Score:1

Deploying Citrix ADC CPX to Docker - Seems to be Running, Questions about Configuration, etc


I have a setup where I have an application that needs to communicate with a device on our intranet that does not have support for TLS connections built in. It was suggested that we use Citrix ADC to perform load balancing and to provide the TLS interface between the WAN / firewall and the receiving device. The setup is described here: Citrix ADC (NetScaler) TLS Termination Guide. If you browse down the page there a bit, you'll see a section that begins with "Citrix ADC TLS Termination Setup", and it looks like there is a GUI interface for performing the configuration.

I installed a Docker version of Citrix ADC CPX using a compose file similar to this:

services:
  citrixadccpx:
    container_name: CPX_0
    image: store/citrix/citrixadccpx:xxxxxx
    privileged: true # needed for multi-core
    ports:
      -  9443:9443
      -  22
      -  9080:9080
      -  161/udp
      -  35021-35030
    tty: true
    cap_add:
      - NET_ADMIN
    ulimits:
      core: -1
    volumes:
      - ./citrix:/cpx
    environment:
      -  CPX_CORES=2
      -  EULA=yes
      # -  NS_NETMODE="HOST"

The container is running and accessible via docker-exec, where I can run a command like:

# cli_script.sh "show ns config"
exec: show ns config
    NetScaler IP: 172.18.0.6  (mask: 255.255.0.0)
    Number of MappedIP(s): 0
    Node: Standalone
                       System Time: Thu Aug 19 11:08:51 2021
          Last Config Changed Time: Thu Aug 19 02:16:57 2021
    Config Changed since Last Saved Config: TRUE

and there is a connection via the web at: https://192.168.0.100:9443/nitro/v1/config/

that just shows a bunch of JSON. I was hoping that there would be a pretty GUI like the one shown in the referenced document to set up and manage NetScaler. That is apparently for the REST interface and API?

So questions:

  1. Is there a GUI or a decent manual / instructions somewhere on how to set up and configure using "cli_script.sh" or maybe a config file?

  2. Is there a GUI that can be used with the Docker version? See also: Deploying a Citrix ADC CPX Instance in Docker

  3. Could I just as easily use an NGINX instance specifically for proxying TLS requests to my other devices? That would probably be easier since I have some experience with NGINX. I've never used Citrix NetScaler before, but it would be nice to learn.

  4. Similarly, there is a FortiGate router / firewall at the WAN interface. I am not very knowledgeable about that, but perhaps that could also be used as a TLS interface for that connection; but again, it would be nice to learn how to use NetScaler.

  5. Does the OS host version (non-Docker version) of NetScaler come with a GUI management interface? That would be another option. My host OS is Ubuntu 20.x.

As an example, say we have incoming requests on port 11112 via a TLS connection. We would probably just have the FortiGate forward the incoming request to the server that is running the Docker containers, to the external port 11112 for either NGINX or Citrix, and then they would proxy (within the container network) to the endpoint.

Score:1

I'm not aware of a pretty GUI wrapper for the CPXs; however, everything can be done via the CLI by wrapping it in cli_script.sh.

If you want a pretty GUI you can use the freemium VPX on one of many popular hypervisors instead, or use them and capture the command-line config they add.

Note ADM can manage CPXs, so it can do a number of tasks for you if you are not cmdline savvy. I know when you log in to the VPX via ADM it uses the standard web interface (neo), and I have not had a chance to see how any CPXs appear doing the same.

Just be aware of usage restrictions on free licenses.

Most VPX setup doco includes the command-line equivalent, so it isn't too hard to get one set up. From my experience the doco for NetScalers is far better than the forti* products.

i.e. setting up a load-balanced vserver: https://docs.citrix.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-setup.html

Note: if the TLS traffic is not HTTPS, make sure the type of vserver is SSL_TCP so you can bind that certificate. ADM can help with other tasks too, like uploading certs, or using other StyleBooks to build stuff off of a template: https://docs.citrix.com/en-us/citrix-application-delivery-management-service/stylebooks/how-to-create-custom-stylebooks/how-to-create-stylebook-to-upload-ssl-certificate-and-key-files.html. Otherwise drop it into the nsconfig folder (/nsconfig/ssl), which should be pointing at an external filesystem as part of setup.
mangohost
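As an added example (not from the question, the answer or Citrix's own documentation), here is what the CLI-only workflow the answer and comment describe looks like for the asker's port-11112 scenario: one SSL_TCP virtual server that terminates TLS and forwards plain TCP to the intranet device, with the certificate bound from /nsconfig/ssl and the legacy SSL/TLS versions disabled, applied through the cli_script.sh wrapper shown in the question. The NSIP 172.18.0.6 comes from the question's "show ns config" output; the backend address 172.18.0.20, the object names and the certificate file names are assumptions, and the certificate and key files are assumed to already be in /nsconfig/ssl.

```shell
#!/bin/sh
# Added example, not code from the question or answer. Generates and applies the
# NetScaler CLI commands for "TLS in, plain TCP out" on a Citrix ADC CPX.
# Assumed values: backend 172.18.0.20, object names, cert file names.

# Emit the configuration commands for one SSL_TCP virtual server that
# terminates TLS on $1:$2 and forwards plain TCP to $3:$4 using certkey $5.
# The certificate and key are expected at /nsconfig/ssl/<certkey>.crt/.key.
cpx_tls_commands() {
  vip=$1; vport=$2; backend=$3; bport=$4; cert=$5
  vs="vs_tls_${vport}"
  cat <<EOF
add server be_${bport} ${backend}
add service svc_${bport} be_${bport} TCP ${bport}
add lb vserver ${vs} SSL_TCP ${vip} ${vport}
bind lb vserver ${vs} svc_${bport}
add ssl certKey ${cert} -cert /nsconfig/ssl/${cert}.crt -key /nsconfig/ssl/${cert}.key
bind ssl vserver ${vs} -certkeyName ${cert}
set ssl vserver ${vs} -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
save ns config
EOF
}

# Run each command through cli_script.sh when it is on the PATH (i.e. inside
# the CPX container); otherwise print them so the change can be reviewed first.
cpx_apply() {
  cpx_tls_commands "$@" | while IFS= read -r cmd; do
    if command -v cli_script.sh >/dev/null 2>&1; then
      cli_script.sh "$cmd"
    else
      echo "[dry-run] $cmd"
    fi
  done
}

# Number of commands that would be applied; a cheap sanity check before a run.
cpx_command_count() {
  cpx_tls_commands "$@" | wc -l | tr -d ' '
}

# VIP on the container's NSIP (from the question's output), TLS on 11112,
# plain TCP to the assumed intranet device 172.18.0.20:11112.
cpx_apply 172.18.0.6 11112 172.18.0.20 11112 dev_cert
```

Outside the container the script only prints the commands, which is a convenient way to keep the intended configuration in version control; inside it, `cli_script.sh "show lb vserver vs_tls_11112"` and `cli_script.sh "show ssl vserver vs_tls_11112"` confirm the vserver is UP and which certificate and protocol versions are in effect. If the CPX runs with a different network mode, the VIP argument is the part to change.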
