Netscaler VPX - Citrix optimizations

I set up a Netscaler VPX for my Citrix XenApp 6.5 farm when I deployed it. However, I did not do any sort of customizations to optimize this for Citrix clients. The only purpose of the netscaler is to handle Citrix traffic, so that seems as if I can heavily customize it. I found this list on a Citrix site and was just curious if anyone had implemented some or any of these? Maybe there are other ones that I missed, or other tips?
Client Keep-Alive: Handles multiple requests on a single client connection. The client does not have to negotiate a new connection for each request to the server.
HTTP Compression: Compresses HTTP responses sent from the servers to compression-aware browsers. The smaller responses reduce download time and save bandwidth.
Integrated Caching: Stores responses to client requests. Subsequent requests for the same content...
This topic first appeared in the Spiceworks Community


Similar Messages

  • App-V 5 Publishing Server + Load Balancing (NetScaler) issue

    All, 
    I have attempted to load balance my App-V 5.0 deployment, which includes two nodes (appv-1 and appv-2) on a Citrix NetScaler VPX appliance. 
    The management server is working fine, when browsing to the load balanced VIP DNS alias - pass-through authentication works great and the management console is displayed. 
    When I attempt to browse to the load balanced VIP DNS alias for the Publishing Server, it prompts for authentication credentials, then displays the following error:
    Method not allowed. Please see the service help page for constructing valid requests to the service.
    When I attempt to browse using the same internet explorer instance to http://appv-1.fqdn:8088 it displays the XML page after entering authentication credentials. 
    Here is my set-up & what I have done.... 
    Appv-1 Server
    Management Server installed on Port:8088
    Publishing Server installed on Port:8090
    SQL Cluster and Mirroring configured (tested and working)
    Appv-2 Server
    Management Server installed on Port:8088
    Publishing Server installed on Port:8090
    SQL Cluster and Mirroring configured (tested and working)
    NetScaler 
    Management VIP: 10.1.1.148
    Publishing VIP: 10.1.1.124 
    Both Appv-1 and Appv-2 are setup as services and bound to the corresponding Virtual Servers.
    Load balance algorithm - persistence - source IP: 255.255.255.255 - Least Connection
    DNS and AD Modifications
    host A record - appvmgmtsrv.fqdn = 10.1.1.148
    host A record - appvpubsrv.fqdn = 10.1.1.124
    computer object create in same domain for appvmgmtsrv and appvpubsrv
    SPN Modifications: 
    setspn -A http/appvmgmtsrv:8088 domain\appvmgmtsrv
    setspn -A http/appvpubsrv:8089 domain\appvpubsrv
    setspn -A http/appvmgmtsrv.domain.local:8088 domain\appvmgmtsrv
    setspn -A http/appvpubsrv.domain.local:8090 domain\appvpubsrv
    IIS Modifications:
    Appv-1 and Appv-2 - ApplicationHost.config - modified with below line for both Management and Publishing Server sections:
    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
    Rebooted and IIS starts correctly.
    Testing 
    On Appv-1 if I browse to http://appvmgmtsrv.fqdn:8088/console.html it asks for authentication, when authentication is entered it fails. 
    On another other machine in the environment if I browse to http://appvmgmtsrv.fqdn:8088/console.html it automatically loads the console with the credentials of the logged on user. 
    Launching the Management Console via Load Balanced DNS name works on every other server except itself.... assume this is Kerberos modifications? (This only happens when I disable the appv-2 node on the load balancer, forcing all IIS connections to Appv-1). 
    The management server issue above is not a big one and can work around that easily. The major issue is with the Publishing Server. .. . 
    On Appv-2 if I browse to http://appvpubsrv.fqdn:8090 it will prompt for authentication; once entered it displays: Method not allowed. Please see the service help page for constructing valid requests to the service.
    In a new tab if I enter http://appv-1.fqdn:8090 it will prompt for authentication; once entered it displays the XML page with App-V meta-data.
    Can anyone shed some light on this issue please.... When I update the App-V client with the load balanced publishing server VIP DNS it displays the following error in the event log: 
    Getting server publishing data failed.
    URL: http://appvpubsrv.fqdn:8090
    Error code: 0x45500D27 - 0x80190195
    Any help will be greatly appreciated. ....

    You could read
    https://blog.uvm.edu/jgm/2013/09/26/app-v-5-server-f5-load-balancers-and-kerberos/
    https://blog.uvm.edu/jgm/2013/09/27/app-v-server-configuration-load-balanced-configuration/
    http://social.technet.microsoft.com/Forums/en-US/2b39e2b8-aba1-4e96-b18f-c5bcb9f12687/load-balancing-two-appv-50-servers-the-publishing-service-is-not-able-to-contact-the-management?forum=mdopappv
    http://www.thinclient.net/blog/?p=344
    In fact I'm not sure if any of these really help you, but they give some good advice.
    Falko
    Twitter @kirk_tn | Blog kirxblog | Web kirx.org | Fireside appvbook.com

  • Lync 2013 mobile app does not work internally, SIP domain is Different than users UPN. not sure if that matters.

    Using the Lync client connectivity tester on a PC on the same LAN as my mobile client, everything is green and it says it's ready for use.
    Using my Android Galaxy S5 client on wifi on the same LAN I get a screen with "waiting to sign in" spinning and an error at the top: "we cant connect to the server check your network connection and server address, and try again."
    I have uploaded the full client log files here: client log file
    Some errors that stand out from this log file are:
    1. ERROR HttpEngine: Certificate check fails: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    2. <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
      <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
    I am using the correct creds, the same creds I used on the analyzer tool.
    In the analyzer tool I did have to fill in the username field because my SIP domain is different than my users' UPN, which from what I've read is required to use the username field.
    I also filled in the username field in the mobile app with domain\username.
    3. ERROR LYNC: ERROR TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/platform/networkapis/privateandroid/CHttpConnection.cpp/295:CHttpConnection exception: java.lang.NullPointerException
    Jan 14, 2015 8:40:49 AM INFO LYNC: INFO TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/requestprocessor/private/CHttpRequestProcessor.cpp/173:Received response of request(UcwaAutoDiscoveryRequest) with status = 0x22020001
    Jan 14, 2015 8:40:49 AM INFO LYNC: INFO TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/requestprocessor/private/CHttpRequestProcessor.cpp/201:Request UcwaAutoDiscoveryRequest resulted in E_ConnectionError (E2-2-1). The retry
    counter is: 0
    4. Jan 14, 2015 8:40:50 AM ERROR LYNC: ERROR TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/authenticationresolver/private/CAuthenticationResolver.cpp/431:Failing the original request as we weren't able to get the token
    This is the same type of error I was getting in the Lync connectivity analyzer until I filled in the username field. But it's filled in in my client.
    Again, you can see the full log file HERE.
    Thank you in advance for any help. I'm trying to get internal working before I try external.

    Eric,
    I am trying to configure a reverse proxy on my NetScaler, which is in a 2-arm mode (DMZ/internal), but I keep getting an error when configuring the monitor.
    I used this guide to configure it:
    http://www.lynced.com.au/2014/04/configure-citrix-netscaler-vpx-as.html
    but continue to get this error in the NetScaler monitor: "Failure - TCP connection successful, but application timed out"
    So the virtual server is never up. I'm thinking about just changing it to TCP as a monitor so it stays up and I can at least get the VIP up.
    Also, your link to the diagram shows it going to the reverse proxy, but the one I'm using has it going directly to the front end servers.
    http://www.lync-solutions.com/Documents/Lync_2013_protocol_poster_v6_7.pdf
    I'm guessing Microsoft's is the correct one but wonder why the config differs?
    I see that your diagram says "mobility url"; what is the mobility URL? I thought that was lyncdiscoverinternal.internal.com.
    current setup is
    2 fe servers on internal
    1 edge server on dmz
    1 almost done reverse proxy netscaler load balancer.
    also this ms link i used to configure dns entries, along with the pdf linked above.
    http://technet.microsoft.com/en-us/library/jj945644.aspx
    I currently have these external DNS entries and they all point to the edge server in the DMZ:
    dialin.external.com
    lync.external.com
    lyncweb.external.com
    lyncdiscover.external.com
    meet.external.com
    sip.external.com
    webconf.external.com
    av.external.com
    _autodiscover._tcp.external.com.
    The internal DNS entries point to one of the front end servers:
    1. lyncdiscoverinternal.internal.com
    2. lyncdiscover.internal.com
    3. _sipinternaltls._tcp.internal.com
    4. _sipinternal._tcp.internal.com
    5. sipinternal.internal.com
    6. sip.internal.com
    thanks again for your help.

  • Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

    Hi Guys,
    I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
    Everything seems fine internally, with the exception of intermittent network connectivity with a Citrix NetScaler VPX running on VMware ESXi.
    For some odd reason, I am able to ping the following, with no issues.
    Cisco 3750 SVI (192.168.1.3)
    CentOS web server (connected directly to the Cisco ASA 5505)
    I have checked and enabled the following:
    Nat Exemption
    Sysopt connection permit-vpn
    ACL's
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    Added ICMP in the inspection policy
    Packet-capture - Only getting echo requests.
    Thanks in advance!

    Hi,
    I believe you have a problem with your no-NAT configuration. You need to exempt NAT for the traffic from 172.16.10.0 (AnyConnect VPN pool) to 192.168.1.0/24 (inside LAN) to make this work:
    object network acvpnpool
    subnet <anyconnect VPN Subnet>
    object network insidelan
    subnet <inside lan subnet>
    nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
    Make sure that you are able to reach the GW/inside IP address of the firewall from a LAN machine, with all routing in place properly. Thanks!!!
    Regards
    Karthik

  • Lync mobility and HTTP authentication test failed. Is reverse proxy required?

    I currently have the following setup.
    1 x 2013 edge server lync1.local.com
    has 3 dmz ips for external names 
    has 1 internal ip
    2 x 2013 std front end servers lync2 & lync3.local.com
    I've read that in 2013 the mobility service is installed automatically on the front end servers, and I do see it running on both.
    All my clients can connect from the Windows and Mac clients (internally and externally) but not from a phone or the Windows app store client (internally or externally).
    Running the Exchange connectivity test on the website I get the following error:
    Testing HTTP authentication methods for URL https://lyncdiscover.external.com/Autodiscover/AutodiscoverService.svc/root/user.
      HTTP authentication test failed.
    Additional Details
    A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
    HTTP Response Headers:
    X-MS-Server-Fqdn: lync1.local.com
    Connection: close
    Content-Length: 64
    Content-Type: text/plain
    Server: RTC/5.0
    Elapsed Time: 427 ms.
    After some reading I notice that many people refer to a reverse proxy when dealing with mobility.
    I do not have a reverse proxy server installed. Is this required for the mobility to work correctly? Can't I just use the edge server?
    Thanks in advance for any help.

    Take a look at Georg Thomas' blog: http://www.lynced.com.au/2014/04/configure-citrix-netscaler-vpx-as.html also the Citrix official documentation: http://www.citrix.com/global-partners/microsoft/netscaler.html 
    Please mark posts as answers/helpful if it answers your question.
    Blog
    Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.

  • AVS and ACE

    I am having some trouble getting the difference between the AVS Appliance and the ACE Module for the Cat6K.
    Our ACE Modules are already about to be shipped, so I am looking forward to getting my hands on those. Checking the Application Solution section, there is also the newly acquired AVS Appliance listed.
    A: Is the AVS a supplement to the ACE Module in areas of HTTP/SSL compression etc. and more granular payload inspection?
    B: Is the AVS a "rival" product with different features?
    We have some discussions regarding the enhancement of our portal infrastructure and some guys are always putting Netscaler from Citrix on the agenda. I am sure it is a nice product but I like to keep my environment as far Cisco as I can.
    That's why it would be nice to get some advice on how to rate, position or compare the ACE/AVS vs. the Netscaler solution. I have the feeling some of the features which are in the mentioned Netscaler are split across two Cisco products.
    Points of interest are...
    +Payload/Packet-Inspection
    +Compression
    Thanks for reading...

    Can anyone comment on my impressions listed below and also on my problems in the above posting?
    AVS: Security, TCP Multiplexing, Compression and NO Load balancing.
    ACE: Security, Load balancing, Virtualization and TCP Multiplexing but NO Compression? Could Compression be added in future SW releases?
    vs.
    Netscaler: Security, TCP Multiplexing, Compression and Load balancing
    C: If you would combine the ACE and AVS, are you supposed to put the AVS behind the ACE for the use of its security features, or in front of a Cat6K with an ACE Module?
    D: If you put it behind the ACE, is the idea of running it transparently as more or less an IDS with app acceleration and caching an approach?
    E: If you use the security features of both devices, do you have more or less a double inspection of the payload, with the AVS going into more depth than the ACE?
    Would be great if someone had any experience or advice.
    Roble

  • Exchange management tools error "reboot from a previous installation pending"

    I am trying to install the Exchange 2010 Management Tools onto a client. We have Exchange 2010 running already elsewhere, but have been doing RDP to the server in order to add mailboxes, etc., and need to have more administrators on their own Windows 7 client computers doing remote management.
    Windows 7 Enterprise (64bit) client computer in same domain as Exchange servers, UAC disabled, logged in as a domain administrator. Fresh restart. No updates pending. Noticed article http://technet.microsoft.com/en-us/library/cc164360(v=exchg.80).aspx "A Restart from a Previous Installation is Pending" and numerous posts that indicated I should clear "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\UpdateExeVolatile" or clear "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations" - but neither of these keys exist on my computer!
    Downloaded and unzipped Exchange2010-SP3-x64.exe to C:\Temp
    Ran C:\Temp\setup.exe
    Checked off the options:  a) Error Reporting - Yes (Recommended). b) Custom Exchange Server Installation. c) Select "Management Tools". d) LEAVE UNSELECTED "Automatically install Windows Server roles and features required for Exchange". 
    Get the following errors
    Summary: 3 item(s). 1 succeeded, 2 failed.
    Elapsed time: 00:00:22
    Configuring Prerequisites
    Completed
    Elapsed Time: 00:00:01
    Management Tools Prerequisites
    Failed
    Error:
    A reboot from a previous installation is pending. Please restart the system and rerun setup.
    Click here for help...
    http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.3.123.3&e=ms.exch.err.Ex28883C&l=0&cl=cp
    Warning:
    Setup cannot contact the primary DNS server (172.17.253.51) using TCP port 53. Check that the IP address of the DNS server is correct and that the DNS server is reachable.
    Elapsed Time: 00:00:17
    Languages Prerequisites
    Failed
    Error:
    A reboot from a previous installation is pending. Please restart the system and rerun setup.
    Click here for help...
    http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.3.123.3&e=ms.exch.err.Ex28883C&l=0&cl=cp
    Warning:
    Setup cannot contact the primary DNS server (172.17.253.51) using TCP port 53. Check that the IP address of the DNS server is correct and that the DNS server is reachable.
    Elapsed Time: 00:00:03
    Already have reviewed many articles on this topic, none seem to apply to my situation. I am going crazy trying to solve it.

    As I've said, this workstation meets the requirements for installation of the Management Tools. It is 64-bit.
    Thanks for the link to the exchangeserverpro.com installation instructions blog. It is something I had already reviewed. There are many comments with problems, so many in fact that it is confusing what finally worked for people who ran into snags.
    Many also reported the "reboot from a previous installation is pending" problem (that I am getting), but their solution to that problem is not obvious, since, as I originally posted, the Microsoft answer to that error message is contained in "http://technet.microsoft.com/en-us/library/cc164360(v=exchg.80).aspx" and the registry keys do not exist on my Win7 client. The other solution in the comments seemed to be to exclude the "Automatically install Windows Server roles and features required for Exchange" during install (but so far Ed and Rajith want me to include that option). The blog is quite old, and so I hoped the SP3 for Exchange 2010 would have fixed the installer issues identified in the comments on that blog... but apparently not!
    DNS is working in our environment. The IP address in the error message points to a network load balancer (NetScaler by Citrix) and does not respond on telnet using port 53... It is our standard DHCP-provided configuration for client DNS. (Does the Exchange installer for Management Tools have some unique DNS requirements beyond normal name resolution? If so, does the Exchange admin need DNS admin rights?) Just to remove the load balancer from the equation, I changed my Win7 client network adapter settings to use two real, physical, actual Microsoft AD domain controllers to resolve DNS. I performed an IPCONFIG /FLUSHDNS. Then re-ran the Exchange 2010 installer. The specific error for DNS has gone away now that I am not using our enterprise's standard load balancer DNS client configuration. I really need to know why this is an Exchange management tools requirement. Any ideas?
    But still no-go on getting the Exchange 2010 Management Tools to install. Here are the latest errors on the Readiness Checks:
    Summary: 3 item(s). 0 succeeded, 3 failed.
    Elapsed time: 00:00:25
    Configuring Prerequisites
    Failed
    Error:
    The following error was generated when "$error.Clear();
              if($RoleInstallWindowsComponents)
                # Install any Windows Roles or Features required for the Management Tools role
                if ($RoleIsWindows8OrHigher)
                  if($RoleADToolsNeeded)
                    $ADToolsNeeded = 1
                  else
                    $ADToolsNeeded = 0
                  Invoke-Expression " Powershell -Command {& $RoleBinPath\InstallWindowsComponent.ps1 -ShortNameForRole AdminTools -ADToolsNeeded $ADToolsNeeded} "
                else
                  Install-WindowsComponent -ShortNameForRole "AdminTools" -ADToolsNeeded $RoleADToolsNeeded
            " was run: "The system cannot find the file specified".
    The system cannot find the file specified
    Click here for help...
    http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.3.123.3&e=ms.exch.err.Ex88D115&l=0&cl=cp
    Elapsed Time: 00:00:01
    Management Tools Prerequisites
    Failed
    Error:
    A reboot from a previous installation is pending. Please restart the system and rerun setup.
    Click here for help...
    http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.3.123.3&e=ms.exch.err.Ex28883C&l=0&cl=cp
    Elapsed Time: 00:00:20
    Languages Prerequisites
    Failed
    Error:
    A reboot from a previous installation is pending. Please restart the system and rerun setup.
    Click here for help...
    http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.3.123.3&e=ms.exch.err.Ex28883C&l=0&cl=cp
    Elapsed Time: 00:00:03
    If I remove the "Automatically install Windows Server roles and features required for Exchange" on the installer, I do not get the PowerShell error, just the "installation is pending" errors:
    Summary: 3 item(s). 1 succeeded, 2 failed.
    Elapsed time: 00:00:39
    Configuring Prerequisites
    Completed
    Elapsed Time: 00:00:00
    Management Tools Prerequisites
    Failed
    Error:
    A reboot from a previous installation is pending. Please restart the system and rerun setup.
    Click here for help...
    http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.3.123.3&e=ms.exch.err.Ex28883C&l=0&cl=cp
    Elapsed Time: 00:00:12
    Languages Prerequisites
    Failed
    Error:
    A reboot from a previous installation is pending. Please restart the system and rerun setup.
    Click here for help...
    http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.3.123.3&e=ms.exch.err.Ex28883C&l=0&cl=cp
    Elapsed Time: 00:00:02
    Which puts me right back to where I started in this thread. 

  • Citrix NetScaler Management Pack Account

    Hello,
    I read the documentation and noticed this:
    The Citrix NetScaler Management Pack requires log on credentials of the NetScaler systems it is managing to be able to take corrective actions when the virtual servers become unhealthy.
    I created the account in SCOM 2007, and associated it with the Profiles Citrix NetScaler PRO Authentication Account.
    1. What are the permissions needed in Active Directory for this account? Domain Users is enough or it needs specific privilege(s)?
    2. What are the permissions needed on the NetScaler Server needed? Local Administrators? Users? In the Application?
    Thanks,
    DOm
    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

    The permissions needed in Active Directory for this account are Domain User. The permissions needed on the NetScaler server are local administrator, so that this application can monitor it.
    To configure monitoring of NetScaler, you can refer to the link below:
    http://msandbu.wordpress.com/2013/04/02/monitoring-netscaler-with-operations-manager-2012/
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
    Mai Ali | My blog: Technical

  • Citrix Netscaler AppXpert with Sharepoint 2010 Page Edit Issue

    Posting this as a questions and discussion point.
    The issue is in using Citrix Netscaler with AppXpert with SharePoint 2010. I've seen this issue for two customers.
    Configurations:
    - Citrix Netscaler as the load Balancer
    - Netscaler AppXpert for SharePoint deployed on Netscaler (using either AppXpert version 1.1 or 2.0)
    - SharePoint 2010 Standard or Enterprise editions
    Issue:
    A SharePoint user with appropriate rights goes to a SharePoint page. They choose Edit page, make changes and want to save the changes. At this point all SharePoint ribbon options on the top are greyed out. End result: users are not able to make changes to their site pages. The issue happens for everyone, including Farm Admins.
    Cases:
    a. The users are able to edit and save SharePoint wiki pages if I point the user's PC to the SharePoint web server (WFE) by changing their local hosts file.
    b. On Citrix Netscaler, if I use the traditional load balancing, i.e. without Citrix AppXpert, then the users are able to edit and save the pages. That is an option if the customer is using SharePoint 2010 Standard. That is not an option if a customer is using InfoPath forms. InfoPath is a feature of SharePoint 2010 Enterprise edition. Citrix AppXpert for SharePoint is needed to make InfoPath work; otherwise the users get session errors when they use InfoPath web forms.
    c. The issue happens on almost all combinations of OS and browser: XP, Vista, Win 7, Win8, Win8.1, IE8, 9, 10, 11 and other browsers like Chrome etc. as well.
    Please share your ideas and suggestions.

    Hi Faisal,
    As I understand, the issue will be solved when end users directly connect to SharePoint WFE servers. Since the issue is related to third party products, I'd recommend you contact their support engineer for sufficient resource and assistance. For your convenience:
    http://discussions.citrix.com/forum/150-support-forums/
    Should you need more assistance, let me know. Thanks for the understanding.
    Regards,
    Rebecca Tu
    TechNet Community Support

  • ISE and Citrix Netscaler for LB

    I'm working on a solution where we have NetScaler load balancers distributing RADIUS requests from the NADs to the respective PSNs. Authentication works and redirect URLs work etc. The challenge we're having is with EAP-TLS sessions. The user gets a provisioned certificate and chain that checks out on the endpoint fine. When the user tries to connect with the device we see EAP timeouts from the ISE session to the supplicant. Each PSN has the internal identity cert configured for EAP authentication, issued from the same internal CA within the customer's PKI.
    Has anyone configured a NetScaler for use with ISE, and besides the general guidelines below are there more specific things that need to be done to make this work with Citrix NetScalers?
    Load Balancing guidelines.
    No NAT.
    Each PSN must be reachable by the PAN / MNT directly, without having to go through NAT (Routed mode LB, not NAT).
    Each PSN must also be reachable directly from the client network for redirections (CWA, Posture, etc…)
    Perform sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address
    Session-ID is recommended if load balancer is capable (ACE is not).
    VIP for PSNs gets listed as the RADIUS server on each NAD for all RADIUS AAA.
    Each PSN gets listed individually in the NAD CoA list by real IP address (not VIP).
    If "Server NAT" the PSN-initiated CoA traffic, then can list single VIP in NAD CoA list.
    Load Balancers get listed as NADs in ISE so their test authentications may be answered.
    ISE uses the Layer 3 address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a primary reason to avoid Source NAT (SNAT) for traffic sent to VIP.

    Does anyone have a working configuration for this?  I'm getting successful authentications from the supplicant, but CoA fails. When I perform a CoA I get two of each of the following messages:
    1) Event & Failure reason "5436 RADIUS packet already in the process"
    then
    2) Event "5417 Dynamic Authorization failed" / Failure reason "11215 No response has been received from Dynamic Authorization Client in ISE"
    The policy nodes are not physically located behind the NetScaler, so I have them pointing to the NetScaler as the default GW.  I'm not sure if we have the policy on the NS configured correctly though, because I had to add the NetScaler as a Network Device and I was under the impression that the switch and PSN should continue to talk directly to each other.
    Any help would be greatly appreciated!
    Cheers!
    Ken

  • Page cannot be found when accessing Web Dynpro on Citrix Netscaler.

    Hi Everyone,
    Has anyone tried using a Web Dynpro web application on Netscaler?
    We have a Web Dynpro application on SAP Enterprise Portal that is being hosted by our SSL-VPN (Citrix Netscaler), but when we try accessing our Web Dynpro from Safari on an iPod it pops up "page cannot be displayed". When accessing it from a normal browser all the pop-ups are accessible and working.
    Regards,
    Michael Mondelo.

    Hi,
    I've tried to update the firmware, but when connecting to Netgear it replies "there is no firmware update available", so I guess it's up to date. Just wondered if I should change any of the router settings from auto to manual?
    Although I'm not sure what I should change.
    It's a Netgear N150 with ADSL2+.

  • Network Discovery of Citrix Netscaler

    I am unable to discover a Citrix Netscaler as a network device.
    I've enabled tracing on the discovery and can see that the initial queries to the device are responding, but then there are timeouts attempting to access interface types. The OID does time out in a third party tool as well, as there is no interface index, but a query to OID .1.3.6.1.2.1.2.2.1.3.1 (index 1 of the interface list) would return a value. I don't know if there's a way to work around this in the discovery.
    SNMP Message:
        0:  packet ->
            SEQUENCE (0x30), 203 bytes:
        3:    version ->
              INTEGER-32 (0x02), 1 byte == 1 <v2c>
        6:    community ->
              OCTET-STRING (0x04), 5 bytes == "*****"
       13:    Response ->  (0xa2), 190 bytes:
       16:      request-id ->
                INTEGER-32 (0x02), 2 bytes == 5003
       20:      error-status ->
                INTEGER-32 (0x02), 1 byte == 0 <noError>
       23:      error-index ->
                INTEGER-32 (0x02), 1 byte == 0
       26:      VarBindList ->
                SEQUENCE (0x30), 177 bytes:
       29:        VarBind -> SEQUENCE (0x30), 75 bytes:
       31:          OBJ-ID (0x06), 8 bytes == ".1.3.6.1.2.1.1.1.0"
       41:          OCTET-STRING (0x04), 63 bytes == "NetScaler NS10.1: Build 119.7.nc, Date: Jul 29 2013, 23:30:51  "
      106:        VarBind -> SEQUENCE (0x30), 20 bytes:
      108:          OBJ-ID (0x06), 8 bytes == ".1.3.6.1.2.1.1.2.0"
      118:          OBJ-ID (0x06), 8 bytes == ".1.3.6.1.4.1.5951.1"
      128:        VarBind -> SEQUENCE (0x30), 24 bytes:
      130:          OBJ-ID (0x06), 8 bytes == ".1.3.6.1.2.1.1.4.0"
      140:          OCTET-STRING (0x04), 12 bytes == "OpsMgr Admin"
      154:        VarBind -> SEQUENCE (0x30), 21 bytes:
      156:          OBJ-ID (0x06), 8 bytes == ".1.3.6.1.2.1.1.5.0"
      166:          OCTET-STRING (0x04), 9 bytes == "NetScaler"
      177:        VarBind -> SEQUENCE (0x30), 27 bytes:
      179:          OBJ-ID (0x06), 8 bytes == ".1.3.6.1.2.1.1.6.0"
      189:          OCTET-STRING (0x04), 15 bytes == "xxxx"
    [31/01/2014 13:10:05] t@15812 Discovery #20
    SWFE-W-ETIMEOUT-GET_NEXT request timed out for Agent : xx.xx.xx.xx, OID:
        .1.3.6.1.2.1.2.2.1.3
     SNMP-ERESPONSE-No response from xx.xx.xx.xx, port 161
     SNMP-ETIMEOUT-Timed out
    Regards,

    To configure SCOM to monitor Citrix NetScaler, you can refer to the link below:
    http://msandbu.wordpress.com/2013/04/02/monitoring-netscaler-with-operations-manager-2012/
    Also check the link below:
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/0ff29697-87d2-4a75-90fd-2d4bb73867fb/citrix-netscaler-mp-for-scom-2012-wrong-oids?forum=operationsmanagermgmtpacks
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer".

  • Fitting Citrix Netscaler with Ironport

    Hello,
    Currently we have an Exchange 2010 environment, and the mail flow is as below:
    1 CAS
    2 MBX
    Internet --> Ironport --> CAS --> MBX
    We are planning for Exchange 2010 to 2013 upgrade and I am preparing a plan for it.
    We already have Internet facing Ironport as mentioned above.
    We also have Citrix Netscaler as internet facing for accessing citrix applications.
    Exchange 2013 plan
    2 CAS
    2 MBX
    I want to load balance the CAS servers with Citrix Netscaler.
    How should I fit the Netscaler into the design?
    Please suggest.
    Thanks,
    Mihir

    Hi Mihir,
    Unlike previous versions of Exchange, Exchange 2013 no longer requires session affinity at the load balancing layer.
    Generally, there are four scenarios for load balancing in Exchange 2013:
    1. Single Namespace / Layer 4 (No Session Affinity)
    2. Single Namespace / Layer 7 (No Session Affinity)
    3. Single Namespace / Session Affinity
    4. Multiple Namespaces / No Session Affinity
    For more information about these, please refer to:
    http://blogs.technet.com/b/exchange/archive/2014/03/05/load-balancing-in-exchange-2013.aspx
    Additionally, there is a reference, the Microsoft Exchange 2013 Citrix NetScaler Deployment Guide:
    http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/microsoft-exchange-2013-citrix-netscaler-deployment-guide.pdf
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Regards,
    Winnie Liang
    TechNet Community Support

  • SAP Mobile Documents and Citrix NetScaler

    Hi all,
    we're aiming to implement a secure Mobile Documents server that is protected from the Internet via a solution in the DMZ. We are eschewing a reverse proxy and are going for a Citrix NetScaler instead. Has anyone tried this combination before and if yes do you have any recommendations? I'm grateful for any tips in this direction.
    Best regards,
    Daniel

    Hello Daniel,
    Happy to hear you are going to implement Mobile Documents. There are for sure certain advantages Citrix NetScaler brings. Below I am not going to argue for or against this product.
    Besides the many features you may enable to secure and monitor the traffic and prevent attacks, let me enumerate some you may want to pay attention to.
    - Content streaming. An area where some proxies fall short, since they not only do not support streaming but also use main memory for caching.
    - URL rewriting. If you get problems here, you can configure the URL rewriting directly in Mobile Documents.
    - Compression. If this already happens on the NetWeaver stack, make sure you don't do it twice.
    - Security protections. We already have protections in place against SQL injection and cross-site scripting (XSS) attacks, for example; make sure that you don't kill the response times by throwing everything at hand at it.
    - Authentication. If no VPN is configured or a second factor is used for the authentication, set up a trust between the systems to avoid double authentication.
    Good Luck and please share your experience.
    Regards,
    Corneliu

  • Discovery of Citrix Netscaler devices fails

    I have two older Citrix Netscaler devices that are discovered fine, but 4 newer devices (Netscaler NS10.5) are not discovered.
    We can see that SCOM connects to the devices, but SCOM says "No Response SNMP". Using a MIB browser I can connect to the newer Netscalers and do an SNMP GET to read data from the MIB; however, if I use an SNMP GET NEXT, the request times out, so I get no data.
    If I do the same with the older Netscaler devices, i.e. a GET and then a GET NEXT, then I get data in both cases.
    This actually corresponds to the Netscaler documentation, which says that GET NEXT is no longer supported on the newer Netscalers.
    This leads me to think that SCOM might use a GET NEXT in the discovery process. I haven't used a sniffer yet to check this.
    If anyone has had the same problem and knows a workaround I'd be very happy to hear about it :)
    br
    Lars

    Hi Ivan,
    thanks for your reply.
    The problem I have is the discovery via the SCOM 2012 network device discovery rule, which has to work before the Netscaler MP will see the device. As I understand your reply, it was the Commtrade Netscaler MP that didn't see the NS 10.5 devices, right?
    But I have not even tested the Netscaler MP yet.
    I don't have access to the NS 10.5 device, so I can't see how it's configured, but I have found this information on the Citrix web site:
    http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-ag-config-ns-snmp-vo-vt-query-con.html. I think the problem is that the new NS 10.5 by default does not accept Get-Next requests, and that this has to be configured first by configuring a community string and associating this string with both Get AND Get-Next, before the device will accept the Get-Next request that the SCOM discovery rule sends after the initial Get request. Am I on the right track?
    Configuring the NetScaler for SNMP v1 and v2 Queries
    You can query the NetScaler SNMP agent for system-specific information from remote devices called SNMP managers. The agent then searches the management information base (MIB) for the data requested and sends the data to the SNMP manager.
    The following types of SNMP v1 and v2 queries are supported by the SNMP agent:
    GET
    GET NEXT
    ALL
    GET BULK
    You can create strings called community strings and associate each of these to query types. You can associate one or more community strings to each query type. Community strings are passwords used to authenticate SNMP queries from SNMP managers.
    For example, if you associate two community strings, such as abc and bcd, to the query type GET NEXT, the SNMP agent on the NetScaler appliance considers only those GET NEXT SNMP query packets that contain abc or bcd as the community string.
    thanks again
    br
    Lars

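As an added diagnostic for the GET-works-but-GET-NEXT-times-out symptom in Lars's post and the community-string-per-query-type rule in the Citrix text quoted above (this is example code, not from the thread, from SCOM or from Citrix), a stdlib-only SNMPv2c probe that sends a GET and then a GET-NEXT for sysDescr with the same community string and reports each outcome. The host and community string are placeholders you supply; the BER encoder/decoder handles only the fields this probe needs.

```python
import socket
GET, GET_NEXT, RESPONSE = 0xA0, 0xA1, 0xA2       # SNMP PDU tags (context class)

def tlv(tag, body):                               # BER type-length-value (body < 64 KiB)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def encode_oid(oid):                              # dotted OID -> BER OBJECT IDENTIFIER contents
    parts = [int(p) for p in oid.strip(".").split(".")]
    out = [parts[0] * 40 + parts[1]]              # first two sub-ids share one byte
    for p in parts[2:]:
        chunk = [p & 0x7F]                        # base-128, high bit marks continuation
        while p > 0x7F:
            p >>= 7
            chunk.insert(0, 0x80 | (p & 0x7F))
        out += chunk
    return bytes(out)

def build_request(community, oid, pdu_tag, request_id=1):   # SNMPv2c GET/GET-NEXT, one OID
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + b"\x05\x00")          # NULL value
    pdu = tlv(pdu_tag, tlv(0x02, bytes([request_id])) + b"\x02\x01\x00\x02\x01\x00" + tlv(0x30, varbind))
    return tlv(0x30, b"\x02\x01\x01" + tlv(0x04, community.encode()) + pdu)  # version 1 = v2c

def read_tlv(buf, pos=0):                         # returns (tag, contents, position after)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                 # long form: low bits give the length's byte count
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def parse_response(msg):
    """Return (pdu_tag, error_status); 0xA2 with error-status 0 is a clean reply."""
    _, body, _ = read_tlv(msg)                    # outer SEQUENCE
    _, _, pos = read_tlv(body)                    # version
    _, _, pos = read_tlv(body, pos)               # community
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, _, pos = read_tlv(pdu)                     # request-id
    _, err, _ = read_tlv(pdu, pos)                # error-status
    return pdu_tag, err[0]

def probe(host, community, oid=".1.3.6.1.2.1.1.1.0", timeout=3.0):   # host/community: placeholders
    result = {}
    for name, tag in (("GET", GET), ("GET-NEXT", GET_NEXT)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_request(community, oid, tag), (host, 161))
            try:
                pdu_tag, err = parse_response(s.recv(2048))
                result[name] = "ok" if (pdu_tag, err) == (RESPONSE, 0) else f"error-status {err}"
            except socket.timeout:                # the outcome the SCOM trace shows for GET-NEXT
                result[name] = "timeout"
    return result
```

A result of `{"GET": "ok", "GET-NEXT": "timeout"}` matches the symptom in the thread: the community string is accepted for the GET query type but not associated with GET NEXT, which is what the quoted Citrix text says must be configured separately.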