Upgrade NetScaler VPX (Fresh) from 10.1 to 11.1

I did some testing on how to upgrade a NetScaler VPX (fresh) from 10.1 to 11.1

  1. Download NetScaler VPX 10.1 Virtual Appliance (OVF) from MyCitrix
  2. Import the OVF to vSphere 6.0 Host
  3. Power On the VPX 10.1 and configure only the NSIP with 10.1.1.221
sh ns version
  NetScaler NS10.1: Build 118.7.nc, Date: Jun 25 2013, 14:11:38

Go to Shell Mode, and Backup the nsconfig file

> shell
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
root@ns# cd /nsconfig
root@ns# cp ns
ns.conf          ns.conf.NS10.1-  nstemplates
root@ns# cp ns.conf ns.confNS10.1-Backup
root@ns#

Download the latest firmware for NetScaler VPX (build-11.1-47.14_nc.tgz), around 380MB, from MyCitrix and save it to MyDocuments

Transfer the downloaded file to NetScaler VPX via SCP using Mobaxterm installed on my Windows 10 machines by starting

[2016-07-29 21:29.44]  ~
[administrator.CITRIX-AD01] ➤ cd MyDocuments

[2016-07-29 17:36.25]  ~/MyDocuments
[administrator.CITRIX-AD01] ➤ scp build-11.1-47.14_nc.tgz nsroot@10.1.1.221:/var/nsinstall
build-11.1-47.14_nc.tgz                                                                          99%  372MB

Extract the build-11.1-47.14_nc.tgz using tar

root@ns# cd /var/nsinstall/
root@ns# ls
build-11.1-47.14_nc.tgz
root@ns# ls
build-11.1-47.14_nc.tgz
root@ns# tar -xvzf build-11.1-47.14_nc.tgz
.ns.version
ns-11.1-47.14.gz
ns-11.1-47.14.sha2
installns
bootloader.tgz
thales_dirs.tar
safenet_dirs.tar
help.tgz
help_cisco.tgz
BaltimoreCyberTrustRoot.cert
BaltimoreCyberTrustRoot_CH.cert
cis.citrix.com.pem
Citrix_Access_Gateway.dmg
macversion.txt
ns-11.1-47.14-gui.tar
ns-11.1-47.14-nitro-java.tgz
ns-11.1-47.14-nitro-csharp.tgz
ns-11.1-47.14-nitro-rest.tgz
ns-11.1-47.14-nitro-perl-samples.tgz
ns-11.1-47.14-nitro-python.tgz
open-vm-tools.tgz
bmc_releases
11k5_bmc.bin
19k_bmc.bin
22k_bmc.bin
8k2_bmc.bin
epaPackage.exe
version.xml
Citrix_Endpoint_Analysis.dmg
epamacversion.txt
LogonPoint.tgz
LoginSchema.tgz
README.txt
clientversions.xml
nsgclient32.deb
nsgclient32susesp1.rpm
nsgclient32susesp3.rpm
nsgclient64.deb
nsgclient64sled12.rpm
nsgclient64susesp1.rpm
nsgclient64susesp3.rpm
nsginstaller32.deb
nsginstaller32.rpm
nsginstaller64.deb
nsginstaller64.rpm
nsepa.deb
nsepa.rpm
nsepa32.deb
nsepa32.rpm
libvpath_if.so
Citrix_Netscaler_InBuilt_GeoIP_DB.csv.gz

Start the installation ./installns

root@ns# ./installns

installns version (11.1-47.14) kernel (ns-11.1-47.14.gz)

  The Netscaler version 11.1-47.14 checksum file is located on
  http://www.mycitrix.com under Support > Downloads > Citrix NetScaler.
  Select the Release 11.1-47.14 link and expand the "Show Documentation" link
  to view the SHA2 checksum file for build 11.1-47.14.

Warning: you are upgrading from "enhancement" to "maintenance" software version. Do you want to continue? [Y/N] y

  There may be a pause of up to 3 minutes while data is written to the flash.
  Do not interrupt the installation process once it has begun.

Installation will proceed in 5 seconds, CTRL-C to abort
Installation is starting ...
Unsupported VPX platform. Skipping CallHome checks.

Copying ns-11.1-47.14.gz to /flash/ns-11.1-47.14.gz ...
.....................................................................
sysctl: unknown oid 'netscaler.is_simple_gateway'
Installing online help...
Installing Cisco online help...
Installing Logon Point ...
Installing Login Schema files ...
Installing GUI...
Installing Mac binary and Mac version file...
Installing EPA Package ...
Installing Mac EPA and Mac EPA version file...
Installing Linux EPA and Linux EPA version file...

Installing NITRO...
Storing LOM firmware...
Installing Debian, RPM packages ...
Installing Jazz certificate ...
Installing Call Home certificate ...
Installing CIS server certificate ...
Installing Geo-IP DB...
Installing thales files...
Installing safenet files...
Creating before PE start upgrade script ...
Creating after upgrade script ...

