Enabling Data Collection for NetScaler Gateway Appliances Deployed in Double-Hop Mode

Oct 30, 2015

Enabling Data Collection on NetScaler Insight Center

If you enable NetScaler Insight Center to collect ICA details from both appliances, the collected details are redundant: both appliances report the same metrics. To avoid this, enable AppFlow for ICA on the first NetScaler Gateway appliance and AppFlow for TCP on the second appliance. One appliance then exports ICA AppFlow records and the other exports TCP AppFlow records, which also saves the processing time spent parsing the ICA traffic.

To enable data collection for ICA traffic

  1. On the Configuration tab, click Inventory.
  2. From the inventory list, select the IP address of the appliance on which you want to enable data collection.
  3. On the NetScaler Insight Center Inventory Setup screen, in the Application List pane, from the View drop-down list, select VPN. A list of the SSL VPN virtual servers configured on the appliance populates a table with the following information about each virtual server:
    • IP Address—IP address of the virtual server
    • Name—Name of the virtual server
    • State—Current operational state of the virtual server. Can be UP or DOWN.
    • Type—Service type of the virtual server.
    • Insight—Data-collection status of the virtual server (ENABLED or DISABLED).
  4. Select the SSL VPN virtual server for which you want to enable data collection.
    Note: You can enable data collection on a virtual server only if the operational state of the virtual server is UP.
  5. From the Action drop-down list, select Enable Appflow.
  6. In the Enable AppFlow dialog box, from the Select Expression drop-down list, specify the traffic to be filtered.
    Note: Currently, the only expression supported is true.

    For more information on expressions, see Policies and Expressions.

  7. From the Export Option drop-down list, select ICA.
  8. Click OK to save the configuration. If data collection is enabled, the Insight column in the Application List table displays as enabled.
    Note: If AppFlow logging is not enabled for the respective services or service groups on the NetScaler appliance, the NetScaler Insight Center dashboard does not display the records, even if the Insight column shows Enabled.
  9. To return to the inventory list, from the Action drop-down, select Return to Inventory list.
 

To enable data collection for TCP traffic

  1. On the Configuration tab, click Inventory.
  2. From the inventory list, select the IP address of the appliance on which you want to enable data collection.
  3. On the NetScaler Insight Center Inventory Setup screen, in the Application List pane, from the View drop-down list, select VPN. A list of the SSL VPN virtual servers configured on the appliance populates a table with the following information about each virtual server:
    • IP Address—IP address of the virtual server
    • Name—Name of the virtual server
    • State—Current operational state of the virtual server. Can be UP or DOWN.
    • Type—Service type of the virtual server.
    • Insight—Data-collection status of the virtual server (ENABLED or DISABLED).
  4. Select the SSL VPN virtual server for which you want to enable data collection.
    Note: You can enable data collection on a virtual server only if the operational state of the virtual server is UP.
  5. From the Action drop-down list, select Enable Appflow.
  6. In the Enable AppFlow dialog box, from the Select Expression drop-down list, specify the traffic to be filtered.
    Note: Currently, the only expression supported is true.

    For more information on expressions, see Policies and Expressions.

  7. From the Export Option drop-down list, select TCP.
  8. Click OK to save the configuration. If data collection is enabled, the Insight column in the Application List table displays as enabled.
    Note: If AppFlow logging is not enabled for the respective services or service groups on the NetScaler appliance, the NetScaler Insight Center dashboard does not display the records, even if the Insight column shows Enabled.
  9. To return to the inventory list, from the Action drop-down, select Return to Inventory list.

Configuring NetScaler Gateway Appliances to Export Data

After you install the NetScaler Gateway appliances, you must configure the following settings on the NetScaler Gateway appliances to export the reports to NetScaler Insight Center:

  • Configure virtual servers of the NetScaler Gateway appliances in the first and second DMZ to communicate with each other.
  • Bind the NetScaler Gateway virtual server in the second DMZ to the NetScaler Gateway virtual server in the first DMZ.
  • Enable double hop on the NetScaler Gateway in the second DMZ.
  • Disable authentication on the NetScaler Gateway virtual server in the second DMZ.
  • Enable one of the NetScaler Gateway appliances to export ICA records.
  • Enable the other NetScaler Gateway appliance to export TCP records.
  • Enable connection chaining on both the NetScaler Gateway appliances.

Configuring NetScaler Gateway Using the command line interface

  1. Configure the NetScaler Gateway virtual server in the first DMZ to communicate with the NetScaler Gateway virtual server in the second DMZ.

    add vpn nextHopServer <name> <nextHopIP> <nextHopPort> [-secure (ON|OFF)] [-imgGifToPng] ...

    add vpn nextHopServer nh1 10.102.2.33 8443 -secure ON
    
  2. Bind the NetScaler Gateway virtual server in the second DMZ to the NetScaler Gateway virtual server in the first DMZ. Run the following command on the NetScaler Gateway in the first DMZ:

    bind vpn vserver <name> -nextHopServer <name>

     bind vpn vserver vs1 -nextHopServer nh1
    
  3. Enable double hop and AppFlow on the NetScaler Gateway in the second DMZ.

    set vpn vserver <name> [-doubleHop (ENABLED|DISABLED)] [-appflowLog (ENABLED|DISABLED)]

    set vpn vserver vpnhop2 -doubleHop ENABLED -appflowLog ENABLED
    
  4. Disable authentication on the NetScaler Gateway virtual server in the second DMZ.

    set vpn vserver <name> [-authentication (ON|OFF)]

    set vpn vserver vs -authentication OFF
    
  5. Enable one of the NetScaler Gateway appliances to export TCP records.

    bind vpn vserver <name> [-policy <string> -priority <positive_integer>] [-type <type>]

    bind vpn vserver vpn1 -policy appflowpol1 -priority 101 -type OTHERTCP_REQUEST
    
  6. Enable the other NetScaler Gateway appliance to export ICA records:

    bind vpn vserver <name> [-policy <string> -priority <positive_integer>] [-type <type>]

    bind vpn vserver vpn2 -policy appflowpol1 -priority 101 -type ICA_REQUEST
    
  7. Enable connection chaining on both the NetScaler Gateway appliances:

    set appFlow param [-connectionChaining (ENABLED|DISABLED)]

    set appflow param -connectionChaining ENABLED
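The bullet list above and the command-line steps that follow it describe a set of invariants that the two appliances must satisfy together (next-hop binding on the first hop, double hop with authentication off on the second, one ICA exporter and one TCP exporter, connection chaining on both). The script below is an added example, not Citrix code: it parses configuration lines written in the same add/bind/set syntax this page uses and reports which of those invariants fail, including the redundant-records case in which both appliances export the same record type. It assumes the lines come from a dump in that same syntax (for example the output of `show ns runningConfig`); the sample dumps are constructed from the commands on this page.

```python
# Added example (not Citrix code): check that a NetScaler Gateway double-hop
# pair is set up for non-redundant AppFlow export, using the CLI syntax shown
# on this page. Assumes the input is a dump in that same add/bind/set syntax
# (for example from `show ns runningConfig`); that is an assumption here.
import shlex

ICA, TCP = "ICA_REQUEST", "OTHERTCP_REQUEST"


def parse_args(tokens):
    """Split tokens into positional args and a {flag: value} dict (flag names lower-cased)."""
    positional, flags, i = [], {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and len(tok) > 1:
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            # A flag without a value (such as -imgGifToPng) is treated as switched on.
            flags[tok[1:].lower()] = tokens[i + 1] if has_value else "ON"
            i += 2 if has_value else 1
        else:
            positional.append(tok)
            i += 1
    return positional, flags


def parse_config(text):
    """Collect the double-hop-relevant settings of one appliance's configuration."""
    info = {"nexthop": {}, "vservers": {}, "export_types": set(), "chaining": None}
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if len(tokens) < 4:
            continue  # blank line or a command with no arguments
        head = " ".join(t.lower() for t in tokens[:3])
        pos, flags = parse_args(tokens[3:])
        if head == "add vpn nexthopserver" and len(pos) >= 3:
            info["nexthop"][pos[0]] = (pos[1], int(pos[2]), flags.get("secure", "OFF").upper())
        elif head == "bind vpn vserver" and pos:
            vs = info["vservers"].setdefault(pos[0], {})
            if "nexthopserver" in flags:
                vs["nexthop"] = flags["nexthopserver"]
            if "policy" in flags:  # AppFlow policy binding; its -type decides what is exported
                info["export_types"].add(flags.get("type", "").upper())
        elif head == "set vpn vserver" and pos:
            vs = info["vservers"].setdefault(pos[0], {})
            for key in ("doublehop", "authentication", "appflowlog"):
                if key in flags:
                    vs[key] = flags[key].upper()
        elif head == "set appflow param" and "connectionchaining" in flags:
            info["chaining"] = flags["connectionchaining"].upper()
    return info


def check_double_hop(first_dmz_cfg, second_dmz_cfg):
    """Return a list of findings; an empty list means the page's invariants all hold."""
    hop1, hop2 = parse_config(first_dmz_cfg), parse_config(second_dmz_cfg)
    findings = []
    # First DMZ: a vserver must be bound to a defined next-hop server (the second appliance).
    if not any(vs.get("nexthop") in hop1["nexthop"] for vs in hop1["vservers"].values()):
        findings.append("first DMZ: no vpn vserver is bound to a defined nextHopServer")
    # Second DMZ: double hop enabled, and authentication disabled on that vserver.
    double_hop = [vs for vs in hop2["vservers"].values() if vs.get("doublehop") == "ENABLED"]
    if not double_hop:
        findings.append("second DMZ: doubleHop is not ENABLED on any vpn vserver")
    elif any(vs.get("authentication", "ON") != "OFF" for vs in double_hop):
        findings.append("second DMZ: authentication must be OFF on the double-hop vserver")
    # Export split: each appliance exports exactly one record type, and not the same one,
    # otherwise both report the same metrics and Insight Center receives redundant records.
    kinds = []
    for label, hop in (("first DMZ", hop1), ("second DMZ", hop2)):
        types = hop["export_types"] & {ICA, TCP}
        if len(types) != 1:
            findings.append(f"{label}: expected exactly one of {ICA}/{TCP}, found {sorted(types)}")
        kinds.append(types)
        if hop["chaining"] != "ENABLED":
            findings.append(f"{label}: connectionChaining is not ENABLED")
    if kinds[0] and kinds[0] == kinds[1]:
        findings.append("both appliances export the same record type: redundant records")
    return findings


# Constructed sample dumps, built from the commands shown on this page.
FIRST_DMZ = """
add vpn nextHopServer nh1 10.102.2.33 8443 -secure ON
bind vpn vserver vs1 -nextHopServer nh1
bind vpn vserver vs1 -policy appflowpol1 -priority 101 -type OTHERTCP_REQUEST
set appflow param -connectionChaining ENABLED
"""
SECOND_DMZ = """
set vpn vserver vpnhop2 -doubleHop ENABLED -appflowLog ENABLED
set vpn vserver vpnhop2 -authentication OFF
bind vpn vserver vpnhop2 -policy appflowpol1 -priority 101 -type ICA_REQUEST
set appflow param -connectionChaining ENABLED
"""
# Misconfiguration: both hops bound to ICA_REQUEST, the redundant case described above.
FIRST_DMZ_BOTH_ICA = FIRST_DMZ.replace("OTHERTCP_REQUEST", "ICA_REQUEST")

if __name__ == "__main__":
    for name, pair in (("good pair", (FIRST_DMZ, SECOND_DMZ)),
                       ("both ICA", (FIRST_DMZ_BOTH_ICA, SECOND_DMZ))):
        print(name, check_double_hop(*pair) or "OK")
```

Run it against the two dumps of a real pair (one per appliance) after applying the steps above; an empty result means the configuration matches the procedure, and each finding names the hop and the setting to revisit.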
    

Configuring NetScaler Gateway Using the configuration utility

 

  1. Configure the NetScaler Gateway in the first DMZ to communicate with the NetScaler Gateway in the second DMZ and bind the NetScaler Gateway in the second DMZ to the NetScaler Gateway in the first DMZ.
    1. On the Configuration tab expand NetScaler Gateway and click Virtual Servers.
    2. In the right pane, double-click the virtual server, and in the Advanced group, expand Published Applications.
    3. Click Next Hop Server and bind a next hop server to the second NetScaler Gateway appliance.
  2. Enable double hop on the NetScaler Gateway in the second DMZ.
    1. On the Configuration tab expand NetScaler Gateway and click Virtual Servers.
    2. In the right pane, double-click the virtual server, and in the Basic Settings group, click the edit icon.
    3. Expand More, select Double Hop, and click OK.
  3. Disable authentication on the virtual server on the NetScaler Gateway in the second DMZ.
    1. On the Configuration tab expand NetScaler Gateway and click Virtual Servers.
    2. In the right pane, double-click the virtual server, and in the Basic Settings group, click the edit icon.
    3. Expand More, and uncheck Enable Authentication.
  4. Enable one of the NetScaler Gateway appliances to export TCP records.
    1. On the Configuration tab expand NetScaler Gateway and click Virtual Servers.
    2. In the right pane, double-click the virtual server, and in the Advanced group, expand Policies.
    3. Click the + icon. From the Choose Policy drop-down list, select AppFlow, and from the Choose Type drop-down list, select Other TCP Request.
    4. Click Continue.
    5. Add a policy binding, and click Close.
  5. Enable the other NetScaler Gateway appliance to export ICA records:
    1. On the Configuration tab expand NetScaler Gateway and click Virtual Servers.
    2. In the right pane, double-click the virtual server, and in the Advanced group, expand Policies.
    3. Click the + icon. From the Choose Policy drop-down list, select AppFlow, and from the Choose Type drop-down list, select the ICA request type (the equivalent of the ICA_REQUEST binding type used in the command-line procedure).
    4. Click Continue.
    5. Add a policy binding, and click Close.
  6. Enable connection chaining on both the NetScaler Gateway appliances.
    1. On the Configuration tab, navigate to System > Appflow.
    2. In the right pane, in the Settings group, click Change Appflow Settings.
    3. Select Connection Chaining and click OK.