Friday 27 February 2015

Citrix NetScaler 10.5 VPX Configuring Active Directory Authentication

It is possible to integrate the NetScaler with Active Directory for administrator authentication, which means administrators can use their dedicated admin accounts to log in to the NetScaler and make configuration changes. This saves organizations from having to manage a local user database on each NetScaler appliance, and it means access is revoked centrally when the AD account is disabled. You should, however, always keep at least one local "superuser" account to hand as a break-glass login in case the LDAP integration breaks for some reason.

Log in to the NetScaler using local credentials, expand System and then Authentication, and from there click on the LDAP option.

In the Name field enter something descriptive for the policy you are about to create; I have chosen "AD Connector" in my environment. Click the + button next to the Server field.

When the Create Authentication LDAP Server window opens you must populate it with details specific to your network. As this is only a test lab I do not have DNS set up correctly, so I have used the IP of a Domain Controller. In addition to this I have chosen to use ordinary LDAP, not LDAPS, which you really should be using in a production network: with plain LDAP the bind account's password and every administrator's password cross the network in clear text on each login. By default LDAP uses TCP port 389 and LDAPS uses TCP 636.

Scroll down within the same window until you get to Connection Settings. These settings again must be populated to match your infrastructure. The Base DN should be the root of the domain, i.e. the distinguishedName of the domain object. This can be viewed if you enable Advanced Features from the View menu in ADUC (Active Directory Users and Computers), open the properties of the object and click on the Attribute Editor tab, from which the distinguishedName value can be copied.

You can find the Bind DN of the account the NetScaler will use to search the directory in exactly the same way; the screenshots below show exactly where these details can be viewed. Tick the BindDN Password box and enter the password for the Administrator account you have used. In production this should be a dedicated, low-privilege service account that can only read the directory rather than a Domain Administrator, because its password is stored on the appliance and presented to the directory on every login.

Scroll down further until you see the following properties; populate these to be the same as mine except for the Search Filter, which should restrict logins to the Active Directory group you are going to use to manage who is authorized to access the NetScaler. Prefix the group's distinguished name with "memberOf=", for example memberOf=CN=NetScaler Admins,OU=Groups,DC=example,DC=com. Leave the Group Attribute as memberOf and the Sub Attribute Name as CN; this is how the NetScaler extracts the group name that is later matched against the NetScaler system group. Click OK.

When you are back on the Create Authentication LDAP Policy page you must add an expression; all this has to be set to is ns_true, which means every login attempt is evaluated against this server. Click OK once this is in place.

From the Policies screen you will notice that the policy is not bound to anything; for it to apply to logins across the entire NetScaler it must be globally bound. Click the policy once to highlight it and select Global Bindings.

Select the policy from the Policy Binding drop-down and leave the priority at 100. Click Bind.

The icon under Globally Bound? should now change to a green tick.

The next step is to create a NetScaler system group that maps to the Active Directory security group: from System expand User Administration and click Groups.

You must create the system group with EXACTLY THE SAME NAME AS THE ACTIVE DIRECTORY GROUP (the CN value extracted from memberOf), otherwise the authenticated user will not be matched to the group and will not receive its command policy.

Scroll down to Policy Name under the command policy section and give the group "superuser" permissions. Click Create. The built-in command policies are read-only, operator, network, sysadmin and superuser; if the AD group is for day-to-day operators rather than full administrators, bind a less privileged policy than superuser.

Save the settings. 

Now users who are in the Active Directory security group should be able to log in to the NetScaler using DOMAIN\User with their Active Directory password.
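The same configuration expressed as NetScaler CLI commands, added here as an example rather than taken from the post, which only shows the GUI. The Domain Controller address 192.168.1.10, the domain lab.local, the bind account svc-ns-ldap, the AD group "NetScaler Admins" and the local account nsbreakglass are placeholders to replace with your own values. It differs from the walkthrough in two deliberate ways: it uses LDAPS instead of plain LDAP, and it creates the local break-glass account the introduction recommends. The lines beginning with # are annotations; strip them before pasting into the CLI.

```text
# Placeholders (not the post's values): DC 192.168.1.10, domain lab.local, bind account svc-ns-ldap,
# AD group "NetScaler Admins", local break-glass account nsbreakglass.

# 1. LDAP server object (the "AD Connector" created in the GUI). LDAPS on TCP 636 rather than LDAP on 389.
#    The search filter only admits members of the AD group; memberOf/CN tells the NetScaler how to
#    extract the group name that is matched against the system group in step 4.
add authentication ldapAction AD_Connector -serverIP 192.168.1.10 -serverPort 636 -secType SSL -ldapBase "DC=lab,DC=local" -ldapBindDn "CN=svc-ns-ldap,OU=Service Accounts,DC=lab,DC=local" -ldapBindDnPassword "<bind-account-password>" -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NetScaler Admins,OU=Groups,DC=lab,DC=local" -groupAttrName memberOf -subAttributeName CN
# If your build supports it, also add -validateServerCert YES (and import the issuing CA certificate)
# so the LDAPS server's certificate is actually checked rather than just encrypting to whoever answers.

# 2. Policy with the expression ns_true: every login attempt is evaluated against this server.
add authentication ldapPolicy AD_Connector_pol ns_true AD_Connector

# 3. Global binding for system (management) authentication, priority 100 as in the GUI.
bind system global AD_Connector_pol -priority 100

# 4. System group named exactly like the AD group, bound to a command policy.
#    superuser matches the walkthrough; read-only, operator, network and sysadmin are the lower built-in policies.
add system group "NetScaler Admins"
bind system group "NetScaler Admins" -policyName superuser 100

# 5. Local break-glass account. -externalAuth DISABLED makes the NetScaler check it against the local
#    user database only, so it still works when the LDAP server is unreachable.
add system user nsbreakglass "<long-random-password>" -externalAuth DISABLED
bind system user nsbreakglass superuser 100

# 6. Persist the running configuration to /nsconfig/ns.conf
save ns config
```

To verify the group extraction, log in with a member of the AD group and run `show system session` from another session: the user should appear with the group's command policy rather than with no policy at all.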

GNS3 v1.2.3 Cisco ASA Firewall Emulation "Server error [-3200] from ASA-1: cpulimit could not be found, please install it or deactive CPU throttling"

I recently installed the latest version of GNS3 (v1.2.3) onto a Windows 7 VM for Cisco Adaptive Security Appliance (ASA) testing. As there is usually some work required to get a Cisco ASA working in GNS3 I referred back to my older post to remind myself of the configuration and QEMU syntax. After I got used to the new GUI and made the configuration changes, when I tried to launch an ASA instance it failed with "Server error [-3200] from ASA-1: cpulimit could not be found, please install it or deactive CPU throttling".

To fix, click Edit and then Preferences...

Expand QEMU and then QEMU VMs, highlight the QEMU VM in question and click Edit.

Click on the Advanced Settings tab and untick the "Activate CPU throttling" option. Click OK and then Apply. Throttling relies on the cpulimit utility to cap how much host CPU the QEMU process may use; with it disabled the emulated ASA can consume a full host core, but nothing about the ASA itself changes.

You should now be able to launch instances of the ASA firewall inside GNS3 v1.2.3.

Thursday 19 February 2015

Azure Active Directory Sync Tool “A constraint violation occurred.” during Active Directory Sync with Office 365

When you try to run the first sync of your on-premises Active Directory to the Office 365 Azure AD instance you are halted by the error "A constraint violation occurred", and you can either Cancel the sync or Retry. Performing a Retry does not resolve the issue.

As the Azure Active Directory Sync Tool is actually Forefront Identity Manager 2010 under the covers, I thought I would check whether that was operating correctly. miisclient.exe is the interface you can use to see and edit the FIM 2010 configuration; it can be found at C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell

When I tried to launch miisclient.exe the following error appeared: "Unable to connect to the Synchronization Service". It was noted that this could be related to a service or group membership. As I had seen this issue before with a traditional instance of Forefront Identity Manager I knew this was because the user account I was using was not a member of the FIMSyncAdmins group.

I opened up ADUC and checked the FIMSyncAdmins group, and my user account was in there, so I logged out and then in again, reran the sync job and it worked perfectly. Group membership is only evaluated when a logon token is built, so a session started before the account was added to FIMSyncAdmins does not carry that group until you log off and on again.

Tuesday 10 February 2015

Configuring Citrix NetScaler v10.5 VPX High Availability to Load Balance HTTP Traffic

Citrix NetScaler is an Application Delivery Controller (ADC) by Citrix Systems. NetScaler is a widely deployed appliance that is available in three forms: the MPX (physical appliance), the VPX (virtual appliance) and the SDX, a physical appliance running XenServer that can host multiple virtual instances of NetScaler. I am using NetScaler to load balance ordinary HTTP traffic between two Windows Server 2008 R2 servers with the IIS 7.5 role installed.
The topology being adopted is the "two-armed mode, multi-subnet" model shown below, which is a Citrix recommended design when deploying NetScaler.
You can download a trial of the Citrix NetScaler 10.5 VPX from Citrix. It is available for XenServer, Hyper-V and VMware vSphere. In this example I am using vSphere; when you download the vSphere version of the VPX it comes as an OVF file that is imported into vSphere. This can be done from the local machine you are running the vSphere client on, so there is no need to upload the OVF to a vSphere datastore first.
In Citrix NetScaler there is a significant difference between Clustering and High Availability: for one thing Clustering requires a special clustering license, whereas traditional High Availability is provided as part of all the NetScaler editions.
In my example I am configuring two NetScaler VPXs as an HA pair; the following facts should be noted about HA on Citrix NetScaler:
·       Set up in pairs (maximum of 2 nodes)
·       The primary node owns the VIPs and SNIPs; only one node is active per pair, the secondary processes no traffic until a failover
·       Heartbeats are sent every 200 ms over UDP/3003; if the secondary hears nothing for 3 seconds (the dead interval) it initiates a failover
·       TCP 3010 (3008 when secure RPC is enabled) is used for configuration synchronization, and file synchronization runs over SSH on TCP 22
·       Commands issued on the primary are propagated to the secondary over TCP 3011 (3009 when secure RPC is enabled)
As this is only a test environment I have created two new vSphere Standard Switches, with no adapter uplinks connected. The External vSwitch represents a DMZ, and the Internal my local area network.

My TCP/IP configuration(s) are as follows;
  • RB_Test_Internal (LAN Subnet) –
  • RB_Test_External (DMZ Subnet) –
  • NS01 (NSIP) is
  • NS02 (NSIP) is
  • HA Pair (SNIP) is
  • Web Server 1 is
  • Web Server 2 is
  • NS HA Pair VIP is
If you have reviewed the Citrix eDocs on NetScaler, the physical topology and logical subnet configuration I am using in this example is referred to as a "multi-armed, multi-subnet" deployment.
In a production environment you would probably have several dedicated uplinks from each of these vSwitches to provide connectivity to the physical networks. These uplinks would be either access ports, if the physical switch does the VLAN tagging (EST, External Switch Tagging), or trunk ports, if the vSwitch or the guest does it (VST/VGT, Virtual Switch or Virtual Guest Tagging).
Once the OVF appliance is imported, open a console connection to the VPX to set the initial configuration (the NSIP, subnet mask and default gateway). At this stage the NSIP is the address used to manage the NetScaler VPX from your web browser.

Once the initial management IP is set, you can use a browser to connect to the NetScaler. I would suggest using Google Chrome, as it seems to have the fewest issues with Java when you are making administration changes.

When you login the first screen you will be presented with will have four options, the Netscaler (NSIP) should already be configured and show a green tick indicating this. 

The next part to configure is the Subnet IP Address (SNIP); this is the address the NetScaler uses as its source when communicating with servers on the backend. Click on the Subnet IP Address option to begin configuring it.

The SNIP address should be on the same subnet and VLAN as the internal servers you are trying to load balance. The wizard also provides a simplified breakdown of how the SNIP is used to communicate with the backend servers.

Step 3 is to configure a hostname for the device along with a DNS server; call it whatever you want and point it at your local DNS server, which will typically be a Domain Controller. You should also remember to manually create an (A) record for the NetScaler pointing to the correct IP in your DNS forward lookup zone. This is easily forgotten, as Windows machines use dynamic DNS to register themselves automatically and the NetScaler does not.

You will be prompted to restart the VPX appliance once you click Done. Step 4 is where you configure the license for the VPX appliance; you can get a 90-day trial from Citrix that should be ample for testing. A separate blog post covers licensing the NetScaler VPX in detail.

Once the reboot has completed you should be able to log back into the VPX, and you will be taken to the Configuration window. To ensure your license file has been imported correctly click on Licenses; the trial license should allow Load Balancing, Content Switching and SSL Offloading.

The next step is to configure High Availability between the two NetScaler VPXs. To do this click System, then High Availability, where you should see the first node in the state UP. Click the Add button.

You should now enter the NSIP of the secondary node into the Node IP field. The username and password used to log in to the NetScaler must be the same on both devices; I have left these as their default nsroot/nsroot. Outside a throwaway lab the nsroot password must be changed on both nodes, as must the RPC node password the HA peers use to authenticate synchronization traffic, which also defaults to nsroot; both defaults are well known.

When you click Create the NetScaler will prompt you to save the running configuration and reboot the device.

Once the restart has completed, under the High Availability section you should see both nodes. As heartbeats should be passing between the devices, the first NetScaler VPX should still be operating as the primary.

The Actions menu can be used to show details, Force Synchronization and Force Failover between the two devices. 

The next step is to define the Services (the backend servers you want to load balance between). To do this expand Traffic Management, then Load Balancing, and click on Services. Click Add to launch the wizard.

Configure the settings to be in line with your environment; I have two web servers ( & 51) that are inside the local area network. You must create a Service for each of these servers.

The servers are still offline for me at the moment, therefore they appear as DOWN. This will change automatically once the default tcp-default monitor, probing from the SNIP, can complete a TCP handshake to port 80 on each server; the check is a TCP connection to the service port, not an ICMP ping, so a host that answers ping but has IIS stopped still shows as DOWN.

Once I brought the servers online and there was connectivity between the NetScaler and the web servers the State changed to UP and the lights went green. This is a good time to save the running configuration.

Also from the Load Balancing menu, click on Virtual Servers. A virtual server in NetScaler is the entity that external clients connect to in order to reach the applications hosted on the backend servers; it is defined by a name, a Virtual IP (VIP), a port and a protocol. Click Add to begin creating a new virtual server.

The name of the Netscaler Virtual Server is only locally relevant, therefore it does not make much difference what this is called here. I have configured my Virtual Server with the IP address of, which is the subnet that is in use on my DMZ side of the network. The Netscaler VPX's have two NIC's, one on each side of the two networks, LAN and DMZ.

Once you click OK, you will be prompted to enable the feature "LB", click Yes to this.

After this completes you will see, under Services and Service Groups, that there are no Virtual Server Service Bindings; click on the arrow to begin configuring this.

This is where we bind the services (the servers to be load balanced) to the NetScaler virtual server; click the plus button to open the selection list.

Select both of the services that you created in the previous steps; in my example I have named both of my web servers "iisx". Click OK once this has been done.

Click Bind.

Click Done.

You must now click on the Method button under the Advanced menu; this expands the configuration screen and lets you choose a load balancing method. NetScaler supports a number of different load balancing algorithms, the most common ones being;
  • LEASTCONNECTION (Which service currently has the fewest client connections. This is the default load balancing algorithm.)
  • ROUNDROBIN (Which service is at the top of a list of services. After that service is selected for a connection, it moves to the bottom of the list.)
  • LEASTRESPONSETIME (Which load balanced server currently has the quickest response time.)
  • URLHASH (A hash of the destination URL.)
A full list of the supported algorithms can be found in the following Citrix eDocs article.

I am going to configure LEASTCONNECTION at this stage; once done click OK. You should review the eDocs page to determine which algorithm will suit your needs best.

The virtual server still appears to be "DOWN"; it will come UP once the service bindings have been applied and at least one bound service is UP. Click Done.

Once a refresh has occurred, click the Save icon.

Click Yes to confirm.

Now if you browse to the external VIP address you should be connected to one of the web servers; I changed the default IIS landing page to ensure it was working correctly.
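The HA pairing and load balancing steps above, expressed as NetScaler CLI commands. This is an added example, not commands from the post, and the addresses are placeholders because the post's own addresses are not shown: NS01 NSIP 192.168.1.20, NS02 NSIP 192.168.1.21, SNIP 192.168.1.22/24, web servers 192.168.1.50 and 192.168.1.51, and a VIP of 172.16.0.10 on the DMZ side. It goes beyond the GUI walkthrough in two places: it changes the RPC node password that defaults to nsroot, and it binds an HTTP monitor so that a server whose site is broken but whose port is open is taken out of rotation. Lines beginning with # are annotations; strip them before pasting.

```text
# Placeholder addresses (assumptions, not the post's): NS01 192.168.1.20, NS02 192.168.1.21,
# SNIP 192.168.1.22/24, IIS servers 192.168.1.50 and .51, DMZ-side VIP 172.16.0.10.

# ===== On NS01 (will become the primary) =====
add ns ip 192.168.1.22 255.255.255.0 -type SNIP
# Node 0 is always the local node; the peer is added as node 1 with its NSIP.
add HA node 1 192.168.1.21
# The peers authenticate config sync (TCP 3010/3008) and command propagation (TCP 3011/3009)
# with the RPC node password, which defaults to nsroot. Set the same secret for both NSIPs on
# both nodes; -secure YES moves the traffic to the encrypted 3008/3009 ports.
set ns rpcNode 192.168.1.20 -password "<rpc-secret>" -secure YES
set ns rpcNode 192.168.1.21 -password "<rpc-secret>" -secure YES
save ns config

# ===== On NS02 =====
add HA node 1 192.168.1.20
set ns rpcNode 192.168.1.20 -password "<rpc-secret>" -secure YES
set ns rpcNode 192.168.1.21 -password "<rpc-secret>" -secure YES
save ns config

# ===== Load balancing, on the primary only (commands propagate to the secondary) =====
enable ns feature LB
add server iis1 192.168.1.50
add server iis2 192.168.1.51
add service svc_iis1 iis1 HTTP 80
add service svc_iis2 iis2 HTTP 80

# tcp-default only proves port 80 answers; an HTTP monitor also requires a 200 for a request,
# so a server with IIS up but the site broken is marked DOWN and receives no traffic.
add lb monitor mon_iis HTTP -httpRequest "HEAD /" -respCode 200
bind service svc_iis1 -monitorName mon_iis
bind service svc_iis2 -monitorName mon_iis

# Virtual server on the DMZ-side VIP, LEASTCONNECTION as chosen in the walkthrough.
add lb vserver vs_web HTTP 172.16.0.10 80 -lbMethod LEASTCONNECTION
bind lb vserver vs_web svc_iis1
bind lb vserver vs_web svc_iis2

# Check state: the vserver shows UP once at least one bound service is UP.
show lb vserver vs_web
show HA node
save ns config
```

After a `force HA failover` on the primary, `show HA node` on each appliance should show the roles swapped and the VIP should keep answering, which is the test worth running before relying on the pair in production.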