NetScaler Console 14.1 – Citrix ADM 13.1

Last Modified: Apr 30, 2024 @ 10:20 am

Navigation

In early 2024, NetScaler renamed Application Delivery Management (ADM) to NetScaler Console.

This post is for versions NetScaler Console 14.1 through Citrix ADM 13.1.

💡 = Recently Updated

Change Log

Planning

Why NetScaler Console?

The biggest change in ADM 13.1 and newer is the restructured menu.

NetScaler Console (formerly ADM) enables every NetScaler administrator to achieve the following:

  • Alert notifications – Receive email alerts whenever something goes down. For example, if a Load Balancing service goes down, you can receive an email alert.
    • NetScaler Console can email you for any SNMP trap produced by any NetScaler ADC appliance.
  • Automatically backup all NetScaler ADC instances.
    • NetScaler Console can even transfer the backups to an external system, which is then backed up by a normal backup tool.
  • SSL Certificate Expiration – Alert you when SSL certificates are about to expire.
    • Show you all SSL certificates across all NetScaler ADC appliances.
  • Configuration Record and Play – Use the Configuration Recorder to configure one NetScaler ADC appliance, and then push out the same configuration changes to additional appliances. This is the easiest method of managing NetScaler ADC appliances in multiple datacenters.
  • AppFlow Reporting – Receive ICA AppFlow traffic from NetScaler Gateway and show it in graphs.
    • Integrate NetScaler Console with Citrix Director so Help Desk can see the AppFlow data.

Everything listed above is completely free, so there’s no reason not to deploy NetScaler Console.

NetScaler Console Overview

For an overview of NetScaler Console, see Citrix’s YouTube video Citrix NetScaler MAS: Application visibility and control in the cloud.

Citrix Tech Zone Citrix Application Delivery Management (ADM) Overview Cheat Sheet

Cloud vs on-prem

NetScaler Console is available both on-premises and as a Cloud Service.

The Cloud version of NetScaler Console has new features that are not available in the on-premises version of NetScaler Console.

For the Cloud Service, you import a NetScaler Console Agent appliance to an on-prem hypervisor or deploy a NetScaler Console Agent to AWS or Azure. The NetScaler Console Agent is the proxy between the Cloud Service and the on-prem (or cloud hosted) NetScaler ADC appliances. For more info on the NetScaler Console Cloud Service, see the following:

The rest of this article focuses on the on-premises version, but much of it also applies to the Cloud Service.

On-premises NetScaler Console Licensing:

  • Instance management is free (unlimited). This includes Configuration Jobs, Instance Backups, Network Functions/Reporting. Basically everything in the Infrastructure node is free.
  • Analytics and Application monitoring are free in NetScaler Console build 21 and newer.

NetScaler Console version – The version/build of NetScaler Console must be the same or newer than the version/build of the NetScaler ADC appliances being monitored. NetScaler Console 14.1 can monitor many NetScaler ADC appliance versions including version 11.1, version 12.1, version 13.0, version 13.1, and version 14.1.

HDX Insight

See CTX239748 for a list of HDX Insight Quality Improvements in Citrix Gateway 12.1 and newer. These include:

  • NSAP protocol for reduced performance impact on NetScaler ADC
  • EDT support

HDX Insight Requirements (aka AppFlow Analytics for Citrix ICA traffic):

  • Your NetScaler ADC appliance must be running Advanced Edition or Premium Edition.
  • For EDT (UDP-based ICA), NetScaler ADC must be 12.1 build 49 or newer.
  • AppFlow statistics are only generated when ICA traffic flows through a Citrix Gateway. Internally, when a user clicks an icon from StoreFront, an ICA connection is established directly from Workspace app to the VDA, thus bypassing the internal NetScaler Gateway. Here are some methods of getting ICA traffic to flow through an internal NetScaler ADC:
    • Implement NetScaler Gateway ICA Proxy (SSL) internally.
    • Route ICA traffic (TCP/UDP 1494 and TCP/UDP 2598) through a NetScaler ADC SNIP, and NetScaler ADC routes it to the VDAs.
    • NetScaler ADC can proxy ICA traffic through a SOCKS protocol Cache Redirection Virtual Server.
    • NetScaler Docs Enabling HDX Insight Data Collection details additional ICA routing/proxy considerations – Transparent Mode, Citrix Gateway Single-Hop and Double-Hop, LAN User Mode (NetScaler ADC as SOCKS Proxy), Multi-Hop (NetScaler ADC connection chaining)
  • A new Workspace app Virtual Channel named NetScaler App Experience or NSAP can dramatically reduce the CPU needed on the NetScaler ADC to process AppFlow. Details at Citrix Blog Post HDX Insight 2.0.
  • For ICA round trip time calculations, in a Citrix Policy, enable the following settings:
    • ICA > End User Monitoring > ICA Round Trip Calculation
    • ICA > End User Monitoring > ICA Round Trip Calculation Interval
    • ICA > End User Monitoring > ICA Round Trip Calculation for Idle Connections
  • Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide contains the following contents:
    • Introduction
    • Prerequisites for Configuring HDX Insight
    • Troubleshooting
      • Issues Related to ICA parsing
      • Error Counter details
    • Checklist before Contacting Citrix Technical Support
    • Information to collect before Contacting Citrix Technical support
    • Known Issues

Citrix CTX204274 How ICA RTT is calculated on NetScaler Insight: ICA RTT constitutes the actual application delay. ICA_RTT = 1 + 2 + 3 + 4 +5 +6:

  1. Client OS introduced delay
  2. Client to NS introduced network delay (Wan Latency)
  3. NS introduced delay in processing client to NS traffic (Client Side Device Latency)
  4. NS introduced delay in processing NS to Server (XA/XD) traffic (Server Side Device Latency)
  5. NS to Server network delay (DC Latency)
  6. Server (XA/XD) OS introduced delay (Host Delay)

Multi-Datacenter Deployment Architecture

In a main datacenter, import two NetScaler Console appliances into the same subnet and configure them as an HA pair with a Floating IP address.

In a DR datacenter, import a DR node NetScaler Console appliance and configure it to replicate with the main datacenter.

  • Note: DR node requires a Floating IP, which requires NetScaler Console HA to be configured in the main datacenter.
  • Documentation at Configure disaster recovery for high availability at NetScaler Docs and will be detailed later in this article.

