
Load Balancing Virtual Server to internal Layer 7 Load Balancer



Dear Citrix Community,

I'm pretty new to NetScaler administration, so maybe there is a simple way to resolve my issue, but so far I haven't been able to find it.

This is the scenario I'm working on right now:

We're running version NS12.0 56.20.nc
We have a web service running in the internal network. The service has to be accessed through an internal layer 7 load balancer. Let's call it loadbalancer.domain.local.
Based on the CNAME I use, the load balancer knows which service I am trying to connect to. So I have a CNAME for the service. Let's call it servicecname.domain.local, pointing to loadbalancer.domain.local.
When I have to access the service from the internal network I just use https://servicecname.domain.local and everything works fine.

 

This is where the Netscaler kicks in. My challenge is to publish the service to the Internet.
So I got a domain (let's call it service.domain.ext), a public IP address, a DNS record, and a NAT to a DMZ IP address that I use as the IP address for a load balancing virtual server on the NetScaler.
Then I created a server under Traffic Management->Load Balancing->Servers
I created the server using the domain name servicecname.domain.local.
In the next step I created a service based on the freshly created server under Traffic Management->Load Balancing->Services
I selected SSL as the protocol and 443 as the port. When I finished configuring the service I could already see that the service had resolved the domain name to an IP address.
The service comes up and I add it to a Load Balancing Virtual Server.

When I access the URL service.domain.ext I get redirected to the internal load balancer (I definitely reach the load balancer), but the load balancer doesn't know what to do with my request, most likely because the CNAME has been resolved to an IP address when creating the service.

So my first guess is that it's not working because the CNAME (servicecname.domain.local) has been resolved to the IP address of loadbalancer.domain.local. Which is technically correct, of course, but then the load balancer doesn't have the necessary information on where to redirect my request.

 

Is it possible to connect a Load Balancing Virtual Server to an internal layer 7 load balancer that is based on CNAMEs?
Am I missing something in my configuration?

 

Thank you very much in advance!

Regards
Michael

 

PS: I was able to publish the service by bypassing the internal load balancer and addressing the service directly, but this is just a workaround; using the internal load balancer would be much cleaner and is definitely preferred.


There are two parts to this puzzle: the DNS resolution part and the HTTP part.

 

From your description, the first part is working fine. Coming to the second part: if you access the internal LB using https://servicecname.domain.local, this means the LB is seeing servicecname.domain.local in the Host header.

 

When you access it externally using service.domain.ext and the request lands on the internal LB, the Host header it would see is service.domain.ext, and it doesn't know what to do with it. You can try a rewrite on the NetScaler to change the Host header to servicecname.domain.local to see if it helps.

 

Rewrite action and policy:

 

add rewrite action rewrite_host_hdr_act replace "HTTP.REQ.HEADER(\"Host\")" "\"servicecname.domain.local\""

 

add rewrite policy rewrite_host_hdr_pol "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"service.domain.ext\")" rewrite_host_hdr_act

 

Bind the above policy to the LB vserver on the NetScaler.

 

 


On 26.1.2019 at 8:05 PM, Siddhartha Sarmah said:

When you access it externally using service.domain.ext and the request lands on the internal LB, the Host header it would see is service.domain.ext, and it doesn't know what to do with it. You can try a rewrite on the NetScaler to change the Host header to servicecname.domain.local to see if it helps.

Okay, there we go. I simply didn't think of that...

I haven't worked with rewrite policies yet. I'll tinker around with that and give you an update as soon as possible. Unfortunately I ran into other issues in the meantime that I have to fix first :D

 

Thank you so much for your reply!


1 month later...

Okay, I'm sorry it took me so long to continue working on this, but we sorted it out.

Thank you siddharthas for your help. I created the policy as you described, and it manipulated the header exactly as you would expect, but that led to certificate issues and so on. Still, it helped me a lot on my way to understanding the problem.

While the internal load balancer was expecting a local domain in the Host header, my traffic had the external domain in the Host header. We ended up adding the external URL to the rule on the internal load balancer and got it to work without any traffic manipulation.

 

Thanks again siddharthas for your support!

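The following is an added illustration, not code from the thread or from Citrix. It models in Python the Host-header problem that Siddhartha's answer describes and both fixes discussed in the thread: the NetScaler rewrite (replace Host when it CONTAINS the external name) and Michael's final fix (adding the external name to the internal load balancer's rule). The raw request, the backend address 10.0.5.20:8443 and the exact-hostname rule table are all constructed for the example; the real internal load balancer's matching logic is not known from the thread, and an exact, case-insensitive match on the hostname without port is an assumption.

```python
"""Model of the Host-header routing problem discussed in the thread.

Constructed example: a raw HTTP/1.1 request as the internal Layer 7 load
balancer sees it after TLS termination, a NetScaler-style rewrite policy,
and the internal LB's host-based rule table. Hostnames are the thread's
placeholders; the backend address is invented for the example.
"""

EXTERNAL_HOST = "service.domain.ext"
INTERNAL_HOST = "servicecname.domain.local"

# Constructed: what the NetScaler forwards to loadbalancer.domain.local
# when a client opens https://service.domain.ext/ (no rewrite configured).
REQUEST = (
    b"GET /app/ HTTP/1.1\r\n"
    b"Host: service.domain.ext\r\n"
    b"User-Agent: curl/7.64.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request-line, headers dict).
    Header names are case-insensitive, so keys are lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def host_only(host_header: str) -> str:
    """A Host header may carry a port (service.domain.ext:443); an L7
    rule normally matches on the name alone (assumption about the LB)."""
    return host_header.split(":", 1)[0].lower()


def rewrite_host(headers: dict, match: str, new_host: str) -> dict:
    """Equivalent of the thread's NetScaler rewrite policy and action:
    if HTTP.REQ.HEADER("Host").CONTAINS(match), replace the Host header
    value with new_host. Returns a new header dict; input is untouched."""
    out = dict(headers)
    if match.lower() in headers.get("host", "").lower():
        out["host"] = new_host
    return out


def route(headers: dict, rules: dict):
    """The internal L7 load balancer: pick a backend by exact hostname.
    Returns the backend, or None when no rule matches, which is the
    thread's 'doesn't know what to do with my request'."""
    return rules.get(host_only(headers.get("host", "")))


# Internal LB rules as the thread describes them: only the internal CNAME
# is known. The backend address is constructed.
INTERNAL_RULES = {INTERNAL_HOST: "10.0.5.20:8443"}


def scenario_as_reported():
    """External request, no rewrite: the LB finds no matching rule."""
    _, headers = parse_request(REQUEST)
    return route(headers, INTERNAL_RULES)


def scenario_with_rewrite():
    """Siddhartha's suggestion: the NetScaler rewrites Host before
    forwarding, so the unchanged LB rule matches."""
    _, headers = parse_request(REQUEST)
    rewritten = rewrite_host(headers, EXTERNAL_HOST, INTERNAL_HOST)
    return rewritten["host"], route(rewritten, INTERNAL_RULES)


def scenario_final_fix():
    """Michael's final fix: add the external name to the LB rule. No
    rewrite is needed and the backend sees the original Host header."""
    rules = dict(INTERNAL_RULES)
    rules[EXTERNAL_HOST] = INTERNAL_RULES[INTERNAL_HOST]
    _, headers = parse_request(REQUEST)
    return headers["host"], route(headers, rules)


if __name__ == "__main__":
    print("as reported :", scenario_as_reported())
    print("with rewrite:", scenario_with_rewrite())
    print("final fix   :", scenario_final_fix())
```

Running the block prints None for the scenario as reported, the backend for the rewritten request, and the backend with the original external Host header for the final fix. One caveat the model makes visible: the rewrite changes only the HTTP Host header. It does nothing at the TLS layer between the NetScaler and the internal load balancer (server name indication, the certificate the LB presents), and any absolute URLs or redirects the application builds from the Host header will now carry the internal name. That is why a Host rewrite is a useful diagnostic but, as the thread's final post shows, teaching the internal load balancer the external name is the cleaner fix.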
