Citrix ADC MPX

Migrate the configuration of an existing Citrix ADC appliance to another Citrix ADC appliance

Before migrating to a new appliance, you must make some changes to the configuration of the old appliance before you copy the configuration to the new appliance.

Note: The following procedure does not apply to Citrix ADC FIPS appliances.

Migrate a configuration

  1. On the old appliance, create a backup copy of the configuration file (ns.conf).
  2. Use a vi editor to edit the configuration file that you backed up. For example, you might want to change the user name, host name, and password. Note: Remove all interface-related configuration, such as set interface, bind vlan, add channel, bind channel, and set channel.
  3. Shut down the old appliance.
  4. Perform initial configuration on the new appliance. Connect to the serial console, and at the command prompt type config ns to run the Citrix ADC configuration script. Enter parameter values, such as Citrix ADC IP address (NSIP) and subnet mask. For information about performing initial configuration by using the configuration utility (GUI) or the LCD keypad, see Initial Configuration.
  5. Restart the new appliance.
  6. Add a route on the new appliance. At the command prompt, type: add route <network> <netmask> <gateway>
  7. Copy the edited configuration file to the new appliance.
  8. Copy other relevant files, such as bookmarks, SSL certificates, and CRLs, to the new appliance. Return your feature license to the Citrix licensing portal and reallocate it on the new appliance. For more info about returning your licenses, see http://support.citrix.com/article/CTX131110. Note: The platform license is different for a new appliance.
  9. Restart the new appliance.
  10. Add the interface-related configuration specific to your new appliance, switch, and router, and save the configuration.

If you have a high-availability setup, you must perform the preceding procedure on both the nodes.

Migrate the configuration of a FIPS appliance

In the following steps, appliance A is the source appliance and appliance B is the target appliance.

  1. Initialize the FIPS card on appliance B. At the command prompt, type the following commands:

    reset fips
    Done
    
    reboot
    
    set fips -initHSM Level-2 so12345 so12345 user123 -hsmLabel NSFIPS
    
    This command will erase all data on the FIPS card. You must save the configuration (saveconfig) after executing this command. Do you want to continue?(Y/N)y
    
    Done
    

    Note: The following message appears when you run the set fips command:

    This command will erase all data on the FIPS card. You must save the configuration (saveconfig) after executing this command. [Note: On MPX/SDX 14xxx FIPS platform, the FIPS security is at Level-3 by default, and the -initHSM Level-2 option is internally converted to Level-3]  Do you want to continue?(Y/N)y
    
    saveconfig
    Done
    
    reboot
    
    reboot
    
  2. On appliance A, open an SSH connection to the appliance by using an SSH client, such as PuTTY.

  3. Log on to the appliance, using the administrator credentials.

  4. Initialize appliance A as the source appliance. At the command prompt, type:

    init ssl fipsSIMsource <certFile>
    

    Example:

    init fipsSIMsource /nsconfig/ssl/nodeA.cert

  5. Copy this <certFile> file to appliance B, in the /nconfig/ssl folder.

    Example:

    scp /nsconfig/ssl/nodeA.cert nsroot@198.51.100.10:/nsconfig/ssl

  6. On appliance B, open an SSH connection to the appliance by using an SSH client, such as PuTTY.

  7. Log on to the appliance, using the administrator credentials.

  8. Initialize appliance B as the target appliance. At the command prompt, type:

    init ssl fipsSIMtarget <certFile> <keyVector> <targetSecret>
    

    Example:

    init fipsSIMtarget /nsconfig/ssl/nodeA.cert /nsconfig/ssl/nodeB.key /nsconfig/ssl/nodeB.secret

  9. Copy this <targetSecret> file to appliance A.

    Example:

    scp /nsconfig/ssl/fipslbdal0801b.secret nsroot@198.51.100.20:/nsconfig/ssl

  10. On appliance A, enable appliance A as the source appliance. At the command prompt, type:

    enable ssl fipsSIMSource <targetSecret> <sourceSecret>
    

    Example: enable fipsSIMsource /nsconfig/ssl/nodeB.secret /nsconfig/ssl/nodeA.secret

  11. Copy this <sourceSecret> file to appliance B.

    Example: scp /nsconfig/ssl/fipslbdal0801b.secret nsroot@198.51.100.10:/nsconfig/ssl

  12. On appliance B, enable appliance B as the target appliance. At the command prompt, type:

    enable ssl fipsSIMtarget <keyVector> <sourceSecret>
    

    Example: enable fipsSIMtarget /nsconfig/ssl/nodeB.key /nsconfig/ssl/nodeA.secret

  13. Export the FIPS keys on appliance A.

    Example:

    export fipskey Key-FIPS-1 -key Key-FIPS-1.key

  14. Copy the key file to appliance B, in the /nconfig/ssl folder.

    Example:

    scp /nsconfig/ssl/nodeA.key nsroot@198.51.100.10:/nsconfig/ssl

  15. Import the FIPS keys on appliance B.

    Example:

    import fipskey Key-FIPS-2 -key Key-FIPS-2.key -inform SIM -exponent F4

  16. Copy the certificate files to appliance B, in the /nconfig/ssl folder.

    Example:

    scp /nsconfig/ssl/nodeA.cert nsroot@198.51.100.10:/nsconfig/ssl

  17. Copy the rest of the configuration from appliance A to appliance B.

Migrate the configuration of an existing Citrix ADC appliance to another Citrix ADC appliance