Optimize and secure StoreFront 3 Load Balancing with Citrix NetScaler.
In the previous lab post, we configured StoreFront load balancing using Citrix NetScaler. Today, I would like to review how to make our internal StoreFront LB more secure and optimized.
Redirect StoreFront HTTP to HTTPS with NetScaler
The goal here is to redirect http://storefront/ to https://storefront.citrixguru.lab/Citrix/CitrixGuruStoreWeb.
There are multiple ways to do this. You could, for example, modify the IIS configuration on each server, but that is inefficient because NetScaler lets us configure it in one central location.
Connect to your NetScaler. In the lab we will use our TriScale NetScaler internal cluster to perform this operation.
Navigate to Traffic Management > Load Balancing > Virtual Servers.
Create a new LB virtual server:
- Name: vslb-storefront-redirect
- Protocol: HTTP
- IP Address: 10.0.0.30
- Port: 80

The new vServer will be down all the time and will not be linked to anything.

Instead, we are going to use a vServer feature called Protection. It redirects requests to another URL when the vServer is down, which here is always the case.
On the panel on the right, select Protection. Enter https://storefront.citrixguru.lab/Citrix/CitrixGuruStoreWeb as Redirect URL.

Select OK to validate.

You can try to connect to StoreFront by typing http://storefront. You will be automatically redirected to https://storefront.citrixguru.lab/Citrix/CitrixGuruStoreWeb.
Create the LB vServer and the redirection via command line:
add lb vserver vslb-storefront-redirect HTTP 10.0.0.30 80 -persistenceType NONE -redirectURL "https://storefront.citrixguru.lab/Citrix/CitrixGuruStoreWeb"
Redirect to StoreFront full web Path with NetScaler (default page)
The goal here is to redirect https://storefront.citrixguru.lab/ to https://storefront.citrixguru.lab/Citrix/CitrixGuruStoreWeb.
There are multiple ways to do this. You could, for example, modify the IIS configuration on each server, but that is inefficient because NetScaler lets us do this configuration only once.
Navigate to Traffic Management > Load Balancing and select the HTTPS vServer associated with StoreFront (vslb-storefront). Then select Edit.
On the right panel select Policies.
Add a new policy.

Select Rewrite and Request.



- Name: rw_pol_storefront
- Expression: HTTP.REQ.URL.EQ("/")


You can either type the expression manually or use the expression editor to create the expression.

Under Action, select + to create a new rewrite action.
- Name: rw_action_storefront
- Type: REPLACE
- Expression Target: HTTP.REQ.URL
- Expression: "/Citrix/CitrixGuruStoreWeb"

Select Bind.

The policy is now bound to the vServer.

Now, try to open https://storefront.citrixguru.lab. You will be redirected to https://storefront.citrixguru.lab/Citrix/CitrixGuruStoreWeb.
Go to AppExpert > Rewrite > Policies and take a look at rw_pol_storefront:

The policy has 4 hits, so it is working as expected.
The same configuration is possible via command line:
Create rewrite action
add rewrite action rw_action_storefront replace HTTP.REQ.URL "\"/Citrix/CitrixGuruStoreWeb\""
Create rewrite policy
add rewrite policy rw_pol_storefront "HTTP.REQ.URL.EQ(\"/\")" rw_action_storefront
Bind rewrite policy to vServer
bind lb vserver vslb-storefront -policyName rw_pol_storefront -priority 100 -gotoPriorityExpression END -type REQUEST
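To check a saved configuration for the two settings above, the following Python script (an added example, not part of the original post or of NetScaler) verifies that every HTTP LB vServer redirects to an https:// URL on an approved host, and that every rewrite policy bound to a vServer refers to a policy and action that are actually defined. The sample input is constructed from the commands on this page; the audit function and its allowed_hosts parameter are assumptions of this example.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample: the four commands from this page, as they would appear in a saved config.
SAMPLE_CONF = r'''
add lb vserver vslb-storefront-redirect HTTP 10.0.0.30 80 -persistenceType NONE -redirectURL "https://storefront.citrixguru.lab/Citrix/CitrixGuruStoreWeb"
add rewrite action rw_action_storefront replace HTTP.REQ.URL "\"/Citrix/CitrixGuruStoreWeb\""
add rewrite policy rw_pol_storefront "HTTP.REQ.URL.EQ(\"/\")" rw_action_storefront
bind lb vserver vslb-storefront -policyName rw_pol_storefront -priority 100 -gotoPriorityExpression END -type REQUEST
'''

def audit(conf, allowed_hosts):
    """Return a list of findings; an empty list means every check passed."""
    actions, policies, http_vs, binds, findings = set(), {}, {}, [], []
    for line in conf.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        head = tuple(t.lower() for t in tok[:3])
        # Options are "-name value" pairs; keys are compared case-insensitively here.
        opts = {k.lower(): v for k, v in zip(tok, tok[1:]) if k.startswith("-")}
        if head == ("add", "rewrite", "action"):
            actions.add(tok[3])
        elif head == ("add", "rewrite", "policy") and len(tok) >= 6:
            policies[tok[3]] = tok[5]  # policy name -> action name
        elif head == ("add", "lb", "vserver") and len(tok) > 4 and tok[4].upper() == "HTTP":
            http_vs[tok[3]] = opts.get("-redirecturl")
        elif head == ("bind", "lb", "vserver") and "-policyname" in opts:
            binds.append((tok[3], opts["-policyname"]))
    for name, url in http_vs.items():
        if url is None:
            findings.append(f"{name}: HTTP vserver has no -redirectURL")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{name}: redirect target is not https ({url})")
        if parts.hostname not in allowed_hosts:
            findings.append(f"{name}: redirect host {parts.hostname!r} not in allow-list")
    for vserver, pol in binds:
        if pol not in policies:
            findings.append(f"{vserver}: bound policy {pol} is not defined")
        elif policies[pol] not in actions:
            findings.append(f"{vserver}: policy {pol} uses undefined action {policies[pol]}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, {"storefront.citrixguru.lab"}) or ["no findings"]:
        print(finding)
```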
Security
Go to "Scoring an A+ on SSLLABS.COM with NetScaler 11 VPX" and follow the instructions.