Transcription

Workshop
Netscaler VPX from Express (free) to Platinum

All trademark names are property of their respective companies. Information contained in this publication has been obtained by Arrow ECS technical consultants considered to be reliable but is not warranted by Arrow ECS. This publication may contain opinions of Arrow ECS or consultants from Arrow ECS, which are subject to change over time without prior notice. References in this document to Arrow ECS brands and products or services do not imply that Arrow ECS intends to make them available in every country. Information is provided "AS IS" without warranty of any kind. Information concerning the mentioned products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement by Arrow ECS.

Citrix Netscaler VPX
ARROW ECS
Mokrane Hellal
Koen Warson
Belgium

Agenda
- Introducing Netscaler
- Netscaler VPX overview
- Netscaler Use Cases
- Q&A

Introducing Netscaler
- NetScaler Request Switching decouples each application request/response flow from the underlying transport
- Request Switching ensures the most efficient use of transport protocols and resources
- The NetScaler system manages the complete lifecycle of the request/response transaction

[Figure: NetScaler Request Switching Architecture. Labels: Internet, Layer 7 Packet Engine, Application 1, Application 2, Application 3]

HTTP 1.0 Transaction without a NetScaler System
[Diagram: packet exchange between Client and Server]
SYN, SYN ACK, ACK (Server allocates resources for connection)
GET
Data, Data, Data
FIN, ACK, FIN, ACK (Server de-allocates resources for the connection)
Server sees eleven packets

TCP Transaction with a NetScaler System
[Diagram: packet exchange between Client, NetScaler and Server]
SYN, SYN ACK, ACK
GET, GET
Data, Data, Data, Data, Data, Data
FIN, ACK, FIN, ACK
Server sees four packets

GUI overview : Let’s take a look!

Agenda
- Introducing Netscaler
- Netscaler VPX overview
- Netscaler Use Cases
  - Content-Aware Traffic Compression
  - Server Load-Balancing
- Q&A

Overview
Topics covered in these slides include:
- Overview of the NetScaler VPX
- Performance Differences Between MPX and VPX
- VPX Architecture
- Pay As You Grow Licensing

Overview of the NetScaler
NetScaler VPX
- Is a 32-bit virtual NetScaler system
- Is hosted on a XenServer
- Distributes, optimizes and secures Layer 4 to Layer 7 network traffic
- Performs application-specific traffic analysis
- Provides an effective execution of features, such as:
  - Load balancing
  - Compression
  - Secure Sockets Layer (SSL) offload
  - Application Firewall
  - Dynamic content caching

Identifying the Benefits of NetScaler VPX
NetScaler VPX can:
- Be deployed on-demand, anywhere
- Leverage dynamic data center processes
- Respond automatically to periods of high demand by dynamically provisioning more capacity for an existing Web application and vice versa
- Provide flexibility in licensing programs that meet the needs of the smallest business to the largest service providers

Identifying VPX Hardware Specifications
The recommended minimum hardware specifications to install NetScaler VPX on XenServer are:
- CPU: One or more x86 CPU with virtualization assist (Intel-VT or AMD-V) enabled and a 64-bit architecture
  Note: It may be necessary to manually enable the CPU virtualization feature through the system BIOS configuration
- RAM: Minimum 2 GB
- Network interface cards (NICs):
  - A single one gigabit NIC is required
  - Two NICs of one gigabit each is recommended

VPX Performance
Citrix offers five performance-based offerings of NetScaler VPX

VPX Offering / Standard / Enterprise / Platinum
VPX-1000 (1 Gbps)
VPX-200 (200 Mbps)
VPX-10 (10 Mbps)
VPX-Express (1 Mbps): No, No

Identifying VPX Performance Benchmarks
Performance benchmarks for NetScaler VPX

NetScaler VPX Performance*
Maximum HTTP throughput: 1 Gbps
Maximum compression: 750 Mbps
Maximum Application Firewall: 500 Mbps
Maximum SSL transactions/second: 500
Maximum SSL throughput: 1 Gbps
*Max performance subject to server used and subject to change

Differences Between MPX and VPX
- Two main differences exist between NetScaler MPX and VPX:
  - System capacity
  - Performance
- NetScaler VPX system capacity:
  - Does not include hardware specifically designed to support SSL acceleration
  - Can still terminate sessions but, unlike with NetScaler systems, the associated processing is not offloaded to dedicated silicon

Identifying When to Use a Physical or a Virtual NetScaler Appliance
Using VPX and MPX Together
- NetScaler VPX and NetScaler MPX can be deployed together to create a comprehensive, centrally managed web application delivery fabric
- NetScaler VPX instances can be deployed on an app-by-app basis, optimized specifically for the demands of each application
- NetScaler MPX appliances can be deployed at the datacenter edge to handle demanding network-wide tasks

Using VLANS on VPX
- NetScaler VPX supports port VLANs (Layer 2)
- VLAN configurations are useful when you need to restrict traffic to certain groups of stations
- When configured VLANs are bound to IP subnets and the VPX is the default router for these subnets, the NetScaler VPX performs IP forwarding between the VLANs

Using Tagged VLANS
- NetScaler tagged VLANs are not supported on NetScaler VPX
- Administrators need to configure tagged VLANs at the Hypervisor level

[Figure: Example: Physical NetScaler in Two-Arm Mode. Labels: Client, L2/L3, NetScaler, 1/1, L2, Servers]

[Figure: Example: NetScaler VPX in Two-Arm Mode. Labels: eth1, 1/4, vifN.3, 1/3, vifN.2, 1/1, vifN.0, N = dom ID, xenbr0, L2, Servers]

Pay As You Grow Licensing for NetScaler VPX
- The “pay as you grow” is based upon the ability to upgrade from one license to another
- NetScaler VPX is sold by bandwidth
- Customers are able to buy VPX licenses providing 10 Mbps, 200 Mbps or 1 Gbps of throughput
- For example, if a customer initially buys the 200 Mbps license, and then needs a 1 Gbps license, the customer can upgrade the license, and does not need to buy a 1 Gbps license “from scratch”

LAB TIME !!

Challenge Example I
Deliver SharePoint Applications toward users
- Optimize?
- Secure?
- Availability?

NetScaler in Sharepoint Environment
- Server Load Balancing
- HTTP Compression
- SSL Offload
- Integrated Caching

LAB TIME !!

Challenge example II
Secure Access to XenApp Applications
- Control of User?
- Control of Device?
- Control of Location?
- Availability?

NetScaler Access Gateway with Smart Access
[Figure: access levels. Full Access: all access methods, all applications & virtual channels. ICA Proxy Access: reduced applications & virtual channels. Web Access: minimal applications]

DEMO TIME !

Challenge Example III
Protect your Web server from hacking
- Secure?
- Inspect?
- Availability?

The Application Firewall Solution
Positive Security Model

WAF Security checks

One More Thing

Simplified Installation & Configuration
- ISV Partners/Citrix Deployment Guides - optimized settings
- NetScaler App Templates: import/export complete configurations
- AppExpert Community: freely share with colleagues
[Figure labels: Deployment Guides, Application Templates, AppExpert Community]

Netscaler VPX 9.2 coming
- XML Attachment Checks
- Enhancements
- Entity Expansion Attack Protection
- Soap Fault Filtering
- WSDL Scanning Prevention
- XPath Injection Protection
- Learning
- Monitoring Web Services
- XPATH
- JSON
- And more

DEMO/LAB TIME !
Let’s hack mybank

Q&A

Thank you and stay tuned for our next Workshops at http://www.arrowecs.be

WORKSHOP
Topic : Netscaler VPX from Express(free) to Platinum
Consultant(s) : Koen Warson, Mokrane Hellal
Customer (BP) : -
Sent to : Attendees
Page: 1/18
Date document : 26/02/2010
Ref. document : v.0.2

Introduction
In this workshop we would like to give the attendees a brief overview of Netscaler functionality. Of course this is only a basic overview and introduction to the Netscaler’s features and capabilities.

Environment
Connect to XenApp using http://xenapp5
Login : xxxxxx
Password : xxxxxx
Start a XenApp Desktop Session

The Netscaler VPXs run on a XenServer Hypervisor infrastructure :
XenServer IPs
192.168.1.23 for Netscaler VPX 1, 2 & 3
192.168.1.24 for Netscaler VPX 4, 5 & 6
192.168.1.25 for Netscaler VPX 7, 8 & 9
Login : xxxxxx
Password : xxxxxx

Netscaler IPs
Fields listed for each of Netscaler VPX1 to Netscaler VPX9: NSIP, Hostname, MIP, VIP1, Other IPs, VIP1 FQDN

Netscaler VPX1: .12 / 192.168.3.13 (for OWA SSL Offload) / 192.168.3.14
Netscaler VPX2: .3.22 / 192.168.3.23 (for OWA SSL Offload) / 192.168.3.24
Netscaler VPX3: 8.3.32 / 192.168.3.33 (for OWA SSL Offload) / 192.168.3.34
Netscaler VPX4: 8.3.42 / 192.168.3.43 (for OWA SSL Offload) / 192.168.3.44
Netscaler VPX5: 8.3.52 / 192.168.3.53 (for OWA SSL Offload) / 192.168.3.54
Netscaler VPX6: 8.3.62 / 192.168.3.63 (for OWA SSL Offload) / 192.168.3.64
Netscaler VPX7: 8.3.72 / 192.168.3.73 (for OWA SSL Offload) / 192.168.3.74
Netscaler VPX8: 8.3.82 / 192.168.3.83 (for OWA SSL Offload) / 192.168.3.84
Netscaler VPX9: 8.3.92 / 192.168.3.93 (for OWA SSL Offload) / 192.168.3.94 labs.local

Lab 1 : Netscaler VPX Initial Configuration and Setup

Upload Netscaler VPX to your Hypervisor (ESX or XenServer)
1. Download Netscaler VPX from the Citrix site s.asp?productID 21679
   There are 2 versions : 1 for vSphere 4 or ESX 3.5 and 1 for XenServer
2. Using this link you can also get an evaluation license
3. Uploading the Netscaler VPX to your hypervisor :
   a. For XenServer http://www.citrix.com/tv/#videos/535
   b. For ESX 3.5 http://www.citrix.com/tv/#videos/1718
   c. For ESXi http://www.citrix.com/tv/#videos/1284

Configure Mgmt IP address
1. Login to your hypervisor and take over the console of your Netscaler VPX.
   a. Open a session to the XenApp5 server (http://XenApp5)
   b. Login with your credentials (see separate page)
   c. Launch Desktop Session on XenApp5 (ICA-client/Citrix Online Plug-in is results.asp?productID 186&c1 sot2755
2. Open Citrix XenServer 5.5 Mgmt tool on the desktop
   a. Add your XenServer (see separate page for credentials and NSIP = NetScaler IP-address)
3. Go to the console of the virtual machine which runs your Netscaler and follow the wizard to configure the virtual appliance IP-address

Go through the initial setup wizard
1. Use a web browser and launch a HTTP or HTTPS session to your Netscaler VPX (for the IP-address you will use the NSIP)
   Login : nsroot
   Password : nsroot
2. Once logged in you will automatically get a setup wizard screen. If it does not appear, or if you want to re-run it afterwards, you can do so by clicking System
3. Click “Next” and check the Mgmt interface (SNIP) configuration.

4. Add a FQDN-hostname to the Netscaler (see separate page)
5. Add a SNIP or MIP (in this example use MIP, see separate page)
6. Click “Next”, choose “Skip”, click “Next”
7. Double check the entered data in the summary page and click “Finish”
8. Click “Exit”

Configure NTP Server and Time Zone
1. Login to the Web based Mgmt interface
2. Open hive “System” and click “Settings”
3. Click “Change Time Zone”
4. Select “GMT 2:00-CEST-Europe/Brussels”
5. Click “Save”
6. Open hive “System” and click “NTP Servers”
7. Click “Add”
8. NTP server : 192.168.1.2
9. Click “Create”
10. Change NTP server to : 192.168.1.3
11. Click “Create”
12. Click “Close”
13. Click “NTP Synchronisation OFF”
14. Click “Save”

Configure Licensing
1. Login to the Web based Mgmt interface
2. Open hive “System” and click “Licensing” and see which features are licensed.
3. Get License procedure :
   How to obtain a license : http://www.citrix.com/tv/#videos/1463
   using SSH : shell lmutil lmhostid
4. Upload license
5. Reboot
6. See the difference

Certificates

Create Certificates
If you create a certificate using a Windows CA you might need to convert it to the correct format. The next document describes how this works /support.citrix.com/article/ctx106631
You might need the OpenSSL toolkit for Windows for this htm

Upload Certificates
On the XenApp5 server desktop SSL certificates are stored for each Netscaler VPX.
There are several ways to upload the certificates; one of them is described below :
- Login to the Web based Mgmt interface
- Right click and select “Enable SSL feature”
- Click “Manage Certificates / Keys / CSRs” on the SSL configuration page
- Upload your Certificate files :
  o Private Key (which is normally generated locally on the box) : owavpx1 9.key (you can find it on the XenApp desktop)
  o Public Key : owavpx1.9.cer (you can find it on the XenApp desktop)
- Open hive “SSL” and click on “Certificates”

- Click “Add” and match the .key-file with the .cer-file.
- Click “Install” and close

Lab 2 : Make SSL Offload configuration for Outlook Web Access using AppExpert

AppExpert Templates
AppExpert Templates are templates that define the way a web application works and how the loadbalancing, rewrite, cs, waf, compression, should be configured.
You can make an AppExpert Template Definition and export it, which you can share so other users can re-use it without the need to analyse the application themselves.
You can find existing Citrix Netscaler AppExpert Templates here :
http://community.citrix.com/display/ns/AppExpert Templates
OWA, Sharepoint, SAP Enterprise SOA, Oracle EBS, Siebel, JD Edwards,
More documentation about the AppExpert functionality can be found here :
http://support.citrix.com/article/ctx121835
In the next little lab we will use an AppExpert template to SSL offload an Outlook Web Access.

Import AppExpert Template
- Run batch (this step is not always needed but for OWA it is)
  o Open hive “System” and click “Diagnostics”
  o Click “Batch configuration”
  o Click “Browse Local”
  o Browse to the desktop folder “Netscaler Workshop” and open “AppExpertOWA”
  o Select “OWAvpx1 9.batch” (make sure you have the matching number)
  o And click “Run”
  o If you would like to see the output, you can browse to “System” “Diagnostics” and click “Download core files”
  o Your batch-output-logfile can be downloaded from there.
- Import template
  o Go to “AppExpert” “Applications”
  o Click “Import”

  o Select the “OutlookWebAccessNS9.1.gz” file on the XenApp Desktop “Netscaler Workshop” folder
  o Click “OK”

Configure Endpoints : This is the listener that will take the SSL-connections from the users.
Configure Services : This is the configuration link to the back-end servers (in this case the Exchange Servers)
Configure Service Groups : This is the configuration link. Not needed in this config

- Configure Endpoints (listener)
  o Click “Add”
  o Name : owavpx1 9.arrowlabs.local
    IP : 192.168.3.x3
    Port : 443
    Go to SSL Settings and link the correct certificate

    Click “OK”
- Configure Services (back-end)
  o Click “Services”
  o Click “Add”
  o Service Name : owaback-end
    Server : 192.168.1.122 (IP of our Exchange server)

    Port : 80
    Add Monitor : http-ecv (This is a monitor which does more than just open a connection on port 80; it checks for a proper HTTP response, configurable in more detail)
  o Click “Create” and you get the screen below
  o Service Groups is not needed in this configuration.
  o Click “OK”

  o If you get a question to refresh, please do so by clicking “yes”.

Lab 3 : Web Application Firewall

Hack my bank site
In this lab we will show how to hack a badly protected website.
It is a demo-website : http://demo.testfire.net
The key example of a website full of vulnerabilities.
Let’s hack it with a SQL-injection
- Use your browser to go to : http://demo.testfire.net/
- Click “Sign-in”
- Type Username : “jsmith”
- Type Password : “test' OR '1'='1”
Thanks to this SQL injection you will see you can login without a password.

Let’s protect
- Use your web browser to go to the Mgmt GUI of your Netscaler
- Create the web service for the so-called back-end which is http://demo.testfire.net
  o Open hive “Load Balancing”
  o Click “Services”
  o Click “Add”
  o Servicename : demo.testfire.net
    Server : 65.61.137.117
    Port : 80

    Monitor : http-ecv
  o Click “Create”
  o Click “Close”
- Create the LB-listener
  o Open hive “Load Balancing”
  o Click “Virtual Servers”

  o Click “Add”
  o Click “Create”
  o Click “Close”
- Create WAF – Profile
  o Open hive “Application Firewall”
  o Click “Profiles”

  o Click “Add”
  o Fill in the dialog box and click “Create” and “Close”
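
Why the Lab 3 sign-in succeeds without a password, and the application-side fix that complements the Application Firewall profile, shown as an added example that is not part of the workshop material and not the demo site's code. The table, the stored password and the function names are constructed for illustration.

```python
import sqlite3

# The password string typed into the sign-in form in Lab 3.
PAYLOAD = "test' OR '1'='1"


def make_db():
    """In-memory table with one constructed account (not the demo site's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the demonstration short.
    db.execute("INSERT INTO users VALUES ('jsmith', 'constructed-secret')")
    return db


def build_query(username, password):
    """Vulnerable pattern: user input is pasted into the SQL text."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(db, username, password):
    # AND binds tighter than OR, so the injected "OR '1'='1'" makes the
    # WHERE clause true for every row and a row is always returned.
    return db.execute(build_query(username, password)).fetchone() is not None


def login_parameterized(db, username, password):
    # Placeholders send the values separately from the SQL text, so the
    # quote characters in PAYLOAD are compared as data, never parsed as SQL.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_query("jsmith", PAYLOAD))
    for name, check in (("string-built", login_vulnerable),
                        ("parameterized", login_parameterized)):
        print(name, "wrong password ->", check(db, "jsmith", "wrong"),
              "| lab payload ->", check(db, "jsmith", PAYLOAD))
```
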
