


Installation Documentation
Netscaler Quick Setup using CLI (Command Line Interface)

#Notes on getting started with Quick Setup using Netscaler version 12.1
#MAC address of 00:50:56:00:00:00 is used so that a pre-configured VPX 5 non-expiring free Netscaler license can be used
#SSL certificate file being used was exported with a private key to ssl.pfx with a password of test1 - change your password if you use something different
#SSL Certificate Authority is RapidSSL, but the Intermediate and Root certificates can easily be modified to work with other CAs
#The IPs used for the build were on a 192.168.1.0/24 network - change the IPs to match your network
#NSIP (Management) = 192.168.1.20, SNIP = 192.168.1.21, Virtual Server VIP = 192.168.1.22
#Netscaler public access is for citrix.mycorp.com - change to match your FQDN
#Storefront is running via SSL at storefront.mycorp.com - change to match your FQDN
#Citrix Delivery Controller is running on storefront.mycorp.com which is referenced for the STA (Secure Ticket Authority) - change to match your FQDN
#Substitute your own Domain Controller IP address for what appears here as 192.168.1.10
#Substitute your own LDAP Base for what appears here as dc=mycorp,dc=com with, for example, dc=domain,dc=local
#Substitute your own LDAP Authentication account for what appears here as ldapserviceacct@mycorp.com (This is an Active Directory User service account that has a password that never expires)
#Substitute your own domain user password for what appears here as Password987
#Fast edits so that you can more or less paste in Steps 8-17 and have a fully functional Netscaler
#NSIP 192.168.1.20, SNIP: 192.168.1.21, VirtualServer: 192.168.1.22, LDAP Server: 192.168.1.10, LDAP Account: ldapserviceacct@mycorp.com
#LDAP Password: Password987, DNS: 192.168.1.10, LDAP: dc=mycorp,dc=com, Public FQDN: citrix.mycorp.com, Storefront FQDN: storefront.mycorp.com


#1. VMware - Deploy OVA file
#2. VMware - Change MAC to 005056000000
#3. VMware - Power on Netscaler
#4. VMware console - set IP address (NSIP), subnet mask, default gateway and save
#5. WinSCP to NSIP and copy license file to /nsconfig/license (Non-Expiring for MAC 005056000000)
#6. WinSCP to NSIP and copy ssl.pfx to /nsconfig/ssl
#7. WinSCP to NSIP and copy intermediate.cer to /nsconfig/ssl
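#8. SSH to NSIP - Set SNIP, set hostname, DNS servers, NTP server and Time Zone
#The NSIP (192.168.1.20) was already set from the VMware console in step 4; this step adds the SNIP, which the notes above place at 192.168.1.21.
#-type SNIP is the default for "add ns ip" but is spelled out so the address is not mistaken for a second NSIP; -vServer DISABLED stops the SNIP from answering as a virtual server
add ns ip 192.168.1.21 255.255.255.0 -type SNIP -vServer DISABLED
set ns hostName ns
#DNS is required so that the NTP, Storefront and STA FQDNs used later resolve; the Domain Controller doubles as the DNS server in this build
add dns nameServer 192.168.1.10
#REM Additional DNS servers: add dns nameServer 192.168.1.11
#Adding the NTP server alone does not start synchronisation; "enable ntp sync" is needed so the clock is accurate for certificate validation and log timestamps
add ntp server time.windows.com
enable ntp sync
set ns param -timezone "GMT-08:00-PST-America/Los_Angeles"
#REM Timezone New York: set ns param -timezone "GMT-05:00-EST-America/New_York"
#REM Timezone Chicago: set ns param -timezone "GMT-06:00-CST-America/Chicago"
save config
reboot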
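#9. Disable Callhome, Disable CUXIP, Enable SSL, Enable Netscaler Gateway, Add SSL cert from PFX and link to Intermediate
#Callhome (feature "ch") and the customer-experience uploads (-doppler) both send appliance data to Citrix; they are switched off before anything else is configured
disable ns feature ch
set system parameter -doppler disabled
enable ns feature SSL SSLVPN
#The PFX export password (test1 per the notes) is typed inline and so remains in this session's command history - change it to your own value and consider clearing the history afterwards.
#-expiryMonitor ENABLED with -notificationPeriod 30 raises an alert 30 days before the certificate expires, so the gateway does not go dark on renewal day
add ssl certKey SSL -cert ssl.pfx -key ssl.pfx -inform PFX -password test1 -expiryMonitor ENABLED -notificationPeriod 30
add ssl certKey Intermediate -cert intermediate.cer
#Linking the server certificate to its issuer makes the appliance send the full chain, so clients that lack the intermediate still validate
link ssl certKey SSL Intermediate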
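#10. Create LDAP server and Policy
#The bind is made over LDAPS (port 636, -secType SSL) instead of plaintext LDAP on port 389: with PlainText the service-account password and every user's logon credentials cross the network in the clear,
#and Active Directory refuses the password change that -passwdChange ENABLED requests unless the connection is encrypted
#The bind password (Password987 per the notes) is typed inline and remains in this session's command history - substitute your own value
add authentication ldapAction LDAP_Server -serverIP 192.168.1.10 -serverPort 636 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ldapserviceacct@mycorp.com -ldapBindDnPassword Password987 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED
#REM Once the Domain Controller's issuing CA certificate is installed on the Netscaler, have the appliance verify the server certificate: set authentication ldapAction LDAP_Server -validateServerCert YES -ldapHostName <DC-HOSTNAME-ON-CERT>
#REM To filter user accounts which are permitted to logon by Active Directory group named CitrixUsersExternal
#REM set authentication ldapAction LDAP_Server -searchFilter "memberOf=CN=CitrixUsersExternal,OU=Groups,DC=mycorp,DC=com"
#NS_TRUE applies the LDAP action to every logon attempt on the vserver it is bound to in step 17
add authentication ldapPolicy LDAP_Pol NS_TRUE LDAP_Server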
#11. Redirect HTTP to HTTPS
enable feature lb
#No service is bound to this HTTP vserver, so it relies on the Netscaler behaviour of serving -redirectURL while the vserver is DOWN: every plain-HTTP request to the VIP is answered with a redirect to the HTTPS gateway FQDN rather than being proxied anywhere
add lb vserver http_redirect_to_ssl HTTP 192.168.1.22 80 -persistenceType NONE -redirectURL "https://citrix.mycorp.com" -cltTimeout 180
#12. Create Virtual Server for Netscaler Gateway and set SSL protocols
#-icaOnly ON limits the gateway to ICA proxy (no full VPN tunnel), which is the smallest exposure for a Storefront-only deployment; -vserverFqdn must match the public name on the certificate (citrix.mycorp.com per the notes)
add vpn vserver VirtualServer SSL 192.168.1.22 443 -icaOnly ON -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -deploymentType ICA_STOREFRONT -vserverFqdn citrix.mycorp.com
#Only TLS 1.2 is offered; SSL 3 and TLS 1.0/1.1 are off. TLS 1.3 is left disabled here - switch it to -tls13 ENABLED once the build and the Receiver/Workspace clients in use support it.
#HSTS with -maxage 157680000 (five years in seconds) instructs browsers to refuse plain HTTP to this FQDN after the first HTTPS visit
set ssl vserver VirtualServer -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -tls13 DISABLED -HSTS ENABLED -maxage 157680000
#13. Create Secure Cipher Suite
#The group is evaluated in -cipherPriority order: forward-secret ECDHE suites with AEAD (GCM) first, then the CBC-SHA256/384 suites, then the older CBC-SHA1 suites, with DHE last.
#The ECDSA entries (priorities 1-6) are only selectable when the bound certKey holds an ECDSA key; with an RSA certificate (the usual RapidSSL issue) the effective list starts at priority 7.
#The TLS1-* CBC-SHA1 entries (priorities 5-6, 11-12, 15-16) are presumably kept for older clients that cannot negotiate the GCM suites; remove them once no such clients remain.
#NOTE(review): the DHE suites at priorities 13-16 appear to negotiate only when a DH parameter file is bound to the SSL vserver (set ssl vserver ... -dh ENABLED -dhFile); nothing on this page configures one - confirm before relying on them
add ssl cipher SecureCiphers
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 1
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 2
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256 -cipherPriority 3
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384 -cipherPriority 4
bind ssl cipher SecureCiphers -cipherName TLS1-ECDHE-ECDSA-AES128-SHA -cipherPriority 5
bind ssl cipher SecureCiphers -cipherName TLS1-ECDHE-ECDSA-AES256-SHA -cipherPriority 6
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 7
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 8
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 9
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 10
bind ssl cipher SecureCiphers -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 11
bind ssl cipher SecureCiphers -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 12
bind ssl cipher SecureCiphers -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 -cipherPriority 13
bind ssl cipher SecureCiphers -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 14
bind ssl cipher SecureCiphers -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 15
bind ssl cipher SecureCiphers -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 16
#14. Bind vServer to Secure Cipher Suite
#The custom group is bound first and the built-in DEFAULT group removed second, so the vserver is never left with no cipher at all; after the unbind only the suites listed in step 13 can be negotiated
bind ssl vserver VirtualServer -cipherName SecureCiphers
unbind ssl vserver VirtualServer -cipherName DEFAULT
#15. Bind SSL to vServer
#Binds the certKey created in step 9 (already linked to its intermediate) so the gateway presents the full chain for citrix.mycorp.com
bind ssl vserver VirtualServer -certkeyName SSL
#16. Create Session Actions & Polices
#Two session profiles with the same authorization (-defaultAuthorizationAction ALLOW, -icaProxy ON, -SSO ON with the PRIMARY/LDAP credentials passed to Storefront); the only difference is that the Receiver profile also carries -storefronturl for the native client
add vpn sessionAction AC_OS_Receiver -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://storefront.mycorp.com/citrix/storeweb" -ClientChoices OFF -ntDomain mycorp.com -clientlessVpnMode OFF -storefronturl "https://storefront.mycorp.com" -sfGatewayAuthType domain
add vpn sessionAction AC_WB_Web -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://storefront.mycorp.com/citrix/storeweb" -ClientChoices OFF -ntDomain mycorp.com -clientlessVpnMode OFF -sfGatewayAuthType domain
#The User-Agent header selects the profile. It is set by the client, but because both profiles grant identical access the choice only affects presentation, not authorization
add vpn sessionPolicy PL_OS_Receiver "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" AC_OS_Receiver
add vpn sessionPolicy PL_WB_Web "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_Web
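#17. Bind STA, LDAP and Session Policies
#The STA is reached over HTTPS: the notes state that Storefront and the Delivery Controller already serve SSL on storefront.mycorp.com, and a plain http:// STA URL would send ticket validation between the gateway and the controller in the clear.
#If the STA shows DOWN after binding, check that the Netscaler trusts the controller's certificate chain and that storefront.mycorp.com matches the certificate name
bind vpn vserver VirtualServer -staServer "https://storefront.mycorp.com"
#Authentication policy from step 10 - every logon goes through LDAP_Server
bind vpn vserver VirtualServer -policy LDAP_Pol
#Session policies from step 16; the lower priority number is evaluated first, and NEXT lets the web policy be checked when the Receiver policy does not match
bind vpn vserver VirtualServer -policy PL_OS_Receiver -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver VirtualServer -policy PL_WB_Web -priority 110 -gotoPriorityExpression NEXT -type REQUEST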