Overview:
For the third time in 2020, Citrix has released firmware updates to address critical security vulnerabilities in NetScaler (Citrix ADC) appliances. The latest is detailed in Citrix article CTX281474; the two earlier rounds were CTX276688 and CTX267027.
Because of how often these releases are arriving, Keno Kozie Associates has prepared the instructions below to cut through some of the complexity. They are written for engineers and administrators who are already familiar with Citrix NetScaler appliances; if you need any assistance with this process, please contact us!
Prerequisites:
- Download the firmware file from Citrix:
- https://www.citrix.com/downloads/citrix-adc/
- Make sure the build is compatible with your appliance (platform and current version) before downloading, and compare the downloaded file's checksum with the one Citrix publishes on the download page before you upload it.
- Download WinSCP Portable
- Download PuTTY
- Back up the NetScaler
- Follow Citrix's documentation for the specific files to back up
- If the appliance is a VPX running on VMware, take a VM snapshot as well for an easy roll back.
- Review the status of every service the NetScaler is handling. Anything that is already unavailable before you start may be acceptable, but expect it to still be unavailable when the upgrade is complete; recording it now avoids mistaking it for a regression later.
- Locations to review on the NetScaler
- Authentication –>Authentication Dashboard
- Citrix Gateway –> Virtual servers
- Security –> AAA-Application Traffic –> Virtual Servers
- Traffic Management –> Load Balancing –> Virtual servers
- Traffic Management –> Load Balancing –> Services
- Traffic Management –> Load Balancing –> Service Groups
- Traffic Management –> Content Switching –> Virtual Servers
- Save the running config
Upgrade Process for a Single Node:
- Copy the firmware file to the NetScaler with WinSCP
- Connect to the NetScaler's NSIP with WinSCP
- Create a directory under /var/nsinstall named for the build, e.g. /var/nsinstall/XX.XXnsinstall
- Upload the firmware file to the directory you just created
- SSH into the NetScaler with PuTTY and complete the upgrade
- Drop to the shell prompt
shell
- Change to the directory you created above
cd /var/nsinstall/XX.XXnsinstall
- Unpack the firmware update
tar -zxvf build-XX.X-XX.XX_nc_64.tgz
- Install the firmware update
./installns
- When prompted, press Y to reboot
Y
- When the system is back online after the reboot, log in and verify that all services are up and that the firmware version (show version from the CLI) matches the build you applied.
Upgrade Process for a HA Pair:
- Copy the firmware file to both NetScalers with WinSCP
- Connect to each node's NSIP with WinSCP
- Create a directory under /var/nsinstall named for the build, e.g. /var/nsinstall/XX.XXnsinstall
- Upload the firmware file to the directory you just created on each node
Upgrade the Standby Node:
- SSH into the standby (secondary) NetScaler with PuTTY and complete the upgrade
- Drop to the shell prompt
shell
- Change to the directory you created above
cd /var/nsinstall/XX.XXnsinstall
- Unpack the firmware update
tar -zxvf build-XX.X-XX.XX_nc_64.tgz
- Install the firmware update
./installns
- When prompted, press Y to reboot
Y
- When the system is back online after the reboot, connect again with PuTTY
- Run the following commands from the NetScaler CLI prompt (not the shell)
- Review the HA status (this node should still be Secondary)
show ha node
- If Sync State is not AUTO DISABLED, disable configuration sync manually so that configuration is not synced between nodes running different builds
set ha node -hasync disabled
- Review the version to confirm the update was successful
show version
- Force a failover so the upgraded node becomes Primary
force ha failover
- Log in to the GUI of the upgraded node and verify all services are online.
- If services are not online, fix them, or fail back to the other node by running force ha failover again
- If services are online, proceed with the upgrade of the other node
Upgrade the Previously Active, Now Standby Node:
- SSH into that NetScaler with PuTTY and complete the upgrade
- Drop to the shell prompt
shell
- Change to the directory you created above
cd /var/nsinstall/XX.XXnsinstall
- Unpack the firmware update
tar -zxvf build-XX.X-XX.XX_nc_64.tgz
- Install the firmware update
./installns
- When prompted, press Y to reboot
Y
- When the system is back online after the reboot, connect again with PuTTY
- Run the following commands from the NetScaler CLI prompt (not the shell)
- Review the HA status (this node should be Secondary)
show ha node
- Review the version to confirm the update was successful
show version
- Force a failover so this upgraded node becomes Primary again
force ha failover
- Log in to the GUI of the upgraded, now active node and verify all services are online.
- If you manually disabled configuration sync on either node earlier, enable it again; both nodes are now on the same build, so sync is safe
set ha node -hasync enabled
- Save the running configuration
save config
- Confirm that HA sync succeeded (Sync State for the secondary should read SUCCESS)
show ha node
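The HA-state and version checks in the procedures above are easy to misread when one node is mid-upgrade. The script below is an added example written for this article; it is not code from the page's authors or from Citrix. It parses the raw text of show ha node and show version, read from stdin so you can pipe it from a saved copy of the output or (assuming your appliance accepts a non-interactive command over SSH, as in ssh nsroot@<NSIP> 'show ha node') straight from the CLI, and answers the three questions the runbook asks: is this node Secondary, does sync still have to be disabled by hand, and is the running build the one you uploaded. The sample outputs embedded at the bottom are constructed and abbreviated, not captured from an appliance; the 192.0.2.x addresses and the 13.0-64.35 build number are illustrative.

```shell
#!/bin/sh
# nscheck.sh - sanity checks for the NetScaler upgrade steps above.
# Added example (not from the page or from Citrix). Reads the raw text of
# "show ha node" or "show version" on stdin and exits 0/1 so it can gate
# the next step of a runbook.

# In "show ha node" output the first entry (Node ID 0) is always the node
# you are logged in to, so the first "Master State:" / "Sync State:" line
# describes the local node. Trailing whitespace is stripped from the value.
local_master_state() {
    awk -F': *' '/^[ \t]*Master State:/ {
        v = $2; sub(/[ \t\r]+$/, "", v); print v; exit }'
}

local_sync_state() {
    awk -F': *' '/^[ \t]*Sync State:/ {
        v = $2; sub(/[ \t\r]+$/, "", v); print v; exit }'
}

# "show version" prints "NetScaler NS13.0: Build 64.35.nc, Date: ...".
# Normalise that to "13.0-64.35", the same form as the firmware file name
# (build-13.0-64.35_nc_64.tgz), so it can be compared with what you uploaded.
ns_version() {
    sed -n 's/.*NetScaler NS\([0-9.]*\): Build \([0-9.]*\)\.nc.*/\1-\2/p'
}

# 0 when the local node is Secondary and may be upgraded; 1 otherwise.
safe_to_upgrade() {
    [ "$(local_master_state)" = "Secondary" ]
}

# 0 when config sync is still live and you must run
# "set ha node -hasync disabled" before the mixed-version window;
# 1 when it already reads AUTO DISABLED (or DISABLED).
sync_needs_disable() {
    case "$(local_sync_state)" in
        "AUTO DISABLED"|DISABLED) return 1 ;;
        *)                        return 0 ;;
    esac
}

# 0 when the running build equals $1, given as e.g. "13.0-64.35".
version_matches() {
    [ "$(ns_version)" = "$1" ]
}

# Constructed, abbreviated samples used by the "demo" mode below. They are
# not captured from a real appliance; addresses and build are illustrative.
SAMPLE_HA='1)      Node ID:      0
        IP:   192.0.2.10
        Node State: UP
        Master State: Secondary
        Sync State: AUTO DISABLED
2)      Node ID:      1
        IP:   192.0.2.11
        Node State: UP
        Master State: Primary
        Sync State: ENABLED
 Done'

SAMPLE_VERSION='        NetScaler NS13.0: Build 64.35.nc, Date: Sep 1 2020, 00:00:00   (64-bit)
 Done'

case "${1:-}" in
    ha)      safe_to_upgrade ;;        # ssh nsroot@NSIP 'show ha node' | sh nscheck.sh ha
    sync)    sync_needs_disable ;;     # ssh nsroot@NSIP 'show ha node' | sh nscheck.sh sync
    version) version_matches "${2:?expected build, e.g. 13.0-64.35}" ;;
    demo)
        printf '%s\n' "$SAMPLE_HA"      | local_master_state   # Secondary
        printf '%s\n' "$SAMPLE_HA"      | local_sync_state     # AUTO DISABLED
        printf '%s\n' "$SAMPLE_VERSION" | ns_version           # 13.0-64.35
        ;;
    "")      ;;                        # no mode: only define the functions
    *)       echo "usage: $0 ha|sync|version <build>|demo < cli-output" >&2; exit 2 ;;
esac
```

Use the exit status to gate a step, for example run sh nscheck.sh ha before starting installns on the node you believe is the standby, and sh nscheck.sh version 13.0-64.35 (substituting the build you uploaded) after the reboot; a non-zero exit means stop and look at the raw show ha node output before forcing a failover.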