Citrix NetScaler 10.5

I’m currently working on a project where load balancing is required.  I’ve never had the need to load balance in my personal labs so I wanted to educate myself on the matter.  I turned towards because they offer a “Citrix NetScaler 10.5 1Y0-253 NetScaler 10.5 Essentials and Networking” course with Keith Barker.   Once again, I highly recommend you visit, they provide great training videos for a number of technologies. Below are my notes from the course, they’re not complete (and images removed) because i don’t want to infridge on any copyrights.

The Citrix NetScaler 10.5 for App and Desktop Solutions course provides the concepts and training to install and configure a Citrix NetScaler load balancer and gateway in a virtualization environment such as Citrix XenDesktop/XenApp 7.x. Learners are strongly encouraged to build a lab environment to practice the NetScaler techniques learned in this course. This course is based on the Citrix NetScaler 10.5 product, and the fundamental concepts taught in these Nuggets are common to earlier NetScaler versions as well.

Citrix NetScaler is a multi-functional appliance that can perform as a Layer 4-7 proxy for load balancing, as well as an SSL VPN gateway (or both). Environments that include Citrix XenApp and XenDesktop are likely to use a NetScaler as their remote access and load balancing solution.

The Citrix NetScaler (NS) is a Physical (MPX, SDX) or Virtual (VPX) multi-functoinal appliance that can perform as an ISO Layer 4-7 proxy (Web Application Delivery Controller (ADC)  for load balancing, as well as a security gateway (SSL VPN, Posture Scans, Authentication), or both. NS is a TCP/IP Proxy. Packaged as an Open Virtual Format (.ovf) file.

Virtual IP address (VIP) – Address of the Virtual Server (VS), there will be multiple VS created on the NS.

Subnet IP (SNIP) – Is a configured address that the NS uses to communicate with other servers on that subnet.  SNIP purpose is for NS to believe it is directly connected to that specific network.

NSIP – NetScaler IP is the base address of the device.


LB Traffic Flow

HTTP Request from Client, going to Web Server

NS is configured with a virtual server and given a VIP.  A Firewall allows traffic into the NS and it interprets and manipulates that traffic to route it where it needs to go.  Source IP before it hits the NS is the client IP address and the destination is the logical entity (virtual server) on the NS.  When traffic leaves the NS, it uses the SNIP address as the source IP and the destination is an IP of a server on the local LAN running the service the requestor is looking for.


HTTP Response from Web Server, going back to Client

The destination IP before NS is the SNIP address of the NS, and the source IP before it hits NS is the web server.  Destination IP after NS is the client IP and source IP after NS is the VIP.



Static Routes

Board Gateway Protocol (BGP) – Coordinated effort to route traffic through the internet.

OSPF – is an interior gateway routing protocol.

NetScaler needs to know how to route the traffic it receives. During initial install it asks about default route which is configured as default gateway. The NS usually will use a Firewall configured with its own default gateway pointing to the internet as the NS default gateway.

Internal routes may point to one or more networks so the NS need’s a SNIP in those subnets so it can communicate with other devices within that subnet.

If you’re using physical interfaces on the NS the actual IP addresses for the SNIP’s are not bound to a specific interface.  Interfaces are willing to accept packets for any of the configured networks.


Mapped IP Address (MIP)

By default NS uses SNIP as source address when communicating with servers; and this feature is called “Use SNIP” (USNIP).

If no SNIP setup but a MIP is, it can be used as a last resort address used to communicate with servers in that subnet.


High Availability

Can use duel NS’s one in passive and the other in active mode.  One NS is doing all the work wile the other is sitting idle just making sure the primary is still up and running, if not it fails over.  Any configuration changes made on primary are replicated to the secondary NS.

During configuration, to prevent secondary node from replicating config to primary make sure node states are set to “Stayprimary”, and “Staysecondary”.  After configured and high availability is enabled properly, change the states back to “Enabled (Actively Participate in High Availability).


Building Blocks for LB


-LB Virtual Server (Protocol, VIP, Port) – Logical representation of a server.

-Service (what server, protocol, port) – An application running on a server.

-Monitor – Used for server health checks, ensures service is running on server.

-Real Server (IP / Name of Server) – Points to the real server.

A Virtual Server (VS) object is bound to a Service Object, which is bound to a Server Object.

A monitor function does a health check on the server to ensure its running the appropriate service. A monitor is bound between a Service and a Server.


Implementing Load Balancing (LB)

Add the server objects (actual servers), associate the service objects, add monitors for each service,  then create a load balancing virtual server object with the bound service objects.

Some Methods for load balancing: round robin, least connection, least response time, destination IP Hash, source IP Hash, Least Bandwidth, Least Packets, SRC IP Dest IP Hash, LRTM, SRC IP SRC Port Hash, etc.


Custom Monitors

Default monitors (such as TCP handshake) are very simple. You can use custom monitors to get more granular to ensure the service being monitored is the correct service.

