StoreFront Internal load balancing

Configure StoreFront 3 Load Balancing with Citrix NetScaler.

Make sure to catch up on this series' previous posts first!

In this post, we will review how to use our NetScaler TriScale cluster to load balance Citrix StoreFront. We will not use NetScaler Gateway for internal Load Balancing as our users will connect directly to the Citrix servers on the LAN.

StoreFront Load Balancing

Requirements

Lab Configuration

  • Two servers with StoreFront installed (SF01/SF02).
  • SF02 is the primary StoreFront server (10.0.0.32/8)
  • SF01 is the secondary StoreFront (10.0.0.31/8)
  • DNS Record: storefront.citrixguru.lab pointing to SF02.
  • NetScaler Cluster IP (CLIP): 192.168.1.100
  • NetScaler SNIP: 10.0.0.111 and 10.0.0.112.
  • Load Balancing/SSL features enabled on the NetScaler cluster.
  • IP for the Load Balancing: 10.0.0.30.
  • CA Certificate is ready.
  • StoreFront certificate is ready.

StoreFront Load Balancing Configuration

Connect to the NetScaler Cluster using the CLIP (http://192.168.0.100) and log on with the nsroot account.

Import Certificates

Navigate to Traffic Management > SSL. Make sure that the feature is enabled.

Import Root CA certificate

Select SSL, navigate to Tools, and select Manage Certificates / Keys / CSRs.

Select Upload.

Select the Root CA certificate to upload.

Go to Certificates and select Install. Browse the appliance to find the Root CA certificate previously uploaded.

Click on Install.

Root CA certificate installed

Import StoreFront certificate

Method 1: not secure

Go to Certificates and select Install. Browse your local computer to find the StoreFront certificate created in the previous post: Lab: Part 15 – Configure SSL in StoreFront.

StoreFront certificate is installed

Note: Take a look at the key file (located in nsconfig/ssl/storefront.fx.ns). The file is not encrypted, so anyone who can read the appliance's file system, or a copy of it, can read the private key.

Method 2: secure

To import the StoreFront certificate and keep the private key encrypted, go to SSL, navigate to Tools, and select Import PKCS#12.

  • Output file name: /nsconfig/ssl/storefront.cer
  • Input file name: storefront.pfx located on your local computer

Select Ok to import the certificate.

StoreFront certificate imported

Select SSL, navigate to Tools, and select Manage Certificates / Keys / CSRs.

Select StoreFront.cer and View.

The private key is now stored encrypted.
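
The difference between Method 1 and Method 2 can be checked from the PEM text itself. The following is an added example, not part of the original post: it classifies each private key block in a file as encrypted or plaintext from its PEM label and headers. The function names are hypothetical and the sample file contents are constructed to show the two PEM forms, not copied from the appliance.

```python
import re

# Matches every PEM block and captures its label and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def classify_private_keys(pem_text):
    """Return [(label, "encrypted" | "PLAINTEXT")] for each private key block."""
    results = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if not label.endswith("PRIVATE KEY"):
            continue  # certificates and other blocks are not keys
        if label == "ENCRYPTED PRIVATE KEY":
            state = "encrypted"   # PKCS#8 EncryptedPrivateKeyInfo
        elif "Proc-Type: 4,ENCRYPTED" in body and "DEK-Info:" in body:
            state = "encrypted"   # traditional PEM encryption headers
        else:
            state = "PLAINTEXT"
        results.append((label, state))
    return results

def files_with_plaintext_keys(files):
    """files maps a path to its text; return the paths holding a plaintext key."""
    return sorted(path for path, text in files.items()
                  if any(s == "PLAINTEXT" for _, s in classify_private_keys(text)))

# Constructed sample contents: the base64 bodies are placeholders, not real keys.
FAKE = "Q09OU1RSVUNURUQgU0FNUExF\n"
CERT = "-----BEGIN CERTIFICATE-----\n" + FAKE + "-----END CERTIFICATE-----\n"
SAMPLE_FILES = {
    # Method 1 result (assumed form): key block with no encryption headers
    "nsconfig/ssl/storefront.fx.ns": CERT
        + "-----BEGIN RSA PRIVATE KEY-----\n" + FAKE
        + "-----END RSA PRIVATE KEY-----\n",
    # Method 2 result (assumed form): same block type with Proc-Type/DEK-Info
    "/nsconfig/ssl/storefront.cer": "Bag Attributes\n" + CERT
        + "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        + "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n" + FAKE
        + "-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for path, text in SAMPLE_FILES.items():
        print(path, classify_private_keys(text))
    print("plaintext keys in:", files_with_plaintext_keys(SAMPLE_FILES))
```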

Add servers

Navigate to Traffic Management > Load Balancing. Make sure that the feature is enabled, then go to Servers.

Add the two StoreFront servers.

Both servers should be Enabled. If not, make sure that you can ping the servers from the NetScalers.

Create new service group

Navigate to Service groups and add a new service group.

  • Name: svcgrp-storefront-https
  • Protocol: HTTPS

The state of the service group is Down, which is normal at this point.

Now click on No Service group Member to add members.

Select Server based and Click to select.

Select both servers previously created.

Specify the port 443.

Select Create to create the service group members.

Members created

Monitors

On the right panel, select Monitors.

Select No Service group to monitor binding.

Select Click to select.

Select HTTPS-ECV.

Note: NetScaler has a specific monitor for StoreFront, but we cannot use it here because the StoreFront monitor uses the NSIP to communicate with the StoreFront servers. In our lab, this communication is not allowed (the StoreFront monitor does not work over the SNIP).

Select Bind.

The service group should now be UP.

Select Settings and configure as follows: select Client IP and, for the Header, enter X-Forwarded-For.

Settings configured
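
How a log parser or application behind the load balancer could consume the header configured above, as an added example that is not part of the original post. It assumes requests reach SF01/SF02 from the SNIPs listed in the lab configuration and accepts X-Forwarded-For only from those peers; the function name, verdict strings and sample requests are hypothetical.

```python
import ipaddress

# SNIPs from the lab configuration: the only peers allowed to assert a client IP.
TRUSTED_SNIPS = {ipaddress.ip_address(a) for a in ("10.0.0.111", "10.0.0.112")}

def attribute_request(peer_ip, xff_values):
    """Return (verdict, ip) for one request.

    peer_ip    -- source address of the TCP connection as the web server saw it
    xff_values -- list of raw X-Forwarded-For header values on the request
    """
    peer = ipaddress.ip_address(peer_ip)
    entries = [e.strip() for v in xff_values for e in v.split(",") if e.strip()]
    if peer not in TRUSTED_SNIPS:
        # Did not come through the load balancer: any header is client-controlled.
        return ("untrusted-header-ignored" if entries else "direct", str(peer))
    if not entries:
        return ("no-client-ip", str(peer))   # e.g. a monitor probe from the SNIP
    if len(entries) > 1:
        # Something other than the appliance also set the header; do not guess.
        return ("ambiguous", str(peer))
    try:
        return ("forwarded", str(ipaddress.ip_address(entries[0])))
    except ValueError:
        return ("malformed", str(peer))

# Constructed sample requests: (peer address, X-Forwarded-For values).
SAMPLE_REQUESTS = [
    ("10.0.0.111", ["10.0.0.57"]),            # normal request via the vServer
    ("10.0.0.112", []),                       # no header from a SNIP
    ("10.0.0.57", ["10.0.0.5"]),              # direct hit with a forged header
    ("10.0.0.111", ["10.0.0.5, 10.0.0.57"]),  # client-supplied value present
    ("10.0.0.112", ["not-an-ip"]),            # garbage in the header
]

if __name__ == "__main__":
    for peer, xff in SAMPLE_REQUESTS:
        print(peer, xff, "->", attribute_request(peer, xff))
```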

Create new virtual server

Navigate to Traffic Management > Load Balancing > Virtual Servers. Select Add to create a new virtual server.

  • Name: vslb-storefront
  • Protocol: SSL
  • IP address: 10.0.0.30
  • Port: 443

Click Ok to create the virtual server. Don’t worry about the Down state: we first need to bind our new virtual server to something.

Select No Load Balancing Virtual Server ServiceGroup Binding.

Select Click to Select.

Select the previously created serviceGroup.

Select Bind.

Our new virtual server is now bound to our service group.

The next step is to link the certificates to this vServer.

Select CA certificate.

Select Bind.

Repeat the same for the server certificate.

Both certificates are now linked to the vServer.

You can also configure persistence. I usually recommend using SOURCEIP.

The timeout is 30 minutes.

You can also configure the load balancing method.

LEASTCONNECTION sends requests to the server with the lowest number of sessions.

The vServer is now configured and ready to use.

Testing

First, change the DNS record storefront.citrixguru.lab to point to the vServer IP address (10.0.0.30) instead of the SF02 IP address (10.0.0.32).

Once the DNS is updated, go to https://storefront.citrixguru.lab/Citrix/CitrixGuruStoreWeb.

You can test the load balancing across the two StoreFront servers: go to Servers and disable SF01 or SF02.

That’s all for StoreFront internal Load Balancing. In the next post, we will discuss how to optimize the load balancing configuration.

1 COMMENT

  1. Nicolas, thanks for sharing the setup info. I have a question about your example:
    • IP for the Load Balancing: 10.0.0.30. Is this the NS VIP address? Please advise, thanks.
