Citrix NetScaler Command Center 5.2 User manual

© 1999-2017 Citrix Systems, Inc. All rights reserved. p.1https://docs.citrix.com
About this Command Center Release
What's New?
Fixed Issues
Known Issues
Limitations
What's New in Previous 5.2 Builds
Fixed Issues in Previous 5.2 Builds
FAQs
Command Center Appliance
Introduction
Preparing for Installation
Installing the Hardware
Initial Configuration
Command Center Appliances in a High Availability Pair
Command Center Appliance Licenses
Upgrading Command Center
Performing Backup and Restore Operations
Installing Command Center Software
Before You Begin
Installing the Command Center Server on Windows
Installing the Command Center Server as a Windows Service
Installing the Command Center Server on Linux
Installing the Command Center Server as a Linux Startup Service
Setting the Command Center Communication Mode
Installing the Command Center Server in High Availability Mode
Installing Certificates for Secure Communication
Upgrading Command Center
Command Center 5.2
Nov 16, 2015

© 1999-2017 Citrix Systems, Inc. All rights reserved. p.2https://docs.citrix.com
Migrating MySQL Database
Installing the Service Pack
Getting Started with Command Center
Initial Configuration Wizard
Logging on to Command Center
Adding Devices
Understanding the Discovery Process
Provisioning NetScaler VPX Devices on XenServers
Provisioning NetScaler Instances on NetScaler SDX Platform
Configuring a NetScaler Cluster from Command Center
AutoConfiguration: Simplifying Remote CloudBridge Deployments
Viewing Inaccessible Devices
Configuring Maps
Monitoring Devices
Monitoring Your Network by Using the Home Page
Monitoring and Managing Events Generated on Citrix Devices
Monitoring SNMP Events and Alarms
Managing SNMP Events and Alarms
Monitoring Syslog Events
Configuring Event and Alarm Triggers
Threshold Instance Formats
Monitoring and Managing the Real-Time Status of Entities Conﬁgured on
NetScaler Devices
Monitoring Virtual Servers, Services, Servers, and Service Groups
Managing the Real-Time Status of Entities
Using Tasks to Conﬁgure Managed Devices
Managing Built-in Tasks
Configuring Custom Tasks
Customizing Built-in and Custom Tasks
Customizing the DeployMasterConfig Built-In Task

© 1999-2017 Citrix Systems, Inc. All rights reserved. p.3https://docs.citrix.com
Viewing the Execution Log for all Tasks
Executing Commands using Configuration Profiles
Using Deployment Automation to Migrate Configurations
Email Notifications for Executed Tasks
Monitoring and Managing SSL Certiﬁcates Conﬁgured on NetScaler Devices
Auditing Conﬁguration Changes Across NetScaler Devices
Using Performance Reports and Thresholds to Monitor Device Performance
Configuring Polled Counters
Running Quick Reports
Configuring Custom Reports
Configuring Thresholds to Monitor Devices
Monitoring the Status of CloudBridge Devices
Monitoring AppFirewall Syslog Events
Monitoring NetScaler Gateway Syslog Events
Administering Command Center
Configuring Discovery Settings
Configuring Device Profiles
Configuring Server Settings
Configuring Purge Settings
CloudBridge Registration
Configuring Inventory Settings
Configuring High Availability Settings
Configuring Mail Server Settings
Configuring Access Settings
Setting Up Command Center Agents
Configuring SNMP Trap Forwarding
Configuring Security Settings
Configuring Logs
Viewing Server Details, Logged-in User Information, and License Details
Changing the Database Password
Support for Applying XenServer Hotfixes on Command Center Appliance

Configuring Database Settings

NITRO API

Java SDK

.NET SDK

REST Web Service

What's New? - The enhancement and changes released in Build 44.11.

Fixed Issues - The issues addressed in Build 44.11.

Known Issues - The issues that exist in Build 44.11.

Limitations - The list of limitations available in Build 44.11.

What's New in Previous 5.2 Builds - The enhancements and changes that were available in Command Center 5.2

releases prior to Build 44.11. The build number provided below the issue description indicates the build in which this

enhancement or change was provided.

