu, click Import Virtual Machine.

4. In the Import Virtual Machine dialog box, in Location, specify the pat h of the folder that contains the Net Scaler

Gateway VPX sof t ware f iles and then select Copy the virtual machine (create a new unique ID). This folder is the parent

folder that contains the Snapshots, Virt ual Hard Disks, and Virt ual Machines f olders.

Not e: If you received a compressed file, make sure that you extract t he f iles into a folder before you specify the path to

the folder.

5. Click Import.

6. Verify that the virt ual appliance that you imported is list ed under Virtual Machines.

7. T o install another virtual appliance, repeat steps 2 t hrough 6.

Important: Make sure that you ext ract the f iles to a diff erent f older in step 4.

To conﬁgure virtual network adapters f or NetScaler Gateway VPX

1. Select t he virtual appliance that you imported, and then on the Action menu, select Settings.

2. In the Set tings f or <virtual appliance name> dialog box, click Add Hardware in the left pane.

3. In the right pane, from the list of devices, select Net work Adapter.

4. Click Add.

5. Verify that Network Adapter (not connected) appears in the left pane.

6. Select the net work adapter in the left pane.

7. In the right pane, from the Net work drop-down list, select t he virtual network to connect the adapter to.

8. T o select the virtual network for additional network adapters that you want t o use, repeat steps 6 and 7.

9. Click Apply, and then click OK.

To conﬁgure NetScaler Gateway VPX

1. Right -click the virtual appliance t hat you previously inst alled and then click St art.

2. Access the console by double-clicking t he virtual appliance.

3. T ype t he NetScaler Gateway IP address, subnet mask, and default gateway f or your virtual appliance.

You have complet ed the basic configurat ion of your virtual appliance. Type t he IP address in a Web browser to access the configuration utility f or the virtual appliance.

Conﬁguring NetScaler Gateway VPX for the First Time

Dec 27, 20 13

After you import the virtual appliance to your hypervisor of choice, you can then conﬁgure the init ial settings for the virt ual

appliance.

Conﬁguring Basic Sett ings for NetScaler Gateway VPX

On Net Scaler Gateway VPX 10.1 and Access Gat eway VPX 9.3 or 10, you can conﬁgure the initial settings by either running

a script in the command line or by using the Setup Wizard in the conﬁguration utility. If you are using XenCenter or VMWare

ESX or ESXi, you can click t he Console tab, log on to NetScaler Gateway and then run the script .

To access t he conﬁguration utility f or the ﬁrst time t o conﬁgure basic settings, type the NetScaler Gateway IP address

default IP address into t he address ﬁeld of any web browser. You must be running a minimum of Java RunTime Environment

(JRE) Version 1.6.

Conﬁguring Basic Sett ings for Access Gateway VPX 5.0

After installing an inst ance of the Access Gateway VPX 5.0, you need to access the virtual appliance to conﬁgure the basic

settings. When the installation is complete, you conﬁgure settings on the Console tab in the XenCenter Console or in

vSphere. You conﬁgure the basic sett ings of the Access Gat eway VPX as you would for a physical appliance that you

connect using a serial cable and the serial console.

For details on using the command line to conﬁgure initial network settings, see Deﬁning Net work Set t ings on the Access

Gateway Appliance by Using Express Setup.

You can use the XenCenter or vSphere serial console to set the IP address and subnet of the network adapter that is called

eth0, as well as the IP address of the default gat eway device. For Access Gateway VPX 5.0, you use the management

console. You can also use the XenCenter or vSphere console to t est a connect ion by using the PING command.

Access Gateway VPX requires two network interfaces— one for the public (Internet) network and the second for the

internal network. For Access Gat eway VPX 5.0, you can conﬁgure up t o f our network interfaces.

Caution: You must att ached at least one network interface. If you do not attach a network interface, the virtual appliance will automatically rest art and enter recovery mode. Subsequent logon att empts will fail. You will then need to delete the virtual appliance and reinstall it. In Access Gateway VPX 5.0, you can select a management role for a network adapter that administrators use to connect

to the management console and, optionally, to connect with Secure Shell (SSH) to t he appliance. For details, see

Designating Network Adapters for Speciﬁc Uses. On the same Networking panel in the management console, you can

conﬁgure two Access Gateway appliances as a failover pair. You must designate an appliance failover role for a network

adapter on each appliance in the pair to support healthy monitoring trafﬁc and to synchronize session information. For

details, see How Appliance Failover Works on Access Gateway 5.0.

