NetScaler MAS and Multi-tenancy

By | December 19, 2016

If you’re a large enterprise with multiple NetScaler instances for different purposes, such as a VPX for Exchange or SharePoint, another one for NetScaler Gateway, and even a cluster for front-end eCommerce webshops, with multiple locations in the mix as well, there are a couple of things you want to have in place to ensure that things operate smoothly. First off is being able to delegate access to different groups and make sure that they get the events/alerts for their systems, while still having limited control of the appliances themselves.

NetScaler has different ways to separate control. Admin partitions allow us to split up instances into different logical partitions, and on the SDX appliance we can delegate a VPX instance (as its own virtual instance) for a specific purpose. From a centralized management point of view, however, Command Center lacked the functionality to ensure multi-tenant access.

MAS, however, has tried to bridge that gap and has a multi-tenancy feature which allows for centralized management while still providing a way to delegate access for different users/groups/customers to their own instances or admin partitions.

So let us consider the following: we have different tenants or departments that we wish to give access to manage their own instance from MAS, but we also want a helpdesk group which has the ability to monitor all the applications across the different tenant instances.

First off, we can add all the instances to our MAS deployment, then we can define owner access to those by creating our own tenants. NOTE: Tenant is specified as a user. Go into System –> Tenants –> Add

The tenant name is what is used in front of the username when logging in; for instance, if the tenant name is C1 the user will need to log in with C1\username. When you create a tenant, two groups will be created automatically, here c2_admin_group and c2_readonly_group.

Go in and modify c2_admin_group and specify which instances the tenant should have access to. Note that partitions will also appear in the list if there are any.

Select all applications and click Finish.

So now the user needs to log in with their credentials in the form C2\username.

Now they have full access to their own instance.

We need to repeat this for each tenant so that they have access to their own instance. Lastly, we need to create a helpdesk group which has access to all instances, but only to the monitoring part, to see the status of applications.

Go into System –> User Administration –> Groups and click Add. Create a new group named “something”, select the readonly permission, and make sure to select all instances.

Click Next, select “allow access to application monitoring only” and click Finish.

Now we need to create a user and add it to this group. Go to System –> User Administration –> User and click Add.
Create a new system user and add it to the group which we’ve created.

Since this is not a tenant user but a regular system user, they can log in with just their username and password. When they log in they can see all instances and virtual servers regardless of tenant.
But they only have access to see the applications.

And based upon their access rights they are not allowed to disable virtual servers.

They can also look at pre-created applications in the list.
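
An offline check for the delegation built above, as an added example that is not part of the original post or of MAS itself: it flags tenant groups that reach instances outside their tenant, cross-tenant groups that are more than read-only application monitoring, and tenant users placed in another tenant's or a cross-tenant group. The instance names, the "helpdesk" group name, the user names and the dict layout are constructed assumptions, not a MAS export format.

```python
# Constructed inventory: instance names, the "helpdesk" group name and this dict
# layout are assumptions for illustration, not a MAS export format.
TENANT_INSTANCES = {"c1": {"vpx-exchange"}, "c2": {"vpx-gateway"}}
ALL_INSTANCES = set().union(*TENANT_INSTANCES.values())

GROUPS = {
    "c1_admin_group": {"tenant": "c1", "permission": "admin",
                       "instances": {"vpx-exchange"}, "monitoring_only": False},
    # Drift: the C2 admin group has been given another tenant's instance.
    "c2_admin_group": {"tenant": "c2", "permission": "admin",
                       "instances": {"vpx-gateway", "vpx-exchange"},
                       "monitoring_only": False},
    "helpdesk": {"tenant": None, "permission": "readonly",
                 "instances": set(ALL_INSTANCES), "monitoring_only": True},
}
MEMBERS = {"C1\\alice": ["c1_admin_group"], "C2\\bob": ["c2_admin_group"],
           "carol": ["helpdesk"]}


def parse_login(login):
    """Split 'C2\\username' into (tenant, user); system users have no prefix."""
    tenant, sep, user = login.partition("\\")
    # Lower-casing to match the c2_* group names is an assumption of this sketch.
    return (tenant.lower(), user) if sep else (None, login)


def audit(groups, members, tenant_instances):
    """Return sorted (subject, problem) pairs that break the intended delegation."""
    findings = []
    for name, g in groups.items():
        if g["tenant"] is None:
            # Cross-tenant groups (the helpdesk) may only watch applications.
            if g["permission"] != "readonly" or not g["monitoring_only"]:
                findings.append((name, "cross-tenant group exceeds read-only application monitoring"))
        else:
            extra = g["instances"] - tenant_instances.get(g["tenant"], set())
            if extra:
                findings.append((name, "foreign instances: " + ", ".join(sorted(extra))))
    for login, group_names in members.items():
        tenant, _ = parse_login(login)
        for name in group_names:
            # Tenant users belong only in their own tenant's groups.
            if tenant is not None and groups[name]["tenant"] != tenant:
                findings.append((login, "tenant user in group " + name))
    return sorted(findings)


if __name__ == "__main__":
    for subject, problem in audit(GROUPS, MEMBERS, TENANT_INSTANCES):
        print(f"{subject}: {problem}")
```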

This is a great add-on to MAS, but I think that Citrix can add a bit more to the multi-tenancy feature to allow a more granular approach, letting admins define rights based upon single vServers instead of leaving it at the NetScaler instance level.
