StoreFront Load Balancing – NetScaler 11.1

Last Modified: Oct 18, 2016 @ 12:43 pm


Monitor

Note: This is a Perl monitor, which uses the NSIP as the source IP. You can use RNAT to override this as described in CTX217712 How to Force scriptable monitor to use SNIP in Netscaler in 10.5.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it StoreFront or similar.
  4. Change the Type drop-down to STOREFRONT.
  5. If you will use SSL to communicate with the StoreFront servers, then scroll down, and check the box next to Secure.
  6. Scroll up, and switch to the Special Parameters tab.
  7. In the Store Name field, enter the name of your store (e.g. MyStore) without spaces.
  8. Click Create.

    add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store

Servers

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name, usually it matches the actual server name.
  4. Enter the IP address of the server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding StoreFront servers.

    add server SF01 10.2.2.57
    add server SF02 10.2.2.58

Service Group

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
  2. On the right, click Add.
  3. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SSL).
  4. Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure that the StoreFront Monitor has Secure checked.
  5. Scroll down and click OK.
  6. Click where it says No Service Group Member.
  7. If you did not create server objects then enter the IP address of a StoreFront Server. If you previously created a server object then change the selection to Server Based and select the server objects.
  8. Enter 80 or 443 as the port. Then click Create.
  9. Click OK.
  10. On the right, under Advanced Settings , click Monitors.
  11. Click where it says No Service Group to Monitor Binding.
  12. Click the arrow next to Click to select.
  13. Select your StoreFront monitor and click Select.
  14. Then click Bind.
  15. To verify that the monitor is working, on the left, in the Service Group Members section, click the Service Group Members line.
  16. Click the ellipsis next to a member and click Monitor Details.
  17. The Last Response should be Success – Probe succeeded. Click Close twice.
  18. On the right, under Advanced Settings, click Settings.
  19. On the left, in the Settings section, check the box for Client IP and enter X-Forwarded-For as the Header. Then click OK.
  20. Then click Done.

    add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For
    
    bind serviceGroup svcgrp-StoreFront-SSL SF01 443
    bind serviceGroup svcgrp-StoreFront-SSL SF02 443
    bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront
  21. If the Service Group is HTTP and you don’t have certificates installed on your StoreFront servers (aka SSL Offload), then you’ll need to enable loopback in StoreFront.
    1. In StoreFront 3.5 and newer, you enable it in the GUI console.
    2. In StoreFront 3.0, run the following commands on the StoreFront 3.0 servers as detailed at Citrix Blog Post What’s New in StoreFront 3.0.
      & "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
      
      Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp

Load Balancing Virtual Server

  1. Create or install a certificate that will be used by the SSL Offload Virtual Server. This certificate must match the DNS name for the load balanced StoreFront servers. For email discovery in Citrix Receiver, the certificate must either be a wildcard (*.corp.local) or have a subject alternative name for discoverReceiver.domain.com (domain.com = email address suffix).
  2. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  3. On the right, click Add.
  4. Name it lbvip-StoreFront-SSL or similar.
  5. Change the Protocol to SSL.
  6. Specify a new internal VIP.
  7. Enter 443 as the Port.
  8. Click OK.

    add lb vserver lbvip-StoreFront-SSL SSL 10.2.2.221 443 -persistenceType SOURCEIP -timeout 60
  9. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
  10. Click the arrow next to Click to select.
  11. Select your StoreFront Service Group and click Select.
  12. Click Bind.

    bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront-SSL
  13. Click Continue.
  14. Click where it says No Server Certificate.
  15. Click the arrow next to Click to select.
  16. Select the certificate for this StoreFront Load Balancing Virtual Server and click Select.
  17. Click Bind.

    bind ssl vserver lbvip-StoreFront-SSL -certkeyName WildCorpCom
  18. Click Continue.
  19. On the right, in the Advanced Settings column, click Persistence.
  20. On the left, in the Persistence section, select SOURCEIP. Do NOT use COOKIEINSERT persistence or Android devices will not function correctly.
  21. Set the timeout to match the timeout of Receiver for Web.
  22. The IPv4 Netmask should default to 32 bits.
  23. Click OK.
  24. If the NetScaler communicates with the StoreFront servers using HTTP (aka SSL Offload – 443 on client-side, 80 on server-side), and if you have enabled the Default SSL Profile, then you’ll either need to edit the Default SSL Profile to include the SSL Redirect option, or create a new custom SSL Profile with the SSL Redirect option enabled, and then bind the custom SSL Profile to this vServer.
  25. If the default SSL Profile is not enabled, then you’ll need to edit the SSL Parameters section on the vServer, and at the top right, check the box next to SSL Redirect. Otherwise the Receiver for Web page will never display.
    set ssl vserver lbvip-StoreFront-SSL -sslRedirect ENABLED -ssl3 DISABLED
  26. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.
    bind ssl vserver lbvip-StoreFront-SSL -certkeyName MyCert
    
    set ssl vserver lbvip-StoreFront-SSL -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
    
    unbind ssl vserver lbvip-StoreFront-SSL -cipherName ALL
    
    bind ssl vserver lbvip-StoreFront-SSL -cipherName Modern
    
    bind ssl vserver lbvip-StoreFront-SSL -eccCurveName ALL
    
    bind lb vserver lbvip-StoreFront-SSL -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

When connecting to StoreFront through load balancing, if you want to put the server name on the StoreFront webpage so you can identify the server, see Nicolas Ignoto Display server name with Citrix StoreFront 3.
Server name is displayed

SSL Redirect – SSL Load Balancing vServer Method

Users must enter https:// when navigating to the StoreFront website. To make it easier for the users, enable SSL Redirection.

This procedure details the SSL Load Balancing vServer method of performing an SSL redirect. An alternative is to use the Responder method.

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  2. On the right, find the SSL Virtual Server you’ve already created, click the ellipsis next to it and click Edit.
  3. In the Basic Settings section, click the pencil icon.
  4. Click the More link.
  5. In the Redirect from Port field, enter 80.
  6. In the HTTPS Redirect URL field, enter your StoreFront Load Balancing URL (e.g. https://storefront.corp.com).
  7. Scroll down and click Continue twice.

    set lb vserver lbvip-StoreFront-SSL -redirectFromPort 80 -httpsRedirectUrl https://storefront.corp.com
  8. This method does not add any new vServers to the list so it’s not easy to see if this is configured.

StoreFront Base URL

  1. Create a DNS Host record that resolves to the new VIP.
  2. The DNS name for StoreFront load balancing must be different from the DNS name for NetScaler Gateway, unless you are following the Single FQDN procedure.
  3. In the Citrix StoreFront console, right-click Server Group and click Change Base URL.
  4. Enter the new Base URL in https://storefront.corp.com format. This must match the certificate that is installed on the load balancer. Click OK.

Subscription Replication Load Balancing

If you have multiple StoreFront clusters (separate datacenters), you might want to replicate subscriptions between them. StoreFront subscription replication uses TCP port 808. To provide High Availability for this service, load balance TCP port 808 on the StoreFront servers. See Configure subscription synchronization at Citrix Docs for more information.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
  2. On the right, click Add.
  3. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SubRepl).
  4. Change the Protocol to TCP.
  5. Scroll down and click OK.
  6. Click where it says No Service Group Member.
  7. Change the selection to Server Based and select the StoreFront servers.
  8. Enter 808 as the port. Then click Create.
  9. Click OK.
  10. On the right, under Advanced Settings, click Monitors.
  11. On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.
  12. Click the arrow next to Click to select.
  13. Select the tcp monitor and click Select.
  14. Then click Bind and click Done.

    add serviceGroup svcgrp-StoreFront-FavRepl TCP
    bind serviceGroup svcgrp-StoreFront-FavRepl SF01 808
    bind serviceGroup svcgrp-StoreFront-FavRepl SF02 808
  15. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  16. On the right, click the ellipsis next to the existing StoreFront Load Balancing vServer, and click Add.
  17. Name it lbvip-StoreFront-SubRepl or similar.
  18. Change the Protocol to TCP.
  19. Specify the same VIP that you used for SSL Load Balancing of StoreFront.
  20. Enter 808 as the Port.
  21. Click OK.
  22. Click where it says No Load Balancing Virtual Server ServiceGroup Binding.
  23. Click the arrow next to Click to select.
  24. Select your StoreFront Subscription Replication Service Group and click Select.
  25. Click Bind.
  26. Click Continue.
  27. Then click Done.

    add lb vserver lbvip-StoreFront-FavRepl TCP 10.2.2.201 808 -persistenceType NONE
    
    bind lb vserver lbvip-StoreFront-FavRepl svcgrp-StoreFront-FavRepl
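The rules this procedure states (an SSL service group needs the StoreFront monitor with Secure checked, an SSL vServer in front of an HTTP service group needs SSL Redirect, never COOKIEINSERT persistence, and every service group bound to a vServer must actually exist) are easy to get wrong when the CLI lines are typed by hand. The following Python script is an added example, not part of this post and not a Citrix tool: it parses a fragment of NetScaler CLI in the syntax shown above and reports violations. It assumes positional arguments come before the -flag options, as in the commands on this page; the sample configuration, including the deliberately mistyped group name in its last binding, is constructed.

```python
import shlex

def _split(line):
    # Positional tokens (name, protocol, IP, port) vs. "-flag value" pairs; a flag without a value is a switch.
    tok = shlex.split(line)
    pos = [t for i, t in enumerate(tok) if not t.startswith("-") and (i == 0 or not tok[i - 1].startswith("-"))]
    flags = {t[1:]: (tok[i + 1] if i + 1 < len(tok) and not tok[i + 1].startswith("-") else True)
             for i, t in enumerate(tok) if t.startswith("-")}
    return pos, flags

def parse(cfg):
    m = {"mon": {}, "sg": {}, "sgmon": {}, "vs": {}, "vsbind": {}, "ssl": {}}  # monitors, groups, bindings, vservers
    for line in cfg.splitlines():
        pos, fl = _split(line)
        if len(pos) < 3: continue
        head = " ".join(pos[:2] if pos[1] == "serviceGroup" else pos[:3])
        if head == "add lb monitor" and len(pos) > 4: m["mon"][pos[3]] = {"type": pos[4], **fl}
        elif head == "add serviceGroup" and len(pos) > 3: m["sg"][pos[2]] = {"proto": pos[3], **fl}
        elif head == "bind serviceGroup" and "monitorName" in fl:
            m["sgmon"].setdefault(pos[2], []).append(fl["monitorName"])
        elif head == "add lb vserver" and len(pos) > 4: m["vs"][pos[3]] = {"proto": pos[4], **fl}
        elif head == "bind lb vserver" and len(pos) > 4:
            m["vsbind"].setdefault(pos[3], []).append(pos[4])
        elif head == "set ssl vserver" and len(pos) > 3: m["ssl"].setdefault(pos[3], {}).update(fl)
    return m

def lint(cfg):
    # Returns findings; an empty list means the fragment satisfies the rules stated in the procedure above.
    m, out = parse(cfg), []
    for vs, groups in m["vsbind"].items():
        for sg in groups:
            if sg not in m["sg"]:
                out.append(f"{vs}: bound service group {sg} does not exist"); continue
            if (m["vs"].get(vs, {}).get("proto") == "SSL" and m["sg"][sg]["proto"] == "HTTP"
                    and m["ssl"].get(vs, {}).get("sslRedirect") != "ENABLED"):
                out.append(f"{vs}: SSL offload to HTTP group {sg} requires -sslRedirect ENABLED")
    for vs, a in m["vs"].items():
        if a.get("persistenceType") == "COOKIEINSERT":
            out.append(f"{vs}: COOKIEINSERT persistence breaks Android devices; use SOURCEIP")
    for sg, a in m["sg"].items():
        if a["proto"] in ("HTTP", "SSL"):  # TCP groups (port 808) use the plain tcp monitor instead
            for mon in (m["mon"].get(x, {}) for x in m["sgmon"].get(sg, [])):
                if mon.get("type") == "STOREFRONT" and (mon.get("secure") == "YES") != (a["proto"] == "SSL"):
                    out.append(f"{sg}: monitor Secure={mon.get('secure', 'NO')} does not match protocol {a['proto']}")
    return out

# Constructed sample built from the commands above, with the group name deliberately mistyped in the last binding.
SAMPLE = """\
add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store
add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For
bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront
add lb vserver lbvip-StoreFront-SSL SSL 10.2.2.221 443 -persistenceType SOURCEIP -timeout 60
bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront-SSL
bind lb vserver lbvip-StoreFront-FavRepl svcgrp-SF-FavRepl
"""
```

Running `lint(SAMPLE)` reports only the missing service group; feed it the output of `show ns runningConfig` filtered to the StoreFront objects to check a real deployment.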


21 thoughts on “StoreFront Load Balancing – NetScaler 11.1”

  1. I am following these steps to configure LB for StoreFront. Since I am totally new to NetScaler, I need to cross check if my actions are correct.

    As to configuring the SSL certificate for “Virtual Server”, the same certificate as the StoreFront was used, meaning exported from StoreFront and imported into NetScaler. The certificate contains all required DNS names for the load balanced StoreFront servers.

    Is this procedure appropriate?

    Thanks

  2. Hi Carl, do you believe that we will have issues if we leave the sourceip timeout at the default value of 2 min? If so, what kind of issues could they be?

    Regards
    Chris

      1. If I leave the persistence timeout at 2 minutes and the web session is 20+ minutes, I can reproduce the following scenario, which seems to be abnormal, and I would like your opinion on the case below.

        Access Gateway + NS Loadbalance -> group of 2 storefront

        1) A user logged on through Access Gateway and the LB redirects the connection to Storefront1. A new session is created on Storefront1 and the client receives a csrftoken=1xxxxxx.

        2) After 3 mins the user tries to open an application and the LB redirects the connection to Storefront2. The user gets the message “your session has expired …please press ok” and the user clicks the OK button. So a new session is created on Storefront2 and the client receives a new csrftoken=2XXXXX.

        3) After 3 mins the user tries to open another application, the LB redirects back to Storefront1 and the user gets the error “Cannot complete your request”. At the HTTP level the response from storefront1 is “403 Forbidden. Access Denied.” and I realized that the client has sent csrftoken=2XXXXX, which is not the same as the session on Storefront1. (See csrftoken in step 1.)
        Thanks

  3. Hi Carl,

    I noticed you have persistence set to SOURCEIP. If most users are accessing Storefront through Gateway, wouldn’t the persistence just see the SNIP for the gateway Netscalers as the source ip and send all traffic through a single Storefront server?

    1. There are issues with Cookie Insert in Android devices. You’re welcome to try Cookie and make sure your Android devices still work.

  4. I am using 443 in front and 80 to connect to StoreFront. I have enabled SSL redirect in the StoreFront vServer. After logging on to the NetScaler vServer, an error CTX134123 occurs while launching the XenDesktop. Any suggestion on that?

    1. Are you intentionally trying to use HTML5 Receiver? If not, in Chrome, click your name on the top right and click Change Receiver. Then click the big blue button to detect Receiver on your machine.

  5. Hi Carl,

    I’ve set up StoreFront Load Balancing and when loading the site, it continually loads. It does not ever seem to give an error, it just spins. Each StoreFront server is accessible fine through the server FQDN, however not when accessing through the LB VIP.

    The LB VIP is in a DMZ segment, however all traffic is open and I am not seeing any traffic blocked on the firewall when hitting the site from our internal LAN.

    Any thoughts?

    XD7.11 new install with new NetScaler VPX 11.1

    Thanks,

    Pete

    1. Are you doing 443 on the front end and 80 on the back end? If so, edit the SSL vServer, go to SSL Parameters, and check the box next to SSL Redirect.

      1. Hi Carl, 443 on front and back with the same cert on NetScaler and SF server. Hitting https://SF-FQDN/Citrix/StoreWeb works fine on both SF servers. Service group on 443 with StoreFront monitor is up. It must be something to do with the cert on the NetScaler … I’ll post what I find.

        Great site … very informative

        pete

  6. Hi Carl,

    I have NetScaler VPX 10.5 build 57.7 and I have done the load balancing for SF 2.5 using the StoreFront monitor. I upgraded my StoreFront from 2.5 to 3.8 and immediately my service group went down. When I checked, I found that the monitor is not working; I changed the monitor to ping and the service group came up. I tried to recreate the monitor and service group for 3.8, but still no luck. Could you please help.

    Thank you!!

    Regards,
    Nivesh Pankaj

  7. Any way to get pass-through authentication for StoreFront via the NetScaler load balancer?
    I have set up StoreFront 3.6 servers with an HTTP store and NetScaler 11.1 (no gateway), just a basic HTTP load balancer. Is there a way to get Domain pass-through authentication working?
    Domain pass-through works fine when connected to the StoreFront servers individually; however, when connected via the LB, it fails to perform pass-through.

    Regards,
    Kedar

  8. We used the instructions from this great post to load balance across two StoreFront servers.
    We also included the ACL and RNAT statements to overcome the Perl monitor script limitation of using the NSIP instead of a SNIP. Everything works as expected, but I was curious if it would fail when removing the ACL and RNAT statements. It kept working, which should not be the case if the NSIP is used as the source IP by the Perl monitor script.
    In our setup, the Netscaler VPX (NS11.1: Build 48.10.nc) has three logical interfaces:
    0/1: Management, VLAN1, contains the NSIP and a management SNIP
    1/1: Frontend: VLAN X, contains the client facing VIPs and a SNIP
    1/2: Backend: VLAN Y, the StoreFront servers are also in this subnet (no L3 in between). A SNIP is configured

    When performing a tcpdump it looks like NAT is still in place. I want to understand this; is it changed in 11.1 that the SNIP is used? If so, the remark on top of the page can be adjusted 🙂

    A snip from the tcpdump:

    10:20:09.671482 IP NSIP.50488 > STOREFRONT1.80: Flags [S], seq 1083469940, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 692992689 ecr 0], length 0
    10:20:09.671489 IP SNIP.5835 > STOREFRONT1.80: Flags [S], seq 1083469940, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 692992689 ecr 0], length 0
    10:20:09.671981 IP STOREFRONT1.80 > SNIP.5835: Flags [S.], seq 3478389325, ack 1083469941, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 100439748 ecr 692992689], length 0
    10:20:09.671982 IP STOREFRONT1.80 > NSIP.50488: Flags [S.], seq 3478389325, ack 1083469941, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 100439748 ecr 692992689], length 0

    When performing a netstat from the Shell, it shows connections in TIME_WAIT state between the NSIP and the STOREFRONT1 server. From the shell, the IP addresses of the other interfaces are not present so I think I cannot trust what I see there.

    I am working with Netscaler for a few months now and I really want to try to understand its behavior, thanks!

    1. If NSIP does not have a route to the destination, I believe it will try to use a SNIP. However, you’ll want to do a real network trace on the NetScaler to verify that the SNIP was used as the source IP because I’ve seen asymmetric routing when depending on this behavior.

      1. I’ll try to perform a real network trace, since asymmetric routing is exactly what might be going on here (but that requires a different department to help me out ;).

        The StoreFront servers are connected directly in the Backend Subnet, so no routing is required. However, there is a route via the Backend network gateway for a larger network range; the backend subnet is a small part of that range (route for a /16, and the backend subnet is a /27 within this range).

        Regards,
        Marco
