
Friday, 27 May 2016

Base Configuring an F5 Big-IP with LTM Module Device

You can get a trial of the F5 Big-IP from the F5 website; it provides a full Big-IP (with the LTM module) for up to 90 days from the date of activation. I am looking to load balance Exchange 2016 and VMware View through a pair of Big-IPs with the LTM module, so I spun one up in my lab to get it working before doing it for real. The Big-IP is much like a Citrix NetScaler in the sense that it is an Application Delivery Controller, so many of the concepts are the same. I am using VMware Workstation; the virtual appliance is available for VMware, Citrix and Hyper-V. I have found the OVA hardware spec a little low: the box is pretty slow if you leave it at 2 GB of memory, so I would recommend upping it to 4 GB.
Import the OVA into either vSphere or VMware Workstation.
Configure the Network Interfaces
·        vmnet0 - bridged (mgmt)
·        vmnet1 - host only (int)
·        vmnet2 - host only (ext)
·        vmnet3 - host only (ha)
Your network topology could of course be different; I am choosing to build a topology close to the one I will be deploying the devices into in production. Obviously, if you are deploying physical appliances, instead of putting interfaces onto logical networks in VMware you would put each interface into the corresponding VLAN.
The default credentials for the vAppliance are root/default.

Type "config" at the initial prompt to launch the initial configuration utility. You can set the mgmt address from the shell instead (the supported way is tmsh, e.g. "tmsh modify sys management-ip"; changes made with plain ifconfig do not survive a reboot), but the config utility is easier.

In VMware I have found that the F5 sometimes gets the order of the vNICs attached to the VM wrong. I would therefore recommend attaching a single vNIC to the appliance, configuring your mgmt address, and only then attaching the other vNICs once you know which interface the F5 is treating as its mgmt interface.

If you are having issues with the order of your network interfaces, use netstat -i to display all the physical interfaces the F5 can see. Note that in TMOS the management address on the mgmt port is separate from the Self IPs: a Self IP is an address the Big-IP holds on one of its VLANs (internal, external, HA) and is closer to a NetScaler SNIP than to the NSIP, which is the NetScaler's management address.
The web interface has a different set of credentials out of the box: admin/admin. Change both the root and admin passwords before the appliance goes anywhere near a real network.

Before you can do anything you have to license the F5. Open the Setup Utility and click Next.

Select the method of activation that suits you best. My F5 did not have a route to the Internet at this stage, so I opted for the manual method. The Registration Key is the code F5 e-mails to you when you download a trial.

After a minute or so the verification will complete and you are free to start configuring the F5 features. The trial license comes with the Local Traffic (LTM) and Application Visibility and Reporting modules.

Problem
After bouncing my F5 a couple of times I started getting the following when I logged in via the web interface: "The Big-IP system has encountered a configuration problem that may prevent the configuration utility from functioning properly". I never managed to work out why, other than that the F5 had been shut down incorrectly. I just re-provisioned another F5 device.


Sunday, 21 June 2015

Configuring Citrix NetScaler to Load Balance ADFS v3.0


The link below is broken, and I no longer have a copy of the full document I created in July 2015. Do not e-mail me directly asking for a copy.

To ensure the ADFS and WAP servers are highly available, a hardware load balancer is recommended. In this example I have outlined how to configure Citrix NetScalers to do this. If you are deploying ADFS for Office 365 it is important that the service is highly available, otherwise users will not be able to authenticate to ADFS.

Microsoft supports NetScaler as a hardware load balancer, but there is a lack of documentation on how to deploy the two together.

Settings such as MAC-based forwarding, SSL bridging, session persistence and the client IP header are not obviously required, but they are.

Although the full guide I created no longer exists, I have summarised below how to configure the NetScaler to load balance ADFS 3.0. This is not a full and conclusive guide. I won't be redoing the guide until I am asked to do it for a customer.

Although this diagram is for MS Lync, it's similar for ADFS. Imagine you have 2 x WAP in the DMZ and 2 x ADFS in your LAN. 


Most places won't have two separate physical NetScaler pairs. The above topology can be achieved with a single pair of NetScalers with a network interface on each of the DMZ and LAN networks; NetScaler vServers are then used to load balance each component. If your security requirements state you must have a physical break between the DMZ and the LAN, it is different.

High level steps (from memory)

  • Base configure the NetScalers (NSIP, SNIP, routes, default gateways etc.)
    • At this point it's important to have an interface on each network. If you are deploying the ADFS WAP servers, these should be in your DMZ, so the NetScaler needs an interface on each of the separate Layer 2 networks.
      • If you have problems, research "MAC based forwarding".
  • Configure high availability of the NetScalers
    • Easy to do, Google it. I normally set my HA configuration to Active/Passive.
  • Define the servers, both ADFS and WAP
    • Traffic Management/Load Balancing/Servers
      • Create a new server object for each of the ADFS and WAP servers.
      • Create the services, one per ADFS server and one per WAP server, under Traffic Management/Load Balancing/Services, with the protocol set to SSL Bridge. SSL Bridge passes the TLS session through untouched, so the certificate stays on the ADFS/WAP servers and the NetScaler never needs the private key.
        • service 1 = "adfs_https" protocol SSL Bridge
        • service 2 = "wap_https" protocol SSL Bridge
  • It's important that the protocol type matches between the services and the vServers they are bound to.
At this point, if your servers are listening on TCP 443 (HTTPS) and you have configured the networking correctly, the services will show as "up" and the light will be green. If not, there is some kind of networking problem (remember your WAP servers don't listen on 443 until you have successfully paired them with the ADFS servers).

  • Configure SSL session persistence. Persistence is a property of the vServer, so it is set in the vServer configuration (Persistence type SSLSESSION); check eDocs for your firmware version.
  • Now create a new vServer for the WAPs and one for the ADFS servers
    • vserver1 = "adfs", with an IP on the network the backend ADFS servers sit on
    • vserver2 = "wap", same as above but on the DMZ network
  • When you create each vServer, bind it to the corresponding services (adfs to adfs etc.) and set the load balancing method to round robin.
DNS 

Now that you have the NetScaler configured, create a hosts file entry on the WAP servers that points your ADFS service name (e.g. sso.domain.com) at the NetScaler vServer for the ADFS servers. Then run the WAP-ADFS pairing. If you get an error, check the bindings.
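The same layout expressed as NetScaler CLI, rendered as a batch file you can copy to the appliance and apply with "batch -fileName". This is an added example, not part of the original guide: the addresses, object names and the health monitor are assumptions for a lab. The monitor goes beyond the GUI steps above by probing the /adfs/probe endpoint that ADFS 3.0 and WAP expose on TCP 80 for load balancer health checks, so a server that is up but whose federation service has stopped is taken out of rotation.

```shell
#!/bin/sh
# Added example: renders a NetScaler CLI batch file for the ADFS/WAP load-balancing
# layout described in the post. All names and addresses below are assumptions.
# Apply on the appliance with:
#   scp adfs_lb.conf nsroot@<NSIP>:/nsconfig/
#   ssh nsroot@<NSIP> "batch -fileName /nsconfig/adfs_lb.conf"

ADFS_VIP="${ADFS_VIP:-10.0.1.100}"        # vServer "adfs" on the LAN
WAP_VIP="${WAP_VIP:-192.168.100.100}"     # vServer "wap" in the DMZ
ADFS_SERVERS="${ADFS_SERVERS:-adfs01=10.0.1.11 adfs02=10.0.1.12}"
WAP_SERVERS="${WAP_SERVERS:-wap01=192.168.100.11 wap02=192.168.100.12}"

# Emit server, service, monitor-binding and vServer-binding lines for one tier.
# $1 = tier (adfs|wap), $2 = "name=ip name=ip ..." list
render_tier() {
    tier="$1"
    for entry in $2; do
        name="${entry%%=*}"
        ip="${entry#*=}"
        echo "add server ${name} ${ip}"
        # SSL_BRIDGE: TCP 443 is passed through untouched; TLS terminates on the server
        echo "add service ${name}_https ${name} SSL_BRIDGE 443"
        echo "bind service ${name}_https -monitorName mon_adfs_probe"
        echo "bind lb vserver lb_${tier} ${name}_https"
    done
}

render_adfs_lb_config() {
    cat <<EOF
enable ns mode MBF
add lb monitor mon_adfs_probe HTTP -httpRequest "GET /adfs/probe" -respCode 200 -destPort 80
add lb vserver lb_adfs SSL_BRIDGE ${ADFS_VIP} 443 -persistenceType SSLSESSION -lbMethod ROUNDROBIN
add lb vserver lb_wap SSL_BRIDGE ${WAP_VIP} 443 -persistenceType SSLSESSION -lbMethod ROUNDROBIN
EOF
    render_tier adfs "$ADFS_SERVERS"
    render_tier wap "$WAP_SERVERS"
    echo "save ns config"
}

render_adfs_lb_config
```

Because the services are SSL_BRIDGE the NetScaler cannot insert a client IP header; the ADFS servers see the SNIP as the source unless you enable Use Source IP, which is why the post mentions MAC-based forwarding. Override ADFS_VIP, WAP_VIP, ADFS_SERVERS and WAP_SERVERS in the environment to match your own addressing.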












Wednesday, 29 April 2015

Citrix NetScaler High Availability Configuration "Remote Node x.x.x.x PARTIAL_FAIL" & "Remote Node x.x.x.x COMPLETE_FAIL" HA Relationship Fails to Form

You have two identical NetScaler MPX 5560s, and they both have management interfaces (NSIPs) on the 0/1 interface of each appliance, configured on VLAN 8. When you try to configure High Availability between the two appliances, you receive "Node State - Not Up" on the secondary appliance.


First I clicked on the Dashboard to see from the System Log whether there were any clues as to why the HA relationship was failing to form. The System Log was stamped with "remote node x.x.x.x PARTIAL_FAIL" and "remote node x.x.x.x COMPLETE_FAIL".


The next step was to take a closer look at the /var/nslog/newnslog log file, which can be accessed through the Web GUI from Configuration > Diagnostics > View Events.


Not much more information was listed in this log, but my attention soon drifted towards the number of interfaces reporting "No heartbeats since HA startup".


More of the same referencing the "PARTIAL_FAIL" error message that was present in the System Log.


The first thing I tried was to disable all of the NetScaler's interfaces with the exception of 0/1, which carried the NSIP address on each appliance. You will receive an error if you try to disable the loopback interface.


Once all of the interfaces were in the "disabled" state I ran the High Availability wizard again, and this time it worked. It was obvious the issue was down to a setting on the enabled interfaces: every enabled interface is expected to see HA heartbeats from the peer, and an enabled but uncabled port never will.


As good practice I only re-enabled the two additional interfaces that were actually in use on the appliances, which were 1/1 and 1/2.


I left most of the settings at their defaults with the exception of "HA Monitoring", which I changed to OFF. This appeared to fix the original issue. Bear in mind that with HA Monitoring OFF a link failure on that interface no longer triggers a failover, so prefer disabling the unused interfaces and leave monitoring on for the ports that actually carry traffic.


The next stage was to re-configure the NetScaler High Availability pair; to do this click System > High Availability. In my deployment I want the first appliance to always remain the Primary node unless a failure occurs, so I highlighted the appliance and clicked Edit.


From the Configure HA Node menu, the High Availability Status can be configured for each of the NetScaler nodes, I set the first appliance to STAY PRIMARY.


And the second appliance to STAY SECONDARY.


Once I had completed all of the above configuration I saved the NetScaler running config. I then ran through the HA pairing wizard again, which completed successfully.
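The CLI equivalent of the fix above, as an added example rather than the author's own configuration: it renders one batch file per appliance that disables the uncabled ports, keeps HA monitoring on the live ports (so a link failure there still causes a failover), adds the peer as HA node 1 and pins the local node (always node 0) to STAYPRIMARY or STAYSECONDARY. The port list, NSIPs and file names are assumptions; check your appliance's ports with "show interface".

```shell
#!/bin/sh
# Added example: NetScaler CLI equivalent of the HA fix described in the post.
# Port names and peer NSIPs are assumptions; adjust them to your appliances.

IN_USE="${IN_USE:-0/1 1/1 1/2}"                 # NSIP port plus the cabled data ports
ALL_PORTS="${ALL_PORTS:-0/1 0/2 1/1 1/2 1/3 1/4 1/5 1/6}"

# Return 0 if port $1 is in the IN_USE list.
is_in_use() {
    for p in $IN_USE; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# $1 = primary|secondary (role of the appliance this file is applied to)
# $2 = NSIP of the other appliance
render_ha_config() {
    role="$1"
    peer="$2"
    case "$role" in
        primary)   status=STAYPRIMARY ;;
        secondary) status=STAYSECONDARY ;;
        *) echo "usage: render_ha_config primary|secondary <peer NSIP>" >&2; return 1 ;;
    esac
    # Uncabled ports never see a heartbeat and count as failed; disable them instead of
    # switching HA monitoring off on the ports that carry traffic.
    for port in $ALL_PORTS; do
        if is_in_use "$port"; then
            echo "set interface ${port} -haMonitor ON"
        else
            echo "disable interface ${port}"
        fi
    done
    echo "add HA node 1 ${peer}"
    echo "set HA node 0 -haStatus ${status}"   # node 0 is always the local appliance
    echo "save ns config"
}

echo "# ---- apply on appliance 1 (NSIP 10.8.0.1) ----"
render_ha_config primary 10.8.0.2
echo "# ---- apply on appliance 2 (NSIP 10.8.0.2) ----"
render_ha_config secondary 10.8.0.1
```

Apply each file on its own appliance with "batch -fileName", then confirm with "show HA node" that the remote node reports UP and that the system log no longer shows PARTIAL_FAIL.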


Citrix NetScaler Firmware Upgrade - 10.1 Build 127.11 to 10.5 Build 56.15 with the Web GUI

Upgrading the firmware of a Citrix NetScaler is a very easy thing to do. I have documented the steps for anyone who has never done it before or has limited exposure to the NetScaler platform. Please do not contact me asking for the NetScaler firmware, as I cannot provide it for you. Log in to your Citrix account for the latest firmware.

The easiest way to do it is to download the new firmware to your local device; the wizard then lets you upload it to the appliance. Alternatively the image can be sourced from the appliance's own flash. Compare the checksum of the downloaded build with the one published alongside it before you upload it.

Open the Web GUI and log in. From the Configuration screen, click Upgrade Wizard.


Click Next on the Introduction screen.


Select Local Computer, click Browse, and find the firmware file you downloaded from Citrix.


If you have a license file currently configured on your appliance it should show here. I am actually not sure whether it lets you upgrade the firmware if you don't have a license file imported.


I prefer to disable "Automatically move file to create space in flash", as this basically deletes the old firmware. For safety I would rather keep that firmware image available in case the upgrade does not work for some reason or needs to be rolled back. Select "Reboot after successful installation" and click Next.


Click Finish.


The wizard will upload the new firmware image from your local device to the NetScaler appliance.



You will be prompted whether you want to enable Citrix Call Home, which allows the appliance to report issues directly to Citrix; whether you enable this is entirely up to you.


Once the device (or virtual appliance) reboots, the Web GUI changes to darker colours.




You should note that if you are going to configure services such as High Availability, both NetScalers have to be exactly the same. This includes the platform, so you cannot mix VPXs with MPXs, for example; the firmware version and the network interfaces used must also match on the neighbouring devices.

Tuesday, 28 April 2015

Citrix NetScaler 10.1 MPX, throws the following error when you try to run certain operations from the Web GUI "Cannot load Applet, Java Applet could not be loaded Details Possible reasons: JRE(Java Runtime Environment) not installed. JRE is installed but not running."

Disclaimer: Many people have blogged about this issue with NetScaler and the Java Runtime. The reason I have done it again is that although there are blogs documenting similar fixes, none of them on its own resolved the problem for me. I have therefore consolidated into a single post all of the steps it took me to fix the problem in my environment, and referenced the articles I used below to give the original contributors credit.

Citrix NetScaler throws the following error when you try to run certain operations from the Web GUI: "Cannot load Applet, Java Applet could not be loaded Details Possible reasons: JRE(Java Runtime Environment) not installed. JRE is installed but not running." I came across the issue trying to upgrade the firmware and enable HA on two physical appliances.

In this environment I have the latest Java Runtime installed (April 2015), which is version 8 update 45. Open Control Panel and then open the Java control panel. Click on the General tab and ensure "Keep temporary files on my computer" is disabled.


Then click Security, then Edit Site List..., and put an entry in for your problem NetScaler device here.



Click on the Advanced tab, set "Mixed code (sandboxed vs. trusted) security verification" to "Disable verification (not recommended)", and set "Perform signed code certificate revocation checks on" to "Do not check (not recommended)". Both settings weaken the Java sandbox on the workstation you administer the NetScaler from, so revert them once the upgrade or HA work is finished, and only ever do this from a dedicated admin workstation.





References:




Friday, 27 February 2015

Citrix NetScaler 10.5 VPX Configuring Active Directory Authentication

It is possible to integrate the NetScaler with Active Directory for administrator authentication. This means administrators can use their dedicated admin accounts to log in to the NetScaler and make configuration changes, and saves organisations from managing a local user database on the NetScaler appliances. You should, however, always keep at least one backup local "superuser" account to hand in case the LDAP integration breaks for some reason, and give it a strong, vaulted password since it is the fallback for the whole appliance.

Log in to the NetScaler using local credentials, expand System and then Authentication, and click the LDAP option.


In the Name field enter something descriptive for the policy you are about to create; I have chosen "AD Connector" in my environment. Click the + button next to the Server field.


When the Create Authentication LDAP Server window opens you must populate it with details specific to your network. As this is only a test lab I do not have DNS set up correctly, so I have used the IP of a Domain Controller. In addition I have chosen ordinary LDAP rather than LDAPS, which you really should be using in a production network: with plain LDAP the bind DN password and every administrator's password cross the network in clear text. By default LDAP uses TCP port 389 and LDAPS uses TCP port 636.


Scroll down within the same window until you get to Connection Settings. These settings must again be populated to match your infrastructure. The Base DN should be taken from the root of the domain. This can be viewed if you enable Advanced Features from the View menu in ADUC (Active Directory Users and Computers) and then open the Attribute Editor tab.


You can find the Bind DN in exactly the same way; the screenshots below show exactly where these details can be viewed. Tick the BindDN Password box and enter the password for the account you have used. I used the Administrator account in the lab, but in production the Bind DN should be a dedicated service account with read-only rights to the directory, never a Domain Admin: that password is stored on the appliance and sent to the DC on every login.



Scroll down further until you see the following properties. Populate these to be the same as mine, except for the search filter, which should reference the Active Directory group you are going to use for users authorised to access the NetScaler: enter the group's full distinguished name with "memberOf=" prepended to it. This filter means only members of that group can authenticate at all; the group attribute (memberOf) and sub-attribute (CN) are what the NetScaler later uses to map the user onto a NetScaler system group. Click OK.


When you are back on the Configure Authentication page you must add an expression; all this needs to be is ns_true. Click OK once this is in place.



From the Policies screen you will notice that the policy is not bound to anything. For it to apply across the entire NetScaler it must be globally bound. Click the policy once to highlight it and select Global Bindings.


Select the policy from the Policy Binding drop-down and leave the priority at 100. Click Bind.


The icon under "Globally Bound?" should now change to a green tick.


The next step is to create a NetScaler system group that maps to the Active Directory security group: from System, expand User Administration and click Groups.


You must create a group with EXACTLY THE SAME NAME AS THE ACTIVE DIRECTORY GROUP, otherwise it will not work: the NetScaler extracts the CN of each group in the user's memberOf attribute and looks for a system group of that name.


Scroll down to Policy Name and give the group "superuser" permissions. If not every member needs full control of the appliance, bind one of the more restrictive built-in command policies (read-only, operator, network or sysadmin) instead. Click Create.


Save the settings. 


Now users who are in the Active Directory security group should be able to log in to the NetScaler as DOMAIN\User with their Active Directory password.
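The whole procedure as NetScaler CLI, rendered as a batch file. This is an added example, not the author's configuration, and it differs from the GUI walkthrough in two places a production build should differ: it uses LDAPS on TCP 636 and a dedicated read-only bind account rather than plain LDAP and the Administrator account. The DC address, DNs, group name, object names and the placeholder bind password are assumptions.

```shell
#!/bin/sh
# Added example: NetScaler CLI equivalent of the LDAP administrator-authentication
# setup described in the post. Every address, DN and name below is an assumption;
# BIND_PW is a placeholder, and the rendered file contains it in clear text, so
# treat the file as a secret and delete it from /nsconfig after "batch -fileName".

DC_IP="${DC_IP:-10.0.0.10}"
BASE_DN="${BASE_DN:-DC=lab,DC=local}"
BIND_DN="${BIND_DN:-CN=svc-ns-ldap,OU=Service Accounts,DC=lab,DC=local}"
BIND_PW="${BIND_PW:-ChangeMe}"
ADMIN_GROUP="${ADMIN_GROUP:-NetScaler Admins}"          # AD group CN == NetScaler group name
GROUP_DN="${GROUP_DN:-CN=${ADMIN_GROUP},OU=Groups,DC=lab,DC=local}"
CMD_POLICY="${CMD_POLICY:-superuser}"                   # or read-only / operator / network / sysadmin

render_ldap_auth_config() {
    cat <<EOF
add authentication ldapAction AD_Connector -serverIP ${DC_IP} -serverPort 636 -secType SSL -ldapBase "${BASE_DN}" -ldapBindDn "${BIND_DN}" -ldapBindDnPassword "${BIND_PW}" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -searchFilter "memberOf=${GROUP_DN}"
add authentication ldapPolicy AD_Connector_pol ns_true AD_Connector
bind system global AD_Connector_pol -priority 100
add system group "${ADMIN_GROUP}"
bind system group "${ADMIN_GROUP}" -policyName ${CMD_POLICY} 100
save ns config
EOF
}

render_ldap_auth_config
```

The search filter restricts who can authenticate to members of the admin group, and groupAttrName/subAttributeName make the NetScaler match the CN of each memberOf value against a system group name, which is why the two names must be identical. Keep the local nsroot (or another local superuser) account working and test a login with a domain account before you disable local-only access.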