
Citrix Netscaler 1000V Load Balancing Config for ISE

> show run
#NS10.5 Build 55.8
# Last modified Wed May 13 19:12:06 2015
#
# Running configuration of a NetScaler 1000V (NS10.5 build 55.8) placed in front
# of two Cisco ISE policy service nodes for RADIUS authentication/accounting.
# The statements are reproduced unchanged; only '#' annotations were added.
# Order matters: objects are referenced (bind/set) only after they are created (add).
#
# --- System / management plane ---
set ns config -IPAddress 172.16.1.5 -netmask 255.255.255.128
# Only WL/SP/LB features are enabled; the appfw/cache/cmp objects further down are
# therefore inert defaults on this box.
enable ns feature WL SP LB
enable ns mode FR L3 Edge USNIP PMTUD
set system parameter -natPcbForceFlushLimit 4294967295
# Local admin accounts. The hashes are marked -encrypted, but a shared 'show run'
# dump still exposes credential material (these lines, the rpcNode password, the
# monitor secrets and the encryptionParams key) - redact before posting/storing.
set system user nsroot 1addfdc41b00cb252e0424e3b657d146be91df7966a7e2ce8 -encrypted
add system user admin 1a5526692b0d4730850583887ecfd446e5470a61483327bfe -encrypted -timeout 900
set rsskeytype -rsstype ASYMMETRIC
set lacp -sysPriority 32768 -mac 00:50:56:bb:ac:bf
set ns hostName MID-NLB01
# Interfaces and addresses.
set interface 0/1 -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype "XEN Interface" -ifnum 0/1
set interface 1/1 -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype "XEN Interface" -ifnum 1/1
set interface LO/1 -haMonitor OFF -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype Loopback -ifnum LO/1
# NOTE(review): both the IPv6 link-local NSIP and the 172.16.0.6 address carry
# -mgmtAccess ENABLED; confirm that management on the server-facing subnet is
# intended rather than restricting it to the NSIP 172.16.1.5.
add ns ip6 fe80::250:56ff:febb:acbf/64 -scope link-local -type NSIP -vlan 1 -vServer DISABLED -mgmtAccess ENABLED -dynamicRouting ENABLED
