Manuals / Citrix Systems / Computer Equipment / Network Router

Citrix Systems CITRIX NETSCALER 9.3 manual Creating Custom Command Policies, Policy name, Allows

Models: CITRIX NETSCALER 9.3

1 195

Download 195 pages 43.21 Kb

Page 28

Chapter 1	Authentication and Authorization

	Table 1-1.Built-in Command Policies

	Policy name	Allows

	read-only	Read-only access to all show commands
		except show runningconfig, show
		ns.conf, and the show commands for
		the NetScaler command group.

	operator	Read-only access and access to
		commands to enable and disable services
		and servers or place them in
		ACCESSDOWN mode.

	network	Full access, except to the set and unset
		SSL commands, sh ns.conf, sh
		runningconfig, and sh gslb
		runningconfig commands.

	superuser	Full access. Same privileges as the
		nsroot user.

Creating Custom Command Policies

Regular expression support is offered for users with the resources to maintain more customized expressions, and for those deployments that require the flexibility that regular expressions offer. For most users, the built-in command policies are sufficient. Users who need additional levels of control but are unfamiliar with regular expressions may want to use only simple expressions, such as those in the examples provided in this section, to maintain policy readability.

When you use a regular expression to create a command policy, keep the following in mind.

wWhen you use regular expressions to define commands that will be affected by a command policy, you must enclose the commands in double quotation marks. For example, to create a command policy that includes all commands that begin with show, type the following:

"^show .*$"

To create a command policy that includes all commands that begin with rm, type the following:

"^rm .*$"

wRegular expressions used in command policies are not case sensitive.

The following table lists examples of regular expressions:

28

Image 28

Citrix Systems CITRIX NETSCALER 9.3 Creating Custom Command Policies, 1. Built-in Command Policies, Policy name, Allows

