Citrix NetScaler and Content Switching Setup Guide

    by David Brett, CTP

    Working in the technology industry, lots of us have home labs to test and learn on.  One of the major pitfalls is that many of us only have a single public IP address.  Publishing multiple internal services externally then becomes awkward and, more often than not, ends up with far too many port forwarding rules in place.  The same applies to many small businesses that have a single entry point to their network.

    How to get around this?  Citrix NetScaler Content Switching.

    The purpose of this article is to provide a guide to setting up a simple Citrix NetScaler Content Switch to host multiple externally facing services from a single IP address.

    First – What is the content switch doing in this example?

    Essentially we will be setting up a content switch listening on port 443 on a single IP address accessible from the outside world (normally in a DMZ with a NAT rule in place!).  We will point 3 external FQDN records at the SAME address, allow port 443 through our firewall and forward that traffic to our content switch.  Once there, the NetScaler looks at the Host header of the request to determine which FQDN the end user typed and hands the connection to the relevant internal service based on that FQDN.  Because the content switch terminates TLS (the Host header is only visible after decryption), it needs a certificate that is valid for all three names, such as a wildcard or SAN certificate.

    Now this is by no means everything that can be achieved from a NetScaler Content Switch but it is a great starting point and a common pain point for people running labs at home with 1 entry point.

    Setup

    • This article assumes you already have a NetScaler Gateway built
    • The 3 external fqdns we are going to use are mobile.bretty.me.uk, ug.bretty.me.uk and storefront.bretty.me.uk
    • ug.bretty.me.uk will redirect the user to a NetScaler Gateway
    • mobile.bretty.me.uk will redirect the user to an SSL-offloaded Non-Addressable vServer hosted on the NetScaler pointing to a XenMobile 10.3 Appliance in the DMZ
    • storefront.bretty.me.uk will redirect the user to an SSL-offloaded Addressable vServer hosted on the NetScaler pointing to a StoreFront Server (No Default Store Selected on StoreFront)

    Let's get going.

    First add 3 external DNS records pointing to the public IP address of your router.  In my case I am using DDNS to dynamically update a hosting service with my public IP, as it is not static.

    Next pick a free internal IP address (this will be your content switch IP) and add a NAT / port-forwarding rule on your firewall that sends all inbound TCP 443 traffic to that address.  Only 443 needs to be forwarded; none of the back-end servers are exposed directly.

    Ping (or simply resolve) all three external FQDNs to ensure that they all resolve and all go to the same address.

    Check that your NetScaler Gateway is up and running and verify that the other services you are about to load balance are all working.  I cannot tell you the number of times I have been setting up monitors and wondering why they are not working only to find that the actual service itself is down!
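The two checks above (all three names resolve to one public address, and each back-end service actually answers before you build monitors for it) are easy to script.  The following is an added example of mine, not code from the original post; the FQDNs, the expected public address and the back-end addresses are assumptions standing in for your own.

```python
# Added example (not from the original post): pre-flight checks for the
# single-IP content switching setup. The FQDNs, the expected public address
# and the back-end addresses are assumptions; substitute your own.
import socket
from typing import Callable, Dict, List, Optional, Sequence, Set, Tuple

Resolver = Callable[[str], Set[str]]
Prober = Callable[[str, int], bool]


def resolve_ipv4(fqdn: str) -> Set[str]:
    """All IPv4 addresses the system resolver returns for fqdn (empty set if none)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_external_names(fqdns: Sequence[str], expected_ip: Optional[str] = None,
                         resolver: Resolver = resolve_ipv4) -> List[str]:
    """Return a list of problems; an empty list means every name resolves to one shared address."""
    problems: List[str] = []
    addresses: Dict[str, str] = {}
    for fqdn in fqdns:
        found = resolver(fqdn)
        if not found:
            problems.append(f"{fqdn}: does not resolve")
        elif len(found) > 1:
            problems.append(f"{fqdn}: resolves to several addresses {sorted(found)}")
        else:
            addresses[fqdn] = next(iter(found))
    distinct = set(addresses.values())
    if len(distinct) > 1:
        problems.append(f"names point at different addresses: {addresses}")
    if expected_ip and distinct and distinct != {expected_ip}:
        # Typical cause on a home connection: the DDNS record has not caught up.
        problems.append(f"expected {expected_ip}, got {sorted(distinct)}")
    return problems


def check_backends(backends: Sequence[Tuple[str, str, int]],
                   prober: Prober = tcp_reachable) -> List[str]:
    """Return the names of back ends whose service port does not accept TCP connections."""
    return [name for name, host, port in backends if not prober(host, port)]


if __name__ == "__main__":
    # Constructed values for illustration; replace with your own.
    names = ["mobile.bretty.me.uk", "ug.bretty.me.uk", "storefront.bretty.me.uk"]
    for problem in check_external_names(names) or ["DNS: all names share one address"]:
        print(problem)
    # Back ends as the NetScaler will see them: StoreFront on 80, XenMobile on 80 and 8443.
    backends = [("storefront", "192.168.0.108", 80),
                ("xenmobile-http", "192.168.0.60", 80),
                ("xenmobile-enrolment", "192.168.0.60", 8443)]
    for name in check_backends(backends):
        print(f"{name}: port closed, fix the service before building monitors")
```

Run it from a machine that uses the same DNS as your clients; the resolver and prober are injectable so the checks can also be exercised with canned answers.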

    So, the first thing we need to do is set up the load balancing vServers on the NetScaler to handle the traffic for the Web Server and XenMobile.  In this example I am going to offload SSL for both services: TLS is terminated on the NetScaler and the back-end connections are plain HTTP on port 80, so that leg of the path is unencrypted and should stay inside a trusted network segment.

    Navigate to Traffic Management – Load Balancing – Servers

    Add a server record for each of the back end services you want to load balance

    Next go to Services

    Click add and enter the details for the service you want to load balance – make sure to point it to the server you created earlier

    Once you click OK you can select a monitor.  This is a pretty important step as this is what binds the service you want to load balance and the back end server together.  It essentially probes the server in a certain way to ensure that the service you want to load balance is working as expected.

    Click to assign a monitor

    NOTE: NetScaler assigns a default monitor to the service.  Click add to bind a more specific monitor to the service

    You will see there are a bunch of built in monitors to choose from

    Click on Add to add a specific monitor

    From the drop down list select STOREFRONT, click on special parameters and enter the name of your store.

    This is a Citrix-written monitor that specifically checks StoreFront is working on the server.  If you think about it, it's way better than a standard HTTP(S) probe: IIS could be running fine on the server while your Store is broken, down or deleted.  This intelligent monitor will pick up on that and mark the service as down.

    If you are monitoring on a secure port be sure to check the Secure box at the bottom of the main custom monitor page.

    Bind the monitor to the service

    Once bound hit refresh on the Service Monitor binding page – it will show you on the right if the monitor you have configured is working as expected.  At this point you can shut down IIS on your web server and make sure the monitor goes down and is therefore doing its job correctly

    Click close and Done to add the monitor and service

    Create another service on port 80 for XenMobile using the same steps as above.  However, when setting up the monitor configure a TCP monitor (Secure checked) that probes port 8443 of the XenMobile Appliance directly.  This ensures that the XenMobile enrolment port is alive, and hence that XenMobile is actually working, rather than just checking port 80!

    Once finished you will have 2 services now running

    Go to Virtual Servers

    Click Add to set up your Load Balancer for the Web Server

    Give the vServer a name and a free IP address, and select SSL as the protocol

    Click on No Load Balancing Service to bind and select your Web Server service from the list provided

    Click to bind a certificate (in this case my wildcard certificate) and click Done

    You will now see your Virtual Server ready to accept connections

    You can test this by going to the server in a browser

    Click Add to set up your XenMobile Load Balancer.

    NOTE: In this case I am selecting SSL but setting up the Load Balancer as a Non-Addressable vServer (IP 0.0.0.0, port 0).  It has no address of its own, so nothing can reach it directly; the content switch will hand traffic to this vServer, and hence to the back-end service, on the user's behalf.

    Select the Service to bind and add the certificate then click done.

    You will now have both vServers ready and running to accept Traffic.

    If you want to automate this then use the commands below to set up your NetScaler load balancers.  Be sure to substitute the server IP addresses, certificate names and store name; note that -cert must point at the certificate (chain) file and -key at the private key you uploaded.

    add server web.bretty.local 192.168.0.108
    add server xenmobile.bretty.local 192.168.0.60
    add service web_server_port_80 web.bretty.local HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
    add service xenmobile_port_80 xenmobile.bretty.local HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
    add ssl certKey wildcard.bretty.me.uk -cert wildcardchain.key -key wildcardchain.key
    add lb vserver web_vserver_port_443 SSL 192.168.0.65 443 -persistenceType NONE -cltTimeout 180
    add lb vserver xenmobile_vserver_port_443 SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
    add lb monitor custom-storefront-monitor STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED -storename bretty
    add lb monitor custom-xenmobile-monitor TCP -LRTM DISABLED -destPort 8443 -secure YES
    bind service xenmobile_port_80 -monitorName custom-xenmobile-monitor
    bind service web_server_port_80 -monitorName custom-storefront-monitor
    bind ssl vserver web_vserver_port_443 -certkeyName wildcard.bretty.me.uk
    bind ssl vserver xenmobile_vserver_port_443 -certkeyName wildcard.bretty.me.uk
    bind lb vserver web_vserver_port_443 web_server_port_80
    bind lb vserver xenmobile_vserver_port_443 xenmobile_port_80

    So, onto the Content Switch, this is where the magic happens.

    First Navigate to Traffic Management – Content Switching – Virtual Servers

    Click to add a new Content Switch, Select SSL as the protocol to listen on and give it an IP Address.  This will be the IP Address that you redirected your HTTPS traffic to on your firewall earlier.

    Don’t bind any policies to the Content Switch just yet but DO add a certificate to the vServer

    Your Content Switch vServer will now be up, waiting for incoming HTTPS connections.  We have not told it where to direct the traffic, so at this point it's pretty useless.

    Open the Actions.  This is where we will define what to do with the traffic when a policy rule is hit.  For example where to send the traffic coming in on the URL ug.bretty.me.uk

    Click to add an action for the NetScaler Gateway

    Give it a name, select NetScaler Gateway Virtual Server from the drop down list then select your NetScaler Gateway from the Target vServer box then click done

    Click again to add an action for the XenMobile Service.  This time select Load Balancing Virtual Server from the drop down and select your XenMobile Load Balancing vServer from the Target Load Balancing Virtual Server selection box.

    Repeat the XenMobile step for the Web Server.  You should then have 3 actions to cater for each of the URLs you will be handling.

    Next navigate to Policies.  This is where we tell the Content Switch which hostnames to listen for and what action to take when that hostname appears in the Host header of the incoming request.

    Click to add a new Policy

    Give it a name, select the relevant action, then in the expression add the following:

    HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("ug.bretty.me.uk")

    This tells the content switch to send every request whose Host header is ug.bretty.me.uk to the NetScaler Gateway.  SET_TEXT_MODE(IGNORECASE) makes the comparison case-insensitive and EQ requires an exact match, so a request for any name you have not listed matches no policy; since no default load balancing vServer is bound to the content switch, such a request is not forwarded to any back end.

    Repeat this step for the other two external URLs, changing the hostname in the expression each time.
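To make the policy semantics concrete, here is an added Python model of the decision the content switch makes for each request (my example, not NetScaler code): it pulls the Host header out of a decrypted request head, compares it case-insensitively against the three bindings in priority order, and returns the matching action, or None where nothing matched and, with no default vServer bound, the request goes nowhere.  The priorities, action names and sample requests are taken from this guide; the strip_port option is my addition and models matching on HTTP.REQ.HOSTNAME.SERVER, the name-only form of the expression, for clients that put an explicit port in the Host header.

```python
# Added example (not NetScaler code): a model of how the content switch
# picks a target from the Host header, mirroring the three policies in
# this guide. Priorities, action names and sample requests are constructed.
from typing import List, NamedTuple, Optional


class CsPolicy(NamedTuple):
    priority: int   # lower is evaluated first, as with `bind cs vserver ... -priority`
    hostname: str   # the literal compared by HTTP.REQ.HOSTNAME...EQ("...")
    action: str     # the cs action, i.e. which target vServer gets the request


# Same three bindings as the guide's script, in the same priority order.
POLICIES = [
    CsPolicy(100, "storefront.bretty.me.uk", "cs_action_web_server"),
    CsPolicy(110, "mobile.bretty.me.uk", "cs_action_xenmobile"),
    CsPolicy(120, "ug.bretty.me.uk", "cs_action_netscaler_gateway"),
]


def host_header(request_head: bytes) -> Optional[str]:
    """Extract the Host header value from a request head (what is visible after TLS termination)."""
    lines = request_head.decode("latin-1").split("\r\n")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def hostname_server(host: str) -> str:
    """Host without any :port suffix (the assumed behaviour of HTTP.REQ.HOSTNAME.SERVER)."""
    if host.startswith("["):            # IPv6 literal such as [2001:db8::1]:443
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def select_action(request_head: bytes, policies: List[CsPolicy],
                  strip_port: bool = False) -> Optional[str]:
    """Action of the first matching policy, or None: no default vServer, so nothing is forwarded."""
    host = host_header(request_head)
    if host is None:
        return None
    if strip_port:
        host = hostname_server(host)
    # SET_TEXT_MODE(IGNORECASE).EQ(...) is a case-insensitive exact match.
    for policy in sorted(policies, key=lambda p: p.priority):
        if host.lower() == policy.hostname.lower():
            return policy.action
    return None


def _req(host_line: Optional[str]) -> bytes:
    """Constructed request head; host_line=None omits the Host header entirely."""
    head = "GET /Citrix/StoreWeb/ HTTP/1.1\r\n"
    if host_line is not None:
        head += f"Host: {host_line}\r\n"
    return (head + "\r\n").encode()


if __name__ == "__main__":
    for host in ["ug.bretty.me.uk", "STOREFRONT.bretty.me.uk",
                 "mobile.bretty.me.uk:443", "evil.example", None]:
        print(f"{host!s:28} -> {select_action(_req(host), POLICIES)}")
```

The unknown-name and missing-Host cases are the ones worth keeping in mind: they reach the content switch (the wildcard certificate covers any name under the domain) but match no policy, which is exactly the behaviour you want from a single exposed listener.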

    Next we need to bind these policies to the content switch so it knows about them.  Open the Content Switch and click where it says No Content Switching Policies Bound

    Select your new policies to be bound to the Content Switch

    Once all 3 are bound select done. Your Content Switch is now listening on port 443 for the 3 URLs you have specified and knows what to do with the traffic once it hits the Content Switch

    You are ready to test now.  However if you want to automate the Content Switch set up then here is the script to do it, again substitute the IP addresses and names to suit your environment.

    add cs vserver content_switch_port_443 SSL 192.168.0.66 443 -cltTimeout 180
    add cs action cs_action_netscaler_gateway -targetVserver netscaler_gateway
    add cs action cs_action_xenmobile -targetLBVserver xenmobile_vserver_port_443
    add cs action cs_action_web_server -targetLBVserver web_vserver_port_443
    add cs policy cs_policy_netscaler_gateway -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"ug.bretty.me.uk\")" -action cs_action_netscaler_gateway
    add cs policy cs_policy_xenmobile -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"mobile.bretty.me.uk\")" -action cs_action_xenmobile
    add cs policy cs_policy_web_server -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"storefront.bretty.me.uk\")" -action cs_action_web_server
    bind cs vserver content_switch_port_443 -policyName cs_policy_web_server -priority 100
    bind cs vserver content_switch_port_443 -policyName cs_policy_xenmobile -priority 110
    bind cs vserver content_switch_port_443 -policyName cs_policy_netscaler_gateway -priority 120
    bind ssl vserver content_switch_port_443 -certkeyName wildcard.bretty.me.uk

    Test the StoreFront URL

    If you navigate to Content Switch – Policies you will see what policy is servicing the request

    Test XenMobile

    Test NetScaler Gateway

    You can see all 3 policies have been hit, one for each incoming hostname
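For a repeatable version of these three browser tests, here is an added Python probe (my example, not part of the original post).  It connects straight to the content switch address with a TLS SNI and Host header for each published name, so it works even before public DNS is updated, and then tries a name that matches no policy to confirm such requests are not forwarded.  CS_IP and the hostnames are taken from this guide and are assumptions to replace with your own; the request bytes are constructed here.

```python
# Added example (not from the original post): exercise the content switch
# from a client by dialling its IP directly with SNI + Host set per name.
# CS_IP and NAMES are assumptions taken from the guide; replace with yours.
import socket
import ssl
from typing import Dict, Optional, Tuple

CS_IP = "192.168.0.66"
NAMES = ["storefront.bretty.me.uk", "mobile.bretty.me.uk", "ug.bretty.me.uk"]


def build_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 GET; the Host header is what the cs policies inspect."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: cs-probe\r\nConnection: close\r\n\r\n").encode("ascii")


def parse_response_head(raw: bytes) -> Tuple[Optional[int], Dict[str, str]]:
    """Status code and lower-cased headers from a response, or (None, {}) if nothing usable came back."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def probe(host: str, cs_ip: str = CS_IP, verify: bool = True, timeout: float = 5.0) -> dict:
    """Connect to the content switch IP (no DNS needed) with SNI=host and report what came back."""
    ctx = ssl.create_default_context()
    if not verify:                      # only for a lab certificate your client does not trust
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    result = {"host": host, "status": None, "location": None, "cert_cn": None, "error": None}
    try:
        with socket.create_connection((cs_ip, 443), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=host) as tls:
                cert = tls.getpeercert() if verify else None
                if cert:
                    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                    result["cert_cn"] = subject.get("commonName")
                tls.sendall(build_request(host))
                raw = b""
                while len(raw) < 65536:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
                result["status"], headers = parse_response_head(raw)
                result["location"] = headers.get("location")
    except (OSError, ssl.SSLError) as exc:
        # A reset or empty reply on the unknown name is the expected "no policy matched" outcome.
        result["error"] = repr(exc)
    return result


if __name__ == "__main__":
    for name in NAMES + ["unknown.bretty.me.uk"]:
        r = probe(name)
        print(f"{r['host']:26} status={r['status']} location={r['location']} "
              f"cn={r['cert_cn']} error={r['error']}")
```

Expect a redirect or page for the three published names (StoreFront and the Gateway typically answer with a redirect to their logon page) and no HTTP response at all for the unknown name.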

    That’s it, hopefully this helps some of you out with your Single IP Address woes and gives you a basic understanding of Citrix NetScaler Content Switching.
