Richard Faulkner

Diagrams and Poster: NetScaler ADC - nsconmsg Commands Cheat Sheet Contributed By: Gene Whitaker Special Thanks To: Adrianna Pellitteri Overview Nsconmsg operates on NetScaler ADC newnslog and is the most widely used tool for troubleshooting Citrix ADC issues. The following are some of the most important points to remember: Reads newnslog formatted log files and displays the data The newnslog files are located in the /var/nslog/ directory Common items viewed from a newnslog are: counter statistics, console messages, events, commands, feature specific output, and system stats Run the following command, in shell, to view all nsconmsg usage operations: # nsconmsg -h The nsconmsg cheat sheet provides you with the most commonly used commands for your reference. Use the following link to download NetScaler ADC nsconmsg Commands Cheat Sheet .

Deployment Guide: Migrating Citrix ADM to Citrix ADM serviceMay 4, 2021 Author: Arnaud PainOverviewIn this document, you’ll discover how to migrate Citrix ADM (Application Delivery Management) on-premises to Citrix ADM service. Migrating to cloud resources modernizes your deployment, providing enhanced elasticity, scalability, and management. The guidance documented here is based on a deployment in a Citrix approved lab environment running on VMware vSphere Hypervisor. The initial and final deployments represent typical customer environments. AudienceWe’ve written this document for users who are Familiar with the administration of a Citrix ADMIt’s also helpful if you know Citrix Cloud fundamentals and understand Citrix ADM service. Set up a basic Citrix Cloud environmentFor more information on onboarding process see the Getting Started section. During the initial configuration of the ADM service agent , you need to provide the Service URL and Activation Code that are provided during the initial configuration in Citrix Cloud. After completing the initial network configuration, save the configuration settings. Run the script /mps/register_agent_cloud.py. You are prompted to change ADM (Application Delivery Management) Agent default password. Migrate to ADM serviceAfter the ADM service agent basic configuration is done, the next step is to upgrade the ADM to a Firmware that includes the script that will be used to migrate. You can migrate on-premises Citrix ADM 13.0 76.29 or a later version to Citrix Cloud. If your ADM has 12.1 or an earlier version, you must first upgrade to 13.0 76.29 or a later version and then migrate to Citrix Cloud. For more information, see the Upgrade section. Once your ADM is on the required version, you can start the process for the migration, the next step is to configure the on-premises ADM service agent. Configure ADM service agentTo enable communications between Citrix ADC instances and Citrix ADM, you must configure an agent. Citrix ADM agents are, by default, automatically upgraded to latest build. You can also select a specific time for the agent upgrade. For more information, see Configuring agent upgrade settings. If your existing on-premises ADM, standalone or HA pair, has no on-premises agents configured, you must configure at least one agent for ADM service.If your existing on-premises ADM, standalone or HA pair, has configured with on-premises agents for multisite deployments, it is advised to configure the same number of agents for ADM service.For more information on configuring an agent, see the Getting Started section. Connect to Citrix Cloud. Click API Access tab. Click Download. Take not of your Host ID and go to https://www.mycitrix.com to reallocate your licenses.Ensure your licenses are present in ADM service before starting the migration. We recommend to updating to ADM 76.x or later builds as the migration scripts (servicemigrationtool.py and config_collect_onprem.py) are available as part of the build, available in /mps/scripts. Note: Ensure that the on-premises ADM has internet connectivity during migration. For an ADM HA pair, log on to the primary node. Using an SSH client, log on to the on-premises ADM. Run the following commands to complete the migration: a. cd /mps/scripts b. python servicemigrationtool.py For example: python servicemigrationtool.py /var/secureclient.csv If you select Y, the migration continues by licensing the VIP randomly. If you select N, the script stops the migration. If you have the unsupported ADC instance version for the pooled license server, the following message is displayed: Note: You will only see above the Primary Node IP Address. If you select Y, the migration process continues by changing the license server. Depending upon the on-premises configuration, the approximate time for the migration to complete is between a few minutes and a few hours. After the migration is complete, you see the following message: You can connect to Citrix ADM service and ensure you see your ADC instance.

POC Guide: Deploying a NetScaler VPX on Nutanix AHVSpecial Thanks To: David Brett, Nagaraj Harikar, and Abhishek GautamOverviewThis proof of concept guide is designed to provide a step-by-step method to deploy an instance of the NetScaler VPX on Nutanix AHV and prepare it for use. NetScaler VPX running on Nutanix AHV is supported through the Citrix Ready Program. This guide will assist in deploying a VPX appliance using Prism Element with some basic best practices. This guide will NOT cover the specific needs for every deployment. It is recommended that deployments and testing are conducted to define the best method for a particular need. Nutanix Acropolis Hypervisor (AHV) is a modern and secure virtualization platform that powers VMs and containers for applications and cloud-native workloads on-premises and in public clouds that can run any application at any scale. PrerequisitesThis guide assumes the following prerequisites have been completed: Nutanix AHV is configured and ready for useNutanix Prism Element will be used for the deployment (not Prism Central)Sufficient resources are available to support the recommended VM configuration The NetScaler VPX requires a minimum of 2 vCPUs and 2 GB of RAM (4 GB RAM or more is recommended).At least one vNIC (2 or more vNICs recommended for Management and Production networks)At least 20 GB of disk space A basic understanding of Nutanix AHVA basic understanding of Nutanix Prism ElementFamiliarity with the Acropolis Command Line Interface (ACLI)Familiarity with the initial setup of a NetScaler VPX appliance.Considerations for NetScaler VPX appliancesA proof of concept deployment is set up to try out different functions of the VPX appliance. With a POC deployment, customers can: Try different featuresFamiliarize themselves with the environmentTry different configurations to see how they impact performance, usability, etc.A POC is not intended for production workloads and should only be utilized for learning and feasibility purposes. Therefore, a virtual appliance running with (2) vCPUs, (4) GB RAM, and 20 GB of disc drive should be sufficient. In a production environment, it is recommended to provision the appliance with adequate resources for the expected workload. With a virtual appliance on Nutanix AHV, scaling up or down on resources is very easy, making the virtual appliance very flexible. To determine the required resources for your workload, use the following NetScaler Form Factors Datasheet Deploying the NetScaler VPXDownload the VPX virtual appliance (the example below shows the latest 14.1 version of the firmware, however other versions are available for AHV should this meet your business requirements) On the first extraction, it will become a “tar” file. Extract that until you see the “.qcow2” and “.xml” files. 7. Once the file uploads, you should see the image listed and the status should show as “ACTIVE”, this may take some time as Prism Element processes the image file. 11. The disk will then be added 13. Do not set affinity now, as it will be set later in this guide14. Choose "Save" Once the VM is listed and shows as powered off, we must add a serial port. The VM appliance will not boot without a serial port connection, and Nutanix AHV does not add a serial port by default.To add the Serial Port SSH into the CVM using the username “nutanix” and the password you set for that account (You can find a list of CVM IP addresses in the “Hardware” section of the Prism Element console)Enter the ACLI acli Enter the following command to create the serial port where <vmname> is the name you gave to the VPX Appliance vm.serial_port_create <vmname> type=kServer index=0 Watch the VM Boot 6. Restart the VMWhen the appliance reboots, log back into the CLI and add the default route using the command below, replacing <default_route> with the default route assigned to the network that your NSIP resides on. route add 0.0.0.0 0.0.0.0 <default_route> Save the configuration using the command below to ensure the default route persists during a rebootsave ns config Now you can connect to the GUIAfter this point, the configuration proceeds like any other NetScaler setup. Additional ConsiderationsHigh CPU usageCPU usage will show high by default on NetScaler VPX appliances. If you desire to enable CPU sharing, then you should enable CPU Yield. From the GUI Navigate to Settings and click the “Change VPX Settings link 2. From the CLIset ns vpxparam -cpuyield YES Running a pair of appliances for high availability (HA)If you are going to run an HA pair of appliances, it is recommended that you set anti-affinity rules so the appliances will always be run on separate AHV hosts To accomplish this: Login to the CVM via SSHCreate the VM group where <vmgroupname> is the name you give to the group of NetScalers you deployed on AHV vm_group.create <vmgroupname> Add the existing NetScalers to the group where <vmgroupname> is the name from the previous step, and <vm1name> and <vm2name> are the NetScaler VMs to be added to the group vm_group.add_vms <vmgroupname> vm_list=<vm1name>,<vm2name> Set the Anti-affinity rule where <vmgroupname> is the name given in step 2 above vm_group.antiaffinity_set <vmgroupname> Disaster Recovery and GSLB Suppose multiple sites are to be used, and Global Server Load Balancing (GSLB) is utilized for access. In that case, it is recommended that an HA pair of NetScalers be deployed on AHV at both locations. You can then use Nutanix technologies such as DR replication to ensure the availability of your NetScaler pair should you experience a cluster outage. More information on Nutanix DR replication can be found here. ResourcesNetScaler Form Factors Datasheet FAQ on Deploying a NetScaler VPX

NetScaler ADC VPX on AWS Deployment Guide Part 3Contributed By: Luis Ugarte and Beth PollackContinued from Part 2Setting upUsers must enable Advanced Security Analytics and set Web Transaction Settings to All to view the following violations in NetScaler ADM: Unusually High Upload Transactions (WAF) Unusually High Download Transactions (WAF) Excessive Unique IPs (WAF) Account takeover (BOT) For other violations, ensure whether Metrics Collector is enabled. By default, Metrics Collector is enabled on the NetScaler ADC instance. For more information, see: Configure Intelligent App Analytics . Enable Advanced Security Analytics Navigate to Networks > Instances > NetScaler ADC, and select the instance type. For example, MPX. Select the NetScaler ADC instance and from the Select Action list, select Configure Analytics. Select the virtual server and click Enable Analytics. On the Enable Analytics window: Select Web Insight. After users select Web Insight, the read-only Advanced Security Analytics option is enabled automatically. Note: The Advanced Security Analytics option is displayed only for premium licensed ADC instances. Select Logstream as Transport Mode The Expression is true by default Click OK Click Ok.Security violations dashboardIn the security violations dashboard, users can view: Total violations occurred across all ADC instances and applications. The total violations are displayed based on the selected time duration. Total ADCs affected, total applications affected, and top violations based on the total occurrences and the affected applications. Click Reset Zoom to reset the zoom result Recommended Actions that suggest users troubleshoot the issue Other violation details such as violence occurrence time and detection message Bot InsightUsing Bot Insight in NetScaler ADMAfter users configure the bot management in NetScaler ADC, they must enable Bot Insight on virtual servers to view insights in NetScaler ADM. To enable Bot Insight: Navigate to Networks > Instances > NetScaler ADC and select the instance type. For example, VPX. Select the instance and from the Select Action list, select Configure Analytics. Select the virtual server and click Enable Analytics. On the Enable Analytics window: Select Bot Insight Under Advanced Option, select Logstream. Time list to view bot details Drag the slider to select a specific time range and click Go to display the customized results Total instances affected from bots Virtual server for the selected instance with total bot attacks Total Bots – Indicates the total bot attacks (inclusive of all bot categories) found for the virtual server. Total Human Browsers – Indicates the total human users accessing the virtual server. Bot Human Ratio – Indicates the ratio between human users and bots accessing the virtual server. Signature Bots, Fingerprinted Bot, Rate Based Bots, IP Reputation Bots, allow list Bots, and block list Bots – Indicates the total bot attacks occurred based on the configured bot category. For more information about bot categories, see: Configure Bot Detection Techniques in NetScaler ADC. Click > to view bot details in a graph format. The following diagram shows how the bot signatures are retrieved from the AWS cloud, updated on NetScaler ADC and view signature update summary on NetScaler ADM. Provides the Application Summary details such as: Average RPS – Indicates the average bot transaction requests per second (RPS) received on virtual servers. Bots by Severity – Indicates the highest bot transactions occurred based on the severity. The severity is categorized based on Critical, High, Medium, and Low. For example, if the virtual servers have 11770 high severity bots and 1550 critical severity bots, then NetScaler ADM displays Critical 1.55 K under Bots by Severity. Largest Bot Category – Indicates the highest bot attacks occurred based on the bot category. For example, if the virtual servers have 8000 block listed bots, 5000 allow listed bots, and 10000 Rate Limit Exceeded bots, then NetScaler ADM displays Rate Limit Exceeded 10 K under Largest Bot Category. Largest Geo Source – Indicates the highest bot attacks occurred based on a region. For example, if the virtual servers have 5000 bot attacks in Santa Clara, 7000 bot attacks in London, and 9000 bot attacks in Bangalore, then NetScaler ADM displays Bangalore 9 K under Largest Geo Source. Average % Bot Traffic – Indicates the human bot ratio. Displays the severity of the bot attacks based on locations in map view Displays the types of bot attacks (Good, Bad, and All) Displays the total bot attacks along with the corresponding configured actions. For example, if you have configured: IP address range (192.140.14.9 to 192.140.14.254) as block list bots and selected Drop as an action for these IP address ranges IP range (192.140.15.4 to 192.140.15.254) as block list bots and selected to create a log message as an action for these IP ranges In this scenario, NetScaler ADM displays: Total block listed bots Total bots under Dropped Total bots under Log View CAPTCHA botsIn webpages, CAPTCHAs are designed to identify if the incoming traffic is from a human or an automated bot. To view the CAPTCHA activities in NetScaler ADM, users must configure CAPTCHA as a bot action for IP reputation and device fingerprint detection techniques in a NetScaler ADC instance. For more information, see: Configure Bot Management. The following are the CAPTCHA activities that NetScaler ADM displays in Bot insight: Captcha attempts exceeded – Denotes the maximum number of CAPTCHA attempts made after login failures Captcha client muted – Denotes the number of client requests that are dropped or redirected because these requests were detected as bad bots earlier with the CAPTCHA challenge Human – Denotes the captcha entries performed from the human users Invalid captcha response – Denotes the number of incorrect CAPTCHA responses received from the bot or human, when NetScaler ADC sends a CAPTCHA challenge To identify the bot trap, a script is enabled in the webpage and this script is hidden from humans, but not to bots. NetScaler ADM identifies and reports the bot traps, when this script is accessed by bots. Click the virtual server and select Zero Pixel Request Users can also drag the bar graph to select the specific time range to be displayed with bot attacks. Instance IP – Indicates the NetScaler ADC instance IP address Total Bots – Indicates the total bot attacks occurred for that particular time HTTP Request URL – Indicates the URL that is configured for captcha reporting Country Code – Indicates the country where the bot attack occurred Region – Indicates the region where the bot attack occurred Profile Name – Indicates the profile name that users provided during the configuration Advanced searchUsers can also use the search text box and time duration list, where they can view bot details as per the user requirement. When users click the search box, the search box gives them the following list of search suggestions. Instance IP – NetScaler ADC instance IP address Client-IP – Client IP address Bot-Type – Bot type such as Good or Bad Severity – Severity of the bot attack Action-Taken – Action taken after the bot attack such as Drop, No action, Redirect Bot-Category – Category of the bot attack such as block list, allow list, fingerprint, and so on. Based on a category, users can associate a bot action to it Bot-Detection – Bot detection types (block list, allow list, and so on) that users have configured on NetScaler ADC instance Location – Region/country where the bot attack has occurred Request-URL – URL that has the possible bot attacks Users can also use operators in the user search queries to narrow the focus of the user search. For example, if users want to view all bad bots: Click the search box and select Bot-Type Click the search box again and select the operator = Click the search box again and select Bad Click Search to display the results Under Event Details, users can view: The affected application. Users can also select the application from the list if two or more applications are affected with violations. The graph indicating all violations The violation occurrence time The detection message for the violation, indicating the total IP addresses transacting the application The accepted IP address range that the application can receive Account Takeover Note: Ensure users enable the advanced security analytics and web transaction options. For more information, see Setting up: Setting up. Some malicious bots can steal user credentials and perform various kinds of cyberattacks. These malicious bots are known as bad bots. It is essential to identify bad bots and protect the user appliance from any form of advanced security attacks. PrerequisiteUsers must configure the Account Takeover settings in NetScaler ADM. Navigate to Analytics > Settings > Security Violations Click Add After users configure the settings, using the Account Takeover indicator, users can analyze if bad bots attempted to take over the user account, giving multiple requests along with credentials. Unusually High Upload VolumeWeb traffic also comprises data that is processed for uploading. For example, if the user average upload data per day is 500 MB and if users upload 2 GB of data, then this can be considered as an unusually high upload data volume. Bots are also capable to process uploading of data more quickly than humans. Using the Unusually High Upload Volume indicator, users can analyze abnormal scenarios of upload data to the application through bots. Under Event Details, users can view: The affected application. Users can also select the application from the list if two or more applications are affected with violations. The graph indicating all violations The violation occurrence time The detection message for the violation, indicating the total download data volume processed The accepted range of download data from the application Unusually High Request RateUsers can control the incoming and outgoing traffic from or to an application. A bot attack can perform an unusually high request rate. For example, if users configure an application to allow 100 requests/minute and if users observe 350 requests, then it might be a bot attack. Using the Unusually High Request Rate indicator, users can analyze the unusual request rate received to the application. Enable bot management feature Configure bot management settings Clone NetScaler bot default signature Import NetScaler bot signature Configure bot signature settings Create bot profile Create bot policy Enable Bot Management Feature On the navigation pane, expand System and then click Settings. On the Configure Advanced Features page, select the Bot Management check box. Click OK, and then click Close. Import Bot Signature FileIf users have their own signature file, then they can import it as a file, text, or URL. Perform the following the steps to import the bot signature file: Navigate to Security > NetScaler Bot Management and Signatures. On the NetScaler Bot Management Signatures page, import the file as URL, File, or text. Click Continue. IP ReputationConfigure IP Reputation by using NetScaler ADC GUIThis configuration is a prerequisite for the bot IP reputation feature. The detection technique enables users to identify if there is any malicious activity from an incoming IP address. As part of the configuration, we set different malicious bot categories and associate a bot action to each of them. Navigate to Security > NetScaler Bot Management and Profiles. On the NetScaler Bot Management Profiles page, select a signature file and click Edit. On the NetScaler Bot Management Profile page, go to Signature Settings section and click IP Reputation. On the IP Reputation section, set the following parameters: Enabled. Select the check box to validate incoming bot traffic as part of the detection process. Configure Categories. Users can use the IP reputation technique for incoming bot traffic under different categories. Based on the configured category, users can drop or redirect the bot traffic. Click Add to configure a malicious bot category. In the Configure NetScaler Bot Management Profile IP Reputation Binding page, set the following parameters: Category. Select a malicious bot category from the list. Associate a bot action based on category. Enabled. Select the check box to validate the IP reputation signature detection. Bot action. Based on the configured category, users can assign no action, drop, redirect, or CAPTCHA action. Log. Select the check box to store log entries. Log Message. Brief description of the log. Comments. Brief description about the bot category. Click OK. Click Update. Click Done. Click OK and Close.For more information on configuring IP Reputation using the CLI, see: Configure the IP Reputation Feature Using the CLI. ReferencesFor information on using SQL Fine Grained Relaxations, see: SQL Fine Grained Relaxations. For information on how to configure the SQL Injection Check using the command line, see: HTML SQL Injection Check. For information on how to configure the SQL Injection Check using the GUI, see: Using the GUI to Configure the SQL Injection Security Check. For information on using the Learn Feature with the SQL Injection Check, see: Using the Learn Feature with the SQL Injection Check. For information on using the Log Feature with the SQL Injection Check, see: Using the Log Feature with the SQL Injection Check. For information on Statistics for the SQL Injection violations, see: Statistics for the SQL Injection Violations. For information on SQL Injection Check Highlights, see: Highlights. For information about XML SQL Injection Checks, see: XML SQL Injection Check. For information on using Cross-Site Scripting Fine Grained Relaxations, see: SQL Fine Grained Relaxations. For information on configuring HTML Cross-Site Scripting using the command line, see: Using the Command Line to Configure the HTML Cross-Site Scripting Check. For information on configuring HTML Cross-Site Scripting using the GUI, see: Using the GUI to Configure the HTML Cross-Site Scripting Check. For information on using the Learn Feature with the HTML Cross-Site Scripting Check, see: Using the Learn Feature with the HTML Cross-Site Scripting Check. For information on using the Log Feature with the HTML Cross-Site Scripting Check, see: Using the Log Feature with the HTML Cross-Site Scripting Check. For information on statistics for the HTML Cross-Site Scripting violations, see: Statistics for the HTML Cross-Site Scripting Violations. For information on HTML Cross-Site Scripting highlights, see: Highlights. For information about XML Cross-Site Scripting, visit: XML Cross-Site Scripting Check. For information on using the command line to configure the Buffer Overflow Security Check, see: Using the Command Line to Configure the Buffer Overflow Security Check. For information on using the GUI to configure the Buffer Overflow Security Check, see: Configure Buffer Overflow Security Check by using the NetScaler ADC GUI. For information on using the Log Feature with the Buffer Overflow Security Check, see: Using the Log Feature with the Buffer Overflow Security Check. For information on Statistics for the Buffer Overflow violations, see: Statistics for the Buffer Overflow Violations. For information on the Buffer Overflow Security Check Highlights, see: Highlights. For information on Adding or Removing a Signature Object, see: Adding or Removing a Signature Object. For information on creating a signatures object from a template, see: To Create a Signatures Object from a Template. For information on creating a signatures object by importing a file, see: To Create a Signatures Object by Importing a File. For information on creating a signatures object by importing a file using the command line, see: To Create a Signatures Object by Importing a File using the Command Line. For information on removing a signatures object by using the GUI, see: To Remove a Signatures Object by using the GUI. For information on removing a signatures object by using the command line, see: To Remove a Signatures Object by using the Command Line. For information on configuring or modifying a signatures object, see: Configuring or Modifying a Signatures Object. For more information on updating a signature object, see: Updating a Signature Object. For information on using the command line to update Web Application Firewall Signatures from the source, see: To Update the Web Application Firewall Signatures from the Source by using the Command Line. For information on updating a signatures object from a NetScaler format file, see: Updating a Signatures Object from a NetScaler Format File. For information on updating a signatures object from a supported vulnerability scanning tool, see: Updating a Signatures Object from a Supported Vulnerability Scanning Tool. For information on Snort Rule Integration, see: Snort Rule Integration. For information on configuring Snort Rules, see: Configure Snort Rules. For information about configuring Bot Management using the command line, see: Configure Bot Management. For information about configuring bot management settings for device fingerprint technique, see: Configure Bot Management Settings for Device Fingerprint Technique. For information on configuring bot allow lists by using the NetScaler ADC GUI, see: Configure Bot White List by using NetScaler ADC GUI. For information on configuring bot block lists by using the NetScaler ADC GUI, see: Configure Bot Black List by using NetScaler ADC GUI. For more information on configuring Bot management, see: Configure Bot Management. PrerequisitesBefore attempting to create a VPX instance in AWS, users should ensure they have the following: An AWS account to launch a NetScaler ADC VPX AMI in an Amazon Web Services (AWS) Virtual Private Cloud (VPC). Users can create an AWS account for free at Amazon Web Services: AWS. An AWS Identity and Access Management (IAM) user account to securely control access to AWS services and resources for users. For more information about how to create an IAM user account, see the topic: Creating IAM Users (Console). An IAM role is mandatory for both standalone and high availability deployments. The IAM role must have the following privileges: ec2:DescribeInstances ec2:DescribeNetworkInterfaces ec2:DetachNetworkInterface ec2:AttachNetworkInterface ec2:StartInstances ec2:StopInstances ec2:RebootInstances ec2:DescribeAddresses ec2:AssociateAddress ec2:DisassociateAddress ec2:AssignPrivateIpAddresses autoscaling:* sns:* sqs:* cloudwatch:* iam:SimulatePrincipalPolicy iam:GetRole For more information on IAM permissions, see: AWS Managed Policies for Job Functions. If the NetScaler CloudFormation template is used, the IAM role is automatically created. The template does not allow selecting an already created IAM role. Note: When users log on the VPX instance through the GUI, a prompt to configure the required privileges for the IAM role appears. Ignore the prompt if the privileges have already been configured. Note: AWS CLI is required to use all the functionality provided by the AWS Management Console from the terminal program. For more information, see the AWS CLI user guide: What Is the AWS Command Line Interface?. Users also need the AWS CLI to change the network interface type to SR-IOV. For more information about NetScaler ADC and AWS including support for the NetScaler Networking VPX within AWS see NetScaler ADC and Amazon Web Services Validated Reference Design guide: NetScaler ADC and Amazon Web Services Validated Reference Design . Limitations and Usage GuidelinesThe following limitations and usage guidelines apply when deploying a NetScaler ADC VPX instance on AWS: Users should read the AWS terminology listed above before starting a new deployment. The clustering feature is supported only when provisioned with NetScaler ADM Auto Scale Groups. For the high availability setup to work effectively, associate a dedicated NAT device to the management Interface or associate an Elastic IP (EIP) to NSIP. For more information on NAT, in the AWS documentation, see: NAT Instances. Data traffic and management traffic must be segregated with ENIs belonging to different subnets. Only the NSIP address must be present on the management ENI. If a NAT instance is used for security instead of assigning an EIP to the NSIP, appropriate VPC level routing changes are required. For instructions on making VPC level routing changes, in the AWS documentation, see: Scenario 2: VPC with Public and Private Subnets. A VPX instance can be moved from one EC2 instance type to another (for example, from m3.large to an m3.xlarge). For more information, visit: Limitations and Usage Guidelines. For storage media for VPX on AWS, NetScaler recommends EBS, because it is durable and the data is available even after it is detached from the instance. Dynamic addition of ENIs to VPX is not supported. Restart the VPX instance to apply the update. NetScaler recommends users to stop the standalone or HA instance, attach the new ENI, and then restart the instance. The primary ENI cannot be changed or attached to a different subnet once it is deployed. Secondary ENIs can be detached and changed as needed while the VPX is stopped. Users can assign multiple IP addresses to an ENI. The maximum number of IP addresses per ENI is determined by the EC2 instance type, see the section “IP Addresses Per Network Interface Per Instance Type” in Elastic Network Interfaces: Elastic Network Interfaces. Users must allocate the IP addresses in AWS before they assign them to ENIs. For more information, see Elastic Network Interfaces: Elastic Network Interfaces. NetScaler recommends that users avoid using the enable and disable interface commands on NetScaler ADC VPX interfaces. The NetScaler ADC set ha node <NODE_ID> -haStatus STAYPRIMARY and set ha node <NODE_ID> -haStatus STAYSECONDARY commands are disabled by default. IPv6 is not supported for VPX. Due to AWS limitations, these features are not supported: Gratuitous ARP(GARP) L2 mode (bridging). Transparent virtual servers are supported with L2 (MAC rewrite) for servers in the same subnet as the SNIP. Tagged VLAN Dynamic Routing Virtual MAC For RNAT, routing, and Transparent virtual server to work, ensure Source/Destination Check is disabled for all ENIs in the data path. For more information, see “Changing the Source/Destination Checking” in Elastic Network Interfaces: Elastic Network Interfaces. In a NetScaler ADC VPX deployment on AWS, in some AWS regions, the AWS infrastructure might not be able to resolve AWS API calls. This happens if the API calls are issued through a non-management interface on the NetScaler ADC VPX instance. As a workaround, restrict the API calls to the management interface only. To do that, create an NSVLAN on the VPX instance and bind the management interface to the NSVLAN by using the appropriate command. For example: set ns config -nsvlan <vlan id> -ifnum 1/1 -tagged NO save config Restart the VPX instance at the prompt. For more information about configuring nsvlan, see Configuring NSVLAN: Configuring NSVLAN. In the AWS console, the vCPU usage shown for a VPX instance under the Monitoring tab might be high (up to 100 percent), even when the actual usage is much lower. To see the actual vCPU usage, navigate to View all CloudWatch metrics. For more information, see: Monitor your Instances using Amazon CloudWatch. Alternately, if low latency and performance are not a concern, users may enable the CPU Yield feature allowing the packet engines to idle when there is no traffic. Visit Citrix Support Knowledge Center for more details about the CPU Yield feature and how to enable it. Technical RequirementsBefore users launch the Quick Start Guide to begin a deployment, the user account must be configured as specified in the following table. Otherwise, the deployment might fail. ResourcesIf necessary, sign in to the user amazon account and request service limit increases for the following resources here: AWS/Sign in. You might need to do this if you already have an existing deployment that uses these resources, and you think you might exceed the default limits with this deployment. For default limits, see the AWS Service Quotas in the AWS documentation: AWS Service Quotas. The AWS Trusted Advisor, found here: AWS/Sign in, offers a service limits check that displays usage and limits for some aspects of some services. ResourceThis deployment usesVPCs1Elastic IP addresses0/1(for Bastion host)IAM security groups3IAM roles1Subnets6(3/Availability zone)Internet Gateway1Route Tables5WAF VPX instances2Bastion host0/1NAT gateway2RegionsNetScaler WAF on AWS isn’t currently supported in all AWS Regions. For a current list of supported Regions, see AWS Service Endpoints in the AWS documentation: AWS Service Endpoints. For more information on AWS regions and why cloud infrastructure matters, see: Global Infrastructure. Key PairMake sure that at least one Amazon EC2 key pair exists in the user AWS account in the Region where users are planning to deploy using the Quick Start Guide. Make note of the key pair name. Users are prompted for this information during deployment. To create a key pair, follow the instructions for Amazon EC2 Key Pairs and Linux Instances in the AWS documentation: Amazon EC2 Key Pairs and Linux Instances. If users are deploying the Quick Start Guide for testing or proof-of-concept purposes, we recommend that they create a new key pair instead of specifying a key pair that’s already being used by a production instance. Continued from Part 2

