2017-09-03

Navigation

Overview

Lights Out Module (LOM)

LOM IP Configuration

LOM Firmware Upgrade

SDX IP Configuration

SDX Software Bundle Upgrade

DNS Servers

Management Service NTP

Licensing

Management Service Alerting

Management Service nsroot Password and AAA

SSL Certificate and Encryption

SDX/XenServer LACP Channels

VPX Instances:

VPX Instances – Provision

VPX Instances – Manage

VPX Instance – Firmware Upgrade

Management Service Monitoring

Management Service Backup

Overview

Citrix CTX226732 Introduction to Citrix NetScaler SDX.


NetScaler SDX is standard NetScaler hardware that runs the XenServer hypervisor and several virtual machines:

Service VM (aka Management Service, aka SVM) – every SDX comes with this Virtual Machine. This VM enables the SDX Administrator to create additional VMs on XenServer.

It’s not possible to build this VM yourself. If something happens to it, your only option is a factory reset of the physical appliance, which deletes all local virtual machines and recreates the Service VM, so keep a current Management Service backup (see Management Service Backup below).

Each Service VM only manages the VMs on the local SDX. Each SDX has its own Service VM. To manage multiple SDXs, use NetScaler MAS.

XenServer on SDX is a special build. Do not attempt to directly upgrade XenServer, patch XenServer, configure XenServer, etc. Instead, all upgrades and configurations should be performed by the Service VM.

NetScaler VPX Instances – you create one or more NetScaler instances on top of XenServer

The number of NetScaler instances you can create is limited by your SDX license.

The physical resources (CPU, Memory, NICs, SSL Chips, FIPS HSM) of the SDX are partitioned to the different instances.

The amount of bandwidth (throughput) available to the VPX instances depends on your license. For example, the 14040 SDX license gives you 40 Gbps of throughput, which is partitioned across the instances.

The NetScaler instances are created from a normal XenServer .xva template.

Each VPX has its own NSIP. Once the VPX is provisioned, you connect to the NSIP, and configure it like a normal NetScaler.

If the top left of the window says SDX, then you are logged into the Management Service (aka Service VM, aka SVM). If it says VPX, then you are logged into an instance.


High Availability – NetScaler SDX does not have any High Availability capability at the XenServer or SVM layer. In other words, every SDX is completely standalone. To achieve HA, you create NetScaler VPX instances on two separate SDXs, and pair the VPX instances in the normal fashion.

Why NetScaler VPX on top of SDX instead of normal hypervisors?

VPX on SDX gets direct access to the SSL ASICs. A VPX on a normal hypervisor has no such chips and must do SSL in software, so SSL throughput on SDX is significantly higher.

VPX on SDX gets SR-IOV access to the Network interfaces. This enables full 40 Gbps throughput to a single VM.

The SDX NICs can filter VLANs per instance, so a VPX administrator cannot cross a security boundary by adding a VLAN that was not allowed for that instance.

Some SDXs have Hardware Security Modules (HSM) for FIPS compliance. The VPXs on SDX can utilize this hardware security resource.

SDX Networking

Management port – Every SDX has a 0/1 port. The SVM and XenServer management IP are on this NIC. You need a minimum of two IPs on a management network connected to the 0/1 port. SVM and XenServer cannot use any of the data ports for management.

LOM port – Every SDX has a Lights Out Management (LOM) port. This port gives you out-of-band console access to XenServer. Once you’re on XenServer, you can use Xen commands to reach the SVM console and/or the VPX consoles. Because the LOM therefore reaches every VM on the box, keep it on an isolated management network and change its default password (see LOM IP Configuration).

Data ports – The remaining interfaces can be aggregated into port channels. Port channels are configured at XenServer, and not from inside the VPXs. Use the Service VM to create channels, and then connect the VPXs to the channels.

VPX networking – When VPXs are created, you specify which physical ports to connect it to.

If you want the VPX NSIP to be on the same subnet as SVM and XenServer, then connect the VPX to 0/1.

Connect the VPX to one or more LA/x interfaces (port channels).

Once the VPX is created, log into it, and create VLAN objects in the normal fashion. VLAN tagging is handled by the VPX, not XenServer.

On SVM, when creating the VPX instance, you can specify a list of allowed VLANs. The VPX administrator is only allowed to add VLANs that are in this list.

SVM to NSIP – SVM must be able to communicate with every VPX NSIP. If VPX NSIP is on a different subnet than SVM, then ensure that routing/firewall allows this connection.

LOM IP Configuration

There are two ways to set the IP address of the Lights Out Module (LOM):

Crossover Ethernet cable from a laptop with an IP address in the 192.168.1.0 network.

ipmitool from the NetScaler SDX XenServer command line

For MPX, you can run ipmitool from the BSD shell.

Ipmitool Method:

For NetScaler SDX, SSH to the XenServer IP address (this is not the Service VM IP).

For NetScaler MPX, SSH to the NetScaler NSIP.

Default XenServer credentials are root/nsroot.

Default MPX credentials are nsroot/nsroot.

If MPX, run shell. XenServer is already in the shell.

Run the following:



You should now be able to connect to the LOM using a browser.
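As an added example (not the article's own text), here is the ipmitool sequence the method above relies on, wrapped in a small POSIX shell script that validates the addresses first and only prints the commands unless you ask it to run them. The LAN channel number (1) and the sample addresses are assumptions; confirm the channel with ipmitool lan print before running it for real.

```shell
#!/bin/sh
# Added example, not the article's own text: set the LOM (BMC) address with
# ipmitool from the XenServer shell (SDX) or the BSD shell (MPX).
# Assumptions: the LOM is IPMI LAN channel 1 (verify with "ipmitool lan print"),
# and the addresses passed in are placeholders for your management network.
#
# Usage: sh lom-ip.sh <ip> <netmask> <gateway> [run]
#   without "run" the commands are only printed (dry run).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # The while loop runs in a subshell; "exit 1" there makes the pipeline fail.
    echo "$1" | tr . '\n' | while read -r octet; do
        [ "$octet" -le 255 ] || exit 1
    done
}

# Print (mode=print, the default) or execute (mode=run) the ipmitool commands
# that switch the LOM to a static address and then show the resulting config.
lom_ipmi_cmds() {
    ip=$1; mask=$2; gw=$3; mode=${4:-print}
    for a in "$ip" "$mask" "$gw"; do
        valid_ipv4 "$a" || { echo "invalid IPv4 address: $a" >&2; return 1; }
    done
    printf '%s\n' \
        "ipmitool lan set 1 ipsrc static" \
        "ipmitool lan set 1 ipaddr $ip" \
        "ipmitool lan set 1 netmask $mask" \
        "ipmitool lan set 1 defgw ipaddr $gw" \
        "ipmitool lan print 1" |
    while IFS= read -r cmd; do
        if [ "$mode" = run ]; then
            echo "+ $cmd" >&2
            $cmd || exit 1          # stop at the first failing ipmitool call
        else
            echo "$cmd"
        fi
    done
}

if [ "$#" -ge 3 ]; then
    lom_ipmi_cmds "$@"
fi
```

Once the LOM answers on the new address, log in and replace the default nsroot/nsroot credentials before connecting the port to a switch.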

Laptop method:

Configure a laptop with static IP address 192.168.1.10 and connect it to the Lights Out Module port.

In a Web browser, type the IP address of the LOM port. For initial configuration, type the LOM port’s default address: http://192.168.1.3

In the User Name and Password boxes, type the administrator credentials. The default username and password are nsroot/nsroot.

In the Menu bar, click Configuration, and then click Network.

Under Options, click Network, and type values for the following parameters:

IP Address—The IP address of the LOM port.

Subnet Mask—The mask used to define the subnet of the LOM port.

Default Gateway—The IP address of the router that connects the appliance to the network.

Click Save.

Disconnect the laptop, and instead connect a cable from a switch to the Lights Out Module.

LOM Firmware Upgrade

The LOM firmware at https://www.citrix.com/downloads/netscaler-adc/components/lom-firmware-upgrade differs depending on the hardware platform. The LOM firmware for the 8000 series is different than the 11000 series and the 14000 series. Do not mix them up.

While this article focuses on SDX, note that NetScaler MPX has a newer method for updating the LOM, detailed in CTX218264 How to Upgrade the LOM Firmware on Any NetScaler MPX Platform.

The SDX Update Bundle does not include LOM firmware update so you must update it separately:

Determine which firmware version you are currently running. Either point a browser at the LOM and log in to see the firmware version, or run ipmitool mc info from the XenServer shell.

If your LOM firmware is older than 3.0.2, follow the instructions at http://support.citrix.com/article/CTX137970 to upgrade the firmware.

If your LOM firmware is version 3.0.2 or later, follow the instructions at http://support.citrix.com/article/CTX140270 to upgrade the firmware. This procedure is shown below.
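The version check above, as an added example that is not part of the article: a shell script that reads the Firmware Revision line from ipmitool mc info and prints which of the two Citrix procedures applies. It assumes ipmitool reports the revision as major.minor (so 3.02 is the 3.0.2 release the articles name); the sample output is constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: read the LOM firmware revision from
# "ipmitool mc info" and print which Citrix upgrade procedure applies.
# Assumption: ipmitool prints the revision as major.minor ("3.02" is the
# 3.0.2 release the Citrix articles name). SAMPLE_MC_INFO is constructed.
#
# Usage: sh lom-fw-check.sh live   (runs ipmitool on the XenServer shell)
#        sh lom-fw-check.sh demo   (uses the constructed sample below)

SAMPLE_MC_INFO='Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 3.02
IPMI Version              : 2.0'

# Extract the value of the "Firmware Revision" line from stdin (first match,
# trailing whitespace dropped). Prints nothing if the line is absent.
lom_fw_revision() {
    sed -n 's/^Firmware Revision[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Read "ipmitool mc info" text from stdin and print the upgrade path.
# Returns 2 if no revision line is present (e.g. the BMC is not answering).
lom_upgrade_path() {
    rev=$(lom_fw_revision)
    [ -n "$rev" ] || { echo "no Firmware Revision line found" >&2; return 2; }
    major=$(echo "$rev" | cut -d. -f1)
    minor=$(echo "$rev" | cut -d. -f2)
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 2 ]; }; then
        echo "$rev: 3.0.2 or later, upgrade from the LOM web UI (CTX140270)"
    else
        echo "$rev: older than 3.0.2, follow CTX137970 before the web UI upgrade"
    fi
}

case "${1:-}" in
    live) ipmitool mc info | lom_upgrade_path ;;
    demo) printf '%s\n' "$SAMPLE_MC_INFO" | lom_upgrade_path ;;
esac
```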

Now that the firmware is version 3.0.2 or later, you can upgrade to 3.39. Click the Maintenance menu and then click Firmware Update.

On the right, click Enter Update Mode.

Click OK when prompted to enter update mode.

Click Choose File, and browse to the extracted bin file.

After the file is uploaded, click Upload Firmware.

Click Start Upgrade.

The Upgrade progress will be displayed.

After upgrade is complete, click OK to acknowledge the 1 minute message.

The LOM will reboot.

After the reboot, login and notice that the LOM firmware is now 3.39.

SDX IP Configuration

Default IP for Management Service is 192.168.100.1/16 bound to interface 0/1. Use a laptop with crossover cable to reconfigure the IP. Point your browser to http://192.168.100.1. Default login is nsroot/nsroot.

Default IP for XenServer is 192.168.100.2/16. Default login is root/nsroot. Note: XenServer IP and Management Service IP must be on the same subnet.

There should be no need to connect to XenServer directly. Instead, all XenServer configuration (e.g. create new VM) is performed through the Management Service (SVM).

To change the XenServer IP, make the change through the SVM as detailed below:

Point a browser to http://192.168.100.1, and login as nsroot/nsroot.

When you first login to the SDX Management Service, the Welcome! Wizard appears. Click Management Network.

Configure the IP addresses.

Appliance Management IP = SVM (Management Service). This is the IP you’ll normally use to manage SDX.

Application supportability IP = XenServer. You’ll almost never connect to this IP.

The bottom has an Additional DNS checkbox that lets you enter more DNS servers.

You can change the nsroot password at this time, or change it later after LDAP is configured.

Click Done.

Click the System Settings box.

Enter a Host Name.

Select the time zone, and click Continue.

Click the Licenses box.

Click Add New License.

Allocate NetScaler SDX licenses normally.

The SDX license defines the number of instances you can create.

It also defines the amount of throughput available to the instances.

The SDX license is allocated to ANY, which means you can use the same license on all SDX hardware, assuming all of them are purchased with the same license model.

After uploading, click Finish and it should apply automatically.

Or you can click Apply Licenses.

Then click Continue.

Another way to change the Management Service IP address is through the serial port. This is actually the XenServer Dom0 console. Once logged in to XenServer, run ssh 169.254.0.10 to access the Management Service virtual machine. Then follow instructions at http://support.citrix.com/article/CTX130496 to change the IP.

The console of the Management Service virtual machine can be reached by running the following command in the XenServer Dom0 shell (SSH or console):

xe vm-list params=name-label,dom-id name-label="Management Service VM"

Then run /usr/lib64/xen/bin/xenconsole <dom-id>
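The two commands above, as an added example rather than text from the article: a shell script to run on the XenServer Dom0 shell that parses the xe vm-list output for the exact name-label, refuses to attach if the VM is missing or halted (a halted VM reports dom-id -1), and otherwise execs xenconsole on the dom-id. The listing embedded in the script is constructed for this example; the xenconsole path is the one the article gives.

```shell
#!/bin/sh
# Added example, not from the article: find the Management Service VM's
# dom-id in "xe vm-list" output and attach to its console from Dom0.
# SAMPLE_VM_LIST is constructed for this example; XENCONSOLE is the path
# the article names.
#
# Usage: sh svm-console.sh attach

SVM_LABEL="Management Service VM"
XENCONSOLE=/usr/lib64/xen/bin/xenconsole

SAMPLE_VM_LIST='name-label ( RW)    : Management Service VM
    dom-id ( RO)    : 1


name-label ( RW)    : vpx-prod-01
    dom-id ( RO)    : 3


name-label ( RW)    : vpx-lab
    dom-id ( RO)    : -1'

# Read an "xe vm-list params=name-label,dom-id" listing on stdin and print the
# dom-id of the record whose name-label equals $1 exactly (not a prefix match).
dom_id_for() {
    awk -v want="$1" '
        /^name-label/ { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]*$/, ""); cur = $0; next }
        /^[ \t]*dom-id/ && cur == want {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }
    '
}

# A halted VM reports dom-id -1; only a non-negative integer is a live domain.
dom_running() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Query xe for the SVM and attach; fail cleanly if it is missing or halted.
svm_console() {
    id=$(xe vm-list params=name-label,dom-id name-label="$SVM_LABEL" | dom_id_for "$SVM_LABEL")
    if [ -z "$id" ]; then
        echo "no VM labelled '$SVM_LABEL' found" >&2; return 1
    elif ! dom_running "$id"; then
        echo "'$SVM_LABEL' is not running (dom-id $id); start it first" >&2; return 1
    fi
    exec "$XENCONSOLE" "$id"
}

if [ "${1:-}" = attach ]; then
    svm_console
fi
```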

SDX Platform Software Bundle

If your NetScaler SDX is still on 10.5 (build 57 or later) rather than 11.0 or newer, do the following first:

Go to Management Service > Software Images, and upload the Single Bundle for 12.0. The single bundle is around 1.3 GB.

On the left, click System. On the right, click Upgrade Management Service. Select the Single Bundle upgrade file you already uploaded.

Management Service will upgrade and reboot. A few minutes after that, XenServer will be upgraded. Be patient as there’s no notification that the box will reboot again.

Starting with SDX 11.0, all updates are bundled together and installed at once.

Make sure your Management Service (SVM) is running SDX 11.0 or newer.

Download the latest SDX Platform Software bundle from Downloads > NetScaler ADC > Release 12.0 > Service Delivery Appliances.

Login to the SDX Management Service, go to Configuration > System.

On the right, in the right column, click Upgrade Appliance.

Browse to the build-sdx-12.0.tgz software bundle, and click OK.

It should show you the estimated installation time. Check boxes next to the instances that need configs saved. Click Upgrade.

Click Yes to continue with the upgrade.

The Management Service displays installation progress.

Once the upgrade is complete, click Login.

If you click the Configuration tab, the Information page will be displayed showing the version of XenServer, Management Service (Build), etc.

DNS Servers

Older versions of SDX only let you enter one DNS server. To add more, do the following:

In the Management Service, on the left, click System.

On the right, click Network Configuration.

On the bottom, there’s a checkbox for Additional DNS that lets you put in more DNS servers.

Click OK when done.

Management Service NTP

On the Configuration tab, in the navigation pane, expand System, and then click NTP Servers.

To add a new NTP server, in the right pane, click Add.

In the Create NTP Server dialog box, enter the NTP server name (e.g. pool.ntp.org), and click Create.

Click Yes when prompted to restart NTP Synchronization.

In the right pane, click NTP Synchronization.

In the NTP Synchronization dialog box, select Enable NTP Sync. Click OK.

Click Yes when asked to restart the Management Service. This only restarts the SVM. Other instances on the same box won’t be affected.

Management Service Alerting

Syslog

On the Configuration tab, expand System > Auditing, and click Syslog Servers.

In the right pane, click the Add button.

Enter a name for the Syslog server.

Enter the IP address of the Syslog server.

Change the Choose Log Level section to Custom, and select log levels.

Click Create.

On the right is Syslog Parameters.

You can configure the Date Format and Time Zone. Click OK.

Mail Notification

On the Configuration tab, expand System > Notifications, and click Email.

In the right pane, on the Email Servers tab, click Add.

Enter the DNS name of the mail server, and click Create.

In the right pane, switch to the Email Distribution List tab, and click Add.

In the Create Email Distribution List page:

Enter a name for the mail profile.

Select the Email Server to use.

Enter the destination email address (distribution list).

Click Create.

System SNMP

Go to System > SNMP.

On the right, click Configure SNMP MIB.

Enter asset information, and click OK. Your SNMP management software will read this information.

Under the SNMP node, configure normal SNMP including: Trap Destinations, Managers, Alarms, etc.

MIBs can be downloaded from the Downloads tab.

Instance SNMP

The instances will send SNMP traps to the Service VM. To get alerted for these traps, in the Configuration page, in the navigation pane, expand NetScaler, expand Events, and click Event Rules.

On the right, click Add.

Give the rule a name.

Select the Major and Critical severities, and move them to the right.

Scroll down.

For the other sections, if you don’t configure anything then you will receive alerts for all of the devices, categories, and failure objects. If you configure any of them, then only the configured entities will be alerted.

Scroll down.

Click Save.

Select an Email Distribution List, and click Done.

Management Service nsroot Password and AAA

Change nsroot password

On the Configuration tab, in the navigation pane, expand System, expand User Administration, and then click Users.

On the right, in the Users pane, right-click the nsroot user account, and then click Edit.

In the Configure System User dialog box, check the box next to Change Password.

In Password and Confirm Password, enter the password of your choice. Click OK.

AAA Authentication

To enable LDAP authentication for the Service VM:

Go to Configuration > System > Authentication > LDAP.

In the right pane, click Add.

This is configured identically to NetScaler.

Enter a Load Balancing VIP for LDAP servers.

Change the Security Type to SSL, and Port to 636.

Scroll down.

Note: if you want to Validate LDAP Certificate, then there are special instructions for installing the root certificate on the SVM. See Installing CA certificates to the SDX/SVM for LDAPS user authentication at Citrix Discussions for details.

Enter the Base DN in LDAP format.

Enter the bind account in UPN format, or Domain\Username format, or DN format.

Check the box for Enable Change Password.

Click Retrieve Attributes, and scroll down.

For Server Logon Attribute, select sAMAccountName.

For Group Attribute, select memberOf.

For Sub Attribute Name, select CN.

To prevent unauthorized users from logging in, configure a Search Filter as detailed in the LDAP post. Scroll down.

Click Create.

Expand System, expand User Administration, and click Groups.

On the right, click Add.

In the Create System Group page:

Enter the case sensitive name of the Active Directory group.

Check the box next to System Access.

Configure the Session Timeout.

Click Create.

On the left, under System, click User Administration.

On the right, click User Lockout Configuration.

If desired, check the box next to Enable User Lockout, and configure the maximum logon attempts. Click OK.

On the left, under System, click Authentication.

On the right, click Authentication Configuration.

Change the Server Type drop-down to EXTERNAL, and click Insert.

Select the LDAP server you created earlier, and click OK.

Make sure Enable fallback is enabled, and click OK. Fallback lets the local nsroot account still log in if the LDAP server is unreachable or the configuration is wrong; before logging out of your nsroot session, test an LDAP login from a second browser session.

SSL Certificate and Encryption

Replace SDX Management Service Certificate

To replace the Management Service certificate:

PEM format: The certificate must be in PEM format. The Management Service does not provide any mechanism for converting a PFX file to PEM. You can convert from PFX to PEM by using the Import PKCS#12 task in a NetScaler instance.

On the left, click System.

On the right, in the left column, in the Set Up Appliance section, click Install SSL Certificate.

Select the certificate and key files in PEM format. If the key file is encrypted, enter the password. Then click OK.

The Management Service will restart. Only the SVM restarts; the NetScaler instances do not restart.
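Before uploading, it is worth confirming on your workstation that the two files really are PEM and that the key belongs to the certificate, since a mismatch only surfaces after the SVM restart. The script below is an added example (not the article's own code) that does those checks with openssl, handles an encrypted key by passphrase, and includes an openssl alternative to the Import PKCS#12 conversion mentioned above. File names and the presence of openssl locally are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own code: sanity-check a certificate/key
# pair on your workstation before uploading it with Install SSL Certificate.
# Assumptions: openssl is installed locally; file names are placeholders.
#
# Usage: sh check-svm-cert.sh <cert.pem> <key.pem> [key-passphrase]

# Return 0 if $1 contains a PEM block of type $2 (CERTIFICATE or PRIVATE KEY).
# The Management Service only accepts PEM, not DER or PFX.
is_pem() {
    grep -q -- "-----BEGIN .*$2-----" "$1" 2>/dev/null
}

# Print the public key (SPKI, PEM) carried by a cert or by a private key.
# Output is empty if openssl cannot parse the file or the passphrase is wrong.
pubkey_pem() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        key)  openssl pkey -in "$2" -passin "pass:${3:-}" -pubout 2>/dev/null ;;
    esac
}

# Return 0 only when both files are PEM and the key matches the certificate.
# Returns 2 for format problems, 1 for a mismatch or unreadable key.
pem_pair_matches() {
    cert=$1; key=$2; pass=${3:-}
    is_pem "$cert" CERTIFICATE || { echo "$cert: not a PEM certificate (convert PFX/DER first)" >&2; return 2; }
    is_pem "$key" "PRIVATE KEY" || { echo "$key: not a PEM private key" >&2; return 2; }
    c=$(pubkey_pem cert "$cert")
    k=$(pubkey_pem key "$key" "$pass")
    [ -n "$c" ] && [ -n "$k" ] && [ "$c" = "$k" ]
}

# Split a PFX into the cert and key PEM files the SVM wants (an alternative
# to the NetScaler instance's Import PKCS#12 task). $1 pfx, $2 pfx password,
# $3 cert output, $4 key output (written unencrypted: protect the file).
pfx_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:${2:-}" -clcerts -nokeys -out "$3" &&
    openssl pkcs12 -in "$1" -passin "pass:${2:-}" -nocerts -nodes -out "$4"
}

if [ "$#" -ge 2 ]; then
    if pem_pair_matches "$@"; then
        echo "certificate and key match; safe to upload"
    else
        echo "mismatch or unreadable input; do not upload" >&2
        exit 1
    fi
fi
```

The comparison is on the SubjectPublicKeyInfo rather than an RSA modulus so it works for EC keys too; a wrong passphrase simply yields an empty key side and therefore a mismatch rather than a hang, because -passin is always supplied.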

Force HTTPS to the Management Service

Connect to the SVM using HTTPS. You can’t make this upcoming change if you are connected using HTTP.

On the Configuration tab, click System.

On the right, click Change System Settings.

Check the box next to Secure Access Only, and click OK. This forces you to use HTTPS to connect to the Management Service.

SSL Encrypt Management Service to NetScaler Communication

From http://support.citrix.com/article/CTX134973: Communication from the Management Service to the NetScaler VPX instances is HTTP by default. If you want to configure HTTPS access for the NetScaler VPX instances, then you have to secure the network traffic between the Management Service and NetScaler VPX instances. If you do not secure the network traffic from the Management Service configuration, then the NetScaler VPX Instance State appears as Out of Service and the Status shows Inventory from instance failed.

Log on to the Management Service.

On the Configuration tab, click System.

On the right, click Change System Settings.

Change the Communication with NetScaler Instance drop-down to https, and click OK.

Run the following command on the NetScaler VPX instance, to change the Management Access (-gui) to SECUREONLY:

set ns ip <NSIP> -gui SECUREONLY

Or in the NetScaler instance management GUI, go to Network > IPs, edit the NSIP, and then check the box next to Secure access only.

SDX/XenServer LACP Channels

For an overview of NetScaler SDX networking, see Citrix CTX226732 Introduction to Citrix NetScaler SDX

To use LACP, configure Channels in the Management Service, which creates them in XenServer. Then when provisioning an instance, connect it to the Channel.

In the Management Service, on the Configuration tab, expand System, and click Channels.

On the right, click Add.

In the Create Channel page:

Select a Channel ID.

For Type, select LACP or STATIC. If the switch side is a Cisco vPC, LACP is required. The remaining types are for switch-independent load balancing, where the switch is not configured for a port channel.

In the Interfaces section, move the Channel Member interfaces to the right by clicking the plus icon.

In the Settings section, for LACP you can select Long or Short, depending on switch configuration. Long is the default.

Click Create when done.

Click Yes when asked to proceed.

The channel will then be created on XenServer.

VPX Instances – Provision

Admin profile

Admin profiles specify the nsroot user credentials for the instances. Management Service uses these nsroot credentials later when communicating with the instances to retrieve configuration data.

The default admin profile for an instance specifies a user name of nsroot, and the password is also nsroot. To specify a different nsroot password, create a new admin profile.

You can create a single admin profile that is used by all instances. To delegate administration, don’t give out the nsroot password to the instance administrators. One option is to enable LDAP inside the instance before granting access to a different department.

When creating an instance, there’s an option to create a non-nsroot account, which has almost the same permissions as nsroot but leaves out some SDX-specific features (e.g. interfaces). This is another option for delegating administration to a different team.

Or you can create different admin profiles for different instances, which allows you to inform the different departments the nsroot password for their VPX instances.

Important: Do not change the password directly on the NetScaler VPX instance. If you do so, the instance becomes unreachable from the Management Service. To change a password, first create a new admin profile, and then modify the NetScaler instance, selecting this profile from the Admin Profile list.

On the Configuration tab, in the navigation pane, expand NetScaler, and then click Admin Profiles.

In the Admin Profiles pane, click Add.

In the Create Admin Profile dialog box, set the following parameters:

Profile Name*—Name of the admin profile.

User Name—User name used to log on to the NetScaler instances. The user name of the default profile is nsroot and cannot be changed.

Password*—The password used to log on to the NetScaler instance. Maximum length: 31 characters.

Confirm Password*—The password used to log on to the NetScaler instance.

Use global settings for NetScaler communication – you can uncheck this box and change the protocol to https.

Click Create. The admin profile you created appears in the Admin Profiles pane.

Upload a NetScaler VPX .xva file

You must upload a NetScaler VPX .xva file to the SDX appliance before provisioning the NetScaler VPX instances. XVA files are only used when creating a new instance. Once the instance is created, use normal firmware upgrade procedures.

Download the NetScaler XVA (for XenServer) from the SDX Software Bundle Download Page. It’s in the Virtual Appliance section.

After downloading, extract the .gz file (use 7-zip). You can’t upload the .gz file to SVM. You must extract it first.

On the Configuration tab, in the navigation pane, expand NetScaler, and then click Software Images.

On the right, switch to the XVA Files tab, and then click Upload.

In the Upload NetScaler Instance XVA dialog box, click Browse, and select the
