Container based AppDelivery Controller – NetScaler CPX – Part 1

Purpose of this post is to share my experience with running NetScaler CPX from a Docker Image. Our objective is to implement a NetScaler CPX test/development platform as a Docker container based app.

In this post we will look into installing and configuring Docker, NetScaler CPX and DVWA container as a web backend for security test purposes. DVWA should NEVER be deployed on a Production web server, it is solely for security testing (Damn Vulnerable Web Application).
In the end of this post I will show how you could use Portainer as web UI for managing Docker containers.

In this part we are using SSH CLI/Commandline to manage our NetScaler CPX instance.
Next parts will focusing on using NMAS and Nitro API calls to manage NetScaler CPX instances.
A few notes:

Netscaler CPX images are managed by following methods:
- CPX is configured by deploying configuration jobs from NMAS
- CPX is configured by NITRO API
- CPX is configured by Command Line (SSH CLI)

Table of Contents

Why Container based?

Security
- Segregration and isolation
- Management and Traffic flow control
Efficiency
- Rapid app deployment
- Portability across platforms (Platform independency – Build once, deploy anywhere)
- Leightweight footprint with minimal overhead
Standardization and productivity
- Consistency
- Repeatable development, build, test and production environments
Return on Investment and reducing cost
Multi-Cloud
- Microsoft Azure
- Amazon AWS
- Google Compute Platform GCP
- OpenStack

Requirements

Docker host:

Ubuntu Server 14.04 or later
1 vCPU, 4GB memory at least
Internet connectivity (Repository)
NetScaler CPX has been downloaded from Citrix and uploaded to the Docker Host

Traffic Flow in NetScaler CPX

When you provision a NetScaler CPX instance on a Docker host, the Docker engine creates a virtual interface, eth0, on the CPX instance. This eth0 interface is directly connected to a virtual interface (veth*) on the docker0 bridge. Docker also assigns an IP address to the NetScaler CPX instance in the network 172.17.0.0/16.

The default gateway for the CPX instance is the IP address of the docker0 bridge, which means that any communication with the NetScaler CPX instance is done through the Docker network. All incoming traffic received from the docker0 bridge is received by the eth0 interface on the NetScaler CPX instance and processed by the NetScaler CPX packet engine.

The following figure illustrates the architecture of a NetScaler CPX instance on a Docker host.

Reference:

CPX Architecture and Traffic Flow

NetScaler CPX Licensing

License a NetScaler VPX by NMAS Configuration Job or from the NetScaler CPX API, see link below.

Reference:
Docs Citrix NS CPX Licensing

Unlicensed CPX

Throughput = 20 Mpbs
SSL Connections = 250

Licensed CPX

Throughput = 1000 Mpbs
SSL Connections = 1500

Install Docker

Following method describes steps needed to install Docker CE (Community Edition) on Ubuntu Server:

Add Docker Repo:

sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"

sudo add-apt-repository \

"deb [arch=amd64] https://download.docker.com/linux/ubuntu \

$(lsb_release -cs) \

stable"

Install Docker:

sudo apt-get update
sudo apt-get install docker-ce

1 2	sudo apt-get update sudo apt-get install docker-ce

Load CPX Docker image:

docker load -i cpx64-ns_12.0-41.22.gz

1	docker load -i cpx64-ns_12.0-41.22.gz

Verify images and running containers:

docker images
docker ps

1 2	docker images docker ps

Install and run CPX as Container:

docker run -dt -P -e CPX_CORES=1 --name NSCPXDEV12_v2 --ulimit core=-1 -e EULA=yes -v /var/cpx2:/cpx  --cap-add=NET_ADMIN cpx:12.0-41.22

1	docker run -dt -P -e CPX_CORES=1 --name NSCPXDEV12_v2 --ulimit core=-1 -e EULA=yes -v /var/cpx2:/cpx --cap-add=NET_ADMIN cpx:12.0-41.22

Run “docker ps”

This shows the port mappings

img-alternative-text

ssh root@127.0.0.1 -p 32770

Default login is root/linux.

Use cli_script.sh COMMAND when the CPX container is accessed from SSH CLI, eg.:

cli_script.sh “show ip” will show configured NSIP and SNIP adresses.