NetScaler ADC VPX on AWS Deployment Guide Part 2Contributed By: Luis Ugarte and Beth PollackContinued from Part 1OverviewApplication Security ProtectionNetScaler ADMNetScaler Application Delivery Management Service (NetScaler ADM) provides a scalable solution to manage NetScaler ADC deployments that include NetScaler ADC MPX, NetScaler ADC VPX, NetScaler Gateway, NetScaler Secure Web Gateway, NetScaler ADC SDX, NetScaler ADC CPX, and NetScaler SD-WAN appliances that are deployed on-premises or on the cloud. NetScaler ADM Application Analytics and Management FeaturesThe following features are key to the ADM role in App Security. Application Analytics and ManagementThe Application Analytics and Management feature of NetScaler ADM strengthens the application-centric approach to help users address various application delivery challenges. This approach gives users visibility into the health scores of applications, helps users determine the security risks, and helps users detect anomalies in the application traffic flows and take corrective actions. The most important among these roles for App Security is Application Security Analytics: Application security analytics: Application Security Analytics. The App Security Dashboard provides a holistic view of the security status of user applications. For example, it shows key security metrics such as security violations, signature violations, threat indexes. The App Security dashboard also displays attack related information such as SYN attacks, small window attacks, and DNS flood attacks for the discovered NetScaler ADC instances.StyleBooksStyleBooks simplify the task of managing complex NetScaler ADC configurations for user applications. A StyleBook is a template that users can use to create and manage NetScaler ADC configurations. Here users are primarily concerned with the StyleBook used to deploy the Web Application Firewall. For more information on StyleBooks, see: StyleBooks. AnalyticsProvides an easy and scalable way to look into the various insights of the NetScaler ADC instances’ data to describe, predict, and improve application performance. Users can use one or more analytics features simultaneously. Most important among these roles for App Security are: Security Insight: Security Insight. Provides a single-pane solution to help users assess user application security status and take corrective actions to secure user applications. Bot Insight For more information on analytics, see Analytics: Analytics. Other features that are important to ADM functionality are: Event ManagementEvents represent occurrences of events or errors on a managed NetScaler ADC instance. For example, when there is a system failure or change in configuration, an event is generated and recorded on NetScaler ADM. Following are the related features that users can configure or view by using NetScaler ADM: Creating event rules: Create Event Rules View and export syslog messages: View and Export Syslog Messages For more information on event management, see: Events. Instance ManagementEnables users to manage the NetScaler ADC, NetScaler Gateway, NetScaler Secure Web Gateway, and NetScaler SD-WAN instances. For more information on instance management, see: Adding Instances. License ManagementAllows users to manage NetScaler ADC licenses by configuring NetScaler ADM as a license manager. NetScaler ADC pooled capacity: Pooled Capacity. A common license pool from which a user NetScaler ADC instance can check out one instance license and only as much bandwidth as it needs. When the instance no longer requires these resources, it checks them back in to the common pool, making the resources available to other instances that need them. NetScaler ADC VPX check-in and check-out licensing: NetScaler ADC VPX Check-in and Check-out Licensing. NetScaler ADM allocates licenses to NetScaler ADC VPX instances on demand. A NetScaler ADC VPX instance can check out the license from the NetScaler ADM when a NetScaler ADC VPX instance is provisioned, or check back in its license to NetScaler ADM when an instance is removed or destroyed. For more information on license management, see: Pooled Capacity. Configuration ManagementNetScaler ADM allows users to create configuration jobs that help them perform configuration tasks, such as creating entities, configuring features, replication of configuration changes, system upgrades, and other maintenance activities with ease on multiple instances. Configuration jobs and templates simplify the most repetitive administrative tasks to a single task on NetScaler ADM. For more information on configuration management, see Configuration jobs: Configuration Jobs. Configuration AuditEnables users to monitor and identify anomalies in the configurations across user instances. Configuration advice: Get Configuration Advice on Network Configuration. Allows users to identify any configuration anomaly. Audit template: Create Audit Templates. Allows users to monitor the changes across a specific configuration. For more information on configuration audit, see: Configuration Audit. Signatures provide the following deployment options to help users to optimize the protection of user applications: Negative Security Model: With the negative security model, users employ a rich set of preconfigured signature rules to apply the power of pattern matching to detect attacks and protect against application vulnerabilities. Users block only what they don’t want and allow the rest. Users can add their own signature rules, based on the specific security needs of user applications, to design their own customized security solutions. Hybrid security Model: In addition to using signatures, users can use positive security checks to create a configuration ideally suited for user applications. Use signatures to block what users don’t want, and use positive security checks to enforce what is allowed. To protect user applications by using signatures, users must configure one or more profiles to use their signatures object. In a hybrid security configuration, the SQL injection and cross-site scripting patterns, and the SQL transformation rules, in the user signatures object are used not only by the signature rules, but also by the positive security checks configured in the Web Application Firewall profile that is using the signatures object. The Web Application Firewall examines the traffic to user protected websites and web services to detect traffic that matches a signature. A match is triggered only when every pattern in the rule matches the traffic. When a match occurs, the specified actions for the rule are invoked. Users can display an error page or error object when a request is blocked. Log messages can help users to identify attacks being launched against user applications. If users enable statistics, the Web Application Firewall maintains data about requests that match a Web Application Firewall signature or security check. If the traffic matches both a signature and a positive security check, the more restrictive of the two actions are enforced. For example, if a request matches a signature rule for which the block action is disabled, but the request also matches an SQL Injection positive security check for which the action is block, the request is blocked. In this case, the signature violation might be logged as [not blocked], although the request is blocked by the SQL injection check. Customization: If necessary, users can add their own rules to a signatures object. Users can also customize the SQL/XSS patterns. The option to add their own signature rules, based on the specific security needs of user applications, gives users the flexibility to design their own customized security solutions. Users block only what they don’t want and allow the rest. A specific fast-match pattern in a specified location can significantly reduce processing overhead to optimize performance. Users can add, modify, or remove SQL injection and cross-site scripting patterns. Built-in RegEx and expression editors help users configure user patterns and verify their accuracy. Use CasesCompared to alternative solutions that require each service to be deployed as a separate virtual appliance, NetScaler ADC on AWS combines L4 load balancing, L7 traffic management, server offload, application acceleration, application security, flexible licensing, and other essential application delivery capabilities in a single VPX instance, conveniently available via the AWS Marketplace. Furthermore, everything is governed by a single policy framework and managed with the same, powerful set of tools used to administer on-premises NetScaler ADC deployments. The net result is that NetScaler ADC on AWS enables several compelling use cases that not only support the immediate needs of today’s enterprises, but also the ongoing evolution from legacy computing infrastructures to enterprise cloud data centers. NetScaler Web Application Firewall (WAF)NetScaler Web Application Firewall (WAF) is an enterprise grade solution offering state of the art protections for modern applications. NetScaler WAF mitigates threats against public-facing assets, including websites, web applications, and APIs. NetScaler WAF includes IP reputation-based filtering, Bot mitigation, OWASP Top 10 application threats protections, Layer 7 DDoS protection and more. Also included are options to enforce authentication, strong SSL/TLS ciphers, TLS 1.3, rate limiting and rewrite policies. Using both basic and advanced WAF protections, NetScaler WAF provides comprehensive protection for your applications with unparalleled ease of use. Getting up and running is a matter of minutes. Further, using an automated learning model, called dynamic profiling, NetScaler WAF saves users precious time. By automatically learning how a protected application works, NetScaler WAF adapts to the application even as developers deploy and alter the applications. NetScaler WAF helps with compliance for all major regulatory standards and bodies, including PCI-DSS, HIPAA, and more. With our CloudFormation templates, it has never been easier to get up and running quickly. With auto scaling, users can rest assured that their applications remain protected even as their traffic scales up. Web Application Firewall Deployment StrategyThe first step to deploying the web application firewall is to evaluate which applications or specific data need maximum security protection, which ones are less vulnerable, and the ones for which security inspection can safely be bypassed. This helps users in coming up with an optimal configuration, and in designing appropriate policies and bind points to segregate the traffic. For example, users might want to configure a policy to bypass security inspection of requests for static web content, such as images, MP3 files, and movies, and configure another policy to apply advanced security checks to requests for dynamic content. Users can use multiple policies and profiles to protect different contents of the same application. The next step is to baseline the deployment. Start by creating a virtual server and run test traffic through it to get an idea of the rate and amount of traffic flowing through the user system. Then, deploy the Web Application Firewall. Use NetScaler ADM and the Web Application Firewall StyleBook to configure the Web Application Firewall. See the StyleBook section below in this guide for details. After the Web Application Firewall is deployed and configured with the Web Application Firewall StyleBook, a useful next step would be to implement the NetScaler ADC WAF and OWASP Top 10. Finally, three of the Web Application Firewall protections are especially effective against common types of Web attacks, and are therefore more commonly used than any of the others. Thus, they should be implemented in the initial deployment. They are: HTML Cross-Site Scripting. Examines requests and responses for scripts that attempt to access or modify content on a different website than the one on which the script is located. When this check finds such a script, it either renders the script harmless before forwarding the request or response to its destination, or it blocks the connection. HTML SQL Injection. Examines requests that contain form field data for attempts to inject SQL commands into a SQL database. When this check detects injected SQL code, it either blocks the request or renders the injected SQL code harmless before forwarding the request to the Web server. Note: If both of the following conditions apply to the user configuration, users should make certain that your Web Application Firewall is correctly configured: If users enable the HTML Cross-Site Scripting check or the HTML SQL Injection check (or both), and User protected websites accept file uploads or contain Web forms that can contain large POST body data. For more information about configuring the Web Application Firewall to handle this case, see Configuring the Application Firewall: Configuring the Web App Firewall. Buffer Overflow. Examines requests to detect attempts to cause a buffer overflow on the Web server.Configuring the Web Application Firewall (WAF)The following steps assume that the WAF is already enabled and functioning correctly. NetScaler recommends that users configure WAF using the Web Application Firewall StyleBook. Most users find it the easiest method to configure the Web Application Firewall, and it is designed to prevent mistakes. Both the GUI and the command line interface are intended for experienced users, primarily to modify an existing configuration or use advanced options. SQL InjectionThe Application Firewall HTML SQL Injection check provides special defenses against the injection of unauthorized SQL code that might break user Application security. NetScaler Web Application Firewall examines the request payload for injected SQL code in three locations: 1) POST body, 2) headers, and 3) cookies. A default set of keywords and special characters provides known keywords and special characters that are commonly used to launch SQL attacks. Users can also add new patterns, and they can edit the default set to customize the SQL check inspection. There are several parameters that can be configured for SQL injection processing. Users can check for SQL wildcard characters. Users can change the SQL Injection type and select one of the 4 options (SQLKeyword, SQLSplChar, SQLSplCharANDKeyword, SQLSplCharORKeyword) to indicate how to evaluate the SQL keywords and SQL special characters when processing the payload. The SQL Comments Handling parameter gives users an option to specify the type of comments that need to be inspected or exempted during SQL Injection detection. Users can deploy relaxations to avoid false positives. The learning engine can provide recommendations for configuring relaxation rules. The following options are available for configuring an optimized SQL Injection protection for the user application: Block — If users enable block, the block action is triggered only if the input matches the SQL injection type specification. For example, if SQLSplCharANDKeyword is configured as the SQL injection type, a request is not blocked if it contains no key words, even if SQL special characters are detected in the input. Such a request is blocked if the SQL injection type is set to either SQLSplChar, or SQLSplCharORKeyword. Log — If users enable the log feature, the SQL Injection check generates log messages indicating the actions that it takes. If block is disabled, a separate log message is generated for each input field in which the SQL violation was detected. However, only one message is generated when the request is blocked. Similarly, 1 log message per request is generated for the transform operation, even when SQL special characters are transformed in multiple fields. Users can monitor the logs to determine whether responses to legitimate requests are getting blocked. A large increase in the number of log messages can indicate attempts to launch an attack. Stats — If enabled, the stats feature gathers statistics about violations and logs. An unexpected surge in the stats counter might indicate that the user application is under attack. If legitimate requests are getting blocked, users might have to revisit the configuration to see if they need to configure new relaxation rules or modify the existing ones. Learn — If users are not sure which SQL relaxation rules might be ideally suited for their applications, they can use the learn feature to generate recommendations based on the learned data. The Web Application Firewall learning engine monitors the traffic and provides SQL learning recommendations based on the observed values. To get optimal benefit without compromising performance, users might want to enable the learn option for a short time to get a representative sample of the rules, and then deploy the rules and disable learning. Transform SQL special characters—The Web Application Firewall considers three characters, Single straight quote (‘), Backslash (), and Semicolon (;) as special characters for SQL security check processing. The SQL Transformation feature modifies the SQL Injection code in an HTML request to ensure that the request is rendered harmless. The modified HTML request is then sent to the server. All default transformation rules are specified in the /netscaler/default_custom_settings.xml file. The transform operation renders the SQL code inactive by making the following changes to the request: Single straight quote (‘) to double straight quote (“). Backslash () to double backslash (). Semicolon (;) is dropped completely. These three characters (special strings) are necessary to issue commands to a SQL server. Unless a SQL command is prefaced with a special string, most SQL servers ignore that command. Therefore, the changes that the Web Application Firewall performs when transformation is enabled prevent an attacker from injecting active SQL. After these changes are made, the request can safely be forwarded to the user protected website. When web forms on the user protected website can legitimately contain SQL special strings, but the web forms do not rely on the special strings to operate correctly, users can disable blocking and enable transformation to prevent blocking of legitimate web form data without reducing the protection that the Web Application Firewall provides to the user protected websites. The transform operation works independently of the SQL Injection Type setting. If transform is enabled and the SQL Injection type is specified as a SQL keyword, SQL special characters are transformed even if the request does not contain any keywords. Tip: Users normally enable either transformation or blocking, but not both. If the block action is enabled, it takes precedence over the transform action. If users have blocking enabled, enabling transformation is redundant. Check for SQL Wildcard Characters—Wild card characters can be used to broaden the selections of a SQL (SQL-SELECT) statement. These wild card operators can be used with LIKE and NOT LIKE operators to compare a value to similar values. The percent (%), and underscore (_) characters are frequently used as wild cards. The percent sign is analogous to the asterisk (*) wildcard character used with MS-DOS and to match zero, one, or multiple characters in a field. The underscore is similar to the MS-DOS question mark (?) wildcard character. It matches a single number or character in an expression. For example, users can use the following query to do a string search to find all customers whose names contain the D character. SELECT * from customer WHERE name like “%D%”: The following example combines the operators to find any salary values that have 0 in the second and third place. SELECT * from customer WHERE salary like ‘_00%’: Different DBMS vendors have extended the wildcard characters by adding extra operators. The NetScaler Web Application Firewall can protect against attacks that are launched by injecting these wildcard characters. The 5 default Wildcard characters are percent (%), underscore (_), caret (^), opening bracket ([), and closing bracket (]). This protection applies to both HTML and XML profiles. The default wildcard chars are a list of literals specified in the *Default Signatures: <wildchar type=” LITERAL”>% <wildchar type=”LITERAL”]>_ <wildchar type=”LITERAL”>^ <wildchar type=”LITERAL”>[ <wildchar type=”LITERAL”>] Wildcard characters in an attack can be PCRE, like [^A-F]. The Web Application Firewall also supports PCRE wildcards, but the literal wildcard chars shown here are sufficient to block most attacks. Note: The SQL wildcard character check is different from the SQL special character check. This option must be used with caution to avoid false positives. Check Request Containing SQL Injection Type—The Web Application Firewall provides 4 options to implement the desired level of strictness for SQL Injection inspection, based on the individual need of the application. The request is checked against the injection type specification for detecting SQL violations. The 4 SQL injection type options are: SQL Special Character and Keyword—Both a SQL keyword and a SQL special character must be present in the input to trigger a SQL violation. This least restrictive setting is also the default setting. SQL Special Character—At least one of the special characters must be present in the input to trigger a SQL violation. SQL key word—At least one of the specified SQL keywords must be present in the input to trigger a SQL violation. Do not select this option without due consideration. To avoid false positives, make sure that none of the keywords are expected in the inputs. SQL Special Character or Keyword—Either the key word or the special character string must be present in the input to trigger the security check violation. Tip: If users configure the Web Application Firewall to check for inputs that contain a SQL special character, the Web Application Firewall skips web form fields that do not contain any special characters. Since most SQL servers do not process SQL commands that are not preceded by a special character, enabling this option can significantly reduce the load on the Web Application Firewall and speed up processing without placing the user protected websites at risk. SQL comments handling — By default, the Web Application Firewall checks all SQL comments for injected SQL commands. Many SQL servers ignore anything in a comment, however, even if preceded by an SQL special character. For faster processing, if your SQL server ignores comments, you can configure the Web Application Firewall to skip comments when examining requests for injected SQL. The SQL comments handling options are: ANSI — Skip ANSI-format SQL comments, which are normally used by UNIX-based SQL databases. For example: /– (Two Hyphens) - This is a comment that begins with two hyphens and ends with end of line. - Braces (Braces enclose the comment. The { precedes the comment, and the } follows it. Braces can delimit single- or multiple-line comments, but comments cannot be nested) /**/: C style comments (Does not allow nested comments). Please note /*! <comment that begins with a slash followed by an asterisk and an exclamation mark is not a comment > */ MySQL Server supports some variants of C-style comments. These enable users to write code that includes MySQL extensions, but is still portable, by using comments of the following form: [/*! MySQL-specific code */] .#: Mysql comments : This is a comment that begins with the # character and ends with an end of the line Nested — Skip nested SQL comments, which are normally used by Microsoft SQL Server. For example; – (Two Hyphens), and /**/ (Allows nested comments) ANSI/Nested — Skip comments that adhere to both the ANSI and nested SQL comment standards. Comments that match only the ANSI standard, or only the nested standard, are still checked for injected SQL. Check all Comments — Check the entire request for injected SQL without skipping anything. This is the default setting. Tip: In most cases, users should not choose the Nested or the ANSI/Nested option unless their back-end database runs on Microsoft SQL Server. Most other types of SQL server software do not recognize nested comments. If nested comments appear in a request directed to another type of SQL server, they might indicate an attempt to breach security on that server. Check Request headers — Enable this option if, in addition to examining the input in the form fields, users want to examine the request headers for HTML SQL Injection attacks. If users use the GUI, they can enable this parameter in the Advanced Settings -> Profile Settings pane of the Web Application Firewall profile. Note: If users enable the Check Request header flag, they might have to configure a relaxation rule for the User-Agent header. Presence of the SQL keyword like and a SQL special character semi-colon (;) might trigger false positive and block requests that contain this header. Warning: If users enable both request header checking and transformation, any SQL special characters found in headers are also transformed. The Accept, Accept-Charset, Accept-Encoding, Accept-Language, Expect, and User-Agent headers normally contain semicolons (;). Enabling both Request header checking and transformation simultaneously might cause errors. InspectQueryContentTypes — Configure this option if users want to examine the request query portion for SQL Injection attacks for the specific content-types. If users use the GUI, they can configure this parameter in the Advanced Settings -> Profile Settings pane of the Application Firewall profile. Cross-Site ScriptingThe HTML Cross-Site Scripting (cross-site scripting) check examines both the headers and the POST bodies of user requests for possible cross-site scripting attacks. If it finds a cross-site script, it either modifies (transforms) the request to render the attack harmless, or blocks the request. Note: The HTML Cross-Site Scripting (cross-site scripting) check works only for content type, content length, and so forth. It does not work for cookie. Also ensure to have the ‘checkRequestHeaders’ option enabled in the user Web Application Firewall profile. To prevent misuse of the scripts on user protected websites to breach security on user websites, the HTML Cross-Site Scripting check blocks scripts that violate the same origin rule, which states that scripts should not access or modify content on any server but the server on which they are located. Any script that violates the same origin rule is called a cross-site script, and the practice of using scripts to access or modify content on another server is called cross-site scripting. The reason cross-site scripting is a security issue is that a web server that allows cross-site scripting can be attacked with a script that is not on that web server, but on a different web server, such as one owned and controlled by the attacker. Unfortunately, many companies have a large installed base of JavaScript-enhanced web content that violates the same origin rule. If users enable the HTML Cross-Site Scripting check on such a site, they have to generate the appropriate exceptions so that the check does not block legitimate activity. The Web Application Firewall offers various action options for implementing HTML Cross-Site Scripting protection. In addition to the Block, Log, Stats and Learn actions, users also have the option to Transform cross-site scripts to render an attack harmless by entity encoding the script tags in the submitted request. Users can configure Check complete URLs for the cross-site scripting parameter to specify if they want to inspect not just the query parameters but the entire URL to detect a cross-site scripting attack. Users can configure the InspectQueryContentTypes parameter to inspect the request query portion for a cross-site scripting attack for the specific content-types. Users can deploy relaxations to avoid false positives. The Web Application Firewall learning engine can provide recommendations for configuring relaxation rules. The following options are available for configuring an optimized HTML Cross-Site Scripting protection for the user application: Block — If users enable block, the block action is triggered if the cross-site scripting tags are detected in the request. Log — If users enable the log feature, the HTML Cross-Site Scripting check generates log messages indicating the actions that it takes. If block is disabled, a separate log message is generated for each header or form field in which the cross-site scripting violation was detected. However, only one message is generated when the request is blocked. Similarly, 1 log message per request is generated for the transform operation, even when cross-site scripting tags are transformed in multiple fields. Users can monitor the logs to determine whether responses to legitimate requests are getting blocked. A large increase in the number of log messages can indicate attempts to launch an attack. Stats — If enabled, the stats feature gathers statistics about violations and logs. An unexpected surge in the stats counter might indicate that the user application is under attack. If legitimate requests are getting blocked, users might have to revisit the configuration to see if they must configure new relaxation rules or modify the existing ones. Learn — If users are not sure which relaxation rules might be ideally suited for their application, they can use the learn feature to generate HTML Cross-Site Scripting rule recommendations based on the learned data. The Web Application Firewall learning engine monitors the traffic and provides learning recommendations based on the observed values. To get optimal benefit without compromising performance, users might want to enable the learn option for a short time to get a representative sample of the rules, and then deploy the rules and disable learning. Transform cross-site scripts — If enabled, the Web Application Firewall makes the following changes to requests that match the HTML Cross-Site Scripting check: Left angle bracket (<) to HTML character entity equivalent (<) Right angle bracket (>) to HTML character entity equivalent (>) This ensures that browsers do not interpret unsafe html tags, such as <script>, and thereby run malicious code. If users enable both request-header checking and transformation, any special characters found in request headers are also modified as described above. If scripts on the user protected website contain cross-site scripting features, but the user website does not rely upon those scripts to operate correctly, users can safely disable blocking and enable transformation. This configuration ensures that no legitimate web traffic is blocked, while stopping any potential cross-site scripting attacks. Check complete URLs for cross-site scripting — If checking of complete URLs is enabled, the Web Application Firewall examines entire URLs for HTML cross-site scripting attacks instead of checking just the query portions of URLs. Check Request headers — If Request header checking is enabled, the Web Application Firewall examines the headers of requests for HTML cross-site scripting attacks, instead of just URLs. If users use the GUI, they can enable this parameter in the Settings tab of the Web Application Firewall profile. InspectQueryContentTypes — If Request query inspection is configured, the Application Firewall examines the query of requests for cross-site scripting attacks for the specific content-types. If users use the GUI, they can configure this parameter in the Settings tab of the Application Firewall profile. Important: As part of the streaming changes, the Web Application Firewall processing of the cross-site scripting tags has changed. In earlier releases, the presence of either open bracket (<), or close bracket (>), or both open and close brackets (<>) was flagged as a cross-site scripting Violation. The behavior has changed in the builds that include support for request side streaming. Only the close bracket character (>) is no longer considered as an attack. Requests are blocked even when an open bracket character (<) is present, and is considered as an attack. The Cross-site scripting attack gets flagged. Buffer Overflow CheckThe Buffer Overflow check detects attempts to cause a buffer overflow on the web server. If the Web Application Firewall detects that the URL, cookies, or header are longer than the configured length, it blocks the request because it can cause a buffer overflow. The Buffer Overflow check prevents attacks against insecure operating-system or web-server software that can crash or behave unpredictably when it receives a data string that is larger than it can handle. Proper programming techniques prevent buffer overflows by checking incoming data and either rejecting or truncating overlong strings. Many programs, however, do not check all incoming data and are therefore vulnerable to buffer overflows. This issue especially affects older versions of web-server software and operating systems, many of which are still in use. The Buffer Overflow security check allows users to configure the Block, Log, and Stats actions. In addition, users can also configure the following parameters: Maximum URL Length. The maximum length the Web Application Firewall allows in a requested URL. Requests with longer URLs are blocked. Possible Values: 0–65535. Default: 1024 Maximum Cookie Length. The maximum length the Web Application Firewall allows for all cookies in a request. Requests with longer cookies trigger the violations. Possible Values: 0–65535. Default: 4096 Maximum Header Length. The maximum length the Web Application Firewall allows for HTTP headers. Requests with longer headers are blocked. Possible Values: 0–65535. Default: 4096 Query string length. Maximum length allowed for a query string in an incoming request. Requests with longer queries are blocked. Possible Values: 0–65535. Default: 1024 Total request length. Maximum request length allowed for an incoming request. Requests with a longer length are blocked. Possible Values: 0–65535. Default: 24820 Virtual Patching/SignaturesThe signatures provide specific, configurable rules to simplify the task of protecting user websites against known attacks. A signature represents a pattern that is a component of a known attack on an operating system, web server, website, XML-based web service, or other resource. A rich set of preconfigured built-in or native rules offers an easy to use security solution, applying the power of pattern matching to detect attacks and protect against application vulnerabilities. Users can create their own signatures or use signatures in the built-in templates. The Web Application Firewall has two built-in templates: Default Signatures: This template contains a preconfigured list of over 1,300 signatures, in addition to a complete list of SQL injection keywords, SQL special strings, SQL transform rules, and SQL wildcard characters. It also contains denied patterns for cross-site scripting, and allowed attributes and tags for cross-site scripting. This is a read-only template. Users can view the contents, but they cannot add, edit, or delete anything in this template. To use it, users must make a copy. In their own copy, users can enable the signature rules that they want to apply to their traffic, and specify the actions to be taken when the signature rules match the traffic.The signatures are derived from the rules published by SNORT: SNORT, which is an open source intrusion prevention system capable of performing real-time traffic analysis to detect various attacks and probes. *Xpath Injection Patterns: This template contains a preconfigured set of literal and PCRE keywords and special strings that are used to detect XPath (XML Path Language) injection attacks.Blank Signatures: In addition to making a copy of the built-in Default Signatures template, users can use a blank signatures template to create a signature object. The signature object that users create with the blank signatures option does not have any native signature rules, but, just like the *Default template, it has all the SQL/XSS built-in entities. External-Format Signatures: The Web Application Firewall also supports external format signatures. Users can import the third-party scan report by using the XSLT files that are supported by the NetScaler Web Application Firewall. A set of built-in XSLT files is available for selected scan tools to translate external format files to native format (see the list of built-in XSLT files later in this section). While signatures help users to reduce the risk of exposed vulnerabilities and protect the user mission critical Web Servers while aiming for efficacy, Signatures do come at a Cost of additional CPU Processing. It is important to choose the right Signatures for user Application needs. Enable only the signatures that are relevant to the Customer Application/environment. NetScaler offers signatures in more than 10 different categories across platforms/OS/Technologies. These signatures files are hosted on the AWS Environment and it is important to allow outbound access to NetScaler IPs from Network Firewalls to fetch the latest signature files. There is no effect of updating signatures to the ADC while processing Real Time Traffic Application Security AnalyticsThe Application Security Dashboard provides a holistic view of the security status of user applications. For example, it shows key security metrics such as security violations, signature violations, and threat indexes. Application Security dashboard also displays attack related information such as syn attacks, small window attacks, and DNS flood attacks for the discovered NetScaler ADC instances. Note: To view the metrics of the Application Security Dashboard, AppFlow for Security insight should be enabled on the NetScaler ADC instances that users want to monitor. To view the security metrics of a NetScaler ADC instance on the application security dashboard Log on to NetScaler ADM using the administrator credentials. Navigate to Applications > App Security Dashboard, and select the instance IP address from the Devices list. Users can further drill down on the discrepancies reported on the Application Security Investigator by clicking the bubbles plotted on the graph. Centralized Learning on