Citrix Netscaler License Types


Melchior Dow

Jul 21, 2024, 3:35:24 PM
to romuterfri

When importing VPX into a hypervisor, you can use VM advanced configuration parameters to set the NSIP. See CTX128250 How to Auto-Provision NetScaler VPX Appliance on a VMware ESX or ESXi Host, and CTX128236 How To Auto-Provision NetScaler VPX on XenServer.

In Citrix ADC Standard Edition or higher, some Citrix Gateway Universal Licenses are included in your Citrix ADC platform license. There is no need to allocate a license file for these built-in licenses.

Citrix Gateway VPX Enterprise Edition does not come with any Gateway Universal Licenses. Citrix Gateway VPX Enterprise Edition is a Gateway-only edition that has fewer features than Citrix ADC Standard Edition.

If you need more Gateway Universal licenses than your ADC Edition provides, then you can acquire Gateway Universal licenses by purchasing Citrix Virtual Apps and Desktops (CVAD) Premium Edition, Citrix Endpoint Management Enterprise Edition, or a la carte. Then allocate the additional Citrix Gateway Universal licenses at mycitrix.com.

NetScaler Console (formerly known as Citrix ADM) can upgrade firmware. NetScaler Console can also schedule the firmware upgrade instead of doing it immediately. NetScaler Console does a precheck to make sure there are no upgrade issues. For more details, see Creating Maintenance Tasks at NetScaler Docs.

Configure High Availability as soon as possible to ensure that almost all configurations are synchronized across the two appliances. The synchronization exceptions are mainly network interface configurations (e.g. LACP).

If you are configuring a Citrix ADC MPX (physical appliance), and if you plugged in multiple cables, and if more than one of those cables is configured on the switch for the same VLAN(s), then you must bond the interfaces together by configuring a Port Channel.

To configure Port Channels on a Citrix ADC, you can either enable LACP, or you can configure a Channel manually. If your switch is configured for LACP, do the following on Citrix ADC to enable LACP on the member interfaces.

You can also configure the Citrix ADC for switch-independent teaming. Create a Channel manually, but select a Channel ID that starts with LR instead of LA. This is called Link Redundancy or Redundant Interface Set.

Channels can be configured so that a High Availability failover occurs when the Channel throughput drops below a configured value. For example, if you have four members in a Channel, you might want a High Availability failover to occur when two of the member interfaces fail.

The Citrix ADC will, by default, store a few syslogs on the local appliance. You can create a syslog policy to also send the syslog entries to an external server, like Citrix Application Delivery Management (ADM).

From the Citrix ADC release notes: Call Home is now enhanced to send Citrix ADC usage metrics to Citrix Insight Services (CIS) periodically. Citrix collects the data to understand how the appliance works and how to improve the product. By default, Call Home sends the metrics once in every 7 days. For more information, see Call Home at Citrix Docs.

Load balancing of LDAP servers is strongly recommended. If you bind multiple LDAP servers instead of load balancing them, Citrix ADC will try each of the LDAP servers, and for incorrect passwords, will lock out the user sooner than expected. But if you instead load balance your LDAP servers, the authentication attempt will only be sent to one of them.

Hi Carl, thanks for your reply. If I create a net_profile to specify the SNIP address as source it does not overwrite the /32 route that is present to route to the management server. Sounds logical. As the default route is pointing to the internet. I guess the only thing we can do is enable management on the SNIP. There is a firewall behind it anyway.

We have a customer that has an HA pair but they want to configure HA pair only via data port where SNIP resides. Also they want that when the time management network down still the status of HA is normal and the access to applications still working.

No problem, noted.
The Gateway had the cert assigned (although the chain was incomplete). I have then recreated it using the gateway wizard and it now works (with the cert chain still incomplete), so not sure where I had gone wrong!

NSVLAN restricts the NSIP to a VLAN, which is restricted to an interface channel. I think HA heartbeat still uses all interfaces unless you disable HA Heartbeat on those interfaces. HA Sync is on the NSIP interface/VLAN.

I have a new pair of MPX 5901.
For simplicity, NSIP, SNIP, VIP will be on the same subnet, I will use one interface in NetScaler, is it OK?
Could you provide more best practices design (one arm, two arm) for us? Thank you again.

Hi Taylor, did you find an answer to this question? We are currently having the same interrogation over here. Our vmxnet3 NICs are recognized as 1G instead of 10G. We know that we could use SR-IOV to achieve that, but vmxnet3 should be able to do 10G.

