NetScaler Scripting

Last Modified: Nov 7, 2020 @ 6:34 am

💡 = Recently Updated

Changelog

  • 2019 Mar 11 – Script to Extract Configuration – rewrote the section in instructional format
  • 2018 Dec 2 – Configuration Extractor – added an nFactor visualizer
  • 2018 Nov 17 – Configuration Extractor – Out-GridView (GUI) for vServer selection
  • 2018 Sep 19 – Configuration Extractor – several fixes
  • 2018 July 4 – Configuration Extractor
    • Added “*” to select all vServers
    • Updated for 12.1 (SSL Log Profile, IP Set, Analytics Profile)
    • Extract local LB VIPs from Session Action URLs (e.g. StoreFront URL to local LB VIP)
    • Extract DNS vServers from “set vpn parameter” and Session Actions
  • 2018 Jan 4 – Configuration Extractor, Sirius’ Mark Scott added code to browse to open and save files. Added kcdaccounts to extraction.
  • 2018 Jan 3 – new PowerShell-based NetScaler Configuration Extractor script

NetScaler ADC Configuration Extractor

NetScaler ADC Configuration Extractor extracts every NetScaler ADC CLI command needed to rebuild one or more Virtual Servers. Here’s how to use the script:

  1. The extraction script loads a NetScaler ADC Configuration file and parses it. To get a NetScaler ADC Configuration file:
    1. On your NetScaler ADC, go to System > Diagnostics > Running Configuration and then click the link at the bottom to save the text to a file.

  2. To download the extraction script, point your browser to https://github.com/cstalhood/Get-ADCVServerConfig/blob/master/Get-ADCVServerConfig.ps1, right-click the Raw button, and Save link as.
  3. Run the extraction script in PowerShell. One option is to right-click the script file and click Run with PowerShell. (note: the script doesn’t seem to work on Windows 7)
  4. Browse for the Running Configuration file that you saved from an appliance.
  5. The script will prompt you to select one or more Virtual Servers.
  6. The script then enumerates all objects linked to the chosen Virtual Servers (e.g. Responder Policies) and provides their configuration too.
  7. The script also outputs global settings that might affect the operation of the chosen Virtual Servers.
  8. The CLI output is listed in proper order. For example, create monitors before binding them to Service Groups.
  9. If the config includes an “authentication vserver”, then an nFactor Visualizer will be shown.
  10. The extracted Virtual Server CLI configuration can be used for documentation.
  11. Or you can apply the outputted configuration to a different NetScaler ADC appliance:
    1. To import this output to a different NetScaler ADC, first change the IP addresses of the outputted Virtual Servers so there won’t be any IP Conflict after you import.
    2. SSH (Putty) to the other NetScaler ADC.
    3. Then simply copy the outputted lines and paste them into the SSH prompt.
    4. Alternatively, for a longer output file, you can upload the output file to the other NetScaler ADC (e.g. upload to /tmp directory), and then run batch -fileName on the new NetScaler ADC while specifying the uploaded filename (e.g. /tmp/nsconfig.conf).
      • Note: the batch command requires that the input file name be in lower case only and without any spaces in the file name.

I originally attempted a dynamic extraction using complicated regular expressions, but there wasn’t enough control over the extraction and output process. The new PowerShell script explicitly enumerates specific objects, thus providing complete control over the output. For example, before binding a cipher group to a Virtual Server, the current ciphers must first be removed.

The script uses several techniques to avoid false positive matches, which are primarily substring matches.
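
The substring false positive, shown on constructed config lines as an added illustration (not code from Get-ADCVServerConfig.ps1; the object names and both helper functions are invented for the example). Matching on whole tokens keeps a vServer named web from also selecting web-admin.

```powershell
# Constructed sample lines in running-config syntax.
$config = @(
    'add lb vserver web HTTP 10.0.0.10 80'
    'add lb vserver web-admin HTTP 10.0.0.11 80'
    'add lb vserver "web portal" HTTP 10.0.0.12 80'
    'bind lb vserver web svcgrp-web'
    'bind lb vserver web-admin svcgrp-admin'
)

# Split a CLI line into tokens, keeping quoted names (which may contain spaces) whole.
function Split-ConfigLine([string] $Line) {
    [regex]::Matches($Line, '"[^"]*"|\S+') | ForEach-Object { $_.Value.Trim('"') }
}

# Return only the "lb vserver" lines whose object name (4th token) equals $Name.
function Select-VServerLine([string[]] $Lines, [string] $Name) {
    foreach ($line in $Lines) {
        $tokens = @(Split-ConfigLine $line)
        if ($tokens.Count -ge 4 -and
            $tokens[1] -eq 'lb' -and $tokens[2] -eq 'vserver' -and
            $tokens[3] -eq $Name) {
            $line
        }
    }
}

# Substring match: also picks up the web-admin lines.
$naive = $config | Where-Object { $_ -match 'vserver web' }

# Token match: only the lines that belong to the vServer named web.
$exact = Select-VServerLine $config 'web'

"substring match: $(@($naive).Count) lines; token match: $(@($exact).Count) lines"
$exact
```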

Let me know what bugs you encounter.

Configure NetScaler ADC from PowerShell

You can use any scripting language that supports REST calls. This section is based on PowerShell 3 and its Invoke-RestMethod cmdlet.

Brandon Olin published a PowerShell module for NetScaler at GitHub.  💡

CTP Esther Barthel maintains a PowerShell module for NetScaler at https://github.com/cognitionIT/PS-NITRO. See Citrix Synergy TV – SYN325 – Automating NetScaler: talking NITRO with PowerShell for an overview.

The NetScalerPowerShell.zip below contains PowerShell functions that use REST calls to configure a NetScaler appliance. It only takes a few seconds to wipe a NetScaler and configure it with almost everything detailed on this site. A glaring omission is file operations, including licenses, certificate files, and customized monitor scripts; the PowerShell script assumes these files are already present on the appliance.

Most of the functions should work on 10.5 and 11.0 with a few obvious exceptions like RDP Proxy. Here are some other differences between 10.5 and 11.0:

  • PUT operations in NetScaler 11 do not need an entity name in the URL; however 10.5 does require entity names in every PUT URL.
  • https URL for REST calls works without issue in NetScaler 11, but NetScaler 10.5 had inconsistent errors. http works without issue in NetScaler 10.5.
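
One complete Nitro exchange with Invoke-RestMethod, including the PUT URL difference between 10.5 and 11 noted above. This is an added example, not code from NetScalerPowerShell.zip; the function name, host and vServer values are placeholders, and it assumes the firmware accepts application/json and that the client trusts the appliance certificate.

```powershell
# Added example: set the comment on one LB vServer and read it back.
function Set-LbVServerComment {
    param(
        [Parameter(Mandatory)] [string] $NsHost,          # appliance name or NSIP (placeholder)
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $VServerName,
        [Parameter(Mandatory)] [string] $Comment,
        [switch] $Legacy105                                # 10.5 needs the entity name in the PUT URL
    )
    $base = "https://$NsHost/nitro/v1/config"
    $name = [uri]::EscapeDataString($VServerName)

    # Log in once; the session cookie is kept in $session for later calls.
    $login = @{ login = @{
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    } } | ConvertTo-Json
    Invoke-RestMethod -Uri "$base/login" -Method Post -Body $login -ContentType 'application/json' -SessionVariable session | Out-Null
    $common = @{ ContentType = 'application/json'; WebSession = $session }

    try {
        # NetScaler 11: PUT to the resource type; 10.5: PUT to resource/name.
        $uri = if ($Legacy105) { "$base/lbvserver/$name" } else { "$base/lbvserver" }
        $body = @{ lbvserver = @{ name = $VServerName; comment = $Comment } } | ConvertTo-Json
        Invoke-RestMethod -Uri $uri -Method Put -Body $body @common | Out-Null

        # Read the object back to confirm the change.
        $result = Invoke-RestMethod -Uri "$base/lbvserver/$name" -Method Get -WebSession $session
        $result.lbvserver | Select-Object name, ipv46, comment
    }
    finally {
        # Always log out so the session does not stay open on the appliance.
        $logout = @{ logout = @{} } | ConvertTo-Json
        Invoke-RestMethod -Uri "$base/logout" -Method Post -Body $logout @common | Out-Null
    }
}

# Usage (placeholder values):
# Set-LbVServerComment -NsHost 'adc.example.internal' -Credential (Get-Credential) -VServerName 'lb-web' -Comment 'set via Nitro'
```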

Nitro REST API Documentation

NetScaler Nitro REST API documentation can be found on any NetScaler by clicking the Downloads tab. The documentation is updated whenever you upgrade your firmware.

Look for the Nitro API Documentation.

Extract the files, and then launch index.html.

Start by reading the Getting Started Guide, and then expand the Configuration node to see detailed documentation for every REST call.

The Nitro API is also documented at REST Web Services at Citrix Docs.

71 thoughts on “NetScaler Scripting”

  1. Carl,

    I’m having trouble getting my scripts to work against a 13.1 ADC using the NetScaler powershell module. Works fine against a 13.0 instance. I narrowed it down to new-NSLBServiceGroup that fails with an errorcode 278. My ciphers and protocols are good as I can create servers/VIPs with the respective functions.

    Example Command –
    New-NSLBServiceGroup -name test -servicetype http -healthmonitor yes -state enabled

    I tried against two different 13.1 ADCs and got the same results. 13.0 and prior works all day long. Any ideas? Kinda pulling my hair out at this point.

      1. You hit the nail on the head. Thanks!

        Invoke-RestMethod : { "errorcode": 278, "message": "Invalid argument [sc]", "severity": "ERROR" }

  2. Carl,

    I work for an organization that requires the settings to be listed for DR purposes. I have used the Netscaler_Script_v2_6.ps1 script and it did exactly what I was wanting, but when I run it against a Citrix ADC VPX I get errors about “WARNING: No columns specified and therefore, specified headers will be ignored.”

    I have looked through your other scripts, but do not see anything about exporting or capable of doing anything like the original script. Am I not finding a switch on something?

    I appreciate all that you do for the community.

    Keith L. Jones

    1. I am looking for a script – I think it will have to be a PowerShell script that uses WINSCP.exe or WINSCP.com to log into all my VPX instances and download the ns.conf for backup purposes. Has anyone worked on something like this? Please help and share!

          1. ADM downloads it to ADM’s drives or database. There’s an option in ADM to perform an external transfer using SCP, SFTP, etc.

          2. Thank you – but these are ADM backups, not ADC backups.
            I have written a CMD based .bat script which calls winSCP.com and passes another script that iterates through all my VPX instances and backs up all ns.conf using the hostname.conf or IP.conf to my local machine. Don’t have admin access so could not use powershell and 3rd party tools. I consider this a win. Thanks for your assistance.

          3. You are right, I found it on the ADM, but my script is a lot more efficient and puts the backups exactly where I want them faster. Thank you again for your support.

  3. Hi,

    If I want to back up only a few NetScalers from ADM, can we do it? Suppose 100 VPX are configured on ADM, out of which I want to back up only 40; how can I do it?

  4. Hi Carl,
    Thanks again for all the writeups… I am slowly working myself up (or maybe even sideways) the ADC ladder 🙂

    Whilst I am familiar with setting up SSH key access to ADCs from a Linux system and running bash commands to poll/pull data, I cannot seem to find anything online that gives me info on running NITRO scripts using an SSH key, as I do not want to list passwords in automated scripts.

    Any suggestions or leads to use SSH key on NITRO scripts would be gratefully received.

    Thanks in advance,
    Newbie.

    1. Nitro is a REST API that is HTTP-based (no SSH).

      PowerShell has a method of asking a user for a password and securely saving it in a file for later retrieval. I suspect Linux can do the same.

      For production scripts, you should have an orchestrator tool that can capture credentials and pass them to your script as variables.
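
The approach in the reply above, as an added example that is not part of the original comment: on Windows, Export-Clixml stores a PSCredential with the password encrypted by DPAPI, so only the same user on the same computer can read it back. The function name and the default file path are placeholders.

```powershell
# Added example; the default path is a placeholder.
function Get-StoredNitroCredential {
    param([string] $Path = (Join-Path $env:LOCALAPPDATA 'nitro-cred.xml'))

    if (-not (Test-Path -LiteralPath $Path)) {
        # First run must be interactive, under the account that will run the script later.
        if (-not [Environment]::UserInteractive) {
            throw "No stored credential at $Path. Run once interactively as this account."
        }
        Get-Credential -Message 'Nitro API account' | Export-Clixml -LiteralPath $Path
    }

    try {
        $cred = Import-Clixml -LiteralPath $Path -ErrorAction Stop
    }
    catch {
        # DPAPI ties the encrypted password to the user and computer that created the file.
        throw "Cannot read $Path as this user on this computer: $($_.Exception.Message)"
    }
    if ($cred -isnot [pscredential]) { throw "Unexpected content in $Path" }
    $cred
}

$cred = Get-StoredNitroCredential

# Convert to plain text only when building the Nitro login request,
# send it over HTTPS, and keep it out of logs and transcripts.
$loginBody = @{ login = @{
    username = $cred.UserName
    password = $cred.GetNetworkCredential().Password
} } | ConvertTo-Json
```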

  5. Carl the script is really awesome. Thank you. Has anyone come up with a way to automate collecting screenshots of a CSVS, cert used, the CS-POL and CS-ACT, the LBVS, SRVG and Members?
    Basically, where I work they want screen shots and not the actual CLI config.
    I can use SNIPPING tool and cut and paste each screen into a WORD template, but this is time consuming.
    I also used MS STEP RECORDER but this records all the clicks as steps and you spend a lot of time deleting all this extra garbage.

  6. Carl, as always great article. I am working on a very large configuration file and need to remove a lot of vservers. So I ran your powershell script with that configuration and it took almost 30 minutes to load it to where I could select the vservers. I have a file that has all the names of the vservers I need the full configurations for. Can your script pull from that file and then output the configuration file for those vservers as if I selected them individually? Thanks in advance.

    1. I recently modified the script to speed up that process. When did you last download the script?

      Otherwise, I think you can specify the $vserver argument when running the script.

      1. I downloaded it yesterday. The slowness I am sure was the size of the file (config file is over 14 MB). I will look into the $vserver argument. Thanks again.

  7. If anyone else is getting 404’d when trying to hit the downloads section on their appliance, you can grab the tgz directly from /var/netscaler/nitro/ using WinSCP

  8. On a newly deployed ADC I am getting a 404 when trying to download nitro-rest.tgz, is it stored somewhere in particular on the appliance?

  9. Hey Carl,

    I am looking to pull a list of ALL Vservers, associated IPs and Ciphers they are using. Are there any commands or a script to get this info in tabular form? Output will be something like below:

    ———————————–
    vserver | IP | Cipher
    ————————————

  10. Hello Carl,
    How to monitor CPU utilisation, VIP, services and threshold throughout bandwidth in NetScaler VPX ADC?

      1. Thanks Carl. I’m currently using Citrix NetScaler VPX 12.1 ADC. Is Citrix ADM free? Or should I buy a new license?
        Can’t I configure email alerts directly on netscaler vpx?

          1. Thanks a lot. Can you please tell me or share with me the procedure for installing and logging in to the ADM?

  11. Carl, I see you all over on the Citrix boards too. You seem to be the Netscaler/ADC genius! Here’s a stumper for you… I figured if anyone knew, it would be you.

    How do you get the monitor status/feedback for a service via Nitro? Have you figured out how? If I go to the cli and do something like show service SERVICENAME | grep “Last response:” it spits back the pertinent info, like “Last response: Failure – HTTP response code 503 received”. This is such valuable info that seems only available in the GUI and the CLI.

    $100 Amazon gift card for you if you tell me where it is in Nitro. Not kidding!

    Cheers,
    Chuck

      1. Incredible! I’ve looked for 2 days and you knew exactly where it was. You have my email, reply with yours and I’ll send the gift card. Worth every penny!

  12. Hi Carl, It is really good to see your script which could help extract specific configuration. However, when I run the script in PowerShell, it doesn’t show any output in Notepad++. It just gets closed on its own. May you please help me?

    1. I fixed that issue. My requirement basically is to import config in excel or .csv format. Is it possible by any chance?

      1. Those are not formats that NetScaler ADC can use. There are output functions that can be modified to your desired format. Can you provide more info on what you’re trying to accomplish? If you’re just looking for a list of VIPs and Servers, you can easily write a for loop that finds a vServer, checks its bindings, and then gets the IP addresses from the bindings. Nitro API can also output the list of service bindings.

  13. Hi Carl,

    I recently upgraded my NetScaler firmware version to 12.1.56.22 and after a few days HA Sync stopped on the secondary device. Unable to connect on SSH port and also unable to run trace or run CLI from the diagnostic options of the GUI.

    Can you please suggest if this is a known issue with this firmware version. And how I can fix it.

  14. I launch the script on a ‘ns.conf’ file with Windows 10 and an ADC 13 running config, I select my virtual server, the script ends well but nothing happens after 🙁

    The ns.conf remains the same; it should edit the file, right? Nothing else is created in the directory. Have you got an idea?

    Regards.

  15. I am looking for scripts which can configure basic SSL based Storefront, Director, WEM loadbalanced VIPs and bind Gateway on the latest NSVPX-ESX-13.0-47.24_nc_64. I have a lab environment and would really like to automate the basic Gateway configurations – but I am not a scripter. I tried to get my head around this NITRO stuff/PowerShell – I find it very hard to grasp.

    Searched and even tested Esther Barthel’s https://github.com/cognitionIT/PS-NITRO scripts but they seem to have errors. Some things work and some things error out.

    Please help me out 🙂

    -Manoj

      1. Use this to get past untrusted certs in PowerShell or buy a public cert.

        # Replaces certificate validation for this PowerShell session:
        # CheckValidationResult returns true for every certificate.
        Add-Type @"
        using System.Net;
        using System.Security.Cryptography.X509Certificates;
        public class TrustAllCertsPolicy : ICertificatePolicy {
            public bool CheckValidationResult(
                ServicePoint srvPoint, X509Certificate certificate,
                WebRequest request, int certificateProblem) {
                return true;
            }
        }
        "@
        [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
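
The policy in the reply above accepts any certificate for every HTTPS request the session makes afterwards. An added example (not part of that reply) that keeps validation on and accepts one known self-signed appliance certificate by thumbprint instead; it targets Windows PowerShell 5.1 on .NET Framework, and the class name and thumbprint value are placeholders.

```powershell
# Added example: pin one appliance certificate instead of trusting all.
# Record the thumbprint out of band (for example from the appliance console),
# not from the connection you are about to validate.
$expectedThumbprint = '<SHA1-THUMBPRINT-OF-APPLIANCE-CERT>'   # placeholder

Add-Type @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertValidator {
    private static string pinned;

    public static void Enable(string thumbprint) {
        pinned = thumbprint.Replace(" ", "").ToUpperInvariant();
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static void Disable() {
        ServicePointManager.ServerCertificateValidationCallback = null;
    }

    private static bool Validate(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors) {
        // Certificates that chain to a trusted root and match the host name pass as usual.
        if (errors == SslPolicyErrors.None) return true;
        // Otherwise accept only the exact certificate that was pinned.
        if (cert == null) return false;
        return new X509Certificate2(cert).Thumbprint == pinned;
    }
}
"@

[PinnedCertValidator]::Enable($expectedThumbprint)
try {
    # Nitro calls go here, e.g. Invoke-RestMethod against https://<adc>/nitro/v1/config/...
}
finally {
    [PinnedCertValidator]::Disable()   # restore default validation for the session
}
```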

  16. Hi Carl

    we have some method to create a task schedule in NetScaler to disable and enable some group members from one service group via scripting.

    Greetings

    1. NetScaler has a BSD shell with cron. Or you can use a scheduler on any remote machine and have it run scripts that do Nitro API to the NetScaler.

  17. Hi Carl. Any idea if NITRO can be used to send arbitrary shell commands to the NetScaler? I’m using Esther Barthel’s PS module and the built-in cmdlets work great, but I don’t see any way to send, e.g. “shell; df -h /var” and get that back.

      1. Thanks, Carl. While disk stats will prove helpful, unfortunately, for my particular requirement I was forced to go a different route. Since I needed to run the following command “find /var/ns_system_backup/ -maxdepth 1 -name backup* -mtime +14 -exec rm -rf {} \;”, I wrote a PowerShell script that calls “plink.exe” from the Putty distribution, and runs it against the list of NetScalers. Thanks for the help!

        1. Hi, could you please tell me in detail? I also want to run the same command “find /var/ns_system_backup/” but from my Ansible playbook. And I could not find any module to let me run shell commands on NetScaler from Ansible.

  18. Hi Carl,

    This is really cool stuff.
    I was trying to get ssl certificates with bindings plus I want to add one more column there for Certificate expiration dates.

    Any suggestion on this.

  19. Carl- I am looking to pull a list of ALL SSL Certificates installed on the Netscaler and each resource – each SSL cert is bound to.
    I have inherited an SSL MESS and the GUI is too slow and painful to go through the 400 + certs.
    I was hoping a PS script would work but I do not know how to start this.

    Thanks
    Leo

    1. One method is to grep the running configuration for “ssl certKey”. That should give you the add and bind commands.

      1. When I did the JSON – I received this:
        {"errorcode":-1,"message":"Invalid query parameters","severity":"ERROR"}

        1. What build of NetScaler? Download the Nitro documentation from your Downloads page and check the syntax.

          I had to add ?bulkbindings=yes to get it to work.

    2. I got something for people in Leo’s situation. There is a PowerShell Nitro library from Citrix; I have added some scripts in my branch to collect inventory on VServers and associated certs (might get merged into the original repo maintained by CognitionIT as well) https://github.com/closedstack/PS-NITRO

      I have a Python script to allow parsing certs over the network, which can be very handy since it allows getting expiration dates for certs bound to servers and/or VIPs https://relevantsecurity.wordpress.com/2018/12/29/parsing-certificates-on-sites-using-python/

  20. Hey Carl,

    For the headers in my version of powershell, it threw an error (the content-type=application/vnd/etc)

    The fix was to use the -content-type [String] flag rather than the dictionary object to specify the content-type header. Hope this helps anyone else running into the error I was facing yesterday.

    For reference, the error was “The ‘content-Type’ header must be modified using the appropriate property or method.”

    -Trey