Conﬁguring Basic Sett ings for Access Gateway VPX 4.6

After installing an inst ance of the Access Gateway VPX 4 .6, you need to access the virtual appliance t o conﬁgure the basic

settings. When the installation is complete, you conﬁgure settings on the Console tab in the XenCenter console. You

conﬁgure the basic settings of Access Gateway VPX as you would for a physical appliance that you connect using a serial

cable and the serial console.

For details on using the command line to conﬁgure initial network settings, see Access Gat eway 4.6 St andard Edition

documentation in the eDocs archive.

You can use the XenCenter serial console to set t he IP address and subnet of t he net work adapter that is called eth0, as

well as the IP address of the default gateway device. For Access Gat eway VPX 4.6, you use the Administration Tool to

conﬁgure all other settings. You can also use the XenCenter console to t est a connection by using the PING command.

Access Gateway VPX requires two network interfaces— one for the public (Internet) network and the second for the

internal network. For Access Gat eway VPX 4.6, you cannot conﬁgure more than two network interfaces.

Access Gateway VPX 4.6 and 5.0 supports both one-arm and two-arm modes:

One-arm mode uses one virtual network interface f or inbound and outbound connections. In one-arm mode, a single IP

address is assigned to Access Gateway. T he def ault configuration of Access Gateway is one-arm mode.

Two-arm mode uses two virtual network interfaces, one for external and one f or internal connections. In two-arm

mode, two IP addresses are assigned to Access Gateway— one for the external interface and one for the internal

interface.

Upgrading NetScaler Gateway VPX

Jul 18 , 20 13

After you install NetScaler Gateway VPX on your hypervisor, you can then upgrade to new versions of the sof t ware by

using the same method that you use for the physical appliance.

You can upgrade the software that resides on NetScaler Gateway when new releases are made available. You can check

for updates on the Citrix Web site. You can upgrade to a new release only if your NetScaler Gateway licenses are under the

Subscription Advantage program when the update is released. You can renew Subscription Advantage at any t ime. For more

information, see the Citrix Web site.

When a new version is released, you download the .tgz ﬁle to your computer, copy the ﬁle to the NetScaler Gateway virt ual

appliance, and then upgrade by using either the command line or the conﬁguration utility.

For the most recent Access Gateway 9.3, Enterprise Edition maintenance release readme, see article CTX129345 in the

Citrix Knowledge Center.

For the most recent Access Gateway 10 maintenance release readme, see article CT X133966 in the Citrix Knowledge

Center.

To download the VPX soft ware for your NetScaler Gateway version, see Downloading the Virtual Image for NetScaler

Gateway VPX.

To upgrade NetScaler Gateway by using the Upgrade Wizard

1. In the configuration utility, in the navigation pane, click Syst em.

2. In the details pane, click Upgrade Wizard.

3. Click Next and then follow the directions in the wizard.

To upgrade NetScaler Gateway by using a command prompt

1. Upload the software to NetScaler Gateway by using a secure FTP client, such as WinSCP, to connect to the appliance.

2. Copy the sof tware from your computer to the /var/nsinstall directory on the appliance.

3. Use a Secure Shell ( SSH) client, such as PuTT Y, t o open an SSH connection to the appliance.

4. Log on to Net Scaler Gateway.

5. At a command prompt , type: shell

6. T o change to the nsinstall directory, at a command prompt, type: cd /var/nsinstall

7. T o view the contents of t he direct ory, type: ls

8. T o unpack the sof tware, type: tar –xvzf build_X_XX.tgz

where build_X_XX.tgz is the name of the build to which you want to upgrade.

9. T o st art t he installation, at a command prompt , type: ./installns

10. When the installation is complete, restart Net Scaler Gateway.

After Net Scaler Gateway restarts, to verify successf ul installation, start t he conﬁguration utility. The NetScaler Gateway

version that is on the appliance appears in the upper-right corner.

Deleting the NetScaler Gateway Virtual Image

Jul 09, 20 13

If a virt ual image is no longer required, you can use XenCenter or vSphere to delete t he virtual image. Deleting a virt ual

image is the same as disconnect ing the physical appliance from your network and removing it from the rack.

Not e: When you delete the virt ual appliance from XenCenter, if you do not delete t he attached virtual disks, the virtual disks consume disk space in the XenServer resource pool.

