TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL.
CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch™ 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:
Move the NetScaler equipment to one side or the other of your equipment. Move the NetScaler equipment farther away from your equipment.
Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product.
BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.
Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 © Carnegie Mellon University. All rights reserved. Copyright © David L. Mills 1993, 1994. Copyright © 1992, 1993, 1994, 1997 Henry Spencer. Copyright © Jean-loup Gailly and Mark Adler. Copyright © 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright © Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright © 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright © 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright © UNIX System Laboratories, Inc. Copyright © 2001 Mark R V Murray. Copyright 1995-1998 © Eric Young. Copyright © 1995,1996,1997,1998. Lars Fenneberg. Copyright © 1992. Livingston Enterprises, Inc. Copyright © 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright © 1991-2, RSA Data Security, Inc. Created 1991. Copyright © 1998 Juniper Networks, Inc. All rights reserved. Copyright © 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 1999-2001© The Open LDAP Foundation. All Rights Reserved. Copyright © 1999 Andrzej Bialecki. All rights reserved. Copyright © 2000 The Apache Software Foundation. All rights reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) 1997-2004 University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt Thomas. All rights reserved. Copyright © 2000 Jason L. Wright. Copyright © 2000 Theo de Raadt. Copyright © 2001 Patrik Lindergren. All rights reserved.
Contents
Preface
About This Guide . . . vii
New in This Release . . . viii
Audience . . . viii
Formatting Conventions . . . ix
Related Documentation. . . ix
Getting Service and Support. . . .x
Knowledge Center . . . .x
Silver and Gold Maintenance . . . xi
Education and Training . . . xi
Documentation Feedback . . . xii
Chapter 1
Citrix NetScaler Authentication and Authorization
Defining Users . . . .1
Defining Groups . . . .4
Command Policies . . . .5
Resetting the Default Administrator (nsroot) Password . . . .11
Examples of User Scenarios . . . .13
Chapter 2
SNMP
Importing MIB Files . . . .30
Defining SNMP Managers . . . .31
Configuring SNMP V1 and V2 . . . .32
Adding an SNMP Community . . . .33
Removing an SNMP Community . . . .33
Configuring SNMP Traps and Alarms . . . .34
SNMP V3 . . . .42
Salient Features . . . .42
SNMPv3 Security Entities . . . .43
Chapter 3
Audit Server Logging
Configuring the Citrix NetScaler Audit Server Log . . . .50
Configuring Global Audit Server Parameters. . . .51
Configuring Audit Server Action and Policy . . . .52
Globally Binding the Audit Policies . . . .53
Installing the Audit Server Files . . . .54
Installing Audit Server on the Linux Operating System . . . .54
Uninstalling Audit Server on the Linux Operating System . . . .55
Installing Audit Server on the FreeBSD Operating System. . . .55
Uninstalling Audit Server on the FreeBSD Operating System . . . .56
Installing Audit Server on the Windows Operating System . . . .56
Uninstalling Audit Server on the Windows Operating System . . . .57
Audit Server Options. . . .57
Configuring Audit Server Logging on a Server system. . . .59
Defining Filters . . . .59
Defining Log Properties . . . .60
Default Settings for the Log Properties. . . .62
Adding the IP Addresses of the System . . . .63
Verifying Configuration . . . .64
Starting Audit Server Logging . . . .64
Stopping Audit Server Logging . . . .64
Sample Configuration File . . . .64
Checklist for Configuring Audit Server Logging. . . .65
Configuring Audit Server Logging for a Commonly Used Deployment Scenario.66
Chapter 4
Web Server Logging
How Web Server Logging Works . . . .71
Configuring Web Server Logging Parameters. . . .72
Enabling or Disabling Web Server Logging. . . .72
Modifying the Default Buffer Size . . . .72
Displaying Web Server Logging Information . . . .73
Installing the NSWL files on the Logging System . . . .75
Installing NSWL on a Solaris Operating System . . . .75
Installing NSWL on a Linux Operating System. . . .76
Installing NSWL on a FreeBSD Operating System . . . .76
Installing NSWL on a MAC Operating System . . . .77
Installing NSWL on a Windows Operating System. . . .78
Installing NSWL on an AIX Operating System . . . .79
NSWL Options . . . .79
Configuring Web Server Logging on the Logging System . . . .80
Modifying the Web Server Log Configuration File . . . .81
Defining Log Properties . . . .83
Adding the IP Addresses of the NetScaler . . . .86
Verifying the Configuration . . . .87
Starting Web Server Logging . . . .87
Stopping Web Server Logging . . . .87
Sample Configuration File . . . .87
Log File Formats . . . .90
Custom Log Format. . . .95
Apache Log Formats . . . .100
Checklist for Configuring Web Server Logging . . . .100
Chapter 5
Advanced Configurations
Configuring Clock Synchronization. . . .103
Configuring Clock Synchronization Manually. . . .103
Configuring Clock Synchronization Using the Configuration Utility or the CLI . . . .105
Path Maximum Transmission Unit Discovery. . . .108
The NetScaler in Transparent Mode . . . .108
The NetScaler in End-Point Mode . . . .108
Enabling or Disabling PMTU Discovery . . . .109
Configuring TCP Window Scaling . . . .109
Configuring Selective Acknowledgement . . . .111
Clearing the Configuration . . . .112
Chapter 6
Reporting Tool
Using the Reporting Tool . . . .115
Working with Reports . . . .117
Working with Charts . . . .120
How Data Collection Works. . . .123
Stopping and Starting the Data Collection Utility . . . .124
Importing Data from the newnslog File . . . .125
Preface
Before you begin to manage and monitor your Citrix NetScaler, take a few minutes to review this chapter and learn about related documentation, other support options, and ways to send us feedback.
In This Preface
About This Guide
New in This Release
Audience
Formatting Conventions
Related Documentation
Getting Service and Support
Documentation Feedback
About This Guide
The Citrix NetScaler Administration Guide provides a conceptual reference and instructions for managing and monitoring the NetScaler using built-in features, such as command policies, SNMP, Audit Server Logging, Web Server Logging, and NTP.
This guide provides the following information:
• Chapter 1, “Citrix NetScaler Authentication and Authorization.” Configure authentication and authorization to manage access to the NetScaler and different parts of the NetScaler configuration.
• Chapter 2, “SNMP.” Learn how SNMP works with NetScaler and how to configure SNMP V1, V2, and V3 on NetScaler.
• Chapter 3, “Audit Server Logging.” Configure the NetScaler audit server log to log and monitor the NetScaler states and status information. Also, learn how to configure audit server logging on a server system and for a deployment scenario.
• Chapter 4, “Web Server Logging.” Configure web server log to maintain a history of the page requests that originate from the NetScaler.
• Chapter 5, “Advanced Configurations.” Learn how to set advanced configurations, such as NTP, PMTU, and autodetected services, on the NetScaler.
• Chapter 6, “Reporting Tool.” Learn how to use the Reporting tool to view performance statistics as reports with graphs that are based on statistics collected by the nscollect utility.
New in This Release
Following is a list of the new features and enhancements in release 9.0 of Citrix NetScaler.
Note: The documentation has been reorganized. The information in this guide, “Citrix NetScaler Administration Guide,” was formerly located in the now obsolete Citrix Installation and Configuration Guide (ICG). Both Volume 1 and Volume 2 of the ICG have been divided into eight new guides. This breakdown into smaller guides was based on audience and task analysis and provides more efficient access to information. For more information about documentation, see “Related Documentation,” on page ix.
• Use new SNMP traps and alarms. For more information, see “Configuring SNMP Traps and Alarms,” on page 34.
• Install the NSWL executable on the AIX platform. For more information, see “Installing NSWL on an AIX Operating System,” on page 79.
• Use new log format when defining log format in the NSWL. For more information, see “Manually Defining a Custom Log Format,” on page 96.
• Configure NTP servers and enable NTP synchronization from the GUI and the NetScaler CLI. For more information, see “Configuring Clock Synchronization Using the Configuration Utility or the CLI,” on page 105.
Audience
This guide is intended for the following audience:
• system administrators
The concepts and tasks described in this guide require you to have a basic understanding of network design, operation, and terminology.
Formatting Conventions
This documentation uses the following formatting conventions.
Convention        Meaning
Boldface          Information that you type exactly as shown (user input); elements in the user interface.
Italics           Placeholders for information or parameters that you provide. For example, FileName in a command means you type the actual name of a file. Also, new terms, and words referred to as words (which would otherwise be enclosed in quotation marks).
Monospace         System output or characters in a command line. User input and placeholders are also formatted using monospace text.
[ brackets ]      Optional items in command statements. For example, in the following command, [-range positiveInteger] means that you have the option of entering a range, but it is not required:
                  add lb vserver name serviceType IPAddress port [-range positiveInteger]
                  Do not type the brackets themselves.
| (vertical bar)  A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:
                  lbMethod = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH |
Related Documentation
A complete set of documentation is available on the Documentation tab of your NetScaler and from http://support.citrix.com/. (Most of the documents require Adobe Reader, available at http://adobe.com/.)
To view the documentation
1. From a Web browser, log on to the NetScaler.
2. Click the Documentation tab.
3. To view a short description of each document, hover your cursor over the title. To open a document, click the title.
Getting Service and Support
Citrix provides technical support primarily through the Citrix Solutions Network (CSN). Our CSN partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support, or check for your nearest CSN partner at http://support.citrix.com/.
You can also get support from Citrix Customer Service at http://citrix.com/. On the Support menu, click Customer Service.
Knowledge Center
The Knowledge Center offers a variety of self-service, Web-based technical support tools at http://support.citrix.com/.
Knowledge Center features include:
• A knowledge base containing thousands of technical solutions to support your Citrix environment
• An online product documentation library
• Interactive support forums for every Citrix product
• Access to the latest hotfixes and service packs
• Knowledge Center Alerts that notify you when a topic is updated
Note: To set up an alert, sign in at http://support.citrix.com/ and, under Products, select a specific product. In the upper-right section of the screen, under Tools, click Add to your Hotfix Alerts. To remove an alert, go to the Knowledge Center product and, under Tools, click Remove from your Hotfix Alerts.
• Security bulletins
• Online problem reporting and tracking (for organizations with valid support contracts)
Silver and Gold Maintenance
In addition to the standard support options, Silver and Gold maintenance options are available. If you purchase either of these options, you receive documentation with special Citrix Technical Support numbers you can call.
Silver Maintenance Option
The Silver maintenance option provides unlimited system support for one year. This option provides basic coverage hours, one assigned support account manager for nontechnical relations management, four named contacts, and advanced replacement for materials.
Technical support is available at the following times:
• North America, Latin America, and the Caribbean: 8 A.M. to 9 P.M. U.S. Eastern Time, Monday through Friday
• Asia (excluding Japan): 8 A.M. to 6 P.M. Hong Kong Time, Monday through Friday
• Australia and New Zealand: 8 A.M. to 6 P.M. Australian Eastern Standard Time (AEST), Monday through Friday
• Europe, Middle East, and Africa: 8 A.M. to 6 P.M. Coordinated Universal Time (Greenwich Mean Time), Monday through Friday
Gold Maintenance Option
The Gold maintenance option provides unlimited system support for one year. Support is available 24 hours a day, 7 days a week. There is one assigned support account manager for nontechnical relations management, and there are six named contacts.
You can also contact your sales representative, Citrix Customer Care, or a member of the Citrix Solutions Advisors program for more information.
Education and Training
Citrix offers a variety of instructor-led and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site.
Information about programs and courseware for Citrix training and certification is available at http://www.citrixtraining.com.
Documentation Feedback
You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send email to the following alias or aliases, as appropriate. In the subject line, specify “Documentation Feedback.” Be sure to include the document name, page number, and product release version.
• For NetScaler documentation, send email to [email protected].
• For Command Center documentation, send email to
• For Access Gateway documentation, send email to [email protected].
You can also provide feedback from the Knowledge Center at http://support.citrix.com/.
To provide feedback from the Knowledge Center home page
1. Go to the Knowledge Center home page at http://support.citrix.com/.
2. On the Knowledge Center home page, under Products, click NetScaler Application Delivery, and click NetScaler Application Delivery Software 9.0.
3. On the Documentation tab, click the guide name, and then click Article Feedback.
4. On the Documentation Feedback page, complete the form, and then click
Citrix NetScaler Authentication and Authorization
NetScaler authentication and authorization functions are of two basic types. The users and groups functions allow you to define who has access to the NetScaler. Command policies allow you to define what parts of the NetScaler configuration a user or group is permitted to access and modify. In other words, command policies regulate which commands, command groups, and other elements NetScaler users and groups are permitted to use.
To configure authentication and authorization, you first define the users who have access to the NetScaler. After you have defined the users, you can organize them into groups. You then configure command policies to define the types of access, and assign the policies to users and/or groups.
Defining Users
Defining Groups
Command Policies
Resetting the Default Administrator (nsroot) Password
Examples of User Scenarios
Defining Users
Once you have changed the default password, no user can access the NetScaler until you create an account for that user. After you have defined your users by creating accounts for them, you might have to change passwords or remove user accounts.
Creating a User Account
To create a user account, you assign a user name and password, using the parameters described in the following table.
Parameter   Specifies
User Name   Name that the user enters to request access.
Password    Password that the user enters to request access.
To create a user account, use either of the following procedures.
To add a user account using the configuration utility
1. In the navigation pane, expand System and click Users.
2. On the System Users page, click Add.
3. In the Create System User dialog box, in the User Name text box, type a name for the user (for example, johnd).
4. In the Password text box, type a password to assign to the user.
5. In the Confirm Password text box, type the password again.
6. Click Create and click Close.
To add a user account using the NetScaler command line
At the NetScaler command prompt, type:
add system user userName
Example
add system user johnd
Changing a User Password
The following table describes the parameter you set to change a user password on the NetScaler.
Parameter   Specifies
Password    The password you assign for the user account.
To change a user password, use either of the following procedures.
To change the user password using the configuration utility
1. In the navigation pane, expand System and click Users.
2. On the System Users page, select the user account for which you want to change the password (for example, johnd) and click Change Password.
3. In the Password text box, type the new password.
4. In the Confirm Password text box, type the new password again.
5. Click OK.
To change the user password using the NetScaler command line
At the NetScaler command prompt, type:
set system user userName newpassword
Example
set system user johnd johnd1
Removing User Accounts
You can remove user accounts if the policy assigned to your account allows you to do so, or if you log in to the nsroot account. The nsroot account cannot be removed.
To remove a user account, use either of the following procedures.
To remove a user account using the configuration utility
1. In the navigation pane, expand System and click Users.
2. On the System Users page, select the user account that you want to remove (for example, johnd).
3. Click Remove. The Remove pop-up window appears.
4. Click Yes.
To remove a user using the NetScaler command line
At the NetScaler command prompt, type:
rm system user userName
Example
Defining Groups
To define a group, you first create the group, then bind users to the group.
Adding Groups
The following table describes the parameter you set to create a group.
Parameter    Specifies
Group Name   Name for the group of NetScaler users.
Use either of the following procedures to add a group.
To add a group using the configuration utility
1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, click Add.
3. In the Create System Group dialog box, in the Group Name text box, type a name for the group (for example, Managers).
4. Click Create, and click Close.
To add a group using the NetScaler command line
At the NetScaler command prompt, type:
add system group groupName
Example
add system group Managers
Binding a User to a Group
You can bind each user account to more than one group. Binding user accounts to multiple groups may allow more flexibility when applying command policies. The following table describes the parameter you set to bind a user to a group.
Parameter   Specifies
User Name   Name of the NetScaler user to be bound to the group.
To bind a user to a group, use either of the following procedures.
To bind a user to a group using the configuration utility
1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, select a group and click Open.
3. In the Configure System Group dialog box, under the Members section, select the user you want to bind to the group from the Available Users list, and click Add.
To bind a user to a group using the NetScaler command line
At the NetScaler command prompt, type:
bind system group groupName userName
Example
bind system group Managers johnd
Removing Groups
All the users and command policies that are currently bound to the group must be unbound before you remove the group.
To remove a group using the configuration utility
1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, select the group that you want to remove (for example, Managers).
3. Click Remove.
4. In the Remove pop-up, click Yes.
To remove a group using the NetScaler command line
At the NetScaler command prompt, type:
rm system group groupName
Example
rm system group Managers
Command Policies
Command policies regulate which commands, command groups, vservers, and other elements NetScaler users and user groups are permitted to use.
The NetScaler provides a set of built-in command policies, and you can configure custom policies. To apply the policies, you bind them to user and/or groups.
Here are the key points to keep in mind when defining and applying command policies.
• No global command policies may be created on the NetScaler. Command policies must be bound directly to NetScaler users and groups.
• Users or groups with no associated command policies are subject to the default DENY-ALL command policy, and will therefore be unable to execute any commands until the proper command policies are bound to their accounts.
• All users inherit the policies of the groups to which they belong.
• You must assign a priority to a command policy when you bind it to a user account or group account. This enables the NetScaler to determine which policy has priority when two or more conflicting policies apply to the same user or group.
• The following commands are available by default to any user and are unaffected by any command policies you specify: help cli, show cli attribute, clear cli prompt, alias, unalias, batch, source, help, history, man, quit, exit, whoami, config, set cli mode, unset cli mode, show cli mode, set cli prompt, and show cli prompt.
Built-in Command Policies
Four default command policies are available on the NetScaler. The following table describes them.
Policy Name   Allows
read-only     Read-only access to all show commands except show runningconfig, show ns.conf, and the show commands for the NetScaler command group.
operator      Read-only access and access to commands to enable and disable services and servers or place them in ACCESSDOWN mode.
network       Full access except to NetScaler commands, the shell command, and the show ns.conf and sh runningconfig commands.
superuser     Full access to all commands (its command specification is .*).
Creating Custom Command Policies
Regular expression support is offered for users with the resources to maintain more customized expressions and those deployments that require the flexibility that regular expressions offer. For most users, the built-in command policies should be sufficient. Users who need additional levels of control, but are unfamiliar with regular expressions, may want to use only simple expressions, such as those in the examples provided in this section, to maintain policy readability.
When you use a regular expression to create a command policy, keep the following in mind.
• When you use regular expressions to define commands that will be affected by a command policy, you must enclose the commands in double quotes. For example, if you want to create a command policy named allowShow that includes all commands that begin with show, you should type the following:
“^show .*$”
If you want to create a command policy that includes all commands that begin with rm, you should type the following:
DENY “^rm .*$”
• Regular expressions used in command policies are case-insensitive. The following table gives examples of regular expressions:
Command Specification          Matches these Commands
“^rm\s+.*$”                    All remove actions, because all remove actions begin with the rm string, followed by a space and additional parameters and flags.
“^show\s+.*$”                  All show commands, because all show actions begin with the show string, followed by a space and additional parameters and flags.
“^shell$”                      The shell command alone, but not combined with any other parameters or flags.
“^add\s+vserver\s+.*$”         All create a vserver actions, which consist of the add vserver command followed by a space and additional parameters and flags.
“^add\s+(lb\s+vserver)\s+.*”   All create an lb vserver actions, which consist of the add lb vserver command followed by a space and additional parameters and flags.
“^set\s+lb\s+.*$”              All commands that configure load balancing settings at the command group level.
The following table shows the command specifications for each of the built-in command policies:
Policy Name   Command Specification Regular Expression
read-only     (^man.*)|(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)
operator      (^man.*)|(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)|(^set.*-accessdown.*)|(^(enable|disable) (server|service).*)
network       ^(?!shell)\S+\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*
superuser     .*
The following table describes the parameters you set to create a command policy.
Parameter      Specifies
Policy Name    Name of the command policy.
Command Spec   Rule expression that the policy uses to pattern match.
Action         The action the policy applies when the command specification pattern matches. Possible values: ALLOW and DENY.
To create a command policy, use either of the following procedures.
To create a command policy using the configuration utility
1. In the navigation pane, expand System and click Command Policies.
2. On the Command Policies page, click Add.
3. In the Create Command Policy dialog box, in the Policy Name text box, type a name for the command policy (for example, read_all).
4. In the Action list, select the action (for example, Allow).
5. In the Command Spec text box, enter a command specification, such as “(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)” (you can use the Policy Components to expedite entry).
6. Click Create.
To create a command policy using the NetScaler command line
At the NetScaler command prompt, type:
add system cmdPolicy policyname action cmdspec
Example
add system cmdPolicy read_all ALLOW (^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)
Binding Command Policies to Users and Groups
Once you have defined your command policies, you must bind them to the appropriate user accounts and groups. When you bind a policy, you must assign it a priority so that the NetScaler can determine which command policy to follow when two or more applicable command policies are in conflict.
The order in which command policies are evaluated is:
• Command policies bound directly to users and to the corresponding groups are evaluated based on the priority number. A command policy with a lower priority number is evaluated before one with a higher priority number. Therefore, any privileges the lower-numbered command policy explicitly grants or denies are not overridden by a higher-numbered command policy.
• When two command policies, one bound to a user account and the other bound to a group, have the same priority number, the command policy bound directly to the user account is evaluated first.
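The built-in command specifications listed earlier and the evaluation order just described can be checked offline before a policy is bound. The following Python script is an added example, not Citrix code and not a description of how the appliance itself is implemented: it uses Python's re module, case-insensitive as the guide states, as a stand-in for the appliance's matcher, and models the evaluation rules exactly as the guide describes them (lower priority number first, a user binding before a group binding at equal priority, the first matching policy decides, DENY-ALL when nothing matches). The Binding class, the spec_matches and evaluate functions, the scope field, the use of re.search and the sample bindings for johnd are assumptions of this example.

```python
"""Offline model of NetScaler command-policy evaluation (added example, not Citrix code).

The built-in policy expressions and the always-available command list are the ones
the guide gives. Everything else (data structures, function names, using Python's
re module for the match, re.search semantics for unanchored specs) is assumed.
"""
import re
from dataclasses import dataclass

# Built-in command specifications exactly as listed in the guide.
BUILTIN_POLICIES = {
    "read-only": r"(^man.*)|(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)",
    "operator": (
        r"(^man.*)|(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)"
        r"|(^set.*-accessdown.*)|(^(enable|disable) (server|service).*)"
    ),
    "network": r"^(?!shell)\S+\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*",
    "superuser": r".*",
}

# Commands the guide says are available to any user regardless of command policies.
ALWAYS_AVAILABLE = {
    "help cli", "show cli attribute", "clear cli prompt", "alias", "unalias", "batch",
    "source", "help", "history", "man", "quit", "exit", "whoami", "config",
    "set cli mode", "unset cli mode", "show cli mode", "set cli prompt", "show cli prompt",
}


@dataclass(frozen=True)
class Binding:
    """A command policy bound to a user (scope='user') or to a group (scope='group')."""
    policy_name: str
    cmdspec: str
    action: str      # "ALLOW" or "DENY"
    priority: int    # lower number is evaluated first
    scope: str       # "user" or "group"; assumed field used for the equal-priority tie-break


def spec_matches(cmdspec: str, command: str) -> bool:
    """Case-insensitive match, as the guide states for command-policy expressions.

    re.search is used because the guide's specs carry their own ^ anchors; treating an
    unanchored spec as a substring match is an assumption of this model.
    """
    return re.search(cmdspec, command, re.IGNORECASE) is not None


def evaluate(command: str, bindings: list) -> tuple:
    """Return (action, reason) for a command under the effective set of bindings."""
    if command.strip().lower() in ALWAYS_AVAILABLE:
        return ("ALLOW", "always-available")
    # Lower priority number first; at equal priority the binding on the user account
    # is evaluated before the binding inherited from a group, as the guide describes.
    ordered = sorted(bindings, key=lambda b: (b.priority, 0 if b.scope == "user" else 1))
    for b in ordered:
        if spec_matches(b.cmdspec, command):
            return (b.action.upper(), b.policy_name)
    return ("DENY", "default DENY-ALL")   # no policy matched


def builtin(name: str, priority: int, scope: str = "user") -> Binding:
    """Convenience constructor for an ALLOW binding of one of the built-in policies."""
    return Binding(name, BUILTIN_POLICIES[name], "ALLOW", priority, scope)


if __name__ == "__main__":
    # Constructed scenario: johnd has a DENY policy on rm bound directly (priority 1) and
    # inherits the superuser policy from the Managers group (priority 2).
    johnd = [
        Binding("deny_rm", r"^rm .*$", "DENY", 1, "user"),
        builtin("superuser", 2, "group"),
    ]
    for cmd in ("rm lb vserver v1", "add lb vserver v1 HTTP 10.0.0.1 80", "whoami"):
        print(f"{cmd!r:40} -> {evaluate(cmd, johnd)}")
```

Running the script prints the decision and the policy that produced it for each constructed command; the same evaluate call is a quick way to confirm, before binding, that a DENY with a lower priority number really does shadow a broader ALLOW inherited from a group, and that a custom specification such as the read_all example above does not accidentally match show ns runningConfig.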
Binding Command Policies to a User
The following table describes the parameters you set to bind command policies to a user.
Parameter     Specifies
User Name     The user account.
Policy Name   Name of the command policy to bind to the user.
To bind a policy to a user, use either of the following procedures.
To bind command policies to a user using the configuration utility
1. In the navigation pane, expand System and click Users.
2. On the System Users page, select a user (for example, johnd).
3. Click Open.
4. In the Configure System User dialog box, under Command Policies, in the Active column, select one or more check boxes for policies to bind to this user.
5. In the Priority list box, for each active policy, enter a priority number for the policy (for example, 1), or adjust the number.
6. Click OK.
To bind command policies to a user using the NetScaler command line
At the NetScaler command prompt, type:
bind system user userName policyName priority
Example
bind system user johnd johnd_pol 1
Binding Command Policies to a Group
The following table describes the parameters you set to bind a policy to a group.
Parameter     Specifies
Group Name    Name of the group.
Policy Name   Name of the command policy to bind to the user group.
To bind command policies to a group, use either of the following procedures.
To bind command policies to a group using the configuration utility
1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, select a group (for example, Managers).
3. Click Open.
4. In the Configure System Group dialog box, under Command Policies, in the Active column, select one or more check boxes for policies to bind to this group.
5. In the Priority list box, for each active policy, enter a priority number for the policy (for example, 2), or adjust the number.
6. Click OK.
To bind command policies to a group using the NetScaler command line At the NetScaler command prompt, type:
bind system group groupName -policyName policyName priority
Example
bind system group Managers -policyName Managers_pol 2
Removing Command Policies
The built-in command policies cannot be removed. If your user account is assigned the right to remove a command policy, you can use either of the following procedures to remove command policies.
To remove a command policy using the configuration utility
1. In the navigation pane, expand System and click Command Policies.
2. On the Command Policies page, select the command policy to be removed (for example, Managers_pol).
3. Click Remove.
4. In the Remove pop-up window, click Yes.
To remove a command policy using the NetScaler command line
At the NetScaler command prompt, type:
rm system cmdPolicy PolicyName
Example
rm system cmdPolicy Managers_pol
Resetting the Default Administrator (nsroot) Password
The nsroot account provides complete access to all features of the NetScaler. Therefore, to preserve security, the nsroot account should be used only when necessary, and only individuals whose duties require full access should know the nsroot account password. Also for security, it is advisable to change the nsroot password frequently. If you lose the password, you can reset it as described here. To reset the nsroot password, you must boot the NetScaler into single user mode, mount the file systems in read/write mode, and remove the set NetScaler user nsroot entry from the ns.conf file. This process does not actually recover your nsroot password, but it does allow you to reset it to the default setting, nsroot. You can then choose a new password.
To reset the nsroot password
1. Connect a computer to the NetScaler serial port and log on.
Note: You cannot log on via ssh to perform this procedure; you must connect directly to the NetScaler.
As the operating system starts, it displays the following message:
Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [kernel] in # seconds.
2. Press CTRL+C.
The following message appears:
Type ‘?’ for a list of commands, ‘help’ for more detailed help.
ok
3. Type boot -s, and press the Enter key to start the NetScaler in single user mode.
After the NetScaler boots, it displays the following message:
Enter full pathname of shell or RETURN for /bin/sh:
4. Press the Enter key to display the # prompt, and type the following commands to mount the file systems:
fsck /dev/ad0s1a
mount /dev/ad0s1a /flash
5. Using a text editor of your choice, edit the /flash/nsconfig/ns.conf file and remove the set system user nsroot entry.
6. Save the file and exit the text editor.
7. Type reboot and press the Enter key to reboot the NetScaler.
When the NetScaler completes rebooting, it prompts for username and password.
8. Log on as nsroot, with the password nsroot.
Once logged in to the NetScaler, you will be required to enter a new nsroot user password.
9. Follow the prompts to change the password.
10. Exit the config ns menu.
Examples of User Scenarios
The following example shows how to create a complete set of user accounts, groups, and command policies and bind each policy to the appropriate groups and users. The company, Example Manufacturing, Inc., has three users who will access the NetScaler:
• John Doe. The IT manager. John needs to be able to see all parts of the NetScaler configuration but does not need to modify anything.
• Maria Ramirez. The lead IT administrator. Maria needs to be able to see and modify all parts of the NetScaler configuration except for NetScaler commands (which local policy dictates must be performed while logged on as nsroot).
• Michael Baldrock. The IT administrator in charge of load balancing. Michael needs to be able to see all parts of the NetScaler configuration, but needs to modify only the load balancing functions.
The following table shows the breakdown of network information, user account names, group names, and command policies for the sample company:
Field               Value              Note
NetScaler hostname  ns01.example.net
User accounts       johnd              John Doe, IT manager
                    mariar             Maria Ramirez, IT administrator
                    michaelb           Michael Baldrock, IT administrator
Groups              Managers           All managers
                    SysOps             All IT administrators
Command Policies    read_all           Allow complete read-only access
                    modify_lb          Allow modify access to load balancing
                    modify_all         Allow nearly complete modify access
The following description walks you through the process of creating a complete set of user accounts, groups, and command policies on the NetScaler ns01.example.net.
The description includes procedures for binding the appropriate user accounts and groups to one another, and binding appropriate command policies to the user accounts and groups.
This example illustrates how you can use prioritization to grant precise access and privileges to each user in the IT department.
The example assumes that initial installation and configuration have already been performed on the NetScaler.
To create johnd, mariar, and michaelb user accounts
1. In the navigation pane, expand System and click Users.
2. On the System Users page, click Add.
3. In the Create System User dialog box, in the User Name text box, type johnd.
4. In the Password text box, type a password to assign to the user.
5. In the Confirm Password text box, again type the password that you have typed in the Password text box.
6. Click Create.
7. Repeat steps 2–6 to create user accounts and passwords for Maria Ramirez and Michael Baldrock.
To create groups Managers and SysOps
1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, click Add.
3. In the Create System Group dialog box, in the Group Name text box, type Managers.
4. Click Create, and click Close.
5. Repeat steps 1–4 to create a group named SysOps.
To bind users to a group
1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, select the Managers group and click Open.
3. In the Configure System Group dialog box, under Members, select johnd in the Available Users list.
4. Click Add to move johnd to the Configured Users list.
5. Click OK, and click Close.
6. Repeat steps 1–4 to bind users mariar and michaelb to the group SysOps.
To add command policies
1. In the navigation pane, expand System and click Command Policies.
2. On the Command Policies page, click Add.
3. In the Create Command Policy dialog box, in the Policy Name text box, type read_all.
4. In the Action list, select Allow.
5. In the Command Spec text box, enter “(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)” (you can use the Policy Components to expedite entry).
6. Click Create.
7. Repeat steps 1–6 to create a command policy named modify_lb with the action Allow and the command spec “^set\s+lb\s+.*$”.
8. Repeat steps 1–6 to create a command policy named modify_all with the action Allow and the command spec “^\S+\s+(?!system).*”.
To bind a command policy to a group
1. In the navigation pane, expand System and click Groups.
2. On the System Groups page, select the Managers group.
3. Click Open.
4. In the Configure System Group dialog box, under Command Policies, in the Active column, select the read_all policy and change the Priority list box to 1.
5. Click OK.
6. Repeat steps 1–5 to bind the read_all command policy to the SysOps group, also assigning it a priority of 1.
To bind a command policy to a user
1. In the navigation pane, expand System and click Users.
2. On the System Users page, select the michaelb user account.
3. Click Open.
4. In the Configure System User dialog box, under Command Policies, in the Active column, select the modify_lb policy and change the Priority list box to 5.
5. Click OK.
The configuration you've just created results in the following:
• John Doe, the IT manager, has read-only access to the entire NetScaler, but cannot make modifications.
• Maria Ramirez, the IT lead, has near-complete access to all areas of the NetScaler configuration, having to log on only to perform NetScaler-level commands.
• Michael Baldrock, the IT administrator responsible for load balancing, has read-only access to the NetScaler configuration, and can modify the configuration options for load balancing.
As mentioned earlier, the set of command policies that applies to a specific user is a combination of command policies applied directly to the user's account and command policies applied to the group(s) of which the user is a member. Each time a user enters a command, the operating system searches the command policies for that user until it finds a policy with an explicit ALLOW or DENY action that matches the command. When it finds a match, the operating system stops its command policy search and allows or denies access to the command. If the operating system finds no matching command policy, it denies the user access to the command, in accordance with the NetScaler’s default deny policy.
Note: When placing a user into multiple groups, take care not to cause unintended user command restrictions or privileges. To avoid these conflicts, when organizing your users in groups, it's good to bear in mind the NetScaler's command policy search procedure and policy ordering rules.
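The evaluation rules just described, as an added Python model that is not part of the NetScaler documentation: it uses the scenario's three command specs and bindings, plus a constructed deny_nsconf DENY policy and an assumed binding of modify_all to mariar (the page creates that policy but never shows it bound), to show which commands each account can run and why the order matters. The real appliance's regular-expression engine may differ from Python's in edge cases.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CmdPolicy:
    name: str
    action: str   # "ALLOW" or "DENY"
    spec: str     # command spec: regular expression matched against the command line


# The three command policies from the Example Manufacturing scenario, plus one
# constructed DENY policy (not on the page) used to show priority ordering.
POLICIES = {
    "read_all": CmdPolicy("read_all", "ALLOW",
        r"(^show\s+(?!system)(?!ns ns.conf)(?!ns runningConfig).*)|(^stat.*)"),
    "modify_lb": CmdPolicy("modify_lb", "ALLOW", r"^set\s+lb\s+.*$"),
    "modify_all": CmdPolicy("modify_all", "ALLOW", r"^\S+\s+(?!system).*"),
    "deny_nsconf": CmdPolicy("deny_nsconf", "DENY", r"^show\s+ns\s+ns\.conf"),  # constructed
}

# Bindings as created in the scenario: (policy name, priority number).
GROUP_BINDINGS = {"Managers": [("read_all", 1)], "SysOps": [("read_all", 1)]}
USER_BINDINGS = {
    "johnd": [],
    "michaelb": [("modify_lb", 5)],
    # Assumption: binding modify_all (and the constructed deny_nsconf) to mariar
    # reproduces the "near-complete access" the scenario describes for her.
    "mariar": [("deny_nsconf", 1), ("modify_all", 2)],
}
GROUP_MEMBERS = {"Managers": {"johnd"}, "SysOps": {"mariar", "michaelb"}}


def ordered_policies(user):
    """Applicable policies in the evaluation order the page gives: lower priority
    number first; at the same number a user-bound policy precedes a group-bound one."""
    ranked = [(prio, 0, name) for name, prio in USER_BINDINGS.get(user, [])]
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            ranked += [(prio, 1, name) for name, prio in GROUP_BINDINGS[group]]
    return [POLICIES[name] for _, _, name in sorted(ranked)]


def evaluate(user, command):
    """The first policy whose spec matches decides (ALLOW or DENY); no match is the
    NetScaler's default deny. Returns (decision, policy name)."""
    for policy in ordered_policies(user):
        if re.search(policy.spec, command):
            return policy.action, policy.name
    return "DENY", "default"


def matches(policy_name, command):
    """Test one spec in isolation, the check to run when reviewing a new policy."""
    return re.search(POLICIES[policy_name].spec, command) is not None
```

Running matches("modify_all", "show ns ns.conf") shows why the lower-numbered DENY is needed: the modify_all spec as written also matches read commands that read_all deliberately excludes.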
SNMP
The NetScaler supports Simple Network Management Protocol (SNMP) functionality, as illustrated in the following diagram. This diagram shows a network with a NetScaler that has SNMP enabled and configured. In the diagram, each SNMP network management application uses SNMP to communicate with the SNMP agent on the NetScaler. The SNMP agent searches its management information base (MIB) to collect the data requested by the network management application, and provides the information to the application.
The SNMP agent on the NetScaler supports SNMP version 1 (SNMPv1), SNMP version 2 (SNMPv2), and SNMP version 3 (SNMPv3). The SNMP agent handles queries, such as SNMPv2 Get-Bulk, from the SNMP manager. The SNMP agent also sends out traps compliant with SNMPv2. It also supports SNMPv2 data-types, such as counter64.
In This Chapter:
• Importing MIB Files
• Defining SNMP Managers
• Configuring SNMP V1 and V2
• SNMP V3
Importing MIB Files
SNMPv1 managers (programs on computers that request SNMP information from the NetScaler) use the NS-MIB-smiv1.mib file when processing SNMP queries. SNMPv2 and SNMPv3 managers use the NS-MIB-smiv2.mib file. The NetScaler supports enterprise-specific MIBs. They are:
• A subset of standard MIB-2 groups. Provides the MIB-2 groups SYSTEM, IF, ICMP, UDP, and SNMP.
• A NetScaler enterprise MIB. Provides NetScaler-specific configuration and statistics.
Before you start configuring SNMP, you must import the appropriate SNMP MIB files to the network management application, as follows:
• If the HP OpenView SNMP manager is installed on your computer, copy the NS-MIB-smiv2.mib file from the NetScaler Product CD, /Utilities/SNMP/HP_OpenView directory, or download it from the FTP site ftp.netscaler.com.
• If the WhatsUpGold SNMP manager is installed on your computer, copy the traps.txt and mib.txt files from the NetScaler Product CD, /Utilities/SNMP/WhatsUpGold directory, or download them from the FTP site ftp.netscaler.com.
Note: For information about the user name and password used to connect to the FTP site, contact the NetScaler product support group.
Defining SNMP Managers
You need to configure the management application, which complies with SNMP version 1, SNMP version 2, or SNMP version 3, to access the NetScaler. You can add up to a maximum of 100 SNMP managers or networks.
Note: If you do not configure at least one SNMP manager, the NetScaler accepts and responds to SNMP queries from all IPs on the network. If you configure one or more SNMP managers, it accepts and responds only to SNMP queries from those specific IPs.
Adding an SNMP Manager
The following table describes the parameters you set to add an SNMP manager:
Parameter     Specifies
IP Address    IP/Network address of the management station.
Netmask       Subnet of management stations. Used to grant access from entire subnets to the NetScaler.
To add an SNMP manager, use either of the following procedures:
To add an SNMP manager using the configuration utility
1. In the navigation pane, expand System, click SNMP, and click Managers.
2. In the Add SNMP Manager dialog box, click Add.
3. In the Create Manager dialog box, in the IP Address text box, type the IP address of the computer running the management application (for example, 10.102.29.5).
4. Click Add.
To add an SNMP manager using the NetScaler command line
At the NetScaler command prompt, type:
add snmp manager IPaddress
Example
add snmp manager 10.102.29.5
Removing SNMP Managers
When you remove an SNMP manager from the NetScaler, that manager can no longer query the NetScaler.
Note: If there is no SNMP manager configured on the NetScaler, network management applications from any host computer can access the NetScaler.
To remove an SNMP manager, use either of the following procedures:
To remove an SNMP manager using the configuration utility
1. In the navigation pane, expand System, click SNMP, and then click Managers.
2. On the SNMP Managers page, select the manager which you want to remove.
3. Click Remove.
4. In the Remove dialog box, click Yes.
To remove an SNMP manager using the NetScaler command line At the NetScaler command prompt, type:
rm snmp manager IPAddress
Example
rm snmp manager 10.102.29.5
Configuring SNMP V1 and V2
Before you can use SNMP in the NetScaler, you must configure the NetScaler to allow the appropriate SNMP managers to access it. You must also provide the SNMP manager with the required NetScaler-specific information. The configuration process consists of the following tasks:
• Set the SNMP community, which defines access privileges (Read operation).
• Set traps and alarms to send SNMP trap notifications to the SNMP manager for any asynchronous events generated by the agent to indicate the state of the NetScaler.
Adding an SNMP Community
You add an SNMP community string to grant access to an SNMP network management application to manage the NetScaler. The community also defines the specific management tasks that you can perform.
The following table describes the parameters you set to add an SNMP community:
Parameter        Specifies
Community Name   SNMP community string.
Permissions      Access privileges. Possible values: GET, GET NEXT, GET BULK, ALL.
To add an SNMP community string
1. In the navigation pane, expand System, click SNMP, and then click Community.
2. On the SNMP Community page, click Add.
3. In the Add SNMP Community dialog box, in the Community String text box, type a name for the community to be added (for example, Com_All).
4. In Permission, select the ALL option.
5. Click Create.
Removing an SNMP Community
When you remove a community string, no SNMP managers can use this community string to manage or access the NetScaler.
To remove a community string, use either of the following procedures:
To remove an SNMP community string
1. In the navigation pane, expand System, click SNMP, and then click Community.
2. On the SNMP Community page, select the community that you want to remove (for example, Com_All).
3. Click Remove.
4. In the Remove dialog box, click Yes.
Configuring SNMP Traps and Alarms
In addition to providing information in response to specific requests, the NetScaler can display an alarm, or notification message, in a window on a designated computer or computers whenever a particular type of event occurs. This type of notification is called an SNMP trap, and it helps administrators monitor the NetScaler and respond promptly to any issues.
SNMP traps are asynchronous events generated by the agent to indicate the state of the NetScaler. The trap listener receives traps on the trap destination port. If this port is not configured correctly, the traps do not reach the SNMP manager. You can configure the NetScaler to send traps to the SNMP manager when specific events generate alarms at specific severity levels. There are 5 severity levels: Critical, Major, Minor, Warning, and Informational.
You can configure the NetScaler to send SNMP traps with a source IP other than the NSIP. You can set the source IP of an SNMP trap to either a MIP or a SNIP. The NetScaler supports four types of generic SNMP traps and 65 types of enterprise-specific traps. You can specify a maximum of five IP addresses as destinations for either type. If more than 10 authentication trap messages are generated within 20 seconds, no trap messages will be generated for the next 60 seconds.
The following table describes the generic traps that the NetScaler supports.
Generic trap            Indicates
authenticationFailure   An SNMP management application without access privileges has attempted to access the NetScaler.
coldStart               An SNMP entity configured as an agent has reinitialized itself. Its configuration may have been altered.
linkUp                  The sending protocol entity recognizes that one of the communication links represented in the agent's configuration has come up.
linkDown                The sending protocol entity recognizes a failure in one of the communication links represented in the agent's configuration.
The following table describes the specific SNMP traps that the NetScaler supports.
Specific trap                   Indicates
averageCpuUtilization           Average CPU usage in the multi-processor NetScaler has exceeded the high threshold.
averageCpuUtilizationNormal     Average CPU usage in the multi-processor NetScaler has come back to normal after exceeding the predefined threshold.
changeToPrimary                 The NetScaler has become the primary node in a High Availability configuration.
changeToSecondary               The NetScaler has become the secondary node in a High Availability configuration.
cpuUtilization                  CPU utilization has exceeded the threshold.
cpuUtilizationNormal            CPU utilization has returned to normal after exceeding the threshold and generating a cpuUtilization trap.
diskUsageHigh                   Disk usage has exceeded the threshold.
diskUsageNormal                 Disk usage has returned to normal.
entityup                        State of the interface, vserver, or physical service has changed to UP.
entitydown                      State of the interface, vserver, or physical service has changed to DOWN.
fanSpeedLow                     A fan speed has fallen below an alarm threshold. Note: Fan speed varies from 4000 through 6500 on all platforms. An alarm threshold of 25% of the minimum is recommended.
fanSpeedNormal                  A fan speed has returned to normal.
interfaceThroughputLow          Interface throughput has fallen below an alarm threshold.
interfaceThroughputNormal       Interface throughput has returned to normal.
maxClients                      Number of clients for a service has reached the maximum allowed for that service.
maxClientsNormal                Number of clients for a service has fallen below 70% of the maximum number allowed for that service, after causing a maxClients trap.
memoryUtilization               Memory utilization has exceeded the predefined threshold.
memoryUtilizationNormal         Memory utilization has returned to normal after a memoryUtilization trap.
monRespTimeoutAboveThresh       Response time for a monitor probe has exceeded the configured threshold.
monRespTimeoutBelowThresh       Response time for a monitor probe is below the threshold, indicating that response time has returned to normal.
netscalerLoginFailure           A user's attempt to log in to the NetScaler has failed.
NetScalerConfigChange           Your NetScaler configuration has changed. Note: This trap is not generated when the configuration is restored from the ns.conf file.
netScalerConfigSave             The NetScaler configuration has been saved.
serviceRequestRate              Request rate on a service has exceeded the threshold.
serviceRequestRateNormal        Request rate on a service has returned to normal.
serviceRxBytesRate              Request bytes/s of a service has exceeded a threshold value.
serviceRxBytesRateNormal        Request bytes/s of a service has returned to normal.
serviceTxBytesRate              Response bytes/s of a service has exceeded a threshold value.
serviceTxBytesRateNormal        Response bytes/s of a service has returned to normal.
serviceSynfloodRate             The number of unacknowledged SYNs for a service has exceeded a threshold value.
serviceSynfloodNormal           The number of unacknowledged SYNs for a service has returned to normal.
sslCertificateExpiry            An SSL certificate is due to expire.
svcGrpMemberRequestRate         Request rate on a service group member has exceeded a threshold value.
svcGrpMemberRequestRateNormal   Request rate on a service group member has returned to normal.
svcGrpMemberRxBytesRate         Request bytes per second of a service group has exceeded a threshold value.
svcGrpMemberRxBytesRateNormal   Request bytes per second of a service group has returned to normal.
svcGrpMemberTxBytesRate         Response bytes per second of a service group has exceeded a threshold value.
svcGrpMemberTxBytesRateNormal   Response bytes per second of a service group has returned to normal.
svcGrpMemberSynfloodRate        Number of unacknowledged SYN packets for a service group has exceeded a threshold value.
svcGrpMemberSynfloodNormal      Number of unacknowledged SYN packets for a service group has returned to normal.
svcGrpMemberMaxClients          Number of clients has reached the maxClients value for a service group member.
svcGrpMemberMaxClientsNormal    Number of clients has fallen below 70% of the maxClients value for a service group member.
synflood                        Rate at which unacknowledged SYN packets are received has exceeded the threshold.
synfloodNormal                  Rate at which unacknowledged SYN packets are received has returned to normal.
temperatureHigh                 Temperature has gone high. The temperature is measured in degrees centigrade (°C).
temperatureNormal               Temperature has returned to normal.
vServerRequestRate              Request rate on a vserver has exceeded the predefined threshold.
vServerRequestRateNormal        Request rate on a vserver has returned to normal.
vserverRxBytesRate              Request bytes/s of a vserver has exceeded the threshold value.
vserverRxBytesRateNormal        Request bytes/s of a vserver has returned to normal.
vserverTxBytesRate              Response bytes/s of a vserver has exceeded a threshold value.
vserverTxBytesRateNormal        Response bytes/s of a vserver has returned to normal.
vserverSynfloodRate             Number of unacknowledged SYNs for a vserver has exceeded a threshold value.
vserverSynfloodNormal           Number of unacknowledged SYNs for a vserver has returned to normal.
voltageLow                      A voltage has fallen below the threshold value.
voltageNormal                   A voltage has returned to normal.
voltageHigh                     A voltage has exceeded the threshold value.
Note: The three traps voltageLow, voltageNormal, and voltageHigh are based on v33main and v33stby (mV). The normal value ranges from 2970mV through 3630mV.
haVersionMismatch               OS versions of the NetScalers in a High Availability configuration do not match.
haSyncFailure                   Configuration synchronization has failed on the secondary node.
haNoHeartbeats                  High Availability heartbeats are not received by the primary node from the secondary.
haBadSecState                   State of the secondary node has changed to DOWN, UNKNOWN, or STAY SECONDARY.
powerSupplyFailed               Power supply has failed.
powerSupplyNormal               The power supply has returned to service.
interfaceBWUseHigh              Bandwidth usage of any of the interfaces of the NetScaler has exceeded the threshold value.
interfaceBWUseNormal            Bandwidth usage of any of the interfaces of the NetScaler has returned to normal.
aggregateBWUseHigh              Aggregate bandwidth usage of the NetScaler has exceeded the threshold value.
aggregateBWUseNormal            Aggregate bandwidth usage of the NetScaler has returned to normal.
The following table describes the parameters you set to add an SNMP trap:
Parameter                Specifies
Trap Class               The trap type. Possible values: generic and specific.
Version                  SNMP version of the trap PDU to be sent.
Destination IP Address   IP address of the trap destination.
Destination Port         Destination port of the trap. Default: 162. Minimum value: 1.
Source IP Address        Source IP of the traps.
Severity                 Minimum severity of the alarm resulting in this trap. Default: Informational (any alarm).
Community Name           The community string. The SNMP manager listens for traps with this community name. Default: public.
To add an SNMP trap, use either of the following procedures:
To add an SNMP trap using the configuration utility
1. In the navigation pane, expand System, click SNMP, and click Traps.
2. On the Traps page, click Add.
3. In Version, select an SNMP version (for example, V1).
4. In the Destination IP Address text box, type the IP address that is to receive the trap (for example, 10.102.29.3).
5. In the Destination Port text box, type the destination port (for example, 163).
6. In the Source IP text box, type the source IP address of the trap (for example, 10.102.29.54).
7. In Minimum Severity, select a severity option (for example, Major).
8. In the Community Name text box, type the name of the SNMP string that you want to include in the trap (for example, com1).
9. Click Add.
To add an SNMP trap using the NetScaler command line
At the NetScaler command prompt, type:
add snmp trap trapClass trapDestination -version ( V1 | V2 ) -destPort port -communityName string -srcIP ip_addr -severity severity
Example
add snmp trap specific 10.102.29.3 -version V2 -destPort 163 -communityName com1 -srcIP 10.102.29.54 -severity Major
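The trap rules above (enabled alarms only, the trap's minimum severity, the alarm's logging state, and the authentication-trap throttle), as an added Python model that is not part of the NetScaler documentation. It assumes "minimum severity" means the alarm must be at least that severe, and that the 11th authentication trap inside the 20-second window is the first one suppressed; the listener configuration is constructed, reusing the addresses from the page's examples.

```python
from collections import deque
from dataclasses import dataclass, field

# Alarm severity levels from the page, ranked so "at least this severe" can be compared.
SEVERITY_RANK = {"Informational": 0, "Warning": 1, "Minor": 2, "Major": 3, "Critical": 4}


@dataclass
class TrapDestination:
    """One 'add snmp trap' entry, with the defaults from the parameter table."""
    trap_class: str                      # "generic" or "specific"
    destination: str                     # IP address of the trap listener
    version: str                         # "V1" or "V2"
    dest_port: int = 162                 # default destination port
    community: str = "public"            # default community string
    src_ip: str = ""                     # empty means the NSIP is used
    min_severity: str = "Informational"  # default: any alarm


@dataclass
class Alarm:
    """An SNMP alarm as configured under System > SNMP > Alarms."""
    name: str
    severity: str = "Informational"
    enabled: bool = True
    logging: bool = True


@dataclass
class TrapDispatcher:
    destinations: list
    syslog: list = field(default_factory=list)             # lines the alarm logging would emit
    _auth_times: deque = field(default_factory=deque)      # recent authenticationFailure traps
    _auth_suppressed_until: float = 0.0

    def _auth_throttled(self, now):
        """Page rule: more than 10 authentication traps within 20 s silences them for 60 s.
        Assumption: the trap that crosses the limit is itself suppressed."""
        if now < self._auth_suppressed_until:
            return True
        self._auth_times.append(now)
        while now - self._auth_times[0] > 20:
            self._auth_times.popleft()
        if len(self._auth_times) > 10:
            self._auth_suppressed_until = now + 60
            self._auth_times.clear()
            return True
        return False

    def dispatch(self, trap_name, trap_class, alarm, now):
        """Return (destination, port, community, version) for each listener that receives the trap."""
        if not alarm.enabled:                       # traps are generated only for enabled alarms
            return []
        if trap_name == "authenticationFailure" and self._auth_throttled(now):
            return []
        if alarm.logging:                           # logging state of the alarm
            self.syslog.append(f"t={now:.0f} {trap_name} severity={alarm.severity}")
        return [
            (d.destination, d.dest_port, d.community, d.version)
            for d in self.destinations
            if d.trap_class == trap_class
            and SEVERITY_RANK[alarm.severity] >= SEVERITY_RANK[d.min_severity]
        ]


def example_dispatcher():
    """Constructed listener set: the page's CLI example plus one catch-all manager."""
    return TrapDispatcher(destinations=[
        TrapDestination("specific", "10.102.29.3", "V2", 163, "com1", "10.102.29.54", "Major"),
        TrapDestination("specific", "10.102.29.5", "V1"),   # constructed, all defaults
        TrapDestination("generic", "10.102.29.5", "V1"),    # constructed, all defaults
    ])
```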
Removing an SNMP Trap
When you remove a trap, trap messages are no longer sent to the destination specified.
To remove an SNMP trap, use either of the following procedures: To remove an SNMP trap
1. In the navigation pane, expand System, click SNMP, and then click Traps.
2. On the SNMP Traps page, select the trap that you want to remove.
3. Click Remove.
4. In the Remove dialog box, click Yes.
Configuring SNMP Alarms
The NetScaler generates traps only for SNMP alarms that are enabled. Some alarms are enabled by default, but you can disable them. You can assign severity levels to alarms.
Enabling or Disabling an SNMP Alarm
When you enable an SNMP alarm, the NetScaler generates the corresponding trap messages when the associated events occur. Some NetScaler alarms are enabled by default.
To enable or disable an SNMP alarm
1. In the navigation pane, expand System, expand SNMP, and click Alarms.
2. On the SNMP Alarms page, select an alarm (for example, Login-Failure).
3. To enable a disabled alarm, click Enable, or, to disable an enabled alarm, click Disable.
Setting the Severity of SNMP Alarms
There are 5 levels of severity for alarms: Critical, Major, Minor, Warning, and Informational. A trap is sent only when the severity of the alarm matches the severity configured in the trap. The following table describes the parameter you set to configure the severity of SNMP alarm:
Parameter Specifies
Severity Severity level of this alarm. Possible values: Critical, Major, Minor, Warning, Informational. Default: Informational.
To set the severity of SNMP alarm
1. In the navigation pane, expand System, expand SNMP, and click Alarms.
2. Click Open.
3. In the Configure SNMP Alarm dialog box, in Severity, select a severity option (for example, Major).
4. Click Ok.
Logging of SNMP Traps
The logging of trap messages is enabled by default. For alarms that need threshold values, however, the logging state is unknown. Once thresholds are configured, logging is automatically enabled.
If logging of an alarm has been disabled, you can enable it by setting the parameter in the following table:
Parameter   Specifies
Logging     Enable logging of SNMP trap messages by Syslog. Possible values: ENABLED and DISABLED.
The following procedure includes examples for enabling or modifying the logging of trap messages for the alarm LOGIN-FAILURE. When this alarm is enabled, a trap message is generated and sent to the trap destination whenever there is a login failure on the NetScaler. This message is logged.
To enable or disable logging of SNMP traps using the configuration utility
1. In the navigation pane, expand System, expand SNMP, and then click Alarms.
2. Click Open.
3. In the Configure SNMP Alarm dialog box, in Logging, select ENABLED to enable the logging of SNMP trap messages generated, or select DISABLED to disable logging of SNMP trap messages.
4. Click Ok.
To enable or disable logging of SNMP traps using the NetScaler command line
At the NetScaler command prompt, type:
set snmp alarm AlarmType -logging Status
Example
set snmp alarm LOGIN-FAILURE -logging ENABLED
or
set snmp alarm LOGIN-FAILURE -logging DISABLED
SNMP V3
Simple Network Management Protocol Version 3 (SNMPv3) is based on the basic structure and architecture of SNMPv1 and SNMPv2. However, SNMPv3 enhances the basic architecture to incorporate administration and security capabilities such as authentication, access control, data integrity check, data origin verification, message timeliness check, and data confidentiality.
Salient Features
SNMPv3 provides security features such as message-level security and access control. To implement these features, SNMPv3 introduces the user-based security model (USM) and the view-based access control model (VACM).
User-based Security Model
The user-based security model (USM) provides message-level security. It enables you to configure users and security parameters at the agent and the manager to ensure:
• Data integrity: To protect messages from being modified during transmission through the network.
• Data origin verification: To authenticate the user who sent the message request.
• Message timeliness: To protect against message delays or replays.
• Data confidentiality: To protect the content of messages from being disclosed to unauthorized entities or individuals.
View-Based Access Control Model
View-based access control model (VACM) enables you to configure access rights to a specific subtree of the MIB based on various parameters, such as security level, security model, user name, and view type. It enables you to configure agents to provide different levels of access to the MIB to different managers.
SNMPv3 Security Entities
The Citrix NetScaler supports the following entities that enable you to implement the security features of SNMPv3:
• SNMP Engines
• SNMP Views
• SNMP Groups
• SNMP Users
SNMP Engines
SNMP engines are service providers that reside in the SNMP agent. They provide services such as sending or receiving and authenticating messages. SNMP engines are uniquely identified using engine IDs.
SNMP Views
SNMP views restrict user access to specific portions of the MIB. SNMP views are used to implement access control.
SNMP Groups
SNMP groups are logical aggregations of SNMP users. They are used to implement access control and to define the security levels. You can configure an SNMP group to set access rights for users assigned to that group, thereby restricting the users to specific views.
SNMP Users
SNMP users are the SNMP managers that the agents allow to access the MIBs. Each SNMP user is assigned to an SNMP group.
These entities function together to implement the SNMPv3 security features. Views are created to allow access to subtrees of the MIB. Then, groups are created with the required security level and access to the defined views. Finally, users are created and assigned to the groups.
Configuring SNMP V3
To implement message authentication and access control, you need to:
• Set the Engine ID
• Configure Views
• Configure Groups