add ns ip 172.16.0.6 255.255.255.128 -vServer DISABLED -mgmtAccess ENABLED
set ipsec parameter -lifetime 28800
set nd6RAvariables -vlan 1
# SNMP alarm timers (appfw alarms listed even though appfw is not an enabled feature).
set snmp alarm SYNFLOOD -timeout 1
set snmp alarm HA-VERSION-MISMATCH -time 86400 -timeout 86400
set snmp alarm HA-SYNC-FAILURE -time 86400 -timeout 86400
set snmp alarm HA-NO-HEARTBEATS -time 86400 -timeout 86400
set snmp alarm HA-BAD-SECONDARY-STATE -time 86400 -timeout 86400
set snmp alarm APPFW-START-URL -timeout 1
set snmp alarm APPFW-DENY-URL -timeout 1
set snmp alarm APPFW-REFERER-HEADER -timeout 1
set snmp alarm APPFW-CSRF-TAG -timeout 1
set snmp alarm APPFW-COOKIE -timeout 1
set snmp alarm APPFW-FIELD-CONSISTENCY -timeout 1
set snmp alarm APPFW-BUFFER-OVERFLOW -timeout 1
set snmp alarm APPFW-FIELD-FORMAT -timeout 1
set snmp alarm APPFW-SAFE-COMMERCE -timeout 1
set snmp alarm APPFW-SAFE-OBJECT -timeout 1
set snmp alarm APPFW-POLICY-HIT -timeout 1
set snmp alarm APPFW-VIOLATIONS-TYPE -timeout 1
set snmp alarm APPFW-XSS -timeout 1
set snmp alarm APPFW-XML-XSS -timeout 1
set snmp alarm APPFW-SQL -timeout 1
set snmp alarm APPFW-XML-SQL -timeout 1
set snmp alarm APPFW-XML-ATTACHMENT -timeout 1
set snmp alarm APPFW-XML-DOS -timeout 1
set snmp alarm APPFW-XML-VALIDATION -timeout 1
set snmp alarm APPFW-XML-WSI -timeout 1
set snmp alarm APPFW-XML-SCHEMA-COMPILE -timeout 1
set snmp alarm APPFW-XML-SOAP-FAULT -timeout 1
set snmp alarm DNSKEY-EXPIRY -timeout 1
set snmp alarm HA-LICENSE-MISMATCH -timeout 86400
set snmp alarm CLUSTER-NODE-HEALTH -time 86400 -timeout 86400
set snmp alarm CLUSTER-NODE-QUORUM -time 86400 -timeout 86400
set snmp alarm CLUSTER-VERSION-MISMATCH -time 86400 -timeout 86400
set snmp alarm PORT-ALLOC-FAILED -time 3600 -timeout 3600
# --- ISE policy service nodes and RADIUS service groups ---
add server ise-psn-5 172.16.0.17
add server ise-psn-6 172.16.0.18
# -usip YES (use source IP) forwards the original NAS address to the PSN instead of
# a NetScaler-owned address, so ISE still sees the real network device;
# -useproxyport YES lets the appliance choose the source port.
add serviceGroup radius-auth RADIUS -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport YES -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO
add serviceGroup radius-acct RADIUS -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport YES -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO
# The two *-any groups are created -state DISABLED (and their members are bound
# disabled below); they read as a staged alternative, not active config.
add serviceGroup radius-auth-any ANY -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport NO -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO -state DISABLED
add serviceGroup radius-acct-any ANY -maxClient 0 -maxReq 0 -cacheable YES -cip DISABLED -usip YES -useproxyport NO -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO -state DISABLED
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
set lb parameter -sessionsThreshold 150000
# RADIUS VIP 172.16.0.16 (auth 1812 / acct 1813). The rule keys on RADIUS
# attribute 31 (Calling-Station-Id, normally the endpoint MAC) so an endpoint's
# authentication and accounting both reach the same PSN; the lb group further
# down ties the two vservers to one persistence session.
add lb vserver radius-auth RADIUS 172.16.0.16 1812 -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)" -cltTimeout 120
add lb vserver radius-acct RADIUS 172.16.0.16 1813 -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)" -cltTimeout 120
# CoA listener on UDP/1700 is created DISABLED - see the ACL/RNAT block at the end.
add lb vserver ISE-CoA-UDP1700 UDP 172.16.0.16 1700 -persistenceType NONE -state DISABLED -cltTimeout 120
set cache parameter -via "NS-CACHE-10.0:   5"
# Inter-appliance RPC credential; stored encrypted but still sensitive.
set ns rpcNode 172.16.1.5 -password 8a7b474124957776a0cd31b862cbe4d72b5cbd59868a136d4bdeb56cf03b28 -encrypted -srcIP 172.16.1.5
# --- Compression / responder / integrated-cache policies ---
# These appear to be the stock built-in policy set and are not ISE-specific;
# the CMP and IC features are not enabled on this appliance.
bind cmp global ns_adv_nocmp_xml_ie -priority 8700 -gotoPriorityExpression END -type RES_DEFAULT
bind cmp global ns_adv_nocmp_mozilla_47 -priority 8800 -gotoPriorityExpression END -type RES_DEFAULT
bind cmp global ns_adv_cmp_mscss -priority 8900 -gotoPriorityExpression END -type RES_DEFAULT
bind cmp global ns_adv_cmp_msapp -priority 9000 -gotoPriorityExpression END -type RES_DEFAULT
bind cmp global ns_adv_cmp_content_type -priority 10000 -gotoPriorityExpression END -type RES_DEFAULT
