testwebsite

testwebsite

------------------------------------------------------------------

Creating Test environment

https://blog.norz.at/creating-a-citrix-netscaler-test-environment/

Being a Citrix Certified Instructor I am very much aware of the Red/Green/Blue website used during official Citrix NetScaler training (CNS-220, CNS-222). I created my own test website. I usually use it during product demonstrations to present anything from basic load balancing to web application firewall.

I am also aware about problems with the original Citrix labs: They sometimes seem to not load balance. Actually they do, but, because this page is compromised of several files, it may appear to show the same colour all the time. I wanted to avoid this, so my pages don’t use external style-sheets, scripts and images, instead I added everything into the HTML file (you may include images using base 64 encoding).

You may download my test website from here. I will update my page every now and then. You can download it as often as you like. The download will ask you for your name. I promise not to abuse it, instead I’ll just count the numbers of downloads.

Requirements and prerequisites

Windows

My environment is made of a single Windows server (I tested using 2012R2 Server) and a NetScaler VPX. You may very well use some entry level virtualization solution like VMWare workstation or Hyper-V on your laptop computer, but professional environment like Xen-Server, KVM and simmilar may also be used of course.

My download does not include the machines, but the website only. There is no license included, however you may request a demo license using your Citrix account)

Linux

I also provide files for Linux, requiring PHP. I tested using CentOS 7.4.1708. You may set up an apache, install php, add multiple IPs and configure apache to use several virtual instances. It should be easy. I currently don’t provide WAF-test files for Linux.

Installation procedure

Import a Citrix NetScaler VPX into your virtualization solution. (www.citrix.com -> downloads -> NetScaler ADC -> Reliese xxx -> Virtual Appliances).

Install a Windows Server (I tested using 2012R2, but I guess it will work with any version from 2008). This server should have 4 GB RAM as a minimum

IP addressing

I used 192.168.0.100 as a NSIP, 192.168.0.110 as a SNIP, 192.168.200 ff for virtual servers

Windows machine used 192.168.0.20 to 24

Windows set up (sorry, no description for linux setup, basically it’s very easy)

Roles and features

After setting up this windows machine you have to set up IIS. Start Server Manager (if it’s not already started) and click “add roles and features”. Click Next 3 times.

Select Active Directory Certificate authority,  Web Server IIS and DNS. If asked select following roll- services:

• .NET Extensibility 4.5
• ISAPI Extensions
• ISAPI Filters
• .NET Extensibility 3.5
• Certificate Authority
• Certificate enrolment web service

Setingt up the Certificate Authority:

• stand alone CA
• root CA
• create a new key
• SHA 256 (or highter)
• confirm all the rest of the questions

IP configuration

select your network adapter. Change IP address. Set 192.168.0.20 255.255.255.0 as an IP address (you may use any other address range you like, but I use 192.168.0.x in my example). DNS should be 127.0.0.1, gateway depending on your settings.

Click advanced. add 4 more IP addresses (192.168.0.21 to 192.168.0.24).

IIS settings

Copy my files into c:\inetpub directory.

Open Internet Information Server Management.

Open your server and select sites. Right click your server and select add website. Create 4 virtual websites:

Sitename: Sitie1 (2,3,4)
Site path: C:\inetpub\wwwroot1 (2,3,4)
type: http
IP address: 192.168.0.21 (22,23,24)
hostname: (empty)

ASPx is just needed for the Citrix NetScaler Web Application Firewall test page. Check, if ASPX works correctly surfing to http://192.168.0.24/Allow.aspx. If it does not: follow this Microsoft instructions.

additional software

If you want to use this machina as a workstation as well install Google’s chrome Browser and Mozilla FireFox. Alternatively you may create a dedicated work station or use your desktop work station.

You’ll very likely need the SSH terminal putty, the secure copy tool WinSCP and the network monitor WireShark. They can be considered to be the tools used by a NetScaler admin during his daily work.

Labs:

Prerequisites

in DNS manager create a new Forward lookup zone called test.lab.

Create hosts:

• colours.training.lab 192.168.0.200
• cs-test.training.lab 192.168.0.201
• aaa.training.lab 192.168.0.202

1st lab: create a load balancing vServer

Server:

• srv_red -> 192.168.0.21
• srv_green -> 192.168.0.22
• srv_blue -> 192.168.0.23

Services:

• svc_red (HTTP/80)
• svc_green (HTTP/89)
• svc_blue (HTTP/80)

Loadbalancing vServer

• lb_vsrv_colors (192.168.0.200/HTTP/80)

additional labs:

• add persistence (source IP, cookie based, …)
• disable services and see what hapens (re-enable these)
• unbind red service, create an additional loadbalancing vServer (non addressable), called lb_vsrv_red. Set this one in protection as a backup virtual server. Disable service blue and green. Which status does lb_vsrv_colors have now? Does it work? Why? rebind red service.

2nd lab: certificates

• use the wizard to create a key and a CSR (hostname *.training.lab). Surf to 192.168.0.20/certsrv. Request a certificate. download this certiticate as BASE 64. Install it into NetScaler
• create a lb vServer lb_vsrv_colors_secure (192.168.0.200/SSL/443). Bind the 3 services and your newly created certificate. Surf to https://colours.training.lab

3rd lab: content switching

• create a new content switching vServer cs_vsrv_browser 192.168.0.201/HTTP/80
• create two new cs-policies
  • HTTP.REQ.HEADER(“User-Agent”).CONTAINS(“Trident”)
  • HTTP.REQ.HEADER(“User-Agent”).CONTAINS(“Chrome”)
• bind these policies to cs_vsrv_browser. The Trident policy should invoke the red, the Chrome policy the blue server. Surf to cs-test.training.lab using an MS- Internetexplorer, a Google Chrome and a FireFox.

4th lab: responding

• create a responder policy to forward users from http://colors.training.lab/ to https://colors.training.lab/ and bind it to lb_vsrv_colours
• create a responder policy forwarding users from https://colors.training.lab/ to https://colors.training.lab/home.htm
• unbind the responder policy from lb_vsrv_colours

5th lab: rewriting

• create a rewriting policy rewriting requests for http://colors.training.lab into http://colors.training.lab/home.htm and bind it to lb_vsrv_colours
• remove server header from HTTP-response and bind it to lb_vsrv_colours
• add a server header into http response stating your server to be an Apache and bind it to lb_vsrv_colours

===================== End