Fitting Citrix Netscaler with Ironport

Hello,
Currently we have Exchange 2010 environment and mail flow as below;
1 CAS
2 MBX
Internet --> Ironport --> CAS --> MBX
We are planning for Exchange 2010 to 2013 upgrade and I am preparing a plan for it.
We already have Internet facing Ironport as mentioned above.
We also have Citrix Netscaler as internet facing for accessing citrix applications.
Exchange 2013 plan
2 CAS
2 MBX
I want to load balance CAS servers with Citrix Netscaler. 
How should I fit in Netscaler in the design?
Please suggest
Thanks,
Mihir

Hi Mihir,
Unlike previous versions of Exchange, Exchange 2013 no longer requires session affinity at the load balancing layer.
Generally, there are four scenarios for load balance in Exchange 2013:
1. Single Namespace / Layer 4 (No Session Affinity)
2. Single Namespace / Layer 7 (No Session Affinity)
3. Single Namespace / Session Affinity
4. Multiple Namespaces / No Session Affinity
For more information about these, please refer to:
http://blogs.technet.com/b/exchange/archive/2014/03/05/load-balancing-in-exchange-2013.aspx
Additionally, there is a reference about Microsoft Exchange 2013 Citrix NetScaler Deployment Guide:
http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/microsoft-exchange-2013-citrix-netscaler-deployment-guide.pdf
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Regards,
Winnie Liang
TechNet Community Support

Similar Messages

  • Citrix Netscaler AppXpert with Sharepoint 2010 Page Edit Issue

    Posting this as a question and discussion point.
    The issue is in using Citrix Netscaler with AppXpert with SharePoint 2010. I've seen this issue for two customers.
    Configurations:
    - Citrix Netscaler as the load Balancer
    - Netscaler AppXpert for SharePoint deployed on Netscaler (using either AppXpert version 1.1 or 2.0)
    - SharePoint 2010 Standard or Enterprise editions
    Issue:
    A SharePoint user with appropriate rights goes to a SharePoint page. They choose Edit page, make changes and want to save changes. At this point all SharePoint ribbon options on the top are greyed out. End result, users are not able to make changes to their site pages. Issue happens for everyone including Farm Admins.
    Cases:
    a. The users are able to edit and save SharePoint wiki pages if I point user's PC to the SharePoint web server WFE by changing their local host file.
    b. On Citrix Netscaler, if I use the traditional load balancing i.e. without Citrix AppXpert, then the users are able to edit and save the pages. That is an option if the customer is using SharePoint 2010 Standard. That is not an option if a customer is using InfoPath forms. InfoPath is a feature of SharePoint 2010 Enterprise edition. Citrix AppXpert for SharePoint is needed to make the InfoPath work. Else the users get session errors when they use InfoPath Web forms.
    c. The issue happens on almost all combination of OS and browser. XP, vista, Win 7, Win8, Win8.1, IE8, 9, 10, 11 and other browsers like chrome etc as well.
    Please share your ideas and suggestions.

    Hi Faisal,
    As I understand, the issue will be solved when end users directly connect to SharePoint WFE servers. Since the issue is related to third party products, I'd recommend you contact their support engineer for sufficient resource and assistance. For your convenience:
    http://discussions.citrix.com/forum/150-support-forums/
    Should you need more assistance, let me know. Thanks for the understanding.
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Load Balancing Exchange 2010 with Citrix Netscaler

    Hi All,
    I have two exchange multirole server(cas/ht/mb) EXCH1 and EXCH2 both are configured in DAG (dag1.example.com) and also both are configured with CAS array (casarray.example.com)
    We have a Citrix Netscaler hardware load balancer. I have to configure load balancing for CAS array, ActiveSync, OWA, Outlook Anywhere.
    Please guide me through the configuration for citrix netscaler as i am new with Citrix Netscaler.
    Regards,
    Pravin

    Hi,
    In order to resolve this issue more efficiently, I recommend you contact support from Citrix, you might get a better answer there. Thanks for your understanding.
    https://www.citrix.com/community.html
    Best regards,
    Belinda
    Belinda Ma
    TechNet Community Support

  • Citrix NetScaler Management Pack Account

    Hello,
    I read the documentation and noticed this:
    The Citrix NetScaler Management Pack requires log on credentials of the NetScaler systems it is managing to be able to take corrective actions when the virtual servers become unhealthy.
    I created the account in SCOM 2007, and associated it with the Profiles Citrix NetScaler PRO Authentication Account.
    1. What are the permissions needed in Active Directory for this account? Domain Users is enough or it needs specific privilege(s)?
    2. What are the permissions needed on the NetScaler Server needed? Local Administrators? Users? In the Application?
    Thanks,
    DOm
    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

    The permission needed in Active Directory for this account is domain user. The permission needed on the NetScaler Server is local administrator, for this application to be able to monitor it.
    To configure monitoring of Netscaler, you can refer to the link below
    http://msandbu.wordpress.com/2013/04/02/monitoring-netscaler-with-operations-manager-2012/
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
    Mai Ali | My blog: Technical

  • Page cannot be found when accessing Web Dynpro on Citrix Netscaler.

    Hi Everyone,
    Has anyone tried using a Web Dynpro Web Application on Netscaler?
    We have a Web Dynpro application on SAP Enterprise portal that is being hosted by our SSL-VPN (Citrix Netscaler) but when we try accessing our Web Dynpro to our Safari Ipod it pop-up page cannot be displayed. But when accessing it to a normal browser all the pop-ups are accessible and working.
    Regards,
    Michael Mondelo.

    Hi,
    I've tried to update the firmware but when connecting to Netgear it replies 'there is no firmware update available' so I guess it's up to date.  Just wondered if I should change any of the router settings from auto to manual?
    Although I'm not sure what I should change.
    It's a netgear n150 with adsl2+

  • Network Discovery of Citrix Netscaler

    I am unable to discover a Citrix Netscaler as a network device.
    I've enabled tracing on the discovery and can see that the initial queries to the device are responding but then there are timeouts attempting to access interface types. The OID does timeout in a third party tool as well as there is no interface index but a query to OID .1.3.6.1.2.1.2.2.1.3.1 (index 1 of the interface list) would return a value but I don't know if there's a way to work around this in the discovery.
    SNMP Message:
        0:  packet ->
            SEQUENCE (0x30), 203 bytes:
        3:    version ->
              INTEGER-32 (0x02), 1 byte == 1 <v2c>
        6:    community ->
              OCTET-STRING (0x04), 5 bytes == "*****"
       13:    Response ->  (0xa2), 190 bytes:
       16:      request-id ->
                INTEGER-32 (0x02), 2 bytes == 5003
       20:      error-status ->
                INTEGER-32 (0x02), 1 byte == 0 <noError>
       23:      error-index ->
                INTEGER-32 (0x02), 1 byte == 0
       26:      VarBindList ->
                SEQUENCE (0x30), 177 bytes:
       29:        VarBind -> SEQUENCE (0x30), 75 bytes:
       31:          OBJ-ID (0x06), 8 bytes == ".1.3.6.1.2.1.1.1.0"
       41:          OCTET-STRING (0x04), 63 bytes == "NetScaler NS10.1: Build 119.7.nc, Date: Jul 29 2013, 23:30:51  "
      106:        VarBind -> SEQUENCE (0x30), 20 bytes:
      108:          OBJ-ID (0x06), 8 bytes == ".1.3.6.1.2.1.1.2.0"
      118:          OBJ-ID (0x06), 8 bytes == ".1.3.6.1.4.1.5951.1"
      128:        VarBind -> SEQUENCE (0x30), 24 bytes:
      130:          OBJ-ID (0x06), 8 bytes == ".1.3.6.1.2.1.1.4.0"
      140:          OCTET-STRING (0x04), 12 bytes == "OpsMgr Admin"
      154:        VarBind -> SEQUENCE (0x30), 21 bytes:
      156:          OBJ-ID (0x06), 8 bytes == ".1.3.6.1.2.1.1.5.0"
      166:          OCTET-STRING (0x04), 9 bytes == "NetScaler"
      177:        VarBind -> SEQUENCE (0x30), 27 bytes:
      179:          OBJ-ID (0x06), 8 bytes == ".1.3.6.1.2.1.1.6.0"
      189:          OCTET-STRING (0x04), 15 bytes == "xxxx"
    [31/01/2014 13:10:05] t@15812 Discovery #20
    SWFE-W-ETIMEOUT-GET_NEXT request timed out for Agent : xx.xx.xx.xx, OID:
        .1.3.6.1.2.1.2.2.1.3
     SNMP-ERESPONSE-No response from xx.xx.xx.xx, port 161
     SNMP-ETIMEOUT-Timed out
    Regards,

    To configure SCOM to monitor Citrix NetScaler, you can refer to the link below
    http://msandbu.wordpress.com/2013/04/02/monitoring-netscaler-with-operations-manager-2012/
    Also check below link
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/0ff29697-87d2-4a75-90fd-2d4bb73867fb/citrix-netscaler-mp-for-scom-2012-wrong-oids?forum=operationsmanagermgmtpacks
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer".

  • Discovery of Citrix Netscaler devices fails

    I have two older Citrix Netscaler devices that are discovered fine, but 4 newer devices (Netscaler NS10.5) are not discovered.
    We can see that SCOM connects to the devices but SCOM says "No Response SNMP". Using a MIB browser I can connect to the newer Netscalers and do a SNMP GET to read data from the MIB, however if I use a SNMP GET NEXT, the request times out so now I get no data.
    If I do the same with the older Netscaler devices i.e. a GET and then a GET NEXT then I get data in both cases.
    This actually corresponds to the Netscaler documentation that says that GET NEXT is no longer supported on the newer Netscalers.
    This leads me to think that SCOM might use a GET NEXT in the discovery process. I haven't used a sniffer yet to check this.
    If anyone has had the same problem and knows a workaround I'd be very happy to hear about it :)
    br
    Lars

    Hi Ivan,
    thanks for your reply.
    The problem I have is the discovery via the SCOM 2012 network device discovery rule, which has to work before the Netscaler MP will see the device.  As I understand your reply it was the Commtrade Netscaler MP that didn't see the NS 10.5 devices right?
    But I have not even tested the Netscaler yet.
    I don't have access to the NS 10.5 device so I can't see how it's configured, but I have found this information on the Citrix web site:
    http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-ag-config-ns-snmp-vo-vt-query-con.html
    I think the problem is that the new NS 10.5 by default does not accept Get-Next requests and that this has to be configured first by configuring a community string and associating this string with both Get AND Get-Next, before the device will accept the Get-Next request that the SCOM discovery rule sends after the initial Get request. Am I on the right track?
    Configuring the NetScaler for SNMP v1 and v2 Queries
    You can query the NetScaler SNMP agent for system-specific information from a remote device called SNMP managers. The agent then searches the management information base (MIB) for the data requested and sends the data to the SNMP manager.
    The following types of SNMP v1 and v2 queries are supported by the SNMP agent:
    GET
    GET NEXT
    ALL
    GET BULK
    You can create strings called community strings and associate each of these to query types. You can associate one or more community strings to each query type. Community strings are passwords and used to authenticate SNMP queries from SNMP managers.
    For example, if you associate two community strings, such as abc and bcd, to the query type GET NEXT, the SNMP agent on the NetScaler appliance considers only those GET NEXT SNMP query packets that contain abc or bcd as the community string.
    thanks again
    br
    Lars

  • Looking for a vertical holster that will fit an iphone with a silicone case on it

    As above..I had ordered a vertical leather holster ahead of time. It's nice but it won't fit the iphone with the case on it. I had to use the case as I get dropped calls without it..Any suggestions appreciated..thx

    I got the Splash Alpha II, check it out.

  • Accessing Citrix network with Intel iMac

    Has anyone had any luck accessing a Citrix network with their Mac? I followed the directions provided by IT, downloaded the Citrix software, but cannot access the office network, which is Windows and PC-based. Will I have any more luck if I load Windows onto my iMac? Or will I just have to keep using my Dell laptop to access email at work? I telecommute 3 days a week so I need to be in touch with the office.

    It works fine for me. In fact, I was just doing it a few minutes ago from home on my iMac. All the apps I use via Citrix are on a Windows 2008 server. What exactly happens when you try to access your Citrix network via your iMac?

  • SAP Mobile Documents and Citrix NetScaler

    Hi all,
    we're aiming to implement a secure Mobile Documents server that is protected from the Internet via a solution in the DMZ. We are eschewing a reverse proxy and are going for a Citrix NetScaler instead. Has anyone tried this combination before and if yes do you have any recommendations? I'm grateful for any tips in this direction.
    Best regards,
    Daniel

    Hello Daniel,
    Happy to hear you are going to implement Mobile Documents. There are for sure certain advantages Citrix NetScaler brings. Below I am not going to argue against or pro this product.
    Beside the bunch of features you may enable to secure and monitor the traffic and prevent attacks, let me enumerate some you may want to pay attention to.
    - Content Streaming. A domain where some proxy come short due to the fact that not only do not support streaming but use also the main memory for caching.
    - URL rewriting. If you get problems here you can configure the URL rewriting directly in Mobile documents
    - Compressing. If this already happens on the NetWeaver stack, make sure you don't do it twice.
    - Security protections. We already have protections in place against SQL injection and cross-site scripting (XSS) attacks for example, make sure that you don't kill the response times by throwing everything at hand.
    - Authentication. If no VPN is configured or a second factor is used for the authentication, make a trust between the systems to avoid double authentication.
    Good Luck and please share your experience.
    Regards,
    Corneliu

  • Exchange 2007 edge server with ironport

    I currently have a frontend exch 2003 and backend exch 2003 server with ironport. my mx record is the ironport which then forwards into the backend server. The frontend server was only used for owa and using outlook with https connection to exchange.
    With 2007 it has more functionality and the front end server is now called an edge server. Should I have mx go there then to ironport or vice versa? I'm thinking ironport to edge server to hub transport server. Is that correct? will it work?
    anyone have exchange 2007 edge server with ironport? what are you doing?

    well that wouldve been nice to know a little earlier. anyway I have ironport successfully sending mail to the edge server who sends it on to the hub transport server. right now the client access server is on the same as the hub but can be easily moved later. this is for very few people so its not like I need to off load anything as its a powerful dual core server. anyway now with the edge server I can test how effective it is versus the ironport. I'll let everyone know when you can ditch the ironport for msft's edge server. (Don't hold your breath).

  • Does fit bit work with iphone 5C

    does fit bit work with iphone 5 C

    Teresamaries wrote:
    does fit bit work with iphone 5 C
    Yes.
    Do you mean the FitBit application or the FitBit devices?
    They do all work with iPhone 4S and newer. (4S, 5, 5S, 5C, 6 & 6 Plus).

  • Dmarc - few emails with ironport hostname

    Hi,
    We have published SPF, DKIM and DMARC and now we have started getting DMARC reports. What is strange is that there are a few messages that are sent with the email Ironport hostname? We have some situations when we return a custom mail reject message, but that message is sent as [email protected] not as ironport.hostname.local. How can we find what message is sent with the ironport hostname, because if we search in message tracking “sender contains ironport.hostname – nothing is found”.
    Example:
    <record>
      <row>
         <source_ip>XXX.XXX.XXX.XXX</source_ip> [this is legit IP adress of MTA]
         <count>3</count>
         <policy_evaluated>
            <disposition>none</disposition>
            <dkim>fail</dkim>
             <spf>fail</spf>
          </policy_evaluated>
        </row>
        <identifiers>
           <header_from>domain.com</header_from>
        </identifiers>
        <auth_results>
          <spf>
             <domain>ironport.hostname.local</domain>
             <result>neutral</result>
           </spf>
       </auth_results>
    </record>
    Beside that do you have some experience with DMARC and when some other companies have some auto forwarder rule - then forwarder does not rewrite sender and then you get DMARC fail results?

    We have this problem as well. 
    I see lines like this from the ironport log:
    Delayed: DCID XXXXXX MID YYYYYY to RID 0 - 4.1.0 - Unknown address error ('450', ['4.1.8 <[email protected]>: Sender address rejected: Domain not found']) []
    I'm guessing from timing and frequency that this is actually the Ironport delivering its DMARC reports to other domains.
    The only place in the config where that name is found is the Ironport host name.
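To locate the rows discussed in this thread across a whole aggregate report, the following is an added example (not code from either poster) that lists every record whose SPF-evaluated domain is not aligned with `header_from`, with source IP and message count. SPF evaluates the HELO name when the envelope sender is empty (bounces, DSNs), which is one way an appliance hostname can appear in `auth_results`. The sample report is constructed, and the alignment check is a simplified stand-in for relaxed alignment that does not consult the Public Suffix List.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the first record mirrors the one in the post, the second
# is a normal aligned pass. IPs are documentation addresses, not real senders.
SAMPLE_REPORT = """<feedback>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>domain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>ironport.hostname.local</domain><result>neutral</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>domain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.domain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def relaxed_aligned(auth_domain, header_from):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    return a == h or a.endswith("." + h) or h.endswith("." + a)


def unaligned_spf_rows(report_xml):
    """Return one finding per SPF result whose domain is not aligned."""
    findings = []
    for rec in ET.fromstring(report_xml).iter("record"):
        header_from = (rec.findtext("identifiers/header_from") or "").strip()
        source_ip = (rec.findtext("row/source_ip") or "").strip()
        count = int((rec.findtext("row/count") or "0").strip())
        for spf in rec.findall("auth_results/spf"):
            domain = (spf.findtext("domain") or "").strip()
            if domain and not relaxed_aligned(domain, header_from):
                findings.append({
                    "source_ip": source_ip,
                    "count": count,
                    "header_from": header_from,
                    "spf_domain": domain,
                    "spf_result": (spf.findtext("result") or "").strip(),
                })
    return findings


def messages_by_spf_domain(findings):
    """Total message count per unaligned SPF domain, to rank what to chase."""
    totals = Counter()
    for f in findings:
        totals[f["spf_domain"]] += f["count"]
    return dict(totals)


if __name__ == "__main__":
    for row in unaligned_spf_rows(SAMPLE_REPORT):
        print(row)
```
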

  • Replacing MS ISA proxy with IronPort WSA proxy - ISA firewall client?

    Replacing MS ISA proxy with IronPort WSA proxy - what about the ISA firewall client?
    Does Cisco have an equivalent of the Microsoft ISA Firewall Client?
    How does WSA handle complex protocols (such as ftp) through the proxy server?

    We are replacing MS ISA proxy servers with IronPort WSA S370 proxy servers.
    We have several apps that make use of the MS firewall client.
    The MS firewall client enables HTTP-tunneling of TCP & UDP through the ISA proxy servers instead of going through firewalls.
    These apps use various ports - and there are rules setup on the ISAs specifically for these apps and their ports.
    Also we have several uses of RPD, telnet, and SSH using the firewall client to HTTP-tunnel through the proxy servers -- and these have specific ISA rules setup for them too.
    I can find HTTP-tunneling software - commercial and freeware - but can't find any that I think will work through the IronPort WSA S370 proxy servers.
    Would like to find someone who has implemented HTTP-tunneling using IronPort WSA 370 proxy servers.
    Thanks again for your input.

  • ISE and Citrix Netscaler for LB

    I'm working on a solution where we have NetScaler load balancers distributing radius requests from the NADs to respective PSNs. Authentication works and redirect URLs work etc. The challenge we're having is with EAP-TLS sessions. The user gets a provisioned certificate and chain that checks out on the endpoint fine. When the user tries to connect with the device we see EAP timeouts from the ISE session to the supplicant. Each PSN has the internal identity cert configured for EAP authentication that has been configured from the same internal CA within the customer's PKI.
    Has anyone configured a NetScaler for use with ISE and besides the general guidelines below are there more specific things that need to be done to make this work with Citrix NetScalers?
    Load Balancing guidelines.
    No NAT.
    Each PSN must be reachable by the PAN / MNT directly, without having to go through NAT (Routed mode LB, not NAT).
    Each PSN must also be reachable directly from the client network for redirections (CWA, Posture, etc…)
    Perform sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address
    Session-ID is recommended if load balancer is capable (ACE is not).
    VIP for PSNs gets listed as the RADIUS server on each NAD for all RADIUS AAA.
    Each PSN gets listed individually in the NAD CoA list by real IP address (not VIP).
    If "Server NAT" the PSN-initiated CoA traffic, then can list single VIP in NAD CoA list.
    Load Balancers get listed as NADs in ISE so their test authentications may be answered.
    ISE uses the Layer 3 address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a primary reason to avoid Source NAT (SNAT) for traffic sent to VIP.

    Does anyone have a working configuration for this?  I'm getting successful authentications from the supplicant, but CoA fails. When I perform a CoA I get two of each of the following messages:
    1) Event & Failure reason "5436 RADIUS packet already in the process"
    then
    2) Event "5417 Dynamic Authorization failed" / Failure reason "11215 No response has been received from Dynamic Authorization Client in ISE"
    The policy nodes are not physically located behind the NetScaler, so I have them pointing to the NetScaler as the default GW.  I'm not sure if we have the policy on the NS configured correctly though, because I had to add the NetScaler as a Network Device and I was under the impression that the switch and PSN should continue to talk directly to each other.
    Any help would be greatly appreciated!
    Cheers!
    Ken
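The persistence guideline quoted in this thread (sticky on Calling-Station-ID, then Framed-IP-address), as an added example that is not part of either post or of any NetScaler or ISE configuration: it parses a RADIUS Access-Request, derives the persistence key, and shows that every packet of one endpoint's multi-round EAP exchange maps to the same PSN. The hash-based `pick_psn`, the PSN names and the packets are constructed for illustration; a real load balancer keeps a persistence table instead, and the key normalisation assumes the NAD sends a MAC address.

```python
import hashlib
import socket
import struct

FRAMED_IP_ADDRESS = 8     # RADIUS attribute type, RFC 2865
CALLING_STATION_ID = 31   # RADIUS attribute type, RFC 2865


def build_access_request(identifier, attrs):
    """Build a minimal Access-Request (code 1) from (type, value) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    # 16 zero bytes stand in for the Request Authenticator (constructed input).
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Return {type: [values]} and reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def persistence_key(packet):
    """Calling-Station-ID first, Framed-IP-Address as fallback, else None."""
    attrs = parse_attributes(packet)
    if CALLING_STATION_ID in attrs:
        raw = attrs[CALLING_STATION_ID][0].decode("ascii", "replace").lower()
        # Assumes a MAC: strip separators so AA-BB.. and aa:bb.. match.
        return "csid:" + "".join(c for c in raw if c in "0123456789abcdef")
    value = attrs.get(FRAMED_IP_ADDRESS, [b""])[0]
    if len(value) == 4:
        return "fip:" + socket.inet_ntoa(value)
    return None


def pick_psn(packet, psns):
    """Deterministically map the persistence key to one PSN (illustrative)."""
    key = persistence_key(packet)
    if key is None:
        return None
    digest = hashlib.sha256(key.encode()).digest()
    return psns[int.from_bytes(digest[:4], "big") % len(psns)]


if __name__ == "__main__":
    psns = ["psn-a", "psn-b"]  # hypothetical node names
    for ident in (1, 2, 3):    # three rounds of one EAP conversation
        pkt = build_access_request(ident, [(31, b"AA-BB-CC-DD-EE-FF")])
        print(ident, persistence_key(pkt), pick_psn(pkt, psns))
```
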