Installation has completed.

Reboot NOW? [Y/N]

After the reboot, the NetScaler VPX is running NS11.1

> sh ns version
        NetScaler NS11.1: Build 47.14.nc, Date: Jun 28 2016, 18:18:19
 Done

I will upgrade my 2 x VPX with HA configured from 11.0 to 11.1 soon, and will share the steps

Reference link

  1. Official Citrix Documentation 
Move SQL 2014 System Databases to Different Drive

SQL 2014 SP1 Servers installed all System Databases in the following default location C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA

We had changed the User Database & Logs, TEMP DB, and Backup Directory during the SQL 2014 Installation for CITRIX-SQL01, but NOT the System Database Directory

CTX-SQL-01

Please refer to the following steps on how to move MSDB, Model & Master Database to D:\DATABASE\SYSTEM 

A. Move MSDB & Model System Databases 

Login to SQL Management Studio, and execute the following SQL Script to move the MSDB & MODEL Database to D:\DATABASE

USE master
ALTER DATABASE msdb
MODIFY FILE (NAME='MSDBData' , FILENAME='D:\DATABASE\SYSTEM\MSDBData.mdf')

ALTER DATABASE msdb
MODIFY FILE (NAME='MSDBLog' , FILENAME='D:\DATABASE\SYSTEM\MSDBLog.ldf')

ALTER DATABASE model
MODIFY FILE (NAME='modeldev' , FILENAME='D:\DATABASE\SYSTEM\model.mdf')

ALTER DATABASE model
MODIFY FILE (NAME='modellog' , FILENAME='D:\DATABASE\SYSTEM\modellog.ldf')

Stop the Services for MSSQLSERVER and copy MDF & LDF Files for MSDB & MODEL  to D:\DATABASE\SYSTEM and start the MSSQLSERVER Service back

Stop-Service MSSQLSERVER -force

Copy-Item "C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf" -Destination "D:\Database\System\MSDBData.mdf"
Copy-Item "C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA\MSDBLog.ldf" -Destination "D:\Database\System\MSDBLog.ldf"
Copy-Item "C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA\model.mdf" -Destination "D:\Database\System\model.mdf"
Copy-Item "C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA\modellog.ldf" -Destination "D:\Database\System\modellog.ldf"

Start-Service MSSQLSERVER

Confirm MSDB & Model MDF & LDF had been moved to D:\DATABASE\SYSTEM successfully

SELECT name, physical_name AS current_file_location
FROM sys.master_files

CTX-SQL-02

B. Move MASTER System Databases 

Go to SQL Server Configuration Manager -> SQL Server (Properties) –> Update the Location for Master Database -dD:\DATABASE\SYSTEM & -lD:\DATABASE\SYSTEM

CTX-SQL-03

Stop the MSSQLSERVER service, manually copy master.mdf & mastlog.ldf to D:\DATABASE\SYSTEM, and start MSSQLSERVER again

Stop-Service MSSQLSERVER -force

Copy-Item "C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA\Master.mdf" -Destination D:\Database\System\Master.mdf
Copy-Item "C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA\Mastlog.ldf" -Destination D:\Database\System\Mastlog.ldf

Start-Service MSSQLSERVER 
Start-Service SQLSERVERAGENT

Confirm MASTER MDF & LDF had been moved to D:\DATABASE\SYSTEM successfully

SELECT name, physical_name AS current_file_location
FROM sys.master_files

CTX-SQL-04

I will apply the same to the 2nd node, the CITRIX-SQL02 Server

Citrix – Requirements of Firewall Ports

Please refer to the following lab prepared for Citrix XenDesktop 7.9 to understand further on the Requirements of Firewall Ports

CTX-FW-01

  1. All Virtual Machines (VMs) are running on a Single VMware vSphere 6 Host
  2. PfSense Firewall with the following Segments / Interface configured
    • WAN (10.1.1.x/24) – Accessing to Internet
    • LAN – (192.168.1.x/24) – Active Directory Domain Controller & Users’ Workstations
    • DMZ (172.16.1.x/24) – NetScaler VPX for External Users
    • Server Workload (172.20.18.x/24) – Citrix XenDesktop Management Servers
    • User Workload (172.20.17.x/24) – Citrix XenApp Server + Citrix PVS Server