Contents

Citrix NetScaler Administration Guide Citrix NetScalerCopyright and Trademark Notice All rights reserved Last Updated March Document code May 21 Page 1 Authentication and Authorization ContentsPreface Contents 2 SNMPCitrix NetScaler Administration Guide Enabling Unconditional SNMP Trap LoggingContents viii3 Audit Logging Citrix NetScaler Administration Guide 4 Web Server LoggingContents Installing and Configuring the Client System for Web Server Logging. . . . . . . . . . . . . . . . . . . . . 96 Installing NSWL Client on a Solaris Operating System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97 To install the NSWL client package on a Solaris operating system. . . . . . . . . . . . . . 97 To uninstall the NSWL client package on a Solaris operating systemCitrix NetScaler Administration Guide Configuring TCP Window Scaling xi5 Advanced Configurations Contents Specifying the MSS Value in a TCP Profile xiiiCitrix NetScaler Administration Guide 6 Web InterfaceEnabling AppFlow for Virtual Servers 179 xivContents 7 AppFlowCitrix NetScaler Administration Guide 8 Reporting ToolContents Preface Formatting Conventions for NetScaler DocumentationIn This Preface Table 1. Formatting ConventionsDocumentation Available on the NetScaler Appliance PrefaceTo view the documentation ConventionNetScaler Documentation Feedback Getting Service and SupportTo provide feedback at the Knowledge Center home page Preface Authentication and Authorization Configuring Users and Groups Configuring Command PoliciesResetting the Default Administrator nsroot Password Example of a User Scenario Configuring External User AuthenticationConfiguring Users and Groups Configuring User AccountsTo create a user account by using the NetScaler command line w show system user ExampleParameters for configuring a user account password Passwordtimeout CLI Idle Session Timeout Secs userName User NameConfiguring User Groups To configure a user account by using the configuration utilityTo create a user group by using the NetScaler command line Password Confirm Password CLI Prompt CLI Idle Session Timeout SecsTo modify or remove a user group by using the NetScaler command line To bind a user to a group by using the NetScaler command lineTo unbind a user from a group by using the NetScaler command line w show system group groupName ExampleParameters for configuring a user group To configure a user group by using the configuration utilityw show system group groupName groupName Group NameBuilt-in Command Policies Configuring Command PoliciesCLI Prompt CLI Idle Session Timeout Secs Creating Custom Command Policies Table 1-1. Built-in Command Policiesexcept show runningconfig, show runningconfig, and sh gslbTable 1-2. Examples of Regular Expressions for Command Policies Command specificationMatches these commands Table 1-3. Expressions Used in the Built-in Command PoliciesTo create a command policy by using the NetScaler command line Parameters for configuring a command policyw sh system cmdPolicy Example policynameBinding Command Policies to Users and Groups To configure a command policy by using the configuration utilityParameters for binding a command policy to a user To bind command policies to a user by using the configuration utilityw sh system user userName Example w sh system user userNameParameters for binding a command policy to a group Resetting the Default Administrator nsroot Password To reset the nsroot passwordExample of a User Scenario fsck /dev/ad0s1a mount /dev/ad0s1a /flashConfiguration steps modifyall with action as Allow and the command spec \S+\s+?!systemTable 1-4. Sample Values for Creating Entities FieldConfiguring External User Authentication Configuring LDAP Authentication Table 1-5. User Attribute Fields for LDAP Servers LDAP serverUser attribute Case sensitive?To configure LDAP authentication by using the configuration utility 4. In Authentication Type, select LDAP. Next to Server, click NewLDAP server Bind DNDetermining attributes in the LDAP directory Configuring RADIUS Authentication To configure RADIUS authentication by using the configuration utilityChoosing RADIUS authentication protocols 4. In Authentication Type, select RADIUSTo configure IP address extraction by using the configuration utility Configuring IP address extraction4. Under Details, in Group Vendor Identifier, type the value Configuring NT4 Authentication Configuring TACACS+ Authentication4. In Authentication Type, select TACACS Binding the Authentication Policies to the System Global Entity To configure NT4 authentication by using the configuration utilityChapter 1 Authentication and Authorization 2. On the Policies tab, click Global BindingsConfiguring the NetScaler to Generate SNMPv1 and SNMPv2 Traps Configuring the NetScaler for SNMP v1 and v2 QueriesConfiguring SNMP Alarms for Rate Limiting Configuring the NetScaler for SNMPv3 QueriesImporting MIB Files to the SNMP Manager and Trap Listener Configuring the NetScaler to Generate SNMPv1 and SNMPv2 TrapsTo import the MIB files to the SNMP manager and trap listener Enabling or Disabling an SNMP Alarm To enable or disable an SNMP alarm by using the command lineTo enable or disable an SNMP alarm by using the configuration utility w enable snmp alarm alarm name w sh snmp alarm alarm nameConfiguring Alarms To configure an SNMP alarm by using the command lineParameters for configuring SNMP alarms w sh snmp alarm alarm NameTo configure SNMP alarms by using the configuration utility Configuring TrapsTo add an SNMP trap by using the NetScaler command line Parameters for configuring SNMP traps To configure SNMP Traps