Jump to content
Welcome to our new Citrix community!

NetScaler LDAP/NTP/RADIUS communications over NSIP or SNIP


Ken Z

Recommended Posts

Hi Everyone

 

In "old" versions of the NetScaler firmware, the NetScaler used to communicate with LDAP/RADIUS/NTP via the NSIP unless a load-balanced vServer was created, which forced it to use the SNIP.

The latest firmware now uses the SNIP rather than the NSIP for the same communications without the need to set up a load-balanced vServer.

 

does anyone know which firmware version this "feature" first became available on?

 

Thanks

 

Ken Z

Link to comment
Share on other sites

Hi Carl

 

thanks for responding, but what I'm after is slightly different.

 

My customer has a NetScaler with oldish(?) firmware  which has an Access Gateway license (ie. the "cheap" replacement for WI/CSG, which doesn't have AAA or LB  enabled/licensed - they're using Basic Authentication) and they need to have the NSIP in a non-routable "management" VLAN that doesn't route to the Server VLAN where the domain controllers are situated. Normally with a standard/advanced/premium platform license I'd set up LDAP and DNS load-balancing vServers which gives me access to the services via the SNIP. They don't want to upgrade to the very latest firmware but I know that at some point the code had changed so that LDAP/DNS/NTP goes out the SNIP not the NSIP without having to use AAA or LB. Just need to know what is the oldest firmware that they need to give them that functionality.

 

https://support.citrix.com/article/CTX207661 - The NSIP, SNIP and the Auth Servers are all on different subnets.

 

Regards

 

Ken Z

Link to comment
Share on other sites

One of the articles show NetScaler 10.5 so it's been there for a while.

 

In Gateway-only firmware, you can go to Traffic Management > Virtual Servers and add a VIP so it uses SNIP to talk to back-end. It's the same as load balancing but you can only bind one service. You can do Backup vServer to fail over to a second server if the first is down.

Link to comment
Share on other sites

Hello Ken, hello Carl,

 

using the latest 13.0 Firmware-Build. https://support.citrix.com/article/CTX132935 & https://support.citrix.com/article/CTX218050 is enabled (I've also tried to bind a NetProfile with a SNIP to Service Group)

 

In my current example for LoadBalancing LDAPS - SNIP is used to request 636 to ADS Servers, but the LDAPS Monitor (which is nsldap.pl) is used by NSIP. So atm (as NSIP is a separated MGMT VLAN) I am not able to use the preferred LDAPS Monitor, I'm only able to use ICMP.

 

Any hints or help would be appreciated. Maybe this is a worse design problem on ADC how the pearl based monitors are working?

 

Thanks and Best Regards

Julian

Link to comment
Share on other sites

So, Julian, you are running into scriptable monitor behavior.  (ldaps/ldap monitors, storefront monitors and several of the other advanced monitors). These monitors are invoked from shell and source from the NSIP. ACLS or PBRs might be able to *force* this from NSIP to a SNIP.  But I was mostly only aware of the use NetProfileBSDTraffic setting (linked below which I think overlaps with Carls references).   But otherwise source ip for scriptable monitors use the NSIP. So either use a non-scriptable monitors instead (like tcp, ping, http, or other alternate monitor).  Any monitor with a net profile that can be set, will use the SNIP of the service by default or the net profile of the service, or the net profile of the monitor (to keep this simple).  Any profile where a net profile can't be set is "scriptable" and uses the NSIP.

 

But for KAZIMIERZ, I don't think the article you cited applies to your scenario.   (If someone thinks I'm wrong, please correct me.)  That article talks about the nsldap.pl which is the LDAP monitor and isn't a reference to LDAP traffic itself. The monitor is a scriptable monitor and uses the NSIP specifically (per above).  LDAP traffic still sources from NSIP if pointed to the server directly, or SNIP if handled by load balancer.  The ldap-based monitor follows the traffic sourcing rules of scriptable monitors; otherwise use a tcp or tcp_ssl monitor for a more basic test and which will use snip instead.

 

So, Julian, your question regarding the ldap monitor source is expected behavior.  If the netwprofile for BSD traffic doesn't work, then your alternative is to change the monitor type to a non-scriptable monitor.

 

For Kazimierz, I didn't think it was possible to force the LDAP traffic to use  a SNIP with a vserver/service config except through the settings already highlighted by Carl.  (This overlaps with the details Carl provided  https://docs.citrix.com/en-us/citrix-adc/current-release/networking/source-citrix-adc-freebsd-traffic-from-snip.html)

 

Edited by Rhonda Rowland
Added note
  • Like 1
Link to comment
Share on other sites

Rhonda

 

thanks for responding, but let me explain what's happening...

 

I've just installed a brand new MPX 5901 for a customer, and upgraded the firmware to 13.0 Build 85.15.

interfaces 0/1 and LOM were added to a dedicated management VLAN that wasn't routable to the main Server VLAN containing the domain controllers

interfaces 1/1 and 1/2 were link aggregated (LA/1) using LACP and connected to an internet-facing DMZ. 

interfaces 1/3 and 1/4 were link aggregated (LA/2) also using LACP and connected to an internal-facing DMZ. 

Default gateway was the firewall interface on the internet-facing DMZ 

There were static routes for the Citrix VLAN and Server VLAN pointing to the firewall interface on the internal-facing DMZ

A SNIP was set up on the internal-facing DMZ  to talk to the Citrix Farm and Sever VLAN. (The SNIP was not on the same subnet as the domain controllers in the Server VLAN)

I could ping the Citrix farm and the domain controllers via the internal-facing DMZ so routing was working fine. Mgmt VLAN had no route to the DCs.

 

I went to Citrix Gateway > Policies > Authentication > LDAP > Servers and set up an LDAP entry and I could talk to the DCs.

The only was this could work is if the LDAP connection was talking via the SNIP, not the NSIP

I double-checked this by monitoring the firewall logs and confirmed the NetScaler was talking to the LDAP servers (DCs) via the SNIP

There was no other setting I did on the NetScaler resembling what carl suggested to make this work.

(Normally I'd enable MBF if using multiple interfaces, but I believe this is not recommended when using link aggregation so this isn't ticked on the NetScaler)

This would imply that either using link aggregation, or a change in firmware functionality, is forcing LDAP to talk via SNIP to the DCs,

 

Can anyone explain why else this would happen?

 

Regards

 

Ken Z

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...