NetScaler Fundamentals

Learning Labs exercise guide

February 2013

Table of Contents

Overview
Lab Topology Diagram
How to log into the lab environment
Module 1 - Exercise 1: Initial Configuration
Module 2 - Exercise 1: Load Balancing
Module 3 - Exercise 1: Content Switching
Module 3 - Exercise 2: SSL Offload
Module 5 - Exercise 1: HTTP header modification
Module 5 - Exercise 2: HTTP to HTTPs redirection and URL body rewrite

Overview

Hands-on Training Module

This training module has the following details:

Objective
• This lab provides hands-on training on the core NetScaler functionality

Audience
• Primary: Partners and customers

Lab Environment Details

Machine           Details
AD.training.lab   Domain controller, DHCP, DNS
NS10_HA1          Virtual instance of a NetScaler appliance (HA node)
NS10_HA2          Virtual instance of a NetScaler appliance (HA node)
Win7Client        Administrative workstation
Apache_MySQL_1    Linux server with Apache, PHP, MySQL
Apache_MySQL_2    Linux server with Apache, PHP, MySQL
Apache_MySQL_2    Linux server with Apache, PHP, MySQL
SQLServer         Microsoft SQL 2008 server and Microsoft Certificate Services
WebBlue           IIS server, PHP, WebGoat
WebGreen          IIS server, PHP, WebGoat
WebRed            IIS server, PHP, WebGoat

Lab Topology Diagram

[Figure: lab topology diagram. Labels: Remote Network, Internal Router, Public Network, Internal network; subnets 192.168.10.X/24, 172.16.1.0/24, 172.16.2.0/24; hosts EXT-Win_7, INT-Win_7, NS10_node1, NS10_node2, NS10_node3, NS10_HA1, NS10_HA2, AD/DNS/CA, Apache_1, Apache_2, Apache_3, WebGreen, WebRed, WebBlue, SQLServer, SQLServer2, XD, XA1, VDA.]

NOTE: If prompted with a dialog to restart on any virtual machine, always select Restart Later.

Required Lab Credentials

Below are the login credentials required to connect to the workshop system and complete the lab exercises.

Machine           IP Address                                   Username                 Password
AD.training.lab   192.168.10.11                                TRAINING\Administrator   Citrix123
NS10_HA1          NSIP: 192.168.10.220, SNIP: 192.168.10.90    nsroot                   nsroot
NS10_HA2          NSIP: 192.168.10.225, SNIP: 192.168.10.90    nsroot                   nsroot
Win7Client        DHCP assigned                                TRAINING\Administrator   Citrix123
Apache_MySQL_1    192.168.10.13                                root                     Citrix123
Apache_MySQL_2    192.168.10.14                                root                     Citrix123
Apache_MySQL_2    192.168.10.15                                root                     Citrix123
SQLServer         192.168.10.12                                TRAINING\Administrator   Citrix123
WebBlue           192.168.10.205                               TRAINING\Administrator   Citrix123
WebGreen          192.168.10.210                               TRAINING\Administrator   Citrix123
WebRed            192.168.10.215                               TRAINING\Administrator   Citrix123

How to log into the lab environment

The self-paced lab environment is hosted on a cloud-based Citrix XenServer. Connecting to your server from the portal page is as easy as 1-2-3.

Step-by-step login instructions

1. Once logged in at the self-paced portal, click the Start lab button to launch a connection to published XenCenter.

2. When XenCenter loads, right-click the XenCenter node and select Add…

3. On the Add New Server screen, enter the XenServer IP address provided on the portal, and in the Password field enter the password provided on the portal. The user name will always be root.

Module 1 - Exercise 1: Initial Configuration

Overview

In this exercise you will configure the NetScaler with a management IP address, subnet IP and a DNS name server. Additionally you will configure licensing and set up a high availability pair.

Step-by-step guidance

The lab environment required for this exercise is as follows:

1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)

Estimated time to complete this lab: 20 minutes.

1. In XenCenter, go to the networking tab of each NetScaler and confirm that the MAC address is correct since it determines licensing.
• NS10_HA1: 06:e0:89:e0:b0:fd
• NS10_HA2: 22:64:cc:9b:ea:aa

2. Go to the console tab of the NS10_HA1 and NS10_HA2 virtual machines and set the following Initial Network Address Configuration:

NS10_HA1:
• IP Address: 192.168.10.220
• Netmask: 255.255.255.0
• Gateway: 192.168.10.1
Select option #4 to Save and quit.

NS10_HA2:
• IP Address: 192.168.10.225
• Netmask: 255.255.255.0
• Gateway: 192.168.10.1
Select option #4 to Save and quit.

3. After the NetScaler VMs reboot, select the Win7Client VM and click the Console tab.

4. Select the Send Ctrl+Alt+Del (Ctrl+Alt+Insert) button in the lower left hand corner of XenCenter.

5. Login as…
Username: training\administrator
Password: Citrix123

6. Open Internet Explorer and navigate to http://192.168.10.220.

7. The NetScaler Configuration Utility is displayed. Login as…
Username: nsroot
Password: nsroot

8. On the bottom of the screen, select Setup Wizard…

9. Click Next on the Introduction screen.

10. On the Network Config screen, enter the following:
• Host Name: NS10_HA1
• Subnet IP (SNIP): 192.168.10.90
• Netmask: 255.255.255.0
Click Next.

11. On the Choose Application screen, click Next.

12. Click Finish on the Summary screen. Then click Exit to close the setup wizard.

13. On the top right side of the screen, save your configuration by clicking on the Save button. Click Yes to confirm.

14. Open another tab in Internet Explorer and repeat steps 6-13 for NS10_HA2 (192.168.10.225).
• Host name: NS10_HA2
• Subnet IP (SNIP): 192.168.10.90
• Netmask: 255.255.255.0

15. On both nodes, use the CLI to copy the new license file to the /nsconfig/license directory. Select the NS10_HA1 virtual machine and click on the Console tab.

16. If you do not see the login: prompt, hit the Enter key once or twice. Login as…
Username: nsroot
Password: nsroot

17. At the NetScaler prompt, type shell.

18. You are now in the shell of NetScaler. Type the following command:
cp /var/license_backup/VPX_1000.lic /nsconfig/license/
Hit the Enter key.

19. Type exit to exit the shell.

20. Type reboot -warm to reboot the NetScaler. Type Y and hit the Enter key to confirm you want to restart NetScaler. The NetScaler now reboots.

21. Select the NS10_HA2 virtual machine in XenCenter and click on the Console tab.

22. Repeat steps 16-20 on NS10_HA2.

23. Select the Win7Client VM again. Close out your browser. Open a new instance of IE and browse to http://192.168.10.220.

24. Login as…
Username: nsroot
Password: nsroot

25. Navigate to the System > Licenses page and note all the licensed features.

26. Navigate to System > Settings > Configure basic features. Enable all features except HTTP Compression, Content Filter, Integrated Caching, and Application Firewall. Click OK.

27. Next we will configure a DNS Name Server on the NetScaler for name resolution. NetScaler can be configured as a DNS Name server, but in this exercise we will point to an external DNS server. Navigate to DNS > Name Servers. Click Add.

28. Enter IP address 192.168.10.11 (this is the lab Domain Controller) and click Create. Click Close to close the Create Name Server window.

29. Minimize your IE window and double-click on the Putty application on your desktop.

30. Enter 192.168.10.220 in the Host Name field and click Open.

31. Login as…
Username: nsroot
Password: nsroot
Click Yes on the security alert pop-up.

32. At the NetScaler prompt, run each of the following commands:
> show run
> sh ns ip (note the NSIP and SNIP)
> sh route
> sh ns feature
> sh ns mode
> sh ha node
> sh license
> show (tab complete to see all the available options)
> show ns (tab complete and check one or two options out)

33. Minimize the Putty window.

34. Bring up the NetScaler Configuration Utility of NS10_HA1 again and navigate to System > High Availability. Click Add.

35. Enter the IP of NS10_HA2 (192.168.10.225). Enable the "Login credentials for remote system are different from self node" option.
Username: nsroot
Password: nsroot
Click OK. Click OK on the Information pop-up window.

36. Click Refresh until Synchronization State is ‘SUCCESS’ and save the configuration.

37. Bring up the Putty window again. Run the following command (hit Enter a few times to get the CLI moving):
> sh ha node | more
Note: Sync state is Enabled. The Master State is (Primary) on NS10_HA1. If you run this command on NS10_HA2, the Master State should show as (Secondary).

38. Failover is a feature that allows the secondary node to automatically receive incoming requests in the event the primary node stops functioning. Manually fail over to the secondary node by entering the following commands:
> force ha failover
> sh ha node
Note: The Master State has changed. Force it back so NS10_HA1 is primary. Confirm that features such as SSL Offload and Load Balancing are enabled.

39. Run the following command:
> sh ns feature | more
Confirm that SSL Offloading and Load Balancing are enabled.

40. Close out the Putty window.

END OF EXERCISE

Module 2 - Exercise 1: Load Balancing

Overview

You want to demonstrate NetScaler load balancing. You need to configure the NetScaler to load balance the Red, Blue and Green web servers.

A server is a virtual representation of a physical server on the backend. It consists of a server name and IP address. A service provides the connection between the NetScaler appliance and the load balanced backend server. It consists of a server name, IP address, port, and data type to be served. If you prefer to identify servers by name rather than IP address, you can create server objects and then specify a server's name instead of its IP address when you create a service.

After you create your services, you must create a virtual server to accept traffic for the load balanced Web sites, applications, or servers. Once load balancing is configured, users connect to the load-balanced Web site, application, or server through the virtual server’s IP address or FQDN.

Create servers, services and virtual servers with persistence and protocol aware monitors.

Step-by-step guidance

The lab environment required for this exercise is as follows:

1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
4. IIS Web Server: (WebBlue)
5. IIS Web Server: (WebGreen)
6. IIS Web Server: (WebRed)

Estimated time to complete this lab: 20 minutes.

1. In the NetScaler Configuration Utility of NS10_HA1, navigate to Load Balancing > Servers. Click Add.

2. Enter the following configuration:
Server Name: Blue_Server
IP Address: 192.168.10.205
Click Create.

3. Repeat steps 2-3 to create the following servers:
Red_Server 192.168.10.215
Green_Server 192.168.10.210
After creating the servers, click Close.

4. Once done, you should see the servers created as follows.

5. Navigate to Load Balancing > Services. Click Add.

6. Create service objects for the servers created in steps 1-4. Enter the following configuration:
Service Name: Blue_Service
Server: Blue_Server (192.168.10.205)
Protocol: HTTP
Port: 80
Click Create.

7. Repeat steps 5-6 to create services for the following:
Red_Service 192.168.10.215
Green_Service 192.168.10.210

8. Once you are done, click Close. You should see the following services:

9. Navigate to Load Balancing > Virtual Server. Click Add.

10. Create a virtual server with the following configuration:
Name: RBG1
Protocol: HTTP
IP address: 192.168.10.216
Port: 80
Bind all three services by checking the box next to each service.

Click Create.

11. Open another browser tab and browse to http://192.168.10.216. Refresh multiple times. The Red, Blue and Green web servers should be load balanced since no persistence is configured.

12. Go to Load Balancing > Services and disable two of the three services.

13. Test load balancing by browsing to http://192.168.10.216 again. You should connect to the same server.

14. Re-enable the services when done.

15. Go back to the NetScaler Configuration Utility and open the RBG1 virtual server. Select the Method and Persistence tab.

16. Configure the following:
Method: change from Least Connection (Default) to Round Robin.
Persistence: CookieInsert
Time-Out value: Change from 2 (Default) to 0

17. A DNS record was created for 192.168.10.216. Browse to http://web1.training.lab and refresh multiple times. This time you will notice that your session persists to either the Red, Blue or Green server for the duration of the session.

18. In the NetScaler Configuration Utility, navigate to Load Balancing > Services. Double-click the Blue_Service.

19. Select the http monitor from the list of available monitors on the left. Click Add. Select the tcp-default monitor from the list of configured monitors on the right. Click Remove. The HTTP monitor expects a 200 OK response code to consider the service state as UP.
Click OK. Click OK on the warning, as this only informs you that the default TCP monitor cannot be unbound. Since we are selecting a new HTTP monitor, the health check is still performed.

20. Click Close and Save the configuration.

END OF EXERCISE
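The behaviour observed in steps 11-19 can be reproduced offline with a small model. This is an added example, not part of the lab guide or of NetScaler itself: the class and function names, the service order and the cookie value are assumptions made for illustration, and the two monitor functions only model a TCP-handshake check and a check that requires 200 OK.

```python
from dataclasses import dataclass
from itertools import count


@dataclass
class Service:
    name: str
    tcp_open: bool = True    # backend completes a TCP handshake on port 80
    http_status: int = 200   # status the backend returns to an HTTP probe
    enabled: bool = True     # administrative state (step 12 disables services)


def tcp_default(svc):
    """Model of a TCP-only health check: UP once the handshake succeeds."""
    return svc.tcp_open


def http_monitor(svc):
    """Model of the http monitor from step 19: UP only on a 200 OK response."""
    return svc.tcp_open and svc.http_status == 200


class VirtualServer:
    """Round robin over services that are enabled and pass the bound monitor."""

    def __init__(self, services, monitor, cookie_persistence=False):
        self.services = services
        self.monitor = monitor
        self.cookie_persistence = cookie_persistence
        self._counter = count()

    def up_services(self):
        return [s for s in self.services if s.enabled and self.monitor(s)]

    def handle(self, cookie=None):
        """Return (service name, cookie to set); (None, None) if nothing is UP."""
        up = self.up_services()
        if not up:
            return None, None
        # Persistence: honour the cookie only while that service is still UP.
        if self.cookie_persistence and cookie in {s.name for s in up}:
            return cookie, cookie
        chosen = up[next(self._counter) % len(up)]
        # Constructed cookie value; the appliance uses its own encoded format.
        return chosen.name, (chosen.name if self.cookie_persistence else None)


def lab_services():
    """The three services created in steps 6-7 (order is an assumption)."""
    return [Service("Blue_Service"), Service("Red_Service"), Service("Green_Service")]


def refresh(vserver, times, cookie=None):
    """Simulate repeated browser refreshes that carry the cookie forward."""
    served = []
    for _ in range(times):
        name, cookie = vserver.handle(cookie)
        served.append(name)
    return served


if __name__ == "__main__":
    services = lab_services()
    services[0].http_status = 500   # Blue answers, but with an error page
    print("tcp-default:", refresh(VirtualServer(services, tcp_default), 3))
    print("http       :", refresh(VirtualServer(services, http_monitor), 4))
```

With the TCP-only check a backend that returns errors stays in rotation; with the HTTP check it is taken out, which is the reason step 19 swaps the monitor.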

Module 3 - Exercise 1: Content Switching

Overview

You want to demonstrate NetScaler Content Switching. You need to configure NetScaler with a Content Switching virtual server to achieve the following:

• HTTP requests to home.php should be switched to a load balancing virtual server with CookieInsert persistence and Round Robin load balancing.
• HTTP requests for blue.php, red.php, and green.php should be switched to their own respective servers.
• HTTP requests that meet no configured content switching policy should trigger the Default content switching policy and be switched to a load balancing virtual server with no persistence and Round Robin load balancing.

In order to achieve this objective, the following must be configured:

• Servers, services and load balancing virtual servers for each web server
• The three services (Red, Blue, Green) are bound to non-directly addressable load balancing virtual servers
• Multiple content switching policies (e.g. HTTP.REQ.URL.CONTAINS("blue.php"))
• A content switching virtual server with bound policies.

Step-by-step guidance

The lab environment required for this exercise is as follows:

1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
4. IIS Web Server: (WebBlue)
5. IIS Web Server: (WebGreen)
6. IIS Web Server: (WebRed)

Estimated time to complete this lab: 30 minutes.

1. In the NetScaler Configuration Utility, navigate to Load Balancing > Virtual Servers. Delete the RBG1 virtual server.

2. Create a new virtual server with the following configuration:
Name: RBG_Default
Uncheck the Directly Addressable box.
Bind all services to this virtual server.

3. Select the Method and Persistence tab. Configure the following:
Method: Round Robin
Persistence: None (No Persistence)

4. Create a new virtual server. Configure the following:
Name: RBG_Home
Uncheck the Directly Addressable box.
Bind all services to this virtual server.

5. Configure the following:
Method: Round Robin
Persistence: CookieInsert
Time-out: 0

6. Create a new virtual server. Configure the following:
Name: RBG_Red
Uncheck the Directly Addressable box.
Bind only the Red service to this virtual server.

7. Select the Method and Persistence tab. Configure the following:
Method: Round Robin
Persistence: CookieInsert
Time-out: 0

8. Create a new virtual server. Configure the following:
Name: RBG_Blue
Uncheck the Directly Addressable box.
Bind only the Blue service to this virtual server.

9. Select the Method and Persistence tab. Configure the following:
Method: Round Robin
Persistence: CookieInsert
Time-out: 0

10. Create a new virtual server. Configure the following:
Name: RBG_Green
Uncheck the Directly Addressable box.
Bind only the Green service to this virtual server.

11. Select the Method and Persistence tab. Configure the following:
Method: Round Robin
Persistence: CookieInsert
Time-out: 0

12. You should have the following virtual servers configured:

13. Navigate to Content Switching > Policies. Click Add.

14. Add a policy with the following configuration:
Name: Home_Policy
Click Configure.

15. In the Expression section type:
HTTP.REQ.URL.CONTAINS("home.php")
Click Create to close the Create Expression window.

16. Click Create to close the Create Content Switching Policy window.

17. Repeat steps 15-17 to create the following policies:

Name: Red_Policy
Expression: HTTP.REQ.URL.CONTAINS("red.php")

Name: Blue_Policy
Expression: HTTP.REQ.URL.CONTAINS("blue.php")

Name: Green_Policy
Expression: HTTP.REQ.URL.CONTAINS("green.php")

18. Navigate to Content Switching > Virtual Servers. Click Add.

19. Configure the following:
Name: RBG_CSW
IP Address: 192.168.10.217
Protocol: HTTP
Port: 80

20. Note: The content switching virtual server’s state is UP although no policies have been bound. Browse to https://192.168.10.217. The service is unavailable when browsing to the address.

21. Open the RBG_CSW virtual server. Click Insert Policy.

22. Select the Home_Policy.

23. Click the dropdown arrow under the GoTo Expression column and select the blank option.

24. Select the dropdown arrow under the Target column and select RBG_Home.

25. Double-click the text box under the Priority column and change the priority to 120. Hit the Enter key.

26. Bind the remaining content switching policies to the respective targets (i.e., Red_Policy to RBG_Red, etc.). Configure the priorities in those policies as indicated below.

27. A new DNS record was created for 192.168.10.217. Open another browser tab and browse to http://web2.training.lab. Refresh multiple times. The Red, Blue and Green web servers should be load balanced in a round robin manner. This is because your request hit the Default policy and was switched to RBG_Default, which has no persistence configured.

28. Change the request URL to http://web2.training.lab/home.php. Note: Hitting refresh multiple times will keep you on the same server since your request was sent to the RBG_Home virtual server, which has CookieInsert configured for persistence.

29. Change the request URL to http://web2.training.lab/red.php. Note: Your request was sent to the RBG_Red virtual server. Repeat the request with http://web2.training.lab/blue.php and http://web2.training.lab/green.php.

30. You can view the hit counts increase in the Content Switching > Policies node or when you open the content switching virtual server.

END OF EXERCISE
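Which target a request reaches depends on two things this exercise configures: the priority order of the bound policies and what HTTP.REQ.URL.CONTAINS actually matches. The model below is an added example, not part of the lab guide: it evaluates the four policies in ascending priority and compares the substring rule with a stricter exact-path rule. Only priority 120 for Home_Policy comes from step 25; priorities 130-150, the sample URLs and all function names are assumptions.

```python
from urllib.parse import urlsplit

# (priority, policy name, file name in the rule, target LB virtual server).
# Priority 120 for Home_Policy is from step 25; 130-150 are assumed values.
POLICIES = [
    (120, "Home_Policy", "home.php", "RBG_Home"),
    (130, "Red_Policy", "red.php", "RBG_Red"),
    (140, "Blue_Policy", "blue.php", "RBG_Blue"),
    (150, "Green_Policy", "green.php", "RBG_Green"),
]
DEFAULT_TARGET = "RBG_Default"


def url_contains(url, name):
    """Models HTTP.REQ.URL.CONTAINS("name"): case-sensitive substring test
    over the whole request URL, query string included."""
    return name in url


def path_equals(url, name):
    """Models a stricter rule, HTTP.REQ.URL.PATH.EQ("/name"): the path must
    be exactly /name, and the query string is ignored."""
    return urlsplit(url).path == "/" + name


def switch(url, matcher=url_contains, policies=POLICIES):
    """Evaluate policies in ascending priority number; first match wins."""
    for _priority, policy, name, target in sorted(policies):
        if matcher(url, name):
            return policy, target
    return "Default", DEFAULT_TARGET


def audit(urls):
    """Return the URLs that the two rule styles send to different targets."""
    differences = []
    for url in urls:
        loose = switch(url, url_contains)[1]
        strict = switch(url, path_equals)[1]
        if loose != strict:
            differences.append((url, loose, strict))
    return differences


# Constructed request URLs; the first four mirror what steps 27-29 browse to.
SAMPLE_URLS = [
    "/", "/home.php", "/red.php", "/blue.php",
    "/Home.PHP",                    # different case
    "/index.php?return=home.php",   # file name appears only in the query
    "/red.php?from=home.php",       # two rules match; priority 120 wins
    "/notblue.php",                 # file name is a suffix of another name
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:30} -> {switch(url)[1]}")
    for url, loose, strict in audit(SAMPLE_URLS):
        print(f"differs: {url} CONTAINS={loose} PATH.EQ={strict}")
```

Running a list of expected and unexpected URLs through such a table before binding policies shows where a substring rule sends traffic that was meant for the Default policy.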

Module 3 - Exercise 2: SSL Offload

Overview

You want to secure traffic to your web servers using SSL certificates. In this lab, you will create a certificate and configure NetScaler to offload the SSL transactions while load balancing the Red, Blue and Green Web servers.

SSL Offload is how the NetScaler appliance transparently accelerates SSL transactions. All SSL processing is performed on the appliance instead of the backend web server. This reduced workload allows the web server to serve web pages much faster.

Step-by-step guidance

The lab environment required for this exercise is as follows:

1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
4. Microsoft SQL Server 2008: (SQLServer)
5. IIS Web Server: (WebBlue)
6. IIS Web Server: (WebGreen)
7. IIS Web Server: (WebRed)

Estimated time to complete this lab: 40 minutes.

1. Open the NetScaler Configuration Utility. Navigate to SSL > Create CSR (Certificate Signing Request). Configure the following:
• File name: wildcard.req
• Key File Name: (Browse > ns-root.key)
• Format: PEM
• Common name: *.training.lab
Fill in all other required fields, but do not set a password.

2. Navigate to SSL > Manage Certificates / Keys / CSRs.

3. Select the wildcard.req file and click Download. Save the file in C:\Users\administrator.TRAINING\Documents. Click Close twice.

4. Open another tab in IE and browse to https://192.168.10.12/certsrv. Login as…
Username: Administrator
Password: Citrix123

5. Select Request a certificate.

6. Select Advanced Cert Request. Then select Submit a certificate request by using a base-64…

7. Open the wildcard.req file with Notepad.exe and copy the contents.

8. Paste the contents into the Saved Request field. Choose Web Server as the Certificate Template and click Submit.

9. Download a Base 64 encoded certificate (certnew.cer) to the documents folder.

10. Using the NetScaler Configuration Utility, navigate to SSL > Manage Certificates / Keys / CSRs.

11. Click Upload. Browse to C:\Users\administrator.TRAINING\Documents. Select the certnew.cer file and upload it to the appliance.
Note: the file will be uploaded to the /nsconfig/ssl directory.

12. To install the certificate, navigate to SSL > Certificates > Install.

13. Configure the following:
Certificate-Key Pair Name: wildcard-cert
Certificate File Name: browse (Appliance) to certnew.cer
Private Key File Name: browse (Appliance) to ns-root.key
Click Install. Then click Close.

14. Navigate to Content Switching > Virtual Servers. Open the RBG_CSW virtual server and unbind all the content switching policies.

15. Add a new virtual server. Configure as follows:
Name: RBG_CSW_HTTPS
IP Address: 192.168.10.217
Protocol: SSL
Bind the CSW policies with priorities as shown below.

16. Note that the virtual server is in a down state since it has no certificate bound.

17. Double-click the virtual server and select the SSL Settings tab.

18. Select the wildcard-cert and click Add. Click OK.
Note: This binds the certificate to the virtual server. The state is now UP.

19. Browse to https://web2.training.lab and confirm that you are connecting using HTTPS and the NetScaler is offloading the SSL transactions.

END OF EXERCISE
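The common name *.training.lab chosen in step 1 determines which addresses a browser will accept the certificate for. The check below is an added example, not part of the lab guide: it applies the usual client-side rule (RFC 6125 style, the same for a wildcard in a subject alternative name) that the wildcard stands for exactly one left-most label. The function names are assumptions; training.lab and a.web2.training.lab are constructed test names, and the other hosts are taken from this guide.

```python
import ipaddress

CERT_CN = "*.training.lab"          # common name from step 1 of this exercise


def is_ip(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(cert_name, host):
    """Client-side host name check: '*' is honoured only as the complete
    left-most label and stands for exactly one non-empty label."""
    if is_ip(host):
        return False                 # a DNS name never matches an IP literal
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if len(pattern) != len(labels) or "" in labels:
        return False
    if pattern[0] == "*":
        return pattern[1:] == labels[1:]
    return pattern == labels


def coverage(cert_name, hosts):
    """Map each host to whether the certificate name covers it."""
    return {host: name_matches(cert_name, host) for host in hosts}


# Hosts from this guide plus two constructed names (marked).
LAB_HOSTS = [
    "web1.training.lab",
    "web2.training.lab",
    "AD.training.lab",
    "192.168.10.217",        # the virtual server's IP address
    "training.lab",          # constructed: the bare domain
    "a.web2.training.lab",   # constructed: two labels below the domain
]

if __name__ == "__main__":
    for host, ok in coverage(CERT_CN, LAB_HOSTS).items():
        print(f"{host:22} {'match' if ok else 'name mismatch'}")
```

Browsing to the virtual server by IP address, or to a name more than one label below training.lab, produces a certificate name warning even though the certificate is correctly bound.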

 


Module 5 - Exercise 1: HTTP header modification

Overview

In today’s web, applications often require different responses, or different information sent to the backend servers, as part of the HTTP request/response. For example, when the home page is requested, a different response may be required depending on the user’s location, the language the browser accepts, or simply the type of browser being used to connect to the site.

With the help of rewrite and responder, we can manipulate the parameters of the request or response and, based on certain conditions, take a different action. This is especially useful when you want to masquerade any information returned by the server or simply redirect the client connection to a secure site.

In this module, we will explore different examples on how to use the rewrite and responder feature to perform HTTP to HTTPs redirection, as well as changing the body of the response to ensure all links are displayed with the correct secure protocol. In addition, we will also configure a simple URL transformation to hide the application path and also garble some of the parameters returned by the backend server with the purpose to enhance application security.

Step-by-step guidance

The lab environment required for this exercise is as follows:

1. Linux Server 1 : Apache_MySQL_1 - (GENTOO_1)
2. Linux Server 2 : Apache_MySQL_2 - (GENTOO_2)
3. Linux Server 2 : Apache_MySQL_3 - (GENTOO_3)
4. NetScaler VPX: (NS10_HA1)
5. NetScaler VPX: (NS10_HA1)
6. Windows 7 workstation: (Win7Client)

Estimated time to complete this lab: 30 minutes.  


Step Action

1. We will complete a simple load balancing configuration to be used in our rewrite examples. In this lab, we will configure additional servers and services for an Apache web server farm. Open IE and browse to http://192.168.10.220

Navigate to Load Balancing -> Servers and configure the following:

Name: GENTOO_3
IP Address: 192.168.10.15

Click Create. Then click Close.

2. Create a service with the following configuration:

Name: GENTOO_3_HTTP_TCP_80
Monitor: TCP

3. Create a load-balanced vserver with the following configuration:

Name: HTTP_vserver
IP address: 192.168.10.218
Protocol: HTTP
Port: 80


4. Bind the service we created in step 2 to it.


5. Apache_MySQL_3 has been provisioned with a simple PHP page that outputs all the server variables and headers included in the HTTP request. This page is served as the default 404 not found HTML. For this lab, we will use this server to visually inspect the information the backend server received after the traffic is processed by the NetScaler appliance.

In IE, browse to a non-existing URL on the new HTTP_vserver:

http://192.168.10.218/nonexistenturl/

Inspect the headers and variables to familiarize yourself with the output.

6. First, we will start with a header insertion to include the CLIENT-IP address in the HTTP request. This can be accomplished in two different ways:

• Using the CLIENT-IP option in the Advanced Properties of the service.
• Using a rewrite rule to insert a new HTTP header.

 


7. We will start with option 1. Open the GENTOO_3_HTTP_TCP_80 service and select the Advanced tab. Under Settings, check the Client IP option. Fill in the header name Client-IP.

8. Open a new browser instance and attempt your request again.

http://192.168.10.218/nonexistenturl/

You should be able to see the “Client-IP” being inserted in the request.

 


9. Now, we will attempt to use a rewrite policy to insert the same information. Remove the CLIENT-IP insertion configuration from the Settings section of the Advanced tab.

10. Open a browser and navigate to the same URL to ensure the header is not inserted.

http://192.168.10.218/nonexistenturl/

11. Next, create the rewrite action. Navigate to Rewrite > Actions. Click on Add and configure the following:

Name: InsertClientIP
Type: INSERT_HTTP_HEADER
Header Name: Client-IP
String Expression: CLIENT.IP.SRC

Click Create. Then click Close.

12. Next, we need to create a new policy and bind it to the rewrite action. Navigate to Rewrite > Policies. Click on Add and configure the following:

Name: InsertClientIP_pol
Action: InsertClientIP
Expression: true


Click Create. Then click Close.

13. Finally, we need to bind the policy to the HTTP_vserver. Double-click the HTTP_vserver and select the Rewrite (Request) tab. Bind the InsertClientIP_pol policy with the default priority. Click OK to commit the changes.

NOTE: If the rewrite policy does not show up when attempting to bind, close the Configure Virtual Server window and perform a Refresh. Then attempt the binding again.

14. Select the IE tab in which you browsed to:

http://192.168.10.217/nonexistenturl

Refresh the window and verify that the client IP was inserted.

15. Next, we will create a Response Rewrite policy to obscure some of the information sent by the backend server.

16. To visualize the request and response headers received, open a new IE instance and display the ieHTTPHeaders. Note, the add-on is already installed and enabled. Navigate to the Tools menu and select Display ieHTTPHeaders.

17. Now, navigate to the IP Address of the virtual server.

http://192.168.10.218

You should see the request and response headers.

18. Take a closer look at the response headers. Since this backend server runs Apache, it includes a Server header in its response. A common practice is to masquerade this information and include a generic response.

 


19. We will create a rewrite action to replace the HTTP header. In the NetScaler Configuration Utility, navigate to Rewrite > Actions and click on Add.

20. Configure the following settings:

Name: ReplaceServerHeader
Type: REPLACE
Expression to choose target: HTTP.RES.HEADER("Server")
String expression for replacement text: "MyWebServer" (include the quotes)

Click Create. Then click Close.

21. Next, create a rewrite policy. Since we need to perform the action on every response, use a true expression. Navigate to Rewrite > Policies. Click Add. Configure the following settings:

Name: ReplaceServerHeader_pol
Action: ReplaceServerHeader
Expression: TRUE

Click Create. Then click Close.

22. Navigate to Load Balancing > Virtual Servers. Double-click on the HTTP_vserver and select the Policies tab. Under the Policies tab, select the Rewrite tab. Bind this rewrite policy to the HTTP_vserver. Ensure you click the dropdown arrow and select the RESPONSE rewrite; otherwise, the policy will not be listed. Click OK.

 

23. Open a new browser instance and browse to http://192.168.10.218

24. Inspect the response headers. Verify the server header value was replaced.


   

END OF EXERCISE


Summary

Key Takeaways

The key takeaways for this exercise are:

• Rewrite and responder can be used in conjunction to manipulate the data and enhance application security.

• Rewrite policies can modify data on the request and/or response.

 


Module 5 - Exercise 2: HTTP to HTTPs redirection and URL body rewrite

Overview

Certain applications require specific requests to occur over a secure connection. Leveraging the responder module, the NetScaler can issue a redirect to a secure site, ensuring a seamless user experience. Additionally, the rewrite module can be used to rewrite any HTML content containing a reference to an HTTP URI, forcing the connecting client to navigate the site using HTTPs only. In this exercise, we will configure a responder policy that redirects requests to an alternate URL and then set up a rewrite policy that rewrites any HTTP URIs to force secure browsing.

Step-by-step guidance

The lab environment required for this exercise is as follows:

1. Linux Server 1 : Apache_MySQL_1 - (GENTOO_1)
2. Linux Server 2 : Apache_MySQL_2 - (GENTOO_2)
3. Linux Server 2 : Apache_MySQL_3 - (GENTOO_3)
4. Web Server Blue: (WebBlue)
5. Web Server Green: (WebGreen)
6. Web Server Red: (WebRed)
7. SQLServer
8. NetScaler VPX: (NS10_HA1)
9. NetScaler VPX: (NS10_HA1)
10. Windows 7 workstation: (Win7Client)

Estimated time to complete this lab: 40 minutes.

Step Action

1. The first step in securing an application is to ensure all requests occur over an encrypted channel. For this example, we will use a pre-installed web application (PHPMyAdmin) available on the Linux web server (Apache_MySQL_3). Since this application lives in the “/phpmyadmin” subdirectory, we will configure a responder action to redirect all requests to HTTPs.


2. In the NetScaler Configuration Utility, navigate to System > Settings > Configure Advanced Features and enable the Responder option.

3. Navigate to Responder > Actions. Click Add.

4. Create a responder action that redirects to a secure URL. Configure the following settings:

Name: RedirectToSecureSite
Type: Redirect
Target: "https://" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY

The target specified above ensures that any hostname is redirected regardless of the host header. Since this expression could potentially create a redirect loop, make sure that you select the “Bypass Safety Check” option to allow the action to be created.

Click Create. Then click Close.


5. Next, create a responder policy to trigger the action. Navigate to Responder > Policies. Click Add. Configure the following settings:

Name: RedirectToSecureSite_pol
Action: RedirectToSecureSite
Expression: true

Since this will be bound to HTTP_vserver, use a “true” expression. Click Create. Then click Close.

6. Navigate to Load Balancing > Virtual Servers. Double-click the HTTP_vserver and select the Policies tab. Under the Policies tab, select the Responder tab. Select Insert Policy and bind this policy using the default priority. Click OK.


7. Open a browser instance and navigate to the VIP.

http://192.168.10.218

Use the ieHTTPHeaders to verify the redirect is triggered. Why is the page not displayed?

8. Since we do not have a virtual server listening on port 443, the redirect does not complete properly. Let’s proceed to create a new SSL vserver. Navigate to Load Balancing -> Virtual Servers. Click Add.

9. Create the vserver with the following configuration:

Name: HTTPs_vserver
IP Address: 192.168.10.218
Protocol: SSL
Port: 443

Ensure that you bind the same service: GENTOO_3_HTTP_TCP_80.


10. Since this is an SSL vserver, we need to bind a server certificate. Select the SSL Settings tab. Select the wildcard-cert and click Add to bind this certificate to the vserver. Click Create to complete the configuration. Click Close.

11. Attempt to test the responder policy by navigating to the HTTP URL. http://192.168.10.218/phpmyadmin Since we are not using an FQDN, a warning is displayed. Proceed to accept the warning. The default content should be displayed over a secure channel. (https://...)


12. To avoid this SSL warning, let’s re-issue the request using the FQDN that resolves to the VIP:

http://web3.training.lab/phpmyadmin

The redirect should complete without any warning message.

13. This responder policy will redirect any request on port 80 to port 443; however, some applications hardcode absolute URLs or require special Host headers to serve content. This is especially troublesome when the application is SSL offloaded, as it could render all the links inaccessible or cause the application to fail.

14. Attempt to log in to the phpMyAdmin application using the following credentials:

Username: root
Password: Citrix123

Did the login request work? You should see that a redirect diverts traffic directly to the backend server, effectively bypassing the load balancer.


15. In order to get through the initial login, we need to rewrite the redirect response the backend server is sending so that it includes the FQDN for the VIP. To do this, we will use a Rewrite Response policy. Observe the “header trace” captured. The Location header has the wrong information.


16. Proceed to create a Rewrite Action with the following configuration:

Name: ReplaceLocationHeader
Type: Replace
Expression to choose: HTTP.RES.HEADER("Location")
String expression for replacement: "https://web3.training.lab" + HTTP.RES.HEADER("Location").TYPECAST_HTTP_URL_T.PATH_AND_QUERY

The above expression looks for the Location header value in the response and replaces the hardcoded IP address with the VIP FQDN.

Click Create. Then click Close.

17. Next, create the rewrite policy. Navigate to Rewrite > Policies. Configure the policy as follows:

Name: ReplaceRedirect_pol
Action: ReplaceLocationHeader

Click Create. Then click Close.


18. Bind the rewrite policy to the HTTPs_vserver load balanced virtual server. Be sure to select the Response queue, otherwise the policy will not show up in the list.

19. Attempt to log in to the application.

http://web3.training.lab/phpmyadmin/

Is the request redirected to HTTPs? Does the application complete the login request? After binding the previous policies, the application works as intended. Navigate a few links to verify correct behavior. Observe the links on the page.


20. Close the ieHTTPHeaders window. Click the home icon on the top left side of the phpMyAdmin site. Once on the home page, scroll to the bottom of the page and hover the mouse pointer over the “here” hyperlink.

There is one more problem with this configuration. Unfortunately, some of the links are hardcoded by the application and the URL includes the backend server IP. Notice the IP in the URL in the screenshot to the right. We need to configure a rewrite policy to modify the response body and replace this static value with the correct FQDN.

21. Let’s configure another rewrite policy to adjust the body. First, configure the rewrite action as follows:

Name: Rewrite_Body_HTTP_HTTPs
Type: REPLACE_ALL
Expression to choose: HTTP.RES.BODY(100000)
String expression: https://web3.training.lab
Pattern: http://192.168.10.15

Click Create. Then click Close.

Note: Choose the response body as the target text reference. For the body argument, use 100000 characters. This should be plenty to catch all instances of the pattern to replace.


22. Create the policy with the following configuration:

Name: Rewrite_Body_HTTP_HTTPs_pol
Action: Rewrite_Body_HTTP_HTTPs
Expression: true

The true expression will trigger the action on every instance that matches the pattern.

23. Next, bind the policy to HTTPs_vserver response queue using the default priority. Make sure that you select NEXT for the “Goto Expression” on the first policy, otherwise the policy with lower priority will not be evaluated.

24. Test the application one more time by refreshing the PHPMyAdmin page. The URL should now be rewritten, and the web application is correctly SSL offloaded through NetScaler.
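The following is an added example, not part of the lab guide or of any Citrix tooling: a small Python audit that can be run over captured responses to check the outcome of the Server header replacement in Exercise 1 and the Location and body rewrites in this exercise. The backend IP, the FQDN, the "MyWebServer" value and the 100000 body argument come from the guide; the function names, the sample captures and the assumption that the body rewrite only sees the first 100000 bytes are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Values from the lab guide; function names and captures are constructed.
BACKEND = "192.168.10.15"
PUBLIC = "https://web3.training.lab"
MASKED_SERVER = "MyWebServer"
BODY_WINDOW = 100000  # argument of HTTP.RES.BODY(...) in step 21
NEEDLE = b"http://" + BACKEND.encode()


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, header list, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:]]
    return lines[0], headers, body


def build_response(status, headers, body):
    """Serialize a status line, header list and body back into raw bytes."""
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def model_rewrites(raw):
    """Model of the guide's three response rewrites (not NetScaler code)."""
    status, headers, body = parse_response(raw)
    out = []
    for name, value in headers:
        if name.lower() == "server":
            value = MASKED_SERVER
        elif name.lower() == "location":
            u = urlsplit(value)
            value = PUBLIC + u.path + ("?" + u.query if u.query else "")
        out.append((name, value))
    # Assumption: REPLACE_ALL only sees the first BODY_WINDOW bytes.
    body = body[:BODY_WINDOW].replace(NEEDLE, PUBLIC.encode()) + body[BODY_WINDOW:]
    return build_response(status, out, body)


def audit(raw):
    """Return findings that mean the backend is still exposed to the client."""
    _, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name.lower() == "server" and value != MASKED_SERVER:
            findings.append("server header discloses " + value)
        if name.lower() == "location":
            u = urlsplit(value)
            if u.scheme != "https" or u.hostname == BACKEND:
                findings.append("location bypasses the VIP: " + value)
    findings += [f"backend URL in body at byte {m.start()}"
                 for m in re.finditer(re.escape(NEEDLE), body)]
    return findings


# Constructed captures: a login redirect and a page larger than the window.
LOGIN = (b"HTTP/1.1 302 Found\r\nServer: Apache\r\n"
         b"Location: http://192.168.10.15/phpmyadmin/index.php?token=abc\r\n\r\n")
PAGE = build_response("HTTP/1.1 200 OK", [("Server", "Apache")],
                      b'<a href="http://192.168.10.15/a">here</a>'
                      + b" " * BODY_WINDOW
                      + b'<a href="http://192.168.10.15/b">late</a>')

if __name__ == "__main__":
    for label, raw in (("login", LOGIN), ("page", PAGE)):
        print(label, "before:", audit(raw))
        print(label, "after: ", audit(model_rewrites(raw)))
```

The second capture keeps one finding after the rewrites because its last link sits past the 100000-byte window, which is the case to look for when a page is larger than the BODY argument.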

END OF EXERCISE


Summary

Key Takeaways

• Rewrite policies can be strung together to manipulate the request or response data sequentially.

• For some web-apps, deeper knowledge of the application logic is required to successfully configure the necessary rewrite policies. Additional information can be gathered from header/network traces and log analysis.

   


Revision History

Revision: 1.0
Change Description: Original Version
Updated By: Curtis Kegler
Date: February 2013

About Citrix

Citrix Systems, Inc. (NASDAQ:CTXS) is the leading provider of virtualization, networking and software as a service technologies for more than 230,000 organizations worldwide. Its Citrix Delivery Center, Citrix Cloud Center (C3) and Citrix Online Services product families radically simplify computing for millions of users, delivering applications as an on-demand service to any user, in any location on any device. Citrix customers include the world’s largest Internet companies, 99 percent of Fortune Global 500 enterprises, and hundreds of thousands of small businesses and prosumers worldwide. Citrix partners with over 10,000 companies worldwide in more than 100 countries. Founded in 1989, annual revenue in 2008 was $1.6 billion.

http://www.citrix.com

© 2012 Citrix Systems, Inc. All rights reserved. Citrix®, Citrix Delivery Center™, Citrix Cloud Center™, XenApp™, XenServer™, NetScaler®, XenDesktop™, Citrix Repeater™, Citrix Receiver™, Citrix Workflow Studio™, GoToMyPC®, GoToAssist®, GoToMeeting®, GoToWebinar®, GoView™ and HiDef Corporate™ are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners.