Automating Your NetScaler Configuration Using NetScaler Management and Analytics System 11.1

by David Brett, CTP

With the release of NetScaler 11.1 and NetScaler Management and Analytics System (NMAS) into beta at Citrix Synergy, I have started to look at what we can achieve from the new versions of the NetScaler firmware and the NMAS appliance.

One of the features of NMAS that I think is really good is Configuration Jobs. This will allow you to automate tasks on a single NetScaler or a group of NetScalers, and better still it will let you put variables into the script and gather user input prior to running the job. This will allow you to generalize the script and run it on multiple instances!

In this article I will walk you through creating a Configuration Job to build a StoreFront vServer running on port 443 and an HTTP to HTTPS redirect server to ensure that traffic is always secure.

Before we start you need to ensure that your internal Root CA and StoreFront Certificates are pre-installed on the NetScaler.

So, once you have deployed and run the initial config on your NMAS appliance, head over to the login screen and log into the management interface.

If you want help deploying NMAS for the first time check the post in the SIG on Initial NMAS Deployment.

01 - log into nmas

Navigate to Instances on the Infrastructure tab and ensure you have an instance linked and showing as green.

02 - instance to run job on

Further down the list click on Configuration Jobs and then click Create Job.

03 - configuration jobs

When prompted enter the following commands.  There is a slight bug in the interface whereby you cannot copy and paste the entire script into the window as it will not split the lines out.

Copy each line into a new SSH command as shown below.

NOTE:  You will notice the variables in $dollars$ – make sure to paste these into the script window and we will re-define them later.

add server web.$domain-name$ $web-server-ip$
add server storefront.$domain-name$ $storefront-vip-ip$
add server localhost.$domain-name$ 127.0.0.1
add service svc.always.up localhost.$domain-name$ HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED cip-header -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add serviceGroup svc.grp.$domain-netbios$.storefront.443 SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add lb vserver vsvr.$domain-netbios$.storefront.443 SSL $storefront-vip-ip$ 443 -persistenceType NONE -cltTimeout 180
add lb vserver vsvr.$domain-netbios$.storefront.80 HTTP $storefront-vip-ip$ 80 -persistenceType NONE -cltTimeout 180
add responder action responder.act.http.to.https redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 302
add responder policy responder.pol.http.to.https HTTP.REQ.IS_VALID responder.act.http.to.https RESET
bind lb vserver vsvr.$domain-netbios$.storefront.80 svc.always.up
bind lb vserver vsvr.$domain-netbios$.storefront.443 svc.grp.$domain-netbios$.storefront.443
bind lb vserver vsvr.$domain-netbios$.storefront.80 -policyName responder.pol.http.to.https -priority 100 -gotoPriorityExpression END -type REQUEST
add lb monitor $domain-netbios$.storefront.secure STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED -secure YES -storename $storefront-store-name$
add lb monitor $domain-netbios$.localhost PING -LRTM DISABLED -destIP 127.0.0.1
bind service svc.always.up -monitorName $domain-netbios$.localhost
bind serviceGroup svc.grp.$domain-netbios$.storefront.443 web.$domain-name$ 443
bind serviceGroup svc.grp.$domain-netbios$.storefront.443 -monitorName $domain-netbios$.storefront.secure
bind ssl vserver vsvr.$domain-netbios$.storefront.443 -certkeyName $ssl-cert$
bind ssl vserver vsvr.$domain-netbios$.storefront.443 -certkeyName $root-cert$ -CA -ocspCheck Optional
bind ssl vserver vsvr.$domain-netbios$.storefront.443 -eccCurveName P_256
bind ssl vserver vsvr.$domain-netbios$.storefront.443 -eccCurveName P_384
bind ssl vserver vsvr.$domain-netbios$.storefront.443 -eccCurveName P_224
bind ssl vserver vsvr.$domain-netbios$.storefront.443 -eccCurveName P_521

04 - add ssh commands

Once the script is pasted we need to define the variables – highlight the first variable.

05 - highlight text

Hover over the variable with your mouse and click Convert To Variable.

06 - convert to variable

When the variable is converted double click it to define the details for the variable.

07 - fill out variable info

In Display Name enter the text you want to show the user as a prompt.

08 - storefront server ip

Go through each variable in the script until it’s all complete.

09 - updated variables

Once done, click Save as Configuration Template.

10 - save as template

Give the template a name and click on Save.

11 - save details

You will notice that the Configuration Job is now available as a default template. You can drag and drop this into the script window for future deployments.

12 - template saved

Give your new job a name.

15 - give job a name

Select the NetScaler instance you want to run the job on.

16 - add instance

You will be prompted for values for all the variables you have defined in the script.

17 - blank variables

Fill the variables out, click next, review the detail, then run the job.

19 - review and complete
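
Because the variable values are pasted verbatim into CLI commands, it is worth checking them, and the script's object names, offline before the job runs. The following is an added example, not part of the original article or of NMAS: it renders a constructed excerpt of the script with sample values, rejects malformed IPs and names containing anything outside a conservative allow-list (an assumption, not an NMAS rule), and reports any bind that refers to an object no earlier add line created.

```python
import ipaddress
import re

# Constructed excerpt modelled on the job script (not the full script).
TEMPLATE = """\
add server web.$domain-name$ $web-server-ip$
add serviceGroup svc.grp.$domain-netbios$.storefront.443 SSL -usip NO
add lb vserver vsvr.$domain-netbios$.storefront.443 SSL $storefront-vip-ip$ 443
bind serviceGroup svc.grp.$domain-netbios$.storefront.443 web.$domain-name$ 443
bind lb vserver vsvr.$domain-netbios$.storefront.443 svc.grp.$domain-netbios$.storefront.443
bind ssl vserver vsvr.$domain-netbios$.storefront.443 -eccCurveName P_256
"""

VAR = re.compile(r"\$([A-Za-z0-9-]+)\$")
# Assumption: a conservative allow-list for names; not a rule taken from NMAS.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
PREFIXES = {"lb", "ssl", "responder"}  # first word of two-word object kinds

def render(template, values):
    """Validate every value, then substitute the $var$ placeholders."""
    missing = sorted(set(VAR.findall(template)) - set(values))
    if missing:
        raise ValueError(f"no value supplied for: {missing}")
    for name, value in values.items():
        if name.endswith("-ip"):
            ipaddress.ip_address(value)  # ValueError on a malformed address
        elif not SAFE_NAME.match(value):
            raise ValueError(f"unsafe value for {name}: {value!r}")
    return VAR.sub(lambda m: values[m.group(1)], template)

def undefined_targets(script):
    """Return (line, name) for binds whose object or positional member was never added."""
    defined, problems = set(), []
    for number, line in enumerate(script.splitlines(), 1):
        words = line.split()
        args = words[3:] if words[1:2] and words[1] in PREFIXES else words[2:]
        if not args or words[0] not in ("add", "bind"):
            continue
        if words[0] == "add":
            defined.add(args[0])
        else:
            refs = args[:1] + [a for a in args[1:2] if not a.startswith("-")]
            problems += [(number, r) for r in refs if r not in defined]
    return problems

# Constructed sample values (documentation address range, placeholder domain).
SAMPLE = {"domain-name": "example.local", "domain-netbios": "example",
          "web-server-ip": "192.0.2.10", "storefront-vip-ip": "192.0.2.20"}
if __name__ == "__main__":
    print(undefined_targets(render(TEMPLATE, SAMPLE)))
```

The check only follows names created by add lines, so a member bound by raw IP address would be reported and needs a manual look.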

You will see the status of the job running.

20 - job running

Once complete you will see the Completed Status in the jobs window.

21 - job complete

If we switch back to our NetScaler you will see that the Virtual Servers have been created.

22 - vservers up

If you check the vServer for port 80 you will notice that it has a responder policy to redirect traffic to port 443.

23 - responder policy

That’s it. I have to say that I think this is a very powerful part of the NMAS appliance, and I can’t wait to get more and more of my NetScaler build into it.

Hope this helps you out!