For NetScaler ADC appliances in additional datacenters, import two NetScaler Console Agent appliances into each datacenter. Remote NetScaler ADC instances are discovered and managed through remote NetScaler Console agents.

Import NetScaler Console Appliance

If you are upgrading an existing NetScaler Console or ADM, skip to the Upgrade section.

There are two different NetScaler Console appliances:

  • ADM appliance for the main datacenter, including High Availability, and for the DR node.
  • ADM Agent appliance for remote datacenters

To import a NetScaler Console Appliance into vSphere, do the following:

  1. Download Citrix ADM Image for ESX.

    • The download page for NetScaler Console has two different images: one called ADM Image, and one called ADM Agent Image. The first image should be the non-agent image.
  2. Extract the downloaded .zip file for the non-agent image (MAS-ESX-14.1).
  3. In vSphere Web Client, right-click a cluster, and click Deploy OVF Template.
  4. In the Select an OVF Template page, select Local file and browse to the NetScaler Console .ovf files. If .ova file is available, then only select the one .ova file. Otherwise, select all three files (.ovf, .mf, and .vmdk). Click Next.

  5. In the Select name and folder page, enter a name for the virtual machine, and select an inventory folder. Then click Next.
  6. In the Select a resource page, select a cluster or resource pool, and click Next.
  7. In the Review details page, click Next.
  8. In the Select storage page, select a datastore. Due to high IOPS requirement, SSD is recommended.
  9. Change the virtual disk format to Thin Provision. Click Next.
  10. In the Select networks page, choose a valid port group, and click Finish.
  11. In the Ready to Complete page, click Finish.

Appliance Hardware Configuration

  1. Before powering on the appliance, you can review its hardware specs. Right-click the NetScaler Console virtual machine and click Edit Settings.
  2. Review the specs. NetScaler Docs NetScaler Console on VMware ESXi recommends 8 vCPUs and 32 GB RAM.
  3. You can add a second hard disk at this time.
  4. NetScaler Docs Attach an additional disk to NetScaler Console says that an additional disk must be added before initial deployment.
    • Use the NetScaler Console storage calculator to determine the recommended size of the disk. Ask your Citrix Partner for the tool.
    • The new disk must be larger than 120 GB.
    • The new disk can be larger than 2 TB.
    • The new disk can be grown later, and /mps/DiskPartitionTool.py can resize the partition, but only up to 2 TB. If you need more than 2 TB, the initial disk should be larger than 2 TB.
  5. Power on the Virtual Machine.

Appliance IP Address Configuration

  1. Open the console of the virtual machine.
  2. Configure IP address information.
  3. Enter 7 when done.

Second Disk

  1. SSH to the appliance and login as nsrecover/nsroot.
  2. Enter /mps/DiskPartitionTool.py

  3. Enter info to see that there are no existing partitions on the second disk.
  4. Enter create to create partitions on the second disk. A reboot is required.
  5. During the reboot, the database is moved to the second disk.
  6. After the reboot, the Disk Partition Tool info command shows the partition on the second disk.
  7. If you need to increase the size of the disk, reboot the NetScaler Console appliance so it detects the larger size. Then use the Disk Partition Tool resize command.

Deployment Modes

HA Pair in the Main Datacenter

If NetScaler Console 14.1 build 17 or newer, HA is no longer configured from the CLI. Instead, use the GUI.

  1. Latency to the HA node must not exceed 10 ms.
  2. The HA nodes must be on the same subnet.
  3. Import a second NetScaler Console appliance.
  4. If you added a second disk to the first NetScaler Console appliance, then you must add the same size second disk to the second NetScaler Console appliance.
  5. Configure the new node’s IP address.
  6. SSH to the second appliance, login as nsrecover/nsroot, and run the Disk Partition tool.
  7. Point your browser using https to the first NetScaler Console IP address.
  8. Login using nsroot/nsroot credentials.
  9. Change the nsroot password when prompted.
  10. Click Get Started.
  11. In the Instances page, click Next.
  12. In the Connect to NetScaler Console Service page, click Skip.
  13. In the Notifications page, click Skip.
  14. Click Finish.
  15. In the left menu, expand Settings and click Administration.
  16. On the right, click IP Address, Second NIC, Host Name and Proxy Server.
  17. Configure the Alternate DNS and click Save. You can only configure this before you create the HA pair. Repeat on both nodes.
  18. On the right, click Configure NetScaler Console High Availability (HA).
  19. Enter the IP of the second NetScaler Console appliance.
  20. Enter a new IP that will float between the two nodes. Click Configure.
  21. Click Yes to reboot.
  22. It will take several minutes to configure HA.
  23. After the reboot, log into the floating IP.
  24. In the left menu, expand Settings and click HA Deployment.
  25. You can view the status of the HA pair and fix the database sync if it is broken. You can Break HA, Force Failover, or change the Floating IP (in HA Settings).

If this is older Citrix ADM, on the First Node, do the following:

  1. SSH to the first node and login as nsrecover/nsroot.
  2. Enter deployment_type.py.
  3. Enter 1 for NetScaler Console Server.
  4. Enter no when prompted for NetScaler Console Standalone deployment.
  5. For the First Server Node prompt, enter yes.
  6. Enter yes to Restart the system.

Older Citrix ADM Second Node:

  1. Import another ADM appliance to the same subnet and configure an IP address.
    • Latency to the HA node must not exceed 10 ms.
    • The HA nodes must be on the same subnet.
  2. If you added a second disk to the first ADM appliance, then you must add the same size second disk to the second ADM appliance.
  3. Configure the new node’s IP address.
  4. SSH to the second appliance, login as nsrecover/nsroot, and run the Disk Partition tool.
  5. SSH to the second appliance, login as nsrecover/nsroot, and run deployment_type.py.
  6. Enter 1 for Citrix ADM Server.
  7. Enter no when prompted for Citrix ADM Standalone deployment.
  8. Enter no when prompted is this is First Server Node.
  9. Enter the IP address of the first ADM node.
  10. Enter the nsroot password of the first node. The default password is nsroot.
  11. Enter a new Floating IP address.
  12. Enter yes to restart the system.

