Domain Controller (LDAPS) Load Balancing – NetScaler 12

Last Modified: Dec 25, 2017 @ 2:44 pm

Navigation

ūüí° = Recently Updated

Changelog

  • 2017 Dec 25 – updated entire article for 12.0 build 56. Monitor section has new build 56 instructions.

Overview

If you plan to use LDAP (Active Directory) for NetScaler Gateway, or NetScaler management authentication, then load balance the Domain Controllers that are used for authentication. A single LDAP Policy/Server points to the load balanced VIP.

Premature lockout – An alternative to load balancing is to bind multiple LDAP Policies, with each Policy pointing to a single Domain Controller in the same domain. However, NetScaler will try each authentication policy until it finds one that works. If the user enters a wrong password, and if you have three authentication policies pointing to different Domain Controllers in the same domain, then three different failure attempts will be recorded, thus causing premature account lockout. Use Load Balancing to avoid this behavior.

LDAPS and certificates РThis page details LDAPS, aka Secure LDAP. This protocol requires certificates to be installed on the Domain Controllers. When a user’s password expires, Active Directory does not allow password changes over clear text LDAP, so LDAPS must be used instead. Make sure you have certificates installed on your Domain Controllers. The easiest way to accomplish that is to deploy a Microsoft Certificate Authority in Enterprise Mode, which allows the Domain Controllers to request certificates automatically.

Monitor -An ldaps monitor can be used to verify that the Domain Controller is functional.

  • The ldaps monitor will login as an account, perform an LDAP query, and look for a successful response. The ldaps monitor uses a service account to login. Make sure the service account‚Äôs password does not expire. Domain User permissions are sufficient.
  • Since this monitor is a Perl script, it uses NSIP as the source IP. You can use RNAT to override this as described in¬†CTX217712¬†How to Force scriptable monitor to use SNIP in Netscaler in 10.5.

Multiple datacenters РIf you have Domain Controllers in multiple datacenters, you can create multiple load balancing Virtual Servers, and cascade them so that the local Domain Controllers are used first, and if they’re not available, then the Virtual Server fails over to Domain Controllers in remote datacenters.

Load Balancing Protocol – The Load Balancing Virtual Server for LDAPS can be TCP protocol or SSL_TCP protocol:

  • TCP – If the protocol is TCP, then SSL-encrypted LDAP traffic is not terminated on the NetScaler, and is simply forwarded to the LDAP servers. If your LDAP client (e.g. Linux machine) needs to verify the LDAP server certificate, then this Load Balancing configuration will not work, since each back-end LDAP server will have a different certificate.
  • SSL_TCP – If your Load Balancing Virtual Server is protocol SSL_TCP, then a certificate must be installed on the NetScaler and bound to the Load Balancing Virtual Server. SSL is terminated at the NetScaler and re-encrypted before sending it to the destination Domain Controller. The primary benefit of NetScaler SSL termination is that your LDAP clients can verify the Virtual Server SSL certificate.

Source IP – When NetScaler uses a local (same appliance) load balanced Virtual Server for LDAPS authentication, the traffic is sourced from the NetScaler SNIP (Subnet IP). When NetScaler uses a direct connection to a Domain Controller without going through a local Load Balancing Virtual Server, or if NetScaler uses a remote (different appliance) Load Balancing VIP, then the traffic is sourced from the NetScaler NSIP (NetScaler IP). Adjust firewall rules accordingly.

LDAPS Monitor

Note: Perl (scriptable) monitor uses NSIP as the source IP. You can use RNAT to override this as described in CTX217712 How to Force scriptable monitor to use SNIP in Netscaler in 10.5.

12.0 build 56 and newer

Instructions for creating the monitor changed in 12.0 build 56 and newer. If your build is older, skip to the older instructions.

