Netscaler – Eugen Kolbik

NS Initial Konfiguration
Lizenz ID MAC
Netzwerk
Hostname vom NetScaler ändern
Hochverfügbarkeit für Netscaler aktivieren

Netscaler Initial Konfiguration

configns

Lizenz ID

shell
lmutil lmhostid

Netzwerk

VLAN an Interface und IP Subnetz an VLAN zuweisen

add vlan 48
bind vlan 48 -ifnum 1/1 –tagged
bind vlan 48 -ipAddress 10.10.48.0 255.255.255.0

Hostname voon NetScaler ändern

shell
cd /nsconfig
vi rc.conf
cd /etc 
vi hosts

High Availability Pair on NetScaler

set ha node -hastatus STAYPRIMARY 
set ha node -hastatus STAYSECONDARY

disable interface <interface_num> 
add node <id> <ipAddress>
set ns rpcnode <ipAddress> -password <string>

show ns rpcnode
show ha node

sync ha files all
sync HA files ssl 

set ha node -hastatus ENABLED
force HA failover

Zeit Synchtonisation ohne neustrat

add ntp server 10.10.10.10 -minpoll 6 -maxpoll 11
rm /etc/ntp.conf
ln -s /nsconfig/ntp.conf /etc/ntp.conf
/bin/sh /etc/ntpd_ctl full_start

HSTS – CTX224172

add ssl vserver <NAME> –HSTS ENABLED –maxage 157680000 –IncludeSubdomain YES
add sslProfile <NAME> –HSTS ENABLED –maxage 157680000 –IncludeSubdomain YES

oder

add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy enforce_STS true insert_STS_header

SSL-Profile

Deny SSL Renegotation ALL
set ssl parameter -denySSLReneg FRONTEND_CLIENT

add ssl cipher SSLLABS-PROF
bind ssl cipher SSLLABS-PROF -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher SSLLABS-PROF -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher SSLLABS-PROF -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher SSLLABS-PROF -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher SSLLABS-PROF -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher SSLLABS-PROF -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher SSLLABS-PROF -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher SSLLABS-PROF -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher SSLLABS-PROF -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher SSLLABS-PROF -cipherName TLS1-AES-128-CBC-SHA

IOS Geräte bekommen Fehler "Error Number 183", wenn diese Cipher gebunden sind:

bind ssl cipher SSLLABS-PROF -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher SSLLABS-PROF -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384

Direct Server Return

netsh interface ipv4 set interface "Your production network adaptor name" weakhostreceive=enabled
netsh interface ipv4 set interface "Your loopback network adaptor name" weakhostreceive=enabled
netsh interface ipv4 set interface "Your loopback network adaptor name" weakhostsend=enabled

Links:

How to Allocate NetScaler VPX Licenses

How to Associate an IP Subnet with a NetScaler Interface by Using VLANs

High Availability Pair on NetScaler

Zurück

Authentifizierung LDAP|RADIUS usw.

shell 
cat /tmp/aaad.debug

EAP Login Error

shell
cat /var/ns.log | grep <Case ID>

Trace

start nstrace -filter "CONNECTION.SRCIP.EQ(IP-Adress)" -time 10 -fileName sample_trace
nstcpdump.sh -X dst host <IP-Adress> and port <80>

HA Konfiguration pürfen

ps –aux | grep nsfsyncd (ist HA Dienst gestartet)
shell
nsfsyncd -d (HA Dienst Starten)
/var/log/nsfsyncd.log (Logs HA Fehler)

AAA Benutzer entsperren

unlock aaa user <username> 
Security > AAA > Application Traffic > Users > Action > Unlock

Links:

Troubleshoot Authentication Issues Through NetScaler CTX114999
Basic UNIX Commands for NetScaler CTX109262
Capture an nstrace from the Command Line CTX120941

Kategorie: Netscaler

Netscaler GUI

Netscaler Installation

NETSCALER FEHLERANALYSE