Overview:

For the third time in 2020 Citrix has released firmware updates to address Critical security vulnerabilities within NetScaler appliances. The latest is detailed in Citrix article CTX2281474 (previous vulnerabilities include CTX276688 and CTX267027).

Due to the frequency of these releases, Keno Kozie Associates has prepared instructions to help cut through some of the complexity. These instructions are designed for engineers and administrators familiar with Citrix NetScaler appliances. If you need any assistance with this process, please contact us!

Prerequisites:

  1. Download the firmware file from Citrix
  2. Download WinSCP Portable
  3. Download PuTTY
  4. Back up the NetScaler
    • Follow Citrix’s documentation for the specific files to back up
    • VMware allows snapshots for easy rollback if you have a VPX running on VMware.
  5. Review the status of all services the NetScaler is servicing. If anything is unavailable before you start, that may be OK, but expect it to still be unavailable when you have completed your upgrade.
    • Locations to review on the NetScaler
      • Authentication –> Authentication Dashboard
      • Citrix Gateway –> Virtual servers
      • Security –> AAA-Application Traffic –> Virtual Servers
      • Traffic Management –> Load Balancing –> Virtual servers
      • Traffic Management –> Load Balancing –> Services
      • Traffic Management –> Load Balancing –> Service Groups
      • Traffic Management –> Content Switching –> Virtual Servers
  6. Save the running config

Upgrade Process for a Single Node:

  1. Copy firmware file to NetScaler with WinSCP
    • Connect with WinSCP to NetScaler
    • Make a directory under /var/nsinstall/XX.XXnsinstall
    • Upload the Firmware file to the directory you just created
  2. Using PuTTY, SSH into the NetScaler and complete the upgrade
    1. Drop to the shell prompt
      shell
    2. Change directory to the directory you created in Step 1
      cd /var/nsinstall/XX.XXnsinstall
    3. Unpack the firmware update
      tar -zxvf build-XX.X-XX.XX_nc_64.tgz
    4. Install the firmware update
      ./installns
    5. When prompted, press Y to reboot
      Y
    6. When the system is back online after the reboot, log in and verify that all services are online and that the firmware version reflects the one you applied.

Upgrade Process for a HA Pair:

  1. Copy firmware file to both NetScalers with WinSCP
    • Connect with WinSCP to NetScaler
    • Make a directory under /var/nsinstall/XX.XXnsinstall
    • Upload the Firmware file to the directory you just created

Upgrade the Standby Node:

  1. Using PuTTY, SSH into the NetScaler and complete the upgrade
    1. Drop to the shell prompt
      shell
    2. Change directory to the directory you created in Step 1
      cd /var/nsinstall/XX.XXnsinstall
    3. Unpack the firmware update
      tar -zxvf build-XX.X-XX.XX_nc_64.tgz
    4. Install the firmware update
      ./installns
    5. When prompted, press Y to reboot
      Y
    6. When the system is back online after the reboot, connect again with PuTTY
    7. Run commands
      1. Review the HA status (your node should be standby)
        show ha node
      2. If “Sync State” is not “AUTO DISABLED” run command to disable configuration sync
        set ha node -hasync disabled
      3. Review Version to confirm update was successful
        show version
      4. Force Failover so your upgraded node is active
        force failover
      5. Log in to the GUI of the upgraded node and verify all services are online.
        1. If services are not online, fix them or fail back to the other node
        2. If services are online, proceed with upgrade to other node

Upgrade the Previously Active Now Standby Node:

  1. Using PuTTY, SSH into the NetScaler and complete the upgrade
    1. Drop to the shell prompt
      shell
    2. Change directory to the directory you created in Step 1
      cd /var/nsinstall/XX.XXnsinstall
    3. Unpack the firmware update
      tar -zxvf build-XX.X-XX.XX_nc_64.tgz
    4. Install the firmware update
      ./installns
    5. When prompted, press Y to reboot
      Y
    6. When the system is back online after the reboot, connect again with PuTTY
    7. Run commands
      1. Review the HA status (your node should be standby)
        show ha node
      2. Review Version to confirm update was successful
        show version
      3. Force Failover so your upgraded node is active
        force failover
      4. Log in to the GUI of the upgraded, now active node and verify all services are online.
      5. If you previously manually disabled configuration sync on either node, enable it again
        set ha node -hasync enabled
      6. Save the running configuration
        save config
      7. Confirm HA Sync was a Success
        show ha node
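
An added example, not part of the original article: a gate to run before the unpack step in each of the upgrade procedures above, so that the archive is only extracted and installed if it matches the published digest. It assumes you have the SHA-256 published for your exact build; `file_sha256` and `verify_firmware` are names introduced for this example.

```shell
#!/bin/sh
# Added example, not from the original article. The expected digest is an
# assumption: take it from the vendor download page for your exact build.

# Print the lowercase SHA-256 of a file with whichever tool is present
# (FreeBSD-style `sha256`, GNU `sha256sum`, or `openssl` as a fallback).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi | tr 'A-F' 'a-f'
}

# Return 0 only if the digest matches and the archive lists a top-level
# installns (the script the procedure runs after extraction).
verify_firmware() {
    pkg=$1
    expected=$(printf '%s' "$2" | tr -d ' \r\n' | tr 'A-F' 'a-f')
    [ -f "$pkg" ] || { echo "missing file: $pkg" >&2; return 2; }
    # SHA-256 is exactly 64 hex characters; reject a truncated or padded paste.
    case $expected in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest is not 64 chars" >&2; return 2; }
    actual=$(file_sha256 "$pkg")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $pkg: computed $actual" >&2
        return 1
    fi
    # List without extracting, so nothing is unpacked from an unexpected archive.
    tar -tzf "$pkg" | grep -Eq '^(\./)?installns$' || {
        echo "no top-level installns in $pkg" >&2; return 1; }
    echo "OK $pkg sha256=$actual"
}

# Usage, in place of the bare `tar -zxvf` step:
#   verify_firmware build-XX.X-XX.XX_nc_64.tgz <published-sha256> \
#       && tar -zxvf build-XX.X-XX.XX_nc_64.tgz
if [ "$#" -eq 2 ]; then verify_firmware "$1" "$2"; fi
```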

Reference Documentation:

Author Andrew Phebus