Configuring Authentication in NetScaler MAS
Users can be authenticated either internally by NetScaler MAS, externally by an authenticating server, or both. If local authentication is used, the user must be in the NetScaler MAS security database. If the user is authenticated externally, the user’s “external name” should match the external user identity registered with the authenticating server, depending on the selected authentication protocol.
NetScaler MAS supports external authentication by means of RADIUS, LDAP and TACACS protocols. This unified support provides a common interface to authenticate and authorize all the local and external authentication, authorization and accounting (AAA) server users who are accessing the system. NetScaler MAS can authenticate users regardless of the actual protocols they use to communicate with the system. When a user attempts to access a NetScaler MAS implementation that is configured for external authentication, the requested application server sends the user name and password to the RADIUS, LDAP or TACACS server for authentication. If the authentication is successful, the corresponding protocol is used to identify the user in NetScaler MAS.
You can authenticate your users in NetScaler MAS in two ways:
- By using NetScaler MAS local servers
- By using external authentication servers
The following flow chart shows the workflow to follow when you are authenticating local or external users:
NetScaler MAS supports various protocols to provide external Authentication, Authorization, and Accounting (AAA) services.
NetScaler MAS sends all authentication, authorization, and accounting (AAA) service requests to the remote RADIUS, LDAP, or TACACS+ server. The remote AAA server receives the request, validates the request, and sends a response back to NetScaler MAS. When configured to use a remote RADIUS, TACACS+, or LDAP server for authentication, NetScaler MAS becomes a RADIUS, TACACS+, or LDAP client. In any of these configurations, authentication records are stored in the remote host server database. Login and logout account name, assigned permissions, and time-accounting records are also stored on the AAA server for each user.
Additionally, you can use the internal database of NetScaler MAS to authenticate users locally. You create entries in the database for users and their passwords and default roles. You can also create groups of servers for specific types of authentication. The list of servers in a server group is an ordered list. The first server in the list is always used unless it is unavailable, in which case the next server in the list is used. You can configure servers of different types in a group, and you can also include the internal database as a fallback authentication backup to the configured list of AAA servers.
You can configure NetScaler MAS to authenticate user access with one or more RADIUS servers. Your configuration might require using a network access server IP (NAS IP) address or a network access server identifier (NAS ID). When configuring NetScaler MAS to use a RADIUS authentication server, use the following guidelines:
- If you enable use of the NAS IP address, the appliance sends its configured IP address to the RADIUS server, rather than sending the source IP address used in establishing the RADIUS connection.
- If you configure the NAS ID, the appliance sends the identifier to the RADIUS server. If you do not configure the NAS ID, the appliance sends its host name to the RADIUS server.
- If you enable the NAS IP address, the appliance ignores any NAS ID that is configured, and uses the NAS IP to communicate with the RADIUS server.
To configure a RADIUS authentication server:
In NetScaler MAS, navigate to System > Authentication > RADIUS.
On the RADIUS page, click Add.
On the Create RADIUS Server page, set the parameters and click Create to add the server to the list of RADIUS authentication servers. The following parameters are mandatory:
- Name. Name of the RADIUS server.
- IP Address. IP address of the RADIUS server.
- Port. By default, port 1812 is used for RADIUS authentication. You can specify a different port number if necessary.
- Time-out (seconds). Time, in seconds, that the NetScaler MAS system waits for a response from the RADIUS server.
- Secret Key. Any alphanumeric expression. This is the key that is shared between NetScaler MAS and the RADIUS server to enable communication.
Click Details to expand the section and set the additional parameters, and then click Create.
You can configure the NetScaler MAS to authenticate user access with one or more LDAP servers. LDAP authorization requires identical group names in Active Directory, on the LDAP server, and on NetScaler MAS. The characters and case must also match.
To configure an LDAP authentication server:
In NetScaler MAS, navigate to System > Authentication > LDAP.
On the LDAP page, click Add.
On the Create LDAP Server page, set the parameters and click Create to add the server to the list of LDAP authentication servers. The following parameters are mandatory:
- Name. Name of the LDAP server.
- IP Address. IP address of the LDAP server.
- Security Type. Type of communication required between the system and the LDAP server. Select from the drop-down list. If plain text communication is inadequate, you can choose encrypted communication by selecting either Transport Layer Security (TLS) or SSL.
- Port. By default, port 389 is used for LDAP authentication. You can specify a different port number if necessary.
- Server Type. Select Active Directory (AD) or Novell Directory Service (NDS) as the type of LDAP server.
- Time-out (seconds). Time, in seconds, for which the NetScaler MAS system waits for a response from the LDAP server.
You can provide additional details. You can also validate the LDAP certificate by selecting the Validate LDAP Certificate check box and specifying the host name to be entered on the certificate. Some of the additional parameters you can add are Domain Nameserver (DN) details for queries against a directory service, default authentication group, group attributes, and other attributes.
The base DN is usually derived from the Bind DN by removing the user name and specifying the group to which the users belong. In the Administrator Bind DN text box, type the administrator bind DN for queries to the LDAP directory.
Examples of syntax for base DN are:
Examples of syntax for bind DN are:
email@example.com (for Active Directory)
The group name and the name of the users that you define in NetScaler MAS must be similar to those configured on the LDAP server.
