  • Isha Khurana
    Digital transformation and cloud application adoption are top business imperatives, and the need to connect a growing number of apps and digital experiences is only increasing. APIs give developers easy access to apps and the ability to combine digital assets in different systems, even if those systems were never intended to interoperate.
    APIs can automate the transfer of data between different apps and systems, ensuring greater efficiency, improved reliability, and faster rollouts for innovative solutions. According to the State of API Integration Report*, 83 percent of IT specialists, whether focused on the frontend or backend, consider API integration vital for their business. This has put DevOps front and center in digital business strategy as companies seek simple, streamlined ways to develop, deploy, change, and manage apps.
    Traditional automation methods like custom scripting, direct integrations, and web services introduce more complexity, and IT teams largely rely on REST APIs to facilitate their automation journey. As a result, Bain & Company estimates, the number of companies scaling their automation will double by 2023**.
    Security is the top priority for most organizations, and there’s increased demand for secure integrations with other APIs and systems. Organizations want and need products that can ensure a frictionless API integration experience. NetScaler App Delivery and Security Service provides a simple and rich app-centric configuration model for seamless app delivery, augmented with sophisticated analytics, rich security, and self-healing capabilities.
    NetScaler App Delivery and Security Service's APIs are designed using an “outside-in” approach, simplifying the user and developer experience. From APIs, API documentation, API developer portals, and API artifacts, NetScaler App Delivery and Security Service provides simple and intuitive APIs that offer a self-service developer portal, complete documentation, a great onboarding experience, consistent and useful error messaging, code samples, Postman scripts, and a free developer tier.
    NetScaler App Delivery and Security Service's REST APIs let you build and tailor solutions to suit your business or functional intent. This is essential in enabling integration between discrete microservices APIs. NetScaler App Delivery and Security Service APIs are well documented on NetScaler's Developer Portal using the OpenAPI standard (formerly known as Swagger) to show parameters, enable live calls, and provide the specification itself for download by developers.
    DevOps teams use a variety of tools to automate APIs and set up new environments, which allows them to treat infrastructure as code. As APIs are becoming an essential component of software development, it’s necessary for developers and programmers to manage every stage of the API lifecycle. Let’s look at how the NetScaler App Delivery and Security Service does it.
    Postman Integration
    NetScaler App Delivery and Security Service integrates with Postman so that you can incorporate automated testing into your CI/CD pipeline, simplify each step of building an API, and streamline collaboration to create better APIs faster. Key benefits of NetScaler App Delivery and Security Service APIs and Postman integration include:
    API-First Development: Release reliable services to build your API before deploying code.
    Application Development: To eliminate dependencies and reduce time to production by having front-end and back-end teams work in parallel.
    Automated Testing: To automate manual tests and integrate them into your CI/CD pipeline to ensure that any code changes will not break the API in production.
    Exploratory Testing: To explore the API's output data in accordance with variable inputs.
    Developer Onboarding: To quickly get consumers up to speed on what your API can do and how it works.
    Developer Portals: To enable internal and external consumers to consume APIs for app delivery and security.
    Figure: Delivering an app through Postman
    Terraform Integration for Automating Intent
    To enable DevOps to implement business intent, NetScaler Application Delivery and Security Service lets DevOps teams use Terraform for automation with infrastructure as code. These APIs can be leveraged to build powerful Terraform scripts that will translate business intent into human-readable, declarative configuration files. Once you trigger these Terraform configuration files, all the Terraform resources (or Nitro API calls of NetScaler Application Delivery and Security Service) help you provision and integrate NetScaler ADC into your app delivery lifecycle, eliminating human errors.
    NetScaler Application Delivery and Security Service is useful in scenarios where admins want a SaaS solution that helps them manage, monitor, analyze, and troubleshoot their global hybrid multi-cloud application delivery infrastructure from a single touchpoint. The key benefits of NetScaler Application Delivery and Security Service APIs are:
    Enabling Operational Efficiency: NetScaler Application Delivery and Security Service helps and enables operational efficiency by providing an exceptionally reliable, available workflow execution engine that scales to meet your needs.
    Enabling DevOps Automation: Customers expect their CloudOps and DevOps teams to be able to leverage automation. NetScaler Application Delivery and Security Service APIs reduce operational overhead and free up IT and DevOps staff to focus on work that adds business value by moving the cloud management tasks to be run automatically.
    No Upfront Investment: Organizations can innovate without making large upfront investment in equipment and can control and power systems down to reduce costs as needed.
    Unlock New Use Cases: It opens the door to innovation, making it possible to unlock use cases that enable access to new customers and seamless integrations with third-party applications.
    Increase Customer Retention and Experience (CX): Today’s users demand the ability to stitch together apps and features from different vendors. Products that integrate are more valuable to customers and get more use.
    Faster Time to Market: It gives you flexibility to build the frontend independent of the backend and reuse the components by focusing on core business capabilities and not the long tail.
    To get started with NetScaler Application Delivery and Security Service and your intent-based app delivery journey, go to your account today and access the App Delivery and Security tile for your 60-day free trial.
    Sources
    * 83 percent of IT specialists (frontend and backend developers), consider API integration vital for their business, per the State of API Integration Report.
    ** Bain & Company estimates number of companies scaling their automation will double by 2023.

    Akhil Nair
    Key Use Cases:
           
     
     
    Unified Application Security - A new config workflow that consolidates all WAF and Bot capabilities into a single pane of glass while abstracting the need to learn about how security works. End users will have access to templates such as OWASP Top-10 checks and CVE related checks. It is available in ADM Service and available in ADM on-prem starting from version 14.1 12.x Builds.
      WAF Recommendation Scanner on ADM on-prem - Available as part of the Unified Application Security workflow, users can now scan their external/internal web apps and the scanner will automatically suggest WAF checks based on the Web App’s underlying technology. Available in ADM on-prem starting from version 14.1 12.x Builds.
      API Security: API aware NetScaler as proxy - API Spec files can now be uploaded on ADCs directly to validate every endpoint and ensure that it conforms to the schema. Additionally, you can apply WAF or AAA policies and use PI expressions to apply security, authenticate endpoints or route API traffic
    Other use cases:
    Protect internal apps accessed via Gateway (SPA/Storefront) from malicious attacks - You can now protect all your applications that are behind the VPN virtual server by binding the Web App Firewall policy to the VPN virtual server.
    For example - 
    A company hosts three critical applications (SAP, Workday, and Tally) behind a VPN virtual server. 
    Create multiple profiles based on the required application. Configure the profile with the necessary security checks based on the application’s need.
    Add the app firewall policies that are applicable for each application and associate the policy with the profile.
    add appfw policy sap_policy HTTP.REQ.URL.CONTAINS("sap.com") pr-basic1
    add appfw policy workday_policy HTTP.REQ.URL.CONTAINS("workday.com") pr-basic2
    add appfw policy tally_policy HTTP.REQ.URL.CONTAINS("tally.com") pr-basic3
    Bind the created policy to VPN vserver
    Bot related expressions - You can now use bot related expressions in your policies for routing or taking a certain action on your traffic.
    For example - 
    HTTP.REQ.BOT.IS_SUSPECTED - Returns true if the client is suspected as a BOT.
    HTTP.REQ.BOT.TYPE.EQ(<bot type>) - Returns true if the client BOT type is the same as the argument. Possible values of BOT types: GOOD, BAD, and UNKNOWN.
    Security violations display OWASP tags - In the NetScaler Console GUI, the security violations now display OWASP tags. It supports the OWASP 2017 and OWASP 2021 lists and these tags help you determine whether the violation belongs to the OWASP top 10 list.
    Create or Update API definitions from discovered API endpoints - NetScaler admins can create or update an existing API Definition from the discovered API endpoints. This removes the need for admins to wait for API Schema file from the app owners/developers
    Proxy auth support for signatures and IP Reputation - In cases where NetScaler cannot connect to the internet directly or if the customer needs an added layer of security, one can configure a proxy server for retrieving latest WAF and Bot signatures and IP Reputation feeds.
    Custom keyword support for JSON payload - SQL injection and command injection have a predefined set of keywords or patterns that they look for in the incoming requests. However, if the end user wants to add additional keywords to reduce false positives, they can leverage this feature to add custom keywords of their choice.
    CLI/API support to enable WAF signatures - You can now enable individual signatures in your NetScaler Web App Firewall through CLI commands or API calls.
    For example:
    import appfw signature DEFAULT object_name -sigRuleId 1001 9882 2000 1250 810 -Enabled ON -Action LOG BLOCK
    import appfw signature DEFAULT object_name -sigCategory web-misc -Enabled ON -Action LOG BLOCK
    Configurable payload size for inspection - Post Body Limit (Bytes) - Limits the request payload (in bytes) inspected by Web Application Firewall. 
    Default value: 20000000
    Minimum value: 0
    Maximum value: 10 GB

    Guest
    NetScaler WAF Signatures Update v122
     NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate several CVEs with variable CVSS.
    CVE-2023-50968: This vulnerability is an arbitrary file properties reading flaw in Apache Software Foundation Apache OFBiz. When a user operates a URI call without authorizations, the same URI can be operated to realize a server-side request forgery (SSRF) attack also without authorizations. The vulnerability has been fixed in version 18.12.11, and users are recommended to upgrade to this version.
    CVE-2023-51467: This vulnerability is an authentication bypass flaw in Apache OFBiz. A threat actor sends an HTTP request to exploit a flaw in the checkLogin function. When null or invalid username and password parameters are supplied and the requirePasswordChange parameter is set to Y in the URI, the checkLogin function fails to validate the credentials, leading to authentication bypass. The vulnerability has been patched in Apache OFBiz product version 18.12.11 or above.
    It is important to protect against these vulnerabilities as they can lead to unauthorized access to the system, compromising confidential information and disrupting vital services. The exploit might also create opportunities for supply chain attacks. Therefore, it is recommended that users upgrade to the latest version of Apache OFBiz (version 18.12.11 or above) to mitigate these vulnerabilities.
    Signatures included in v122:
    Rule | CVE ID | Description
    998554 | CVE-2023-51467 | WEB-MISC Apache Ofbiz Multiple Versions - Server-Side Request Forgery Vulnerability (CVE-2023-51467)
    998555 | CVE-2023-50968 | WEB-MISC Apache Ofbiz Multiple Versions - Server-Side Request Forgery Vulnerability (CVE-2023-50968)
    998557 | CVE-2023-48777 | WEB-WORDPRESS Elementor Plugin Prior to 3.18.1 - File Upload/Remote Code Execution Vulnerability Via ID (CVE-2023-48777)
    998560 | CVE-2023-49105 | WEB-MISC ownCloud Prior to 10.13.1 - Access Control Bypass Vulnerability (CVE-2023-4105)
    999415 | CVE-2020-9446 | WEB-MISC Apache OFBiz 17.12.03 - XML-RPC Unsafe Deserialization Vulnerability (CVE-2020-9446)
    999416 | CVE-2020-9446 | WEB-MISC Apache OFBiz 17.12.03 - XML-RPC Cross-Site Scripting Vulnerability (CVE-2020-9446)
     NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software version 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.
     If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 122 or later and then follow these steps.
    Search your signatures for <number>
    Select the results with ID
    Choose “Enable Rules” and click OK
    NetScaler WAF Best Practices
    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.
     Handling false positives
    If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.
     
    Modifications to NetScaler Web App Firewall Policy:
    add policy patset exception_list
    # (Example: bind policy patset exception_list "/exception_url")
    Prepend the existing WAF policy with:
    HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
    # (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)
    NOTE: Any endpoint covered by the exception_list may expose those assets to risks 
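    To see how much an exception_list actually exempts before binding it, the following added example (not part of the original post or of NetScaler tooling) reports, per patset entry, which application URLs the prepended clause would take out of WAF inspection. The function names, file names and sample URLs are assumptions, and CONTAINS_ANY is modelled as a case-sensitive literal substring test.

```shell
#!/bin/sh
# Models HTTP.REQ.URL.CONTAINS_ANY("exception_list") as a case-sensitive literal
# substring test against each patset entry (assumption of this example).

# write_sample DIR
# Writes constructed sample data: patset entries and an inventory of URLs the
# application serves. Neither list comes from a real deployment.
write_sample() {
    printf '%s\n' /exception_url /api /healthz/ready > "$1/patterns.txt"
    printf '%s\n' /exception_url /reports/exception_url_export \
        /api/v1/login /api/v1/admin/users /healthz/ready /checkout > "$1/urls.txt"
}

# exception_coverage PATTERNS URLS
# Prints one line per pattern: <pattern> TAB <match count> TAB <matched URLs>.
# A count of 0 marks a stale entry; a count above 1 marks an entry that exempts
# more than the single endpoint it was probably written for.
exception_coverage() {
    awk -v pfile="$1" '
        BEGIN {
            # Load the patset entries, skipping blank lines.
            while ((getline line < pfile) > 0)
                if (line != "") pat[++n] = line
        }
        {
            # index() is a literal substring search, no regex metacharacters.
            for (i = 1; i <= n; i++)
                if (index($0, pat[i]) > 0) {
                    hits[i]++
                    list[i] = list[i] " " $0
                }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s\t%d\t%s\n", pat[i], hits[i] + 0, substr(list[i], 2)
        }
    ' "$2"
}

# broad_exceptions PATTERNS URLS
# Prints only the patterns that exempt more than one URL from inspection.
broad_exceptions() {
    exception_coverage "$1" "$2" | awk -F '\t' '$2 > 1 { print $1 }'
}

# Demo on the constructed sample data.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
exception_coverage "$demo_dir/patterns.txt" "$demo_dir/urls.txt"
echo "Entries that exempt more than one URL:"
broad_exceptions "$demo_dir/patterns.txt" "$demo_dir/urls.txt"
rm -rf "$demo_dir"
```

    Feed it the URL inventory from an API definition or access log; entries reported as broad are candidates for a longer, more specific pattern.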
    Additional Information
    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.
    Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.
    Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF. 
     
     
     
     
     

    Chris Chau
    Join our upcoming webinar to explore the intricate landscape of cloud deployments, encompassing dependencies like security groups, IAM roles, and much more at the cloud environment level. For customers transitioning from on-premises to the cloud, replicating the NetScaler deployments could be daunting. However, our NetScaler Cloud Sanity Checker tool guarantees deployment accuracy in every aspect and provides actionable insights for error scenarios.
     
    In this live demo, NetScaler experts will cover:
    Overview of NetScaler Public Cloud
    Common challenges with cloud deployments
    How NetScaler Cloud Sanity Checker Tool works
    Detailed information can be found at the following eDocs link:
    NetScaler Hybrid Multicloud Deployment: https://docs.netscaler.com/en-us/netscaler-console-service/hybrid-multi-cloud-deployments
    For the latest NetScaler technical information, please visit and register with our NetScaler Community: https://community.netscaler.com
     

     

    Chris Chau
    Join us for a live demonstration session where we will dive into the art of tuning the NetScaler VPX running on ESX for the best performance. Get ready to explore the keys to achieve top-tier efficiency in this interactive, hands-on session.
     
    In this live demo, we will:
    Uncover the techniques and best practices to supercharge your application delivery and network performance
    Detailed information can be found at the following eDocs link:
    Optimize the NetScaler VPX Performance: https://docs.netscaler.com/en-us/citrix-adc/current-release/deploying-vpx/vpx-performance-on-esx-kvm-xen.html
    For the latest NetScaler technical information, please register with and visit our NetScaler Community: https://community.netscaler.com
     

     

    Chris Chau
    When NetScaler is deployed as a proxy for application deployments, NetScaler inspects each user request or response for global routing and local data center routing. With the thousands of logs and counters provided by NetScaler you can have granular information about HTTP, TCP, SSL, and DNS packets. You can leverage such rich data and insights from NetScaler to troubleshoot and pinpoint issues. You can export the data from NetScaler to your preferred observability endpoints to create visualizations and get real-time, granular application insights.
     
    NetScaler Intelligent Traffic Management (ITM) provides a revolutionary approach to Global Traffic Management/Global Server Load Balancing (GTM/GSLB). The mission of NetScaler ITM is to enable next-generation cloud strategies based on real-time Internet data feeds. The platform provides a highly robust means to ingest real-time data from various Internet sources and provides a DNS-based approach to Load-balancing. ITM uses DNS CNAME or records where its DNS responses can be altered in real-time based on the required business logic.
     
    In this demo, we will cover:
    Internet health monitoring: Internet visibility using NetScaler ITM
    Infrastructure health monitoring: exporting NetScaler logs and events to Splunk
    Detailed information can be found at the following eDocs links:
    NetScaler Intelligent Traffic Management (ITM): https://docs.netscaler.com/en-us/citrix-intelligent-traffic-management/openmix
    NetScaler Observability: https://docs.netscaler.com/en-us/citrix-adc/current-release/observability.html
    For the latest NetScaler technical information, please register with and visit our NetScaler Community: https://community.netscaler.com
     

     

    Uttam Somani
    Authors: Uttam Somani, Bibek Ranjan Sahu
     
    In today’s digital world, where online privacy and security are paramount, the need for robust security tools and systems has become increasingly obvious. The Domain Name System (DNS) is one of the most critical parts of internet communication: it translates human-readable domain names into machine-readable IP addresses. The traditional DNS protocol operates over plain text, leaving it vulnerable to interception and potential manipulation by malicious entities. DNS over TLS (DoT) has emerged as one of the most important solutions to reinforce the security and privacy of DNS queries and responses.
     DNS over TLS (DoT) is a network security protocol that enhances the privacy and integrity of Domain Name System (DNS) queries by encrypting the communication between DNS clients and servers. By aligning with the DNS PRIVate Exchange (DPRIVE) RFC 7858 standards and specifications, NetScaler ensures that its DoT implementation meets the industry-recognized privacy and security standards. The traditional DNS resolution process makes it susceptible to eavesdropping and potential data manipulation. DoT addresses these security concerns and more by adding a layer of encryption to the DNS communication. Here’s how:
    Encryption of DNS Queries: DoT encrypts the entire communication channel between clients and DNS resolvers for heightened privacy.
    TLS Protocol: Utilizes Transport Layer Security (TLS) to secure connections, similar to HTTPS, preventing unauthorized access and man-in-the-middle attacks.
    Improved Privacy: Shields DNS queries from network surveillance, enhancing user privacy, especially on untrusted networks.
    Mitigation of DNS Spoofing: Encrypting DNS transactions in DNS over TLS helps mitigate DNS spoofing and tampering risks, ensuring authentic responses.
    NetScaler supports DoT in both authoritative DNS (ADNS) and DNS proxy modes. The new DoT service type decrypts encrypted DNS requests, validates packet formats, and ensures secure client responses. This advancement underscores NetScaler's commitment to fortifying DNS communication channels with encryption protocols.

    Configuration of DoT in proxy mode
    You can set up an LB Vserver and backend service of type DoT. NetScaler initiates TLS handshakes with the client and server to establish a secure TLS connection. Subsequently, clients transmit encrypted DNS queries to NetScaler, which decrypts them, applies any configured DNS or SSL policies on the virtual server, re-encrypts the request, and forwards it to the backend server. The server responds with an encrypted DNS reply, which NetScaler decrypts, applies configured policies if present, re-encrypts the response, and sends it back to the client. It is essential to bind the SSL server certificate to enable the LB virtual server of DoT type.
    Flexible Security Configurations: Mixed Mode Support in NetScaler's Proxy Mode
    NetScaler introduces mixed mode support, allowing the configuration of (DoT + DNS_TCP) or (DNS_TCP + DoT) for both frontend and backend service types. This flexibility empowers users to secure the frontend listening channel while trusting the backend, or vice versa, adapting to specific security requirements.
     
    DNS Secure Caching
    If a record is requested via a secure channel (either the Vserver or the service is of type DoT), NetScaler caches the record as a secure record; otherwise, it caches it as an insecure record. If a later request for that record arrives through a secure channel and the secure record is in the cache, NetScaler serves it immediately. If the request arrives through a secure channel and NetScaler does not have the secure record in memory (cache), it does not serve the record from the cache. Instead, NetScaler contacts the source (backend server) directly, reads the most recent data, and returns the secure record while updating the cache with it as a secure record. If the Vserver or service isn’t of type DoT, it continues to work with the unsecured cache.

     

     
    Configuring DoT in ADNS mode:
    The ADNS_DOT service type can be configured for the ADNS service on NetScaler, where it works as a listening service that accepts encrypted DNS queries from clients. If a corresponding record for the domain is available on the NetScaler, it responds with encrypted information; otherwise, it sends an empty response. You have the flexibility to set up records directly on the NetScaler. To make this listening entity operational, binding an SSL certificate is crucial, ensuring secure communication in every interaction. This encrypted communication adds additional security to DNS transactions.
    For more information, please visit NetScaler docs
    Conclusion
    Securing DNS queries is crucial for safeguarding online privacy and enhancing overall security. Implementing DNS over TLS (DoT) is a highly effective measure to encrypt these queries, thereby reducing the vulnerabilities associated with data interception and DNS attacks. NetScaler has already incorporated this technology to enhance online security, introducing additional security features aimed at fortifying protection for online users. These enhancements are designed to defend against emerging threats that could jeopardize the security and privacy of your business. Furthermore, we have introduced the Automated Signature Roll-over feature in DNSSEC. For more details on this topic, refer to this article.

    Nagaraj Harikar
    Authors: Nagaraj Harikar, Dinesh Bansal

    In the realm of the internet infrastructure, DNSSEC (Domain Name System Security Extensions) plays a crucial role in safeguarding domain names and the associated data they point to. It employs cryptographic signatures to verify the authenticity and integrity of DNS records, preventing unauthorized modifications and protecting against DNS spoofing attacks. However, maintaining the effectiveness of DNSSEC requires regular key rollovers to ensure the continued validity of these signatures.
    Traditional key rollovers, often performed manually, can be a time-consuming and error-prone process. Automated DNSSEC signature rollover has emerged as a powerful and efficient solution to streamline this essential task.
    Understanding DNSSEC Key Rollover
    DNSSEC keys are employed to generate digital signatures that authenticate DNS records. These keys have a defined lifespan, and their timely renewal is essential for maintaining the integrity of DNSSEC protection. Key rollovers involve replacing the existing keys with new ones, ensuring that the cryptographic signatures remain valid and effective.
    Manual vs. Automated Key Rollover
    Manual key rollovers, while effective, can be cumbersome and prone to human error. As shown in the steps below, the process involves generating new keys, updating the DNS zone, and propagating the changes across the DNS hierarchy. This manual intervention can be time-consuming and increases the risk of errors, potentially leading to disruptions in DNS resolution.

    Figure 1: DNSSEC Key rollover steps
     
    Steps involved in creating a new key:
    The first step involves creating a new cryptographic key on NetScaler. This key can be either a Zone Signing Key (ZSK) or a Key Signing Key (KSK) (create DNS key).
    In the second step, the newly created key is published. However, it cannot be used to sign any records (add DNS key).
    The published key is now active for use and is added to the zone to sign the zone (sign DNS zone).
    In the final step, the old key is deactivated and no longer used to sign any records (unsign DNS zone).
    Once the new signatures have been propagated and the old signatures are no longer needed, the old key is removed (remove DNS key).
    The entire process from step A to step D needs to be repeated in order to create a new ZSK or KSK.
    In the automated key rollover process, the steps from A to D are automated using the DNSSEC key rollover feature on NetScaler, which simplifies the key management and rollover tasks. For more information, refer to the Zone Maintenance documentation.
    Automatic Distribution of DNSSEC Keys in GSLB Deployments
    Earlier, if a global server load balancing (GSLB) domain was signed by a DNSSEC key that required a rollover, you had to create the keys on one of the GSLB site nodes and manually transfer these to other GSLB sites using scp or some other tool before they could be used. Now, this entire process can be automated by enabling the DNS zone transfer parameter and ensuring the AutomaticConfigSync option is enabled. For more information, refer to the Zone Maintenance for GSLB deployments.
    Benefits of Automated DNSSEC Signature Rollover
    Automated DNSSEC signature rollover offers several compelling advantages:
    Reduced Operational Overhead: Automation eliminates the need for manual intervention, freeing up IT staff to focus on other critical tasks.
    Enhanced Security: NetScaler can perform rollovers more consistently and accurately, minimizing the risk of human error and any potential security vulnerabilities.
    Improved Efficiency: Automation streamlines the rollover process, reducing the time and resources required to maintain DNSSEC protection.
    Reduced Disruptions: NetScaler can perform rollovers without disrupting DNS resolution, ensuring consistent service availability.
    Implementing Automated DNSSEC Signature Rollover
     As mentioned above, there are two types of keys used by DNSSEC: Zone Signing Key (ZSK) and Key Signing Key (KSK). ZSK-type key is used to sign DNS resource records of various types such as A, AAAA, NS, SOA, etc. KSK-type key is used to sign DNSKEY records. Usually, the KSK-type key is created with a stronger algorithm and a bigger key size. 

    Figure 2: Automatic DNSSEC key rollover with NetScaler
     
    In the following example, we use the ‘create DNS key’ command to generate a DNSSEC key (example.ksk) of type KSK in zone example.com with key size 1024 using algorithm RSASHA256. Then we publish this key in the zone using the ‘add DNS key’ command with auto-rollover enabled. The key has an expiry period of ten days and needs to roll over five days before the expiry, as determined by the notification period. Then we use the ‘sign DNS zone’ command to sign the records under the DNS zone ‘example.com’ with this key. All these steps will be performed automatically at the time of rollover of the successor key since auto-rollover is enabled on the key. This process with a rollover period R is shown in Figure 2 above.
      
    Figure 3: Example of configuring auto-rollover of DNSSEC key
     Conclusion
    The Automated DNSSEC Signature Rollover feature will be critical for maintaining the effectiveness of DNSSEC protection. By streamlining the key rollover process, it reduces administrative burden, enhances security, and ensures the integrity of DNS records. As the demand for secure and reliable DNS services grows, automated DNSSEC signature rollover will play an increasingly important role in safeguarding the internet infrastructure.
    NetScaler also supports DNS over TLS, which encrypts DNS queries, enhancing privacy and security by safeguarding against potential eavesdropping and manipulation of domain name resolution, ensuring a safer online experience.
     

    Ravi Shekhar
    NetScaler VPX's storage allocation is pivotal and contingent upon your sizing estimations. By default, it offers a standard storage capacity of 20GB.

    If your data storage needs surpass this limit, attaching an additional disk becomes essential. This extra disk typically defaults to the /var/crash path, intended for storing heavy core-dumps and crash files.
    Yet, various folders within /var, such as nsinstall, nstrace, log etc., often contribute to space consumption, potentially impacting storage availability.
    In this article, we show a simple yet effective way to optimize storage by using the additional disk for any folder that may consume excessive space.

    Key Considerations:
    Evaluate and estimate storage needs before attaching an extra disk.
    For NetScaler VPX deployments, we recommend using solid-state drive (SSD) technology.
    Step by Step Guide
    This example provides detailed instructions for mapping the /var/log folder to the additional disk on a NetScaler VPX instance running on an ESXi hypervisor.
    Step 1 - Shut down the NetScaler VPX virtual machine (if running) from the hypervisor management console

    Step 2 - Add a new virtual hard disk


    Step 3 - Power on the virtual machine

    Step 4 - The new virtual disk will be mounted at /var/crash after NetScaler VPX  boots up. 
    Please note that the mounted partition will be slightly smaller than the actual virtual disk size



    Step 5 - Create a new directory within /var/crash that will later replace the existing directory from your NetScaler VPX



    Step 6 - To use the new disk for storing all log files, create the log directory inside /var/crash

    Step 7 - Copy/move all files recursively from the old directory (/var/log/) to new directory (/var/crash/log/)

    Step 8 - Once the file operation has completed, delete the old directory (e.g., /var/log/) and create a symlink in its place pointing to the new directory (/var/crash/log/)



    Step 9 - Now the NetScaler ADC VPX will use the newly added disk for all files stored inside this directory

    In a similar way, multiple directories can be created inside /var/crash following the same method each mapped to a different directory path on the system (/root, /var/core, etc.)
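
    Steps 5 to 8 as one shell function, added here as an illustration and not taken from the original article or from NetScaler documentation; the name relocate_dir and the sandbox paths in the demo are assumptions. It adds checks the steps do not mention: absolute paths, no pre-existing target, and an entry-count comparison before the old directory is deleted.

```shell
#!/bin/sh
# relocate_dir SRC DST
# Copies SRC to DST, verifies the copy, then replaces SRC with a symlink to DST.
# relocate_dir is a hypothetical helper name, not a NetScaler command.
relocate_dir() {
    src=${1%/}
    dst=${2%/}

    # A relative symlink target would resolve against the link's own directory.
    case $src in /*) ;; *) echo "relocate_dir: SRC must be an absolute path" >&2; return 1 ;; esac
    case $dst in /*) ;; *) echo "relocate_dir: DST must be an absolute path" >&2; return 1 ;; esac

    # Refuse a second run: after the first one SRC is already a symlink.
    if [ -L "$src" ] || [ ! -d "$src" ]; then
        echo "relocate_dir: $src is not a real directory" >&2
        return 1
    fi
    # The mount point of the added disk (parent of DST) must already exist.
    if [ ! -d "$(dirname "$dst")" ]; then
        echo "relocate_dir: parent of $dst does not exist" >&2
        return 1
    fi
    # Never merge into an existing target: stale files would defeat the check below.
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        echo "relocate_dir: $dst already exists" >&2
        return 1
    fi

    mkdir "$dst" || return 1                 # Steps 5 and 6: new directory on the added disk
    cp -Rp "$src"/. "$dst"/ || return 1      # Step 7: recursive copy, keeping mode and timestamps

    # Delete the original only if both trees hold the same number of entries.
    n_src=$(cd "$src" && find . | wc -l | tr -d ' ')
    n_dst=$(cd "$dst" && find . | wc -l | tr -d ' ')
    if [ "$n_src" != "$n_dst" ]; then
        echo "relocate_dir: copy incomplete ($n_src vs $n_dst entries), $src left untouched" >&2
        return 1
    fi

    rm -rf "$src" || return 1                # Step 8: remove the old directory...
    ln -s "$dst" "$src"                      # ...and put a symlink in its place
}

# Demo in a throwaway sandbox (constructed paths that mirror /var/log and /var/crash).
sandbox=$(mktemp -d)
mkdir -p "$sandbox/var/log" "$sandbox/var/crash"
echo "constructed log line" > "$sandbox/var/log/ns.log"
relocate_dir "$sandbox/var/log" "$sandbox/var/crash/log" && ls -l "$sandbox/var"
rm -rf "$sandbox"
```

    On the appliance the equivalent call from the shell would be relocate_dir /var/log /var/crash/log. Processes that already hold files open in the old directory keep writing to the deleted files until they are restarted.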
