How to Configure Active/Active GSLB for XenDesktop
Article ID: CTX213091
Description
We often encounter customers with business continuity goals which require XenDesktop user VMs to be available to users in the event of a full site failure. A passive disaster recovery failover configuration is often not desirable because customers want to be able to leverage their hardware investment in a secondary data center.
Instructions
Approach
The approach outlined in this article can be used with or without ICA proxy through the NetScaler Gateway. For the purposes of this document, the configuration assumes ICA proxy is desired; however, if this were an internal deployment without ICA Proxy, nothing would fundamentally change in the design, because NetScaler Gateway would still be used as the entry point. If ICA Proxy is not desired, configure the Web Interface sites as Direct for the access method but keep the authentication at Access Gateway. Additionally, because users are directed to a “preferred” or “home” data center based on group membership, NetScaler needs to know who the user is and which groups they are a member of. Therefore, authentication must be performed at the NetScaler, and group extraction is used to determine the user's group memberships. Explicit authentication of users to Active Directory (single domain) is also assumed; however, multiple domains and Smart Card authentication will also work. Finally, this approach will not work with Web Interface Services sites (PNAgent functionality).
Building Blocks
The following configuration items will be used:
- There are two separate data centers, DC1 and DC2, with a separate and independent XenDesktop Site in each.
- Users are assigned to an Active Directory group “homing” them to DC1 or DC2.
- There is an HA pair of NetScaler Enterprise or Platinum appliances in each data center with GSLB, where the NetScaler is configured as authoritative for a GSLB subdomain.
- Three NetScaler Gateway GSLB vservers are configured as follows on the HA pairs in each data center:
  - desktop.company.com: This is the NetScaler Gateway vserver providing the URL/FQDN that users enter into their browser in order to locate their desktop. This URL is configured for active/active GSLB across both DC1 and DC2. Load balancing will be based upon health monitoring and fastest response time.
  - dc1-desktop.company.com: This is a vserver that specifically refers to a NetScaler Gateway instance hosted in DC1. This vserver will be used to route ICA Proxy traffic to the DC1 NetScalers regardless of user location. This vserver will be configured in an active/passive GSLB configuration across both data centers where traffic will only be routed to DC2 in the event that DC1 is inaccessible.
  - dc2-desktop.company.com: This is a vserver that specifically refers to a NetScaler Gateway instance hosted in DC2. This vserver will be used to route ICA Proxy traffic to the DC2 NetScalers regardless of user location. This vserver will be configured in an active/passive GSLB configuration across both data centers where traffic will only be routed to DC1 in the event that DC2 is inaccessible.
- An additional vserver will be created on each HA pair of NetScalers at each data center so that the originating NetScaler can be located for Web Interface callback authentication. Since each callback authentication must go back to the original NetScaler, GSLB will not be used on these vservers.
  - dc1-callback.company.com (HA pair in DC1)
  - dc2-callback.company.com (HA pair in DC2)
- At least one pair of Web Interface / StoreFront servers at each data center
- Multiple NetScaler load balancing vservers will be created to provide access to the Web Interface servers.
- All Web Interface sites are created with authentication “At Access Gateway”.
- At least one XenDesktop site per data center (Note: If using Web Interface, this configuration can be used in conjunction with Dan Allen’s XenDesktop – High Availability & Load Balancing Add On for Web Interface! Using this add-on allows for multiple XenDesktop sites to be created and intelligently load balanced within each data center.)
- XenDesktop sites, Web Interface sites, Provisioning Services, etc. are all only site or data center specific. In other words, Web Interface in Data Center 1 only directs users to desktops in Data Center 1; Provisioning Services Farm in Data Center 1 will only serve desktops in Data Center 1, etc.
Architecture
The following diagram illustrates the high-level architecture and main components:

Important Note: NetScalers participating in a GSLB configuration do not share/replicate user authentication information. However, multiple NetScaler Gateway vservers on a single NetScaler appliance will have access to user authentication information. As the user access flow traverses the architecture illustrated above, it is important that any and all processes needing to verify user authentication be directed back to the same NetScaler appliance / HA pair that authenticated the user. This includes desktop enumeration and desktop launch processes. This is the reason for multiple NetScaler Gateway vservers and multiple Web Interface sites that differ only by which Callback vserver they use.
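The following Python model is an added example, not part of the original article or Citrix code. It traces one logon through the name-resolution rules described above so the callback constraint can be checked against site-failure scenarios. The AD group names, health flags and response times are constructed sample data, and it assumes a user homed to DCn launches through dcn-desktop.company.com.

```python
# Added illustration: models the name-resolution rules described in this article.
# Group names, RTT values and health flags are constructed sample data.
SITES = ("DC1", "DC2")
HOME_GROUPS = {"XD-Home-DC1": "DC1", "XD-Home-DC2": "DC2"}  # hypothetical AD groups


def resolve_active_active(health, rtt_ms):
    """desktop.company.com: healthy site with the fastest response time."""
    up = [s for s in SITES if health[s]]
    if not up:
        raise RuntimeError("no healthy site for desktop.company.com")
    return min(up, key=lambda s: rtt_ms[s])


def resolve_active_passive(primary, health):
    """dcN-desktop.company.com: primary site unless it is inaccessible."""
    if health[primary]:
        return primary
    backup = next(s for s in SITES if s != primary)
    if not health[backup]:
        raise RuntimeError(f"no healthy site for {primary.lower()}-desktop.company.com")
    return backup


def home_site(groups):
    """Group extraction: exactly one homing group must match."""
    homes = {HOME_GROUPS[g] for g in groups if g in HOME_GROUPS}
    if len(homes) != 1:
        raise ValueError(f"user must be homed to exactly one site, got {sorted(homes)}")
    return homes.pop()


def plan_session(groups, health, rtt_ms):
    """Return where each stage of the access flow lands for one logon."""
    auth = resolve_active_active(health, rtt_ms)  # appliance that authenticates
    home = home_site(groups)  # assumption: home site selects the ICA Proxy FQDN
    return {
        "authenticated_at": auth,
        "home": home,
        "ica_fqdn": f"{home.lower()}-desktop.company.com",
        "ica_lands_at": resolve_active_passive(home, health),
        # Callback is not behind GSLB: always the pair that authenticated the user.
        "callback_fqdn": f"{auth.lower()}-callback.company.com",
    }
```

A user homed to DC1 who is authenticated at DC2 still gets dc2-callback.company.com as the callback target, which is why the Web Interface sites differ only by callback vserver.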
Any version of XenDesktop 7 and above with NetScaler 12.1+
Issue/Introduction
This article describes how to configure Active/Active GSLB for XenDesktop.