
Load Balancing IIS sites with hostname bindings



Hey all,

 

I am having some issues with load balancing IIS sites and looking for some guidance/assistance. I have a single IIS server which is serving up 2 IIS sites (3 if you count the Default Web Site). The two sites are configured with hostname bindings (site1.company.com, site2.company.com). These sites are configured for HTTP/HTTPS bindings and set to all unassigned IPs. Setting this up using SSL_Bridge works fine; I can use the same IP address for each A record and the hostname will be forwarded to the server and the page will answer as expected. However, I don't want to use bridging since it has limited control over SSL sessions. My problem is that I cannot get a standard SSL or even SSL_TCP vServer to load any page. It just doesn't work. All I get from the load balancer is err_connection_refused. It's like the VIP is dropping my request immediately, as Fiddler doesn't even show a cert presented before it fails. Fiddler shows the host name in the request with the load balancer, so I'm really not sure what is going on. I am using a wildcard certificate which is installed on the IIS box & the ADC. Even though it's a wildcard, I set up an SSL profile that enables SNI and attached that to the vServer; no change. I've also tried changing the SNI HTTP Host Match option in the SSL profiles with no change either. I have gone through some similar articles:

 

https://discussions.citrix.com/topic/387008-ssl-sni-on-backend-servicegroup-commonname/

 

https://support.citrix.com/article/CTX205113

 

but nothing has helped me so far. It's like the ADC is actively refusing the connections, but I cannot figure out why. Looking at the requests from Fiddler I don't see anything different in the headers, other than LB connections get a Connection Failed and: [Fiddler] The connection to 'site1.company.com' failed. Error: ConnectionRefused (0x274d). System.Net.Sockets.SocketException No connection could be made because the target machine actively refused it x.x.x.x:443

While connections to the server get a 200 Connection Established and are forwarded on to the logon page of the service. (Even though the logon page is set as the landing page, I have even tried including the full URL path when connecting with the load balancer, although I do not see any change in behavior.)

 

I feel like I'm missing something obvious but I cannot figure it out. 

 

TIA!
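A way to pin down which hop and which stage is failing, as an added example (not code from the thread or from Citrix): the probe below separates a TCP-level refusal (what Fiddler's ConnectionRefused 0x274d reports, before any certificate can be presented) from a TLS handshake failure, and compares the certificate fingerprint the VIP presents for a given SNI name with the one the backend IIS server presents directly. The VIP and backend addresses in the main block are constructed placeholders.

```python
import hashlib
import socket
import ssl


def probe_tls(host, port=443, sni=None, timeout=5.0):
    """TCP-connect to host:port, then attempt a TLS handshake offering `sni`.
    The returned dict's 'stage' records how far the connection got."""
    sni = sni or host
    r = {"host": host, "port": port, "sni": sni}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        r["stage"] = "refused"          # RST to the SYN: nothing is listening
        return r
    except OSError as exc:              # timeout, no route, filtered, ...
        r["stage"], r["error"] = "unreachable", str(exc)
        return r
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # observe what is presented,
    ctx.verify_mode = ssl.CERT_NONE     # do not validate it here
    try:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            r["stage"], r["tls_version"] = "tls_ok", tls.version()
            r["cert_sha256"] = hashlib.sha256(der).hexdigest()
    except OSError as exc:              # ssl.SSLError, reset or EOF mid-handshake
        r["stage"], r["error"] = "tls_failed", str(exc)
    finally:
        raw.close()
    return r


def diagnose(vip, backend):
    """Compare a VIP probe with a direct backend probe; returns (code, advice)."""
    if vip["stage"] == "refused":
        return ("vip_not_listening", "The VIP reset the TCP connection before any "
                "ClientHello, so certificate and SNI settings are not involved yet; "
                "check that the SSL vserver is UP and bound to a healthy service.")
    if vip["stage"] == "tls_failed":
        return ("vip_tls_failed", "TCP reached the VIP but the handshake failed; "
                "check the certificate binding and SNI settings on the vserver.")
    if vip["stage"] == backend["stage"] == "tls_ok":
        if vip["cert_sha256"] != backend["cert_sha256"]:
            return ("cert_differs", "VIP and backend present different certificates.")
        return ("ok", "Both hops complete TLS with the same certificate.")
    return ("inconclusive", "Probe the backend directly to isolate the failing hop.")


if __name__ == "__main__":  # constructed placeholder addresses; substitute your own
    vip = probe_tls("192.0.2.10", sni="site1.company.com")
    backend = probe_tls("192.0.2.20", sni="site1.company.com")
    print(vip, backend, diagnose(vip, backend), sep="\n")
```

Run it once against the VIP and once against the IIS server's own address with the same SNI name; a `refused` stage on the VIP alone points at the vserver state rather than at the certificate or SNI profile.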

 
