Last update: November 14, 2017
Or: The power of the ANY service type
This is a workaround for a well-known problem in NetScaler: binding NetScaler Gateways to content switching vServers.
This solution does not follow Citrix best practices. Avoid using it if you can!
My solution works with NetScaler 10 and upward. I didn't test it with 9.x, as those versions are no longer considered secure.
Up to 11.0 it was impossible to bind a NetScaler Gateway to a content switching vServer. By now (firmware version 12) this is possible, but limited to a single NetScaler Gateway. This limitation may be an obstacle in certain environments. Most companies nowadays suffer from a lack of public IPs. But most of all: users don't like complex environments with tons of different URLs to handle, one for mobile devices, one for PCs, one for trusted devices, one for untrusted devices and so on. Instead they want to use a single URL for all use cases.
Content switching may mitigate this issue by hiding very different configurations behind a single URL. But this is not true for NetScaler Gateways. In days of old we could not bind any gateway to a content switching vServer at all, now (starting from version 11) we can bind a maximum of one gateway to it.
Why may one gateway not be enough? First of all, complexity. Binding tons of different scenarios to one gateway may confuse you. In my real-world experience I often see buggy environments, because complexity overworks the admins. But there may also be technical reasons. One of my customers would have to bind roughly 50 LDAP sources of customers and partners. All of them are geographically dispersed, and some of them may even be misconfigured and therefore slow. Logon against the last ADs in the list would be painful. Splitting the gateway up into several gateways would speed things up very much.
This question came up in one of my NetScaler classes. We set up all needed NetScaler Gateways. They are addressable and use private addresses of a separate address space (this address space does not exist outside of NetScaler).
We set up a content switching vServer. I would prefer an SSL bridge to avoid SSL offloading, but we needed something to base content switching on, so we used an SSL vServer. This is far from a perfect solution, but it works.
How to bind them together?
My first thought was: point the services of the load balancing vServer to the NetScaler Gateways. But this does not work; we faced an error stating that this IP address is already in use.
That's my trick: I create load balancing vServers of type ANY and point their services to the corresponding gateways. That's why these gateway vServers use private addresses that don't exist in your environment: this traffic will never leave this NetScaler.
(graphic by courtesy of Andre Buck)
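The setup described above, as an added CLI example that is not from the original post or from Citrix documentation. The vServer and service names, the 10.255.255.0/24 gateway addresses, the public address 203.0.113.10, the certkey name and the User-Agent rule are all assumptions; only the structure (SSL CS vServer, ANY-type LB vServers, services pointing at the gateway VIPs) is what the post describes.

```nscli
# Added example, not the post's own configuration. All names, addresses and the
# policy rule are assumptions; the structure follows the post.

# 1. Two gateways on private VIPs that exist only inside this NetScaler
add vpn vserver gw_pc     SSL 10.255.255.1 443
add vpn vserver gw_mobile SSL 10.255.255.2 443
# bind certificates, authentication and session policies to each gateway as usual

# 2. One ANY-type service and one non-addressable ANY-type LB vServer per gateway
add server srv_gw_pc     10.255.255.1
add server srv_gw_mobile 10.255.255.2
add service svc_gw_pc     srv_gw_pc     ANY 443
add service svc_gw_mobile srv_gw_mobile ANY 443
add lb vserver lb_gw_pc     ANY
add lb vserver lb_gw_mobile ANY
bind lb vserver lb_gw_pc     svc_gw_pc
bind lb vserver lb_gw_mobile svc_gw_mobile

# 3. The single public URL: an SSL content switching vServer (SSL offload,
#    which is what makes HTTP.REQ.* expressions available for switching)
add cs vserver cs_gateway SSL 203.0.113.10 443
bind ssl vserver cs_gateway -certkeyName cert_gateway_example

# 4. Pick a gateway per client type; the default LB vServer catches everything else
add cs action act_gw_mobile -targetLBVserver lb_gw_mobile
add cs policy pol_gw_mobile -rule 'HTTP.REQ.HEADER("User-Agent").CONTAINS("Mobile")' -action act_gw_mobile
bind cs vserver cs_gateway -policyName pol_gw_mobile -priority 100
bind cs vserver cs_gateway -lbvserver lb_gw_pc

# 5. Checks: each LB vServer should be UP, and the CS vServer should list both targets
show lb vserver lb_gw_pc
show lb vserver lb_gw_mobile
show cs vserver cs_gateway
```

The User-Agent rule only selects a gateway; it is not an authentication decision, so each gateway keeps its own authentication and session policies.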
What’s wrong about this setup?
It does not follow Citrix best practices, so you should avoid using it. On the other hand, everything we do is fully supported: the content switching vServer, the load balancing vServers bound to it, load balancing vServers of type ANY and, last but not least, the gateways.
We won't be able to log on to the NetScaler Gateways using smart cards (certificate-based logon) if we use SSL-offloading LB vServers, as the client certificates won't be visible to the NetScaler Gateway.
Why would you use it anyway?
It's currently the only way to bind more than one NetScaler Gateway to a content switching vServer on a NetScaler.