Skip to content

PowerShell module for interacting with Citrix NetScaler via the Nitro API

License

Notifications You must be signed in to change notification settings

devblackops/NetScaler

Repository files navigation

Build status

NetScaler

PowerShell module for interacting with Citrix NetScaler via the Nitro API.

This module contains functions that abstract away the nitty-gritty aspects of the Nitro API. It provides a set of idiomatic PowerShell functions with parameter validation and inline documentation. The module can be used for both a better command line experience and writing scripts that automate NetScaler setup.

Getting started

Login into NetScaler

This script establishes a session with the NetScaler instance and sets its host name:

$Nsip, $Username, $Password = "1.2.3.4", "nsroot", "nsroot"

$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ($Username, $SecurePassword)

$Session =  Connect-Netscaler -Hostname $Nsip -Credential $Credential -PassThru

Set-NSHostname -Hostname ns01 -Force -Session $Session

Initial setup

Once logged into a freshly installed NetScaler, the following script sets up the time zone, installs a license, saves the configuration and reboots:

Set-NSTimeZone -TimeZone 'GMT+01:00-CET-Europe/Zurich' -Session $Session -Force

Install-NSLicense -Path licenses/license.lic -Session $Session
Restart-NetScaler -WarmReboot -Wait -SaveConfig -Session $Session -Force

After reboot, a reconnection is required:

$Session =  Connect-Netscaler -Hostname $Nsip -Credential $Credential -PassThru

Basic tasks

Once initial setup is done, regular configuration can start. The following commands will set up a VIP and SNIP:

Add-NSIPResource -Type SNIP -IPAddress 172.16.124.11 -SubNetMask '255.255.255.0' -VServer -Session $Session

Add-NSIPResource -Type VIP  -IPAddress 172.16.124.12 -SubNetMask '255.255.255.0' -VServer -Session $Session

This will add a DNS server:

Add-NSDnsNameServer -IPAddress 1.2.3.10

The line below will enable the following features:

  • Authentication, Authorization and Auditing,
  • Load balancing,
  • Rewrite,
  • SSL offloading.
Enable-NSFeature -Session $Session -Force -Name "aaa", "lb", "rewrite", "ssl"

Setting up a reverse proxy

The above example deal with setting up the stage. However, to configure NetScaler for some real work, more complex set of commands is needed. Usually, this kind of work can be abstracted in a PowerShell function. For instance, the following function will create a very simple reverse proxy:

New-ReverseProxy -IPAddress 172.16.124.12 -ExternalFQDN www.extlab.local -InternalFQDN www.lab.local

The actual implementation could be:

function New-ReverseProxy {
    Param(
        [String]$IPAddress,
        [String]$ExternalFQDN,
        [String]$InternalFQDN,
        [String]$CertificateName = $ExternalFQDN
    )
    $VServerName = "vsrv-$ExternalFQDN"
    $ServerName = "srv-$InternalFQDN"

    New-NSLBServer -Name $ServerName -Domain $InternalFQDN
    Enable-NSLBServer -Name $ServerName -Force
    New-NSLBServiceGroup -Name svg-$ExternalFQDN -Protocol HTTP
    New-NSLBServiceGroupMember -Name svg-$ExternalFQDN -ServerName $ServerName

    New-NSLBVirtualServer -Name $VServerName -IPAddress $IPAddress -ServiceType SSL -Port 443
    Add-NSLBVirtualServerBinding -VirtualServerName $VServerName -ServiceGroupName svg-$ExternalFQDN
    Enable-NSLBVirtualServer -Name $VServerName -Force

    Add-NSLBSSLVirtualServerCertificateBinding -Certificate $CertificateName -VirtualServerName $VServerName

    New-NSRewriteAction -Name "act-proxy-host-$InternalFQDN" -Type Replace -Target 'HTTP.REQ.HOSTNAME' -Expression "`"$InternalFQDN`""
    New-NSRewritePolicy -Name "pol-proxy-host-$InternalFQDN" -ActionName "act-proxy-host-$InternalFQDN" -Rule "true"
    Add-NSLBVirtualServerRewritePolicyBinding -VirtualServerName $VServerName -PolicyName "pol-proxy-host-$InternalFQDN" `
        -BindPoint Request -Priority 100
}

Beyond the module

Although, the module is still a work in progress, there are already more than 140 functions implemented. Those functions cover most needs. However, you might occasionally need a Nitro resource that is not implemented. In that case you can rely on a simple call to Invoke-Nitro. For instance, the following call will set the nsroot user's session expiration time to 1 day (not recommended in production but very helpful in a development environment!):

Invoke-Nitro -Type systemuser -Method PUT -Payload @{
        username     = "nsroot"
        timeout      = "86400"
        logging      = "ENABLED"
        externalauth = "ENABLED"
    } -Action Add -Force

## Examples

For a more complete example you can take a look ad NSConfig.ps1

Similar work