Creating a Citrix NetScaler Test environment

C

Citrix ADC/NetScaler Test environment by Johannes Norz

last updated: December 2020

Creating a Citrix NetScaler Test environment

New since February 2020: Instead of downloading, you may just use my environment, hosted at my private data centre.

Being a Citrix Certified Instructor I am very much aware of the Red/Green/Blue website used during official Citrix NetScaler training (CNS-220, CNS-222). I created my own test website. I usually use it during product demonstrations to present anything from basic load balancing to the web application firewall.

I am also aware of problems with the original Citrix labs: They sometimes seem to not load balance. Actually, they do, but, because this page is compromised of several files, it may appear to show the same colour all the time. I wanted to avoid this, so my default page doesn’t use external style-sheets, scripts and images, instead, I added everything into the HTML file (you may include images using base 64 encoding).

I discontinued developing these test-websites, as I am now hosting a free to use online version, however, I will not stop distributing the current version. You may download my test website from here. You may download it as often as you like. The download will ask you for your name. I promise not to abuse it, instead, I’ll just count the numbers of downloads.

There are 3 servers:

  1. the red server
  2. the blue server
  3. the green server

My labs can be used together with official Citrix lab guides (but using my IP addresses instead) or using my great wonderkitchen tuturial. There is also a very, very basic lab guide at the end of this document.

Requirements and prerequisites

Most of the files are simple HTML-files, so there is nothing OS-specific. The files are tested using I tested using CentOS 7.4.1708 on an Apache web-server.

Linux

You may set up an apache web server on CentOS (or any Linux distribution you love), install php, add multiple IPs and configure apache to use several virtual instances, an IP per instance.

I also provide some files to test files for WAF, requiring PHP.

Windows

Similar to Linux, I suggest adding several IP addresses to your Windows server and creating virtual webserver instances using IP addresses.

Unfortunately, my website is not tested with Windows, as I don’t own a Windows license to test.

Installation procedure for Citrix ADC / NetScaler

Import a Citrix ADC / NetScaler VPX into your virtualization solution. (www.citrix.com -> downloads -> NetScaler ADC -> Reliese xxx -> Virtual Appliances).

IP addressing

I used 192.168.229.10 as an NSIP, 192.168.229.11 as a SNIP, and addresses from 192.168.229.100 onwards for virtual servers.

The machine hosting the web-server uses 192.168.229.5 for the red, 192.168.229.6 for the blue and 192.168.229.7 for the green server.

Windows set up

(sorry, there is no description for Linux setup, as it’s very easy)

Roles and features

After setting up this windows machine you have to set up IIS. Start Server Manager (if it’s not already started) and click “Add roles and features”. Click Next 3 times.

Select Active Directory Certificate authorityWeb Server IIS and DNS. If asked select following roll- services:

  • .NET Extensibility 4.5
  • ISAPI Extensions
  • ISAPI Filters
  • .NET Extensibility 3.5
  • Certificate Authority
  • Certificate enrolment web service

Setting up the Certificate Authority:

  • stand-alone CA
  • root CA
  • create a new key
  • SHA 256 (or higher)
  • confirm all the rest of the questions

IP configuration

select your network adapter. Change the IP address. Set 192.168.229.3 255.255.255.0 as an IP address (you may use any other address range you like, but I use 192.168.229.x in my example). DNS should be 127.0.0.1, gateway depending on your settings.

Click advanced. add 3 more IP addresses (192.168.229.5 to 192.168.229.7).

IIS settings

Copy my files into c:\inetpub directory.

Open Internet Information Server Management.

Open your server and select sites. Right-click your server and select add website. Create 4 virtual websites:

Sitename: Sitie1 (2,3)
Site path: C:\inetpub\wwwroot1 (2,3)
type: HTTP
IP address: 192.168.229.5 (6,7)
hostname: (empty)

ASPx is not needed.

additional software

If you want to use this machine as a workstation as well install Google’s Chrome Browser together with Mozilla FireFox. Alternatively, you may create a dedicated work station or use your desktop work station.

You’ll very likely need the SSH terminal putty, the secure copy tool WinSCP and the network monitor WireShark. They can be considered to be the tools used by a NetScaler admin during his daily work.

Labs:

Prerequisites

in DNS manager create a new Forward lookup zone called workspacelabs.com.

