NetScaler Times newsletter for Week 52 - 2024
A New 14.1 build for both NetScaler and Console, including a new Next Gen API which is GA.
Hello Everyone
It’s Andrew again over at Cloud Software Group. This NetScaler Times update aims to keep you up-to-date! 🚀 Why read this? The idea is to pull together events, firmware releases, support articles, and anything else I think is relevant into a single email. Some say email is the future, others tell the truth! I have devoted much of this newsletter to some 14.1 updates.
High-level agenda according to Gemini, other AI tools are available too:-)
The NetScaler Times newsletter provides updates on NetScaler firmware, including new features and fixes.
The latest NetScaler build (14.1-38.53) includes 14 new items, such as RFC 5424 compliance for audit logs, hot swapping for location database, and support for IPv6 DNS query in the Forward proxy feature.
The NetScaler Console build (14.1-38.53) includes 7 new features, such as an SSL widget in the custom dashboard and sort and search support in the custom dashboard.
The newsletter also highlights recent security bulletins and upcoming events.
Feedback, please drop me a note: Andrew.Scott@cloud.com
1. The latest firmware builds.
The details for the various builds have been listed below, as this helps plan for new releases in your environment. This support document has a lot more details on the various release cycles.
The NetScaler has multiple form factors to support different environments. NetScaler is built on a single operating system with a software-based architecture, so the behavior will be the same no matter which is used — hardware, virtual machine, bare metal, or container. Pick one that works for you…
Latest Build Versions:
New NetScaler and NetScaler Console builds were released last week. The following two sections give a high-level summary and links to the docs pages.
NetScaler 14.1-38.53 Updates
There are 14 new items in this build. Here is the top-level summary, with the doc links for further reading (bedtime?).
RFC 5424 compliance for audit logs generated from syslog action. See Configuring NetScaler appliance for audit logging.
Ability to export custom headers with transaction records. See Export transaction logs directly from NetScaler to Splunk and Export transaction logs directly from NetScaler to Elasticsearch.
Migrate audit log policies from classic to advanced policy infrastructure. See Running the nspepi tool.
Hot swapping for location database. NetScaler can now use the existing location database file until the new location file is fully implemented. This enhancement ensures continuous service and minimizes potential disruptions. Previously, updating the location database could disrupt traffic for location-based load... See Add a location file to create a static proximity database.
Support for DF bit persistence over NetScaler Gateway
The DF bit persistence feature preserves the original DF bit value of packets throughout the entire session. See PMTUD and DF bit propagation for EDT over NetScaler Gateway for more.
License expiry instantly restricts data traffic processing
When the SDX license expires, the Management Service now restricts the data traffic processing capacity of associated VPXs by reducing throughput to 20 Mbps. This restriction is now applied immediately without requiring a restart of the Management Service. Previously, this restriction used to take effect... See SDX Licensing Overview.
Support for IPv6 DNS query in the Forward proxy feature
NetScaler now supports IPv6 DNS queries in the forward proxy for the domain that is hosted only with IPv6 addresses. Use the following command to set the resolution order to first attempt an IPv4 (A) query, followed by an IPv6 (AAAA) query if the IPv4 query fails.
`set dns parameter -resolutionOrder AThenAAAAQuery`
Support to dynamically expose a counter to SNMP
You can now dynamically expose counters to SNMP queries by configuring the counter details in the `/nsconfig/custom_get.yaml` file. For more information, see Custom SNMP OIDs.
Support for binary signing and verification to enhance security
NetScaler now supports binary signing and verification (BSV) on all FreeBSD-based platforms. See Binary signing and verification for enhanced system security.
Support for variables in non-TCP protocols
NetScaler now extends the variables feature to support non-TCP protocols, enhancing its ability to dynamically manage and control traffic across a broader range of protocols. Previously, variables were limited to TCP-based traffic. With this enhancement, variables are applied to protocols such as UDP, DNS, RADIUS, and can be used in various use cases, such as:
DNS Tunneling Protection
UDP Traffic Management
OCSP stapling enhancement in TLS 1.3 handshakes
Front-end virtual servers now include the requested OCSP status in all TLS handshakes when OCSP stapling is enabled, regardless of whether the status is cached or the cache is disabled. See OCSP stapling.
Support for Heal-the-BREACH technique to enhance security
NetScaler now supports the Heal-the-BREACH (HTB) technique to mitigate the BREACH attack in its HTTP compression feature. This support improves security by preventing attackers from stealing sensitive data through BREACH attacks on compressed HTTP... See HTTP compression.
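As an added illustration of the idea behind Heal-the-BREACH (this is not NetScaler code, and how NetScaler implements the feature is not described here): the published HTB technique puts a dummy file name of random length in the gzip header, so the size of a compressed response varies from request to request while the decompressed body is unchanged. The function names and the 1 to 10 byte padding range are assumptions made for this sketch.

```python
import gzip
import secrets
import struct
import zlib

FNAME = 0x08  # gzip header flag: a zero-terminated file name follows (RFC 1952)

def gzip_member(body: bytes, fname: bytes = b"") -> bytes:
    """Build one gzip member by hand, optionally with an FNAME header field."""
    flags = FNAME if fname else 0
    # ID1 ID2 CM FLG | MTIME (4 bytes, 0 = not set) | XFL | OS (255 = unknown)
    header = bytes([0x1F, 0x8B, 0x08, flags]) + struct.pack("<I", 0) + b"\x00\xff"
    if fname:
        header += fname + b"\x00"
    deflater = zlib.compressobj(6, zlib.DEFLATED, -15)  # -15 selects raw DEFLATE
    deflated = deflater.compress(body) + deflater.flush()
    trailer = struct.pack("<II", zlib.crc32(body), len(body) & 0xFFFFFFFF)
    return header + deflated + trailer

def htb_gzip(body: bytes, max_pad: int = 10) -> bytes:
    """Compress body and add a random-length dummy file name (1..max_pad bytes)."""
    pad_len = 1 + secrets.randbelow(max_pad)
    fname = bytes(secrets.choice(b"abcdefghijklmnopqrstuvwxyz") for _ in range(pad_len))
    return gzip_member(body, fname)

def observed_lengths(body: bytes, runs: int = 200) -> set:
    """Distinct on-the-wire sizes an observer would see for the same body."""
    return {len(htb_gzip(body)) for _ in range(runs)}

# Constructed response body: a secret value next to reflected request input.
BODY = b"<input name='csrf' value='7f3a9c'><p>search: csrf=7f</p>" * 4

if __name__ == "__main__":
    assert gzip.decompress(htb_gzip(BODY)) == BODY  # clients decode it normally
    print("without HTB:", len(gzip_member(BODY)), "bytes every time")
    print("with HTB   :", sorted(observed_lengths(BODY)))
```

The padding is bounded noise, so it raises the number of requests a length-based attack needs rather than removing the compression side channel itself.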
Flexed/Pooled license expiry notifications
On the *System > Licenses > ADC License > Manage Licenses* page of the NetScaler GUI, you can now see the *Days to Expiration* field that specifies the number of days remaining until the license expires.
You must review the "Days to Expiration" information and then configure NetScaler to display an alert in the GUI... See Configure NetScaler license expiry alerts.
General Availability (GA) of NetScaler Next-Gen API
NetScaler Next-Gen API is now available for general use. For more information, see NetScaler Next-Gen API getting started guide.
NetScaler Console 14.1-38.53 updates
There are 7 new features in Console on-premises.
SSL widget in the custom dashboard
In the custom dashboard (Overview > Custom dashboard), you can now create dashboards to view metrics related to SSL configuration. For more information on creating a custom dashboard, see:
NetScaler Console service: Create custom dashboards to view instance key metric...
Sort and search support in the custom dashboard
In Custom Dashboard (Overview > Custom Dashboard), you can now use the:
Sort option to display the custom dashboards alphabetically.
Search options (both plain text and regular expression) to narrow down the search results.
Changes in Network Functions polling intervals
The default NetScaler Console polling interval for NetScaler configuration changes is now every 12 hours (720 minutes), changed from 1 hour (60 minutes). Navigate to Infrastructure > Network Functions, click Settings, and under Network Functions based on Configuration Change, specify the time in the Delay time for Network Functions text box (minimum 5 minutes and maximum 60 minutes), and click Save.
After you specify the time, whenever the next configuration change event occurs, NetScaler Console polls after the configured duration.
Support to configure NetScaler Console in Nutanix hypervisor
You can now configure NetScaler Console running 14.1-38.x or later build on Nutanix hypervisor (Acropolis) by using the existing Linux-KVM software image. For more information, see NetScaler Console on Nutanix hypervisor.
Option to delete SSL certificate from NetScaler
You can now delete an SSL certificate from NetScaler. Earlier, when you deleted the file from Infrastructure > SSL Dashboard, it only removed it from the running configuration. The associated certificate file was not deleted from...
For more information, see:
For NetScaler Console on-prem: SSL Dashboard
For NetScaler Console service: SSL Dashboard
Enhanced user experience in NetScaler Console GUI
The NetScaler Console service now offers an improved Graphical User Interface (GUI) for a better user experience. Key improvements include:
Hover-to-Display menu: The primary menu tree structure is replaced with a hover-to-display feature for easier navigation. Secondary menu items appear when hovered over, displaying a submenu for quicker selection.
Streamlined menu hierarchy: The menu hierarchy is now limited to a maximum of three levels, simplifying access to key options.
Updated submenu labels: Submenu names are revised for options previously nested beyond the third level.
Collapsible menu: The entire menu can now be collapsed or expanded by clicking an icon in the pane, providing more screen space.
Sidebar toggle: A new toggle button on the breadcrumb allows you to hide or show the sidebar, optimizing the workspace.
Set home page: You can now set a displayed page as your homepage by clicking the icon next to the submenu name.
Pin favorite items: Easily pin your favorite menu items for faster access.
For more information, see:
For NetScaler Console service: Enhanced GUI.
For NetScaler Console on-prem: Enhanced GUI.
Sharing configuration entities between migrated configurations
You can now reuse configuration entities when migrating configurations using the Config Migration utility. Subsequent migrations successfully reuse existing configuration entities on the target ADC that were created by earlier migrations. Previously, the migration of configurations failed with an error Resource already For more information, see: Simplified migration using StyleBook
Which release should I use?
The release families are designed such that 14.1 has more elements changing with each update, hence the feature phase designation. There will be less change in 13.1, so unless you need a capability only available in the 14.1 release, the advice is to choose 13.1 for most production deployments.
2. Standouts from the updates?
As there are so many updates listed above, I thought I would pull out five for your attention!
There was a conversation earlier this year where I was talking with a consultant in Germany who had something to say about GSLB db updates and how he disliked the process. Point 4 in the NetScaler updates covers a new update process that allows for a smooth transfer between the old and new db. Maybe one for him?
Hitesh recently did a session where he talked about using counters and converting them to SNMP traps. Watch him and the team cover it on demand.
General Availability (GA) of NetScaler Next-Gen API is a big thing! The idea is that it is based on a declarative, desired-state and application-centric interface, and aims to abstract away and simplify much of the low-level complexity of traditional NetScaler configurations, making it more suitable for application developers, even those who are not networking or ADC experts.
This build is significant with regard to licensing. The changes include an immediate reduction in the ability to process traffic on SDX instances after expiry. In most cases, this won’t be a problem. That said, there are some cases where customers forget the renewal. In this case, the other alerting update should help trigger a warning when you are getting close.
The console has a new GUI. I think it is great, not as ‘jumpy’ as the old one.
3. Recent security bulletin
NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2024-8534 and CVE-2024-8535 is the most recent I can see on the support portal.
CTX Number: CTX691608
Article Type: Security Bulletin
Created Date: 12/Nov/2024
Last Modified Date: 14/Nov/2024
Severity: High
Pre-requisites for CVE-2024-8534
The appliance must be configured as a Gateway (VPN Vserver) with RDP Feature enabled
OR
The appliance must be configured as a Gateway (VPN Vserver) and RDP Proxy Server Profile is created and set to Gateway (VPN Vserver)
OR
The appliance must be configured as an Auth Server (AAA Vserver) with RDP Feature enabled
Pre-requisites for CVE-2024-8535
The appliance must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) with KCDAccount configuration for Kerberos SSO to access backend resources
OR
The appliance must be configured as an Auth Server (AAA Vserver) with KCDAccount configuration for Kerberos SSO to access backend resources
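One way to triage a fleet against these prerequisite lists is to scan each saved configuration for the matching statements. The sketch below is an added example, not part of the bulletin or of any NetScaler tooling; the mapping from the bulletin's wording to ns.conf lines is an assumption of this example, and the sample configuration is constructed.

```python
import re

# Constructed ns.conf excerpt (names, addresses and paths are made up).
SAMPLE_NS_CONF = """\
enable ns feature LB SSL SSLVPN AAA RDPProxy
add rdp serverProfile rdp_prof -psk EXAMPLE
add vpn vserver gw_vs SSL 192.0.2.10 443 -rdpServerProfileName rdp_prof
add authentication vserver aaa_vs SSL 192.0.2.11 443
add aaa kcdAccount kcd_acct -keytab /nsconfig/krb/example.keytab
"""

# Assumed mapping from the bulletin's wording to configuration statements.
PATTERNS = {
    "gateway": r"^add vpn vserver\s",
    "aaa_vserver": r"^add authentication vserver\s",
    "rdp_feature": r"^enable ns feature\s.*\bRDPProxy\b",
    "rdp_profile": r"^add rdp serverProfile\s",
    "rdp_profile_on_gateway": r"^(add|set) vpn vserver\s.*-rdpServerProfileName\s+\S",
    "kcd_account": r"^add aaa kcdAccount\s",
}

def find_markers(conf: str) -> dict:
    """Return, per marker, the configuration lines that match it."""
    hits = {name: [] for name in PATTERNS}
    for line in conf.splitlines():
        line = line.strip()
        for name, pattern in PATTERNS.items():
            if re.search(pattern, line, re.IGNORECASE):
                hits[name].append(line)
    return hits

def prerequisites_met(conf: str) -> dict:
    """Evaluate the OR-lists from the bulletin against one configuration."""
    m = {name: bool(lines) for name, lines in find_markers(conf).items()}
    return {
        "CVE-2024-8534": (
            (m["gateway"] and m["rdp_feature"])
            or (m["gateway"] and m["rdp_profile"] and m["rdp_profile_on_gateway"])
            or (m["aaa_vserver"] and m["rdp_feature"])
        ),
        "CVE-2024-8535": (m["gateway"] or m["aaa_vserver"]) and m["kcd_account"],
    }

if __name__ == "__main__":
    for cve, met in prerequisites_met(SAMPLE_NS_CONF).items():
        print(cve, "prerequisites present" if met else "prerequisites not found")
```

A match only says the precondition is configured; it says nothing about the build the appliance runs, and the KCDAccount check is coarse because it does not follow where the account is referenced.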
NetScaler WAF Signatures Update v142
NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate several CVEs with varying CVSS scores.
Link to details
4. Events
It looks like there are five webinars for Dec. I have added a Citrix Cloud one too.
Community Live Demo: Proactive Monitoring with customized SNMP traps in NetScaler
05 December 2024, 4:00 PM - 4:30 PM
Discover how to optimize your NetScaler monitoring strategy with customized SNMP traps. This session will empower you to configure SNMP traps tailored to your unique use cases. Learn how to select and monitor critical NetScaler counters, set thresholds, and receive timely alerts to ensure proactive system management. Whether you're monitoring traffic spikes, server health, or other critical metrics, this webinar will provide you with actionable steps to enhance your alerting capabilities.
In this live demo, the NetScaler experts will cover:
Why Customized SNMP Traps Are Essential in Network Performance Monitoring
Overview of SNMP traps and their role in network monitoring
Custom SNMP Trap framework
Live Demo: Configuring SNMP Traps in NetScaler
Event page
Community Live Demo: What's new with Citrix | Citrix Cloud experience revamped
11 December 2024, 4:00 PM - 5:00 PM
Earlier this year we introduced the Citrix platform and a commitment to you to build a simplified, unified platform to deliver and manage secure application access to any device and any user. We are now delivering on this promise and introducing wide-ranging product changes from the new Citrix Cloud home page to uniform navigation across all our products.
In this webinar, Citrix experts will highlight:
Why are we making these changes
What are the changes - new Citrix Cloud home page and navigation changes across all products
Demo
The event page is here
Community Live Demo: Simplifying NetScaler VPX HA deployment on Azure without an Azure Load Balancer
12 December 2024, 4:00 PM - 4:30 PM
Setting up NetScaler VPX in High Availability (HA) mode on Azure often requires an Azure Load Balancer (ALB), which adds complexity and increases costs for customers. In this live demo, we’ll show you a new, optimized solution that allows VPX HA deployment without relying on ALB. This approach reduces deployment steps, simplifies network configurations, and lowers the cost of running your workloads on Azure, all while maintaining seamless failover and application availability. If you're a cloud architect, network engineer, or IT admin looking for a more efficient and cost-effective way to deploy NetScaler VPX on Azure, this demo is for you. Don’t miss it!
In this live demo, the NetScaler experts will deep dive into:
Overview of the existing NetScaler HA deployment options on Azure
Deep dive into the simplified NetScaler HA solution on Azure, including the pre-requisites
Live demo showcasing the new and improved NetScaler HA solution
Event page
Community Live | What's new with NetScaler-APJ/EMEA | Dec 19
Community Live | What's new with NetScaler-Americas | Dec 19
19 December 2024, 8:30 AM - 9:30 AM
19 December 2024, 4:00 PM - 5:00 PM
In this monthly webinar, the NetScaler experts will cover:
Support Assist: Troubleshooting and best practices on common NetScaler use cases
NetScaler Next-Gen API new features updates
What’s new in Cloud Native
EMEA/APJ page
Americas page
Labs
Go here for the hands-on labs. Link
5. Feedback for this newsletter
Naturally, if you feel something should be added, removed, or called out, drop me a note: Andrew.Scott@cloud.com. All mistakes are mine.
I would happily get feedback on what you could do with seeing more of or what you find hard to set up. You can get all the previous newsletters plus other articles here:
Have a great week!