Connect with us

Hi, what are you looking for?

Citrix NetScaler

Using NetScaler MA Service in Citrix Cloud to monitor and manage all your NetScalers easily

If people don’t like to do something, they simply won’t do it and find another way. Technology has given us the choice to help find these other ways easily. The culture of the world is again changing, much like the industrial revolution brought change to how people lived 250 years ago. Doesn’t mean we’re becoming lazy, it’s just a sign of progress. We can now prioritize the things in life we want to do and let other things with less priority to us get taken care of with just a few swipes on our phones. It’s the time-value of money translated into time-value of quality of life, people want convenience and are willing to pay for it. There are certain services within Citrix Cloud that can make your life as an engineer easier and I’d like to cover one of them today, NetScaler Management and Analytics Service (or NetScaler MA Service for short).

Making life easier

  • Transportation – If I’m traveling, I no longer need to park a car in some mass parking lot in the sun at the airport and get an expensive rental at my destination. Uber and Lyft has given people convenient on-demand rides.
  • Shopping – Amazon Prime gets you everything you can think of at your doorstep in 2 days. Prime Now can get you things in under an hour. I’ve forgotten things and ordered on Prime Now at the airport while boarding and it’s waiting for me at the destination before I even land.
  • Groceries – Groceries can be ordered online and picked up in the parking lot. Just pop your trunk and an attendant will place them in your vehicle. Some grocery stores even deliver right to your front door.
  • Food – DoorDash, Favor, and UberEATS can get you things from your favorite restaurants anywhere in town. Sit on your patio in your pajamas and enjoy your favorite meal as if the chef just cooked it up in your kitchen.
  • Cars – Cars can be negotiated and purchased online. Then delivered to your driveway straight from port. A technician can do an orientation right then and there in your driveway. Gone is the stress of a dealership visit and endless waiting on people to get around to you.
  • Work – And of course, you can work from anywhere on demand and often times around the more important things in your life, thanks to Citrix enabled workspaces.

I could go on and on about the multitude of on-demand services that empower us to improve the quality of our lives. These services are driven by technology that has pretty much disrupted and reshaped their respective industries. Honestly, you really don’t need to leave your home for much these days as long as you are willing to pay for the convenience. If you do a cost analysis, sure some of these services I just mentioned are slightly more expensive than if you took care of these items using a traditional approach yourself. But examine your life as you use these services. You have more time to live, to spend time with your family, to take up new hobbies, to read a book or watch a movie…it’s the little things worth living life you are now able to do more of. Less stress for you overall and a better quality of life.

I don’t want to be a monitoring expert

Much earlier in my career I loved monitoring. This was back in the day when you had to figure out how to monitor things yourself using scripts you wrote because no vendor could monitor things to the level you wanted back then. It was a challenge and I was up for it, I found it fun actually. It was a brave new world, unconquered. These days software monitoring vendors have caught up and there’s so many different ways to monitor things, many products even overlap in features so you might end up with multiple monitoring products in your environment.

In that same time, my career has progressed as well. I have more important duties to the organization to tackle like designing mobile workspaces, security, identity management, laying the path for the company’s hybrid cloud journey, etc. I just don’t have the time to sit there and write monitoring scripts like in the early days. These topics are the “new” brave new world for me. I don’t have time to be a monitoring expert nor become an administrator of the monitoring solution’s infrastructure, I have enough systems to take care of already. This I think is the case for most every IT engineer out there these days. You want to focus on what you’re good at and what you enjoy. For some it may be very well be monitoring. Just don’t ever feel trapped by it. You do have a choice here to make your work life easier just like your personal life.

So do it another way…

Back to that mantra: If people don’t like to do something, they simply won’t do it and find another way.

NetScaler MA Service is the cloud hosted version of NetScaler MAS. For those of you using NetScaler MAS on premises, you probably already know the “MAS” part stands for Management and Analytics Server. For the cloud version the “MA” part is the same but the “S” for Server is removed since you don’t need to stand up anything yourself except for the MA Service Agents which I’ll get to a bit later. That leaves “Service” which means Citrix takes care of running it for you. I’ve been using NetScaler MA Service for several months now and I thought I’d write up a little intro to it for those that haven’t had a chance to try it yet.

A word on naming, I like many used to refer to NetScaler MAS as “NMAS” but I found out from the product team that you shouldn’t call it this. It’s hard to do in a casual conversation, the full name has a lot of syllables. Now with NetScaler MA Service, that could also fit the acronym “NMAS” so I have stopped using this acronym all together and call them by their full names now or say “MAS” vs. “MA Service”.