To delet e the virtual image in XenCenter

1. Start XenCenter on your computer.

2. In the navigation pane, right-click a NetScaler Gateway virtual image and then click Shut Down.

3. WhenNetScaler Gateway is shut down, right-click the virt ual image and then click Delete.

4. Select Delete att ached virtual disks and then click OK.

To delet e the virtual image in vSphere

1. Open the VMware vSphere Client.

2. In the navigation pane, right-click the NetScaler Gateway virt ual image, click Power and then click Power Off .

3. When NetScaler Gateway is shut down, right-click the virt ual image and then click Delete f rom Disk.

To delet e the virtual image in Microsoft Hyper-V

To delete t he virtual image from Microsof t Hyper-V, you use the Hyper-V Manager. You can use the following guidelines:

Remove all snapshots f rom t he virtual image.

Shut down the virtual image.

1. Remove all snapshots f rom t he virtual image.

2. Shut down the virtual image.

3. Right-click t he virtual image and click Delete.

4. Click Delete again.

This procedure removes the virtual image, but does not remove the virtual image ﬁles. To remove all the ﬁles, browse to the

location where the virtual image is stored and delete t he parent f older.

Importing NetScaler Gateway VPX to VMware

Jul 18 , 20 13

To install NetScaler Gateway VPX on VMware ESX or VMware ESXi, you must ﬁrst install VMware on a comput er with

adequate hardware resources. To perform the Net Scaler Gateway VPX installation, you use vSphere, which you must install

on a remote computer that can connect to t he VMware host through the network. After you install Net Scaler Gateway

VPX, you can create virtual hardware components on VMware and then use vSphere to allocate t hem to Net Scaler

Gateway VPX.

To use the virt ual image of the NetScaler Gateway sof tware, you need to obtain the exported virtual image ﬁle (.ova) and

import it to VMware by using vSphere.

Former Access Gateway Appliance

Apr 18 , 2013

The Model 2010 appliance supports Access Gat eway 5.0. You can install t he model 2010 in the DMZ or the secure network.

The preconﬁgured IP address of Access Gateway 5.0 on the Model 2010 is 10.20.30.40. To change the IP address, you can

use a serial cable and a terminal emulation program, or you can connect Access Gateway by using network cables and the

Access Gateway Management Console in Access Gateway 5.0.

Model 2010 Speciﬁcations

Sep 16, 20 10

The Model 2010 appliance is a standard 1U 19 inch rack-mountable appliance that supports up to 500 concurrent users.

The 2010 appliance has the following ports:

Two front-mounted 10/100/1000 Et hernet ports

One RS232 f ront-mounted serial console port

One rear-facing USB port

Prerequisites for Installing Access Gateway VPX Version 5.0 or 4.6

Sep 18 , 20 12

The f ollowing table describes t he minimum speciﬁcations for the hardware on which the hypervisor—XenServer, VMware

ESX, or VMware ESXi—runs Access Gateway VPX.

Table 1. Minimum Hardware Requirements f or t he Hypervisor Host

CPU One or more 64-bit x86 CPUs

RAM At least 2 gigabytes (GB)

Disk

space

Locally attached storage (PATA, SATA, SCSI) with minimum of 40 GB of disk space.

General disk space requirements f or Access Gateway VPX: XenServer inst allation creates a 4-GB partition

for the XenServer host control domain; remaining space is available for Access Gat eway VPX and other

virtual machines.

Network One 1 Gbps network adapter required; Recommended: Two network adapters of 1 Gbps each

To install XenServer, see the XenServer Installation Guide on the Citrix Support Web site.

To install VMware, see the manufact urer's documentat ion.

XenServer and VMware must provide adequate virt ual computing resources to the Access Gat eway VPX as list ed in the following table.

Table 2. Virtual Computing Resources of Access Gat eway VPX

Memory 1 GB for Access Gat eway VPX 4 .6

From 1 up to 4 GB f or Access Gateway VPX 5.0

Virtual CPU (VCPU) One VCPU minimum, two VCPUs recommended for better performance. Access Gateway VPX

can support up to eight cores.

Virtual Network

Interfaces

For Access Gat eway VPX 4.6, you can use one or two virt ual network interfaces.

For Access Gat eway VPX 5.0, you can use up to four virtual network interfaces.

Minimum St orage

Requirement

12 GB

XenCenter System Requirements

XenCenter is a Windows-based application. The application cannot run on the same computer as the XenServer host. The following table describes the syst em requirements for XenCenter:

Table 3. System Requirements f or XenCent er Inst allation

Operating system Windows XP, Windows Server 2003, Windows Vista, or Windows 7

.NET Framework Version 2.0, 3.0, 3.5, or 4

CPU 750 MHz minimum, 1 GHz or faster recommended

RAM 1 GB minimum, 2 GB recommended

Network 100 Mbps or faster network adapter

For VMware system requirements, see the VMware Web site.