ADMNetScaler Web Application Firewall (WAF) protects user web applications from malicious attacks such as SQL injection and cross-site scripting (XSS). To prevent data breaches and provide the right security protection, users must monitor their traffic for threats and real-time actionable data on attacks. Sometimes, the attacks reported might be false-positives and those need to be provided as an exception. The Centralized Learning on NetScaler ADM is a repetitive pattern filter that enables WAF to learn the behavior (the normal activities) of user web applications. Based on monitoring, the engine generates a list of suggested rules or exceptions for each security check applied on the HTTP traffic. It is much easier to deploy relaxation rules using the Learning engine than to manually deploy it as necessary relaxations. To deploy the learning feature, users must first configure a Web Application Firewall profile (set of security settings) on the user NetScaler ADC appliance. For more information, see Creating Web Application Firewall profiles: Creating Web App Firewall Profiles. NetScaler ADM generates a list of exceptions (relaxations) for each security check. As an administrator, users can review the list of exceptions in NetScaler ADM and decide to deploy or skip. Using the WAF learning feature in NetScaler ADM, users can: Configure a learning profile with the following security checks Buffer Overflow HTML Cross-Site Scripting Note: The cross-site script limitation of location is only FormField. HTML SQL Injection Note: For the HTML SQL Injection check, users must configure set -sqlinjectionTransformSpecialChars to ON and set -sqlinjectiontype sqlspclcharorkeywords in the NetScaler ADC instance. Check the relaxation rules in NetScaler ADM and decide to take necessary action (deploy or skip) Get the notifications through email, slack, and ServiceNow Use the dashboard to view relaxation details To use the WAF learning in NetScaler ADM: Configure the learning profile: Configure the Learning Profile See the relaxation rules: View Relaxation Rules and Idle Rules Use the WAF learning dashboard: View WAF Learning Dashboard StyleBookNetScaler Web Application Firewall is a Web Application Firewall (WAF) that protects web applications and sites from both known and unknown attacks, including all application-layer and zero-day threats. NetScaler ADM now provides a default StyleBook with which users can more conveniently create an application firewall configuration on NetScaler ADC instances. Deploying Application Firewall ConfigurationsThe following task assists you in deploying a load balancing configuration along with the application firewall and IP reputation policy on NetScaler ADC instances in your business network. To Create an LB Configuration with Application Firewall SettingsIn NetScaler ADM, navigate to Applications > Configurations > StyleBooks. The StyleBooks page displays all the StyleBooks available for customer use in NetScaler ADM. Scroll down and find HTTP/SSL Load Balancing StyleBook with application firewall policy and IP reputation policy. Users can also search for the StyleBook by typing the name as lb-appfw. Click Create Configuration.The StyleBook opens as a user interface page on which users can enter the values for all the parameters defined in this StyleBook. Enter values for the following parameters: Load Balanced Application Name. Name of the load balanced configuration with an application firewall to deploy in the user network. Load balanced App Virtual IP address. Virtual IP address at which the NetScaler ADC instance receives client requests. Load Balanced App Virtual Port. The TCP Port to be used by the users in accessing the load balanced application. Load Balanced App Protocol. Select the front-end protocol from the list. Application Server Protocol. Select the protocol of the application server. Optionally, users can also set up an authentication server for authenticating traffic for the load balancing virtual server. Users can also create FQDN names for application servers. Users can also create monitors in the target NetScaler ADC instance. Optionally, users can configure detailed application firewall profile settings by enabling the application firewall Profile Settings check box. Optionally, if users want to configure application firewall signatures, enter the name of the signature object that is created on the NetScaler ADC instance where the virtual server is to be deployed. Note: Users cannot create signature objects by using this StyleBook. Next, users can also configure any other application firewall profile settings such as, StartURL settings, DenyURL settings and others. Tip: NetScaler recommends that users select Dry Run to check the configuration objects that must be created on the target instance before they run the actual configuration on the instance. When the configuration is successfully created, the StyleBook creates the required load balancing virtual server, application server, services, service groups, application firewall labels, application firewall policies, and binds them to the load balancing virtual server. The following figure shows the objects created in each server: Security Insight AnalyticsWeb and web service applications that are exposed to the Internet have become increasingly vulnerable to attacks. To protect applications from attack, users need visibility into the nature and extent of past, present, and impending threats, real-time actionable data on attacks, and recommendations on countermeasures. Security Insight provides a single-pane solution to help users assess user application security status and take corrective actions to secure user applications. How Security Insight WorksSecurity Insight is an intuitive dashboard-based security analytics solution that gives users full visibility into the threat environment associated with user applications. Security insight is included in NetScaler ADM, and it periodically generates reports based on the user Application Firewall and ADC system security configurations. The reports include the following information for each application: Threat index. A single-digit rating system that indicates the criticality of attacks on the application, regardless of whether the application is protected by an ADC appliance. The more critical the attacks on an application, the higher the threat index for that application. Values range from 1 through 7.The threat index is based on attack information. The attack-related information, such as violation type, attack category, location, and client details, gives users insight into the attacks on the application. Violation information is sent to NetScaler ADM only when a violation or attack occurs. Many breaches and vulnerabilities lead to a high threat index value. Safety index. A single-digit rating system that indicates how securely users have configured the ADC instances to protect applications from external threats and vulnerabilities. The lower the security risks for an application, the higher the safety index. Values range from 1 through 7.The safety index considers both the application firewall configuration and the ADC system security configuration. For a high safety index value, both configurations must be strong. For example, if rigorous application firewall checks are in place but ADC system security measures, such as a strong password for the nsroot user, have not been adopted, applications are assigned a low safety index value. Actionable Information. Information that users need for lowering the threat index and increasing the safety index, which significantly improves application security. For example, users can review information about violations, existing and missing security configurations for the application firewall and other security features, the rate at which the applications are being attacked, and so on.Configuring Security Insight Note: Security Insight is supported on ADC instances with Premium license or ADC Advanced with AppFirewall license only. To configure security insight on an ADC instance, first configure an application firewall profile and an application firewall policy, and then bind the application firewall policy globally. Then, enable the AppFlow feature, configure an AppFlow collector, action, and policy, and bind the policy globally. When users configure the collector, they must specify the IP address of the NetScaler ADM service agent on which they want to monitor the reports. Configure Security Insight on an ADC InstanceRun the following commands to configure an application firewall profile and policy, and bind the application firewall policy globally or to the load balancing virtual server.add appfw profile <name> [-defaults ( basic or advanced )] set appfw profile <name> [-startURLAction <startURLAction> ...] add appfw policy <name> <rule> <profileName> bind appfw global <policyName> <priority> or, bind lb vserver <lb vserver> -policyName <policy> -priority <priority> Sample: add appfw profile pr_appfw -defaults advancedset appfw profile pr_appfw -startURLaction log stats learnadd appfw policy pr_appfw_pol "HTTP.REQ.HEADER("Host").EXISTS" pr_appfwbind appfw global pr_appfw_pol 1or,bind lb vserver outlook –policyName pr_appfw_pol –priority "20" Run the following commands to enable the AppFlow feature, configure an AppFlow collector, action, and policy, and bind the policy globally or to the load balancing virtual server:add appflow collector <name> -IPAddress <ipaddress> set appflow param [-SecurityInsightRecordInterval <secs>] [-SecurityInsightTraffic ( ENABLED or DISABLED )] add appflow action <name> -collectors <string> add appflow policy <name> <rule> <action> bind appflow global <policyName> <priority> [<gotoPriorityExpression>] [-type <type>] or, bind lb vserver <vserver> -policyName <policy> -priority <priority> Sample: add appflow collector col -IPAddress 10.102.63.85set appflow param -SecurityInsightRecordInterval 600 -SecurityInsightTraffic ENABLEDadd appflow action act1 -collectors coladd appflow action af_action_Sap_10.102.63.85 -collectors coladd appflow policy pol1 true act1add appflow policy af_policy_Sap_10.102.63.85 true af_action_Sap_10.102.63.85bind appflow global pol1 1 END -type REQ_DEFAULTor,bind lb vserver Sap –policyName af_action_Sap_10.102.63.85 –priority "20" Enable Security Insight from NetScaler ADM Navigate to Networks > Instances > NetScaler ADC and select the instance type. For example, VPX. Select the instance and from the Select Action list, select Configure Analytics. On the Configure Analytics on virtual server window: Select the virtual servers that you want to enable security insight and click Enable Analytics. The Enable Analytics window is displayed. Select Security Insight Under Advanced Options, select Logstream or IPFIX as the Transport Mode The Expression is true by default Click OK Note: When users create a group, they can assign roles to the group, provide application-level access to the group, and assign users to the group. NetScaler ADM analytics now supports virtual IP address-based authorization. Customer users can now see reports for all Insights for only the applications (virtual servers) for which they are authorized. For more information on groups and assigning users to the group, see Configure Groups on NetScaler ADM: Configure Groups on NetScaler ADM. ThresholdsUsers can set and view thresholds on the safety index and threat index of applications in Security Insight. To set a threshold Navigate to System > Analytics Settings > Thresholds, and select Add. Select the traffic type as Security in the Traffic Type field, and enter required information in the other appropriate fields such as Name, Duration, and entity. In the Rule section, use the Metric, Comparator, and Value fields to set a threshold. For example, “Threat Index” “>” “5” Click Create. To view the threshold breaches Navigate to Analytics > Security Insight > Devices, and select the ADC instance. In the Application section, users can view the number of threshold breaches that have occurred for each virtual server in the Threshold Breach column. Security Insight Use CaseThe following use cases describe how users can use security insight to assess the threat exposure of applications and improve security measures. Obtain an Overview of the Threat EnvironmentIn this use case, users have a set of applications that are exposed to attacks, and they have configured NetScaler ADM to monitor the threat environment. Users need to frequently review the threat index, safety index, and the type and severity of any attacks that the applications might have experienced, so that they can focus first on the applications that need the most attention. The security insight dashboard provides a summary of the threats experienced by the user applications over a time period of user choosing, and for a selected ADC device. It displays the list of applications, their threat and safety indexes, and the total number of attacks for the chosen time period. For example, users might be monitoring Microsoft Outlook, Microsoft Lync, SharePoint, and an SAP application, and users might want to review a summary of the threat environment for these applications. To obtain a summary of the threat environment, log on to NetScaler ADM, and then navigate to Analytics > Security Insight. Key information is displayed for each application. The default time period is 1 hour. To view a summary for a different ADC instance, under Devices, click the IP address of the ADC instance. To sort the application list by a given column, click the column header. Determine the Threat Exposure of an ApplicationAfter reviewing a summary of the threat environment on the Security Insight dashboard to identify the applications that have a high threat index and a low safety index, users want to determine their threat exposure before deciding how to secure them. That is, users want to determine the type and severity of the attacks that have degraded their index values. Users can determine the threat exposure of an application by reviewing the application summary. In this example, Microsoft Outlook has a threat index value of 6, and users want to know what factors are contributing to this high threat index. To determine the threat exposure of Microsoft Outlook, on the Security Insight dashboard, click Outlook. The application summary includes a map that identifies the geographic location of the server. Click Signature Violations and review the violation information that appears. In the previous use case, users reviewed the threat exposure of Microsoft Outlook, which has a threat index value of 6. Now, users want to know what security configurations are in place for Outlook and what configurations can be added to improve its threat index. On the Security Insight dashboard, click Outlook, and then click the Safety Index tab. Review the information provided in the Safety Index Summary area. Review the configuration status of each protection type in the application firewall summary table. To sort the table on a column, click the column header. Determine the Number of Attacks in a Given Period of TimeUsers might want to determine how many attacks occurred on a given application at a given point in time, or they might want to study the attack rate for a specific time period. On the Security Insight page, click any application and in the Application Summary, click the number of violations. The Total Violations page displays the attacks in a graphical manner for one hour, one day, one week, and one month. While users can always view the time of attack in an hourly report as seen in the image, now they can view the attack time range for aggregated reports even for daily or weekly reports. If users select “1 Day” from the time-period list, the Security Insight report displays all attacks that are aggregated and the attack time is displayed in a one-hour range. If users choose “1 Week” or “1 Month,” all attacks are aggregated and the attack time is displayed in a one-day range. For information about the resources that were requested, review the URL column. For information about the sources of the attacks, review the Client IP column. View Log Expression DetailsNetScaler ADC instances use log expressions configured with the Application Firewall profile to take action for the attacks on an application in the user enterprise. In Security Insight, users can view the values returned for the log expressions used by the ADC instance. These values include, request header, request body and so on. In addition to the log expression values, users can also view the log expression name and the comment for the log expression defined in the Application Firewall profile that the ADC instance used to take action for the attack. PrerequisitesEnsure that users: Configure log expressions in the Application Firewall profile. For more information, see Application Firewall. Enable log expression-based Security Insights settings in NetScaler ADM. Do the following: Navigate to Analytics > Settings, and click Enable Features for Analytics. In the Enable Features for Analytics page, select Enable Security Insight under the Log Expression Based Security Insight Setting section and click OK. Determine the Safety Index before Deploying the Configuration Security breaches occur after users deploy the security configuration on an ADC instance, but users might want to assess the effectiveness of the security configuration before they deploy it. For example, users might want to assess the safety index of the configuration for the SAP application on the ADC instance with IP address 10.102.60.27. On the Security Insight dashboard, under Devices, click the IP address of the ADC instance that users configured. Users can see that both the threat index and the total number of attacks are 0. The threat index is a direct reflection of the number and type of attacks on the application. Zero attacks indicate that the application is not under any threat. In the application firewall summary, users can view the configuration status of different protection settings. If a setting is set to log or if a setting is not configured, the application is assigned a lower safety index.

NetScaler ADC VPX on AWS Deployment Guide Part 1 Contributed By: Luis Ugarte and Beth Pollack Continued in Part 2 Overview NetScaler ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications regardless of where they are hosted. It comes in a wide variety of form factors and deployment options without locking users into a single configuration or cloud. Pooled capacity licensing enables the movement of capacity among cloud deployments. As an undisputed leader of service and application delivery, NetScaler ADC is deployed in thousands of networks around the world to optimize, secure, and control the delivery of all enterprise and cloud services. Deployed directly in front of web and database servers, NetScaler ADC combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility, and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. NetScaler ADC allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required. NetScaler ADC VPX The NetScaler ADC VPX product is a virtual appliance that can be hosted on a wide variety of virtualization and cloud platforms. This deployment guide focuses on NetScaler ADC VPX on Amazon Web Services. Amazon Web Services Amazon Web Services (AWS) is a comprehensive, evolving cloud computing platform provided by Amazon that includes a mixture of infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS) offerings. AWS services offer tools such as compute power, database storage, and content delivery services. AWS offers the following essential services: AWS Compute Services Migration Services Storage Database Services Management Tools Security Services Analytics Networking Messaging Developer Tools Mobile Services AWS Terminology Here is a brief description of key terms used in this document that users must be familiar with: Elastic Network Interface (ENI) – A virtual network interface that users can attach to an instance in a Virtual Private Cloud (VPC). Elastic IP (EIP) address – A static, public IPv4 address that users have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with user accounts, not a specific instance. They are elastic because users can easily allocate, attach, detach, and free them as their needs change. Subnet – A segment of the IP address range of a VPC with which EC2 instances can be attached. Users can create subnets to group instances according to security and operational needs. Virtual Private Cloud (VPC) – A web service for provisioning a logically isolated section of the AWS cloud where users can launch AWS resources in a virtual network that they define. Here is a brief description of other terms used in this document that users should be familiar with: Amazon Machine Image (AMI) – A machine image, which provides the information required to launch an instance, which is a virtual server in the cloud. Elastic Block Store – Provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. Simple Storage Service (S3) – Storage for the Internet. It is designed to make web-scale computing easier for developers. Elastic Compute Cloud (EC2) – A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers. Elastic Kubernetes Service (EKS) – Amazon EKS is a managed service that makes it easy for users to run Kubernetes on AWS without needing to stand up or maintain their own Kubernetes control plane. ... Amazon EKS runs Kubernetes control plane instances across multiple Availability Zones to ensure high availability. Amazon EKS is a managed service that makes it easy for users to run Kubernetes on AWS without needing to install and operate their own Kubernetes clusters. Application Load Balancing (ALB) – Amazon ALB operates at layer 7 of the OSI stack so it's employed when users want to route or select traffic based on elements of the HTTP or HTTPS connection, whether host-based or path-based. The ALB connection is context-aware and can have direct requests based on any single variable. Applications are load balanced based on their peculiar behavior not solely on server (operating system or virtualization layer) information. Elastic Load Balancing (ALB/ELB/NLB) – Amazon ELB Distributes incoming application traffic across multiple EC2 instances, in multiple Availability Zones. This increases the fault tolerance of user applications. Network Load Balancing (NLB) – Amazon NLB operates at layer 4 of the OSI stack and below and is not designed to consider anything at the application layer such as content type, cookie data, custom headers, user location, or application behavior. It is context-less, caring only about the network-layer information contained within the packets it is directing. It distributes traffic based on network variables such as IP address and destination ports. Instance type – Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give users the flexibility to choose the appropriate mix of resources for their applications. Identity and Access Management (IAM) – An AWS identity with permission policies that determine what the identity can and cannot do in AWS. Users can use an IAM role to enable applications running on an EC2 instance to securely access their AWS resources. IAM role is required for deploying VPX instances in a high-availability setup. Internet Gateway – Connects a network to the Internet. Users can route traffic for IP addresses outside their VPC to the Internet gateway. Key pair – A set of security credentials with which users prove their identity electronically. A key pair consists of a private key and a public key. Route table – A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. Users can associate multiple subnets with a single route table, but a subnet can be associated with only one route table at a time. Auto Scale Groups – A web service to launch or terminate Amazon EC2 instances automatically based on user-defined policies, schedules, and health checks. CloudFormation – A service for writing or changing templates that creates and deletes related AWS resources together as a unit. Web Application Firewall (WAF) – WAF is defined as a security solution protecting the web application layer in the OSI network model. A WAF does not depend on the application it is protecting. This document focuses on the exposition and evaluation of the security methods and functions provided specifically by NetScaler WAF. Bot – Bot is defined as an autonomous device, program, or piece of software on a network (especially the internet) that can interact with computer systems or users to run commands, reply to messages, or perform routine tasks. A bot is a software program on the internet that performs repetitive tasks. Some bots can be good, while others can have a huge negative impact on a website or application. Sample NetScaler WAF on AWS Architecture The preceding image shows a virtual private cloud (VPC) with default parameters that builds a NetScaler WAF environment in the AWS Cloud. In a production deployment, the following parameters are set up for the NetScaler WAF environment: This architecture assumes the use of an AWS CloudFormation Template and an AWS Quick Start Guide, which can be found here: GitHub/AWS-Quickstart/Quickstart-NetScaler-ADC-VPX . A VPC that spans two Availability Zones, configured with two public and four private subnets, according to AWS best practices, to provide you with your own virtual network on AWS with a /16 Classless Inter-Domain Routing (CIDR) block (a network with 65,536 private IP addresses). * Two instances of NetScaler WAF (Primary and Secondary), one in each Availability Zone. Three security groups, one for each network interface (Management, Client, Server), that acts as virtual firewalls to control the traffic for their associated instances. Three subnets, for each instance- one for management, one for client, and one for back-end server. An internet gateway attached to the VPC, and a Public Subnets route table which is associated with public subnets so as to allow access to the internet. This gateway is used by the WAF host to send and receive traffic. For more information on Internet Gateways, see: Internet Gateways. * 5 Route tables-one public route table associated with client subnets of both primary and secondary WAF. The remaining 4 route tables link to each of the 4 private subnets (management and server-side subnets of primary and secondary WAF). * AWS Lambda in WAF takes care of the following: Configuring two WAF in each availability zone of HA mode Creating a sample WAF Profile and thus pushing this configuration with respect to WAF AWS Identity and Access Management (IAM) to securely control access to AWS services and resources for your users. By default, the CloudFormation Template (CFT) creates the required IAM role. However, users can provide their own IAM role for NetScaler ADC instances. In the public subnets, two managed Network Address Translation (NAT) gateways to allow outbound internet access for resources in public subnets. Note: The CFT WAF template that deploys the NetScaler WAF into an existing VPC skips the components marked by asterisks and prompts users for their existing VPC configuration. Backend servers are not deployed by the CFT. Logical Flow of NetScaler WAF on AWS Logical Flow The Web Application Firewall can be installed as either a Layer 3 network device or a Layer 2 network bridge between customer servers and customer users, usually behind the customer company’s router or firewall. It must be installed in a location where it can intercept traffic between the web servers that users want to protect and the hub or switch through which users access those web servers. Users then configure the network to send requests to the Web Application Firewall instead of directly to their web servers, and responses to the Web Application Firewall instead of directly to their users. The Web Application Firewall filters that traffic before forwarding it to its final destination, using both its internal rule set and the user additions and modifications. It blocks or renders harmless any activity that it detects as harmful, and then forwards the remaining traffic to the web server. The preceding image provides an overview of the filtering process. Note: The diagram omits the application of a policy to incoming traffic. It illustrates a security configuration in which the policy is to process all requests. Also, in this configuration, a signatures object has been configured and associated with the profile, and security checks have been configured in the profile. As the diagram shows, when a user requests a URL on a protected website, the Web Application Firewall first examines the request to ensure that it does not match a signature. If the request matches a signature, the Web Application Firewall either displays the error object (a webpage that is located on the Web Application Firewall appliance and which users can configure by using the imports feature) or forwards the request to the designated error URL (the error page). If a request passes signature inspection, the Web Application Firewall applies the request security checks that have been enabled. The request security checks verify that the request is appropriate for the user website or web service and does not contain material that might pose a threat. For example, security checks examine the request for signs indicating that it might be of an unexpected type, request unexpected content, or contain unexpected and possibly malicious web form data, SQL commands, or scripts. If the request fails a security check, the Web Application Firewall either sanitizes the request and then sends it back to the NetScaler ADC appliance (or NetScaler ADC virtual appliance), or displays the error object. If the request passes the security checks, it is sent back to the NetScaler ADC appliance, which completes any other processing and forwards the request to the protected web server. When the website or web service sends a response to the user, the Web Application Firewall applies the response security checks that have been enabled. The response security checks examine the response for leaks of sensitive private information, signs of website defacement, or other content that should not be present. If the response fails a security check, the Web Application Firewall either removes the content that should not be present or blocks the response. If the response passes the security checks, it is sent back to the NetScaler ADC appliance, which forwards it to the user. Cost and Licensing Users are responsible for the cost of the AWS services used while running AWS deployments. The AWS CloudFormation templates that can be used for this deployment include configuration parameters that users can customize as necessary. Some of those settings, such as instance type, affect the cost of deployment. For cost estimates, users should refer to the pricing pages for each AWS service they are using. Prices are subject to change. A NetScaler ADC WAF on AWS requires a license. To license NetScaler WAF, users must place the license key in an S3 bucket and specify its location when they launch the deployment. Note: When users elect the Bring your own license (BYOL) licensing model, they should ensure that they have an AppFlow feature enabled. For more information on BYOL licensing, see: AWS Marketplace/NetScaler ADC VPX - Customer Licensed . The following licensing options are available for NetScaler ADC WAF running on AWS. Users can choose an AMI (Amazon Machine Image) based on a single factor such as throughput. License model: Pay as You Go (PAYG, for the production licenses) or Bring Your Own License (BYOL, for the Customer Licensed AMI - NetScaler ADC Pooled Capacity). For more information on NetScaler ADC Pooled Capacity, see: NetScaler ADC Pooled Capacity. For BYOL, there are 3 licensing modes: Configure NetScaler ADC Pooled Capacity: Configure NetScaler ADC Pooled Capacity NetScaler ADC VPX Check-in and Check-out Licensing (CICO): NetScaler ADC VPX Check-in and Check-out Licensing Tip: If users elect CICO Licensing with VPX-200, VPX-1000, VPX-3000, VPX-5000, or VPX-8000 application platform type, they should ensure that they have the same throughput license present in their ADM licensing server. NetScaler ADC virtual CPU Licensing: NetScaler ADC virtual CPU Licensing Note: If users want to dynamically modify the bandwidth of a VPX instance, they should elect a BYOL option, for example NetScaler ADC pooled capacity where they can allocate the licenses from NetScaler ADM, or they can check out the licenses from NetScaler ADC instances according to the minimum and maximum capacity of the instance on demand and without a restart. A restart is required only if users want to change the license edition. Throughput: 200 Mbps or 1 Gbps Bundle: Premium Deployment Options This deployment guide provides two deployment options: The first option is to deploy using a Quick Start Guide format and the following options: Deploy NetScaler WAF into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, security groups, and other infrastructure components, and then deploys NetScaler WAF into this new VPC. Deploy NetScaler WAF into an existing VPC. This option provisions NetScaler WAF in the user existing AWS infrastructure. The second option is to deploy using WAF StyleBooks using NetScaler ADM Deployment Steps using a Quick Start Guide Step 1: Sign in to the User AWS Account Sign in to the user account at AWS: AWS with an IAM (Identity and Access Management) user role that has the necessary permissions to create an Amazon Account (if necessary) or sign in to an Amazon Account. Use the region selector in the navigation bar to choose the AWS Region where users want to deploy High Availability across AWS Availability Zones. Ensure that the user AWS account is configured correctly, refer to the Technical Requirements section of this document for more information. Step 2: Subscribe to the NetScaler WAF AMI This deployment requires a subscription to the AMI for NetScaler WAF in the AWS Marketplace. Sign in to the user AWS account. Open the page for the NetScaler WAF offering by choosing one of the links in the following table. When users launch the Quick Start Guide in to deploy NetScaler WAF in Step 3 below, they use the NetScaler WAF Image parameter to select the bundle and throughput option that matches their AMI subscription. The following list shows the AMI options and corresponding parameter settings. The VPX AMI instance requires a minimum of 2 virtual CPUs and 2 GB of memory. Note: To retrieve the AMI ID, refer to the NetScaler Products on AWS Marketplace page on GitHub: NetScaler Products on AWS Marketplace . AWS Marketplace AMI NetScaler Web Application Firewall (WAF) - 200 Mbps: NetScaler Web App Firewall (WAF) - 200 Mbps NetScaler Web Application Firewall (WAF) - 1000 Mbps: NetScaler Web App Firewall (WAF) - 1000 Mbps On the AMI page, choose Continue to Subscribe. Review the terms and conditions for software usage, and then choose Accept Terms. Note: Users receive a confirmation page, and an email confirmation is sent to the account owner. For detailed subscription instructions, see Getting Started in the AWS Marketplace Documentation: Getting Started . When the subscription process is complete, exit out of AWS Marketplace without further action. Do not provision the software from AWS Marketplace—users will deploy the AMI with the Quick Start Guide. Step 3: Launch the Quick Start Guide to Deploy the AMI Sign in to the user AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see deployment options earlier in this guide. Deploy NetScaler VPX into a new VPC on AWS using one of the AWS CloudFormation Templates located here: Citrix/Citrix-ADC-AWS-CloudFormation/Templates/High-Availability/Across-Availability-Zone Citrix/Citrix-ADC-AWS-CloudFormation/Templates/High-Availability/Same-Availability-Zone Deploy NetScaler WAF into a new or existing VPC on AWS using the AWS Quickstart template located here: AWS-Quickstart/Quickstart-Citrix-ADC- WAF Important: If users are deploying NetScaler WAF into an existing VPC, they must ensure that their VPC spans across two Availability Zones, with one public and two private subnets in each Availability Zone for the workload instances, and that the subnets are not shared. This deployment guide does not support shared subnets, see Working with Shared VPCs: Working with Shared VPCs . These subnets require NAT Gateways in their route tables to allow the instances to download packages and software without exposing them to the internet. For more information about NAT Gateways, see: NAT Gateways . Configure the subnets so there is no overlapping of subnets. Also, users should ensure that the domain name option in the DHCP options is configured as explained in the Amazon VPC documentation found here: DHCP Options Sets: DHCP Options Sets. Users are prompted for their VPC settings when they launch the Quick Start Guide. Each deployment takes about 15 minutes to complete. Check the AWS Region that is displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for NetScaler WAF will be built. The template is launched in the US East (Ohio) Region by default. Note: This deployment includes NetScaler WAF, which isn’t currently supported in all AWS Regions. For a current list of supported Regions, see the AWS Service Endpoints: AWS Service Endpoints . On the Select Template page, keep the default setting for the template URL, and then choose Next. On the Specify Details page, specify the stack name as per user convenience. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. In the following table, parameters are listed by category and described separately for the deployment option: Parameters for deploying NetScaler WAF into a new or existing VPC (Deployment Option 1) When users finish reviewing and customizing the parameters, they should choose Next. Parameters for Deploying NetScaler WAF into a new VPC VPC Network Configuration For reference information on this deployment refer to the CFT template here: AWS-Quickstart/Quickstart-Citrix-ADC-WAF/Templates. Parameter label (name) Default Description Primary Availability Zone (PrimaryAvailabilityZone) Requires input The Availability Zone for Primary NetScaler WAF deployment Secondary Availability Zone (SecondaryAvailabilityZone) Requires input The Availability Zone for Secondary NetScaler WAF deployment VPC CIDR (VPCCIDR) 10.0.0.0/16 The CIDR block for the VPC. Must be a valid IP CIDR range of the form x.x.x.x/x. Remote SSH CIDR IP(Management) (RestrictedSSHCIDR) Requires input The IP address range that can SSH to the EC2 instance (port: 22). For example Using 0.0.0.0/0, will enable all IP addresses to access the user instance using SSH or RDP. Note: Authorize only a specific IP address or range of addresses to access the user instance because it is unsafe to use it in production. Remote HTTP CIDR IP(Client) (RestrictedWebAppCIDR) 0.0.0.0/0 The IP address range that can HTTP to the EC2 instance (port: 80) Remote HTTP CIDR IP(Client) (RestrictedWebAppCIDR) 0.0.0.0/0 The IP address range that can HTTP to the EC2 instance (port: 80) Primary Management Private Subnet CIDR (PrimaryManagementPrivateSubnetCIDR) 10.0.1.0/24 The CIDR block for Primary Management Subnet located in Availability Zone 1. Primary Management Private IP (PrimaryManagementPrivateIP) — Private IP assigned to the Primary Management ENI (last octet has to be between 5 and 254) from the Primary Management Subnet CIDR. Primary Client Public Subnet CIDR (PrimaryClientPublicSubnetCIDR) 10.0.2.0/24 The CIDR block for Primary Client Subnet located in Availability Zone 1. Primary Client Private IP (PrimaryClientPrivateIP) — Private IP assigned to the Primary Client ENI (last octet has to be between 5 and 254) from Primary Client IP from the Primary Client Subnet CIDR. Primary Server Private Subnet CIDR (PrimaryServerPrivateSubnetCIDR) 10.0.3.0/24 The CIDR block for Primary Server located in Availability Zone 1. Primary Server Private IP (PrimaryServerPrivateIP) — Private IP assigned to the Primary Server ENI (last octet has to be between 5 and 254) from the Primary Server Subnet CIDR. Secondary Management Private Subnet CIDR (SecondaryManagementPrivateSubnetCIDR) 10.0.4.0/24 The CIDR block for Secondary Management Subnet located in Availability Zone 2. Secondary Management Private IP (SecondaryManagementPrivateIP) — Private IP assigned to the Secondary Management ENI (last octet has to be between 5 and 254). It would allocate Secondary Management IP from the Secondary Management Subnet CIDR. Secondary Client Public Subnet CIDR (SecondaryClientPublicSubnetCIDR) 10.0.5.0/24 The CIDR block for Secondary Client Subnet located in Availability Zone 2. Secondary Client Private IP (SecondaryClientPrivateIP) — Private IP assigned to the Secondary Client ENI (last octet has to be between 5 and 254). It would allocate Secondary Client IP from the Secondary Client Subnet CIDR. Secondary Server Private Subnet CIDR (SecondaryServerPrivateSubnetCIDR) 10.0.6.0/24 The CIDR block for Secondary Server Subnet located in Availability Zone 2. Secondary Server Private IP (SecondaryServerPrivateIP) — Private IP assigned to the Secondary Server ENI (last octet has to be between 5 and 254). It would allocate Secondary Server IP from the Secondary Server Subnet CIDR. VPC Tenancy attribute (VPCTenancy) default The allowed tenancy of instances launched into the VPC. Choose Dedicated tenancy to launch EC2 instances dedicated to a single customer. Bastion host configuration Parameter label (name) Default Description Bastion Host required (LinuxBastionHostEIP) No By default, no bastion host will be configured. But if users want to opt for sandbox deployment select “yes” from the menu which would deploy a Linux Bastion Host in the public subnet with an EIP that would give users access to the components in the private and public subnet. NetScaler WAF Configuration Parameter label (name) Default Description Key pair name (KeyPairName) Requires input A public/private key pair, which allows users to connect securely to the user instance after it launches. This is the key pair users created in their preferred AWS Region; see the Technical Requirements section. NetScaler ADC Instance Type (CitrixADCInstanceType) m4.xlarge The EC2 instance type to use for the ADC instances. Ensure that the instance type opted for aligns with the instance types available in the AWS marketplace or else the CFT might fail. NetScaler ADC AMI ID (CitrixADCImageID) — The AWS Marketplace AMI to be used for NetScaler WAF deployment. This must match the AMI users subscribed to in step 2. NetScaler ADC VPX IAM role (iam:GetRole) — This Template: AWS-Quickstart/Quickstart-Citrix-ADC-VPX/Templates creates the IAM role and the Instance Profile required for NetScaler ADC VPX. If left empty, CFT creates the required IAM role. Client PublicIP(EIP) (ClientPublicEIP) No Select "Yes" if users want to assign a public EIP to the user Client Network interface. Otherwise, even after the deployment, users still have the option of assigning it later if necessary. Pooled Licensing configuration Parameter label (name) Default Description ADM Pooled Licensing No If choosing the BYOL option for licensing, select yes from the list. This allows users to upload their already purchased licenses. Before users begin, they should Configure NetScaler ADC Pooled Capacity to ensure ADM pooled licensing is available, see: Configure NetScaler ADC Pooled Capacity. Reachable ADM / ADM Agent IP Requires input For the Customer Licensed option, whether users deploy NetScaler ADM on-prem or an agent in the cloud, make sure to have a reachable ADM IP which would then be used as an input parameter. Licensing Mode Optional Users can choose from the 3 licensing modes: Configure NetScaler ADC Pooled Capacity: Configure NetScaler ADC Pooled Capacity NetScaler ADC VPX Check-in and Check-out Licensing (CICO): NetScaler ADC VPX Check-in and Check-out Licensing NetScaler ADC virtual CPU Licensing: NetScaler ADC virtual CPU Licensing| |License Bandwidth in Mbps|0 Mbps|Only if the licensing mode is Pooled-Licensing, then this field comes into the picture. It allocates an initial bandwidth of the license in Mbps to be allocated after BYOL ADCs are created. It should be a multiple of 10 Mbps.| |License Edition|Premium|License Edition for Pooled Capacity Licensing Mode is Premium| |Appliance Platform Type|Optional|Choose the required Appliance Platform Type, only if users opt for CICO licensing mode. Users get the options listed: VPX-200, VPX-1000, VPX-3000, VPX-5000, VPX-8000| |License Edition|Premium|License Edition for vCPU based Licensing is Premium.| AWS Quick Start Guide Configuration Note: We recommend that users keep the default settings for the following two parameters, unless they are customizing the Quick Start Guide templates for their own deployment projects. Changing the settings of these parameters will automatically update code references to point to a new Quick Start Guide location. For more details, see the AWS Quick Start Guide Contributor’s Guide located here: AWS Quick Starts/Option 1 - Adopt a Quick Start . Parameter label (name) Default Description Quick Start Guide S3 bucket name (QSS3BucketName) aws-quickstart The S3 bucket users created for their copy of Quick Start Guide assets, if users decide to customize or extend the Quick Start Guide for their own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen. Quick Start Guide S3 key prefix (QSS3KeyPrefix) quickstart-citrix-adc-vpx/ The S3 key name prefix, from the Object Key and Metadata: Object Key and Metadata, is used to simulate a folder for the user copy of Quick Start Guide assets, if users decide to customize or extend the Quick Start Guide for their own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes. On the Options page, users can specify a Resource Tag or key-value pair for resources in your stack and set advanced options. For more information on Resource Tags, see: Resource Tag. For more information on setting AWS CloudFormation Stack Options, see: Setting AWS CloudFormation Stack Options. When users are done, they should choose Next. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and that it might require the capability to auto-expand macros. Choose Create to deploy the stack. Monitor the status of the stack. When the status is CREATE_COMPLETE, the NetScaler WAF instance is ready. Use the URLs displayed in the Outputs tab for the stack to view the resources that were created. Step 4: Test the Deployment We refer to the instances in this deployment as primary and secondary. Each instance has different IP addresses associated with it. When the Quick Start has been deployed successfully, traffic goes through the primary NetScaler WAF instance configured in Availability Zone 1. During failover conditions, when the primary instance does not respond to client requests, the secondary WAF instance takes over. The Elastic IP address of the virtual IP address of the primary instance migrates to the secondary instance, which takes over as the new primary instance. In the failover process, NetScaler WAF does the following: NetScaler WAF checks the virtual servers that have IP sets attached to them. NetScaler WAF finds the IP address that has an associated public IP address from the two IP addresses that the virtual server is listening on. One that is directly attached to the virtual server, and one that is attached through the IP set. NetScaler WAF reassociates the public Elastic IP address to the private IP address that belongs to the new primary virtual IP address. To validate the deployment, perform the following: Connect to the primary instance For example, with a proxy server, jump host (a Linux/Windows/FW instance running in AWS, or the bastion host), or another device reachable to that VPC or a Direct Connect if dealing with on-prem connectivity. Perform a trigger action to force failover and check whether the secondary instance takes over. Tip: To further validate the configuration with respect to NetScaler WAF, run the following command after connecting to the Primary NetScaler WAF instance : Sh appfw profile QS-Profile Connect to NetScaler WAF HA Pair using Bastion Host If users are opting for Sandbox deployment (for example, as part of CFT, users opt for configuring a Bastion Host), a Linux bastion host deployed in a public subnet will be configured to access the WAF interfaces. In the AWS CloudFormation console, which is accessed by signing in here: Sign in, choose the master stack, and on the Outputs tab, find the value of LinuxBastionHostEIP1. PrivateManagementPrivateNSIP and PrimaryADCInstanceID key’s value to be used in the later steps to SSH into the ADC. Choose Services. On the Compute tab, select EC2. Under Resources, choose Running Instances. On the Description tab of the primary WAF instance, note the IPv4 public IP address. Users need that IP address to construct the SSH command. To store the key in the user keychain, run the command ssh-add -K [your-key-pair].pem On Linux, users might need to omit the -K flag. Log in to the bastion host using the following command, using the value for LinuxBastionHostEIP1 that users noted in step 1. ssh -A ubuntu@[LinuxBastionHostEIP1] From the bastion host, users can connect to the primary WAF instance by using SSH. ssh nsroot@[Primary Management Private NSIP] Password: [Primary ADC Instance ID] Now users are connected to the primary NetScaler WAF instance. To see the available commands, users can run the help command. To view the current HA configuration, users can run the show HA node command. NetScaler Application Delivery Management NetScaler Application Delivery Management Service (NetScaler ADM) provides an easy and scalable solution to manage NetScaler ADC deployments that include NetScaler ADC MPX, NetScaler ADC VPX, NetScaler Gateway, NetScaler Secure Web Gateway, NetScaler ADC SDX, NetScaler ADC CPX, and NetScaler SD-WAN appliances that are deployed on-premises or on the cloud. Users can use this cloud solution to manage, monitor, and troubleshoot the entire global application delivery infrastructure from a single, unified, and centralized cloud-based console. NetScaler ADM Service provides all the capabilities required to quickly set up, deploy, and manage application delivery in NetScaler ADC deployments and with rich analytics of application health, performance, and security. NetScaler ADM Service provides the following benefits: Agile – Easy to operate, update, and consume. The service model of NetScaler ADM Service is available over the cloud, making it easy to operate, update, and use the features provided by NetScaler ADM Service. The frequency of updates, combined with the automated update feature, quickly enhances user NetScaler ADC deployment. Faster time to value – Quicker business goals achievement. Unlike with the traditional on-premises deployment, users can use their NetScaler ADM Service with a few clicks. Users not only save the installation and configuration time, but also avoid wasting time and resources on potential errors. Multi-Site Management – Single Pane of Glass for instances across Multi-Site data centers. With the NetScaler ADM Service, users can manage and monitor NetScaler ADCs that are in various types of deployments. Users have one-stop management for NetScaler ADCs deployed on-premises and in the cloud. Operational Efficiency – Optimized and automated way to achieve higher operational productivity. With the NetScaler ADM Service, user operational costs are reduced by saving user time, money, and resources on maintaining and upgrading the traditional hardware deployments. How NetScaler ADM Service Works NetScaler ADM Service is available as a service on the NetScaler Cloud. After users sign up for NetScaler Cloud and start using the service, install agents in the user network environment or initiate the built-in agent in the instances. Then, add the instances users want to manage to the service. An agent enables communication between the NetScaler ADM Service and the managed instances in the user data center. The agent collects data from the managed instances in the user network and sends it to the NetScaler ADM Service. When users add an instance to the NetScaler ADM Service, it implicitly adds itself as a trap destination and collects an inventory of the instance. The service collects instance details such as: Host name Software version Running and saved configuration Certificates Entities configured on the instance, and so on. NetScaler ADM Service periodically polls managed instances to collect information. The following image illustrates the communication between the service, the agents, and the instances: Documentation Guide The NetScaler ADM Service documentation includes information about how to get started with the service, a list of features supported on the service, and configuration specific to this service solution. Deploying NetScaler ADC VPX Instances on AWS using NetScaler ADM When customers move their applications to the cloud, the components that are part of their application increase, become more distributed, and need to be dynamically managed. With NetScaler ADC VPX instances on AWS, users can seamlessly extend their L4-L7 network stack to AWS. With NetScaler ADC VPX, AWS becomes a natural extension of their on-premises IT infrastructure. Customers can use NetScaler ADC VPX on AWS to combine the elasticity and flexibility of the cloud, with the same optimization, security, and control features that support the most demanding websites and applications in the world. With NetScaler Application Delivery Management (ADM) monitoring their NetScaler ADC instances, users gain visibility into the health, performance, and security of their applications. They can automate the setup, deployment, and management of their application delivery infrastructure across hybrid multi-cloud environments. Architecture Diagram The following image provides an overview of how NetScaler ADM connects with AWS to provision NetScaler ADC VPX instances in AWS. Configuration Tasks Perform the following tasks on AWS before provisioning NetScaler ADC VPX instances in NetScaler ADM: Create subnets Create security groups Create an IAM role and define a policy Perform the following tasks on NetScaler ADM to provision the instances on AWS: Create site Provision NetScaler ADC VPX instance on AWS To Create Subnets Create three subnets in a VPC. The three subnets that are required to provision NetScaler ADC VPX instances in a VPC - are management, client, and server. Specify an IPv4 CIDR block from the range that is defined in the VPC for each of the subnets. Specify the availability zone in which the subnet is to reside. Create all the three subnets in the same availability zone. The following image illustrates the three subnets created in the customer region and their connectivity to the client system. For more information on VPC and subnets, see VPCs and Subnets. To Create Security Groups Create a security group to control inbound and outbound traffic in the NetScaler ADC VPX instance. A security group acts as a virtual firewall for a user instance. Create security groups at the instance level, and not at the subnet level. It is possible to assign each instance in a subnet in the user VPC to a different set of security groups. Add rules for each security group to control the inbound traffic that is passing through the client subnet to instances. Users can also add a separate set of rules that control the outbound traffic that passes through the server subnet to the application servers. Although users can use the default security group for their instances, they might want to create their own groups. Create three security groups - one for each subnet. Create rules for both incoming and outgoing traffic that users want to control. Users can add as many rules as they want. For more information on security groups, see: Security Groups for your VPC. To Create an IAM Role and Define a Policy Create an IAM role so that customers can establish a trust relationship between their users and the NetScaler trusted AWS account and create a policy with NetScaler permissions. In AWS, click Services. In the left side navigation pane, select IAM > Roles, and click Create role. Users are connecting their AWS account with the AWS account in NetScaler ADM. So, select Another AWS account to allow NetScaler ADM to perform actions in the AWS account. Type in the 12-digit NetScaler ADM AWS account ID. The NetScaler ID is 835822366011. Users can also find the NetScaler ID in NetScaler ADM when they create the cloud access profile. Enable Require external ID to connect to a third-party account. Users can increase the security of their roles by requiring an optional external identifier. Type an ID that can be a combination of any characters. Click Permissions. In Attach permissions policies page, click Create policy. Users can create and edit a policy in the visual editor or by using JSON. The list of permissions from NetScaler is provided in the following box: {"Version": "2012-10-17","Statement":[ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeImageAttribute", "ec2:DescribeInstanceAttribute", "ec2:DescribeRegions", "ec2:DescribeDhcpOptions", "ec2:DescribeSecurityGroups", "ec2:DescribeHosts", "ec2:DescribeImages", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeAddresses", "ec2:DescribeKeyPairs", "ec2:DescribeTags", "ec2:DescribeVolumeStatus", "ec2:DescribeVolumes", "ec2:DescribeVolumeAttribute", "ec2:CreateTags", "ec2:DeleteTags", "ec2:CreateKeyPair", "ec2:DeleteKeyPair", "ec2:ResetInstanceAttribute", "ec2:RunScheduledInstances", "ec2:ReportInstanceStatus", "ec2:StartInstances", "ec2:RunInstances", "ec2:StopInstances", "ec2:UnmonitorInstances", "ec2:MonitorInstances", "ec2:RebootInstances", "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute", "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses", "ec2:CreateNetworkInterface", "ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:ResetNetworkInterfaceAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:AssociateAddress", "ec2:AllocateAddress", "ec2:ReleaseAddress", "ec2:DisassociateAddress", "ec2:GetConsoleOutput" ], "Resource": "*" }]} Copy and paste the list of permissions in the JSON tab and click Review policy. In the Review policy page, type a name for the policy, enter a description, and click Create policy. To Create a Site in NetScaler ADM Create a site in NetScaler ADM and add the details of the VPC associated with the AWS role. In NetScaler ADM, navigate to Networks > Sites. Click Add. Select the service type as AWS and enable Use existing VPC as a site. Select the cloud access profile. If the cloud access profile does not exist in the field, click Add to create a profile. In the Create Cloud Access Profile page, type the name of the profile with which users want to access AWS. Type the ARN associated with the role that users have created in AWS. Type the external ID that users provided while creating an Identity and Access Management (IAM) role in AWS. See step 4 in “To create an IAM role and define a policy” task. Ensure that the IAM role name specified in AWS starts with NetScaler-ADM- and it correctly appears in the Role ARN. The details of the VPC, such as the region, VPC ID, name and CIDR block, associated with your IAM role in AWS are imported in NetScaler ADM. Type a name for the site. Click Create. To Provision NetScaler ADC VPX on AWS Use the site that users created earlier to provision the NetScaler ADC VPX instances on AWS. Provide NetScaler ADM service agent details to provision those instances that are bound to that agent. In NetScaler ADM, navigate to Networks > Instances > NetScaler ADC. In the VPX tab, click Provision. This option displays the Provision NetScaler ADC VPX on Cloud page. Select Amazon Web Services (AWS) and click Next. In Basic Parameters, Select the Type of Instance from the list. Standalone: This option provisions a standalone NetScaler ADC VPX instance on AWS. HA: This option provisions the high availability NetScaler ADC VPX instances on AWS. To provision the NetScaler ADC VPX instances in the same zone, select the Single Zone option under Zone Type. To provision the NetScaler ADC VPX instances across multiple zones, select the Multi Zone option under Zone type. In the Cloud Parameters tab, make sure to specify the network details for each zone that is created on AWS. Specify the name of the NetScaler ADC VPX instance. In Site, select the site that you created earlier. In Agent, select the agent that is created to manage the NetScaler ADC VPX instance. In Cloud Access Profile, select the cloud access profile created during site creation. In Device Profile, select the profile to provide authentication. NetScaler ADM uses the device profile when it requires to log on to the NetScaler ADC VPX instance. Click Next. In Cloud Parameters, Select the NetScaler IAM Role created in AWS. An IAM role is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. In the Product field, select the NetScaler ADC product version that users want to provision. Select the EC2 instance type from the Instance Type list. Select the Version of NetScaler ADC that users want to provision. Select both Major and Minor version of NetScaler ADC. In Security Groups, select the Management, Client, and Server security groups that users created in their virtual network. In IPs in server Subnet per Node, select the number of IP addresses in server subnet per node for the security group. In Subnets, select the Management, Client, and Server subnets for each zone that are created in AWS. Users can also select the region from the Availability Zone list. Click Finish. The NetScaler ADC VPX instance is now provisioned on AWS. Note: NetScaler ADM doesn’t support deprovisioning of NetScaler ADC instances from AWS. To View the NetScaler ADC VPX Provisioned in AWS From the AWS home page, navigate to Services and click EC2. On the Resources page, click Running Instances. Users can view the NetScaler ADC VPX provisioned in AWS. The name of the NetScaler ADC VPX instance is the same name users provided while provisioning the instance in NetScaler ADM. To View the NetScaler ADC VPX Provisioned in NetScaler ADM In NetScaler ADM, navigate to Networks > Instances > NetScaler ADC. Select NetScaler ADC VPX tab. The NetScaler ADC VPX instance provisioned in AWS is listed here. NetScaler ADC WAF and OWASP Top 10 – 2017 The Open Web Application Security Project: OWASP released the OWASP Top 10 for 2017 for web application security. This list documents the most common web application vulnerabilities and is a great starting point to evaluate web security. Here we detail how to configure the NetScaler ADC Web Application Firewall (WAF) to mitigate these flaws. WAF is available as an integrated module in the NetScaler ADC (Premium Edition) as well as a complete range of appliances. The full OWASP Top 10 document is available at OWASP Top Ten. OWASP Top-10 2017 NetScaler ADC WAF Features A1:2017- Injection Injection attack prevention (SQL or any other custom injections such as OS Command injection, XPath injection, and LDAP Injection), auto update signature feature A2:2017 - Broken Authentication NetScaler ADC AAA, Cookie Tampering protection, Cookie Proxying, Cookie Encryption, CSRF tagging, Use SSL A3:2017 - Sensitive Data Exposure Credit Card protection, Safe Commerce, Cookie proxying, and Cookie Encryption A4:2017 XML External Entities (XXE) XML protection including WSI checks, XML message validation & XML SOAP fault filtering check A5:2017 Broken Access Control NetScaler ADC AAA, Authorization security feature within NetScaler ADC AAA module of NetScaler, Form protections, and Cookie tampering protections, StartURL, and ClosureURL A6:2017 - Security Misconfiguration PCI reports, SSL features, Signature generation from vulnerability scan reports such as Cenznic, Qualys, AppScan, WebInspect, Whitehat. Also, specific protections such as Cookie encryption, proxying, and tampering A7:2017 - Cross Site Scripting (XSS) XSS Attack Prevention, Blocks all OWASP XSS cheat sheet attacks A8:2017 – Insecure Deserialisation XML Security Checks, GWT content type, custom signatures, Xpath for JSON and XML A9:2017 - Using Components with known Vulnerabilities Vulnerability scan reports, Application Firewall Templates, and Custom Signatures A10:2017 – Insufficient Logging & Monitoring User configurable custom logging, NetScaler ADC Management and Analytics System A1:2017- Injection Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into running unintended commands or accessing data without proper authorization. ADC WAF Protections SQL Injection prevention feature protects against common injection attacks. Custom injection patterns can be uploaded to protect against any type of injection attack including XPath and LDAP. This is applicable for both HTML and XML payloads. The auto update signature feature keeps the injection signatures up to date. Field format protection feature allows the administrator to restrict any user parameter to a regular expression. For instance, you can enforce that a zip-code field contains integers only or even 5-digit integers. Form field consistency: Validate each submitted user form against the user session form signature to ensure the validity of all form elements. Buffer overflow checks ensure that the URL, headers, and cookies are in the right limits blocking any attempts to inject large scripts or code. A2:2017 – Broken Authentication Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. ADC WAF Protections NetScaler ADC AAA module performs user authentication and provides Single Sign-On functionality to back end applications. This is integrated into the NetScaler ADC AppExpert policy engine to allow custom policies based on user and group information. Using SSL offloading and URL transformation capabilities, the firewall can also help sites to use secure transport layer protocols to prevent stealing of session tokens by network sniffing. Cookie Proxying and Cookie Encryption can be employed to completely mitigate cookie stealing. A3:2017 - Sensitive Data Exposure Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such poorly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. ADC WAF Protections Application Firewall protects applications from leaking sensitive data like credit card details. Sensitive data can be configured as Safe objects in Safe Commerce protection to avoid exposure. Any sensitive data in cookies can be protected by Cookie Proxying and Cookie Encryption. A4:2017 XML External Entities (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. ADC WAF Protections In addition to detecting and blocking common application threats that can be adapted for attacking XML-based applications (that is, cross-site scripting, command injection, and so forth). ADC Application Firewall includes a rich set of XML-specific security protections. These include schema validation to thoroughly verify SOAP messages and XML payloads, and a powerful XML attachment check to block attachments containing malicious executables or viruses. Automatic traffic inspection methods block XPath injection attacks on URLs and forms aimed at gaining access. ADC Application Firewall also thwarts various DoS attacks, including external entity references, recursive expansion, excessive nesting, and malicious messages containing either long or a large number of attributes and elements. A5:2017 Broken Access Control Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, and so on. ADC WAF Protections NetScaler ADC AAA feature that supports authentication, authorization, and auditing for all application traffic allows a site administrator to manage access controls with the ADC appliance. The Authorization security feature within the NetScaler ADC AAA module of the ADC appliance enables the appliance to verify, which content on a protected server it should allow each user to access. Form field consistency: If object references are stored as hidden fields in forms, then using form field consistency you can validate that these fields are not tampered on subsequent requests. Cookie Proxying and Cookie consistency: Object references that are stored in cookie values can be validated with these protections. Start URL check with URL closure: Allows user access to a predefined allow list of URLs. URL closure builds a list of all URLs seen in valid responses during the user session and automatically allows access to them during that session. A6:2017 - Security Misconfiguration Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or improvised configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion. ADC WAF Protections The PCI-DSS report generated by the Application Firewall, documents the security settings on the Firewall device. Reports from the scanning tools are converted to ADC WAF Signatures to handle security misconfigurations. ADC WAF supports Cenzic, IBM AppScan (Enterprise and Standard), Qualys, TrendMicro, WhiteHat, and custom vulnerability scan reports. A7:2017 - Cross Site Scripting (XSS) XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing webpage with user-supplied data using a browser API that can create HTML or JavaScript. Cross-site scripting allows attackers to run scripts in the victim’s browser which can hijack user sessions, deface websites, or redirect the user to malicious sites. ADC WAF Protections Cross-site scripting protection protects against common XSS attacks. Custom XSS patterns can be uploaded to modify the default list of allowed tags and attributes. The ADC WAF uses an allow list of allowed HTML attributes and tags to detect XSS attacks. This is applicable for both HTML and XML payloads. ADC WAF blocks all the attacks listed in the OWASP XSS Filter Evaluation Cheat Sheet. Field format check prevents an attacker from sending inappropriate web form data which can be a potential XSS attack. Form field consistency. A8:2017 - Insecure Deserialization Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. ADC WAF Protections JSON payload inspection with custom signatures. XML security: protects against XML denial of service (xDoS), XML SQL and Xpath injection and cross site scripting, format checks, WS-I basic profile compliance, XML attachments check. Field Format checks in addition to Cookie Consistency and Field Consistency can be used. A9:2017 - Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. ADC WAF Protections NetScaler recommends having the third-party components up to date. Vulnerability scan reports that are converted to ADC Signatures can be used to virtually patch these components. Application Firewall templates that are available for these vulnerable components can be used. Custom Signatures can be bound with the firewall to protect these components. A10:2017 - Insufficient Logging & Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show that the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring. ADC WAF Protections When the log action is enabled for security checks or signatures, the resulting log messages provide information about the requests and responses that the application firewall has observed while protecting your websites and applications. The application firewall offers the convenience of using the built-in ADC database for identifying the locations corresponding to the IP addresses from which malicious requests are originating. Default format (PI) expressions give the flexibility to customize the information included in the logs with the option to add the specific data to capture in the application firewall generated log messages. The application firewall supports CEF logs. Continued in Part 2

