Blog

Upgrade Veeam Backup and Replication from version 11 to version 12


I am sure you have heard of the V12 release of Veeam Backup and Replication. If you have a V11 Veeam Backup and Replication environment you will upgrade at some point. There are a lot of new features in V12, with more focus on Object Storage and also securing your backup data.

In this video I will show you what the upgrade of Veeam Backup and Replication from V11 to V12 looks like and some of the problems you can run into. The upgrade is pretty straightforward, but you need to make sure that you know exactly how your backup environment is set up and which components will need an upgrade. If you are able to test the upgrade in an isolated environment, that is the way to go.


Secure your Veeam Backup for Microsoft 365 backup on your Veeam Hardened Repository


I’m sure a lot of you guys have a Veeam Backup and Replication server running with a Linux Hardened Repository. The advantage there is keeping your backups protected with immutability. In this vlog I will show you how to secure VB365 data with a VBR Hardened Repository.

If you also have Veeam Backup for Microsoft 365 running you know it is not possible to use that Hardened Repository on the Veeam Backup and Replication server. Luckily there is a workaround to still use that Hardened Repository and keep the data from that Veeam Backup for Microsoft 365 server immutable and secure on your own infrastructure. In this video I will show you how.

At the time of making this vlog we are on version 11 of Veeam Backup and Replication and on version 6 of Veeam Backup for Microsoft 365.


Setup pfBlockerNG python mode with pfSense


In this blog post I will show you how to set up pfBlockerNG python mode with pfSense. Nearly a year ago I made a blog post here explaining why I was moving away from pfBlockerNG to Pihole. The main reason was that pfBlockerNG could not show all the blocked DNS requests. This made it difficult to troubleshoot why some app or (IoT) device was not working properly. Read my blog post here for all the details.

In recent times, the developer of pfBlockerNG, BBcan177, has given pfBlockerNG a major update. With the integration of python into pfBlockerNG, it is now possible to show all DNS requests that are blocked. I’ve always loved the combination of pfSense and pfBlockerNG. I think it is a great setup for protecting your network and keeping all the ads and tracking away, making a better and safer internet for all the users on your network (kumbaya-mode). Plus you only need one device for routing and adblocking.

Requirements

For this blogpost I used the following versions:

  • pfSense ce 2.4.5-RELEASE-p1
  • pfBlockerNG-devel 3.0.0_10

Install pfBlockerNG package

Before you start configuring pfBlockerNG make sure your pfSense firewall runs fine and internet is working as expected for all the devices on your network. If this is the case then continue to make a backup of this running setup. It is always a good idea to have a backup before making changes. To do this go to Backup -> Backup & Restore. Click on Download configuration as XML. Save this file in a secure place.

Backup & Restore pfSense configuration

Then go to System -> Package Manager -> Available Packages. Search for pfBlockerNG. This part is very important. You need to install pfBlockerNG-devel package. Click on the green Install button behind pfBlockerNG-devel to install the package. After installing the package it should be in the list of Installed Packages:

pfSense Installed Packages

Configuring pfBlockerNG-devel

Before you start you should know that using the new python mode requires you to disable some settings in the Unbound DNS Resolver (if you are using that in pfSense). Disable the following options in Unbound Resolver:

  • DHCP Registration: Register DHCP leases in the DNS Resolver
  • OpenVPN Clients: Register connected OpenVPN clients in the DNS Resolver

pfBlockerNG has some checks to make sure that the options above are disabled when you enable python mode but I would strongly advise to disable them before starting to configure pfBlockerNG.

Unbound Resolver options to disable for python mode

After you’ve installed the package you will find it in the menu Firewall -> pfBlockerNG:

Menu Firewall -> pfBlockerNG

When you open pfBlockerNG for the first time you will be presented with a wizard. I just skip this because I like to setup pfBlockerNG manually with my own settings. Let me share them with you 🙂

Configure IP settings

I will share my production configuration with you, so I will blur out some things. Let’s start with the following settings. In the General tab I enable the checkboxes for pfBlockerNG and Keep Settings. The Keep Settings option will make sure that your pfBlockerNG configuration stays in place when upgrading or when you make a backup of your pfSense configuration. I also change the cron update settings here just to spread the cronjob load. You can leave this at the default and everything will just run fine :).

pfBlockerNG General Tab settings

pfBlockerNG can be used for IP blocking (malicious IPs) and DNSBL (DNS sinkhole). Let’s go over my settings for IP blocking. Go to the IP tab. The first section is IP Configuration. I pretty much use the basic settings here. I have a couple of IP blocklists configured and the De-Duplication option will make sure that there are no duplicate IPs in the blocklist pfBlockerNG builds. Make sure that the Placeholder IP Address is not being used in your network. The default of 127.1.7.7 should be fine. Here are my settings:

pfBlockNG IP Configuration

Next is MaxMind GeoIP configuration. You need to register and get a valid license key and you can register here for free. I use MaxMind GeoIP to block certain countries. If you don’t host services behind your pfSense router (like a webserver) you probably don’t need the country blocking because pfSense will default block all inbound connections. Security is all about layers and having this option is another layer of security. Here are my settings:

pfBlockerNG MaxMind GeoIP configuration

Next is Inbound Firewall Rules. These apply to any interface which is used to get internet traffic to your network. Here you select your WAN interface and if you have VPN client connections going to your VPN provider, select those here too. I use several VPN connections to VPN providers and those interface names end with _WAN. The screenshot below shows what I have selected here:

pfBlockerNG Inbound Firewall Rules

Next is Outbound Firewall Rules. These apply to any interface which you have on your local network. I have several local networks like a guest and a testlab network. I am running an OpenVPN server on pfSense and I treat that network also as a local network. Here are my settings:

pfBlockerNG Outbound Firewall Rules

I have also enabled the Floating Rules option because I like it that I can find all the firewall rules in one place. Kill States is enabled because IP blocklists are being updated several times a day and you want pfBlockerNG to kill any state to a blocked IP immediately. Don’t forget to hit the Save IP settings when you are done here.

Enable some IP feeds

To let pfBlockerNG block malicious IPs you need to enable some IP feeds. pfBlockerNG has a nice selection of IP feeds you can enable. Go to the Feeds tab and I would suggest enabling the PRI1 feed category and starting from there. Remember, the more feeds you enable the greater the chances are that you will break the internet :). Proceed with care is my advice, and only enable extra feeds after doing extensive testing. This is not a set-and-forget approach! It’s more a set-test-monitor-forget approach. Check my screenshots here:

pfBlockerNG Feed Settings

You just have to click on the + sign and pfBlockerNG will add the feeds. Afterwards you can find the feeds you enabled in the IP -> IPv4 tab. I have done some renaming and sorting here. Feel free to make your own adjustments. Here’s what mine looks like:

pfBlockerNG IP -> IPv4 Summary

I have changed the Action here to Deny Both. This means that pfBlockerNG will block incoming and outgoing communication to a blacklisted IP. I have also changed the Frequency of the updates. The PRI1 category is being updated a few times a day and I want pfBlockerNG to be on top of the changes, so I chose to update it every 4 hours. The others in my list have more to do with public DNS servers and DNS-over-HTTPS. In my experience they don’t change that much. I want to make clear that I don’t use IPv6 in my network. I have disabled it in pfSense and block it in my firewall rules. I don’t have a need for it at the moment and I don’t want to complicate things.

GeoIP blocking

While you are in the IP -> IPv4 tab click on the GeoIP tab if you want to block specific geographical regions or separate countries.

pfBlockerNG IP -> GeoIP

You will notice here that I have the Action set to Deny Both. But I don’t block the whole region. I block specific countries, and you can choose which countries you want to block by clicking on the pencil icon. Then select the countries, enable List Action and Logging and click on Save:

pfBlockerNG – GeoIP block specific countries

This is all I configure for the IP blocking part. Let’s move to the DNSBL part.

Configure DNSBL settings

I assume you know what DNSBL blocking does so I won’t go into the details here. It blocks malicious and/or unwanted advert domains. Recently pfBlockerNG got a huge update and DNSBL is now able to use python mode. This new python mode makes it a lot faster and also shows all the DNS requests which are being blocked! This is for me the major reason to get rid of my Pihole setup. I want my pfSense doing everything in my network, and adding pfBlockerNG to my setup gives me a single place to secure my network and keep ads and malicious traffic out of the door. You can read about all the changes in pfBlockerNG here.

To configure the DNSBL settings click on the DNSBL tab. There are a lot of options here and this can be overwhelming. These are the settings I have enabled or configured and I think this should give you a good starting point:

  • Enable DNSBL: checked (otherwise DNSBL will not be enabled :P)
  • DNSBL Mode: Unbound python mode. This is the major new option! We need this.
  • DNS Reply Logging: checked. This will show you all the DNS queries which are answered by Unbound.
  • DNSBL Blocking: checked. This option must be selected as soon as you choose Unbound python mode.
  • CNAME Validation: checked. This option makes sure that an ad domain cannot “bypass” DNSBL by using a different DNS name.

pfBlockerNG – DNSBL options

Scroll down to the DNSBL Configuration section and check Permit Firewall Rules. This will create rules in the Floating rules section of your firewall. I like having these in one place :). Also select all your internal networks here. This will enable pfBlockerNG for those networks. Here are my settings:

DNSBL Configuration – Permit Firewall Rules

As you can see I have several internal networks (LAN, Guest, DMZ, TestLAB) and I want pfBlockerNG to be enabled on all of those.

DNSBL Whitelist

Click on the + sign to open this section. In this section you can add domains you don’t want to be blocked. Like when you have a lot of Apple devices in your network you want to whitelist *.apple.com. Adding domains in the whitelist makes sure that even when these domains are in some DNSBL feed you have enabled (see next section) they will still be allowed (whitelisted) by pfBlockerNG. You can add domains here manually or using the Reports tab in pfBlockerNG. In the screenshot below you can see some examples I have added to my whitelist:

pfBlockerNG – DNSBL whitelist
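The whitelist precedence and the CNAME Validation option described above, as an added illustrative model (not pfBlockerNG’s own code): a blocklist as a feed would supply it, exact and wildcard whitelist entries, and a CNAME chain check showing why an alias to a blocklisted tracker is still caught. All domain names and CNAME records are constructed placeholders under `.test`.

```python
"""Added illustrative model (not pfBlockerNG's own code) of the DNSBL decisions
described above: a blocklist built from feeds, a whitelist with exact and
wildcard entries, and CNAME Validation, which also checks the names a query is
aliased to so an ad domain cannot hide behind a first-party-looking CNAME."""

# Constructed sample data (placeholder .test names, not real feeds).
BLOCKLIST = {"ads.tracker.test", "metrics.tracker.test", "ocsp.apple.test"}
WHITELIST_EXACT = {"ocsp.apple.test"}     # "whitelist this domain only"
WHITELIST_WILDCARD = {"*.apple.test"}     # "add a wildcard for the domain"

# Constructed CNAME records: news.shop.test is an alias for a blocklisted tracker.
CNAMES = {
    "news.shop.test": "ads.tracker.test",
    "cdn.shop.test": "static.shop.test",
}


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def is_whitelisted(name: str, exact=WHITELIST_EXACT, wildcard=WHITELIST_WILDCARD) -> bool:
    """Exact entries match one name; a '*.domain' entry matches domain and every subdomain."""
    name = _normalize(name)
    if name in exact:
        return True
    for entry in wildcard:
        base = _normalize(entry[2:] if entry.startswith("*.") else entry)
        if name == base or name.endswith("." + base):
            return True
    return False


def cname_chain(name: str, cnames=CNAMES, max_depth: int = 8) -> list:
    """Follow CNAME records from the queried name; stops on a loop or at max_depth."""
    chain = [_normalize(name)]
    while chain[-1] in cnames and len(chain) <= max_depth:
        target = _normalize(cnames[chain[-1]])
        if target in chain:  # CNAME loop: do not follow it forever
            break
        chain.append(target)
    return chain


def dnsbl_decision(qname: str, *, cname_validation: bool = True,
                   blocklist=BLOCKLIST, cnames=CNAMES) -> tuple:
    """Return ('allow' | 'block', reason) for a DNS query name.

    The whitelist wins over the feeds for the queried name; with CNAME
    Validation on, every alias in the chain is checked against the feeds too."""
    qname = _normalize(qname)
    if is_whitelisted(qname):
        return "allow", f"{qname} is whitelisted"
    names = cname_chain(qname, cnames) if cname_validation else [qname]
    for name in names:
        if name in blocklist and not is_whitelisted(name):
            via = "" if name == qname else f" via CNAME {name}"
            return "block", f"{qname} matches a DNSBL feed{via}"
    return "allow", f"{qname} is not in any enabled feed"


if __name__ == "__main__":
    for q in ("ads.tracker.test", "news.shop.test", "ocsp.apple.test", "www.apple.test"):
        print(q, "->", dnsbl_decision(q))
    print("news.shop.test without CNAME Validation ->",
          dnsbl_decision("news.shop.test", cname_validation=False))
```

Running it shows news.shop.test blocked only when CNAME Validation is on, which is exactly the bypass the option closes.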

Those are all the options I have set for DNSBL. Scroll to the bottom of this page and click on Save DNSBL settings.

Enable some DNSBL feeds

Now go to the Feeds tab and scroll down to the DNSBL category. Here you can enable different DNSBL feeds by clicking on the + sign:

DNSBL category – Enable feeds

I want to remind you again that the more feeds you enable, the bigger the chance is that you will break the internet for users on your network :). And you will find that for some services to work you will have to whitelist certain domain names like I explained above. The feeds you enable are listed in the DNSBL Groups section. Here you can review what feeds you have enabled, or disable and remove an enabled feed.

pfBlockerNG – DNSBL Groups

By clicking on the pencil icon at the end of the line you can edit those specific groups. The names of the groups will be different for you, I just renamed them for my ease:

pfBlockerNG – Enable or disable individual feeds

DNS over HTTPS/TLS Blocking

This version of pfBlockerNG also has a very extensive list of known public DNS servers that support DNS over HTTPS. DNS over HTTPS is a serious privacy and security risk, so you want to enable this because you don’t want devices in your network using these DNS servers and bypassing pfBlockerNG’s adblocking and pfSense’s DNS server. Go to the DNSBL SafeSearch tab and enable DoH/DoT Blocking. Then select all the DNS servers from the list you want to block and click on Save:

pfBlockerNG – DNS over HTTPS/TLS Blocking

The Reports tab in pfBlockerNG

The Reports tab is very important. It will give you an overview of what IPs or DNS names are blocked by pfBlockerNG. It will also tell you the source device of the DNS or IP request, thus making troubleshooting easy. Here you can investigate if pfBlockerNG is the reason why a certain app or website is not working properly for devices on your network:

pfBlockerNG – Reports tab blocked IP overview

The first section shows you the IPs being blocked and the section below that will show you DNS requests being blocked. Whitelisting an IP or DNS name is simply a matter of clicking on the + sign before the DNS name or IP:

pfBlockerNG – Reports tab blocked DNS overview

When you click on the + sign pfBlockerNG will ask you if you know for sure you want to whitelist this domain. Click OK:

pfBlockerNG – whitelisting DNS example

Then it will ask you if you want to whitelist this domain only or add a wildcard for the domain:

pfBlockerNG – Wildcard whitelisting

After that you will have the option to add a description. If you don’t want a description just click on No and that’s it. pfBlockerNG will no longer block that domain:

pfBlockerNG – Whitelist description

If you want to review the domains you have whitelisted you can just review them in the DNSBL Whitelist section in the DNSBL tab like I explained above.

With the settings and configuration options explained in this blog you should be off to a great start in keeping those ads, trackers and malicious websites out of your network. This is all you need to set up pfBlockerNG python mode with pfSense. pfBlockerNG has a lot more options but I don’t think you need all the features to be safe. The Reports tab is your friend for troubleshooting. Thank you for reading and good luck!


ProtonMail Bridge SMTP config with Apple Mail on macOS Big Sur


ProtonMail with ProtonMail bridge

In this post I will show you how to properly configure ProtonMail Bridge SMTP config with Apple Mail on macOS Big Sur. Online privacy is something I am very concerned with and that’s why it was a logical move for me to switch to ProtonMail. You can argue why not self host? Well for my personal situation I think setting up and maintaining a mailserver is just not worth my time. I am happy to pay ProtonMail and have my mind at ease.

If you found this post you most likely already know what ProtonMail Bridge is. Let me quote them because it basically explains it all:

ProtonMail Bridge is an application available to all paid users that enables the integration of your ProtonMail account with popular email clients, such as Microsoft Outlook, Mozilla Thunderbird, or Apple Mail. Bridge runs in the background by seamlessly encrypting and decrypting messages as they enter and leave your computer. The app is compatible with most email clients supporting IMAP and SMTP protocols.

The situation at hand

I must say I love their webmail solution but I still prefer using a dedicated mail app on my MacBook. Since I am on macOS I use Apple Mail because it fulfils my every need for a simple, straightforward mail client. I am hoping that they eventually develop a dedicated app for macOS just like the app on iOS (I hope you read this, ProtonMail :)). Anyway, after installing the ProtonMail Bridge app I followed their manuals for setting up Apple Mail. You can find their manuals here. Basically ProtonMail Bridge creates a profile which you have to accept and install. This profile then automatically configures Apple Mail. Great!

To make sure that everything works I rebooted my MacBook before starting Apple Mail. Immediately my ProtonMail mails and folders started to show up in Apple Mail. Very nice! Then I wanted to test if I could send emails from Apple Mail, but I just got an error that there was no SMTP server configured... what now?

Manual setup SMTP server settings

So it turns out that the profile which is created with the ProtonMail Bridge app on your MacBook does not install an SMTP server configuration for Apple Mail. I then went to the website of ProtonMail to check their knowledge base. I did not find any articles there on how to set up a manual configuration in Apple Mail. They do have an article which you can use here, but there is no SMTP configuration in it.

BUT if you open up ProtonMail bridge and click on your account you will see a Mailbox configuration option:

ProtonMail Bridge main window

Click on Mailbox configuration to reveal the SMTP information required for Apple Mail:

ProtonMail Bridge Mailbox Configuration window

What is this error?

So if you just get the information from the window as described above and enter it in Apple Mail you will get the following error “Unable to verify account name or password.”:

Apple Mail SMTP server error with ProtonMail Bridge

This happens because ProtonMail bridge creates a local SMTP server with default settings for ProtonMail. These defaults are:

  • Hostname 127.0.0.1
  • SMTP port 1025
  • Username <generated during account setup>
  • Password <generated during account setup>
  • Security STARTTLS

Manually entering this information in Apple Mail did not work and just shows the error you see in the image above: Unable to verify account name or password.

Proper setup for SMTP in ProtonMail Bridge

I did try reinstalling the profile and also rebooting. This does not work. Also, when I reboot my MacBook I get an error from ProtonMail Bridge telling me port 1025 is in use. Clearly this is not a working setup.

Then the troubleshooting started and I found out what configuration will work! Open the ProtonMail Bridge and click on Settings. Then click on Change IMAP & SMTP settings:

ProtonMail Bridge change server settings

Change the following things:

  • SMTP port: change this to 2025
  • SMTP connection mode: change this to SSL

Click on Okay.

ProtonMail Bridge change server and SSL

After changing these settings it is very important to reboot your MacBook. I found that only restarting the ProtonMail Bridge app is not enough.

Proper setup for ProtonMail SMTP server in Apple Mail

Now that your Mac is rebooted it is time to set up SMTP with the new settings in Apple Mail.

Open Apple Mail and then go to Preferences. Then go to the Accounts tab. In the left column select your ProtonMail account and then click on the Server Settings tab.

In the Server Settings tab you need to enter the following information in the Outgoing Mail Server (SMTP):

  • Account: select your ProtonMail account
  • Username: <yourProtonUserName>
  • Password: this is the password shown in ProtonMail Bridge Mailbox configuration window
  • Hostname: 127.0.0.1
  • Automatically manage connection settings unchecked
  • Port: 2025
  • Use TLS/SSL: checked
  • Authentication: Password

The screen should look like this:

Proper SMTP settings for ProtonMail in Apple Mail on macOS Big Sur

With the settings above and the adjustments in the ProtonMail Bridge app you should now be able to send mails using ProtonMail in Apple Mail! ProtonMail is already amazing and with this little addition I hope you can enjoy it much more :). This is everything you need to set up ProtonMail Bridge SMTP config with Apple Mail on macOS Big Sur.


Apply security update to Citrix ADC (CTX276688)


At the time of writing this blog post Citrix released information about 11 new vulnerabilities discovered in their NetScaler line of products including Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP. As sysadmins we want to keep our infrastructure secure and in this blog post I will show you how to apply the security update to the Citrix ADC (CTX276688) and mitigate for these vulnerabilities.

What to do now? Simple, upgrade to the latest version of Citrix ADC firmware. At the time of writing that is NS13.0 Build 58.32. Let me show you how.

If you followed my recent post Upgrade Citrix ADC firmware using CLI and you upgraded your Citrix ADC to version 13.0-58.30 according to my blog post then you should already be fine! Yay! The newly discovered vulnerabilities are documented in the Citrix Support Knowledge Center and are known by the number CTX276688. According to Citrix these vulnerabilities can only be exploited in very unique situations and circumstances and, as far as they know, they are not yet used in the wild. I will show you how to upgrade Citrix ADC to the patched firmware and keep hackers at bay.

Preparation

We will use the same steps from my blog post Upgrade Citrix ADC firmware using CLI. The difference now is that I will do the upgrade from version 13.0 Build 58.30 to the latest release version 13.0 Build 58.32.

Download the latest firmware

According to Citrix we need to upgrade our ADC with version 13.0 Build 58.32. You can find that firmware here. If you open up that page you will see the important message regarding CTX276688:

Download the firmware and save it to your computer. We will upload this file to the ADC and then start the upgrade.

Backup your current configuration

Before we start the upgrade process we need to backup the current configuration. You can do that using the steps I described here.

Start the upgrade

I am a big fan of CLI when it comes to upgrading these NetScaler appliances. But first we need to upload the new firmware to ADC. You can use the steps described here.

Start the upgrade script

Login to the ADC using SSH. I use Putty for this. After logging in you need to go to the directory where you uploaded the new firmware file. If you followed my post that should be somewhere in /var/nsinstall/<directory_name>. I have uploaded my firmware to the directory /var/nsinstall/vikash.nl:

We can see the new firmware there. Now extract it using the following command:

tar -xvzf build-13.0-58.32_nc_64.tgz

The tar -xvzf is the command you need to extract the file with the name build-13.0-58.32_nc_64.tgz (note the plain ASCII hyphen before xvzf; a dash pasted from a web page will not be understood by tar). Remember to replace the filename with the correct one. After the firmware is extracted you will have a lot of files there. The one we need is named installns. In your SSH / Putty session enter the following command to start the upgrade process:

./installns

Yes, the command starts with a dot (./), which runs the installns script from the current directory. After typing in the command you will see a screen similar to the one below, indicating that the upgrade has started:

The update process will take a while. When the upgrade is finished you will be prompted to reboot the ADC. Enter Y and hit enter:

After the reboot let’s check the version and make sure everything went well. Open the management page (webgui) and check the firmware version:

You can also check it using the CLI. Login using SSH / Putty and enter the following command:

show ns version

You should get the following output displaying the firmware version of ADC:

If the version displays NS13.0 Build 58.32 then your ADC is protected from the vulnerabilities as described in CTX276688.

Steps for updating a Citrix ADC High Availability pair (HA)

The steps described in this blogpost apply in general to ADC nodes which are running in a High Availability pair configuration. Every node can be upgraded using the same method I described in this post. Make sure you upgrade the individual nodes in the following order:

  • Upgrade the secondary node first.
  • Reboot the secondary node.
  • Disable HA-sync on the secondary node using cli: set ha node -hasync disabled.
  • Upgrade the primary node.
  • Reboot the primary node.
  • Check that all the config is still there after the reboot of the primary node.
  • Enable HA-sync on the secondary node using cli: set ha node -hasync enabled.

Upgrade Citrix ADC firmware using CLI


When running Citrix ADC it is vital to keep the ADC up-to-date. Usually Citrix ADC is very secure but every now and then they will discover bugs. That is when you need to update the firmware of the system. In this blog post I will show you how to upgrade Citrix ADC firmware using Command Line Interface (CLI).

Why do it using the CLI if there is a nice option in the webgui? In my experience doing it using the CLI is the most reliable way of getting the job done. The webgui is just not stable enough, because on numerous occasions I have seen an upgrade fail when doing it using the webgui. And when such a system is running a crucial part of your infrastructure you don’t want to end up with a broken ADC. The CLI way has been rock solid and delivers every time. It is not hard to do if you follow the steps in this blog post.

Preparation

I will perform the upgrade on my ADC running in my lab environment. The version I am running here is 13.0 52.24. I will upgrade to the latest version. At the time of writing this post the latest version is 13.0 58.30.

Download the latest firmware

Download the latest firmware from the Citrix website. When you visit the website choose for the Firmware option:

Then on the next page scroll down to the Build section and download the latest firmware:

Backup the Citrix ADC configuration

I’m sure you already know this, but often this step is still overlooked. Backing up the components in your network infrastructure is a vital part of running an IT infrastructure. Your backup strategy for Citrix ADC depends on the platform you are running it on. I have mine running on Windows Hyper-V 2019, so making a snapshot before starting the upgrade is pretty handy. I will also show you how to make a backup of the ADC configuration from the webgui. Making a backup using the webgui has always worked in my experience, so no need for the CLI here.

Login to the webgui and in the left menu expand System and click on Backup:

Then click on the Backup/Import button. You will be presented with several options. Enter a file name for the backup and something in the description that makes it easy to see why this backup was made. The most important part here is to select the Full backup level. Then click on Backup:

Now that the backup is made we need to download it from the ADC and keep it somewhere safe. Do this in case the upgrade does fail and you are not able to access the ADC using the webgui or SSH. You will see an overview of all backups available on the appliance once you clicked on the Backup button as seen in the screenshot above. Select the backup you just made and from the action menu select Download to save the backup file to your local computer:

Start the upgrade

We have done our preparations and now we need to get the firmware we downloaded onto the ADC and start the upgrade process.

Upload the new firmware

I use WinSCP to upload the new firmware to my ADC. Start WinSCP and login to your ADC using the SFTP option:

After logging in go to the /nsinstall directory and create a new directory there:

Upload the firmware using WinSCP:

Start the upgrade script

Login to the ADC using SSH. I use Putty for this. After logging in you need to go to the directory where you uploaded the new firmware file. First enter the command shell to drop from the NetScaler CLI into a FreeBSD shell:

Go to the directory where you uploaded the firmware file using WinSCP. On my ADC that is /var/nsinstall/vikash.nl:

We can see the new firmware there. Now extract it using the following command:

tar -xvzf build-13.0-58.30_nc_64.tgz

The tar -xvzf is the command you need to extract the file with the name build-13.0-58.30_nc_64.tgz (use a plain ASCII hyphen before xvzf; a dash pasted from a web page will not be understood by tar). Remember to replace the filename with the correct one. After the firmware is extracted you will have a lot of files there. The one we need is named installns. In your SSH / Putty session enter the following command to start the upgrade process:

./installns

Yes, the command starts with a dot (./), which runs the installns script from the current directory. After typing in the command you will see a screen similar to the one below, indicating that the upgrade has started:

The update process will take a while. When the upgrade is finished you will be prompted to reboot the ADC. Enter Y and hit enter:

After the ADC has rebooted login using the webgui and check the firmware version to make sure the upgrade was successful:

How do I do it for ADC’s in a High Availability pair?

The steps described in this blogpost apply in general to ADC nodes which are running in a High Availability pair configuration. Every node can be upgraded using the same method I described in this post. Make sure you upgrade the individual nodes in the following order:

  • Upgrade the secondary node.
  • Reboot the secondary node.
  • Disable HA-sync on the secondary node using cli: set ha node -hasync disabled.
  • Upgrade the primary node.
  • Reboot the primary node.
  • Check that all the config is still there after the reboot of the primary node.
  • Enable HA-sync on the secondary node using cli: set ha node -hasync enabled.
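Two checks that fit the CLI upgrade procedure in both Citrix ADC posts above (the CTX276688 post and this one), as an added example that is not from the posts or from Citrix: confirming the uploaded tarball actually carries installns before you run it, and parsing the output of show ns version after the reboot to verify the node is at or above the build the post names for CTX276688 (useful when walking through each node of an HA pair). The show ns version output shape is an assumption (a constructed sample of the form NetScaler NS13.0: Build 58.32.nc, Date: ...), as is the build-<release>-<build>_nc_64.tgz file naming taken from the filenames shown above.

```python
"""Added example (not from the original posts or from Citrix): pre- and
post-upgrade checks for the Citrix ADC CLI upgrade described above. Assumes the
firmware tarball was uploaded to /var/nsinstall/<directory_name> and that you
paste the text printed by `show ns version` into ns_version_ok()."""
import re
import tarfile
from pathlib import Path

# Patched firmware named in the CTX276688 post: (release, build).
CTX276688_FIXED = ("13.0", "58.32")

# Assumed output shape of `show ns version`, e.g. "NetScaler NS13.0: Build 58.32.nc, Date: ..."
# (the colon is optional so the post's "NS13.0 Build 58.32" form also matches).
_VERSION_RE = re.compile(r"NS(?P<release>\d+\.\d+):?\s*Build\s*(?P<build>\d+\.\d+)")
# Firmware file naming seen in the posts: build-13.0-58.32_nc_64.tgz
_FILE_RE = re.compile(r"build-(?P<release>\d+\.\d+)-(?P<build>\d+\.\d+)_")


def parse_ns_version(output: str):
    """Return (release, build) strings from `show ns version` output, or None."""
    m = _VERSION_RE.search(output)
    return (m.group("release"), m.group("build")) if m else None


def _as_tuple(dotted: str) -> tuple:
    # Numeric comparison per component so that 58.30 < 58.32 and 13.1 > 13.0.
    return tuple(int(part) for part in dotted.split("."))


def ns_version_ok(output: str, minimum=CTX276688_FIXED) -> bool:
    """True if the running firmware is at or above `minimum` (release first, then build)."""
    parsed = parse_ns_version(output)
    if parsed is None:
        return False
    release, build = parsed
    return (_as_tuple(release), _as_tuple(build)) >= (_as_tuple(minimum[0]), _as_tuple(minimum[1]))


def build_from_filename(name) -> tuple:
    """Read (release, build) out of an uploaded firmware filename, or None if it does not match."""
    m = _FILE_RE.search(Path(name).name)
    return (m.group("release"), m.group("build")) if m else None


def firmware_has_installer(tgz_path) -> bool:
    """Before running ./installns, confirm the uploaded tarball really contains it.

    This catches a truncated upload or the wrong file; a missing or unreadable
    archive returns False instead of raising."""
    try:
        with tarfile.open(tgz_path, "r:gz") as tf:
            return any(Path(m.name).name == "installns" and m.isfile() for m in tf.getmembers())
    except (tarfile.TarError, OSError):
        return False


if __name__ == "__main__":
    import sys
    # Usage on the ADC shell: python3 check.py build-13.0-58.32_nc_64.tgz
    tgz = sys.argv[1] if len(sys.argv) > 1 else "build-13.0-58.32_nc_64.tgz"
    print("filename build:", build_from_filename(tgz))
    print("installns present:", firmware_has_installer(tgz))
    print("sample version ok:", ns_version_ok("NetScaler NS13.0: Build 58.32.nc, Date: ..."))
```

Run ns_version_ok() against each node's show ns version output after its reboot, before moving on to the next node of the HA pair.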

Upgrading Citrix ADC firmware using the CLI is not that hard if you prepare beforehand and make sure that you have backups. Even upgrading nodes in a High Availability configuration is easy once you follow the steps in the same order as I described above. Good luck and stay safe!
