Extend your networking skill set by
learning NetScaler fundamentals
Self-paced exercise guide
Module 1 - Exercise 1: Initial Configuration Page 2
Table of Contents
Overview
Exercise 1: Initial Configuration
Exercise 2: Load Balancing
Exercise 3: Content Switching
Exercise 4: SSL Offload
Exercise 5: HTTP header modification
Exercise 6: HTTP to HTTPS redirection and URL body rewrite
Overview
Hands-on Training Module
This training module has the following details:
Objective: This lab provides hands-on training on the core NetScaler functionality.
Audience: Primary: Partners and customers
Lab Environment Details
Machine           Details
AD.training.lab   Domain controller, DHCP, DNS
NS10_HA1          Virtual instance of a NetScaler appliance (HA node)
NS10_HA2          Virtual instance of a NetScaler appliance (HA node)
Win7Client        Administrative workstation
Apache_MySQL_1    Linux server with Apache, PHP, MySQL
Apache_MySQL_2    Linux server with Apache, PHP, MySQL
Apache_MySQL_3    Linux server with Apache, PHP, MySQL
SQLServer         Microsoft SQL 2008 server and Microsoft Certificate Services
WebBlue           IIS server, PHP, WebGoat
WebGreen          IIS server, PHP, WebGoat
WebRed            IIS server, PHP, WebGoat
Lab Topology Diagram
(Diagram not reproduced. It shows a Remote Network and a Public Network reaching an Internal Router;
behind it the Internal network 192.168.10.X/24 with the INT-Win_7 client, the NetScaler nodes
NS10_node1/2/3, AD/DNS/CA, Apache_1/2/3, the HA pair NS10_HA1/NS10_HA2, WebGreen, WebRed, WebBlue
and SQLServer; and the 172.16.1.0/24 and 172.16.2.0/24 subnets with SQLServer2, XD, XA1 and VDA.)
NOTE: If prompted with a dialog to restart on any virtual machine, always select Restart Later.
Required Lab Credentials
Below are the login credentials required to connect to the workshop system and complete the lab
exercises.
Machine          IP Address                                 Username                Password
AD.training.lab  192.168.10.11                              TRAINING\Administrator  Citrix123
NS10_HA1         NSIP: 192.168.10.220  SNIP: 192.168.10.90   nsroot                  nsroot
NS10_HA2         NSIP: 192.168.10.225  SNIP: 192.168.10.90   nsroot                  nsroot
Win7Client       DHCP assigned                              TRAINING\Administrator  Citrix123
Apache_MySQL_1   192.168.10.13                              root                    Citrix123
Apache_MySQL_2   192.168.10.14                              root                    Citrix123
Apache_MySQL_3   192.168.10.15                              root                    Citrix123
SQLServer        192.168.10.12                              TRAINING\Administrator  Citrix123
WebBlue          192.168.10.205                             TRAINING\Administrator  Citrix123
WebGreen         192.168.10.210                             TRAINING\Administrator  Citrix123
WebRed           192.168.10.215                             TRAINING\Administrator  Citrix123
Note: both NetScaler nodes are listed with the same SNIP on purpose. In an HA pair the SNIP is part
of the synchronized configuration and is owned by whichever node is currently primary.
Exercise 1: Initial Configuration
Overview
In this exercise you will configure the NetScaler with a management IP address, subnet IP and a DNS
name server. Additionally you will configure licensing and set up a high availability pair.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
Estimated time to complete this lab: 20 minutes.
Step Action
1. In XenCenter, go to the networking tab of each NetScaler and confirm that the MAC
address is correct since it determines licensing.
NS10_HA1: 06:e0:89:e0:b0:fd
NS10_HA2: 22:64:cc:9b:ea:aa
2. Go to the console tab of NS10_HA1 and NS10_HA2 virtual machines and set the
following Initial Network Address Configuration:
NS10_HA1:
IP Address: 192.168.10.220
Netmask: 255.255.255.0
Gateway: 192.168.10.1
Select option #4 to Save and quit.
NS10_HA2:
IP Address: 192.168.10.225
Netmask: 255.255.255.0
Gateway: 192.168.10.1
Select option #4 to Save and quit.
3. After the NetScaler VMs reboot, select the Win7Client VM and click the Console tab.
4. Select the Send Ctrl+Alt+Del (Ctrl+Alt+Insert) button in the lower left hand corner of
XenCenter.
5. Login as…
Username: training\administrator
Password: Citrix123
6. Open Internet Explorer and navigate to http://192.168.10.220 .
7. The NetScaler Configuration Utility is displayed.
Login as…
Username: nsroot
Password: nsroot
8. On the bottom of the screen, select Setup Wizard…
9. Click Next on the Introduction screen.
10. On the Network Config screen, enter the following:
Host Name: NS10_HA1
Subnet IP (SNIP): 192.168.10.90
Netmask: 255.255.255.0
Click Next.
11. On the Choose Application screen, click Next.
12. Click Finish on the Summary screen. Then click Exit to close the setup wizard.
13. On the top right side of the screen, save your configuration by clicking on the Save button.
Click Yes to confirm.
14. Open another tab in Internet Explorer and repeat steps 6-13 for NS10_HA2
(192.168.10.225).
Host name: NS10_HA2
Subnet IP (SNIP): 192.168.10.90
Netmask: 255.255.255.0
15. On both nodes, use the CLI to copy the new license file to the /nsconfig/license
directory.
Select the NS10_HA1 virtual machine and click on the Console tab.
16. If you do not see the login: prompt, press the Enter key once or twice.
Login as…
Username: nsroot
Password: nsroot
17. At the NetScaler prompt, type shell.
18. You are now in the shell of NetScaler. Type the following command:
cp /var/license_backup/VPX_1000.lic /nsconfig/license/
Hit the Enter key.
19. Type exit to exit the shell.
20. Type reboot -warm to reboot the NetScaler.
Type Y and hit the Enter key to confirm you want to restart NetScaler.
The NetScaler now reboots.
21. Select the NS10_HA2 virtual machine in XenCenter and click on the Console tab.
22. Repeat steps 16-20 on NS10_HA2.
23. Select the Win7Client VM again. Close out your browser. Open a new instance of IE and
browse to http://192.168.10.220.
24. Login as…
Username: nsroot
Password: nsroot
25. Navigate to System>Licenses page and note all the licensed features.
26. Navigate to System > Settings > Configure basic features
Enable all features except HTTP Compression, Content Filter, Integrated Caching, and
Application Firewall.
Click OK.
27. Next we will configure a DNS Name Server on the NetScaler for name resolution.
NetScaler can be configured as a DNS Name server, but in this exercise we will point to an
external DNS server.
Navigate to DNS > Name Servers. Click Add.
28. Enter IP address 192.168.10.11 (This is the lab Domain Controller) and click Create.
Click Close to close the Create Name Server window.
29. Minimize your IE window and double-click on the Putty application on your desktop.
30. Enter 192.168.10.220 in the Host Name field and click Open.
31. Login as…
Username: nsroot
Password: nsroot
Click Yes on the security alert pop-up.
32. At the NetScaler prompt, run each of the following commands:
> show run
> sh ns ip (note the NSIP and SNIP)
> sh route
> sh ns feature
> sh ns mode
> sh ha node
> sh license
> show (tab complete to see all the available options)
> show ns (tab complete and check one or two options out)
33. Minimize the Putty window.
34. Bring up the NetScaler Configuration Utility of NS10_HA1 again and navigate to System
> High Availability
Click Add.
35. Enter the IP of the NS10_HA2 (192.168.10.225).
Check the "Login credentials for remote system are different from self node" option and enter:
Username: nsroot
Password: nsroot
Click OK. Click Ok on the Information pop-up window.
36. Click Refresh until the Synchronization State shows "SUCCESS", then save the configuration.
37. Bring up the Putty window again. Run the following command (hit enter a few times to get
the CLI moving)
> sh ha node | more
Note: Sync state Enabled. The Master State is (Primary) on NS10_HA1. If you run this
command on NS10_HA2, the Master State should show as (Secondary).
38. Failover lets the secondary node take over incoming requests automatically if the primary
node stops functioning. Force a manual failover to the secondary node and check the result:
> force ha failover
> sh ha node
Note: The Master State has changed. Force a failover again so that NS10_HA1 is primary.
39. Run the following command:
> sh ns feature | more
Confirm that SSL Offloading and Load Balancing are enabled.
40. Close out the putty window.
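The following is an added example, not part of the original exercise guide or of Citrix's own documentation: it performs steps 10 to 38 above from the NetScaler CLI (the same CLI you reach through PuTTY in step 30) instead of the Setup Wizard and GUI. It assumes the lab addresses listed under Required Lab Credentials and NetScaler 10 command syntax. Lines beginning with # are commentary for the reader and are not nscli commands, so do not paste them. The feature list is deliberately narrower than step 26 (only the features the six exercises use, which keeps the attack surface of the appliance smaller), and the hardening commands at the end are not required by the lab; their password values are placeholders.

```text
# On NS10_HA1 (192.168.10.220), logged in as nsroot (steps 10-13 and 26-28)
set ns hostName NS10_HA1
add ns ip 192.168.10.90 255.255.255.0 -type SNIP
add dns nameServer 192.168.10.11
enable ns feature LB CS SSL REWRITE RESPONDER
save ns config
# Steps 15-20: copy the lab license into place and warm-reboot
shell cp /var/license_backup/VPX_1000.lic /nsconfig/license/
reboot -warm
# After the reboot: confirm the license took and the features are on (steps 25 and 39)
show ns license
show ns feature
show ns ip
# Repeat everything above on NS10_HA2 (192.168.10.225) with hostname NS10_HA2
# Steps 34-37, HA pairing: each node adds the other node's NSIP (node IDs may differ per node)
add ha node 1 192.168.10.225
#   on NS10_HA2:  add ha node 1 192.168.10.220
show ha node
#   expect "Master State: Primary" here, "Secondary" on NS10_HA2, and "Sync State: SUCCESS"
save ns config
# Step 38: fail over, check, fail back so NS10_HA1 is primary again (answer Y when asked)
force ha failover
show ha node
force ha failover
show ha node
# Hardening not required by the lab (placeholder secrets): replace the default nsroot
# password, set a non-default HA/RPC password on both nodes, and restrict management
# access on the NSIP to HTTPS only
set system user nsroot Str0ngLabPassw0rd!
set ns rpcNode 192.168.10.220 -password Rpc-Secret-1
set ns rpcNode 192.168.10.225 -password Rpc-Secret-1
set ns ip 192.168.10.220 -gui SECUREONLY -telnet DISABLED -ftp DISABLED
save ns config
```

Run the RPC node commands on both nodes with the same value, otherwise HA synchronization between the two nodes stops working. After restricting the GUI to HTTPS, the browser steps above must use https://192.168.10.220 rather than http://.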
END OF EXERCISE
Exercise 2: Load Balancing
Overview
You want to demonstrate NetScaler load balancing. You need to configure the NetScaler to load balance
the Red, Blue and Green web servers. A server is a virtual representation of a physical server on the
backend. It consists of a server name and IP address. A service provides the connection between the
NetScaler appliance and the load balanced backend server. It consists of a server name, IP address, and
port, and data type to be served. If you prefer to identify servers by name rather than IP address, you can
create server objects and then specify a server's name instead of its IP address when you create a service.
After you create your services, you must create a virtual server to accept traffic for the load balanced Web
sites, applications, or servers. Once load balancing is configured, users connect to the load-balanced Web
site, application, or server through the virtual server's IP address or FQDN. Create servers, services and
virtual servers with persistence and protocol aware monitors.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
4. IIS Web Server: (WebBlue)
5. IIS Web Server: (WebGreen)
6. IIS Web Server: (WebRed)
Estimated time to complete this lab: 20 minutes.
Step Action
1. In the NetScaler Configuration Utility of NS10_HA1, navigate to Load Balancing > Servers.
Click Add.
2. Enter the following configuration:
Server Name: Blue_Server
IP Address: 192.168.10.205
Click Create.
3. Repeat step 2 to create the following servers:
Red_Server 192.168.10.215
Green_Server 192.168.10.210
After creating the servers, click Close.
4. Once done, you should see the servers created as follows.
5. Navigate to Load Balancing > Services. Click Add.
6. Create service objects for the servers created in the steps 1-4.
Enter the following configuration:
Service Name: Blue_Service
Server: Blue_Server (192.168.10.205)
Protocol: HTTP
Port: 80
Click Create.
7. Repeat step 6 to create services for the following:
Red_Service 192.168.10.215
Green_Service 192.168.10.210
8. Once you are done, click Close. You should see the following services:
9. Navigate to Load Balancing > Virtual Server. Click Add.
10. Create a virtual server with the following configuration:
Name: RBG1
Protocol : HTTP
IP address: 192.168.10.216
Port: 80
Bind all three services by checking the box next to each service.
Click Create.
11. Open another browser tab and browse to http://192.168.10.216 . Refresh multiple times. Requests
should be spread across the Red, Blue and Green web servers, since no persistence is configured.
12. Go to Load Balancing > Services and disable two of the three services.
13. Test load balancing by browsing to http://192.168.10.216 again. You should connect to the same
server.
14. Re-Enable the services when done.
15. Go back to the NetScaler Configuration Utility and open the RBG1 virtual server.
Select the Method and Persistence tab.
16. Configure the following:
Method: change from Least Connection (default) to Round Robin.
Persistence: CookieInsert
Time-Out value: change from 2 (default) to 0. A time-out of 0 makes the persistence cookie a
session cookie with no expiry, so it lasts until the browser is closed.
17. A DNS record was created for 192.168.10.216. Browse to http://web1.training.lab and refresh
multiple times. This time you will notice that your session will persist to either the Red, Blue or
Green server for the duration of the session.
18. In the NetScaler Configuration Utility, navigate to Load Balancing > Services.
Double-click the Blue_Service.
19. Select the http monitor from the list of available monitors on the left.
Click Add.
Select the tcp-default monitor from the list of configured monitors on the right.
Click Remove.
The HTTP monitor expects a 200 OK response code to consider the service state as UP.
Click OK.
Click OK on the warning as this only informs you that the default TCP monitor cannot be
unbound. Since we are selecting a new HTTP monitor, the health-check is still performed.
20. Click Close and Save the configuration.
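The load balancing configuration of this exercise as an added CLI example, not code from the original guide: the servers, services, the RBG1 virtual server with the step 16 method and persistence settings, the service disable/enable test of steps 12 to 14, the HTTP monitor of step 19, and the show commands that verify each step. It assumes the lab IP addresses above and NetScaler 10 syntax; # lines are comments for the reader, not commands.

```text
# Steps 1-8: server objects and one HTTP service per server
add server Blue_Server 192.168.10.205
add server Red_Server 192.168.10.215
add server Green_Server 192.168.10.210
add service Blue_Service Blue_Server HTTP 80
add service Red_Service Red_Server HTTP 80
add service Green_Service Green_Server HTTP 80
# Steps 9-10: the addressable virtual server, first with the defaults
# (Least Connection, no persistence) so step 11 shows traffic spreading out
add lb vserver RBG1 HTTP 192.168.10.216 80
bind lb vserver RBG1 Blue_Service
bind lb vserver RBG1 Red_Service
bind lb vserver RBG1 Green_Service
# Steps 12-14: take two services out of rotation, test, put them back
disable service Red_Service
disable service Green_Service
enable service Red_Service
enable service Green_Service
# Step 16: round robin with a CookieInsert session cookie (-timeout 0 = no expiry)
set lb vserver RBG1 -lbMethod ROUNDROBIN -persistenceType COOKIEINSERT -timeout 0
# Step 19: protocol-aware monitor. Binding an explicit monitor replaces the implicit
# tcp-default monitor, which is why the GUI warns that tcp-default cannot be unbound.
bind service Blue_Service -monitorName http
bind service Red_Service -monitorName http
bind service Green_Service -monitorName http
# Checks: bound monitor and last probe result, vserver settings, per-service hit counts
show service Blue_Service
show lb vserver RBG1
stat lb vserver RBG1
save ns config
```

show service lists the bound monitor and its last response, so a service that stays DOWN after the change is a backend that is not answering 200 OK on /, not a NetScaler problem. The inserted cookie (named NSC_ followed by a hash of the virtual server name) only encodes which service the client is pinned to; treat it as a routing hint, not as anything secret or as a session identifier.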
END OF EXERCISE
Exercise 3: Content Switching
Overview
You want to demonstrate NetScaler Content Switching. You need to configure NetScaler with a Content
Switching virtual server to achieve the following:
HTTP requests to home.php should be switched to a load balancing virtual server with
CookieInsert persistence and Round Robin load balancing.
HTTP requests for blue.php, red.php, and green.php should be switched to their own respective
servers.
HTTP requests that meet no configured content switching policy should trigger the Default
content switching policy and be switched to a load balancing virtual server with no persistence and
Round Robin load balancing.
In order to achieve this objective, the following must be configured
Server, services and load balancing virtual servers for each web server
The three services (Red, Blue, Green) are bound to non-directly addressable load balancing virtual
servers
Multiple content switching policies (e.g. HTTP.REQ.URL.CONTAINS("blue.php"))
A content switching virtual server with bound policies.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
4. IIS Web Server: (WebBlue)
5. IIS Web Server: (WebGreen)
6. IIS Web Server: (WebRed)
Estimated time to complete this lab: 30 minutes.
Step Action
1. In the NetScaler Configuration Utility, navigate to Load Balancing > Virtual Servers.
Delete the RBG1 virtual server.
2. Create a new virtual server with the following configuration:
Name: RBG_Default
Uncheck the Directly Addressable box.
Bind all services to this virtual server.
3. Select the Method and Persistence tab.
Configure the following:
Method: Round Robin
Persistence: None (No Persistence)
4. Create a new virtual server.
Configure the following:
Name: RBG_Home
Uncheck the Directly Addressable box.
Bind all services to this virtual server.
5. Configure the following:
Method: Round Robin
Persistence: CookieInsert
Time-out: 0
6. Create a new virtual server.
Configure the following:
Name: RBG_Red
Uncheck the Directly Addressable box.
Bind only the Red service to this virtual server.
7. Select the Method and Persistence tab.
Configure the following:
Method: Round Robin
Persistence: CookieInsert
Time-out: 0
8. Create a new virtual server.
Configure the following:
Name: RBG_Blue
Uncheck the Directly Addressable box.
Bind only the Blue service to this virtual server.
9. Select the Method and Persistence tab.
Configure the following:
Method: Round Robin
Persistence: CookieInsert
Time-out: 0
10. Create a new virtual server.
Configure the following:
Name: RBG_Green
Uncheck the Directly Addressable box.
Bind only the Green service to this virtual server.
11. Select the Method and Persistence tab.
Configure the following:
Method: Round Robin
Persistence: CookieInsert
Time-out: 0
12. You should have the following virtual servers configured:
13. Navigate to Content Switching > Policies.
Click Add.
14. Add a policy with the following configuration:
Name: Home_Policy
Click Configure.
15. In the Expression section type:
HTTP.REQ.URL.CONTAINS("home.php")
Click Create to close the Create Expression window.
16. Click Create to close the Create Content Switching Policy window.
17. Repeat steps 14-16 to create the following policies:
Name: Red_Policy
Expression: HTTP.REQ.URL.CONTAINS("red.php")
Name: Blue_Policy
Expression: HTTP.REQ.URL.CONTAINS("blue.php")
Name: Green_Policy
Expression: HTTP.REQ.URL.CONTAINS("green.php")
18. Navigate to Content Switching > Virtual Servers.
Click Add.
19. Configure the following:
Name: RBG_CSW
IP Address: 192.168.10.217
Protocol: HTTP
Port: 80
20. Note: The content switching virtual server's state is UP although no policies have been bound.
Browse to http://192.168.10.217 . The service is unavailable, because the virtual server has neither
a bound policy nor a default load balancing virtual server to which it can switch the request.
21. Open the RBG_CSW virtual server. Click Insert Policy
22. Select the Home_Policy.
23. Click the dropdown arrow under the GoTo Expression column and select the blank option.
24. Select the dropdown arrow under the Target column and select RBG_Home.
25. Double-click the text box under the Priority column and change the priority to 120.
Hit the Enter key.
26. Bind the remaining content switching policies to their respective targets (Red_Policy to
RBG_Red, Blue_Policy to RBG_Blue, Green_Policy to RBG_Green). Configure the priorities as indicated
below (the screenshot with the priority values is not reproduced here). Also set RBG_Default as the
virtual server's Default load balancing virtual server, so that requests matching no policy are
switched to it; step 27 relies on this.
27. A new DNS record was created for 192.168.10.217. Open another browser tab and browse to
http://web2.training.lab. Refresh multiple times. The Red, Blue and Green web servers should be
load balanced in a round robin manner, because your request matched no policy and was switched to
the default target RBG_Default, which has no persistence configured.
28. Change the request URL to http://web2.training.lab/home.php. Note: Hitting refresh multiple
times keeps you on the same server, because your request was sent to the RBG_Home virtual server,
which has CookieInsert persistence configured.
29. Change the request URL to http://web2.training.lab/red.php. Note: Your request was sent to the
RBG_Red virtual server.
Repeat the request with http://web2.training.lab/blue.php and http://web2.training.lab/green.php
30. You can view the hit counts increase in the Content Switching > Policies node or when you open
the content switching virtual server.
END OF EXERCISE
Exercise 4: SSL Offload
Overview
You want to secure traffic to your web servers using SSL certificates. In this lab, you will create a
certificate and configure NetScaler to offload the SSL transactions while load balancing the Red, Blue and
Green Web servers. SSL Offload is how the NetScaler appliance transparently accelerates SSL
transactions. All SSL processing is performed on the appliance instead of the backend web server. This
reduced workload allows the web server to serve web pages much faster.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
4. Microsoft SQL Server 2008: (SQLServer)
5. IIS Web Server: (WebBlue)
6. IIS Web Server: (WebGreen)
7. IIS Web Server: (WebRed)
Estimated time to complete this lab: 40 minutes.
Step Action
1. Open the NetScaler Configuration Utility. Navigate to SSL > Create CSR (Certificate
Signing Request).
Configure the following:
File name: wildcard.req
Key File Name: (Browse > ns-root.key)
Format: PEM
Common name: *.training.lab
Fill all other required fields, but do not put a password.
2. Navigate to SSL > Manage Certificates / Keys / CSRs.
3. Select the wildcard.req file and click Download.
Save the file in C:\Users\administrator.TRAINING\Documents.
Click Close twice.
4. Open another tab in IE and browse to https://192.168.10.12/certsrv .
Login as…
Username: Administrator
Password: Citrix123
5. Select Request a certificate
6. Select Advanced Cert Request.
Then select Submit a certificate request by using a base-64…
7. Open the wildcard.req file with Notepad.exe and copy the contents.
8. Paste the contents into the Saved Request field.
Choose Web Server as the Certificate Template and click Submit.
9. Download a Base 64 encoded certificate (certnew.cer) to the documents folder.
10. Using the NetScaler Configuration Utility, navigate to SSL > Manage Certificates / Keys /
CSRs.
11. Click Upload.
Browse to C:\Users\administrator.TRAINING\Documents .
Select the certnew.cer file and upload to the appliance.
Note: the file will be uploaded to the /nsconfig/ssl directory.
12. To install the certificate, navigate to SSL > Certificates > Install.
13. Configure the following:
Certificate-Key Pair Name: wildcard-cert
Certificate File Name: browse (Appliance) to certnew.cer
Private Key File Name: browse (Appliance) to ns-root.key
Click Install.
Then click Close.
14. Navigate to Content Switching > Virtual Servers.
Open the RBG_CSW virtual server and unbind all the content switching policies.
15. Add a new virtual server.
Configure as follows:
Name: RBG_CSW_HTTPS
IP Address: 192.168.10.217
Protocol: SSL
Bind the CSW policies with priorities as shown below.
16. Note that the virtual server is in a DOWN state, since it has no certificate bound.
17. Double-click the virtual server and select the SSL Settings tab.
18. Select the wildcard-cert and click Add. Click OK
Note: This binds the certificate to the virtual server. The state is now UP.
19. Browse to https://web2.training.lab and confirm that you are connecting over HTTPS and that the
NetScaler is offloading the SSL transactions.
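The SSL offload configuration of this exercise as an added CLI example, not code from the original guide: the CSR, the certificate/key pair, and moving the content switching policies onto an SSL entry point. It assumes the lab addresses and NetScaler 10 syntax; # lines are comments, not commands. The CSR subject fields other than the common name are placeholders, and the priorities 130/140/150 are assumed values (step 15's screenshot is not reproduced). The CSR reuses ns-root.key, the appliance's own default key, for lab convenience; outside a lab, generate a dedicated key with create ssl rsakey and point -keyFile and -key at it. Either way only the request leaves the appliance; the private key never does.

```text
# Step 1: certificate signing request (subject fields other than the CN are placeholders)
create ssl certReq wildcard.req -keyFile ns-root.key -keyForm PEM -countryName US -stateName CA -localityName Lab -organizationName "Training Lab" -commonName "*.training.lab"
# Steps 3-11 happen outside nscli: download wildcard.req, submit it at
# https://192.168.10.12/certsrv with the Web Server template, download certnew.cer
# (Base 64) and upload it to /nsconfig/ssl on the appliance.
# Step 13: install the pair and check what was installed
add ssl certKey wildcard-cert -cert certnew.cer -key ns-root.key
show ssl certKey wildcard-cert
#   check the Subject, "Days to expiration" and that Status is Valid
# Step 14: strip the policies off the HTTP entry point
unbind cs vserver RBG_CSW -policyName Home_Policy
unbind cs vserver RBG_CSW -policyName Red_Policy
unbind cs vserver RBG_CSW -policyName Blue_Policy
unbind cs vserver RBG_CSW -policyName Green_Policy
# Step 15: SSL entry point on the same VIP, port 443, with the same bindings
add cs vserver RBG_CSW_HTTPS SSL 192.168.10.217 443
bind cs vserver RBG_CSW_HTTPS -policyName Home_Policy -targetLBVserver RBG_Home -priority 120
bind cs vserver RBG_CSW_HTTPS -policyName Red_Policy -targetLBVserver RBG_Red -priority 130
bind cs vserver RBG_CSW_HTTPS -policyName Blue_Policy -targetLBVserver RBG_Blue -priority 140
bind cs vserver RBG_CSW_HTTPS -policyName Green_Policy -targetLBVserver RBG_Green -priority 150
bind cs vserver RBG_CSW_HTTPS -lbvserver RBG_Default
# Step 16: without a certificate the vserver reports State: DOWN
show cs vserver RBG_CSW_HTTPS
# Step 18: bind the certificate; the vserver comes UP
bind ssl vserver RBG_CSW_HTTPS -certkeyName wildcard-cert
show cs vserver RBG_CSW_HTTPS
# Not in the lab: do not offer SSLv3 on the new virtual server
set ssl vserver RBG_CSW_HTTPS -ssl3 DISABLED
save ns config
```

The backend services stay plain HTTP on port 80; the appliance terminates TLS on 192.168.10.217:443 and forwards clear text to the web servers, which is exactly what "offload" means here. Anything sensitive in those requests therefore travels unencrypted between the NetScaler SNIP and the backends, so keep that path on a trusted network segment.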
END OF EXERCISE
Exercise 5: HTTP header modification
Overview
In today's web, applications often require different responses, or different information sent to
backend servers, as part of the HTTP request/response. For example, when the home page is requested,
a different response is required depending on the user's location, the language the browser accepts,
or simply the type of browser being used to connect to the site.
With the help of rewrite and responder, we can manipulate parameters on the request or response and,
based on certain conditions, take a different action. This is especially useful when you want to mask
information returned by the server or simply redirect the client connection to a secure site.
In this module, we will explore different examples of how to use the rewrite and responder features to
perform HTTP to HTTPS redirection, as well as changing the body of the response to ensure all links are
displayed with the correct secure protocol. In addition, we will also configure a simple URL
transformation to hide the application path and obscure some of the parameters returned by the
backend server, with the purpose of enhancing application security.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. Linux Server 1: Apache_MySQL_1 - (GENTOO_1)
2. Linux Server 2: Apache_MySQL_2 - (GENTOO_2)
3. Linux Server 3: Apache_MySQL_3 - (GENTOO_3)
4. NetScaler VPX: (NS10_HA1)
5. NetScaler VPX: (NS10_HA2)
6. Windows 7 workstation: (Win7Client)
Estimated time to complete this lab: 30 minutes.
Step Action
1. We will complete a simple load balancing configuration to be used in our rewrite examples. In
this lab, we will configure additional servers and services for an Apache web server farm.
Open IE and browse to http://192.168.10.220
Navigate to Load Balancing -> Servers and configure the following:
Name: GENTOO_3
IP Address: 192.168.10.15
Click Create. Then click Close.
2. Create a service with the following configuration:
Name: GENTOO_3_HTTP_TCP_80
Server: GENTOO_3
Protocol: HTTP
Port: 80
Monitor: TCP
3. Create a load balancing virtual server with the following configuration:
Name: HTTP_vserver
IP address: 192.168.10.218
Protocol: HTTP
Port: 80
4. Bind the service we created on step 2 to it.
5. Apache_MySQL_3 has been provisioned with a simple PHP page that outputs all the server variables
and headers included in the HTTP request. This page is served as the default 404 Not Found HTML.
For this lab, we will use this server to visually inspect the information the backend server received
after the traffic is processed by the NetScaler appliance.
In IE, browse to a non-existent URL on the new HTTP_vserver:
http://192.168.10.218/nonexistenturl/
Inspect the headers and variables to familiarize yourself with the output.
6. First, we will start with a header insertion to include the CLIENT-IP address in the HTTP
request. This can be accomplished in two different ways:
Using the CLIENT-IP option in the Advanced Properties of the service.
Using a rewrite rule to insert a new HTTP header.
7. We will start with option 1.
Open the GENTOO_3_HTTP_TCP_80 service and select the Advanced tab.
Under Settings, check the Client IP option. Fill in the header name Client-IP.
8. Open a new browser instance and attempt your request again:
http://192.168.10.218/nonexistenturl/
You should be able to see the "Client-IP" header being inserted in the request.
9. Now, we will use a rewrite policy to insert the same information.
Remove the Client IP insertion configuration from the Settings section of the Advanced tab.
10. Open a browser and navigate to the same URL to ensure the header is not inserted.
http://192.168.10.218/nonexistenturl/
11. Next, create the rewrite action.
Navigate to Rewrite > Actions. Click Add and configure the following:
Name: InsertClientIP
Type: INSERT_HTTP_HEADER
Header Name: Client-IP
String Expression: CLIENT.IP.SRC
Click Create. Then click Close.
12. Next, we need to create a new policy and bind it to the rewrite action.
Navigate to Rewrite > Policies. Click Add and configure the following:
Name: InsertClientIP_pol
Action: InsertClientIP
Expression: true
Click Create.
Then click Close.
13. Finally, we need to bind the policy to the HTTP_vserver.
Double-click the HTTP_vserver and select the Rewrite (Request) tab.
Bind the InsertClientIP_pol policy with the default priority.
Click OK to commit the changes.
NOTE: If the rewrite policy does not show up when attempting to bind, close the Configure Virtual
Server window and perform a Refresh. Then attempt the binding again.
14. Select the IE tab in which you browsed to http://192.168.10.218/nonexistenturl/
Refresh the window and verify that the client IP was inserted.
15. Next, we will create a response rewrite policy to obscure some of the information sent by the
backend server.
16. To visualize the request and response headers received, open a new IE instance and display
ieHTTPHeaders. Note: the add-on is already installed and enabled. Navigate to the Tools menu and
select Display ieHTTPHeaders.
17. Now, navigate to the IP address of the virtual server: http://192.168.10.218
You should see the request and response headers.
18. Take a closer look at the response headers. Since this backend server runs Apache, it includes a
Server header in its response. A common practice is to mask this information and return a generic
value instead.
19. We will create a rewrite action to replace the HTTP header.
In the NetScaler Configuration Utility, navigate to Rewrite > Actions and click on Add.
20. Configure the following settings:
Name: ReplaceServerHeader
Type: REPLACE
Expression to choose target: HTTP.RES.HEADER("Server")
String expression for replacement text: "MyWebServer" (include the quotes)
Click Create.
Then click Close.
21. Next, create a rewrite policy. Since we need to perform the action on every response, use a true
expression. Navigate to Rewrite > Policies. Click Add.
Configure the following settings:
Name: ReplaceServerHeader_pol
Action: ReplaceServerHeader
Expression: TRUE
Click Create.
Then click Close.
22. Navigate to Load Balancing > Virtual Servers.
Double-click on the HTTP_vserver and select the Policies tab. Under the Policies tab, select the
Rewrite tab. Bind this rewrite policy to the HTTP_vserver.
Ensure you click the dropdown arrow and select the RESPONSE rewrite; otherwise, the policy will not
be listed.
Click OK.
23. Open a new browser instance and browse to http://192.168.10.218
24. Inspect the response headers. Verify the server header value was replaced.
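The header-modification configuration of this exercise as an added CLI example, not code from the original guide: the extra server, service and virtual server of steps 1 to 4, client IP insertion first as a service property (step 7) and then as a request rewrite (steps 11 to 13), and the response rewrite that masks the Server header (steps 19 to 22). It assumes the lab addresses and NetScaler 10 syntax; # lines are comments, not commands. The DeleteClientIP action and policy are an addition the lab does not ask for: because INSERT_HTTP_HEADER appends a header rather than replacing one, a client that sends its own Client-IP header would otherwise reach the backend with two of them, and a backend that reads the first one can be fed a spoofed address.

```text
# Steps 1-4: server, service with the built-in tcp monitor, HTTP virtual server
add server GENTOO_3 192.168.10.15
add service GENTOO_3_HTTP_TCP_80 GENTOO_3 HTTP 80
bind service GENTOO_3_HTTP_TCP_80 -monitorName tcp
add lb vserver HTTP_vserver HTTP 192.168.10.218 80
bind lb vserver HTTP_vserver GENTOO_3_HTTP_TCP_80
# Option 1 (step 7): client IP insertion as a service property; step 9 removes it again
set service GENTOO_3_HTTP_TCP_80 -cip ENABLED Client-IP
set service GENTOO_3_HTTP_TCP_80 -cip DISABLED
# Option 2 (steps 11-13): request rewrite. Added here, not in the lab: drop any Client-IP
# header the client supplied before inserting the real source address.
add rewrite action DeleteClientIP delete_http_header Client-IP
add rewrite policy DeleteClientIP_pol "HTTP.REQ.HEADER(\"Client-IP\").EXISTS" DeleteClientIP
add rewrite action InsertClientIP insert_http_header Client-IP CLIENT.IP.SRC
add rewrite policy InsertClientIP_pol true InsertClientIP
bind lb vserver HTTP_vserver -policyName DeleteClientIP_pol -priority 90 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver HTTP_vserver -policyName InsertClientIP_pol -priority 100 -gotoPriorityExpression END -type REQUEST
# Steps 19-22: response rewrite that replaces the Apache Server header value
add rewrite action ReplaceServerHeader replace "HTTP.RES.HEADER(\"Server\")" "\"MyWebServer\""
add rewrite policy ReplaceServerHeader_pol true ReplaceServerHeader
bind lb vserver HTTP_vserver -policyName ReplaceServerHeader_pol -priority 100 -gotoPriorityExpression END -type RESPONSE
# Checks: bindings and per-policy hit counters
show lb vserver HTTP_vserver
show rewrite policy InsertClientIP_pol
show rewrite policy ReplaceServerHeader_pol
save ns config
```

The delete policy uses NEXT so evaluation continues to the insert policy; the insert policy uses END because nothing after it needs to run. If a backend sends no Server header at all, HTTP.RES.HEADER("Server") is undefined and the replace action simply does not fire. Masking the header hides the banner from casual scanners only; it does not change how the server behaves, so treat it as tidiness rather than as a control.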
END OF EXERCISE
Summary
Key Takeaways
The key takeaways for this exercise are:
Rewrite and responder can be used in conjunction to manipulate the data and enhance
application security.
Rewrite policies can modify data on the request and/or response.
Exercise 6: HTTP to HTTPS redirection and URL body rewrite
Overview
Certain applications require specific requests to occur over a secure connection. Leveraging the responder
module, the NetScaler can issue a redirect to a secure site, ensuring a seamless user experience.
Additionally, the rewrite module can be used to rewrite any HTML content containing a reference to an
HTTP URI, forcing the connecting client to navigate the site using HTTPS only. In this exercise, we will
configure a responder policy that redirects requests to an alternate URL and then set up a rewrite
policy that rewrites any HTTP URIs to force secure browsing.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. Linux Server 1: Apache_MySQL_1 - (GENTOO_1)
2. Linux Server 2: Apache_MySQL_2 - (GENTOO_2)
3. Linux Server 3: Apache_MySQL_3 - (GENTOO_3)
4. Web Server Blue: (WebBlue)
5. Web Server Green: (WebGreen)
6. Web Server Red: (WebRed)
7. SQLServer
8. NetScaler VPX: (NS10_HA1)
9. NetScaler VPX: (NS10_HA2)
10. Windows 7 workstation: (Win7Client)
Estimated time to complete this lab: 40 minutes.
Step Action
1. The first step in securing an application is to ensure all requests occur over an encrypted channel.
For this example, we will use a pre-installed web application (phpMyAdmin) available on the
Linux web server (Apache_MySQL_3). Since this application lives in the "/phpmyadmin"
subdirectory, we will configure a responder action to redirect all requests to HTTPS.
2. In the NetScaler Configuration Utility, navigate to System > Settings > Configure Advanced
Features and enable the Responder option.
3. Navigate to Responder > Actions. Click Add.
4. Create a responder action that redirects to a secure URL.
Configure the following settings:
Name: RedirectToSecureSite
Type: Redirect
Target: "https://" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY
The target above reuses whatever Host header the client sent, so the redirect works for any hostname
that reaches this virtual server. Because a target built from the request's own host and path could
create a redirect loop if the policy were ever bound to the HTTPS side as well, the appliance flags it;
select the "Bypass Safety Check" option to allow the action to be created.
Click Create.
Then click Close.
5. Next, create a responder policy to trigger the action.
Navigate to Responder > Policies. Click Add.
Configure the following settings:
Name: RedirectToSecureSite_pol
Action: RedirectToSecureSite
Expression: true
Since this will be bound to HTTP_vserver, use a "true" expression.
Click Create. Then click Close.
6. Navigate to Load Balancing > Virtual Servers. Double-click the HTTP_vserver and select the Policies tab. Under the Policies tab, select the Responder tab. Select Insert Policy and bind this policy using the default priority. Click OK.
7. Open a browser instance and navigate to the VIP: http://192.168.10.218
Use ieHTTPHeaders to verify that the redirect is triggered. Why is the page not displayed?
8. Since we do not have a virtual server listening on port 443, the browser follows the redirect to https://192.168.10.218 but nothing answers there, so the redirect does not complete. Let's proceed to create a new SSL vserver. Navigate to Load Balancing > Virtual Servers. Click Add.
9. Create the vserver with the following configuration:
Name: HTTPs_vserver
IP Address: 192.168.10.218
Protocol: SSL
Port: 443
Ensure that you bind the same service: GENTOO_3_HTTP_TCP_80.
10. Since this is an SSL vserver, we need to bind a server certificate. Select the SSL Settings tab. Select the wildcard-cert and click Add to bind this certificate to the vserver. Click Create to complete the configuration. Click Close.
11. Attempt to test the responder policy by navigating to the HTTP URL: http://192.168.10.218/phpmyadmin
Since we are requesting the VIP by IP address rather than by an FQDN that matches the bound certificate, the browser displays a certificate warning. Proceed to accept the warning. The default content should be displayed over a secure channel (https://...).
12. To avoid this SSL warning, let's re-issue the request using the FQDN that resolves to the VIP: http://web3.training.lab/phpmyadmin
The redirect should complete without any warning message.
13. This responder policy redirects any request on port 80 to port 443; however, some applications hardcode absolute URLs or require specific Host headers to serve content. This is especially troublesome when the application is SSL offloaded, because the hardcoded http:// links can become inaccessible or the application may stop working altogether.
14. Attempt to log in to the phpMyAdmin application using the following credentials:
Username: root
Password: Citrix123
Did the login request work? You should see that a redirect diverts traffic directly to the backend server, effectively bypassing the load balancer.
15. In order to get through the initial login, we need to rewrite the redirect the backend server is sending so that it includes the FQDN for the VIP. To do this, we will use a Rewrite Response policy. Observe the "header trace" captured: the Location header has the wrong information.
16. Proceed to create a Rewrite Action with the following configuration:
Name: ReplaceLocationHeader
Type: Replace
Expression to choose: HTTP.RES.HEADER("Location")
String expression for replacement: "https://web3.training.lab" + HTTP.RES.HEADER("Location").TYPECAST_HTTP_URL_T.PATH_AND_QUERY
The above expression takes the value of the Location header in the response, keeps only its path and query string, and prefixes them with the VIP FQDN over HTTPS, replacing the hardcoded backend IP address.
Click Create.
Then click Close.
17. Next, create the rewrite policy.
Navigate to Rewrite > Policies.
Configure the policy as follows:
Name: ReplaceRedirect_pol
Action: ReplaceLocationHeader
Click Create.
Then click Close.
18. Bind the rewrite policy to the HTTPs_vserver load balanced virtual server. Ensure that you select the Response queue, otherwise the policy will not show up in the list.
19. Attempt to log in to the application: http://web3.training.lab/phpmyadmin/
Is the request redirected to HTTPS? Does the application complete the login request? After binding the previous policies, the application works as intended. Navigate a few links to verify correct behavior. Observe the links on the page.
20. Close the ieHTTPHeaders window. Click the home icon on the top left side of the phpMyAdmin site. Once on the home page, scroll to the bottom of the page and hover the mouse pointer over the "here" hyperlink.
There is one more problem with this configuration. Unfortunately, some of the links are hardcoded by the application and the URL includes the backend server IP. Notice the IP in the URL in the screenshot to the right. We need to configure a rewrite policy to modify the response body and replace this static value with the correct FQDN.
21. Let's configure another rewrite policy to adjust the body. First, configure the rewrite action as follows:
Name: Rewrite_Body_HTTP_HTTPs
Type: REPLACE_ALL
Expression to choose: HTTP.RES.BODY(100000)
String expression: https://web3.training.lab
Pattern: http://192.168.10.15
Click Create.
Then click Close.
Note: Choose the response body as the target text reference. For the body argument, use 100000 characters. This should be plenty to catch all instances of the pattern to replace.
22. Create the policy with the following configuration:
Name: Rewrite_Body_HTTP_HTTPs_pol
Action: Rewrite_Body_HTTP_HTTPs
Expression: true
The true expression will trigger the action on every response, and the action replaces every instance that matches the pattern.
23. Next, bind the policy to the HTTPs_vserver response queue using the default priority. Make sure that you select NEXT for the "Goto Expression" on the first policy, otherwise the policy with the lower priority will not be evaluated.
24. Test the application one more time by refreshing the phpMyAdmin page. The URL should now be rewritten, and the web application has been correctly SSL offloaded through NetScaler.
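The same configuration expressed as NetScaler 10.x CLI commands, added here as an example; it is not taken from the lab guide or from Citrix documentation. Object names, IP addresses and policy expressions are the ones the exercise uses. The rule for ReplaceRedirect_pol (the guide leaves it unstated), the bind priorities 100 and 110, and the use of the older -pattern argument for replace_all are assumptions.

```text
# Added example, not part of the lab guide. Assumed: Rewrite was enabled in Exercise 5,
# the ReplaceRedirect_pol rule, the priorities 100/110, and the -pattern syntax of NetScaler 10.x.

# Step 2: enable the Responder feature.
enable ns feature RESPONDER REWRITE

# Steps 4-6: send every plain-HTTP request on HTTP_vserver to the same host and path over HTTPS.
# -bypassSafetyCheck YES is the CLI form of the "Bypass Safety Check" checkbox.
add responder action RedirectToSecureSite redirect '"https://" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY' -bypassSafetyCheck YES
add responder policy RedirectToSecureSite_pol true RedirectToSecureSite
bind lb vserver HTTP_vserver -policyName RedirectToSecureSite_pol -priority 100 -gotoPriorityExpression END -type REQUEST

# Steps 9-10: SSL vserver on the same VIP, same back-end service, wildcard certificate bound.
add lb vserver HTTPs_vserver SSL 192.168.10.218 443
bind lb vserver HTTPs_vserver GENTOO_3_HTTP_TCP_80
bind ssl vserver HTTPs_vserver -certkeyName wildcard-cert

# Steps 16-18: rewrite the back-end's Location header so the client is sent back through the
# VIP's FQDN instead of straight to the back-end IP (which would bypass the load balancer).
# Rule assumed: only fire when a Location header is present.
add rewrite action ReplaceLocationHeader replace 'HTTP.RES.HEADER("Location")' '"https://web3.training.lab" + HTTP.RES.HEADER("Location").TYPECAST_HTTP_URL_T.PATH_AND_QUERY'
add rewrite policy ReplaceRedirect_pol 'HTTP.RES.HEADER("Location").EXISTS' ReplaceLocationHeader
bind lb vserver HTTPs_vserver -policyName ReplaceRedirect_pol -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

# Steps 21-23: replace every hardcoded http://<back-end IP> link in the first 100000 bytes of the body.
# Goto NEXT on the header policy above is what lets this lower-priority policy run on the same response.
add rewrite action Rewrite_Body_HTTP_HTTPs replace_all 'HTTP.RES.BODY(100000)' '"https://web3.training.lab"' -pattern 'http://192.168.10.15'
add rewrite policy Rewrite_Body_HTTP_HTTPs_pol true Rewrite_Body_HTTP_HTTPs
bind lb vserver HTTPs_vserver -policyName Rewrite_Body_HTTP_HTTPs_pol -priority 110 -gotoPriorityExpression END -type RESPONSE

# Check the bindings, the order and the Goto expressions, then persist the configuration.
show lb vserver HTTPs_vserver
save ns config
```

Two points worth checking after applying this: the body rewrite only inspects the first 100000 bytes of each response, so a larger page with a hardcoded link beyond that limit will still leak the back-end IP, and both rewrites match literal text in the HTTP response, so links assembled by client-side script are not covered; a header trace on the final page, as in step 19, is the quickest way to confirm nothing still points at 192.168.10.15.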
END OF EXERCISE
Summary
Key Takeaways
Rewrite policies can be strung together to manipulate the request or response data sequentially.
For some web apps, deeper knowledge of the application logic is required to successfully configure the necessary rewrite policies. Additional information can be gathered from header/network traces and log analysis.
Please complete the survey
We value your feedback! Please take a moment to let us know about your self-paced
lab experience by completing a brief survey on the web portal before you logout.
Revision History
Revision Change Description Date
1.0 Original Version June 2013
About Citrix
Citrix Systems, Inc. designs, develops and markets technology solutions that enable information technology (IT)
services. The Enterprise division and the Online Services division constitute its two segments. Its revenues are
derived from sales of Enterprise division products, which include its Desktop Solutions, Datacenter and Cloud
Solutions, Cloud-based Data Solutions and related technical services and from its Online Services division's Web
collaboration, remote access and support services. It markets and licenses its products directly to enterprise
customers, over the Web, and through systems integrators (SIs) in addition to indirectly through value-added
resellers (VARs), value-added distributors (VADs) and original equipment manufacturers (OEMs). In July 2012, the
Company acquired Bytemobile, provider of data and video optimization solutions for mobile network operators.
http://www.citrix.com
© 2013 Citrix Systems, Inc. All rights reserved.