Product Documentation

FAQs

Sep 27, 2017

This section provides the frequently asked questions on the following NetScaler MAS features. Click a feature name in the table below to view the list of FAQs for that feature.

Analytics Authentication Configuration Management
Certificate Management Event Management
Instance Management
Stylebook System Management
 

Analytics

How do I enable NetScaler MAS to monitor web-application and virtual-desktop traffic?

Navigate to Infrastructure > Instances, and select the NetScaler instance on which you want to enable analytics. Select Enable/Disable Insight from the Action drop-down list. In the Configure Insight page that opens, select all the virtual servers on which you want to enable analytics, and click Enable AppFlow. For more details, see How to Enable Analytics on Instances

Note: For NetScaler instances of 11.0 release, 65.30 build and above, there is no option on NetScaler MAS to enable Security Insight explicitly. Make sure that you configure the AppFlow parameters on the NetScaler instances, so that NetScaler MAS starts recieving the Security Insight traffic along with the Web Insight traffic. For more information on how to set the AppFlow parameters on NetScaler instances, see To set the AppFlow parameters by using the configuration utility.

After I add the NetScaler instances, does NetScaler MAS automatically start collecting analytical information? 

No. You must first enable analytics on the virtual servers hosted in NetScaler instances that are managed by NetScaler MAS. For more details, see How to Enable Analytics on Instances

Should I access the individual NetScaler appliance for enabling analytics? 

No. All configuration is done from the NetScaler MAS user interface, which lists the virtual servers hosted on the specific NetScaler instance. For more details, see How to Enable Analytics on Instances.

What are the types of virtual servers that can be listed on a NetScaler instance to enable analytics?

Currently, the NetScaler MAS user interface lists the following virtual servers for enabling analytics:

  • Load balancing virtual server
  • Content switching virtual server
  • VPN virtual server
  • Cache redirection virtual server 

How do I attach an additional disk to NetScaler MAS?

To attach an additional disk to NetScaler MAS:

1. Shut down the NetScaler MAS virtual machine.

2. In the hypervisor, attach an additional disk of the required disk size to NetScaler MAS virtual machine.

For example, for a NetScaler MAS virtual machine of 120 GB, if you want to increase its disk space to 200 GB, you then need to attach a disk space of 200 GB instead of 80 GB. Newly attached 200 GB of disk space will be used to store Database data, NetScaler MAS log files. The existing 120 GB disk space will be used to store core files, Operating system log files, and so on.

3. Start the NetScaler MAS virtual machine.

Authentication

What is load balancing of authentication requests?

The authentication-server load balancing feature enables NetScaler MAS to load balance the authentication requests that are directed to the external authentication servers. Load balancing the authentication servers ensures that the authentication load is split across multiple authentication servers and thus avoid an authentication server from being overloaded. You can create an authentication service to connect with and get user information from your existing external authentication server using the authentication protocols like LDAP, RADIUS, or TACACS.

Why do we need to cascade external authentication servers?

Cascaded external authentication servers provide uninterrupted authentication processing, allowing access to legitimate users if an authentication server fails. There is no limitation on which types of authentication servers you can cascade. You can have all RADIUS servers, or all LDAP servers, or a combination of RADIUS and LDAP servers.

How many external authentication servers can I cascade?

You can cascade up to 32 external authentication servers in NetScaler MAS.

Do I have an alternative when external authentication fails?

There could be a situation when external authentication completely fails, even when you have cascaded a number of servers. For example, the external servers could become unreachable, or a new user's credentials might not have been entered in any of the the external authentication servers. To prevent locking users out in such a situation, you can enable fallback local authentication. For more details, see Fallback Local Authentication.

What is fallback local authentication?

Fallback local authentication is an option to authenticate your users locally when external authentication fails. If external authentication fails, NetScaler MAS accesses the local user database to authenticate your users.

In NetScaler MAS, navigate to System > Authentication > Authentication Configuration. On this page, you can add multiple external authentication servers in a cascade, and you can select the Enable fallback local authentication option.

What is extraction of external user groups?

If you have added external servers for authenticating the users, you can import (extract) existing user groups into NetScaler MAS. You have to import user groups once and provide a group permission to a user group rather than importing individual users and giving them individual permissions. You do not have to recreate the users on NetScaler MAS.

Why do we need to assign group permissions?