Setting Up the Model 2010 Appliance

May 16, 20 11

The f ollowing procedures describe how t o set up the Access Gateway Model 2010 appliance for the ﬁrst t ime.

To physically connect the Access Gateway appliance

1. Install Access Gateway in a rack if it is rack-mounted.

2. Connect the power cord to t he AC power receptacle.

3. Connect either the serial cable to a Windows-based computer, a cross-over cable to a Windows-based comput er, or an

RJ-45 network cable to a network switch and Access Gateway.

4. Configure the T CP/IP set t ings by following the instructions in Configuring the Model 2010 Appliance.

Figure 1. Access Gateway connection options using a cross-over cable, a network switch, or terminal emulation

Installing the Model 2010 Appliance in a Rack

May 16, 20 11

The f ollowing sect ions explain how to install the Access Gateway Model 2010 appliance in a rack:

Identifying the Sect ions of the Rack Rails for the 2010 Appliance

Installing the 2010 Appliance in a Four-Post Rack

Identif ying the Sections of the Rack Rails f or the 2010 Appliance

The 2010 appliance is delivered with a set of inner rails in two sections: inner rails and inner rail extensions. The inner rails are

attached to the appliance and do not interfere with normal use of t he appliance if you choose not to install the appliance

in a rack.

The f ollowing illustration shows the sections of the outer rails f or the Model 2010 appliance and how you should attach

them to the rack.

Figure 1. Access Gateway Model 2010 rails

To identify the sections of the rack rails for the 2010 appliance

Attach the inner rail extension to stabilize t he appliance within the rack.

Installing the 2010 Appliance in a Four-Post Rack

The steps f or inst alling the 2010 appliance in a four-post rack are:

Installing the inner rail extensions on the appliance

Installing the outer rails to t he rack

Installing the appliance in the rack

To install the inner rail extension

1. Place t he inner rack extensions on the side of t he appliance, aligning the hooks of the appliance with the rail extension

holes. Make sure the ext ension faces outward like the preattached inner rail.

2. Slide t he extension toward the front of the chassis.

3. Secure the chassis with the t wo screws.

4. Repeat t he above steps to mount t he rack on the other side of the appliance.

The f ollowing illustration shows how you should attach the right-side rail rack sect ions to t he appliance.

Figure 2. Attaching the rail rack sections to the right side of t he appliance

When the rails are attached to the appliance, install the outer rails t o the rack.

To install the outer rails to the rack

1. Attach the short bracket to the outside of the long bracket. The pins must be aligned wit h the slides. Both bracket ends

must f ace the same direction.

2. Adjust both the short and long bracket s to t he correct distance so the rail f its t ightly into the rack.

3. Secure the long bracket to the front side of the outer rail with two M5 screws and the short bracket t o the rear side of

the outer rail with three M5 screws.

4. Repeat t he above steps f or the second rail.

Figure 3. Assembling the outer rails to t he rack

Figure 4 . Installing the outer rails to t he server rack

When the rails are installed in the rack, you can install Access Gateway.

To install the appliance in the rack

1. Confirm that the appliance includes the inner rails (A) and rail extensions (B). Confirm that the outer rails (C) are installed

on the rack.

2. Line up the rails on the appliance (A and B) with the front of the rack rails (C).

3. Slide t he appliance rails into t he rack rails, keeping the pressure even on both sides. You might have to depress the locking

tabs during insertion. When the appliance is pushed completely into the rack, you should hear the locking tabs click.

4. (Optional) Insert and tighten the thumbscrews t hat hold the front of the appliance to the rack.

Figure 5. Installing the Access Gateway into the rack

Installing the 2010 Appliance in a Two-Post Rack

If you are installing the appliance in a two-post (Telco) rack, follow the directions given on the previous pages f or rack

installation. The only dif f erence in the installation procedure is the positioning of the rack brackets to t he rack. Space t hem

apart just enough to accommodate the width of t he Telco rack, as shown in the following illustration.

Figure 6. Installing the Access Gateway in a two-post (Telco) rack

Turning on the Model 2010 Appliance

Jan 25, 20 11

After you install t he Access Gateway appliance in a rack and connect the cables, you are ready to turn on the appliance.

1. Verify that you are connect ed to the appliance through a console or Ethernet port.

This step will ensure that you can conﬁgure the appliance after you turn it on.