Fixed Issues in Previous 5.2 Builds - The issues that were addressed in Command Center 5.2 releases prior to Build

44.11. The build number provided below the issue description indicates the build in which this issue was addressed.

About this Command Center Release

Oct 13, 2015

The release notes describe the changes or enhancements, ﬁxed issues, and known issues in Build 44.11. The list of known

issues is cumulative, that is, it includes issues that are newly found in this build and also issues from previous builds.

Note

Additional fixes in Build 49.11: 596501,603146,598053,600116

The complete description of these issues are listed in the Fixed section

Additional enhancement in Build 49.11: 600905

The complete description of this issue are listed in the What's New section

Note

This build includes fixes for 1 issues that were known issues in the previous build of the Command Center 5.2 release.

The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the NetScaler team.

These release notes do not document security related fixes. For a list of security related fixes and advisories, see the Citrix

security bulletin.

What's New?

Oct 13, 2015

The enhancement and changes released in Build 44.11.

Support for Administrator Base Domain Name for Active Directory/Open LDAP Authentications Servers

You can now specify the Administrator Base Domain Name if you conﬁgure either an Active Directory or an Open LDAP

authentication server. The Administrator Base Domain Name is the administrator user name that is used to bind to the

Active Directory or Open LDAP server. You can specify the Administrator Base Domain Name in the ﬁeld Administrator

Bind DN.

[#557589]

Support for Fallback Authentication User

This feature allows an external user to log on to Command Center even though the conﬁgured external authentication

server is down or unreachable. Command Center administrator must identify the users and enable Fallback

Authentication User for those users. By default, this option is disabled for all users. Note that the default password for

fallback users is public.

To enable Fallback Authentication User for multiple users, on the Administration tab, under Security, click Fallback

Authentication User, and select the user for whom you want to enable this setting.

To enable Fallback Authentication User for a user, on the Administration tab, navigate to Security > Users, select the user

and click Edit. In Conﬁgure User, select the Fallback Authentication User option.

[#537550]

Preview Master Conﬁguration Before Execution

You can now preview the master conﬁguration, which is generated from the conﬁguration template and the input ﬁle

provided by the user during DeployMasterConﬁg task execution, before it is executed on the selected device.

[#549991]

Downloading a Sample Conﬁguration Template from Built-in Tasks

You can now download the sample template ﬁle and the input ﬁle for the DeployMasterConﬁg task from the NetScaler

Built-in Tasks lists page.

On the Conﬁguration tab, navigate to Conﬁguration > Built-in Tasks, select DeployMasterConﬁg and click Download

Sample Template. A zip ﬁle containing both the sample template ﬁle and the input ﬁle is downloaded to your local

machine.

You can no longer download the sample template ﬁle and the input ﬁle from the Downloads section of Command

Center.

[#553617]

Restricted Access to Entities and its Bound Entities

If you restrict a user group to an entity, then all the users in that group can access only that entity and the entities that

are bound to that entity. For example, consider there are three virtual servers conﬁgured on a NetScaler device, V1, V2,

and V3, and virtual servers V1 and V2 are bound to service S1. If you restrict usergrp1 to only service S1, then all users in

the group usergrp1 can access only service S1 and virtual servers V1 and V2. Users in usergrp1 cannot access virtual server

V3.

To restrict a user group to only an entity and it's bound entities, on the Administration tab, navigate to Security > Groups,

select a group, and then click Advanced Settings. In the Property Name list, select an entity, and then select the Apply on

bound entities also option.

This functionality is applicable to the following entities:

-Virtual Server Name

-Service Name

-Service Group Name

-Server IP address

Note: If you select the Apply on bound entities also option for the entities services and service groups, the servers

abound to these entities might not be accessible.

[#535029]

Continue Task Execution af ter Failure

If you conﬁgure a task to be executed sequentially and select the Ignore and Continue option, you can now select

either of the following options:

-Execute on current device only. Execute the task on only the current device, even though the task has partially failed on

that device.

-Execute on all selected devices. Execute the task on all the selected devices, including the current device that

experiences a partial failure.

[#549686]

Support for SNMPv3 Traps for NetScaler Devcies

Command Center now supports SNMPv3 traps. Command Center receives SNMPv3 traps once a NetScaler device is

discovered with SNMPv3 credentials. SNMPv3 traps are supported for only NetScaler devices.

