The purpose of this post is to share my experience with running NetScaler CPX from a Docker image. Our objective is to implement a NetScaler CPX test/development platform as a Docker container based app.
In this post we will look into installing and configuring Docker, NetScaler CPX and a DVWA container as a web backend for security test purposes. DVWA (Damn Vulnerable Web Application) should NEVER be deployed on a production web server; it is solely for security testing.
At the end of this post I will show how you can use Portainer as a web UI for managing Docker containers.
In this part we use the SSH CLI/command line to manage our NetScaler CPX instance.
The next parts will focus on using NMAS and Nitro API calls to manage NetScaler CPX instances.
A few notes:
- NetScaler CPX instances are configured by the following methods:
  - by deploying configuration jobs from NMAS
  - by the NITRO API
  - by the command line (SSH CLI)
Why Container based?
- Security
  - Segregation and isolation
  - Management and traffic flow control
- Efficiency
  - Rapid app deployment
  - Portability across platforms (platform independence: build once, deploy anywhere)
  - Lightweight footprint with minimal overhead
- Standardization and productivity
  - Consistency
  - Repeatable development, build, test and production environments
  - Return on investment and reduced cost
- Multi-Cloud
  - Microsoft Azure
  - Amazon AWS
  - Google Cloud Platform (GCP)
  - OpenStack
Requirements
Docker host:
- Ubuntu Server 14.04 or later
- At least 1 vCPU and 4 GB memory
- Internet connectivity (to reach the package repository)
- The NetScaler CPX image downloaded from Citrix and uploaded to the Docker host
Traffic Flow in NetScaler CPX
When you provision a NetScaler CPX instance on a Docker host, the Docker engine creates a virtual interface, eth0, on the CPX instance. This eth0 interface is directly connected to a virtual interface (veth*) on the docker0 bridge. Docker also assigns an IP address to the NetScaler CPX instance in the network 172.17.0.0/16.
The default gateway for the CPX instance is the IP address of the docker0 bridge, which means that any communication with the NetScaler CPX instance is done through the Docker network. All incoming traffic received from the docker0 bridge is received by the eth0 interface on the NetScaler CPX instance and processed by the NetScaler CPX packet engine.
The following figure illustrates the architecture of a NetScaler CPX instance on a Docker host.
Reference:
CPX Architecture and Traffic Flow
NetScaler CPX Licensing
License a NetScaler CPX by NMAS configuration job or from the NetScaler CPX API, see the link below.
Reference:
Docs Citrix NS CPX Licensing
Unlicensed CPX:
- Throughput = 20 Mbps
- SSL connections = 250
Licensed CPX:
- Throughput = 1000 Mbps
- SSL connections = 1500
Install Docker
The following steps install Docker CE (Community Edition) on Ubuntu Server. Docker's apt repository is signed, so its GPG key must already be trusted by apt (the official install guide adds it before the repository); without it, apt-get update rejects the repository.
Add the Docker repo:
sudo add-apt-repository \
  "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) \
  stable"
Install Docker:
sudo apt-get update
sudo apt-get install docker-ce
Load the CPX Docker image:
docker load -i cpx64-ns_12.0-41.22.gz
Verify images and running containers:
docker images
docker ps
Install and run CPX as a container:
docker run -dt -P -e CPX_CORES=1 --name NSCPXDEV12_v2 --ulimit core=-1 -e EULA=yes -v /var/cpx2:/cpx --cap-add=NET_ADMIN cpx:12.0-41.22
Here -P publishes every port the image exposes to a random high port on the host, and --cap-add=NET_ADMIN grants the container only the network capability the packet engine needs rather than a fully privileged container.
Run "docker ps"; this shows the port mappings, including the host port that is mapped to the container's SSH port 22.
Login with SSH:
ssh root@127.0.0.1 -p 32770
The default login is root/linux.
Use cli_script.sh COMMAND when the CPX container is accessed from the SSH CLI, e.g.:
cli_script.sh "show ip"
This shows the configured NSIP and SNIP addresses.
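The start-and-login step above as a small script, added here as an example (it is not code from the original post): it starts the container with only the NET_ADMIN capability and then looks up the host port Docker mapped to the container's SSH port instead of reading it off "docker ps" by eye. The container name, image tag and volume path are taken from the post; the "address:port" layout of "docker port" output that the script parses is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: start the CPX container with
# only the NET_ADMIN capability and then look up the host port Docker mapped to
# the container's SSH port, instead of reading it off "docker ps" by eye.
# Container name, image tag and volume path are taken from the post; the
# "address:port" format of "docker port" output is an assumption.

IMAGE=cpx:12.0-41.22
NAME=NSCPXDEV12_v2

# Start CPX unless a container with that name already exists, so the script
# can be rerun without "docker run" failing on a duplicate name.
start_cpx() {
    if docker ps -a --format '{{.Names}}' | grep -qx "$NAME"; then
        echo "container $NAME already exists, not starting a second one" >&2
        return 0
    fi
    docker run -dt -P -e CPX_CORES=1 -e EULA=yes --name "$NAME" \
        --ulimit core=-1 -v /var/cpx2:/cpx --cap-add=NET_ADMIN "$IMAGE"
}

# Take "docker port" output such as "0.0.0.0:32770" (possibly followed by an
# IPv6 line like "[::]:32770") and print only the first host port number.
host_port_from() {
    printf '%s\n' "$1" | sed -n 's/.*:\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Print the host port that reaches sshd inside the CPX container.
cpx_ssh_port() {
    host_port_from "$(docker port "$NAME" 22/tcp)"
}

# Usage (needs a Docker engine and the loaded image; not part of the test):
# start_cpx && echo "ssh root@127.0.0.1 -p $(cpx_ssh_port)"
```

Because -P assigns a different random host port on every run, scripting the lookup with "docker port" is more reliable than hard-coding 32770 into later steps.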
Add an additional IP address on the Docker host:
ip addr add 10.40.0.115/24 dev eth0
NAT rules with iptables
Create the NAT rules on the Docker host:
iptables -t nat -A PREROUTING -p ip -d 10.40.0.115 -j DNAT --to-destination 172.17.4.100
iptables -t nat -A PREROUTING -p tcp -d 10.40.0.115 -m addrtype --dst-type LOCAL -m tcp --dport 80 -j DNAT --to-destination 172.17.0.4:80
iptables -t nat -A PREROUTING -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 50000 -j DNAT --to-destination 172.17.0.4:80
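The DNAT rules above as a reusable script, added here as an example (not code from the original post): the container address is looked up from the Docker engine rather than hard-coded, and each rule is added only if it is not already present, because "iptables -A" appends a duplicate every time the commands are rerun. The addresses and the container name are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: manage the DNAT rules that
# forward a host IP/port to the CPX container. The container address is looked
# up from the Docker engine rather than hard-coded, and each rule is added only
# if it is not already present, because "iptables -A" happily appends
# duplicates every time the script is rerun. Addresses and the container name
# are assumptions taken from the post.

# Print the bridge (docker0) address Docker assigned to a running container.
# Usage: container_ip NSCPXDEV12_v2
container_ip() {
    docker inspect -f '{{.NetworkSettings.IPAddress}}' "$1"
}

# Print the rule body shared by -C (check), -A (append) and -D (delete):
# forward TCP traffic for HOST_IP:HOST_PORT to CONTAINER_IP:CONTAINER_PORT.
# Usage: dnat_rule_body 10.40.0.115 80 172.17.0.4 80
dnat_rule_body() {
    printf 'PREROUTING -p tcp -d %s -m tcp --dport %s -j DNAT --to-destination %s:%s' \
        "$1" "$2" "$3" "$4"
}

# Append the rule unless "iptables -C" reports it is already in the nat table.
# Needs root. Usage: ensure_dnat HOST_IP HOST_PORT CONTAINER_IP CONTAINER_PORT
ensure_dnat() {
    body=$(dnat_rule_body "$@")
    # $body is deliberately unquoted so it splits into separate arguments.
    if iptables -t nat -C $body 2>/dev/null; then
        echo "already present: $body"
    else
        iptables -t nat -A $body && echo "added: $body"
    fi
}

# Remove the rule again, e.g. before recreating the container with a new IP.
remove_dnat() {
    body=$(dnat_rule_body "$@")
    iptables -t nat -D $body
}

# Usage (needs root and a running CPX container; not part of the test):
# ensure_dnat 10.40.0.115 80 "$(container_ip NSCPXDEV12_v2)" 80
```

The rules live only in the running kernel; persist them with iptables-save if they must survive a reboot. The bridge address can change when the container is recreated, so rerun ensure_dnat (and remove_dnat for the old address) after that.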
Restart container
Restart the Docker container:
docker restart CONTAINER-ID
Commit container changes
Commit the changes made in the Docker container back to the image:
docker commit CONTAINER-ID cpx:12.0-41.22
Start NetScaler CPX with access to the host network
docker run -dt -P -p 22 -p 80 -p 161/udp -p 8080:8080 -p 80:80 --name NSCPXDEV12_v2 --ulimit core=-1 -e EULA=yes -v /var/cpx2:/cpx --privileged=true cpx:12.0-41.22
Note that --privileged=true gives the container every host capability, whereas the first run command above grants only NET_ADMIN; use the narrower grant unless the wider one is actually required.
Use NetScaler CPX together with another Docker container app
Deploy DVWA as a Docker container
DVWA is a security test web platform, primarily for security professionals. We use it here as a basic web server for testing load balancing and WAF functions in NetScaler CPX.
Use the following commands to download and run Damn Vulnerable Web App (DVWA) as a Docker container:
docker pull citizenstig/dvwa
docker run -d -p 80:80 citizenstig/dvwa
Configure NetScaler CPX with SSH
Login with SSH:
ssh root@127.0.0.1 -p 32770
Add the DVWA backend as a service:
cli_script.sh "add service svc-dvwa-80 10.40.0.103 HTTP 80"
Verify that the state is UP:
cli_script.sh "sh service"
Add a non-addressable load balancing vserver, as we will use a Content Switch in front of it:
cli_script.sh "add lb vserver lb-vs-dvwa-80 HTTP"
cli_script.sh "bind lb vserver lb-vs-dvwa-80 svc-dvwa-80"
Verify that the LB vserver state is UP:
cli_script.sh "sh lb vserver"
Add the Content Switch vserver:
cli_script.sh "enable feature cs"
cli_script.sh "add cs vserver cs-vs-http HTTP 172.17.0.4 80"
Add a Content Switch policy that matches on the Host header (the outer single quotes stop the shell from consuming the escaped double quotes the NetScaler CLI needs around the string literal):
cli_script.sh 'add cs policy cs_pol_dvwa -rule "HTTP.REQ.HOSTNAME.EQ(\"docker-dvwa\")"'
Bind the policy to the Content Switch vserver:
cli_script.sh "bind cs vserver cs-vs-http -policyName cs_pol_dvwa -targetLBVserver lb-vs-dvwa-80 -priority 100"
Finally, add a NAT rule on the Docker host so that traffic to the additional host IP reaches the Content Switch vserver:
iptables -t nat -A PREROUTING -p ip -d 10.40.0.115 -j DNAT --to-destination 172.17.0.4
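The CPX configuration sequence above as a script, added here as an example (not code from the original post): it pushes the service, LB vserver and Content Switch objects through cli_script.sh and checks that the service and the LB vserver actually report State: UP before the CS policy is bound, instead of eyeballing "sh service". Object names and addresses follow the post; the layout of the "sh service" / "sh lb vserver" output that the parser expects is an assumption, and SAMPLE_SH_SERVICE is constructed, not captured from a real CPX.

```shell
#!/bin/sh
# Added example, not code from the original post: push the DVWA service, LB
# vserver and Content Switch configuration into the CPX container through
# cli_script.sh, and check that the service and LB vserver actually report
# State: UP before the CS policy is bound. Object names and addresses follow
# the post; the layout of the "sh service" / "sh lb vserver" output parsed
# below is an assumption, and SAMPLE_SH_SERVICE is constructed, not captured.

NSCLI=${NSCLI:-cli_script.sh}   # wrapper available inside the CPX container

# Run one NetScaler CLI command through cli_script.sh.
ns() {
    "$NSCLI" "$1"
}

# Read "sh service" / "sh lb vserver" style output on stdin and print the
# State (UP, DOWN, ...) of the named object, or UNKNOWN if it is not listed.
# Each object starts with a numbered header line ("1) name (ip:port) - HTTP")
# followed by indented attribute lines, one of them "State: UP".
state_of() {
    awk -v name="$1" '
        /^[0-9]+\)/ { inblock = ($2 == name); next }
        inblock && $1 == "State:" { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }
    '
}

# Poll until the object reports UP; monitors need a few seconds after
# "add service". Usage: wait_for_up "sh service" svc-dvwa-80 [attempts]
wait_for_up() {
    attempts=${3:-10}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        state=$(ns "$1" | state_of "$2")
        [ "$state" = "UP" ] && return 0
        i=$((i + 1))
        sleep 1
    done
    echo "$2 did not come UP (last state: $state)" >&2
    return 1
}

# The configuration from the post, with UP checks between the steps.
configure_dvwa() {
    ns "add service svc-dvwa-80 10.40.0.103 HTTP 80"
    wait_for_up "sh service" svc-dvwa-80 || return 1
    ns "add lb vserver lb-vs-dvwa-80 HTTP"
    ns "bind lb vserver lb-vs-dvwa-80 svc-dvwa-80"
    wait_for_up "sh lb vserver" lb-vs-dvwa-80 || return 1
    ns "enable feature cs"
    ns "add cs vserver cs-vs-http HTTP 172.17.0.4 80"
    # Single quotes keep the escaped inner quotes for the NetScaler parser.
    ns 'add cs policy cs_pol_dvwa -rule "HTTP.REQ.HOSTNAME.EQ(\"docker-dvwa\")"'
    ns "bind cs vserver cs-vs-http -policyName cs_pol_dvwa -targetLBVserver lb-vs-dvwa-80 -priority 100"
}

# Constructed sample of "sh service" output used to exercise state_of offline.
SAMPLE_SH_SERVICE='1)  svc-dvwa-80 (10.40.0.103:80) - HTTP
    State: UP
    Last state change was at Mon Jan  1 00:00:00 2018
2)  svc-other-80 (10.40.0.104:80) - HTTP
    State: DOWN'

# Usage inside the CPX container (not part of the test): configure_dvwa
# Offline check: printf '%s\n' "$SAMPLE_SH_SERVICE" | state_of svc-other-80
```

Stopping at the first object that never comes UP keeps a half-built configuration from being committed with "docker commit" and mistaken for a working one later.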
Portainer as UI for Docker containers
Portainer is a simple, lightweight management UI which allows you to easily manage your different Docker environments.
Portainer consists of a single container that can run on any Docker engine (deployed as a Linux container or a Windows native container):
sudo docker run -d -p 9000:9000 --restart always -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer:/data portainer/portainer
Note that mounting /var/run/docker.sock gives Portainer full control of the Docker engine, and thereby of the host, so access to port 9000 should be restricted accordingly.
In this example I run NetScaler CPX from Portainer.
Insert the variable "EULA=yes" into the CPX container.
Monitor simple performance stats.
Overview of containers.