NetScaler : Load Balancing Storefront 1.1


In this article I’ll cover the setup of an internal NetScaler VPX Load Balancer for Storefront 1.1. Note that this configuration will also work with Storefront 1.0; it’s just that the Storefront MMC snap-in doesn’t work as of the 1st April this year!

Use the following article to install and configure Storefront for internal use first.

Contents

1. Lab Environment

2. SSL Certificate Requirements

3. Service Group Definition

4. Virtual Server Definition

5. DNS Configuration

6. Testing

 

1. Lab Environment

The environment for this example configuration is as follows:

  • CTX1.domlocal.net – 192.168.0.102/24 – Citrix XenApp 6.5 Server with Storefront 1.1 Locally Installed (in a production environment I would separate Storefront onto its own server)
  • CTX2.domlocal.net – 192.168.0.102/24 – Citrix XenApp 6.5 Server (as above!)
  • Two-arm NetScaler HA Pair also using VMACs:
    • NS1 – 192.168.0.230/24
    • NS2 – 192.168.0.231/24

I have allocated 192.168.0.247/24 as the Load Balancer IP address for Storefront.

I’m using an internal IP address for the Load Balancer; this could equally be an external IP address (an IP address that corresponds to a NIC other than the one that the NetScaler IP is served from).

 

2. SSL Certificate Requirements

I would suggest you generate or purchase a SAN SSL certificate for the Load Balancer Virtual Server. In this lab environment I’m using the following Subject Names:

  • ctx1.domlocal.net
  • ctx2.domlocal.net
  • ctx1
  • ctx2
  • ctx.domlocal.net
  • ctx

As I plan on using the LB internally only, an internal PKI/AD CS certificate is fine, even for my Access Gateway setup, as it’s the endpoint connection SSL certificate that is key. Importantly, all internal devices trust the RootCA, hence the issued cert will work as required.

The image below shows I’m using a Common Name of ‘ctx.domlocal.net’ for the Certificate Subject name, with DNS Alternative Names (including ctx.domlocal.net and those listed above):

SF-Cert5

 

3. Service Group Definition

Browse to Load Balancer > Service Groups and click ‘Add…’ at the bottom of the window.

Enter a name of Storefront_SSL and select SSL as the protocol, then for each server add the Storefront Server IP address with a port of 443.

StoreFront-LB1

Add the https-ecv monitor then click OK to create the Service Group:

StoreFront-LB2

Under Advanced enable the Compression override:

StoreFront-LB3

Note: You don’t need to add the SSL Certificate to the Service Group; we’ll add it to the Virtual Server in a minute.

 

4. Virtual Server Definition

Browse to Load Balancer > Virtual Server and click ‘Add…’ at the bottom of the window.

Set Protocol as SSL and add an IP address, in this example 192.168.0.247:

StoreFront-LB4

Add the Service Group you just defined.

StoreFront-LB5

Under LB Method select Least Connection and under Persistence set SOURCEIP:

StoreFront-LB5

Finally, bind the SSL Certificate you imported for the Storefront Server to the Virtual Server:

StoreFront-LB6

 

5. DNS Configuration

Create a DNS A Record that matches the name of a SAN in your certificate; the IP address for the record is that of your Virtual Server. For this lab I created: ctx.domlocal.net 192.168.0.247

StoreFront-LB7

All receiver clients should be configured to use this DNS name.
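A pre-flight check for the rule above that the DNS name clients use must match a SAN in the certificate bound to the Virtual Server. This is an added example, not part of the original article: the function names are hypothetical, the SAN list is the one from section 2, and the IP literal and `storefront.domlocal.net` are constructed negative cases.

```python
import socket
import ssl

# DNS SAN entries listed in section 2 for the lab certificate.
LAB_SANS = ["ctx1.domlocal.net", "ctx2.domlocal.net", "ctx1", "ctx2",
            "ctx.domlocal.net", "ctx"]


def name_matches(hostname, san):
    """Case-insensitive DNS name match; '*' is honoured only as the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*" and len(pattern) > 1:
        return host[1:] == pattern[1:]
    return host == pattern


def uncovered_names(client_names, sans):
    """Return the names clients will type that no DNS SAN entry covers."""
    return [n for n in client_names
            if not any(name_matches(n, s) for s in sans)]


def fetch_dns_sans(host, port=443, cafile=None):
    """Read DNS SANs from a live listener (needs network; cafile = root CA in PEM)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # names are compared below; the chain is still verified
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Names from the page plus two constructed negatives (VIP literal, unlisted alias).
    wanted = ["ctx.domlocal.net", "CTX", "ctx1.domlocal.net",
              "192.168.0.247", "storefront.domlocal.net"]
    print("not covered by the certificate:", uncovered_names(wanted, LAB_SANS))
```

Against the live Virtual Server, replace `LAB_SANS` with the result of `fetch_dns_sans("ctx.domlocal.net", cafile=...)`, passing your internal root CA so the chain is validated as well.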

 

6. Testing

Confirm you can browse to the StoreFront URL (note that you will have to enter the complete URL, not just the FQDN). In this example I’d browse to http://ctx.domlocal.net/Citrix/CB-NetStoreWeb

 

Confirm that you can point the receiver client at the Load Balancer and it works as expected.

Create an account; enter the URL as https://ctx.domlocal.net

StoreFront-LB8

Logon (I haven’t configured SSO yet):

StoreFront-LB10 

Test access to applications:

StoreFront-LB11