Chris Chau
You can use the Web server logging feature to send logs of HTTP and HTTPS requests to a client system for storage and retrieval. To configure Web server logging, you first enable the Web logging feature on the NetScaler and configure the size of the buffer for temporarily storing the log entries. Then, you install NSWL on the client system. You then add the NetScaler IP address (NSIP) to the NSWL configuration file. You are now ready to start the NSWL client to begin logging. You can customize Web server logging by making additional modifications to the NSWL configuration file (log.conf).
 
In this short video, you can follow how to configure NS web logging. Detailed information can be found in the following eDoc link: https://docs.netscaler.com/en-us/citrix-adc/current-release/system/web-server-logging
 
For the latest NetScaler technical information, please feel free to register and visit our NetScaler Community: https://community.netscaler.com
 


Chris Chau
NetScaler Connect is a monthly webinar, held by NetScaler Community, targeting to release any updates of NetScaler technologies to our valued partners and customers. In this Sept webinar we will cover:
- NetScaler for Openshift workloads
- Support Assist: Post NetScaler upgrade
- ADM Update: Cloud connector support on-prem

You can find more information related to these topics here:
- NetScaler for Openshift: https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/deploy/cic-openshift.html
- Upgrade and downgrade a NetScaler appliance: https://docs.netscaler.com/en-us/citrix-adc/current-release/upgrade-downgrade-citrix-adc-appliance
- ADM On-Prem Cloud Connector: https://docs.netscaler.com/en-us/citrix-application-delivery-management-software/current-release/cloud-connector
 

Chris Chau
Security as Code (SaC) is a concept that leverages code and automation to enforce security policies and practices across an organization's entire IT infrastructure. To successfully transition from DevOps to the security-integrated approach of DevSecOps means embracing SaC.
 
In this live session we will discuss:
- Why SaC is important for Shifting Security left in the early stages of Software Development Life Cycle (SDLC)
- Demonstrate how Ansible can be used to configure NetScaler WAF for protecting your applications.

Detailed information can be found in the following eDoc links:
- Get Started with NetScaler Automation using Ansible: https://community.netscaler.com/s/article/Get-Started-with-NetScaler-Automation-using-Ansible
- ADC Automation Use Cases: https://www.netscaler.com/solutions/adc-automation
- NetScaler Ansible Collections: https://github.com/netscaler/ansible-collection-netscaleradc/tree/v2.0.0-alpha/examples

For the latest NetScaler technical information, please feel free to register and visit our NetScaler Community: https://community.netscaler.com

Chris Chau
NetScaler Connect is a monthly webinar, held by NetScaler Community, targeting to release any updates of NetScaler technologies to our valued partners and customers. In this Aug webinar we will cover:
- NetScaler ADM Security Advisory - File Integrity Monitoring
- LDAP configuration: what you should and shouldn’t do?
- Ensure seamless conversion of NetScaler policy using NSPEPI Tool: Classic to Advanced policies using NSPEPI
- Improving TCP's robustness to blind in window attacks

You can find more information related to our topics here:
- NetScaler Community Article - File Integrity Monitoring: https://community.netscaler.com/s/article/NetScaler-File-Integrity-Monitoring
- LDAP Configuration on NetScaler: https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/citrix-adc-aaa-ldap-authentication-policies
- Converting policy expressions using the NSPEPI tool: https://docs.netscaler.com/en-us/citrix-adc/current-release/appexpert/policies-and-expressions/introduction-to-policies-and-exp/converting-policy-expressions-nspepi-tool.html
- TCP Configurations for RFC 5961: https://docs.netscaler.com/en-us/citrix-adc/current-release/system/tcp-configurations.html#defending-tcp-against-spoofing-attacks-as-per-rfc-5961

For the latest NetScaler technical information, please feel free to register and visit our NetScaler Community: https://community.netscaler.com
 

 

Chris Chau
NetScaler has introduced a new feature in the Application Delivery Management (ADM) Service called File Integrity Monitoring, which helps you determine if any unapproved changes have been made to your NetScaler build files. Unapproved changes may happen if your NetScaler has been compromised (or accessed by unapproved persons) and manipulation of those files has gone unnoticed.
 
Moreover, there is a huge volume of files within NetScaler. Monitoring each of these files for changes manually is an enormous task, prone to error, and often insufficient for detecting subtle or rapid alterations. Even with existing security measures in place, the dynamic nature of cyber threats demands a more proactive approach to identifying unauthorized modifications to your NetScaler build files.
 
NetScaler File Integrity Monitoring provides you with valuable insights that help you manage this risk. In this video, you can see how NetScaler ADM makes a comparison of the hash values by running a script in NetScaler and collecting the current binary hash values for the NetScaler build files. After the comparison, NetScaler ADM provides the result with the total number of existing files modified and the total number of newly added files. As an administrator, you can contact your organization's digital forensics for further investigation of the scan results.
 
More information can be found in the following links:
- NetScaler Community Article: NetScaler File Integrity Monitoring: https://community.netscaler.com/s/article/NetScaler-File-Integrity-Monitoring
- NetScaler ADM Security Advisory: https://docs.netscaler.com/en-us/citrix-application-delivery-management-service/instance-advisory/security-advisory.html

For the latest NetScaler technical information, please feel free to register and visit our NetScaler Community: https://community.netscaler.com
 

 

Chris Chau
NetScaler Web App Firewall (WAF) Profile and WAF Signatures protect your web applications from malicious attacks. WAF signatures provide specific, configurable rules to simplify the task of protecting your websites against known attacks. To protect your application using signatures, you must review the rules, enable, and configure the ones that you want to apply.
 
Similarly, to prevent data breaches and provide the right security protection in the application for other known or unknown attacks, you must create a WAF profile with security checks. When you create a WAF profile with certain security checks, you may end up blocking legitimate traffic (as the security checks are too strict) or allowing malicious traffic to pass through (as the security checks are not strict enough).
 
As an administrator, you must understand how to enable the right signatures and create the right WAF profiles to protect the web application. Identifying the right signatures and WAF profiles might be a difficult task in some scenarios. NetScaler ADM WAF recommendation scans the application for vulnerabilities and generates recommendations on WAF Profile and WAF Signature.
 
The WAF recommendation database is updated frequently to include any new vulnerabilities. You can scan and then select to enable the required recommendations. This video gives a brief demo of how to use the WAF Recommendation Scanner, in ADM, to scan the web apps for any vulnerabilities and provide the corresponding recommendations in WAF Signature and Security Checks.
 
For more detailed information, please go to the following eDoc link: https://docs.netscaler.com/en-us/citrix-application-delivery-management-service/analytics/security/waf-recommendation.html.
 
For the latest NetScaler technical information, please feel free to register and visit our NetScaler Community: https://community.netscaler.com
 

 

Chris Chau
To enhance resiliency, operators distribute multiple instances of the same application across various Kubernetes clusters situated in different data centers and cloud platforms. Managing and accurately directing traffic to applications within these Kubernetes clusters can be cumbersome and prone to errors.
 
In our live demonstration, we will highlight how the challenges can be addressed using the Multi-cluster Kubernetes ingress and load balancing solution that:
- Monitors applications on a global scale.
- Gathers and disseminates metrics across numerous clusters.
- Offers intelligent load balancing decisions.

For a detailed understanding, refer to the following links:
- Multi-cluster ingress and load balancing solution using the NetScaler Ingress Controller: https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/multicluster/multi-cluster.html
- Configuring Multi-cluster Kubernetes Ingress with GSLB: https://community.netscaler.com/s/article/Configuring-Multi-cluster-Kubernetes-Ingress-with-GSLB

For the latest NetScaler technical information, please feel free to register and visit our NetScaler Community: https://community.netscaler.com
 



Guest Sara Austin
Delivering superior performance on Linux with NetScaler BLX
Submitted on: September 29, 2021
Author: Ioannis Dounis
NetScaler BLX is a software version of NetScaler that delivers high performance and a rich set of features to your Linux server. Because it’s a Linux (daemon) process, getting the most out of it requires optimising aspects of your host system for the best performance. Check out this video to learn more about NetScaler BLX and how to deploy it.

NetScaler BLX gives you lightning-fast performance on your Linux server, along with extraordinary configurability. It operates on a custom user-space networking stack, which means performance is unaffected by continuous switching between kernel and user-space contexts. Also, NetScaler BLX, as a form of NetScaler, is distinguished from other products because it enables the user to configure protocol and feature-level options in great detail, without changing host system settings.
For example, by creating one or more TCP profiles, you can set any TCP protocol option specifically for each individual service (e.g., per load balancing server). This level of granularity removes the burden of changing system-wide settings, which can lead to configuration errors and, possibly, different behaviour between different Linux system kernels.
NetScaler BLX comes with and without DPDK support. In this post, the first in a series, we’ll look at how to optimise a Linux server for deployment in DPDK mode. Enabling DPDK for BLX means that packets reach BLX’s user-space networking stack directly, without Linux kernel processing.
You can learn more about deploying NetScaler BLX in DPDK Mode in our documentation.
Step 1 – Considering NUMA topology
The first step in our optimisation journey is to understand our server’s NUMA topology. (You can learn more about NUMA here.)
We’ll need to identify the NUMA nodes of the data plane network interfaces that we’ll assign to DPDK drivers, then configure the NetScaler BLX to use them. We will use this information in Step 2, where we’ll choose the set of CPUs our BLX worker processes will run on.
With the NIC still in kernel mode (not yet assigning a DPDK poll mode driver, as described in BLX DPDK documentation linked earlier), we can easily get the NUMA node of our NIC(s) by examining the following:
/sys/class/net/$NIC_NAME/numa_node
where $NIC_NAME is the Linux name of our NIC (e.g., eth0, eth1, ens1).
We’ll allocate one network interface for NetScaler BLX’s data plane — named “ens1f0” — on our Linux server. Examining the above file, we get:

So, our NIC belongs to NUMA Node 0. If we get a value of -1 instead, we operate on a non-NUMA machine and we can use any combination of CPUs without any NUMA-related impact on performance.
If there are multiple data NICs, you should take into account all NUMA nodes and split the NetScaler BLX worker processes’ CPU affinity between them accordingly.
We have observed a stunning 20 percent performance improvement just by taking into consideration the NUMA locality!
Step 2 – Isolation of Cores.
Now, we can decide which set of CPU cores to isolate for our NetScaler BLX worker processes. Isolating a core means that no other user-space process will be scheduled by the Linux kernel to run on it, and our BLX worker processes get full attention.
Please note, only BLX worker processes will execute on isolated cores. Other BLX processes will be scheduled to run on different system cores.
Let’s begin by identifying the NUMA node for each CPU of our server using the “lscpu” command:

That’s a lot of output about our system’s CPUs, but we’re just interested in NUMA node{n}. We can see that on our 24-core system, cores 0-11 are in node0 and cores 12-23 are on node1. Our NIC belongs to node0, so we’ll need to select as many CPUs from this set as possible because we’re going to pin BLX worker processes and CPUs on a 1-1 basis. If we’re deploying BLX with five worker processes, we’ll use five CPUs from node0. We’ll pick [0-4] and then isolate them.
We can then use isolcpus, a kernel command line parameter, to isolate our CPU set. Using grub, we can set this by altering GRUB_CMDLINE_LINUX setting in /etc/default/grub, adding or modifying the isolcpus option to isolcpus=0,1,2,3,4. More details are available at https://www.linuxtopia.org/online_books/linux_kernel/kernel_configuration/re46.html and https://www.kernel.org/doc/html/v4.14/admin-guide/kernel-parameters.html.

Next, we’ll generate a new grub configuration file pointing to the correct path for our system. For example, on an EFI CentOS-based server, you’ll get:
grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
Then we’ll reboot our system for the isolation to take effect.
Please refer to your Linux distribution guide for distribution-specific tools and paths.
Step 3 – Setting BLX Main Worker CPU Affinity
After our server reboots, we can verify that our command was executed as a kernel command line parameter by issuing the command cat /proc/cmdline. The exact setting is configured in /etc/default/grub.
Having isolated the appropriate cores, we can use them to set the affinity for our BLX worker processes.
As described in this BLX DPDK deployment article, for BLX in DPDK mode, we’ll need to edit
/etc/blx/blx.conf
We’ll set CPU affinity by manipulating this field:
worker-processes: -c
The -c option of this field represents a hexadecimal bit mask of the CPUs we want to set the affinity on. In our case, for CPUs [0-4] we can calculate the bit mask as follows:

Each hexadecimal digit represents four CPUs because it’s composed of four binary digits. Setting a binary digit to “1” specifies that we’ll assign BLX worker processes to it. In our example, a 24-core system, we’ll have six hexadecimal digits representing our bit mask; we want to set the affinity to cpus[0-4] for a five-worker process BLX, which means setting a value of “1” to bits [0-4].
Our final hexadecimal bit mask is 0x1f and the option is set as "worker-processes: -c 0x1f".
Summary
NetScaler ADC BLX gives you the feature-rich NetScaler ADC as a standalone process on Linux machines. With the right system optimisations in place, your BLX deployment can enable you to utilise your server resources to help you lower latency and maximise performance.
In our next post, we’ll look at optimising our BLX DPDK deployment at the network protocol level according to an organisation’s specific needs, and we’ll demonstrate the unique, fine-grained configurability of NetScaler ADC!
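
Steps 1 to 3 of the article above combined into one script, as an added example that is not part of the original post: it reads the NIC's NUMA node, picks worker CPUs from that node, and prints the matching isolcpus value and "-c" bit mask. SYSFS_ROOT is a hypothetical override for testing; /sys/devices/system/node/nodeN/cpulist and /sys/devices/system/cpu/online are standard Linux sysfs files that the article does not mention.

```shell
#!/bin/sh
# Added example: derive isolcpus= and the BLX "-c" mask from NUMA topology.
# SYSFS_ROOT is a hypothetical override so the logic can run against a
# constructed directory tree instead of the live /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Step 1: NUMA node of a NIC that is still bound to its kernel driver.
nic_numa_node() {
    cat "$SYSFS_ROOT/class/net/$1/numa_node"
}

# Expand a kernel cpulist such as "0-3,8,10-11" into one CPU id per line.
# The ( ) body runs in a subshell, so the IFS change stays local.
expand_cpulist() (
    IFS=','
    for part in $1; do
        seq "${part%-*}" "${part#*-}"
    done
)

# Step 2: first $2 CPUs on the same NUMA node as NIC $1, comma-separated.
# Node -1 means a non-NUMA machine, where any online CPUs will do.
pick_worker_cpus() {
    node=$(nic_numa_node "$1") || return 1
    if [ "$node" -lt 0 ]; then
        list=$(cat "$SYSFS_ROOT/devices/system/cpu/online")
    else
        list=$(cat "$SYSFS_ROOT/devices/system/node/node$node/cpulist")
    fi
    expand_cpulist "$list" | head -n "$2" | paste -sd, -
}

# Step 3: turn "0,1,2,3,4" into the hex bit mask for "worker-processes: -c".
# Shell arithmetic is 64-bit here, so this covers CPU ids 0-62.
cpus_to_mask() (
    IFS=','
    mask=0
    for cpu in $1; do
        mask=$(( mask | (1 << $cpu) ))
    done
    printf '0x%x\n' "$mask"
)

# Usage: sh blx_affinity.sh ens1f0 5
if [ $# -eq 2 ]; then
    cpus=$(pick_worker_cpus "$1" "$2") || exit 1
    echo "isolcpus=$cpus"
    echo "worker-processes: -c $(cpus_to_mask "$cpus")"
fi
```

Run it while the NIC is still in kernel mode, since the numa_node file is read through the kernel network device entry.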

Chris Chau
In recent years, nearly ALL of the apps configured in NetScaler are SSL/TLS encrypted HTTPS Apps. Hence, installing an existing server certificate into the NetScaler, or creating a new certificate request and installing the new certificate in the NetScaler, is a very common task.
 
In this short video, you can follow how to create a new RSA key / certificate request, install the new server certificate and bind the new certificate-key pair.
 
Detailed information can be found in the following eDoc link:
https://docs.netscaler.com/en-us/citrix-adc/current-release/ssl/ssl-certificates/create-a-certificate.html
 

