Contents

Preface
  About This Guide
  New in This Release
  Audience
  Formatting Conventions
  Related Documentation
  Getting Service and Support
  Documentation Feedback

Chapter 6 FIPS
  Configuring the HSM
  Creating and Transferring FIPS Keys
    Creating a FIPS Key
    Exporting a FIPS Key
    Importing an Existing FIPS Key
    Importing External Keys
  Configuring FIPS Appliances in a High Availability Setup
  Updating the Firmware Version on a FIPS Card
  Resetting a Locked HSM
  FIPS Approved Algorithms and Ciphers

Index
Preface
Before you begin to configure the features described in this document, take a few
minutes to review this chapter and learn about related documentation, other
support options, and ways to send us feedback.
In This Preface
About This Guide
New in This Release
Audience
Formatting Conventions
Related Documentation
Getting Service and Support
Documentation Feedback
Audience
This guide is intended for the following audience:
• NetScaler and network administrators who need configuration information.
• IT personnel who want to read about the advantages of traffic management.
xvi Citrix NetScaler Traffic Management Guide
The concepts and tasks described in this guide require you to have a basic
understanding of NetScaler virtual IP address and virtual server configuration. It
is also helpful to have a basic understanding of NetScaler policies.
Formatting Conventions
This documentation uses the following formatting conventions.
Formatting Conventions

Convention    Meaning

Boldface      Information that you type exactly as shown (user input);
              elements in the user interface.

Italics       Placeholders for information or parameters that you provide.
              For example, FileName in a command means you type the actual
              name of a file. Also, new terms, and words referred to as words
              (which would otherwise be enclosed in quotation marks).

Monospace     Citrix NetScaler output or characters in a command line. User
              input and placeholders are also formatted using monospace text.

[brackets]    Optional items in command statements. For example, in the
              following command, [-range positiveInteger] means that you
              have the option of entering a range, but it is not required:

              add lb vserver name serviceType IPAddress port [-range positiveInteger]
Related Documentation
A complete set of documentation is available on the Documentation tab of your
NetScaler and from http://support.citrix.com/. (Most of the documents require
Adobe Reader, available at http://adobe.com/.)
Documentation Feedback
You are encouraged to provide feedback and suggestions so that we can enhance
the documentation. You can send email to the following alias or aliases, as
appropriate. In the subject line, specify “Documentation Feedback.” Be sure to
include the document name, page number, and product release version.
• For NetScaler documentation, send email to nsdocs_feedback@citrix.com.
• For Command Center documentation, send email to
ccdocs_feedback@citrix.com.
• For Access Gateway documentation, send email to
agdocs_feedback@citrix.com.
You can also provide feedback from the Knowledge Center at http://
support.citrix.com/.
Load Balancing
This chapter describes the load balancing feature of a Citrix NetScaler. Load
balancing allows a NetScaler to distribute the client requests across multiple
servers. Load balancing improves server fault tolerance and end-user response
time. This chapter lists the basic and a few advanced settings that you can
configure on a NetScaler.
In This Chapter
How Load Balancing Works
Configuring Basic Load Balancing
Customizing a Load Balancing Configuration
Protecting the Load Balancing Configuration Against Failure
Managing Client Traffic
Managing and Monitoring Servers
Managing a Large Scale Deployment
Configuring Load Balancing for Commonly Used Protocols
Configuring Load Balancing in Commonly Used Deployment Scenarios
Troubleshooting Common Problems
The entities that you must configure in a typical load balancing setup are:
• Virtual Server. An entity that is represented by using an IP address, a port,
and a protocol. The virtual server IP address (VIP) is usually a public IP
address. The client sends connection requests to this IP address. The virtual
server represents a bank of servers.
Chapter 1 Load Balancing 27
You do not configure services or virtual servers for a global HTTP port. In this
case, you configure the port itself, as shown in the following example.
Note: If you have configured the NetScaler as a transparent pass-through that
makes use of global (wildcard) ports, you may want to turn on Edge mode. For
more information, see "Configuring Edge Mode," on page 740.
Example
set ns config -httpPort 80
After configuring this port, the NetScaler accepts all traffic that matches the port
number, and processes it as HTTP traffic. The NetScaler dynamically learns and
creates services for this traffic.
In the diagram, load balancing is used to manage traffic flow to the servers. The
virtual server selects the service and assigns it to serve client requests. Consider a
scenario where the services Service-HTTP-1 and Service-HTTP-2 are created and
bound to the virtual server named Vserver-LB-1. Vserver-LB-1 forwards the
client request to either Service-HTTP-1 or Service-HTTP-2. The NetScaler
selects the service for each request using the least connection load balancing
method. The following table lists the names and values of the basic entities that
must be configured on the NetScaler.
Sample Load Balancing Configuration (mandatory parameters and sample values)

Entity Type      Name             IP Address      Port   Protocol
Virtual server   Vserver-LB-1     10.102.29.60    80     HTTP
Services         Service-HTTP-1   10.102.29.5     8083   HTTP
                 Service-HTTP-2   10.102.29.6     80     HTTP
Monitors         Default          None            None   None
The following diagram shows the load balancing sample values and mandatory
parameters that are described in the preceding table.
Example
enable feature lb
Creating Services
You can add, modify, bind, and remove services. Once configured, a service
is shown as DOWN until the NetScaler can reach the server on the network and
its monitor reports the server as available.
Example
add service Service-HTTP-1 10.102.29.5 HTTP 80
Before you create a service, you need to understand the service types and the
usage of each type. NetScaler supports the following service types:
• HTTP. For HTTP services and virtual servers. To enable the Layer 7
benefits for HTTP connections such as compression, content filtering,
caching, and Client Keep Alive, you can configure services and virtual
servers of type HTTP. Because HTTP is a TCP based application protocol,
you may alternatively use service type TCP, however, in this case, the
NetScaler will only perform Layer 4 load balancing and will not provide
the Layer 7 benefits listed above, as well as the following:
• Virtual server IP Port Insertion
• Redirect Port Rewrite
• Push
• Redirect URL
• SSL. For HTTPS services and virtual servers. Select this service type to
configure the NetScaler to encrypt and decrypt (offload) SSL traffic.
Alternatively, you can use service types SSL_BRIDGE, SSL_TCP, or TCP;
however, in these cases the NetScaler performs only Layer 4 load
balancing, and the server must encrypt and decrypt the SSL traffic. Also,
with service types SSL_BRIDGE, SSL_TCP, and TCP no Layer 7 processing
can be done, such as persistence based on HTTP information, content
switching, or rewrite, and the following options are not supported:
• Virtual server IP Port Insertion
• Push
• Redirect URL
• FTP. For FTP services and virtual servers. This setting ensures that the
NetScaler takes care of the specifics of the FTP protocol. Alternatively, you
can use service type TCP together with an additional virtual server of
service type ANY.
• TCP. For any TCP services or virtual servers for which a more specific
service type is not available. Alternatively, you can use service type ANY.
• SSL_TCP. For non-HTTP-based SSL services and virtual servers.
Alternatively, you can use service type TCP, however in this case,
NetScaler performs Layer 4 load balancing, but not SSL offloading and the
server must encrypt and decrypt the SSL traffic.
• UDP. For User Datagram Protocol services and virtual servers.
Alternatively, you can use service type ANY.
• SSL_BRIDGE. For services and virtual servers using the SSL protocol
when you do not want the NetScaler to encrypt or decrypt the SSL traffic.
Alternatively, you can use SSL_TCP for the service type.
• NNTP. For Network News Transfer Protocol services or virtual servers,
typically used for Usenet.
• DNS. For Domain Name System services and virtual servers. With service
type DNS, the NetScaler will validate the packet format of the DNS
requests and responses, it can cache the DNS responses, and it will be
possible to apply DNS policies to the service or virtual server.
Alternatively, you can use service type UDP, but in this case the NetScaler
will only perform Layer 4 load balancing and will not provide the other
benefits possible with the DNS service type.
• ANY. For any TCP, UDP, and Internet control message protocol (ICMP)
services or virtual servers. The ANY parameter is used primarily with
firewall load balancing and link load balancing.
Note: For more information about SSL and SSL TCP service types, see Chapter
5, “Secure Sockets Layer (SSL) Acceleration.”
Example
add server Server-1 10.102.29.18
1. In the navigation pane, expand Load Balancing, and then click Servers.
2. In the details pane, click Add.
3. In the Create Server dialog box, in Name and
IP Address / Domain name, type the required information (for example,
Server-1 and 10.102.29.18).
Note: If the server is accessible using an IPv6 address, you can either
enter an IPv6 address in this field, or you can type a domain name and
select the IPv6 Domain check box.
4. Click Create, and then click Close. The server you created appears in the
Servers page.
Note: The state of the virtual server is DOWN when you first create it because
active services are not bound to it.
Example
add lb vserver Vserver-LB-1 HTTP 10.102.29.60 80
Note: There are many more configuration options for load balancing virtual
servers than are shown here. These are only the options needed to configure the
simplest load balancing setup.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, click Add.
3. In the Create Virtual Server (Load Balancing) dialog box, in the Name,
IP Address, and Port text boxes, type the name, IP address, and port of the
virtual server (for example, Vserver-LB-1, 10.102.29.60, and 80).
Note: If the virtual server uses IPv6, select the IPv6 check box and enter
the address in IPv6 format (for example,
1000:0000:0000:0000:0005:0600:700a:888b).
4. In the Protocol list, select the type of the virtual server (for example,
HTTP).
5. Click Create, and then click Close. The virtual server you created appears
in the Load Balancing Virtual Servers page.
Example
bind lb vserver Vserver-LB-1 Service-HTTP-1
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to bind the
service (for example, Vserver-LB-1).
3. Click Open.
4. In the Configure Virtual Server (Load Balancing) dialog box, on the
Services tab, select the Active check box next to the service that you want
to bind to the virtual server (for example, Service-HTTP-1).
5. Click OK.
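The commands above (enable feature lb, add server, add service, add lb vserver, bind lb vserver) are usually collected in a batch file and replayed on the appliance. The following is an added example, not NetScaler code: a small consistency check for such a batch file before it is applied. It parses only the command forms shown on this page and reports bindings to entities that were never added, as well as services of a type that, as the page explains, gives Layer 4 load balancing only. The type-compatibility rule it applies (a service must be of the same type as the virtual server, except that an SSL virtual server may offload to HTTP services) is an assumption of this example; the sample batch, including the deliberately wrong Service-TCP-1 and Service-HTTP-9 lines, is constructed.

```python
"""Consistency checks for a NetScaler load balancing batch file built from the
commands shown on this page. Added example, not NetScaler code: the grammar is
the subset shown on the page, and the type-compatibility rule is an assumption."""

import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Service types that the page describes as Layer 4 load balancing only
L4_ONLY = {"TCP", "UDP", "ANY", "SSL_TCP", "SSL_BRIDGE"}

# Constructed sample batch (the last three bindings exercise the checks)
SAMPLE_BATCH = """\
enable feature lb
add server Server-1 10.102.29.18
add service Service-HTTP-1 10.102.29.5 HTTP 80
add service Service-HTTP-2 10.102.29.6 HTTP 80
add service Service-TCP-1 10.102.29.7 TCP 80
add lb vserver Vserver-LB-1 HTTP 10.102.29.60 80
bind lb vserver Vserver-LB-1 Service-HTTP-1
bind lb vserver Vserver-LB-1 Service-HTTP-2
bind lb vserver Vserver-LB-1 Service-TCP-1
bind lb vserver Vserver-LB-1 Service-HTTP-9
"""


@dataclass
class Config:
    servers: Set[str] = field(default_factory=set)
    services: Dict[str, str] = field(default_factory=dict)   # name -> service type
    vservers: Dict[str, str] = field(default_factory=dict)   # name -> service type
    findings: List[str] = field(default_factory=list)


def compatible(vserver_type: str, service_type: str) -> bool:
    """Assumed rule: same type, or an SSL virtual server offloading to plain HTTP."""
    return vserver_type == service_type or (vserver_type, service_type) == ("SSL", "HTTP")


def lint(batch: str) -> Config:
    cfg = Config()
    for lineno, raw in enumerate(batch.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[:2] == ["add", "server"] and len(tok) >= 4:
            cfg.servers.add(tok[2])
        elif tok[:2] == ["add", "service"] and len(tok) >= 6:
            name, target, stype = tok[2], tok[3], tok[4].upper()
            # A bare IP target implicitly creates a server entity named after the
            # IP, which is why the page can run "rm server 10.102.29.5".
            if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", target):
                cfg.servers.add(target)
            elif target not in cfg.servers:
                cfg.findings.append(f"line {lineno}: service {name} refers to undefined server {target}")
            cfg.services[name] = stype
            if stype in L4_ONLY:
                cfg.findings.append(f"line {lineno}: service {name} is type {stype}: "
                                    "Layer 4 load balancing only, no Layer 7 features")
        elif tok[:3] == ["add", "lb", "vserver"] and len(tok) >= 7:
            cfg.vservers[tok[3]] = tok[4].upper()
        elif tok[:3] == ["bind", "lb", "vserver"] and len(tok) >= 5:
            vs, svc = tok[3], tok[4]
            if vs not in cfg.vservers:
                cfg.findings.append(f"line {lineno}: bind to undefined virtual server {vs}")
            elif svc not in cfg.services:
                cfg.findings.append(f"line {lineno}: bind of undefined service {svc} to {vs}")
            elif not compatible(cfg.vservers[vs], cfg.services[svc]):
                cfg.findings.append(f"line {lineno}: {svc} ({cfg.services[svc]}) bound to "
                                    f"{vs} ({cfg.vservers[vs]}): service type mismatch")
    return cfg


if __name__ == "__main__":
    for finding in lint(SAMPLE_BATCH).findings:
        print(finding)
```

Run it against a batch file before feeding the file to the appliance; each finding names the line so the batch can be corrected in place. The check is deliberately conservative: it knows only the commands and types listed on this page, so an unrecognised command is ignored rather than reported.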
Example
show server Server-1
In the navigation pane, expand Load Balancing, and then click Servers. The
details of the available servers appear on the Servers page.
Example
show lb vserver Vserver-LB-1
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, click a virtual server to display its properties at the
bottom of the details pane.
3. To view cache redirection and content switching virtual servers that are
bound to this virtual server, click Show CS/CR Bindings.
Example
stat lb vserver Vserver-LB-1
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the details pane, select the virtual server whose statistics you want to
view (for example, Vserver-LB-1).
3. Click Statistics to view the statistics of the virtual server.
Example
show service Service-HTTP-1
In the navigation pane, expand Load Balancing, and then click Services. The
details of the available services appear on the Services page.
Example
stat service Service-HTTP-1
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service whose statistics you want to view (for
example, Service-HTTP-1).
3. Click Statistics. The statistics appear in a new window.
Example
show service bindings Service-HTTP-1
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service whose binding information you want
to view (for example, Service-HTTP-1).
3. Click Show Bindings. The bindings of the service you selected appear in
the Binding details for Service: ServiceName dialog box.
Example
rm server 10.102.29.5
1. In the navigation pane, expand Load Balancing, and then click Servers.
2. In the details pane, select the server that you want to remove (for example,
10.102.29.5), and then click Remove.
3. In the Remove dialog box, click Yes.
Example
enable server 10.102.29.5
1. In the navigation pane, expand Load Balancing, and then click Servers.
2. In the details pane, select the server that you want to enable (for example,
10.102.29.5), and then click Enable.
3. In the Enable dialog box, click Yes.
Example
disable server 10.102.29.5 30
1. In the navigation pane, expand Load Balancing, and then click Servers.
2. In the details pane, select the server that you want to disable (for example,
10.102.29.5), and then click Disable.
3. In the Wait Time dialog box, type the wait time after which the server is to
be disabled (for example 30).
4. Click Enter.
Managing Services
This section describes how to manage the services you created in a basic LB
setup. You can perform tasks such as enabling, disabling, and removing services.
Each task that you perform impacts on the basic LB setup as described in the
following sections.
Removing a Service
You can remove a service when it is no longer used. When you remove a service,
it is unbound from the virtual server and deleted from the NetScaler.
Example
rm service Service-HTTP-1
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service that you want to remove (for example,
Service-HTTP-1), and then click Remove.
Example
enable service Service-HTTP-1
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service that you want to enable (for example,
Service-HTTP-1), and click Enable.
3. In the Enable dialog box, click Yes.
Example
disable service Service-HTTP-1 30
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service that you want to disable (for example,
Service-HTTP-1), and then click Disable.
3. In the Wait Time dialog box, type the wait time after which the service is to
be disabled (for example, 30).
4. Click Enter.
Example
unbind lb vserver Vserver-LB-1 Service-HTTP-1
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server from which you want to unbind
a service (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, in the
Services tab, clear the Active check box next to the service that you want to
unbind from the virtual server (for example, Service-HTTP-1).
4. Click OK.
Example
rm lb vserver Vserver-LB-1
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to remove (for
example, Vserver-LB-1), and then click Remove.
3. In the Remove dialog box, click Yes.
Example
enable lb vserver Vserver-LB-1
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to enable (for
example, Vserver-LB-1), and then click Enable.
3. In the Enable dialog box, click Yes.
Example
disable lb vserver Vserver-LB-1
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to disable (for
example, Vserver-LB-1), and then click Disable.
3. In the Disable dialog box, click Yes.
Note: In the disabled state, a virtual server continues to exist on the network.
NetScaler continues to respond to address resolution protocol (ARP) and Internet
control message protocol (ICMP) requests directed to the IP address of the virtual
server.
To view basic load balancing virtual server properties using the Visualizer
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to view, and then
click Visualizer.
3. In the Load Balancing Visualizer window, you can adjust the viewable
area as follows:
• Click the Zoom In and Zoom Out icons to increase or decrease the
size of the viewed objects. You can click and drag the viewable area
if an item that you want to see disappears from view after zooming in.
• Click the Best Fit icon to optimize the viewing area.
• Click the Save Image icon to save the graph as an image file.
• Click the image, hold down the mouse button, and drag the image to
pan the view.
• In the Search in text field, type the name of the item you are looking
for to highlight its location on the visualizer. To restrict the search,
click the drop-down menu and select the type of element that you
want to search.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to view, and then
click Visualizer.
3. In the Load Balancing Visualizer window, to view configuration details
for entities that are bound to this virtual server, you can do the following:
• To view a summary of bound services, position the cursor over the
virtual server icon.
• To view services in a service container, click the icon for a service
group, click the Related Tasks tab, click Show Member Services,
and then click the service group name. To view additional details
about the services click Open.
• To view common properties of services in a service group, click the
icon for the service group, click the Related Tasks tab, and view the
Details section of the tab.
• To view a comparative list of the parameters whose values either
differ or are not defined across service containers, click the icon for a
container, click the Related Tasks tab, and then click Service
Attributes Diff. To view monitor binding details for the services in a
container, in the Service Attributes Diff dialog box, in the Group
column for the container, click Details.
• To view the details for a monitor, position the cursor over the icon or
click the icon for the monitor. For additional details, click the icon,
click the Related Tasks tab, and then click View Monitor.
• To view binding details of a monitor, click the connecting line
between the monitor and its related service.
To view configuration details for policies and policy labels using the
Visualizer in the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to view, and then
click Visualizer.
3. In the Load Balancing Visualizer window, to view configuration details
for entities that are bound to this virtual server, you can do the following:
• To view policies that are bound to this virtual server, in the tool bar at
the top of the dialog box select one or more policy icons. For
example, you can select Compression, Filter, Rewrite, and
Responder. If policy labels are configured, they appear in the main
view area.
• For bound policies that appear in the view pane of the Visualizer, to
view a policy’s expression and actions, position the cursor over the
policy icon. To view binding details, position the cursor over the line
that connects the policy to the virtual server. To view these details,
click the policy. The details of the policy appears in the details pane.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to view, and then
click Visualizer.
3. In the Load Balancing Visualizer window, to view statistical information,
you can do the following:
• To view detailed statistics for the load balancing virtual server, click
the icon for the virtual server, click the Related Tasks tab, and then
click Statistics.
• To view the number of requests received per second at a given point
in time by the load balancing virtual server and the number of hits per
second at a given point in time for rewrite, responder, and cache
policies, click Show Stats. The statistical information is displayed on
the respective nodes in the Visualizer. This information is not updated
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to view, and then
click Visualizer.
3. To copy configuration details for an element to a document or spreadsheet,
click the icon for that element, click Related Tasks.
4. In the Related Tasks tab, click Copy Properties and then paste the
information into a document.
If the Visualizer displays more than one container for a particular virtual server, it
indicates that something is wrong with the configuration of these services. To
correct this configuration, you must first identify the container that has the
desired configuration. You can do this by using the Service Attributes Diff feature
that is described in “Viewing a Load Balancing Virtual Server Configuration
Using the Visualizer”. After you identify the container, you can right-click the
container and click Apply Configuration.
Note: The following procedures provide only basic steps for using the
Visualizer. Because the Visualizer duplicates functionality in other areas of the
Load Balancing feature, the settings in each dialog box within the Visualizer are
described elsewhere in this chapter.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
bindings (for example, Vserver-LB-1), and then click Visualizer.
3. In the Load Balancing Visualizer dialog box, click the Available
Resources tab, select a resource type in the drop-down menu, and do one or
more of the following:
• To bind a new monitor to a service, select Monitors, click a
particular monitor, and then drag it to the service container icon. Use
CONTROL + click to select multiple monitors and drag them to the
service.
• To bind a service or service group, select Services or Service
Groups, respectively, click a particular service or service group, and
then drag it to the virtual server icon. To bind multiple services or
service groups at one time, press CONTROL + click to select
multiple services and drag them over the virtual server.
• To bind a policy, select one of the policy groups, click a particular
policy, and then drag it to a virtual server. To bind multiple policies
(classic policies only) at one time, press CONTROL + click to select
multiple policies and drag them over the virtual server. For details on
classic and advanced policies, see the Citrix NetScaler Policy
Configuration and Reference Guide for release 9.2.e.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to unbind a
service, policy, or monitor (for example, Vserver-LB-1), and then click
Visualizer.
3. In the Load Balancing Visualizer dialog box, on the Visualizer image,
click the connecting line between the resources that you want to unbind,
and then click Unbind. For example, to unbind a monitor, you would click
the link between the monitor and its bound service and click Unbind.
4. In the Unbind dialog box, click Yes.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to configure (for
example, Vserver-LB-1), and then click Visualizer.
3. In the Load Balancing Visualizer dialog box, on the Visualizer image,
double-click the resource that you want to modify.
Note: Alternatively, on the Available Resources tab, select the resource
type from the drop-down menu, select the particular resource that you want
to configure, and then click Open.
4. In the modify dialog box, enter new settings for the resource.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to configure (for
example, Vserver-LB-1), and then click Visualizer.
3. In the Load Balancing Visualizer dialog box, right-click the icon for the
resource that you want to add, remove, or disable, and then select the
corresponding option from the menu. Alternatively, on the Available
Resources tab, click the resource type from the drop-down menu, and then
click Add to add an entity, or select the particular resource that you want to
configure, and then click Open.
Note: These options are not available for service groups or policies.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to configure (for
example, Vserver-LB-1), and then click Visualizer.
3. In the Load Balancing Visualizer dialog box, click the icon for a service
group, click the Related Tasks tab, and then click Show Member
Services.
4. In the Services/Service Groups Bound to LB Virtual Server dialog box,
click the service group name and then click Open.
5. In the Configure Service Group dialog box, configure member services.
Within each type of load balancing, there are various load balancing methods. For
example, the least connection method selects the service with the least number of
active connections to ensure that the load of the active requests is balanced on the
services. You can change the load balancing algorithm using the procedures
described in this section.
Example
set lb vserver Vserver-LB-1 -lbMethod LeastConnection
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
an LB method (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Method and Persistence tab.
4. From the drop-down menu under LB Method, select a method (for example,
Least Response Time).
5. Click OK.
Note: When slow start is in operation, the output for the show lb vserver
<vserver name> command will specify the current method as Round Robin.
The NetScaler selects the service by using the value (N) of the following
expression:
N = Number of active transactions
The requests are delivered as follows:
• Service-HTTP-3 receives the first request because the service is not
handling any active transactions.
• Service-HTTP-3 receives the second and third requests because the service
has the next least number of active transactions.
• Service-HTTP-1 receives the fourth request. Because Service-HTTP-1 and
Service-HTTP-3 have same number of active transactions, NetScaler
performs load balancing in a round robin manner. Therefore,
Service-HTTP-3 receives the fifth request, Service-HTTP-1 receives the
The following example shows how the NetScaler selects a service for load
balancing by using least connections method when the weights are assigned to
services.
In the preceding example, suppose Service-HTTP-1 is assigned a weight of 2,
Service-HTTP-2 is assigned a weight of 3, and Service-HTTP-3 is assigned a
weight of 4. The requests are delivered as follows:
• Service-HTTP-3 receives the first request because the service is not
handling any active transactions.
• Service-HTTP-3 receives the second, third, fourth, fifth, sixth, and seventh
requests because the service has least Nw value.
• Service-HTTP-1 receives the eighth request. Because Service-HTTP-1 and
Service-HTTP-3 have same Nw value, the NetScaler performs load
balancing in a round robin manner. Therefore, Service-HTTP-3 receives the
ninth request.
The manner in which a service receives requests based on the Nw value is
summarized in the following table.
Example of Least Connection Method Service Selection: Nw
The following diagram illustrates how the NetScaler uses the least connection
method when weights are assigned to the services.
To configure the least connection method, perform the steps described in the
section “Changing the Load Balancing Algorithm,” on page 55. Under LB
Method, select Least Connection.
A NetScaler also performs weighted round robin if different weights are assigned
to the services. For example, Service-HTTP-1 is set to a weight of 2,
Service-HTTP-2 to a weight of 3, and Service-HTTP-3 to a weight of 4, and the
services are bound to Vserver-LB-1. The requests are delivered as follows:
• Service-HTTP-1 receives the first request.
• Service-HTTP-2 receives the second request.
• Service-HTTP-3 receives the third request.
• Service-HTTP-1 receives the fourth request.
• Service-HTTP-2 receives the fifth request.
• Service-HTTP-3 receives the sixth request.
• Service-HTTP-2 receives the seventh request.
• Service-HTTP-3 receives the eighth and ninth requests.
Note: You can configure weights on services to prevent multiple services from
using the same server and overloading the server.
A new cycle then begins, using the same pattern. The following diagram
illustrates the weighted round robin method.
To configure the round robin method, perform the steps described in the section
“Changing the Load Balancing Algorithm,” on page 55. Under LB Method,
select Round Robin.
The NetScaler selects the service by using the value (N) of the following
expression:
N = Number of active transactions * TTFB
The NetScaler delivers the requests as follows:
• Service-HTTP-3 receives the first request because the service is not
handling any active transaction.
• Service-HTTP-3 receives the second and third requests because the service
has the least N value.
The following example shows how the NetScaler selects a service for load
balancing by using the least response time method when weights are assigned to
the services. In the preceding example, suppose Service-HTTP-1 is assigned a
weight of 2, Service-HTTP-2 a weight of 3, and Service-HTTP-3 a weight of 4.
The NetScaler delivers the requests as follows:
• Service-HTTP-3 receives the first request because it is not handling any
active transaction.
Note: If services are not handling any active transactions, the NetScaler
selects them regardless of the weights assigned to them.
The following diagram illustrates how the NetScaler uses the least response time
method when weights are assigned on the services.
To configure the least response time method, perform the steps described in the
section “Changing the Load Balancing Algorithm,” on page 55. Under LB
Method, select Least Response Time.
Unlike the least response time method without monitors, the least response
time method with monitors can also be used to select non-HTTP and non-HTTPS
services.
You can also use this method when several monitors are bound to a service. The
virtual server reads the response times of all monitors and calculates an average
response time for each service. Monitors determine response times according to
different protocols.
The following table summarizes how response times are calculated for various
monitors.
Monitor Response Time Calculations

Monitor     Response time calculation
PING        Time difference between the ICMP ECHO request and the ICMP ECHO
            response.
TCP         Time difference between the SYN request and the SYN+ACK response.
HTTP        Time difference between the HTTP request (after the TCP connection
            is established) and the HTTP response.
TCP-ECV     Time difference between the time the send string is sent and the
            time the receive string is returned. A tcp-ecv monitor without the
            send and receive strings is considered to have an incorrect
            configuration.
HTTP-ECV    Time difference between the HTTP request and the HTTP response.
UDP-ECV     Time difference between the UDP send string and the UDP receive
            string. A udp-ecv monitor without the receive string is considered
            to have an incorrect configuration.
DNS         Time difference between a DNS query and the DNS response.
TCPS        Time difference between a SYN request and the SSL handshake
            completion.
FTP         Time difference between the sending of the user name and the
            completion of user authentication.
HTTPS       (Monitors HTTPS requests.) Same calculation as the HTTP monitor.
HTTPS-ECV   (Monitors HTTPS requests.) Same calculation as the HTTP-ECV
            monitor.
USER        Time difference between the time when a request is sent to the
            dispatcher and the time when the dispatcher responds.
The following example shows how the NetScaler selects a service for load
balancing by using the least response time method with configured monitors.
Consider the following three services:
• Service-HTTP-1 is handling 3 active transactions and the response time is
five seconds.
• Service-HTTP-2 is handling 7 active transactions and the response time is
one second.
• Service-HTTP-3 is not handling any active transactions and the response
time is two seconds.
The following diagram illustrates how the NetScaler uses the least response time
method and forward requests to the three services when monitors are configured
to calculate the response time.
Mechanism of the Least Response Time Load Balancing Method, using Monitors
The NetScaler selects the service by using the value (N) of the following
expression:
N = Number of active transactions * Response time that is determined by the
monitor
The NetScaler delivers the requests as follows:
• Service-HTTP-3 receives the first request because the service is not
handling any active transaction.
• Service-HTTP-3 receives the second, third, and fourth requests because the
service has the least N value.
• Service-HTTP-2 receives the fifth request because the service has the least
N value.
• Now both Service-HTTP-2 and Service-HTTP-3 have the same N value, so
the NetScaler performs load balancing in a round robin manner. Therefore,
Service-HTTP-3 receives the sixth request.
• Service-HTTP-2 receives the seventh and eighth requests because the
service has the least N value.
Service-HTTP-1 is not considered for load balancing because it is loaded more
(the highest N value) as compared to the other two services. However, if
Service-HTTP-1 completes the active transactions, the NetScaler considers the
service for load balancing.
The manner in which a service receives requests based on the N value is
summarized in the following table.
Least Response Time Method Using Monitors: N

Request received   Service selected (N at selection)   N after selection   Remarks
Request-1          Service-HTTP-3 (N = 0)              N = 2               Service-HTTP-3 has the least N value.
Request-2          Service-HTTP-3 (N = 2)              N = 4
Request-3          Service-HTTP-3 (N = 4)              N = 6
Request-4          Service-HTTP-3 (N = 6)              N = 8
Request-5          Service-HTTP-2 (N = 7)              N = 8               Service-HTTP-2 and Service-HTTP-3 now have the same N value.
Request-6          Service-HTTP-3 (N = 8)              N = 10              Round robin between the tied services.
Request-7          Service-HTTP-2 (N = 8)              N = 9               Service-HTTP-2 has the least N value.
Request-8          Service-HTTP-2 (N = 9)              N = 10

(N = number of active transactions * response time measured by the monitor.
Service-HTTP-1 stays at N = 15 throughout and is never selected.)
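The following Python program is an added example and is not part of the Citrix guide. It simulates the selection rules described above: the weighted round robin sequence for weights 2, 3, and 4, the least response time method with monitors using the three services just described (3 active/5 s, 7 active/1 s, 0 active/2 s), and a weighted least connection run. Three things are assumptions of this example rather than statements from the guide: the weighted score Nw = N * (10000 / weight), the tie-break among equal scores (the tied service selected least recently, then bind order), and the starting active-transaction counts of the weighted least connection run, which are constructed.

```python
"""Simulator for NetScaler-style service selection (added example, not Citrix code).

Assumptions not taken from the guide: Nw = N * (10000 / weight); ties are broken
round robin by choosing the tied service that was selected least recently (then bind
order); starting active counts for the weighted least connection run are constructed.
"""
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    active: int = 0          # active transactions
    response_time: int = 1   # seconds, as measured by the bound monitor
    weight: int = 1
    last_used: int = -1      # request number when last selected (tie-break state)


def n_value(svc: Service, method: str) -> int:
    """Unweighted load figure N for the given method."""
    if method == "LEASTCONNECTION":
        return svc.active
    if method == "LEASTRESPONSETIME":
        return svc.active * svc.response_time   # N = active transactions * response time
    raise ValueError(f"unsupported method {method}")


def nw_value(svc: Service, method: str) -> float:
    """Weighted score; assumed weighting Nw = N * (10000 / weight)."""
    return n_value(svc, method) * (10000 / svc.weight)


def select_service(services, method, request_no):
    best = min(nw_value(s, method) for s in services)
    tied = [s for s in services if nw_value(s, method) == best]
    # round robin among ties: least recently used first; min() keeps bind order on a tie
    chosen = min(tied, key=lambda s: s.last_used)
    chosen.last_used = request_no
    chosen.active += 1
    return chosen


def simulate(services, method, requests):
    """Return [(service name, N after the request was assigned), ...]."""
    history = []
    for i in range(requests):
        s = select_service(services, method, i)
        history.append((s.name, n_value(s, method)))
    return history


def weighted_round_robin(weights, requests):
    """Interleaved weighted round robin: in round r every service with weight >= r
    gets one request in bind order; the cycle restarts after max(weight) rounds."""
    order, r, max_w = [], 1, max(weights.values())
    while len(order) < requests:
        for name, w in weights.items():
            if w >= r and len(order) < requests:
                order.append(name)
        r = r + 1 if r < max_w else 1
    return order


def least_response_time_example():
    services = [Service("Service-HTTP-1", 3, 5), Service("Service-HTTP-2", 7, 1),
                Service("Service-HTTP-3", 0, 2)]
    return simulate(services, "LEASTRESPONSETIME", 8)


def weighted_least_connection_example():
    # starting active counts are constructed; weights 2, 3, 4 follow the text
    services = [Service("Service-HTTP-1", 3, weight=2), Service("Service-HTTP-2", 15, weight=3),
                Service("Service-HTTP-3", 0, weight=4)]
    return simulate(services, "LEASTCONNECTION", 9)


if __name__ == "__main__":
    for name, n in least_response_time_example():
        print(f"{name}  N after = {n}")
    print(weighted_round_robin({"Service-HTTP-1": 2, "Service-HTTP-2": 3, "Service-HTTP-3": 4}, 9))
```

The least response time run reproduces the table above exactly (four requests to Service-HTTP-3, then 2, 3, 2, 2), and the interleaved round-robin rule reproduces the 1, 2, 3, 1, 2, 3, 2, 3, 3 sequence given for weighted round robin; the weighted least connection run only illustrates the Nw mechanism, because the guide's page does not state the starting counts for that example.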
Note: If services are not handling any active transactions, the NetScaler
selects them regardless of the weights assigned to them.
• Service-HTTP-3 receives the second, third, and fourth requests because the
service has the least Nw value.
• Service-HTTP-2 receives the fifth request because the service has the least
Nw value.
• Service-HTTP-3 receives the sixth request because the service has the least
Nw value.
• Service-HTTP-2 receives the seventh and the eighth requests because the
service has the least Nw value.
Service-HTTP-1 has the least weight and the highest Nw value. Therefore, the
NetScaler does not select it for load balancing.
The following diagram illustrates how the NetScaler uses the least response time
method when weights are assigned on the services.
To configure the least response time method using monitors, perform the steps
described in the section “Changing the Load Balancing Algorithm,” on page 55.
Under LB Method, select Least Response Time.
These hashing methods ensure minimal disruption when services are added or
deleted. When the NetScaler is configured to use a hashing method, it lists the
services in the configuration and calculates two hash values from:
• The service IP address and port.
• The incoming URL, domain name, or source or destination IP address,
depending on the configured hash method.
The NetScaler then combines the two values into a new hash value and forwards
the request to the service with the highest hash value. To avoid traversing the
list of services and computing a hash value for every request, the NetScaler
populates a cache after selecting the service that processes the request.
Subsequent requests with the same hash value are sent to the same service, as
shown in the following flow chart.
Hashing methods can be applied to IPv4 and IPv6 addresses. To understand how
the NetScaler distributes traffic when a hashing method is configured, consider
a scenario where three services are bound to a virtual server and any hash
method is configured. The services are Service-HTTP-1, Service-HTTP-2, and
Service-HTTP-3, and the hash value is Hash1. When all the configured services
are UP, requests with hash value Hash1 are sent to Service-HTTP-1 according to
the hashing result. If Service-HTTP-1 is down, the NetScaler recalculates the
hash values over the remaining services and selects the service with the
highest hash value, for example Service-HTTP-2, as shown in the following
diagram.
Note: If the NetScaler fails to select a service by using the hash method, it
uses the least connections method to select the service. When you adjust server
pools by removing services, do so during low-traffic periods so that the caches
can repopulate without affecting performance.
URL value. If the NetScaler cannot accurately parse the incoming request, it uses
the round robin method for load balancing.
Consider a scenario where three services are bound to a virtual server, and the
URL hash method is configured. The services are Service-HTTP-1,
Service-HTTP-2, and Service-HTTP-3, and the hash value is URL1. When the
services are UP, URL1 is sent to Service-HTTP-1 using the hashing result. If
Service-HTTP-1 is down, the URL1 is sent to Service-HTTP-2 using the
secondary hash result, as shown in the following diagram.
To configure the URL hash method, perform the steps described in the section
“Changing the Load Balancing Algorithm,” on page 55. Under LB Method,
select URL Hash.
To configure the destination IP hash method, perform the steps described in the
section “Changing the Load Balancing Algorithm,” on page 55. Under LB
Method, select Destination IP Hash.
Note: Both the Netmask and the V6NetMaskLen parameters are described in
more detail in “IPv4 and IPv6 Netmask Parameters,” on page 80.
To configure the source IP hash method, perform the steps described in the
section “Changing the Load Balancing Algorithm,” on page 55. Under LB
Method, select Source IP Hash.
Note: Both the Netmask and the V6NetMaskLen parameters are described in
more detail in “IPv4 and IPv6 Netmask Parameters,” on page 80.
To configure the source IP source port hash method, perform the steps described
in the section “Changing the Load Balancing Algorithm,” on page 55. Under LB
Method, select Source IP Source Port Hash.
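The following Python program is an added example and not Citrix code. It implements the hashing behaviour described above: a hash over each service's IP address and port combined with the request key, selection of the service with the highest combined value, a cache so that repeat keys are not recomputed, and recomputation over the remaining UP services when the cached service is DOWN. The combining function (SHA-256 over "ip:port|key") and the way the Netmask and V6NetMaskLen parameters are applied before hashing a source address are this example's choices, not NetScaler internals; the service addresses and request keys are constructed.

```python
"""Highest-hash service selection with cache and DOWN fallback (added example,
not Citrix code). SHA-256 combining and the netmask handling are this example's
choices; service addresses and keys are constructed."""
import hashlib
import ipaddress


def _h64(data: bytes) -> int:
    """Stable 64-bit hash (Python's built-in hash() is randomised per process)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


class HashLB:
    def __init__(self, services):
        self.services = dict(services)        # name -> (ip, port)
        self.up = set(self.services)          # services currently UP
        self.cache = {}                       # request key -> service name

    def _score(self, name, key: bytes) -> int:
        ip, port = self.services[name]
        # hash of the service endpoint combined with the request key
        return _h64(f"{ip}:{port}".encode() + b"|" + key)

    def select(self, key: bytes):
        cached = self.cache.get(key)
        if cached in self.up:                 # cache hit: no traversal of the service list
            return cached
        if not self.up:
            return None                       # the appliance falls back to least connections here
        chosen = max(self.up, key=lambda n: self._score(n, key))
        self.cache[key] = chosen
        return chosen

    def mark_down(self, name):
        self.up.discard(name)

    def mark_up(self, name):
        self.up.add(name)


def source_ip_key(addr: str, netmask="255.255.255.255", v6_prefix_len=128) -> bytes:
    """Key for the source IP hash: the client address masked with Netmask (IPv4)
    or V6NetMaskLen (IPv6), so that every client in the masked range hashes alike."""
    ip = ipaddress.ip_address(addr)
    prefix = netmask if ip.version == 4 else v6_prefix_len
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address).encode()


def remap_on_failure(lb: HashLB, keys, failed):
    """Map every key with all services UP, then again with `failed` DOWN.
    Returns {key: (before, after)}; only keys that were on `failed` move."""
    before = {k: lb.select(k) for k in keys}
    lb.mark_down(failed)
    after = {k: lb.select(k) for k in keys}
    lb.mark_up(failed)
    return {k: (before[k], after[k]) for k in keys}


if __name__ == "__main__":
    lb = HashLB({"Service-HTTP-1": ("10.102.29.5", 80),
                 "Service-HTTP-2": ("10.102.29.6", 80),
                 "Service-HTTP-3": ("10.102.29.7", 80)})
    urls = [f"/page{i}.html".encode() for i in range(12)]
    for key, (b, a) in remap_on_failure(lb, urls, "Service-HTTP-1").items():
        print(key.decode(), b, "->", a)
    print(source_ip_key("10.1.2.3", "255.255.255.0"))
```

A coarse Netmask (or short V6NetMaskLen) deliberately collapses many clients onto one key; combined with the note above about traffic arriving from behind a NAT device, that is how a single hot service comes about, so check the effective key width before relying on source IP hashing for distribution.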
The NetScaler selects the service by using the bandwidth value (N), which is the
sum of the number of bytes transmitted and received in the last 14 seconds. If
each request requires 1 Mbps of bandwidth, the NetScaler delivers the requests
as follows:
• Service-HTTP-3 receives the first request because the service has the least
N value.
Note: If you enable the RTSP NAT option on the virtual server, the NetScaler
uses the number of data and control bytes exchanged to determine the bandwidth
usage for RTSP services. For more information about RTSP NAT option, see
“Managing RTSP Connections,” on page 150.
The following diagram illustrates how the NetScaler uses the least bandwidth
method when weights are assigned on the services.
Mechanism of the Least Bandwidth Load Balancing Method when Weights are Assigned
To configure the least bandwidth method, perform the steps described in the
section “Changing the Load Balancing Algorithm,” on page 55. Under LB
Method, select Least Bandwidth.
The NetScaler selects the service by using the number of packets (N), which is
the sum of the number of packets transmitted and received in the last 14
seconds.
The NetScaler delivers the requests as follows:
• Service-HTTP-3 receives the first request because the service has the least
N value.
• Now Service-HTTP-1 and Service-HTTP-3 have the same N value, and the
NetScaler performs load balancing in a round robin manner: Service-HTTP-1
receives the second request, Service-HTTP-3 the third, Service-HTTP-1 the
fourth, Service-HTTP-3 the fifth, and Service-HTTP-1 the sixth.
• Now Service-HTTP-1, Service-HTTP-2, and Service-HTTP-3 have the same N
value, and the NetScaler again performs load balancing in a round robin
manner. So Service-HTTP-2 receives the seventh request, and Service-HTTP-3
receives the eighth request.
The manner in which a service receives requests based on the N value is
summarized in the following table.
Note: If you enable the RTSP NAT option on the virtual server, the NetScaler
uses the number of data and control packets to calculate the number of packets for
RTSP services. For more information about RTSP NAT option, see “Managing
RTSP Connections,” on page 150.
Example:
In the preceding example, suppose Service-HTTP-1 is assigned a weight of 2,
Service-HTTP-2 is assigned a weight of 3, and Service-HTTP-3 is assigned a
weight of 4.
The NetScaler delivers the requests as follows:
• Service-HTTP-3 receives the first, second, third, fourth, and fifth requests
because the service has the least Nw value.
• Service-HTTP-1 receives the sixth request because the service has the least
Nw value.
• Service-HTTP-3 receives the seventh request because the service has the
least Nw value.
• Service-HTTP-2 receives the eighth request because the service has the
least Nw value.
The manner in which a service receives requests based on the Nw value is
summarized in the following table.
Example of Least Packets Method: Nw
The following diagram illustrates how the NetScaler uses the least packets
method when weights are assigned on the services.
To configure the least packets method, perform the steps described in the section
“Changing the Load Balancing Algorithm,” on page 55. Under LB Method,
select Least Packets.
You can use this load balancing method across virtual servers of different types to
make sure that requests presenting the same token are directed to the services on
the same servers, regardless of the protocol used.
For example, consider Server-1 has two services, Service-HTTP-1 and
Service-TCP-1, and Server-2 has two services, Service-HTTP-2 and
Service-TCP-2. The TCP services are bound to Vserver-LB-2, and the HTTP
services are bound to Vserver-LB-1.
A request sent to Vserver-LB-1 with the token “AA” selects the service
Service-HTTP-1 (bound to server-1) to process the request. A different request
sent to Vserver-LB-2 with the same token “AA” directs this request to the
service Service-TCP-1, as shown in the following diagram.
To configure the token method, perform the steps described in the section
“Changing the Load Balancing Algorithm,” on page 55. Under LB Method,
select Token. You must also configure a rule that extracts the token from the
request.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to
configure a rule (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Method and Persistence tab and under LB Method, select Token.
4. Click Configure next to the Rule text box.
5. In the Create Expression dialog box, select Classic Syntax or Advanced
Syntax.
6. Under Expression, click Add.
7. In the Add Expression dialog box, enter an expression. For more
information about expressions, see the Citrix NetScaler Policy
Configuration and Reference Guide for release 9.2.e.
For example, if you are configuring a classic expression, you can select an
Expression Type of General, a Flow Type of REQ, a Protocol of HTTP,
• Metrics values retrieved through SNMP probes that exist as tables in the
NetScaler.
• Threshold value set for each metric.
• Weight assigned to each metric.
The following example shows how the NetScaler selects a service for load
balancing by using the custom load method.
Example:
Consider three services, Service-HTTP-1, Service-HTTP-2, and
Service-HTTP-3.
• Service-HTTP-1 is using 20 megabytes (MB) of memory.
• Service-HTTP-2 is using 70 MB of memory.
• Service-HTTP-3 is using 80 MB of memory.
The servers can export metrics such as CPU and memory usage. The load monitor
sends an SNMP GET request containing the OIDs 1.3.6.1.4.1.5951.4.1.1.41.1.5,
1.3.6.1.4.1.5951.4.1.1.41.1.4, and 1.3.6.1.4.1.5951.4.1.1.41.1.3 to the servers.
The three services respond to the request. The NetScaler compares the exported
metrics and selects Service-HTTP-1 because it has the most memory available
for processing requests. The following diagram illustrates how the NetScaler
uses the custom load method and forwards requests to the three services.
The NetScaler selects the service by using the load (N). If each request uses 10
MB memory, the NetScaler delivers the requests as follows:
• Service-HTTP-1 receives the first, second, third, fourth, and fifth requests
because the service has the least N value.
• Now, Service-HTTP-1 and Service-HTTP-2 have same load and the
NetScaler selects the service in round robin manner. Therefore,
Service-HTTP-2 receives the sixth request and Service-HTTP-1 receives
the seventh request.
• Now, Service-HTTP-1, Service-HTTP-2, and Service-HTTP-3 have same
load and the NetScaler selects the service in round robin manner. Therefore,
Service-HTTP-1 receives the eighth request.
The manner in which a service receives requests based on the N value is
summarized in the following table.
Custom Load Balancing Method: N

Request received   Service selected (N at selection)   N after selection (MB in use)   Remarks
Request-1          Service-HTTP-1 (N = 20)             N = 30                          Service-HTTP-1 has the least N value.
Request-2          Service-HTTP-1 (N = 30)             N = 40
Request-3          Service-HTTP-1 (N = 40)             N = 50
Request-4          Service-HTTP-1 (N = 50)             N = 60
Request-5          Service-HTTP-1 (N = 60)             N = 70
Request-6          Service-HTTP-2 (N = 70)             N = 80                          Service-HTTP-1 and Service-HTTP-2 have the same N value; round robin between them.
Request-7          Service-HTTP-1 (N = 70)             N = 80
Request-8          Service-HTTP-1 (N = 80)             N = 90                          Service-HTTP-1, Service-HTTP-2, and Service-HTTP-3 have the same N value.
The following example shows how the NetScaler selects a service for load
balancing by using the custom load method when weights are assigned on the
services.
Example:
The following diagram illustrates how the NetScaler uses the custom load method
when weights are assigned on the services.
To configure the custom load method, perform the steps described in the section
“Changing the Load Balancing Algorithm,” on page 55. Under LB Method,
select Custom Load.
Example
add lb vserver Vserver-LB-vlan1 ANY * *
-listenpolicy "CLIENT.VLAN.ID.EQ(2)"
-listenpriority 10
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, do one of the following:
• To create a new virtual server, click Add.
• To modify an existing virtual server, select the virtual server, and then
click Open.
3. In the Create Virtual Server or Configure Virtual Server dialog box,
Services tab, type or select values for the following parameters. (An
Persistence types

Persistence type                                        Persistent connections
Source IP, SSL Session ID, Rule, DESTIP, SRCIPDESTIP    250 K
CookieInsert, URL passive, Custom Server ID             Memory limit. In the case of CookieInsert, if the
                                                        time-out is not 0, any number of connections is
                                                        allowed until limited by memory.
Example
set lb vserver Vserver-LB-1 -persistenceType SOURCEIP
Persistence Parameters

Parameter                   Specifies
Persistence Type            Persistence type for the virtual server. The valid options for this
(persistenceType)           parameter are SOURCEIP, COOKIEINSERT, SSLSESSION, RULE, URLPASSIVE,
                            CUSTOMSERVERID, DESTIP, SRCIPDESTIP, CALLID, and NONE (default).
Persistence Mask            Netmask applied to the client IP address when the persistence type is
(persistMask)               IP-based. The default value, 255.255.255.255, uses the complete IP
                            address for persistence.
Time-out                    The time period for which persistence is in effect for a specific
(timeout)                   client. The default value is 2 minutes, and the maximum value that
                            can be configured is 1440 minutes.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
persistence (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, on the
Method and Persistence tab, in the Persistence list, select the persistence
type you want to use (for example, SOURCEIP).
4. In the Time-out and Netmask text boxes type the time-out and netmask
values (for example, 2 and 255.255.255.255).
5. Click OK.
Note: After configuring persistence for a virtual server, you can view the
persistence type by viewing the virtual server from the configuration utility or
using the show lb vserver command. You can also use the show ns
persistencesession command to view persistence sessions.
Note: If the client is not allowed to store the HTTP cookie, the subsequent
requests do not have the HTTP cookie and persistence is not honored.
You can configure a time-out value for persistence that is based on HTTP
cookies. Note the following:
• If HTTP cookie version 0 is used, the NetScaler inserts the absolute
Coordinated Universal Time (GMT) of the cookie expiration time (the
“expires” attribute of the HTTP cookie) that is calculated as the sum of the
current GMT time on the NetScaler and the time-out value.
• If an HTTP cookie version 1 is used, the NetScaler inserts a relative
expiration time (“Max-Age” attribute of the HTTP cookie). In this case, the
client software calculates the actual expiration time.
Note: Most client software currently installed (Microsoft Internet Explorer and
Firefox browsers) understands HTTP cookie version 0; however, some HTTP
proxies understand HTTP cookie version 1.
When you set the time-out value to 0, the NetScaler does not specify the
expiration time regardless of the HTTP cookie version used. The expiration time
depends on the client software and such cookies are not valid when the software
is shut down. This persistence type does not consume any NetScaler resources.
Therefore, it can accommodate an unlimited number of persistent clients.
To configure persistence based on HTTP Cookie, perform the steps described in
the section “Configuring Persistence Types,” on page 100. In the Persistence list,
select COOKIEINSERT.
Note: Before you configure a persistence type at the NetScaler command line,
you must perform the steps described in the section “Configuring Persistence
Types,” on page 100.
Examples
set lb vserver vsvr_name –rule
http.req.header("cookie").value(0).typecast_nvlist_t('=',';').value
("server")
set lb vserver vsvr_name –resrule
http.res.header("set-cookie").value(0).typecast_nvlist_t('=',';').v
alue("server")
Note: If the server ID cannot be extracted from the client requests, server
selection is based on the load balancing method.
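The following Python program is an added example and not Citrix code. It shows, for the cookie-based time-out described above, how one time-out value becomes an absolute GMT "expires" attribute for a version 0 cookie and a relative "Max-Age" attribute for a version 1 cookie, and why a time-out of 0 yields a cookie with no expiry at all. It also implements the name/value-list parsing that the rule-persistence expressions above perform (split on ';', then on '=', first occurrence wins) and the fallback in the note just above: when no server ID can be extracted, or the extracted ID names no known server, the caller gets None and should load balance by the configured method. The cookie name NSC_example, the server IDs, and the fixed clock EXAMPLE_NOW are constructed.

```python
"""Cookie-based persistence helpers (added example, not Citrix code).
Cookie name, server IDs and the fixed clock are constructed."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

EXAMPLE_NOW = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)   # constructed appliance clock


def persistence_cookie(name, value, timeout_min, version=0, now=None):
    """Build the Set-Cookie value inserted for COOKIEINSERT persistence."""
    attrs = [f"{name}={value}"]
    if timeout_min > 0:
        if version == 0:
            # version 0: absolute expiry = current GMT time on the appliance + time-out
            now = now or datetime.now(timezone.utc)
            expires = now + timedelta(minutes=timeout_min)
            attrs.append("expires=" + format_datetime(expires, usegmt=True))
        else:
            # version 1: relative lifetime in seconds; the client computes the absolute time
            attrs.append(f"Max-Age={timeout_min * 60}")
    # time-out 0: no expiry attribute at all, so the client drops the cookie when it exits
    return "; ".join(attrs)


def parse_nvlist(text, sep="=", delim=";"):
    """typecast_nvlist_t(sep, delim): name/value list where the first occurrence
    of a name wins, matching .value(0) semantics."""
    out = {}
    for item in text.split(delim):
        name, _, value = item.strip().partition(sep)
        name = name.strip()
        if name and name not in out:
            out[name] = value.strip()
    return out


def server_from_cookie(cookie_header):
    """Server ID carried in the Cookie header, or None when absent."""
    if not cookie_header:
        return None
    return parse_nvlist(cookie_header).get("server")


def choose_server(cookie_header, known_servers):
    """Persistence decision: the named server if the client presented a valid ID,
    otherwise None so the caller falls back to the load balancing method. The
    client controls the cookie value, so an ID must be checked against the
    configured services before it is trusted."""
    server = server_from_cookie(cookie_header)
    return server if server in known_servers else None


if __name__ == "__main__":
    print(persistence_cookie("NSC_example", "web02", 2, version=0, now=EXAMPLE_NOW))
    print(persistence_cookie("NSC_example", "web02", 2, version=1))
    print(persistence_cookie("NSC_example", "web02", 0))
    print(choose_server("session=abc123; server=web02", {"web01", "web02"}))
```

Two points follow from the code: with version 0 the appliance's own clock is authoritative for expiry, so clock skew on the NetScaler shortens or lengthens every persistence session it issues; and with RULE persistence the server ID is supplied by the client, which is why the lookup validates it against the set of configured services rather than using it directly.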
The time-out value for this type of persistence is as described in the section
“Configuring Persistence Based on Source IP Addresses,” on page 102. To
configure persistence based on source and destination IP addresses, perform the
steps described in the section “Configuring Persistence Types,” on page 100. In
the Persistence list, select SRCIPDESTIP.
Note: If the client sends multiple SETUP requests on one TCP connection, the
NetScaler sends all of those SETUP requests to the same server, because it
makes the load balancing decision once per TCP connection. In this case, the
NetScaler does not forward the SETUP requests to different servers based on the
session ID.
Note: If the traffic comes from behind a Network Address Translation (NAT)
device or proxy, the traffic appears to come from a single source IP address and
cannot be distributed evenly.
Backup persistence has a time-out value that you can set only when the primary
persistence type is set to COOKIEINSERT or RTSP session ID persistence, and
the backup persistence type is set to SOURCEIP.
Note: The NetScaler uses the backup persistence if the cookie or RTSP session
ID is missing in the header.
Example
set lb vserver Vserver-LB-1 -persistenceType CookieInsert
-persistenceBackup SourceIP
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
backup persistence (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Method and Persistence tab.
4. In the Persistence list, select COOKIEINSERT and in the Time-out text
box, type the time-out value (for example, 20).
5. In the Backup Persistence list, select the backup persistence that you want
to configure (for example, SOURCEIP).
6. In the Backup Time-out and Netmask text boxes type the backup time-out
value and netmask (for example, 20 and 255.255.255.255).
7. Click OK.
Note: When all virtual servers are removed from the group, the group is also
removed.
Note: If you set group persistence to NONE, the persistence on the individual
virtual servers is applied.
Example
bind lb group Vserver-Group-1 Vserver-LB-1 -persistenceType
CookieInsert
The following example describes the steps to create the virtual server group
Vserver-Group-1 and bind the virtual server Vserver-LB-1 to
Vserver-Group-1. The persistence type is Source IP, and the persistence mask is
255.255.255.255. The timeout is 2 minutes.
5. In the Persistence Mask and Time-out text boxes, type the persistence
mask and timeout values (for example, 255.255.255.255 and 2).
6. Under Virtual Server List, in the Available Virtual Server list box, select
the virtual server that you want to bind to the group (for example,
Vserver-LB-1), and then click Add.
7. Click Create and click Close. The virtual server group you created appears
in the Persistence Groups page, as shown in the following screen shot.
You can change the backup persistence, backup persistence time-out, and cookie
domain value.
Example
set lb group Vserver-Group-1 -PersistenceBackup SourceIP
-persistMask 255.255.255.255
To configure RADIUS load balancing with persistence, you must first configure
RADIUS authentication for your VPN. For information and instructions, see the
Citrix NetScaler Application Security Guide, Authentication Authorization
Auditing (AAA) chapter. You must also choose either the Load Balancing or
Content Switching feature as the basis for your configuration, and make sure that
the feature you chose is enabled. The configuration process with either feature is
almost the same.
Then, you configure either two load balancing, or two content switching, virtual
servers, one to handle RADIUS authentication traffic and the other to handle
RADIUS accounting traffic. Next, you configure two services, one for each load
balancing virtual server, and bind each load balancing virtual server to its service.
Finally, you create a load balancing persistency group, and set the persistency
type to RULE.
Note: The instructions that follow assume familiarity with NetScaler load
balancing or content switching configuration. If you are not familiar with
configuring the NetScaler appliance, you should review the appropriate chapter
of the Citrix NetScaler Traffic Management Guide before attempting to configure
RADIUS load balancing with persistence.
To enable the load balancing feature by using the NetScaler command line
Important: You must create either a pair of load balancing virtual servers or a
pair of content switching virtual servers to use in your RADIUS persistence
configuration. You cannot mix virtual server types.
At the NetScaler command prompt type the following commands to create a new
load balancing virtual server and verify the configuration:
add lb vserver <name> RADIUS <IP> <port> -lbmethod TOKEN
-rule <rule>
show lb vserver <name>
To configure an existing load balancing virtual server, replace the above add lb
virtual server command with the set lb vserver command, which takes
the same arguments.
At the NetScaler command prompt type the following commands to create a new
content switching virtual server and verify the configuration:
add cs vserver <name> RADIUS <IP> <port> -lbmethod TOKEN
-rule <rule>
show cs vserver <name>
To configure an existing content switching virtual server, replace the above add
cs vserver command with the set cs vserver command, which takes the
same arguments.
Examples
add lb vserver radius_auth_vs1 RADIUS 192.168.46.33 1812
-lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME
add lb vserver radius_acct_vs1 RADIUS 192.168.46.34 1813
-lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME
set lb vserver radius_auth_vs1 RADIUS 192.168.46.33 1812
-lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME
set lb vserver radius_acct_vs1 RADIUS 192.168.46.34 1813
-lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME
show lb vserver radius_auth_vs1
show lb vserver radius_acct_vs1
rm lb vserver radius_auth_vs1
rm lb vserver radius_acct_vs1
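The following Python program is an added example and not Citrix code. It shows what the TOKEN method with the rule CLIENT.UDP.RADIUS.USERNAME has to do for the two virtual servers above: pull the User-Name attribute (type 1) out of a RADIUS datagram, and map that token to a server so that an Access-Request arriving on port 1812 and the matching Accounting-Request arriving on port 1813 land on the same back-end, as the token method section earlier describes. The sample packets are constructed here. The token-to-server mapping (SHA-256 of the token modulo the server count, with both virtual servers binding their services in the same server order) is this example's simplification, not the appliance's internal scheme. The parser validates the length field and every attribute length before it reads, which is the check a practitioner wants on anything parsed from an unauthenticated UDP datagram.

```python
"""RADIUS User-Name token extraction and token-based server selection
(added example, not Citrix code). Packets and server names are constructed."""
import hashlib
import struct

RADIUS_HEADER_LEN = 20      # code(1) id(1) length(2) authenticator(16)
ATTR_USER_NAME = 1


def build_radius(code, ident, attrs):
    """Construct a RADIUS packet with a zeroed authenticator and TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body)) + bytes(16) + body


def radius_attributes(packet: bytes):
    """Yield (type, value) pairs; reject truncated or inconsistent lengths so a
    malformed datagram cannot make the parser read beyond the packet."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("short RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < RADIUS_HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = RADIUS_HEADER_LEN
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def radius_username(packet: bytes):
    """The token selected by CLIENT.UDP.RADIUS.USERNAME, or None when absent."""
    for attr_type, value in radius_attributes(packet):
        if attr_type == ATTR_USER_NAME:
            return value.decode("utf-8", errors="replace")
    return None


def select_by_token(token: str, servers):
    """Same token -> same server index, whichever virtual server saw the packet."""
    digest = hashlib.sha256(token.encode()).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


def route(packet: bytes, servers):
    """Token-method decision; None means no token, so use the LB method instead."""
    token = radius_username(packet)
    if token is None:
        return None
    return select_by_token(token, servers)


# constructed: two RADIUS servers, each hosting an authentication and an accounting service
SERVERS = ["Server-1", "Server-2"]
ACCESS_REQUEST = build_radius(1, 7, [(ATTR_USER_NAME, b"alice"), (4, bytes([192, 168, 46, 10]))])
ACCOUNTING_REQUEST = build_radius(4, 8, [(ATTR_USER_NAME, b"alice"), (40, b"\x00\x00\x00\x01")])
MALFORMED_REQUEST = bytes([1, 9, 0, 22]) + bytes(16) + b"\x01\x01"   # attribute length 1

if __name__ == "__main__":
    print("auth  ->", route(ACCESS_REQUEST, SERVERS))
    print("acct  ->", route(ACCOUNTING_REQUEST, SERVERS))
```

The persistence group with type RULE that the procedure goes on to create is what ties the two virtual servers together on the appliance; this example only shows the per-packet part, extracting the token and applying one consistent mapping to it.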
Argument Specifies
name A name for your new virtual server, or the name of the
existing virtual server you want to modify. The name can
begin with a letter, number, or the underscore symbol, and
can consist of from one to 127 letters, numbers, and the
hyphen (-), period (.) pound (#), space ( ), at sign (@),
equals (=), colon (:), and underscore (_) symbols.
protocol RADIUS
IP The IP address assigned to your virtual server. This is
normally an Internet-routable IP.
Note: Except for the GUI location where you create or configure the
virtual server, the process is the same.
Configuring Services
After configuring your virtual servers, you must next configure two services, one
for each of the virtual servers that you created. Once configured, these services
are in the DISABLED state until the NetScaler appliance can connect to your
RADIUS server’s authentication and accounting IPs and monitor their status.
At the NetScaler command prompt type the following commands to create a new
service and verify the configuration:
add service <name> <IP> <type> <port>
show service <name>
rm service <name>
Examples
add service radius_auth_s1 192.168.46.35 RADIUS 1812
add service radius_acct_s1 192.168.46.36 RADIUS 1813
set service radius_auth_s1 192.168.46.35 RADIUS 1812
set service radius_acct_s1 192.168.46.36 RADIUS 1813
show service radius_auth_s1
show service radius_acct_s1
rm service radius_auth_s1
Argument Specifies
name A name for your new service, or the name of the existing
service you want to modify. The name can begin with a
letter, number, or the underscore symbol, and can consist of
from one to 127 letters, numbers, and the hyphen (-), period
(.) pound (#), space ( ), at sign (@), equals (=), colon (:),
and underscore (_) symbols.
IP The IP used to connect to the RADIUS for authentication
or accounting, as appropriate, in either IPv4 or IPv6 format.
When you provide the IP address of the service, the
NetScaler appliance automatically creates a server object
with this IP address as its name.
type The service type, always RADIUS when configuring
RADIUS load balancing with persistence.
port The port on which your service listens for connections.
• Protocol* (type)
• Server* (IP)
• Port (port)
4. Click Create or OK, depending on whether you are creating a new service
or modifying an existing service.
5. Click Close.
The service that you created now appears in the Services page.
6. To remove a service, in the Services page select the service, and then click
Remove.
At the NetScaler command prompt, type the following commands to bind a load
balancing virtual server to a service and verify the configuration:
bind lb vserver <name> <servicename>
stat lb vserver <name>
To unbind a load balancing virtual server from a service, replace the bind lb
vserver command above with the unbind lb vserver command, which takes
the same arguments.
To bind or unbind a content switching virtual server, use the bind cs vserver
and unbind cs vserver commands, which take the same arguments as their load
balancing counterparts.
Examples
bind lb vserver radius_auth_vs1 radius_auth_s1
bind lb vserver radius_acct_vs1 radius_acct_s1
bind cs vserver radius_auth_vs1 radius_auth_s1
Chapter 1 Load Balancing 121
Argument Specifies
name The name of the virtual server that you are binding. The
name can begin with a letter, number, or the underscore
symbol, and can consist of from one to 127 letters,
numbers, and the hyphen (-), period (.), pound (#), space ( ),
at sign (@), equals (=), colon (:), and underscore (_)
symbols.
servicename The name of the service that you are binding. The name
can have the same length and characteristics as the
previous name.
Note: Except for the GUI location where you bind the virtual server, the
process is the same.
2. In the details pane, select the virtual server to which you want to bind the
service.
3. Click Open.
4. In the Configure Virtual Server dialog box, in the Services tab, select the
Active check box next to the service that you want to bind to the virtual
server.
5. Click OK.
At the NetScaler command prompt, bind each virtual server to the load balancing
persistency group by typing the following command for each virtual server, using
the same value for <name> in each command:
bind lb group <name> <vservername>
Examples
bind lb group radius_grp radius_auth_vs1
bind lb group radius_grp radius_acct_vs1
set lb group radius_grp -persistenceType RULE
Argument Specifies
name The name of the load balancing persistency group that you
are setting or binding. The name can begin with a letter,
number, or the underscore symbol, and can consist of from
one to 127 letters, numbers, and the hyphen (-), period (.),
pound (#), space ( ), at sign (@), equals (=), colon (:), and
underscore (_) symbols.
Argument Specifies
vservername The name of the load balancing virtual server that you are
binding to the load balancing persistency group. The name
can have the same length and characteristics as the
previous name.
newname The new name of the load balancing persistency group that
you are renaming. The name can have the same length and
characteristics as the previous name.
persistenceType The persistence type. For RADIUS load balancing with
persistence this is always RULE.
rule Which policy expression to use as the basis for persistence. The
two supported rules are:
• CLIENT.UDP.RADIUS.USERNAME. Use the User-Name attribute
(the client login name).
• CLIENT.UDP.RADIUS.ATTR_TYPE(INT). Use the value of the
specified RADIUS attribute. For INT, substitute the integer
assigned to that attribute type in RFC 2865 (for example, 31
for Calling-Station-Id); the full list is the IANA RADIUS
attribute types registry.
6. Click Close.
The persistency group that you created now appears in the Persistency
Groups page.
7. To unbind and remove a persistency group, in the Persistency Groups
page select the persistency group, and then click Remove.
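The persistence rules above key on a field of the RADIUS packet, and the point of putting both virtual servers in one persistency group is that the Access-Request sent to port 1812 and the Accounting-Request sent to port 1813 carry the same field value and therefore land on the same back-end server. The following Python is an added example, not NetScaler code: it parses RADIUS packets per RFC 2865, evaluates a rule string in the CLIENT.UDP.RADIUS.USERNAME or CLIENT.UDP.RADIUS.ATTR_TYPE(INT) form, and shows the two requests of one session producing one key. The packets, user name and station ID are constructed for the example; a real appliance also validates the Authenticator, which is skipped here.

```python
"""RADIUS persistence keys, as a NetScaler-style rule would select them.

Added example, not NetScaler code. It shows what the two persistence rules
CLIENT.UDP.RADIUS.USERNAME and CLIENT.UDP.RADIUS.ATTR_TYPE(<int>) key on, and
why an Access-Request arriving at the authentication virtual server and an
Accounting-Request arriving at the accounting virtual server hash to the same
key when both virtual servers are in one persistency group. Packet layout is
from RFC 2865 section 3; the sample packets are constructed for this example.
"""
import re
import struct

RADIUS_HEADER_LEN = 20          # Code(1) Identifier(1) Length(2) Authenticator(16)
ATTR_USER_NAME = 1              # RFC 2865 section 5.1
ATTR_CALLING_STATION_ID = 31    # RFC 2865 section 5.31
CODE_ACCESS_REQUEST = 1
CODE_ACCOUNTING_REQUEST = 4


def parse_radius(packet: bytes) -> dict:
    """Parse header and attribute TLVs; raise ValueError rather than guess."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < RADIUS_HEADER_LEN or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    attrs = []                  # (type, value) pairs; a type may repeat
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def build_radius(code: int, ident: int, attrs: list) -> bytes:
    """Build a packet with a zeroed authenticator (constructed test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body)) + bytes(16) + body


_RULE = re.compile(r"^CLIENT\.UDP\.RADIUS\.(USERNAME|ATTR_TYPE\((\d+)\))$")


def persistence_key(packet: bytes, rule: str):
    """Return the bytes the rule selects, or None if the attribute is absent.

    With no key a load balancer can only fall back to its load balancing
    method, so auth and accounting may then land on different servers.
    """
    m = _RULE.match(rule)
    if not m:
        raise ValueError(f"unsupported persistence rule: {rule}")
    wanted = ATTR_USER_NAME if m.group(1) == "USERNAME" else int(m.group(2))
    for atype, value in parse_radius(packet)["attrs"]:
        if atype == wanted:
            return value        # first occurrence wins
    return None


# Constructed sample traffic: one user session as seen by both virtual servers.
USER = b"alice@example.test"
MAC = b"00-11-22-33-44-55"
AUTH_REQUEST = build_radius(CODE_ACCESS_REQUEST, 7,
                            [(ATTR_USER_NAME, USER), (ATTR_CALLING_STATION_ID, MAC)])
ACCT_REQUEST = build_radius(CODE_ACCOUNTING_REQUEST, 8,
                            [(ATTR_CALLING_STATION_ID, MAC), (ATTR_USER_NAME, USER)])


def same_server_for_session(rule: str) -> bool:
    """True when the auth and accounting requests yield one persistence key."""
    k1 = persistence_key(AUTH_REQUEST, rule)
    k2 = persistence_key(ACCT_REQUEST, rule)
    return k1 is not None and k1 == k2


if __name__ == "__main__":
    for rule in ("CLIENT.UDP.RADIUS.USERNAME", "CLIENT.UDP.RADIUS.ATTR_TYPE(31)",
                 "CLIENT.UDP.RADIUS.ATTR_TYPE(2)"):
        print(rule, persistence_key(AUTH_REQUEST, rule), same_server_for_session(rule))
```

The third rule in the usage loop asks for attribute 2 (User-Password), which the sample packets do not carry, so the key is None and stickiness is lost; pick an attribute that every request of the session actually contains, and keep the parser strict, since the key is read from an unauthenticated UDP datagram.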
Example
show ns persistencesession myVserver
2. On the landing page for Load Balancing, click Virtual Server persistence
sessions.
Example
clear ns persistencesession -vserver myLBVserver
To set a virtual server for redirection by using the NetScaler command line
Example
set lb vserver Vserver-LB-1 -m MAC
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
the redirection mode (for example, Vserver-LB-1), and then click Open.
3. On the Advanced tab, under Redirection Mode, click MAC-Based.
4. Click OK.
Example
set lb vserver Vserver-LB-1 -weight 10 Service-HTTP-1
Weight Parameter
Parameter Specifies
Weight (weight) Weight for the specified service. The minimum value is 1
and the maximum value is 100.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server (for example, Vserver-LB-1),
and click Open.
3. On the Services tab, in the Weights spin box, type or select the weight of a
service (for example, 10) next to Service-HTTP-1.
4. Click OK.
128 Citrix NetScaler Traffic Management Guide
Note: If a load balancing virtual server is configured with both a backup virtual
server and a redirect URL, the backup virtual server takes precedence over the
redirect URL. A redirect is used when the primary and backup virtual servers are
down.
Example
set lb vserver Vserver-LB-1 -redirectURL
http://www.newdomain.com/mysite/maintenance
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
redirect URL (for example, Vserver-LB-1), and then click Open.
3. On the Advanced tab, in the Redirect URL text box, type the URL (for
example, http://www.newdomain.com/mysite/maintenance).
4. Click OK.
If you have configured a backup virtual server for a primary virtual server, you
have a choice of which virtual server takes over if the primary virtual server
goes down and then comes back up. The default behavior is for the primary virtual
server to resume its role as the primary. However, you may want the backup
virtual server to remain in control after it takes over. For example, you may
want to sync updates from the backup server to the primary server and then
manually force the original primary server to resume its role. In this case, you
can designate the backup virtual server to remain in control after the primary
virtual server goes down.
If the backup virtual server does not exist, an error message appears.
You can use a redirect URL on the primary virtual server for the case in which
both the primary and the backup virtual servers are down or have reached their
threshold for handling requests. When the services bound to the virtual server
are in an out of service state, the virtual server sends clients to its redirect
URL.
Note: If you enable the Disable Primary When Down option, the backup
virtual server maintains control after the primary virtual server comes up. To
enable the primary virtual server to retake control, you must manually re-enable
it.
Example
set lb vserver Vserver-LB-1 -backupVserver Vserver-LB-2
-disablePrimaryOnDown
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
the backup virtual server (for example, Vserver-LB-1), and then click
Open.
3. On the Advanced tab, in the Backup Virtual Server list, select the backup
virtual server (for example, Vserver-LB-2).
4. If the primary server goes down and then comes back up, and you want the
backup virtual server to function as the primary server until you explicitly
reestablish the primary virtual server, select the Disable Primary When
Down check box.
5. Click OK.
Note: With RTSP virtual servers, the NetScaler uses only data connections for
spillover. If the backup RTSP virtual server is not available, the requests are
redirected to an RTSP URL and an RTSP redirect message is sent to the client.
Example
set lb vserver Vserver-LB-1 -soMethod Connection -soThreshold 1000
-soPersistence enabled -soPersistenceTimeout 2
Spillover Parameter
Parameter Specifies
Method (soMethod) Type of spillover used to divert traffic to the backup virtual
server when the primary virtual server reaches the spillover
threshold. Possible values:
• CONNECTION. Causes spillover when the number of connections
exceeds the configured threshold.
• DYNAMICCONNECTION. Causes spillover when the number of
connections exceeds the sum of the Max Clients settings of the
bound services; no threshold is configured for this type.
• BANDWIDTH. Causes spillover based on traffic rate.
• HEALTH. Causes spillover if bound and active
services and service groups fall below a threshold
relative to all bound elements.
• NONE.
Threshold (soThreshold) The following are supported:
• For the CONNECTION spillover type, the Threshold value
is the maximum number of connections a virtual server
can handle prior to spillover.
• For the BANDWIDTH spillover type, the Threshold
value is the amount of incoming and outgoing traffic
(in kilobits per second) that a virtual server can handle
before spillover occurs. The minimum value is 1, and
the maximum value is 4,294,967,294.
• For HEALTH, this is a positive integer from 1 through
99. It is the percentage that the sum of the binding weights
of all enabled, bound, and active services and service groups
represents relative to the sum of the binding weights of all
enabled bound services and service groups (active and
inactive); spillover occurs when the active share falls below
this percentage.
Persistence (soPersistence) Spillover persistence state. If you enable spillover
persistence, the NetScaler maintains source IP-based
persistence over the primary virtual server and backup virtual
servers. Possible values: ENABLED and DISABLED.
Default: DISABLED.
Persistence time-out (minutes) (soPersistenceTimeOut) Time-out for spillover
persistence. The default value is 2 minutes. The minimum value is 2 minutes,
and the maximum value is 1440 minutes.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
the spillover (for example, Vserver-LB-1), and then click Open.
3. On the Advanced tab, in the Method list, select the type of spillover, and in
Threshold text box, type the threshold value (for example, Connection and
1000).
4. Under Spillover, select the Persistence check box, and in Persistence
Time-out (min) text box type the time-out (for example, 2).
5. Click OK.
Note: Global Server Load Balancing (GSLB) virtual servers do not support
connection-based spillover.
Note: To configure connection failover, you must first configure HA and set up
a primary and secondary NetScaler. For instructions on how to configure HA, see
the Citrix NetScaler Networking Guide, Chapter 7, “High Availability.”
Example
set lb vserver Vserver-LB-1 -connFailover stateful
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the Load Balancing Virtual Servers page, select the virtual server for
which you want to configure connection failover (for example,
Vserver-LB-1), and click Open.
3. On the Advanced tab, in the Connection Failover drop-down list, select
Stateful.
4. Click OK.
Example
set lb vserver Vserver-LB-1 -connFailover disable
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the Load Balancing Virtual Servers page, select the virtual server for
which you want to configure a connection failover (for example,
Vserver-LB-1), and click Open.
3. On the Advanced tab, in the Connection Failover drop-down list box,
select Disable.
4. Click OK.
• Sessionless load balancing can only be used for load balancing in a DSR
deployment, and in IDS load balancing.
• The least connection load balancing method cannot be used in sessionless
mode.
• A virtual server of type ANY or UDP can be configured as a sessionless
virtual server.
Example
set lb vserver Vserver-LB-1 -m MAC -sessionless enabled
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the Load Balancing Virtual Servers page, select the virtual server for
which you want to configure sessionless load balancing (for example,
Vserver-LB-1), and then click Open.
3. On the Advanced tab, under Redirection Mode, click MAC Based.
4. Select the Sessionless check box, and click OK.
Example
set lb vserver Vserver-LB-1 -cacheable yes
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
cache redirection (for example, Vserver-LB-1), and click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4. Select the Cache Redirection check box, and then click OK.
Example
set lb vserver Vserver-LB-1 -pq yes
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
priority queuing (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4. Select the PQ check box, and then click OK.
Note: You must set priority queuing globally for it to function correctly. For
more information on configuring priority queuing globally, see the Citrix
NetScaler Application Security Guide, Chapter 1, “Protection Features.”
Example
set lb vserver Vserver-LB-1 -sc yes
SureConnect Parameter
Parameter Specifies
SureConnect (sc) Assurance of a response from an application despite
possible delays due to server capacity or processing speed.
Possible values: ON and OFF. Default: OFF.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to
configure SureConnect (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4. Select the SC check box, and then click OK.
Note: For SureConnect to function correctly, you must set it globally. For more
information about configuring SureConnect globally, see the Citrix NetScaler
Application Optimization Guide, Chapter 3, “Configuring SureConnect.”
Note: In case of HTTP services, the down state flush setting is effective only
when the client is connected to the server.
To set down state flush on a virtual server by using the NetScaler command
line
Example
set lb vserver Vserver-LB-1 -downStateFlush enabled
To set down state flush on a virtual server by using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
down state flush (for example, Vserver-LB-1), and click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4. Select the Down state flush check box, and then click OK.
When the virtual server is of type SSL and the services are of type HTTP, the
NetScaler decrypts the client’s requests and forwards them to the HTTP services.
If a service answers with an HTTP redirect whose Location header carries the
HTTP port, the redirect port rewrite option makes the NetScaler rewrite that port
to the HTTPS port of the virtual server before forwarding the response, so the
client is not sent from SSL back to plain HTTP by a redirect the server
generated. When both requests and responses are of the same type, the NetScaler
rewrites the port using the same port value. For more information about SSL
redirects, see “Secure Sockets Layer (SSL) Acceleration,” on page 375.
Example
set lb vserver Vserver-LB-1 -redirectPortRewrite enabled
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
HTTP redirection (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4. Select the Redirect Port Rewrite check box, and then click OK.
This option is not supported for wildcard virtual servers or dummy virtual
servers. If the primary virtual server is down and the backup virtual server is up,
the configuration settings of the backup virtual server are added to the client
requests. If you want the same header tag to be added, regardless of whether the
requests are from the primary virtual server or backup virtual server, then you
must configure the required header tag on both virtual servers.
To insert the IP address and port of the virtual server in the client requests
by using the NetScaler command line
Example
set lb vserver Vserver-LB-1 -insertVserverIPPort VipAddr
To insert the IP address and port of the virtual server in the client requests
by using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
virtual server port insertion (for example, Vserver-LB-1), and then click
Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4. In the Vserver IP Port Insertion list, select the VIPADDR or
V6TOV4MAPPING, and then type the port header in a text box next to
Vserver IP Port Insertion box.
5. Click OK.
To set a time-out value for idle client connections by using the NetScaler
command line
Example
set lb vserver Vserver-LB-1 -cltTimeout 100
To set a time-out value for idle client connections by using the configuration
utility
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the details pane, select the virtual server for which you want to configure
the client time-out (for example, Vserver-LB-1), and then click
Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4. In the Client Time-out (secs) text box, type the timeout value
(for example, 100).
5. Click OK.
Example
set lb vserver Vserver-LB-1 -RTSPNAT enabled
RTSP Parameter
Parameter Specifies
RTSP Natting (rtspNat) NAT for data connection packets. When the NetScaler
is configured for the NAT-on mode, you must enable
the RTSP NAT option. When the NetScaler is
configured for NAT-off mode, you must disable the
RTSP NAT option. Possible values: ON and OFF.
Default value: OFF.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server (for example, Vserver-LB-1),
and then click Open.
3. In the Configure Virtual Server (Load balancing) dialog box, on the
Advanced tab, select the RTSP Natting check box, and then click OK.
Topics include:
• Configuring Services for Load Balancing
• Redirecting Client Requests to a Cache
• Configuring Monitors
• Monitoring Applications and Services Using Built-in Monitors
• Monitoring Applications and Services Using Customized Monitors
• Configuring Load Monitors
• Configuring Support for Third-Party Load Balancers Using SASP
To set surge protection on the service by using the NetScaler command line
Example
set service Service-HTTP-1 -sp on
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to configure surge
protection (for example, Service-HTTP-1), and then click Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Scroll down, and under Others, select the Surge Protection check box.
5. Click OK.
Note: For surge protection to function correctly, you must enable it globally.
For more information about configuring surge protection globally, see the Citrix
NetScaler Application Security Guide.
Example
set service Service-HTTP-1 -sc on
SureConnect Parameter
Parameter Specifies
SureConnect (sc) State of SureConnect for the service. This parameter is
supported for legacy purposes only. It has no effect on the
NetScaler, and its only valid value is OFF. Possible values:
ON and OFF. Default: OFF.
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to configure
SureConnect (for example, Service-HTTP-1), and then click Open.
3. In the Configure Service dialog box, click the Advanced tab, scroll down,
and under Others, select the Sure Connect check box.
4. Click OK.
Note: For SureConnect to function correctly, you must set it globally. For more
information about configuring SureConnect globally, see the Citrix NetScaler
Application Optimization Guide, Chapter 3, “Configuring SureConnect.”
To set down state flush on the service by using the NetScaler command line
Example
set service Service-HTTP-1 -downStateFlush enabled
To set down state flush on the service by using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to configure down
state flush (for example, Service-HTTP-1), and then click Open.
3. In the Configure Service dialog box, click the Advanced tab, scroll down,
and under Others, select the Down state flush check box.
4. Click OK.
Note: For the NetScaler to bridge the packets sent to the down services, enable
Layer 2 or Layer 3 modes with the access down parameter. For more information
about Layer 2 and Layer 3 modes, see the Citrix NetScaler Networking Guide,
Chapter 1, “IP Addressing.”
To set access down on the service by using the NetScaler command line
Example
set service Service-HTTP-1 -accessDown yes
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to configure
access down (for example, Service-HTTP-1), click Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Scroll down, and under Others, select the Access Down check box.
5. Click OK.
To set TCP Buffering on the service by using the NetScaler command line
Example
set service Service-HTTP-1 -TCPB yes
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to configure TCP
buffering (for example, Service-HTTP-1), and then click Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Scroll down, and under Settings, select the TCP Buffering check box.
5. Click OK.
Note: TCP buffering set at the service level takes precedence over the global
setting. For more information about configuring TCP buffering globally, see the
Citrix NetScaler Application Optimization Guide.
Enabling Compression
The NetScaler provides the compression option to transparently compress the
HTML and text files. The NetScaler has a set of built-in compression policies and
uses them to compress the files. The compression policies act on the service
bound to the virtual server and determine whether the response is compressible.
The compressible content is compressed and sent to the client.
Compression reduces the amount of data delivered to the browser and improves
client response time.
Example
set service Service-HTTP-1 -CMP yes
Compression Parameter
Parameter Specifies
Compression (CMP) State of the HTTP compression feature for the service.
Possible values: YES and NO. Default: NO.
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to configure
compression (for example, Service-HTTP-1), and then click Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Under Settings, select the Compression check box.
5. Click OK.
Note: For compression to function correctly, you must enable it globally. For
more information about configuring compression globally, see the Citrix
NetScaler Application Optimization Guide.
To set client keep-alive on the service by using the NetScaler command line
Example
set service Service-HTTP-1 -CKA yes
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to configure client
keep-alive (for example, Service-HTTP-1), and then click Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Under Settings, select the Client Keep-Alive check box.
5. Click OK.
Note: Client keep-alive set at the service level takes precedence over the global
setting. For more information about configuring Client keep-alive globally, see
the Citrix NetScaler Application Optimization Guide.
IP Header
When you enable the client IP setting, the NetScaler inserts the client IPv4 or
IPv6 address into an HTTP header (by default X-Forwarded-For) of each request
that it forwards to the server. The server can read that header to learn the
address of the real client, which it otherwise sees only as the NetScaler’s own
source address. Because the header is ordinary request data, the server must
accept it only on connections that arrive from the NetScaler; a client can send
a header of the same name itself. The flow is shown in the following figure.
Example
set service Service-HTTP-1 -CIP enabled X-forwarded-for
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to add the client IP
address in the request (for example, Service-HTTP-1), and then click
Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Under Settings, select the Client IP check box.
5. In the Header text box, type the header tag
(for example, X-Forwarded-for).
6. Click OK.
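What the server does with the inserted header is where deployments go wrong: if it takes the leftmost X-Forwarded-For value, or honours the header on connections that did not come through the NetScaler, any client can choose the address that gets logged or used for an allow list. The following Python is an added example, not NetScaler code and not part of any web framework; it assumes the -CIP X-Forwarded-For setting shown above and that the server knows the subnet IPs the NetScaler connects from (the TRUSTED_PROXIES list and the sample requests are constructed for the example).

```python
"""Consume the client address inserted by the load balancer without being spoofed.

Added example, not NetScaler code and not part of any web framework. It
assumes the NetScaler has -CIP enabled with header X-Forwarded-For and that
the server knows the subnet IPs the NetScaler connects from (TRUSTED_PROXIES
below is constructed for this example). A client can send its own
X-Forwarded-For header, and a proxy typically appends to rather than
replaces an existing one, so the leftmost values are attacker supplied;
only the entry added by a trusted proxy is evidence.
"""
import ipaddress
from typing import Optional

# Constructed for this example: addresses the NetScaler uses toward the servers.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.46.0/24"),
                   ipaddress.ip_network("2001:db8:46::/64")]


def is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to log and authorize on.

    peer_addr is the TCP peer the server actually accepted. X-Forwarded-For
    is consulted only when that peer is a trusted proxy, and then read from
    the right: the first entry that is not itself a trusted proxy is the
    client; everything left of it is unverified.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted_proxy(peer) or not xff_header:
        return str(peer)
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return str(peer)    # malformed chain: trust nothing in it
        if not is_trusted_proxy(addr):
            return str(addr)
    return str(peer)            # every hop was a proxy; no client address given


# Constructed request samples: (TCP peer, X-Forwarded-For header or None)
SAMPLES = {
    "via_netscaler":        ("192.168.46.10", "203.0.113.7"),
    "client_spoofs_left":   ("192.168.46.10", "10.0.0.1, 203.0.113.7"),
    "chained_proxy":        ("192.168.46.10", "203.0.113.7, 192.168.46.20"),
    "chained_proxy_junk":   ("192.168.46.10", "not-an-ip, 192.168.46.20"),
    "bypassed_netscaler":   ("198.51.100.9", "10.0.0.1"),
    "no_header":            ("192.168.46.10", None),
}


def resolve_samples() -> dict:
    return {name: client_ip(peer, xff) for name, (peer, xff) in SAMPLES.items()}


if __name__ == "__main__":
    for name, ip in resolve_samples().items():
        print(f"{name:22s} -> {ip}")
```

The alternative the guide covers a few pages later, Use Source IP (USIP), makes the client address the TCP peer itself and removes the header problem, at the price of requiring the server’s return traffic to route back through the NetScaler.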
To insert the server ID in the response from the server by using the
NetScaler command line
Example
set service Service-HTTP-1 -serverID 11
Server ID Parameter
Parameter Specifies
Server ID (serverID) Identifier for the service. This is used when the persistence
type is set to Custom Server ID. The minimum value is 0 and
the maximum value is 65535.
To insert the server ID in the response from the server by using the
configuration utility
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to set the server ID
(for example, Service-HTTP-1), click Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Scroll down, and under Others, in the Server ID text box, type the ID of
the server (for example, 11).
5. Click OK.
To use the IP address of the client by using the NetScaler command line
Example
set service Service-HTTP-1 -usip yes
Note: USIP does not work when you bind an IPv6 service with USIP enabled to
an IPv4 virtual server, and when you bind an IPv4 service with USIP enabled to
an IPv6 virtual server.
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to use the source
IP address (for example, Service-HTTP-1), and then click Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Under Settings, select Override Global, and then select the Use Source IP
check box.
5. Click OK.
• For the first client request and response, the NetScaler forwards the request
to Service-ANY-1 by using Vserver-ANY-1.
• For the second client request and response, the NetScaler forwards the
request to Service-ANY-1 by using Vserver-ANY-2.
• For the third request, the NetScaler forwards the response to the client
through Vserver-ANY-1.
Such a scenario generally occurs when USIP is enabled on the service,
regardless of the type of service configured.
To use the proxy port by using the NetScaler command line
Example
set service Service-ANY-1 -useProxyPort yes
When the Use Proxy Port parameter is enabled for TCP-based services, the
NetScaler uses a port of its own, rather than the client’s source port, as the
source port of the server-side connection, so the clients can use more than
65,535 ports on the NetScaler.
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to use the proxy
port (for example, Service-ANY-1), and then click Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Under Settings, select Override Global, and then select the Use Proxy
Port check box.
5. Click OK.
Example
set service Service-HTTP-1 -maxClient 1000
Note: Connections that are closing are not considered for this limit.
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to configure the
maximum number of client connections (for example, Service-HTTP-1),
and then click Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Under Thresholds, in the Max Clients text box, type the maximum
number of client connections (for example, 1000).
5. Click OK.
To limit the number of client requests by using the NetScaler command line
Example
set service Service-HTTP-1 -maxReq 100
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to configure the
maximum number of client requests (for example, Service-HTTP-1), click
Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Under Thresholds, in the Max Requests text box, type the maximum
number of client requests (for example, 100).
5. Click OK.
Example
set service Service-HTTP-1 -monThreshold 100
To set a timeout value for idle client connections by using the NetScaler
command line
Example
set service Service-HTTP-1 -cltTimeout 100
To set a timeout value for idle client connections by using the configuration
utility
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to configure the
time-out value for client connections (for example, Service-HTTP-1), and
then click Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Under Idle Time-out (secs), in the Client text box, type the timeout value
(for example, 100).
5. Click OK.
To set a timeout value for idle server connections by using the NetScaler
command line
Example
set service Service-HTTP-1 -svrTimeout 100
To set a timeout value for idle server connections by using the configuration
utility
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to configure the
timeout value for server connections (for example, Service-HTTP-1), and
click Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Under Idle Time-out (secs), in the Server text box, type a timeout value
(for example, 100).
5. Click OK.
Example
set service Service-HTTP-1 -maxBandwidth 100
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to configure
maximum bandwidth usage (for example, Service-HTTP-1), and then
click Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Under Thresholds, in the Max Bandwidth (kbits) text box, type the
maximum bandwidth (for example, 100).
5. Click OK.
Example
set service Service-HTTP-1 -cacheable yes
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to configure cache
redirection (for example, Service-HTTP-1), and then click Open.
3. In the Configure Service dialog box, click the Advanced tab.
4. Scroll down, and under Cache Redirection Options, in Cache Type list,
select the type of cache (for example, Regular Server).
5. Select the Enable Cache Redirection check box.
6. Click OK.
Configuring Monitors
Monitors periodically check the state of a service. The NetScaler does not
send load balanced traffic to a service that a monitor has marked DOWN. A
monitor allows the NetScaler to evaluate services accurately. You can bind
multiple monitors of any type to a service to determine its state. Monitors
specify the type of request sent to the server and the response expected from
it. Monitors probe the servers periodically and check whether a response arrives
within the configured time. If the monitor does not receive the expected
response within the configured time, and the configured number of consecutive
probes fail, it marks the service DOWN.
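The three numbers that govern that decision are the probe interval, the response timeout that turns a late reply into a failed probe, and the number of consecutive failed probes before the service is marked DOWN; together they also fix how long a dead server keeps receiving traffic. The following Python is an added example, not NetScaler code, that models one monitor bound to one service with those parameters and feeds it constructed probe outcomes. Two details go beyond the text and are this example’s own assumptions: a single successful probe brings a DOWN service back UP, and the response timeout must be shorter than the interval.

```python
"""How a monitor decides a service is DOWN: interval, response timeout, retries.

Added example, not NetScaler code. It models one monitor bound to one service
with the three parameters the text names: the probe interval, the response
timeout that turns a slow reply into a failed probe, and the number of
consecutive failed probes after which the service is marked DOWN. The probe
outcomes fed in below are constructed; assumptions beyond the text are that
one successful probe brings a DOWN service back UP and that the response
timeout must be shorter than the interval.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

ProbeResult = Tuple[bool, float]   # (expected response received, seconds taken)


@dataclass
class Monitor:
    interval_s: float = 5.0        # -interval: time between probes
    resptimeout_s: float = 2.0     # -resptimeout: reply must arrive within this
    retries: int = 3               # -retries: consecutive failures before DOWN
    state: str = "UP"
    failures: int = 0              # consecutive failed probes so far
    history: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Assumption (checked here): a timeout >= interval would let probes
        # overlap, so reject it up front instead of producing a flapping monitor.
        if self.resptimeout_s >= self.interval_s:
            raise ValueError("response timeout must be shorter than the interval")
        if self.retries < 1:
            raise ValueError("retries must be at least 1")

    def probe_once(self, probe: Callable[[], ProbeResult]) -> str:
        """Run one probe and return the service state after it."""
        ok, took = probe()
        failed = (not ok) or took > self.resptimeout_s   # slow counts as failed
        if failed:
            self.failures += 1
            if self.failures >= self.retries:
                self.state = "DOWN"
        else:
            self.failures = 0
            self.state = "UP"           # assumption: one success restores UP
        self.history.append(self.state)
        return self.state

    def run(self, outcomes: List[ProbeResult]) -> List[str]:
        """Feed a sequence of constructed probe outcomes; return the state after each."""
        for outcome in outcomes:
            self.probe_once(lambda o=outcome: o)
        return list(self.history)

    def worst_case_detection_s(self) -> float:
        """Longest time a dead server stays in rotation.

        Worst case: the server dies just after a successful probe. The next
        probe is sent one interval later, each failed probe is only known to
        have failed after the response timeout, and DOWN needs `retries`
        failures in a row.
        """
        return self.retries * self.interval_s + self.resptimeout_s


# Constructed probe outcomes: healthy, refused, too slow (a success that
# arrives late), refused, then healthy again.
SAMPLE_OUTCOMES: List[ProbeResult] = [
    (True, 0.1), (False, 2.0), (True, 2.5), (False, 2.0), (True, 0.2),
]


def sample_run() -> List[str]:
    return Monitor(interval_s=5.0, resptimeout_s=2.0, retries=3).run(SAMPLE_OUTCOMES)


if __name__ == "__main__":
    m = Monitor()
    print(m.run(SAMPLE_OUTCOMES))
    print("worst-case detection:", m.worst_case_detection_s(), "s")
```

With the defaults used here a server that fails right after a good probe is still in rotation for 17 seconds; shortening the interval or the retry count trims that window, but a timeout tight enough to fail under ordinary load makes healthy servers flap DOWN and concentrates traffic on whatever is left.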
Topics include:
• Configuring Monitors in a Load Balancing Setup
• Modifying Monitors
• Managing Monitors
The following diagram shows the monitors and how they operate.
Operation of Monitors
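The interval, response time-out and retry logic described above, as an added example that is not NetScaler code and is not taken from this guide. It models how a monitor turns a sequence of probe results into UP and DOWN transitions. The behaviour it assumes, and which the page does not spell out, is that a service starts UP, a probe counts as failed when no response arrives within resptimeout, the service is marked DOWN after `retries` consecutive failures, and one successful probe brings it back UP; the probe log is constructed.

```python
"""Added example (not NetScaler code): how a monitor turns probe results into
an UP or DOWN decision.

Assumptions not stated on the page: the service starts UP, a probe fails when no
response arrives within resptimeout, the service goes DOWN after `retries`
consecutive failures, and one successful probe brings it back UP. Times are in
milliseconds.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Monitor:
    name: str
    interval: int       # ms between probes
    resptimeout: int    # ms to wait for a response before the probe counts as failed
    retries: int        # consecutive failed probes before the service is marked DOWN


@dataclass
class ServiceState:
    state: str = "UP"
    failures: int = 0   # consecutive failed probes so far
    transitions: List[Tuple[int, str]] = field(default_factory=list)


def probe_succeeded(mon: Monitor, response_ms: Optional[int]) -> bool:
    """None means no response at all; a late response is also a failure."""
    return response_ms is not None and response_ms <= mon.resptimeout


def apply_probe(mon: Monitor, st: ServiceState, now: int, response_ms: Optional[int]) -> str:
    """Apply one probe result observed at time `now` and return the new state."""
    if probe_succeeded(mon, response_ms):
        if st.state == "DOWN":
            st.transitions.append((now, "UP"))
        st.state, st.failures = "UP", 0
    else:
        st.failures += 1
        if st.state == "UP" and st.failures >= mon.retries:
            st.state = "DOWN"
            st.transitions.append((now, "DOWN"))
    return st.state


def run_monitor(mon: Monitor, results: List[Tuple[int, Optional[int]]]) -> ServiceState:
    """results: (timestamp_ms, response_ms or None), one entry per probe sent."""
    st = ServiceState()
    for now, resp in results:
        apply_probe(mon, st, now, resp)
    return st


def validate(mon: Monitor) -> List[str]:
    """Sanity checks a practitioner applies before binding the monitor."""
    problems = []
    if mon.resptimeout >= mon.interval:
        problems.append("resptimeout must be shorter than interval, or probes overlap")
    if mon.retries < 1:
        problems.append("retries must be at least 1")
    return problems


# Constructed probe log: the server answers, stalls twice, stops answering,
# and finally recovers.
HTTP_MON = Monitor("monitor-HTTP-1", interval=5000, resptimeout=2000, retries=3)
SAMPLE_RESULTS = [(0, 150), (5000, None), (10000, 2500), (15000, None),
                  (20000, None), (25000, 100)]

if __name__ == "__main__":
    final = run_monitor(HTTP_MON, SAMPLE_RESULTS)
    print(final.state, final.transitions)   # UP [(15000, 'DOWN'), (25000, 'UP')]
```

On the constructed log the service goes DOWN at the third consecutive failure (the 2500 ms answer, later than resptimeout, counts as one) and returns to UP on the first good probe. validate() captures the ordering worth checking before binding: a response time-out that is not shorter than the interval lets probes overlap.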
Creating Monitors
The NetScaler provides a set of built-in monitors. The NetScaler also allows you
to create custom monitors based on the default monitors.
Example
add lb mon monitor-HTTP-1 HTTP
172 Citrix NetScaler Traffic Management Guide
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. On the Monitors page, click Add.
3. In the Create Monitor dialog box, in the Name and Interval text boxes,
type the name and interval value of the monitor (for example,
monitor-HTTP-1 and 340).
4. In the Type list, select the type of the monitor (for example, HTTP).
5. In the list next to the Interval text box, select Seconds.
6. Click Create, and then click Close. The monitor you created appears in the
Monitors page, as shown in the following screen shot.
Monitors Pane
Example
bind mon monitor-HTTP-1 Service-HTTP-1
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service for which you want to bind the
monitor (for example, Service-HTTP-1), and then click Open.
3. On the Monitors tab, in the Available list box, select the monitor that
you want to bind to the service (for example, monitor-HTTP-1), and then
click Add.
4. In the Configured box, click OK.
Modifying Monitors
You can modify the configured monitors. If you change a monitor that is bound to
multiple services, monitoring of the bound services changes. You can modify a
monitor that you created using the parameters listed in this section. Two sets of
parameters apply to monitors:
• Parameters that apply to all monitors, regardless of type.
• Parameters that are specific to a monitor type.
This section describes the parameters that apply to all monitors.
Example
set mon monitor-HTTP-1 HTTP -interval 50 milli -resptimeout 20 milli
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. In the details pane, select the monitor that you want to modify
(for example, monitor-HTTP-1), and then click Open.
3. On the Standard Parameters tab, in the Interval and Response Time-out
text boxes, type the interval and response timeout values (for example, 50
and 20).
4. In the list next to the Interval text box, select the unit (for example,
Milli Seconds).
5. In the list next to the Response Time-out text box, select the unit
(for example, Milli Seconds).
6. Click OK.
Managing Monitors
This section describes how to manage the monitors you create. You can change
the bindings of the monitors, or enable, disable, and remove monitors. You can
also unbind monitors from services and service groups.
Example
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. On the Monitors page, select the monitor that you want to enable (for
example, monitor-HTTP-1), and then click Enable.
3. In the Enable dialog box, click Yes.
Example
disable lb mon Service-HTTP-1
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. On the Monitors page, select the monitor that you want to disable (for
example, monitor-HTTP-1), and then click Disable.
3. In the Disable dialog box, click Yes.
Unbinding Monitors
You can unbind monitors from a service or from a service group. When you unbind
a monitor from a service group, it is unbound from each of the individual
services that make up the group. After a monitor is unbound, it no longer probes
that service or service group. When the last configured monitor is unbound from
a service or service group, the default monitor is bound to it, and the default
monitor then probes the service or service group instead.
Example
unbind mon monitor-HTTP-1 Service-HTTP-1
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, select the service from which you want to unbind the
monitor (for example, Service-HTTP-1), and then click Open.
3. In the Configure Service dialog box, under Configured, select the monitor
that you want to unbind from the service (for example, monitor-HTTP-1),
and then click Remove.
4. Click OK.
Removing Monitors
You can remove a monitor that you have configured. A monitor that is bound to a
service cannot be removed; you must first unbind it from the service and then
remove it. When all configured monitors have been unbound from a service, the
default monitor is bound to that service. You cannot remove the default monitors.
The following example describes the steps to remove the monitor
monitor-HTTP-1.
Example
rm lb monitor monitor-HTTP-1 HTTP
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. On the Monitors page, select the monitor that you want to remove (for
example, monitor-HTTP-1), and then click Remove.
3. In the Remove dialog box, click Yes.
Viewing Monitors
You can view the services and service groups bound to the monitor. You can
verify the settings of the monitors to troubleshoot the configuration. The
following procedure describes the steps to view the bindings of a monitor to the
services and service groups.
Example
show lb monbindings monitor-HTTP-1
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. On the Monitors page, select the monitor for which you want to view the
binding information (for example, monitor-HTTP-1), and then click Show
Bindings. The binding information for the monitor that you selected
appears in the Binding Info for Monitor: monitor-HTTP-1 dialog box.
Example
show lb mon monitor-HTTP-1
In the navigation pane, expand Load Balancing, and then click Monitors. The
details of the available monitors appear on the Monitors page.
SIP messages can be transmitted over TCP or UDP. SIP messages are of two
types: request messages and response messages. The following table summarizes
the formats of these messages.
SIP Message Formats
Message type   Component      Details
Request        Method         INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER
               Request-URI    Represents the subject, media type, or urgency of
                              the session being initiated. The common format is
                              sip:user:password@host:port;uri-parameters?headers
               SIP version    The SIP version being used
Response       SIP version    The SIP version being used
               Status code    A 3-digit integer result code. The possible classes are:
                              1xx Informational responses (for example, 180 Ringing)
                              2xx Successful responses (for example, 200 OK)
                              3xx Redirection responses (for example, 302 Moved Temporarily)
                              4xx Request failure responses (for example, 403 Forbidden)
                              5xx Server failure responses (for example, 504 Gateway Time-out)
                              6xx Global failure responses (for example, 600 Busy Everywhere)
               Reason-phrase  Textual description of the status code
SIP Mechanism
A user agent (UA) is the entity that initiates the call. The user agent can be a
SIP softphone (a PC-based application) or a SIP phone.
To initiate a call, the user agent sends an INVITE request to the previously
configured SIP proxy server. The INVITE request contains the details of the
destination, such as the destination uniform resource identifier (URI) and Call ID.
In the diagram, the Caller A (user agent) sends an INVITE request to Proxy A.
When the proxy server receives the INVITE request, it sends a 100 (Trying)
response to the user agent that initiated the call (Caller A). It also performs a DNS
lookup to locate the SIP proxy server of the destination domain. After the SIP
proxy server of the destination domain is located, the SIP proxy at the source
domain sends the INVITE request to it. Here, Proxy A sends a 100 (Trying)
response to Caller A and an INVITE request to Proxy B.
When the SIP proxy server of the destination domain receives the INVITE
request from the SIP proxy server of the source domain, it responds with a 100
(Trying) response. It then sends the INVITE request to the destination user agent.
In this case, Proxy B sends a 100 (Trying) response to Proxy A and an INVITE
request to Caller B.
When the destination user agent receives the INVITE request, it alerts Caller B
and responds with a 180 (Ringing) response. This response is routed back to the
source user agent through the proxies.
When caller B accepts the call, the destination user agent responds with a 200
(OK) response. This signifies that caller B has answered the call. This response is
routed back to the source user agent through the proxies. After the call is set up,
the user agents communicate directly without the proxies.
The following table describes the entities of a SIP-based communication system
and their roles.
SIP System Entities
Entity                           Role
User Agent (UA)                  SIP user agents generate requests and respond to incoming
                                 requests. A user agent that generates requests is a User
                                 Agent Client (UAC); a user agent that responds to requests
                                 is a User Agent Server (UAS). In the preceding example,
                                 Caller A was the UAC and Caller B was the UAS.
Proxy Server                     Proxies receive and route SIP requests based on the URI.
                                 They can selectively rewrite parts of the request message
                                 before forwarding it. They also handle registrations and
                                 invitations to user agents, and apply call policies.
Redirect Server                  Redirect servers send routing information to the SIP proxy
                                 servers.
Registrar Server                 Registrar servers provide location information to user
                                 agents and proxy servers.
Back-to-Back User Agent (B2BUA)  A B2BUA combines a UAS and a UAC in one entity.
You can configure the NetScaler to load balance SIP requests to a group of SIP
proxy servers. To do this, you need to create a load balancing virtual server with
the LB method set to Call-ID hash, and then bind to it the services representing
the SIP proxies.
You must configure the SIP proxies so that they do not add private IP addresses or
private domains to the SIP header/payload. SIP proxies must add a domain name
to the SIP header that resolves to the IP address of the SIP virtual server. Also, the
SIP proxies must communicate with a common database to share registration
information.
This section describes the role of the NetScaler when configured to perform SIP
load balancing in the two most commonly used topologies:
• One-arm DSR mode
• Inline DSR mode
For more information about DSR mode, see the section “Configuring Load
Balancing in Direct Server Return Mode,” on page 260.
To configure built-in monitors to check the state of SIP server, see “Configuring
Monitors in a Load Balancing Setup,” on page 170. You must provide values for
the required parameters to create a monitor of type SIP.
To configure built-in monitors to check the state of the DNS or DNS-TCP server,
see “Configuring Monitors in a Load Balancing Setup,” on page 170. You must
provide values for the required parameters to create a monitor of type DNS or
DNS-TCP.
LDAP Parameters
Parameter              Specifies
Base DN (baseDN)       Base DN from which the LDAP search starts. If the LDAP server
                       is running locally, the default value is dc=netscaler,dc=com.
Bind DN (bindDN)       Bind DN used by the LDAP monitor.
Filter (filter)        Search filter used by the LDAP monitor.
Password (password)    Password used in monitoring LDAP servers.
Attribute (attribute)  Attribute queried by the LDAP monitor.
To configure built-in monitors to check the state of the LDAP server, see
“Configuring Monitors in a Load Balancing Setup,” on page 170. You must
provide values for the required parameters to create a monitor of type LDAP.
To configure built-in monitors to check the state of the MySQL server, see
“Configuring Monitors in a Load Balancing Setup,” on page 170. You must
provide values for the required parameters to create a monitor of type MySQL.
NNTP Parameters
Parameter             Specifies
User Name (userName)  User name on the RADIUS/NNTP/FTP/FTP-EXTENDED/MYSQL/POP3
                      server. This user name is used in the probe.
Password (password)   Password used in monitoring RADIUS/NNTP/FTP/FTP-EXTENDED/
                      MYSQL/POP3/LDAP servers.
Group (group)         Group name queried by the NNTP monitor.
The usage scenario of RTSP described in the following section illustrates the role
of the messages and entities in an RTSP-based communication system.
RTSP Mechanism
details of the media streams so that the client can start the appropriate
media applications.
2. The client sends a SETUP message to set up a session.
3. When a media server receives a SETUP message, it allocates resources
such as sockets (through which it sends the media) and bandwidth. The
server then responds with a session identifier.
4. The client specifies the URL, session identifier, and a time range in the
control messages to the server.
5. The server performs the appropriate action based on the control messages it
receives from the client.
6. When the client completes, it issues a TEARDOWN request to end the
session, and the server removes any allocated resources.
The following table describes the control messages of an RTSP-based
communication.
Control Messages for RTSP Communication
Control message   Description
DESCRIBE          Returns a description of the media or a presentation by using the
                  Session Description Protocol. This message includes an RTSP URL
                  and the type of reply data that can be handled.
ANNOUNCE          Registers a description of a presentation for a client or server.
OPTIONS           Returns the list of supported methods and component streams.
SETUP             Enables a server to allocate resources for a stream and starts an
                  RTSP session. The request contains the media stream URL and a
                  transport identifier. This identifier typically includes a port for
                  receiving RTP data (audio or video) and a port for receiving RTCP
                  data.
PLAY              Starts data transmission on a stream.
RECORD            Records an allocated stream.
PAUSE             Pauses transmission of a stream without relinquishing server
                  resources.
TEARDOWN          Relinquishes the server resources associated with a stream so that
                  the RTSP session ceases to exist.
GET_PARAMETER,    Placeholder methods that allow manipulation of presentation and
SET_PARAMETER     session parameters.
REDIRECT          Specifies a different server for the presentation.
RTSP messages can be transmitted over TCP or UDP. When RTSP messages are
transmitted over TCP, the request connections can be transmitted in the following
ways:
• Multiple RTSP requests are transmitted over a single TCP connection
(referred as persistent connections).
• One RTSP request is transmitted per TCP connection (referred as
non-persistent connections).
RTSP messages can be request messages or response messages. Request messages
carry a sequence number so that lost messages can be retransmitted.
RTSP Request Message Components
Component    Description
Sequence     Sequence number (CSeq). Every RTSP request and its matching
             response carry this value; it orders the requests and lets the
             sender retransmit any that are lost.
Session      Identifies the session.
Transport    Negotiates and sets the parameters for sending the media stream,
             including the port and multicast address for the media streams.
Time range   Specifies the time range of the presentation.
Others       Headers that interact with caches and other proxies.
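The SIP section above (Call-ID hash load balancing of SIP proxies) and this RTSP section (session identifier and sequence number) are served by one added example, which is not NetScaler code and not taken from this guide. Because SIP and RTSP share the same start-line plus header-lines grammar, one parser handles both; on top of it, select_proxy() shows why hashing on Call-ID keeps every message of a call on the same proxy, and RtspSession follows the SETUP, PLAY, TEARDOWN session flow from the walkthrough. FNV-1a is an illustrative stand-in for the appliance's hash, which the page does not describe, and the proxy list and all messages are constructed.

```python
"""Added example (not NetScaler code) for the SIP and RTSP sections: one parser
for both message grammars, Call-ID hashing to pin all messages of a SIP call to
the same proxy, and RTSP session/CSeq tracking across SETUP, PLAY and TEARDOWN.

Assumptions: FNV-1a stands in for the appliance's undocumented hash; the proxy
list and every sample message below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 3261 compact header names: a Call-ID hash must also see "i:".
COMPACT = {"i": "call-id", "f": "from", "t": "to", "v": "via",
           "m": "contact", "c": "content-type", "l": "content-length"}
RTSP_CONTROL = {"PLAY", "PAUSE", "RECORD", "TEARDOWN"}   # need an established session


@dataclass
class Message:
    kind: str                        # "request" or "response"
    version: str                     # SIP/2.0 or RTSP/1.0
    method: Optional[str] = None     # request only: INVITE, SETUP, ...
    uri: Optional[str] = None        # request only
    status: Optional[int] = None     # response only: 3-digit code
    reason: str = ""                 # response only
    headers: Dict[str, str] = field(default_factory=dict)


def parse_message(raw: str) -> Message:
    """SIP and RTSP share the start-line + header-lines grammar."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"bad start line: {lines[0]!r}")
    if parts[0].startswith(("SIP/", "RTSP/")):
        msg = Message("response", parts[0], status=int(parts[1]), reason=parts[2])
    else:
        msg = Message("request", parts[2], method=parts[0], uri=parts[1])
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"bad header line: {line!r}")
        name = name.strip().lower()
        msg.headers[COMPACT.get(name, name)] = value.strip()
    return msg


def status_class(code: int) -> str:
    return f"{code // 100}xx"        # 1xx informational ... 6xx global failure


def fnv1a32(text: str) -> int:
    h = 0x811C9DC5
    for b in text.encode():
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


PROXIES = ["10.102.29.51", "10.102.29.52", "10.102.29.53"]   # constructed


def select_proxy(msg: Message, proxies: List[str] = PROXIES) -> str:
    """Call-ID hash: the request and every response of one call go to one proxy."""
    call_id = msg.headers.get("call-id")
    if not call_id:
        raise ValueError("SIP message without Call-ID cannot be hashed")
    return proxies[fnv1a32(call_id) % len(proxies)]


class RtspSession:
    """Follows one client: SETUP hands out the session id, control methods must
    quote it, CSeq must increase, and each response must match the open CSeq."""

    def __init__(self) -> None:
        self.session_id: Optional[str] = None
        self.last_cseq = 0
        self.pending: Optional[str] = None

    def observe(self, msg: Message) -> None:
        cseq = int(msg.headers["cseq"])
        if msg.kind == "request":
            if cseq <= self.last_cseq:
                raise ValueError(f"CSeq {cseq} does not increase")
            self.last_cseq, self.pending = cseq, msg.method
            if msg.method in RTSP_CONTROL and msg.headers.get("session") != self.session_id:
                raise ValueError(f"{msg.method} for a session the server never issued")
            return
        if cseq != self.last_cseq:
            raise ValueError("response CSeq does not match the open request")
        if msg.status == 200 and self.pending == "SETUP":
            self.session_id = msg.headers["session"].split(";")[0]   # drop ;timeout=
        if msg.status == 200 and self.pending == "TEARDOWN":
            self.session_id = None


# Constructed messages.
SIP_INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 10.102.29.40:5060;branch=z9hG4bK776\r\n"
              "Call-ID: a84b4c76e66710@10.102.29.40\r\nCSeq: 1 INVITE\r\n\r\n")
SIP_RINGING = ("SIP/2.0 180 Ringing\r\n"
               "i: a84b4c76e66710@10.102.29.40\r\nCSeq: 1 INVITE\r\n\r\n")
RTSP_SETUP = ("SETUP rtsp://10.102.29.60/track1 RTSP/1.0\r\nCSeq: 1\r\n"
              "Transport: RTP/AVP;unicast;client_port=8000-8001\r\n\r\n")
RTSP_SETUP_OK = "RTSP/1.0 200 OK\r\nCSeq: 1\r\nSession: 12345678;timeout=60\r\n\r\n"
RTSP_PLAY = "PLAY rtsp://10.102.29.60/track1 RTSP/1.0\r\nCSeq: 2\r\nSession: 12345678\r\n\r\n"
RTSP_PLAY_FOREIGN = "PLAY rtsp://10.102.29.60/track1 RTSP/1.0\r\nCSeq: 3\r\nSession: 99999999\r\n\r\n"
```

Hashing on Call-ID rather than on the client address is what keeps a call's INVITE, its 180 and 200 responses, and the later BYE on one proxy even though they arrive from different hops; the compact "i:" form has to be normalized before hashing, which parse_message() does. RtspSession.observe() mirrors the session-identifier step of the RTSP walkthrough: a control request quoting a session the server never issued, or a CSeq that does not increase, is rejected.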
This section describes the role of the NetScaler when configured to perform
RTSP load balancing in the two most commonly used topologies:
• NAT-on mode
• NAT-off mode
5. The client then uses the session ID to identify the session and send control
messages to the media server. The Media Server-1 performs the requested
action such as play, forward, and rewind.
After a service goes down, it remains in the DOWN state for the configured down
time. When the down time expires, the configured URL is used to probe the
service and check whether it is up again. If the probe succeeds, the service is
marked UP and traffic is directed to it; from then on both the URL probes and
the client traffic itself are used to monitor the state of the service. To
configure inline monitors, see "Configuring Monitors in a Load Balancing
Setup," on page 170.
User Monitors
Note: Communication between the monitor and the dispatcher can use HTTPS
if you enable the “secure” option on the monitor. However, the internal dispatcher
understands only HTTP and cannot use HTTPS.
In an HA setup, the dispatcher runs on both the primary and the secondary
NetScaler, but remains inactive on the secondary NetScaler.
Script
The script is a program that sends custom probes to the back-end entity and
returns a response code to the dispatcher. The NetScaler is bundled with sample
scripts for commonly used protocols; they are in the /nsconfig/monitors
directory. To add a new script, place it in /nsconfig/monitors. To customize an
existing script, copy it under a new name and modify the copy. For a script to
function correctly, its file name must not exceed 63 characters and it must take
no more than 512 arguments. To debug a script, run nsumon-debug.pl from the
Command Line Interface (CLI), passing the script name, the IP address and port
of the server, the time-out, and the script's own arguments.
Operation of User Monitors
To track the status of the server, the monitor sends an HTTP POST request to the
configured dispatcher. This POST request contains the IP address and port of the
server, and the script that must be executed.
The dispatcher executes the script as a child process, with user-defined
parameters (if any). Then, the script sends a probe to the server. The script sends
the status of the probe (response code) to the dispatcher. The dispatcher converts
the response code to an HTTP response and sends it to the monitor. Based on the
HTTP response, the monitor marks the service as up or down.
The NetScaler logs error messages to the /var/nslog/nsumond.log file when
user monitor probes fail. The following table lists the user monitors and the
possible reasons for failure.
User Monitors
User monitor type      Probe failure reasons
SMTP                   Monitor fails to establish a connection to the server.
NNTP                   Monitor fails to establish a connection to the server.
                       Missing or invalid script arguments (wrong number of
                       arguments or wrong argument format).
                       Monitor fails to find the NNTP group.
LDAP                   Monitor fails to establish a connection to the server.
                       Missing or invalid script arguments (wrong number of
                       arguments or wrong argument format).
                       Monitor fails to bind to the LDAP server.
                       Monitor fails to locate an entry for the target entity on
                       the LDAP server.
FTP                    The connection to the server times out.
                       Missing or invalid script arguments (wrong number of
                       arguments or wrong argument format).
                       Login fails.
                       Monitor fails to find the file on the server.
POP3                   Monitor fails to establish a connection to the server.
                       Missing or invalid script arguments (wrong number of
                       arguments or wrong argument format).
                       Login fails.
MySQL                  Monitor fails to establish a connection to the database.
                       Missing or invalid script arguments (wrong number of
                       arguments or wrong argument format).
                       Login fails.
                       Preparation of the SQL query fails.
                       Execution of the SQL query fails.
SNMP                   Monitor fails to establish a connection to the server.
                       Missing or invalid script arguments (wrong number of
                       arguments or wrong argument format).
                       Login fails.
                       Monitor fails to create an SNMP session.
                       Monitor fails to find the object identifier.
                       The value returned for the object identifier meets or
                       exceeds the monitor's configured threshold.
RDP (Windows           Missing or invalid script arguments (wrong number of
Terminal Server)       arguments or wrong argument format).
                       Monitor fails to create a socket.
                       Version mismatch.
                       Monitor fails to confirm the connection.
At the NetScaler command prompt, type the following commands, pressing Enter
after each one:
shell
cat /var/nslog/nsumond.log
exit
User monitors also have a time-out value and a retry count for failed probes.
You can use user monitors together with non-user monitors. During high CPU
utilization, a non-user monitor detects a server failure faster. If a user
monitor probe times out during high CPU usage, the state of the service remains
unchanged.
The HTTP response codes are summarized in the following table.
HTTP Response Codes
HTTP response code          Meaning
200 Success                 Probe success.
503 Service Unavailable     Probe failure.
404 Not Found               Script not found or cannot execute.
500 Internal Server Error   Internal error or resource constraints in the dispatcher
                            (out of memory, too many connections, unexpected system
                            error, or too many processes). The service does not go down.
400 Bad Request             Error parsing the HTTP request.
502 Bad Gateway             Error decoding the script's response.
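The monitor-to-dispatcher exchange described under "Operation of User Monitors" and the response-code table above, as an added example that is not NetScaler code and not taken from this guide. It models the dispatcher side (parse the monitor's POST, look up the script, run it, answer with one of the codes in the table) and the monitor side (turn the code into a state decision). Assumptions of mine: the POST body layout (one key=value per line), the script registry standing in for /nsconfig/monitors, the constructed FTP inventory that the nsftp.pl stand-in checks, and the rule that only 200 marks UP while 500 leaves the state untouched; the page gives neither the wire format nor the decision for the remaining codes.

```python
"""Added example (not NetScaler code): a model of the user-monitor exchange. The
monitor POSTs the target and script name to the dispatcher; the dispatcher runs
the script and answers with one of the HTTP codes in the table above, which the
monitor turns into a state decision.

Assumptions: the POST body layout (one key=value per line), the script registry
(a dict standing in for /nsconfig/monitors), the constructed FTP inventory, and
the rule that only 200 marks UP while 500 leaves the state untouched are mine.
"""
import re
from typing import Callable, Dict, Tuple

SCRIPT_NAME_MAX = 63      # limits stated on the page
SCRIPT_ARGS_MAX = 512


def parse_script_args(args: str) -> Dict[str, str]:
    """'file=/x;user=u;password=p' -> dict. A value may itself contain '='."""
    out: Dict[str, str] = {}
    for item in filter(None, args.split(";")):
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed script argument {item!r}")
        out[key.strip()] = value
    if len(out) > SCRIPT_ARGS_MAX:
        raise ValueError("too many script arguments")
    return out


def parse_probe_request(raw: str) -> Dict[str, str]:
    """Parse the monitor's POST into ip, port, script and args (assumed layout)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep or not head.startswith("POST "):
        raise ValueError("expected a POST request with a body")
    fields: Dict[str, str] = {}
    for line in filter(None, body.splitlines()):
        key, eq, value = line.partition("=")
        if not eq:
            raise ValueError(f"malformed field {line!r}")
        fields[key] = value
    for required in ("ip", "port", "script"):
        if required not in fields:
            raise ValueError(f"missing field {required}")
    if not fields["port"].isdigit():
        raise ValueError("port must be numeric")
    return fields


# Constructed inventory standing in for a real FTP server: (ip, port) -> files.
FTP_FILES = {("10.102.29.60", 21): {"/home/user/sample.txt"}}


def ftp_file_probe(ip: str, port: int, args: Dict[str, str]) -> bool:
    """Stand-in for nsftp.pl: log in and check that the file exists."""
    for key in ("file", "user", "password"):
        if key not in args:
            raise KeyError(key)           # reported as invalid script arguments
    return args["file"] in FTP_FILES.get((ip, port), set())


ProbeFn = Callable[[str, int, Dict[str, str]], bool]
SCRIPTS: Dict[str, ProbeFn] = {"nsftp.pl": ftp_file_probe}


def dispatch(raw_post: str, scripts: Dict[str, ProbeFn] = SCRIPTS) -> Tuple[int, str]:
    """Dispatcher side: return the HTTP status the monitor will see."""
    try:
        req = parse_probe_request(raw_post)
    except ValueError as exc:
        return 400, f"error parsing HTTP request: {exc}"
    name = req["script"]
    if len(name) > SCRIPT_NAME_MAX or name not in scripts:
        return 404, "script not found"
    try:
        ok = scripts[name](req["ip"], int(req["port"]), parse_script_args(req.get("args", "")))
    except (KeyError, ValueError) as exc:
        return 503, f"probe failure: {exc}"
    except Exception as exc:   # resource problems inside the dispatcher itself
        return 500, f"internal error: {exc}"
    return (200, "probe success") if ok else (503, "probe failure")


def monitor_decision(code: int, current: str) -> str:
    """Monitor side: 200 -> UP, 500 -> unchanged, anything else -> DOWN (assumed)."""
    if code == 200:
        return "UP"
    if code == 500:
        return current
    return "DOWN"


def redact(args: str) -> str:
    """Mask credentials before writing a failure to the monitor log."""
    return re.sub(r"(password=)[^;]*", r"\1***", args)


# Constructed monitor POST for the file-presence scenario on this page.
GOOD_POST = ("POST /probe HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
             "ip=10.102.29.60\nport=21\nscript=nsftp.pl\n"
             "args=file=/home/user/sample.txt;user=probe;password=secret\n")
```

Two things a practitioner takes from this: the script arguments travel in the POST body verbatim (a missing password is reported as a 503 probe failure, not as a dispatcher error), and whatever is placed in scriptArgs becomes part of the monitor definition that is saved with the configuration. The scenario on this page passes user=root;password=passwd; a dedicated low-privilege probe account, and a log writer that masks password values as redact() does, keep that credential out of the places it does not need to be.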
To monitor a user service, use the parameters described in the following table.
User Service Monitor Parameters
Parameter                             Specifies
Script Name (scriptName)              The path and name of the script to execute.
Script Arguments (scriptArgs)         The strings that are added to the POST data. They
                                      are copied to the request verbatim.
Dispatcher IP Address (dispatcherIP)  The IP address of the dispatcher to which the probe
                                      is sent.
Dispatcher Port (dispatcherPort)      The port of the dispatcher to which the probe is sent.
Local File Name (localfileName)       The name of a monitor script file on the local system.
Destination Path (destPath)           The location on the NetScaler where the uploaded
                                      local file is stored.
You can use a custom user monitor with the internal dispatcher. Consider a
scenario where you need to track the health of a server based on the presence of a
file on the server. The following diagram illustrates this scenario.
A possible solution can be to use a Perl script that initiates an FTP session with
the server and checks for the presence of the file. You can then create a user
monitor that uses the Perl script. The NetScaler includes such a Perl script
(nsftp.pl), located in the /nsconfig/monitors/ directory.
You can use a user monitor with an external dispatcher. Consider a scenario
where you must track the health of a server based on the state of an SMTP service
on another server. This scenario is illustrated in the following diagram.
A possible solution would be to create a Perl script that checks the state of the
SMTP service on the server. You can then create a user monitor that uses the Perl
script. To configure user monitors, see “Configuring Monitors in a Load
Balancing Setup,” on page 170.
Example
add lb monitor Monitor-User-1 USER -scriptname nsftp.pl -scriptargs "file=/home/user/sample.txt;user=root;password=passwd"
Note: The load monitor does not determine the state of the service. It only
enables the NetScaler to consider the service for load balancing.
To configure the load monitor, use the metric table parameter as described in the
following table.
You can set the threshold value for each metric. The threshold value enables the
NetScaler to select a service for load balancing, if the metric value for the service
is less than the threshold value. The threshold value also determines the load on
each service.
Weight for a Metric
To calculate the load for one or more metrics, you can assign a weight to each
metric. The default weight is 1. The weight represents the priority given to each
metric. If the weight is high, the priority is high. The NetScaler chooses a service
based on the SOURCEIPDESTIP hash algorithm.
Example
add metricTable Table-Custom-1
1. In the navigation pane, expand Load Balancing, and then click Metric
Tables.
2. In the details pane, click Add.
3. In the Create Metric Table dialog box, in the Metric Table Name text
box, type the name of the metric table (for example, Table-Custom-1).
4. Click Create, and then click Close. The metric table you created appears in
the Metric Tables page.
Example
bind metricTable Table-Custom-1 1.3.6.1.4.1.5951.4.1.1.41.1.5 11
1. In the navigation pane, expand Load Balancing, and then click Metric
Tables.
2. In the details pane, select the metric table to which you want to bind the
metrics (for example, Table-Custom-1), and then click Open.
3. In the Configure Metric Table dialog box, in the Metric and SNMP OID
text boxes, type metric and SNMP OID for the metric table (for example,
1.3.6.1.4.1.5951.4.1.1.41.1.5 and 11).
4. Click Add, and then click OK.
Example
rm metricTable Table-Custom-1
1. In the navigation pane, expand Load Balancing, and then click Metric
Tables.
2. In the details pane, select the metric table that you want to remove (for
example, Table-Custom-1), and click Remove.
3. In the Remove dialog box, click Yes.
To unbind metrics from a metric table by using the NetScaler command line
Example
unbind metricTable Table-Custom-1 1.3.6.1.4.1.5951.4.1.1.41.1.5
1. In the navigation pane, expand Load Balancing, and then click Metric
Tables.
2. In the details pane, select the metric table from which you want to unbind
the metrics (for example, Table-Custom-1), click Open.
3. In the Configure Metric Table dialog box, in the Bound Metrics list box,
select the metric that you want to unbind from the table (for example,
1.3.6.1.4.1.5951.4.1.1.41.1.5).
4. Click Remove, and then click OK.
Example
show metricTable Table-Custom-1
In the navigation pane, expand Load Balancing, and then click Metric Tables.
The details of the available metric table appear on the Metric Tables page.
Example
add lb wlm wlm-1 10.102.29.30 -LBUID 11
1. In the navigation pane, expand Load Balancing, and then click Work
Load Managers.
2. On the Work Load Managers page, click Add.
3. In the Create Work Load Manager dialog box, in the Name, IP Address,
LB Unique Identifier, Port, and Keep Alive Time-out (minutes) text
boxes, type the corresponding values (for example, Wlm-1, 10.102.29.30,
11, 80, and 2).
4. Click Create, and then click Close.
The work load manager you created appears in the Work Load Managers
page, as shown in the following screen shot.
Example
bind lb wlm wlm-1 Vserver-LB-1
1. In the navigation pane, expand Load Balancing, and then click Work
Load Managers.
2. In the details pane, select the work load manager for which you want to
bind the virtual server (for example, Wlm-1), and then click Open.
3. In the Configure Work Load Manager dialog box, under Virtual
Servers, in the Available list box, select the virtual server that you want to
bind to the work load manager (for example, Vserver-LB-1).
4. Click Add, and then click OK.
Example
set lb wlm wlm-1 -KATimeout 20
1. In the navigation pane, expand Load Balancing, and then click Work
Load Managers.
2. In the details pane, select the workload manager that you want to modify
(for example, Wlm-1), and then click Open.
3. In the Configure Work Load Manager dialog box, in the Keep Alive
Time-out (minutes) text box, type the timeout value (for example, 20).
4. Click OK.
Example
rm lb wlm wlm-1
1. In the navigation pane, expand Load Balancing, and then click Work
Load Managers.
2. In the details pane, select the workload manager that you want to remove
(for example, Wlm-1), and then click Remove.
To unbind a virtual server from a work load manager by using the NetScaler
command line
Example
unbind lb wlm wlm-1 vserver-LB-1
1. In the navigation pane, expand Load Balancing, and then click Work
Load Managers.
2. In the details pane, select the workload manager for which you want to
unbind a virtual server (for example, Wlm-1), and then click Open.
3. In the Configure Work Load Manager dialog box, under Virtual
Servers, in the Configured box, select the virtual server that you want to
unbind from the work load manager (for example, Vserver-LB-1).
4. Click Remove, and then click OK.
Example
show lb wlm wlm-1
1. In the navigation pane, expand Load Balancing, and then click Work
Load Managers.
2. In the details pane, view the details of the available work load managers.
The following are the types of ranges you can specify when adding services and
virtual servers to your configuration:
• Numeric ranges. Instead of typing a single number, you can specify a
range of consecutive numbers.
For example, you can create a range of virtual servers by specifying a
starting IP address, such as 10.102.29.30, and then typing a value for the
last byte that ends the range, such as 35. In this example, six virtual
servers are created, with IP addresses from 10.102.29.30 through
10.102.29.35.
Example
add lb vserver Vserver-LB-2 http -range 6 10.102.29.30 80
or
add lb vserver Vserver-LB-[2-7] http 10.102.29.[30-35] 80
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, click Add Range.
3. In the Create Virtual Server (Load Balancing) - Range dialog box, in the
Name Prefix, IP Address Range, and Port text boxes, type the virtual
server name, IP address with which to begin the range, and port (for
example, vserver, 10.102.29.30, and 80).
4. Select the Network VServer check box, and in Range, type the last value
of the virtual server range (for example, 35).
5. In the Protocol drop-down list box, select the protocol type (for example,
HTTP).
6. Click Create, and then click Close. The range of virtual servers you created
appears in the Load Balancing Virtual Servers page.
Note: Do not use -range and the [ ] range operator in the same command.
Example
add lb service Service-HTTP-1 http -range 3 10.102.29.102 80
or
add lb service Service-HTTP-[1-3] http 10.102.29.[102-104] 80
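The two range notations used in the add commands above, as an added example that is not NetScaler code and not taken from this guide: it expands a command into the individual virtual servers or services it creates and rejects the combination the note forbids. Assumptions of mine, since the page does not state them: with -range N the first entity keeps the given name and the others get a numeric suffix (the page names only the GUI "Name Prefix" field), every generated address must stay inside the /24 of the starting address, and only one [a-b] may appear per token.

```python
"""Added example (not NetScaler code): expand the two range notations in the add
commands above into the individual entities they create, and reject the
combination the note forbids.

Assumptions: with -range N the first entity keeps the given name and the others
get a numeric suffix (the page names only the GUI 'Name Prefix' field), every
address must stay inside the starting /24, and only one [a-b] may appear per
token.
"""
import ipaddress
import re
from typing import List, Tuple

BRACKET = re.compile(r"\[(\d+)-(\d+)\]")
Entity = Tuple[str, str, str, int]   # (name, protocol, ip, port)


def expand_bracket(token: str) -> List[str]:
    """'Vserver-LB-[2-7]' -> ['Vserver-LB-2', ..., 'Vserver-LB-7']; plain tokens pass through."""
    matches = list(BRACKET.finditer(token))
    if not matches:
        return [token]
    if len(matches) > 1:
        raise ValueError(f"only one [a-b] range allowed in {token!r}")
    m = matches[0]
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"descending range in {token!r}")
    return [f"{token[:m.start()]}{i}{token[m.end():]}" for i in range(lo, hi + 1)]


def consecutive_ips(start: str, count: int) -> List[str]:
    """N addresses from start, refusing to run past the /24 the start lies in."""
    first = ipaddress.IPv4Address(start)
    ips = [first + i for i in range(count)]
    if ips[-1].packed[:3] != first.packed[:3]:
        raise ValueError(f"a range of {count} from {start} leaves its /24")
    return [str(ip) for ip in ips]


def expand_command(cmd: str) -> List[Entity]:
    """Entities created by 'add lb vserver|add service NAME PROTO [-range N] IP PORT'."""
    toks = cmd.split()
    uses_bracket = any(BRACKET.search(t) for t in toks)
    if "-range" in toks and uses_bracket:
        raise ValueError("do not use -range and the [ ] operator in the same command")
    count = 1
    if "-range" in toks:
        i = toks.index("-range")
        try:
            count = int(toks[i + 1])
        except (IndexError, ValueError):
            raise ValueError("-range needs a positive integer") from None
        if count < 1:
            raise ValueError("-range needs a positive integer")
        del toks[i:i + 2]
    if len(toks) < 4:
        raise ValueError(f"cannot find NAME PROTO IP PORT in {cmd!r}")
    name, proto, ip, port = toks[-4], toks[-3], toks[-2], int(toks[-1])
    if uses_bracket:
        names, ips = expand_bracket(name), expand_bracket(ip)
        if len(names) != len(ips):
            raise ValueError(f"{len(names)} names but {len(ips)} addresses")
        for addr in ips:
            ipaddress.IPv4Address(addr)   # rejects, for example, a last byte of 256
    else:
        names = [name] + [f"{name}_{k}" for k in range(2, count + 1)]
        ips = consecutive_ips(ip, count)
    return [(n, proto, a, port) for n, a in zip(names, ips)]
```

-range N yields exactly N entities counted from the starting address, while [lo-hi] yields hi-lo+1, so the two forms are easy to get out of step; the expander makes the count visible before the command is run, and it refuses a range that would cross the /24 rather than silently continuing into the next subnet.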
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, click Add Range.
3. In the Create Service (Range) dialog box, in the IP Address Range and
Port text boxes, type the start value of the IP address range and the port (for
example, 10.102.29.102, and 80).
4. In the text box next to the IP Address Range text box, type the last value of
the last service (for example, 104).
5. In the Protocol drop-down list box, select the protocol type (for example,
HTTP).
6. Click Create, and then click Close. The range of services you created
appears in the Services page.
Example
add servicegroup Service-Group-1 HTTP
1. In the navigation pane, expand Load Balancing, and then click Service
Groups.
2. In the details pane, click Add.
3. In the Create Service Group dialog box, in the Service Group Name text
box, type name of the service group (for example, Service-Group-1).
4. In the Protocol list, select the protocol type (for example, HTTP).
5. Click Create, and then click Close.
The service group you created appears in the Service Groups page, as
shown in the following screen shot.
Example
bind lb vserver Vserver-LB-1 Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server to which you want to bind the
service group (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Services Groups tab.
4. In the Active column, select the check box next to the service group that
you want to bind to the virtual server (for example, Service-Group-1), and
then click OK.
Examples
bind servicegroup Service-Group-1 10.102.29.30 80
bind servicegroup Service-Group-2 1000:0000:0000:0000:0005:0600:700a:888b 80
bind servicegroup Service-Group-2 1000:0000:0000:0000:0005:0600:700a::888b-888d 80
1. In the navigation pane, expand Load Balancing, and then click Service
Groups.
2. In the details pane, select the service group for which you want to bind
members (for example, Service-Group-1), and then click Open.
3. In the Configure Service Group dialog box, under Specify Member(s),
select IP Based.
4. In the IP Address text box, type the IP address (for example,
10.102.29.30). If the IP address uses IPv6 format, select the IPv6 check box
and then enter the address in the IP Address text box.
5. Click OK.
Example
bind servicegroup Service-Group-1 Server-50 80
1. In the navigation pane, expand Load Balancing, and then click Service
Groups.
2. In the details pane, select the service group for which you want to bind
members (for example, Service-Group-1), and click Open.
3. On the Members tab, under Specify Member(s), click the Server Based
radio button.
4. In the server name list, select one or more servers (for example, Server-50).
5. In the Port text box, type the port (for example, 80).
6. Click Add, and then click OK.
Example
bind mon monitor-HTTP-1 Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service
Groups.
2. In the details pane, select the service group for which you want to bind
monitors (for example, Service-Group-1), and then click Open.
3. On the Monitors tab, under Available, select a monitor name (for example,
ping).
4. Click Add, and then click OK.
Example
set servicegroup Service-Group-1
Note: Any parameter you set on the service group is applied to the member
servers in the group and not to individual services.
1. In the navigation pane, expand Load Balancing, and then click Service
Groups.
2. In the details pane, select the service group that you want to modify (for
example, Service-Group-1), and then click Open.
3. Make the required changes to the service group, and then click OK.
Example
rm servicegroup Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service
Groups.
2. In the details pane, select the service group that you want to remove (for
example, Service-Group-1), and then click Remove.
3. In the Remove dialog box, click Yes.
Example
unbind servicegroup Service-Group-1 10.102.29.30 80
1. In the navigation pane, expand Load Balancing, and then click Service
Groups.
2. In the details pane, select the service group from which you want to unbind
members (for example, Service-Group-1), and then click Open.
3. In the Configure Service Group dialog box, in the Configured Members
list box, select a service (for example, 10.102.29.30).
4. Click Remove, and then click OK.
Example
unbind lb vserver Vserver-LB-1 Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server from which you want to unbind
the service group (for example, Vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Services Groups tab.
4. Clear the Active check box next to the service group that you want to
unbind from the virtual server (for example, Service-Group-1).
5. Click OK.
Example
unbind mon monitor-HTTP-1 Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service
Groups.
2. In the details pane, select the service group from which you want to unbind
the monitor (for example, Service-Group-1), and then click Open.
3. In the Configure Service Group dialog box, click the Monitors tab.
4. Under Configured, select the monitor that you want to unbind from the
service group (for example, monitor-HTTP-1), and then click Remove.
5. Click OK.
Example
disable servicegroup Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service
Groups.
2. In the Service Groups page, select the service group that you want to
disable (for example, Service-Group-1), and then click Disable.
3. In the Wait Time dialog box, type the wait time value (for example, 30).
4. Click Enter.
Example
enable servicegroup Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service
Groups.
2. In the details pane, select the service group that you want to enable (for
example, Service-Group-1), and then click Enable.
3. In the Enable dialog box, click Yes.
To view both the properties of the service group and its members, type:
show servicegroup <ServiceGroupName> -includemembers
Example
show servicegroup Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service
Groups.
2. In the details pane, click the name of the service group whose properties
you want to view, and then click Open.
Example
stat servicegroup Service-Group-1
1. In the navigation pane, expand Load Balancing, and then click Service
Groups.
2. In the details pane, select the service group whose statistics you want to
view (for example, Service-Group-1), and then click Statistics. The
statistics of the selected service group appear in a new window.
Translation IP Parameters
Parameter: IP Address / Domain Name (IPAddress | Domain)
Specifies: Server's domain name (for example, www.example.com). Note that for IP address translation, the domain name is required.
Parameter: Translation IP Address (translationIP)
Specifies: IP address (relevant octets only) to which the resolved IP for the server needs to be translated (for example, 11.12.0.0).
Parameter: Translation Mask (translationMask)
Specifies: Mask that determines the number of bits in the translation IP address that are to be considered when applying the transformation. For example, if you want an original server IP of 10.20.30.40 to be translated to 11.12.30.40, you could specify the mask 255.255.0.0.
Example
add server myMaskedServer www.example.com -translationIp 10.10.10.10 -translationMask 255.255.0.0 -state ENABLED
1. In the navigation pane, expand Load Balancing, and then click Servers.
2. In the details pane, click Add.
3. In the Create Server dialog box, in the Server Name field, enter a name.
4. In the IP Address / Domain Name field, enter the server's domain name.
If a destination IP address matches the IP patterns in more than one virtual server,
the longest match takes precedence. The following is an example:
• Virtual Server 1: IP pattern 10.10.0.0, IP mask 255.255.0.0
• Virtual Server 2: IP pattern 10.10.10.0, IP mask 255.255.255.0
• Destination IP address in the packet: 10.10.10.45.
• Selected virtual server: Virtual Server 2. Its mask covers more bits of the
destination address than the mask of Virtual Server 1, so it is the longer match.
Note that ports are also considered if a tie-breaker is required.
Examples
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, click Add.
3. In the Create Virtual Server dialog box, in the Name field, enter a name.
4. In the Protocol field, select the protocol (for example, HTTP).
5. In the Port field, enter the listen port.
6. In the IP Pattern field, enter a pattern for an IP address (for example,
11.11.0.0). The fixed part of the pattern must be entered in contiguous
octets. Enter zeros for the pattern values that can vary in the IP address.
7. In the IP Mask field, enter a standard network mask (for example,
255.255.0.0). Use non-zero mask values for the portion of the IP address
that constitutes the fixed part of the pattern.
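The two mask operations described above, translating a resolved server address with a translation IP and mask, and longest-match selection among pattern-based virtual servers, as an added Python illustration (this is not NetScaler code or the guide's own). The port tie-breaker rule is an assumption: among equal-length matches, a virtual server with an explicit port beats one listening on *.

```python
import ipaddress


def _to_int(dotted):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _check_mask(mask):
    """Reject non-contiguous masks: the guide requires the fixed part of a
    pattern to be in contiguous octets, so the mask must be a prefix mask."""
    inverse = ~mask & 0xFFFFFFFF
    if inverse & (inverse + 1):
        raise ValueError("translation/pattern mask must be contiguous")


def translate_ip(resolved_ip, translation_ip, translation_mask):
    """Apply a translation IP and mask as the Translation IP parameters describe:
    bits covered by the mask come from translation_ip, the remaining bits are
    kept from the address the server name resolved to."""
    mask = _to_int(translation_mask)
    _check_mask(mask)
    translated = (_to_int(translation_ip) & mask) | (_to_int(resolved_ip) & ~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(translated))


def select_vserver(vservers, dst_ip, dst_port):
    """Longest-match selection among pattern-based virtual servers.

    vservers: list of dicts with keys name, pattern, mask, port ('*' or int).
    A virtual server matches when the destination address agrees with the
    pattern on every mask bit and its port is '*' or equals dst_port. The match
    with the most mask bits wins; on a tie an explicit port beats '*' (assumed
    reading of "ports are also considered if a tie-breaker is required").
    Returns the winning name, or None when no virtual server matches."""
    dst = _to_int(dst_ip)
    best_name, best_key = None, None
    for vs in vservers:
        mask = _to_int(vs["mask"])
        _check_mask(mask)
        if (dst & mask) != (_to_int(vs["pattern"]) & mask):
            continue
        if vs["port"] != "*" and vs["port"] != dst_port:
            continue
        key = (bin(mask).count("1"), 0 if vs["port"] == "*" else 1)
        if best_key is None or key > best_key:
            best_name, best_key = vs["name"], key
    return best_name


# Sample data constructed from the two virtual servers in the guide's example.
SAMPLE_VSERVERS = [
    {"name": "Virtual Server 1", "pattern": "10.10.0.0", "mask": "255.255.0.0", "port": "*"},
    {"name": "Virtual Server 2", "pattern": "10.10.10.0", "mask": "255.255.255.0", "port": "*"},
]

if __name__ == "__main__":
    print(translate_ip("10.20.30.40", "11.12.0.0", "255.255.0.0"))  # 11.12.30.40
    print(select_vserver(SAMPLE_VSERVERS, "10.10.10.45", 80))       # Virtual Server 2
```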
The following diagram shows the load balancing entities, and the values of the
parameters that need to be configured on the NetScaler.
To transfer a file, you must open a control connection to the FTP server. The
NetScaler selects an FTP server using the load balancing principle and opens a
control connection to the selected FTP server. The FTP server also opens a data
connection that you can use to access the required file. The NetScaler can also
provide a passive FTP option to access the FTP servers from outside a firewall.
When you use this option and initiate a control connection to the FTP server, the
FTP server also initiates a control connection. You can then initiate a data
connection to transfer a file through the firewall.
The following sections describe the tasks required to implement this scenario:
1. Configuring a basic load balancing setup to load balance the FTP servers.
2. Creating FTP monitors.
Example
add lb monitor monitor-FTP-1 FTP -interval 360 -userName User -password User
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. In the details pane, click Add.
3. On the Standard Parameters tab, in the Name and Interval text boxes,
type monitor-FTP-1 and 340, respectively.
4. In the Type list, select FTP.
5. On the Special Parameters tab, in the User Name and Password text
boxes, type User.
6. Click Create, and then click Close. The monitor monitor-FTP-1 that you
created appears in the Monitors Page.
The following diagram shows the load balancing entities and the values of the
parameters that need to be configured on the NetScaler.
The following sections describe the tasks to implement this scenario. The tasks
include the following:
1. Configuring a basic load balancing setup to load balance DNS servers
2. Monitoring DNS Servers
Examples
add lb monitor monitor-DNS-1 DNS -query www.citrix.com -queryType Address -IPAddress 10.102.29.66
add lb monitor monitor-DNS-2 DNS -query www.citrix2.com -queryType Address -IPAddress 1000:0000:0000:0000:0005:0600:700a::888b-888d
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. In the Monitors page, click Add.
3. In the Create Monitor dialog box, in the Name and Interval text boxes,
type a monitor name and a monitoring interval (for example,
monitor-DNS-1 and 340, respectively).
4. Select the unit of time for the interval in the drop-down menu.
5. In the Type list, select DNS.
6. On the Special Parameters tab, in the Query text box, type the domain
name query to send to the DNS service (for example,
www.mycompany.com), and in the Query Type list box, select
ADDRESS or ZONE.
7. In the text box below the Query Type list box, type an IP address that is to
be checked against the response to the DNS monitoring query (for example,
10.102.29.66), and click Add.
Note: If you want to enter an IPv6 address, select the IPv6 check box
before entering the address.
8. Click Create, and then click Close. The monitor that you created appears in
the Monitors page.
Note: When you change the IP address of the server, the corresponding service
is marked down for the first client request. The name server resolves the service
IP address to the changed IP address for the subsequent requests.
The following diagram shows the load balancing entities and the values of the
parameters that need to be configured on the NetScaler.
The following sections explain the procedures required to implement the scenario
described in the preceding section:
1. Configuring a basic load balancing setup to load balance domain
name-based servers
Example
add dns nameServer Vserver-LB-2
1. In the navigation pane, expand DNS, and then click Name Servers.
2. In the details pane, click Add.
3. In the Create Name Server dialog box, select DNS Virtual Server.
4. In the DNS Virtual Server drop-down list, select the server name (for
example, Vserver-LB-2).
Note: Click New if you want to create a new load balancing vserver. The
Create Virtual Server (Load Balancing) dialog box appears.
The following diagram shows the load balancing entities and the values of the
parameters to be configured on the NetScaler.
Configuring RNAT
The following procedure describes the steps to configure RNAT.
Example
add route 10.102.29.0 255.255.255.0 10.102.29.50
1. In the navigation pane expand Network, expand Routing, and then click
Routes.
2. In the details pane, click Add.
3. In the Create Route dialog box, in the Network, Netmask, and Gateway
IP text boxes type 10.102.29.0, 255.255.255.0, and 10.102.29.50,
respectively.
4. Click Create, and then click Close.
Example
set sipParameters -rnatSrcPort 5060
Example
add lb monitor Monitor-RTSP-1 RTSP
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. In the details pane, click Add.
3. In the Create Monitor dialog box, in the Name and Interval text boxes,
type the name and probing interval of a monitor (for example,
Monitor-RTSP-1 and 340).
4. In the Type list, select the type of the monitor (for example, RTSP).
5. Click Create, and then click Close.
The following diagram shows the load balancing entities and values of the
parameters to be configured on the NetScaler.
The following sections describe the tasks required to implement this scenario:
1. Enabling MAC based forwarding mode
2. Configuring a basic load balancing setup
3. Customizing the load balancing setup for DSR mode
Example
enable ns mode MAC
2. On the Settings page, under Modes and Features, click Change modes.
3. In the Configure Modes dialog box, select the MAC Based Forwarding
check box, and then click OK.
4. In the Enable/Disable Feature(s)? message box, click Yes.
Example
set lb vserver Vserver-LB-1 -lbMethod SourceIPHash -m MAC -sessionless enabled
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server (for example, Vserver-LB-1),
and then click Open.
3. On the Method and Persistence tab, under LB Method, select
SOURCE IP Hash.
4. On the Advanced tab, under Redirection Mode, select MAC Based.
5. Select the Sessionless check box and click OK.
Example
set service Service-ANY-1 -usip yes
1. In the navigation pane, expand Load Balancing, and then click Services.
2. On the Services page, click Service-ANY-1, and then click Open.
3. On the Advanced tab, under Settings, select the Use Source IP check box,
and then click OK.
Note: For USIP to function correctly, you must set it globally. For more
information about configuring USIP globally, see the Citrix NetScaler
Networking Guide, Chapter 1, “IP Addressing.”
1. Create a loopback interface with the NetScaler's virtual server IP address
(VIP) (10.101.4.94) on all the servers participating in the DSR cluster.
2. At the Linux OS prompt, type the following commands:
ifconfig dummy0 up
ifconfig dummy0:0 inet 10.101.4.94 netmask 255.255.255.255 up
echo 1 > /proc/sys/net/ipv4/conf/dummy0/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/dummy0/arp_announce
The following sections describe the tasks required to implement this scenario:
1. Configuring a basic load balancing setup
2. Customizing the load balancing setup for DSR mode on Layer 3
A. Configuring the redirection mode
B. Configuring the monitor for TOS (Optional)
C. Configuring the servers for DSR mode
To configure the redirection mode for the virtual server by using the
NetScaler command line
Example
set lb vserver Vserver-LB-1 -m TOS -tosId 3
To configure the redirection mode for the virtual server by using the
configuration utility
1. In the left navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the Load Balancing Virtual Servers pane, select the virtual server (for
example, Vserver-LB-1) and click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, on the
Advanced tab, in Redirection Mode, click TOS Based.
4. In the TOS Id box, enter a value for the TOS ID, (for example, 3).
5. Click OK.
Example
add monitor mon1 PING -destip 10.102.33.91 -tos Yes -tosId 3
To create the transparent monitor for TOS by using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. On the Monitors pane, select the monitor (for example, tcp), and click
Add.
3. In the Create Monitor dialog box, in the Name and Destination IP boxes,
enter the monitor name and the destination IP address (for example, PING
and 10.102.33.91).
4. In the Type list, select the type of monitor (for example, PING).
5. To configure the monitor for TOS, select the TOS check box.
6. In the TOS Id box, enter the same TOS ID that you had entered for the
virtual server (for example, 3).
7. Click OK.
1. Create a loopback interface with the NetScaler VIP (10.102.33.91) on all
the servers participating in the DSR cluster.
At the Linux OS prompt, type the following commands:
Note: Add the correct mappings to the software before running it. In the
preceding commands, the LINUX server uses eth0 to connect to the network.
When you use this command, type the name of the interface that your LINUX
server uses to connect to the network.
Note: The instructions that follow assume familiarity with basic NetScaler load
balancing or content switching configuration. If you are not familiar with
configuring the NetScaler appliance, you should review the first three sections of
this chapter and “Configuring Load Balancing in Direct Server Return Mode,” on
page 260 before attempting to configure DSR mode using IP over IP.
Example
enable ns mode MAC
Configuring Services
After enabling MAC-based forwarding, you must next configure one service for
each of your protected applications. The service handles traffic from the
NetScaler appliance to those applications, and allows the NetScaler appliance to
monitor the health of each protected application.
You assign a service type of ANY and a port of * to your new service, and
configure it for USIP mode. You can also bind a monitor to the service if you
want the NetScaler appliance to monitor the health of the application.
Note: If you are unfamiliar with the general process of creating services, you
can review “Creating Services,” on page 32.
To create and configure a service for IP over IP DSR by using the NetScaler
command line
At the NetScaler command prompt, type the following commands in this order:
add service <serviceName> <serverName> <serviceType> <port> -usip <usip>
add monitor <monitorName> <monitorType> -destip <ip> -iptunnel <iptunnel>
Example
add service Service-DSR-1 10.102.29.5 ANY * -usip yes
add monitor mon-1 PING -destip 10.102.33.91 -iptunnel yes
Note: If you are unfamiliar with the general process of creating virtual servers,
see “Creating a Virtual Server,” on page 36.
To create and configure a load balancing virtual server for IP over IP DSR by
using the NetScaler command line
Example
add lb vserver Vserver-LB-1 ANY 10.102.29.60 * -lbMethod SourceIPHash -m IPTUNNEL -sessionless enabled
Example
bind lb vserver Vserver-LB-1 Service-DSR-1
Example
show lb vserver <name>
Argument: Name (name)
Specifies: A name for your new virtual server. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 127 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols.
Argument: Protocol (serviceType)
Specifies: The protocol that your virtual server processes. For an IP over IP DSR virtual server, set the protocol to ALL.
Argument: IP (ip)
Specifies: The IP address assigned to your virtual server. This is normally an Internet-routable IP.
Argument: Port (port)
Specifies: The port that your virtual server listens on for traffic. For an IP over IP DSR virtual server, set the port to *.
Argument: Method (method)
Specifies: The load balancing method to use for this load balancing configuration. For information on the various load balancing types, see “Changing the Load Balancing Algorithm,” on page 55.
Argument: IP Tunnel Tag (ipTunnelTag)
Specifies: Enables IP tunneling. For an IP over IP DSR virtual server, set to IPTUNNEL.
Argument: Sessionless Tag (sessionless)
Specifies: When set to sessionless, configures the virtual server to operate in sessionless mode.
To create and configure a load balancing virtual server for IP over IP DSR by
using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, click Add.
3. In the Create Virtual Server dialog box, type or select values for the
following parameters. (An asterisk indicates a required parameter. For a
term in parentheses, see the corresponding argument in the table above.)
• Name* (name)
• Protocol* (protocol)
• IP address* (IP)
• Port (port)
4. In the Services tab, select the check box beside the name of each service
that routes traffic to a server in your load balancing setup, and do any
additional configuration that is necessary.
• You can adjust the priority column by using the spin buttons to the
right of the priority number assigned to the service.
• You can modify the settings for any service by selecting it, and then
clicking Open to open the Configure Service dialog box for that
service.
• If you have not already created a service for each of your load
balancing servers, you can click Add to open the Create Service
dialog box and add a service.
5. In the Advanced tab, under Redirection Mode, select IP Tunnel Based.
6. Click Create.
7. Click Close.
The virtual server that you created now appears in the Virtual Servers
page.
Example
add iptunnel lb-dsr-tunnel-1 10.102.40.123 255.255.255.255 10.56.223.81
show iptunnel lb-dsr-tunnel-1
add route 10.102.40.123 255.255.255.255 lb-dsr-tunnel-1
show route 10.102.40.123 255.255.255.255
To create and configure an IP tunnel on the load balanced server for IP over
IP DSR
Log on to the load balanced server, and at the Unix shell prompt type the
following command:
add iptunnel tun1 <remoteIp> <remoteSubnetMask> <localIp>/*
show iptunnel <name>
Example
add iptunnel lb-dsr-tunnel-1 10.102.40.123 255.255.255.255 10.56.223.81/*
show iptunnel lb-dsr-tunnel-1
Argument: Name (name)
Specifies: A name for your new IP tunnel. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 127 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols.
Argument: Remote IP (remoteIp)
Specifies: The IP of the service that corresponds to the load-balanced server that you are configuring.
Argument: Remote Subnet Mask (remoteSubnetMask)
Specifies: The netmask of the subnet in which the remote IP is located.
Argument: Local IP (localIP)
Specifies: The VIP of the load balancing virtual server.
The following diagram shows the load balancing entities and values of the
parameters that need to be configured on the NetScaler.
The configuration and the entity diagram for inline mode are the same as
described in the section, “Configuring Load Balancing in One-arm Mode,” on
page 276.
Currently, the NetScaler supports load balancing of passive IDS devices only. The
following section describes load balancing of IDS servers (illustrated in the
preceding diagram):
1. The client request is routed to the server. A switch with a mirroring port
enabled forwards these packets to the server. The source IP address is the IP
address of the client, and the destination IP address is the IP address of the
server. The source MAC address is the MAC address of the router, and the
destination MAC address is the MAC address of the server.
2. The traffic that flows through the switch is mirrored to the NetScaler. The
NetScaler uses the layer 3 information (source IP address and destination IP
address) to forward the packet for balancing the load on IDS servers. An
IDS server is selected and the packet is sent to the server without changing
the source IP address or destination IP address, but the source MAC address
and the destination MAC address are changed to the MAC address of the
selected IDS server.
Note: You can configure the NetScaler to balance the load on IDS servers in the
inline mode or in the one-arm mode.
The following diagram shows the load balancing entities and values of the
parameters to be configured on the NetScaler.
The following sections describe the tasks required to implement this scenario:
Note: You must disable the layer 2 and layer 3 modes on the NetScaler for the
IDS load balancing.
Example
enable ns mode MAC
Note: To configure the virtual server with * as its IP address and port use the
procedure described in the section “Configuring a Basic Setup,” on page 30 with
the step described in this section.
Example
set lb vserver Vserver-LB-1 -lbMethod SourceIPDestIPHash -m MAC -sessionless enabled
1. In the left navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the Load Balancing Virtual Servers page, click virtual server
Vserver-LB-1, and then click Open.
3. On the Method and Persistence tab, under LB Method, select Source IP
Destination IP Hash.
4. On the Advanced tab, under Redirection Mode, click MAC Based.
5. Select the Sessionless check box, and then click OK.
Example
set service Service-ANY-1 -usip yes
1. In the navigation pane, expand Load Balancing, and then click Services.
2. On the Services page, select the service, Service-ANY-1, and then click
Open.
3. On the Advanced tab, under Settings, select the Use Source IP check box.
4. Click OK.
5. Repeat steps 1-5 for the services Service-ANY-2 and Service-ANY-3.
Note: For USIP to function correctly, you must set it globally. For more
information about configuring USIP globally, see the Citrix NetScaler
Networking Guide, Chapter 1, “IP Addressing.”
custom load monitors, or if at least one of the custom load monitors is not
up.
• If you disable a load monitor bound to the service, and if the service is
bound to a virtual server, then the virtual server goes to round robin.
• If you disable a metric-based binding, and if this is the last active metric,
then the specific virtual server goes to round robin. A metric is disabled by
setting the metric threshold to zero.
• When a metric bound to a monitor crosses the threshold value, that
particular service is not considered for load balancing. If all the services
have reached the threshold, the virtual server goes into round robin and
an error message “5xx - server busy error” is received.
• All the services that are bound to a virtual server where the LB
method is CUSTOMLOAD must have load monitors bound to them.
• The OIDs must be scalar variables.
• For successful load balancing, the interval must be as low as possible.
If the interval is high, the time period for retrieving the load value
increases. As a result, load balancing takes place using improper
values.
• The CUSTOMLOAD load balancing method also follows startup
round robin.
• A user cannot modify the local table.
• A maximum of 10 metrics from a custom table can be bound to the
monitor.
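The service selection rules in the list above, as an added Python model (this is not NetScaler code or the guide's own): a service whose metric has reached its threshold is skipped, a disabled load monitor or an all-disabled set of metrics drops the virtual server to round robin, and the startup round robin phase is honoured. Ordering eligible services by their load-to-threshold ratio, and treating load >= threshold as "reached", are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Service:
    """A service bound to a CUSTOMLOAD virtual server with one load metric.
    threshold == 0 means the metric is disabled, as the list above states."""
    name: str
    load: float
    threshold: float
    monitor_enabled: bool = True


class CustomLoadVserver:
    def __init__(self, services, startup_rr_requests=0):
        if not services:
            raise ValueError("CUSTOMLOAD needs at least one service with a load monitor")
        self.services = list(services)
        self.startup_left = startup_rr_requests  # requests served by startup round robin
        self._rr_index = 0

    def _round_robin(self, reason):
        svc = self.services[self._rr_index % len(self.services)]
        self._rr_index += 1
        return svc.name, reason

    def select(self):
        """Return (service name, reason) for the next request."""
        if self.startup_left > 0:
            self.startup_left -= 1
            return self._round_robin("startup round robin")
        # A disabled load monitor on any bound service sends the vserver to round robin.
        if any(not s.monitor_enabled for s in self.services):
            return self._round_robin("load monitor disabled")
        # Metrics with threshold 0 are disabled; losing the last one means round robin.
        active = [s for s in self.services if s.threshold > 0]
        if not active:
            return self._round_robin("last active metric disabled")
        # Services at or over threshold are not considered; if none remain, round robin
        # with the "5xx - server busy" condition from the guide.
        below = [s for s in active if s.load < s.threshold]
        if not below:
            return self._round_robin("all services at threshold: 5xx server busy")
        best = min(below, key=lambda s: s.load / s.threshold)  # assumed ordering key
        return best.name, "customload"


if __name__ == "__main__":
    # Constructed sample: Service-C has crossed its threshold and is skipped.
    vs = CustomLoadVserver([Service("Service-A", 20, 100),
                            Service("Service-B", 50, 100),
                            Service("Service-C", 120, 100)])
    print(vs.select())  # ('Service-A', 'customload')
```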
CHAPTER 2
Content Switching
This chapter describes the content switching (CS) feature of a Citrix NetScaler.
Content switching allows a NetScaler to distribute client requests across multiple
servers based on content that the client is requesting. This chapter lists the basic
and a few advanced settings that you can configure on a NetScaler.
In This Chapter
How Content Switching Works
Configuring Basic Content Switching
Modifying the Basic Content Switching Configuration
Customizing a Content Switching Setup
Protecting the Content Switching Setup against Failure
Managing Client Connections
Note: In addition to configuring policy priorities, you can manipulate the order
of policy evaluation by using Goto expressions and policy bank invocations. For
more details about advanced policy configuration, see the Citrix NetScaler Policy
Configuration and Reference Guide for release 9.2.e, Chapter 2, “Configuring
Advanced Policies.”
This section describes the topology of a basic content switching setup. It also
describes how to create the content switching virtual servers and bind policies to
them by using the basic topology. A basic content switching setup uses only the
mandatory parameters and serves as the first step in configuring the content
switching feature on a NetScaler. The basic content switching setup provides
simple and functional content switching configurations as described in the
following sections.
Content switching requires load balancing, and you need to know how to
configure a load balancing setup. For information about load balancing, see
Chapter 1, “Load Balancing.” In this example scenario, a content switching
virtual server Vserver-CS-1 is created and Vserver-CS-1 uses the load balancing
virtual server Vserver-LB-1 to balance the load on the services bound to
Vserver-LB-1. The following table lists the names and values of the basic entities
that must be configured on the NetScaler.
Sample Content Switching Configuration (mandatory parameters and sample values)
Entity type      Name            IP address      Port   Protocol
Virtual servers  Vserver-CS-1    10.102.29.161   80     HTTP
                 Vserver-LB-1    10.102.29.60    80     HTTP
Services         Service-HTTP-1  10.102.29.5     8083   HTTP
                 Service-HTTP-2  10.102.29.6     80     HTTP
Monitors         Default         None            None   None
The following diagram shows the content switching sample values and
mandatory parameters that are described in the preceding table.
Example
enable feature cs
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, click Add.
3. In the Create Virtual Server (Content Switching) dialog box, in the
Name, IP Address, and Port text boxes, type the name, IP address, and
port of the virtual server, (for example, Vserver-CS-1, 10.102.29.161, and
80).
Note: If you need to enter an IPv6 address, select the IPv6 check box
before you enter the address.
4. In the Protocol list, select the type of the virtual server (for example,
HTTP).
5. Click Create, and then click Close.
Example
add cs vserver Vserver-CS-1 HTTP 10.102.29.161 80
Policy Parameters
Parameter: URL or Rule (URLValue or RULEValue)
Specifies: Method used to specify which content switching virtual server receives client requests. For more information about policy expressions, see the Citrix NetScaler Policy Configuration and Reference Guide for release 9.2.e.
1. In the navigation pane, expand Content Switching, and then click Policies.
2. In the details pane, click Add.
3. In the Create Content Switching Policy dialog box, in the Name text box,
type the name of the policy (for example, Policy-CS-1), and then click
URL.
4. In the Value text box, type the string value (for example, /sports).
5. Click Create, and then click Close. The policy you created appears in the
Content Switching Policies page.
Example
add cs policy Policy-CS-1 -url /sports/*
1. In the navigation pane, expand Content Switching, and then click Policies.
2. In the details pane, click Add.
3. In the Create Content Switching Policy dialog box, in the Name text box,
type the name of the policy (for example, Policy-CS-1), and then click
Configure.
4. In the Create Expression dialog box, choose the expression syntax you
want to use.
• If you want to use classic syntax, accept the default and proceed to
the next step.
• If you want to use advanced syntax, select Advanced Syntax.
Examples
add cs policy Policy-CS-1 -rule "CLIENT.IP.SRC.SUBNET(24).EQ(10.217.84.0)"
add cs policy Policy-CS-2 -rule "SYS.TIME.BETWEEN(GMT 2009 Nov,GMT 2009 Dec)"
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, double-click the virtual server for which you want to
bind the policy (for example, Vserver-CS-1).
3. In the Configure Virtual Server (Content Switching) dialog box, on the
Policies tab, in the Active column, select the Active check box next to the
policy that you want to bind to the virtual server (for example,
Policy-CS-1).
4. In the Target column next to the policy, select the load balancing virtual
server that you want to configure for the content switching virtual server
(for example, Vserver-LB-1).
5. Click OK.
Example
bind cs vserver Vserver-CS-1 Vserver-LB-1 -policyname Policy-CS-1 -priority 20
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, click a virtual server to see the configuration details at
the bottom of this page.
3. Double-click the virtual server and click the Policies tab to see the policies
that are bound to it.
To list basic properties for all virtual servers, at the NetScaler command prompt,
type:
show cs vserver
To list the detailed properties of a particular virtual server, including its policy
bindings, at the NetScaler command prompt, type:
show cs vserver csVirtualServerName
Example
show cs vserver Vserver-CS-1
1. In the navigation pane, expand Content Switching, and then click Policies.
2. In the details pane, double-click a policy to view the details.
Note: To view the policy labels and virtual servers that this policy is bound to,
on the Content Switching Policies page, click Show Bindings.
To list all content switching policies, at the NetScaler command prompt, type:
show cs policy
To view the bindings of a particular policy, at the NetScaler command prompt,
type:
show cs policy PolicyName
Chapter 2 Content Switching 299
Example
show cs policy Policy-CS-1
1. In the navigation pane, expand Content Switching and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to view, and then
click Visualizer.
3. In the Content Switching Visualizer window, you can adjust the viewable
area as follows:
• Click the Zoom In and Zoom Out icons to increase or decrease the
viewable area.
• Click the Save Image icon to save the graph as an image file.
• In the Search in text field, type the name of the item you are looking
for to highlight its location on the visualizer. To restrict the search,
click the drop-down menu and select the type of element that you
want to search.
4. To view configuration details for entities that are bound to this virtual
server, you can do the following:
• To view policies that are bound to the virtual server, in the tool bar at
the top of the dialog box select one or more feature-specific policy
icons. If policy labels are configured, they appear in the main view
area.
• To view the configuration details for a bound service or service
group, click the icon for the service, click the Related Tasks tab, and
then click Show Member Services.
• To view the configuration details for a monitor, click the icon for the
monitor, click the Related Tasks tab, and then click View Monitor.
5. To view detailed statistics for any virtual server in the content switching
configuration, click the virtual server for which you want to view statistics,
then click the Related Tasks tab, and then click Statistics.
6. To view a comparative list of the parameters whose values either differ or
are not defined across the service containers of a load balancing virtual
server, click the icon for a container, click the Related Tasks tab, and then
click Service Attributes Diff.
7. To view monitor binding details for the services in a container, in the
Service Attributes Diff dialog box, in the Group column for the container,
click Details.
This comparative list helps you determine which service container has the
configuration you want to apply to all the service containers.
8. To view the number of requests received per second at a given point in time
by the virtual servers in the configuration and the number of hits per second
at a given point in time for rewrite, responder, and cache policies, click
Show Stats. The statistical information is displayed on the respective nodes
in the Visualizer. This information is not updated in real time and has to be
refreshed manually. To refresh this information, click Refresh Stats.
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server from which you want to unbind
the policy (for example, Vserver-CS-1), and click Open.
Example
unbind cs vserver Vserver-CS-1 -policyname Policy-CS-1
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to remove (for
example, Vserver-CS-1), and then click Remove.
3. In the Remove dialog box, click Yes.
Example
rm cs vserver Vserver-CS-1
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to disable (for
example, Vserver-CS-1), and then click Disable.
3. In the Disable dialog box, click Yes.
Example
disable cs vserver Vserver-CS-1
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server that you want to enable (for
example, Vserver-CS-1), and then click Enable.
3. In the Enable dialog box, click Yes.
Example
enable cs vserver Vserver-CS-1
You can create different policies based on the URL. URL-based policies can be of
different types as described in the following table.
Example of URL-Based Policies
Type of URL-based policy: Domain and Exact URL
Specifies: Load balancing based on a domain name and URL match. The incoming request must match both the configured domain name and the configured URL (an exact prefix match if only the prefix is configured, or an exact match of the prefix and suffix if both the prefix and suffix are configured).
Example:
add cs policy Policy-CS-1 -url /sports/tennis/index.html -domain "www.domainxyz.com"

Type of URL-based policy: Domain Only
Specifies: Load balancing based on a domain name match only. The incoming request must match the configured domain name.
Example:
add cs policy Policy-CS-1 -domain "www.domainxyz.com"

Type of URL-based policy: Exact URL
Specifies: Load balancing based on whether the incoming URL matches the configured URL rule. If only a URL prefix is configured, the incoming URL must match the prefix exactly. If a prefix and a suffix are configured, the incoming URL must match both the prefix and the suffix exactly.
Example:
add cs policy Policy-CS-1 -url /sports/tennis/index.html

Type of URL-based policy: Prefix Only (Wild Card URL)
Specifies: Load balancing based on a match of a partial prefix of the URL. All incoming URLs must start with the configured prefix.
Example:
add cs policy Policy-CS-1 -url /sports*
1. In the navigation pane, expand Content Switching, and then click Policies.
2. In the details pane, select the policy that you want to modify (for example,
Policy-CS-1), and then click Open.
3. In the Configure Content Switching Policies dialog box, in the Domain
text box, type the domain name (for example, www.domainxyz.com).
4. Click OK.
Example
set cs policy Policy-CS-1 -domain "www.domainxyz.com"
Note: You can configure content switching by using classic policy expressions
or advanced policy expressions. Rule-based policies use these policy
expressions. For more information about configuring policy expressions, see the
Citrix NetScaler Policy Configuration and Reference Guide for release 9.2.e.
1. In the navigation pane, expand Content Switching, and then click Policies.
2. In the details pane, select the policy that you want to remove (for example,
Policy-CS-1), and then click Remove.
3. In the Remove dialog box, click Yes.
Example
rm cs policy Policy-CS-1
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
case sensitivity (for example, Vserver-CS-1), and then click Open.
3. In the Configure Virtual Server (Content Switching) dialog box, on the
Advanced tab, select Case Sensitivity check box, and then click OK.
Example
set cs vserver Vserver-CS-1 -caseSensitive ON
• If you configure a default group for the content switching virtual server,
then the request is forwarded to the default group.
• If the configured default group is down or if no default group is configured,
then an “HTTP 404 Not Found” error message is sent to the client.
Note: Set URL-based precedence if the content type (for example, images) is
the same for all clients. If different content must be served based on client
attributes, such as the Accept-Language header, use rule-based precedence.
Note: Rule-based precedence can be based on any of several client attributes,
for example the browser type, when particular clients must be served different
content while all other clients are served from the content distributed among
the servers.
You can configure both URL-based policies and rule-based policies for the same
content switching virtual server. To set precedence, use the parameter described
in the following table.
Precedence Parameter
Parameter: Precedence
Specifies: Precedence for both rule-based and URL-based policies on the content switching virtual server. With the precedence set to RULE, incoming requests are first evaluated against the content switching policies created with the -rule argument of the add cs policy CLI command. If none of the rules match, the URL in the request is evaluated against the content switching policies created with the -url argument of the add cs policy CLI command. With the precedence set to URL, the URL-based policies are evaluated first. The possible values are RULE and URL. The default value is RULE.
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to set the
precedence (for example, Vserver-CS-1), and then click Open.
3. In the Configure Virtual Server (Content Switching) dialog box, on the
Advanced tab, under Precedence, click Rule or URL, and then click OK.
Example
set cs vserver Vserver-CS-1 -Precedence [Rule | URL]
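The following Python model is an added illustration, not NetScaler code and not part of this guide. It evaluates the policy types from the URL-based policies table, the Case Sensitivity setting, the RULE/URL precedence, and the default-group fallback (including the HTTP 404 sent when no default group is available) against constructed requests. The Request, CsPolicy and CsVserver classes, the in_subnet() helper and the target vserver names are assumptions; the policy names, URLs, domain and subnet are the guide's own examples. It also shows a caveat worth checking when policies are used to separate sensitive paths: with case sensitivity ON, a request for /SPORTS/news does not match a policy for /sports* and falls through to the default load balancing virtual server.

```python
"""Model of how a content switching virtual server selects its target.

Added illustration, not NetScaler code. Request, CsPolicy, CsVserver, the
target names and in_subnet() are assumptions; policy names and values are
the guide's own examples.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Request:
    host: str      # Host header of the incoming request
    path: str      # URL path of the incoming request
    src_ip: str    # client source address


@dataclass
class CsPolicy:
    name: str
    target: str                       # load balancing vserver bound as the target
    priority: int = 100               # lower numbers are evaluated first
    url: Optional[str] = None         # -url: exact path, "prefix*" or "prefix*suffix"
    domain: Optional[str] = None      # -domain
    rule: Optional[Callable[[Request], bool]] = None   # -rule expression


def url_matches(pattern: str, path: str, case_sensitive: bool) -> bool:
    """-url semantics from the table above: exact match unless a '*' splits the
    pattern into a prefix (and optional suffix) the incoming URL must carry."""
    if not case_sensitive:
        pattern, path = pattern.lower(), path.lower()
    if "*" not in pattern:
        return path == pattern
    prefix, suffix = pattern.split("*", 1)
    return (len(path) >= len(prefix) + len(suffix)
            and path.startswith(prefix) and path.endswith(suffix))


def policy_matches(policy: CsPolicy, req: Request, case_sensitive: bool) -> bool:
    if policy.rule is not None:
        return policy.rule(req)
    if policy.domain is None and policy.url is None:
        return False
    # Assumption: domains compare case-insensitively, as DNS names do.
    if policy.domain is not None and req.host.lower() != policy.domain.lower():
        return False
    if policy.url is not None and not url_matches(policy.url, req.path, case_sensitive):
        return False
    return True


@dataclass
class CsVserver:
    name: str
    policies: List[CsPolicy] = field(default_factory=list)
    default_lb: Optional[str] = None  # default load balancing vserver (default group)
    default_up: bool = True           # whether that default group is UP
    case_sensitive: bool = True       # -caseSensitive ON/OFF
    precedence: str = "RULE"          # -precedence RULE or URL

    def select(self, req: Request) -> str:
        """Target vserver for the request, or the error the client receives."""
        by_rule = sorted((p for p in self.policies if p.rule is not None), key=lambda p: p.priority)
        by_url = sorted((p for p in self.policies if p.rule is None), key=lambda p: p.priority)
        order = by_rule + by_url if self.precedence == "RULE" else by_url + by_rule
        for policy in order:
            if policy_matches(policy, req, self.case_sensitive):
                return policy.target
        if self.default_lb is not None and self.default_up:
            return self.default_lb
        return "HTTP 404 Not Found"   # no default group, or the default group is down


def in_subnet(cidr: str) -> Callable[[Request], bool]:
    """Rule equivalent to CLIENT.IP.SRC.SUBNET(24).EQ(10.217.84.0) for the given network."""
    net = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req.src_ip) in net


def demo_vserver(precedence: str = "RULE", case_sensitive: bool = True) -> CsVserver:
    """Vserver-CS-1 with the guide's example policies bound (targets are invented)."""
    return CsVserver(
        name="Vserver-CS-1", precedence=precedence, case_sensitive=case_sensitive,
        default_lb="Vserver-LB-Default",
        policies=[
            CsPolicy("Policy-CS-Subnet", "Vserver-LB-Internal", 10, rule=in_subnet("10.217.84.0/24")),
            CsPolicy("Policy-CS-1", "Vserver-LB-Tennis", 20,
                     url="/sports/tennis/index.html", domain="www.domainxyz.com"),
            CsPolicy("Policy-CS-2", "Vserver-LB-Sports", 30, url="/sports*"),
            CsPolicy("Policy-CS-3", "Vserver-LB-Images", 40, url="/images/*.gif"),
        ],
    )


if __name__ == "__main__":
    req = Request("www.domainxyz.com", "/sports/tennis/index.html", "10.217.84.5")
    print("RULE precedence:", demo_vserver("RULE").select(req))
    print("URL precedence: ", demo_vserver("URL").select(req))
    print("/SPORTS/news, case sensitive:", demo_vserver().select(Request("h", "/SPORTS/news", "192.0.2.1")))
```

With RULE precedence the subnet rule wins for a request from 10.217.84.0/24 even though the domain-and-URL policy also matches; switching the same vserver to URL precedence sends the same request to the URL policy's target instead.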
Redirect URLs can be absolute URLs or relative URLs. If the configured redirect
URL contains an absolute URL, the HTTP redirect is sent to the configured
location, regardless of the URL specified in the incoming HTTP request. If the
configured redirect URL contains only the domain name (relative URL), the
HTTP redirect is sent to a location after appending the incoming URL to the
domain configured in the redirect URL.
To configure a virtual server to redirect client requests to a URL, use the Redirect
URL parameter as described in the following table.
Redirect URL Parameter
Parameter: Redirect URL
Specifies: URL to which traffic is redirected if the virtual server on the NetScaler becomes unavailable. This value must not exceed 127 characters. The domain specified in the URL must not match the domain specified in the domain name argument of a content switching policy. If the same domain is specified in both, the request is redirected continuously to the same unavailable virtual server on the NetScaler, and the user cannot get the requested content.
To configure a redirect URL for when the content switching virtual server is
unavailable by using the configuration utility
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
the redirect URL (for example, Vserver-CS-1), and then click Open.
3. In the Configure Virtual Server (Content Switching) dialog box, on the
Advanced tab, in the Redirect URL text box, type the redirect URL (for
example, http://www.newdomain.com/mysite/maintenance).
4. Click OK.
To configure a redirect URL for when the content switching virtual server is
unavailable by using the NetScaler command line
Example
set cs vserver Vserver-CS-1 -redirectURL http://www.newdomain.com/mysite/maintenance
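The following Python functions are an added example, not NetScaler code, that apply the two rules stated for the Redirect URL parameter: how the Location is built from an absolute URL versus a domain-only URL, and the configuration check that catches a redirect domain that a bound policy's -domain argument also matches (the redirect loop the table warns about) or a value over 127 characters. The function names and the MAX_REDIRECT_URL constant are assumptions; the URLs are the guide's examples.

```python
"""Redirect URL handling for an unavailable content switching virtual server.
Added example, not NetScaler code; function names are assumptions."""
from typing import Iterable, Optional
from urllib.parse import urlsplit

MAX_REDIRECT_URL = 127   # limit stated in the Redirect URL parameter description


def redirect_location(redirect_url: str, request_path: str) -> str:
    """Location the client is sent to when the virtual server is down.
    An absolute URL (one carrying a path) is used unchanged; a URL that carries
    only the scheme and domain gets the incoming request URL appended."""
    parts = urlsplit(redirect_url)
    if parts.path not in ("", "/"):
        return redirect_url
    return f"{parts.scheme}://{parts.netloc}{request_path}"


def redirect_problem(redirect_url: str, policy_domains: Iterable[str]) -> Optional[str]:
    """Describe a misconfiguration, or return None if the redirect URL is acceptable.
    policy_domains are the -domain values of the policies bound to the vserver."""
    if len(redirect_url) > MAX_REDIRECT_URL:
        return f"redirect URL exceeds {MAX_REDIRECT_URL} characters"
    host = (urlsplit(redirect_url).hostname or "").lower()
    if not host:
        return "redirect URL has no domain"
    for domain in policy_domains:
        if domain.lower() == host:
            # The redirect would land on the same unavailable vserver again.
            return f"redirect domain {host} matches the -domain of a bound policy: redirect loop"
    return None


if __name__ == "__main__":
    print(redirect_location("http://www.newdomain.com", "/sports/tennis/index.html"))
    print(redirect_problem("http://www.domainxyz.com/maintenance", ["www.domainxyz.com"]))
```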
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
a backup virtual server (for example, Vserver-CS-1), and then click Open.
3. In the Configure Virtual Server (Content Switching) dialog box, click
the Advanced tab.
4. In the Backup Virtual Server list, select the backup virtual server (for
example, Vserver-CS-2).
5. If you want to configure the backup server to remain as the primary server
after the primary virtual server is brought back up, select the Disable
Primary When Down check box.
6. Click OK.
Example
set cs vserver Vserver-CS-1 -backupVserver Vserver-CS-2 -disablePrimaryOnDown
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
spillover (for example, Vserver-CS-1), and then click Open.
3. In the Configure Virtual Server (Content Switching) dialog box, on the
Advanced tab, under Spillover, in the Method list, select the type of
spillover, and in Threshold text box, type the threshold value (for example,
Connection and 1000).
4. Select the Persistence check box and in Persistence Time-out (min) text
box, type the timeout value (for example, 2).
5. Click OK.
Example
set cs vserver Vserver-CS-1 -soMethod Connection -soThreshold 1000 -soPersistence enabled -soPersistenceTimeout 2
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
caching (for example, Vserver-CS-1), and then click Open.
3. In the Configure Virtual Server (Content Switching) dialog box, on the
Advanced tab, select the Cacheable check box.
4. Click OK.
Example
set cs vserver Vserver-CS-1 -cacheable yes
To set down state flush on a content switching virtual server by using the
configuration utility
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to set down
state flush (for example, Vserver-CS-1), and then click Open.
3. In the Configure Virtual Server (Content Switching) dialog box, on the
Advanced tab, select the Down state flush check box, and then click OK.
To set down state flush on a virtual server by using the NetScaler command
line
Example
set cs vserver Vserver-CS-1 -downStateFlush enabled
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
redirect port rewrite (for example, Vserver-CS-1), and then click Open.
3. In the Configure Virtual Server (Content Switching) dialog box, on the
Advanced tab, select the Redirect Port Rewrite check box, and then click
OK.
Example
set cs vserver Vserver-CS-1 -redirectPortRewrite enabled
To insert the IP address and port of the virtual server in the client requests
by using the configuration utility
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
virtual server IP and port insertion (for example, Vserver-CS-1), and then
click Open.
3. In the Configure Virtual Server (Content Switching) dialog box, on the
Advanced tab, in the Vserver IP Port Insertion list, select VIPADDR or
V6TOV4MAPPING.
4. In the text box next to Vserver IP Port Insertion box, type the port header.
5. Click OK.
To insert the IP address and port of the virtual server in the client requests
by using the NetScaler command line
Example
set cs vserver Vserver-CS-1 -insertVserverIPPort VipAddr
To set a time-out value for idle client connections by using the configuration
utility
1. In the navigation pane, expand Content Switching, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to set the
client time-out (for example, Vserver-CS-1), and then click Open.
3. In the Configure Virtual Server (Content Switching) dialog box, on the
Advanced tab, in the Client Time-out (secs) text box, type the timeout
value (for example, 100).
4. Click OK.
To set a timeout value for idle client connections by using the NetScaler
command line
Example
set cs vserver Vserver-CS-1 -cltTimeout 100
CHAPTER 3
NetScaler Web 2.0 Push
For server push, you can use the NetScaler Web 2.0 Push feature to offload the
long-lived TCP connections to the NetScaler and reduce the number of persistent
client connections that the server must maintain. With NetScaler Web 2.0 Push,
the NetScaler multiplexes and manages the exchange of data (server push)
reliably, securely, and in a scalable manner. After every HTTP, HTTPS, or SSL
transaction, the NetScaler can de-link the client connection from the server and
rebalance the server farm, distributing client requests across multiple servers.
To configure NetScaler Web 2.0 Push, you need to create the push virtual server
and associate it with the load balancing or content switching virtual server. A
push virtual server enables the NetScaler to manage server-side connections.
Servers use the push virtual server to send updates for the deferred responses.
In This Chapter
How NetScaler Web 2.0 Push Works
Understanding the NetScaler Web 2.0 Push Deployment Scenario
Enabling NetScaler Web 2.0 Push
Creating a NetScaler Web 2.0 Push Virtual Server
Creating a Load Balancing or Content Switching Virtual Server for NetScaler
Web 2.0 Push
Verifying the NetScaler Web 2.0 Push Configuration
Monitoring the Configuration
Setting a Time-out Value for Idle Client Connections
Redirecting Client Requests to an Alternate URL
Polling Technique
However, the polling technique can overload the server if clients poll it
frequently. For example, if you deploy an AJAX application on a Web server with
limited resources and a million users simultaneously poll the server for
updates, the network can become saturated and server performance degrades
significantly. Also, when the server has no update, the client requests still
load the server only to receive an empty response.
To overcome these drawbacks, server push technology uses the long polling
technique. Long polling enables the client application to open a persistent
connection to the server and wait for the server to push updates when they
become available, as shown in the following diagram.
To overcome the drawbacks of the preceding techniques and improve server
performance, the NetScaler Web 2.0 Push feature enables the server to label a
client connection, and then to identify that connection and send data over it
after an interval of time. Any client request that arrives at the NetScaler
virtual IP address (VIP) is forwarded to the server. The Web server uses the
connection labeling protocol to generate a label and return it to the NetScaler
in a deferrable response. Notification servers later use the label to push
messages (updates) to the push virtual server, and the NetScaler sends them on
the corresponding client connection. If the AJAX application uses the HTTP
streaming technique, the NetScaler uses the label to push the chunks of updates
to the client, as shown in the following diagram.
When NetScaler Web 2.0 Push is configured as shown in the preceding diagram,
the interaction between the client and the server occurs as described in the
following steps.
Step 1 - Connection Setup. The client establishes a TCP/IP connection and
connects to the NetScaler. The NetScaler uses the configured traffic management
policy and selects a Web server. The NetScaler starts a connection to the selected
server from the server farm.
Step 2 - Client Identification. The server interacts with the client and uses
authentication or a previously established cookie to identify the client. The client
identification technique is identical to the technique used in server push, except
that at the end of every HTTP transaction, the NetScaler can rebalance the server
farm.
Step 3 - Connection Labeling. When the NetScaler receives any request with
push enabled, it initiates the labeling protocol with the Web server. The protocol
enables the Web server to label the connection and defer the response. The
protocol also enables the server to process other requests without invoking push-
processing.
Step 4 - Server Push. The Web servers that send updates (referred to as
notification servers) push them to clients through the NetScaler. A server uses
the previously established connection label to send updates at a later time.
Servers can choose to push multiple updates over a single TCP connection or to
open one connection per update.
Note: The set of Web servers that manage requests from the NetScaler can be
different from the notification servers (referred to as Updater in the preceding
diagram) that push updates to client.
NetScaler Web 2.0 Push enables the NetScaler to manage the idle client
connections and offload the server from maintaining a large number of concurrent
connections.
Important: For the NetScaler Web 2.0 Push feature to work correctly, you
must configure the NetScaler as a proxy for the traffic between the client and
servers. Additionally, you can use multiple NetScalers for the server farm to scale
up the connection management.
For more information on the entity model, protocols, and how they work, read the
following sections.
Chapter 3 NetScaler Web 2.0 Push 331
Transaction state machine for managing NetScaler Web 2.0 Push connections
As shown in the preceding diagram, the transaction state machine has the
following states.
• Waiting for Request State (Q). Represents that a connection is established
between the client and NetScaler. The NetScaler waits in this state for the
client to send a request.
• Waiting for Server Response State (R). Represents that a request is
received from the client, and the request is forwarded to a Web server. The
NetScaler waits in this state for the server to respond.
• Waiting for Asynchronous Messages State (A). Represents that the
NetScaler waits for asynchronous messages that the notification servers
push by using the push virtual server.
The state machine transitions as follows:
1. After the client establishes a connection to the NetScaler (load balancing or
content switching virtual server), the initial state of the transaction is Q.
2. When the NetScaler receives a request, it forwards the request to the server,
and the transaction moves to state R.
Note: For any update from the Web server, the NetScaler does not support
Rewrite and Compression.
A typical response with the required headers to initiate NetScaler Web 2.0 Push is
as follows:
Server Response Header
HTTP/1.0 200 OK
Server: TinyHTTPProxy/0.2.1 Python/2.5.1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: application/x-amr
Connection: close
X-NS-DEFERRABLE: YES
NSSERVERLABEL: 16318370962850900588694
Content-Length: 0
Note: If the NetScaler is aware of the content length, it may send the response
specifying the Content-Length, instead of chunked. This enables the NetScaler to
manage both HTTP streaming and long-polling responses.
The server uses the following requests to initiate NetScaler Web 2.0 Push.
• POST /CLIENT/V10/<id>?MSG_END=<val>
• PUT /CLIENT/V10/<id>?MSG_END=<val>
Where:
• <id> is the connection label.
• <val> is 1 or 0. MSG_END=1 indicates that the response is complete, that is,
this is the last update for the request. MSG_END=0 indicates that the server
needs to send more updates for the request.
• The body of the POST or PUT can be sent with a Content-Length or chunked-encoded.
A typical post request header with complete update (MSG_END=1) to the push
virtual server on NetScaler is as follows:
Post Request Header
POST /CLIENT/V10/16318370962850900588694?MSG_END=1 HTTP/1.1
Host: 10.217.6.64
Accept-Encoding: identity
Content-Length: 722
<722 bytes of update data>
The server uses the following request to tell the NetScaler to close the
outstanding labeled client connection.
• DELETE /CLIENT/V10/<id>
Where <id> is the label.
The server polls the NetScaler on the push virtual server for GoneAway clients
(client connections that have timed out) by using the following request.
• GET /CLIENTINFO/V10
A typical poll request is as follows:
Get Request Header
GET /CLIENTINFO/V10 HTTP/1.1
Host: 10.217.6.64
Accept-Encoding: identity
The response from the push virtual server is an XML document. A typical
response to PUT/POST/DELETE is as follows:
Push Virtual Server Response to PUT/POST/DELETE Request
HTTP/1.1 200 OK
Content-Type: text/xml; charset="UTF-8"
Content-Length: 121
<?xml version="1.0" encoding="UTF-8"?><CLIENTINFO>
<CLIENT ID="16318370962850900588694" INFO="SUCCESS" />
<CLIENT ID="16318370962850937637753" INFO="FAILURE" />
</CLIENTINFO>
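The exchange described in this section (the deferrable server response, POST/PUT with MSG_END, DELETE, and the GET /CLIENTINFO/V10 poll), simulated in Python as an added example that is not NetScaler code and not part of this guide. The header parsing, the PushVserver class, the numeric-label check and the GONEAWAY marker used to report timed-out clients are assumptions; the header names, paths, MSG_END values and the CLIENTINFO XML follow the samples above. The simulation also makes the access-control point concrete: the label is the only thing that selects the client connection an update is written into, so a request that presents an unknown or already closed label is answered with INFO="FAILURE" and nothing is written, and the push virtual server itself must only be reachable by authorized notification servers.

```python
"""Simulation of the NetScaler Web 2.0 Push labeling protocol.
Added example, not NetScaler code. PushVserver, the numeric-label check and
the GONEAWAY marker are assumptions; paths, headers and XML follow the guide."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the deferrable server response shown earlier in this section.
SAMPLE_DEFERRABLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Content-Type: application/x-amr\r\n"
    "X-NS-DEFERRABLE: YES\r\n"
    "NSSERVERLABEL: 16318370962850900588694\r\n"
    "Content-Length: 0\r\n\r\n"
)

PUSH_PATH = re.compile(r"^/CLIENT/V10/(?P<label>[0-9]+)$")   # assumption: labels are numeric


def parse_headers(raw: str) -> Dict[str, str]:
    """Header block -> dict keyed by lower-cased name (first line is status/request line)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def deferrable_label(raw_response: str) -> Optional[str]:
    """What the NetScaler takes from a server response: the label if the response
    is deferrable, otherwise None (the response is relayed to the client as usual)."""
    h = parse_headers(raw_response)
    if h.get("x-ns-deferrable", "").upper() != "YES":
        return None
    label = h.get("nsserverlabel", "")
    return label if label.isdigit() else None


def clientinfo_xml(entries: List[Tuple[str, str]]) -> str:
    """Build the CLIENTINFO document the push virtual server answers with."""
    root = ET.Element("CLIENTINFO")
    for label, info in entries:
        ET.SubElement(root, "CLIENT", ID=label, INFO=info)
    return '<?xml version="1.0" encoding="UTF-8"?>' + ET.tostring(root, encoding="unicode")


def parse_clientinfo(xml_text: str) -> Dict[str, str]:
    return {c.get("ID"): c.get("INFO") for c in ET.fromstring(xml_text).findall("CLIENT")}


class PushVserver:
    """Push virtual server state: labeled (open) client connections, the data
    pushed to each label, and connections that timed out before an update came."""

    def __init__(self) -> None:
        self.open = set()                              # labels in state A
        self.delivered: Dict[str, List[bytes]] = {}    # label -> updates relayed to the client
        self.gone_away: List[str] = []                 # timed out, not yet reported

    def label_connection(self, label: str) -> None:
        self.open.add(label)
        self.delivered.setdefault(label, [])

    def client_timeout(self, label: str) -> None:
        """cltTimeout expired on the labeled client connection."""
        if label in self.open:
            self.open.discard(label)
            self.gone_away.append(label)

    def handle(self, method: str, target: str, body: bytes = b"") -> Tuple[int, str]:
        """Request from a notification server -> (status code, CLIENTINFO XML)."""
        parts = urlsplit(target)
        if method == "GET" and parts.path == "/CLIENTINFO/V10":
            gone, self.gone_away = self.gone_away, []
            return 200, clientinfo_xml([(l, "GONEAWAY") for l in gone])  # GONEAWAY is assumed
        m = PUSH_PATH.match(parts.path)
        if m is None:
            return 404, clientinfo_xml([])
        label = m.group("label")
        # The label alone authorises a write into a client's connection, so an
        # unknown or already closed label is refused rather than created.
        if label not in self.open:
            return 200, clientinfo_xml([(label, "FAILURE")])
        if method in ("POST", "PUT"):
            msg_end = parse_qs(parts.query).get("MSG_END", ["0"])[0]
            if msg_end not in ("0", "1"):
                return 400, clientinfo_xml([(label, "FAILURE")])
            self.delivered[label].append(body)         # sent on the client's connection
            if msg_end == "1":
                self.open.discard(label)                # response complete; client back to state Q
            return 200, clientinfo_xml([(label, "SUCCESS")])
        if method == "DELETE":
            self.open.discard(label)                    # close the outstanding client connection
            return 200, clientinfo_xml([(label, "SUCCESS")])
        return 405, clientinfo_xml([(label, "FAILURE")])


if __name__ == "__main__":
    pv = PushVserver()
    lbl = deferrable_label(SAMPLE_DEFERRABLE_RESPONSE)
    pv.label_connection(lbl)
    print(pv.handle("POST", f"/CLIENT/V10/{lbl}?MSG_END=1", b"update")[1])
```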
The following diagram shows the sample values and mandatory parameters of the
NetScaler Web 2.0 Push setup that are described in the preceding table.
To enable NetScaler Web 2.0 Push by using the NetScaler command line
To create a NetScaler Web 2.0 Push virtual server by using the configuration
utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, click Add.
3. In the Name, Port, and IP Address text boxes, type a name for the push
virtual server, a port, and an IP address (for example, Vserver-Push-1, 80,
and 10.102.29.162).
4. In Protocol, select either SSL_PUSH or PUSH.
5. Click Create, and then click Close. The push virtual server you created
appears in the Load Balancing Virtual Servers pane.
To create a NetScaler Web 2.0 Push virtual server by using the NetScaler
command line
Example
add lb vserver Vserver-Push-1 PUSH 10.102.29.162 80
Important: For an SSL_PUSH virtual server, you must bind a certificate-key pair
(certkey). For instructions on how to bind a certificate-key pair to the virtual
server, see Chapter 5, “Secure Sockets Layer (SSL) Acceleration.”
Use the following procedure to create a load balancing virtual server with push
enabled and configure a push label.
To create a load balancing virtual server for NetScaler Web 2.0 Push by
using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the virtual server for which you want to configure
push virtual server (for example, Vserver-LB-1), and click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, select the
Enable Push check box and in the Push Virtual Server list, select the
push virtual server (for example, Vserver-Push-1) and click OK.
Note: To create a content switching virtual server for NetScaler Web 2.0 Push
by using the configuration utility, in the navigation pane, expand Content
Switching, and then click Virtual Servers. Then, follow the steps as described
previously in the section.
To create a load balancing virtual server for NetScaler Web 2.0 Push by
using the NetScaler command line
Example
add lb vserver Vserver-LB-1 HTTP 10.102.29.161 80 -push ENABLED -pushVserver Vserver-Push-1 -pushLabel "HTTP.RES.HEADER(\"NSLABEL\").VALUE(0)" -pushMultiClients YES
Note: You can also associate the load balancing virtual server with the push
virtual server by using set lb vserver command. To associate the content
switching virtual server with the push virtual server, use the set cs vserver
command.
To view the properties of the push virtual server by using the configuration
utility
In the navigation pane, expand Load Balancing, and then click Virtual Servers.
The details of the available virtual servers appear on the Load Balancing Virtual
Servers page.
To view the properties of the push virtual server by using the NetScaler
command line
Example
show lb vserver Vserver-Push-1
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the details pane, select the virtual server whose statistics you want to
view (for example, Vserver-Push-1).
3. Click Statistics to view the statistics of the virtual server.
Example
stat lb vserver Vserver-Push-1
To set a time-out value for idle client connections by using the configuration
utility
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the details pane, select the push virtual server for which you want to set
the client time-out (for example, Vserver-Push-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4. In the Client Time-out (secs) text box, type the timeout value
(for example, 100).
5. Click OK.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select the push virtual server for which you want to
configure redirect URL (for example, Vserver-Push-1), and then click
Open.
3. On the Advanced tab, in the Redirect URL text box, type the URL (for
example, http://www.newdomain.com/mysite/maintenance).
4. Click OK.
Example
set lb vserver Vserver-Push-1 -redirectURL http://www.newdomain.com/mysite/maintenance
To set a time-out value for idle client connections by using the NetScaler
command line
Example
set lb vserver Vserver-Push-1 -cltTimeout 100
Note: The push virtual server accepts updates from any server that can reach it
and present a connection label, and it writes those updates into client
connections. Make sure that only authorized notification servers can connect to
it: use an SSL_PUSH virtual server and configure SSL client certificate
authentication for it. For instructions on how to configure SSL client
authentication, see Chapter 5, “Secure Sockets Layer (SSL) Acceleration.”
CHAPTER 4
HTML Injection
This chapter describes the HTML Injection functionality of the Citrix NetScaler.
It explains what HTML Injection is and how to configure it. It addresses both
basic and advanced configuration procedures.
In This Chapter
How HTML Injection Works
Configuring HTML Injection to Insert Data in the HTTP Header
Configuring HTML Injection to Insert Data into the HTTP Body
Configuring the HTML Injection Feature for Commonly Used Applications
The following diagram illustrates how HTML Injection is used to insert data.
Note: Contact your Citrix customer service center to obtain licenses for the
HTML Injection feature.
Chapter 4 HTML Injection 353
To enable the HTML Injection feature using the NetScaler command line
The following sample procedure describes the steps to create a filter action,
Action-Filter-1 to insert the system variable %%HTTP.XID%% into the custom
HTTP header X-HTTP-REQ-ID.
The following sample procedure describes the steps to use the filter action
Action-Filter-1, created in the previous section, to create the filter policy
Policy-Filter-1, which inserts the system variable into every successful HTTP
response.
Note: To insert data into the HTTP request header, in step 4, choose Request
Action.
Note: The ns_true general expression always evaluates to true, so the policy
applies to every response that passes through the NetScaler. If you need to
act on specific responses only, create policies with more detailed expressions.
For information on configuring granular policy expressions, see the Citrix
NetScaler Policy Configuration and Reference Guide for release 9.2.e.
6. Click OK, and then click Close. The filter policy that you created,
Policy-Filter-1, now appears in the Filter Policies page.
Note: You can bind filter policies to virtual servers, or to bind points on the
NetScaler, and also globally. For more information on binding filter policies, see
the Citrix NetScaler Policy Configuration and Reference Guide for release 9.2.e.
1. In the navigation pane, expand Protection Features, and then click Filter.
2. In the details pane, click the Actions tab.
3. Verify that the filter action Action-Filter-1 is displayed.
4. Select the filter action Action-Filter-1 and in the Details section, verify the
qualifier and the value.
1. In the navigation pane, expand Protection Features, and then click Filter.
2. In the details pane, verify that the filter policy Policy-Filter-1 is displayed.
3. Select the filter policy Policy-Filter-1, and in the details pane, verify that
the rule ns_true is configured.
To verify that the filter policies are bound to the load balancing vserver
using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, from the list of virtual servers, select the virtual server
to which you want to bind the filter policy (for example, Vserver-LB-1),
and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Policies tab to view the policies configured on the NetScaler.
4. Verify that the check box corresponding to the filter policy to be bound to
the virtual server is selected.
To verify that the filter policies are bound to the load balancing vserver
using the NetScaler command line
Note: The prebody file name can have a maximum of 64 characters and can
have any extension.
Note: The postbody file name can have a maximum of 64 characters and can
have any extension.
The following is a sample postbody file created on the NetScaler that will be used
for postbody injection.
1. In the navigation pane, expand Protection Features, and then click Filter.
2. In the details pane, click the Actions tab, and then click Add.
3. In the Create Filter Action dialog box, in the Action Name text box, type
the name of the filter action (for example, Action-Filter-Prebody).
4. Under Qualifier, choose Add.
5. In the Value list, select Prebody.
6. Click Create. The filter action Action-Filter-Prebody is created.
1. In the navigation pane, expand Protection Features, and then click Filter.
2. In the details pane, click the Actions tab, and then click Add.
3. In the Create Filter Action dialog box, in the Action Name text box, type
the name of the filter action (for example, Action-Filter-Postbody).
4. Under Qualifier, choose Add.
5. In the Value list, select Postbody.
6. Click Create. The filter action Action-Filter-Postbody is created.
1. In the navigation pane, expand Protection Features, and then click Filter.
2. In the details pane, click Add.
3. In the Create Filter Policy dialog box, in the Filter Name text box, type
Policy-Filter-Prebody.
4. Under Response Action, choose the filter action, Action-Filter-Prebody,
to be associated with this policy.
5. Under General Named Expressions, select the built-in general expression
ns_true, and then click Add Expression.
6. Click OK and click Close. The new filter policy, Policy-Filter-Prebody,
appears in the Filter Policies page.
1. In the navigation pane, expand Protection Features, and then click Filter.
2. In the details pane, click Add.
3. In the Create Filter Policy dialog box, in the Filter Name text box, type
Policy-Filter-Postbody.
4. Under Response Action, choose the filter action, Action-Filter-Postbody,
to be associated with this policy.
5. Under General Named Expressions, select the built-in general expression
ns_true, then click Add Expression. The expression ns_true now appears
in the Expression text box.
6. Click OK, then click Close. The new filter policy Policy-Filter-Postbody,
appears in the Filter Policies page.
Note: For details on setting up a Citrix EdgeSight for NetScaler server, refer to
the Citrix EdgeSight for NetScaler Installation Guide.
In order to configure the NetScaler for performance measurement using the Citrix
EdgeSight server, you must create specific prebody and postbody scripts, then
bind them on the NetScaler. Once the policies are bound, data is sent to the Citrix
EdgeSight for NetScaler server to enable performance analysis and measurement.
In the following example, the client connects to a Citrix NetScaler that hosts the
site http://www.a.com. A Citrix EdgeSight for NetScaler server, http://ens.citrix.com,
is used to measure application performance for all traffic flowing
through the Citrix NetScaler. The following table lists the names and values of the
entities that must be configured on the NetScaler before you can set up
performance monitoring as described in the example.
Example Configuration for Measuring Application Performance
Entity type                             Name             URL
Load Balancing Virtual Server           Vserver-LB-ENS   http://www.a.com
Citrix EdgeSight for NetScaler Server                    http://ens.citrix.com
You can also customize the Citrix EdgeSight-specific prebody and postbody
JavaScript files by including other NetScaler internal variables as required.
Once the prebody and postbody files are configured, you can create HTML
Injection policies, as described earlier, and use them to measure performance in
conjunction with the Citrix EdgeSight server.
1. In the navigation pane, expand Protection Features, and then click Filter.
2. In the details pane, click Add.
3. In the Create Filter Policy dialog box, in the Filter Name text box, type
Policy-Filter-Postbody.
4. Under Response Action, choose the filter action, Action-Filter-Postbody,
to be associated with this policy.
5. Under General Named Expressions, select the built-in general expression
ns_true, then click Add Expression. The expression ns_true now appears
in the Expression text box.
6. Click OK, then click Close. The new filter policy Policy-Filter-Postbody,
appears in the Filter Policies page.
To bind the prebody filter policy to the load balancing vserver using the
configuration utility
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the details pane, select Vserver-LB-ENS, and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Policies tab to view the policies configured on the NetScaler.
4. Select the check box next to Policy-Filter-Prebody.
5. Click OK. The filter policy Policy-Filter-Prebody is bound to the virtual
server Vserver-LB-ENS.
To bind the postbody filter policy to the load balancing vserver using the
configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, select Vserver-LB-ENS, and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, select the
Policies tab to view the policies configured on the NetScaler.
4. Select the check box next to Policy-Filter-Postbody.
5. Click OK. The filter policy Policy-Filter-Postbody is bound to the virtual
server Vserver-LB-ENS.
CHAPTER 5
Secure Sockets Layer (SSL) Acceleration
This chapter describes Secure Sockets Layer (SSL) acceleration on the NetScaler.
In This Chapter
How SSL Works
Configuring SSL Offloading
Managing Certificates
Configuring Client Authentication
Managing Certificate Revocation Lists
Monitoring Certificate Status with OCSP
Customizing the SSL Configuration
Managing SSL Actions and Policies
Configuring Some Commonly Used SSL Configurations
Configuring the SSL Feature for Commonly Used Deployment Scenarios
This section explains the procedures to configure basic SSL offloading on the
NetScaler. The following tasks are covered:
• Enabling Secure Sockets Layer (SSL)
• Configuring an SSL Virtual Server for Basic SSL Offloading
• Verifying the Configuration
Note: For TCP traffic, follow the procedures given later, but create TCP
services instead of HTTP services.
To configure basic SSL offloading, you need to set the parameters as described in
the sections that follow.
The procedures describe the steps to configure the SSL feature in a basic SSL
offload setup where an SSL virtual server Vserver-SSL-1 offloads SSL traffic
directed to two HTTP services, Service-HTTP-1 and Service-HTTP-2.
Adding Services
A service on the NetScaler represents a physical Web server in the network. Once
configured, services are in the disabled state until the NetScaler can reach the
server on the network and monitor its status.
To add a service
1. In the navigation pane, expand SSL Offload, and then click Services.
2. In the Services pane, click Add.
3. In the Service Name text box, type the name of the service being added
(for example, Service-HTTP-1).
4. In Server, type or select the IP address of the server to be associated with
this service (for example, 10.102.20.30).
5. In the Protocol list, select the protocol.
6. In Port, type the port number for the service to use (for example, port 80 is
used for HTTP-based services).
7. Click Create, then click Close. The HTTP service you configured appears
in the Services page.
Example
add service Service-HTTP-1 10.102.20.30 HTTP 80
SSL processing is then carried out on the incoming traffic at the virtual server.
Therefore, before enabling the SSL virtual server on the NetScaler, you need to
bind a valid SSL certificate to the SSL virtual server.
1. In the navigation pane, expand SSL Offload, then click Virtual Servers.
2. In the SSL offload Virtual Servers pane, click Add.
3. In the Name text box, type the name of the virtual server to be created (for
example Vserver-SSL-1).
4. In the IP Address text box, type the IP address of the virtual server (for
example, 10.102.29.50).
5. Under Protocol, select SSL.
6. In the Port text box, type the port number for the virtual server to use (for
example, 443).
7. Click Create, then click Close. The virtual server you created appears in
the SSL Offload Virtual Servers page.
Note: The SSL virtual server you created is shown as down because a
certificate-key pair has not been bound to it, and there are no services bound to it.
Example
add lb vserver Vserver-SSL-1 SSL 10.102.29.50 443
Note: If the data transfer between the NetScaler and the server is encrypted, the
entire transaction is secure from end-to-end. For details about configuring the
NetScaler for end-to-end security, refer to the section “Configuring SSL
Offloading with End-to-End Encryption,” on page 448.
1. In the navigation pane, expand SSL Offload, and then click Virtual
Servers.
2. In the details pane, select a virtual server (for example, Vserver-SSL-1),
and then click Open.
3. On the Services tab, select the options next to the services (for example,
Service-HTTP-1 and Service-HTTP-2).
4. Click OK.
Note: The load balancing feature on the NetScaler should be enabled before
binding multiple services to a virtual server. For details on enabling features on
the NetScaler, see “Enabling Secure Sockets Layer (SSL),” on page 377.
Example
bind lb vserver Vserver-SSL-1 Service-HTTP-1
bind lb vserver Vserver-SSL-1 Service-HTTP-2
Chapter 5 Secure Sockets Layer (SSL) Acceleration 381
Note: Both the certificate and the key must be present in the same
location. To use a certificate present on the local system, in Step 4
preceding, select Local Computer.
Note: You will not be able to load the FIPS key from a local storage
device such as a hard disk or flash memory. FIPS keys should always be
loaded from the Hardware Security Module (HSM).
Note: To encrypt the key used in the certificate key pair, in the Password
text box, type the password to be used for encryption.
9. Click Install. The certificate key pair you created appears in the SSL
Certificates window.
Example
add ssl certkey Certkey-SSL-1 -cert Cert-SSL-1 -key Key-SSL-1
Note: It is recommended that you use a valid SSL certificate that has been
issued by a trusted certificate authority. Invalid certificates and self-created
certificates will not be compatible with all client NetScalers.
1. In the navigation pane, expand SSL Offload and click Virtual Servers.
2. Select the virtual server to bind the certificate key to, and click Open.
3. In the Configure Virtual Server (SSL Offload) dialog box, click SSL
Settings.
4. In the Available pane, select a certificate.
To bind an SSL certificate key pair to a virtual server by using the NetScaler
command line
Example
bind ssl vserver Vserver-SSL-1 -certkeyName Certkey-SSL-1
Example
show service Service-HTTP-1
1. In the navigation pane, expand SSL Offload, then click Virtual Servers.
2. Verify that the configured virtual server Vserver-SSL-1 is displayed and is
Enabled.
3. Select the virtual server Vserver-SSL-1 and in the Details section, verify
that the parameters are accurately configured.
Example
show vserver Vserver-SSL-1
To view the properties of the configured certificate key pairs using the
configuration utility
To view the properties of the configured certificate key pairs using the
NetScaler command line
Example
show ssl certkey Certkey-SSL-1
Example
1. In the navigation pane, expand SSL Offload, and then click Virtual
Servers or Services.
2. In the details pane, select the virtual server or service on which SNI is to be
enabled, and then click Open.
3. In the Configure Virtual Server (SSL Offload) or Configure Service
dialog box, on the SSL Settings tab, click SSL Parameters.
4. In the Configure SSL Params dialog box, under Others, select the SNI
Enable check box.
5. Click OK.
6. On the SSL Settings tab, under Available, select a certificate.
7. In the Add drop-down list select As SNI.
8. To add more certificates, repeat step 7.
9. Under Configured, verify that the certificate is added as a server certificate
for SNI.
10. Click OK.
Managing Certificates
To configure the SSL feature, you need a certificate and a private key for the Web
server. An SSL certificate is a digital data form (X509) that identifies a company
(domain) or an individual. An SSL key is the private component of the
public-private key pair used in asymmetric key encryption (public key encryption).
You can obtain the SSL certificate and key in one of three ways:
• From an authorized certificate authority (CA), such as VeriSign.
• Use an existing SSL certificate and key.
• Generate a new SSL certificate and key on the NetScaler.
Example
create ssl rsakey Key-RSA-1 1024
Note: SSL certificates and keys are stored by default in the /nsconfig/ssl
directory on the NetScaler. If you want to store them elsewhere, use the
browse button to navigate to the required location.
4. In the Key Size (Bits) text box, type the size in bits of the key (for example,
1024).
5. Click Create, and then click Close. The DSA key you created is saved on
the NetScaler.
Example
create ssl dsakey Key-DSA-1 1024
For added security, you can encrypt your SSL key using the Data Encryption
Standard (DES) or triple DES (3DES) algorithm. The DES and triple DES
options are valid only for keys stored in Privacy Enhanced Mail (PEM) format,
not for keys stored in DER format.
Caution: Make sure you limit access to your private key. Anyone who has
access to your private key can generate a new CSR and obtain a new certificate
using your identity.
The certificate that you receive from the CA is valid only with the private key
used to create the CSR. The private key is required to add the certificate on the
NetScaler.
Note: You can use the browse button to navigate to the saved key on the
NetScaler.
5. Select the format the key was saved in (for example, PEM).
6. In the PEM Passphrase (For Encrypted Key), type the password used to
encrypt the key.
7. Under Distinguished Name Fields, enter relevant information for each
parameter. The information you enter will form the Distinguished Name
(DN) of the company (Web site).
8. Click Create, then click Close. The certificate signing request you created
is saved on the NetScaler in the specified location.
Example
create ssl certreq Certificate-Request-1 -keyFile Key-RSA-1
Next, you need to send the CSR to a CA for authentication and signing. Most
CAs accept certificate submissions by email. The CA will return a valid
certificate to the email address you used to submit the CSR.
Once you have obtained the signed certificate from a CA, install the certificate
and its corresponding private key on the NetScaler.
Note: For further instructions on exporting keys and certificates, refer to the
documentation of the server you are exporting from.
Key and certificate names cannot contain spaces or special characters other than
those supported by the UNIX file system. Be sure to follow the appropriate
naming convention when you save the exported key and certificate.
The NetScaler supports two encoding formats for keys and certificates: PEM and
DER. You must convert the certificate or key file to one of these formats before
you install them.
Note: Use an FTP client to transfer the certificate and the key to the NetScaler
in binary mode.
Note: Use an FTP client to transfer the certificate and the key to the server in
binary mode.
Note: Use an FTP client to transfer the certificate and the key to the NetScaler
in binary mode.
The following procedure describes the steps to export the certificate,
mySite-cert.db, and the key, mySite-key.db, from an iPlanet Web server.
If the error message “Bad database error without -d option” appears, use the -d
switch to point to the directory where the certificate and key databases are
located.
The default names for the certificate and key databases on an iPlanet server are
cert7.db and key3.db. iPlanet may prefix the server name with the full machine
name for the administrator server and any additional virtual servers that you have
defined. In this case, you must include the -P switch with the argument:
https-hostname.domain.com-hostname.
The exported certificate will be saved in PKCS#12 format and must be converted
to PEM or DER format before you install it on the NetScaler.
To export the certificate file and private key file from the WebLogic server
1. Identify the file where the certificate and key are stored. The path to this file
should be displayed in the weblogic.properties file, in the following fields:
• The weblogic.security.key.server property field contains the name of
the private key file.
• The weblogic.security.certificate.server property field contains the
name of the certificate file received from the CA.
2. Use an FTP client to transfer the certificate and key in binary mode to the
NetScaler.
The certificate and key file must be transferred to the NetScaler in the same
format. In some versions of BEA WebLogic Server (for example, version 5.0.1),
the server allows the key to be exported in DER format and the certificate in PEM
format. In such cases, you can convert the DER-encoded key to PEM format
using the following OpenSSL tool command:
openssl pkcs8 -in keyfile.der -inform DER -out keyfile.pem -outform PEM
Once the certificate and key files are transferred to the NetScaler, install the
certificate key pair using the procedures described in the section “Adding a
Certificate Key Pair,” on page 381.
Generating a Key
This section describes how to generate a key on the NetScaler that can be used for
creating certificates.
Generating a DH Key
The DH key exchange feature enables support for Diffie-Hellman (DH) key
exchange for an SSL virtual server or SSL service on the NetScaler. By default,
this feature is disabled.
You need to enable this feature to support ciphers that use DH as the key
exchange algorithm.
The following procedure describes the steps to create a 512-bit DH key,
Key-DH-1, with its DH generator set to 2.
Example
create ssl dhparam Key-DH-1 512 -gen 2
Note: Instead of typing the certificate name, you can use the browse
button to launch the NetScaler file browser and select the file.
Example
create ssl cert Root-CA Certificate-Request-1 PEM ROOT_CERT -keyFile Key-RSA-1 -keyForm PEM -days 365
Note: Instead of typing the filename, you can use the browse button to
launch the NetScaler file browser and select the file visually.
Example
create ssl cert Intermediate-CA Certificate-Request-2 PEM INTM_CERT -CAcert Root-CA -CAcertForm PEM -days 365
Note: To create server and client certificates, in step 5, select the option next to
Server Certificate and Client Certificate and in step 10, select the
corresponding intermediate certificate instead of a root certificate.
Example
link ssl certkey Cert-Server Cert-Intermediate-A
1. In the navigation pane, expand SSL Offload, and then click Virtual
Servers.
2. In the details pane, select the vserver for which you want to enable server
authentication (for example, Vserver-SSL-1), and then click Open.
3. In the Configure Virtual Server dialog box, on the SSL Settings tab, click
the down arrow next to the Install button, and then select Server Test
Certificate.
4. In the Create and Install Server Test Certificate dialog box, in the
Certificate File Name and Fully Qualified Domain Name boxes, type the
respective names of the server test certificate and the domain for which you
want to secure the connection (for example, Docs and mycompany.com).
5. In Country, select the country or region name (for example, INDIA), and
then click OK. The certificate appears in the Configured list.
6. Click OK. The server test certificate is now bound to the SSL vserver.
Note: Alternatively, you can create a server test certificate by clicking Create
and Install a Server Test Certificate on the SSL node in the navigation pane of
the configuration utility.
To update an existing certificate key pair using the NetScaler command line
Example
update ssl certkey Certkey-SSL-1 Certificate-SSL-New -key Key-SSL-New
To disable domain check for a certificate using the NetScaler command line
Example
update ssl certkey Certkey-SSL-1 -noDomainCheck
4. In the Notification Period text box, type the required notification period
value (for example, 60).
Note: The notification period parameter can be set to any value between
10 and 100 days and the default notification period is 30 days.
Example
set ssl certkey Certkey-SSL-1 -expiryMonitor ENABLED -notificationPeriod 60
After you configure an expiry monitor, reporting is carried out through the syslog
and nsaudit logs by default. If you want to create SNMP alerts for the same
scenario, you must configure them separately.
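The same check the expiry monitor performs can be run off-box against the notAfter dates of exported certificates, for instance to confirm a notification period before setting it. The following Python is an added example, not Citrix code; it assumes notAfter lines in the format printed by openssl x509 -noout -enddate and applies the 10 to 100 day range and the 30-day default stated above:

```python
"""Flag certificate key pairs whose expiry falls inside a NetScaler-style
notification period (added example, not NetScaler code)."""
import math
import ssl

# Limits for the notificationPeriod parameter as documented for the expiry monitor.
DEFAULT_NOTIFICATION_DAYS = 30
MIN_NOTIFICATION_DAYS = 10
MAX_NOTIFICATION_DAYS = 100
SECONDS_PER_DAY = 86400


def parse_not_after(line):
    """Parse one line as printed by `openssl x509 -noout -enddate`, for
    example 'notAfter=Jan  5 09:34:43 2025 GMT', into seconds since the
    epoch (UTC). ssl.cert_time_to_seconds expects exactly that date format."""
    prefix = "notAfter="
    if not line.startswith(prefix):
        raise ValueError(f"not an openssl enddate line: {line!r}")
    return ssl.cert_time_to_seconds(line[len(prefix):].strip())


def validate_notification_period(days):
    """Apply the documented default (30 days) and accept only 10..100 days."""
    if days is None:
        return DEFAULT_NOTIFICATION_DAYS
    if not MIN_NOTIFICATION_DAYS <= days <= MAX_NOTIFICATION_DAYS:
        raise ValueError(
            f"notificationPeriod must be between {MIN_NOTIFICATION_DAYS} "
            f"and {MAX_NOTIFICATION_DAYS} days, got {days}")
    return days


def expiring_certkeys(certkeys, now, notification_period=None):
    """Return [(certkey_name, whole_days_left), ...] for every certificate
    whose expiry is within the notification period, most urgent first.
    Certificates that have already expired appear with a negative day count.

    certkeys -- mapping of certkey name -> 'notAfter=...' line
    now      -- current time in seconds since the epoch (UTC)
    """
    period = validate_notification_period(notification_period)
    flagged = []
    for name, line in certkeys.items():
        days_left = math.floor((parse_not_after(line) - now) / SECONDS_PER_DAY)
        if days_left <= period:
            flagged.append((name, days_left))
    return sorted(flagged, key=lambda item: item[1])


# Constructed sample data: certkey names follow the guide, dates are made up.
SAMPLE_CERTKEYS = {
    "Certkey-SSL-1": "notAfter=Feb 15 00:00:00 2025 GMT",
    "Certkey-SSL-2": "notAfter=Jan 20 12:00:00 2025 GMT",
    "Certkey-SSL-3": "notAfter=Dec 30 00:00:00 2024 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")

if __name__ == "__main__":
    # With a 60-day period all three are reported; with the default 30 only two.
    for name, days in expiring_certkeys(SAMPLE_CERTKEYS, SAMPLE_NOW, 60):
        state = "EXPIRED" if days < 0 else "expires in"
        print(f"{name}: {state} {abs(days)} day(s)")
```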
If the server certificate is a global site certificate, the server sends its certificate,
along with the accompanying intermediate-CA certificate. The browser first
validates the intermediate-CA certificate using the Root-CA certificates that
come installed in browsers. On successful validation of the intermediate-CA
certificate, the server certificate is validated using the intermediate-CA
certificate. On successful validation, the browsers renegotiate (upgrade) the SSL
connection to 128-bit encryption.
With Microsoft Server Gated Cryptography (SGC), if the Microsoft IIS server is
configured with an SGC certificate, export clients that receive the certificate
renegotiate to 128-bit encryption.
Note: For more instructions on exporting certificates and keys for your server
type, see “Exporting Existing Certificates and Keys,” on page 390.
1. Using a text editor, copy the server certificate and the accompanying
intermediate-CA certificate into two separate files.
The individual PEM encoded certificate will begin with the header
-----BEGIN CERTIFICATE----- and end with the trailer -----END CERTIFICATE-----.
2. Use an FTP client to transfer the server certificate, intermediate-CA
certificate, and server-key to the NetScaler.
3. Use the following command to identify the server certificate and
intermediate-CA certificate from the split files. The NetScaler comes with
the openssl tool installed in /usr/bin.
At the FreeBSD shell prompt, enter the following command:
openssl x509 -in cert.pem -text | more
If the CN field in the Subject matches the domain-name of your Web site,
then this is the server certificate and the other certificate is the
accompanying intermediate-CA certificate.
4. Add the server certificate (and its private key) on the NetScaler. For details
on creating a certificate key pair on the NetScaler, see “Adding a Certificate
Key Pair,” on page 381.
5. Add the intermediate-CA certificate on the NetScaler. Use the server
certificate you created in step 4 to sign this intermediate certificate. For
details on creating an Intermediate-CA certificate on the NetScaler, see
“Generating Self-Signed Certificates,” on page 395.
6. Bind the server certificate to the SSL virtual server. For details on binding
the server certificate to the SSL virtual server, see “Adding a Certificate
Key Pair,” on page 381.
Note: You can navigate the file system on the NetScaler using the
Browse button.
5. In the Import Password box, type the password that was used to create the
PKCS file.
6. Under Encoding Format, select the type of algorithm to be used to encrypt
the private key of the imported certificate (for example, DES).
7. In the PEM Passphrase text box, type the password, if any, used to encrypt
the key (for example, Import Passphrase).
Note: The PEM Passphrase option is displayed only if either the DES or
the DES3 encoding formats are chosen.
8. In the Verify PEM Passphrase text box, type the same passphrase again
for confirmation.
9. Click OK. The client certificate you imported is saved on the NetScaler.
Example
convert ssl pkcs12 Cert-Import-1.pem -import -pkcs12File Cert-Import-1.pfx -des
4. In the Certificate File Name text box, type the name of the certificate to be
converted (for example Cert-Client-1).
5. In the Key File Name text box, type the name of the key file associated
with the certificate (for example, Key-Client-1).
6. In the Export Password text box, type the password to encrypt the
exported key with (for example, ExportPassword).
7. In the PEM Passphrase text box, type the password, if any, used to encrypt
the key (for example, PEMPassphrase).
8. Click OK. The client certificate you exported is saved on the NetScaler.
Example
convert ssl pkcs12 Cert-Client-1.pfx -export -certFile Cert-Client-1 -keyFile Key-Client-1
Note: In order for the NetScaler to verify issuer signatures, the CA certificate
for the client certificate must be installed on the NetScaler.
If the certificate is valid, the NetScaler allows the client to access all secure
resources. But if the certificate is found to be expired, corrupt, or absent, the
NetScaler drops the client request during the SSL handshake. However, an
administrator can configure the NetScaler to proceed with the handshake even if
the client does not provide a valid certificate.
The NetScaler verifies the client certificate by first forming a chain of certificates,
starting with the client certificate and ending with the root CA certificate for the
client (for example, VeriSign). This chain includes the client certificate and may
contain one or more intermediate CA certificates (if the client certificate is not
directly issued by the root CA).
In order for the client authentication feature to work properly, the CA certificates
used in client certificate verification (root CA and any intermediate CA
certificates) must be installed on the NetScaler and bound to the SSL virtual
server.
This section describes the procedures involved in configuring client
authentication on the NetScaler.
Before changing the client certificate check to Optional, be sure to define proper
access control policies.
Note: This command does not enable client authentication globally for all SSL
virtual servers.
1. In the navigation pane, expand SSL Offload, and then click Virtual
Servers.
2. Select the virtual server for which you want to configure client certificate-
based authentication, and then click Open.
3. Click the SSL Settings tab and click SSL Parameters.
4. In the Others group, select the Client Authentication check box.
5. In Client Certificate, select Mandatory.
6. Click OK, and in the Configure Virtual Server (SSL Offload) dialog box,
click OK. The virtual server is now configured for client authentication.
Example
set ssl vserver Vserver-SSL-1 -clientAuth ENABLED -clientCert MANDATORY
1. In the navigation pane, expand SSL Offload, and then click Services.
2. Select the service for which you want to enable server authentication
(for example, Service-SSL-1), and then click Open.
3. In the Configure Service dialog box, on the SSL Settings tab, click SSL
Parameters.
4. In the Others group, select the Server Authentication option.
5. Click OK. Server authentication is now enabled for the service.
Example
set ssl service Service-SSL-1 -serverAuth ENABLED
2. Select the service for which you want to enable server authentication (for
example, Service-SSL-1), then click Open.
3. In the Configure Service dialog box, under Available Certificates, select the
CA certificate you want to bind (for example Cert-CA-1), and then click
Add as CA.
4. Click OK. The CA certificate is now bound to the SSL service.
To bind the CA certificate to the service using the NetScaler command line
Example
bind ssl service Service-SSL-1 -certkeyName Cert-CA-1 -CA
Note: To select an existing file on the NetScaler, click the Browse button
and navigate to the required file.
5. Select the Format option of the CRL file being added (for example, PEM).
6. Under CA Certificate, select the CA certificate next to the CRL file.
Example
add ssl crl CRL-1 SSL_CRL.pem -inform PEM
When you specify refresh parameters and an LDAP server, the CRL does not
have to be present on the local hard disk drive at the time you execute the
command. The first refresh will store a copy on the local hard disk drive, in the
path specified by the CRL File parameter. The default path for storing the CRL is
/var/netscaler/ssl.
To configure CRL auto refresh using LDAP using the configuration utility
Note: If the new CRL has been refreshed in the external repository before
its actual update time as specified by the LastUpdate field of the CRL, you
should immediately refresh the CRL on the NetScaler.
9. Click Create. The CRL for which you configured refresh parameters
appears in the CRL page.
To configure CRL auto refresh using LDAP using the NetScaler command
line
Example
set ssl crl CRL-1 -refresh ENABLED -server 10.217.130.2 -method LDAP -port 389 -baseDN "dc=flyers, dc=ctxs" -interval NOW
To configure CRL auto refresh using HTTP using the configuration utility
Note: If the new CRL has been refreshed in the external repository before
its actual update time as specified by the LastUpdate field of the CRL, you
should refresh it immediately on the NetScaler.
8. Click Create. The CRL for which you configured refresh parameters
appears in the CRL page.
To configure CRL auto refresh using HTTP using the NetScaler command
line
Example
set ssl crl CRL-1 -refresh ENABLED -url http://10.102.19.190/CA1.crl -method HTTP -port 80 -interval NOW
Synchronizing CRLs
When the NetScaler performs SSL acceleration, it uses the most recently
distributed CRL to prevent clients with revoked certificates from accessing secure
resources.
If CRLs are updated often, the NetScaler needs an automated mechanism to fetch
the latest CRLs from the repository. You can configure the NetScaler to update
CRLs automatically at a specified refresh interval or time.
The NetScaler maintains an internal list of CRLs that need to be updated at
regular intervals. At these specified intervals, it scans the list for CRLs that need
to be updated, then connects to the remote LDAP server or HTTP server and
retrieves the latest CRLs. It then replaces the local CRL list with the new CRLs.
Note: If the initial CRL refresh fails, all client-authentication connections with
the same issuer as the CRL are rejected as REVOKED until the CRL is
successfully refreshed.
To synchronize the CRL at a specific time, use the intervals in the following table.
Intervals to Synchronize the CRL
Interval    Days
Monthly     Set the day of the month on which the CRL refresh will be done.
            For example, if you want the refresh to be done on the 15th of
            every month, under Days, select 15.
Weekly      Set the day of the week on which the CRL refresh will be done
            (Sunday=1, Monday=2, Tuesday=3, Wednesday=4, Thursday=5,
            Friday=6 and Saturday=7). For example, if you want the refresh
            to be done on Tuesday every week, under Days, select 3.
Daily       Set the Daily argument if you want the CRL refresh to be carried
            out every day.
Chapter 5 Secure Sockets Layer (SSL) Acceleration 417
Note: If you provide an invalid number for the day of the month or day of the
week, the NetScaler adjusts it to the nearest valid value and performs the refresh
on that day.
You can set the exact time of day the CRL is refreshed, using the parameters
under the Time group. Specify time in 24-hour format (HH:MM).
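The interval table and the Time parameter above determine when the appliance next fetches the CRL. As an added example, not taken from the guide or from NetScaler software, the following Python module models that schedule so an operator can predict the next refresh instant and see how the Sunday=1 week numbering and month-end days are handled. The function names are my own, and treating an out-of-range day as clamped to the nearest valid value is an assumption about how the appliance's adjustment works.

```python
"""Compute the next CRL refresh instant from a NetScaler-style interval setting.

Added example (not NetScaler code). It models the Monthly/Weekly/Daily
interval table: Weekly uses the guide's Sunday=1 .. Saturday=7 numbering,
Monthly pulls a day past the month's end back to the last day of that month,
and an out-of-range day is clamped to the nearest valid value (assumption).
"""
import calendar
from datetime import datetime, timedelta


def clamp(value, low, high):
    """Move an out-of-range day to the nearest valid value (assumed behaviour)."""
    return max(low, min(high, value))


def at_time(base, hour, minute):
    """Return ``base`` with its clock set to HH:MM (24-hour)."""
    return base.replace(hour=hour, minute=minute, second=0, microsecond=0)


def month_candidate(year, month, day, hour, minute):
    """Refresh instant in the given month; day 31 becomes Feb 29 in 2024, etc."""
    last_day = calendar.monthrange(year, month)[1]
    return datetime(year, month, min(day, last_day), hour, minute)


def next_refresh(now, interval, day=None, time_of_day="00:00"):
    """Next refresh instant strictly after ``now``.

    interval: "MONTHLY" (day = day of month), "WEEKLY" (day = Sunday=1 ..
    Saturday=7) or "DAILY"; time_of_day is HH:MM in 24-hour format.
    """
    hour, minute = (int(part) for part in time_of_day.split(":"))
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("time_of_day must be HH:MM in 24-hour format")
    interval = interval.upper()

    if interval == "DAILY":
        candidate = at_time(now, hour, minute)
        return candidate if candidate > now else candidate + timedelta(days=1)

    if day is None:
        raise ValueError(f"{interval} refresh needs a day value")

    if interval == "WEEKLY":
        # Guide numbering Sunday=1..Saturday=7 -> Python weekday() Monday=0..Sunday=6
        wanted = (clamp(day, 1, 7) - 2) % 7
        days_ahead = (wanted - now.weekday()) % 7
        candidate = at_time(now, hour, minute) + timedelta(days=days_ahead)
        return candidate if candidate > now else candidate + timedelta(days=7)

    if interval == "MONTHLY":
        day_of_month = clamp(day, 1, 31)
        candidate = month_candidate(now.year, now.month, day_of_month, hour, minute)
        if candidate > now:
            return candidate
        year, month = (now.year + 1, 1) if now.month == 12 else (now.year, now.month + 1)
        return month_candidate(year, month, day_of_month, hour, minute)

    raise ValueError(f"unknown interval {interval!r}")


def demo():
    """Constructed reference instant: Monday 15 Jan 2024, 10:00."""
    now = datetime(2024, 1, 15, 10, 0)
    return {
        "weekly_tuesday_0200": next_refresh(now, "WEEKLY", day=3, time_of_day="02:00").isoformat(),
        "monthly_31_from_jan": next_refresh(now, "MONTHLY", day=31).isoformat(),
        "monthly_31_from_feb": next_refresh(datetime(2024, 2, 1), "MONTHLY", day=31).isoformat(),
        "daily_same_minute": next_refresh(now, "DAILY", time_of_day="10:00").isoformat(),
        "weekly_day_9_clamped": next_refresh(now, "WEEKLY", day=9).isoformat(),
        "monthly_15_already_past": next_refresh(now, "MONTHLY", day=15, time_of_day="09:00").isoformat(),
    }


if __name__ == "__main__":
    for label, when in demo().items():
        print(f"{label:28s} {when}")
```

Two behaviours are worth noticing when reading the output: a refresh whose time has already passed today (or this month) rolls forward to the next period rather than firing immediately, and a Monthly day of 31 is pulled back to the 29th in February 2024 instead of being skipped, which is the behaviour the note below describes for invalid day numbers.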
Example
create ssl crl Cert-CA-1 Key-CA-1 File-Index-1 -revoke Cert-Invalid-1
Example
create ssl crl Cert-CA-1 Key-CA-1 File-Index-1 -genCRL CRL-1
Example
sh ocspResponder ocsp_responder1
1)Name: ocsp_responder1
URL: http://www.myCA.org:80/ocsp/, IP: 192.128.22.22
Caching: Enabled Timeout: 30 minutes
Batching: 5 Timeout: 100 mS
HTTP Request Timeout: 100mS
Request Signing Certificate: sign_cert
Response Verification: Full, Certificate:
responder_cert
sh ssl vs vs1
Advanced SSL configuration for VServer vs1:
DH: DISABLED
…
1) CertKey Name: ca_cert CA Certificate OCSPCheck:
Mandatory
1) Cipher Name: DEFAULT
Description: Predefined Cipher Alias
Done
You cannot modify the responder name. All other parameters can be changed
using the set ssl ocspResponder command.
At a NetScaler command prompt, type the following commands to set the
parameters and verify the configuration:
Note: When both OCSP and CRL check are set to optional, OCSP check is
used by default. However, if a usable OCSP responder is not available, CRL
check is used.
• Batching Delay-batchingDelay
• Trust Responses-To disable signature checks by the OCSP
responder, select this check box.
• Certificate-responderCert.
• Produced At Time Skew-producedAtTimeSkew.
• Request Time-out-resptimeout
• Signing Certificate-signingCert
• Nonce-useNonce
4. Click Create or OK, and then click Close.
5. In the OCSP Responder pane, click the responder that you just configured
and verify that the settings displayed at the bottom of the screen are correct.
6. In the navigation pane, click Certificates.
7. In the details pane, select a certificate and click OCSP Bindings.
8. In the OCSP Binding Details for certificate:certkey dialog box, specify
values for the parameters. The contents of the dialog box correspond to the
parameters described in "Parameters for binding a certificate-key pair to an
OCSP responder" as follows:
• OCSP Responder Name-ocspResponder. If an OCSP responder is
not already bound to the certificate-key pair, click Insert OCSP
Responder and select a name from the OCSP Responder Name
drop-down list.
• Priority-priority.
9. To bind a different certificate-key pair, click Unbind OCSP Responder,
and then click Insert OCSP Responder and select a name from the OCSP
Responder Name drop-down list.
10. Verify that the settings displayed at the bottom of the screen are correct.
11. Click OK.
12. In the navigation pane, expand SSL Offload and click Virtual Servers.
13. Select the virtual server to bind the certificate key to, and click Open.
14. In the Configure Virtual Server (SSL Offload) dialog box, click SSL
Settings.
15. In the Available pane, select a certificate.
16. In the Add drop-down list select As CA.
17. To make OCSP check mandatory, in the Configured pane, in the Check
drop-down list, select OCSP Mandatory.
18. Click OK.
Note: The customizations described in this section are for an SSL virtual server,
or an individual SSL service, but not for global SSL system settings.
To customize the SSL configuration for an SSL virtual server, first launch the
Configure SSL Params dialog box as described later.
To customize the SSL configuration for an SSL virtual server using the
configuration utility
1. In the navigation pane, expand SSL Offload, then click Virtual Servers.
2. Select the virtual server for which you want to customize SSL settings (for
example, Vserver-SSL-1), and then click Open.
3. On the SSL Settings tab, click SSL Parameters.
4. In the Configure SSL Params dialog box, specify changed values for the
parameters.
To customize the SSL configuration for an SSL virtual server using the
NetScaler command line
Example
set ssl vserver Vserver-SSL-1
To customize the SSL configuration for an SSL service, first launch the
Configure SSL Params dialog box as described later.
1. In the navigation pane, expand SSL Offload, and then click Services.
428 Citrix NetScaler Traffic Management Guide
2. Select the service for which you want to customize SSL settings (for
example, Service-SSL-1), and then click Open.
3. On the SSL Settings tab, click SSL Parameters.
4. In the Configure SSL Params dialog box, specify changed values for the
parameters.
To customize the SSL configuration for an SSL service using the NetScaler
command line
Example
set ssl service Service-SSL-1
4. Click OK. The DH parameters are now configured to refresh the DH key
after every 1000 sessions.
Example
set ssl vserver Vserver-SSL-1 -dh ENABLED -dhCount 1000
Note: The ephemeral RSA key is automatically generated when you bind an
export cipher to an SSL or TCP-based SSL vserver or service. When you remove
the export cipher, the eRSA key is not deleted but reused at a later date when
another export cipher is bound to an SSL or TCP-based SSL vserver or service.
The eRSA key is deleted when the system restarts.
Example
set ssl vserver Vserver-SSL-1 -eRSA ENABLED -eRSACount 1000
3. In the Time-out text box, type the timeout value in seconds (for example,
600).
4. Click OK. The NetScaler is now configured to reuse SSL sessions for 600
seconds.
Example
set ssl vserver Vserver-SSL-1 -sessReuse ENABLED -sessTimeout 600
Note: You can configure cipher redirection only for SSL virtual servers, not for
SSL services.
Example
set ssl vserver Vserver-SSL-1 -cipherRedirect ENABLED -cipherURL http://redirectURL
Example
set ssl vserver Vserver-SSL-1 -sslv2Redirect ENABLED -sslv2URL http://sslv2URL
Example
set ssl vserver Vserver-SSL-1 -tlsv1 ENABLED
Example
set ssl vserver Vserver-SSL-1 -sslRedirect ENABLED
Example
sync HA files SSL
To launch the Create SSL Action dialog box using the configuration utility
To launch the Create SSL Action dialog box using the Netscaler command
line
Example
add ssl action
2. In the Name text box, type a name for the SSL action (for example, Action-
SSL-ClientAuth).
3. In the Client Authentication group, select Enabled.
4. Click Create, then click Close.
Example
add ssl action Action-SSL-ClientAuth -clientAuth DOCLIENTAUTH
Note: You can only enable Outlook Web Access support for HTTP-based SSL
vservers and services. You cannot apply it for TCP-based SSL vservers and
services.
The following procedure describes the steps to create an SSL action, Action-SSL-
OWA, that enables support for Outlook Web Access on the NetScaler.
Note: Outlook Web Access support is applicable only for SSL virtual server
based configurations and transparent SSL service based configurations and not
for SSL configurations with back-end encryption.
Example
add ssl action Action-SSL-OWA -OWASupport ENABLED
Configuring Insertion
Because the NetScaler offloads all SSL-related processing from the servers, the
servers only receive HTTP traffic. The NetScaler receives and processes all SSL
data and does not pass it to the servers.
Under certain circumstances, a user may want certain SSL information to be
passed on to the servers. For example, security audits of recent SSL transactions
require the client subject name (contained in an X509 certificate) to be logged at
the server. This data is inserted into the HTTP header as a name-value pair and
sent to the server.
The entire client certificate can be inserted into the HTTP header, if required, or
only the specific fields from the certificate can be inserted, such as subject, and
issuer.
Note: Before client certificate insertion can be carried out, client authentication
must be enabled.
To insert the client certificate serial number using the configuration utility
To insert the client certificate serial number using the NetScaler command
line
Example
add ssl action Action-SSL-SerialNumber -clientcertSerialNumber ENABLED -certSerialHeader "X-SERIAL-NUMBER"
To insert the client certificate subject name using the configuration utility
To insert the client certificate subject name using the NetScaler command
line
Example
add ssl action Action-SSL-SubName -clientcertSubject ENABLED -certSubjectHeader "X-SUBJECT-NAME"
To insert the client certificate hash using the NetScaler command line
Example
add ssl action Action-SSL-CertHash -clientcertHash ENABLED -certHashHeader "X-CERT-HASH"
To insert the client certificate issuer tag using the configuration utility
To insert the client certificate issuer tag using the NetScaler command line
Example
add ssl action Action-SSL-Issuer -clientCertIssuer ENABLED -certIssuerHeader "X-ISSUER-NAME"
Example
add ssl action Action-SSL-SessionID -sessionID ENABLED -sessionIDHeader "X-SESSION-ID"
You can only enable this insertion for HTTP-based SSL vservers and services.
You cannot apply it for other TCP-based SSL vservers and services.
The following procedure describes the steps to create an SSL action Action-SSL-
Cipher that inserts a new header X-CIPHER-SUITE into the HTTP header whose
value contains the cipher suite negotiated during the SSL handshake.
Example
add ssl action Action-SSL-Cipher -cipher ENABLED -cipherHeader "X-CIPHER-SUITE"
3. In the Client Certificate Not Before Date group, select Enabled from the
drop-down list.
4. In the Not Before Tag text box, type a tag name (for example,
X-NOT-BEFORE).
5. Click Create, and then click Close.
To insert the client certificate not before date using the NetScaler command
line
Example
add ssl action Action-SSL-NotBefore -clientCertNotBefore ENABLED
-certNotBeforeHeader X-NOT-BEFORE
The following procedure describes the steps to create an SSL action Action-SSL-
NotAfter that inserts a new header X-NOT-AFTER into the HTTP header whose
value contains the client certificate's not-after date.
To insert the client certificate not after date using the NetScaler command
line
Example
add ssl action Action-SSL-NotAfter -clientCertNotAfter ENABLED -certNotAfterHeader X-NOT-AFTER
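Once the actions above are bound, the back-end server sees the client-certificate data only as HTTP headers, so something on the server has to consume them for the audit described at the start of this section. As an added example, not code from the guide or from Citrix, the following Python module turns the headers named in the examples above (X-SERIAL-NUMBER, X-SUBJECT-NAME, X-CERT-HASH, X-ISSUER-NAME, X-NOT-BEFORE, X-NOT-AFTER, X-SESSION-ID and X-CIPHER-SUITE) into one audit-log record. The sample request, the peer-address check, the weak-cipher markers and the date layout are constructed assumptions; the guide does not state the format in which the appliance writes the dates.

```python
"""Server-side consumer for the headers an SSL action inserts.

Added example, not NetScaler code. Header names come from the guide's
add ssl action examples; the sample request, trusted-peer list, weak-cipher
markers and date format are constructed assumptions.
"""
import json
import re
from datetime import datetime, timezone

# Header name -> field name in the audit record
INSERTED_HEADERS = {
    "X-SERIAL-NUMBER": "serial",
    "X-SUBJECT-NAME": "subject",
    "X-CERT-HASH": "cert_hash",
    "X-ISSUER-NAME": "issuer",
    "X-NOT-BEFORE": "not_before",
    "X-NOT-AFTER": "not_after",
    "X-SESSION-ID": "session_id",
    "X-CIPHER-SUITE": "cipher_suite",
}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
# Constructed: substrings of negotiated cipher names that should raise an audit flag
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "EXP-", "NULL")
# Constructed: date layout assumed for the sample headers below (OpenSSL style)
DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_date(value):
    """Parse a header date written in DATE_FMT; None when absent or unparsable."""
    if not value:
        return None
    try:
        return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def audit_record(headers, peer_ip, trusted_proxies, now):
    """Build the audit record for one request.

    Only the appliance can vouch for these headers (a client can send a header
    of the same name itself), so requests that did not arrive from a listed
    appliance address are refused outright.
    """
    if peer_ip not in trusted_proxies:
        raise PermissionError(f"certificate headers from untrusted peer {peer_ip}")
    # HTTP header names are case-insensitive; normalise before lookup
    upper = {name.upper(): value.strip() for name, value in headers.items()}
    record = {field: upper.get(name) for name, field in INSERTED_HEADERS.items()}
    problems = []
    for field in ("serial", "cert_hash"):
        if record[field] and not HEX_RE.match(record[field]):
            problems.append(f"{field} is not hexadecimal")
    not_before = parse_date(record["not_before"])
    not_after = parse_date(record["not_after"])
    if record["not_before"] and not not_before:
        problems.append("not_before unparsable")
    if record["not_after"] and not not_after:
        problems.append("not_after unparsable")
    # Informational: whether the presented certificate's validity window covers now
    record["cert_valid_now"] = bool(not_before and not_after and not_before <= now <= not_after)
    suite = (record["cipher_suite"] or "").upper()
    record["weak_cipher"] = any(marker in suite for marker in WEAK_CIPHER_MARKERS)
    record["peer_ip"] = peer_ip
    record["problems"] = problems
    return record


def audit_line(record):
    """One JSON line per request, ready for a log shipper."""
    return json.dumps(record, sort_keys=True)


# Constructed sample: what the back-end server sees after the SSL actions above
SAMPLE_PEER = "10.102.20.1"
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_HEADERS = {
    "X-SERIAL-NUMBER": "0A1B2C3D",
    "X-SUBJECT-NAME": "CN=alice,O=Example",
    "X-CERT-HASH": "AB12CD34EF5678900FEDCBA987654321",
    "X-ISSUER-NAME": "CN=Example CA,O=Example",
    "X-NOT-BEFORE": "Jan 15 00:00:00 2024 GMT",
    "X-NOT-AFTER": "Jan 15 00:00:00 2025 GMT",
    "X-SESSION-ID": "C0FFEE",
    "X-CIPHER-SUITE": "SSL3-RC4-MD5",
}


def demo():
    """Run the constructed sample request through the auditor."""
    return audit_record(SAMPLE_HEADERS, SAMPLE_PEER, {SAMPLE_PEER}, SAMPLE_NOW)


if __name__ == "__main__":
    print(audit_line(demo()))
```

The peer-address check is the design point: because the servers receive plain HTTP, nothing in the protocol distinguishes a header the appliance inserted from one a client typed, so the record is trusted only for requests that arrived from a listed appliance address. The weak-cipher flag turns the inserted X-CIPHER-SUITE value into a detection signal, which is a cheap way to spot clients still negotiating RC4 or MD5 suites before the cipher list is tightened.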
Note: The ns_true general expression applies the policy to all successful
(200 OK) responses generated by the NetScaler. However, if you need to
filter specific responses, you can create policies with a higher level of
detail. For information about configuring granular policy expressions, see
the Citrix NetScaler Policy Configuration and Reference Guide for release
9.2.e.
Example
add ssl policy Policy-SSL-1 -rule ns_true -reqAction Action-SSL-1
1. In the navigation pane, expand SSL Offload and click Virtual Servers.
2. From the list of virtual servers, select the virtual server that you want to
bind the responder policy to (for example, select Vserver-SSL-1), and then
click Open
3. On the Policies tab, in the Active column, select the check box next to the
policy you want to bind to the vserver (for example, Policy-SSL-1).
4. Click OK.
To bind an SSL policy to a virtual server using the NetScaler command line
Example
bind ssl vserver Vserver-SSL-1 -policyName Policy-SSL-1
Note: You can bind SSL policies globally or to custom bind points on the
NetScaler. For more information about binding policies on the NetScaler, see the
Citrix NetScaler Policy Configuration and Reference Guide for release 9.2.e.
• When the NetScaler receives the HTTPS request, it decrypts the request and
applies layer 4-7 content switching techniques and load-balancing policies,
and then selects the best back-end Web server to serve the request.
• The NetScaler opens an SSL session with the selected server.
• After establishing the SSL session, the NetScaler encrypts the client's
request and sends it securely through the SSL session to the Web server.
• The NetScaler decrypts all encrypted response packets from the Web
server, then re-encrypts the response data using the client-side SSL session
and sends it to the client.
The SSL session multiplexing technique reuses the existing SSL sessions with the
back-end Web servers, thus avoiding CPU-intensive key exchange (full
handshake) operations. This reduces the overall number of SSL sessions on the
server, while maintaining end-to-end security.
Note: For TCP traffic, follow the procedures given in the sections that follow,
but create SSL_TCP services instead of SSL services.
6. In Port, type the port number for the SSL service to use (for example, 443).
7. Click Create, and then click Close.
To create the second service, repeat the procedure, but use the service name
Service-SSL-2 and IP address 10.102.20.31.
Example
add service Service-SSL-1 10.102.20.30 SSL 443
1. In the navigation pane, expand SSL Offload, then click Virtual Servers.
2. Select the virtual server Vserver-SSL-2, then click Open.
3. On the Services tab, in the Active column, select the check boxes next to
the services Service-SSL-1 and Service-SSL-2.
4. Click OK. The services Service-SSL-1 and Service-SSL-2 are bound to the
virtual server Vserver-SSL-2.
Example
bind lb vserver Vserver-SSL-2 Service-SSL-1
Note: SSL_TCP service is used for non-HTTPS services (for example SMTPS,
and IMAPS).
Note: The following example sets the clear text port for HTTP-based data. To
set the clear text port for non-HTTP data, choose the appropriate protocol in the
corresponding steps of the procedure.
1. In the navigation pane, expand SSL Offload, and then click Services.
2. From the list of configured services, select the service to which you want to
bind the certificate key pair (for example, Service-SSL-Transparent), then
click Open.
3. Select the SSL Settings tab. The configured certificate key pairs configured
on the NetScaler are listed in the Available area.
4. Select the certificate key pair that you want to bind to the service and click
Add. The certificate key pair appears in the Configured area.
5. Click OK. The certificate pair is bound to the SSL service.
Example
bind certkey Service-SSL-Transparent Certkey-SSL-1 -service
The configured wildcard server will automatically learn the servers configured on
the NetScaler; therefore, you do not need to configure services for a wildcard
virtual server.
To configure transparent virtual server-based SSL acceleration for secure HTTP-
based data, set the parameters as described in the following sections.
The following procedure describes the steps to configure a wild card virtual
server Vserver-SSL-WildCard with its clear text port set to 8080.
1. In the navigation pane, expand SSL Offload, and then click Virtual
Servers.
2. In the details pane, click Add.
3. In the Name text box, type the name of the virtual server to be created (for
example, Vserver-SSL-WildCard).
4. In the IP Address text box, type *.
5. Under Protocol, select SSL.
6. In the Port text box, type the port number for the virtual server to use (for
example, type 443).
7. Click Create, and then click Close. The virtual server you created appears
in the SSL Offload Virtual Servers page.
Example
add lb vserver Vserver-SSL-WildCard SSL * 443
Setting the Clear text Port for the Wildcard Virtual Server
Set the clear text port of the wildcard virtual server Vserver-SSL-WildCard to
8080.
For instructions on setting the clear text port on an SSL virtual server, see
“Configuring Advanced SSL Settings,” on page 435.
Note: This example describes the procedure to set the clear text port for HTTP-
based data. To set the clear text port for non-HTTP data, substitute the appropriate
choices in the procedure.
Note: In this scenario, the SSL acceleration feature runs at the back-end using
the default configuration, with all 34 ciphers available.
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the details pane, click Add.
3. In the Name, IP Address, and Port text boxes, type Vserver-HTTP-1,
192.168.1.100, and 80.
Example
add lb vserver Vserver-HTTP-1 HTTP 192.168.1.100 80
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. Select Vserver-HTTP-1 and click Open.
3. In the Active column, select the check box next to Service-SSL-1 and click
OK. The SSL service is bound to the HTTP virtual server.
Example
bind lb vserver Vserver-HTTP-1 Service-SSL-1
Note: To bind the SSL service Service-SSL-2 to the virtual server, repeat the
procedure, but in step 3, select the option next to Service-SSL-2.
In an SSL bridge setup, the NetScaler is configured to load balance and maintain
server persistency for secure requests. Other features, such as content switching,
SureConnect, and cache redirection do not work because the traffic passing
through the SSL accelerator is encrypted.
The following diagram illustrates this configuration.
The sections that follow describe how to configure SSL bridging. The procedures
explain the steps to configure SSL bridging on a NetScaler with two
SSL_BRIDGE services (Service-SSL_Bridge-1 and Service-SSL_Bridge-2 with
IP addresses 192.168.1.100 and 192.168.1.101) and to bind them to an
SSL_BRIDGE virtual server Vserver-SSL_Bridge-1 with IP address
192.168.1.10.
1. In the navigation pane, expand System, then click Settings. The Settings
page appears in the right pane.
2. Under Modes and Features, click Basic Features. The Configure Basic
Features dialog box appears.
3. Select the Load Balancing check box, then click OK. When the Enable/
Disable Feature(s)? message appears, click Yes. The Load Balancing
feature is enabled on the NetScaler.
To enable the load balancing feature using the NetScaler command line
Example
enable ns feature lb
1. In the navigation pane, expand SSL Offload, and then click Services.
2. In details pane, click Add.
3. In the Service Name, Server and Port text boxes, type Service-
SSL_Bridge-1, 192.168.1.100 and 443.
Example
add service Service-SSL_Bridge-1 192.168.1.100 SSL_BRIDGE 443
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the details pane, click Add.
3. In the Name, IP Address, and Port text boxes, type Vserver-SSL_Bridge-
1, 192.168.1.10, and 443.
4. Under Protocol select SSL_BRIDGE.
5. Click Create and click Close. The virtual server you created appears in the
Load Balancing Virtual Servers page.
Example
add lb vserver Vserver-SSL_Bridge-1 SSL_BRIDGE 192.168.1.10 443
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. Select Vserver-SSL_Bridge-1 and click Open.
Example
bind lb vserver Vserver-SSL_Bridge-1 Service-SSL_Bridge-1
The following table summarizes the names and values of the entities that you
must configure on the NetScaler.
Example of Content Switching Configuration with an SSL Vserver
Entity type                      Name               Value
HTTP Service                     Service-HTTP-1     192.168.1.100:80
                                 Service-HTTP-2     192.168.1.101:80
                                 Service-HTTP-3     192.168.1.102:80
                                 Service-HTTP-4     192.168.1.103:80
Load Balancing Virtual Server    Vserver-LB-HTML    192.168.1.10:80
                                 Vserver-LB-Image   192.168.1.20:80
SSL based CS Virtual Server      Vserver-SSL-CS     10.102.1.100:443
Certificate                      Certkey-1
For instructions on creating HTTP services, see “Adding Services,” on page 378.
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the details pane, click Add.
3. In the Name, IP Address, and Port text boxes, type Vserver-LB-HTML,
192.168.1.10, and 80 respectively.
4. Under Protocol, select HTTP.
5. Click Create and click Close. The virtual server that you have created,
appears in the Load Balancing Virtual Servers page.
To create a load balancing virtual server using the NetScaler command line
Example
add lb vserver Vserver-LB-HTML HTTP 192.168.1.10 80
Note: To create the Vserver-LB-Image virtual server, repeat the procedure, but
in step 3, type Vserver-LB-Image, 192.168.1.20, and 80.
Example
add cs vserver Vserver-CS-SSL SSL 10.102.1.100 443
Note: In the preceding configuration, the cache devices are configured to send
all cache-misses to the HTTP virtual server configured on the NetScaler. The
NetScaler re-encrypts the requests and sends them using the secure SSL session
to the SSL services bound to the HTTP virtual server.
Cipher Name     Protocol   Key Exchange   Authentication   Encryption (Key Size)   Message Authentication
SSL3-RC4-MD5    SSLv3      RSA            RSA              RC4(128)                MD5
[Cipher table: only the column headings and this one row survived extraction.]
FIPS
The only non-FIPS cipher supported on the NetScaler 9010 and 9950 FIPS
appliances is SSL3-RC4-SHA.
Important: Due to security constraints, the appliance does not provide a means
for retrieving the SO password. Store a copy of the password safely. Should you
need to reinitialize the HSM, you will need to specify this password as the old SO
password.
Chapter 6 FIPS 477
Before initializing the HSM, you can upgrade to the latest build of the software.
To upgrade to the latest build, see “Upgrading to a Later Build within Release
9.2” at http://edocs.citrix.com.
To configure the HSM on a 9010 FIPS or 9950 FIPS appliance by using the
NetScaler command line
After logging on to the appliance as the superuser and completing the initial
configuration, at the NetScaler command prompt, type the following commands
to configure the HSM and verify the configuration:
set ssl fips -initHSM Level-2 <new SO password> <old SO password> <user password> [-hsmLabel <string>]
show ssl fips
Example
set ssl fips -initHSM Level-2 fipssso123 sopin123 userpin123 -hsmLabel FIPS-140-2
This command will erase all data on the FIPS card. You must save the
configuration (saveconfig) after executing this command.
Do you want to continue? (Y/N) y
show ssl fips
FIPS HSM Info:
HSM Label : FIPS-140-2
Initialization : FIPS-140-2 Level-2
HSM Serial Number : 8007376
Firmware Version : 4.6.1
Total Flash Memory : 14286412
Free Flash Memory : 14281588
Total SRAM Memory : 17036680
Free SRAM Memory : 17035240
Parameters for configuring the HSM
Parameter Specifies
initHSM The FIPS initialization level. The appliance currently supports
Level-2 (FIPS 140-2 Level-2). Possible value: Level 2.
hsmLabel The label to identify the Hardware Security Module (HSM).
Maximum Length: 31.
newSOpassword The security officer password that will be in effect after you have
configured the HSM.
To configure the HSM on a 9010 FIPS or 9950 FIPS appliance by using the
configuration utility
Note: Citrix recommends that you store the SO password in a secure location.
You will need to specify this password as the old SO password to re-initialize the
HSM.
Important: If you want to upgrade to the latest software release, see the Citrix
NetScaler Migration Guide. In the installation steps, use the ./installns -F
command to install FIPS.
Note: If you are planning an HA setup, make sure that the FIPS appliances are
configured in an HA setup before creating a FIPS key.
Example
create fipskey Key-FIPS-1 -modulus 2048 -exponent 3
show ssl fipsKey Key-FIPS-1
FIPS Key Name: Key-FIPS-1 Modulus: 2048 Public Exponent: 3 (Hex: 0x3)
Parameters for creating a FIPS key
Parameter Specifies
fipsKeyName The object name for the FIPS key. Maximum Length: 31.
Example
export fipskey Key-FIPS-1 -key Key-FIPS-1.key
Parameters for exporting a FIPS key
Parameter Specifies
fipsKeyName The name of the FIPS key to be exported. Maximum Length:
31.
key The path and file name in which to store the exported key.
Maximum Length: 63. Default path: /nsconfig/ssl/.
Note: To avoid errors when importing a FIPS key, make sure that the name of
the key imported is the same as the original key name when it was created.
To import a FIPS key on the 9010 FIPS and 9950 FIPS by using the NetScaler
command line
Example
import fipskey Key-FIPS-1 -key Key-FIPS-1.key -inform SIM
show ssl fipskey key-FIPS-1
FIPS Key Name: Key-FIPS-1 Modulus: 2048 Public Exponent: 3 (Hex: 0x3)
Parameters for importing an existing FIPS key
Parameter Specifies
fipsKeyName The name of the FIPS key to be imported. Maximum Length:
31.
key The name of the key file. By default, the file is placed in the /
nsconfig/ssl/ directory. If you want to put the file in a different
location, include the complete path.
Example
create wrapkey Key-Wrap-1 -password wrapkey123 -salt wrapsalt123
show ssl wrapkey
1) WRAP Key Name: Key-Wrap-1
Parameters for generating a wrap key
Parameter Specifies
wrapKeyName The object name for the wrap key. Maximum Length: 31.
password The password string for the wrap key. Maximum Length: 31.
salt The salt string for the wrap key. Maximum Length: 31.
• Password*—password
• Salt*—salt
*A required parameter
4. Click Create, and then click Close.
5. On the Wrap Keys tab, verify that the settings displayed for the wrap key
that you just created are correct.
To convert an external key to the PKCS8 format and import it into the HSM
by using the NetScaler command line
At the NetScaler command prompt, type the following commands to convert and
import a FIPS key and verify the settings:
convert ssl pkcs8 <pkcs8File> <keyFile> [-keyform ( DER | PEM )]
import ssl fipsKey <fipsKeyName> -key <string> [-inform ( SIM | DER )] [-wrapKeyName <string>] [-iv <string>]
show ssl fipskey <fipsKeyName>
Note: When you specify the keyform as PEM, and the PEM key is encrypted,
you are prompted for a password.
Example
convert ssl pkcs8 Key-PKCS8-1 Key-External-1.pem -keyform PEM
Enter PEM pass phrase:
Done
import fipskey Key-Pkcs8-1 -key Key-Pkcs8-1.key -inform DER -wrapKeyName Key-Wrap-1 -iv wrapkey123
show ssl fipskey Key-Pkcs8-1
To convert the external key into the PKCS8 format and import it into the
HSM by using the configuration utility
4. In the Convert private key to PKCS8 format dialog box, specify values
for the following parameters, which correspond to parameters described in
“Parameters for converting an external key into PKCS8 format” as shown:
• Key Name (pkcs8 format)*—pkcs8File (To select an existing output
file, click the Browse button and select from the default location or
navigate to a location.)
• Private Key Path*—keyFile (To select an existing input file, click the
Browse button and select from the default location or navigate to a
location.)
• Key Format—keyform
• Password—pass phrase
*A required parameter
5. Click Convert, and then click Close.
6. In the Import as a FIPS Key dialog box, specify values for the following
parameters, which correspond to parameters described in “Parameters for
importing an external key into the HSM” as shown:
• FIPS Key Name*—fipsKeyName
• File Name*—key
• Input Format*—inform
• Wrap Key Name*—wrapKeyName
• IV*—iv
*A required parameter
7. Click Import, and then click Close.
8. In the FIPS Keys tab, verify that the settings displayed for the external key
that you just converted and imported are correct.
Note: For security reasons, delete the external private key from the hard disk
after you import it into the HSM.
If you use the command line interface to configure a high availability (HA) setup,
the create fipskey command is not propagated to the secondary node. This
is because, when you execute the command with the same input values for
modulus size and exponent on two different FIPS appliances, the keys generated
are not identical.
Note: If the FIPS appliances are in an HA setup and you create a FIPS key by
using the configuration utility on the primary node, the FIPS keys are
automatically transferred to the secondary node when the next synchronization
takes place between the primary and secondary nodes.
When using the CLI to configure an HA setup, you need to create the FIPS key on
one of the nodes and then transfer it to the other node. The process of managing
and transferring the FIPS keys is known as secure information management
(SIM).
On machine A
1. After creating the FIPS key, export the FIPS key to the appliance’s hard
disk, as described in “Exporting a FIPS Key,” on page 480.
2. Copy this key to the hard disk of the secondary appliance by using a file
transfer utility, such as FTP.
On machine B
3. Import the FIPS key from the hard disk into the HSM of the appliance, as
described in “Importing an Existing FIPS Key,” on page 481.
6. In the Source Secret File Name text box, type the location for storing the
secret data on the source appliance.
7. Click OK. The FIPS appliances are now configured in HA mode.
8. Create a FIPS key, as described in “Creating a FIPS Key,” on page 479. The
FIPS key is automatically transferred from the primary to the secondary
when the next synchronization between the primary and secondary nodes
takes place.
Example
Copy this key into the hard disk of the target appliance.
On the target appliance
import fipskey fips1 -key /nsconfig/ssl/fips1.key
[Figure: configuring FIPS appliances in a high availability setup. The figure
text was recovered from the extraction and is ordered by the files each step
consumes; the numeric arguments of the create fipskey command did not survive.]
On the source appliance
Initialize the source appliance:
init fipsSIMsource /nsconfig/ssl/source.cert
Enable the source appliance:
enable fipsSIMsource /nsconfig/ssl/target.secret /nsconfig/ssl/source.secret
Create a FIPS key:
create fipskey fips1 -modulus <modulus> -exponent <exponent>
Export the FIPS key:
export fipskey fips1 -key /nsconfig/ssl/fips1.key
On the target appliance
Initialize the target appliance:
init fipsSIMtarget /nsconfig/ssl/source.cert /nsconfig/ssl/target.key /nsconfig/ssl/target.secret
Enable the target appliance:
enable fipsSIMtarget /nsconfig/ssl/target.key /nsconfig/ssl/source.secret
Import the FIPS key:
import fipskey fips1 -key /nsconfig/ssl/fips1.key -inform SIM
Precautions
Before executing the firmware update command, review the following list of
cautions:
• This process is only for updating from Cavium firmware version 4.6.0 to
version 4.6.1. It is NOT possible to update from an earlier firmware
version, such as version 4.3.5.
• The firmware update is possible on NetScaler 9.1 build 9.1_98.5 and above,
and on all NetScaler 9.2 builds.
• The update fips -fipsFW 4.6.1 command can be successfully
executed only once. After the firmware has been upgraded, subsequent
attempts to issue the command do not have any effect.
• When the update is complete, the firmware cannot be downgraded to an
earlier version.
• The update must be performed when the appliance is offline and network
traffic is not passing through the appliance.
• Citrix recommends executing the update command through the serial
console. If the command is executed from a Telnet or SSH session (for
example, in PuTTY), the session might time out before command execution is
complete.
3. Disable any monitors and save the configuration. At the prompt, type:
disable lb mon <servicename>
save config
Restart the appliance and reissue the update fips -fipsFW 4.6.1
command.
7. Enable the monitors that were disabled in step 3. At the prompt, type:
enable lb mon <servicename>
1. Log on to the secondary node and perform the update as described in “To
update the FIPS firmware version on a standalone NetScaler,” on page 491.
Force the secondary node to become primary. At the prompt, type:
force failover
2. Log on to the new secondary node (old primary) and perform the update as
described in “To update the FIPS firmware version on a standalone
NetScaler,” on page 491.
3. Force the new secondary node to become primary again. At the prompt,
type:
force failover
Important: To avoid this situation, save the configuration after initializing the
HSM.
If the HSM is locked, you must reset the HSM to restore the default passwords.
You can then use the default passwords to access the HSM and configure it with
new passwords. When finished, you must save the configuration.
At the NetScaler command prompt, type the following commands to reset and re-
initialize a locked HSM:
reset fips
set ssl fips -initHSM Level-2 <new SO password> <old SO password>
<user password> [-hsmLabel <string>]
saveconfig
Example
reset fips
set fips -initHSM Level-2 newsopin123 sopin123 userpin123 -hsmLabel
NSFIPS
saveconfig
SSL virtual server is marked UP only when default ciphers (FIPS) are configured.
On the 9010 FIPS and 9950 FIPS appliances, to enable other ciphers on an SSL
virtual server, use the following command:
set ssl vserver <vServerName> [-nonfipscipher (ENABLE|DISABLE)]
This chapter describes the Domain Name System (DNS) features supported by
the Citrix NetScaler. It explains the procedures to configure the NetScaler as an
authoritative DNS (ADNS) server and DNS proxy server, and describes the
available configuration options and procedures.
In This Chapter
How DNS Works
Configuring DNS Resource Records
Configuring the NetScaler as an ADNS Server
Configuring the NetScaler as a DNS Proxy Server
Configuring the NetScaler as an End Resolver
Configuring the NetScaler as a Forwarder
Configuring DNS Suffixes
DNS ANY Query
To configure the NetScaler as an ADNS server, you must add an ADNS service,
then configure the zone file for a domain. To do this, you add valid SOA and NS
records for the domain. When a client sends a DNS request for the domain, the
query reaches the NetScaler, which maps the domain name to its configured
resource records and answers. You can configure the ADNS service to be used
with the NetScaler Global Server Load Balancing (GSLB) feature.
You can delegate a subdomain, by adding NS records for the subdomain to the
zone file of the parent domain. You can then make the NetScaler authoritative for
the subdomain, by adding a "glue record" for each of the subdomain name
servers. When the NetScaler is made authoritative, any DNS request for the
domain reaches the NetScaler. If GSLB is configured, the NetScaler makes a
GSLB load balancing decision based on its configuration and replies with the IP
address of the selected virtual server. The following figure shows the entities of
an ADNS and DNS proxy setup.
The NetScaler provides two options, minimum time to live (TTL) and maximum
TTL for configuring the lifetime of the cached data. The cached data times out
based on your settings for these two options. The NetScaler checks the TTL of the
DNS record coming from the back-end server. If the TTL is less than the
configured minimum TTL, it is replaced with the configured minimum TTL. If
the TTL is greater than the configured maximum TTL, it is replaced with the
configured maximum TTL.
The NetScaler also allows caching of negative responses for a domain. A
negative response indicates that information about a requested domain does not
exist, or that the server cannot provide an answer for the query. The storage of
this information is called negative caching. Negative caching helps speed up
responses to queries on a domain, and can optionally provide the record type.
A negative response can be one of the following:
• NXDOMAIN error message - If a negative response is present in the local
cache, the NetScaler returns an error message (NXDOMAIN). If the
response is absent in the local cache, the query is forwarded to the back-end
server, and the back-end server returns an NXDOMAIN error to the
NetScaler. The NetScaler caches the response locally, then returns the error
message to the client.
• NODATA error message - The NetScaler sends a NODATA response if the
domain name in the query is valid but no records of the requested type
exist for it.
The NetScaler supports recursive resolution of DNS requests. In recursive
resolution, the resolver (DNS client) sends a recursive query to a name server
for a domain name. If the queried name server is authoritative for the domain,
it responds with the requested record. Otherwise, the NetScaler queries the
name servers in turn, following each referral, until the requested domain name
is found.
Before you can apply the recursive query option, you must first enable it. You can
also set the number of times the DNS resolver must send a resolution request
(DNS retries) if a DNS lookup fails.
You can configure the NetScaler as a DNS forwarder. A forwarder passes DNS
requests to external name servers. The NetScaler allows you to add external name
servers and provides name resolution for domains outside the network. The
NetScaler also allows you to set the name lookup priority to DNS or Windows
Internet Name Service (WINS).
The following sections provide instructions to add DNS resource records and
configure the appropriate operating modes on the NetScaler.
Functional Overview
If the NetScaler is configured as an ADNS server, it returns the DNS records in
the order in which the records are configured. If the NetScaler is configured as a
DNS proxy, it returns the DNS records in the order in which it receives the record
from the back-end server. The order of the records present in the cache matches
the order in which records are received from the back-end server.
The NetScaler then changes the order in which records are sent in the DNS
response in a round robin method. The first response contains the first record in
sequence, the second response contains the second record in sequence, the third
response contains the third record in sequence, and the order continues in the
same sequence. Thus, clients requesting the same name can connect to different
IP addresses.
When the NetScaler receives a query for the address (A) records of ns1, for
which four address records are configured, the records are served in a round
robin method as follows. In the first DNS response, 1.1.1.1 is served as the
first record:
ns1. 1H IN A 1.1.1.1
ns1. 1H IN A 1.1.1.2
Chapter 7 Domain Name System 501
ns1. 1H IN A 1.1.1.3
ns1. 1H IN A 1.1.1.4
In the second DNS response, the second IP address, 1.1.1.2 is served as the first
record:
ns1. 1H IN A 1.1.1.2
ns1. 1H IN A 1.1.1.3
ns1. 1H IN A 1.1.1.4
ns1. 1H IN A 1.1.1.1
In the third DNS response, the third IP address, 1.1.1.3, is served as the first
record:
ns1. 1H IN A 1.1.1.3
ns1. 1H IN A 1.1.1.4
ns1. 1H IN A 1.1.1.1
ns1. 1H IN A 1.1.1.2
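The rotation shown above, as an added example written for this page (it is not
Citrix code and does not use NetScaler internals): the record set is kept in the
order received and rotated one position per response, so that each client sees a
different record first. The class and function names are chosen for the example;
the four addresses are the constructed input from the text above.

```python
from collections import deque
from typing import List

# Constructed input: the four address records for ns1 from the page's
# example, in the order the NetScaler received them from the back-end.
NS1_RECORDS = ["1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4"]


class RoundRobinRecordSet:
    """Serves a cached record set the way the page describes: every
    response carries the whole set, rotated one position per response."""

    def __init__(self, records: List[str]):
        if not records:
            raise ValueError("record set must not be empty")
        self._records = deque(records)

    def respond(self) -> List[str]:
        """Return the current order, then rotate left by one for the next query."""
        answer = list(self._records)
        self._records.rotate(-1)
        return answer


def simulate(records: List[str], queries: int) -> List[List[str]]:
    """Answer `queries` successive requests for the same name."""
    rrset = RoundRobinRecordSet(records)
    return [rrset.respond() for _ in range(queries)]


def first_records(records: List[str], queries: int) -> List[str]:
    """The record each response leads with. Most clients try the first
    address, so this sequence is what actually spreads the connections."""
    return [response[0] for response in simulate(records, queries)]


def is_balanced(records: List[str], cycles: int = 1) -> bool:
    """Over cycles * len(records) responses every record leads exactly
    `cycles` times: the rotation is fair as long as the set is unchanged."""
    firsts = first_records(records, cycles * len(records))
    return all(firsts.count(record) == cycles for record in records)
```

Two caveats the rotation does not solve: a caching resolver between the
NetScaler and its clients sends all of them to the same first record until the
TTL expires, and the rotation is blind to the health and load of the addresses;
for load-aware decisions the page points to GSLB.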
The following table lists the record types and the number of records (per record
type) that you can configure for a domain on the NetScaler.
Record Type and Number Configurable
Record Type Number of Records
Address (A) 25
IPv6 (AAAA) 5
Mail exchange (MX) 12
Name server (NS) 16
Service (SRV) 8
Pointer (PTR) 20
Canonical name (CNAME) 1
Start of Authority (SOA)
1. In the navigation pane, expand DNS, expand Records, and then click SRV
Records.
2. In the details pane, click Add.
3. In the Domain Name text box, type the name of the service (for example,
http.tcp.abc.com).
4. In the Target drop-down list, select the host on which you want to host the
service, or click New to create a target host.
A. In the Host Name text box, type the domain name for the DNS
address record (for example, g.root-servers.net).
B. In the IP Address text box, type the IP address for the domain name.
C. Click Create and click Close.
5. In Priority, Weight, and Port, specify the appropriate values (for example,
2, 3, and 80, respectively).
6. Click Create and click Close. The SRV record you created appears on the
SRV Records page.
Example
add dns srvRec http.tcp.abc.com g.root-servers.net -priority 2 -weight 3 -port 80
1. In the navigation pane, expand DNS, expand Records, and then click
AAAA Records.
2. In the details pane, click Add.
3. In the Host Name text box, type the host name for the AAAA record (for
example, www.mynw.com).
4. In the IPv6 Address text box, type the IPv6 address (for example,
2001:0db8:0000:0000:0000:0000:1428:57ab).
5. Click Add. The added IPv6 address appears in the IP box.
6. Click Create and click Close.
Example
add dns aaaaRec www.mynw.com
2001:0db8:0000:0000:0000:0000:1428:57ab
1. In the navigation pane, expand DNS, expand Records, and click Address
Records.
2. In the details pane, click Add.
3. In the HostName text box, type the domain name for the DNS address
record (for example, ns1.abc.com).
4. In the IP Address text box, type the IP address for the domain name (for
example, 10.100.100.3).
5. Click Add.
6. Click Create and click Close.
Example
add dns addRec ns1.abc.com 10.100.100.3
MX Record Parameters
Parameter Specifies
TTL Time to live, measured in seconds. The default value is 3600 seconds.
The minimum value is 0 seconds and the maximum value is
2147483647 seconds.
1. In the navigation pane, expand DNS, expand Records, and click Mail
Exchange Records.
2. In the details pane, click Add.
3. In the Domain Name text box, type the domain name for the DNS address
record (for example, www.abc.com).
4. In the Mail Exchange drop-down list, select the host that receives mail
for the domain (for example, mail.abc.com). The list shows all of the
host names for which address records are configured.
5. In the Preference No text box, type the preference number (for example,
2). When a domain has several MX records, senders try the lowest
preference first.
6. Click Create and click Close.
Example
add dns mxRec www.abc.com -mx mail.abc.com -pref 2
The following procedure describes the steps to add an NS record ns1.abc.com for
the domain www.abc.com.
1. In the navigation pane, expand DNS, expand Records, and click Name
Server Records.
2. In the details pane, click Add.
3. In the Domain Name text box, type the domain name for the DNS address
record (for example, www.abc.com).
4. In the Name Server drop-down list, select the primary authoritative name
server (for example, ns1.abc.com).
5. Click Create and click Close.
Example
add dns nsRec www.abc.com ns1.abc.com
1. In the navigation pane, expand DNS, expand Records, and click Canonical
Records.
2. In the details pane, click Add.
3. In the Alias Name text box, type the alias (for example, www.wxyz.com).
4. In the Canonical Server drop-down list, select the canonical (real) name
that the alias resolves to (for example, www.xyz.com).
5. Click Create and click Close.
Example
add dns cnameRec www.wxyz.com www.xyz.com
1. In the navigation pane, expand DNS, expand Records, and click PTR
Records.
2. In the details pane, click Add.
3. In the Reverse Domain text box, type the reverse domain name, that is,
the address octets in reverse order under in-addr.arpa (the command-line
example below uses 1.1.1.in-addr.arpa.; the address 16.3.0.122 corresponds
to 122.0.3.16.in-addr.arpa).
4. In the Domain text box, type the domain name that the address reverse
maps to (for example, mynw1.com).
5. Click Add.
6. Click Create and click Close.
Example
add dns ptrrec 1.1.1.in-addr.arpa. abc.com
1. In the navigation pane, expand DNS, expand Records, and click SOA
Records.
2. In the details pane, click Add.
3. In the Domain Name text box, type the domain name for which you want
to add the SOA record (for example, www.abc.com).
4. In the Origin Server drop-down list, select the name of the origin server
for the given domain (for example, ns1.abc.com).
5. In the Contact and Serial No text boxes, type the mailbox of the person
responsible for the zone, written with the @ replaced by a dot (for
example, root.abc.com for root@abc.com), and the serial number that a
secondary server compares with its own copy to determine whether it
requires a zone transfer from the primary server (for example, 20020121).
6. Click Create and click Close.
Example
add dns soaRec www.abc.com -originServer ns1.abc.com
-contact root.abc.com -serial 20020121
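An added example that ties the record procedures above together; it is written
for this page and is not Citrix code. It checks a record set against the
per-type limits in the "Record Type and Number Configurable" table, rejects a
CNAME that shares its owner name with another record (the reason the table
allows only one CNAME per name), and builds the reverse-domain owner name that a
PTR record needs. The function names and the sample record set are constructed
for the example; the SOA count, which the table leaves blank, is taken as one per
zone by DNS definition.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Per-type limits copied from the table on this page; SOA is one per zone
# by definition (the page's table leaves the count blank).
RECORD_LIMITS = {"A": 25, "AAAA": 5, "MX": 12, "NS": 16, "SRV": 8,
                 "PTR": 20, "CNAME": 1, "SOA": 1}

Record = Tuple[str, str, str]   # (owner name, type, rdata)


def reverse_name(ip: str) -> str:
    """Owner name for the PTR record of an address: the octets (or IPv6
    nibbles) reversed under in-addr.arpa / ip6.arpa, in absolute form."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def validate(records: List[Record]) -> List[str]:
    """Return the problems found (an empty list means the set is acceptable):
    per-type counts over the page's limits, duplicate rdata, and a CNAME
    sharing its owner name with any other record (RFC 1034 section 3.6.2)."""
    problems: List[str] = []
    grouped: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for owner, rtype, rdata in records:
        grouped[(owner.lower().rstrip(".") + ".", rtype.upper())].append(rdata)

    for (owner, rtype), rdatas in grouped.items():
        limit = RECORD_LIMITS.get(rtype)
        if limit is not None and len(rdatas) > limit:
            problems.append(f"{owner}: {len(rdatas)} {rtype} records, limit is {limit}")
        if len(set(rdatas)) != len(rdatas):
            problems.append(f"{owner}: duplicate {rtype} rdata")

    cname_owners = {owner for owner, rtype in grouped if rtype == "CNAME"}
    for owner, rtype in grouped:
        if owner in cname_owners and rtype != "CNAME":
            problems.append(f"{owner}: CNAME cannot coexist with {rtype}")
    return problems


# Constructed record set assembled from the examples on this page.
SAMPLE_RECORDS: List[Record] = [
    ("ns1.abc.com", "A", "10.100.100.3"),
    ("www.abc.com", "NS", "ns1.abc.com"),
    ("www.abc.com", "MX", "2 mail.abc.com"),
    ("www.abc.com", "SOA", "ns1.abc.com root.abc.com 20020121"),
    ("www.mynw.com", "AAAA", "2001:db8::1428:57ab"),
    ("www.wxyz.com", "CNAME", "www.xyz.com"),
    (reverse_name("16.3.0.122"), "PTR", "mynw1.com."),
]


def over_limit_example() -> List[str]:
    """Twenty-six A records for one name: one more than the table allows."""
    return validate([("big.abc.com", "A", f"10.0.0.{i}") for i in range(1, 27)])


def cname_conflict_example() -> List[str]:
    """A CNAME and an A record on the same owner name."""
    return validate([("www.wxyz.com", "CNAME", "www.xyz.com"),
                     ("www.wxyz.com", "A", "10.0.0.9")])
```

Run validate() over a record set before issuing the add dns commands; the
NetScaler enforces the counts itself, but catching a CNAME collision or a
mistyped reverse name before the configuration is applied avoids a partially
loaded zone.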
1. In the navigation pane, expand DNS, expand Records, and click name of
record.
2. In the details pane, view the values.
At the NetScaler command prompt, type the appropriate syntax for the resource
record:
For SRV record:
sh dns srvRec ServiceName
For MX record:
sh dns mxRec DNSDomainName
For NS record:
sh dns nsRec NameServerRecord
Examples
For MX record:
sh dns mxRec www.abc.com
For NS record:
sh dns nsRec www.abc.com
1. In the navigation pane, expand DNS, expand Records, and then click the
resource record type you want to remove.
2. In the details pane, right-click the resource record you want to remove, and
then click Remove.
3. Click Yes to remove.
At the NetScaler command prompt, type the appropriate syntax for the resource
record:
For SRV record:
rm dns srvRec ServiceName DNSDomainName
For MX record:
rm dns mxRec DNSDomainName DomainName
For NS record:
rm dns nsRec DNSDomainName NameServerRecord
Examples
For MX record:
rm dns mxRec www.abc.com mail.abc.com
For NS record:
rm dns nsRec www.abc.com ns1.abc.com
Example
stat dns DomainName
NetScaler as an ADNS
The following table shows the name and value of the ADNS service that is
configured on the NetScaler.
Example of ADNS Service Configuration
Entity type Name IP address Type Port
ADNS Service Service-ADNS-1 10.102.29.51 ADNS 53
To configure an ADNS setup, you must configure the ADNS service. For
instructions on configuring the ADNS service, see Chapter 1, “Load Balancing.”
During DNS resolution, the DNS proxy or local DNS server that received the
client's query is directed, by the NS records that delegate the domain, to
query the NetScaler for the IP address of the domain. Because the NetScaler is
authoritative for the domain, it answers the DNS proxy or local DNS server with
the IP address. The following diagram describes the placement and role of the
ADNS server in a GSLB configuration.
Note: In ADNS mode, if you remove the SOA and NS records, the following do
not function for the domain hosted by the NetScaler: the ANY query (for more
information about the ANY query, see the section "DNS ANY Query," on page
533) and negative responses such as NODATA and NXDOMAIN.
Note: You can configure the ADNS service to use MIP, SNIP, or any new IP
address.
When you create an ADNS service, the NetScaler responds to DNS queries on the
configured ADNS IP, and port. When an ADNS service is configured, the
NetScaler can handle a large number of DNS requests per second.
Important: DNS normally uses UDP; a response that does not fit in a 512-byte
UDP payload is returned truncated (with the TC bit set), and the client retries
the query over TCP. To have the NetScaler answer over both transports,
configure an ADNS_TCP service in addition to the ADNS service. The IP address
of the ADNS_TCP service must be the same as that of the ADNS service.
A record in the NetScaler cache is discarded when its time to live (TTL)
expires. Without further measures, the next client would have to wait while the
NetScaler retrieves the record from the server and updates the cache. To avoid
this delay at the client, the NetScaler retrieves the record from the server
shortly before the TTL expires and proactively updates the cache.
The following table summarizes the names and the values of the entities that need
to be configured on the NetScaler.
Example of DNS Proxy Entity Configuration
Entity type Name IP address Type Port
LB vserver Vserver-DNS-1 10.102.29.40 DNS 53
Services Service-DNS-1 10.102.29.50 DNS 53
Service-DNS-2 10.102.29.51 DNS 53
The following diagram shows the entities of a DNS Proxy and values of the
parameters to be configured on the NetScaler.
Note: To configure DNS proxy, you need to know how to configure load
balancing services and vservers. For information about configuring load
balancing services and vservers, read Chapter 1, “Load Balancing,” and then
configure DNS proxy setup.
Important: DNS normally uses UDP; a response that does not fit in a 512-byte
UDP payload is returned truncated (with the TC bit set), and the client retries
the query over TCP. To have the DNS proxy handle both transports, configure
DNS_TCP services in addition to the DNS services. The IP address of the
DNS_TCP service must be the same as that of the DNS service.
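The truncation rule behind the ADNS_TCP and DNS_TCP notes (the one above and the
one in the ADNS section), as an added example that is not Citrix code and does
no network I/O: a server that cannot fit its response into a 512-byte UDP
payload sends back only the header and question with the TC bit set, and the
client retries over TCP, where the message carries a 2-byte length prefix. The
message builder and the "server" are constructed for the example; the sizes are
the classic RFC 1035 ones, which is what the page refers to (EDNS0 allows
larger UDP payloads but does not change the TC logic).

```python
import struct

# Classic DNS sizes (RFC 1035): a UDP message carries at most 512 bytes of
# payload without EDNS0, and TCP messages get a 2-byte length prefix.
UDP_MAX_PAYLOAD = 512
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_TC = 0x8000, 0x0100, 0x0080, 0x0200


def question_end(msg: bytes) -> int:
    """Offset just past the (single) question section."""
    i = 12                       # header is 12 bytes
    while msg[i] != 0:           # walk the labels of QNAME
        i += msg[i] + 1
    return i + 1 + 4             # root label, then QTYPE and QCLASS


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard query (RD set) for qname/qtype, class IN."""
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def fake_response(query: bytes, n_records: int) -> bytes:
    """Constructed server reply: echo the question and append n_records A
    records (compression pointer to the QNAME at offset 12, TTL 60)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA,
                         1, n_records, 0, 0)
    rrs = b"".join(struct.pack("!HHHIH4B", 0xC00C, 1, 1, 60, 4,
                               10, 0, i >> 8, i & 0xFF)
                   for i in range(n_records))
    return header + query[12:question_end(query)] + rrs


def udp_frame(response: bytes) -> bytes:
    """Server side over UDP: a response larger than 512 bytes is cut back to
    header + question with the TC bit set instead of being sent whole."""
    if len(response) <= UDP_MAX_PAYLOAD:
        return response
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", response[:12])
    return (struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0)
            + response[12:question_end(response)])


def tcp_frame(response: bytes) -> bytes:
    """Server side over TCP: the whole message, length-prefixed."""
    return struct.pack("!H", len(response)) + response


def is_truncated(msg: bytes) -> bool:
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def choose_transport(udp_reply: bytes) -> str:
    """Client side: only a truncated UDP answer justifies a TCP retry."""
    return "tcp" if is_truncated(udp_reply) else "udp"
```

With ten A records the reply is 189 bytes and goes out over UDP unchanged; with
forty it is 669 bytes, the UDP frame shrinks to the 29-byte header plus question
with TC set, and the client must ask again over TCP. If no *_TCP service is
configured on the NetScaler, that retry has nowhere to go and large answers are
effectively unresolvable.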
Example
set dns parameter -cacheRecords Yes
To specify the minimum and maximum TTL using the configuration utility
To specify the minimum and maximum TTL using the NetScaler command
line
Example
set dns parameter -minTTL 500
set dns parameter -maxTTL 500
Note: When the TTL expires, the record is deleted from the cache. The
NetScaler proactively contacts the back-end servers and obtains the DNS record
just before the DNS record’s TTL expires.
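An added example of the proxy cache behaviour this chapter describes: the
minimum and maximum TTL clamping (set dns parameter -minTTL/-maxTTL above),
negative caching of NXDOMAIN and NODATA answers (from the "How DNS Works"
section), and the proactive refresh in the note above. It is written for this
page and is not Citrix code; the class names, the refresh window, the fake
back-end zone and the manual clock are all constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical names chosen for this example; the page supplies only the
# behaviour and the -minTTL/-maxTTL/-cacheRecords parameters.


@dataclass
class Answer:
    rcode: str          # "NOERROR" or "NXDOMAIN"
    records: List[str]  # NOERROR with no records is the NODATA case
    ttl: int            # seconds


@dataclass
class CacheEntry:
    answer: Answer
    expires_at: float


class FakeBackend:
    """Constructed back-end name server: a static zone plus a call counter,
    so the caller can see when the proxy really contacted the server."""

    def __init__(self, zone: Dict[Tuple[str, str], Answer]):
        self.zone = zone
        self.calls = 0

    def query(self, name: str, rtype: str) -> Answer:
        self.calls += 1
        key = (name.lower(), rtype.upper())
        if key in self.zone:
            return self.zone[key]
        if any(zone_name == key[0] for zone_name, _ in self.zone):
            return Answer("NOERROR", [], 300)   # name exists, type does not: NODATA
        return Answer("NXDOMAIN", [], 300)      # name does not exist


class DnsProxyCache:
    def __init__(self, backend, min_ttl=0, max_ttl=604800,
                 refresh_window=0, clock=time.monotonic):
        self.backend = backend
        self.min_ttl, self.max_ttl = min_ttl, max_ttl
        self.refresh_window = refresh_window   # seconds before expiry to refetch
        self.clock = clock
        self.cache: Dict[Tuple[str, str], CacheEntry] = {}

    def clamp_ttl(self, ttl: int) -> int:
        """The page's rule: raise to minTTL, lower to maxTTL."""
        return min(max(ttl, self.min_ttl), self.max_ttl)

    def _fetch(self, key: Tuple[str, str]) -> Answer:
        upstream = self.backend.query(*key)
        answer = Answer(upstream.rcode, list(upstream.records),
                        self.clamp_ttl(upstream.ttl))
        # Negative answers are stored as well (negative caching).
        self.cache[key] = CacheEntry(answer, self.clock() + answer.ttl)
        return answer

    def resolve(self, name: str, rtype: str) -> Tuple[Answer, str]:
        """Return (answer, source); source says where the answer came from."""
        key = (name.lower(), rtype.upper())
        now = self.clock()
        entry = self.cache.get(key)
        if entry is None or now >= entry.expires_at:
            return self._fetch(key), "backend"
        if now >= entry.expires_at - self.refresh_window:
            # Proactive refresh: serve the still-valid entry, but renew it now
            # so no client waits for the back-end round trip at expiry.
            self._fetch(key)
            return entry.answer, "cache-refreshed"
        return entry.answer, "cache"


class FakeClock:
    """Manual clock so expiry can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> Dict[str, object]:
    """Walk through clamping, negative caching and proactive refresh."""
    clock = FakeClock()
    zone = {   # constructed: the back-end sets TTL 60 on www and 5000 on mail
        ("www.abc.com", "A"): Answer("NOERROR", ["10.100.100.3"], 60),
        ("mail.abc.com", "A"): Answer("NOERROR", ["10.100.100.4"], 5000),
    }
    backend = FakeBackend(zone)
    proxy = DnsProxyCache(backend, min_ttl=500, max_ttl=3600,
                          refresh_window=30, clock=clock)
    out: Dict[str, object] = {}
    www, out["www_source"] = proxy.resolve("www.abc.com", "A")
    out["www_ttl"] = www.ttl                                      # 60 raised to 500
    out["mail_ttl"] = proxy.resolve("mail.abc.com", "A")[0].ttl   # 5000 lowered to 3600
    out["nx_rcode"] = proxy.resolve("nosuch.abc.com", "A")[0].rcode
    nodata = proxy.resolve("www.abc.com", "AAAA")[0]
    out["nodata"] = (nodata.rcode, len(nodata.records))
    calls = backend.calls
    proxy.resolve("nosuch.abc.com", "A")          # both negative answers now
    proxy.resolve("www.abc.com", "AAAA")          # come from the cache
    out["negative_cached"] = backend.calls == calls
    clock.now = 480.0                              # 20 s before www expires at 500
    out["refresh_source"] = proxy.resolve("www.abc.com", "A")[1]
    out["www_expires_at"] = proxy.cache[("www.abc.com", "A")].expires_at  # 480 + 500
    return out
```

Note what raising minTTL does to negative answers: an NXDOMAIN from the
back-end is held for the clamped TTL too, so a name added to the zone right
after a failed lookup stays unresolvable through this proxy until that entry
expires or the proxy records are flushed.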
1. In the navigation pane, expand DNS, expand Records, and click Address
Records.
2. Click Flush Proxy Records.
Example
flush dns proxyRecords
At the NetScaler command prompt, type the following commands to specify the
maximum number of concurrent DNS requests allowed on a single client
connection and verify the configuration:
• set dns parameter -maxPipeline <positive_integer>
• show dns parameter
Example
> set dns parameter -maxPipeline 1000
Done
> show dns parameter
DNS parameters:
DNS retries: 5
.
.
.
Max DNS Pipeline Requests: 1000
Done
>
When you start the NetScaler for the first time, 13 root name servers are added to
the ns.conf file. The NS and Address records for the 13 root servers are also
added. You can modify the ns.conf file but the NetScaler does not allow you to
delete all 13 records; at least one name server entry is required for the resolution
to occur. The following diagram illustrates this process.
Recursive resolution
When the NetScaler, acting as an end resolver, receives a query for the address
of s1.s2.s3.com and has no cached answer, it first asks a root name server. The
root name server does not know the address; it refers the NetScaler to the name
servers for .com. The .com name server in turn refers it to the name servers
for s3.com, which refer it to the name servers for s2.s3.com. At any step, a
name server that already holds the address answers directly; otherwise the
name server that is authoritative for s2.s3.com finally answers with the IP
address of s1.s2.s3.com. In this way, resolution always starts from the root
name servers and ends with the domain's authoritative name server.
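The walk down the tree described above, as an added example for this page (not
Citrix code): a resolver starts at a root hint and follows referrals until an
authoritative server answers, with a hop limit so a broken delegation cannot
loop forever. The delegation tree, the server addresses (RFC 5737
documentation ranges) and the function names are constructed for the example;
unlike a production resolver, it starts from the root on every query, which is
exactly the sequence the text lays out.

```python
from typing import Dict, List, Optional, Tuple

# Constructed delegation tree: one name server per zone, keyed by a
# documentation address. Each server knows the A records of its own zone,
# the NS records of the zones it delegates, and glue for those name
# servers. Names are absolute (trailing dot).
ROOT_HINTS = ["198.41.0.4"]
NAME_SERVERS: Dict[str, Dict] = {
    "198.41.0.4": {"zone": ".", "A": {},
                   "NS": {"com.": "a.gtld.example."},
                   "glue": {"a.gtld.example.": "192.0.2.10"}},
    "192.0.2.10": {"zone": "com.", "A": {},
                   "NS": {"s3.com.": "ns1.s3.com."},
                   "glue": {"ns1.s3.com.": "192.0.2.20"}},
    "192.0.2.20": {"zone": "s3.com.", "A": {"ns1.s3.com.": "192.0.2.20"},
                   "NS": {"s2.s3.com.": "ns1.s2.s3.com."},
                   "glue": {"ns1.s2.s3.com.": "192.0.2.30"}},
    "192.0.2.30": {"zone": "s2.s3.com.",
                   "A": {"s1.s2.s3.com.": "203.0.113.5",
                         "ns1.s2.s3.com.": "192.0.2.30"},
                   "NS": {}, "glue": {}},
}


def in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def server_reply(server_ip: str, qname: str) -> Tuple:
    """What an authoritative server says about qname: ("answer", ip),
    ("referral", zone, ns_ip) for the closest delegation it knows of,
    ("nxdomain",) when the name is inside its zone but absent, or
    ("refused",) when the name is outside its authority entirely."""
    srv = NAME_SERVERS[server_ip]
    if qname in srv["A"]:
        return ("answer", srv["A"][qname])
    delegations = [(zone, ns) for zone, ns in srv["NS"].items()
                   if in_zone(qname, zone)]
    if delegations:
        zone, ns = max(delegations, key=lambda d: len(d[0]))  # closest zone
        return ("referral", zone, srv["glue"][ns])
    if in_zone(qname, srv["zone"]):
        return ("nxdomain",)
    return ("refused",)


def resolve(qname: str, max_hops: int = 10) -> Tuple[Optional[str], List[str]]:
    """Iterative resolution as the page describes it: start at a root
    server, follow referrals down the tree, stop at the authoritative
    server. Returns (address or None, zones asked in order)."""
    if not qname.endswith("."):
        qname += "."
    path: List[str] = []
    server = ROOT_HINTS[0]
    for _ in range(max_hops):
        path.append(NAME_SERVERS[server]["zone"])
        reply = server_reply(server, qname)
        if reply[0] == "answer":
            return reply[1], path
        if reply[0] == "referral":
            server = reply[2]
            continue
        return None, path
    raise RuntimeError(f"gave up on {qname} after {max_hops} referrals")
```

The returned path is the list of zones consulted; for s1.s2.s3.com it is the
root, com, s3.com and s2.s3.com, matching the text, while a name that the
s3.com server happens to hold itself (its own ns1) stops one level earlier.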
Example
set dns parameter -recursion enabled
Example
set dns parameter -retries 5
Example
set dns parameter -recursion disabled
• Click DNS Virtual Server, and select a DNS virtual server. Click
New if you want to create a new load balancing vserver. The Create
Virtual Server (Load Balancing) dialog box appears.
4. Click Create and click Close.
Example
add dns nameserver 10.102.29.10
Note: When name servers are added in the Forwarder mode, the LOCAL option
must be cleared. When name servers are added in the End Resolver mode, the
LOCAL option must be selected.
Note: If the DNS vserver that you have configured is DOWN and you have set
-namelookuppriority to DNS, the NetScaler does not attempt a WINS lookup.
Therefore, if no DNS vserver is configured, or the configured one is disabled,
set -namelookuppriority to WINS.
In the navigation pane, expand DNS and click Name Servers. The Name
Servers page appears in the details pane. The configured name servers and their
values appear in the Details pane.
Example
rm dns nameserver 10.102.29.10
Example
enable dns nameserver 10.102.29.10
3. In the DNS Suffix text box, type the suffix (for example, citrix.com).
4. Click Create and click Close.
In the navigation pane, expand DNS and click DNS Suffix. The DNS Suffix page
appears in the details pane. The configured suffixes appear in the details pane.
Note: If records for a domain are distributed between the NetScaler and a back-
end server, only records configured on the NetScaler are returned.
The NetScaler provides the option to configure DNS views and DNS policies.
These are used for performing global server load balancing. For more
information, see Chapter 8, “Global Server Load Balancing.”
CHAPTER 8
This chapter describes the global server load balancing (GSLB) feature of a Citrix
NetScaler. Learn how global server load balancing works and how to configure
both basic and advanced features. To understand global server load balancing,
you must be familiar with the principles of standard load balancing and the
process for configuring it. For more information about standard load balancing,
see Chapter 1, “Load Balancing.”
In This Chapter
How Global Server Load Balancing Works
Configuring Global Server Load Balancing (GSLB)
Customizing the GSLB Configuration
Protecting the GSLB Setup against Failure
Managing Client Connections
Improving Manageability of GSLB Using DNS Views
Configuring GSLB in Commonly Used Deployment Scenarios
Global server load balancing integrates load balancing with DNS and provides
link load balancing for inbound requests. For more information about link load
balancing, see “Link Load Balancing,” on page 549. When you configure global
server load balancing on the NetScaler, the NetScaler evaluates the resolved list
of IP addresses and selects the data center. The NetScaler keeps track of the
location, performance, load, and availability of each data center and uses these
factors to determine which data center to send the client requests.
GSLB architecture
As illustrated in the preceding diagram, a GSLB setup requires the following
entities.
Chapter 8 Global Server Load Balancing 539
Working of MEP
As shown in the preceding diagram, the data centers use the public IP address to
communicate with the firewall. Remote data centers exchange MEP information
using the public IP address. MEP uses IP address 200.5.33.17 and port 3011 to
obtain statistics of Site-GSLB-North-America. The NetScaler performs network
address translation (NAT) and uses 200.5.33.17 and 3011 to start a
communication session with Firewall-1. The public IP address is required only if
the virtual server is in a private address space and has a public IP hosted on an
external firewall or NAT device.
Alternatively, you can bind monitors to a remote service on the NetScaler.
When monitors are bound, metric exchange does not control the state of the
remote service: if a monitor is assigned to a remote service and metric
exchange is enabled, the monitor controls the health status. Binding monitors
to the remote service allows the NetScaler to interact with a non-NetScaler
load balancing device. The NetScaler can monitor non-NetScaler devices but
cannot perform load balancing on them.
Connection proxy is required while mirroring the connections across data centers.
Connection proxy does not work for non-HTTP traffic. However, with the data
centers being geographically distant, it is beneficial to redirect the client requests
to the original data center. HTTP redirect is preferred for large downloads (for
example, hundreds of megabytes) or when cookies are structured. The working of
HTTP redirect persistence is shown in the following diagram.
Example
add service Service-ADNS-1 10.14.39.21 ADNS 53
Note: For the NetScaler to be authoritative, you must also create SOA and NS
records. For more information about SOA and NS records, see Chapter 7,
“Domain Name System.”
Example
add gslb site Site-GSLB-East-Coast 10.14.39.21
After you have created a GSLB site, create a GSLB service as described in the
following section.
You can add, remove, modify, enable, and disable GSLB services. To create
services, use the parameters in the following table.
GSLB Service Parameters
Parameter Specifies
Name (Name)
Name of the service. This alphanumeric string is required and cannot be
changed after the service is created. The name must not exceed 127
characters, and the leading character must be a number or letter. The
following characters are also allowed: @ _ - . (period) : (colon) # and
space ( ).
Service Type (serviceType)
Type of service that is being added. The possible values are: HTTP, FTP,
TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, NNTP, ANY, SIP_UDP.
Port (port)
Port on which the service is running. The minimum value is 1.
Public IP (IPAddress)
Public IP address that remote sites use to access the site. The MEP uses
this address to obtain statistics, and this address is returned by the DNS
system as a result of a DNS resolution. This IP address is required only if
the virtual server is in a private address space and has a public IP hosted
on an external firewall or NAT device. You only need to set this IP address
for a local site, because the IP address of a remote site is publicly
routable.
Site Name (siteName)
Name of the GSLB site. This parameter is mandatory. The maximum length is
31.
Example
add gslb service Service-GSLB-1 10.14.39.14 HTTP 80 -siteName Site-GSLB-East-Coast
After you have created a GSLB service, create a GSLB virtual server as described
in the following section.
Examples
add gslb vserver Vserver-GSLB-1 HTTP -ipType IPv4
add gslb vserver Vserver-GSLB-2 HTTP -ipType IPv6
After you have created a GSLB virtual server, you must bind the GSLB service to
the GSLB virtual server as described in the following section.
Virtual Server Parameters
Parameter Specifies
Name (name)
Name of the GSLB virtual server. This alphanumeric string is required and
cannot be changed after the virtual server is created. The name must not
exceed 127 characters, and the leading character must be a number or
letter. The following characters are also allowed: @ _ - . (period) :
(colon) # and space ( ).
Service Type (serviceType)
Service type of the virtual server. Possible values: HTTP, FTP, TCP, UDP,
SSL, SSL_BRIDGE, SSL_TCP, NNTP, ANY.
IP Type (iptype)
Whether this virtual server supports services that use IPv4 or IPv6.
Possible values: IPv4, IPv6. Default: IPv4.
(for example, HTTP), and the IP type of GSLB services supported on this
virtual server. (for example, IPv4).
4. Click Create, and then click Close. The GSLB virtual server you created
appears in the GSLB Virtual Servers pane.
Example
bind gslb vserver Vserver-GSLB-1 -serviceName Service-GSLB-1
After you have bound the GSLB service to a GSLB virtual server, bind a domain
to the GSLB virtual server as described in the following section.
To create or bind a domain to a GSLB virtual server, use the parameter in the
following table.
Parameter for Binding a Domain to a GSLB Virtual Server
Parameter Specifies
Domain Name (domainName)
Name of the domain for which TTL and/or the backup IP address needs to be
changed.
Example
bind gslb vserver Vserver-GSLB-1 -domainName www.mycompany.com
For more information about Address, SOA, and NS records, see Chapter 7,
“Domain Name System.”
Delegating a Subdomain
The NetScaler must receive the DNS requests so that it can resolve the domain
or host name to an IP address. In practice, any DNS server may receive the DNS
requests, and they must be redirected to the NetScaler, which resolves the IP
address. To redirect the DNS requests to the NetScaler, you delegate a
subdomain to it. Domain delegation is the process of assigning responsibility
for a subdomain to a different set of name servers. After delegating the
subdomain, you can make the NetScaler the authority for it. When the NetScaler
is authoritative for a subdomain, every DNS request for that subdomain reaches
the NetScaler, so that the NetScaler can load balance the request across
geographically dispersed data centers.
To delegate a subdomain, you must create an NS record and an Address record.
For more information about NS records and the procedure for domain delegation,
see Chapter 7, “Domain Name System.”
In the navigation pane, expand GSLB and click Sites. All of the parameters and
configured values of this site appear in the details pane.
To view the statistics of a GSLB site by using the NetScaler command line
In the navigation pane, expand GSLB and click Virtual Servers. All of the
parameters and configured values of the virtual server appear in the details pane.
In the navigation pane, expand GSLB and click Services. All the parameters and
configured values for the service appear in the details pane.
2. In GSLB Virtual Servers pane, select the GSLB Virtual Server whose
domain statistics you want to view and click Open.
3. In the Configure GSLB Virtual Server dialog box, on the Domains tab,
select the domain whose statistics you want to view.
4. Click Statistics.
Example
set gslb site Site-GSLB-East-Coast -sessionExchange ENABLED
Example
set gslb site Site-GSLB-East-Coast -metricExchange ENABLED
Example
set gslb site Site-GSLB-East-Coast -metricExchange DISABLED
Example
rm gslb site Site-GSLB-East-Coast
2. In GSLB Services pane, select the GSLB service that you want to modify
(for example, Service-GSLB-1) and click Open.
3. On the Basic tab, in the Max Bandwidth text box, type the maximum
bandwidth (for example, 100).
4. Click OK.
Example
set gslb service Service-GSLB-1 -maxBandwidth 100
Example
enable gslb service Service-GSLB-1
Example
disable gslb service Service-GSLB-1
Example
rm gslb service Service-GSLB-1
2. Select the GSLB virtual server that you want to enable (for example,
Vserver-GSLB-1).
3. Click Enable to enable the virtual server.
Example
enable gslb vserver Vserver-GSLB-1
Example
disable gslb vserver Vserver-GSLB-1
4. On the Services tab, in the Active column, clear the check box next to the
GSLB services that you want to unbind.
5. Click OK.
Example
unbind gslb vserver Vserver-GSLB-1 -serviceName Service-GSLB-1
Example
unbind gslb vserver Vserver-GSLB-1 -domainName www.mycompany.com
Example
rm gslb vserver Vserver-GSLB-1
• For all GSLB sites, the GSLB site IP address must be added and the
Management Access setting must be enabled on the GSLB site IP address.
For more information about adding the GSLB site IP addresses and
enabling Management Access, see Citrix NetScaler Networking Guide.
• The GSLB configuration is complete on the NetScaler that synchronizes
the configuration.
• Synchronization occurs only across GSLB sites. LB sites are aware of their
parent GSLB sites configuration only. For more information about LB sites,
see “Configuring a GSLB Hierarchy,” on page 674.
You need to use the procedure described in this section to enable the local site to
synchronize its GSLB configuration with the remote sites that are involved in the
GSLB setup.
Note: If you want to save the output of this command to your local
system, click Save output text to a file.
3. Click Close.
Note: If you want to save the output of this command to your local
system, click Save output text to a file.
3. Click Close.
2. In the details pane, under Getting Started, click GSLB Visualizer, and then
do the following.
• To pan the view of the displayed image, click a blank area of the
image, hold down the mouse button, and drag the image.
• To adjust the viewable area click Zoom In to increase or Zoom Out
to decrease the size of the objects. You can readjust the viewable area
by clicking Best Fit.
• To locate a specific item, begin typing the item's name in the Search
field. Entities whose names match the typed characters are
highlighted. Continue typing until the item is uniquely identified. To
clear the Search field, click the x adjacent to the field.
To add a GSLB domain and configure GSLB services and sites for the
domain by using the Visualizer
1. Open the GSLB Visualizer and click the entity whose binding information
you want to view.
2. In Related Tasks, click Show Bindings.
Alternatively, right-click the entity, and then click Show Bindings.
To view the Visualizer for load balancing and content switching virtual
servers from the GSLB Visualizer
1. Open the GSLB Visualizer and click the load balancing or content
switching virtual server whose Visualizer you want to view.
2. In Related Tasks, click Visualizer.
Alternatively, right-click the virtual server, and then click Visualizer.
To view statistics for a GSLB service, site, ADNS service, or virtual server
1. Open the GSLB Visualizer and click the entity whose statistics you want to
view.
2. In Related Tasks, click Statistics.
Alternatively, right-click the entity for whose statistics you want to view,
and then click Statistics. The context-sensitive menu, however, is not
available for GSLB sites.
1. Open the GSLB Visualizer and click the entity whose properties you want
to copy.
570 Citrix NetScaler Traffic Management Guide
1. Open the GSLB Visualizer and click the domain that you want to remove.
2. In Related Tasks, click Remove.
Alternatively, right-click the domain, and then click Remove.
Entity diagram
Example
add gslb service -cnameEntry Service-GSLB-1 transport.mycompany.com
-siteName Site-GSLB-East-Coast
Limitations:
Following are the limitations of CNAME-based GSLB services:
• Site persistence is not supported, because the service referred to by a
CNAME can be located anywhere, including at a third-party location.
• The multiple IP address response and empty address record features are not
supported, because one domain cannot have more than one CNAME record.
• An IP-based service cannot be bound to a CNAME-based GSLB virtual
server. A CNAME-based GSLB virtual server can have only
CNAME-based GSLB services bound to it. (When you bind a CNAME
GSLB service to a GSLB virtual server, the GSLB virtual server becomes a
CNAME-based GSLB virtual server. You can bind an IP-based GSLB
service to the GSLB virtual server only after you unbind all CNAME-based
services.)
• Only static GSLB methods such as static proximity, hash, and round robin
are supported.
5. Click OK.
Example
set gslb vserver Vserver-GSLB-1 -lbMethod ROUNDROBIN
For GSLB methods to function, either MEP must be enabled, or explicit monitors
need to be bound to the remote services. The following table shows the
dependencies between MEP and GSLB methods.
The working of the static proximity method that the NetScaler uses in the data
center selection process is summarized in the following steps:
Step 1. A client sends a query for a domain to access an application by using
resources such as Web, email, and VPN. In the diagram, the client requests
www.mycompany.com using the browser. The content for this Web site is
supported at two different data centers (Site-GSLB-North-America and
Site-GSLB-Asia). If the IP address for the domain is not found in the local cache,
the browser sends a request to the local client DNS server.
Step 2. If the local DNS server does not have an IP address for a requested
domain, it sends a query to the NetScaler (that is configured as the authoritative
DNS server for the domain).
Step 3. The NetScaler looks up the source address of the query in the static
proximity database (Example Database-1) to find the location it belongs to.
Because the query arrives from the local DNS server, it is the local DNS
server's address, assumed to be close to the client, that is matched, not the
client's own address. The NetScaler provides two ways of adding location
entries to the static proximity database:
• Static entries, loaded from a location file
• Custom entries, added individually
In this example, the NetScaler uses Example Database-1 to determine that the
querying address falls within the IP address range specified for
Site-GSLB-North-America.
Step 4. The NetScaler then forwards the IP address of Site-GSLB-North-America
to the client and the client browser displays the Web page. Global server load
balancing using the static proximity method is complete and the subsequent client
requests are directed to Site-GSLB-North-America. Similarly, the NetScaler
forwards requests from Client 2 to the Site-GSLB-Asia data center.
The following procedure describes the steps to set the GSLB algorithm to static
proximity.
Example
set gslb vserver vserver-GSLB-1 -lbMethod STATICPROXIMITY
For the static proximity method to work as described in the preceding section,
you need to either configure the NetScaler to use an existing static proximity
database or add custom entries to the static proximity database, as described in
the following section.
Note: In a high availability (HA) setup, an identical copy of the file must be
present in the same location on both NetScalers.
The static proximity database is a UNIX-style (LF line endings) ASCII text file.
Only one location file can be loaded on the NetScaler at a time; adding a new
location file replaces the existing one. The number of entries in the static
proximity database is limited by the memory configured on the NetScaler.
The static proximity database can use the default (netscaler) format or one of
the formats derived from commercial third-party databases (such as
www.maxmind.com and www.ip2location.com).
Each of these databases differs in the details it provides. There is no strict
enforcement of the database file format, except that the default-format file
has format tags. The database files are ASCII files that use a comma as the
field delimiter; they differ in the order of the fields and in how IP addresses
are represented (decimal or dotted notation). The format parameter tells the
NetScaler how the file is structured. Specifying a format that does not match
the file causes the fields to be mis-parsed and corrupts the internal data, so
check the format value against the file before loading it. The following
abbreviations are used in this section.
Abbreviations for Location Parameters
Abbreviation  Description
CSHN          Short name of a country, based on the ISO 3166 country code standard.
LCN           Long name of a country.
RC            Region code, based on ISO 3166-2 for the US and Canada. The FIPS 10-4 region code is used for all other regions.
Note: Some databases provide short country names according to ISO-3166 and
long country names as well. The NetScaler uses short names when storing and
matching qualifiers.
• ip-country-isp
• ip-country-region-city
• ip-country-region-city-isp
• geoip-country
• geoip-region
• geoip-city
• geoip-country-organization
• geoip-country-isp
• geoip-city-isp-organization
Note: To create the static proximity database, you need to log in to the shell
and create a file with the location details in one of the formats described below.
IP-Country Format
This database format is derived from a third party. It helps you determine the
country of an IP address.
Format: “IP from (decimal #)”, “IP to (decimal #)”, “CSHN”, “LCN”
The following table shows the qualifier assignments of this format.
Qualifier Assignments for IP-Country Format
Qualifier   Database field
Qualifier1  Geographic context: derived from Qualifier2. Custom context: not assigned.
Qualifier2  CSHN
Qualifier3  Not assigned
Qualifier4  Not assigned
Qualifier5  Not assigned
Qualifier6  Not assigned
IP-Country-ISP Format
This database format is derived from the IP-Country-ISP database at
ip2location.com. It enables you to determine the country and the ISP of an IP
address.
Format: “IP from (decimal #)”, “IP to (decimal #)”, “CSHN”, “LCN”, “ISP”
The following table shows the qualifier assignments of this format.
Qualifier Assignments for IP-Country-ISP Format
Qualifier   Database field
Qualifier1  Geographic context: derived from Qualifier2. Custom context: not assigned.
Qualifier2  CSHN
Qualifier3  Not assigned
Qualifier4  Not assigned
Qualifier5  ISP
Qualifier6  Not assigned
IP-Country-Region-City Format
This database format is derived from ip2location.com. This database enables you
to determine the country, region or state, and city of an IP address.
Format: “IP from (decimal #)”, “IP to (decimal #)”, “CSHN”, “LCN”, “Region”,
“City”
The following table shows the qualifier assignments of this format.
Qualifier Assignments for IP-Country-Region-City Format
Qualifier   Database field
Qualifier1  Geographic context: derived from Qualifier2. Custom context: not assigned.
Qualifier2  CSHN
Qualifier3  Region
Qualifier4  City
Qualifier5  Not assigned
Qualifier6  Not assigned
IP-Country-Region-City-ISP Format
This database format is derived from ip2location.com. It enables you to
determine the country, region or state, city and ISP of an IP address.
Format: “IP from (decimal #)”, “IP to (decimal #)”, “CSHN”, “LCN”, “Region”,
“City”, “ISP”
The following table shows the qualifier assignments of this format.
Qualifier Assignments for IP-Country-Region-City-ISP Format
Qualifier   Database field
Qualifier1  Geographic context: derived from Qualifier2. Custom context: not assigned.
Qualifier2  CSHN
Qualifier3  Region
Qualifier4  City
Qualifier5  ISP
Qualifier6  Not assigned
GeoIP-Country Format
This database format is derived from GeoIP Country Edition database of
maxmind.com. It helps you to determine the geographical country location of an
IP address.
Format: “IP from (dot notation)”, “IP to (dot notation)”, “IP from (decimal #)”,
“IP to (decimal #)”, “CSHN”, “LCN”
The following table shows the qualifier assignments of this format.
Qualifier Assignments for GeoIP-Country Format
Qualifier   Database field
Qualifier1  Geographic context: derived from Qualifier2. Custom context: not assigned.
Qualifier2  CSHN
Qualifier3  Not assigned
Qualifier4  Not assigned
Qualifier5  Not assigned
Qualifier6  Not assigned
GeoIP-Region Format
This format is derived from the GeoIP Region Edition database of maxmind.com.
It enables you to determine the state/province for US/Canadian IP addresses, and
the country of any other IP address.
Format: “IP from (dot notation)”, “IP to (dot notation)”, “IP from (decimal #)”,
“IP to (decimal #)”,”CSHN”, “RC”
The following table shows the qualifier assignments of this format.
Qualifier Assignments for GeoIP-Region Format
Qualifier   Database field
Qualifier1  Geographic context: derived from Qualifier2. Custom context: not assigned.
Qualifier2  CSHN
Qualifier3  RC
Qualifier4  Not assigned
Qualifier5  Not assigned
Qualifier6  Not assigned
GeoIP-City Format
This format is derived from the GeoIP City Edition database of maxmind.com. In
addition to country and state/region, you can determine the city, US area code,
metro code, latitude, and longitude information of an IP address.
Format: “IP from (decimal #)”, “IP to (decimal #)”, “Location ID”, “CSHN”,
“RC”, “City”
Location ID is an internal code in this format. It is used to join this file to
other tables of the same database and is not used by the NetScaler. The following
table shows the qualifier assignments of this format.
Qualifier Assignments for GeoIP-City Format
Qualifier   Database field
Qualifier1  Geographic context: derived from Qualifier2. Custom context: not assigned.
Qualifier2  CSHN
Qualifier3  RC
Qualifier4  City
Qualifier5  Not assigned
Qualifier6  Not assigned
GeoIP-Country-Organization Format
This format is derived from the GeoIP Country Edition with Organizations
database of maxmind.com. It enables you to determine the organization of
corporate networks and the ISP for home users.
Format: “IP from (dot notation)”, “IP to (dot notation)”, “CSHN”,
“Organization”
The following table shows the qualifier assignments of this format.
Qualifier Assignments for GeoIP-Country-Organization Format
Qualifier   Database field
Qualifier1  Geographic context: derived from Qualifier2. Custom context: not assigned.
Qualifier2  CSHN
Qualifier3  Not assigned
Qualifier4  Not assigned
Qualifier5  Not assigned
GeoIP-Country-ISP Format
This format is derived from the GeoIP Country Edition with ISP database of
maxmind.com. It enables you to determine the ISP of an IP address.
Format: “IP from (dot notation)”, “IP to (dot notation)”, “CSHN”, “ISP name”
The following table shows the qualifier assignments of this format.
Qualifier Assignments for GeoIP-Country-ISP Format
Qualifier   Database field
Qualifier1  Geographic context: derived from Qualifier2. Custom context: not assigned.
Qualifier2  CSHN
Qualifier3  Not assigned
Qualifier4  Not assigned
Qualifier5  ISP
Qualifier6  Not assigned
GeoIP-City-ISP-Organization Format
This format is derived from the GeoIP Premium City Edition with ISP, and
Organization database of maxmind.com. It helps you determine the city, ISP and
organization of an IP address.
Format: “IP from (decimal #)”, “IP to (decimal #)”,”Location ID”, “CSHN”,
“RC”, “City”, “Postal code”, “Latitude”, “Longitude”, “ISP”, “Organization”,
“DMA code”, “Area Code”
The NetScaler does not use the following fields: Location ID, Postal code,
Latitude, Longitude, DMA code, and Area Code.
The following table shows the qualifier assignments of this format.
Qualifier Assignments for GeoIP-City-ISP-Organization Format
Qualifier   Database field
Qualifier1  Geographic context: derived from Qualifier2. Custom context: not assigned.
Qualifier2  CSHN
You can add and remove a static location file. To add a static location file, use the
parameters in the following table.
Parameters for Adding a Static Location File
Parameter                     Specifies
Location file (locationFile)  Name of the location file, including the full path. If the full path is not given, the default path /var/netscaler/locdb is used. In high-availability mode, the static proximity database should be stored in the same location on both NetScalers.
Location Format (format)      Format of the location file. This optional argument tells the NetScaler how to interpret the file. Possible values: netscaler, ip-country, ip-country-isp, ip-country-region-city, ip-country-region-city-isp, geoip-country, geoip-region, geoip-city, geoip-country-org, geoip-country-isp, geoip-city-isp-org. Default: netscaler (NSMAP_FORMAT_NETSCALER).
4. In the Location Format box, select the format of the location (for example,
netscaler).
5. Click Create and click Close.
Example
add locationfile /var/nsmap/locationdb -format netscaler
You can view an imported location file database by using the View Database
dialog box in the configuration utility. There is no comparable NetScaler
command line equivalent.
4. Click Create and click Close. The custom entry that you have created
appears on the Custom Entries tab.
Example
add location 192.168.100.1 192.168.100.100 *.us.ca.mycity
In the navigation pane, expand GSLB and click Location. All the parameters and
configured values of this entry appear in the details pane.
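The following Python module is an added example and is not part of the NetScaler guide or of the appliance's software. It parses location files in the formats listed above, taking the column positions from the "Format:" lines and the qualifier tables, accepts a custom entry in the style of the add location command shown above, and resolves an address to the narrowest matching range, which is what lets a custom entry override part of a file-loaded range. The continent table, the behaviour when no range matches, and the sample rows are assumptions constructed for the example; the appliance's own parser is not shown on this page.

```python
"""Parser and lookup for NetScaler-style static proximity location files.
Added example, not NetScaler code. Column positions follow the "Format:" lines
of the page; the continent table and the fallback are assumptions."""
import csv
import io
import ipaddress
from typing import Dict, List, Optional, Tuple

Qualifiers = Dict[int, str]  # qualifier number (1..6) -> value

# Per format: (ip_from_column, ip_to_column, ranges_are_dotted, {qualifier: column}).
FORMATS: Dict[str, Tuple[int, int, bool, Dict[int, int]]] = {
    "ip-country": (0, 1, False, {2: 2}),
    "ip-country-isp": (0, 1, False, {2: 2, 5: 4}),
    "ip-country-region-city": (0, 1, False, {2: 2, 3: 4, 4: 5}),
    "ip-country-region-city-isp": (0, 1, False, {2: 2, 3: 4, 4: 5, 5: 6}),
    "geoip-country": (2, 3, False, {2: 4}),  # columns 0-1 are the dotted copies of the range
    "geoip-region": (2, 3, False, {2: 4, 3: 5}),
    "geoip-city": (0, 1, False, {2: 3, 3: 4, 4: 5}),
    "geoip-country-org": (0, 1, True, {2: 2}),
    "geoip-country-isp": (0, 1, True, {2: 2, 5: 3}),
    "geoip-city-isp-org": (0, 1, False, {2: 3}),  # the page lists only Qualifier2 for this format
}

# Assumed continent codes: the page says Qualifier1 is derived from the country
# but does not print the mapping.
CONTINENT_OF_COUNTRY = {"US": "NA", "CA": "NA", "GB": "EU", "DE": "EU", "JP": "AS", "IN": "AS", "AU": "OC"}


def _ip_to_int(field: str, dotted: bool) -> int:
    field = field.strip()
    return int(ipaddress.IPv4Address(field)) if dotted else int(field)


class LocationDB:
    """In-memory stand-in for the appliance's static proximity database."""

    def __init__(self, context: str = "geographic") -> None:
        self.context = context
        self._entries: List[Tuple[int, int, Qualifiers]] = []

    def _insert(self, start: int, end: int, quals: Qualifiers) -> None:
        if start > end:
            raise ValueError(f"range start {start} is after end {end}")
        if self.context == "geographic" and 1 not in quals and 2 in quals:
            quals[1] = CONTINENT_OF_COUNTRY.get(quals[2].upper(), "*")
        self._entries.append((start, end, quals))

    def load_file(self, text: str, fmt: str) -> int:
        """Parse one comma-delimited location file in the given format; return rows loaded."""
        if fmt not in FORMATS:
            raise ValueError(f"unknown location format {fmt!r}")
        from_col, to_col, dotted, qual_cols = FORMATS[fmt]
        needed = max([from_col, to_col, *qual_cols.values()]) + 1
        loaded = 0
        for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
            if not row or row[0].lstrip().startswith("#"):
                continue
            if len(row) < needed:
                # Reject rows that do not fit the declared format instead of mis-parsing
                # them: this is the format/file mismatch the page warns corrupts the database.
                raise ValueError(f"line {lineno}: {fmt} needs {needed} fields, got {len(row)}")
            quals = {q: row[c].strip() for q, c in qual_cols.items()}
            self._insert(_ip_to_int(row[from_col], dotted), _ip_to_int(row[to_col], dotted), quals)
            loaded += 1
        return loaded

    def add_location(self, ip_from: str, ip_to: str, qualifier_string: str) -> None:
        """Custom entry in 'add location' style: dot-separated qualifiers, '*' = unassigned."""
        labels = qualifier_string.split(".")
        if len(labels) > 6:
            raise ValueError("at most six qualifiers are allowed")
        quals = {n: label for n, label in enumerate(labels, start=1) if label != "*"}
        self._insert(_ip_to_int(ip_from, True), _ip_to_int(ip_to, True), quals)

    def locate(self, ip: str) -> Optional[Qualifiers]:
        """Qualifiers of the narrowest range containing ip, or None if no range matches."""
        addr = int(ipaddress.IPv4Address(ip))
        best: Optional[Tuple[int, int, Qualifiers]] = None
        for entry in self._entries:
            start, end, _ = entry
            if start <= addr <= end and (best is None or end - start < best[1] - best[0]):
                best = entry
        return dict(best[2]) if best else None


def select_site(db: LocationDB, ldns_ip: str, site_of_country: Dict[str, str], fallback: str) -> str:
    """Static proximity decision. The address looked up is the local DNS server's,
    because that is where the query arrives from, not the end client's."""
    quals = db.locate(ldns_ip)
    if quals is None or 2 not in quals:
        return fallback  # no location for this resolver: caller's fallback (assumption)
    return site_of_country.get(quals[2].upper(), fallback)


# Constructed sample rows in the ip-country-region-city layout (decimal ranges for
# 192.168.0.0/16 and 10.0.0.0/8); not taken from a real database.
SAMPLE_IP_COUNTRY_REGION_CITY = (
    '"3232235520","3232301055","US","United States","California","San Jose"\n'
    '"167772160","184549375","JP","Japan","Tokyo","Tokyo"\n'
)

if __name__ == "__main__":
    db = LocationDB()
    db.load_file(SAMPLE_IP_COUNTRY_REGION_CITY, "ip-country-region-city")
    db.add_location("192.168.100.1", "192.168.100.100", "*.us.ca.mycity")  # custom entry from the page
    sites = {"US": "Site-GSLB-North-America", "JP": "Site-GSLB-Asia"}
    for ldns in ("192.168.5.9", "192.168.100.50", "10.1.2.3", "172.16.0.1"):
        print(ldns, db.locate(ldns), select_site(db, ldns, sites, "Site-GSLB-North-America"))
```

Two points the code makes explicit: the lookup key is the resolver's source address, so a local DNS server that is far from the clients it serves is steered to the wrong site; and the field-count check turns the format/file mismatch the page warns about into an error at load time instead of silently populating the database with wrong ranges.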
• Qualifier 4 – “Qualifier 4”
• Qualifier 5 – “Qualifier 5”
• Qualifier 6 – “Qualifier 6”
When the geographic context is set, the continent qualifier is derived from the
country qualifier, if it is not provided explicitly. Even the built-in qualifier labels
are based on the context, and the labels can be changed. These qualifier labels
specify the locations mapped with the IP addresses used to make static proximity
decisions. To set the location qualifiers, use the parameters in the following table.
Parameters to Set Location Qualifiers
Parameter  Specifies
context    The context in which a static proximity decision is made. Possible values: geographic, custom.
q1label    The label for the 1st qualifier.
q2label    The label for the 2nd qualifier.
q3label    The label for the 3rd qualifier.
q4label    The label for the 4th qualifier.
q5label    The label for the 5th qualifier.
q6label    The label for the 6th qualifier.
Example
set locationparameter -context custom -q1label asia
Step 2. If the local DNS server does not have an IP address for the requested
domain, it sends a query to the NetScaler that is configured as the authoritative
name server for the domain. The NetScaler offloads the site selection process
from the DNS server. The client’s local DNS server queries the NetScaler for the
IP address of www.mycompany.com.
Step 3. The NetScaler uses the RTT value to select the IP addresses of the “best”
performing sites. The NetScaler uses different mechanisms, such as ICMP echo
Request/Reply (PING), TCP, and UDP, to obtain the RTT metrics between the
local DNS server and the participating sites:
• First, a ping probe is sent to obtain the RTT.
• If the ping probe fails, a DNS (TCP) probe is used to calculate the RTT.
• If the DNS (TCP) probe also fails, the NetScaler uses a DNS (UDP) probe.
The NetScaler performs UDP probing on port 53 and TCP probing on port 80.
The NetScaler uses the proprietary metrics exchange protocol (MEP) to exchange
RTT values between participating sites. If RTT information is not available on the
NetScaler (when a local DNS server of the client accesses the site for the first
time), the GSLB virtual server selects a site using the round robin method and
directs the client to the site.
Step 4. After calculating RTT metrics, the NetScaler sorts the RTT values to
identify the “best” (smallest) RTT metric. The NetScaler determines the data
center with the smallest RTT metric as the best site. In the example, although
Site-GSLB-North-America is geographically closer to the local DNS server of
Client 1, the RTT value is larger than the Site-GSLB-Asia data center. Therefore,
the NetScaler selects Site-GSLB-Asia as the “best” performing site.
Step 5. The NetScaler returns one or more IP address records (DNS “A” resource
records) of the best-performing site to the local DNS server of the client. In the
example, the NetScaler returns the IP address of Site-GSLB-Asia to the local
DNS server of Client 1.
Step 6. The local DNS server of the client returns the IP address to the client that
originated the request. In the example, the IP address of Site-GSLB-Asia is
returned to Client 1. The client then connects to the server in Site-GSLB-Asia for
www.mycompany.com.
The following procedure describes the steps to configure the dynamic RTT
method.
Example
set gslb vserver vserver-GSLB-1 -lbMethod RTT
As described earlier in this section, the NetScaler uses different mechanisms,
such as ICMP echo Request/Reply (PING), TCP, and UDP, to obtain the RTT metrics
between the local DNS server and the participating sites. You can change the
probing interval to suit your environment. In addition, you can configure the
RTT tolerance, in milliseconds: a site whose RTT is within the tolerance of the
lowest measured RTT is treated as equivalent to the best site when a site is
selected. For information about how to configure these settings, see the
following sections.
Example
set gslb vserver vserver-GSLB-1 -lbMethod RTT -tolerance 10
Example
set mon monitor-HTTP-1 HTTP -interval 10 sec -resptimeout 5 sec
• If the entry does not exist, the best server is selected on the basis of the
GSLB policy and is sent as the DNS response. A session entry is created for
this local DNS server with the selected server IP address, and the session
entry is sent to the other sites over MEP. If this local DNS server, or
another local DNS server from the same network (as defined by the
persistence mask), sends a request for the site, the NetScaler responds with
the IP address of the same site. This response is based on the persistence
information exchanged between the GSLB sites, and continues until the
persistence TTL value expires.
For persistence to function across sites, the same persistence identifier must be
configured on the GSLB virtual servers on all sites. The persistence identifier is a
number used to identify the GSLB virtual server on all sites. The cookie contains
the persistence identifier that enables the NetScaler to identify the domain and
forward the requests to the same domain.
To set a virtual server for persistence using the source IP address, use the
parameters in the following table.
Parameters for Configuring Virtual Server Persistence Using Source IP
Parameter                       Specifies
Persistence (persistenceType)   Persistence type for the virtual server. This parameter has two options: SOURCEIP and NONE.
Timeout (timeout)               Time period, in minutes, for which the persistence is in effect for a specific client. Range: 2 through 1440. Default: 2.
PersistMask (persistMask)       Netmask applied to the source IP address while SOURCEIP-based persistence is enabled. Optional. Default: 0xFFFFFFFF (255.255.255.255). Minimum value: 128.0.0.0.
Persistence ID (persistenceId)  Positive integer used to identify the GSLB VIP on all sites. Required if SOURCEIP-based persistence is enabled. Minimum value: 1. Maximum value: 65535.
6. Click OK.
Example
set gslb vserver vserver-GSLB-1 -persistenceType SOURCEIP
-persistenceId 23 -persistMask 255.255.255.255
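As an added example (not NetScaler code), the following Python model shows how the three parameters above work together: the persistence identifier keys the table so that every site recognises the same GSLB virtual server, the persistence mask groups local DNS servers on one network into a single entry, and the timeout expires the entry. Whether the appliance restarts the timer on each hit is not stated on this page, so the model counts the timeout from the moment the entry is created; the site names and addresses are constructed.

```python
"""Source-IP persistence table for a GSLB virtual server.
Added example, not NetScaler code. Models persistenceId, persistMask and timeout
as described on this page; timeout is counted from entry creation (assumption)."""
import ipaddress
from typing import Callable, Dict, Optional, Tuple

Key = Tuple[int, int]  # (persistenceId, masked LDNS address): the session entry shared over MEP


class SourceIpPersistence:
    def __init__(self, persistence_id: int, persist_mask: str = "255.255.255.255",
                 timeout_min: int = 2) -> None:
        if not 1 <= persistence_id <= 65535:
            raise ValueError("persistenceId must be between 1 and 65535")
        if not 2 <= timeout_min <= 1440:
            raise ValueError("timeout must be between 2 and 1440 minutes")
        mask = int(ipaddress.IPv4Address(persist_mask))
        # Only contiguous prefix masks of at least 128.0.0.0 are meaningful.
        if mask < 0x80000000 or "01" in f"{mask:032b}":
            raise ValueError(f"persistMask {persist_mask} is not a valid netmask (minimum 128.0.0.0)")
        self.persistence_id = persistence_id
        self.mask = mask
        self.timeout_s = timeout_min * 60
        self._table: Dict[Key, Tuple[str, float]] = {}  # key -> (site, expires_at)

    def key_for(self, ldns_ip: str) -> Key:
        """Resolvers on the same masked network share one entry."""
        return (self.persistence_id, int(ipaddress.IPv4Address(ldns_ip)) & self.mask)

    def lookup(self, ldns_ip: str, now: float) -> Optional[str]:
        key = self.key_for(ldns_ip)
        entry = self._table.get(key)
        if entry is None:
            return None
        site, expires_at = entry
        if now >= expires_at:  # persistence TTL elapsed: forget the binding
            del self._table[key]
            return None
        return site

    def record(self, ldns_ip: str, site: str, now: float) -> Key:
        """Create the session entry for a fresh decision; returns what MEP would carry."""
        key = self.key_for(ldns_ip)
        self._table[key] = (site, now + self.timeout_s)
        return key

    def import_from_mep(self, key: Key, site: str, now: float) -> None:
        """Install an entry learned from another site. The identifier must match, which is
        why the same persistenceId must be configured on every site."""
        if key[0] != self.persistence_id:
            raise ValueError(f"persistenceId {key[0]} does not belong to this virtual server")
        self._table[key] = (site, now + self.timeout_s)


def resolve(persist: SourceIpPersistence, ldns_ip: str, now: float,
            choose_best: Callable[[], str]) -> Tuple[str, bool]:
    """Answer one DNS query: reuse the persisted site if present, otherwise run the GSLB
    method, persist its choice, and report that a new session entry was created."""
    site = persist.lookup(ldns_ip, now)
    if site is not None:
        return site, False
    site = choose_best()
    persist.record(ldns_ip, site, now)
    return site, True


if __name__ == "__main__":
    # Constructed walk-through: a /24 mask groups two resolvers, entries expire after 2 minutes.
    p = SourceIpPersistence(23, "255.255.255.0", timeout_min=2)
    print(resolve(p, "10.1.1.5", 0.0, lambda: "Site-GSLB-Asia"))
    print(resolve(p, "10.1.1.200", 30.0, lambda: "Site-GSLB-North-America"))
    print(p.lookup("10.1.1.5", 120.0))
```

With the default mask of 255.255.255.255 each resolver gets its own entry; widening the mask trades table size for the chance that unrelated resolvers on one network are pinned to the same site.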
• Requests are sent from a local GSLB service whose public IP address
matches the public IP address of an active service bound to the GSLB
virtual server.
• The local GSLB service has connection proxy enabled.
• A valid cookie exists and contains the IP address of an active remote GSLB
service.
In the following situations, connection proxy does not occur, and the site cookie
is added instead:
• Connection proxy is enabled for the local GSLB service; AND
• a cookie is not supplied; OR
• the cookie exists but refers to an IP address that is not that of an active
remote GSLB service; OR
• the cookie exists and refers to the IP address of the virtual server on
which the request is received.
The following are the limitations of using connection proxy site cookies:
• By definition, it does not work for non-HTTP(S) protocols.
• If an HTTP request is sent to a back-up virtual server, it does not add a
cookie.
• It does not work in cases where SSL client authentication is required.
• When local and remote GSLB services are configured, the statistics of a
GSLB service on the remote site are not the same as in the service on its
local site. The statistics of the remote GSLB service on the local site are
slightly higher than the statistics of the service on the remote site.
To set a virtual server for persistence using HTTP cookies, use the parameter in
the following table.
Parameter to Set Virtual Server Persistence Using HTTP Cookies
Parameter                                Specifies
Site Persistence Type (sitePersistence)  State of cookie-based site persistence. NONE disables site persistence. ConnectionProxy enables connection-proxy-based site persistence: requests from a client are proxied by the site that receives them to the appropriate site, based on the site cookie.
2. In the GSLB Services pane, select the service that you want to configure for
site persistence (for example, service-GSLB-1).
3. Click Open.
4. On the Advanced tab, under Site Persistence type, select Connection
Proxy.
5. Click OK.
Example
set gslb service service-GSLB-1 -sitePersistence ConnectionProxy
To set a GSLB service for site persistence by using the configuration utility
To set a GSLB service for site persistence by using the NetScaler command
line
Example
set gslb service service-GSLB-1 -sitePersistence HTTPRedirect
-sitePrefix vserver-GSLB-1
Note: If you set both of these options for a GSLB virtual server, the backup
session timeout takes precedence over the disablePrimaryOnDown option.
Based on the configuration, the backup server handles the traffic until you
manually enable the primary server. To set a GSLB virtual server for backup site
persistence, use the parameter in the following table.
Parameter to Set a GSLB Virtual Server for Backup Site Persistence
Parameter                              Specifies
Backup Virtual Server (backupVServer)  Virtual server that serves as a backup to the GSLB virtual server.
Example
set gslb vserver vserver-GSLB-1 -backupVServer vserver-GSLB-2
-backupSessionTimeout 3 -disablePrimaryOnDown ENABLED
Dynamic weights
Case 1 - Dynamic Weights Disabled
Weight of GSLB service = 3
Dynamic weight = 0 (disabled)
Cumulative weight (weight x dynamic weight) = 3 x 1 = 3
Note: When the dynamic weight is disabled, the value 1 is used in place of 0
in the multiplication. This ensures that the cumulative weight is always a
nonzero integer.
Note: Dynamic weights are not applicable to content switching virtual servers.
Note: You cannot assign weights if the source IP hash, static proximity, or
dynamic (RTT) GSLB method is selected.
To set GSLB virtual server to use dynamic weights by using the NetScaler
command line
Example
set gslb vserver vserver-GSLB-1 -dynamicWeight SERVICECOUNT
To set GSLB virtual server to use dynamic weights by using the NetScaler
command line
Example
set gslb vserver vserver-GSLB-1 -dynamicWeight SERVICEWEIGHT
The NetScaler periodically evaluates the states of the remote GSLB services by
using:
• MEP
• Monitors that are explicitly bound to remote services
Binding explicit monitors to services is not required, because MEP updates the
state of the GSLB service by default. However, you can bind explicit monitors to
a remote service. When monitors are explicitly bound, the state of the remote
service is not controlled by the metric exchange. The following table summarizes
how the monitors evaluate the state of the remote services.
How Monitors Evaluate the State of Remote Services
Monitor scenario: The monitor probe succeeds, and the remote service is disabled after a specified delay time.
State of remote service: UP
Monitor scenario: The consecutive number of retries fail, and the remote service is disabled after a specified delay time.
State of remote service: DOWN
If an external monitor is bound to the remote service that is DOWN, the round
robin load balancing method is used for load balancing between the sites until the
remote site comes up. If an explicit monitor is assigned to a remote service and
metric exchange is enabled, the health status is controlled by the monitor. The
following table lists the dependencies between MEP and monitoring.
Dependencies Between MEP and Monitoring
Monitoring            MEP enabled                              MEP disabled
Explicit monitors     Health status controlled by monitoring.  Health status controlled by monitoring.
No explicit monitors  Health status controlled by MEP.         All services belonging to the site are marked DOWN.
The following table summarizes how the states of the remote services are
determined when a monitor is bound to a service and when MEP is used.
How Remote Service States Are Determined When MEP Is Used
State of remote service: UP
  Monitors bound to remote service: Monitors evaluate the state of the remote service as UP if the monitor probe succeeds.
  MEP used (no monitors bound to remote service): The NetScaler uses MEP to evaluate the state and effective state reported by the remote site as UP.
State of remote service: DOWN
  Monitors bound to remote service: Monitors evaluate the state of the remote service as DOWN if the monitor probe fails.
  MEP used (no monitors bound to remote service): The NetScaler uses MEP to evaluate the state and effective state reported by the remote site as DOWN.
State of remote service: OUT OF SERVICE (the service is disabled without a delay time, or the delay time has expired)
  Monitors bound to remote service: Monitors stop probing the remote service.
  MEP used (no monitors bound to remote service): The NetScaler uses MEP to evaluate the state and effective state reported by the remote site.
By default, when you bind a monitor to a remote GSLB service, the NetScaler
uses the state that the monitor evaluates for the service. You can optionally
configure when the NetScaler uses the monitors to evaluate the remote services:
• Always use monitors (default setting).
• Only when MEP is DOWN.
• Only when both the remote services and MEP are DOWN.
This optional setting enables the NetScaler to stop monitoring when MEP is UP.
For example, in a hierarchical GSLB setup, a GSLB site provides the MEP
information about its child sites to its parent site. Such an intermediate site may
evaluate the state of the child site as DOWN because of network issues though
the actual state of the site is UP. In this case, you can bind monitors to the services
of the parent site and disable MEP to determine the actual state of the remote
service. This option enables you to control the manner in which the states of the
remote services are determined. For more information about hierarchical GSLB,
see “Configuring a GSLB Hierarchy,” on page 674.
Creating Monitors
You can create, modify, disable, and enable monitors. The restrictions on
monitoring are:
• Services of type HTTP must be configured with HTTP monitoring
• Services of type SSL must be configured with HTTPS monitoring
To create a monitor, use the parameters in the following table.
Monitor Configuration Parameters
Parameter           Specifies
Name (monitorName)  Name of the monitor. This alphanumeric string is required and cannot be changed after the monitor is created. The name must not exceed 31 characters, and the leading character must be a number or letter. The following characters are also allowed: @ _ - . (period) : (colon) # and space ( ).
4. In the Type box, select the type of the monitor (for example, HTTP).
5. On the Standard Parameters tab, in the Destination Port text box, type
the destination port number (for example, 443).
6. Click Create and click Close.
Example
add lb monitor monitor-HTTP-1 -type HTTP -destPort 443
Binding Monitors
The following procedure describes the steps to bind a monitor to a GSLB service.
When you bind a monitor to a GSLB service, you can specify a weight for the
monitor. After binding one or more weighted monitors, you can configure a
monitor threshold for the service. The service is marked DOWN when the sum of
the weights of the monitors that are currently UP falls below the threshold. For
example, suppose that you bind the following monitors to Service A:
• TCP monitor, weight 1
• Ping monitor, weight 2
• HTTP monitor, weight 3
Suppose also that the monitor threshold for Service A is 6. The three weights
add up to exactly 6, so if any one of the monitors cannot reach its target, the
sum drops below the threshold and Service A is taken down. A threshold that is
higher than the total weight of the bound monitors can never be met, and the
service stays DOWN.
Note: In the configuration utility, you set the monitor weight and the
monitoring threshold in the same service configuration dialog box. When using
the command line, you issue separate commands to set the monitor’s weight and
the service’s monitoring threshold.
To bind the monitor to the GSLB service by using the configuration utility
4. In the Configure GSLB Service dialog box, on the Monitoring tab, select
the monitor that you want to bind to the service (for example,
monitor-HTTP-1).
5. Click Add.
6. In the Configured table, click the Weight cell and enter a value for the
weight.
7. To enable the monitor, ensure the State check box is selected.
8. Repeat the preceding steps to add more monitors.
9. In the Monitor Threshold check box, enter a threshold.
10. Click OK.
To bind the Monitor to the GSLB service by using the NetScaler command
line
Example
bind monitor monitor-HTTP-1 service-GSLB-1 -state enabled -weight 2
To set the monitoring threshold for a GSLB service by using the NetScaler
command line
Example
set gslb service service-GSLB-1 -monThreshold 8
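An added example (not NetScaler code) that models the weighted threshold with the three monitors from the text above. The functions return the resulting state so the arithmetic can be checked against the page's numbers, and threshold_is_satisfiable flags a threshold that the bound weights can never reach, the misconfiguration that leaves a service permanently DOWN. The behaviour for a threshold of 0 is not described on this page and is an assumption: every enabled monitor must pass.

```python
"""Weighted monitor threshold for a GSLB service.
Added example, not NetScaler code. The threshold-0 rule is an assumption."""
from dataclasses import dataclass
from typing import List


@dataclass
class BoundMonitor:
    name: str
    weight: int       # bind monitor ... -weight N
    enabled: bool     # bind monitor ... -state enabled|disabled
    probe_ok: bool    # outcome of the most recent probe


def up_weight(monitors: List[BoundMonitor]) -> int:
    """Sum of the weights of enabled monitors whose last probe succeeded."""
    return sum(m.weight for m in monitors if m.enabled and m.probe_ok)


def max_weight(monitors: List[BoundMonitor]) -> int:
    """Largest value up_weight() can reach: every enabled monitor passing."""
    return sum(m.weight for m in monitors if m.enabled)


def threshold_is_satisfiable(monitors: List[BoundMonitor], threshold: int) -> bool:
    """A threshold above the total enabled weight pins the service DOWN permanently."""
    return threshold <= max_weight(monitors)


def service_state(monitors: List[BoundMonitor], threshold: int) -> str:
    """UP when the UP weight meets the threshold (set gslb service ... -monThreshold)."""
    if threshold < 0:
        raise ValueError("monThreshold cannot be negative")
    enabled = [m for m in monitors if m.enabled]
    if not enabled:
        raise ValueError("no enabled monitor bound: the state would come from MEP, not from monitors")
    if threshold == 0:  # assumption, not stated on this page: all enabled monitors must pass
        return "UP" if all(m.probe_ok for m in enabled) else "DOWN"
    return "UP" if up_weight(monitors) >= threshold else "DOWN"


def service_a(tcp_ok: bool, ping_ok: bool, http_ok: bool) -> List[BoundMonitor]:
    """The page's Service A: TCP weight 1, ping weight 2, HTTP weight 3 (monitor names constructed)."""
    return [
        BoundMonitor("monitor-TCP-1", 1, True, tcp_ok),
        BoundMonitor("monitor-PING-1", 2, True, ping_ok),
        BoundMonitor("monitor-HTTP-1", 3, True, http_ok),
    ]


if __name__ == "__main__":
    outcomes = ((True, True, True), (False, True, True), (True, True, False), (False, False, True))
    for threshold in (6, 3):
        for tcp, ping, http in outcomes:
            mons = service_a(tcp, ping, http)
            print(f"threshold={threshold} tcp={tcp} ping={ping} http={http}: "
                  f"up weight {up_weight(mons)} -> {service_state(mons, threshold)}")
    print("threshold 8 satisfiable with weights 1+2+3:", threshold_is_satisfiable(service_a(True, True, True), 8))
```

Run the satisfiability check whenever a monitor is unbound, disabled or its weight is lowered: the threshold stays where it was, and a total weight that no longer reaches it takes the service out of rotation on every site that trusts the monitor rather than MEP.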
Removing Monitors
The following procedure describes the steps to delete a monitor. When the monitor
bound to a remote GSLB service is removed, MEP resumes control of the state of
that service.
Example
rm monitor monitor-HTTP-1
Example
set gslb site Site-GSLB-North-America -triggerMonitor Always
The following example shows the steps to configure the GSLB virtual server as
the backup virtual server. If the primary virtual server experiences a failover, the
backup or standby virtual server takes over as the active virtual server.
To set a backup GSLB virtual server by using the NetScaler command line
When a DNS request is sent to a GSLB domain, if the GSLB VIP is up, the
NetScaler selects the best service bound to the VIP and, by default, returns that
service in the response. If multiple IP response (MIR) is enabled, the NetScaler
adds the best service as the first record in the response, and then adds the
remaining active services as subsequent records. If MIR is disabled, the
NetScaler adds the best service as the first record, and this is the only record in
the response.
To set up a GSLB virtual server to respond using multiple IP addresses, use the
parameters in the following table.
Parameter to Set Up a GSLB Virtual Server to Respond with Multiple IP Addresses
Parameter                                  Specifies
When this virtual server is “Up” (MIR)     MIR mode. When enabled, the NetScaler sends multiple IP
                                           addresses in the DNS response, with the best IP as the
                                           first IP.
Example
set gslb vserver vserver-GSLB-1 -MIR ENABLED
Chapter 8 Global Server Load Balancing 621
To set a GSLB virtual server for empty down responses by using the configuration utility
To set a GSLB virtual server for empty down responses by using the NetScaler command line
Example
set gslb vserver vserver-GSLB-1 -EDR ENABLED
622 Citrix NetScaler Traffic Management Guide
Example
set gslb vserver vserver-GSLB-1 -domainName www.abc.com -backupIP 10.102.29.66
To set up a backup GSLB site, use the parameter in the following table.
Backup IP Address Parameter
Parameter            Specifies
Backup IP (backup)   IP address of the backup service. This IP address is used when all
                     services bound to the domain are down, or when the backup chain is
                     down.
Note: The NetScaler uses the backup IP address only during DNS resolution.
For HTTP redirects, the backup IP address is not used.
The following procedure describes the steps to set a backup IP for a domain
bound to the GSLB virtual server.
2. In the GSLB Virtual Servers pane, select the GSLB virtual server to
which you want to bind the domain (for example, vserver-GSLB-1).
3. Click Open.
4. On the Domains tab, select a domain and click Open.
5. In the Backup IP box, type the IP address of the backup domain.
6. Click OK, and then click Close.
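The monitor threshold, MIR, EDR, backup virtual server and backup IP behaviour described above, modelled in an added example that is not NetScaler code. Service, monitor and address names follow the guide's examples; the treatment of a zero monitor threshold and the fallback when neither a backup IP nor EDR is configured are this example's assumptions.

```python
"""Added example, not NetScaler code: how a GSLB virtual server builds the
DNS answer for a domain from the service monitor threshold, the MIR and EDR
settings, the backup virtual server and the per-domain backup IP."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Monitor:
    name: str
    weight: int   # 'bind monitor <monitor> <service> -weight <n>'
    up: bool      # did the last probe reach its target?


@dataclass
class GslbService:
    name: str
    ip: str
    monitors: List[Monitor] = field(default_factory=list)
    mon_threshold: int = 0   # 'set gslb service <service> -monThreshold <n>'

    def is_up(self) -> bool:
        """UP while the summed weight of the monitors that still reach their
        target is at least the threshold. With the default threshold of 0 this
        model requires every bound monitor to be up (assumption)."""
        if not self.monitors:
            return True
        if self.mon_threshold == 0:
            return all(m.up for m in self.monitors)
        return sum(m.weight for m in self.monitors if m.up) >= self.mon_threshold


@dataclass
class GslbVserver:
    name: str
    services: List[GslbService]   # ordered best-first by the LB method
    mir: bool = False             # 'set gslb vserver <vs> -MIR ENABLED'
    edr: bool = False             # 'set gslb vserver <vs> -EDR ENABLED'
    backup_ip: Dict[str, str] = field(default_factory=dict)  # domain -> '-backupIP'
    backup_vserver: Optional["GslbVserver"] = None           # '-backupVServer'

    def active_ips(self) -> List[str]:
        return [s.ip for s in self.services if s.is_up()]

    def dns_answer(self, domain: str) -> List[str]:
        """Address records returned for a query for domain, best service first."""
        active = self.active_ips()
        if active:
            # MIR: best first, then the other active services; else best only
            return active if self.mir else active[:1]
        # Every service is down: the backup virtual server takes over if it
        # has anything active
        if self.backup_vserver is not None and self.backup_vserver.active_ips():
            return self.backup_vserver.dns_answer(domain)
        # All services and the backup chain are down: the backup IP bound to
        # the domain answers (DNS resolution only, never HTTP redirects)
        if domain in self.backup_ip:
            return [self.backup_ip[domain]]
        if self.edr:
            return []   # empty down response
        # Neither configured: hand out the configured addresses (assumption)
        return [s.ip for s in self.services]


def build_sample() -> GslbVserver:
    """Constructed configuration using the guide's example names and addresses."""
    service_1 = GslbService("service-GSLB-1", "10.102.29.62", [
        Monitor("monitor-TCP-1", 1, True),
        Monitor("monitor-Ping-1", 2, True),
        Monitor("monitor-HTTP-1", 3, True),
    ], mon_threshold=6)
    service_2 = GslbService("service-GSLB-2", "10.102.29.172",
                            [Monitor("monitor-HTTP-2", 1, True)])
    return GslbVserver("vserver-GSLB-1", [service_1, service_2], mir=True, edr=True,
                       backup_ip={"www.abc.com": "10.102.29.66"})


if __name__ == "__main__":
    vs = build_sample()
    print(vs.dns_answer("www.abc.com"))     # both up, MIR: best first, then the other
    vs.services[0].monitors[2].up = False   # HTTP probe fails: 1 + 2 < 6, service-GSLB-1 goes down
    print(vs.dns_answer("www.abc.com"))     # only service-GSLB-2 remains
    vs.services[1].monitors[0].up = False   # everything down: backup IP for the domain
    print(vs.dns_answer("www.abc.com"))
    vs.backup_ip.clear()                    # no backup IP either: EDR gives an empty answer
    print(vs.dns_answer("www.abc.com"))
```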
Example
set gslb vserver Vserver-GSLB-1 -soMethod Connection -soThreshold 1000 -soPersistence enabled -soPersistenceTimeout 2
1. In the navigation pane, expand GSLB, and then click Virtual Servers.
2. In the details pane, select the virtual server for which you want to configure
the spillover (for example, Vserver-LB-1), and then click Open.
3. On the Advanced tab, in the Method list, select the type of spillover, and in
Threshold text box, type the threshold value (for example, Connection and
1000).
4. Under Spillover, select the Persistence check box, and in Persistence
Time-out (min) text box type the time-out (for example, 2).
5. Click OK.
Example
set gslb service service-GSLB-1 -downStateFlush ENABLED
Example
add dns policy policy-GSLB-1 "CLIENT.UDP.DNS.DOMAIN.EQ(\"domainname\")" -view private
Note: GSLB policies are evaluated in the order they are configured. Therefore,
the policy that matches first is executed first.
1. Click the icon next to the Expression text box. Click Add. (Leave the Flow
Type and Protocol drop-down list boxes empty.) Follow these steps to
create a rule.
2. In the Qualifier box, select a qualifier (for example, LOCATION).
3. In the Operator box, select an operator (for example, ==).
4. In the Value box, type a value (for example, Asia.Japan....)
5. Click OK. Click Create and click Close. The rule is created.
6. Click OK.
Example
add dns policy policy-redirect-1 "CLIENT.LOCATION.EQ(\"Asia.Japan.*.*.*\")"
Example
set dns policy policy-GSLB-1 -preferredLocation "NorthAmerica.US.*.*.*.*"
Example
bind dns global policy-GSLB-1 10
Example
rm dns policy policy-GSLB-1
In the navigation pane, expand DNS and click Policies. All parameters and
configured values of this policy appear in the details pane.
Example
add dns view privatesubnet
Example
add dns policy policy-GSLB-1 "CLIENT.IP.SRC.IN_SUBNET(10.102.29.0/24)" -view privatesubnet
Example
show dns view privatesubnet
Next, the example adds a DNS policy that identifies an internal client. The DNS
policy named policy-GSLB-1 checks whether the client source IP address is in
the 10.102.29.0/24 subnet and, if it is, uses the DNS view privatesubnet for
the chosen service. If the client source IP address does not match this
policy, or any other policy, the NetScaler returns the public IP address of
the chosen service.
The steps to configure this example are:
1. Create the DNS view. For information about configuring DNS views, see
the “Creating DNS Views,” on page 633.
2. Create the DNS policy. For information about configuring DNS policies,
see the “Creating DNS Policies,” on page 629.
3. Bind the policy globally. For information about configuring DNS policies,
see the “Binding and Unbinding a DNS Policy,” on page 631.
4. Associate the GSLB service with the view. This section describes steps to
bind the GSLB service with the DNS view.
In the following procedure, the DNS view, privatesubnet, is linked with the
GSLB service, service-GSLB-10.
To associate the GSLB service with the view by using the configuration utility
To associate the GSLB service with the view by using the NetScaler command line
Example
bind gslb service service-GSLB-1 -viewname privatesubnet 10.102.29.103
If the user queries for www.domain.com, the NetScaler runs the DNS policy
check for the domain. If the client falls in the 10.102.29.0/24 subnet, the
NetScaler returns the IP address corresponding to the private subnet; for
example, if service-GSLB-10 is chosen, 10.102.29.103 is returned. If the
client does not fall in the subnet, the public IP address, 1.1.1.1, is
returned.
To associate DNS policy with DNS view by using the configuration utility
To associate DNS policy with DNS view by using the NetScaler command line
Example
set dns policy policy-GSLB-1 -view privatesubnet
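The privatesubnet scenario above, together with the location-based policy rule shown earlier, modelled in an added example that is not NetScaler code: globally bound DNS policies are evaluated in priority order, the first match selects a view, and the view decides which address the chosen service's answer carries. The location ranges, the asia view and the client addresses are constructed for the example, and the NetScaler expressions are stood in for by Python predicates rather than parsed.

```python
"""Added example, not NetScaler code: DNS policies bound globally are
evaluated in priority order, the first match selects a DNS view, and the
view decides which address is returned for the chosen GSLB service."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Location entries in the form of the guide's
# 'add location <startIP> <endIP> <qualifier>' command; the qualifier is a
# dotted string in which '*' marks an unknown label.
LocationEntry = Tuple[str, str, str]


def lookup_location(db: List[LocationEntry], ip: str) -> str:
    """Qualifier of the first range that contains ip, or '*' when unknown."""
    addr = ipaddress.ip_address(ip)
    for start, end, qualifier in db:
        if ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end):
            return qualifier
    return "*"


@dataclass
class Client:
    ip: str
    location: str = "*"


# Rules are Python predicates standing in for the NetScaler expressions
# quoted in the guide; the expression syntax itself is not parsed here.
Rule = Callable[[Client], bool]


def ip_src_in_subnet(cidr: str) -> Rule:
    """CLIENT.IP.SRC.IN_SUBNET(<cidr>)"""
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda c: ipaddress.ip_address(c.ip) in net


def location_eq(pattern: str) -> Rule:
    """CLIENT.LOCATION.EQ("<pattern>"): compare dotted qualifiers label by
    label; '*' in the pattern matches any label, while a label missing from
    the client's location matches nothing but '*'."""
    def pred(c: Client) -> bool:
        want, have = pattern.split("."), c.location.split(".")
        width = max(len(want), len(have))
        want = want + ["*"] * (width - len(want))
        have = have + [""] * (width - len(have))
        return all(w == "*" or w.lower() == h.lower() for w, h in zip(want, have))
    return pred


@dataclass
class DnsPolicy:
    name: str
    rule: Rule
    view: Optional[str] = None  # 'add dns policy <name> "<rule>" -view <view>'
    priority: int = 0           # 'bind dns global <name> <priority>'


@dataclass
class GslbService:
    name: str
    public_ip: str
    # 'bind gslb service <service> -viewname <view> <ip>'
    view_ips: Dict[str, str] = field(default_factory=dict)


def select_view(policies: List[DnsPolicy], client: Client) -> Optional[str]:
    """Lowest bind priority is evaluated first and the first match wins, so a
    broad rule bound ahead of a narrow one shadows it."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.rule(client):
            return policy.view
    return None


def resolve(service: GslbService, policies: List[DnsPolicy], client: Client) -> str:
    """Address returned for the chosen service: the view-specific one when the
    matching policy names a view the service is bound to, else the public one."""
    view = select_view(policies, client)
    if view is not None and view in service.view_ips:
        return service.view_ips[view]
    return service.public_ip


# Constructed sample configuration using the guide's names; the 'asia' view,
# the location ranges and the client addresses are made up for the example.
LOCATION_DB: List[LocationEntry] = [
    ("192.168.100.1", "192.168.100.10", "*.us.ca.mycity"),
    ("198.51.100.0", "198.51.100.255", "Asia.Japan.Tokyo"),
]
POLICIES = [
    DnsPolicy("policy-GSLB-1", ip_src_in_subnet("10.102.29.0/24"), "privatesubnet", 10),
    DnsPolicy("policy-redirect-1", location_eq("Asia.Japan.*.*.*"), "asia", 20),
]
SERVICE = GslbService("service-GSLB-10", "1.1.1.1",
                      {"privatesubnet": "10.102.29.103", "asia": "203.0.113.10"})


def answer_for(client_ip: str) -> str:
    """Address the DNS answer carries for a client at client_ip."""
    client = Client(client_ip, lookup_location(LOCATION_DB, client_ip))
    return resolve(SERVICE, POLICIES, client)


if __name__ == "__main__":
    for ip in ("10.102.29.50", "198.51.100.7", "192.168.100.5", "203.0.113.99"):
        print(ip, "->", answer_for(ip))
```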
Interface Throughput
This example illustrates how to configure DNS views on the NetScaler based on
interface throughput. The policy evaluates to true if the throughput is
greater than zero, and to false if the throughput is less than zero.
The next procedure in the example scenario adds a DNS policy (named
policy-GSLB-1 in the examples that follow) with the rule
CLIENT.INTERFACE.RXTHROUGHPUT>=0. If the value of the throughput is greater
than zero, the private IP address 1.1.1.1 is returned. If the value of the
throughput is less than 0, the IP address 10.102.4.153 is returned.
The steps to configure the sample scenario are:
1. Create the DNS policy. For information about configuring DNS policies,
see the “Creating DNS Policies,” on page 629.
2. Bind the policy globally. For information about binding the policy globally,
see the “Binding and Unbinding a DNS Policy,” on page 631.
3. Create a GSLB service. For information about creating a GSLB service, see
the “Creating a GSLB Service,” on page 549.
4. Create a GSLB virtual server. For information about binding the GSLB
service to the GSLB virtual server, see the “Creating a GSLB Virtual
Server,” on page 551.
5. Bind the GSLB service to the GSLB virtual server. For information about
binding the GSLB service to the GSLB virtual server, see the “Binding the
GSLB Service to the GSLB Virtual Server,” on page 552.
6. Bind a domain to the GSLB virtual server. For information about binding
the domain to the GSLB virtual server, see the “Binding a Domain to a
GSLB Virtual Server,” on page 552.
7. Associate the DNS policy and GSLB service with the DNS view. The
following procedure describes steps to bind the DNS policy and GSLB
service to the view.
To associate DNS policy with DNS view by using the configuration utility
To associate DNS policy with DNS view by using the NetScaler command line
Example
set dns policy policy-GSLB-1 -view private
In the following procedure, the DNS view, private is linked to the configured
GSLB service, service-GSLB-20.
To associate GSLB service with DNS view by using the configuration utility
To associate GSLB service with DNS view by using the NetScaler command line
Example
bind gslb service service-GSLB-20 -viewname private 1.1.1.1
The following diagram describes the entities that need to be configured for this
scenario.
The following table summarizes the names and values of the entities that you
must configure on the NetScaler.
Example Entities for a Basic GSLB Setup
Site name        Entity type                    Name             IP address     Protocol  Port
site-1 (Local)   GSLB virtual server            vserver-GSLB-1   NA             NA        NA
                 GSLB Service                   service-GSLB-1   NA             NA        NA
                 Load balancing virtual server  vserver-LB-1     10.102.29.62   HTTP      80
                 Services                       service-HTTP-1   10.102.29.3    HTTP      80
                                                service-HTTP-2   10.102.29.70   HTTP      80
                                                service-ADNS-1   10.102.29.61   ADNS      53
                 Domain                         www.abc.com      NA             NA        NA
site-2 (Remote)  GSLB virtual server            vserver-GSLB-2   NA             NA        NA
                 GSLB Service                   service-GSLB-2   NA             NA        NA
                 Load balancing virtual server  vserver-LB-2     10.102.29.172  HTTP      80
                 Services                       service-HTTP-3   10.102.29.8    HTTP      80
                                                service-HTTP-4   10.102.29.9    HTTP      80
                                                service-ADNS-2   10.102.29.171  ADNS      53
Example
set gslb vserver vserver-GSLB-1 -backupVServer vserver-GSLB-2
If you want the traffic to be directed to the backup virtual server even after
Site-1 becomes active again, select the Disable Primary When Down check box in
the Configure GSLB Virtual Server dialog box.
The following diagram describes the entities that need to be configured for this
scenario.
For detailed instructions to create these entities, see the section, “Configuring a
Basic Setup,” on page 544. The following table summarizes the names and values
of the entities that you must configure on the NetScaler.
Example Entities for Active-Active Disaster Recovery
Site name        Entity type                    Name             IP address     Protocol  Port
site-1 (Local)   GSLB virtual server            vserver-GSLB-1   NA             NA        NA
                 GSLB Service                   service-GSLB-1   NA             NA        NA
                 Load balancing virtual server  vserver-LB-1     10.102.29.62   HTTP      80
                 Services                       service-HTTP-1   10.102.29.3    HTTP      80
                                                service-HTTP-2   10.102.29.70   HTTP      80
                                                service-ADNS-1   10.102.29.61   ADNS      53
                 Domain                         www.abc.com      NA             NA        NA
site-2 (Remote)  GSLB virtual server            vserver-GSLB-2   NA             NA        NA
                 GSLB Service                   service-GSLB-2   NA             NA        NA
                 Load balancing virtual server  vserver-LB-2     10.102.29.172  HTTP      80
                 Services                       service-HTTP-3   10.102.29.8    HTTP      80
                                                service-HTTP-4   10.102.29.9    HTTP      80
                                                service-ADNS-2   10.102.29.171  ADNS      53
                 Domain                         www.abc.com      NA             NA        NA
The following diagram describes the entities that need to be configured for this
scenario.
Entity diagram
The steps to implement this scenario are:
1. Configuring the basic GSLB setup
2. Configuring weighted round robin
For complete instructions to create these entities, see the section “Configuring a
Basic Setup,” on page 544. The following table summarizes the names and values
of the entities that you need to configure on the NetScaler.
Example Entities for Weighted Round Robin Recovery
Site name        Entity type                    Name             IP address     Protocol  Port
site-1 (Local)   GSLB virtual server            vserver-GSLB-1   NA             NA        NA
                 GSLB Service                   service-GSLB-1   NA             NA        NA
                 Load balancing virtual server  vserver-LB-1     10.102.29.62   HTTP      80
                 Services                       service-HTTP-1   10.102.29.3    HTTP      80
                                                service-HTTP-2   10.102.29.70   HTTP      80
                                                service-ADNS-1   10.102.29.61   ADNS      53
                 Domain                         www.abc.com      NA             NA        NA
site-2 (Remote)  GSLB virtual server            vserver-GSLB-2   NA             NA        NA
                 GSLB Service                   service-GSLB-2   NA             NA        NA
                 Load balancing virtual server  vserver-LB-2     10.102.29.172  HTTP      80
                 Services                       service-HTTP-3   10.102.29.8    HTTP      80
                                                service-HTTP-4   10.102.29.9    HTTP      80
                                                service-ADNS-2   10.102.29.171  ADNS      53
                 Domain                         www.abc.com      NA             NA        NA
The following procedure describes the steps to set the weights of load balancing
services to two.
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. Select the virtual server (for example, Vserver-LB-1) and click Open.
3. In the Weights spin box, type or select the weight of a service (for example,
4 next to Service-HTTP-1).
4. Click OK.
Example
set lb vserver Vserver-LB-1 -weight 4 Service-HTTP-1
The following procedure describes the steps to set the weights of GSLB services
to 4.
To add weights to the GSLB services by using the NetScaler command line
Example
set gslb vserver Vserver-GSLB-1 -serviceName Service-GSLB-1 -weight 1
In the following procedure, dynamic weights are configured on the GSLB virtual
server.
Example
set gslb vserver Vserver-GSLB-1 -dynamicWeight ServiceWeight
The following diagram describes the entities that need to be configured for this
scenario.
The following table summarizes the names and values of the entities that you
need to configure on the NetScaler.
Example Entities for Recovery Using Data Center Persistence
Site Name        Entity Type                    Name             IP address     Protocol  Port
site-1 (Local)   GSLB virtual server            vserver-GSLB-1   NA             NA        NA
                 GSLB Service                   service-GSLB-1   NA             NA        NA
                 Load balancing virtual server  vserver-LB-1     10.102.29.62   HTTP      80
                 Services                       service-HTTP-1   10.102.29.3    HTTP      80
                                                service-HTTP-2   10.102.29.70   HTTP      80
                                                service-ADNS-1   10.102.29.61   ADNS      53
                 Domain                         www.abc.com      NA             NA        NA
site-2 (Remote)  GSLB virtual server            vserver-GSLB-2   NA             NA        NA
                 GSLB Service                   service-GSLB-2   NA             NA        NA
                 Load balancing virtual server  vserver-LB-2     10.102.29.172  HTTP      80
                 Services                       service-HTTP-3   10.102.29.8    HTTP      80
                                                service-HTTP-4   10.102.29.9    HTTP      80
                                                service-ADNS-2   10.102.29.171  ADNS      53
                 Domain                         www.abc.com      NA             NA        NA
Example
set gslb service service-GSLB-1 -sitePersistence HTTPRedirect -sitePrefix vserver-GSLB-1
The following diagram describes the entities that need to be configured for this
scenario.
The following table summarizes the names and values of the entities that you
need to configure on the NetScaler.
Examples of Entities for GSLB Using Dynamic Method
Site name        Entity type                    Name             IP address     Protocol  Port
site-1 (Local)   GSLB virtual server            vserver-GSLB-1   NA             NA        NA
                 GSLB Service                   service-GSLB-1   NA             NA        NA
                 Load balancing virtual server  vserver-LB-1     10.102.29.62   HTTP      80
                 Services                       service-HTTP-1   10.102.29.3    HTTP      80
                                                service-HTTP-2   10.102.29.70   HTTP      80
                                                service-ADNS-1   10.102.29.61   ADNS      53
                 Domain                         www.abc.com      NA             NA        NA
site-2 (Remote)  GSLB virtual server            vserver-GSLB-2   NA             NA        NA
                 GSLB Service                   service-GSLB-2   NA             NA        NA
                 Load balancing virtual server  vserver-LB-2     10.102.29.172  HTTP      80
                 Services                       service-HTTP-3   10.102.29.8    HTTP      80
                                                service-HTTP-4   10.102.29.9    HTTP      80
                                                service-ADNS-2   10.102.29.171  ADNS      53
                 Domain                         www.abc.com      NA             NA        NA
Example
set gslb vserver vserver-GSLB-1 -lbMethod RTT
The following diagram describes the entities that need to be configured for this
scenario.
The following table summarizes the names and values of the entities that you
need to configure on the NetScaler.
Examples of Entities for GSLB Using Static Proximity
Site name        Entity type                    Name             IP address     Protocol  Port
site-1 (Local)   GSLB virtual server            vserver-GSLB-1   NA             NA        NA
                 GSLB Service                   service-GSLB-1   NA             NA        NA
                 Load balancing virtual server  vserver-LB-1     10.102.29.62   HTTP      80
                 Services                       service-HTTP-1   10.102.29.3    HTTP      80
                                                service-HTTP-2   10.102.29.70   HTTP      80
                                                service-ADNS-1   10.102.29.61   ADNS      53
                 Domain                         www.abc.com      NA             NA        NA
site-2 (Remote)  GSLB virtual server            vserver-GSLB-2   NA             NA        NA
                 GSLB Service                   service-GSLB-2   NA             NA        NA
                 Load balancing virtual server  vserver-LB-2     10.102.29.172  HTTP      80
                 Services                       service-HTTP-3   10.102.29.8    HTTP      80
                                                service-HTTP-4   10.102.29.9    HTTP      80
                                                service-ADNS-2   10.102.29.171  ADNS      53
                 Domain                         www.abc.com      NA             NA        NA
Example
add location 192.168.100.1 192.168.100.10 *.us.ca.mycity
Example
set gslb vserver vserver-GSLB-1 -lbMethod StaticProximity
The following diagram describes the entities that need to be configured for this
scenario.
Example
add location 1.1.1.1 1.1.1.10 *.us.ca.mycity
The following procedure sets the GSLB algorithm to static proximity. This is
configured on Site-1.
Example
set gslb vserver vserver-GSLB-1 -lbMethod StaticProximity
Example
set gslb vserver vserver-GSLB-1 -lbMethod RTT
If the configuration consists of a single aggregator, you need not configure any
borders. The following diagram shows the GSLB mesh configuration.
In this scenario, Aggregator 1 represents the GSLB sites, site 1 and site 2. In
addition, aggregator and border sites serve as remote GSLB sites for the GSLB
sites they represent. As a result, the propagation of MEP messages is limited to
the border and this reduces configuration overhead. This is illustrated in the
following diagram.
Topology Diagram
The steps to implement this scenario are:
1. Configuring the border site
2. Configuring the Location 1 Aggregator
In this configuration, the load balancing services are bound to the load
balancing virtual server, and all the GSLB services are bound to the GSLB
virtual server.
The following procedure describes the steps to configure the required settings for
the GSLB virtual server.
To configure the GSLB virtual server by using the NetScaler command line
Example
add gslb vserver vserver-GSLB-1 HTTP -lbMethod RoundRobin -EDR enabled -MIR enabled
The following procedure describes the steps to bind a domain to the GSLB virtual
server.
To bind the domain to the GSLB virtual server by using the configuration utility
Example
bind gslb vserver vserver-GSLB-1 -domainName www.mycompany.com
This configuration requires that you bind the load balancing service to the load
balancing virtual server. Therefore, while configuring the GSLB virtual server,
you need to select the following check boxes: Do not send any service’s IP
Address in Response (EDR) and Send all “active” service IPs in response
(MIR).
In this configuration, bind the load balancing service to the load balancing
virtual server. Select the Do not send any service’s IP Address in Response
(EDR) and Send all “active” service IPs in response (MIR) check boxes while
configuring the GSLB virtual server.
The following table summarizes the names and values of the entities that must be
configured on the NetScaler for site-2.
Example of Entities for Configuring Site 2
Site name  Entity type                    Name                   IP address     Protocol  Port
site-2     Load balancing virtual server  vserver-HTTP-22        10.102.29.222  HTTP      80
           Service                        service-HTTP-22        10.102.29.193  HTTP      80
           GSLB Site                      site-GSLB-21 (local)   10.102.29.202  NA        NA
                                          site-GSLB-22 (remote)  10.102.29.76   NA        NA
The following table summarizes the names and values of the entities that must be
configured on the NetScaler for site-3.
Example of Entities for Configuring Site 3
Site name  Entity type                    Name                   IP address     Protocol  Port
site-2     Load balancing virtual server  vserver-HTTP-33        10.102.29.222  HTTP      80
           Service                        service-HTTP-33        10.102.29.193  HTTP      80
           GSLB Site                      site-GSLB-31 (local)   10.102.29.202  NA        NA
                                          site-GSLB-32 (remote)  10.102.29.76   NA        NA
In this configuration, in each site, you need to bind the load balancing
service to the load balancing virtual server. Also, you need to disable session
exchange and metric exchange on all the local GSLB sites.
In the GSLB hierarchy, the load balancing site does not have a GSLB virtual
server configured, and the NetScaler on the load balancing site requests the
GSLB information from the parent site through MEP. The GSLB information
provides information such as cookie timeout, and persistence type. In addition,
the parent sites exchange GSLB information for all the GSLB sites in the GSLB
hierarchy through MEP. In the diagram, Parent-Site-1 receives the load balancing
statistics from the Child-Site-1, and Child-Site-1 receives GSLB information,
persistence ID, and domain name from Parent-Site-1. Similarly, Parent-Site-2
receives the load balancing statistics from the Child-Site-2, and Child-Site-2
receives GSLB information, persistence ID, and domain name from
Parent-Site-2.
The following steps correspond to the arrows in the diagram, “Flow of HTTP
redirect in GSLB hierarchy,” on page 677.
Step 1. The client sends an HTTP request to the data center. While responding to
the request, the NetScaler at the data center inserts a site cookie in the response
header.
Step 2. When the browser cache on the client expires, the client sends a fresh
DNS request. This time, the NetScaler resolves the request to a different data
center. The client sends an HTTP request to the different data center with the site
cookie in the header. In the diagram, Child-Site-2 receives the client request with
the cookie of Child-Site-1.
Step 3. The NetScaler on the load balancing site requests the redirect URL
from the parent site through MEP. In the diagram, Child-Site-2 requests the
redirect URL (domain and GSLB virtual server name of Child-Site-1) from
Parent-Site-2.
Step 4. The NetScaler on the load balancing site then redirects the client to the
original data center if the GSLB service and the GSLB virtual server
corresponding to the site cookie and the domain are available and UP. In the
diagram, Child-Site-2 redirects the client to Child-Site-1.
Step 5. The client then sends an HTTP request to the original data center.
The topology and MEP exchange are similar to those of the HTTP redirect
persistence type.
The following steps correspond to the arrows in the diagram, “Flow of connection
proxy in GSLB hierarchy,” on page 679.
Step 1. The client sends an HTTP request to the data center. While responding to
the request, the NetScaler at the data center inserts a site cookie in the response
header.
Step 2. When the browser cache on the client expires, the client sends a fresh
DNS request. This time, the NetScaler resolves the request to a different data
center. The client sends an HTTP request to the different data center with the site
cookie in the header. In the diagram, Child-Site-2 receives the client request with
the cookie of Child-Site-1.
Step 3. The NetScaler on the load balancing site requests the remote service
information from the parent site through MEP. In the diagram, Child-Site-2
requests a site cookie from Parent-Site-2.
Step 4. The NetScaler on the load balancing site opens a connection to the
original data center and then works as a proxy for the original data center if the
GSLB service and the GSLB virtual server corresponding to the site cookie and
domain are UP and available. In the diagram, Child-Site-2 opens a connection to
Child-Site-1 and functions as a proxy.
Step 5. The subsequent client requests are forwarded to the original data center.
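The redirect and proxy flows above, as an added example that is not NetScaler code: the child site reads the site cookie, consults its parent (a dictionary stands in for the MEP request) and decides whether to serve locally, redirect or proxy. The cookie name, the fields of the parent's reply and the form of the redirect URL are assumptions of this example.

```python
"""Added example, not NetScaler code: the decision a child (load balancing)
site makes when a request arrives carrying another site's cookie, for the
HTTPRedirect and ConnectionProxy site persistence types."""
from dataclasses import dataclass
from typing import Dict, Optional

COOKIE_NAME = "GSLB"   # constructed name; the guide does not name the site cookie


@dataclass
class SiteInfo:
    """What the parent hands to the child over MEP for one site cookie (the
    field set is this example's assumption): the GSLB virtual server name,
    the domain, the site prefix and whether service and vserver are UP."""
    gslb_vserver: str
    domain: str
    site_prefix: str   # 'set gslb service <service> -sitePrefix <prefix>'
    service_up: bool
    vserver_up: bool


@dataclass
class Decision:
    action: str                    # "serve", "redirect" or "proxy"
    target: Optional[str] = None   # redirect URL, or the site proxied to
    set_cookie: Optional[str] = None


def handle_request(local_site: str, cookies: Dict[str, str], persistence: str,
                   parent_info: Dict[str, SiteInfo], path: str = "/") -> Decision:
    """Steps 2 to 5 of the flows above: read the site cookie, ask the parent
    about the original site, then redirect, proxy or serve locally."""
    origin = cookies.get(COOKIE_NAME)
    if origin is None or origin == local_site:
        # First contact, or the client came back to the same site: serve
        # locally and stamp this site's cookie (step 1)
        return Decision("serve", set_cookie=f"{COOKIE_NAME}={local_site}")
    info = parent_info.get(origin)
    if info is None or not (info.service_up and info.vserver_up):
        # Original data center unknown or not UP: persistence cannot be
        # honoured, so serve locally and re-stamp the cookie for this site
        return Decision("serve", set_cookie=f"{COOKIE_NAME}={local_site}")
    if persistence == "HTTPRedirect":
        # Redirect URL built from the site prefix and the domain (assumed form)
        return Decision("redirect", target=f"http://{info.site_prefix}.{info.domain}{path}")
    if persistence == "ConnectionProxy":
        # The child opens a connection to the original site and proxies this
        # and all subsequent requests to it
        return Decision("proxy", target=origin)
    raise ValueError(f"unknown site persistence type: {persistence}")


# Constructed view of what Parent-Site-2 knows about Child-Site-1
PARENT_INFO: Dict[str, SiteInfo] = {
    "Child-Site-1": SiteInfo("vserver-GSLB-1", "www.abc.com", "site1", True, True),
}

if __name__ == "__main__":
    cookie = {COOKIE_NAME: "Child-Site-1"}
    print(handle_request("Child-Site-2", cookie, "HTTPRedirect", PARENT_INFO, "/app"))
    print(handle_request("Child-Site-2", cookie, "ConnectionProxy", PARENT_INFO))
    print(handle_request("Child-Site-2", {}, "HTTPRedirect", PARENT_INFO))
```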
To create the parent GSLB site by using the NetScaler command line
Example
add gslb site Site-GSLB-1 190.100.21.1
add gslb site Site-LB-3 192.168.10.1 -parentSite Site-GSLB-1
After you configure the local parent site, you need to configure the remote parent and
child sites. To configure the remote parent site, you can simply copy the
configurations from the GSLB Running Configuration dialog box of the local site
and paste them into the Batch Configuration dialog box of the remote parent site.
1. In the navigation pane, click System, expand Settings, and then click
Diagnostics.
2. On the Diagnostics page, under View Configurations, click Running
Configuration.
3. In the GSLB Running Configuration dialog box, select and copy all the
commands.
4. Click Close.
Example
show gslb runningConfig
Select and copy the output of this command. After copying the commands from
the local NetScaler, use the configuration utility of the remote NetScaler and
paste the configurations onto the remote NetScaler.
Important: You can copy and paste only parent site configurations. You must
configure the child sites manually.
Note: The service level settings (such as client IP and SSL settings) are not
exchanged through MEP. Therefore, you need to configure the remote GSLB
services locally on the load balancing site and apply the required settings.
In the sample topology, the NetScaler uses the number of current VPN users as
the load metric for GSLB.
The following diagram shows the sample of the GSLB entities that need to be
configured for this scenario.
To create Access Gateway virtual servers, you must perform the following
procedures:
1. Enable Access Gateway
2. Create Access Gateway virtual servers
For more information about Access Gateway configuration, see the Citrix Access
Gateway Enterprise Edition Administrator’s Guide.
Example
enable ns feature sslvpn
1. In the navigation pane, expand Access Gateway and click Virtual Servers.
2. In the details pane, click Add.
3. In the Create Access Gateway Virtual Server dialog box, in the Name,
IP Address, and Port text boxes, type the name of the virtual server, IP
address, and port (for example, Vserver-VPN-1, 10.102.29.100, and 443).
4. In the Protocol list, click an appropriate protocol (for example, SSL).
5. Click Create, and then click Close.
Example
add vpn vserver Vserver-VPN-1 SSL 10.102.29.100 443
To create a metric table and bind metrics to the metric table by using the configuration utility
1. In the navigation pane, expand Load Balancing and click Metric Tables.
2. In the details pane, click Add.
3. In the Create Metric Table dialog box, in the Metric Table Name,
Metrics, and SNMP OID text boxes, type the appropriate name of the
metric table, metrics, and SNMP OID (for example, Table-Custom-1,
CountVPNUsers, and 1.3.6.1.4.1.5951.4.1.3.1.1.49.5.8.20.20.16.22).
4. Click Create, and then click Close.
To create a metric table and bind metrics to the metric table by using the NetScaler command line
Example
add metricTable Table-Custom-1
bind metricTable Table-Custom-1 CountVPNUsers
1.3.6.1.4.1.5951.4.1.3.1.1.49.5.8.20.20.16.22
Example
add lb mon Monitor-Load-1 Load -SNMPCommunity Community-1
bind lb mon Monitor-Load-1 -metric Metric-Table-1 -metricThreshold 5
To bind the monitor to the GSLB service by using the configuration utility
To bind the monitor to the GSLB service by using the NetScaler command line
Example
bind monitor Monitor-Load-1 Service-GSLB-1
Example
set gslb vserver Vserver-GSLB-1 -lbMethod CustomLoad
Important: If one NetScaler uses MEP version 2.4 or later and the second
NetScaler uses an MEP version earlier than 2.4, then you cannot use MEP for
GSLB based on load monitors. In such cases, use SNMP-based load monitors.
Example
add lb mon Monitor-Load-1 Load
To bind metrics to the load monitor by using the NetScaler command line
Example
bind monitor Monitor-Load-1 -metric AAAUsers -metricThreshold 5
To bind the monitor to the GSLB service by using the configuration utility
To bind the monitor to the GSLB service by using the NetScaler command line
Example
bind monitor Monitor-Load-1 Service-GSLB-1
Requirements
Before you begin the configuration:
• Upgrade Citrix Access Gateway to Citrix NetScaler in your existing
configuration.
• Make sure that the GSLB and Access Gateway licenses are available on
your Citrix NetScaler. If these licenses are not available on your NetScaler,
please contact your Citrix sales representative or Citrix Customer Service at
http://citrix.com/. On the Support menu, click Customer Service.
• Enable the Load Balancing, GSLB, and Access Gateway features on the
NetScaler.
Components Used
Configurations in this document use the following NetScaler and XenDesktop
components:
• Citrix NetScaler 9.0, 9.1, and 9.2 only
• Citrix XenDesktop
• Web Interface server
• Desktop Delivery Controller server
Note: You can alternatively use Access Gateway Standard Edition (AGSE),
Access Gateway Advanced Edition (AGAE), or Access Gateway Enterprise
Edition (AGEE) for the Access Gateway feature. NetScaler provides monitoring
support for these components too.
The following five steps summarize how GSLB works in this example. The
numbers in the diagram provide a visual aid for tracing the data flow through the
five steps.
Step 1. A user enters a query for a domain hosting a particular virtual desktop. If
the user’s browser does not find an IP address for the domain in its local cache, it
sends a request to the client DNS server.
Step 2. If the local DNS server does not have an IP address for the requested
domain, it sends a query to a NetScaler configured as an authoritative name
server for the domain. In the diagram, this could be either NetScaler, but in this
case the query is sent to the NetScaler at Data Center 1.
Step 3. By default, the NetScaler uses the dynamic proximity method (RTT
method) to select the best performing data center. In using this method, the
NetScaler uses the proprietary Metric Exchange Protocol (MEP) to exchange
RTT values between participating sites and determine the data center with the
smallest round trip time (RTT) metric. Alternatively, you can configure the
NetScaler to select the data center by using the round robin method. To prevent a
client from being directed to a data center that hosts unavailable components, the
NetScaler selects the data center only if the Web Interface server, Desktop
Delivery Controller server, and Access Gateway virtual server are available. In
the diagram, the NetScaler at Data Center 1 selects Data Center 2 as the best
performing site. It then sends the client the IP address of the VPN virtual server at
Data Center 2 (192.168.22.1), and a connection is established from the client
system to the NetScaler at Data Center 2.
Step 4. The client uses HTTPS to request an application through the tunnel. The
NetScaler uses an optimal load balancing method to select a Web Interface server
and sends the HTTP request to the Web Interface server. If the selected server is
unavailable or sends an invalid response, the NetScaler selects a different Web
Interface server (unless none is available, in which case the NetScaler does not
select the site for GSLB).
Step 5. After the Web Interface server provides a valid response, the NetScaler
uses a load balancing method to select a Desktop Delivery Controller server and
sends an HTTP request to the Desktop Delivery Controller server. If the selected
server is unavailable or sends an invalid response, the NetScaler selects a
different Desktop Delivery Controller server (unless none is available, in which
case the NetScaler does not select the site for GSLB). The Desktop Delivery
Controller server dynamically pools and assigns virtual desktops to the client
on-demand, based on appropriate policies, roles, or other criteria. The NetScaler
provides the virtual desktop to the client through the VPN tunnel. The NetScaler
then maintains persistent connections from the client to the virtual desktop and
forwards all subsequent requests to the same server.
Important: The NetScaler performs load balancing and Global Server Load
Balancing only on the Web Interface and Desktop Delivery Controller
components. After the desktop session is established through Independent
Computing Architecture (ICA) tunnel, the client traffic bypasses Web Interface
and Desktop Delivery Controller components and the NetScaler.
Topology Diagram
The following diagram shows a typical GSLB setup for XenDesktop.
Important: When you configure Web Interface, specify the IP address of the
Desktop Delivery Controller virtual server. For information about installing the
Web Interface and creating sites, see the Web Interface Administrator’s Guide.
Note: Alternatively, if you have not configured the virtual servers using the
Load Balancing Wizard for XenDesktop, you can specify the IP address and port
(in IPAddress:Port format) of the servers in the wizard.
After you configure GSLB on a local site, you need to configure the remote site.
To configure the remote site, you can simply copy the configurations from the
GSLB Running Configuration dialog box of the local site and paste them into the
Batch Configuration dialog box of the remote site.
1. In the GSLB wizard for XenDesktop, on the Summary page, click View
GSLB running configurations.
2. In the GSLB Running Configuration dialog box, select and copy all the
commands.
3. Click Close.
After copying the commands from the local NetScaler, use the configuration
utility of the remote NetScaler and paste the configurations onto the remote
NetScaler.
The virtual server is DOWN because the service groups bound to it are DOWN. If
one of the services bound to the virtual server is UP, the virtual server is UP. The
service groups could be DOWN for the following reasons:
• The application is unavailable on the server.
• The monitor probes have failed.
• The link has failed.
1. In the navigation pane, expand Load Balancing and click Service Groups.
2. In the details pane, select the service group and click Open.
3. In the Configure Service Groups dialog box, in Configured Members,
select the member service and click Monitor Details.
Troubleshooting
The following table explains some of the common error messages.
Error messages - Causes and Actions

Error message: Error in GSLB site: A GSLB site with the same IP address exists
Likely cause: A site is already configured on the NetScaler and you tried to create another site with the same IP address.
User action: Create a site with a different configuration or select the existing site for your configuration.

Error message: Error in TCP monitor: Resource already exists
Likely cause: You cleared the existing site configurations without removing the monitors bound to the service.
User action: Remove the monitors and then use the wizard to configure GSLB.

Error message: Error on page Load Balance WI servers. Error in Monitor: Resource already exists
Likely cause: You removed the virtual server, but not the monitors bound to the services.
User action: Clear the existing load balancing configuration (virtual server, service groups, and monitor) and then use the wizard to configure GSLB. (You can get a similar error for a Desktop Delivery Controller virtual server.)

Error message: Error on page Load Balance WI servers. Error in Virtual Server: Resource already exists
Likely cause: Using the Load Balancing Wizard for XenDesktop to create a new Web Interface virtual server, you are duplicating the configuration of an existing Web Interface virtual server.
User action: Create a virtual server with a different configuration, or clear the existing virtual server configuration and then create a virtual server. (You can get a similar error for a Desktop Delivery Controller virtual server.)

Error message: Selected “Desktop Delivery Controller Virtual Server” does not have any monitor for monitoring health.
Likely cause: You have selected an inappropriate virtual server as a Desktop Delivery Controller virtual server for a GSLB site. The monitor bound to the service group of the virtual server cannot probe the Desktop Delivery Controller server.
User action: Select an appropriate virtual server or type the IP address and port of the server in IPAddress:Port format.

Error message: Error on page Specify domain. The domain is already bound to GSLB virtual server.
Likely cause: Using the GSLB for XenDesktop wizard, you have chosen a domain bound to an already existing virtual server.
User action: Use a different domain name, or remove the virtual server and then use the wizard.
700 Citrix NetScaler Traffic Management Guide
Link load balancing (LLB) balances inbound and outbound traffic transparently
across multiple Internet connections. It enables an enterprise with more than one
Internet connection, or with a private network, to monitor and control traffic so
that users are routed over the best available Internet link. For example, an
organization can connect to the Internet through two different service providers,
such as Sprint and AT&T.
In This Chapter
Monitoring Routers
Destination IP-Based Persistence
Load Balancing Policy
Implementing RNAT with Link Load Balancing
Configuring Link Load Balancing
Configuring the Backup Router
Configuring RNAT with Link Load Balancing
Monitoring Routers
The NetScaler monitors configured routers and services bound to the load
balancing route virtual IP address (VIP), assigning a default monitor if none is
configured. The default monitor type is PING, which is also the recommended
monitor type. The NetScaler supports transparent monitoring, which means that
monitored devices can be upstream of the routers.
If the preferred router is up, its statistics are updated and the traffic is sent
to that router. If the preferred router is not available, the best router is
selected from the VIP's server list according to the load balancing policy. Link
load balancing does not support the least connections load balancing method.
Link load balancing supports the following load balancing methods:
• ROUNDROBIN
• DESTINATIONIPHASH
• LEASTBANDWIDTH
• LEASTPACKETS
Link LB supports the following persistence type:
• DESTINATION IP
Note: The hosts on an enterprise network must have the NetScaler designated
as their gateway.
Parameter: Specifies
Netmask: Subnet mask to which the route belongs.
Gateway Name: Name of the route.
Directly Addressable: Specifies that the virtual server can be directly addressed
externally. If selected, the IP address and Port fields are required; otherwise,
they are optional.
Transparent: The monitor uses another network device to access the destination.
The following table summarizes sample names and values of the entities used for
configuring the NetScaler.
Sample Configuration for Link Load Balancing
Entity type Name Value
Monitor monitor-HTTP-1 10.10.10.11
Service service-ANY-1 10.102.29.50
LB Vserver vserver-LB-1 NA
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. In the Monitors pane, click Add.
3. In the Create Monitor dialog box, in Name, type the name of the monitor
(for example, monitor-HTTP-1).
4. In the Type drop-down list box, select the type of the monitor (for example,
HTTP).
5. On the Standard Parameters tab, in Destination IP, type the IP address (for
example, 10.10.10.11), and select the Transparent check box.
6. Click Create and click Close.
Chapter 9 Link Load Balancing 705
Example
add monitor monitor-HTTP-1 HTTP -destip 10.10.10.11 -transparent YES
To create a service and bind the monitor to it using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Services.
2. On the Services pane, click Add.
3. In the Create Service dialog box, in the Service Name, Server, and Port
text boxes type the name, IP address, and port of the service (for example,
service-ANY-1, 10.102.29.50, and *).
4. In the Protocol drop-down list box, select the type of the service (for
example, ANY).
5. On the Monitors tab, under Available, select the monitor that you want to
bind to the service (for example, monitor-HTTP-1), and then click Add.
6. Click Create and click Close.
To create a service and bind the monitor to it using the NetScaler command
line
Example
add service service-ANY-1 10.102.29.50 ANY *
bind monitor monitor-HTTP-1 service-ANY-1
To create a load balancing vserver and bind the service to it using the
configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the Load Balancing Virtual Servers pane, click Add.
3. In the Create Virtual Servers (Load Balancing) dialog box, in the Name
text box, type the name of the vserver (for example, vserver-LB-1).
4. In the Protocol drop-down list box, select the type of the vserver (for
example, ANY).
To create a load balancing vserver and bind the service to it using the
NetScaler command line
Example
add lb vserver vserver-LB-1 ANY
bind lb vserver vserver-LB-1 service-ANY-1
To set the load balancing method and persistence using the configuration
utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. On the Load Balancing Virtual Servers page, select the vserver for which
you want to configure Load Balancing method and persistence (for
example, vserver-LB-1), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, on the
Method and Persistence tab, under LB Method, select Round Robin.
4. Under Persistence, in the Persistence drop-down list box, select DESTIP.
5. In the Time-out and NetMask text boxes, type the time-out and subnet mask
values (for example, 2 and 225.225.225.225).
6. Click OK.
To set the load balancing method and persistence using the NetScaler
command line
Example
set lb vserver vserver-LB-1 -persistenceType DESTIP -lbmethod roundrobin
1. In the navigation pane, expand Network, expand Routing, and then click
Routes.
2. In the Routes pane, on the LLB tab, click Add.
3. In the Configure LB Route dialog box, in the Network and Netmask text
boxes, type the network and the subnet mask that you want to configure (for
example, 1.1.10.0 and 255.255.255.0).
4. In the Gateway Name drop-down list box, select the vserver (for example,
vserver-LB-1).
5. Click Create, and then click Close.
Example
add lb route 1.1.10.0 255.255.255.0 vserver-LB-1
1. Create services.
2. Create a primary and secondary router.
3. Set the secondary router as the backup router.
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the Services pane, click Add.
3. In the Create Service dialog box, in the Service Name, Server, and Port
text boxes, type the name, IP address, and port of the service (for example,
R1, 10.102.29.4, and *).
4. In the Protocol drop-down list box, select the type of the service (for
example, ANY).
5. Click Create and click Close.
6. Repeat Steps 1-5 to create another service with name, IP address, port, and
protocol as R2, 10.102.29.5, *, and ANY.
Examples
add service R1 10.102.29.4 ANY *
add service R2 10.102.29.5 ANY *
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the Load Balancing Virtual Servers pane, click Add.
3. In the Create Virtual Servers (Load Balancing) dialog box, in the Name
text box, type the name of the vserver (for example, vserver-LB-Pri-1),
and select the Directly Addressable check box.
4. In the IP Address and Port text boxes, type the IP address and port of the
vserver (for example, 10.102.23.77 and *).
5. In the Protocol drop-down list box, select the type of the vserver (for
example, ANY).
6. On the Services tab, in the Active column, select the check box
corresponding to the service that you want to bind to the vserver (for
example, R1).
7. On the Method and Persistence tab, under LB Method, select Round
Robin.
8. Click Create, and then click Close.
Example
add lb vserver vserver-LB-Pri-1 ANY 10.102.1.10 * -lbmethod roundrobin
bind lb vserver vserver-LB-Pri-1 R1
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the Load Balancing Virtual Servers pane, click Add.
3. In the Create Virtual Servers (Load Balancing) dialog box, in the Name
text box, type the name of the vserver (for example, vserver-LB-sec-1).
4. Select the Directly Addressable check box.
5. In the IP Address and Port text boxes, type the IP address and port of the
vserver (for example, 10.102.07.78 and *).
6. In the Protocol drop-down list box, select the type of the vserver (for
example, ANY).
7. On the Services tab, in the Active column, select the check box
corresponding to the service that you want to bind to the vserver (for
example, R2).
8. On the Method and Persistence tab, under LB Method, select Round
Robin.
9. Click Create, and then click Close.
Example
add lb vserver vserver-LB-Sec-1 ANY 10.102.07.78 * -lbmethod roundrobin
bind lb vserver vserver-LB-Sec-1 R2
To set the secondary router as the backup router using the configuration
utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the Load Balancing Virtual Servers pane, select the vserver for which
you want to configure the backup vserver (for example, vserver-LB-Pri-1),
and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab.
4. In the Backup Virtual Server drop-down list box, select the backup
vserver (for example, vserver-LB-Sec-1), and then click OK.
To set the secondary router as the backup router using the NetScaler
command line
Example
set lb vserver vserver-LB-Pri-1 -backupVserver vserver-LB-Sec-1
4. In the Gateway Name drop-down list box, select the vserver that you want
(for example, vserver-LB-Pri-1).
5. Click Create, and then click Close.
Example
add lb route 10.102.29.0 255.255.255.0 vserver-LB-Pri-1
1. In the navigation pane, expand Load Balancing, and then click Monitors.
2. In the Monitors pane, click Add.
3. In the Create Monitor dialog box, in the Name text box, type the name of
the monitor (for example, monitor-HTTP-1).
4. In the Type drop-down list box, select the type of the monitor (for example,
HTTP).
5. On the Standard Parameters tab, in Destination IP, type the destination IP
address that the monitor probes (for example, 10.10.10.11), and then select
the Transparent check box.
6. Click Create and click Close.
Example
add monitor monitor-HTTP-1 HTTP -destip 10.10.10.11 -transparent YES
To create a service and bind the monitor to it using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the Services pane, click Add.
3. In the Create Service dialog box, in the Service Name, Server, and Port
text boxes, type the name, IP address, and port of the service (for example,
route1, 10.102.29.5, and *).
4. In the Protocol drop-down list box, select the type of the service (for
example, ANY).
5. On the Monitors tab, under Available, select the monitor that you want to
bind to the service (for example, monitor-HTTP-1), and then click Add.
6. Click Create and click Close.
To create a service and bind the monitor to it using the NetScaler command
line
Example
add service route1 10.102.29.5 ANY *
bind monitor monitor-HTTP-1 route1
To create a load balancing vserver and bind the service to it using the
configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the Load Balancing Virtual Servers pane, click Add.
3. In the Create Virtual Servers (Load Balancing) dialog box, in the Name
text box, type the name of the vserver (for example, vserver-LB-3).
4. Select the Directly Addressable check box.
5. In the Protocol drop-down list box, select the type of the vserver (for
example, ANY).
6. On the Services tab, in the Active column, select the check box
corresponding to the service that you want to bind to the vserver (for
example, route1).
7. Click Create, and then click Close.
To create a load balancing vserver and bind the service to it using the
NetScaler command line
Example
add lb vserver vserver-LB-3 ANY
bind lb vserver vserver-LB-3 route1
To set the load balancing method and persistence using the configuration
utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the Load Balancing Virtual Servers pane, select the vserver for which
you want to configure the load balancing (LB) method and persistence (for
example, vserver-LB-3), and then click Open.
3. In the Configure Virtual Server (Load Balancing) dialog box, on the
Method and Persistence tab, under LB Method, in the drop-down list
box, select Round Robin.
4. Under Persistence, in the Persistence drop-down list box, select DESTIP.
5. In the Time-out and Netmask text boxes, type the time-out and subnet
mask values (for example, 2 and 225.225.225.225).
6. Click OK.
To set the load balancing method and persistence using the NetScaler
command line
Example
set lb vserver vserver-LB-3 -persistenceType DESTIP -lbmethod roundrobin
1. In the navigation pane, expand Networks, expand Routing, and then click
Routes.
2. In the Routes pane, on the LLB tab, click Add.
3. In the Configure LB Route dialog box, in the Network and Netmask text
boxes, type the network and the subnet mask that you want to configure (for
example, 1.10.10.0 and 255.255.255.0).
4. In the Gateway Name drop-down list box, select the vserver (for example,
vserver-LB-3).
5. Click Create, and then click Close.
Example
add lb route 1.10.10.0 255.255.255.0 vserver-LB-3
1. In the navigation pane, expand Network, expand Routing, and then click
Routes.
2. In the Routes pane, on the RNAT tab, select the RNAT network for which
you want to configure the NAT IP address (for example, 10.102.29.0).
3. Click Configure RNAT. The Configure RNAT dialog box appears.
4. In the Available NAT IP (s) list box, select the NAT IP address that you
want to configure (for example, 10.102.29.61).
5. Click Add. The NAT IP that you selected in Step 4 appears in the Configured
NAT IP (s) list box.
Chapter 9 Link Load Balancing 715
6. Click OK.
Example
set rnat 10.102.29.0 -natip 10.102.29.61
Example
enable ns mode USNIP
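The following is an added example, not code from the Citrix guide: a small Python model of the link load balancing behaviour described in this chapter (a vserver is UP while any bound service is UP, ROUNDROBIN selection among the routers that are UP, DESTIP persistence with a netmask and time-out, failover to the backup vserver, and LLB route lookup). The router names R1/R2 and the vserver names come from the procedures above; R3, the destination addresses, the default route and the time values are constructed, and the time-out unit (minutes) is an assumption.

```python
"""Added example (not Citrix code): model of NetScaler link load balancing."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Service:
    name: str
    router_ip: str
    up: bool = True  # last result of the (transparent) monitor probe


@dataclass
class LBVserver:
    name: str
    services: List[Service]
    backup: Optional["LBVserver"] = None
    persistence_netmask: str = "255.255.255.255"
    persistence_timeout: int = 2  # minutes (assumed unit for this model)
    _rr_index: int = 0
    _persist: Dict[IPv4Network, Tuple[Service, int]] = field(default_factory=dict)

    def is_up(self) -> bool:
        # The vserver is UP if at least one bound service is UP.
        return any(s.up for s in self.services)

    def _key(self, dest_ip: str) -> IPv4Network:
        # DESTIP persistence groups destinations by the configured netmask.
        return IPv4Network(f"{dest_ip}/{self.persistence_netmask}", strict=False)

    def select(self, dest_ip: str, now: int) -> Optional[Service]:
        """Return the router (service) used for a packet to dest_ip at time `now`."""
        if not self.is_up():
            # All bound services DOWN: hand the traffic to the backup vserver, if any.
            if self.backup is not None and self.backup.is_up():
                return self.backup.select(dest_ip, now)
            return None
        key = self._key(dest_ip)
        entry = self._persist.get(key)
        if entry is not None:
            svc, last_seen = entry
            if svc.up and now - last_seen <= self.persistence_timeout:
                self._persist[key] = (svc, now)  # refresh the persistence entry
                return svc
            del self._persist[key]  # entry expired or its router went DOWN
        up = [s for s in self.services if s.up]
        svc = up[self._rr_index % len(up)]  # ROUNDROBIN over routers that are UP
        self._rr_index += 1
        self._persist[key] = (svc, now)
        return svc


def route_lookup(routes: List[Tuple[IPv4Network, LBVserver]],
                 dest_ip: str) -> Optional[LBVserver]:
    """Longest-prefix match over the LLB route table (the 'add lb route' entries)."""
    addr = IPv4Address(dest_ip)
    best = None
    for net, vserver in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, vserver)
    return best[1] if best else None


def build_topology() -> Tuple[LBVserver, LBVserver]:
    r1 = Service("R1", "10.102.29.4")
    r2 = Service("R2", "10.102.29.5")
    r3 = Service("R3", "10.102.29.6")  # constructed backup router
    sec = LBVserver("vserver-LB-Sec-1", [r3])
    # Two links on the primary so that round robin and persistence are visible.
    pri = LBVserver("vserver-LB-Pri-1", [r1, r2], backup=sec,
                    persistence_netmask="255.255.255.0", persistence_timeout=2)
    return pri, sec


def build_routes(pri: LBVserver, sec: LBVserver) -> List[Tuple[IPv4Network, LBVserver]]:
    # 'add lb route 10.102.29.0 255.255.255.0 vserver-LB-Pri-1' from the chapter,
    # plus a constructed default route through the secondary vserver.
    return [(IPv4Network("10.102.29.0/24"), pri), (IPv4Network("0.0.0.0/0"), sec)]
```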
CHAPTER 10
Firewall Load Balancing
table to route the traffic instead of sending the traffic to the load balancing
vserver.
Firewall Persistence
Only SOURCEIP-based persistence is supported for firewall load balancing.
For more information about SOURCEIP-based persistence, see “Configuring
Persistent Connections Between Clients and Servers,” on page 99.
Restrictions
The NetScaler firewall load balancing feature has these restrictions:
• MAC-based forwarding feature must be enabled. For more information, see
the Citrix NetScaler Policy Configuration and Reference Guide for release
9.2.e.
• Managing the NetScaler (for example, running Telnet or FTP) on the
trusted side of the firewall in a sandwich topology works properly if the
NetScaler's default router (typically one of the firewalls in the farm) is
reachable.
This restriction is limited to managing the NetScaler units; traffic to servers
or virtual servers defined on the NetScaler works even if NetScaler’s
default router is DOWN.
• Because the FTP protocol requires special processing, the NetScaler should
be configured for *.21 and the service type FTP. In this case, the NetScaler
manages the FTP protocol by accepting the FTP control connection,
modifying the payload, and managing the data connection, all through the
same firewall.
Environments
You can set two types of environments on the NetScaler. They are:
• Sandwich
• Enterprise
Sandwich
In this setup, a NetScaler is located on each side of a set of firewalls. The
NetScaler placed between the firewalls and the Internet, called the external
NetScaler, selects the best firewall, based on the configured method. The
NetScaler between the firewalls and the private network, called the internal
NetScaler, tracks the firewall from which the initial packet for a session is
received. It then ensures that all subsequent packets for that session are sent to the
same firewall.
The internal NetScaler can be configured as a regular traffic manager to load
balance traffic across the private network servers. This configuration also allows
traffic originating from the private network to be load balanced across the
firewalls.
Chapter 10 Firewall Load Balancing 721
The following diagram shows the sandwich firewall load balancing environment.
Note: For detailed descriptions of CLI commands, see the Citrix NetScaler
Command Reference Guide.
External NetScaler
Enable the NetScaler’s load balancing feature by entering the
enable ns feature LB command, and then enter the following commands
on the external NetScaler:
1. Define the wildcard service for each firewall:
add service fw-ext-svc1 216.136.137.10 ANY *
add service fw-ext-svc2 216.136.137.20 ANY *
add service fw-ext-svc3 216.136.137.30 ANY *
3. Define a wildcard virtual server for traffic coming from the Internet:
add lb vserver VIP1 ANY * *
set lb vserver VIP1 -m MAC
Internal NetScaler
Enable the NetScaler’s load balancing feature by entering the
enable ns feature LB command, and then enter the following commands
on the internal NetScaler:
1. Define a wildcard service for each firewall:
add service fw-int-svc1 192.168.100.10 ANY *
add service fw-int-svc2 192.168.100.20 ANY *
add service fw-int-svc3 192.168.100.30 ANY *
4. Define a wildcard virtual server to load balance the traffic being sent to the
firewalls:
add lb vserver VIP2 ANY * *
set lb vserver VIP2 -m MAC
The service type ANY configures the NetScaler in passive mode, so that it load
balances based on the first packet (TCP or UDP) received for the session.
If you want the NetScaler to terminate a TCP connection, configure the service
and vserver with type TCP.
If you want the NetScaler to terminate a TCP connection and perform connection
multiplexing for HTTP protocols, configure the service and vserver with type
HTTP.
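The following is an added example, not code from the Citrix guide: a Python model of the sandwich topology above that shows why the internal NetScaler must return each session's packets to the firewall that delivered the first packet. The firewall IP addresses are the ones from the configuration above; the MAC addresses, the server address, the session tuples and the stateless comparison case are constructed.

```python
"""Added example (not Citrix code): session pinning in a firewall sandwich."""
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, Iterator, List, Tuple

# (external-side IP, internal-side IP, MAC seen by the internal NetScaler); MACs constructed
FIREWALLS: List[Tuple[str, str, str]] = [
    ("216.136.137.10", "192.168.100.10", "00:00:5e:00:53:10"),
    ("216.136.137.20", "192.168.100.20", "00:00:5e:00:53:20"),
    ("216.136.137.30", "192.168.100.30", "00:00:5e:00:53:30"),
]
# (client IP, client port, server IP, server port, protocol)
SessionKey = Tuple[str, int, str, int, str]


@dataclass
class ExternalNetScaler:
    """VIP1, service type ANY: pick a firewall on the first packet of a session
    (round robin here) and keep using it for the rest of that session."""
    _rr: Iterator = field(default_factory=lambda: cycle(FIREWALLS))
    _sessions: Dict[SessionKey, Tuple[str, str, str]] = field(default_factory=dict)

    def forward(self, key: SessionKey) -> Tuple[str, str, str]:
        fw = self._sessions.get(key)
        if fw is None:
            fw = next(self._rr)
            self._sessions[key] = fw
        return fw


@dataclass
class InternalNetScaler:
    """VIP2 with -m MAC: remember the firewall MAC that delivered the first packet
    of a session and send every reply for that session back to the same MAC."""
    _mac_by_session: Dict[SessionKey, str] = field(default_factory=dict)

    def inbound(self, key: SessionKey, src_mac: str) -> None:
        # Learn the firewall from the first packet; later packets do not change it.
        self._mac_by_session.setdefault(key, src_mac)

    def reply_next_hop(self, key: SessionKey) -> str:
        return self._mac_by_session[key]


def stateless_next_hop(key: SessionKey) -> str:
    """Constructed comparison case: choose a firewall for the reply without any
    session record (modelled as a hash of the client port). A stateful firewall
    that never saw the inbound packet of the session drops such a reply."""
    return FIREWALLS[key[1] % len(FIREWALLS)][2]


def simulate(sessions: List[SessionKey], pin_by_mac: bool) -> int:
    """Run each session through both appliances and count the replies that leave
    through the firewall that carried the inbound packet (the symmetric path)."""
    ext, internal = ExternalNetScaler(), InternalNetScaler()
    symmetric = 0
    for key in sessions:
        fw = ext.forward(key)          # Internet -> firewall chosen by VIP1
        internal.inbound(key, fw[2])   # packet reaches VIP2 from that firewall's MAC
        hop = internal.reply_next_hop(key) if pin_by_mac else stateless_next_hop(key)
        if hop == fw[2]:
            symmetric += 1
    return symmetric


# Constructed: six client flows to one web server on the private network.
SESSIONS: List[SessionKey] = [
    ("203.0.113.%d" % i, 40000 + i, "192.168.100.80", 80, "TCP") for i in range(6)
]

if __name__ == "__main__":
    print("pinned by MAC:", simulate(SESSIONS, True), "of", len(SESSIONS), "symmetric")
    print("stateless:", simulate(SESSIONS, False), "of", len(SESSIONS), "symmetric")
```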
Enterprise
In this setup, the NetScaler is placed between the firewalls connecting to the
public Internet and the internal private network. The NetScaler selects the best
firewall based on the configured load balancing policy.
The following figure shows the enterprise firewall load balancing environment.
Note: For detailed descriptions of CLI commands, see the Citrix NetScaler
Command Reference Guide.
3. Define a wildcard virtual server to load balance the traffic being sent to the
firewalls:
add lb vserver Enterprise_VIP ANY * *
set lb vserver Enterprise_VIP -m MAC
The service type ANY configures the NetScaler in passive mode, so that it load
balances based on the first packet (TCP or UDP) received for the session.
If you want the NetScaler to terminate a TCP connection, configure the service
and vserver with type TCP.
If you want the NetScaler to terminate a TCP connection and perform connection
multiplexing for HTTP protocols, configure the service and vserver with type
HTTP.
C HAPTER 11
Cache Redirection
The NetScaler can redirect cacheable requests to cache servers and send non-
cacheable or dynamic requests to origin servers. Cache servers store frequently
requested Web content and serve this content to a client on behalf of an origin
server. This lightens the load on the origin server farm.
This chapter assumes that you have obtained a list of available virtual IP
addresses from the administrator who installed and set up the NetScaler that you
are configuring.
In This Chapter
How Cache Redirection Works
Configuring Cache Redirection and Load Balancing
Configuring Transparent Cache Redirection
Configuring Reverse Proxy Cache Redirection
Configuring Forward Proxy Cache Redirection
Redirecting to Different Servers Based on Content Type
Administering a Cache Redirection Virtual Server
Configuring Policies for Cache Redirection
Note: The NetScaler also provides an in-memory cache that stores both static
and dynamic HTTP responses. For more information, see the chapter on
integrated caching in the Citrix NetScaler Application Optimization Guide.
This chapter assumes that you are familiar with load balancing and content
switching. For more information, see “Load Balancing,” on page 25 and “Content
Switching,” on page 287. Also, this chapter does not go into the details of
configuration for HTTPS. For information on configuration settings for HTTPS,
see “Secure Sockets Layer (SSL) Acceleration,” on page 375.
In forward proxy mode, the cache redirection virtual server sends non-
cacheable requests to a DNS load balancing virtual server, which selects the
destination of the origin server.
As noted in the preceding paragraphs, you can configure cache redirection at the
origin side or at the edge of a network. Caching at the origin saves processing for
the origin server. You configure cache redirection at the origin in transparent or
reverse proxy mode.
Caching at the edge of the network reduces bandwidth cost and improves
response time for users. Edge deployments are common at Internet Service
Providers (ISPs), cable companies, content delivery distribution networks, and
enterprise networks. You configure cache redirection at the edge in transparent or
forward proxy mode.
By default, if the request does not match a policy, it is cacheable, and the
NetScaler sends it to the cache as follows:
• If the cache server is a forward proxy cache or a transparent cache,
the NetScaler sends the request to a load balancing virtual server for
the cache.
• The load balancing virtual server for the cache forwards the request
to a service, that, in turn, sends the request to the cache server.
1. In the navigation pane, expand Load Balancing and then click Virtual
Servers.
2. Double-click the load balancing virtual server that you want to use for
cache redirection.
3. In the Configure Virtual Server (Load Balancing) dialog box, click the
Advanced tab, and then select the Cache Redirection check box.
1. In the navigation pane, expand Cache Redirection, and then click Virtual
Servers.
2. In the details pane, click the name of the virtual server that you want to
view.
The configuration details of this virtual server appear in the Details section
at the bottom of the page.
Chapter 11 Cache Redirection 739
These policies enable the NetScaler to identify requests that should be sent
to the origin server instead of the cache. For more information, see
“Configuring Policies for Cache Redirection,” on page 777.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. In the details pane, click Add.
3. In Name, enter a name for the load balancing virtual server. For cache
redirection, you do not need an IP address or a port number.
4. In the Protocol list, choose the protocol (for example, HTTP).
5. To enable cache redirection for this load balancing virtual server, click the
Advanced tab, and select Cache Redirection.
6. Click Create, and then click Close. The load balancing virtual server is
added to the Load Balancing Virtual Servers page.
7. Click Save to prevent discarding the changes when you reboot the
NetScaler.
1. In the navigation pane, expand Load Balancing, and then click Services.
2. In the details pane, click Add.
3. In the Service Name text box, enter a unique name for the service.
4. In the Server text box, enter the IP address of the physical origin server
that this service refers to.
5. In the Port text box, type a port number (for example, 80).
Each server can have multiple services. Each service must have a unique
port number.
6. In the Protocol list, choose HTTP.
7. On the Advanced tab, scroll down to locate Cache Redirection Options.
In the Cache Type list, choose a cache type (for example, Transparent
Cache).
8. Click Create, and then click Close. The service that you have created
appears on the Services page.
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. Click the name of the load balancing virtual server that you want to
configure, and then click Open.
3. In the Services tab, in the Active column, select the check box next to the
service that you want to bind to the virtual server.
4. Click OK.
Example
bind lb vserver Vserver-LB-1 Service-HTTP-1
Note: The following procedures describe associating built-in policies with the
cache redirection virtual server. You can also configure custom policies. For more
information, see “Using Built-in Cache Redirection Policies,” on page 777 and
“Configuring User-Defined Policies,” on page 779.
1. In the navigation pane, click Cache Redirection, and then click Virtual
Servers.
2. Click Add.
3. In the Create Virtual Server (Cache Redirection) dialog box, enter
appropriate values in the Name, IP Address, and Port text boxes.
Note: If the IP address is in IPv6 format, select the IPv6 check box before
entering the IP address.
1. In the navigation pane, click Cache Redirection, and then click Virtual
Servers. The Cache Redirection Virtual Servers page appears in the right
pane.
2. In the Cache Redirection Virtual Servers page, click the virtual server to
which you want to bind the built-in policies.
3. Click Open. The Configure Virtual Server (Cache Redirection) dialog
box appears.
4. On the Policies tab, in the Active column, select the check box next to the
built-in cache redirection policies and click OK. The policies are bound to
the cache redirection virtual server.
Example
add cr vserver Vserver-CRD-1 HTTP * 80 -cacheType TRANSPARENT -redirect POLICY -cacheVserver Vserver-LB-1
Examples
bind cr vserver Vserver-CRD-1 -policyName bypass-cache-control
bind cr vserver Vserver-CRD-1 -policyName bypass-dynamic-url
bind cr vserver Vserver-CRD-2 -policyName bypass-urltokens
bind cr vserver Vserver-CRD-2 -policyName bypass-cookie
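The following is an added example, not code from the Citrix guide: a Python model of the policy-based decision a cache redirection virtual server makes with -redirect POLICY, using the two vservers and the four built-in policy bindings shown above. The rule bodies approximate the intent of the named built-in policies but are assumptions, not the product's actual policy expressions; the cache vserver for Vserver-CRD-2 and the sample requests are constructed.

```python
"""Added example (not Citrix code): model of policy-based cache redirection."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)  # keys in lower case

    def header(self, name: str) -> str:
        return self.headers.get(name.lower(), "")


# Assumed rule bodies for the built-in policies named on the page.
def bypass_cache_control(r: Request) -> bool:
    # The client explicitly refuses a cached copy.
    directives = (r.header("cache-control") + " " + r.header("pragma")).lower()
    return "no-cache" in directives or "no-store" in directives


DYNAMIC_SUFFIXES = (".cgi", ".asp", ".aspx", ".jsp", ".php")


def bypass_dynamic_url(r: Request) -> bool:
    path = urlsplit(r.url).path.lower()
    return "/cgi-bin/" in path or path.endswith(DYNAMIC_SUFFIXES)


def bypass_urltokens(r: Request) -> bool:
    parts = urlsplit(r.url)
    return bool(parts.query) or ";" in parts.path or "=" in parts.path


def bypass_cookie(r: Request) -> bool:
    # A cookie usually selects a per-user response; serving it from a shared
    # cache could hand one user's content to another.
    return bool(r.header("cookie"))


BUILTIN_POLICIES: Dict[str, Callable[[Request], bool]] = {
    "bypass-cache-control": bypass_cache_control,
    "bypass-dynamic-url": bypass_dynamic_url,
    "bypass-urltokens": bypass_urltokens,
    "bypass-cookie": bypass_cookie,
}


@dataclass
class CRVserver:
    name: str
    cache_vserver: str                                   # -cacheVserver
    policies: List[str] = field(default_factory=list)    # bound policies, in order

    def bind(self, policy_name: str) -> None:
        if policy_name not in BUILTIN_POLICIES:
            raise KeyError(policy_name)
        self.policies.append(policy_name)

    def decide(self, r: Request) -> Tuple[str, Optional[str]]:
        """Return ('origin', matching policy) when a bound policy marks the request
        non-cacheable; otherwise ('cache', cache vserver), because a request that
        matches no policy is cacheable by default and goes to the cache's LB vserver."""
        for name in self.policies:
            if BUILTIN_POLICIES[name](r):
                return "origin", name
        return "cache", self.cache_vserver


def build_vservers() -> Tuple[CRVserver, CRVserver]:
    # Bindings as in the 'bind cr vserver' examples above.
    crd1 = CRVserver("Vserver-CRD-1", "Vserver-LB-1")
    crd1.bind("bypass-cache-control")
    crd1.bind("bypass-dynamic-url")
    crd2 = CRVserver("Vserver-CRD-2", "Vserver-LB-1")  # cache vserver assumed
    crd2.bind("bypass-urltokens")
    crd2.bind("bypass-cookie")
    return crd1, crd2
```

Note how the same cookie-bearing request is sent to the cache by Vserver-CRD-1 and to the origin by Vserver-CRD-2: which built-in policies are bound decides whether user-specific responses can end up in a shared cache.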
To turn off caching for a load balancing virtual server by using the
configuration utility
1. In the navigation pane, click Load Balancing and click Virtual Servers.
2. Double-click the load balancing virtual server that you want to modify.
3. On the Advanced tab, clear the Cache Redirection check box.
4. Click OK, and then click Close. The modified load balancing virtual server
appears on the Load Balancing Virtual Servers page.
To turn off caching for a load balancing virtual server by using the NetScaler
command line
Example
set lb vserver Vserver-LB-1 -cacheable NO
To configure a load balancing virtual server for the reverse proxy cache by
using the configuration utility
1. In the navigation pane, click Load Balancing and click Virtual Servers.
2. In the details pane, click Add.
3. In the Name text box, type the name of the load balancing virtual server for
the cache server.
4. In the Protocol list, choose HTTP.
5. Clear the Directly Addressable check box.
6. On the Method and Persistence tab, in the Method list, choose URL
Hash.
7. To enable cache redirection for this load balancing virtual server, click the
Advanced tab, and select Cache Redirection.
8. Click Create and then click Close.
The load balancing virtual server that you created appears on the Load
Balancing Virtual Servers page.
9. Configure an HTTP service that points to the cache server for this load
balancing virtual server.
For more information, see “To configure an HTTP service by using the
configuration utility,” on page 742. Note that in step 7. of this procedure, in
the Cache Type list, choose Reverse Cache or Transparent Cache,
depending on the cache servers you are using.
10. Bind the service to the virtual server that you just created.
For more information, see “Binding a Service to a Load Balancing Virtual
Server,” on page 743.
11. Click Save to prevent discarding the changes when you reboot the
NetScaler.
To configure a load balancing virtual server for the reverse proxy cache by
using the NetScaler command line
Example
To configure a load balancing virtual server for the origin by using the
configuration utility
1. In the navigation pane, expand Load Balancing and click Virtual Servers.
2. In the details pane, click Add.
3. In the Name and Port text boxes, type the name of the virtual server and
the port number.
4. In the IP Address text box, type the IP address of the server.
5. In the Protocol list, choose a protocol (for example, HTTP).
6. To enable cache redirection for this load balancing virtual server, on the
Advanced tab, click the Cache Redirection check box.
7. Click Create. The load balancing virtual server appears on the Load
Balancing Virtual Servers page.
8. Configure an HTTP Service for the load balancing virtual server.
For more information, see “To configure an HTTP service by using the
configuration utility,” on page 742.
This HTTP service should represent the origin server.
9. Bind the service to the load balancing virtual server.
For more information, see “To bind a service to a load balancing virtual
server by using the configuration utility,” on page 743.
To configure a load balancing virtual server for the origin by using the
NetScaler command line
Where serviceName is a unique name for the service that you want to bind
to the load balancing virtual server and originIPAddress and originPort are
the IP address and port of the origin server.
3. Bind the service to the load balancing virtual server, as follows:
bind lb vserver loadBalancingVirtualServerName serviceName
Example
add lb vserver Vserver-LB-3 HTTP 10.102.29.210 90
add service Service-HTTP-3 10.102.29.81 HTTP 80 -cacheType REVERSE
bind lb vserver Vserver-LB-3 Service-HTTP-3
For more information, see “Configuring a Cache Redirection Virtual Server for
Transparent Mode,” on page 743.
Where:
• cacheRedirectionVirtualServerName is a name for this cache
redirection virtual server.
• protocol is the protocol (HTTP, SSL, or NNTP) for this virtual
server.
• ipAddress port are the IP address and port for this virtual server.
• You can map domains plus URL suffixes (for example, you can map
www.mydomain.com and /index.html to www.myrealdomain.com and /index.html).
• If you specify a source domain, you must specify a destination domain.
• If you specify a source suffix, you must specify a destination suffix.
• If you specify an exact URL from the source, the target URL must also be
an exact URL.
1. In the navigation pane, expand Cache Redirection, and then click Map.
2. In the details pane, click Add.
3. In the Name text box, enter the name of the mapping policy.
4. Under Source, in the Source Domain text box, enter the domain as
specified in the client request (for example, www.mycompany.com).
5. Under Target, in the Target Domain text box, enter the domain of the
target (for example, www.myrealcompany.com).
6. Click Create. The map policy appears on the Map page.
7. To bind the mapping policy to the cache redirection virtual server, in the
navigation pane, expand Cache Redirection, and then click Virtual
Servers.
8. Click the virtual server to which you want to bind the policy, and then click
Open.
9. On the Policies tab, in the Active column, select the check box next to the
map policy that you want to bind to the virtual server.
10. In the Target column, from the list corresponding to the policy, choose
the name of the origin load balancing virtual server.
11. When you are done, click OK. The mapping policy is bound to the cache
redirection virtual server, and the action is set to forward requests that are
not cacheable to the origin load balancing virtual server.
Where:
The following table summarizes the entities that you configure for forward proxy
cache redirection.
Parameters for Forward Proxy Cache Redirection
Entity: A DNS load balancing virtual server and associated services
Parameters and Values: Parameters for the virtual server include the following:
• Name: a unique name, 127 characters maximum (for example, MyDNSVServer).
• IP address: an IP address (for example, 10.222.22.111).
• Port: a listen port (for example, 53).
• Service Type: DNS
Parameters for the service that you bind to the virtual server include the
following:
• Name: a unique name (for example, MyDNSService).
• IP address for the physical DNS server: an IP address in IPv4 or IPv6 format
(for example, 10.102.29.41).
• Port: a listen port (for example, 53).
• Service Type: DNS
Entity: A load balancing virtual server for a forward proxy cache or a
transparent cache
Parameters and Values: This is the same as configuring a load balancing virtual
server for the cache for any other mode. For more information, see “Configuring
a Load Balancing Virtual Server for the Cache,” on page 740.
Entity: A cache redirection virtual server
Parameters and Values: The forward proxy cache redirection virtual server is
bound to the DNS virtual server and to the load balancing virtual server for the
cache.
• Name: a unique name, 127 characters maximum (for example, Vserver-CRD-3).
• IP address: an IP address in IPv4 or IPv6 format (for example,
10.102.29.140).
• Port: a listen port (for example, 80).
• Service Type: HTTP
• Cache Type: FORWARD
• Redirect: POLICY
• Via: selected
• DNS virtual server: the name of the DNS virtual server that is queried when
sending requests to the origin server.
• Load balancing virtual server for the cache: the name of the load balancing
virtual server that is used when sending requests to a cache server.
Entity: Policies to determine if a request is cacheable
Parameters and Values: For more information, see “Configuring Policies for
Cache Redirection,” on page 777.
To configure a DNS load balancing virtual server and service by using the
configuration utility
7. To configure the DNS virtual server, in the navigation pane, expand Load
Balancing, and then expand Virtual Servers.
8. In the details pane, click Add.
9. In the Name text box, enter the name of the virtual server.
10. In the Protocol list, choose DNS.
11. On the Services tab, select the Active option corresponding to the service
you want to bind.
Note: IP address and port are not needed for cache redirection.
To configure a DNS load balancing virtual server and service by using the
NetScaler command line
1. At the NetScaler command line, add the load balancing virtual server, as
follows:
add lb vserver dnsVirtualServerName DNS
Example
add lb vserver Vserver-DNS-1 DNS
add service Service-DNS-1 10.102.29.41 DNS 53
bind lb vserver Vserver-DNS-1 Service-DNS-1
Where:
• name is the name that you want to assign to this cache redirection virtual
server.
Cache redirection policies and content switching policies are evaluated in the
following order:
• The NetScaler first evaluates the cache redirection policies that are bound
to the cache redirection virtual server.
If a request matches a cache redirection policy, the cache redirection virtual
server sends the request to a load balancing virtual server for the origin.
• If no cache redirection policies match the request, the NetScaler evaluates
content switching policies.
If a content switching policy matches the request, the cache redirection
virtual server redirects the request to a load balancing virtual server for the
cache.
This section describes how to configure advanced cache redirection, using an
example of a transparent mode configuration in an edge deployment topology. In
this example, the NetScaler sends all cacheable HTTP traffic to a transparent
cache farm. The NetScaler is configured as a Layer 4 switch that receives traffic
on port 80. The NetScaler is deployed on the edge of a network, and clients
access the Internet through the NetScaler.
In this example, you configure the NetScaler to direct image content (for
example, .gif and .jpg files) to one cache server in the farm. The other cache
servers in the farm serve all other static content. You configure content
switching policies to send images to the image cache and to send all other
cacheable content to a default cache.
The following table summarizes the parameters and values of the entities that you
configure.
Parameters for Cache Redirection with Content Switching
Advanced Cache Redirection Entity: Cache redirection virtual server
Parameters and Values:
• Name: a unique name, 127 characters maximum (for example,
myContentSwitchingCRVServer).
• Port: a listen port (for example, 80).
• Service Type: HTTP
• Cache Type: TRANSPARENT
• Redirect: POLICY
• Cache Server: the name of the load balancing virtual server for the cache
(for example, myLBCacheVSvr).
Note that the Cache Type can be TRANSPARENT, REVERSE, or FORWARD.
Note: For this release, you can only configure advanced content switching from
the command line.
To configure a load balancing virtual server and HTTP service for content-
based cache redirection by using the NetScaler command line
Example
add lb vs lbCacheDefault http
add service httpDefault 11.12.13.14 http 80 -cacheType TRANSPARENT
bind lb vserver lbCacheDefault httpDefault
add lb vs lbCacheJpeg http
add service httpJpeg 11.12.13.15 http 80 -cacheType TRANSPARENT
bind lb vserver lbCacheJpeg httpJpeg
add lb vserver lbCacheGif http
add service httpGif 11.12.13.16 http 80 -cacheType TRANSPARENT
bind lb vserver lbCacheGif httpGif
Where:
• virtualServerName is the name of a cache redirection virtual server.
• ipAddress is the IP address for the virtual server. This can be an actual IP
address or an asterisk (*).
• port is the listen port for the virtual server.
• loadBalancingVirtualServerName is the name of the default load
balancing virtual server that redirects to a cache server. Note that for
advanced redirection, the default load balancing virtual server is only used
if a cacheable request does not match a content switching policy.
Example
add cr vserver Vserver-CRD HTTP 0.0.0.0 80 -cacheType TRANSPARENT -redirect POLICY -cacheVserver lbcachedefault
Where:
• policyName is the name for this cache redirection policy.
• expression is a simple or compound expression for the policy rule.
• virtualServerName is the name of an existing cache redirection virtual
server.
Example
add cr policy Policy-CRD -rule "REQ.HTTP.URL != /*.jpeg || REQ.HTTP.URL != /*.gif"
bind cr vserver Vserver-CRD -policyName Policy-CRD
Note: This guide contains a chapter on content switching that provides more
details on this topic. For more information, see “Content Switching,” on page
287.
Example
add cs policy myContentSwitchingPolicyJpeg -rule "REQ.HTTP.URL == /*.jpeg"
bind cs vserver Vserver-CRD lbcachejpeg -policyName myContentSwitchingPolicyJpeg
add cs policy myContentSwitchingPolicyGif -rule "REQ.HTTP.URL == /*.gif"
bind cs vserver Vserver-CRD -policyName myContentSwitchingPolicyGif lbcachegif
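The evaluation order described earlier in this chapter (cache redirection policies first, then content switching policies, then the default cache vserver) and the advanced transparent-mode example above can be checked offline with the following Python simulation. It is an added example, not NetScaler code and not part of the guide: the vserver and policy names are the guide's, while the fnmatch-style reading of the * wildcard, the "origin" label used for the origin destination, and the body of the bypass-non-get rule (only its name appears in this guide) are assumptions of the example.

```python
# Added example (not NetScaler code): simulates the order in which a cache
# redirection vserver in -redirect POLICY mode evaluates its bindings, as the
# guide describes it. Cache redirection (cr) policies are checked first; a hit
# means "not cacheable" and the request goes to the origin. Content switching
# (cs) policies are checked next; a hit selects the load balancing vserver bound
# for that policy. Anything else goes to the default cache vserver named with
# -cacheVserver. The '*' wildcard is read fnmatch-style (assumption).
from fnmatch import fnmatchcase
from typing import Callable, NamedTuple


class Request(NamedTuple):
    method: str
    url: str


Rule = Callable[[Request], bool]


def url_is(pattern: str) -> Rule:
    """REQ.HTTP.URL == pattern."""
    return lambda req: fnmatchcase(req.url, pattern)


def url_is_not(pattern: str) -> Rule:
    """REQ.HTTP.URL != pattern."""
    return lambda req: not fnmatchcase(req.url, pattern)


def method_is_not(method: str) -> Rule:
    """REQ.HTTP.METHOD != method."""
    return lambda req: req.method != method


class CRVServer:
    """Cache redirection vserver with -cacheType TRANSPARENT -redirect POLICY."""

    def __init__(self, name: str, cache_vserver: str, origin: str = "origin"):
        self.name = name
        self.cache_vserver = cache_vserver  # -cacheVserver, the default cache
        self.origin = origin                # where non-cacheable requests go
        self.cr_policies: list[tuple[str, Rule]] = []
        self.cs_policies: list[tuple[str, Rule, str]] = []

    def bind_cr_policy(self, policy: str, rule: Rule) -> None:
        self.cr_policies.append((policy, rule))

    def bind_cs_policy(self, policy: str, rule: Rule, target_lb: str) -> None:
        self.cs_policies.append((policy, rule, target_lb))

    def route(self, req: Request) -> tuple[str, str]:
        """Return (destination vserver, reason) for one request."""
        for policy, rule in self.cr_policies:           # 1. cr policy hit -> origin
            if rule(req):
                return self.origin, f"cr policy {policy}"
        for policy, rule, target in self.cs_policies:   # 2. cs policy hit -> its cache
            if rule(req):
                return target, f"cs policy {policy}"
        return self.cache_vserver, "default cache vserver"  # 3. nothing matched


def guide_config(rule_operator: str = "||") -> CRVServer:
    """The guide's advanced example. Policy-CRD is written with '||' in the
    guide; pass '&&' to see the variant that matches only non-image URLs."""
    not_jpeg, not_gif = url_is_not("/*.jpeg"), url_is_not("/*.gif")
    if rule_operator == "||":
        policy_crd: Rule = lambda r: not_jpeg(r) or not_gif(r)
    elif rule_operator == "&&":
        policy_crd = lambda r: not_jpeg(r) and not_gif(r)
    else:
        raise ValueError(rule_operator)
    crd = CRVServer("Vserver-CRD", cache_vserver="lbCacheDefault")
    crd.bind_cr_policy("Policy-CRD", policy_crd)
    crd.bind_cs_policy("myContentSwitchingPolicyJpeg", url_is("/*.jpeg"), "lbCacheJpeg")
    crd.bind_cs_policy("myContentSwitchingPolicyGif", url_is("/*.gif"), "lbCacheGif")
    return crd


def bypass_non_get_config() -> CRVServer:
    """Same caches, but the cr policy is bypass-non-get. Its rule body
    (REQ.HTTP.METHOD != GET) is an assumption; only the name is in the guide."""
    crd = CRVServer("Vserver-CRD-1", cache_vserver="lbCacheDefault")
    crd.bind_cr_policy("bypass-non-get", method_is_not("GET"))
    crd.bind_cs_policy("myContentSwitchingPolicyJpeg", url_is("/*.jpeg"), "lbCacheJpeg")
    crd.bind_cs_policy("myContentSwitchingPolicyGif", url_is("/*.gif"), "lbCacheGif")
    return crd


# Constructed sample traffic, not captured from any appliance.
SAMPLE = [
    Request("GET", "/images/logo.jpeg"),
    Request("GET", "/icons/ok.gif"),
    Request("GET", "/index.html"),
    Request("POST", "/cgi-bin/form.cgi"),
]


def route_all(crd: CRVServer, requests=SAMPLE) -> dict[str, str]:
    """Map 'METHOD url' to the destination vserver chosen for it."""
    return {f"{r.method} {r.url}": crd.route(r)[0] for r in requests}


if __name__ == "__main__":
    for label, crd in [("Policy-CRD with ||", guide_config("||")),
                       ("Policy-CRD with &&", guide_config("&&")),
                       ("bypass-non-get", bypass_non_get_config())]:
        print(label)
        for req in SAMPLE:
            dest, why = crd.route(req)
            print(f"  {req.method:4} {req.url:20} -> {dest:14} ({why})")
```

Running it shows why the rule deserves a second look before it is bound: "REQ.HTTP.URL != /*.jpeg || REQ.HTTP.URL != /*.gif" is true for every URL, because no URL ends in both extensions, so every request is classed as non-cacheable and sent to the origin, and neither the content switching policies nor lbCacheDefault is ever consulted. With && the image requests reach lbCacheJpeg and lbCacheGif, but every other URL still matches the cache redirection policy, so lbCacheDefault remains unreachable. The bypass-non-get configuration exercises all three paths. On a running appliance, show cr vserver and stat cr vserver, described later in this chapter, are the place to confirm which bindings actually receive traffic.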
You can also manage client connections, including client timeouts, client
connection cleanup, and TCP connection reuse.
1. In the navigation pane, expand Cache Redirection, and then click Virtual
Servers.
2. Click the virtual server whose properties you want to view. Basic properties
of this virtual server appear at the bottom of the details pane.
3. To see detailed properties of this virtual server, including its policy
bindings, double-click it.
At the NetScaler command line, to view basic properties for all cache redirection
virtual servers, type:
show cr vserver
At the NetScaler command line, to view basic properties and policy bindings for a
specific cache redirection virtual server, type:
show cr vserver virtualServerName
To view cache redirection policies that are bound to load balancing virtual
servers by using the configuration utility
1. In the navigation pane, expand Load Balancing, and then click Virtual
Servers.
2. Click the virtual server whose policy bindings you want to view.
3. Click Show CS/CR Bindings.
To view cache redirection policies that are bound to load balancing virtual
servers by using the NetScaler command line
1. In the navigation pane, expand Cache Redirection, and then click Virtual
Servers. The Cache Redirection Virtual Servers page appears in the right
pane.
2. To view statistics for the virtual server, including the number and size of
requests and responses sent through it, click the virtual server that you are
interested in, and then click the Statistics button at the bottom of the pane.
At the NetScaler command line, to view basic statistics for all cache redirection
virtual servers, type:
stat cr vserver
At the NetScaler command line, to view detailed statistics for a cache redirection
virtual server, including number and size of requests and responses that pass
through the virtual server, type:
stat cr vserver virtualServerName
1. In the navigation pane, expand Cache Redirection, and then click Virtual
Servers.
2. Click the virtual server you want to enable or disable, and then click
Enable or Disable.
3. In the Enable or Disable message box, click Yes. The cache redirection
virtual server is enabled or disabled.
Example
enable cr vserver Vserver-CRD-1
disable cr vserver Vserver-CRD-1
To change the default destination for a policy hit to the origin or the cache
by using the configuration utility
1. In the navigation pane, expand Cache Redirection, and then click Virtual
Servers.
2. Click the virtual server whose default destination you want to change, and then click Open.
3. In the Configure Cache Virtual Server dialog box, on the Advanced tab,
in the Redirect drop-down menu, select either CACHE or ORIGIN, as
needed.
To change the destination for a policy hit to the origin or the cache by using
the NetScaler command line
1. In the navigation pane, expand Cache Redirection, and then click Virtual
Servers.
2. Click the cache redirection virtual server that contains the policy that you
want to remove from the virtual server definition, and click Open.
3. On the Policies tab, in the Active column, select the check box next to the
policy you want to unbind, and click OK.
The policy still exists, but it is no longer associated with the cache
redirection virtual server.
Example
unbind cr vserver Vserver-CRD-1 -policyName bypass-non-get
To change the mode of a cache redirection virtual server by using the NetScaler
command line
Example
set cr vserver Vserver-CRD-1 -redirect CACHE
Example
rm cr vserver Vserver-CRD-1
To view the statistics of a cache redirection virtual server using the monitor
and dashboard
Example
set cr vserver Vserver-CRD-1 -cltTimeout 6000
1. In the navigation pane, expand Cache Redirection, and then click Virtual
Servers.
2. Click the virtual server for which you want to set the Via option, and click
Open.
3. On the Advanced tab, select or clear the Via check box.
4. Click OK.
Example
set cr vserver Vserver-CRD-1 -via ON
1. In the navigation pane, expand Cache Redirection, and then click Virtual
Servers. The Cache Redirection Virtual Servers page appears in the right
pane.
2. Click the virtual server for which you want to set the reuse option, and then
click Open. The Configure Virtual Server (Cache Redirection) dialog
box appears.
3. On the Advanced tab, select or clear the Reuse check box.
4. Click OK.
Example
set cr vserver Vserver-CRD-1 -reuse ON
To set the down state flush option in a cache redirection virtual server by
using the configuration utility
1. In the navigation pane, expand Cache Redirection, and then click Virtual
Servers.
2. Click the virtual server for which you want to set the down state flush
option, and then click Open.
3. On the Advanced tab, select or clear the Down state flush check box.
4. Click OK.
To set the down state flush option by using the NetScaler command line
Example
set cr vserver Vserver-CRD-1 -downStateFlush ENABLED
1. In the navigation pane, expand Cache Redirection, and then click Virtual
Servers.
2. Click the virtual server that you want to configure as the backup virtual
server and click Open.
3. On the Advanced tab, in the Backup Virtual Server list, choose the virtual
server you want to specify as the backup virtual server.
4. Click OK.
Example
set cr vserver Vserver-CRD-1 -backupVServer Vserver-CRD-2
Note: The default policies are not automatically bound to a cache redirection
virtual server. You must bind them to make them effective. For more information,
see “Binding a Policy to a Cache Redirection Virtual Server,” on page 785.
In the navigation pane, expand Cache Redirection, and then click Policies. The
Cache Redirection Policies page appears.
To bind the default policies to a cache redirection virtual server by using the
NetScaler command line
Example
bind cr vserver my_cache_redirection_vip -pol bypass-cookie
The following table summarizes the different types of expression you can
configure.
Types of user-defined expressions that you can include in a policy
User-defined expression type: HTTP request type
Description: Check for one of the following items in the request, and compare
it to a particular value:
• Method
• URL
• Tokens in the URL
• Version
• Header name and value
• URL length
• URL query string contents
• URL query string length
Note: You can build complex expressions by using AND (&&) and OR (||)
operators. You can configure nesting by using parentheses, as described in the
following sections. For more information, see the Citrix NetScaler Policy
Configuration and Reference Guide for release 9.2.e.
Note: You do not explicitly configure actions on a cache redirection policy. The
NetScaler considers any request that matches a policy to be non-cacheable, and
the implied action is to direct the request to the origin server instead of the cache.
1. In the navigation pane, expand Cache Redirection, and then click Policies.
2. In the details pane, click Add.
3. In the Name text box, type the name of the policy, and then in the
Expression area, click Add.
4. To configure a simple expression, enter the expression.
The following is an example of an expression that checks for a .jpeg
extension in a URL:
• Expression Type: General
• Flow Type: REQ
• Protocol: HTTP
• Qualifier: URL
• Operator: !=
• Value: /*.jpeg
5. When you are done entering the expression, click OK, and then click
Close.
4. To configure a complex rule, from the main Policies page, click the Match
Any Expression list and choose an expression format.
5. Click Add and enter the first expression.
The following is an example of a policy that redirects to the cache if the
method is POST and the URL contains a .cgi or .gif extension. This policy
has three expressions. The following is the first expression:
• Main Policies page Match Any Expression list: Tabular
Expressions
• Expression Type: General
• Flow Type: REQ
• Protocol: HTTP
• Qualifier: METHOD
• Operator: ==
• Value: POST
6. After entering the first expression, click OK and enter the second
expression, as shown in the following example:
• Expression Type: General
• Flow Type: REQ
• Protocol: HTTP
• Qualifier: URL
• Operator: ==
• Value: /*.cgi
7. After entering the second expression, click OK and enter additional
expressions, as needed, as shown in the following example:
• Expression Type: General
• Flow Type: REQ
• Protocol: HTTP
• Qualifier: URL
• Operator: !=
• Value: /*.gif
8. When you are done entering expressions, click OK, and then click Close.
9. To determine the order of evaluation for the expression, from the main
policy configuration dialog box, do the following:
• Select an expression.
• Select parentheses to begin a grouping for multiple expressions.
• Select the final expression in the group and close the parentheses.
Select an expression and click AND or OR to determine if any or all of the
expressions must match the request.
See the screen shot and the sample expression provided in the previous steps.
10. Click Save to prevent discarding the changes when you reboot the
NetScaler.
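The procedure above builds a compound rule from individual expressions joined with AND, OR and parentheses. The following Python parser, an added example rather than NetScaler code or part of the guide, accepts the subset of the classic expression syntax used on this page (REQ.HTTP.URL and REQ.HTTP.METHOD, the operators == and !=, && and ||, and parentheses) and evaluates a rule against constructed sample requests, so that a rule can be linted before it is bound. Its assumptions are its own: * in a URL value is an fnmatch-style wildcard, comparisons are case-sensitive, and && binds more tightly than || where no parentheses are given; the guide's own advice is to group with parentheses rather than rely on precedence. GROUPED implements the prose description of the three-expression example (method is POST and the URL ends in .cgi or .gif) and therefore uses == for the .gif term; UNGROUPED joins the three expressions exactly as the procedure lists them.

```python
# Added example (not NetScaler code): parser and evaluator for the subset of the
# classic policy expression syntax shown on this page. Assumptions of this
# example, not statements about NetScaler: '*' in a URL value is an
# fnmatch-style wildcard, comparisons are case-sensitive, and '&&' binds tighter
# than '||' when no parentheses are used.
import re
from fnmatch import fnmatchcase
from typing import NamedTuple

TOKEN = re.compile(r"\(|\)|&&|\|\||==|!=|[^\s()]+")
QUALIFIERS = {"REQ.HTTP.URL": "url", "REQ.HTTP.METHOD": "method"}


class Request(NamedTuple):
    method: str
    url: str


class RuleParser:
    """Recursive descent: or_expr := and_expr ('||' and_expr)*,
    and_expr := term ('&&' term)*, term := '(' or_expr ')' | qualifier op value."""

    def __init__(self, rule: str):
        self.tokens = TOKEN.findall(rule)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        tree = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return tree

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.term()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.term())
        return node

    def term(self):
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        qualifier, op, value = self.take(), self.take(), self.take()
        if qualifier not in QUALIFIERS or op not in ("==", "!=") or value in (None, "(", ")"):
            raise ValueError(f"malformed expression near {qualifier!r}")
        return ("cmp", qualifier, op, value)


def evaluate(tree, req: Request) -> bool:
    """Evaluate a parsed rule against one request."""
    kind = tree[0]
    if kind == "or":
        return evaluate(tree[1], req) or evaluate(tree[2], req)
    if kind == "and":
        return evaluate(tree[1], req) and evaluate(tree[2], req)
    _, qualifier, op, value = tree
    actual = getattr(req, QUALIFIERS[qualifier])
    # URL values may carry '*' wildcards; methods are compared literally.
    hit = fnmatchcase(actual, value) if qualifier == "REQ.HTTP.URL" else actual == value
    return hit if op == "==" else not hit


def compile_rule(rule: str):
    """Parse once and return a predicate over Request objects."""
    tree = RuleParser(rule).parse()
    return lambda req: evaluate(tree, req)


def rule_matches(rule: str, method: str, url: str) -> bool:
    return compile_rule(rule)(Request(method, url))


def is_valid_rule(rule: str) -> bool:
    """True when the rule parses; a cheap lint before binding a policy."""
    try:
        RuleParser(rule).parse()
        return True
    except ValueError:
        return False


# The procedure's three expressions, grouped as step 9 describes so the rule
# reads "method is POST and the URL ends in .cgi or .gif".
GROUPED = "REQ.HTTP.METHOD == POST && (REQ.HTTP.URL == /*.cgi || REQ.HTTP.URL == /*.gif)"
# The same three expressions, exactly as listed, joined without parentheses.
UNGROUPED = "REQ.HTTP.METHOD == POST && REQ.HTTP.URL == /*.cgi || REQ.HTTP.URL != /*.gif"

if __name__ == "__main__":
    samples = [("POST", "/cgi-bin/form.cgi"), ("GET", "/cgi-bin/form.cgi"), ("GET", "/index.html")]
    for rule in (GROUPED, UNGROUPED):
        print(rule)
        for method, url in samples:
            print(f"  {method:4} {url:18} -> {rule_matches(rule, method, url)}")
```

The two constants make the grouping point concrete: GROUPED is true only for POST requests to .cgi or .gif URLs, whereas UNGROUPED is true for every request whose URL does not end in .gif, whatever its method, because the third expression stands on its own once the first two are combined. The same evaluator shows that the rule "REQ.HTTP.URL != /*.jpeg || REQ.HTTP.URL != /*.gif" from the transparent-mode example is true for any URL, while "REQ.HTTP.URL != /*.jpeg && REQ.HTTP.METHOD != GET" matches only non-GET requests for non-.jpeg URLs.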
Note that you can bind more than one policy to the virtual server.
Examples
bind cr vserver Vserver-CRD-1 -policyName Policy-CRD-1
bind cr vserver Vserver-CRD-1 -policyName Policy-CRD-2
Example
set cr policy Policy-CRD-1 -rule "REQ.HTTP.URL != /*.jpeg && REQ.HTTP.METHOD != GET"
Example
rm cr policy Policy-CRD-1
Index
A
AAAA records
  managing, 503
  viewing configuration, 504
AAC Login Page
  monitoring 204
AAC Login Page, monitoring 204
Access Gateway
  monitoring 203
accessdown on services
  enabling, 154
actions
  SSL 437
adding
  name servers, 528
  name server, 253
adding custom entries
  static proximity database, 586
adding location file
  static proximity database, 578
adding records
  DNS resource records, 516, 522
address records
  configuring, 504
  creating, 517
ADNS mode
  DNS ANY query behavior, 533
ADNS server
  configuring, 514
ADNS service
  creating, 515, 547
  removing, 516
  viewing configuration, 516
Application Resolution Protocol, monitoring 203
architecture
  load balancing, 26
ARP
  monitoring 203
assigning
  service weights, 126
B
backup GSLB vserver
  configuring, 619
backup persistence
  configuring, 109
backup router
  configuring, 707
backup vserver
  configuring, 312
backup vserver persistence
  configuring, 604
bandwidth-based spillover
  configuring, 135
basic configuration
  load balancing, 30
basic content switching
  configuring, 289
basic load balancing setup
  configuring, 30
basic setup
  configuring GSLB, 544
basic SSL offloading
  configuring virtual server 377
binding
  DNS policy, 631
  HTTP services 380
  LB vserver, 520
  metrics to metric tables, 216
  monitors to services, 173
  vserver to work load manager, 222
binding domain
  GSLB vserver, 552
binding GSLB service
  vserver, 552
binding policies
  vservers, 296
maintaining
  client connections, 157
managing
  client connections, 626
  client traffic, 139
  content switching policy, 304
  DNS policies, 628
  GSLB service, 560
  GSLB site, 557
  GSLB vserver, 562
  large scale deployment, 225
  LDNS, 627
  monitors, 177
  servers, 42
  service groups, 234
  services, 44
  vservers, 46
  work load manager, 223
managing and monitoring
  servers, 151
managing records
  AAAA, 503
  CNAME, 507
  NS, 506
managing servers
  name, 530
maximum bandwidth usage
  setting, 168
maximum entries
  session, 702
maximum number of client connections
  setting, 164
maximum number of requests
  setting, 165
measuring
  application performance 367
MEP
  disabling, 559
  enabling, 559
merging
  DNS and GSLB policies, 627
metric table
  creating, 215
  unbinding, 217
metric tables
  removing, 216
  viewing properties, 217
metrics
  binding to metric tables, 216
  configuring, 214
modifying
  content switching policies, 304
  GSLB configuration, 557
  GSLB policy, 632
  GSLB service, 560
  GSLB site, 558
  LB configuration, 42
  monitors, 174
  service groups, 232
  work load manager, 222
modifying records
  MX, 506
  SOA, 513
  SRV, 503
monitor
  enabling and disabling, 177
  managing, 177
  modifying, 174
  removing, 178
monitoring
  AAC Login Page 204
  Access gateway servers 203
  ARP requests 203
  Citrix Presentation Server component, 202
  DNS servers, 249
  GSLB services, 610
  routers, 701
  services, 170
monitoring services
  DNS, 191
  FTP, 184, 246
  LDAP, 192
  MySQL, 193
  NNTP, 194
  POP3, 195
  RADIUS, 190
  SIP, 184
  SMTP, 196
  SNMP, 194
  SSL, 182
monitors
  binding to a service group, 231
  binding to services, 173
  configuring, 170
  creating, 171
  customizing, 205
  unbinding from service, 178
  viewing, 179
multiple IP addresses GSLB
  configuring, 619
MX records
  configuring, 505
  modifying, 506
  viewing configuration, 506
MySQL service
  monitoring, 193
N
name server
  adding, 253
name servers
  adding, 528
  disabling, 531
  enabling, 531
  managing, 530
  removing, 530
  viewing configuration, 530
NNTP service
  monitoring, 194
NS records
  creating, 517
  managing, 506
  viewing configuration, 507
number of services
  configuring dynamic weights, 607
O
one-arm mode
  configuring, 276
P
persistence
  configuring, 99
persistence groups
  configuring, 110
persistent connections
  configuring, 595
policy
  GSLB removing, 632
POP3 service
  monitoring, 195
ports and protocols
  rewriting, 318
precedence of evaluation
  setting, 308
priority queuing
  configuring, 142
protecting
  Citrix NetScaler against failure, 310
  GSLB, 618
  load balancing configuration, 128
  traffic surge, 152
protocols
  load balancing, 243
proxy mode
  DNS ANY query behavior, 533
PTR records
  configuring, 508
  viewing configuration, 509
R
RADIUS load balancing with persistence. See RADIUS + persistence.
RADIUS service
  monitoring, 190
RADIUS + persistence
  about 113–114
  binding vservers examples 120
  binding vservers to services 120–121
  configuration overview 114
  configuring lb persistence groups 122–123
  configuring lb persistence groups examples 122
  configuring services 118–119
  configuring services examples 119
  configuring vservers 115–123
  configuring vservers examples 116
  content switching virtual servers 115
  either lb vserver or cs vserver, but not both 115
  enabling feature 114–115
  load balancing virtual servers 115
  virtual servers 115
range of vservers and services
  creating, 225
recursive resolution
  enabling, 526
  viewing configuration, 527
recursive resolution retries
  setting, 526
recursive resolution settings
  removing, 527
redirecting
  client requests, 128, 348
  HTTP requests to cache, 141
  requests to cache, 169
redirecting requests
  cache, 316
redirection mode
  configuring, 125
  load balancing DSR mode, 262, 283
removing
  content switching policies, 307
  content switching vservers, 302
  GSLB policies, 632
  GSLB service, 562
  GSLB site, 560
  GSLB vserver, 564
  metric tables, 216
  monitors, 178
  name servers, 530
  server, 43
  service groups, 234
  service, 44
  vserver, 46
  work load manager, 223
removing DNS
  views, 634
removing DNS server
  load balancing, 523
removing service
  ADNS, 516
removing settings
  recursive resolution, 527
response time
  calculating, 70
rewriting
  ports and protocols, 318
rewriting ports and protocols
  HTTP redirection, 146
RNAT
  configuring, 255
RNAT with link load balancing
  implementing, 703
round robin method
  configuring, 63
routers
  monitoring, 701
routing
  load balancing policy, 702
routing persistence
  destination IP, 702
RTT tolerance factor
  configuring, 593
rule based persistence
  configuring, 104
S
sample scenario
  configuring GSLB mesh, 668
  configuring static proximity, 661
server
  creating, 36
  enabling and disabling, 43
  managing, 42
  removing, 43
server IDs
  setting, 160
server parameters
  usage, 36
Server-IDs based persistence
  configuring, 106
servers
  managing and monitoring 151
service
  binding to vservers, 38
  creating, 32
  enabling and disabling, 45
  managing, 44
  removing, 44
  unbinding from a vserver, 46
  viewing bindings, 42
  viewing properties, 41
  viewing statistics, 41
service group
  binding an IP address, 230
  binding to a vserver, 229
  configuring, 228
  creating, 228
  enabling and disabling, 237
  managing, 234
  modifying, 232
  removing, 234
  unbinding a member, 235
  unbinding from a vserver, 235
  unbinding monitors, 236
  viewing properties, 238
  viewing statistics, 238
service parameters
  usage, 33, 271
service weight
  configuring, 126
Services 271
session
  entry time-out, 702
  maximum entries, 702