Admin partitions

Admin partitions is one of the new features in NetScaler. It allows an appliance to be partitioned into logical entities called admin partitions, each of which can be configured and used as a separate NetScaler appliance. We can then allow superusers to access and configure their own partition.

This allows separate partitions for, for instance, the owners of Microsoft Exchange, SQL, SharePoint, and web applications, and so on.

Each partition has its own file structure where it stores configuration files for that partition, located under /nsconfig/partitions/<partitionName>. SSL certificates are stored under /var/partitions/<partitionName>/netscaler/ssl.

Each partition also has its own set of resources, which is defined during setup.

Note

There are still some limits on which features can be configured in admin partitions; the unsupported features include the application firewall, NetScaler Gateway, AAA-TM, load balancing for FTP, SIP, RADIUS, RDP, VXLAN, Cluster, DNS, GSLB, and so on. You can view the non-supported features here: https://docs.citrix.com/en-us/netscaler/11/system/admin-partition/admin-partition-config-types.html.

In order to segregate network traffic, we can bind a partition either to a particular VLAN or a Bridge Group.

To create a new partition, go to System | Partition Administrator | Partitions | Add. From there, give the partition a name and define the amount of resources that this partition should have access to.

Note

Integrated Caching is a supported feature in NS11 so, if we want to use caching on a partition, it is important that we define enough memory for the partition.

Afterwards, we should bind it to a VLAN, which is in turn bound to either an IP or an interface. If we have an MPX with multiple interfaces, it is common to bind a particular VLAN to an interface that is then bound to a partition. It is important to note that a VLAN can only be bound to one partition at a time.

Then we need to add a user with access to this partition. As of now in version 11 we cannot use external user access to a partition; this needs to be a local user on NetScaler.

When creating the new user, we can either define the user rights directly using system command policy or we can bind the user to an existing NetScaler group if we have one. Shown in the following screenshot are the different built-in user roles that define what kind of access/commands a user has:

By clicking on a role and choosing Edit, we can see which command sets a role has access to. We can also define our own user role by clicking Add and then going into Command Spec Editor. Here we can define custom access roles based upon features, which can then be bound to a partition. It is important to note here that, if we choose the non-partition user roles, the user will be able to switch between partitions. If we want to define a user as having admin privileges only on the partition, we can use the partition-admin role.

Now, after we have defined a user role and bound it to a user, we can click Done. In order to switch partitions, we have a quick-switch option in the top menu, as shown in the next screenshot. This option is available for superusers/sysadmins:

Partition administrators can access their partition using the same web management URL or using CLI. When they connect to their partition, the name of the partition they are on is shown as the title.

Note

Support for CLI mode is not complete yet; therefore a partition user who tries accessing NetScaler using CLI might get an error message saying: Operation not permitted.
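The role caveat above (a non-partition role lets a partition user switch between partitions) can be checked against a saved configuration. The following is an added example, not from the book or from Citrix: it assumes the ns.conf forms `bind system user <user> <policy> <priority>` and `bind system user <user> -partitionName <partition>`, assumes the built-in partition role names listed in the code, and runs over a constructed sample.

```python
import re
from collections import defaultdict

# Built-in partition-scoped roles (names assumed from NetScaler 11).
PARTITION_ROLES = frozenset({"partition-admin", "partition-operator",
                             "partition-read-only", "partition-network"})

# Assumed ns.conf forms:
#   bind system user <user> <cmdPolicy> <priority>
#   bind system user <user> -partitionName <partition>
BIND_RE = re.compile(r"^bind system user (\S+) (.+)$")


def audit_partition_users(conf_text, allowed=PARTITION_ROLES):
    """Return {user: [policies]} for users bound to a partition who also
    hold a command policy outside the allowed partition-scoped set."""
    policies = defaultdict(list)
    partitions = defaultdict(list)
    for line in conf_text.splitlines():
        m = BIND_RE.match(line.strip())
        if not m:
            continue
        user, rest = m.group(1), m.group(2).split()
        if rest[0].lower() == "-partitionname" and len(rest) >= 2:
            partitions[user].append(rest[1])
        elif not rest[0].startswith("-"):
            policies[user].append(rest[0])
    findings = {}
    for user in partitions:
        # Custom roles are reported too unless passed in via `allowed`.
        risky = [p for p in policies[user] if p not in allowed]
        if risky:
            findings[user] = risky
    return findings


# Constructed sample configuration (user and partition names are made up).
SAMPLE_CONF = """\
bind system user exch-admin partition-admin 1
bind system user exch-admin -partitionName exchange
bind system user sql-admin superuser 1
bind system user sql-admin -partitionName sql
bind system user web-ops partition-operator 1
bind system user web-ops -partitionName web
"""

if __name__ == "__main__":
    for user, roles in audit_partition_users(SAMPLE_CONF).items():
        print(f"{user}: non-partition role(s) {', '.join(roles)}")
```

Custom roles built in Command Spec Editor can be passed in through `allowed` once they have been reviewed.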
