
Mathieu Durupt1709161922


Posts posted by Mathieu Durupt1709161922

  1. Hi Guys,

     

    Well, my company is using an external portal for some training. The website isn't hosted in my company; it's a SaaS service.

     

    https://training-exemple.com/portal/Login

     

    But they want to access using an internal FQDN to make it more friendly like:

     

    https://training.mycompany.com

     

    How could I use my NetScaler to reverse proxy from one domain to another domain while keeping /portal/Login?

     

    I cannot use DNS CNAME because of /portal/Login

     

    Looking forward to a solution

     

    Best regards

  2. 49 minutes ago, Julian Jakob said:

    Hi Mathieu,

     

    you're looking for the protection feature. Create a separate LB only linked to ServiceGroup2 with Member Server2. Link that LB as a backup vServer in your LB1, so all traffic will automatically be redirected to LB2 if the member of LB1 goes down.

    [screenshot]

     

    Regards

    Julian

     

    Thank you Julian for your Feedback,

     

    I already thought about this solution. I use it for a maintenance webpage for another application, but I was wondering if there was another way to do it?

     

  3. Hi,

    My question sounds easy but I couldn't find a good solution regarding the request I have received.

    VirtualServer1 is bound to ServiceGroup1 with 2 members (server1 + server2).

    I want all the connections to go to server1, none to server2. If member1 is down, I want all the traffic to go to member2.

    I thought I could play with RoundRobin and add different weights to server1 and server2, but if I put server1 weight=100 and server2=1 it's still 1..... and if I'm correct, I can put 0, but no connection will reach this server. Unless server1 is down?

    Thank you for your help

     

    Regards, Mathieu

     

     

  4. On 8/31/2022 at 8:09 AM, Jens Dellner said:

    Hi Mathieu,

    I think there is a bug starting with VPX 13.1.24.38 too. There are no Responder Policies displayed in the GUI. The counter shows 0 Responder Policies. It will show all your created Responder Policies and the built-in Policies when you click on "Show built-in Responder Policies" on the top right. The counter now shows the right amount of Responder Policies. Maybe it helps you with 12.1 too.

     

    Best regards,

    Jens

     

     

    OMG Thank you!
    Citrix support told me to upgrade 13.0 but you found my "problem"
    Cheers!

     

  5. Hi,

    During a forced failover of a VPX between 2 SDX, my customer loses connectivity for about 15 seconds.

    It's not the end of the world but my remote customer uses AlwaysON VPN and it's quite disturbing.

    Do you have a solution or a workaround regarding this? How to configure what's synchronized between 2 nodes? Can we synchronize UDP sessions between 2 nodes?

    ℹ️ Regarding network switches, my interfaces have portfast configured

     

    Thank you for your help

     

    Best Regards

     

  6. Hi all,

    Just received 4 brand new SDX 8900 to migrate my old MPX 8005.

     

    I configure the LOM & Management address to match my subnet management IP.

     

    I'm connected to GUI, version is 11.0-72.16, I try to add the licence but it doesn't work... probably because of the build, so I decided to upgrade slowly to 11.1

    I downloaded build-sdx-11.1-65.10.tgz and go back to my GUI, system, upgrade appliance, choose my build and install.... 

     

    [screenshot: upgradefail1]

    However, after 10 minutes I got this message and now I have lost access to my GUI and SSH... ping is working

    [screenshot: upgradefail2]

    Am I doing something wrong? What should I do now? Factory reset and start again?

     

    Thank you for your help, I feel doomed

     

     

  7. On 7/10/2020 at 4:44 AM, Rhonda Rowland1709152125 said:

    The HTTP profile on the ADC (and TCP profiles) are going to manage various http protocol settings; but you're right it won't handle these header manipulations on their own.

     

     

    1) Header Insert:  X-Forwarded-Proto

    So your traffic will have to come to either the lb_vsrv_app_http (HTTP:80) or lb_vsrv_app_ssl (HTTPS:443).  Based on which vserver your traffic hits, if you want the ADC to insert this header, then it will be done REQUEST time using a rewrite feature. The services behind the lb vserver will then see which vserver you came from.

     

    If the scenarios for when you want the rewrite to occur aren't specific enough they can be adjusted. But Rewrite can insert any header by identifying the header name to insert, and the string to insert there.

     

    To insert the header (only if one doesn't already exist):

    add rewrite action rw_act_inshdr_PROTO_http insert_http_header X-FORWARDED-PROTO "\"HTTP\""
    add rewrite policy rw_pol_inshdr_PROTO_http "!http.REQ.HEADER(\"x-forwarded-proto\").EXISTS" rw_act_inshdr_PROTO_http
    bind lb vserver lb_vsrv_app_http -policyName rw_pol_inshdr_PROTO_http -priority 100 -gotoPriorityExpression NEXT -type REQUEST

    add rewrite action rw_act_inshdr_PROTO_https insert_http_header X-FORWARDED-PROTO "\"HTTPS\""
    add rewrite policy rw_pol_inshdr_PROTO_https "!http.REQ.HEADER(\"x-forwarded-proto\").EXISTS" rw_act_inshdr_PROTO_https
    bind lb vserver lb_vsrv_app_ssl -policyName rw_pol_inshdr_PROTO_https -priority 100 -gotoPriorityExpression NEXT -type REQUEST
     

    To replace a header with the appropriate value if one is already present:

    add rewrite action rw_act_rephdr_PROTO_http replace "http.REQ.HEADER(\"x-forwarded-proto\")" "\"HTTP\""
    add rewrite policy rw_pol_rephdr_PROTO_http "http.REQ.HEADER(\"x-forwarded-proto\").EXISTS" rw_act_rephdr_PROTO_http
    bind lb vserver lb_vsrv_app_http -policyName rw_pol_rephdr_PROTO_http -priority 200 -gotoPriorityExpression NEXT -type REQUEST

    add rewrite action rw_act_rephdr_PROTO_https replace "http.REQ.HEADER(\"x-forwarded-proto\")" "\"HTTPS\""
    add rewrite policy rw_pol_rephdr_PROTO_https "http.REQ.HEADER(\"x-forwarded-proto\").EXISTS" rw_act_rephdr_PROTO_https
    bind lb vserver lb_vsrv_app_ssl -policyName rw_pol_rephdr_PROTO_https -priority 200 -gotoPriorityExpression NEXT -type REQUEST
     

    We can do rewrite to also delete headers, but if you plan to delete OLD and insert NEW, then just use the REPLACE.

     

    Otherwise, the above scenario in your message is not clear.

    If a user hits http and you then redirect to https, and then they make a new connection to https and you want to insert in the redirect response that they came from http, we can get the client to insert the x-forwarded-for header in the new request to pass through to the services.

    So I based the above answer on you need the header inserted if the users hit the HTTP vserver, insert the http header to send to the destination services.  And insert the HTTPS header when traffic hits the HTTPS vserver to send to the backend services.

     

     

    2) Inserting client ip via an X-forwarded-for header

    Also a request time rewrite and easy to do. The ADC can insert the header to the backend based on the client IP the adc sees.

    If the traffic is going from client --> proxy --> then ADC lb vserver --> service, and you need to insert a new header in addition to what the proxy passes to the adc, we can do that too. Just need more info.

     

    add rewrite action rw_act_inshdr_x-forwarded-for insert_http_header X-FORWARDED-FOR client.IP.SRC
    add rewrite policy rw_pol_inshdr_x-forwarded-for "!http.REQ.HEADER(\"x-forwarded-for\").EXISTS" rw_act_inshdr_x-forwarded-for
    bind lb vserver lb_vsrv_app_http -policyName rw_pol_inshdr_x-forwarded-for -priority 10 -gotoPriorityExpression NEXT -type REQUEST
    bind lb vserver lb_vsrv_app_ssl -policyName rw_pol_inshdr_x-forwarded-for -priority 10 -gotoPriorityExpression NEXT -type REQUEST

     

     

    Hi Rhonda,

     

    Can I add multiple header actions into one rewrite policy bound to a LB vserver?

    I need to add those settings into my header

    • X-Forwarded-For
    • X-Forwarded-Proto
    • X-Forwarded-Port

    This is very NGINX-based, but I have been challenged to set this into Citrix ADC.

     

    Thank you for your help

     

    Matt
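
One way to set all three headers on the ADC, as an added example (not from the thread or from Citrix documentation): `add rewrite policy` takes a single action, so each header gets its own action and policy, bound in priority order with `NEXT`. The action and policy names are made up, the vserver names are the ones used in the quoted reply, and the sketch assumes the ADC is the first trusted hop, so client-supplied copies of the headers are deleted before the ADC's own values are inserted.

```netscaler
# Added example: names below are hypothetical, not from the thread.

# 1) Drop client-supplied copies so the backend only sees ADC-set values
add rewrite action rw_act_del_xff     delete_http_header X-Forwarded-For
add rewrite action rw_act_del_xfproto delete_http_header X-Forwarded-Proto
add rewrite action rw_act_del_xfport  delete_http_header X-Forwarded-Port
add rewrite policy rw_pol_del_xff     "HTTP.REQ.HEADER(\"X-Forwarded-For\").EXISTS"   rw_act_del_xff
add rewrite policy rw_pol_del_xfproto "HTTP.REQ.HEADER(\"X-Forwarded-Proto\").EXISTS" rw_act_del_xfproto
add rewrite policy rw_pol_del_xfport  "HTTP.REQ.HEADER(\"X-Forwarded-Port\").EXISTS"  rw_act_del_xfport

# 2) Insert what the ADC itself observed on the client connection
#    (lowercase scheme values are an assumption about what the backend expects)
add rewrite action rw_act_ins_xff          insert_http_header X-Forwarded-For   CLIENT.IP.SRC
add rewrite action rw_act_ins_xfport       insert_http_header X-Forwarded-Port  CLIENT.TCP.DSTPORT
add rewrite action rw_act_ins_xfproto_http insert_http_header X-Forwarded-Proto "\"http\""
add rewrite action rw_act_ins_xfproto_ssl  insert_http_header X-Forwarded-Proto "\"https\""
add rewrite policy rw_pol_ins_xff          true rw_act_ins_xff
add rewrite policy rw_pol_ins_xfport       true rw_act_ins_xfport
add rewrite policy rw_pol_ins_xfproto_http true rw_act_ins_xfproto_http
add rewrite policy rw_pol_ins_xfproto_ssl  true rw_act_ins_xfproto_ssl

# 3) HTTP vserver: delete first, then insert; NEXT keeps evaluation going
bind lb vserver lb_vsrv_app_http -policyName rw_pol_del_xff          -priority 10 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver lb_vsrv_app_http -policyName rw_pol_del_xfproto      -priority 20 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver lb_vsrv_app_http -policyName rw_pol_del_xfport       -priority 30 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver lb_vsrv_app_http -policyName rw_pol_ins_xff          -priority 40 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver lb_vsrv_app_http -policyName rw_pol_ins_xfproto_http -priority 50 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver lb_vsrv_app_http -policyName rw_pol_ins_xfport       -priority 60 -gotoPriorityExpression NEXT -type REQUEST

# 4) SSL vserver: same chain, with the https value for X-Forwarded-Proto
bind lb vserver lb_vsrv_app_ssl -policyName rw_pol_del_xff         -priority 10 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver lb_vsrv_app_ssl -policyName rw_pol_del_xfproto     -priority 20 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver lb_vsrv_app_ssl -policyName rw_pol_del_xfport      -priority 30 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver lb_vsrv_app_ssl -policyName rw_pol_ins_xff         -priority 40 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver lb_vsrv_app_ssl -policyName rw_pol_ins_xfproto_ssl -priority 50 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver lb_vsrv_app_ssl -policyName rw_pol_ins_xfport      -priority 60 -gotoPriorityExpression NEXT -type REQUEST
```

If a trusted proxy sits in front of the ADC and its X-Forwarded-For value must be preserved, leave out the delete policies for that header and have the backend trust only the last hop it can verify.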

  8. On 11/30/2020 at 12:32 AM, Rhonda Rowland1709152125 said:

    To verify the BODY is being generated, you need to use the http-ecv monitor to search for a string that is present in the body portion of the response.

    You can use the http monitor (monitor1) to confirm the status code 200  (OK) is received.  Use an HTTP monitor with HEAD /health and receive string and confirm 200 response code received.

     

    Use a separate http-ecv monitor (monitor2) to search for Get /somepage.asp and then use the receive string to confirm a string in the actual BODY content. Searching for the 200 OK header isn't going to confirm the body was generated.  The receive string is a simple string comparison and case sensitive.

     

     

     

    Hi Rhonda,

    Thank you for your answer. 

     

    Usually, I would use a normal HTTP monitor to make sure the server status code is 200 (or anything else OK). However, the GET or HEAD request brings errors to their console so they challenge me to find another way. 

    Otherwise, if a webserver has a dedicated monitoring page like /healthcheck /status /... I will use an HTTP-ECV and monitor a specific receive string.

    That's what I want to do now, but I need to send a string with a specific body to get the right answer... This might not be possible but I'm still looking for a solution ;)

  9. On 11/27/2020 at 5:55 PM, Daniel Weppeler1709159306 said:

    Hey,

     

    Have you tried this configuration? It's only an example because I don't know about path and secure parameter. 

    [screenshot]

     

    CLI Command:

    add lb monitor LBMON_AppHealth HTTP-ECV -send "GET /health" -recv "<status-code>200</status-code>" -LRTM ENABLED 

     

    Cheers,

    Daniel

     

    Hi Daniel,

    Thank you for your answer.

    Well, your solution will work like a normal HTTP-ECV monitor IF I COULD fill the http body into the send string request :( (see picture1 I uploaded)

  10. Hi guys,

     

    I have been asked to create an HTTP-ECV Monitor, this one is pretty special because I need to use a BODY HTML to get the right answer (string). See example below

    Example NOK: no BODY using Postman

    [screenshot: aiBodyNOK]

    Example OK: custom BODY using Postman

    [screenshot: aiBodyOK]

    I searched around but couldn't find an answer. Could you please give me a hand? It will be very appreciated :)

     

    Thank you

     

    Matt

    PS: Yes I know, If I want to monitor HTTP code I could use a simple HTTP monitor but unfortunately I have been challenged to find another way regarding this application

     

     

  11. Hi,

     

    I am currently running my 2 ADC appliances with version NS12.1 and I have been asked to change the RPC password.

    However, I don't see any comments or warnings about generating downtime. Does changing the RPC password and securing the communication generate downtime during the process?

    Sadly my lab environment doesn't have HA so I cannot test it.

    Guideline is here: https://docs.citrix.com/en-us/citrix-adc/13/getting-started-with-citrix-adc/change-rpc-node-password.html

     

    Best Regards

     

     