Add additional IP at Docker Host:

ip addr add 10.40.0.115/24 dev eth0

NAT rules with IP Tables

Create NAT Rule on Docker Host:

iptables -t nat -A PREROUTING -p ip -d 10.40.0.115 -j DNAT --to-destination 172.17.4.100

iptables -t nat -A PREROUTING -p tcp -d 10.40.0.115 -m addrtype --dst-type LOCAL -m tcp --dport 80 -j DNAT --to-destination 172.17.0.4:80

iptables -t nat -A PREROUTING -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 50000 -j DNAT --to-destination 172.17.0.4:80

iptables -t nat -A PREROUTING -p ip -d 10.40.0.115 -j DNAT --to-destination 172.17.4.100

iptables -t nat -A PREROUTING -p tcp -d 10.40.0.115 -m addrtype --dst-type LOCAL -m tcp --dport 80 -j DNAT --to-destination 172.17.0.4:80

iptables -t nat -A PREROUTING -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 50000 -j DNAT --to-destination 172.17.0.4:80

Restart container

Restart Docker Container:

docker restart "contain-id"

1	docker restart "contain-id"

Commit container changes

Commit changes made in Docker container:

docker commit CONTAINER-ID cpx:12.0-41.22

Start NetScaler CPX with access to host network

docker run -dt -P -p 22 -p 80 -p 161/udp -p 8080:8080 -p 80:80 --name NSCPXDEV12_v2 --ulimit core=-1 -e EULA=yes -v /var/cpx2:/cpx --privileged=true cpx:12.0-41.22

1	docker run -dt -P -p 22 -p 80 -p 161/udp -p 8080:8080 -p 80:80 --name NSCPXDEV12_v2 --ulimit core=-1 -e EULA=yes -v /var/cpx2:/cpx --privileged=true cpx:12.0-41.22

Use NetScaler CPX together with another Docker Container App

Deploy DVWA as a Docker Container

DVWA is a Security Test Web platform, primarily for Security Professionals. We use this as a basic web server here for testing Load Balancing and WAF functions in NetScaler CPX.

Use following command to download Damn Vulnerable Web App (DVWA) as a docker container.

Docker pull citizenstig/dvwa
docker run -d -p 80:80 citizenstig/dvwa

Configure NetScaler CPX with SSH

ssh root@127.0.0.1 -p 32770

cli_script.sh "add service svc-dvwa-80 10.40.0.103 HTTP 80"

1	cli_script.sh "add service svc-dvwa-80 10.40.0.103 HTTP 80"

Verify State is UP

cli_script.sh "sh service"

1	cli_script.sh "sh service"

Add non-addressable Load Balancer VIP as we will use a Content Switch in front:

cli_script.sh "add lb vserver lb-vs-dvwa-80 HTTP"

cli_script.sh "bind lb vserver lb-vs-dvwa-80 svc-dvwa-80"

cli_script.sh "add lb vserver lb-vs-dvwa-80 HTTP"

cli_script.sh "bind lb vserver lb-vs-dvwa-80 svc-dvwa-80"

Verify LB UP State:

cli_script.sh "sh lb vserver"

1	cli_script.sh "sh lb vserver"

Add Content Switch vServer:

cli_script.sh "enable feature cs"
cli_script.sh "add cs vserver cs-vs-http HTTP 172.17.0.4 80"

1 2	cli_script.sh "enable feature cs" cli_script.sh "add cs vserver cs-vs-http HTTP 172.17.0.4 80"

cli_script.sh ""add cs policy cs_pol_dvwa -rule "HTTP.REQ.HOSTNAME.EQ("docker-dvwa")”

1	cli_script.sh ""add cs policy cs_pol_dvwa -rule "HTTP.REQ.HOSTNAME.EQ("docker-dvwa")”

Bind Policy to Content Switch vServer:

cli_script.sh ""bind cs vserver cs-vs-http -policyName cs_pol_dvwa -targetLBVserver lb-vs-dvwa-80 -priority 100"”

1	cli_script.sh ""bind cs vserver cs-vs-http -policyName cs_pol_dvwa -targetLBVserver lb-vs-dvwa-80 -priority 100"”

iptables -t nat -A PREROUTING -p ip -d 10.40.0.115 -j DNAT –to-destination 172.17.0.4

Portainer as UI for Docker containers

Portainer is a simple lightweight management UI which allows you to easily manage your different Docker environments.

Portainer consists of a single container that can run on any Docker engine (deployed as Linux container or a Windows native container)

sudo docker run -d -p 9000:9000 –restart always -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer:/data portainer/portainer

In this example I run NetScaler CPX inside Portainer.

Insert variable “EULA=yes” into CPX Container

Monitor simple performance stats:

Overview of containers:

Ref:
docs.docker
https://portainer.io/
https://docs.citrix.com