Factory reset Netscaler SDX

Log into the SDX and go to Configuration > Management Service > Backup Files > Action > Factory Reset

You will be presented with the following three options

Factory Reset Options Explained:

Reset (Without Network Configuration): Retains the IP addresses of the Management Service and XenServer. This option destroys all VPXs and wipes the licence file and certificates, but keeps the current active firmware of the SDX. It also keeps SDX network configuration such as LACP bonds.

Reset (With Network Configuration): The Management Service and XenServer restart with the default IP addresses (192.168.100.1 for the SDX Management and 192.168.100.2 for XenServer). This option destroys all VPXs and wipes the licence file and certificates, but keeps the current active firmware of the SDX.

Appliance Reset: Completely wipes the device. You lose everything configured (network, certs, VPXs, licenses etc.), and the appliance also reverts its firmware to the version it was delivered with.

Score A+ on SSLlabs.com the easy way

Change the following variables to match your NetScaler deployment:

  • %vServer% to the VIP name of your access gateway
  • “VPX_Group %OR% MPX_Group” – Choose the cipher group to bind, either VPX or MPX

Copy and paste the script via PuTTY into your NetScaler CLI

—————Start – Do Not Copy This Line—————
set ssl vserver %vServer% -ssl3 disabled -tls11 enabled -tls12 enabled

create ssl dhparam DH-Key 2048 -gen 2
set ssl vserver %vServer% -dh ENABLED -dhFile "/nsconfig/ssl/DH-Key" -dhCount 1000 -eRSA DISABLED

add ssl cipher "MPX_Group"
add ssl cipher "VPX_Group"

bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES256-GCM-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES-256-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES-128-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName SSL3-DES-CBC3-SHA

bind ssl cipher "VPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher "VPX_Group" -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName SSL3-DES-CBC3-SHA

unbind ssl vserver %vServer% -cipherName ALL
bind ssl vserver %vServer% -cipherName "VPX_Group %OR% MPX_Group"
bind ssl vs %vServer% -eccCurveName ALL

add rewrite action act_sts_header insert_http_header Strict-Transport-Security q/"max-age=157680000"/
add rewrite policy pol_sts_force true act_sts_header
bind vpn vserver %vServer% -policy pol_sts_force -priority 100 -gotoPriorityExpression END -type RESPONSE

—————End – Do Not Copy This Line—————

Once the script has completed, check your server status at Qualys SSL Labs.
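A review aid for the cipher groups above, added here as an example and not part of the original script: it parses `bind ssl cipher` lines and flags 3DES, DSS, static-RSA and non-AEAD suites by name, so the groups can be trimmed before they are bound. The name heuristics are assumptions that cover only the cipher names used on this page, and the sample input is constructed from the script's own lines.

```python
import re

# Matches the page's: bind ssl cipher "<group>" -cipherName <name>
BIND_RE = re.compile(r'^bind ssl cipher\s+"?([^"\s]+)"?\s+-cipherName\s+(\S+)', re.I)

def classify(cipher):
    """Findings for one NetScaler cipher name (heuristics for this page's names)."""
    name, findings = cipher.upper(), []
    if "DES-CBC3" in name:
        findings.append("3DES: 64-bit block cipher")
    if "-DSS-" in name:
        findings.append("DSS authentication: only usable with a DSA certificate")
    if "DHE" not in name:  # "DHE" also matches ECDHE
        findings.append("static RSA key exchange: no forward secrecy")
    if "GCM" not in name:  # every non-GCM name on this page is a CBC suite
        findings.append("CBC mode: not an AEAD suite")
    return findings

def audit(config_text):
    """Return {group: {cipher: [findings]}} for every bind line in config_text."""
    report = {}
    for line in config_text.splitlines():
        m = BIND_RE.match(line.strip())
        if m:
            group, cipher = m.groups()
            report.setdefault(group, {})[cipher] = classify(cipher)
    return report

# Constructed sample: the VPX_Group binds plus three MPX_Group binds from the script.
SAMPLE = '''
bind ssl cipher "VPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher "VPX_Group" -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher "VPX_Group" -cipherName SSL3-DES-CBC3-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA
bind ssl cipher "MPX_Group" -cipherName TLS1.2-AES128-GCM-SHA256
bind ssl cipher "MPX_Group" -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
'''

if __name__ == "__main__":
    for group, ciphers in audit(SAMPLE).items():
        for cipher, findings in ciphers.items():
            print(f"{group:10} {cipher:40} {'; '.join(findings) or 'ok'}")
```

Ciphers that come back with no findings are the forward-secret AEAD suites; the rest are candidates for removal from the group, subject to what your clients still need.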

 

 

Provisioning Service 7.7 Setup

In the last week of 2015 Citrix released Provisioning Services 7.7. One of the best new features is that it is now officially supporting Windows 10 (Enterprise and Professional Edition) as a target device. Another cool new feature is that you can do an in-place upgrade (from version 7.6.1 or higher) and thus reverse-imaging belongs to […]

Source: Installing and Configuring Citrix Provisioning Service 7.7 and creating a vDisk – RobinHobo.com

Sealing a XenApp 7.6 PVS vDisk

  1. Run chkdsk C: and reboot
  2. Clean up event logs if they are not redirected to the cache disk:
    • Via PowerShell -> Get-EventLog -List |%{$_.clear()}
    • wevtutil cl system
  3. If vSphere is used, delete "ghost" NICs:
    • open an elevated prompt
    • type: "SET DEVMGR_SHOW_NONPRESENT_DEVICES=1" and validate
    • type: "Start devmgmt.msc" and validate
    • click on View and "Show Hidden Devices"
    • delete the "ghost" NICs
  4. Run slmgr.vbs /dlv to ensure a proper KMS server and license configuration
  5. If MS Distributed Transaction Service is installed, run msdtc.exe -reset
  6. If MS Message Queuing is installed, clear its cache:
    • NET STOP MQAC
    • NET STOP MSMQ
  7. Run Disk Cleanup on C: drive as elevated administrator
  8. Delete local profiles that are not required
  9. Stop Citrix Profile Manager service
  10. If Citrix Profile Manager is configured via GPO, check that its INI in C:\Program Files\Citrix\User Profile Manager has been renamed
  11. Delete Citrix Profile Manager logs from C:\Windows\System32\LogFiles\User Profile Manager if not redirected to the cache disk
  12. If using App-V or similar technology, check for updated App-V content to update the precache within the vDisk image
  13. Perform required “de-personalization” for your antivirus (refer to their KB, as the process will differ based on the vendor)
  14. Perform required “de-personalization” for your monitoring agent (SCOM, Tivoli..)
  15. Perform required “de-personalization” for your other agents (AppSense, RES, SCCM..)
  16. Perform a full antivirus scan on the virtual machine
  17. Stop Client DHCP service
  18. Run elevated : “regedit /s DHCP_clear.reg” (see Dave’s post)
  19. Perform a Defrag on the virtual machine
  20. PvD only: run inventory (with machine shutdown option ticked)
  21. Shutdown the machine if PvD is not used
  22. Perform a defrag of the VHD by mounting it in a WS2012R2 server

 

How to back up and restore NetScaler

CTX200418

How to Back Up and Restore NetScaler Appliance

Objective

This article explains how to back up and restore NetScaler appliance.

Background

You can back up the current state of a NetScaler appliance, and later use the backed up files to restore the appliance to the same state. You must use this feature before performing an upgrade or for precautionary reasons. A backup of a stable system enables you to restore the system to a stable point in the event that it becomes unstable.

Points to remember

  • You cannot use the backup file taken from one appliance to restore a different appliance.
  • You can back up and restore appliances in an HA setup, but ensure that you restore to the same appliance from which the backup file was created. For example, if the backup was taken from the primary appliance of the HA pair, when restoring ensure that the appliance you are restoring is the same appliance, even if it is no longer the primary appliance.
  • You cannot perform the back up and restore operation on a NetScaler cluster.

Instructions

Backing Up a NetScaler Appliance

Depending on the type of data to be backed up and the frequency at which you will create a backup, you can take a basic backup or a full backup.

  • Basic backup: Backs up only the configuration files. You might want to perform this type of backup frequently, because files it backs up change constantly. The files that are backed up are as follows:
    Directory /nsconfig/ (sub-directories or files):

    • ns.conf
    • ZebOS.conf
    • rc.netscaler
    • snmpd.conf
    • nsbefore.sh
    • nsafter.sh
    • monitors

    Directory /var/ (sub-directories or files):

    • download/*
    • log/wicmd.log
    • wi/tomcat/webapps/*
    • wi/tomcat/logs/*
    • wi/tomcat/conf/catalina/localhost/*
    • nslw.bin/etc/krb.conf
    • nslw.bin/etc/krb.keytab
    • netscaler/locdb/*
    • lib/likewise/db/*
    • vpn/bookmark/*
    • netscaler/crl
    • nstemplates/*
    • learnt_data/*

    Directory /netscaler/ (sub-directories or files):

    • custom.html
    • vsr.htm
  • Full backup: In addition to the files that are backed up by a basic backup, a full backup backs up some less frequently updated files. The files that are backed up when using the full backup are as follows:

    Directory /nsconfig/ (sub-directories or files):

    • ssl/*
    • license/*
    • fips/*

    Directory /var/ (sub-directories or files):

    • netscaler/ssl/*
    • wi/java_home/jre/lib/security/cacerts/*
    • wi/java_home/lib/security/cacerts/*

The backup is stored as a compressed TAR file in the /var/ns_sys_backup/ directory. To avoid issues because of non-availability of disk space, you can store a maximum of 50 backup files in this directory. You can use the rm system backup command to delete existing backup files so that you can create more backups.

Notes:

  • While the backup operation is in progress, do not execute commands that affect the configuration.

  • If a file that is required to be backed up is not available, the operation skips that file.
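The file lists above show that a full backup carries the contents of /nsconfig/ssl/ and /nsconfig/fips/, and that even a basic backup carries krb.keytab, so a copied-off backup file needs the same protection as the key material itself. The following added example (not from the Citrix article) reads a backup archive without modifying it and reports its level and the members holding key material. It assumes that member paths inside the archive mirror the appliance paths without the leading slash; the sample archives and file names are constructed.

```python
import io
import re
import tarfile

# Paths the article lists only under "Full backup".
FULL_ONLY = ("nsconfig/ssl/", "nsconfig/license/", "nsconfig/fips/",
             "var/netscaler/ssl/", "var/wi/java_home/")
# Members holding key material: SSL keys and certificates, FIPS data, Kerberos keytab.
SECRET_HINTS = ("nsconfig/ssl/", "nsconfig/fips/", "var/netscaler/ssl/", "krb.keytab")

def inspect_backup(fileobj):
    """Read a backup .tgz (read-only) and return (level, sorted secret members)."""
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        # Assumption: members are stored as appliance paths, optionally with ./ or /.
        names = [re.sub(r"^(\./|/)+", "", m.name) for m in tar.getmembers() if m.isfile()]
    level = "full" if any(n.startswith(FULL_ONLY) for n in names) else "basic"
    secrets = sorted(n for n in names if any(h in n for h in SECRET_HINTS))
    return level, secrets

def make_sample(paths):
    """Build a constructed in-memory .tgz with a placeholder file at each path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path in paths:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    full = make_sample(["nsconfig/ns.conf", "nsconfig/ssl/server.key",
                        "nsconfig/license/sample.lic", "var/nslw.bin/etc/krb.keytab"])
    level, secrets = inspect_backup(full)
    print(f"level={level}")
    for name in secrets:
        print(f"  key material: {name}")
```

Run it against a copy of the backup file, because the restore operation rejects a backup that has been renamed or modified.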

To back up the NetScaler by using the command line interface

At the command prompt, do the following:

  1. Save the NetScaler configurations using:
    save ns config

  2. Create the backup file using:
    create system backup [<fileName>] -level <basic | full> -comment <string>

    Note: If the file name is not specified, the appliance creates a TAR file with the following naming convention:

    backup_<level>_<nsip_address>_<date-timestamp>.tgz.

    For example, to back up the full appliance using the default naming convention for the backup file use:
    create system backup -level full

  3. Verify that the backup file was created using:
    show system backup

    You can view properties of a specific backup file by using the fileName parameter.

To back up the NetScaler by using the configuration utility

  1. Navigate to System > Backup and Restore.
  2. On the Details pane, click Backup.
  3. On the Backup screen, specify the details required to back up the appliance.
  4. Click Backup.

Restoring the NetScaler Appliance

When you restore the appliance from a backup file, the restore operation untars the backup file into the /var/ns_sys_backup/ directory. Once the untar operation is complete, the files are copied to their respective directories.
Note: The restore operation does not succeed if the backup file is renamed or if the contents of the file are modified.

To restore the NetScaler by using the command line interface

At the command prompt, do the following:

  1. Obtain a list of the backup files available on the appliance:
    show system backup

  2. Restore the appliance by specifying one of the backup files:
    restore system backup <filename>

    For example, to restore by using a full backup of an appliance:
    > restore system backup backup_full_<nsip_address>_<date-timestamp>.tgz

  3. Reboot the appliance:
    reboot

To restore the NetScaler by using the configuration utility

Navigate to System > Backup and Restore, right-click the backup file to be restored and click Restore.