NetScaler SDX 12

Last Modified: Sep 30, 2017 @ 6:47 pm

Overview

Citrix CTX226732 Introduction to Citrix NetScaler SDX.

NetScaler SDX is normal NetScaler hardware, but runs XenServer hypervisor, and several virtual machines:

  • Service VM (aka Management Service, aka SVM) – every SDX comes with this Virtual Machine. This VM enables the SDX Administrator to create additional VMs on XenServer.
    • It’s not possible to build this VM yourself. If something happens to it, your only choice is to do a factory reset on the physical appliance, which deletes all local virtual machines, and recreates the Service VM.
    • Each Service VM only manages the VMs on the local SDX. Each SDX has its own Service VM. To manage multiple SDXs, use NetScaler MAS.
    • XenServer on SDX is a special build. Do not attempt to directly upgrade XenServer, patch XenServer, configure XenServer, etc. Instead, all upgrades and configurations should be performed by the Service VM.
  • NetScaler VPX Instances – you create one or more NetScaler instances on top of XenServer
    • The number of NetScaler instances you can create is limited by your SDX license.
    • The physical resources (CPU, Memory, NICs, SSL Chips, FIPS HSM) of the SDX are partitioned to the different instances.
    • The amount of bandwidth (throughput) available to the VPX instances depends on your license. For example, the 14040 SDX license gives you 40 Gbps of throughput, which is partitioned across the instances.
    • The NetScaler instances are created from a normal XenServer .xva template.
    • Each VPX has its own NSIP. Once the VPX is provisioned, you connect to the NSIP, and configure it like a normal NetScaler.

If the top left of the window says SDX, then you are logged into the Management Service (aka Service VM, aka SVM). If it says VPX, then you are logged into an instance.

High Availability – NetScaler SDX does not have any High Availability capability at the XenServer or SVM layer. In other words, every SDX is completely standalone. To achieve HA, you create NetScaler VPX instances on two separate SDXs, and pair the VPX instances in the normal fashion.

Why NetScaler VPX on top of SDX instead of normal hypervisors?

  • VPX on SDX gets physical access to SSL chips. These SSL ASICs are not available on normal hypervisors. SSL Chips provide significantly higher SSL throughput than normal hypervisors.
  • VPX on SDX gets SR-IOV access to the Network interfaces. This enables full 40 Gbps throughput to a single VM.
  • The SDX NICs can filter VLANs to different instances, thus ensuring that VPX instances cannot cross security boundaries by adding the wrong VLANs.
  • Some SDXs have Hardware Security Modules (HSM) for FIPS compliance. The VPXs on SDX can utilize this hardware security resource.

SDX Networking

  • Management port – Every SDX has a 0/1 port. The SVM and XenServer management IP are on this NIC. You need a minimum of two IPs on a management network connected to the 0/1 port. SVM and XenServer cannot use any of the data ports for management.
  • LOM port – Every SDX has a Lights Out Management (LOM) port. This port gives you out-of-band console access to XenServer. Once you’re on XenServer, you can use Xen commands to see the SVM console, and/or VPX consoles.
  • Data ports – The remaining interfaces can be aggregated into port channels. Port channels are configured at XenServer, and not from inside the VPXs. Use the Service VM to create channels, and then connect the VPXs to the channels.
  • VPX networking – When VPXs are created, you specify which physical ports to connect it to.
    • If you want the VPX NSIP to be on the same subnet as SVM and XenServer, then connect the VPX to 0/1.
    • Connect the VPX to one or more LA/x interfaces (port channels).
    • Once the VPX is created, log into it, and create VLAN objects in the normal fashion. VLAN tagging is handled by the VPX, not XenServer.
    • On SVM, when creating the VPX instance, you can specify a list of allowed VLANs. The VPX administrator is only allowed to add VLANs that are in this list.
  • SVM to NSIP – SVM must be able to communicate with every VPX NSIP. If VPX NSIP is on a different subnet than SVM, then ensure that routing/firewall allows this connection.

LOM IP Configuration

There are two ways to set the IP address of the Lights Out Module (LOM):

  • Crossover Ethernet cable from a laptop with an IP address in the 192.168.1.0 network.
  • ipmitool from the NetScaler SDX XenServer command line
    • For MPX, you can run ipmitool from the BSD shell.

Ipmitool Method:

  1. For NetScaler SDX, SSH to the XenServer IP address (this is not the Service VM IP).
    1. For NetScaler MPX, SSH to the NetScaler NSIP.
  2. Default XenServer credentials are root/nsroot.
    1. Default MPX credentials are nsroot/nsroot.
  3. If MPX, run shell. XenServer is already in the shell.
  4. Run the following:
    ipmitool lan set 1 ipaddr x.x.x.x
    ipmitool lan set 1 netmask 255.255.255.0
    ipmitool lan set 1 defgw ipaddr x.x.x.x

  5. You should now be able to connect to the LOM using a browser.
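The ipmitool steps above, wrapped in a pre-flight check (an added example, not from the original article or from Citrix): it validates the address, netmask and gateway before anything is written to the LOM, because a gateway outside the LOM subnet leaves the out-of-band port unreachable from other networks. The 192.0.2.x values are constructed placeholders, and `ipmitool lan print 1` is used to read the settings back.

```shell
#!/bin/sh
# Added example: sanity-check LOM addressing, then print (or apply) the three
# ipmitool commands from the steps above. LAN channel 1 matches the article.

# Dotted-quad -> 32-bit integer on stdout; non-zero exit on malformed input.
ip_to_int() {
  case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# A netmask is valid when its one-bits are contiguous from the left.
valid_netmask() {
  m=$(ip_to_int "$1") || return 1
  [ "$m" -ne 0 ] || return 1
  inv=$(( ~$m & 4294967295 ))
  [ $(( $inv & ($inv + 1) )) -eq 0 ]
}

# Validate the three values and print the commands that would be run.
lom_plan() {
  ip=$(ip_to_int "$1")  || { echo "bad LOM IP: $1" >&2; return 1; }
  valid_netmask "$2"    || { echo "bad netmask: $2" >&2; return 1; }
  mask=$(ip_to_int "$2")
  gw=$(ip_to_int "$3")  || { echo "bad gateway: $3" >&2; return 1; }
  bcast=$(( ~$mask & 4294967295 ))
  host=$(( $ip & $bcast ))
  if [ "$host" -eq 0 ] || [ "$host" -eq "$bcast" ]; then
    echo "LOM IP $1 is the network or broadcast address" >&2; return 1
  fi
  if [ $(( $ip & $mask )) -ne $(( $gw & $mask )) ]; then
    echo "gateway $3 is not in the LOM subnet" >&2; return 1
  fi
  [ "$ip" -ne "$gw" ] || { echo "LOM IP equals gateway" >&2; return 1; }
  printf 'ipmitool lan set 1 ipaddr %s\n' "$1"
  printf 'ipmitool lan set 1 netmask %s\n' "$2"
  printf 'ipmitool lan set 1 defgw ipaddr %s\n' "$3"
}

# Apply the settings on the appliance shell, then read them back.
apply_lom() {
  command -v ipmitool >/dev/null 2>&1 || { echo "ipmitool not found" >&2; return 1; }
  lom_plan "$1" "$2" "$3" >/dev/null || return 1
  ipmitool lan set 1 ipaddr "$1" &&
    ipmitool lan set 1 netmask "$2" &&
    ipmitool lan set 1 defgw ipaddr "$3" &&
    ipmitool lan print 1
}

if [ "${1:-}" = "--apply" ]; then
  apply_lom "$2" "$3" "$4"
else
  lom_plan 192.0.2.20 255.255.255.0 192.0.2.1   # constructed sample values
fi
```

Without arguments the script only prints the plan; `--apply <ip> <netmask> <gateway>` runs the commands on the XenServer (or MPX BSD) shell.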

Laptop method:

  1. Configure a laptop with static IP address 192.168.1.10 and connect it to the Lights Out Module port.
  2. In a Web browser, type the IP address of the LOM port. For initial configuration, type the LOM port’s default address: http://192.168.1.3
  3. In the User Name and Password boxes, type the administrator credentials. The default username and password are nsroot/nsroot.
  4. In the Menu bar, click Configuration, and then click Network.
  5. Under Options, click Network, and type values for the following parameters:
    1. IP Address – The IP address of the LOM port.
    2. Subnet Mask – The mask used to define the subnet of the LOM port.
    3. Default Gateway – The IP address of the router that connects the appliance to the network.
  6. Click Save.
  7. Disconnect the laptop, and instead connect a cable from a switch to the Lights Out Module.

LOM Firmware Upgrade

The LOM firmware at https://www.citrix.com/downloads/netscaler-adc/components/lom-firmware-upgrade differs depending on the hardware platform. The LOM firmware for the 8000 series is different than the 11000 series and the 14000 series. Do not mix them up.

While this article focuses on SDX, note that NetScaler MPX has a new method for updating LOM as detailed at CTX218264 How to Upgrade the LOM Firmware on Any NetScaler MPX Platform.

The SDX Update Bundle does not include LOM firmware update so you must update it separately:

  1. Determine which firmware level you are currently running. You can point your browser to the LOM and log in to see the firmware level. Or you can run ipmitool mc info from the XenServer shell.
  2. If your LOM firmware is older than 3.0.2, follow the instructions at http://support.citrix.com/article/CTX137970 to upgrade the firmware.
  3. If your LOM firmware is version 3.02 or later, follow the instructions at http://support.citrix.com/article/CTX140270 to upgrade the firmware. This procedure is shown below.
  4. Now that the firmware is version 3.0.2 or later, you can upgrade to 3.39. Click the Maintenance menu and then click Firmware Update.
  5. On the right, click Enter Update Mode.
  6. Click OK when prompted to enter update mode.
  7. Click Choose File, and browse to the extracted bin file.
  8. After the file is uploaded, click Upload Firmware.
  9. Click Start Upgrade.
  10. The Upgrade progress will be displayed.
  11. After upgrade is complete, click OK to acknowledge the 1 minute message.
  12. The LOM will reboot.
  13. After the reboot, login and notice that the LOM firmware is now 3.39.

SDX IP Configuration

Default IP for Management Service is 192.168.100.1/16 bound to interface 0/1. Use a laptop with crossover cable to reconfigure the IP. Point your browser to http://192.168.100.1. Default login is nsroot/nsroot.

Default IP for XenServer is 192.168.100.2/16. Default login is root/nsroot. Note: XenServer IP and Management Service IP must be on the same subnet.

There should be no need to connect to XenServer directly. Instead, all XenServer configuration (e.g. create new VM) is performed through the Management Service (SVM).

To change the XenServer IP, make the change through the SVM as detailed below:

  1. Point a browser to http://192.168.100.1, and login as nsroot/nsroot.
  2. When you first login to the SDX Management Service, the Welcome! Wizard appears. Click Management Network.
  3. Configure the IP addresses.
    1. Appliance Management IP = SVM (Management Service). This is the IP you’ll normally use to manage SDX.
    2. Application supportability IP = XenServer. You’ll almost never connect to this IP.
    3. The bottom has an Additional DNS checkbox that lets you enter more DNS servers.
    4. You can change the nsroot password at this time, or change it later after LDAP is configured.
  4. Click Done.
  5. Click the System Settings box.
  6. Enter a Host Name.
  7. Select the time zone, and click Continue.
  8. Click the Licenses box.
  9. Click Add New License.
  10. Allocate NetScaler SDX licenses normally.
    1. The SDX license defines the number of instances you can create.
    2. It also defines the amount of throughput available to the instances.
    3. The SDX license is allocated to ANY, which means you can use the same license on all SDX hardware, assuming all of them are purchased with the same license model.
  11. After uploading, click Finish and it should apply automatically.
  12. Or you can click Apply Licenses.
  13. Then click Continue.

Another way to change the Management Service IP address is through the serial port. This is actually the XenServer Dom0 console. Once logged in to XenServer, run ssh 169.254.0.10 to access the Management Service virtual machine. Then follow instructions at http://support.citrix.com/article/CTX130496 to change the IP.

The console of the Management Service virtual machine can be reached by running the following command in the XenServer Dom0 shell (SSH or console):

xe vm-list params=name-label,dom-id name-label="Management Service VM"

Then run /usr/lib64/xen/bin/xenconsole <dom-id>

SDX Platform Software Bundle

If your NetScaler SDX is not version 11 or newer, and if your NetScaler SDX is running 10.5 build 57 or later, then do the following:

  1. Go to Management Service > Software Images, and upload the Single Bundle for 12.0. The single bundle is around 1.3 GB.
  2. On the left, click System. On the right, click Upgrade Management Service. Select the Single Bundle upgrade file you already uploaded.
  3. Management Service will upgrade and reboot. A few minutes after that, XenServer will be upgraded. Be patient as there’s no notification that the box will reboot again.

Starting with SDX 11.0, all updates are bundled together and installed at once.

  1. Make sure your Management Service (SVM) is running SDX 11.0 or newer.
  2. Download the latest SDX Platform Software bundle from Downloads > NetScaler ADC > Release 12.0 > Service Delivery Appliances.

  3. Login to the SDX Management Service, go to Configuration > System.
  4. On the right, in the right column, click Upgrade Appliance.
  5. Browse to the build-sdx-12.0.tgz software bundle, and click OK.
  6. It should show you the estimated installation time. Check boxes next to the instances that need configs saved. Click Upgrade.
  7. Click Yes to continue with the upgrade.
  8. The Management Service displays installation progress.
  9. Once the upgrade is complete, click Login.

  10. If you click the Configuration tab, the Information page will be displayed showing the version of XenServer, Management Service (Build), etc.

FIPS

If your SDX is a FIPS appliance, see Citrix Blog Post Meet Security Compliance and Be Scalable with NetScaler FIPS SDX for detailed HSM setup instructions:

  1. Zeroize the HSM
  2. Upgrade HSM firmware
  3. Create HSM partitions
  4. Create NetScaler instance and attach HSM partition:
    • Only one CPU core
  5. From inside NetScaler instance:
    1. Reset FIPS
    2. Initialize FIPS
    3. Create FIPS Key
    4. Create HA Pair and synchronize FIPS

DNS Servers

Older versions of SDX only let you enter one DNS server. To add more, do the following:

  1. In the Management Service, on the left, click System.
  2. On the right, click Network Configuration.
  3. On the bottom, there’s a checkbox for Additional DNS that lets you put in more DNS servers.
  4. Click OK when done.

Management Service NTP

  1. On the Configuration tab, in the navigation pane, expand System, and then click NTP Servers.
  2. To add a new NTP server, in the right pane, click Add.
  3. In the Create NTP Server dialog box, enter the NTP server name (e.g. pool.ntp.org), and click Create.
  4. Click Yes when prompted to restart NTP Synchronization.
  5. In the right pane, click NTP Synchronization.
  6. In the NTP Synchronization dialog box, select Enable NTP Sync. Click OK.
  7. Click Yes when asked to restart the Management Service. This only restarts the SVM. Other instances on the same box won’t be affected.

Management Service Alerting

Syslog

  1. On the Configuration tab, expand System > Auditing, and click Syslog Servers.
  2. In the right pane, click the Add button.

    1. Enter a name for the Syslog server.
    2. Enter the IP address of the Syslog server.
    3. Change the Choose Log Level section to Custom, and select log levels.
  3. Click Create.
  4. On the right is Syslog Parameters.
  5. You can configure the Date Format and Time Zone. Click OK.

Mail Notification

  1. On the Configuration tab, expand System > Notifications, and click Email.
  2. In the right pane, on the Email Servers tab, click Add.
  3. Enter the DNS name of the mail server, and click Create.
  4. In the right pane, switch to the Email Distribution List tab, and click Add.
  5. In the Create Email Distribution List page:
    1. Enter a name for the mail profile.
    2. Select the Email Server to use.
    3. Enter the destination email address (distribution list).
  6. Click Create.

System SNMP

  1. Go to System > SNMP.
  2. On the right, click Configure SNMP MIB.
  3. Enter asset information, and click OK. Your SNMP management software will read this information.
  4. Under the SNMP node, configure normal SNMP including: Trap Destinations, Managers, Alarms, etc.

  5. MIBs can be downloaded from the Downloads tab.

Instance SNMP

  1. The instances will send SNMP traps to the Service VM. To get alerted for these traps, in the Configuration page, in the navigation pane, expand NetScaler, expand Events, and click Event Rules.
  2. On the right, click Add.

    1. Give the rule a name.
    2. Select the Major and Critical severities, and move them to the right.
    3. Scroll down.
    4. For the other sections, if you don’t configure anything then you will receive alerts for all of the devices, categories, and failure objects. If you configure any of them, then only the configured entities will be alerted.
    5. Scroll down.
    6. Click Save.
  3. Select an Email Distribution List, and click Done.

Management Service nsroot Password and AAA

Change nsroot password

  1. On the Configuration tab, in the navigation pane, expand System, expand User Administration, and then click Users.
  2. On the right, in the Users pane, right-click the nsroot user account, and then click Edit.
  3. In the Configure System User dialog box, check the box next to Change Password.
  4. In Password and Confirm Password, enter the password of your choice. Click OK.

AAA Authentication

To enable LDAP authentication for the Service VM:

  1. Go to Configuration > System > Authentication > LDAP.
  2. In the right pane, click Add.
  3. This is configured identically to NetScaler.
    1. Enter a Load Balancing VIP for LDAP servers.
    2. Change the Security Type to SSL, and Port to 636.
    3. Scroll down.
    4. Note: if you want to Validate LDAP Certificate, then there are special instructions for installing the root certificate on the SVM. See Installing CA certificates to the SDX/SVM for LDAPS user authentication at Citrix Discussions for details.
    5. Enter the Base DN in LDAP format.
    6. Enter the bind account in UPN format, or Domain\Username format, or DN format.
    7. Check the box for Enable Change Password.
    8. Click Retrieve Attributes, and scroll down.
    9. For Server Logon Attribute, select sAMAccountName.
    10. For Group Attribute, select memberOf.
    11. For Sub Attribute Name, select CN.
    12. To prevent unauthorized users from logging in, configure a Search Filter as detailed in the LDAP post. Scroll down.
  4. Click Create.
  5. Expand System, expand User Administration, and click Groups.
  6. On the right, click Add.
  7. In the Create System Group page:
    1. Enter the case sensitive name of the Active Directory group.
    2. Check the box next to System Access.
    3. Configure the Session Timeout.
  8. Click Create.
  9. On the left, under System, click User Administration.
  10. On the right, click User Lockout Configuration.

    1. If desired, check the box next to Enable User Lockout, and configure the maximum logon attempts. Click OK.
  11. On the left, under System, click Authentication.
  12. On the right, click Authentication Configuration.

    1. Change the Server Type drop-down to EXTERNAL, and click Insert.
    2. Select the LDAP server you created earlier, and click OK.
    3. Make sure Enable fallback is enabled, and click OK.

SSL Certificate and Encryption

Replace SDX Management Service Certificate

To replace the Management Service certificate:

  1. PEM format: The certificate must be in PEM format. The Management Service does not provide any mechanism for converting a PFX file to PEM. You can convert from PFX to PEM by using the Import PKCS#12 task in a NetScaler instance.
  2. On the left, click System.
  3. On the right, in the left column, in the Set Up Appliance section, click Install SSL Certificate.
  4. Select the certificate and key files in PEM format. If the key file is encrypted, enter the password. Then click OK.
  5. The Management Service will restart. Only the SVM restarts; the NetScaler instances do not restart.
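A pre-upload check for the PEM requirement in step 1 and the encrypted-key case in step 4, as an added example that is not part of the original article: it confirms both files are PEM, reports whether the key is passphrase-protected, and verifies that the key belongs to the certificate before the Management Service is restarted with it. It assumes the openssl CLI on an admin workstation; the file names, the KEYPASS environment variable and the self-signed demo pair are constructed for this example.

```shell
#!/bin/sh
# Added example: checks to run on a workstation before Install SSL Certificate.
# Requires the openssl CLI. File names and KEYPASS are assumptions.

# True if the file carries a PEM certificate that openssl can parse.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    openssl x509 -in "$1" -noout 2>/dev/null
}

# True if the file carries a PEM private key (PKCS#1, PKCS#8 or EC header).
is_pem_key() {
  grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" 2>/dev/null
}

# True if the key is passphrase-protected (PKCS#8 or legacy PEM encryption).
key_is_encrypted() {
  grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null
}

# Public key embedded in the certificate, as PEM text.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from the private key, as PEM text. An encrypted key
# takes its passphrase from $KEYPASS so it never appears on the command line.
key_pubkey() {
  if key_is_encrypted "$1"; then
    openssl pkey -in "$1" -passin env:KEYPASS -pubout 2>/dev/null
  else
    openssl pkey -in "$1" -pubout 2>/dev/null
  fi
}

# True only if both public keys could be read and are identical.
cert_key_match() {
  c=$(cert_pubkey "$1") && k=$(key_pubkey "$2") && [ -n "$c" ] && [ "$c" = "$k" ]
}

# usage: svm_cert_precheck cert.pem key.pem
svm_cert_precheck() {
  is_pem_cert "$1" || { echo "FAIL: $1 is not a PEM certificate" >&2; return 1; }
  is_pem_key "$2"  || { echo "FAIL: $2 is not a PEM private key" >&2; return 1; }
  if key_is_encrypted "$2"; then
    echo "NOTE: key is encrypted; the upload dialog will ask for its password"
  fi
  cert_key_match "$1" "$2" ||
    { echo "FAIL: key does not match certificate (or wrong KEYPASS)" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: certificate has expired" >&2; return 1; }
  echo "OK: $(openssl x509 -in "$1" -noout -subject -enddate | tr '\n' ' ')"
}

# Constructed throwaway pair (self-signed, CN is a placeholder) for a dry run.
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=svm.example.test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

if [ $# -eq 2 ]; then
  svm_cert_precheck "$1" "$2"
else
  d=$(mktemp -d) && make_demo_pair "$d" &&
    svm_cert_precheck "$d/cert.pem" "$d/key.pem"
  rm -rf "$d"
fi
```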


Force HTTPS to the Management Service

  1. Connect to the SVM using HTTPS. You can’t make this upcoming change if you are connected using HTTP.
  2. On the Configuration tab, click System.
  3. On the right, click Change System Settings.
  4. Check the box next to Secure Access Only, and click OK. This forces you to use HTTPS to connect to the Management Service.

SSL Encrypt Management Service to NetScaler Communication

From http://support.citrix.com/article/CTX134973: Communication from the Management Service to the NetScaler VPX instances is HTTP by default. If you want to configure HTTPS access for the NetScaler VPX instances, then you have to secure the network traffic between the Management Service and NetScaler VPX instances. If you do not secure the network traffic from the Management Service configuration, then the NetScaler VPX Instance State appears as Out of Service and the Status shows Inventory from instance failed.

  1. Log on to the Management Service.
  2. On the Configuration tab, click System.
  3. On the right, click Change System Settings.
  4. Change the Communication with NetScaler Instance drop-down to https.
  5. Run the following command on the NetScaler VPX instance, to change the Management Access (-gui) to SECUREONLY:

set ns ip ipaddress -gui SECUREONLY

Or in the NetScaler instance management GUI, go to Network > IPs, edit the NSIP, and then check the box next to Secure access only.

SDX/XenServer LACP Channels

For an overview of NetScaler SDX networking, see Citrix CTX226732 Introduction to Citrix NetScaler SDX

To use LACP, configure Channels in the Management Service, which creates them in XenServer. Then when provisioning an instance, connect it to the Channel.

  1. In the Management Service, on the Configuration tab, expand System, and click Channels.
  2. On the right, click Add.
  3. In the Create Channel page:
    1. Select a Channel ID.
    2. For Type, select LACP or STATIC. If using Cisco vPC, then LACP is required. The other two options are for switch independent load balancing.
    3. In the Interfaces section, move the Channel Member interfaces to the right by clicking the plus icon.
    4. In the Settings section, for LACP you can select Long or Short, depending on switch configuration. Long is the default.
  4. Click Create when done.
  5. Click Yes when asked to proceed.
  6. The channel will then be created on XenServer.

VPX Instances – Provision

Admin profile

Admin profiles specify the nsroot user credentials for the instances. Management Service uses these nsroot credentials later when communicating with the instances to retrieve configuration data.

The default admin profile for an instance specifies a user name of nsroot, and the password is also nsroot. To specify a different nsroot password, create a new admin profile.

  • You can create a single admin profile that is used by all instances. To delegate administration, don’t give out the nsroot password to the instance administrators. One option is to enable LDAP inside the instance before granting access to a different department.
  • When creating an instance, there’s an option to create a non-nsroot account, which has almost the same permissions as nsroot, but leaves out some SDX specific features (e.g. interfaces). This is another option for delegating administration to a different team.
  • Or you can create different admin profiles for different instances, which allows you to inform the different departments of the nsroot password for their VPX instances.

Important: Do not change the password directly on the NetScaler VPX instance. If you do so, the instance becomes unreachable from the Management Service. To change a password, first create a new admin profile, and then modify the NetScaler instance, selecting this profile from the Admin Profile list.

  1. On the Configuration tab, in the navigation pane, expand NetScaler, and then click Admin Profiles.
  2. In the Admin Profiles pane, click Add.
  3. In the Create Admin Profile dialog box, set the following parameters:
    • Profile Name* – Name of the admin profile.
    • User Name – User name used to log on to the NetScaler instances. The user name of the default profile is nsroot and cannot be changed.
    • Password* – The password used to log on to the NetScaler instance. Maximum length: 31 characters.
    • Confirm Password* – The password used to log on to the NetScaler instance.
    • Use global settings for NetScaler communication – you can uncheck this box and change the protocol to https.
  4. Click Create. The admin profile you created appears in the Admin Profiles pane.

Upload a NetScaler VPX .xva file

You must upload a NetScaler VPX .xva file to the SDX appliance before provisioning the NetScaler VPX instances. XVA files are only used when creating a new instance. Once the instance is created, use normal firmware upgrade procedures.

  1. Download the NetScaler XVA (for XenServer) from the SDX Software Bundle Download Page. It’s in the Virtual Appliance section.
  2. After downloading, extract the .gz file (use 7-zip). You can’t upload the .gz file to SVM. You must extract it first.
  3. On the Configuration tab, in the navigation pane, expand NetScaler, and then click Software Images.
  4. On the right, switch to the XVA Files tab, and then click Upload.
  5. In the Upload NetScaler Instance XVA dialog box, click Browse, and select the XVA image file that you want to upload. Click Upload.

  6. The XVA image file appears in the XVA Files pane after it is uploaded.

Provision a NetScaler instance

  1. On the SDX Management Service, go to the Dashboard page.
  2. On the bottom right, the System Resource Utilization pane shows you the amount of physical resources that are available for allocation.
  3. On the Configuration tab, in the navigation pane, expand NetScaler, and then click Instances.
  4. In the NetScaler Instances pane, click Add.
  5. In the Provision NetScaler section, enter a name for the instance.
  6. Enter the NSIP, mask, and Gateway.
  7. Nexthop to Management Service – If the instance’s NSIP is on a different subnet than the SVM IP, and if the instance’s default gateway is on a different network than the NSIP, then enter a next hop router address on the NSIP network, so the instance can respond to the SDX Management Service.
  8. In the XVA File field, you can Browse > Local to select an XVA file on your local machine that hasn’t been uploaded to SDX yet. Or you can Browse > Appliance, and select an XVA file that has already been uploaded to SDX.

  9. Select an Admin Profile created earlier. Or you can click the plus icon to create a new Admin Profile.
  10. Enter a Description. Scroll down.
  11. In the License Allocation section, change the Feature License to Platinum.
  12. For Throughput, partition your licensed bandwidth. If you are licensed for 40 Gbps, make sure the total of all VPX instances does not exceed that number.
  13. For Allocation Mode, Burstable is also an option. Fixed bandwidth can’t be shared with other instances. Burstable can be shared. See Bandwidth Metering in NetScaler SDX at Citrix Docs.
  14. In the Resource Allocation section, consider changing the Total Memory to 4096.
  15. For SSL Chips, specify a number. Some SSL/TLS features require at least one chip.
    • NetScaler SDX 8900 series does not use SSL Chips. Instead, it uses Crypto Units. See Crypto Management at Citrix Docs.
  16. For CPU, for production instances, select one of the Dedicated options. Dev/Test instances can use Shared CPU. Then scroll down.
  17. In the Instance Administration section, you can optionally add an instance administrator. Enter a new local account that will be created on the VPX. This instance admin is in addition to the nsroot user. Note, networking functionality is not available to this account. Scroll down.

  18. In the Network Settings section, leave 0/1 selected, and deselect 0/2.
  19. Click Add to connect the VPX to more interfaces.
  20. If you have Port Channels, select one of the LA interfaces.
  21. If you configure any VLAN settings here, then XenServer filters the VLANs available to the VPX instance. Changing the VLAN filtering settings later probably requires a reboot. Click Add. Note: VLAN tagging is configured inside the instance.
  22. In the Management VLAN Settings section, do not configure anything in this section unless you need to tag the NSIP VLAN.
  23. Click Done.
  24. After a couple minutes the instance will be created. Click Close.

  25. If you go to the Dashboard page…

    1. If you click an instance name, you can see how the instance is connected to the physical NICs.
  26. Back in Configuration > NetScaler > Instances, in your Instances list, click the IP address link to launch the VPX management console. Or, simply point your browser to the NSIP and login.
  27. Do the following at a minimum (instructions are in the NetScaler System Configuration post):
    1. Create Policy Based Route for the NSIP – System > Settings > Network > PBRs
    2. Add SNIPs for each VLAN – System > Network > IPs
    3. Add VLANs and bind to SNIPs – System > Network > VLANs
    4. Create Static Routes for internal networks – System > Network > Routes
    5. Change default gateway – System > Network > Routes > 0.0.0.0
    6. Create another instance on a different SDX, and High Availability pair them together – System > High Availability

VPX Instances – Manage

You may login to the VPX instance and configure everything normally. SDX also offers the ability to manage IP addresses, and SSL certificates, from SDX, rather than from inside the VPX instance. The SDX Management Service does not have the ability to create certificates, so it’s probably best to do that from within the VPX instance.

View the console of a NetScaler instance

  1. Connect to the Management Service using https.
    1. Viewing the virtual machine console might not work unless you install a valid certificate for the Management Service.
  2. In the Management Service, go to Configuration > NetScaler > Instances.
  3. On the right, right-click an instance, and click Console.
  4. The instance console then appears.
  5. Another option is to use the Lights Out Module, and the xl console command, as detailed at Citrix Blog Post SDX Remote Console Access of VIs.

Start, stop, delete, or restart a NetScaler instance

  1. On the Configuration tab, in the navigation pane, expand NetScaler, and click Instances.
  2. On the right, in the Instances pane, right-click the NetScaler instance on which you want to perform the operation, and then click Start or Shut Down or Delete or Reboot.
  3. In the Confirm message box, click Yes.

Create a Subnet IP Address on a NetScaler Instance

  1. On the Configuration tab, in the navigation pane, click NetScaler.
  2. On the right, in the NetScaler Configuration pane, click Create IP.
  3. In the Create NetScaler IP dialog box, specify values for the following parameters.
    • IP Address* – Specify the IP address assigned as the SNIP address.
    • Netmask* – Specify the subnet mask associated with the SNIP address.
    • Type* – Specify the type of IP address. Possible values: SNIP.
    • Save Configuration* – Specify whether the configuration should be saved on the NetScaler. Default value is false.
    • Instance IP Address* – Specify the IP address of the NetScaler instance on which this SNIP will be created.
  4. Click Create.

Create a VLAN on a NetScaler instance

  1. Go to NetScaler > Instances.
  2. On the right, right-click an instance, and click VLAN Bindings.
  3. Click Add.
  4. Enter a VLAN ID, and select an interface.
  5. Check the box for Tagged if needed.
  6. Notice there’s no way to bind a SNIP. You do that inside the instance. Click Create.

Save the configuration of a NetScaler instance

  1. On the Configuration tab, in the navigation pane, click NetScaler.
  2. On the right, in the NetScaler pane, click Save Configuration.
  3. In the Save Configuration dialog box, in Instance IP Address, select the IP addresses of the NetScaler instances whose configuration you want to save.
  4. Click OK.

Change NSIP of VPX Instance

The best way to change the NSIP is to edit the instance.

If you change NSIP inside of VPX instead of Editing the Instance in the Management Service, see article CTX139206 How to Change NSIP of VPX Instance in SDX to adjust the XenServer settings.

Enable Call Home

  1. On the Configuration tab, in the navigation pane, click the NetScaler node.
  2. On the right, click Call Home.
  3. Enter an email address to receive communications regarding NetScaler Call Home.
  4. Check the box next to Enable Call Home.
  5. Click Add.
  6. Select the instances to enable Call Home by moving them to the right, and click OK.
  7. You can view the status of Call Home by expanding NetScaler, and clicking Call Home.
  8. The right pane indicates if it’s enabled or not. You can also configure Call Home from here.

VPX Instance – Firmware Upgrade

Upload NetScaler Firmware Build Files

To upgrade a VPX instance from the Management Service, first upload the firmware build file.

  1. Download the NetScaler firmware using the normal method. It’s in the Build section.
  2. On the SDX, in the Configuration tab, on the left, expand NetScaler, and click Software Images.
  3. On the right, in the Software Images tab, click Upload.
  4. Browse to the build…tgz file, and click Open.

Upgrade Multiple NetScaler VPX Instances

You can upgrade multiple instances at the same time:

  1. To prevent any loss of the configuration running on the instance that you want to upgrade, save the configuration on the instance before you upgrade the instance.
  2. On the Configuration tab, in the navigation pane, expand NetScaler, and click Instances.
  3. Right-click an instance, and click Upgrade.
  4. In the Upgrade NetScaler dialog box, in Build File, select the NetScaler upgrade build file of the version you want to upgrade to. Click OK.

Management Service Monitoring

  1. To view syslog, in the navigation pane, expand System, click Auditing, and then click Syslog Message in the right pane.
  2. To view the task log, in the navigation pane, expand Diagnostics, and then click Task Log.
  3. To view Management Service events, on the Configuration tab, expand System, and click Events.
  4. NetScaler > Entities lets you see the various Load Balancing entities configured on the instances. You might have to click Poll Now to get them to show up.
  5. To view instance alerts, go to NetScaler > Events > All Events.
  6. There is also event reporting.

Management Service Backups

The SDX appliance automatically keeps three backups of the Management Service configuration that are taken daily at 12:30 am.

Backups in NetScaler SDX contain the following:

  • Single bundle image
  • NetScaler XVA image
  • NetScaler upgrade image
  • Management Service image
  • Management Service configuration
  • NetScaler SDX configuration
  • NetScaler configuration

You can go to Management Service > Backup Files to back up or restore the SDX appliance’s configuration. You can also download the backup files from there.

You can configure the number of retained backups by clicking System on the left, and then clicking Backup Policy in the right pane.

You can even transfer the backup files to an external system.

11 thoughts on “NetScaler SDX 12”

  1. Hello Carl, is it possible to change the password of the nsroot/root user of the XenServer (of a SDX)? What would be the proper way to do so (passwd on the command line?)?

    1. Log in to the SVM. Go to System > User Administration > Users. Change the nsroot password. Changing it in the SVM layer also changes it in XenServer.

      1. Thanks. I tried this earlier today on an SDX running a 10.5 version with the result that the nsroot/root passwords were not changed. Is this a change in a recent version? What happens if I set the nsroot/root password manually on the XenServer via passwd?

        1. Are they not the same now?

          From Citrix Docs: “Do not change the password directly on the XenServer.”

          If the passwords are different, then you might have to call Support.

          1. Thanks again for your reply.
            I first set the nsroot password via SVM but was still able to log in to the XenServer (SSH) with the standard nsroot password, so I thought it would be a good idea to set the nsroot password via passwd. I have no idea why the change did not “go through” to the XenServer. I took the same passwords (on the SVM and on the shell via passwd) so hopefully I didn’t break anything.
            BUT: there is also the user root on the XenServer (standard password: nsroot)… how do you set this password via the SVM? Because if you don’t change it you can open a SSH session as root with the default password to the XenServer shell…

          2. Here a final update on this issue:
            1. Before SDX update (version 11.0 66.11 (?) running): changing password in SVM does not change the password of root or nsroot on XenServer! (that’s why I set it via passwd, but I chose the same password for the SVM user and for nsroot/root on XenServer)
            2. After SDX update to version 11.1 55.13: update via sdx-bundle with no problem (even with set passwords for root and nsroot via passwd before), changing password in SVM now also changes password of root and nsroot on XenServer

  2. Carl,
    Do they have a way to export NetScaler instances so they can be loaded on other SDXs? Moving from one set of older SDX appliances to a new set and I am looking for a way to get the instance onto the new appliance. I didn’t know if they offered a feature or if it could be done as an export inside the included XenServer.
    Thanks.

    1. You can do it the traditional way, which means export ns.conf and /nsconfig/ssl from the instance and import to a new instance elsewhere.

      1. OK, I figured that but that will leave me with a longer migration time since I have to worry about duplicate IP addresses. I was hoping I could import the VM and leave it powered down then when I have a change window power the old one down and the new one up.
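
For the traditional migration discussed in the comments above (export ns.conf and /nsconfig/ssl, import on a new instance), a pre-flight check can list the certificate and key files ns.conf references and the IP addresses that would collide while the old instance is still up. This is an added example, not part of the original post or comments and not Citrix code; the sample ns.conf is constructed, and the function names and the `live_ips` input (whatever list of in-use addresses you supply) are assumptions.

```python
import ipaddress
import shlex

# Constructed sample of an exported ns.conf (not taken from the page).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.10.10.5 -netmask 255.255.255.0
add ns ip 10.10.10.6 255.255.255.0 -vServer DISABLED
add ssl certKey wildcard -cert wildcard.cer -key wildcard.key
add ssl certKey intermediate -cert intermediate.cer
add lb vserver lb_web SSL 10.10.10.50 443 -persistenceType NONE
add lb vserver lb_internal HTTP 0.0.0.0 0
add cs vserver cs_portal SSL 10.10.10.51 443
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def inventory(ns_conf_text):
    """Return ({ip: owner}, {ssl file names}) referenced by an exported ns.conf."""
    ips, files = {}, set()
    for line in ns_conf_text.splitlines():
        try:
            tok = shlex.split(line)  # honours quoted names and expressions
        except ValueError:
            continue  # unbalanced quotes: not a line this check understands
        if tok[:3] == ["set", "ns", "config"] and "-IPAddress" in tok:
            ips[tok[tok.index("-IPAddress") + 1]] = "NSIP"
        elif tok[:3] == ["add", "ns", "ip"] and len(tok) > 3:
            ips[tok[3]] = "ns ip"
        elif tok[:1] == ["add"] and len(tok) > 5 and tok[2] == "vserver":
            # add <lb|cs|vpn|...> vserver <name> <protocol> <ip> <port>
            if _is_ip(tok[5]) and tok[5] != "0.0.0.0":  # skip non-addressable
                ips[tok[5]] = f"{tok[1]} vserver {tok[3]}"
        elif tok[:3] == ["add", "ssl", "certKey"]:
            for flag in ("-cert", "-key"):
                if flag in tok:
                    files.add(tok[tok.index(flag) + 1])
    return ips, files

def preflight(ns_conf_text, exported_ssl_files, live_ips):
    """Return (files missing from the export, config IPs still in use)."""
    ips, files = inventory(ns_conf_text)
    live = set(live_ips)
    missing = sorted(files - set(exported_ssl_files))
    conflicts = sorted(ip for ip in ips if ip in live)
    return missing, conflicts
```

The exported /nsconfig/ssl directory contains private keys, so move it over an encrypted channel and remove intermediate copies once the new instance is verified.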
