Contents
Preface
About This Guide   xiii
New in This Release   xv
Audience   xv
Formatting Conventions   xv
Related Documentation   xvi
Getting Service and Support   xvi
Knowledge Center   xvii
Silver and Gold Maintenance   xvii
Subscription Advantage   xviii
Education and Training   xviii
Documentation Feedback   xix
Chapter 1
Load Balancing
How Load Balancing Works   25
Load Balancing Basics   26
Use of Wildcards Instead of IP Addresses and Ports   27
Configuring Basic Load Balancing   29
Configuring a Basic Setup   30
Modifying an Existing Load Balancing Configuration   43
Viewing a Load Balancing Vserver Configuration Using the Visualizer   49
Modifying a Load Balancing Configuration Using the Visualizer   52
Customizing Load Balancing Configuration   54
Changing the Load Balancing Algorithm   55
Configuring Persistent Connections Between Clients and Servers   97
Configuring Persistence Groups   108
Viewing Persistence Sessions   112
Clearing Persistence Sessions   113
Configuring the Redirection Mode   113
Assigning Weights to Services   115
Chapter 2
Content Switching
How Content Switching Works   273
Configuring Basic Content Switching   275
Understanding the Topology   276
Enabling Content Switching   277
Creating Content Switching Vservers   278
Configuring a Load Balancing Setup   279
Creating Content Switching Policies   279
Binding Policies to a Content Switching Vserver   281
Verifying the Configuration   282
Viewing a Content Switching Vserver Configuration Using the Visualizer   283
Modifying a Content Switching Configuration Using the Visualizer   284
Modifying the Basic Content Switching Configuration   284
Managing Content Switching Vserver   285
Managing Content Switching Policy   288
Customizing a Content Switching Setup   291
Setting Case Sensitivity for Policy Evaluation   291
Setting the Precedence for Policy Evaluation   292
Protecting the Content Switching Setup against Failure   294
Configuring a URL for Redirection   294
Configuring a Backup Vserver   296
Diverting Excess Traffic to a Backup Vserver   297
Managing Client Connections   299
Redirecting Client Requests to a Cache   300
Enabling Delayed Cleanup of Vserver Connections   301
Rewriting Ports and Protocols for Redirection   302
Inserting the IP Address and Port of a Vserver in the Request Header   302
Setting a Timeout Value for Idle Client Connections   304
Chapter 3
Chapter 4
HTML Injection
How HTML Injection Works   337
Configuring HTML Injection to Insert Data in the HTTP Header   338
Enabling the HTML Injection Feature   338
Injecting Data into the HTTP Header   339
Verifying the Configuration   343
Configuring HTML Injection to Insert Data into the HTTP Body   345
Internal Variables used for HTML Injection   345
Configuring Prebody Files   346
Configuring Postbody Files   347
Specifying Files to be used for Injection   349
Injecting Data into the HTTP Body   349
Configuring the HTML Injection Feature for Commonly Used Applications   353
Measuring Application Performance Using a Citrix EdgeSight for NetScaler Server   353
Enabling the HTML Injection Feature   354
Specifying Files to be used for Injection   355
Injecting Data into the HTTP Body   356
Chapter 5
Chapter 6
FIPS
How FIPS Works   455
Configuring a FIPS system   456
Configuring the HSM   456
Managing FIPS Keys   458
Creating FIPS Keys   458
Exporting FIPS Keys   458
Importing FIPS Keys   459
Importing External Keys   460
Configuring a Certificate Signing Request   463
Configuring a High Availability (HA) FIPS system   464
Managing Certificates   464
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Cache Redirection
How Cache Redirection Works   692
About Transparent Redirection   694
About Reverse Proxy Redirection   696
About Forward Proxy Redirection   698
About Advanced Cache Redirection   700
Configuring Cache Redirection and Load Balancing   701
Enabling Cache Redirection and Load Balancing   701
Viewing a Cache Redirection Virtual Server   702
Configuring Transparent Cache Redirection   703
Configuring Edge Mode   704
Configuring a Load Balancing Virtual Server for the Cache   704
Configuring an HTTP Service   705
Binding a Service to a Load Balancing Virtual Server   707
Configuring a Cache Redirection Virtual Server for Transparent Mode   707
Turning Off Caching for Particular Origin Servers   710
Configuring Reverse Proxy Cache Redirection   711
Configuring a Load Balancing Virtual Server for the Cache   713
Configuring a Load Balancer Virtual Server for the Origin   715
Configuring a Reverse Proxy Cache Redirection Virtual Server   716
Configuring a Mapping Policy   718
Appendix A
Appendix B
Index   759
Preface
Before you begin to configure the features described in this document, take a few
minutes to review this chapter and learn about related documentation, other
support options, and ways to send us feedback.
In This Preface
About This Guide
New in This Release
Audience
Formatting Conventions
Related Documentation
Getting Service and Support
Documentation Feedback
Chapter 3, NetScaler Web 2.0 Push. Describes how you can use the
NetScaler Web 2.0 Push feature to offload the long-lived TCP connections
to the NetScaler and reduce the number of persistent client connections on
the server. With the NetScaler Web 2.0 Push feature, the NetScaler
Chapter 9, Link Load Balancing. Link load balancing (Link LB) balances
inbound and outbound traffic transparently across multiple Internet
connections. It enables an enterprise with more than one Internet
connection, or with a private network, to monitor and control traffic so that
users are routed over the best available Internet link. For example, an
organization can connect to the Internet through two different service
providers, such as Sprint and AT&T.
Audience
This guide is intended for the following audience:
The concepts and tasks described in this guide require you to have a basic
understanding of NetScaler virtual IP address and virtual server configuration. It
is also helpful to have a basic understanding of NetScaler policies.
Formatting Conventions
This documentation uses the following formatting conventions.
Formatting Conventions
Convention
Meaning
Boldface
Italics
Monospace
[brackets]
(ellipsis)
Related Documentation
A complete set of documentation is available on the Documentation tab of your
NetScaler and from http://support.citrix.com/. (Most of the documents require
Adobe Reader, available at http://adobe.com/.)
To view the documentation
1.
2.
3.
To view a short description of each document, hover your cursor over the
title. To open a document, click the title.
You can also get support from Citrix Customer Service at http://citrix.com/. On
the Support menu, click Customer Service.
Knowledge Center
The Knowledge Center offers a variety of self-service, Web-based technical
support tools at http://support.citrix.com/.
Knowledge Center features include:
Security bulletins
Online problem reporting and tracking (for organizations with valid support
contracts)
North America, Latin America, and the Caribbean: 8 A.M. to 9 P.M. U.S.
Eastern Time, Monday through Friday
Subscription Advantage
Your product includes a one-year membership in the Subscription Advantage
program. The Citrix Subscription Advantage program gives you an easy way to
stay current with the latest software version and information for your Citrix
products. Not only do you get automatic access to download the latest feature
releases, software upgrades, and enhancements that become available during the
term of your membership, you also get priority access to important Citrix
technology information.
You can find more information on the Citrix Web site at http://www.citrix.com/
(on the Support menu, click Subscription Advantage).
You can also contact your sales representative, Citrix Customer Care, or a
member of the Citrix Solutions Advisors program for more information.
Documentation Feedback
You are encouraged to provide feedback and suggestions so that we can enhance
the documentation. You can send email to the following alias or aliases, as
appropriate. In the subject line, specify Documentation Feedback. Be sure to
include the document name, page number, and product release version.
You can also provide feedback from the Knowledge Center at http://
support.citrix.com/.
To provide feedback from the Knowledge Center home page
1.
2.
3.
On the Documentation tab, click the guide name, and then click Article
Feedback.
4.
Chapter 1
Load Balancing
This chapter describes the load balancing (LB) feature of a Citrix NetScaler. Load
balancing allows a NetScaler to distribute the client requests across multiple
servers. Load balancing improves server fault tolerance and end-user response
time. This chapter lists the basic and a few advanced settings that you can
configure on a NetScaler.
In This Chapter
How Load Balancing Works
Configuring Basic Load Balancing
Customizing Load Balancing Configuration
Protecting the Load Balancing Configuration against Failure
Managing Client Traffic
Managing and Monitoring Servers
Managing a Large Scale Deployment
Configuring Load Balancing for Commonly Used Protocols
Configuring Load Balancing in Commonly Used Deployment Scenarios
Troubleshooting Common Problems
LB architecture
The entities that you must configure in a typical load balancing setup are:
Monitor. An entity that tracks the health of the services. The NetScaler
periodically probes the servers using the monitor bound to each service. If a
server does not respond within a specified response time-out, and the
specified number of probes fails, the service is marked DOWN. The
NetScaler then performs load balancing among the remaining services.
The vserver can use an Internet Protocol version 4 (IPv4) or an Internet Protocol
version 6 (IPv6) address, and the server object can represent a server with either
an IPv4 or IPv6 address. The load balancing feature supports configurations in
which the vserver and the server use different IP address types.
To configure load balancing, you must first create services. Then, you must create
vservers and bind services to the vservers. By default, the NetScaler binds a
monitor to each service. You can also assign weights to a service. The LB
methods use the assigned weight to select a service.
You can enable a NetScaler option to maintain persistent connections between
clients and servers. For instance, in e-commerce such as shopping cart usage, the
server needs to maintain the state of the connection to track the transaction. To
maintain the state of a connection, you must configure persistence on a vserver.
The NetScaler selects a server to process a client request and forwards all
subsequent requests to the selected server.
You can also specify persistence for a group of vservers. When you enable
persistence on the group, the client requests are directed to the same selected
server regardless of which vserver in the group receives the client request. When
the configured idle time for persistence elapses, any vserver in the group is
selected for the incoming client requests.
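The three mechanisms just described (a monitor marking a service DOWN, the LB method choosing among the UP services using their weights, and persistence pinning a client to its selected server until the idle time elapses) interact in a way that is easier to see in running code than in prose. The following Python model is an added illustration and is not NetScaler code; it uses the least connection method with the sample names Vserver-LB-1, Service-HTTP-1 and Service-HTTP-2 from this chapter, and the way it applies weight (dividing active connections by weight) and the weight and timeout values are constructed assumptions for the demo.

```python
# Added illustration of the selection logic described above; not NetScaler code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Service:
    name: str
    weight: int = 1          # assumption: weight scales how many connections a service may carry
    up: bool = True          # False once the monitor has marked the service DOWN
    active_conns: int = 0    # connections currently assigned to this service


@dataclass
class Vserver:
    name: str
    services: List[Service]
    persistence_timeout: int = 120   # idle seconds after which a persistence entry is dropped
    _persist: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # client -> (service, last seen)

    def state(self) -> str:
        # a vserver is UP as long as at least one bound service is UP
        return "UP" if any(s.up for s in self.services) else "DOWN"

    def least_connection(self) -> Optional[Service]:
        # weighted least connection: among UP services pick the one with the
        # lowest active_conns/weight ratio; ties resolve by name for determinism
        candidates = [s for s in self.services if s.up]
        if not candidates:
            return None
        return min(candidates, key=lambda s: (s.active_conns / s.weight, s.name))

    def select(self, client: str, now: int) -> Optional[Service]:
        """Return the service that handles this client's request at time `now`."""
        entry = self._persist.get(client)
        if entry is not None:
            svc_name, last_seen = entry
            svc = next((s for s in self.services if s.name == svc_name), None)
            # honour persistence only while the entry is not idle-expired and the server is UP
            if svc is not None and svc.up and now - last_seen <= self.persistence_timeout:
                self._persist[client] = (svc_name, now)
                return svc
            del self._persist[client]
        # no usable persistence entry: run the LB method and open a new connection
        svc = self.least_connection()
        if svc is not None:
            svc.active_conns += 1
            self._persist[client] = (svc.name, now)
        return svc


def run_demo() -> List[str]:
    """Replay a constructed request sequence against the chapter's sample names."""
    s1 = Service("Service-HTTP-1", weight=1)
    s2 = Service("Service-HTTP-2", weight=2)   # weight 2 is a constructed value
    vs = Vserver("Vserver-LB-1", [s1, s2], persistence_timeout=120)
    chosen: List[str] = []

    def req(client: str, now: int) -> None:
        svc = vs.select(client, now)
        chosen.append(svc.name if svc else "NONE")

    req("clientA", 0)     # both idle: tie -> Service-HTTP-1
    req("clientB", 1)     # Service-HTTP-1 at 1/1, Service-HTTP-2 at 0/2 -> Service-HTTP-2
    req("clientC", 2)     # 1/1 vs 1/2 -> Service-HTTP-2 again
    req("clientA", 3)     # persistence: stays on Service-HTTP-1
    s1.up = False         # monitor marks Service-HTTP-1 DOWN
    req("clientA", 51)    # persisted server DOWN: entry dropped, re-balanced to Service-HTTP-2
    req("clientB", 300)   # idle > 120 s: persistence expired, LB method runs again
    return chosen


if __name__ == "__main__":
    print(run_demo())
```

The two points worth noticing are that a persistence entry is only honoured while its server is still UP (otherwise the client is silently re-balanced, which is what keeps a failed server from taking its pinned clients down with it) and that an expired entry falls back to the LB method rather than to the previously chosen server.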
If you are reaching the limit for the number of IP addresses and ports that
you can configure on the NetScaler.
Port
Protocol
Description
TCP
TCP
address
Various, including HTTP, SSL, SSL_TCP, and TCP
port
SSL,
SSL_TCP
port
Not
applicable
Note that global HTTP ports are an exception in regards to wildcards. You do not
configure services or vservers for a global HTTP port. In this case, you can
configure a specific port using the following command:
set ns config httpPort port
After configuring this port, the NetScaler accepts all traffic that matches the port
number, and processes it as HTTP traffic. The NetScaler dynamically learns and
creates services for this traffic.
Note: If you have configured the NetScaler as a transparent pass-through that
makes use of global (wildcard) ports, you may want to turn on Edge mode. For
more information, see Configuring Edge Mode, on page 704.
2.
3.
4.
If the NetScaler is unable to select a vserver based on its IP address, it selects the
vserver based on the protocol used in a request, in the following order:
1.
HTTP
2.
TCP
3.
ANY
In the diagram, load balancing is used to manage traffic flow to the servers. The
vserver selects the service and assigns it to serve client requests. Consider a
scenario where the services Service-HTTP-1 and Service-HTTP-2 are created and
bound to the vserver named Vserver-LB-1. Vserver-LB-1 forwards the client
request to either Service-HTTP-1 or Service-HTTP-2. The NetScaler selects the
service for each request using the least connection LB method. The following
table lists the names and values of the basic entities that must be configured on
the NetScaler.
Sample Load Balancing Configuration

Entity Type   Name             IP Address     Port   Protocol
Vserver       Vserver-LB-1     10.102.29.60   80     HTTP
Services      Service-HTTP-1   10.102.29.5    8083   HTTP
              Service-HTTP-2   10.102.29.6    80     HTTP
Monitors      Default          None           None   None
The following diagram shows the load balancing sample values and mandatory
parameters that are described in the preceding table.
1.
2.
In the details pane, under Modes and Features, click Change basic
features.
3.
In the Configure Basic Features dialog box, select the Load Balancing
check box, and then click OK.
4.
Example
enable feature lb
Creating Services
You can add, modify, bind, and remove services. Once configured, services are in
the disabled state until the NetScaler can reach the server on the network and
monitor its status. To create services, use the mandatory parameters as described
in the following table.
Service Configuration Parameters
Parameter
Specifies
Name
(Name)
Service Type
(serviceType)
Port
(Port)
Before you create a service, you need to understand the service types and the
usage of each type. NetScaler supports the following service types:
HTTP. For HTTP services and virtual servers. To enable the Layer 7
benefits for HTTP connections such as compression, content filtering,
caching, and Client Keep Alive, you can configure services and virtual
servers of type HTTP. Because HTTP is a TCP based application protocol,
you may alternatively use service type TCP, however, in this case, the
NetScaler will only perform Layer 4 load balancing and will not provide
the Layer 7 benefits listed above, as well as the following:
Push
Redirect URL
SSL. For HTTPS services and virtual servers. Select this service type to
configure the NetScaler to encrypt and decrypt (offload) SSL traffic.
Alternatively, you can use service types SSL_BRIDGE, SSL_TCP, or TCP;
however, in these cases, the NetScaler performs only Layer 4 load
balancing, and the server must encrypt and decrypt the SSL traffic. Also,
with service types SSL_BRIDGE, SSL_TCP, and TCP, no Layer 4-Layer 7
processing can be done, such as persistence based on HTTP information,
content switching, rewrite, etc., and the following options are not
supported:
Push
Redirect URL
FTP. For FTP services and virtual servers. This setting ensures that the
NetScaler takes care of the specifics of the FTP protocol. Alternatively, you
can use service type TCP with the appropriate additional service type ANY
virtual server.
TCP. For any TCP services or virtual servers for which a more specific
service type is not available. Alternatively, you can use service type ANY.
SSL_BRIDGE. For services and virtual servers using the SSL protocol
when you do not want the NetScaler to encrypt or decrypt the SSL traffic.
Alternatively, you can use SSL_TCP for the service type.
DNS. For Domain Name System services and virtual servers. With service
type DNS, the NetScaler will validate the packet format of the DNS
requests and responses, it can cache the DNS responses, and it will be
possible to apply DNS policies to the service or vserver. Alternatively, you
can use service type UDP, but in this case the NetScaler will only perform
Layer 4 load balancing and will not provide the other benefits possible with
the DNS service type.
ANY. For any TCP, UDP, and Internet control message protocol (ICMP)
services or virtual servers. The ANY parameter is used primarily with
firewall load balancing and link load balancing.
DNS-TCP. For enabling the NetScaler to act as a proxy for TCP traffic sent
to DNS servers. With service type DNS-TCP, the NetScaler will validate the
packet format of the DNS requests and responses, and it can cache the DNS
responses. Alternatively, you can use service type TCP, but the NetScaler
will not parse DNS queries and it will only perform Layer 4 load balancing
of external DNS name servers.
RTSP. For Real Time Streaming Protocol services and virtual servers.
RTSP provides delivery of multimedia and other streaming data. Select this
type to support media streams, such as audio and video. Alternatively, you
can use service type TCP, but in this case, the NetScaler will not
parse the RTSP traffic, it will perform Layer 4 load balancing only, and the
following options are not supported:
RTSPID persistence
RTSP Natting
Note: For more information about SSL and SSL TCP service types, see Chapter
5, Secure Sockets Layer (SSL) Acceleration.
1.
2.
3.
In the Create Service dialog box, in Service Name, type the name for the
service (for example, Service-HTTP-1).
4.
5.
6.
7.
Click Create and click Close. The service you created appears in the
Services page.
Example
add service Service-HTTP-1 10.102.29.5 HTTP 80
Specifies
Name
(Name)
Domain Name or
IP address
(serverName)
1.
In the navigation pane, expand Load Balancing, and then click Servers.
2.
3.
4.
Click Create and click Close. The server you created appears in the
Servers page.
Example
add server Server-1 10.102.29.18
Creating a Vserver
After you create a service, create a vserver and associate the service with the
vserver. You can add, modify, and remove vservers. The state of the vserver is
DOWN when you first create it because active services are not bound to it. To
create a vserver, use the parameters as described in the following table.
Vserver Configuration Parameters
Parameter
Specifies
Name
(Name)
IP address
(IPAddress)
Service Type
(serviceType)
Port
(Port)
1.
2.
3.
In the Create Virtual Server (Load Balancing) dialog box, in the Name,
IP Address, and Port text boxes, type the name, IP address, and port of the
vserver (for example, Vserver-LB-1, 10.102.29.60, and 80).
Note: If the vserver uses IPv6, select the IPv6 check box and enter the
address in IPv6 format (for example,
1000:0000:0000:0000:0005:0600:700a:888b).
4.
In the Protocol list, select the type of the vserver (for example, HTTP).
5.
Click Create and click Close. The vserver you created appears in the Load
Balancing Virtual Servers page, as shown in the following screen shot.
Example
add lb vserver Vserver-LB-1 HTTP 10.102.29.60 80
If the state of one of the bound services is UP or out of service, the state of
the vserver is UP.
To load balance the incoming traffic, you must bind the services to vserver. In
most cases, services are bound to vservers of the same type, but you can bind
different types of services and vservers. The following table shows the supported
cases.
Supported Mixtures of Vserver and Service Types for Load Balancing

Vserver type   Service type   Comment
HTTP           SSL            Back-end encryption
SSL            HTTP           SSL offloading
SSL_TCP        TCP
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver for which you want to bind the service
(for example, Vserver-LB-1).
3.
Click Open.
4.
5.
Click OK.
Example
bind lb vserver Vserver-LB-1 Service-HTTP-1
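The commands quoted in this section (enable feature lb, add service, add lb vserver, bind lb vserver) are the whole of the basic setup, and the order matters: services and the vserver must exist before a bind, and a bind is only valid for the vserver/service type combinations in the table above. The following Python script is an added illustration, not NetScaler or Citrix code: it generates that command sequence for the sample configuration table (names, addresses, ports and types are the table's values) and refuses to emit a bind the mixtures table does not list. The mixture check relies only on the rows visible in the table plus the same-type case, so it is deliberately strict about anything else.

```python
# Added illustration: emits the CLI commands quoted in this chapter for the
# sample configuration and checks each binding against the mixtures table.
from typing import Dict, List

# (vserver type, service type) pairs from the "Supported Mixtures" table and the
# comment given there; binding a service of the vserver's own type is the normal case.
SUPPORTED_MIXTURES = {
    ("HTTP", "SSL"): "Back-end encryption",
    ("SSL", "HTTP"): "SSL offloading",
    ("SSL_TCP", "TCP"): "",
}


def binding_allowed(vserver_type: str, service_type: str) -> bool:
    """True if a service of service_type may be bound to a vserver of vserver_type."""
    if vserver_type == service_type:
        return True
    return (vserver_type, service_type) in SUPPORTED_MIXTURES


def build_config(vserver: Dict[str, str], services: List[Dict[str, str]]) -> List[str]:
    """Return the ordered CLI commands for the setup: enable the feature, create
    the services, create the vserver, then bind. Raises ValueError before emitting
    anything if a binding is not supported by the mixtures table."""
    for s in services:
        if not binding_allowed(vserver["type"], s["type"]):
            raise ValueError(
                f"cannot bind {s['type']} service {s['name']} "
                f"to {vserver['type']} vserver {vserver['name']}"
            )
    cmds = ["enable feature lb"]
    for s in services:
        # syntax as quoted in the chapter: add service <name> <ip> <type> <port>
        cmds.append(f"add service {s['name']} {s['ip']} {s['type']} {s['port']}")
    # syntax as quoted in the chapter: add lb vserver <name> <type> <ip> <port>
    cmds.append(
        f"add lb vserver {vserver['name']} {vserver['type']} {vserver['ip']} {vserver['port']}"
    )
    for s in services:
        cmds.append(f"bind lb vserver {vserver['name']} {s['name']}")
    return cmds


# values from the chapter's Sample Load Balancing Configuration table
SAMPLE_VSERVER = {"name": "Vserver-LB-1", "ip": "10.102.29.60", "port": "80", "type": "HTTP"}
SAMPLE_SERVICES = [
    {"name": "Service-HTTP-1", "ip": "10.102.29.5", "port": "8083", "type": "HTTP"},
    {"name": "Service-HTTP-2", "ip": "10.102.29.6", "port": "80", "type": "HTTP"},
]

if __name__ == "__main__":
    print("\n".join(build_config(SAMPLE_VSERVER, SAMPLE_SERVICES)))
```

Checking the type mixture before emitting any command keeps a half-applied batch (services and vserver created, bind rejected) from being left behind on the appliance.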
In the navigation pane, expand Load Balancing, and then click Servers. The
details of the available servers appear on the Servers page.
To view the properties of server objects using the NetScaler command line
Example
show server server-1
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, click a virtual server to display its properties at the
bottom of the details pane.
3.
To view cache redirection and content switching virtual servers that are
bound to this virtual server, click Show CS/CR Bindings.
Example
show lb vserver Vserver-LB-1
1.
In the navigation pane, expand Load Balancing and click Virtual Servers.
2.
In the details pane, select the vserver whose statistics you want to view (for
example, Vserver-LB-1).
3.
Example
stat lb vserver Vserver-LB-1
In the navigation pane, expand Load Balancing, and then click Services. The
details of the available services appear on the Services page.
To view the properties of services using the NetScaler command line
Example
show service Service-HTTP-1
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service whose statistics you want to view (for
example, Service-HTTP-1).
3.
Example
stat service Service-HTTP-1
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service whose binding information you want
to view (for example, Service-HTTP-1).
3.
Click Show Bindings. The bindings of the service you selected appear in
the Binding details for Service: ServiceName dialog box.
Example
show service bindings Service-HTTP-1
1.
In the navigation pane, expand Load Balancing, and then click Servers.
2.
In the details pane, select the server that you want to remove (for example,
10.102.29.5), and then click Remove.
3.
Example
rm server 10.102.29.5
Specifies
Wait Time
(delay)
1.
In the navigation pane, expand Load Balancing, and then click Servers.
2.
In the details pane, select the server that you want to enable (for example,
10.102.29.5), and then click Enable.
3.
Example
enable server 10.102.29.5
1.
In the navigation pane, expand Load Balancing, and then click Servers.
2.
In the details pane, select the server that you want to disable (for example,
10.102.29.5), and then click Disable.
3.
In the Wait Time dialog box, type the wait time after which the server is to
be disabled (for example 30).
4.
Click Enter.
Example
disable server 10.102.29.5 30
Managing Services
This section describes how to manage the services you created in a basic LB
setup. You can perform tasks such as enabling, disabling, and removing services.
Each task that you perform affects the basic LB setup as described in the
following sections.
Removing a Service
You can remove a service when it is no longer used. When you remove a service,
it is unbound from the vserver and deleted from the NetScaler.
To remove a service using the configuration utility
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service that you want to remove (for example,
Service-HTTP-1), and then click Remove.
3.
Example
rm service Service-HTTP-1
Specifies
Wait Time
(delay)
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service that you want to enable (for example,
Service-HTTP-1), and click Enable.
3.
Example
enable service Service-HTTP-1
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service that you want to disable (for example,
Service-HTTP-1), and then click Disable.
3.
In the Wait Time dialog box, type the wait time after which the service is to
be disabled (for example, 30).
4.
Click Enter.
Example
disable service Service-HTTP-1 30
Managing an LB Vserver
This section describes how to manage the vservers you created during LB setup.
You can perform tasks such as enabling, disabling, and removing vservers. To
remove a vserver, you must first unbind the services from the vserver, and then
remove the vserver. Each task that you perform affects the basic LB setup, as
described in the following sections.
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver from which you want to unbind a
service (for example, Vserver-LB-1), and then click Open.
3.
4.
Click OK.
Example
unbind lb vserver Vserver-LB-1 Service-HTTP-1
Removing a Vserver
You need to remove a vserver only when you no longer require the vserver. After
you have unbound the services from the vserver, you can remove the vserver. If
you remove all the vservers from the NetScaler, the NetScaler does not accept any
new connections.
To remove a vserver using the configuration utility
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver that you want to remove (for example,
Vserver-LB-1), and then click Remove.
3.
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver that you want to enable (for example,
Vserver-LB-1), and then click Enable.
3.
Example
enable lb vserver Vserver-LB-1
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver that you want to disable (for example,
Vserver-LB-1), and then click Disable.
3.
Example
disable lb vserver Vserver-LB-1
View the services and service groups that are bound to a vserver.
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver that you want to view, and then click Visualizer.
3. In the Load Balancing Visualizer window, you can adjust the viewable area as follows:
   - Click the Zoom In and Zoom Out icons to increase or decrease the size of the viewed objects. You can click and drag the viewable area if an item that you want to see disappears from view after zooming in.
   - Click the Save Image icon to save the graph as an image file.
   - Click the image, hold down the mouse button, and drag the image to pan the view.
   - In the Search in text field, type the name of the item you are looking for to highlight its location on the visualizer. To restrict the search, click the drop-down menu and select the type of element that you want to search.
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver that you want to view, and then click Visualizer.
3. To view the details for a monitor, position the cursor over the icon or click the icon for the monitor. For additional details, click the icon, click the Related Tasks tab, and then click View Monitor.
To view configuration details for policies and policy labels using the Visualizer in the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver that you want to view, and then click Visualizer.
3. To view the policies that are bound to this vserver, in the toolbar at the top of the dialog box, select one or more policy icons (for example, Compression, Filter, Rewrite, and Responder). If policy labels are configured, they appear in the main view area.
   For a bound policy that appears in the view pane of the Visualizer, position the cursor over the policy icon to view the policy's expression and actions. To view binding details, position the cursor over the line that connects the policy to the vserver. To see these details in the details pane, click the policy.
To save configuration properties for any entity using the Visualizer in the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver that you want to view, and then click Visualizer.
3.
4. In the Related Tasks tab, click Copy Properties, and then paste the information into a document.
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to configure bindings (for example, Vserver-LB-1), and then click Visualizer.
3.
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver from which you want to unbind a service, policy, or monitor (for example, Vserver-LB-1), and then click Visualizer.
3.
4.
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver that you want to configure (for example, Vserver-LB-1), and then click Visualizer.
3.
4. In the modify dialog box, enter the new settings for the resource.
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver that you want to configure (for example, Vserver-LB-1), and then click Visualizer.
3. In the Load Balancing Visualizer dialog box, right-click the icon for the resource that you want to add, remove, or disable, and then select the corresponding option from the menu. Alternatively, on the Available Resources tab, select the resource type from the drop-down menu, and then click Add to add an entity, or select the particular resource that you want to configure, and then click Open.
Note: These options are not available for service groups or policies.
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver that you want to configure (for example, Vserver-LB-1), and then click Visualizer.
3. In the Load Balancing Visualizer dialog box, click the icon for a service group, click the Related Tasks tab, and then click Show Member Services.
4.
5.
Granularity        Specifies
HTTP or HTTPS      Request-based
TCP                Time-based
Within each type of load balancing, there are various load balancing methods. For example, the least connection method selects the service with the fewest active connections, so that the load of active requests is balanced across the services. You can change the load balancing algorithm by using the procedures described in this section. To configure a load balancing method, use the LB Method parameter as described in the following table.
Load Balancing Method Parameters
Parameter               Specifies
LB Method (lbMethod)    The method the vserver uses to select a service: ROUNDROBIN, LEASTCONNECTION, LEASTRESPONSETIME, URLHASH, DOMAINHASH, DESTINATIONIPHASH, SOURCEIPHASH, SRCIPDESTIPHASH, LEASTBANDWIDTH, LEASTPACKETS, TOKEN, or CUSTOMLOAD. The default LB method is LEASTCONNECTION.
To set load balancing methods using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to configure an LB method (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the Method and Persistence tab.
4. Under LB Method, select the method that you want to use (for example, Least Connection).
5. Click OK.
Example
set lb vserver Vserver-LB-1 -lbMethod LeastConnection
To compute slow start, the number of services bound to the vserver is multiplied by 100. For a new virtual server whose LB method depends on dynamic traffic parameters, slow start allows time to collect a valid data sample before the configured method is applied.
Note: While slow start is in operation, the output of the show lb vserver <vserver name> command reports the current method as Round Robin.
In a GSLB setup, the metric-based load balancing methods (other than Custom Load) do not work correctly when MEP is DOWN; they fall back to Round Robin. For Custom Load, if MEP is DOWN and the custom load monitors bound to the service obtain their statistics through SNMP, the Custom Load method is still used. If local load monitors are bound to the service and MEP is DOWN, Round Robin is used. For more information about GSLB, see Chapter 8, Global Server Load Balancing.
When a NetScaler uses the least connection method, it counts such waiting connections as belonging to the service. Therefore it may not open new connections to the selected service promptly.
For UDP services, the connections counted for the least connection method include all sessions between the client and a service. These sessions are logical, time-based entities; a session is created when the first UDP packet arrives, for the combination of source IP address and port and destination IP address and port.
For Real-Time Streaming Protocol (RTSP) connections, the NetScaler uses the number of active control connections to determine which RTSP service has the fewest connections.
Note: RTSP is not supported in NetScaler 9.1 nCore.
The following example shows how a NetScaler selects a service for load balancing by using the least connection method. Consider the following three services:
The following diagram illustrates how the NetScaler uses the least connection method and forwards the requests to the three services.
Service-HTTP-3 receives the second and third requests because the service has the next lowest number of active transactions.
Request received   Service selected          Current N (number of active transactions)   Remarks
Request-1          Service-HTTP-3 (N = 0)    N = 1    Service-HTTP-3 has the least N value.
Request-2          Service-HTTP-3 (N = 1)    N = 2
Request-3          Service-HTTP-3 (N = 2)    N = 3
Request-4          Service-HTTP-1 (N = 3)    N = 4
Request-5          Service-HTTP-3 (N = 3)    N = 4
Request-6          Service-HTTP-1 (N = 4)    N = 5
Request-7          Service-HTTP-3 (N = 4)    N = 5
Request-8          Service-HTTP-1 (N = 5)    N = 6    Service-HTTP-1 and Service-HTTP-3 have the same N values.
Service-HTTP-2 is selected for load balancing when it completes its active transactions or when the N value of the other services (Service-HTTP-1 and Service-HTTP-3) reaches 15.
Service-HTTP-3 receives the first request because the service is not handling any active transactions.
Note: If services are not handling any active transactions, the NetScaler selects them in a round robin manner, regardless of the weights assigned to them.
Service-HTTP-3 receives the second, third, fourth, fifth, sixth, and seventh requests because the service has the least Nw value.
Request received   Service selected               Current Nw = (number of active transactions) * (10000 / weight)   Remarks
Request-1          Service-HTTP-3 (Nw = 0)        Nw = 2500     Service-HTTP-3 has the least Nw value.
Request-2          Service-HTTP-3 (Nw = 2500)     Nw = 5000
Request-3          Service-HTTP-3 (Nw = 5000)     Nw = 7500
Request-4          Service-HTTP-3 (Nw = 7500)     Nw = 10000
Request-5          Service-HTTP-3 (Nw = 10000)    Nw = 12500
Request-6          Service-HTTP-3 (Nw = 12500)    Nw = 15000
Request-7          Service-HTTP-1 (Nw = 15000)    Nw = 20000
Request-8          Service-HTTP-3 (Nw = 15000)    Nw = 17500    Service-HTTP-1 and Service-HTTP-3 have the same Nw values.
Service-HTTP-2 is selected for load balancing when it completes its active transactions or when the Nw value of the other services (Service-HTTP-1 and Service-HTTP-3) reaches 50000.
The following diagram illustrates how the NetScaler uses the least connection
method when weights are assigned to the services.
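The least connection selection shown in the two tables above, as an added example that is not part of the Citrix guide: a small Python model that compares N (active transactions) and Nw = N * (10000 / weight) exactly as the tables state, and reproduces the order in which the eight requests are handed out. The starting state (3, 15 and 0 active transactions) is inferred from the tables; the weights 2, 3 and 4 are the ones the guide assigns in a later example; the tie-breaking rule (the service bound earliest wins) is an assumption chosen because it is what the tables show. It also goes one step beyond the tables by counting how many requests it takes before Service-HTTP-2 is finally selected, which the tables only describe in words. Fraction arithmetic keeps 10000 / 3 exact so that equal loads really compare equal.

```python
from dataclasses import dataclass
from fractions import Fraction

WEIGHT_SCALE = 10000  # the formula used in the tables: Nw = N * (10000 / weight)


@dataclass
class Service:
    name: str
    active: int      # N: transactions currently active on the service
    weight: int = 1  # weight given when the service was bound (1 = unweighted)

    def load(self, weighted):
        """The value the method compares: N, or Nw when weights are in use.
        Fraction keeps 10000 / 3 exact, so equal loads really compare equal."""
        if not weighted:
            return Fraction(self.active)
        return Fraction(self.active) * Fraction(WEIGHT_SCALE, self.weight)


def select(services, weighted):
    """Least-connection choice. min() returns the first minimal element, so a
    tie goes to the service bound earliest; that rule is assumed here because
    it is what the tables show (Service-HTTP-1 beats Service-HTTP-3)."""
    return min(services, key=lambda s: s.load(weighted))


def simulate(services, n_requests, weighted=False):
    """Names of the services chosen for n_requests in a row, with no
    transaction completing in between (the assumption behind the tables)."""
    chosen = []
    for _ in range(n_requests):
        svc = select(services, weighted)
        svc.active += 1
        chosen.append(svc.name)
    return chosen


def first_request_for(services, name, weighted=False, limit=10_000):
    """1-based index of the first request that reaches `name`, or None if
    it is still starved after `limit` requests."""
    for i in range(1, limit + 1):
        svc = select(services, weighted)
        svc.active += 1
        if svc.name == name:
            return i
    return None


def page_services(weighted=False):
    """Starting state inferred from the tables: 3, 15 and 0 active
    transactions; the weights 2, 3 and 4 are the ones the guide assigns in a
    later example (constructed here, not read from a NetScaler)."""
    weights = (2, 3, 4) if weighted else (1, 1, 1)
    return [Service("Service-HTTP-1", 3, weights[0]),
            Service("Service-HTTP-2", 15, weights[1]),
            Service("Service-HTTP-3", 0, weights[2])]


if __name__ == "__main__":
    for weighted in (False, True):
        label = "Nw" if weighted else "N"
        print(label, simulate(page_services(weighted), 8, weighted))
        print(label, "first request to Service-HTTP-2:",
              first_request_for(page_services(weighted), "Service-HTTP-2", weighted))
```

With the table's assumption that nothing completes, Service-HTTP-2 gets its first request only on the 29th request in both the weighted and the unweighted case, because the other two services must climb to its load (N = 15, or Nw = 50000) before the three-way tie is resolved in binding order. In practice transactions complete, so the starvation is shorter; the model shows why a service that is already heavily loaded when it is bound is ignored for a long time.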
The following diagram illustrates how the NetScaler uses the round robin method and forwards requests to the three services.
Note: You can configure weights on services to prevent multiple services from using the same server and overloading it.
A new cycle then begins, using the same pattern. The following diagram
illustrates the weighted round robin method.
The following diagram illustrates how the NetScaler uses the least response time method and forwards requests to the three services.
Service-HTTP-3 receives the second and third requests because the service has the least N value.
Service-HTTP-2 receives the sixth request because the service has the least N value.
Request received   Service selected          Current N = (number of active transactions) * TTFB   Remarks
Request-1          Service-HTTP-3 (N = 0)    N = 2     Service-HTTP-3 has the least N value.
Request-2          Service-HTTP-3 (N = 2)    N = 4
Request-3          Service-HTTP-3 (N = 4)    N = 6
Request-4          Service-HTTP-1 (N = 6)    N = 8     Service-HTTP-1 and Service-HTTP-3 have the same N values.
Request-5          Service-HTTP-3 (N = 6)    N = 8
Request-6          Service-HTTP-2 (N = 7)    N = 8     Service-HTTP-2 has the least N value.
Request-7          Service-HTTP-1 (N = 8)    N = 15    Service-HTTP-1, Service-HTTP-2, and Service-HTTP-3 have the same N values.
Request-8          Service-HTTP-2 (N = 8)    N = 9
Service-HTTP-2 receives the sixth request because the service has the least Nw value.
Service-HTTP-3 receives the seventh request because the service has the least Nw value.
Service-HTTP-2 receives the eighth request because the service has the least Nw value.
Service-HTTP-1 has the lowest weight and therefore the highest Nw value, so the NetScaler does not select it for load balancing.
The manner in which a service receives requests based on the Nw value is summarized in the following table.
Examples of Least Response Time Method: Nw
Request received   Service selected                  Current Nw = (number of active transactions) * (10000 / weight)   Remarks
Request-1          Service-HTTP-3 (Nw = 0)           Nw = 2500        Service-HTTP-3 has the least Nw value.
Request-2          Service-HTTP-3 (Nw = 2500)        Nw = 5000
Request-3          Service-HTTP-3 (Nw = 5000)        Nw = 15000
Request-4          Service-HTTP-3 (Nw = 15000)       Nw = 20000
Request-5          Service-HTTP-3 (Nw = 20000)       Nw = 25000
Request-6          Service-HTTP-2 (Nw = 23333.34)    Nw = 26666.67    Service-HTTP-2 has the least Nw value.
Request-7          Service-HTTP-3 (Nw = 25000)       Nw = 30000       Service-HTTP-3 has the least Nw value.
Request-8          Service-HTTP-2 (Nw = 26666.67)    Nw = 33333.34    Service-HTTP-2 has the least Nw value.
Service-HTTP-1 is selected for load balancing when it completes its active transactions or when the Nw value of the other services (Service-HTTP-2 and Service-HTTP-3) reaches 105000.
The following diagram illustrates how the NetScaler uses the least response time method when weights are assigned to the services.
Monitor type                        Response time measured
PING                                Time difference between the ICMP ECHO request and the ICMP ECHO response.
TCP
HTTP
TCP-ECV                             Time difference between the time the data send string is sent and the time the data receive string is returned. A tcp-ecv monitor without the send and receive strings is considered to have an incorrect configuration.
HTTP-ECV
UDP-ECV                             Time difference between the UDP send string and the UDP receive string. A udp-ecv monitor without the receive string is considered to have an incorrect configuration.
DNS
TCPS
FTP                                 Time difference between the sending of the user name and the completion of user authentication.
HTTPS (monitors HTTPS requests)
HTTPS-ECV (monitors HTTPS requests)
USER
The following example shows how the NetScaler selects a service for load
balancing by using the least response time method with configured monitors.
Consider the following three services:
The following diagram illustrates how the NetScaler uses the least response time method and forwards requests to the three services when monitors are configured to calculate the response time.
Service-HTTP-3 receives the second, third, and fourth requests because the service has the least N value.
Service-HTTP-2 receives the fifth request because the service has the least N value.
Request received   Service selected          Current N (number of active transactions * monitor response time)   Remarks
Request-1          Service-HTTP-3 (N = 0)    N = 2     Service-HTTP-3 has the least N value.
Request-2          Service-HTTP-3 (N = 2)    N = 4
Request-3          Service-HTTP-3 (N = 4)    N = 6
Request-4          Service-HTTP-3 (N = 6)    N = 8
Request-5          Service-HTTP-2 (N = 7)    N = 8     Service-HTTP-2 has the least N value.
Request-6          Service-HTTP-3 (N = 8)    N = 10
Request-7          Service-HTTP-2 (N = 8)    N = 9
Request-8          Service-HTTP-1 (N = 9)    N = 10    Service-HTTP-1 and Service-HTTP-3 have the same N values.
Service-HTTP-1 is selected for load balancing when it completes its active transactions or when the N value of the other services (Service-HTTP-2 and Service-HTTP-3) reaches 15.
Service-HTTP-3 receives the second, third, and fourth requests because the service has the least Nw value.
Service-HTTP-2 receives the fifth request because the service has the least Nw value.
Service-HTTP-3 receives the sixth request because the service has the least Nw value.
Service-HTTP-2 receives the seventh and eighth requests because the service has the least Nw value.
Service-HTTP-1 has the lowest weight and therefore the highest Nw value, so the NetScaler does not select it for load balancing.
Request received   Service selected                  Current Nw = (number of active transactions) * (10000 / weight)   Remarks
Request-1          Service-HTTP-3 (Nw = 0)           Nw = 5000        Service-HTTP-3 has the least Nw value.
Request-2          Service-HTTP-3 (Nw = 5000)        Nw = 10000
Request-3          Service-HTTP-3 (Nw = 15000)       Nw = 20000
Request-4          Service-HTTP-3 (Nw = 20000)       Nw = 25000
Request-5          Service-HTTP-2 (Nw = 23333.34)    Nw = 26666.67    Service-HTTP-2 has the least Nw value.
Request-6          Service-HTTP-3 (Nw = 25000)       Nw = 30000       Service-HTTP-3 has the least Nw value.
Request-7          Service-HTTP-2 (Nw = 23333.34)    Nw = 26666.67    Service-HTTP-2 has the least Nw value.
Request-8          Service-HTTP-2 (Nw = 25000)       Nw = 30000       Service-HTTP-2 has the least Nw value.
Service-HTTP-1 is selected for load balancing when it completes its active transactions or when the Nw value of the other services (Service-HTTP-2 and Service-HTTP-3) reaches 75000.
The following diagram illustrates how the NetScaler uses the least response time method when weights are assigned to the services.
Least response time mechanism using monitors when weights are assigned
To configure the least response time method using monitors, perform the steps described in the section Changing the Load Balancing Algorithm, on page 55. Under LB Method, select Least Response Time.
Token method
These hashing algorithms ensure minimal disruption when services are added or deleted. When the NetScaler is configured to use a hashing method, it lists the services used in the configuration and calculates two hash values by using:
The NetScaler then generates a new hash value from the preceding hash values and forwards the request to the service with the highest hash value. Rather than traverse the list of services and compute a hash value for every request, the NetScaler populates a cache after selecting the service that processes the request. Subsequent requests with the same hash value are sent to the same service, as shown in the following flow chart.
Hashing methods can be applied to IPv4 and IPv6 addresses. To understand how the NetScaler distributes traffic when a hashing method is configured, consider a scenario in which three services, Service-HTTP-1, Service-HTTP-2, and Service-HTTP-3, are bound to a vserver with a hash method configured, and the hash value of a request is Hash1. When all the configured services are UP, Hash1 is sent to Service-HTTP-1 according to the hashing result. If Service-HTTP-1 is down, the NetScaler recalculates the hash values over the remaining services and selects the service with the highest hash value, for example Service-HTTP-2, as shown in the following diagram.
URL hashing
If Service-HTTP-1 and Service-HTTP-2 are down, URL1 is sent to Service-HTTP-3. If the services then come back UP, URL1 is sent to the services in the following ways:
To configure the URL hash method, use the Hash Length parameter as described in the following table.
Hash Length Parameter
Parameter                   Specifies
Hash Length (hashLength)
To configure the URL hash method, perform the steps described in the section Changing the Load Balancing Algorithm, on page 55. Under LB Method, select URL Hash.
Parameter            Specifies
Netmask (netmask)
To configure the destination IP hash method, perform the steps described in the section Changing the Load Balancing Algorithm, on page 55. Under LB Method, select Destination IP Hash.
The following diagram illustrates how the NetScaler uses the least bandwidth
method to forward requests to the three services.
Service-HTTP-3 receives the first request because the service has the least
N value.
Request received   Service selected          Current N (number of active transactions)   Remarks
Request-1          Service-HTTP-3 (N = 2)    N = 3    Service-HTTP-3 has the least N value.
Request-2          Service-HTTP-1 (N = 3)    N = 4
Request-3          Service-HTTP-3 (N = 3)    N = 4    Service-HTTP-1 and Service-HTTP-3 have the same N values.
Request-4          Service-HTTP-1 (N = 4)    N = 5
Request-5          Service-HTTP-3 (N = 4)    N = 5
Request-6          Service-HTTP-1 (N = 5)    N = 6
Request-7          Service-HTTP-2 (N = 5)    N = 6
Request-8          Service-HTTP-3 (N = 5)    N = 6    Service-HTTP-1, Service-HTTP-2, and Service-HTTP-3 have the same N values.
Note: If you enable the RTSP NAT option on the vserver, the NetScaler uses the number of data and control bytes exchanged to determine the bandwidth usage for RTSP services. For more information about the RTSP NAT option, see Managing RTSP Connections, on page 140. RTSP is not supported in NetScaler 9.1 nCore.
Service-HTTP-3 receives the first, second, third, fourth, and fifth requests because the service has the least Nw value.
Service-HTTP-1 receives the sixth request because the service has the least Nw value.
Service-HTTP-3 receives the seventh request because the service has the least Nw value.
Service-HTTP-2 receives the eighth request because the service has the least Nw value.
Request received   Service selected                  Current Nw = (number of active transactions) * (10000 / weight)   Remarks
Request-1          Service-HTTP-3 (Nw = 5000)        Nw = 5000        Service-HTTP-3 has the least Nw value.
Request-2          Service-HTTP-3 (Nw = 5000)        Nw = 7500
Request-3          Service-HTTP-3 (Nw = 7500)        Nw = 10000
Request-4          Service-HTTP-3 (Nw = 10000)       Nw = 12500
Request-5          Service-HTTP-3 (Nw = 12500)       Nw = 15000
Request-6          Service-HTTP-1 (Nw = 15000)       Nw = 20000       Service-HTTP-1 and Service-HTTP-3 have the same Nw value.
Request-7          Service-HTTP-3 (Nw = 15000)       Nw = 17500
Request-8          Service-HTTP-2 (Nw = 16666.67)    Nw = 20000       Service-HTTP-2 has the least Nw value.
The following diagram illustrates how the NetScaler uses the least bandwidth method when weights are assigned to the services.
The following diagram illustrates how the NetScaler uses the least packets method and forwards requests to the three services.
Service-HTTP-3 receives the first request because the service has the least N value.
Request received   Service selected          Current N (number of active transactions)   Remarks
Request-1          Service-HTTP-3 (N = 2)    N = 3    Service-HTTP-3 has the least N value.
Request-2          Service-HTTP-1 (N = 3)    N = 4
Request-3          Service-HTTP-3 (N = 3)    N = 4    Service-HTTP-1 and Service-HTTP-3 have the same N values.
Request-4          Service-HTTP-1 (N = 4)    N = 5
Request-5          Service-HTTP-3 (N = 4)    N = 5
Request-6          Service-HTTP-1 (N = 5)    N = 6
Request-7          Service-HTTP-2 (N = 5)    N = 6
Request-8          Service-HTTP-3 (N = 5)    N = 6    Service-HTTP-1, Service-HTTP-2, and Service-HTTP-3 have the same N values.
Note: If you enable the RTSP NAT option on the vserver, the NetScaler uses the number of data and control packets to calculate the number of packets for RTSP services. For more information about the RTSP NAT option, see Managing RTSP Connections, on page 140. RTSP is not supported in NetScaler 9.1 nCore.
Example:
In the preceding example, suppose Service-HTTP-1 is assigned a weight of 2, Service-HTTP-2 a weight of 3, and Service-HTTP-3 a weight of 4.
The NetScaler delivers the requests as follows:
Service-HTTP-3 receives the first, second, third, fourth, and fifth requests because the service has the least Nw value.
Service-HTTP-1 receives the sixth request because the service has the least Nw value.
Service-HTTP-3 receives the seventh request because the service has the least Nw value.
Service-HTTP-2 receives the eighth request because the service has the least Nw value.
Request received   Service selected                  Current Nw = (number of active transactions) * (10000 / weight)   Remarks
Request-1          Service-HTTP-3 (Nw = 5000)        Nw = 5000        Service-HTTP-3 has the least Nw value.
Request-2          Service-HTTP-3 (Nw = 5000)        Nw = 7500
Request-3          Service-HTTP-3 (Nw = 7500)        Nw = 10000
Request-4          Service-HTTP-3 (Nw = 10000)       Nw = 12500
Request-5          Service-HTTP-3 (Nw = 12500)       Nw = 15000
Request-6          Service-HTTP-1 (Nw = 15000)       Nw = 20000       Service-HTTP-1 and Service-HTTP-3 have the same Nw value.
Request-7          Service-HTTP-3 (Nw = 15000)       Nw = 17500
Request-8          Service-HTTP-2 (Nw = 16666.67)    Nw = 20000       Service-HTTP-2 has the least Nw value.
The following diagram illustrates how the NetScaler uses the least packets method when weights are assigned to the services.
Token Method Parameters
Parameter                   Specifies
Rule (rule)
Data Length (dataLength)
Data Offset (dataOffset)
You can use this load balancing method across vservers of different types to make
sure that requests presenting the same token are directed to the services on the
same servers, regardless of the protocol used.
For example, consider server-1 has two services, Service-HTTP-1 and
Service-TCP-1, and server-2 has two services, Service-HTTP-2 and
Service-TCP-2. The TCP services are bound to Vserver-LB-2, and the HTTP
services are bound to Vserver-LB-1.
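The "highest hash value wins" selection described in the hashing section above, and the token method's guarantee that the same token reaches the same server across Vserver-LB-1 and Vserver-LB-2, as an added example that is not NetScaler code: the guide does not document the appliance's hash function, so this model uses blake2b and implements the selection as rendezvous hashing, which is one reading of "calculate a hash per service and pick the highest". Hashing the key together with the server name (an assumption made for this example) rather than the service name is what makes an HTTP token and a TCP token land on the same server. The three key derivations (URL prefix of hashLength characters, source IP masked by netmask, token at dataOffset/dataLength) follow the parameters named on the page; the URLs, server-3 and the tokens are constructed.

```python
import hashlib
import ipaddress
from collections import namedtuple

# A service bound to a vserver and the server (host) it runs on.
Binding = namedtuple("Binding", "service server")


def _hash64(*parts):
    """Deterministic 64-bit hash of the joined parts. blake2b is an arbitrary
    choice for this example; the guide does not document NetScaler's function."""
    data = "\x00".join(parts).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "big")


def select_by_hash(key, bindings, down=frozenset()):
    """Rendezvous ('highest hash wins') selection over the services that are
    UP. Hashing the key with the server name (assumption) makes the choice
    protocol-independent, which is the token method's property."""
    up = [b for b in bindings if b.service not in down]
    if not up:
        return None
    return max(up, key=lambda b: _hash64(key, b.server)).service


# --- the ways a hash key is derived on the page -----------------------------

def url_key(url, hash_length=80):
    """URL hash: only the first hashLength characters of the URL are hashed."""
    return url[:hash_length]


def source_ip_key(ip, netmask="255.255.255.255"):
    """Source IP hash: the client address masked with the configured netmask."""
    net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    return str(net.network_address)


def token_key(payload, data_offset, data_length):
    """Token method on a TCP payload: dataLength bytes starting at dataOffset."""
    return payload[data_offset:data_offset + data_length].decode("latin-1")


# --- minimal disruption when a service goes down ---------------------------

def disruption(keys, bindings, failed):
    """Map every key before and after `failed` goes DOWN. Returns the keys
    that changed service and the keys that were on the failed service; with
    rendezvous hashing the two sets are identical, i.e. only the traffic of
    the failed service moves."""
    before = {k: select_by_hash(k, bindings) for k in keys}
    after = {k: select_by_hash(k, bindings, down={failed}) for k in keys}
    moved = {k for k in keys if before[k] != after[k]}
    on_failed = {k for k in keys if before[k] == failed}
    return moved, on_failed


# Scenario from the hashing section: three HTTP services (server-3 is a
# constructed name, the page only names the services).
HASH_BINDINGS = [Binding("Service-HTTP-1", "server-1"),
                 Binding("Service-HTTP-2", "server-2"),
                 Binding("Service-HTTP-3", "server-3")]

# Scenario from the token section: server-1 and server-2 each host one HTTP
# and one TCP service, bound to two different vservers.
VSERVER_LB_1 = [Binding("Service-HTTP-1", "server-1"), Binding("Service-HTTP-2", "server-2")]
VSERVER_LB_2 = [Binding("Service-TCP-1", "server-1"), Binding("Service-TCP-2", "server-2")]


if __name__ == "__main__":
    urls = [f"http://www.example.com/item/{i}" for i in range(1000)]  # constructed
    moved, on_failed = disruption([url_key(u) for u in urls], HASH_BINDINGS, "Service-HTTP-1")
    print(f"{len(moved)} of {len(urls)} keys moved; {len(on_failed)} were on Service-HTTP-1")
    token = token_key(b"\x00\x00sess-42" + b"\x00" * 8, 2, 7)
    print(token, "->", select_by_hash(token, VSERVER_LB_1), select_by_hash(token, VSERVER_LB_2))
```

The disruption check is the property the page calls "minimal disruption": a naive `hash(key) % len(up_services)` would reshuffle roughly two thirds of all keys when one of three services fails, whereas here only the keys that were on the failed service move. Note that the source IP key honours the netmask, so a /24 netmask sends a whole client subnet to one service; that is also what makes NAT'd client populations pile onto a single service.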
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to configure a rule (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the Method and Persistence tab and, under LB Method, select Token.
4.
5.
6.
7.
8.
9. In the Create Expression dialog box, click Create. The expression you created appears in the Rule text box.
10. Click OK.
Metric values retrieved through SNMP probes that exist as tables in the NetScaler.
The following example shows how the NetScaler selects a service for load balancing by using the custom load method.
Example:
Consider three services, Service-HTTP-1, Service-HTTP-2, and Service-HTTP-3.
The servers can export metrics such as CPU and memory usage. The load monitor sends an SNMP GET request containing the OIDs 1.3.6.1.4.1.5951.4.1.1.41.1.5, 1.3.6.1.4.1.5951.4.1.1.41.1.4, and 1.3.6.1.4.1.5951.4.1.1.41.1.3 to the servers. The three services respond to the request. The NetScaler compares the exported metrics and selects Service-HTTP-1 because it has the most memory available for processing requests. The following diagram illustrates how the NetScaler uses the custom load method and forwards requests to the three services.
Service-HTTP-1 receives the first, second, third, fourth, and fifth requests because the service has the least N value.
Request received   Service selected           Current N (number of active transactions)   Remarks
Request-1          Service-HTTP-1 (N = 20)    N = 30    Service-HTTP-1 has the least N value.
Request-2          Service-HTTP-1 (N = 30)    N = 40
Request-3          Service-HTTP-1 (N = 40)    N = 50
Request-4          Service-HTTP-1 (N = 50)    N = 60
Request-5          Service-HTTP-1 (N = 60)    N = 70
Request-6          Service-HTTP-1 (N = 70)    N = 80
Request-7          Service-HTTP-2 (N = 70)    N = 80    Service-HTTP-2 and Service-HTTP-3 have the same N values.
Request-8          Service-HTTP-1 (N = 80)    N = 90    Service-HTTP-1, Service-HTTP-2, and Service-HTTP-3 have the same N values.
Service-HTTP-2 receives the ninth request because the service has the least Nw value.
Service-HTTP-3 has the highest Nw value and is not considered for load balancing.
The manner in which a service receives requests based on the Nw value is summarized in the following table.
Custom Load Balancing Method: Nw
Request received   Service selected                   Current Nw   Remarks
Request-1          Service-HTTP-1 (Nw = 50000)        Nw = 75000       Service-HTTP-1 has the least Nw value.
Request-2          Service-HTTP-1 (Nw = 5000)         Nw = 100000
Request-3          Service-HTTP-1 (Nw = 15000)        Nw = 125000
Request-4          Service-HTTP-1 (Nw = 20000)        Nw = 150000
Request-5          Service-HTTP-1 (Nw = 23333.34)     Nw = 175000
Request-6          Service-HTTP-1 (Nw = 25000)        Nw = 200000
Request-7          Service-HTTP-1 (Nw = 23333.34)     Nw = 225000
Request-8          Service-HTTP-1 (Nw = 25000)        Nw = 250000
Request-9          Service-HTTP-2 (Nw = 233333.34)    Nw = 266666.67   Service-HTTP-2 has the least Nw value.
Service-HTTP-1 is selected for load balancing when it completes its active transactions or when the Nw value of the other services (Service-HTTP-2 and Service-HTTP-3) reaches 400000.
The following diagram illustrates how the NetScaler uses the custom load method
when weights are assigned on the services.
You can configure different types of persistence on the NetScaler. The following table lists the persistence types, indicates which protocols support each type, and whether the persistence type consumes resources.
Persistence types
Persistent connections: 250 K
Persistence type    HTTP   HTTPS   TCP   UDP/IP   SSL_Bridge
Source IP           YES    YES     YES   YES      YES
CookieInsert        YES    YES     NO    NO       NO
SSL Session ID      NO     YES     NO    NO       YES
URL passive         YES    YES     NO    NO       NO
Custom Server ID    YES    YES     NO    NO       NO
Rule                YES    YES     NO    NO       NO
SRCIPDESTIP         NA     NA      YES   YES      NA
DESTIP              NA     NA      YES   YES      NA
Parameter                            Specifies
Persistence Type (persistenceType)   Persistence type for the vserver. The valid options for this parameter are:
Note: After configuring persistence for a vserver, you can view the persistence type by viewing the virtual server in the configuration utility or by using the show lb vserver command. You can also use the show ns persistencesession command to view persistence sessions.
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to configure persistence (for example, Vserver-LB-1), and then click Open.
3.
4. In the Time-out and Netmask text boxes, type the time-out and netmask values (for example, 2 and 255.255.255.255).
5. Click OK.
Example
set lb vserver Vserver-LB-1 -persistenceType SOURCEIP
ServiceIP and ServicePort are encrypted and inserted into the cookie. When the NetScaler receives the cookie, it decrypts it.
Note: If the client is not allowed to store the HTTP cookie, subsequent requests do not carry the HTTP cookie and persistence is not honored.
By default, the NetScaler sends an HTTP cookie with version 0, in compliance with the Netscape specification. The NetScaler can also send HTTP cookies with version 1, in compliance with RFC 2109.
You can configure a time-out value for persistence that is based on HTTP cookies. Note the following:
Note: Most client software currently installed (Microsoft Internet Explorer and Netscape browsers) understands HTTP cookie version 0; however, some HTTP proxies understand HTTP cookie version 1.
When you set the time-out value to 0, the NetScaler does not specify an expiration time, regardless of the HTTP cookie version used. The expiration time then depends on the client software, and such cookies are discarded when the software is shut down. This persistence type does not consume any NetScaler resources, so it can accommodate an unlimited number of persistent clients.
To configure persistence based on HTTP Cookie, perform the steps described in the section Configuring Persistence Types, on page 98. In the Persistence list, select COOKIEINSERT.
The time-out value for this type of persistence is as described in the section Configuring Persistence Based on Source IP Addresses, on page 100. To configure persistence based on SSL session IDs, perform the steps described in the section Configuring Persistence Types, on page 98. In the Persistence list, select SSLSESSION.
Parameter     Specifies
Rule (rule)   Value used to set the RULE persistence type. The value can be an existing rule name, or a classic or advanced expression. The default value is none. The maximum length is 14999.
1.
2.
3. To configure a rule that analyzes requests, click the Configure button next to the Rule field. To configure a rule that analyzes responses from the server, click the Configure button next to the Response Rule field.
4. Select Classic Syntax or Advanced Syntax, and configure the rule. For more information, see the Citrix NetScaler Policy Configuration and Reference Guide.
1.
2.
Examples
set lb vserver vsvr_name -rule "http.req.header(\"cookie\").value(0).typecast_nvlist_t('=',';').value(\"server\")"
set lb vserver vsvr_name -resRule "http.res.header(\"set-cookie\").value(0).typecast_nvlist_t('=',';').value(\"server\")"
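What the two rule expressions above actually compute, and how the request rule and the response rule fit together into a persistence table, as an added example that is not Citrix code: the Python below models `typecast_nvlist_t('=',';')` followed by `.value("server")` (split on `;`, then on the first `=`, first occurrence wins, surrounding whitespace stripped), applies it to the first Cookie header of a request and the first Set-Cookie header of a response, and keeps the learned key-to-service mapping. The whitespace handling and the "first occurrence wins" choice are this example's reading of the operator, not a statement of NetScaler's implementation; the header lists are constructed sample traffic.

```python
def nvlist(value, sep="=", delim=";"):
    """Model of typecast_nvlist_t(sep, delim): split `value` on delim, then
    each item on its first sep. The first occurrence of a name wins, and
    whitespace around items is stripped, as in "a=1; b=2". This is this
    example's reading of the operator, not the NetScaler implementation."""
    out = {}
    for item in value.split(delim):
        item = item.strip()
        if not item:
            continue
        name, _, val = item.partition(sep)
        out.setdefault(name.strip(), val.strip())
    return out


def first_header(headers, name):
    """HEADER(name).VALUE(0): the first instance of a header (name compared
    case-insensitively), or None when absent. `headers` is a list of
    (name, value) pairs in wire order."""
    for hname, hvalue in headers:
        if hname.lower() == name.lower():
            return hvalue
    return None


def request_key(request_headers):
    """Key produced by the request rule: the 'server' entry of the first
    Cookie header, or None when the rule evaluates to nothing."""
    cookie = first_header(request_headers, "cookie")
    return None if cookie is None else nvlist(cookie).get("server")


def response_key(response_headers):
    """Key produced by the response rule: 'server' in the first Set-Cookie."""
    set_cookie = first_header(response_headers, "set-cookie")
    return None if set_cookie is None else nvlist(set_cookie).get("server")


class RulePersistence:
    """Persistence table keyed by the rule value. A response whose key is
    not yet known creates an entry for the service that sent it; a request
    whose key is known is steered to that service; anything else returns
    None, meaning the configured LB method makes the decision."""

    def __init__(self):
        self.table = {}

    def learn(self, response_headers, service):
        key = response_key(response_headers)
        if key is not None:
            self.table.setdefault(key, service)

    def lookup(self, request_headers):
        key = request_key(request_headers)
        return None if key is None else self.table.get(key)


if __name__ == "__main__":
    # Constructed sample traffic: the back end tags its response with a
    # 'server' cookie that the client echoes back on later requests.
    p = RulePersistence()
    p.learn([("Content-Type", "text/html"),
             ("Set-Cookie", "server=app2; Path=/; HttpOnly")], "Service-HTTP-2")
    print(p.lookup([("Host", "www.example.com"), ("Cookie", "sid=abc; server=app2")]))
    print(p.lookup([("Host", "www.example.com"), ("Cookie", "sid=abc")]))
```

Two points worth checking in a real deployment follow directly from the model: a request without the cookie (or with a `server` value that was never learned) falls through to the LB method, so persistence silently stops if the back end ever drops the cookie; and because the key is taken verbatim from client input, the table can be filled with arbitrary keys by anyone who sends cookies, which is why the response rule, not the client, should be the only thing that creates entries.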
The time-out value for this type of persistence is as described in the section Configuring Persistence Based on Source IP Addresses, on page 100. To configure persistence based on source and destination IP addresses, perform the steps described in the section Configuring Persistence Types, on page 98. In the Persistence list, select SRCIPDESTIP.
Parameter                      Specifies
Session ID Mapping (session)
Note: If the client sends multiple SETUP requests on one TCP connection, the NetScaler sends all of them to the same server, because it makes the load balancing decision per TCP connection. In this case, the NetScaler does not forward the SETUP requests to different servers based on the session ID.
Specifies
Backup Persistence
(persistenceBackup)
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver for which you want to configure
backup persistence (for example, Vserver-LB-1), and then click Open.
3.
In the Configure Virtual Server (Load Balancing) dialog box, click the
Method and Persistence tab.
4.
5.
In the Backup Persistence list, select the backup persistence that you want
to configure (for example, SOURCEIP).
6.
In the Backup Time-out and Netmask text boxes type the backup time-out
value and netmask (for example, 20 and 255.255.255.255).
7.
Click OK.
To set backup persistence for a vserver using the NetScaler command line
Example
set lb vserver Vserver-LB-1 -persistenceType CookieInsert
-persistenceBackup SourceIP
SourceIP
CookieInsert
If you set CookieInsert persistence, the domain attribute of the HTTP cookie is
configured. This setting causes the client software to add the HTTP cookie into
client requests if different vservers have different public host names. For more
information about CookieInsert persistence type, see the section Configuring
Persistence Based on HTTP Cookies, on page 100.
After you set persistence for the entire group, you cannot change it for individual
vservers in the group. If you set persistence on the group of vservers, and a new
vserver is added to the group, the persistence of the new vserver is changed to
persistence of the group.
Note: If you set group persistence to NONE, the persistence on the individual
virtual servers is applied.
To create groups of virtual servers, use the parameters as described in the
following table.
Virtual Server Group Parameters
Parameter
Specifies
Name
(Name)
Persistence Type
(persistenceType)
Persistence Mask
(persistMask)
Time-out
(timeout)
The following example describes the steps to create the vserver group
Vserver-Group-1 and bind the vserver Vserver-LB-1 to Vserver-Group-1. The
persistence type is Source IP, and the persistence mask is 255.255.255.255. The
timeout is 2 minutes.
To create a vserver persistency group using the configuration utility
1.
2.
3.
In the Create Persistency Group dialog box, in the Group Name text box
type the name (for example, Vserver-Group-1).
4.
5.
In the Persistence Mask and Time-out text boxes, type the persistence
mask and timeout values (for example, 255.255.255.255 and 2).
6.
Under Virtual Server List, in the Available Virtual Server list box, select
the vserver that you want to bind to the group (for example,
Vserver-LB-1), and then click Add.
7.
Click Create and click Close. The vserver group you created appears in the
Persistence Groups page, as shown in the following screen shot.
Example
bind lb group Vserver-Group-1 Vserver-LB-1 -persistenceType
CookieInsert
You can change the backup persistence, backup persistence time-out, and cookie
domain value. To modify the persistence groups use the parameters as described
in the following table.
Backup Persistence Parameters
Parameter
Specifies
Persistence Backup
(PersistenceBackup)
Backup Persistence Time-out
(backupPersistenceTimeout)
Cookie Domain
(cookieDomain)
To modify a vserver group using the configuration utility
1.
2.
In the Persistence Groups page, select the vserver group that you want to
modify (for example, Vserver-Group-1), and click Open.
3.
4.
5.
In the Persistence Mask text box, type the subnet mask (for example,
255.255.255.255).
6.
Click OK.
Example
set lb group Vserver-Group-1 -PersistenceBackup SourceIP
-persistMask 255.255.255.255
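The settings used in the backup persistence and persistence group examples above (CookieInsert as the primary type, SourceIP as the backup, a persistence mask and a time-out) are easiest to reason about as a small table keyed by the masked client address. The following Python is an added example, not code from the Citrix guide or the NetScaler: it models that table so you can see what the mask and the time-out change. Service names, client addresses and the round-robin stand-in for the LB method are constructed; recording a SourceIP entry whenever the inserted cookie is honoured is a modelling assumption.

```python
# Added example, not from the Citrix guide: a model of SOURCEIP backup
# persistence behind COOKIEINSERT primary persistence.
#   -persistMask      how much of the client address forms the SOURCEIP key
#   -backupPersistenceTimeout   minutes an unused entry survives
import ipaddress
from typing import Dict, List, Optional, Tuple


def sourceip_key(client_ip: str, persist_mask: str) -> str:
    """Apply the persistence mask to a client IPv4 address.
    255.255.255.255 keys per host; 255.255.255.0 makes a whole /24 share an entry."""
    ip = int(ipaddress.IPv4Address(client_ip))
    mask = int(ipaddress.IPv4Address(persist_mask))
    return str(ipaddress.IPv4Address(ip & mask))


class PersistenceTable:
    """key -> (service, expiry). Entries expire timeout_min minutes after last use."""

    def __init__(self, timeout_min: int) -> None:
        self.timeout = timeout_min * 60
        self.entries: Dict[str, Tuple[str, float]] = {}

    def lookup(self, key: str, now: float) -> Optional[str]:
        hit = self.entries.get(key)
        if hit is None:
            return None
        service, expiry = hit
        if now >= expiry:
            del self.entries[key]                       # timed-out session is gone
            return None
        self.entries[key] = (service, now + self.timeout)  # refresh on use
        return service

    def record(self, key: str, service: str, now: float) -> None:
        self.entries[key] = (service, now + self.timeout)


class LBVserver:
    """-persistenceType COOKIEINSERT -persistenceBackup SOURCEIP
       -backupPersistenceTimeout <min> -persistMask <mask>"""

    def __init__(self, services: List[str], persist_mask: str = "255.255.255.255",
                 backup_timeout_min: int = 20) -> None:
        self.services = services
        self.persist_mask = persist_mask
        self.backup = PersistenceTable(backup_timeout_min)
        self._rr = 0

    def _lb_decision(self) -> str:
        """Constructed stand-in for the LB method (round robin)."""
        service = self.services[self._rr % len(self.services)]
        self._rr += 1
        return service

    def select(self, client_ip: str, cookie_service: Optional[str], now: float) -> Tuple[str, str]:
        """Returns (service, reason). Primary persistence wins when the client
        returns the inserted cookie naming a bound service; otherwise the
        SOURCEIP backup table is consulted; otherwise a fresh LB decision is
        made and remembered under the masked address."""
        key = sourceip_key(client_ip, self.persist_mask)
        if cookie_service in self.services:
            self.backup.record(key, cookie_service, now)   # assumption: backup entry kept in step
            return cookie_service, "cookie"
        remembered = self.backup.lookup(key, now)
        if remembered is not None:
            return remembered, "sourceip-backup"
        chosen = self._lb_decision()
        self.backup.record(key, chosen, now)
        return chosen, "lb-decision"


if __name__ == "__main__":
    v = LBVserver(["Service-HTTP-1", "Service-HTTP-2"], persist_mask="255.255.255.0")
    print(v.select("10.0.0.5", None, 0.0), v.select("10.0.0.77", None, 1.0))
```

Two caveats worth checking in your own deployment: a cookie that names a service not bound to the vserver falls through to the backup and then to a fresh decision, so a tampered cookie cannot select an arbitrary backend; and a wide mask such as 255.255.255.0 pins every client behind the same /24 (a corporate NAT, for example) to one server, which defeats the distribution the LB method is meant to provide.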
Parameter                                   Specifies
Type (type)
Source IP (srcIP)                           Source IP address.
Destination IP (destIP)                     Destination IP address.
Port (port)
Time-out (secs) (timeout)
Reference Count (referenceCount)
Persistence Parameter (persistenceParam)
1.
2.
On the landing page for Load Balancing, click Virtual Server persistence
sessions.
Example
show ns persistencesession myVserver
Specifies
Virtual Server
(vServerName)
1.
2.
3.
In the Clear persistence sessions dialog box, in Virtual Servers, select the
virtual server whose persistence sessions you want to clear.
4.
Click OK.
Example
clear ns persistencesession -vserver myLBVserver
MAC-Based forwarding
By default, the NetScaler uses IP-Based forwarding. You can set MAC-Based
forwarding in case of direct server return (DSR) topology, link load balancing,
and firewall load balancing.
Specifies
Redirection Mode
LB redirection mode.
(m)
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver for which you want to configure the
redirection mode (for example, Vserver-LB-1), and then click Open.
3.
4.
Click OK.
Example
set lb vserver Vserver-LB-1 -m MAC
Round Robin
Least Connections
Least Bandwidth
Least Packets
Least Load
Specifies
Weights
(weight)
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver (for example, Vserver-LB-1), and
click Open.
3.
On the Services tab, in the Weights spin box, type or select the weight of a
service (for example, 10) next to Service-HTTP-1.
4.
Click OK.
Example
set lb vserver Vserver-LB-1 -weight 10 Service-HTTP-1
Note: If a load balancing vserver is configured with both a backup vserver and
a redirect URL, the backup vserver takes precedence over the redirect URL. A
redirect is used when the primary and backup vservers are down.
To configure a vserver to redirect client requests to a URL, use the Redirect URL
parameter as described in the following table.
Redirect URL Parameter
Parameter
Specifies
Redirect URL
(redirectURL)
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver for which you want to configure
redirect URL (for example, Vserver-LB-1), and then click Open.
3.
On the Advanced tab, in the Redirect URL text box, type the URL (for
example, http://www.newdomain.com/mysite/maintenance).
4.
Click OK.
Example
set lb vserver Vserver-LB-1 -redirectURL
http://www.newdomain.com/mysite/maintenance
Specifies
Name
(backupVServer)
Disable Primary When
Down
(disablePrimaryOn
Down)
Note: If you enable the Disable Primary When Down option, the backup
vserver maintains control after the primary vserver comes up. To enable the
primary vserver to retake control, you must manually re-enable it.
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver for which you want to configure the
backup vserver (for example, Vserver-LB-1), and then click Open.
3.
On the Advanced tab, in the Backup Virtual Server list, select the backup
vserver (for example, Vserver-LB-2).
4.
If the primary server goes down and then comes back up, and you want the
backup vserver to function as the primary server until you explicitly
reestablish the primary virtual server, select the Disable Primary When
Down check box.
5.
Click OK.
Example
set lb vserver Vserver-LB-1 -backupVserver Vserver-LB-2
-disablePrimaryOnDown
Specifies
Method
(soMethod)
(soThreshold)
Persistence
(soPersistence)
Persistence time-out
(minutes)
(soPersistenceTime
Out)
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver for which you want to configure the
spillover (for example, Vserver-LB-1), and then click Open.
3.
On the Advanced tab, in the Method list, select the type of spillover, and in
Threshold text box, type the threshold value (for example, Connection and
1000).
4.
5.
Click OK.
Example
set lb vserver Vserver-LB-1 -soMethod Connection -soThreshold 1000
-soPersistence enabled -soPersistenceTimeout 2
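The backup vserver, redirect URL, Disable Primary When Down and spillover settings above all answer the same question: where does one new request go? The following Python is an added example, not code from the Citrix guide or the NetScaler: it encodes only the precedence the text states (backup before redirect; a redirect only when primary and backup are both down; a primary that stays out of service after recovery until it is re-enabled; connection-based spillover once the threshold is reached). Vserver names, UP/DOWN flags and connection counts are constructed inputs, and what happens when the backup itself fails while the primary is disabled is a modelling assumption.

```python
# Added example, not from the Citrix guide: request routing across a primary
# vserver, its backup vserver, a redirect URL and connection spillover.
from typing import Optional, Tuple


class LBVserver:
    def __init__(self, name: str, up: bool, backup: Optional["LBVserver"] = None,
                 redirect_url: Optional[str] = None, disable_primary_on_down: bool = False,
                 so_method: Optional[str] = None, so_threshold: int = 0) -> None:
        self.name = name
        self.up = up                          # in practice derived from bound services
        self.backup = backup                  # -backupVserver
        self.redirect_url = redirect_url      # -redirectURL
        self.disable_primary_on_down = disable_primary_on_down   # -disablePrimaryOnDown
        self.so_method = so_method            # -soMethod, e.g. "CONNECTION"
        self.so_threshold = so_threshold      # -soThreshold
        self.connections = 0
        self.disabled = False                 # set once the backup has taken over

    def enable(self) -> None:
        """Operator action that lets the primary take control back."""
        self.disabled = False


def _down_path(v: LBVserver) -> Tuple[str, str]:
    """Primary and backup both unavailable: redirect if configured, else drop."""
    if v.redirect_url:
        return "redirect", v.redirect_url
    return "drop", ""


def route(v: LBVserver) -> Tuple[str, str]:
    """Decide where one new request goes: ('primary'|'backup'|'redirect'|'drop', target)."""
    backup_up = v.backup is not None and v.backup.up
    if v.disabled:
        # Disable Primary When Down: the backup keeps control even after the
        # primary recovers, until enable() is called. Assumption for this
        # model: if the backup then fails too, fall through to redirect/drop.
        return ("backup", v.backup.name) if backup_up else _down_path(v)
    if v.up:
        if (v.so_method == "CONNECTION" and v.so_threshold
                and v.connections >= v.so_threshold and backup_up):
            return "backup", v.backup.name    # spillover
        v.connections += 1
        return "primary", v.name
    if backup_up:
        if v.disable_primary_on_down:
            v.disabled = True
        return "backup", v.backup.name
    return _down_path(v)


if __name__ == "__main__":
    b = LBVserver("Vserver-LB-2", up=True)
    p = LBVserver("Vserver-LB-1", up=False, backup=b,
                  redirect_url="http://www.newdomain.com/mysite/maintenance",
                  disable_primary_on_down=True)
    print(route(p))
    p.up = True
    print(route(p))   # still the backup until p.enable()
```

The practical consequence of Disable Primary When Down is visible in the second call: a primary that has recovered still receives nothing, so a monitoring view that only checks service state will show everything green while all traffic rides the backup.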
Note: To configure connection failover, you must first configure HA and set up
a primary and secondary NetScaler. For instructions on how to configure HA, see
the Citrix NetScaler Networking Guide, Chapter 7, High Availability.
Both stateless and stateful connection failover are configured on LB vservers;
neither can be configured on content-switching vservers. Subnet IP address
(SNIP), Use Source IP (USIP), and domain-based service configurations are
supported under both modes of connection failover.
A basic HA configuration with connection failover contains the entities described
in the following diagram.
SYN Protection
Surge Protection
Access server in DOWN state: Access DOWN functionality takes precedence over
stateless connection failover, if it is enabled.
Reverse NAT
Transparent services
Compression
SSLVPN
SSL offload
Application firewall
TCP buffering
Specifies
Stateless
(connFailover)
Stateful
Disable
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the Load Balancing Virtual Servers page, select the vserver for which
you want to configure connection failover (for example, Vserver-LB-1),
and click Open.
3.
4.
Click OK.
Example
set lb vserver Vserver-LB-1 -connFailover stateful
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the Load Balancing Virtual Servers page, select the vserver for which
you want to configure a connection failover (for example, Vserver-LB-1),
and click Open.
3.
4.
Click OK.
Example
set lb vserver Vserver-LB-1 -connFailover disable
For sessionless load balancing to operate correctly, you must perform the
following tasks:
Enable USIP mode on services (because the IP address of the source is not
changed)
Specifies
Sessionless
(sessionless)
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the Load Balancing Virtual Servers page, select the vserver for which
you want to configure sessionless load balancing (for example,
Vserver-LB-1), and then click Open.
3.
4.
Example
set lb vserver Vserver-LB-1 -m MAC -sessionless enabled
Specifies
Cache Redirection
(cacheable)
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver for which you want to configure cache
redirection (for example, Vserver-LB-1), and click Open.
3.
In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4.
Select the Cache Redirection check box, and then click OK.
Example
set lb vserver Vserver-LB-1 -cacheable yes
Specifies
Priority Queuing
(pq)
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver for which you want to configure
priority queuing (for example, Vserver-LB-1), and then click Open.
3.
In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4.
Example
set lb vserver Vserver-LB-1 -pq yes
Note: You must set priority queuing globally for it to function correctly. For
more information on configuring priority queuing globally, see the Citrix
NetScaler Application Security Guide, Chapter 1, Protection Features.
Specifies
SureConnect
(sc)
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver for which you want to configure
SureConnect (for example, Vserver-LB-1), and then click Open.
3.
In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4.
Note: For SureConnect to function correctly, you must set it globally. For more
information about configuring SureConnect globally, see the Citrix NetScaler
Application Optimization Guide, Chapter 3, Configuring SureConnect.
Note: In case of HTTP services, the down state flush setting is effective only
when the client is connected to the server.
You can extend this logic to larger configurations. To configure down state flush,
use the down state flush parameter as described in the following table.
Down State Flush Parameter
Parameter
Specifies
(downStateFlush)
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver for which you want to configure down
state flush (for example, Vserver-LB-1), and click Open.
3.
In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4.
To set down state flush on a vserver using the NetScaler command line
Example
set lb vserver Vserver-LB-1 -downStateFlush enabled
The vserver is of type HTTP and the services are of type SSL.
The vserver is of type SSL and the services are of type HTTP.
When the requests are of type HTTP and the services are of type SSL, the
NetScaler rewrites the port of the HTTP requests to that of SSL and forwards the
requests to the SSL services. Then, the NetScaler rewrites the port of the HTTPS
responses to that of HTTP and forwards them to the client. This is summarized in
the following table.
Example of Port and URL Rewrite for HTTP Redirection
Redirect URL
http://domain.com/
http://domain.com:8080/
http://domain.com/
https://domain.com/
https://domain.com/
https://domain.com:444/
https://domain.com:444/
http://domain.com:8080/
http://domain.com:8080/
http://domain.com:8080/
https://domain.com/
https://domain.com/
https://domain.com:445/
https://domain.com:445/
When the requests are of type SSL and the services are of type HTTP, the
NetScaler rewrites the port of the SSL requests to that of HTTP and forwards the
requests to the HTTP services. Then, the NetScaler rewrites the port of the HTTP
responses to that of HTTPS and forwards them to the client.
When both requests and responses are of same type the NetScaler rewrites the
port using the same port value. For more information about SSL redirects, see
Secure Sockets Layer (SSL) Acceleration, on page 361. To configure a vserver
for HTTP redirection, you must use the redirect port rewrite parameter listed in
the following table.
Redirect Port Rewrite Parameter
Parameter
Specifies
(redirectPortRewrite)
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver for which you want to configure
HTTP redirection (for example, Vserver-LB-1), and then click Open.
3.
In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4.
Select the Redirect Port Rewrite check box, and then click OK.
Example
set lb vserver Vserver-LB-1 -redirectPortRewrite enabled
This option is not supported for wildcard vservers or dummy vservers. If the
primary vserver is down and the backup vserver is up, the configuration settings
of the backup vserver are added to the client requests. If you want the same
header tag to be added, regardless of whether the requests are from the primary
vserver or backup vserver, then you must configure the required header tag on
both vservers.
To configure a vserver to add the IP address and port to the client requests, use the
Vserver IP Port Insertion parameter as described in the following table.
Vserver IP Port Insertion Parameter
Parameter
Specifies
(insertVserverIPPort)
inserted.
V6TOV4MAPPING - If the vserver uses an IPv6
address and the server uses IPv4, this setting maps the
vserver address and port to the IPv4 address.
Possible values: OFF, VIPADDR, and
V6TOV4MAPPING. Default: OFF.
To insert the IP address and port of the vserver in the client requests using
the configuration utility
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver for which you want to configure
vserver port insertion (for example, Vserver-LB-1), and then click Open.
3.
In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4.
5.
Click OK.
To insert the IP address and port of the vserver in the client requests using
the NetScaler command line
Example
set lb vserver Vserver-LB-1 -insertVserverIPPort VipAddr
Specifies
(cltTimeout)
The following example describes the steps to set the time-out value for idle client
connections to 100 seconds.
To set a time-out value for idle client connections using the configuration
utility
1.
In the navigation pane, expand Load Balancing and click Virtual Servers.
2.
In the details pane, select the vserver for which you want to configure the
client time-out (for example, Vserver-LB-1), and then click Open.
3.
In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4.
In the Client Time-out (secs) text box, type the timeout value
(for example, 100).
5.
Click OK.
Example
set lb vserver Vserver-LB-1 -cltTimeout 100
Specifies
RTSP Natting
(rtspNat)
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the details pane, select the vserver (for example, vserver-LB-1), and
then click Open.
3.
Example
set lb vserver vserver-LB-1 -rtspNat enabled
Specifies
Surge protection
(sp)
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to configure surge
protection (for example, Service-HTTP-1), and then click Open.
3.
4.
Scroll down, and under Others, select the Surge Protection check box.
5.
Click OK.
To set surge protection on the service using the NetScaler command line
Example
set service Service-HTTP-1 -sp on
Note: For surge protection to function correctly, you must enable it globally.
For more information about configuring surge protection globally, see the Citrix
NetScaler Application Security Guide.
Specifies
SureConnect
(sc)
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to configure
SureConnect (for example, Service-HTTP-1), and then click Open.
3.
In the Configure Service dialog box, click the Advanced tab, scroll down,
and under Others, select the Sure Connect check box.
4.
Click OK.
Example
set service Service-HTTP-1 -sc on
Note: For SureConnect to function correctly, you must set it globally. For more
information about configuring SureConnect globally, see the Citrix NetScaler
Application Optimization Guide, Chapter 3, Configuring SureConnect.
Specifies
(downStateFlush)
To set down state flush on the service using the configuration utility
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to configure down
state flush (for example, Service-HTTP-1), and then click Open.
3.
In the Configure Service dialog box, click the Advanced tab, scroll down,
and under Others, select the Down state flush check box.
4.
Click OK.
To set down state flush on the service using the NetScaler command line
Example
set service Service-HTTP-1 -downStateFlush enabled
To configure access down, use the access down parameter as described in the
following table.
Access Down Parameter
Parameter
Specifies
Access Down
(accessDown)
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to configure
access down (for example, Service-HTTP-1), click Open.
3.
4.
Scroll down, and under Others, select the Access Down check box.
5.
Click OK.
To set access down on the service using the NetScaler command line
Example
set service Service-HTTP-1 -accessDown yes
Specifies
TCP Buffering
(TCPB)
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to configure TCP
buffering (for example, Service-HTTP-1), and then click Open.
3.
4.
Scroll down, and under Settings, select the TCP Buffering check box.
5.
Click OK.
To set TCP Buffering on the service using the NetScaler command line
Example
set service Service-HTTP-1 -TCPB yes
Note: TCP buffering set at the service level takes precedence over the global
setting. For more information about configuring TCP buffering globally, see the
Citrix NetScaler Application Optimization Guide.
Enabling Compression
The NetScaler provides the compression option to transparently compress the
HTML and text files. The NetScaler has a set of built-in compression policies and
uses them to compress the files. The compression policies act on the service
bound to the vserver and determine whether the response is compressible. The
compressible content is compressed and sent to the client.
Compression reduces the amount of data delivered to the browser and improves
client response time. To enable compression on a service, use the compression
parameter as described in the following table.
Compression Parameter
Parameter
Specifies
Compression
(CMP)
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to configure
compression (for example, Service-HTTP-1), and then click Open.
3.
4.
5.
Click OK.
Example
set service Service-HTTP-1 -CMP yes
Note: For compression to function correctly, you must enable it globally. For
more information about configuring compression globally, see the Citrix
NetScaler Application Optimization Guide.
Specifies
Client Keep-Alive
(CKA)
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to configure client
keep-alive (for example, Service-HTTP-1), and then click Open.
3.
4.
5.
Click OK.
To set client keep-alive on the service using the NetScaler command line
Example
set service Service-HTTP-1 -CKA yes
Note: Client keep-alive set at the service level takes precedence over the global
setting. For more information about configuring Client keep-alive globally, see
the Citrix NetScaler Application Optimization Guide.
IP header
When you enable the client IP setting, the NetScaler inserts the client IPv4 or
IPv6 address while forwarding the requests to the server. The server inserts this
client IP in the header of the responses. The server is thus aware of the client, as
shown in the following figure.
To insert the IP address of the client in the client request, use the parameters as
described in the following table.
Client IP Insertion Parameters
Parameter
Specifies
Client IP
(cip)
The name of the HTTP header that the NetScaler inserts and to
which it adds the IP address of the client as the header value. If
client IP insertion is enabled, and the client IP header is not
specified, then the NetScaler sets the client IP header. The
default is blank (NetScaler uses a blank HTTP header).
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to add the client IP
address in the request (for example, Service-HTTP-1), and then click
Open.
3.
4.
5.
6.
Click OK.
Example
set service Service-HTTP-1 -CIP enabled X-forwarded-for
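Client IP insertion is only useful if the server trusts the header exactly as far as it should: the header is authoritative when the connection comes from the NetScaler, and attacker-controlled when a client reaches the server directly. The following Python is an added example, not code from the Citrix guide or the NetScaler: forward_to_server emulates the -CIP setting on the service, and real_client_ip is the check the back end should run. The SNIP address in TRUSTED_PROXIES, the header name and the sample requests are constructed; that the appliance replaces rather than appends to a client-supplied copy of the header is an assumption to confirm with a packet capture on your build.

```python
# Added example, not from the Citrix guide: Client IP insertion on the wire
# and the trust check the back-end server should apply to the inserted header.
import ipaddress
from typing import List, Set, Tuple

Header = Tuple[str, str]

# Constructed: the address the servers see connections from (the SNIP/MIP).
TRUSTED_PROXIES: Set[str] = {"10.102.29.60"}


def forward_to_server(headers: List[Header], client_ip: str,
                      cip_header: str = "X-Forwarded-For") -> List[Header]:
    """Emulates '-CIP enabled <header>' on the service: the configured header is
    set to the connecting client's address. Any copy the client supplied is
    replaced, so a client cannot pre-load a fake address (assumption: matches
    how your build inserts the header; verify with a capture)."""
    kept = [(n, v) for n, v in headers if n.lower() != cip_header.lower()]
    return kept + [(cip_header, client_ip)]


def real_client_ip(peer_ip: str, headers: List[Header],
                   cip_header: str = "X-Forwarded-For",
                   trusted: Set[str] = TRUSTED_PROXIES) -> str:
    """Server side: honour the inserted header only when the TCP peer is the
    NetScaler. From any other peer the header is attacker-controlled and the
    peer address itself is the client. A value that is not an IP address is
    ignored and the peer address is used instead."""
    if peer_ip not in trusted:
        return peer_ip
    for n, v in headers:
        if n.lower() == cip_header.lower():
            try:
                return str(ipaddress.ip_address(v.strip()))
            except ValueError:
                break
    return peer_ip


if __name__ == "__main__":
    request = [("Host", "www.example.test"), ("X-Forwarded-For", "1.2.3.4")]
    via_netscaler = forward_to_server(request, "203.0.113.7")
    print(real_client_ip("10.102.29.60", via_netscaler))   # 203.0.113.7
    print(real_client_ip("198.51.100.9", request))        # 198.51.100.9, header ignored
```

The same rule applies to any access-control or rate-limiting logic on the server that keys on the client address: pair the header with the list of proxy addresses that may legitimately set it, and make sure the servers are not reachable except through the NetScaler (USIP or a firewall rule), or the header check is the only thing standing between a client and a spoofed identity.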
Specifies
Server ID
(serverID)
To insert the server ID in the response from the server using the
configuration utility
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to set the server ID
(for example, Service-HTTP-1), click Open.
3.
4.
Scroll down, and under Others, in the Server ID text box, type the ID of
the server (for example, 11).
5.
Click OK.
To insert the server ID in the response from the server using the NetScaler
command line
Example
set service Service-HTTP-1 -serverID 11
The USIP parameter permits this behavior. This parameter is described in the
following table.
Use Source IP Parameter
Parameter
Specifies
(usip)
Note: USIP does not work when you bind an IPv6 service with USIP enabled to
an IPv4 vserver, and when you bind an IPv4 service with USIP enabled to an
IPv6 vserver.
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to use the source
IP address (for example, Service-HTTP-1), and then click Open.
3.
4.
Under Settings, select Override Global, and then select the Use Source IP
check box.
5.
Click OK.
To use the IP address of the client using the NetScaler command line
Example
set service Service-HTTP-1 -usip yes
For the first client request and response, the NetScaler forwards the request
to Service-ANY-1 by using Vserver-ANY-1
For the second client request and response, the NetScaler forwards the
request to Service-ANY-1 by using Vserver-ANY-2.
For the third request, the NetScaler forwards the response to the client
through Vserver-ANY-1.
Specifies
Enables the NetScaler to use the client port as the source port
when making server requests if USIP is enabled. Possible
values: YES, NO. For transmission control protocol-based
service types, such as TCP, HTTP, and SSL, the default value
is YES. For other user datagram protocol-based service types,
such as UDP and DNS, including ANY, the default value is
NO.
(useProxyPort)
When the Use Proxy Port parameter is enabled for TCP-based services, clients
can use more than 65,535 ports on the NetScaler.
To use the proxy port as the source port using the configuration utility
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to use the source
IP address (for example, Service-ANY-1), and then click Open.
3.
4.
Under Settings, select Override Global, and then select the Use Proxy
Port check box.
5.
Click OK.
To use the proxy port as the source port using the NetScaler command line
Example
set service Service-ANY-1 -useProxyPort yes
Specifies
Maximum Clients
(maxClient)
Note: Connections that are closing are not considered for this limit.
For more information on Maximum Client, see the section Load Balancing with
Domain-Name Based Services, on page 243.
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to configure the
maximum number of client connections (for example, Service-HTTP-1),
and then click Open.
3.
4.
Under Thresholds, in the Max Clients text box, type the maximum
number of client connections (for example, 100).
5.
Click OK.
Example
set service Service-HTTP-1 -maxClient 1000
Specifies
Maximum Requests
(maxReq)
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to configure the
maximum number of client requests (for example, Service-HTTP-1), click
Open.
3.
4.
Under Thresholds, in the Max Requests text box, type the maximum
number of client requests (for example, 100).
5.
Click OK.
To limit the number of client requests using the NetScaler command line
Example
set service Service-HTTP-1 -maxReq 100
Monitor-HTTP-3 is UP.
To set the monitor threshold, use the monitor threshold parameter as described in
the following table.
Monitor Threshold Parameter
Parameter
Specifies
Monitor Threshold
(monThreshold)
1.
2.
In the details pane, select the service for which you want to configure
monitor threshold (for example, Service-HTTP-1), and then click Open.
3.
4.
5.
Click OK.
To set monitor threshold on the service using the NetScaler command line
Example
set service Service-HTTP-1 -monThreshold 100
Specifies
Client
(cltTimeout)
To set a timeout value for idle client connections using the configuration
utility
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to configure the
time-out value for client connections (for example, Service-HTTP-1), and
then click Open.
3.
4.
Under Idle Time-out (secs), in the Client text box, type the timeout value
(for example, 100).
5.
Click OK.
To set a timeout value for idle client connections using the NetScaler
command line
Example
set service Service-HTTP-1 -cltTimeout 100
Specifies
Server
(svrTimeout)
To set a timeout value for idle server connections using the configuration
utility
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to configure the
timeout value for server connections (for example, Service-HTTP-1), and
click Open.
3.
4.
Under Idle Time-out (secs), in the Server text box, type a timeout value
(for example, 100).
5.
Click OK.
To set a timeout value for idle server connections using the NetScaler
command line
Example
set service Service-HTTP-1 -svrTimeout 100
Note: Setting a limit on the bandwidth usage is not supported in NetScaler 9.1
nCore.
To set a limit on bandwidth, use the maximum bandwidth parameter as described
in the following table.
Maximum Bandwidth Parameter
Parameter
Specifies
Maximum Bandwidth
(maxBandwidth)
To set a limit bandwidth usage on the service using the configuration utility
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details page, select the service for which you want to configure
maximum bandwidth usage (for example, Service-HTTP-1), and then
click Open.
3.
4.
Under Thresholds, in the Max Bandwidth (kbits) text box, type the
maximum bandwidth (for example, 100).
5.
Click OK.
To set a limit bandwidth usage on the service using the NetScaler command
line
Example
set service Service-HTTP-1 -maxBandwidth 100
Specifies
Cache Redirection
(cacheable)
Cache Type
(type)
The cache type option supported by the cache server. The valid
options for this parameter are: transparent, reverse, and
forward.
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
In the details pane, select the service for which you want to configure cache
redirection (for example, Service-HTTP-1), and then click Open.
3.
4.
Scroll down, and under Cache Redirection Options, in Cache Type list,
select the type of cache (for example, Regular Server).
5.
6.
Click OK.
To set cache redirection on the service using the NetScaler command line
Example
set service Service-HTTP-1 -cacheable yes
Configuring Monitors
Monitors periodically check the state of a service. The NetScaler does not
consider services that are marked down for load balancing. A monitor allows the
NetScaler to accurately evaluate services. You can bind multiple monitors of any
type to a service to determine its state. Monitors specify the types of requests sent
to the server and the expected response from the server. Monitors periodically
probe the servers and check if they receive a response within the configured time.
If the monitor does not receive a response in the configured time, and if the
configured number of probes fail, it determines the server as DOWN.
Topics include:
Modifying Monitors
Managing Monitors
           Name            IP addresses   Port   Protocol
Vserver    Vserver-LB-1    10.102.29.60   80     HTTP
Services   Service-HTTP-1  10.102.29.5    80     HTTP
           Service-HTTP-2  10.102.29.6    80     HTTP
Monitors   Monitor-HTTP-1  None           None   HTTP
The following diagram shows the monitors and how they operate.
Working of monitors
Creating Monitors
The NetScaler provides a set of built-in monitors. The NetScaler also allows you
to create custom monitors based on the default monitors. To create monitors, use
the parameters as described in the following table.
Monitor Configuration Parameters
Parameters
Specifies
Monitor Name
(monitorName)
Monitor Type
(type)
Interval
(interval)
1.
In the navigation pane, expand Load Balancing, and then click Monitors.
2.
3.
In the Create Monitor dialog box, in the Name and Interval text boxes
type the name and interval value of the monitor (for example,
monitor-HTTP-1 and 340).
4.
In the Type list, select the type of the monitor (for example, HTTP).
5.
6.
Click Create, and then click Close. The monitor you created appears in the
Monitors page, as shown in the following screen shot.
Monitors page
To create a monitor using the NetScaler command line
Example
add lb mon monitor-HTTP-1 HTTP
To bind a monitor to a service using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service to which you want to bind the monitor (for example, Service-HTTP-1), and then click Open.
3. On the Monitors tab, in the Available list box, select the monitor that you want to bind to the service (for example, monitor-HTTP-1), and then click Add.
4.
To bind a monitor to a service using the NetScaler command line
Example
bind lb monitor monitor-HTTP-1 Service-HTTP-1
Modifying Monitors
You can modify the configured monitors. If you change a monitor that is bound to multiple services, the monitoring of all of those services changes. You can modify a monitor that you created using the parameters listed in this section. Two sets of parameters apply to monitors:
This section describes the parameters that apply to all monitors. To modify monitors, you can use the parameters listed in the following table.
Modify Monitor Parameters
LRTM (LRTM)
Deviation (deviation)
Interval (interval)
Response time-out (resptimeout)
Response time-out Threshold
Retries (retries)
Success Retries (successRetries)
Failure Retries (failureRetries)
Down Time (downTime)
Destination IP Address (destIP)
Destination Port (destPort)
State (state)
Reverse (reverse)
Transparent (transparent)
Secure (secure)
Application (application)
Site Path (sitePath)
To modify an existing monitor using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. In the details pane, select the monitor that you want to modify (for example, monitor-HTTP-1), and then click Open.
3.
4. In the list next to the Interval text box, select the unit of the interval (for example, Milli Seconds).
5. In the list next to the Response Time-out text box, select the unit of the response time-out (for example, Milli Seconds).
6. Click OK.
To modify an existing monitor using the NetScaler command line
The response time-out must be shorter than the interval, as in the following example.
Example
set lb monitor monitor-HTTP-1 HTTP -interval 50 milli -resptimeout 20 milli
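Added example, not from the NetScaler guide: a small model of how the interval, response time-out, retries, failureRetries, successRetries and downTime parameters above turn a sequence of probe results into UP and DOWN transitions. The counting rule (the first failed probe opens a window of retries probes, of which failureRetries must fail, or all of them when failureRetries is 0) is this model's reading of those parameters, and the probe results are constructed.

```python
"""Model of how a health monitor's timing and retry parameters drive the
UP/DOWN state of a service.  Added example, not NetScaler code: the
probe results are constructed, and the counting convention (the first
failed probe opens a window of `retries` probes) is this model's own."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class MonitorParams:
    interval: float = 5.0        # seconds between probes of an UP service
    resptimeout: float = 2.0     # a reply slower than this counts as a failure
    retries: int = 3             # probes considered once a probe has failed
    failure_retries: int = 0     # failures needed out of `retries`; 0 = all
    success_retries: int = 1     # consecutive successes needed for DOWN -> UP
    down_time: float = 30.0      # pause before a DOWN service is probed again

    def __post_init__(self) -> None:
        # The NetScaler rejects a response time-out that is not shorter
        # than the interval; the model enforces the same rule.
        if self.resptimeout >= self.interval:
            raise ValueError("resptimeout must be less than interval")
        if self.failure_retries > self.retries:
            raise ValueError("failureRetries cannot exceed retries")


@dataclass
class Monitor:
    params: MonitorParams
    state: str = "UP"
    next_probe_at: float = 0.0
    window_probes: int = 0          # probes sent since the first failure (UP only)
    window_failures: int = 0
    consecutive_ok: int = 0         # successes in a row while DOWN
    transitions: List[Tuple[float, str]] = field(default_factory=list)

    def probe(self, response_time: Optional[float]) -> str:
        """Feed one probe result; None means no reply at all."""
        p = self.params
        now = self.next_probe_at
        ok = response_time is not None and response_time <= p.resptimeout
        if self.state == "UP":
            if not ok or self.window_probes > 0:
                self.window_probes += 1
                self.window_failures += int(not ok)
                needed = p.failure_retries or p.retries
                if self.window_failures >= needed:
                    self.state = "DOWN"
                    self.transitions.append((now, "DOWN"))
                    self.window_probes = self.window_failures = 0
                    self.consecutive_ok = 0
                    self.next_probe_at = now + p.down_time   # back off
                    return self.state
                if self.window_probes >= p.retries:          # verdict: still UP
                    self.window_probes = self.window_failures = 0
        else:
            self.consecutive_ok = self.consecutive_ok + 1 if ok else 0
            if self.consecutive_ok >= p.success_retries:
                self.state = "UP"
                self.transitions.append((now, "UP"))
                self.consecutive_ok = 0
        self.next_probe_at = now + p.interval
        return self.state


def run(params: MonitorParams, results) -> Tuple[List[str], List[Tuple[float, str]]]:
    """Return the state after each probe and the timestamped transitions."""
    mon = Monitor(params)
    states = [mon.probe(r) for r in results]
    return states, mon.transitions


if __name__ == "__main__":
    # Constructed probe results: two failures recover, three in a row do not;
    # a 3.0 s reply is slower than resptimeout and so counts as a failure.
    params = MonitorParams(interval=5, resptimeout=2, retries=3,
                           failure_retries=0, success_retries=2, down_time=30)
    states, log = run(params, [0.1, None, 3.0, 0.2, 0.1, None, None, 3.0,
                               0.1, None, 0.1, 0.1])
    print(states)   # ['UP'] * 7 + ['DOWN'] * 4 + ['UP']
    print(log)      # [(35.0, 'DOWN'), (80.0, 'UP')]
```

The transition log shows why downTime matters: after the service is marked DOWN at 35 s no probe is sent until 65 s, and with successRetries set to 2 a single good reply in between (the 0.1 s reply followed by a lost probe) does not bring the service back.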
Managing Monitors
This section describes how to manage the monitors you create. You can change
the bindings of the monitors, or enable, disable, and remove monitors. You can
also unbind monitors from services and service groups.
To enable a monitor using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. On the Monitors page, select the monitor that you want to enable (for example, monitor-HTTP-1), and then click Enable.
3.
To enable a monitor using the NetScaler command line
On the command line, enabling and disabling apply to the binding of a monitor to a service, so the command names both the service and the monitor.
Example
enable lb monitor Service-HTTP-1 monitor-HTTP-1
To disable a monitor using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. On the Monitors page, select the monitor that you want to disable (for example, monitor-HTTP-1), and then click Disable.
3.
To disable a monitor using the NetScaler command line
Example
disable lb monitor Service-HTTP-1 monitor-HTTP-1
Unbinding Monitors
You can unbind monitors from a service or a service group. When you unbind a monitor from a service group, it is unbound from each of the individual services that constitute the service group. After you unbind a monitor from a service or a service group, the monitor no longer probes that service or service group. If you unbind all of the configured monitors from a service or a service group, the default monitor is bound to it, and the default monitor then probes the service or the service group.
To unbind a monitor from a service using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service from which you want to unbind the monitor (for example, Service-HTTP-1), and then click Open.
3. In the Configure Service dialog box, under Configured, select the monitor that you want to unbind from the service (for example, monitor-HTTP-1), and then click Remove.
4. Click OK.
To unbind a monitor from a service using the NetScaler command line
Example
unbind lb monitor monitor-HTTP-1 Service-HTTP-1
Removing Monitors
You can remove a monitor that you have configured. A monitor that is bound to a service cannot be removed; you must first unbind the monitor from the service and then remove it. When the last configured monitor is unbound from a service, the default monitor is bound to the service. You cannot remove default monitors. The following example describes the steps to remove the monitor monitor-HTTP-1.
To remove a monitor using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. On the Monitors page, select the monitor that you want to remove (for example, monitor-HTTP-1), and then click Remove.
3.
To remove a monitor using the NetScaler command line
Example
rm lb monitor monitor-HTTP-1 HTTP
Viewing Monitors
You can view the services and service groups bound to a monitor, and you can verify the settings of a monitor to troubleshoot the configuration. The following procedure describes the steps to view the bindings of a monitor to services and service groups.
To view the bindings of a monitor using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. On the Monitors page, select the monitor for which you want to view the binding information (for example, monitor-HTTP-1), and then click Show Bindings. The binding information for the monitor that you selected appears in the Binding Info for Monitor: monitor-HTTP-1 dialog box.
To view the bindings of a monitor using the NetScaler command line
Example
show lb monbindings monitor-HTTP-1
To view monitors using the configuration utility
In the navigation pane, expand Load Balancing, and then click Monitors. The details of the available monitors appear on the Monitors page.
To view monitors using the NetScaler command line
Example
show lb monitor monitor-HTTP-1
You cannot delete or modify default monitors. When you bind any monitor to a service, the default monitor is unbound from the service. The following table gives information about monitor types, parameters, and monitoring procedures. The NetScaler provides a built-in monitor for each monitor type.
TCP Monitor Parameters
Monitor type          Specific parameters
TCP (tcp)             Not applicable
TCP-ECV (tcp-ecv)
HTTP-ECV (http-ecv)
UDP-ECV (udp-ecv)
With the Secure parameter set, the probe for each monitor type consists of the following steps.
Monitor type   Probe
TCP            TCP connection, SSL handshake
HTTP           TCP connection, SSL handshake, encrypted HTTP request
TCP-ECV        TCP connection, SSL handshake, data sent to the server is encrypted
HTTP-ECV       TCP connection, SSL handshake, encrypted HTTP request
Parameters
User Name (userName)
Password (password)
Parameters
File Name (fileName)
SIP messages can be transmitted over TCP or UDP. SIP messages are of two types: request messages and response messages. The following table summarizes the formats of these messages.
SIP Message Formats
Message type   Components
Request        Method, Request URI, SIP version
Response       SIP version, Status code
One of the most common scenarios for SIP is VoIP, where SIP is used to set up the session. The usage scenario described in the following section illustrates the role of the messages and entities in a SIP-based communication system.
SIP mechanism
The user agent (UA) is the entity that initiates the call. The user agent can be a SIP softphone (a PC-based application) or a SIP phone.
To initiate a call, the user agent sends an INVITE request to the previously configured SIP proxy server. The INVITE request contains the details of the destination, such as the destination uniform resource identifier (URI) and the Call ID. In the diagram, Caller A (the user agent) sends an INVITE request to Proxy A.
When the proxy server receives the INVITE request, it sends a 100 (Trying) response to the user agent that initiated the call (Caller A). It also performs a DNS lookup to locate the SIP proxy server of the destination domain. After the SIP proxy server of the destination domain is located, the SIP proxy at the source domain sends the INVITE request to it. Here, Proxy A sends a 100 (Trying) response to Caller A and an INVITE request to Proxy B.
When the SIP proxy server of the destination domain receives the INVITE request from the SIP proxy server of the source domain, it responds with a 100 (Trying) response. It then sends the INVITE request to the destination user agent. In this case, Proxy B sends a 100 (Trying) response to Proxy A and an INVITE request to Caller B.
When the destination user agent receives the INVITE request, it alerts Caller B and responds with a 180 (Ringing) response. This response is routed back to the source user agent through the proxies.
When Caller B accepts the call, the destination user agent responds with a 200 (OK) response, which signifies that Caller B has answered the call. This response is routed back to the source user agent through the proxies. After the call is set up, the user agents communicate directly, without the proxies.
The following table describes the entities of a SIP-based communication system and their roles.
SIP System Entities
Entity                                 Role
Proxy Server
Redirect Server
Registrar Server
Back-to-Back User Agent (B2BUA)
You can configure the NetScaler to load balance SIP requests to a group of SIP proxy servers. To do this, create an LB vserver with the LB method set to Call-ID hash, and then bind to it the services that represent the SIP proxies. You must configure the SIP proxies so that they do not add private IP addresses or private domains to the SIP header or payload. The SIP proxies must add to the SIP header a domain name that resolves to the IP address of the SIP vserver. Also, the SIP proxies must communicate with a common database to share registration information.
This section describes the role of the NetScaler when configured to perform SIP load balancing in the two most commonly used topologies: DSR mode and RNAT mode.
For more information about DSR mode, see the section Configuring Load Balancing in Direct Server Return Mode, on page 253.
In DSR mode:
1. The user agent, Caller A, sends an INVITE request to the NetScaler. The NetScaler, using the LB method, routes the request to Proxy 2.
2. Proxy 2 receives the INVITE request from the NetScaler and responds with a 100 (Trying) message.
3.
4. The destination proxy responds with a 100 (Trying) message and sends the INVITE request to the destination user agent, Caller B. The destination user agent, Caller B, begins to ring and responds with a 180 (Ringing) message. This message is sent to Caller A through the NetScaler and Proxy 2. After the user accepts the call, Caller B responds with a 200 (OK) message that is propagated to Caller A through the NetScaler and Proxy 2.
5. After Caller B accepts the call, the user agents (Caller A and Caller B) communicate independently.
In RNAT mode:
1. The user agent, Caller A, sends an INVITE request to the NetScaler. The NetScaler, based on the LB method, routes the request to Proxy 2.
2. Proxy 2 receives the INVITE request from the NetScaler and responds with a 100 (Trying) message.
3.
4. The NetScaler performs RNAT, replacing the source IP address in the INVITE request with the NAT IP address, and then forwards the INVITE request to the destination SIP proxy.
5. The destination proxy responds with a 100 (Trying) message and sends the INVITE request to the destination user agent, Caller B. Caller B begins to ring and responds with a 180 (Ringing) message. This message is sent to Caller A through the NetScaler and Proxy 2. After the user accepts the call, Caller B responds with a 200 (OK) message that is propagated to Caller A through the NetScaler and Proxy 2.
6. After the user accepts the call, the user agents (Caller A and Caller B) communicate independently.
To monitor SIP services, use the parameters described in the following table.
SIP Monitor Parameters
Maximum Forwards (maxForwards)
SIP Method (sipMethod)
SIP URI (sipURI)
SIP Register URI (sipregURI)
To configure built-in monitors to check the state of a SIP server, see Configuring Monitors in a Load Balancing Setup, on page 162. You must provide values for the required parameters to create a monitor of type SIP.
If the client and the server have matching configuration (user name, password, and secret key), the server sends an Access-Accept response. The RADIUS code for Access-Accept is 2, which is the default response code that the NetScaler expects.
If there is a mismatch in the user name, password, or secret key, the server sends an Access-Reject response. The RADIUS code for Access-Reject is 3.
RADIUS Monitor Parameters
User Name (userName)
Password (password)
RADIUS Key (radKey)
RADIUS NAS ID (radNASid)
RADIUS NAS IP (radNASip)
To prepare the RADIUS server to answer the monitor's probes:
1. Add the user name and password of the client to the database in which the RADIUS daemon searches for authentication.
2. Add the IP address and secret key of the client to the respective RADIUS database.
3. Add the IP addresses from which the RADIUS packets originate to the RADIUS database. If the NetScaler has more than one mapped IP address, or if a subnet IP address (SNIP) is used, you must add the same secret key for all of those IP addresses. If the client IP address is not added to the database, the server discards the packets.
Because the user name, password, and shared secret are part of the monitor definition, use an account created for the probe rather than one with other privileges.
The RADIUS server sends an Access-Reject response for any mismatch in user name, password, or secret key. To configure built-in monitors to check the state of a RADIUS server, see Configuring Monitors in a Load Balancing Setup, on page 162. You must provide values for the required parameters to create a monitor of type RADIUS.
DNS Monitor Parameters
Query (query)
IP Address (IPAddress)
IPv6
To configure built-in monitors to check the state of a DNS or DNS-TCP server, see Configuring Monitors in a Load Balancing Setup, on page 162. You must provide values for the required parameters to create a monitor of type DNS or DNS-TCP.
The LDAP monitors can specify a location (using the Base DN parameter) in the
directory hierarchy where the LDAP server starts the query. You can also specify
an attribute of the target entity. The LDAP server uses the fields that the monitor
provides to search for the target entity. If the search is successful, the health check
is considered good and the service is marked up. If the LDAP server does not
locate the entry, a failure message is sent to the LDAP monitors and the service is
marked down. To monitor LDAP services, use the parameters as described in the
following table.
LDAP Parameters
Base DN (baseDN): Base name for the LDAP monitor from where the LDAP search must start. If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.
Bind DN (bindDN)
Filter (filter)
Password (password)
Attribute (attribute)
To configure built-in monitors to check the state of the LDAP server, see
Configuring Monitors in a Load Balancing Setup, on page 162. You must
provide values for the required parameters to create a monitor of type LDAP.
MySQL Parameters
Database (database)
SQL Query (sqlQuery)
To configure built-in monitors to check the state of the MySQL server, see Configuring Monitors in a Load Balancing Setup, on page 162. You must provide values for the required parameters to create a monitor of type MySQL.
SNMP Parameters
SNMP OID (snmpOID)
SNMP Community (snmpCommunity)
SNMP Threshold (snmpThreshold)
SNMP Version (snmpVersion)
Parameters
User Name (userName)
Password (password)
Group (group)
To monitor POP3 services, use the parameters described in the following table.
POP3 Parameters
User Name (userName)
Password (password)
Script Name (scriptName)
Dispatcher IP Address (dispatcherIP)
Dispatcher Port (dispatcherPort)
SMTP Parameters
User Name (userName): User name for the SMTP server. This user name is used in the probe.
Password (password)
Script Name (scriptName)
Dispatcher IP Address (dispatcherIP)
Dispatcher Port (dispatcherPort)
RTSP Entities
Entity          Role
Presentation    A set of one or more streams sent to the client. Usually, in the RTSP context, a presentation controls the group of audio and video streams.
Media server
Media streams
The usage scenario of RTSP described in the following section illustrates the role of the messages and entities in an RTSP-based communication system.
RTSP mechanism
The RTSP setup can be described as follows:
1. The client uses the DESCRIBE method to request from a media server the description of the presentation. The DESCRIBE method provides the details of the media streams so that the client can start the appropriate media applications.
2.
3.
4. The client specifies the URL, session identifier, and a time range in the control messages to the server.
5. The server performs the appropriate action based on the control messages it receives from the client.
6.
RTSP Methods
Method                              Description
DESCRIBE
ANNOUNCE
OPTIONS
SETUP
PLAY
RECORD
PAUSE
TEARDOWN
GET_PARAMETER and SET_PARAMETER
REDIRECT
RTSP messages can be transmitted over TCP or UDP. When RTSP messages are transmitted over TCP, the request connections can be transmitted in the following ways:
RTSP messages can be request messages or response messages. Request messages are sequenced so that lost messages can be retransmitted.
RTSP Request Message Components
Component    Description
Sequence
Session
Transport    Negotiates and sets parameters to send the media stream. This field sets the port and multicast address for RTSP streams.
Time range
Others
This section describes the role of the NetScaler when configured to perform
RTSP load balancing in the two most commonly used topologies:
NAT-on mode
NAT-off mode
2. The client sends a SETUP request to the NetScaler. If the RTSP session ID is exchanged in the DESCRIBE request, the NetScaler, using RTSPSID persistence, routes the request to Media Server-1. If the RTSP session ID is exchanged in the SETUP request, the NetScaler performs one of the following:
3. Media Server-1 receives the SETUP request from the NetScaler, allocates resources to process the RTSP request, and sends the appropriate session ID to the client.
4. The NetScaler does not perform NAT to identify the RTSP connections, because the RTSP connections bypass the NetScaler.
5. The client then uses the session ID to identify the session and send control messages to the media server. Media Server-1 performs the requested action, such as play, forward, or rewind.
1.
2. The client sends a SETUP request to the NetScaler. If the RTSP session ID is exchanged in the DESCRIBE request, the NetScaler, using RTSPSID persistence, routes the request to Media Server-1. If the RTSP session ID is exchanged in the SETUP request, the NetScaler performs one of the following:
3. Media Server-1 receives the SETUP request from the NetScaler, allocates resources to process the RTSP request, and sends the appropriate session ID to the client.
4. The NetScaler performs NAT to identify the RTSP data connections, and the RTSP connections pass through the NetScaler.
5. The client then uses the session ID to identify the session and send control messages to the NetScaler. The NetScaler, using RTSPSID persistence, routes the request to Media Server-1. Media Server-1 performs the requested action, such as play, forward, or rewind.
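Both the SIP flow (Call-ID hash) and the RTSP flows (RTSPSID persistence) depend on pulling one session key out of each message and sending every message with that key to the same back end. The following is an added example of that extraction, not code from the guide or from the NetScaler: the SIP and RTSP messages are constructed, the proxy pool is hypothetical, and the hash-to-server mapping is a plain modulo of a SHA-256 digest rather than the NetScaler's own hash.

```python
"""Persistence-key extraction for SIP and RTSP load balancing: every
message of one SIP call (same Call-ID) or one RTSP session (same Session
header) is hashed to the same back-end server.  Added example; the
messages and the server pool are constructed, not from the guide."""
import hashlib
from typing import Dict, List, Optional, Tuple

PROXIES = ["10.102.29.5", "10.102.29.6", "10.102.29.7"]   # hypothetical pool


def parse_headers(message: str) -> Dict[str, str]:
    """Header name (lower-cased) -> value for a SIP or RTSP message."""
    head = message.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:           # skip the start line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def sip_call_id(message: str) -> Optional[str]:
    """Call-ID is the key for the Call-ID hash LB method; 'i' is its compact form."""
    h = parse_headers(message)
    return h.get("call-id") or h.get("i")


def rtsp_session_id(message: str) -> Optional[str]:
    """Session ID for RTSPSID persistence; parameters such as ';timeout=' are dropped."""
    sess = parse_headers(message).get("session")
    return sess.split(";", 1)[0].strip() if sess else None


def pick_server(key: str, servers: List[str]) -> str:
    """Deterministic hash-to-server mapping (Python's hash() is salted per
    process, so a stable digest is used instead)."""
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return servers[int.from_bytes(digest[:8], "big") % len(servers)]


def route(message: str, servers: List[str] = PROXIES) -> Tuple[Optional[str], Optional[str]]:
    """Return (persistence key, chosen server); (None, None) when the
    message carries no key and the LB method's normal choice applies."""
    start = message.split("\r\n", 1)[0]
    key = sip_call_id(message) if "SIP/2.0" in start else rtsp_session_id(message)
    return (key, pick_server(key, servers)) if key else (None, None)


# Constructed messages for the call flow described above.
CALL_ID = "a84b4c76e66710@10.0.0.11"
SIP_INVITE = ("INVITE sip:callerB@example.net SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 10.0.0.11:5060;branch=z9hG4bK776asdhds\r\n"
              "From: <sip:callerA@example.com>;tag=1928301774\r\n"
              "To: <sip:callerB@example.net>\r\n"
              f"Call-ID: {CALL_ID}\r\nCSeq: 314159 INVITE\r\nMax-Forwards: 70\r\n"
              "Content-Length: 0\r\n\r\n")
SIP_TRYING = f"SIP/2.0 100 Trying\r\nCall-ID: {CALL_ID}\r\nCSeq: 314159 INVITE\r\n\r\n"
SIP_RINGING = f"SIP/2.0 180 Ringing\r\ni: {CALL_ID}\r\nCSeq: 314159 INVITE\r\n\r\n"
RTSP_SETUP_OK = ("RTSP/1.0 200 OK\r\nCSeq: 3\r\nSession: 47112344;timeout=60\r\n"
                 "Transport: RTP/AVP;unicast;client_port=8000-8001\r\n\r\n")
RTSP_PLAY = ("PLAY rtsp://media.example.com/movie RTSP/1.0\r\nCSeq: 4\r\n"
             "Session: 47112344\r\nRange: npt=0-\r\n\r\n")
RTSP_OPTIONS = "OPTIONS * RTSP/1.0\r\nCSeq: 1\r\n\r\n"   # no session yet


if __name__ == "__main__":
    for m in (SIP_INVITE, SIP_TRYING, SIP_RINGING, RTSP_SETUP_OK, RTSP_PLAY, RTSP_OPTIONS):
        print(m.split("\r\n", 1)[0], "->", route(m))
```

The key is whatever the client or server put in the header, so the spread across proxies is only as good as the variety of Call-IDs and session IDs in the traffic; a message with no key (the RTSP OPTIONS request before SETUP) falls through to the configured LB method.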
The RTSP monitor uses the RTSP protocol to evaluate the state of RTSP services. The RTSP monitor connects to the RTSP server and conducts a sequence of handshakes to ensure that the server is operating correctly. To monitor RTSP services, use the parameters described in the following table.
RTSP Monitor Parameters
RTSP Request: RTSP request that is sent to the server (for example, OPTIONS *). The length of the request must not exceed 163 characters.
Response Codes
Parameters
Application Name
Site Path
Note that RSA SecurID authentication is not supported for this monitor. RSA SecurID requires an RSA-generated token as a password, which is not supported on the NetScaler.
Access Gateway Monitor Parameters
User Name (userName)
Password (password)
Secondary Password (secondaryPassword)
The following are special parameters for the AAC Logon Agent Service (AAC-LAS) monitor.
AAC-LAS Monitor Parameters
Logon Point Name (logonpointName)
Logon Agent Service Version (lasVersion)
The inline monitor is of type HTTP-INLINE and can only be configured to work
with HTTP and HTTPS services. Inline monitors cannot be bound to HTTP or
HTTPS Global Server Load Balancing (GSLB) remote or local services. These
services represent vservers.
Inline monitors also have a time-out value and a retry count on failure of probes.
You can select one of the following action types that the NetScaler takes when a failure occurs:
NONE. No explicit action is taken. You can view the service and monitor, and the monitor indicates the number of current contiguous error responses and the cumulative number of responses checked.
DOWN. Marks the service down and does not direct any traffic to the service. This setting breaks any persistent connections to the service. This action also logs the event and displays the counters.
After the service is marked down, it remains in the down state for the configured down time. After the down time, the configured URL is used to probe the service to check whether it is up. If the probe succeeds, the state of the service is changed to up. Traffic is then directed to the service again, and both the URL probes and the responses to live traffic are used to monitor the state of the service, as needed. To configure inline monitors, see Configuring Monitors in a Load Balancing Setup, on page 162.
User monitors
As illustrated in the diagram, a user monitor requires the following components.
Dispatcher
A dispatcher is a process on the NetScaler that listens for monitoring requests. The internal dispatcher listens on the loopback IP address (127.0.0.1) and port 3013.
A dispatcher may also be a Web server that supports the Common Gateway Interface (CGI). Such dispatchers are known as external dispatchers. They are used for custom scripts that do not run in the FreeBSD environment, such as .NET scripts.
Note: Communication between the monitor and the dispatcher can use HTTPS if you enable the secure option on the monitor. However, the internal dispatcher understands only HTTP and cannot use HTTPS.
In an HA setup, the dispatcher runs on both the primary and the secondary NetScaler, but it remains inactive on the secondary.
Script
The script is a program that sends custom probes to the back-end entity and returns a response code to the dispatcher. The NetScaler is bundled with sample scripts for commonly used protocols. The scripts are in the /nsconfig/monitors directory. To add a new script, place it in /nsconfig/monitors. To customize an existing script, copy it under a new name and modify the copy. For the scripts to function correctly, the name of the script file must not exceed 63 characters, and the maximum number of script arguments is 512. To debug a script, run it with nsumon-debug.pl from the Command Line Interface (CLI), passing the script name (with its arguments), the IP address, the port, and the time-out as the arguments of nsumon-debug.pl.
Working of User Monitors
To track the status of the server, the monitor sends an HTTP POST request to the
configured dispatcher. This POST request contains the IP address and port of the
server, and the script that must be executed.
The dispatcher executes the script as a child process, with user-defined
parameters (if any). Then, the script sends a probe to the server. The script sends
the status of the probe (response code) to the dispatcher. The dispatcher converts
the response code to an HTTP response and sends it to the monitor. Based on the
HTTP response, the monitor marks the service as up or down.
The NetScaler logs error messages to the /var/nslog/nsumond.log file when user monitor probes fail. The following table lists the user monitors and the possible reasons for failure.
User Monitors
User monitor type               Possible reasons for failure
SMTP
NNTP
LDAP
FTP
POP3
MySQL
SNMP
RDP (Windows Terminal Server)
User monitors also have a time-out value and a retry count on failure of probes.
You can use user monitors with non-user monitors. During high CPU utilization,
a non-user monitor enables faster detection of a server failure. If the user monitor
probe times out during high CPU usage, the state of the service remains
unchanged.
The HTTP response codes are summarized in the following table.
HTTP Response Codes
HTTP response code   Meaning
200                  Probe success.
                     Probe failure.
To monitor a user service, use the parameters described in the following table.
User Service Monitor Parameters
Script Name (scriptName)
Script Arguments (scriptArgs): The strings that are added to the POST data. They are copied to the request verbatim.
Dispatcher IP Address (dispatcherIP): The IP address of the dispatcher to which the probe is sent.
Dispatcher Port (dispatcherPort)
Local File Name (localfileName)
Destination Path (destPath)
You can use a custom user monitor with the internal dispatcher. Consider a scenario in which you need to track the health of a server based on the presence of a file on the server. The following diagram illustrates this scenario.
You can also use a user monitor with an external dispatcher. Consider a scenario in which you must track the health of a server based on the state of an SMTP service on another server. This scenario is illustrated in the following diagram.
Example
add lb monitor Monitor-User-1 USER -scriptName nsftp.pl -scriptArgs "file=/home/user/sample.txt;user=root;password=passwd"
The script arguments, including the user name and password that the script logs on with, are part of the monitor definition and are copied to the dispatcher request verbatim, so use an account created for the probe rather than a privileged one.
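Added example of an external dispatcher for user monitors, modelled on the exchange described under Working of User Monitors: it is not the NetScaler's internal dispatcher and not a Citrix script. The POST field names (ip, port, script, args) and the exit-code convention for the probe script are this example's assumptions; what it takes from the guide is the 63-character script-name limit, the 512-argument limit, and the rule that an HTTP 200 reply means probe success. The file-presence probe stands in for the nsftp.pl scenario and checks a local path, so it runs offline. The dispatcher only runs scripts that already exist in its script directory and never hands the request to a shell, which is the property an external dispatcher must have, since it executes whatever the monitor names.

```python
"""External dispatcher for user monitors: receives the monitor's POST,
runs the named probe script as a child process and turns its exit code
into an HTTP status.  Added example; the POST field names and the
exit-code convention are assumptions, the probe and its inputs are
constructed.  Only scripts that already exist in script_dir can run."""
import os
import re
import subprocess
import sys
import tempfile
import textwrap
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode

SCRIPT_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,63}")   # 63-char limit from the guide
MAX_ARGS = 512                                       # argument limit from the guide


def handle_probe(post_body: str, script_dir: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Return (HTTP status, body): 200 = probe success, 503 = probe
    failure or time-out, 400 = a request the dispatcher refuses to act on."""
    form = parse_qs(post_body, keep_blank_values=True)
    field = lambda k: form.get(k, [""])[0]
    script, ip, port, raw_args = field("script"), field("ip"), field("port"), field("args")
    # The script name is matched as a whole (no "/" or "..", so it cannot
    # leave script_dir), the port must be numeric, and nothing is ever
    # joined into a shell string: argv is passed as a list.
    if not SCRIPT_NAME_RE.fullmatch(script) or not port.isdigit():
        return 400, "bad request"
    path = os.path.join(script_dir, script)
    if not os.path.isfile(path):
        return 400, "unknown script"
    args = [a for a in raw_args.split(";") if a]
    if len(args) > MAX_ARGS:
        return 400, "too many arguments"
    try:
        proc = subprocess.run([sys.executable, path, ip, port, *args],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return 503, "probe timed out"
    if proc.returncode == 0:
        return 200, "probe success"
    return 503, proc.stdout.strip() or "probe failure"


# Constructed probe script: argv is <ip> <port> key=value...; it reports
# success when the named file exists (a local stand-in for a fetch).
PROBE_SCRIPT = textwrap.dedent("""\
    import os, sys
    kv = dict(a.split("=", 1) for a in sys.argv[3:] if "=" in a)
    if not os.path.isfile(kv.get("file", "")):
        print("file not found")
        sys.exit(1)
    sys.exit(0)
""")


def install_sample_probe(script_dir: str, name: str = "file_present.py") -> str:
    path = os.path.join(script_dir, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(PROBE_SCRIPT)
    return path


def demo() -> Dict[str, int]:
    """Exercise the dispatcher with a healthy probe, a failing probe and
    two requests it must refuse; returns the HTTP status of each."""
    with tempfile.TemporaryDirectory() as tmp:
        install_sample_probe(tmp)
        present = os.path.join(tmp, "sample.txt")
        open(present, "w").close()

        def post(**fields: str) -> int:
            body = urlencode(fields)          # percent-encodes ";" and "/"
            return handle_probe(body, tmp)[0]

        return {
            "present":   post(ip="10.102.29.5", port="21", script="file_present.py",
                              args=f"file={present}"),
            "missing":   post(ip="10.102.29.5", port="21", script="file_present.py",
                              args=f"file={present}.missing"),
            "traversal": post(ip="10.102.29.5", port="21", script="../../bin/sh", args=""),
            "badport":   post(ip="10.102.29.5", port="21x", script="file_present.py", args=""),
        }


if __name__ == "__main__":
    print(demo())   # {'present': 200, 'missing': 503, 'traversal': 400, 'badport': 400}
```

A real external dispatcher would sit behind a CGI-capable web server and, as the note above says, should accept the monitor's requests over HTTPS when the secure option is set; the request handling itself is what handle_probe shows.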
Metric Table Parameters
Metric Table (metricTable): Metric table to use for the metrics that must be bound. The maximum value is 99.
The NetScaler-generated metric tables are:
  NetScaler
  RADWARE
  CISCO-CSS
  LOCAL
  FOUNDRY
  ALTEON
You can either use the NetScaler-generated metric tables, or you can add tables of your own choosing, as shown in the following table. The values in the metric table are provided only as examples. In an actual scenario, use the real values for the metrics.
Example of Metrics for Load Assessments
Metric name    OIDs      Weight   Threshold
CPU            1.2.3.4   70
Memory         4.5.6.7   80
Connections    5.6.7.8   90
Metric (metric)
To create a metric table using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Metric Tables.
2.
3. In the Create Metric Table dialog box, in the Metric Table Name text box, type the name of the metric table (for example, Table-Custom-1).
4. Click Create, and then click Close. The metric table you created appears in the Metric Tables page.
To create a metric table using the NetScaler command line
Example
add metricTable Table-Custom-1
To bind metrics to a metric table using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Metric Tables.
2. In the details pane, select the metric table to which you want to bind the metrics (for example, Table-Custom-1), and then click Open.
3. In the Configure Metric Table dialog box, in the Metric and SNMP OID text boxes, type the metric and the SNMP OID for the metric table (for example, 1.3.6.1.4.1.5951.4.1.1.41.1.5 and 11).
4.
To bind metrics to a metric table using the NetScaler command line
Example
bind metricTable Table-Custom-1 1.3.6.1.4.1.5951.4.1.1.41.1.5 11
To remove a metric table using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Metric Tables.
2. In the details pane, select the metric table that you want to remove (for example, Table-Custom-1), and click Remove.
3.
To remove a metric table using the NetScaler command line
Example
rm metricTable Table-Custom-1
To unbind metrics from a metric table using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Metric Tables.
2. In the details pane, select the metric table from which you want to unbind the metrics (for example, Table-Custom-1), and then click Open.
3. In the Configure Metric Table dialog box, in the Bound Metrics list box, select the metric that you want to unbind from the table (for example, 1.3.6.1.4.1.5951.4.1.1.41.1.5).
4.
To unbind metrics from a metric table using the NetScaler command line
Example
unbind metricTable Table-Custom-1 1.3.6.1.4.1.5951.4.1.1.41.1.5
To view metric tables using the configuration utility
In the navigation pane, expand Load Balancing, and then click Metric Tables. The details of the available metric tables appear on the Metric Tables page.
To view the metric tables using the NetScaler command line
Example
show metricTable Table-Custom-1
The following diagram shows how SASP facilitates load balancing decisions
using the Group Workload Manager:
The NetScaler waits two minutes (the default wait time) to receive the weight message from the EWLM. If the NetScaler receives the weight message within two minutes, the weight is calculated dynamically from the incoming weight message. If not, the NetScaler uses the user-configured weights for making load balancing decisions.
If a service is disabled on the NetScaler, a setmemberstate message is sent to the EWLM conveying that the disabled service is not to be considered for load balancing. The NetScaler sends a deregistration message to the EWLM to deregister, or remove, the disabled service. The EWLM responds with a deregistration success or failure message.
The following example describes the steps to bind the services Service-HTTP-1
and Service-HTTP-2 to the vserver Vserver-LB-1. Vserver-LB-1 forwards the
client request to either of the two services Service-HTTP-1 or Service-HTTP-2.
The NetScaler selects the service for each request using the least connections LB
method. A workload manager Wlm-1 is created and bound to Vserver-LB-1. The
following diagram shows the LB entities and the values of the parameters.
Work Load Manager Parameters
Name (Name)
IP Address (IPAddress)
LB unique identifier (LBUID)
Port (port)
To create a work load manager using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Work Load Managers.
2.
3. In the Create Work Load Manager dialog box, in the Name, IP Address, LB Unique Identifier, Port, and Keep Alive Time-out (minutes) text boxes, type the corresponding values (for example, Wlm-1, 10.102.29.30, 11, 80, and 2).
4. Click Create, and then click Close. The work load manager you created appears in the Work Load Managers page, as shown in the following screen shot.
To create a work load manager using the NetScaler command line
Example
add lb wlm wlm-1 10.102.29.30 -LBUID 11
To bind a vserver to a work load manager using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Work Load Managers.
2. In the details pane, select the work load manager to which you want to bind the vserver (for example, Wlm-1), and then click Open.
3.
4.
To bind a vserver to a work load manager using the NetScaler command line
Example
bind lb wlm wlm-1 Vserver-LB-1
Keep Alive Time-out (KATimeout): The idle time period after which the NetScaler probes the work load manager. The value ranges from 2 to 1440 minutes. The default value is 2 minutes and the maximum value is 1440 minutes.
To modify a work load manager using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Work Load Managers.
2. In the details pane, select the work load manager that you want to modify (for example, Wlm-1), and then click Open.
3. In the Configure Work Load Manager dialog box, in the Keep Alive Time-out (minutes) text box, type the time-out value (for example, 20).
4. Click OK.
To modify a work load manager using the NetScaler command line
Example
set lb wlm wlm-1 -KATimeout 20
To remove a work load manager using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Work Load Managers.
2. In the details pane, select the work load manager that you want to remove (for example, Wlm-1), and then click Remove.
3.
To remove a work load manager using the NetScaler command line
Example
rm lb wlm wlm-1
To unbind a vserver from a work load manager using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Work Load Managers.
2. In the details pane, select the work load manager from which you want to unbind a vserver (for example, Wlm-1), and then click Open.
3.
4.
To unbind a vserver from a work load manager using the NetScaler command line
Example
unbind lb wlm wlm-1 Vserver-LB-1
To view work load managers using the configuration utility
In the navigation pane, expand Load Balancing, and then click Work Load Managers. The details of the available work load managers appear in the Work Load Managers page.
To view work load managers using the NetScaler command line
Example
show lb wlm wlm-1
To create a range of vservers and services, use the parameters as described in the
following table.
Vserver and Service Range Parameters
Parameter                  Specifies
Name (Name)
IP address range (range)
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2.
3. In the Create Virtual Server (Load Balancing) - Range dialog box, in the Name Prefix, IP Address Range, and Port text boxes, type the vserver name, IP address with which to begin the range, and port (for example, vserver, 10.102.29.30, and 80).
4. Select the Network VServer check box, and in Range, type the last value of the vserver range (for example, 35).
5. In the Protocol drop-down list box, select the protocol type (for example, HTTP).
6. Click Create, and then click Close. The range of vservers you created appears in the Load Balancing Virtual Servers page.
Example
add lb vserver Vserver-LB-2 http -range 5 10.102.29.30 80
or
add lb vserver Vserver-LB-[2-7] http 10.102.29.[30-35] 80
Note: Do not use -range and the [ ] range operator in the same command.
1. In the navigation pane, expand Load Balancing, and then click Services.
2.
3. In the Create Service (Range) dialog box, in the IP Address Range and Port text boxes, type the start value of the IP address range and the port (for example, 10.102.29.102, and 80).
4. In the text box next to the IP Address Range text box, type the last value of the last service (for example, 104).
5. In the Protocol drop-down list box, select the protocol type (for example, HTTP).
6. Click Create, and then click Close. The range of services you created appears in the Services page.
Example
add lb service Service-HTTP-1 http -range 3 10.102.29.102 80
or
add lb service Service-HTTP-[1-5] http 10.102.29.[102-106] 80
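The bracket-range form used in the vserver and service examples above is easy to get wrong (mismatched range lengths, an octet that runs past 255, or -range mixed with the [ ] operator). The following Python helper is an added example, not part of this guide or of the NetScaler product: it expands a range command into the individual add commands it stands for and refuses the malformed cases before anything reaches the appliance. The function names, and the assumption that one bracket expands exactly one numeric segment of a token, are mine.

```python
import ipaddress
import re

# One bracketed numeric range, for example "[2-7]" in "Vserver-LB-[2-7]".
_RANGE_RE = re.compile(r"\[(\d+)-(\d+)\]")


def expand_token(token):
    """Expand one NetScaler-style range token into its concrete values.

    "Vserver-LB-[2-7]"  -> ["Vserver-LB-2", ..., "Vserver-LB-7"]
    "10.102.29.[30-35]" -> ["10.102.29.30", ..., "10.102.29.35"]
    A token without a bracket expands to itself.  (Assumption made here:
    a bracket stands for exactly one numeric segment of the token.)
    """
    match = _RANGE_RE.search(token)
    if match is None:
        return [token]
    if _RANGE_RE.search(token, match.end()) is not None:
        raise ValueError(f"only one [start-end] range is allowed per token: {token}")
    start, end = int(match.group(1)), int(match.group(2))
    if end < start:
        raise ValueError(f"range end precedes range start: {token}")
    head, tail = token[:match.start()], token[match.end():]
    return [f"{head}{i}{tail}" for i in range(start, end + 1)]


def expand_range_command(command):
    """Turn 'add lb vserver|service NAME PROTO IP PORT' with [ ] ranges into single commands.

    Checks performed before anything is generated:
      * -range and the [ ] operator are never mixed (the Note above);
      * the name range and the address range have the same number of entries;
      * every generated address is a valid IP (catches 10.102.29.[250-260]).
    A command that uses -range alone is returned unchanged, because the
    appliance expands that form itself.
    """
    parts = command.split()
    if "-range" in parts:
        if "[" in command:
            raise ValueError("do not use -range and the [ ] range operator in the same command")
        return [command]
    if len(parts) < 7 or parts[:2] != ["add", "lb"] or parts[2] not in ("vserver", "service"):
        raise ValueError(f"unsupported command: {command}")
    entity, name_tok, proto, addr_tok, port = parts[2], parts[3], parts[4], parts[5], parts[6:]
    names = expand_token(name_tok)
    addrs = expand_token(addr_tok)
    if len(names) != len(addrs):
        raise ValueError(
            f"name range yields {len(names)} entries but address range yields {len(addrs)}")
    for addr in addrs:
        ipaddress.ip_address(addr)  # ValueError on a malformed or overflowing octet
    return [" ".join(["add", "lb", entity, name, proto, addr, *port])
            for name, addr in zip(names, addrs)]


def rejects(command):
    """True when expand_range_command refuses the command; handy for checks."""
    try:
        expand_range_command(command)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for line in expand_range_command("add lb vserver Vserver-LB-[2-7] http 10.102.29.[30-35] 80"):
        print(line)
```

Run the file to see the six vserver commands the guide's range example stands for; feeding the service range example yields five service commands in the same way.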
Parameter                    Specifies
Name (Name)
Service Type (serviceType)
1. In the navigation pane, expand Load Balancing, and then click Service Groups.
2.
3. In the Create Service Group dialog box, in the Service Group Name text box, type the name of the service group (for example, Service-Group-1).
4. In the Protocol list, select the protocol type (for example, HTTP).
5. Click Create, and then click Close. The service group you created appears in the Service Groups page, as shown in the following screen shot.
Example
add servicegroup Service-Group-1 HTTP
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver to which you want to bind the service group (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the Services Groups tab.
4. In the Active column, select the check box next to the service group that you want to bind to the vserver (for example, Service-Group-1), and then click OK.
Example
bind lb vserver Vserver-LB-1 Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service Groups.
2. In the details pane, select the service group for which you want to bind members (for example, Service-Group-1), and then click Open.
3.
4.
5. Click OK.
Examples
bind servicegroup Service-Group-1 10.102.29.30 80
bind servicegroup Service-Group-2 1000:0000:0000:0000:0005:0600:700a:888b 80
bind servicegroup Service-Group-2 1000:0000:0000:0000:0005:0600:700a::888b-888d 80
1. In the navigation pane, expand Load Balancing, and then click Service Groups.
2. In the details pane, select the service group for which you want to bind members (for example, Service-Group-1), and click Open.
3. On the Members tab, under Specify Member(s), click the Server Based radio button.
4. In the server name list, select one or more servers (for example, Server-50).
5. In the Port text box, type the port (for example, 80).
6.
Example
bind servicegroup Service-Group-1 Server-50 80
1. In the navigation pane, expand Load Balancing, and then click Service Groups.
2. In the details pane, select the service group for which you want to bind monitors (for example, Service-Group-1), and then click Open.
3. On the Monitors tab, under Available, select a monitor name (for example, ping).
4.
Example
bind mon monitor-HTTP-1 Service-Group-1
Parameter                            Specifies
Cache Type (type)
Maximum Client (maxClient)
Maximum Requests (maxReq)
Cacheable (cacheable)
Client IP (cip)
Client IP Header (cipHeader)
Use Source IP (usip)
SC (sc)
SP (sp)
Client Time-out (cltTimeout)
Server Time-out (svrTimeout)
CKA (CKA)
TCPB (TCPB)
CMP (CMP)
Maximum Bandwidth (maxBandwidth)
Monitor Threshold (maxThreshold)
State (state)
DownStateFlush (downStateFlush)
Note: Any parameter you set on the service group is applied to the member
servers in the group and not to individual services.
1. In the navigation pane, expand Load Balancing, and then click Service Groups.
2. In the details pane, select the service group that you want to modify (for example, Service-Group-1), and then click Open.
3. Make the required changes to the service group, and then click OK.
Example
set servicegroup Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service Groups.
2. In the details pane, select the service group that you want to remove (for example, Service-Group-1), and then click Remove.
3.
rm servicegroup ServiceGroupName
Example
rm servicegroup Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service Groups.
2. In the details pane, select the service group from which you want to unbind members (for example, Service-Group-1), and then click Open.
3.
4.
To unbind members from a service group using the NetScaler command line
Example
unbind servicegroup Service-Group-1 10.102.29.30 80
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver from which you want to unbind the service group (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the Services Groups tab.
4. Clear the Active check box next to the service group that you want to unbind from the vserver (for example, Service-Group-1).
5. Click OK.
To unbind a service group from a vserver using the NetScaler command line
Example
unbind lb vserver Vserver-LB-1 Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service Groups.
2. In the details pane, select the service group from which you want to unbind the monitor (for example, Service-Group-1), and then click Open.
3. In the Configure Service Group dialog box, click the Monitors tab.
4. Under Configured, select the monitor that you want to unbind from the service group (for example, monitor-HTTP-1), and then click Remove.
5. Click OK.
Example
unbind mon monitor-HTTP-1 Service-Group-1
After disabling an enabled service, you can view the service in the configuration
utility or at the command line to see the amount of time that remains before the
service goes down.
To disable a service group using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Service Groups.
2. In the Service Groups page, select the service group that you want to disable (for example, Service-Group-1), and then click Disable.
3. In the Wait Time dialog box, type the wait time value (for example, 30).
4. Click Enter.
Example
disable servicegroup Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service Groups.
2. In the details pane, select the service group that you want to enable (for example, Service-Group-1), and then click Enable.
3.
Example
enable servicegroup Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service Groups.
2. In the details pane, click the name of the service group whose properties you want to view, and then click Open.
To view the properties of a service group using the NetScaler command line
To view both the properties of the service group and its members, type:
show servicegroup -includemembers
Example
show servicegroup Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service Groups.
2. In the details pane, select the service group whose statistics you want to view (for example, Service-Group-1), and then click Statistics. The statistics of the service group you selected appear in a new window.
To view the statistics of a service group using the NetScaler command line
Example
stat servicegroup Service-Group-1
Parameter                                       Specifies
Server Name (Name)
IP Address / Domain Name (IPAddress | Domain)   Server's domain name (for example, www.example.com).
Translation IP Parameters
Parameter                                Specifies
Translation IP Address (translationIP)
Translation Mask (translationMask)
1. In the navigation pane, expand Load Balancing, and then click Servers.
2.
3. In the Create Server dialog box, in the Server Name field, enter a name.
4. In the IP Address / Domain Name field, enter the server's domain name.
Note: Do not enter an IP address if you are entering a mask.
5.
6.
7. Click Create.
IP mask: 255.255.0.0
If a destination IP address matches the IP patterns in more than one virtual server,
the longest match takes precedence. The following is an example:
Selected virtual server: Virtual Server 2. More bits are considered for this
virtual server than for Virtual Server 1.
Parameter                Specifies
Name (name)
Protocol (http)          Value of HTTP.
Port (port)
Pattern Based
IP Pattern (ipPattern)   IP address pattern for the virtual server. You must supply either the initial or the trailing octets (for example, 11.11.00.00).
IP Mask (ipMask)
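The longest-match rule described above is easy to state but worth seeing operate on overlapping patterns. The following Python is an added example (not code from this guide or from the NetScaler product) of selecting among pattern-based vservers: a vserver matches when the destination address agrees with its ipPattern on every bit set in its ipMask, and among the matching vservers the one whose mask compares the most bits wins. The sample vservers are constructed here; the guide's "Virtual Server 1" and "Virtual Server 2" are given patterns of my choosing (leading-octet and trailing-octet forms both appear, written with plain zeros rather than 00).

```python
import ipaddress


def _as_int(dotted):
    """Dotted-decimal IPv4 string to integer."""
    return int(ipaddress.IPv4Address(dotted))


def mask_bits(ip_mask):
    """Number of address bits an IP mask actually compares (255.255.0.0 -> 16)."""
    return bin(_as_int(ip_mask)).count("1")


def pattern_matches(dest_ip, ip_pattern, ip_mask):
    """True when dest_ip agrees with ip_pattern on every bit set in ip_mask.

    Works for leading-octet patterns (11.11.0.0 / 255.255.0.0) and for
    trailing-octet patterns (0.0.0.100 / 0.0.0.255) alike.
    """
    mask = _as_int(ip_mask)
    return (_as_int(dest_ip) & mask) == (_as_int(ip_pattern) & mask)


def select_vserver(dest_ip, vservers):
    """Pick the pattern-based vserver for a destination address.

    vservers: list of (name, ipPattern, ipMask).  Every matching vserver is a
    candidate; the one whose mask compares the most bits wins (longest match).
    Returns None when no pattern matches, so a caller can fall through to the
    ordinary address-and-port lookup.
    """
    best_name, best_bits = None, -1
    for name, ip_pattern, ip_mask in vservers:
        if pattern_matches(dest_ip, ip_pattern, ip_mask):
            bits = mask_bits(ip_mask)
            if bits > best_bits:
                best_name, best_bits = name, bits
    return best_name


# Constructed sample configuration (not from the guide): two leading-octet
# patterns that overlap, and one trailing-octet pattern.
SAMPLE_VSERVERS = [
    ("Virtual Server 1", "11.11.0.0", "255.255.0.0"),
    ("Virtual Server 2", "11.11.22.0", "255.255.255.0"),
    ("Virtual Server 3", "0.0.0.100", "0.0.0.255"),
]

if __name__ == "__main__":
    for dest in ("11.11.22.33", "11.11.5.9", "192.168.1.100", "10.0.0.1"):
        print(dest, "->", select_vserver(dest, SAMPLE_VSERVERS))
```

A destination such as 11.11.22.100 matches all three sample vservers; the 24-bit mask of Virtual Server 2 wins over the 16-bit and 8-bit masks, which is the precedence the guide describes.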
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2.
3. In the Create Virtual Server dialog box, in the Name field, enter a name.
4.
5.
6.
7.
Examples
The following table lists the names and values of the basic entities configured on
the NetScaler.
Sample FTP Server Topology
Entity type   Name            IP address     Port   Protocol
Vserver       Vserver-LB-1    10.102.29.25   21     FTP
Services      Service-FTP-1   10.102.29.21   21     FTP
              Service-FTP-2   10.102.29.22   21     FTP
              Service-FTP-3   10.102.29.23   21     FTP
Monitors      FTP             None           None   None
The following diagram shows the LB entities, and the values of the parameters
that need to be configured on the NetScaler.
The following sections describe the tasks required to implement this scenario:
1.
2.
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2.
3. On the Standards Parameters tab, in the Name and Interval text boxes, type monitor-FTP-1 and 340, respectively.
4.
5. On the Special Parameters tab, in the User Name and Password text boxes, type User.
6. Click Create, and then click Close. The monitor monitor-FTP-1 that you created appears in the Monitors Page.
Example
add lb monitor monitor-FTP-1 FTP -interval 360 -userName User -password User
Entity type   Name            IP address     Port   Protocol
Vserver       Vserver-LB-1    10.102.29.13   53     DNS
Services      Service-DNS-1   10.102.29.14   53     DNS
              Service-DNS-2   10.102.29.15   53     DNS
              Service-DNS-3   10.102.29.16   53     DNS
Monitors      monitor-DNS-1   None           None   None
The following diagram shows the LB entities and the values of the parameters
that need to be configured on the NetScaler.
2.
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2.
3. In the Create Monitor dialog box, in the Name and Interval text boxes, type a monitor name and a monitoring interval (for example, monitor-DNS-1 and 340, respectively).
4. Select the unit of time for the interval in the drop-down menu.
5.
6. Click the Special Parameters tab, in the Query text box type the domain name query to send to the DNS service (for example, www.mycompany.com), and in the Query Type list box, select ADDRESS or ZONE.
7. In the text box below the Query Type list box, type an IP address that is to be checked against the response to the DNS monitoring query (for example, 10.102.29.66), and click Add.
Note: If you want to enter an IPv6 address, select the IPv6 check box before entering the address.
8. Click Create, and then click Close. The monitor that you created appears in the Monitors page.
Examples
add lb monitor monitor-DNS-1 DNS -query www.citrix.com -queryType Address -IPAddress 10.102.29.66
add lb monitor monitor-DNS-2 DNS -query www.citrix2.com -queryType Address -IPAddress 1000:0000:0000:0000:0005:0600:700a::888b-888d
If the domain name resolution fails due to a timeout, the NetScaler uses the
old information (IP address).
Statistics are collected on a service and are not reset when the IP address
changes.
If a DNS resolution returns a code of name error (3), the NetScaler marks
the service down and changes the IP address to zero.
The NetScaler distributes client requests across the domain name-based services
to balance the load on the servers. When the NetScaler receives a request for a
service, it selects the target service. This way, the NetScaler balances the load on
the services. The following diagram describes the topology of a load balancing
configuration that load balances a group of domain-name based servers (DBS).
The following table lists the names and values of the basic entities configured on
the NetScaler.
Example DNS-Based Load Balancing Configuration
Entity type   Name             IP address       Port   Protocol
Vserver       Vserver-LB-1     10.102.29.17     80     HTTP
              Vserver-LB-2     10.102.29.20     53     DNS
Servers       server-1         10.102.29.18     80     HTTP
              server-2         www.citrix.com   80     HTTP
Services      Service-HTTP-1   server-1         80     HTTP
              Service-HTTP-2   server-2         80     HTTP
              Service-HTTP-2   10.102.29.19     80     HTTP
Monitors      Default          None             None   None
Name Server   None             10.102.29.19     None   None
The following diagram shows the LB entities and the values of the parameters
that need to be configured on the NetScaler.
The following sections explain the procedures required to implement the scenario
described in the preceding section:
1.
2.
1. In the navigation pane, expand DNS, and then click Name Servers.
2.
3. In the Create Name Server dialog box, select DNS Virtual Server.
4. In the DNS Virtual Server drop-down list, select the server name (for example, Vserver-LB-2).
Note: Click New if you want to create a new load balancing vserver. The Create Virtual Server (Load Balancing) dialog box appears.
5.
Example
add dns nameServer Vserver-LB-2
You can also add an authoritative name server that resolves the domain name to
an IP address. For more information about configuring name servers, see
Domain Name System, on page 467.
Entity type   Name            IP address     Port   Protocol
Vserver       Vserver-LB-1    10.102.29.65   80     SIP
Services      Service-SIP-1   10.102.29.10   80     SIP
              Service-SIP-2   10.102.29.20   80     SIP
Monitors      Default         None           80     SIP
The following diagram shows the LB entities and the values of the parameters to
be configured on the NetScaler.
2. Configuring RNAT
3.
Configuring RNAT
The following procedure describes the steps to configure RNAT.
To configure RNAT using the configuration utility
1. In the navigation pane, expand Network, expand Routing, and then click Routes.
2.
3. In the Create Route dialog box, in the Network, Netmask, and Gateway IP text boxes, type 10.102.29.0, 255.255.255.0, and 10.102.29.50, respectively.
4.
Example
add route 10.102.29.0 255.255.255.0 10.102.29.50
1.
2. On the Load Balancing landing page, under Settings, click Change SIP settings.
3. In the Set SIP Parameters dialog box, in the RNAT source port text box, type 5060.
4. Select the Enable Add RPort VIP check box, and click OK.
Example
set sipParameters -rnatSrcPort 5060
Entity type   Name             IP address      Port   Protocol
Vserver       Vserver-LB-1     10.102.29.100   554    RTSP
Services      Service-RTSP-1   10.102.29.101   554    RTSP
              Service-RTSP-2   10.102.29.102   554    RTSP
              Service-RTSP-3   10.102.29.103   554    RTSP
Monitors      Monitor-RTSP-1   None            554    RTSP
2.
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2.
3. In the Create Monitor dialog box, in the Name and Interval text boxes, type the name and probing interval of a monitor (for example, Monitor-RTSP-1 and 340).
4. In the Type list, select the type of the monitor (for example, RTSP).
5.
Example
add lb monitor Monitor-RTSP-1 RTSP
Topics include:
The following sections describe the topology and configuration of one-arm and
two-arm modes. Note the following:
Because the NetScaler does not proxy the TCP connection (that is, it does not
send the SYN-ACK to the client), it does not completely shut out a SYN attack.
By using the SYN packet rate filter, you can control the rate of SYNs to the
server. To control the rate of SYNs, set a threshold for the rate of SYNs. To
get protection from a SYN attack, configure the NetScaler to proxy the TCP
connection, but that requires the reverse traffic to flow through the
NetScaler.
Entity type   Name            IP address     Protocol
Vserver       Vserver-LB-1    10.102.29.94   ANY
Services      Service-ANY-1   10.102.29.91   ANY
              Service-ANY-2   10.102.29.92   ANY
              Service-ANY-3   10.102.29.93   ANY
Monitors      TCP             None           None
The following diagram shows the LB entities and values of the parameters to be
configured on the NetScaler.
2.
3.
1.
2. On the Settings page, under Modes and Features, click Change modes.
3. In the Configure Modes dialog box, select the MAC Based Forwarding check box, and then click OK.
4.
Example
enable ns mode MAC
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver (for example, Vserver-LB-1), and then click Open.
3.
4. On the Advanced tab, under Redirection Mode, select MAC Based.
5.
Example
set lb vserver Vserver-LB-1 -lbMethod SourceIPHash -m MAC -sessionless enabled
1. In the navigation pane, expand Load Balancing, and then click Services.
2.
3. On the Advanced tab, under Settings, select the Use Source IP check box, and then click OK.
4.
To set a service to use source IP address using the NetScaler command line
Example
set service Service-ANY-1 -usip yes
Note: For USIP to function correctly, you must set it globally. For more
information about configuring USIP globally, see the Citrix NetScaler
Networking Guide, Chapter 1, IP Addressing.
1. Create a loopback interface with the NetScaler's vserver IP address (VIP) (10.101.4.94) on all the servers participating in the DSR cluster.
2.
Differentiated services (DS), also known as TOS (Type of Service), is a field that
is part of the packet header and is used by upper layer protocols for optimizing
the path for a packet. The differentiated services information is used by the
back-end servers to derive the VIP from the encoded VIP. In this scenario, the
NetScaler adds the additional differentiated services information to the packet
and sends it to the server. The servers then respond directly to the client bypassing
the NetScaler, as illustrated in the diagram.
The environment must not have any stateful devices, such as stateful
firewall and TCP gateways in the path between the NetScaler and the
servers.
Routers at all the entry points of the network must remove the differentiated
services field from all incoming packets to make sure that the server does
not confuse other traffic with a value in the differentiated services field.
Care must be taken to make sure that the intermediate router does not send
out an ICMP error message regarding fragmentation. The client will not
understand the message as the source IP address will be the IP address of
the back-end server and not the VIP of the NetScaler.
In the example, the service Service-ANY-1 is created and bound to the vserver
Vserver-LB-1. The vserver load balances the client request to the service, and the
service responds to clients directly, bypassing the NetScaler. The following table
lists the names and values of the entities configured on the NetScaler in DSR
mode.
Entity Type   Name            IP Address      Protocol
Vserver       Vserver-LB-1    10.102.33.91    ANY
Services      Service-ANY-1   10.102.100.44   ANY
Monitors      PING            None            None
The following sections describe the tasks required to implement this scenario:
1.
2.
B.
C.
1. In the left navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the Load Balancing Virtual Servers pane, select the vserver (for example, Vserver-LB-1) and click Open.
3.
4. In the TOS Id box, enter a value for the TOS ID (for example, 3).
5. Click OK.
To configure the redirection mode for the vserver using the NetScaler
command line
Example
set lb vserver Vserver-LB-1 -m TOS -tosId 3
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. On the Monitors pane, select the monitor (for example, tcp), and click Add.
3. In the Create Monitor dialog box, in the Name and Destination IP boxes, enter the monitor name and the destination IP address (for example, PING and 10.102.33.91).
4. In the Type list, select the type of monitor (for example, PING).
5. To configure the monitor for TOS, select the TOS check box.
6. In the TOS Id box, enter the same TOS ID that you entered for the vserver (for example, 3).
7. Click OK.
To configure the transparent monitor for TOS using the NetScaler command
line
Example
add monitor mon1 PING -destip 10.102.33.91 -tos Yes -tosId 3
1. Create a loopback interface with the NetScaler VIP (10.102.33.91) on all the servers participating in the DSR cluster.
At the Linux OS prompt, type the following commands:
# Reply to ARP only for addresses configured on the receiving interface, so the
# server does not answer ARP requests for the VIP it holds on its loopback
echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
# Use the best local address, never the loopback VIP, as the source of ARP announcements
echo 2 > /proc/sys/net/ipv4/conf/eth0/arp_announce
# Send traffic for the VIP via this server's own address (10.102.100.44 is Service-ANY-1 in the table)
route add -host 10.102.33.91 gw 10.102.100.44
2.
Note: Add the correct mappings to the software before running it. In the preceding commands, the Linux server uses eth0 to connect to the network. When you use this command, type the name of the interface that your Linux server uses to connect to the network.
Entity type   Name            IP address     Protocol
Vserver       Vserver-LB-1    10.102.29.94   ANY
Services      Service-ANY-1   10.102.29.91   ANY
              Service-ANY-2   10.102.29.92   ANY
              Service-ANY-3   10.102.29.93   ANY
Monitors      TCP             None           None
The following diagram shows the LB entities and values of the parameters that
need to be configured on the NetScaler.
The client request is routed to the server. A switch with a mirroring port
enabled forwards these packets to the server. The source IP address is the IP
address of the client, and the destination IP address is the IP address of the
server. The source MAC address is the MAC address of the router, and the
destination MAC address is the MAC address of the server.
2. The traffic that flows through the switch is mirrored to the NetScaler. The NetScaler uses the layer 3 information (source IP address and destination IP address) to forward the packet for balancing the load on IDS servers. An IDS server is selected and the packet is sent to the server without changing the source IP address or destination IP address, but the source MAC address and the destination MAC address are changed to the MAC address of the selected IDS server.
Note: You can configure the SRCIPHASH, DESTIPHASH, or
SRCIPDESTIPHASH load balancing methods. It is recommended to use the
SRCIPDESTIPHASH method because the packets flowing from the client to a
service on the NetScaler must go to a single IDS server.
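The note above is the crux of IDS load balancing: a sensor can only reassemble a conversation it sees in full, so the choice of sensor has to be a pure function of the addresses, not of arrival order. The following Python is an added example, not code from this guide or from the NetScaler product, that models the forwarding step for the three hash methods the note names: the layer 3 addresses pass through untouched, the MAC addresses are rewritten, and the sensor is chosen from a hash of the relevant addresses. The service names and IPs come from the table above; the MAC addresses, the use of SHA-256 as the hash, the decision to hash the unordered address pair (so that a mirrored reply direction reaches the same sensor) and the choice of the NetScaler's own MAC as the new source MAC are my assumptions.

```python
import hashlib
import ipaddress

# Constructed values (not from the guide): the three IDS services of the table
# above, a MAC for each sensor, and a MAC for the NetScaler's interface.
IDS_SERVICES = [
    ("Service-ANY-1", "10.102.29.101"),
    ("Service-ANY-2", "10.102.29.102"),
    ("Service-ANY-3", "10.102.29.103"),
]
SENSOR_MACS = {
    "Service-ANY-1": "02:00:00:00:01:01",
    "Service-ANY-2": "02:00:00:00:01:02",
    "Service-ANY-3": "02:00:00:00:01:03",
}
NETSCALER_MAC = "02:00:00:00:00:aa"


def _hash_key(src_ip, dst_ip, method):
    """Bytes fed to the hash for each of the three methods the note names.

    For SRCIPDESTIPHASH the pair is sorted, so the reply direction of a
    conversation hashes to the same key (an assumption made here, not a
    documented appliance behaviour).
    """
    src = ipaddress.ip_address(src_ip).packed
    dst = ipaddress.ip_address(dst_ip).packed
    if method == "SRCIPHASH":
        return src
    if method == "DESTIPHASH":
        return dst
    if method == "SRCIPDESTIPHASH":
        return min(src, dst) + max(src, dst)
    raise ValueError(f"unsupported load balancing method: {method}")


def select_ids_service(src_ip, dst_ip, services=IDS_SERVICES, method="SRCIPDESTIPHASH"):
    """Choose the IDS service for a mirrored packet.

    The index is derived from a hash of the addresses the method looks at, so
    the choice depends only on those addresses and never on packet order.
    SHA-256 is an assumption made here; the appliance's hash is not documented.
    """
    digest = hashlib.sha256(_hash_key(src_ip, dst_ip, method)).digest()
    return services[int.from_bytes(digest[:4], "big") % len(services)][0]


def forward_mirrored_packet(packet, services=IDS_SERVICES, sensor_macs=SENSOR_MACS,
                            method="SRCIPDESTIPHASH"):
    """Model the forwarding step: layer 3 addresses untouched, MACs rewritten.

    packet: dict with src_ip, dst_ip, src_mac, dst_mac as received from the
    mirror port.  The destination MAC becomes the selected sensor's MAC; the
    source MAC becomes the NetScaler's (assumption made here).
    """
    name = select_ids_service(packet["src_ip"], packet["dst_ip"], services, method)
    return {**packet, "src_mac": NETSCALER_MAC, "dst_mac": sensor_macs[name], "service": name}


def sensor_distribution(n_clients, dst_ip="10.102.29.200", method="SRCIPDESTIPHASH"):
    """Count how n_clients distinct constructed client addresses spread over the sensors."""
    counts = {name: 0 for name, _ in IDS_SERVICES}
    for i in range(1, n_clients + 1):
        counts[select_ids_service(f"10.1.{i // 256}.{i % 256}", dst_ip, method=method)] += 1
    return counts


if __name__ == "__main__":
    pkt = {"src_ip": "10.1.1.5", "dst_ip": "10.102.29.200",
           "src_mac": "02:00:00:00:ff:01", "dst_mac": "02:00:00:00:ff:02"}
    print(forward_mirrored_packet(pkt))
    print(sensor_distribution(60))
```

With SRCIPHASH a client's traffic to every server lands on one sensor; with SRCIPDESTIPHASH each client-to-server pair gets its own placement while still staying on a single sensor, which is the property the note asks for.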
Suppose Service-ANY-1, Service-ANY-2, and Service-ANY-3 are created and
bound to Vserver-LB-1. The vserver balances the load on the services. The
following table lists the names and values of the entities configured on the
NetScaler.
Example Load Balancing Intrusion Detection System Configuration
Entity type   Name            IP address      Port   Protocol
Vserver       Vserver-LB-1                           ANY
Services      Service-ANY-1   10.102.29.101          ANY
              Service-ANY-2   10.102.29.102          ANY
              Service-ANY-3   10.102.29.103          ANY
Monitors      Ping            None            None   None
Note: You can configure the NetScaler to balance the load on IDS servers in the
inline mode or in the one-arm mode.
The following diagram shows the LB entities and values of the parameters to be
configured on the NetScaler.
2.
3.
1.
2. On the Settings landing page, under Modes and Features, click modes.
3. In the Configure Modes dialog box, select the MAC Based Forwarding check box, and then click OK.
4.
Example
enable ns mode MAC
1. In the left navigation pane, expand Load Balancing, and then click Virtual Servers.
2.
3.
4.
5.
Example
set lb vserver Vserver-LB-1 -lbMethod SourceIPDestIPHash -m MAC -sessionless enabled
1. In the navigation pane, expand Load Balancing, and then click Services.
2. On the Services page, select the service, Service-ANY-1, and then click Open.
3. On the Advanced tab, under Settings, select the Use Source IP check box.
4. Click OK.
5.
To set a service to use source IP address using the NetScaler command line
Example
set service Service-ANY-1 -usip yes
Note: For USIP to function correctly, you must set it globally. For more
information about configuring USIP globally, see the Citrix NetScaler
Networking Guide, Chapter 1, IP Addressing.
When a metric bound to the monitor is present in the local and custom
metric tables, add the local prefix to the metric name if the metric is chosen
from the local metric table. If the metric is chosen from the custom table, no
prefix needs to be added.
If the metric table is modified (for example, if the OID for the metric is
changed), the change is reflected in the monitoring table. SNMP queries
originating from the monitor then use the new OID.
Load monitors cannot decide the state of the service. Therefore, setting a
weight on the load monitors is inappropriate.
If multiple load monitors are bound to a service, then the load on the service
is the sum of all the values on the load monitors bound to it. For load
balancing to work properly, you must bind the same set of monitors to all
the services.
If you disable a load monitor bound to the service, and if the service is
bound to a vserver, then the vserver goes to round robin.
If you disable a metric-based binding, and if this is the last active metric,
then the specific vserver goes to round robin. A metric is disabled by setting
the metric threshold to zero.
When a metric bound to a monitor crosses the threshold value, that particular
service is not considered for load balancing. If all the services have reached
the threshold, the vserver goes into round robin and a 5xx server busy error
message is received.
All the services that are bound to a vserver where the LB method is
CUSTOMLOAD must have load monitors bound to them.
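The rules listed above (load is the sum of the bound load monitors, a threshold of zero disables a metric, a service that has reached a threshold drops out of selection, round robin when every service has) fit together into one small selection routine. The following Python is an added example, not code from this guide or from the NetScaler product, that implements those rules and the binding check the last item calls for. The function names, the service and monitor values, and the reading of "crosses the threshold" as "value greater than or equal to threshold" are my assumptions.

```python
ROUND_ROBIN = "ROUNDROBIN"
CUSTOM_LOAD = "CUSTOMLOAD"


def service_load(metric_values):
    """Load of a service: the sum of the values of all load monitors bound to it."""
    return sum(metric_values)


def metric_disabled(threshold):
    """A threshold of zero disables the metric; it can no longer exclude a service."""
    return threshold == 0


def metric_at_threshold(value, threshold):
    """Assumption made here: 'crosses the threshold' means value >= threshold."""
    return not metric_disabled(threshold) and value >= threshold


def validate_customload_bindings(bindings):
    """bindings: dict service -> set of load monitor names bound to it.

    Returns a list of problems: a service with no load monitor, or services
    whose monitor sets differ (the guide requires the same set on every service).
    """
    problems = []
    for service, monitors in bindings.items():
        if not monitors:
            problems.append(f"{service}: no load monitor bound (required for CUSTOMLOAD)")
    distinct = {frozenset(m) for m in bindings.values() if m}
    if len(distinct) > 1:
        problems.append("services do not share the same set of load monitors")
    return problems


def eligible_services(services):
    """services: dict service -> list of (metric_value, threshold), one per bound monitor.

    A service drops out as soon as any of its metrics has reached its
    threshold; disabled metrics (threshold 0) never exclude it.
    """
    return [name for name, metrics in services.items()
            if not any(metric_at_threshold(v, t) for v, t in metrics)]


def choose_service(services, rr_state):
    """Select a service for one request and report which method was used.

    CUSTOMLOAD: the least-loaded eligible service (ties broken by name).
    When every service has reached a threshold the vserver falls back to round
    robin over all services; the guide notes a 5xx server busy error is then
    received, so a caller can treat ROUND_ROBIN here as an alarm condition.
    rr_state: dict with key 'next', mutated to carry the round-robin position.
    """
    eligible = eligible_services(services)
    if not eligible:
        names = sorted(services)
        pick = names[rr_state["next"] % len(names)]
        rr_state["next"] += 1
        return pick, ROUND_ROBIN
    pick = min(eligible, key=lambda n: (service_load(v for v, _ in services[n]), n))
    return pick, CUSTOM_LOAD


if __name__ == "__main__":
    # Constructed sample: two load monitors per service, threshold 100 on each.
    sample = {
        "Service-HTTP-1": [(30, 100), (20, 100)],
        "Service-HTTP-2": [(10, 100), (5, 100)],
        "Service-HTTP-3": [(120, 100), (0, 100)],   # first metric at threshold
    }
    print(choose_service(sample, {"next": 0}))
```

In the sample, Service-HTTP-3 is excluded because one of its metrics has reached its threshold, and Service-HTTP-2 wins with a summed load of 15 against 50.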
CHAPTER 2
Content Switching
This chapter describes the content switching (CS) feature of a Citrix NetScaler.
Content switching allows a NetScaler to distribute client requests across multiple
servers based on content that the client is requesting. This chapter lists the basic
and a few advanced settings that you can configure on a NetScaler.
In This Chapter
How Content Switching Works
Configuring Basic Content Switching
Modifying the Basic Content Switching Configuration
Customizing a Content Switching Setup
Protecting the Content Switching Setup against Failure
Managing Client Connections
Device Type. The NetScaler examines the user agent or custom HTTP
header in the client request for the type of device from which the request is
originated. Based on the device type, it directs the request to a specific Web
server. For example, if the request came from a cell phone, the request is
directed to a server that is capable of serving content that the user can view
on his or her cell phone. A request from a computer is directed to a different
server that is capable of serving content that a computer user can view.
HTTP Method. The NetScaler examines the HTTP header for the method
used, and sends the client request to the right server. For example, GET
requests for images can be directed to an image server, while POST
requests can be directed to a faster server that handles dynamic content.
Chapter 2
Content Switching
275
Content switching is only applicable to HTTP, HTTPS, and TCP transactions. For
HTTPS transactions, you must enable SSL Offload.
When a request reaches the content switching vserver, it applies the associated
content switching policies to that request. The content switching vserver routes
the request to the load balancing vserver. The load balancing vserver sends it to
the service. When binding a policy to the content switching vserver, you assign a
priority to it, at minimum. The priority of the policy defines the order in which
the policy is evaluated.
Content switching vservers can only send requests to other vservers. If you are
using an external load balancer, you must create a load balancing vserver for it,
and bind its vserver as a service to the content switching vserver.
Content switching is handled between virtual servers. You create a virtual server,
the content switching virtual server (CS vserver), which routes client requests to
LB vservers.
Note: In addition to configuring policy priorities, you can manipulate the order
of policy evaluation by using Goto expressions and policy bank invocations. For
more details about advanced policy configuration, see the Citrix NetScaler Policy
Configuration and Reference Guide, Chapter 2, Configuring Advanced
Policies.
276
Entity type   Name             IP address      Port   Protocol
Vserver       Vserver-CS-1     10.102.29.161   80     HTTP
              Vserver-LB-1     10.102.29.60    80     HTTP
Services      Service-HTTP-1   10.102.29.5     8083   HTTP
              Service-HTTP-2   10.102.29.6     80     HTTP
Monitors      Default          None            None   None
The following diagram shows the content switching sample values and
mandatory parameters that are described in the preceding table.
1.
2. In the details pane, under the Modes and Features group, click Change basic features.
3. In the Configure Basic Features dialog box, select the Content Switching check box, and then click OK.
4.
Example
enable feature cs
Parameter                Specifies
Name (vServerName)
IP address (ipAddress)
Port (port)
Protocol (protocol)
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2.
3.
4. In the Protocol list, select the type of the vserver (for example, HTTP).
5.
Example
add cs vserver Vserver-CS-1 HTTP 10.102.29.161 80
Create services
Parameter                  Specifies
Policy Name (PolicyName)
URL or Rule (URLValue)
1. In the navigation pane, expand Content Switching, and then click Policies.
2.
3. In the Create Content Switching Policy dialog box, in the Name text box, type the name of the policy (for example, Policy-CS-1), and then click URL.
4. In the Value text box, type the string value (for example, /sports).
5. Click Create and click Close. The policy you created appears in the Content Switching Policies page.
Example
add cs policy Policy-CS-1 -url /sports/*
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, double-click the vserver for which you want to bind the policy (for example, Vserver-CS-1).
3.
4. In the Target column next to the policy, select the load balancing vserver that you want to configure for the content switching vserver (for example, Vserver-LB-1).
5. Click OK.
Example
bind cs vserver Vserver-CS-1 Vserver-LB-1 -policyname Policy-CS-1 -priority 20
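The binding above ties together the pieces this chapter has introduced so far: a CS vserver evaluates its bound policies in priority order, the first matching URL policy names the LB vserver, and the LB vserver in turn hands the request to one of its services. The following Python is an added example, not code from this guide or from the NetScaler product, that models that request path with the guide's Vserver-CS-1, Policy-CS-1 (/sports/*, priority 20) and Vserver-LB-1. Vserver-LB-2, Policy-CS-2 and the service names behind the LB vservers are constructed for the example, lower priority numbers are taken to be evaluated first, the URL pattern is matched with shell-style globbing against the request path, and an unmatched request with no default LB vserver is reported as dropped; all of those are my assumptions.

```python
import fnmatch
from itertools import cycle


class LBVserver:
    """Load balancing vserver: hands requests to its services round robin."""

    def __init__(self, name, services):
        self.name = name
        self._next = cycle(services)

    def route(self):
        return next(self._next)


class CSVserver:
    """Content switching vserver: policies evaluated in priority order, lowest number first."""

    def __init__(self, name, default_lb=None):
        self.name = name
        self.default_lb = default_lb   # used when no policy matches (optional)
        self._bindings = []            # (priority, policy_name, url_pattern, LBVserver)

    def bind(self, policy_name, url_pattern, target, priority):
        # Models: bind cs vserver <cs> <lb> -policyname <policy> -priority <n>
        if any(p == priority for p, _, _, _ in self._bindings):
            raise ValueError(f"priority {priority} already used on {self.name}")
        self._bindings.append((priority, policy_name, url_pattern, target))
        self._bindings.sort(key=lambda b: b[0])

    def select(self, url):
        """Return (policy_name, LBVserver) for the first matching policy, else (None, default)."""
        path = url.split("?", 1)[0]   # the URL policy is matched on the path only
        for _, policy_name, url_pattern, target in self._bindings:
            if fnmatch.fnmatchcase(path, url_pattern):
                return policy_name, target
        return None, self.default_lb


def dispatch(cs_vserver, url):
    """Full path of one request: CS policy -> LB vserver -> service.

    Returns (policy_name, lb_vserver_name, service_name).  A request that no
    policy matches and that has no default LB vserver is reported as DROPPED.
    """
    policy_name, lb = cs_vserver.select(url)
    if lb is None:
        return None, None, "DROPPED"
    return policy_name, lb.name, lb.route()


def build_sample():
    """Constructed setup: the guide's Vserver-CS-1, Policy-CS-1 and Vserver-LB-1,
    plus a second LB vserver reached by a more specific policy at a higher priority."""
    lb1 = LBVserver("Vserver-LB-1", ["Service-HTTP-1", "Service-HTTP-2"])
    lb2 = LBVserver("Vserver-LB-2", ["Service-HTTP-3"])
    cs = CSVserver("Vserver-CS-1")
    cs.bind("Policy-CS-1", "/sports/*", lb1, priority=20)
    cs.bind("Policy-CS-2", "/sports/live/*", lb2, priority=10)
    return cs


if __name__ == "__main__":
    cs = build_sample()
    for url in ("/sports/scores?day=1", "/sports/scores", "/sports/live/match", "/news/today"):
        print(url, "->", dispatch(cs, url))
```

Note that the CLI example uses /sports/* while the dialog box example types /sports: with a glob pattern the trailing /* only matches paths below /sports/, so a request for exactly /sports falls through to the next policy or to the default.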
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, click a virtual server to see the configuration details at the bottom of this page.
3. Double-click the virtual server and click the Policies tab to see the policies that are bound to it.
To list basic properties for all virtual servers, at the NetScaler command prompt,
type:
show cs vserver
To list detailed properties for all virtual servers, including policy bindings, at the
NetScaler command prompt, type:
show cs vserver csVirtualServerName
Example
show cs vserver Vserver-CS-1
1. In the navigation pane, expand Content Switching, and then click Policies.
2.
Note: To view the policy labels and virtual servers that this policy is bound to, on the Content Switching Policies page, click Show Bindings.
To list all content switching policies, at the NetScaler command prompt, type:
show cs policy
To view the bindings for particular policies, at the NetScaler command prompt,
type:
show cs policy PolicyName
Example
show cs policy Policy-CS-1
1. In the navigation pane, expand Content Switching and then click Virtual Servers.
2. In the details pane, select the vserver that you want to view, and then click Visualizer.
3. In the Content Switching Visualizer window, you can adjust the viewable area as follows:
   Click the Zoom In and Zoom Out icons to increase or decrease the viewable area.
   Click the Save Image icon to save the graph as an image file.
   In the Search in text field, type the name of the item you are looking for to highlight its location on the visualizer. To restrict the search, click the drop-down menu and select the type of element that you want to search.
4. To view configuration details for entities that are bound to this vserver, you can do the following:
   To view the configuration details for a monitor, click the icon for the monitor, click the Related Tasks tab, and then click View Monitor.
5.
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to bind the service (for example, Vserver-CS-1), and click Open.
3.
4. Click OK.
Example
unbind cs vserver Vserver-CS-1 -policyname Policy-CS-1
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver that you want to remove (for example, Vserver-CS-1), and then click Remove.
3.
Example
rm cs vserver Vserver-CS-1
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver that you want to disable (for example, Vserver-CS-1), and then click Disable.
3.
Example
disable cs vserver Vserver-CS-1
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver that you want to enable (for example, Vserver-CS-1), and then click Enable.
3.
Parameter     Specifies
URL
Rule
Domain
You can create different policies based on the URL. URL-based policies can be of different types as described in the following table.
Example of URL-Based Policies
Type of URL-based policy     Specifies
Domain Only
Exact URL
1. In the navigation pane, expand Content Switching, and then click Policies.
2. In the details pane, select the policy that you want to modify (for example, Policy-CS-1), and then click Open.
3.
4. Click OK.
To modify the URL of a URL-based policy using the NetScaler command line
Example
set cs policy Policy-CS-1 -domain www.domainxyz.com
Note: You can configure content switching using classical policy expressions or advanced policy expressions. Rule-based policies use these policy expressions. For more information about configuring policy expressions, see the Citrix NetScaler Policy Configuration and Reference Guide.
1. In the navigation pane, expand Content Switching, and then click Policies.
2. In the details pane, select the policy that you want to remove (for example, Policy-CS-1), and then click Remove.
3.
Example
rm cs policy Policy-CS-1
Parameter     Specifies
Case Sensitive
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to bind the service (for example, Vserver-CS-1), and then click Open.
3.
Example
set cs vserver Vserver-CS-1 -caseSensitive ON
2.
3.
4.
5. Domain only
6. Exact URL
7.
8. Suffix only
9. Prefix only
10. Default
If you configure precedence based on URL, the request URL is compared to the
configured URLs. If none of the configured URLs match the request URL, then
rule-based policies are checked. If the request URL does not match any
rule-based policies, or if the content group selected for the request is down, then
the request is processed as follows:
If you configure a default group for the content switching vserver, then the
request is forwarded to the default group.
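The selection order just described, as an added example that is not code from the NetScaler guide: a simplified model of a content switching vserver with Precedence set to URL, using the guide's URL-based policy types (domain only, exact URL, suffix only, prefix only, default) and falling back to rule-based policies and then the default group. Vserver names, hostnames and paths are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class UrlPolicy:
    kind: str      # "domain", "exact", "suffix" or "prefix" (the guide's URL-based types)
    value: str     # domain name, exact path, file extension, or path prefix
    target: str    # load balancing vserver bound as the policy's target


@dataclass
class RulePolicy:
    rule: Callable[[Dict[str, str]], bool]   # evaluated on the request headers
    target: str


# URL-based types are tried from most to least specific, as in the guide's list.
URL_ORDER = ("domain", "exact", "suffix", "prefix")


def url_policy_matches(policy: UrlPolicy, host: str, path: str) -> bool:
    """Match one URL-based policy against the request host and path."""
    if policy.kind == "domain":
        return host.lower() == policy.value.lower()
    if policy.kind == "exact":
        return path == policy.value
    if policy.kind == "suffix":
        return path.endswith("." + policy.value.lstrip("."))
    if policy.kind == "prefix":
        return path.startswith(policy.value)
    raise ValueError(f"unknown URL-based policy type {policy.kind!r}")


def select_target(url: str, headers: Dict[str, str],
                  url_policies: List[UrlPolicy], rule_policies: List[RulePolicy],
                  default_group: Optional[str], up: Dict[str, bool]) -> Optional[str]:
    """Return the vserver that receives the request under URL precedence.

    Policies of one type are tried in the order given (their bound priority).
    Returns the default group when nothing matches or the selected target is
    down, and None when no default group exists either (backup vservers and
    redirect URLs are covered later in the guide)."""
    parts = urlsplit(url)
    host = parts.hostname or headers.get("Host", "")
    path = parts.path or "/"
    chosen = None
    for kind in URL_ORDER:                       # 1. URL-based policies first
        for policy in url_policies:
            if policy.kind == kind and url_policy_matches(policy, host, path):
                chosen = policy.target
                break
        if chosen is not None:
            break
    if chosen is None:                           # 2. then rule-based policies
        for policy in rule_policies:
            if policy.rule(headers):
                chosen = policy.target
                break
    if chosen is None or not up.get(chosen, False):   # 3. fall back to default group
        return default_group
    return chosen


# Constructed sample configuration (names follow the guide's examples).
URL_POLICIES = [
    UrlPolicy("prefix", "/sports", "Vserver-LB-1"),          # like: add cs policy ... -url /sports/*
    UrlPolicy("suffix", "jpg", "Vserver-LB-Images"),
    UrlPolicy("domain", "www.domainxyz.com", "Vserver-LB-Domain"),
]
RULE_POLICIES = [
    RulePolicy(lambda h: h.get("Accept-Language", "").startswith("fr"), "Vserver-LB-FR"),
]
UP = {"Vserver-LB-1": True, "Vserver-LB-Images": False,
      "Vserver-LB-Domain": True, "Vserver-LB-FR": True}


if __name__ == "__main__":
    for url, hdrs in [("http://example.test/sports/news", {}),
                      ("http://example.test/sports/pic.jpg", {}),
                      ("http://www.domainxyz.com/news", {}),
                      ("http://example.test/news", {"Accept-Language": "fr-FR"}),
                      ("http://example.test/news", {})]:
        print(url, "->", select_target(url, hdrs, URL_POLICIES, RULE_POLICIES,
                                       "Vserver-LB-Default", UP))
```

The second request shows the interaction the guide describes: the suffix policy wins over the prefix policy, but its target is down, so the request goes to the default group.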
Note: Set URL-based precedence if the content type, for example images, is the same for all clients. However, if different types of content must be served based on client attributes, such as Accept-Language, you must use rule-based precedence.
Note: Rule-based precedence can be set on any of several client attributes, for example the type of browser, when different content must be served to those clients while all other clients are served from the content distributed among the servers.
You can configure both URL-based policies and rule-based policies for the same content switching vserver. To set precedence, use the parameter described in the following table.
Precedence Parameter
Parameter     Specifies
Precedence
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to bind the service (for example, Vserver-CS-1), and then click Open.
3.
Example
set cs vserver Vserver-CS-1 -Precedence [Rule | URL]
Redirect URLs can be absolute URLs or relative URLs. If the configured redirect
URL contains an absolute URL, the HTTP redirect is sent to the configured
location, regardless of the URL specified in the incoming HTTP request. If the
configured redirect URL contains only the domain name (relative URL), the
HTTP redirect is sent to a location after appending the incoming URL to the
domain configured in the redirect URL.
Note: If a content switching vserver is configured with both a backup vserver
and a redirect URL, the backup vserver takes precedence over the redirect URL.
A redirect URL is used when the primary and backup vservers are down.
To configure a vserver to redirect client requests to a URL, use the Redirect URL
parameter as described in the following table.
Redirect URL Parameter
Parameter     Specifies
Redirect URL
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to bind the service (for example, Vserver-CS-1), and then click Open.
3.
4. Click OK.
Parameter                   Specifies
Name (backupVserverName)
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to bind the service (for example, Vserver-CS-1), and then click Open.
3.
4. In the Backup Virtual Server list, select the backup vserver (for example, Vserver-CS-2).
5. If you want to configure the backup server to remain as the primary server after the primary vserver is brought back up, select the Disable Primary When Down check box.
6. Click OK.
Example
set cs vserver Vserver-CS-1 -backupVserver Vserver-CS-2 -disablePrimaryOnDown
If the backup content switching vservers reach the configured threshold and are
unable to take the load, the primary content switching vserver diverts all requests
to the redirect URL. If a redirect URL is not configured on the primary content
switching vserver, subsequent requests are dropped. To configure spillover, use
the parameters described in the following table.
Spillover Parameters
Parameter                                       Specifies
Method (MethodType)
Threshold (ThresholdValue)
Persistence (PersistenceValue)
Persistence Time-out (minutes) (TimeoutValue)   This value sets the timeout for spillover persistence. The default value is 2 minutes. The minimum value is 2 minutes, and the maximum value is 1440 minutes.
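The fallback order described in the Redirect URL and spillover sections, as an added example that is not code from the NetScaler guide: a model of how a content switching vserver picks between forwarding to the primary, forwarding to the backup, redirecting, or dropping, with the guide's rules that an absolute redirect URL is used as configured while a domain-only value gets the incoming URL appended, that the backup vserver takes precedence over the redirect URL, and that requests spill over once the connection threshold is reached. Names, addresses and connection counts are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


def redirect_location(redirect_url: str, incoming_url: str) -> str:
    """Build the Location of the HTTP redirect from the configured Redirect URL.

    An absolute redirect URL (scheme, host and a path) is used as configured,
    whatever the client asked for. A value that carries only the domain name
    gets the incoming request URL (path and query) appended."""
    absolute = "://" in redirect_url
    parts = urlsplit(redirect_url if absolute else "http://" + redirect_url)
    if absolute and parts.path not in ("", "/"):
        return redirect_url
    return f"{parts.scheme}://{parts.netloc}{incoming_url}"


@dataclass
class CsVserver:
    name: str
    up: bool
    connections: int = 0                  # current client connections
    so_threshold: Optional[int] = None    # -soThreshold when -soMethod is Connection
    backup: Optional["CsVserver"] = None  # -backupVserver
    redirect_url: Optional[str] = None    # -redirectURL

    def can_accept(self) -> bool:
        """Up and below its spillover threshold (no threshold means no spillover)."""
        return self.up and (self.so_threshold is None or self.connections < self.so_threshold)


def route(primary: CsVserver, incoming_url: str) -> Tuple[str, Optional[str]]:
    """Decide the fate of one request: ("forward", vserver), ("redirect", location) or ("drop", None)."""
    if primary.can_accept():
        return "forward", primary.name
    # Primary is down or has spilled over: the backup vserver takes precedence over the redirect URL.
    if primary.backup is not None and primary.backup.can_accept():
        return "forward", primary.backup.name
    # Neither primary nor backup can take the request: redirect if a URL is configured, otherwise drop.
    if primary.redirect_url:
        return "redirect", redirect_location(primary.redirect_url, incoming_url)
    return "drop", None


def sample_setup(primary_conns: int, backup_conns: int, redirect: Optional[str]) -> CsVserver:
    """Constructed configuration mirroring the guide's examples (names and threshold from the page)."""
    backup = CsVserver("Vserver-CS-2", up=True, connections=backup_conns, so_threshold=1000)
    return CsVserver("Vserver-CS-1", up=True, connections=primary_conns,
                     so_threshold=1000, backup=backup, redirect_url=redirect)


if __name__ == "__main__":
    print(route(sample_setup(10, 0, None), "/sports/news"))
    print(route(sample_setup(1000, 5, None), "/sports/news"))
    print(route(sample_setup(1000, 1000, "www.newdomain.com"), "/sports/news"))
    print(route(sample_setup(1000, 1000, None), "/sports/news"))
```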
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to bind the service (for example, Vserver-CS-1), and then click Open.
3.
4. Select the Persistence check box and in Persistence Time-out (min) text box, type the timeout value (for example, 2).
5. Click OK.
Example
set cs vserver Vserver-CS-1 -soMethod Connection -soThreshold 1000 -soPersistence enabled -soPersistenceTimeout 2
Parameter     Specifies
Cacheable
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to bind the service (for example, Vserver-CS-1), and then click Open.
3.
4. Click OK.
Example
set cs vserver Vserver-CS-1 -cacheable yes
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to bind the service (for example, Vserver-CS-1), and then click Open.
3.
To set down state flush on a vserver using the NetScaler command line
Example
set cs vserver Vserver-CS-1 -downStateFlush enabled
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to bind the service (for example, Vserver-CS-1), and then click Open.
3.
Example
set cs vserver Vserver-CS-1 -redirectPortRewrite enabled
This option is not supported for wildcard vservers or dummy vservers. If the
primary content switching vserver is down and the backup content switching
vserver is up, the configuration settings of the backup content switching vserver
are added to the client requests. If you want the same header tag to be added
regardless of whether the requests are from the primary content switching vserver
or backup content switching vserver, then you must configure the required header
tag on both vservers.
To configure a vserver to add the IP address and port to the client requests, use the
Vserver IP Port Insertion parameter as described in the following table.
Vserver IP Port Insertion Parameter
Parameter                   Specifies
Vserver IP Port Insertion
To insert the IP address and port of the vserver in the client requests using
the configuration utility
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to bind the service (for example, Vserver-CS-1), and then click Open.
3.
4. In the text box next to Vserver IP Port Insertion box, type the port header.
5. Click OK.
To insert the IP address and port of the vserver in the client requests using
the NetScaler command line
Example
set cs vserver Vserver-CS-1 -insertVserverIPPort VipAddr
To set a time-out value for idle client connections using the configuration
utility
1. In the navigation pane, expand Content Switching, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to bind the service (for example, Vserver-CS-1), and then click Open.
3.
4. Click OK.
To set a timeout value for idle client connections using the NetScaler
command line
Example
set cs vserver Vserver-CS-1 -cltTimeout 100
CHAPTER 3
For the server push technology, you can use the NetScaler Web 2.0 Push feature
to offload the long-lived TCP connections to the NetScaler and reduce the
number of persistent client connections on the server. With the NetScaler Web 2.0
Push feature, the NetScaler multiplexes and manages the exchange of data (server
push) reliably, securely, and in a scalable manner. For every HTTP, HTTPS, or
SSL transaction, the NetScaler can de-link and rebalance the server farm to
distribute client requests across multiple servers.
Note: NetScaler Web 2.0 Push is not supported in NetScaler 9.1 nCore.
To configure NetScaler Web 2.0 Push, you need to create the push virtual server
and associate it with the load balancing or content switching virtual server. A
push virtual server enables the NetScaler to manage server-side connections.
Servers use the push virtual server to send updates for the deferred responses.
In This Chapter
How NetScaler Web 2.0 Push Works
Understanding the NetScaler Web 2.0 Push Deployment Scenario
Enabling NetScaler Web 2.0 Push
Creating a NetScaler Web 2.0 Push Vserver
Creating a Load Balancing or Content Switching Vserver for NetScaler Web 2.0 Push
Verifying the NetScaler Web 2.0 Push Configuration
Monitoring the Configuration
Setting a Time-out Value for Idle Client Connections
Redirecting Client Requests to an Alternate URL
Application Agnostic. NetScaler Web 2.0 Push can be used for all Web 2.0
applications.
Polling Technique
However, the polling technique can overload the server if the client polls it frequently. For example, if you deploy the AJAX application on a Web server with low resources and a million users simultaneously poll the server for updates, the network can become saturated and server performance degrades significantly. Also, when the server has no update, the client requests still load the server only to receive an empty response.
To overcome the preceding drawbacks, server push technology uses the long polling technique. Long polling enables the client application to open a persistent connection to the server and wait for the server to push updates when they are available, as shown in the following diagram.
The third technique, called HTTP streaming, is identical to the long polling technique except that the connection is not closed after the server pushes the updates, as shown in the following diagram.
To overcome the drawbacks of the above techniques and improve server performance, the NetScaler Web 2.0 Push feature enables the server to provide a label for a client connection, and then identify and send data over the labeled connection after an interval of time. Any client request at the NetScaler virtual IP address (VIP) is forwarded to the server. Web servers use the connection labeling protocol to generate a label and send the label to the NetScaler (called the deferrable response). The NetScaler uses the label to push the messages (updates) to the push vserver and responses are sent on the corresponding client connection.
If the AJAX application uses the HTTP streaming technique, the NetScaler uses the label to push the chunks of updates to the client as shown in the following diagram.
If the AJAX application uses the long polling technique, the NetScaler uses the label to push the updates to the client as shown in the following diagram.
Step 3 - Connection Labeling. When the NetScaler receives any request with push enabled, it initiates the labeling protocol with the Web server. The protocol enables the Web server to label the connection and defer the response. The protocol also enables the server to process other requests without invoking push processing.
Step 4 - Server Push. The Web servers (referred to as notification servers) send updates to clients through the NetScaler. The server uses the previously established connection label and sends updates at a later time. Servers can choose to push multiple updates over a single TCP connection or open one connection per update.
Note: The set of Web servers that manage requests from the NetScaler can be different from the notification servers (referred to as Updater in the preceding diagram) that push updates to the client.
NetScaler Web 2.0 Push enables the NetScaler to manage the idle client
connections and offload the server from maintaining a large number of concurrent
connections.
Important: For the NetScaler Web 2.0 Push feature to work correctly, you
must configure the NetScaler as a proxy for the traffic between the client and
servers. Additionally, you can use multiple NetScalers for the server farm to scale
up the connection management.
For more information on the entity model, protocols, and how they work, read the
following sections.
The NetScaler Web 2.0 Push setup includes the following entities: push vservers, load balancing or content switching vservers, and services. The NetScaler uses the load balancing or content switching criteria and directs incoming client requests to the service. Then, the NetScaler uses a push vserver to connect to the server, and the server pushes the asynchronous messages to the connected push vserver. A typical NetScaler Web 2.0 Push setup for the application traffic consists of the entities displayed in the following diagram.
Push vserver. A load balancing vserver with service type PUSH or SSL_PUSH. The NetScaler uses the push vserver to expose the Message Push Protocol to the Web servers. The server uses the protocol to push asynchronous messages to connected clients. A push vserver exposes a simple REST interface for posting updates.
Transaction state machine for managing NetScaler Web 2.0 Push connections
As shown in the preceding diagram, the transaction state machine has the
following states.
2. When the NetScaler receives a request, it forwards the request to the server, and the transaction moves to state R.
3.
The push vserver can manage long-polling and streaming responses from the
server. Each update that the server sends to the push vserver has a flag (with the
query parameters) that indicates if there are updates from the server. When the
flag indicates that the updates from the server are unavailable, the NetScaler
performs the following functions:
1. If the client uses HTTP 1.1, the NetScaler sends the zero-chunk at the end of the response to the client.
2. If the client uses HTTP 1.0, the NetScaler sends the finished or terminated response to client.
3.
The protocols used to identify the client and the server connections provide the
basic functionality of the NetScaler Web 2.0 Push feature.
Connection Labeling Protocol. The protocol used between the server and
the NetScaler to label the client connection. After a label is negotiated, the
Web servers refer to the label and send the push messages (updates) to the
client.
1. When the NetScaler forwards the request to the server, it uses the X-NS-PUSHVSERVER header to send the IP address and port information of the push vserver to the server.
2. The server either responds to this request with an HTTP response or may defer the response. If the server defers the response, it labels the connection. To label the connection, the server sends the X-NS-DEFERRABLE header. This header indicates that the response is deferred.
3.
4. The label is set up on the NetScaler when this response is received from the server. Using the label, the NetScaler sends the push messages (updates) to the push vserver and responses are sent on the corresponding client connection.
Note: For any update from the Web server, the NetScaler does not support
Rewrite and Compression.
When a server receives a request that is deferrable, it sends an HTTP 200 OK response with the X-NS-DEFERRABLE header, which indicates to the NetScaler that the Push feature should be applied to the request. The NetScaler removes the X-NS-DEFERRABLE header, sends the remaining headers to the client, and waits for updates.
A typical response with the required headers to initiate NetScaler Web 2.0 Push is
as follows:
Server Response Header
HTTP/1.0 200 OK
Server: TinyHTTPProxy/0.2.1 Python/2.5.1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: application/x-amr
Connection: Closed
X-NS-DEFERRABLE: YES
NSSERVERLABEL: 16318370962850900588694
Content-Length: 0
When the NetScaler receives the deferred response from the server, it sends the
response to the client as a single HTTP chunk and sends a 200 OK response with
the XML information to the server. If the message is marked as the last message
of the response, the NetScaler also closes the HTTP response on the server.
Note: If the NetScaler is aware of the content length, it may send the response
specifying the Content-Length, instead of chunked. This enables the NetScaler to
manage both HTTP streaming and long-polling responses.
The server uses the following responses to initiate NetScaler Web 2.0 Push.
POST /CLIENT/V10/<id>?MSG_END=<val>
PUT /CLIENT/V10/<id>?MSG_END=<val>
Where:
MSG_END=1 if the response is complete or is the last update for the request.
A typical post request header with complete update (MSG_END=1) to the push
vserver on NetScaler is as follows:
Post Request Header
POST /CLIENT/V10/16318370962850900588694?MSG_END=1 HTTP/1.1
Host: 10.217.6.64
Accept-Encoding: identity
Content-Length: 722
<722 bytes of update data>
The server uses the following request to inform the NetScaler to close the
outstanding labeled client connection.
The server polls the NetScaler on the push vserver using the following request.
GET /CLIENTINFO/V10
If there are any GoneAway clients (client connections that are timed out), the
NetScaler sends the following response:
Get Response Header
GET /CLIENTINFO/V10 HTTP/1.1
Host: 10.217.6.64
Accept-Encoding: identity
The response from the push vserver is an XML document. A typical response to
PUT/POST/DELETE is as follows:
Push Vserver Response to PUT/POST/DELETE Request
HTTP/1.1 200 OK
Content-Type: text/xml; charset="UTF-8"
Content-Length: 121
<?xml version="1.0" encoding="UTF-8"?><CLIENTINFO>
<CLIENT ID="16318370962850900588694" INFO="SUCCESS" />
<CLIENT ID="16318370962850937637753" INFO="FAILURE" />
</CLIENTINFO>
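The exchange described above, as an added example that is not code from the NetScaler guide: it recognizes a deferrable server response, strips X-NS-DEFERRABLE before the headers are forwarded to the client (the guide states only that this header is removed, so NSSERVERLABEL is left as-is), keeps the NSSERVERLABEL value as the connection label, builds the server's POST to the push vserver, and parses the CLIENTINFO reply. The sample messages are constructed from the guide's examples; 10.217.6.64 is the push vserver address those examples use.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]


def parse_message_head(raw: str) -> Tuple[str, List[Header]]:
    """Split an HTTP message head into its start line and ordered header list."""
    lines = [l.rstrip("\r") for l in raw.strip("\r\n").split("\n")]
    headers: List[Header] = []
    for line in lines[1:]:
        if not line.strip():
            break                                   # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0].strip(), headers


def header(headers: List[Header], name: str) -> Optional[str]:
    """Case-insensitive lookup of the first header with the given name."""
    return next((v for n, v in headers if n.upper() == name.upper()), None)


def classify_server_response(raw: str) -> Tuple[Optional[str], List[Header]]:
    """Return (connection label, headers to forward to the client).

    The response is deferrable only when X-NS-DEFERRABLE is YES and a
    NSSERVERLABEL is present; then X-NS-DEFERRABLE is dropped before the
    headers go to the client. Otherwise the label is None and the headers
    pass through unchanged."""
    _, headers = parse_message_head(raw)
    deferrable = (header(headers, "X-NS-DEFERRABLE") or "").upper() == "YES"
    label = header(headers, "NSSERVERLABEL")
    if not deferrable or label is None:
        return None, headers
    return label, [(n, v) for n, v in headers if n.upper() != "X-NS-DEFERRABLE"]


def build_push_request(push_vip: str, label: str, body: bytes,
                       last: bool = True, method: str = "POST") -> bytes:
    """Build the update the server sends to the push vserver for one label."""
    if method not in ("POST", "PUT"):
        raise ValueError("updates are sent with POST or PUT")
    if not label.isdigit():
        raise ValueError("the label must be the numeric NSSERVERLABEL value")
    head = (f"{method} /CLIENT/V10/{label}?MSG_END={1 if last else 0} HTTP/1.1\r\n"
            f"Host: {push_vip}\r\nAccept-Encoding: identity\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


def parse_clientinfo(xml_text: str) -> Dict[str, str]:
    """Map each CLIENT ID to its INFO (SUCCESS/FAILURE) from a CLIENTINFO reply."""
    root = ET.fromstring(xml_text)      # stdlib parser; external entities are not resolved
    if root.tag != "CLIENTINFO":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {c.get("ID", ""): c.get("INFO", "") for c in root.findall("CLIENT")}


# Constructed sample messages, built from the guide's examples above.
SERVER_RESPONSE = """HTTP/1.0 200 OK
Server: TinyHTTPProxy/0.2.1 Python/2.5.1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: application/x-amr
Connection: Closed
X-NS-DEFERRABLE: YES
NSSERVERLABEL: 16318370962850900588694
Content-Length: 0
"""

PUSH_VSERVER_REPLY = """<?xml version="1.0" encoding="UTF-8"?><CLIENTINFO>
<CLIENT ID="16318370962850900588694" INFO="SUCCESS" />
<CLIENT ID="16318370962850937637753" INFO="FAILURE" />
</CLIENTINFO>"""

PUSH_VIP = "10.217.6.64"   # push vserver address used in the guide's examples


if __name__ == "__main__":
    label, client_headers = classify_server_response(SERVER_RESPONSE)
    print("label:", label)
    print("to client:", client_headers)
    print(build_push_request(PUSH_VIP, label, b"<update data>").decode())
    print(parse_clientinfo(PUSH_VSERVER_REPLY))
```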
               Mandatory Parameters
               Name             IP Address       Port    Protocol
Vserver        Vserver-LB-1     10.102.29.161    80      HTTP
               Vserver-Push-1   10.102.29.162    80      HTTP
Services       Service-HTTP-1   10.216.134.58    80      HTTP
The following diagram shows the sample values and mandatory parameters of the
NetScaler Web 2.0 Push setup that are described in the preceding table.
1.
2. In the details pane, under Modes and Features, click Change advanced features.
3. In the Configure advanced features dialog box, select the Netscaler Push check box, and then click OK.
4.
To enable NetScaler Web 2.0 Push using the NetScaler command line
Parameter                    Specifies
Name (Name)
IP Address (IPAddress)
Service type (ServiceType)
Port (Port)
To create a NetScaler Web 2.0 Push vserver using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2.
3. In the Name, Port, and IP Address text boxes, type a name for the push virtual server, a port, and an IP address (for example, Vserver-Push-1, 80, and 10.102.29.162).
4.
5. Click Create, and then click Close. The push vserver you created appears in the Load Balancing Virtual Servers pane.
To create a NetScaler Web 2.0 Push vserver using the NetScaler command
line
Example
add lb vserver Vserver-Push-1 PUSH 10.102.29.162 80
Parameter                                  Specifies
Push (push)
Push Vserver (pushVserver)
Push Label Rule (pushLabel)
Push Multiple Clients (pushMultiClients)   Specifies whether multiple Web 2.0 connections from the same client can connect to this vserver and expect updates. Possible values: YES, NO. Default value: NO.
Use the following procedure to create a load balancing vserver with push enabled
and configure a push label.
To create a load balancing virtual server for NetScaler Web 2.0 Push using
the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the vserver for which you want to configure push vserver (for example, Vserver-LB-1), and click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, select the Enable Push check box and in the Push Virtual Server list, select the push virtual server (for example, Vserver-Push-1) and click OK.
Note: To create a content switching virtual server for NetScaler Web 2.0 Push
using the configuration utility, in the navigation pane, expand Content
Switching, and then click Virtual Servers. Then, follow the steps as described
previously in the section.
To create a load balancing virtual server for NetScaler Web 2.0 Push using
the NetScaler command line
Example
add lb vserver Vserver-LB-1 HTTP 10.102.29.161 80 -push ENABLED -pushVserver PushVserver1 -pushLabel "HTTP.RES.HEADER(\"NSLABEL\").VALUE(0)" -pushMultiClients YES
Note: You can also associate the load balancing vserver with the push vserver
by using set lb vserver command. To associate the content switching
vserver with the push vserver, use the set cs vserver command.
Description
State
To view the properties of the push vserver using the configuration utility
In the navigation pane, expand Load Balancing, and then click Virtual Servers.
The details of the available vservers appear on the Load Balancing Virtual
Servers page.
To view the properties of the push vserver using the NetScaler command
line
Example
show lb vserver Vserver-Push-1
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the details pane, select the vserver whose statistics you want to view (for example, Vserver-Push-1).
3.
To view the statistics of a push vserver using the NetScaler command line
Example
stat lb vserver Vserver-Push-1
Parameter                      Specifies
Client Time-out (cltTimeout)
To set a time-out value for idle client connections using the configuration
utility
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the details pane, select the vserver for which you want to configure vserver port insertion (for example, Vserver-Push-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the Advanced tab.
4. In the Client Time-out (secs) text box, type the timeout value (for example, 100).
5. Click OK.
Parameter                    Specifies
Redirect URL (redirectURL)
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, select the push vserver for which you want to configure redirect URL (for example, Vserver-Push-1), and then click Open.
3. On the Advanced tab, in the Redirect URL text box, type the URL (for example, http://www.newdomain.com/mysite/maintenance).
4. Click OK.
Example
set lb vserver Vserver-Push-1 -redirectURL http://www.newdomain.com/mysite/maintenance
To set a time-out value for idle client connections using the NetScaler
command line
Example
set lb vserver Vserver-Push-1 -cltTimeout 100
Note: You can ensure that only authorized servers connect to the push vserver by configuring SSL client authentication on it. For instructions on how to configure SSL for client authentication, see Chapter 5, Secure Sockets Layer (SSL) Acceleration.
CHAPTER 4
HTML Injection
This chapter describes the HTML Injection functionality of the Citrix NetScaler.
It explains what HTML Injection is and how to configure it. It addresses both
basic and advanced configuration procedures.
In This Chapter
How HTML Injection Works
Configuring HTML Injection to Insert Data in the HTTP Header
Configuring HTML Injection to Insert Data into the HTTP Body
Configuring the HTML Injection Feature for Commonly Used Applications
The following diagram illustrates how HTML Injection is used to insert data.
1.
2. In the details pane, under Modes and Features, click Change advanced features.
3. Choose HTML Injection and click OK. Click Yes on the Enable/Disable Feature(s)? confirmation message that appears.
Parameter       Specifies
Action Name
Qualifier       One of: Reset, Add, Corrupt, Forward, ErrorCode, Drop
Value
HTTP Header
The following sample procedure describes the steps to create a filter action,
Action-Filter-1 to insert the system variable %%HTTP.XID%% into the custom
HTTP header X-HTTP-REQ-ID.
To add a filter action using the configuration utility
1.
2.
3. Click Add.
4. In the Create Filter Action dialog box, in the Action Name text box, type the name of the Filter Action (for example, Action-Filter-1).
5.
6. In the HTTP Header text box, type the name of the custom header, followed by a colon, then the system variable that will insert text in the HTTP header (for example, X-HTTP-REQ-ID:%%HTTP.XID%%).
7. Click Create, and then click Close. The filter action Action-Filter-1 that you created now appears in the Filter Actions page.
Parameter         Specifies
Filter Name
Request Action
Response Action
The following sample procedure describes the steps to use the filter action, Action-Filter-1, created in the previous section, to create the filter policy Policy-Filter-1, which inserts the system variable into every successful HTTP response.
To add a filter policy using the configuration utility
1.
2.
3. In the Create Filter Policy dialog box, in the Filter Name text box, type the name of the filter policy (for example, Policy-Filter-1).
4. Click Response Action and in the Response Action list, choose the filter action, Action-Filter-1, to be associated with this policy.
Note: To insert data into the HTTP request header, in step 4, choose Request Action.
5.
Note: The ns_true general expression applies the policy to all successful
responses (200 OK) generated by the NetScaler. However, if you need to filter
specific responses, you can create policies with a higher level of detail. For
information on configuring granular policy expressions, see the Citrix NetScaler
Policy Configuration and Reference Guide.
6. Click OK, and then click Close. The filter policy that you created, Policy-Filter-1, now appears in the Filter Policies page.
1.
2. In the details pane, from the list of virtual servers, select the virtual server to which you want to bind the filter policy (for example, choose Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, select the Policies tab to view the policies configured on the NetScaler.
4.
5. Click OK and click Close. The filter policy Policy-Filter-1 is bound to the virtual server Vserver-LB-1.
Note: You can bind filter policies to virtual servers, or to bind points on the
NetScaler, and also globally. For more information on binding filter policies, see
the Citrix NetScaler Policy Configuration and Reference Guide.
1. In the navigation pane, expand Protection Features, and then click Filter.
2.
3.
4. Select the filter action Action-Filter-1 and in the Details section, verify the qualifier and the value.
1. In the navigation pane, expand Protection Features, and then click Filter.
2. In the details pane, verify that the filter policy Policy-Filter-1 is displayed.
3. Select the filter policy Policy-Filter-1, and in the details pane, verify that the rule ns_true is configured.
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. In the details pane, from the list of virtual servers, select the virtual server to which you want to bind the filter policy (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the Policies tab to view the policies configured on the NetScaler.
4. Verify that the check box corresponding to the filter policy to be bound to the virtual server is selected.
To verify that the filter policies are bound to the load balancing vserver
using the NetScaler command line
At the NetScaler command prompt, type:
show lb vserver Vserver-LB-1
System variable               Type                     JavaScript type / Comment
SYS.IID                       128-bit GUID structure   Windows format GUID
HTTP.XID                      128-bit GUID structure   Windows format GUID
SYS.UPTIME                    32-bit integer           10-digit number
HTTP.REQ.RECEIVE_TIME_BEG     64-bit integer           20-digit number
HTTP.REQ.RECEIVE_TIME_END     64-bit integer           20-digit number
HTTP.REQ.SEND_TIME_BEG        64-bit integer           20-digit number
HTTP.REQ.SEND_TIME_END        64-bit integer           20-digit number
HTTP.RES.RECEIVE_TIME_BEG     64-bit integer           20-digit number
HTTP.RES.RECEIVE_TIME_END     64-bit integer           20-digit number
HTTP.RES.SEND_TIME_BEG        64-bit integer           20-digit number
HTTP.RES.SEND_TIME_END        64-bit integer           20-digit number
Note: The postbody file name can have a maximum of 64 characters and can
have any extension.
The following is a sample postbody file created on the NetScaler that will be used
for postbody injection.
1.
2.
In the details pane, under Settings, click Change HTML Injection global
settings.
3.
In the Configure HTML Injection dialog box, click Browse next to the
Prebody text box. The contents of the /netscaler/htmlinjection/ens directory are displayed by default.
4.
1.
2.
In the details pane, under Settings, click Change HTML Injection global
settings.
3.
In the Configure HTML Injection dialog box, click Browse next to the
Postbody text box. The contents of the /netscaler/htmlinjection/ens directory are displayed by default.
4.
1.
In the navigation pane, expand Protection Features, and then click Filter.
2.
In the details pane, click the Actions tab, and then click Add.
3.
In the Create Filter Action dialog box, in the Action Name text box, type
the name of the filter action (for example, Action-Filter-Prebody).
4.
5.
6.
1.
In the navigation pane, expand Protection Features, and then click Filter.
2.
In the details pane, click the Actions tab, and then click Add.
3.
In the Create Filter Action dialog box, in the Action Name text box, type
the name of the filter action (for example, Action-Filter-Postbody).
4.
5.
6.
1.
In the navigation pane, expand Protection Features, and then click Filter.
2.
3.
In the Create Filter Policy dialog box, in the Filter Name text box, type
Policy-Filter-Prebody.
4.
5.
6.
1.
In the navigation pane, expand Protection Features, and then click Filter.
2.
3.
In the Create Filter Policy dialog box, in the Filter Name text box, type
Policy-Filter-Postbody.
4.
5.
6.
Click OK, then click Close. The new filter policy Policy-Filter-Postbody appears in the Filter Policies page.
1.
2.
In the details pane, from the list of virtual servers, select the virtual server
you want to bind the filter policy to (for example, select Vserver-LB-2),
and then click Open.
3.
In the Configure Virtual Server (Load Balancing) dialog box, click the
Policies tab to view the policies presently configured on the NetScaler.
4.
5.
1.
2.
In the details pane, from the list of virtual servers, select the virtual server
you want to bind the filter policy to (for example, select Vserver-LB-2),
and then click Open.
3.
In the Configure Virtual Server (Load Balancing) dialog box, click the
Policies tab to view the policies presently configured on the NetScaler.
4.
5.
In the following example, the client connects to a Citrix NetScaler that hosts the site http://www.a.com. A Citrix EdgeSight for NetScaler server, http://ens.citrix.com, is used to measure application performance for all traffic flowing through the Citrix NetScaler. The following table lists the names and values of the entities that must be configured on the NetScaler before you can set up performance monitoring as described in the example.
Example Configuration for Measuring Application Performance
Entity type                      Name         URL
Load balancing virtual server    Vserver-LB   http://www.a.com
EdgeSight for NetScaler server   ENS          http://ens.citrix.com
1.
2.
In the details pane, in the Modes and Features, click Change advanced
features.
3.
4.
1.
2.
In the details pane, under Settings, click Change HTML Injection global
settings.
3.
In the Configure HTML Injection dialog box, click Browse next to the
Prebody text box. The contents of the /netscaler/htmlinjection
folder appear by default.
4.
Double-click the ens folder. The contents of the ens folder appear.
5.
1.
2.
In the details pane, under Settings, click Change HTML Injection global
settings.
3.
In the Configure HTML Injection dialog box, click Browse next to the
Postbody text box. The contents of the /netscaler/htmlinjection
folder appear by default.
4.
Double-click the ens folder. The contents of the ens folder appear.
5.
1.
2.
3.
4.
In the Action Name text box, type the name of the filter action (for
example, Action-Filter-Prebody).
5.
6.
7.
1.
2.
In the details pane, click the Actions tab, and then click Add.
3.
In the Create Filter Action dialog box, in the Action Name text box, type
Action-Filter-Postbody.
4.
5.
6.
1.
2.
3.
In the Create Filter Policy dialog box, in the Filter Name text box, type
Policy-Filter-Prebody.
4.
5.
6.
Click OK, then click Close. The new filter policy Policy-Filter-Prebody appears in the Filter Policies page.
1.
In the navigation pane, expand Protection Features, and then click Filter.
2.
3.
In the Create Filter Policy dialog box, in the Filter Name text box, type
Policy-Filter-Postbody.
4.
5.
6.
Click OK, then click Close. The new filter policy Policy-Filter-Postbody appears in the Filter Policies page.
1.
In the navigation pane, expand Load Balancing and click Virtual Servers.
2.
3.
In the Configure Virtual Server (Load Balancing) dialog box, click the
Policies tab to view the policies configured on the NetScaler.
4.
5.
To bind the postbody filter policy to the load balancing vserver using the
configuration utility
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
3.
In the Configure Virtual Server (Load Balancing) dialog box, select the
Policies tab to view the policies configured on the NetScaler.
4.
5.
Chapter 5
This chapter describes Secure Sockets Layer (SSL) acceleration on the NetScaler.
In This Chapter
How SSL Works
Configuring SSL Offloading
Managing Certificates
Configuring Client Authentication
Managing Certificate Revocation Lists
Customizing the SSL Configuration
Managing SSL Actions and Policies
Configuring Some Commonly Used SSL Configurations
Configuring the SSL Feature for Commonly Used Deployment Scenarios
This section explains the procedures to configure basic SSL offloading on the
NetScaler. The following tasks are covered:
1.
2.
3.
4.
Note: For TCP traffic, follow the procedures given later, but create TCP
services instead of HTTP services.
To configure basic SSL offloading, you need to set the parameters as described in
the sections that follow.
The procedures describe the steps to configure the SSL feature in a basic SSL
offload setup where an SSL virtual server Vserver-SSL-1 offloads SSL traffic
directed to two HTTP services, Service-HTTP-1 and Service-HTTP-2.
1.
In the navigation pane, expand SSL Offload, and then click Services.
2.
3.
In the Service Name text box, type the name of the service being added
(for example, Service-HTTP-1).
4.
5.
6.
In Port, type the port number for the HTTP service to use (for example,
80).
7.
Click Create, then click Close. The HTTP service you configured appears
in the Services page.
Example
add service Service-HTTP-1 10.102.20.30 HTTP 80
1.
In the navigation pane, expand SSL Offload, then click Virtual Servers.
2.
3.
In the Name text box, type the name of the virtual server to be created (for
example Vserver-SSL-1).
4.
In the IP Address text box, type the IP address of the virtual server (for
example, 10.102.29.50).
5.
6.
In the Port text box, type the port number for the virtual server to use (for
example, 443).
7.
Click Create, then click Close. The virtual server you created appears in
the SSL Offload Virtual Servers page.
Note: The SSL virtual server you created is shown as down because a
certificate-key pair has not been bound to it, and there are no services bound to it.
Example
add vserver Vserver-SSL-1 SSL 10.102.29.50 443
1.
In the navigation pane, expand SSL Offload, and then click Virtual
Servers.
2.
3.
On the Services tab, select the options next to the services (for example,
Service-HTTP-1 and Service-HTTP-2).
4.
Click OK.
Note: The load balancing feature on the NetScaler should be enabled before
binding multiple services to a virtual server. For details on enabling features on
the NetScaler, see Enabling Secure Sockets Layer (SSL), on page 363.
Example
bind lb vserver Vserver-SSL-1 Service-HTTP-1
bind lb vserver Vserver-SSL-1 Service-HTTP-2
To bind an SSL certificate key pair to a virtual server using the configuration
utility
1.
In the navigation pane, expand SSL Offload, and then click Virtual
Servers.
2.
In the details pane, select the virtual server you want to bind the certificate
key pair to (for example, select Vserver-SSL-1) and click Open.
3.
On the SSL Settings tab, in the Available area, select the certificate key pair that you want to bind to the virtual server (for example, select SSL-Certkey-1) and click Add. The certificate key pair appears in the Configured area.
4.
To bind an SSL certificate key pair to a virtual server using the NetScaler
command line
Example
bind ssl certkey SSL-Certkey-1 Vserver-SSL-1
1.
2.
3.
In the Certificate-Key Pair Name text box, type the name of the certificate
key pair you want to add (for example, Certkey-SSL-1).
4.
5.
6.
7.
In Private Key File Name, select Browse to locate the private key file.
8.
9.
Click Install. The certificate key pair you created appears in the SSL
Certificates window.
Example
add ssl certkey Certkey-SSL-1 -cert Cert-SSL-1 -key Key-SSL-1
Cert-SSL-Fips.pem -fipskey
1.
2.
3.
Select the service Service-HTTP-1 and in the Details section, verify that
the parameters are accurately configured.
Example
show service Service-HTTP-1
1.
In the navigation pane, expand SSL Offload, then click Virtual Servers.
2.
3.
Select the virtual server Vserver-SSL-1 and in the Details section, verify
that the parameters are accurately configured.
Example
show vserver Vserver-SSL-1
1.
2.
Verify that the configured certificate key pair (for example, Certkey-SSL-1) is displayed.
3.
Select the certificate key pair (for example, Certkey-SSL-1) and in the
Details section, verify that the parameters are accurately configured.
To view the properties of the configured certificate key pairs using the
NetScaler command line
Example
show ssl certkey Certkey-SSL-1
Managing Certificates
To configure the SSL feature, you need a certificate and a private key for the Web server. An SSL certificate is a digital data form (X.509) that identifies a company (domain) or an individual. An SSL key is the private component of the public-private key pair used in asymmetric key encryption (public key encryption).
Note: The NetScaler supports a certificate size of up to 2,048 bits (RSA/DSA).
You can obtain the SSL certificate and key in one of three ways:
1.
2.
3.
In the Key Filename text box, type the name of the RSA key (for example,
Key-RSA-1).
Note: By default, SSL certificates and keys are stored in the /nsconfig/ssl
directory on the NetScaler. If you want to store them elsewhere, use the
browse button to navigate to the desired location.
4.
In the Key Size (Bits) text box, type the size in bits of the key (for example,
1024).
5.
Click Create, and then click Close. The RSA key you created is saved on
the NetScaler.
Example
create ssl rsakey Key-RSA-1 1024
1.
2.
3.
In the Key Filename text box, type the name of the DSA key (for example,
Key-DSA-1).
Note: SSL certificates and keys are stored by default in the /nsconfig/ssl
directory on the NetScaler. If you want to store them elsewhere, use the
browse button to navigate to the required location.
4.
In the Key Size (Bits) text box, type the size in bits of the key (for example,
1024).
5.
Click Create, and then click Close. The DSA key you created is saved on
the NetScaler.
Example
create ssl dsakey Key-DSA-1 1024
For added security, you can encrypt your SSL key using the Data Encryption
Standard (DES) or triple DES (3DES) algorithm. The DES and triple DES
options are valid only for keys stored in Privacy Enhanced Mail (PEM) format,
not for keys stored in DER format.
Caution: Make sure you limit access to your private key. Anyone who has
access to your private key can generate a new CSR and obtain a new certificate
using your identity.
The certificate that you receive from the CA is valid only with the private key
used to create the CSR. The private key is required to add the certificate on the
NetScaler.
1.
2.
3.
In the Request File Name text box, type the name of the CSR (for example
Certificate-Request-1).
4.
In the Key File Name text box, type the name of the key to be used to
create the CSR (for example, Key-RSA-1).
Note: You can use the browse button to navigate to the saved key on the
NetScaler.
5.
Select the format the key was saved in (for example, PEM).
6.
In the PEM Passphrase (For Encrypted Key), type the password used to
encrypt the key.
7.
8.
Click Create, then click Close. The certificate signing request you created
is saved on the NetScaler in the specified location.
Example
create ssl certreq Certificate-Request-1 -keyFile Key-RSA-1
Next, you need to send the CSR to a CA for authentication and signing. Most
CAs accept certificate submissions by email. The CA will return a valid
certificate to the email address you used to submit the CSR.
Once you have obtained the signed certificate from a CA, install the certificate
and its corresponding private key on the NetScaler.
Note: For information on configuring a chain of certificates that is to be sent on behalf of an SSL virtual server, see Creating a Chain of Certificates, on page 384.
Transfer the certificate and key to the NetScaler and follow the installation
procedure as described earlier.
Note: Use an FTP client to transfer the certificate and the key to the NetScaler
in binary mode.
1.
Double-click the certificate file to open the viewer, then click the Details
tab.
2.
3.
4.
Click Next. Type the File Name and Location to store the certificate in the
DER format.
5.
6.
7.
8.
1.
On the Start menu, click Programs > Windows NT 4.0 Option Pack >
Microsoft Internet Information Server > Internet Service Manager.
2.
In the Microsoft Management Console, navigate to the Web site using the
object list.
3.
Right-click the Web site object and click Properties in the shortcut menu.
4.
5.
6.
7.
On the Key menu, point to Export Key, then click Backup File.
8.
9.
Select a file name and location to store the key, then click Save.
10.
The key and certificate file are exported from an IIS server in PKCS#12 (.PFX)
format. Convert these to either the PEM or DER format, and install them on the
NetScaler as described in the section Binding an SSL Certificate Key Pair to the
Virtual Server, on page 367.
Note: For more information on converting the certificate from the PKCS#12
format to the DER or PEM format, see Importing SSL Certificates, on page
391.
1.
or
2.
Right-click the Web site object, then click Properties in the shortcut menu.
3.
4.
5.
6.
In the Certificate Export wizard, click Next. The Export Private Key
screen appears.
7.
Select Yes to export the private key, then click Next. The Export File
Format screen appears.
8.
9.
In the Password and Confirm Password text boxes, type the password,
then click Next.
10.
In the File to Export screen, type the complete path and file name to the location where you want to save the certificate and key files, and then click Next. The Completing the Certificate Export Wizard screen appears.
Note: Alternatively, click the browse button and use the Windows
Explorer controls to navigate to the folder and file.
11.
The key and certificate file exported from IIS 5 are in PKCS#12 (.PFX) format
and must be converted to PEM or DER format before being loaded on the
NetScaler. For more information on converting the certificate format, refer to the
section Importing SSL Certificates, on page 391.
Determine the name of the certificate and/or key pairs you wish to extract (export). The default name is Server-Cert.
Write down the password that was used to protect the database. You will need to provide this password to access the contents of the databases.
Locate the folder where the following certificate and key databases are stored: server_root/alias/<serverid-hostname>-key3.db for the key file, and server_root/alias/<serverid-hostname>-cert7.db for the certificate.
The following procedure describes the steps to export the certificate, mySite-cert.db, and the key, mySite-key.db, from an iPlanet Web server.
To export a certificate and key from the Sun iPlanet server
1.
2.
3.
At the prompt (enter output password), type the password for the PKCS12
file.
4.
You must provide the complete path to the pk12util binary in the command line interface search path. Also put the lib directory ($WEBSERVER_ROOT/bin/https/lib by default) in front of the LD_LIBRARY_PATH environment variable.
For a Solaris server using the Bourne shell, the command to be used is:
export LD_LIBRARY_PATH=${WEBSERVER_ROOT}/bin/https/lib:$LD_LIBRARY_PATH
If the error message Bad database error without -d option appears, use the -d
switch to point to the directory where the certificate and key databases are
located.
The default names for the certificate and key databases on an iPlanet server are
cert7.db and key3.db. iPlanet may prefix the server name with the full machine
name for the administrator server and any additional virtual servers that you have
defined. In this case, you must include the -P switch with the argument: https-hostname.domain.com-hostname.
The exported certificate will be saved in PKCS#12 format and must be converted
to PEM or DER format before you install it on the NetScaler.
1.
2.
Identify the file where the certificate and key are stored. The path to this file
should be displayed in the weblogic.properties file, in the following fields:
Use an FTP client to transfer the certificate and key in binary mode to the
NetScaler.
The certificate and key file must be transferred to the NetScaler in the same
format. In some versions of BEA WebLogic Server (for example, version 5.0.1),
the server allows the key to be exported in DER format and the certificate in PEM
format. In such cases, you can convert the DER-encoded key to PEM format
using the following OpenSSL tool command:
Once the certificate and key files are transferred to the NetScaler, install the
certificate key pair using the procedures described in the section Binding an SSL
Certificate Key Pair to the Virtual Server, on page 367.
Generating a Key
This section describes how to generate a key on the NetScaler that can be used for creating certificates.
Generating a DH Key
The DH key exchange feature enables support for Diffie-Hellman (DH) key
exchange for an SSL virtual server or SSL service on the NetScaler. By default,
this feature is disabled.
You need to enable this feature to support ciphers that use DH as the key
exchange algorithm.
The following procedure describes the steps to create a 512-bit DH key, Key-DH-1, with its DH generator set to 2.
To generate a DH key using the configuration utility
1.
2.
3.
In the DH Filename (with path) text box, type the name of the DH key file
being created (for example, type Key-DH-1).
4.
In the DH Parameter Size (Bits) text box, type the size, in bits of the DH
parameter being configured (for example, type 512).
Note: The DH key size ranges from 512 to 2048 bits.
5.
Example
create ssl dhparam Key-DH-1 512 -gen 2
Root-CA Certificates
Intermediate CA Certificates
Server Certificates
Client Certificates
1.
2.
3.
In the Certificate File Name text box, type the name of the certificate
being created (for example, Cert-RootCA-1).
Note: Instead of typing the certificate name, you can use the browse
button to launch the NetScaler file browser and select the file.
4.
5.
6.
In the Certificate Request File Name text box, type the name of CSR
created for the certificate (for example, type Certificate-Request-1).
7.
In the Key File Name text box, type the name of the key next to the CSR
(for example, Key-RSA-1).
8.
9.
In the PEM Passphrase (For Encrypted Key) text box, type the password
used to encrypt the key.
10.
In the Validity Period (Number of Days) text box, type the duration in
days the certificate is valid for (for example, 365).
11.
Click Create, and then click Close. The Root-CA certificate you created is
saved on the NetScaler.
Example
create ssl cert Root-CA Certificate-Request-1 PEM ROOT_CERT
-keyFile Key-RSA-1 -keyForm PEM -days 365
1.
2.
3.
In the Certificate File Name text box, type the name of the certificate
being created (for example, Cert-IntermediateCA-1).
Note: Instead of typing the filename, you can use the browse button to
launch the NetScaler file browser and select the file visually.
4.
5.
6.
In the Certificate Request File Name text box, type the name of CSR
created for the certificate (for example, Certificate-Request-2).
7.
In the Validity Period (Number of Days) text box, type the duration in
days the certificate is valid for (for example, 365).
8.
In the CA-Certificate File Name text box, type the name of the CA certificate that will issue this intermediate certificate (for example, Cert-RootCA-1).
9.
10.
In the CA Key File Name text box, type the name of the key corresponding
to the CA certificate, (for example, Key-RSA-1).
11.
12.
In the PEM Passphrase (For Encrypted CA Key) text box, type the
password used to encrypt the key.
13.
In the CA Serial Number File text box, type the name of the file to store
the serial number of the CA certificate in, (for example, Serial-CA-1).
14.
Example
create ssl cert Intermediate-CA Certificate-Request-2 PEM INTM_CERT
-CAcert Root-CA -CAcertForm PEM -days 365
Note: To create server and client certificates, in step 5, select the option next to
Server Certificate and Client Certificate and in step 10, select the
corresponding intermediate certificate instead of a root certificate.
1.
2.
Select the server certificate you want to link (for example, Cert-Server),
then click Link.
3.
4.
Example
link ssl certkey Cert-Server Cert-Intermediate-A
Repeat this procedure for intermediate certificates Cert-Intermediate-A and Cert-Intermediate-B, where Cert-Intermediate-A is linked to Cert-Intermediate-B and Cert-Intermediate-B is linked to Cert-Intermediate-C.
1.
In the navigation pane, expand SSL Offload, and then click Virtual
Servers.
2.
In the details pane, select the vserver for which you want to enable server
authentication (for example, Vserver-SSL-1), and then click Open.
3.
In the Configure Virtual Server dialog box, on the SSL Settings tab, click
the down arrow next to the Install button, and then select Server Test
Certificate.
4.
In the Create and Install Server Test Certificate dialog box, in the
Certificate File Name and Fully Qualified Domain Name boxes, type the
respective names of the server test certificate and the domain for which you
want to secure the connection (for example, Docs and mycompany.com).
5.
In Country, select the country or region name (for example, INDIA), and
then click OK. The certificate appears in the Configured list.
6.
Click OK. The server test certificate is now bound to the SSL vserver.
Note: Alternatively, you can create a server test certificate by clicking Create
and Install a Server Test Certificate on the SSL node in the navigation pane of
the configuration utility.
1.
2.
3.
Use the Browse button next to the Certificate File name and the Key File
name and select the new certificate and key files respectively.
4.
In the Password text box, type the password used to encrypt the new key.
5.
Click OK. The server certificate Certkey-SSL-1 is now updated with the
new certificate and key files.
To update an existing certificate key pair using the NetScaler command line
Example
update ssl certkey Certkey-SSL-1 Certificate-SSL-New -key Key-SSL-New
1.
2.
3.
4.
In the Notification Period text box, type the required notification period
value (for example, 60).
Note: The notification period parameter can be set to any value between
10 and 100 days and the default notification period is 30 days.
5.
Example
set ssl certkey Certkey-SSL-1 -expiryMonitor ENABLED -notificationPeriod 60
After you configure an expiry monitor, reporting is carried out through the syslog
and nsaudit logs by default. If you want to create SNMP alerts for the same
scenario, you must configure them separately.
1.
2.
Select the certificate you want to update (for example Certkey-SSL-1), and
then click Update.
3.
Select the No Domain Check check box, then click OK. The domain check
for the certificate is now disabled.
To disable domain check for a certificate using the NetScaler command line
Example
update ssl certkey Certkey-SSL-1 -noDomainCheck
If the server certificate is a global site certificate (and if the export client
feature is supported by the browser), the export client automatically
upgrades to 128-bit encryption for data transfer.
If the server certificate is a global site certificate, the server sends its certificate,
along with the accompanying intermediate-CA certificate. The browser first
validates the intermediate-CA certificate using the Root-CA certificates that
come installed in browsers. On successful validation of the intermediate-CA
certificate, the server certificate is validated using the intermediate-CA
certificate. On successful validation, the browsers renegotiate (upgrade) the SSL
connection to 128-bit encryption.
With Microsoft Server Gated Cryptography (SGC), if the Microsoft IIS server is
configured with an SGC certificate, export clients that receive the certificate
renegotiate to 128-bit encryption.
1.
Using a text editor, copy the server certificate and the accompanying
intermediate-CA certificate into two separate files.
The individual PEM encoded certificate will begin with the header -----BEGIN CERTIFICATE----- and end with the trailer -----END CERTIFICATE-----.
2.
3.
Add the server certificate (and its private key) on the NetScaler. For details
on creating a certificate key pair on the NetScaler, see Adding a Certificate
Key Pair, on page 368.
5.
Bind the server certificate to the SSL virtual server. For details on binding
the server certificate to the SSL virtual server, see Binding an SSL
Certificate Key Pair to the Virtual Server, on page 367.
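The PEM header and trailer described in step 1, and the DER-to-PEM conversion mentioned for the WebLogic key, as an added example that is not Citrix's code and not a NetScaler command; the sample DER blobs are constructed and are not real certificates:

```python
"""Added example (not Citrix's code): format checks for the certificate and key
files the text says must reach the NetScaler in one consistent format.

split_pem()     cuts a PEM bundle (server certificate followed by the
                intermediate-CA certificate) into individual certificates at the
                -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- markers.
der_to_pem()    and pem_to_der() convert between DER (raw ASN.1 bytes) and PEM
                (base64 in 64-column lines between the markers).
detect_format() tells the two apart by parsing the outer DER SEQUENCE header,
                so a file is converted only when it really is the other format.
All sample data below is constructed; the DER blobs are not real certificates.
"""
import base64
import re

PEM_COLS = 64


def der_sequence_length(data: bytes):
    """Total length of the outermost DER SEQUENCE in data, or None if the
    header is not a well-formed DER SEQUENCE (tag 0x30, minimal length)."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    # DER requires the minimal encoding: no leading zero byte, and long form
    # only for lengths that do not fit the short form.
    if length < 0x80 or data[2] == 0:
        return None
    return 2 + n + length


def detect_format(data: bytes) -> str:
    """Return "PEM", "DER" or "unknown" for a certificate or key file body."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    total = der_sequence_length(data)
    if total is not None and total == len(data):
        return "DER"
    return "unknown"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes as a PEM block with 64-column base64 lines."""
    if detect_format(der) != "DER":
        raise ValueError("input is not a complete DER SEQUENCE")
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + PEM_COLS] for i in range(0, len(body), PEM_COLS)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def split_pem(bundle: str, label: str = "CERTIFICATE") -> list:
    """Return each PEM block of the given label in bundle, normalized to the
    canonical 64-column form. Raises ValueError on an unbalanced marker or a
    body that is not valid base64."""
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    if bundle.count(begin) != bundle.count(end):
        raise ValueError("unbalanced BEGIN/END markers")
    pattern = re.compile(re.escape(begin) + r"(.*?)" + re.escape(end), re.S)
    blocks = []
    for match in pattern.finditer(bundle):
        body = "".join(match.group(1).split())       # drop line breaks/whitespace
        der = base64.b64decode(body, validate=True)  # rejects stray characters
        blocks.append(der_to_pem(der, label))
    return blocks


def pem_to_der(pem: str, label: str = "CERTIFICATE") -> bytes:
    """Decode exactly one PEM block back to DER bytes."""
    blocks = split_pem(pem, label)
    if len(blocks) != 1:
        raise ValueError(f"expected one {label} block, found {len(blocks)}")
    body = "".join(blocks[0].splitlines()[1:-1])
    return base64.b64decode(body)


def make_der_sequence(payload: bytes) -> bytes:
    """Build a DER SEQUENCE around payload (constructed test data only)."""
    n = len(payload)
    if n < 0x80:
        return b"\x30" + bytes([n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length_bytes)]) + length_bytes + payload


# Constructed samples: a tiny SEQUENCE { INTEGER 1, OCTET STRING "x" } and a
# 200-byte one whose header needs the long-form length (0x30 0x81 0xC8).
SAMPLE_DER_SHORT = bytes.fromhex("3006020101040178")
SAMPLE_DER_LONG = make_der_sequence(b"\x04\x81\xc5" + b"A" * 197)

if __name__ == "__main__":
    bundle = der_to_pem(SAMPLE_DER_SHORT) + der_to_pem(SAMPLE_DER_LONG)
    server_pem, intermediate_pem = split_pem(bundle)
    print(detect_format(SAMPLE_DER_LONG), detect_format(bundle.encode()))
    print(pem_to_der(server_pem) == SAMPLE_DER_SHORT)
```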
1.
2.
3.
In the Output File Name text box, type the name of the file to be created
(for example, Cert-Import-1.pem).
4.
In the PKCS12 File Name text box, type the name of the certificate file to
be imported (for example, Cert-Import-1.pfx).
Note: You can navigate the file system on the NetScaler using the
Browse button.
5.
In the Import Password box, type the password that was used to create the
PKCS file.
6.
7.
In the PEM Passphrase text box, type the password, if any, used to encrypt
the key (for example, Import Passphrase).
Note: The PEM Passphrase option is displayed only if either the DES or
the DES3 encoding formats are chosen.
8.
In the Verify PEM Passphrase text box, type the same passphrase again
for confirmation.
9.
Click OK. The client certificate you imported is saved on the NetScaler.
Example
convert ssl pkcs12 Cert-Import-1.pem -import -pkcs12File Cert-Import-1.pfx -des
1.
2.
3.
In the PKCS12 File Name text box, type the name of the PKCS file to be
created (for example, Cert-Client-1.pfx).
Note: To select an existing file on the NetScaler, click Browse and
navigate to the required file.
4.
In the Certificate File Name text box, type the name of the certificate to be
converted (for example Cert-Client-1).
5.
In the Key File Name text box, type the name of the key file associated
with the certificate (for example, Key-Client-1).
6.
In the Export Password text box, type the password to encrypt the
exported key with (for example, ExportPassword).
7.
In the PEM Passphrase text box, type the password, if any, used to encrypt
the key (for example, PEMPassphrase).
8.
Click OK. The client certificate you exported is saved on the NetScaler.
Example
convert ssl pkcs12 Cert-Client-1.pfx -export -certFile Cert-Client-1 -keyFile Key-Client-1
1.
In the navigation pane, expand SSL Offload, and then click Virtual
Servers.
2.
Select the virtual server for which you want to configure client certificate-based authentication, and then click Open.
3.
4.
5.
6.
Click OK, and in the Configure Virtual Server (SSL Offload) dialog box,
click OK. The virtual server is now configured for client authentication.
Example
set ssl vserver Vserver-SSL-1 -clientAuth ENABLED -clientCert
MANDATORY
During client authentication, the client certificate issued by Cert-CA-A, or Cert-CA-B, or the root CA is properly verified.
1.
2.
Launch Internet Explorer and navigate to Tools > Internet Options. The
Internet Options dialog box appears.
3.
Click the Content tab, then in the Certificates group, click Certificates.
4.
5.
6.
7.
1.
2.
3.
4.
5.
In Certificate Manager dialog box, click the Your Certificates tab, then
click the Import button.
6.
Select the client certificate, then click Open. The imported client certificate
appears in the Your Certificates list.
7.
Click OK. The client certificate is now installed in the Mozilla Firefox
browser.
1.
In the navigation pane, expand SSL Offload, and then click Services.
2.
Select the service for which you want to enable server authentication (for example, Service-SSL-1), and then click Open.
3.
In the Configure Service dialog box, on the SSL Settings tab, click SSL Parameters.
4.
5.
Example
set ssl service Service-SSL-1 -serverAuth ENABLED
1.
2.
Select the service for which you want to enable server authentication (for
example, Service-SSL-1), then click Open.
3.
4.
To bind the CA certificate to the service using the NetScaler command line
Example
bind ssl service Service-SSL-1 -certkeyName Cert-CA-1
Certificate authorities issue CRLs on a regular basis. You can configure the
NetScaler to use a CRL to block client requests that present invalid certificates.
Note: By default, CRLs are stored in the /var/netscaler/ssl directory on the
NetScaler.
1.
2.
3.
In the CRL Name text box, type the name of the CRL being added (for
example, CRL-1).
4.
In the CRL File text box, type the name of the CRL file being added (for
example, SSL_CRL.pem).
Note: To select an existing file on the NetScaler, click the Browse button
and navigate to the required file.
5.
Select the Format option of the CRL file being added (for example, PEM).
6.
Example
add ssl crl CRL-1 SSL_CRL.pem -inform PEM
Parameter   Specifies
Method
Binary
Server IP
Port
URL         The URL of the CRL file on the HTTP server used for CRL refresh. This parameter is only used for CRL refresh with the HTTP method.
Base DN
Scope       The level below the Base DN where the CRL file should be searched. If the scope is set to One, the CRL file search is carried out up to one level lower than the Base DN in the LDAP file structure. If the scope is set to Base, the CRL file search is carried out at the level of the Base DN in the LDAP file structure.
Bind DN
Password
When you specify refresh parameters and an LDAP server, the CRL does not
have to be present on the local hard disk drive at the time you execute the
command. The first refresh will store a copy on the local hard disk drive, in the
path specified by the CRL File parameter. The default path for storing the CRL is
/var/netscaler/ssl.
To configure CRL auto refresh using LDAP using the configuration utility
1.
2.
Select the configured CRL for which you want to update refresh
parameters, and then click Open.
3.
4.
5.
6.
In the Port text box, type the port number (for example, 389).
7.
In the Base DN text box, type the path to the CRL file (for example,
dc=flyers, dc=ctxs).
8.
401
Note: If the new CRL has been refreshed in the external repository before
its actual update time as specified by the LastUpdate field of the CRL, you
should immediately refresh the CRL on the NetScaler.
9.
Click Create. The CRL for which you configured refresh parameters
appears in the CRL page.
To configure CRL auto refresh using LDAP using the NetScaler command line
Example
set ssl crl CRL-1 -refresh ENABLED -server 10.217.130.2 -method LDAP -port 389 -baseDN "dc=flyers,dc=ctxs" -interval NOW
To configure CRL auto refresh using HTTP using the configuration utility
1.
2. In the details pane, select the configured CRL for which you want to update refresh parameters, then click Open.
3.
4.
5. In the URL text box, type the URL of the CRL file (for example, http://10.102.19.190/CA1.crl).
6. In the Port text box, type the port number (for example, 80).
7.
Note: If the new CRL has been refreshed in the external repository before its actual update time as specified by the LastUpdate field of the CRL, you should refresh it immediately on the NetScaler.
8. Click Create. The CRL for which you configured refresh parameters appears in the CRL page.
To configure CRL auto refresh using HTTP using the NetScaler command line
Example
set ssl crl CRL-1 -refresh ENABLED -url http://10.102.19.190/CA1.crl -method HTTP -port 80 -interval NOW
Synchronizing CRLs
When the NetScaler performs SSL acceleration, it uses the most recently
distributed CRL to prevent clients with revoked certificates from accessing secure
resources.
If CRLs are updated often, the NetScaler needs an automated mechanism to fetch
the latest CRLs from the repository. You can configure the NetScaler to update
CRLs automatically at a specified refresh interval or time.
The NetScaler maintains an internal list of CRLs that need to be updated at
regular intervals. At these specified intervals, it scans the list for CRLs that need
to be updated, then connects to the remote LDAP server or HTTP server and
retrieves the latest CRLs. It then replaces the local CRL list with the new CRLs.
Note: If the initial CRL refresh fails, all client-authentication connections with
the same issuer as the CRL are rejected as REVOKED until the CRL is
successfully refreshed.
To synchronize the CRL at a specific time, use the intervals in the following table.
Intervals to Synchronize the CRL
Interval | Days
Monthly | Set the day of the month the CRL refresh will be done. For example, if you want the refresh to be done on the 15th of every month, under Days, select 15.
Weekly | Set the day of the week the CRL refresh will be done (Sunday=1, Monday=2, Tuesday=3, Wednesday=4, Thursday=5, Friday=6 and Saturday=7). For example, if you want the refresh to be done on Tuesday every week, under Days, select 3.
Daily | Set the Daily argument if you want the CRL refresh to be carried out every day.
Now | Use the Now argument when a CRL has been refreshed in the LDAP repository before the update time specified in the LastUpdate field of the CRL. The Now argument forces an immediate refresh of the CRL on the NetScaler.
Never |
Note: If you provide an invalid number for the day of the month or day of the
week, the NetScaler adjusts it to the nearest valid value and performs the refresh
on that day.
You can set the exact time of day the CRL is refreshed, using the parameters
under the Time group. Specify time in 24-hour format (HH:MM).
Create a CRL
The NetScaler stores the serial number of revoked certificates in an index file.
The file is updated for each certificate that is revoked by the CA. The NetScaler
creates the index file the first time you revoke a certificate.
To revoke a certificate and create a CRL, use the parameters in the following table.
Parameters to Revoke a Certificate and Create a CRL
Parameter | Specifies
CA Certificate File Name |
CA Key Name |
CA Key Password |
Index File Name | The name of the index file that stores the serial number of all revoked certificates. This file is created on the NetScaler (if not present) when the first certificate is revoked.
Choose Operation |
Certificate File Name | The name of the CRL file being created. This file is specific to the CA certificate named in the CA Certificate File Name field. This file only contains details of certificates issued by the specified CA certificate.
1.
2.
3. In the CA Certificate File Name text box, type the name of the CA certificate to be revoked (for example, Cert-CA-1).
4. In the CA Key File Name text box, type the name of the key corresponding to the CA certificate (for example, Key-CA-1).
5. In the Index File Name text box, type the name of the index file (for example, File-Index-1).
6.
7. In the Certificate File Name text box, type the name of the invalid certificate to be revoked (for example, Cert-Invalid-1).
8. Click Create. The invalid certificate Cert-Invalid-1 is now revoked and its serial number updated in the specified index file.
Example
create ssl crl Cert-CA-1 Key-CA-1 File-Index-1 -revoke Cert-Invalid-1
1.
2.
3. In the CA Certificate File Name text box, type the name of the CA certificate to be revoked (for example, Cert-CA-1).
4. In the CA Key File Name text box, type the name of the key corresponding to the CA certificate (for example, Key-CA-1).
5. In the Index File Name text box, type the name of the index file (for example, File-Index-1).
6.
7. In the CRL File Name text box, type the name of the invalid certificate to be revoked (for example, Cert-Invalid-1).
8.
Example
create ssl crl Cert-CA-1 Key-CA-1 File-Index-1 -genCRL CRL-1
1. In the navigation pane, expand SSL Offload, then click Virtual Servers.
2. Select the virtual server for which you want to customize SSL settings (for example, Vserver-SSL-1), and then click Open.
3.
To customize the SSL configuration for an SSL virtual server using the
NetScaler command line
Example
set ssl vserver Vserver-SSL-1
To customize the SSL configuration for an SSL service, first launch the Configure SSL Params dialog box as described later.
To customize the SSL configuration for an SSL service using the configuration utility
1. In the navigation pane, expand SSL Offload, and then click Services.
2. Select the service for which you want to customize SSL settings (for example, Service-SSL-1), and then click Open.
3. On the SSL Settings tab, click SSL Parameters. The Configure SSL Params dialog box appears.
To customize the SSL configuration for an SSL service using the NetScaler
command line
Example
set ssl service Service-SSL-1
Parameter | Specifies
DH |
Refresh Count |
File Path |
1.
2.
3.
4. Click OK. The DH parameters are now configured to refresh the DH key after every 1000 sessions.
Example
set ssl vserver Vserver-SSL-1 -dh ENABLED -dhCount 1000
Parameter | Specifies
eRSA |
Refresh Count | The refresh count for regeneration of the RSA private-public key pair. The default value is zero (0), which specifies infinite use (no refresh). If the refresh count is set, the eRSA key is regenerated after the usage count for the key pair reaches the configured refresh count. The refresh count is a positive integer whose value can either be 0 or any other number greater than 500.
1.
2.
3. In the Refresh Count text box, type the count after which the eRSA key will be refreshed (for example, 1000).
4. Click OK. The ephemeral RSA parameters are now configured to refresh the eRSA key after every 1000 sessions.
Example
set ssl vserver Vserver-SSL-1 -eRSA ENABLED -eRSACount 1000
Parameter | Specifies
Reuse |
Time-out |
1.
2.
3. In the Time-out text box, type the timeout value in seconds (for example, 600).
4. Click OK. The NetScaler is now configured to reuse SSL sessions for 600 seconds.
Example
set ssl vserver Vserver-SSL-1 -sessReuse ENABLED -sessTimeout 600
Parameter | Specifies
Enable |
Redirect URL |
1.
2.
3. In the Redirect URL text box, type the URL where the client should be redirected in case of a cipher suite mismatch (for example, http://redirectURL).
4.
Example
set ssl vserver Vserver-SSL-1 -cipherRedirect ENABLED -cipherURL http://redirectURL
Parameter | Specifies
Enable |
SSLv2 URL | URL where the client is redirected in case of a protocol mismatch. The target IP address must not be the same as the SSL VIP for which the SSLv2 redirect feature is enabled, or the client will go into an infinite loop of redirects. For example, if you have configured SSLv2 redirection for the secure domain https://www.mycompany.com, you should not have the redirect URL configured as https://www.mycompany.com/error.html. The preferred way is to redirect to a dummy SSL VIP or an HTTP VIP.
1.
2.
3. In the SSLv2 URL text box, type the URL where the client should be redirected in case of a protocol mismatch (for example, http://sslv2URL).
4. Click OK. The NetScaler is now configured to redirect clients that only support the SSLv2 protocol.
Example
set ssl vserver Vserver-SSL-1 -sslv2Redirect ENABLED -sslv2URL http://sslv2URL
Parameter | Specifies
SSLv3 |
TLSv1 |
SSLv2 |
1.
2.
3.
Example
set ssl vserver Vserver-SSL-1 -tlsv1 ENABLED
Parameter | Specifies
SSL Redirect |
Client Authentication |
Client Certificate |
Server Authentication |
1.
2.
3.
Example
set ssl vserver Vserver-SSL-1 -sslRedirect ENABLED
1.
2.
3. In the Start file synchronization dialog box, in the Mode drop-down list, select the appropriate type of synchronization (for example, SSL certificates and Keys), and then click OK.
1.
2. On the Actions tab, click Add. The Create SSL Action dialog box appears.
To launch the Create SSL Action dialog box using the NetScaler command line
Example
add ssl action
1.
2. In the Name text box, type a name for the SSL action (for example, Action-SSL-ClientAuth).
3.
4.
Example
add ssl action Action-SSL-ClientAuth -clientAuth DOCLIENTAUTH
1.
2. In the Name text box, type a name for the SSL action (for example, Action-SSL-OWA).
3. In the Outlook Web Access group, select Enabled from the drop-down list.
4.
Note: Outlook Web Access support is applicable only for SSL virtual server
based configurations and transparent SSL service based configurations and not
for SSL configurations with back-end encryption.
Example
add ssl action Action-SSL-OWA -OWASupport ENABLED
Configuring Insertion
Because the NetScaler offloads all SSL-related processing from the servers, the
servers only receive HTTP traffic. The NetScaler receives and processes all SSL
data and does not pass it to the servers.
Under certain circumstances, a user may want certain SSL information to be
passed on to the servers. For example, security audits of recent SSL transactions
require the client subject name (contained in an X509 certificate) to be logged at
the server. This data is inserted into the HTTP header as a name-value pair and
sent to the server.
The entire client certificate can be inserted into the HTTP header, if required, or
only specific fields from the certificate can be inserted, such as the subject and
the issuer.
1.
2. In the Name text box, type a name for the SSL action (for example, Action-SSL-ClientCert).
3. In the Client Certificate group, select Enabled from the drop-down list.
4. In the Certificate Tag text box, type the certificate tag (for example, X-CLIENT-CERT).
5.
To insert the client certificate serial number using the configuration utility
1.
2. In the Name text box, type a name for the SSL action (for example, Action-SSL-SerialNumber).
3. In the Client Certificate Serial Number group, select Enabled from the drop-down list.
4. In the Serial Number Tag text box, type the serial number tag (for example, X-SERIAL-NUMBER).
5.
To insert the client certificate serial number using the NetScaler command line
Example
add ssl action Action-SSL-SerialNumber -clientcertSerialNumber ENABLED -certSerialHeader X-SERIAL-NUMBER
To insert the client certificate subject name using the configuration utility
1.
2. In the Name text box, type a name for the SSL action (for example, Action-SSL-SubName).
3. In the Client Certificate Subject (DN) group, select Enabled from the drop-down list.
4. In the Subject Tag text box, type the subject tag name (for example, X-SUBJECT-NAME).
5.
To insert the client certificate subject name using the NetScaler command line
Example
add ssl action Action-SSL-SubName -clientcertSubject ENABLED -certSubjectHeader X-SUBJECT-NAME
1.
2. In the Name text box, type a name for the SSL action (for example, Action-SSL-CertHash).
3. In the Client Certificate Hash group, select Enabled from the drop-down list.
4. In the Hash Tag text box, type the hash tag name (for example, X-CERT-HASH).
5.
To insert the client certificate hash using the NetScaler command line
Example
add ssl action Action-SSL-CertHash -clientcertHash ENABLED -certHashHeader X-CERT-HASH
To insert the client certificate issuer tag using the configuration utility
1.
2. In the Name text box, type a name for the SSL action (for example, Action-SSL-Issuer).
3. In the Client Certificate Issuer group, select Enabled from the drop-down list.
4. In the Issuer Tag text box, type the issuer tag name (for example, X-ISSUER-NAME).
5.
Example
add ssl action Action-SSL-Issuer -clientCertIssuer ENABLED -certIssuerHeader X-ISSUER-NAME
1.
2. In the Name text box, type a name for the SSL action (for example, Action-SSL-SessionID).
3. In the Session-ID group, select Enabled from the drop-down list.
4. In the Session ID Tag text box, type the session ID tag name (for example, X-SESSION-ID).
5.
Example
add ssl action Action-SSL-SessionID -sessionID ENABLED -sessionIDHeader X-SESSION-ID
You can only enable this insertion for HTTP-based SSL vservers and services.
You cannot apply it to other TCP-based SSL vservers and services.
The following procedure describes the steps to create an SSL action Action-SSL-Cipher that inserts a new header, X-CIPHER-SUITE, into the HTTP header. Its value contains the cipher suite negotiated during the SSL handshake.
To insert the cipher suite using the configuration utility
1.
2. In the Name text box, type a name for the SSL action (for example, Action-SSL-Cipher).
3. In the Cipher Suite group, select Enabled from the drop-down list.
4. In the Cipher Tag text box, type the cipher tag name (for example, X-CIPHER-SUITE).
5.
Example
add ssl action Action-SSL-Cipher -cipher ENABLED -cipherHeader X-CIPHER-SUITE
1.
2. In the Name text box, type a name for the SSL action (for example, Action-SSL-NotBefore).
3. In the Client Certificate Not Before Date group, select Enabled from the drop-down list.
4. In the Not Before Tag text box, type a tag name (for example, X-NOT-BEFORE).
5.
To insert the client certificate not before date using the NetScaler command line
Example
add ssl action Action-SSL-NotBefore -clientCertNotBefore ENABLED -certNotBeforeHeader X-NOT-BEFORE
1.
2. In the Name text box, type a name for the SSL action (for example, Action-SSL-NotAfter).
3. In the Client Certificate Not After Date group, select Enabled from the drop-down list.
4. In the Not After Tag text box, type a tag name (for example, X-NOT-AFTER).
5.
To insert the client certificate not after date using the NetScaler command line
Example
add ssl action Action-SSL-NotAfter -clientCertNotAfter ENABLED -certNotAfterHeader X-NOT-AFTER
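The insertion actions above turn certificate fields into plain HTTP headers, so the back-end server has to trust them only when the request actually came through the NetScaler. The following is an added example (not NetScaler code) of a back-end consumer that checks the peer address, reads the headers named in this section, and builds the audit record the section motivates; the trusted proxy subnet 10.102.20.0/24, the header values and the sample request are assumptions made for the example.

```python
"""Consume the client-certificate headers inserted by NetScaler SSL actions
on a back-end server and turn them into an audit record (added example)."""
import ipaddress
import json
import re

# Header tags from the "add ssl action" examples on this page, mapped to
# the field names used in the audit record.
CERT_HEADERS = {
    "X-SUBJECT-NAME": "subject",
    "X-ISSUER-NAME": "issuer",
    "X-SERIAL-NUMBER": "serial",
    "X-CERT-HASH": "cert_hash",
    "X-NOT-BEFORE": "not_before",
    "X-NOT-AFTER": "not_after",
    "X-SESSION-ID": "session_id",
    "X-CIPHER-SUITE": "cipher_suite",
}

# Assumption for this example: the NetScaler reaches the servers from this
# subnet. Replace it with the appliance's subnet IP / mapped IP addresses.
TRUSTED_PROXIES = (ipaddress.ip_network("10.102.20.0/24"),)

_HEX = re.compile(r"[0-9A-Fa-f]+")


class UntrustedSource(Exception):
    """The request did not arrive through the NetScaler."""


def from_trusted_proxy(remote_addr, trusted=TRUSTED_PROXIES):
    """True when the TCP peer is one of the NetScaler's addresses."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in trusted)


def extract_client_cert_info(headers, remote_addr, trusted=TRUSTED_PROXIES):
    """Return the certificate fields the NetScaler inserted.

    The inserted headers are ordinary name-value pairs: a client that can
    reach the server directly could supply them itself, so they are only
    accepted from the NetScaler's addresses and the request is rejected
    otherwise.
    """
    if not from_trusted_proxy(remote_addr, trusted):
        raise UntrustedSource("certificate headers from %s" % remote_addr)
    # Header names are case-insensitive; normalise them once.
    upper = {name.upper(): value.strip() for name, value in headers.items()}
    info = {}
    for tag, field in CERT_HEADERS.items():
        value = upper.get(tag)
        if value:
            info[field] = value
    serial = info.get("serial")
    # A certificate serial number is hexadecimal (optionally colon-separated).
    if serial is not None and not _HEX.fullmatch(serial.replace(":", "")):
        raise ValueError("malformed serial number header: %r" % serial)
    return info


def audit_record(headers, remote_addr, request_line, trusted=TRUSTED_PROXIES):
    """Build one JSON audit line: the request plus the client's certificate
    subject and related fields, as the section's audit use case requires."""
    info = extract_client_cert_info(headers, remote_addr, trusted)
    record = {"request": request_line, "via": remote_addr}
    record.update(info)
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: headers as the actions Action-SSL-SubName,
    # Action-SSL-SerialNumber and Action-SSL-Cipher would insert them.
    sample_headers = {
        "Host": "www.example.test",
        "X-Subject-Name": "CN=alice,O=Example",
        "X-Serial-Number": "0A:1B:2C",
        "X-Cipher-Suite": "TLS1-AES-256-CBC-SHA",
    }
    print(audit_record(sample_headers, "10.102.20.5", "GET /reports HTTP/1.1"))
```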
Parameter | Specifies
Name |
Rule / Expression |
Request Action |
1.
2.
3. In the Name text box, type the name of the SSL Policy (for example, Policy-SSL-1).
4. Under Request Action, select the configured SSL action that you want to associate with this policy (for example, Action-SSL-1).
5.
Note: The ns_true general expression applies the policy to all successful
(200 OK) responses generated by the NetScaler. However, if you need to
filter specific responses, you can create policies with a higher level of
detail. For information about configuring granular policy expressions, see
the Citrix NetScaler Policy Configuration and Reference Guide.
6.
Example
add ssl policy Policy-SSL-1 -rule ns_true -reqAction Action-SSL-1
1. In the navigation pane, expand SSL Offload and click Virtual Servers.
2. From the list of virtual servers, select the virtual server that you want to bind the responder policy to (for example, select Vserver-SSL-1), and then click Open.
3. On the Policies tab, in the Active column, select the check box next to the policy you want to bind to the vserver (for example, Policy-SSL-1).
4. Click OK.
To bind an SSL policy to a virtual server using the NetScaler command line
Example
bind ssl vserver Vserver-SSL-1 -policyName Policy-SSL-1
Note: You can bind SSL policies globally or to custom bind points on the
NetScaler. For more information about binding policies on the NetScaler, see the
Citrix NetScaler Policy Configuration and Reference Guide.
When the NetScaler receives the HTTPS request, it decrypts the request and
applies layer 4-7 content switching techniques and load-balancing policies,
and then selects the best back-end Web server to serve the request.
After establishing the SSL session, the NetScaler encrypts the client's
request and sends it securely through the SSL session to the Web server.
The NetScaler decrypts all encrypted response packets from the Web
server, then re-encrypts the response data using the client-side SSL session
and sends it to the client.
The SSL session multiplexing technique reuses the existing SSL sessions with the
back-end Web servers, thus avoiding CPU-intensive key exchange (full
handshake) operations. This reduces the overall number of SSL sessions on the
server, while maintaining end-to-end security.
Note: For TCP traffic, follow the procedures given in the sections that follow,
but create SSL_TCP services instead of SSL services.
To configure SSL with end-to-end encryption, set the parameters as described in
the following sections.
The following procedure describes the steps to configure the SSL feature in a
basic SSL offload setup where an SSL virtual server Vserver-SSL-2 offloads
SSL traffic directed to two SSL services, Service-SSL-1 and Service-SSL-2.
1.
2.
3. In the Service Name text box, type the name of the service being added (for example, Service-SSL-1).
4. In the Server text box, type or select the IP address of the server to be associated with this service (for example, 10.102.20.30).
5.
6. In Port, type the port number for the SSL service to use (for example, 443).
7.
To create the second service, repeat the procedure, but use the service name Service-SSL-2 and IP address 10.102.20.31.
To add an SSL-based service using the NetScaler command line
Example
add service Service-SSL-1 10.102.20.30 SSL 443
1. In the navigation pane, expand SSL Offload, then click Virtual Servers.
2.
3. On the Services tab, in the Active column, select the check boxes next to the services Service-SSL-1 and Service-SSL-2.
4. Click OK. The services Service-SSL-1 and Service-SSL-2 are bound to the virtual server Vserver-SSL-2.
Example
bind lb vserver Vserver-SSL-2 Service-SSL-1
Note: SSL_TCP service is used for non-HTTPS services (for example SMTPS,
and IMAPS).
Individual service
No limit
No limit
Back-end encryption
Not supported
Supported
One-arm mode
Not supported
Not supported
N/A
Not supported
You can apply service-based transparent SSL acceleration to data that uses
different protocols. Set the clear text port of the SSL service to the port on which
the clear text data transfer between the SSL service and the server will occur.
To configure service-based transparent SSL acceleration for secure HTTP-based
data, configure the parameters as described in the following sections.
The following procedure describes the steps to configure the SSL feature in a
service-based transparent SSL setup. An SSL service, Service-SSL-Transparent,
is created that offloads SSL traffic directed to the Web server 192.168.1.100. The
clear text data between the SSL service and the Web server is transferred using
port 8080.
1. In the navigation pane, expand SSL Offload, and then click Services.
2. From the list of configured services, select the service to which you want to bind the certificate key pair (for example, Service-SSL-Transparent), then click Open.
3. Select the SSL Settings tab. The certificate key pairs configured on the NetScaler are listed in the Available area.
4. Select the certificate key pair that you want to bind to the service and click Add. The certificate key pair appears in the Configured area.
5.
Example
bind certkey Service-SSL-Transparent Certkey-SSL-1 -service
1. In the navigation pane, expand SSL Offload, and then click Virtual Servers.
2.
3. In the Name text box, type the name of the virtual server to be created (for example, Vserver-SSL-WildCard).
4.
5.
6. In the Port text box, type the port number for the virtual server to use (for example, type 443).
7. Click Create, and then click Close. The virtual server you created appears in the SSL Offload Virtual Servers page.
Example
add vserver Vserver-SSL-WildCard SSL * 443
Setting the Clear Text Port for the Wildcard Virtual Server
Set the clear text port of the wildcard virtual server Vserver-SSL-WildCard to
8080.
For instructions on setting the clear text port on an SSL virtual server, see
Configuring Advanced SSL Settings, on page 414.
Note: This example describes the procedure to set the clear text port for HTTP-based data. To set the clear text port for non-HTTP data, substitute the appropriate choices in the procedure.
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2.
3.
4.
5. Click Create and click Close. The vserver you created appears in the Load Balancing Virtual Servers page.
Example
add lb vserver Vserver-LB-1 HTTP 192.168.1.100 80
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2.
3. In the Active column, select the check box next to Service-SSL-1 and click OK. The SSL service is bound to the HTTP virtual server.
Example
bind lb vserver Vserver-HTTP-1 Service-SSL-1
Note: To bind the SSL service Service-SSL-2 to the virtual server, repeat the
procedure, but in step 3, select the option next to Service-SSL-2.
1. In the navigation pane, expand System, then click Settings. The Settings page appears in the right pane.
2. Under Modes and Features, click Basic Features. The Configure Basic Features dialog box appears.
3. Select the Load Balancing check box, then click OK. When the Enable/Disable Feature(s)? message appears, click Yes. The Load Balancing feature is enabled on the NetScaler.
To enable the load balancing feature using the NetScaler command line
Example
enable ns feature lb
1. In the navigation pane, expand SSL Offload, and then click Services.
2.
3. In the Service Name, Server and Port text boxes, type Service-SSL_Bridge-1, 192.168.1.100 and 443.
Note: If the server is already configured, under Server, select the configured server associated with the service.
4.
5. Click Create, and then click Close. The SSL_BRIDGE service you configured appears in the Services page.
Example
add service Service-SSL_Bridge-1 192.168.1.100 SSL_BRIDGE 443
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2.
3. In the Name, IP Address, and Port text boxes, type Vserver-SSL_Bridge-1, 192.168.1.10, and 443.
4.
5. Click Create and click Close. The virtual server you created appears in the Load Balancing Virtual Servers page.
Example
add vserver Vserver-SSL_Bridge-1 SSL_BRIDGE 192.168.1.10 443
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2.
3.
Example
bind lb vserver Vserver-SSL_Bridge-1 Service-SSL_Bridge-1
The NetScaler chooses a Web server, based on the load balancing policies
you have configured.
The request is then sent to the server IP address, based on the NetScaler's
mapped IP address.
Name | Value
Vserver-SSL-LB | 192.168.1.10:443
HTTP Service Service-HTTP-1 | 192.168.1.100:80
HTTP Service Service-HTTP-2 | 192.168.1.101:80
SSL Certificate | Certkey-1
Name | Value
HTTP Service Service-HTTP-1 | 192.168.1.100:80
HTTP Service Service-HTTP-2 | 192.168.1.101:80
HTTP Service Service-HTTP-3 | 192.168.1.102:80
HTTP Service Service-HTTP-4 | 192.168.1.103:80
Load Balancing Virtual Server Vserver-LB-HTML | 192.168.1.10:80
Load Balancing Virtual Server Vserver-LB-Image | 192.168.1.20:80
SSL based CS Virtual Server Vserver-SSL-CS | 10.102.1.100:443
Certificate | Certkey-1

Name | IP Address: Port
Service-HTTP-1 | 192.168.1.100:80
Service-HTTP-2 | 192.168.1.101:80
Service-HTTP-3 | 192.168.1.102:80
Service-HTTP-4 | 192.168.1.103:80
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2.
3.
4.
5. Click Create and click Close. The virtual server that you have created appears in the Load Balancing Virtual Servers page.
Example
add lb vserver Vserver-LB-HTML HTTP 192.168.1.10 80
Note: To create the Vserver-LB-Image virtual server, repeat the procedure, but
in step 3, type Vserver-LB-Image, 192.168.1.20, and 80.
1.
2.
3.
4.
5.
6.
7. Click Create and click Close. The virtual server that you have created appears in the Content Switching Virtual Servers page.
Example
add cs vserver Vserver-CS-SSL SSL 10.102.1.100 443
Note: In the preceding configuration, the cache devices are configured to send
all cache-misses to the HTTP virtual server configured on the NetScaler. The
NetScaler re-encrypts the requests and sends them using the secure SSL session
to the SSL services bound to the HTTP virtual server.
Cipher Name | Protocol | Key Exchange (Key Size) | Authentication | Encryption (Key Size) | Message Authentication
SSL3-RC4-MD5 | SSLv3 | RSA | RSA | RC4(128) | MD5
SSL3-RC4-SHA | SSLv3 | RSA | RSA | RC4(128) | SHA1
SSL3-DES-CBC3-SHA | SSLv3 | RSA | RSA | 3DES(168) | SHA1
TLS1-AES-256-CBC-SHA | TLSv1 | RSA | RSA | AES(256) | SHA1
TLS1-AES-128-CBC-SHA | TLSv1 | RSA | RSA | AES(128) | SHA1
SSL3-EDH-DSS-DES-CBC3-SHA | SSLv3 | DH | DSS | 3DES(168) | SHA1
TLS1-DHE-DSS-RC4-SHA | TLSv1 | DH | DSS | RC4(128) | SHA1
TLS1-DHE-DSS-AES-256-CBC-SHA | TLSv1 | DH | DSS | AES(256) | SHA1
TLS1-DHE-DSS-AES-128-CBC-SHA | TLSv1 | DH | DSS | AES(128) | SHA1
SSL3-EDH-RSA-DES-CBC3-SHA | SSLv3 | DH | RSA | 3DES(168) | SHA1
TLS1-DHE-RSA-AES-256-CBC-SHA | TLSv1 | DH | RSA | AES(256) | SHA1
TLS1-DHE-RSA-AES-128-CBC-SHA | TLSv1 | DH | RSA | AES(128) | SHA1

Cipher Name | Protocol | Key Exchange (Key Size) | Authentication | Encryption (Key Size) | Message Authentication | Export
SSL3-RC4-MD5 | SSLv3 | RSA | RSA | RC4(128) | MD5 |
SSL3-RC4-SHA | SSLv3 | RSA | RSA | RC4(128) | SHA1 |
SSL3-DES-CBC3-SHA | SSLv3 | RSA | RSA | 3DES(168) | SHA1 |
SSL3-DES-CBC-SHA | SSLv3 | RSA | RSA | DES(56) | SHA1 |
TLS1-EXP1024-RC4-SHA | TLSv1 | RSA(1024) | RSA | RC4(56) | SHA1 | Export
TLS1-EXP1024-DES-CBC-SHA | TLSv1 | RSA(1024) | RSA | DES(56) | SHA1 | Export
TLS1-AES-256-CBC-SHA | TLSv1 | RSA | RSA | AES(256) | SHA1 |
TLS1-AES-128-CBC-SHA | TLSv1 | RSA | RSA | AES(128) | SHA1 |
SSL3-EXP-RC4-MD5 | SSLv3 | RSA(512) | RSA | RC4(40) | MD5 | Export
SSL3-EXP-DES-CBC-SHA | SSLv3 | RSA(512) | RSA | DES(40) | SHA1 | Export
SSL3-EXP-RC2-CBC-MD5 | SSLv3 | RSA(512) | RSA | RC2(40) | MD5 | Export
SSL2-RC4-MD5 | SSLv2 | RSA | RSA | RC4(128) | MD5 |
SSL2-DES-CBC3-MD5 | SSLv2 | RSA | RSA | 3DES(168) | MD5 |
SSL2-RC2-CBC-MD5 | SSLv2 | RSA | RSA | RC2(128) | MD5 |
SSL2-DES-CBC-MD5 | SSLv2 | RSA | RSA | DES(56) | MD5 |
SSL2-RC4-64-MD5 | SSLv2 | RSA | RSA | RC4(64) | MD5 |
SSL2-EXP-RC4-MD5 | SSLv2 | RSA(512) | RSA | RC4(40) | MD5 | Export
SSL3-EDH-DSS-DES-CBC3-SHA | SSLv3 | DH | DSS | 3DES(168) | SHA1 |
SSL3-EDH-DSS-DES-CBC-SHA | SSLv3 | DH | DSS | DES(56) | SHA1 |
TLS1-EXP1024-DHE-DSS-DES-CBC-SHA | TLSv1 | DH(1024) | DSS | DES(56) | SHA1 | Export
TLS1-DHE-DSS-RC4-SHA | TLSv1 | DH | DSS | RC4(128) | SHA1 |
TLS1-EXP1024-DHE-DSS-RC4-SHA | TLSv1 | DH(1024) | DSS | RC4(56) | SHA1 | Export
TLS1-DHE-DSS-AES-256-CBC-SHA | TLSv1 | DH | DSS | AES(256) | SHA1 |
SSL3-EXP-EDH-DSS-DES-CBC-SHA | SSLv3 | DH(512) | DSS | DES(40) | SHA1 | Export
TLS1-DHE-DSS-AES-128-CBC-SHA | TLSv1 | DH | DSS | AES(128) | SHA1 |
SSL3-EDH-RSA-DES-CBC-SHA | SSLv3 | DH | RSA | DES(56) | SHA1 |
SSL3-EDH-RSA-DES-CBC3-SHA | SSLv3 | DH | RSA | 3DES(168) | SHA1 |
SSL3-EXP-EDH-RSA-DES-CBC-SHA | SSLv3 | DH(512) | RSA | DES(40) | SHA1 | Export
TLS1-DHE-RSA-AES-256-CBC-SHA | TLSv1 | DH | RSA | AES(256) | SHA1 |
TLS1-DHE-RSA-AES-128-CBC-SHA | TLSv1 | DH | RSA | AES(128) | SHA1 |
TLS1-EXP1024-RC4-MD5 | TLSv1 | RSA(1024) | RSA | RC4(56) | MD5 | Export
TLS1-EXP1024-RC2-CBC-MD5 | TLSv1 | RSA(1024) | RSA | RC2(56) | MD5 | Export
SSL2-EXP-RC2-CBC-MD5 | SSLv2 | RSA(512) | RSA | RC2(40) | MD5 | Export
SSL3-ADH-RC4-MD5 | SSLv3 | DH | None | RC4(128) | MD5 |
SSL3-ADH-DES-CBC-SHA | SSLv3 | DH | None | DES(56) | SHA1 |
SSL3-ADH-DES-CBC3-SHA | SSLv3 | DH | None | 3DES(168) | SHA1 |
TLS1-ADH-AES-128-CBC-SHA | TLSv1 | DH | None | AES(128) | SHA1 |
TLS1-ADH-AES-256-CBC-SHA | TLSv1 | DH | None | AES(256) | SHA1 |
SSL3-EXP-ADH-RC4-MD5 | SSLv3 | DH(512) | None | RC4(40) | MD5 | Export
SSL3-EXP-ADH-DES-CBC-SHA | SSLv3 | DH(512) | None | DES(40) | SHA1 | Export
SSL3-NULL-MD5 | SSLv3 | RSA | RSA | None | MD5 |
SSL3-NULL-SHA | SSLv3 | RSA | RSA | None | SHA1 |
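The cipher table above lists suites whose properties (SSLv2, export-grade keys, anonymous DH, NULL encryption, MD5 MACs) an administrator reviewing a NetScaler's SSL configuration would want flagged. The following is an added example (not NetScaler code) that audits rows taken from this table, using the same column layout; the weakness thresholds it applies are the example's own choices, and the sample rows are a constructed subset of the table.

```python
"""Audit cipher suites described in the NetScaler cipher table for
properties a defender would not want enabled (added example)."""
import re

# Constructed subset of the cipher table on this page, one tuple per row:
# (cipher name, protocol, key exchange, authentication, encryption, MAC, export)
SAMPLE_CIPHERS = [
    ("TLS1-AES-256-CBC-SHA", "TLSv1", "RSA", "RSA", "AES(256)", "SHA1", False),
    ("TLS1-DHE-RSA-AES-128-CBC-SHA", "TLSv1", "DH", "RSA", "AES(128)", "SHA1", False),
    ("SSL3-RC4-MD5", "SSLv3", "RSA", "RSA", "RC4(128)", "MD5", False),
    ("SSL3-DES-CBC-SHA", "SSLv3", "RSA", "RSA", "DES(56)", "SHA1", False),
    ("SSL3-EXP-RC4-MD5", "SSLv3", "RSA(512)", "RSA", "RC4(40)", "MD5", True),
    ("TLS1-EXP1024-RC4-SHA", "TLSv1", "RSA(1024)", "RSA", "RC4(56)", "SHA1", True),
    ("SSL2-DES-CBC3-MD5", "SSLv2", "RSA", "RSA", "3DES(168)", "MD5", False),
    ("TLS1-ADH-AES-256-CBC-SHA", "TLSv1", "DH", "None", "AES(256)", "SHA1", False),
    ("SSL3-NULL-SHA", "SSLv3", "RSA", "RSA", "None", "SHA1", False),
]

_KEY_SIZE = re.compile(r"\((\d+)\)")

# Thresholds chosen for this example (not NetScaler defaults).
MIN_KX_BITS = 2048      # shortest acceptable RSA/DH key exchange key
MIN_ENC_BITS = 128      # shortest acceptable symmetric key
LEGACY_ALGS = ("DES", "3DES", "RC2", "RC4")


def key_bits(spec):
    """'AES(256)' -> 256; 'RSA' -> None (the table states no size)."""
    match = _KEY_SIZE.search(spec)
    return int(match.group(1)) if match else None


def weaknesses(row):
    """Return the list of reasons a cipher row should be avoided ([] if none)."""
    name, proto, kx, auth, enc, mac, export = row
    reasons = []
    if proto in ("SSLv2", "SSLv3"):
        reasons.append("%s protocol" % proto)
    if export:
        reasons.append("export-grade cipher")
    kx_bits = key_bits(kx)
    if kx_bits is not None and kx_bits < MIN_KX_BITS:
        reasons.append("%d-bit %s key exchange" % (kx_bits, kx.split("(")[0]))
    if auth == "None":
        reasons.append("anonymous key exchange (no server authentication)")
    if enc == "None":
        reasons.append("NULL encryption")
    else:
        alg = enc.split("(")[0]
        bits = key_bits(enc) or 0
        if alg in LEGACY_ALGS:
            reasons.append("%s encryption" % alg)
        if bits < MIN_ENC_BITS:
            reasons.append("%d-bit encryption key" % bits)
    if mac == "MD5":
        reasons.append("MD5 MAC")
    return reasons


def audit(rows):
    """Map each cipher name to its list of weaknesses."""
    return {row[0]: weaknesses(row) for row in rows}


def strong_ciphers(rows):
    """Names of the rows with no flagged weakness, in table order."""
    return [row[0] for row in rows if not weaknesses(row)]


def report(rows):
    """One line per cipher: name followed by its findings or 'ok'."""
    lines = []
    for name, reasons in audit(rows).items():
        lines.append("%-32s %s" % (name, "; ".join(reasons) if reasons else "ok"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CIPHERS))
```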
Chapter 6
FIPS
The FIPS system adheres to the FIPS-140-2 Level 2 norms. The FIPS system is
equipped with a tamper-proof (tamper-evident) cryptographic module. This
cryptographic module is a Cavium CN1120-NFB card, designed to comply with
the FIPS 140-2 Level-2 and Level-3 norms. The Critical Security Parameters
(CSPs), primarily the server's private key, are securely stored and generated
inside the cryptographic module (also referred to as the Hardware Security
Module, or HSM). The CSPs are never accessed outside the boundaries of the HSM.
Only the super user on the system (nsroot) can perform operations on the keys
stored inside the HSM.
The following table summarizes the differences between the NetScaler and the
FIPS-enabled NetScaler.
Setting
FIPS
Key storage
Cipher support
All ciphers
Accessing Keys
Not accessible
The following sections have been arranged in the order in which a user might
typically configure and use the FIPS system. However, certain sections have been
added to make the guide more comprehensive.
Note: When changing the SO password and the user password for the first time,
specify sopin123 as the old SO password.
While the FIPS system can be used with these values, it is advisable to modify
them on the HSM before using it. The HSM can be configured only by the
systems super user (nsroot) and should be configured before you run the FIPS
system for the first time.
Configuring the HSM allows you to specify the HSM-specific passwords. It also
erases all the existing data on the HSM.
Note: Due to security constraints, the system does not provide a means for
retrieving this password. Store a copy of the password safely. In the event of a
need to re-initialize the HSM, you will need to specify this password as the old
SO password.
The following sample procedure describes the steps to initialize the HSM and
change the Security Officer password from sopin123 to fipsso123.
To configure the HSM
1. In the left pane, expand SSL, then click FIPS. The FIPS page appears in the right pane.
2. Click the Initialize HSM button. The Initialize HSM dialog box appears.
3.
4.
5.
6.
7.
Note: After the HSM is initialized, the current configuration of the system
needs to be saved. (If this is not done, the card will not function after a system
reboot.) Any subsequent attempt to change the SO password will cause the card
to be locked.
1. In the left pane, expand SSL, then click FIPS. The FIPS page appears in the right pane.
2. Click the FIPS Keys tab. The list of configured FIPS keys appears in the FIPS keys page.
3. Click the Add button. The Create FIPS Key dialog box appears.
4.
5.
6.
7. Click Create. The FIPS key you just created is stored in the HSM of the system.
1.
In the left pane, expand SSL, then click FIPS. The FIPS page appears in the
right pane.
2.
Click the FIPS Keys tab. The FIPS keys page appears.
3.
Click the Export button. The Export FIPS key to a file dialog box
appears.
4.
Under FIPS Key Name, select the key you want to export, for example,
Key-FIPS-1.
5.
In the File Name text box, type the name of the file to be exported to, for
example, Key-FIPS-1.key.
Note: The exported file is stored in the /nsconfig/ssl directory by default.
If you choose to use any other directory, you must specify the complete
path to the location. You can also use the browse button to launch the file
explorer to navigate any location on the system.
6.
Click Export. The FIPS key you exported is saved in the location you
specified.
Note: To avoid errors when importing a FIPS key, make sure that the name you
give the exported key is the same as the name the key had when it was
created.
It is recommended that you create a backup of any key created on the FIPS HSM,
because, once any key on the HSM is deleted, all of the certificates associated
with it are rendered useless. Also, once deleted, there is no way to create the same
key again.
1.
In the left pane, expand SSL, then click FIPS. The FIPS page appears in the
right pane.
2.
Click the FIPS Keys tab. The FIPS keys page appears.
3.
Click the Import button. The Import as a FIPS Key dialog box appears.
4.
5.
In the FIPS Key Name text box, type the name of the FIPS key to be
created, for example, Key-FIPS-1.
6.
In the Key File Name text box, type the name of the FIPS key to be
imported, for example, Key-FIPS-1.key.
Note: The default location is the /nsconfig/ssl directory. If the file is
located in another directory, you must specify the complete path to the
location. You can also use the browse button to launch the file explorer and
navigate to any location on the system.
7.
Click Import. The FIPS key is now imported into the system.
1.
In the left pane, expand SSL, then click FIPS. The FIPS page appears in
the right pane.
2.
Click the Wrap Keys tab. The list of configured wrap keys appears in the
Wrap Key page.
3.
Click the Add button. The Create Wrap Key dialog box appears.
4.
In the Wrap Key Name text box, type the name of the wrap key being
created, for example, Key-Wrap-1.
5.
In the Password text box, type the password to be used for the wrap key,
for example wrapkey123.
6.
In the Salt text box, type the salt string to be used for the wrap key, for
example wrapsalt123.
7.
Click Create. The wrap key you created now appears in the Wrap Keys
page.
1.
In the left pane, expand SSL, then click FIPS. The FIPS page appears in
the right pane.
2.
Click the FIPS Keys tab. The FIPS keys page appears.
3.
Click the Import button. The Import as a FIPS Key dialog box appears.
4.
5.
6.
In the Key Name (PKCS8 Format) text box, type the name of the file
where the converted key should be stored, for example, Key-PKCS8-1.
7.
In the Private Key Path text box, type the path of the external key to be
converted, for example, Key-External-1.pem.
8.
Under Key Format, select the format in which the external key is saved,
for example, PEM.
9.
In the Password text box, type the password used to encrypt the key, for
example, FIPS-Password.
10.
Click Convert. The external key is now converted to the PKCS8 format.
1.
In the left pane, expand SSL, then click FIPS. The FIPS page appears in
the right pane.
2.
Click the FIPS Keys tab. The FIPS keys page appears.
3.
Click the Import button. The Import as a FIPS Key dialog box appears.
4.
5.
In the FIPS Key Name text box, type the name of the FIPS key to be
created, for example, Key-Pkcs8-1.
6.
In the Key File Name text box, type the name of the FIPS key to be
imported, for example, Key-Pkcs8-1.key.
7.
Under Wrap Key Name, select the wrap key to be used for the import, for
example, Key-Wrap-1.
8.
In the IV text box, type the initialization vector to be used for importing the
key, for example, wrapkey123.
9.
Click Import. The key is unwrapped and imported into the HSM, and appears in
the FIPS Keys page.
Note: For security reasons, delete the external private key from the hard disk
after you import it into the HSM.
1.
In the left pane, expand SSL, then click CA Tools. The CA Tools page
appears in the right pane.
2.
3.
In the Request File Name text box, type the name of the CSR, for example
Certificate-Request-1.
4.
In the Key File Name text box, type the name of the FIPS key to be used to
create the CSR, for example, Key-FIPS-1.
Note: You can use the browse button to navigate to the saved key on the
system.
5.
Select the format the key was saved in, for example, PEM.
6.
In the PEM Passphrase (For Encrypted Key), type the password used to
encrypt the key.
7.
8.
Click Create, then click Close. The certificate signing request you created
is saved on the system in the location you specified.
Now send the CSR to a CA for authentication and signing. Most CAs accept
certificate submissions by email. The CA will return a valid certificate to the
email address you used to submit the CSR.
Once you have obtained the signed certificate from a CA, install the certificate
and its corresponding private key on the system.
1.
In the left pane, expand SSL, then click FIPS. The FIPS page appears in
the right pane.
2.
Select the FIPS Info tab, then click the Enable SIM button. The Enable
HA Pair for SIM dialog box appears.
3.
In the Certificate File Name text box, type the file name and path on the
source system where the FIPS certificate should be stored, for example,
4.
In the Key Vector File Name text box, type the file name and path on the
source system where the FIPS key vector should be stored.
5.
In the Target Secret File Name text box, type the location for storing the
secret data on the target system.
6.
In the Source Secret File Name text box, type the location for storing the
secret data on the source system.
7.
Click OK. The FIPS systems are now configured in the HA mode.
Note: The secret file on each system holds the FIPS key material while it is
in transit: the source system copies the key into its secret file before
transferring it, and the target system receives the key into its secret file.
Managing Certificates
When a non-FIPS system is started, the default certificate, ns-server-certificate,
is loaded automatically. The certificate-key pair is taken from the default
certificate and key files that are created when the build is installed. However,
on a FIPS system a key cannot be loaded from the hard disk, and therefore the
default ns-server-certificate is not configured on the NetScaler.
To configure a certificate on the internal services of a FIPS system, you need to
perform one of the following:
Create a fipskey and a certificate. Then, load the certificate and associate it
with the fipskey as ns-server-certificate. The FIPS key is
automatically bound to the internal services. For information on how to
create FIPS key, see Creating FIPS Keys, on page 458.
Import an external key as fipskey. Then, load the certificate and associate it
with the fipskey as ns-server-certificate. For information on
how to import an external key, see Importing FIPS Keys, on page 459.
1.
In the left pane, expand SSL and click Certificates. The SSL Certificates
page appears in the right pane.
2.
3.
In the Name text box, type the name of the certificate key pair you want to
add.
4.
5.
Select the Browse button next to Certificate Filename. The system file
browser appears.
6.
7.
Select the Browse button next to Key Filename. The system file browser
appears.
8.
9.
Click Install. The certificate key pair you created appears in the SSL
Certificates window.
Note: The FIPS system does not support external keys. As a result, on a FIPS
system, you cannot load keys from a local storage device such as a hard disk
or flash memory.
The
1.
In the left pane, expand SSL Offload, then click Virtual Servers. The SSL
Offload Virtual Servers page appears in the right pane.
2.
From the list of virtual servers, select the virtual server you want to bind the
certificate key pair to. For example, select Vserver-SSL-1, then click
Open. The Configure Virtual Server (SSL Offload ) appears.
3.
Select the SSL Settings tab. The list of configured certificate key pairs
configured on the system are displayed in the Available area.
4.
Select the certificate key pair that you want to bind to the virtual server and
click Add. The certificate key pair appears in the Configured area.
5.
To bind an SSL certificate key pair to a virtual server using the NetScaler
command line
CHAPTER 7
Domain Name System
This chapter describes the Domain Name System (DNS) features supported by
the Citrix NetScaler. It explains the procedures to configure the NetScaler as an
authoritative DNS (ADNS) server and DNS proxy server, and describes the
available configuration options and procedures.
In This Chapter
How DNS Works
Configuring DNS Resource Records
Configuring the NetScaler as an ADNS Server
Configuring the NetScaler as a DNS Proxy Server
Configuring the NetScaler as an End Resolver
Configuring the NetScaler as a Forwarder
Configuring DNS Suffixes
DNS ANY Query
To configure the NetScaler as an ADNS server, you must add an ADNS service,
then configure the zone file for a domain by adding valid SOA and NS records
for the domain. When a client sends a DNS request for a name in that domain,
the query reaches the NetScaler, which maps the domain name to its resource
record and answers. You can configure the ADNS service to be used with the
NetScaler Global Server Load Balancing (GSLB) feature.
You can delegate a subdomain, by adding NS records for the subdomain to the
zone file of the parent domain. You can then make the NetScaler authoritative for
the subdomain, by adding a "glue record" for each of the subdomain name
servers. When the NetScaler is made authoritative, any DNS request for the
domain reaches the NetScaler. If GSLB is configured, the NetScaler makes a
GSLB load balancing decision based on its configuration and replies with the IP
address of the selected virtual server. The following figure shows the entities of
an ADNS and DNS proxy setup.
Note: The ADNS server is configured in a GSLB setup.
The NetScaler provides two options, minimum time to live (TTL) and maximum
TTL for configuring the lifetime of the cached data. The cached data times out
based on your settings for these two options. The NetScaler checks the TTL of the
DNS record coming from the back-end server. If the TTL is less than the
configured minimum TTL, it is replaced with the configured minimum TTL. If
the TTL is greater than the configured maximum TTL, it is replaced with the
configured maximum TTL.
The NetScaler also allows caching of negative responses for a domain. A
negative response indicates that information about a requested domain does not
exist, or that the server cannot provide an answer for the query. The storage of
this information is called negative caching. Negative caching helps speed up
responses to queries on a domain, and can optionally provide the record type.
A negative response can be one of the following:
Functional Overview
If the NetScaler is configured as an ADNS server, it returns the DNS records in
the order in which the records are configured. If the NetScaler is configured as a
DNS proxy, it returns the DNS records in the order in which it receives the record
from the back-end server. The order of the records present in the cache matches
the order in which records are received from the back-end server.
The NetScaler then changes the order in which records are sent in the DNS
response in a round robin method. The first response contains the first record in
sequence, the second response contains the second record in sequence, the third
response contains the third record in sequence, and the order continues in the
same sequence. Thus, clients requesting the same name can connect to different
IP addresses.
When the NetScaler receives a query for the NS record of abc.com, the four
address records of the name server ns1 are served in a round robin method as
follows. In the first DNS response, 1.1.1.1 is served as the first record:
ns1.  1H IN A  1.1.1.1
ns1.  1H IN A  1.1.1.2
ns1.  1H IN A  1.1.1.3
ns1.  1H IN A  1.1.1.4
In the second DNS response, the second IP address, 1.1.1.2, is served as the
first record:
ns1.  1H IN A  1.1.1.2
ns1.  1H IN A  1.1.1.3
ns1.  1H IN A  1.1.1.4
ns1.  1H IN A  1.1.1.1
In the third DNS response, the third IP address, 1.1.1.3, is served as the
first record:
ns1.  1H IN A  1.1.1.3
ns1.  1H IN A  1.1.1.4
ns1.  1H IN A  1.1.1.1
ns1.  1H IN A  1.1.1.2
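The rotation described above, as an added example that is not part of the original guide or of any NetScaler code: a cached record set keeps its address records in the order they were configured or received, and each response starts one record further along. The owner name, TTL and addresses are the constructed values from the text.

```python
from dataclasses import dataclass, field


@dataclass
class RRSet:
    """Address records for one owner name, kept in the order they were
    configured (ADNS) or received from the back-end server (DNS proxy)."""
    name: str
    ttl: int
    records: list
    _cursor: int = field(default=0, repr=False)

    def next_response(self):
        """Rotate the record list for the next response and advance the cursor,
        so that each successive client sees a different record first."""
        n = len(self.records)
        if n == 0:
            return []
        start = self._cursor % n
        self._cursor = (start + 1) % n
        return self.records[start:] + self.records[:start]

    def format_answer(self):
        """Render the next response as zone-file style lines (TTL in seconds)."""
        return [f"{self.name} {self.ttl} IN A {ip}" for ip in self.next_response()]


# Constructed sample: the four address records of ns1 used in the text.
NS1 = RRSet("ns1.abc.com.", 3600, ["1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4"])

if __name__ == "__main__":
    for i in range(5):
        print(f"response {i + 1}: {NS1.next_response()}")
```

Note that the rotation only spreads load if clients honour the order they receive; a resolver that caches the whole set and picks its own address, or one that sorts addresses (RFC 3484/6724 style), defeats it, which is one reason the GSLB chapter hands out a single selected address instead.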
Service records
AAAA records
Address records
Canonical records
Pointer records
The following table lists the record types and the number of records (per record
type) that you can configure for a domain on the NetScaler.
Record Type and Number Configurable
Record Type       Number of Records
Address (A)       25
IPv6 (AAAA)       12
Service (SRV)     16
Pointer (PTR)     20
Specifies
Domain name
Target
HostName
IP Address
Priority
Weight
Port
1.
In the navigation pane, expand DNS, expand Records, and then click SRV
Records.
2.
3.
In the Domain Name text box, type the name of the service (for example,
http.tcp.abc.com).
4.
In the Target drop-down list, select the host on which you want to host the
service, or click New to create a target host.
A.
In the Host Name text box, type the domain name for the DNS
address record (for example, g.root-servers.net).
B.
In the IP Address text box, type the IP address for the domain name.
C.
5.
In Priority, Weight, and Port, specify the appropriate values (for example,
2, 3, and 80, respectively).
6.
Click Create and click Close. The SRV record you created appears on the
SRV Records page.
Example
add dns srvRec http.tcp.abc.com g.root-servers.net -priority 2 -weight 3 -port 80
Specifies
Host Name
IPv6 Address
1.
In the navigation pane, expand DNS, expand Records, and then click
AAAA Records.
2.
3.
In the Host Name text box, type the host name for the AAAA record (for
example, www.mynw.com).
4.
In the IPv6 Address text box, type the IPv6 address (for example,
2001:0db8:0000:0000:0000:0000:1428:57ab).
5.
6.
Example
add dns aaaaRec www.mynw.com
2001:0db8:0000:0000:0000:0000:1428:57ab
Specifies
Host Name
IP Address
1.
In the navigation pane, expand DNS, expand Records, and click Address
Records.
2.
3.
In the HostName text box, type the domain name for the DNS address
record (for example, ns1.abc.com).
4.
In the IP Address text box, type the IP address for the domain name (for
example, 10.100.100.3).
5.
Click Add.
6.
Example
add dns addRec ns1.abc.com 10.100.100.3
Specifies
Domain Name
Mail Exchange
Preference No
MX Record Parameters
Parameter
Specifies
TTL
1.
In the navigation pane, expand DNS, expand Records, and click Mail
Exchange Records.
2.
3.
In the Domain Name text box, type the domain name for the DNS address
record (for example, www.abc.com).
4.
In the Mail Exchange drop-down list, select the host name of the mail server
for the domain (for example, mail.abc.com). The list shows the host names of
the configured address records. In the Preference No text box, type the
preference value (for example, 2).
5.
6.
Example
add dns mxRec www.abc.com -mx mail.abc.com -pref 2
Specifies
Domain Name
Name Server
The following procedure describes the steps to add an NS record ns1.abc.com for
the domain www.abc.com.
To create an NS record using the configuration utility
1.
In the navigation pane, expand DNS, expand Records, and click Name
Server Records.
2.
3.
In the Domain Name text box, type the domain name for the DNS address
record (for example, www.abc.com).
4.
In the Name Server drop-down list, select the primary authoritative name
server (for example, ns1.abc.com).
5.
Example
add dns nsRec www.abc.com ns1.abc.com
Specifies
Alias Name
Canonical Server
1.
In the navigation pane, expand DNS, expand Records, and click Canonical
Records.
2.
3.
In the Alias Name text box, type the alias (for example, www.wxyz.com).
4.
In the Canonical Server drop-down list, select the canonical name that the
alias points to (for example, www.xyz.com).
5.
Example
add dns cnameRec www.wxyz.com www.xyz.com
Specifies
Reverse Domain
Domain
1.
In the navigation pane, expand DNS, expand Records, and click PTR
Records.
2.
3.
In the Reverse Domain text box, type the reverse domain (the address octets
in reverse order) for which the PTR record is created (for example,
16.3.0.122).
4.
In the Domain text box, type the domain name that the address reverse-maps
to (for example, mynw1.com).
5.
Click Add.
6.
Example
add dns ptrrec 1.1.1.in-addr.arpa. abc.com
Specifies
Domain Name
Origin Server
Contact
Serial No
Specifies
Refresh (secs)
Retry
Expires (secs)
Expiry time in seconds. If the refresh and retry attempts fail after
this many seconds, the server stops serving the zone. The typical
value is one week. This parameter is not used by a primary
server.
Minimum (secs)
Default TTL for every record in the zone. Can be overridden for
any particular record. Typical values range from eight hours to
four days. When changes are being made to a zone, often set at 10
minutes or less.
TTL (secs)
1.
In the navigation pane, expand DNS, expand Records, and click SOA
Records.
2.
3.
In the Domain Name text box, type the domain name for which you want
to add the SOA record (for example, www.abc.com).
4.
In the Origin Server drop-down list, select the name of the origin server
for the given domain (for example, ns1.abc.com).
5.
In the Contact and Serial No text boxes, type the name of the contact
person for the ADNS server, and the serial number that a secondary server
uses to determine if it requires a zone transfer from the primary server (for
example, root.abc.com and 20020121).
6.
Example
add dns soaRec www.abc.com -originServer ns1.abc.com
-contact root.abc.com -serial 20020121
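The zone and delegation set-up described at the start of this chapter (SOA and NS records for the zone, NS records plus a "glue" address record for a delegated subdomain) can be generated and checked before it is typed into the NetScaler. The following is an added example, not code from the guide or from Citrix; it emits the same add dns soaRec, nsRec and addRec command forms shown in this chapter and flags a lame delegation, that is, a subdomain name server whose name lies inside the subdomain but has no glue address. The subdomain gslb.abc.com and the addresses are constructed values.

```python
import ipaddress


def in_zone(name, zone):
    """True if name is zone itself or lies beneath it (trailing dots ignored)."""
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def zone_commands(zone, origin_server, contact, serial, nameservers):
    """SOA, NS and address records for a zone the NetScaler is authoritative for.
    nameservers maps each NS host name to its IP address (None = no A record)."""
    cmds = [f"add dns soaRec {zone} -originServer {origin_server} "
            f"-contact {contact} -serial {serial}"]
    for ns, ip in nameservers.items():
        cmds.append(f"add dns nsRec {zone} {ns}")
        if ip is not None:
            ipaddress.ip_address(ip)          # reject malformed addresses early
            cmds.append(f"add dns addRec {ns} {ip}")
    return cmds


def delegation_commands(parent, subdomain, sub_nameservers):
    """NS records that delegate subdomain from the parent zone, plus glue.

    A glue address record is emitted for every subdomain name server whose
    own name lies inside the subdomain; without it the delegation is lame,
    because a resolver cannot look up the server's address without already
    being able to reach that server. Returns (commands, problems)."""
    if not in_zone(subdomain, parent) or subdomain.rstrip(".") == parent.rstrip("."):
        raise ValueError(f"{subdomain} is not a subdomain of {parent}")
    cmds, problems = [], []
    for ns, ip in sub_nameservers.items():
        cmds.append(f"add dns nsRec {subdomain} {ns}")
        if in_zone(ns, subdomain):
            if ip is None:
                problems.append(f"{ns} is inside {subdomain} but has no glue address")
            else:
                ipaddress.ip_address(ip)
                cmds.append(f"add dns addRec {ns} {ip}")   # glue record
    return cmds, problems


if __name__ == "__main__":
    # Constructed example: abc.com delegates gslb.abc.com to a NetScaler ADNS.
    for line in zone_commands("abc.com", "ns1.abc.com", "root.abc.com", 20020121,
                              {"ns1.abc.com": "10.100.100.3"}):
        print(line)
    cmds, problems = delegation_commands("abc.com", "gslb.abc.com",
                                         {"ns1.gslb.abc.com": "10.102.29.51"})
    print("\n".join(cmds))
    print("problems:", problems)
```

The SOA serial is passed through unchanged; keep it monotonically increasing (the guide's YYYYMMDD style works) or secondaries will never notice a changed zone.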
1.
In the navigation pane, expand DNS, expand Records, and click name of
record.
2.
At the NetScaler command prompt, type the appropriate syntax for the resource
record:
For SRV record:
sh dns srvRec ServiceName
For MX record:
sh dns mxRec DNSDomainName
For NS record:
sh dns nsRec DNSDomainName
Examples
For MX record:
sh dns mxRec www.abc.com
For NS record:
sh dns nsRec www.abc.com
1.
In the navigation pane, expand DNS, expand Records, and then click the
resource record type you want to remove.
2.
In the details pane, right-click the resource record you want to remove, and
then click Remove.
3.
At the NetScaler command prompt, type the appropriate syntax for the resource
record:
For SRV record:
rm dns srvRec ServiceName TargetHostName
For MX record:
rm dns mxRec DNSDomainName MailExchange
For NS record:
rm dns nsRec DNSDomainName NameServerRecord
Examples
For MX record:
rm dns mxRec www.abc.com mail.abc.com
For NS record:
rm dns nsRec www.abc.com ns1.abc.com
1.
2.
In the details pane, click Statistics. The statistics dialog box appear.
Example
stat dns DomainName
NetScaler as an ADNS
The following table shows the name and value of the ADNS service that is
configured on the NetScaler.
Example of ADNS Service Configuration
Entity type    Name             IP address     Type   Port
ADNS Service   Service-ADNS-1   10.102.29.51   ADNS   53
To configure an ADNS setup, you must configure the ADNS service. For
instructions on configuring the ADNS service, see Chapter 1, Load Balancing.
During DNS resolution, the ADNS server directs the DNS proxy or local DNS
server to query the NetScaler for the IP address of the domain. As the NetScaler is
authoritative for the domain, it sends the IP address to the DNS proxy or local
DNS server. The following diagram describes the placement and role of the
ADNS server in a GSLB configuration.
When you create an ADNS service, the NetScaler responds to DNS queries on the
configured ADNS IP, and port. When an ADNS service is configured, the
NetScaler can handle a large number of DNS requests per second.
2.
3.
4.
5.
For instructions on configuring SOA, NS, and address records, see Configuring
DNS Resource Records, on page 471.
A record on the NetScaler is discarded when the time to live (TTL) value of the
record reaches the configured value. The client has to wait until the NetScaler
retrieves the records from the server and updates the cache. To avoid this delay at
the client, the NetScaler retrieves the record from the server prior to the endpoint
of the TTL value and proactively updates the cache.
The following table summarizes the names and the values of the entities that need
to be configured on the NetScaler.
Example of DNS Proxy Entity Configuration
Entity type   Name            IP address     Type   Port
LB vserver    Vserver-DNS-1   10.102.29.40   DNS    53
Services      Service-DNS-1   10.102.29.50   DNS    53
              Service-DNS-2   10.102.29.51   DNS    53
The following diagram shows the entities of a DNS Proxy and values of the
parameters to be configured on the NetScaler.
Specifies
Maximum TTL
Minimum TTL
1.
2.
3.
4.
Click OK.
Example
set dns parameter -cacheRecords Yes
1.
2.
3.
Under TTL frame, in the Minimum text box, type the minimum time to
live (in seconds).
4.
Click OK.
Example
set dns parameter -minTTL 500
set dns parameter -maxTTL 500
Note: When the TTL expires, the record is deleted from the cache. The
NetScaler proactively contacts the back-end servers and obtains the DNS record
just before the record's TTL expires.
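The three cache behaviours this chapter describes for the DNS proxy (clamping a back-end TTL to the configured minimum and maximum, caching negative answers, and refreshing a record shortly before its TTL runs out) fit together as follows. This is an added example, not NetScaler code; the refresh margin, the injectable clock and the method names are assumptions made for the example, and the records it caches are constructed.

```python
import time


class ProxyCache:
    """Cache for records fetched from back-end name servers."""

    def __init__(self, min_ttl, max_ttl, refresh_margin=5, clock=time.time):
        if min_ttl > max_ttl:
            raise ValueError("minTTL must not exceed maxTTL")
        self.min_ttl = min_ttl
        self.max_ttl = max_ttl
        self.refresh_margin = refresh_margin   # seconds before expiry to refetch
        self.clock = clock                      # injectable so tests need not sleep
        self._entries = {}   # (name, rtype) -> (expires_at, rdata, negative)

    def clamp(self, ttl):
        """Replace a back-end TTL below minTTL or above maxTTL with the limit."""
        return max(self.min_ttl, min(ttl, self.max_ttl))

    def store(self, name, rtype, rdata, ttl, negative=False):
        """Cache an answer (or a negative answer) and return the TTL applied."""
        ttl = self.clamp(ttl)
        self._entries[(name.lower(), rtype)] = (self.clock() + ttl, list(rdata), negative)
        return ttl

    def lookup(self, name, rtype):
        """Return ('hit', rdata), ('negative', []) or ('miss', None)."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return "miss", None
        expires_at, rdata, negative = entry
        if self.clock() >= expires_at:
            del self._entries[key]          # TTL reached: the record is discarded
            return "miss", None
        return ("negative" if negative else "hit"), rdata

    def due_for_refresh(self):
        """Keys whose TTL ends within refresh_margin seconds; the proxy refetches
        these before they expire so clients never wait on a cold miss."""
        now = self.clock()
        return sorted(key for key, (exp, _, neg) in self._entries.items()
                      if not neg and 0 < exp - now <= self.refresh_margin)

    def flush(self):
        """Equivalent of 'flush dns proxyRecords': drop everything cached."""
        self._entries.clear()


if __name__ == "__main__":
    cache = ProxyCache(min_ttl=60, max_ttl=300, refresh_margin=10)
    print("applied TTL:", cache.store("www.abc.com", "A", ["10.0.0.1"], 86400))
    print(cache.lookup("www.abc.com", "A"))
```

A large minimum TTL keeps a record in the cache long after the authoritative server has changed or removed it, which also lengthens the window in which a poisoned or stale answer keeps being served; set minTTL only as high as the failure modes you are willing to tolerate.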
1.
In the navigation pane, expand DNS, expand Records, and click Address
Records.
2.
Example
flush dns proxyRecords
Recursive resolution
When the name server receives a query for the address of s1.s2.s3.com, it first
asks a root name server. The root name server does not know the address, but
refers the query to the name servers for .com. The .com name servers in turn
refer it to the name servers for s3.com, which either answer with the address
or refer the query to the name servers for s2.s3.com. Whichever server is
authoritative for the name answers with the IP address of s1.s2.s3.com. In this
way, resolution always starts from the root name servers and ends with the
domain's authoritative name server.
Note: For recursive resolution to function correctly, it is recommended to
enable caching.
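The referral chain just described, as an added example that is not part of the guide and does not use NetScaler code. It walks a constructed in-memory set of authoritative servers (documentation addresses only) from the root down to the server authoritative for s1.s2.s3.com, bounds the number of referrals so a looping delegation cannot hang the resolver, and shows why caching matters: a second query for a cached name never touches the servers.

```python
# Constructed data: zone -> the address of its name server and the address
# records it holds. Each server only knows the zones delegated directly below it.
SERVERS = {
    ".":          {"ns": "198.41.0.4", "a": {}},
    "com.":       {"ns": "192.0.2.10", "a": {}},
    "s3.com.":    {"ns": "192.0.2.20", "a": {"www.s3.com.": "203.0.113.5"}},
    "s2.s3.com.": {"ns": "192.0.2.30", "a": {"s1.s2.s3.com.": "203.0.113.7"}},
}
MAX_REFERRALS = 16   # bound the walk so a referral loop cannot hang the resolver


def labels(name):
    return [lab for lab in name.rstrip(".").split(".") if lab]


def is_under(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def query(zone, qname):
    """What the server authoritative for `zone` says about `qname`:
    ('answer', ip), ('referral', child_zone) or ('nxdomain', None).
    A server refers only to zones delegated one label beneath it."""
    srv = SERVERS[zone]
    if qname in srv["a"]:
        return "answer", srv["a"][qname]
    depth = len(labels(zone))
    for child in SERVERS:
        if (len(labels(child)) == depth + 1 and is_under(child, zone)
                and is_under(qname, child)):
            return "referral", child
    return "nxdomain", None


def resolve(qname, cache=None):
    """Iterative walk from the root, following referrals until an authoritative
    answer. Returns (ip_or_None, trail of (zone, server_ip, result))."""
    if cache is not None and qname in cache:
        return cache[qname], [("cache", None, "hit")]
    trail, zone = [], "."
    for _ in range(MAX_REFERRALS):
        kind, value = query(zone, qname)
        trail.append((zone, SERVERS[zone]["ns"], kind))
        if kind == "answer":
            if cache is not None:
                cache[qname] = value
            return value, trail
        if kind == "nxdomain":
            return None, trail
        zone = value
    raise RuntimeError("referral limit exceeded for " + qname)


if __name__ == "__main__":
    ip, trail = resolve("s1.s2.s3.com.")
    for zone, server, result in trail:
        print(f"{zone:12} @ {server:12} -> {result}")
    print("answer:", ip)
```

A real resolver also caches the referrals (the NS and glue records) rather than only the final answer, which is why the guide recommends enabling caching whenever recursion is turned on: without it every lookup starts again at the root.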
Specifies
Enable recursion
DNS Retries
Retry count.
1.
2.
3.
4.
Click OK.
Example
set dns parameter -recursion enabled
1.
2.
3.
In the DNS Retries text box, type the DNS resolver request retry count.
4.
Click OK.
Example
set dns parameter -retries 5
1.
2.
3.
4.
Click Close.
1.
2.
3.
4.
Click OK.
Example
set dns parameter -recursion disabled
While adding name servers, you can provide an IP address or a virtual IP address
(VIP). If you add an IP address, the NetScaler load balances requests to the
configured name servers in round robin method. If you add a VIP, you can
configure any load balancing method. To add a name server, use the parameters in
the following table.
Parameters to Add a Name Server
Parameter
Specifies
IP Address
1.
2.
3.
4.
Click DNS Virtual Server, and select a DNS virtual server. Click
New if you want to create a new load balancing vserver. The Create
Virtual Server (Load Balancing) dialog box appears.
Example
add dns nameserver 10.102.29.10
Note: When name servers are added in the Forwarder mode, the LOCAL option
must be cleared. When name servers are added in the End Resolver mode, the
LOCAL option must be selected.
Specifies
1.
2.
3.
4.
Click OK.
Note: If the DNS vserver that you have configured is DOWN and you have set
-namelookuppriority to DNS, the NetScaler does not attempt a WINS lookup.
Therefore, if a DNS vserver is not configured or is disabled, set
-namelookuppriority to WINS.
In the navigation pane, expand DNS and click Name Servers. The Name
Servers page appears in the details pane. The configured name servers and their
values appear in the Details pane.
To view a name server using the NetScaler command line
1.
2.
3.
Click Remove.
4.
Example
rm dns nameserver 10.102.29.10
1.
2.
3.
Click Enable or Disable. (If a name server is enabled, the Disable option is
available. If a name server is disabled, the Enable option is available.)
1.
2.
3.
In the DNS Suffix text box, type the suffix (for example, citrix.com).
4.
In the navigation pane, expand DNS and click DNS Suffix. The DNS Suffix page
appears in the details pane. The configured suffixes appear in the details pane.
To view the configuration using the NetScaler command line
Example
show dns suffix citrix.com
1.
2.
In the DNS Suffix pane, select the DNS suffix (for example, citrix.com).
3.
Click Remove.
4.
CHAPTER 8
Global Server Load Balancing
This chapter describes the global server load balancing (GSLB) feature of a Citrix
NetScaler. Learn how global server load balancing works and how to configure
both basic and advanced features. To understand global server load balancing,
you must be familiar with the principles of standard load balancing and the
process for configuring it. For more information about standard load balancing,
see Chapter 1, Load Balancing.
Note: GSLB is not supported in NetScaler 9.1 nCore.
In This Chapter
How Global Server Load Balancing Works
Configuring Global Server Load Balancing (GSLB)
Customizing the GSLB Configuration
Protecting the GSLB Setup against Failure
Managing Client Connections
Improving Manageability of GSLB Using DNS Views
Configuring GSLB in Commonly Used Deployment Scenarios
When a client sends a Domain Name System (DNS) request, it receives a list of
IP addresses of the domain or service. Generally, the client chooses the first IP
address in the list. The DNS server uses a technique called DNS round robin to
sort the order of the list. The DNS round robin technique moves a different IP
address to the top of the list each time it resolves the client request, so that the
load is equally distributed among the data centers. DNS round robin does not
support disaster recovery, load balancing based on load or proximity of servers, or
persistence.
Global server load balancing integrates load balancing with DNS and provides
link load balancing for inbound requests. For more information about link load
balancing, see Link Load Balancing, on page 549. When you configure global
server load balancing on the NetScaler, the NetScaler evaluates the resolved list
of IP addresses and selects the data center. The NetScaler keeps track of the
location, performance, load, and availability of each data center and uses these
factors to determine which data center to send the client requests.
Uses the DNS infrastructure to connect the client to the data center that is
best performing.
Continuously monitors the load and availability of the data centers to select
the server that can support the new client.
The following diagram illustrates how global server load balancing selects the
data center.
The NetScaler uses the GSLB algorithms to determine the IP address of the
data center and sends the IP address of the data center. The NetScaler uses a
number of algorithms, called GSLB methods, to determine how to distribute
the load among the data centers. GSLB methods are criteria that the
NetScaler uses to load balance client requests across distributed data
centers. The default GSLB method is the least connection method.
Continuously monitors the data centers and does not send the IP address to
the local DNS server if the data center is unavailable or overloaded.
Step 5. After the NetScaler determines the IP address of the data center, the
NetScaler forwards the IP address to the client and the client browser displays the
Web page. The global server load balancing process is complete and the
subsequent client requests are directed to the NetScaler at respective data centers.
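The selection step above, as an added example that is not part of the guide and is not NetScaler code: a GSLB vserver holds the GSLB services of the data centers, applies the configured method (least connection by default, as stated above) to the services that are currently usable, and answers a query on a bound domain with one address. A service whose site is DOWN or has reached its connection limit is never handed out. The names and addresses are those of the configuration example later in this chapter; the state values, connection counts and method names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class GslbService:
    """A GSLB service: the public address of one data center's LB vserver,
    with the state and load learned through MEP or a bound monitor."""
    name: str
    site: str
    public_ip: str
    state: str                 # "UP" or "DOWN"
    connections: int           # current connections reported by the site
    max_connections: int = 0   # 0 means unlimited

    def available(self):
        return self.state == "UP" and (
            self.max_connections == 0 or self.connections < self.max_connections)


class GslbVserver:
    """Selects a GSLB service for DNS queries on the domains bound to it."""

    def __init__(self, name, method="LEASTCONNECTION"):
        self.name = name
        self.method = method
        self.services = []
        self.domains = set()
        self._rr = 0

    def bind_service(self, service):
        self.services.append(service)

    def bind_domain(self, domain):
        self.domains.add(domain.lower().rstrip("."))

    def select(self):
        """Apply the GSLB method to the services that are currently usable."""
        candidates = [s for s in self.services if s.available()]
        if not candidates:
            return None
        if self.method == "LEASTCONNECTION":
            return min(candidates, key=lambda s: s.connections)
        if self.method == "ROUNDROBIN":
            service = candidates[self._rr % len(candidates)]
            self._rr += 1
            return service
        raise ValueError(f"unsupported GSLB method {self.method}")

    def answer(self, qname):
        """Address the ADNS returns for a query on a bound domain, or None when
        the name is not bound or no data center is usable."""
        if qname.lower().rstrip(".") not in self.domains:
            return None
        service = self.select()
        return service.public_ip if service else None


if __name__ == "__main__":
    vs = GslbVserver("Vserver-GSLB-1")
    vs.bind_service(GslbService("Service-GSLB-1", "Site-GSLB-East-Coast",
                                "10.14.39.14", "UP", 40))
    vs.bind_service(GslbService("Service-GSLB-12", "Site-GSLB-West-Coast",
                                "192.168.100.103", "UP", 10))
    vs.bind_domain("www.mycompany.com")
    print(vs.answer("www.mycompany.com"))
```

Returning None for an unbound name is deliberate: an ADNS that answers for names it is not authoritative for becomes an open amplifier, so the real server should return a refusal rather than guess.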
You can also configure global server load balancing for disaster recovery. Some
of the configurations that support disaster recovery are:
The setup includes a data center consisting of GSLB vservers. A GSLB vserver is
an entity the NetScaler uses to identify a GSLB service. The NetScaler uses the
load balancing criteria and directs incoming client requests to the GSLB service.
A typical GSLB setup consists of the entities displayed in the following diagram.
GSLB architecture
As illustrated in the preceding diagram, a GSLB setup requires the following
entities.
Entities in a GSLB setup
Entity type
Description
GSLB site
GSLB service
Description
GSLB vserver
Enables the NetScaler to select the data center and forwards the client
requests to it. A GSLB vserver holds one or more GSLB services and
load balances the traffic among them. It evaluates the configured
methods or algorithms to select a service. Usually, GSLB services must
be bound to GSLB vservers. The domain for which global server load
balancing is configured must be bound to the GSLB vserver, because
one or more services bound to the vserver serve the requests.
Load balancing
or content
switching
vservers
ADNS service
Working of MEP
As shown in the preceding diagram, the data centers use the public IP address to
communicate with the firewall. Remote data centers exchange MEP information
using the public IP address. MEP uses IP address 200.5.33.17 and port 3011 to
obtain statistics of Site-GSLB-North-America. The NetScaler performs network
address translation (NAT) and uses 200.5.33.17 and 3011 to start a
communication session with Firewall-1. The public IP address is required only if
the vserver is in a private address space and has a public IP hosted on an external
firewall or NAT device.
Alternatively, you can bind monitors to a remote service. When monitors are
bound, metric exchange does not control the state of the remote service: if a
monitor is assigned to a remote service and metric exchange is enabled, the
monitor controls the health status. Binding monitors to the remote service
allows the NetScaler to interact with a non-NetScaler load balancing device.
The NetScaler can monitor non-NetScaler devices but cannot perform load
balancing on them.
Connection proxy is required while mirroring the connections across data centers.
Connection proxy does not work for non-HTTP traffic. However, with the data
centers being geographically distant, it is beneficial to redirect the client requests
to the original data center. HTTP redirect is preferred for large downloads (for
example, hundreds of megabytes) or when cookies are structured. The working of
HTTP redirect persistence is shown in the following diagram.
Global server load balancing is used to manage traffic flow to a Web site hosted
on two separate server farms. This is illustrated in the following diagram.
Entity type    Name                   IP address        Port   Protocol
GSLB Site      Site-GSLB-East-Coast   10.14.39.21       NA     NA
               Site-GSLB-West-Coast   192.168.100.101   NA     NA
GSLB Vserver   Vserver-GSLB-1         NA                80     HTTP
               Vserver-GSLB-11        NA                80     HTTP
GSLB Service   Service-GSLB-1         10.14.39.14       80     HTTP
               Service-GSLB-12        192.168.100.103   80     HTTP
ADNS Service   Service-ADNS-1         10.14.39.21       53     ADNS
               Service-ADNS-2         192.168.100.101   53     ADNS
Domain         www.mycompany.com      NA                NA     NA
LB Vserver     Vserver-LB-1           10.14.39.14       80     HTTP
               Vserver-LB-12          192.168.100.103   80     HTTP
Services       Service-HTTP-1         10.14.39.1        80     HTTP
               Service-HTTP-2         10.14.39.2        80     HTTP
               Service-HTTP-13        192.168.100.1     80     HTTP
               Service-HTTP-14        192.168.100.2     80     HTTP
Specifies
Service Name
(serviceName)
Server
(IPAddress)
IP address of the server that the service represents. You can configure
the ADNS service to use mapped IP address (MIP), subnet IP
address (SNIP), or any new NetScaler-owned IP address.
Protocol
(ADNS)
ADNS Parameters
Parameter
Specifies
Port
(Port)
1.
2.
3.
In the Service Name, Server, and Port boxes, type the name of the service,
the IP address of the service, and the port number (for example,
Service-ADNS-1, 10.14.39.21, and 53).
4.
5.
Click Create and click Close. The server that you created appears in the
GSLB Services page.
Example
add service Service-ADNS-1 10.14.39.21 ADNS 53
Note: For the NetScaler to be authoritative, you must also create SOA and NS
records. For more information about SOA and NS records, see Chapter 7,
Domain Name System.
Specifies
Name
(siteName)
Site IP Address
(siteIPAddress)
1.
2.
3.
In the Name and Site IP Address text boxes, type the name of the GSLB
site and the IP address (for example, Site-GSLB-East-Coast and
10.14.39.21).
4.
Click Create and click Close. The GSLB site you created appears in the
GSLB Sites pane.
Example
add gslb site Site-GSLB-East-Coast 10.14.39.21
After you have created a GSLB site, create a GSLB service as described in the
following section.
Specifies
Name
(Name)
Service Type
(serviceType)
Port
(port)
Public IP
(IPAddress)
Site Name
(siteName)
1.
2.
3.
In the Service Name and Site Name boxes, specify the name of the GSLB
service and the site name (for example, Service-GSLB-1 and
Site-GSLB-East-Coast).
4.
On the Basic tab, in Service Type, Port, and Public IP, specify the
required information (for example, HTTP, 80, and 10.14.39.14).
5.
Click Create and click Close. The GSLB service you created appears in the
GSLB Services pane.
Example
add service Service-GSLB-1 10.14.39.14 HTTP 80
After you have created a GSLB service, create a GSLB vserver as described in
the following section.
Parameter                    Specifies
Name (name)
Service Type (serviceType)
1.
2.
3.
In the Name and Service Type text boxes, type the name of the GSLB
Virtual Server and the type of GSLB service (for example,
Vserver-GSLB-1 and HTTP).
4.
Click Create and click Close. The GSLB vserver you created appears in
the GSLB Virtual Servers pane.
Example
add gslb vserver Vserver-GSLB-1 HTTP
After you have created a GSLB vserver, bind the GSLB service to the GSLB
vserver as described in the following section.
1.
2.
In the GSLB Virtual Servers pane, select the GSLB vserver to which you
want to bind the service (for example, Vserver-GSLB-1) and click Open.
3.
On the Services tab, in the Active column, select the check box next to the
GSLB service to bind (for example, Service-GSLB-1).
4.
Click OK.
Example
bind gslb vserver Vserver-GSLB-1 -serviceName Service-GSLB-1
After you have bound the GSLB service to a GSLB vserver, bind a domain to the
GSLB vserver as described in the following section.
Parameter                  Specifies
Domain Name (domainName)
1.
2.
In the GSLB Virtual Servers pane, select the GSLB Virtual Server to which
you want to bind the domain (for example, Vserver-GSLB-1) and click Open.
3.
In the Configure GSLB Virtual Server dialog box, on the Domains tab,
click Add.
4.
5.
Click Create.
Example
bind gslb vserver Vserver-GSLB-1 -domainName www.mycompany.com
For more information about Address, SOA, and NS records, see Chapter 7,
Domain Name System.
Delegating a Subdomain
The NetScaler must receive the DNS requests so that it can resolve the domain or
host name to an IP address. In practice, any DNS server may receive a DNS request
for the domain, so the request must be redirected to the NetScaler that resolves
the IP address. To redirect DNS requests to the NetScaler, you can delegate a
subdomain to the NetScaler. Domain delegation is the process of assigning
responsibility for a subdomain to a different name server. After delegating the
subdomain, you make the NetScaler the authority for it. When the NetScaler
is authoritative for the subdomain, DNS requests for names in that subdomain reach
the NetScaler, so that the NetScaler can load balance the requests across
geographically dispersed data centers.
To delegate a subdomain, you must create an NS record and an Address record.
For more information about NS records and the procedure for domain delegation,
see Chapter 7, Domain Name System.
In the navigation pane, expand GSLB and click Sites. All of the parameters and
configured values of this site appear in the details pane.
To view GSLB sites using the NetScaler command line
1.
2.
In the GSLB Sites pane, select the GSLB site whose statistics you want to
view.
3.
Click Statistics.
To view the statistics of a GSLB site using the NetScaler command line
In the navigation pane, expand GSLB and click Virtual Servers. All of the
parameters and configured values of the vserver appear in the details pane.
To view GSLB vservers using the NetScaler command line
1.
2.
In the GSLB Virtual Servers pane, select the GSLB vserver whose
statistics you want to view.
3.
Click Statistics.
To view the statistics of a GSLB vserver using the NetScaler command line
In the navigation pane, expand GSLB and click Services. All the parameters and
configured values for the service appear in the details pane.
To view GSLB services using the NetScaler command line
1.
2.
In the GSLB Services pane, select the GSLB service whose statistics you
want to view.
3.
Click Statistics.
To view the statistics of a GSLB service using the NetScaler command line
1.
2.
In the GSLB Virtual Servers pane, select the GSLB Virtual Server whose
domain statistics you want to view and click Open.
3.
In the Configure GSLB Virtual Server dialog box, on the Domains tab,
select the domain whose statistics you want to view.
4.
Click Statistics.
Parameter                  Specifies
Persistence Information
1.
2.
In the GSLB Sites pane, select the GSLB site that you want to modify (for
example, Site-GSLB-East-Coast), and click Open.
3.
4.
Click OK.
Example
set gslb site Site-GSLB-East-Coast -sessionExchange ENABLED
1.
2.
In the GSLB Sites pane, select the GSLB site for which you want metric
information to be exchanged (for example, Site-GSLB-East-Coast).
3.
Click Enable.
Example
set gslb site Site-GSLB-East-Coast -metricExchange ENABLED
1.
2.
In the GSLB Sites pane, select the GSLB site for which you do not want metric
information to be exchanged (for example, Site-GSLB-East-Coast).
3.
Click Disable.
Example
set gslb site Site-GSLB-East-Coast -metricExchange DISABLED
1.
2.
In the GSLB Sites pane, select the GSLB site that you want to remove (for
example, Site-GSLB-East-Coast).
3.
Example
rm gslb site Site-GSLB-East-Coast
Parameter                    Specifies
maxClient (maxClient)
maxBandwidth (maxBandwidth)  Maximum bandwidth.
To modify bandwidth of a GSLB service using the configuration utility
1.
2.
In the GSLB Services pane, select the GSLB service that you want to modify
(for example, Service-GSLB-1) and click Open.
3.
On the Basic tab, in the Max Bandwidth text box, type the maximum
bandwidth (for example, 100).
4.
Click OK.
Example
set gslb service Service-GSLB-1 -maxBandwidth 100
1.
2.
In the GSLB Services pane, select the service that you want to enable (for
example, Service-GSLB-1).
3.
Example
enable gslb service Service-GSLB-1
1.
2.
In the GSLB Services pane, select the service that you want to disable (for
example, Service-GSLB-1).
3.
Example
disable gslb service Service-GSLB-1
1.
2.
In the GSLB Services pane, select the GSLB service that you want to remove
(for example, Service-GSLB-1).
3.
Click Remove.
4.
Click Yes.
Example
rm gslb service Service-GSLB-1
1.
2.
Select the GSLB vserver that you want to enable (for example,
Vserver-GSLB-1).
3.
Example
enable gslb vserver Vserver-GSLB-1
1.
2.
Select the GSLB vserver that you want to disable (for example,
Vserver-GSLB-1).
3.
Example
disable gslb vserver Vserver-GSLB-1
1.
2.
In the GSLB Virtual Servers pane, select the GSLB Virtual Server from
which you want to unbind the service (for example, Vserver-GSLB-1).
3.
Click Open.
4.
On the Services tab, in the Active column, clear the check box next to the
GSLB services that you want to unbind.
5.
Click OK.
Example
unbind gslb vserver Vserver-GSLB-1 -serviceName Service-GSLB-1
1.
2.
In the GSLB Virtual Servers pane, select the GSLB Virtual Server from
which you want to unbind the domain (for example, Vserver-GSLB-1).
3.
4.
On the Domains tab, select the domain to be removed, and then click
Remove.
5.
Example
unbind gslb vserver Vserver-GSLB-1 -domainName www.mycompany.com
1.
2.
In the GSLB Virtual Servers pane, select the GSLB vserver you want to
remove (for example, Vserver-GSLB-1).
3.
Click Remove.
4.
Click Yes.
Example
rm gslb vserver Vserver-GSLB-1
For all GSLB sites, the GSLB site IP address must be added and the
Management Access setting must be enabled on the GSLB site IP address.
For more information about adding the GSLB site IP addresses and
enabling Management Access, see Citrix NetScaler Networking Guide.
Synchronization occurs only across GSLB sites. LB sites are aware only of their
parent GSLB site's configuration. For more information about LB sites,
see Configuring a GSLB Hierarchy, on page 637.
You need to use the procedure described in this section to enable the local site to
synchronize its GSLB configuration with the remote sites that are involved in the
GSLB setup.
To synchronize GSLB configuration using the configuration utility
1.
2.
Note: If you want to save the output of this command to your local
system, click Save output text to a file.
3.
Click Close.
After synchronizing the configuration, you can view the synchronization status
using the following procedure. You can view whether the GSLB configuration
commands were executed successfully.
To view the synchronization status using the configuration utility
1.
2.
3.
Click Close.
CNAME-based GSLB services are set to the UP state by default. A virtual server
IP address (VIP) or metric exchange protocol (MEP) is not required to set the
state UP or DOWN. If desktop-based monitors are bound, the state of the
CNAME-based GSLB service is dependent on the monitor. Following are some
of the features supported by CNAME-based GSLB service:
The following diagram shows the entities in a typical GSLB setup with
CNAME-based GSLB services. The domains transport.mycompany.com and
facility.mycompany.com are CNAME domains for www.mycompany.com. When
a query is sent for www.mycompany.com, one of the CNAMEs is returned.
Entity diagram
1.
2.
3.
In the Service Name text box, type the name of the GSLB service (for
example, Service-GSLB-1).
4.
In the Site Name drop-down list boxes, select the GSLB site (for example,
Site-GSLB-East-Coast).
5.
6.
In the DNS Canonical name text box, type the canonical name for the
domain (for example, transport.mycompany.com).
7.
Example
add gslb service Service-GSLB-1 -cnameEntry transport.mycompany.com -siteName Site-GSLB-East-Coast
Limitations:
Following are the limitations of CNAME-based GSLB services:
Multiple IP address response and empty address record features are not
supported, because one domain cannot have multiple CNAME entries.
Only static GSLB methods such as static proximity, hash, and round robin
are supported.
GSLB methods are algorithms that the GSLB vserver uses to select the
best-performing GSLB site. When the host name in the Web address is resolved,
all traffic from the client is sent directly to the resolved site.
The NetScaler provides the following GSLB methods:
Round Robin
Least Connections
Least Bandwidth
Least Packets
Source IP Hash
Custom Load
Static Proximity
Dynamic (RTT) and static proximity load balancing methods are specific to
global server load balancing. For more information about how the other methods
work, see Chapter 1, Load Balancing.
The following procedure describes how to change the GSLB method to meet your
specific requirements.
To change the GSLB method using the configuration utility
1.
2.
In the GSLB Virtual Servers pane, select the GSLB vserver whose
method you want to change (for example, Vserver-GSLB-1).
3.
Click Open.
4.
5.
Click OK.
Example
set gslb vserver Vserver-GSLB-1 -lbMethod ROUNDROBIN
For GSLB methods to function, either MEP must be enabled, or explicit monitors
need to be bound to the remote services. The following table shows the
dependencies between MEP and GSLB methods.
Dependencies Between MEP and GSLB Methods
GSLB method          MEP enabled         MEP disabled
Round Robin          Works as defined    Works as defined
Static Proximity     Works as defined    Works as defined
Source IP Hashing    Works as defined    Works as defined
Dynamic (RTT)        Works as defined    Round Robin
Least Connections    Works as defined    Round Robin
Least Packets        Works as defined    Round Robin
Least Bandwidth      Works as defined    Round Robin
Custom Load          Works as defined    Round Robin
Static entries
Custom entries
In this example, the NetScaler uses Example DataBase-1 to determine that the IP
address of the client exists within the IP address range specified for
Site-GSLB-North-America.
Step 4. The NetScaler then forwards the IP address of Site-GSLB-North-America
to the client and the client browser displays the Web page. Global server load
balancing using the static proximity method is complete and the subsequent client
requests are directed to Site-GSLB-North-America. Similarly, the NetScaler
forwards requests from Client 2 to the Site-GSLB-Asia data center.
The following procedure describes the steps to set the GSLB algorithm to static
proximity.
To configure static proximity using the configuration utility
1.
2.
In the GSLB Virtual Servers pane, select the GSLB Virtual Server that
you want to set to static proximity (for example, vserver-GSLB-1).
3.
Click Open.
4.
5.
Click OK.
Example
set gslb vserver vserver-GSLB-1 -lbMethod STATICPROXIMITY
For the static proximity method to work as described in the preceding section,
you need to either configure the NetScaler to use an existing static proximity
database or add custom entries to the static proximity database, as described in
the following section.
Description
CSHN
LCN
RC
Note: Some databases provide short country names according to ISO-3166 and
long country names as well. The NetScaler uses short names when storing and
matching qualifiers.
The NetScaler supports the following static location file formats:
Citrix NetScaler
ip-country
ip-country-isp
ip-country-region-city
ip-country-region-city-isp
geoip-country
geoip-region
geoip-city
geoip-country-organization
geoip-country-isp
geoip-city-isp-organization
Note: To create the static proximity database, you need to log in to the shell and
create a file with the location details in one of the formats described below.
IP-Country Format
This database format is derived from a third party. It helps you determine the
country of an IP address.
Format: IP from (decimal #), IP to (decimal #), CSHN, LCN
The following table shows the qualifier assignments of this format.
Qualifier Assignments for IP-Country Format
Qualifier    Database field
Qualifier 1  Custom context (Not assigned)
Qualifier 2  CSHN
Qualifier 3  Not assigned
Qualifier 4  Not assigned
Qualifier 5  Not assigned
Qualifier 6  Not assigned
IP-Country-ISP Format
This database format is derived from the IP-Country-ISP database at
ip2location.com. It enables you to determine the country that the IP address
belongs to.
Format: IP from (decimal #), IP to (decimal #), CSHN, LCN, ISP
The following table shows the qualifier assignments of this format.
Qualifier Assignments for IP-Country-ISP Format
Qualifier    Database field
Qualifier 1  Not assigned
Qualifier 2  CSHN
Qualifier 3  Not assigned
Qualifier 4  Not assigned
Qualifier 5  ISP
Qualifier 6  Not assigned
IP-Country-Region-City Format
This database format is derived from ip2location.com. This database enables you
to determine the country, region or state, and city of an IP address.
Format: IP from (decimal #), IP to (decimal #), CSHN, LCN, Region,
City
The following table shows the qualifier assignments of this format.
Qualifier Assignments for IP-Country-Region-City Format
Qualifier    Database field
Qualifier 1  Not assigned
Qualifier 2  CSHN
Qualifier 3  Region
Qualifier 4  City
Qualifier 5  Not assigned
Qualifier 6  Not assigned
IP-Country-Region-City-ISP Format
This database format is derived from ip2location.com. It enables you to
determine the country, region or state, city and ISP of an IP address.
Format: IP from (decimal #), IP to (decimal #), CSHN, LCN, Region,
City, ISP
The following table shows the qualifier assignments of this format.
Qualifier Assignments for IP-Country-Region-City-ISP Format
Qualifier    Database field
Qualifier 1  Not assigned
Qualifier 2  CSHN
Qualifier 3  Region
Qualifier 4  City
Qualifier 5  ISP
Qualifier 6  Not assigned
GeoIP-Country Format
This database format is derived from GeoIP Country Edition database of
maxmind.com. It helps you to determine the geographical country location of an
IP address.
Format: IP from (dot notation), IP to (dot notation), IP from (decimal #),
IP to (decimal #), CSHN, LCN
The following table shows the qualifier assignments of this format.
Qualifier Assignments for GeoIP-Country Format
Qualifier    Database field
Qualifier 1  Not assigned
Qualifier 2  CSHN
Qualifier 3  Not assigned
Qualifier 4  Not assigned
Qualifier 5  Not assigned
Qualifier 6  Not assigned
GeoIP-Region Format
This format is derived from the GeoIP Region Edition database of maxmind.com.
It enables you to determine the state/province for US/Canadian IP addresses, and
the country of any other IP address.
Format: IP from (dot notation), IP to (dot notation), IP from (decimal #),
IP to (decimal #), CSHN, RC
The following table shows the qualifier assignments of this format.
Qualifier Assignments for GeoIP-Region Format
Qualifier    Database field
Qualifier 1  Not assigned
Qualifier 2  CSHN
Qualifier 3  RC
Qualifier 4  Not assigned
Qualifier 5  Not assigned
Qualifier 6  Not assigned
GeoIP-City Format
This format is derived from the GeoIP City Edition database of maxmind.com. In
addition to country and state/region, you can determine the city, US area code,
metro code, latitude, and longitude information of an IP address.
Format: IP from (decimal #), IP to (decimal #), Location ID, CSHN,
RC, City
Location ID is an internal code in this format. It is used to connect to different
databases and is not used by the NetScaler. The following table shows the
qualifier assignments of this format.
Qualifier Assignments for GeoIP-City Format
Qualifier    Database field
Qualifier 1  Not assigned
Qualifier 2  CSHN
Qualifier 3  RC
Qualifier 4  City
Qualifier 5  Not assigned
Qualifier 6  Not assigned
GeoIP-Country-Organization Format
This format is derived from the GeoIP Country Edition with Organizations
database of maxmind.com. It enables you to determine the organization of
corporate networks and the ISP for home users.
Format: IP from (dot notation), IP to (dot notation), CSHN,
Organization
The following table shows the qualifier assignments of this format.
Qualifier Assignments for GeoIP-Country-Organization Format
Qualifier    Database field
Qualifier 1  Not assigned
Qualifier 2  CSHN
Qualifier 3  Not assigned
Qualifier 4  Not assigned
Qualifier 5  Not assigned
Qualifier 6  Organization
GeoIP-Country-ISP Format
This format is derived from the GeoIP Country Edition with ISP database of
maxmind.com. It enables you to determine the ISP of an IP address.
Format: IP from (dot notation), IP to (dot notation), CSHN, ISP name
The following table shows the qualifier assignments of this format.
Qualifier Assignments for GeoIP-Country-ISP Format
Qualifier    Database field
Qualifier 1  Not assigned
Qualifier 2  CSHN
Qualifier 3  Not assigned
Qualifier 4  Not assigned
Qualifier 5  ISP
Qualifier 6  Not assigned
GeoIP-City-ISP-Organization Format
This format is derived from the GeoIP Premium City Edition with ISP, and
Organization database of maxmind.com. It helps you determine the city, ISP and
organization of an IP address.
Format: IP from (decimal #), IP to (decimal #), Location ID, CSHN,
RC, City, Postal code, Latitude, Longitude, ISP, Organization,
DMA code, Area Code
The NetScaler does not use the following fields: Location ID, Postal code,
Latitude, Longitude, DMA code, and Area Code.
The following table shows the qualifier assignments of this format.
Qualifier Assignments for GeoIP-City-ISP-Organization Format
Qualifier    Database field
Qualifier 1  Custom context (Not assigned)
Qualifier 2  CSHN
Qualifier 3  RC
Qualifier 4  City
Qualifier 5  ISP
Qualifier 6  Organization
You can add and remove a static location file. To add a static location file, use the
parameters in the following table.
Parameters for Adding a Static Location File
Parameter                      Specifies
Location file (locationFile)   Name of the location file. The file name must include the
                               full path. If the full path is not given, the default path is
                               used: /var/netscaler/locdb. In high-availability mode, the
                               static proximity database should be stored in the same
                               location on both NetScalers.
Location Format (format)
1.
2.
3.
In the Location filename text box, type the name of the location file, or
click Browse to select the location file (for example, type or select
/var/nsmap/locationdb).
Note: The file /var/nsmap/locationdb must exist on the NetScaler.
4.
In the Location Format box, select the format of the location (for example,
netscaler).
5.
Example
add locationfile /var/nsmap/locationdb -format netscaler
Parameter          Specifies
From IP Address
To IP Address
Location Name
1.
2.
3.
4.
Click Create and click Close. The custom entry that you have created
appears on the Custom Entries tab.
Example
add location 192.168.100.1 192.168.100.100 *.us.ca.mycity
In the navigation pane, expand GSLB and click Location. All the parameters and
configured values of this entry appear in the details pane.
To view custom entries using the NetScaler command line
1.
2.
3.
Qualifier labels in the geographic context:
Qualifier 1  Continent
Qualifier 2  Country
Qualifier 3  State
Qualifier 4  City
Qualifier 5  ISP
Qualifier 6  Organization
Qualifier labels in the custom context (default labels):
Qualifier 1  Qualifier 1
Qualifier 2  Qualifier 2
Qualifier 3  Qualifier 3
Qualifier 4  Qualifier 4
Qualifier 5  Qualifier 5
Qualifier 6  Qualifier 6
When the geographic context is set, the continent qualifier is derived from the
country qualifier, if it is not provided explicitly. Even the built-in qualifier labels
are based on the context, and the labels can be changed. These qualifier labels
specify the locations mapped with the IP addresses used to make static proximity
decisions. To set the location qualifiers, use the parameters in the following table.
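The location file formats, the custom entries, and the qualifier labels described above can be exercised with the following Python model. It is an added example, not Citrix code or part of this guide: it parses lines in the ip-country, geoip-country and ip-country-region-city-isp formats into address ranges, maps the fields onto the six qualifiers as in the assignment tables, models an `add location` custom entry such as `*.us.ca.mycity`, derives the continent from the country code in the geographic context, and looks up a client address. The continent table, the sample lines, and the rule that the narrowest overlapping range wins are assumptions of the example, not behaviour stated by the guide.

```python
"""Static proximity lookup over location database entries.

Added example (not Citrix code): it models the ip-country, geoip-country and
ip-country-region-city-isp static location formats described in this
chapter, the `add location` custom-entry syntax, and the geographic-context
qualifier labels (continent, country, state, city, ISP, organization).
Assumptions are marked inline; sample data is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Qualifier labels in the geographic context, as listed in the chapter.
GEO_LABELS = ("continent", "country", "state", "city", "isp", "organization")

# Constructed ISO-3166 short name -> continent table (small illustrative subset).
CONTINENT_OF = {"US": "NA", "CA": "NA", "IN": "AS", "JP": "AS", "DE": "EU"}

# Per format: which column holds the range start/end, and which columns map to
# which qualifier number (1-based), following the qualifier-assignment tables.
FORMATS = {
    # IP from (decimal), IP to (decimal), CSHN, LCN
    "ip-country": {"from": 0, "to": 1, "fields": {2: 2}},
    # IP from (dotted), IP to (dotted), IP from (decimal), IP to (decimal), CSHN, LCN
    "geoip-country": {"from": 2, "to": 3, "fields": {4: 2}},
    # IP from (decimal), IP to (decimal), CSHN, LCN, Region, City, ISP
    "ip-country-region-city-isp": {"from": 0, "to": 1, "fields": {2: 2, 4: 3, 5: 4, 6: 5}},
}


@dataclass
class LocationEntry:
    start: int                        # first address of the range, as an integer
    end: int                          # last address of the range (inclusive)
    qualifiers: List[Optional[str]]   # q1..q6; None means "Not assigned"


def _to_int(value: str) -> int:
    """Accept a decimal address (as in the files) or dotted notation."""
    return int(value) if value.isdigit() else int(ipaddress.IPv4Address(value))


def parse_location_file(lines: List[str], fmt: str) -> List[LocationEntry]:
    """Parse location file lines of the given format into range entries."""
    spec = FORMATS[fmt]
    entries = []
    for raw in lines:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank and comment lines
        fields = [f.strip().strip('"') for f in raw.split(",")]
        quals: List[Optional[str]] = [None] * 6
        for col, qnum in spec["fields"].items():
            if col < len(fields) and fields[col]:
                quals[qnum - 1] = fields[col]
        start, end = _to_int(fields[spec["from"]]), _to_int(fields[spec["to"]])
        if start > end:
            raise ValueError(f"range start after end: {raw!r}")
        entries.append(LocationEntry(start, end, quals))
    return entries


def parse_custom_entry(from_ip: str, to_ip: str, location: str) -> LocationEntry:
    """Model `add location <from> <to> <q1.q2.q3.q4.q5.q6>`; '*' marks an unassigned qualifier."""
    parts = location.split(".")
    if len(parts) > 6:
        raise ValueError("a location name has at most six qualifiers")
    quals = [None if p == "*" else p for p in parts] + [None] * (6 - len(parts))
    return LocationEntry(int(ipaddress.IPv4Address(from_ip)), int(ipaddress.IPv4Address(to_ip)), quals)


class StaticProximityDB:
    def __init__(self, entries: List[LocationEntry]):
        self.entries = list(entries)

    def lookup(self, client_ip: str) -> Optional[Dict[str, str]]:
        """Return the assigned qualifiers for client_ip, or None when no range matches."""
        addr = int(ipaddress.IPv4Address(client_ip))
        matches = [e for e in self.entries if e.start <= addr <= e.end]
        if not matches:
            return None
        # Assumption of this example: when ranges overlap (e.g. a custom entry
        # inside a static range), the narrowest range wins.
        best = min(matches, key=lambda e: e.end - e.start)
        quals = list(best.qualifiers)
        # Geographic context: derive the continent from the country when absent.
        if quals[0] is None and quals[1]:
            quals[0] = CONTINENT_OF.get(quals[1].upper())
        return {label: q for label, q in zip(GEO_LABELS, quals) if q is not None}


# Constructed sample lines in the ip-country format (decimal range, CSHN, LCN).
SAMPLE_IP_COUNTRY = [
    '"168699648","168699903","US","United States"',   # 10.14.39.0 - 10.14.39.255
    '"3232261120","3232261375","IN","India"',         # 192.168.100.0 - 192.168.100.255
]


def build_sample_db() -> StaticProximityDB:
    entries = parse_location_file(SAMPLE_IP_COUNTRY, "ip-country")
    # The chapter's custom entry: add location 192.168.100.1 192.168.100.100 *.us.ca.mycity
    entries.append(parse_custom_entry("192.168.100.1", "192.168.100.100", "*.us.ca.mycity"))
    return StaticProximityDB(entries)


if __name__ == "__main__":
    db = build_sample_db()
    for ip in ("10.14.39.21", "192.168.100.50", "192.168.100.200", "172.16.0.1"):
        print(ip, "->", db.lookup(ip))
```

A client at 192.168.100.50 falls inside both the static India range and the custom entry, so the narrower custom entry decides and the continent is derived from its country qualifier; 192.168.100.200 lies outside the custom range and falls back to the static entry.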
Parameters to Set Location Qualifiers
Parameter          Specifies
context (context)
q1label (q1label)
q2label (q2label)
q3label (q3label)
q4label (q4label)
q5label (q5label)
q6label (q6label)
Action
One match
Multiple matches
No match
1.
2.
3.
In the Context drop-down list, select the appropriate context (for example,
Custom).
4.
In the Qualifier Label -1 text box, type the qualifier (for example, asia).
5.
Click OK.
Example
set locationparameter -context custom -q1label asia
The working of the dynamic RTT method that the NetScaler uses in the data
center selection process is summarized in the following steps:
Step 1. A client sends an HTTP request for www.mycompany.com. The content
for this Web site is hosted at two different data centers
(Site-GSLB-North-America and Site-GSLB-Asia). If the IP address for the
domain is not found in the local cache, the browser sends a request to the client's
local DNS server.
Step 2. If the local DNS server does not have an IP address for the requested
domain, it sends a query to the NetScaler that is configured as the authoritative
name server for the domain. The NetScaler thus offloads the site selection process
from the DNS server. The client's local DNS server queries the NetScaler for the
IP address of www.mycompany.com.
Step 3. The NetScaler uses the RTT value to select the IP addresses of the best
performing sites. The NetScaler uses different mechanisms, such as ICMP echo
Request/Reply (PING), TCP, and UDP to receive the RTT metrics between the
local DNS server and participating sites.
If the ping probe fails, a DNS (TCP) probe is used to calculate the RTT.
If the DNS (TCP) probe also fails, the NetScaler uses DNS (UDP) probe.
The NetScaler performs UDP probing on port 53 and TCP probing on port 80.
The NetScaler uses the proprietary metrics exchange protocol (MEP) to exchange
RTT values between participating sites. If RTT information is not available on the
NetScaler (when a local DNS server of the client accesses the site for the first
time), the GSLB vserver selects a site using the round robin method and directs
the client to the site.
Step 4. After calculating the RTT metrics, the NetScaler sorts the RTT values to
identify the best (smallest) RTT metric. The data center with the smallest RTT
metric is the best site. In the example, although Site-GSLB-North-America is
geographically closer to the local DNS server of Client 1, its RTT value is larger
than that of the Site-GSLB-Asia data center. Therefore, the NetScaler selects
Site-GSLB-Asia as the best performing site.
Step 5. The NetScaler returns one or more IP address records (DNS A resource
records) of the most proximate server to the local DNS server of client. In the
example, the NetScaler returns the IP address of Site-GSLB-Asia to the local
DNS server of Client 1.
Step 6. The local DNS server of the client returns the IP address to the client that
originated the request. In the example, the IP address of Site-GSLB-Asia is
returned to Client 1. The client then connects to the server in Site-GSLB-Asia for
www.mycompany.com.
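Steps 1 to 6 above, as an added Python model that is not Citrix code or part of this guide: the probe chain (ping, then DNS over TCP, then DNS over UDP) supplies one RTT per site for a given local DNS server, the site with the smallest RTT is selected, and a local DNS server with no RTT yet is served round robin. Site names follow the example; the LDNS address and probe values are constructed, and a plain dict stands in for the RTT tables that MEP exchanges between sites.

```python
"""Dynamic RTT site selection, following Steps 1-6 above.

Added example, not Citrix code. Probe results are constructed values; the
probe order (ICMP ping, then DNS over TCP, then DNS over UDP) and the
round-robin fallback when no RTT is known for a local DNS server follow the
text. The per-site RTT tables that MEP would exchange are a plain dict here.
"""
from itertools import cycle
from typing import Dict, List, Optional, Tuple

# Probes are tried in this order; the first one that answers supplies the RTT.
PROBE_ORDER = ("ping", "dns_tcp", "dns_udp")   # ICMP echo, TCP/80, UDP/53


def measure_rtt(probe_results: Dict[str, Optional[float]]) -> Optional[float]:
    """Return the RTT (ms) from the first probe in PROBE_ORDER that succeeded; None if all failed."""
    for probe in PROBE_ORDER:
        rtt = probe_results.get(probe)
        if rtt is not None:
            return rtt
    return None


class RttSelector:
    def __init__(self, sites: List[str]):
        self.sites = list(sites)
        self._round_robin = cycle(self.sites)
        # ldns_ip -> {site_name: rtt_ms}; in a real deployment each site measures
        # its own RTT to the LDNS and shares it with the others over MEP.
        self.rtt_table: Dict[str, Dict[str, float]] = {}

    def record_probe(self, ldns_ip: str, site: str,
                     probe_results: Dict[str, Optional[float]]) -> bool:
        """Store the RTT between site and ldns_ip; return False when every probe failed."""
        rtt = measure_rtt(probe_results)
        if rtt is None:
            return False
        self.rtt_table.setdefault(ldns_ip, {})[site] = rtt
        return True

    def select(self, ldns_ip: str) -> Tuple[str, str]:
        """Pick the site with the smallest known RTT; fall back to round robin on first contact."""
        known = self.rtt_table.get(ldns_ip, {})
        if not known:
            return next(self._round_robin), "round robin (no RTT yet)"
        best = min(known, key=known.get)
        return best, f"smallest RTT {known[best]:.0f} ms"


def demo() -> Tuple[str, str]:
    """Return (site chosen before any RTT is known, site chosen afterwards)."""
    sel = RttSelector(["Site-GSLB-North-America", "Site-GSLB-Asia"])
    ldns = "203.0.113.53"  # constructed address of Client 1's local DNS server
    first = sel.select(ldns)  # no metrics yet -> round robin
    # Constructed probe results: ping from North America to this LDNS fails,
    # so that site's RTT comes from the DNS/TCP probe and is the larger value.
    sel.record_probe(ldns, "Site-GSLB-North-America", {"ping": None, "dns_tcp": 120.0})
    sel.record_probe(ldns, "Site-GSLB-Asia", {"ping": 40.0})
    return first[0], sel.select(ldns)[0]


if __name__ == "__main__":
    print(demo())
```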
The following procedure describes the steps to configure the dynamic RTT
method.
To configure dynamic RTT using the configuration utility
1.
2.
In the GSLB Virtual Servers pane, select the GSLB Virtual server that you
want to set to dynamic RTT (for example, vserver-GSLB-1).
3.
Click Open.
4.
5.
Click OK.
Example
set gslb vserver vserver-GSLB-1 -lbMethod RTT
As described earlier in this section, the NetScaler uses different mechanisms, such
as ICMP echo Request/Reply (PING), TCP, and UDP, to obtain the RTT metrics
between the local DNS server and the participating sites. You can change the probing
interval to suit your configuration. You can also configure the RTT tolerance
factor, which lets the NetScaler validate the timing information after the
configured latency elapses. For information about how to configure these settings,
see the following sections.
1.
2.
In the GSLB Virtual Servers pane, select the GSLB Virtual server whose
RTT tolerance value you want to set (for example, vserver-GSLB-1).
3.
Click Open.
4.
5.
Click OK.
Example
set gslb vserver vserver-GSLB-1 -lbMethod RTT -tolerance 10
1.
2.
Select the monitor that you want to modify (for example, ping).
3.
Click Open.
4.
5.
In the list next to the Interval text box, select a value (for example, Seconds).
6.
In the list next to the Response Time-out text box, select a value (for example,
Seconds).
7.
Click OK.
Example
set mon monitor-HTTP-1 HTTP -interval 10 sec -resptimeout 5 sec
If an entry for the local DNS server exists, and if the server mentioned in
the entry is configured, the DNS response is sent with the IP address of the
same server.
If the entry does not exist, the best server is selected on the basis of the
GSLB policy and is sent as the DNS response. A session entry is created for
this local DNS server with the selected server IP address, and the session
entry is sent to other sites as part of the MEP. If this local DNS server, or
another local DNS server from the same network, sends a request for the
site, the NetScaler sends the response with the IP address of the same site.
This response is based on the persistence information exchanged between
the GSLB sites. This is performed until the persistence TTL value expires.
For persistence to function across sites, the same persistence identifier must be
configured on the GSLB vservers on all sites. The persistence identifier is a
number used to identify the GSLB vserver on all sites. The cookie contains the
persistence identifier that enables the NetScaler to identify the domain and
forward the requests to the same domain.
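The source IP persistence behaviour described above, as an added Python model that is not Citrix code or part of this guide: the local DNS server's address is masked with persistMask, a session entry ties the masked address to the selected site until the persistence timeout expires, the GSLB policy is consulted only when no live entry for a still-active site exists, and entries are accepted from a peer only when the persistence identifier matches. The session store is a dict and the MEP exchange is modelled by copying it; site names follow the example and the LDNS addresses are constructed.

```python
"""Source IP persistence for GSLB DNS responses.

Added example, not Citrix code. It models the behaviour described above: the
local DNS server's address is masked with persistMask, a session entry maps
the masked address to the selected site until the persistence timeout
expires, and the GSLB policy is consulted only when no usable entry exists.
Entries are kept in a dict; exchanging them with peer sites over MEP is
modelled by copying that dict (an assumption of this example).
"""
import ipaddress
from typing import Callable, Dict, Iterable, Tuple


class SourceIpPersistence:
    def __init__(self, persist_mask: str, timeout_minutes: int, persistence_id: int):
        self.mask = int(ipaddress.IPv4Address(persist_mask))
        self.timeout_s = timeout_minutes * 60
        # The same identifier must be configured on the GSLB vservers of all sites.
        self.persistence_id = persistence_id
        # masked LDNS address -> (selected site, expiry time in seconds)
        self.sessions: Dict[int, Tuple[str, float]] = {}

    def _key(self, ldns_ip: str) -> int:
        """Apply persistMask so that LDNS servers in one network share an entry."""
        return int(ipaddress.IPv4Address(ldns_ip)) & self.mask

    def resolve(self, ldns_ip: str, now: float, choose_site: Callable[[], str],
                active_sites: Iterable[str]) -> Tuple[str, bool]:
        """Return (site, reused): reused is True when a live session entry decided the answer."""
        key = self._key(ldns_ip)
        entry = self.sessions.get(key)
        if entry is not None:
            site, expiry = entry
            if now < expiry and site in active_sites:
                return site, True
            del self.sessions[key]  # expired, or its site is no longer configured/active
        site = choose_site()        # the GSLB method picks the best site
        self.sessions[key] = (site, now + self.timeout_s)
        return site, False

    def export_entries(self) -> Dict[int, Tuple[str, float]]:
        """The entries this site would send to its peers over MEP."""
        return dict(self.sessions)

    def import_entries(self, entries: Dict[int, Tuple[str, float]], peer_id: int) -> int:
        """Accept a peer's entries only when the persistence identifier matches; return count taken."""
        if peer_id != self.persistence_id:
            return 0
        self.sessions.update(entries)
        return len(entries)


if __name__ == "__main__":
    p = SourceIpPersistence("255.255.255.0", 5, 23)
    active = {"Site-GSLB-North-America", "Site-GSLB-Asia"}
    print(p.resolve("10.14.39.21", 0, lambda: "Site-GSLB-Asia", active))
    print(p.resolve("10.14.39.99", 60, lambda: "Site-GSLB-North-America", active))
```

With a /24 persistMask a second LDNS in the same subnet is answered from the existing entry even though the policy would now pick another site; with a host mask (255.255.255.255, as in the example command) each LDNS gets its own decision.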
To set a vserver for persistence using the source IP address, use the parameters in
the following table.
Parameters for Configuring Vserver Persistence Using Source IP
Parameter                        Specifies
Persistence (persistenceType)
Timeout (timeout)
PersistMask (persistMask)
Persistence ID (persistenceId)
1.
2.
In the GSLB Virtual Servers pane, select the GSLB vserver whose
method you want to change (for example, vserver-GSLB-1).
3.
Click Open.
4.
5.
6.
Click OK.
Example
set gslb vserver vserver-GSLB-1 -persistenceType SOURCEIP -persistenceId 23 -persistMask 255.255.255.255
Requests are sent from a local GSLB service whose public IP address
matches the public IP address of an active service bound to the GSLB
vserver.
A valid cookie exists and contains the IP address of an active remote GSLB
service.
In the following situations, connection proxy does not occur, and the site cookie
is added:
When the connection proxy is enabled for the local GSLB service; AND,
When the cookie exists and refers to a different IP address, and is not an
active GSLB remote service; OR,
When the cookie exists and refers to the IP address of the vserver on which
the request is received.
The following are the limitations of using connection proxy site cookies:
When local and remote GSLB services are configured, the statistics of a
GSLB service on the remote site are not the same as in the service on its
local site. The statistics of the remote GSLB service on the local site are
slightly higher than the statistics of the service on the remote site.
To set a vserver for persistence using HTTP cookies, use the parameter in the
following table.
Parameter to Set Vserver Persistence Using HTTP Cookies
Parameter            Specifies
(sitePersistence)
1.
2.
In the GSLB Services pane, select the service that you want to configure for
site persistence (for example, service-GSLB-1).
3.
Click Open.
4.
5.
Click OK.
Example
set gslb service service-GSLB-1 -sitePersistence ConnectionProxy
If the domain name is present in the request (either in the URL or in the
HOST header), and the domain is a GSLB domain.
When the request is received on a backup VIP or a GSLB local service that
is in the down state.
For a deployment scenario using HTTP redirect persistence, see the section
Configuring GSLB for Disaster Recovery, on page 605. To set a GSLB service
for site persistence using HTTP redirect persistence, use the parameters in the
following table.
Parameters for Setting HTTP Redirect Persistence
Parameter                 Specifies
(sitePersistence)
Site Prefix (sitePrefix)
1.
2.
In the GSLB Services pane, select the service that you want to configure
for site persistence (for example, service-GSLB-1).
3.
Click Open.
4.
5.
In the Site Prefix box, type the site prefix (for example, vserver-GSLB-1).
6.
Click OK.
Example
set gslb service service-GSLB-1 -sitePersistence HTTPRedirect -sitePrefix vserver-GSLB-1
If you set a backup session timeout for the primary GSLB vserver, the
primary GSLB vserver takes over after the backup session timeout expires.
However, it handles all new DNS requests.
Note: If you set both of these options for a GSLB vserver, the backup session
timeout takes precedence over the disablePrimaryOnDown option.
Based on the configuration, the backup server handles the traffic until you
manually enable the primary server. To set a GSLB vserver for backup site
persistence, use the parameter in the following table.
Parameter to Set a GSLB Vserver for Backup Site Persistence
Parameter                       Specifies
Backup VServer (backupVServer)
To set a GSLB vserver as a backup vserver for persistence using the configuration utility
1.
2.
In the GSLB Virtual Servers pane, select the GSLB vserver for which you
want to configure a backup vserver (for example, vserver-GSLB-1).
3.
Click Open.
4.
5.
In the Backup Session Time-out (mins) box, type the backup session
timeout (for example, 3).
6.
7.
Click OK.
Example
set gslb vserver vserver-GSLB-1 -backupVServer vserver-GSLB-2 -backupSessionTimeout 3 -disablePrimaryOnDown ENABLED
Dynamic weights can mean either the total weight of the services, or the total
number of services bound to the load balancing vserver. When configured on the
GSLB vservers, requests are distributed based on the load balancing method, the
weight of the GSLB service, and the dynamic weight. The product of the weight
of the GSLB service and the dynamic weight is known as the cumulative weight.
Therefore, when dynamic weight is configured on the GSLB vserver, requests are
distributed on the basis of the load balancing method and the cumulative weight.
This is illustrated in the following diagram.
Dynamic weights
Case 1 - Dynamic Weights Disabled
Weight of GSLB Service = 3
Dynamic weight = 0
Cumulative weight (Weight X Dynamic weight) = 3
Note: When the dynamic weight is disabled, the numerical value is set to 1.
This ensures that the cumulative weight is always a nonzero integer.
Case 2 - Dynamic Weights Enabled (SERVICECOUNT)
Weight of GSLB Service = 3
Dynamic weight = 2 (because two services are bound to the Load Balancing
vserver)
Cumulative weight (Weight X Dynamic weight) = 6
Case 3 - Dynamic Weights Enabled (SERVICEWEIGHT)
Weight of GSLB Service = 3
Dynamic weight = 4 (sum of the individual weights of the services)
Cumulative weight (Weight X Dynamic weight) = 12
Note: Dynamic weights are not applicable to content switching vservers.
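The three cases above carried through in code, as an added example that is not from the guide. The site data is constructed, and the smooth weighted round robin used to show the resulting traffic share is this example's own, since the guide states the proportional outcome rather than a scheduling algorithm.

```python
# Added example (not from the guide): how the dynamicWeight setting of a GSLB
# vserver turns each site's GSLB service weight into the cumulative weight that
# the load balancing method uses. All site data below is constructed.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LBService:
    """A service bound to the load balancing vserver behind a GSLB service."""
    name: str
    weight: int = 1


@dataclass
class GSLBService:
    """A GSLB service (one site) with the weight given on its vserver binding."""
    name: str
    weight: int
    lb_services: List[LBService] = field(default_factory=list)


def dynamic_weight(svc: GSLBService, mode: str) -> int:
    """Dynamic weight for one GSLB service, following the guide's three cases.

    DISABLED      -> 1   (the guide: the value is set to 1 so that the
                          cumulative weight is always a nonzero integer)
    SERVICECOUNT  -> number of services bound to the site's LB vserver
    SERVICEWEIGHT -> sum of the individual weights of those services
    """
    if mode == "DISABLED":
        return 1
    if mode == "SERVICECOUNT":
        return len(svc.lb_services)
    if mode == "SERVICEWEIGHT":
        return sum(s.weight for s in svc.lb_services)
    raise ValueError(f"unknown dynamicWeight mode: {mode}")


def cumulative_weight(svc: GSLBService, mode: str) -> int:
    """Cumulative weight = GSLB service weight x dynamic weight."""
    return svc.weight * dynamic_weight(svc, mode)


def distribute(services: List[GSLBService], mode: str, requests: int) -> Dict[str, int]:
    """Share `requests` DNS answers between sites in proportion to their
    cumulative weights. The smooth weighted round robin used here is this
    example's own choice; the guide only states the proportional outcome.
    Returns {GSLB service name: number of answers pointing at that site}."""
    weights = {s.name: cumulative_weight(s, mode) for s in services}
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("cumulative weights must be positive")
    current = dict.fromkeys(weights, 0)
    served = dict.fromkeys(weights, 0)
    for _ in range(requests):
        for name, w in weights.items():
            current[name] += w
        pick = max(current, key=current.get)   # site with the largest credit
        current[pick] -= total
        served[pick] += 1
    return served


# Constructed sites: site 1 reproduces the guide's cases (GSLB weight 3, two
# LB services whose weights sum to 4); site 2 has one LB service of weight 2.
SITE_1 = GSLBService("service-GSLB-1", 3, [LBService("service-HTTP-1", 1),
                                            LBService("service-HTTP-2", 3)])
SITE_2 = GSLBService("service-GSLB-2", 3, [LBService("service-HTTP-3", 2)])

if __name__ == "__main__":
    for mode in ("DISABLED", "SERVICECOUNT", "SERVICEWEIGHT"):
        cw = {s.name: cumulative_weight(s, mode) for s in (SITE_1, SITE_2)}
        print(mode, cw, distribute([SITE_1, SITE_2], mode, 18))
```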
To configure a GSLB vserver to use dynamic weights, use the parameter in the following table.
Parameter to Configure a GSLB Vserver to Use Dynamic Weights
Parameter: Dynamic Weight (dynamicWeight)
Note: You cannot assign weights if the source IP hash, static proximity, or dynamic GSLB method is selected.
To set GSLB vserver to use dynamic weights using the configuration utility
1.
2. In the GSLB Virtual Servers pane, select the GSLB Virtual Server to which you want to set dynamic weights (for example, vserver-GSLB-1).
3. Click Open.
4.
5. Click OK.
To set GSLB vserver to use dynamic weights using the NetScaler command line
Example
set gslb vserver vserver-GSLB-1 -dynamicWeight SERVICECOUNT
To set GSLB vserver to use dynamic weights using the configuration utility
1.
2. In the GSLB Virtual Servers pane, select the GSLB server for which you want to set dynamic weights (for example, vserver-GSLB-1).
3. Click Open.
4.
5. Click OK.
To set GSLB vserver to use dynamic weights using the NetScaler command line
Example
set gslb vserver vserver-GSLB-1 -dynamicWeight SERVICEWEIGHT
Note: When the dynamic weight is disabled, the numerical value is set to one. This ensures that the cumulative weight is always a nonzero integer.
State of remote services (table): UP; Disabled; DOWN or Disabled
The NetScaler periodically evaluates the states of the remote GSLB services by using:
MEP
Binding explicit monitors to services is not required, because MEP updates the
state of the GSLB service by default. However, you can bind explicit monitors to
a remote service. When monitors are explicitly bound, the state of the remote
service is not controlled by the metric exchange. The following table summarizes
how the monitors evaluate the state of the remote services.
How Monitors Evaluate the State of Remote Services (table; columns: Monitor scenarios, UP, DOWN)
If an external monitor is bound to the remote service that is DOWN, the round
robin load balancing method is used for load balancing between the sites until the
remote site comes up. If an explicit monitor is assigned to a remote service and
metric exchange is enabled, the health status is controlled by the monitor. The
following table lists the dependencies between MEP and monitoring.
Dependencies Between MEP and Monitoring (table; rows: Explicit monitors, No explicit monitors; columns: MEP enabled, MEP disabled)
The following table summarizes how the states of the remote services are determined when a monitor is bound to a service and when MEP is used.
How Remote Service States are Determined When MEP Is Used (table; column: State of Remote Services, with the values UP and DOWN)
By default, when you bind a monitor to a remote GSLB service, the NetScaler uses the state of the service that the monitor evaluates. However, you can optionally configure the NetScaler to use monitors to evaluate services in the following situations:
MEP is DOWN.
This optional setting enables the NetScaler to stop monitoring when MEP is UP.
For example, in a hierarchical GSLB setup, a GSLB site provides the MEP
information about its child sites to its parent site. Such an intermediate site may
evaluate the state of the child site as DOWN because of network issues though
the actual state of the site is UP. In this case, you can bind monitors to the services
of the parent site and disable MEP to determine the actual state of the remote
service. This option enables you to control the manner in which the states of the
remote services are determined. For more information about hierarchical GSLB,
see Configuring a GSLB Hierarchy, on page 637.
Creating Monitors
You can create, modify, disable, and enable monitors. The restrictions on monitoring are:
Parameters: Name (monitorName); Type (type); Destination Port (destPort)
1.
2.
3. In the Name text box, type the name of the monitor (for example, monitor-HTTP-1).
4. In the Type box, select the type of the monitor (for example, HTTP).
5. On the Standard Parameters tab, in the Destination Port text box, type the destination port number (for example, 443).
6.
Example
add lb monitor monitor-HTTP-1 -type HTTP -destPort 443
Binding Monitors
The following procedure describes the steps to bind a monitor to a GSLB service.
When you bind a monitor to a GSLB service, you can specify a weight for the
monitor. After binding one or more weighted monitors, you can configure a
monitor threshold for the service. This threshold takes the service down if the
grand sum of the bound monitor weights falls below the threshold value. For
example, suppose that you bind the following monitors to Service A:
Suppose also that the monitor threshold for Service A is 6. If any of the monitors
cannot reach their target, Service A is taken down.
Note: In the configuration utility, you set the monitor weight and the monitoring threshold in the same service configuration dialog box. When using the command line, you issue separate commands to set the monitor's weight and the service's monitoring threshold.
To bind the monitor to the GSLB service using the configuration utility
1.
2. In the GSLB Services pane, select the service to which you want to bind the monitor (for example, select service-GSLB-1).
3. Click Open.
4. In the Configure GSLB Service dialog box, on the Monitoring tab, select the monitor that you want to bind to the service (for example, monitor-HTTP-1).
5. Click Add.
6. In the Configured table, click the Weight cell and enter a value for the weight.
7.
8.
9.
10. Click OK.
To bind the Monitor to the GSLB service using the NetScaler command line
Example
bind monitor monitor-HTTP-1 service-GSLB-1 -state enabled -weight 2
To set the monitoring threshold for a GSLB service using the NetScaler command line
Example
set gslb service service-GSLB-1 -monThreshold 8
Removing Monitors
The following procedure describes the steps to delete a monitor. When a monitor is removed, the exchange of metrics through MEP resumes.
To remove a monitor using the configuration utility
1.
2.
3. Click Remove.
Example
rm monitor monitor-HTTP-1
MEP is DOWN.
The NetScaler stops monitoring when MEP is UP. The following table describes
the parameter that you can configure on the site to control the monitoring of the
remote services belonging to the site.
Parameter for Controlling the Monitoring of a Remote Service for a Site
Parameter: Trigger Monitor (triggerMonitor)
1.
2.
3. In the Modify GSLB Sites dialog box, in the Trigger Monitor list box, select ALWAYS and click OK.
To configure the site to trigger monitor using the NetScaler command line
set gslb site NameOfSite -triggerMonitor TriggerMonitorOption
Example
set gslb site Site-GSLB-North-America -triggerMonitor ALWAYS
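The monitor threshold rule from Binding Monitors and the triggerMonitor behaviour described above, combined in one added example (not code from the guide). The value name MEPDOWN for the guide's "MEP is DOWN" option, the monitor names and weights, and the rule that a service with neither MEP nor monitors is DOWN are assumptions made here.

```python
# Added example (not from the guide): how the state of a remote GSLB service
# follows from MEP, explicitly bound monitors, -monThreshold and the site's
# triggerMonitor setting. Monitor data is constructed. "MEPDOWN" is the name
# used here for the guide's "MEP is DOWN" trigger option (an assumption).
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BoundMonitor:
    name: str
    weight: int        # -weight given on `bind monitor`
    probe_ok: bool     # did the last probe reach its target?


def monitor_state(monitors: List[BoundMonitor], threshold: int) -> str:
    """State from the monitors alone. The guide: the service is taken down
    when the sum of the bound monitor weights falls below the threshold, so
    only monitors whose probe succeeded contribute to the sum."""
    up_sum = sum(m.weight for m in monitors if m.probe_ok)
    return "UP" if up_sum >= threshold else "DOWN"


def remote_service_state(mep_enabled: bool, mep_connection_up: bool,
                         mep_reported_state: Optional[str],
                         monitors: List[BoundMonitor], threshold: int,
                         trigger_monitor: str = "ALWAYS") -> str:
    """Effective state of a remote GSLB service.

    - No explicit monitors: MEP updates the state (the default).
    - Monitors bound, triggerMonitor ALWAYS: the monitors control the state;
      metric exchange no longer does.
    - Monitors bound, triggerMonitor MEPDOWN: monitors are consulted only
      while the MEP connection is DOWN; while it is UP, monitoring stops and
      the state learned over MEP is used.
    - MEP disabled with monitors bound (the hierarchical-GSLB case in the
      guide): the monitors determine the actual state.
    """
    if not monitors:
        if mep_enabled and mep_connection_up and mep_reported_state:
            return mep_reported_state
        return "DOWN"   # assumption: nothing can vouch for the service
    if not mep_enabled or trigger_monitor == "ALWAYS":
        return monitor_state(monitors, threshold)
    if trigger_monitor == "MEPDOWN":
        if mep_connection_up and mep_reported_state:
            return mep_reported_state
        return monitor_state(monitors, threshold)
    raise ValueError(f"unknown triggerMonitor option: {trigger_monitor}")


# Constructed to match the guide's Service A example: threshold 6, with
# weights chosen so that losing any one monitor drops the sum below it.
THRESHOLD = 6
MONITORS_ALL_UP = [BoundMonitor("monitor-HTTP-1", 2, True),
                   BoundMonitor("monitor-HTTP-2", 2, True),
                   BoundMonitor("monitor-TCP-1", 3, True)]
MONITORS_ONE_FAILED = [BoundMonitor("monitor-HTTP-1", 2, True),
                       BoundMonitor("monitor-HTTP-2", 2, False),
                       BoundMonitor("monitor-TCP-1", 3, True)]

if __name__ == "__main__":
    print(monitor_state(MONITORS_ALL_UP, THRESHOLD))
    print(monitor_state(MONITORS_ONE_FAILED, THRESHOLD))
    print(remote_service_state(True, True, "UP", MONITORS_ONE_FAILED,
                               THRESHOLD, "MEPDOWN"))
```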
Parameter: Backup VServer (backupVserver)
The following example shows the steps to configure the GSLB vserver as the backup vserver. If the primary vserver experiences a failover, the backup or standby vserver takes over as the active vserver.
To set a backup GSLB vserver using the configuration utility
1.
2. In the GSLB Virtual Servers pane, select the GSLB vserver for which you want to configure a backup vserver (for example, vserver-GSLB-1).
3. Click Open.
4.
5. Click OK.
When a DNS request is sent to a GSLB domain, if the GSLB VIP is up, the
NetScaler selects the best service bound to the VIP and, by default, returns that
service in the response. If multiple IP response (MIR) is enabled, the NetScaler
adds the best service as the first record in the response, and then adds the
remaining active services as subsequent records. If MIR is disabled, the
NetScaler adds the best service as the first record, and this is the only record in
the response.
To set up a GSLB vserver to respond using multiple IP addresses, use the
parameters in the following table.
Parameter to Set Up a GSLB Vserver to Respond with Multiple IP Addresses
Parameter: Multiple IP Response (MIR)
1.
2. In the GSLB Virtual Servers pane, select the GSLB vserver for which you want to configure a backup vserver (for example, vserver-GSLB-1).
3. Click Open.
4. On the Advanced tab, under When this VServer is UP, select the Send all active service IP in response (MIR) check box.
5. Click OK.
Example
set gslb vserver vserver-GSLB-1 -MIR ENABLED
Parameter: Empty Down Response (EDR)
To set a GSLB vserver for empty down responses using the configuration utility
1.
2. Select the GSLB Virtual Server for which you want to configure a backup vserver (for example, vserver-GSLB-1).
3. Click Open. The Configure GSLB Virtual Server dialog box appears.
4. On the Advanced tab, under When this VServer is DOWN, select the Do not send any service's IP address in response (EDR) check box.
5. Click OK.
To set a GSLB vserver for empty down responses using the NetScaler command line
Example
set gslb vserver vserver-GSLB-1 -EDR ENABLED
Parameter: Backup IP (backup)
Note: The NetScaler uses the backup IP address only during DNS resolution. For HTTP redirect, the backup IP address is not used.
The following procedure describes the steps to set a backup IP for a domain bound to the GSLB vserver.
To set a backup IP address for a domain using the configuration utility
1.
2. In the GSLB Virtual Servers pane, select the GSLB vserver to which you want to bind the domain (for example, vserver-GSLB-1).
3. Click Open.
4.
5.
6.
To set a backup IP address for a domain using the NetScaler command line
If the primary VIP has reached its saturation and the backup VIP(s) are absent or down, the effective state is set to DOWN.
If there is no backup VIP for the primary VIP and the primary VIP has reached its threshold, the effective state is set to DOWN.
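How the records in a GSLB DNS response depend on MIR, EDR and the domain's backup IP, as an added example that is not part of the guide. Service names and addresses are constructed; the caller passes services in the order the load balancing method would rank them, and the fallback when the VIP is DOWN with neither EDR nor a backup IP is an assumption.

```python
# Added example (not from the guide): which IP addresses a GSLB vserver places
# in the DNS response, given MIR, EDR and a domain's backup IP. All service
# data is constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class GSLBServiceRecord:
    name: str
    ip: str
    state: str          # "UP" or "DOWN"


def dns_answer(services_best_first: List[GSLBServiceRecord], mir: bool,
               edr: bool, backup_ip: Optional[str] = None) -> List[str]:
    """IP addresses returned for a GSLB domain.

    `services_best_first` is already ordered by the load balancing method
    (best service first). The GSLB VIP counts as UP when at least one bound
    service is UP; the effective-state (spillover) rules are not modelled.
    """
    active = [s for s in services_best_first if s.state == "UP"]
    if active:
        # VIP is UP: the best service is always the first record. With MIR the
        # remaining active services follow it; without MIR it is the only one.
        if mir:
            return [s.ip for s in active]
        return [active[0].ip]
    # VIP is DOWN.
    if edr:
        return []                   # empty down response: no service IP at all
    if backup_ip is not None:
        return [backup_ip]          # the domain's -backup IP (DNS only, never
                                    # used for HTTP redirect, per the guide)
    # Neither EDR nor a backup IP: assumption (not stated in the guide) that
    # the configured service IPs are returned so the client still gets a record.
    return [s.ip for s in services_best_first]


# Constructed sample: two sites UP, one DOWN, in LB-method order.
SERVICES = [GSLBServiceRecord("service-GSLB-1", "10.102.29.62", "UP"),
            GSLBServiceRecord("service-GSLB-2", "10.102.29.172", "UP"),
            GSLBServiceRecord("service-GSLB-3", "10.102.29.200", "DOWN")]
ALL_DOWN = [GSLBServiceRecord(s.name, s.ip, "DOWN") for s in SERVICES]

if __name__ == "__main__":
    print("MIR on :", dns_answer(SERVICES, mir=True, edr=False))
    print("MIR off:", dns_answer(SERVICES, mir=False, edr=False))
    print("down, EDR   :", dns_answer(ALL_DOWN, mir=True, edr=True, backup_ip="192.0.2.10"))
    print("down, backup:", dns_answer(ALL_DOWN, mir=True, edr=False, backup_ip="192.0.2.10"))
```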
Parameter: Down State Flush (downStateFlush)
1.
2. In the GSLB Services pane, select the service to which you want to set down state flush (for example, service-GSLB-1).
3. Click Open.
4. On the Advanced tab, select the Down state flush check box.
5. Click OK.
Example
set gslb service service-GSLB-1 -downStateFlush ENABLED
CLIENT.UDP.DNS.DOMAIN.EQ(domainname)
CLIENT.UDP.DNS.IS_AREC
CLIENT.UDP.DNS.IS_AAAAREC
CLIENT.UDP.DNS.IS_SRVREC
CLIENT.UDP.DNS.IS_MXREC
CLIENT.UDP.DNS.IS_SOAREC
CLIENT.UDP.DNS.IS_PTRREC
CLIENT.UDP.DNS.IS_CNAME
CLIENT.UDP.DNS.IS_NSREC
CLIENT.UDP.DNS.IS_ANYREC
1.
2.
3. In the Policy Name box, type a name for the DNS policy (for example, policy-GSLB-1).
4. Select View Name and in the text box next to View Name, type private or click New to create a view.
5.
6. In the first drop-down box, select CLIENT. In the second drop-down list box, select UDP. In the next drop-down list box, select DNS. In the next drop-down list box, select DOMAIN. In the next drop-down list box, select EQ(String). In the next text box, type the domain name (for example, abc.com).
7.
8.
Example
add dns policy policy-GSLB-1 "CLIENT.UDP.DNS.DOMAIN.EQ(\"domainname\")" -view private
If an entry for the LDNS is found, the characteristics of the LDNS are
evaluated against the configured policies. If they match, an appropriate
action (site affinity) is executed. If the LDNS characteristics match more
than one site, the request is load balanced between the sites that match the
LDNS characteristics.
If the entry is not found in the custom database, the static IP address
database is queried for an entry, and if there is a match, the above policy
evaluation is repeated.
If the entry is not found in either the custom or static databases, the best site
is selected and sent in the DNS response on the basis of the configured load
balancing method.
For example, a global enterprise has two sites, one in Japan and the other in the United States. By default, the proximity RTT method directs all clients from Japan to the Japan site, and clients from the United States to the United States site. All other clients (originating from other countries) are load balanced between the Japanese and United States sites. You can use GSLB policies to direct clients that match a certain IP address range to a specific site. For example, you can direct all clients whose IP address is between 203.124.153.145 and 203.124.153.161, and who would otherwise have been directed to the Japan site, to the United States site.
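The Japan/United States scenario above as an added example, not code from the guide: a static location database, a policy with an IP-range match and a preferred location, static proximity as the default, and round robin for clients whose location is unknown. Sites, address ranges and qualifier strings are constructed; NetScaler's own location-file format and policy grammar are not reproduced.

```python
# Added example (not from the guide): site selection from the static location
# database and DNS policies, in the guide's Japan/United States scenario.
# Location qualifiers are dotted strings and "*" matches any qualifier, as in
# the guide's expressions. All entries, ranges and sites are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def in_range(ip: str, first: str, last: str) -> bool:
    return _ip_int(first) <= _ip_int(ip) <= _ip_int(last)


def location_matches(pattern: str, location: str) -> bool:
    """Compare dotted qualifiers left to right; '*' or a missing trailing
    qualifier matches anything ('Asia.Japan.*.*.*' matches 'Asia.Japan.Kanto')."""
    for want, have in zip(pattern.split("."), location.split(".")):
        if want != "*" and want != have:
            return False
    return True


@dataclass
class LocationEntry:            # one `add location <from> <to> <qualifiers>`
    first: str
    last: str
    location: str


@dataclass
class Site:
    name: str
    location: str               # the site's own qualifiers


@dataclass
class DNSPolicy:
    name: str
    ip_range: Optional[Tuple[str, str]] = None   # CLIENT.IP.SRC within range
    location_pattern: Optional[str] = None       # CLIENT.LOCATION.EQ(pattern)
    preferred_location: Optional[str] = None     # -preferredLocation
    drop: bool = False                           # -drop


class GSLBResolver:
    def __init__(self, sites: List[Site], location_db: List[LocationEntry],
                 policies: List[DNSPolicy]):
        self.sites, self.db, self.policies = sites, location_db, policies
        self._rr = 0

    def client_location(self, ip: str) -> Optional[str]:
        for entry in self.db:
            if in_range(ip, entry.first, entry.last):
                return entry.location
        return None

    def choose_site(self, client_ip: str) -> Optional[str]:
        """Name of the site answered to the client, or None when a policy drops."""
        loc = self.client_location(client_ip)
        for pol in self.policies:              # evaluated in bound order
            by_ip = pol.ip_range is not None and in_range(client_ip, *pol.ip_range)
            by_loc = (pol.location_pattern is not None and loc is not None
                      and location_matches(pol.location_pattern, loc))
            if by_ip or by_loc:
                if pol.drop:
                    return None
                for site in self.sites:
                    if location_matches(pol.preferred_location or "*", site.location):
                        return site.name
        if loc is not None:                    # static proximity: closest site
            for site in self.sites:
                if location_matches(site.location, loc):
                    return site.name
        # Unknown location: fall back to the configured LB method (round robin).
        site = self.sites[self._rr % len(self.sites)]
        self._rr += 1
        return site.name


SITES = [Site("site-Japan", "Asia.Japan"), Site("site-US", "NorthAmerica.US")]
LOCATION_DB = [LocationEntry("203.124.153.0", "203.124.153.255", "Asia.Japan.Kanto.Tokyo"),
               LocationEntry("192.168.100.1", "192.168.100.10", "NorthAmerica.US.CA.mycity")]
POLICIES = [DNSPolicy("policy-redirect-1", ip_range=("203.124.153.145", "203.124.153.161"),
                      preferred_location="NorthAmerica.US.*.*.*.*")]
RESOLVER = GSLBResolver(SITES, LOCATION_DB, POLICIES)

if __name__ == "__main__":
    for ip in ("203.124.153.150", "203.124.153.200", "192.168.100.5", "198.51.100.7"):
        print(ip, RESOLVER.client_location(ip), "->", RESOLVER.choose_site(ip))
```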
1. Click the icon next to the Expression text box. Click Add. (Leave the Flow Type and Protocol drop-down list boxes empty.) Follow these steps to create a rule.
2.
3.
4.
5. Click OK. Click Create and click Close. The rule is created.
6. Click OK.
1.
2. Click Add.
3. In the Policy Name box, type a name for the DNS policy (for example, policy-redirect-1) and click Add.
4.
5.
6.
Example
add dns policy policy-redirect-1 "CLIENT.LOCATION.EQ(Asia.Japan.*.*.*)"
Parameters: Preferred Location (preferredLocation); Drop (drop)
1.
2. In the Policies pane, select the DNS policy for which you want to create an action (for example, policy-redirect-1) and click Open.
3. Click Preferred Location. In the text box, type the preferred location (for example, NorthAmerica.US).
4. Click OK.
Example
set dns policy policy-GSLB-1 -preferredLocation NorthAmerica.US.*.*.*.*
1.
2.
3. In the Active column, select the check box next to the DNS policy you want to bind globally (activate).
4. In the Priority column, specify the priority for the DNS policy (for example, 10).
5. Click OK.
Example
bind dns global policy-GSLB-1 10
1.
2.
3. Click Remove.
4. In the Remove dialog box, click Yes. The selected DNS policy is removed.
Example
rm dns policy policy-GSLB-1
In the navigation pane, expand DNS and click Policies. All parameters and configured values of this policy appear in the details pane.
To view a DNS policy using the NetScaler command line
1.
2. In the details pane, click Global Bindings. The global bindings of all DNS policies appear in this dialog box.
To view the global bindings of a DNS policy using the NetScaler command line
Parameter: Name (viewName)
1.
2.
3. In the Name text box, type the name of the DNS view (for example, privatesubnet).
4.
Example
add dns view privatesubnet
1.
2. In the Views pane, select the view you want to remove (for example, privatesubnet).
3. Click Remove.
4. Click Yes.
Parameters: Policy Name (name); View Name (viewName)
1.
2.
3. In the Policy Name text box, type a name for the DNS policy (for example, policy-GSLB-1).
4. In the View Name box, select a DNS view (for example, privatesubnet).
5.
6. In the first box, select the required value (for example, CLIENT). In the consecutive boxes, select the required values to build the expression (for example, select CLIENT, IP, SRC, IN_SUBNET and type (10.102.29.0/24)).
7. Click OK.
8.
Example
add dns policy policy-GSLB-1 "CLIENT.IP.SRC.IN_SUBNET(10.102.29.0/24)" -view privatesubnet
1.
2.
3. Click Close.
Example
show dns view privatesubnet
Interface throughput
When the NetScaler receives a request for a GSLB domain, the NetScaler checks
the request against the configured DNS policies. If the NetScaler finds a matching
policy, it selects the corresponding view. For internal clients, the NetScaler
selects the internal view, and provides the internal view IP that corresponds to the
GSLB service.
For external clients, the NetScaler selects the external view, and provides the
external view IP address that corresponds to the GSLB service. The NetScaler
associates each service with an internal and external IP address.
The first step is to configure a DNS view as a placeholder for associating policies
and IP address, as described below.
After configuring the initial placeholder view, you can add a GSLB service and
obtain a view-specific IP address by binding a view to a service with a specific IP
address. You can then add the DNS policy that helps identify the view that the
NetScaler will choose for requests arriving from the client.
The following example illustrates the steps to configure DNS views for a GSLB
service by providing a private IP address for internal clients and a public IP
address for external clients. The sample GSLB setup consists of two sites, Site-1
and Site-2.
Each site has the following features:
1. Create the DNS view. For information about configuring DNS views, see Creating DNS Views, on page 596.
2. Create the DNS policy. For information about configuring DNS policies, see Creating DNS Policies, on page 592.
3. Bind the policy globally. For information about configuring DNS policies, see Binding and Unbinding a DNS Policy, on page 594.
4. Associate the GSLB service with the view. This section describes steps to bind the GSLB service with the DNS view.
In the following procedure, the DNS view, privatesubnet, is linked with the GSLB service, service-GSLB-10.
To associate the GSLB service with the view using the configuration utility
1.
2. In the details pane, select the service (for example, GSLB-10), and then click Open.
3. In the Configure GSLB Service dialog box, click the Views tab.
4.
5. Click Add.
6. Click OK.
To associate the GSLB service with the view using the NetScaler command line
Example
bind gslb service service-GSLB-1 -viewname privatesubnet 10.102.29.103
If the user queries for www.domain.com, the NetScaler makes a DNS policy check for the domain. If the client falls in the 10.102.29.0/24 subnet, the NetScaler returns the IP address corresponding to the private subnet. For example, if service-GSLB-10 is chosen, 10.102.29.103 is returned. If the client does not fall in that subnet, the IP address 1.1.1.1 is returned.
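The view selection just described, as an added example (not the guide's code): the policy expression CLIENT.IP.SRC.IN_SUBNET(10.102.29.0/24) from the procedure above is parsed and evaluated against the client address, and the view-specific IP bound to the chosen service is returned. The client addresses and the service's public IP are constructed; the parser handles only this one expression form.

```python
# Added example (not from the guide): choosing a DNS view from the client's
# source address and answering with the IP bound to the GSLB service for that
# view. Only the guide's CLIENT.IP.SRC.IN_SUBNET(<cidr>) expression form is
# parsed. Policies, service and client addresses below are constructed.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_IN_SUBNET = re.compile(r"^CLIENT\.IP\.SRC\.IN_SUBNET\((\S+?)\)$")


@dataclass
class DNSPolicy:
    name: str
    expression: str      # e.g. "CLIENT.IP.SRC.IN_SUBNET(10.102.29.0/24)"
    view: str            # -view
    priority: int        # priority given on `bind dns global`


@dataclass
class GSLBServiceWithViews:
    name: str
    ip: str                                                 # default answer
    view_ips: Dict[str, str] = field(default_factory=dict)  # view -> IP


def policy_matches(policy: DNSPolicy, client_ip: str) -> bool:
    """Evaluate the policy expression against the client source address."""
    m = _IN_SUBNET.match(policy.expression)
    if not m:
        raise ValueError(f"unsupported expression: {policy.expression}")
    network = ipaddress.ip_network(m.group(1), strict=False)
    return ipaddress.ip_address(client_ip) in network


def select_view(policies: List[DNSPolicy], client_ip: str) -> Optional[str]:
    """The first matching policy in priority order (lowest number first) wins;
    None means no view applies to this client."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy_matches(policy, client_ip):
            return policy.view
    return None


def resolve(service: GSLBServiceWithViews, policies: List[DNSPolicy],
            client_ip: str) -> str:
    """IP returned for `service` after the LB method has chosen it: the
    view-specific address when a view applies and is bound to the service,
    otherwise the service's default address."""
    view = select_view(policies, client_ip)
    if view is not None and view in service.view_ips:
        return service.view_ips[view]
    return service.ip


# Constructed configuration, following the guide's example values.
POLICIES = [DNSPolicy("policy-GSLB-1", "CLIENT.IP.SRC.IN_SUBNET(10.102.29.0/24)",
                      "privatesubnet", 10)]
SERVICE = GSLBServiceWithViews("service-GSLB-10", "1.1.1.1",
                               {"privatesubnet": "10.102.29.103"})
SERVICE_NO_VIEW = GSLBServiceWithViews("service-GSLB-20", "1.1.1.2")

if __name__ == "__main__":
    for client in ("10.102.29.55", "203.0.113.9"):
        print(client, "->", resolve(SERVICE, POLICIES, client))
```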
1. Create the DNS policy. For information about configuring DNS policies, see Creating DNS Policies, on page 592.
2. Bind the policy globally. For information about binding the policy globally, see Binding and Unbinding a DNS Policy, on page 594.
3. Create a GSLB service. For information about creating a GSLB service, see Creating a GSLB Service, on page 519.
4. Bind the GSLB service to the GSLB vserver. For information about binding the GSLB service to the GSLB vserver, see Binding the GSLB Service to the GSLB Vserver, on page 521.
5. Bind a domain to the GSLB vserver. For information about binding the domain to the GSLB vserver, see Binding a Domain to a GSLB Vserver, on page 522.
6. Associate DNS policy with DNS view. The following procedure describes steps to bind the DNS policy to the view. In the following procedure, a DNS view called private is created and the configured DNS policy, policy-GSLB-1, is linked to it.
To associate DNS policy with DNS view using the configuration utility
1.
2.
3.
4.
5.
To associate DNS policy with DNS view using the NetScaler command line
Example
set dns policy policy-GSLB-1 -view privatesubnet
Interface Throughput
This example illustrates how to configure DNS views on the NetScaler based on
throughput. The NetScaler returns a true message to the client if the throughput is
greater than zero, and a false message if the throughput is less than zero.
The next procedure in the example scenario adds a DNS policy named
CLIENT.INTERFACE.RXTHROUGHPUT>=0 to the NetScaler. If the value of
the throughput is greater than zero, the private IP address 1.1.1.1 is returned. If
the value of the throughput is less than 0, the IP address 10.102.4.153 is returned.
The steps to configure the sample scenario are:
1. Create the DNS policy. For information about configuring DNS policies, see Creating DNS Policies, on page 592.
2. Bind the policy globally. For information about binding the policy globally, see Binding and Unbinding a DNS Policy, on page 594.
3. Create a GSLB service. For information about creating a GSLB service, see Creating a GSLB Service, on page 519.
4. Create a GSLB vserver. For information about binding the GSLB service to the GSLB vserver, see Creating a GSLB Vserver, on page 520.
5. Bind the GSLB service to the GSLB vserver. For information about binding the GSLB service to the GSLB vserver, see Binding the GSLB Service to the GSLB Vserver, on page 521.
6. Bind a domain to the GSLB vserver. For information about binding the domain to the GSLB vserver, see Binding a Domain to a GSLB Vserver, on page 522.
7. Associate the DNS policy and GSLB service with the DNS view. The following procedure describes steps to bind the DNS policy and GSLB service to the view.
1.
2.
3.
4.
5.
To associate DNS policy with DNS view using the NetScaler command line
Example
set dns policy policy-GSLB-1 -view private
In the following procedure, the DNS view, private, is linked to the configured GSLB service, service-GSLB-20.
To associate GSLB service with DNS view using the configuration utility
1.
2. In the Configure GSLB Service dialog box, click the Views tab.
3.
4.
To associate GSLB service with DNS view using the NetScaler command line
Example
bind gslb service service-GSLB-20 -viewname private 1.1.1.1
2. Create two sites (local and remote) as shown in the entity diagram.
3.
4. Create the ADNS services and bind www.abc.com to the GSLB vserver in the local site.
5. Create a load balancing setup with the same VIP as the GSLB service.
To review the instructions for creating these entities, see Configuring a Basic Setup, on page 513.
The following table summarizes the names and values of the entities that you must configure on the NetScaler.
Example Entities for a Basic GSLB Setup

Site name        Entity type             Name            IP address     Protocol  Port
site-1 (Local)   GSLB Vserver            vserver-GSLB-1  NA             NA        NA
                 GSLB Service            service-GSLB-1  NA             NA        NA
                 Load Balancing Vserver  vserver-LB-1    10.102.29.62   HTTP      80
                 Services                service-HTTP-1  10.102.29.3    HTTP      80
                                         service-HTTP-2  10.102.29.70   HTTP      80
                                         service-ADNS-1  10.102.29.61   ADNS      53
                 Domain                  www.abc.com     NA             NA        NA
site-2 (Remote)  GSLB Vserver            vserver-GSLB-2  NA             NA        NA
                 GSLB Service            service-GSLB-2  NA             NA        NA
                 Load Balancing Vserver  vserver-LB-2    10.102.29.172  HTTP      80
                 Services                service-HTTP-3  10.102.29.8    HTTP      80
                                         service-HTTP-4  10.102.29.9    HTTP      80
                                         service-ADNS-2  10.102.29.171  ADNS      53
1.
2.
3. On the Advanced tab, in the Backup VServer drop-down list box, select vserver-GSLB-2.
4. Click OK.
Example
set gslb vserver vserver-GSLB-1 -backupVServer vserver-GSLB-2
If you want the traffic to be directed to the backup vserver even after Site-1 becomes active, select the Disable Primary When down check box in the Configure GSLB Virtual Server dialog box.
The following diagram describes the entities that need to be configured for this scenario.
2.
3.
4.
5. In this setup, both Site-1 and Site-2 are active and host the domain www.abc.com. Create a load balancing setup with the same VIP as the GSLB service.
For detailed instructions to create these entities, see the section, Configuring a
Basic Setup, on page 513. The following table summarizes the names and values
of the entities that you must configure on the NetScaler.
Example Entities for Active-Active Disaster Recovery

Site name        Entity type             Name            IP address     Protocol  Port
site-1 (Local)   GSLB Vserver            vserver-GSLB-1  NA             NA        NA
                 GSLB Service            service-GSLB-1  NA             NA        NA
                 Load Balancing Vserver  vserver-LB-1    10.102.29.62   HTTP      80
                 Services                service-HTTP-1  10.102.29.3    HTTP      80
                                         service-HTTP-2  10.102.29.70   HTTP      80
                                         service-ADNS-1  10.102.29.61   ADNS      53
                 Domain                  www.abc.com     NA             NA        NA
site-2 (Remote)  GSLB Vserver            vserver-GSLB-2  NA             NA        NA
                 GSLB Service            service-GSLB-2  NA             NA        NA
                 Load Balancing Vserver  vserver-LB-2    10.102.29.172  HTTP      80
                 Services                service-HTTP-3  10.102.29.8    HTTP      80
                                         service-HTTP-4  10.102.29.9    HTTP      80
                                         service-ADNS-2  10.102.29.171  ADNS      53
                 Domain                  www.abc.com     NA             NA        NA
The following diagram describes the entities that need to be configured for this scenario.
Entity diagram
The steps to implement this scenario are:
1.
2. Create two sites (local and remote) as shown in the entity diagram.
3.
4.
5. Create the ADNS services and bind www.abc.com to the GSLB vserver in the local and remote site.
6. Create a load balancing setup with the same VIP as the GSLB service.
For complete instructions to create these entities, see the section Configuring a
Basic Setup, on page 513. The following table summarizes the names and values
of the entities that you need to configure on the NetScaler.
Example Entities for Weighted Round Robin Recovery

Site name        Entity type             Name            IP address     Protocol  Port
site-1 (Local)   GSLB Vserver            vserver-GSLB-1  NA             NA        NA
                 GSLB Service            service-GSLB-1  NA             NA        NA
                 Load Balancing Vserver  vserver-LB-1    10.102.29.62   HTTP      80
                 Services                service-HTTP-1  10.102.29.3    HTTP      80
                                         service-HTTP-2  10.102.29.70   HTTP      80
                                         service-ADNS-1  10.102.29.61   ADNS      53
                 Domain                  www.abc.com     NA             NA        NA
site-2 (Remote)  GSLB Vserver            vserver-GSLB-2  NA             NA        NA
                 GSLB Service            service-GSLB-2  NA             NA        NA
                 Load Balancing Vserver  vserver-LB-2    10.102.29.172  HTTP      80
                 Services                service-HTTP-3  10.102.29.8    HTTP      80
                                         service-HTTP-4  10.102.29.9    HTTP      80
                                         service-ADNS-2  10.102.29.171  ADNS      53
                 Domain                  www.abc.com     NA             NA        NA
The following procedure describes the steps to set the weights of load balancing services to two.
To set a vserver to assign weights to services using the configuration utility
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2.
3. In the Weights spin box, type or select the weight of a service (for example, 4 next to Service-HTTP-1).
4. Click OK.
Example
set lb vserver Vserver-LB-1 -weight 4 Service-HTTP-1
The following procedure describes the steps to set the weights of GSLB services to 4.
To add weights to the GSLB services using the configuration utility
1.
2.
3.
4.
To add weights to the GSLB services using the NetScaler command line
Example
set gslb vserver Vserver-GSLB-1 -serviceName Service-GSLB-1 -weight 1
1.
2.
3.
4. Click OK.
5.
Example
set gslb vserver Vserver-GSLB-1 -dynamicWeight ServiceWeight
The following diagram describes the entities that need to be configured for this scenario.
2. Create two sites (local and remote) as shown in the entity diagram.
3.
4.
5. Create the ADNS services and bind www.abc.com to the GSLB vserver in the local and remote site.
6. Create a load balancing setup with the same VIP as the GSLB service.
For detailed instructions to create these entities, see the section Configuring a Basic Setup.
The following table summarizes the names and values of the entities that you need to configure on the NetScaler.
Example Entities for Recovery Using Data Center Persistence

Site Name        Entity Type             Name            IP address     Protocol  Port
site-1 (Local)   GSLB Vserver            vserver-GSLB-1  NA             NA        NA
                 GSLB Service            service-GSLB-1  NA             NA        NA
                 Load Balancing Vserver  vserver-LB-1    10.102.29.62   HTTP      80
                 Services                service-HTTP-1  10.102.29.3    HTTP      80
                                         service-HTTP-2  10.102.29.70   HTTP      80
                                         service-ADNS-1  10.102.29.61   ADNS      53
                 Domain                  www.abc.com     NA             NA        NA
site-2 (Remote)  GSLB Vserver            vserver-GSLB-2  NA             NA        NA
                 GSLB Service            service-GSLB-2  NA             NA        NA
                 Load Balancing Vserver  vserver-LB-2    10.102.29.172  HTTP      80
                 Services                service-HTTP-3  10.102.29.8    HTTP      80
                                         service-HTTP-4  10.102.29.9    HTTP      80
                                         service-ADNS-2  10.102.29.171  ADNS      53
                 Domain                  www.abc.com     NA             NA        NA
1.
2.
3.
4.
5.
6. Click OK.
Example
set gslb service service-GSLB-1 -sitePersistence HTTPRedirect -sitePrefix vserver-GSLB-1
The following diagram describes the entities that need to be configured for this scenario.
2.
The following table summarizes the names and values of the entities that you need to configure on the NetScaler.
Examples of Entities for GSLB Using Dynamic Method

Site name        Entity type             Name            IP address     Protocol  Port
site-1 (Local)   GSLB Vserver            vserver-GSLB-1  NA             NA        NA
                 GSLB Service            service-GSLB-1  NA             NA        NA
                 Load Balancing Vserver  vserver-LB-1    10.102.29.62   HTTP      80
                 Services                service-HTTP-1  10.102.29.3    HTTP      80
                                         service-HTTP-2  10.102.29.70   HTTP      80
                                         service-ADNS-1  10.102.29.61   ADNS      53
                 Domain                  www.abc.com     NA             NA        NA
site-2 (Remote)  GSLB Vserver            vserver-GSLB-2  NA             NA        NA
                 GSLB Service            service-GSLB-2  NA             NA        NA
                 Load Balancing Vserver  vserver-LB-2    10.102.29.172  HTTP      80
                 Services                service-HTTP-3  10.102.29.8    HTTP      80
                                         service-HTTP-4  10.102.29.9    HTTP      80
                                         service-ADNS-2  10.102.29.171  ADNS      53
                 Domain                  www.abc.com     NA             NA        NA
1.
2.
3.
4. Click OK.
5.
Example
set gslb vserver vserver-GSLB-1 -lbMethod RTT
The following diagram describes the entities that need to be configured for this scenario.
2.
The following table summarizes the names and values of the entities that you need to configure on the NetScaler.
Examples of Entities for GSLB Using Static Proximity

Site name        Entity type             Name            IP address     Protocol  Port
site-1 (Local)   GSLB Vserver            vserver-GSLB-1  NA             NA        NA
                 GSLB Service            service-GSLB-1  NA             NA        NA
                 Load Balancing Vserver  vserver-LB-1    10.102.29.62   HTTP      80
                 Services                service-HTTP-1  10.102.29.3    HTTP      80
                                         service-HTTP-2  10.102.29.70   HTTP      80
                                         service-ADNS-1  10.102.29.61   ADNS      53
                 Domain                  www.abc.com     NA             NA        NA
site-2 (Remote)  GSLB Vserver            vserver-GSLB-2  NA             NA        NA
                 GSLB Service            service-GSLB-2  NA             NA        NA
                 Load Balancing Vserver  vserver-LB-2    10.102.29.172  HTTP      80
                 Services                service-HTTP-3  10.102.29.8    HTTP      80
                                         service-HTTP-4  10.102.29.9    HTTP      80
                                         service-ADNS-2  10.102.29.171  ADNS      53
                 Domain                  www.abc.com     NA             NA        NA
1.
2.
3.
4.
5.
6.
Example
add location 192.168.100.1 192.168.100.10 *.us.ca.mycity
1.
2.
3. Click Open. The Configure GSLB Virtual Server dialog box appears.
4. On the Method and Persistence tab, under Choose Method, select Static Proximity.
5. Click OK.
Example
set gslb vserver vserver-GSLB-1 -lbMethod StaticProximity
The following diagram describes the entities that need to be configured for this scenario.
2.
3.
1.
2.
3.
4.
5.
6.
Example
add location 1.1.1.1 1.1.1.10 *.us.ca.mycity
The following procedure sets the GSLB algorithm to static proximity. This is configured on Site-1.
To configure static proximity using the configuration utility
1.
2.
3. On the Method and Persistence tab, under Choose Method, select Static Proximity.
4. Click OK.
Example
set gslb vserver vserver-GSLB-1 -lbMethod StaticProximity
1.
2.
3.
4. Click OK.
5. Repeat steps 2-4 to set the virtual server vserver-GSLB-3 to dynamic RTT method.
Example
set gslb vserver vserver-GSLB-1 -lbMethod RTT
If the configuration consists of a single aggregator, you need not configure any
borders. The following diagram shows the GSLB mesh configuration.
In this scenario, Aggregator 1 represents the GSLB sites, site 1 and site 2. In
addition, aggregator and border sites serve as remote GSLB sites for the GSLB
sites they represent. As a result, the propagation of MEP messages is limited to
the border and this reduces configuration overhead. This is illustrated in the
following diagram.
Topology Diagram
The steps to implement this scenario are:
1.
2.
3.
4.
For detailed instructions and an entity diagram to create the border site, aggregator, and sites, see Configuring a Basic Setup, on page 513.
Site         Entity type             Name                   IP address     Protocol  Port
Border site  ADNS Service            service-ADNS-1         10.102.29.51   ADNS      53
             Load Balancing Vserver  vserver-HTTP-1         10.102.29.222  HTTP      80
             Service                 service-HTTP-1         10.102.29.193  HTTP      80
             GSLB Site               site-AGG-1 (remote)    10.102.29.202  NA        NA
                                     site-AGG-2 (remote)    10.102.29.76   NA        NA
             GSLB Site               site-border-1 (local)  10.102.29.40   NA        NA
             GSLB Vserver            vserver-GSLB-1         NA             HTTP      NA
             Domain                  www.mycompany.com      NA             NA        NA
             GSLB Service            service-AGG1-1         10.102.29.60   NA        NA
                                     service-AGG1-2         10.102.29.61   NA        NA
                                     service-AGG1-2         10.102.29.62   NA        NA
                                     service-AGG2-1         10.102.29.63   NA        NA
                                     service-AGG2-2         10.102.29.64   NA        NA
                                     service-AGG2-3         10.102.29.65   NA        NA
                                     service-border-1       10.102.29.66   NA        NA
In this configuration, the load balancing service is bound to the load balancing vserver, and all the GSLB services are bound to the GSLB vserver.
The following procedure describes the steps to configure the required settings for the GSLB vserver.
To configure the GSLB vserver using the configuration utility
1.
2.
3.
4.
5. On the Method and Persistence tab, under Choose Method, select Round Robin.
6. On the Advanced tab, select the Do not send any services IP Address in Response (EDR) and Send all active service IPs in response (MIR) check boxes.
7.
Example
add gslb vserver vserver-GSLB-1 HTTP -lbMethod RoundRobin -EDR enabled -MIR enabled
The following procedure describes the steps to bind a domain to the GSLB
vserver.
To bind the domain to the GSLB vserver using the configuration utility
1.
2.
3.
In the Configure GSLB Virtual Server dialog box, on the Domains tab,
click Add.
4.
5.
Click Create.
6.
Example
bind gslb vserver vserver-GSLB-1 -domainName www.mycompany.com
Site name   | Entity type            | Name                   | IP address    | Protocol | Port
Border site | Load Balancing Vserver | vserver-HTTP-1         | 10.102.29.222 | HTTP     | 80
            | Service                | service-HTTP-1         | 10.102.29.193 | HTTP     | 80
            | GSLB Site              | site-1 (remote)        | 10.102.29.195 | NA       | NA
            | GSLB Site              | site-2 (remote)        | 10.102.29.70  | NA       | NA
            | GSLB Site              | site-border-2 (remote) | NA            | NA       | NA
            | GSLB Site              | site-AGG-1 (local)     | 10.102.29.202 | NA       | NA
            | GSLB Vserver           | vserver-GSLB-1         | NA            | NA       | NA
            | GSLB Service           | service-AGG1-3         | NA            | NA       | NA
            | GSLB Service           | service-AGG1-4         | NA            | NA       | NA
This configuration requires that you bind the load balancing service to the load
balancing vserver. Therefore, while configuring the GSLB vserver, select the
following check boxes: Do not send any services IP Address in Response (EDR)
and Send all active service IPs in response (MIR).
Site name   | Entity type            | Name                   | IP address    | Protocol | Port
Border site | Load Balancing Vserver | vserver-HTTP-1         | 10.102.29.222 | HTTP     | 80
            | Service                | service-HTTP-1         | 10.102.29.193 | HTTP     | 80
            | GSLB Site              | site-3 (remote)        | 10.102.29.5   | NA       | NA
            | GSLB Site              | site-AGG-6 (remote)    | 10.102.29.76  | NA       | NA
            | GSLB Site              | site-border-3 (remote) | NA            | NA       | NA
            | GSLB Site              | site-AGG-2 (local)     | 10.102.29.76  | NA       | NA
            | GSLB Vserver           | vserver-GSLB-3         | NA            | NA       | NA
            | GSLB Service           | service-AGG1-5         | NA            | NA       | NA
In this configuration, bind the load balancing service to the load balancing
vserver. Select the Do not send any services IP Address in Response (EDR) and
Send all active service IPs in response (MIR) check boxes while configuring
the GSLB vserver.
Site name | Entity type            | Name                 | IP address    | Protocol | Port
site-1    | Load Balancing Vserver | vserver-HTTP-11      | 10.102.29.222 | HTTP     | 80
          | Service                | service-HTTP-11      | 10.102.29.193 | HTTP     | 80
          | GSLB Site              | site-GSLB-1 (local)  | 10.102.29.202 | NA       | NA
          | GSLB Site              | site-GSLB-2 (remote) | 10.102.29.76  | NA       | NA
The following table summarizes the names and values of the entities that must be
configured on the NetScaler for site-2.
Example of Entities for Configuring Site 2
Site name | Entity type            | Name                  | IP address    | Protocol | Port
site-2    | Load Balancing Vserver | vserver-HTTP-22       | 10.102.29.222 | HTTP     | 80
          | Service                | service-HTTP-22       | 10.102.29.193 | HTTP     | 80
          | GSLB Site              | site-GSLB-21 (local)  | 10.102.29.202 | NA       | NA
          | GSLB Site              | site-GSLB-22 (remote) | 10.102.29.76  | NA       | NA
The following table summarizes the names and values of the entities that must be
configured on the NetScaler for site-3.
Example of Entities for Configuring Site 3
Site name | Entity type            | Name                  | IP address    | Protocol | Port
site-2    | Load Balancing Vserver | vserver-HTTP-33       | 10.102.29.222 | HTTP     | 80
          | Service                | service-HTTP-33       | 10.102.29.193 | HTTP     | 80
          | GSLB Site              | site-GSLB-31 (local)  | 10.102.29.202 | NA       | NA
          | GSLB Site              | site-GSLB-32 (remote) | 10.102.29.76  | NA       | NA
In this configuration, in each site, you need to bind the load balancing service to
the load balancing vserver. You also need to disable session exchange and metric
exchange on all the local GSLB sites.
[Table; column headers were not recovered from the page. Cells in reading order: DNS configuration: Optional, Optional; Load Balancing configuration: Optional, Required; GSLB configuration: Required; Basic configuration required: Required, Required]
Step 2. When the browser cache on the client expires, the client sends a fresh
DNS request. This time, the NetScaler resolves the request to a different data
center. The client sends an HTTP request to the different data center with the site
cookie in the header. In the diagram, Child-Site-2 receives the client request with
the cookie of Child-Site-1.
Step 3. The NetScaler on the load balancing site requests the redirect URL
from the parent site through MEP. In the diagram, Child-Site-2 requests the
redirect URL (domain and GSLB vserver name of Child-Site-1) from Parent-Site-2.
Step 4. The NetScaler on the load balancing site then redirects the client to the
original data center if the GSLB service and the GSLB vserver corresponding to
the site cookie and the domain are available and UP. In the diagram, Child-Site-2
redirects the client to Child-Site-1.
Step 5. The client then sends an HTTP request to the original data center.
The topology and MEP exchange are similar to those of the HTTP redirect
persistence type. The following steps correspond to the arrows in the diagram,
Flow of connection proxy in GSLB hierarchy, on page 641.
Step 1. The client sends an HTTP request to the data center. While responding to
the request, the NetScaler at the data center inserts a site cookie in the response
header.
Step 2. When the browser cache on the client expires, the client sends a fresh
DNS request. This time, the NetScaler resolves the request to a different data
center. The client sends an HTTP request to the different data center with the site
cookie in the header. In the diagram, Child-Site-2 receives the client request with
the cookie of Child-Site-1.
Step 3. The NetScaler on the load balancing site requests the remote service
information from the parent site through MEP. In the diagram, Child-Site-2
requests a site cookie from Parent-Site-2.
Step 4. The NetScaler on the load balancing site opens a connection to the
original data center and then works as a proxy for the original data center if the
GSLB service and the GSLB vserver corresponding to the site cookie and domain
are UP and available. In the diagram, Child-Site-2 opens a connection to
Child-Site-1 and functions as a proxy.
Step 5. The subsequent client requests are forwarded to the original data center.
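The two flows above can be traced in the following Python model, which is an added example and not code from the guide or from NetScaler: a child site receives a request carrying another site's cookie, confirms that site through the parent over MEP, and then either redirects or proxies. The cookie name, the site names and the dictionary-based MEP lookup are assumptions.

```python
# Added example (not from the NetScaler guide): GSLB site persistence as seen by a
# child (load balancing) site, in both HTTP redirect and connection proxy modes.
from dataclasses import dataclass
from typing import Optional

SITE_COOKIE = "NSC_GSLB_SITE"   # assumed cookie name; the guide only says "site cookie"


@dataclass
class ChildSite:
    name: str            # e.g. Child-Site-1
    domain: str          # GSLB domain the site serves
    gslb_vserver: str    # GSLB vserver name the parent knows it by
    up: bool = True      # GSLB service and vserver for this site are UP


class ParentSite:
    """Parent GSLB site. Children reach it through MEP to look up other children."""

    def __init__(self, children):
        self.children = {c.name: c for c in children}

    def mep_lookup(self, site_name: str) -> Optional[ChildSite]:
        # Step 3: the child asks for the remote site's domain, GSLB vserver and state.
        return self.children.get(site_name)


def site_from_cookie(cookie_header: str) -> Optional[str]:
    """Extract the site name from the Cookie header; anything malformed is ignored."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == SITE_COOKIE and value:
            return value
    return None


def serve_locally(local: ChildSite) -> dict:
    # Step 1: respond and insert (or refresh) the site cookie for this data center.
    return {"status": 200, "served_by": local.name,
            "set_cookie": f"{SITE_COOKIE}={local.name}"}


def handle_request(local: ChildSite, parent: ParentSite, mode: str, headers: dict) -> dict:
    """mode is the Site Persistence Type: 'HTTPRedirect' or 'ConnectionProxy'."""
    origin = site_from_cookie(headers.get("Cookie", ""))
    if origin is None or origin == local.name:
        return serve_locally(local)
    # Step 2 has happened: DNS pointed the client here, but the cookie names another
    # site. The cookie is client-supplied, so it is acted on only after the parent
    # confirms that site, its domain and its state (Step 3).
    target = parent.mep_lookup(origin)
    if target is None or not target.up or target.domain != local.domain:
        # Original site unknown or not UP: keep the client here, overwrite the cookie.
        return serve_locally(local)
    # Step 4
    if mode == "HTTPRedirect":
        return {"status": 302, "redirect_to": target.name,
                "redirect_vserver": target.gslb_vserver}
    if mode == "ConnectionProxy":
        # Step 5: this and later requests are forwarded over the proxied connection.
        return {"status": 200, "served_by": target.name, "proxied_by": local.name}
    raise ValueError(f"unknown site persistence type: {mode}")


if __name__ == "__main__":
    c1 = ChildSite("Child-Site-1", "www.mycompany.com", "vserver-GSLB-1")
    c2 = ChildSite("Child-Site-2", "www.mycompany.com", "vserver-GSLB-2")
    parent = ParentSite([c1, c2])
    hdr = {"Cookie": f"{SITE_COOKIE}=Child-Site-1"}
    print(handle_request(c2, parent, "HTTPRedirect", hdr))
    print(handle_request(c2, parent, "ConnectionProxy", hdr))
```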
1.
2.
In the details pane, click Add. In the Name and Site IP address text boxes,
type the name and IP address of the GSLB site (for example, Site-LB-3 and
192.168.10.1).
3.
In the Parent Site list box, select the parent GSLB site (for example,
Site-GSLB-1) and click OK.
To create the parent GSLB site using the NetScaler command line
Example
add gslb site Site-GSLB-1 190.100.21.1
add gslb site Site-LB-3 192.168.10.1 -parentSite Site-GSLB-1
1.
In the navigation pane, click System, expand Settings, and then click
Diagnostics.
2.
3.
In the GSLB Running Configuration dialog box, select and copy all the
commands.
4.
Click Close.
Example
show gslb runningConfig
Select and copy the output of this command. After copying the commands from
the local NetScaler, use the configuration utility of the remote NetScaler and
paste the configurations onto the remote NetScaler.
1.
2.
3.
In the Batch Configuration dialog box, select Paste Commands and paste
the commands into the text area.
4.
Enable MEP
Ensure that the local site is a GSLB site and the remote site is a load
balancing site that is a child of the local GSLB site.
Note: The service level settings (such as client IP and SSL settings) are not
exchanged through MEP. Therefore, you need to configure the remote GSLB
services locally on the load balancing site and apply the required settings.
1.
2.
In the details pane, select the service on which you want to configure
persistence (for example, Service-GSLB-1) and click Open.
3.
In the Configure GSLB Service dialog box, click the Advanced tab.
4.
Under Site Persistence Type, select Connection Proxy and click OK.
For more information about load monitors and metric tables, see Chapter 1,
Load Balancing.
The topology for GSLB based on number of Access Gateway users is described
in the following diagram.
The following diagram shows a sample of the GSLB entities that need to be
configured for this scenario.
1.
Create two sites (local and remote) as shown in the entity diagram.
2.
3.
For instructions on configuring the above steps, see Configuring a Basic Setup,
on page 513. Then, you must create Access Gateway vservers for Access
Gateway usage.
To create Access Gateway vservers, you must perform the following procedures:
1.
2.
For more information about Access Gateway configuration, see the Citrix Access
Gateway Enterprise Edition Administrator's Guide.
1.
2.
In the details pane, under Modes and Features, click Change basic
features.
3.
In the Configure Basic Features dialog box, select the Access Gateway
check box, and then click OK.
Example
enable ns feature sslvpn
1.
In the navigation pane, expand Access Gateway and click Virtual Servers.
2.
3.
In the Create Access Gateway Virtual Server dialog box, in the Name,
IP Address, and Port text boxes, type the name of the vserver, IP address,
and port (for example, Vserver-VPN-1, 10.102.29.100, and 443).
4.
5.
Example
add vpn vserver Vserver-VPN-1 SSL 10.102.29.100 443
1.
In the navigation pane, expand Load Balancing and click Metric Tables.
2.
3.
In the Create Metric Table dialog box, in the Metric Table Name,
Metrics, and SNMP OID text boxes, type the appropriate name of the
metric table, metrics, and SNMP OID (for example, Table-Custom-1,
CountVPNUsers, and 1.3.6.1.4.1.5951.4.1.3.1.1.49.5.8.20.20.16.22).
4.
To create a metric table and bind metrics to the metric table using the
NetScaler command line
Example
add lb metricTable Table-Custom-1
bind lb metricTable Table-Custom-1 CountVPNUsers 1.3.6.1.4.1.5951.4.1.3.1.1.49.5.8.20.20.16.22
1.
2.
In the details pane, click Add. In the Create Monitor dialog box, in the
Name and Interval text boxes type the name and interval value of the
monitor (for example, Monitor-Load-1 and 340).
3.
In the Type list and list next to the Interval text box, select the type of the
monitor and units of time (for example, Load and Seconds).
4.
On the Special Parameters tab, in the Metric Table drop-down list, select
the appropriate metric table (for example, Metric-Table-1).
5.
In the SNMP Community text box, type the name of the community (for
example, Community-1) and click Add.
6.
In the Available Metrics list, select the metric table (for example,
Metric-Table-1) and click Add. In the Configured Metrics list, double-click
the Threshold box and type 5.
7.
Example
add lb monitor Monitor-Load-1 LOAD -snmpCommunity Community-1
bind lb monitor Monitor-Load-1 -metric Metric-Table-1 -metricThreshold 5
To bind the monitor to the GSLB service using the configuration utility
1.
2.
In the Configure GSLB Service dialog box, on the Monitoring tab, under
Available Monitors, click the monitor you want to bind to the service (for
example, Monitor-Load-1), and then click Add.
3.
Click OK.
To bind the monitor to the GSLB service using the NetScaler command line
Example
bind gslb service Service-GSLB-1 -monitorName Monitor-Load-1
1.
2.
In the details pane, click the name of the virtual server you want to
configure (for example, Vserver-GSLB-1), and then click Open.
3.
In the Configure GSLB Virtual Server dialog box, on the Method and
Persistence tab, under Choose Method, click Custom Load.
4.
Click OK.
To configure the custom load LB method using the NetScaler command line
Example
set gslb vserver Vserver-GSLB-1 -lbMethod CUSTOMLOAD
1.
2.
3.
In the Create Monitor dialog box, in the Name and Interval text boxes
type the name and interval value of the monitor (for example,
Monitor-Load-1 and 340).
4.
In the Type list and list next to the Interval text box, select the type of the
monitor and units of time (for example, Load and Seconds).
5.
Example
add lb monitor Monitor-Load-1 LOAD
1.
2.
In the details pane, select the monitor (for example, Monitor-Load-1), and
then click Open.
3.
4.
Under Available Metrics, click AAAUsers, and then click Add. In the
Configured Metrics list, double-click the Threshold box, and type the
threshold (for example, 5).
5.
Click OK.
To bind metrics to the load monitor using the NetScaler command line
Example
bind lb monitor Monitor-Load-1 -metric AAAUsers -metricThreshold 5
1.
2.
In the details pane, click the service to which you want to bind the monitor
(for example, Service-GSLB-1), and then click Open.
3.
In the Configure GSLB Service dialog box, on the Monitoring tab, under
Available Monitors, click the monitor you want to bind to the service (for
example, Monitor-Load-1), and then click Add.
4.
Click OK.
Example
bind gslb service Service-GSLB-1 -monitorName Monitor-Load-1
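The following Python model is an added example (not from the guide) of how the load monitor, metric and threshold configured above feed the Custom Load method: each site's polled metric is compared with its threshold, and the GSLB service with the lowest load is chosen. The load formula and the rule that a site over its threshold is not selectable are modeling assumptions, and the polled values are constructed.

```python
# Added example (not from the NetScaler guide): a LOAD monitor with a bound metric
# and threshold feeding the Custom Load GSLB method.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MetricBinding:
    metric: str        # metric name from the metric table, e.g. AAAUsers, CountVPNUsers
    threshold: float   # "Threshold" value typed into the Configured Metrics list
    weight: float = 1.0


@dataclass
class LoadMonitor:
    name: str
    metrics: list = field(default_factory=list)

    def evaluate(self, snmp_values: dict):
        """Turn one SNMP poll of a site into (load, selectable).

        snmp_values maps metric name -> polled value. A missing metric is treated
        as a failed probe; a value above its threshold makes the site unselectable
        (modeling assumption). Load is the weighted sum of value/threshold.
        """
        load = 0.0
        for m in self.metrics:
            value = snmp_values.get(m.metric)
            if value is None:
                return None, False
            if value > m.threshold:
                return value, False
            load += m.weight * value / m.threshold
        return load, True


def custom_load_select(gslb_services: dict, monitor: LoadMonitor, polled: dict) -> Optional[str]:
    """Pick the GSLB service with the lowest load among those still selectable.

    gslb_services: service name -> site IP; polled: service name -> SNMP values.
    Returns None when no site is selectable (every site is over threshold or unpolled).
    """
    best_name, best_load = None, None
    for name in gslb_services:
        load, ok = monitor.evaluate(polled.get(name, {}))
        if ok and (best_load is None or load < best_load):
            best_name, best_load = name, load
    return best_name


def aaa_users_monitor() -> LoadMonitor:
    """Monitor-Load-1 as in the procedure above: metric AAAUsers, threshold 5."""
    return LoadMonitor("Monitor-Load-1", [MetricBinding("AAAUsers", 5)])


if __name__ == "__main__":
    services = {"Service-GSLB-1": "10.102.29.60", "Service-GSLB-2": "10.102.29.61"}
    polled = {"Service-GSLB-1": {"AAAUsers": 3}, "Service-GSLB-2": {"AAAUsers": 1}}
    print(custom_load_select(services, aaa_users_monitor(), polled))
```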
Requirements
Before you begin the configuration:
Make sure that the GSLB and Access Gateway licenses are available on
your Citrix NetScaler. If these licenses are not available on your NetScaler,
please contact your Citrix sales representative or Citrix Customer Service at
http://citrix.com/. On the Support menu, click Customer Service.
Enable the Load Balancing, GSLB, and Access Gateway features on the
NetScaler.
Components Used
Configurations in this document use the following NetScaler and XenDesktop
components:
Citrix XenDesktop
Note: You can alternatively use Access Gateway Standard Edition (AGSE),
Access Gateway Advanced Edition (AGAE), or Access Gateway Enterprise
Edition (AGEE) for the Access Gateway feature. NetScaler provides monitoring
support for these components too.
The following five steps summarize how GSLB works in this example. The
numbers in the diagram provide a visual aid for tracing the data flow through the
five steps.
Step 1. A user enters a query for a domain hosting a particular virtual desktop. If
the user's browser does not find an IP address for the domain in its local cache, it
sends a request to the client DNS server.
Step 2. If the local DNS server does not have an IP address for the requested
domain, it sends a query to a NetScaler configured as an authoritative name
server for the domain. In the diagram, this could be either NetScaler, but in this
case the query is sent to the NetScaler at Data Center 1.
Step 3. By default, the NetScaler uses the dynamic proximity method (RTT
method) to select the best performing data center. In using this method, the
NetScaler uses the proprietary Metric Exchange Protocol (MEP) to exchange
RTT values between participating sites and determine the data center with the
smallest round trip time (RTT) metric. Alternatively, you can configure the
NetScaler to select the data center by using the round robin method. To prevent a
client from being directed to a data center that hosts unavailable components, the
NetScaler selects the data center only if the Web Interface server, Desktop
Delivery Controller server, and Access Gateway vserver are available. In the
diagram, the NetScaler at Data Center 1 selects Data Center 2 as the best
performing site. It then sends the client the IP address of the VPN vserver at Data
Center 2 (192.168.22.1), and a connection is established from the client system to
the NetScaler at Data Center 2.
Step 4. The client uses HTTPS to request an application through the tunnel. The
NetScaler uses an optimal load balancing method to select a Web Interface server
and sends the HTTP request to the Web Interface server. If the selected server is
unavailable or sends an invalid response, the NetScaler selects a different Web
Interface server (unless none is available, in which case the NetScaler does not
select the site for GSLB).
Step 5. After the Web Interface server provides a valid response, the NetScaler
uses a load balancing method to select a Desktop Delivery Controller server and
sends an HTTP request to the Desktop Delivery Controller server. If the selected
server is unavailable or sends an invalid response, the NetScaler selects a
different Desktop Delivery Controller server (unless none is available, in which
case the NetScaler does not select the site for GSLB). The Desktop Delivery
Controller server dynamically pools and assigns virtual desktops to the client
on-demand, based on appropriate policies, roles, or other criteria. The NetScaler
provides the virtual desktop to the client through the VPN tunnel. The NetScaler
then maintains persistent connections from the client to the virtual desktop and
forwards all subsequent requests to the same server.
Important: The NetScaler performs load balancing and Global Server Load
Balancing only on the Web Interface and Desktop Delivery Controller
components. After the desktop session is established through the Independent
Computing Architecture (ICA) tunnel, the client traffic bypasses the Web Interface
and Desktop Delivery Controller components and the NetScaler.
Topology Diagram
The following diagram shows a typical GSLB setup for XenDesktop.
1.
2.
3.
4.
1.
2.
3.
4.
Note: Alternatively, if you have not configured the vservers using the Load
Balancing Wizard for XenDesktop, you can specify the IP address and port (in
IPAddress:Port format) of the servers in the wizard.
After you configure GSLB on a local site, you need to configure the remote site.
To configure the remote site, you can simply copy the configurations from the
GSLB Running Configuration dialog box of the local site and paste them into the
Batch Configuration dialog box of the remote site.
To copy the NetScaler configurations using the configuration utility
1.
In the GSLB wizard for XenDesktop, on the Summary page, click View
GSLB running configurations.
2.
In the GSLB Running Configuration dialog box, select and copy all the
commands.
3.
Click Close.
After copying the commands from the local NetScaler, use the configuration
utility of the remote NetScaler and paste the configurations onto the remote
NetScaler.
To paste the NetScaler configurations using the configuration utility
1.
2.
3.
In the Batch Configuration dialog box, select Paste Commands and paste
the commands into the text area.
4.
1.
2.
Click Close.
The vserver is DOWN because the service groups bound to it are DOWN. If one
of the services bound to the vserver is UP, the vserver is UP. The service groups
could be DOWN for the following reasons:
1.
In the navigation pane, expand Load Balancing and click Service Groups.
2.
In the details pane, select the service group and click Open.
3.
Troubleshooting
The following table explains some of the common error messages.
Error messages - Causes and Actions
Error message text | Likely cause | User Action
[only the User Action cell of one row survived extraction] | | Select an appropriate vserver or type the IP address and port of the server in IPAddress:Port format.
CHAPTER 9
Link load balancing (LLB) balances inbound and outbound traffic transparently
across multiple Internet connections. It enables an enterprise with more than one
Internet connection, or with a private network, to monitor and control traffic so
that users are routed over the best available Internet link. For example, an
organization can connect to the Internet through two different service providers,
such as Sprint and AT&T.
Note: Link load balancing is not supported in nCore.
In This Chapter
Monitoring Routers
Destination IP-Based Persistence
Load Balancing Policy
Implementing RNAT with Link Load Balancing
Configuring Link Load Balancing
Configuring the Backup Router
Configuring RNAT with Link Load Balancing
Monitoring Routers
The NetScaler monitors configured routers and services bound to the load
balancing route virtual IP address (VIP), assigning a default monitor if none is
configured. The default monitor type is PING, which is also the recommended
monitor type. The NetScaler supports transparent monitoring, which means that
monitored devices can be upstream of the routers.
Note: There is no limit to the number of routers that can be configured.
If the preferred router is up, the server statistics are updated and the server
structure for the selected router is returned. If the preferred router is not
available, the ideal router is selected from the VIP server list based on the load
balancing policy. Link load balancing does not support the least connections load
balancing method.
Link load balancing supports the following load balancing methods:
ROUNDROBIN
DESTINATIONIPHASH
LEASTBANDWIDTH
LEASTPACKETS
DESTINATION IP
2.
3.
Note: The hosts on an enterprise network must have the NetScaler designated
as their gateway.
[Parameter table; the descriptions did not survive extraction]
Parameter            | Specifies
Network              |
Netmask              |
Gateway Name         |
Directly Addressable |
Transparent          |
The following table summarizes sample names and values of the entities used for
configuring the NetScaler.
Sample Configuration for Link Load Balancing
Entity type | Name           | Value
Monitor     | monitor-HTTP-1 | 10.10.10.11
Service     | service-ANY-1  | 10.102.29.50
LB Vserver  | vserver-LB-1   | NA
1.
2.
3.
Create a directly addressable load balancing vserver and bind the service to
the vserver.
4.
5.
1.
In the navigation pane, expand Load Balancing, and then click Monitors.
2.
3.
In the Create Monitor dialog box, in Name, type the name of the monitor
(for example, monitor-HTTP-1).
4.
In the Type drop-down list box, select the type of the monitor (for example,
HTTP).
5.
6.
Example
add lb monitor monitor-HTTP-1 HTTP -destIP 10.10.10.11 -transparent YES
To create a service and bind the monitor to it using the configuration utility
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
3.
In the Create Service dialog box, in the Service Name, Server, and Port
text boxes type the name, IP address, and port of the service (for example,
service-ANY-1, 10.102.29.50, and *).
4.
In the Protocol drop-down list box, select the type of the service (for
example, ANY).
5.
On the Monitors tab, under Available, select the monitor that you want to
bind to the service (for example, monitor-HTTP-1), and then click Add.
6.
To create a service and bind the monitor to it using the NetScaler command
line
Example
add service service-ANY-1 10.102.29.50 ANY *
To create a load balancing vserver and bind the service to it using the
configuration utility
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
3.
In the Create Virtual Servers (Load Balancing) dialog box, in the Name
text box, type the name of the vserver (for example, vserver-LB-1).
4.
In the Protocol drop-down list box, select the type of the vserver (for
example, ANY).
5.
6.
Under the Services tab, in the Active column, select the check box
corresponding to the service that you want to bind to the vserver (for
example, service-ANY-1).
7.
To create a load balancing vserver and bind the service to it using the
NetScaler command line
Example
bind lb vserver vserver-LB-1 service-ANY-1
To set the load balancing method and persistence using the configuration
utility
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
On the Load Balancing Virtual Servers page, select the vserver for which
you want to configure Load Balancing method and persistence (for
example, vserver-LB-1), and then click Open.
3.
4.
5.
In the Time-out and NetMask text boxes, type the time-out and subnet mask
values (for example, 2 and 225.225.225.225).
6.
Click OK.
To set the load balancing method and persistence using the NetScaler
command line
Example
set lb vserver vserver-LB-1 -persistenceType DESTIP -lbMethod ROUNDROBIN
1.
In the navigation pane, expand Network, expand Routing, and then click
Routes.
2.
3.
In the Configure LB Route dialog box, in the Network and Netmask text
boxes, type the network and the subnet mask that you want to configure (for
example, 1.1.10.0 and 255.255.255.0).
4.
In the Gateway Name drop-down list box, select the vserver (for example,
vserver-LB-1).
5.
Example
add lb route 1.1.10.0 255.255.255.0 vserver-LB-1
Entity type | Name            | Value
LB Service  | R1              | 10.102.29.4
LB Service  | R2              | 10.102.29.5
LB Vserver  | vserver-LB-Pri-1 | NA
LB Vserver  | vserver-LB-Sec-1 | NA
1.
Create services.
2.
3.
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
3.
In the Create Service dialog box, in the Service Name, Server, and Port
text boxes, type the name, IP address, and port of the service (for example,
R1, 10.102.29.4, and *).
4.
In the Protocol drop-down list box, select the type of the service (for
example, ANY).
5.
6.
Repeat Steps 1-5 to create another service with name, IP address, port, and
protocol as R2, 10.102.29.5, *, and ANY.
Examples
add service R1 10.102.29.4 ANY *
add service R2 10.102.29.5 ANY *
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
3.
In the Create Virtual Servers (Load Balancing) dialog box, in the Name
text box, type the name of the vserver (for example, vserver-LB-Pri-1),
and select the Directly Addressable check box.
4.
In the IP Address and Port text boxes, type the IP address and port of the
vserver (for example, 10.102.23.77 and *).
5.
In the Protocol drop-down list box, select the type of the vserver (for
example, ANY).
6.
On the Services tab, in the Active column, select the check box
corresponding to the service that you want to bind to the vserver (for
example, R1).
7.
8.
Example
add lb vserver vserver-LB-Pri-1 ANY 10.102.1.10 * -lbMethod ROUNDROBIN
bind lb vserver vserver-LB-Pri-1 R1
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
3.
In the Create Virtual Servers (Load Balancing) dialog box, in the Name
text box, type the name of the vserver (for example, vserver-LB-sec-1).
4.
5.
In the IP Address and Port text boxes, type the IP address and port of the
vserver (for example, 10.102.07.78 and *).
6.
In the Protocol drop-down list box, select the type of the vserver (for
example, ANY).
7.
On the Services tab, in the Active column, select the check box
corresponding to the service that you want to bind to the vserver (for
example, R2).
8.
9.
Example
add lb vserver vserver-LB-Sec-1 ANY 10.102.07.78 * -lbMethod ROUNDROBIN
bind lb vserver vserver-LB-Sec-1 R2
To set the secondary router as the backup router using the configuration
utility
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the Load Balancing Virtual Servers pane, select the vserver for which
you want to configure the backup vserver (for example, vserver-LB-Pri-1),
and then click Open.
3.
In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4.
In the Backup Virtual Server drop-down list box, select the backup
vserver (for example, vserver-LB-Sec-1), and then click OK.
To set the secondary router as the backup router using the NetScaler
command line
Example
set lb vserver vserver-LB-Pri-1 -backupVserver vserver-LB-Sec-1
1.
In the navigation pane, expand Network, expand Routing, and then click
Routes.
2.
In the Routes pane, click the LLB tab, and then click Add.
3.
In the Configure LB Route dialog box, in the Network and Netmask text
boxes, type the network and the subnet mask that you want to configure (for
example, 10.102.29.0 and 255.255.255.0).
4.
In the Gateway Name drop-down list box, select the vserver that you want
(for example, vserver-LB-Pri-1).
5.
Example
add lb route 10.102.29.0 255.255.255.0 vserver-LB-Pri-1
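The following Python model, an added example that is not from the guide, puts the pieces of this section together: DESTIP persistence with a netmask and time-out, round robin among UP routers, and fail-over to the backup vserver when every router behind the primary is DOWN. Router names and addresses come from the tables above; their states and the packet destinations are constructed.

```python
# Added example (not from the NetScaler guide): link load balancing route selection
# with destination-IP persistence (netmask + time-out) and a backup vserver.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def validate_netmask(mask: str) -> str:
    """Reject strings that are not a valid netmask (ipaddress raises ValueError)."""
    ipaddress.ip_network(f"0.0.0.0/{mask}")
    return mask


@dataclass
class RouterService:
    name: str      # LB service name, e.g. R1
    ip: str        # router address, e.g. 10.102.29.4
    up: bool = True


@dataclass
class LlbVserver:
    name: str
    services: list
    persistence_mask: str = "255.255.255.255"   # DESTIP persistence netmask
    timeout_min: int = 2                        # persistence time-out in minutes
    backup: Optional["LlbVserver"] = None       # -backupVserver
    rr_index: int = 0
    table: dict = field(default_factory=dict)   # destination subnet -> (service, expiry)

    def __post_init__(self):
        validate_netmask(self.persistence_mask)

    def _key(self, dest_ip: str) -> str:
        # Destinations sharing the masked prefix share one persistence entry.
        net = ipaddress.ip_network(f"{dest_ip}/{self.persistence_mask}", strict=False)
        return str(net)

    def select(self, dest_ip: str, now: float) -> Optional[RouterService]:
        """Choose the router for a packet to dest_ip at time `now` (seconds)."""
        up = [s for s in self.services if s.up]
        if not up:
            # Every router behind this vserver is DOWN: fail over to the backup.
            return self.backup.select(dest_ip, now) if self.backup else None
        key = self._key(dest_ip)
        entry = self.table.get(key)
        if entry and entry[1] > now and entry[0].up:
            service = entry[0]                        # sticky: same subnet, same link
        else:
            service = up[self.rr_index % len(up)]     # ROUNDROBIN among UP routers
            self.rr_index += 1
        self.table[key] = (service, now + self.timeout_min * 60)
        return service


def sample_setup() -> LlbVserver:
    """vserver-LB-Pri-1 (R1) backed by vserver-LB-Sec-1 (R2), as in the tables above."""
    r1 = RouterService("R1", "10.102.29.4")
    r2 = RouterService("R2", "10.102.29.5")
    secondary = LlbVserver("vserver-LB-Sec-1", [r2])
    return LlbVserver("vserver-LB-Pri-1", [r1], backup=secondary)


if __name__ == "__main__":
    pri = sample_setup()
    print("via primary:", pri.select("198.51.100.10", 0).name)
    pri.services[0].up = False
    print("R1 down, via backup:", pri.select("198.51.100.10", 1).name)
```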
Entity type | Name           | Value
Monitor     | monitor-HTTP-1 | NA
LB Service  | route1         | 10.102.29.5
LB Vserver  | vserver-LB-3   | NA
1.
2.
3.
Create a directly addressable Load Balancing vserver and bind the service
to the vserver.
4.
5.
6.
Configure RNAT.
7.
1.
In the navigation pane, expand Load Balancing, and then click Monitors.
2.
3.
In the Create Monitor dialog box, in the Name text box, type the name of
the monitor (for example, monitor-HTTP-1).
4.
In the Type drop-down list box, select the type of the monitor (for example,
HTTP).
5.
6.
Example
add lb monitor monitor-HTTP-1 HTTP -destIP 10.10.10.11 -transparent YES
To create a service and bind the monitor to it using the configuration utility
1.
In the navigation pane, expand Load Balancing, and then click Services.
2.
3.
In the Create Service dialog box, in the Service Name, Server, and Port
text boxes, type the name, IP address, and port of the service (for example,
route1, 10.102.29.5, and *).
4.
In the Protocol drop-down list box, select the type of the service (for
example, ANY).
5.
On the Monitors tab, under Available, select the monitor that you want to
bind to the service (for example, monitor-HTTP-1), and then click Add.
6.
To create a service and bind the monitor to it using the NetScaler command
line
Example
add service route1 10.102.29.5 ANY *
To create a load balancing vserver and bind the service to it using the
configuration utility
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
3.
In the Create Virtual Servers (Load Balancing) dialog box, in the Name
text box, type the name of the vserver (for example, vserver-LB-3).
4.
5.
In the Protocol drop-down list box, select the type of the vserver (for
example, ANY).
6.
On the Services tab, in the Active column, select the check box
corresponding to the service that you want to bind to the vserver (for
example, route1).
7.
To create a load balancing vserver and bind the service to it using the
NetScaler command line
Example
bind lb vserver vserver-LB-3 route1
To set the load balancing method and persistence using the configuration
utility
1.
In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2.
In the Load Balancing Virtual Servers pane, select the vserver for which
you want to configure the load balancing (LB) method and persistence (for
example, vserver-LB-3), and then click Open.
3.
4.
5.
In the Time-out and Netmask text boxes, type the time-out and subnet
mask values (for example, 2 and 225.225.225.225).
6.
Click OK.
Example
set lb vserver vserver-LB-3 -persistenceType DESTIP -lbMethod ROUNDROBIN
1.
In the navigation pane, expand Network, expand Routing, and then click
Routes.
2.
In the Routes pane, click the LLB tab, and then click Add.
3.
In the Configure LB Route dialog box, in the Network and Netmask text
boxes, type the network and the subnet mask that you want to configure (for
example, 1.10.10.0 and 255.255.255.0).
4.
In the Gateway Name drop-down list box, select the vserver (for example,
vserver-LB-3).
5.
Example
add lb route 1.10.10.0 255.255.255.0 vserver-LB-3
1.
In the navigation pane, expand Network, expand Routing, and then click
Routes.
2.
In the Routes pane, on the RNAT tab, select the RNAT network for which
you want to configure the NAT IP address (for example, 10.102.29.0).
3.
4.
In the Available NAT IP (s) list box, select the NAT IP address that you
want to configure (for example, 10.102.29.61).
5.
Click Add. The NAT IP you selected in Step 5 appears in the Configured
NAT IP (s) list box.
6.
Click OK.
Example
set rnat 10.102.29.0 -natip 10.102.29.61
1.
2.
In the Settings pane, under Modes and Features, click Change modes.
3.
In the Configure Modes dialog box, select the Use Subnet IP check box,
and then click OK.
4.
Example
enable ns mode USNIP
CHAPTER 10
Dividing the load between the firewalls, which eliminates the single point
of failure problem and allows the network to scale.
Acting as the first line of defense with features such as surge protection and
SYN attack protection.
table to route the traffic instead of sending the traffic to the load balancing
vserver.
Least Connections
Round Robin
Least Packet
Least Bandwidth
SOURCEIP Hashing
For more information about load balancing policies, see Changing the Load
Balancing Algorithm, on page 55.
Firewall Persistence
Only SOURCEIP-based persistence is supported for firewall load balancing.
For more information about SOURCEIP-based persistence, see Configuring
Persistent Connections Between Clients and Servers, on page 97.
Restrictions
The NetScaler firewall load balancing feature has these restrictions:
Because the FTP protocol requires special processing, the NetScaler should
be configured for *.21 and the service type FTP. In this case, the NetScaler
manages the FTP protocol by accepting the FTP control connection,
modifying the payload, and managing the data connection, all through the
same firewall.
Environments
You can set two types of environments on the NetScaler. They are:
Sandwich
Enterprise
Sandwich
In this setup, a NetScaler is located on each side of a set of firewalls. The
NetScaler placed between the firewalls and the Internet, called the external
NetScaler, selects the best firewall based on the configured method. The
NetScaler between the firewalls and the private network, called the internal
NetScaler, tracks the firewall from which the initial packet for a session is
received. It then ensures that all subsequent packets for that session are sent to the
same firewall.
The internal NetScaler can be configured as a regular traffic manager to load
balance traffic across the private network servers. This configuration also allows
traffic originating from the private network to be load balanced across the
firewalls.
The following diagram shows the sandwich firewall load balancing environment.
External NetScaler
Enable the NetScaler's load balancing feature by entering the enable ns feature LB command, and then enter the following commands on the external NetScaler:
3. Define a wildcard virtual server for traffic coming from the Internet:
add lb vserver VIP1 ANY * *
set lb vserver VIP1 -m MAC
Internal NetScaler
Enable the NetScaler's load balancing feature by entering the enable ns feature LB command, and then enter the following commands on the internal NetScaler:
4. Define a wildcard virtual server to load balance the traffic being sent to the firewalls:
add lb vserver VIP2 ANY * *
set lb vserver VIP2 -m MAC
The service type ANY configures the NetScaler in passive mode, so that it load
balances based on the first packet (TCP or UDP) received for the session.
If you want the NetScaler to terminate a TCP connection, configure the service
and vserver with type TCP.
If you want the NetScaler to terminate a TCP connection and perform connection
multiplexing for HTTP protocols, configure the service and vserver with type
HTTP.
Enterprise
In this setup, the NetScaler is placed between the firewalls connecting to the
public Internet and the internal private network. The NetScaler selects the best
firewall based on the configured load balancing policy.
The following figure shows the enterprise firewall load balancing environment.
3. Define a wildcard virtual server to load balance the traffic being sent to the firewalls:
add lb vserver Enterprise_VIP ANY * *
set lb vserver Enterprise_VIP -m MAC
The service type ANY configures the NetScaler in passive mode, so that it load
balances based on the first packet (TCP or UDP) received for the session.
If you want the NetScaler to terminate a TCP connection, configure the service
and vserver with type TCP.
If you want the NetScaler to terminate a TCP connection and perform connection
multiplexing for HTTP protocols, configure the service and vserver with type
HTTP.
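Both environments above are built one CLI command at a time, and the restrictions stated in this chapter (MAC-based forwarding on the wildcard virtual server, SOURCEIP as the only supported persistence, FTP handled by a virtual server of type FTP on port 21, and more than one firewall behind each virtual server so that no firewall is a single point of failure) are easy to violate without any error from the appliance. The following Python script is an added example, not part of this guide or of Citrix software. It parses a constructed running-configuration excerpt in the style of the commands shown above and reports violations of those restrictions; the sample configurations, the parameter names it recognises (-m, -persistenceType) and the exact set of checks are assumptions of this example.

```python
"""Lint a NetScaler firewall load balancing config against this chapter's
restrictions. Added example, not Citrix code; the sample configs below are
constructed and the rule set is an assumption of this example."""
import shlex


def parse_vservers(config_text):
    """Collect, per lb vserver, the state the checks need from add/set/bind lines."""
    vservers = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[:3] == ["add", "lb", "vserver"] and len(tok) >= 5:
            name, vtype = tok[3], tok[4].upper()
            ip = tok[5] if len(tok) > 5 else ""      # "*" for a wildcard vserver
            port = tok[6] if len(tok) > 6 else ""
            vservers[name] = {"type": vtype, "ip": ip, "port": port,
                              "mode": "IP", "persist": "NONE", "services": []}
        elif tok[:3] == ["set", "lb", "vserver"] and len(tok) > 4 and tok[3] in vservers:
            opts = tok[4:]
            for i in range(len(opts) - 1):
                if opts[i] == "-m":
                    vservers[tok[3]]["mode"] = opts[i + 1].upper()
                elif opts[i].lower() == "-persistencetype":
                    vservers[tok[3]]["persist"] = opts[i + 1].upper()
        elif tok[:3] == ["bind", "lb", "vserver"] and len(tok) >= 5 and tok[3] in vservers:
            vservers[tok[3]]["services"].append(tok[4])
    return vservers


def lint(config_text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for name, v in parse_vservers(config_text).items():
        if v["ip"] == "*" and v["port"] == "*" and v["mode"] != "MAC":
            findings.append(f"{name}: wildcard firewall vserver must forward by MAC "
                            f"(set lb vserver {name} -m MAC)")
        if v["persist"] not in ("NONE", "SOURCEIP"):
            findings.append(f"{name}: persistence {v['persist']} is not supported for "
                            f"firewall load balancing; only SOURCEIP is")
        if v["port"] == "21" and v["type"] != "FTP":
            findings.append(f"{name}: port 21 needs service type FTP so the control and "
                            f"data connections stay on the same firewall")
        if len(v["services"]) < 2:
            findings.append(f"{name}: only {len(v['services'])} firewall bound; one "
                            f"firewall is a single point of failure")
    return findings


# Constructed sample: an external NetScaler config that follows the chapter.
GOOD_CONFIG = """
enable ns feature LB
add service FW1 10.102.29.5 ANY *
add service FW2 10.102.29.6 ANY *
add lb vserver VIP1 ANY * *
set lb vserver VIP1 -m MAC -persistenceType SOURCEIP
bind lb vserver VIP1 FW1
bind lb vserver VIP1 FW2
add lb vserver FTP_VIP FTP * 21
bind lb vserver FTP_VIP FW1
bind lb vserver FTP_VIP FW2
"""

# Constructed sample that breaks each restriction at least once.
BAD_CONFIG = """
add service FW1 10.102.29.5 ANY *
add lb vserver VIP2 ANY * *
set lb vserver VIP2 -persistenceType COOKIEINSERT
bind lb vserver VIP2 FW1
add lb vserver FTP_VIP ANY * 21
bind lb vserver FTP_VIP FW1
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"{label}: {lint(cfg) or ['clean']}")
```

Run it against the output of show ns runningConfig saved to a file to get a quick pre-change review of a firewall load balancing pair; the two sample configurations built into the script show the clean and the failing case.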
CHAPTER 11
Cache Redirection
The NetScaler can redirect cacheable requests to cache servers and send noncacheable or dynamic requests to origin servers. Cache servers store frequently
requested Web content and serve this content to a client on behalf of an origin
server. This lightens the load on the origin server farm.
This chapter assumes that you have obtained a list of available virtual IP
addresses from the administrator who installed and set up the NetScaler that you
are configuring.
In This Chapter
How Cache Redirection Works
Configuring Cache Redirection and Load Balancing
Configuring Transparent Cache Redirection
Configuring Reverse Proxy Cache Redirection
Configuring Forward Proxy Cache Redirection
Redirecting to Different Servers Based on Content Type
Administering a Cache Redirection Virtual Server
Configuring Policies for Cache Redirection
Note: The NetScaler also provides an in-memory cache that stores both static
and dynamic HTTP responses. For more information, see the chapter on
integrated caching in the Citrix NetScaler Application Optimization Guide.
This chapter assumes that you are familiar with load balancing and content
switching. For more information, see Load Balancing, on page 25 and Content
Switching, on page 273. Also, this chapter does not go into the details of
configuration for HTTPS. For information on configuration settings for HTTPS,
see Secure Sockets Layer (SSL) Acceleration, on page 361.
To the origin server. You can configure the NetScaler to forward all
requests to the origin server.
This type of redirection can be useful when performing maintenance on
your cache servers. If you take down all of the cache servers, you can direct
all traffic to the origin server. Sending all traffic to the origin server may
also be necessary if all the cache servers are functioning at their maximum
number of connections.
To the cache server. You can configure the NetScaler to forward all
requests to a cache server.
This type of redirection is useful for testing. You can direct all traffic to the
cache servers to analyze what data is best served from the cache.
In forward proxy mode, the cache redirection virtual server sends noncacheable requests to a DNS load balancing virtual server, which selects the
destination of the origin server.
As noted in the preceding paragraphs, you can configure cache redirection at the
origin side or at the edge of a network. Caching at the origin saves processing for
the origin server. You configure cache redirection at the origin in transparent or
reverse proxy mode.
Caching at the edge of the network reduces bandwidth cost and improves
response time for users. Edge deployments are common at Internet Service
Providers (ISPs), cable companies, content delivery distribution networks, and
enterprise networks. You configure cache redirection at the edge in transparent or
forward proxy mode.
By default, if the request does not match any policy, it is cacheable and the
following occurs:
By default, if the request does match a policy, the NetScaler forwards the
request to the origin server that appears in the request.
2. The cache redirection virtual server compares the request with caching policies.
After mapping the destination domain and URL, it sends the request
to a load balancing virtual server that services the origin server.
2. The forward proxy cache redirection virtual server compares the request with a policy to determine whether the request should be directed to the origin server or to a cache server.
By default, if the request does not match a policy, it is cacheable, and the
NetScaler sends it to the cache as follows:
The load balancing virtual server for the cache forwards the request to a service that, in turn, sends the request to the cache server.
If the request does not match a cache redirection policy, the request is
cacheable, and is processed as follows:
2. In the details pane, under Modes and Features, click Change advanced features.
3. Select the Cache Redirection check box, click OK, and then click Yes on the Enable/Disable Feature(s)? message box.
5. In the Configure Basic Features dialog box, select Load Balancing, click OK, and then click Yes on the Enable/Disable Feature(s)? message box.
6. Click Save to prevent discarding the changes when you reboot the NetScaler.
To enable cache redirection and load balancing using the command line
1. In the navigation pane, expand Load Balancing and then click Virtual Servers.
2. Double-click the load balancing virtual server that you want to use for cache redirection.
1. In the navigation pane, expand Cache Redirection, and then click Virtual Servers.
2. In the details pane, click the name of the virtual server that you want to view.
The configuration details of this virtual server appear in the Details section at the bottom of the page.
A load balancing virtual server to receive client requests from the cache
redirection virtual server.
The following task overview summarizes the main steps for configuring
transparent cache redirection. The rest of this section provides details on each of
the steps in the overview.
Task overview: Configuring transparent cache redirection
3. Configure a load balancing virtual server that can forward requests to one or more cache servers.
For more information, see Configuring a Load Balancing Virtual Server for the Cache, on page 704.
5. Define a cache redirection virtual server and associate it with the load balancing virtual server.
For more information, see Configuring a Cache Redirection Virtual Server for Transparent Mode, on page 707.
6. Configure policies for cache redirection and bind these policies to the cache redirection virtual server.
These policies enable the NetScaler to identify requests that should be sent
to the origin server instead of the cache. For more information, see
Configuring Policies for Cache Redirection, on page 741.
Parameter: Name (name)
Parameter: Service Type (serviceType). Specifies: Protocol for the service. Possible values are HTTP, SSL, and NNTP. The typical value is HTTP.
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
3. In Name, enter a name for the load balancing virtual server. For cache redirection, you do not need an IP address or a port number.
5. To enable cache redirection for this load balancing virtual server, click the Advanced tab, and select Cache Redirection.
6. Click Create, and then click Close. The load balancing virtual server is added to the Load Balancing Virtual Servers page.
7. Click Save to prevent discarding the changes when you reboot the NetScaler.
Parameter: Name (name)
Parameter: IP address (IP). Specifies: IP address of the target server for this service.
Parameter: Port (port). Specifies: Port on which the service listens. The port number must be a positive number not greater than 65535. The minimum value is 1.
Parameter: Service Type (serviceType). Specifies: Protocol for the service. The usual value is HTTP.
Parameter: Cache Type (cacheType)
1. In the navigation pane, expand Load Balancing, and then click Services.
3. In the Service Name text box, enter a unique name for the service.
4. In the Server text box, enter the IP address of the physical origin server that this service refers to.
5. In the Port text box, type a port number (for example, 80). Each server can have multiple services. Each service must have a unique port number.
8. Click Create, and then click Close. The service that you have created appears on the Services page.
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. Click the name of the load balancing virtual server that you want to configure, and then click Open.
3. In the Services tab, in the Active column, select the check box next to the service that you want to bind to the virtual server.
4. Click OK.
To bind a service to a load balancing virtual server using the command line
Example
bind lb vserver Vserver-LB-1 Service-HTTP-1
Parameter: Name (name)
Parameter: IP address (IP)
Parameter: Port (port)
Parameter: Protocol (protocol)
Parameter: Cache Type (cacheType)
Parameter: Redirect Type (redirect)
Parameter: Cache Server (cacheVserver). Specifies: Name of a load balancing virtual server for the cache to which this redirection virtual server sends requests. The cache redirection virtual server forwards cacheable requests from the client to this load balancing virtual server. This load balancing virtual server, in turn, forwards the request to the cache server by means of a service.
Parameter: Redirect To (onPolicyMatch)
Parameter: Redirect URL (redirectURL)
Note: The following procedures describe associating built-in policies with the
cache redirection virtual server. You can also configure custom policies. For more
information, see Using Built-in Cache Redirection Policies, on page 742 and
Configuring User-Defined Policies, on page 743.
1. In the navigation pane, click Cache Redirection, and then click Virtual Servers.
2. Click Add.
6. Click Create. The Cache Redirection virtual server appears on the Cache Redirection Virtual Servers page.
1. In the navigation pane, click Cache Redirection, and then click Virtual Servers. The Cache Redirection Virtual Servers page appears in the right pane.
2. In the Cache Redirection Virtual Servers page, click the virtual server to which you want to bind the built-in policies.
4. On the Policies tab, in the Active column, select the check box next to the built-in cache redirection policies and click OK. The policies are bound to the cache redirection virtual server.
Example
add cr vserver Vserver-CRD-1 HTTP * 80 -cacheType TRANSPARENT -redirect POLICY -cacheVserver Vserver-LB-1
Examples
bind cr vserver Vserver-CRD-1 -policyName bypass-cache-control
bind cr vserver Vserver-CRD-1 -policyName bypass-dynamic-url
bind cr vserver Vserver-CRD-2 -policyName bypass-urltokens
bind cr vserver Vserver-CRD-2 -policyName bypass-cookie
1. In the navigation pane, click Load Balancing and click Virtual Servers.
2. Double-click the load balancing virtual server that you want to modify.
4. Click OK, and then click Close. The load balancing virtual server is added to the Load Balancing Virtual Servers page.
To turn off caching for a load balancing virtual server using the command
line
Example
set lb vserver Vserver-LB-1 -cacheable NO
If the request is not cacheable, the NetScaler matches the request with a
mapping policy that determines the destination domain and URL, and then
sends the request to a load balancing virtual server that, in turn, sends the
request to the origin server.
The following table summarizes the parameters for cache redirection in reverse proxy mode.
Parameters for Reverse Proxy Cache Redirection
Reverse Proxy Cache Redirection Entity: Policies to determine if a request is non-cacheable
on page 701.
Configure a load balancing virtual server and associated services for the origin servers.
For more information, see Configuring a Load Balancer Virtual Server for the Origin, on page 715.
4. Configure mapping policies, and bind them to the reverse proxy cache redirection virtual server.
The mapping policies have an associated action that enables the cache redirection policy to forward any non-cacheable request to the load balancing virtual server for the origin.
For more information, see Configuring a Mapping Policy, on page 718.
6. Ensure that you have created the default cache server destination.
1. In the navigation pane, click Load Balancing and click Virtual Servers.
3. In the Name text box, type the name of the load balancing virtual server for the cache server.
6. On the Method and Persistence tab, in the Method list, choose URL Hash.
7. To enable cache redirection for this load balancing virtual server, click the Advanced tab, and select Cache Redirection.
9. Configure an HTTP service that points to the cache server for this load balancing virtual server.
For more information, see To configure an HTTP service using the configuration utility, on page 706. Note that in step 7 of that procedure, in the Cache Type list, choose Reverse Cache or Transparent Cache, depending on the cache servers you are using.
10. Bind the service to the virtual server that you just created.
For more information, see Binding a Service to a Load Balancing Virtual Server, on page 707.
11. Click Save to prevent discarding the changes when you reboot the NetScaler.
To configure a load balancing virtual server for the reverse proxy cache using the command line
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
3. In the Name and Port text boxes, type the name of the virtual server and the port number.
6. To enable cache redirection for this load balancing virtual server, on the Advanced tab, click the Cache Redirection check box.
7. Click Create. The load balancing virtual server appears on the Load Balancing Virtual Servers page.
Where serviceName is a unique name for the service that you want to bind to the load balancing virtual server, and originIPAddress and originPort are the IP address and port of the origin server.
Example
add lb vserver Vserver-LB-3 HTTP 10.102.29.210 90
add service Service-HTTP-3 10.102.29.81 HTTP 80 -cacheType REVERSE
bind lb vserver Vserver-LB-3 Service-HTTP-3
For more information, see Configuring a Cache Redirection Virtual Server for
Transparent Mode, on page 707.
3. In the Name and Port text boxes, type the name of the virtual server and the port number.
4. In the IP Address text box, type the IP address of the cache redirection virtual server.
6. On the Advanced tab, in the Cache Type list, choose REVERSE, and in the Redirect list, choose the redirection type (for example, POLICY).
7. On the Advanced tab, in the Cache Server list, choose a load balancing virtual server that you have configured as the cache server. Also select the Via check box. A reverse proxy must insert Via headers to indicate the intermediate protocols and recipients between the user agent and the server on requests, and between the server and the client on responses.
8. Click Create. The cache redirection virtual server appears on the Cache Redirection Virtual Servers page.
Where:
cacheRedirectionVirtualServerName
protocol
ipAddress
port
loadBalancingVirtualServerName
Second action: Pass the request to the origin load balancing virtual server.
A mapping policy can map a domain, a URL prefix, and a URL suffix, as follows:
You can map domains plus URL suffixes, (for example, you can map
www.mydomain.com and /index.html to www.myrealdomain.com and /
index.html).
If you specify an exact URL from the source, the target URL must also be
an exact URL.
1. In the navigation pane, expand Cache Redirection, and then click Map.
3. In the Name text box, enter the name of the mapping policy.
4. Under Source, in the Source Domain text box, enter the domain as specified in the client request (for example, www.mycompany.com).
5. Under Target, in the Target Domain text box, enter the domain of the target (for example, www.myrealcompany.com).
7. To bind the mapping policy to the cache redirection virtual server, in the navigation pane, expand Cache Redirection, and then click Virtual Servers.
8. Click the virtual server to which you want to bind the policy, and then click Open.
9. On the Policies tab, in the Active column, select the check box next to the map policy that you want to bind to the virtual server.
10. In the Target column corresponding to the policy, choose the name of the origin load balancing virtual server from the list.
11. When you are done, click OK. The mapping policy is bound to the cache redirection virtual server, and the action is set to forward requests that are not cacheable to the origin load balancing virtual server.
To configure a mapping policy for reverse proxy mode using the command line
Where:
mappingPolicyName
sourceDomain
sourceURL
destinationDomain
destinationURL
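To make the mapping rules above concrete, the following Python is an added example, not NetScaler code or part of this guide. It applies a list of mapping policies (source domain and URL, target domain and URL) to an incoming Host and URL, enforces the rule stated above that an exact source URL must map to an exact target URL, and adds the Via header a reverse proxy must insert. The '*' convention for prefix and suffix URLs, the policy names and domains, and the proxy pseudonym ns-rp-1 are assumptions of this example.

```python
"""Reverse proxy mapping policies plus Via insertion. Added example, not
NetScaler code; the '*' prefix/suffix convention, the policies and the
pseudonym ns-rp-1 are assumptions of this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MapPolicy:
    name: str
    source_domain: str
    source_url: str      # exact "/index.html", prefix "/images/*", or suffix "*.html"
    target_domain: str
    target_url: str


def _kind(url):
    if url.endswith("*"):
        return "prefix"
    if url.startswith("*"):
        return "suffix"
    return "exact"


def validate_policy(p):
    """An exact source URL needs an exact target URL; prefix maps to prefix,
    suffix to suffix, so the rewritten URL is well defined."""
    if _kind(p.source_url) != _kind(p.target_url):
        raise ValueError(f"{p.name}: source URL {p.source_url!r} and target URL "
                         f"{p.target_url!r} must be of the same form")
    return p


def _match(pattern, url):
    kind = _kind(pattern)
    if kind == "prefix":
        return url.startswith(pattern[:-1])
    if kind == "suffix":
        return url.endswith(pattern[1:])
    return url == pattern


def _rewrite(url, source_url, target_url):
    kind = _kind(source_url)
    if kind == "prefix":                       # swap the leading path segment
        return target_url[:-1] + url[len(source_url) - 1:]
    if kind == "suffix":                       # swap the trailing part
        return url[:len(url) - (len(source_url) - 1)] + target_url[1:]
    return target_url                          # exact to exact


def map_request(policies, host, url, headers=None, proxy_name="ns-rp-1"):
    """Return (target_host, target_url, outgoing_headers) for the first
    matching policy, or None when no mapping policy matches the request."""
    for p in policies:
        if p.source_domain.lower() == host.lower() and _match(p.source_url, url):
            out = dict(headers or {})
            out["Host"] = p.target_domain
            via = f"1.1 {proxy_name}"          # RFC 7230 Via: received-protocol received-by
            out["Via"] = f"{out['Via']}, {via}" if "Via" in out else via
            return p.target_domain, _rewrite(url, p.source_url, p.target_url), out
    return None


# Constructed policy set using the example domains from this chapter.
POLICIES = [validate_policy(p) for p in (
    MapPolicy("map-home", "www.mycompany.com", "/index.html",
              "www.myrealcompany.com", "/index.html"),
    MapPolicy("map-images", "www.mycompany.com", "/images/*",
              "www.myrealcompany.com", "/static/img/*"),
    MapPolicy("map-html", "www.mycompany.com", "*.html",
              "www.myrealcompany.com", "*.htm"),
)]

if __name__ == "__main__":
    for url in ("/index.html", "/images/logo.png", "/about.html", "/cgi/search"):
        print(url, "->", map_request(POLICIES, "www.mycompany.com", url, {"Via": "1.0 fred"}))
```

Policies are evaluated in list order, so the exact /index.html entry is placed before the *.html suffix entry that would also match it; an existing Via header is extended rather than replaced, which is what lets the downstream server see the full chain of intermediaries.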
The following table summarizes the entities that you configure for forward proxy cache redirection.
Parameters for Forward Proxy Cache Redirection
Forward Proxy Cache Redirection Entity: Policies to determine if a request is cacheable
4. Configure a forward proxy cache redirection virtual server and bind the DNS and load balancing virtual servers to it.
For more information, see Configuring a Forward Proxy Cache Redirection Virtual Server, on page 724.
3. In the Service Name and Server text boxes, enter the name of the service and the IP address.
6. Click Create.
7. To configure the DNS virtual server, in the navigation pane, expand Load Balancing, and then expand Virtual Servers.
9. In the Name text box, enter the name of the virtual server.
11. On the Services tab, select the Active option corresponding to the service you want to bind.
Note: IP address and port are not needed for cache redirection.
12. Click Create.
To configure a DNS load balancing virtual server and service using the command line
1. At the NetScaler command line, add the load balancing virtual server, as follows:
add lb vserver dnsVirtualServerName DNS
Example
add lb vserver Vserver-DNS-1 DNS
add service Service-DNS-1 10.102.29.41 DNS 53
bind lb vserver Vserver-DNS-1 Service-DNS-1
3. In the Name and Port text boxes, enter the name of the cache redirection virtual server and the port number.
6. On the Advanced tab, in the Cache Type list, choose FORWARD, and in the Redirect list, choose POLICY. Also, select the Via check box. A forward proxy must insert Via headers to indicate the intermediate protocols and recipients between the user agent and the server on requests, and between the server and the client on responses.
7. On the Advanced tab, in the DNS VServer list, choose a DNS virtual server that you want to associate with this cache redirection virtual server.
9. Click Create.
Where:
name is the name that you want to assign to this cache redirection virtual server.
cacheRedirectionVirtualServerIPAddress
dnsVirtualServerName
loadBalancingVirtualServerForTheCache
3. Under Proxy server, select the Use a proxy server for your LAN check box.
4. In the Address and Port text boxes, enter the IP address and port number of the forward proxy virtual server.
5. Click OK.
6. Click Save to prevent discarding the changes when you reboot the NetScaler.
Cache redirection policies and content switching policies are evaluated in the
following order:
The NetScaler first evaluates the cache redirection policies that are bound
to the cache redirection virtual server.
If a request matches a cache redirection policy, the cache redirection virtual
server sends the request to a load balancing virtual server for the origin.
2. Configure a load balancing virtual server for the cache and an associated HTTP service.
For more information, see Configuring a Load Balancing Virtual Server for Content-Based Cache Redirection, on page 728.
Example
add lb vserver lbCacheDefault HTTP
add service httpDefault 11.12.13.14 HTTP 80 -cacheType TRANSPARENT
bind lb vserver lbCacheDefault httpDefault
add lb vserver lbCacheJpeg HTTP
add service httpJpeg 11.12.13.15 HTTP 80 -cacheType TRANSPARENT
bind lb vserver lbCacheJpeg httpJpeg
add lb vserver lbCacheGif HTTP
add service httpGif 11.12.13.16 HTTP 80 -cacheType TRANSPARENT
bind lb vserver lbCacheGif httpGif
Where:
virtualServerName is the name of a cache redirection virtual server.
ipAddress
port
loadBalancingVirtualServerName
advanced redirection, the default load balancing virtual server is only used
if a cacheable request does not match a content switching policy.
Example
add cr vserver Vserver-CRD HTTP 0.0.0.0 80 -cacheType TRANSPARENT -redirect POLICY -cacheVserver lbCacheDefault
Where:
policyName
expression
virtualServerName
Example
add cr policy Policy-CRD -rule "REQ.HTTP.URL != /*.jpeg && REQ.HTTP.URL != /*.gif"
bind cr vserver Vserver-CRD -policyName Policy-CRD
The two conditions are combined with &&: a request matches the policy, and is therefore treated as non-cacheable and sent to the origin, only when its URL is neither a .jpeg nor a .gif. Joining them with || would match every request, because no URL ends in both extensions, and nothing would ever reach the caches.
Example
add cs policy myContentSwitchingPolicyJpeg -rule "REQ.HTTP.URL == /*.jpeg"
bind cs vserver Vserver-CRD lbCacheJpeg -policyName myContentSwitchingPolicyJpeg
add cs policy myContentSwitchingPolicyGif -rule "REQ.HTTP.URL == /*.gif"
bind cs vserver Vserver-CRD lbCacheGif -policyName myContentSwitchingPolicyGif
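The evaluation order described in this chapter (cache redirection policies first, so that a match means non-cacheable and the request goes to the origin; content switching policies next, choosing a cache-specific load balancing virtual server; the default cache virtual server for whatever remains; and a -redirect setting of CACHE or ORIGIN overriding all of it) is easier to reason about when walked through on concrete requests. The following Python is an added example, not NetScaler code or part of this guide. The HTTP requests it parses are constructed, the content switching globs are the ones from the add cs policy commands above, and the rules standing in for the built-in policies named in this chapter are approximations (an assumption: the page does not reproduce their exact expressions).

```python
"""Walk requests through transparent cache redirection as this chapter
describes it. Added example, not NetScaler code: the sample requests are
constructed and the built-in policy rules are approximations (assumption)."""
import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)  # lower-cased header names

    @property
    def path(self):
        return self.url.split("?", 1)[0]


def parse_request(raw):
    """Parse a minimal HTTP/1.x request head (constructed input) into a Request."""
    lines = raw.strip().splitlines()
    method, url, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method.upper(), url, headers)


# Approximations of the built-in cache redirection policies (assumption):
# a match means the request is non-cacheable and goes to the origin.
DYNAMIC_EXT = re.compile(r"\.(cgi|asp|aspx|jsp|cfm|shtml|exe|dll)$", re.IGNORECASE)
BUILTIN_CR_POLICIES = {
    "bypass-non-get": lambda r: r.method != "GET",
    "bypass-cache-control": lambda r: "no-cache" in (
        r.headers.get("cache-control", "") + r.headers.get("pragma", "")).lower(),
    "bypass-dynamic-url": lambda r: DYNAMIC_EXT.search(r.path) is not None,
    "bypass-urltokens": lambda r: "?" in r.url,
    "bypass-cookie": lambda r: "cookie" in r.headers,
}

# Content switching policies as in the add cs policy commands above:
# a glob over the URL path selects a cache-specific lb vserver.
CS_POLICIES = [("/*.jpeg", "lbCacheJpeg"), ("/*.gif", "lbCacheGif")]
DEFAULT_CACHE_VSERVER = "lbCacheDefault"
ORIGIN = "origin"


def route(request, redirect="POLICY", cr_policies=BUILTIN_CR_POLICIES,
          cs_policies=CS_POLICIES):
    """Return (destination, reason). redirect mirrors the -redirect setting."""
    if redirect == "ORIGIN":
        return ORIGIN, "-redirect ORIGIN: everything bypasses the cache"
    if redirect == "CACHE":
        return DEFAULT_CACHE_VSERVER, "-redirect CACHE: everything goes to the cache"
    for name, rule in cr_policies.items():          # step 1: CR policies
        if rule(request):
            return ORIGIN, f"{name} matched: non-cacheable"
    for pattern, vserver in cs_policies:            # step 2: CS policies
        if fnmatch.fnmatchcase(request.path, pattern):
            return vserver, f"content switching policy {pattern} matched"
    return DEFAULT_CACHE_VSERVER, "cacheable, no content switching match"


# Constructed sample requests.
SAMPLE_REQUESTS = {
    "static jpeg": "GET /images/logo.jpeg HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "static gif": "GET /img/spinner.gif HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "html page": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "form post": "POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n",
    "jpeg with cookie": "GET /images/avatar.jpeg HTTP/1.1\r\nHost: www.example.com\r\n"
                        "Cookie: session=abc123\r\n\r\n",
    "cgi query": "GET /search.cgi?q=netscaler HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def route_all(samples=SAMPLE_REQUESTS, redirect="POLICY"):
    """Destination per sample label, for a given -redirect setting."""
    return {label: route(parse_request(raw), redirect)[0] for label, raw in samples.items()}


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        dest, why = route(parse_request(raw))
        print(f"{label:17} -> {dest:15} {why}")
```

The "jpeg with cookie" case is the one worth noticing: it is a .jpeg, so the content switching policy would send it to lbCacheJpeg, but bypass-cookie is evaluated first and sends it to the origin. That is the behaviour the chapter's order of evaluation implies, and it is why a personalised image is never served from a shared cache.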
1. In the navigation pane, expand Cache Redirection, and then click Virtual Servers.
2. Click the virtual server whose properties you want to view. Basic properties of this virtual server appear at the bottom of the details pane.
At the NetScaler command line, to view basic properties for all cache redirection
virtual servers, type:
show cr vserver
At the NetScaler command line, to view basic properties and policy bindings for a specific cache redirection virtual server, type:
show cr vserver virtualServerName
To view cache redirection policies that are bound to load balancing virtual servers using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual Servers.
2. Click the virtual server whose policy bindings you want to view.
To view cache redirection policies that are bound to load balancing virtual servers using the command line
1. In the navigation pane, expand Cache Redirection, and then click Virtual Servers. The Cache Redirection Virtual Servers page appears in the right pane.
2. To view statistics for the virtual server, including the number and size of requests and responses sent through it, click the virtual server that you are interested in, and then click the Statistics button at the bottom of the pane.
To view statistics for a cache redirection virtual server using the command line
At the NetScaler command line, to view basic statistics for all cache redirection virtual servers, type:
stat cr vserver
At the NetScaler command line, to view detailed statistics for a cache redirection
virtual server, including number and size of requests and responses that pass
through the virtual server, type:
stat cr vserver virtualServerName
1. In the navigation pane, expand Cache Redirection, and then click Virtual Servers.
2. Click the virtual server you want to enable or disable, and then click Enable or Disable.
3. In the Enable or Disable message box, click Yes. The cache redirection virtual server is enabled or disabled.
Example
enable cr vserver Vserver-CRD-1
disable cr vserver Vserver-CRD-1
1. In the navigation pane, expand Cache Redirection, and then click Virtual Servers.
2. Click the virtual server you want to modify, and then click Open.
3. In the Configure Cache Virtual Server dialog box, on the Advanced tab, in the Redirect drop-down menu, select either CACHE or ORIGIN, as needed.
To change the destination for a policy hit to the origin or the cache using the command line
1. In the navigation pane, expand Cache Redirection, and then click Virtual Servers.
2. Click the cache redirection virtual server that contains the policy that you want to remove from the virtual server definition, and click Open.
3. On the Policies tab, in the Active column, clear the check box next to the policy you want to unbind, and click OK.
The policy still exists, but it is no longer associated with the cache redirection virtual server.
Example
unbind cr vserver Vserver-CRD-1 -policyName bypass-non-get
2. Click the virtual server that you want to modify and click Open.
3. On the Advanced tab, in the Redirect list, choose the cache redirect mode you want to use (for example, CACHE, ORIGIN, or POLICY).
4. Click OK.
Example
set cr vserver Vserver-CRD-1 -redirect CACHE
2. Click the virtual server that you want to remove and click Remove.
3. In the Remove message box, click Yes. The virtual server is deleted.
Example
rm cr vserver Vserver-CRD-1
2. Select the virtual server that you want to view and click the Statistics link at the bottom of the page.
Statistics for the virtual server appear in the Content Switching Statistics window.
2. Click the virtual server that you want to configure and click Open.
3. On the Advanced tab, enter a timeout value in the Client Time-out (secs) text box.
4. Click OK.
Example
set cr vserver Vserver-CRD-1 -cltTimeout 6000
1. In the navigation pane, expand Cache Redirection, and then click Virtual Servers.
2. Click the virtual server for which you want to set the Via option, and click Open.
4. Click OK.
Example
set cr vserver Vserver-CRD-1 -via ON
1. In the navigation pane, expand Cache Redirection, and then click Virtual Servers. The Cache Redirection Virtual Servers page appears in the right pane.
2. Click the virtual server for which you want to set the reuse option, and then click Open. The Configure Virtual Server (Cache Redirection) dialog box appears.
4. Click OK.
Example
set cr vserver Vserver-CRD-1 -reuse ON
1. In the navigation pane, expand Cache Redirection, and then click Virtual Servers.
2. Click the virtual server for which you want to set the down state flush option, and then click Open.
3. On the Advanced tab, select or clear the Down state flush check box.
4. Click OK.
To set the down state flush option using the command line
Example
set cr vserver Vserver-CRD-1 -downStateFlush ENABLED
1. In the navigation pane, expand Cache Redirection, and then click Virtual Servers.
2. Click the virtual server for which you want to configure a backup virtual server, and click Open.
3. On the Advanced tab, in the Backup Virtual Server list, choose the virtual server you want to specify as the backup virtual server.
4. Click OK.
To set a backup cache redirection virtual server using the command line
Example
set cr vserver Vserver-CRD-1 -backupVServer Vserver-CRD-2
HTTP methods
URL
URL tokens
HTTP version
Built-in cache redirection policies:
bypass-non-get
bypass-cache-control
bypass-dynamic-url
bypass-urltokens
bypass-cookie
Note: The default policies are not automatically bound to a cache redirection
virtual server. You must bind them to make them effective. For more information,
see Binding a Policy to a Cache Redirection Virtual Server, on page 749.
In the navigation pane, expand Cache Redirection, and then click Policies. The
Cache Redirection Policies page appears.
To bind the default policies to a cache redirection virtual server using the
command line
Example
bind cr vserver my_cache_redirection_vip -pol bypass-cookie
URL length
When configuring an expression, you combine the object with an operator. The following are valid operators:
==: Equals
NOT CONTAINS: No subset of the target string is equal to the string in the expression
Description
HTTP client
The following table summarizes the different types of expression you can configure.
Types of user-defined expressions that you can include in a policy:
Method
URL
Tokens in the URL
Version
Header name and value
URL length
URL query string contents
URL query string length
Existence of a certificate
Certificate subject
Issuer
Version
Validity period
Signature algorithm
Serial number
Cipher type or bits
SSL version
IP address in a request
IP address in a response
Note: You can build complex expressions by using AND (&&) and OR (||)
operators. You can configure nesting by using parentheses, as described in the
following sections. For more information, see the Citrix NetScaler Policy
Configuration and Reference Guide.
Parameter: Name
Parameter: Expression
Note: You do not explicitly configure actions on a cache redirection policy. The
NetScaler considers any request that matches a policy to be non-cacheable, and
the implied action is to direct the request to the origin server instead of the cache.
1. In the navigation pane, expand Cache Redirection, and then click Policies.
3. In the Name text box, type the name of the policy, and then in the Expression area, click Add.
4. Specify the expression, for example:
Protocol: HTTP
Qualifier: URL
Operator: !=
Value: /*.jpeg
5. Specify the next expression, for example:
Protocol: HTTP
Qualifier: HEADER
Operator: EXISTS
When you are done entering the expression, click OK, and then click Close.
1.
2.
3.
4.
To configure a complex rule, from the main Policies page, click the Match
Any Expression list and choose an expression format.
5.
6.
Protocol: HTTP
Qualifier: METHOD
Operator: ==
Value: POST
After entering the first expression, click OK and enter the second
expression, as shown in the following example:
748
7.
Protocol: HTTP
Qualifier: URL
Operator: ==
Value: /*.cgi
Protocol: HTTP
Qualifier: URL
Operator: !=
Value: /*.gif
8.
When you are done entering expressions, click OK, and then click Close.
9.
To determine the order of evaluation for the expression, from the main
policy configuration dialog box, do the following:
Select an expression.
Select the final expression in the group and close the parentheses.
10. Click Save to prevent discarding the changes when you reboot the NetScaler.
1.
2. Click the virtual server that you want to configure and click Open.
3. On the Policies tab, in the Active column, select the check box next to the policies that you want to bind.
4. Click OK.
Note that you can bind more than one policy to the virtual server.
Examples
bind cr vserver Vserver-CRD-1 -policyName Policy-CRD-1
bind cr vserver Vserver-CRD-1 -policyName Policy-CRD-2
1.
2. Click the policy that you want to modify and click Open.
3.
page 741.
4. Click OK and click Close. The expression you selected appears in the Expression box.
5.
6.
Example
set cr policy Policy-CRD-1 -rule REQ.HTTP.URL != /*.jpeg && REQ.HTTP.METHOD != GET
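To make the evaluation of such rules concrete, the following Python evaluator handles the classic expression syntax used in this chapter: the qualifiers REQ.HTTP.URL, REQ.HTTP.METHOD and REQ.HTTP.HEADER, the operators ==, != and EXISTS, and combinations with &&, || and parentheses. It is added illustration code for this guide, not NetScaler's implementation. The form `REQ.HTTP.HEADER <name> EXISTS`, the treatment of `*` in a value as "any run of characters", and case-sensitive matching are assumptions about the syntax; the sample requests are constructed. As the Note above states, a request that matches the policy is non-cacheable and is routed to the origin.

```python
import re
from dataclasses import dataclass, field

# Qualifiers in the classic syntax shown in this chapter (assumed CLI spelling).
QUALIFIERS = ("REQ.HTTP.URL", "REQ.HTTP.METHOD", "REQ.HTTP.HEADER")
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||[^\s()]+")


@dataclass
class Request:
    """Just the request fields these rules can test."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)


class RuleParser:
    """Recursive descent: || binds loosest, && tighter, parentheses group."""

    def __init__(self, rule):
        self.toks = TOKEN_RE.findall(rule)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("rule ended unexpectedly")
        self.pos += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.primary()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.primary())
        return node

    def primary(self):
        if self.peek() != "(":
            return self.atom()
        self.take()
        node = self.or_expr()
        if self.take() != ")":
            raise ValueError("missing ')'")
        return node

    def atom(self):
        qualifier = self.take()
        if qualifier not in QUALIFIERS:
            raise ValueError(f"unsupported qualifier {qualifier!r}")
        if qualifier == "REQ.HTTP.HEADER":  # assumed form: REQ.HTTP.HEADER <name> EXISTS
            name = self.take()
            if self.take() != "EXISTS":
                raise ValueError("header test must be '<name> EXISTS'")
            return ("header_exists", name)
        op = self.take()
        if op not in ("==", "!="):
            raise ValueError(f"unsupported operator {op!r}")
        return (op, qualifier, self.take())


def wildcard_match(pattern, text):
    # * matches any run of characters; everything else is literal (assumption).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text) is not None


def evaluate(node, req):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], req) and evaluate(node[2], req)
    if kind == "or":
        return evaluate(node[1], req) or evaluate(node[2], req)
    if kind == "header_exists":
        return any(h.lower() == node[1].lower() for h in req.headers)
    _, qualifier, value = node
    actual = req.url if qualifier == "REQ.HTTP.URL" else req.method
    matched = wildcard_match(value, actual)
    return matched if kind == "==" else not matched


def route(rule, req):
    """A request that matches the policy is non-cacheable and goes to the origin."""
    return "origin" if evaluate(RuleParser(rule).parse(), req) else "cache"


if __name__ == "__main__":
    rule = "REQ.HTTP.URL != /*.jpeg && REQ.HTTP.METHOD != GET"
    for req in (Request("GET", "/index.html"), Request("POST", "/form.cgi")):  # constructed
        print(req.method, req.url, "->", route(rule, req))
```

With the rule from the example above, a GET for /index.html fails the METHOD test and stays cacheable, while a POST to /form.cgi matches both terms and is sent to the origin. The nested rule built in the complex-expression procedure, `REQ.HTTP.METHOD == POST || (REQ.HTTP.URL == /*.cgi && REQ.HTTP.URL != /*.gif)`, parses the same way, with the parenthesised group evaluated before the ||.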
1.
2.
3. Click Remove, and then click Yes in the Remove message box. The policy is deleted.
Example
rm cr policy Policy-CRD-1
Appendix A
RSA
Cipher algorithms
AES
DES
3DES
Note: RC4 (ARC4) is not a FIPS-approved algorithm and is disabled on an SSL virtual server if a FIPS certificate-key pair is bound to it.
An SSL virtual server is marked UP only when the default (FIPS) ciphers are configured. To enable other ciphers on an SSL virtual server, use the following command:
set ssl Vserver [-nonfipscipher (ENABLE|DISABLE)]
The following are the FIPS-approved ciphers supported by the system:
SSL3-DES-CBC3-SHA
SSL3-DES-CBC-SHA
TLS1-AES-256-CBC-SHA
TLS1-AES-128-CBC-SHA
Appendix B
As mentioned in the previous section, the HSM is locked after three unsuccessful login attempts. This security measure is aimed at preventing unauthorized access attempts and changes to the HSM settings. Once the card is locked, you cannot log on to the HSM or alter its configuration, and the HSM ceases to be operational.
Note: FIPS is not supported in NetScaler 9.1 nCore.
To avoid this situation, you are strongly advised to follow these directions:
1.
2.
3.
Store the super user password in a secure location. You will need it to
initialize the HSM. Moreover, you need to specify this password as the old
SO password when re-initializing the HSM.
Despite these precautions, if your HSM gets locked, you need to reset it to use it
again. Use the reset fips command to reset the HSM. This command clears
the HSM and resets the SO password and the User passwords to their default
values, i.e., sopin123 and userpin123 respectively.
The usage of the command is as follows:
reset fips
Warning: Do not use this command as an alternative to the set fips -initHSM command, or when you have forgotten the passwords. This command must be used only on a locked HSM.
After executing the reset fips command, use the set fips -initHSM
command to change the default passwords. Use the save configuration
command to save the running configuration.
756
In the following example, the HSM gets locked after three unsuccessful login
attempts. The reset fips command is then used to reset the card. Finally, the
set fips -initHSM command is used to change the default SO and User
passwords. This change is saved using the save configuration command.
> set fips -initHSM Level-2 newsopin123 newsopin123 newuserpin123 hsmLabel NSFIPS
This command will erase all data on the FIPS card. You must save the
configuration (saveconfig) after executing this command. Do you
want to continue?(Y/N)y
ERROR: Internal Error
> set fips -initHSM Level-2 fipssopin123 sopin123 fipsuserpin123 hsmLabel NSFIPS
This command will erase all data on the FIPS card. You must save the
configuration (saveconfig) after executing this command. Do you
want to continue?(Y/N)y
Done
> saveconfig
NetScaler saved the configuration
Done
>
Index
A
AAAA records
managing, 473
viewing configuration, 474
AAC Login Page
monitoring 197
AAC Login Page, monitoring 197
Access Gateway
alerts xvii
monitoring 196
accessdown on services
enabling, 144
actions
SSL 416
adding
name servers, 496
name server, 246
adding custom entries
static proximity database, 551
adding location file
static proximity database, 543
adding records
DNS resource records, 486, 492
address records
configuring, 474
creating, 487
ADNS mode
DNS ANY query behavior, 501
ADNS server
configuring, 484
ADNS service
creating, 485, 516
removing, 486
viewing configuration, 486
alerts
Knowledge Center xvii
Application Resolution Protocol, monitoring 196
architecture
load balancing, 26
ARP
monitoring 196
assigning
service weights, 115
B
backup GSLB vserver
configuring, 584
backup persistence
configuring, 107
backup router
configuring, 671
backup vserver
configuring, 296
backup vserver persistence
configuring, 568
bandwidth-based spillover
configuring, 123
basic configuration
load balancing, 29–30
basic content switching
configuring, 275
basic load balancing setup
configuring, 30
basic setup
configuring GSLB, 513
basic SSL offloading
configuring virtual server 363
binding
DNS policy, 594
HTTP services 366
LB vserver, 490
metrics to metric tables, 208
monitors to services, 165
vserver to work load manager, 214
binding domain
GSLB vserver, 522
binding GSLB service
vserver, 521
binding policies
vservers, 281
binding to service
monitors, 165
binding to service group
IP addresses, 223
monitor, 224
binding to vserver
service group, 222
services, 38
border site
creating, 633
C
cache redirection
about 691–692
administering a cache redirection vserver 731
advanced redirection
about 700
about configuration 726
cache redirection vserver, configure 729
configuration overview 727
configure cache redirection vserver using
command line 729
configure load balancing vserver 728
configure load balancing vserver using
command line 728
configure policies from the command line
730
configuring content switching policies from
the command line 731
content switching policies, about 731
content switching, enabling 728
edge mode, enabling 704
load balancing vserver, configuring 728
parameters for 726
policies, configuring 730
process overview 701
topology example 700
backing up a cache redirection vserver 740
bind load balancing vserver to cache redirection
vserver 709
bind policies to cache redirection vserver 709
bind service to load balancing vserver 707
cache redirection virtual server
deleting 736
cache redirection vserver
administration overview 731
backing up 740
bind policies to 749
changing the type of redirection 735
client connections 738
deleting 736
deleting using the command line 736
disabling 733
enabling 733
modifying 733
policies, binding 749
policies, remove from command line 735
policies, removing 734
viewing 732
client connections for a vserver 738
client timeout 738
configuring
advanced cache redirection 725
cache redirection policies 709
cache redirection policy for particular content
type 730
cache redirection virtual server for advanced
redirection 729
cache redirection vserver 707
client browser for forward proxy mode 725
content switching 728
content switching policy 731
DNS load balancing virtual server 722
edge deployment 728
forward proxy cache redirection 720
forward proxy cache redirection virtual
server 724
HTTP service 705
load balancing virtual server 713, 715
load balancing virtual server for advanced
redirection 728
mapping policy 718
reverse proxy cache redirection virtual server
716
reverse proxy redirection 711
transparent redirection 703
configuring on services, 161
configuring, 131
connection cleanup 740
content switching policies 731
content switching vserver, 300
delayed connection cleanup 740
disable caching for an origin server 710
edge versus origin 694
enabling
using the command line 702
using the GUI 701
expressions
configuring complex expressions 747
configuring simple expressions 746
general 744
in a policy, about 744
user-defined 745
forward proxy redirection
about 698
cache redirection vserver 724
client Web browsers 725
configuration parameters 721
configure cache redirection vserver 724
configure cache redirection vserver using
command line 724
configure DNS load balancing vserver 722
configure DNS load balancing vserver using
origin 715
configure load balancing vserver for the
origin using command line 716
configure reverse proxy cache redirection
vserver 717
configuring a cache redirection vserver using
the command line 717
configuring mapping policies 719
load balancing vserver for the cache 713
load balancing vserver for the origin 715
mapping policies, about 718
mapping policies, configuring 719
process overview 697
sample topology 696
task overview 712
simplified topology 693
statistics 736
basic 737
dashboard 737
monitor 737
viewing using the command line 738
supported protocols 692
TCP connections, reusing 739
timeout for clients 738
to either the origin or the cache 692
to the cache server 692
to the origin 692
topology, simplified 693
transparent redirection
about 694
about configuring 707
bind policies to cache redirection vserver 709
bind service to load balancing vserver 707
cache redirection vserver parameters 708
configure cache redirection vserver using
command line 710
configure load balancing vserver using
command line 705
configuring 703, 709
configuring the HTTP service 705
configuring the load balancing vserver 704
HTTP service, configure using command line
706
parameters for the load balancing vserver 704
sample topology 695
task overview 703
turning off caching for an origin server 710
Via header, inserting in a request 739
viewing cache redirection statistics 736
viewing the vservers for 702
virtual servers, viewing 702
caching
DNS records, 491
calculating
response time for monitors, 69
call ID hash method
configuring, 80
case sensitivity
setting, 291
certificate authority
obtaining certificate 371
changing GSLB
method, 538
Citrix NetScaler against failure
protecting, 294
Citrix Presentation Server component
monitoring, 196
client connections
managing, 589
client IP address
insertion, 149
client keep-alive
configuring, 147
client traffic
managing, 129
CNAME records
managing, 477
viewing configuration, 478
CNAME-based GSLB services
creating, 537
limitations, 538
compression
enabling on service, 146
concepts
CNAME-based GSLB services, 536
connection failover, 124
DNS ANY query, 501
DNS round robin, 470
DNS, 308, 467
load balancing, 25
Configuring 399–400
configuring
ADNS server, 484
backup vserver, 296
basic content switching, 275
basic load balancing setup, 30
body insertion 345
content switching, 273
DNS proxy server, 488
domain delegation, 487
dynamic proximity, 555
end resolver, 493
forwarder, 496
GSLB, 512
link load balancing, 667
load balancing setup, 279
metrics, 207
persistence, 97
persistent connections, 559
postbody files 347
prebody files 346
RNAT, 248
RTT tolerance factor, 557
services for load balancing, 142
spillover, 297
SSL 400, 407–412, 414
static proximity, 541
URL for redirection, 294
configuring backup
GSLB vserver, 584
configuring backup IP
GSLB domain, 587
configuring CNAME
GSLB services, 536
configuring content switching
how content switching works, 273
configuring DNS
expression, 590
views, 596
configuring DNS views
external clients, 599
internal clients, 599
throughput, 603
configuring dynamic proximity
deployment scenario, 621
configuring dynamic weights
number of services, 572
services, 570
weights of individual services, 574
configuring GSLB
basic setup, 513
deployment scenario, 513, 605
disaster recovery, 605
empty address record, 586
multiple IP addresses, 584
proximity, 620
scalability, 631
TROFS, 568
configuring load balancing
SASP, 210
configuring load balancing methods
call ID hash method, 80
custom load method, 92
destination IP hash method, 79
domain hash method, 79
hash methods, 75
least bandwidth method, 81
least connection method, 58
least packets method, 85
least response time method, 64
LRTM using monitors, 69
round robin method, 62
source IP destination IP hash method, 80
source IP hash method, 80
source IP source port hash method, 80
token method, 89
URL hash method, 77
weighted round robin, 63
configuring metrics
load assessments, 207
configuring monitors
inline, 198
load, 206
user, 200
configuring persistence
backup persistence, 107
backup vserver, 568
connection proxy, 563
HTTP cookies, 562
HTTP redirect, 566
source IP address, 559
vserver groups, 108
creating records
address, 487
glue, 488
NS, 487
SOA, 487
creating service
ADNS, 485, 516
DNS, 490
creating vserver
load balancing, 489
CRL
configuring 399
custom load method
configuring, 92
customizing
content switching setup, 291
load balancing configuration, 54
monitors, 198
D
datacenter persistence
deployment scenario for disaster recovery, 617
delayed cleanup of vserver connections
enabling, 301
delegating
sub-domain, 523
deleting records from cache
DNS, 492
deployment scenario
configuring dynamic proximity, 621
configuring GSLB, 513, 605
configuring static and dynamic proximity, 628
load balancing DNS servers, 240
load balancing domain-name based services, 243
load balancing FTP servers, 237
load balancing in direct server return mode, 253
load balancing in inline mode, 264
load balancing in one-arm mode, 262
load balancing SIP servers, 247
load balancing, 252
deployment scenario for disaster recovery
datacenter persistence, 617
describing
spillover parameters, 121, 298
destination IP
routing persistence, 666
destination IP based persistence
configuring, 105
destination IP hash method
configuring, 79
DNS servers
load balancing, 240
monitoring, 242
DNS service
creating, 490
monitoring, 183
DNS statistics
viewing, 483
DNS views
configuring, 596, 599
creating, 596
improving manageability, 596
removing, 597
domain delegation
configuring, 487
creating NS resource records, 487
domain hash method
configuring, 79
domain-name based service
load balancing, 243
downstateflush
enabling on service, 144
enabling on vserver, 134
dynamic proximity
configuring, 555
dynamic spillover
configuring, 123
E
empty address record GSLB
configuring, 586
enabling
accessdown on services, 144
content switching, 277
delayed cleanup of vserver connections, 301
HTML Injection 338
load balancing, 31
MEP, 528
name servers, 499
recursive resolution, 494
use proxy port, 153
use source IP address, 151
enabling and disabling
content switching vserver, 287
monitors, 169
servers, 44
service group, 229
services, 45
vservers, 48
F
filter policies
binding 342
forwarder
configuring, 496
FTP monitors
configuring, 239
FTP servers
load balancing, 237
FTP service
monitoring, 176
G
global bindings
viewing, 595
global bindings configuration
viewing, 599
glue records
creating, 488
GSLB
configuring, 512
protecting, 583
GSLB actions
creating, 593
GSLB configuration
modifying, 526
viewing, 523
GSLB domain
viewing statistics, 525
GSLB domain backup IP
configuring, 587
GSLB domain behavior
DNS ANY query, 502
GSLB domain vserver
unbinding, 532
GSLB mesh
configuring, 631
GSLB method
changing, 538
GSLB policy
modifying, 595
viewing, 595
GSLB proximity
configuring, 620
GSLB scalability
configuring, 631
GSLB service
creating, 519
disabling, 530
enabling, 530
managing, 529
modifying, 529
removing, 531
viewing properties, 525
viewing statistics, 525
GSLB service vserver
unbinding, 532
GSLB services
configuring CNAME, 536
monitoring, 575
GSLB services backup vserver
considering, 588
GSLB site
creating, 518
managing, 526
modifying, 527
removing, 529
viewing properties, 523
GSLB site statistics
viewing, 524
GSLB vserver
binding domain, 522
creating, 520
disabling, 531
enabling, 531
managing, 531
removing, 533
viewing properties, 524
viewing statistics, 524
H
hash methods
configuring, 75
how content switching works
configuring content switching, 273
how it works
HTML Injection 337
SSL 361
HTML Injection
body insertion 349
configuring for commonly used applications 353
configuring header insertion 338
internal variables 345
HTTP cookies persistence
configuring, 562
HTTP redirect persistence
configuring, 566
HTTP redirection
configuring, 136
I
idle client connections
setting timeout, 304
setting time-out, 139, 158
idle server connections
setting time-out, 159
implementing
RNAT with link load balancing, 667
improving manageability
DNS views, 596
inline mode
configuring, 264
inline monitors
configuring, 198
inserting
client IP address in requests, 149
IP address and port, 137, 302
interface throughput
configuring DNS views, 603
internal clients
configuring DNS views, 599
IP address and port
inserting, 137, 302
K
Knowledge Center
alerts xvii
L
large scale deployment
managing, 218
LB configuration
modifying, 43
LB method
load balancing DSR mode, 255, 268
LB setup
configuring, 516
LB vserver
binding, 490
LDAP service
monitoring, 184
LDNS
managing, 590
least bandwidth method
configuring, 81
least connection method
configuring, 58
least packets method
configuring, 85
least response time method
configuring, 64
limitations
CNAME-based GSLB services, 538
link load balancing
configuring, 667
RNAT, 675
load balancing
architecture, 26
basic configuration, 29–30
common protocols, 236
concepts, 25
creating vserver, 489
deployment scenarios, 252
enabling, 31
redirection mode, 113
removing DNS server, 493
sessionless vservers, 129
SIP in inline DSR mode, 181
SIP in one-arm DSR mode, 180
spillover, 120
SSL 443
SSL servers, 240
topology, 30
troubleshooting problems, 270
verifying configuration, 39
Visualizer 49, 52
load balancing configuration
customizing, 54
protecting, 116
viewing, 282
load balancing DSR mode
enabling MAC-based forwarding, 254, 267
LB method and redirection mode, 255, 268
USIP mode, 256, 269
load balancing policy
routing, 666
load balancing setup
configuring, 279
load balancing using SASP
configuring, 210
load balancing, configuration
using the Visualizer 52
load monitors
configuring, 206
location 1 aggregator
configuring, 635
location 2 aggregator
configuring, 636
LRTM using monitors
configuring, 69
M
MAC-based forwarding
enabling, 254, 267
maintaining
client connections, 147
managing
client connections, 589
client traffic, 129
content switching policy, 288
DNS policies, 591
GSLB service, 529
GSLB site, 526
GSLB vserver, 531
large scale deployment, 218
LDNS, 590
monitors, 168
servers, 43
service groups, 227
services, 45
vservers, 46
work load manager, 216
managing and monitoring
servers, 141
managing records
AAAA, 473
CNAME, 477
NS, 476
managing servers
name, 499
maximum bandwidth usage
setting, 159
maximum entries
session, 666
maximum number of client connections
setting, 155
maximum number of requests
setting, 156
measuring
application performance 353
MEP
disabling, 528
enabling, 528
merging
DNS and GSLB policies, 590
metric table
creating, 208
unbinding, 209
metric tables
removing, 209
viewing properties, 210
metrics
binding to metric tables, 208
configuring, 207
modifying
content switching policies, 288
GSLB configuration, 526
GSLB policy, 595
GSLB service, 529
GSLB site, 527
LB configuration, 43
monitors, 165
service groups, 225
work load manager, 215
modifying records
MX, 476
SOA, 483
SRV, 473
monitor
enabling and disabling, 169
managing, 168
modifying, 165
removing, 170
monitoring
AAC Login Page 197
Access gateway servers 196
ARP requests 196
Citrix Presentation Server component, 196
DNS servers, 242
GSLB services, 575
routers, 665
services, 162
monitoring services
DNS, 183
FTP, 176, 239
LDAP, 184
MySQL, 186
NNTP, 187
POP3, 187
RADIUS, 182
SIP, 176
SMTP, 188
SNMP, 186
SSL, 174
monitors
binding to a service group, 224
binding to services, 165
configuring, 162
creating, 163
customizing, 198
unbinding from service, 170
viewing, 171
multiple IP addresses GSLB
configuring, 584
MX records
configuring, 475
modifying, 476
viewing configuration, 476
MySQL service
monitoring, 186
N
name server
adding, 246
name servers
adding, 496
disabling, 499
enabling, 499
managing, 499
removing, 499
viewing configuration, 498
NNTP service
monitoring, 187
NS records
creating, 487
managing, 476
viewing configuration, 477
number of services
configuring dynamic weights, 572
O
one-arm mode
configuring, 262
P
persistence
configuring, 97
persistence groups
configuring, 108
persistent connections
configuring, 559
policy
GSLB removing, 594
POP3 service
monitoring, 187
ports and protocols
rewriting, 302
precedence of evaluation
setting, 292
priority queuing
configuring, 132
product alerts xvii
protecting
Citrix NetScaler against failure, 294
GSLB, 583
load balancing configuration, 116
traffic surge, 142
protocols
load balancing, 236
proxy mode
DNS ANY query behavior, 501
PTR records
configuring, 478
viewing configuration, 479
R
RADIUS service
monitoring, 182
range of vservers and services
creating, 218
recursive resolution
enabling, 494
viewing configuration, 495
recursive resolution retries
setting, 495
recursive resolution settings
removing, 496
redirecting
client requests, 116, 333
HTTP requests to cache, 131
requests to cache, 161
redirecting requests
cache, 300
redirection mode
configuring, 113
load balancing DSR mode, 255, 268
removing
content switching policies, 290
content switching vservers, 285
GSLB policies, 594
GSLB service, 531
GSLB site, 529
GSLB vserver, 533
metric tables, 209
monitors, 170
name servers, 499
server, 43
service groups, 227
service, 45
vserver, 47
work load manager, 216
removing DNS
views, 597
removing DNS server
load balancing, 493
removing service
ADNS, 486
removing settings
recursive resolution, 496
response time
calculating, 69
rewriting
ports and protocols, 302
rewriting ports and protocols
HTTP redirection, 136
RNAT
configuring, 248
RNAT with link load balancing
implementing, 667
round robin method
configuring, 62
routers
monitoring, 665
routing
load balancing policy, 666
routing persistence
destination IP, 666
RTT tolerance factor
configuring, 557
rule based persistence
configuring, 102
S
sample scenario
configuring GSLB mesh, 631
configuring static proximity, 624
server
creating, 35
enabling and disabling, 44
managing, 43
removing, 43
server IDs
setting, 151
server parameters
usage, 36
Server-IDs based persistence
configuring, 104
servers
managing and monitoring 141
service
binding to vservers, 38
creating, 32
enabling and disabling, 45
managing, 45
removing, 45
unbinding from a vserver, 47
viewing bindings, 42
viewing properties, 41
viewing statistics, 42
service group
binding an IP address, 223
binding to a vserver, 222
configuring, 221
creating, 221
enabling and disabling, 229
managing, 227
modifying, 225
removing, 227
unbinding a member, 228
unbinding from a vserver, 228
unbinding monitors, 229
viewing properties, 230
viewing statistics, 231
service parameters
usage, 32
service weight
configuring, 115
session
entry time-out, 666
maximum entries, 666
sessionless vservers
configuring, 129
setting
case sensitivity, 291
maximum bandwidth usage, 159
maximum number of client connections, 155
maximum number of requests, 156
precedence of evaluation, 292
recursive resolution retries, 495
server IDs, 151
SIP parameters, 249
threshold value for monitors, 157
setting idle time-out
client connections, 139, 158
server connections, 159
setting priority
DNS lookup, 498
setting timeout
idle client connections, 304
setting up
connection failover, 123, 127
monitors, 162
service groups, 221
SIP
working, 178
SIP in inline DSR mode
concepts, 181
SIP in one-arm DSR mode
concepts, 180
SIP parameters
configuring, 249
SIP servers
load balancing, 247
SIP service
monitoring, 176
SMTP service
monitoring, 188
SNMP service
monitoring, 186
SOA records
configuring, 479
creating, 487
modifying, 483
viewing configuration, 500
source and destination IP persistence
configuring, 105
source IP address persistence
configuring, 559
source IP destination IP hash method
configuring, 80
source IP hash method
configuring, 80
source IP persistence
configuring, 100
source IP source port hash method
configuring, 80
specifying files
HTML Injection 349
spillover
configuring, 120, 297
SRV
configuring records, 472
viewing configuration, 473
SRV records
modifying, 473
SSL
actions 416
certificate key pair 367
certificate revocation lists 398
client authentication 393–394, 416
configurations 427, 430, 438–439, 443, 445
configuring 414
configuring SSL offloading 362
CRL 402–403
customizing configuration 406
deployment scenarios 443
enabling 363
insertion 418
managing certificates 371
outlook web access 417
overview 361
policies 425
server authentication 397
verifying configuration 369
virtual server 370
SSL Acceleration
Exporting Certificates and Keys
IIS 5 on Windows 2000 377
Sun iPlanet 378
SSL certificate
exporting 374
self signed 381
SSL certificates
chain 384
client certificates 394
converting 394
exporting 374–375, 377–379
global site certificates 389
importing 391
managing 387
server 387
SSL servers
load balancing, 240
SSL service
monitoring, 174
SSL session IDs based persistence
configuring, 101
static proximity
adding custom entries, 551
adding location file, 543
configuring, 541
sub-domain
delegating, 523
SureConnect
configuring 133
configuring, 143
surge protection
configuring, 142
T
TCP buffering
enabling on service, 145
threshold value for monitors
setting, 157
token method
configuring, 89
topology
content switching, 276
load balancing, 30
TROFS GSLB
configuring, 568
troubleshooting
load balancing problems, 270
U
unbinding
DNS policy, 594
GSLB domain from vserver, 532
metric tables, 209
monitors from service groups, 229
monitors, 170
service groups, 222, 228
work load manager, 216
unbinding content switching policies
content switching vservers, 285
unbinding from a vserver
service group, 228
services, 47
unbinding from service
monitors, 170
unbinding from service group
member, 228
monitors, 229
unbinding GSLB service
vserver, 532
understanding
basic LB topology, 30, 276
DNS round robin, 470
LB entity model 31, 277
SIP in inline DSR mode, 181
SIP in one-arm DSR mode, 180
URL for redirection
configuring, 294
URL hash method
configuring, 77
V
verifying
content switching configuration, 282
load balancing configuration, 39
verifying configuration
HTML Injection 343
viewing
content switching policies, 282
filter actions 343
filter policies 344
global bindings, 595
load balancing configuration, 282
monitors, 171
service bindings, 42
virtual server 344
vserver properties, 39
work load manager, 217
viewing configuration
ADNS service, 486
DNS views, 599
global bindings, 599
GSLB, 523
name servers, 498
recursive resolution, 495
viewing GSLB
policy, 595
viewing GSLB statistics
site, 524
viewing properties
content switching vservers, 282
GSLB service, 525
GSLB site, 523
GSLB vserver, 524
metric tables, 210
service group, 230
service, 41
vserver, 40
viewing records
AAAA, 474
CNAME, 478
MX, 476
NS, 477
PTR, 479
SOA, 500
SRV, 473
viewing statistics
DNS, 483
GSLB domain, 525
GSLB service, 525
GSLB vserver, 524
service group, 231
service, 42
vserver, 41
Visualizer 49, 52
vserver
binding GSLB service, 521
creating, 37
managing, 46
removing, 47
viewing statistics, 41
vserver connections delayed cleanup
enabling, 589
vserver parameters
usage, 37, 278
vservers
binding policies, 281
binding to work load manager, 214
viewing properties, 39–40
W
weighted round robin
configuring, 63
weights of individual services
configuring dynamic weights, 574
work load manager
creating, 213
entity model, 212
managing, 216
modifying, 215
removing, 216
unbinding, 216
viewing, 217
working
SIP, 178
Z
338–339, 341–347, 349, 353, 361–367, 369–371, 374