Citrix Command Center

Command Center can be used to monitor, alert, and report on the following devices:

• NetScaler
• NetScaler VPX
• NetScaler SDX
• NetScaler Gateway Enterprise Edition
• CloudBridge
• CloudBridge VPX
• Citrix Repeater

Command Center is free for all editions of NetScaler so there’s no excuse to not install it.

Citrix whitepaper – Citrix Command Center – Deployment Sizing Guide: database sizing for scalar counters, vector counters, and Syslog.

SQL Express

If using SQL Express to store the Command Center database, do the following to enable TCP/IP:

1. When downloading SQL Server 2012 Express, either select the option With Tools or download SQL Server Management Studio and install it separately.
   
2. When installing SQL Express, feel free to use the default instance instead of a named instance.
   
3. In SQL Server Configuration Manager, expand SQL Server Network Configuration and click the Protocols node.
4. On the right, right-click TCP/IP and enable it. Then double-click TCP/IP.
   
5. On the IP Addresses tab, scroll all the way down and in the IPAll section, remove any TCP Dynamic Ports and instead enter a static TCP Port. 1433 is the typical default port.
   
6. On the left, click SQL Server Services.
7. On the right, right-click SQL Server and click Restart.
   

Create SQL Database and SQL Account

SQL 2005, SQL 2008, and SQL 2012 are supported.

1. In SQL Server Management Studio, go to the Properties of the SQL server and ensure that SQL authentication is enabled.
   
   
2. Create a database and call it CitrixCommandCenter or similar. Configure the Recovery model as desired.
   
   
   
3. Create a SQL Login (SQL Server authentication) for Command Center. Set the default database to the Command Center database.
   
   
4. Add the SQL account to the db_owner database role in the Command Center database.
   

Install Command Center

1. Command Center is supported on Windows Server 2008 R2, and Windows Server 2012 R2.
2. On the Command Center server, run the downloaded Command Center 5.2.46.7CC_Setup_5.2_46_7.exe. 💡
   
3. If the installer refuses to launch without error then you’ll need to uninstall all previously installed Java. Command Center comes with its own Java.
   
4. In the Introduction page, click Next.
   
5. In the License Agreement page, select I accept the terms and click Next.
   
6. In the Choose Install Folder page, click Next.
   
7. In the Choose Installation Type page, select Typical and click Next.
   
8. In the Database Settings page, change the selection to MSSQL and fill in the details. Notice that SQL 2012 and SQL 2014 are now supported. Then click Test Connection.
   
9. Click OK to acknowledge that the connection is successful and then click Next.
   
10. In the Security Settings page, make your selection and click Next.
    
11. In the Pre-Installation Summary page, click Install.
    
12. In the Install Complete page, notice the URL. Click Done.
    

Windows Firewall

Windows Firewall must be configured to allow UDP 162 for SNMP Traps, UDP 514 for SYSLOG, and 8443 for the Command Center management console.

Weak Ciphers

1. Point your browser to https://:8443. If you see a message about weak ephemeral Diffie-Hellman then you’ll need to follow Citrix CTX202036 Error:”ssl_error_weak_server_ephemeral_dh_key” When Launching Citrix Command Center Website.
   
2. Go to C:\Program Files (x86)\Citrix\Citrix Command Center\apache\tomcat\conf\backup and edit the file server.xml. You want the one in the backup folder.
   
3. Near line 102, change the ciphers to the ones listed in the article.
   
4. Go to C:\Program Files (x86)\Citrix\Citrix Command Center\conf and edit the file transportProvider.conf.
   
5. Near line 45, change the ciphers to the ones listed in the article.
   
6. Go to Services and restart the Citrix Command Center service.
   

Welcome Wizard

1. Go to https://:8443 and login as root and public.
   
2. In the Change Command Center User Password section, enter a new root password and click Save.
   
3. In the Add Device section, enter the NSIP of a NetScaler device. For a High Availability pair, only enter the NSIP of the primary device.
4. Click the plus icon next to Device Profile.
   
5. Give the Device Profile a name. The device profile contains the nsroot password so name the profile something that reflects the team that manages the devices.
6. In the Device Login section, enter nsroot as the User Name and the password configured on the NetScaler appliances. Scroll down.
   
7. In the SNMP section, enter a SNMP community name. Command Center will configure this on the appliances. Click Create.
   
8. Back in the Add Device section, click Continue.
   
9. Command Center will then begin discovery for the device. If Discovery fails, see CTX200377 – Command Center is Unable to Discover NetScaler
   
10. After discovery is complete, click Continue.
    
11. Don’t click Done yet.
12. On the right, in the Advanced column, click Mail Server Settings.
    
13. Enter the mail server information and click Save.
    
14. On the right, in the Advanced column, click Disk Management.
    
15. Adjust the grooming settings as desired and click Save.
    
16. Then click Done.
    

Administration Configuration

1. Switch to the Administration tab.
   
2. Click Settings on the left. On the right, click Inventory Settings.
   
3. In the ConfigureInventory Settings window, decide if you want to Archive on “Save Config” trap. Click OK when done.
   
4. Click Server Settings.
   
5. Command Center defaults to displaying devices based on their IP address. This can be changed to Host Name. Click OK when done.
   