A. Firewall Ports for Servers to Join to AD Domain 

The following firewall ports need to be open from the Citrix Segment to the LAN Segment, where the AD Domain Controllers are located

| Source | Destination | Protocols | Ports | Remarks |
|---|---|---|---|---|
| Citrix Segment (172.20.18.x/24) (172.20.17.x/24) | AD Domain Controllers (192.168.1.x/24) | TCP + UDP | 389 | LDAP |
| | | TCP | 3268 | LDAP GC |
| | | TCP + UDP | 88 | Kerberos |
| | | TCP + UDP | 53 | DNS |
| | | TCP + UDP | 445 | SMB, CIFS |
| | | TCP | 135 | RPC, EPM |
| | | TCP | 5722 | RPC, DFSR (SYSVOL) |
| | | UDP | 123 | Windows TIME |
| | | TCP + UDP | 464 | Kerberos Change / Set Password |
| | | UDP | 138 | DFSN, NetLogon, NetBIOS Datagram Service |
| | | UDP | 137 | NetLogon, NetBIOS Name Resolution |
| | | TCP | 139 | DFSN, NetBIOS Session Service, NetLogon |
| | | TCP + UDP | 49152 – 65535 | User and Computer Authentication, Group Policy |
| | | TCP | 636 | LDAP SSL |
| | | TCP | 3269 | LDAP GC SSL |
| | | TCP | 25 | SMTP |

Without the high ports (49152 to 65535) open, a server can still join the AD Domain and log in successfully (it takes a few minutes to complete). However, it seems that the server initiates a lot of high-port traffic to the Windows 2012 R2 Domain, which was dropped by the firewall

Group Policy will NOT be applied if the high ports are not opened

To successfully apply Group Policy, Servers must be able to contact a domain controller over the Kerberos, LDAP, SMB, and RPC protocols.

Only one-way traffic from the Citrix Segment to the LAN Segment needs to be allowed; a stateful firewall allows traffic matching a known active connection to pass.

Results 

  1. All Servers are joined to AD Domain (Citrix-Lab.com) successfully
Import AD Root Certificate to OS X

When I use my MacBook Air to launch an application published in XenApp, I encounter the following message. Please refer to the following steps on how to import the AD Root Certificate to OS X to resolve this issue

Mac-01

Copy the Root.cer (My AD Root Certificate) on Desktop and double click to import it (ensure that select System 

Mac-02

Enter your credentials to confirm the changes, and set "When using this certificate" to "Always Trust"

Mac-03

The imported AD Root Certificate is trusted by the system now

Mac-04

I can launch my Application via XenApp successfully now

Mac-05

Configuring NetScaler VPX Active / Passive HA

Please refer to the following steps on how to configure 2 x NetScaler VPX Active / Passive HA in my lab

  1. Ensure that the first node of NetScaler VPX is configured properly
  2. Only configure the following in 2nd Node of NetScaler VPX
    1. NetScaler IP (NSIP)
    2. Upload the license file

Login to 2nd Node of VPX (10.1.1.210) and add the 1st node of VPX (10.1.1.150)

add ha node 1 10.1.1.150

Login to 1st Node of VPX, and add the 2nd node of VPX

add ha node 1 10.1.1.210

Enter the following command to see the HA Status

sh ha node

VPX-HA-01

1st Node of VPX (10.1.1.150) is the Primary, while 2nd Node of VPX (10.1.1.210) is Secondary

I shut down the 1st node, or manually issue the following command, to test the failover

force ha failover
Please confirm whether you want force-failover (Y/N)? [N]:y
 Done

VPX-HA-02

The 2nd Node of VPX has become the Primary now and, as tested, users can still log in to Citrix StoreFront as usual

Start Up NetScaler VPX using Command

Please refer to the following command to start up the NetScaler VPX in my lab using Command Line

#Show NetScaler Management IP 
sh ns ip 
#Configure Subnet IP 
add ns ip 192.168.1.112 255.255.255.0 -type SNIP
#Add DNS 
add dns nameServer 8.8.8.8
#Add NTP Server 
add ntp server my.pool.ntp.org 
enable ntp sync 
#Set Hostname 
set ns hostname vpx 
#Set TimeZone
set ns param -timezone "GMT+08:00-MYT-Asia/Kuala_Lumpur"
save ns config

#Check Host ID - Mac Address
shell
root@citrix-vpx01# lmutil lmhostid
lmutil - Copyright (c) 1989-2013 Flexera Software LLC. All Rights Reserved.
The FlexNet host ID of this machine is "005056a79b36"

#SCP VPX License to NetScaler VPX from Mobaxterm 
scp VPX-00505688c880.lic nsroot@192.168.1.110:/nsconfig/license 
reboot -warm 

sh ns license
#Enable LB, SSL, SSLVPN, AAA, and AppFlow
enable ns feature LB SSL SSLVPN AAA AppFlow

#SCP VPX Universal to NetScaler VPX from Mobaxterm 
scp VPX-UniversalLicense.lic nsroot@192.168.1.110:/nsconfig/license 
reboot -warm 

show ns license
 SSL VPN: YES (Maximum users = 55) (Maximum ICA users = Unlimited)

#Extend AAA Max Login - Default is 5 Only
set aaa parameter -maxAAAUsers 50
save ns config

Other Commands for reference

#Reset nsroot password 
set system user nsroot Passw0rd

#Change NSIP 
set ns config -ipaddress 10.1.1.152 -netmask 255.255.255.0 
save config 
reboot