When you are using the load balancing feature of NetScaler, you can integrate NetScaler MAS with external authentication servers, and import user group information from the authentication servers. Log in to NetScaler MAS and manually create same group information in NetScaler MAS and assign permission to those groups. The user and user group permission is managed in NetScaler MAS and not in the external server. The users have different role-based access permissions on the external servers. Configure the same permissions for the users in NetScaler MAS also. Instead of configuring permissions individually for each user, you can configure a group-level permission so that the user-group members can access specific services on the load balanced virtual servers. The typical permissions that you can assign are permissions to manage NetScaler instances, NetScaler SDX instances, virtual servers, and so on, so that the users of that group can manage only those instances or virtual servers. You can later edit the permissions given to the users at the group level. You can even remove one or more user groups; other group users still function on NetScaler MAS.

Configuration Management

Can I perform configuration across multiple NetScaler instances simultaneously using NetScaler MAS?

Yes, you can use configuration jobs to perform configuration across multiple NetScaler instances. 

What are configuration jobs on NetScaler MAS?

A job is a set of configuration commands that you can create and run on one or more managed instances. You can create jobs to make configuration changes across instances, replicate configurations on multiple instances on your network, and record-and-play configuration tasks using the NetScaler MAS GUI. You can also convert the recorded tasks into CLI commands.

You can use the Configuration Jobs feature of NetScaler MAS to create a configuration job, send email notifications, and check execution logs of the jobs created.

Can I schedule jobs using built-in templates in NetScaler MAS?

Yes, you can schedule a job by using the built-in template option. A job is a set of configuration commands that you can run on one or more managed instances. For example, you can use the built-in template option to schedule a job to configure syslog servers. You can choose to execute the job immediately, or schedule the job to be executed later.

You can save the configuration of a job that was previously created, and run the job again after modifying the commands, the parameters, the configuration source, and targeted instances. This is useful when the same set of commands has to be executed on a different instance, or when the job encounters an error and stops further execution.

Certificate Management

Does the deletion of SSL certificates from NetScaler MAS lead to deletion of certificates from NetScaler instances?

No

Event Management

How can I keep track of all the events that have been generated on my managed NetScaler instances using NetScaler MAS?

As a network administrator, you can view details such as configuration changes, log on conditions, hardware failures, threshold violations, and entity state changes on your NetScaler instances, along with events and their severity on specific instances. You can use the NetScaler MAS events dashboard to view reports generated for critical event severity details on all your NetScaler instances.

What are event rules?

Using NetScaler MAS, you can configure rules to monitor specific events. Event Rules make it easier to monitor a large number of events generated across your NetScaler infrastructure.

You can filter a set of events by configuring rules with specific conditions and assigning actions to the rules. When the events generated meet the filter criteria in the rule, the action associated with the rule is executed. 

The conditions for which you can create filters are severity, NetScaler instances, category, and failure objects. The actions you can assign to the events are sending an email notifications, forwarding SNMP traps from managed NetScaler instances to the NetScaler MAS, and sending an SMS notification.

Instance Management

What are data centers in NetScaler MAS?

A NetScaler MAS data center is a logical grouping of the NetScaler instances in a specific geographical location. Each server can monitor and manage several NetScaler instances within a data center.  You can use the NetScaler MAS server to manage data such as syslog, application traffic flow, and SNMP traps from the managed instances. For more details on configuring data centers, see How to Configure Data Centers for Geomaps in NetScaler MAS.

What are the different Citrix Appliances that are supported by NetScaler MAS?

Instances are the Citrix appliances or virtual appliances that you want to discover, manage, and monitor from NetScaler MAS. You must add these instances to the NetScaler MAS server. You can add the following Citrix appliances and virtual appliances to NetScaler MAS:

  • NetScaler MPX
  • NetScaler VPX
  • NetScaler SDX
  • NetScaler CPX
  • NetScaler Gateway
  • NetScaler SD-WAN WO
  • NetScaler SD-WAN EE

You can add instances either while setting up the NetScaler MAS server for the first time or at a later time.

What is an instance profile?

An instance profile is used by NetScaler MAS to access a particular instance.

An instance profile contains the user name and password for access to one or more instances. A default profile is available for each instance type. For example, the ns-root-profile is the default profile for NetScaler instances. It contains the default NetScaler administrator credentials. When you change the credentials required for access to instances, you can define custom instance profiles for those instances.