Why choose NetScaler MA Service over NetScaler MAS?

There are several reasons why I personally like using the cloud based NetScaler MA Service over my on premises NetScaler MAS deployment. It’s still rather new and being polished but I still really like what I’ve been able to test so far. If you already have on premises NetScaler MAS, you still need to be keeping an eye on NetScaler MA Service and in my opinion, consider it in your Citrix budget for next year. There are also some licensing changes coming that gives you the ability to use either cloud based or on premises, or even both in a hybrid model. Your choice based on your environments needs.

NetScaler MAS is meant to be used on premises in your datacenter and is a combination of 2 products you might have used in the past, Command Center and Insight Center. When it first came out last year it was kind of an unknown for most folks on how much data it would consume. The guidance for sizing has changed considerably as more and more features are added to NetScaler MAS. As a result it uses more storage and fills up the drive from when you initially deployed the virtual appliance. This can cause the appliance to freeze up and crash, services won’t start anymore. Then you have to basically run a bunch of command line syntax to get it back up again after adding storage. I had personally had to do it twice last year and I have some customers that have had to do it even more. For something that is constantly evolving and adding features like MAS, it is an administrative headache to have to monitor the monitoring system. For those of you familiar with or have been an administrator of Splunk, Solarwinds, etc. you know what I’m talking about. The infrastructure to keep those running well as more and more teams use your monitoring system is a chore in itself. It’s 2017 and I don’t want to have to think about this, I’d rather spend cycles on improving my environment than having an additional thing to maintain and monitor. Thus NetScaler MA Service is the perfect answer for this in my opinion.

NetScaler MA Service puts the burden of storage on Citrix themselves as part of their Citrix Cloud services offering. You don’t have to deploy a MAS appliance in each of your datacenters and chew up expensive SAN storage. You chew up Citrix’s storage instead. 🙂 Additionally for global NetScaler deployments, the current advice from Citrix is to put a MAS appliance in each datacenter. Depending on what the resources and even the local laws and change process looks like in each datacenter, this may or may not be an easy task and can quickly turn into a major project for your company. When you put the burden of infrastructure on Citrix, you instantly get a global deployment. The NetScaler MA Service in Citrix Cloud is backed by Amazon AWS behind ELB (elastic load balancing) so every single one of those POPs (point of presence) that companies like Netflix, Hulu, Spotify, Adobe, NASA, SAP, LexisNexis etc. use are all available to you as well. That means your data will always be sent to the closet AWS datacenter to your own datacenter in that region.

The next point I want to cover is AppFlow data. We all know how AppFlow can be. It has been a UDP based protocol (essentially IPFIX) for many years and just recently got the ability to do TCP using LogStream in 12.0 but it is currently beta and Citrix does not recommend using it for prod environments at the time of this article. Most people are still using UDP which means if you have a network blip, the flow is lost and you’ll have a gap in your monitoring graphs. It is also a ton of data for your NetScalers to crunch and send out so any latency between your NetScalers and NetScaler MAS could possible mean lost flows if you have underlying network issues. That’s just the nature of UDP which is why the new TCP based LogStream is what most people will be switching to as it transitions to a generally available feature. It makes sense for the NetScalers to send the data as close as possible to a NetScaler MA Service Agent and let that act as proxy before sending data optimized to the MA Service. There’s less chance of gaps in your monitoring this way.

The other big benefit to NetScaler MA Service over NetScaler MAS is firmware updates. With MA Service you are always up to date because the team is constantly making web releases. In the time it was released and I first started playing with it to the time I am publishing this article there have been 9 web releases and each one has improved the service:

http://docs.citrix.com/en-us/netscaler-mas/netscaler-management-and-analytics-service/release-notes.html

Now imagine if you needed a change window for getting 9 updates in your environment? That could be a several month process in some environments. 9 updates may be more than you do in even a year. For some people that’s a few years worth of network infrastructure updates right there represented in those 9 updates. Most of my customers have enough trouble maintaining a NetScaler firmware update policy and adding MAS into the mix is just more administrative overhead in my opinion. Why create more work for yourself?

Now it seems like I’m banging on the NetScaler MAS on premises version a bit here but I’m just being practical and talking about my personal experience and with working with customers. It works freaking great and I have personally used it for some heavy security related analytics and it succeeded with flying colors. It’s just that a lot of my customers and even myself, we have enough systems and just don’t want to maintain more systems unless we really have to. I really don’t want to have to maintain firmware updates. I’d rather just pay for a subscription and have it to work without the administration hassle. This is why I believe NetScaler MA Service is what a lot of people will be migrating to in the coming months. There’s a lot of pros to subscribing to it vs. trying to manage it yourself on premises.

Getting started with NetScaler MA Service

If you want to try NetScaler MA Service yourself, you can for 30 days for free right here by signing up for the trial:

https://netscalermas.cloud.com/

After the 30 days you don’t get any free vservers like the on prem NetScaler MAS to continue unfortunately. I wish there was a free tier like NetScaler MAS that allowed you some level of indefinite monitoring. Even if it was limited vservers/storage/bandwidth to help keep the hosting costs down I would love it, but unfortunately there is no such tier available. My advice to you is to only begin the trial if you are truly ready to set it up with your NetScaler. Otherwise you’ll be scrambling because the countdown starts as soon as you start the trial. If you have change requests and CAB meetings to make this happen I advise you to get them out of the way first before proceeding with the trial.

The architecture of NetScaler MA Service is that everything the on premises appliance does is now in the cloud. But how do you get AppFlow data from your on premises NetScaler to the NetScaler MA Service? This is where the MA Service Agent comes in. You deploy this on your hypervisor of choice just like you would have the on premises appliance. This is just a lighweight FreeBSD based appliance that connects to the web via SSL. No VPN tunel or anything required. Just simple HTTPS like you would use in your browser to use Twitter, Amazon, Facebook, etc. For those of you using other Citrix Cloud based services, you may have deployed the Citrix Cloud Connector which is a lightweight agent talking back to Citrix Cloud. The NetScaler MAS Agent is basically the same concept. After doing this and you bring up the MAS Agent appliance, you activate it using a code that is displayed to you in the NetScaler MA Service web GUI. That’s it. Then you go into NetScaler MA Service just like you would NetScaler MAS and start adding your NetScalers. Simple as that.

Here’s a diagram from the documentation (http://docs.citrix.com/en-us/netscaler-mas/netscaler-management-and-analytics-service.html) showing the traffic flow, it’s just HTTPS 443 traffic that leaves your environment to the MA Service:

For global deployments, just deploy a MAS Agent wherever you have NetScalers and you’re done. Can be in your own datacenter or a public cloud provider like Azure, AWS, etc. It’s going to do the AppFlow proxying locally and then send the data up to the nearest POP for processing.

Now let me walk you through how easy it is to setup. Please note since the MA Service gets updated often, my screenshots can be out of date very quickly. It should not too be different but if you do spot a difference, that is the reason why. That’s a good thing! 😀

1. To get started go to https://netscalermas.cloud.com/ and login with your Citrix Cloud account. Then start the trial. Click Get Started:

2. Download the agent for the hypervisor of your choice.

3. Hit “Generate Activation Code”:

4. I’m using ESXi here so I this is what it looks like for me. Import the appliance to vCenter using the .ovf file:

5. In the vSphere web client, it’s the Deploy OVF Template option:

6. Hit Browse under Local file:

7. Now make sure you hit Ctrl + click to select all 3 files. If you select jsut the .ovf only it will fail to import. It should look like this before you hit the Open button:

8. The OVF template wizard should say you have 3 files selected. Hit Next:

9. I initially started with MAS Agent 12.0 45.18 and the name will reflect the version. This is bad practice for your environment, you can’t keep changing the name everytime you update it. So call it something relevant to your environment that fits your naming scheme:

10. Hit Next:

11. Hit Next on the Review details section:

12. Choose a datastore and hit Next:

13. Choose a VM Network and hit Next:

14. Hit Finish to deploy the MA Service Agent:

15. Under recent tasks it should show the deployment completed:

16. It will get imported as VM version 4 from the ESXi 3.5 days, likely to ensure compatibility with older hypervisor environments I’m guessing. If you are using ESXi 6.0 or 6.5 as in my case, if you hit Power On it won’t be able to power on:

17. In the recent tasks it will say “The guest operating system ‘freebsd64Guest’ is not supported”:

18. Right click on the VM > Compatibility > Upgrade VM Compatibility:

19. Hit Yes to upgrade:

20. Since I’m using ESXi 6.5, I choose the ESXi 6.5 and later option:

21. Now I’m at VM version 13:

22. And I can power it on successfully:

Configuring the MA Service Agent

23. Hit the VM console and you’ll see the “NetScaler MAS intitial configuration” wizard:

24. Give it all the proper values and hit 7 to save:

25. Now type in the MA Service URL for the agent which is:

agent.netscalermgmt.net

and then enter the activation code from the web console from earlier that you had generated. Yeah there’s no copy past for the console so you’ll need to be really careful when typing it in:

If for whatever reason it fails or you restart the appliance or something, The default credentials for the MA Agent are:

Username: nsrecover
Password: nsroot

Then you can type “networkconfig” to rerun the network settings configuration wizard. You can also type “deployment_type.py” to rerun the MA Service Agent registration configuration wizard if needed. You can also use:

cat /etc/passwd

to see all users on the appliance. If you need to fully remove your Agent config and rerun the wizard you can type these commands in one at a time to do that:

masd stop

ctrl+c to break, then:

rm -rf /mpsconfig/agent.conf

cd /mps

deployment_type.py

26. Once registration is successful, you should see a screen like this saying that and the agent process will restart:

27. Now in the web console the MA Service Agent will show up checking in and have a green dot next to it. This means that your datacenter and the MA Service in AWS are now talking to each other:

28. Now you can add NetScaler instances. Choose the Agent that will be talking in that particular datacenter and then add your NetScaler’s NSIP. You can create an nsroot profile for the login credentials. Hit OK when done:

29. Now you’ll see your 1 NetScaler instance you just added:

30. If an HA pair, wait a bit and another instance will pop in there. You don’t have to wait for it and can hit Done early if you like:

31. Congrats! Your intial setup of MA Service was complete. Hit OK:

32. You’ll land on the Application Dashboard first. Hit Get Started:

33. I prefer the Networks view myself to check the status of my NetScalers. You can my NetScaler is showing up and there are actually 2 IPs which means it sees the HA pair.

34. MA Service Agents automatically update themselves now. Back when I was originally working with it when the trial first came out you had to do it manually which was a big pain. If for whatever reason you do need to do a manual update the option is still in there under Settings. I took a bunch of screenshots on this process but since it’s really no longer necessary I’m not going to post all of them here and confuse you.

35. Now if your MA Service Agent is out of date, it will actually say it right along the top like this:

36. You can see in my case here I had turned off my MA Service Agent appliance for a while and it’s still reporting back an old build:

37. As soon as I go to the vSphere client and power the VM back on, it starts checking in to the MA Service and sees that it is out of date. Then it initiates an upgrade by itself. Then you’ll be up to date on the current version. Auto updates only works with Agent version 12.0 build 501.117 and greater so I had to perform a manual upgrade here:

38. If you want to check your subscription you can always go to Settings > Subscriptions. By default the auto-select of virtual servers is on and it will randomly go pick vservers which will put you over your limit. You’ll want to switch that to OFF and then manually select the vservers you want to manage. Then you can go enable Insight and AppFlow settings on them like normal:

Well there you have it, simple as that! I hope this intro helps. There is also a great FAQ on MA Service available here: https://docs.citrix.com/en-us/netscaler-mas/netscaler-management-and-analytics-service/faq.html. Common questions that I have personally received are answered here like Agent sizing, HA, is adding additional disks like MAS necessary, and what version of NetScaler firmware is compatible to use with MA Service.

1 Comment

1 Comment

  1. John Carmody

    February 21, 2018 at 4:52 AM

    Hi Jason i presume the MA Service agent will need to be able to communicate to the various Netscaler VPX instances we have deployed ? do the standard MAS firewall rules apply to the MA service aganet? MAS to NSIP on the standard ports 22,80,443 and NSIPS to MAS 4739 (Appflow), NSIPS to MAS 161,162 SNMP, MAS to SMTP server 25 etc i also presume the MA service agent will need connectivity to the Citrix cloud service URL on 443 via internet?

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Apache

Today I would like to go over proper URL redirection when using SSL but first I would like to preface this by describing what...

Citrix Workspace

You can use FIDO2 hardware security keys plugged into your physical desktop over the Citrix HDX remoting protocol for use with virtualized Windows Desktop...

Exchange 2003

A useful Exchange 2003 guide I wrote for a friend’s blog originally but I am posting it here on mine now for your viewing...

Apache

In a worst case scenario and all your web servers have failed, what do you do? You could have a standby group of servers...

JasonSamuel.com began in 2008 as a way for me to give back to the IT community. This website features the latest news and how-to's on enterprise mobility, security, virtualization, cloud architecture, and other technologies I work with. This website has evolved over time to become a go-to reference hub for these technologies. It receives hundreds of thousands of unique visitors from all over the world each month. More details on the About Me page.
Copyright © 2008-2023 JasonSamuel.com