by using the configuration utilityw show snmp trap trapClassw set snmp option -snmpTrapLogging ENABLED DISABLED Enabling Unconditional SNMP Trap LoggingDestination IP Address*-trapDestination Destination Port-destPort Source IP Address-srcIP Minimum Severity-severityConfiguring the NetScaler for SNMP v1 and v2 Queries Specifying an SNMP ManagerParameters for unconditional SNMP trap logging SnmpTrapLogging SNMP Trap Loggingw show snmp manager To add an SNMP manager by using the NetScaler command linew show snmp manager IPAddress Parameters for configuring an SNMP managerw show snmp manager To add an SNMP manager by using the configuration utility netmaskdomainResolveRetry IP Address*-IPAddressTo specify an SNMP community by using the NetScaler command line Parameters for configuring an SNMP community stringSpecifying an SNMP Community w sh snmp communityConfiguring SNMP Alarms for Rate Limiting Configuring an SNMP Alarm for Throughput or PPSTo remove an SNMP community string by using the configuration utility Community String*-communityNamew show snmp alarm PF-RL-RATE-THRESHOLD Parameters for configuring an SNMP alarm for throughput or PPS w show snmp alarm PF-RL-PPS-THRESHOLDthresholdValue normalValueConfiguring SNMP Alarm for Dropped Packets Configuring the NetScaler for SNMPv3 Queries Parameters for configuring an SNMP alarm for dropped packetsstate severitySetting the Engine ID Configuring a View To set the engine ID by using the NetScaler command lineParameters for setting the engine ID To set the engine ID by using configuration utilityConfiguring a Group Parameters for configuring an SNMP viewTo configure an SNMP view by using the configuration utility To add an SNMP group by using the NetScaler command lineConfiguring a User Parameters for configuring an SNMP groupTo configure an SNMP group by using the configuration utility To configure a user by using the NetScaler command lineParameters for configuring an SNMP user To configure an SNMP user by using the configuration utilityName*-name Group Name*-group Authentication Type-authType Authentication Password-authPasswd Privacy Type-privTypeCitrix NetScaler Administration Guide A required parameter 4. Click Create or OK, and then click CloseChapter 2 SNMP Configuring the NetScaler Appliance for Audit Logging Installing and Configuring the NSLOG Server Running the NSLOG ServerDefault Settings for the Log Properties Sample Configuration File audit.confChapter 3 Audit Logging Configuring the NetScaler Appliance for Audit Logging Configuring Audit ServersTo configure a SYSLOG server action by using the command line w show audit syslogAction nameTo configure an NSLOG server action by using the command line Parameters for configuring auditing serversw show audit nslogAction name serverIPERROR Log levels defineddateFormat logFacilityConfiguring Audit Policies To configure an auditing server actionTo configure a SYSLOG policy by using the command line User Configurable Log Messages-userDefinedAuditlogTo configure an NSLOG policy by using the command line Parameters for configuring audit policiesw add audit syslogPolicy name rule action w show audit syslogPolicy nameTo configure an audit server policy Binding the Audit Policies GloballyParameters for binding the audit policies globally Name* name Server* actionConfiguring Policy-Based Logging Configuring an Audit Message ActionTo create an audit message action by using the NetScaler command line To globally bind the audit policyParameters for configuring an audit message action bypassSafetyCheckExample stringBuilderExprBinding Audit Message Action to a Policy Installing and Configuring the NSLOG ServerName*-name Log Level*-logLevel Installing NSLOG Server on the Linux Operating System To install the NSLOG server package on a Linux operating systemTable 3-1. Supported Platforms for the NSLOG Server Operating systemInstalling NSLOG Server on the FreeBSD Operating System To uninstall the NSLOG server package on a Linux operating systemInstalling NSLOG Server Files on the Windows Operating System To install the NSLOG server package on a FreeBSD operating systemTo uninstall the NSLOG server package on a FreeBSD operating system pkgadd audserverbsd-release number-build number.tgz ExampleTo install NSLOG server on a Windows operating system Citrix NetScaler Administration GuideNSLOG Server Command Options To uninstall the NSLOG server on a Windows operating systemAudit server commands audserver -removeAdding the NetScaler Appliance IP Addresses on the NSLOG Server To add the IP addresses of the NetScaler applianceAudit server commands audserver -removeVerifying the NSLOG Server Configuration File To stop audit server logging that starts as a service in WindowsRunning the NSLOG Server To start audit server loggingCreating Filters Customizing Logging on the NSLOG ServerTo create a filter Example Specifying Log PropertiesExample Default Settings for the Log Properties ExampleExample ExampleExample Sample Configuration File audit.confExample Configuring the NetScaler Appliance for Web Server Logging Installing and Configuring the Client System for Web Server LoggingSample Configuration File Arguments for Defining a Custom Log Format Web Server LoggingConfiguring the NetScaler Appliance for Web Server Logging w enable ns feature WL w disable ns feature WL w sh ns featureEnabling or Disabling Web Server Logging Web LoggingModifying the Default Buffer Size To modify the buffer size by using the NetScaler command lineParameter for modifying the buffer size w sh weblogparam ExampleInstalling and Configuring the Client System for Web