Introduction
In many of our Citrix infrastructure assessments and audits, we have found STA server configurations that do not follow Citrix's leading practices. In a Global Server Load Balancing (GSLB) setup, such a configuration prevents users from reconnecting to their existing sessions after a NetScaler Gateway failure, even when session reconnection itself is properly configured. The scenario in question is a specific one: Data Center 1's NetScalers are impacted, but the local Citrix VDAs are unaffected. Let's review the scenario shown in the following image.
The Issue
During normal operation, a user is connected to their session through the NetScaler Gateway in DC1. As you can see, the session is established using only STA servers from DC1. With the STA servers configured as shown in the picture, let's review what happens if the NetScaler Gateways become unavailable for any reason that does not affect the Citrix workloads (DMZ firewall issues, loss of ISP connectivity to DC1, etc.).
- Provided GSLB properly detects the failure, users are automatically re-routed to the NetScaler Gateways in DC2 for login.
- When a session is launched through DC2, the ICA ticket references only DC2 STA servers, whereas the existing session was ticketed by DC1 STA servers.
- With this configuration, we have observed that the user cannot automatically reconnect to their existing session on GSLB failover, even with session reconnection enabled, because the STA servers do not match. Clicking the icon in StoreFront may even start a new session instead of connecting to the existing one.
Recommended Configuration
For session reconnect to happen, the STA server configuration must match on the NetScaler Gateways and the StoreFront servers in both DC1 and DC2; firewall rules must allow STA communication between DC1 and DC2; and the NetScalers in both DC1 and DC2 must have firewall rules allowing connectivity to all the Citrix VDAs. The following image shows the proper configuration of STA servers.
With this configuration, the STA server list is identical between both sites, and session reconnects will occur in case of an outage isolated to the NetScaler Gateways.
To summarize, the STA server configuration should be identical between data centers, or between regions if the NetScaler Gateways are deployed in the public cloud. As a rule of thumb, include at least two STA servers from each location. I have seen some deployments where all of the Delivery Controllers (Cloud Connectors) are listed as STA servers. That is not necessary, and it makes the configuration harder to troubleshoot.
In the scenario depicted above, the NetScaler Gateways are used for both authentication and HDX routing. If your environment has separate NetScaler Gateways dedicated to authentication only and to HDX routing only, make sure the STA servers match across those deployments as well.
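The following script is an added example written for this article; it is not Ferroque's, Citrix's or NetScaler's code. It does two things a practitioner would want when checking the points above: it parses the `bind vpn vserver <name> -staServer <url>` lines from each site's ns.conf (that line format is real NetScaler syntax; the vserver names, host names and the StoreFront STA list are constructed for illustration) and reports any Gateway vserver whose STA list differs from the StoreFront list or any site contributing fewer than two STAs; and it models, in simplified form, why the mismatched layout from "The Issue" breaks reconnect: the ticket names the STA that issued it, and the failover Gateway can only validate it if that STA is bound there. Because it compares every vserver it finds, it also catches a mismatch between separate authentication-only and HDX-only Gateways within one site. The `site_of` helper assumes the constructed `staN.<site>.example.com` naming; map your own host names to sites explicitly.

```python
"""Audit STA server lists across NetScaler Gateways and StoreFront in a
two-site GSLB deployment, and model why a mismatch breaks session reconnect.

Added example for this article; not Ferroque's, Citrix's or NetScaler's code.
The ns.conf excerpts, host names and StoreFront STA list are constructed for
illustration. Only the 'bind vpn vserver <name> -staServer <url>' line format
is real NetScaler configuration syntax.
"""
import re
from collections import defaultdict

# Constructed ns.conf excerpts (not from a real deployment). Each site binds
# only its own STAs: the broken layout from "The Issue".
NSCONF_BROKEN = {
    "DC1": """
bind vpn vserver vs_gw_dc1 -staServer http://sta1.dc1.example.com
bind vpn vserver vs_gw_dc1 -staServer http://sta2.dc1.example.com
""",
    "DC2": """
bind vpn vserver vs_gw_dc2 -staServer http://sta1.dc2.example.com
bind vpn vserver vs_gw_dc2 -staServer http://sta2.dc2.example.com
""",
}

# The shared list from "Recommended Configuration": two STAs per site,
# identical everywhere. This is the list StoreFront should hold as well.
STOREFRONT_STAS = [
    "http://sta1.dc1.example.com", "http://sta2.dc1.example.com",
    "http://sta1.dc2.example.com", "http://sta2.dc2.example.com",
]

# Recommended layout: every Gateway vserver in every site binds the same list.
NSCONF_FIXED = {
    site: "\n".join(f"bind vpn vserver vs_gw_{site.lower()} -staServer {sta}"
                    for sta in STOREFRONT_STAS)
    for site in ("DC1", "DC2")
}

STA_BIND_RE = re.compile(r"^bind vpn vserver (\S+) -staServer (\S+)", re.M)


def norm(url: str) -> str:
    """Normalise an STA URL so trailing slashes and case do not cause false mismatches."""
    return url.rstrip("/").lower()


def site_of(sta_url: str) -> str:
    """Site label from the host name. Assumes the constructed naming scheme
    staN.<site>.example.com; replace with an explicit map for real deployments."""
    host = sta_url.split("//", 1)[-1].split("/", 1)[0]
    return host.split(".")[1].upper()


def sta_bindings(nsconf: str) -> dict[str, set[str]]:
    """Map each Gateway vserver in an ns.conf excerpt to its bound STA URLs."""
    out: dict[str, set[str]] = defaultdict(set)
    for vserver, sta in STA_BIND_RE.findall(nsconf):
        out[vserver].add(norm(sta))
    return dict(out)


def audit(nsconf_by_site: dict[str, str], storefront_stas, min_per_site: int = 2) -> list[str]:
    """Return findings; an empty list means every Gateway vserver in every site
    binds exactly the StoreFront STA list and each site contributes enough STAs."""
    findings = []
    reference = {norm(s) for s in storefront_stas}
    for site, conf in nsconf_by_site.items():
        for vserver, stas in sta_bindings(conf).items():
            missing, extra = reference - stas, stas - reference
            if missing or extra:
                findings.append(f"{site}/{vserver}: STA list differs from StoreFront "
                                f"(missing={sorted(missing)}, extra={sorted(extra)})")
    # Rule of thumb from the article: at least two STAs from each location.
    per_site = defaultdict(int)
    for sta in reference:
        per_site[site_of(sta)] += 1
    for site in nsconf_by_site:
        if per_site[site] < min_per_site:
            findings.append(f"{site}: only {per_site[site]} STA(s) from this site in the shared list")
    return findings


def issue_ticket(launch_site: str, nsconf_by_site: dict[str, str]) -> dict[str, str]:
    """Simplified launch model: the Gateway that brokered the launch has the
    ticket issued by one of its bound STAs, and the ICA file names that STA."""
    vserver, stas = next(iter(sta_bindings(nsconf_by_site[launch_site]).items()))
    return {"sta": sorted(stas)[0], "issued_via": vserver}


def can_reconnect(ticket: dict[str, str], failover_site: str, nsconf_by_site: dict[str, str]) -> bool:
    """A Gateway validates a ticket only with the STA that issued it, so the
    failover site can reconnect the session only if that STA is bound there."""
    return any(ticket["sta"] in stas
               for stas in sta_bindings(nsconf_by_site[failover_site]).values())


if __name__ == "__main__":
    for label, layout in (("broken", NSCONF_BROKEN), ("fixed", NSCONF_FIXED)):
        print(f"== {label} layout ==")
        for finding in audit(layout, STOREFRONT_STAS) or ["no findings"]:
            print("  " + finding)
        t = issue_ticket("DC1", layout)
        print(f"  session launched via DC1 ({t['sta']}); reconnect via DC2: "
              f"{can_reconnect(t, 'DC2', layout)}")
```

To run this against a real environment, feed `audit` the `bind vpn vserver ... -staServer` lines from each site's saved configuration and the STA URLs StoreFront has for its gateways (the StoreFront PowerShell SDK's `Get-STFRoamingGateway` exposes them). The broken layout produces one finding per site and a failed DC1-to-DC2 reconnect; the fixed layout produces no findings and a successful reconnect.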
Hope this sheds some light on the recommended configuration of STA servers.
-
Zeljko Macanovic
Zeljko is Ferroque’s Chief Architect and a leading expert in Citrix technologies, boasting over three decades of experience with Citrix and Microsoft platforms. His contributions at Citrix include serving on the CCAT board and enhancing Citrix Consulting standards and methodologies.