1Y0-250 Citrix Study Guide Part Two

Part 1, Part 3

Section 4: Securing the NetScaler (i.e. enabling compliance, SSL VPN, etc.)

4.1

Task Description: Consider the compliance and security capabilities that are native to NetScaler

Testing Aspect: When

When split tunneling is NOT enabled, the Access Gateway Plug-in captures all network traffic originating from a user device and sends the traffic through the VPN tunnel to Access Gateway, which can have an authorization policy that does not allow users to browse local Internet resources.

  • For example, a user connecting to the corporate LAN over a hotel Wi-Fi connection.

Users can run applications installed on their user devices, which connect them to the network through a VPN tunnel.

  • To start this configuration, use the following guidelines:
    • Create a Web Interface site.
    • Configure Advanced Access Control settings.
    • Configure SmartAccess.
    • Configure endpoint analysis on Access Gateway.
    • Configure policies and filters on Citrix XenApp and XenDesktop.
    • Configure Access Gateway so users log on by using the Access Gateway Plug-in to access published applications and virtual desktops.

 

4.2

Task Description: Importing, linking and verifying certificates including importing SSL certificates

Testing Aspect: How

An intermediate certificate is a certificate that sits between the Access Gateway server certificate and a root certificate (usually installed on the user device).

  • An intermediate certificate is part of a chain.
  • Link the intermediate certificate to the certificate used by Access Gateway.
  • If users report that they receive certificate errors in the browser, it might signify that the certificate chain is incomplete.

After receiving a signed certificate from a Certificate Authority (CA), pair it with the private key on the NetScaler appliance and install the certificate on NetScaler Gateway.

  • To install the certificate on NetScaler Gateway:
    • Copy the certificate to the nsconfig/ssl folder on NetScaler Gateway by using a Secure Shell (SSH) program such as WinSCP.
    • In the configuration utility, on the Configuration tab, in the navigation pane, expand the SSL node and click Certificates.
    • In SSL Certificates, click Install.
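The "certificate errors in the browser" symptom above is easy to reproduce and check outside the appliance. The script below is an added example, not part of the study guide and not Citrix tooling: it builds a throwaway root / intermediate / server chain with the openssl command-line tool (assumed to be installed) and then runs the same verification a client that trusts only the root would perform, once with the server certificate alone and once with the intermediate supplied. The CA names, the hostname gateway.example.test and the temporary paths are all constructed.

```shell
#!/bin/sh
# Added example (not from the study guide): reproduce the "incomplete chain"
# failure with a constructed three-tier PKI, then show that presenting the
# intermediate next to the server certificate makes the chain verify.
# Assumes the openssl CLI is available. All subjects and paths are constructed.
set -eu

WORK="$(mktemp -d)"

# Build a constructed chain: root CA -> intermediate CA -> server certificate.
make_chain() {
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gateway.example.test\n' > leaf.ext

    # Self-signed root (the one thing a client is assumed to trust).
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
        -keyout root.key -out root.csr >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
        -extfile ca.ext -out root.pem >/dev/null 2>&1

    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
        -keyout inter.key -out inter.csr >/dev/null 2>&1
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out inter.pem >/dev/null 2>&1

    # Server (gateway) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=gateway.example.test' \
        -keyout server.key -out server.csr >/dev/null 2>&1
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 2 -extfile leaf.ext -out server.pem >/dev/null 2>&1
}

# verify_chain ROOT SERVER [INTERMEDIATE...]
# Exit status 0 when SERVER chains to ROOT using only the supplied intermediates,
# which is exactly what a client that trusts only ROOT can do with what it is sent.
verify_chain() {
    root="$1"; server="$2"; shift 2
    untrusted=""
    for f in "$@"; do untrusted="$untrusted -untrusted $f"; done
    # shellcheck disable=SC2086
    openssl verify -CAfile "$root" $untrusted "$server" >/dev/null 2>&1
}

# The two situations from the text: server certificate alone vs. with the
# intermediate linked to it.
check_without_intermediate() { verify_chain "$WORK/root.pem" "$WORK/server.pem"; }
check_with_intermediate()    { verify_chain "$WORK/root.pem" "$WORK/server.pem" "$WORK/inter.pem"; }

make_chain
if check_without_intermediate; then
    echo "unexpected: verified without the intermediate"
else
    echo "server certificate alone: chain incomplete (the browser-error case)"
fi
if check_with_intermediate; then
    echo "server certificate plus linked intermediate: chain verified"
fi
```

Against a live gateway the same check is `openssl s_client -connect <host>:443 -showcerts`: if the intermediate is missing from the certificates the appliance sends, the link step in the text has not been done for that server certificate.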

 

4.3

Task Description: Configure AAA (Authentication, Authorization, Accounting)

Testing Aspect: How

When configuring logging on NetScaler:

  • The audit logs can be stored on the NetScaler or sent to a syslog server.
  • Use the configuration utility to create auditing policies and configure settings to store the audit logs.

Before using AAA, it must be enabled.

  • To enable AAA by using the configuration utility:
    • Navigate to System > Settings.
    • In the details pane, under Modes and Features, click Change basic features.
    • In the Configure Basic Features dialog box, select the Authentication, Authorization and Auditing check box.
    • Click OK.
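Shipping the audit logs to a syslog server is only useful if someone looks at them. The script below is an added example, not from the study guide and not NetScaler output: it runs a first triage pass over a handful of constructed audit lines written in a simplified syslog-like layout (timestamp, host, subsystem, event, key=value fields), counting failed logons per source address, separating a one-user brute force from a many-user spray, and pulling out the configuration commands that were executed. The host name, users, addresses and field layout are all constructed.

```shell
#!/bin/sh
# Added example (not from the study guide): triage over constructed audit lines
# once they have been shipped to a syslog server. The lines below imitate a
# simplified syslog layout and are NOT real NetScaler output.
set -eu

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar 21 10:15:32 ns01 AAA LOGIN_FAILED user=alice client_ip=203.0.113.5 vserver=vpn_vs
Mar 21 10:15:40 ns01 AAA LOGIN_FAILED user=bob client_ip=203.0.113.5 vserver=vpn_vs
Mar 21 10:15:47 ns01 AAA LOGIN_FAILED user=carol client_ip=203.0.113.5 vserver=vpn_vs
Mar 21 10:15:55 ns01 AAA LOGIN_FAILED user=dave client_ip=203.0.113.5 vserver=vpn_vs
Mar 21 10:16:02 ns01 AAA LOGIN_SUCCESS user=erin client_ip=198.51.100.7 vserver=vpn_vs
Mar 21 10:16:10 ns01 AAA LOGIN_FAILED user=erin client_ip=198.51.100.7 vserver=vpn_vs
Mar 21 10:17:00 ns01 CMD_EXECUTED user=nsroot client_ip=192.0.2.20 cmd="set ha node -hastatus STAYSECONDARY" status=Success
Mar 21 10:18:30 ns01 AAA LOGIN_FAILED user=alice client_ip=203.0.113.9 vserver=vpn_vs
EOF

# Fields in the constructed layout: 1-3 timestamp, 4 host, 5 subsystem,
# 6 event, 7 user=..., 8 client_ip=..., 9+ remaining key=value pairs.

# failed_logins_by_ip LOG  ->  "<count> <ip>" lines, highest count first
failed_logins_by_ip() {
    awk '$5 == "AAA" && $6 == "LOGIN_FAILED" {
             split($8, kv, "="); n[kv[2]]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# ips_over_threshold LOG N  ->  source addresses with at least N failed logons
ips_over_threshold() {
    failed_logins_by_ip "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# distinct_users_failed_from LOG IP  ->  number of different user names tried
# from IP. Many users from one address looks like a password spray; many
# failures for a single user looks like a brute force against that account.
distinct_users_failed_from() {
    awk -v want="client_ip=$2" '
        $5 == "AAA" && $6 == "LOGIN_FAILED" && $8 == want {
            split($7, kv, "="); users[kv[2]] = 1
        }
        END { c = 0; for (u in users) c++; print c }' "$1"
}

# admin_commands LOG  ->  the audit trail of configuration commands that ran
admin_commands() {
    awk '$5 == "CMD_EXECUTED"' "$1"
}

echo "failed logons by source address:"
failed_logins_by_ip "$SAMPLE_LOG"
echo "sources at or above 3 failures:"
ips_over_threshold "$SAMPLE_LOG" 3
echo "distinct users tried from 203.0.113.5: $(distinct_users_failed_from "$SAMPLE_LOG" 203.0.113.5)"
echo "configuration commands executed:"
admin_commands "$SAMPLE_LOG"
```

The field positions are fixed to the constructed layout; against a real syslog feed the awk patterns would be adjusted to the appliance's actual message format, but the questions asked (who failed, from where, how many accounts, and what was changed on the box) stay the same.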

 

4.4

Task Description: Configure AAA (Authentication, Authorization, Accounting)

Testing Aspect: What

AAA provides security for a distributed Internet environment by allowing any client with the proper credentials to connect securely to protected application servers from anywhere on the Internet.

  • Any user who wants to access the intranet must have a valid user name and password.
  • To meet these requirements, the NetScaler appliance takes the following actions:
    • Collect the user's credentials.
    • Deliver the credentials to the authentication server.
    • Cache the credentials in a directory that is accessible through LDAP.

An authentication virtual server can be created to support two-factor authentication.

  • For example:
    • A company has a legacy web application that does NOT support two-factor authentication, and company policy requires two-factor authentication for all web applications.
    • Create an authentication virtual server to support two-factor authentication.

 

4.7

Task Description: Set up two-factor authentication (RADIUS, TACACS)

Testing Aspect: How

When configuring TACACS+ authentication on NetScaler Gateway, an administrator should:

  • Click New next to Server.
  • Type a name for the server.
  • Under Server, type the IP address and port number of the TACACS+ server.
  • Under TACACS server information, in TACACS Key and Confirm TACACS Key, type the shared key.

To add a root certificate for smart card authentication to a vServer:

  • In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and click Virtual Servers.
  • In the details pane, select a vServer and click Open.
  • On the Certificates tab, under Available, select the certificate.
  • Click the Add drop-down box, click As CA, and click OK.

 

Section 5: Integrating with Citrix, Microsoft and 3rd-party technologies

5.1

Task Description: Configure Secure Ticket Authority (STA) when configuring NetScaler for integration with XenDesktop/XenApp

Testing Aspect: How

To remove an STA server from a VPN vServer on Access Gateway by using the CLI, use the command:

  • unbind vpn vserver <name> -staServer <URL>
    • <name> is the name of the VPN vServer.
    • <URL> is the URL of the STA server.

An administrator can bind the Secure Ticket Authority (STA) globally or to vServers.

  • It is also possible to add multiple servers running the STA when configuring a vServer.
  • When securing communications between the Access Gateway and the STA, make sure a server certificate is installed on the server running the STA.
  • To bind the STA globally or to virtual servers:
    • In the configuration utility, in the navigation pane, click Access Gateway.
    • In the details pane, under Policy Manager, click Change group settings and user permissions.
    • In the Access Gateway Policy Manager, under Configured Policies / Resources, expand either Access Gateway Global or Virtual Servers.
    • If Virtual Servers is selected, expand a node and then select a server.
    • Click STA Servers.
    • Under Related Tasks, click Bind new STA server.
    • In the STA Server dialog box, in URL, type the IP address or fully qualified domain name (FQDN) of the server running the STA and click Create.
    • Note: More than one server running the STA can be added to the list.
  • The STAs that are listed in the Web Interface must match the STAs that are configured on Access Gateway.

 

5.2

Task Description: Use AppExpert templates to integrate with 3rd-party technologies

Testing Aspect: How

Using the configuration utility, an administrator can import AppExpert templates to a NetScaler appliance in two ways:

  • The first way is through the AppExpert Template Wizard:
    • Navigate to AppExpert > Applications.
    • In the details pane, click Applications and click Import.
    • Follow the instructions in the AppExpert Template Wizard.
  • The second way is to upload an AppExpert application template from a local computer to the NetScaler appliance:
    • Navigate to AppExpert > Templates.
    • In the details pane, click Manage Templates.
    • In the Manage Application Templates dialog box, click Application Templates and click Upload.
    • In the Upload Application Template dialog box, browse to the directory in which the template file is stored, click the template file, and click Select.
    • The template file is uploaded to the AppExpert application template directory on the appliance.

When exporting an AppExpert application, all application-configuration information is exported to a template file.

 

5.3

Task Description: Configure NetScaler for integration with Microsoft products, i.e. IIS, SharePoint, Exchange (load balancing, Outlook), etc.

Testing Aspect: How

To direct users to a specific virtual directory, an administrator should configure Rewrite for the request sent from the NetScaler to the server.

  • Rewrite refers to the rewriting of some information in the requests or responses handled by a NetScaler appliance.
  • Rewriting can help in providing access to requested content (in a virtual directory) without exposing unnecessary details about a web site's actual configuration.
  • Use Rewrite to manipulate data in HTTP requests and responses.
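What the appliance-side rewrite actually does to a request is easier to see on a raw request line. The script below is an added example, not from the study guide and not NetScaler configuration: it applies the "send users to a virtual directory" rewrite in plain shell, leaving every path other than the site root untouched, and contrasts it with a redirect, which is what the text's "without exposing details of the web site's actual configuration" rules out. The /owa/ virtual directory and the sample request lines are constructed.

```shell
#!/bin/sh
# Added example (not from the study guide): the request-side rewrite described
# above, applied to raw HTTP request lines. The "/owa/" virtual directory and
# the sample request lines are constructed.
set -eu

VIRTUAL_DIR="/owa/"   # assumed virtual directory the back-end server expects

# rewrite_request_line "GET / HTTP/1.1"  ->  "GET /owa/ HTTP/1.1"
# Only a request for the site root is changed; every other path passes through,
# so applying the rewrite twice is harmless. The change happens between the
# NetScaler and the server: the client keeps the URL it asked for and learns
# nothing about where the content really lives.
rewrite_request_line() {
    method="${1%% *}"
    rest="${1#* }"
    path="${rest%% *}"
    version="${rest#* }"
    case "$path" in
        /)    path="$VIRTUAL_DIR" ;;                    # bare root
        /\?*) path="$VIRTUAL_DIR${path#/}" ;;           # root plus query string, kept
    esac
    printf '%s %s %s' "$method" "$path" "$version"
}

# For contrast: a redirect answers the client instead of fixing the request,
# so the browser makes a second round trip and the virtual directory name is
# exposed in the Location header.
redirect_response_for() {
    printf 'HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\n\r\n' "$VIRTUAL_DIR"
}

rewrite_request_line "GET / HTTP/1.1"; echo
rewrite_request_line "GET /?rfr=owa HTTP/1.1"; echo
rewrite_request_line "GET /owa/auth.aspx HTTP/1.1"; echo
```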

 

To provide access for users on a Microsoft Exchange 2010 platform using RPC Client Access:

  • Select the TCP health monitor.
  • Use the Round Robin load balancing algorithm.

Section 6: Configuring Disaster Recovery (i.e. for NetScaler appliance, server/service and datacenter failures)

6.3

Task Description: Configure high availability

Testing Aspect: How

To configure two NetScaler appliances in different physical locations and on different subnets, ensure that INC mode is enabled during the creation of the HA pair.

  • When in INC mode, route monitors are neither propagated by nodes nor exchanged during synchronization, but they are active on both the primary and secondary nodes.
  • Also, each NetScaler appliance displays the state of a route monitor as DOWN if the corresponding route entry is not present in its internal routing table.

In an HA setup, the secondary node can be forced to stay secondary regardless of the state of the primary node.

  • To force the secondary node to stay secondary when using the configuration utility:
    • In the Configure Node dialog box, under High Availability Status, select STAY SECONDARY.
  • In the CLI, type:
    • set ha node -hastatus STAYSECONDARY

6.4

Task Description: Enable disaster recovery for datacenter failure

Testing Aspect: How

GSLB extends the traffic management capabilities of a NetScaler to include distributed Internet sites and global enterprises.

  • Whether installations are spread across multiple network locations or multiple clusters in a single location, the NetScaler maintains availability and distributes traffic across them.
  • An administrator should configure the NetScaler implementation as a GSLB cluster in a situation such as the following:
    • Two NetScalers must be configured to sustain a possible failure of a datacenter.
    • The Internet connection and both NetScalers must be actively used.
    • Each datacenter has an Internet connection from a different Internet service provider.

A high availability (HA) deployment of two NetScaler appliances can provide uninterrupted operation in any transaction.

  • With one appliance configured as the primary node and the other as the secondary node:
    • The primary node accepts connections and manages servers.
    • The secondary node monitors the primary.
    • If, for any reason, the primary node is unable to accept connections, the secondary node takes over.
