last update: November 2020
Creating a Citrix NetScaler Test environment
Being a Citrix Certified Instructor I am very much aware of the Red/Green/Blue website used during official Citrix NetScaler training (CNS-220, CNS-222). I created my own test website. I usually use it during product demonstrations to present anything from basic load balancing to the web application firewall.
I am also aware of problems with the original Citrix labs: They sometimes seem to not load balance. Actually, they do, but, because this page is compromised of several files, it may appear to show the same colour all the time. I wanted to avoid this, so my pages don’t use external style-sheets, scripts and images, instead, I added everything into the HTML file (you may include images using base 64 encoding).
I discontinued developing these test-websites, as I am hosting a free to use online-version however nowadays, however, I will not stop distributing the current version. You may download my test website from here. I will update my page every now and then. You can download it as often as you like. The download will ask you for your name. I promise not to abuse it, instead, I’ll just count the numbers of downloads.
There are 3 servers:
My labs can be used together with official Citrix lab guides (but using my IP addresses instead) or using my great wonderkitchen tuturial.
Requirements and prerequisites
My environment is made of a single Windows server (I tested using 2012R2 Server) and a NetScaler VPX. You may very well use some entry-level virtualization solution like VMWare workstation or Hyper-V on your laptop computer, but professional environment like Xen-Server, KVM and similar may also be used of course.
My download does not include the machines, but the website only. There is no license included, however, you may request a demo license using your Citrix account)
I also provide files for Linux, requiring PHP. I tested using CentOS 7.4.1708. You may set up an apache web server, install php, add multiple IPs and configure apache to use several virtual instances. It should be easy. I currently don’t provide WAF-test files for Linux.
Import a Citrix NetScaler VPX into your virtualization solution. (www.citrix.com -> downloads -> NetScaler ADC -> Reliese xxx -> Virtual Appliances).
Install a Windows Server (I tested using 2012R2, but I guess it will work with any version from 2008). This server should have 4 GB RAM as a minimum
I used 192.168.0.100 as an NSIP, 192.168.0.110 as a SNIP, 192.168.200 ff for virtual servers
Windows machine used 192.168.0.20 to 24
Windows set up (sorry, no description for Linux setup, basically it’s very easy)
Roles and features
After setting up this windows machine you have to set up IIS. Start Server Manager (if it’s not already started) and click “Add roles and features”. Click Next 3 times.
Select Active Directory Certificate authority, Web Server IIS and DNS. If asked select following roll- services:
- .NET Extensibility 4.5
- ISAPI Extensions
- ISAPI Filters
- .NET Extensibility 3.5
- Certificate Authority
- Certificate enrolment web service
Setting up the Certificate Authority:
- stand-alone CA
- root CA
- create a new key
- SHA 256 (or higher)
- confirm all the rest of the questions
select your network adapter. Change the IP address. Set 192.168.0.20 255.255.255.0 as an IP address (you may use any other address range you like, but I use 192.168.0.x in my example). DNS should be 127.0.0.1, gateway depending on your settings.
Click advanced. add 4 more IP addresses (192.168.0.21 to 192.168.0.24).
Copy my files into c:\inetpub directory.
Open Internet Information Server Management.
Open your server and select sites. Right-click your server and select add website. Create 4 virtual websites:
Sitename: Sitie1 (2,3,4)
Site path: C:\inetpub\wwwroot1 (2,3,4)
IP address: 192.168.0.21 (22,23,24)
ASPx is just needed for the Citrix NetScaler Web Application Firewall test page. Check, if ASPX works correctly surfing to http://192.168.0.24/Allow.aspx. If it does not: follow these Microsoft instructions.
If you want to use this machine as a workstation as well install Google’s Chrome Browser together with Mozilla FireFox. Alternatively, you may create a dedicated work station or use your desktop work station.
in DNS manager create a new Forward lookup zone called workspacelabs.com.
- colours.workspacelabs.com 192.168.0.200
- cs-test.workspacelabs.com 192.168.0.201
- aaa.workspacelabs.com 192.168.0.202
1st lab: create a load balancing vServer
- srv_red -> 192.168.0.21
- srv_green -> 192.168.0.22
- srv_blue -> 192.168.0.23
- svc_red (HTTP/80)
- svc_green (HTTP/89)
- svc_blue (HTTP/80)
- lb_vsrv_colors (192.168.0.200/HTTP/80)
- add persistence (source IP, cookie-based, …)
- disable services and see what hapens (re-enable these)
- unbind red service, create an additional loadbalancing vServer (non addressable), called lb_vsrv_red. Set this one in protection as a backup virtual server. Disable service blue and green. Which status does lb_vsrv_colors have now? Does it work? Why? rebind red service.
2nd lab: certificates
- use the wizard to create a key and a CSR (hostname *.workspacelabs.com). Surf to 192.168.0.20/certsrv. Request a certificate. download this certificate as BASE 64. Install it into NetScaler
- create a lb vServer lb_vsrv_colors_secure (192.168.0.200/SSL/443). Bind the 3 services and your newly created certificate. Surf to https://colours.workspacelabs.com
3rd lab: content switching
- create a new content switching vServer cs_vsrv_browser 192.168.0.201/HTTP/80
- create two new cs-policies
- bind these policies to cs_vsrv_browser. The Trident policy should invoke the red, the Chrome policy the blue server. Surf to cs-test.workspacelabs.com using an MS- Internetexplorer, a Google Chrome and a FireFox.
4th lab: responding
- create a responder policy to forward users from http://colorsworkspacelabs.com/ to https://colors.workspacelabs.com/ and bind it to lb_vsrv_colours
- create a responder policy forwarding users from https://colorsworkspacelabs.com/ to https://colors.workspacelabs.com/home.htm
- unbind the responder policy from lb_vsrv_colours
5th lab: rewriting
- create a rewriting policy rewriting requests for http://colors.workspacelabs.com into http://colors.workspacelabs.com/home.htm and bind it to lb_vsrv_colours
- remove server header from HTTP-response and bind it to lb_vsrv_colours
- add a server header into HTTP response stating your server to be an Apache and bind it to lb_vsrv_colours