set responder param -undefAction NOOP
add ca action NOOP_CA -type noop
add cache contentGroup DEFAULT
set cache contentGroup NSFEO -maxResSize 1994752
add cache contentGroup BASEFILE -relExpiry 86000 -weakNegRelExpiry 600 -maxResSize 256 -memLimit 2
add cache contentGroup DELTAJS -relExpiry 86000 -weakNegRelExpiry 600 -insertAge NO -maxResSize 256 -memLimit 1 -pinned YES
add cache contentGroup ctx_cg_poc -relExpiry 86000 -weakNegRelExpiry 600 -insertAge NO -maxResSize 500 -memLimit 256 -pinned YES
add cache policy _nonGetReq -rule "!HTTP.REQ.METHOD.eq(GET)" -action NOCACHE
add cache policy _advancedConditionalReq -rule "HTTP.REQ.HEADER(\"If-Match\").EXISTS || HTTP.REQ.HEADER(\"If-Unmodified-Since\").EXISTS" -action NOCACHE
add cache policy _personalizedReq -rule "HTTP.REQ.HEADER(\"Cookie\").EXISTS || HTTP.REQ.HEADER(\"Authorization\").EXISTS || HTTP.REQ.HEADER(\"Proxy-Authorization\").EXISTS || HTTP.REQ.IS_NTLM_OR_NEGOTIATE" -action MAY_NOCACHE
add cache policy _uncacheableStatusRes -rule "! ((HTTP.RES.STATUS.EQ(200)) || (HTTP.RES.STATUS.EQ(304)) || (HTTP.RES.STATUS.BETWEEN(400,499)) || (HTTP.RES.STATUS.BETWEEN(300, 302)) || (HTTP.RES.STATUS.EQ(307))|| (HTTP.RES.STATUS.EQ(203)))" -action NOCACHE
add cache policy _uncacheableCacheControlRes -rule "((HTTP.RES.CACHE_CONTROL.IS_PRIVATE) || (HTTP.RES.CACHE_CONTROL.IS_NO_CACHE) || (HTTP.RES.CACHE_CONTROL.IS_NO_STORE) || (HTTP.RES.CACHE_CONTROL.IS_INVALID))" -action NOCACHE
add cache policy _cacheableCacheControlRes -rule "((HTTP.RES.CACHE_CONTROL.IS_PUBLIC) || (HTTP.RES.CACHE_CONTROL.IS_MAX_AGE) || (HTTP.RES.CACHE_CONTROL.IS_MUST_REVALIDATE) || (HTTP.RES.CACHE_CONTROL.IS_PROXY_REVALIDATE) || (HTTP.RES.CACHE_CONTROL.IS_S_MAXAGE))" -action CACHE -storeInGroup DEFAULT
add cache policy _uncacheableVaryRes -rule "((HTTP.RES.HEADER(\"Vary\").EXISTS) && ((HTTP.RES.HEADER(\"Vary\").INSTANCE(1).LENGTH > 0) || (!HTTP.RES.HEADER(\"Vary\").STRIP_END_WS.SET_TEXT_MODE(IGNORECASE).eq(\"Accept-Encoding\"))))" -action NOCACHE
add cache policy _uncacheablePragmaRes -rule "HTTP.RES.HEADER(\"Pragma\").EXISTS" -action NOCACHE
add cache policy _cacheableExpiryRes -rule "HTTP.RES.HEADER(\"Expires\").EXISTS" -action CACHE -storeInGroup DEFAULT
add cache policy _imageRes -rule "HTTP.RES.HEADER(\"Content-Type\").SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"image/\")" -action CACHE -storeInGroup DEFAULT
add cache policy _personalizedRes -rule "HTTP.RES.HEADER(\"Set-Cookie\").EXISTS || HTTP.RES.HEADER(\"Set-Cookie2\").EXISTS" -action NOCACHE
add cache policy ctx_images -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS_INDEX(\"ctx_file_extensions\").BETWEEN(101,150)" -action CACHE -storeInGroup ctx_cg_poc
add cache policy ctx_web_css -rule "HTTP.REQ.URL.ENDSWITH(\".css\")" -action CACHE -storeInGroup ctx_cg_poc
add cache policy ctx_doc_pdf -rule "HTTP.REQ.URL.ENDSWITH(\".pdf\")" -action CACHE -storeInGroup ctx_cg_poc
add cache policy ctx_web_JavaScript -rule "HTTP.REQ.URL.ENDSWITH(\".js\")" -action CACHE -storeInGroup ctx_cg_poc
add cache policy ctx_web_JavaScript-Res -rule "HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"application/x-javascript\")" -action CACHE -storeInGroup ctx_cg_poc
add cache policy ctx_NOCACHE_Cleanup -rule TRUE -action NOCACHE
add cache policylabel _reqBuiltinDefaults -evaluates REQ
add cache policylabel _resBuiltinDefaults -evaluates RES
bind cache policylabel _reqBuiltinDefaults -policyName _nonGetReq -priority 100 -gotoPriorityExpression END
bind cache policylabel _reqBuiltinDefaults -policyName _advancedConditionalReq -priority 200 -gotoPriorityExpression END
bind cache policylabel _reqBuiltinDefaults -policyName _personalizedReq -priority 300 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _uncacheableStatusRes -priority 100 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _uncacheableVaryRes -priority 200 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _uncacheableCacheControlRes -priority 300 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _cacheableCacheControlRes -priority 400 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _uncacheablePragmaRes -priority 500 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _cacheableExpiryRes -priority 600 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _imageRes -priority 700 -gotoPriorityExpression END
bind cache policylabel _resBuiltinDefaults -policyName _personalizedRes -priority 800 -gotoPriorityExpression END
bind cache global NOPOLICY -priority 185883 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQ_DEFAULT -invoke policylabel _reqBuiltinDefaults
bind cache global NOPOLICY -priority 185883 -gotoPriorityExpression USE_INVOCATION_RESULT -type RES_DEFAULT -invoke policylabel _resBuiltinDefaults