2. Plug in the power cable.

Not e: The model 2010 appliance does not have a power switch, so the appliance turns on when you plug it in.

As it turns on, the appliance hums, and various lights on the surface ﬂash. After a f ew seconds, the rapid changes in sound

and lights become a steady hum.

Conﬁguring the Model 2010 Appliance

Nov 12, 20 12

You can use a serial console to conﬁgure the initial settings of Access Gateway. You can use t he serial console to set the IP

address and subnet of t he net work adapter that is called Interface 0, as well as the IP address of the default gateway

device. You conﬁgure subsequent settings using the Management Console in Access Gateway 5.0 or the Administration

Tool in Access Gateway 4 .6.

For more information about conf iguring Access Gat eway to work in your network, see the f ollowing:

If you are using Access Gateway 5.0, see Access Gateway 5.0.

If you are using Access Gateway 4.6, download the Access Gat eway 4.6, St andard Edition PDF.

Replacing the Secure Gateway with NetScaler Gateway

Jul 15, 20 13

If you currently use the Secure Gateway to enable remote access to servers running Citrix XenApp or Cit rix XenDesktop,

you can replace the Secure Gateway with Citrix NetScaler Gateway.

One of the beneﬁts of choosing the appliance-based NetScaler Gateway includes support f or additional applications and

protocols. The sof t ware-based Secure Gateway is limit ed to support trafﬁc on computers running XenApp or XenDesktop.

Therefore, organizat ions that use t he Secure Gateway might also deploy a remote access solution for other types of

internal resources, adding more expense and work for administrators.

NetScaler Gateway can handle your organizat ion’s remote access needs by securing traf ﬁc to applications hosted by

XenApp, desktops hosted by XenDesktop, as well as access t o internal resources, such as email, internal Web applicat ions,

and network ﬁle shares. NetScaler Gateway, like the Secure Gateway, supports connections between Citrix online plug-ins,

Desktop Receiver, and published resources in single-hop and double-hop DMZ deployments.

Not e: When NetScaler Gateway is deployed in a double-hop DMZ, only connect ions between online plug-ins and published applicat ions are supported. In this scenario, NetScaler Gateway does not support connect ions to addit ional internal resources by using the NetScaler Gateway Plug-in. The benefits of replacing the Secure Gateway with NetScaler Gateway include:

Replacing one or two Windows servers in the DMZ.

Allowing f or additional VPN f unctionalit y while maintaining the ability t o access published applications and desktops.

Allowing a broad range of user devices to connect to published applications in t he secure network using Cit rix online

plug-ins.

The f ollowing ﬁgure shows a Secure Gateway deployment with the Web Interface in the DMZ with connect ions to

comput ers running XenApp.

Figure 1. Secure Gateway deployment

In this deployment, the Secure Gateway is running on a Windows server in the DMZ. T he Web Interface is also deployed in

the DMZ. XenApp or XenDesktop is running in the secure network. The Secure Ticket Authority (STA) is installed and

conﬁgured automatically on XenApp and XenDesktop. If you have multiple servers running XenApp, you can receive

ticketing informat ion from the STA on one server and published applications or desktops f rom another server.

The f ollowing ﬁgure shows the NetScaler Gateway deployment in the DMZ with the Web Interface located in the secure

network:

Figure 2. NetScaler Gateway deployment

When the Secure Gateway is removed f rom the DMZ and replaced with NetScaler Gateway, you have the option of

moving the Web Interface to the secure network. NetScaler Gateway authenticat es and authorizes users and then

connects t o the Web Interface. This scenario provides greater security because t here are two f ewer Windows servers in

the DMZ.

Important: When the Web Interface is placed in the secure network, you must configure authenticat ion and authorizat ion on Net Scaler Gateway.

Migrating from the Secure Gateway to NetScaler Gateway

Jul 15, 20 13

This topic discusses how to prepare to migrate from the Secure Gateway t o NetScaler Gateway, and the t wo migration

options you can choose: In-place migration or parallel migration.

Preparing to Migrate

Bef ore migrating from the Secure Gateway t o Net Scaler Gateway, consider the following:

Make sure that user devices meet system requirements. For more information about syst em requirements, see t he

appropriate guide for the Citrix online plug-in.

Make sure port 443, the default security port on the firewall is open between the Internet and NetScaler Gateway. T his

requirement is identical in a Secure Gateway deployment.

Install NetScaler Gateway. For details, see t he installation instructions for your NetScaler Gateway appliance.

