cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

This product reached the end of support date on March 31, 2021.

Netscaler cookie - Grouping Attributes or other place?

tarjei_utnes
Organizer

Hi,

One of our customer uses a netscaler load balancer in front of 6 web servers.

The cookie is formatet as such:

NSC_wt_tlpmf.wjtnb.dpn=ffffffff093f540d45525d5f4f58455e445a4a423660

And it is a hash of the Virtual server name, Server IP, and Server Port.

https://github.com/catalyst256/Netscaler-Cookie-Decryptor

So my question is two parts

  1. Is there a better place than Grouping attributes to place it?
  2. Is there a possibility of transforming them to something humanly readable?

netsclaer.JPG

 

3 REPLIES 3

adam_piotrowicz
Dynatrace Pro
Dynatrace Pro

Tarjei,

Nice case (smile)

Many places are good for extracting particular cookie value and transforming to human readable by default looks to be impossible.

But under few conditions I believe we could achieve it ...

We need to confirm that:

  1. The AMD is sniffing the traffic between end users and Netscaler,
  2. There is finitive number of values of NSC_wt_tlpmf.wjtnb.dpn cookie (I believe it's 1 LB x 6 web server x number of ports, so it should not be many),
  3. Your final goal is to extract particular end-user-to-web-server session.

If so I would propose:

  1. Extract this cookie value as a username,
  2. Configure CAS to read it not as a username but as a Client Group DMI dimension, because then we can,
  3. Configure static mapping of recognized Client Group=ffffffff093f540d45525d5f4f58455e445a4a423660 to Client Group= 192.168.0.1
  4. Make DMI dimension aliases: Server IP address = Netscaler Server IP address and Client Group = Server IP address

This way you will fully workaround the lack of ability to decrypt the cookie and replace Netscaler IP with it in zdata that is read by CAS.

Let me know your thoughts.

tarjei_utnes
Organizer
Hi Adam,
Well to be exact, what I would like to do is to "tag" each operation with a server id.
Usually one can do this in similar scenarios with a X-forwarded-for header.
In this case we are listening to the traffic between end users and the netscaler, and therefore we are only seeing the "vip-adress" of the netscaler and not the 6 servers behind it. This however is possible do get from the aformentioned cookie, and therefore I was wondering whether another place to put it that Group attribute, and hopefully a place where I could rename / transform the cookie from the "gibberish" value to the actual IP adress of the node adress behind the netscaler.

And Client Group is perfect place for this as it's the only that meets all your requirements.