Citrix Systems NETSCALER 9.3 User Manual

Citrix NetScaler Administration Guide
Citrix® NetScaler® 9.3
Copyright and Trademark Notice
© CITRIX SYSTEMS, INC., 2012. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC.
ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL.
CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler appliance. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:
Move the NetScaler equipment to one side or the other of your equipment.
Move the NetScaler equipment farther away from your equipment.
Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product.
BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.
Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 © Carnegie Mellon University. All rights reserved. Copyright © David L. Mills 1993, 1994. Copyright © 1992, 1993, 1994, 1997 Henry Spencer. Copyright © Jean-loup Gailly and Mark Adler. Copyright © 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright © Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright © 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright © 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright © UNIX System Laboratories, Inc. Copyright © 2001 Mark R V Murray. Copyright 1995-1998 © Eric Young. Copyright © 1995,1996,1997,1998. Lars Fenneberg. Copyright © 1992. Livingston Enterprises, Inc. Copyright © 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright © 1991-2, RSA Data Security, Inc. Created 1991. Copyright © 1998 Juniper Networks, Inc. All rights reserved. Copyright © 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 1999-2001 © The Open LDAP Foundation. All Rights Reserved. Copyright © 1999 Andrzej Bialecki. All rights reserved. Copyright © 2000 The Apache Software Foundation. All rights reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) 1997-2004 University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt Thomas.
All rights reserved. Copyright © 2000 Jason L. Wright. Copyright © 2000 Theo de Raadt. Copyright © 2001 Patrik Lindergren. All rights reserved.
Last Updated: March 2012
Document code: May 21 2012 05:40:33

Contents

Preface..................................................................................................17
Formatting Conventions for NetScaler Documentation .....................................17
Documentation Available on the NetScaler Appliance .....................................18
Getting Service and Support ................................................................19
NetScaler Documentation Feedback ........................................................19
1 Authentication and Authorization..................................................................21
Configuring Users and Groups...............................................................22
Configuring User Accounts.............................................................22
To create a user account by using the NetScaler command line.................22
To modify or remove a user account by using the NetScaler command line.....23
Parameters for configuring a user account.......................................23
To configure a user account by using the configuration utility....................24
Configuring User Groups...............................................................24
To create a user group by using the NetScaler command line................... 24
To modify or remove a user group by using the NetScaler command line ...... 25
To bind a user to a group by using the NetScaler command line................ 25
To unbind a user from a group by using the NetScaler command line...........25
Parameters for configuring a user group .........................................26
To configure a user group by using the configuration utility...................... 26
Configuring Command Policies..............................................................27
Built-in Command Policies..............................................................27
Creating Custom Command Policies...................................................28
To create a command policy by using the NetScaler command line............. 30
To modify or remove a command policy by using the NetScaler command line......30
Parameters for configuring a command policy....................................30
To configure a command policy by using the configuration utility................ 31
Binding Command Policies to Users and Groups......................................31
To bind command policies to a user by using the NetScaler command line..... 32
To unbind command policies from a user by using the NetScaler command line......32
Parameters for binding a command policy to a user..............................32
To bind command policies to a user by using the configuration utility............32
To bind command policies to a group by using the NetScaler command line......33
To unbind command policies from a group by using the NetScaler command line......33
Parameters for binding a command policy to a group ...........................33
To bind command policies to a group by using the configuration utility..........34
Resetting the Default Administrator (nsroot) Password.....................................34
To reset the nsroot password...........................................................34
Example of a User Scenario.................................................................35
Configuration steps.....................................................................36
Configuring External User Authentication...................................................37
Configuring LDAP Authentication.......................................................38
To configure LDAP authentication by using the configuration utility..............40
Determining attributes in the LDAP directory.....................................41
Configuring RADIUS Authentication....................................................42
To configure RADIUS authentication by using the configuration utility...........42
Choosing RADIUS authentication protocols......................................42
Configuring IP address extraction.................................................43
Configuring TACACS+ Authentication..................................................44
To configure TACACS+ authentication by using the configuration utility.........44
Configuring NT4 Authentication........................................................44
To configure NT4 authentication by using the configuration utility...............45
Binding the Authentication Policies to the System Global Entity......................45
To bind an authentication policy globally by using the configuration utility.......45
To unbind a global authentication policy by using the configuration utility.......45
2 SNMP..................................................................................................47
Importing MIB Files to the SNMP Manager and Trap Listener..............................48
To import the MIB files to the SNMP manager and trap listener.......................48
Configuring the NetScaler to Generate SNMPv1 and SNMPv2 Traps.....................48
Enabling or Disabling an SNMP Alarm.................................................49
To enable or disable an SNMP alarm by using the command line...............49
To enable or disable an SNMP alarm by using the configuration utility..........49
Configuring Alarms......................................................................50
To configure an SNMP alarm by using the command line........................50
Parameters for configuring SNMP alarms........................................50
To configure SNMP alarms by using the configuration utility.....................51
Configuring Traps.......................................................................51
To add an SNMP trap by using the NetScaler command line....................51
Parameters for configuring SNMP traps ..........................................52
To configure SNMP Traps by using the configuration utility .....................52
Enabling Unconditional SNMP Trap Logging..........................................53
To enable or disable unconditional SNMP trap logging by using the NetScaler command line......53
Parameters for unconditional SNMP trap logging ................................54
To enable or disable unconditional SNMP trap logging by using the configuration utility......54
Configuring the NetScaler for SNMP v1 and v2 Queries....................................54
Specifying an SNMP Manager..........................................................54
To add an SNMP manager by using the NetScaler command line...............55
To add an SNMP manager by specifying its IP address, using the NetScaler command line......55
To add an SNMP manager by specifying its host name, using the NetScaler command line......56
Parameters for configuring an SNMP manager ..................................56
To add an SNMP manager by using the configuration utility ....................57
Specifying an SNMP Community.......................................................58
To specify an SNMP community by using the NetScaler command line ........58
Parameters for configuring an SNMP community string .........................58
To configure an SNMP community string by using the configuration utility .....58
To remove an SNMP community string by using the configuration utility........59
Configuring SNMP Alarms for Rate Limiting................................................59
Configuring an SNMP Alarm for Throughput or PPS..................................59
To configure an SNMP alarm for the throughput rate by using the NetScaler command line......60
To modify or remove the threshold values by using the NetScaler command line......60
To modify or remove the threshold values by using the NetScaler command line......61
Parameters for configuring an SNMP alarm for throughput or PPS .............61
To configure an SNMP alarm for throughput or PPS by using the configuration utility......62
Configuring SNMP Alarm for Dropped Packets........................................62
To configure an SNMP alarm for packets dropped because of excessive throughput, by using the NetScaler command line......62
To configure an SNMP alarm for packets dropped because of excessive PPS, by using the NetScaler command line......62
Parameters for configuring an SNMP alarm for dropped packets................63
To configure an SNMP alarm for dropped packets by using the configuration utility......63
Configuring the NetScaler for SNMPv3 Queries............................................63
Setting the Engine ID...................................................................64
To set the engine ID by using the NetScaler command line......................65
Parameters for setting the engine ID .............................................65
To set the engine ID by using configuration utility ................................65
Configuring a View......................................................................65
To add an SNMP view by using the NetScaler command line....................65
Parameters for configuring an SNMP view .......................................66
To configure an SNMP view by using the configuration utility ...................66
Configuring a Group.....................................................................66
To add an SNMP group by using the NetScaler command line..................66
Parameters for configuring an SNMP group .....................................67
To configure an SNMP group by using the configuration utility ..................67
Configuring a User......................................................................67
To configure a user by using the NetScaler command line.......................67
Parameters for configuring an SNMP user .......................................68
To configure an SNMP user by using the configuration utility ...................68
3 Audit Logging........................................................................................71
Configuring the NetScaler Appliance for Audit Logging.....................................73
Configuring Audit Servers...............................................................73
To configure a SYSLOG server action by using the command line..............73
To configure an NSLOG server action by using the command line..............74
Parameters for configuring auditing servers ......................................74
Log levels defined..................................................................75
To configure an auditing server action............................................76
Configuring Audit Policies...............................................................76
To configure a SYSLOG policy by using the command line......................76
To configure an NSLOG policy by using the command line......................77
Parameters for configuring audit policies .........................................77
To configure an audit server policy................................................78
Binding the Audit Policies Globally.....................................................78
To configure a SYSLOG policy by using the command line......................78
Parameters for binding the audit policies globally................................78
To globally bind the audit policy...................................................79
Configuring Policy-Based Logging......................................................79
Prerequisites.....................................................................79
Configuring an Audit Message Action.............................................79
Binding Audit Message Action to a Policy.........................................81
Installing and Configuring the NSLOG Server...............................................81
Installing NSLOG Server on the Linux Operating System.............................82
To install the NSLOG server package on a Linux operating system.............82
To uninstall the NSLOG server package on a Linux operating system..........83
Installing NSLOG Server on the FreeBSD Operating System.........................83
To download NSLOG package from www.Citrix.com.............................83
To install the NSLOG server package on a FreeBSD operating system.........84
To uninstall the NSLOG server package on a FreeBSD operating system......84
Installing NSLOG Server Files on the Windows Operating System...................84
To download NSLOG package from www.Citrix.com.............................85
To install NSLOG server on a Windows operating system.......................85
To uninstall the NSLOG server on a Windows operating system................86
NSLOG Server Command Options.....................................................86
Adding the NetScaler Appliance IP Addresses on the NSLOG Server................87
To add the IP addresses of the NetScaler appliance.............................87
Verifying the NSLOG Server Configuration File........................................88
Running the NSLOG Server.................................................................88
To start audit server logging............................................................88
To stop audit server logging that starts as a background process in FreeBSD or Linux......88
To stop audit server logging that starts as a service in Windows......................88
Customizing Logging on the NSLOG Server................................................89
Creating Filters..........................................................................89
To create a filter ...................................................................89
Specifying Log Properties...............................................................90
Default Settings for the Log Properties......................................................91
Sample Configuration File (audit.conf).......................................................92
4 Web Server Logging.................................................................................93
Configuring the NetScaler Appliance for Web Server Logging.............................94
Enabling or Disabling Web Server Logging............................................94
To enable or disable Web server logging by using the NetScaler command line......94
To enable or disable Web server logging by using the configuration utility......95
Modifying the Default Buffer Size.......................................................95
To modify the buffer size by using the NetScaler command line ................95
Parameter for modifying the buffer size...........................................95
To modify the buffer size by using the configuration utility........................96
Installing and Configuring the Client System for Web Server Logging.....................96
Installing NSWL Client on a Solaris Operating System................................97
To install the NSWL client package on a Solaris operating system.............. 97
To uninstall the NSWL client package on a Solaris operating system........... 98
Installing NSWL Client on a Linux Operating System..................................98
To install the NSWL client package on a Linux operating system................98
To uninstall the NSWL client package on a Linux operating system ............ 99
To get more information about the NSweblog RPM file ..........................99
To view the installed Web server logging files ....................................99
Installing NSWL Client on a FreeBSD Operating System.............................99
To install the NSWL client package on a FreeBSD operating system............99
To uninstall the NSWL client package on a FreeBSD operating system.......100
Installing NSWL Client on a Mac OS Operating System.............................100
To install the NSWL client package on a Mac OS operating system...........100
To uninstall the NSWL client package on a Mac OS operating system.........101
Installing NSWL Client on a Windows Operating System............................101
To download NSWL client package from www.Citrix.com.......................101
To install the NSWL client on a Windows system...............................101
To uninstall the NSWL client on a Windows system.............................102
Installing NSWL Client on an AIX Operating System.................................102
To install the NSWL client package on an AIX operating system...............102
To uninstall the NSWL client package on an AIX operating system............102
To get more information about the NSweblog RPM file.........................103
To view the installed Web server logging files...................................103
NSWL Client Command Options......................................................103
Adding the IP Addresses of the NetScaler Appliance................................104
To add the NSIP address of the NetScaler appliance...........................104
Verifying the NSWL Configuration File................................................105
To verify the configuration in the NSWL configuration file.......................105
Running the NSWL Client..................................................................105
To start Web server logging...........................................................105
To stop Web server logging started as a background process on the Solaris or Linux operating systems......105
To stop Web server logging started as a service on the Windows operating system......105
Customizing Logging on the NSWL Client System........................................105
Creating Filters.........................................................................106
To create a filter ..................................................................107
To create a filter for a virtual server .............................................107
Specifying Log Properties.............................................................107
Understanding the NCSA and W3C Log Formats....................................109
NCSA Common Log Format.....................................................109
W3C Extended Log Format......................................................110
Entries.............................................................................111
Directives..........................................................................111
Fields..............................................................................112
Identifiers..........................................................................112
Creating a Custom Log Format........................................................114
Creating a Custom Log Format by Using the NSWL Library....................114
Creating a Custom Log Format Manually........................................115
Creating Apache Log Formats...................................................116
Sample Configuration File..................................................................116
Arguments for Defining a Custom Log Format.............................................118
Time Format Definition......................................................................121
5 Advanced Configurations..........................................................................125
Configuring Clock Synchronization.........................................................126
Setting Up Clock Synchronization by Using the CLI or the Configuration Utility.....126
To add an NTP server by using the NetScaler command line..................126
To modify or remove NTP servers by using the NetScaler command line......127
Parameters for configuring an NTP server......................................127
To configure an NTP server by using the configuration utility...................127
Starting or Stopping the NTP Daemon................................................128
To enable or disable NTP synchronization by using the NetScaler command line......128
To enable or disable NTP synchronization by using the configuration utility...128
Configuring Clock Synchronization Manually.........................................128
To enable clock synchronization on your NetScaler by modifying the ntp.conf file......128
Viewing the System Date and Time........................................................129
To view the system date and time by using the NetScaler command line...........129
To view the system date and time by using the configuration utility..................130
Configuring TCP Window Scaling..........................................................130
To configure window scaling by using the NetScaler command line.................131
Parameters for configuring window scaling...........................................131
To configure window scaling by using the configuration utility.......................132
Configuring Selective Acknowledgment....................................................132
To enable Selective Acknowledgment (SACK) by using the NetScaler command line......132
To enable SACK by using the Configuration Utility...................................133
Clearing the Configuration..................................................................133
To clear a configuration by using the NetScaler command line......................133
Parameters for clearing a configuration...............................................134
To clear a configuration by using the configuration utility.............................134
Viewing the HTTP Band Statistics..........................................................134
To view HTTP request and response size statistics by using the NetScaler command line......134
To view HTTP request and response size statistics by using the configuration utility......135
To modify the band range by using the NetScaler command line....................135
Parameters for modifying the band range for HTTP request or response size statistics......135
To modify the band range by using the configuration utility..........................136
Configuring HTTP Profiles..................................................................136
To add an HTTP profile by using the NetScaler command line......................136
Parameters for adding an HTTP profile...............................................137
To add an HTTP profile by using the configuration utility.............................138
Configuring TCP Profiles...................................................................138
To add a TCP profile by using the NetScaler command line.........................139
Parameters for creating a TCP profile................................................140
To add a TCP profile by using the configuration utility................................141
Specifying a TCP Buffer Size...............................................................142
To set the TCP buffer size in an entity-level TCP profile by using the NetScaler command line......142
Example...........................................................................143
To set the TCP buffer size in the global TCP profile by using the NetScaler command line......143
Example...........................................................................143
Parameters for setting the TCP buffer size in a TCP profile..........................144
To set the TCP buffer size in a TCP profile by using the NetScaler configuration utility......144
Optimizing the TCP Maximum Segment Size for a Virtual Server Configuration.........144
Specifying the MSS Value in a TCP Profile...........................................145
To specify the MSS value in a TCP profile by using the NetScaler command-line......145
Parameters for specifying the MSS value in a TCP profile......................145
To specify the MSS value in a TCP profile by using the NetScaler configuration utility......145
Configuring the NetScaler to Learn the MSS Value from Bound Services...........146
To configure the NetScaler to learn the MSS for a virtual server by using the NetScaler command-line......146
Parameters for configuring the NetScaler to learn the MSS for a virtual server......147
To configure the NetScaler to learn the MSS for a virtual server by using the NetScaler configuration utility......147
6 Web Interface........................................................................................149
How Web Interface Works..................................................................150
Prerequisites................................................................................150
Installing the Web Interface.................................................................151
To install the Web interface and JRE tar files by using the NetScaler command line
......................................................................................... 151
Parameters for installing the Web interface and JRE tar files .......................152
To install the Web interface and JRE tar files by using the configuration utility......152
Configuring the Web Interface..............................................................152
Parameters for configuring Web interface sites.......................................153
Configuring a Web Interface Site for LAN Users Using HTTP.......................155
To configure a Web interface site for LAN users using HTTP by using the
configuration utility................................................................156
To configure a Web interface site for LAN users using HTTP by using the
command line.....................................................................158
Configuring a Web Interface Site for LAN Users Using HTTPS......................159
To configure a Web interface site for LAN users using HTTPS by using the
configuration utility................................................................159
To configure a Web interface site for LAN users using HTTPS by using the
command line.....................................................................161
Configuring a Web Interface Site for Remote Users Using AGEE...................163
To configure a Web interface site for remote users using AGEE by using the
configuration utility................................................................164
To configure a Web interface site for remote users using AGEE by using the
command line.....................................................................165
7 AppFlow
How AppFlow Works
Flow Records
Templates
Configuring the AppFlow Feature
Enabling or Disabling the AppFlow Feature
To enable or disable the AppFlow feature by using the NetScaler command line
To enable the AppFlow feature by using the configuration utility
Specifying a Collector
To specify a collector by using the NetScaler command line
To remove a collector by using the NetScaler command line
Parameters for specifying a collector
To specify a collector by using the configuration utility
Configuring an AppFlow Action
To configure an AppFlow action by using the NetScaler command line
To modify or remove an AppFlow action by using the NetScaler command line
Parameters for configuring an AppFlow action
To configure an AppFlow action by using the configuration utility
Configuring an AppFlow Policy
To configure an AppFlow policy by using the NetScaler command line
To modify or remove an AppFlow policy by using the NetScaler command line
Parameters for configuring an AppFlow policy
To configure an AppFlow policy by using the configuration utility
To add an expression by using the Add Expression dialog box
Binding an AppFlow Policy
To globally bind an AppFlow policy by using the NetScaler command line
To bind an AppFlow policy to a specific virtual server by using the NetScaler command line
Parameters for binding an AppFlow policy
To globally bind an AppFlow policy by using the configuration utility
To bind an AppFlow policy to a specific virtual server by using the configuration utility
Enabling AppFlow for Virtual Servers
To enable AppFlow for a virtual server by using the NetScaler command line
To enable AppFlow for a virtual server by using the configuration utility
Enabling AppFlow for a Service
To enable AppFlow for a service by using the NetScaler command line
To enable AppFlow for a service by using the configuration utility
Setting the AppFlow Parameters
To set the AppFlow Parameters by using the NetScaler Command Line
To return AppFlow parameters to their default values by using the NetScaler command line
AppFlow Parameters
To set the AppFlow parameters by using the configuration utility
8 Reporting Tool
Using the Reporting Tool
To invoke the Reporting tool
Working with Reports
Using Built-in Reports
Creating and Deleting Reports
Modifying the Time Interval
Setting the Data Source and Time Zone
Exporting and Importing Custom Reports
Working with Charts
Adding a Chart
Modifying a Chart
Viewing a Chart
Deleting a Chart
Examples
To display the trend report for CPU usage and memory usage for the last week
To compare the bytes received rate and the bytes transmitted rate between two interfaces for the last week
Stopping and Starting the Data Collection Utility
To stop nscollect
To start nscollect on the local system
To start nscollect on the remote system
Example

Preface

Learn about the Citrix® NetScaler® collection of documentation, including information about support options and ways to send us feedback.
In This Preface:
• Formatting Conventions for NetScaler Documentation
• Documentation Available on the NetScaler Appliance
• Getting Service and Support
• NetScaler Documentation Feedback
For information about new features and enhancements for this release, see the Citrix NetScaler 9.3 Release Notes at http://support.citrix.com/article/CTX128669.

Formatting Conventions for NetScaler Documentation

The NetScaler documentation uses the following formatting conventions.
Table 1. Formatting Conventions
Convention: Meaning
Boldface: In text paragraphs or steps in a procedure, information that you type exactly as shown (user input), or an element in the user interface.
Monospace: Text that appears in a command-line interface. Used for examples of command-line procedures. Also used to distinguish interface terms, such as names of directories and files, from ordinary text.
<angle brackets>: A term enclosed in angle brackets is a variable placeholder, to be replaced with an appropriate value. Do not enter the angle brackets.
[ brackets ]: Optional items in command statements. For example, in the following command, [ -range <positiveInteger> ] means that you have the option of entering a range, but it is not required:
add lb vserver <name> <serviceType> <IPAddress> <port> [ -range <positiveInteger>]
Do not type the brackets themselves.
| (vertical bar): A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:
<lbMethod> = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH | LRTM | CALLIDHASH | CUSTOMLOAD )
… (ellipsis): You can repeat the previous item or items in command statements. For example, /route:<DeviceName>[ ,…] means you can type additional <DeviceNames> separated by commas.

Documentation Available on the NetScaler Appliance

A complete set of Citrix® NetScaler® documentation is available on the Documentation tab of your NetScaler appliance, at http://support.citrix.com/ (PDF version), and at http://edocs.citrix.com (HTML version). (The PDF version of the documents requires Adobe Reader, available at http://adobe.com/.)
To view the documentation
1. From a Web browser, log on to the NetScaler Appliance.
2. Click the Documentation tab.
3. To view a short description of each document, hover the mouse pointer over the title. To open a document, click the title.

Getting Service and Support

Citrix® offers a variety of resources for support with your Citrix environment, including the following:
• The Knowledge Center is a self-service, Web-based technical support database that contains thousands of technical solutions, including access to the latest hotfixes, service packs, and security bulletins.
• Technical Support Programs for both software support and appliance maintenance are available at a variety of support levels.
• The Subscription Advantage program is a one-year membership that gives you an easy way to stay current with the latest product version upgrades and enhancements.
• Citrix Education provides official training and certification programs on virtually all Citrix products and technologies.
For more information about Citrix services and support, see the Citrix Systems Support Web site at http://www.citrix.com/lang/English/support.asp.
You can also participate in and follow technical discussions offered by the experts on various Citrix products at the following sites:
• http://community.citrix.com
• http://twitter.com/citrixsupport
• http://forums.citrix.com/support

NetScaler Documentation Feedback

You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send an email to nsdocs_feedback@citrix.com. In the subject line, specify "Documentation Feedback." Please include the title of the guide and the page number in the email message.
You can also provide feedback through the Knowledge Center at http://support.citrix.com/.
To provide feedback at the Knowledge Center home page
1. Go to the Knowledge Center home page at http://support.citrix.com/.
2. On the Knowledge Center home page, under Products, expand NetScaler, and then click the NetScaler release for which you want to provide feedback.
3. On the Documentation tab, click the guide name, and then click Article Feedback.
4. On the Documentation Feedback page, complete the form, and then click Submit.
Chapter 1

Authentication and Authorization

Topics:
• Configuring Users and Groups
• Configuring Command Policies
• Resetting the Default Administrator (nsroot) Password
• Example of a User Scenario
• Configuring External User Authentication
To configure Citrix® NetScaler® authentication and authorization, you must first define the users who have access to the NetScaler appliance, and then you can organize these users into groups. After configuring users and groups, you need to configure command policies to define types of access, and assign the policies to users and/or groups.
You must log on as an administrator to configure users, groups, and command policies. The default NetScaler administrator user name is nsroot. After logging on as the default administrator, you should change the password for the nsroot account. Once you have changed the password, no user can access the NetScaler appliance until you create an account for that user. If you forget the administrator password after changing it from the default, you can reset it to nsroot.

Configuring Users and Groups

You must define your users by configuring accounts for them. To simplify the management of user accounts, you can organize them into groups.
You can also customize the NetScaler command-line prompt for a user. Prompts can be defined in a user’s configuration, in a user-group configuration, and in the global configuration. The prompt displayed for a given user is determined by the following order of precedence:
1. Display the prompt as defined in the user's configuration.
2. Display the prompt as defined in the group configuration for the user’s group.
3. Display the prompt as defined in the system global configuration.
You can now specify a time-out value for inactive CLI sessions for a system user. If a user's CLI session is idle for a time that exceeds the time-out value, the NetScaler appliance terminates the connection. The time-out can be defined in a user’s configuration, in a user-group configuration, and in the global configuration. The time-out for inactive CLI sessions for a user is determined by the following order of precedence:
1. Time-out value as defined in the user's configuration.
2. Time-out value as defined in the group configuration for the user’s group.
3. Time-out value as defined in the system global configuration.

Configuring User Accounts

To configure user accounts, you simply specify user names and passwords. You can change passwords and remove user accounts at any time.
To create a user account by using the NetScaler command line
At the NetScaler command prompt, type the following command to create a user account and verify the configuration:
• add system user <userName> [-promptString <string>] [-timeout <secs>]
• show system user
Example
> add system user user1
Enter password:
Confirm password:
Done
> add system user johnd -promptString user-%u-at-%T
Enter password:
Confirm password:
Done
> show system user
1) User name: nsroot
2) User name: user1
3) User name: johnd Prompt String: user-%u-at-%T Prompt Inherited From: User
Done
To modify or remove a user account by using the NetScaler command line
• To modify a user's password, type the set system user <userName> command and the parameters to be changed, with their new values.
• To remove a user account, type the rm system user <userName> command.
Parameters for configuring a user account
userName (User Name)
A name for the user. The name can begin with a letter, number, or the underscore symbol, and can consist of from 1 to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols.
password (Password)
A password that the user uses to log on.
promptString (CLI Prompt)
A name for the user’s NetScaler command-line prompt. The name can consist of letters, numbers, the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), underscore (_) symbols, and the following variables:
• %u is replaced by the user name.
• %h is replaced by the host name of the NetScaler appliance.
• %t is replaced by the current time in 12-hour format.
• %T is replaced by the current time in 24-hour format.
• %d is replaced by the current date.
• %s is replaced by the state of the NetScaler appliance.
A maximum of 63 characters are allowed for this parameter. A variable (for example, %u) is counted as two characters. The resulting prompt can be longer than 63 characters.
timeout (CLI Idle Session Timeout (Secs))
Time-out value, in seconds, for inactive CLI sessions for a system user. If a user's CLI session is idle for a time that exceeds the time-out value, the NetScaler appliance terminates the connection.
To configure a user account by using the configuration utility
1. In the navigation pane, expand System and click Users.
2. In the details pane, do one of the following:
• To create a user account, click Add.
• To modify an existing user account, select the user, and then click Open.
3. In the Create System User or Configure System User dialog box, set the following parameters:
User Name* (Cannot be changed for an existing user.)
Password*
Confirm Password*
CLI Prompt
CLI Idle Session Timeout (Secs)
* A required parameter
4. Click Create or OK, and then click Close. A message appears in the status bar, stating that the user has been configured successfully.

Configuring User Groups

After configuring a user group, you can easily grant the same access rights to everyone in the group. To configure a group, you create the group and bind users to the group. You can bind each user account to more than one group. Binding user accounts to multiple groups may allow more flexibility when applying command policies.
To create a user group by using the NetScaler command line
At the NetScaler command prompt, type the following commands to create a user group and verify the configuration:
• add system group <groupName> [-promptString <string>] [-timeout <secs>]
• show system group
Example
> add system group Managers -promptString Group-Managers-at-%h
Done
> show system group
1) Group name: group1
2) Group name: Managers Prompt String: Group-Managers-at-%h
Done
To modify or remove a user group by using the NetScaler command line
• To modify a user group, type the set system group <groupName> command and the parameters to be changed, with their new values.
• To remove a user group, type rm system group <groupName>.
To bind a user to a group by using the NetScaler command line
At the NetScaler command prompt, type the following commands to bind a user account to a group and verify the configuration:
• bind system group <groupName> -userName <userName>
• show system group <groupName>
Example
> bind system group Managers -userName user1
Done
> bind system group Managers -userName johnd
Done
> show system group Managers
Group name: Managers
Prompt String: Group-Managers-at-%h
User name: user1
User name: johnd
Done
> show system user user1
User name: user1
Prompt String: Group-Managers-at-%h
Prompt Inherited From: Group
Group name: Managers
Done
> show system user johnd
User name: johnd
Prompt String: user-%u-at-%T
Prompt Inherited From: User
Group name: Managers
Done
To unbind a user from a group by using the NetScaler command line
At the NetScaler command prompt, type the following commands to unbind a user account and verify the configuration:
• unbind system group <groupName> -userName <userName>
• show system group <groupName>
Parameters for configuring a user group
groupName (Group Name)
A name for the group you are creating. The name can begin with a letter, number, or the underscore symbol, and can consist of from 1 to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. (Cannot be changed for existing groups.)
userName
The name that was assigned to a previously configured user.
promptString (CLI Prompt)
A name for the NetScaler command-line prompt for all the users that are part of this group. The name can consist of letters, numbers, the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), underscore (_) symbols, and the following variables:
• %u is replaced by the user name.
• %h is replaced by the host name of the NetScaler appliance.
• %t is replaced by the current time in 12-hour format.
• %T is replaced by the current time in 24-hour format.
• %d is replaced by the current date.
• %s is replaced by the state of the NetScaler appliance.
A maximum of 63 characters are allowed for this parameter. A variable (for example, %u) is counted as two characters. The resulting prompt can be longer than 63 characters.
timeout (CLI Idle Session Timeout (Secs))
Time-out value, in seconds, for inactive CLI sessions for all the users that are part of this group. If a user's CLI session is idle for a time that exceeds the time-out value, the NetScaler appliance terminates the connection.
To configure a user group by using the configuration utility
1. In the navigation pane, expand System, and then click Groups.
2. In the details pane, do one of the following:
• To create a new user group, click Add.
• To modify an existing user group, select the group, and then click Open.
3. In the Create System Group or Configure System Group dialog box, set the following parameters:
Group Name* (Required for a new group. Cannot be changed for an existing group.)
CLI Prompt
CLI Idle Session Timeout (Secs)
* A required parameter
4. Under Members, select users from the Available Users list and click Add to move them to the Configured Users list.
5. Click Create or OK, and then click Close. A message appears in the status bar, stating that the group has been configured successfully.

Configuring Command Policies

Command policies regulate which commands, command groups, vservers, and other entities users and user groups are permitted to use.
The Citrix® NetScaler® appliance provides a set of built-in command policies, and you can configure custom policies. To apply the policies, you bind them to users and/or groups.
Here are the key points to keep in mind when defining and applying command policies.
• You cannot create global command policies. Command policies must be bound directly to NetScaler users and groups.
• Users or groups with no associated command policies are subject to the default (DENY-ALL) command policy, and are therefore unable to execute any configuration commands until the proper command policies are bound to their accounts.
• All users inherit the policies of the groups to which they belong.
• You must assign a priority to a command policy when you bind it to a user account or group account. This enables the NetScaler to determine which policy has priority when two or more conflicting policies apply to the same user or group.
• The following commands are available by default to any user and are unaffected by any command you specify:
help cli, show cli attribute, clear cli prompt, alias, unalias, help, history, quit, exit, whoami, config, set cli mode, unset cli mode, show cli mode, set cli prompt, and show cli prompt.

Built-in Command Policies

The following table describes the built-in policies.
Table 1-1. Built-in Command Policies
Policy name: Allows
read-only: Read-only access to all show commands except show runningconfig, show ns.conf, and the show commands for the NetScaler command group.
operator: Read-only access and access to commands to enable and disable services and servers or place them in ACCESSDOWN mode.
network: Full access, except to the set and unset SSL commands, sh ns.conf, sh runningconfig, and sh gslb runningconfig commands.
superuser: Full access. Same privileges as the nsroot user.

Creating Custom Command Policies

Regular expression support is offered for users with the resources to maintain more customized expressions, and for those deployments that require the flexibility that regular expressions offer. For most users, the built-in command policies are sufficient. Users who need additional levels of control but are unfamiliar with regular expressions may want to use only simple expressions, such as those in the examples provided in this section, to maintain policy readability.
When you use a regular expression to create a command policy, keep the following in mind.
• When you use regular expressions to define commands that will be affected by a command policy, you must enclose the commands in double quotation marks. For example, to create a command policy that includes all commands that begin with show, type the following:
"^show .*$"
To create a command policy that includes all commands that begin with rm, type the following:
"^rm .*$"
• Regular expressions used in command policies are not case sensitive.
The following table lists examples of regular expressions:
Table 1-2. Examples of Regular Expressions for Command Policies
Command specification: Matches these commands
"^rm\s+.*$": All remove actions, because all remove actions begin with the rm string, followed by a space and additional parameters and flags.
"^show\s+.*$": All show commands, because all show actions begin with the show string, followed by a space and additional parameters and flags.
"^shell$": The shell command alone, but not combined with any other parameters or flags.
"^add\s+vserver\s+.*$": All create vserver actions, which consist of the add vserver command followed by a space and additional parameters and flags.
"^add\s+(lb\s+vserver)\s+.*": All create lb vserver actions, which consist of the add lb vserver command followed by a space and additional parameters and flags.
The following table shows the command specifications for each of the built-in command policies.
Table 1-3. Expressions Used in the Built-in Command Policies
Policy name: Command specification regular expression
read-only: (^man.*)|(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)
operator: (^man.*)|(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)|(^set.*-accessdown.*)|(^(enable|disable) (server|service).*)
network: ^(?!shell)\S+\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*
superuser: .*
To create a command policy by using the NetScaler command line
At the NetScaler command prompt, type the following commands to create a command policy and verify the configuration:
• add system cmdPolicy <policyname> <action> <cmdspec>
• sh system cmdPolicy
Example
> add system cmdPolicy read_all ALLOW (^show\s+(!system)(!ns ns.conf)(!ns runningConfig).*)|(^stat.*)
Done
> sh system cmdPolicy
1) Command policy: operator
2) Command policy: read-only
3) Command policy: network
4) Command policy: superuser
5) Command policy: allow_portaladmin
6) Command policy: read_all
Done
To modify or remove a command policy by using the NetScaler command line
• To modify a command policy, type the set system cmdPolicy <PolicyName> command and the parameters to be changed, with their new values.
• To remove a command policy, type rm system cmdPolicy <PolicyName>.
Note: The built-in command policies cannot be removed.
Parameters for configuring a command policy
policyname
A name for the command policy you are creating. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. (Cannot be changed for existing policies.)
action
The action the policy applies when the command specification pattern matches. Possible values: ALLOW, DENY
cmdspec
Rule (expression) that the policy uses for pattern matching.
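To review what a set of bound command policies actually permits before assigning it, the following added example (not Citrix code and not part of the original guide) evaluates the Table 1-3 expressions and the DENY-ALL default offline. It assumes that Python's re module approximates the appliance's regular-expression matching, that the binding with the lowest priority number is evaluated first, and that the first matching policy decides; Binding, effective_decision, audit, and the sample command list are hypothetical names constructed for illustration.

```python
import re
from collections import namedtuple

# Built-in command specifications, copied from Table 1-3 of this guide.
_READ = r"(^man.*)|(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)"
BUILTIN = {
    "read-only": _READ,
    "operator": _READ + r"|(^set.*-accessdown.*)|(^(enable|disable) (server|service).*)",
    "network": r"^(?!shell)\S+\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*",
    "superuser": r".*",
}

# Commands the guide lists as available to any user regardless of policy.
ALWAYS_ALLOWED = (
    "help cli", "show cli attribute", "clear cli prompt", "alias", "unalias",
    "help", "history", "quit", "exit", "whoami", "config", "set cli mode",
    "unset cli mode", "show cli mode", "set cli prompt", "show cli prompt",
)

# One policy bound to a user or group. ASSUMPTION: the lowest priority number
# is evaluated first; the guide only says that priority resolves conflicts.
Binding = namedtuple("Binding", "policy action cmdspec priority")

# Constructed sample of commands worth checking for any non-administrator.
SENSITIVE = [
    "shell",
    "show ns runningConfig",
    "show ns ns.conf",
    "show system user",
    "add system user user2",
    "set system user nsroot",
    "rm lb vserver web1",
]


def spec_matches(cmdspec, command):
    """True if the command specification matches the command.

    The guide states that command-policy expressions are not case sensitive.
    ASSUMPTION: search semantics as in re.search; the built-in expressions
    anchor themselves with ^ where they need to.
    """
    return re.search(cmdspec, command, re.IGNORECASE) is not None


def effective_decision(command, user_bindings, group_bindings=()):
    """Return (action, deciding policy) for one command.

    Users inherit the policies of their groups, so both binding lists are
    merged; an account with no matching policy falls through to DENY-ALL.
    """
    cmd = " ".join(command.split())  # collapse repeated whitespace
    low = cmd.lower()
    if any(low == a or low.startswith(a + " ") for a in ALWAYS_ALLOWED):
        return ("ALLOW", "default-command")
    merged = sorted(list(user_bindings) + list(group_bindings),
                    key=lambda b: b.priority)
    for b in merged:
        if spec_matches(b.cmdspec, cmd):
            return (b.action, b.policy)
    return ("DENY", "DENY-ALL")


def audit(user_bindings, group_bindings=(), commands=SENSITIVE):
    """List the commands from `commands` that the bindings would allow."""
    return [c for c in commands
            if effective_decision(c, user_bindings, group_bindings)[0] == "ALLOW"]


if __name__ == "__main__":
    for name, spec in BUILTIN.items():
        allowed = audit([Binding(name, "ALLOW", spec, 1)])
        print(f"{name:10s} allows: {allowed or 'none of the sampled commands'}")

    # A custom DENY only takes effect if it outranks a broader ALLOW.
    group = [Binding("network", "ALLOW", BUILTIN["network"], 10)]
    for prio in (1, 20):
        user = [Binding("no_rm", "DENY", r"^rm\s+.*$", prio)]
        print(prio, effective_decision("rm lb vserver web1", user, group))
```

Running the same audit against a proposed custom expression before binding it shows whether it exposes shell, the running configuration, or system user commands.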