Deployment Guide NetScaler ADC VPX on Azure - AutoscaleAuthor: Blake Schindler, Solutions ArchitectOverviewNetScaler ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications regardless of where they are hosted. It comes in a wide variety of form factors and deployment options without locking users into a single configuration or cloud. Pooled capacity licensing enables the movement of capacity among cloud deployments. As an undisputed leader of service and application delivery, NetScaler ADC is deployed in thousands of networks around the world to optimize, secure, and control the delivery of all enterprise and cloud services. Deployed directly in front of web and database servers, NetScaler ADC combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. NetScaler ADC allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required. NetScaler VPXThe NetScaler ADC VPX product is a virtual appliance that can be hosted on a wide variety of virtualization and cloud platforms: XenServer VMware ESX Microsoft Hyper-V Linux KVM Amazon Web Services Microsoft Azure Google Cloud Platform This deployment guide focuses on NetScaler ADC VPX on Microsoft Azure Microsoft AzureMicrosoft Azure is an ever-expanding set of cloud computing services built to help organizations meet their business challenges. Azure gives users the freedom to build, manage, and deploy applications on a massive, global network using their preferred tools and frameworks. With Azure, users can: Be future-ready with continuous innovation from Microsoft to support their development today—and their product visions for tomorrow. Operate hybrid cloud seamlessly on-premises, in the cloud, and at the edge—Azure meets users where they are. Build on their terms with Azure’s commitment to open source and support for all languages and frameworks, allowing users to be free to build how they want and deploy where they want. Trust their cloud with security from the ground up—backed by a team of experts and proactive, industry-leading compliance that is trusted by enterprises, governments, and startups. Azure TerminologyHere is a brief description of the key terms used in this document that users must be familiar with: Azure Load Balancer – Azure load balancer is a resource that distributes incoming traffic among computers in a network. Traffic is distributed among virtual machines defined in a load-balancer set. A load balancer can be external or internet-facing, or it can be internal. Azure Resource Manager (ARM) – ARM is the new management framework for services in Azure. Azure Load Balancer is managed using ARM-based APIs and tools. Back-End Address Pool – These are IP addresses associated with the virtual machine NIC to which load is distributed. BLOB - Binary Large Object – Any binary object like a file or an image that can be stored in Azure storage. Front-End IP Configuration – An Azure Load balancer can include one or more front-end IP addresses, also known as a virtual IPs (VIPs). These IP addresses serve as ingress for the traffic. Instance Level Public IP (ILPIP) – An ILPIP is a public IP address that users can assign directly to a virtual machine or role instance, rather than to the cloud service that the virtual machine or role instance resides in. This does not take the place of the VIP (virtual IP) that is assigned to their cloud service. Rather, it is an extra IP address that can be used to connect directly to a virtual machine or role instance. Note: In the past, an ILPIP was referred to as a PIP, which stands for public IP. Inbound NAT Rules – This contains rules mapping a public port on the load balancer to a port for a specific virtual machine in the back-end address pool. IP-Config - It can be defined as an IP address pair (public IP and private IP) associated with an individual NIC. In an IP-Config, the public IP address can be NULL. Each NIC can have multiple IP-Configs associated with it, which can be up to 255. Load Balancing Rules – A rule property that maps a given front-end IP and port combination to a set of back-end IP addresses and port combinations. With a single definition of a load balancer resource, users can define multiple load balancing rules, each rule reflecting a combination of a front-end IP and port and back end IP and port associated with virtual machines. Network Security Group (NSG) – NSG contains a list of Access Control List (ACL) rules that allow or deny network traffic to virtual machine instances in a virtual network. NSGs can be associated with either subnets or individual virtual machine instances within that subnet. When an NSG is associated with a subnet, the ACL rules apply to all the virtual machine instances in that subnet. In addition, traffic to an individual virtual machine can be restricted further by associating an NSG directly to that virtual machine. Private IP addresses – Used for communication within an Azure virtual network, and user on-premises network when a VPN gateway is used to extend a user network to Azure. Private IP addresses allow Azure resources to communicate with other resources in a virtual network or an on-premises network through a VPN gateway or ExpressRoute circuit, without using an Internet-reachable IP address. In the Azure Resource Manager deployment model, a private IP address is associated with the following types of Azure resources – virtual machines, internal load balancers (ILBs), and application gateways. Probes – This contains health probes used to check availability of virtual machines instances in the back-end address pool. If a particular virtual machine does not respond to health probes for some time, then it is taken out of traffic serving. Probes enable users to track the health of virtual instances. If a health probe fails, the virtual instance is taken out of rotation automatically. Public IP Addresses (PIP) – PIP is used for communication with the Internet, including Azure public-facing services and is associated with virtual machines, Internet-facing load balancers, VPN gateways, and application gateways. Region - An area within a geography that does not cross national borders and that contains one or more data centers. Pricing, regional services, and offer types are exposed at the region level. A region is typically paired with another region, which can be up to several hundred miles away, to form a regional pair. Regional pairs can be used as a mechanism for disaster recovery and high availability scenarios. Also referred to generally as location. Resource Group - A container in Resource Manager that holds related resources for an application. The resource group can include all resources for an application, or only those resources that are logically grouped. Storage Account – An Azure storage account gives users access to the Azure blob, queue, table, and file services in Azure Storage. A user storage account provides the unique namespace for user Azure storage data objects. Virtual Machine – The software implementation of a physical computer that runs an operating system. Multiple virtual machines can run simultaneously on the same hardware. In Azure, virtual machines are available in various sizes. Virtual Network - An Azure virtual network is a representation of a user network in the cloud. It is a logical isolation of the Azure cloud dedicated to a user subscription. Users can fully control the IP address blocks, DNS settings, security policies, and route tables within this network. Users can also further segment their VNet into subnets and launch Azure IaaS virtual machines and cloud services (PaaS role instances). Also, users can connect the virtual network to their on-premises network using one of the connectivity options available in Azure. In essence, users can expand their network to Azure, with complete control on IP address blocks with the benefit of the enterprise scale Azure provides. Use CasesCompared to alternative solutions that require each service to be deployed as a separate virtual appliance, NetScaler ADC on Azure combines L4 load balancing, L7 traffic management, server offload, application acceleration, application security, and other essential application delivery capabilities in a single VPX instance, conveniently available via the Azure Marketplace. Furthermore, everything is governed by a single policy framework and managed with the same, powerful set of tools used to administer on-premises NetScaler ADC deployments. The net result is that NetScaler ADC on Azure enables several compelling use cases that not only support the immediate needs of today’s enterprises, but also the ongoing evolution from legacy computing infrastructures to enterprise cloud data centers. Datacenter Expansion with AutoscaleIn an application economy where applications are synonymous with business productivity, growth, and customer experience, it becomes indispensable for organizations to stay competitive, innovate rapidly and scale to meet customer demands while minimizing downtime and to prevent revenue losses. When an organization outgrows the on-prem data center capacity, instead of thinking about procuring more hardware and spending their capex budget, they are thinking about expanding their presence in the public cloud. With the move to the public cloud, when selecting the right ADC for the user public cloud deployments, scale and performance are important factors. There is always a need to scale applications in response to fluctuating demand. Under provisioning may lead to lost customers, reduced employee productivity, and lower revenue. Right sizing the user infrastructure on demand is even more important in the public cloud where over provisioning is costly. In response to the need for greater performance and scalability in the public cloud, NetScaler ADC remains the best option. The best-in-class solution lets users automatically scale up to 100 Gbps/region and because of its superior software architecture, it delivers a latency advantage of 100 ms on a typical eCommerce webpage compared to other ADC vendors and cloud provider options. Benefits of AutoscalingHigh availability of applications. Autoscaling ensures that your application always has the right number of NetScaler ADC VPX instances to handle the traffic demands. This is to ensure that your application is up and running all the time irrespective of traffic demands. Smart scaling decisions and zero touch configuration. Autoscaling continuously monitors your application and adds or removes NetScaler ADC instances dynamically depending on the demand. When demand spikes upward, the instances are automatically added. When the demand spikes downward, the instances are automatically removed. The addition and removal of NetScaler ADC instances happens automatically making it a zero-touch manual configuration. Automatic DNS management. The NetScaler ADM Autoscale feature offers automatic DNS management. Whenever new NetScaler ADC instances are added, the domain names are updated automatically. Graceful connection termination. During a scale-in, the NetScaler ADC instances are gracefully removed avoiding the loss of client connections. Better cost management. Autoscaling dynamically increases or decreases NetScaler ADC instances as needed. This enables users to optimize the costs involved. Users save money by launching instances only when they are needed and terminate them when they are not needed. Thus, users pay only for the resources they use. Observability. Observability is essential to application dev-ops or IT personnel to monitor the health of the application. The NetScaler ADM’s Autoscale dashboard enables users to visualize the threshold parameter values, Autoscale trigger time stamps, events, and the instances participating in Autoscale. Autoscaling of NetScaler ADC VPX in Microsoft Azure using NetScaler ADM Autoscaling ArchitectureNetScaler ADM handles the client traffic distribution using Azure DNS or Azure Load Balancer (ALB). Traffic Distribution using Azure DNSThe following diagram illustrates how the DNS based autoscaling occurs using the Azure traffic manager as the traffic distributor: Azure Load Balancer is the distribution tier to the cluster nodes. ALB manages the client traffic and distributes it to NetScaler ADC VPX clusters. ALB sends the client traffic to NetScaler ADC VPX cluster nodes that are available in the NetScaler ADM autoscaling group across availability zones. Note: Public IP address is allocated to Azure Load Balancer. NetScaler ADC VPX instances do not require a public IP address. NetScaler ADM triggers the scale-out or scale-in action at the cluster level. When a scale-out is triggered the registered virtual machines are provisioned and added to the cluster. Similarly, when a scale-in is triggered, the nodes are removed and de-provisioned from the NetScaler ADC VPX clusters. NetScaler ADM Autoscale GroupAutoscale group is a group of NetScaler ADC instances that load balance applications as a single entity and trigger autoscaling based on the configured threshold parameter values. Resource GroupResource group contains the resources that are related to NetScaler ADC autoscaling. This resource group helps users to manage the resources required for autoscaling. For more information, see: Manage Azure Resources by using the Azure Portal. Azure Back-end Virtual Machine Scale SetAzure virtual machine scale set is a collection of identical VM instances. The number of VM instances can increase or decrease depending on the client traffic. This set provides high-availability to your applications. For more information, see: What are Virtual Machine Scale Sets?. Availability ZonesAvailability Zones are isolated locations within an Azure region. Each region is made up of several availability zones. Each availability zone belongs to a single region. Each availability zone has one NetScaler ADC VPX cluster. For more information, see: Regions and Availability Zones in Azure. Availability SetsAn availability set is a logical grouping of a NetScaler ADC VPX cluster and application servers. Availability Sets are helpful to deploy ADC instances across multiple isolated hardware nodes in a cluster. With an availability set, users can ensure a reliable ADM autoscaling if there is hardware or software failure within Azure. For more information, see: Tutorial: Create and Deploy Highly Available Virtual Machines with Azure PowerShell. The following diagram illustrates the autoscaling in an availability set: The NetScaler ADM collects the statistics (CPU, Memory, and throughput) from the autoscale provisioned clusters for every minute. The statistics are evaluated against the configuration thresholds. Depending on the statistics, scale out or scale in is triggered. Scale-out is triggered when the statistics exceed the maximum threshold. Scale-in is triggered when the statistics are operating below the minimum threshold. If a scale-out is triggered: A new node is provisioned. The node is attached to the cluster and the configuration is synchronized from the cluster to the new node. The node is registered with NetScaler ADM. The new node IP addresses are updated in the Azure traffic manager. If a scale-in is triggered: The node is identified for removal. Stop new connections to the selected node. Waits for the specified period for the connections to drain. In DNS traffic, it also waits for the specified TTL period. The node is detached from the cluster, deregistered from NetScaler ADM, and then de-provisioned from Microsoft Azure. Note: When the application is deployed, an IP set is created on clusters in every availability zone. Then, the domain and instance IP addresses are registered with the Azure traffic manager or ALB. When the application is removed, the domain and instance IP addresses are deregistered from the Azure traffic manager or ALB. Then, the IP set is deleted. Example Autoscaling ScenarioConsider that users have created an autoscale group named asg_arn in a single availability zone with the following configuration. Selected threshold parameters – Memory usage. Threshold limit set to memory: Minimum limit: 40 Maximum limit: 85 Watch time – 2 minutes. Cooldown period – 10 minutes. Time to wait during de-provision – 10 minutes. DNS time to live – 10 seconds. After the autoscale group is created, statistics are collected from the autoscale group. The autoscale policy also evaluates if any autoscale event is in progress. If autoscaling is in progress, wait for that event to complete before collecting the statistics. Set up Microsoft Azure ComponentsPerform the following tasks in Azure before users Autoscale NetScaler ADC VPX instances in NetScaler ADM. Create a Virtual Network. Create Security Groups. Create Subnets. Subscribe to the NetScaler ADC VPX License in Microsoft Azure . Create and Register an Application. Create a Virtual Network Log on to the user Microsoft Azure portal. Select Create a resource. Select Networking and click Virtual Network. Specify the required parameters. In Resource group, users must specify the resource group where they want to deploy a NetScaler ADC VPX product. In Location, users must specify the locations that support availability zones such as: Central US East US2 France Central North Europe Southeast Asia West Europe West US2 Note: The application servers are present in this resource group. Click Create. For more information, see Azure Virtual Network here: What is Azure Virtual Network?. Create Security GroupsCreate three security groups in the user virtual network (VNet) - one each for the management, client, and server connections. Create a security group to control inbound and outbound traffic in the NetScaler ADC VPX instance. Create rules for incoming traffic that users want to control in the NetScaler Autoscale groups. Users can add as many rules as they want. Management: A security group in the user account dedicated for management of NetScaler ADC VPX. NetScaler ADC has to contact Azure services and requires Internet access. Inbound rules are allowed on the following TCP and UDP ports. TCP: 80, 22, 443, 3008–3011, 4001 UDP: 67, 123, 161, 500, 3003, 4500, 7000 For more information, see Azure Virtual Network here: What is Azure Virtual Network?. Create Security GroupsCreate three security groups in the user virtual network (VNet) - one each for the management, client, and server connections. Create a security group to control inbound and outbound traffic in the NetScaler ADC VPX instance. Create rules for incoming traffic that users want to control in the NetScaler Autoscale groups. Users can add as many rules as they want. Management: A security group in the user account dedicated for management of NetScaler ADC VPX. NetScaler ADC has to contact Azure services and requires Internet access. Inbound rules are allowed on the following TCP and UDP ports. TCP: 80, 22, 443, 3008–3011, 4001 UDP: 67, 123, 161, 500, 3003, 4500, 7000 Note: Ensure that the security group allows the NetScaler ADM agent to be able to access the VPX. Client: A security group in the user account dedicated for client-side communication of NetScaler ADC VPX instances. Typically, inbound rules are allowed on the TCP ports 80, 22, and 443. Server: A security group in the user account dedicated for server-side communication of NetScaler ADC VPX. For more information on how to create a security group in Microsoft Azure, see: Create, Change, or Delete a Network Security Group. Create SubnetsCreate three subnets in the user virtual network (VNet) - one each for the management, client, and server connections. Specify an address range that is defined in the user VNet for each of the subnets. Specify the availability zone in which users want the subnet to reside. Management: A subnet in the user Virtual Network (VNet) dedicated for management. NetScaler ADC has to contact Azure services and requires internet access. Client: A subnet in the user Virtual Network (VNet) dedicated for the client side. Typically, NetScaler ADC receives client traffic for the application via a public subnet from the internet. Server: A subnet where the application servers are provisioned. All the user application servers are present in this subnet and receive application traffic from the NetScaler ADC through this subnet. Note: Specify an appropriate security group to the subnet while creating a subnet. For more information on how to create a subnet in Microsoft Azure, see: Add, Change, or Delete a Virtual Network Subnet. Subscribe to the NetScaler ADC VPX License in Microsoft Azure Log on to the user Microsoft Azure portal. Select Create a resource. In the Search the marketplace bar, search NetScaler ADC and select the required product version. In the Select a software plan list, select one of the following license types: Bring your own license Enterprise Platinum Note: If users choose the Bring your own license option, the Autoscale group checks out the licenses from the NetScaler ADM while provisioning NetScaler ADC instances. In NetScaler ADM, the Advanced and Premium are the equivalent license types for Enterprise and Platinum respectively. Ensure the programmatic deployment is enabled for the selected NetScaler ADC product. Beside Want to deploy programmatically? click Get Started. Important: Enabling the programmatic deployment is required to Autoscale NetScaler ADC VPX instances in Azure. Click Save. Close Configure Programmatic Deployment. Click Create. Create and Register an ApplicationNetScaler ADM uses this application to Autoscale NetScaler ADC VPX instances in Azure. To create and register an application in Azure: In the Azure portal, select Azure Active Directory. This option displays the user organization’s directory. Select App registrations: In Name, specify the name of the application. Select the Application type from the list. In Sign-on URL, specify the application URL to access the application. Click Create. For more information on App registrations, see: How to: Use the Portal to Create an Azure AD Application and Service Principal that can Access Resources. Azure assigns an application ID to the application. The following is an example application registered in Microsoft Azure: Subscription ID: Copy the subscription ID from the user storage account.Assign the Role Permission to an ApplicationNetScaler ADM uses the application-as-a-service principle to Autoscale NetScaler ADC instances in Microsoft Azure. This permission is applicable only to the selected resource group. To assign a role permission to the user registered application, users have to be the owner of the Microsoft Azure subscription. In the Azure portal, select Resource groups. Select the resource group to which users want to assign a role permission. Select Access control (IAM). In Role assignments, click Add. Select Owner from the Role list. Select the application that is registered for autoscaling NetScaler ADC instances. Click Save. In Vnet, select the virtual network containing NetScaler ADC VPX instances that users want to manage. Specify a Site Name. Click Finish. Mapping Cloud Access Profile to the Azure ApplicationNetScaler ADM TermMicrosoft Azure TermTenant Active Directory ID / Tenant IDDirectory IDSubscription IDSubscription IDApplication ID / Client IDApplication IDApplication Key Password / Secretkeys or Certificates or Client SecretsAttach the Site to a NetScaler ADM Service Agent In NetScaler ADM, navigate to Networks > Agents. Select the agent for which users want to attach a site. Click Attach Site. Select the site from the list that users want to attach. Click Save. Step 1: Initialize Autoscale Configuration in NetScaler ADM In NetScaler ADM, navigate to Networks > AutoScale Groups. Click Add to create Autoscale groups. The Create AutoScale Group page appears. Select Microsoft Azure and click Next. In Basic Parameters, enter the following details: Name: Type a name for the Autoscale group. Site: Select the site that users have created to Autoscale the NetScaler ADC VPX instances on Microsoft Azure. If users have not created a site, click Add to create a site. Agent: Select the NetScaler ADM agent that manages the provisioned instances. Cloud Access Profile: Select the cloud access profile. Users can also add or edit a Cloud Access Profile. Device Profile: Select the device profile from the list. NetScaler ADM uses the device profile when it requires users to log on to the NetScaler ADC VPX instance. Note: Ensure the selected device profile conforms to Microsoft Azure password rules, which can be found here: Password Policies that only Apply to Cloud User Accounts. Traffic Distribution Mode: The Load Balancing using Azure LB option is selected as the default traffic distribution mode. Users can also choose the DNS using Azure DNS mode for the traffic distribution. Enable AutoScale Group: Enable or disable the status of the ASG groups. This option is enabled, by default. If this option is disabled, autoscaling is not triggered. Availability Set or Availability Zone: Select the availability set or availability zones in which users want to create the Autoscale groups. Depending on the cloud access profile that users have selected, availability zones appear on the list. Tags: Type the key-value pair for the Autoscale group tags. A tag consists of a case-sensitive key-value pair. These tags enable users to organize and identify the Autoscale groups easily. The tags are applied to both Microsoft Azure and NetScaler ADM. Minimum Instances: Select the minimum number of instances that must be provisioned for this Autoscale group. The default minimum number of instances is equal to the number of zones selected. Users can only increment the minimum instances in the multiples of the specified number of zones. For example, if the number of availability zones is 4, the minimum instances are 4 by default. Users can increase the minimum instances by 8, 12, 16. Maximum Instances: Select the maximum number of instances that must be provisioned for this Autoscale group. The maximum number of instances must be greater than or equal to the value of the minimum instances. The maximum number of instances cannot exceed the number of availability zones multiplied by 32. Maximum number of instances = number of availability zones * 32 Watch-Time (minutes): Select the watch-time duration. The time for which the scale parameter’s threshold has to stay breached for scaling to happen. If the threshold is breached on all samples collected in this specified time then a scaling happens. Cooldown period (minutes): Select the cooldown period. During scale-out, the cooldown period is the time for which evaluation of the statistics has to be stopped after a scale-out occurs. This period ensures the organic growing of instances of an Autoscale group. Before triggering the next scaling decision, it waits for the current traffic to stabilize and average out on the current set of instances. Time to wait during Deprovision (minutes): Select the drain connection timeout period. During scale-in action, an instance is identified to de-provision. NetScaler ADM restricts the identified instance from processing new connections until the specified time expires before de-provision. In this period, it allows existing connections to this instance to be drained out before it gets de-provisioned. DNS Time To Live (seconds): Select the time (in seconds). In this period, a packet is set to exist inside a network before a router discards the packet. This parameter is applicable only when the traffic distribution mode is DNS using the Microsoft Azure traffic manager. Click Finish. Step 5: Configure an application for the Autoscale group In NetScaler ADM, navigate to Networks > Autoscale Groups. Select the Autoscale group that users created and click Configure. In Configure Application, specify the following details: Application Name - Specify the name of an application. Domain Name - Specify the domain name of an application. Zone Name - Specify the zone name of an application. This domain and zone name redirects to the virtual servers in Azure. For example, if users host an application in app.example.com, the app is the domain name and example.com is the zone name. Access Type - Users can use ADM autoscaling for both external and internal applications. Select the required application access type. Choose the required StyleBook that users want to deploy configurations for the selected Autoscale group. If users want to import StyleBooks, click Import New StyleBook. Specify the values for all the parameters.The configuration parameters are pre-defined in the selected StyleBook. Check the Application Server Group Type CLOUD check box to specify the application servers available in the virtual machine scale set. In Application Server Fleet Name, specify Autoscale setting name of your virtual machine scale set. Select the Application Server Protocol from the list. In Member Port, specify the port value of the application server. Note: Ensure AutoDisable Graceful shutdown is set to No and AutoDisable Delay field is blank. If users want to specify the advanced settings for the user application servers, check the Advanced Application Server Settings check box. Then, specify the required values listed under Advanced Application Server Settings. Click Create. Modify the Autoscale Groups ConfigurationUsers can modify an Autoscale group configuration or delete an Autoscale group. Users can modify only the following Autoscale group parameters: Maximum and minimum limits of the threshold parameters Minimum and maximum instance values Drain connection period value Cooldown period value Watch duration value Users can also delete the Autoscale groups after they are created. When an Autoscale group is deleted, all the domains and IP addresses are deregistered from DNS and the cluster nodes are de-provisioned. For more detailed information on provisioning NetScaler ADC VPX instances on Microsoft Azure, see Provisioning NetScaler ADC VPX Instances on Microsoft Azure. ARM (Azure Resource Manager) TemplatesThe GitHub repository for NetScaler ADC ARM (Azure Resource Manager) templates hosts NetScaler ADC custom templates for deploying NetScaler ADC in Microsoft Azure Cloud Services. The templates in this repository are developed and maintained by the NetScaler ADC engineering team. Each template in this repository has co-located documentation describing the usage and architecture of the template. The templates attempt to codify the recommended deployment architecture of the NetScaler ADC VPX, or to introduce the user to the NetScaler ADC or to demonstrate a particular feature / edition / option. Users can reuse / modify or enhance the templates to suit their particular production and testing needs. Most templates require sufficient subscriptions to portal.azure.com to create resource and deploy templates. NetScaler ADC VPX Azure Resource Manager (ARM) templates are designed to ensure an easy and consistent way of deploying standalone NetScaler ADC VPX. These templates increase reliability and system availability with built-in redundancy. These ARM templates support Bring Your Own License (BYOL) or Hourly based selections. Choice of selection is either mentioned in the template description or offered during template deployment. For more information on how to provision a NetScaler ADC VPX instance on Microsoft Azure using ARM (Azure Resource Manager) templates, visit NetScaler ADC Azure Templates. For more information on how to add Azure autoscale settings, visit: Add Azure Autoscale Settings. For more information on how to deploy a NetScaler ADC VPX instance on Microsoft Azure, refer to Deploy a NetScaler ADC VPX Instance on Microsoft Azure. For more information on how a NetScaler ADC VPX instance works on Azure, visit How a NetScaler ADC VPX Instance Works on Azure. PrerequisitesUsers need some prerequisite knowledge before deploying a NetScaler VPX instance on Azure: Familiarity with Azure terminology and network details. For information, see the Azure terminology in the previous section. Knowledge of a NetScaler ADC appliance. For detailed information about the NetScaler ADC appliance, see: NetScaler ADC 13.0. Knowledge of NetScaler ADC networking. See: Networking. Azure Autoscale PrerequisitesThis section describes the prerequisites that users must complete in Microsoft Azure and NetScaler ADM before they provision NetScaler ADC VPX instances. This document assumes the following: Users possess a Microsoft Azure account that supports the Azure Resource Manager deployment model. Users have a resource group in Microsoft Azure. For more information on how to create an account and other tasks, see Microsoft Azure Documentation. LimitationsRunning the NetScaler ADC VPX load balancing solution on ARM imposes the following limitations: The Azure architecture does not accommodate support for the following NetScaler ADC features: Clustering IPv6 Gratuitous ARP (GARP) L2 Mode (bridging). Transparent virtual server are supported with L2 (MAC rewrite) for servers in the same subnet as the SNIP. Tagged VLAN Dynamic Routing Virtual MAC USIP Jumbo Frames If users think that they might have to shut down and temporarily deallocate the NetScaler ADC VPX virtual machine at any time, they should assign a static Internal IP address while creating the virtual machine. If they do not assign a static internal IP address, Azure might assign the virtual machine a different IP address each time it restarts, and the virtual machine might become inaccessible. In an Azure deployment, only the following NetScaler ADC VPX models are supported: VPX 10, VPX 200, VPX 1000, and VPX 3000. For more information, see the NetScaler ADC VPX Data Sheet. If a NetScaler ADC VPX instance with a model number higher than VPX 3000 is used, the network throughput might not be the same as specified by the instance’s license. However, other features, such as SSL throughput and SSL transactions per second, might improve. The “deployment ID” that is generated by Azure during virtual machine provisioning is not visible to the user in ARM. Users cannot use the deployment ID to deploy a NetScaler ADC VPX appliance on ARM. The NetScaler ADC VPX instance supports 20 Mb/s throughput and standard edition features when it is initialized. For a XenApp and XenDesktop deployment, a VPN virtual server on a VPX instance can be configured in the following modes: Basic mode, where the ICAOnly VPN virtual server parameter is set to ON. The Basic mode works fully on an unlicensed NetScaler ADC VPX instance. SmartAccess mode, where the ICAOnly VPN virtual server parameter is set to OFF. The SmartAccess mode works for only 5 NetScaler ADC AAA session users on an unlicensed NetScaler ADC VPX instance. Note: To configure the SmartControl feature, users must apply a Premium license to the NetScaler ADC VPX instance. Azure-VPX Supported Models and LicensingIn an Azure deployment, only the following NetScaler ADC VPX models are supported: VPX 10, VPX 200, VPX 1000, and VPX 3000. For more information, see the NetScaler ADC VPX Data Sheet. A NetScaler ADC VPX instance on Azure requires a license. The following licensing options are available for NetScaler ADC VPX instances running on Azure. Users can choose one of these methods to license NetScaler ADCs provisioned by NetScaler ADM: Using ADC licenses present in NetScaler ADM: Configure pooled capacity, VPX licenses, or virtual CPU licenses while creating the autoscale group. So, when a new instance is provisioned for an autoscale group, the already configured license type is automatically applied to the provisioned instance. Pooled Capacity: Allocates bandwidth to every provisioned instance in the autoscale group. Ensure users have the necessary bandwidth available in NetScaler ADM to provision new instances. For more information, see: Configure Pooled Capacity.Each ADC instance in the autoscale group checks out one instance license and the specified bandwidth from the pool. VPX licenses: Applies the VPX licenses to newly provisioned instances. Ensure users have the necessary number of VPX licenses available in NetScaler ADM to provision new instances. When a NetScaler ADC VPX instance is provisioned, the instance checks out the license from the NetScaler ADM. For more information, see: NetScaler ADC VPX Check-in and Check-out Licensing. Virtual CPU licenses: Applies virtual CPU licenses to newly provisioned instances. This license specifies the number of CPUs entitled to a NetScaler ADC VPX instance. Ensure users have the necessary number of Virtual CPUs in NetScaler ADM to provision new instances. When a NetScaler ADC VPX instance is provisioned, the instance checks out the virtual CPU license from the NetScaler ADM. For more information, see: NetScaler ADC Virtual CPU Licensing. When the provisioned instances are destroyed or de-provisioned, the applied licenses are automatically returned to NetScaler ADM. To monitor the consumed licenses, navigate to the Networks > Licenses page. Using Microsoft Azure subscription licenses: Configure NetScaler ADC licenses available in the Azure Marketplace while creating the autoscale group. So, when a new instance is provisioned for the autoscale group, the license is obtained from Azure Marketplace. Supported NetScaler ADC Azure Virtual Machine ImagesSupported NetScaler ADC Azure Virtual Machine Images for ProvisioningUse the Azure virtual machine image that supports a minimum of three NICs. Provisioning NetScaler ADC VPX instance is supported only on the Premium and Advanced editions. For more information on Azure virtual machine image types, see: General Purpose Virtual Machine Sizes. The following are the recommended VM sizes for provisioning: Standard_DS3_v2 Standard_B2ms Standard_DS4_v2 Port Usage GuidelinesUsers can configure more inbound and outbound rules on the NetScaler Gateway while creating the NetScaler ADC VPX instance or after the virtual machine is provisioned. Each inbound and outbound rule is associated with a public port and a private port. Before configuring NSG rules, note the following guidelines regarding the port numbers users can use: The NetScaler ADC VPX instance reserves the following ports. Users cannot define these as private ports when using the Public IP address for requests from the internet. Ports 21, 22, 80, 443, 8080, 67, 161, 179, 500, 520, 3003, 3008, 3009, 3010, 3011, 4001, 5061, 9000, 7000. However, if users want internet-facing services such as the VIP to use a standard port (for example, port 443) users have to create port mapping by using the NSG. The standard port is then mapped to a different port that is configured on the NetScaler ADC VPX for this VIP service. For example, a VIP service might be running on port 8443 on the VPX instance but be mapped to public port 443. So, when the user accesses port 443 through the Public IP, the request is directed to private port 8443. The Public IP address does not support protocols in which port mapping is opened dynamically, such as passive FTP or ALG. High availability does not work for traffic that uses a public IP address (PIP) associated with a VPX instance, instead of a PIP configured on the Azure load balancer. In a NetScaler Gateway deployment, users need not configure a SNIP address, because the NSIP can be used as a SNIP when no SNIP is configured. Users must configure the VIP address by using the NSIP address and some nonstandard port number. For call-back configuration on the back-end server, the VIP port number has to be specified along with the VIP URL (for example, url: port). Note: In the Azure Resource Manager, a NetScaler ADC VPX instance is associated with two IP addresses - a public IP address (PIP) and an internal IP address. While the external traffic connects to the PIP, the internal IP address or the NSIP is non-routable. To configure a VIP in VPX, use the internal IP address (NSIP) and any of the free ports available. Do not use the PIP to configure a VIP. For example, if the NSIP of a NetScaler ADC VPX instance is 10.1.0.3 and an available free port is 10022, then users can configure a VIP by providing the 10.1.0.3:10022 (NSIP address + port) combination.

