Deploy Citrix ADC CPX to Docker – Configuration Questions

citrix docker nginx ssl

I have a setup where I have an application that needs to communicate with a device on our intranet that does not have support for TLS connections built in. It was suggested that we use Citrix ADC to perform load balancing and to provide the TLS interface between the WAN / Firewall and the receiving device. The setup is described here: Citrix ADC (Netscaler) TLS Termination Guide. If you browse down the page there a bit, you'll see a section that begins with "Citrix ADC TLS Termination Setup", and it looks like there is a GUI interface for performing the configuration.

I installed a Docker version of Citrix ADC CPX using a compose file similar to this:

  citrixadccpx:
    container_name: CPX_0
    image: store/citrix/citrixadccpx:xxxxxx
    privileged: true # needed for multi-core
    ports:
      -  9443:9443
      -  22
      -  9080:9080
      -  161/udp
      -  35021-35030
    tty: true
    cap_add:
      - NET_ADMIN
    ulimits:
      core: -1
    volumes:
      - ./citrix:/cpx
    environment:
      -  CPX_CORES=2
      -  EULA=yes
      # -  NS_NETMODE="HOST"

The container is running and accessible via docker-exec, where I can run a command like:

# cli_script.sh "show ns config"
exec: show ns config
    NetScaler IP: 172.18.0.6  (mask: 255.255.0.0)
    Number of MappedIP(s): 0
    Node: Standalone
                       System Time: Thu Aug 19 11:08:51 2021
          Last Config Changed Time: Thu Aug 19 02:16:57 2021
    Config Changed since Last Saved Config: TRUE

and there is a connection via the web at: https://192.168.0.100:9443/nitro/v1/config/

that just shows a bunch of JSON. I was hoping that there would be a pretty GUI like the one shown in the referenced document to set up and manage NetScaler. That is apparently for the REST interface and API?

So questions:

  1. Is there a GUI or a decent manual / instructions somewhere on how to set up and configure using "cli_script.sh" or maybe a config file?

  2. Is there a GUI that can be used with the Docker version? See also: Deploying a Citrix ADC CPX Instance in Docker

  3. Could I just as easily use an NGINX instance specifically for proxying TLS requests to my other devices? That would probably be easier since I have some experience with NGINX. Never used Citrix NetScaler before, but it would be nice to learn.

  4. Similarly, there is a Fortigate router / firewall at the WAN interface. I am not very knowledgeable about that, but perhaps that also could be used as a TLS interface for that connection, but again, it would be nice to learn how to use NetScaler.

  5. Does the OS host version (non-Docker version) of NetScaler come with a GUI management interface? That would be another option. My host OS is Ubuntu 20.x.

As an example, say we have incoming requests on port 11112 via a TLS connection. We would probably just have the Fortigate forward the incoming request to the server that is running the Docker Containers, to the external port 11112 for either NGINX or Citrix, and then they would proxy (within the container network) to the endpoint.

Best Answer

I'm not aware of a pretty GUI wrapper for the CPXs; however, everything can be done via the CLI by wrapping it in cli_script.sh.

If you want a pretty GUI, you can use the freemium VPX on one of many popular hypervisors instead, or use them and capture the command-line config they add.

Note that ADM can manage CPXs, so it can do a number of tasks for you if you are not cmdline savvy. I know that when you log in to the VPX via ADM it uses the std web interface (neo), and I have not had a chance to see how any CPXs appear doing the same.

Just be aware of usage restrictions on free licenses.

Most VPX setup doco includes the command-line equivalent, so it isn't too hard to get one set up. From my experience, the doco for NetScalers is far better than for the Forti* products.

I.e. setting up a load-balanced vserver: https://docs.citrix.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-setup.html
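The CLI route from the answer, applied to the port 11112 scenario in the question, as an added example that is not part of the original answer or Citrix's own code. The vserver, service and certkey names, the backend address and the certificate paths are assumptions; the VIP is the NetScaler IP shown in the question's `show ns config` output.

```shell
#!/bin/sh
# Added example: TLS termination on the CPX in front of a non-TLS TCP device.
# Constructed values (assumptions, not from the original post):
VSERVER=vs_device_tls        # hypothetical vserver name
SERVICE=svc_device           # hypothetical service name
CERTKEY=ck_device            # hypothetical certkey name
VIP=172.18.0.6               # NetScaler IP from "show ns config" in the question
BACKEND_IP=10.0.0.50         # placeholder for the intranet device without TLS
PORT=11112                   # port used in the question's example
CERT=/cpx/ssl/device.crt     # placeholder path under the mounted /cpx volume
KEY=/cpx/ssl/device.key      # placeholder path; keep the key file mode at 0600

# Emit the NetScaler CLI commands, one per line, in the order they must run:
# certificate, plain-TCP backend, SSL_TCP front end, bindings, protocol floor.
cpx_tls_commands() {
    cat <<EOF
add ssl certKey $CERTKEY -cert $CERT -key $KEY
add service $SERVICE $BACKEND_IP TCP $PORT
add lb vserver $VSERVER SSL_TCP $VIP $PORT
bind lb vserver $VSERVER $SERVICE
bind ssl vserver $VSERVER -certkeyName $CERTKEY
set ssl vserver $VSERVER -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED
save ns config
EOF
}

# Inside the container each command goes through cli_script.sh, as in the
# question. Where cli_script.sh is not on PATH, only print what would be run.
apply_cpx_config() {
    cpx_tls_commands | while IFS= read -r cmd; do
        if command -v cli_script.sh >/dev/null 2>&1; then
            cli_script.sh "$cmd"
        else
            echo "dry-run: cli_script.sh \"$cmd\""
        fi
    done
}

apply_cpx_config
```

The compose file in the question does not publish port 11112, so a `11112:11112` entry under `ports:` is needed before the Fortigate can forward to it. Afterwards, `cli_script.sh "show ssl vserver vs_device_tls"` shows the bound certificate and the enabled protocol versions.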
