StoreFront Load Balancing – NetScaler 12

Last Modified: Aug 22, 2017 @ 5:49 pm

Monitor

Note: This is a Perl monitor, which uses the NSIP as the source IP. You can use RNAT to override this as described in CTX217712 How to Force scriptable monitor to use SNIP in Netscaler in 10.5.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it StoreFront or similar.
  4. Change the Type drop-down to STOREFRONT.
  5. If you will use SSL/https to communicate with the StoreFront servers, then scroll down, and check the box next to Secure.
  6. Scroll up, and switch to the Special Parameters tab.
  7. In the Store Name field, enter the name of your store (e.g. MyStore) without spaces.
  8. Click Create.

    add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store

Servers

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name; usually it matches the actual server name.
  4. Enter the IP address of the server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding StoreFront servers.

    add server SF01 10.2.2.57
    add server SF02 10.2.2.58

Service Group

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
  2. On the right, click Add.
  3. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SSL).
  4. Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure that the StoreFront Monitor has Secure checked.
  5. Scroll down, and click OK.
  6. Click where it says No Service Group Member.

    1. If you did not create server objects, then enter the IP address of a StoreFront Server. If you previously created a server object, then change the selection to Server Based, and select the server objects.
    2. Enter 80 or 443 as the port. Then click Create.
    3. In the Service Group Members section, click OK.
  7. On the right, under Advanced Settings, click Monitors.
  8. On the left, scroll down to the Monitors section, and click where it says No Service Group to Monitor Binding.

    1. Click where it says Click to select.
    2. Click the radio button next to your StoreFront monitor, and click Select.
    3. Then click Bind.
  9. To verify that the monitor is working, on the left, in the Service Group Members section, click the Service Group Members line.

    1. Right-click a member, and click Monitor Details.
    2. The Last Response should be Success – Probe succeeded. Click Close twice.
  10. On the left, if you see a Settings section, then click the pencil icon.

    1. If you don’t see the Settings section, then on the right, under Advanced Settings, click Settings.
  11. On the left, in the Settings section, check the box for Client IP, and enter X-Forwarded-For as the Header. Then click OK.
  12. Scroll down, and click Done.

    add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For
    
    bind serviceGroup svcgrp-StoreFront-SSL SF01 443
    bind serviceGroup svcgrp-StoreFront-SSL SF02 443
    bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront
  13. If the Service Group is http, and if you don’t have certificates installed on your StoreFront servers (aka SSL Offload), then you’ll need to enable loopback in StoreFront.
    1. In StoreFront 3.5 and newer, you enable it in the GUI console.
    2. In StoreFront 3.0, run the following commands on the StoreFront 3.0 servers as detailed at Citrix Blog Post What’s New in StoreFront 3.0.
      & "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
      
      Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp

Load Balancing Virtual Server

  1. Create or install a certificate that will be used by the SSL Load Balancing Virtual Server. This certificate must match the DNS name for the load balanced StoreFront servers.

    1. For email discovery in Citrix Receiver, the certificate must match discoverReceiver.email.suffix for each email suffix. This is typically done using Subject Alternative Names.
  2. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  3. On the right, click Add.
  4. Name it lbvip-StoreFront-SSL or similar.
  5. Change the Protocol to SSL.
  6. Specify a new internal VIP.
  7. Enter 443 as the Port.
  8. Click OK.

    add lb vserver lbvip-StoreFront-SSL SSL 10.2.2.221 443 -persistenceType SOURCEIP -timeout 60
  9. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.

    1. Click where it says Click to select.
    2. Click the radio button next to your StoreFront Service Group, and click Select.
    3. Click Bind.

      bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront-SSL
  10. In the Services and Service Groups section, click Continue.
  11. Click where it says No Server Certificate.

    1. Click where it says Click to select.
    2. Click the radio button next to the certificate for this StoreFront Load Balancing Virtual Server, and click Select.
    3. Click Bind.

      bind ssl vserver lbvip-StoreFront-SSL -certkeyName WildCorpCom
  12. In the Certificates section, click Continue.
  13. On the right, in the Advanced Settings column, click Persistence.
  14. On the left, in the Persistence section, select SOURCEIP. Do NOT use COOKIEINSERT persistence or Android devices will not function correctly.
  15. Set the timeout to match the timeout of Receiver for Web.
  16. The IPv4 Netmask should default to 32 bits.
  17. Click OK.
  18. If the NetScaler communicates with the StoreFront servers using HTTP (aka SSL Offload, which means SSL 443 on the client-side, and HTTP 80 on the server-side):
    1. If the default SSL Profile is not enabled, then you’ll need to edit the SSL Parameters section on the vServer, and at the top right, check the box next to SSL Redirect. Otherwise the Receiver for Web page will never display.

      set ssl vserver lbvip-StoreFront-SSL -sslRedirect ENABLED -ssl3 DISABLED
    2. If you have enabled the Default SSL Profile, then you’ll either need to edit the Default SSL Profile to include the SSL Redirect option, or create a new custom SSL Profile with the SSL Redirect option enabled, and then bind the custom SSL Profile to this vServer.
  19. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.
    bind ssl vserver lbvip-StoreFront-SSL -certkeyName MyCert
    
    set ssl vserver lbvip-StoreFront-SSL -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
    
    unbind ssl vserver lbvip-StoreFront-SSL -cipherName ALL
    
    bind ssl vserver lbvip-StoreFront-SSL -cipherName custom-ssl-labs
    
    bind ssl vserver lbvip-StoreFront-SSL -eccCurveName ALL
    
    bind lb vserver lbvip-StoreFront-SSL -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE
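
The settings this procedure depends on can be checked against a saved configuration. The Python script below is an added example, not part of the original article or any Citrix tooling; the sample config is constructed from the article's object names, and the SSLv3 check assumes the Default SSL Profile is not enabled.

```python
import shlex

# Constructed sample (not from a real appliance) with four deliberate deviations.
SAMPLE = """\
add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -storename Store
add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For
bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront
add lb vserver lbvip-StoreFront-SSL SSL 10.2.2.221 443 -persistenceType COOKIEINSERT -timeout 60
bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront
set ssl vserver lbvip-StoreFront-SSL -sslRedirect ENABLED
"""

def opts(tokens):
    """Map each -option to the token that follows it."""
    return {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}

def audit(config):
    monitors, groups, vservers, ssl_set = {}, {}, {}, {}
    group_monitors, vs_binds, findings = [], [], []
    for line in config.splitlines():
        t = shlex.split(line)
        if t[:3] == ["add", "lb", "monitor"]:
            monitors[t[3]] = (t[4], opts(t[5:]))
        elif t[:2] == ["add", "serviceGroup"]:
            groups[t[2]] = t[3]
        elif t[:2] == ["bind", "serviceGroup"] and "-monitorName" in t:
            group_monitors.append((t[2], opts(t[3:])["-monitorName"]))
        elif t[:3] == ["add", "lb", "vserver"]:
            vservers[t[3]] = (t[4], opts(t[5:]))
        elif t[:3] == ["bind", "lb", "vserver"] and "-policyName" not in t:
            vs_binds.append((t[3], t[4]))
        elif t[:3] == ["set", "ssl", "vserver"]:
            ssl_set.setdefault(t[3], {}).update(opts(t[4:]))
    for grp, mon in group_monitors:  # an SSL group needs the monitor's Secure box
        mtype, mopts = monitors.get(mon, ("", {}))
        if groups.get(grp) == "SSL" and mtype == "STOREFRONT" and mopts.get("-secure") != "YES":
            findings.append(f"{mon}: bound to SSL group {grp} without -secure YES")
    for vs, (proto, vopts) in vservers.items():
        if vopts.get("-persistenceType") == "COOKIEINSERT":  # breaks Android devices
            findings.append(f"{vs}: COOKIEINSERT persistence, use SOURCEIP")
        if proto == "SSL" and ssl_set.get(vs, {}).get("-ssl3") != "DISABLED":
            findings.append(f"{vs}: SSLv3 not explicitly disabled")
    for vs, grp in vs_binds:  # assumes only service groups are bound, as in the article
        if grp not in groups:
            findings.append(f"{vs}: bound to undefined service group {grp}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against the text of a saved configuration; an empty result means none of the four checks fired.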

When connecting to StoreFront through load balancing, if you want to put the server name on the StoreFront webpage so you can identify the server, see Nicolas Ignoto Display server name with Citrix StoreFront 3.

SSL Redirect – SSL Load Balancing vServer Method

Users must enter https:// when navigating to the StoreFront website. To make it easier for the users, enable SSL Redirection.

This procedure details the SSL Load Balancing vServer method of performing an SSL redirect. An alternative is to use the Responder method.

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  2. On the right, find the SSL Virtual Server you’ve already created, right-click it, and click Edit.
  3. In the Basic Settings section, click the pencil icon.
  4. Click the More link.
  5. In the Redirect from Port field, enter 80.
  6. In the HTTPS Redirect URL field, enter your StoreFront Load Balancing URL (e.g. https://storefront.corp.com).
  7. Scroll down, and click Continue twice.

    set lb vserver lbvip-StoreFront-SSL -redirectFromPort 80 -httpsRedirectUrl https://storefront.corp.com
  8. Note: this method does not show you that it’s listening on port 80.

StoreFront Base URL

  1. Create a DNS Host record that resolves to the new VIP.
  2. The DNS name for StoreFront load balancing must be different than the DNS name for NetScaler Gateway, unless you are following the Single FQDN procedure.

  3. In the Citrix StoreFront console, right-click Server Group, and click Change Base URL.
  4. Enter the new Base URL in https://storefront.corp.com format. This must match the certificate that is installed on the load balancer. Click OK.
  5. Right-click your store, and click Manage Receiver for Web Sites.
  6. Click Configure.
  7. On the Advanced Settings page, change Enable loopback communication to OnUsingHttp. This tells StoreFront to not use the load balancer for inter-server communication.

Subscription Replication Load Balancing

If you have multiple StoreFront Server Groups (usually in separate datacenters), you might want to replicate subscriptions (favorites) between them. StoreFront subscription replication uses TCP port 808. To provide High Availability for this port number, load balance TCP port 808 on the StoreFront servers. See Configure subscription synchronization at Citrix Docs for more information.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
  2. On the right, right-click your existing StoreFront service group, and click Add.

    1. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SubRepl).
    2. Change the Protocol to TCP.
    3. Scroll down, and click OK.
    4. In the Service Group Members section, click where it says No Service Group Member.
    5. Change the selection to Server Based, and select the StoreFront servers.
    6. Enter 808 as the port. Then click Create.
    7. Click OK to close the Service Group Members section.
    8. On the right, under Advanced Settings, click Monitors.
    9. On the left, scroll down, and in the Monitors section, click where it says No Service Group to Monitor Binding.
    10. Click where it says Click to select.
    11. Click the radio button next to the tcp monitor, and click Select.
    12. Click Bind.
    13. Click Done to close the Service Group.

      add serviceGroup svcgrp-StoreFront-FavRepl TCP
      bind serviceGroup svcgrp-StoreFront-FavRepl SF01 808
      bind serviceGroup svcgrp-StoreFront-FavRepl SF02 808
  3. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  4. On the right, right-click the existing StoreFront Load Balancing vServer, and click Add.

    1. Name it lbvip-StoreFront-SubRepl or similar.
    2. Change the Protocol to TCP.
    3. Specify the same VIP that you used for SSL Load Balancing of StoreFront.
    4. Enter 808 as the Port.
    5. Click OK.
    6. In the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.

    7. Click where it says Click to select.
    8. Click the radio button next to your StoreFront Subscription Replication Service Group, and click Select.
    9. Click Bind.
    10. In the Services and Service Groups section, click Continue.
    11. Scroll down, and click Done to close the Virtual Server. There’s no need for persistence or redirects.

      add lb vserver lbvip-StoreFront-FavRepl TCP 10.2.2.221 808 -persistenceType NONE

      bind lb vserver lbvip-StoreFront-FavRepl svcgrp-StoreFront-FavRepl

2 thoughts on “StoreFront Load Balancing – NetScaler 12”

  1. Hi Carl,

    I have 3 StoreFront servers on 7.12 that are load balanced using a Stingray appliance. Can these be rebooted one at a time during production without dropping any user connections to XenApp or XenDesktop users?

    1. ICA connections don’t go through StoreFront. ICA goes directly from Receiver to VDA, or is proxied by NetScaler Gateway. Rebooting StoreFront would only reset a user’s web session in RfWeb.