Server Logging To modify the buffer size by using the configuration utilityTable 4-1. Supported Platforms for the NSWL Client VersionInstalling NSWL Client on a Solaris Operating System To install the NSWL client package on a Solaris operating systemHardware requirements cp pathtocd/Utilities/weblog/Solaris/NSweblog.tar /tmpInstalling NSWL Client on a Linux Operating System To uninstall the NSWL client package on a Solaris operating systemTo install the NSWL client package on a Linux operating system cd /tmpInstalling NSWL Client on a FreeBSD Operating System To uninstall the NSWL client package on a Linux operating systemTo view the installed Web server logging files To install the NSWL client package on a FreeBSD operating systemInstalling NSWL Client on a Mac OS Operating System To uninstall the NSWL client package on a FreeBSD operating systemTo install the NSWL client package on a Mac OS operating system pkgdelete NSweblogInstalling NSWL Client on a Windows Operating System To uninstall the NSWL client package on a Mac OS operating systemTo install the NSWL client on a Windows system pkgdelete NSweblogInstalling NSWL Client on an AIX Operating System To uninstall the NSWL client on a Windows systemTo install the NSWL client package on an AIX operating system To uninstall the NSWL client package on an AIX operating systemNSWL Client Command Options Table 4-3. NSWL Command OptionsNSWL command To view the installed Web server logging filesAdding the IP Addresses of the NetScaler Appliance To add the NSIP address of the NetScaler appliancenswl -addns -f directorypath \log.conf NSWL commandVerifying the NSWL Configuration File To verify the configuration in the NSWL configuration fileRunning the NSWL Client Customizing Logging on the NSWL Client SystemTable 4-4. Parameters for Creating a Filter ParameterCreating Filters SpecifiesTo create a filter for a virtual server To create a filter, enter the following command in the log.conf fileSpecifying Log Properties To create a filterExample Chapter 4 Web Server LoggingExample Understanding the NCSA and W3C Log Formats NCSA Common Log FormatExample ExampleW3C Extended Log Format Table 4-5. NCSA Common Log FormatArgument SpecifiesEntries DirectivesTable 4-6. Directive Descriptions DirectiveFields IdentifiersTable 4-7. Prefix Descriptions PrefixTable 4-8. W3C Extended Log Format Identifiers No Prefix Required IdentifierTable 4-9. W3C Extended Log Format Identifiers Requires a Prefix Table 4-10. W3C Extended Log File Format Allows Log FieldsCreating a Custom Log Format by Using the NSWL Library Creating a Custom Log FormatField DescriptionCreating a Custom Log Format Manually To create the custom log format by using the NSWL LibraryExample Sample Configuration File Creating Apache Log FormatsCitrix NetScaler Administration Guide Arguments for Defining a Custom Log Format Table 4-11. Custom Log FormatArgument Specifiesb d g h H Foobari j J l m M Foobaro p q ArgumentSpecifies r s t formatt T u U v V V6 ArgumentSpecifies Time Format Definition Table 4-12. Time Format DefinitionArgument SpecifiesArgument Chapter 4 Web Server LoggingSpecifies Citrix NetScaler Administration Guide Chapter 4 Web Server Logging Advanced Configurations Configuring Clock Synchronization Viewing the System Date and TimeConfiguring TCP Window Scaling Configuring Selective Acknowledgment Clearing the Configuration Viewing the HTTP Band StatisticsTo add an NTP server by using the NetScaler command line Configuring Clock Synchronizationw show ntp server Example To modify or remove NTP servers by using the NetScaler command line Parameters for configuring an NTP serverTo configure an NTP server by using the configuration utility serverNamew enable ntp sync w disable ntp sync Configuring Clock Synchronization ManuallyStarting or Stopping the NTP Daemon To view the system date and time by using the NetScaler command line usr/sbin/ntpd -c /nsconfig/ntp.conf -l /var/log/ntpd.logshow ns config Example Viewing the System Date and TimeTo view the system date and time by using the configuration utility Configuring TCP Window ScalingSystem Time Tue Feb 165044 To configure window scaling by using the NetScaler command line Parameters for configuring window scalingw show ns tcpParam Example WSValConfiguring Selective Acknowledgment To configure window scaling by using the configuration utilityENABLED SACK statusTo enable SACK by using the Configuration Utility Clearing the ConfigurationTo clear a configuration by using the NetScaler command line Parameters for clearing a configuration To clear a configuration by using the configuration utilityViewing the HTTP Band Statistics levelTo modify the band range by using the NetScaler command line Configuring HTTP Profiles To modify the band range by using the configuration utilityTo add an HTTP profile by using the NetScaler command line Table 5-1. Built-in HTTP ProfilesENABLED DISABLED w sh ns httpProfile Example Parameters for adding an HTTP profilename Name maxReusePool Max Connection in reusepoolConfiguring TCP Profiles To add an HTTP profile by using the configuration utilityTable 5-2. Built-in TCP Profiles Built-in profileBuilt-in profile To add a TCP profile by using the NetScaler command lineDescription Parameters for creating a TCP profile w sh ns tcpProfile ExampleWS Window Scaling WSVal FactorTo add a TCP profile by using the configuration utility pktPerRetx Maximum Packets per RetransmissionminRTO Minimum RTO in millisec slowStartIncr Slow Start IncrementSpecifying a TCP Buffer Size Use Nagles Algorithm Immediate ACK on Receiving Packet with PUSHw set ns tcpProfile