NetScaler Upgrade 10.5 to 11

This post will cover upgrading the NetScaler code from 10.5 to 11 – more specifically, this covers upgrading from NetScaler 10.5 build 55.8007.e as discussed in my previous post here. The upgrade process is fairly straight forward – download the firmware from Citrix, then login to the web GUI under System, and select ‘Upgrade Wizard’.

Let’s get started with the upgrade wizard:

NetScaler upgrade wizard

 

If you have performed a NetScaler upgrade before, this is nothing new – select the location for the firmware file:

Firmware

Next, verify the licenses you have already installed, and begin the upgrade. One important note since this upgrade is coming from an ‘e’ release to a standard, or ‘maintenance’ (non-e) release, you will see the following warning:

NetScaler upgrade warning

 

The upgrade went very smoothly and very quickly. Since I had been using some of the upcoming features in the ‘e’ release that ended up being named ‘unified gateway’, these settings were preserved in the form of an already configured Unified Gateway:

NetScaler Unified Gateway

Other key things to note – the upgrade has turned back on SSLv3 support on the Gateway vServer…however, it has enabled support for TLSv1.1 and TLSv1.2 which was missing from the 8007.e release. Nice!

SSL TLS

You will also notice in the Gateway vServer configuration some of the new features for NetScaler 11 including EULA and portal theme configuration (CSW policies already existed in the 8007.e build).

New features

 

Modifying the Access Gateway look and feel is FINALLY possible within the GUI:

NetScaler portal theme

NetScaler portal

The base ‘Green Bubble’ theme looks much the same, just with the different ‘Unified Gateway’ verbiage. Coming soon I will modify the theme to match the new StoreFront 3.0.

NetScaler Unified Gateway

 

10 thoughts on “NetScaler Upgrade 10.5 to 11”

    • Ollie-
      Unlike the other Citrix products, NetScaler code upgrades are not (currently) tied to an SA date – there is nothing in the NetScaler code that checks for a date on the license file. That said, the NetScaler 11 upgrade is available to you essentially for free!

      Reply
  1. Dennis-

    Thanks for that note – I’ve added that to the post. I would bet that the reason I was able to go from 10.5 55.x to 11 successfully was because it was an ‘e’ release.

    Reply
  2. This is similar to Ollie’s question but we have a couple FIPS-enabled MPX9700s running 10.5 59.9.nc. We have an Enterprise platform license on them but our maintenance has since lapsed. According to your reply to Ollie, we would still be able to upgrade to 11 without issue? I am concerned because Citrix makes it sound like maintenance is required in order to get firmware upgrades, but I appear to have access to download the v11 code from Mycitrix. I’m trying to convince my customer to put at least a bronze maint. package on the devices, but I’m also concerned that there are security vulnerabilities that have been resolved in the newer code that should probably be applied sooner rather than later. Thanks!

    Reply
    • JD- with physical appliances, the platform licenses don’t expire as they can with VPX virtual appliances. The documentation on this is beyond confusing – I do, however believe that Access Gateway Universal licenses acquired from XA\XD platinum licensing do expire with SA.

      Since you are already on 10.5 build 59.9 you’re in pretty good shape. 10.5 build 57.7 added TLS_FALLBACK_SCSV support. For security, I would disable SSLv3 and re-order your cipher suites to enable forward secrecy on all of your SSL vservers (CAG, SLB or CSW)- here’s a quick guide: https://blog.cjharms.info/2014/11/perfect-forward-secrecy-and-netscaler.html

      Reply
      • Hey Jacob,

        Thought I’d post an update in case anybody wanted to know the answers to my questions. From Citrix themselves, 1.) Security vulnerabilities apply the same to both FIPS and non-FIPS devices because they run the same code bases and 2.) Firmware upgrades can be done even with lapsed maintenance as full licenses are perpetual, even if maintenance has lapsed.

        This brings me to my current problem 🙁 I successfully upgraded 2 of my 3 MPX9700 devices from NS10.5 53.9.nc to NS10.5 59.11.nc, but on the third one (of course!) the firmware upgrade itself seemed to go through fine but after I answered Y to reboot, the device never came back up. It is now stuck at Booting on the LCD without any network connectivity. Tried power cycling a few times to no avail. Tried connecting up an RS232 cable from COM port on PC to COM port on Netscaler and connecting using hyperterminal with 9600 baud, 8 bits, 1 stop bit, No parity. Nothing would show up on the screen when power cycling with the COM port connected. Mind you the consoling attempt was being done by our datacenter admin who has never worked with Netscaler so I’m going to physically get a hold of the device to see if I can get anything from the console.

        Is there anything else I could possibly try to recover this device? Admittedly I’m not very experienced with this scenario as the other two devices took the same firmware upgrade without issue.

        Thx
        JD

        Reply
        • JD-

          Thats correct – the only real difference between the FIPS and non-FIPS appliances is the HSM and a slightly different Cavium card; otherwise, it’s the same code. Unfortunately, the MPX9700’s don’t have LOM, so I don’t know if there is much else you can do.

          Reply
  3. Thanks Jacob. Turns out I typo’d the version number, we’re actually running 10.5 53.9.nc which I believe is vulnerable. So if I upgrade to a newer 10.5 or v11 release, would it break the XA licensing?

    Reply
    • JD- If you are using appflow (NetScaler Insight) I would recommend 10.5 build 57.7 – otherwise, looking at build 59.11 that was released 9/9/2015, support was added for TLS 1.1 and 1.2 for backend resources – which may be of value depending on the environment.

      I don’t know if you are using SmartCards\CAC\PIV, but I have not done any work with them and NS build 11 (or any FIPS appliances on 11 for that matter) though I don’t imagine things are much different than the 10.5 firmware.

      Upgrading will have no effect on XenApp licensing specifically. I am not 100% sure if the CAG universal licenses will expire or not – if your SA is already expired, then the CAG universals may be expired as well, but if you’re using smart access, you would likely know this already.

      Here’s two good posts regarding NS licensing:
      http://blogs.citrix.com/2012/11/16/access-gateway-licensing-demystified/
      http://blogs.citrix.com/2012/11/22/access-gateway-licensing-demystified-part-2-ha/

      Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.