This article describes how to access the resources in a Global Server Load Balancing (GSLB) setup by using HTTP and SSL.
A common requirement in a GSLB setup is both HTTP and SSL access to the same set of servers. However, some configuration requirements are not obvious and can cause problems if they are missed.
A GSLB environment requires multiple additional objects, all of which must be configured correctly.
This configuration assumes that both secure and non-secure access are required and that both are served by the same set of back-end resources. Additionally, if either the HTTP or SSL access is not functional on a particular service, the service should be marked as DOWN. It is also assumed that if a back-end server in any of the GSLB sites processes a client request, then the subsequent client requests, both secure and non-secure, are sent to the same server.
However, GSLB virtual servers and services have special requirements, which are described in this article.
Complete the following procedure to set up a GSLB site in active-active mode:
Create load balancing virtual servers for HTTP and SSL network traffic.
Create and bind appropriate services to both the load balancing virtual servers.
Create the GSLB virtual server for HTTP network traffic on each site.
Note: Do not create a GSLB SSL virtual server.
Create both HTTP and SSL GSLB services, and bind the HTTP service to the GSLB HTTP virtual server.
Note: The GSLB SSL services are not bound to the GSLB virtual server, but are necessary for site persistence.
Bind both HTTP and SSL types of monitors to the GSLB service.
Select the GSLB load balancing method based on proximity.
Note: For a balanced load distribution, specify a load balancing method based on proximity. If the load balancing method is based on statistics, such as least connection, the service is selected based on the statistics for only the type of service that is bound to the GSLB virtual server. The statistics of the other service type, which is not bound to the GSLB virtual server, are not considered, and this could result in a load distribution that is not balanced. Therefore, it is recommended to select the GSLB load balancing method based on proximity.
To maintain persistence to the same site and to the same server on that site, define persistence for both the GSLB and load balancing virtual servers. Configure Connection Proxy/HTTP Redirect as the persistence type at the GSLB service level to ensure that requests from one session are sent to the same GSLB site.
Note: Experience in the field has shown that Source IP persistence at the GSLB virtual server could lead to a load distribution that is not balanced if most of the client requests are coming from a proxy. Connection Proxy/HTTP Redirect is the recommended persistence option in such scenarios.
After the client requests are sent to a particular site, persistence can be maintained to the same server regardless of the access port (HTTP/SSL) by using persistence groups at the load balancing virtual server.
Complete the following procedure to configure Site A:
Run the following command to enable GSLB and load balancing features on the appliance:
enable ns feature LB GSLB
Add the Authoritative DNS (ADNS) service. The ADNS service can be configured with any NetScaler-owned IP address (MIP/SNIP). After the ADNS service is configured, the NetScaler appliance is authoritative for that domain and responds to DNS queries. Run the following command to add the ADNS service:
add service adns_svc 192.168.251.205 adns 53
Run the following commands to add the local and remote GSLB sites:
add gslb site sitea LOCAL 192.168.251.201 -publicIP 192.168.251.201
add gslb site siteb REMOTE 192.168.253.201 -publicIP 192.168.253.201
Note: A GSLB site hosted on a NetScaler appliance is local to that appliance and remote to a different NetScaler appliance.
Run the following command to add the GSLB virtual server with the required load balancing method and service type for the kind of network traffic:
add gslb vserver gvserver-http http -lbmethod RTT
Run the following commands to add HTTP and SSL load balancing virtual servers and bind the services to this server:
add service servera-http 192.168.152.10 HTTP 80
add lb vserver vservera-http HTTP 192.168.251.202 80
bind lb vserver vservera-http servera-http
add service servera-ssl 192.168.152.10 SSL 443
add lb vserver vservera-ssl SSL 192.168.251.202 443
bind lb vserver vservera-ssl servera-ssl
Run the following commands to add HTTP and SSL GSLB services for the local site A:
add gslb service gslbsvca-http 192.168.251.202 HTTP 80 -siteName sitea
add gslb service gslbsvca-ssl 192.168.251.202 SSL 443 -siteName sitea
Note: The local GSLB service should have the same IP address as the load balancing virtual server added in Step 5 of this procedure.
Run the following commands to add HTTP and SSL GSLB services for the remote site B:
add gslb service gslbsvcb-http 192.168.253.202 HTTP 80 -publicIp 192.168.253.202 -publicPort 80 -siteName siteb
add gslb service gslbsvcb-ssl 192.168.253.202 SSL 443 -publicIP 192.168.253.202 -publicPort 443 -siteName siteb
Run the following commands to bind the local and remote HTTP GSLB services to the GSLB HTTP virtual server:
bind gslb vserver gvserver-http -serviceName gslbsvcb-http
bind gslb vserver gvserver-http -serviceName gslbsvca-http
Note: Do not bind the SSL GSLB services.
Run the following command to bind the GSLB virtual server to a domain:
bind gslb vserver gvserver-http -domainName www.example.com
Run the following commands to bind both HTTP and SSL monitors to the local and remote GSLB services. This ensures that if one of the service types is marked as DOWN, the other service type for the same server is also marked as DOWN, so that HTTP and SSL requests are sent to the same service:
bind lb monitor https gslbsvca-http
bind lb monitor http gslbsvca-http
bind lb monitor http gslbsvca-ssl
bind lb monitor https gslbsvca-ssl
bind lb monitor https gslbsvcb-http
bind lb monitor http gslbsvcb-http
bind lb monitor http gslbsvcb-ssl
bind lb monitor https gslbsvcb-ssl
Note: Monitors are not required for LOCAL site load balancing virtual servers. GSLB is notified when a load balancing virtual server has the status DOWN for its own virtual servers and services. However, because of the different use case in this scenario, the monitors are bound to the local GSLB service.
http://support.citrix.com/article/CTX111081
Run the following commands to configure Connection Proxy/HTTP Redirect persistence on the GSLB service:
set gslb service gslbsvca-http -sitePersistence ConnectionProxy
set gslb service gslbsvcb-http -sitePersistence ConnectionProxy
set gslb service gslbsvca-ssl -sitePersistence ConnectionProxy
set gslb service gslbsvcb-ssl -sitePersistence ConnectionProxy
Note: This ensures that the client requests are sent to the same site.
After the requests are sent to a GSLB site, persistence can be maintained to the same server regardless of the HTTP or SSL access port by binding the persistence groups to the load balancing virtual server. Run the following commands to bind the persistence groups to the load balancing virtual server:
bind lb group company vservera-http
bind lb group company vservera-ssl
Note: Site B has the same GSLB configuration as site A. The only difference is in the load balancing related configuration.
Complete the following procedure to configure Site B:
Run the following command to enable GSLB and load balancing features on the appliance:
enable ns feature LB GSLB
Run the following command to add the ADNS service:
add service adns_svc 192.168.251.205 adns 53
Run the following commands to add remote and local GSLB sites:
add gslb site sitea REMOTE 192.168.251.201 -publicIP 192.168.251.201
add gslb site siteb LOCAL 192.168.253.201 -publicIP 192.168.253.201
Run the following command to add the GSLB virtual server with a load balancing method that is not based on statistics but on the proximity methods:
add gslb vserver gvserver-http http -lbmethod RTT
Run the following commands to add the virtual servers for both HTTP and SSL for load balancing the services at site B and to bind the service to virtual server:
add service serverb-http 192.168.152.11 HTTP 80
add lb vserver vserverb-http HTTP 192.168.253.202 80
bind lb vserver vserverb-http serverb-http
add service serverb-ssl 192.168.152.11 SSL 443
add lb vserver vserverb-ssl SSL 192.168.253.202 443
bind lb vserver vserverb-ssl serverb-ssl
Run the following commands to add HTTP and SSL GSLB services for the local site B as a local GSLB service:
add gslb service gslbsvcb-http 192.168.253.202 HTTP 80 -siteName siteb
add gslb service gslbsvcb-ssl 192.168.253.202 SSL 443 -siteName siteb
Note: The local GSLB service should have the same IP address as the load balancing virtual servers added in Step 5 of this procedure.
Run the following commands to add HTTP and SSL GSLB services for the remote site A:
add gslb service gslbsvca-http 192.168.251.202 HTTP 80 -publicIP 192.168.251.202 -publicPort 80 -siteName sitea
add gslb service gslbsvca-ssl 192.168.251.202 SSL 443 -publicIP 192.168.251.202 -publicPort 443 -siteName sitea
Run the following commands to bind the local and remote HTTP GSLB services to the GSLB HTTP virtual server:
bind gslb vserver gvserver-http -serviceName gslbsvcb-http
bind gslb vserver gvserver-http -serviceName gslbsvca-http
Note: Do not bind the SSL GSLB services.
Run the following command to bind the GSLB virtual server to a domain:
bind gslb vserver gvserver-http -domainName www.example.com
Run the following commands to bind HTTP and SSL monitors to the local and remote GSLB services. This ensures that if one of the service types is marked as DOWN, the other service type for the same server is also marked as DOWN, so that HTTP and SSL requests are sent to the same service:
bind lb monitor https gslbsvca-http
bind lb monitor http gslbsvca-http
bind lb monitor http gslbsvca-ssl
bind lb monitor https gslbsvca-ssl
bind lb monitor https gslbsvcb-http
bind lb monitor http gslbsvcb-http
bind lb monitor http gslbsvcb-ssl
bind lb monitor https gslbsvcb-ssl
Run the following commands to configure Connection Proxy/HTTP Redirect persistence on the GSLB service:
set gslb service gslbsvca-http -sitePersistence ConnectionProxy
set gslb service gslbsvcb-http -sitePersistence ConnectionProxy
set gslb service gslbsvca-ssl -sitePersistence ConnectionProxy
set gslb service gslbsvcb-ssl -sitePersistence ConnectionProxy
Note: This ensures that the client requests are sent to the same site.
After the requests are sent to a GSLB site, persistence can be maintained to the same server regardless of the HTTP or SSL access port by binding the persistence groups to the load balancing virtual server. Run the following commands to bind the persistence groups to the load balancing virtual server:
bind lb group company vserverb-http
bind lb group company vserverb-ssl
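The rules in the two procedures above can be checked mechanically against a saved configuration. The following audit is an added example, not Citrix code: it parses only the command forms shown in this article, assumes the monitors are named http and https as above, and `audit` and `_flag` are hypothetical helper names.

```python
import re

# Constructed sample: the Site A commands for the local GSLB services from this article.
SITE_A = """\
add gslb vserver gvserver-http http -lbmethod RTT
add gslb service gslbsvca-http 192.168.251.202 HTTP 80 -siteName sitea
add gslb service gslbsvca-ssl 192.168.251.202 SSL 443 -siteName sitea
bind gslb vserver gvserver-http -serviceName gslbsvca-http
bind lb monitor https gslbsvca-http
bind lb monitor http gslbsvca-http
bind lb monitor http gslbsvca-ssl
bind lb monitor https gslbsvca-ssl
set gslb service gslbsvca-http -sitePersistence ConnectionProxy
set gslb service gslbsvca-ssl -sitePersistence ConnectionProxy
"""

def _flag(line, name):
    """Return the value that follows a -flag (case-insensitive), or None."""
    m = re.search(rf"{name}\s+(\S+)", line, re.I)
    return m.group(1) if m else None

def audit(config):
    """Return findings where the config breaks the GSLB HTTP+SSL rules of this article."""
    types, bound, mons, persist, out = {}, set(), {}, set(), []
    for line in config.splitlines():
        t = line.split()
        low = [x.lower() for x in t]
        if low[1:3] == ["gslb", "service"] and len(t) > 3:
            if (_flag(line, "-sitePersistence") or "NONE").upper() != "NONE":
                persist.add(t[3])  # set on either an add or a set command
        if low[:3] == ["add", "gslb", "service"] and len(t) > 5:
            types[t[3]] = t[5].upper()
        elif low[:3] == ["add", "gslb", "vserver"] and len(t) > 4 and low[4] == "ssl":
            out.append(f"{t[3]}: a GSLB SSL virtual server must not be created")
        elif low[:3] == ["bind", "gslb", "vserver"] and _flag(line, "-serviceName"):
            bound.add(_flag(line, "-serviceName"))
        elif low[:3] == ["bind", "lb", "monitor"] and len(t) > 4:
            mons.setdefault(t[4], set()).add(low[3])
    for name, typ in sorted(types.items()):
        if typ == "SSL" and name in bound:
            out.append(f"{name}: SSL GSLB service must not be bound to the GSLB virtual server")
        if typ == "HTTP" and name not in bound:
            out.append(f"{name}: HTTP GSLB service is not bound to a GSLB virtual server")
        missing = sorted({"http", "https"} - mons.get(name, set()))
        if missing:
            out.append(f"{name}: missing monitor(s) {missing}")
        if name not in persist:
            out.append(f"{name}: no site persistence configured")
    return out
```

An empty list from `audit` means every GSLB service has both monitors and site persistence, and only the HTTP services are bound to the GSLB virtual server.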
Persistence should be configured to ensure that a series of client requests for a particular domain name is sent to the same data center instead of being load balanced. For information on persistent connections, see Citrix eDocs - Configuring Persistent Connections.
CTX122619 - DNS and GSLB Primer
CTX110348 - How to Configure Global Server Load Balancing with NetScaler Appliances