Older Citrix ADM Get Started:

  1. Use a browser to log into the first ADM appliance as nsroot/nsroot.
  2. Logging in to NetScaler ADM might show you the Get Started wizard. If you don’t see this wizard, then skip to the next section.
  3. In the Add NetScaler Instances page, you can Add Instance now, or just click Next and add instances later.
  4. In the Customer Identity page, you can login to Citrix Cloud, configure data sharing, or click Skip to do it later.

  5. In the System Notifications page, you can configure Email notifications now, or click Skip and do it later.
  6. In the Done page, click Finish.

Older Citrix ADM Deploy HA Configuration:

  1. After both appliances are fully booted, point your browser to the first appliance’s IP address and login as nsroot/nsroot. It will take several minutes after booting before the ADM appliance is ready.
  2. The top of the screen has some banners.
  3. If you want to make any network changes (e.g., DNS servers) to either node, then you must make those changes before you deploy the HA pair. Move your mouse over the left menu, expand Settings and click Administration.
  4. On the right, click IP Address, Second NIC, Host Name and Proxy Server.

    1. Enter an Alternate DNS and then click Save.
    2. Click the back arrow to go back.
    3. If you already created the HA pair, then the only way to add a second DNS server is through the command line on both nodes. See CTX281388 Error Message “Network configuration change is not allowed in Citrix ADM HA setup” When Changing Network Settings in ADM
      echo "echo \"nameserver DNS_IP\" >> /etc/resolv.conf" >> /mpsconfig/svm.conf
  5. Move your mouse to the left side of the screen, expand Settings, and then click Deployment.
  6. In the top right, click Deploy.
  7. Click Yes to reboot.
  8. It takes around 10 minutes to restart.
  9. After deployment, you can now use the Floating IP to manage the appliance pair.
  10. Logging in might show you the Get Started wizard. Proceed through the wizard as described in the previous section.
  11. Move your mouse to the left menu, expand Settings, and click Deployment.
  12. The Settings > Deployment page should show both nodes as UP and syncing.

Afterwards, you can manage High Availability.

  1. Settings> Deployment lets you see the HA nodes.
  2. You can Force Failover from here. Note: HA failover only occurs after three minutes of no heartbeats.
  3. On the top right is a HA Settings button that lets you change the Floating IP.

DR Node

Requirements for the DR node:

  • The main datacenter must have an HA pair of NetScaler Console appliances. Standalone in the main datacenter is not supported.
  • Latency from the main datacenter HA pair to the DR node must not exceed 200 ms.
  • Ports 5454 and 22 open between the NetScaler Console nodes.

To configure a DR node:

  1. Import another NetScaler Console appliance into a remote datacenter and configure an IP address.
  2. If you added a second disk to the main datacenter NetScaler Console appliances, then you must add the same size second disk to the DR NetScaler Console appliance.
  3. After configuring the new nodes’ IP address, SSH to the DR appliance and login as nsrecover/nsroot.
  4. Enter deployment_type.py.
  5. Enter 2 for Remote Disaster Recovery Node.
  6. Enter the Floating IP address of the HA pair in the main datacenter.
  7. Enter the nsroot password, which is nsroot by default.
  8. The DR node registers with the NetScaler Console HA Pair.
  9. You can change the password of the DR node by running the following command:
    ./mps/change_freebsd_password.sh <username> <password>
  10. Point your browser to the Floating IP Address and login.
  11. Go to Settings > Administration.
  12. On the right, in the right column, click Disaster Recovery Settings.
  13. The Registered Recovery Node should already be filled in. Click Deploy DR Node.
  14. Click Yes to enable DR.
  15. A System Backup is performed and replicated to the DR appliance. Click Close when done.
  16. The status of the DR node is displayed. You can click the Refresh icon on the top right to update the display.
  17. There’s a Sync DR Node button in case it gets out of sync.
  18. Disaster Recovery is not automatic. See the manual DR procedure at NetScaler Docs. Docs also shows how to fail back.
    • /mps/scripts/pgsql/pgsql_restore_remote_backup.sh

NetScaler Console Agents

NetScaler Console Agents help NetScaler Console discover and manage instances on the other side of a high latency WAN link.

The virtual appliance for NetScaler Console Agent is different than the normal NetScaler Console appliance.

  1. Download the NetScaler Console Agent from the main NetScaler Console download page. On the NetScaler Console download page for a particular build, scroll down the page to find the ADM Agent images.
  2. Extract the downloaded .zip file.
  3. Import the MASAGENT .ova to vSphere. You can import the single .ova file, or you can import the .ovf file plus the .mf file and the .vmdk file.


  4. Edit the settings of the virtual machine to see the allocated CPU and Memory.
  5. There’s no need to add a disk to the Agent.
  6. Power on the NetScaler Console Agent virtual machine.
  7. At the virtual machine’s console, configure an IP address.
  8. Login as nsrecover/nsroot.
  9. Run /mps/register_agent_onprem.py
  10. Enter the floating IP address of the main NetScaler Console HA Pair. Enter nsroot credentials for NetScaler Console. Enter a new password for NetScaler Console Agent.
  11. The Agent will be registered, and services restarted.
  12. To change the nsrecover password on NetScaler Console Agents, putty (SSH) to the NetScaler Console Agent appliance, login as nsrecover and then run the script at /mps/change_agent_system_password.py. Or you can change the password in the NetScaler Console interface at Infrastructure > Agents.
  13. Login to the NetScaler Console Floating IP.
  14. Go to Infrastructure > Instances > Agents.
  15. On the right, select the NetScaler Console Agent, and then click Attach Site.
  16. In the Site drop-down, if you don’t see your site, then you can click the Add button to create a new site.

    1. Enter a name and other location information.
    2. Make sure you enter the coordinates. Google can find coordinates for various locations. If Longitude is West, then the value is negative.
    3. Click Create when done.
  17. Click Save to attach the Site to the Agent. Any NetScaler instance discovered through this Agent will be attached to the configured Site.
  18. For Agent HA, import two NetScaler Console Agents into your hypervisor and attach both Agents to the same Site.
  19. You can change the Agent’s nsrecover password from the NetScaler Console GUI.
  20. ADM 13.1 build 24 and newer have a Settings button on the top-right of the Agents page where you can enable Notifications when a  NetScaler Console Agent is unreachable.