6. In the Settings node, click Email Server Settings.
   
7. Fill out the mail server information so you can receive email alerts and click OK.
   
8. In the Settings section is Access Settings.
   
9. You can change the Session Timeout.
   
10. On the left, click Database Management. On the right, notice the Purge Settings links. Use those links to control the size of the database.
    
11. In the Database Management node, click Database Monitor Settings.
    
12. Specify a database size threshold. If your database automatically grows, then it’s probably best to configure an absolute database size instead of a size percentage.
13. When the Threshold is reached, you can configure it to automatically purge data.
    
14. You can also receive an email notification when the size limit is reached. Click OK when done.
    
15. On the left, expand Authentication and click LDAP.
16. On the right, click Add.
    
17. Enter the IP Address of load balanced LDAP (or one Domain Controller).
18. Change the Security Type to SSL.
    
19. To support SSL and/or TLS, you need to install the LDAP root certificate on Command Center. Copy the root cert to C:\Program Files (x86)\Citrix\Citrix Command Center\Certs.
    
20. Open an elevated command prompt and cd to C:\Program Files (x86)\Citrix\Citrix Command Center\bin.
21. Run importLDAPSCertificate.bat. The first parameter is the name of the root certificate file. The second parameter is commandcenter, which is the password to the trust store.
    
22. After importing the root cert, restart the Citrix Command Center service.
    
23. Back in Command Center adding an LDAP server, enter a Base DN and Bind DN.
24. Check the box next to Enable Group Extraction. This will cause more fields to appear.
25. Enter the fields shown below. Use the question mark to see examples. Click Create.
    
26. On the left, click the Authentication node. On the right, click Authentication Settings.
    
27. Change the Authentication Server to External.
    
28. Move your LDAP server to the right by clicking the plus icon or the right-arrow icon.
    
29. Ensure Enable fallback local authentication is enabled and click OK..
    
30. On the left, expand Security, and click Groups. On the right, click Add.
    
31. Type in the case sensitive group name.
32. Use the checkboxes to grant your desired permissions and click OK.
    
33. Once the group is added to Command Center, you can right-click it and click Advanced Settings to restrict the entities that are accessible to the user.
    
    
34. The Apply on bound entities also checkbox lets the group see the entities that are bound to the restricted object (e.g. services bound to a Virtual Server).
    
35. On the left, expand Security and click Syslog Servers. On the right, click Add.
    
36. Enter information for your syslog server and click Add.
    
37. On the right, click Syslog Parameters.
    
38. Set your desired parameters and click Modify.
    
39. On the left, under Security, cilck SNMP Agent Configuration. On the right, click Add.
    
40. Enter your SNMP information and click Create.
    

Command Center Certificate

1. Use IIS or the certificates snap-in to create a certificate that matches the FQDN of the Command Center server.
2. Export the certificate including private key to a .pfx file.
3. In the Command Center console, on the Administration tab, click Tools on the left.
4. On the right, click Install Certificate.
   
5. Click Choose File to and browse to the PFX file.
6. Enter the PFX password and click OK.
   
7. Click OK
   
   
8. Restart the Citrix Command Center service.
   

Discover Devices

Command Center to/from appliance communication:

• Command Center uses SNMP and SSH to communicate with an appliance.
• Appliances use SNMP traps to communicate with Command Center.
• After Command Center discovers an appliance, it will configure the appliance with the correct SNMP settings. You can also configure the SNMP Traps on the appliance manually.
• SFTP is used for file transfer.
• Devices can be configured to send Syslog to Command Center.

The Command Center server supports two types of devices:

• Standalone: A standalone device functions independently and is not configured in an HA setup.
• HA pair: This represents a pair of devices configured in an HA setup. The primary device in an HA setup processes the traffic. The secondary device monitors the primary and takes over the functions of the primary device if that device is unable to continue processing traffic.

You can add devices by specifying the host names of the devices, the IP addresses of each device, a range of IP addresses, and NAT HA devices. You can also add devices by importing the device names from a file. Note that when you specify a range, the first three octets of the low and high addresses must be the same. Command Center can discover only 254 devices in an IP address range.

The Command Center discovery process involves the following steps:

1. SNMP ping:The Command Center server sends a Simple Network Management Protocol (SNMP) GET request to a Citrix system-specific object identifier (OID) (for example, 1.3.6.1.4.1.5951.1.1). If the server successfully pings the device, it sets the status of step 2 to SUCCESS and proceeds to step 3. If the GET request fails, the device is not a Citrix device, or it is a Citrix device but SNMP is disabled on it. In either fail case, the Command Center server proceeds to step 2.
2. Find Citrix device: The Command Center server attempts to open an SSH session to the device based on the user credentials configured when adding a map. If the SSH session fails, the device is discarded as a non-Citrix device. If the SSH session succeeds, the server issues a CLI command to check whether the device is a Citrix device. A positive result moves the device to the next step. Otherwise, Command Center discards the device as a non-Citrix device. To check the cause of failure of this step, on the Citrix Networktab, click the >>> icon next to the device, and select Status. You can also view the cause of failure on the Device Status page.
3. Enable SNMP:On the discovered Citrix device, Command Center executes a command to configure an SNMP community based on the details entered when configuring the map or when adding a device. This step may fail for various reasons, such as network issues or if another SNMP manager is already configured on the device. To check the cause of failure, on the Citrix Network tab, click the >>> icon next to the device, and select Status. You can also view the cause of failure on the Device Status page.
4. Add trap destination: Devices communicate with Command Center by sending trap notifications. The Command Center server adds its IP address to the list of trap destinations on the discovered device. This allows Command Center to receive all events/traps generated on the Citrix device. However, this step may fail if the number of trap destinations exceeds the maximum limit of trap destinations on the Citrix device. The limit on Citrix NetScaler devices is 10. If an error occurs you must take corrective measures before you initiate rediscovery of this device. To check the cause of failure, on the Citrix Networktab, click the >>> icon next to the device, and select Status. You can also view the cause of failure on the Device Status page.
5. Collect inventory:The Command Center server collects the basic system information for the discovered devices using SNMP. You can view this information on the Device Properties page. For more information, see “Viewing Device Properties” in the Citrix Command Center Online Help. This step may fail if the SNMP manager configured on the Citrix device is not that of the server. It may also fail because of network issues or because the SNMP ports are not configured properly on the firewall. To check the cause of failure, on the Citrix Network tab, click the >>> icon next to the device, and select Status. You can also view the cause of failure on the Device Status page. If an error occurs you must take corrective measures, and then initiate rediscovery of the device.
6. Download files: The Command Center server initiates a Secure File Transfer Protocol (SFTP) session based on the user credentials defined while configuring the map. Then, it downloads the configuration and license files of the device. For Repeater devices, it downloads only the configuration files. The Command Center server stores these files in the database. This step may fail because of the following reasons:
   • Incorrectly specified user credentials
   • Incorrectly configured SFTP ports in the firewall
   • Network issues

To check the cause of failure, on the Citrix Network tab, click the >>> icon next to the device, and select Status. You can also view the cause of failure on the Device Status page. If an error occurs, you must take corrective measures, and then initiate rediscovery of this device.

Upon successful discovery, the devices appear on the corresponding maps as icons with their IP addresses or device names. If the server is unable to successfully discover the devices, it marks the devices as inaccessible, generates an event, and groups the devices under the Inaccessible Systems node.

To add more devices to Command Center:

1. Click the Citrix Network
2. Under Device Inventory, click NetScaler and on the right click Add.
   
3. Enter the NSIP of the NetScalers, select a device profile and click Continue.
   
4. You can click Discovery Status on the left of the page to check the status of the discovery.
   
5. Click the Refresh button on the top right to update the display. If Discovery fails, see CTX200377 – Command Center is Unable to Discover NetScaler
   
6. Once discovery is complete, you’ll see the devices on the Citrix Network tab in the DeviceInventory node. Consult docs.citrix.com (http://docs.citrix.com/en-us/command-center/5-2.html) for more info on what you can do in Command Center.
   

Configure Device Syslog

By default, a discovered device is only configured for SNMP. Additional reporting can be enabled by configuring the devices to send Syslog to Command Center.

1. In Command Center, switch to the Configuration
2. On the left, under Configuration, click Built-in Tasks.
3. On the right, select the NSConfigureSyslogServer task and click Execute.
   
4. In the Devices page, move the devices to the right and click Next.
   
5. In the User Input page, enter the IP address of the Command Center server and enter an Annotation. Click Next.
   
6. In the Summary page, click Finish.
   
7. Click OK to acknowledge that Task execution in progress.
   
8. Review the Execution Log to ensure configuration was completed successfully.
   
9. Or you can configure Syslog directly on the NetScaler appliance. Configure a Syslog action, a Syslog policy, and bind the Syslog policy globally. The Syslog action should point to the Command Center IP address on port UDP 514.
   

Alerts

1. Switch to the Fault tab.
2. On the left, expand SNMP, expand Alarms, and click Triggers. On the right, click Add.
   
3. Give the filter a name. Indicate the alarms for which you wish to receive an email. For example, check the boxes next to Critical and Major. You can restrict the alarms to specific devices.
4. Click Add Action.
   
5. Enter a name for the action.
6. Enter the email information including From and To addresses and the mail server name. You can click Test Email. Click OK when done.
   
7. Click OK when done adding actions.
   
8. If you have scheduled maintenance, you can schedule the triggers to disable and re-enable. Select the trigger and then click Schedule a Filter. 💡
   
9. Uncheck the Enable Filter box and set the time you want the trigger to be disabled.
   
10. Create another trigger schedule to re-enable the filter.
    
11. Click the Scheduled Filters button to view the schedules. For more info see CTX211879 How Do I Suppress Command Center Alarm Related Actions For a Particular Time Period?
    

Use Command Center

See CTX211875 How Do I Monitor and Manage Changes on NetScaler Using Command Center? for an overview of Audit Templates and Audit Policies.

See docs.citrix.com for information on how to use Command Center to monitor and configure your appliances.