Pete's Packet


Archive for the ‘Q&A’ Category

Configuring a Citrix NetScaler for the First Time

Posted by Peter Kurdziel on December 2, 2009

Your new NetScaler is preconfigured with a default IP address (the NSIP) and associated subnet mask for management access. The default NSIP is 192.168.100.1 and the subnet mask (netmask) is 255.255.0.0. You can change these values to fit the addressing scheme for your network. For your initial configuration, you must also specify at least one MIP. Before saving your new configuration, you should change the administrator password.

If you are setting up two NetScaler appliances as a high availability pair, you configure one as primary and the other as secondary.

set ns config -ipaddress 10.102.29.60 -netmask 255.255.255.0
add ns ip 10.102.29.61 255.255.255.0 -type mip
add route 0.0.0.0 0.0.0.0 10.102.29.1
set system user nsroot administrator
save ns config
reboot

Configuring a High Availability Pair for the First Time

In one-arm configuration, both NS1 and NS2 and servers S1, S2, and S3 are connected to the switch.

In two-arm configuration, both NS1 and NS2 are connected to two switches. The servers S1, S2, and S3 are connected to the second switch. The traffic between client and the servers passes through either NS1 or NS2.

To set up a high availability environment, configure one NetScaler as primary and another as secondary. Perform the following tasks on each of the NetScalers:

  • Add a node.
  • Disable high availability monitoring for unused interfaces.

Configuring System Settings

To configure HTTP parameters by using the configuration utility

  1. In the navigation pane, expand System, and then click Settings.
  2. In the details pane, under Settings, click Change HTTP parameters.
  3. In the Configure HTTP parameters dialog box, specify values for some or all of the parameters that appear under the headings listed in the table above.
  4. Click OK.

To set the FTP port range by using the configuration utility

  1. In the left pane, expand System, and click Settings. The Settings page appears in the right pane.
  2. Under Settings, click Change Global System Settings. The Configure Global Settings dialog box appears.
  3. Under FTP Port Range, in the Start Port and End Port text boxes, type the lowest and highest port numbers, respectively, for the range you want to specify (for example, 5000 and 6000).
  4. Click OK.

Enabling and Disabling Layer 2 or 3 Mode

  • enable ns mode <Mode>
  • disable ns mode <Mode>
  • show ns mode

Examples

> enable ns mode l3
 Done
> show ns mode

        Mode                           Acronym              Status
        -------                        -------              ------
 1)     Fast Ramp                      FR                   ON
 2)     Layer 2 mode                   L2                   OFF
 .
 .
 .
 9)     Layer 3 mode (ip forwarding)   L3                   ON
 .
 .
 .
 Done
>
> disable ns mode l3
 Done
> show ns mode

        Mode                           Acronym              Status
        -------                        -------              ------
 1)     Fast Ramp                      FR                   ON
 2)     Layer 2 mode                   L2                   OFF
 .
 .
 .
 9)     Layer 3 mode (ip forwarding)   L3                   OFF
 .
 .
 .
 Done
>

Enabling and Disabling MAC-Based Forwarding Mode

> enable ns mode mbf
 Done
> show ns mode

        Mode                           Acronym              Status
        -------                        -------              ------
 1)     Fast Ramp                      FR                   ON
 2)     Layer 2 mode                   L2                   OFF
 .
 .
 .
 6)     MAC-based forwarding           MBF                  ON
 .
 .
 .
 Done
> 

> disable ns mode mbf
 Done
> show ns mode

        Mode                           Acronym              Status
        -------                        -------              ------
 1)     Fast Ramp                      FR                   ON
 2)     Layer 2 mode                   L2                   OFF
 .
 .
 .
 6)     MAC-based forwarding           MBF                  OFF
 .
 .
 .
 Done
>

Configuring Network Interfaces

> set interface 1/8 -duplex full
 Done
> show interface 1/8
        Interface 1/8 (Gig Ethernet 10/100/1000 MBits) #2
        flags=0x4000 <ENABLED, DOWN, down, autoneg, 802.1q>
        MTU=1514, native vlan=1, MAC=00:d0:68:15:fd:3d, downtime 162h01m03s
        Requested: media UTP, speed AUTO, duplex FULL, fctl OFF,
                 throughput 0

        RX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
        TX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
        NIC: InDisc(0) OutDisc(0) Fctls(0) Stalls(0) Hangs(0) Muted(0)
        Bandwidth thresholds are not set.

 Done

To configure a VLAN by using the NetScaler command line

Type the following commands to create a VLAN, bind interfaces to it, verify the configuration, and display the statistics. If you have already created the VLAN, skip the first command.

  • add vlan <id>
  • bind vlan <id> [-ifnum <interface_name>]
  • show vlan [<id>]

Example

> add vlan 2
 Done
> bind vlan 2 -ifnum 1/8
 Done
> show vlan 2

1)      VLAN ID: 2
        Member Interfaces : 1/8         Tagged: None
 Done
>
> stat vlan 2
VLAN ID 2
                                          Rate (/s)            Total
Packets received                                   0                    0
Bytes received                                     0                    0
Packets sent                                       0                    0
Bytes sent                                         0                    0
Packets dropped                                   --                    0
Broadcast pkts sent & received                    --                    0
 Done
>

Configuring Link Aggregate Channels

> add channel LA/1
 Done
> bind channel LA/1 1/8
 Done
> show channel LA/1
1)      Interface LA/1 (802.3ad Link Aggregate) #9
        flags=0x1004000 <ENABLED, DOWN, AGGREGATE, down, HAMON, 802.1q>
        MTU=1514, native vlan=1, MAC=02:d0:68:15:fd:3b, downtime 0h00m00s
        Requested: media NONE, speed NONE, duplex NONE, fctl NONE,
                 throughput 0
        Actual: throughput 0
        LA mode: MANUAL, distribution: Conn: ENABLED, MAC: BOTH
                1/8: unknown                    DOWN 162h40m02s

        RX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
        TX: Pkts(0) Bytes(0) Errs(0) Drops(0) Stalls(0)
        NIC: InDisc(0) OutDisc(0) Fctls(0) Stalls(0) Hangs(0) Muted(0)
        Bandwidth thresholds are not set.

 Done
>

To configure clock synchronization on your NetScaler

  1. Log on to the NetScaler command line and enter the shell command.
  2. At the shell prompt, copy the ntp.conf file from the /etc directory to the /nsconfig directory. If the file already exists in the /nsconfig directory, make sure that you remove the following entries from the ntp.conf file:

restrict localhost

restrict 127.0.0.2

These entries are required only if you want to run the device as a time server. However, this feature is not supported on the NetScaler.

  3. Edit /nsconfig/ntp.conf by typing the IP address for the desired NTP server under the file’s server and restrict entries.
  4. Create a file named rc.netscaler in the /nsconfig directory, if the file does not already exist in the directory.
  5. Edit /nsconfig/rc.netscaler by adding the following entry: /usr/sbin/ntpd -c /nsconfig/ntp.conf -l /var/log/ntpd.log &

This entry starts the ntpd service, checks the ntp.conf file, and logs messages in the /var/log directory.

Note: If the time difference between the NetScaler and the time server is more than 1000 sec, the ntpd service terminates with a message to the NetScaler log. To avoid this, you need to start ntpd with the -g option, which forcibly syncs the time. Add the following entry in /nsconfig/rc.netscaler:

/usr/sbin/ntpd -g -c /nsconfig/ntp.conf -l /var/log/ntpd.log &

If you do not want to forcibly sync the time when there is a large difference, you can set the date manually and then start ntpd again. You can check the time difference between the NetScaler and the time server by executing the following command in the shell:

ntpdate -q <IP address or domain name of the NTP server>

  6. Reboot the NetScaler to enable clock synchronization.

Note: If you want to start time synchronization before you restart the NetScaler, you can enter the

/usr/sbin/ntpd -c /nsconfig/ntp.conf -l /var/log/ntpd.log &

command (which you added to the rc.netscaler file in step 5) at the shell prompt.
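The clock-synchronization procedure above, as an added Python example (not Citrix code and not part of the original post): it copies ntp.conf, drops the two restrict entries the text says must be removed, adds server and restrict lines for the NTP server, and appends the ntpd line to rc.netscaler only once, so re-running it does not start a second ntpd at boot. The NTP server address 10.102.29.20 and the restrict flags are assumptions, and demo() works in a scratch directory instead of /etc and /nsconfig.

```python
"""Prepare /nsconfig/ntp.conf and /nsconfig/rc.netscaler as described in the
procedure above.  Added example, not Citrix code; paths default to the ones on
the page but can be pointed at any directory."""
import ipaddress
import os
import shutil
import tempfile

# Entries that must not remain in the copied ntp.conf: they are only needed when
# the box acts as a time server, which the NetScaler does not support.
FORBIDDEN_RESTRICTS = ("restrict localhost", "restrict 127.0.0.2")


def prepare_ntp_conf(text, server_ip):
    """Return ntp.conf text with the forbidden restrict entries removed and a
    server line plus a restrict line for server_ip appended (idempotent).
    The restrict flags are an assumption: standard ntpd flags that let the
    server supply time but not query or reconfigure this host."""
    ipaddress.ip_address(server_ip)  # refuse anything that is not an IP address
    kept = [line for line in text.splitlines()
            if line.strip() not in FORBIDDEN_RESTRICTS]
    for line in ("server %s" % server_ip,
                 "restrict %s nomodify notrap noquery" % server_ip):
        if line not in kept:
            kept.append(line)
    return "\n".join(kept) + "\n"


def ntpd_entry(force_sync=False):
    """The rc.netscaler line from the procedure; -g is added only when the clock
    may be more than 1000 s off, because ntpd otherwise exits."""
    flags = "-g " if force_sync else ""
    return "/usr/sbin/ntpd %s-c /nsconfig/ntp.conf -l /var/log/ntpd.log &" % flags


def install(server_ip, src="/etc/ntp.conf", nsconfig="/nsconfig", force_sync=False):
    """Copy, edit and register ntpd; returns the path of the ntp.conf written."""
    os.makedirs(nsconfig, exist_ok=True)
    with open(src) as f:
        conf = f.read()
    dst = os.path.join(nsconfig, "ntp.conf")
    with open(dst, "w") as f:
        f.write(prepare_ntp_conf(conf, server_ip))
    rc = os.path.join(nsconfig, "rc.netscaler")
    entry = ntpd_entry(force_sync)
    existing = ""
    if os.path.exists(rc):
        with open(rc) as f:
            existing = f.read()
    if entry not in existing:  # create the file if missing, append the line once
        with open(rc, "a") as f:
            f.write(entry + "\n")
    return dst


def demo():
    """Run install() twice against a scratch directory holding a constructed
    /etc/ntp.conf and return the resulting ntp.conf and rc.netscaler text."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "ntp.conf")
        with open(src, "w") as f:  # constructed sample of the stock file
            f.write("driftfile /var/db/ntp.drift\nrestrict localhost\nrestrict 127.0.0.2\n")
        nsconfig = os.path.join(work, "nsconfig")
        for _ in range(2):
            install("10.102.29.20", src=src, nsconfig=nsconfig, force_sync=True)
        with open(os.path.join(nsconfig, "ntp.conf")) as f:
            conf = f.read()
        with open(os.path.join(nsconfig, "rc.netscaler")) as f:
            rc = f.read()
    finally:
        shutil.rmtree(work)
    return conf, rc


if __name__ == "__main__":
    conf, rc = demo()
    print(conf)
    print(rc)
```

Because rc.netscaler is executed at every boot, the append is guarded by a presence check; an unguarded `echo ... >> /nsconfig/rc.netscaler` repeated during troubleshooting would leave several ntpd instances competing for UDP 123.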

Configuring DNS

  • add dns nameServer <IP>
  • show dns nameServer <IP>

Example

> add dns nameServer 10.102.29.10
 Done
> show dns nameServer 10.102.29.10
1)       10.102.29.10  -  State: DOWN
 Done
>

SNMP

  • add snmp manager <IPAddress> … [-netmask <netmask>]
  • show snmp manager <IPAddress>

Example

> add snmp manager 10.102.29.5 -netmask 255.255.255.255
 Done
> show snmp manager 10.102.29.5
1)      10.102.29.5         255.255.255.255
 Done
>

  • add snmp trap specific <IP>
  • show snmp trap

Example

> add snmp trap specific 10.102.29.3
 Done
> show snmp trap

Type        DestinationIP    DestinationPort  Version     SourceIP         Min-Severity   Community
----        -------------    ---------------  -------     --------         ------------   ---------
generic     10.102.29.9      162              V2          NetScaler IP     N/A            public
generic     10.102.29.5      162              V2          NetScaler IP     N/A            public
generic     10.102.120.101   162              V2          NetScaler IP     N/A            public
.
.
.
specific    10.102.29.3      162              V2          NetScaler IP     -              public
 Done
>

  • set snmp alarm <trapName> [-state ENABLED | DISABLED ]
  • show snmp alarm <trapName>

Example

> set snmp alarm LOGIN-FAILURE -state ENABLED
 Done
> show snmp alarm LOGIN-FAILURE

Alarm                            Alarm Threshold    Normal Threshold  Time  State      Severity      Logging
-----                            ---------------    ----------------  ----  --------   ------------- --------
1) LOGIN-FAILURE                 N/A                N/A               N/A   ENABLED    -             ENABLED
 Done
>

  • set snmp alarm <trapName> [-severity <severity>]
  • show snmp alarm <trapName>

Example

> set snmp alarm LOGIN-FAILURE -severity Major
 Done
> show snmp alarm LOGIN-FAILURE

Alarm                            Alarm Threshold    Normal Threshold  Time  State      Severity      Logging
-----                            ---------------    ----------------  ----  --------   ------------- --------
1) LOGIN-FAILURE                 N/A                N/A               N/A   ENABLED    Major         ENABLED
 Done
>

Enabling Load Balancing

  • enable feature lb
  • show feature

Example

> enable feature lb
 Done
> show feature

        Feature                        Acronym              Status
        -------                        -------              ------
 1)     Web Logging                    WL                   OFF
 2)     Surge Protection               SP                   OFF
 3)     Load Balancing                 LB                   ON
 .
 .
 .
 9)     SSL Offloading                 SSL                  ON
 .
 .
 .
 Done

Configuring Services and a Vserver

  • add service <name> <IPaddress> <serviceType> <port>
  • add lb vserver <vServerName> <serviceType> [<IPaddress> <port>]
  • bind lb vserver <name> <serviceName>
  • show service bindings <serviceName>

Example

> add service service-HTTP-1 10.102.29.5 HTTP 80
 Done
> add lb vserver vserver-LB-1 HTTP 10.102.29.60 80
 Done
> bind lb vserver vserver-LB-1 service-HTTP-1
 Done
> show service bindings service-HTTP-1
service-HTTP-1 (10.102.29.5:80) - State : DOWN
1)      vserver-LB-1 (10.102.29.60:80) - State : DOWN
 Done

To configure persistence based on cookies by using the NetScaler command line

  • set lb vserver <name> -persistenceType COOKIEINSERT
  • show lb vserver <name>

Example

> set lb vserver vserver-LB-1 -persistenceType COOKIEINSERT
 Done
> show lb vserver vserver-LB-1
vserver-LB-1 (10.102.29.60:80) - HTTP   Type: ADDRESS
.
.
.
Persistence: COOKIEINSERT (version 0)   Persistence Timeout: 2 min
.
.
.
 Done
>

To configure persistence based on server IDs in URLs by using the NetScaler command line

  • set lb vserver <name> -persistenceType URLPASSIVE
  • show lb vserver <name>

Example

> set lb vserver vserver-LB-1 -persistenceType URLPASSIVE
 Done
> show lb vserver vserver-LB-1
vserver-LB-1 (10.102.29.60:80) - HTTP   Type: ADDRESS
.
.
.
Persistence: URLPASSIVE   Persistence Timeout: 2 min
.
.
.
 Done
>

Configuring Features to Protect the Load Balancing Configuration

Configuring URL Redirection

You can configure URL redirection to provide notifications of vserver malfunctions, and you can configure backup vservers to take over if a primary vserver becomes unavailable.

  • set lb vserver <name> -redirectURL <URL>
  • show lb vserver <name>

Example

> set lb vserver vserver-LB-1 -redirectURL http://www.newdomain.com/mysite/maintenance
 Done
> show lb vserver vserver-LB-1
vserver-LB-1 (10.102.29.60:80) - HTTP   Type: ADDRESS
State: DOWN
Last state change was at Wed Jun 17 08:56:34 2009 (+666 ms)
.
.
.
Redirect URL: http://www.newdomain.com/mysite/maintenance
.
.
.
 Done
>

Configuring Backup Vservers

  • set lb vserver <name> [-backupVserver <string>]
  • show lb vserver <name>

Example

> set lb vserver vserver-LB-1 -backupVserver vserver-LB-2
 Done
> show lb vserver vserver-LB-1
vserver-LB-1 (10.102.29.60:80) - HTTP   Type: ADDRESS
State: DOWN
Last state change was at Wed Jun 17 08:56:34 2009 (+661 ms)
.
.
.
Backup: vserver-LB-2
.
.
.
 Done
>

Enabling Compression

By default, compression is not enabled. You must enable the compression feature to allow compression of HTTP responses that are sent to the client.

  • enable ns feature CMP
  • show ns feature

Example

> enable ns feature CMP
 Done
> show ns feature

        Feature                        Acronym              Status
        -------                        -------              ------
 1)     Web Logging                    WL                   ON
 2)     Surge Protection               SP                   OFF
 .
 7)     Compression Control            CMP                  ON
 8)     Priority Queuing               PQ                   OFF
 .
 Done

Configuring Services to Compress Data

  • set service <name> -CMP YES
  • show service <name>

Example

> show service SVC_HTTP1
SVC_HTTP1 (10.102.29.18:80) - HTTP
State: UP
Last state change was at Tue Jun 16 06:19:14 2009 (+737 ms)
Time since last state change: 0 days, 03:03:37.200
Server Name: 10.102.29.18
Server ID : 0   Monitor Threshold : 0
Max Conn: 0     Max Req: 0      Max Bandwidth: 0 kbits
Use Source IP: NO
Client Keepalive(CKA): NO
Access Down Service: NO
TCP Buffering(TCPB): NO
HTTP Compression(CMP): YES
Idle timeout: Client: 180 sec   Server: 360 sec
Client IP: DISABLED
Cacheable: NO
SC: OFF
SP: OFF
Down state flush: ENABLED
1)      Monitor Name: tcp-default
        State: DOWN     Weight: 1
        Probes: 1095    Failed [Total: 1095 Current: 1095]
        Last response: Failure - TCP syn sent, reset received.
        Response Time: N/A
 Done

Binding a Compression Policy to a Vserver

To bind a compression policy to a vserver by using the NetScaler command line

At the NetScaler command prompt, type the following commands to bind a compression policy to an LB vserver and verify the configuration:

  • bind lb vserver <name> -policyName <string>
  • show lb vserver <name>

Example

> bind lb vserver lbvip -policyName ns_cmp_msapp
 Done
> show lb vserver lbvip
lbvip (8.7.6.6:80) - HTTP       Type: ADDRESS
State: UP
Last state change was at Thu May 28 05:37:21 2009 (+685 ms)
Time since last state change: 19 days, 04:26:50.470
Effective State: UP
Client Idle Timeout: 180 sec
Down state flush: ENABLED
Disable Primary Vserver On Down : DISABLED
Port Rewrite : DISABLED
No. of Bound Services :  1 (Total)       1 (Active)
Configured Method: LEASTCONNECTION
Current Method: Round Robin, Reason: Bound service's state changed to UP
Mode: IP
Persistence: NONE
Vserver IP and Port insertion: OFF
Push: DISABLED  Push VServer:
Push Multi Clients: NO
Push Label Rule:

Bound Service Groups:
1)      Group Name: Service-Group-1

1)      Service-Group-1 (10.102.29.252: 80) - HTTP   State: UP   Weight: 1

1)      Policy : ns_cmp_msapp   Priority: 0
 Done

Securing Load Balanced Traffic by Using SSL

  • enable feature SSL
  • show ns feature

Example

> enable feature ssl
 Done
> show ns feature

        Feature                        Acronym              Status
        -------                        -------              ------
 1)     Web Logging                    WL                   ON
 2)     Surge Protection               SP                   OFF
 3)     Load Balancing                 LB                   ON
 .
 .
 .
 9)     SSL Offloading                 SSL                  ON
 10)    Global Server Load Balancing   GSLB                 ON
 .
 .
 Done
>

Creating HTTP Services

  • add service <name> <IP> <serviceType> <port>
  • show service <name>

> add service SVC_HTTP1 10.102.29.18 HTTP 80
 Done
> show service SVC_HTTP1
SVC_HTTP1 (10.102.29.18:80) - HTTP
State: UP
Last state change was at Wed Jul 15 06:13:05 2009
Time since last state change: 0 days, 00:00:15.350
Server Name: 10.102.29.18
Server ID : 0   Monitor Threshold : 0
Max Conn: 0     Max Req: 0      Max Bandwidth: 0 kbits
Use Source IP: NO
Client Keepalive(CKA): NO
Access Down Service: NO
TCP Buffering(TCPB): NO
HTTP Compression(CMP): YES
Idle timeout: Client: 180 sec   Server: 360 sec
Client IP: DISABLED
Cacheable: NO
SC: OFF
SP: OFF
Down state flush: ENABLED
1)      Monitor Name: tcp-default
        State: UP       Weight: 1
        Probes: 4       Failed [Total: 0 Current: 0]
        Last response: Success - TCP syn+ack received.
        Response Time: N/A
 Done

Adding an SSL-Based Vserver

  • add lb vserver <name> <serviceType> [<IPAddress> <port>]
  • show lb vserver <name>

Example

> add lb vserver vserver-SSL-1 SSL 10.102.29.50 443
 Done
> show lb vserver vserver-SSL-1
vserver-SSL-1 (10.102.29.50:443) - SSL   Type: ADDRESS
State: DOWN[Certkey not bound]
Last state change was at Tue Jun 16 06:33:08 2009 (+176 ms)
Time since last state change: 0 days, 00:03:44.120
Effective State: DOWN
Client Idle Timeout: 180 sec
Down state flush: ENABLED
Disable Primary Vserver On Down : DISABLED
No. of Bound Services : 0 (Total) 0 (Active)
Configured Method: LEASTCONNECTION
Mode: IP
Persistence: NONE
Vserver IP and Port insertion: OFF
Push: DISABLED  Push VServer:
Push Multi Clients: NO
Push Label Rule:
 Done

Caution: To ensure secure connections, you must bind a valid SSL certificate to the SSL-based vserver before you enable it.

Binding Services to the SSL Vserver

  • bind lb vserver <name> <serviceName>
  • show lb vserver <name>

Example

> bind lb vserver vserver-SSL-1 SVC_HTTP1
 Done
> show lb vserver vserver-SSL-1
vserver-SSL-1 (10.102.29.50:443) - SSL   Type: ADDRESS
State: DOWN[Certkey not bound]
Last state change was at Tue Jun 16 06:33:08 2009 (+174 ms)
Time since last state change: 0 days, 00:31:53.70
Effective State: DOWN
Client Idle Timeout: 180 sec
Down state flush: ENABLED
Disable Primary Vserver On Down : DISABLED
No. of Bound Services : 1 (Total) 0 (Active)
Configured Method: LEASTCONNECTION
Mode: IP
Persistence: NONE
Vserver IP and Port insertion: OFF
Push: DISABLED  Push VServer:
Push Multi Clients: NO
Push Label Rule:
1)      SVC_HTTP1 (10.102.29.18: 80) - HTTP
        State: DOWN     Weight: 1
 Done

Adding a Certificate Key Pair

  • add ssl certKey <certkeyName> -cert <string> [-key <string>]
  • show sslcertkey <name>

Example

> add ssl certKey CertKey-SSL-1 -cert ns-root.cert -key ns-root.key
 Done
> show sslcertkey CertKey-SSL-1
        Name: CertKey-SSL-1     Status: Valid,   Days to expiration:4811
        Version: 3
        Serial Number: 00
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default
        Validity
                Not Before: Oct 6 06:52:07 2006 GMT
                Not After : Aug 17 21:26:47 2022 GMT
        Subject: C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default
        Public Key Algorithm: rsaEncryption
        Public Key size: 1024
 Done

Binding an SSL Certificate Key Pair to the Vserver

  • bind ssl vserver <vServerName> -certkeyName <string>
  • show ssl vserver <name>

Example

> bind ssl vserver Vserver-SSL-1 -certkeyName CertKey-SSL-1
 Done
> show ssl vserver Vserver-SSL-1

        Advanced SSL configuration for VServer Vserver-SSL-1:
        DH: DISABLED
        Ephemeral RSA: ENABLED          Refresh Count: 0
        Session Reuse: ENABLED          Timeout: 120 seconds
        Cipher Redirect: ENABLED
        SSLv2 Redirect: ENABLED
        ClearText Port: 0
        Client Auth: DISABLED
        SSL Redirect: DISABLED
        Non FIPS Ciphers: DISABLED
        SSLv2: DISABLED  SSLv3: ENABLED  TLSv1: ENABLED

1)      CertKey Name: CertKey-SSL-1     Server Certificate

1)      Cipher Name: DEFAULT
        Description: Predefined Cipher Alias
 Done

Creating an SSL Action to Enable OWA Support

  • add ssl action <name> -OWASupport ENABLED
  • show SSL action <name>

> add ssl action Action-SSL-OWA -OWASupport enabled
 Done
> show SSL action Action-SSL-OWA
        Name: Action-SSL-OWA
        Data Insertion Action: OWA Support: ENABLED
 Done

Creating SSL Policies

  • add ssl policy <name> -rule <expression> -reqAction <string>
  • show ssl policy <name>

Example

> add ssl policy Policy-SSL-1 -rule ns_true -reqaction Action-SSL-OWA
 Done
> show ssl policy Policy-SSL-1
        Name: Policy-SSL-1      Rule: ns_true
        Action: Action-SSL-OWA  Hits: 0

        Policy is bound to following entities
1)      PRIORITY : 0
 Done

Binding the SSL Policy to an SSL Vserver

  • bind ssl vserver <vServerName> -policyName <string>
  • show ssl vserver <name>

Example

> bind ssl vserver Vserver-SSL-1 -policyName Policy-SSL-1
 Done
> show ssl vserver Vserver-SSL-1

        Advanced SSL configuration for VServer Vserver-SSL-1:
        DH: DISABLED
        Ephemeral RSA: ENABLED          Refresh Count: 0
        Session Reuse: ENABLED          Timeout: 120 seconds
        Cipher Redirect: ENABLED
        SSLv2 Redirect: ENABLED
        ClearText Port: 0
        Client Auth: DISABLED
        SSL Redirect: DISABLED
        Non FIPS Ciphers: DISABLED
        SSLv2: DISABLED  SSLv3: ENABLED  TLSv1: ENABLED

1)      CertKey Name: CertKey-SSL-1     Server Certificate

1)      Policy Name: Policy-SSL-1
        Priority: 0

1)      Cipher Name: DEFAULT
        Description: Predefined Cipher Alias
 Done
>
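The show outputs in this SSL section record the settings a reviewer should notice before the vserver is enabled: SSLv3 and SSLv2 redirect on, the DEFAULT cipher alias, no DH parameters, and a certificate signed with md5WithRSAEncryption over a 1024-bit RSA key. The following Python script is an added example (not Citrix code and not part of the original post) that parses "show ssl vserver" and "show sslcertkey" output into key/value pairs and reports those conditions, including the "Certkey not bound" case the caution above describes. The sample outputs are constructed from the ones on this page; the thresholds (2048-bit RSA minimum, 30 days to expiry) and the wording of the findings are assumptions.

```python
"""Audit 'show ssl vserver' and 'show sslcertkey' output for weak TLS settings.
Added example, not Citrix code.  The two sample outputs are constructed from
the ones shown on this page."""
import re

# NetScaler prints several 'Key: value' pairs per line, so scan the whole text.
# Keys start with a letter and may contain letters, digits and spaces; a value
# is the first non-blank token after the colon.  A key with nothing after the
# colon (e.g. "Push VServer:") produces no pair.
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)[ \t]*:[ \t]*(\S+)")

SHOW_SSL_VSERVER = """\
Advanced SSL configuration for VServer Vserver-SSL-1:
DH: DISABLED
Ephemeral RSA: ENABLED          Refresh Count: 0
Session Reuse: ENABLED          Timeout: 120 seconds
Cipher Redirect: ENABLED
SSLv2 Redirect: ENABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
1)      CertKey Name: CertKey-SSL-1 Server Certificate
1)      Cipher Name: DEFAULT
Description: Predefined Cipher Alias
"""

SHOW_CERTKEY = """\
Name: CertKey-SSL-1 Status: Valid, Days to expiration:4811 Version: 3
Serial Number: 00 Signature Algorithm: md5WithRSAEncryption
Issuer: C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default
Validity Not Before: Oct 6 06:52:07 2006 GMT Not After : Aug 17 21:26:47 2022 GMT
Subject: C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default
Public Key Algorithm: rsaEncryption Public Key size: 1024
"""


def parse_pairs(text):
    """Map normalised key (lower case, single spaces) -> value, trailing commas stripped."""
    pairs = {}
    for key, value in PAIR.findall(text):
        pairs[" ".join(key.lower().split())] = value.rstrip(",")
    return pairs


def audit_ssl_vserver(show_output):
    """Return a list of findings for one 'show ssl vserver' output."""
    p = parse_pairs(show_output)
    findings = []
    if "certkey name" not in p:
        findings.append("no certificate-key pair bound; the vserver stays DOWN[Certkey not bound]")
    if p.get("sslv2") == "ENABLED":
        findings.append("SSLv2 enabled")
    if p.get("sslv3") == "ENABLED":
        findings.append("SSLv3 enabled; offer TLS only")
    if p.get("sslv2 redirect") == "ENABLED":
        findings.append("SSLv2 redirect enabled; SSLv2 handshakes are answered with a redirect instead of refused")
    if p.get("dh") == "DISABLED":
        findings.append("DH disabled; DHE (forward-secret) cipher suites cannot be negotiated")
    if p.get("cipher name") == "DEFAULT":
        findings.append("cipher group is the DEFAULT alias; bind an explicit, reviewed cipher group")
    return findings


def audit_certkey(show_output, min_rsa_bits=2048, min_days=30):
    """Return a list of findings for one 'show sslcertkey' output."""
    p = parse_pairs(show_output)
    findings = []
    if p.get("status") != "Valid":
        findings.append("certkey status is %s" % p.get("status", "unknown"))
    sig = p.get("signature algorithm", "")
    if sig.lower().startswith(("md2", "md5", "sha1")):
        findings.append("signature algorithm %s is broken or deprecated; re-issue with SHA-256" % sig)
    bits = int(p.get("public key size", "0") or 0)
    if 0 < bits < min_rsa_bits:
        findings.append("RSA key is %d bits; %d or more expected" % (bits, min_rsa_bits))
    days = int(p.get("days to expiration", "-1") or -1)
    if 0 <= days < min_days:
        findings.append("certificate expires in %d days" % days)
    return findings


if __name__ == "__main__":
    for f in audit_ssl_vserver(SHOW_SSL_VSERVER) + audit_certkey(SHOW_CERTKEY):
        print("-", f)
```

Feeding the script the real output of `show ssl vserver <name>` and `show sslcertkey <name>` for every SSL vserver turns the caution above into a repeatable check that can run before a vserver is enabled and again after every certificate renewal.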

Verifying the Configuration

After you finish configuring your system, complete the following checklists to verify your configuration.

Configuration Checklist

  • The build running is:
  • There are no incompatibility issues. (Incompatibility issues are documented in the build’s release notes.)
  • The port settings (speed, duplex, flow control, monitoring) are the same as the switch’s port.
  • Enough mapped IP addresses have been configured to support all server-side connections during peak times.
    • The number of configured mapped IP addresses is: ____
    • The expected number of simultaneous server connections is:

[ ] 62,000 [ ] 124,000 [ ] Other____

Topology Configuration Checklist

  • The routes have been used to resolve servers on other subnets.

The routes entered are:

________________________________________________________________________________________________________________________________________________________________________

  • If the NetScaler is in a public-private topology, reverse NAT has been configured.
  • The failover (high availability) settings configured on the NetScaler resolve in a one-arm or two-arm configuration. All unused network interfaces have been disabled: _________________________ ________________________________________________________
  • If the NetScaler is placed behind an external load balancer, then the load balancing policy on the external load balancer is not “least connection.”

The load balancing policy configured on the external load balancer is: _______________________________________________________

  • If the NetScaler is placed in front of a firewall, the session time-out on the firewall is set to a value greater than or equal to 300 seconds.

The value configured for the session time-out is: ___________________

Server Configuration Checklist

  • “Keep-alive” has been enabled on all the servers.

The value configured for the keep-alive time-out is: ___________________

  • The default gateway has been set to the correct value. (The default gateway should either be a NetScaler or upstream router.) The default gateway is: _________________________________________
  • The server port settings (speed, duplex, flow control, monitoring) are the same as the switch port settings. ____________________________________________________________________________________________________________________________________________________________________________________
  • If the Microsoft® Internet Information Server is used, buffering is enabled on the server.
  • If an Apache Server is used, the MaxConn (maximum number of connections) parameter is configured on the server and on the NetScaler.

The MaxConn (maximum number of connections) value that has been set is: ____________________________________________________________

  • If a NetScape® Enterprise Server™ is used, the maximum requests per connection parameter is set on the NetScaler.

The maximum requests per connection value that has been set is: ____________________________________________________________

Software Features Configuration Checklist

  • Does the Layer 2 mode feature need to be disabled? (Disable if another Layer 2 device is working in parallel with a NetScaler.)

Reason for enabling or disabling: ________________________________________________________________________________________________________________________

  • Does the MAC-based forwarding feature need to be disabled? (If the MAC address used by return traffic is different, it should be disabled.)

Reason for enabling or disabling: ________________________________________________________________________________________________________________________

  • Does host-based reuse need to be disabled? (Is there virtual hosting on the servers?)

Reason for enabling or disabling: ________________________________________________________________________________________________________________________

  • Do the default settings of the surge protection feature need to be changed?

Reason for changing or not changing: ________________________________________________________________________________________________________________________

Access Checklist

  • The system IPs can be pinged from the client-side network.
  • The system IPs can be pinged from the server-side network.
  • The managed server(s) can be pinged through the NetScaler.
  • Internet hosts can be pinged from the managed servers.
  • The managed server(s) can be accessed through the browser.
  • The Internet can be accessed from managed server(s) using the browser.
  • The system can be accessed using SSH.
  • Admin access to all managed server(s) is working.

Note: When you are using the ping utility, ensure that the pinged server has ICMP ECHO enabled, or your ping will not succeed.

Firewall Checklist

The following firewall requirements have been met:

  • UDP 161 (SNMP)
  • UDP 162 (SNMP trap)
  • TCP/UDP 3010 (GUI)
  • HTTP 80 (GUI)
  • TCP 22 (SSH)


Posted in Load Balancing

%OSPF-5-ADJCHG 2WAY to DOWN, Neighbor Down: Dead timer expired

Posted by Peter Kurdziel on October 19, 2009

I am seeing the below error message on the OSPF router. What is causing this and what action should I take?
006805: May 13 21:14:11: %OSPF-5-ADJCHG: Process 65182, Nbr 172.16.1.252 on FastEthernet1 from 2WAY to DOWN, Neighbor Down: Dead timer expired

You need to check a few things:

  • both neighbors have the same hello and dead timers
  • both neighbors use the same subnet mask
  • both neighbors use the same authentication password (if it’s used)
  • make sure the MTU matches on both sides or add ip ospf mtu-ignore
  • run debug ip ospf adj to watch the adjacency state changes while the neighbor comes up
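Added Python example (not part of the original post) that parses the %OSPF-5-ADJCHG line quoted in the question, counts how often each neighbor drops to DOWN so a flapping adjacency stands out in a syslog feed, and compares the per-interface parameters from the checklist above (hello, dead, mask, authentication, MTU). All log lines other than the quoted one, and the parameter values in LOCAL and REMOTE, are constructed.

```python
"""Parse %OSPF-5-ADJCHG syslog lines, count adjacency drops per neighbour and
compare the neighbour parameters named in the checklist.  Added example; the
first log line is the one from the question, the others are constructed."""
import re
from collections import Counter

ADJCHG = re.compile(
    r"%OSPF-5-ADJCHG: Process (?P<process>\d+), Nbr (?P<nbr>\d+(?:\.\d+){3}) on "
    r"(?P<intf>\S+) from (?P<old>[A-Z0-9]+) to (?P<new>[A-Z0-9]+)(?:, (?P<reason>.*))?")

SAMPLE_LOG = [
    "006805: May 13 21:14:11: %OSPF-5-ADJCHG: Process 65182, Nbr 172.16.1.252 on "
    "FastEthernet1 from 2WAY to DOWN, Neighbor Down: Dead timer expired",
    # constructed: the neighbour comes back and reaches FULL
    "006810: May 13 21:15:02: %OSPF-5-ADJCHG: Process 65182, Nbr 172.16.1.252 on "
    "FastEthernet1 from LOADING to FULL, Loading Done",
    # constructed: and drops again 40 s later
    "006812: May 13 21:15:42: %OSPF-5-ADJCHG: Process 65182, Nbr 172.16.1.252 on "
    "FastEthernet1 from FULL to DOWN, Neighbor Down: Dead timer expired",
    # constructed: unrelated syslog line that must be ignored
    "006813: May 13 21:16:00: %SYS-5-CONFIG_I: Configured from console by console",
]


def parse_adjchg(line):
    """Return a dict with process, nbr, intf, old, new and reason, or None."""
    m = ADJCHG.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["process"] = int(ev["process"])
    ev["reason"] = (ev["reason"] or "").strip()
    return ev


def adjacency_drops(lines, min_drops=2):
    """Neighbours that went to DOWN at least min_drops times, keyed by
    (process, neighbour id, interface): the candidates for a flapping link."""
    counts = Counter()
    for line in lines:
        ev = parse_adjchg(line)
        if ev and ev["new"] == "DOWN":
            counts[(ev["process"], ev["nbr"], ev["intf"])] += 1
    return {key: n for key, n in counts.items() if n >= min_drops}


# Parameters the checklist says must agree on both ends of the link.
CHECKED = ("hello", "dead", "mask", "auth", "mtu")

# Constructed values as they would be read from 'show ip ospf interface' on
# each router; the dead timer and MTU deliberately differ.
LOCAL = {"hello": 10, "dead": 40, "mask": "255.255.255.0", "auth": None, "mtu": 1500}
REMOTE = {"hello": 10, "dead": 120, "mask": "255.255.255.0", "auth": None, "mtu": 1400}


def neighbour_mismatches(local, remote):
    """List (parameter, local value, remote value, hint) for every checked
    parameter that differs between the two sides."""
    out = []
    for p in CHECKED:
        if local.get(p) != remote.get(p):
            hint = ("align the MTUs or add 'ip ospf mtu-ignore'" if p == "mtu"
                    else "make both sides identical")
            out.append((p, local.get(p), remote.get(p), hint))
    return out


if __name__ == "__main__":
    for key, n in adjacency_drops(SAMPLE_LOG).items():
        print("process %d neighbour %s on %s dropped %d times" % (key + (n,)))
    for p, a, b, hint in neighbour_mismatches(LOCAL, REMOTE):
        print("%s differs: local=%r remote=%r (%s)" % (p, a, b, hint))
```

A dead timer that expires with hellos still being sent (the "2WAY to DOWN" case) usually means hellos stopped being received, so the timer and MTU comparison is the first thing to run before reaching for debug output.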

Posted in OSPF, Q&A, Real World, Troubleshooting

Does Cisco have a VPN monitoring solution?

Posted by Peter Kurdziel on October 19, 2009

Does Cisco have a VPN monitoring solution?

Cisco Security Manager has an application called Performance Monitor, which supports the monitoring of remote-access and site-to-site VPNs. Links:

Security Manager:
http://www.cisco.com/go/csmanager

Performance Monitor User Guide:
http://www.cisco.com/en/US/products/ps6498/products_user_guide_book09186a00806b7a60.html

Performance Monitor originates from the previous security management product called CiscoWorks VMS and is currently not undergoing much further enhancement. We would like to introduce an updated security-related health and performance monitoring capability on par with Security Manager, but no definite word yet.

Security Manager and Performance Monitor can be downloaded and used for up to 90 days for evaluation.

Posted in Q&A, VPN

Whenever we do a CM upgrade, we will always have one phone that receives VM but no MWL. It is usually several days later when the user realizes it. It is always a different extension. What causes this and what can we do to prevent this problem?

Posted by Peter Kurdziel on October 19, 2009

Whenever we do a CM upgrade, we will always have one phone that receives VM but no MWL. It is usually several days later when the user realizes it. It is always a different extension. What causes this and what can we do to prevent this problem?

This is very common when doing any significant changes on CUCM (like an upgrade). The way we usually mitigate these types of issues is to run an MWI re-sync after the changes are done (usually as the last step).

In Unity Connection go to Telephony Integrations – Phone System – Click the Run Button for Synchronize All MWIs on This Phone System.

Posted in Q&A, Troubleshooting, VOIP

Cisco Unified Call Manager 5.1.2 remote call forwarding

Posted by Peter Kurdziel on October 19, 2009

Cisco Unified Call Manager 5.1.2

My office Cisco phone is enabled for call forwarding to my cell and I am on the road. Is it possible to remove the call forwarding from my Cisco office phone remotely? (Without logging into CCM User Web page)?

No, you need to do this either via the WEB or on the office phone.

Posted in Q&A, VOIP

How can I configure an ACE to translate a public address to a private VIP?

Posted by Peter Kurdziel on October 19, 2009

How can I configure an ACE to translate a public address to a private VIP?

The ACE does translation from the VIP to the rserver; it cannot NAT from a VIP to another address.

So, in order to do what you want, you need the public address to be routed to the ACE itself. This can be achieved with a static route.

On the ACE itself, simply create a class-map with a virtual address matching the public IP or the private IP.

The ACE will then do the NATing properly between the public or private address and the rserver, and vice versa, automatically.

Posted in Load Balancing, Real World

 