Configuring Active-Active Citrix NetScaler Load Balancing on Microsoft Azure Resource Manager

Intro:

Public cloud adoption especially Azure & AWS is on the rise in EMEA region, though government policies are restricting government entities to go all in with public cloud never the less enterprises are very much starting to ride the wave. OPEX model given the current situation especially in GCC (Oil Prices & War)is what most customer are looking for so the cloud offers a safe haven and an optimal solution. Citrix strategy is Cloud, no doubt about it, the recent alignment with Microsoft (Azure RemoteApp depreciated for XenApp Essentials and DaaS with XenDesktop Essentials to be released soon) and Citrix Cloud is the way of the future in terms of OPEX management.

I don’t want to repeat myself by stating that Citrix documentation is inefficient to say the least ( I did repeat myself Smile ) so lets jump into the actual configuration. The whole aim of this post is to give a more detailed step by step guide on how to configure Active-Active load balancing of Citrix NetScaler on Azure ARM (Azure Resource Manager). The Active-Passive configuration has been covered by many CTPs and can be easily googled so no need to showcase that as well.

Assumptions:

Scope:

  • Create two NetScaler VPX, each connected to a different subnet, and both connected to the same Availability Set which would be created within the new VPX wizard. A public IP for each NetScaler VPX is not required as management can be NATed through the load balancer never the less for the sake of testing I am going to add a public IP for each and also configure NATing later for your reference (mgmt. of each NetScaler VPX would be accessible using the Load Balancer public IP with different ports) . Each NetScaler will have identical configuration for Access Gateway except for the mgmt. IP Smile obviously.
  • Create a Load Balancer with a FrontEnd IP Pool mapped to a new public IP, connect backend IP Pool to the two NetScaler VPX instances created earlier, configure health probes, and create the load balancing rules for NetScaler Access Gateway. Also configure NaTing for mgmt. access of both VPX.
  • Configure Access Gateway on each NetScaler independently.
  • Test

Configuration:

Create a new VPX (NetScaler-1):

image

Make sure that the virtual network that is going to be used for NetScaler is within the Resource Group chosen below.

image

Select the size required for the NetScaler VPX, the more size chosen the more SSL connections/requests can be handled. Check the NetScaler Azure guide from Citrix for more information.

image

Choose the existing virtual network (The small lock beside it is because its the only virtual network available in the resource group chosen in earlier steps), Choose from one of the subnets, Keep the new public IP (not required), Create a new Network Security Group with default inbound rules (will change later), Create a new Availability Set with defaults, OK to continue, and Purchase.

image

image

image

image

Create the secondary NetScaler VPX (NetScaler-2) using the same procedure but connecting to same virtual network, second subnet, new public IP, and joining the Availability Set created earlier (NetScaler-AvailabilitySet):

image

After deployment, lets check the private and public IP of NetScaler-1 and NetScaler-2. Also add an https 443 allow on the NetScaler-SecurityGroup  to allow management from the public IP of each VPX     (Since we did not create the load balancer yet, the public IP of each VPX came in handy). More so lets initialize and configure Access Gateway on each NetScaler.

Private & Public IP of NetScaler-1

image

Private & Public IP of NetScaler-2

image

Open port 443 on NetScaler-SecurityGroup ( which would apply on both NetScaler VPX public IPs since both are part of this security group ). Press on the box beside inbound security rules.

Capture

Don’t mind the red marks Smile its because I have them already created with the same name but I edited them out of the pic for your convenience (That is why the SSH default rule is not showing). Choose whatever name makes sense like NS Mgmt. . Later on the public IPs of both NS can be removed and NATing on the load balancer can be used to access mgmt. interface.

Capture

Since NetScaler on Azure has several well known ports restricted (used internally by Citrix) ex. 80, 443, 9000 … The Access Gateway created on each NetScaler will have a custom port of our choosing which doesn’t conflict with the restricted ports. No worries, AG will be accessible from 443 later using PAT built into Azure load balancing but for now we have to open access to the port used. For my example I am using port 15000, the same port will be used on both AG hosted on the first and second NetScaler.

Add a rule to Allow port 15000 using the same procedure before and the following should be the final look of the inbound security rules.

image

Now public IP of NetScaler-1 and NetScaler-2 should be accessible for NetScaler management. Lets start by configuring NetScaler-1:

image

Do not enter a subnet-IP (NetScaler on Azure runs in Single IP mode) and make sure other settings are configured including licensing (Bring-Your-Own).

image

Make sure required basic features are enabled (For our case only NetScaler Gateway, Load Balancing, and SSL Offloading are required).

image

Go to the NetScaler for  XenApp & XenDesktop wizard to start the AG deployment (I already added an SSL cert to the NS).

image

image

Gateway FQDN is a public domain that is mapped in public DNS to the public IP of the load balancer that will be created later so services are accessed using the Azure LB Public IP. The IP of the gateway is the same private IP assigned to the NetScaler. The port as discussed earlier will be 15000.

image

image

image

image

image

image

Change the theme for this Access Gateway so that it is differentiated when testing from the second Access Gateway that will be created on the second VPX.

image

Connect to the public IP of the second NetScaler and configure the same as before except that the IP of the Access Gateway would be the private IP of the second NetScaler.

image

image

Again the dedicated public IPs created for both NS VPX will come to some benefit here. We can now test both Access Gateways by using the public IP of each NS and port 15000.

NetScaler-1: https://52.176.41.206:15000

image

NetScaler-2: https://13.89.227.23:15000

image

Great. Now lets create the Azure Load balancer which will allow us to achieve two very important requirements. Actively load balance both Access Gateways & Access through port 443.

Create new Azure Load Balancer:

image

Create new public IP and make sure to assign as static. Resource Group is the same that was used earlier.

image

image

After the deployment of the load balancer is complete, navigate to the created load balancer and go to Frontend IP Pool. This should be configured automatically since we chose to create the IP using the LB wizard never the less if you have a new IP created earlier then click on Add and choose it.

image

Navigate to BackEnd pools, and click on Add. Make sure the Availability set selected is the one created earlier for NetScaler and choose both NetScaler virtual machines.

Capture

image

image

Navigate to Health probes and create a probe on port 9000 (This port is an internal port used by NetScaler and is recommended from Citrix to be used as probe target for Azure LB).

image

image

Navigate to Load Balancing Rules, click on ADD, and fill a depicted below.

image

image

Load balancing is done and now Access Gateway on both NetScalers should be accessible from the public IP which I have created a DNS record of ag.diyarunited.com for testing purposes. One more thing is to add two NAT rules for mgmt. NetScaler-1 and NetScaler-2 after which the public IPs created for them can be deleted safely. I will choose mgmt. port of 16000 for NetScaler-1 and 18000 for NetScaler-2.

NetScaler-1 Management: https://ag.diyarunited.com:16000

image

NetScaler-1 Management: https://ag.diyarunited.com:18000

image

image

Testing:

Active-Active Access Gateway ( Because of Client IP persistence, the test should be done from different connections): https://ag.diyarunited.com (pointing to Azure LB PIP).

image

image

NetScaler-1 & NetScaler-2 Management (note the ports):

image

image

Conclusion:

That’s it, Active-Active NetScaler Load Balancing on Azure Resource Manager, would love to hear your comments and suggestions.

Salam Smile .

4032 Total Views 24 Views Today

Leave a Reply

Your email address will not be published. Required fields are marked *