Suman Rajaraman
    NetScaler 12.1 (formerly Citrix ADC) has been certified for use on the Department of Defense Information Network
    Author: Pooja Bagga, Suman Rajaraman
NetScaler (formerly Citrix ADC) is proud to announce that its product MPX 8900-FIPS 12.1 Platinum Edition has achieved the stringent certification of the Department of Defense Information Network Approved Products List (DoDIN APL) and is now listed among the DoD's approved products.
The DoDIN APL helps ensure that Department of Defense organizations and their agencies use secure products that have been tested and certified for deployment in the DoD's technology infrastructure, and helps protect their information systems through increased cyber security. NetScaler helps protect against unauthorized access to data, reduces data breaches, and ensures that products can communicate within the DoD infrastructure with improved interoperability.
NetScaler MPX 8900-FIPS 12.1 Platinum Edition has been successfully tested and certified to meet all of the above criteria for the DoD, including multi-factor authentication with RADIUS and LDAP.
    This certification serves as a major milestone for NetScaler (a Business unit of Cloud Software Group). The certification demonstrates NetScaler’s commitment to providing secure and interoperable products to DoDIN organizations. 
Cybersecurity is a complex and ever-evolving issue, and therefore a critical imperative for DoDIN-approved products. US government agencies continue to take steps to improve their cybersecurity.
NetScaler helps with cybersecurity and interoperability in a number of ways. To name a few features: web application firewall, API security, bot management, surge protection, SSL offloading, DDoS protection, and content filtering.
By using these features, DoDIN organizations can further protect their mission-critical applications from attacks and improve the performance and availability of those applications.
     
Learn more about the DoD Information Network Approved Products List and find the NetScaler (formerly Citrix ADC) certified listing on the DoDIN website by using the keyword search with "netscaler".


    Learn more about NetScaler MPX 8900-FIPS
     
    If you've any feedback please drop a note in the comments section below.

    Ricardo José Garrido Reichelt
When publishing internal virtualized resources, it is common to use NetScaler as load balancer and security element (EPA, WAF, BOT, IP Reputation) to protect access to the virtualized company resources (Apps & Desktops; CVAD).
     
At some stage the organization might have the additional need to publish internal web applications to its business users. To do so via NetScaler, certain settings must be changed so that NetScaler, and not StoreFront, publishes the content to the user.
     
The settings that need to be changed for this purpose are:
CVPN turned to ON
ICA Proxy turned to OFF

CVPN setting change

     
     
    ICA Proxy setting change

     
    Expected Outcome:
     
Virtualized Apps & Desktops and also the published bookmarks are shown. In this example, SharePoint Web is the shared web resource.
     

     
In the case of a setup with a single StoreFront server, whose FQDN is used in the "Web Interface Address" configuration, we will experience no problem and the expected outcome above will be shown.
     
Yet with the following common setup for a CVAD & NetScaler infrastructure, we will run into a problem where the virtualized applications and desktops are not displayed by NetScaler.
     
     
The setup where this situation reproduces is the following:
A DNS record for the StoreFront FQDN is set in the DNS Records section of NetScaler. This DNS record is the one used in the session policy of the NetScaler Gateway, in the "Web Interface Address" under Published Applications in the Session Profile.
This DNS record points to our Load Balancing virtual server.
The Load Balancing virtual server was configured with a public IP, even though it is not publicly reachable and is only reached by the Gateway virtual server.
The Load Balancing virtual server points to our StoreFront farm (A/P or Cluster).
When configured with CVPN turned to ON and ICA Proxy turned to OFF, the virtualized elements are not shown as expected.
     
Here is an example of the problem, where NetScaler is the publishing part and the virtualized elements are missing; only the bookmarked elements are shown:
     

     
The described problem has to do with the Single Sign-On policy. The IP of the Load Balancing VIP is resolved and considered a public IP (remember the configuration); consequently Single Sign-On is turned off. SSO therefore needs to be pushed by a traffic policy.
     
    This behavior has been put in place for security reasons in previous NetScaler versions.
     
    To fix this situation, it is required to create a traffic policy which is bound to the Gateway VIP as described in the following documentation reference:
     
    https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm/single-sign-on-types/enable-sso-for-auth-pol.html
     
The same can be accomplished by making the required changes via the NetScaler user interface.
     

     
After the changes we should see the expected behavior, where the following are published:

Virtualized Desktops
Virtualized Apps
Published Applications by NetScaler (Bookmark section of the Gateway appliance, in this example SharePoint Web)
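The configuration this post describes, written out as NetScaler CLI commands. This is an added example and not the author's configuration: the Gateway virtual server name gw_vs, the StoreFront FQDN storefront.example.com (the name that resolves to the load balancing VIP) and the policy names are placeholders; the parameters are the standard vpn sessionAction and vpn trafficAction options.

```netscaler
# Session profile for the Gateway: clientless VPN on, ICA proxy off, and the
# StoreFront store reached through the FQDN that resolves to the LB vserver.
# Placeholder names: gw_vs, storefront.example.com, prof_cvpn_sf, pol_cvpn_sf.
add vpn sessionAction prof_cvpn_sf -clientlessVpnMode ON -icaProxy OFF -wihome "https://storefront.example.com/Citrix/StoreWeb" -defaultAuthorizationAction ALLOW
add vpn sessionPolicy pol_cvpn_sf true prof_cvpn_sf
bind vpn vserver gw_vs -policy pol_cvpn_sf -priority 100

# Because the LB VIP is a public address, the Gateway disables SSO for it.
# A traffic action with SSO ON, delivered by a traffic policy bound to the
# Gateway vserver, turns it back on so StoreFront receives the user's
# credentials and enumerates the apps and desktops again.
add vpn trafficAction act_sso_sf http -SSO ON
add vpn trafficPolicy pol_sso_sf true act_sso_sf
bind vpn vserver gw_vs -policy pol_sso_sf -priority 100

# Verify both policies are bound to the Gateway vserver
show vpn vserver gw_vs
```

The rule `true` applies SSO to every HTTP request the Gateway proxies, which means credentials are also forwarded to every bookmarked web resource. Once it works, narrow the traffic policy rule to the StoreFront traffic so the Gateway does not replay the user's password to other internal sites.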
     

    NetScaler Cyber Threat Intelligence
    NetScaler WAF Signatures Update v112
NetScaler has new signatures available for its integrated Web App Firewall to help customers mitigate several CVEs, two of which are rated 9.8 (Critical) on CVSS v3: CVE-2023-29357, a Microsoft SharePoint Server elevation of privilege vulnerability, and CVE-2023-32563 in Ivanti Avalanche.
    CVE-2023-29357 is an elevation of privilege vulnerability in Microsoft SharePoint Server. This vulnerability allows authenticated attackers to escalate their privileges by exploiting certain misconfigurations in the affected Microsoft SharePoint Server versions. Microsoft has released a security update that resolves this vulnerability, along with other vulnerabilities such as a denial of service vulnerability and a spoofing vulnerability. The security update is available for SharePoint Server 2019 Language Pack and can be obtained through Microsoft Update, Microsoft Update Catalog, or Microsoft Download Center.
    Ivanti Avalanche is an enterprise mobile device management solution, and CVE-2023-32563 is a directory traversal flaw that has been identified in Ivanti Avalanche. This vulnerability could allow remote code execution and is rated as critical. Ivanti has released a security update that addresses this vulnerability, along with other vulnerabilities such as a stack-based buffer overflow vulnerability, multiple remote code execution vulnerabilities, and multiple authentication bypass vulnerabilities. The security update is available for Avalanche 6.4.1 and older versions and can be obtained through the Ivanti website.
Signatures included in v112:

Rule    CVE ID          Description
998632  CVE-2023-39526  WEB-MISC PrestaShop Prior to 8.0.5, 8.1.1 and 1.7.8.10 - Arbitrary File Write Vulnerability via OUTFILE (CVE-2023-39526)
998633  CVE-2023-39526  WEB-MISC PrestaShop Prior to 8.0.5, 8.1.1 and 1.7.8.10 - Arbitrary File Write Vulnerability via DUMPFILE (CVE-2023-39526)
998634  CVE-2023-39143  WEB-MISC PaperCut NG/MF Prior to 22.1.3 - Path Traversal Vulnerability in CustomReportExampleServlet (CVE-2023-39143)
998635  CVE-2023-37979  WEB-WORDPRESS Ninja Forms Contact Form Plugin Up to 3.6.25 - Cross-Site Scripting Vulnerability (CVE-2023-37979)
998636  CVE-2023-33652  WEB-MISC Sitecore - Remote Code Execution Vulnerability (CVE-2023-33652)
998637  CVE-2023-32563  WEB-MISC Ivanti Avalanche Prior to 6.4.1 - Arbitrary File Upload Vulnerability (CVE-2023-32563)
998638  CVE-2023-29357  WEB-MISC Microsoft SharePoint Server - Elevation of Privilege Vulnerability via access_token/proof token (CVE-2023-29357)
998639  CVE-2023-29357  WEB-MISC Microsoft SharePoint Server - Elevation of Privilege Vulnerability via Authorization Header (CVE-2023-29357)
998640  CVE-2023-22480  WEB-MISC KubeOperator Prior to 3.16.4 - Improper Authorization Vulnerability (CVE-2023-22480)
998664  CVE-2023-26360  WEB-MISC Adobe ColdFusion - Deserialization of Untrusted Data Vulnerability (CVE-2023-26359, CVE-2023-26360)
     NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software version 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.
If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 112 or later and then follow these steps:
Search your signatures for <number>
Select the results with that ID
Choose "Enable Rules" and click OK
    NetScaler WAF Best Practices
    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.
    Handling false positives
    If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.
     
Modifications to NetScaler Web App Firewall Policy:
add policy patset exception_list
# Example: bind policy patset exception_list "/exception_url"
Prepend the existing WAF policy rule with:
HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
# Example: set appfw policy my_WAF_policy -rule q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^
NOTE: Any endpoint covered by the exception_list is no longer inspected by this policy and may expose those assets to risk.
    Additional Information
    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.
    Learn more about NetScaler Web app Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.
    Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF. 
     
     

Brian Huhn
    https://www.buzzsprout.com/2215674
     

     
Business has come to rely on technology and applications for its very existence. Used correctly, the new tech provides real advantages over competitors and faster responses to market conditions, and allows organizations to streamline costs. But with business applications so pivotal, it is vital that consideration is given to how each app is delivered and secured, or face the consequences.
     
In this podcast, we look at the changes that offer so many advantages to businesses but leave them so exposed. In particular we examine:
    - How application architectures are changing and introducing complexity
    - Application cloud deployment and the pitfalls of inconsistency
    - Evolving threat landscape and how applications are the most vulnerable point in the supply chain
    - Understand how application delivery controllers help businesses to overcome these issues.

    Mayur Vadhar
NetScaler is an advanced application delivery, load balancing and security solution for your web apps. Ansible modules simplify NetScaler management, providing agility to your IT operations.
In this hands-on lab, we learn how to use Ansible to configure a load balancing service in NetScaler and expose your public web apps over the internet. The lab provisions the NetScaler, a pair of web servers and an automation controller, and then guides you through the Ansible workflow.

Click the Start hands-on Lab at the top of the post to try it out!
    Let us know your feedback or any issues in the comments section.

    Konstantinos Kaltsas
Learn how to deploy and configure a Content Switching virtual server for routing traffic to your applications. On this track we leverage infrastructure-as-code templates to demonstrate:
How to deploy a content switching virtual server to route traffic to your apps.
How to route traffic based on URL path.
How to route traffic based on HTTP header values.
Click the Start hands-on Lab at the top of the post to try it out!
    Please share your feedback or any issues in the comments section.

    Konstantinos Kaltsas
Learn how to leverage basic Rewrite / Responder policies for manipulating requests and responses. On this track we leverage infrastructure-as-code templates to demonstrate:
How to create rewrite / responder policies. What is the difference between the two?
How to bind a policy on a content switching server.
How to manipulate an incoming request based on different criteria.
How to redirect a request based on different criteria.
Click the Start hands-on Lab at the top of the post to try it out!
Please share your feedback or any issues in the comments section.
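The content switching and rewrite/responder steps from the two lab descriptions above, as one NetScaler CLI listing. This is an added example, not the labs' own templates: the virtual server names, the 203.0.113.10 VIP, the 10.0.x.x service addresses, the certkey cert_front and the header and path names are assumed. Rewrite changes a request or response and lets it continue; responder answers the client from the appliance and the request never reaches a back end.

```netscaler
# Assumed back ends: one service per pool, fronted by non-addressable LB vservers
add service svc_web1 10.0.1.11 HTTP 80
add service svc_api1 10.0.2.11 HTTP 8080
add lb vserver lb_web HTTP 0.0.0.0 0
add lb vserver lb_api HTTP 0.0.0.0 0
bind lb vserver lb_web svc_web1
bind lb vserver lb_api svc_api1

# Content switching vserver on the public VIP (cert_front is an existing certkey, assumed)
add cs vserver cs_front SSL 203.0.113.10 443
bind ssl vserver cs_front -certkeyName cert_front
# Default target when no content switching policy matches
bind cs vserver cs_front -lbvserver lb_web

# Route by URL path: everything under /api/ goes to the API pool
add cs action act_api -targetLBVserver lb_api
add cs policy pol_api -rule "HTTP.REQ.URL.PATH.STARTSWITH(\"/api/\")" -action act_api
bind cs vserver cs_front -policyName pol_api -priority 100

# Route by HTTP header value: a client that sends X-Service: api also goes to the API pool
add cs action act_api_hdr -targetLBVserver lb_api
add cs policy pol_api_hdr -rule "HTTP.REQ.HEADER(\"X-Service\").EQ(\"api\")" -action act_api_hdr
bind cs vserver cs_front -policyName pol_api_hdr -priority 110

# Rewrite on the request: tell the back end the client arrived over TLS
add rewrite action rw_act_xfp insert_http_header X-Forwarded-Proto "\"https\""
add rewrite policy rw_pol_xfp true rw_act_xfp
bind cs vserver cs_front -policyName rw_pol_xfp -priority 100 -gotoPriorityExpression NEXT -type REQUEST

# Rewrite on the response: add HSTS only when the back end did not set it
add rewrite action rw_act_hsts insert_http_header Strict-Transport-Security "\"max-age=31536000; includeSubDomains\""
add rewrite policy rw_pol_hsts "HTTP.RES.HEADER(\"Strict-Transport-Security\").EXISTS.NOT" rw_act_hsts
bind cs vserver cs_front -policyName rw_pol_hsts -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

# Responder: refuse /admin unless the client is on the internal 10.0.0.0/8 range
add responder action rs_act_403 respondwith "\"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n\""
add responder policy rs_pol_admin "HTTP.REQ.URL.PATH.STARTSWITH(\"/admin\") && !CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8)" rs_act_403
bind cs vserver cs_front -policyName rs_pol_admin -priority 100 -gotoPriorityExpression END -type REQUEST

# Responder: permanently redirect a retired path prefix to its replacement
add responder action rs_act_legacy redirect "\"https://\" + HTTP.REQ.HOSTNAME.SERVER + \"/v2\" + HTTP.REQ.URL.PATH_AND_QUERY" -responseStatusCode 301
add responder policy rs_pol_legacy "HTTP.REQ.URL.PATH.STARTSWITH(\"/legacy/\")" rs_act_legacy
bind cs vserver cs_front -policyName rs_pol_legacy -priority 110 -gotoPriorityExpression END -type REQUEST

# Confirm the bindings
show cs vserver cs_front
```

Responder policies are evaluated before content switching decides on a target, which is why the /admin check above protects every pool behind cs_front; lower priority numbers are evaluated first, and END stops evaluation once a responder policy has fired.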

    Konstantinos Kaltsas
Learn how to leverage WAF policies for protecting your applications. On this track we leverage infrastructure-as-code templates to demonstrate:
How to create WAF policies and profiles.
How to enable WAF policies at load balancing or content switching virtual server level.
How to block or log malicious requests based on different criteria.
Click the Start hands-on Lab at the top of the post to try it out!
    Please share your feedback or any issues in the comments section.
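The three WAF steps the lab lists, as NetScaler CLI commands. This is an added example and not the lab's templates: lb_web, cs_front, www.example.com, the profile and policy names and the signature object name sig_v112 are assumed, and the check actions shown are the standard appfw profile parameters.

```netscaler
# 1. Profile with the advanced defaults, then explicit block/log/stats actions
#    for the checks that matter most on a public web app
add appfw profile prof_web -defaults advanced
set appfw profile prof_web -SQLInjectionAction block log stats -crossSiteScriptingAction block log stats -bufferOverflowAction block log stats
# Attach the imported signature object (sig_v112 is the assumed name given on import)
set appfw profile prof_web -signatures sig_v112

# 2. Policy: which requests the profile inspects. Bind it either at the LB vserver
#    for one application, or at the CS vserver to cover every pool behind it.
add appfw policy pol_web_waf "HTTP.REQ.HOSTNAME.EQ(\"www.example.com\")" prof_web
bind lb vserver lb_web -policyName pol_web_waf -priority 100 -type REQUEST
bind cs vserver cs_front -policyName pol_web_waf -priority 100 -type REQUEST

# 3. Log-only profile for a path still being tuned. It is bound with a lower
#    priority number, so requests under /api/ match it first and are only logged,
#    while everything else falls through to the blocking profile.
add appfw profile prof_api_audit -defaults advanced
set appfw profile prof_api_audit -SQLInjectionAction log stats -crossSiteScriptingAction log stats
add appfw policy pol_api_audit "HTTP.REQ.URL.PATH.STARTSWITH(\"/api/\")" prof_api_audit
bind lb vserver lb_web -policyName pol_api_audit -priority 50 -type REQUEST

# Check what the firewall has blocked or logged
stat appfw
```

Run a new profile in log-only mode first, review the violations in the appfw log, then switch the actions to block; flipping straight to block on an untuned profile is how legitimate traffic gets dropped.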

    Sumanth Lingappa
NetScaler is an advanced application delivery, load balancing and security solution for your web apps. Terraform provides an infrastructure-as-code, declarative approach to managing your NetScaler infrastructure.
In this hands-on lab, we learn how to use Terraform to configure a load balancing service in NetScaler and expose your public web apps over the internet. The lab provisions the NetScaler, a pair of web servers and an automation controller, and then guides you through using Terraform.

Click the Start hands-on Lab at the top of the post to try it out!
    Let us know your feedback or any issues in the comments section.

    Guest
    NetScaler ADC VPX on AWS Deployment Guide Part 3
    Contributed By: Luis Ugarte and Beth Pollack
Continued from Part 2
Setting up
    Users must enable Advanced Security Analytics and set Web Transaction Settings to All to view the following violations in NetScaler ADM:
    Unusually High Upload Transactions (WAF)
    Unusually High Download Transactions (WAF)
    Excessive Unique IPs (WAF)
    Account takeover (BOT)
For other violations, ensure that Metrics Collector is enabled. By default, Metrics Collector is enabled on the NetScaler ADC instance. For more information, see: Configure Intelligent App Analytics.
    Enable Advanced Security Analytics
    Navigate to Networks > Instances > NetScaler ADC, and select the instance type. For example, MPX.
    Select the NetScaler ADC instance and from the Select Action list, select Configure Analytics.
    Select the virtual server and click Enable Analytics.
    On the Enable Analytics window:
    Select Web Insight. After users select Web Insight, the read-only Advanced Security Analytics option is enabled automatically.

    Note: The Advanced Security Analytics option is displayed only for premium licensed ADC instances.
    Select Logstream as Transport Mode
    The Expression is true by default
    Click OK

    Enable Web Transaction settings
    Navigate to Analytics > Settings. The Settings page is displayed.
    Click Enable Features for Analytics.
    Under Web Transaction Settings, select All.

Click OK.
Security violations dashboard
    In the security violations dashboard, users can view:
    Total violations occurred across all ADC instances and applications. The total violations are displayed based on the selected time duration.
    Total violations under each category.
    Total ADCs affected, total applications affected, and top violations based on the total occurrences and the affected applications.
    Violation details
    For each violation, NetScaler ADM monitors the behavior for a specific time duration and detects violations for unusual behaviors. Click each tab to view the violation details. Users can view details such as:
    The total occurrences, last occurred, and total applications affected
    Under event details, users can view:
    The affected application. Users can also select the application from the list if two or more applications are affected with violations.
    The graph indicating violations.
    Drag and select on the graph that lists the violations to narrow down the violation search.

    Click Reset Zoom to reset the zoom result
    Recommended Actions that suggest users troubleshoot the issue
Other violation details such as violation occurrence time and detection message
    Bot Insight
    Using Bot Insight in NetScaler ADM
    After users configure the bot management in NetScaler ADC, they must enable Bot Insight on virtual servers to view insights in NetScaler ADM.
    To enable Bot Insight:
    Navigate to Networks > Instances > NetScaler ADC and select the instance type. For example, VPX.
    Select the instance and from the Select Action list, select Configure Analytics.
    Select the virtual server and click Enable Analytics.
    On the Enable Analytics window:
    Select Bot Insight
    Under Advanced Option, select Logstream.

    Click OK. After enabling Bot Insight, navigate to Analytics > Security > Bot Insight.

    Time list to view bot details
    Drag the slider to select a specific time range and click Go to display the customized results
    Total instances affected from bots
    Virtual server for the selected instance with total bot attacks
    Total Bots – Indicates the total bot attacks (inclusive of all bot categories) found for the virtual server.
    Total Human Browsers – Indicates the total human users accessing the virtual server.
    Bot Human Ratio – Indicates the ratio between human users and bots accessing the virtual server.
    Signature Bots, Fingerprinted Bot, Rate Based Bots, IP Reputation Bots, allow list Bots, and block list Bots – Indicates the total bot attacks occurred based on the configured bot category. For more information about bot categories, see: Configure Bot Detection Techniques in NetScaler ADC.
    Click > to view bot details in a graph format.

    View events history
    Users can view the bot signature updates in the Events History, when:
    New bot signatures are added in NetScaler ADC instances.
    Existing bot signatures are updated in NetScaler ADC instances.
    You can select the time duration on the bot insight page to view the events history.

The following steps describe how bot signatures are retrieved from the AWS cloud, updated on NetScaler ADC, and how the signature update summary is viewed in NetScaler ADM.

    The bot signature auto update scheduler retrieves the mapping file from the AWS URI.
    Checks the latest signatures in the mapping file with the existing signatures in the ADC appliance.
    Downloads the new signatures from AWS and verifies the signature integrity.
    Updates the existing bot signatures with the new signatures in the bot signature file.
    Generates an SNMP alert and sends the signature update summary to NetScaler ADM.
    View Bots
    Click the virtual server to view the Application Summary

    Provides the Application Summary details such as:
    Average RPS – Indicates the average bot transaction requests per second (RPS) received on virtual servers.
    Bots by Severity – Indicates the highest bot transactions occurred based on the severity. The severity is categorized based on Critical, High, Medium, and Low.
    For example, if the virtual servers have 11770 high severity bots and 1550 critical severity bots, then NetScaler ADM displays Critical 1.55 K under Bots by Severity.
    Largest Bot Category – Indicates the highest bot attacks occurred based on the bot category.
    For example, if the virtual servers have 8000 block listed bots, 5000 allow listed bots, and 10000 Rate Limit Exceeded bots, then NetScaler ADM displays Rate Limit Exceeded 10 K under Largest Bot Category.
    Largest Geo Source – Indicates the highest bot attacks occurred based on a region.
    For example, if the virtual servers have 5000 bot attacks in Santa Clara, 7000 bot attacks in London, and 9000 bot attacks in Bangalore, then NetScaler ADM displays Bangalore 9 K under Largest Geo Source.
    Average % Bot Traffic – Indicates the human bot ratio.
    Displays the severity of the bot attacks based on locations in map view
    Displays the types of bot attacks (Good, Bad, and All)
    Displays the total bot attacks along with the corresponding configured actions. For example, if you have configured:
    IP address range (192.140.14.9 to 192.140.14.254) as block list bots and selected Drop as an action for these IP address ranges
    IP range (192.140.15.4 to 192.140.15.254) as block list bots and selected to create a log message as an action for these IP ranges
    In this scenario, NetScaler ADM displays:
    Total block listed bots
    Total bots under Dropped
    Total bots under Log
    View CAPTCHA bots
    In webpages, CAPTCHAs are designed to identify if the incoming traffic is from a human or an automated bot. To view the CAPTCHA activities in NetScaler ADM, users must configure CAPTCHA as a bot action for IP reputation and device fingerprint detection techniques in a NetScaler ADC instance. For more information, see: Configure Bot Management.
    The following are the CAPTCHA activities that NetScaler ADM displays in Bot insight:
    Captcha attempts exceeded – Denotes the maximum number of CAPTCHA attempts made after login failures
    Captcha client muted – Denotes the number of client requests that are dropped or redirected because these requests were detected as bad bots earlier with the CAPTCHA challenge
    Human – Denotes the captcha entries performed from the human users
    Invalid captcha response – Denotes the number of incorrect CAPTCHA responses received from the bot or human, when NetScaler ADC sends a CAPTCHA challenge

    View bot traps
    To view bot traps in NetScaler ADM, you must configure the bot trap in the NetScaler ADC instance. For more information, see Configure Bot Management.

    To identify the bot trap, a script is enabled in the webpage and this script is hidden from humans, but not to bots. NetScaler ADM identifies and reports the bot traps, when this script is accessed by bots.
    Click the virtual server and select Zero Pixel Request

    View bot details
    For further details, click the bot attack type under Bot Category.
    The details such as attack time and total number of bot attacks for the selected captcha category are displayed.

    Users can also drag the bar graph to select the specific time range to be displayed with bot attacks.

    To get additional information of the bot attack, click to expand.

    Instance IP – Indicates the NetScaler ADC instance IP address
    Total Bots – Indicates the total bot attacks occurred for that particular time
    HTTP Request URL – Indicates the URL that is configured for captcha reporting
    Country Code – Indicates the country where the bot attack occurred
    Region – Indicates the region where the bot attack occurred
    Profile Name – Indicates the profile name that users provided during the configuration
    Advanced search
    Users can also use the search text box and time duration list, where they can view bot details as per the user requirement. When users click the search box, the search box gives them the following list of search suggestions.
    Instance IP – NetScaler ADC instance IP address
    Client-IP – Client IP address
    Bot-Type – Bot type such as Good or Bad
    Severity – Severity of the bot attack
    Action-Taken – Action taken after the bot attack such as Drop, No action, Redirect
    Bot-Category – Category of the bot attack such as block list, allow list, fingerprint, and so on. Based on a category, users can associate a bot action to it
    Bot-Detection – Bot detection types (block list, allow list, and so on) that users have configured on NetScaler ADC instance
    Location – Region/country where the bot attack has occurred
    Request-URL – URL that has the possible bot attacks
    Users can also use operators in the user search queries to narrow the focus of the user search. For example, if users want to view all bad bots:
    Click the search box and select Bot-Type
    Click the search box again and select the operator =
    Click the search box again and select Bad
    Click Search to display the results

    Bot violation details
    Excessive Client Connections
    When a client tries to access the web application, the client request is processed in NetScaler ADC appliance, instead of connecting to the server directly. Web traffic comprises bots and bots can perform various actions at a faster rate than a human.
    Using the Excessive Client Connections indicator, users can analyze scenarios when an application receives unusually high client connections through bots.

    Under Event Details, users can view:
    The affected application. Users can also select the application from the list if two or more applications are affected with violations.
    The graph indicating all violations
    The violation occurrence time
    The detection message for the violation, indicating the total number of IP addresses transacting with the application
    The accepted IP address range that the application can receive
    Account Takeover

    Note:
    Ensure that the advanced security analytics and web transaction options are enabled. For more information, see Setting up.
    Some malicious bots steal user credentials and perform various kinds of cyberattacks. These malicious bots are known as bad bots. It is essential to identify bad bots and protect the appliance from advanced security attacks.
    Prerequisite
    Users must configure the Account Takeover settings in NetScaler ADM.
    Navigate to Analytics > Settings > Security Violations
    Click Add

    On the Add Application page, specify the following parameters:
    Application - Select the virtual server from the list.
    Method - Select the HTTP method type from the list. The available options are GET, PUSH, POST, and UPDATE.
    Login URL and Success response code - Specify the login URL of the web application and the HTTP status code (for example, 200) that the application returns on a successful login. NetScaler ADM uses this code to tell successful logins from failed ones when reporting account takeover violations from bad bots.
    Click Add.

    After the settings are configured, users can use the Account Takeover indicator to analyze whether bad bots attempted to take over user accounts by sending multiple login requests with credentials.

    Under Event Details, users can view:
    The affected application. Users can also select the application from the list if two or more applications are affected with violations.
    The graph indicating all violations
    The violation occurrence time
    The detection message for the violation, indicating total unusual failed login activity, successful logins, and failed logins
    The bad bot IP address. Click to view details such as time, IP address, total successful logins, total failed logins, and total requests made from that IP address.

    Unusually High Upload Volume
    Web traffic also includes data uploaded to the application. For example, if the average upload volume per day is 500 MB and 2 GB is uploaded in a day, that can be considered an unusually high upload volume. Bots can also upload data far more quickly than humans.
    Using the Unusually High Upload Volume indicator, users can analyze abnormal scenarios of upload data to the application through bots.

    Under Event Details, users can view:
    The affected application. Users can also select the application from the list if two or more applications are affected with violations.
    The graph indicating all violations
    The violation occurrence time
    The detection message for the violation, indicating the total upload data volume processed
    The accepted range of upload data to the application
    Unusually High Download Volume
    Similar to high upload volume, bots can also perform downloads more quickly than humans.
    Using the Unusually High Download Volume indicator, users can analyze abnormal scenarios of download data from the application through bots.

    Under Event Details, users can view:
    The affected application. Users can also select the application from the list if two or more applications are affected with violations.
    The graph indicating all violations
    The violation occurrence time
    The detection message for the violation, indicating the total download data volume processed
    The accepted range of download data from the application
    Unusually High Request Rate
    Users can control the incoming and outgoing traffic to and from an application. A bot attack can produce an unusually high request rate. For example, if an application is configured to allow 100 requests/minute and users observe 350 requests in a minute, it might be a bot attack.
    Using the Unusually High Request Rate indicator, users can analyze the unusual request rate received by the application.

    Under Event Details, users can view:
    The affected application. Users can also select the application from the list if two or more applications are affected with violations.
    The graph indicating all violations
    The violation occurrence time
    The detection message for the violation, indicating the total requests received and the percentage by which they exceed the expected request rate
    The accepted range for the expected request rate of the application
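    The four indicators above (Excessive Client Connections, Account Takeover, Unusually High Upload/Download Volume, Unusually High Request Rate) are easier to reason about when recomputed by hand over a small set of requests. The following is an added example, not NetScaler ADM code: ADM derives its accepted ranges from learned baselines that are not public, so the thresholds here (MAX_CLIENT_IPS, EXPECTED_REQ_PER_MIN, the upload/download baselines, ATO_MAX_FAILED) are assumed values chosen to reproduce the numbers used in the text (500 MB against 2 GB, 100 against 350 requests per minute), and the traffic in sample_records() is constructed.

```python
"""Bot violation indicators recomputed over constructed access-log records.

Added example, not NetScaler ADM code. Thresholds are assumptions; ADM learns
its own accepted ranges per application.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    minute: int       # minute offset inside the observed window
    client_ip: str
    method: str
    url: str
    status: int
    req_bytes: int    # request body size (counts toward upload volume)
    resp_bytes: int   # response body size (counts toward download volume)


# Account Takeover settings as entered under Analytics > Settings > Security Violations
LOGIN_URL, LOGIN_METHOD, SUCCESS_CODE = "/login", "POST", 200

# Assumed accepted ranges (ADM learns its own per application)
MAX_CLIENT_IPS = 3
EXPECTED_REQ_PER_MIN = 100
UPLOAD_BASELINE = 500 * 1024 ** 2       # 500 MB per window
DOWNLOAD_BASELINE = 1024 ** 3           # 1 GB per window
ATO_MAX_FAILED = 5                      # failed logins from one IP before it is flagged


def excessive_client_connections(records, limit=MAX_CLIENT_IPS):
    """Detection message: total IP addresses transacting with the application."""
    total_ips = len({r.client_ip for r in records})
    return {"total_ips": total_ips, "accepted_max": limit, "violation": total_ips > limit}


def account_takeover(records, max_failed=ATO_MAX_FAILED):
    """Per-IP login outcomes for the configured login URL, method and success code."""
    per_ip = defaultdict(lambda: {"success": 0, "failed": 0, "requests": 0})
    for r in records:
        per_ip[r.client_ip]["requests"] += 1
        if r.method == LOGIN_METHOD and r.url == LOGIN_URL:
            outcome = "success" if r.status == SUCCESS_CODE else "failed"
            per_ip[r.client_ip][outcome] += 1
    return {
        "successful_logins": sum(c["success"] for c in per_ip.values()),
        "failed_logins": sum(c["failed"] for c in per_ip.values()),
        "bad_bot_ips": {ip: c for ip, c in per_ip.items() if c["failed"] >= max_failed},
    }


def request_rate(records, expected=EXPECTED_REQ_PER_MIN):
    """Peak requests in any single minute and the percentage above the expected rate."""
    peak = max(Counter(r.minute for r in records).values())
    excess_pct = max(0, round((peak - expected) * 100 / expected))
    return {"peak_per_min": peak, "expected_per_min": expected,
            "excess_pct": excess_pct, "violation": peak > expected}


def transfer_volume(records, up_baseline=UPLOAD_BASELINE, down_baseline=DOWNLOAD_BASELINE):
    """Total bytes uploaded to and downloaded from the application against their baselines."""
    up = sum(r.req_bytes for r in records)
    down = sum(r.resp_bytes for r in records)
    return {"upload_bytes": up, "upload_violation": up > up_baseline,
            "download_bytes": down, "download_violation": down > down_baseline}


def sample_records():
    """Constructed traffic: three human clients on 203.0.113.0/24 and one bot at 198.51.100.7."""
    recs = []
    for minute, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        recs.append(Record(minute, ip, "GET", "/", 200, 0, 20_000))
        recs.append(Record(minute, ip, "GET", "/catalog", 200, 0, 80_000))
    recs.append(Record(0, "203.0.113.10", "POST", LOGIN_URL, 200, 300, 1_000))   # one human login
    bot = "198.51.100.7"
    recs += [Record(2, bot, "POST", LOGIN_URL, 401, 300, 500) for _ in range(8)]   # credential guessing
    recs.append(Record(2, bot, "POST", LOGIN_URL, 200, 300, 1_000))                # ... until one works
    recs += [Record(3, bot, "GET", "/catalog", 200, 0, 5 * 1024 ** 2) for _ in range(349)]  # scraping burst
    recs.append(Record(3, bot, "POST", "/upload", 200, 2 * 1024 ** 3, 100))         # 2 GB upload
    return recs


if __name__ == "__main__":
    recs = sample_records()
    for check in (excessive_client_connections, account_takeover, request_rate, transfer_volume):
        print(check.__name__, check(recs))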
    Use Cases
    Bot
    Sometimes the incoming web traffic is comprised of bots and most organizations suffer from bot attacks. Web and mobile applications are significant revenue drivers for business and most companies are under the threat of advanced cyberattacks, such as bots. A bot is a software program that automatically performs certain actions repeatedly at a much faster rate than a human. Bots can interact with webpages, submit forms, run actions, scan texts, or download content. They can access videos, post comments, and tweet on social media platforms. Some bots, known as chatbots, can hold basic conversations with human users. A bot that performs a helpful service, such as customer service, automated chat, and search engine crawlers are good bots. At the same time, a bot that can scrape or download content from a website, steal user credentials, spam content, and perform other kinds of cyberattacks are bad bots. With a good number of bad bots performing malicious tasks, it is essential to manage bot traffic and protect the user web applications from bot attacks. By using NetScaler bot management, users can detect the incoming bot traffic and mitigate bot attacks to protect the user web applications. NetScaler bot management helps identify bad bots and protect the user appliance from advanced security attacks. It detects good and bad bots and identifies if incoming traffic is a bot attack. By using bot management, users can mitigate attacks and protect the user web applications.
    NetScaler ADC bot management provides the following benefits:
    Defends against bots, scripts, and toolkits. Provides real-time threat mitigation using static signature-based defense and device fingerprinting.
    Neutralizes automated basic and advanced attacks. Prevents attacks, such as App layer DDoS, password spraying, password stuffing, price scrapers, and content scrapers.
    Protects user APIs and investments. Protects user APIs from unwarranted misuse and protects infrastructure investments from automated traffic.
    Some use cases where users can benefit by using the NetScaler bot management system are:
    Brute force login. A government web portal is constantly under attack by bots attempting brute force user logins. The organization discovers the attack by looking through web logs and seeing specific users being hit over and over again with rapid login attempts and passwords incrementing using a dictionary attack approach. By law, they must protect themselves and their users. By deploying the NetScaler bot management, they can stop brute force login using device fingerprinting and rate limiting techniques.
    Block bad bots and device fingerprint unknown bots. A web entity gets 100,000 visitors each day. They have to upgrade the underlying footprint and they are spending a fortune. In a recent audit, the team discovered that 40 percent of the traffic came from bots, scraping content, picking news, checking user profiles, and more. They want to block this traffic to protect their users and reduce their hosting costs. Using bot management, they can block known bad bots, and fingerprint unknown bots that are hammering their site. By blocking these bots, they can reduce bot traffic by 90 percent.
    Permit good bots. “Good” bots are designed to help businesses and consumers. They have been around since the early 1990s when the first search engine bots were developed to crawl the Internet. Google, Yahoo, and Bing would not exist without them. Other examples of good bots—mostly consumer-focused—include:
    Chatbots (a.k.a. chatterbots, smart bots, talk bots, IM bots, social bots, conversation bots) interact with humans through text or sound. One of the first text uses was for online customer service and text messaging apps like Facebook Messenger and iPhone Messages. Siri, Cortana, and Alexa are chatbots; but so are mobile apps that let users order coffee and then tell them when it will be ready, let users watch movie trailers and find local theater showtimes, or send users a picture of the car model and license plate when they request a ride service.
    Shopbots scour the Internet looking for the lowest prices on items users are searching for.
    Monitoring bots check on the health (availability and responsiveness) of websites. Downdetector is an example of an independent site that provides real-time status information, including outages, of websites and other kinds of services. For more information about Downdetector, see: Downdetector.
    Bot Detection
    Configuring Bot Management by using NetScaler ADC GUI
    Users can configure NetScaler ADC bot management by first enabling the feature on the appliance. Once users enable, they can create a bot policy to evaluate the incoming traffic as bot and send the traffic to the bot profile. Then, users create a bot profile and then bind the profile to a bot signature. As an alternative, users can also clone the default bot signature file and use the signature file to configure the detection techniques. After creating the signature file, users can import it into the bot profile. All these steps are performed in the following sequence:

    /applications/core/interface/js/spacer.png" data-src="/monthly_2023_08/image.jpg.eb7ebda49e0f53f9d9bc1b3fde1fbfa8.jpg" data-ratio="48.43" width="413" class="ipsImage ipsImage_thumbnailed" alt="image.jpg">
    Enable bot management feature
    Configure bot management settings
    Clone NetScaler bot default signature
    Import NetScaler bot signature
    Configure bot signature settings
    Create bot profile
    Create bot policy
    Enable Bot Management Feature
    On the navigation pane, expand System and then click Settings.
    On the Configure Advanced Features page, select the Bot Management check box.
    Click OK, and then click Close.

    /applications/core/interface/js/spacer.png" data-src="/monthly_2023_08/image.jpg.ca72781cbdf38d25757e8f78dadc0de6.jpg" data-ratio="100.29" width="344" class="ipsImage ipsImage_thumbnailed" alt="image.jpg">
    Clone Bot Signature File
    Navigate to Security > NetScaler Bot Management > Signatures.
    In NetScaler Bot Management Signatures page, select the default bot signatures record and click Clone.
    In the Clone Bot Signature page, enter a name and edit the signature data.
    Click Create.

    /applications/core/interface/js/spacer.png" data-src="/monthly_2023_08/image.jpg.fea4458cdad70d34f9d2d6f79f024317.jpg" data-ratio="53.25" width="415" class="ipsImage ipsImage_thumbnailed" alt="image.jpg">
    Import Bot Signature File
    If users have their own signature file, then they can import it as a file, text, or URL. Perform the following the steps to import the bot signature file:
    Navigate to Security > NetScaler Bot Management and Signatures.
    On the NetScaler Bot Management Signatures page, import the file as URL, File, or text.
    Click Continue.

    /applications/core/interface/js/spacer.png" data-src="/monthly_2023_08/image.jpg.5253bb320b4413a3a0a8be15ac20e785.jpg" data-ratio="49" width="400" class="ipsImage ipsImage_thumbnailed" alt="image.jpg">
    On the Import NetScaler Bot Management Signature page, set the following parameters.
    Name. Name of the bot signature file.
    Comment. Brief description about the imported file.
    Overwrite. Select the check box to allow overwriting of data during file update.
    Signature Data. Modify signature parameters
    Click Done.

    /applications/core/interface/js/spacer.png" data-src="/monthly_2023_08/image.jpg.3e285313b06457c09c53af5cdfcb2751.jpg" data-ratio="67.22" width="418" class="ipsImage ipsImage_thumbnailed" alt="image.jpg">
    IP Reputation
    Configure IP Reputation by using NetScaler ADC GUI
    This configuration is a prerequisite for the bot IP reputation feature. The detection technique enables users to identify if there is any malicious activity from an incoming IP address. As part of the configuration, we set different malicious bot categories and associate a bot action to each of them.
    Navigate to Security > NetScaler Bot Management and Profiles.
    On the NetScaler Bot Management Profiles page, select a signature file and click Edit.
    On the NetScaler Bot Management Profile page, go to Signature Settings section and click IP Reputation.
    On the IP Reputation section, set the following parameters:
    Enabled. Select the check box to validate incoming bot traffic as part of the detection process.
    Configure Categories. Users can use the IP reputation technique for incoming bot traffic under different categories. Based on the configured category, users can drop or redirect the bot traffic. Click Add to configure a malicious bot category.
    In the Configure NetScaler Bot Management Profile IP Reputation Binding page, set the following parameters:
    Category. Select a malicious bot category from the list. Associate a bot action based on category.
    Enabled. Select the check box to validate the IP reputation signature detection.
    Bot action. Based on the configured category, users can assign no action, drop, redirect, or CAPTCHA action.
    Log. Select the check box to store log entries.
    Log Message. Brief description of the log.
    Comments. Brief description about the bot category.
    Click OK.
    Click Update.
    Click Done.

    /applications/core/interface/js/spacer.png" data-src="/monthly_2023_08/image.jpg.30a420a901aa15e221232321c07f2567.jpg" data-ratio="46.78" width="404" class="ipsImage ipsImage_thumbnailed" alt="image.jpg">
    Auto Update for Bot Signatures
    The bot static signature technique uses a signature lookup table with a list of good bots and bad bots. The bots are categorized based on user-agent string and domain names. If the user-agent string and domain name in incoming bot traffic matches a value in the lookup table, a configured bot action is applied. The bot signature updates are hosted on the AWS cloud and the signature lookup table communicates with the AWS database for signature updates. The auto signature update scheduler runs every 1-hour to check the AWS database and updates the signature table in the ADC appliance.
    The Bot signature mapping auto update URL to configure signatures is: Bot Signature Mapping.

    Note:
    Users can also configure a proxy server and periodically update signatures from the AWS cloud to the ADC appliance through a proxy. For proxy configuration, users must set the proxy IP address and port address in the bot settings.
    Configure Bot Signature Auto Update
    For configuring bot signature auto update, complete the following steps:
    Enable Bot Signature Auto Update
    Users must enable the auto update option in the bot settings on the ADC appliance.
    At the command prompt, type:
    set bot settings –signatureAutoUpdate ON
    Configure Bot Signature Auto Update using the NetScaler ADC GUI
    Complete the following steps to configure bot signature auto update:
    Navigate to Security > NetScaler Bot Management.
    In the details pane, under Settings click Change NetScaler Bot Management Settings.
    In the Configure NetScaler Bot Management Settings, select the Auto Update Signature check box.

    /applications/core/interface/js/spacer.png" data-src="/monthly_2023_08/image.jpg.62059fbaa9c731ec4f548610e06edcfb.jpg" data-ratio="73.98" width="246" class="ipsImage ipsImage_thumbnailed" alt="image.jpg">
    Click OK and Close. For more information on configuring IP Reputation using the CLI, see: Configure the IP Reputation Feature Using the CLI.
    References
    For information on using SQL Fine Grained Relaxations, see: SQL Fine Grained Relaxations.
    For information on how to configure the SQL Injection Check using the command line, see: HTML SQL Injection Check.
    For information on how to configure the SQL Injection Check using the GUI, see: Using the GUI to Configure the SQL Injection Security Check.
    For information on using the Learn Feature with the SQL Injection Check, see: Using the Learn Feature with the SQL Injection Check.
    For information on using the Log Feature with the SQL Injection Check, see: Using the Log Feature with the SQL Injection Check.
    For information on Statistics for the SQL Injection violations, see: Statistics for the SQL Injection Violations.
    For information on SQL Injection Check Highlights, see: Highlights.
    For information about XML SQL Injection Checks, see: XML SQL Injection Check.
    For information on using Cross-Site Scripting Fine Grained Relaxations, see: SQL Fine Grained Relaxations.
    For information on configuring HTML Cross-Site Scripting using the command line, see: Using the Command Line to Configure the HTML Cross-Site Scripting Check.
    For information on configuring HTML Cross-Site Scripting using the GUI, see: Using the GUI to Configure the HTML Cross-Site Scripting Check.
    For information on using the Learn Feature with the HTML Cross-Site Scripting Check, see: Using the Learn Feature with the HTML Cross-Site Scripting Check.
    For information on using the Log Feature with the HTML Cross-Site Scripting Check, see: Using the Log Feature with the HTML Cross-Site Scripting Check.
    For information on statistics for the HTML Cross-Site Scripting violations, see: Statistics for the HTML Cross-Site Scripting Violations.
    For information on HTML Cross-Site Scripting highlights, see: Highlights.
    For information about XML Cross-Site Scripting, visit: XML Cross-Site Scripting Check.
    For information on using the command line to configure the Buffer Overflow Security Check, see: Using the Command Line to Configure the Buffer Overflow Security Check.
    For information on using the GUI to configure the Buffer Overflow Security Check, see: Configure Buffer Overflow Security Check by using the NetScaler ADC GUI.
    For information on using the Log Feature with the Buffer Overflow Security Check, see: Using the Log Feature with the Buffer Overflow Security Check.
    For information on Statistics for the Buffer Overflow violations, see: Statistics for the Buffer Overflow Violations.
    For information on the Buffer Overflow Security Check Highlights, see: Highlights.
    For information on Adding or Removing a Signature Object, see: Adding or Removing a Signature Object.
    For information on creating a signatures object from a template, see: To Create a Signatures Object from a Template.
    For information on creating a signatures object by importing a file, see: To Create a Signatures Object by Importing a File.
    For information on creating a signatures object by importing a file using the command line, see: To Create a Signatures Object by Importing a File using the Command Line.
    For information on removing a signatures object by using the GUI, see: To Remove a Signatures Object by using the GUI.
    For information on removing a signatures object by using the command line, see: To Remove a Signatures Object by using the Command Line.
    For information on configuring or modifying a signatures object, see: Configuring or Modifying a Signatures Object.
    For more information on updating a signature object, see: Updating a Signature Object.
    For information on using the command line to update Web Application Firewall Signatures from the source, see: To Update the Web Application Firewall Signatures from the Source by using the Command Line.
    For information on updating a signatures object from a NetScaler format file, see: Updating a Signatures Object from a NetScaler Format File.
    For information on updating a signatures object from a supported vulnerability scanning tool, see: Updating a Signatures Object from a Supported Vulnerability Scanning Tool.
    For information on Snort Rule Integration, see: Snort Rule Integration.
    For information on configuring Snort Rules, see: Configure Snort Rules.
    For information about configuring Bot Management using the command line, see: Configure Bot Management.
    For information about configuring bot management settings for device fingerprint technique, see: Configure Bot Management Settings for Device Fingerprint Technique.
    For information on configuring bot allow lists by using the NetScaler ADC GUI, see: Configure Bot White List by using NetScaler ADC GUI.
    For information on configuring bot block lists by using the NetScaler ADC GUI, see: Configure Bot Black List by using NetScaler ADC GUI.
    For more information on configuring Bot management, see: Configure Bot Management.
    Prerequisites
    Before attempting to create a VPX instance in AWS, users should ensure they have the following:
    An AWS account to launch a NetScaler ADC VPX AMI in an Amazon Web Services (AWS) Virtual Private Cloud (VPC). Users can create an AWS account for free at Amazon Web Services: AWS.
    An AWS Identity and Access Management (IAM) user account to securely control access to AWS services and resources for users. For more information about how to create an IAM user account, see the topic: Creating IAM Users (Console).
    An IAM role is mandatory for both standalone and high availability deployments. The IAM role must have the following privileges:
    ec2:DescribeInstances
    ec2:DescribeNetworkInterfaces
    ec2:DetachNetworkInterface
    ec2:AttachNetworkInterface
    ec2:StartInstances
    ec2:StopInstances
    ec2:RebootInstances
    ec2:DescribeAddresses
    ec2:AssociateAddress
    ec2:DisassociateAddress
    ec2:AssignPrivateIpAddresses
    autoscaling:*
    sns:*
    sqs:*
    cloudwatch:*
    iam:SimulatePrincipalPolicy
    iam:GetRole
    For more information on IAM permissions, see: AWS Managed Policies for Job Functions.
    If the NetScaler CloudFormation template is used, the IAM role is automatically created. The template does not allow selecting an already created IAM role.

    Note:
    When users log on the VPX instance through the GUI, a prompt to configure the required privileges for the IAM role appears. Ignore the prompt if the privileges have already been configured. Note:
    AWS CLI is required to use all the functionality provided by the AWS Management Console from the terminal program. For more information, see the AWS CLI user guide: What Is the AWS Command Line Interface?. Users also need the AWS CLI to change the network interface type to SR-IOV.
    For more information about NetScaler ADC and AWS including support for the NetScaler Networking VPX within AWS see NetScaler ADC and Amazon Web Services Validated Reference Design guide: NetScaler ADC and Amazon Web Services Validated Reference Design .
    Limitations and Usage Guidelines
    The following limitations and usage guidelines apply when deploying a NetScaler ADC VPX instance on AWS:
    Users should read the AWS terminology listed above before starting a new deployment.
    The clustering feature is supported only when provisioned with NetScaler ADM Auto Scale Groups.
    For the high availability setup to work effectively, associate a dedicated NAT device to the management Interface or associate an Elastic IP (EIP) to NSIP. For more information on NAT, in the AWS documentation, see: NAT Instances.
    Data traffic and management traffic must be segregated with ENIs belonging to different subnets.
    Only the NSIP address must be present on the management ENI.
    If a NAT instance is used for security instead of assigning an EIP to the NSIP, appropriate VPC level routing changes are required. For instructions on making VPC level routing changes, in the AWS documentation, see: Scenario 2: VPC with Public and Private Subnets.
    A VPX instance can be moved from one EC2 instance type to another (for example, from m3.large to an m3.xlarge). For more information, visit: Limitations and Usage Guidelines.
    For storage media for VPX on AWS, NetScaler recommends EBS, because it is durable and the data is available even after it is detached from the instance.
    Dynamic addition of ENIs to VPX is not supported. Restart the VPX instance to apply the update. NetScaler recommends users to stop the standalone or HA instance, attach the new ENI, and then restart the instance. The primary ENI cannot be changed or attached to a different subnet once it is deployed. Secondary ENIs can be detached and changed as needed while the VPX is stopped.
    Users can assign multiple IP addresses to an ENI. The maximum number of IP addresses per ENI is determined by the EC2 instance type, see the section “IP Addresses Per Network Interface Per Instance Type” in Elastic Network Interfaces: Elastic Network Interfaces. Users must allocate the IP addresses in AWS before they assign them to ENIs. For more information, see Elastic Network Interfaces: Elastic Network Interfaces.
    NetScaler recommends that users avoid using the enable and disable interface commands on NetScaler ADC VPX interfaces.
    The NetScaler ADC set ha node <NODE_ID> -haStatus STAYPRIMARY and set ha node <NODE_ID> -haStatus STAYSECONDARY commands are disabled by default.
    IPv6 is not supported for VPX.
    Due to AWS limitations, these features are not supported:
    Gratuitous ARP(GARP)
    L2 mode (bridging). Transparent virtual servers are supported with L2 (MAC rewrite) for servers in the same subnet as the SNIP.
    Tagged VLAN
    Dynamic Routing
    Virtual MAC
    For RNAT, routing, and Transparent virtual server to work, ensure Source/Destination Check is disabled for all ENIs in the data path. For more information, see “Changing the Source/Destination Checking” in Elastic Network Interfaces: Elastic Network Interfaces.
    In a NetScaler ADC VPX deployment on AWS, in some AWS regions, the AWS infrastructure might not be able to resolve AWS API calls. This happens if the API calls are issued through a non-management interface on the NetScaler ADC VPX instance. As a workaround, restrict the API calls to the management interface only. To do that, create an NSVLAN on the VPX instance and bind the management interface to the NSVLAN by using the appropriate command.
    For example:
    set ns config -nsvlan <vlan id> -ifnum 1/1 -tagged NO
    save config
    Restart the VPX instance at the prompt.
    For more information about configuring nsvlan, see Configuring NSVLAN: Configuring NSVLAN.
    In the AWS console, the vCPU usage shown for a VPX instance under the Monitoring tab might be high (up to 100 percent), even when the actual usage is much lower. To see the actual vCPU usage, navigate to View all CloudWatch metrics. For more information, see: Monitor your Instances using Amazon CloudWatch. Alternately, if low latency and performance are not a concern, users may enable the CPU Yield feature allowing the packet engines to idle when there is no traffic. Visit Citrix Support Knowledge Center for more details about the CPU Yield feature and how to enable it.
    Technical Requirements
    Before users launch the Quick Start Guide to begin a deployment, the user account must be configured as specified in the following table. Otherwise, the deployment might fail.
    Resources
    If necessary, sign in to the user amazon account and request service limit increases for the following resources here: AWS/Sign in. You might need to do this if you already have an existing deployment that uses these resources, and you think you might exceed the default limits with this deployment. For default limits, see the AWS Service Quotas in the AWS documentation: AWS Service Quotas.
    The AWS Trusted Advisor, found here: AWS/Sign in, offers a service limits check that displays usage and limits for some aspects of some services.
    ResourceThis deployment usesVPCs1Elastic IP addresses0/1(for Bastion host)IAM security groups3IAM roles1Subnets6(3/Availability zone)Internet Gateway1Route Tables5WAF VPX instances2Bastion host0/1NAT gateway2Regions
    NetScaler WAF on AWS isn’t currently supported in all AWS Regions. For a current list of supported Regions, see AWS Service Endpoints in the AWS documentation: AWS Service Endpoints.
    For more information on AWS regions and why cloud infrastructure matters, see: Global Infrastructure.
    Key Pair
    Make sure that at least one Amazon EC2 key pair exists in the user AWS account in the Region where users are planning to deploy using the Quick Start Guide. Make note of the key pair name. Users are prompted for this information during deployment. To create a key pair, follow the instructions for Amazon EC2 Key Pairs and Linux Instances in the AWS documentation: Amazon EC2 Key Pairs and Linux Instances.
    If users are deploying the Quick Start Guide for testing or proof-of-concept purposes, we recommend that they create a new key pair instead of specifying a key pair that’s already being used by a production instance.
    Continued from Part 2

×
×
  • Create New...