GSLB Question


Chris Craddock

Community,

 

I have a question regarding GSLB. I will do my best to explain the scenario:

 

We have a service/FQDN/URL that runs on port 443 that is already set up in a GSLB scheme. The current Virtual Servers are listening on 443 and the back-end servers in the service groups are also listening on 443. The GSLB Virtual Servers are using those Virtual Servers in their GSLB Service Group Binding. What we would like to do is leverage the existing URL/FQDN (where the NetScalers are authoritative) but have a separate service on 8443. We created additional Virtual Servers using 8443 as well as Service Groups (with the same exact servers as the 443 group) but using 8443. They are the same back-end servers but just different ports; the servers will run both 443 and 8443 listeners. Is it possible to just add the new 8443 Virtual Servers to the existing GSLB VS Service Group Binding that already houses the two 443 Virtual Servers? Would that work? Again, we would like to leverage the existing GSLB setup but add an additional GSLB service group that uses TCP/8443 along with the existing TCP/443.

 

acme.company.com -> CNAME for acme.gslb.company.com (Netscalers are authoritative for this domain)

 

Existing Service: acme.company.com:443 (Globally Load Balanced)

 

Desired Service: acme.company.com:8443 (Utilizing existing GSLB setup. i.e not having to create a whole new URL or GSLB set up).

 

Please let me know if this is possible or how you would go about accomplishing this. 

 

Thank you. 

15 hours ago, Carl Stalhood1709151912 said:

GSLB is DNS and doesn't care about service port numbers other than for monitoring.

 

One exception is active/active with cookie-based site persistence. See https://support.citrix.com/article/CTX130152

Carl,

 

Thank you. I am running into another issue. I am trying to set up GSLB for a service and keep getting an error when I go to create the GSLB Service. It says "Binding Entities have incompatible Traffic domains". Have you run into this issue before? What does this mean exactly? I'm noticing that if the server object I reference is in TD0 it works, but if the Server object is in TD2, it throws the error. The actual VS is in TD2. Does GSLB not work when Servers or Virtual Servers are outside of TD0?

 

Any ideas?  Thank you.

Carl,

 

After putting everything in Traffic Domain 0, the GSLB worked perfectly, so a lesson learned there. One other question for you. I have 2 GSLB services, one listening on 443 and another on 8443. I should be able to add these 2 separate services to the same GSLB VS right? How does the GSLB VS Load Balance between the services? My assumption is the 443 requests will go to the 443 Service and any request coming in on 8443 will go to the 8443 service. Is this a safe assumption?

 

Thank you. 

Carl,

 

Thank you. I'm still slightly confused as to how the GSLB VS will make the service selection decision. Let's say I have a GSLB Virtual Server with 4 services bound to it (all 4 use the SSL protocol). 2 of the services are listening on 443 while the other 2 are listening on 8443. Will the GSLB Virtual Server make the right decisions based on the destination port numbers? So for instance, if a request comes in on port 443, will the GSLB VS send those requests only to the Services listening on 443? Or will it just load balance among the 4 bound services based on the LB method assigned, ignoring the port information altogether? This implies that some 443 requests could get sent to the 8443 services and vice versa.

 

I hope this question makes sense. 

 

Thanks. 

GSLB = DNS. DNS returns IP addresses and does not return port numbers. When GSLB replies, it is replying with the IP address of the GSLB Service, not the port number.

 

The port number in a GSLB Service does two things: monitoring and cookie-based persistence. The port number is not used in the GSLB/DNS replies.

 

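The following is an added model of the behaviour Carl describes; it is not NetScaler code and not part of the original thread. It uses the hypothetical names from the thread (ServiceA/ServiceB per data center, LB vservers named lb_vs_dc1_443 and so on) and constructed TEST-NET addresses. The GSLB vserver answers a DNS query with an IP address only; the destination port the client then dials is what picks the LB vserver on the ADC that owns that IP. The monitor state is the only place the GSLB Service port is consulted. As a consequence of that, the model also shows what happens when both ports are bound to one GSLB vserver and one port's monitor at a site goes DOWN: the site's IP can still be handed out through the other port's service, so the DNS answer cannot be port-specific.

```python
"""Model of GSLB-as-DNS: answers carry addresses, ports select the LB vserver.

Constructed example; site IPs are TEST-NET addresses, names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GslbService:
    name: str
    ip: str
    port: int
    up: bool  # monitor state; the port is only used to probe this


class GslbVserver:
    """Round-robin over UP services. The answer is an IP, never a port."""

    def __init__(self, services):
        self.services = list(services)
        self._rr = 0

    def resolve(self) -> str:
        candidates = [s for s in self.services if s.up]
        if not candidates:
            raise RuntimeError("no UP GSLB service to answer with")
        chosen = candidates[self._rr % len(candidates)]
        self._rr += 1
        return chosen.ip  # an A record has no port field


class Site:
    """One data center: a public IP and the LB vservers listening on it."""

    def __init__(self, ip, lb_vservers):
        self.ip = ip
        self.lb_vservers = lb_vservers  # {dst_port: LB vserver name}

    def dispatch(self, dst_port):
        # The ADC picks the LB vserver from the (ip, port) the client connected to.
        try:
            return self.lb_vservers[dst_port]
        except KeyError:
            raise ConnectionRefusedError(f"nothing listens on {self.ip}:{dst_port}")


def build_topology(down=()):
    """Two sites, two LB vservers each (443 and 8443) on the same VIP,
    four GSLB services bound to a single GSLB vserver. `down` names
    services whose monitor reports DOWN (constructed state)."""
    sites = {
        "203.0.113.10": Site("203.0.113.10", {443: "lb_vs_dc1_443", 8443: "lb_vs_dc1_8443"}),
        "198.51.100.10": Site("198.51.100.10", {443: "lb_vs_dc2_443", 8443: "lb_vs_dc2_8443"}),
    }
    spec = [
        ("ServiceA-Data_Center1", "203.0.113.10", 443),
        ("ServiceA-Data_Center2", "198.51.100.10", 443),
        ("ServiceB-Data_Center1", "203.0.113.10", 8443),
        ("ServiceB-Data_Center2", "198.51.100.10", 8443),
    ]
    services = [GslbService(n, ip, p, n not in down) for n, ip, p in spec]
    return sites, GslbVserver(services)


def client_connect(gslb, sites, dst_port):
    """Resolve the GSLB domain, then connect to <answer>:<dst_port>.
    Returns (ip handed out, LB vserver that received the connection)."""
    ip = gslb.resolve()
    return ip, sites[ip].dispatch(dst_port)


def demo():
    """Four clients alternating 443/8443 against a fully UP topology."""
    sites, gslb = build_topology()
    return [client_connect(gslb, sites, p) for p in (443, 8443, 443, 8443)]


def caveat_port_down():
    """DC1's 8443 monitor is DOWN, but DC1's 443 service is UP, so the GSLB
    vserver still answers with DC1's IP; an 8443 client then lands on
    lb_vs_dc1_8443 regardless of the DOWN state."""
    sites, gslb = build_topology(down={"ServiceB-Data_Center1"})
    return client_connect(gslb, sites, 8443)


if __name__ == "__main__":
    for ip, vs in demo():
        print(f"DNS answered {ip}; client port chose {vs}")
    print("8443 client with DC1:8443 DOWN ->", caveat_port_down())
```

Every 8443 connection in `demo()` ends on an `_8443` LB vserver and every 443 connection on a `_443` one, whichever GSLB service the round-robin picked, which is the point of Carl's answer. `caveat_port_down()` is why a practitioner might still prefer a separate GSLB vserver (and domain) per port when the two listeners can fail independently.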
Carl,

 

Thank you for the reply. I believe I understand that DNS doesn't care about port numbers and does not include them in the reply. My question is, when the client traffic finally reaches the GSLB VS (after the DNS query is resolved to an IP address), will the GSLB Virtual Server that receives the traffic take into account the port number the client is attempting to reach? My goal is to be able to use a single GSLB VS for more than one service, in this case 443 and 8443 traffic. But my concern is that the GSLB VS isn't designed to parse the destination port number and send the traffic to the correct "service", and thus it's possible that 443 traffic is getting sent to the 8443 service and vice versa.

 

For instance:

 

Two GSLB Virtual Servers:

 

GSLB-VS-Data_Center1

GSLB-VS-Data_Center2

 

Each of the 2 GSLB VS's has 4 services assigned to it:

 

ServiceA-Data_Center1: 443

ServiceA-Data_Center2: 443

ServiceB-Data_Center1: 8443

ServiceB-Data_Center2: 8443

 

Once the client URL query is resolved by DNS, that traffic will reach one of the 2 GSLB VS's. At THAT point, does the GSLB VS make a decision as to which "service" (Service A or B, 443 or 8443) it will send the traffic to based on destination port? Or does it just send it to any of the services bound to it based on its own load balancing algorithm? Thereby possibly sending 443 traffic to an 8443 service and vice versa. 

 

I sincerely apologize if I am not explaining this correctly. I really appreciate your help. 

 

Carl,

 

OHHH! I think I am understanding now. So once the ADNS service responds to the DNS query for the IP address (in this case an external IP address), the traffic then gets routed to that particular external IP address and then gets NAT'ed to the appropriate Load Balancing Virtual Server? In this case the 443 and 8443 services are using 2 different LB VS's but with the same IP address, just different port numbers, so I'm assuming the traffic will then go to the appropriate VS depending on the destination port number?

 

If this is the case, then adding the "8443 GSLB service" to the existing GSLB VS is pointless since all the traffic is going to go to the same internal IP address anyway.

 

Does this seem right?
