jmbrinkman

Posts Tagged ‘Citrix Systems’

Netscaler/Citrix Access Gateway and Active Directory nested groups

In Active Directory, Citrix, Netscaler on May 11, 2012 at 21:21

We recently adopted RBAC based on Microsoft Active Directory to manage our infrastructure. We already used AD groups to authenticate and authorize administrators on our Netscaler appliances, however admins were direct members of the groups defined on the Netscalers (have a look over here to see how to configure this).

Our new RBAC system uses nested groups: an admin is a member of a role group, which in turn is a member of a group authorizing access to a resource. Not every non-Microsoft system is able to "understand" nested groups (Cisco IronPort anti-spam appliances, for example), so you are forced to use some sort of iterative/recursive query to make it work, but luckily the Netscalers have a feature called "nested group extraction".

You can enable nested group extraction when you define an authentication server. After you choose LDAP as the authentication server type the option is somewhat hidden at the bottom of the dialogue window, but if you expand it and enter:

  • The nesting level (default is 2)
  • The group name identifier (the attribute holding the unique name of the group object), which in most situations would be the sAMAccountName attribute
  • The group search attribute: memberOf
  • The sub search attribute: here the documentation suggests using the common name (CN), just as in the general server configuration

you will be able to use nested groups to authorize your administrators to perform management tasks on the Netscalers.

You could reuse an existing LDAP server/policy pair for this, but I would strongly advise creating a separate server/policy pair. The main reason is that once you enable nested group extraction on an authentication server, all users authenticating through that policy/server pair seem to be checked for nested group memberships, even if you don't use group membership as a factor to authorize those users' access to resources...

We found out about that one the hard way: after enabling nested group extraction on our default LDAP policy/server pair, certain users were unable to log on to our Citrix environment. This was caused by the fact that they were members of a group that had "illegal characters" in its common name (a forward slash, "/"), and with nested group extraction enabled they got an access denied message...

We solved this by using a separate policy/server pair for admin authentication and authorization.
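To make the walk behind "nested group extraction" concrete, and to give you a pre-check for the forward-slash problem before you enable it on a policy that ordinary users share, here is an added example (not NetScaler code, not from this blog). It models the nesting level, group search attribute and group name identifier described above over a constructed in-memory directory; the real appliance does the same walk with LDAP searches against the configured server. All DNs, group names and users are made up, and the assumption that any "/" group reached within the nesting level is enough to break the logon is mine, not something the post states.

```python
"""Added example (not NetScaler code): a model of the appliance's nested group
extraction walk over a constructed in-memory directory, plus a pre-check for
groups whose CN contains "/". The real appliance issues LDAP searches against
the configured server; the lookup here is a dictionary keyed by DN."""
from collections import deque

# Constructed stand-in for an AD domain: DN -> attributes. All names are made up.
DIRECTORY = {
    "CN=jdoe,OU=Users,DC=example,DC=local": {
        "objectClass": "user", "sAMAccountName": "jdoe",
        "memberOf": ["CN=Role-NetworkAdmins,OU=Groups,DC=example,DC=local"]},
    "CN=asmith,OU=Users,DC=example,DC=local": {
        "objectClass": "user", "sAMAccountName": "asmith",
        "memberOf": ["CN=Sales/Marketing,OU=Groups,DC=example,DC=local"]},
    # Role group -> resource group -> wider resource group (three levels deep).
    "CN=Role-NetworkAdmins,OU=Groups,DC=example,DC=local": {
        "objectClass": "group", "sAMAccountName": "Role-NetworkAdmins",
        "memberOf": ["CN=Res-NetScaler-Admins,OU=Groups,DC=example,DC=local"]},
    "CN=Res-NetScaler-Admins,OU=Groups,DC=example,DC=local": {
        "objectClass": "group", "sAMAccountName": "Res-NetScaler-Admins",
        "memberOf": ["CN=Res-All-Infra,OU=Groups,DC=example,DC=local",
                     # Deliberate cycle back to the role group.
                     "CN=Role-NetworkAdmins,OU=Groups,DC=example,DC=local"]},
    "CN=Res-All-Infra,OU=Groups,DC=example,DC=local": {
        "objectClass": "group", "sAMAccountName": "Res-All-Infra", "memberOf": []},
    # A group with "/" in its CN, the case that produced the access denied.
    "CN=Sales/Marketing,OU=Groups,DC=example,DC=local": {
        "objectClass": "group", "sAMAccountName": "Sales-Marketing", "memberOf": []},
}


def first_rdn_value(dn):
    """Value of the leading RDN of a DN, honouring backslash escapes (RFC 4514),
    e.g. 'Sales/Marketing' from 'CN=Sales/Marketing,OU=Groups,...'."""
    chars, i = [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            chars.append(dn[i + 1])
            i += 2
            continue
        if dn[i] == ",":                          # first unescaped comma ends the RDN
            break
        chars.append(dn[i])
        i += 1
    return "".join(chars).partition("=")[2]


def extract_groups(directory, user_dn, max_nesting_level=2, group_search_attribute="memberOf"):
    """Breadth-first walk of the group search attribute, as the appliance does.
    Level 1 is direct membership; each further level follows the groups' own
    memberOf until max_nesting_level (the appliance default is 2).
    Returns {group DN: level at which it was reached}. Cycles are skipped."""
    reached = {}
    queue = deque([(user_dn, 0)])
    while queue:
        dn, level = queue.popleft()
        if level >= max_nesting_level:
            continue
        for group_dn in directory.get(dn, {}).get(group_search_attribute, []):
            if group_dn == user_dn or group_dn in reached:
                continue
            reached[group_dn] = level + 1
            queue.append((group_dn, level + 1))
    return reached


def effective_group_names(directory, user_dn, max_nesting_level=2,
                          group_name_identifier="sAMAccountName"):
    """The names compared against the groups configured on the appliance: the
    group name identifier attribute of each reached group, falling back to the
    CN taken from the DN (the sub search attribute) if the object is unreadable."""
    names = []
    for dn in extract_groups(directory, user_dn, max_nesting_level):
        names.append(directory.get(dn, {}).get(group_name_identifier) or first_rdn_value(dn))
    return sorted(names)


def groups_with_slash(directory):
    """Groups whose CN contains "/", the character the post found to break
    logons once nested group extraction was enabled."""
    return sorted(dn for dn, attrs in directory.items()
                  if attrs.get("objectClass") == "group" and "/" in first_rdn_value(dn))


def users_affected(directory, max_nesting_level=2):
    """Users whose walk, at the configured nesting level, reaches such a group.
    Run this before enabling extraction on a policy that ordinary users share.
    Assumption (not stated in the post): any such group within the walk is enough."""
    bad = set(groups_with_slash(directory))
    return sorted(dn for dn, attrs in directory.items()
                  if attrs.get("objectClass") == "user"
                  and bad & set(extract_groups(directory, dn, max_nesting_level)))


if __name__ == "__main__":
    for user in ("CN=jdoe,OU=Users,DC=example,DC=local", "CN=asmith,OU=Users,DC=example,DC=local"):
        print(user, "->", effective_group_names(DIRECTORY, user))
    print("groups with '/':", groups_with_slash(DIRECTORY))
    print("users that would be denied:", users_affected(DIRECTORY))
```

With the default nesting level of 2, jdoe resolves to the role group and the resource group it sits in but not the third-level group; raising the level to 3 brings that one in, and the cycle between the two admin groups is visited only once. Against a real domain you would feed `users_affected` from an LDAP export of the groups and users that authenticate through the shared policy, which is exactly the population the post describes being locked out.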

Monitoring Citrix Netscaler Load Balancers with SCOM 2007 R2 Part III.

In Citrix, Netscaler, Operations Manager on October 21, 2011 at 20:28

This is part three of my series on monitoring Citrix Netscalers with SCOM 2007 R2 (Part I and Part II).

Now, does it work? And how? As said in my previous post, the way the information is presented is a little bit different than with other MPs. For each SNMP trap sent, the pack will raise an alert, and the alert will tell you nothing more than the fact that the SNMP trap has been sent 😉 If you make a config change you'll get an alert that something has been changed, but not what has been changed. That information is shown elsewhere.

To give an example, in the picture below you can see two alerts:

I changed the configuration and saved the running config. This is the information as shown in the config change alert:

To see what has been changed we need to head over to the Events node, here two events are shown:

If you look at the details of the event you can see that an SNMP community was added to the Netscalers with "public" as its community string (the well-known default, which is exactly the kind of change you want surfaced):

Then there is the health roll-up of the entity. The monitored health categories are Availability and Performance. Performance is based on a number of SNMP GET based performance metrics of both the appliance and the vservers. Availability is based on the state of the appliance alone, so if a vserver is down the Netscaler Device entity will still be healthy.

And last but not least, the Netscalers themselves also allow you to tune what SCOM will report, because you can enable/disable and configure their SNMP traps. You can do this from the GUI by opening System\SNMP\Alarms.

Depending on the type of alarm you can define the alarm and normal thresholds, the time interval and the alarm's severity. Whatever you configure here will directly influence the way SCOM reports these events. Of course it's also possible to override the rules and/or alerts in SCOM, but personally I prefer to do this at the source.
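The config-change event described earlier in this post (an SNMP community named "public" being added) is worth more than a generic alert. As an added example, not part of the Citrix MP or of this blog, the following script reviews NetScaler CMD_EXECUTED audit lines for SNMP community changes and flags well-known community names and communities that grant write access. The log lines are constructed to approximate the ns.log/syslog format (field order on a real appliance can differ by firmware version), the user names and addresses are made up, and the permission keywords are the ones the NetScaler CLI uses for `add snmp community` (GET, GET_NEXT, GET_BULK, SET, ALL).

```python
"""Added example (not part of the MP): review NetScaler CMD_EXECUTED audit
lines for SNMP community changes, the kind of change the SCOM event in this
post surfaced. The log lines below are constructed to approximate ns.log /
syslog output; field order on a real appliance can differ by firmware version."""
import re

WEAK_COMMUNITIES = {"public", "private"}   # well-known defaults, first guesses for any scanner
WRITE_PERMISSIONS = {"SET", "ALL"}         # NetScaler community permissions that allow snmpset

# Only the 'User ... - Remote_ip ... - Command "..." - Status "..."' part is relied on.
CMD_RE = re.compile(r'User (?P<user>\S+) - Remote_ip (?P<src>\S+) - '
                    r'Command "(?P<cmd>[^"]*)" - Status "(?P<status>\w+)"')
COMMUNITY_RE = re.compile(r'^(?P<verb>add|set) snmp community (?P<name>\S+)(?: (?P<perm>\S+))?$')

# Constructed sample log; users, addresses and community names are made up.
SAMPLE_LOG = """\
05/11/2012:21:20:01 GMT ns1 0-PPE-0 : default GUI CMD_EXECUTED 1001 0 :  User nsroot - Remote_ip 10.0.0.5 - Command "add snmp community public GET" - Status "Success"
05/11/2012:21:20:45 GMT ns1 0-PPE-0 : default CLI CMD_EXECUTED 1002 0 :  User nsroot - Remote_ip 10.0.0.5 - Command "add snmp community scom-ro GET" - Status "Success"
05/11/2012:21:21:10 GMT ns1 0-PPE-0 : default CLI CMD_EXECUTED 1003 0 :  User nsroot - Remote_ip 10.0.0.5 - Command "add snmp community mgmt ALL" - Status "Success"
05/11/2012:21:21:30 GMT ns1 0-PPE-0 : default CLI CMD_EXECUTED 1004 0 :  User nsroot - Remote_ip 10.0.0.5 - Command "save ns config" - Status "Success"
05/11/2012:21:22:00 GMT ns1 0-PPE-0 : default CLI CMD_EXECUTED 1005 0 :  User jbloggs - Remote_ip 10.0.0.9 - Command "add snmp community private SET" - Status "ERROR"
"""


def parse_line(line):
    """Extract user, source IP, command and status from one audit line, or None."""
    m = CMD_RE.search(line)
    return m.groupdict() if m else None


def review_command(cmd):
    """(community, permission, reasons) for an SNMP community command, else None.
    An empty reasons list means the change looked fine."""
    m = COMMUNITY_RE.match(cmd)
    if not m:
        return None
    reasons = []
    if m["name"].lower() in WEAK_COMMUNITIES:
        reasons.append("well-known community name")
    if (m["perm"] or "").upper() in WRITE_PERMISSIONS:
        reasons.append("community grants SNMP write access")
    return m["name"], m["perm"], reasons


def review_log(text, include_failed=False):
    """Findings for SNMP community changes in the log. By default only commands
    that succeeded (i.e. were applied) are reported; set include_failed to also
    see rejected attempts, which are interesting for a different reason."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or (rec["status"] != "Success" and not include_failed):
            continue
        result = review_command(rec["cmd"])
        if result and result[2]:
            community, permission, reasons = result
            findings.append({"user": rec["user"], "src": rec["src"], "community": community,
                             "permission": permission, "status": rec["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG, include_failed=True):
        print(f"{f['status']:8} {f['user']}@{f['src']} community={f['community']} "
              f"perm={f['permission']}: {', '.join(f['reasons'])}")
```

Run over the sample, the "public" community and the "mgmt" community with ALL permissions are reported; the read-only "scom-ro" community for SCOM is not, and the failed attempt to add "private" with SET only shows up when failed commands are included. Feeding the real ns.log (or the syslog stream the appliance sends) through the same two functions gives you the "what changed" that the MP's alert lacks.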

I hope this guide helps others get this MP running in their environment and possibly even convinces some to choose this method of monitoring Netscalers.

Monitoring Citrix Netscaler Load Balancers with SCOM 2007 R2 Part II.

In Citrix, Netscaler, Operations Manager on October 20, 2011 at 22:07

This is part two of my series on monitoring Citrix Netscalers with SCOM 2007 R2 (Part I).

In the previous post I discussed why we decided to use SCOM to monitor the Netscalers, the installation of the MP and the configuration of the Netscalers. In this post I will discuss discovering the Netscalers in SCOM and the general usage of the MP.

Discovery

The Netscalers first need to be discovered as generic network devices. After they've been discovered, a scheduled discovery identifies them as Netscaler devices based on their SNMP OID. After that another discovery runs to identify the installed features and modes.

  • Open the SCOM console, choose Administration and start the Discovery wizard.
  • Choose Network Devices
  • Specify an IP range that includes both your NSIPs.
  • Select SNMP v2, specify your community string and the Management Server. Use a dedicated read-only community for SCOM rather than a shared one: with SNMP v2c the community string travels in cleartext.
  • Now start the discovery; if you've configured the Netscalers correctly the wizard will detect two network devices. You will be able to see them both listed under Administration/Network Devices

The discoveries that run automatically against all network devices run every 21600 seconds (6 hours), so you can either wait until the next run or override the discovery interval. The discovery simply discovers all SNMP devices with a certain OID (I've included a screenshot of the XML as a reference):

After the Netscalers have been identified as Netscaler Devices they will show up under Monitoring/Citrix Netscaler Devices/All Devices, and the following discoveries, which are targeted at the Citrix NetScaler Device class, will start to discover additional classes and add some properties to the Citrix Netscaler Device class:

  • Citrix Netscaler Feature Discovery: this will detect all features and their state (Load Balancing, Access Gateway etc.)
  • Citrix Netscaler Mode Discovery: this will detect all modes and their state (L2 versus L3 etc.)
  • Citrix Netscaler Device Discovery: this will add the Node State (Primary/Secondary), Host Name, HA Peer IP and hardware version

This is the point where we ran into some issues. Discovering the Citrix Netscaler Device class went fine, but the other classes weren't discovered at all and the extra attributes weren't populated. Looking at the event logs on the management server I discovered an event with the following error message:

Error Message: 91\2600\Citrix.NetScaler.VirtualServerState.vbs(44, 9) Microsoft VBScript runtime error: ActiveX component can’t create object: ‘SScripting.SNMPManager’

This led me to the Citrix Knowledge Center article I mentioned earlier (Case Study: When installing…Error Message). I downloaded the MP from the Citrix Community page and installed it over the version I had downloaded from MyCitrix, and after a reboot the discoveries did identify the modes, features and attributes.

Configuring the MP

When we look at the Monitoring view, the Netscaler MP has 4 main nodes:

  • The root node: this contains an alerts view, a config changes view, an events view and a network diagram.
  • The Device State node: this has two views: Active Devices, which lists all the primary nodes, and All Devices, which shows all nodes.
  • The License & Modes node: this gives a state view of all the features and modes as they are configured on each appliance
  • The Performance node: this has a rather large number of performance views

Alerts seem pretty self-explanatory, however it is important to note that the alerts contain little information. You'll know a rule has triggered an alert but not why. The same goes for the Config Changes. Both will tell you there has been an alert or a config change, but the actual data is in the events view. Here all events (be it triggered alerts, SNMP traps, config saves, changes, reboots etc.) are logged with all the data provided by the SNMP GET or trap.

The network diagram was a bit of a disappointment; I would have hoped to see the vservers and the services in there as well.

The license and mode views aren't too pretty but they do the job. Licenses:

Unfortunately you'll need to select a row to see which appliance it belongs to when looking at licenses. The modes view is much better:

The performance views are grouped into several categories: ACL, IP, SSL etc. None of the rules and monitors are enabled by default. Which brings me to a point of criticism: why are all rules and monitors disabled by default and then overridden with an override that's stored in the main Citrix Netscaler MP? Again something that goes against best practices.

Actually most performance counters aren't active (or have an override by default) when you install the pack; you'll need to override them one by one to get that data into SCOM. This is where a tool such as Override Explorer (I used v3.3) can prove invaluable, since for each category there are several SNMP GET rules, and in order to fully populate the performance views you'll need to override all of them.

One clue: when you open the Authoring pane in SCOM and limit the scope to include only the Netscalers, you can find the rules needed for each category by looking at their name. They start with the name of the performance view in the Monitoring pane, with a capital letter. In the picture below you can see all the TCP rules, and if you look at the Override Management Pack column you can see I used a custom override pack, which means they weren't enabled by default:

Using this information you can override the performance rules in bulk using Override Explorer, storing the overrides in your own unsealed override pack rather than in the Citrix MP itself.
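If you would rather script the bulk override than click through Override Explorer, the following added example (not the Citrix MP's code and not from this blog) builds a separate, unsealed override management pack that enables every disabled rule of one performance view, using the naming hint above (rule names start with the view's name). Every identifier in it is a hypothetical placeholder: the rule IDs, the `Citrix.NetScaler` reference ID, its version and public key token, and the `Citrix.NetScaler.Device` target class all have to be replaced with the real values from the Authoring pane or the MP XML before you import the result.

```python
"""Added example (not the Citrix MP's code): generate a separate override
management pack that enables every disabled NetScaler performance rule of one
category, instead of overriding them one by one. Every identifier below
(rule IDs, class name, MP ID, key token, versions) is a hypothetical
placeholder; take the real values from the Authoring pane or the MP XML."""
import xml.etree.ElementTree as ET

# Hypothetical rule export: (rule ID, display name, enabled by default).
# Display names follow the post's hint: they start with the performance view's name.
RULES = [
    ("Citrix.NetScaler.Rule.Tcp.CurClientConn", "TCP Current Client Connections", False),
    ("Citrix.NetScaler.Rule.Tcp.CurServerConn", "TCP Current Server Connections", False),
    ("Citrix.NetScaler.Rule.Tcp.TotRxPkts", "TCP Total Received Packets", True),
    ("Citrix.NetScaler.Rule.Ssl.TotTransactions", "SSL Total Transactions", False),
    ("Citrix.NetScaler.Rule.Ip.TotRxPkts", "IP Total Received Packets", False),
]
REFERENCE_ALIAS = "NS"                    # alias used inside the override pack
REFERENCE_ID = "Citrix.NetScaler"         # hypothetical ID of the sealed Citrix MP
TARGET_CLASS = "Citrix.NetScaler.Device"  # hypothetical target class of the rules


def select_rules(rules, category):
    """Rules shown in one performance view: display name starts with the view's
    name (case-insensitive) and the rule is not already enabled."""
    prefix = category.lower() + " "
    return [r for r in rules if r[1].lower().startswith(prefix) and not r[2]]


def build_override_mp(rules, category, mp_id="Custom.NetScaler.Overrides", version="1.0.0.0",
                      ref_version="1.0.0.0", ref_token="0000000000000000"):
    """Return an unsealed override MP (as XML text) with one RulePropertyOverride
    per selected rule, setting Enabled=true for the target class. The Reference
    version and PublicKeyToken must match the sealed Citrix MP you imported."""
    root = ET.Element("ManagementPack", ContentReadable="true", SchemaVersion="1.0")
    manifest = ET.SubElement(root, "Manifest")
    identity = ET.SubElement(manifest, "Identity")
    ET.SubElement(identity, "ID").text = mp_id
    ET.SubElement(identity, "Version").text = version
    ET.SubElement(manifest, "Name").text = mp_id
    ref = ET.SubElement(ET.SubElement(manifest, "References"), "Reference", Alias=REFERENCE_ALIAS)
    ET.SubElement(ref, "ID").text = REFERENCE_ID
    ET.SubElement(ref, "Version").text = ref_version
    ET.SubElement(ref, "PublicKeyToken").text = ref_token
    overrides = ET.SubElement(ET.SubElement(root, "Monitoring"), "Overrides")
    for rule_id, _, _ in select_rules(rules, category):
        # Override IDs must be unique within the pack; derive them from the rule ID.
        ov = ET.SubElement(overrides, "RulePropertyOverride",
                           ID="Enable." + rule_id.replace(".", "_"),
                           Context=f"{REFERENCE_ALIAS}!{TARGET_CLASS}",
                           Enforced="false",
                           Rule=f"{REFERENCE_ALIAS}!{rule_id}",
                           Property="Enabled")
        ET.SubElement(ov, "Value").text = "true"
    return ET.tostring(root, encoding="unicode")


def count_overrides(xml_text):
    """Number of rule overrides in a generated pack (sanity check before import)."""
    return len(ET.fromstring(xml_text).findall("./Monitoring/Overrides/RulePropertyOverride"))


if __name__ == "__main__":
    xml_text = build_override_mp(RULES, "TCP")
    print(count_overrides(xml_text), "overrides generated")
    print(xml_text)
```

For the sample list, "TCP" selects the two disabled TCP rules and skips the one already enabled; run it once per category and import the resulting packs, which keeps the overrides out of the Citrix MP, the point of criticism raised above.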

Then you are ready to go. In the next part I will show the MP in action and show how you can configure and enable/disable the SNMP traps sent by the Netscalers.