LDAPS Load Balancing with Citrix NetScaler 11

Make sure to catch up on this series' previous posts first!


In this post, we will see how to load balance LDAPS with the external NetScaler 11 HA pair created in Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair), and how to terminate the clients' TLS session on the NetScaler. Note that the NetScaler re-encrypts towards the domain controllers on port 636 (SSL_TCP on both sides), so this is TLS termination plus re-encryption, not plaintext offload to the back end.

By default LDAP uses port 389 in plain text, so credentials sent in a simple bind are exposed on the wire. We could just create an LB virtual server on port 389, but Active Directory requires an encrypted connection, in our case secure LDAP (LDAPS) on port 636, for password changes, so we load balance port 636.

Requirements

  • The domain controllers must have a server-authentication certificate so that they accept LDAPS on port 636; it is usually issued by an Active Directory Certificate Services enterprise CA, which does not have to run on the controllers themselves
  • A wildcard certificate (with its private key) for the name clients will use to reach the virtual server, issued by a CA the LDAP clients trust

Lab configuration

  • NetScaler 11.0 build 62.10.nc
  • HA pair configured (192.168.0.201)
  • DC (10.0.0.10)
  • Communication with the back-end servers is only allowed from the SNIP address (the NSIP cannot reach the DC)

Note: in our lab, we only have 1 DC. 

Create Secure LDAP (LDAPS) load balancing

Servers

Go to NetScaler > Traffic Management > Load Balancing, select Servers and Add.

Add all Domains controllers you want to be part of the load balancing.

Add server

In the lab we only have one domain controller, but the procedure is the same with several.

Service group

Go to NetScaler > Traffic Management > Load Balancing, select Service groups and Add.

  • Name: svcgrp-ldap-ssltcp
  • Protocol: SSL_TCP

Add service group


Add service group members
Select servers and Port 636

Repeat the operation for all servers.

Added


Monitor

Citrix provides a Perl script monitor for LDAP, documented in CTX114335 and CTX117943.
This advanced monitor performs an LDAP bind and query and checks for a valid response; like other script monitors it runs from the NSIP address.
In our lab, however, the NSIP is not allowed to communicate with the domain controllers, which rules out the advanced monitor, so we fall back to a TCP ECV monitor. Keep its limit in mind: it only verifies that the DC accepts a connection on port 636, not that the LDAP service behind it answers queries, so a DC whose LDAP service is hung but still listening stays UP.

Advanced Settings
Add service group monitor

Select TCP ECV monitor


Service group configured and UP

Virtual Server

Go to NetScaler > Traffic Management > Load Balancing, select Virtual servers and Add.

  • Name: vslb-ldap
  • Protocol: SSL_TCP
  • Port: 636

Create Virtual Server


Bind service group previously created


Service group bound

The virtual server shows DOWN because no certificate-key pair (certkey) is bound to it yet.

Cert needed

We need to import and assign a certificate.

Certificate

Go to NetScaler > Traffic Management > SSL, select Certificates and Install.

Install Wildcard


Certificate installed

Go to NetScaler > Traffic Management > Load Balancing, select Virtual servers.

Select vslb-ldap.

Certificates

Bind wildcard certificate


Certificate bound

The virtual server is now UP.

Virtual server UP


Virtual server UP and running
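The same configuration from the NetScaler command line, added here as a worked example (these commands are not part of the original post). The object names match the walkthrough above; the server name dc01, the VIP 192.168.0.210, the certificate file names and the CA certkey name are assumptions. The back-end server-certificate validation block is an addition that the GUI walkthrough does not perform: without it the NetScaler accepts any certificate presented by the DC on port 636.

```nscli
# Servers: one per domain controller (the lab has a single DC, 10.0.0.10)
add server dc01 10.0.0.10

# Service group: the NetScaler opens its own TLS session (from the SNIP)
# to port 636 on each member
add serviceGroup svcgrp-ldap-ssltcp SSL_TCP
bind serviceGroup svcgrp-ldap-ssltcp dc01 636

# Monitor: the NSIP cannot reach the DCs here, so the script-based LDAP
# monitor (nsldap.pl, run from the NSIP) is not an option. A TCP monitor
# with -secure YES at least completes a TLS handshake with the DC instead
# of only a TCP connect; it still does not prove that LDAP answers queries.
add lb monitor mon-ldaps-tls TCP -secure YES
bind serviceGroup svcgrp-ldap-ssltcp -monitorName mon-ldaps-tls

# Addition (not in the GUI walkthrough): verify the DC certificate chain on
# the back-end TLS session. internal-ca.cer is the assumed file name of the
# CA that issued the DC certificates, already uploaded to /nsconfig/ssl.
# Only the chain is checked here: members of a group have different names,
# so no common-name check is set at group level.
add ssl certKey ca-internal -cert internal-ca.cer
bind ssl serviceGroup svcgrp-ldap-ssltcp -certkeyName ca-internal -CA
set ssl serviceGroup svcgrp-ldap-ssltcp -serverAuth ENABLED

# Virtual server: clients connect to the VIP on 636 (192.168.0.210 is an
# assumed VIP address)
add lb vserver vslb-ldap SSL_TCP 192.168.0.210 636
bind lb vserver vslb-ldap svcgrp-ldap-ssltcp

# Certificate: an SSL_TCP vserver stays DOWN until a certkey is bound.
# wildcard.cer / wildcard.key are the assumed PEM files of the wildcard
# certificate and its private key, already uploaded to /nsconfig/ssl.
add ssl certKey wildcard-corp -cert wildcard.cer -key wildcard.key
bind ssl vserver vslb-ldap -certkeyName wildcard-corp

# Check the state of the virtual server and of the service group member
show lb vserver vslb-ldap
show serviceGroup svcgrp-ldap-ssltcp

save ns config
```

To check the result from a client, connect to the VIP with a name the wildcard covers: `openssl s_client -connect <vip>:636 -servername <name>` should present the wildcard certificate with a chain the client trusts, and an LDAPS bind against that name (for example ldp.exe, port 636 with SSL ticked) should succeed.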

Security

For the TLS settings of the vslb-ldap virtual server (protocol versions and cipher suites), go to Scoring an A+ on SSLLABS.COM with NetScaler 11 VPX and follow the instructions; the same SSL parameters and cipher bindings apply to an SSL_TCP virtual server.

Two points are specific to LDAPS behind a TLS-terminating load balancer. Clients must connect with a name that the wildcard certificate covers and whose issuing CA they trust, otherwise their LDAPS certificate validation fails. And because the client's TLS session ends on the NetScaler rather than on the domain controller, LDAP channel binding cannot be satisfied through the VIP: a client token is computed against the session with the NetScaler, not the DC, so a domain controller that enforces channel binding rejects binds arriving this way.

In the next post, we will discuss how to configure Active Directory authentication for NetScaler Gateway or for the management web interface. Stay tuned.