  1. In the NetScaler Configuration Utility, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name the monitor ldaps-Corp or similar. The ldaps monitor logs into Active Directory, performs an LDAP query, and looks for a successful response. The monitor configuration has domain-specific information, so if you have multiple Active Directory domains, then you will need a separate ldaps monitor for each domain. Include the domain name in the monitor name.
  4. In the Type field, click where it says Click to select.
  5. Scroll down and click the circle next to LDAP.
  6. At the top of the window, click the blue Select button.
  7. Scroll down the Basic  Parameters section, and check the box next to Secure. This checkbox instructs the monitor to connect to the Domain Controllers using LDAPS instead of LDAP.
  8. Scroll back up, and configure the following:
    • In the Base DN field, enter your domain name in LDAP format (e.g. dc=company,dc=com).
    • In the Bind DN field, enter the UPN login (e.g. ctxsvc@company.com) of a service account in the domain that can browse all objects. Any normal Domain User should be sufficient. Just make sure the password doesn‚Äôt expire.
    • In the Filter field, enter cn=builtin. This limits the search results so it’s not returning the entire domain.
    • In the Password field (higher in the list), enter the password for the service account. Make sure there is no semicolon in the password or the Perl script will be unable to parse the parameters.
  9. Scroll down and click Create.

    add lb monitor LDAP-Corp LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password Passw0rd -secure YES -baseDN "dc=corp,dc=local" -bindDN "corp\\ctxsvc" -filter cn=builtin
  10. If you have multiple domains, then create additional monitors: one for each domain.
  11. Jump to the Servers section.

12.0 older than build 56

  1. In the NetScaler Configuration Utility, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name the monitor ldaps-Corp or similar. The ldaps monitor logs into Active Directory, performs an LDAP query, and looks for a successful response. The monitor configuration has domain-specific information, so if you have multiple Active Directory domains, then you will need a separate ldaps monitor for each domain. Include the domain name in the monitor name.
  4. Change the Type drop-down to LDAP.
  5. Scroll down the Standard Parameters tab, and check the box next to Secure. This checkbox instructs the monitor to connect to the Domain Controllers using LDAPS instead of LDAP.
  6. Scroll back up, and switch to the Special Parameters tab.
  7. Configure the following on the Special Parameters tab:
    • Use the Script Name drop-down list to select the nsldap.pl file.
    • In the Base DN field, enter your domain name in LDAP format (e.g. dc=company,dc=com).
    • In the Bind DN field, enter the UPN login (e.g. ctxsvc@company.com) of a service account in the domain that can browse all objects. Any normal Domain User should be sufficient. Just make sure the password doesn‚Äôt expire.
    • In the Filter field, enter cn=builtin. This limits the search results so it’s not returning the entire domain.
    • In the Password field, enter the password for the service account. Make sure there is no semicolon in the password or the script will be unable to parse the parameters.
  8. Click Create.

    add lb monitor LDAP-Corp LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password Passw0rd -secure YES -baseDN "dc=corp,dc=local" -bindDN "corp\\ctxsvc" -filter cn=builtin
  9. If you have multiple domains, then create additional monitors: one for each domain.

Servers

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter the following in the Create Server section.
    • In the Name field, enter a descriptive server name. Usually it matches the actual server name.
    • In the IPAddress field, enter the IP address of the server. Note: you can alternatively change the selection to¬†Domain Name and enter a FQDN. This requires the NetScaler the be able to resolve the FQDN.
    • Enter comments to describe the server.
  4. Click Create.

    add server AD01 10.2.2.11
    add server AD01 10.2.2.12
  5. Continue adding Domain Controllers. You usually want at least two per domain.

Service Groups

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
  2. On the right, click Add
    .
  3. In the Basic Settings section, do the following:
    • In the Name field:¬†You will create one Service Group per datacenter. Enter a name reflecting the name of the data center. Also, you will create a set of service groups per Active Directory domain, so include the domain name.
    • Change the Protocol drop-down¬†to SSL_TCP.
  4. Scroll down, and click OK to close the Basic Settings section.

  5. On the left, in the Service Group Members section, click where it says No Service Group Member.

    1. If you did not create server objects, then leave the selection set to IP Based, and enter the IP address of a Domain Controller in this datacenter.
    2. If you previously created server objects, then change the selection to Server Based, and select the server objects.
    3. In the Port field, enter 636 (LDAPS). This assumes the Domain Controllers have certificates installed.
    4. Click Create.
  6. Click OK to close the Service Group Members section.
  7. On the right, in the Advanced Settings column, click Monitors.
  8. On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.