Acquire and install the appropriate certificates on NetScaler Gateway. These include:

Server certificate f or NetScaler Gateway

Root certificat es for NetScaler Gateway, Secure Ticket Authority (ST A), and user devices

Configure the net works that users can connect to t hrough NetScaler Gateway.

Migrating Options

You can choose f rom t he f ollowing two options for migrating from the Secure Gateway t o Net Scaler Gateway:

In-place migrat ion, in which you transfer the certificate and fully qualif ied domain name (FQDN) on the Secure Gateway

to NetScaler Gateway

Parallel migration, in which you obtain a new signed certificat e and FQDN f or NetScaler Gateway

Each option is valid; however, the in-place migration has the potential to temporarily disrupt access to internal resources

when compared with a new installation.

After the migration is complete, users can log on with their current credentials and do not have t o perform any

conﬁguration to their device. Each option requires minimal user support.

Performing an In-Place Migration

When you choose an in-place migration from the Secure Gateway t o NetScaler Gateway, you export the Secure Gateway

certiﬁcat e, upload it to NetScaler Gateway and bind it to a virtual server.

The certificate must be in PEM f ormat before you can install it on NetScaler Gateway. If you are unfamiliar with the process of converting certificates, Citrix recommends a new installation of NetScaler Gateway and the use of a new certificate. Important: If you are transferring a certificate f rom t he Secure Gateway to Access Gateway Enterprise Edition, the FQDN of t he certificate installed on the virtual server must match the FQDN of the Secure Gateway. With this option, you cannot take a phased approach because t wo identical FQDNs cannot reside on the same network. An in-place migration is identical to a new installation of Net Scaler Gateway, except f or the following it ems:

You use the Secure Gateway certificate on NetScaler Gateway

The FQDN on the Net Scaler Gateway certificat e must match the FQDN of the Secure Gateway

Although in-place migration result s in the least amount of user support (users do not need to be notiﬁed of a new Web

address), if any mistakes are made in the conﬁguration of t he NetScaler Gateway t hat were not identiﬁed by proper

testing procedures, all of your users are directly impact ed. Mistakes could prevent users from logging on or connecting t o

published applications or desktops in the server farm.

Performing a Parallel Migration

Citrix recommends as a best practice that you run Secure Gateway parallel to NetScaler Gateway until all users are properly

migrated to the appliance. To perform a parallel migration, you need to do the following:

Obtain a new FQDN and certificate.

Provide users with a new Web address for accessing resources to users.

Provide users with a dat e when they will start using NetScaler Gateway.

A parallel migration gives you a greater level of control over conﬁguration. You can undertake a phased migration approach,

rather than transferring all users at one time as you would do during an in-place migration. You can migrate users to

NetScaler Gateway in groups, thereby preventing downtime f or connections.

Performing a parallel migration is identical to a new installation of NetScaler Gateway. You follow the steps t o install the

appliance, licenses, and certiﬁcates, in addition to conﬁguring authentication and other settings on the appliance. Users

continue to connect t o the Secure Gateway until conﬁguration of Net Scaler Gateway is complete. T he Secure Gateway

runs parallel to NetScalter Gateway until you migrate all users successfully to the new environment. T his option requires

you to purchase or generate a new server certiﬁcate. A signiﬁcant beneﬁt, however, is that users do not experience a

disrupt ion in their access t o internal resources.

To perform a parallel migration to NetScaler Gateway, complete the following steps:

1. Install NetScaler Gateway.

This step conﬁgures t he basic TCP/IP set tings for NetScaler Gateway.

2. Configure t he STA settings on Net Scaler Gateway to connect to resources on comput ers running XenApp.

Not e: You can add more than one server running the ST A t o the list. The list of servers must be identical to t he servers

configured f or the Web Interface.

3. Install a server certificate on Net Scaler Gateway to secure client connections.

Not e: To use names that you can resolve for the ST A and Web Interface, conf igure your Domain Name Syst em (DNS)

servers.

4. Configure the settings in the Web Interface f or user access.

5. Remove the Web Interface f rom the DMZ and place it in the secure network.

Not e: You can also remove the server running t he Secure Gateway from the DMZ and the server can be repurposed for

another role.

6. Af ter Net Scaler Gateway is installed in your network, creat e a t est user on Net Scaler Gateway to test the connection.

If you have conﬁgured single sign-on to the Web Interface, users are logged on automatically and have access to published

applicat ions and desktops. If not , users log on to t he Web Interface and can then can access t heir published applications or

desktops.

Citrix NetScaler MPX User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual