Future Point Infrastructure Deployment Services
Project Handover Document
Citrix ADC MPX 8910 Deployment Guide
Version 1.0
Deployment Services
Future Point
Document History
              Version   Date               Name            Designation
Prepared By   1.0       14-November-2022   Aezad Burhan    Network Engineer
Reviewed By   1.0       14-November-2022   Kashif Kamal    Manager Technical
CITRIX ADC MPX 8900 Customer
Handover Document
Contents
Network Diagram
1. Overview
2. Setting Up
2.1 Add DNS Server
2.2 Enable PBR for Management Interface
2.2.1 Configuration for Deny Rule for DNS
2.2.2 Configuration for Management via PBR - Allow rule
2.3 Settings for Management Interface
2.4 Configure Port Channel
2.5 Create a VLAN and Assign to a port channel
2.6 Create a Virtual MAC (VMAC) and bind to an interface
2.7 IP Addressing
2.7.1 Creating a Subnet IP (SNIP) Address
2.7.2 Creating a Virtual IP Address
2.8 Routing
3. Generate Certificate Signing Request (CSR)
3.1 Create RSA key pair
3.2 Generate a CSR
3.3 Configure Secure Management Access
4. Load Balancing
4.1 Backend Server
4.2 Service Group
4.3 Virtual Server
4.4 Create a Network Profile
5. Web Application Firewall
5.1 Creating Signature
5.2 Making a Firewall Profile
5.2.1 Profile Settings
5.2.2 Enable Advanced Security Checks
5.2.3 Learned Rules
5.2.4 Dynamic Profiling
5.2.5 Relaxation Rules
5.3 Making Firewall Policy
6. Logs
7. High Availability
7.1 Enable NSHTTPS and NSKRPCS
7.2 Make the Peer stay in Secondary mode
Network Diagram
Given below is a Visio diagram for the Citrix ADC implementation.
Figure 1: Visio Diagram for Physical Topology
1. Overview
Two Citrix MPX8900 appliances are configured in high availability in the main Data Center.
One Citrix MPX8900 is configured in the DR site.
NSIP: NetScaler IP; the management IP used for management access to the NetScaler.
SNIP: Subnet IP; it belongs to the subnet that is used to communicate with the backend servers.
Port Mapping
Primary Data Center
#   Citrix       Citrix Ports   Switch        Switch Ports
1   plraadc01    Po1 – 10/1     Nexus-1       Eth14
                 Po1 – 10/2     Nexus-2       Eth14
                 Po2 – 10/3     Catalyst-1    Eth 5
                 Po2 – 10/4     Catalyst-2    Eth 5
2   plraadc02    Po1 – 10/1     Nexus-1       Eth15
                 Po1 – 10/2     Nexus-2       Eth15
                 Po2 – 10/3     Catalyst-1    Eth 6
                 Po2 – 10/4     Catalyst-2    Eth 6
DR
1   plraadc03
References: [Link]
2. Setting Up
On initial login, the opening page gives you the prompt shown below.
Enter the preferred NSIP address.
Figure 2: First Login Prompt
For updating licenses, click Licenses -> Add New License -> Upload license file. The license file may be downloaded from
the URL: [Link]
Or [Link]
2.1 Add DNS Server
To add a DNS server, navigate to Traffic Management -> DNS -> Name Servers.
Click "Add" and do not check the "IS LOCAL" box.
Figure 3: Configuring DNS
2.2 Enable PBR for Management Interface
If the management interface needs to be reached from a subnet that is not present in the routing table and is not
reachable via the default route either, PBR must be enabled. In our case the management interface is accessed from
the [Link]/24 subnet. DNS lookups, however, use the data interfaces and hence the routing table, so no PBR applies
to them. We therefore create two policies for the management network. Ensure the priority value of the DNS rule is
lower than that of the other rule, so that the DNS rule is evaluated first.
Figure 4: PBR for Management Traffic
2.2.1 Configuration for Deny Rule for DNS
The following rule stops DNS packets from using the management interface's next hop, so that they use the routing
table instead.
Figure 5: Deny DNS packets for management's next hop (i)
Figure 6: Deny DNS packets for management's next hop (ii)
2.2.2 Configuration for Management via PBR - Allow rule
The following rule allows traffic other than DNS that originates from the NSIP to use the dedicated next hop for
management traffic.
Figure 7: Add a Next Hop for Management Interface
In the Source IP Low and Source IP High fields enter the NSIPs of ADC01 and ADC02 respectively.
2.3 Settings for Management Interface
Citrix uses interface 0/1 for management as well as for HA. Ensure the following settings on interface 0/1 and leave
the other settings at their defaults. HA monitoring is off so that a failover is not triggered by the management
interface, and HA heartbeat is on to enable HA.
Figure 8: Turn off HA Mon for MGMT Interface
2.4 Configure Port Channel
To configure a port channel (LACP based), select the interfaces that need to participate in the LACP channel group
and add the same LACP key ID on each of those interfaces individually.
Interfaces 10/1 and 10/2 are in port channel 1 towards the Nexus switches, and similarly interfaces 10/3 and 10/4 are
in port channel 2 towards the DMZ switches.
Figure 9: Interface 10/1 configuration (i)
Figure 10: Interface 10/1 configuration (ii)
Similar configuration, including the LACP key ID, exists on interface 10/2.
After you configure the same LACP key ID on both interfaces (10/1 and 10/2), you will see a new entry created in
System -> Network -> Channels:
Figure 11: Port Channel Created
To tag the channel interface, make sure to select Tag all VLANs.
Figure 12: Channel LA0/1 configuration
2.5 Create a VLAN and Assign to a port channel
Navigate to System -> Network -> VLAN
Click Add and ensure the following configuration. VLANs must be bound either to a channel or to an interface, but IP
bindings are not mandatory. Binding an IP to a VLAN makes it an L3 interface, which is not absolutely required.
Currently we have created four VLANs:
5 and 67 for traffic from the Nexus switch
163 and 170 for traffic from the DMZ switch
Figure 13: VLAN Configuration (i)
Figure 14: VLAN Configuration (ii)
2.6 Create a Virtual MAC (VMAC) and bind to an interface
Creating a Virtual MAC is important in an HA environment. After a failover, the new primary sends gratuitous ARP
packets for the same IP addresses but from its own, different MAC address. To avoid this, a VMAC is used: it keeps
the MAC address unchanged across the pair, so no conflicts occur in the ARP tables of the upstream network devices.
Navigate to System -> Network -> VMAC
Click Add
Enter the Virtual Router ID and associate an interface to the newly created VMAC.
Figure 15: VMAC Configuration (i)
Figure 16: VMAC configuration
2.7 IP Addressing
Figure 17: IP Addressing
2.7.1 Creating a Subnet IP (SNIP) Address
A subnet IP address communicates with the backend servers and can be bound to a particular service group, as
described in the section on creating a Network Profile.
Navigate to System -> Network -> IPs and select the type Subnet IP.
Figure 18: Create a SNIP
2.7.2 Creating a Virtual IP Address
A VIP is used by the clients that access the services from outside; it is the outside IP for reaching the load
balanced servers.
To create a VIP, navigate to System -> Network -> IPs.
Select the type Virtual IP and leave the rest as defaults.
Figure 19: Create a VIP
2.8 Routing
A default route is configured for Internet traffic.
Direct routes are system generated based on the SNIPs and the NSIP configured.
Figure 20: IP Routes
3. Generate Certificate Signing Request (CSR)
A certificate is required for secure management access as well as for SSL on the load balancing virtual servers in
front of the backend servers mentioned in section 4.3. To generate a Certificate Signing Request, you need to import
the CA certificate as well.
3.1 Create RSA key pair
Navigate to Traffic Management -> SSL -> SSL Files -> Keys and click Create RSA Key.
Figure 21: Create an RSA key pair
Fill in the particulars such as the desired filename and the other parameters. The following specifications were used
during deployment:
Figure 22: Create RSA key
3.2 Generate a CSR
Navigate to Traffic Management -> SSL -> SSL Files -> CSRs and click Create CSR.
Figure 23: Generate a CSR
Use the key pair generated in section 3.1 and fill in the particulars for the CSR.
Figure 24: Generate A CSR
Download the generated CSR, get it signed by the Certificate Authority (CA), then upload the certificate bundle in
SSL Files -> Certificates and install it. Use the installed certificates, i.e., the server certificate and the CA
certificate, to bind to the Load Balancing Virtual Servers or to internal services such as the NSIP for secure
management access.
3.3 Configure Secure Management Access:
Bind the certificates to the internal service running on the NSIP (in our case [Link]) using protocol SSL.
Figure 25: Configure secure Management Access
After that, enable secure access on the NSIP in System -> Network -> IPs.
Figure 26: Enable secure Management Access
4. Load Balancing
Below are the steps to configure load balancing.
Step-1: Add the backend servers. Traffic Management -> Load Balancing -> Servers
Step-2: Add a service or service group (if you have multiple servers running the same service)
Step-3: Add a virtual server.
4.1 Backend Server
For step 1: To configure the backend (origin) servers, navigate to Traffic Management -> Load Balancing -> Servers
and click Add.
4.2 Service Group
For step 2: Navigate to Traffic Management -> Load Balancing -> Service Group and add a service group.
Use protocol SSL for HTTPS servers and click continue.
Figure 27: Add a service group
Then select the desired service group members (backend servers) by clicking Add service group members -> Add ->
Server Based, check the required servers and click Select.
Figure 28: Add server based service group Members
Figure 29: Select desired servers
Select the server you wish to add then click bind.
4.3 Virtual Server
The VIP is used as the outside IP address of the load balancer.
For step 3: Navigate to Traffic Management -> Load Balancing -> Virtual Servers.
Add the desired VIP address and port, and select protocol SSL (for HTTPS servers).
Figure 30: Add a LB-VServer
The virtual server will come up only if valid CA and server certificates are bound to it. So select the options
highlighted below and attach the correct certificates.
Figure 31: Attach server Certificates
Currently the CA and the server certificates are as follows:
Figure 32: Current Certs
Choose persistence (persistence on a virtual server maintains the state of client connections on the servers
represented by that virtual server), method (the load balancing algorithm), and policy (such as a WAF policy) as
desired. Currently we use a cookie named 'persistence' as the persistence method, with backup persistence set to
none. The load balancing algorithm is 'LeastConnection'.
Figure 33: Persistence and Load Balancing Algorithm
Also, if you want to use a particular SNIP for communication with a particular service group, you may select Profiles
and attach a Network Profile to this virtual server.
Figure 34: Use a specific SNIP for backend communication
4.4 Create a Network Profile
This is an optional step: by default a SNIP in the subnet will communicate with the backend servers, but in the case
of multiple SNIPs in a single subnet we can use a network profile to select a particular SNIP for communication with
a service or service group.
To create a Net Profile, go to System -> Network -> Net Profiles. Enter the IP address that you want to use (this IP
address should already be defined as a SNIP).
Figure 35: SNIP configuration
5. Web Application Firewall
Implementation of the Web Application Firewall has three major components, listed below:
i- Signatures
ii- Policy
iii- Profile
5.1 Creating Signature
The recommended way is to copy the "default" signature file into a new signature file.
Select the signature file that you want to copy, click the three dots on the left hand side of the check mark, click
"Copy" and then click "Add". Rename the signature file as desired.
Figure 36: Copying Signature File
After copying, click Add and give the new signature file a name. Make sure to select Block all, Stats all, Log all
and Enable all.
Figure 37: Enable all blocks in Signature
Click OK.
Enable Auto Update for signatures under “select action”.
5.2 Making a Firewall Profile
5.2.1 Profile Settings
A firewall profile is the most important part of configuring the Web Application Firewall (WAF). This component
includes attaching the signature set created earlier and the advanced checks to be implemented. These may be
configured from the "Profile Settings" of the profile being created. You can see that each profile has a signature and
a policy bound to it.
Figure 38: Making WAF Profile
You may expand the section on the right to edit the profile settings. Citrix recommends that most of the profile
settings be left at their defaults.
Figure 39: Profile Settings (i)
Major changes in the profile settings include attaching an HTML error object, which is used to display an exception
message to clients when the WAF has blocked a request, and attaching the signature file, as shown below.
Figure 40: Profile Settings (ii)
Select the signature file already created. This action will bind that signature file to the WAF profile.
Figure 41: Profile Settings (iii) Binding Signatures
5.2.2 Enable Advanced Security Checks
The next step is to enable the desired security checks (select "Security Checks" in the options on the right side of
the profile settings). You can either enable Block for the desired security check or deploy it in learning mode only;
both can also be deployed together. In any case, Log and Stats should always be enabled for all the security checks.
Figure 42: Enable Advanced Security Checks
5.2.3 Learned Rules
You can see the rules being learned in the "Learned Rules" section on the right hand side, as shown below.
Figure 43: Learned Rules (i)
Then you can select a particular rule and deploy it either immediately, or edit and deploy it if a particular edit is
needed.
Figure 44: Learned Rules (ii)
5.2.4 Dynamic Profiling
You can enable dynamic profiling for some of the security checks. Enabling it automatically deploys the learned rules
according to the defined settings; for example, rules learned only from a trusted client may be deployed after 1 hour
of learning.
In the example below you can see that all of the checks that can be dynamically deployed are enabled.
Figure 45: Dynamic Profiling
The following settings are used; they deploy the learned rules after 12 hours of being learned.
Figure 46: Dynamic profiling settings
5.2.5 Relaxation Rules
Rules may be relaxed for an application context, for specific URLs and for specific characters as seen in the headers,
cookies, or form fields. URLs relaxed in this way bypass the advanced security checks for the particular fields and
value expressions defined in the relaxation.
These rule(s) will be visible in the Relaxation Rules section. Referring to the learned rule in the section above, you
may select "CSRF Form Tagging" (the example in our case) and verify that the deployed rule is present.
Figure 47: Relaxation rule deployed from the learnt rules
There may also be a case where you want to deploy a rule that was not learned. For example, HTML SQL Injection may
block a wildcard character for a particular URL, but you may want to bypass that character for all the URLs of the
application, i.e. a global bypass of that character for every URL of that application. Looking at the log below, we
see the following syslog output as an example and will bypass this manually.
Following is the breakdown of the log message:
Figure 48: Breakdown of syslog
Fill in the relaxation rule with the values mentioned above, but instead of the exact URL, wildcard the URL using the
regular expression ^.*$. This is particularly helpful once the testing environment has to be moved to the production
environment, where the same application may have a different URL.
Navigate to Web App Firewall -> Profile -> select the desired profile -> Relaxation Rules -> HTML SQL Injection, click
the three dots on the right hand side of it to edit, and fill in the fields as shown below.
Figure 49: HTML SQL injection relaxation rule
After creating this rule, requests like the one in the aforementioned syslog message will no longer be blocked.
5.3 Making Firewall Policy
A policy is applied to a virtual server and is responsible for filtering a particular type of traffic by making use of
regular expressions. In most cases we want all the traffic hitting the Load Balancing Virtual Server (LB-VServer) to be
filtered and checked for threats, so in that case we use the expression value "true", as shown below. Here you will
also attach a profile to the policy being created.
Figure 50: WAF Policy creation
There are two ways to attach a created policy to the LB-VServer. Option one is to open the Policies section of the WAF
and go to Policy Manager.
Figure 51: Attaching a policy to LB VServer (i)
Use "Load Balancing Virtual Server" as the bind point and then select the desired load balancing virtual server.
Click Continue -> Add Binding -> Select Policy. This attaches the particular policy to the desired virtual server. You
may bind multiple policies to the virtual server; the policy with the lowest priority value is evaluated first.
Figure 52: Attaching a policy to LB VServer (ii)
The other option is to attach the policy from the LB-VServer. Go to Traffic Management -> Load Balancing -> Virtual
Servers, open the desired LB-VServer, select "Policies" on the right hand side and attach the desired policy.
Figure 53: Attaching a policy to LB VServer (iii)
6. Logs
Logs may also be seen in System -> Auditing -> Syslog Messages; logs for a particular module may be seen by selecting
filter parameters on the right hand side of the page, as highlighted below.
Figure 54: Viewing [Link] file
A better way to see the logs while troubleshooting for a particular client is to use the CLI and filter the [Link]
file by the source IP address. The command is given below:
tail -f [Link] | grep [Link] | grep "act=blocked"
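The log filter above and the relaxation-rule check from section 5.2.5 done together, as an added example that is not part of this handover document or of Citrix's tooling. It assumes the WAF events are written in the CEF layout (the act=blocked key above comes from that format); the log lines, msg= wording, field names, profile name and IP addresses are constructed.

```python
"""Filter Citrix ADC WAF (APPFW) syslog events for one client and check which
blocked events a relaxation rule would cover before it is deployed.
Added example, not part of the handover document or of Citrix's own tooling.
The log lines are constructed in the CEF layout Citrix ADC can emit for APPFW
events; their msg= wording, field names, profile name and IPs are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines: CEF header fields separated by '|', then key=value
# extensions. act=blocked marks a request the WAF dropped.
SAMPLE_LOG = """\
Nov 14 10:01:02 10.0.0.10 CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_SQL|6|src=192.0.2.25 spt=51022 method=GET request=https://app.example.test/search msg=SQL Keyword check failed for field search="%" cs1=prof_app cs4=ALERT act=blocked
Nov 14 10:01:05 10.0.0.10 CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_SQL|6|src=192.0.2.25 spt=51023 method=POST request=https://app.example.test/report msg=SQL Keyword check failed for field search="%" cs1=prof_app cs4=ALERT act=not blocked
Nov 14 10:01:09 10.0.0.10 CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_STARTURL|6|src=192.0.2.250 spt=40000 method=GET request=https://app.example.test/admin msg=Disallow Illegal URL. cs1=prof_app cs4=ALERT act=blocked
Nov 14 10:01:12 10.0.0.10 CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_SQL|6|src=192.0.2.25 spt=51030 method=GET request=https://app.example.test/orders msg=SQL Keyword check failed for field comment="%" cs1=prof_app cs4=ALERT act=blocked
"""

# Only the extension keys we rely on; splitting on any "word=" would also cut
# the free-text msg= value apart (it contains <field>="...").
EXT_KEY = re.compile(r"\b(src|spt|method|request|msg|cs\d|cn\d|act)=")

@dataclass
class WafEvent:
    check: str            # CEF event name, e.g. APPFW_SQL
    src: str              # client IP from src=
    url: str              # request= URL
    field: Optional[str]  # form field named in msg=, if any
    action: str           # act= value

@dataclass
class RelaxationRule:
    check: str        # security check the relaxation belongs to
    url_regex: str    # "^.*$" wildcards the URL, as the guide does
    field_regex: str  # field name pattern

def parse_cef(line: str) -> Optional[WafEvent]:
    """Return a WafEvent for a Citrix APPFW CEF line, or None for anything else."""
    _, sep, rest = line.partition("CEF:0|")
    parts = rest.split("|", 6)  # vendor|product|version|sig id|name|severity|ext
    if not sep or len(parts) != 7 or parts[0] != "Citrix":
        return None
    ext = parts[6]
    keys = list(EXT_KEY.finditer(ext))
    values = {}
    for i, m in enumerate(keys):  # each value runs up to the next recognised key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        values[m.group(1)] = ext[m.end():end].strip()
    fm = re.search(r'field (\S+?)="', values.get("msg", ""))
    return WafEvent(parts[4], values.get("src", ""), values.get("request", ""),
                    fm.group(1) if fm else None, values.get("act", ""))

def blocked_for_client(log_text: str, client_ip: str) -> List[WafEvent]:
    """Like `grep <ip> | grep "act=blocked"`, but comparing src= exactly, so a
    search for 192.0.2.25 does not also pick up 192.0.2.250."""
    events = (parse_cef(ln) for ln in log_text.splitlines())
    return [e for e in events if e and e.src == client_ip and e.action == "blocked"]

def would_relax(event: WafEvent, rule: RelaxationRule) -> bool:
    """True if the rule covers the event: same check, URL and field both match."""
    if event.check != rule.check or event.field is None:
        return False
    return bool(re.search(rule.url_regex, event.url)
                and re.search(rule.field_regex, event.field))

def relaxation_impact(events: List[WafEvent], rule: RelaxationRule) -> List[WafEvent]:
    """Blocked events that would no longer be blocked once the rule is deployed."""
    return [e for e in events if would_relax(e, rule)]

if __name__ == "__main__":
    blocked = blocked_for_client(SAMPLE_LOG, "192.0.2.25")
    for name, field_re in (("narrow", r"^search$"), ("broad", r"^.*$")):
        hits = relaxation_impact(blocked, RelaxationRule("APPFW_SQL", r"^.*$", field_re))
        print(name, "rule would unblock:", [(e.url, e.field) for e in hits])
```

Comparing src= exactly avoids the substring hits a plain grep on the IP gives (192.0.2.25 also matches 192.0.2.250), and running the broad rule shows how a wildcard field pattern suppresses more blocked events than the one from the log breakdown.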
7. High Availability
To set up high availability, make sure the peers are reachable from both nodes on management port 0/1.
Navigate to System -> High Availability -> Nodes.
As a prerequisite to HA pairing:
7.1 Enable NSHTTPS and NSKRPCS
Navigate to Traffic Management -> Load Balancing -> Services -> Internal Services and make sure the highlighted
services for the NSIP are shown as "UP".
Figure 55: Required Services for HA
7.2 Make the Peer stay in Secondary mode
Open the secondary node and make sure its HIGH AVAILABILITY STATUS is set to STAY SECONDARY (Remain in Listen
Mode).
Figure 56: Stay Secondary for the Peer Node
On the first/primary node, navigate to System -> High Availability -> Nodes. Click Add and enter the NSIP of the
secondary node. The second node is now added to the nodes hierarchy.
Then open the secondary node and change its high availability status from STAY SECONDARY to "Actively Participate in
HA".
After successfully creating the HA pair you will notice that an RPC entry for the secondary node has been created in
System -> Network -> RPC. You don't have to create it manually; it is created automatically.
Figure 57: Observing RPC after HA pair configuration