Jump to content
Welcome to our new Citrix community!

Local Balancing based on AD User ID and AD Group membership

Recommended Posts

I had a request from one of our management team to add AD authentication at the 

load balancer and to send traffic for users in a specific group to preferred backend

servers. Is this possible? 


Currently I had SSL bridging just forwarding traffic to a web server and users authenticate

there. Can I move the authentication to the load balancer and would that obviate the 

need to login a second time? 


Then based on AD group membership could I direct some users to one group of 

services and users in another AD group be directed to another?


Thank you.

Link to comment
Share on other sites

NS doesn't load balance based on group membership, but if you implement content switching with AAA integration, you can get the cs vserver to do authentication.


Then use the http.req.user.is_member_of() policy to direct GroupA to lb_vsrv_A and GroupB to lb_vsrv_B behind the cs vserver.

lb_vsrv_A would then point to your GroupA services 

lb_vsrv_B would point to your groupB services.


So Content Switching with authentication via AAA for App Traffic (aka authentication vserver), then cs policies based on group membership to separate lb vserver tiers.







  • Like 2
Link to comment
Share on other sites

When you say AAA server - are you referring to perhaps Windows NPS RADIUS? But then I don't see where 
groups would come into play there. Are you referring to AD groups or some other group? I've worked with

Cisco ISE in the past and I think I could have TACACS hook into AD groups for device authentication. Any 

more reference on the type of AAA infrastructure it would take to make this work would be appreciated.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...