
Netscaler ADC - Prevent Load balancing and Redirection from a specific set of IPs


Rowlins Thomas


Hello there,

I have a requirement that I am trying to accomplish where all users would access a URL, say https://abc.com, which is redirected to https://abc.com/xyz/org. This is done within the Netscaler ADC. How can I prevent this redirection and load balancing from happening for a specific set of IPs, while keeping it working for all others?

A little background of my user access is as follows:

Client IP1 <--> Netscaler VIP <--> Netscaler SNIP <--> ServerA, ServerB

Client IP2 <--> Netscaler VIP <--> Netscaler SNIP <--> ServerA, ServerB

If an administrator is logged in to ServerA or ServerB, it's from these server IPs that I don't want load balancing or redirection to work if they call https://abc.com


In the responder policy that does the redirect, exclude IPs using one of these expressions:

!client.ip.src.in_subnet(x.x.x.x/yy) && http.req.url.path.eq("/")   # subnet worth of ips

-alternate-

!(client.ip.src.eq(x.x.x.x) || client.ip.src.eq(x.x.x.x)) && http.req.url.path.eq("/")     ...  # specific IPs

This would redirect any user NOT from the bad IP but still going to "/".

You can't really prevent load balancing if you are hitting a load balancing vserver, but if requests went to a CS vserver and you identified the excluded IP range and directed them to a different lb tier (that pointed to a single service for example) vs the regular traffic that sorted to your regular lb vserver, then you might also have an option.

I'm not exactly clear on your example: If the admin is on ServerA, and makes a connection to its own lbvserver, you want to bypass the redirect and lb function?

Depending on exactly what you are doing, the responder policy expression will stop the redirect from certain IPs. Whether you also need content switching or not, depends.

Edited by Rhonda Rowland
fixed type in expression
  • Like 2
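The two options from the answer above, written out as NetScaler CLI. This is an added example, not configuration posted by anyone in the thread. The vserver, action and policy names and the 192.0.2.x addresses are placeholders, and the LB and CS vservers are assumed to exist already.

```netscaler
# Placeholders (not from the thread):
#   lb_vra_users    existing LB vserver serving https://abc.com for end users
#   lb_vra_admin    separate LB vserver for the excluded sources (option 2)
#   cs_vra          content switching vserver that owns the VIP (option 2)
#   192.0.2.11/.12  ServerA / ServerB source IPs as the ADC sees them
# CLIENT.IP.SRC is the source address of the connection arriving at the VIP;
# if server traffic is NATed on the way, match the translated address instead.

# Option 1: one LB vserver; the responder policy skips the excluded IPs.
add responder action act_redirect_tenant redirect "\"https://abc.com/xyz/org\"" -responseStatusCode 302
add responder policy pol_redirect_tenant "!(CLIENT.IP.SRC.EQ(192.0.2.11) || CLIENT.IP.SRC.EQ(192.0.2.12)) && HTTP.REQ.URL.PATH.EQ(\"/\")" act_redirect_tenant
bind lb vserver lb_vra_users -policyName pol_redirect_tenant -priority 100 -gotoPriorityExpression END -type REQUEST

# Check: the hit counter should rise for ordinary clients requesting "/"
# and stay flat for requests coming from the two excluded addresses.
show responder policy pol_redirect_tenant

# Option 2: content switching sends the excluded IPs to their own LB vserver,
# which has no redirect policy bound; everyone else falls through to the
# default LB vserver, where pol_redirect_tenant is bound as above.
add cs policy pol_cs_admin -rule "CLIENT.IP.SRC.EQ(192.0.2.11) || CLIENT.IP.SRC.EQ(192.0.2.12)"
bind cs vserver cs_vra -policyName pol_cs_admin -targetLBVserver lb_vra_admin -priority 100
bind cs vserver cs_vra -lbvserver lb_vra_users
```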

Thanks Rhonda,

All right, I hope I get this right in writing.

In fact, I actually have a set of VMware VRA servers (Server A, Server B in my above example) which themselves are load balanced using the same VIP on various ports for their internal operations, and which need to function as is.

abc.com gets resolved to a VIP, say 10.10.10.10, which is the same VIP used for everything in here.

https://abc.com is something that displays a sort of admin panel and more administrative options, but this must be available from the servers ONLY and NOT to the end users, AND from these servers https://abc.com shouldn't get redirected.

For the users who would be accessing from some other random IPs, https://abc.com must be redirected to the user's tenant, which would be https://abc.com/xyz/org

The responder policy is something that I did give a try; no luck, but with the usage of CLIENT.IP.SRC.NE


Hello,

What version of NetScaler are you using? I was about to post the same answer as Rhonda before reading his.

In the Responder policy configured, instead of "true" for example, you should exclude every IP not coming from your VRA servers.
