Citrix Application Firewall Guide. Citrix NetScaler 9.2


TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL.

CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch™ 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:

Move the NetScaler equipment to one side or the other of your equipment. Move the NetScaler equipment farther away from your equipment.

Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product.

BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, WANScaler, Citrix XenApp, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.

Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 © Carnegie Mellon University. All rights reserved. Copyright © David L. Mills 1993, 1994. Copyright © 1992, 1993, 1994, 1997 Henry Spencer. Copyright © Jean-loup Gailly and Mark Adler. Copyright © 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright © Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright © 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright © 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright © UNIX System Laboratories, Inc. Copyright © 2001 Mark R V Murray. Copyright 1995-1998 © Eric Young. Copyright © 1995,1996,1997,1998. Lars Fenneberg. Copyright © 1992. Livingston Enterprises, Inc. Copyright © 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright © 1991-2, RSA Data Security, Inc. Created 1991. Copyright © 1998 Juniper Networks, Inc. All rights reserved. Copyright © 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 1999-2001© The Open LDAP Foundation. All Rights Reserved. Copyright © 1999 Andrzej Bialecki. All rights reserved. Copyright © 2000 The Apache Software Foundation. All rights reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) 1997-2004 University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt Thomas. All rights reserved. Copyright © 2000 Jason L. Wright. Copyright © 2000 Theo de Raadt. Copyright © 2001 Patrik Lindergren. All rights reserved.


Contents

Preface
  About This Guide
  New in This Release
  Audience
  Formatting Conventions
  Related Documentation
  Getting Service and Support
  Documentation Feedback

Chapter 1  Introduction
  What is the Application Firewall?
  What the Application Firewall Does
  How the Application Firewall Works
  The Application Firewall Platform
  The Application Firewall on a Network
  The User Interfaces
  The Citrix NetScaler Command Line Interface
  The Citrix NetScaler Configuration Utility

Chapter 2  Installation
  Planning the Installation
  Installing the Server
  The Citrix NetScaler 7000
  The Citrix NetScaler 9010
  The Citrix NetScaler 10010
  The Citrix NetScaler 12000
  The Citrix NetScaler MPX 15000
  The Citrix NetScaler MPX 17000
  Performing Initial Configuration
  Using the Configuration Utility
  Using the Citrix NetScaler Command Line Interface

Chapter 3  Simple Configuration
  Enabling the Application Firewall
  Creating and Configuring a Profile
  Creating and Configuring Policies

Chapter 4  Profiles
  About Application Firewall Profiles
  The Built-In Profiles
  User-Created Profiles
  Creating, Configuring, and Deleting Profiles
  Configuring the Security Checks
  Common Security Checks
  HTML Security Checks
  XML Security Checks
  Configuring the Security Checks with the Configuration Utility
  Configuring the Security Checks at the NetScaler Command Line
  Configuring the Profile Settings
  Configuring the Profile Settings by Using the Configuration Utility
  Configuring the Profile Settings at the NetScaler Command Line
  Configuring the Learning Feature

Chapter 5  Policies
  An Overview of Policies
  Configuring Policies
  Globally Binding a Policy

Chapter 6  Imports
  Creating a Custom Settings File
  Exporting the Default Custom Settings File
  Editing the Custom Settings File
  Importing Configuration Files

Chapter 7  Global Configuration
  The Engine Settings
  Cookie Name
  Session Timeout
  Maximum Session Lifetime
  Logging Header Name
  Undefined Profile
  Default Profile
  Import Size Limit
  Confidential Fields

Chapter 8  The Common Security Checks
  The Start URL Check
  Configuring the Start URL List
  The Deny URL Check
  Configuring the Deny URL List
  The Cookie Consistency Check
  Configuring the Cookie Consistency List
  The Buffer Overflow Check
  Configuring the Buffer Overflow Checks
  The Credit Card Check
  Configuring the Credit Card List
  The Safe Object Check

Chapter 9  The HTML Security Checks
  The Form Field Consistency Check
  Configuring the Form Field Consistency List
  The Field Formats Check
  Configuring the Field Formats List
  The CSRF Form Tagging Check
  Configuring the CSRF Form Tagging List
  The HTML Cross-Site Scripting Check
  Configuring the HTML Cross-Site Scripting List
  The HTML SQL Injection Check
  Configuring the HTML SQL Injection List

Chapter 10  The XML Security Checks
  The XML Format Check
  The XML Denial of Service Check
  Configuring the XML Denial of Service List
  The XML Cross-Site Scripting Check
  The XML SQL Injection Check
  The XML Attachment Check
  Configuring the XML Attachment Checks
  The Web Services Interoperability Check
  Configuring the Web Services Interoperability List
  The XML Message Validation Check
  Configuring the XML Message Validation Checks

Chapter 11  The Application Firewall Reports
  The PCI DSS Report
  The Application Firewall Configuration Report
  The PCI DSS Standard

Chapter 12  Use Cases
  Protecting a Shopping Cart Application
  Creating and Configuring the Shopping Cart Profile
  Creating and Configuring a Shopping Cart Policy
  Protecting a Product Information Query Page
  Creating and Configuring a Product Query Profile
  Creating and Configuring a Product Query Policy
  Managing Learning

Glossary

Index

Appendix A  PCRE Character Encoding Format
  Representing UTF-8 Characters

Appendix B  PCI DSS Standard

Appendix C  Configuring for Large Files and Web Pages
  Overview
  Three Workarounds

Appendix D  SQL Injection Check Keywords

Appendix E  Cross-Site Scripting: Allowed Tags and Attributes
  Allowed Tags


Preface

Before you begin to configure the Citrix Application Firewall, take a few minutes to review this chapter and learn about related documentation, other support options, and ways to send us feedback.

In This Preface

• About This Guide

• New in This Release

• Audience

• Formatting Conventions

• Related Documentation

• Getting Service and Support

• Documentation Feedback

About This Guide

The Citrix Application Firewall Guide provides an overview of two products: the standalone Citrix Application Firewall, and the Citrix NetScaler Application Firewall feature, an integrated part of the Citrix NetScaler Application Delivery System. Except for certain installation and basic configuration steps, these products are nearly identical. The guide explains what the Application Firewall is and does, and provides detailed instructions on installing, configuring, and managing it.

This guide provides the following information:

• Chapter 1, “Introduction.” Provides an overview of the Application Firewall, including what it does and how it works.

• Chapter 2, “Installation.” Provides installation and configuration information for the standalone Citrix Application Firewall.

• Chapter 3, “Simple Configuration.” Provides instructions on how to create your first Application Firewall profile, your first Application Firewall policy, and globally bind the policy. This process enables the Application Firewall to start protecting Web servers.

• Chapter 4, “Profiles.” Describes Application Firewall profiles and how to configure the security checks and other settings associated with profiles.

• Chapter 5, “Policies.” Describes Application Firewall policies, how to create a policy, and the structure of the expressions language used in creating policies.

• Chapter 6, “Imports.” Provides instructions on how to import HTML error pages, XML error pages, XML schemas, and WSDL pages into the Application Firewall configuration.

• Chapter 7, “Global Configuration.” Provides instructions on how to configure the global Engine settings, Confidential Field settings, and Field types.

• Chapter 8, “The Common Security Checks.” Describes each Application Firewall security check that is common to all types of profile.

• Chapter 9, “The HTML Security Checks.” Describes each Application Firewall security check that applies to HTML-based Web applications and HTML content.

• Chapter 10, “The XML Security Checks.” Describes each Application Firewall security check that applies to XML-based Web services and XML content.

• Chapter 11, “The Application Firewall Reports.” Describes the PCI DSS report and the Application Firewall Configuration report, and provides an overview of the PCI DSS standard.

• Chapter 12, “Use Cases.” Provides two use cases that describe how to configure the Application Firewall to protect a back-end SQL database, and scripted content that accesses and/or modifies information on other Web servers.

• Appendix A, “PCRE Character Encoding.” Provides a primer on using PCRE character encoding to represent non-ASCII characters in Application Firewall regular expressions.

• Appendix B, “PCI DSS Standard.” Provides a copy of the official Payment Card Industry (PCI) Data Security (DSS) Standard.

• Appendix C, “Configuring for Large Files and Web Pages.” Provides instructions on how to configure the Application Firewall to handle large uploaded files and large, complex Web pages with minimal impact on performance.

• Appendix D, “SQL Injection Check Keywords.” Lists the SQL keywords that the Application Firewall SQL Injection security check uses when examining requests.

• Appendix E, “Cross-Site Scripting: Allowed Tags and Attributes.” Lists the HTML tags and attributes that the Application Firewall Cross-Site Scripting security check will allow in requests without blocking the request.

New in This Release

NetScaler nCore Technology uses multiple CPU cores for packet handling and greatly improves the performance of many NetScaler features. Release 9.2 adds nCore support for many additional features, including load balancing, virtual private networks (VPNs), and the Application Firewall.

In Release 9.2, the following new features are also supported in the Application Firewall:

• Built-in profiles. The Application Firewall now installs with four built-in profiles. These profiles provide tools to allow or block connections that do not require further filtering.

• Default and undefined profiles. You can now designate a default profile and an undefined profile on a per-profile basis. The default profile is used for connections that do not match any Application Firewall policy. The undefined profile is used when a connection evaluates as undefined.

• Learning feature GUI changes. The Manage Learned Rules dialog box has been simplified and streamlined, and the Learning Data Visualizer has been integrated more completely with the Learning feature.

• NetScaler advanced policies. You can now use advanced policies and expressions to configure the Application Firewall. Advanced expressions provide a rich set of expression elements along with options to control the flow of evaluation within a policy bank. These elements and options enable you to maximize the capabilities of the Application Firewall. Advanced policies, which comprise a set of rules and actions that use the advanced expression format, further enhance your ability to analyze data at various network layers and at different points along the flow of traffic. For more information about the benefits of using advanced policies and expressions, see the “Introduction to Policies and Expressions” chapter in the Citrix NetScaler Policy Configuration and Reference Guide.

• User-configurable SQL and XSS lists. Users can now modify the lists of SQL special characters, SQL keywords, cross-site scripting allowed tags, and cross-site scripting allowed attributes used by the HTML and XML SQL injection security check and the HTML and XML cross-site scripting check. Users can create and upload multiple different lists, and designate the list to be used on a per-profile basis.

For a summary of the new features and remaining unsupported features, see the


Audience

This guide is intended for the following audience:

• IT Managers. IT managers or other individuals responsible for managing your network.

• System Administrators. Any system administrators responsible for managing your standalone Citrix Application Firewall, or your Citrix NetScaler Application Accelerator or NetScaler appliance.

The concepts and tasks described in this guide require you to have a basic understanding of networking and firewall concepts and terminology, the HTTP protocol, HTML and XML SOAP, and Web security.

Formatting Conventions

This documentation uses the following formatting conventions.

Boldface
    Information that you type exactly as shown (user input); elements in the user interface.

<Angle Brackets>
    Placeholders for information or parameters that you provide. For example, <FileName> in a command means you type the actual name of a file. Also, new terms, and words referred to as words (which would otherwise be enclosed in quotation marks).

%SystemRoot%
    The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or any other name you specify when you install Windows.

Monospace
    System output or characters in a command line. User input and placeholders are also formatted using monospace text.

{ braces }
    A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.

[ brackets ]
    Optional items in command statements. For example, in the following command, [-range positiveInteger] means that you have the option of entering a range, but it is not required:

    add lb vserver name serviceType IPAddress port [-range positiveInteger]

| (vertical bar)
    A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:

    lbMethod = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH | LRTM | CALLIDHASH | CUSTOMLOAD )

Related Documentation

A complete set of documentation is available on the Documentation tab of your NetScaler and from http://support.citrix.com/. (Most of the documents require Adobe Reader, available at http://adobe.com/.)

To view the documentation

1. From a Web browser, log on to the NetScaler.

2. Click the Documentation tab.

3. To view a short description of each document, hover your cursor over the title. To open a document, click the title.

Getting Service and Support

Citrix offers a variety of resources for support with your Citrix environment, including the following:

• The Knowledge Center is a self-service, Web-based technical support database that contains thousands of technical solutions, including access to the latest hotfixes, service packs, and security bulletins.

• Technical Support Programs for both software support and appliance maintenance are available at a variety of support levels.

• The Subscription Advantage program is a one-year membership that gives you an easy way to stay current with the latest product version upgrades and enhancements.

• Citrix Education provides official training and certification programs on virtually all Citrix products and technologies.


For detailed information about Citrix services and support, see the Citrix Systems Support Web site at

http://www.citrix.com/lang/English/support.asp.

You can also participate in and follow technical discussions offered by the experts on various Citrix products at the following sites:

• http://community.citrix.com

• http://twitter.com/citrixsupport

Documentation Feedback

You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send email to the following alias or aliases, as appropriate. In the subject line, specify “Documentation Feedback.” Be sure to include the document name, page number, and product release version.

• For NetScaler documentation, send email to nsdoc_feedback@citrix.com.

• For Command Center documentation, send email to ccdocs_feedback@citrix.com.

• For Access Gateway documentation, send email to agdocs_feedback@citrix.com.

You can also provide feedback from the Knowledge Center at http://support.citrix.com/.

To provide feedback from the Knowledge Center home page

1. Go to the Knowledge Center home page at http://support.citrix.com/.

2. On the Knowledge Center home page, under Products, expand NetScaler, and then click the NetScaler release for which you want to provide feedback.

3. On the Documentation tab, click the guide name, and then click Article Feedback.

4. On the Documentation Feedback page, complete the form, and then click


Introduction

The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business or customer information. It accomplishes this by filtering both requests and responses, examining them for evidence of malicious activity and blocking those that exhibit it.

To use the Application Firewall, you must configure at least one profile to tell it what to do with the connections it filters, one policy to tell it which connections to filter, and then associate the profile with the policy. You can configure an arbitrary number of different profiles and policies to protect more complex Web sites. You can adjust how the Application Firewall operates on all connections in the Engine Settings. You can enable, disable, and adjust the settings of each security check separately. Finally, you can configure and use the included PCI DSS report to assess your security configuration for compliance with the PCI DSS standard.

You can configure the Application Firewall using either the Citrix NetScaler Configuration Utility (configuration utility) or the Citrix NetScaler Command Line Interface (NetScaler command line).

What is the Application Firewall?

The Application Firewall is a filter that sits between Web applications and users, examining requests and responses and blocking dangerous or inappropriate traffic. The Application Firewall protects Web servers and Web sites from unauthorized access and misuse by hackers and malicious programs, such as viruses and trojans (or malware). It provides protection against security vulnerabilities in legacy CGI code or scripts, Web server software, and the underlying operating system.


The Application Firewall is available on two platforms. First, the Citrix Application Firewall is a standalone appliance based on the Citrix NetScaler Application Accelerator platform and Citrix NetScaler Application Delivery System operating system. Second, the Citrix NetScaler Application Firewall feature is part of the Citrix NetScaler Application Delivery System, which runs on all models of the Citrix NetScaler Application Accelerator or Citrix NetScaler appliance. Therefore, users who want a dedicated Application Firewall can purchase a standalone Citrix Application Firewall. Users who want the Application Firewall functionality in addition to other NetScaler operating system features can purchase a new Citrix NetScaler appliance, or upgrade to version 9.1 of the NetScaler operating system and install it on their existing appliance.

Note: Citrix also supports the Citrix Application Firewall EX, which is built on a different hardware and operating system platform than the Application Firewall discussed in this manual. The Citrix Application Firewall EX has its own separate documentation set. This manual does not apply to the Citrix Application Firewall EX. If you need to obtain the Citrix Application Firewall EX documentation, contact Citrix Customer Support for further assistance.

What the Application Firewall Does

The Citrix Application Firewall protects Web servers and Web sites from misuse by hackers and malware, such as viruses and trojans, by filtering traffic between each protected Web server and users that connect to any Web site on that Web server. The Application Firewall examines all traffic for evidence of attacks on Web server security or misuse of Web server resources, and takes the appropriate action to prevent these attacks from succeeding.

Most types of attacks against Web servers and Web sites are launched to accomplish two overall goals. These are:

• Obtaining private information. The Application Firewall watches for attacks intended to obtain sensitive private information from your Web sites and the databases that your Web sites can access. This information can include customer names, addresses, phone numbers, social security numbers, credit card numbers, medical records, and other private information. The hacker or malware author can then use this information directly, sell it to others, or both.

Much of the information obtained by such attacks is protected by law, and all of it by custom and expectation. A breach of this type can have extremely serious consequences for customers whose private information was compromised. At best, these customers will have to exercise vigilance to prevent others from abusing their credit cards, opening unauthorized credit accounts in their name, or appropriating the customer’s identity outright to commit criminal activities in their name (or identity theft). At worst, the customers may face ruined credit ratings or even be blamed for criminal activities in which they had no part.

If a hacker or malware author manages to obtain such information through your Web site and then misuses it, that can create an embarrassing situation at best, and may expose your company to legal consequences.

• Obtaining unauthorized access and control. The Application Firewall watches for attacks intended to give the attacker access to and control of your Web server without your knowledge or permission. This prevents hackers from using your Web server to host unauthorized content, act as a proxy for content hosted on another server, provide SMTP services to send unsolicited bulk email, or provide DNS services to support these activities on other compromised Web servers. Such activities constitute theft of your server capacity and bandwidth for purposes you did not authorize.

By preventing unauthorized access to and control of your Web servers, the Application Firewall also helps prevent the common practice of unauthorized modifications of your home page or other pages on your Web site (or Web site defacement).

Most Web sites that are hosted on hacked Web servers (or compromised Web servers) promote questionable or outright fraudulent businesses. For example, the majority of pharming Web sites, phishing Web sites, and child pornography Web sites (or CP Web sites) are hosted on compromised Web servers. So are many sites that sell prescription medications without a prescription, illegal OEM copies of copyrighted software, and untested and often worthless quack medical remedies.

If a hacker or malware author manages to host such a Web site on your company’s Web server, or use your company’s Web server to provide spam support services, that can create an embarrassing incident at the very least.

Many types of attacks can be used to obtain private information from or make unauthorized use of your Web servers. These attacks include:

• Buffer overflow attacks. Sending an extremely long URL, cookie, or other bit of information to a Web server in hopes of causing it or the underlying operating system to hang, crash, or behave in some manner useful to the attacker. A buffer overflow attack can be used to gain access to unauthorized information, to compromise a Web server, or both.

• Cookie security attacks. Sending a modified cookie to a Web server, usually in hopes of obtaining access to unauthorized content using falsified credentials.

• Forceful browsing. Accessing URLs on a Web site directly, without navigating to the URLs via hyperlinks on the home page or other common start URLs on the Web site. Individual instances of forceful browsing may simply indicate a user who bookmarked a page on your Web site, but repeated attempts to access non-existent content or content that users should never access directly often represent an attack on Web site security. Forceful browsing is normally used to gain access to unauthorized information, but can also include a buffer overflow attack and be used to compromise your server.

• Web form security attacks. Sending inappropriate content to your Web site using a Web form. Inappropriate content can include modified hidden fields, HTML or code in a field intended for alphanumeric data only, an overly long string in a field that accepts only a short string, an alphanumeric string in a field that accepts only an integer, and a wide variety of other data that your Web site does not expect to receive in that Web form. A Web form security attack can be used either to obtain unauthorized information from your Web site or to compromise the Web site outright, usually when combined with a buffer overflow attack.

In addition to standard Web form security attacks, there are two specialized types of attacks on Web form security that deserve special mention:

- SQL injection attacks. Sending an active SQL command or commands using SQL special characters and keywords using a Web form, with the goal of causing a back-end SQL database to execute that command or commands. SQL injection attacks are normally used to obtain unauthorized information.

- Cross-site scripting attacks. Using a script on a web page to violate the same origin policy, which forbids any script from obtaining properties from or modifying any content on a different Web site. Since scripts can obtain information and modify files on your Web site, allowing a script access to content on a different Web site can provide an attacker the means to obtain unauthorized information, to compromise a Web server, or both.

• XML security attacks. Sending inappropriate content to an XML-based application, or attempting to breach security on your XML-based application. There are a number of special attacks that can be made against XML-based applications using XML requests that contain malicious code or objects. These include attacks based on badly-formed XML requests, or XML requests that do not conform to the W3C XML specification, XML requests used to stage a denial of service (DoS) attack, and XML requests that contain attached files that can breach site security.

In addition to standard XML-based attacks, there are two specialized types of XML attacks that deserve special mention:

- SQL injection attacks. Sending an active SQL command or commands using SQL special characters and keywords in an XML-based request, with the goal of causing a back-end SQL database to execute that command or commands. SQL injection attacks are normally used to obtain unauthorized information.

- Cross-site scripting attacks. Using a script included in an XML-based application to violate the same origin policy, which forbids any script from obtaining properties from or modifying any content on a different application. Since scripts can obtain information and modify files using your XML application, allowing a script access to content belonging to a different application can provide an attacker the means to obtain unauthorized information, to compromise the application, or both.

The Application Firewall has special filters, or checks, that look for each of these types of attack and prevent them from succeeding. The checks use a range of filters and techniques to detect each attack, and respond to different types of attacks or potential attacks differently. A potential attack that does not pose a significant threat may simply be logged. If the same pattern of activity does not recur, it probably was not a deliberate attack and no further action is needed. A series of potential attacks may require a different response, which may include blocking further requests from that source.

The greatest threat against Web sites and applications does not come from known attacks, however. It comes from new and unknown attacks, attacks for which the Application Firewall may not yet have a specific check. For this reason, the core Application Firewall methodology does not rely upon specific checks. It relies upon comparing requests and responses to a profile of normal use of a protected Web site or application. The user helps create the profile during initial configuration and at intervals thereafter by providing certain information to the Application Firewall. The Application Firewall then generates the rest of this profile using its learning feature.

Thereafter, if a request or response falls outside of the profile for that Web site or application, either the threat in the request or response is neutralized, or the request or response is blocked. This is called a positive security model, and allows the Application Firewall to protect a Web site or application against attacks for which it may not yet have specific checks.

In summary, the Application Firewall prevents outsiders from misusing your Web sites and applications for their own purposes. It ensures that your Web sites and applications are used as you intended them to be used, for your benefit and that of your customers.

The following section explains in more detail how the Application Firewall performs these tasks.


How the Application Firewall Works

The Application Firewall protects your Web sites and applications by filtering traffic to and from them, and blocking or rendering harmless any attacks or threats that it detects. This subsection provides an outline of the filtering process it uses to accomplish this.

The platform on which the Application Firewall is built is the Citrix NetScaler Application Delivery product line, which can be installed as either a layer 3 network device or a layer 2 network bridge between your servers and your users, usually behind your company’s router or firewall. Depending on which Application Firewall model you have and which other tasks it performs, you may install it in different locations and configure it differently. To function, however, an Application Firewall must be installed in a location where it can intercept traffic between the Web servers you want to protect and the hub or switch through which users access those Web servers. You then configure the network to send requests to the Application Firewall instead of directly to your Web servers, and responses to the Application Firewall instead of directly to your users.

The Application Firewall then filters that traffic before forwarding it to its final destination. It examines each request or response using both its internal rule set and your additions and modifications. In addition to profiling the Web servers it protects using its learning feature, the Application Firewall also profiles each specific user’s session in real time to determine if incoming traffic from that user to your Web server, and outgoing traffic from your Web server to that user, is appropriate in light of previous requests from the user during the current session. It then blocks or renders harmless any that trigger a specific check or that fail to match the Web site profile. The figure below provides an overview of the filtering process.


A Flowchart of Application Firewall Filtering

As the figure shows, when a user requests a URL on a protected Web server, the Application Firewall first examines the request to ensure that it violates no network security rules. These rules check for DoS attacks and other types of network attacks that are not specific to Web servers. Many of those attacks do not require the same level of analysis to detect as many Web site or application attacks do. Detecting and stopping these attacks before analyzing requests further reduces overall load on the Application Firewall.

If the request passes network security inspection, the Application Firewall checks to see if the request needs further filtering. Requests for certain types of content, such as image files, do not require further analysis. Requests for HTML-based web pages, XML-based applications, or active content do require further analysis, and are passed to the Application Firewall filtering engine.


The Application Firewall then examines the request, applying all relevant checks and comparing it to the profile it has of the protected Web site or XML application. If the request passes the Application Firewall security checks, it is passed to the Rewrite feature, which applies any Rewrite rules. Finally, the Application Firewall passes the request on to the server.

The Web site or application sends its response back to the Application Firewall, which examines the response. If the response does not violate any security checks, it is passed to the Rewrite feature, which applies any Rewrite rules. Finally, the Application Firewall forwards the response to the user. This process is repeated for each request and response.

In summary, the Application Firewall filters HTTP traffic for security-related issues at two points in the HTTP request/response cycle: it filters requests before they are sent to the server, and responses before they are sent to the user. When it detects a problem, it either neutralizes the problem or, if it cannot, blocks the request or response.

The Application Firewall Platform

The Citrix Application Firewall is built on the NetScaler operating system platform. It is fully integrated into the appliance platform and interoperates cleanly with all other appliance features.

The appliance software runs on several types of hardware and a range of different servers optimized for different levels and types of network traffic. All are collectively referred to as the Citrix NetScaler Application Delivery product line. As of the NetScaler operating system 8.0 release, the Application Firewall has been available as a licensed feature. You can also purchase a standalone Citrix Application Firewall based on the same platform.

For more information about the hardware platforms in the Citrix NetScaler Application Delivery product line, see “Installing the Server” on page 19. For complete information about the Citrix NetScaler Application Delivery product line, see the Citrix NetScaler Installation and Configuration Guide.

The Application Firewall on a Network

To do its work properly, any Application Firewall model must be installed in the right place on your network. The location must allow traffic to and from your protected Web servers to be routed through the Application Firewall. You can ensure this by installing the Application Firewall in a location where traffic to and from your Web servers must pass through it, or you can use virtual LANs (VLANs) to ensure that your network can distinguish between packets that need to be routed to the Application Firewall, and packets that the Application Firewall has already filtered and that can be sent to the Web server or user, as appropriate.


Although the appliances in the Citrix NetScaler Application Delivery product line are normally installed as layer 3 devices, none of them acts like a traditional layer 3 or layer 4 firewall when filtering traffic to and from your protected Web servers. The Application Firewall itself analyzes only HTTP requests and responses, and analyzes HTTP traffic at a different level than a traditional firewall does. Therefore, only requests to your Web sites or applications that might contain attacks are sent to the Application Firewall.

A NetScaler appliance must see and route other types of traffic than simply HTTP connections because it will have multiple appliance features licensed and enabled. Some of the other appliance features block DoS and DDoS attacks, accelerate throughput to and from your applications, and provide secure access to servers and applications. When installing a NetScaler appliance, you will therefore need to determine the best location in light of all the features you plan to use. The appliance OS then determines which packets need to be processed by the Application Firewall and routes only those packets to it.

If you are installing or already use a NetScaler appliance and have licensed the Application Firewall feature, you must first determine which other appliance features you will use in addition to the Application Firewall. You should then determine where on your network to install your NetScaler appliance so that it can intercept all incoming traffic that it must process, and as little additional traffic as possible.

The best solution will depend heavily on the configuration of your individual network. Because a NetScaler appliance is a multipurpose appliance, you probably will need to install it in a central location in your network, where it can intercept much (if not all) traffic entering your network from the outside. You may also not have the option of installing it within the same subnet as the servers that host your protected Web sites or applications.

These factors will require some additional configuration of your NetScaler appliance so that it can identify and properly route traffic to the Application Firewall.

The User Interfaces

All models in the Citrix NetScaler Application Delivery product line can be configured and managed from either of two different user interfaces: the command line-based Citrix NetScaler Command Line Interface (the NetScaler command line) and the web-based Citrix NetScaler Configuration Utility (the


The Citrix NetScaler Command Line Interface

The Citrix NetScaler Command Line Interface (NetScaler command line) is a modified UNIX shell based on the FreeBSD bash shell. To configure the Application Firewall using the NetScaler command line, you type commands at the prompt and press the Enter key, just as you do with any other Unix shell.

Note: The actual appearance of the NetScaler command line window varies somewhat depending on which SSH program you use to connect to the NetScaler command line.

The format of NetScaler command line commands is:

> action groupname entity <entityname> [-parameter]

For action, you substitute the action you want to perform. For groupname, you substitute the groupname associated with the feature or task. For entity, you substitute the specific type of object you are viewing or changing. For <entityname>, you substitute the IP, hostname, or other specific name for the entity. Finally, for [-parameter], you substitute one or more parameters (if any) that your command requires.

For example, you use the add appfirewall profile command to create a profile named HTML with basic defaults, as shown below.

> add appfirewall profile HTML -defaults basic
 Done
>

In this command, add is the action; appfirewall is the groupname; profile is the entity; HTML is the <entityname>; and -defaults basic is the parameter. Since the command produces no output, the NetScaler command line simply informs you that it has performed the command by printing Done, and then returns to the prompt.

You use the show appfirewall profile command to review all profiles that currently exist on your Application Firewall, as shown below:

> show appfw profile
3) Name: HTML1
        ErrorURL: /
        StripComments: ON
        DefaultCharSet: iso-8859-1
        StartURLAction: block log stats
        StartURLClosure: OFF
        DenyURLAction: block log stats
        XSSAction: block log stats
        XSSTransformUnsafeHTML: OFF
        XSSCheckCompleteURLs: OFF
        SQLAction: block log stats
        SQLTransformSpecialChars: OFF
        SQLOnlyCheckFieldsWithSQLChars: ON
        FieldConsistencyAction: none
        CookieConsistencyAction: none
        BufferOverflowAction: block log stats
        BufferOverflowMaxURLLength: 1024
        BufferOverflowMaxHeaderLength: 4096
        FieldFormatAction: block log stats
        DefaultFieldFormatType: ""
        DefaultFieldFormatMinLength: 0
        DefaultFieldFormatMaxLength: 65535
        CommerceAction: block log stats
        CommerceCard:
        CommerceMaxAllowed: 0
        CommerceXOut: OFF
 Done
>

Unlike the add appfirewall profile command, this command has output, and that output is displayed beneath the line where you typed the command. The output terminates with Done, and beneath that, a new prompt is displayed. Another useful command, the show config command, lacks everything after the groupname. It has no entity or parameters, as shown below.

> show config
        NetScaler IP: 192.168.100.42 (mask: 255.255.255.0)
        Number of MappedIP(s): 1
        Node: Standalone
        Global configuration settings:
                HTTP port(s): (none)
                Max connections: 0
                Max requests per connection: 0
                Client IP insertion: DISABLED
                Cookie version: 0
                Min Path MTU: 576
                Path MTU entry timeout: 10
                FTP Port Range: 0
 Done
>

You use the show config command to determine the appliance IP and global configuration settings. To determine the settings for any specific configuration area, you use the show action with the appropriate groupname and entity, as you did above to view the Application Firewall profile settings.
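One way to review such output programmatically, as an added example that is not part of this guide: the Python script below parses text in the layout of the show appfw profile output above and lists, per profile, every check whose action does not include block, so a log-only or disabled check stands out. The sample output is constructed, and the second profile's values are illustrative rather than taken from an appliance.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the `show appfw profile` output quoted
# in this chapter; the values are illustrative, not taken from a real appliance.
SAMPLE_OUTPUT = """\
> show appfw profile
1) Name: XML1 ErrorURL: / StripComments: OFF DefaultCharSet: utf-8
        StartURLAction: log stats StartURLClosure: OFF DenyURLAction: block log stats
        XSSAction: block log stats SQLAction: none FieldConsistencyAction: none
        CookieConsistencyAction: block log stats BufferOverflowAction: block log stats
        BufferOverflowMaxURLLength: 1024 BufferOverflowMaxHeaderLength: 4096
2) Name: HTML1 ErrorURL: / StripComments: ON DefaultCharSet: iso-8859-1
        StartURLAction: block log stats StartURLClosure: OFF DenyURLAction: block log stats
        XSSAction: block log stats XSSTransformUnsafeHTML: OFF SQLAction: block log stats
        SQLTransformSpecialChars: OFF SQLOnlyCheckFieldsWithSQLChars: ON
        FieldConsistencyAction: none CookieConsistencyAction: none
        BufferOverflowAction: block log stats FieldFormatAction: block log stats
        DefaultFieldFormatType: "" CommerceAction: block log stats CommerceCard:
        CommerceMaxAllowed: 0 CommerceXOut: OFF
 Done
>
"""

# Split a line on the whitespace that precedes a "Key:" token, so that
# multi-word values such as "block log stats" stay intact even when the
# appliance prints several settings on one line.
KEY_SPLIT = re.compile(r"\s+(?=[A-Za-z][A-Za-z0-9]*:)")


def parse_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse show appfw profile output into {profile name: {setting: value}}."""
    profiles: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">") or line == "Done":
            continue                      # prompt, echoed command, terminator
        for token in KEY_SPLIT.split(line):
            if ":" not in token:
                continue                  # the "1)" record index prefix
            key, value = token.split(":", 1)
            value = value.strip()
            if value == '""':
                value = ""                # an empty string is printed as ""
            if key == "Name":             # a new profile record begins
                current = value
                profiles[current] = {}
            elif current is not None:
                profiles[current][key] = value
    return profiles


def audit_actions(profiles: Dict[str, Dict[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """For each profile, list the *Action settings whose value lacks 'block'.

    Such a check either only logs/counts violations or is switched off
    ('none'), so a matching request would still reach the protected server.
    """
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for name, settings in profiles.items():
        findings[name] = [
            (key, value or "none")
            for key, value in settings.items()
            if key.endswith("Action") and "block" not in value.split()
        ]
    return findings


if __name__ == "__main__":
    for name, weak in audit_actions(parse_profiles(SAMPLE_OUTPUT)).items():
        status = ", ".join(f"{k}={v}" for k, v in weak) or "all checks block"
        print(f"{name}: {status}")
```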

There are an enormous number of commands and variations available at the NetScaler command line. A small number of these commands that you can use to configure various parts of the Application Firewall are described in this manual. For a complete description of the commands available at the NetScaler command line, see the Citrix NetScaler Command Reference Guide.

The Citrix NetScaler Configuration Utility

The configuration utility is a web-based interface used to configure the Application Firewall. You can perform almost any configuration task using the configuration utility. Less experienced users usually find the configuration utility the easiest interface to use.


The figure below shows the configuration utility’s System Overview screen.

The Citrix NetScaler Configuration Utility, System Overview

Note: The items displayed in the navigation tree on the left of the configuration utility window differ depending on which features are licensed on your NetScaler appliance.

The configuration utility screen has three areas that organize the work of configuring all the features you licensed on your Citrix NetScaler Application Accelerator or NetScaler appliance.

Logo bar. The logo bar extends along the top of the configuration utility window. On the left the Citrix logo and “Access Gateway Enterprise Edition” title appear. On the right is a horizontal row of global hyperlinks that allow you to control the look and feel of the configuration utility screen, save your settings, do a complete refresh of the entire configuration utility display, log out, and access the online help.

Navigation tree. The navigation tree extends down the left side of the screen, and provides a collapsible menu that contains links to all screens in the configuration utility. To navigate to a screen within a category, you click the plus (+) sign to expand that category. When a submenu is open, the plus sign changes to a minus (-) sign and all screens and subcategories within that category are displayed.

- To display a category or subcategory, you click the plus sign beside the category or subcategory title.

- To collapse a category or subcategory that has been displayed, you click the minus sign beside the title of that category.

Page Title bar. The page title bar extends horizontally across the screen, directly beneath the logo bar and to the right of the navigation menu. It contains the title of the current page, and on the right a button that allows you to refresh just that page.

Page Data area. The page data area contains the information for the page you have displayed at the time. If the data area contains more information than can easily fit on one page, it may have multiple pages that you access by clicking tabs at the top of the data area. For example, the System Overview screen shown in the screen shot titled “The Citrix NetScaler Configuration Utility, System Overview” on page 12 has two tabs: the System Information and System Sessions tabs.

Note: The data area on most pages in the configuration utility is read-only. To add a configuration entry or modify an existing configuration entry, you normally click the appropriate button at the bottom of the data area and use the dialog box that appears to make your changes.

In addition to the main screens, the configuration utility makes considerable use of wizards and other types of dialog boxes. A dialog box is a standalone window that asks you a question or prompts you to fill in a form that asks for a set of related data points. You click a button at the bottom or the right of the dialog box to respond to the question (usually a Yes or No button) or to indicate that you’ve finished filling in the form (usually an OK or Cancel button).

Wizards organize a related set of tasks in a logical workflow, displaying each task on a separate page and prompting you to perform that task before you proceed to the next task. The pages within a wizard also contain short explanations of what each task is for and what it does.

To use a wizard, you simply follow the instructions on each page, and when you have finished, click the Next > button to proceed to the next page and next task. If, at any point, you need to change a setting you made on a previous page, you can click the < Back button to return to that page and modify your work. Then, you click the Next > button to return to the task you were completing previously.

You are likely to encounter two wizards quickly: the Setup Wizard and Upgrade Wizard. The figure below shows the first screen of the Setup Wizard.


The Setup Wizard, First Screen

The Setup Wizard takes you through the process of initial configuration of your NetScaler appliance, prompting you for the necessary information at each step. The Setup Wizard and other wizards in the configuration utility can make the sometimes-daunting job of configuring a new NetScaler appliance much easier. The figure below shows the first screen of the Upgrade Wizard.


The Upgrade Wizard, like the Setup Wizard, takes you through a set of screens. Instead of performing an initial configuration, however, it takes you through the process of upgrading your NetScaler appliance, prompting you for the necessary information at each step.

This concludes the current chapter.

• If you are installing a new Citrix NetScaler appliance, proceed to Chapter 2, “Installation,” on page 17.

• If you are upgrading the NetScaler operating system on a Citrix NetScaler appliance that you already own, and want to enable and configure the Citrix NetScaler Application Firewall feature, proceed directly to Chapter 3, “Simple Configuration,” on page 65.


Installation

This chapter contains basic installation instructions for two types of system:

• The standalone Citrix Application Firewall, built on the Citrix NetScaler platform.

• Any appliance in the Citrix NetScaler Application Delivery product line that runs the Citrix NetScaler Application Firewall feature.

Note: If you already have a NetScaler appliance installed on your network, have just upgraded to the NetScaler 9.1 release, and have licensed the Citrix NetScaler Application Firewall feature, you do not need to read this chapter. Your appliance is already installed and has already had initial configuration performed on it. Skip to Chapter 3, “Simple Configuration,” on page 65.

The first section provides a detailed look at all of the hardware platforms (or appliances) on which the standalone or embedded Application Firewall runs, shows where ports and other important features are located on each unit, and explains what you must do to get the appliance properly installed on your network. The second section describes what you must do to perform initial configuration of the NetScaler operating system.

When you have finished installing the appliance and performing initial configuration, your appliance will be ready for you to configure the Application Firewall itself.

Planning the Installation

The Citrix NetScaler Application Delivery product line supports a wide range of installation modes, depending on which NetScaler features you will use and how your network is set up. This section provides instructions for installing a standalone Citrix Application Firewall, or for performing a simple installation of a single Citrix NetScaler appliance. For more detailed information about a wider range of available configurations, including high availability (HA) pairs and SSL VPN, see the Installation and Configuration Guide, Volume 1, Chapter 2, “Installing the Application Switch.”


The NetScaler appliance can be installed with a single connection via one hub or switch to your network (called one-arm mode), or with two connections to different hubs or switches to two different subnets (called two-arm mode). The following figure provides a conceptual illustration of both modes.

Citrix NetScaler appliance Installation Modes

Each installation mode has its advantages. With a one-arm mode installation, you do not have to worry about complex webs of connections. You simply connect the appliance and the Web servers it protects to a single layer 2 switch, and set up VLANs to handle routing. With a two-arm mode installation, however, the appliance is physically located between the Web servers it protects and your users. Connections must pass through it, minimizing chances that a route can be found around it. This may enhance security.

You must also consider whether to install the appliance on the same subnet as the Web servers it protects, or on a different subnet from some or all of them. In a single subnet networking environment, the appliance’s IP address, mapped IP address (MIP) and the IP address of all servers the Application Firewall manages are on the same subnet. Installation on a single subnet is easier to configure, but may require more work overall if the Web servers you want to protect are currently on different subnets or are installed on a subnet which cannot accommodate the appliance.

Figure labels (Citrix NetScaler appliance Installation Modes): One-Arm Mode and Two-Arm Mode, each showing the Router, Layer 2 Switch, Application Firewall, and Protected Web Servers.


In a multiple subnet networking environment, the appliance’s IP address, mapped IP address (MIP), and the IP addresses of the servers it connects to are on two or more subnets. Installation on multiple subnets may require that you add static routes and make other configuration adjustments to ensure that the appliance and the servers it manages are able to connect to each other correctly, and that incoming traffic to a managed server goes through the NetScaler appliance before being sent to the managed server.

There is no single right configuration for installations. You should review your network and decide where to install your appliance based on which features you will enable and which servers it will manage. Once you have decided where to install your appliance and how to connect it to your network, you can proceed with the installation.

Installing the Server

This section describes how to install your NetScaler appliance in your server room. It describes the hardware platforms on which these servers are built, and tells you how to operate each unit properly.

As of the current release, the hardware platforms on which all models in the Citrix NetScaler Application Delivery product line are available are the Citrix NetScaler 7000, the Citrix NetScaler 9000, the Citrix NetScaler 9010, the Citrix NetScaler 10000, the Citrix NetScaler 10010, the Citrix NetScaler 12000, the Citrix NetScaler MPX 15000, and the Citrix NetScaler MPX 17000. The Application Firewall can be licensed on any of these hardware platforms as part of any model of the NetScaler appliance. The standalone Citrix Application Firewall is available on the Citrix NetScaler 7000 and the Citrix NetScaler 12000 platforms.

Before installing your appliance, you must first determine which hardware platform your Application Firewall uses.

Citrix NetScaler 7000. If you are installing a unit built on the 7000 platform, proceed to “The Citrix NetScaler 7000” on page 20.

Citrix NetScaler 9010. If you are installing a unit built on the 9010 platform, proceed to “The Citrix NetScaler 9010” on page 22.

Citrix NetScaler 10010. If you are installing a unit built on the 10010 platform, proceed to “The Citrix NetScaler 10010” on page 26.

Citrix NetScaler 12000. If you are installing a unit built on the 12000 platform, proceed to “The Citrix NetScaler 12000” on page 30.

Citrix NetScaler MPX 15000. If you are installing a unit built on the 15000 platform, proceed to “The Citrix NetScaler MPX 15000” on page 33.


Citrix NetScaler MPX 17000. If you are installing a unit built on the 17000 platform, proceed to “The Citrix NetScaler MPX 15000” on page 33.

The Citrix NetScaler 7000

The Citrix NetScaler 7000 model is a single processor, 1U unit that supports both Fast Ethernet and copper Gigabit Ethernet. The unit ships with 1 GB of memory by default. The 7000 handles up to 50,000 HTTP requests per second and up to 4,400 SSL transactions per second. It has a system throughput of 600 Mbps, and SSL and compression throughputs of 150 Mbps.

The figure below contains a drawing of the 7000 as seen from the front, with ports and important features labeled.

The Citrix NetScaler 7000, From the Front

You use the handles to carry the unit. You mount the unit onto your server room rack and screw the rack mounts to the rack using standard rack-mount screws. The LCD display consists of two lines of 16 characters each, a neon backlight, and a screen refresh rate of 3 seconds. It provides real-time information about the unit’s state and activity in sequential screens with real-time statistics, diagnostic information and active alerts. For more information about the LCD and how to configure it, see the Citrix NetScaler Hardware Installation and Setup Guide.

The Citrix NetScaler 7000 has the following ports on the front of the unit:

• Four 10/100Base-T network interfaces (labeled 1/1, 1/2, 1/3, and 1/4)

• Two 10/100/1000Base-T network interfaces (labeled 1/5 and 1/6)

• Serial port (9600 baud, 8 bits, 1 stop bit, No parity)

You can use the serial port to connect a notebook computer directly to the unit using the supplied serial cable, as described in “Using the Configuration Utility,” on page 40.


The figure below shows a drawing of the 7000 from the back, with important features labeled.

The Citrix NetScaler 7000, From the Back

To plug in the 7000, simply insert the supplied power cord into the power supply, and plug the other end into an appropriately grounded outlet. To power down the 7000, you should first execute a controlled shutdown via the CLI or GUI. Then, press the main power supply switch on the rear right-hand side of the unit to switch the unit off.

Before you install the 7000, ensure that you have the following items available:

• The power cord and serial cable, which are supplied with the 7000.

• One to four ethernet cables, which are not supplied with the unit.

• Four rack screws and a screwdriver.

You are now ready to install the 7000.

To install the Citrix NetScaler 7000 in your server room

1. Open the packing box the appliance arrived in, and lift the appliance carefully out of the box.

Caution: Handle the appliance with care. Like all servers, it is sensitive to sudden jolts and shaking. Do not stack appliances on top of one another.

2. Place the appliance on an open rack in your server room, or in a temporary location with easy access for initial configuration.

If you are installing the appliance on your server room rack, you should install it in an open rack. If you must install the unit in an enclosed rack, ensure that the rack has adequate temperature control, and that nothing blocks the vents on the front or rear of the appliance.

Use four rack screws to secure the unit to the rack.

Figure labels (The Citrix NetScaler 7000, From the Back): Power Supply, Fan, Hard Disk, Power Switch, Second Power Switch, Compact Flash Drive and Release Button.


3. Plug the power cord into the back of the appliance, and then plug the other end into a standard 110V/220V power outlet.

Caution: The unit must be connected to a properly grounded and regulated power source. Like all servers, it is sensitive to power fluctuations.

4. Turn on the appliance by tapping the power switch quickly, and then letting up.

The appliance will perform a series of power-on tests that take approximately a minute as it comes up.

You have now successfully installed your Citrix NetScaler 7000. Proceed to “Performing Initial Configuration,” on page 39 to configure it.

The Citrix NetScaler 9010

The Citrix NetScaler 9010 is a single processor, 2U unit that ships with 2 GB of memory. The user can specify either four fiber Gigabit 1000Base-X optical ethernet ports (fiber version) or four 10/100/1000Base-T copper ethernet ports (copper version) when ordering the unit. The 9010 can process up to 125,000 HTTP requests per second and 4,400 SSL requests per second. It has 2,000 Mbps system throughput, 500 Mbps SSL throughput, and 400 Mbps compression throughput.

The figure below shows a drawing of the 9010 (fiber version) as seen from the front, with ports and important features labeled clearly.

The Citrix NetScaler 9010 (fiber version), From the Front

The 9010 (fiber version) has the following ports on the front:

• Four fiber Gigabit 1000-Base-X optical network interfaces, labeled 1/1, 1/2, 1/3, and 1/4.

• Serial port (9600 baud, 8 bits, 1 stop bit, No parity)

When facing the bezel, the upper LEDs to the left of each port inset represent connectivity. They are lit and amber in color when active. The lower LEDs represent throughput. They are lit and green when active.

The figure below shows a drawing of the 9010 (copper version) as seen from the front, with ports and important features labeled clearly.

The Citrix NetScaler 9010 (copper version), From the Front

The 9010 (copper version) has the following ports on the front:

• Four 10/100/1000-Base-T copper ethernet network interfaces, labeled 1/1, 1/2, 1/3, and 1/4.

• Serial port (9600 baud, 8 bits, 1 stop bit, No parity)

For both 9010 versions, you use the handles to carry the unit. You mount the unit onto your server room rack and screw the rack mounts to the rack using standard rack-mount screws.

The LCD display on both versions consists of two lines of 16 characters each, a neon backlight, and a screen refresh rate of 3 seconds. It provides real-time information about the unit’s state and activity in sequential screens with real-time statistics, diagnostic information and active alerts. For more information about the LCD and how to configure it, see the Citrix NetScaler Hardware Installation and Setup Guide.

You can use the serial port to connect a notebook computer directly to the unit using the supplied serial cable. The figure below shows the 9010 from the back, with ports and important features clearly labeled.


The Citrix NetScaler 9010, From the Back

To power the unit off, you press the left side of the power switch until it clicks down. To power it on, you press the right side until it clicks down.

You can use the 10/100/1000Base-T copper ethernet port to connect the unit to a secure control network that you then use to configure and manage the unit. The compact flash drive contains the NetScaler operating system (OS) software. The hard disk can be used to store logs and backups.

The appliance has two power supplies. Normally you plug in two power cords, one into each power supply, and then into separate wall sockets. The unit functions properly with only one working power supply; however, the second power supply serves as a fail-safe precaution.

In the event that one power supply fails, or if you choose to connect only one power cord to the unit, an alarm sounds. You push the Disable Alarm button to silence the alarm.

Caution: If you choose to continue operating the 9010 with only one functioning or one connected power supply, you forfeit the built-in fail-safe protection.

Before you install the 9010, ensure that you have the following items available:

• The power cord and serial cable, which are supplied with the 9010.

• One to four ethernet cables, which are not supplied with the unit.

• If you are installing a 9010 (fiber version), four Finisar Active Copper SFP transceivers, which are also supplied with the appliance.

• Four rack screws and a screwdriver.

You are now ready to install the 9010.

Figure labels (9010, from the back): two removable power supplies, hard disk, power switch, non-maskable interrupt (NMI) button, compact flash drive and release button, 10/100Base-T copper Ethernet port.

1. Open the packing box the appliance arrived in, and lift the appliance carefully out of the box.

Caution: Handle the appliance with care. Like all servers, it is sensitive to sudden jolts and shaking. Do not stack appliances on top of one another.

2. Place the appliance on an open rack in your server room, or in a temporary location with easy access for initial configuration.

If you are installing the appliance on your server room rack, you should install it in an open rack. If you must install the unit in an enclosed rack, ensure that the rack has adequate temperature control, and that nothing blocks the vents on the front or rear of the appliance.

Use four rack screws to secure the unit to the rack.

Plug the power cord into the back of the appliance, and then plug the other end into a standard 110V/220V power outlet.

Caution: The unit must be connected to a properly grounded and regulated power source. Like all servers, it is sensitive to power fluctuations.

3. Turn on the appliance by tapping the power switch quickly, and then letting up.

The appliance will perform a series of power-on tests that take approximately a minute as it comes up.

4. Take an ethernet cable, connect one end to interface number 1/4 and connect the other end to the switch or hub that leads to your WAN or the internet.

If you want, you can use a different interface number. The appliance automatically detects which interfaces are in use and which networks they are connected to.

5. If you are installing your appliance in two-arm mode, take another ethernet cable, connect one end to interface number 1/3, and connect the other end to the switch or hub that leads to your LAN.

Again, if you want, you can use a different interface number.

You have now successfully installed your Citrix NetScaler 9010. Proceed to “Performing Initial Configuration,” on page 39 to configure it.


The Citrix NetScaler 10010

The Citrix NetScaler 10010 is a single processor, 2U unit that ships with 2 GB of memory, four fiber Gigabit 1000Base-X optical ethernet ports, and four 10/100/1000Base-T copper ethernet ports by default. The unit can process up to 255,000 HTTP requests per second and 8,800 SSL requests per second. It has 4,800 Mbps system throughput, 760 Mbps SSL throughput, and 555 Mbps compression throughput.

The following figure shows a drawing of the 10010 as seen from the front, with ports and other important features clearly labeled.

The Citrix NetScaler 10010, From the Front

The 10010 has the following ports on the front:

• Four fiber Gigabit 1000-Base-X optical network interfaces, labeled 1/1, 1/2, 1/3, and 1/4.

• Four 10/100/1000-Base-T copper ethernet network interfaces, labeled 1/5, 1/6, 1/7, and 1/8.

• Serial port (9600 baud, 8 bits, 1 stop bit, No parity).

When facing the bezel, the upper LEDs to the left of each fiber port represent connectivity. They are lit and amber in color when active. The lower LEDs represent throughput. They are lit and green when active.

You use the handles to carry the unit. You mount the unit onto your server room rack and screw the rack mounts to the rack using standard rack-mount screws. The LCD display consists of two lines of 16 characters each, a neon backlight, and a screen refresh rate of 3 seconds. It provides real-time information about the unit’s state and activity in sequential screens with real-time statistics, diagnostic information and active alerts. For more information about the LCD and how to configure it, see the Citrix NetScaler Hardware Installation and Setup Guide.