    1. In the Select Monitor field, click where it says Click to select.
    2. Click the circle next to the LDAPS monitor you created earlier. The monitor might be on Page 2.
      1. The circle must be clicked exactly (no room for error). If you click outside the circle, then the monitor will open for editing. If this happens, click Close to return to the selection screen.
    3. At the top of the window, click the blue Select button.
    4. Click Bind.
  9. To verify the members are up, click in the Service Group Members section.

    1. Right-click a member, and click Monitor Details.
    2. The Last Response field¬†should say Success – Probe succeeded.¬†Click Close. It’s too bad you can’t edit the monitor from here.

      • If the monitor doesn’t work, use¬†ldp.exe to verify the Domain Controller certificate.
  10. Click Close and Done to finish creating the Service Group.

    add serviceGroup svcgrp-LDAP-Corp SSL_TCP
    bind serviceGroup svcgrp-LDAP-Corp AD01 636
    bind serviceGroup svcgrp-LDAP-Corp AD02 636
    bind serviceGroup svcgrp-LDAP-Corp -monitorName LDAP-Corp
  11. Add additional service groups for Domain Controllers for each domain in each data center.

Load Balancing Virtual Server

  1. Create or import a certificate that matches the FQDN that resolves to the new Load Balancing VIP for LDAPS.
  2. On the left, expand Traffic Management, expand Load Balancing, and click Virtual Servers.
  3. On the right, click Add.
  4. In the Basic Settings section, do the following:
    • Name it LDAPS-Corp-HQ-LB or similar. You will create one Virtual Server per datacenter, so include the datacenter name. Also, each domain has a separate set of Virtual Servers, so include the domain name.
    • Change the Protocol¬†drop-down to SSL_TCP.
    • Enter a Virtual IP. This VIP cannot conflict with any other IP + Port already being used. You can use an existing VIP that is not already listening on TCP 636.
    • Enter 636 as the Port.
  5. Click OK to close the Basic Settings section.
  6. On the left, in the Service Group section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.

    1. Click where it says Click to select.
    2. Click the circle next to a previously created Service Group. It might be on page 2.
      1. The circle must be clicked exactly (no room for error). If you click outside the circle, then the Service Group will open for editing. If this happens, click the x on the top right, or the Done button on the bottom, to return to the selection screen.
    3. At top of the screen, click the blue Select button.
    4. Click Bind.
  7. Click Continue to close the Services and Service Groups section.
  8. On the left, in the Certificates section, click where it says No Server Certificate.

    1. Click where it says Click to select.
    2. Click the circle next to a certificate that matches the FQDN that resolves to this VIP. It might be on page 2.
    3. At the top of the window, click the blue Select button.
    4. Click Bind.
  9. Click Continue to close the Certificates section.

    add lb vserver lbvip-LDAP-Corp SSL_TCP 10.2.2.210 636 -persistenceType NONE -cltTimeout 9000
    
    bind lb vserver lbvip-LDAP-Corp svcgrp-LDAP-Corp
  10. There’s no need to configure Persistence for LDAP.
  11. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, and bind an A+ Cipher Group.
  12. Click Done to finish creating the Virtual Server.
  13. The new Virtual Server should show as UP.

Backup Virtual Server

You can optionally configure this Load Balancing Virtual Server to failover to a different Load Balancing Virtual Server. This allows you to load balance Domain Controllers in this datacenter, and if down, failover to the other datacenter.

  1. Create additional Load Balancing Virtual Servers for each datacenter.
    • These additional Virtual Servers do not need a VIP, so change the IP Address Type to Non Addressable. Only the first Virtual Server will be directly accessible.

      add lb vserver lbvip-LDAP-Corp-Backup SSL_TCP 0.0.0.0 0
    • Notice that the additional datacenter Virtual Servers show up with an IP Address of 0.0.0.0 and port of 0.
  2. After you are done creating a Virtual Server for each datacenter, right-click the primary datacenter’s Virtual Server, and click Edit.
  3. On the right, in the Advanced Settings column, click Protection.
  4. On the left, in the Protection section, change the Backup Virtual Server to one of the other datacenter Virtual Servers. If all of the services in this datacenter are DOWN, the backup Virtual Server will be used instead. You can cascade multiple Virtual Servers using this method. Click OK and Done.

    set lb vserver lbvip-LDAP-Corp -backupVServer lbvip-LDAP-Corp-Backup

CLI Commands

Here is a list of CLI Commands for Domain Controller Load Balancing.