NetScaler Console Appliance Maintenance

Add NetScaler Instances

NetScaler Console must discover NetScaler instances before they can be managed. NetScaler Docs How NetScaler Console discovers instances.

  1. Point your browser to the NetScaler Console Floating IP address and login as nsroot/nsroot.

Before adding instances, NetScaler Console needs to know the nsroot password for the instances. You create Admin Profiles to specify the nsroot passwords.

  1. When adding instances during the initial Welcome wizard, next to Profile Name, click Add to create an Admin Profile.
  2. Or in the main interface, to edit or create new Admin Profiles, move your mouse to the left menu, then go to Infrastructure > Instances > NetScaler.
  3. On the right, open the menu named Select Action, and click Profiles.

  4. Click the Add button to create an Admin Profile.
  5. In the top half, give the Profile a name and enter the password for the instance’s nsroot account. Create a separate Admin Profile for each unique nsroot password.
  6. In the bottom, make up some SNMP settings. You can do SNMP v3. Change the Authentication Type and Privacy Type to stronger options.
  7. Click Create when done.

To add instances:

  1. Move your mouse to the left, expand Infrastructure, expand Instances, and click NetScaler.
  2. On the right, select a tab (e.g. MPX), and then click Add.
  3. The Add instance screen is the same as shown during the getting started wizard. To authenticate to the NetScaler ADC using nsroot, select an existing Profile or create a new one. If you have Sites or Agents, you can select one. Select a Site so it’s shown correctly on the world map. Click OK when done.

Tags:

  1. You can assign Tags to instances. See How to create tags and assign to instances at NetScaler Docs.

  2. You can then search instances based on the Tags.

Instance Authentication from NetScaler Console

By default, when you click the blue link for one of the instances, NetScaler Console will do single sign-on to the instance using nsroot credentials. This is probably a security risk, or certainly an auditing risk.

To prevent NetScaler Console from doing single sign-on to instances:

  1. In NetScaler Console, go to Settings > Administration.
  2. On the right, click System, Time zone, Allowed URLs and Agent Settings.
  3. In the Basic Settings page, check the box next to Prompt Credentials for Instance Login and click Save.

NetScaler SDX

  1. At Infrastructure > Instances > NetScaler, on the SDX tab, you can click Add to discover a SDX appliance plus all VPXs on that SDX appliance. You don’t have to discover the VPXs separately.
  2. In the Add NetScaler SDX page, click the Add button next to the Profile Name drop-down to create an SDX profile. Note: SDX profiles are different than VPX profiles.

    1. Enter the credentials for the SDX SVM Management Service.
    2. For NetScaler Profile, select an admin profile that has nsroot credentials for the VPX instances. After the SDX’s VPX instances are discovered, NetScaler Console uses this NetScaler Profile to login to each VPX. If you don’t have a VPX Admin Profile in your drop-down list, click the Add button. Note: You can only select one NetScaler Profile. If each VPX instance has different nsroot credentials, you can fix it after SDX discovery has been performed. The NetScaler Profile is different than the SDX Profile.
    3. Back in the Configure NetScaler Profile page, enter new SNMP settings that SDX will use to communicate with NetScaler Console.
    4. Click Create when done.
  3. Back in the Add NetScaler SDX page, select a Site, and optionally an Agent.
  4. Click OK to start discovery.
  5. After discovery is complete, switch to the VPX tab. You should automatically see the VPX instances.
  6. To specify the nsroot credentials for a VPX, right-click the VPX, and click Edit.

    • In the Modify NetScaler VPX page, either select an existing Profile Name, or click the Add button to create a new one. Click OK when done. It should start rediscovery automatically.
  7. After fixing the nsroot credentials, right-click the VPX instance and click Configure SNMP. NetScaler Console will configure the VPX to send SNMP Traps to NetScaler Console.

Instance management

  • REST API proxy – NetScaler Console can function as a REST API proxy server for its managed instances. Instead of sending API requests directly to the managed instances, REST API clients can send the API requests to NetScaler Console. See NetScaler Console as an API Proxy Server
  • NetScaler Flexed Licensing – Your Flexed license includes software instance licenses (VPX/CPX/BLX, SDX, MPX, and VPX FIPS) and bandwidth capacity licenses. You must apply the Flexed license on NetScaler Console. You must also apply the MPX Z-Cap and SDX Z-Cap license on NetScaler MPX and NetScaler SDX hardware respectively. A Flexed license also offers analytics for unlimited virtual servers. See Flexed capacity license at NetScaler Docs.

Enable AppFlow / Insight / Analytics

NetScaler Console build 21 and newer remove the VIP licensing requirement for Analytics.

  1. Go to Infrastructure > Instances > NetScaler.
  2. On the right, switch to one of the instance type tabs (e.g. VPX).
  3. Select an instance, open the Select Action menu, and click Configure Analytics.
  4. Select one or more Virtual Servers and then click the button labelled Enable Analytics.
  5. Different options are available for different types of Virtual Servers.
  6. For NetScaler Gateways, you want HDX Insight. Gateway Insight provides AAA and EPA info for the Gateway. Enable WAF Security Violations if you enabled WAF on your Citrix Gateway.

    • Expand Advanced Settings and select NetScaler Gateway.
  7. For HTTP Load Balancing Virtual Servers, you want Web Insight. If you are licensed for NetScaler ADC Premium Edition, then you can also enable WAF Security Violations for Web App Firewall and Bot Protection monitoring.

    • For analytics on HTTP Virtual Servers, expand Advanced and click Enable X-Forwarded-For.
  8. Click OK to enable AppFlow on the Virtual Servers.
  9. Click Close when configuration is complete.
  10. Enable Analytics on more Virtual Servers.
  11. Login to the NetScaler ADC (not NetScaler Console) and go to System > Settings.
  12. On the right, click Configure Modes.
  13. If you are using LogStream, then make sure ULFD is checked. Click OK.

    enable mode ulfd
  14. On the right, click Change Global System Settings.
  15. Scroll down to ICA port(s) and add 1494 and 2598 to the list. Click OK. (Source = Citrix Discussions)

    set ns param -icaPort 1494 2598
  16. On the right, click Change HTTP Parameters.
  17. At the top, add 80 and 443 to the Http Ports list. Click OK. (Source = Citrix Discussions)

    set ns param -httpPort 80 443
  18. By default, with AppFlow enabled, if a NetScaler ADC High Availability pair fails over, then all Citrix connections will drop, and users must reconnect manually. NetScaler ADC has a feature to replicate Session Reliability state between both HA nodes.
    1. From Session Reliability on NetScaler High Availability Pair at NetScaler Docs: Enabling this feature will result in increased bandwidth consumption, which is due to ICA compression being turned off by the feature, and the extra traffic between the primary and secondary nodes to keep them in sync.
    2. On NetScaler ADC, go to System > Settings.
    3. On the right, in the Settings section, click Change ICA Parameters.
    4. Check the box next to Session Reliability on HA Failover and click OK.
  19. On NetScaler ADC at System > AppFlow > Collectors, you can see if the AppFlow Collector (NetScaler Console) is up or not.

