Binding many NetScaler Gateways to a content switching vServer on Citrix NetScaler, Method 1

B

last update: January 6 / 2021

It does work no more, at least since version 12.1.

Or: The power of the ANY service type

This is a workaround for a well-known problem in NetScaler: Binding NetScaler Gateways to content switching vServers.

This solution does not follow Citrix best practices. Avoid using it, if you can!

My solution will work with NetScaler 10 upward. I didn’t test with 9.x as they are not considered to be secure any more.

The Problem

Up to 11.0 it was impossible to bind a NetSaler Gateway to a Content Switching vServer. By now (firmware versions 12) this is limited to a single NetScaler Gateway. This limitation may be an obstacle to overcome in certain environments. Most companies nowadays suffer under a lack of public IPs. But mos of all: Users don’t like complex environments with tons of different URLs to handle, one for mobile devices, one for PCs, one for trusted, one for untrusted devices and so on. Instead they want to use a single URL for all use cases.

Content switching may mitigate this issue by hiding very different configurations behind a single URL. But this is not true for NetScaler Gateways. In days of old we could not bind any gateway to a content switching vServer at all, now (starting from version 11) we can bind a maximum of one gateway to it.

Why may one gateway not be enough? First of all, it is complexity. It may confuse you if you have to bind tons of different scenarios to one gateway. In my real world experience I see often buggy environments being buggy, as complexity may over work the admins. But there may also be technical reasons. One of my costumer would have to bind round about 50 LDAP sources of costumers and partners. All of them are geographical dispersed and some of them may even be misconfigured and therefore slow. Logon to the last ADs in the list would be painful. Splitting the gateway up into some gateways would speed up things very much.

The solution

This question came up in one of my NetScaler classes. We set up all needed NetScaler Gateways. They are addressable and use private addresses of a separate address space (this address space does not exist outside of NetScaler).

We set up a content switching vServer. I would prefer a SSL-bridge to avoid SSL offloading, however we needed something to base content switching on, so we used a SSL vServer. This is far from being a perfect solution, but it works.

How to bind them together?

My first thought was: pointing the services of the load balancing vServer to the NetScaler gateways. But this does not work, we faced an error stating this IP address is already in use.

That’s my trick: I create load balancing vServers of type ANY and point its services to the corresponding gateways. That’s why these gateway servers use private addresses that don’t exist in your environment. This traffic will never leave this NetScaler.

NetScaler CS-Vserver loadbalancing many NetScaler Gateways

(graphic by courtesy of Andre Buck)

What’s wrong about this setup?

It does not follow Citrix best practices. So you should avoid using it. On the other hand: everything we do is fully supported: The content switching vServer, the load balancing vServers bound to it, load balancing vServers of type any, and last, not least, the gateways.

We won’t be able to log on to the NetScaler Gateways using smart cards (certificate based logon), if we use SSL-Offloading lb vServers, as these certificates won’t be visible to the NetScaler Gateway.

Why would you use it even though?

It’s currently the only chance to bind more than one NetScaler Gateway to a content switching vServer on a NetScaler.

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He had been borne in Innsbruck, a small city (150.000 inhabitants) in the middle of the most beautiful Austrian mountains (https://www.youtube.com/watch?v=UvdF145Lf2I)

19 comments

  • Hi Johannes,
    I would love to get some more details on this setup, as im currently in need of exactly this.
    Pretty new to advanced NetScaler use, so having som trouble putting it all together.
    Any contact on email would be much appreciated.

  • Hi Johannes, can you sent me also some more information details on your solution. Need it too but could not get it working so far… ) Thank you in advance!

  • hi Johannes,
    Would you mind sending me details of the configuration please…I have tried setting it up as described above but now facing two issues:
    1 – authentication works and able to see the resources via both gateways behind the content switch, but ICA launch fails
    2 – displaying the login page for the gateway with the lower priority in the content switch confit takes considerably longer – say, 10-15 seconds.

    Thanks,
    Tolu

    • Oh. It’s hard to answer. We would need to do network traces to find out, what’s wrong about HDX connections (A), and where we loose time (B). It should not be like that. It seems like you did everything right when you are able to log on OK.

  • Do. You have an example click config that you can share? I”m trying to get this working short term until our Sdx appliances arrive…

    • Blake, I see it’s not that easy to do. It’s no solution for a short term, it’s a bit tricky to set up, and most of all: it’s not supported. I’d rather do some VPX if you will migrate to a SDX soon. It will be the same kind of setup, and you can just drop the virtual instances on your SDX in …

  • Hi Johannes.