[#555734]

Enhanced Technical Support Bundle

You can now generate technical support bundles of the following types:

-Basic. A technical support bundle that includes log ﬁles, database information, and conﬁguration settings.

-Advanced. A technical support bundle that includes log ﬁles, database information, conﬁguration settings, thread dumps,

and crash logs.

Command Center now stores the last ten previously generated technical support bundles. You can delete the ones that

you no longer require.

Technical support bundles generated by Command Center appliances in a high availability conﬁguration include the

technical support ﬁles for both the primary and the secondary nodes.

To generate the technical support bundle by using the graphical user interface, on the Administration tab, under

Diagnostics, click Technical Support.

A technical support bundle can also be generated from the Command Center command line interface. The default type

is Advanced.

To generate the technical support bundle by using the command line interface, in the <CCHome>\\bin directory, execute

the generate_technical_support script.

On a Windows system, run the following command:

generate_technical_support.bat

Alternatively, you can double-click the generate_technical_support.bat ﬁle.

On a Linux system, run the following command:

sh generate_technical_support.sh

[#496921, 423211, 445750]

Def ault Read-Only Permissions for All Groups

All groups conﬁgured on Command Center now have read-only permissions by default. In earlier releases, the default

group "Users" had no permissions.

As part of this enhancement, the Users group now has read-only permissions. A new external user is automatically added

to the default Users group when that user is authenticated in Command Center. Since the Users group now has read-

only permissions, the new external user does not experience an authorization failure.

[#537546]

XML Schema ﬁle Included in the Sample Template Compressed File

The compressed ﬁle (.zip) of a sample template of built-in tasks now includes the XML schema ﬁle (.dtd) for the input

XML ﬁle.

[#583370]

Customizing the DeployMasterConﬁg Built-in Task

If you want to replicate the complete existing state of a NetScaler appliance on another NetScaler appliance, you must

replicate the conﬁguration, license, and certiﬁcate ﬁles. By executing the DeployMasterConﬁg built-in task without

customizing it, you can replicate only the conﬁguration ﬁle.

You can customize the DeployMasterConﬁg built-in task to add additional commands, so that you can replicate license

and certiﬁcate ﬁles to other NetScaler devices, and execute any other commands required for your conﬁguration.

You can customize the DeployMasterConﬁg built-in task to do the following:

-Add additional commands

-Modify existing commands

-Add variables to commands

-Delete commands

-Change the order of commands.

Caution: Be careful when changing the order of commands in the DeployMasterConﬁg built-in task.

[#586722]

Support for TLSv1.1 and TLSv1.2

Command Center now supports TLSv1.1 and T LSv1.2 protocols.

To enable TLSv1.1 and TLSv1.2 protocols

On the Administration tab, navigate to Settings > SSL Settings and select the Enable TLSv1.1 or Enable T LSv1.2 option.

Note that the SSLv3 protocol is no longer supported.

[#571448]

The Auto rollback on failure option under Deployment Automation is now unchecked by default.

[#600905]

Support for Enabling and Disabling Group Extraction

You now have the option to enable and disable group extraction for a RADIUS authentication server. In earlier releases,

group extraction could not be disabled.

[#556544]

Support for Resolving an Authentication Server by Using the Host Name

You can now specify either the host name or the IP address to resolve an authentication server. In earlier releases, you

could only specify the IP address.

[#586708]

Support for Deployment of RADIUS Authentication With Active Directory Server

Command Center now supports deployment of RADIUS authentication with an Active Directory server. You must enable

Group Extraction and specify the group vendor identiﬁer and the type of group attribute.

[#571655]

Support for Exporting Graphs and Tables of Application Firewall Violations

You can now export graphs and tables of Application Firewall violations from Command Center. You can choose to

export either a graph or a table (CSV ﬁle), or both.

[#577318]

Support for Reporting f or NetScaler Gateway

You can now view the following reports for NetScaler Gateway devices:

-Top users by sessions

-Top ICA applications by user access

-Top users by bandwidth

-Top client types

-Top users by EPA scan failures

-Top users by failed attempts

You can also export NetScaler Gateway reports from Command Center. You can export them as graphs, tables (CSV ﬁles),

or both. You can also schedule the Reports.

