Automating Your NetScaler 11.1 vServer Config Using NetScaler Management and Analytics System

This post has already been read 18653 times!

With the release of NetScaler 11.1 and NetScaler Management and Analytics System (NMAS) into beta at Citrix Synergy I have started to look at what we can achieve from the new versions of the NetScaler firmware and the NMAS appliance.

One of the features of NMAS that I think is really good is the Configuration Jobs.  This will allow you to automate tasks on a single NetScaler or a group of NetScalers and better still it will let you put variables into the script and gather user input prior to running the job.  This will allow you to generalize the script and run it on multiple instances!

In this article I will walk you through creating a Configuration job to build a StoreFront vServer running on port 443 and an http to https redirect server to ensure that traffic is always secure.

Before we start you need to ensure that your internal Root CA and StoreFront Certificates are pre-installed on the NetScaler

Pre Installed SSL Certificates

No existing Virtual Servers

So, once you have deployed and run the initial config on your NMAS appliance head over to the log in screen and log into the management interface

If you want help deploying NMAS for the first time check my post here

https://bretty.me.uk/netscaler-11-1-management-and-analytics-system-initial-setup-guide/

Navigate to Instances on the Infrastructure tab and ensure you have an instance linked and showing as green.

Further down the list click on Configuration Jobs and then click Create Job

When prompted enter the following commands.  There is a slight bug in the interface where by you cannot copy and paste the entire script into the window as it will not split the lines out.

Cope each line into a new SSH command as shown below

NOTE:  You will notice the variables in $dollars$ – make sure to paste these into the script window and we will re-define them later

add server web.$domain-name$ $web-server-ip$
add server storefront.$domain-name$ $storefront-vip-ip$
add server localhost.$domain-name$ 127.0.0.1
add service svc.always.up localhost.$domain-netbios$.local HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED cip-header -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add serviceGroup svc.grp.$domain-netbios$.storefront.443 SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add lb vserver vsvr.$domain-netbios$.storefront.443 SSL $storefront-vip-ip$ 443 -persistenceType NONE -cltTimeout 180
add lb vserver vsvr.$domain-netbios$.storefront.80 HTTP $storefront-vip-ip$ 80 -persistenceType NONE -cltTimeout 180
add responder action responder.act.http.to.https redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 302
add responder policy responder.pol.http.to.https HTTP.REQ.IS_VALID responder.act.http.to.https RESET
bind lb vserver vsvr.$domain-netbios$.storefront.80 svc.always.up
bind lb vserver vsvr.$domain-netbios$.storefront.443 svc.grp.$domain-netbios$.storefront.443
bind lb vserver vsvr.$domain-netbios$.storefront.80 -policyName responder.pol.http.to.https -priority 100 -gotoPriorityExpression END -type REQUEST
add lb monitor $domain-netbios$.storefront.secure STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED -secure YES -storename $storefront-store-name$
add lb monitor $domain-netbios$.localhost PING -LRTM DISABLED -destIP 127.0.0.1
bind service svc.always.up -monitorName $domain-netbios$.localhost
bind serviceGroup svc.grp.$domain-netbios$.storefront.443 web.$domain-name$ 443
bind serviceGroup svc.grp.$domain-netbios$.storefront.443 -monitorName $domain-netbios$.storefront.secure
bind ssl vserver vsvr.$domain-netbios$.storefront.443 -certkeyName $ssl-cert$
bind ssl vserver vsvr.$domain-netbios$.storefront.443 -certkeyName $root-cert$ -CA -ocspCheck Optional
bind ssl vserver vsvr.$domain-netbios$.storefront -eccCurveName P_256
bind ssl vserver vsvr.$domain-netbios$.storefront -eccCurveName P_384
bind ssl vserver vsvr.$domain-netbios$.storefront -eccCurveName P_224
bind ssl vserver vsvr.$domain-netbios$.storefront -eccCurveName P_521

Once the script is pasted we need to define the variables – highlight the first variable

hover over the variable with your mouse and click Convert To Variable

When the variable is converted double click it to define the details for the variable.

In Display Name enter the text you want to show the user as a prompt

Go though each variable in the script until its all complete

Once done click the Save as Configuration Template

Give the template a name and click on Save

You will notice that the Configuration Job is now available as a default template.  You can drag and drop this into the script windows for future deployments

Give your new job a name

Select the NetScaler instance you want to run the job on

You will be prompted for values for all the variables you have defined in the script

Fill the variables out

Click next, review the detail then run the job

You will see the status of the job running

Once complete you will see the Completed Status in the jobs window

If we switch back to our NetScaler you will see that the Virtual Servers have been created

If you check the vServer for port 80 you will notice that it has a responder policy to redirect traffic to port 443

That’s it, I have to say that I think this is a very powerful part of the NMAS appliance and cant wait to get more and more of my NetScaler build into it.

Hope this helps you out

Laters,

b@m