My employer purchased a few Netscalers (NS) and put me and another dozen or so folks through training on how to configure and use it. But, nothing prepared me for the strange way Citrix and Citrix-fans write their documentation.
So here are a few things I learned in the last few weeks working with it:
1) AD and AAA - there are many articles on how to use AAA with Active Directory. (
http://support.citrix.com/article/CTX111079 for example) I searched for quite some time trying to figure out how to "link" an AD group to a NS group. I assumed I would have to create a group on the NS, then tell the NS to associate that group with the AD group.... But no. I wanted to customize what the NS group was called, but you cannot. So here was my trick:
Create a group on the NS EXACTLY the way it is spelled in AD and associate it with a policy ( I used a built-in NS policy). Then under "System, authentication, LDAP, Servers tab, the value I used was:
"memberOf=CN=ad_group_name_here,OU=ou_where_group_is_located,DC=domain_name,DC=dopmain_name,DC=domain_name,DC=com" . In short, a NS local group of the same name is associated with a local LDAP policy which is searched for using location in AD.
Also, here is another thing that I hope will save you some time. LDAP using FQDNs did not work for us.
Instead,
I had to create one server LDAP policy for each of our domain controllers using their individual IPs. DNS is setup, and seems to work great with everything else tested (ping, traceroute), but it appears the Nestcaler does not handle multiple A record responses from a DNS server in this circumstance.
2) AppExpert Templates - I was experimenting with SharePoint behind the NS, and I came across the
AppExpert Template for it. It looked pretty neat, with lots of optimizations and promises of improved performance.
I tried using many walk-troughs to implement it, but none of them seemed to work:
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/microsoft-sharepoint-2013-with-citrix-netscaler.pdf
https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/technology-solutions-briefs/citrix/panw-netscaler-sharepoint.pdf
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-netscaler-datasheet-microsoft-sharepoint-2013.pdf
So, here is what I had to know to get the template properly installed:
-- The
NAME you first enter MUST NOT include any special characters. It will error towards the end with a strange message if you do.
-- You
must not already have the resource of the "public endpoint" as a current Load balanced server or anywhere else if you can help it. The only thing you should have configured is the VIP configured on the NS itself. The template will create the server for you.
-- Only a N00b like me probably thought this, but
the template does not create a "load balanced" server, it created a "content switching server."
-- If you need to delete the template, you will have to remove all of the Response, Rewrite, and all the other Policies and Actions it creates. Luckily they will start with the name you provided above.
3) Mac address filtering - We have some "real servers" and some VIPs behind and in front of the NS. We could not figure out why the traffic would disappear. It turned out that
you must enable "
MAC based forwarding" under System, Settings, Configure Modes. The networking team here hated me for a few days, and they thought I was an idiot, as their NS instance worked fine... but they didn't have anything that had to traverse a firewall. This little checkbox was the reason it only half-worked for me.
4) Routes - For me, the GUI is really confusing, as they have a column that says "Gateway/Owned IP/Name."
Long story short, add Routes using the CLI as it makes a hell of a lot more sense.
May your life and servers be forever balanced,
-_Bryan