To view NetScaler Gateway reports

On the Reporting tab, navigate to NetScaler Gateway > Reports, select the report you want to view and then click View

Graph.

To schedule NetScaler Gateway reports

On the Reporting tab, navigate to NetScaler Gateway > Notiﬁcation Settings, and then click Schedule Report.

[#584651]

Single Option to Conﬁgure Active Directory and Open LDAP Authentication Servers

You now have a single option, LDAP, for conﬁguring either an Active Directory or an Open LDAP authentication server.

On the Administration tab, navigate to Security > Authentication Settings, and select LDAP. In the Server Type list, select

either Active Directory or Open LDAP, and then conﬁgure the rest of the ﬁelds as required for the authentication server

you selected.

[#571443]

Support for Monitoring the Command Center Database

You can now receive an SNMP trap if the size of the Command Center database reaches a conﬁgured threshold value.

You can also receive an email notiﬁcation.

By default, the size of the Command Center database is checked once an hour. You can specify the threshold value in

MB, or as a percentage (%) of the disk space allocated to the database.

If you have conﬁgured the threshold value as a percentage, then the percentage of the used size is compared against

the allocated database size and the notiﬁcation is generated if the percentage exceeds the conﬁgured threshold value.

If you have conﬁgured the threshold value as a size (MB), then the used database size is compared against the

conﬁgured threshold size and the notiﬁcation is generated if the database size exceeds the conﬁgured threshold value.

This feature is supported for the following database servers:

-MSSQL

-MySQL

-Oracle

Note that this feature is not supported for the PostgreSQL database server.

To conﬁgure database monitoring

1. On the Administration tab, navigate to Settings > Database Monitor Settings.

2. Select the Enable Database Monitoring option and specify the threshold value as a percentage or as a size (MB).

3. If you also want to receive an email notiﬁcation, select the Enable Email Notiﬁcation option and then conﬁgure the

email server from which to send email notiﬁcations.

[#449211, 446452]

Support for Viewing up to 40 Top Violations in Application Firewall Reports

You can now view a graph of up to 40 top violations in Application Firewall reports. You can also schedule an Application

Firewall report of up to 40 top violations.

[#547522]

Support for Exporting Syslogs

You can now export syslogs from Command Center. For Application Firewall and NetScaler Gateway syslogs, you can

export the recent syslogs that appear under Logs, and you can export syslogs for the views that you have conﬁgured

under Views. You can also export the syslogs that appear on the Fault tab, under Logs and Views.

You can specify the criteria for exporting syslogs that appear under Logs. Different criteria apply to NetScaler Gateway

and Application Firewall syslogs. You can limit the number of rows to be exported depending on your need. The default

limit for the number of rows to be exported is 1000, and the maximum is 10000.

You can now export all graphs (image ﬁles) and data in tabular format (CSV ﬁle) from the Application Firewall dashboard.

[#403149]

Changes in the Command Center Graphical User Interface

Note the following changes in the Command Center graphical user interface:

1. Fault > Syslogs

- "Complete View" has been renamed to "Logs."

- "Filters" has been renamed to "Suppress Logs."

2. Reporting > AppFirewall

- "Filters" has been renamed to "Suppress Logs."

- "Recent Logs" has been renamed to "Logs."

- "Views" was under "Recent Logs" which is now under "AppFirewall."

- "Schedule Report" was under "Reports" which is now under "Notiﬁcation Settings."

3. Reporting > NetScaler Gateway

- "Filters" has been renamed to "Suppress Logs."

- "Recent Logs" has been renamed to "Logs."

- "Views" was under "Recent Logs" which is now under "NetScaler Gateway."

[#577325]

Updated Management Service Backup

The Management Service backup now contains only the Management Service conﬁguration backup. This backup no

longer includes the image of the NetScaler SDX appliance and NetScaler VPX instances, nor the conﬁguration

information for NetScaler VPX instances running on the NetScaler SDX appliance.

[#526020, 526024]

Fixed Issues

Oct 13, 2015

The issues addressed in Build 44.11.

If a NetScaler device is enabled with Common Event Format (CEF) logging for Application Firewall, Command Center fails

to retrieve views for an alarm.