Note: While configuring a RADIUS or LDAP server, in the Details section, you can enter the name of a default authentication group. When authentication succeeds, this default group is used to authorize the user, regardless of whether the user is tied to a group. The user then receives a combination of the permissions configured on this default group and the other groups, whether or not the user is assigned to the group.
TACACS, like RADIUS and LDAP, handles remote authentication services for network access.
To configure a TACACS authentication server:
In NetScaler MAS, navigate to System > Authentication > TACACS.
On the TACACS page, click Add.
On the Create TACACS Server page, enter the following details:
- Name of the TACACS server
- IP address of the TACACS server
- Port and timeout (in seconds)
- The key that is shared by the system and the TACACS server for communication
If you are using local authentication, create users and then add them to groups that you create on NetScaler MAS. After configuring users and groups, you can apply authorization and session policies, create bookmarks, specify applications, and specify the IP address of file shares and servers to which users have access.
To configure local authentication in NetScaler MAS:
In NetScaler MAS, navigate to System > Authentication, and click Authentication Configuration.
On the Authentication Configuration page, select LOCAL from the Server Type drop-down box, and click OK.
When you configure external authentication servers in NetScaler MAS, the user groups that are authenticated on those external servers are imported into NetScaler MAS. You do not need to create users on NetScaler MAS. The users are managed on the external servers from NetScaler MAS. But you must ensure that the permission levels that the user groups have on the external authentication servers are maintained in NetScaler MAS. NetScaler MAS performs the authorization of users by assigning group permissions for access to specific load balancing virtual servers and to specific applications on the system. If an authentication server is later removed from the system, the groups and users will be automatically removed from the system.
To configure external authentication in NetScaler MAS:
In NetScaler MAS, navigate to System > Authentication > Authentication Configuration.
On the Authentication Configuration page, select EXTERNAL from the Server Type drop-down list.
On the External Servers page select an authentication server. Optionally, you can select multiple authentication servers to cascade.
Note: Only external servers can be cascaded.
Click OK to close the page.
The selected servers are displayed on the Authentication Servers page.
You can also specify the order of authentication by using the icon next to the server names to move servers up or down the list.
NetScaler MAS allows you to authenticate and authorize your users by creating groups and adding the users to the groups. A group can have either “admin” or “read-only” permissions and all users in that group will receive equal permissions.
In NetScaler MAS, a group is defined as a collection of users having similar permissions. A group can have one or multiple roles. A user is defined as an entity that can have access based on the permissions assigned. A user can belong to one or more groups.
You can create local groups in NetScaler MAS and use local authentication for the users in the groups. If you are using external servers for authentication, configure the groups on NetScaler MAS to match the groups configured on authentication servers in the internal network. When a user logs on and is authenticated, if a group name matches a group on an authentication server, the user inherits the settings for the group on NetScaler MAS.
After you configure groups, you can apply authorization and session policies, create bookmarks, specify applications, and specify the IP addresses of file shares and servers to which the user has access.
If you are using local authentication, create users and add them to groups that are configured on NetScaler MAS. The users then inherit the settings for those groups.
Note: If the users are members of an Active Directory group, the name of the group and the names of the users on NetScaler MAS must be the same as in the Active Directory group.
To configure user groups in NetScaler MAS:
In NetScaler MAS, navigate to System > User Administration > Groups.
On the Groups page, click Add to create a group. By default, two groups are created in NetScaler MAS, with permissions set to admin and read only. You can add your users to these groups, or you can create other groups for your users.
On the Create System Group page, type the name of the group, and set permissions either as admin or read-only.
Note: Make sure that the name of the user group created on NetScaler MAS is the same as on the external authentication servers. If not, the system will not recognize the group, and the group members will not be extracted into the system.
In the Users table, select the users that you want to add to the group. The users are added to this table when you configure users in Configuring Users in NetScaler MAS.
Another option that you can configure is Session Timeout, which sets a timeout limit for the sessions of the users in that group. You can also set the VM instances that can be accessed by the group members.
On the next screen, you can provide permissions to a particular NetScaler instance. This allows the users to access only that instance. But the users can still create a new instance in the system and manage that instance.
When you finish creating a group in the system, all the users in the external authentication server are extracted into the system. If the group name matches the group name on the external authentication server, the user inherits all the authorization definitions when logged on to the system.
You can create user accounts locally on NetScaler MAS to supplement the users on authentication servers. For example, you might want to create local user accounts for temporary users, such as consultants or visitors, without creating an entry for those users on the authentication server. If you are locally authenticating users that are present on external authentication servers, make sure that the same users are present on both the authenticating servers and NetScaler MAS.
To configure users in NetScaler MAS:
In NetScaler MAS, navigate to System > User Administration > Users.
On the Users page, click Add to add users to NetScaler MAS.
On the Create System User page, set the following parameters:
- User Name. Name of the user.
- Password. Password that the user will use to log on to NetScaler MAS.
- Enable External Authentication. Enable external authentication. If this is not enabled, the user will be authenticated as a local user.
- Configure Session Timeout. Time for which a user can remain active. This time period can be set in minutes or hours.
In the Groups table, select the group to which to add the user. The group members are added to this table when you configure groups in Configuring User Groups in NetScaler MAS.
Note: If the users are on Active Directory, make sure that the group name in NetScaler MAS is the same as the one for the Active Directory group on the external server.