Deployment Guide NetScaler ADC VPX on Azure - GSLBAuthor: Blake Schindler, Solutions ArchitectOverviewNetScaler ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications regardless of where they are hosted. It comes in a wide variety of form factors and deployment options without locking users into a single configuration or cloud. Pooled capacity licensing enables the movement of capacity among cloud deployments. As an undisputed leader of service and application delivery, NetScaler ADC is deployed in thousands of networks around the world to optimize, secure, and control the delivery of all enterprise and cloud services. Deployed directly in front of web and database servers, NetScaler ADC combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility, and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. NetScaler ADC allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required. NetScaler VPXThe NetScaler ADC VPX product is a virtual appliance that can be hosted on a wide variety of virtualization and cloud platforms: XenServer VMware ESX Microsoft Hyper-V Linux KVM Amazon Web Services Microsoft Azure Google Cloud Platform This deployment guide focuses on NetScaler ADC VPX on Microsoft Azure Microsoft AzureMicrosoft Azure is an ever-expanding set of cloud computing services built to help organizations meet their business challenges. Azure gives users the freedom to build, manage, and deploy applications on a massive, global network using their preferred tools and frameworks. With Azure, users can: Be future-ready with continuous innovation from Microsoft to support their development today and their product visions for tomorrow. Operate hybrid cloud seamlessly on-premises, in the cloud, and at the edge—Azure meets users where they are. Build on their terms with Azure’s commitment to open source and support for all languages and frameworks, allowing users to be free to build how they want and deploy where they want. Trust their cloud with security from the ground up—backed by a team of experts and proactive, industry-leading compliance that is trusted by enterprises, governments, and startups. Azure TerminologyHere is a brief description of the key terms used in this document that users must be familiar with: Azure Load Balancer – Azure load balancer is a resource that distributes incoming traffic among computers in a network. Traffic is distributed among virtual machines defined in a load-balancer set. A load balancer can be external or internet-facing, or it can be internal. Azure Resource Manager (ARM) – ARM is the new management framework for services in Azure. Azure Load Balancer is managed using ARM-based APIs and tools. Back-End Address Pool – IP addresses associated with the virtual machine NIC to which load is distributed. BLOB - Binary Large Object – Any binary object like a file or an image that can be stored in Azure storage. Front-End IP Configuration – An Azure Load balancer can include one or more front-end IP addresses, also known as a virtual IPs (VIPs). These IP addresses serve as ingress for the traffic. Instance Level Public IP (ILPIP) – An ILPIP is a public IP address that users can assign directly to a virtual machine or role instance, rather than to the cloud service that the virtual machine or role instance resides in. This does not take the place of the VIP (virtual IP) that is assigned to their cloud service. Rather, it is an extra IP address that can be used to connect directly to a virtual machine or role instance. Note: In the past, an ILPIP was referred to as a PIP, which stands for public IP. Inbound NAT Rules – This contains rules mapping a public port on the load balancer to a port for a specific virtual machine in the back-end address pool. IP-Config - It can be defined as an IP address pair (public IP and private IP) associated with an individual NIC. In an IP-Config, the public IP address can be NULL. Each NIC can have multiple IP-Configs associated with it, which can be up to 255. Load Balancing Rules – A rule property that maps a given front-end IP and port combination to a set of back-end IP addresses and port combinations. With a single definition of a load balancer resource, users can define multiple load balancing rules, each rule reflecting a combination of a front-end IP and port and back end IP and port associated with virtual machines. Network Security Group (NSG) – NSG contains a list of Access Control List (ACL) rules that allow or deny network traffic to virtual machine instances in a virtual network. NSGs can be associated with either subnets or individual virtual machine instances within that subnet. When an NSG is associated with a subnet, the ACL rules apply to all the virtual machine instances in that subnet. In addition, traffic to an individual virtual machine can be restricted further by associating an NSG directly to that virtual machine. Private IP addresses – Used for communication within an Azure virtual network, and user on-premises network when a VPN gateway is used to extend a user network to Azure. Private IP addresses allow Azure resources to communicate with other resources in a virtual network or an on-premises network through a VPN gateway or ExpressRoute circuit, without using an internet-reachable IP address. In the Azure Resource Manager deployment model, a private IP address is associated with the following types of Azure resources – virtual machines, internal load balancers (ILBs), and application gateways. Probes – This contains health probes used to check availability of virtual machines instances in the back-end address pool. If a particular virtual machine does not respond to health probes for some time, then it is taken out of traffic serving. Probes enable users to track the health of virtual instances. If a health probe fails, the virtual instance is taken out of rotation automatically. Public IP Addresses (PIP) – PIP is used for communication with the Internet, including Azure public-facing services and is associated with virtual machines, internet-facing load balancers, VPN gateways, and application gateways. Region - An area within a geography that does not cross national borders and that contains one or more data centers. Pricing, regional services, and offer types are exposed at the region level. A region is typically paired with another region, which can be up to several hundred miles away, to form a regional pair. Regional pairs can be used as a mechanism for disaster recovery and high availability scenarios. Also referred to generally as location. Resource Group - A container in Resource Manager that holds related resources for an application. The resource group can include all resources for an application, or only those resources that are logically grouped. Storage Account – An Azure storage account gives users access to the Azure blob, queue, table, and file services in Azure Storage. A user storage account provides the unique namespace for user Azure storage data objects. Virtual Machine – The software implementation of a physical computer that runs an operating system. Multiple virtual machines can run simultaneously on the same hardware. In Azure, virtual machines are available in various sizes. Virtual Network - An Azure virtual network is a representation of a user network in the cloud. It is a logical isolation of the Azure cloud dedicated to a user subscription. Users can fully control the IP address blocks, DNS settings, security policies, and route tables within this network. Users can also further segment their VNet into subnets and launch Azure IaaS virtual machines and cloud services (PaaS role instances). Also, users can connect the virtual network to their on-premises network using one of the connectivity options available in Azure. In essence, users can expand their network to Azure, with complete control on IP address blocks with the benefit of the enterprise scale Azure provides. Use CasesCompared to alternative solutions that require each service to be deployed as a separate virtual appliance, NetScaler ADC on Azure combines L4 load balancing, L7 traffic management, server offload, application acceleration, application security, and other essential application delivery capabilities in a single VPX instance, conveniently available via the Azure Marketplace. Furthermore, everything is governed by a single policy framework and managed with the same, powerful set of tools used to administer on-premises NetScaler ADC deployments. The net result is that NetScaler ADC on Azure enables several compelling use cases that not only support the immediate needs of today’s enterprises, but also the ongoing evolution from legacy computing infrastructures to enterprise cloud data centers. Global Server Load Balancing (GSLB) Global Server Load Balancing (GSLB) is huge for many of our customers. Those businesses have an on-prem data center presence serving regional customers, but with increasing demand for their business, they now want to scale and deploy their presence globally across AWS and Azure while maintaining their on-prem presence for regional customers. Customers want to do all of this with automated configurations as well. Thus, they are looking for a solution that can rapidly adapt to either evolving business needs or changes in the global market. With NetScaler ADC on the network administrator’s side, customers can use the Global Load Balancing (GLB) StyleBook to configure applications both on-prem and in the cloud, and that same config can be transferred to the cloud with NetScaler ADM. Users can reach either on-prem or cloud resources depending on proximity with GSLB. This allows for a seamless experience no matter where the users are located in the world. Deployment TypesMulti-NIC Multi-IP Deployment (Three-NIC Deployment) Use Cases Multi-NIC Multi-IP (Three-NIC) Deployments are used to achieve real isolation of data and management traffic. Multi-NIC Multi-IP (Three-NIC) Deployments also improve the scale and performance of the ADC. Multi-NIC Multi-IP (Three-NIC) Deployments are used in network applications where throughput is typically 1 Gbps or higher and a Three-NIC Deployment is recommended. Multi-NIC Multi-IP (Three-NIC) Deployments are also used in network applications for WAF Deployment. Multi-NIC Multi-IP (Three-NIC) Deployment for GSLBCustomers would potentially deploy using three-NIC deployment if they are deploying into a production environment where security, redundancy, availability, capacity, and scalability are critical. With this deployment method, complexity and ease of management are not critical concerns to the users. Azure Resource Manager (ARM) Template DeploymentCustomers would deploy using Azure Resource Manager (ARM) Templates if they are customizing their deployments or they are automating their deployments. Deployment StepsWhen users deploy a NetScaler ADC VPX instance on a Microsoft Azure Resource Manager (ARM), they can use the Azure cloud computing capabilities and use NetScaler ADC load balancing and traffic management features for their business needs. Users can deploy NetScaler ADC VPX instances on Azure Resource Manager either as standalone instances or as high availability pairs in active-standby modes. But users can deploy a NetScaler ADC VPX instance on Microsoft Azure in either of two ways: Through the Azure Marketplace. The NetScaler ADC VPX virtual appliance is available as an image in the Microsoft Azure Marketplace. NetScaler ADC ARM templates are available in the Azure Marketplace for standalone and HA deployment types. Using the NetScaler ADC Azure Resource Manager (ARM) json template available on GitHub. For more information, see the GitHub repository for NetScaler ADC Azure Templates. How a NetScaler ADC VPX Instance Works on AzureIn an on-premises deployment, a NetScaler ADC VPX instance requires at least three IP addresses: Management IP address, called NSIP address Subnet IP (SNIP) address for communicating with the server farm Virtual server IP (VIP) address for accepting client requests For more information, see: Network Architecture for NetScaler ADC VPX Instances on Microsoft Azure. Note: VPX virtual appliances can be deployed on any instance type that has two or more cores and more than 2 GB memory. In an Azure deployment, users can provision a NetScaler ADC VPX instance on Azure in three ways: Multi-NIC multi-IP architecture Single NIC multi IP architecture ARM (Azure Resource Manager) templates Depending on requirements, users can deploy any of these supported architecture types. Multi-NIC Multi-IP Architecture (Three-NIC)In this deployment type, users can have more than one network interfaces (NICs) attached to a VPX instance. Any NIC can have one or more IP configurations - static or dynamic public and private IP addresses assigned to it. Refer to the following use cases: Configure a High-Availability Setup with Multiple IP Addresses and NICs Configure a High-Availability Setup with Multiple IP Addresses and NICs by using PowerShell Commands Configure a High-Availability Setup with Multiple IP Addresses and NICsIn a Microsoft Azure deployment, a high-availability configuration of two NetScaler ADC VPX instances is achieved by using the Azure Load Balancer (ALB). This is achieved by configuring a health probe on ALB, which monitors each VPX instance by sending health probes at every 5 seconds to both primary and secondary instances. In this setup, only the primary node responds to health probes and the secondary does not. Once the primary sends the response to the health probe, the ALB starts sending the data traffic to the instance. If the primary instance misses two consecutive health probes, ALB does not redirect traffic to that instance. On failover, the new primary starts responding to health probes and the ALB redirects traffic to it. The standard VPX high availability failover time is three seconds. The total failover time that might occur for traffic switching can be a maximum of 13 seconds. Users can deploy a pair of NetScaler ADC VPX instances with multiple NICs in an active-passive high availability (HA) setup on Azure. Each NIC can contain multiple IP addresses. The following options are available for a multi-NIC high availability deployment: High availability using Azure availability set High availability using Azure availability zones For more information about Azure Availability Set and Availability Zones, see the Azure documentation: Manage the Availability of Linux Virtual Machines. High Availability using Availability SetA high availability setup using an availability set must meet the following requirements: An HA Independent Network Configuration (INC) configuration The Azure Load Balancer (ALB) in Direct Server Return (DSR) mode All traffic goes through the primary node. The secondary node remains in standby mode until the primary node fails. Note: For a NetScaler VPX high availability deployment on the Azure cloud to work, users need a floating public IP (PIP) that can be moved between the two VPX nodes. The Azure Load Balancer (ALB) provides that floating PIP, which is moved to the second node automatically in the event of a failover. In an active-passive deployment, the ALB front-end public IP (PIP) addresses are added as the VIP addresses in each VPX node. In an HA-INC configuration, the VIP addresses are floating and the SNIP addresses are instance specific. Users can deploy a VPX pair in active-passive high availability mode in two ways by using: NetScaler ADC VPX standard high availability template: use this option to configure an HA pair with the default option of three subnets and six NICs. Windows PowerShell commands: use this option to configure an HA pair according to your subnet and NIC requirements. This section describes how to deploy a VPX pair in active-passive HA setup by using the NetScaler template. If you want to deploy with PowerShell commands, see Configure a High-Availability Setup with Multiple IP Addresses and NICs by using PowerShell Commands. Configure HA-INC Nodes by using the NetScaler High Availability TemplateUsers can quickly and efficiently deploy a pair of VPX instances in HA-INC mode by using the standard template. The template creates two nodes, with three subnets and six NICs. The subnets are for management, client, and server-side traffic, and each subnet has two NICs for both of the VPX instances. Complete the following steps to launch the template and deploy a high availability VPX pair, by using Azure Availability Sets. From Azure Marketplace, select and initiate the NetScaler solution template. The template appears. Ensure deployment type is Resource Manager and select Create. The Basics page appears. Create a Resource Group and select OK. The General Settings page appears. Type the details and select OK. The Network Setting page appears. Check the VNet and subnet configurations, edit the required settings, and select OK. The Summary page appears. Review the configuration and edit accordingly. Select OK to confirm. The Buy page appears. Select Purchase to complete the deployment. It might take a moment for the Azure Resource Group to be created with the required configurations. After completion, select the Resource Group in the Azure portal to see the configuration details, such as LB rules, back-end pools, health probes. The high availability pair appears as ns-vpx0 and ns-vpx1. If further modifications are required for the HA setup, such as creating more security rules and ports, users can do that from the Azure portal. Next, users need to configure the load-balancing virtual server with the ALB’s Frontend public IP (PIP) address, on the primary node. To find the ALB PIP, select ALB > Frontend IP configuration. See the Resources section for more information about how to configure the load-balancing virtual server. Resources: The following links provide additional information related to HA deployment and virtual server (virtual server) configuration: Configuring High Availability Nodes in Different Subnets Set up Basic Load Balancing Related resources: Configure a High-Availability Setup with Multiple IP Addresses and NICs by using PowerShell Commands Configure GSLB on an Active-Standby High-Availability Setup High Availability using Availability ZonesAzure Availability Zones are fault-isolated locations within an Azure region, providing redundant power, cooling, and networking and increasing resiliency. Only specific Azure regions support Availability Zones. For more information, see: Regions and Availability Zones in Azure. Users can deploy a VPX pair in high availability mode by using the template called “NetScaler 13.0 HA using Availability Zones,” available in Azure Marketplace. Complete the following steps to launch the template and deploy a high availability VPX pair, by using Azure Availability Zones. From Azure Marketplace, select and initiate the NetScaler solution template. Ensure deployment type is Resource Manager and select Create. The Basics page appears. Enter the details and click OK. Note: Ensure that an Azure region that supports Availability Zones is selected. For more information about regions that support Availability Zones, see: Regions and Availability Zones in Azure. The General Settings page appears. Type the details and select OK. The Network Setting page appears. Check the VNet and subnet configurations, edit the required settings, and select OK. The Summary page appears. Review the configuration and edit accordingly. Select OK to confirm. The Buy page appears. Select Purchase to complete the deployment. It might take a moment for the Azure Resource Group to be created with the required configurations. After completion, select the Resource Group to see the configuration details, such as LB rules, back-end pools, health probes, in the Azure portal. The high availability pair appears as ns-vpx0 and ns-vpx1. Also, users can see the location under the Location column. If further modifications are required for the HA setup, such as creating more security rules and ports, users can do that from the Azure portal. ARM (Azure Resource Manager) TemplatesThe GitHub repository for NetScaler ADC ARM (Azure Resource Manager) templates hosts NetScaler ADC Azure Templates for deploying NetScaler ADC in Microsoft Azure Cloud Services. All templates in the repository are developed and maintained by the NetScaler ADC engineering team. Each template in this repository has co-located documentation describing the usage and architecture of the template. The templates attempt to codify the recommended deployment architecture of the NetScaler ADC VPX, or to introduce the user to the NetScaler ADC or to demonstrate a particular feature, edition, or option. Users can reuse, modify, or enhance the templates to suit their particular production and testing needs. Most templates require sufficient subscriptions to portal.azure.com to create resource and deploy templates. NetScaler ADC VPX Azure Resource Manager (ARM) templates are designed to ensure an easy and consistent way of deploying standalone NetScaler ADC VPX. These templates increase reliability and system availability with built-in redundancy. These ARM templates support Bring Your Own License (BYOL) or Hourly based selections. Choice of selection is either mentioned in the template description or offered during template deployment. For more information on how to provision a NetScaler ADC VPX instance on Microsoft Azure using ARM (Azure Resource Manager) templates, visit NetScaler ADC Azure Templates. NetScaler ADC GSLB and Domain Based Services Back-end Autoscale with Cloud Load BalancerGSLB and DBS OverviewNetScaler ADC GSLB supports using DBS (Domain Based Services) for Cloud load balancers. This allows for the auto-discovery of dynamic cloud services using a cloud load balancer solution. This configuration allows the NetScaler ADC to implement Global Server Load Balancing Domain-Name Based Services (GSLB DBS) in an Active-Active environment. DBS allows the scaling of back end resources in Microsoft Azure environments from DNS discovery. This section covers integrations between NetScaler ADC in the Azure Auto Scaling environments. The final section of the document details the ability to set up a HA pair of NetScaler ADCs that span two different Availability Zones (AZs) specific to an Azure region. Domain-Name Based Services – Azure ALBGLSB DBS utilizes the FQDN of the user Azure Load Balancer to dynamically update the GSLB Service Groups to include the back-end servers that are being created and deleted within Azure. To configure this feature, users point the NetScaler ADC to their Azure Load Balancer to dynamically route to different servers in Azure. They can do this without having to manually update the NetScaler ADC every time an instance is created and deleted within Azure. The NetScaler ADC DBS feature for GSLB Service Groups uses DNS-aware service discovery to determine the member service resources of the DBS namespace identified in the Autoscale group. Diagram: NetScaler ADC GSLB DBS Autoscale Components with Cloud Load Balancers Add the created NetScaler ADC back-end Pools Configure NetScaler ADC GSLB Domain Based ServiceThe following configurations summarize what is required to enable domain-based services for autoscaling ADCs in a GSLB enabled environment. Traffic Management Configurations Note: It is required to configure the NetScaler ADC with either a nameserver or a DNS virtual server through which the ELB /ALB Domains are resolved for the DNS Service Groups. Navigate to Traffic Management > Load Balancing > Servers Repeat step 2 to add the second ALB from the second resource in Azure. GSLB Configurations Click the Add button to configure a GSLB Site Name the Site. Type is configured as Remote or Local based on which NetScaler ADC users are configuring the site on. The Site IP Address is the IP address for the GSLB site. The GSLB site uses this IP address to communicate with the other GSLB sites. The Public IP address is required when using a cloud service where a particular IP is hosted on an external firewall or NAT device. The site should be configured as a Parent Site. Ensure the Trigger Monitors are set to ALWAYS. Also, be sure to check off the three boxes at the bottom for Metric Exchange, Network Metric Exchange, and Persistence Session Entry Exchange. NetScaler recommends that you set the Trigger monitor setting to MEPDOWN, please refer to: Configure a GSLB Service Group. Click Add to add a service group. Name the Service Group, use the HTTP protocol, and then under Site Name choose the respective site that was created in the previous steps. Be sure to configure autoscale Mode as DNS and check off the boxes for State and Health Monitoring. Click OK to create the Service Group. The Service group Member Binding should populate with 2 instances that it is receiving from the Elastic Load Balancer. Once the GSLB Virtual Server is created, click No GSLB Virtual Server ServiceGroup Binding. Next configure the GSLB Virtual Server Domain Binding by clicking No GSLB Virtual Server Domain Binding. Configure the FQDN and Bind, the rest of the settings can be left as the defaults. Configure the Method as LEASTCONNECTION and the Backup Method as ROUNDROBIN. Click Done and verify that the user GSLB Virtual Server is shown as Up. The NetScaler ADC GLB nodes handle the DNS name resolution. Any of these GLB nodes can receive DNS requests from any client location. The GLB node that receives the DNS request returns the load balancer virtual server IP address as selected by the configured load balancing method. Metrics (site, network, and persistence metrics) are exchanged between the GLB nodes using the metrics exchange protocol (MEP), which is a proprietary NetScaler protocol. For more information on the MEP protocol, see: Configure Metrics Exchange Protocol. The monitor configured in the GLB node monitors the health status of the load balancing virtual server in the same data center. In a parent-child topology, metrics between the GLB and NetScaler ADC nodes are exchanged by using MEP. However, configuring monitor probes between a GLB and NetScaler ADC LB node is optional in a parent-child topology. The NetScaler Application Delivery Management (ADM) service agent enables communication between the NetScaler ADM and the managed instances in your data center. For more information on NetScaler ADM service agents and how to install them, see: Getting Started. Note: This document makes the following assumptions: If users have an existing load balancing setup, it is up and running. A SNIP address or a GLB site IP address is configured on each of the NetScaler ADC GLB nodes. This IP address is used as the data center source IP address when exchanging metrics with other data centers. An ADNS or ADNS-TCP service is configured on each of the NetScaler ADC GLB instances to receive the DNS traffic. The required firewall and security groups are configured in the cloud service providers. SECURITY GROUPS CONFIGURATIONUsers must set up the required firewall/security groups configuration in the cloud service providers. For more information about AWS security features, see: AWS/Documentation/Amazon VPC/User Guide/Security. For more information about Microsoft Azure Network Security Groups, see: Azure/Networking/Virtual Network/Plan Virtual Networks/Security. In addition, on the GLB node, users must open port 53 for ADNS service/DNS server IP address and port 3009 for GSLB site IP address for MEP traffic exchange. On the load balancing node, users must open the appropriate ports to receive the application traffic. For example, users must open port 80 for receiving HTTP traffic and open port 443 for receiving HTTPS traffic. Open port 443 for NITRO communication between the NetScaler ADM service agent and NetScaler ADM. For the dynamic round trip time GLB method, users must open port 53 to allow UDP and TCP probes depending on the configured LDNS probe type. The UDP or the TCP probes are initiated using one of the SNIPs and therefore this setting must be done for security groups bound to the server-side subnet. Capabilities of the NetScaler ADC Hybrid and Multi-Cloud GLB SolutionSome of the capabilities of the NetScaler ADC hybrid and multi-cloud GLB solution are described in this section: Compatibility with other Load Balancing SolutionsThe NetScaler ADC hybrid and multi-cloud GLB solution supports various load balancing solutions, such as the NetScaler ADC load balancer, NGINX, HAProxy, and other third-party load balancers. Note: Load balancing solutions other than NetScaler ADC are supported only if proximity-based and non-metric based GLB methods are used and if parent-child topology is not configured. GLB MethodsThe NetScaler ADC hybrid and multi-cloud GLB solution supports the following GLB methods. Metric-based GLB methods. Metric-based GLB methods collect metrics from the other NetScaler ADC nodes through the metrics exchange protocol. Least Connection: The client request is routed to the load balancer that has the fewest active connections. Least Bandwidth: The client request is routed to the load balancer that is currently serving the least amount of traffic. Least Packets: The client request is routed to the load balancer that has received the fewest packets in the last 14 seconds. Non-metric based GLB methods Round Robin: The client request is routed to the IP address of the load balancer that is at the top of the list of load balancers. That load balancer then moves to the bottom of the list. Source IP Hash: This method uses the hashed value of the client IP address to select a load balancer. Proximity-based GLB methods Static Proximity: The client request is routed to the load balancer that is closest to the client IP address. Round-Trip Time (RTT): This method uses the RTT value (the time delay in the connection between the client’s local DNS server and the data center) to select the IP address of the best performing load balancer. For more information on the load balancing methods, see: Load Balancing Algorithms. GLB TopologiesThe NetScaler ADC hybrid and multi-cloud GLB solution supports the active-passive topology and parent-child topology. Active-passive topology - Provides disaster recovery and ensures continuous availability of applications by protecting against points of failure. If the primary data center goes down, the passive data center becomes operational. For more information about GSLB active-passive topology, see: Configure GSLB for Disaster Recovery. Parent-child topology – Can be used if customers are using the metric-based GLB methods to configure GLB and LB nodes and if the LB nodes are deployed on a different NetScaler ADC instance. In a parent-child topology, the LB node (child site) must be a NetScaler ADC appliance because the exchange of metrics between the parent and child site is through the metrics exchange protocol (MEP). For more information about parent-child topology, see: Parent-Child Topology Deployment using the MEP Protocol. IPv6 SupportThe NetScaler ADC hybrid and multi-cloud GLB solution also supports IPv6. MonitoringThe NetScaler ADC hybrid and multi-cloud GLB solution supports built-in monitors with an option to enable the secure connection. However, if LB and GLB configurations are on the same NetScaler ADC instance or if parent-child topology is used, configuring monitors is optional. PersistenceThe NetScaler ADC hybrid and multi-cloud GLB solution supports the following: Source IP based persistence sessions, so that multiple requests from the same client are directed to the same service if they arrive within the configured time-out window. If the time-out value expires before the client sends another request, the session is discarded, and the configured load balancing algorithm is used to select a new server for the client’s next request. Spillover persistence so that the backup virtual server continues to process the requests it receives, even after the load on the primary falls below the threshold. For more information, see: Configure Spillover. Site persistence so that the GLB node selects a data center to process a client request and forwards the IP address of the selected data center for all subsequent DNS requests. If the configured persistence applies to a site that is DOWN, the GLB node uses a GLB method to select a new site, and the new site becomes persistent for subsequent requests from the client. Configuration by using the NetScaler ADM StyleBooksCustomers can use the default Multi-cloud GLB StyleBook on NetScaler ADM to configure the NetScaler ADC instances with hybrid and multi-cloud GLB configuration. Customers can use the default Multi-cloud GLB StyleBook for LB Node StyleBook to configure the NetScaler ADC load balancing nodes which are the child sites in a parent-child topology that handle the application traffic. Use this StyleBook only if users want to configure LB nodes in a parent-child topology. However, each LB node must be configured separately using this StyleBook. Workflow of the NetScaler ADC Hybrid and Multi-Cloud GLB Solution ConfigurationCustomers can use the shipped Multi-cloud GLB StyleBook on NetScaler ADM to configure the NetScaler ADC instances with hybrid and multi-cloud GLB configuration. The following diagram shows the workflow for configuring the NetScaler ADC hybrid and multi-cloud GLB solution. The steps in the workflow diagram are explained in more detail after the diagram. PNG 19 Perform the following tasks as a cloud administrator: Sign up for a Citrix Cloud account. To start using NetScaler ADM, create a Citrix Cloud company account or join an existing one that has been created by someone in your company. After users log on to Citrix Cloud, click Manage on the NetScaler Application Delivery Management tile to set up the ADM service for the first time. Download and install multiple NetScaler ADM service agents. Users must install and configure the NetScaler ADM service agent in their network environment to enable communication between the NetScaler ADM and the managed instances in their data center or cloud. Install an agent in each region, so that they can configure LB and GLB configurations on the managed instances. The LB and GLB configurations can share a single agent. For more information on the above three tasks, see: Getting Started. Deploy load balancers on Microsoft Azure/AWS cloud/on-premises data centers. Depending on the type of load balancers that users are deploying on cloud and on-premises, provision them accordingly. For example, users can provision NetScaler ADC VPX instances in a Microsoft Azure Resource Manager (ARM) portal, in an Amazon Web Services (AWS) virtual private cloud and in on-premises data centers. Configure NetScaler ADC instances to function as LB or GLB nodes in standalone mode, by creating the virtual machines and configuring other resources. For more information on how to deploy NetScaler ADC VPX instances, see the following documents: NetScaler ADC VPX on AWS.Configure a NetScaler VPX Standalone Instance. Perform security configurations. Configure network security groups and network ACLs in ARM and AWS to control inbound and outbound traffic for user instances and subnets. Add NetScaler ADC instances in NetScaler ADM. NetScaler ADC instances are network appliances or virtual appliances that users want to discover, manage, and monitor from NetScaler ADM. To manage and monitor these instances, users must add the instances to the service and register both LB (if users are using NetScaler ADC for LB) and GLB instances. For more information on how to add NetScaler ADC instances in the NetScaler ADM, see: Getting Started. Implement the GLB and LB configurations using default NetScaler ADM StyleBooks. Use Multi-cloud GLB StyleBook to execute the GLB configuration on the selected GLB NetScaler ADC instances. Implement the load balancing configuration. (Users can skip this step if they already have LB configurations on the managed instances.) Users can configure load balancers on NetScaler ADC instances in one of two ways: Manually configure the instances for load balancing the applications. For more information on how to manually configure the instances, see: Set up Basic Load Balancing. Use StyleBooks. Users can use one of the NetScaler ADM StyleBooks (HTTP/SSL Load Balancing StyleBook or HTTP/SSL Load Balancing (with Monitors) StyleBook) to create the load balancer configuration on the selected NetScaler ADC instance. Users can also create their own StyleBooks. For more information on StyleBooks, see: StyleBooks. Use Multi-cloud GLB StyleBook for LB Node to configure GLB parent-child topology in any of the following cases: If users are using the metric-based GLB algorithms (Least Packets, Least Connections, Least Bandwidth) to configure GLB and LB nodes and if the LB nodes are deployed on a different NetScaler ADC instance If site persistence is required Using StyleBooks to Configure GLB on NetScaler ADC LB NodesCustomers can use the Multi-cloud GLB StyleBook for LB Node if they are using the metric-based GLB algorithms (Least Packets, Least Connections, Least Bandwidth) to configure GLB and LB nodes and if the LB nodes are deployed on a different NetScaler ADC instance. Users can also use this StyleBook to configure more child sites for an existing parent site. This StyleBook configures one child site at a time. So, create as many configurations (config packs) from this StyleBook as there are child sites. The StyleBook applies the GLB configuration on the child sites. Users can configure a maximum of 1024 child sites. Note: Use Multi-cloud GLB StyleBook found here: Using StyleBooks to Configure GLB to configure the parent sites. This StyleBook makes the following assumptions: A SNIP address or a GLB site IP address is configured. The required firewall and security groups are configured in the cloud service providers. Configuring a Child Site in a Parent-Child Topology by using Multi-cloud GLB StyleBook for LB Node Navigate to Applications > Configuration, and click Create New. The Choose StyleBook page displays all the StyleBooks available for customer use in NetScaler Application Delivery Management (ADM). Scroll down and select Multi-cloud GLB StyleBook for LB Node. The StyleBook appears as a user interface page on which users can enter the values for all the parameters defined in this StyleBook. Note: The terms data center and sites are used interchangeably