Extended App Verification (EAV)

Extended Content Verification (ECV) – Can look for specific patterns (strings) in a GET request.

XML Broker, Web Interface, Storefront, DC, etc.


Weights and Persistence

Persistence will always use the same server when a request is made by a specific IP address.

Weights are used to determine which server to route traffic to. For example if server A has more resources then server B, you can weight server A higher then B so server A gets more requests.



SSL/TLS Concepts

Steps for installing a Certificate Authority (CA) signed certificate on the NetScaler.

Key Pair (Public and Private)


Certificate contains:
-Public Key of Server
-Signature of CA.

  1. Bob initiates a request.
  2. Server returns a certificate containing the server’s public key.
  3. Bob sends a message encrypted with the servers public key back to the server. Only party that can decrypt this message is the party with the private key (the server).
  4. Server sends a communication back over to Bob which establishes a session key used for the rest of the session. Session key negotiated and established secretly uses symmetrical encryption such as RC4 or 3DES based on capabilities of both parties and what was negotiated.

Authentication provides verification that a client is connecting to the correct server.

 Public Key Infrastructure (PKI)

Certificate Authority (CA) are known trusted authorities such as GoDaddy.

The servers certificate with Public Key are sent to common CA and then signed by that trusted CA. Once signed by a trusted CA, other clients requesting the servers certificate can trust that server because its certificate is signed by a trusted CA.

Implement a CA Signed Certificate:

  1. Generate RSA Key Pair
  2. Create Certificate Signing Request (CSR)
  3. Submit request to the CA
  4. Download and Install the certificate

Wildcard Certificates allow you to use the certificate on multiple servers. i.e. *


Policy Fundamentals

Policies are given a name.

Policies are IF/THEN Statements

The IF is an expression.

The THEN is an action.

The WHERE is where the policy is applied, 1. user objects, 2. group objects, 3. virtual server, 4. globally. It’s important to understand the orders policies are checked 1-4.

Multiple policies can be assigned so policy priority numbers are used to determine which policy to process first, lowest number gets proceeded first.


LDAP Authentication for System Users

System vs AAA: Users and Groups

Local vs External




Xen Monitors


NetScaler as a Gateway

AAA, VPN, Endpoint Analysis

Client Options:

Plug-ins, Clientless, Receiver, iOS, Android

NetScaler should still be behind a firewall.

NetScaler Gateway Wizard



NS Gateway Policies

Set global pre-authentication settings to deny

Create policy with conditions and action of permit

Apply as AAA Global Policy

Pre-Authentication policy require certain configurations be met before a user can login. Helps to ensure that the users PC is secure.  The pre-authentication policy can run an Endpoint Analysis plugin to look for certain elements such as patch levels, anti-virus, or anything else we specify, on the users PC.


Gateway LDAP Authentication


Gateway User Authorization

Set global default policy

Create authorization policy

Bind the policy

Just because a user authenticates with the NS Gateway doesn’t mean we want that user to have full access to all resources.   Via authorization policies we can allow or deny access to local resources, and even routes to the internet.

First thing to do is set the default Authorization action to DENY.

NetScaler Gateway -> Global Settings -> Change Global Settings -> Security

Second, create authorization policy:

NetScaler Gateway -> Policies -> Authorization

Here is where you add policies with specific expressions that specify what is allowed.

To bind the policy to an AD user that doesn’t exist locally on the NS you need to make a representation of that user on the NS under the User Administration -> AAA Users.  You can do the same for AD groups.


NS Gateway Split Tunneling

Create Intranet Apps, representing network(s)

Turn on split tunneling

Point to the VPN intranet Apps

One challenge with NS Gateway Remote access with VPN is that by default it is a full tunnel VPN. Meaning all of the users traffic will be routed through the gateway, even internet routed traffic will go out the gateway then reply traffic will come back into the gateway and back to the user over the VPN.  From a security perspective this might be great as we can monitor all that traffic.

Split tunneling allows you to split traffic to allow corporate traffic through the VPN and other traffic out through the users internet gateway.  A little more dangerous because an attacker can maintain a connection through the VPN tunnel into the corporate network where as if all traffic flowed through the VPN it would be a lot tougher for the attacker to maintain that connection as the traffic is routed and NAT’d through the NS gateway.

NetScaler Gateway -> Resources -> Intranet Application -> Add

Create objects that refer to the IP Subnets. An intranet application represents the network.

NetScaler Gateway -> Global Settings -> Client Experience -> Turn on Split Tunnel.

NetScaler Gateway -> Global Settings -> Intranet Applications -> Add applications defined earlier.

You can use tracert to verify the route the traffic takes. To reach resources internal you should see direct connection to the server.


LB Storefront Demonstration

Gateway + Storefront Integration

Content switching

GSLB – Global Server Load Balancing

Exam Preparation