Microsoft ADFS proxy StyleBook
Microsoft™ ADFS proxy plays a significant role by providing single sign-on access to both internal federation-enabled resources and cloud resources. One example of a cloud resource is Office 365. The purpose of the ADFS proxy server is to receive requests and forward them to ADFS servers that are not accessible from the internet. The ADFS proxy is a reverse proxy and typically resides in your organization’s perimeter network (DMZ). It plays a critical role in remote user connectivity and application access.
NetScaler has the precise technology to enable secure connectivity, authentication, and handling of federated identity. Using NetScaler as ADFS proxy avoids the need to deploy an extra component in the DMZ.
The Microsoft ADFS Proxy StyleBook in NetScaler MAS allows you to configure an ADFS proxy server on a NetScaler instance.
The following image shows the deployment of a NetScaler instance as an ADFS proxy server in the enterprise DMZ.
- Caters to both load balancing and ADFS proxy needs
- Supports both internal and external user access scenarios
- Supports rich methods for pre-authentication
- Provides a single sign-on experience for users
- Supports both active and passive protocols
  - Examples of active protocol apps are Microsoft Outlook and Microsoft Skype for Business
  - Examples of passive protocol apps are Microsoft Outlook web app and web browsers
- Hardened device for DMZ-based deployment
- Adds value by using additional core NetScaler ADC features
  - Content Switching
  - SSL offload
  - Security (NetScaler AAA)
For active protocol-based scenarios, you can connect to Office 365 and provide your credentials. Microsoft Federation Gateway contacts the ADFS service (through the ADFS proxy) on behalf of the active protocol client. The gateway then submits the credentials using basic authentication (401). NetScaler handles the client authentication before access to the ADFS service. After authentication, the ADFS service provides a SAML token to the Federation Gateway. The Federation Gateway, in turn, submits the token to Office 365 to provide client access.
For passive clients, the ADFS Proxy StyleBook creates a Kerberos Constrained Delegation (KCD) user account. The KCD account is necessary for Kerberos SSO authentication to connect to the ADFS servers. The StyleBook also generates an LDAP policy and a session policy. These policies are later bound to the NetScaler AAA virtual server that handles the authentication for passive clients.
The StyleBook can also ensure that the DNS servers on the NetScaler are configured for ADFS.
The configuration section below describes how to set up NetScaler for handling both active and passive protocol-based client authentication.
The table below lists the minimum required software versions for this integration to be deployed successfully.
|Product|Minimum Required Version|
|---|---|
|NetScaler|11.0, Enterprise/Platinum License|
The following instructions assume that you have already created the appropriate external and internal DNS entries.
Deploying Microsoft ADFS proxy StyleBook configurations from NetScaler MAS
The following instructions assist you when implementing the Microsoft ADFS proxy StyleBook in your business network.
To deploy the Microsoft ADFS proxy StyleBook
In NetScaler MAS, navigate to Applications > StyleBooks. The StyleBooks page displays all the StyleBooks available for your use in NetScaler MAS.
Scroll down and find the Microsoft ADFS proxy StyleBook. Click Create Configuration. The StyleBook opens as a user interface page on which you can type the values for all the parameters defined in this StyleBook.
- Type values for the following parameters:
  - ADFS Proxy Deployment Name. Select a name for the ADFS proxy configuration deployed in your network.
  - ADFS Servers FQDNs or IPs. Type the IP addresses or FQDNs (domain names) of all ADFS servers in the network.
  - ADFS Proxy Public VIP IP. Type the public virtual IP address on the NetScaler that acts as an ADFS proxy server.
In the ADFS Proxy Certificates section, type the details of the SSL certificate and the certificate key.
This SSL certificate is bound to all the virtual servers created on the NetScaler instance.
Select the respective files from your local storage folder. You can also type in the private key password to load encrypted private keys in .pem format.
You can also select the Advanced Certificate Settings check box. Here you can type details such as the certificate expiry notification period, and enable or disable the certificate expiry monitor.
Optionally, you can select the SSL CA Certificate check box if the SSL certificate requires a CA public certificate to be installed on NetScaler. Ensure that you select “Is a CA Certificate” in the Advanced Certificate Settings section.
Enable authentication for active and passive clients. Type the DNS Domain Name used in Active Directory for user authentication. You can then configure authentication either for active or passive clients, or both.
Type the following details to enable authentication for active clients:
Note: It is optional to configure support for active clients.
ADFS Proxy Active Authentication VIP. Type the virtual IP address of the virtual authentication server on the NetScaler instance where the active clients are redirected for authentication.
Service Account Username. Type the service account user name used by NetScaler to authenticate your users to Active Directory.
Service Account Password. Type the password used by NetScaler to authenticate your users to Active Directory.
Configure authentication for passive clients by enabling the corresponding option and configuring the LDAP settings.
Note: It is optional to configure support for passive clients.
Type the following details to enable authentication for passive clients:
LDAP (Active Directory) Base. Type the base domain name for the domain in which the user accounts reside within Active Directory (AD) to allow authentication. For example, dc=netscaler,dc=com
LDAP (Active Directory) Bind DN. Add a domain account (using an email address for ease of configuration) that has privileges to browse the AD tree. For example, cn=Manager,dc=netscaler,dc=com
LDAP (Active Directory) Bind DN Password. Type the password of the domain account for authentication.
You must also type values for the following fields in this section:
LDAP Server (Active Directory) IP. Type the IP address of the Active Directory server so that AD authentication works correctly.
LDAP Server FQDN name. Type the FQDN of the Active Directory server. The FQDN is optional: provide either the IP address as in step 1 or the FQDN.
LDAP Server Active Directory port. By default, the TCP and UDP ports for the LDAP protocol are 389, whereas the TCP port for Secure LDAP is 636.
LDAP (Active Directory) login username. Type the username as “sAMAccountName.”
ADFS Proxy Passive Authentication VIP. Type the IP address of the ADFS proxy virtual server for passive clients.
Note: The fields marked with “*” are mandatory.
Optionally, you can also configure a DNS VIP for your DNS servers.
Click Target Instances and select the NetScaler instances to deploy this Microsoft ADFS proxy configuration. Click Create to create the configuration and deploy the configuration on the selected NetScaler instances.
Note: Citrix recommends that before executing the actual configuration, you select Dry Run. You can first view the configuration objects that are created on the target NetScaler instances by the StyleBook. You can then click Create to deploy the configuration on the selected instances.
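A pre-flight check for the passive-client LDAP values described in the steps above, to run before Dry Run or Create. This is an added example, not Citrix code: the dictionary keys and sample values are hypothetical and constructed, and comparing the LDAP base's dc= components with the DNS domain name is a heuristic based on the Active Directory naming convention.

```python
import ipaddress

def parse_dn(dn):
    """Return (attribute, value) pairs of a DN, or None if malformed (no escaped commas)."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not (sep and attr and value):
            return None
        pairs.append((attr.lower(), value.lower()))
    return pairs

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def check_passive_auth(cfg):
    """Return findings for the passive-client LDAP values; an empty list means clean."""
    findings = []
    base = parse_dn(cfg["ldap_base"])
    if base is None:
        findings.append("LDAP base is not a well-formed DN")
    elif ".".join(v for a, v in base if a == "dc") != cfg["dns_domain"].lower():
        findings.append("LDAP base dc= components do not match the DNS domain name")
    # The page allows the bind account in e-mail form; anything else must be a DN.
    if "@" not in cfg["bind_dn"] and parse_dn(cfg["bind_dn"]) is None:
        findings.append("Bind DN is neither an e-mail style name nor a well-formed DN")
    if not is_ip(cfg.get("ldap_ip", "")) and not cfg.get("ldap_fqdn"):
        findings.append("provide a valid LDAP server IP or an FQDN")
    if cfg["ldap_port"] == 389:
        findings.append("port 389 is plain LDAP; bind password is exposed without StartTLS")
    elif cfg["ldap_port"] != 636:
        findings.append(f"port {cfg['ldap_port']} is not a default LDAP port (389 or 636)")
    if cfg["login_name"] != "sAMAccountName":
        findings.append("login username attribute should be sAMAccountName")
    if not is_ip(cfg["passive_vip"]):
        findings.append("passive authentication VIP is not a valid IP address")
    return findings

# Constructed sample values; the keys are hypothetical, not StyleBook parameter names.
SAMPLE = {"dns_domain": "netscaler.com", "ldap_base": "dc=netscaler,dc=com",
          "bind_dn": "cn=Manager,dc=netscaler,dc=com", "ldap_ip": "192.0.2.10",
          "ldap_fqdn": "", "ldap_port": 389, "login_name": "sAMAccountName",
          "passive_vip": "198.51.100.20"}

if __name__ == "__main__":
    print("\n".join(check_passive_auth(SAMPLE)) or "no findings")
```

With the sample values, the only finding is the port 389 warning; switching the port to 636 returns an empty list.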
Several configuration objects are created when the ADFS proxy configuration is deployed on the NetScaler instance. The following image displays the list of objects created.