  20. Go to Traffic Management > Load Balancing > Services and find the adm_metric_collector_svc. If it’s not UP, then you can change it to use NSIP instead of SNIP.

    1. Go to System > AppFlow. On the right, click Change AppFlow Settings.
    2. Check the box next to Time Series Data Over NSIP and click OK.
  21. When AppFlow is enabled on a Gateway Virtual Server, an AppFlow policy is bound to twice to the Gateway: once for Request Policies (i.e., HTTP), and once for ICA Request Policies. You might want to verify that these bindings are actually configured.
  22. On the NetScaler Console appliance, AppFlow for ICA (HDX Insight) information can be viewed under the Gateway > HDX Insight node.
  23. Web Insight for HTTP Virtual Servers is under Applications > Web Insight. WAF Violations is under Security.

NetScaler Console nsroot Password

Changing NetScaler Console’s nsroot password also changes NetScaler Console’s nsrecover password.

  1. In NetScaler Console, go to Settings > Users & Roles.
  2. On the right, on the tab named Users, select the nsroot account, and click Edit.
  3. Check the box next to Change Password and enter a new password.
  4. You can also specify a session timeout by checking the box next to Configure Session Timeout.
  5. Click OK.

NetScaler Console Management Certificate

  1. The certificate to upload must already be in PEM format. If you have a .pfx, you must first convert it to PEM (Base64 certificate and key files). You can use a NetScaler ADC’s Import PKCS#12 feature to convert the .pfx to PEM and then download the converted certificate from the NetScaler ADC appliance.
    1. On any NetScaler ADC, go to Traffic Management > SSL.
    2. On the right, click Import PKCS#12.
    3. Enter a name for a new file that will contain the PEM certificate and PEM key.
    4. Browse to the .pfx file and enter the password.
    5. You can optionally encrypt the PEM key by selecting an Encoding Format and entering an encryption key.
    6. Click OK.
    7. To download the PEM file, go to Manage Certificates / Keys / CSRs.
    8. Scroll to the bottom of the list, right-click the new file, and click Download.
  2. Back in NetScaler Console, go to Settings > Administration.
  3. On the right, in the SSL Settings section, click Install SSL Certificate.
  4. Click Choose File to browse to the PEM format certificate and key files. If the PEM certificate and PEM key are in the same file, then browse to the same file for both fields.
  5. If the keyfile is encrypted, enter the password.
  6. Click OK.
  7. Click Yes to reboot the system.

  8. To force users to use https when accessing the NetScaler Console management page, go to Settings > Administration.

  9. On the right, click System, Time zone, Allowed URLs and Agent Settings.

  10. On the Basic Settings page, check the box next to Secure Access Only and click Save.

System Configuration

  1. Go to Settings > Administration.
  2. On the right, click System, Time zone, Allowed URLs and Agent Settings.

    1. Check the box next to Enable Session Timeout and specify a value.
    2. By default, at InfrastructureInstances > NetScaler , if you click a blue IP address link, NetScaler Console does single sign on to the instance using the nsroot credentials. If you want to force NetScaler Console users to login using non-nsroot credentials, then check the bottom box for Prompt Credentials for Instance Login.

    3. Click Save.
    4. On the left, click the Message of the day tab.
    5. On the right, check the box next to Enable Message.
    6. Enter a message, and then click Save.
    7. Click the back arrow when done.
    8. When you login to NetScaler Console, you’ll be shown the message.
  3. Settings > Administration > Configure SSL Settings lets you disable TLS 1 and TLS 1.1.

    1. On the right, click the Protocol Settings section in the Edit Settings section on the right side of the screen.
    2. On the left, uncheck TLSv1 and TLSv1.1. Then click OK.
    3. Click Yes when asked to confirm the restart.

Prune Settings

  1. To see the current database disk usage, go to Settings > Data Storage Management. You can manually initiate pruning from this page.
  2. Go to Settings > Data Storage Management > Data Retention Policy.
  3. System Pruning defaults to deleting System Events, Audit Logs, and Task Logs after 15 days. System events are generated by the NetScaler Console appliance, which is different than Instance events (SNMP traps) that are generated by NetScaler ADC appliances.
  4. If you change anything on these pages, click the Save button before switching to a different tab/node/page.
  5. NetScaler Console can initiate a purge automatically as the database starts to get full.
  6. Instance Events page controls when instance SNMP traps are pruned, which defaults to 40 days.

Backup Settings

  1. In Settings > Administration, in the middle column, under Backup, click Configure System and Instance backup.
  2. System Backup Settings defines how many NetScaler Console backups you want to keep. These are NetScaler Console backups, not NetScaler ADC backups.
    1. There’s an option for External Transfer.
    2. NetScaler Console System backups (not Instance Backups) are at Settings > Backup Files.
  3. The Instance page lets you configure how often the instances are backed up.
    1. You probably want to increase the number of instance backups or decrease the backup interval. The backups are quite small (e.g. 700 KB).
    2. There is an option to perform a backup whenever the NetScaler ADC configuration is saved.
    3. The Enable External Transfer checkbox lets you transfer the backups to an external system so it can be backed up by your backup tool.
    4. Instance backups can be found at Infrastructure > Instances > NetScaler. Right-click an instance and click Backup/Restore.
    5. You can Restore a backup, Download the backup, or Transfer it to an external system.

Analytics Settings

  1. There are more settings at Settings > Analytics Settings.
  2. ICA/Gateway Session Timeout can be configured by clicking the link.