name -bufferSize positiveinteger w show ns tcpProfile namew set ns tcpProfile nstcpdefaultprofile -bufferSize positiveinteger w show ns tcpProfile nstcpdefaultprofileExample 12000bufferSize Parameters for setting the TCP buffer size in a TCP profilename Specifying the MSS Value in a TCP Profile Parameters for specifying the MSS value in a TCP profileConfiguring the NetScaler to Learn the MSS Value from Bound Services w set ns tcpParam -learnVsvrMSS ENABLEDDISABLED w show ns tcpParamLearn MSS for VServer ENABLEDlearnVsvrMSS Chapter 5 Advanced Configurations How Web Interface Works Prerequisites Installing the Web Interface Configuring the Web InterfaceWeb Interface ChapterPrerequisites How Web Interface WorksFigure 6-1. A Basic Web Interface Session Installing the Web Interface ExampleConfiguring the Web Interface Parameters for installing the Web interface and JRE tar filesWeb Interface tar file path JRE tar file pathParameters for configuring Web interface sites Site TypeSite Path Published Resource TypeAuthentication Point Access Gateway URLPort Gateway Direct ModeConfiguring a Web Interface Site for LAN Users Using HTTP XML Service AddressesXML Service Port TransportFigure 6-2. A Web Interface Site Configured for LAN Users Using HTTP Site Type Published Resource Type Kiosk ModeXML Service Addresses XML Service Port Transport Load Balance Virtual Server Protocol select HTTPS IP Address PortExample ExampleExample ExampleConfiguring a Web Interface Site for LAN Users Using HTTPS Figure 6-3. A Web Interface Site Configured for LAN Users Using HTTPSSite Type Published Resource Type Kiosk Mode Chapter 6 Web InterfaceVirtual Server Protocol select HTTPS IP Address Port XML Service Addresses XML Service Port Transport Load Balance ExampleExample ExampleExample ExampleExample ExampleExample Configuring a Web Interface Site for Remote Users Using AGEEExample Site Type Published Resource Type Kiosk Mode Authentication Point Access Gateway URL Add DNS Entry Trust SSL Certificate STA Server URL STA Server URLSession Reliability Use two STA Servers XML Service Addresses XML Service Port Transport Load BalanceExample Chapter 6 Web InterfaceExample How AppFlow Works Configuring the AppFlow Feature AppFlowChapter TopicsHow AppFlow Works Figure 7-1. NetScaler Flow SequenceFlow Records TemplatestransactionID connectionIDConfiguring the AppFlow Feature httpRequestSizehttpRequestURL httpUserAgentEnabling or Disabling the AppFlow Feature To enable the AppFlow feature by using the configuration utilityTo specify a collector by using the NetScaler command line w enable ns feature appflow w disable ns feature appflowConfiguring an AppFlow Action To remove a collector by using the NetScaler command lineTo specify a collector by using the configuration utility To configure an AppFlow action by using the NetScaler command lineParameters for configuring an AppFlow action Done show appflow action 1 Name apfl-act-collector-1Collectors collecter-1 Hits Action Reference Count 2 Name apfl-act-collector-2-and-3 Collectors collector-2, collecter-3Configuring an AppFlow Policy To configure an AppFlow action by using the configuration utilityTo configure an AppFlow policy by using the NetScaler command line w show appflow policy nameParameters for configuring an AppFlow policy namerule actionTo configure an AppFlow policy by using the configuration utility To add an expression by using the Add Expression dialog boxHTTP commentCLIENT Binding an AppFlow Policyw show appflow global To globally bind an AppFlow policy by using the configuration utility Parameters for binding an AppFlow policygotoPriorityExpression invoke Invoke flag labelTypeTo enable AppFlow for a virtual server by using the NetScaler command lineEnabling AppFlow for Virtual Servers 6. Click Apply ChangesEnabling AppFlow for a Service Setting the AppFlow ParametersTo enable AppFlow for a service by using the NetScaler command line To enable AppFlow for a service by using the configuration utilityAppFlow Parameters w show appflowParamtemplateRefresh appnameRefreshTo set the AppFlow parameters by using the configuration utility httpCookiehttpReferer httpMethodUsing the Reporting Tool Reporting ToolStopping and Starting the Data Collection Utility ChapterUsing the Reporting Tool Figure 8-1. Report Toolbar Figure 8-2. Chart ToolbarTo invoke the Reporting tool Working with ReportsUsing Built-in Reports Creating and Deleting ReportsTo display a built-in report To create a custom reportModifying the Time Interval To delete a custom reportTable 8-1. Time Intervals Time intervalSetting the Data Source and Time Zone Exporting and Importing Custom ReportsTo modify the time interval To set the data source and time zoneWorking with Charts Adding a ChartModifying a Chart To add a chart to a reportTo change the graph type of a chart Viewing a ChartTo refocus a chart with detailed data To scroll through time in a chart To change the background color and text color of a chartTo customize the axes of a chart To view numeric data for a graphTo change the color and graph type of a data set Exporting Chart Data to ExcelCitrix NetScaler Administration Guide Deleting a Chart To delete a chartTo export chart data to Excel ExamplesTable 8-2. Limits on Entity Numbers Retrieved by nscollect Entity nameLimit Stopping and Starting the Data Collection UtilityTo stop nscollect To start nscollect on the local systemnetscaler/nscollect stop Entity namenetscaler/nscollect start -U 10.102.29.170nsrootnsroot -ds default To start nscollect on the remote systemnetscaler/nscollect start Citrix NetScaler Administration Guide