Installing Citrix NetScaler VPX into VMware Workstation

I hope I don’t need to explain that this is for testing/evaluating purposes only and is not at all supported by Citrix in any way. The reason for me to create this how-to is that I am stumbling on a lot of forum posts asking if it is at all possible to install Citrix NetScaler VPX into VMware Workstation and if it passes traffic when it is installed within VMware Workstation. Well, I’m doing this all the time for testing purposes with every new version of Citrix NetScaler VPX that comes out.

In this guide I will only show how to get a working Citrix NetScaler VPX into VMware Workstation VM.

Materials used for this:
- Citrix NetScaler VPX for ESX 10 Build 54.6 (link);
- VMware OVF Tool 2.1.0 (link);
- VMware Workstation 8;
- WinRAR.

Download Citrix NetScaler VPX for ESX 10 Build 54.6 from the Citrix download section on www.citrix.com, this requires an active MyCitrix login account.

image

The download will consist of a .ZIP file which will contain the Citrix NetScaler VPX files that you would normally import into a VMware ESX environment. We are going to extract these files into a temporary directory. You can delete the .ZIP file afterwards.

image

image

Then just right-click the .OVF file and click “Open with VMware Workstation” or click the button in Windows Explorer. This will migrate the .OVF to .VMX and copy the .VMDK to your default Virtual Machine path. If this works you’re done!

image

Should the above not work then you could always try and convert the .OVF manually. Do this by using the VMware OVF Tool.

Before running the conversion make sure you have created an output directory somewhere. In the below example my input directory is:
C:\Users\%username%\Desktop\Citrix NetScaler\
And my output directory is:
C:\Users\%username%\Desktop\Citrix NetScaler\Citrix NetScaler VPX

The downloaded Citrix NetScaler VPX for ESX are the input files, specifically the NSVPX-ESX-10.0-54.6_nc.ovf file. By now you should have downloaded and installed the VMware OVF tool, after you install this tool it can be found at C:\Program Files\VMware\VMware OVF Tool\ovftool.exe.

Use VMware OVF Tool to convert the OVF into a VMX. It is a command line tool and the syntax is as follows:
C:\Program Files\VMware\VMware OVF Tool>ovftool "C:\Users\%username%\Desktop\Citrix NetScaler\NSVPX-ESX-10.0-54.6_nc.ovf" "C:\Users\%username%\Desktop\Citrix NetScaler\Citrix NetScaler VPX\NSVPX-ESX.vmx"

Remember to use quotes when you have spaces in your folder structure.

image

I’d recommend not using any version number in the output files, since you may want to update the Citrix NetScaler VPX to a later version and then you’d be stuck with old version numbers in your VMware files, which are pretty hard to rename.

Now we have a Citrix NetScaler VPX folder with a “Citrix NetScaler VPX.vmx” file which we can add to VMware Workstation. Maybe you would like to move/copy the folder first to your Virtual Machines default location. Open VMware Workstation, File, Open, open the “Citrix NetScaler VPX.vmx” file.

Depending on the VMware Workstation version you are using you can choose “Upgrade this virtual machine”; in my case I am using VMware Workstation 8. I upgraded the VM to a VMware Workstation 8 level.

image

All right, let’s boot it up!

image

We’re up! Usually Citrix NetScaler starts an initial configuration wizard, but there is a bug in version 10 for ESX that prevents this from happening. Just log on as nsroot/nsroot and enter the command configns. There you can configure basic IP data, save and reboot.

image

image

Next step is to go to MyCitrix and acquire a license to get working on Citrix NetScaler! Happy testing all.

Citrix NetScaler 10: Apply Citrix Receiver Theme

You may have noticed in the Release Notes of Citrix NetScaler 10 that it is possible to apply the new Citrix Receiver theme to the Access Gateway Enterprise logon page.

As per the Release notes:

Apply the Citrix Receiver theme to the logon page
You can use the command line to overwrite the original Access Gateway logon page with the Citrix Receiver theme

Only the how is nowhere to be found in the Citrix documentation. Update: the official Citrix product documentation on how to apply the Citrix Receiver theme to Citrix Access Gateway Enterprise 10 can be found here:
http://support.citrix.com/proddocs/topic/access-gateway-10/agee-client-connect-cr-new-theme-page-tsk.html
So, although the explanation below will work, I’d have to recommend using Citrix product documentation.

Well, Jarian Gibson found out how (so no credit for me); you can also go to the forum post, it is the same task sequence.

Before overwriting the original Access Gateway interface you could choose to make a backup of the current interface directory. If you like, make an SCP (WinSCP) connection to NetScaler and back up the /netscaler/ns_gui directory entirely.

Log into Citrix NetScaler by using SSH (PuTTY):
> shell
# cd /var/netscaler/gui/vpns/customization/receivertheme
# tar -xvzf receivertheme.tar.gz
# cp -r /var/netscaler/gui/vpns/customization/receivertheme/ns_gui/* /netscaler/ns_gui

To make sure your Citrix Receiver theme stays intact after NetScaler reboots, do the following (on every NetScaler appliance):

# mkdir /var/customizations
# cp -r /var/netscaler/gui/vpns/customization/receivertheme/ns_gui/* /var/customizations
# touch /nsconfig/rc.netscaler – (if rc.netscaler does not yet exist)

Add the line “cp -r /var/customizations/* /netscaler/ns_gui” (without the quotes) to the rc.netscaler file. This file is in the /nsconfig folder. If it does not exist you can create it by executing:

# touch /nsconfig/rc.netscaler

You can also add the line by executing the following command. The single quotes keep the shell from expanding the * before the line is written to the rc.netscaler file:

# echo 'cp -r /var/customizations/* /netscaler/ns_gui' >> /nsconfig/rc.netscaler

Citrix_Receiver_Theme

So, again, any thanks go to Jarian for finding this out!

Citrix NetScaler 10 is Calling Home

With the introduction of Citrix NetScaler 10 all kinds of brand new features are waiting to be explored; one of them is Citrix NetScaler Call Home. Call Home is a feature that needs to be enabled on the Citrix NetScaler, just as we are used to with other Citrix NetScaler features.

>enable feature ch

It was already possible to upload the data into https://taas.citrix.com manually, so this is pretty much the next step for automating this process. https://taas.citrix.com is still in beta.

Call Home is basically setup as follows:

image

Call Home requires that your Citrix NetScaler MPX appliance (VPX is not yet supported for this feature) is registered with Citrix Tech Support. When the problem cannot be resolved using the old methods, you can decide to push “Call Home”, which will then upload all the data for troubleshooting to Citrix Tech Support (https://taas.citrix.com) and optionally create a support case. Of course you must have an active Technical Support Contract to make use of this feature. Not having an active Technical Support Contract will result in a registration failure.

image

Configure_Call-Home

Check the status of your Call Home registration by issuing the following command:

>show callhome

The status of registration will be stored in memory.

Important: Call Home is not yet supported on the VPX platform. Although it is giving you all the signs that it’s there and can be enabled, it will say “ERROR: Operation not permitted” and in the /var/log/callhomedebug.log you will find the following entries:

Apr 11 16:28:28 <local2.debug> ns callhomed[375]: Callhomed invoked
Apr 11 16:28:28 <local2.debug> ns callhomed[375]: Callhome feature is currently not supported on VPX. Callhomed exiting…

Installing Citrix Branch Repeater into VMware Workstation

I hope I don’t need to explain that this is for testing/evaluating purposes only and is not at all supported by Citrix in any way.  You would have to be pretty creative to think of a network testing solution to get this working in a VMware Workstation setup. Basically you would need two of these VPX appliances and figure out how to flow the data between the two Citrix Branch Repeaters with on one end Citrix XenApp Servers or XenDesktop machines and some sort of client on the other.

But if you want to get more acquainted with the Citrix Branch Repeater command line interface or the GUI, this is a nice way of doing that.

In this guide I will only show how to get a working Citrix Branch Repeater VPX into VMware Workstation VM.

Materials used for this:
- Citrix Branch Repeater VPX 6.0.5;
- VMware OVF Tool 2.1.0;
- VMware Workstation 8;
- WinRAR.

Download Citrix Branch Repeater VPX 6.0.5 from the Citrix download section on www.citrix.com, this requires an active MyCitrix login account.

image

The download will consist of a .ZIP file which will contain a .OVA file. Extract the .OVA file into a temporary directory. After that you can delete the .ZIP file if you like.

image

image

See how nicely it says “Open with VMware Workstation” but it doesn’t, it will give you the below error statement.

image

Instead rename the .OVA extension to .TAR and open the .TAR file with a compression tool like WinRAR.

image

image

Extract the files and delete the .TAR file if you like, you will not need it anymore.

image

Make sure you have the VMware OVF Tool installed (http://www.vmware.com/support/developer/ovf/), you will need an active VMware account to download this tool. We will use the Citrix Branch Repeater VPX.ovf as input file so make sure you create a directory for the output files. In my example I will create a subfolder called “Citrix Branch Repeater VPX” for my output files.

Important: Rename the “Citrix Branch Repeater VPX.cert” to “Citrix Branch Repeater VPX.cer” and install it (DoubleClick => Install Certificate => Next => Next => Finish).

Use VMware OVF Tool to convert the OVF into a VMX. It is a command line tool and the syntax is as follows:
C:\Program Files\VMware\VMware OVF Tool>ovftool.exe "C:\Users\HeLo\Desktop\CitrixBranchRepeaterVPX-RC-6.0.5.44\Citrix Branch Repeater VPX.ovf" "C:\Users\HeLo\Desktop\CitrixBranchRepeaterVPX-RC-6.0.5.44\Citrix Branch Repeater VPX\Citrix Branch Repeater VPX.vmx"

Remember to use quotes when you have spaces in your folder structure.

image

If you do not import the certificate the command line will present an error message as follows:
Error: Verification of Citrix Branch Repeater VPX.cert failed

Now we have a Citrix Branch Repeater VPX folder with a “Citrix Branch Repeater VPX.vmx” file which we can add to VMware Workstation. Open VMware Workstation, File, Open, open the “Citrix Branch Repeater VPX.vmx” file.

image

Depending on the VMware Workstation version you are using you can choose “Upgrade this virtual machine”; in my case I am using VMware Workstation 8. I upgraded the VM to a VMware Workstation 8 level.

Make sure the two network adapters attached are on different networks, or else you will have the known bridging loop problem of Citrix Branch Repeater. See the Citrix Branch Repeater User Guide for more information on avoiding bridging loop problems.

All right, let’s boot it up!

image

Log on using username admin, password password.

Set the Citrix Branch Repeater an IP-Address by issuing the following command:
set adapter apA -ip < IP-Address >

Set the Citrix Branch Repeater apA a Subnet mask by issuing the following command:
set adapter apA -subnet < subnet mask >

Set the Citrix Branch Repeater a Gateway IP-Address by issuing the following command:
set adapter apA -gateway < IP-Address >

Initiate a reboot by entering the command: restart.

When the Citrix Branch Repeater has rebooted you can log on through the browser; just enter the IP-Address you gave the apA adapter earlier. Log on using username admin and password password.

image

Install a Citrix Branch Repeater license to enable Traffic Processing. No, I’m not going to help you get a license, you are on your own.

image

image

You can connect to the CLI using PuTTY (or any other SSH tool you like); remember to first log on with the username “cli”.

image

Happy Easter everyone!

Security bug: Users can change Citrix WI Site by changing path in URL

At first I thought I was going out of my mind, fortunately Citrix Tech Support has confirmed this bug and are working on a solution.

NetScaler_Bug

Installing a brand new pair of Citrix NetScaler MPX 5500 with the latest Citrix NetScaler build (9.3-55.6).

The Citrix NetScaler security design called for 9 Access Gateway Virtual Servers, each with its own Citrix Web Interface site, so that all the traffic could be isolated and different kinds of security measures could be applied to the different Access Gateway Virtual Servers. There are multiple Citrix XenApp Farms in the backend where the different users would land depending on the target audience.

So, done installing 9 Citrix Access Gateway virtual servers and 9 Citrix Web Interface sites (Web Interface for Citrix NetScaler). So the setup is like this:

portal1.domain.com (Access Gateway) => /Citrix/XenApp1 (Web Interface) => XenApp Farm 1
portal2.domain.com (Access Gateway) => /Citrix/XenApp2 (Web Interface) => XenApp Farm 2
etc.

When users successfully log on to portal1.domain.com and see the Published Applications of XenApp Farm 1, the URL in the address bar points to Citrix Web Interface 1, /Citrix/XenApp1. If the user simply replaces the 1 with a 2, they can see and start the Published Applications of XenApp Farm 2 without re-authenticating or any other effort. Granted, a user must have permissions on the published applications to access them.

At first I thought this was a problem of Web Interface for Citrix NetScaler because it basically uses 127.0.0.1:8080 for all Web Interface publications so I tried the same on Web Interface for Windows thinking to bypass the problem using Web Interface for Windows for the time being, unfortunately, same issue.

What products does this affect?

Well, not sure. At least a combination of the following:
- Citrix NetScaler 9.3-55.6
- Citrix Web Interface for NetScaler 1.3
- Citrix Web Interface for Windows 5.4.

Resolution (Workaround)

As a workaround, don’t use obvious sequential numbers in the Citrix Web Interface site paths. So for portal1, do not create /Citrix/XenApp1 but create something like /Citrix/wohrtg079e4jd8jkw02 instead. The longer the better.

Another workaround, or add-on workaround, would be to carefully set permissions on published applications in the different environments, and not just use Domain Users.

I do not think a lot of customers will run into trouble with this since you need to be authenticated anyway, so the only threat that you could have is from your trusted users. And we all trust our users, right?
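
To check whether anyone is actually switching sites this way, request logs can be searched for portal/site combinations that do not belong together. The script below is an added example, not part of the original post; it assumes a log source that yields one request per line as "host user path", and the SITE_MAP contents, function names and sample lines are constructed for illustration:

```shell
#!/bin/sh
# Added example (not from the original post): flag requests where the portal
# hostname and the Web Interface site path do not belong together.
# Assumptions: one request per line as "host user path"; SITE_MAP mirrors the
# portalN => /Citrix/XenAppN layout from the post; all names are hypothetical.

SITE_MAP='portal1.domain.com=/Citrix/XenApp1 portal2.domain.com=/Citrix/XenApp2'

# Constructed sample log lines, not real traffic.
sample_log() {
    cat <<'EOF'
portal1.domain.com alice /Citrix/XenApp1/site/default.aspx
portal1.domain.com alice /Citrix/XenApp2/site/default.aspx
portal2.domain.com bob /citrix/xenapp2/site/default.aspx
portal2.domain.com carol /Citrix/xenapp1/
portal1.domain.com dave /vpn/index.html
unknown.domain.com erin /Citrix/XenApp1/
EOF
}

# find_cross_site < logfile
# Prints "user host expected-site requested-site" for every mismatch.
find_cross_site() {
    awk -v map="$SITE_MAP" '
    BEGIN {
        # Build host => site lookup from the space-separated host=site pairs.
        n = split(map, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            site[tolower(kv[1])] = kv[2]
        }
    }
    {
        host = tolower($1); user = $2; path = $3
        if (!(host in site)) next                    # not one of the portals
        if (tolower(path) !~ /^\/citrix\//) next     # not a Web Interface site
        # Reduce the request path to its site root: /Citrix/<name>
        split(path, p, "/")
        requested = "/Citrix/" p[3]
        # Site paths are compared case-insensitively.
        if (tolower(requested) != tolower(site[host]))
            print user, host, site[host], requested
    }'
}

sample_log | find_cross_site
```

Each output line names the user, the portal they authenticated on, the site that portal is supposed to use and the site they actually requested.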

Citrix NetScaler with SSD (first impression)

The Citrix NetScaler MPX 5500-7500 and 9500 appliance models now ship with Solid State Drives and say (good?)bye to the platter disk for these particular models. This was announced by Citrix back in February this year: http://blogs.citrix.com/2012/02/09/citrix-netscaler-moves-to-solid-state-drives-for-future-mpx-5500-7500-and-9500-shipments/

Citrix has been using Solid State Drives in the MPX 17500/19500/21500 platforms for a longer time but they are only used for mounting the /flash volume. In the MPX 5500/7500/9500 the /flash volume is mounted on a CompactFlash Card. The (platter) Hard Disk Drive which is now being replaced by an SSD is used for the /var volume, this is where all the data and logs files are kept.

I now have a set of Citrix NetScaler MPX 5500 series which has been delivered with such Solid State Drives. The SSD in question is a Samsung 2.5” 128GB SSD (SATA 3.0Gbps) which is known as a Samsung 470 series. This particular SSD can perform sequential reads up to 250 MB/sec and sequential writes at 220 MB/sec. In comparison to the latest releases of Solid State Drives those numbers are not amazing. More information on the SSD: http://www.samsung.com/us/computer/memory-storage/MZ-5PA128/US-specs

As you can see on the Samsung website this is not a high-end SSD for servers but merely a Desktop drive with mediocre specifications.

NetScaler_SSD

Copying files to the appliance.

Granted, not a really good test of the performance of an SSD, but I’m doing some basic setup stuff on these newly delivered appliances. Copying large files to the Citrix NetScaler is somewhat faster than it used to be. In the below example I’m copying the latest firmware to the appliance, which is about 165MB in size.

image

Upgrading the firmware.

Upgrading the appliance to a newer firmware build is somewhat faster than it was before.

Updating Citrix NetScaler to version 9.3-55.6

Booting the appliance

I am under the impression the appliance boots faster than the platter disk version; it takes the SSD Citrix NetScaler roughly 3 and a half minutes to boot. In the below boot video there is little to no configuration in the Citrix NetScaler. When I come across a platter version of the Citrix NetScaler MPX 5500 series I will post the videos side-by-side for comparison.

Booting the Citrix NetScaler MPX 5500 on SSD

Accessing the interface.

What I find pleasantly noticeable is that the normally sluggish Java interface is a bit faster to respond. But of course it is still Java slow.

Conclusion.

Time will tell if moving from the (finally) stable platter disks to SSD was a good decision made by Citrix. The NetScaler MPX line is good when it comes to stability of the platter disks; with the older Citrix NetScaler (7000, etc) series we had a relatively large amount of disk failures. Citrix NetScaler MPX did not seem to have that problem anymore.

The (relatively small) performance gain of the SSD shows when booting the appliance or doing maintenance on the machine (updating firmware, booting, extracting, etc), but how often do you do such a task? That’s right, as little as possible. I for one prefer stability of the Citrix NetScaler over a minimal boot time gain.

Another thing that I’m thinking of is wear leveling; there is really not much known about wear leveling of SSDs over a longer period of time, and they have not yet proven themselves to withstand years of read/write production.

As far as I know there is no TRIM functionality within Citrix NetScaler or FreeBSD, so I wonder what the performance will be like 6 months down the road. NetScaler still uses an old FreeBSD version which does not have this functionality built-in.

Another very valid reason for moving to SSD is simply consuming less power and be more green. This Solid State Drive consumes 0.24 Watts when active and about 0.14 Watts in Idle state, so that’s not bad. Since the performance is not that much different from the platter disk version, I think this has been the primary reason for Citrix to move to SSD.

Citrix_Go_Green

Again, I will post an update as soon as I have more info on this.

Copy webcontent to Citrix NS/AG from FTP site through a Cron job

I have a customer who would like the Citrix NetScaler (Access Gateway and AAA website) website to dynamically retrieve files to show customized content without web developers entering the Citrix NetScaler on a frequent basis.

One thing you do have to remember is that over-customizing the Citrix Access Gateway portal page is in fact not supported by Citrix. I do not think there are a lot of people out there who actually know this. Now, they will not act very difficult if you alter a picture here or there or customize a little text, but be aware of over-customizing. Next to support issues, you can run into trouble when new Citrix NetScaler updates come out that are not going to be aware of your customizations.

Now, this particular customer over-customizes a lot! What they wanted was an iFrame in the Access Gateway (and AAA) page which showed visitors updated news, links, RSS feeds etc. This iFrame showed the content of a Microsoft SharePoint environment (please, don’t ask why). We tried publishing this iFrame through Citrix NetScaler but it did not work (long story short, it was because of Microsoft SharePoint). So now we came up with the idea to copy this content periodically to the Citrix NetScaler through the use of a Cron job and FTP. (See image below).

1

Set up an FTP Site

Set up an FTP site with the file structure as you need it on the Citrix NetScaler. This can be any type of FTP, it doesn’t matter. Make sure the FTP site is in Read mode; no writes are necessary because we are going to get those files from Citrix NetScaler. In our case we have the following basic folder/file structure:
/RSS/index.html
/RSS/Images/picture1.png
/RSS/Images/picture2.png
/RSS/Images/picture3.png

Create the script on NetScaler

Create a script (in our example: rssftp.sh) on the Citrix NetScaler and place it in /var/tmp (vi rssftp.sh).

The below script will create an RSS and an Images folder in the /netscaler/ns_gui/vpn/ folder if it does not exist. Pretty basic FTP stuff in there. I’m sure there are guys out there who have much better suggestions for this. If you have, let me know.

#!/bin/sh
# Pull the RSS content from the FTP site into the Access Gateway web root.
FTP_HOST="<put ftp IP-Address here>"   # replace with the FTP server address
# -n: no auto-login, -i: no prompting during mget
ftp -n -i "$FTP_HOST" <<EOF
user ftp_user ftp_password
!mkdir -p /netscaler/ns_gui/vpn/RSS
lcd /netscaler/ns_gui/vpn/RSS
bin
cd RSS
mget -f *
!mkdir -p /netscaler/ns_gui/vpn/RSS/Images
lcd /netscaler/ns_gui/vpn/RSS/Images
cd Images
mget -f *
quit
EOF

Give the script file execute permission:

root@ns# chmod +x rssftp.sh

Add the following lines to the /nsconfig/rc.netscaler file (create it if it does not exist):

cp /var/tmp/rssftp.sh /usr/bin/rssftp.sh
echo "0-59/15 *       *       *       *       root    rssftp.sh" >> /etc/crontab
chmod a+x /etc/crontab

The manual entries created in the Crontab file are not retained after a Citrix NetScaler reboot, that’s why they need to be added to the rc.netscaler file which is a script that will run on every boot. Same goes for copying the rssftp.sh file from /var/tmp to /usr/bin. /usr/bin is not retained.

Note: in the above line this script (cron job) will run every 15 minutes, more information on the cron job scheduler can be found here:
http://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/

Execute the following line:

echo "0-59/15 * * * * root rssftp.sh" >> /etc/crontab

Verify if the /etc/crontab file has the entry we created in the previous step by executing command “cat /etc/crontab”:

root@ns# cat /etc/crontab
SHELL=/bin/sh
PATH=/netscaler:/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#minute hour    mday    month   wday    who     command
0       *       *       *       *       root    newsyslog
#
# time zone change adjustment for wall cmos clock,
# does nothing, if you have UTC cmos clock.
# See adjkerntz(8) for details.
1,31    0-5     *       *       *       root    adjkerntz -a
*       *       *       *       *       root    nsfsyncd -p
0-59/15 *       *       *       *       root    rssftp.sh

Now, as a result, every 15 minutes the content of /netscaler/ns_gui/vpn/RSS and /netscaler/ns_gui/vpn/RSS/Images will be overwritten by the FTP Cron Job.

I am aware that this setup will probably not be needed very often at customer sites, but bits and pieces of this solution may come in handy.
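
Because everything the cron job fetches is served from the logon page directory, one option is to point the script's lcd at a staging directory and publish only the file types you expect. The function below is an added example, not part of the original script; the names publish_staged and make_sample_tree, the staging path in the usage comment and the extension allowlist are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): publish fetched content from a
# staging directory into the web root, copying only allowlisted static files.
# Assumed names: publish_staged, make_sample_tree, the extension allowlist.
# Usage: publish_staged /var/tmp/rss_staging /netscaler/ns_gui/vpn/RSS

# publish_staged STAGING TARGET
# Copies allowlisted regular files and keeps the directory layout. Symlinks
# and unexpected file types stay in staging. Prints the number of rejected
# entries on stdout; returns 1 if anything was rejected, 2 on setup errors.
publish_staged() {
    staging=${1%/}
    target=${2%/}
    rejected=0
    [ -d "$staging" ] || { echo "no staging directory: $staging" >&2; return 2; }

    list=$(mktemp) || return 2
    # find does not follow symlinks by default, so links show up as -type l.
    find "$staging" \( -type f -o -type l \) -print > "$list"

    while IFS= read -r path; do
        rel=${path#"$staging"/}
        ok=no
        if [ ! -L "$path" ] && [ -f "$path" ]; then
            case "$rel" in
                *.html|*.png|*.jpg|*.gif|*.css) ok=yes ;;
            esac
        fi
        if [ "$ok" = yes ]; then
            mkdir -p "$target/$(dirname "$rel")"
            cp "$path" "$target/$rel"
        else
            echo "rejected: $rel" >&2
            rejected=$((rejected + 1))
        fi
    done < "$list"
    rm -f "$list"

    echo "$rejected"
    [ "$rejected" -eq 0 ]
}

# Builds a constructed staging tree for trying the function out:
# two expected files, one script and one symlink with an allowed name.
make_sample_tree() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/Images"
    echo '<html><body>news</body></html>' > "$d/index.html"
    printf 'constructed-image-bytes' > "$d/Images/picture1.png"
    echo 'echo unexpected' > "$d/update.sh"
    ln -s /etc/hosts "$d/Images/link.png"
    echo "$d"
}
```

A non-zero return from the cron wrapper is a cheap signal that the FTP site started serving something other than the agreed content.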

Resources I used for inspiration:
Thread: Nightly Automated Backups with Cron – SCP config
http://forums.citrix.com/thread.jspa?threadID=295867&tstart=0

HowTo: Add Jobs To cron Under Linux or UNIX?
http://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/

[BUG] “Unexpected Response” Access Gateway Enterprise in NetScaler build 9.3-53.5

If you are using Citrix Receiver on iOS or Android to access published applications on Citrix Access Gateway Enterprise (NetScaler), do not upgrade to the latest firmware, which is 9.3-53.5.

Users will get an “Unexpected Response” on an iOS device when they try to login to a Citrix Access Gateway environment. On Android the error statement is “The Citrix Access Gateway you are connecting to is not configured for this device. Please contact your administrator."

On the Citrix Forum there is a post where more users are reporting this issue: http://forums.citrix.com/thread.jspa?threadID=297625

Citrix is aware of the issue and are working on it.

Update: Problem is resolved as of build 9.3-54.4 or newer.

Unexpected_Error

Configure RSA RADIUS monitoring on NetScaler

Ok, so this one is pretty easy and speaks for itself for the most part but can have some pitfalls while configuring.

In this example we are going to assume that the RSA backend is already in place and functioning properly.

Why

A good question is why you would want to. When you leave the monitoring at its default, which would be tcp-default, it marks the server up as soon as it responds to a TCP connection. That is simply not enough; we need to make sure that the RSA RADIUS Service is actually up and ready to accept connections.

Prerequisites

Make sure you have an account configured in RSA Authentication Manager that is authorized to send the response that you want to retrieve from the RSA Radius service. More on the RADIUS Response codes later on and why you would like to use a valid account.

Next to the account we are assuming that authentication is working properly and the Citrix NetScaler IP is added in RSA as a host that is allowed to use RSA RADIUS Authentication.

The Basics (load balancing)

Create a load balanced Virtual Server where the (in our case) two RSA Servers reside (the IP addresses mentioned are of course to be adjusted accordingly).

add server rsa01.domain.local 192.168.0.1
add server rsa02.domain.local 192.168.0.2

add serviceGroup sg_radius_rsa_001 RADIUS -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport NO -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED

add lb vserver lb_vs_rsa_001 RADIUS 192.168.0.3 1812 -persistenceType NONE -cltTimeout 120

bind serviceGroup sg_radius_rsa_001 rsa01.domain.local 1812
bind serviceGroup sg_radius_rsa_001 rsa02.domain.local 1812

Creating the Monitor (Standard Parameters)

Create a monitor as displayed below. The important things to configure are the Type (RADIUS) and Destination Port (1812) on the Standard Parameters tab.

Note: I had to change the Response Time-out setting to 4 (default is 2) since the response took longer than 2 seconds to be received by Citrix NetScaler (this is something to check).

image

In the screenshot below you can see that the response takes a bit more than 2 seconds to be received, meaning we had to adjust the Response time-out within Monitor => Standard Parameters.

image

Creating the Monitor (Special Parameters)

Under the Special Parameters put in the credentials of the account created within RSA Authentication Manager that will return the proper response. As a Response Code we have chosen to go with 2, which is Access-Accept.

image

add lb monitor radius-rsa RADIUS -respCode 2 -userName netscaler_monitoring -password dc0b445466e821 -encrypted -radKey e93d11543846hf963ef -encrypted -LRTM ENABLED -resptimeout 4 -destPort 1812

RADIUS Response Codes

There are different types of RADIUS Response Codes, see the table below. When you cannot or don’t want to create a user account within RSA Authentication Manager, you will not be able to receive a Code 2 (Access-Accept) response and cannot verify that the entire authentication chain is actually working. Citrix NetScaler would then keep sending authentication requests to the RSA service even though the database is down: RADIUS still answers with Access-Reject, so according to Citrix NetScaler the server is up and running and ready to accept authentication requests.

image

More information on RADIUS: http://en.wikipedia.org/wiki/RADIUS
