Citrix Director Load Balancing – NetScaler 12 / Citrix ADC 12.1

Last Modified: Dec 20, 2018 @ 9:51 am


Change Log

  • 2018 Dec 20 – updated screenshots for ADC 12.1 build 50.
  • 2017 Dec 25 – updated entire article for 12.0 build 56. Monitor section has new 12.0 build 56 instructions.

Monitor

12.0 build 56 and newer

Instructions for creating the monitor changed in 12.0 build 56 and newer. If your build is older, skip to the older instructions.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it Director or similar.
  4. In the Type field, click where it says Click to select.
  5. Scroll down and click the circle next to HTTP.
  6. At the top of the window, click the blue Select button.
  7. Scroll down the Basic Parameters section, and check the box next to Secure. This checkbox instructs the monitor to connect to the Director Servers using https/SSL/TLS instead of http.
  8. In the HTTP Request box, enter GET /Director/LogOn.aspx?cc=true.
  9. If Single Sign-on (Windows Integrated Authentication) is enabled on Director, then you might have to add 302 as a Response Code.
  10. Scroll down, and click Create.
  11. Jump to the Servers section.

12.0 older than build 56

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it Director or similar.
  4. Change the Type drop-down to HTTP.
  5. If you will use SSL to communicate with the Director servers, then on the Standard Parameters tab, scroll down, and check the box next to Secure.
  6. Scroll up, and switch to the Special Parameters tab.
  7. In the HTTP Request field, enter GET /Director/LogOn.aspx?cc=true
    1. If Single Sign-on is enabled on Director, then you might have to add 302 as a Response Code.
  8. Scroll down, and click Create.
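To see why the monitor needs 302 as well as 200 when Single Sign-on is enabled, here is an added example (not code from the article) that sends the same request the monitor is configured with and judges the reply the way the appliance does. The Director server is a constructed local stub, so it runs offline; against a real server set secure=True, which mirrors the monitor's Secure checkbox.

```python
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Matches the article's monitor: -respCode 200 302 -httpRequest "GET /Director/LogOn.aspx?cc=true"
MONITOR_REQUEST = "/Director/LogOn.aspx?cc=true"
EXPECTED_CODES = {200, 302}


def probe_director(host, port, secure=True, timeout=5):
    """Send the monitor's request; return (healthy, status) as the ADC would judge it."""
    if secure:
        # The monitor does not validate the server certificate, so neither does the probe.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", MONITOR_REQUEST)
        status = conn.getresponse().status
    finally:
        conn.close()
    return status in EXPECTED_CODES, status


class StubDirector(BaseHTTPRequestHandler):
    """Constructed stand-in for IIS on a Director server (hypothetical, not Citrix code)."""
    sso_enabled = True  # Windows Integrated Authentication redirects the logon page

    def do_GET(self):
        if self.path == MONITOR_REQUEST and self.sso_enabled:
            self.send_response(302)  # this is the reply that makes 302 a required response code
            self.send_header("Location", "/Director/")
        elif self.path.startswith("/Director/"):
            self.send_response(200)
        else:
            self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the probe output quiet
        pass


def start_stub(port=0):
    """Serve the stub on 127.0.0.1 in a daemon thread; returns the server object."""
    srv = HTTPServer(("127.0.0.1", port), StubDirector)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

If the probe returns (False, status) against a real server, the status value is what to compare with the monitor's Response Codes before assuming the service itself is down.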

Servers

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name. Usually it matches the actual server name.
  4. Enter the IP address of the Director server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding Director servers.

Service Group

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
  2. On the right, click Add.
  3. Give the Service Group a descriptive name (e.g. svcgrp-Director-SSL).
  4. Change the Protocol to HTTP or SSL, depending on whether IIS on the Director server is enabled for https.
    • If the protocol is SSL, ensure the Monitor for Director has Secure enabled, as detailed earlier.
  5. Scroll down, and click OK.

  6. On the left, in the Service Group Members section, click where it says No Service Group Member.

    1. Change the selection to Server Based, and then Click to select the Director server objects.

    2. Enter 80 or 443 as the port. Then click Create.
  7. Click OK to close the Service Group Members section.
  8. On the right, under Advanced Settings, click Monitors.
  9. On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.

    1. Click where it says to Click to select.
    2. Click the circle next to the Director monitor you created earlier. The monitor might be on Page 2.
      • The circle must be clicked exactly (no room for error). If you click outside the circle, then the monitor will open for editing. If this happens, click Close to return to the selection screen.
    3. At the top of the window, click the blue Select button.
    4. Then click Bind.
  10. To verify that the monitor is working, on the left, in the Service Group Members section, click the Service Group Members line.
  11. Right-click a member, and click Monitor Details.
  12. The Last Response should be Success – HTTP response code 200 received. Click Close twice.
  13. Then click Done.

Responder

Create a Responder policy to redirect users from the root page to /Director.

  1. Go to AppExpert > Responder, and enable the feature if it isn’t already enabled.
  2. Go to AppExpert > Responder > Actions.
  3. On the right, click Add.

    1. Give the Action a name (e.g. Director_Redirect).
    2. Change the Type to Redirect.
    3. In the Expression box, enter "/Director", including the quotes.
  4. On the bottom, click Create.
  5. Go to AppExpert > Responder > Policies.
  6. On the right, click Add.

    1. Give the Policy a name (e.g. Director_Redirect).
    2. Select the previously created Action.
    3. In the Expression box, enter HTTP.REQ.URL.PATH.EQ("/")
  7. On the bottom, click Create.

Load Balancing Virtual Server

  1. Create or install a certificate that will be used by the SSL Virtual Server. This certificate must match the DNS name for the load balanced Director servers.
  2. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
  3. On the right, click Add.
  4. Do the following in the Basic Settings section:
    1. Name it lbvip-Director-SSL or similar.
    2. Change the Protocol to SSL.
    3. Specify a new internal VIP.
    4. Enter 443 as the Port.
    5. Click OK to close the Basic Settings section.
  5. On the left, in the Services and Service section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.

    1. Click where it says Click to select.
    2. Click the circle next to a previously created Service Group. It might be on page 2.
      • The circle must be clicked exactly (no room for error). If you click outside the circle, then the Service Group will open for editing. If this happens, click the x on the top right, or the Done button on the bottom, to return to the selection screen.
    3. At top of the screen, click the blue Select button.
    4. Click Bind.
  6. Click Continue to close the Services and Service Groups section.
  7. Click where it says No Server Certificate.

    1. Click where it says Click to select.
    2. Click the circle next to a certificate that matches the FQDN that resolves to this VIP. It might be on page 2.
    3. At the top of the window, click the blue Select button.
    4. Click Bind.
  8. Click Continue to close the Certificate section.
  9. On the right, in the Advanced Settings column, click Persistence.
  10. On the left, in the Persistence section, do the following:
    1. Change the Persistence drop-down to COOKIEINSERT. The Persistence section in 12.0 build 56 and newer is slightly different than older builds.
    2. Set the Time-out to 0 minutes. This makes it a session cookie instead of a persistent cookie.
    3. Set the Backup Persistence to SOURCEIP.
    4. Set the Backup Time-out to match the timeout of Director. The default timeout for Director is 245 minutes.
    5. The IPv4 Netmask should default to 32 bits.
    6. Click OK to close the Persistence section.
  11. On the right, in the Advanced Settings section, add the Policies section.
  12. On the left, in the Policies section, click the plus icon.

    1. Change the Choose Policy drop-down to Responder, and click Continue.
    2. Click to select the previously created Director_Redirect policy.

      • The circle next to the Responder policy must be clicked exactly (no room for error). If you click outside the circle, then the policy will open for editing. If this happens, click Close to return to the selection screen.
    3. After selecting, click Bind.
  13. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern A+ Cipher Group, and enable Strict Transport Security.

SSL Redirect

Do one of the following to configure a redirect from HTTP to HTTPS:

SSL Warning

  1. If you are doing SSL Offload (SSL on front end, HTTP on back end), when connecting to Director, it might complain about “You are not using a secure connection”.
  2. To turn off this warning, log in to the Director servers, and run IIS Manager.
  3. On the left, navigate to Server > Sites > Default Web Site > Director.
  4. In the middle, double-click Application Settings.
  5. Change UI.EnableSslCheck to false.

CLI Commands

Here is a list of NetScaler CLI commands for Director Load Balancing:

# SSL Global Parameters
set ssl parameter -denySSLReneg NONSECURE

# Certs
add ssl certKey WildcardCorpLocal -cert WildcardCorpLocal.pfx -key WildcardCorpLocal.pfx -inform PFX -passcrypt "Passw0rd"

# SSL Cipher Group
add ssl cipher custom-ssllabs-cipher
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 3
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 4
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 5
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 6
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 7
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 -cipherPriority 8
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 9
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 10
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 11
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 12

# Responder Actions
add responder action Director_Redirect redirect "\"/Director\"" -responseStatusCode 302

# Responder Policies
add responder policy Director_Redirect "HTTP.REQ.URL.PATH.EQ(\"/\")" Director_Redirect

# Load Balancing Global Parameters
enable ns mode FR L3 Edge USNIP PMTUD ULFD
set ns param -cookieversion 1
set ns tcpParam -WS ENABLED -SACK ENABLED
set ns httpParam -dropInvalReqs ON

# Monitors
add lb monitor Director HTTP -respCode 200 302 -httpRequest "GET /Director/LogOn.aspx?cc=true" -LRTM DISABLED -secure YES

# Servers
add server Director01 xdc01.corp.local
add server Director02 xdc02.corp.local

# Service Groups
add serviceGroup svcgrp-Director-SSL SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
bind serviceGroup svcgrp-Director-SSL Director01 443
bind serviceGroup svcgrp-Director-SSL Director02 443
bind serviceGroup svcgrp-Director-SSL -monitorName Director

# Load Balancing Virtual Servers
add lb vserver lbvip-Director-SSL SSL 10.2.5.210 443 -persistenceType COOKIEINSERT -timeout 0 -persistenceBackup SOURCEIP -backupPersistenceTimeout 245 -cltTimeout 180 -redirectFromPort 80 -httpsRedirectUrl "https://director.corp.com"
bind lb vserver lbvip-Director-SSL svcgrp-Director-SSL
bind lb vserver lbvip-Director-SSL -policyName Director_Redirect -priority 100 -gotoPriorityExpression END -type REQUEST

# SSL Virtual Servers
set ssl vserver lbvip-Director-SSL -ssl3 DISABLED -HSTS ENABLED -maxage 157680000
unbind ssl vserver lbvip-Director-SSL -cipherName ALL
bind ssl vserver lbvip-Director-SSL -cipherName custom-ssllabs-cipher
bind ssl vserver lbvip-Director-SSL -certkeyName WildcardCorpLocal
bind ssl vserver lbvip-Director-SSL -eccCurveName P_256
bind ssl vserver lbvip-Director-SSL -eccCurveName P_384
bind ssl vserver lbvip-Director-SSL -eccCurveName P_224
bind ssl vserver lbvip-Director-SSL -eccCurveName P_521
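Step 13 of the virtual server section asks for SSLv3 disabled, a Modern cipher group and HSTS. As an added example (not part of the article), this script checks those three points against the `set ssl vserver` and `bind ssl cipher` lines above, flagging the two RSA-key-exchange ciphers at the bottom of the group. The sample config is a constructed excerpt of the article's own CLI block; the parser only handles single-value `-key value` pairs.

```python
# Constructed sample: the relevant lines from the article's CLI block.
SAMPLE_CONFIG = """
set ssl vserver lbvip-Director-SSL -ssl3 DISABLED -HSTS ENABLED -maxage 157680000
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 9
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 11
bind ssl cipher custom-ssllabs-cipher -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 12
"""

ONE_YEAR = 365 * 24 * 3600  # HSTS max-age floor used by this check, in seconds


def parse_params(line):
    """Collect '-key value' pairs from a NetScaler CLI line (first value only)."""
    tokens = line.split()
    params = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and not tokens[i + 1].startswith("-"):
            params[tok[1:]] = tokens[i + 1]
    return params


def has_forward_secrecy(cipher_name):
    """The second field of a NetScaler cipher name is the key exchange:
    ECDHE/DHE give forward secrecy; TLS1-AES-... is plain RSA key exchange."""
    return cipher_name.split("-")[1] in ("ECDHE", "DHE")


def audit(config):
    """Return findings for the SSL vserver parameters and cipher-group bindings."""
    findings = []
    for line in config.strip().splitlines():
        p = parse_params(line)
        if line.startswith("set ssl vserver"):
            if p.get("ssl3") != "DISABLED":
                findings.append("SSLv3 is not disabled on the vserver")
            if p.get("HSTS") != "ENABLED":
                findings.append("HSTS is not enabled on the vserver")
            elif int(p.get("maxage", "0")) < ONE_YEAR:
                findings.append("HSTS max-age is shorter than one year")
        elif line.startswith("bind ssl cipher") and not has_forward_secrecy(p["cipherName"]):
            findings.append(f"{p['cipherName']} (priority {p['cipherPriority']}) has no forward secrecy")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```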

21 thoughts on “Citrix Director Load Balancing – NetScaler 12 / Citrix ADC 12.1”

  1. Hi Carl, We are load balancing ctx director and have an SSL VIP with source IP persistence set, problem is once the user logs in and after a minute or so session gets timed out and returns back to the login page. I changed the persistence to cookie insert and still didn’t work. Any suggestions on this, I can take a pcap and see but anything to do with configuration

      1. Hi Carl, yes it does work if I disable one service. I suspect this to be a Load Balancing method chosen combined with the persistence. Does that sound right?

          1. 15 minutes seems low. How long will users stay connected to Director? Persistence timeout should be at least that long.

          2. Well, users are getting timed out even before 15 minutes and this happens intermittently. When they login to the director after a couple of minutes they get timed out and they get back to the login screen.

          3. When users connect to the VIP, are they going through a proxy server or NAT? Or is the connection directly to the VIP without any IP translation?

            You can view the NetScaler persistence table by clicking Traffic Management on the left and there’s a link on the right.

            You can also do a network trace on the NetScaler to see the client’s source IP.

          4. Hi Carl, users won’t come via firewall or a proxy so no nat. I have already checked the persistence table and I could see the original IP of the client, and when they are browsing I could see them get timed out in spite of the connection still in the persistence table.

          5. Is it actually sending them to a different server? If so, and if persistence table shows it should not be doing that, then that sounds like a bug.

  2. Hi Carl, I have followed your guide to setup a Director pair and load balanced them successfully. This director pair points to 5 other DDCs pairs in different regions. Works well, but is there a way for me to connect this setup to NMAS/HDX Insight devices in each region so it appears in the network tab of each site in Director? I think we can only add one, which is a bummer. Unless there is another way you can suggest?

    Thanks again for the articles, always appreciated.
    Erk

      1. I think you can only add one MAS appliance per Director server. You might have to call Citrix Support and submit an enhancement request.

    1. What configurations? Most are in Application Settings, which are stored in /Director/web.config. I assume you can just copy that file to the new server, but I don’t think I’ve tried that.

  3. Hi Carl, in the v11 guide you use a different method for persistence than v12, is the v12 a better method than v11?

    v11:
    Select SOURCEIP persistence.
    Set the timeout to match the timeout of Director. The default timeout for Director is 245 minutes.
    v12:
    Change the Persistence drop-down to COOKIEINSERT. The Persistence section in 12.0 build 56 and newer is slightly different than older builds.
    Set the Time-out to 0 minutes. This makes it a session cookie instead of a persistent cookie.

    keep up the great work!

    1. Cookie is usually preferred for HTTP websites since it handles proxy connections and NAT connections. But it depends on the app.

      1. I agree with you on that, Carl.

        Would it be possible to update the 11.1 article with the same persistence? Or would there be a reason not to use it on NS ADC 11.1 when load balancing Citrix Director?