    • If NetScaler Console doesn’t receive AppFlow records for a session, it will consider that session has got terminated in NetScaler ADC and stops monitoring that session further. The time for which NetScaler Console needs to wait before considering a session terminated is ICA session timeout. This is configurable in NetScaler Console, by default it is set to 15 minutes. (source = Citrix Discussions)
  3. Go to Applications > Dashboard.
  4. On the top right, click the gear icon.
  5. Configure App Score factors and thresholds.
  6. Settings > Analytics Settings > Data Persistence lets you configure how long Analytics data is retained. Adjusting these values could dramatically increase disk space consumption.

    • To see the current database disk usage, go to Settings > Data Storage Management.

NTP Servers

  1. On the left, click Settings > Administration.
  2. On the right, click NTP Servers.
  3. Click Add.
  4. Enter an NTP server and click Create.

  5. After adding NTP servers, click the NTP Synchronization button.
  6. Check the box next to Enable NTP Synchronization and click OK.
  7. Click Yes to restart.

Syslog

This is for syslog entries generated by NetScaler Console server, and not for syslog entries generated by the instances.

  1. Go to Settings > NetScaler Console Audit Log Messages > Syslog Servers.
  2. On the right, click Add.
  3. Enter the syslog server IP address and select Log Levels. Click Create.
  4. You can click Syslog Parameters to change the timezone and date format.

Email Notification Server

  1. Go to Settings > Notifications.
  2. On the right, on the Email tab, click the button named Email Servers.

    1. Click Add.
    2. Enter the SMTP Email server address and click Create.
  3. In the breadcrumb, click Notifications.
  4. On the right, on the Email tab, and click Add.

    • Enter information for a destination distribution list and click Create.
  5. You can highlight a Distribution List and click the Test button.


  6. On the left, click Settings > Administration.
  7. On the right, click Change Event Notification and Digest.

    1. Move notification categories (e.g. UserLogin) to the right.
    2. Check the box next to Send Email. Select a notification distribution list. Then click Save.

Authentication

  1. Go to Settings > Authentication.
  2. On the right, switch to the tab named LDAP.
  3. Click Add.
  4. This is configured identically to NetScaler ADC.
    1. Enter a Load Balancing VIP for LDAP.
    2. Change the Security Type to SSL, and Port to 636. Scroll down.
    3. Enter the Base DN in LDAP format.
    4. Enter the bind account credentials.
    5. Check the box for Enable Change Password.
    6. Click Retrieve Attributes and scroll down.
    7. For Server Logon Attribute, select sAMAccountName.
    8. For Group Attribute, select memberOf.
    9. For Sub Attribute Name, select cn.
    10. To prevent unauthorized users from logging in, configure a Search Filter. Scroll down.
    11. If desired, configure Nested Group Extraction.
  5. Click Create.
  6. On the left, go to Settings > Users & Roles.
  7. On the right, click the tab named Groups.
  8. On the right, click Add.

    1. Enter the case sensitive name of your NetScaler Console Admins AD group.
    2. Move the admin Role to the right.
    3. The Configure User Session Timeout checkbox lets you configure a session timeout.
    4. Click Next.
    5. On the Authorization Settings page, if you are delegating limited permissions, you can uncheck these boxes and delegate specific entities.
      • All DNS Domain Names (GSLB) is an option for Stylebooks in ADM 12.1 build 49 and newer.
    6. Click Next.
    7. In the Assign Users page, click Finish. Group membership comes from LDAP, so there’s no need to add local users.
  9. On the top right, click the button named Settings.

    • If desired, check the box next to Enable User Lockout, and configure the maximum logon attempts. Click OK.
  10. On the left, go to Settings > Authentication.
  11. On the top right, click the button named Settings.
  12. Change the Server Type to EXTERNAL and click Insert.
  13. Select the LDAP server you created and click OK.
  14. Make sure Enable fallback local authentication is checked and click OK.

Analytics Thresholds

  1. Go to Settings > Analytics Settings > Thresholds.
  2. On the right, click Add.
  3. Enter a name.
  4. Use the Traffic Type drop-down to select HDXWEBSECURITY, or APPANALYTICS.
  5. Use the Entity drop-down to select a category of alerts. What you choose here determines what’s available as Metrics when you click Add Rule.
  6. Click Add Rule to select a metric and threshold.

    • To add multiple rules for multiple Entity types, simply change the Entity drop-down before adding a new rule.
  7. If the Traffic Type is HDX, and the Entity drop-down is set to Users, on the bottom in the Configure Geo Details section, you can restrict the rule so it only fires for users for a specific geographical location.
  8. In the Notification Settings section, check the box to Enable Threshold.
  9. Check the box to Notify through Email, and select an existing Email Distribution List.
  10. Click Create.

Private IP Blocks

You can define Geo locations for internal subnets.

  1. Go to Settings > Analytics Settings > IP Blocks.
  2. On the right, click Add.
  3. In the Create IP Blocks page:
    1. Enter a name for the subnet.
    2. Enter the starting and ending IP address.
    3. Select a Geo Location (Country, Region, City). As you change the fields, the coordinates are automatically filled in.
  4. Click Create.

SSL Certificate Expiration Notification

SSL Dashboard can notify you when certificates will expire soon.

  1. In the NetScaler Console menu, expand Infrastructure and click SSL Dashboard.
  2. On the top right, click the button named Settings.
  3. In the Certificate is expiring in (days) field, enter the number of days before expiration that you want to receive a notification. The default is 30 days.
  4. Check one of the boxes (e.g. Email) below How would you like to be notified.
  5. Select a notification profile (e.g. Mail Profile) or Add one.
  6. Click Save and Exit or click Next to see more SSL Dashboard settings.

Instance Email Alerts (SNMP Traps)

You can receive email alerts whenever a NetScaler ADC appliance sends a critical SNMP trap.