[#570148]

When OpenLDAP is used for Command Center authentication, a logon attempt with valid credentials fails.

[#546717]

Command center might display same host names for different devices.

[#549935]

User deﬁned rollback commands are not displayed in the preview screen before task execution.

[#550461]

The default value of Event Cleanup Interval is now 30 days. In earlier releases, the default value was 180 days. If you had

conﬁgured this value to anything other than 30 days before upgrading to the latest release, you must again set it to the

value as per your need.

[#596685]

The arrow icon indicates that the records displayed in the Command Center graphical user interface are sorted in

ascending order, but they are actually sorted in descending order.

[#555476]

The DeployMasterConﬁg task fails if the input XML ﬁle contains standard comments.

[#581317]

Command Center service fails to start, because of JRE corruption.

[#555113]

You can now specify the device group in the input ﬁle to deploy the master conﬁguration on a NetScaler device.The

variable values deﬁned in the devicegroup tag take precedence over the global variable values and the variable values

deﬁned in the device tag take precedence over the devicegroup variable values.

[#557664]

All entities bound to an entity might not be displayed if you restrict a user to that entity by using Advanced Settings.

[#583763]

The Command Center logon page might take a long time to load.

[#556218]

Appropriate error messages are not displayed in the execution logs if the DeployMasterConﬁg task fails.

[#575339]

After you install or upgrade Command Center, the ﬁrst attempt to connect to the MSSQL database fails.

[#566928]

Appropriate error messages might not be logged in the task execution logs if there is an error in the input XML ﬁle.

[#563326]

The browse button to search users from Active Directory is now changed to a search icon.

[#557658]

If Command Center is conﬁgured with a custom certiﬁcate that does not have a default password, the Command

Center service fails to start during an upgrade.

[#558984]

The DeployMasterConﬁg task fails if the conﬁguration template ﬁle contains HTML tags, because Command Center

uses the characters "<" and ">" to enclose the variable name. You can now use the "$" character to enclose the variables

(for example, $NS_IP$).

[#563404]

Command Center now supports using the NITRO API to fetch a device list on the basis of device type.

[#583472]

In the NetScaler Gateway dashboard, the "Top 10 users by EPA scan failures" report displays invalid data.

[#565270]

The CLI commands to generate the technical support bundle have been updated as below:

On a windows system:

generate_technical_support.bat basic

generate_technical_support.bat advanced

On a linux system:

sh generate_technical_support.sh basic

sh generate_technical_support.sh advanced

[#586717]

If an Active Directory user that is a member of a group is reassigned to another group, the Command Center graphical

user interface lists the user as part of the original group.

[#589898]

On the Monitoring tab, the search functionality fails if the user belongs to two groups and advanced authorization

settings are conﬁgured.

[#594366, 590655]

If a scheduled report generates the "Too many data points to plot" error at the same time for two different charts,

graphs are not attached in the email sent to the user.

[#594726]

In an HA setup of a Command Center server, SSLv3 status change operations (enable or disable) are not propagated to

the secondary appliance

Workaround:

Enable or disable SSLv3 when the secondary appliance is UP.

[#552307]

Command Center connections become stale because they are not refreshed.

[#586925]

If the Command Center logon password is longer than 15 characters, an attempt to log on to the Command Center GUI

fails.

[#600116]

The Linux script EncryptPassword.sh throws a bad interpreter error because the script contains ^M characters.

[#521956]

The help text on the custom task creation screen now appears as a tool tip.

[#583216]

Known Issues

Oct 13, 2015

The issues that exist in Build 44.11.

Rollback of commands in the DeployMasterConﬁg built-in task fails.

[#596682, 595304]

If you conﬁgure an alarm or event trigger for a Send Trap action to send SNMP traps to an SNMP manager, SNMPv3

traps are forwarded to the manager as SNMPv2 traps.

[#582423]

The NetScaler dashboard always displays the CPU Usage (%) value as 0 for a NetScaler cluster.

[#437641]

The restore conﬁguration option on the details page for a device does not display the log information.

[#370810]

When creating views for SNMP alarms and events on the Faults tab, selecting a device type on the Create View page

does not load the ﬁlter criteria associated with the device type.

