
Setting up a NetScaler lab environment from scratch

Environment:

  1. You have an existing Dev QA lab networked with 172.22.1.0/16 (255.255.0.0) IP addressing.
  2. Your Dev QA network has access to the public internet and runs the firewall that is going to be the default gateway for both of your labs.
  3. You want to set up a NetScaler lab environment for your client systems in 172.22.1.0/16 and allow them to access web servers running in a test DMZ network under 192.168.1.0/24 through NetScaler.

 

Pre-requisites:

  1. Download the VMware ESXi Hypervisor software from VMware. I’ve used the current latest version of vSphere Hypervisor, which is a free bare-metal hypervisor. It ships with ESXi 6.0 along with vSphere client version 6.0.0-2502222.
  2. Make a bootable disk with VMware ESXi Hypervisor. In Windows 7/8, you can simply right click the downloaded ESXi ISO file, select Open with and select “Windows Disc Image Burner”. This will create a bootable ESXi disk for you.
  3. Download the NetScaler VPX Platinum Evaluation software from Try NetScaler Application Delivery Controller. I’ve used the current latest version of NetScaler, 10.5-55.8.
  4. Extract the downloaded NSVPX-ESX-10.5-55.8_nc.zip to locate the .OVF and .VMDK files.
  5. Prepare the hardware system to serve as the host for VMware ESXi. I’ve used an HP ProLiant ML110 G6 equipped with an Intel(R) Xeon(R) CPU X3430 @ 2.40GHz processor.
  6. Enable Intel Virtualization Technology under the BIOS options of the system.

 

Setting up the lab:

Installing and Configuring VMware ESXi:

  1. Using the Bootable ESXi disk, install the ESXi on your hardware system.
    1. Specify the password for the root user.
    2. Select the local disk partition as the installation drive for ESXi. We’ll add any additional/external drives as separate datastores in the ESXi Storage options.
  2. Once the system comes up, press <F2> Customize System/View Logs and provide your root user credentials at the login page. You’ll then see all the options to customize your ESXi installation.
  3. Configure the ESXi host with a hostname and an IPv4 address that corresponds to your Dev QA lab network; I used 172.22.1.101 for this example. Below are the steps to achieve this:
    1. Click on Configure Management Network
    2. Select IPv4 Configuration > select option “Set static IPv4 address and network configuration:” specify the values as given below
      1. IPv4 Address:              [172.22.1.101]
      2. Subnet Mask:               [255.255.0.0]
      3. Default Gateway:         [172.22.1.1]
    3. Select IPv6 Configuration > select option “Disable IPv6 (restart required)”
    4. Select DNS Configuration and specify DNS of your Dev QA network. Say 172.22.1.10 and  172.22.1.11
      1. Primary DNS Server:             [172.22.1.10]
      2. Alternate DNS Server:          [172.22.1.11]
      3. Hostname:                            [NS-VM-HOST]
    5. Let your ESXi host restart to apply the IPv6 disable change.
  4. Connect to your ESXi host 172.22.1.101 from any of your Dev QA systems using a browser: https://172.22.1.101/. Then install the vSphere client to remotely manage your ESXi host.
  5. At the SSL prompt while connecting from vSphere, select “View certificate” and then install it on your system to avoid the SSL certificate prompts during later connection attempts.
  6. By default the VMware ESXi hypervisor runs in a 60-day trial mode, and you’ll be prompted with the evaluation days left and to assign a license.

Configure ESXi Networking for NetScaler lab environment: This involves setting up a private network to host the test DMZ in a separate network, and a public network that connects your NetScaler to your Dev QA systems and to the Internet.

  1. Once you are connected to the host through vSphere client, go to Configuration > Networking > Click Add Networking
    1. Create NSlab Public Network:
      1. Select Connection Types to be: Virtual Machine
      2. Select Use vSwitch0 that is connected to vmnic0
      3. Specify Network Label as NSLab Public Network
    2. Create NSlab Private Network:
      1. Select Connection Types to be: Virtual Machine
      2. Select Create a vSphere standard switch, which does not have any adapters attached. Systems in this network thus become part of a private network that does not have internet access.
      3. Specify Network Label as NSLab Private Network
  2. On the ESXi host, add any additional disks as datastores: go to Configuration > Storage > Add Storage > select Disk/LUN > select the disk that you would like to attach to ESXi as a datastore. Say yes to formatting, which acknowledges that all existing data on that disk will be wiped.
    1. Upon successful addition of new datastore, you’ll see it listed in Datastores view.

Importing NetScaler VPX VM image into ESXi:

  1. Log on to ESXi > File > Deploy OVF Template...
  2. On the Source tab, click on the Browse button and point it to the .OVF file that we downloaded from Citrix and extracted
  3. Specify a Name, I used NS1
  4. Select the datastore whichever is appropriate for you. I used my external HD datastore to place the VM images of my ESXi.
  5. Select Disk format to be Thin Provision
  6. On the Network Mapping page, configure:
    1. VM Network to NSLab Public Network
    2. NS_NC_1_1 Network to NSLab Private Network
  7. Review the changes and click Finish.
  8. Power on the VM

 

Configuring NetScaler VPX NSIP (NetScalerIP) address and logging into the NetScaler:

  1. In vSphere, go to NS1 > Console. On the screen, you’ll be presented with the prompt “Enter NetScaler’s IPv4 address []:”. Provide an IPv4 address for your NetScaler device. This IP address is also referred to as the NSIP. It should be in a network that is accessible to the admin staff systems from which you will administer your NetScaler device remotely. In our case, I wanted to administer my NS from systems in the Dev QA network, so I assigned the IP address 172.22.1.111 from the 172.22.1.0/16 network.
    1. Enter NetScaler’s IPv4 address [ ]:   172.22.1.111
    2. Enter Netmask [ ]:   255.255.0.0
    3. Enter Gateway IPv4 address [ ]: 172.22.1.1
  2. In the confirmation prompt, press Enter, or type 4 and press Enter, to save the IPv4 address details that we provided.
    1. Select item (1-4) [4]: 4
  3. The NetScaler service will restart for the new NSIP address to take effect. Once services are back, you’ll be prompted to log in to the device. Use the credentials below to log in to the NetScaler:
    1. username: nsroot (this is the default username)
    2. password: nsroot (this is the default password)
  4. Once you are logged in to the NetScaler, type the command shell to launch the shell.
  5. You can now find out more about the backend OS NetScaler uses and its version with the ‘uname -a’ command. You’ll notice that NetScaler runs on FreeBSD.
  6. At the FreeBSD shell, you can run the regular FreeBSD/Linux commands that are supported.

 

Configuring NetScaler VPX SNIP (SubNetIP) address:

  1. To further configure and administer your NetScaler device, you need to access it remotely via a web browser on its NSIP (172.22.1.111).
  2. Launch a browser, connect to http://172.22.1.111/ and log in using the nsroot credentials.
  3. Upon logon, you’ll be taken to the “Configuration” tab with a Welcome message indicating that you have successfully configured step 1: “NetScaler IP Address”.
  4. Click on Step 2: “Subnet IP Address”, and provide an IP address that will connect the NetScaler to the subnet where you have servers rendering services. In our case, we have our web services running in the DMZ network 192.168.1.0/24. So, I pick my SNIP to be 192.168.1.10, with the Netmask being auto-populated to 255.255.255.0.
  5. Click Done. You will then be taken back to the Configuration tab, indicating that Step 2 has been configured successfully.
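A pre-flight check of the addressing used so far, as an added example that is not part of the original post: it parses the networks and addresses from the steps above with Python's ipaddress module and returns anything inconsistent, including short forms such as 172.22.111 that some parsers silently accept. The PLAN layout and the check_plan name are assumptions made for this example.

```python
import ipaddress

# Networks and addresses exactly as written in the steps on this page.
PLAN = {
    "networks": {"devqa": "172.22.1.0/16", "dmz": "192.168.1.0/24"},
    "hosts": {
        "gateway": ("172.22.1.1", "devqa"),
        "dns1": ("172.22.1.10", "devqa"),
        "dns2": ("172.22.1.11", "devqa"),
        "esxi_mgmt": ("172.22.1.101", "devqa"),
        "nsip": ("172.22.1.111", "devqa"),
        "snip": ("192.168.1.10", "dmz"),
    },
}

def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, nets, seen = [], {}, {}
    for name, written in plan["networks"].items():
        net = ipaddress.ip_network(written, strict=False)
        nets[name] = net
        if str(net) != written:
            findings.append(f"{name}: {written} has host bits set, network is {net}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} overlap: {nets[a]} / {nets[b]}")
    for host, (addr, net_name) in plan["hosts"].items():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # Legacy inet_aton-style parsers accept a.b.c and read 172.22.111
            # as 172.22.0.111, so reject short forms instead of guessing.
            findings.append(f"{host}: {addr!r} is not a full dotted-quad address")
            continue
        net = nets[net_name]
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            findings.append(f"{host}: {ip} is not a usable host address in {net}")
        if ip in seen:
            findings.append(f"{host}: {ip} is already assigned to {seen[ip]}")
        seen[ip] = host
    return findings
```

Run against this page's plan it returns one finding: 172.22.1.0/16 is written with host bits set and the network is 172.22.0.0/16; the 255.255.0.0 mask is unaffected.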

 

Configure NetScaler’s Host Name, DNS IP Address, and Time Zone:

  1. Click on step 3:  Host Name, DNS IP Address, and Time Zone
  2. Specify the Host Name, DNS IP Address and Time Zone values as appropriate.  For this example, I used
    1. Host Name:  NS1
    2. DNS IP Address:  left blank (as I don’t require DNS lookup and resolution for my NetScaler)
    3. Time Zone:  your time zone (If you are going to have NetScaler devices located across multiple data centres and geographical locations, it’s usual practice to use GMT as the time zone across all the devices, so they all run on the same time and it becomes easier to troubleshoot the logs)
  3. Press Done.
  4. Click Yes at the reboot prompt to save the configuration.
  5. This will do a warm reboot of the NetScaler device. Once the device is rebooted, you’ll see a green mark for Step 3, showing that Host Name, DNS IP Address, and Time Zone are successfully configured.

 

Assign evaluation license and install license file on the NetScaler:

  1. Find the MAC address of your NetScaler NS1 VM. This is required when generating the license file for your device.
    1. You can find it from your NS1 device by logging in to the console as nsroot > Shell and then typing the command below:
      1. lmutil lmhostid -ether
    2. You can also find it in your NetScaler VM properties. Right click on your NS1 VM > Edit Settings > Network Adapter 1 > MAC Address
  2. Now, before clicking on step 4, you need to assign and download the license files for your NetScaler system. Follow the steps below to accomplish this:
    1. Log in to Citrix MyAccount: https://www.citrix.com/welcome.html
    2. Click on Activate and Allocate Licenses under the Licensing section.
    3. Click on Single Allocation. The next page will prompt you to: Enter license code. Provide the evaluation license code that you received during the NetScaler Trial download, then press Continue.
    4. The page will fetch the associated license and show it for you to select. Select the license and click Continue.
    5. On the next screen, specify the MAC address that you noted in the step above under Host ID, and then press Continue.
    6. Then click on Confirm on the next page.
    7. Click OK at the prompt to download the license file. Use the Download button on the page to re-download the file.
    8. A .lic file will be downloaded to your local system. The .lic is a text file using UTF-8 format. You can open and read through it.
  3. Now, Click on step 4:  Licenses
  4. Select the default option “Upload license files from a local computer”
  5. Click on Browse button and navigate to the .lic file that you have downloaded in above steps.
  6. Upon successful upload of the license file, you will see the “1 License(s) Updated Successfully” message.
  7. Then click on Reboot to restart the NetScaler for the licenses to take effect.
  8. Your NetScaler will be warm rebooted.
  9. Upon logon to the NetScaler after the reboot, you’ll be presented with:
    1. A License pop-up message indicating which features of NetScaler are licensed on your device.
    2. You’ll also notice that in the top left corner of the page, the label now reads NetScaler VPX (1000), where before it read NetScaler VPX (1). The label NetScaler VPX (1) indicates that your device is not licensed, whereas NetScaler VPX (1000) indicates the presence of a valid license on the NetScaler device.
    3. You’ll then be taken to the Configuration section with the complete set of options to configure. On the System Information tab, you can verify the NSIP, Netmask and Time Zone details.
    4. Also, from the top right corner, you can find the NetScaler version details from the Info drop-down menu item. In my case, I am running NetScaler Version “NS10.5: Build 55.8.nc, Date: Jan 26 2015”

 

Update the default NetScaler user nsroot password:

  1. It is always recommended to reset the default passwords that ship with any product, so we’ll also update the password of nsroot, the default NetScaler root/admin user. To do this, log on to the NS via the NSIP web page as the nsroot user, in my case http://172.22.1.111/
  2. In the Configuration section > System > User Administration > Users > highlight/select nsroot > click on the Change Password button.
  3. Then log out and log back in as the nsroot user with the new password.

 

Create separate NetScaler administrator user: 

  1. You may need to create separate admin user accounts to manage your NetScaler devices, for the following possible reasons.
    1. In strict, secured environments, use of the default user name is not intended.
    2. To build better auditing of changes to NetScaler, you may want to create a separate admin account for each of your NS administrator staff.
  2. Before creating an admin user, you need to create a group to hold all of the NS administrator accounts.
    1. Navigate to Configuration section > System > User Administration > Groups and click on Add button
    2. Specify the values appropriate for you. I used
      1. Group Name :  NSAdmins
      2. CLI Prompt: <left blank>
      3. Idle Session Timeout (secs): 900 (left to default value)
    3. Under Command Policies > Click on Insert > In the resulting pane options > select superuser and click on the Insert button
    4. Now click on the Create button.
  3. Now Create a new user account and make it member of the newly created administrators group NSAdmins as detailed here:
    1. Navigate to Configuration section > System > User Administration > Users  and click on Add button
    2. Specify the values appropriate for you. I used
      1. User Name :  govardhan
      2. Password and Confirm Password: a hint is to not use highly complex passwords.
        1. If you use highly complex passwords, you’ll be taken to the do_login page presenting the text file.
      3. Idle Session Timeout (secs): 900 (left to default value)
      4. Leave the “Enable External Authentication” option selected
      5. Under the Member Of tab > Click on Add > Select NSAdmins from the Available groups and press the arrow button to move it to the Configured groups
      6. Under Command Policies > you may click on Insert to configure the user rights directly, but here we are instead using the existing groups to assign the admin rights to the user.
      7. Click on the Create button.
    3. Now log out as nsroot and log back in as govardhan
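
One way to verify the account setup above from the saved configuration, as an added example that is not part of the original post and is not Citrix code: it lists which accounts hold the superuser command policy and whether the right comes from a group such as NSAdmins or from a direct binding. The sample lines are constructed, the helpdesk account is hypothetical, and the line shapes are assumed to follow the NetScaler CLI add/bind system user and group commands.

```python
from collections import defaultdict

# Constructed sample, not taken from a real device. Line shapes are assumed to
# follow the NetScaler CLI forms "bind system group <group> -userName|-policyName"
# and "bind system user <user> <policy> <priority>"; hashes are placeholders.
SAMPLE_CONF = """\
set system user nsroot 0000placeholderhash -encrypted
bind system user nsroot superuser 100
add system group NSAdmins -timeout 900
bind system group NSAdmins -policyName superuser 1
add system user govardhan 0000placeholderhash -encrypted -timeout 900
bind system group NSAdmins -userName govardhan
add system user helpdesk 0000placeholderhash -encrypted
bind system user helpdesk superuser 100
"""

def audit_admins(conf_text):
    """Return (superusers, findings) computed from the bind lines."""
    members, group_pol, direct = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in conf_text.splitlines():
        tok = line.split()
        if tok[:3] == ["bind", "system", "group"] and len(tok) >= 6:
            target = {"-username": members, "-policyname": group_pol}.get(tok[4].lower())
            if target is not None:
                target[tok[3]].add(tok[5])
        elif tok[:3] == ["bind", "system", "user"] and len(tok) >= 5:
            named = tok[4].lower() == "-policyname" and len(tok) >= 6
            direct[tok[3]].add(tok[5] if named else tok[4])
    # Map each superuser to how the right was granted: "direct" or a group name.
    superusers = defaultdict(list)
    for user, policies in direct.items():
        if "superuser" in policies:
            superusers[user].append("direct")
    for group, policies in group_pol.items():
        if "superuser" in policies:
            for user in members[group]:
                superusers[user].append(group)
    findings = []
    for user, how in sorted(superusers.items()):
        if "direct" in how and user != "nsroot":
            findings.append(f"{user}: superuser bound directly, not through a group")
    if set(superusers) <= {"nsroot"}:
        findings.append("nsroot is the only superuser; changes cannot be tied to a named admin")
    return {u: sorted(h) for u, h in superusers.items()}, findings
```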

 

 

That’s all that is required for you to start implementing NetScaler features in your environment.