  1. On the left, go to Infrastructure > Events > Rules.
  2. On the right, click Add.
  3. Give the rule a name.
  4. Move Severity filters (e.g. Major, Critical) to the right by clicking the plus icon next to each Severity.
  5. While scrolling down, you can configure additional alert filters. Leaving them blank will alert you for all categories, objects, and instances. If you want to exclude some Categories (e.g., entitydown), then move all Categories to the right and move the excluded categories back to the left.
  6. On the bottom of the page, in the Event Rule Actions section, click Add Action.
  7. In the Add Event Action page:
    1. Select an Action Type (e.g. Send e-mail Action).
    2. Select the recipients (or click the Add button to add recipients).
    3. Optionally, enter a Subject and/or Message.
    4. If you enter a Subject, you can check Prefix severity, category, and failure object information to the custom email subject.
    5. Emails can be repeated by selecting Repeat Email Notification until the event is cleared.
  8. Click OK.
  9. Then click Create to finish creating the event rule.
  10. See the Event Management section at All how to articles at NetScaler Docs.

Events Digest

NetScaler Console can email you a daily digest (PDF format) of system and instance events.

To enable the daily digest:

  1. Go to Settings > Administration.
  2. On the right, click Configure Event Notification and Digest.
  3. Switch to the Event Digest page.
  4. Uncheck the box next to Disable Event Digest.
  5. Configure the other settings as desired and click OK.

Director Integration

Integrating NetScaler Console with Director adds Network tabs to Director’s Trends and Session Details views. Citrix Blog Post Configure Director with Netscaler Management & Analytics System (MAS)

Requirements:

  • Citrix Virtual Apps and Desktops (CVAD) must be licensed for Premium Edition (formerly known as Platinum Edition). This is only required for the Director integration. Without Premium, you can still access the HDX Insight data by visiting the NetScaler Console web site instead of from Director.
  • Director must be 7.11 or newer for NetScaler Console support.

To link Citrix Director with NetScaler Console:

  1. On the Director server, run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /confignetscaler.
  2. Enter credentials for a user that only has HDX Insight permissions. 
    User Role for ADM Director Integration
  3. If HTTPS Connection (recommended), the NetScaler Console certificate must be valid and trusted by both the Director Server and the Director user’s browser.
  4. Enter 1 for NetScaler Console (formerly Insight).
  5. Do this on both Director servers.

Use NetScaler Console

Infrastructure

Everything under the Infrastructure node is free.

Infrastructure Analytics – there’s an Infrastructure Analytics node under the Infrastructure node. For details, see Infrastructure Analytics at NetScaler Docs.

  • On the top right, the gear icon above the table shows the Settings Panel.
  • The tab named Score Indicator Settings lets you adjust how Infrastructure Analytics scores instance CPU, Memory, Disk, etc.
  • The Notifications tab lets you be notified when score thresholds are crossed.
  • You can click the Circle Pack button to change to the Circle Pack view.

At Infrastructure > Instances > NetScaler, select an instance and view its Dashboard.

  • The Instance Dashboard has tabs.

Backups are available by selecting an instance and clicking Backup/Restore.

Infrastructure > Network Reporting lets you create Dashboards where you can view Instance performance data.


Infrastructure > Network Reporting has a Thresholds button that lets you create thresholds when counters cross a threshold. For example, you might want a notification when Throughput gets close to the licensed limit.


At the bottom of the threshold are Notification Settings.

Configuration Record and Play

Use NetScaler Console to record a configuration change on one instance and push the change to other instances.

  1. Go to Infrastructure > Configuration > Configuration Jobs.
  2. On the right, click Create Job.
  3. Give the job a name.
  4. Change the Configuration Source drop-down to Record and Play.
  5. Change the Source Instance drop-down to the instance you want to record.
  6. Click Record.
  7. You might have to allow pop-ups in your browser.
  8. NetScaler Console opens the instance GUI. Make changes as desired.
  9. When done, go back to NetScaler Console and click Stop.
  10. NetScaler Console retrieves the changed config.
  11. On the left, you’ll see the changed commands. Drag them to the right.
  12. On the right, you can change instance-specific values to variables by simply highlighting the values. This allows you to change the values for each instance you push this config to.
  13. Proceed through the rest of the Configuration Job wizard like normal. You’ll select instances, specify variable values for each instance, and schedule the job.

Analytics and Applications

The AppFlow Analysis tools (e.g., HDX Insight) are located under the Applications, Security, and Gateway nodes. See Viewing HDX Insight Reports and Metrics at NetScaler Docs.

Applications > Dashboard automatically includes all Virtual Servers.

  • On the top right, click Manage Apps to add a custom group of Virtual Servers together into an application. The grouped Virtual Servers are removed from the Others list.
  • Click New Application.

  • Back in the App Dashboard, you can then click any Application’s box to view stats.
  • For Custom Applications, it combines stats about all of the vServers in that Custom Application.
  • There are buttons at the top the page to view more info about the application.

Applications > Configurations > StyleBooks lets you use StyleBooks to create new NetScaler ADC configurations.

There are built-in Enterprise StyleBooks for Exchange, SharePoint, Oracle, ADFS, etc. Or you can create your own StyleBook and use it to create NetScaler ADC configurations. For details, see StyleBooks at NetScaler Docs.

The Applications Node has quite a bit of functionality. See Application Analytics and Management at NetScaler Docs for details.

Link:

HDX Insight

HDX Insight Dashboard displays ICA session details including the following:

  • WAN Latency
  • DC Latency
  • RTT (round trip time)
  • Retransmits
  • Application Launch Duration
  • Client Type/Version
  • Bandwidth
  • Licenses in use

Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide contains the following contents:

  • Introduction
  • Prerequisites for Configuring HDX Insight
  • Troubleshooting
    • Issues Related to ICA parsing
    • Error Counter details
  • Checklist before Contacting Citrix Technical Support
  • Information to collect before Contacting Citrix Technical support
  • Known Issues

Gateway Insight

In the Gateway node is Gateway Insight.

This feature displays the following details:

  • Gateway connection failures due to failed EPA scans, failed authentication, failed SSON, or failed application launches.
  • Bandwidth and Bytes Consumed for ICA and other applications accessed through Gateway.
  • Number of users
  • Session Modes (clientless, VPN, ICA)
  • Client Operating Systems
  • Client Browsers

More details at Gateway Insight at NetScaler Docs.

Security Dashboard

The Security Dashboard uses data from Application Firewall to display Threat Index (criticality of attack), Safety Index (how securely NetScaler ADC is configured), and Actionable Information. More info at Application Security Dashboard at NetScaler Docs.

