NetScaler 10 Workshop
Learning Labs exercise guide
July 2012
Table of Contents
Overview
Module 1 - Exercise 1: Initial Configuration
Module 2 - Exercise 1: Load Balancing
Module 3 - Exercise 1: Content Switching
Module 3 - Exercise 2: SSL Offload
Module 5 - Exercise 1: HTTP header modification
Module 5 - Exercise 2: HTTP to HTTPS redirection and URL body rewrite
Module 5 - Exercise 3: URL Transformation
Module 6 - Exercise 1: MySQL Load Balancing and Content Switching
Module 6 - Exercise 2: SQL Rate Limiting
Module 6 - Exercise 3: Database Responder
Module 6 - Exercise 4: Token Load Balancing and Audit Log for SQL
Module 6 - Exercise 5: SQL Caching
Overview
Hands-on Training Module
This training module has the following details:
Objective: This lab provides hands-on training on the core NetScaler functionality.
Audience: Primary: Partners and customers.
Lab Environment Details
Machine          Details
AD.training.lab  Domain controller, DHCP, DNS
NS10_HA1         Virtual instance of a NetScaler appliance (HA node)
NS10_HA2         Virtual instance of a NetScaler appliance (HA node)
NS10_node1       Virtual instance of a NetScaler appliance (Cluster node)
NS10_node2       Virtual instance of a NetScaler appliance (Cluster node)
NS10_node3       Virtual instance of a NetScaler appliance (Cluster node)
Vyatta-RTR       Internal Vyatta router
Win7Client       Administrative workstation
Apache_MySQL_1   Linux server with Apache, PHP, MySQL
Apache_MySQL_2   Linux server with Apache, PHP, MySQL
Apache_MySQL_3   Linux server with Apache, PHP, MySQL
SQLServer        Microsoft SQL 2008 server and Microsoft Certificate Services
SQLServer2       Microsoft SQL 2008 server
WebBlue          IIS server, PHP, WebGoat
WebGreen         IIS server, PHP, WebGoat
WebRed           IIS server, PHP, WebGoat
XA1              XenApp 6.5
XA2              XenApp 6.5
XD               XenDesktop controller
VDA              Virtual Desktop Agent
Lab Topology Diagram
(Diagram not reproduced.) Networks shown: Public Network 192.168.10.X/24; Internal network 172.16.1.0/24 and Remote Network 172.16.2.0/24, joined by the internal Vyatta router. Hosts shown: NS10_HA1, NS10_HA2, NS10_node1, NS10_node2, NS10_node3, AD/DNS/CA, SQLServer, SQLServer2, WebBlue, WebGreen, WebRed, Apache_1, Apache_2, Apache_3, XA1, XD, VDA, INT-Win_7 and EXT-Win_7.
NOTE: If prompted with a dialog to restart on any virtual machine, always select Restart Later.
Required Lab Credentials
Below are the login credentials required to connect to the workshop system and complete the lab exercises.
Machine          IP Address                                  Username                Password
AD.training.lab  192.168.10.11                               TRAINING\Administrator  Citrix123
NS10_HA1         NSIP: 192.168.10.220, SNIP: 192.168.10.90   nsroot                  nsroot
NS10_HA2         NSIP: 192.168.10.225, SNIP: 192.168.10.90   nsroot                  nsroot
NS10_node1       NSIP: 192.168.10.110                        nsroot                  nsroot
NS10_node2       NSIP: 192.168.10.120                        nsroot                  nsroot
NS10_node3       NSIP: 192.168.10.130                        nsroot                  nsroot
Vyatta-RTR       172.16.1.1 / 172.16.2.1                     vyatta                  vyatta
Win7Client       DHCP assigned                               TRAINING\Administrator  Citrix123
Apache_MySQL_1   192.168.10.13                               root                    Citrix123
Apache_MySQL_2   192.168.10.14                               root                    Citrix123
Apache_MySQL_3   192.168.10.15                               root                    Citrix123
SQLServer        192.168.10.12                               TRAINING\Administrator  Citrix123
SQLServer2       192.168.10.14                               TRAINING\Administrator  Citrix123
WebBlue          192.168.10.205                              TRAINING\Administrator  Citrix123
WebGreen         192.168.10.210                              TRAINING\Administrator  Citrix123
WebRed           192.168.10.215                              TRAINING\Administrator  Citrix123
XA1              192.168.10.20                               TRAINING\Administrator  Citrix123
XA2              192.168.10.21                               TRAINING\Administrator  Citrix123
XD               192.168.10.28                               TRAINING\Administrator  Citrix123
VDA              DHCP assigned                               TRAINING\Administrator  Citrix123
How to log into the lab environment
The self-paced lab environment is hosted on a cloud-based Citrix XenServer. Connecting to your server from the portal page is as easy as 1-2-3.
Step-by-step login instructions
1. Once logged in at the self-paced portal, click the Start lab button to launch a connection to the published XenCenter.
2. When XenCenter loads, right-click the XenCenter node and select Add…
3. On the Add New Server screen enter the XenServer IP address provided on the portal and, in the Password field, the password provided on the portal. The user name will always be root.
Module 1 - Exercise 1: Initial Configuration
Overview
In this exercise you will configure the NetScaler with a management IP address, a subnet IP and a DNS name server. Additionally, you will configure licensing and set up a high availability pair.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
Estimated time to complete this lab: 20 minutes.
1. In XenCenter, go to the Networking tab of each NetScaler and confirm that the MAC address is correct, since the VPX license is tied to it:
   - NS10_HA1: 06:e0:89:e0:b0:fd
   - NS10_HA2: 22:64:cc:9b:ea:aa
2. Go to the console of NS10_HA1 and NS10_HA2 and set the networking information. For Initial Network Address Configuration set:
   NS10_HA1:
   - NSIP: 192.168.10.220
   - Netmask: 255.255.255.0
   - Gateway: 192.168.10.1
   NS10_HA2:
   - NSIP: 192.168.10.225
   - Netmask: 255.255.255.0
   - Gateway: 192.168.10.1
   Save and quit to confirm the changes.
3. After the NetScalers reboot, log into the Win7Client VM as administrator, open Internet Explorer and log into the NetScaler Configuration GUI at http://192.168.10.220 using the default credentials nsroot/nsroot.
4. Install the required Add-on when prompted.
5. Run through the Setup Wizard, enter the following and skip the remaining pages:
   - Change Host Name: NS10_HA1
   - Subnet IP (SNIP): 192.168.10.90
   - Netmask: 255.255.255.0
   Save your configuration by clicking on the Save button.
6. Repeat the previous steps for NS10_HA2 (192.168.10.225):
   - Change Host Name: NS10_HA2
   - Subnet IP (SNIP): 192.168.10.90
   - Netmask: 255.255.255.0
7. On both nodes, use the CLI to copy the new license file to the /nsconfig/license directory and warm-reboot so the license is read:
NS10_HA1 > shell
root@NS10_HA1 # cp /var/license_backup/VPX_1000.lic /nsconfig/license/
root@NS10_HA1 # exit
NS10_HA1 > reboot -warm
...
NS10_HA2 > shell
root@NS10_HA2 # cp /var/license_backup/VPX_1000.lic /nsconfig/license/
root@NS10_HA2 # exit
NS10_HA2 > reboot -warm
8. Close your browser, log in to NS10_HA1 again, go to the System > Licenses page and note all the licensed features.
9. Go to System > Settings > Configure basic features and enable all features except Content Filter and Integrated Caching.
10. Configure DNS settings: go to DNS > Name Servers > Add (click Yes when prompted for a configuration refresh) and enter IP 192.168.10.11.
11. In XenCenter connect to the console of NS10_HA1 (or use PuTTY), log in and run the following commands:
> show run
> sh ns ip (note the NSIP and SNIP)
> sh route
> sh ns feature
> sh ns mode
> sh ha node
> sh license
> show (tab-complete to see all the available options)
> show ns (tab-complete and check one or two options out)
12. On the NS10_HA1 Configuration GUI, go to System > High Availability.
13. Click Add, enter the IP of the other VPX (192.168.10.225), accept the other defaults and enter nsroot/nsroot as the credentials.
14. Click Refresh until Synchronization State is 'SUCCESS' and save the configuration.
15. Connect to the NS10_HA1 console or SSH in using PuTTY and run the following CLI command (hit Enter a few times to get the CLI moving):
> sh ha node | more
Note that Sync state is Enabled, and note which device has the Master State Primary and which Secondary.
16. Fail over to the secondary node:
> force ha failover
> sh ha node
Note that the master state switched. Force it back so NS10_HA1 is primary. Confirm that enabled features such as SSL Offload and Load Balancing are still enabled.
END OF EXERCISE
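The CLI equivalent of the GUI steps above, added here as a worked example; it is not part of the workshop guide. Hostnames, addresses, the DNS server and the HA peer are the ones this exercise uses; the feature list is trimmed to what the later exercises rely on, and the replacement nsroot password is a placeholder for a step the lab does not take (the lab keeps nsroot/nsroot throughout):

```nscli
# Run on NS10_HA1. Repeat on NS10_HA2 with hostname NS10_HA2 and peer address 192.168.10.220.
set ns hostName NS10_HA1
add ns ip 192.168.10.90 255.255.255.0 -type SNIP
add route 0.0.0.0 0.0.0.0 192.168.10.1
add dns nameServer 192.168.10.11

# Steps 8-9: confirm what the MAC-bound license unlocked, then switch on the features
# the following exercises use (the GUI step enables everything except CF and IC).
show license
enable ns feature LB CS SSL REWRITE RESPONDER
show ns feature

# Step 13: node 0 is always the local appliance; the peer gets id 1. The GUI configures
# both boxes from one dialog; on the CLI run the matching command on NS10_HA2 as well.
add ha node 1 192.168.10.225
show ha node

# Not in the lab: retire the default nsroot/nsroot credential before the pair serves
# traffic. Placeholder value. Set it on the primary; HA sync copies it to the secondary.
set system user nsroot REPLACE-WITH-A-REAL-PASSWORD

save ns config

# Steps 15-16: sync state and master state, fail over, fail back so NS10_HA1 is primary,
# then confirm the feature set survived the transition.
show ha node
force ha failover
show ha node
force ha failover
show ns feature
```

The CLI shows the same objects `show run` prints in step 11, which makes it the quickest way to diff what the Setup Wizard and the HA dialog actually wrote against what you intended.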
Module 2 - Exercise 1: Load Balancing
Overview
You want to demonstrate NetScaler load balancing. You need to configure the NetScaler to load balance the Red, Blue and Green web servers: create servers, services and virtual servers with persistence and protocol-aware monitors.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
4. IIS Web Server: (WebBlue)
5. IIS Web Server: (WebGreen)
6. IIS Web Server: (WebRed)
Estimated time to complete this lab: 20 minutes.
1. On the NS10_HA1 Configuration GUI, go to Load Balancing > Servers and create server objects for the following servers:
   - Red_Server 192.168.10.215
   - Green_Server 192.168.10.210
   - Blue_Server 192.168.10.205
2. Go to Load Balancing > Services and create service objects for the servers created in the previous step using Protocol HTTP and Port 80.
3. Go to Load Balancing > Virtual Servers and create a virtual server named RBG1 using Protocol HTTP, port 80 and IP address 192.168.10.216. Bind all three services created in the previous step.
4. Open another browser tab, go to http://192.168.10.216 and refresh multiple times. Requests should be load balanced across the Red, Blue and Green web servers since no persistence is configured.
5. Go to Load Balancing > Services, disable two of the three services and test load balancing. Re-enable the services when done.
6. On the NS Configuration GUI, open the RBG1 virtual server, go to the Method and Persistence tab, change the LB Method from the default of Least Connection to Round Robin and set persistence to CookieInsert. Change the Time-Out value to 0 to make the cookie a session cookie.
7. A DNS record was created for 192.168.10.216. Browse to http://web1.training.lab and refresh multiple times. This time your session will persist to one of the Red, Blue or Green servers for the duration of the session.
8. Configure each service to use a more protocol-specific monitor. The HTTP monitor expects a 200 OK response code to consider the service state UP. Ignore the warning: it only informs you that the default TCP monitor cannot be unbound. Since we are selecting a new HTTP monitor, the health check is still performed.
9. Save the configuration.
END OF EXERCISE
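The same load balancing configuration on the NetScaler CLI, added as a worked example and not taken from the guide. Server names and addresses are the ones above; the service names, the custom monitor name and the assumption that /home.php (the page the next module switches on) exists on all three web servers are mine, and the custom monitor goes beyond what the exercise asks for:

```nscli
# Steps 1-2: server objects and HTTP services (service names are assumed)
add server Red_Server 192.168.10.215
add server Green_Server 192.168.10.210
add server Blue_Server 192.168.10.205
add service Red_Service Red_Server HTTP 80
add service Green_Service Green_Server HTTP 80
add service Blue_Service Blue_Server HTTP 80

# Step 3: the virtual server behind web1.training.lab
add lb vserver RBG1 HTTP 192.168.10.216 80
bind lb vserver RBG1 Red_Service
bind lb vserver RBG1 Green_Service
bind lb vserver RBG1 Blue_Service

# Step 5: take two members out, watch every request land on the third, then restore them
disable service Red_Service
disable service Green_Service
show lb vserver RBG1
enable service Red_Service
enable service Green_Service

# Step 6: round robin plus an inserted cookie; -timeout 0 makes it a session cookie
set lb vserver RBG1 -lbMethod ROUNDROBIN -persistenceType COOKIEINSERT -timeout 0

# Step 8: the built-in "http" monitor sends HEAD / and wants a 200. The implicit
# tcp-default monitor stays bound; that is the warning the GUI shows.
bind service Red_Service -monitorName http
bind service Green_Service -monitorName http
bind service Blue_Service -monitorName http

# Beyond the lab: a 200 for / only proves IIS answers. Probing the page the application
# serves takes a member out when the app is broken behind a healthy web server.
# Assumes /home.php exists on all three servers and returns 200.
add lb monitor rbg_home_mon HTTP -httpRequest "GET /home.php" -respCode 200
bind service Red_Service -monitorName rbg_home_mon
bind service Green_Service -monitorName rbg_home_mon
bind service Blue_Service -monitorName rbg_home_mon

show service Red_Service
save ns config
```

With more than one monitor bound and no threshold set, a service is UP only while every bound monitor succeeds, so the application probe can mark a member DOWN while the built-in http monitor still passes. Note also what the persistence cookie is: its value tells the NetScaler which service to pin the session to, so a client that replays it chooses its own backend. Treat CookieInsert as a routing convenience, not as an isolation control.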
Module 3 - Exercise 1: Content Switching
Overview
You want to demonstrate NetScaler Content Switching. You need to configure the NetScaler with a Content Switching virtual server to achieve the following:
- HTTP requests to home.php should be switched to a load balancing virtual server with CookieInsert persistence and Round Robin load balancing.
- HTTP requests for blue.php, red.php, and green.php should be switched to their own respective servers.
- HTTP requests that match no configured content switching policy should trigger the default content switching policy and be switched to a load balancing virtual server with no persistence and Round Robin load balancing.
In order to achieve this objective, the following must be configured:
- Servers, services and load balancing virtual servers for each web server
- The three services (Red, Blue, Green) bound to non-directly addressable load balancing virtual servers
- Multiple content switching policies (e.g. HTTP.REQ.URL.CONTAINS("blue.php"))
- A content switching virtual server with bound policies.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
4. IIS Web Server: (WebBlue)
5. IIS Web Server: (WebGreen)
6. IIS Web Server: (WebRed)
Estimated time to complete this lab: 30 minutes.
1. Go to Load Balancing > Virtual Servers and delete the RBG1 virtual server. Create a new virtual server named RBG_Default and uncheck the Directly Addressable box. Bind all services to this virtual server.
2. Change the Method and Persistence to Round Robin and None (No Persistence).
3. Create a new virtual server named RBG_Home and uncheck the Directly Addressable box. Bind all services to this virtual server.
4. Change the Method and Persistence to Round Robin and CookieInsert with a time-out value of 0.
5. Create a new virtual server named RBG_Red, uncheck the Directly Addressable box and bind only the Red service to it.
6. Create a new virtual server named RBG_Blue, uncheck the Directly Addressable box and bind only the Blue service to it.
7. Create a new virtual server named RBG_Green, uncheck the Directly Addressable box and bind only the Green service to it.
8. You should now have the virtual servers RBG_Default, RBG_Home, RBG_Red, RBG_Blue and RBG_Green configured.
9. Go to Content Switching > Policies and add a policy for home.php called Home_Policy where the expression is HTTP.REQ.URL.CONTAINS("home.php")
10. Add a policy for red.php named Red_Policy where the expression is HTTP.REQ.URL.CONTAINS("red.php")
11. Add a policy for blue.php named Blue_Policy where the expression is HTTP.REQ.URL.CONTAINS("blue.php")
12. Add a policy for green.php named Green_Policy where the expression is HTTP.REQ.URL.CONTAINS("green.php")
13. Go to Content Switching > Virtual Servers and add a new virtual server. Name the virtual server RBG_CSW and give it 192.168.10.217 as the IP address. Leave the port and protocol at 80/HTTP.
14. Note how the content switching virtual server's state is UP although no policies have been bound, and the service is unavailable when browsing to the address.
15. Open the RBG_CSW virtual server and bind the content switching policies, each with its target load balancing virtual server (Home_Policy to RBG_Home, Red_Policy to RBG_Red, Blue_Policy to RBG_Blue, Green_Policy to RBG_Green), and set RBG_Default as the default load balancing virtual server.
16. A new DNS record was created for 192.168.10.217. Open another browser tab, go to http://web2.training.lab and refresh multiple times. The Red, Blue and Green web servers should be load balanced in a round robin manner since your request hit the default policy and was switched to RBG_Default, which has no persistence configured.
17. Change the request URL to http://web2.training.lab/home.php and note that hitting refresh multiple times keeps you on the same server, since your request was sent to the RBG_Home virtual server, which has CookieInsert configured for persistence.
18. Change the request URL to http://web2.training.lab/red.php and note that your request was sent to the RBG_Red virtual server. Repeat the request with http://web2.training.lab/blue.php and http://web2.training.lab/green.php
19. You can view the hit counts increase in the Content Switching > Policies node or when you open the content switching virtual server.
END OF EXERCISE
Module 3 - Exercise 2: SSL Offload
Overview
You want to secure traffic to your web servers using SSL certificates. In this lab you will create a certificate and configure the NetScaler to offload the SSL transactions while load balancing the Red, Blue and Green web servers: clients connect to the NetScaler over HTTPS, and the NetScaler forwards the decrypted requests to the web servers over the existing HTTP services.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
4. Microsoft SQL Server 2008: (SQLServer)
5. IIS Web Server: (WebBlue)
6. IIS Web Server: (WebGreen)
7. IIS Web Server: (WebRed)
Estimated time to complete this lab: 40 minutes.
1. Back on Win7Client, use the NS GUI to create the certificate we will use for the content switching virtual server. Go to SSL > Create CSR (Certificate Signing Request):
   - File name: wildcard.req
   - Key File Name: (Browse > ns-root.key)
   - Format: PEM
   - Common name: *.training.lab
   Fill in all other required fields, but do not set a password.
2. Use the NS GUI to copy wildcard.req to your Win7Client: select Manage Certificates / Keys / CSR and save wildcard.req to your Documents folder.
3. Browse to https://192.168.10.12/certsrv and use the Domain Admin credentials: U: Administrator / P: Citrix123. Choose Request a certificate > advanced certificate request > Submit a certificate request by using a base-64… Copy the contents of wildcard.req into the Saved Request field and select the Web Server template.
4. Click Submit and download the Base 64 encoded certificate (certnew.cer). Save it to the Documents folder.
5. Use the NS GUI to upload certnew.cer to the /nsconfig/ssl folder: select Manage Certificates / Keys / CSR and upload certnew.cer.
6. In the NS GUI, install the certificate: SSL > Certificates > Install
   - Certificate-Key Pair Name: wildcard-cert
   - Certificate File Name: browse to certnew.cer
   - Private Key File Name: browse to ns-root.key
7. Go to Content Switching > Virtual Servers, open the RBG_CSW virtual server and unbind all the content switching policies.
8. Add a new virtual server named RBG_CSW_HTTPS. Give it the 192.168.10.217 IP address, change the protocol to SSL (port 443) and bind the CSW policies as in the previous exercise.
9. Note that the virtual server is in a DOWN state since it has no certificate bound.
10. Open the virtual server, go to the SSL Settings tab and add wildcard-cert to the Configured column. Note that the virtual server state is UP after clicking OK.
11. Browse to https://web2.training.lab and confirm that you are connecting using HTTPS and that the NetScaler is offloading the SSL transactions.
END OF EXERCISE
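The certificate and SSL content switching steps above on the NetScaler CLI, added as a worked example that is not part of the guide. File names, the certificate-key pair name, the VIP and the policy names are the exercise's; the CSR subject fields, the separate wildcard.key and the protocol hardening at the end are my additions and are marked as such:

```nscli
# Step 1: CSR from the appliance's existing ns-root.key, as the exercise does. Country,
# state and organisation are assumptions; -keyForm PEM matches the Format field in the GUI.
create ssl certReq wildcard.req -keyFile ns-root.key -keyForm PEM -countryName US -stateName CA -organizationName Training -commonName "*.training.lab"

# Beyond the lab: ns-root.key also backs the appliance's own management certificate. A
# certificate that fronts applications should get a key of its own; then use wildcard.key
# in place of ns-root.key in the certReq and certKey commands.
create ssl rsakey wildcard.key 2048

# Steps 2-5 happen off-box: submit wildcard.req at https://192.168.10.12/certsrv with the
# Web Server template, download certnew.cer, upload it to /nsconfig/ssl.

# Step 6: certificate and key become one object
add ssl certKey wildcard-cert -cert certnew.cer -key ns-root.key
show ssl certKey wildcard-cert

# Step 7: the plain-HTTP content switch loses its policies
unbind cs vserver RBG_CSW -policyName Home_Policy
unbind cs vserver RBG_CSW -policyName Red_Policy
unbind cs vserver RBG_CSW -policyName Blue_Policy
unbind cs vserver RBG_CSW -policyName Green_Policy

# Steps 8-10: same VIP, SSL on 443, same switching; DOWN until a certificate is bound
add cs vserver RBG_CSW_HTTPS SSL 192.168.10.217 443
bind cs vserver RBG_CSW_HTTPS -policyName Home_Policy -targetLBVserver RBG_Home -priority 100
bind cs vserver RBG_CSW_HTTPS -policyName Red_Policy -targetLBVserver RBG_Red -priority 110
bind cs vserver RBG_CSW_HTTPS -policyName Blue_Policy -targetLBVserver RBG_Blue -priority 120
bind cs vserver RBG_CSW_HTTPS -policyName Green_Policy -targetLBVserver RBG_Green -priority 130
bind cs vserver RBG_CSW_HTTPS -lbvserver RBG_Default
show cs vserver RBG_CSW_HTTPS
bind ssl vserver RBG_CSW_HTTPS -certkeyName wildcard-cert
show cs vserver RBG_CSW_HTTPS

# Beyond the lab: offloading does not have to mean accepting every protocol version the
# appliance supports; SSLv3 is still enabled by default on this release.
set ssl vserver RBG_CSW_HTTPS -ssl3 DISABLED
show ssl vserver RBG_CSW_HTTPS
save ns config
```

Everything behind the NetScaler still travels as plaintext HTTP to the Red, Blue and Green services: offload protects the client leg only, so the server-side network has to be trusted, or the services re-created as SSL services if it is not.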
Module 5 - Exercise 1: HTTP header modification
Overview
In today's web, applications often require different responses, or different information sent to backend servers, as part of the HTTP request/response. For example, when the home page is requested, a different response is required depending upon the user's location, the language the browser accepts, or simply the type of browser being used to connect to the site.
With the help of rewrite and responder, we can manipulate the parameters on the request or response and, based on certain conditions, take a different action. This is especially useful when you want to masquerade information returned by the server or simply redirect the client connection to a secure site.
In this module, we will explore different examples of how to use the rewrite and responder features to perform HTTP to HTTPS redirection, as well as change the body of the response to ensure all links are displayed with the correct secure protocol. In addition, we will also configure a simple URL transformation to hide the application path and garble some of the parameters returned by the backend server, with the purpose of enhancing application security.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. Linux Server 1: Apache_MySQL_1 - (GENTOO_1)
2. Linux Server 2: Apache_MySQL_2 - (GENTOO_2)
3. Linux Server 3: Apache_MySQL_3 - (GENTOO_3)
4. NetScaler VPX: (NS10_HA1)
5. NetScaler VPX: (NS10_HA2)
6. Windows 7 workstation: (Win7Client)
Estimated time to complete this lab: 30 minutes.
1. In XenCenter, make sure that the following VMs are powered on: AD.training.lab, Apache_MySQL_1, Apache_MySQL_2, Apache_MySQL_3, NS10_HA1, NS10_HA2 and Win7Client.
2. Complete a simple load balancing configuration to be used in our rewrite examples. In this lab, we will configure additional servers/services for an Apache web server farm. From the Win7Client, access the management utility at http://192.168.10.220. Navigate to Load Balancing -> Servers and add the server object for Server 3. Label it GENTOO_3.
3. Then create the service, select GENTOO_3, and bind a TCP monitor.
4. Create an HTTP vserver labeled HTTP_vserver and bind the service created in step 3 to it. For the IP address, protocol and port use 192.168.10.218, HTTP and 80.
5. Apache_MySQL_3 has been provisioned with a simple PHP page that outputs all the server variables and headers included in the HTTP request; this page is served as the default 404 Not Found HTML. For this lab, we will use this server to visually inspect the information the backend server received after the traffic is processed by the NetScaler appliance. On the Win7 workstation (Win7Client), open a browser and navigate to a non-existing URL on the new HTTP_vserver: http://192.168.10.218/nonexistenturl/ Inspect the headers and variables to familiarize yourself with the output.
6. First, we will start with a header insertion to include the client IP address in the HTTP request. This can be accomplished in two different ways:
   - Using the Client IP option in the service advanced properties
   - Using a rewrite rule to insert a new HTTP header
7. We will start with option 1. Open the Advanced Properties of the GENTOO_3_HTTP_TCP_80 service and check the Client IP header option. Fill in the desired header name.
8. From the Win7Client, open a new browser instance and attempt your request again: http://192.168.10.218/nonexistenturl/ You should see the "Client-IP" header being inserted in the request.
9. Now we will use a rewrite policy to insert the same information. Remove the Client IP insertion configuration.
10. Open a browser and navigate to the same URL to ensure the header is no longer inserted: http://192.168.10.218/nonexistenturl/
11. Make sure the rewrite feature is enabled. Using the NetScaler GUI, navigate to System -> Settings -> Configure Basic Features.
12. Next, create the rewrite action. Navigate to Rewrite -> Actions and click Add. Select the INSERT_HTTP_HEADER option and fill in the header name. Use the following expression to insert the client IP address: CLIENT.IP.SRC
13. Then create a new policy and bind it to the rewrite action. Navigate to the Rewrite policy node and click Add. Give the policy a name, select the action, use a true expression, then click Create.
14. As a final step, bind the policy to HTTP_vserver. Open the vserver properties and bind the Request Rewrite policy with the default priority. Click OK to commit the changes. NOTE: If the rewrite policy does not show up when attempting to bind, close the Configure Virtual Server window and perform a Refresh. Then attempt the binding again.
15. Open a new browser instance, navigate to http://192.168.10.218/nonexistenturl/ and verify that the client IP was inserted.
16. Next, we will work on a Response Rewrite policy to obscure some of the information sent by the backend server.
17. To visualize the request and response headers received, open a new IE instance and enable the ieHTTPHeaders add-on available in the Tools -> Explorer Bars menu.
18. In IE, navigate to the virtual server at http://192.168.10.218. You should see the request and response headers.
19. Take a closer look at the response headers. Since this backend server runs Apache, it includes a Server header in its response. A common practice is to masquerade this information and return a generic value instead.
20. Let's create a rewrite action to replace an HTTP header. Using the GUI, navigate to Rewrite -> Actions and click Add.
21. Assign a name to the action and select REPLACE as the type. For the expression to target, use HTTP.RES.HEADER("Server") and for the replacement text use a generic name such as "MyWebServer", including the quotes. Click Create to commit.
22. Next, create a rewrite policy. Since we need to perform the action on every response, use a true expression.
23. Bind this rewrite policy to HTTP_vserver. Make sure you select the RESPONSE rewrite binding; otherwise the policy will not be listed.
24. Open a new browser instance and make a new request to the VIP: http://192.168.10.218
25. Inspect the response headers and verify that the Server header value was replaced.
END OF EXERCISE
Summary
Key Takeaways
The key takeaways for this exercise are:
- Rewrite and responder can be used in conjunction to manipulate the data and enhance application security.
- Rewrite policies can modify data on the request and/or response.
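Both client IP methods and the Server header mask above on the NetScaler CLI, added as a worked example; none of it is from the guide. The service name, VIP, header name, expressions and "MyWebServer" value are the exercise's own; the action and policy names are assumptions, and the delete-then-insert pair is an addition the exercise does not make:

```nscli
# Steps 2-4: the farm member and the HTTP vserver used throughout this module.
# GENTOO_3's address is from the credentials table; the service name is the one the GUI shows.
add server GENTOO_3 192.168.10.15
add service GENTOO_3_HTTP_TCP_80 GENTOO_3 HTTP 80
bind service GENTOO_3_HTTP_TCP_80 -monitorName tcp
add lb vserver HTTP_vserver HTTP 192.168.10.218 80
bind lb vserver HTTP_vserver GENTOO_3_HTTP_TCP_80

# Step 7 (option 1): the service-level client IP header; step 9 undoes it
set service GENTOO_3_HTTP_TCP_80 -CIP ENABLED Client-IP
set service GENTOO_3_HTTP_TCP_80 -CIP DISABLED

# Steps 11-14 (option 2): the rewrite equivalent. Names are assumptions.
enable ns feature REWRITE
add rewrite action ins_clientip_act insert_http_header Client-IP CLIENT.IP.SRC
add rewrite policy ins_clientip_pol true ins_clientip_act

# Beyond the lab: a client can send its own Client-IP header, and INSERT_HTTP_HEADER adds
# a header rather than replacing one, so the backend would see both. Strip whatever the
# client sent first, then insert; NEXT on the first binding lets the second one run.
add rewrite action del_clientip_act delete_http_header Client-IP
add rewrite policy del_clientip_pol "HTTP.REQ.HEADER(\"Client-IP\").EXISTS" del_clientip_act
bind lb vserver HTTP_vserver -policyName del_clientip_pol -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver HTTP_vserver -policyName ins_clientip_pol -priority 110 -gotoPriorityExpression END -type REQUEST

# Steps 20-23: mask the Server header. Fire only when there is one: a REPLACE whose
# target is absent is counted as an undefined (UNDEF) action hit rather than a no-op.
add rewrite action mask_server_act replace "HTTP.RES.HEADER(\"Server\")" "\"MyWebServer\""
add rewrite policy mask_server_pol "HTTP.RES.HEADER(\"Server\").EXISTS" mask_server_act
bind lb vserver HTTP_vserver -policyName mask_server_pol -priority 100 -gotoPriorityExpression END -type RESPONSE

# Step 25 equivalent: hit counters confirm the bindings are evaluated
show rewrite policy ins_clientip_pol
show rewrite policy mask_server_pol
save ns config
```

Whichever method inserts the header, the backend should trust Client-IP only if no client can reach it except through the NetScaler; otherwise a direct request carries whatever value the sender chooses. Replacing the Server header is hygiene rather than a control: Apache's error pages and other response details still identify the software.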
Module 5 - Exercise 2: HTTP to HTTPs
redirection and URL body rewrite
Overview
Certain applications require specific requests to occur over a secure connection. Leveraging the responder
module, the NetScaler can issue a redirect to a secure site, ensuring a seamless user experience.
Additionally, the rewrite module can be used to rewrite any HTLM content containing any reference to an
HTTP URI, forcing the connecting client to navigate the site using HTTPs only. In this exercise, we will
configure a responder policy that redirects requests to an alternate URL and continue to setup a rewrite
policy that rewrites any HTTP URIs to force secure browsing.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Linux Server 1 : Apache_MySQL_1 - (GENTOO_1)
Linux Server 2 : Apache_MySQL_2 - (GENTOO_2)
Linux Server 2 : Apache_MySQL_3 - (GENTOO_3)
Web Server Blue: (WebBlue)
Web Server Green: (WebGreen)
Web Server Red: (WebRed)
SQLServer
NetScaler VPX: (NS10_HA1)
NetScaler VPX: (NS10_HA1)
Windows 7 workstation: (Win7Client)
Estimated time to complete this lab: 40 minutes.
Step
1.
Action
The first step in securing an application is to ensure all requests occur over an encrypted channel.
For this example, we will use a pre-installed web application (PHPMyAdmin) available on the
Linux web server (Apache_MySQL_3). Since this application lives in the “/phpmyadmin”
subdirectory, we will configure a responder action to redirect all request to HTTPs.
Page 42
Step
2.
3.
4.
Action
From the Win7Client, and
using the NetScaler GUI,
navigate to System -> Settings
-> Configure Advanced
Features and enable the
Responder option.
Expand the responder module, select Actions, and then Add.
Create a responder action that redirects to a secure URL. Give the action a name and select
Redirect for the type.
In order to ensure that any hostname is redirected regardless of the host header, use the following
dynamic expression:
“https://” + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY
Since this expression could potentially create a redirect loop, make sure that you select the
“Bypass Safety Check” option to allow the action to be created.
Page 43
Step
5.
Action
Next, create a responder
policy to trigger the action.
Since this will be bound to
HTTP_vserver, use a “true”
expression.
6.
Then, open the properties of
the HTTP_vserver and bind
this policy using the default
priority.
7.
Open a browser instance and
navigate to the VIP.
http://192.168.10.218
Use the ieHTTPHeaders to
verify the redirect is triggered.
Why is the page not
displayed?
8.
Since we do not have a Virtual server listening on port 443, the redirect does not complete
properly. Let’s proceed to create a new SSL vserver. Navigate to Load Balancing -> Virtual
Server and click on Add.
Page 44
Step
9.
Action
Choose a name, select SSL as
the protocol type, reuse the
same address
(192.168.10.218), and select
port 443.
Also, make sure that you bind
the same backend server:
GENTOO_3_HTTP_TCP_80.
10.
Since this is an SSL vserver,
we need to bind a server
certificate. Select the SSL
settings tab, and select the
wildcard-cert. Click “Create”
to complete the configuration.
Page 45
Step
11.
Action
Attempt to test the responder
policy by navigating to the
HTTP URL.
http://192.168.10.218/phpm
yadmin
Since we are not using an
FQDN, a warning is
displayed. Proceed to accept
the warning. The default
content should be displayed
over a secure channel.
(https://...)
12.
To avoid this SSL warning,
let’s re-issue the request using
the FQDN that resolves to
the VIP:
http://web3.training.lab/php
myadmin
The redirect should complete
without any warning message.
13.
This responder policy will redirect any request to port 80 to 443; however, some applications
hardcode absolute URLs or require special Host headers to serve content. This is especially
troublesome when the application is SSL Offloaded as it could render all the links inaccessible or
the application fails to work.
Page 46
Step
14.
Action
Attempt to login to the
phpMyAdmin application
using the following
credentials:
Username: root
Password: Citrix123
Did the login request work?
15.
You should see that a redirect
diverts traffic directly to the
backend server, effectively
bypassing the load balancer.
In order to get through the
initial login, we need to
rewrite the redirect request
the backend server is sending
to include the FQDN for the
VIP. For this, we will use a
Rewrite Response policy.
Observe the “header trace”
captured. The Location
header has the wrong
information.
Page 47
Step
16.
Action
Proceed to create a Rewrite Policy that looks for the Location Header value in the response and
changes the hardcoded IP address for the VIP FQDN.
For this navigate to Rewrite -> Actions -> Add and configure the policy as shown in the
screenshot.
Use the following expression:
“https://web3.training.lab” +
HTTP.RES.HEADER(“Location”).TYPECAST_HTTP_URL.T.PATH_AND_QUERY
Page 48
Step
17.
Action
Next, define the rewrite
policy. Select the action
created before and use a true
expression.
18.
Proceed to bind the rewrite
policy to the HTTPs_vserver
response queue using the
default priority. Don’t forget
to select the Response queue,
otherwise the policy will not
show up in the list.
19.
Attempt to login to the
application.
http://web3.training.lab/php
myadmin/
Is the request redirected to
HTTPs?
Does the application
complete the login request?
After binding the previous
policies, the application works
as intended. Navigate a few
links to verify correct
behavior. Observe the links
on the page.
Page 49
Step
20.
21.
Action
There is one more problem
with this configuration.
Unfortunately, some of the
links are hardcoded by the
application and the URL
includes the backend server
IP.
We need to configure a
rewrite policy to modify the
response body and replace
this static value for the correct
FQDN.
Let’s configure another
rewrite policy to adjust the
body. First, start with the
rewrite action.
Select REPLACE_ALL as the
type.
Choose the response body as
the target text reference. For
the body argument, use
100000 characters. This
should be plenty to catch all
instances of the pattern to
replace.
For the replacement text,
select
https://web3.training.lab and
for the pattern
http://192.168.10.15
Page 50
22. Create the policy. Use a TRUE expression so the action runs on every response; REPLACE_ALL then replaces every instance that matches the pattern.
23. Bind the policy to the HTTPs_vserver Response queue using the default priority.
24. Make sure that you select NEXT for the "Goto Expression" on the first policy, otherwise the second policy (the one with the higher priority number, which is evaluated later) will not be evaluated.
From the Win7Client, test the application one more time by refreshing the phpMyAdmin page. The URLs should now be rewritten and the web application is correctly SSL offloaded through NetScaler.
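The two response-side rewrites configured in steps 16 and 21, modeled in Python as an added example (this is not code from the lab guide or from NetScaler). rewrite_location() mirrors the step 16 expression by keeping only the path and query of the original Location value; rewrite_body() mirrors the step 21 REPLACE_ALL over the first 100000 bytes of the body, which also shows the failure mode when a page is larger than the body argument. The sample headers and body are constructed here; the backend address and the FQDN are the ones used in the lab, and an absolute Location URL is assumed.

```python
"""Model of the two response rewrites used to finish the SSL offload.

Added example, not part of the lab guide or NetScaler's code. Assumes an
absolute Location value and the lab's backend/VIP names.
"""
from urllib.parse import urlsplit

BACKEND_ORIGIN = "http://192.168.10.15"       # hardcoded by the application
PUBLIC_ORIGIN = "https://web3.training.lab"   # the VIP's FQDN (SSL offloaded)
BODY_LIMIT = 100000                           # HTTP.RES.BODY(100000) in step 21


def rewrite_location(headers: dict) -> dict:
    """Step 16: rebuild Location from PATH_AND_QUERY of the original value.

    Equivalent to "https://web3.training.lab" +
    HTTP.RES.HEADER("Location").TYPECAST_HTTP_URL_T.PATH_AND_QUERY.
    Only the path and query survive, so the backend's scheme, host and
    port never reach the client.
    """
    loc = headers.get("Location")
    if loc is None:
        return headers
    parts = urlsplit(loc)
    path_and_query = parts.path or "/"
    if parts.query:
        path_and_query += "?" + parts.query
    new = dict(headers)
    new["Location"] = PUBLIC_ORIGIN + path_and_query
    return new


def rewrite_body(body: str) -> str:
    """Step 21: REPLACE_ALL of the backend origin within the first BODY_LIMIT chars.

    Anything beyond the limit passes through untouched, which is the
    failure mode to check for on large pages.
    """
    head, tail = body[:BODY_LIMIT], body[BODY_LIMIT:]
    return head.replace(BACKEND_ORIGIN, PUBLIC_ORIGIN) + tail


def offload_response(headers: dict, body: str) -> tuple:
    """Apply both policies in order (Goto Expression = NEXT on the first)."""
    return rewrite_location(headers), rewrite_body(body)


def leaks_backend(headers: dict, body: str) -> bool:
    """True if the client would still see the backend origin anywhere."""
    return BACKEND_ORIGIN in body or any(BACKEND_ORIGIN in v for v in headers.values())


# Constructed sample: a redirect and a link as the PHP application emits them.
SAMPLE_HEADERS = {
    "Location": "http://192.168.10.15/phpmyadmin/index.php?token=abc123",
    "Content-Type": "text/html",
}
SAMPLE_BODY = '<a href="http://192.168.10.15/phpmyadmin/db_structure.php">db</a>'

if __name__ == "__main__":
    h, b = offload_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(h["Location"])
    print(b)
    print("backend leaked:", leaks_backend(h, b))
```

Run it with no arguments to see the rewritten Location and body. The leaks_backend() check is the test to run against a real capture after binding both policies: if it still finds the backend origin, either the Goto Expression on the first policy is not NEXT or the body argument is smaller than the page.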
END OF EXERCISE
Summary
Page 51
Key Takeaways
- Rewrite policies can be strung together to manipulate the request or response data sequentially; set the Goto Expression to NEXT so evaluation continues past the first matching policy.
- For some web apps, deeper knowledge of the application logic is required to successfully configure the necessary rewrite policies. Additional information can be gathered from header/network traces and log analysis.
Page 52
Module 5 - Exercise 3: URL Transformation
Overview
The URL Transformation feature allows an external URL path to be transformed into an internal URL scheme, effectively hiding the site structure from outside users. In this lab, we will configure a URL transformation policy to mask an internal path from outside users while allowing seamless access to the application.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. Linux Server 1 : Apache_MySQL_1 - (GENTOO_1)
2. Linux Server 2 : Apache_MySQL_2 - (GENTOO_2)
3. Linux Server 3 : Apache_MySQL_3 - (GENTOO_3)
4. Web Server Blue: (WebBlue)
5. Web Server Green: (WebGreen)
6. Web Server Red: (WebRed)
7. NetScaler VPX: (NS10_HA1)
8. NetScaler VPX: (NS10_HA2)
9. Windows 7 workstation: (Win7Client)
Estimated time to complete this lab: 20 minutes.
1. An alternative to the rewrite policies configured previously is to use a URL transformation to hide the application path. Since the URL transformation feature requires the rewrite engine, we need to ensure the rewrite feature is enabled.
Page 53
2. To show the benefit of URL transform, we will use the same virtual server previously created. However, we will create a new service and bind this new service to the HTTPs_vserver.
3. First, create the server object for Apache_MySQL_2. Navigate to Load Balancing > Servers and click on Add. Fill in the name (GENTOO_2) and IP address (192.168.10.14) and click Create.
4. Then create the HTTP service for server 2. Navigate to Load Balancing -> Services and click Add. Fill in the service name field, select HTTP as the protocol, and port 80. Bind a TCP monitor. Click on Create to finish.
5. Go back to the HTTPs_vserver properties and unbind GENTOO_3_HTTP_TCP_80 and bind GENTOO_2_HTTP_TCP_80 instead.
Page 54
6. Next, in the same vserver properties window (HTTPs_vserver), switch to the Policies tab and unbind the rewrite policies previously bound, as we will use a URL transformation policy instead. Make sure you inspect all policy types (Responder, Rewrite Request, Rewrite Response, etc.). Use the Unbind Policy button. Click OK to commit the changes.
7. At this point, when accessing the VIP, the application still responds on the /phpmyadmin path. Our goal is to hide this path so that external users are unaware of the directory structure. Attempt to access the VIP to make sure the load balancing setup is working as expected.
Page 55
8. We need to create our URL transformation configuration. To begin, navigate to Rewrite -> URL Transformation -> Profile and click on Add. Give a name to the profile and select Create.
9. After the profile is created, double-click on this object to bring up its properties. Then click on the Add button to create a new URL transformation action.
Page 56
10. Configure the action with the appropriate paths for Request and Response URL. Give it a priority of 1, and enable the transformation action. Click Create when finished.
11. You should be back in the transformation profile window. Click OK to commit the changes.
Page 57
12. We are ready to create a new URL transformation policy and bind it to the profile just created. Navigate to Rewrite -> URL Transformation -> Policies and click Add. Choose a name and select the profile previously created from the list.
13. Since we are going to apply this transformation to all requests that land on the virtual server, use a TRUE expression. Go back to the virtual server properties (HTTPs_vserver) and bind the URL transformation policy using the default priority. Click OK to commit the changes.
Page 58
14. Open a new browser instance and navigate to http://web3.training.lab/ Since we still have our responder policy bound to the HTTP vserver, this should redirect the request to the HTTPs_vserver, and at this point the URL transformation policy obscures the URL path.
Page 59
15. Attempt to log in to ensure the URL transformation policy is working for all site paths. Notice that the /phpmyadmin path is hidden for every link.
Username: root
Password: Citrix123
END OF EXERCISE
Summary
Key Takeaways
URL transformation uses the rewrite engine to apply bidirectional rewrites to requests and responses. Unlike a rewrite policy, a URL transformation rule processes the entire request/response, applying multiple changes in one pass.
Page 60
Module 6 - Exercise 1: MySQL Load
Balancing and Content Switching
Overview
NetScaler DataStream Technology provides native database protocol and SQL intelligence by inspecting
real-time traffic and applying protocol aware policies for both Microsoft SQL Server and MySQL
databases. By performing native SQL load-balancing, it offers a cost-effective solution to offload database
server connections considerably reducing the number of SQL connections to the backend servers, while
providing an infrastructure to monitor, optimize, and secure a database deployment.
You want to demonstrate NetScaler load balancing and content switching. There are three MySQL database servers, with parts of the same database spread amongst the servers. You need to configure the NetScaler to send traffic to specific servers based on the request.
You need to configure NetScaler with a Content Switching virtual server to achieve the following:
- MySQL requests for training (red), sales (green), and support (blue) should be switched to their own respective servers
In order to achieve this objective, the following must be configured:
- The three MySQL (3306) services (Red, Blue, Green) are bound to non-directly addressable LB vservers
- Multiple content switching policies (e.g. MYSQL.REQ.QUERY.TEXT.CONTAINS("training"))
- A database user must be added to authenticate to the MySQL databases. It is preconfigured on the backend servers as "nsuser / citrix"
- Create a MySQL-ECV monitor using a query to probe the health of the databases
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. NetScaler VPX appliance: (NS10_HA1)
2. NetScaler VPX appliance: (NS10_HA2)
3. Windows 7 Workstation: (Win7Client)
4. Microsoft SQL Server 2008: (SQLServer)
5. IIS Web and MySQL Server: (WebBlue)
6. IIS Web and MySQL Server: (WebGreen)
7. IIS Web and MySQL Server: (WebRed)
Estimated time to complete this lab: 40 minutes.
Page 61
1.
As a prerequisite step, add a content switching policy as seen below named MYSQL_Policy.
The expression is a compound expression:
HTTP.REQ.URL.CONTAINS("inputsqlip.php") || HTTP.REQ.URL.CONTAINS("mysql.php")
2.
Bind the MYSQL_Policy to the RBG_CSW_HTTPS content switching virtual server as
seen below with the target as the RBG_Home virtual server. The purpose of this step is to
ensure HTTP session persistence for the following lab since persistence is disabled on the
RBG_Default virtual server.
3.
Go to Load Balancing > Services and create service objects for the Red, Blue and Green servers using Protocol MYSQL and Port 3306. Name the services:
- Support_mysql_Blue_Service
- Sales_mysql_Green_Service
- Training_mysql_Red_Service
Page 62
4.
Go to Load Balancing > Virtual Servers and create a new virtual server. Name the virtual
server RBG_MYSQL_Default_Vserver and uncheck the Directly Addressable box.
Change the Protocol to MYSQL. Bind all MySQL services to this virtual server.
Page 63
5.
Confirm that Method and Persistence are set to Least Connection and None (No
Persistence).
6.
Create a new virtual server, name it Training_mysql_Red_Vserver and uncheck the Directly
Addressable box. Bind the Training_mysql_Red_Service to this virtual server.
7.
Confirm that Method and Persistence are set to Least Connection and None (No
Persistence).
Page 64
8.
Create a new virtual server, name it Support_mysql_Blue_Vserver and uncheck the Directly
Addressable box. Bind the Support_mysql_Blue_Service to this virtual server.
9.
Create a new virtual server, name it Sales_mysql_Green_Vserver and uncheck the Directly
Addressable box. Bind the Sales_mysql_Green_Service to this virtual server
10.
You should have the following virtual servers configured:
Page 65
11.
Go to Content Switching > Policies and Add a policy for Training called Training_Policy
where the expression is MYSQL.REQ.QUERY.TEXT.CONTAINS("training")
12.
Add a policy for Support named Support_Policy
where the expression is MYSQL.REQ.QUERY.TEXT.CONTAINS("support")
13.
Add a policy for Sales named Sales_Policy
where the expression is MYSQL.REQ.QUERY.TEXT.CONTAINS("sales")
14.
Go to Content Switching > Virtual Servers and Add a new virtual server. Name the virtual
server RBG_MYSQL_CSW and give it 192.168.10.217 as the IP address and 3306 as the
Port. Change the Protocol to MYSQL and bind the content switching policies as shown
below:
Page 66
15.
Go to System > Database Users and add a user named “nsuser” with password “citrix”.
16.
Open another browser and go to https://web2.training.lab. You will be presented with the
RBG page. On the bottom of the page click on the link for the MySQL demo.
17.
Change the IP address in the field to point to the MYSQL content switching virtual server
192.168.10.217.
Page 67
18.
Select the Sales radio button and hit Submit. This will modify the MySQL query to look
for the Sales department.
19.
Click the "Click here to Content Switch" link on the bottom half of the screen to send the
request. You can see the SQL query that was used.
20.
Repeat for the Training and Support departments.
21.
The last step is to create a proper service monitor for MySQL. Go to Load Balancing >
Monitors and Add a new monitor and name it mysql_monitor. Select MYSQL_ECV from
the Type dropdown. On the Special Parameters tab, enter the following details:
Database: synergy
Query: select department from application_users;
User name: nsuser
Rule: MYSQL.RES.ATLEAST_ROWS_COUNT(2)
22.
Bind the mysql_monitor to all the MYSQL services.
23.
After binding, wait a few seconds and reopen the properties of each MySQL service. Click
on the mysql_monitor and check the status.
The service should be UP and the pattern should be found in the response.
Page 69
END OF EXERCISE
Page 70
Module 6 - Exercise 2: SQL Rate Limiting
Overview
NetScaler 10 enforces DataStream rate limits that depend on the platform license installed on the system, measured as SQL requests per second. If the request rate exceeds the preconfigured limit, the NetScaler sends an error message to the connecting client indicating that the system limit has been reached.
Additionally, the administrator can configure an SNMP trap in order to have visibility when this condition occurs.
In this exercise, we will attempt to install a web application that populates a database with sample data
using a MYSQL virtual server to provide access to the database tier. Since many SQL requests will be sent
to the virtual server, the rate limiting mechanism is triggered and the operation will fail. To complete the
exercise, we will upgrade the platform license on the NetScaler VPX appliance which lifts the rate limit
restriction and attempt the install operation once again.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. Linux Server 1 : Apache_MySQL_1 - (GENTOO_1)
2. NetScaler VPX: (NS10_HA1)
3. Windows 7 workstation: (Win7Client)
Estimated time to complete this lab: 30 minutes.
Page 71
1. In XenCenter, please make sure that the following VMs are powered on:
- AD.training.lab
- Apache_MySQL_1
- Apache_MySQL_2
- Apache_MySQL_3
- NS10_HA1
- NS10_HA2
- Win7Client
2. For this exercise, we will use the CLI. Using the console or SSH via PuTTY, log on to the primary node (NS10_HA1) and verify the following feature is enabled on the NetScaler appliance:
- Load balancing
> enable ns feature LB
3. Verify the license installed on both nodes. Since a VPX_1000 license is installed, it should read Model Number ID: 1000
> show license | grep Model
Model Number ID: 1000
>
4. Create server objects for all Linux servers. In previous labs, we created entries for Server 2 and 3; therefore, just create a new server entry for Apache_MySQL_1 (GENTOO_1):
> add server GENTOO_1 192.168.10.13
Page 72
5. Create service objects for the MySQL service running on all three servers (TCP port 3306).
> add service GENTOO_1_MYSQL_TCP_3306 GENTOO_1 MYSQL 3306
> add service GENTOO_2_MYSQL_TCP_3306 GENTOO_2 MYSQL 3306
> add service GENTOO_3_MYSQL_TCP_3306 GENTOO_3 MYSQL 3306
> bind lb monitor TCP GENTOO_1_MYSQL_TCP_3306
> bind lb monitor TCP GENTOO_2_MYSQL_TCP_3306
> bind lb monitor TCP GENTOO_3_MYSQL_TCP_3306
6. Create a MYSQL vserver and bind the MySQL service for Apache_MySQL_1 (GENTOO_1).
> add lb vserver MYSQL_vserver MYSQL 192.168.10.218 3306
> bind lb vserver MYSQL_vserver GENTOO_1_MYSQL_TCP_3306
7. Verify that the vserver and services created are in an UP state.
> show lb vserver MYSQL_vserver
> stat lb vserver MYSQL_vserver
8. All 3 MySQL servers in the lab already have a set of sample databases loaded. The user "netscalersql" has been granted all privileges locally on each server. The password for this user is "netscaler".
9. Before we can connect to the database, we define the account the NetScaler will use to connect to the SQL backend. Create the NetScaler DB user. The NetScaler uses this account both to authenticate the connecting client and to open its own connections to the backend servers, so the password must match the one granted on each MySQL server.
> add db user netscalersql -password netscaler
Page 73
10. Using the console or SSH, log in to Apache_MySQL_3 (GENTOO_3) and attempt to connect to the MySQL virtual server using the following credentials:
U: netscalersql
P: netscaler
gentoo_3 ~ # mysql -h 192.168.10.218 -u netscalersql -p
Enter password: netscaler
mysql>
Note: Use the -h, -u, and -p flags to specify the hostname and username and to prompt for a password.
You should be able to log in through the VIP.
11. List the databases to verify you have access to the DB server.
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| imdb               |
| mysql              |
| test               |
+--------------------+
8 rows in set (0.07 sec)
mysql>
Page 74
12. Execute a simple query to verify access to one of the databases:
mysql> use imdb;
mysql> select * from actors where actors.first_name = "Al" and actors.last_name = "Pacino";
+--------+------------+-----------+--------+
| id     | first_name | last_name | gender |
+--------+------------+-----------+--------+
| 358968 | Al         | Pacino    | M      |
+--------+------------+-----------+--------+
1 row in set (0.11 sec)
mysql>
13. Since we will be installing a web application, create an HTTP virtual server and corresponding services.
14. On the NetScaler, create the HTTP service for Linux server 1.
NOTE: The services for Apache_MySQL_3 and Apache_MySQL_2 were configured in a previous exercise. Please refer to Module 5 - Exercise 1, step 24.
> add service GENTOO_1_HTTP_TCP_80 GENTOO_1 HTTP 80
> bind lb monitor tcp GENTOO_1_HTTP_TCP_80
15. The HTTP_vserver was created in a previous exercise. Unbind any service from the vserver and bind only the Apache_MySQL_1 service (GENTOO_1) to it.
> unbind lb vserver HTTP_vserver GENTOO_3_HTTP_TCP_80
> bind lb vserver HTTP_vserver GENTOO_1_HTTP_TCP_80
16. Unbind any responder policies currently bound to the HTTP_vserver.
> unbind lb vserver HTTP_vserver -policyName RedirectToSecureSite_pol
Page 75
17. The web application used in this exercise is an open source CRM application (SugarCRM). The necessary files to complete the install are located in the Apache web server root. From the Win7Client, use Internet Explorer to browse to the HTTP virtual server previously created.
18. Browse to the sugarcrm directory to begin the install:
http://192.168.10.218/sugarcrm/install.php
Page 76
Step
19.
Action
OPTIONAL: If you receive an error message indicating that the installer is “locked”, please run
the following command on Apache_MySQL_1 server and refresh the install page :
gentoo_1 ~ # cp /var/sugarcrm_config/config.php /var/www/localhost/htdocs/sugarcrm/
20.
Go through the initial system check and accept the license agreement. Perform a typical install
and accept the defaults.
Page 77
21. During the database configuration, use "sugarcrm" as the database name and select the virtual server IP as the hostname. For the database administrator username and password, use the NetScaler DB user configured before:
Username: netscalersql
Password: netscaler
Select the option to populate the database with demo data in order to trigger the SQL rate limiting mechanism.
22. Pick a password for the sugarcrm admin user. For consistency you can use "netscaler" as your password.
Page 78
23. Accept the warning and select Install.
24. The install operation will fail due to a database error.
25. Log in to Apache_MySQL_1 (GENTOO_1) using either the console or SSH, and inspect the installation log file for SugarCRM. We can see that the rate limiting mechanism was triggered:
gentoo_1 ~ # tail /var/www/localhost/htdocs/sugarcrm/sugarcrm.log
Fri Mar 16 19:00:59 2012 [17401][-none-][FATAL] Query Failed: INSERT into relationships (id,relationship_name,lhs_module,lhs_table,lhs_key,rhs_module,rhs_table,rhs_key,relationship_type) values ('5a4ff504-2206-7bf6-59d64f638d8f997f','projects_modified_user','Users','users','id','Project','project','modified_user_id','one-to-many'): MySQL error 6002: NetScaler DataStream rate limits hit
gentoo_1 ~ #
Page 79
26. Go back to the NetScaler NS10_HA1 CLI. To verify the logging capabilities for DataStream, set up the SNMP alarm for the DataStream rate limit hit. In order for the trap to be sent (and appear in syslog), define a generic and a specific trap destination, then save your configuration.
> set snmp alarm DATASTREAM-RATE-LIMIT-HIT -logging ENABLED -state ENABLED -severity Informational
> add snmp trap generic 192.168.10.15 -communityName public -srcIP 192.168.10.90
> add snmp trap specific 192.168.10.15 -communityName public -srcIP 192.168.10.90 -severity Informational
> save ns config
27. From the Windows 7 workstation, close any browser instances and run the web application installer again (http://192.168.10.218/sugarcrm/install.php). Refer to steps 18-23.
IMPORTANT: Before you can run the installer again, the config.php file needs to be modified to allow the installer process to run. To avoid making manual changes to the configuration file, an already modified copy is stored in /var/sugarcrm_config/config.php. On Apache_MySQL_1 (GENTOO_1), copy this file to the Apache webroot sugarcrm directory with the command provided:
gentoo_1 ~ # cp /var/sugarcrm_config/config.php /var/www/localhost/htdocs/sugarcrm/
NOTE: If you receive any warnings to remove the existing tables and populate the data, click on the accept button.
Page 80
28. Switch to the primary node (NS10_HA1) and inspect the NetScaler syslog to verify the trap was sent.
> shell
root@NS10_HA1# cat /var/log/ns.log | grep -i DataStream
Mar 21 19:45:10 <local0.info> 192.168.10.220 03/21/2012:19:45:10 GMT NS10_HA1 0-PPE-0 : SNMP TRAP_SENT 192 0 : DataStreamRateLimitHit (alarmHighThreshold = 200, sysIpAddress = 192.168.10.220)
29. The SQL rate limits per platform are as follows:
Platform                    SQL rate limit
Up to VPX 1000              200 RPS
VPX 3000 - VPX 8000         No limit
MPX 5500 - MPX 9500         1000 RPS
MPX/SDX 10500 and higher    No limit
In order to avoid the limit imposed on our VPX 1000, upgrade the license. A new VPX_3000 license is located in /var/license_backup.
On both nodes of the HA pair, copy the new license file to the /nsconfig/license directory:
root@NS10_HA1 # cp /var/license_backup/VPX_3000.lic /nsconfig/license/
root@NS10_HA1 # exit
...
root@NS10_HA2 # cp /var/license_backup/VPX_3000.lic /nsconfig/license/
root@NS10_HA2 # exit
Page 81
30. Before rebooting, save your configuration, then reboot both nodes.
> save ns config
> reboot -warm
NOTE: You can safely ignore any warnings regarding the configuration not being changed.
31. When both NetScalers come back online, verify the correct license was applied on both nodes.
> show license | grep Model
Model Number ID: 3000
>
32. From the Windows 7 workstation, run the web-app installer again. The installation will now complete successfully.
IMPORTANT: Remember to overwrite the config.php for the installer to run again. Please refer to step 27.
Page 82
33. After completing the install, skip the registration process and test the web app. Remember to use the admin credentials supplied before:
U: admin
P: netscaler
END OF EXERCISE
Page 83
Summary
Key Takeaways
The key takeaways for this exercise are:
- Depending on the platform license installed on the system, different SQL rate limits apply to DataStream connections. The following table summarizes the limits:
Platform                    SQL rate limit
Up to VPX 1000              200 RPS
VPX 3000 - VPX 8000         No limit
MPX 5500 - MPX 9500         1000 RPS
MPX/SDX 10500 and higher    No limit
- The system log will include additional information when this error condition occurs. Additionally, SNMP alerts can be configured to notify the administrator when the limit is reached.
Page 84
Module 6 - Exercise 3: Database Responder
Overview
DataStream is a new feature introduced in NetScaler version 9.3. It allows the NetScaler to operate as a
proxy between the application and database servers to provide load balancing and content switching
functionality.
In this exercise, we will cover the new database responder configuration. The student will learn how to
leverage this feature to provide an additional layer of control for SQL server deployments. Using database
responder, the NetScaler can act on certain conditions and generate a custom response to the connecting
client. These responses can be user defined (OK packet, Error packet) or a connection reset.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. Apache_MySQL_1: (GENTOO_1)
2. NetScaler VPX appliance: (NS10_HA1)
3. NetScaler VPX appliance: (NS10_HA2)
4. Windows 7 Workstation: (Win7Client)
Estimated time to complete this lab: 20 minutes.
1. Log on to the primary node (NS10_HA1) and verify the following feature is enabled on the NetScaler appliance:
- Responder
> enable ns feature Responder
2. Create a responder action and policy to prevent someone from dropping a database. The policy matches on the query's command keyword, so DROP DATABASE and DROP TABLE are both caught, while a query that merely mentions "drop" in a string literal is not.
> add responder action prevent_drop_database sqlresponse_error "This is a destructive operation. Database was NOT modified"
> add responder policy prevent_drop_database_pol "MYSQL.REQ.QUERY.COMMAND.CONTAINS(\"drop\")" prevent_drop_database
3. Bind it to the virtual server.
> bind lb vserver MYSQL_vserver -policyName prevent_drop_database_pol -priority 100
Page 85
4. Save your configuration.
> save ns config
5. OPTIONAL: If an existing connection to MySQL is present, please make sure that you exit.
mysql> exit
Bye
gentoo_3 ~ #
6. From Apache_MySQL_3 (GENTOO_3), connect to the MySQL virtual server and attempt to drop a database.
Reminder: The NetScaler db user credentials are:
U: netscalersql
P: netscaler
gentoo_3 ~ # mysql -h 192.168.10.218 -u netscalersql -p
Enter password:
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| imdb               |
| mysql              |
| sugarcrm           |
| test               |
+--------------------+
8 rows in set (0.00 sec)
mysql> drop database test;
ERROR 6001 (RESAC): This is a destructive operation. Database was NOT modified
mysql>
7. Dropping a database through the VIP is refused by the responder policy, and the policy cannot be bypassed by going around the NetScaler: attempting to connect to the backend MySQL server (GENTOO_1) directly fails, because only the NetScaler SNIP is allowed to connect to the MySQL servers.
mysql> exit
Bye
gentoo_3 ~ # mysql -h 192.168.10.13 -u netscalersql -p
Enter password:
ERROR 1130 (HY000): Host '192.168.10.15' is not allowed to connect to this MySQL server
gentoo_3 ~ #
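The responder policy from this exercise, modeled in Python as an added example (not NetScaler code and not from the lab guide). query_command() stands in for MYSQL.REQ.QUERY.COMMAND by taking the first keyword of the statement after leading whitespace and comments; prevent_drop_database() stands in for the sqlresponse_error action and returns the error the client saw in step 6. The lab does not say how the appliance normalizes case, so the model lowercases the keyword; verify on the appliance whether upper-case DROP is caught, and add SET_TEXT_MODE(IGNORECASE) to the expression if it is not. text_policy_matches() shows, for contrast, what a policy on QUERY.TEXT would do. All sample queries are constructed here.

```python
"""Model of the prevent_drop_database responder policy.

Added example, not NetScaler code. Case normalization and comment
skipping are assumptions about MYSQL.REQ.QUERY.COMMAND; check them on
the appliance.
"""
import re

# What the client saw in the lab: ERROR 6001 (RESAC): <message>
RESAC_ERROR = (6001, "RESAC", "This is a destructive operation. Database was NOT modified")

# Leading comment forms MySQL accepts: /* ... */, -- to end of line, # to end of line
_LEADING_COMMENT = re.compile(r"^\s*(?:/\*.*?\*/|--[^\n]*(?:\n|$)|#[^\n]*(?:\n|$))", re.S)
_KEYWORD = re.compile(r"\s*([A-Za-z_]+)")


def query_command(sql: str) -> str:
    """Model of MYSQL.REQ.QUERY.COMMAND: first keyword of the statement, lowercased."""
    text = sql
    while True:
        m = _LEADING_COMMENT.match(text)
        if not m:
            break
        text = text[m.end():]          # skip a leading comment and try again
    m = _KEYWORD.match(text)
    return m.group(1).lower() if m else ""


def prevent_drop_database(sql: str):
    """The sqlresponse_error action: answer with an error packet instead of forwarding.

    Returns ("error", RESAC_ERROR) when the policy matches, else ("forward", sql).
    """
    if "drop" in query_command(sql):   # MYSQL.REQ.QUERY.COMMAND.CONTAINS("drop")
        return ("error", RESAC_ERROR)
    return ("forward", sql)


def text_policy_matches(sql: str) -> bool:
    """What MYSQL.REQ.QUERY.TEXT.CONTAINS("drop") would do: substring of the whole query."""
    return "drop" in sql


if __name__ == "__main__":
    for q in ("drop database test;",
              "/* cleanup */ DROP TABLE actors",
              "select * from movies where name = 'dropbox'",
              "show databases;"):
        print(f"{q!r:55} -> {prevent_drop_database(q)[0]}")
```

The last two sample queries are the reason to match on the command rather than the full query text: a TEXT policy would block a harmless SELECT that contains the word in a string literal, while a COMMAND policy only looks at what the statement does. The reverse caveat is that COMMAND sees one statement at a time, so the policy does nothing about a DROP that is issued inside a stored procedure already on the server.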
END OF EXERCISE
Page 86
Summary
Key Takeaways
The key takeaways for this exercise are:
- Database responder can be used to enforce policy on certain database operations.
- OK/Error packets or connection resets are the possible actions that can be configured.
- DB responder policies can also be used in conjunction with SQL auditing or Stream Analytics to collect information about the operations or traffic flows traversing the NetScaler. We will look at SQL auditing and Stream Analytics for SQL in a later exercise.
Module 6 - Exercise 4: Token Load Balancing
and Audit Log for SQL
Overview
The new NetScaler 10 release extends the power and capabilities of DataStream with token-based load
balancing of SQL queries for more flexible scaling strategies, and with advanced caching of SQL responses
to improve database server efficiency and increase application responsiveness. NetScaler 10 also adds full
AppFlow support for DataStream traffic so that performance monitoring and business intelligence tools
now have visibility deep into the application stack for richer monitoring, tracking and troubleshooting of
both web and data based traffic.
In this exercise we will explore the new load balancing options for SQL traffic. With NetScaler 10, it is now possible to load balance SQL requests based on parameters found in the SQL traffic. With the TOKEN LB method, the load balancing decision can be based on SQL attributes such as database name, connecting user, query type, character set, and others.
We will configure a few example rules for token load balancing and verify how traffic flows to backend services depending on the SQL attributes included in the request. Additionally, we will use the SQL audit log to understand why certain operations fail and take appropriate corrective actions.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. Linux Server 1: Apache_MySQL_1 (GENTOO_1)
2. Linux Server 2: Apache_MySQL_2 (GENTOO_2)
3. NetScaler VPX appliance: (NS10_HA1)
4. NetScaler VPX appliance: (NS10_HA2)
5. Windows 7 Workstation: (Win7Client)
Estimated time to complete this lab: 30 minutes.
Page 88
1. Connect to the NetScaler primary node (NS10_HA1) and verify the services bound to the MYSQL virtual server. If you have completed the previous exercises, one service should be bound.
> show lb vserver MYSQL_vserver
2. In order to illustrate SQL token load balancing, bind a second MySQL service to the virtual server. Make sure the MySQL services for both Apache_MySQL_1 (GENTOO_1) and Apache_MySQL_2 (GENTOO_2) are bound to the virtual server.
> bind lb vserver MYSQL_vserver GENTOO_2_MYSQL_TCP_3306
3. Set the load balancing method to TOKEN on the MYSQL virtual server. Specify a rule to load balance on the database name requested by the client.
> set lb vserver MYSQL_vserver -lbMethod TOKEN -rule MYSQL.CLIENT.DATABASE
Page 89
4. The "imdb" and "test" databases, as well as sample data, have been replicated to Apache_MySQL_1 (GENTOO_1) and Apache_MySQL_2 (GENTOO_2). This is common in master/slave scale-out deployments where multiple backend servers have the same database set.
On Apache_MySQL_1 and Apache_MySQL_2, connect to localhost using the MySQL client. Verify that the databases are present on each server. Since only the root account has access locally, use the following credentials for the localhost connection:
U: root
P: Citrix123
gentoo_1 ~ # mysql -u root -p
Enter password:
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| imdb               |
| mysql              |
| test               |
+--------------------+
4 rows in set (0.00 sec)
mysql> quit
gentoo_1 ~ #
gentoo_2 ~ # mysql -u root -p
Enter password:
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| imdb               |
| mysql              |
| test               |
+--------------------+
4 rows in set (0.00 sec)
mysql> quit
gentoo_2 ~ #
Page 90
5. Switch to NS10_HA1. In order to verify that connections are correctly load balanced using the TOKEN (in our example, TOKEN = DB name), complete the following three items before attempting to connect to the MySQL virtual server:
1. Record the number of requests serviced by each MySQL service currently bound to the MYSQL virtual server:
> stat lb vserver MYSQL_vserver
2. To avoid monitor traffic from being captured, change the monitor bound to each MySQL service to PING:
> bind lb monitor ping GENTOO_1_MYSQL_TCP_3306
> unbind lb monitor TCP GENTOO_1_MYSQL_TCP_3306
> bind lb monitor ping GENTOO_2_MYSQL_TCP_3306
> unbind lb monitor TCP GENTOO_2_MYSQL_TCP_3306
3. On the NetScaler, start a tcpdump capture with a filter so that only traffic to Server 1 or Server 2 on TCP port 3306 is displayed:
> shell
# nstcpdump.sh "(host 192.168.10.13 or host 192.168.10.14) and tcp port 3306"
Page 91
6. Using the MySQL client on Server 3 (GENTOO_3), connect to the MySQL virtual server and specify imdb as the initial database on the connection string (use the -D flag). Upon connecting, show the tables to generate additional traffic.
Reminder: The NetScaler database user credentials are:
U: netscalersql
P: netscaler
gentoo_3 ~ # mysql -h 192.168.10.218 -u netscalersql -p -D imdb
Enter password:
mysql> show tables;
+------------------+
| Tables_in_imdb   |
+------------------+
| actors           |
| directors        |
| directors_genres |
| movies           |
| movies_directors |
| movies_genres    |
| roles            |
+------------------+
7 rows in set (0.00 sec)
mysql>
7. Go back to the NetScaler and observe the traffic generated. Record the destination IP the NetScaler selected for this database connection (imdb).
...
15:06:06.606675 IP 192.168.10.90.13528 > 192.168.10.14.3306: S 2713304997:2713304997(0) win 8190 <mss 1460>
15:06:06.607145 IP 192.168.10.14.3306 > 192.168.10.90.13528: S 4113526022:4113526022(0) ack 2713304998 win 14600 <mss 1460>
15:06:06.607152 IP 192.168.10.90.13528 > 192.168.10.14.3306: . ack 1 win 8190
...
Page 92
8. Switch to the Windows 7 workstation (Win7Client) and open an SSH session using PuTTY to 192.168.10.220 as nsroot / nsroot. Execute the same stat command as in step 5.1.
> stat lb vserver MYSQL_vserver
Record the number of hits. Which counters were incremented? Does it correspond to the service the NetScaler selected as shown in the tcpdump?
9. From Server 3 (GENTOO_3), exit the current MySQL session and attempt a new connection. This time, specify a different database (use the -D flag to select the "test" database). In order to generate traffic, execute a "show tables" command.
mysql> quit
Bye
gentoo_3 ~ #
gentoo_3 ~ # mysql -h 192.168.10.218 -u netscalersql -p -D test
Enter password:
mysql> show tables;
Empty set (0.00 sec)
mysql>
Page 93
Step 10. Go back to the running TCPDUMP on the NetScaler. Was a new destination IP
selected?

...
15:36:07.661822 IP 192.168.10.90.27186 > 192.168.10.13.3306: S 2774921287:2774921287(0) win 8190 <mss 1460>
15:36:07.662289 IP 192.168.10.13.3306 > 192.168.10.90.27186: S 2062305485:2062305485(0) ack 2774921288 win 14600 <mss 1460>
15:36:07.662298 IP 192.168.10.90.27186 > 192.168.10.13.3306: . ack 1 win 8190
...
Step 11. Go back to Server 3 and disconnect and reconnect using the same database.

mysql> quit
Bye
gentoo_3 ~ #
gentoo_3 ~ # mysql -h 192.168.10.218 -u netscalersql -p -D test
Enter password:
mysql> show tables;
Empty set (0.00 sec)
mysql>

Step 12. Go back to the NetScaler and inspect the TCPDUMP. Was the connection sent to the
same backend service?

Step 13. Go back to the Windows 7 workstation and execute the same STAT command as in
step 5.1. Record the number of hits. Which counters were incremented? Does it correspond
to the service the NetScaler selected as shown in the TCPDUMP?

> stat lb vserver MYSQL_vserver
Step 14. On the MYSQL virtual server, change the TOKEN rule to MYSQL.CLIENT.USER.

> set lb vserver MYSQL_vserver -rule "MYSQL.CLIENT.USER"

Step 15. Create a new DB user for the "root" account.

> add db user root -password Citrix123

Step 16. From Server 3 (GENTOO_3), attempt to connect to the MYSQL virtual server using
the "root" account.

gentoo_3 ~ # mysql -h 192.168.10.218 -u root -p -D test
Enter password:
mysql>

Step 17. From the same session on Server 3, attempt to display the tables for the selected
database. Why is it failing?

gentoo_3 ~ # mysql -h 192.168.10.218 -u root -p -D imdb
Enter password:
mysql> show tables;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    99
Current database: test
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    100
Current database: test
ERROR 2006 (HY000): MySQL server has gone away
mysql>
Step 18. Inspect the NetScaler syslog. Are there any relevant messages for the failed
connection? What is likely the problem?

> shell
NS10_HA1 # tail -f /var/log/ns.log
...
Mar 18 16:00:46 <local0.info> 192.168.10.220 03/18/2012:16:00:46 GMT NS10_HA1 0-PPE-0 : DB Message 1355 0 : "MYSQL_CS_CONN_ESTD: Username:root DBname:test ConnID:258863 Src_ip: 192.168.10.15 Dst_ip: 192.168.10.217"
Mar 18 16:00:46 <local0.info> 192.168.10.220 03/18/2012:16:00:46 GMT NS10_HA1 0-PPE-0 : DB Message 1356 0 : "MYSQL_SS_LOGIN_REQ_SENT: Username:root DBname:test ConnID:258873 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.14"
Mar 18 16:00:46 <local0.err> 192.168.10.220 03/18/2012:16:00:46 GMT NS10_HA1 0-PPE-0 : DB Message 1357 0 : "MYSQL_CS_CONN_RESET: SERVERSIDE_LOGIN_FAILED ConnID:258873"
Mar 18 16:00:46 <local0.err> 192.168.10.220 03/18/2012:16:00:46 GMT NS10_HA1 0-PPE-0 : DB Message 1358 0 : "MYSQL_SS_LOGIN_ERR: SERVERSIDE_LOGIN_FAILED ConnID:258873 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.14"
...

The client-side connection (MYSQL_CS_CONN_ESTD) is accepted because the "root" DB user now
exists on the NetScaler, but the server-side login that the NetScaler then attempts from
its own address 192.168.10.90 to 192.168.10.14 fails (SERVERSIDE_LOGIN_FAILED): the MySQL
servers do not allow root to authenticate from that address with that password, so the
NetScaler resets the client connection.

Step 19. On Apache_MySQL_1 (GENTOO_1) and Apache_MySQL_2 (GENTOO_2), grant the root user
ALL privileges when connecting from the NetScaler address 192.168.10.90, which is the
source address of every server-side connection in the log above. Use the query below.
NOTE: Perform this operation on Server 1 AND Server 2.
Note that the grant is scoped to the NetScaler's address rather than to '%' (any host); a
root account reachable from any host is a common misconfiguration, and outside a lab a
dedicated, least-privileged account should be used in place of root.

gentoo_1 ~ # mysql -p
Enter password:
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.10.90' IDENTIFIED BY 'Citrix123' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye
Step 20. From Apache_MySQL_3 (GENTOO_3), exit from the previous MySQL session and establish
a new connection to the MYSQL virtual server using the "root" account and the database
IMDB.

mysql> quit
Bye
gentoo_3 ~ # mysql -h 192.168.10.218 -u root -p -D imdb
Enter password:
mysql> show tables;
+------------------+
| Tables_in_imdb   |
+------------------+
| actors           |
| directors        |
| directors_genres |
| movies           |
| movies_directors |
| movies_genres    |
| roles            |
+------------------+
7 rows in set (0.00 sec)
mysql>

Step 21. Inspect the NetScaler syslog. Are there any messages relevant to the new
connection request? Was it successful?

...
03/18/2012:16:09:33 GMT NS10_HA1 0-PPE-0 : DB Message 1368 0 : "MYSQL_CS_CONN_ESTD: Username:root DBname:imdb ConnID:259618 Src_ip: 192.168.10.15 Dst_ip: 192.168.10.217"
Mar 18 16:09:33 <local0.info> 192.168.10.220 03/18/2012:16:09:33 GMT NS10_HA1 0-PPE-0 : DB Message 1369 0 : "MYSQL_SS_LOGIN_REQ_SENT: Username:root DBname:imdb ConnID:259617 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.14"
Mar 18 16:09:33 <local0.info> 192.168.10.220 03/18/2012:16:09:33 GMT NS10_HA1 0-PPE-0 : DB Message 1370 0 : "MYSQL_SS_CONN_ESTD: Username:root DBname:imdb ConnID:259617 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.14"
...
Step 22. Stop any existing TCPDUMP process with CTRL + C. Refer to step 5.3. In order to
verify the new TOKEN load balancing rule, start a TCPDUMP capture on the NetScaler using
the previously used filter (see the command below).

# nstcpdump.sh "(host 192.168.10.13 or host 192.168.10.14) and tcp port 3306"

Step 23. From Apache_MySQL_3, quit any MySQL session and reconnect to the MYSQL virtual
server using the "root" user.
U: root
P: Citrix123

mysql> quit
Bye
gentoo_3 ~ # mysql -h 192.168.10.218 -u root -p
Enter password:
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| imdb               |
| mysql              |
| test               |
+--------------------+
4 rows in set (0.00 sec)
mysql>

Step 24. On the NetScaler, record the destination IP for the service selected.

...
16:52:59.895522 IP 192.168.10.90.11151 > 192.168.10.13.3306: P 1334893306:1334893343(37) ack 2712746205 win 14600
16:52:59.895989 IP 192.168.10.13.3306 > 192.168.10.90.11151: P 1:97(96) ack 37 win 14600
16:53:00.136004 IP 192.168.10.90.11151 > 192.168.10.13.3306: . ack 97 win 8190
...
Step 25. On Apache_MySQL_3 (GENTOO_3) quit the existing connection. Start a new one using
the netscalersql user.
U: netscalersql
P: netscaler

mysql> quit
gentoo_3 ~ # mysql -h 192.168.10.218 -u netscalersql -p

Step 26. On the same server (GENTOO_3), quit and start a new connection to the MYSQL
virtual server using the root user. Compare the destination IP on the TCPDUMP output for
both connections.

mysql> quit
gentoo_3 ~ # mysql -h 192.168.10.217 -u root -p

Step 27. Inspect the ns.log for the relevant entries generated by the two previous
connections. Does the information correlate to what was observed in the TCPDUMP output?

Mar 18 17:25:28 <local0.info> 192.168.10.220 03/18/2012:17:25:28 GMT NS10_HA1 0-PPE-0 : DB Message 385 0 : "MYSQL_SS_LOGIN_REQ_SENT: Username:netscalersql DBname:test ConnID:12579 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.13"
Mar 18 17:25:28 <local0.info> 192.168.10.220 03/18/2012:17:25:28 GMT NS10_HA1 0-PPE-0 : DB Message 386 0 : "MYSQL_SS_CONN_ESTD: Username:netscalersql DBname:test ConnID:12579 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.13"
...
Mar 18 17:30:45 <local0.info> 192.168.10.220 03/18/2012:17:30:45 GMT NS10_HA1 0-PPE-0 : DB Message 388 0 : "MYSQL_SS_LOGIN_REQ_SENT: Username:root DBname:test ConnID:13049 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.14"
Mar 18 17:30:45 <local0.info> 192.168.10.220 03/18/2012:17:30:45 GMT NS10_HA1 0-PPE-0 : DB Message 389 0 : "MYSQL_SS_CONN_ESTD: Username:root DBname:test ConnID:13049 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.14"
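The following is an added example for the audit log steps (18, 21 and 27); it is not code from the Citrix lab guide. It parses the "DB Message" entries that NetScaler writes to ns.log, groups the server-side (MYSQL_SS_*) events by ConnID and reports, per connection, the user, the backend that the token rule selected and whether the server-side login failed, which is the correlation the exercise asks you to do by eye. The sample lines are the ones printed in the steps above, re-joined onto single lines; the regular expressions and the event names they key on are taken from those lines only, so other DB Message types would need their own handling. The client-side ConnID (CS) and server-side ConnID (SS) differ in the log, and the page shows no mapping between them, so the example does not try to link the two.

```python
"""Correlate NetScaler DataStream audit entries from ns.log (added example, not lab code)."""
import re
from collections import defaultdict

# Lines copied from the lab's ns.log output (steps 18 and 27), joined onto single lines.
SAMPLE_LOG = """\
Mar 18 16:00:46 <local0.info> 192.168.10.220 03/18/2012:16:00:46 GMT NS10_HA1 0-PPE-0 : DB Message 1355 0 : "MYSQL_CS_CONN_ESTD: Username:root DBname:test ConnID:258863 Src_ip: 192.168.10.15 Dst_ip: 192.168.10.217"
Mar 18 16:00:46 <local0.info> 192.168.10.220 03/18/2012:16:00:46 GMT NS10_HA1 0-PPE-0 : DB Message 1356 0 : "MYSQL_SS_LOGIN_REQ_SENT: Username:root DBname:test ConnID:258873 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.14"
Mar 18 16:00:46 <local0.err> 192.168.10.220 03/18/2012:16:00:46 GMT NS10_HA1 0-PPE-0 : DB Message 1357 0 : "MYSQL_CS_CONN_RESET: SERVERSIDE_LOGIN_FAILED ConnID:258873"
Mar 18 16:00:46 <local0.err> 192.168.10.220 03/18/2012:16:00:46 GMT NS10_HA1 0-PPE-0 : DB Message 1358 0 : "MYSQL_SS_LOGIN_ERR: SERVERSIDE_LOGIN_FAILED ConnID:258873 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.14"
Mar 18 17:25:28 <local0.info> 192.168.10.220 03/18/2012:17:25:28 GMT NS10_HA1 0-PPE-0 : DB Message 385 0 : "MYSQL_SS_LOGIN_REQ_SENT: Username:netscalersql DBname:test ConnID:12579 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.13"
Mar 18 17:25:28 <local0.info> 192.168.10.220 03/18/2012:17:25:28 GMT NS10_HA1 0-PPE-0 : DB Message 386 0 : "MYSQL_SS_CONN_ESTD: Username:netscalersql DBname:test ConnID:12579 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.13"
Mar 18 17:30:45 <local0.info> 192.168.10.220 03/18/2012:17:30:45 GMT NS10_HA1 0-PPE-0 : DB Message 388 0 : "MYSQL_SS_LOGIN_REQ_SENT: Username:root DBname:test ConnID:13049 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.14"
Mar 18 17:30:45 <local0.info> 192.168.10.220 03/18/2012:17:30:45 GMT NS10_HA1 0-PPE-0 : DB Message 389 0 : "MYSQL_SS_CONN_ESTD: Username:root DBname:test ConnID:13049 Src_ip: 192.168.10.90 Dst_ip: 192.168.10.14"
"""

# syslog priority, then the quoted DB Message body split into event name and the rest
DB_MSG_RE = re.compile(
    r'<(?P<pri>[\w.]+)> .*? : DB Message (?P<msgid>\d+) \d+ : "(?P<event>\w+):\s*(?P<rest>[^"]*)"'
)
# key:value pairs inside the body; the log mixes "Username:root" and "Src_ip: 1.2.3.4" spacing
FIELD_RE = re.compile(r"(\w+):\s*(\S+)")


def parse_db_messages(log_text: str) -> list:
    """Return one dict per DB Message line: event, reason (if any) and the key/value fields."""
    events = []
    for line in log_text.splitlines():
        m = DB_MSG_RE.search(line)
        if not m:
            continue
        rest = m.group("rest")
        tokens = rest.split()
        # a leading bare word such as SERVERSIDE_LOGIN_FAILED is the failure reason
        reason = tokens[0] if tokens and ":" not in tokens[0] else None
        fields = dict(FIELD_RE.findall(rest))
        events.append({"pri": m.group("pri"), "msgid": int(m.group("msgid")),
                       "event": m.group("event"), "reason": reason, **fields})
    return events


def server_side_connections(events: list) -> dict:
    """Group MYSQL_SS_* events by ConnID: user, database, selected backend and outcome."""
    conns = {}
    for e in events:
        if not e["event"].startswith("MYSQL_SS_"):
            continue
        c = conns.setdefault(e["ConnID"], {"user": None, "db": None, "backend": None,
                                           "status": "pending"})
        c["user"] = e.get("Username", c["user"])
        c["db"] = e.get("DBname", c["db"])
        c["backend"] = e.get("Dst_ip", c["backend"])
        if e["event"] == "MYSQL_SS_CONN_ESTD":
            c["status"] = "established"
        elif e["event"] == "MYSQL_SS_LOGIN_ERR":
            c["status"] = "failed:" + (e["reason"] or "unknown")
    return conns


def failed_logins(events: list) -> dict:
    """Server-side connections whose login to the backend was refused (step 18 symptom)."""
    return {cid: c for cid, c in server_side_connections(events).items()
            if c["status"].startswith("failed")}


def backends_by_user(events: list) -> dict:
    """Backends each user was sent to; with -rule MYSQL.CLIENT.USER expect one IP per user."""
    result = defaultdict(set)
    for c in server_side_connections(events).values():
        if c["backend"]:
            result[c["user"]].add(c["backend"])
    return dict(result)


if __name__ == "__main__":
    evs = parse_db_messages(SAMPLE_LOG)
    for cid, c in server_side_connections(evs).items():
        print(cid, c)
    print("failed logins:", sorted(failed_logins(evs)))
    print("backends by user:", backends_by_user(evs))
```

Run against a live appliance with `tail -f /var/log/ns.log` piped into this parser, a user that suddenly maps to more than one backend, or a burst of SERVERSIDE_LOGIN_FAILED entries for an account that normally succeeds, is the kind of condition worth alerting on.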
END OF EXERCISE
Summary
Key Takeaways
The key takeaways for this exercise are:
• NetScaler 10 offers a new TOKEN load balancing method for MYSQL virtual servers.
• Multiple rules can be used to distribute the load between bound services depending on
certain connection attributes.
• The audit log can be used to troubleshoot SQL connectivity issues.
NOTES
Leveraging TOKEN load balancing for SQL traffic, the administrator can tailor the load
balancing rules to closely match the traffic type carried by the virtual server. Using more
specific connection attributes of the SQL connections, the administrator has more control
over the traffic distribution.
Module 6 - Exercise 5: SQL Caching
Overview
NetScaler 10 extends the integrated caching feature set to include support for SQL traffic. In conjunction
with the DataStream capabilities introduced in NetScaler 9.3, the integrated caching engine can now cache
result sets and serve them from memory. Similar to HTTP caching, SQL caching provides mechanisms to cache
or invalidate result sets depending on certain conditions.
In this exercise, we will explore the different options for caching common SQL queries. We will measure
the before and after effects of caching result sets for these CPU intensive operations and observe the
improvement of the SQL tier for web applications that rely on such data. Additionally, we will explore
common methods for invalidating existing cached objects if the underlying data is modified, so that the
cache never serves a result set that no longer matches the database.
Step-by-step guidance
The lab environment required for this exercise is as follows:
1. Linux Server 1: Apache_MySQL_1 (GENTOO_1)
2. Linux Server 3: Apache_MySQL_3 (GENTOO_3)
3. NetScaler VPX appliance: NS10_HA1
4. Windows 7 Workstation: (Win7Client)
Estimated time to complete this lab: 20 minutes.
Step 1. From the Windows 7 workstation, connect via SSH (Putty) to the NetScaler primary
node (NS10_HA1). To simplify the configuration, verify that only 1 service is bound to the
MYSQL virtual server. If more than 1 service is bound, unbind the necessary services so
that only the binding GENTOO_1_MYSQL_TCP_3306 is present:

> sh lb vserver MYSQL_vserver
> unbind lb vserver MYSQL_vserver GENTOO_2_MYSQL_TCP_3306
Step 2. From the same workstation (Win7Client), open another SSH (Putty) session to
Apache_MySQL_3 (GENTOO_3). Connect to the MYSQL virtual server using the following
credentials:
U: netscalersql
P: netscaler
Display the tables in the IMDB database to verify connectivity.

gentoo_3 ~ # mysql -h 192.168.10.218 -u netscalersql -p -D imdb
Enter password:
mysql> show tables;
+------------------+
| Tables_in_imdb   |
+------------------+
| actors           |
| directors        |
| directors_genres |
| movies           |
| movies_directors |
| movies_genres    |
| roles            |
+------------------+
7 rows in set (0.00 sec)
mysql>
Step 3. Execute a CPU intensive query. The IMDB database contains a SQL dump of the
information available in the International Movie Database. As an exercise, write a query
to find the movies where the director also played an acting role, or use the query
provided below.
This step will take a long time to execute. Please continue to step 4 while it runs.

mysql> select distinct a.first_name, a.last_name, m.name FROM actors AS a
INNER JOIN roles AS r ON a.id = r.actor_id INNER JOIN movies AS m ON
r.movie_id = m.id INNER JOIN movies_directors AS md ON m.id = md.movie_id
INNER JOIN directors AS d ON md.director_id = d.id WHERE
CONCAT(a.first_name,a.last_name) = CONCAT(d.first_name,d.last_name);
Step 4. While the query executes, log on to Apache_MySQL_1 (GENTOO_1) using the console or
SSH, and inspect the CPU utilization. Note the value for the MySQL daemon. You can use the
command "top" to display this information.

Step 5. On Apache_MySQL_3, inspect the amount of time the query took to execute.

Step 6. In our example, SELECT queries are good candidates for caching as they only read
information contained in the database. We will configure the NetScaler to cache all
responses to SELECT queries. First enable the Integrated Caching feature.

> enable ns feature IC

Step 7. Set a memory limit for the caching module. In our example, we allocate 1 GB of
memory for caching.

> set cache parameter -memLimit 1024

Step 8. Then create a MYSQL content group with a relative expiry of 500 seconds and define
the minimum and maximum response size as 500 and 1024 KB respectively.

> add cache contentGroup MYSQL -relExpiry 500 -minResSize 500 -maxResSize 1024 -type MYSQL

Step 9. Create a cache policy for SELECT statements with a CACHE action.

> add cache policy cache_select_queries -rule "MYSQL.REQ.QUERY.COMMAND.CONTAINS(\"select\")" -action CACHE -storeInGroup MYSQL
Step 10. Bind the policy to the MYSQL virtual server. Did it succeed? What is likely the
problem?

> bind lb vserver MYSQL_vserver -policyName cache_select_queries -priority 100 -type REQUEST

Step 11. Since SQL cache policies require a HIT selector to successfully cache objects,
define a HIT selector that looks for the SQL query text.

> add cache selector cache_selector1 MYSQL.REQ.QUERY.TEXT

Keep in mind what this selector does: the cache key is the query text alone, so two
connections that send the same query text are served the same stored result set regardless
of the user or database they were opened with. On a virtual server shared by users with
different privileges, add expressions such as MYSQL.CLIENT.USER and MYSQL.CLIENT.DATABASE
to the selector so that a cached result set is only served to connections for which it was
originally fetched.

Step 12. Select this cache selector in the MYSQL content group hit selector list.

> set contentGroup MYSQL -hitSelector cache_selector1

Step 13. Then bind the cache policy previously created.

> bind lb vserver MYSQL_vserver -policyName cache_select_queries -priority 100 -type REQUEST

Step 14. Verify there are no objects cached in the content group. Nothing should be
displayed.

> show cacheObjects

Step 15. On the SSH session to Apache_MySQL_3 (GENTOO_3), run the same query as in step 3.

mysql> select distinct a.first_name, a.last_name, m.name FROM actors AS a
INNER JOIN roles AS r ON a.id = r.actor_id INNER JOIN movies AS m ON
r.movie_id = m.id INNER JOIN movies_directors AS md ON m.id = md.movie_id
INNER JOIN directors AS d ON md.director_id = d.id WHERE
CONCAT(a.first_name,a.last_name) = CONCAT(d.first_name,d.last_name);

Step 16. Go back to NS10_HA1. Since this is the first time we execute this query after
creating the IC configuration, the amount of time for this query to execute should be
similar as before. Display the cached objects to verify the result set has been cached.

> show cacheObjects
0x0000000999bb00000000 MYSQL SQL ?_1=select distinct a.first_name, a.last_name, m.name FROM actors AS a INNER JOIN roles AS r ON a.id = r.actor_id INNER JOIN movies AS m ON r.movie_id = m.id INNER JOIN movies_directors AS md ON m.id = md.movie_id INNER JOIN directors AS d ON md.director_id =
Done
>
Step 17. Note the time it took to execute.

Step 18. Now run the query again. The results should start appearing instantly. Note the
execution time.

Step 19. There is one problem with this configuration: the content group has been defined
to cache objects for 500 seconds. If the data is modified within that window, the cached
result set is incorrect.

> show contentgroup MYSQL
Name: MYSQL
Type: MYSQL
Relative expiry time: 500 secs

Step 20. To illustrate this, we will alter one of the tables in the database. First,
modify the minimum response size to 0 KB (to cache ALL responses). In practice, avoid
setting the content group to 0 as this caches empty result sets.

> set contentGroup MYSQL -minResSize 0

Step 21. On Apache_MySQL_3, execute a simple select statement for it to be cached.

mysql> select * from actors where actors.last_name = "Stooge";
Empty set (0.00 sec)
mysql>
Step 22. Next, insert some values into the actors table.

mysql> insert into actors values ("999999","Moe","Stooge","M");
Query OK, 1 row affected (0.00 sec)
mysql> insert into actors values ("999998","Larry","Stooge","M");
Query OK, 1 row affected (0.04 sec)

Step 23. Execute the same select query (refer to step 21). Since the cached object is
empty and it is still valid, the NetScaler serves the result from cache.

mysql> select * from actors where actors.last_name = "Stooge";
Empty set (0.00 sec)
mysql>

Step 24. Return to NS10_HA1. To alleviate this problem, we can configure an INVAL policy.
Any time a modification is requested, the NetScaler can invalidate the objects in the
content group. Create a new cache policy to identify any modification operation and use an
INVAL action on the objects in the content group.

> add cache policy invalidate_when_modified -rule "MYSQL.REQ.QUERY.COMMAND.CONTAINS(\"insert\") || MYSQL.REQ.QUERY.COMMAND.CONTAINS(\"delete\") || MYSQL.REQ.QUERY.COMMAND.CONTAINS(\"alter\")" -action INVAL -invalObjects MYSQL

Note that the rule as written only matches INSERT, DELETE and ALTER. UPDATE, REPLACE,
TRUNCATE and DROP statements also change the data but would not invalidate the group, so a
cached result set would stay stale until the 500 second expiry; in practice extend the rule
to cover every statement that can modify the tables behind the cached queries.

Step 25. Bind this policy to the MYSQL virtual server.

> bind lb vserver MYSQL_vserver -policyName invalidate_when_modified -priority 110 -type REQUEST

Step 26. Flush the objects in cache.

> flush contentGroup MYSQL
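The following is an added example for the caching and invalidation steps above (steps 9 to 26); it is not code from the Citrix lab guide. It models the content group, the CACHE policy and the INVAL policy in Python, with an in-memory sqlite3 table standing in for the MySQL backend, and shows why the INVAL rule as written (insert, delete, alter) still leaves a stale result set behind after an UPDATE while an extended rule does not. Modelling assumptions: MYSQL.REQ.QUERY.COMMAND is taken to be the first keyword of the query, CONTAINS is treated as a substring test on that lower-cased keyword, and the hit selector MYSQL.REQ.QUERY.TEXT keys the group on the full query text only. Expiry and the response size limits are not modelled.

```python
"""Model of SQL integrated caching with CACHE and INVAL policies (added example, not lab code)."""
import sqlite3

LAB_INVAL_COMMANDS = ("insert", "delete", "alter")                     # rule from step 24
EXTENDED_INVAL_COMMANDS = LAB_INVAL_COMMANDS + ("update", "replace", "truncate", "drop")


def query_command(query: str) -> str:
    """Model of MYSQL.REQ.QUERY.COMMAND: first keyword of the query, lower-cased (assumption)."""
    return query.strip().split(None, 1)[0].lower()


class SqlCacheProxy:
    """Integrated-caching model: CACHE policy for selects, INVAL policy for writes."""

    def __init__(self, conn: sqlite3.Connection, inval_commands):
        self.conn = conn                    # the backend database
        self.inval_commands = inval_commands
        self.group = {}                     # content group MYSQL: hit-selector key -> rows
        self.backend_queries = 0            # how often the backend actually did the work

    def execute(self, query: str) -> list:
        cmd = query_command(query)
        if any(word in cmd for word in self.inval_commands):   # INVAL policy: flush the group
            self.group.clear()
        cacheable = "select" in cmd                            # CACHE policy from step 9
        key = query                                            # hit selector: MYSQL.REQ.QUERY.TEXT
        if cacheable and key in self.group:
            return self.group[key]                             # served from cache
        self.backend_queries += 1
        rows = self.conn.execute(query).fetchall()
        self.conn.commit()
        if cacheable:
            self.group[key] = rows
        return rows


def fresh_actors_table() -> sqlite3.Connection:
    """Constructed stand-in for the imdb.actors table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE actors (id INTEGER, first_name TEXT, last_name TEXT, gender TEXT)")
    return conn


def stale_after(write_query: str, inval_commands) -> bool:
    """True if, after write_query, the proxy serves a result set the backend no longer agrees with."""
    conn = fresh_actors_table()
    proxy = SqlCacheProxy(conn, inval_commands)
    select = "select * from actors where last_name = 'Stooge'"
    proxy.execute("insert into actors values (999999, 'Moe', 'Stooge', 'M')")
    proxy.execute(select)                       # first run: fetched from backend and cached
    proxy.execute(write_query)                  # the modification under test
    served = proxy.execute(select)
    truth = conn.execute(select).fetchall()
    return served != truth


def backend_queries_for_repeat_select(inval_commands) -> int:
    """Backend queries for insert, select, select: the second select should be a cache hit."""
    proxy = SqlCacheProxy(fresh_actors_table(), inval_commands)
    select = "select * from actors where last_name = 'Stooge'"
    proxy.execute("insert into actors values (999998, 'Larry', 'Stooge', 'M')")
    proxy.execute(select)
    proxy.execute(select)
    return proxy.backend_queries


if __name__ == "__main__":
    update = "update actors set first_name = 'Shemp' where id = 999999"
    print("lab rule, stale after UPDATE:     ", stale_after(update, LAB_INVAL_COMMANDS))
    print("extended rule, stale after UPDATE:", stale_after(update, EXTENDED_INVAL_COMMANDS))
```

The insert in steps 27 to 29 behaves correctly under both rules because "insert" is in the list; the UPDATE case is the one the lab configuration misses, and the same model can be used to check any other statement type before trusting a rule in production.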
Step 27. Since objects in the content group are flushed after the policy set is modified,
on Apache_MySQL_3 (GENTOO_3) perform the same "select" statement as in step 21 to ensure it
caches the new result. The previous 2 entries should now appear.

mysql> select * from actors where actors.last_name = "Stooge";
+--------+------------+-----------+--------+
| id     | first_name | last_name | gender |
+--------+------------+-----------+--------+
| 999999 | Moe        | Stooge    | M      |
| 999998 | Larry      | Stooge    | M      |
+--------+------------+-----------+--------+
2 rows in set (0.00 sec)
mysql>

Step 28. Insert a new row into the actors table.

mysql> insert into actors values ("999997","Curly","Stooge","M");
Query OK, 1 row affected (0.03 sec)

Step 29. Repeat the select query. The cached objects should have been flushed by the INVAL
policy and the new result set fetched from the backend server, effectively caching the new
data for the next request.

mysql> select * from actors where actors.last_name = "Stooge";
+--------+------------+-----------+--------+
| id     | first_name | last_name | gender |
+--------+------------+-----------+--------+
| 999999 | Moe        | Stooge    | M      |
| 999998 | Larry      | Stooge    | M      |
| 999997 | Curly      | Stooge    | M      |
+--------+------------+-----------+--------+
3 rows in set (0.00 sec)
mysql>
Step 30. IMPORTANT! This is the last exercise for this lab. Please go back to the Self-paced
Learning Lab portal site and click the "Logout" link towards the bottom right to close out
your lab session.
END OF EXERCISE
Key Takeaways
The key takeaways for this exercise are:
• The Integrated Caching engine is now able to cache SQL responses.
• Hit selectors and invalidation policies can be used to keep cached result sets consistent
with the data in the backend.
Revision History
Revision  Change Description  Updated By                        Date
1.0       Original Version    David Jimenez and Florin Lazurca  June 2012
About Citrix
Citrix Systems, Inc. (NASDAQ:CTXS) is the leading provider of virtualization, networking and software as a service
technologies for more than 230,000 organizations worldwide. Its Citrix Delivery Center, Citrix Cloud Center (C3)
and Citrix Online Services product families radically simplify computing for millions of users, delivering applications
as an on-demand service to any user, in any location on any device. Citrix customers include the world’s largest
Internet companies, 99 percent of Fortune Global 500 enterprises, and hundreds of thousands of small businesses
and prosumers worldwide. Citrix partners with over 10,000 companies worldwide in more than 100 countries.
Founded in 1989, annual revenue in 2008 was $1.6 billion.
http://www.citrix.com
© 2012 Citrix Systems, Inc. All rights reserved. Citrix®, Citrix Delivery Center™, Citrix Cloud Center™,
XenApp™, XenServer™, NetScaler®, XenDesktop™, Citrix Repeater™, Citrix Receiver™, Citrix Workflow
Studio™, GoToMyPC®, GoToAssist®, GoToMeeting®, GoToWebinar®, GoView™ and HiDef Corporate™ are
trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States
Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of
their respective owners.