Configure DNSSEC
Perform the following steps to configure DNSSEC:
- Enable DNSSEC on the NetScaler appliance.
- Create a zone signing key and a key signing key for the zone.
- Add the two keys to the zone.
- Sign the zone with the keys.
The NetScaler appliance does not act as a validating DNSSEC resolver: it never checks signatures on answers it receives. DNSSEC on the ADC is supported only in the following deployment scenarios:
- ADNS: NetScaler is the authoritative DNS server (ADNS) for the zone and generates the signatures itself.
- Proxy: NetScaler acts as a DNSSEC proxy in front of the ADNS or LDNS servers, which are assumed to be on a trusted network. The ADC acts only as a caching proxy and passes DNSSEC records through without validating any signatures.
Enable and disable DNSSEC
Enable DNSSEC on the NetScaler for the ADC to respond to DNSSEC-aware clients. By default, DNSSEC is enabled.
You can disable the DNSSEC feature if you do not want the NetScaler to respond to clients with DNSSEC-specific information.
Enable or disable DNSSEC by using the CLI
At the command prompt, type the following commands to enable or disable DNSSEC and verify the configuration:
- set dns parameter -dnssec ( ENABLED | DISABLED )
- show dns parameter
Example:
> set dns parameter -dnssec ENABLED
Done
> show dns parameter
DNS parameters:
DNS retries: 5
.
.
.
DNSSEC Extension: ENABLED
Max DNS Pipeline Requests: 255
Done
Enable or disable DNSSEC by using the GUI
- Navigate to Traffic Management > DNS.
- In the details pane, click Change DNS settings.
- In the Configure DNS Parameters dialog box, select or clear the Enable DNSSEC Extension check box.
Create DNS keys for a zone
For each DNS zone that you want to sign, you must create two pairs of asymmetric keys. One pair, called the zone signing key (ZSK), is used to sign all the resource record sets in the zone. The second pair is called the key signing key (KSK) and is used to sign only the DNSKEY resource records in the zone.
When the ZSK and the KSK are created, the suffix .key is appended to the names of the public components of the keys, and the suffix .private is appended to the names of their private components. The appending happens automatically.
The NetScaler also creates a Delegation Signer (DS) record for each key and appends the suffix .ds to the name of the record. If the parent zone is a signed zone, you must publish the DS record in the parent zone to establish the chain of trust. Publish the DS that belongs to the KSK, and check before publishing that its key tag and digest match the DNSKEY the zone serves: a DS that matches no served DNSKEY makes the entire zone bogus for validating resolvers, which is an outage, not a downgrade.
When you create a key, the key is stored in the /nsconfig/dns/ directory, but it is not automatically published in the zone. After you create a key by using the create dns key command, you must explicitly publish the key in the zone by using the add dns key command. The process of generating a key is separate from the process of publishing the key in a zone so that you can use alternative means to generate keys. For example, you can import keys generated by other key-generation programs (such as BIND's dnssec-keygen) by using Secure FTP (SFTP) and then publish the keys in the zone. For more information about publishing a key in a zone, see Publish a DNS key in a zone.
Perform the steps described in this topic to create a zone signing key and then repeat the steps to create a key signing key. The example that follows the command syntax first creates a zone signing key pair for the zone example.com. The example then uses the same command to create a key signing key pair for the zone. Note that the -fileNamePrefix value is only a label for the files; it does not select the algorithm, which is why the example below writes RSASHA256 and RSASHA512 keys into files whose names contain "rsasha1".
From release 13.0 build 61.x, the NetScaler appliance supports the stronger algorithms RSASHA256 and RSASHA512 for signing a DNS zone. Previously, only the RSASHA1 algorithm was supported. Use RSASHA256 for new keys: RSASHA1 is no longer recommended for DNSSEC signing (RFC 8624), and a 1024-bit RSA modulus, as in the ZSK example below, is below current guidance; 2048 bits is the usual minimum for both keys.
Create a DNS key by using the CLI
At the command prompt, type:
create dns key -zoneName <string> -keyType <keyType> -algorithm <algorithm> -keySize <positive_integer> -fileNamePrefix <string>
Example:
> create dns key -zoneName example.com -keyType zsk -algorithm RSASHA256 -keySize 1024 -fileNamePrefix example.com.zsk.rsasha1.1024
File Name: /nsconfig/dns/example.com.zsk.rsasha1.1024.key (public); /nsconfig/dns/example.com.zsk.rsasha1.1024.private (private); /nsconfig/dns/example.com.zsk.rsasha1.1024.ds (ds)
This operation may take some time, Please wait...
Done
> create dns key -zoneName example.com -keyType ksk -algorithm RSASHA512 -keySize 4096 -fileNamePrefix example.com.ksk.rsasha1.4096
File Name: /nsconfig/dns/example.com.ksk.rsasha1.4096.key (public); /nsconfig/dns/example.com.ksk.rsasha1.4096.private (private); /nsconfig/dns/example.com.ksk.rsasha1.4096.ds (ds)
This operation may take some time, Please wait...
Done
Create a DNS key by using the GUI
- Navigate to Traffic Management > DNS.
- In the details area, click Create DNS Key.
- Enter values for the different parameters and click Create.
Note: To modify the file name prefix of an existing key:
- Click the arrow next to the Browse button.
- Click either Local or Appliance (depending on whether the existing key is stored on your local computer or in the /nsconfig/dns/ directory on the appliance).
- Browse to the location of the key, and then double-click the key. The File Name Prefix box is populated with only the prefix of the existing key. Modify the prefix accordingly.
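The appliance writes a .ds file next to each key pair, but what goes into the parent zone is the DS for the KSK, and it must match the DNSKEY the zone actually serves. The following Python is an added example, not NetScaler code and not part of the original page: it derives a DS record from a DNSKEY in presentation format and checks a DS you intend to publish against it, following RFC 4034 and RFC 4509. The SAMPLE_KSK and SAMPLE_ZSK records are constructed for illustration; their public key bytes are not a real RSA key, which does not affect the key tag or digest arithmetic.

```python
"""DS record derivation and check for a DNSSEC KSK (RFC 4034 section 5, RFC 4509).

Added example, not NetScaler code. Standard library only.
"""
import base64
import hashlib
import struct

# DS digest type -> hashlib name (RFC 4034, RFC 4509, RFC 6605)
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed sample: a KSK (flags 257 = ZONE|SEP) with a 6-byte "public key"
# (exponent length 1, exponent 3, 4-byte modulus). It is not a usable RSA key;
# key tag and DS arithmetic do not depend on the modulus being real.
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 8 AQOrze8B"
SAMPLE_ZSK = "example.com. 3600 IN DNSKEY 256 3 8 AQOrze8B"


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into (owner, rdata)."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    return tokens[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line: str, digest_type: int = 2) -> str:
    """Build the DS presentation record for a KSK: digest = H(owner_wire || DNSKEY RDATA)."""
    owner, rdata = parse_dnskey(line)
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0001:  # SEP bit: the DS must point at the KSK, never at the ZSK
        raise ValueError("DNSKEY is not a KSK (SEP bit clear)")
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(owner_to_wire(owner) + rdata)
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {h.hexdigest().upper()}"


def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True if a DS (as published in the parent) matches the DNSKEY the child serves."""
    tokens = ds_line.split()
    i = tokens.index("DS")
    tag, alg, dtype = (int(t) for t in tokens[i + 1:i + 4])
    digest = "".join(tokens[i + 4:]).upper()
    if dtype not in DIGEST_ALGS:
        return False
    expected = ds_from_dnskey(dnskey_line, dtype).split()
    return (int(expected[3]), int(expected[4]), expected[6]) == (tag, alg, digest)


if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_KSK)
    print(ds)
    print("matches:", ds_matches(SAMPLE_KSK, ds))
```

Feed ds_matches the DNSKEY line as the zone serves it (for example, the output of dig +dnssec DNSKEY example.com) and the DS line you intend to hand to the parent; False means the delegation would fail validation. Passing a ZSK raises, because a DS that points at a ZSK is a common misconfiguration when both .ds files look alike.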
Publish a DNS key in a zone
A key (zone signing key or key signing key) is published in a zone by adding the key to the NetScaler. A key must be published in a zone before you sign the zone.
Before you publish a key in a zone, the key must be available in the /nsconfig/dns/ directory. If you created the DNS key on another computer (for example, by using BIND's dnssec-keygen program), copy the key to the /nsconfig/dns/ directory and then publish it in the zone. Use the ADC GUI to add the key to the /nsconfig/dns/ directory, or use some other program, such as Secure FTP (SFTP), to import the key to the directory. The .private file lets whoever holds it sign the zone, so restrict access to it on the appliance and on every host it passes through.
Use the add dns key command for each public-private key pair that you want to publish in a given zone. If you created a ZSK pair and a KSK pair for a zone, use the add dns key command to first publish one of the key pairs in the zone, and repeat the command to publish the other key pair. For each key that you publish in a zone, a DNSKEY resource record is created in the zone.
The example that follows the command syntax first publishes the zone signing key pair (that was created for the example.com zone) in the zone. The example then uses the same command to publish the key signing key pair in the zone.
Publish a key in a zone by using the CLI
At the command prompt, type the following command to publish a key in a zone and verify the configuration:
- add dns key <keyName> <publickey> <privatekey> [-expires <positive_integer> [<units>]] [-notificationPeriod <positive_integer> [<units>]] [-TTL <secs>]
- show dns zone [<zoneName> | -type <type>]
Example:
> add dns key example.com.zsk example.com.zsk.rsasha1.1024.key example.com.zsk.rsasha1.1024.private -expires 121 -TTL 5
Done
> add dns key example.com.ksk example.com.ksk.rsasha1.4096.key example.com.ksk.rsasha1.4096.private -expires 121 -TTL 5
Done
> show dns zone example.com
Zone Name : example.com
Proxy Mode : NO
Domain Name : example.com
Record Types : NS SOA DNSKEY
Domain Name : ns1.example.com
Record Types : A
Domain Name : ns2.example.com
Record Types : A
Done
Publish a key in a DNS zone by using the GUI
- Navigate to Traffic Management > DNS > Keys.
Note: For Public Key and Private Key, to add a key that is stored on your local computer, click the arrow next to the Browse button, click Local, browse to the location of the key, and then double-click the key.
Configure a DNS key
You can configure the parameters of a key that has been published in a zone. You can modify the key’s expiry time period, notification period, and time-to-live (TTL) parameters. If you change the expiry time period of a key, the appliance automatically re-signs all the resource records in the zone with the key. The re-signing happens if the zone is signed with the particular key.
Configure a key by using the CLI
At the command prompt, type the following command to configure a key and verify the configuration:
- set dns key <keyName> [-expires <positive_integer> [<units>]] [-notificationPeriod <positive_integer> [<units>]] [-TTL <secs>]
- show dns key [<keyName>]
Example:
> set dns key example.com.ksk -expires 30 DAYS -notificationPeriod 3 DAYS -TTL 3600
Done
> show dns key example.com.ksk
1) Key Name: example.com.ksk
Expires: 30 DAYS Notification: 3 DAYS TTL: 3600
Public Key File: example.com.ksk.rsasha1.4096.key
Private Key File: example.com.ksk.rsasha1.4096.private
Done
Configure a key by using the GUI
- Navigate to Traffic Management > DNS > Keys.
- In the details pane, click the key that you want to configure, and then click Open.
- In the Configure DNS Key dialog box, modify the values of the following parameters as shown:
  - Expires (expires)
  - Notification Period (notificationPeriod)
  - TTL (TTL)
- Click OK.
Sign and unsign a DNS zone
To secure a DNS zone, you must sign the zone with the keys that have been published in the zone. When you sign a zone, the NetScaler creates a Next Secure (NSEC) resource record for each owner name. Each NSEC record names the next owner name in canonical order and lists the record types present at its own owner; this is how the signed zone proves that a name or a type does not exist. Then, the NetScaler uses the key signing key to sign the DNSKEY resource record set. Finally, it uses the ZSK to sign all the resource record sets in the zone, including the DNSKEY and NSEC resource record sets. Each sign operation produces a signature over one resource record set, captured in a new resource record called the RRSIG resource record.
A zone signed with NSEC, as shown here, can be enumerated: anyone can follow the next-owner pointers from the apex and learn every name in the zone. Treat the contents of a signed zone as public.
After you sign a zone, save the configuration.
Sign a zone by using the CLI
At the command prompt, type the following command to sign a zone and verify the configuration:
- sign dns zone <zoneName> [-keyName <string> ...]
- show dns zone [<zoneName> | -type (ADNS | PROXY | ALL)]
- save config
Example:
> sign dns zone example.com -keyName example.com.zsk example.com.ksk
Done
> show dns zone example.com
Zone Name : example.com
Proxy Mode : NO
Domain Name : example.com
Record Types : NS SOA DNSKEY RRSIG NSEC
Domain Name : ns1.example.com
Record Types : A RRSIG NSEC
Domain Name : ns2.example.com
Record Types : A RRSIG
Domain Name : ns2.example.com
Record Types : RRSIG NSEC
Done
> save config
Done
Unsign a zone by using the CLI
At the command prompt, type the following command to unsign a zone and verify the configuration:
- unsign dns zone <zoneName> [-keyName <string> ...]
- show dns zone [<zoneName> | -type (ADNS | PROXY | ALL)]
Example:
> unsign dns zone example.com -keyName example.com.zsk example.com.ksk
Done
> show dns zone example.com
Zone Name : example.com
Proxy Mode : NO
Domain Name : example.com
Record Types : NS SOA DNSKEY
Domain Name : ns1.example.com
Record Types : A
Domain Name : ns2.example.com
Record Types : A
Done
Sign or unsign a zone by using the GUI
- Navigate to Traffic Management > DNS > Zones.
- In the details pane, click the zone that you want to sign, and then click Sign/Unsign.
- In the Sign/Unsign DNS Zone dialog box, do one of the following:
  - To sign the zone, select the check boxes for the keys (zone signing key and key signing key) with which you want to sign the zone. You can sign the zone with more than one zone signing key or key signing key pair.
  - To unsign the zone, clear the check boxes for the keys (zone signing key and key signing key) with which you want to unsign the zone. You can unsign the zone with more than one zone signing key or key signing key pair.
- Click OK.
View the NSEC records for a given record in a zone
You can view the NSEC records that the NetScaler automatically creates for each owner name in the zone.
View the NSEC record for a given record in a zone by using the CLI
At the command prompt, type the following command to view the NSEC record for a given record in a zone:
show dns nsecRec [<hostName> | -type (ADNS | PROXY | ALL)]
Example:
> show dns nsecRec example.com
1) Domain Name : example.com
Next Nsec Name: ns1.example.com
Record Types : NS SOA DNSKEY RRSIG NSEC
Done
View the NSEC record for a given record in a zone by using the GUI
- Navigate to Traffic Management > DNS > Records > Next Secure Records.
- In the details pane, click the name of the record for which you want to view the NSEC record. The NSEC record for the record you select is displayed in the Details area.
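To make the NSEC mechanics concrete, the following Python is an added example, not NetScaler code and not part of the original page. It rebuilds the NSEC chain that signing produces for the example.com zone of this page (SAMPLE_ZONE is constructed from the show dns zone output above), finds the NSEC record that proves a queried name does not exist, and then follows the Next Nsec Name pointers to enumerate the zone, which is exactly what an attacker does against an NSEC-signed zone. Canonical name ordering and type ordering follow RFC 4034; the type number table is limited to the types used here.

```python
"""NSEC chain construction, denial-of-existence lookup and zone walking
(RFC 4034 sections 4 and 6.1). Added example, not NetScaler code. Standard library only.
"""

# RR type numbers, used to order the NSEC type bitmap the way the wire format does.
TYPE_NUM = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28,
            "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}

# Constructed zone contents, matching the unsigned example.com zone on this page.
SAMPLE_ZONE = {
    "example.com": {"NS", "SOA", "DNSKEY"},
    "ns1.example.com": {"A"},
    "ns2.example.com": {"A"},
}


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels compared
    right to left, case-insensitively, with a shorter name sorting first."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def build_nsec_chain(zone: dict) -> dict:
    """Return {owner: (next_owner, [types])} as the signer would emit.
    Signing adds RRSIG and NSEC at every name; the last name points back to the apex."""
    names = sorted(zone, key=canonical_key)
    chain = {}
    for i, owner in enumerate(names):
        types = set(zone[owner]) | {"RRSIG", "NSEC"}
        chain[owner] = (names[(i + 1) % len(names)], sorted(types, key=TYPE_NUM.__getitem__))
    return chain


def nsec_covers(owner: str, next_owner: str, qname: str, apex: str) -> bool:
    """True if the NSEC record owner -> next_owner proves that qname does not exist."""
    q = canonical_key(qname)
    lo, hi = canonical_key(owner), canonical_key(next_owner)
    if hi == canonical_key(apex):  # last NSEC in the chain wraps around to the apex
        return lo < q
    return lo < q < hi


def proof_of_nonexistence(chain: dict, qname: str, apex: str):
    """Owner name of the NSEC record that covers qname, or None if qname exists."""
    if qname.rstrip(".").lower() in {n.lower() for n in chain}:
        return None
    for owner, (next_owner, _types) in chain.items():
        if nsec_covers(owner, next_owner, qname, apex):
            return owner
    return None


def walk_zone(chain: dict, apex: str) -> list:
    """Enumerate every owner name by following NSEC next pointers from the apex."""
    names = [apex]
    current = chain[apex][0]
    while current != apex:
        names.append(current)
        current = chain[current][0]
    return names


if __name__ == "__main__":
    chain = build_nsec_chain(SAMPLE_ZONE)
    for owner, (next_owner, types) in chain.items():
        print(f"{owner} NSEC {next_owner} {' '.join(types)}")
    print("ns10.example.com is denied by:", proof_of_nonexistence(chain, "ns10.example.com", "example.com"))
    print("walked:", walk_zone(chain, "example.com"))
```

The first NSEC record the script prints corresponds to the show dns nsecRec output above (example.com, next name ns1.example.com). In a real zone the walk is done with queries for names that fall between existing ones, reading the next owner from each NSEC in the negative answer; the script skips the queries because the whole chain is already in memory.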
Remove a DNS key
Remove a key from the zone in which it is published when the key has expired or if the key has been compromised. When you remove a key from the zone, the zone is automatically unsigned with the key. Removing the key with this command does not remove the key files present in the /nsconfig/dns/ directory. If the key files are no longer needed, they have to be explicitly removed from the directory.
Remove a key from the NetScaler by using the CLI
At the command prompt, type the following command to remove a key and verify the configuration:
- rm dns key <keyName>
- show dns key <keyName>
Example:
> rm dns key example.com.zsk
Done
> show dns key example.com.zsk
ERROR: No such resource [keyName, example.com.zsk]
Remove a key from the NetScaler by using the GUI
- Navigate to Traffic Management > DNS > Keys.
- In the details pane, click the name of the key that you want to remove from the ADC, and then click Remove.
Revoke a DNS key
Although the key rollover is usually scheduled in advance, sometimes it becomes necessary to roll over the key immediately if the key is suspected to be compromised. In such cases, the compromised key must be phased out quickly before the new key can be activated. To ensure a smooth transition, it is recommended to keep a secondary key in a ready state, which can be activated immediately in case the key is compromised. By using the revoke key method, you can save time in activating the secondary key and removing the compromised key.
Note:
If you revoke a key, it remains in the system unless you explicitly delete it. If the auto-rollover option is set, the system rolls the key over automatically after the configured expiration date if you do not delete it manually. During the auto-rollover process, a new key is created for you to use.
Enable revoke using CLI
At the command prompt, type:
set dns key <keyName> [-revoke]
Example:
set dns key secure.example.zsk -revoke
Enable revoke using GUI
- Navigate to Traffic Management > DNS > Keys.
- In the details pane, click the key that you want to configure, and then click Open.
- In the Configure DNS Key page, select or clear Revoke.
- Click Ok.
Automatic key rollover
In NetScaler, you can automate the key rollover process based on the configured frequency period. By automating the rollover process, you can rule out the chances of missing the rollover of keys. NetScaler takes care of creating keys, publishing, activating, signing, and un-signing the key, and removing the old key automatically if the automatic rollover option is enabled. Also, SNMP notification about the addition, activation, and removal of the old key is sent.
Note:
If the zone transfer parameter is enabled in GSLB sites, the rollover keys are transferred to all the GSLB sites.
If you are upgrading from a build that doesn’t support the zone transfer to one that supports it, enable the rollover feature for an existing key. Before enabling the key rollover option, ensure that the key has not expired.
Configure automatic key rollover using CLI
At the command prompt, type:
set dns key <keyName> [-autoRollover (ENABLED | DISABLED)] [-RolloverMethod <PrePublication | DoubleSignature | DoubleRRset>]
Example:
set dns key secure.example.zsk -autoRollover ENABLED -RolloverMethod PrePublication
Configure automatic key rollover using GUI
- Navigate to Traffic Management > DNS > Keys.
- In the details pane, click the key that you want to configure, and then click Open.
- In the Configure DNS Key page, update the following parameters:
- Auto Rollover - Enable the option to automate the key rollover.
- Rollover Method - Select a rollover method.
- Click Ok.
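The expires, notificationPeriod and TTL values set on a key are only a safe combination if the notification arrives early enough to pre-publish a successor. The following Python is an added example, not NetScaler code and not the appliance's internal rollover scheduler (which this page does not describe); it applies the pre-publication rollover timing rules of RFC 6781 to the values given to add dns key and set dns key. The publication date, the one-day TTL assumed for the signed records and the one-hour propagation slack are constructed assumptions.

```python
"""Key lifetime versus pre-publication rollover timing (RFC 6781 section 4.1.1.1).

Added example, not NetScaler code. Two constraints make a pre-publication rollover safe:
the successor DNSKEY must be in every cache before the old key stops signing, and the old
DNSKEY must stay published until every RRSIG it produced has aged out of caches.
"""
from datetime import datetime, timedelta, timezone


def rollover_plan(published_at: datetime, expires_days: float, notification_days: float,
                  dnskey_ttl_secs: int, max_rrsig_ttl_secs: int,
                  propagation_secs: int = 3600) -> dict:
    """Timeline for a key whose successor is created when the expiry notification fires.
    Units follow the add/set dns key parameters: -expires and -notificationPeriod in days
    (the unit used in the page's example), -TTL in seconds. propagation_secs is an assumed
    slack for secondaries and caches to pick up a change."""
    expiry = published_at + timedelta(days=expires_days)
    notify_at = expiry - timedelta(days=notification_days)
    # A successor published at notify_at may sign only once every cache can hold its DNSKEY.
    successor_active = notify_at + timedelta(seconds=dnskey_ttl_secs + propagation_secs)
    # The old DNSKEY must remain published until its last RRSIG has left all caches.
    old_key_removable = expiry + timedelta(seconds=max_rrsig_ttl_secs + propagation_secs)
    return {
        "expiry": expiry,
        "notify_at": notify_at,
        "successor_active": successor_active,
        "old_key_removable": old_key_removable,
        # False: the notification period is too short for a clean pre-publication rollover
        "ok": successor_active <= expiry,
    }


def min_notification_secs(dnskey_ttl_secs: int, propagation_secs: int = 3600) -> int:
    """Smallest -notificationPeriod that still lets a successor propagate before expiry."""
    return dnskey_ttl_secs + propagation_secs


def page_example_plan(notification_days: float = 3) -> dict:
    """The page's set dns key values (-expires 30 DAYS -notificationPeriod 3 DAYS -TTL 3600)
    from a constructed publication date, assuming signed records carry a one-day TTL."""
    return rollover_plan(datetime(2024, 1, 1, tzinfo=timezone.utc), 30, notification_days, 3600, 86400)


if __name__ == "__main__":
    for key, value in page_example_plan().items():
        print(f"{key:>18}: {value}")
```

With the page's values the notification fires three days before expiry, the successor can sign two hours later, and the retiring DNSKEY may be removed one day and one hour after expiry. Shrink the notification period below the DNSKEY TTL plus propagation and ok flips to False, which is the condition under which resolvers would see signatures from a key they have not yet cached.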
SNMP Alarm
You can enable the SNMP alarm for DNSSEC key events when auto-rollover is enabled. When you enable the SNMP alarm, NetScaler generates a corresponding alarm (DNSSEC-KEY-AUTOMGMT-STATUS-SUCCESS or DNSSEC-KEY-AUTOMGMT-STATUS-FAILURE) based on whether the event succeeded or failed. For example, when you create a DNSSEC key and the create event succeeds, a DNSSEC-KEY-AUTOMGMT-STATUS-SUCCESS alarm is generated.
For more information on SNMP alarms, see Configuring the NetScaler to generate SNMP traps (/en-us/citrix-adc/current-release/system/snmp/generating-snmp-traps-on-citrix-adc.html).
DNS Zone Transfer
To synchronize the DNSSEC keys with other DNS servers, you must enable the Zone Transfer parameter. Synchronizing the keys from one DNS server to the other DNS servers in the GSLB setup is possible only if the AutomaticConfigSync option is enabled. For more information on real-time synchronization, see Real-time synchronization between sites participating in GSLB. For more information on synchronization in general, see Synchronize the configuration in a GSLB setup.
DNS zone transfer is possible on the NetScaler only where GSLB is configured. Ensure that you configure GSLB for each DNS server in a different location.
Enable or disable zone transfer using CLI
At the command prompt, type:
set dns parameter -ZoneTransfer (ENABLED | DISABLED)
Example:
set dns parameter -ZoneTransfer ENABLED
Done
Enable or disable zone transfer using GUI
- Navigate to Traffic Management > DNS.
- In the details pane, under Settings, click Change DNS settings.
- In the Configure DNS Parameters page, select or clear Zone Transfer.