[#315632, 350773]

Rediscovery of a cluster device with an SNMP v3 proﬁle fails after the Conﬁguration Coordinator node restarts.

[#390280, 413918]

You might be unable to log onto Command Center after a fresh installation, because of a corrupted security

conﬁguration.

Workaround: After a fresh installation, reset the Command Center conﬁguration by re-initializing it. To do so, run the

reinitialize_nms.bat or reinitialize_nms.sh script, which is located in the CCHome/bin/ folder

[#358712]

If you install Command Center servers in a high availability (HA) pair or upgrade Command Center servers in an HA pair to

new build, one of the servers might not start.

Workaround: Restart the server that failed to start.

[#596501, #603146]

You cannot generate a report by using the "RunningVsSavedconﬁguration" audit policy on a NetScaler device if the

device password contains a hash (#).

Workaround: Modify the device password.

[#443175]

On the Citrix Network > Device Inventory > NetScaler screen, the Command Center server does not sort the System

Uptime column by date but by the string value.

[#534042]

The Device Inventory screen does not display the IP address, platform and hostname for the CloudBridge 800 platform.

[#551110]

If you access the Command Center server through an Internet Explorer 8 browser, the virtual servers screen (Monitoring>

NetScaler> Virtual Servers) displays an error message.

[#515061]

Because of security vulnerabilities in the TLSv1 SSL protocol, the default settings for Command Center no longer support

TLSv1. However, CloudBridge devices currently do not support TLSv1.1 or TLSv1.2. After you upgrade to this release,

Command Center's ability to discover and connect to CloudBridge models 400, 800, 1000WS, 2000, 2000WS, 3000, 4000,

and 5000 is lost.

Workaround: To discover CloudBridge devices, on the Administration tab, under settings, click SSL Settings and then

select the Enable TLSv1 option.

[#598053]

Command Center accesses unknown DNS IP addresses.

Workaround:

Update the /var/cache/yum/addons/mirrorlist.txt ﬁle to remove the invalid DNS entries.

[#598040]

Alarms are not purged if a huge number of incoming traps (around 10,000 requests per second) arrive for processing on

the Command Center server.

[#538161]

If you add a device to Command Center, sometimes, the discovery process might not proceed.

Workaround: Restart the Command Center server.

[#380961]

You cannot search for an execution log by specifying the status message that appeared when the task was executed.

[#552902]

Limitations

Oct 13, 2015

The list of limitations available in Build 44.11.

The details of a security violation of type APPFW_CSRF_TAG, displayed in AppFirewall log messages, are incorrect for

NetScaler devices running release 10.0.

[From Build 44.11] [#347274]

In the Authentication settings for Active Directory Group extraction, the option to retrieve the attributes from the

Active Directory server and select the attributes from the retrieved list is not available in Command Center release 5.1 or

later.

[From Build 44.11] [#347208]

AES based encryption is not applicable for USMTable in SNMPv3 discovery.

[From Build 44.11] [#450079]

The counter values for Transmit Link utilization and Receive link Utilization are incorrect.

[From Build 44.11] [#398919]

When you replicate a conﬁguration on a NetScaler device, the L2 and L3 conﬁgurations are also replicated.

[From Build 44.11] [#371907]

The advanced search and ﬁnd device features, formerly on the Home page, are not available in the Command Center

release 5.2, because of migration to the new user interface framework.

[From Build 44.11] [#290553, 337222, 353906]

The Replicate Conﬁguration feature is not supported for a NetScaler cluster or for NetScaler devices in a high availability

pair.

[From Build 44.11] [#370232]

The option to export the details in the custom views of Events and Alarms is not available in Command Center release

5.2.

The following export options are not available in Command Center release 5.2:

* Export entire custom view data

* Export displayed data

* Export Annotations

[From Build 44.11] [#354869]

If the number of failure objects in Command Center is high and you create or modify custom views in Events and Alarms,

a script error occurs.

[From Build 44.11] [#377592]

Command Center does not support Windows authentication mode for an MSSQL database. It only supports SQL

authentication mode.

[From Build 44.11] [#531252]

Citrix NetScaler Command Center 5.2 User manual

Related papers

Other documents