Troubleshooting

Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide: Syslog messages; Error counters; Troubleshooting checklist, Logs

Citrix CTX224502 Frequently Asked Questions During NetScaler MAS Troubleshooting

Upgrade NetScaler Console

Licensing – NetScaler Console build 21 and newer remove Analytics licenses thus enabling unlimited Analytics VIPs. 

  1. Upgrade paths from Before you upgrade at NetScaler Docs.
    1. If you upgrade from 12.0 build 57.24 and higher, first upgrade to 12.1, then to 13.1, and then to 14.1.
    2. If you upgrade from 12.1, you must first upgrade to 13.0 64.xx, and then directly to 14.1.
    3. If you upgrade from versions lower than 13.0 64.xx, for better user experience, first upgrade to 13.0 64.xx and then to 14.1.
  2. Download the latest Citrix Application Delivery Management (ADM) Upgrade Package. You want the ADM Upgrade Package, not the ADM image. It’s around halfway down the page.
  3. Login to NetScaler Console Floating IP or Active Node. Upgrading the Active Node automatically upgrades the Passive Node.
  4. Go to Settings > Deployment and make sure both nodes are online and replicating.

  5. Go to Settings > Administration.
  6. On the right, in the far-right column, click Upgrade NetScaler Console.
  7. Browse to the build-mas-14.1…tgz Upgrade Package and click OK. The file name starts with build-mas-14.1 or build-mas-13.1 (not masagent).


  8. Click Upgrade.
  9. Click Yes to continue with the upgrade.

  10. After it says that NetScaler Console upgrade completed, click Login again.
  11. The new firmware version can be seen by clicking your username in the top right corner.

Upgrade Disaster Recovery Node

After you upgrade the HA pair in the primary datacenter, you can upgrade the DR node.

  1. Use WinSCP or similar to connect to the DR node using the nsrecover credentials.
  2. On the NetScaler Console DR node, navigate to /var/mps/mps_images.
  3. Create a new Directory with the same name as the 13.1 build number. Then double-click the new directory to open it.

  4. Double-click the new directory to open it and then upload the file named build-mas-14.1-##.##.tgz or build-mas-13.1-##.##.tgz to the version-specific directory. This is the regular NetScaler Console upgrade file with a name starting with build-mas-14.1 or build-mas-13.1. It’s not the Agent upgrade file.
  5. SSH (Putty) to the DR node and login as nsrecover.
  6. Enter the following. Replace the # with the version number.
    cd /var/mps/mps_images/14.1-##.##
    tar xvzf build-mas-14.1-##.##.tgz

  7. Then enter the following. The appliance will reboot automatically.
    ./installmas

  8. After the reboot, the file /var/mps/log/install_state
  9. …shows you the installed version.

Upgrade NetScaler Console Agents

After you upgrade the NetScaler HA pair in the primary datacenter, and after you upgrade the DR node, you can then upgrade the NetScaler Console Agents.

  1. From the NetScaler Console download page, at the bottom of the page, download the ADM Agent Upgrade Package. This Agent Upgrade file is different than the regular NetScaler Console upgrade file. And it is different than the files to deploy a new Agent. Find it at the bottom of the downloads page.
  2. Use WinSCP or similar to connect to the NetScaler Console Agent using the nsrecover credentials.
  3. On the NetScaler Console Agent, navigate to /var/mps/mps_images.
  4. Create a new Directory with the same name as the agent build number. Then double-click the new directory to open it.

  5. Upload the file named build-masagent-14.1-##.##.tgz or build-masagent-13.1-##.##.tgz to the version-specific directory. This is the NetScaler Console Agent upgrade file, and not the regular NetScaler Console upgrade file.
  6. SSH (Putty) to the NetScaler Console Agent and login as nsrecover.
  7. Enter the following. Replace the # with the version number.
    cd /var/mps/mps_images/14.1-##.##
    tar xvzf build-masagent-14.1-##.##.tgz

  8. Then enter the following. The appliance will reboot automatically.
    ./installmasagent

  9. After the reboot, the file /var/mps/log/install_state
  10. …shows you the installed version.
  11. Repeat for any additional NetScaler Console Agents.
  12. If you login to NetScaler Console and go to Infrastructure > Instances > Agents
  13. …you should see the new Version. It will take several minutes for the version number to update.

14 thoughts on “NetScaler Console 14.1 – Citrix ADM 13.1”

  1. Greetings,
    Changed adm aelf signed to an internal cert cert but it is not trusted by browser.

    Anyway to upload the CA cert ?

    1. In your browser, open Developer Tools and click the Security tab. There should be more info on the issue.

  2. Hi Carl,

    We’re experiencing a peculiar issue. We’ve deployed Citrix Secure Access version 23.1.1.11 (Always On – Split tunnel mode), but occasionally, some users receive downgrade notifications to version 22.10.1.9 or other versions. Unfortunately, I don’t have access to the NetScaler (Model: MPX 5901, version 13.0.190.7), but I’ve checked the client and found nothing unusual.

    Do you have any ideas about this issue ?

    Thanks.
    Tom

    1. Are you doing GSLB across multiple NetScalers? Maybe they have different versions of the Secure Access client.

      1. We actually have two load-balanced NetScalers. I will need to check with our NetScaler specialist regarding this issue. However, is it possible that this issue is originating from the NetScaler side ? (in order to exclude investigation on Client)

        1. By default, NetScalers try to push down the Secure Access client that is installed on the NetScalers.

  3. Hello, Im setting up new ADM agents(virtual appliances). They are currently configured to use a proxy for outbound connections. Proxy presents a cert that ADM agents need to trust. Is there also a way to add CA cert for outbound trusts??

  4. Great article Carl. One thing I noticed is after the upgrade. In the “Customer Identity page” for release 13.0.85.15 there is no “Skip” button.

  5. Maybe obvious but for a fresh install with NetScaler and all V-Servers in the DMZ would the ADM also be deployed in the DMZ? What ports need to be available from the LAN?

    1. ADM talks to the NSIP. You should be able to open firewall between NSIP and ADM.

      However, ADM on-premises is no longer receiving feature updates so you should consider the cloud version instead.

  6. Hey Carl,
    Have you noticed that a fresh deployment of Citrix ADC VPX 13.1 Build 9.60 is missing all the Login Schemas available in other versions? The LoginSchema folder is non existant

Leave a Reply

Your email address will not be published. Required fields are marked *