# SSL Global Parameters
# ---------------------
set ssl parameter -denySSLReneg NONSECURE
set ssl profile ns_default_ssl_profile_backend -sessReuse DISABLED

# Certs
# -----
add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt "Passw0rd"

# SSL Profiles
# ------------
set ssl profile ns_default_ssl_profile_backend -sessReuse DISABLED


# Load Balancing Global Parameters
# --------------------------------
enable ns mode FR L3 Edge USNIP PMTUD ULFD
set lb parameter -sessionsThreshold 150000
set ns param -cookieversion 1 -timezone "GMT-06:00-CST-America/Chicago"
set dns parameter -dns64Timeout 1000
set ns tcpParam -WS ENABLED -SACK ENABLED
set ns httpParam -dropInvalReqs ON
set ns tcpbufParam -memLimit 390

# Monitors
# --------
add lb monitor ldaps-Corp LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password Passw0rd -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -secure YES -baseDN "dc=corp,dc=local" -bindDN admin@corp.local -filter cn=builtin


# Servers
# -------
add server AD01 10.2.2.11

add server AD03 10.2.2.115


# Service Groups
# --------------
add serviceGroup svcgrp-LDAPS-Corp-HQ SSL_TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
bind serviceGroup svcgrp-LDAPS-Corp-HQ AD01 636
bind serviceGroup svcgrp-LDAPS-Corp-HQ AD03 636
bind serviceGroup svcgrp-LDAPS-Corp-HQ -monitorName ldaps-Corp
set ssl serviceGroup svcgrp-LDAPS-Corp-HQ -sslProfile ns_default_ssl_profile_backend


# Load Balancing Virtual Servers
# ------------------------------
add lb vserver LDAPS-Corp-DR-LB SSL_TCP 0.0.0.0 0 -persistenceType NONE -cltTimeout 9000
bind lb vserver LDAPS-Corp-DR-LB svcgrp-LDAPS-Corp-HQ

add lb vserver LDAPS-Corp-HQ-LB SSL_TCP 10.2.5.220 636 -persistenceType NONE -cltTimeout 9000 -backupVServer LDAPS-Corp-DR-LB
bind lb vserver LDAPS-Corp-HQ-LB svcgrp-LDAPS-Corp-HQ


# SSL Virtual Servers
# -------------------
set ssl vserver LDAPS-Corp-DR-LB -sslProfile ns_default_ssl_profile_frontend
bind ssl vserver LDAPS-Corp-DR-LB -certkeyName WildcardCorpCom
bind ssl vserver LDAPS-Corp-DR-LB -eccCurveName P_256
bind ssl vserver LDAPS-Corp-DR-LB -eccCurveName P_384
bind ssl vserver LDAPS-Corp-DR-LB -eccCurveName P_224
bind ssl vserver LDAPS-Corp-DR-LB -eccCurveName P_521

set ssl vserver LDAPS-Corp-HQ-LB -sslProfile ns_default_ssl_profile_frontend
bind ssl vserver LDAPS-Corp-HQ-LB -certkeyName WildcardCorpCom
bind ssl vserver LDAPS-Corp-HQ-LB -eccCurveName P_256
bind ssl vserver LDAPS-Corp-HQ-LB -eccCurveName P_384
bind ssl vserver LDAPS-Corp-HQ-LB -eccCurveName P_224
bind ssl vserver LDAPS-Corp-HQ-LB -eccCurveName P_521

Next Steps

You may now use this Virtual IP in your NetScaler Gateway LDAP authentication policies, or NetScaler management login.

2 thoughts on “Domain Controller (LDAPS) Load Balancing – NetScaler 12”

  1. Hi Carl, when configuring the certificate to use with SSL_TCP what does the common name need to be? I notice you use a wildcard for the domain but if that’s not possible is it the NetScaler or the DC’s that the common name should refer to?

    1. It should match whatever DNS name resolves to the VIP. The LDAP client initiates a SSL connection to the VIP, not the Domain Controller.

Leave a Reply