Monday, May 9, 2016

NetScaler VPX - Part 8 (export/import settings)

How can we export the configuration of one NetScaler appliance and import it into another appliance?

Why would we want to do this?

We may want to replace the existing appliance with a newer version. It would take a lot of time (and some accurate documentation) to configure the new appliance manually, setting by setting. It would be more efficient to export the configuration of the existing appliance (physical or virtual) and import it into the new appliance.

This Citrix document outlines the procedure:

How to Migrate the Configuration of an Existing NetScaler Appliance to Another Appliance

It appears that the only pre-requisite is that the two appliances run the same software.

Otherwise, reiterating the original question, how do we perform this action?

The document cited above enumerates the basic procedure. Besides identical OS versions on the two NetScalers, we should backup the ns.conf file on the existing NetScaler.

The document then refers to copying the configuration settings of the "ns.conf" file using notepad or a comparable tool. I was not sure how one would perform such a copy/paste operation and inquired if one could simply copy the ns.conf file from the "old" appliance and then overwrite (paste) the ns.conf file on the new appliance. It appears that this is possible and, in fact, I was able to execute such a operation as I will demonstrate below.

The number of items to copy depends on the features used:
  • The ns.conf file (this file contains the NetScaler configuration).
  • The SSL folder (if we use certificates for SSL offloading or other purposes).
  • The ZebOS.conf file (if we use the NetScaler for dynamic routing).

All these objects (and others) are located in the /flash/nsconfig folder of the NetScaler.

Note: the license file is in the license folder. We will not copy the license file to the new appliance. This is because the license file is associated with the MAC address of the NetScaler's NIC (or what I will call the "primary" NIC if there are several). In any event, since the MAC address(es) will be different, we have to obtain (and install) a separate license file for the new appliance. 

If we want to export and import files from the NetScaler, we have to use a tool like WinSCP (if we are managing the appliance from a Windows computer).

This is how I proceeded....

First of all, we must connect to the "old" NetScaler with WinSCP (or the equivalent) and copy the ns.conf file and the SSL folder to the local drive of the management workstation (in my case, a Windows 7 machine). For a visual representation, I will refer the reader to the screenshots below, where we copy the ns.conf file and SSL folder to the new NetScaler. The process is the same to copy from the "old" NetScaler to the local drive.

Second, I will complete the basic configuration of the new NetScaler so we can install the license and later establish a connection via WinSCP to copy the ns.conf file and the SSL folder to it.

Note: for directions on basic NetScaler configuration and license management, please consult my first blog post in this series on the NetScaler VPX:

NetScaler VPX - load balance Exchange - Part 1 (Installation and Configuration)

As for the initial network configuration, I start the new NetScaler and enter an IP address, a netmask and a default gateway when prompted (this will be directly at the console since we cannot use the web interface until we have (logically) configured an IP address):

This IP address can be different from that of the old NetScaler and must be different if the two devices are online at the same time.

This IP address is known as the "NSIP". When we logon to the web interface to install the license file, we will first have to configure a "SNIP" and some other settings. Once again, please refer to the link above for directions if you are not familiar with this process.

Once the initial configuration has been completed (and the license installed), we can use WinSCP to connect to the NSIP which is the NetScaler's "primary" IP address. In our case, it is the IP address entered above: As for WinSCP, we download and install the program on our management computer and then enter the values shown below (or those appropriate for your environment). In my case...

  • SFTP for the file protocol.
  • for the "host name" (yes, the IP address works just as well here)
  • 22 for the port number
  • nsroot for both the user name and password (unless you had changed the password during intial configuration, which would be an excellent idea in a production environment).

We then click on "Login":

At this prompt, we can click on Yes or No (your choice):

The authentication banner displays. We can opt to prevent the banner from showing in the future if we want:

In my "Documents" (left pane of the window below), I have the ns.conf file and SSL folder that I exported from the "old" NetScaler (among some other files):

In the right pane, I click on the single folder (the one shown in the screenshot above) and navigate to the /flash/nsconfig folder:

We then slide the ns.conf file from left to right and overwrite the ns.conf file (on the right) when prompted:

We do the same for the SSL folder and confirm the overwriting of each of the existing files:

We then disconnect the WinSCP session with the NetScaler:

At this point, we reboot the NetScaler. In my case, I restarted what is a VMware guest using the VMware "Restart Guest" option. In any case, do NOT save the running configuration of the new NetScaler or it will overwrite the (recently copied) settings in the ns.conf file with the running configuration.

Once the new NetScaler restarts, we can logon via the web management interface and observe (click on the "gear" icon) that the configuration of the old NetScaler has been imported. For example, the IP address is now (and not Likewise, the hostname is NSVPX1 (and not NSVPX2):

Note: remember to use the IP address of the "old" NetScaler and not the temporary address entered above for the initial configuration of the new NetScaler. Of course (as indicated in the Citrix link at the begining of this post), we cannot have both NetScalers online at the same time, since they share the same IP address(es). The old NetScaler must be turned off before the new NetScaler is restarted with the imported settings.

No comments:

Post a Comment