in this document. Set the following parameters: Application Name. Enter the name of the GLB application deployed on the GLB sites for which you want to create child sites. Protocol. Select the application protocol of the deployed application from the drop-down list box. LB Health Check (Optional) Health Check Type. From the drop-down list box, select the type of probe used for checking the health of the load balancer VIP address that represents the application on a site. Secure Mode. (Optional) Select Yes to enable this parameter if SSL based health checks are required. HTTP Request. (Optional) If users selected HTTP as the health-check type, enter the full HTTP request used to probe the VIP address. List of HTTP Status Response Codes. (Optional) If users selected HTTP as the health check type, enter the list of HTTP status codes expected in responses to HTTP requests when the VIP is healthy. Configuring parent site. Provide the details of the parent site (GLB node) under which you want to create the child site (LB node). Site Name. Enter the name of the parent site. Site IP Address. Enter the IP address that the parent site uses as its source IP address when exchanging metrics with other sites. This IP address is assumed to be already configured on the GLB node in each site. Site Public IP Address. (Optional) Enter the Public IP address of the parent site that is used to exchange metrics, if that site’s IP address is NAT’ed. Configuring child site. Provide the details of the child site. Site name. Enter the name of the site. Site IP Address. Enter the IP address of the child site. Here, use the private IP address or SNIP of the NetScaler ADC node that is being configured as a child site. Site Public IP Address. (Optional) Enter the Public IP address of the child site that is used to exchange metrics, if that site’s IP address is NAT’ed. Configuring active GLB services (optional) Configure active GLB services only if the LB virtual server IP address is not a public IP address. This section allows users to configure the list of local GLB services on the sites where the application is deployed. Service IP. Enter the IP address of the load balancing virtual server on this site. Service Public IP Address. If the virtual IP address is private and has a public IP address NAT’ed to it, specify the public IP address. Service Port. Enter the port of the GLB service on this site. Site Name. Enter the name of the site on which the GLB service is located. Click Target Instances and select the NetScaler ADC instances configured as GLB instances on each site on which to deploy the GLB configuration. Click Create to create the LB configuration on the selected NetScaler ADC instance (LB node). Users can also click Dry Run to check the objects that would be created in the target instances. The StyleBook configuration that users have created appears in the list of configurations on the Configurations page. Users can examine, update, or remove this configuration by using the NetScaler ADM GUI. For more information on how to deploy a NetScaler ADC VPX instance on Microsoft Azure, see Deploy a NetScaler ADC VPX Instance on Microsoft Azure. For more information on how a NetScaler ADC VPX instance works on Azure, visit How a NetScaler ADC VPX Instance Works on Azure. For more information on how to configure GSLB on NetScaler ADC VPX instances, see Configure GSLB on NetScaler ADC VPX Instances. For more information on how to configure GSLB on an active-standby high-availability setup on Azure, visit Configure GSLB on an Active-Standby High-Availability Setup. PrerequisitesUsers need some prerequisite knowledge before deploying a NetScaler VPX instance on Azure: Familiarity with Azure terminology and network details. For information, see the Azure terminology in the previous section. Knowledge of a NetScaler ADC appliance. For detailed information about the NetScaler ADC appliance, see: NetScaler ADC 13.0. For knowledge of NetScaler ADC networking, see the Networking topic: Networking. Azure GSLB PrerequisitesThe prerequisites for the NetScaler ADC GSLB Service Groups include a functioning Amazon Web Services / Microsoft Azure environment with the knowledge and ability to configure Security Groups, Linux Web Servers, NetScaler ADCs within AWS, Elastic IPs, and Elastic Load Balancers. GSLB DBS Service integration requires NetScaler ADC version 12.0.57 for AWS ELB and Microsoft Azure ALB load balancer instances. NetScaler ADC GSLB Service Group Feature Enhancements GSLB Service Group entity: NetScaler ADC version 12.0.57 GSLB Service Group is introduced which supports autoscale using DBS dynamic discovery. DBS Feature Components (domain-based service) must be bound to the GSLB service group Example: > add server sydney_server LB-Sydney-xxxxxxxxxx.ap-southeast-2.elb.amazonaws.com> add gslb serviceGroup sydney_sg HTTP -autoscale DNS -siteName sydney> bind gslb serviceGroup sydney_sg sydney_server 80 LimitationsRunning the NetScaler ADC VPX load balancing solution on ARM imposes the following limitations: The Azure architecture does not accommodate support for the following NetScaler ADC features: Clustering IPv6 Gratuitous ARP (GARP) L2 Mode (bridging). Transparent virtual server are supported with L2 (MAC rewrite) for servers in the same subnet as the SNIP. Tagged VLAN Dynamic Routing Virtual MAC USIP Jumbo Frames If you think you might need to shut down and temporarily deallocate the NetScaler ADC VPX virtual machine at any time, assign a static Internal IP address while creating the virtual machine. If you do not assign a static internal IP address, Azure might assign the virtual machine a different IP address each time it restarts, and the virtual machine might become inaccessible. In an Azure deployment, only the following NetScaler ADC VPX models are supported: VPX 10, VPX 200, VPX 1000, and VPX 3000. For more information, see the NetScaler ADC VPX Data Sheet. If a NetScaler ADC VPX instance with a model number higher than VPX 3000 is used, the network throughput might not be the same as specified by the instance’s license. However, other features, such as SSL throughput and SSL transactions per second, might improve. The “deployment ID” that Azure generates during virtual machine provisioning is not visible to the user in ARM. Users cannot use the deployment ID to deploy NetScaler ADC VPX appliance on ARM. The NetScaler ADC VPX instance supports 20 Mb/s throughput and standard edition features when it is initialized. For a XenApp and XenDesktop deployment, a VPN virtual server on a VPX instance can be configured in the following modes: Basic mode, where the ICAOnly VPN virtual server parameter is set to ON. The Basic mode works fully on an unlicensed NetScaler ADC VPX instance. SmartAccess mode, where the ICAOnly VPN virtual server parameter is set to OFF. The SmartAccess mode works for only 5 NetScaler ADC AAA session users on an unlicensed NetScaler ADC VPX instance. Note: To configure the Smart Control feature, users must apply a Premium license to the NetScaler ADC VPX instance. Azure-VPX Supported Models and LicensingIn an Azure deployment, only the following NetScaler ADC VPX models are supported: VPX 10, VPX 200, VPX 1000, and VPX 3000. For more information, see the NetScaler ADC VPX Data Sheet. A NetScaler ADC VPX instance on Azure requires a license. The following licensing options are available for NetScaler ADC VPX instances running on Azure. Subscription-based licensing: NetScaler ADC VPX appliances are available as paid instances on Azure Marketplace. Subscription based licensing is a pay-as-you-go option. Users are charged hourly. The following VPX models and license types are available on Azure Marketplace:VPX ModelLicense TypeVPX10Standard, Advanced, PremiumVPX200Standard, Advanced, PremiumVPX1000Standard, Advanced, PremiumVPX3000Standard, Advanced, Premium Bring your own license (BYOL): If users bring their own license (BYOL), they should see the VPX Licensing Guide at: CTX122426/NetScaler VPX and CloudBridge VPX Licensing Guide. Users have to: Use the licensing portal within MyCitrix to generate a valid license. Upload the license to the instance. NetScaler ADC VPX Check-In/Check-Out licensing: For more information, see: NetScaler ADC VPX Check-in and Check-out Licensing. Starting with NetScaler release 12.0 56.20, VPX Express for on-premises and cloud deployments does not require a license file. For more information on NetScaler ADC VPX Express see the “NetScaler ADC VPX Express license” section in NetScaler ADC licensing overview, which can be found here: Licensing Overview. Note: Regardless of the subscription-based hourly license bought from Azure Marketplace, in rare cases, the NetScaler ADC VPX instance deployed on Azure might come up with a default NetScaler license. This happens due to issues with Azure Instance Metadata Service (IMDS). Perform a warm restart before making any configuration change on the NetScaler ADC VPX instance, to enable the correct NetScaler ADC VPX license. Port Usage GuidelinesUsers can configure more inbound and outbound rules n NSG while creating the NetScaler VPX instance or after the virtual machine is provisioned. Each inbound and outbound rule is associated with a public port and a private port. Before configuring NSG rules, note the following guidelines regarding the port numbers users can use: The NetScaler VPX instance reserves the following ports. Users cannot define these as private ports when using the Public IP address for requests from the internet. Ports 21, 22, 80, 443, 8080, 67, 161, 179, 500, 520, 3003, 3008, 3009, 3010, 3011, 4001, 5061, 9000, 7000. However, if users want internet-facing services such as the VIP to use a standard port (for example, port 443) users have to create port mapping by using the NSG. The standard port is then mapped to a different port that is configured on the NetScaler ADC VPX for this VIP service. For example, a VIP service might be running on port 8443 on the VPX instance but be mapped to public port 443. So, when the user accesses port 443 through the Public IP, the request is directed to private port 8443. The Public IP address does not support protocols in which port mapping is opened dynamically, such as passive FTP or ALG. In a NetScaler Gateway deployment, users need not configure a SNIP address, because the NSIP can be used as a SNIP when no SNIP is configured. Users must configure the VIP address by using the NSIP address and some nonstandard port number. For call-back configuration on the back-end server, the VIP port number has to be specified along with the VIP URL (for example, url: port). Note: In Azure Resource Manager, a NetScaler ADC VPX instance is associated with two IP addresses - a public IP address (PIP) and an internal IP address. While the external traffic connects to the PIP, the internal IP address or the NSIP is non-routable. To configure a VIP in VPX, use the internal IP address (NSIP) and any of the free ports available. Do not use the PIP to configure a VIP. For example, if NSIP of a NetScaler ADC VPX instance is 10.1.0.3 and an available free port is 10022, then users can configure a VIP by providing the 10.1.0.3:10022 (NSIP address + port) combination.

Deployment Guide NetScaler ADC VPX on AWS - GSLBOverviewNetScaler ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications regardless of where they are hosted. It comes in a wide variety of form factors and deployment options without locking users into a single configuration or cloud. Pooled capacity licensing enables the movement of capacity among cloud deployments. As an undisputed leader of service and application delivery, NetScaler ADC is deployed in thousands of networks around the world to optimize, secure, and control the delivery of all enterprise and cloud services. Deployed directly in front of web and database servers, NetScaler ADC combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. NetScaler ADC allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required. NetScaler VPXThe NetScaler ADC VPX product is a virtual appliance that can be hosted on a wide variety of virtualization and cloud platforms: XenServer Hypervisor VMware ESX Microsoft Hyper-V Linux KVM Amazon Web Services Microsoft Azure Google Cloud Platform This deployment guide focuses on NetScaler ADC VPX on Amazon Web Services. Amazon Web ServicesAmazon Web Services (AWS) is a comprehensive, evolving cloud computing platform provided by Amazon that includes a mixture of infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS) offerings. AWS services can offer tools such as compute power, database storage, and content delivery services. AWS offers the following essential services AWS Compute Services Migration Services Storage Database Services Management Tools Security Services Analytics Networking Messaging Developer Tools Mobile Services AWS TerminologyHere is a brief description of essential terms used in this document that users must be familiar with: Elastic Network Interface (ENI) - A virtual network interface that users can attach to an instance in a Virtual Private Cloud (VPC). Elastic IP (EIP) address - A static, public IPv4 address that users have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with user accounts, not a specific instance. They are elastic because users can easily allocate, attach, detach, and free them as their needs change. Subnet - A segment of the IP address range of a VPC with which EC2 instances can be attached. Users can create subnets to group instances according to security and operational needs. Virtual Private Cloud (VPC) - A web service for provisioning a logically isolated section of the AWS cloud where users can launch AWS resources in a virtual network that they define. Here is a brief description of other terms used in this document that users should be familiar with: Amazon Machine Image (AMI) - A machine image, which provides the information required to launch an instance, which is a virtual server in the cloud. Elastic Block Store - Provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. Simple Storage Service (S3) - Storage for the Internet. It is designed to make web-scale computing easier for developers. Elastic Compute Cloud (EC2) - A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers. Elastic Load Balancing (ELB) - Distributes incoming application traffic across multiple EC2 instances, in multiple Availability Zones. This increases the fault tolerance of user applications. Instance type - Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give users the flexibility to choose the appropriate mix of resources for their applications. Identity and Access Management (IAM) - An AWS identity with permission policies that determine what the identity can and cannot do in AWS. Users can use an IAM role to enable applications running on an EC2 instance to securely access their AWS resources. IAM role is required for deploying VPX instances in a high-availability setup. Internet Gateway - Connects a network to the Internet. Users can route traffic for IP addresses outside their VPC to the Internet gateway. Key pair - A set of security credentials with which users prove their identity electronically. A key pair consists of a private key and a public key. Route table - A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. Users can associate multiple subnets with a single route table, but a subnet can be associated with only one route table at a time. Auto Scaling - A web service to launch or terminate Amazon EC2 instances automatically based on user-defined policies, schedules, and health checks. CloudFormation - A service for writing or changing templates that create and delete related AWS resources together as a unit. Use CasesCompared to alternative solutions that require each service to be deployed as a separate virtual appliance, NetScaler ADC on AWS combines L4 load balancing, L7 traffic management, server offload, application acceleration, application security, and other essential application delivery capabilities in a single VPX instance, conveniently available via the AWS Marketplace. Furthermore, everything is governed by a single policy framework and managed with the same, powerful set of tools used to administer on-premises NetScaler ADC deployments. The net result is that NetScaler ADC on AWS enables several compelling use cases that not only support the immediate needs of today’s enterprises, but also the ongoing evolution from legacy computing infrastructures to enterprise cloud data centers. Global Server Load Balancing (GSLB)Global Server Load Balancing (GSLB) is important for many of our customers. Those businesses have an on-prem data center presence serving regional customers, but with increasing demand for their business, they now want to scale and deploy their presence globally across AWS and Azure while maintaining their on-prem presence for regional customers. Customers want to do all of this with automated configurations as well. Thus, they are looking for a solution that can rapidly adapt to either evolving business needs or changes in the global market. With NetScaler ADC on the network administrator’s side, customers can use the Global Load Balancing (GLB) StyleBook to configure applications both on-prem and in the cloud, and that same config can be transferred to the cloud with NetScaler ADM. Users can reach either on-prem or cloud resources depending on proximity with GSLB. This allows for a seamless experience no matter where the users are located in the world. Deployment TypesThree-NIC Deployment Typical Deployments GLB StyleBook With ADM With GSLB (Route53 w/domain registration) Licensing - Pooled/Marketplace Use Cases Three-NIC Deployments are used to achieve real isolation of data and management traffic. Three-NIC Deployments also improve the scale and performance of the ADC. Three-NIC Deployments are used in network applications where throughput is typically 1 Gbps or higher and a Three-NIC Deployment is recommended. CFT DeploymentCustomers would deploy using CloudFormation Templates if they are customizing their deployments or they are automating their deployments. Deployment StepsThree-NIC Deployment for GSLBThe NetScaler ADC VPX instance is available as an Amazon Machine Image (AMI) in the AWS marketplace, and it can be launched as an Elastic Compute Cloud (EC2) instance within an AWS VPC. The minimum EC2 instance type allowed as a supported AMI on NetScaler VPX is m4.large. The NetScaler ADC VPX AMI instance requires a minimum of 2 virtual CPUs and 2 GB of memory. An EC2 instance launched within an AWS VPC can also provide the multiple interfaces, multiple IP addresses per interface, and public and private IP addresses needed for VPX configuration. Each VPX instance requires at least three IP subnets: A management subnet A client-facing subnet (VIP) A back-end facing subnet (SNIP) Citrix recommends three network interfaces for a standard VPX instance on AWS installation. AWS currently makes multi-IP functionality available only to instances running within an AWS VPC. A VPX instance in a VPC can be used to load balance servers running in EC2 instances. An Amazon VPC allows users to create and control a virtual networking environment, including their own IP address range, subnets, route tables, and network gateways. Note: By default, users can create up to 5 VPC instances per AWS region for each AWS account. Users can request higher VPC limits by submitting Amazon’s request form here: Amazon VPC Request. LicensingA NetScaler ADC VPX instance on AWS requires a license. The following licensing options are available for NetScaler ADC VPX instances running on AWS: Free (unlimited) Hourly Annual Bring your own license Free Trial (all NetScaler ADC VPX-AWS subscription offerings for 21 days free in AWS marketplace). Deployment OptionsUsers can deploy a NetScaler ADC VPX standalone instance on AWS by using the following options: AWS web console Citrix-authored CloudFormation template AWS CLI Three-NIC Deployment StepsUsers can deploy a NetScaler ADC VPX instance on AWS through the AWS web console. The deployment process includes the following steps: Create a Key Pair Create a Virtual Private Cloud (VPC) Add more subnets Create security groups and security rules Add route tables Create an internet gateway Create a NetScaler ADC VPX instance Create and attach more network interfaces Attach elastic IPs to the management NIC Connect to the VPX instance Create a Key PairAmazon EC2 uses a key pair to encrypt and decrypt logon information. To log on to an instance, users must create a key pair, specify the name of the key pair when they launch the instance, and provide the private key when they connect to the instance. When users review and launch an instance by using the AWS Launch Instance wizard, they are prompted to use an existing key pair or create a new key pair. For more information about how to create a key pair, see: Amazon EC2 Key Pairs and Linux Instances. Create a VPCA NetScaler ADC VPC instance is deployed inside an AWS VPC. A VPC allows users to define virtual networks dedicated to their AWS account. For more information about AWS VPC, see: Getting Started With IPv4 for Amazon VPC. While creating a VPC for a NetScaler ADC VPX instance, keep the following points in mind. Use the VPC with a Single Public Subnet Only option to create an AWS VPC in an AWS availability zone. Citrix recommends that users create at least three subnets, of the following types: One subnet for management traffic. Place the management IP (NSIP) on this subnet. By default, elastic network interface (ENI) eth0 is used for the management IP. One or more subnets for client-access (user-to-NetScaler ADC VPX) traffic, through which clients connect to one or more virtual IP (VIP) addresses assigned to NetScaler ADC load balancing virtual servers. One or more subnets for the server-access (VPX-to-server) traffic, through which user servers connect to VPX-owned subnet IP (SNIP) addresses. For more information about NetScaler ADC load balancing and virtual servers, virtual IP addresses (VIPs), and subnet IP addresses (SNIPs). All subnets must be in the same availability zone. Add SubnetsWhen the VPC wizard is used for deployment, only one subnet is created. Depending on user requirements, users may want to create more subnets. For more information about how to create more subnets, see: VPCs and Subnets. Create Security Groups and Security RulesTo control inbound and outbound traffic, create security groups and add rules to the groups. For more information about how to create groups and add rules, see: Security Groups for Your VPC. For NetScaler ADC VPX instances, the EC2 wizard gives default security groups, which are generated by AWS Marketplace and is based on recommended settings by Citrix. However, users can create more security groups based on their requirements. Note: Port 22, 80, 443 to be opened on the Security group for SSH, HTTP, and HTTPS access respectively. Add Route TablesRoute tables contain a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in a VPC must be associated with a route table. For more information about how to create a route table, see: Route Tables. Create an Internet GatewayAn internet gateway serves two purposes: to provide a target in the VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. Create an internet gateway for internet traffic. For more information about how to create an Internet Gateway, see the section: Creating and Attaching an Internet Gateway. Create a NetScaler ADC VPX Instance by using the AWS EC2 ServiceTo create a NetScaler ADC VPX instance by using the AWS EC2 service, complete the following steps: From the AWS dashboard, go to Compute > EC2 > Launch Instance > AWS Marketplace. Before clicking Launch Instance, users should ensure their region is correct by checking the note that appears under Launch Instance. In the Search AWS Marketplace bar, search with the keyword NetScaler ADC VPX. Select the version the user wants to deploy and then click Select. For the NetScaler ADC VPX version, users have the following options: A licensed version NetScaler ADC VPX Express appliance (This is a free virtual appliance, which is available from NetScaler ADC version 12.0 56.20.) Bring your own device The Launch Instance wizard starts. Follow the wizard to create an instance. The wizard prompts users to: Choose Instance Type Configure Instance Add Storage Add Tags Configure Security Group Review Create and Attach more Network InterfacesCreate two more network interfaces for the VIP and SNIP. For more information about how to create more network interfaces, see: Creating a Network Interface. After users have created the network interfaces, they must attach the interfaces to the VPX instance. Before attaching the interfaces, shut down the VPX instance, attach the interfaces, and power on the instance. For more information about how to attach network interfaces, see the section: Attaching a Network Interface When Launching an Instance. Allocate and Associate Elastic IPsIf users assign a public IP address to an EC2 instance, it remains assigned only until the instance is stopped. After that, the address is released back to the pool. When users restart the instance, a new public IP address is assigned. In contrast, an elastic IP (EIP) address remains assigned until the address is disassociated from an instance. Allocate and associate an elastic IP for the management NIC. For more information about how to allocate and associate elastic IP addresses, see these topics: Allocating an Elastic IP Address Associating an Elastic IP Address with a Running Instance These steps complete the procedure to create a NetScaler ADC VPX instance on AWS. It can take a few minutes for the instance to be ready. Check that the instance has passed its status checks. Users can view this information in the Status Checks column on the Instances page. Connect to the VPX InstanceAfter users have created the VPX instance, users can connect to the instance by using the GUI and an SSH client. GUIThe following are the default administrator credentials to access a NetScaler ADC VPX instance: User name: nsroot Password: The default password for the nsroot account is set to the AWS instance-ID of the NetScaler ADC VPX instance. SSH clientFrom the AWS management console, select the NetScaler ADC VPX instance and click Connect. Follow the instructions given on the Connect to Your Instance page. For more information about how to deploy a NetScaler ADC VPX standalone instance on AWS by using the AWS web console, see: Scenario: Standalone Instance Configure GSLB in two AWS LocationsSetting up GSLB for the NetScaler ADC on AWS basically consists of configuring the NetScaler ADC to load balance traffic to servers located outside the VPC that the NetScaler ADC belongs to, such as within another VPC in a different Availability Region or an on-premises data center. Configure AWS ComponentsSecurity Groups Note: Recommendation should be to create different security groups for ELB, NetScaler ADC GSLB Instance, and Linux instance, as the set of rules required for each of these entities is different. This example has a consolidated Security Group configuration for brevity. To ensure the proper configuration of the virtual firewall, see: Security Groups for Your VPC. Step 1: Log in to the user AWS resource group and navigate to EC2 > NETWORK & SECURITY > Security Groups. Step 3: Add the inbound port rules from the following screenshot. Note: Limiting Source IP access is recommended for granular hardening. For more information, see: Web Server Rules. Step 5: Click Launch Instance using the details that follow to configure the Amazon Linux instance. Fill in details about setting up a Web Server or back-end service on this instance. Step 7: Click Launch Instance and use the following details to configure the Amazon AMI instance. Elastic Load BalancerStep 9: Log in to the user AWS resource group and navigate to EC2 > LOAD BALANCING > Load Balancers. Configuring Global Server Load Balancing Domain-Name Based ServicesTraffic Management Configurations Note: It is required to configure the NetScaler ADC with either a nameserver or a DNS virtual server through which the ELB/ALB Domains will be resolved for the DBS Service Groups. Step 1: Navigate to Traffic Management > Load Balancing > Servers. GSLB ConfigurationStep 1: Navigate to Traffic Management > GSLB > Sites. Citrix recommends setting the Trigger monitor setting to MEPDOWN. For more information, see: Configure a GSLB Service Group . Step 3: The following screenshot from the AWS configurations shows where users can find the Site IP Address and Public IP Address. The IPs are found under Network & Security > Elastic IPs. Click Create, repeat steps 2 and 3 to configure the GSLB site for the other resource location in AWS (this can be configured on the same NetScaler ADC). Step 5: Click Add to add a service group. Name the Service Group, use the HTTP protocol, and then under Site Name, choose the respective site that was created in the previous steps. Be sure to configure AutoScale Mode as DNS and check off the boxes for State and Health Monitoring. Click OK to create the Service Group. Step 7: The Service group Member Binding should populate with two instances that it is receiving from the Elastic Load Balancer. Repeat steps to configure the Service Group for the second resource location in AWS. (This can be done from the same location). Step 9: When the GSLB Virtual Server is created, click No GSLB Virtual Server ServiceGroup Binding. Click Add to create the virtual server. Name the server, DNS Record Type is set as A, Service Type is set as HTTP, and check the boxes for Enable after Creating and AppFlow Logging. Click OK to create the GSLB Virtual Server. (NetScaler ADC GUI) Step 11: Next configure the GSLB Virtual Server Domain Binding by clicking No GSLB Virtual Server Domain Binding. Configure the FQDN and Bind, the rest of the settings can be left as the defaults. Step 12: Configure the ADNS Service by clicking No Service. Add a Service Name, click New Server, and enter the IP Address of the ADNS server. Also, if the user ADNS is already configured users can select Existing Server and then choose their ADNS from the menu. Make sure the Protocol is ADNS and the traffic is over Port 53. Configure the Method as LEASTCONNECTION and Backup Method as ROUNDROBIN. The NetScaler ADC GLB nodes handle the DNS name resolution. Any of these GLB nodes can receive DNS requests from any client location. The GLB node that receives the DNS request returns the load balancer virtual server IP address as selected by the configured load balancing method. Metrics (site, network, and persistence metrics) are exchanged between the GLB nodes using the metrics exchange protocol (MEP), which is a proprietary Citrix protocol. For more information on the MEP protocol, see: Configure Metrics Exchange Protocol . The monitor configured in the GLB node monitors the health status of the load balancing virtual server in the same data center. In a parent-child topology, metrics between the GLB and NetScaler ADC nodes are exchanged by using MEP. However, configuring monitor probes between a GLB and NetScaler ADC LB node is optional in a parent-child topology. The NetScaler Application Delivery Management (ADM) service agent enables communication between the NetScaler ADM and the managed instances in the user data center. For more information on NetScaler ADM service agents and how to install them, see: Getting Started . Note: This document makes the following assumptions: If users have an existing load balancing setup, it is up and running. A SNIP address or a GLB site IP address is configured on each of the NetScaler ADC GLB nodes. This IP address is used as the data center source IP address when exchanging metrics with other data centers. An ADNS or ADNS-TCP service is configured on each of the NetScaler ADC GLB instances to receive the DNS traffic. The required firewall and security groups are configured in the cloud service providers. Security Groups ConfigurationUsers must set up the required firewall/security groups configuration in the cloud service providers. For more information about AWS security features, see: AWS/Documentation/Amazon VPC/User Guide/Security. Also, on the GLB node, users must open port 53 for ADNS service/DNS server IP address and port 3009 for GSLB site IP address for MEP traffic exchange. On the load balancing node, users must open the appropriate ports to receive the application traffic. For example, users must open port 80 for receiving HTTP traffic and open port 443 for receiving HTTPS traffic. Open port 443 for NITRO communication between the NetScaler ADM service agent and NetScaler ADM. For the dynamic round trip time GLB method, users must open port 53 to allow UDP and TCP probes depending on the configured LDNS probe type. The UDP or the TCP probes are initiated using one of the SNIPs and therefore this setting must be done for security groups bound to the server-side subnet. Capabilities of the NetScaler ADC Hybrid and Multi-Cloud GLB SolutionSome of the capabilities of the NetScaler ADC hybrid and multi-cloud GLB solution are described in this section. Compatibility with other Load Balancing SolutionsThe NetScaler ADC hybrid and multi-cloud GLB solution supports various load balancing solutions such as the NetScaler ADC load balancer, NGINX, HAProxy, and other third-party load balancers. Note: Load balancing solutions other than NetScaler ADC are supported only if proximity-based and non-metric based GLB methods are used and if parent-child topology is not configured. GLB MethodsThe NetScaler ADC hybrid and multi-cloud GLB solution supports the following GLB methods. Metric-based GLB methods. Metric-based GLB methods collect metrics from the other NetScaler ADC nodes through the metrics exchange protocol. Least Connection: The client request is routed to the load balancer that has the fewest active connections. Least Bandwidth: The client request is routed to the load balancer that is currently serving the least amount of traffic. Least Packets: The client request is routed to the load balancer that has received the fewest packets in the last 14 seconds. Non-metric based GLB methods Round Robin: The client request is routed to the IP address of the load balancer that is at the top of the list of load balancers. That load balancer then moves to the bottom of the list. Source IP Hash: This method uses the hashed value of the client IP address to select a load balancer. Proximity-based GLB methods Static Proximity: The client request is routed to the load balancer that is closest to the client IP address. Round-Trip Time (RTT): This method uses the RTT value (the time delay in the connection between the client’s local DNS server and the data center) to select the IP address of the best performing load balancer. For more information on the load balancing methods, see: Load Balancing Algorithms . GLB TopologiesThe NetScaler ADC hybrid and multi-cloud GLB solution supports the active-passive topology and parent-child topology. Active-passive topology - Provides disaster recovery and ensures continuous availability of applications by protecting against points of failure. If the primary data center goes down, the passive data center becomes operational. For more information about GSLB active-passive topology, see: Configure GSLB for Disaster Recovery . Parent-child topology – Can be used if customers are using the metric-based GLB methods to configure GLB and LB nodes and if the LB nodes are deployed on a different NetScaler ADC instance. In a parent-child topology, the LB node (child site) must be a NetScaler ADC appliance because the exchange of metrics between the parent and child site is through the metrics exchange protocol (MEP). For more information about parent-child topology, see: Parent-Child Topology Deployment using the MEP Protocol . IPv6 SupportThe NetScaler ADC hybrid and multi-cloud GLB solution also supports IPv6. MonitoringThe NetScaler ADC hybrid and multi-cloud GLB solution supports built-in monitors with an option to enable the secure connection. However, if LB and GLB configurations are on the same NetScaler ADC instance or if parent-child topology is used, configuring monitors is optional. PersistenceThe NetScaler ADC hybrid and multi-cloud GLB solution supports the following: Source IP based persistence sessions, so that multiple requests from the same client are directed to the same service if they arrive within the configured time-out window. If the time-out value expires before the client sends another request, the session is discarded, and the configured load balancing algorithm is used to select a new server for the client’s next request. Spillover persistence so that the backup virtual server continues to process the requests it receives, even after the load on the primary falls below the threshold. For more information, see: Configure Spillover. Site persistence so that the GLB node selects a data center to process a client request and forwards the IP address of the selected data center for all subsequent DNS requests. If the configured persistence applies to a site that is DOWN, the GLB node uses a GLB method to select a new site, and the new site becomes persistent for subsequent requests from the client. Configuration by using NetScaler ADM StyleBooksCustomers can use the default Multi-cloud GLB StyleBook on NetScaler ADM to configure the NetScaler ADC instances with hybrid and multi-cloud GLB configurations. Customers can use the default Multi-cloud GLB StyleBook for the LB Node StyleBook to configure the NetScaler ADC load balancing nodes which are the child sites in a parent-child topology that handle the application traffic. Use this StyleBook only if users want to configure LB nodes in a parent-child topology. However, each LB node must be configured separately using this StyleBook. Workflow of the NetScaler ADC Hybrid and Multi-Cloud GSLB Solution ConfigurationCustomers can use the shipped Multi-cloud GLB StyleBook on NetScaler ADM to configure the NetScaler ADC instances with hybrid and multi-cloud GLB configurations. The following diagram shows the workflow for configuring a NetScaler ADC hybrid and multi-cloud GLB solution. The steps in the workflow diagram are explained in more detail after the diagram.

