
Netscaler URL Direction and Storefront Load Balancing.


Jitendra Kumar

Hi All,

 

I have set up a Netscaler in HA and configured the Gateway along with Storefront load balancing. I have 4 Storefront servers, which I have added to the Storefront load balancing along with a vServer with a VIP. Now I want to distribute the connections among the 4 Storefront servers I added under Server in Load Balancing. Can someone please tell me what settings I need in the vServer configuration so that it distributes the sessions among all the Storefront servers, like 10 sessions from SF01, 5 from SF02, 15 from SF03, 10 from SF04?

 

Also, I have configured a new external URL on Netscaler, and the users are not aware of this new URL. Users are still using the old URL, and I do not want to tell all users to configure the new URL, so I want to redirect the old URL to the new URL. That is, when users enter their old URL in a web browser, it automatically redirects to the new URL, which is on Netscaler. Please help me.

Link to comment
Share on other sites

First, storefront load balancing:

You can create 4 services: svc_stf1 - svc_stf4

bind them to the lb vserver (lb_vsrv_storefront)

- load balancing method is usually leastconnections and persistence is usually sourceip with an appropriate timeout

- use the http monitor, or the storefront monitor for up/down detection of each service

 

To send your traffic to different storefronts at different capacities, then you would use weighted load balancing, to match the ratios you have above.  Weights are set when binding services to lb vservers OR when binding members to servicegroups.

 

You can use the ratios in units of 1 or units of 5 as described.  There really isn't a need for weighted load balancing as you can also just configure connection limits at lower thresholds for "smaller" servers. But if you want to do weighted load balance you can.

svc_stf1:  weight 2  (or 10)

svc_stf2:  weight 1  (or 5)

svc_stf3:  weight 3 (or 15)

svc_stf4:  weight 2 (or 10)

 

The question is do you really need weighted load balancing as you describe it; or just to load balance across the 4 services and tune for max load if it is reached. StoreFront servers are really very scalable and so this type of weighted config feels like an unnecessary complication.

 

Example:  

add service svc_stf1 <ip1> SSL 443

add service svc_stf2 <ip2> SSL 443

add service svc_stf3 <ip3> SSL 443

add service svc_stf4 <ip4> SSL 443

 

add lb vserver lb_vsrv_storefront SSL <VIP1> 443 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP -timeout 20

bind ssl vserver lb_vsrv_storefront -certkeyName <sslcertkey name>

 

# bind with weights as listed OR omit weights to keep things simple...

# In gui, this is set when binding service to lb vserver; again with service groups is set when binding the member to the service group.

bind lb vserver lb_vsrv_storefront svc_stf1 -weight 2

bind lb vserver lb_vsrv_storefront svc_stf2 -weight 1

bind lb vserver lb_vsrv_storefront svc_stf3 -weight 3

bind lb vserver lb_vsrv_storefront svc_stf4 -weight 2

 

Second, this part:

34 minutes ago, Jitendra Kumar said:

Also, I have configured a new external URL on Netscaler, and the users are not aware of this new URL. Users are still using the old URL, and I do not want to tell all users to configure the new URL, so I want to redirect the old URL to the new URL. That is, when users enter their old URL in a web browser, it automatically redirects to the new URL, which is on Netscaler. Please help me.

 

You described moving external users from old storefront fqdn to new storefront fqdn with a redirect.  But you fail to mention if the gateway is involved in this scenario.

Normally, you wouldn't directly access storefront externally. If there's more to this scenario, feel free to elaborate.

 

If you actually meant you are changing external access from old gateway to new gateway, or you want to change which storefront fqdn the gateway directs traffic to, the results would be different than what I use below. Feel free to clarify and we can adjust.  If you are using one fqdn for external connections to gateway and the same fqdn resolves internally to storefront, then that would need to be handled differently as well.

 

The below is just a change from one storefront fqdn to new storefront fqdn with a responder policy to redirect.  This may not be in fact what you are trying to do.  

 

If users do go to the OLD fqdn in the browser, you can use a responder policy to direct them to the NEW fqdn. The user will then see the connection to the new fqdn, when done as  a redirect. If this is being done by the ADC (netscaler) then the OLD fqdn has to resolve to a lb vserver VIP on the ADC too. So, you might need to clarify if your old fqdn is going to resolve to the current VIP or a different resource.  So the recommendation for how to do this might change.

 

For this example, I have to make some assumptions.

Your old fqdn (oldstf.demo.com) is resolving to a previous vserver lb_vsrv_oldstf on <VIP1> on this adc.

Your new fqdn (newstf.demo.com) is resolving to the new vserver lb_vsrv_newstf on <VIP2> on this adc. 

And you want a responder policy to resolve old fqdn to new one.

If the details are different or you're only changing store and not fqdn, this would be handled differently. If old storefront is not on this adc it is also going to be a different discussion.

You still need dns resolving fqdns to proper ips.

 

# replace fqdn and storename with actual path....and assuming all oldfqdn traffic goes to new place...

add responder action rs_act_sendto_newstf redirect "\"https://newstf.demo.com/Citrix/StoreWeb\"" -responseStatusCode 302

add responder policy rs_pol_sendto_newstf "HTTP.REQ.HEADER(\"Host\").SET_TEXT_MODE(IGNORECASE).EQ(\"oldstf.demo.com\")" rs_act_sendto_newstf

 

bind lb vserver lb_vsrv_oldstf -policyName rs_pol_sendto_newstf -priority 100 -gotoPriorityExpression END -type REQUEST

Link to comment
Share on other sites

Hi Rhonda,

 

In my environment I have done load balancing using this article: https://www.carlstalhood.com/storefront-load-balancing-citrix-adc/ . I created a monitor, then added the SF servers, then created a service group, added the SF servers as members of the service group, and added the monitor under Monitors in the service group config. After that I created a load balancing vServer and bound it to the service group.

 

So you mean to say that while adding the server members to the service group, I need to add all 4 servers one by one rather than selecting them all, and I need to define the weight there as 1 or 10 or 5?

And in this way, for the server which has weight 5, only 5 connections will be directed there? But will it then not direct more than 5/10/15 connections to the particular server which has weight 5 or 10 or 15?

 

 

My second query was related to Netscaler Gateway URL not Storefront, sorry for the confusion. So do I need to create a policy under the Gateway vServer as a responder and then need to define the settings there to redirect the old Gateway URL to new Gateway URL pls ?

 

 

Link to comment
Share on other sites

Connection limit is different than weighted load balancing.

If you want a given storefront server to ONLY accept 10 connections or 5 connections - and then once it receives its max connection limit it is not used for load balancing until below threshold that can be done...BUT this is a very low connection limit and would have to be done differently with servicegroups and you would be better off with individual services.

 

A typical web server can handle easily 200 connections (or more)... are you sure this is the limit you need?  (Also this isn't the same as a user count...but you wouldn't want it to be either).

 

To set a max connection limit (aka "max clients" in the service property), you should use individual services and NOT use service groups.

The reason is that all members of a service group have a common set of settings.  Setting the "max client" limit at the service group level would then set the individual limit per each member. You would then need 3 different service groups (one with two members and two with one member each) for the thresholds you cite.

 

For services:  maxclients means maximum connections

add service svc_stf1 <ip1> SSL 443 -maxClient 10

add service svc_stf2 <ip2> SSL 443 -maxClient 5

add service svc_stf3 <ip3> SSL 443 -maxClient 15

add service svc_stf4 <ip4> SSL 443 -maxClient 10

 

When binding to the lb vserver, weights would not be used now.

bind lb vserver lb_vsrv_storefront svc_stf1

bind lb vserver lb_vsrv_storefront svc_stf2

bind lb vserver lb_vsrv_storefront svc_stf3

bind lb vserver lb_vsrv_storefront svc_stf4

 

For service groups (but services would be easier in this case):

add servicegroup svcg_stf_10max SSL -maxclient 10

   bind servicegroup svcg_stf_10max <stf srv ip1> 443

   bind servicegroup svcg_stf_10max <stf srv ip4> 443

add servicegroup svcg_stf_15max SSL -maxclient 15

   bind servicegroup svcg_stf_15max <stf srv ip3> 443

add servicegroup svcg_stf_5max SSL -maxclient 5

   bind servicegroup svcg_stf_5max <stf srv ip2> 443

 

bind lb vserver lb_vsrv_storefront svcg_stf_10max

bind lb vserver lb_vsrv_storefront svcg_stf_15max

bind lb vserver lb_vsrv_storefront svcg_stf_5max

 

56 minutes ago, Jitendra Kumar said:

My second query was related to Netscaler Gateway URL not Storefront, sorry for the confusion. So do I need to create a policy under the Gateway vServer as a responder and then need to define the settings there to redirect the old Gateway URL to new Gateway URL pls ?

 

The process to redirect old gateway to new is similar to what we discussed above, but yes the responder policy on old vpn vserver to direct traffic to new vpn vserver.

 

There are a couple of ways to do it if you don't want to keep "running" the old vpn vserver to reduce risk.

 

You could also, though, decommission the vpn vserver and assign the <old gateway vip1> to a lb vserver on the same VIP1:SSL:443 (using an always up/placeholder service on the backend), whose sole function is to catch the old VIP:443 traffic and let the responder policy direct traffic to the new gateway:SSL:443.

OR even use a down lb vserver on the VIP1:ssl:443 config and its redirect url function to redirect to https://<newgatewayfqdn>

 

It just depends if you need to keep the "old vpn vserver" available.

 

The redirect means the users will see the change from one fqdn to another.

Your storefront behind the gateway will need to be configured with updated info for the new gateway fqdn as well.

 

You can also just make DNS resolve the "old fqdn" to the <new gateway vip> and then use the responder policy to redirect only the old hostnames to the new one, without needing a separate vpn vserver or lb vserver available.  (If the old gateway isn't needed at all, this would probably be the option I would do first; if changing the dns isn't possible, then the lb vserver would be my next choice.)  I can mock up tomorrow if you need an example.

Link to comment
Share on other sites
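Added example (not part of any post in this thread, and not NetScaler code): a small Python model of the difference between weights and maxClient described in the reply above, using the 10/5/15/10 figures from the question. It assumes least-connection selection picks the lowest active/weight ratio, that ties go to the first service bound, and that no connection closes during the run.

```python
# Added illustration, not NetScaler code: a simplified model of least-connection
# selection. Assumptions: the service with the lowest active/weight ratio wins,
# ties go to the first service bound, and no connection closes during the run.
from fractions import Fraction

# Ratios from the thread: stf1..stf4 = 10 / 5 / 15 / 10
WEIGHTS = {"svc_stf1": 2, "svc_stf2": 1, "svc_stf3": 3, "svc_stf4": 2}
MAX_CLIENT = {"svc_stf1": 10, "svc_stf2": 5, "svc_stf3": 15, "svc_stf4": 10}


def distribute(n, weights=None, max_client=None):
    """Place n connections; return (active connections per service, unplaced count)."""
    names = list(WEIGHTS)
    weights = weights or {s: 1 for s in names}        # unweighted binding
    max_client = max_client or {s: 0 for s in names}  # 0 = no limit
    active = {s: 0 for s in names}
    unplaced = 0
    for _ in range(n):
        # A service at its maxClient value is skipped until it drops below it.
        eligible = [s for s in names
                    if max_client[s] == 0 or active[s] < max_client[s]]
        if not eligible:
            unplaced += 1  # the model only counts these; it does not queue them
            continue
        # min() returns the first minimum, so ties go to the earliest binding.
        target = min(eligible, key=lambda s: Fraction(active[s], weights[s]))
        active[target] += 1
    return active, unplaced


if __name__ == "__main__":
    for label, kwargs in (("weights", {"weights": WEIGHTS}),
                          ("maxClient", {"max_client": MAX_CLIENT})):
        for n in (20, 40, 80):
            print(label, n, *distribute(n, **kwargs))
```

In this model, weights keep the 2:1:3:2 ratio at any load and never cap a server, while maxClient spreads connections evenly until a server reaches its limit and only then stops sending to it.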

So here I want to decommission the old Netscaler later on and do not want to keep the old VPN. The network team might take back the old VIP which is used by the old Netscaler VPN.

 

Are you talking about something similar to the article below? From the article, what I understand is to create a responder action and policy under "AppExpert" in Netscaler and put in the redirect URL name as instructed in the article. After that, go to Gateway, then Virtual Server, and edit your VPN. In the VPN, under Policy, click on the + icon to add a policy, select Responder as the policy and Create as the type, and then bind the policy.

 

Does this article cover the same thing?

https://support.citrix.com/article/CTX221243

Link to comment
Share on other sites

Yes, that article and the responder policy example for the storefront would work, just modify for the gateway fqdn and bind to the vpn vserver on the old system.

Create responder policy to redirect old host name to new one and bind to your existing vpn vserver to send traffic to new ONE.

OR

Change dns of old name to new ip (as a lb vserver on the new appliance) and bind the responder policy to direct old name to new name on this lb vserver. 

Link to comment
Share on other sites