# --- RADIUS bindings and persistence ---
# Both RADIUS vservers are members of one lb group whose persistence rule is
# Calling-Station-Id, so auth (1812) and acct (1813) for an endpoint stick to
# the same PSN.
bind lb vserver radius-auth radius-auth
bind lb vserver radius-acct radius-acct
bind lb group RADIUS-Calling-Station-ID radius-auth
bind lb group RADIUS-Calling-Station-ID radius-acct
set lb group RADIUS-Calling-Station-ID -persistenceType RULE -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)"
# --- DNS: forwarder plus root hints ---
add dns nameServer 10.100.0.10
set ns diameter -identity netscaler.com -realm com
set ns tcpbufParam -memLimit 200
set dns parameter -dns64Timeout 1000
add dns nsRec . a.root-servers.net -TTL 3600000
add dns nsRec . b.root-servers.net -TTL 3600000
add dns nsRec . c.root-servers.net -TTL 3600000
add dns nsRec . d.root-servers.net -TTL 3600000
add dns nsRec . e.root-servers.net -TTL 3600000
add dns nsRec . f.root-servers.net -TTL 3600000
add dns nsRec . g.root-servers.net -TTL 3600000
add dns nsRec . h.root-servers.net -TTL 3600000
add dns nsRec . i.root-servers.net -TTL 3600000
add dns nsRec . j.root-servers.net -TTL 3600000
add dns nsRec . k.root-servers.net -TTL 3600000
add dns nsRec . l.root-servers.net -TTL 3600000
add dns nsRec . m.root-servers.net -TTL 3600000
add dns addRec l.root-servers.net 199.7.83.42 -TTL 3600000
add dns addRec b.root-servers.net 192.228.79.201 -TTL 3600000
add dns addRec d.root-servers.net 199.7.91.13 -TTL 3600000
add dns addRec j.root-servers.net 192.58.128.30 -TTL 3600000
add dns addRec h.root-servers.net 128.63.2.53 -TTL 3600000
add dns addRec f.root-servers.net 192.5.5.241 -TTL 3600000
add dns addRec k.root-servers.net 193.0.14.129 -TTL 3600000
add dns addRec a.root-servers.net 198.41.0.4 -TTL 3600000
add dns addRec c.root-servers.net 192.33.4.12 -TTL 3600000
add dns addRec m.root-servers.net 202.12.27.33 -TTL 3600000
add dns addRec i.root-servers.net 192.36.148.17 -TTL 3600000
add dns addRec g.root-servers.net 192.112.36.4 -TTL 3600000
add dns addRec e.root-servers.net 192.203.230.10 -TTL 3600000
# --- Health monitors ---
set lb monitor ldns-dns LDNS-DNS -query . -queryType Address
# The RADIUS monitor sends a real Access-Request as user radius-probe and expects
# response code 2 (Access-Accept). Its secrets are stored -encrypted but are
# still credential material in this dump. -interval 5 MIN means a failed PSN
# can keep receiving requests for up to five minutes before being marked down.
add lb monitor radius RADIUS -respCode 2 -userName radius-probe -password f71c354424ca7262 -encrypted -radKey f71c354424ca7262 -encrypted -radNASid 172.16.0.6 -radNASip 172.16.0.6 -LRTM DISABLED -interval 5 MIN