Thanks for the fast response. Before shutting down both ADCs, which would make the whole system unavailable, I first tried another idea (with the snapshots ready to revert to, in case it would fail ;).
I disabled synchronization on both sides, updated secondary, failover, updated other one, enabled synchronization, force synchronization on both sides.
It seems to work fine, did you see any danger in this approach?

MBF handles reply traffic. PBR handles routing of traffic initiated by the NSIP (e.g., syslog, SNMP, etc.). If ADC only has a route through a SNIP network then ADC might use the SNIP instead. You can do a nstcpdump.sh to see what source IP ADC is using.

Hi Carl, is there any benefit of using multiple subnets and VLANs for different load balanced services vs if using single network and single VLAN on which you have a SNIP and NSIP and same SNIP is talking to different backend servers? Our Cybersecurity team is proposing to use different subnet, VLAN and SNIP of each service we load balance through ADC. Thanks.

From an ISO image? Is this a physical machine with Linux OS? In that case you should be running the BLX image. Or is this a virtual machine? If so, deploy a VPX. In either case, you can move your configs to the new appliances.

Sir,
I have a query. My NSIP is on a different subnet, and SNIP, VIP & LB IPs are on a different subnet & VLAN.
Could you please let me know what network routing I need to do in this scenario?
Traffic is allowed from firewall even though nothing is working.

However, do you have any idea why this would be happening? Is there some gotcha with the free license that comes built into the appliance? If I look at the license item in the config menu, none is listed, but the summary says I have the free express license and that I am licensed for load balancing.

UAG sends HTTP traffic to Connection Servers through the load balancing VIP. Once the user launches a session, the connection is now PCoIP or Blast. UAG sends PCoIP or Blast directly to the Horizon Agent, not through a load balancer.

Hi Carl, I just deployed an ADC VPX 13 on VMware. I notice the Guest OS is Oracle Solaris 10 (64-bit). Is this correct or do I need to change it to FreeBSD? So far the ADC is running fine without any issue.

Hi Carl, thanks for your detailed guides, they have been invaluable in setting up our new environment! Could you tell me which Netscaler licence would be required to provide users with a web interface via NS to our storefront? I have been told (and purchased) Citrix Gateway Advanced VPX is correct but when I load the licence Web Interface is not listed as a licenced option?

Are you trying to host HTML pages on your NetScaler? NetScaler has an old Web Interface feature, and a WebFront feature that nobody used. Most people just proxy HTTP to the StoreFront servers and let HTML be served by StoreFront. See -gateway-12-ica-proxy/

You have a Citrix ADC or Citrix Gateway (formerly Netscaler) and want to back up the configuration of the machine? This is usually relatively easy. All you have to do is call up the configuration website.

Here only the configuration files and some files that change frequently are backed up.
An overview of the files can be found here -de/citrix-application-delivery-management-software/13/networks/instance-management/backup-restore-netscaler-instances.html

However, there is a workaround for this problem, with which you can still get to your backup. I prefer to use this web, because I am not a big fan of WebGUIs and prefer to rely on the direct feedback of a shell.

You can use WinSCP to connect directly to the Netscaler via the SSH port and download the backups. This is how it works. First you download and install WinSCP. When you start WinSCP you will be asked for a connection, you can save it for later. It is also useful if you have multiple machines.

Check it out and try it yourself. Feel free to test it on your own and give me a feedback how it works for you. Also check out my other posts about Citrix ADC. Have fun. Feel free to share my site or post on social media. You can also follow me on Twitter @thomaspreischl

Next, compromised devices have been observed downloading an executable file from Ukraine ( [.]12/netscalerd), containing an ELF:BitCoinMiner Malware, triggering the cryptocurrency mining and command and control beaconing alerts.

The Darktrace Threat Research team investigated network artifacts related to Qilin and identified three probable cases of the ransomware across the Darktrace customer base between June 2022 and May 2024.

Qilin operates as a Ransomware-as-a-Service (RaaS) that employs double extortion tactics, whereby harvested data is exfiltrated and threatened with publication on the group's DLS, which is hosted on Tor. Qilin ransomware has samples written in both the Golang and Rust programming languages, making it compilable with various operating systems, and is highly customizable. When building Qilin ransomware variants to be used on their target(s), affiliates can configure settings such as the encryption mode (i.e., skip-step, percent, and speed), the file extension being appended, files, extensions and directories to be skipped during the encryption, and the processes and services to be terminated, among others [1] [2].
