1Y0-250 Citrix Study Guide Part Three

Part 1, Part 2

Section 7: Customizing Traffic in a NetScaler implementation

 

7.1

 

Task Description: Configure Responder, Rewrite, or URL transform

 

Testing Aspect: How (Consider the when)

 

  • When redirecting client requests to an alternative URL, NetScaler redirects HTTP or HTTPS client requests to the URL configured on the load balancing virtual server (its redirect URL setting) only while that virtual server is DOWN or disabled.

 

  • This URL can be a local or a remote link.

 

  • Redirects can be absolute URLs or relative URLs.

 

  • The domain specified in the redirect URL must not be the same as the domain specified in the domain name argument of a content switching policy.

 

  • If the same domain is specified in both arguments, the request is redirected continuously to the same unavailable virtual server in the NetScaler appliance and the user cannot get the requested content.

 

  • To accept any type of image to a specific virtual server, an administrator should use the following default-syntax expression:
    • HTTP.REQ.HEADER("Content-Type").CONTAINS("image")

  • CONTAINS("image") matches any image media type (image/jpeg, image/png, and so on). It is a substring match, so it also matches any other Content-Type value that happens to contain the word "image".

  • Caveat: the Content-Type header of a request describes the body the client is sending (an image upload, for example), not the content it is asking for. To route requests for image files, match the requested URL instead, for example HTTP.REQ.URL.SUFFIX.SET_TEXT_MODE(IGNORECASE).EQ("jpg").
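Worked example, added here and not taken from the original guide or from Citrix documentation: the three mechanisms above as NetScaler CLI commands. A redirect URL only fires while the virtual server is DOWN, a responder policy redirects while it is UP, and a rewrite policy edits headers in flight. Virtual server names, addresses and the maintenance host name are assumptions.

```text
# Added example: NetScaler CLI. Names, addresses and maintenance.example.com are assumed.

# 1. Redirect URL: served only while the LB virtual server itself is DOWN or disabled.
add lb vserver web_https SSL 10.0.0.10 443 -redirectURL "https://maintenance.example.com/"

# 2. Responder: an active redirect that applies while the virtual server is UP.
#    Here plain-HTTP requests are sent to HTTPS, preserving host, path and query.
add lb vserver web_http HTTP 10.0.0.10 80
add responder action to_https_act redirect "\"https://\" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.PATH_AND_QUERY" -responseStatusCode 301
add responder policy to_https_pol "HTTP.REQ.IS_VALID" to_https_act
bind lb vserver web_http -policyName to_https_pol -priority 100 -gotoPriorityExpression END -type REQUEST

# 3. Rewrite: strip the back-end Server header from responses so the web server
#    product and version are not exposed to clients.
add rewrite action del_server_act delete_http_header Server
add rewrite policy del_server_pol "HTTP.RES.HEADER(\"Server\").EXISTS" del_server_act
bind lb vserver web_https -policyName del_server_pol -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

# Verify the bindings and hit counters after sending test requests.
show responder policy to_https_pol
show rewrite policy del_server_pol
show lb vserver web_https
```

The responder uses 301 rather than 302 so browsers cache the upgrade to HTTPS; the redirect URL on web_https has no such choice, because it is only ever served when the back end is unreachable.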

 

7.2

 

Task Description: Configure SSL Offload

 

Testing Aspect: How (Consider the when)

 

  • An SSL based virtual server is a load balancing virtual server of protocol type SSL or SSL_TCP.

 

  • The load balancing feature must be enabled on the NetScaler.

 

  • Since the NetScaler appliance performs SSL offload and acceleration on behalf of the web servers, the appliance does not usually authenticate the web servers' certificates.

 

  • However, the servers can be authenticated in deployments that require end-to-end SSL encryption.

 

  • In such a situation, the NetScaler:

 

  • Becomes the SSL client

 

  • Carries out a secure transaction with the SSL server

 

  • Verifies that a CA whose certificate is bound to the SSL service has signed the server certificate

 

  • Checks the validity of the server certificate

 

  • If the web servers are NOT SSL servers (the appliance terminates SSL and forwards clear text to them), the services should be configured with protocol HTTP on port 80 rather than SSL on port 443.
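Worked example, added here and not part of the original guide or Citrix's documentation: an SSL offload virtual server with a clear-text HTTP service, and beside it the end-to-end variant in which the appliance acts as SSL client and verifies the back-end certificate against a CA bound to the service. Names, addresses and certificate file paths are assumptions.

```text
# Added example: NetScaler CLI. Names, addresses and file paths are assumed.
enable ns feature LB SSL

# SSL offload: SSL on the client side, clear-text HTTP to the back end (port 80).
add service web1_http 192.168.1.10 HTTP 80
add ssl certKey web_cert -cert /nsconfig/ssl/web.crt -key /nsconfig/ssl/web.key
add lb vserver web_https SSL 10.0.0.10 443
bind ssl vserver web_https -certkeyName web_cert
bind lb vserver web_https web1_http

# End-to-end SSL: the appliance becomes the SSL client toward the back end.
# With serverAuth enabled it checks that the server certificate is valid and
# was signed by the CA bound to the service, and that the CN matches.
add service web1_ssl 192.168.1.10 SSL 443
add ssl certKey corp_root_ca -cert /nsconfig/ssl/corp-root-ca.crt
bind ssl service web1_ssl -certkeyName corp_root_ca -CA
set ssl service web1_ssl -serverAuth ENABLED -commonName web1.corp.example
bind lb vserver web_https web1_ssl

# Verify: serverAuth ENABLED and the CA cert on the service, server cert on the vserver.
show ssl service web1_ssl
show ssl vserver web_https
```

Without serverAuth the appliance accepts any certificate the back end presents, which is the default and is acceptable only when the server-side network is trusted.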

 

7.3

 

Task Description: Set up Content Switching

 

Testing Aspect: How (Consider the when)

 

  • Content switching can present different content to different users.

 

  • For example:

 

  • Present content relevant to a specific geographical area to users from that area.

 

  • Present content in different languages to the speakers of those languages.

 

  • To provide a fault-tolerant website and ensure that users always have access to their information, an administrator should configure a backup virtual server for the content switching virtual server in the Content Switching node.

 

  • If the primary content switching virtual server is marked DOWN or DISABLED, the NetScaler appliance can direct requests to a backup content switching virtual server.

 

  • It can also send a notification message to the client regarding the site outage or maintenance.

 

  • The backup content switching virtual server is a proxy and is transparent to the client.
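Worked example, added here and not from the original guide or from Citrix: a content switching virtual server that routes image requests by URL suffix, with a backup content switching virtual server that takes over when the primary is DOWN or DISABLED. Names and addresses are assumptions.

```text
# Added example: NetScaler CLI. Names and addresses are assumed.
enable ns feature CS LB

# Non-addressable LB virtual servers that the content switch targets.
add lb vserver lb_images HTTP 0.0.0.0 0
add lb vserver lb_web HTTP 0.0.0.0 0
add lb vserver lb_sorry HTTP 0.0.0.0 0

# Primary content switching virtual server: image requests by URL suffix,
# everything else to the general web pool (default LB vserver).
add cs vserver cs_main HTTP 10.0.0.20 80
add cs action act_images -targetLBVserver lb_images
add cs policy pol_images -rule "HTTP.REQ.URL.SUFFIX.SET_TEXT_MODE(IGNORECASE).EQ(\"jpg\") || HTTP.REQ.URL.SUFFIX.SET_TEXT_MODE(IGNORECASE).EQ(\"png\")" -action act_images
bind cs vserver cs_main -policyName pol_images -priority 100
bind cs vserver cs_main -lbvserver lb_web

# Backup content switching virtual server, used only while cs_main is DOWN or DISABLED.
# It is a transparent proxy: the client keeps talking to 10.0.0.20.
add cs vserver cs_backup HTTP 0.0.0.0 0
bind cs vserver cs_backup -lbvserver lb_sorry
set cs vserver cs_main -backupVServer cs_backup

show cs vserver cs_main
```

Matching on the requested suffix rather than a request header keeps the decision under the administrator's control; a client can send any Content-Type it likes, but the suffix check only decides which pool serves the file.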

 

 

Section 8: Setting up auditing, monitoring and reporting for the NetScaler implementation

 

8.1

 

Task Description: Determine what needs to be monitored (services/servers)

 

Testing Aspect: Where [method] to send what [services/servers/etc] monitoring information

 

  • The Simple Network Management Protocol (SNMP) network management application, running on an external computer, queries the SNMP agent on the NetScaler.

 

  • The agent searches the management information base (MIB) for data requested by the network management application and sends the data to the application.

 

  • SNMP monitoring uses trap messages and alarms.
  • SNMP trap messages are asynchronous events that the agent generates to signal abnormal conditions, which are indicated by alarms.
  • SNMPv1 and v2c authenticate the manager with a clear-text community string only; use SNMPv3 with authentication and privacy where the manager supports it, and restrict which managers may query the agent.

 

  • Reverse monitors are monitors that mark the service as DOWN when the probe criteria are met and mark the service as UP when the criteria are NOT met.

 

  • Reverse monitors can be used in a situation when only one of the two available services is used.
    • The reverse monitor marks the secondary service as DOWN as long as the primary service is UP.

 

  • When the primary service goes DOWN, it marks the secondary as UP.

 

  • Reverse monitors probe the server directly: the monitor is bound to the secondary service but its destination IP and port point at the primary server, so the secondary's state is derived from the primary's health rather than from the secondary itself.
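Worked example, added here and not from the original guide or Citrix's documentation: the SNMP side (a v3 user, a manager, a trap destination and an alarm threshold) and the reverse-monitor pattern described above. Addresses, names and passphrases are assumptions; the Citrix enterprise subtree 1.3.6.1.4.1.5951 is real.

```text
# Added example: NetScaler CLI. Addresses, names and passphrases are assumed.

# --- SNMP: read-only SNMPv3 with auth+priv, restricted to one manager ---
add snmp view ns_view 1.3.6.1.4.1.5951 -type included
add snmp group ns_ro_group authPriv -readViewName ns_view
add snmp user nms_user -group ns_ro_group -authType SHA -authPasswd "Auth-Passphrase-1" -privType AES -privPasswd "Priv-Passphrase-1"
add snmp manager 10.0.0.50

# Traps for alarm conditions, sent as v3 under the same user.
add snmp trap generic 10.0.0.50 -version V3 -severity Major
bind snmp trap generic 10.0.0.50 -userName nms_user -securityLevel authPriv
set snmp alarm CPU-USAGE -thresholdValue 90 -normalValue 60 -severity Major
enable snmp alarm CPU-USAGE

# --- Reverse monitor: a standby service that is UP only while the primary is DOWN ---
add service svc_primary 192.168.1.10 HTTP 80
add service svc_standby 192.168.1.11 HTTP 80
# Bound to the standby service, but probing the primary server (destIP/destPort).
# Probe succeeds (primary answers) => criteria met => standby marked DOWN.
add lb monitor mon_primary_reverse TCP -destIP 192.168.1.10 -destPort 80 -reverse YES
bind lb monitor mon_primary_reverse svc_standby
add lb vserver lb_web HTTP 10.0.0.10 80
bind lb vserver lb_web svc_primary
bind lb vserver lb_web svc_standby

# With the primary answering, svc_standby reports DOWN; stop the primary and it flips to UP.
show service svc_standby
```

The alarm's normalValue is lower than its threshold so a CPU hovering around 90% does not generate a trap storm; the standby service keeps its own default HTTP monitor as well, so it is only ever UP when the primary is unreachable and the standby itself answers.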

 

8.2

 

Task Description: Identify which reporting tool to use for monitoring (EdgeSight, Command Center, SNMP, Syslog, etc.)

 

Testing Aspect: What

 

  • Using Command Center, an administrator can configure views to monitor specific events and alarms based on the supplied criteria.

 

  • Command Center views make it easier to monitor a large number of events generated across a NetScaler infrastructure.

 

  • The Call Home feature monitors a NetScaler appliance for common error conditions.

 

  • Call Home registers the appliance with the Citrix Technical Support server.

 

  • If the appliance is successfully registered with the Support server, Call Home automatically uploads system data to that server in the event that one of the conditions occurs.

 

  • The NetScaler Appliance keeps a full log of all upload events.

 

  • If an administrator is unable to correct the problem after reviewing the appliance's log, the administrator can contact the Citrix Technical Support team and open a service request and the team can analyze the uploaded system data and recommend possible solutions.

 

8.4

 

Task Description: Determine how to configure auditing through Syslog from the wizard

 

Testing Aspect: How

 

  • The syslog viewer can be invoked for a security check (for example from an application firewall profile's security checks).

  • The current ns.log file is downloaded and the entries that are relevant to the desired security check are displayed.

  • When configuring logging on Access Gateway, an administrator can choose to store the audit logs on a server or on Access Gateway:
    • While configuring an audit policy, choose Syslog to store the audit logs on a syslog server.
    • Choose Nslog to store the audit logs on Access Gateway.

  • Classic syslog is unauthenticated and, over UDP, unreliable. Keep the syslog server on a trusted management network or a tunnel, have it accept messages only from the NetScaler IPs, and prefer a copy off-box: logs that exist only on the appliance are lost if it is reset or compromised.
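Worked example, added here and not from the original guide or from Citrix: a syslog action and policy bound globally (and to an Access Gateway virtual server), beside an nslog action for on-appliance storage. The syslog server address, names and the Access Gateway virtual server name are assumptions; pointing the nslog action at the loopback address for local storage is also an assumption.

```text
# Added example: NetScaler CLI. Server address, names and the vpn vserver name are assumed.

# Remote syslog: ship audit events off-box, including TCP and ACL events.
add audit syslogAction syslog_act 10.0.0.60 -serverPort 514 -logLevel ALL -logFacility LOCAL0 -dateFormat MMDDYYYY -timeZone LOCAL_TIME -tcp ALL -acl ENABLED
add audit syslogPolicy syslog_pol ns_true syslog_act
bind system global syslog_pol -priority 100

# Access Gateway: bind the same policy to the gateway virtual server so logon
# and session events are audited as well.
bind vpn vserver gw_vs -policy syslog_pol -priority 100

# Local nslog: events stay on the appliance (assumed loopback destination).
add audit nslogAction nslog_act 127.0.0.1 -logLevel ALL
add audit nslogPolicy nslog_pol ns_true nslog_act
bind system global nslog_pol -priority 200

# Verify the action and look at recent audit messages.
show audit syslogAction syslog_act
show audit messages
```

Two destinations are not redundant: the remote copy is the one to trust during an incident, the local copy is what the syslog viewer in the GUI reads.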

 

 

Section 9: Troubleshooting issues on NetScaler

 

9.1

 

Task Description: Debug Authentication, Authorization and Accounting (AAA)

 

Testing Aspect: How

 

  • NetScaler keeps track of the interfaces through which operations are executed.

 

  • View the information in the ns.log file, located in the /var/log/ directory.

 

  • For example, if monitoring software generates the following error message during some operations:

    ERROR: Not authorized to execute this command

    the log file ns.log can be used to find the denied commands.

 

  • An administrator should use the command:

    stat aaa authfails

    to show the number of failed authentication attempts on an Access Gateway.

  • For a live view of each authentication attempt and the reason it failed (LDAP bind errors, RADIUS rejects), run cat /tmp/aaad.debug from the shell while the user logs on.

 

  • The host ID required to allocate a license is based on the MAC address of the NetScaler VPX virtual appliance (shown as Host Id in the output of show hardware); changing the appliance's MAC address therefore invalidates its license.

 

  • The host ID of the NetScaler VPX appliance on which a license is installed must match the host ID on the NetScaler VPX Platinum platform license.

 

  • Every NetScaler appliance that is added to a cluster must have a copy of the cluster license file in the /nsconfig/license/ directory.

 

  • Additionally, every appliance must have the same license files available.

 

9.3

 

Task Description: Troubleshooting Certificates

 

Testing Aspect: How

 

  • A NetScaler appliance supports the SSLv2, SSLv3, TLSv1, TLSv1.1, and TLSv1.2 protocols.

  • Each of these can be enabled or disabled per virtual server (and per service) as required by the deployment and the type of clients that will connect to the appliance.

  • SSLv2 and SSLv3 are broken (SSLv3 is exposed to POODLE) and should remain disabled; TLSv1 and TLSv1.1 are deprecated and should be disabled wherever clients allow it. A disabled protocol is simply not offered in the handshake, so an old client fails to connect rather than silently downgrading.

 

  • To configure SSL protocol support by using the configuration utility:

 

  • Navigate to Traffic Management > SSL Offload > Virtual Servers (expand SSL Offload and click Virtual Servers).

 

  • Select the virtual server on which to customize SSL settings and click Open.

 

  • On the SSL Settings tab, click SSL Parameters.

 

  • In the Configure SSL Params dialog box, in the SSL Protocol group, select the protocol options to enable.

 

  • For SSL transactions, establishing the initial SSL handshake requires CPU-intensive public key encryption operations.

 

  • Most handshake operations are associated with the exchange of the SSL session key (client key exchange message).

 

  • When a client session is idle for some time and is then resumed, the SSL handshake is typically conducted all over again.

 

  • With the session reuse feature enabled, session key exchange is avoided for session resumption requests received from the client.

 

  • Session reuse is enabled on a NetScaler appliance by default.

 

  • Session reuse reduces server load, improves response time, and increases the number of SSL transactions per second (TPS) that can be supported by the server.

 

  • To configure session reuse by using the configuration utility:
    • Expand SSL Offload, click Virtual Servers, select the virtual server on which to customize SSL settings, and click Open.

 

  • On the SSL Settings tab, click SSL Parameters.

 

  • In the Configure SSL Params dialog box, specify a value for session reuse.
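Worked example, added here and not from the original guide or Citrix's documentation: the same protocol and session-reuse settings from the CLI, with a cipher group restriction added. The virtual server name is an assumption, and which TLS versions and cipher names are available depends on the firmware release.

```text
# Added example: NetScaler CLI. Virtual server name is assumed.

# Protocols: drop SSLv2, SSLv3 and the deprecated TLS versions; keep TLSv1.2.
set ssl vserver web_https -ssl2 DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED

# Session reuse (enabled by default): resumptions skip the public-key exchange.
# Keep the cache lifetime short so a captured session ID has a small window.
set ssl vserver web_https -sessReuse ENABLED -sessTimeout 300

# Ciphers: replace the DEFAULT group with the appliance's high-strength group.
unbind ssl vserver web_https -cipherName DEFAULT
bind ssl vserver web_https -cipherName HIGH

# Confirm: SSLv2/SSLv3 lines read DISABLED and Session Reuse reads ENABLED.
show ssl vserver web_https
```

Session reuse trades a little forward secrecy for CPU: a resumed session reuses the earlier master secret, which is why the timeout is worth bounding rather than left at the maximum.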

 

9.4

 

Task Description: Show connection table and routes

 

Testing Aspect: How

 

  • The command-line interface command:

    show ns connectiontable

    displays the current TCP/IP connection table.

  • Adding the filter expression STATE==ESTABLISHED shows only established connections.

  • The -detail parameter specifies display options for the connection table.

  • The -detail value LINK displays the linked Protocol Control Block (the other half of a proxied connection).

  • A full synopsis of the command:

    show ns connectiontable [<filterexpression>] [-detail <detail> ...]

 

  • Using the configuration utility, an administrator can view configured IPv4 routes with the following steps:
    • Navigate to System > Network > Routes.
    • In the details pane, on the Basic tab, click Open to see existing IPv4 routes.

  • From the CLI, show route lists the same routes.

 

9.5

 

Task Description: Read and interpret logs

 

Testing Aspect: What [does it mean]

 

  • When lmgrd reports an unknown host, as in the output below, the license server cannot resolve the appliance's host name: delete /nsconfig/hosts, correct the host name in /nsconfig/rc.conf, and restart after each change.

    1:33:22 (lmgrd) Unknown host: cag
    1:33:22 (lmgrd) Shut down FLEXnet CITRIX license server system on machine node0
    1:33:22 (lmgrd) EXITING DUE TO SIGNAL 33
    lmstat - Copyright (c) 1989-2006 Macrovision Europe Ltd. and/or Macrovision Corporation. All Rights Reserved.
    Flexible License Manager status on Thu 8/9/2007 01:33
    Error getting status: Cannot find license file. (-1,359:2 "No such file or directory")

  • A "Wrong hostid on SERVER line" error, as in the output below, means the license file was allocated for a different host ID: the SERVER line carries the host ID the license was generated for (4e2003036c47) while the appliance's host ID, derived from its MAC address, is 06e089e0b0fd. Editing the host name in rc.conf does not change the host ID. Either reallocate the license for the appliance's actual host ID or restore the MAC address the license was issued for, place the new .lic file in /nsconfig/license/, and restart.

    17:48:02 (CITRIX) Server started on node0 for: CNS_CLUST_SERVER
    17:48:02 (CITRIX) CNS_SPE_SERVER   CNS_SPE_SERVER   CNS_V1000_SERVER
    17:48:02 (CITRIX)
    17:48:02 (CITRIX) Licenses are case sensitive for CITRIX
    17:48:02 (CITRIX)
    17:48:02 (CITRIX) Wrong hostid on SERVER line for license file: /nsconfig/license/node1-VPX_3000.lic
    17:48:02 (CITRIX) SERVER line says 4e2003036c47, hostid is 06e089e0b0fd
    17:48:02 (CITRIX) Invalid hostid on SERVER line

 

9.6

 

Task Description: Troubleshoot High Availability (HA)

 

Testing Aspect: What [is causing the issue]

 

  • An administrator should run the commands show ha node and show interface to collect the necessary information about constant changes to the high availability (HA) status.
    • The command show ha node displays the HA settings of both nodes or just the specified node, including the master state, node state and sync state.

 

  • Use this command to display the master state (primary or secondary) of the nodes in a HA configuration.

 

  • The command show interface displays the settings of all interfaces or of the specified interface on the NetScaler appliance.

 

  • To display the settings of all interfaces, run the command without any parameters.

 

  • To display the settings of a particular interface, specify the ID of the interface.

 

  • When an administrator receives an alert that monitored NetScaler appliances are failing over unexpectedly, the following are possible causes:

 

  • Interface is down

 

  • SSL acceleration card is down

 

  • System stopped responding

 

9.8

 

Task Description: Use telnet or monitors to check the ports

 

Testing Aspect: How

 

  • When an administrator creates a service group, the default monitor of the type appropriate for the group is automatically bound to it.

 

  • Monitors periodically probe the servers in the service group to which they are bound and update the state of the service groups.

 

  • It is possible to bind different monitors to the service group.

 

  • DNS uses UDP port 53 for ordinary queries and TCP port 53 for responses larger than 512 bytes and for zone transfers, so both must be reachable.

  • If a NetScaler appliance is using a DNS server on a separate network with a firewall in between the appliance and the DNS server, make sure that port 53 is not blocked for either protocol.

  • Check the logs of the firewall.

  • Use telnet from the NetScaler shell to test connectivity to the DNS server on port 53. Telnet only exercises TCP; a resolver query from the shell (nslookup or dig, where present) exercises UDP, and a DNS monitor bound to the name server's service checks it continuously.
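Worked example, added here and not from the original guide or from Citrix: instead of a one-off telnet, bind a UDP and a TCP DNS monitor to a service for the name server so the appliance reports which path through the firewall is broken. The server address and query name are assumptions.

```text
# Added example: NetScaler CLI. Addresses and the query name are assumed.

# Probe the DNS server's port through the firewall with monitors.
add service dns_svc 10.0.0.53 DNS 53
add lb monitor mon_dns_udp DNS -query example.com -queryType Address
add lb monitor mon_dns_tcp DNS-TCP -query example.com -queryType Address
bind lb monitor mon_dns_udp dns_svc
bind lb monitor mon_dns_tcp dns_svc
# All bound monitors must succeed for the service to be UP; the output names the failing probe.
show service dns_svc

# The name server the appliance itself uses also gets a state.
add dns nameServer 10.0.0.53
show dns nameServer

# Manual check from the shell (TCP only; telnet cannot exercise UDP 53).
shell
telnet 10.0.0.53 53
```

A real query (rather than a bare TCP connect) is what proves the firewall passes DNS: a middlebox that allows the connection but mangles the payload shows up as a DOWN monitor, not as a successful telnet.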

 

9.9

 

Task Description: Conduct packet tracing in GUI and shell.

 

Testing Aspect: How

 

  • To run and download network path trace files from a NetScaler appliance:

 

  • Use a Secure Shell (SSH) client to run the network path traces.

 

  • Such as PuTTy

 

  • Use a Secure Copy (SCP) client to download the network path traces.

 

  • Such as WinSCP

 

  • When a support case has been created with Citrix Technical Support to troubleshoot an issue:

 

  • Create an archive of the system configuration data and statistics for submission to Citrix Technical Support so they can further investigate the issue.

 

  • To obtain the collector file by using the command line interface, run the following command:

 

show techsupport

 

  • After the appliance generates the collector archive, the location of the file is displayed.

 

  • Download the file from the appliance using a Secure FTP (SFTP) or Secure Copy (SCP) utility.

 

  • Such as WinSCP

 

  • Upload it to Auto Support for analysis.
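Worked example, added here and not from the original guide or Citrix's documentation: a filtered packet trace started and stopped from the CLI, followed by the collector archive for a support case. The client address is an assumption; the -traceFormat option and the exact output paths depend on the firmware release.

```text
# Added example: NetScaler CLI. The client IP is assumed.

# Capture only the client of interest, full packets, in pcap format for Wireshark.
start nstrace -size 0 -mode RX NEW_RX TXB TX -filter "CONNECTION.IP.EQ(10.1.1.25)" -traceFormat PCAP
# ... reproduce the problem ...
stop nstrace
show nstrace
# Trace files land under /var/nstrace/<timestamp>/; fetch them over SCP (for example WinSCP) via the NSIP.

# Collector archive of configuration and statistics for Citrix Technical Support.
show techsupport
# The last lines print the archive path, e.g. /var/tmp/support/collector_<...>.tar.gz; download it over SCP or SFTP.
```

Filtering at capture time matters on a busy appliance: an unfiltered full-packet trace fills /var quickly and carries every other tenant's traffic, including credentials in clear-text HTTP, into the support case.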

 

9.10

 

Task Description: Troubleshooting connectivity between rules (like rewrites) and third party products (like XA/XD/web apps)

 

Testing Aspect: What to look for when there is an issue

 

  • When an administrator publishes Microsoft Exchange Outlook Web App (OWA) through NetScaler using a secure HTTPS connection and obtains an SSL wildcard certificate for the purpose of publishing OWA, users might receive an error message that the certificate is NOT trusted when they try to log on.
    • In this case, the administrator should:
      • Export the certificate (with its private key) from the OWA server.
      • Import the certificate into NetScaler.
      • Bind the certificate to the OWA virtual server.
  • Because the NetScaler terminates the SSL connections on behalf of the Exchange system (offloading that burden), the NetScaler needs the SSL certificate, including its private key, imported for use in this role. A "not trusted" error that persists after binding usually means the issuing (intermediate) CA certificate is missing: import it and link it to the server certificate so the full chain is sent to clients.
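Worked example, added here and not from the original guide or from Citrix: importing the exported PFX, linking the intermediate CA so the chain is complete, and binding the result to the OWA virtual server. File names, the virtual server name and address are assumptions.

```text
# Added example: NetScaler CLI. File names, names and the address are assumed.

# Import the wildcard certificate exported from the OWA server as a PFX (prompts for the password).
add ssl certKey owa_wild -cert /nsconfig/ssl/owa_wild.pfx -key /nsconfig/ssl/owa_wild.pfx -inform PFX -password

# "Not trusted" on clients is usually a missing intermediate: import and link the issuing CA.
add ssl certKey owa_int_ca -cert /nsconfig/ssl/owa_issuing_ca.crt
link ssl certKey owa_wild owa_int_ca

# Bind to the OWA virtual server and verify the link is shown.
add lb vserver owa_vs SSL 10.0.0.30 443
bind ssl vserver owa_vs -certkeyName owa_wild
show ssl certKey owa_wild
```

Delete the PFX from /nsconfig/ssl once imported if it carries an unprotected private key; the appliance keeps its own copy, and the file is otherwise readable to anyone with shell access.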

 

  • Rewrite refers to the rewriting of some information in the requests or responses handled by a NetScaler appliance.

 

  • Rewriting can help in providing access to requested content (in a virtual directory) without exposing unnecessary details about a web site's actual configuration.

 

  • Use rewrite for manipulating data on HTTP requests and responses.

 

9.11

 

Task Description: Verify the network settings

 

Testing Aspect: How

 

  • The CLI command:

 

show ns ip

 

displays all of the IP addresses such as VIP, MIP, NSIP, and SNIP.

 

  • Mapped IP addresses (MIP) are used as the source address for server-side connections when no subnet IP (SNIP) is used for that subnet (with USNIP mode enabled, the default, a SNIP in the server's subnet takes precedence).

  • If the mapped IP address is the first in the subnet, the NetScaler appliance adds a route entry with this IP address as the gateway to reach the subnet.

  • Back-end servers therefore see connections arriving from the MIP (or SNIP), not from the client's address, unless Use Source IP (USIP) mode is enabled.

 

  • Configuration of a virtual server IP address (VIP) is not mandatory during initial configuration of a NetScaler.

 

  • When load balancing is being configured, VIPs are assigned to virtual servers.

 

  • show ns ip <IPAddress> shows the details of a single owned IP address. To display the content switching virtual servers together with the IP addresses configured for them, type the CLI command:

    show cs vserver

 

9.13

 

Task Description: Troubleshooting the NetScaler start up, possibly including web portal page (modification/customizing)

 

Testing Aspect: Where

 

  • When an administrator is required to rebuild the configuration of the Receiver Theme to the Logon Page on a NetScaler, the administrator should launch the command:

 

tar -xvzf receivertheme.tar.gz

 

in the directory /var/netscaler/gui/vpns/customization/receivertheme.

 

  • To accomplish this, the administrator should:

 

  • Make an SSH connection to NetScaler

 

  • Type shell

 

  • Type cd /var/netscaler/gui/vpns/customization/receivertheme

 

  • Type tar xvzf receivertheme.tar.gz

 

  • HA synchronization propagates the configuration (ns.conf, and with sync ha files selected /nsconfig files), not custom files under /var. In a NetScaler HA implementation the customization files must therefore be copied to the other node, or an identical set created on that node.

  • For example, if users report that the NetScaler Gateway logon page has changed after a failover in a high availability (HA) pair (the former primary node is down and the secondary is now serving traffic), this is because:
    • The customization files were NOT copied to the secondary node, OR
    • An identical set of files was not created on the secondary node.
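Worked example, added here and not from the original guide or Citrix's documentation: the unpack steps above on the primary node, followed by copying the theme directory to the secondary so both nodes serve the same logon page. The secondary's NSIP and the nsroot account are assumptions.

```text
# Added example: run from the primary node's CLI. The secondary NSIP (10.0.0.2) is assumed.
shell
cd /var/netscaler/gui/vpns/customization/receivertheme
tar xvzf receivertheme.tar.gz

# HA does not synchronize /var, so copy the theme to the secondary by hand;
# otherwise the logon page reverts to the default after a failover.
scp -r /var/netscaler/gui/vpns/customization/receivertheme nsroot@10.0.0.2:/var/netscaler/gui/vpns/customization/

# On the secondary, confirm the files are present before the next failover:
#   shell
#   ls /var/netscaler/gui/vpns/customization/receivertheme
```

Repeat the copy after every theme change and after a firmware upgrade, which can replace the customization directory.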