# NOTE(review): udp-radius-acct is defined here but is not bound to any service
# group in this output, so radius-acct (members bound below without a
# -monitorName) falls back to whatever default monitor applies.
add lb monitor udp-radius-acct UDP-ECV -send "RADIUS Accounting" -LRTM DISABLED -interval 5 MIN -destPort 1813
bind serviceGroup radius-auth ise-psn-5 1812
bind serviceGroup radius-auth ise-psn-6 1812
bind serviceGroup radius-auth -monitorName radius
bind serviceGroup radius-acct ise-psn-5 1813
bind serviceGroup radius-acct ise-psn-6 1813
bind serviceGroup radius-auth-any ise-psn-5 1812 -state DISABLED
bind serviceGroup radius-auth-any ise-psn-6 1812 -state DISABLED
bind serviceGroup radius-acct-any ise-psn-5 1813 -state DISABLED
bind serviceGroup radius-acct-any ise-psn-6 1813 -state DISABLED
add route 0.0.0.0 0.0.0.0 172.16.0.1
# --- Management-plane TLS services (HTTPS 443, RPC 3008/3009) ---
# These lines leave -tls11 and -tls12 DISABLED and session reuse off, so only
# older protocol versions remain available for admin access; review against
# current hardening guidance for the management interface.
set ssl service nshttps-172.16.0.6-443 -eRSA ENABLED -sessReuse DISABLED -tls11 DISABLED -tls12 DISABLED
set ssl service nsrpcs-172.16.0.6-3008 -eRSA ENABLED -sessReuse DISABLED -tls11 DISABLED -tls12 DISABLED
set ssl service nshttps-::1l-443 -eRSA ENABLED -sessReuse DISABLED -tls11 DISABLED -tls12 DISABLED
set ssl service nsrpcs-::1l-3008 -eRSA ENABLED -sessReuse DISABLED -tls11 DISABLED -tls12 DISABLED
set ssl service nskrpcs-127.0.0.1-3009 -eRSA ENABLED -sessReuse DISABLED -tls11 DISABLED -tls12 DISABLED
set ssl service nshttps-127.0.0.1-443 -eRSA ENABLED -sessReuse DISABLED -tls11 DISABLED -tls12 DISABLED
set ssl service nsrpcs-127.0.0.1-3008 -eRSA ENABLED -sessReuse DISABLED -tls11 DISABLED -tls12 DISABLED
set vpn parameter -forceCleanup none -clientOptions all -clientConfiguration all
# 'admin' (created above with a 900 s idle timeout) is granted the superuser policy.
bind system user admin superuser 100
# --- CoA return path ---
# The ACL matches UDP/1700 sourced from the two PSNs; the RNAT bound to it
# source-NATs that traffic to the VIP 172.16.0.16, so a NAS receives CoA from the
# same address it sends RADIUS to. With the CoA vserver and *-any groups
# DISABLED above, this path is staged rather than active in this dump.
add ns acl RNAT-1 ALLOW -srcIP = 172.16.0.17-172.16.0.18 -destPort = 1700 -protocol UDP -priority 10 -kernelstate SFAPPLIED61
apply ns acls
set rnat RNAT-1 -natIP 172.16.0.16
# NOTE(review): every management service uses ns-server-certificate, which looks
# like the factory default certificate - confirm whether a CA-issued certificate
# should replace it.
bind ssl service nshttps-172.16.0.6-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-172.16.0.6-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-::1l-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-::1l-3008 -certkeyName ns-server-certificate
bind ssl service nskrpcs-127.0.0.1-3009 -certkeyName ns-server-certificate
bind ssl service nshttps-127.0.0.1-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-127.0.0.1-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-172.16.0.6-443 -eccCurveName P_256
bind ssl service nshttps-172.16.0.6-443 -eccCurveName P_384
bind ssl service nshttps-172.16.0.6-443 -eccCurveName P_224
bind ssl service nshttps-172.16.0.6-443 -eccCurveName P_521
bind ssl service nsrpcs-172.16.0.6-3008 -eccCurveName P_256
bind ssl service nsrpcs-172.16.0.6-3008 -eccCurveName P_384
bind ssl service nsrpcs-172.16.0.6-3008 -eccCurveName P_224
bind ssl service nsrpcs-172.16.0.6-3008 -eccCurveName P_521
# Key material used for config-level encryption of stored secrets; treat as
# sensitive even though it is itself marked -encrypted.
set ns encryptionParams -method AES256 -keyValue ff0e316156e61520f5ae61ef6b8f9c8a7d499b7ffdff6b471e93b049fe227f03c1ae824623de120ab22aa86da7420a8c78e712b8 -encrypted
# Application-firewall content-type classification (appfw is not an enabled feature here).
add appfw JSONContentType "^application/json$" -isRegex REGEX
add appfw XMLContentType ".*/xml" -isRegex REGEX
add appfw XMLContentType ".*/.*\\+xml" -isRegex REGEX
add appfw XMLContentType ".*/xml-.*" -isRegex REGEX
set ip6TunnelParam -srcIP ::
set ptp -state ENABLE
 Done

What persistence setting is recommended for NetScalers?