Reference Architecture: Application Delivery ManagementContributed By: Albert LeeSpecial Thanks To: Andrew Gravett OverviewNetScaler Application Delivery Management (ADM) is a centralized management solution. It simplifies operations by providing administrators with enterprise-wide visibility and automating management jobs that are getting ran across multiple instances. You can manage and monitor NetScaler application networking products including NetScaler Application Delivery Controllers (ADC) MPX, VPX, SDX, CPX, BLX, NetScaler Gateway, NetScaler Web Application Firewall (WAF), and Citrix SD-WAN. You can use ADM to manage, monitor, and troubleshoot the entire global application delivery infrastructure from a single, unified console. ADM also addresses the application visibility challenge by collecting detailed information about web-application and virtual-desktop traffic including application flow, security events, user-session-level information, webpage performance data, and database information flowing through the managed NetScaler Appliances, and providing actionable reports. This approach enables administrators to troubleshoot and proactively monitor customer issues in a matter of minutes. NetScaler ADM Software virtual appliances can be deployed in several deployment modes and provide the flexibility to integrate within your existing NetScaler networking design. The following are some of the deployment scenarios implemented by using ADM Software appliances. Single ServerHigh Availability (Recommended)Disaster Recovery ModeADM Agent Deployment (for adding remote Sites)This ADM Reference document defines a set of architectural building blocks for delivering NetScaler Application Delivery Management (NetScaler ADM). The target audiences are technical professionals and architects seeking knowledge on how to key components to support the following objectives. ADM Appliance Software ArchitectureThe NetScaler Application Delivery Management (ADM) software uses a built-in data store to provide integration with the server, and the server manages all the key processes, such as data collection, NITRO API calls. In its data store, the server stores an inventory of instance details, such as host name, software version, running, and saved the configuration, certificate details, entities configured on the instance. Single server deployment is suitable if you want to process small amounts of traffic or store data for a limited time. The following image shows the different internal and external subsystem components of a NetScaler ADM appliance and the communication flow between the internal ADM server components and externally managed networking appliances and instances. ADM Key System RequirementsBefore importing a NetScaler ADM appliance to your current platform (that is, Hypervisors), understanding the critical system licensing, hypervisor requirements, appliance image requirements, and ADC Build Integration limitations is a must. Licensing OverviewNetScaler ADM requires a verified NetScaler ADC license to manage and monitor the NetScaler ADC instances. You can manage and monitor any number of supported instances and entities without a license. However, you can select and configure Analytics for an initial 30 discovered applications on the App Dashboard and view analytics data for 30 virtual servers without applying for extra licenses. To collect Analytics for more than 30 discovered applications (30 virtual servers), you must purchase and apply the desired licenses. Full information on licensing is available in the NetScaler ADM product documentation about licensing . Supported HypervisorsAn ADM appliance deployed on-premises as virtual appliances can run on Citrix Hypervisor, VMware ESXi, Microsoft Hyper-V, and Linux KVM. The following table lists the hypervisors supported by NetScaler ADM. HypervisorVersionsProduct DocumentationCitrix Hypervisor7.1 or laterNetScaler ADM with Citrix HypervisorVMware ESXi6.0, 6.5, 6.7, and 7.0NetScaler ADM with VMware ESXiMicrosoft Hyper-V6.2 or laterNetScaler ADM with Microsoft Hyper-VLinux KVM3.6.11-4 or laterNetScaler ADM with Linux KVM serverKubernetes Cluster1.20 or later (Server and Client)NetScaler ADM on Kubernetes ClusterRequirements for ADM appliance and agent ImagesNetScaler ADC instances deployed in remote data centers can be managed and monitored from NetScaler ADM running in a primary data center. NetScaler ADC instances sent data directly to the primary NetScaler ADM that resulted in the consumption of WAN bandwidth. Also, the processing of analytics data utilizes CPU and memory resources of primary NetScaler ADM. Customers have their data centers located across the globe. Agents play a vital role in following scenarios where the customers can choose: To install agents in remote data centers so that there is a reduction in WAN bandwidth consumption.To limit the amount of instances directly sending traffic to primary NetScaler ADM for data processing.Requirements for NetScaler ADM applianceComponentRequirementRAM32 GB requiredVirtual CPUEight vCPUs requiredStorage spaceNetScaler recommends using solid-state drive (SSD) technology for NetScaler ADM deployments. The default value is 120 GB. Actual storage requirement depends on NetScaler ADM sizing estimation. If your NetScaler ADM storage requirement exceeds 120 GB, you to have to attach an extra disk. You can add only one extra disk. NetScaler recommends you estimate storage and attach the extra disk at the time of initial deployment. Use the sizing calculator to do the exact sizing estimation for your NetScaler ADM deployment, and for more information, see How to Attach an Additional Disk to NetScaler ADM.Virtual network interfaces1Throughput1 Gbps or 100 MbpsRequirements for NetScaler ADM on-prem agentAgents work as an intermediary between the primary NetScaler ADM and the discovered instances across different data centers. Following are the benefits of installing agents: The instances are configured to agents so that the unprocessed data is sent directly to agents instead of primary NetScaler ADM. Agents do the first level of data processing and send the processed data in a compressed format to the primary NetScaler ADM for storage.Agents and instances are co-located in the same data center so that the data processing is faster.Clustering the agents provides redistribution of NetScaler ADC instances on agent failover. When one agent in a site fails, traffic from NetScaler ADC instances switched to another available agent on the same site.The following is the minimum requirements for NetScaler ADM on-prem agent: ComponentRequirementRAM8 GB required Note: The default value is 32 GB. NetScaler recommends that you increase the default value to 32 GB for better performance.Virtual CPUTwo vCPUs requiredStorage space30 GBVirtual network interfaces1Throughput1 GbpsThe following figure shows NetScaler ADC instances in two data centers and NetScaler ADM high availability deployment using multisite agent-based architecture. Components of high availability architectureIn high availability deployment, one of the NetScaler ADM nodes configured as the primary node (ADM HA Node 1) and the other as the secondary node (ADM HA Node 2). If the primary node goes down due to any reason, the secondary node takes over as the new primary node. The image shows the disaster recovery setup before the disaster. The primary site has NetScaler ADM nodes deployed in the high availability mode, as shown in the previous section. The recovery site has a standalone NetScaler ADM disaster recovery node deployed remotely. The disaster recovery node is in read-only mode and receives data from the primary node to create data backup. NetScaler ADC instances in the recovery site are also discovered, but they do not have any traffic flowing through them. During the backup process, all data, files, and configurations are sent and replicated on the disaster recovery node from the primary node.

Continued from Part 3 Configure an initial authentication flowPattern Set - Gateway and AAA Hostname add policy patset PATSET_GATEWAY_HOSTHEADERbind policy patset PATSET_GATEWAY_HOSTHEADER access.ctxdemos.com -index 1 -charset ASCIIbind policy patset PATSET_GATEWAY_HOSTHEADER aaa.ctxdemos.com -index 2 -charset ASCII Policy Expression - Gateway and AAA Hostname add policy expression is_GATEWAY_HOSTNAME "HTTP.REQ.HEADER(\"Host\").TO_LOWER.CONTAINS_ANY(\"PATSET_GATEWAY_HOSTHEADER\")" Create Initialization Load Balancing vServer add lb vserver LBVS_SAML_SP_INITIALIZATION SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -Authentication ON -authnProfile AAA_AUTH_PRFset ssl vserver LBVS_SAML_SP_INITIALIZATION -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YESbind lb vserver LBVS_SAML_SP_INITIALIZATION LBSVC_ALWAYS_UPbind ssl vserver LBVS_SAML_SP_INITIALIZATION -certkeyName CTXDEMOS_PUBLIC_CERTbind ssl vserver LBVS_SAML_SP_INITIALIZATION -cipherName CTXDEMOS_FRONTEND_APLUS Create Initialization Content Switching Policy and Action add cs action CSACT_SAML_SP_INITIALIZATION -targetLBVserver LBVS_SAML_SP_INITIALIZATIONadd cs policy CSPOL_SAML_SP_INITIALIZATION -rule "is_GATEWAY_HOSTNAME && HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH(\"/samltolb\")" -action CSACT_SAML_SP_INITIALIZATION Bind Content Switching Policies to NetScaler Gateway Content Switching vServer bind cs vserver CSVS_UGCTXDEMOS -policyName CSPOL_SAML_SP_INITIALIZATION -priority 500 Create Initialization NetScaler ADC AAA Traffic Policy and Action and Bind it to Load Balancing vServer add tm samlSSOProfile AAATM_SAMLSSOPRF_VPN_TO_LB -samlSigningCertName CTXDEMOS_PUBLIC_CERT -assertionConsumerServiceURL "https://access.ctxdemos.com/cgi/samlauth" -relaystateRule "HTTP.REQ.URL.QUERY.VALUE(\"RelayState\")" -signatureAlg RSA-SHA256 -digestMethod SHA256 -Attribute1 Password -Attribute1Expr AAA.USER.PASSWD -Attribute2 Groups -Attribute2Expr AAA.USER.GROUPS -encryptAssertion ON -samlSPCertName CTXDEMOS_PUBLIC_CERTadd tm trafficAction AAATM_PRF_VPN_TO_LB -SSO ON -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE -samlSSOProfile AAATM_SAMLSSOPRF_VPN_TO_LBadd tm trafficPolicy AAATM_POL_VPN_TO_LB "HTTP.REQ.URL.STARTSWITH(\"/samltolb\")" AAATM_PRF_VPN_TO_LBbind lb vserver LBVS_SAML_SP_INITIALIZATION -policyName AAATM_POL_VPN_TO_LB -priority 100 -gotoPriorityExpression END -type REQUEST Cipher groups Create Cipher Group for Backend vServers add ssl cipher CTXDEMOS_BACKENDbind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 4bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 5bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 6bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 7 Create Cipher Group for Frondend vServers add ssl cipher CTXDEMOS_FRONTENDbind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 4bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 5bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256 -cipherPriority 6bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384 -cipherPriority 7bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-ECDHE-ECDSA-AES128-SHA -cipherPriority 8bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-ECDHE-ECDSA-AES256-SHA -cipherPriority 9bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 10bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 11bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 12bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 13bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 15bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 16bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 -cipherPriority 17bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 18bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 19bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 20 Create Cipher Group for Frondend vServers - A+add ssl cipher CTXDEMOS_FRONTEND_APLUSbind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 4bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 5bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305 -cipherPriority 6bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384 -cipherPriority 7bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256 -cipherPriority 8bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 9bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 13bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 -cipherPriority 14bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 15bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 16 Login schema XML file CTXDEMOS_USER_NAME_PASS.XML<?xml version="1.0" encoding="utf-8"?><AuthenticateResponse xmlns="http://citrix.com/authentication/response/1"> <Status>success</Status> <Result>more-info</Result> <StateContext/> <AuthenticationRequirements> <PostBack>/nf/auth/doAuthentication.do</PostBack> <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack> <CancelButtonText>Cancel</CancelButtonText> <Requirements> <Requirement> <Credential> <ID>login</ID> <SaveID>ExplicitForms-Username</SaveID> <Type>username</Type> </Credential> <Label> <Text>User name</Text> <Type>plain</Type> </Label> <Input> <AssistiveText>Please supply username</AssistiveText> <Text> <Secret>false</Secret> <ReadOnly>false</ReadOnly> <InitialValue>${AAA.USER.NAME}</InitialValue> <Constraint>.+</Constraint> </Text> </Input> </Requirement> <Requirement> <Credential> <ID>passwd</ID> <SaveID>ExplicitForms-Password</SaveID> <Type>password</Type> </Credential> <Label> <Text>Password:</Text> <Type>plain</Type> </Label> <Input> <Text> <Secret>true</Secret> <ReadOnly>false</ReadOnly> <InitialValue/> <Constraint>.+</Constraint> </Text> </Input> </Requirement> <Requirement> <Credential> <ID>saveCredentials</ID> <Type>savecredentials</Type> </Credential> <Label> <Text>Remember my password</Text> <Type>plain</Type> </Label> <Input> <CheckBox> <InitialValue>false</InitialValue> </CheckBox> </Input> </Requirement> <Requirement> <Credential> <ID>loginBtn</ID> <Type>none</Type> </Credential> <Label> <Type>none</Type> </Label> <Input> <Button>Log On</Button> </Input> </Requirement> </Requirements> </AuthenticationRequirements></AuthenticateResponse> CTXDEMOS_USER_NAME_ONLY.XML CTXDEMOS_USER_NAME_ONLY.XML<?xml version="1.0" encoding="utf-8"?><AuthenticateResponse xmlns="http://citrix.com/authentication/response/1"> <Status>success</Status> <Result>more-info</Result> <StateContext/> <AuthenticationRequirements> <PostBack>/nf/auth/doAuthentication.do</PostBack> <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack> <CancelButtonText>Cancel</CancelButtonText> <Requirements> <Requirement> <Credential> <ID>login</ID> <SaveID>ExplicitForms-Username</SaveID> <Type>username</Type> </Credential> <Label> <Text>User name</Text> <Type>plain</Type> </Label> <Input> <AssistiveText>Please supply username</AssistiveText> <Text> <Secret>false</Secret> <ReadOnly>false</ReadOnly> <InitialValue/> <Constraint>.+</Constraint> </Text> </Input> </Requirement> <Requirement> <Credential> <Type>none</Type> </Credential> <Label> <Text> Please submit credentials to continue Login ...</Text> <Type>confirmation</Type> </Label> <Input/> </Requirement> <Requirement> <Credential> <ID>saveCredentials</ID> <Type>savecredentials</Type> </Credential> <Label> <Text>Remember my password</Text> <Type>plain</Type> </Label> <Input> <CheckBox> <InitialValue>false</InitialValue> </CheckBox> </Input> </Requirement> <Requirement> <Credential> <ID>loginBtn</ID> <Type>none</Type> </Credential> <Label> <Type>none</Type> </Label> <Input> <Button>Log On</Button> </Input> </Requirement> </Requirements> </AuthenticationRequirements></AuthenticateResponse> References Authentication to NetScaler using AD FS 4.0 on Server 2016, Citrix FAS, and Azure MFA in Azure Cloud. (2018). Retrieved from https://www.jgspiers.com/authentication-to-netscaler-using-ad-fs-4-0-server-2016-citrix-fas-azure-mfa-azure-cloud/Configure Azure MFA as authentication provider with AD FS. (2019). Retrieved from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfaDeploying a Federation Server Farm. (2017). Retrieved from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farmFederated Authentication Service ADFS deployment. (Current). Retrieved from https://docs.citrix.com/en-us/federated-authentication-serviceGuide to deploying NetScaler as an Active Directory Federation Services Proxy. (n.d.). Retrieved from https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm/adfs-proxy-wsfed.htmlHow it works: Azure Multi-Factor Authentication. (2018). Retrieved from https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworksPlanning a cloud-based Azure Multi-Factor Authentication deployment. (2019). Retrieved from https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstartedTijl Van den Broeck. (Dec 7, 2017). ADFS v3 on Windows Server 2012 R2 with NetScaler. Retrieved from https://www.citrix.com/blogs/2015/05/29/adfs-v3-on-windows-server-2012-r2-with-netscaler/Transition to hybrid cloud and SaaS with Citrix Gateway. (n.d.). Retrieved from https://www.citrix.com/products/citrix-gateway/resources/netscaler-unified-gateway.htmlUser sign-in with Azure Active Directory Pass-through Authentication. (2018). Retrieved from https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta

POC Guide: Migrating Applications from Citrix ADC to the new Citrix App Delivery and Security Service October 25, 2022 Author: Nagaraj Harikar Special thanks: Steve Beals, Arvind Kandula, Kiran Ghodgaonkar Introduction This document provides an overview of the steps, tools, architecture, and considerations for migrating Citrix ADC traffic management and security solutions to the new Citrix App Delivery and Security (CADS) service. This guide is intended for technical engineering and architectural teams who want to migrate applications to AWS. The scope of this guide is limited to Citrix ADC hardware or software-based appliances on product version 13 and later. What is CADS Service - Citrix Managed? CADS service – Citrix Managed is a new SaaS offering for application delivery and security. Citrix App Delivery and Security service removes the complexity from every step of app delivery, including provisioning, securing, on-boarding, and management, empowering IT to deliver a superior experience that keeps users engaged and productive. Getting Started There are four key steps for migrating to the new CADS service: Deployment models - Evaluation of the current deployment, assessment of how your applications fit together, and the design the architecture for the AWS environment. Use cases and feature mapping - Develop a high-level plan for your migration and making key decisions about what to migrate. Licensing – Identify the right CADS service – Citrix Managed entitlement by converting the current ADC capacity. Traffic flow - Migrate your application user’s traffic to the new site. Follow the Getting Started Guide Deployment Models Customers have designed their application architecture based on requirements such as specific feature need, performance, high availability, compliance, etc. When you migrate applications and their associated dependencies to AWS there is no standard approach. The following table provides an overview of the common use cases for different applications and ADC workloads that are migrated to CADS service – Citrix Managed. Application Type Use Case Suggested Action Development/Testing/PoC web app with temporary capacity needs Web application utilizing SSL-offload, load balancing and content switching capabilities of Citrix ADC Depending on the required location of the datacenter, create an environment as described here. Use CADS service Modern App delivery workflow to deploy your application as documented here. Trial License can be used, for more details see the Licensing section. Custom/Commercial, external facing application to be deployed across multiple Availability Zones, high availability (HA) You either plan to expand a datacenter or run a mix of self-managed and Citrix manged CADS services. You might have integrated Citrix Application Delivery Controller (ADC) as part of the application’s logic, and required it to port the same logic to CADS. You can leverage the Cloud Recommendation engine to determine the optimal site location for application. For details click here. Depending on the required location of the new datacenter, choose multiple availability zones for the region while you create an environment as described here. Review current Citrix ADC configurations (ns.conf) and break them down into the application components that need to be migrated. You can use the app migration workflow as described here. You can refer to feature mapping in Figure 2 to decide on modern app workflow or migration. External application across multiple Regions, high availability (HA) with DNS / GSLB Expand application presence globally with the help of global server load-balancing capability of CADS Based on the feature usage, you can either choose the Modern App or Migration (Classic App) workflow for application deployment. Once the applications are deployed in the desired region and availability zones, you can use the Multi-Site application delivery to create a GSLBaaS solution with CADS as described here. Internal application across multiple Availability Zones, high availability (HA) but no DNS / GSLB Deploy application for internal users only. In the Application creation workflow, while creating endpoints, ensures you select Internal for Access type. This ensures no public IP association for your application is configured. Applications with high compliance or security-related requirements. WAF or IDS/IPS applications These applications require advanced security features such as signatures, bot protections, deep and complex WAF rule sets, protection from OWASP top 10. You need to have a CADS Premium license to use these features. Ensure you enable the desired security protection features for your application deployment as described here. Cloud Native applications Use CADS to deploy an application as an Ingress controller to manage and route traffic into your Kubernetes cluster Not Supported with CADS. However, you can use CADS as the first (relatively static) tier of load balancing to an existing second tier of Citrix ADC CPX. Use Cases and Feature Mapping There are many aspects of migration that need to be considered, but before beginning your Citrix ADC workload migration, the following assessments help clarify the migration process. Application and the associated feature dependency to migrate: Assess whether the entire application is moving or only the web (UI) tier. You should also consider additional dependencies around features like use of caching, compression, authentication, security and more. Your evaluation needs to determine what would be required from the network topology. Reasons for application migration: You might be migrating your application because you are decommissioning your on-prem datacenter or because you want more elasticity or creating a disaster recovery site. Assess whether the application is migrating to have a per-application architecture, compared to the shared monolithic patterns common in many datacenters. Destination of the migration: Assess if the application needs to move to a single VPC with one Availability Zone or two Availability Zones. Determine the peer or transit VPC topology, along with the need for multi-Region deployments. These will impact the migration pattern design You can refer to Deployment types and the Datasheet for full set of supported features with CADS service – Citrix Managed. Following flow chart in Figure 2 shows the feature list for Modern and Classic App. You can start with the Modern App decision flow and check if all the required functionalities are addressed. If not, then you can validate the Classic app flow. Licensing The Citrix App Delivery and Security Service license is based on flexible consumption-based metering, where your applications automatically consume capacity from available entitlements. You get full architectural flexibility to deploy what you need when you need it. Details of the licensing entitlements are available here. Following calculation can be used to determine the consumption. If your application serves an average throughput of 250 Mbps per year, then the annual data usage can be calculated. Average application throughput per year (T) = 250 Mbps Data usage per sec (d) = T x 0.125 i.e. 250 x 0.125 = 31.25 MB per sec Total data usage in TB per year = (d x 365 x 24 x 3600)/1048576 i.e. (31.25 x 24 x 3600)/1048576 = 939.85 TB. For a data usage of ~1000 TB, the preferred license entitlement is Advance or Premium 1200 TB bandwidth + 100 million DNS queries. Traffic Flow With applications deployed with CADS service – Citrix Managed, the final step is to migrate the application traffic from an existing datacenter. For this, use Multi-site application delivery and define the existing and new Citrix Managed site. For traffic migration use weighted Round-Robin as the algorithm. Configure a weight in 90(existing site):10 (new Citrix managed site) ratio. Weights are proportional, i.e. 90 % of the traffic is received by the existing site and 10% by the Citrix Managed site. You can alter this to control the traffic proportions to your datacenters. Finally, perform application tests and complete the migration process with 100% traffic to the Citrix Managed site. Summary Following above pattern enables admins to migrate applications delivered and secured by an ADC to CADS service - Citrix Managed.

Reference Architecture: Application Delivery Controller - Global Server Load BalancingContributed By: Rajendra Soebhag, Albert LeeSpecial Thanks To: Brendan Lin, Sarah Steinhoff OverviewNetScaler Application Delivery Controller (ADC) Global Server Load Balancing (GSLB) is a DNS-based solution which describes a range of technologies to distribute resources around multi-site data center locations. This document describes the deployment topology and configuration architecture needed to set up GSLB between multi-sites where Citrix Virtual Apps and Desktops StoreFront servers are load-balanced by NetScaler Gateway and NetScaler ADC. Fundamental Design FactorsThe following includes fundamental design factors during an assessment and design phase that affects the formation of the design to cater for requirements. It highlights those considerations and provides background information and insight to support these. Multi-site Geo-dispersed Data center deployment with ADC - Customer operates NetScaler ADC appliances deployed across data center sites (that is, data center 1 and data center 2). A NetScaler ADC high availability pair deployment consisting of two appliances commonly shares physical peripheral hardware components placed within the same data center site. It is intended to protect against NetScaler ADC services outages caused by NetScaler ADC appliance or peripheral hardware component failures (that is, network switches, power distribution units, and so on). As NetScaler ADC appliances are deployed to two different sites (that is, data center 1 and data center 2) not physically sharing peripheral hardware components (that is, network switches, power distribution units, and so on), the design caters for a deployment that uses NetScaler ADC GSLB to provide for resilience and redundancy. Business continuity - For component resilience and redundancy, business requirements exist for the design to cater for single systems failure within and across data center sites without affecting services availability and performance. A disaster can involve a single data center failure or failure of individual services within a single data center site resulting in failing over services and client connections to another data center site. NetScaler ADC GSLB is used to cater to network traffic distribution, high availability, and failover services across both data center 1 and data center 2 sites. Network traffic flow efficiency - The design incorporates network traffic flows involving multiple serial hops to access individual services within the customer infrastructure. To ensure network traffic flow efficiency and eliminate routing inefficiency, network traffic flows are designed to remain within each local data center site. As such, the design caters to primary traffic flows to use back-end systems within the same data center site, and secondary (backup) traffic flows use back-end systems within the opposite data center site. Global Server Load BalancingGSLB Feature OverviewWith ordinary DNS, when a client sends a domain name system (DNS) request, it receives a list of IP addresses of the domain or service. Generally, the client chooses the first IP address in the list and initiates a connection with that server. The DNS server uses a technique called DNS round robin to rotate through the IPs on the list. It sends the first IP address to the end of the list and promotes the others after it responds to each DNS request. This technique ensures equal distribution of the load, but it does not support disaster recovery, load balancing based on load or proximity of servers, or persistency. Fundamentally, GSLB based on DNS works the same way as standard DNS, with the exception that more logic is in place to determine what addresses to return. The logic in most situations is based on: The load and capacity of resources on the networkThe IP address or interface the query came fromPrevious requests made from the same IP or networkThe health state of resourcesTo ensure the various pieces of information are in place, the ADC system makes use of several ways to determine state so that proper decision making can occur: Via explicit monitors that check for availability of remote resources by accessing the resource itselfVia Metric Exchange Protocol (MEP), which is a channel of communication between distinct NetScaler devices, and provides a mechanism for one ADC to provide state information about resources to another ADCThrough SNMP based load monitors, which poll a remote resource for statistics such as CPU load, network load Figure-2 Active-Active Site Deployment Active-Passive site deployment - An active-passive site consists of an active and a passive data center. This deployment type is ideal for disaster recovery. In this type of deployment, some of the sites (remote sites) are reserved only for disaster recovery. These sites do not participate in any decision making until all the active sites are DOWN. A passive site does not become operational unless a disaster event triggers a failover. Once you have configured the primary data center, replicate the configuration for the backup data center and designate it as the passive GSLB site by designating a GSLB virtual server at that site as the backup virtual server. An active-passive deployment can include a maximum of 32 GSLB sites, because MEP cannot synchronize more than 32 sites. Figure-4 DNS and GSLB workflow Figure 4 describes a DNS workflow from the client's application access request via DNS, which will be handled by GSLB entities. As a DNS request comes into the global DNS server, which delegates the request subzone to each ADNS IP as subzone name servers. Upon reception of a DNS request by an ADNS service, the appliance checks for a GSLB virtual server bound to that domain. If a GSLB virtual server is bound to the domain, it is queried for the best IP address to which to send the DNS response. Figure 5 diagram illustrates its actual deployment architecture topology. It lists all necessary interfaces associated with designated ADC IP addresses accordingly (that is, NSIP, SNIP/ADNS IP, Gateway IP, Load Balance IP) overlays with GSLB topology and services.

NetScaler ADC Admin Partitions Validated Reference Design Part 1 September 12, 2022 Continued in Part 2 Author: Luis Ugarte, Beth PollackFeature overviewCitrix ADC Admin Partitions enables multi-tenancy at the software level in a single Citrix ADC instance. Each partition has its own control plane and network plane. The key benefits of Admin Partitions are: Control Plane – Isolated configuration and managementData Plane – Key partition data and files tightly controlled within partition boundaryNetwork plane – Traffic is isolated with its own network configuration. Two partitions on same Citrix ADC do not see the same traffic passing through each partitionThis document covers the typical use cases in detail that are enabled by Admin Partitions and guidelines for using Admin Partitions in customer environment. Admin partitions use casesEnterprise use case for admin partitionsCitrix ADC admins can partition a Citrix ADC into multiple ADCs and assign the partitions to different application administrators like Microsoft SharePoint and Microsoft Lync. Each application administrator/owner can make his own configuration changes. IP overlapping: The key benefit of IP Overlapping is that the same IP range can be used across different Admin Partitions without any IP conflict. For the backend servers, you can use the same set of private IP address. In an IP Overlapping scenario, the VLANs cannot be shared. Virtual routing: Routing configuration is unique to each partition and each partition owner can configure their own routing protocols. Name space isolation: Entity names are unique across different partitions, so you can use the same names across different Admin Partition. Reference diagram: Single Nic – Multiple Vlans Service provider use case for admin partitionsService Providers can partition a Citrix ADC and assign it to individual clients based on their bandwidth requirements and number of concurrent connections. Service Providers can develop orchestration tools using NITRO APIs to get input from their individual clients on their bandwidth requirements and concurrent connections, create partitions and assign them to their clients. Below is a set of isolations that aid Service Providers: Filesystem: Each partition is assigned part of a file system and files stored in that respective partition space are not visible to other partitions. SSL certs/keys are stored in that partition and are not visible to other partition owners, thereby making each partition secure. Shared VLAN: In a typical Service Provider with a multi-tenant deployment, the end customers might not have independent VLANs for incoming traffic. The Shared VLAN feature shares the VLAN when it is not possible to have dedicated VLAN. VLAN tagging: A single interface can be shared across multiple admin partitions and isolated by using a tagged VLAN. For an untagged VLAN, use a shared VLAN. Troubleshooting and debugging: Admins can see traffic stats of each partition independently and separate out the logs by filtering by the partition ID. The trace function ensures partition independence since the trace fired from one partition will never see packets from another partition. Reference diagram