
Mastering NetScaler VPX

By Marius Sandbu, Andy Paul
About this book
Citrix NetScaler is one of the best Application Delivery Controller products in the world. The Application Delivery Controllers are commonly used for load balancing purposes, to optimize traffic, and to perform extra security settings. This book will give you an insight into all the available features that the Citrix NetScaler appliance has to offer. The book will start with the commonly used NetScaler VPX features, such as load balancing and NetScaler Gateway functionality. Next, we cover features such as Responder, Rewrite, and the AppExpert templates, and how to configure these features. After that, you will learn more about the other available Citrix technologies that can interact with Citrix NetScaler. We also cover troubleshooting, optimizing traffic, caching, performing protection using Application Firewall, and denying HTTP DDoS attacks for web services. Finally, we will demonstrate the different configuration principles in real-world Citrix NetScaler deployment scenarios.
Publication date: November 2015
Publisher: Packt
Pages: 218
ISBN: 9781785281730

 

Chapter 1. Configuring the Standard Features of NetScaler®

Welcome to the first chapter of this book. Throughout the course of this book, we will cover how to master Citrix NetScaler. This chapter will cover the most commonly used features of Citrix NetScaler.

Throughout this book, we will be focusing mostly on how to use the most common features of Citrix NetScaler. These features make Citrix NetScaler one of the best Application Delivery Controllers (ADCs). Which features are available depends on the installed license. So, to sum it up, here's what we will cover throughout this chapter:

  • Load balancing

  • The NetScaler Gateway

  • StoreFront integration

  • Authentication

 

The basic features


During the installation, you are required to install the purchased license; the installed license determines which functionality is available. The load balancing functionality is one of the most commonly used features in Citrix NetScaler. This is because of support from third-party vendors, which provide support and specific templates for particular services. These templates will be explained in the next chapter of this book. Besides load balancing, Citrix NetScaler is also capable of monitoring the backend servers it connects to, so traffic is only sent to a backend machine if that system is healthy. This monitoring functionality is integrated in the load balancing feature. Some monitoring configurations are preconfigured and can be adjusted if necessary. Uploading your own monitoring script is also possible. Furthermore, the NetScaler Gateway is one of the most commonly used features on Citrix NetScaler VPX. The NetScaler Gateway is used to allow access to the Citrix XenApp/XenDesktop environment using an ICA proxy.

To configure Citrix NetScaler, it's necessary to understand the traffic flow in it. Citrix NetScaler uses a few IP addresses to operate:

  • NSIP: This is the NetScaler IP address

  • MIP: This is the Mapped IP address

  • SNIP: This is the Subnet IP address

  • VIP: This is the Virtual IP address

NSIP

The NetScaler IP address is the IP address for management purposes and is also used for authentication. So, it is used as the source IP against LDAP, RADIUS, WebForm, SAML, and so on. NSIP supports SSH, HTTP, and HTTPS by default. Disabling management is possible, if necessary.

MIP

The Mapped IP address is the IP address that is used for connectivity to the backend servers. This IP type is still available, but it's recommended to use the SNIP instead. The Subnet IP is preferred by Citrix because it allows you to have connectivity between different subnets. When the appliance receives a packet, it replaces the source IP address with a MIP address before it sends the packet to the server. With the servers abstracted from the clients, the appliance manages connections more efficiently.

SNIP

The Subnet IP address is also an IP address that can be used for connectivity with the backend. A SNIP address is used in connection management and server monitoring. You can specify multiple SNIP addresses for each subnet. SNIP addresses can be bound to a VLAN. The latest firmware requires the use of SNIP during the installation wizard. SNIP is also used for DNS requests.

VIP

VIP is a Virtual IP address. This VIP address is used in every place where a client/server needs to communicate. The virtual IP is used in load balancing, AAA servers, access gateway virtual servers, and so on.

If you have multiple data centers that are geographically distributed, each data center can be identified by a unique GSLBIP.

Global Server Load Balancing Site IP Addresses (GSLBIPs) exist only on the NetScaler appliance.

IP set

An IP set is a set of IP addresses that are configured on the appliance as SNIP. An IP set is identified with a meaningful name that helps identify the usage of the IP addresses contained in it.

Net profile

A net profile (or network profile) contains an IP address or an IP set. A net profile can be bound to load balancing or content switching virtual servers, services, service groups, or monitors. During communication with physical servers or peers, the appliance uses the addresses specified in the profile as source IP addresses.

 

Load balancing


Load balancing is a feature that is implemented in most Citrix NetScaler environments. Load balancing allows you to load balance different backend servers with the same purpose, for example, a web shop. A large web shop requires more than one web server because of the heavy load from visiting users. With load balancing, Citrix NetScaler will load balance the traffic between the visiting users and the several backend servers. Besides load balancing, Citrix NetScaler can also monitor the backend server, for example, by checking whether the web server responds with HTTP status code 200.

In order to configure the load balancing service in Citrix NetScaler, you need the following:

  • Servers: This refers to the actual backend server that provides the information. In this case, it is an Apache web server.

    The IP address and server name are 10.0.10.234 for webserver01 and 10.0.10.125 for webserver02.

  • Service/service group: The service or service group is what provides the information to the user. A service is a particular server and a service group is a set of servers that provide the same information. We also bind a monitor to the service or service group, which checks the backend based on the configured monitor:

    • The service group's name is LB_SG_WebServer.

    • The members are LB_SRV_WebServer01 and LB_SRV_WebServer02.

    • The protocol used is HTTP and the port is 80.

    • The configured monitor in this case is the HTTP monitor. This monitor checks whether the web server responds with an HTTP 200 status code.

  • Virtual server: The load balancing virtual server is the virtual server that users connect to. Citrix NetScaler then connects to the selected backend server, which is configured in the service / service group, based on the configured persistence or load balancing method:

    • Virtual server name: The virtual server name is LB_VS_WebServer. This virtual server name is only for your own information; choose a virtual server name that identifies the service it's providing.

    • VIP address: This is the listening address of the load balancing service. In this example, its DNS record is https://www.abc.com, which points to the IP address 192.168.12.87.

    • Protocol and port: This is the responding protocol and port that the services respond to. Here, they are SSL and port 443.

    • Services or service groups: Select the proper service or service group responding with the load balancing service. This is the backend service that will be load-balanced. In the example, this would be service group LB_SG_WebServer.

    • Load balancing method: This option defines the load balancing method. There are a lot of options to select here. In this example, least bandwidth is used.

    • Persistence: This option defines the persistence. This persistence will be useful if you want the user to connect for a certain period of time to a particular backend server. In this case, it would be COOKIEINSERT.

Tip

Backup persistence

If the primary persistence can't be set, the backup persistence will be used, if configured. Use logical names for load balancing backend servers, services, service groups, and load balancing virtual servers. I prefer this so that it's always recognizable what the purpose of the item is. Some examples are LB_VS_ServiceName or LB_S_WebServer for a service, LB_SG_WebServers for service groups, and LB_SRV_ServerName for a backend server name.

So, in the default configuration, the user only has a web browser session with Citrix NetScaler, and Citrix NetScaler proxies the request to the backend server. Therefore, if the backend servers and Citrix NetScaler are in a demilitarized zone, the only firewall port open from other networks should be the listen port of the load balancing virtual server.

Tip

When Citrix NetScaler is in the demilitarized zone, make sure that the MIP or SNIP has access to the backend. This is the source IP address that Citrix NetScaler uses to connect to the backend.

Active/active load balancing

With active/active, you load balance at least two backend machines with the same functionality. To configure active/active load balancing, it's necessary to create services or service groups for all backend servers that will be used for load balancing. While configuring active/active with different weights, I recommend that you use services instead of service groups, because you need to adjust the weight per service. Configuring active/active load balancing requires at least two services or service groups. Adjusting the weight while configuring the load balancing will change the percentage of traffic that will be sent to the backend server. Services or service groups with higher values can handle more requests; services or service groups with lower values can handle fewer requests. Assigning weights to services or service groups allows the Citrix NetScaler appliance to determine how much traffic each load-balanced server can handle and, therefore, balance the load more effectively.

In order to use active/active load balancing, it's necessary to configure the right persistence based on the requirement. In the following table, you can find all the persistence types available in Citrix NetScaler. This table also shows which persistence type will be available for a certain protocol:

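| Persistence type | HTTP | HTTPS | TCP | UDP/IP | SSL_Bridge | SSL_TCP | RTSP | SIP_UDP |
|------------------|------|-------|-----|--------|------------|---------|------|---------|
| SOURCEIP         | YES  | YES   | YES | YES    | YES        | YES     | NO   | NO      |
| COOKIEINSERT     | YES  | YES   | NO  | NO     | NO         | NO      | NO   | NO      |
| SSLSESSION       | NO   | YES   | NO  | NO     | YES        | YES     | NO   | NO      |
| URLPASSIVE       | YES  | YES   | NO  | NO     | NO         | NO      | NO   | NO      |
| CUSTOMSERVERID   | YES  | YES   | NO  | NO     | NO         | NO      | NO   | NO      |
| RULE             | YES  | YES   | YES | NO     | NO         | YES     | NO   | NO      |
| SRCIPDESTIP      | YES  | YES   | YES | YES    | YES        | YES     | NO   | NO      |
| DESTIP           | YES  | YES   | YES | YES    | YES        | YES     | NO   | NO      |
| CALLID           | NO   | NO    | NO  | NO     | NO         | NO      | NO   | YES     |
| RTSPID           | NO   | NO    | NO  | NO     | NO         | NO      | YES  | NO      |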

Setting a SOURCEIP persistence type for the load balancing vserver LB_VS_WebServer through the command line can be done using this command:

set lb vserver LB_VS_WebServer -persistenceType SOURCEIP

In order to use the load balancing feature in a proper way, you should always select the right load balancing algorithms. Citrix NetScaler has a lot of built-in load balancing algorithms. These algorithms can be configured during the configuration of the load balancing virtual server and could be different from other load balancing virtual servers. The default load balancing algorithm is least connection. The different algorithms have been explained here:

  • Least connection: This is the default algorithm. The backend service with the fewest active connections is used.

  • Round robin: The first session will be connected to the service that is at the top of the list, the second session will be connected to the second service on the list, the third session will be connected to the third service, and so on. After the last service is connected, the connections will be started at the top of the list.

  • Least response time: The service that has the fastest response will be used.

  • URL hash: When a connection is made to a destination URL for the first time, Citrix NetScaler creates a hash of that URL and caches it. So, when the same destination URL is contacted again, Citrix NetScaler connects to the same backend service.

  • Domain hash: Citrix NetScaler creates a hash for every first connecting domain. This hash will be cached. So, frequent connections to the same domain will contact the same service. The hash will be fetched from the HTTP header or from the URL.

  • Destination IP hash: The destination IP hash will be created when a connection is made to an IP address for the first time. All traffic after the first connection will be forwarded to the same service.

  • Source IP hash: This is the same hash configuration as the destination IP hash, except that in this method the source IP is used.

  • Source destination IP hash: Citrix NetScaler creates a hash based on the source and destination IP.

  • Call ID hash: This creates a hash based on the call ID in the SIP header. This method makes sure that an SIP session is directed to the same backend server.

  • Source IP source port hash: Citrix NetScaler creates a hash based on the source and source port.

  • Least bandwidth: This method contacts the service that is currently using the least bandwidth.

  • Least packets: This method is based on the service with the fewest packets.

  • Custom load: This method allows a user to create custom weights.

  • Token: This method contacts the service based on a value from the configured expression.

  • LRTM: This method contacts the service based on the least response time of the services.

So, after you have chosen the correct persistence type and algorithm, you can build the load balancing virtual server.

Active/passive load balancing

Citrix NetScaler also supports active/passive load balancing. This basically means that you have an active load balancing virtual server and another load balancing virtual server that will be used for passive load balancing. So, when all the services or service groups on the primary load balancing virtual server stop running, Citrix NetScaler will automatically contact the backup load balancing virtual server. This functionality is widely used in environments with two different data centers, where one data center is passive. When the backend servers in the active load balancing virtual server come back online, they will be the primary backend servers again instead of the backup servers.

Load balancing StoreFront™

Citrix StoreFront is the replacement for Citrix Web Interface, which will reach end of life on June 30, 2018, if you have the software maintenance or subscription advantage. Otherwise, the end of life would be August 24, 2016. Besides, Citrix StoreFront allows you to work with the full-blown Citrix Receiver instead of only Receiver for Web. In order to load balance StoreFront, it is necessary that you install and configure Citrix StoreFront. To use the full-blown Citrix Receiver, it's necessary to configure Citrix StoreFront with an SSL certificate. This SSL certificate can be an internal certificate created by your own certificate authority, or it can be from a public certificate authority. When you are using your own certificate authority, for example, Microsoft, all clients will automatically trust the SSL certificate. Clients outside the Active Directory should install the root certificate to work with Citrix StoreFront and the full-blown Citrix Receiver.

In the following figure, you can find the most commonly used configuration for the load balancing of StoreFront:

Citrix NetScaler is a good load balancer for the Citrix StoreFront environment. It contains a monitor for checking whether the StoreFront store is running and fully functional. This monitor is way better than the regular HTTPS monitor, because Citrix NetScaler also verifies that StoreFront is healthy. A lot of other vendors / load balancers can't do this because they don't have the value that is needed. Also, make sure you use service groups instead of services. Because the StoreFront monitor isn't the default monitor, the first step in load balancing Citrix StoreFront is to create the monitor.

Go to Traffic Management | Load Balancing | Monitors, and click on Add. Select Type as STOREFRONT from the list, and go to the Special Parameters tab. Fill in the Store Name field, as shown in the following screenshot. The store name can be found in the StoreFront console under the Store menu. Also add the monitor name and click on Create, as shown here:

The monitor can also be created using a command-line interface. The command required would be as follows:

add lb monitor storefront_ssl STOREFRONT -storename myStore -storefrontacctservice YES -secure YES


The best way to create a load balancing environment is by starting from the bottom and going towards the top in the menu structure. In this way, you can create a decent name instead of the default names:

  1. First, we need to add the backend servers that are running StoreFront to the server list.

  2. The next step is to create a service group. This service group consists of the backend servers. Select the custom-made StoreFront monitor. This monitor will verify the StoreFront service even before the user connects to it. It's also possible to use the default monitor if you don't want any functionality checks. For troubleshooting or logging, it's very useful to have the client IP address. Because Citrix NetScaler operates as a load balancer, the source IP address to the backend servers will always be the SNIP. To have the client IP address as well, it's possible to insert the client IP into an HTTP header. This can be done while creating the service group. After you have added the backend servers, add the Settings menu on the right-hand side. Enable client IP and fill in the header box with X-Forwarded-For. Now, we are ready to create the load balancing virtual server.

  3. Go to Virtual Servers and click on Add. Enter an IP address, a port, and a protocol. After this step, add the service group that you created in the preceding step. Depending on the configuration and the user access, we configure the proper protocol. If we also need support for the Citrix Receiver, we should use the SSL protocol because the Citrix Receiver requires a trusted communication. If this is not necessary, the SSL certificate isn't required and we can use the HTTP protocol.

  4. The regular deployments are SSL setups. After the members, protocol, IP address, and port are configured, we need to configure the persistence. This allows the user to stay connected to the same StoreFront server while working. The recommended settings are COOKIEINSERT and a timeout value of 0. The value 0 means that there is no expiry time. By configuring another timeout value, for example, 2 minutes, the user can connect to another StoreFront server. When this happens, the user needs to log in again, because there is no session available. As backup persistence, select SOURCEIP with the proper timeout. The timeout can't be zero and must be at least 2 minutes. When using the SSL protocol, we also need to add the certificate that is required for the load balancing virtual server.

  5. When using SSL as the protocol, you should also consider disabling SSLv3 and enabling TLS 1.1 and TLS 1.2 on the load balancing virtual server. As of NetScaler 10.5 build 57.7 and higher, Citrix NetScaler supports TLS 1.1 and TLS 1.2 on the virtual appliance (VPX) as well. SSLv3 is an insecure SSL protocol and should be disabled. This SSLv3 vulnerability is called POODLE (https://en.wikipedia.org/wiki/POODLE).

  6. After creating the load balancing virtual server, the DNS record for the StoreFront base URL should be changed to the virtual IP from the load balancing virtual server.

Tip

When using Citrix StoreFront through SSL, configure the base URL and the load balancing virtual server, but bind the backend servers through HTTP. In this deployment, Citrix NetScaler performs SSL offloading. However, please be aware that the credentials will be sent in plain text between Citrix NetScaler and the backend environment.

If you get the Cannot complete your request warning after connecting, there could be many reasons for it. For some explanations and fixes, refer to http://support.citrix.com/article/CTX133904.

 

Configuring authentication


Citrix NetScaler supports authentication for load balancing and access gateway purposes. The load balancing authentication is called the authentication, authorization, and auditing (AAA) functionality in Citrix NetScaler. By enabling the AAA feature on the load balancing virtual server, you can provide an extra security layer. The load balancing feature is a good solution for reverse proxy deployments. Enabling AAA on load balancing provides the extra security that you prefer to use for some services. While implementing AAA, it's also possible to add extra security (for example, two-factor authentication) to services that support only Active Directory authentication. So, Outlook Web Access for Microsoft Exchange can be configured with Active Directory and two-factor authentication. The NetScaler AAA feature redirects a client that connects to a load balancing virtual server to the NetScaler AAA virtual server. After authentication, the client is sent back to the load balancing virtual server, which then shows the configured backend environment. So, the client connects to the load balancing virtual server for Microsoft Exchange, and NetScaler redirects the client to the NetScaler AAA virtual server. The client needs to log in. After successful authentication, NetScaler sends the client back to the load balancing virtual server.

Citrix NetScaler supports a lot of different methods of authentication. These methods can be used for NetScaler Gateway authentication or for load balancing virtual servers. The most common authentication methods will be described in the following sections.

Tip

Authentication, Authorization, and Auditing (AAA) is available in the Enterprise and Platinum NetScaler license.

LDAP integration

LDAP integration is a commonly used method of authentication in deployments. Almost all companies are using LDAP authentication in some way. In order to use LDAP authentication, there are some prerequisites, as follows:

  • A user account for "reading" the LDAP attributes

  • The IP addresses from the LDAP servers

  • How the user needs to log in (by username or e-mail address)

  • Whether all users need access through LDAP authentication or any particular LDAP group

  • Whether the LDAP server is responding with SSL or in PLAINTEXT

After you have the answers to these questions, you can start building the configuration.

Go to System | Authentication | LDAP | Servers, and click on Add. Fill in the correct information based on the following explanation:

  • Name: Select a decent name that corresponds to the LDAP server, for example, Pol_Srv-LDAP-LDAPS1.

  • Select Server Name or Server IP. Server Name needs the FQDN, and Server IP needs the IP address from the LDAP server.

  • Security Type: Select the available security type. It is preferable to use SSL because the credentials will not be sent in PLAINTEXT.

  • Server Type: Select AD for Microsoft Active Directory or NDS if you're using Novell.

  • Base DN: Fill in where Citrix NetScaler should look for users. If all the users are located in a particular organizational unit in Active Directory, that unit could be the Base DN. The less that needs to be searched, the faster Citrix NetScaler will respond to authentication requests. For example, a base DN for an organizational unit called Contoso Users in the contoso.com domain would look like CN=Contoso Users,DC=CONTOSO,DC=COM.

  • Administrator Bind DN: This is the username for the AD or NDS that can be used to query the domain. This user doesn't require any specific security; domain users are okay. The username can be written in the domain\username or the username@domain.suffix format.

  • BindDN Password: This is the password of the configured administrator account, corresponding to the username that has been filled in the Administrator Bind DN field.

  • Server Logon Name Attribute: Commonly, this value contains the sAMAccountName or UserPrincipalName Active Directory / NDS attribute. Using the UserPrincipalName value allows you to log in with the e-mail address. Otherwise, the username is required to log in.

  • Search Filter: This should be used if you'd like to allow access only for a particular Active Directory or NDS group. For example, you want to allow only the AAA_Allow group in the support OU to get the functionality to authenticate. The search filter would be memberOf=CN=AAA_Allow,OU=support,DC=contoso,DC=com. When a user is a member of this group, they will have access; otherwise, Citrix NetScaler will block the authentication. The source of this is http://support.citrix.com/article/CTX111079.

  • Group Attribute: This will be used for group extraction. It's also possible to bind NetScaler Gateway policies to user groups. This will be explained later in the book. The default group attribute in the Active Directory /NDS is memberOf.

  • Sub Attribute Name: This value is used to identify the subattribute name for group extraction.

  • SSO Name Attribute: This attribute is used when Single Sign On (SSO) is configured. Depending on the backend, it should be sAMAccountName or UserPrincipalName.
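The following added example (not from the book and not Citrix code) models how Base DN, Server Logon Name Attribute and Search Filter together decide which directory entry can authenticate. The combined filter form, the helper names and the three directory entries are assumptions constructed for illustration; note that memberOf only lists direct group memberships.

```python
# Added example: how Base DN, logon name attribute and search filter combine.
# Filter metacharacters that RFC 4515 requires to be escaped inside a value.
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

GROUP_FILTER = "memberOf=CN=AAA_Allow,OU=support,DC=contoso,DC=com"

# Constructed sample directory (attribute name -> list of values).
DIRECTORY = [
    {"dn": "CN=Alice,OU=support,DC=contoso,DC=com",
     "sAMAccountName": ["alice"], "userPrincipalName": ["alice@contoso.com"],
     "memberOf": ["CN=AAA_Allow,OU=support,DC=contoso,DC=com"]},
    # Bob is only in Helpdesk. Even if Helpdesk were nested inside AAA_Allow,
    # memberOf holds direct memberships only, so the filter would not match.
    {"dn": "CN=Bob,OU=support,DC=contoso,DC=com",
     "sAMAccountName": ["bob"], "userPrincipalName": ["bob@contoso.com"],
     "memberOf": ["CN=Helpdesk,OU=support,DC=contoso,DC=com"]},
    # Carol is in the group but lives outside OU=support.
    {"dn": "CN=Carol,OU=sales,DC=contoso,DC=com",
     "sAMAccountName": ["carol"], "userPrincipalName": ["carol@contoso.com"],
     "memberOf": ["CN=AAA_Allow,OU=support,DC=contoso,DC=com"]},
]


def escape_filter_value(value):
    """Escape a user-supplied value before placing it in an LDAP filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build_search_string(login_attr, username, search_filter=""):
    """Combine the configured search filter with the logon name lookup."""
    user_part = "(%s=%s)" % (login_attr, escape_filter_value(username))
    flt = search_filter.strip()
    if not flt:
        return user_part
    if not flt.startswith("("):
        flt = "(" + flt + ")"
    return "(&%s%s)" % (flt, user_part)


def under_base(dn, base_dn):
    """True when dn is the Base DN itself or located below it."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def find_user(directory, base_dn, login_attr, username, search_filter=""):
    """Return the DN of the single entry that may authenticate, else None."""
    want_attr = want_value = None
    if search_filter:
        want_attr, want_value = search_filter.strip("()").split("=", 1)
    hits = []
    for entry in directory:
        if not under_base(entry["dn"], base_dn):
            continue  # outside the Base DN: never searched
        logins = [v.lower() for v in entry.get(login_attr, [])]
        if username.lower() not in logins:
            continue  # logon name attribute does not match
        if want_attr is not None:
            values = [v.lower() for v in entry.get(want_attr, [])]
            if want_value.lower() not in values:
                continue  # not a direct member of the allowed group
        hits.append(entry["dn"])
    # Zero or several matches means the bind step cannot proceed.
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(build_search_string("sAMAccountName", "alice", GROUP_FILTER))
    for name in ("alice", "bob", "carol"):
        print(name, find_user(DIRECTORY, "OU=support,DC=contoso,DC=com",
                              "sAMAccountName", name, GROUP_FILTER))
```
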

Tip

Use SSL as the Security Type if possible. Besides being more secure, it also allows users to change their password remotely.

After creating the LDAP servers, it's time to configure the LDAP Policies. These policies are necessary in order to bind the LDAP servers to a service. Depending on the configuration, there are many ways to configure them. With expressions, it is possible to, for example, allow access for a specific client to a particular service. This will be done based on the source IP of the client and the destination IP of the particular service that you'd like to allow access to. The policy would be REQ.IP.SOURCEIP == 122.122.123.123 && REQ.IP.DESTIP == 192.168.100.14. In this example, the client with IP address 122.122.123.123 will be able to log in to the service 192.168.100.14.

It's also possible to add more than one LDAP authentication policy and bind them to the AAA or NetScaler Gateway authentication. This can be done by assigning priorities to the different policies. The LDAP policy with the lowest priority number will be checked first to see whether the expression matches. Otherwise, Citrix NetScaler will keep going down the list until it finds a match. If the policy matches but the server isn't responding within the configured timeout, Citrix NetScaler will automatically try the next policy in the list.

Two-factor integration

Citrix NetScaler allows you to support two-factor authentication in many ways. The most commonly used way of two-factor authentication is by using the RADIUS protocol.

Most two-factor authentication providers support the RADIUS protocol because it's a standard protocol.

The RADIUS protocol uses a few codes to indicate the authentication step, as follows:

| Code | Assignment |
|------|------------|
| 1 | Access-Request |
| 2 | Access-Accept |
| 3 | Access-Reject |
| 4 | Accounting-Request |
| 5 | Accounting-Response |
| 11 | Access-Challenge |

Depending on what the RADIUS server sends back, Citrix NetScaler will allow or deny the access to log in.
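As an added illustration (not from the book and not NetScaler's own code), the sketch below shows how a RADIUS client can turn a reply into an allow, deny or challenge decision: it reads the code from the header and first checks the RFC 2865 Response Authenticator, which is an MD5 over the reply, the original Request Authenticator and the shared secret. The secret, identifier, authenticator bytes and Reply-Message text are constructed sample values.

```python
import hashlib
import hmac
import struct

RADIUS_CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
}

# Constructed sample values; a real secret is configured on both sides.
SECRET = b"constructed-shared-secret"
REQUEST_ID = 42
REQUEST_AUTH = bytes(range(16))  # authenticator the client put in its request


def parse_header(packet):
    """Split a RADIUS packet into code, id, length, authenticator, attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the packet")
    return code, ident, length, packet[4:20], packet[20:length]


def response_authenticator(code, ident, attributes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, ident, attributes, request_auth, secret):
    """Build a reply the way a RADIUS server would (used for the samples)."""
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + auth + attributes


def reply_message(text):
    """Encode a Reply-Message attribute (type 18) as type, length, value."""
    data = text.encode("utf-8")
    return bytes([18, len(data) + 2]) + data


def classify_response(packet, request_id, request_auth, secret):
    """Return ALLOW, DENY, CHALLENGE or a DROP reason for a server reply."""
    code, ident, _length, auth, attributes = parse_header(packet)
    if ident != request_id:
        return "DROP: identifier mismatch"
    expected = response_authenticator(code, ident, attributes, request_auth, secret)
    if not hmac.compare_digest(auth, expected):
        return "DROP: bad authenticator"  # wrong secret or modified reply
    if code == 2:
        return "ALLOW"
    if code == 3:
        return "DENY"
    if code == 11:
        return "CHALLENGE"
    return "DROP: unexpected code %d" % code


if __name__ == "__main__":
    attrs = reply_message("constructed reply")
    for code in (2, 3, 11):
        pkt = build_response(code, REQUEST_ID, attrs, REQUEST_AUTH, SECRET)
        print(RADIUS_CODES[code], "->",
              classify_response(pkt, REQUEST_ID, REQUEST_AUTH, SECRET))
```

A reply that fails the authenticator check is discarded rather than treated as a reject, which is why a mismatched secret key on the two sides looks like a timeout instead of a failed login.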

Go to System | Authentication | RADIUS | Servers, and click on Add. Fill in the correct information based on the following explanation:

  • Name: Select a descriptive name that corresponds to the RADIUS server, for example, Pol_Srv-RADIUS-RADIUSS1.

  • Select Server Name or Server IP. Server Name needs the FQDN, and Server IP needs the IP address from the RADIUS server.

  • Port: This is the RADIUS port.

  • Time-out (seconds): This is the time that the RADIUS server has to respond to Citrix NetScaler.

  • Secret Key: On the RADIUS server, a RADIUS client should also be created. This RADIUS client configuration requires a shared key. This key will be created during the configuration at the RADIUS server. The secret key needs to be filled in this box.

  • NAS ID: By default, Citrix NetScaler will send the hostname from the device. With the NAS ID, Citrix NetScaler will send the identifier configured in this box.

  • Group Vendor Identifier: This is the RADIUS vendor ID attribute. It is used for RADIUS group extraction.

  • Group Prefix: This is the RADIUS group's prefix string. This group prefix precedes the group names within a RADIUS attribute for RADIUS group extraction.

  • Group Attribute Type: This is the attribute number that contains the group information.

  • Group Separator: This is the group separator string that delimits group names within a RADIUS attribute for RADIUS group extraction.

  • IP Address Vendor Identifier: This is the vendor ID of the Intranet IP attribute in the RADIUS response. The default value of 0 indicates that the attribute is not vendor encoded.

  • IP Address Attribute Type: This is the remote IP address attribute type in a RADIUS response.

  • Password Vendor Identifier: This is the vendor ID of the attribute in the RADIUS response. It is used to extract the user's password.

  • Password Attribute Type: This is the vendor-specific password attribute type in a RADIUS response.

  • Password Encoding: This is the encoding type for passwords in the RADIUS packets that the NetScaler appliance sends to the RADIUS server. Citrix NetScaler supports PAP, CHAP, MS-CHAPv1, and MS-CHAPv2. MS-CHAPv2 is the most secure method.

  • Accounting: This allows Citrix NetScaler to support accounting. It can be ON or OFF.

  • Default Authentication Group: This is the default group that is chosen when the authentication succeeds in addition to extracted groups.

Tip

When using RADIUS authentication, it's necessary to create a RADIUS client on the RADIUS server. This RADIUS client will be Citrix NetScaler. The RADIUS client's IP address would be the NetScaler IP (NSIP).

After creating the RADIUS servers, it's time to configure the RADIUS Policies. These policies are necessary for binding it to services.

It's also possible to add more than one RADIUS authentication policy and bind them to the AAA or NetScaler Gateway authentication. This can be done by assigning priorities to the different policies. The way of configuring is the same as that for binding the LDAP authentication policy.

Tip

Citrix wrote an article on how to configure Citrix NetScaler with Microsoft NPS. Microsoft NPS is the RADIUS server from Microsoft. A lot of third-party vendors have written plugins for NPS server. An article that can be used is http://support.citrix.com/article/CTX126691.

 

Configuring NetScaler® AAA


To allow extra security with authentication on the load balancing features, we should use the Citrix NetScaler AAA feature. With the following steps, we can secure a load balancing virtual server with two-factor authentication based on Web Form authentication:

  1. Go to Security | AAA - Application Traffic | Policies | Sessions | Session Profiles, and click on Add.

    Fill in the correct information based on the following explanation:

    • Name: Select a descriptive name that corresponds to the AAA Session Profile, for example, AAA-Pro-Session.

    • Session Time-out (mins): The timeout before Citrix NetScaler kills the session.

    • Default Authorization Action: This can be ALLOW or DENY. Select ALLOW.

    • Single Sign-on to Web Applications: Enable this if you want SSON in the backend.

    • Credential Index: Use the primary or secondary authentication policy for SSON.

    • Single Sign-on Domain: This will be the internal domain name from the AD or NDS.

    • HTTPOnly Cookie: Allow only an HTTP session cookie, in which case the cookie cannot be accessed by scripts.

    • Enable Persistent Cookie: You can enable or disable persistent SSO cookies for the traffic management (TM) session. A persistent cookie remains on the user device and is sent with each HTTP request.

    • Persistent Cookie Validity: This is an integer specifying the number of minutes for which the persistent cookie remains valid.

    • KCD Account: This is the Kerberos constrained delegation account name, used with Kerberos authentication.

    • Home Page: This is the web address of the home page that is displayed to a user when the authentication vserver is bookmarked and used to log in.

  2. Go to Security | AAA - Application Traffic | Policies | Sessions | Session Policies, and click on Add:

    • Name: Select a descriptive name that corresponds to the AAA Session Policy, for example, AAA-Pol-Session.

    • Request Profile: Select the profile created in step 1.

    • Expression: You can bind an expression. In this case, we use ns_true.

  3. Go to Security | AAA - Application Traffic | Virtual Servers, and click on Add. Fill in the correct information based on this explanation:

    • Name: Again, select a descriptive name that corresponds to the AAA virtual server, for example, AAA-Srv-TwoFactor.

    • IP Address Type: Select IP address, or non addressable if you want to use the content switching method.

    • Port: This is the AAA virtual server port. The default is 443.

    • Authentication Domain: This would be the domain from the public site, for example, contoso.com.

  4. Bind the certificate.

  5. Bind the session policy created in step 2.

  6. Bind the Basic Authentication Policies, Add LDAP as Primary, and add the RADIUS as Secondary. Click on Continue.

  7. Go to Security | AAA - Application Traffic | Authentication Profile, and click on Add. Fill in the correct information based on the explanations given here:

    • Name: Select a descriptive name that corresponds to the AAA virtual server, for example, AAA-AuthPol-TwoFactor

    • Authentication Host: This would be the FQDN where the NetScaler AAA virtual server would respond to, for example, twofactor.contoso.com.

    • Choose Authentication Virtual Server Type: Choose Authentication Virtual Server

    • Authentication Virtual Server: Select the Authentication Virtual Server created in step 3

    • Authentication Domain: This would be the domain from the public site, for example, contoso.com

    • Authentication Level: Fill in the value as 1 if you are using one authentication method, and 2 if you are using two-factor authentication

  8. Open the Load Balancing Virtual Server that you want to protect. Add the Authentication from the right-hand side of the page.

  9. Select Form Based Authentication or 401 Based Authentication. In this case, we're using Form Based Authentication. This is because we wish to use two-factor authentication:

    • Authentication FQDN: This is the FQDN from the NetScaler AAA virtual server, for example, twofactor.contoso.com.

    • Choose Authentication Virtual Server Type: Choose Authentication Virtual Server

    • Authentication Virtual Server: Select the Authentication Virtual Server created in step 3

    • Authentication Profile: Select the Authentication Policy created in step 7

  10. Now your Load Balancing Virtual Server is protected with the NetScaler AAA security.

 

Citrix Receiver™ authentication


If you want to use the Citrix Receiver functionality and Receiver for Web with the NetScaler Gateway environment as well, some changes should be made to the LDAP and RADIUS policies. You should make some adjustments to the expressions.

When a user contacts the NetScaler Gateway through the web browser, they will see three fields that need to be filled in.

The first box requires the username, the second requires the password, and the third requires the RADIUS code. This means that the LDAP authentication is primary and RADIUS is the secondary authentication. You can see this in the following screenshot:

When the user connects with Citrix Receiver, the authentication is different because Citrix Receiver verifies the RADIUS authentication as primary and the LDAP authentication as secondary.

In order to arrange this, we should create two different LDAP and RADIUS policies. The LDAP policies could be bound to the same LDAP server. The RADIUS policies could be bound to the same RADIUS server as well.

Follow these steps to arrange authentication through Citrix Receiver when using two-factor authentication:

  1. Create two LDAP policies:

    • Policy 1:

      Name: CitrixReceiver-DC1 (where DC1 is the domain controller name)

      Expression: REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

      Server: DC1

    • Policy 2:

      Name: NonCitrixReceiver-DC1 (where DC1 is the domain controller name)

      Expression: REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

      Server: DC1

  2. Create two RADIUS policies:

    • Policy 1:

      Name: CitrixReceiver-RADIUS1 (where RADIUS1 is the RADIUS server)

      Expression: REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

      Server: RADIUS1

    • Policy 2:

      Name: NonCitrixReceiver-RADIUS1 (where RADIUS1 is the RADIUS server)

      Expression: REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

      Server: RADIUS1

  3. Bind the NonCitrixReceiver-DC1 LDAP policy and the CitrixReceiver-RADIUS1 RADIUS policy as the primary authentication.

  4. Bind the CitrixReceiver-DC1 LDAP policy and the NonCitrixReceiver-RADIUS1 RADIUS policy as the secondary authentication.

When the user connects through Citrix Receiver, the authentication flow would first be CitrixReceiver-RADIUS1 as primary and CitrixReceiver-DC1 as secondary, because Citrix Receiver contains the User-Agent header with the CitrixReceiver value. All other non-Citrix Receiver users will authenticate with NonCitrixReceiver-DC1 as primary authentication and NonCitrixReceiver-RADIUS1 as secondary authentication.
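The added sketch below (an illustration, not from the book and not NetScaler code) models the four policies and their primary and secondary bindings, then audits that every client type ends up with the factor order described above. It also covers the earlier priority rule: policies are tried in ascending priority number, and a matching policy whose server is unreachable is skipped. The priority numbers, the User-Agent strings, the plain substring match and the NonCitrixReceiver-DC2 policy used in the fallback case are assumptions.

```python
from dataclasses import dataclass

MARKER = "CitrixReceiver"


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str       # "LDAP" or "RADIUS"
    contains: bool  # True: User-Agent CONTAINS marker, False: NOTCONTAINS
    server: str
    priority: int   # constructed value; lower number is evaluated first

    def matches(self, user_agent):
        # Assumption: CONTAINS is modelled as a plain substring test.
        return (MARKER in user_agent) == self.contains


# Bindings exactly as in steps 3 and 4 above.
PRIMARY = [
    Policy("NonCitrixReceiver-DC1", "LDAP", False, "DC1", 100),
    Policy("CitrixReceiver-RADIUS1", "RADIUS", True, "RADIUS1", 110),
]
SECONDARY = [
    Policy("CitrixReceiver-DC1", "LDAP", True, "DC1", 100),
    Policy("NonCitrixReceiver-RADIUS1", "RADIUS", False, "RADIUS1", 110),
]

# Constructed sample User-Agent values.
RECEIVER_UA = "CitrixReceiver/constructed-version Windows"
BROWSER_UA = "Mozilla/5.0 (constructed browser)"


def select(bank, user_agent, down=frozenset()):
    """First policy, by ascending priority, that matches and whose server is up."""
    for policy in sorted(bank, key=lambda p: p.priority):
        if policy.matches(user_agent) and policy.server not in down:
            return policy
    return None


def auth_flow(user_agent, primary=PRIMARY, secondary=SECONDARY, down=frozenset()):
    """Names of the policies used for the primary and secondary factor."""
    first = select(primary, user_agent, down)
    second = select(secondary, user_agent, down)
    return (first.name if first else None, second.name if second else None)


def expected_order(user_agent):
    """Receiver sends RADIUS first; a browser sends LDAP first."""
    return ("RADIUS", "LDAP") if MARKER in user_agent else ("LDAP", "RADIUS")


def audit(primary, secondary, agents=(RECEIVER_UA, BROWSER_UA)):
    """Report clients whose factor order differs from what they submit."""
    findings = []
    for ua in agents:
        first, second = select(primary, ua), select(secondary, ua)
        got = (first.kind if first else None, second.kind if second else None)
        if got != expected_order(ua):
            findings.append("%s: got %s, expected %s" % (ua, got, expected_order(ua)))
    return findings


if __name__ == "__main__":
    print(auth_flow(RECEIVER_UA))
    print(auth_flow(BROWSER_UA))
    print(audit(PRIMARY, SECONDARY))
```
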

Troubleshooting

For troubleshooting authentication, Citrix NetScaler provides a built-in tool that can be run from the CLI. Connect to the CLI with an SSH tool (PuTTY, for example). After logging in, type shell and then jump to the tmp location using cd /tmp. Run the following command after switching to the tmp location:

cat aaad.debug

This built-in tool will give us information about what's going wrong during authentication.

Besides the built-in tool, Citrix has also provided authentication troubleshooting logs in the GUI since NetScaler firmware release 11. So, if you are using Citrix NetScaler 11, troubleshooting through the CLI isn't necessary.

 

NetScaler Gateway™


NetScaler Gateway is the new name for the Citrix Access Gateway. Citrix changed the name because the access gateway is a feature from NetScaler. The NetScaler Gateway can be used for ICA Proxy. Also, Citrix released the functionality of using the NetScaler as an RDP Proxy in NetScaler 11. The RDP Proxy is available with Enterprise and Platinum licensing. Also, the NetScaler Gateway supports the secure browser-only access (CVPN) functionality. The NetScaler Gateway will be installed most of the time in the demilitarized zone, because this VIP will be used through the Internet.

Session policies

Session policies will be used after the authentication, if successful. Based on the configuration in the session policy, the connected user will get to see the resources, for example, the StoreFront web page or a connection through VPN. A session policy always contains two parts: the session policy and the session profile. The session profile indicates what NetScaler needs to show. The session policy is the policy that needs to match to display what is configured in the session profile.

The session profile contains a lot of options and can handle multiple configurations. So, based on screenshots, we will explain the options.

Tip

The Citrix NetScaler Gateway session settings can be configured on the global level and based on session policies. When settings are made on the global level, all configured settings will be set for all available NetScaler Gateway virtual servers. Using session policies, we can define settings that are different for every available NetScaler Gateway virtual server. So, while creating a session profile / session policy, make sure that the Override Global setting is selected to make adjustments for this particular setting.

The Network Configuration pane will not be used most of the time, so in this case, we will skip this part. Under the Client Experience pane, we have multiple settings that we can define. All of these settings will be explained next. Some of these settings are necessary for ICA Proxy, and some of them are used for VPN. The available settings under the Client Experience pane are as follows:

  • Home Page: This is used while connecting through a VPN setting. Configuring this setting will show the home page that is entered here.

  • URL for Web-Based Email: This setting is for users to log in to web-based e-mail solutions, for example, OWA.

  • Split Tunnel: With this setting, we can define whether all client traffic or only the traffic meant for destined servers in the network should go through the gateway in a VPN connection.

  • Session Time-out (mins): This configures how long Citrix NetScaler keeps the session active when there is no network traffic. This applies to ICA Proxy and VPN as well. Default time-out is 30 minutes.

  • Client Idle Time-out (mins): This defines how long NetScaler waits before it disconnects the session when there is no user activity. This only applies to NetScaler Gateway plugins.

  • Clientless Access: This defines whether the SSL-based VPN should be enabled or disabled.

  • Clientless Access URL Encoding: This setting allows us to change the visibility of the URL from internal web applications. The options are obscured, encrypted, or in clear text.

  • Clientless Access Persistent Cookie: This is needed for access to certain features when using clientless VPN.

  • Plug-in Type: This setting defines the kind of plugin offered to the user—whether it is Windows/Mac-based or Java-based. It is used for VPN connections.

  • Single Sign-on to Web Applications: This setting allows NetScaler Gateway to perform Single Sign-on to the configured web interface address.

  • Credential Index: This setting allows us to choose which authentication credentials are to be forwarded to the web application. Here, we can choose from the primary or the secondary authentication set.

  • Single Sign-on with Windows: This setting allows the NetScaler Gateway plug-in to authenticate using the Windows credentials.

  • Client Cleanup Prompt: This is a prompt for client-side cache cleanup when a client-initiated session closes. This feature is not available for mobile devices.

In the Security pane, all that we need to do is make sure that the Default Authorization Action option is set to Allow. This ensures that the users are actually allowed to log in and access the resources. The Secure Browse option will be used in combination with Citrix XenMobile only. This option allows users to connect through NetScaler Gateway to network resources from iOS and Android mobile devices with Citrix Receiver. Users do not need to establish a full VPN tunnel to access the resources in the secure network. The Smartgroup option will be used for Endpoint Analysis (EPA). This option contains the group in which the user is placed when the session policy associated with this session action succeeds. The VPN session policy will do the post-auth EPA check, and if the check succeeds, the user will be placed in the group specified with smartgroup.

Next, we have the Published Applications pane. This is where we enter the information needed to access our Citrix environment. The following are the settings:

  • ICA Proxy: This setting allows us to define whether the virtual server should be used as ICA Proxy through SSL or not.

  • Web Interface Address: This box contains the URL to the Citrix Web Interface or the Citrix StoreFront Receiver for Web URL.

  • Web Interface Portal Mode: This setting allows you to define whether the configured web interface should appear with full graphical experience or in compact view.

  • Single Sign-on Domain: This setting defines the AD or NDS domain that will be used for single sign-on.

  • Citrix Receiver Homepage: This setting will be used for a client's connection to a Citrix Receiver that doesn't support Citrix StoreFront. This box contains another URL for the client to connect to.

  • Account Services Address: This setting will be used for e-mail-based account discovery for Citrix Receiver. The URL must be in the form of https://<StoreFront/AppController URL>/Citrix/Roaming/Accounts. This requires that the DNS be properly configured because there should be some SRV DNS records created, and it requires a wildcard certificate, or a certificate that contains discoverReceiver.domain in the Subject or Subject Alternative Name entry. For more information, refer to https://www.citrix.com/blogs/2013/04/01/configuring-email-based-account-discovery-for-citrix-receiver/

After creating the session profiles, there should also be a session policy created in order to bind this to a NetScaler Gateway virtual server. As we want all users to be bound to this policy, we use the ns_true general expression, as shown in the following screenshot:

After the session policies have been created, the NetScaler Gateway virtual server can be created. Follow these steps to create a NetScaler Gateway virtual server:

  1. Go to NetScaler Gateway | Virtual Server, and click on Add.

    Fill in the correct information based on the following explanation:

    • Name: Select a descriptive name that corresponds to the NetScaler Gateway virtual server, for example, VS_CAG_Server1.

    • IP Address Type: Select the corresponding IP address.

    • Port: Select the proper port. The default is 443.

    • Select ICA Only if you're using only ICA traffic. Otherwise leave this unselected. If you are not using the ICA Only mode, it's necessary to have the Citrix Universal Gateway license installed on Citrix NetScaler.

  2. Bind the proper certificate.

  3. Configure the proper authentication methods.

  4. Then bind the session policies.

  5. Configure the published application.

After these steps, we will have a fully configured NetScaler Gateway function on Citrix NetScaler. Citrix StoreFront needs to be configured as well in order to use pass-through authentication through the NetScaler Gateway.

Tip

Disable SSLv3 and enable TLS1.1 and TLS1.2 for security purposes. Also make sure that the RC4 SSL ciphers are removed. RC4 and SSLv3 are security weaknesses and need to be disabled right away.

If we wish to use the HTML5 Citrix Receiver, it's necessary to enable the Enable WebSocket connections option in the HTTP profile in Citrix NetScaler.

Integration StoreFront™

To use Citrix StoreFront with the NetScaler Gateway, we need to create session policies on the NetScaler Gateway and configure Citrix StoreFront for pass-through authentication through it. We will start by creating session profiles / session policies on the NetScaler Gateway.

Tip

Citrix StoreFront always wants to use pass-through for Citrix NetScaler, even when the authentication method is disabled. To disable pass-through authentication in Citrix StoreFront, we need to disable requireTokenConsistency in inetpub\wwwroot\<storename>\web.config.

Citrix Receiver™

One of the benefits of the Citrix Receiver configuration with Citrix StoreFront is their integration with each other. The Citrix Receiver automatically detects whether the user is an internal user or an external user. When it detects an external connection, it will connect through the NetScaler Gateway; otherwise, it will use the Citrix StoreFront authentication. This detection is done by the beacons configured in the Citrix StoreFront configuration. During the configuration of the Citrix Receiver, the beacons will be configured.

Now it's time to configure the Citrix Receiver session policy and profile in the NetScaler Gateway.

Create a new session policy and go to the Client experience pane. Change Clientless Access to Allow, change the Plug-in Type to Java, and enable Single Sign-on to Web Applications. If we are using two-factor authentication, we also need to change Credential Index to Secondary. As explained before, the Citrix Receiver authenticates in a different way; in order to support single sign-on, it's necessary to use the LDAP authentication for single sign-on authentication.

Go to the Published Application pane. Switch ICA Proxy to ON. Web Interface Address should be the StoreFront URL. Change Web Interface Address Type to IPv4, change Single Sign-on Domain to the AD or NDS domain name, and at least fill in Account Services Address with the https://<StoreFront>/Citrix/Roaming/Accounts value.

After these settings, the session profile is done. Now it's time to create the session policy. The expression would be REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver in this case.

The session policy is explained in this chapter, under the NetScaler Gateway section, Session policies.

Receiver for Web

Create a new session policy and go to the Client experience pane. Change Clientless Access to ON and enable Single Sign-on to Web Applications.

Go to the Published Application pane. Switch ICA Proxy to ON. Web Interface Address should be StoreFront Receiver For Web URL. Change Web Interface Address Type to IPv4, and then change Single Sign-on Domain to the AD or NDS domain name.

After these settings, the session profile is done. Now it's time to create the session policy. The expression would be REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver in this case.

Citrix® StoreFront™

First, we need to add a gateway to StoreFront. This can be done from the GUI by navigating to StoreFront Administration Console | NetScaler Gateways. On the right-hand side here, click on Add NetScaler Gateway Appliance and then add the information as shown in the following screenshot:

  • Display name: Use NetScaler Gateway.

  • NetScaler Gateway URL: Fill in the box with the proper NetScaler Gateway URL. Citrix StoreFront requires this URL to verify that this configuration matches the NetScaler Gateway URL.

  • Subnet IP address: This box is optional and should be left empty if possible. It can be filled in if we are using more than one Citrix NetScaler Gateway on one Citrix NetScaler pointing to the same Citrix StoreFront environment.

  • Logon type: Select the proper log-on type. Use Domain and security token if you are using two-factor authentication and Domain only if you are using single-factor authentication.

  • Callback URL: The Callback URL field needs to point to the VIP address of NetScaler Gateway. This is needed so that Citrix StoreFront can send the validation back to the NetScaler Gateway authentication service.

Now, for the final part in Citrix StoreFront. The configured NetScaler Gateway appliance needs to be connected to a particular Citrix StoreFront store for external authentication. Navigate to the Store menu and click on the right-hand side of the console, on the Enable Remote Access button. Now, we have to specify whether the store will be available for external usage. The following are the settings:

  • None: This means that the store can't be used for external users.

  • No VPN Tunnel: This option makes the store available through Citrix NetScaler Gateway without the NetScaler Gateway plugin.

  • Full VPN Tunnel: This option makes the store available through an SSL VPN only. It requires the NetScaler Gateway plugin.

As long as we don't need the VPN tunnel support, we select NO VPN Tunnel. We mark the Citrix NetScaler appliance that we added earlier. Propagate the changes to the other Citrix StoreFront if you have more than one Citrix StoreFront server.

Group policies

Citrix NetScaler provides support to bind sessions, traffic, authorization, bookmarks, Intranet IP addresses, and Intranet applications based on groups. When the authentication policies are configured correctly, it's possible to extract Active Directory groups from the connecting users. If we want to bind an authorization policy to an Active Directory group, it's necessary to add the group in the NetScaler Gateway. This can be done in AAA Groups in the User Administration menu under the NetScaler Gateway pane. Please be aware that this group name must be exactly the same as the group name in Active Directory; it's case sensitive.

SmartAccess filters

Citrix NetScaler 11 supports SmartAccess in NetScaler itself. Citrix calls this feature SmartAccess 2.0. These policies can be bound to the NetScaler Gateway virtual servers and allow you to disable or enable features. These features are called ICA Policies in NetScaler 11.

 

Summary


This chapter described the basic features of the NetScaler ADC, the different load balancing functionalities, the NetScaler AAA feature, the NetScaler Gateway, and how to configure the Citrix NetScaler Gateway with Citrix StoreFront.

It's not possible to explain all the possible deployments of the NetScaler Gateway and the load balancing features in just one chapter. There are a lot of other deployments available. For example, it's possible to use the NetScaler Gateway as an RDP gateway.

Note

For more information about the possible deployments, see the Citrix documentation. The URL is http://docs.citrix.com/en-us/netscaler-gateway/11/deploy-xenmobile.html.

In the next chapter, we will explain the use of the Citrix NetScaler AppExpert features.

About the Authors
  • Marius Sandbu

    Marius Sandbu is a Cloud Evangelist and architect working at Sopra Steria in Norway with over 17 years in the IT industry. Marius has a wide range of technical experience across different technologies such as identity, networking, virtualization, endpoint management, infrastructure, and with a special focus on the public cloud. He is an avid blogger, co-hosts the CloudFirst Podcast, and is also an international speaker at events such as Microsoft Ignite and Citrix Synergy. He has previously worked at TietoEVRY where he was the technical lead for the Public Cloud unit and has also worked at the University of Oslo as a system administrator and at Microsoft as a Technical Advisor.

  • Andy Paul

    Andy Paul is an accomplished virtualization architect, instructor, and speaker. He has designed and delivered virtualization projects for Fortune 500 companies, public and private health care organizations, and higher education institutions. He has also served as a lead technical trainer, adjunct professor, and guest speaker for multiple organizations. He is a leading industry consultant. He currently manages multiple delivery teams, oversees project architecture, assists large enterprise customers across various industries, and is a global VDI subject matter expert. Visit his blog at www.paultechnologies.com/blog.