Can we add unlimited SD-WAN instances in NetScaler MAS? Can NetScaler MAS handle all scalar and vector counters for SD-WAN?

Currently, there is no license limit on SD-WAN instances that can be added to NetScaler MAS. NetScaler MAS has a set of built-in reports that internally polls both scalar and vector counters.

Can I rediscover multiple NetScaler VPX instances in NetScaler MAS?

Yes, you can rediscover multiple NetScaler VPX instances in NetScaler MAS to learn the latest states and configurations of the instances.

Navigate to Networks > Instances > NetScaler VPX, select the instances that you want to rediscover, and in the Action drop-down list click Rediscover. For more information, see  How to Rediscover Multiple VPX Instances.

Can NetScaler MAS be installed on NetScaler SDX?

No

Stylebooks

Can stylebooks be used to configure different NetScaler instances running on different versions of the NetScaler software?

Yes, you can use stylebooks to configure different NetScaler instances running on different versions if there is no discrepancy between the commands across different versions.

When a stylebook is used to configure multiple NetScaler instances at the same time, and configuration of one NetScaler instance fails, what happens?

If applying the configuration to a NetScaler instance fails, the configuration is not applied not any more instances, and already-applied configurations are rolled back.

Do NetScaler backups made through NetScaler MAS include configurations applied through Stylebooks?

Yes

System Management

Can I assign a host name to my NetScaler MAS server?

Yes, you can assign a host name to identify your NetScaler MAS server. To assign a host name, navigate to SystemSystem Administration > System Settings, and click Change Hostname.

The host name is displayed on the Universal license for NetScaler MAS. For more information, see How to Assign a Host Name to a NetScaler MAS Server.

Can I back up and restore my NetScaler MAS configuration?

Yes, you can back up configuration files (NTP files and SSL certificates), system data, infrastructure and application data, and all your SNMP settings. If your NetScaler MAS ever becomes unstable, you can use the backed up files to restore your NetScaler MAS to a stable state. 

To back up and restore your NetScaler MAS’s configuration, navigate to System Advanced Settings > Backup Files, and click Back Up or Restore as the case may be. For more information, see How to Back Up and Restore Configuration on NetScaler MAS.

Citrix recommends that you use this feature before performing an upgrade or for precautionary reasons.

What are Thresholds and Alerts on NetScaler MAS?

You can set thresholds and alerts to monitor the state of a NetScaler instance and monitor entities on managed instances.

When the value of a counter exceeds the threshold, NetScaler MAS generates an alert to signify a performance-related issue. When the counter value returns to the clear value specified in the threshold, the event is cleared.

Can I generate a technical support file for NetScaler MAS?

Yes. Citrix recommends that you generate an archive of NetScaler MAS data and statistics before contacting technical support for debugging an issue. The archive is a TAR file that you can send to the technical support team.

You can generate a technical support file that contains debug logs, duration for which debug logs were collected, and distinct and diverse logs from the NetScaler MAS database.

To configure and send a technical support file, navigate to System Diagnostics Technical Support, and then, click Generate Technical Support File. For more information, see How to Generate a Tech Support File for NetScaler MAS.

What is syslog purging?

Syslog is a standard protocol for logging. Syslog enables isolation of the system that generates information and the system that stores the information. You can consolidate logging information and derive insights from the collected data. You can also configure syslog to log different types of events.

To limit the amount of syslog data stored in the database, you can specify the interval at which you want to purge syslog data.  You can specify the number of days after which all Generic Syslog data, AppFirewall data, and NetScaler Gateway data will be deleted from NetScaler MAS.

Can I configure NTP server on NetScaler MAS?

You can configure a Network Time Protocol (NTP) server in NetScaler MAS to synchronize the NetScaler MAS clock with the NTP server. Configuring an NTP server ensures that the NetScaler MAS clock has the same date and time settings as the other servers on the network. 

To configure an NTP server, navigate to System NTP Servers, and then click Add. For more information, see How to Configure NTP Server on NetScaler MAS.

From which version is the NetScaler MAS active-passive HA deployment supported?

The NetScaler MAS active-passive HA deployment mode is supported from NetScaler MAS version 12.0 build 51.24.

I had a NetScaler MAS active-active HA setup and had configured a NetScaler appliance with load balancing virtual server on it for unified GUI access. How do I update this configuration?