Create hosts:

  • colours.workspacelabs.com 192.168.229.100
  • cs-test.workspacelabs.com 192.168.0.101
  • aaa.workspacelabs.com 192.168.0.102

1st lab: create a load balancing vServer

Server:

  • srv_red -> 192.168.229.5
  • srv_green -> 192.168.229.6
  • srv_blue -> 192.168.229.7

Services:

  • svc_red (HTTP/80)
  • svc_green (HTTP/80)
  • svc_blue (HTTP/80)

Loadbalancing vServer

  • lb_vsrv_colors (192.168.229.100/HTTP/80)

additional labs:

  • add persistence (source IP, cookie-based, …)
  • disable services and see what hapens (re-enable these)
  • unbind red service, create an additional loadbalancing vServer (non addressable), called lb_vsrv_red. Set this one in protection as a backup virtual server. Disable service blue and green. Which status does lb_vsrv_colors have now? Does it work? Why? rebind red service.

2nd lab: certificates

  • use the wizard to create a key and a CSR (hostname *.workspacelabs.com). Surf to 192.168.229.4/certsrv. Request a certificate. download this certificate as BASE 64. Install it into NetScaler
  • create a lb vServer lb_vsrv_colors_secure (192.168.229.100/SSL/443). Bind the 3 services and your newly created certificate. Surf to https://colours.workspacelabs.com

3rd lab: content switching

  • create a new content switching vServer cs_vsrv_browser 192.168.229.101/HTTP/80
  • create two new cs-policies
    • HTTP.REQ.HEADER(“User-Agent”).CONTAINS(“Firefox”) action pointing to red
    • HTTP.REQ.HEADER(“User-Agent”).CONTAINS(“Chrome”) action pointing to green
  • bind these policies to cs_vsrv_browser. Let the default server be blue.
  • Surf to cs-test.workspacelabs.com using any browser you have. Google Chrome should show green, FireFox red content, all other browsers should show blue content.
    keep in mind: Some browsers pretend to be Google Chrome. So they may show green as well

4th lab: responding

  • create a responder policy to forward users from https://colorsworkspacelabs.com/ to https://colors.workspacelabs.com/ and bind it to lb_vsrv_colours
  • create a responder policy forwarding users from https://colorsworkspacelabs.com/ to https://colors.workspacelabs.com/home.htm
  • unbind the responder policy from lb_vsrv_colours

5th lab: rewriting

  • create a rewriting policy rewriting requests for https://colors.workspacelabs.com into https://colors.workspacelabs.com/home.htm and bind it to lb_vsrv_colours
  • remove server header from HTTP-response and bind it to lb_vsrv_colours
  • add a server header into HTTP response stating your server to be an Apache and bind it to lb_vsrv_colours

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He had been borne in Innsbruck, a small city (150.000 inhabitants) in the middle of the most beautiful Austrian mountains (https://www.youtube.com/watch?v=UvdF145Lf2I)

6 comments

Leave a Reply to fabrice chrzanowski Cancel reply

  • Hello
    you say : “I used 192.168.0.100 as a NSIP, 192.168.0.110 as a SNIP, 192.168.200 ff for virtual servers”
    So you are using only one network ‘
    ———————————————————–
    I created a lab on HV windows 10 Laptop
    I have 2 vswitch (private) on my NS1
    Config of my NS 1 :
    192.168.10.101 ENABLED NetScaler IP Active ENABLED ENABLED -N/A- 0
    10.0.0.1 ENABLED Subnet IP Active ENABLED ENABLED -N/A-

    I created a DC 10.0.0.10 and ping OK from NS1 to ad
    Is it a good configuration
    So when will start to created my virtual server for load balacing with VIP must I use
    10.0.0.x ???

    tks

    • It’s OK to have SNIP and NSIP in different subnets. In fact SNIPs are designed to reside in different subnets. That’s the main difference to Mapped IPs, the type of IPs we used in very old versions of NetScalers like 8.x.

      You usually put your SNIPs into the same network as the backend servers or, if this is not possible (i.e. for security reasons) you put it into the same subnet as the router pointing there. VIPs may reside in different subnets as well.

      I just did a single subnet deployment it as this is a testing environment, I wanted to keep it as simple as any possible. In production you usually put NSIP into management network, the VIP into client network and the SNIPs into server network. If you go with a HA deployment (you should) you’ll probably add a SNIP into management network as well, however it will be used for management only.

      So, to answer your final question: The VIP has to be reachable from client side. They usually get separated from SNIPs. However there has to be a working route from VIP to client’s IP

      Cheers

      Johannes

    • Of course it will! You may place these IPs in same or different subnets. Best choice depends on your design. I have done anything you can think of: all IPs in the same subnet, NSIP and SNIP in oe subnet, VIP in an other, VIP and SNIP in the same, NSIP in a different one. Anything is fine, anything is supported!

  • Hello
    How are you
    So I did all the labs with one subnet
    192.168.1.0/24
    All fine

    Now I!m doing the lab on NetScaler gateway to configure Ica hdx proxy
    I could also create a vip in the same subnet but I don’t want to show that to my customer . How can I build my lab to simulate external client connecting to my NS . Can I use PfSense tks for your help

Recent Posts

Recent Comments