Jump to content
Welcome to our new Citrix community!

NetScaler ADC redirecting to the clients to the Service Group Port

Sadako Hattori

Recommended Posts

I have a web server with multiple web sites on the back end all on different ports. 

The clients come in to a content switching load balancer and based off the url get sent to the load balanced server. 

The web server listens on ports 8100-8125. The content switching virtual server is on port 443.

For some reason, the Netscaler keeps directing the clients to the port on the back end. that's obviously not working as it's not open on the firewall. 

I have this working in other environments using regular load balanced servers (not content switching). Any ideas why this would be? At this point, we are scrapping our migration scheduled for this weekend. 


I have an open case (well, 3 actually), but thus far no one has been able to help. 

Link to comment
Share on other sites

Hard to assess without 1) the config and 2) and example of what you are seeing.

It would help if you could share your cs vserver and policies (at least in part), the lb vserver (with listen policies) and the service bindings to see if there is something procedurally wrong in how you approached it.


Do you have any policies bound to the cs vserver or lb vserver that is relying on responder or redirects that would present an alternate port to the user (insteand of when you needed to do a rewrite or a cs policy instead.)


It could also be that the web servers on the backend are referencing specific ports or absolute urls assuming you are talking to the web servers directly and these are reaching the client and circumventing the cs entry point. Which may mean you need rewrites and/or url transform.


Link to comment
Share on other sites

My CS VServer policy states that if there's "/something" in the URL, to direct it to the SOMETHING-LBV server. 

the SOMETHING-LBV server's service groups connect to the web servers on port 8100, the CS virtual server listens on port 443.

What happens is the user goes to the /something URL, Firefox an Chrome display "ERR_INVALID_HTTP_RESPONSE" whereas Edge shows this in the address bar: 



I can verify in the firewall that the browser traffic is now trying to hit the server on port 8100, which is not open to the world. That's only open on the internal network. The client should never be directed to 8100.

None of the CS policies, responder policies, or anything else would  direct a user to that port. The only place that port is specified is in the service group, so why is the Netscaler directing the users to that port? 


Link to comment
Share on other sites

Well, its possible links in the response outbound from the servers are containing their ports and sending it to the user and you would need some sort of rewrite or url transform to keep this on 443 externally.  So look at the links in your response body content to see if this is what is being returned to the user which is then circumventing your cs vserver.



Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...