How to Upgrade NetScaler Firmware to 11 and FIPS Firmware to 2.2 in High Availability Setup

This article describes how to upgrade NetScaler firmware to 11 and FIPS firmware to 2.2 in high availability setup.

Points to Note Before Upgrading

• After the FIPS firmware is upgraded, it cannot be rolled back to previous version.
• Follow best practices and perform a complete back up of all certificates, keys, and configuration files before beginning the upgrade process. Depending upon how the system was originally set up there is a caveat/possibility to lose certificate bindings and/or certificates/keys, not only during the upgrade process but during a standard failover as well.

Summary of the Upgrade Procedure

Step1 – Upgrade NetScaler Firmware on the Secondary appliance in the HA pair.
Step2 – Upgrade the FIPS Firmware on the Secondary appliance in the HA pair.
Step3 – Force Failover.
Step4 – Upgrade NetScaler Firmware on the new Secondary appliance in the HA Pair.
Step5 – Upgrade the FIPS Firmware on the new Secondary?? appliance in the HA pair.
Step6 – Restore HA propagation and synchronization. Verify that configurations and certificate/keys are still fully present and validated.

Detailed Upgrade Procedure and Reference

1. Begin by following the best practices and upgrade procedure for upgrading an HA pair, ensuring that all configurations and certificates are backed up. You should also have physical access to appliances in the case of any unforeseen issues.
   Note: If upgrading from the 10.1 major branch, first upgrade to any 10.5 major branch revision (preferably the most recent) and then upgrade to major 11.0 branch. If you are already on 10.5 then you can upgrade directly to the 11 build.

2. After upgrading the secondary appliance’s OS firmware, follow best practices and upgrade procedures for upgrading FIPS firmware on the secondary appliance.

3. To download FIPS 2.2 firmware go to Citrix Downloads and scroll down to ‘Additional components’ and download both the 2.2 firmware and signature files.

4. Continue following best practices for upgrading HA pair with the upgrading of the original primary which should now be secondary at this point in the upgrade process.

5. After upgrading the OS firmware on new secondary appliance, follow best practices and continue upgrading the FIPS firmware on new secondary appliance.

6. Restore HA by ensuring that synchronization and propagation are enables. Verify that all configurations and certificate/keys are still present and validated.

There is a possibility that there will be a mismatch between the FIPS firmware reported in the GUI vs.CLI (1.1 vs. 2.2 respectively). This is a cosmetic issue which does not impede the performance or operation of the device and is under investigation presently. The CLI will show the correct version of the firmware. It should be noted that when viewing the CLI through the GUI from System > Diagnostics > Utilities> Command Line Interface option, this CLI will reflect the same version that the GUI does. An SSH session from a client such as Superputty will reflect the correct FIPS version.