Tuesday, November 26, 2013

NetScaler - Logging Audit Messages

I was asked today if there was a way to get alerts from the NetScaler about a policy being hit for one of our external-facing websites from an external source. I started to look into doing this but have decided that it would be quite the effort, at least for my first time. I did a bit of research and came up with a few sources which may help put the whole alerting system together. If I get a chance to configure this I will update this with how I completed it.

This solution requires:
  • NetScaler
    • Auditing
      • Auditing Message Actions
    • VServers
    • Responder/Rewrite policies
  • Citrix Command Center
    • Alarm Trigger

Resources for creating custom logging:
Quick template of how to set up message actions from Citrix.com.
http://support.citrix.com/proddocs/topic/ns-system-10-1-map/ns-ag-al-confrng-policy-based-logging-tsk.html

This shows how to log an HTTP header using policy-based logging.
http://support.citrix.com/article/CTX125466

This shows how to set up the message action and how to bind that policy to a responder policy.
http://blogs.citrix.com/2011/08/25/log-what-and-when-you-want-%E2%80%93-all-the-way-from-layer-2-to-layer-7/

This shows how to configure email alerts on Citrix Command Center
http://support.citrix.com/article/CTX133137

Tuesday, November 19, 2013

NetScaler - Use Source IP

The NetScaler can be a wonderful tool with all of its capabilities, but sometimes that can be a double-edged sword. The ever changing demands that IT personnel go through each day can be exciting and rewarding but sometimes leads to confusion. Today was a perfect example of this for me.

I have been attempting to get a SharePoint site externally available. I am doing this using the NetScaler and its SSL features. I have added the Server, Service, and Server into the Load Balancing feature. After checking to make sure my responder policies/action were correct, I attempted to test the setup using my host file. I got the forever annoying, "Internet Explorer cannot display the webpage" message.

This is when I remembered the "Use Source IP" check box of the Load Balancing Service. This check box has single-handedly caused me hours of frustration and confusion. When it is checked, the NetScaler uses the client's IP address as the source address when it connects to the server, so the server's response goes to the client's IP address rather than back to the NetScaler. I unchecked this and the Client no longer goes directly to the server when it responds, which fixed my problem.

tl;dr
Uncheck the "Use Source IP" check box which can be found in the Service configuration screen.

Uncheck "Use Source IP"


More info from Citrix below:
http://support.citrix.com/proddocs/topic/ns-system-10-1-map/ns-nw-ipaddrssng-enabling-use-src-ip-mode-tsk.html

Thursday, November 14, 2013

Citrix(NetScaler) Command Center

I have had my first foray into the Citrix Command Center 5.1 and let me tell you, it has been pretty positive. NetScalers are a multi-faceted tool so management of this device is not always easy if only using the given interface. Command Center expands upon the toolset offered by the NetScaler by giving you a set of tools to monitor the NetScalers. This includes all forms of alerting and logging! I have not dug much into the Command Center yet, but I fully intend to soon and will definitely post my findings (good and bad).

Wednesday, November 6, 2013

Error Text 10551 BPA Server

Recently I had been working on a workflow that inputs records into a SQL database through stored procedures. We tried to implement this functionality into our Production environment but we had been having some issues. We get an error, "Error Text: (10551) Expecting a constant, var name or function name." (Shown below, Fig. 1) whenever we ran the workflow. That error and an accompanying one, which is completely blank, are all the information that we had to go by.

After some deliberation and LOTS of test emails, we determined that an evaluation was causing the problem. We looked into the evaluation to see that the shared variable that we were looking at was named incorrectly. Once we changed it to the correct name, all went well.



Fig. 1

Tuesday, October 29, 2013

Reset UI Preferences - BPA

Your UI preferences can get all out of whack if you accidentally close or move something. The easiest way to reset the preferences for your Workflow Designer/SMC/Task Builder is to just delete the xml files in the folder below.

C:\Users\(Desired User)\AppData\Roaming\Network Automation\AutoMate BPA Server 9

Deleting these files will remove your preferences and BPA will then recreate them from scratch.
Network Automation Forum for WFD/SMC Reset:
http://forums.networkautomation.com/forum/messageview.cfm?catid=42&threadid=9806

Network Automation How to for Task Builder Reset:
http://www.networkautomation.com/automate/urc/resources/livedocs/am/8/Task_Builder/Customizing_Task_Builder/Viewing_and_Hiding_Panes_in_Task_Builder.htm


The last resort for resetting your Task Builder UI is to remove the Registry item. We do this following Network Automation's support directions shown below.


File Path with Space in Email - BPA

A common request from our user base is to have email alerts sent to them. We do this from BPA, SharePoint, in-house dev, etc. Many times the email that we are sending contains a file path pointing to documents or folders containing documents that need visibility. The problem then ensues.
Emails, sent/received using Exchange, with file paths containing a space in them will have broken hyperlinks. This is not a major issue but it looks unprofessional and is quite annoying.

Fix:
Encapsulate the path in quotation marks "" to keep the entire path one unit. I show an example of this below.

The first path will not properly keep the hyperlink to the folder "No Quotes". It will stop at \No and cut off the Quotes\ portion of the file path.
\\server1\No Quotes\

The second path will properly keep the hyperlink to the folder "Yes Quotes".
"\\server1\Yes Quotes\"

Tuesday, October 8, 2013

NetScaler - Mobile Redirect

Previously I was asked to make our intranet site more accessible for our users by creating a mobile redirect on the NetScaler. We previously did it on the web server but the mobile redirect would only take effect after the entire desktop version loaded. This obviously created a bad user experience and extremely long load times.

As we got more into the redirect we found that there were other features that we could add to improve the redirect. I will summarize what the below code does in order to select what traffic to redirect.

The traffic cannot have /mobi in the path and query; without it, the URL does not contain the mobile path, which may or may not be intentional. The traffic must not have the mobile=false query string, which we use to designate that the user has chosen to use the full version of the site. The traffic cannot have the /lib/ path, because this is used for the PDFs and other documents, and redirecting this traffic would not allow those to be downloaded. The last requirement is that the HTTP request contains a User-Agent for a mobile device (Android, iPhone, iPod, BlackBerry, Windows Phone, IEMobile, webOS).

Responder Policy for All Mobile Redirects:
HTTP.REQ.URL.PATH_AND_QUERY.TO_LOWER.CONTAINS("/mobi").NOT && HTTP.REQ.URL.PATH_AND_QUERY.TO_LOWER.CONTAINS("mobile=false").NOT && HTTP.REQ.URL.PATH_AND_QUERY.CONTAINS("/lib/").NOT && (HTTP.REQ.HEADER("User-Agent").CONTAINS("Android") || HTTP.REQ.HEADER("User-Agent").CONTAINS("iPhone") || HTTP.REQ.HEADER("User-Agent").CONTAINS("iPod") || HTTP.REQ.HEADER("User-Agent").CONTAINS("BlackBerry") || HTTP.REQ.HEADER("User-Agent").CONTAINS("Windows Phone") || HTTP.REQ.HEADER("User-Agent").CONTAINS("IEMobile") || HTTP.REQ.HEADER("User-Agent").CONTAINS("webOS"))
TL;DR Traffic that gets switched meets the below conditions:
  • Does not contain /mobi in the path and query
  • Does not contain the mobile=false query string
  • Does not contain /lib/ in the path
  • Contains a mobile device User-Agent
WARNING: Referer is spelled incorrectly in the policies below because that is how the HTTP protocol spells the header name. DO NOT FIX THAT.

Responder Action for All Mobile Redirects:
Type: Redirect
http://www.intranet.com/mobile (Dummy link)


Responder Policy for Maintaining Full Version:
HTTP.REQ.HEADER("Referer").TO_LOWER.CONTAINS("mobile=false") && HTTP.REQ.URL.PATH_AND_QUERY.TO_LOWER.CONTAINS("mobile=false").NOT

If the referer contains mobile=false and the request URL does NOT contain mobile=false, we add &mobile=false to the end of the path and query. This maintains the Full Version status that was requested.

Responder Action for Maintaining Full Versions:
Type: Redirect
"http://" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY + "&mobile=false"


Responder Policy for new Full Version Requests:
HTTP.REQ.HEADER("Referer").TO_LOWER.CONTAINS("mobile=false") && HTTP.REQ.URL.PATH_AND_QUERY.CONTAINS("?").NOT

If the user clicks the hyperlink (containing mobile=false) and they did not have a ? in the path and query, they get moved to the Full Version by adding a ?mobile=false to the path and query.

Responder Action for new Full Version Requests:
Type: Redirect
"http://" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY + "?mobile=false"
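
The three responder policies above can be checked offline against sample requests before they are bound. The following Python model is an added example, not code from the original post and not NetScaler syntax; the evaluation order (new full-version requests, then maintaining the full version, then the mobile redirect) and the sample requests are assumptions.

```python
# Added model of the responder policies; sample requests are constructed.
MOBILE_UA = ("Android", "iPhone", "iPod", "BlackBerry",
             "Windows Phone", "IEMobile", "webOS")
MOBILE_TARGET = "http://www.intranet.com/mobile"  # dummy link from the post


def mobile_policy(url, headers):
    """Responder Policy for All Mobile Redirects."""
    low = url.lower()
    ua = headers.get("User-Agent", "")
    return ("/mobi" not in low
            and "mobile=false" not in low
            and "/lib/" not in url  # no TO_LOWER in the policy: case-sensitive
            and any(token in ua for token in MOBILE_UA))


def new_full_policy(url, headers):
    """Responder Policy for new Full Version Requests."""
    referer = headers.get("Referer", "").lower()
    return "mobile=false" in referer and "?" not in url


def keep_full_policy(url, headers):
    """Responder Policy for Maintaining Full Version."""
    referer = headers.get("Referer", "").lower()
    return "mobile=false" in referer and "mobile=false" not in url.lower()


def respond(url, headers):
    """Return the redirect target, or None if no policy matches.

    Assumed order: new full version, maintain full version, mobile redirect.
    """
    host = headers.get("Host", "www.intranet.com")  # HTTP.REQ.HOSTNAME
    if new_full_policy(url, headers):
        return "http://" + host + url + "?mobile=false"
    if keep_full_policy(url, headers):
        return "http://" + host + url + "&mobile=false"
    if mobile_policy(url, headers):
        return MOBILE_TARGET
    return None


if __name__ == "__main__":
    phone = {"Host": "www.intranet.com", "User-Agent": "Mozilla/5.0 (iPhone)"}
    full = dict(phone, Referer="http://www.intranet.com/home?mobile=false")
    for url, hdrs in [("/news", phone), ("/lib/a.pdf", phone),
                      ("/news", full), ("/news?id=3", full)]:
        print(url, "->", respond(url, hdrs))
```

The policy for maintaining the full version also matches a URL that has no query string, so in this model it is evaluated after the policy for new full-version requests; the other order would append &mobile=false to a URL with no ?. The /lib/ check is the only URL test without TO_LOWER, so a path such as /LIB/ is still redirected for mobile User-Agents.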