    The problem with what I am in now, is exactly the configuration you propose, but I can not understand, how you make the connections between the different VS. Could you give me more detailed information on the configurations and how to do them?
    If you can send me an email with explanations, I would greatly appreciate it.
    Thank you very much in advance.

    • I don’t fully understand your question. It’s just IP communication. Traffic is flowing through the CS vServer, to lb vServers. The servers of the services of these lb vServers point to the IP of another lb vServer type any. This is possible. And these any services (their servers) point to the gateways.

      So it would be, for example:

      CS- vServer: 192.168.0.1 There are 10 services bound to it, their servers pointing to 192.168.1.1 to 192.1681.10

      There are 10 servers of type any. IPs: 192.168.1.1 to 10. Example:
      192.168.1.1 got a service bound to it. It’s server is pointing to 192.168.2.1
      Poit of these “any” loadbalancers: gluing these gateways to the cs- vserver

      There are 10 NetScaler Gateways, IP 192.168.2.1 to 192.168.2.10.

      I kept thinking about cs- policies: If you go with the server name (gateway.company1.com, gateway.company2.com, …) you could create SSL bridges and use the SNI information included in SSL Cient Hello.

  • Hi Joannes, I have a single Netscaler gateway setting with 2 gateway server, one for VPN and one for xendesktop, with 2 IPs respectively. I have created a content switching server based on the domain names to switch to different gateway because of lacking public IP address , and of course I failed. I only can bind 1 gateway. Can you give me more details how the setup of the trick,, I have no idea how to set “point it’s service to corresponding gateway”, your help is appreciated.

  • Hi Johannes,
    I tried yur setup with NS bits 12.0.57.24, but I cannot get the NS to accept the config. I have set up as follows:
    server: IP based 192.168.1.x
    service: lb_svc type any tcp/443
    lbvs: tpe any, tcp/443, service lb_svc (as above)

    so far so good, all is up.

    When I try to glue this to a content switch:
    action: loadbalancing virtual server, target lbvs: specified the one created earlier
    policy: action specified the one just above, expression hostname contains(“a.domain.nl”)

    Now when creating the virtual server things go wrong. I tried to use type ANY and SSL, but it keeps complaining about incompatibility with the load balanced virtual server, created in load balancing part.
    When using type SSL and when adding the policy it says:
    Either LB vserver or GotoPriorityExpression or Invoke must be provided while binding a Content Switching policy without action. (used pririty 100, Goto Expression END, LabelType None, Traget LBVS default)
    If I do the same as above, but do explicitly specify a LBVS, it says The target vserver is not compatible with the CS verver.
    If I create a CS VS of type ANY, and try to add the policy I can”t get it work either, Tried all kind of combinations, also with cs policy labels etc.
    If you could give me a hint, would be great!
    Thanks
    Ronald

    • There was a problem about the image. I hope it’s fixed by now and you can view it. if not, the URL is: https://blog.norz.at/wp-content/uploads/2016/10/cs_ng_solution.png

      I create 1 cs vServer. This one selects load balances lb vServers. Their services point to a load balancing vServer of type ANY (no port), loadbalancing 1 service of type ANY (no port). These services point to the NetScaler Gateway.

      So t’s a CS-Vserver with 2 cascaded lb-vServers behind pointing to the NetScaler Gateway.

  • Hi Johannes,
    We are using all type ANY here, so how can the content switch policy determine where to go to? What fields do we have available here?
    The target vserver is not compatible with the CS policy expression.
    Which kinda makes sense, because ANY does not contain those fields, the evaluator has only TCP information, which is kinda useless in this scenario.
    You need to give the content switch something to decide upon, right?
    Grtz,
    Ronald

  • Johannes — can you share any config details on getting this to work? I have tried both the use of non addressable vservers (type SSL) in front of the ANY LB vservers as well as tying with just a single set of LB vservers but I’m running into an issue with this bc I am trying to use an expression for checking the HTTP.REQ based on the URL which seems to be what is complicating things. How were you forming your expressions?

    • You are right. It does not work any more. At that time, 2017, it worked fine using some versions prior to 12.0. It does not work with 12.1 or 13.0. Don’t ask me why Citrix blocked this.

      I added a note at the beginning of this article. I’m sorry, I should have done 1-2 years ago.

By Johannes Norz

Recent Posts

Recent Comments