After you upgrade the NetScaler MAS HA pair to active-passive mode, you have to run the following command on the NetScaler appliance to update the load balancing configuration:

add lb monitor MAS_Monitor TCP-ECV -send "GET /mas_health HTTP/1.1\r\nAccept-Encoding: identity\r\nUser-Agent: NetScaler-Monitor\r\nConnection: close\r\n\r\n\"" -recv "{\"statuscode\":0, \"is_passive\":0}" -LRTM DISABLED

Can I configure load balancing of the NetScaler MAS HA pair on a Netscaler Instance using port 443?

No, you cannot configure load balancing of the NetScaler MAS HA pair on a NetScaler Instance using port 443.

When you configure the http-ecv and https-ecv monitors on NetScaler, it does not monitor the NetScaler MAS HA nodes correctly.

Can a NetScaler MAS server backup file be used to restore the configuration of another NetScaler MAS server?

Yes

After NetScaler MAS backs up a NetScaler instance, can that backup file be used to restore the configuration of another NetScaler instance through NetScaler MAS?

Yes. Download the NetScaler MAS backup file, upload it into another NetScaler instance’s backup repository, and restore that instance. Make sure that the network information and authentication information do not conflict. For example, check for IP-address or port conflicts, mismatched password profiles. Also make sure that the restored VPX instance has the same NSIP address and NetScaler license as the one that was backed up.

Before restoring an instance in a high availability pair, make sure the IP addresses and state (primary or secondary) stored in the backup file match those of the original HA configuration. Also verify that the new primary and secondary have the same type of NetScaler license.

Can we force NetScaler MAS to use a SNIP address to communicate with the NetScaler instances, instead of using the NSIP address of the NetScaler MAS server?

Yes, you can add a SNIP address (with management enabled) in NetScaler MAS for communication with NetScaler instances.

When I back up NetScaler Instances in NetScaler MAS, is the result a full back-up or a basic back-up?

Backups of NetScaler instances by NetScaler MAS are full backups.

Is there a troubleshooting guide for NetScaler MAS?

Yes. See https://support.citrix.com/article/CTX224502.

How are NetScaler instances managed when a NetScaler MAS HA failover occurs?

If the heartbeat and SSH based check fails, the primary node is considered to be down and the secondary node takes over as the primary node. All the NetScaler instances are updated with the latest primary node details as their SNMP trap destination by default.

The new primary (active) NetScaler MAS node checks to determine whether the previously active node was configured as AppFlow collector or syslog server, if it was, the new primary adds the AppFlow collector or syslog server details to the information sent to the instances.

For syslog it replaces the old server details.

What happens when the NetScaler MAS HA node that went down comes back up?

After returning to service, the NetScaler MAS node remains passive unless the active node fails over

How are NetScaler instances distributed across NetScaler MAS HA nodes?

All the NetScaler instances are managed by the primary NetScaler MAS node.

How are virtual server licenses managed in case of NetScaler MAS HA failover?

If the NetScaler MAS primary node on which vServer licenses are applied goes down, the new primary node manages the vServer licenses for a grace period of 30 days. The licenses have to be reapplied on the new primary by the end of the grace period. For alternatives, contact Citrix support.

Is a load balancer mandatory for a NetScaler MAS HA setup?

No, but if there is no load balancer, NetScaler MAS nodes must be accessed through their own IP addresses. The passive node is marked with the tag “Passive,” and Citrix recommends not to create any configurations on the passive node.

localized image

Does NetScaler MAS support an external database?

No

Can a NetScaler instance that is being managed by NetScaler MAS be used as a Load balancer for NetScaler MAS HA?

Yes

What data is synchronized between NetScaler MAS HA nodes?

Complete NetScaler MAS database is synchronized, and the following folders are synchronized:

  • /var/mps/tenants/root/
  • /var/mps/ns_images/
  • /var/mps/sdx_images/
  • /var/mps/xen_nsvpx_images/
  • /var/mps/cbwanopt_images/
  • /var/mps/sdwanvw_images/
  • /var/mps/mps_images/
  • /var/mps/ssl_certs/
  • /var/mps/ssl_keys/
  • /mpsconfig/ssl/
  • /var/mps/backup/
  • /var/mps/esx_nsvpx_images/
  • /var/mps/locdb/