Netscaler GSLB Active Active

Hello,

I am looking to set up a GSLB active-active config between two datacenters.

I have one public IP allotted for the gateway (145.x.x.x) and one for ADNS, in each datacenter.

I have one subnet IP (private range) 10.x.x.x and a VIP for the local GSLB site 10.x.x.x.

I have firewall rules open from the company's external DNS servers to the ADNS public IP, and created a delegated zone gslb.company.com on the external ADNS server.

Firewall rules are open from the SNIP and GSLB public IP (ADNS public IP) of the Netscaler in DC1 to the GSLB public IP of DC2 for MEP.

Need your advice to confirm if my understanding is correct:

1) The name server host record on the external DNS servers resolves to the ADNS public IP. Would this be correct, or does that need to be a different public IP?

2) Domains created on GSLB would be gslb.company.com and company.com; company.com would resolve to internal DNS hosts.

3) Do I need a different set of private IPs for the GSLB service, or a distinct set of IPs, and are there any firewall rules that would be needed for the service communication?

Many thanks

Prasad P

Many thanks Mihai, that's quite helpful.

The public IP addresses associated with the ADNS services on my Netscalers are registered as name servers on my company's external DNS servers.

I have configured the Netscalers as SOA for the delegated zone gslb.company.com.

The users would be accessing the URL as citrix.company.com, which is a CNAME record mapped to citrix.egslb.company.com, which again is a CNAME created on the Netscalers that resolves to host records for the Netscaler VPN gateways:

dc1gateway.gslb.company.com

dc2gateway.gslb.company.com

I have put in bidirectional firewall rules to enable DNS UDP/TCP traffic between the external company DNS and the Netscalers.

Would be grateful if you could help confirm this approach would work?

I have configured the GSLB service IP using an internal IP. Do I require any firewall rules for the GSLB service to communicate on SSL? Looking at the firewall requirements referring to the Citrix and Carl Stalhood KB, I couldn't find any mention.

Hi!

As far as I know the GSLB services need to be the VIPs on your Netscaler. One VIP is on one device and the other is on the other.

You also need to have a domain name on the Netscaler, for example:

bind gslb vserver gslb-citrix.egslb.company.com -domainName citrix.egslb.company.com -TTL 5

At this point this domain will resolve every 5 seconds to one of the VIP IPs (GSLB services).

You can have a CNAME pointing to this domain on the main DNS zone.

I don't think you can have private IPs for these VIPs. They need to have public IPs.

Check this article by Carl, it explains everything:

https://www.carlstalhood.com/global-server-load-balancing-gslb-netscaler-12/

Here is a template for a gslb service named citrix.egslb.company.betfair:

add server gslb-citrix.egslb.company.com01 xx.xx.xx.xx
add server gslb-citrix.egslb.company.com02 yy.yy.yy.yy

# Add HTTP GSLB vserver
add gslb vserver gslb-citrix.egslb.company SSL -backupLBMethod ROUNDROBIN

# Define GSLB HTTP Services - RUN ONLY ON Netscaler1
add gslb service gslb-443-citrix.egslb.company.com01 gslb-citrix.egslb.company.com01 SSL 443 -publicIP xx.xx.xx.xx -publicPort 443 -sitename gslb-Site1 -cltTimeout 180 -svrTimeout 360 -downStateFlush DISABLED
add gslb service gslb-443-citrix.egslb.company.com02 gslb-citrix.egslb.company.com02 SSL 443 -publicIP yy.yy.yy.yy -publicPort 443 -sitename gslb-Site2 -cltTimeout 180 -svrTimeout 360 -downStateFlush ENABLED

# Define GSLB HTTP Services - RUN ONLY ON Netscaler2
add gslb service gslb-443-citrix.egslb.company.com01 gslb-citrix.egslb.company.com01 SSL 443 -publicIP xx.xx.xx.xx -publicPort 443 -sitename gslb-Site1 -cltTimeout 180 -svrTimeout 360 -downStateFlush ENABLED
add gslb service gslb-443-citrix.egslb.company.com02 gslb-citrix.egslb.company.com02 SSL 443 -publicIP yy.yy.yy.yy -publicPort 443 -sitename gslb-Site2 -cltTimeout 180 -svrTimeout 360 -downStateFlush DISABLED

# Bind GSLB vservers to the VIP and give it the domain name.
bind gslb vserver gslb-citrix.egslb.company -serviceName gslb-443-citrix.egslb.company.com01
bind gslb vserver gslb-citrix.egslb.company -serviceName gslb-443-citrix.egslb.company.com02

bind gslb vserver gslb-citrix.egslb.company -domainName citrix.egslb.company.betfair -TTL 5
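A small consistency check for a template like the one above, added here as an editor's example rather than anything from the thread or from Citrix: it tokenises the add/bind lines and flags services that point at an unknown server, vserver bindings to services that were never added, vservers whose services sit at fewer than two sites (so the setup is not active-active), and vservers with no domain bound. The sample config, the RFC 5737 addresses and the domain citrix.egslb.company.com are constructed placeholders.

```python
import shlex
# Constructed sample modelled on the template above; RFC 5737 addresses and a placeholder domain, not the poster's.
SAMPLE_CONFIG = """
add server gslb-citrix.egslb.company.com01 192.0.2.10
add server gslb-citrix.egslb.company.com02 198.51.100.10
add gslb vserver gslb-citrix.egslb.company SSL -backupLBMethod ROUNDROBIN
add gslb service gslb-443-citrix.egslb.company.com01 gslb-citrix.egslb.company.com01 SSL 443 -publicIP 192.0.2.10 -publicPort 443 -sitename gslb-Site1
add gslb service gslb-443-citrix.egslb.company.com02 gslb-citrix.egslb.company.com02 SSL 443 -publicIP 198.51.100.10 -publicPort 443 -sitename gslb-Site2
bind gslb vserver gslb-citrix.egslb.company -serviceName gslb-443-citrix.egslb.company.com01
bind gslb vserver gslb-citrix.egslb.company -serviceName gslb-443-citrix.egslb.company.com02
bind gslb vserver gslb-citrix.egslb.company -domainName citrix.egslb.company.com -TTL 5
"""

def _opts(tokens):
    """Map '-publicIP 192.0.2.10 -sitename x' style options to a lower-cased dict."""
    return {tokens[i][1:].lower(): tokens[i + 1]
            for i in range(len(tokens) - 1) if tokens[i].startswith("-")}

def check_gslb_config(text):
    """Return a list of findings; an empty list means the config is self-consistent."""
    servers, vservers, services, bound, domains = set(), set(), {}, {}, {}
    for line in text.splitlines():
        t = shlex.split(line.split("#", 1)[0])  # drop comments, tokenise like the CLI
        if t[:2] == ["add", "server"]:
            servers.add(t[2])
        elif t[:3] == ["add", "gslb", "vserver"]:
            vservers.add(t[3])
        elif t[:3] == ["add", "gslb", "service"]:
            services[t[3]] = {"server": t[4], **_opts(t[7:])}
        elif t[:3] == ["bind", "gslb", "vserver"]:
            o = _opts(t[4:])
            if "servicename" in o:
                bound.setdefault(t[3], []).append(o["servicename"])
            if "domainname" in o:
                domains.setdefault(t[3], []).append(o["domainname"])
    findings = []
    for name, svc in services.items():
        if svc["server"] not in servers:
            findings.append(f"service {name} references unknown server {svc['server']}")
    for vs in vservers:
        svcs = bound.get(vs, [])
        for s in svcs:
            if s not in services:
                findings.append(f"vserver {vs} binds unknown service {s}")
        sites = {services[s].get("sitename") for s in svcs if s in services}
        if len(sites) < 2:
            findings.append(f"vserver {vs} covers {len(sites)} site(s); active-active needs two")
        if vs not in domains:
            findings.append(f"vserver {vs} has no -domainName bound, so nothing resolves to it")
    return findings
```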

Can I use the existing gateway IP?

https://developer-docs.citrix.com/projects/netscaler-command-reference/en/12.0/gslb/gslb-service/gslb-service/

IP

IP address for the GSLB service. Should represent a load balancing, content switching, or VPN virtual server on the NetScaler appliance, or the IP address of another load balancing device.

Port 443 should be used by the VIP, which has a public IP, so of course it needs to be opened.

For communication between the 2 Netscalers you need TCP ports 3009 and 3011.

"TCP Ports – MEP uses port TCP 3009 or TCP 3011 between the ADC pairs. TCP 3009 is encrypted.

Make sure only the MEP IPs can access this port on the other ADC. Do not allow any other device on the Internet to access this port. Port 3009 is encrypted."

"For external DNS, create a public IP for the ADNS Listener IP, and open UDP 53 and TCP 53, so Internet-based DNS servers can access it.

The ADNS IP address can be used as the MEP endpoint IP."

"GSLB Sync Ports: To use GSLB Configuration Sync, open ports TCP 22 and TCP 3008 (secure) from the NSIP (management IP) to the remote public MEP IP. The GSLB Sync command runs a script in BSD shell and thus NSIP is always the Source IP."
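An editor's example (not from the thread or from Citrix) that turns the quoted port guidance into a check over a firewall rule table: it reports the ADNS, MEP and GSLB-sync flows that are missing, and flags any rule that opens the MEP or sync ports to 0.0.0.0/0, which the guidance says must never happen. The topology addresses, the rule table and the probe host 203.0.113.1 are constructed RFC 5737 placeholders.

```python
import ipaddress

# Constructed topology using RFC 5737 documentation addresses, not the poster's real IPs.
LOCAL_MEP = "192.0.2.10"      # DC1 ADNS listener, reused as the MEP endpoint (as in the thread)
REMOTE_MEP = "198.51.100.10"  # DC2 ADNS listener / MEP endpoint
LOCAL_NSIP = "10.0.0.5"       # DC1 management IP: always the source for GSLB config sync
MEP_PORTS = {3009, 3011}
SYNC_PORTS = {22, 3008}

# Constructed firewall table of allow rules: (src_cidr, dst_cidr, proto, dst_port).
SAMPLE_RULES = [
    ("0.0.0.0/0", "192.0.2.10/32", "udp", 53),
    ("0.0.0.0/0", "192.0.2.10/32", "tcp", 53),
    ("192.0.2.10/32", "198.51.100.10/32", "tcp", 3009),
    ("10.0.0.5/32", "198.51.100.10/32", "tcp", 22),
    ("10.0.0.5/32", "198.51.100.10/32", "tcp", 3008),
]

def permits(rules, src, dst, proto, port):
    """True if some allow rule covers this src host -> dst host flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(rs, strict=False)
               and d in ipaddress.ip_network(rd, strict=False)
               and rp == proto and rport == port
               for rs, rd, rp, rport in rules)

def audit_gslb_rules(rules, local_mep=LOCAL_MEP, remote_mep=REMOTE_MEP, nsip=LOCAL_NSIP):
    """Return findings for flows the quoted guidance requires, plus ports exposed too widely."""
    findings = []
    # ADNS: Internet-based DNS servers must reach the listener on UDP and TCP 53;
    # 203.0.113.1 stands in for "any Internet host" when probing the rule table.
    for proto in ("udp", "tcp"):
        if not permits(rules, "203.0.113.1", local_mep, proto, 53):
            findings.append(f"missing: any -> {local_mep} {proto}/53 (ADNS)")
    # MEP: TCP 3009 (encrypted) or 3011 from the local site IP to the remote site IP.
    if not any(permits(rules, local_mep, remote_mep, "tcp", p) for p in MEP_PORTS):
        findings.append(f"missing: {local_mep} -> {remote_mep} tcp/3009 or 3011 (MEP)")
    # Sync: NSIP to the remote public MEP IP on TCP 22 and 3008.
    for p in sorted(SYNC_PORTS):
        if not permits(rules, nsip, remote_mep, "tcp", p):
            findings.append(f"missing: {nsip} -> {remote_mep} tcp/{p} (GSLB sync)")
    # Exposure: MEP and sync ports must only be reachable from the peer, never from 0.0.0.0/0.
    for rs, rd, rp, rport in rules:
        if rport in MEP_PORTS | SYNC_PORTS and ipaddress.ip_network(rs, strict=False).prefixlen == 0:
            findings.append(f"exposed: {rs} -> {rd} {rp}/{rport} open to the Internet")
    return findings
```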

Many thanks Mihai for all your help.

I probably should have mentioned this earlier.

We are looking to set up GSLB to load balance and direct traffic across data centers where a Netscaler Gateway is configured on each DC's Netscalers.

I am assuming we still need a separate VIP for the GSLB service and should not be using the virtual gateway IPs for the GSLB service?

Apologies for my rookie questions.

Many thanks Mihai

I have the GSLB services created and bound them to the VIP.

However, the remote GSLB site Metric Exchange appears to be down. Firewall rules from the local GSLB site IP (SNIP) to the remote GSLB site IP (public IP, which is also the ADNS service IP) on port 3009 (secure) are open.

RPC for the public IPs is enabled for secure.

Strangely, a TCP dump on port 3009 doesn't show any output.

Please could I ask your advice if there's anything further? Running a trace now, and once the firewall guys are in, I shall check for any traffic from the local site IP to the public IP.

Could you help advise if there's anything other than the firewall that could be an issue here?

"TCP Ports – MEP uses port TCP 3009 or TCP 3011": have you checked 3011?

"The ADNS listener IP is typically an existing SNIP on the appliance.

MEP endpoint can be any IP – The MEP endpoint IP address can be any IP address and does not need to be a SNIP or ADNS.

GSLB Sites – On ADC, you create GSLB Sites. GSLB Sites are the endpoints for the MEP communication."

Citrix ADC Troubleshooting GSLB MEP and Sync Cheat Sheet:

https://support.citrix.com/article/CTX244517
